A timid question, again about Armadillo. I asked once before, but now I have a new problem, so I'm opening a new thread; moderators, please bear with me.
I studied the seniors' unpacking write-ups, dumped the child process and restored the IAT, but it still won't run normally.
This is my first time unpacking, I don't understand packers deeply and I'm somewhat lost, so I'll start from the beginning and describe the problem in as much detail as I can.
Please read patiently :) Thanks in advance.
This is the result from ArmadilloFindProtected:
!- Protected Armadillo
<Protection Options>
Debug-Blocker
CopyMem-II
<Backup Key Options>
No Registry Keys at All
<Compression Options>
Better/Slower Compression
!- Child detach
Child process ID: 000002E8
Entry point: 00DAA000
Original bytes: 60E8
Loaded it in OD, first he WaitForDebugEvent (a BP wouldn't break at the right place for me), followed in the dump window, then bp WriteProcessMemory.
Stack:
0012BB28 00D98B4D /CALL 到 WriteProcessMemory 来自 tzfx.00D98B47
0012BB2C 0000004C |hProcess = 0000004C (window)
0012BB30 0044B000 |Address = 44B000
0012BB34 003A36B8 |Buffer = 003A36B8
0012BB38 00001000 |BytesToWrite = 1000 (4096.)
0012BB3C 0012BC44 \pBytesWritten = 0012BC44
Memory data:
0012CD60 01 00 00 00 3C 08 00 00 ...<..
0012CD68 10 0B 00 00 01 00 00 80 ....?
0012CD70 00 00 00 00 00 00 00 00 ........
0012CD78 D5 B8 44 00 02 00 00 00 崭D....
0012CD80 00 00 00 00 D5 B8 44 00 ....崭D.
0012CD88 D5 B8 44 00 00 00 00 00 崭D.....
Question 1:
The OEP should be 0044B8D5, but I feel it isn't; when I debugged before, it was 0041A197 here. I changed no settings, yet it changed, strange. I believe 0041A197 is correct; I'll explain why later.
ALT+F9, then search for or eax,fffffff8, go to that code, use the patch to trick the parent into decoding the entire child process, then dump it with LordPE, setting OEP=1A197.
All of this followed the seniors' articles.
Then load the dumped file in OD again:
0041A197 > 55 PUSH EBP
0041A198 8BEC MOV EBP,ESP
0041A19A 6A FF PUSH -1
0041A19C 68 00544500 PUSH dumped.00455400
0041A1A1 68 DCEC4100 PUSH dumped.0041ECDC
0041A1A6 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
0041A1AC 50 PUSH EAX
0041A1AD 64:8925 00000000 MOV DWORD PTR FS:[0],ESP
0041A1B4 83EC 58 SUB ESP,58
0041A1B7 53 PUSH EBX
0041A1B8 56 PUSH ESI
0041A1B9 57 PUSH EDI
0041A1BA 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP
0041A1BD FF15 58224500 CALL DWORD PTR DS:[452258]
At the CALL at 0041A1BD the program flies off, so in the data window Ctrl+G to 452258; what's there is just 77, 7E and the like. Scroll to the top: RVA=00452000.
Below is the IAT repair.
Reload in OD, bp DebugActiveProcess. Open another OD and attach to the child process,
ALT+F9, then change EB FE back to the original 60 E8.
bp OpenMutexA, then patch it with the classic code.
bp GetModuleHandleA, then find the magic jmp and change it; F9 stops here:
0041A197 34 45 XOR AL,45
0041A199 1C BE SBB AL,0BE
0041A19B 9E SAHF
0041A19C A6 CMPS BYTE PTR DS:[ESI],BYTE PTR ES:[EDI]
0041A19D F0:8024CE 98 LOCK AND BYTE PTR DS:[ESI+ECX*8],98 ; LOCK prefix
0041A1A2 088D 8FF0B0C0 OR BYTE PTR SS:[EBP+C0B0F08F],CL
0041A1A8 CE INTO
Question 1, continued:
At this point the child process is not yet decoded, so it stops at the OEP; that's why I say 0041A197 is the correct OEP. I don't know whether this understanding is right, and if it is, why did the earlier OEP turn into 0044B8D5?
In ImportREC select this process, OEP=1A197, RVA=52000, press Get Imports directly, then Show Invalid, cut them, and FixDump on the file just dumped; it reports success.
Run it, and it crashes again, ugh. Open it in OD and look:
0041A197 > 55 PUSH EBP
0041A198 8BEC MOV EBP,ESP
0041A19A 6A FF PUSH -1
0041A19C 68 00544500 PUSH dumped_.00455400
0041A1A1 68 DCEC4100 PUSH dumped_.0041ECDC
0041A1A6 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
0041A1AC 50 PUSH EAX
0041A1AD 64:8925 0000000>MOV DWORD PTR FS:[0],ESP
0041A1B4 83EC 58 SUB ESP,58
0041A1B7 53 PUSH EBX
0041A1B8 56 PUSH ESI
0041A1B9 57 PUSH EDI
0041A1BA 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP
0041A1BD FF15 58224500 CALL DWORD PTR DS:[<&kernel32.GetVersion>] ; kernel32.GetVersion
0041A1C3 33D2 XOR EDX,EDX
0041A1C5 8AD4 MOV DL,AH
0041A1C7 8915 6C61D700 MOV DWORD PTR DS:[D7616C],EDX
0041A1CD 8BC8 MOV ECX,EAX
0041A1CF 81E1 FF000000 AND ECX,0FF
0041A1D5 890D 6861D700 MOV DWORD PTR DS:[D76168],ECX
0041A1DB C1E1 08 SHL ECX,8
0041A1DE 03CA ADD ECX,EDX
0041A1E0 890D 6461D700 MOV DWORD PTR DS:[D76164],ECX
0041A1E6 C1E8 10 SHR EAX,10
0041A1E9 A3 6061D700 MOV DWORD PTR DS:[D76160],EAX
0041A1EE 6A 01 PUSH 1
0041A1F0 E8 A04A0000 CALL dumped_.0041EC95
0041A1F5 59 POP ECX
0041A1F6 85C0 TEST EAX,EAX
0041A1F8 75 08 JNZ SHORT dumped_.0041A202
0041A1FA 6A 1C PUSH 1C
0041A1FC E8 C3000000 CALL dumped_.0041A2C4
0041A201 59 POP ECX
0041A202 E8 552D0000 CALL dumped_.0041CF5C
0041A207 85C0 TEST EAX,EAX
0041A209 75 08 JNZ SHORT dumped_.0041A213
0041A20B 6A 10 PUSH 10
0041A20D E8 B2000000 CALL dumped_.0041A2C4
0041A212 59 POP ECX
0041A213 33F6 XOR ESI,ESI
0041A215 8975 FC MOV DWORD PTR SS:[EBP-4],ESI
0041A218 E8 BC480000 CALL dumped_.0041EAD9
0041A21D FF15 54214500 CALL DWORD PTR DS:[<&kernel32.GetCommandLineA>] ; kernel32.GetCommandLineA
0041A223 A3 7878D700 MOV DWORD PTR DS:[D77878],EAX
0041A228 E8 7A470000 CALL dumped_.0041E9A7
0041A22D A3 5061D700 MOV DWORD PTR DS:[D76150],EAX
0041A232 E8 23450000 CALL dumped_.0041E75A
0041A237 E8 65440000 CALL dumped_.0041E6A1
0041A23C E8 AB0F0000 CALL dumped_.0041B1EC // several CALL levels deep from here, it finally crashes
0041A241 8975 D0 MOV DWORD PTR SS:[EBP-30],ESI
0041A244 8D45 A4 LEA EAX,DWORD PTR SS:[EBP-5C]
0041A247 50 PUSH EAX
0041A248 FF15 58214500 CALL DWORD PTR DS:[<&kernel32.GetStartupInfoA>] ; kernel32.GetStartupInfoA
The IAT seems to be repaired correctly; let's trace it:
00442F5F E8 569C0000 CALL dumped_.0044CBBA
00442F64 8B4C24 04 MOV ECX,DWORD PTR SS:[ESP+4]
00442F68 85C9 TEST ECX,ECX
00442F6A 8848 14 MOV BYTE PTR DS:[EAX+14],CL // here, unhandled exception
00442F6D 75 08 JNZ SHORT dumped_.00442F77
00442F6F 6A FD PUSH -3
00442F71 E8 C987FDFF CALL dumped_.0041B73F
00442F76 59 POP ECX
00442F77 6A 01 PUSH 1
00442F79 58 POP EAX
It crashes at 00442F6A.
CL=00
DS:[0016D7AC]=??? EAX+14=0016D7AC
Ctrl+G to 0016D7AC; the result says there is no memory at the specified address.
Open the memory window; sure enough, that region isn't there.
Question 2:
What causes the above? Is the unpacking incomplete, or is the IAT repair incomplete? How should I fix it?
I'm a real newbie; when answering, please be as detailed as possible, or point me to relevant reference articles. Thanks, sorry for the trouble.
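As an added example (not part of the original post or any forum member's code), the following Python script parses OllyDbg stack-window lines captured at breakpoints on WriteProcessMemory, both the localized "CALL 到 ... 来自" form shown above and the English form, and reports which 0x1000 pages of a chosen range the parent process has written into the child. With CopyMem-II the parent decodes the child's code page by page, so any page never written before the dump is still undecoded garbage in the dump; the sample log lines and the address range are constructed.

```python
import re
from typing import List, Tuple

# Constructed sample: three WriteProcessMemory hits as OllyDbg shows them
# in the stack window (first block mirrors the post's localized output).
SAMPLE_LOG = r"""
0012BB28 00D98B4D /CALL 到 WriteProcessMemory 来自 tzfx.00D98B47
0012BB2C 0000004C |hProcess = 0000004C (window)
0012BB30 0044B000 |Address = 44B000
0012BB34 003A36B8 |Buffer = 003A36B8
0012BB38 00001000 |BytesToWrite = 1000 (4096.)
0012BB3C 0012BC44 \pBytesWritten = 0012BC44
0012BB28 00D98B4D /CALL to WriteProcessMemory from tzfx.00D98B47
0012BB30 0044C000 |Address = 44C000
0012BB38 00001000 |BytesToWrite = 1000 (4096.)
0012BB28 00D98B4D /CALL to WriteProcessMemory from tzfx.00D98B47
0012BB30 0044F000 |Address = 44F000
0012BB38 00000800 |BytesToWrite = 800 (2048.)
"""

CALL_RE = re.compile(r"CALL (?:到|to) WriteProcessMemory")
ADDR_RE = re.compile(r"\|Address = ([0-9A-Fa-f]+)")
SIZE_RE = re.compile(r"\|BytesToWrite = ([0-9A-Fa-f]+)")


def parse_writes(log: str) -> List[Tuple[int, int]]:
    """Return (target address, byte count) for each WriteProcessMemory call."""
    writes, addr, size = [], None, None
    for line in log.splitlines():
        if CALL_RE.search(line):          # a new call starts; flush the previous one
            if addr is not None and size is not None:
                writes.append((addr, size))
            addr = size = None
        if m := ADDR_RE.search(line):
            addr = int(m.group(1), 16)     # OllyDbg prints hex without a 0x prefix
        if m := SIZE_RE.search(line):
            size = int(m.group(1), 16)
    if addr is not None and size is not None:
        writes.append((addr, size))
    return writes


def page_coverage(writes, start: int, end: int, page: int = 0x1000):
    """Pages of [start, end) the parent wrote, and pages it never touched."""
    touched = set()
    for addr, size in writes:
        for p in range(addr & ~(page - 1), addr + size, page):
            if start <= p < end:
                touched.add(p)
    missing = [p for p in range(start, end, page) if p not in touched]
    return sorted(touched), missing


if __name__ == "__main__":
    done, gaps = page_coverage(parse_writes(SAMPLE_LOG), 0x44B000, 0x450000)
    print("decoded pages:", [hex(p) for p in done])
    print("never written:", [hex(p) for p in gaps])
```

Pages listed as never written are the ones a "decode everything" patch on the parent must still produce before the child is dumped.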