PESpin v0.7 Unpacking (Final Part)
【Target】: win98's notepad and a small MASM program I wrote myself
【Tools】: OllyDbg 1.1
【Task】: finish the unpacking and repair that the previous article left undone
【Platform】: WinXP Pro SP1
【Author】: loveboom[DFCG][FCG]
【Related links】: see the attachment
【Summary】: Anyone who read my previous article on unpacking PESpin knows that I only did half the job there, so this time the task is to undress "her" and then persuade "her" (i.e. repair).
【Details】:
Last time we covered how to reach the key code, so I won't repeat that here; if you haven't read it, go and read the previous article first. Following the previous article we arrive at the key code (this time's program is different from last time's, but the key code is the same). After the break on LoadLibraryA we land here:
0040C887 60 PUSHAD ; finally we arrive here
0040C888 EB 04 JMP SHORT VC.0040C88E
0040C88A CB RETF ; Far return
0040C88B EB 04 JMP SHORT VC.0040C891
Now clear out a bit of the junk code; once it is cleaned up, look further down at this code:
0040C918 8BBD 792B4000 MOV EDI,DWORD PTR SS:[EBP+402B79]
0040C91E 3BC7 CMP EAX,EDI
0040C920 76 35 JBE SHORT VC.0040C957
; once you find this, change it to jmp xxxx
0040C922 03BD 7D2B4000 ADD EDI,DWORD PTR SS:[EBP+402B7D]
……
0040C950 50 PUSH EAX
0040C951 FF95 C4394000 CALL DWORD PTR SS:[EBP+4039C4]
0040C957 EB 01 JMP SHORT VC.0040C95A
0040C959 90 NOP
0040C95A 894424 1C MOV DWORD PTR SS:[ESP+1C],EAX
; change this to mov ss:[edx],eax so that the correct function address is stored
0040C95E 61 POPAD
Once all of the above has been changed, pay attention: from here there are two cases, one for VC/Delphi and one for MASM (VB is not worth discussing, it is extremely simple and none of the above needs changing). Let's take the VC/Delphi case first:
Look a little way below the first ret and you will see it.
The VC/Delphi solution:
0040C962 0BC0 OR EAX,EAX
0040C964 C3 RETN ; this is the Ret
0040C965 EB 01 JMP SHORT VC.0040C968
0040C967 90 NOP
0040C968 57 PUSH EDI
0040C969 51 PUSH ECX
0040C96A 90 NOP
0040C96B 90 NOP
0040C96C 90 NOP
0040C96D 90 NOP
0040C96E 90 NOP
0040C96F 90 NOP
0040C970 90 NOP
0040C971 90 NOP
0040C972 90 NOP
0040C973 BF 4FE24000 MOV EDI,VC.0040E24F
0040C978 EB 01 JMP SHORT VC.0040C97B
0040C97A 90 NOP
0040C97B B9 7F020000 MOV ECX,27F
0040C980 EB 01 JMP SHORT VC.0040C983
0040C982 90 NOP
0040C983 3917 CMP DWORD PTR DS:[EDI],EDX
0040C985 74 0A JE SHORT VC.0040C991
0040C987 47 INC EDI
0040C988 ^ E2 F9 LOOPD SHORT VC.0040C983
0040C98A EB 01 JMP SHORT VC.0040C98D
0040C98C 90 NOP
0040C98D 8902 MOV DWORD PTR DS:[EDX],EAX
; this is where the damage is done, so NOP it out
0040C98F EB 25 JMP SHORT VC.0040C9B6
0040C991 90 NOP
0040C992 90 NOP
0040C993 90 NOP
0040C994 90 NOP
0040C995 90 NOP
0040C996 90 NOP
0040C997 90 NOP
0040C998 90 NOP
0040C999 90 NOP
0040C99A 807F FF 00 CMP BYTE PTR DS:[EDI-1],0
0040C99E 74 11 JE SHORT VC.0040C9B1
0040C9A0 807F FF E9 CMP BYTE PTR DS:[EDI-1],0E9
; this checks whether the program is a MASM one; more on that later
0040C9A4 ^ 75 E7 JNZ SHORT VC.0040C98D
0040C9A6 83C7 04 ADD EDI,4
0040C9A9 2BC7 SUB EAX,EDI
0040C9AB 8947 FC MOV DWORD PTR DS:[EDI-4],EAX
0040C9AE EB 06 JMP SHORT VC.0040C9B6
0040C9B0 90 NOP ; this is junk code, nop it out
0040C9B1 8907 MOV DWORD PTR DS:[EDI],EAX
; for programs packed from VC/Delphi this is the most important spot
0040C9B3 EB 01 JMP SHORT VC.0040C9B6
0040C9B5 90 NOP
0040C9B6 59 POP ECX
After tracing this several times it turns out that every slot in the packer's IAT that the program jumps to holds the address of the real IAT entry, so we need a way to put the references back. Run to 0040C9B1 and look: at that point edi is exactly the packer's IAT slot and edx is the real IAT entry.
With that information things get much easier: change 0040C9B1 into a jump to some free space and write our own code there. I picked 4113F0. Once you have the spot, change the code at 0040c9b1 to:
0040C9B1 /E9 3A4A0000 JMP VC.004113F0
and write a few lines of code at 4113F0:
004113F0 60 PUSHAD
004113F1 9C PUSHFD
004113F2 BB 00104000 MOV EBX,VC.00401000 ; CODEBASE
004113F7 B9 00400000 MOV ECX,4000 ; CODESIZE
004113FC 8B13 MOV EDX,DWORD PTR DS:[EBX]
004113FE 3BD7 CMP EDX,EDI
00411400 75 0C JNZ SHORT VC.0041140E
00411402 8B17 MOV EDX,DWORD PTR DS:[EDI]
00411404 8913 MOV DWORD PTR DS:[EBX],EDX
00411406 83C3 04 ADD EBX,4
00411409 83E9 03 SUB ECX,3
0041140C EB 03 JMP SHORT VC.00411411
0041140E 83C3 01 ADD EBX,1
00411411 ^ E2 E9 LOOPD SHORT VC.004113FC
00411413 9D POPFD
00411414 61 POPAD
00411415 ^ E9 9CB5FFFF JMP VC.0040C9B6 ; once the search is done, jump back to where we came from
What this code does is search the code section for every reference to the packer's IAT slot and replace it with the value stored in that slot (the real IAT entry). Now let's see how well it works: set a hardware breakpoint with hr 12ffa4; once it breaks, enter 10cc as the OEP in ImpREC and do AutoSearch then Get Imports. The IAT is found automatically, isn't it? Now a quick look at the stolen code:
0040D088 55 PUSH EBP ;*****
0040D089 EB 01 JMP SHORT VC.0040D08C
0040D08B 90 NOP
0040D08C 8BEC MOV EBP,ESP ;*****
0040D08E EB 01 JMP SHORT VC.0040D091
0040D090 90 NOP
0040D091 83EC 44 SUB ESP,44 ;*****
0040D094 EB 01 JMP SHORT VC.0040D097
0040D096 90 NOP
0040D097 56 PUSH ESI ;*****
0040D098 EB 01 JMP SHORT VC.0040D09B
0040D09A 90 NOP
0040D09B FF15 19E34000 CALL DWORD PTR DS:[40E319] ;*****
; VC.004063E4 watch out here: this must be changed to CALL DWORD PTR DS:[4063E4]
0040D0A1 EB 01 JMP SHORT VC.0040D0A4
0040D0A3 90 NOP
0040D0A4 8BF0 MOV ESI,EAX ;*****
0040D0A6 EB 01 JMP SHORT VC.0040D0A9
0040D0A8 90 NOP
0040D0A9 8A00 MOV AL,BYTE PTR DS:[EAX] ;*****
0040D0AB EB 01 JMP SHORT VC.0040D0AE
0040D0AD 90 NOP
0040D0AE 3C 22 CMP AL,22 ;*****
0040D0B0 EB 01 JMP SHORT VC.0040D0B3
0040D0B2 90 NOP
0040D0B3 - E9 2740FFFF JMP VC.004010DF ; not much code was stolen; here control is finally handed back to the program.
Restore the code the packer stole, then dump and fix the dump, and it's done.
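The search routine written at 4113F0, expressed as an added Python example (not code from the original post): it walks a code buffer one byte at a time and rewrites every dword that equals the packer's IAT slot address with the real IAT entry, using the 40E319 / 4063E4 pair from the stolen-code listing above. The code bytes and the sample layout are constructed for the example.

```python
from __future__ import annotations
import struct

# Constructed sample: a fragment of the VC program's code, built from the
# stolen-code listing, whose CALL DWORD PTR [40E319] points at the packer's
# IAT slot instead of the real IAT entry at 4063E4 (both addresses from the article).
STUB_SLOT = 0x0040E319   # packer's IAT slot (EDI when 0040C9B1 is reached)
REAL_SLOT = 0x004063E4   # real IAT entry, the value stored at [EDI]
CODE = (b"\x55\x8b\xec\x83\xec\x44\x56"           # push ebp / mov ebp,esp / sub esp,44 / push esi
        b"\xff\x15" + struct.pack("<I", STUB_SLOT)  # call dword ptr [stub slot]
        + b"\x8b\xf0\x8a\x00\x3c\x22")             # mov esi,eax / mov al,[eax] / cmp al,22


def redirect_iat_refs(code: bytes, stub_slot: int, real_slot: int) -> tuple[bytes, int]:
    """Byte-by-byte scan, like the loop at 004113FC: every little-endian dword equal
    to the packer's slot is overwritten with the real slot. Returns (patched, hits)."""
    buf = bytearray(code)
    needle = struct.pack("<I", stub_slot)
    patch = struct.pack("<I", real_slot)
    i = hits = 0
    while i <= len(buf) - 4:
        if buf[i:i + 4] == needle:
            buf[i:i + 4] = patch
            hits += 1
            i += 4        # skip the rewritten dword (the asm does ADD EBX,4 / SUB ECX,3)
        else:
            i += 1        # otherwise advance one byte (ADD EBX,1)
    return bytes(buf), hits


def first_call_target(code: bytes) -> int | None:
    """Operand of the first FF 15 (CALL DWORD PTR [imm32]) in the buffer, or None."""
    pos = code.find(b"\xff\x15")
    if pos < 0 or pos + 6 > len(code):
        return None
    return struct.unpack_from("<I", code, pos + 2)[0]


if __name__ == "__main__":
    patched, n = redirect_iat_refs(CODE, STUB_SLOT, REAL_SLOT)
    print(f"{n} reference(s) redirected; call now reads [{first_call_target(patched):#010x}]")
```

Because this is a raw byte match, an unrelated dword that happens to equal the slot address would also be rewritten, so compare the hit count with the number of imports you expect; note too that the article's CODESIZE of 4000 stops at 405000, which is why the call at 0040D09B in the stolen code had to be patched by hand.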
OK, the VC/Delphi case is done; now let's look at MASM.
00405918 8BBD 792B4000 MOV EDI,DWORD PTR SS:[EBP+402B79]
0040591E 3BC7 CMP EAX,EDI
00405920 76 35 JBE SHORT masm.00405957
; change this to jmp xxxx as well
00405922 03BD 7D2B4000 ADD EDI,DWORD PTR SS:[EBP+402B7D]
00405959 90 NOP
0040595A 894424 1C MOV DWORD PTR SS:[ESP+1C],EAX
; change this to mov ss:[edx],eax
0040595E 61 POPAD
……
0040598D 8902 MOV DWORD PTR DS:[EDX],EAX
; nop this out too
Now watch out: a MASM program takes this path:
0040599A 807F FF 00 CMP BYTE PTR DS:[EDI-1],0
0040599E 74 11 JE SHORT masm.004059B1
004059A0 807F FF E9 CMP BYTE PTR DS:[EDI-1],0E9
; for a MASM program the IAT plays a different trick: the import thunk has been turned into a long (E9) jump
004059A4 ^ 75 E7 JNZ SHORT masm.0040598D
004059A6 83C7 04 ADD EDI,4
; if it is a long jump we arrive here, where it gets "interpreted"
004059A9 2BC7 SUB EAX,EDI
004059AB 8947 FC MOV DWORD PTR DS:[EDI-4],EAX
004059AE EB 06 JMP SHORT masm.004059B6
004059B0 90 NOP
004059B1 8907 MOV DWORD PTR DS:[EDI],EAX
Look at the code above again and analyze it: [edi-1] is actually the address of the original program's FF25 (jmp dword ptr) opcode, and [EDI+1] is where the address of the correct IAT entry belongs, so we write a few more lines of code; this one is even easier.
Change it into this:
004059A6 66:C747 FF FF25 MOV WORD PTR DS:[EDI-1],25FF
004059AC 8957 01 MOV DWORD PTR DS:[EDI+1],EDX
004059AF EB 05 JMP SHORT masm.004059B6
004059B1 8907 MOV DWORD PTR DS:[EDI],EAX
004059B3 EB 01 JMP SHORT masm.004059B6
004059B5 90 NOP
004059B6 59 POP ECX
004059B7 5F POP EDI
004059B8 C3 RETN
Heh, with that changed, use the same hr 12ffa4 method to get to the stolen code:
00406088 6A 00 PUSH 0
0040608A EB 01 JMP SHORT masm.0040608D
0040608C 90 NOP
0040608D 68 97604000 PUSH masm.00406097
00406092 - E9 2FB0FFFF JMP masm.004010C6
00406097 A3 00304000 MOV DWORD PTR DS:[403000],EAX
0040609C EB 01 JMP SHORT masm.0040609F
0040609E 90 NOP
0040609F 68 A9604000 PUSH masm.004060A9
004060A4 - E9 35B0FFFF JMP masm.004010DE ; JMP to COMCTL32.InitCommonControls
004060A9 6A 00 PUSH 0
004060AB EB 01 JMP SHORT masm.004060AE
004060AD 90 NOP
004060AE 68 962628E1 PUSH E1282696
004060B3 810424 98E9171F ADD DWORD PTR SS:[ESP],1F17E998
004060BA 6A 00 PUSH 0
004060BC EB 01 JMP SHORT masm.004060BF
004060BE 90 NOP
004060BF 6A 65 PUSH 65
004060C1 EB 01 JMP SHORT masm.004060C4
004060C3 90 NOP
004060C4 FF35 00304000 PUSH DWORD PTR DS:[403000]
004060CA EB 01 JMP SHORT masm.004060CD
004060CC 90 NOP
004060CD 68 D7604000 PUSH masm.004060D7
004060D2 - E9 F5AFFFFF JMP masm.004010CC
004060D7 6A 00 PUSH 0
004060D9 EB 01 JMP SHORT masm.004060DC
004060DB 90 NOP
004060DC 68 E6604000 PUSH masm.004060E6
004060E1 - E9 DAAFFFFF JMP masm.004010C0
I won't go through this code in detail; you can work it out yourself.
OK, this is the end of the line. Job done!
Greetz:
Fly,Jingulong,yock,tDasm,David,ahao,vcasm,UFO(brother),alan(sister),all of my friends
and you!
By loveboom[DFCG][FCG]
Email:bmd2chen@tom.com
Click to download the attachment: pespin.rar_50603.rar