Armadillo 3.78 - 4.xx -> Silicon Realms Toolworks: help needed with the key part of the unpacking
OD is the build downloaded from 看雪
**************************************
C0000005 (ACCESS VIOLATION)
C0000008 (INVALID HANDLE)
C000001D (ILLEGAL INSTRUCTION)
C000001E (INVALID LOCK SEQUENCE)
C0000096 (PRIVILEGED INSTRUCTION)
**************************************
After loading:
004C6000 cod> 60 pushad
004C6001 E8 00000000 call 004C6006
004C6006 5D pop ebp
004C6007 50 push eax
004C6008 51 push ecx
004C6009 0FCA bswap edx
004C600B F7D2 not edx
004C600D 9C pushfd
004C600E F7D2 not edx
004C6010 0FCA bswap edx
004C6012 EB 0F jmp short 004C6023
004C6014 B9 EB0FB8EB mov ecx, EBB80FEB
004C6019 07 pop es
004C601A B9 EB0F90EB mov ecx, EB900FEB
004C601F 08FD or ch, bh
004C6021 EB 0B jmp short 004C602E
004C6023 F2: prefix repne:
004C6024 ^ EB F5 jmp short 004C601B
004C6026 ^ EB F6 jmp short 004C601E
004C6028 F2: prefix repne:
004C6029 EB 08 jmp short 004C6033
004C602B FD std
004C602C ^ EB E9 jmp short 004C6017
After converting to single process:
7C80EC1B ker> 8BFF mov edi, edi
7C80EC1D 55 push ebp
7C80EC1E 8BEC mov ebp, esp
7C80EC20 51 push ecx
7C80EC21 51 push ecx
7C80EC22 837D 10 00 cmp dword ptr [ebp+10], >
7C80EC26 56 push esi
7C80EC27 0F84 7A500300 je 7C843CA7
7C80EC2D 64:A1 18000000 mov eax, fs:[18]
7C80EC33 FF75 10 push dword ptr [ebp+10]
7C80EC36 8DB0 F80B0000 lea esi, [eax+BF8]
7C80EC3C 8D45 F8 lea eax, [ebp-8]
7C80EC3F 50 push eax
7C80EC40 FF15 8C10807C call [<&ntdll.RtlInitAnsi>; ntdll.RtlInitAnsiString
7C80EC46 6A 00 push 0
7C80EC48 8D45 F8 lea eax, [ebp-8]
7C80EC4B 50 push eax
7C80EC4C 56 push esi
7C80EC4D FF15 8810807C call [<&ntdll.RtlAnsiStri>; ntdll.RtlAnsiStringToUnicodeString
he GetModuleHandleA+5
Stack:
00129260 /00129500
00129264 |00A85CE1 return to 00A85CE1 from kernel32.GetModuleHandleA
00129268 |001293B4 ASCII "kernel32.dll"
Now remove the breakpoint and return:
00A85CE1 8B0D AC40AB00 mov ecx, [AB40AC]
00A85CE7 89040E mov [esi+ecx], eax
00A85CEA A1 AC40AB00 mov eax, [AB40AC]
00A85CEF 391C06 cmp [esi+eax], ebx
00A85CF2 75 16 jnz short 00A85D0A
00A85CF4 8D85 B4FEFFFF lea eax, [ebp-14C]
00A85CFA 50 push eax
00A85CFB FF15 BC62AA00 call [AA62BC] ; kernel32.LoadLibraryA
00A85D01 8B0D AC40AB00 mov ecx, [AB40AC]
00A85D07 89040E mov [esi+ecx], eax
00A85D0A A1 AC40AB00 mov eax, [AB40AC]
00A85D0F 391C06 cmp [esi+eax], ebx
00A85D12 0F84 2F010000 je 00A85E47 // MAGIC JMP, change to JMP
00A85D18 33C9 xor ecx, ecx
00A85D1A 8B07 mov eax, [edi]
00A85D1C 3918 cmp [eax], ebx
00A85D1E 74 06 je short 00A85D26
00A85D20 41 inc ecx
00A85D21 83C0 0C add eax, 0C
00A85D24 ^ EB F6 jmp short 00A85D1C
00A85D26 8BD9 mov ebx, ecx
00A85D28 C1E3 02 shl ebx, 2
00A85D2B 53 push ebx
00A85D2C E8 63F20100 call 00AA4F94 ; jmp to msvcrt.operator new
ALT+M
Memory map, entry 23
Address=00401000 // set breakpoint
Size=00062000 (401408.)
Owner=code 00400000
Section=CODE
Type=Imag 01001002
Access=R
Initial access=RWE
SHIFT +F9
It does not arrive at the OEP,
but instead shows red code. If the MAGIC JMP is not changed to JMP, it does arrive at the OEP but cannot be dumped (OD stops responding for a long time, and the program is small).
00A91A7C F62D AA0D4E34 imul byte ptr [344E0DAA]
00A91A82 F3: prefix rep:
00A91A83 8E32 mov seg?, [edx] ; undefined segment register
00A91A85 16 push ss
00A91A86 AB stos dword ptr es:[edi]
00A91A87 213B and [ebx], edi
00A91A89 89D9 mov ecx, ebx
00A91A8B E5 E7 in eax, 0E7
00A91A8D 0181 8E1B889C add [ecx+9C881B8E], eax
00A91A93 B2 5B mov dl, 5B
00A91A95 4C dec esp
00A91A96 CA A18F retf 8FA1
00A91A99 6E outs dx, byte ptr es:[edi>
00A91A9A E8 992EB506 call 075E4938
00A91A9F 1B88 E8AB03D0 sbb ecx, [eax+D003ABE8]
00A91AA5 7A 1C jpe short 00A91AC3
00A91AA7 5D pop ebp
00A91AA8 210C92 and [edx+edx*4], ecx
00A91AAB DAACB3 EAC7471A fisubr dword ptr [ebx+esi*4>
00A91AB2 F3: prefix rep:
00A91AB3 06 push es
00A91AB4 48 dec eax
00A91AB5 3B17 cmp edx, [edi]
00A91AB7 25 7790D542 and eax, 42D59077
00A91ABC 9A 859EE17C 6D3F call far 3F6D:7CE19E85
00A91AC3 B8 BB2933E8 mov eax, E83329BB
00A91AC8 4F dec edi
00A91AC9 B2 36 mov dl, 36
00A91ACB D2D1 rcl cl, cl
00A91ACD 54 push esp
00A91ACE 5C pop esp
00A91ACF CB retf
00A91AD0 6C ins byte ptr es:[edi], d>
00A91AD1 1257 9A adc dl, [edi-66]
00A91AD4 42 inc edx
00A91AD5 ^ 79 A3 jns short 00A91A7A
00A91AD7 1F pop ds
00A91AD8 BE 71E0E9A0 mov esi, A0E9E071
00A91ADD 322D D0EA3DBD xor ch, [BD3DEAD0]
00A91AE3 11C0 adc eax, eax
00A91AE5 A5 movs dword ptr es:[edi], >
00A91AE6 A2 08213898 mov [98382108], al
00A91AEB F3: prefix rep:
00A91AEC 96 xchg eax, esi
00A91AED C3 retn
00A91AEE 00F0 add al, dh
00A91AF0 54 push esp
00A91AF1 D85D 4A fcomp dword ptr [ebp+4A]
00A91AF4 76 53 jbe short 00A91B49
00A91AF6 CA 2E4D retf 4D2E
00A91AF9 F4 hlt
00A91AFA A5 movs dword ptr es:[edi], >
00A91AFB 28AD 0BC1CE5A sub [ebp+5ACEC10B], ch
00A91B01 59 pop ecx
00A91B02 97 xchg eax, edi
00A91B03 58 pop eax
00A91B04 D6 salc
00A91B05 F2: prefix repne:
00A91B06 3D D5EB2C16 cmp eax, 162CEBD5
00A91B0B E7 C5 out 0C5, eax
00A91B0D 39CB cmp ebx, ecx
00A91B0F E2 75 loopd short 00A91B86
00A91B11 D5 17 aad 17
00A91B13 AB stos dword ptr es:[edi]
00A91B14 FA cli
00A91B15 76 0B jbe short 00A91B22
00A91B17 64:850F test fs:[edi], ecx
00A91B1A BC AFE6CE7A mov esp, 7ACEE6AF
00A91B1F D4 20 aam 20
00A91B21 41 inc ecx
00A91B22 9A FEEA6B27 3AB2 call far B23A:276BEAFE
00A91B29 0373 A5 add esi, [ebx-5B]
00A91B2C 06 push es
00A91B2D ^ 77 CF ja short 00A91AFE
00A91B2F 2E:E4 CE in al, 0CE
00A91B32 0010 add [eax], dl
00A91B34 8356 C3 B5 adc dword ptr [esi-3D], >
00A91B38 17 pop ss
00A91B39 4E dec esi
00A91B3A 56 push esi
00A91B3B A6 cmps byte ptr [esi], byte>
00A91B3C 76 53 jbe short 00A91B91
00A91B3E 5C pop esp
00A91B3F 26:9C pushfd
00A91B41 B3 2A mov bl, 2A
00A91B43 A9 3B718EB4 test eax, B48E713B
00A91B48 26:11B0 C82ED6FA adc es:[eax+FAD62EC8], e>
00A91B4F 93 xchg eax, ebx
00A91B50 26:4E dec esi
00A91B52 62A4A2 1BE86F6D bound esp, [edx+6D6FE81B]
00A91B59 FFD1 call ecx
00A91B5B 7B EC jpo short 00A91B49
00A91B5D ^ E2 B8 loopd short 00A91B17
00A91B5F C010 E8 rcl byte ptr [eax], 0E8
00A91B62 4B dec ebx
00A91B63 90 nop
00A91B64 221C43 and bl, [ebx+eax*2]
00A91B67 71 50 jno short 00A91BB9
00A91B69 AE scas byte ptr es:[edi]
00A91B6A AC lods byte ptr [esi]
00A91B6B 7B 90 jpo short 00A91AFD
00A91B6D 5A pop edx
00A91B6E F5 cmc
00A91B6F 9A 3C1D52ED 2F3D call far 3D2F:ED521D3C
00A91B76 DFE6 fbld esi ; illegal use of register
00A91B78 C7 ??? ; unknown command
00A91B79 5D pop ebp
00A91B7A 53 push ebx
00A91B7B FA cli
00A91B7C AB stos dword ptr es:[edi]
00A91B7D 22C0 and al, al
00A91B7F 5B pop ebx
00A91B80 2D CE9938E0 sub eax, E03899CE
00A91B85 A3 1D4BEEB5 mov [B5EE4B1D], eax
00A91B8A 12EE adc ch, dh
00A91B8C 93 xchg eax, ebx
00A91B8D 1C D7 sbb al, 0D7
00A91B8F 5C pop esp
00A91B90 AD lods dword ptr [esi]
00A91B91 3117 xor [edi], edx
00A91B93 0236 add dh, [esi]
00A91B95 A8 6F test al, 6F
00A91B97 FB sti
00A91B98 A3 B3513DE7 mov [E73D51B3], eax
00A91B9D 6A 80 push -80
00A91B9F A5 movs dword ptr es:[edi], >
00A91BA0 25 9D810A3A and eax, 3A0A819D
00A91BA5 6E outs dx, byte ptr es:[edi>
00A91BA6 3BD7 cmp edx, edi
00A91BA8 83DC 48 sbb esp, 48
00A91BAB 94 xchg eax, esp
00A91BAC 27 daa
00A91BAD ^ E3 F8 jecxz short 00A91BA7
00A91BAF 2910 sub [eax], edx
Could some expert give me a hint? Many thanks!
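The "MAGIC JMP" step above turns the `je 00A85E47` at 00A85D12 into an unconditional jump to the same target. Below is an added example (not code from the post, and not part of any unpacking tool) that does that rewrite on raw bytes: it decodes the jcc's relative displacement, computes the absolute target, and re-encodes an `E9 rel32` (or `EB rel8` for the short form) padded with NOPs so the instruction stream length does not change. The `patch_in_dump` helper is a hypothetical convenience that assumes a memory-layout dump in which file offset = VA - ImageBase, which is not necessarily true of a raw PE file; the byte strings used in the test are copied from the listings in the post.

```python
"""Rewrite a conditional jump (je) into an unconditional jmp that keeps the same target.

Added example for the Armadillo "magic jump" patch discussed in the post.
Assumption: 32-bit x86 code, and in patch_in_dump() a dump whose layout is
offset = VA - image_base (a memory dump, not a raw on-disk PE).
"""
import struct


def decode_je(addr, code):
    """Decode a je at virtual address `addr` whose bytes start at code[0].

    Returns (instruction_length, absolute_target).
    Supports the short form 74 rel8 and the near form 0F 84 rel32.
    """
    if code[0] == 0x74:
        rel = struct.unpack_from("<b", code, 1)[0]
        return 2, (addr + 2 + rel) & 0xFFFFFFFF
    if code[0] == 0x0F and code[1] == 0x84:
        rel = struct.unpack_from("<i", code, 2)[0]
        return 6, (addr + 6 + rel) & 0xFFFFFFFF
    raise ValueError("bytes at %08X are not a je" % addr)


def encode_jmp(addr, target, length):
    """Encode an unconditional jmp placed at `addr` reaching `target`.

    The result is padded with NOPs to exactly `length` bytes so the
    surrounding code keeps its addresses. A 2-byte slot gets EB rel8,
    anything 5 bytes or larger gets E9 rel32.
    """
    if length == 2:
        rel = target - (addr + 2)
        if not -128 <= rel <= 127:
            raise ValueError("target out of rel8 range for a 2-byte slot")
        return bytes([0xEB]) + struct.pack("<b", rel)
    if length < 5:
        raise ValueError("need at least 5 bytes for a near jmp")
    rel = target - (addr + 5)
    rel = ((rel + 0x80000000) & 0xFFFFFFFF) - 0x80000000  # wrap into signed 32-bit
    return bytes([0xE9]) + struct.pack("<i", rel) + b"\x90" * (length - 5)


def patch_magic_jump(addr, code):
    """Return (patched_bytes, target) for the je located at `addr`."""
    length, target = decode_je(addr, code)
    return encode_jmp(addr, target, length), target


def patch_in_dump(dump, image_base, je_va):
    """Apply the je->jmp rewrite inside a dump (assumes offset = VA - image_base)."""
    off = je_va - image_base
    patched, target = patch_magic_jump(je_va, dump[off:off + 6])
    return dump[:off] + patched + dump[off + len(patched):], target


if __name__ == "__main__":
    # Bytes of the "MAGIC JMP" from the post: 00A85D12  0F84 2F010000  je 00A85E47
    new_bytes, tgt = patch_magic_jump(0x00A85D12, bytes.fromhex("0F842F010000"))
    print("%08X -> %s (target %08X)" % (0x00A85D12, new_bytes.hex().upper(), tgt))
```

In OllyDbg the same edit is just assembling `jmp 00A85E47` over the `je`; the script is for applying the patch to a dump or for scripting the change over several builds, and the length check matters because a 5-byte `jmp` written over a 6-byte `je` leaves one stray byte unless it is padded.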