【脱壳过程】:
一、准备工作
侦壳:用PEiD查壳,结果为 Armadillo 1.xx - 2.xx -> Silicon Realms Toolworks 加壳(PEiD 的签名只能作参考,版本号决定后面的脱壳思路)。
用LordPE查看进程列表,发现该程序同时有2个进程,说明该软件启用了 Armadillo 的双进程保护(父进程以调试器身份运行子进程)。因此第一步必须先分离父进程,让程序把自己当成子进程、在单进程下运行,否则无法用 Ollydbg 直接跟踪。
二、脱壳
1.分离父进程,使程序把自己当成子进程运行
在 Ollydbg 的调试选项中勾选忽略所有异常(包括内存访问违例等),避免壳抛出的异常被调试器截获;用 IsDebug 1.4 插件清除 Ollydbg 的调试器标志(即 PEB 中的 BeingDebugged),使壳的 IsDebuggerPresent 类检测失效。
Ollydbg载入主程序:
006C6B00 >/$ 55 push ebp
006C6B01 |. 8BEC mov ebp, esp
006C6B03 |. 6A FF push -1
006C6B05 |. 68 A01A6E00 push hce.006E1AA0
006C6B0A |. 68 D8676C00 push hce.006C67D8 ; SE 处理程序安装
006C6B0F |. 64:A1 0000000>mov eax, dword ptr fs:[0]
006C6B15 |. 50 push eax
006C6B16 |. 64:8925 00000>mov dword ptr fs:[0], esp
006C6B1D |. 83EC 58 sub esp, 58
006C6B20 |. 53 push ebx
006C6B21 |. 56 push esi
006C6B22 |. 57 push edi
006C6B23 |. 8965 E8 mov [local.6], esp
006C6B26 |. FF15 78C16D00 call near dword ptr ds:[<&KERNEL32.Ge>; kernel32.GetVersion
006C6B2C |. 33D2 xor edx, edx
006C6B2E |. 8AD4 mov dl, ah
006C6B30 |. 8915 E02C6E00 mov dword ptr ds:[6E2CE0], edx
在命令行插件中下断:BP OpenMutexA,然后F9运行,中断在 kernel32 的 OpenMutexA 入口:
7C80EC1B > 8BFF mov edi, edi
7C80EC1D 55 push ebp
7C80EC1E 8BEC mov ebp, esp
7C80EC20 51 push ecx
7C80EC21 51 push ecx
7C80EC22 837D 10 00 cmp dword ptr ss:[ebp+10], 0
7C80EC26 56 push esi
7C80EC27 0F84 7A500300 je kernel32.7C843CA7
7C80EC2D 64:A1 18000000 mov eax, dword ptr fs:[18]
7C80EC33 FF75 10 push dword ptr ss:[ebp+10]
7C80EC36 8DB0 F80B0000 lea esi, dword ptr ds:[eax+BF8]
7C80EC3C 8D45 F8 lea eax, dword ptr ss:[ebp-8]
7C80EC3F 50 push eax
7C80EC40 FF15 8C10807C call near dword ptr ds:[<&ntdll.RtlIn>; ntdll.RtlInitAnsiString
7C80EC46 6A 00 push 0
7C80EC48 8D45 F8 lea eax, dword ptr ss:[ebp-8]
7C80EC4B 50 push eax
7C80EC4C 56 push esi
7C80EC4D FF15 8810807C call near dword ptr ds:[<&ntdll.RtlAn>; ntdll.RtlAnsiStringToUnicodeString
7C80EC53 85C0 test eax, eax
7C80EC55 0F8C 36500300 jl kernel32.7C843C91
7C80EC5B FF76 04 push dword ptr ds:[esi+4]
7C80EC5E FF75 0C push dword ptr ss:[ebp+C]
7C80EC61 FF75 08 push dword ptr ss:[ebp+8]
7C80EC64 E8 2CFFFFFF call kernel32.OpenMutexW
7C80EC69 5E pop esi
7C80EC6A C9 leave
7C80EC6B C2 0C00 retn 0C
0013D7A0 006B2740 /CALL 到 OpenMutexA 来自 hce.006B273A
0013D7A4 001F0001 |Access = 1F0001
0013D7A8 00000000 |Inheritable = FALSE
0013D7AC 0013DDE0 \MutexName = "5EE8::DA426D3A1C"
上面堆栈中的 MutexName 就是父进程传给子进程的互斥量名。分离父进程的常用做法是:在此处构造一小段代码,先以同名调用 CreateMutexA 再跳回 OpenMutexA,使 OpenMutexA 成功返回,壳便认为自己是子进程而不再创建新进程。分离完成后取消 OpenMutexA 断点,改设中断 GetModuleHandleA(用来定位壳处理 IAT 的代码):
7C80B529 > 8BFF mov edi, edi
7C80B52B 55 push ebp
7C80B52C 8BEC mov ebp, esp
7C80B52E 837D 08 00 cmp dword ptr ss:[ebp+8], 0
7C80B532 74 18 je short kernel32.7C80B54C
7C80B534 FF75 08 push dword ptr ss:[ebp+8]
7C80B537 E8 682D0000 call kernel32.7C80E2A4
7C80B53C 85C0 test eax, eax
7C80B53E 74 08 je short kernel32.7C80B548
7C80B540 FF70 04 push dword ptr ds:[eax+4]
7C80B543 E8 F4300000 call kernel32.GetModuleHandleW
7C80B548 5D pop ebp
7C80B549 C2 0400 retn 4
堆栈:
0013CE70 5D175394 /CALL 到 GetModuleHandleA 来自 5D17538E
0013CE74 5D1753E0 \pModule = "kernel32.dll"
0013CF30 77F45BD8 /CALL 到 GetModuleHandleA 来自 SHLWAPI.77F45BD2
0013CF34 77F4501C \pModule = "KERNEL32.DLL"
0013D744 006B1893 /CALL 到 GetModuleHandleA 来自 hce.006B188D
0013D748 00000000 \pModule = NULL
00137B98 00E51A09 /CALL 到 GetModuleHandleA 来自 00E51A03
00137B9C 00E66364 \pModule = "kernel32.dll"
00137BA0 00E67588 ASCII "VirtualAlloc"
00137B98 00E51A26 /CALL 到 GetModuleHandleA 来自 00E51A20
00137B9C 00E66364 \pModule = "kernel32.dll"
00137BA0 00E6757C ASCII "VirtualFree"
前面几次中断的返回地址都不在壳代码区(5D17xxxx、SHLWAPI、hce 本身、00E51Axx),继续 SHIFT+F9 忽略异常并运行,直到返回地址落在壳代码所在的 00E3xxxx 区域:
00137908 00E39C01 /CALL 到 GetModuleHandleA 来自 00E39BFB
0013790C 00137A4C \pModule = "kernel32.dll"
这次调用来自壳代码 00E39BFB,ALT+F9 返回到调用处,下面就是壳用 GetModuleHandleA/LoadLibraryA/GetProcAddress 处理导入表的代码,关键跳转(Magic Jump)在 00E39C32:
00E39C01 8B0D 74B7E600 mov ecx, dword ptr ds:[E6B774]
00E39C07 89040E mov dword ptr ds:[esi+ecx], eax
00E39C0A A1 74B7E600 mov eax, dword ptr ds:[E6B774]
00E39C0F 391C06 cmp dword ptr ds:[esi+eax], ebx
00E39C12 75 16 jnz short 00E39C2A
00E39C14 8D85 B4FEFFFF lea eax, dword ptr ss:[ebp-14C]
00E39C1A 50 push eax
00E39C1B FF15 DC00E600 call near dword ptr ds:[E600DC] ; kernel32.LoadLibraryA
00E39C21 8B0D 74B7E600 mov ecx, dword ptr ds:[E6B774]
00E39C27 89040E mov dword ptr ds:[esi+ecx], eax
00E39C2A A1 74B7E600 mov eax, dword ptr ds:[E6B774]
00E39C2F 391C06 cmp dword ptr ds:[esi+eax], ebx
00E39C32 0F84 32010000 je 00E39D6A ; //改成为 JMP 00E39D6A 修改这是为了避开IAT加密
00E39C38 33C9 xor ecx, ecx
00E39C3A 8B07 mov eax, dword ptr ds:[edi]
00E39C3C 3918 cmp dword ptr ds:[eax], ebx
00E39C3E 74 06 je short 00E39C46
00E39C40 41 inc ecx
00E39C41 83C0 0C add eax, 0C
00E39C44 ^ EB F6 jmp short 00E39C3C
00E39C46 8BD9 mov ebx, ecx
00E39C48 C1E3 02 shl ebx, 2
00E39C4B 53 push ebx
00E39C4C E8 EB520200 call 00E5EF3C ; jmp 到 msvcrt.operator new
00E39C51 8B0D 6CB7E600 mov ecx, dword ptr ds:[E6B76C]
00E39C57 89040E mov dword ptr ds:[esi+ecx], eax
00E39C5A 53 push ebx
00E39C5B E8 DC520200 call 00E5EF3C ; jmp 到 msvcrt.operator new
00E39C60 59 pop ecx
00E39C61 59 pop ecx
00E39C62 8B0D 70B7E600 mov ecx, dword ptr ds:[E6B770]
00E39C68 89040E mov dword ptr ds:[esi+ecx], eax
00E39C6B 8B1F mov ebx, dword ptr ds:[edi]
00E39C6D 8B03 mov eax, dword ptr ds:[ebx]
00E39C6F 85C0 test eax, eax
00E39C71 0F84 D6000000 je 00E39D4D
00E39C77 33FF xor edi, edi
00E39C79 68 00010000 push 100
00E39C7E 8D8D A8FDFFFF lea ecx, dword ptr ss:[ebp-258]
00E39C84 51 push ecx
00E39C85 50 push eax
00E39C86 E8 50E4FFFF call 00E380DB
00E39C8B 83C4 0C add esp, 0C
00E39C8E 8D85 A8FDFFFF lea eax, dword ptr ss:[ebp-258]
00E39C94 50 push eax
00E39C95 A1 74B7E600 mov eax, dword ptr ds:[E6B774]
00E39C9A FF3406 push dword ptr ds:[esi+eax]
00E39C9D FF15 D800E600 call near dword ptr ds:[E600D8] ; kernel32.GetProcAddress
00E39CA3 8BC8 mov ecx, eax
取消所有断点,设中断 bp GetCurrentThreadId,F9 运行(在 Armadillo 1.xx - 2.xx 中这一步一般用来接近壳跳向 OEP 的代码):
7C809737 > 64:A1 18000000 mov eax, dword ptr fs:[18]
7C80973D 8B40 24 mov eax, dword ptr ds:[eax+24]
7C809740 C3 retn
堆栈:
001371C8 66001E3A /CALL 到 GetCurrentThreadId 来自 66001E34
001371CC 00000001
001371D0 66001C1E 返回到 66001C1E 来自 66001DE6
001371D4 66001B64 返回到 66001B64 来自 66001B90
001371A8 66003505 /CALL 到 GetCurrentThreadId 来自 660034FF
ALT+F9返回到下面的位置。注意这里是 66003505,上面几次 GetCurrentThreadId 中断的调用者(66001E34、660034FF)也都在 6600xxxx 模块里,而不是壳代码所在的 00E3xxxx - 00E5xxxx 区域:
66003505 8D4E 14 lea ecx, dword ptr ds:[esi+14]
66003508 8BF8 mov edi, eax
6600350A 8B01 mov eax, dword ptr ds:[ecx]
6600350C FF50 10 call near dword ptr ds:[eax+10]
6600350F 8BF0 mov esi, eax
66003511 85F6 test esi, esi
66003513 74 09 je short 6600351E
66003515 3B7E 14 cmp edi, dword ptr ds:[esi+14]
66003518 0F85 5CB60100 jnz 6601EB7A
6600351E 8D4D FC lea ecx, dword ptr ss:[ebp-4]
66003521 E8 39000000 call 6600355F
66003526 8BC6 mov eax, esi
66003528 5F pop edi
66003529 5E pop esi
6600352A C9 leave
6600352B C3 retn
此后被调试程序触发了一个自己无法处理的异常,停在下面这段壳代码(00E55ED5)中,无法再继续调试。从上面的堆栈看,GetCurrentThreadId 的几次中断都来自 6600xxxx 模块而非壳代码,ALT+F9 很可能返回到了错误的模块;另外 00E39C32 处把 JE 改成 JMP 是否影响了壳后续对 IAT 的使用、以及"忽略所有异常"是否让壳依赖 SEH 的代码走到了错误分支,都值得排查。建议每次中断先核对堆栈中的返回地址是否在壳区段,只对来自壳代码的调用做 ALT+F9。
00E55ED5 8B04B0 mov eax, dword ptr ds:[eax+esi*4]
00E55ED8 3341 60 xor eax, dword ptr ds:[ecx+60]
00E55EDB 8B0D 2800E700 mov ecx, dword ptr ds:[E70028] ; hce.006DC310
00E55EE1 3341 70 xor eax, dword ptr ds:[ecx+70]
00E55EE4 8B0D 2800E700 mov ecx, dword ptr ds:[E70028] ; hce.006DC310
00E55EEA 3341 54 xor eax, dword ptr ds:[ecx+54]
00E55EED 8B0D 2800E700 mov ecx, dword ptr ds:[E70028] ; hce.006DC310
00E55EF3 3341 28 xor eax, dword ptr ds:[ecx+28]
00E55EF6 8B0D 2800E700 mov ecx, dword ptr ds:[E70028] ; hce.006DC310
00E55EFC 3341 64 xor eax, dword ptr ds:[ecx+64]
00E55EFF 3385 90C5FFFF xor eax, dword ptr ss:[ebp-3A70]
00E55F05 50 push eax
00E55F06 FFB5 C8C5FFFF push dword ptr ss:[ebp-3A38]
00E55F0C E8 6F2D0000 call 00E58C80
00E55F11 83C4 0C add esp, 0C
00E55F14 8B85 94C5FFFF mov eax, dword ptr ss:[ebp-3A6C]
00E55F1A 40 inc eax
00E55F1B 8985 94C5FFFF mov dword ptr ss:[ebp-3A6C], eax
请教各位该怎么办?感谢!!!!!!!!