I have only just started learning unpacking. I downloaded a random program, checked it with PEiD and, to my surprise, it was an Armadillo shell. I then checked it with ArmaFP.exe, which reported the following (I renamed the file to XX in case it causes trouble for this site):
<------- 12-06-2006 14:25:22 ------->
C:\Program Files\XX\XX.exe
!- Protected Armadillo
?- Signature = 0C0CFCEC
Protection system (Professional)
!- <Protection Options>
Debug-Blocker
CopyMem-II
!- <Backup Key Options>
Fixed Backup Keys
!- <Compression Options>
Best/Slowest Compression
!- <Other Options>
Disable Monitoring Thread
So I downloaded fly's article "Armadillo V4.X CopyMem-II 脱壳――魔法转换(Magic Converter) V4.0正式版" (Armadillo V4.X CopyMem-II unpacking: Magic Converter V4.0 release) and followed it step by step:
First hide OD, ignore all exceptions and open the file to be debugged. BP WaitForDebugEvent; once it breaks, remove the breakpoint and look at the stack. The stack contents are:
0012BCB8 0063C4DF /CALL to WaitForDebugEvent from XX.0063C4D9
0012BCBC 0012CD90 |pDebugEvent = 0012CD90
0012BCC0 000003E8 \Timeout = 1000. ms
In the data window go to 0012CD90, ready to read the OEP value. Then set the next breakpoint.
BP WriteProcessMemory; after F9 the stack contents are:
0012BB58 00640477 /CALL to WriteProcessMemory from XX.00640471
0012BB5C 0000004C |hProcess = 0000004C (window)
0012BB60 00401000 |Address = 401000
0012BB64 003E71D8 |Buffer = 003E71D8
0012BB68 00001000 |BytesToWrite = 1000 (4096.)
0012BB6C 0012BC74 \pBytesWritten = 0012BC74
The data window at 0012CD90 shows:
0012CD90 01 00 00 00 5C 04 00 00 F0 07 00 00 01 00 00 80
0012CDA0 00 00 00 00 00 00 00 00 00 10 40 00 02 00 00 00
0012CDB0 08 00 00 00 00 10 40 00 00 10 40 00 01 00 00 00
0012CDC0 00 00 00 00 00 00 00 00 18 8D 3A F0 A0 44 77 83
From this we get OEP=401000 (why would it be 401000 of all numbers? Strange!!!)
PID=45C
Alt+F9 to return to the program's own code, search for the instruction OR EAX,FFFFFFF8, and two hits are found.
Double-click the first one to land at 0063CAAF; scroll up and at 0063CA63 find:
0063CA63 > 83BD CCF5FFFF >CMP DWORD PTR SS:[EBP-A34],0
0063CA6A . 0F8C A8020000 JL XX.0063CD18
0063CA70 . 8B8D CCF5FFFF MOV ECX,DWORD PTR SS:[EBP-A34]
0063CA76 . 3B0D 487F6700 CMP ECX,DWORD PTR DS:[677F48]
0063CA7C . 0F8D 96020000 JGE XX.0063CD18
0063CA82 . 8B95 40F6FFFF MOV EDX,DWORD PTR SS:[EBP-9C0]
0063CA88 . 81E2 FF000000 AND EDX,0FF
0063CA8E . 85D2 TEST EDX,EDX
0063CA90 . 0F84 AD000000 JE XX.0063CB43
0063CA96 . 6A 00 PUSH 0
0063CA98 . 8BB5 CCF5FFFF MOV ESI,DWORD PTR SS:[EBP-A34]
0063CA9E . C1E6 04 SHL ESI,4
0063CAA1 . 8B85 CCF5FFFF MOV EAX,DWORD PTR SS:[EBP-A34]
So set a breakpoint at 0063CA63; after Shift+F9 breaks there, remove the breakpoint, zero [EBP-A34]=[0012CD7C]=0000012B, then, based on the line "0063CA7C . 0F8D 96020000 JGE XX.0063CD18", set a breakpoint at 0063CD18,
and find the patch location at 0063CB36:
0063CB36 25 FF000000 AND EAX,0FF
0063CB3B 85C0 TEST EAX,EAX
0063CB3D 0F84 D5010000 JE XX.0063CD18
0063CB43 837D D8 00 CMP DWORD PTR SS:[EBP-28],0
0063CB47 75 27 JNZ SHORT XX.0063CB70
The patch is as follows:
0063CB36 FF85 CCF5FFFF INC DWORD PTR SS:[EBP-A34]
0063CB3C C705 4C7F6700 >MOV DWORD PTR DS:[677F4C],1
0063CB46 ^E9 18FFFFFF JMP XX.0063CA63
Then Shift+F9, and it breaks at 0063CD18. The original article says "at this point the child process code is fully unpacked; use LordPE to dump the child process completely." Here, since fly only mentioned the dump in passing, and there are two processes on the system, which one should be dumped? This process has PID 45C, so I dumped the other process, PID=2F0.
Then I changed the entry RVA of the dumped dumped.exe to 1000, and found that the code is actually empty? I don't know why; please advise, masters!!!!
Is there anything wrong in the steps above? And at this point how do I repair the IAT? Please advise!! I would be very grateful!
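As an added example (not from the post or from fly's article): the bytes quoted above from 0012CD90 decoded against the documented 32-bit Win32 DEBUG_EVENT / EXCEPTION_RECORD layout. Decoding them shows the event is an EXCEPTION_DEBUG_EVENT (code 1) from process 0x45C, with exception code 0x80000001 (STATUS_GUARD_PAGE_VIOLATION) at ExceptionAddress 0x401000, which is the field the post reads as the OEP; the parser assumes little-endian DWORD fields and tolerates a data-window dump that stops before the whole EXCEPTION_RECORD.

```python
import struct

# Event codes of the 32-bit Win32 DEBUG_EVENT structure (winbase.h).
EVENT_CODES = {1: "EXCEPTION_DEBUG_EVENT", 2: "CREATE_THREAD_DEBUG_EVENT",
               3: "CREATE_PROCESS_DEBUG_EVENT", 4: "EXIT_THREAD_DEBUG_EVENT",
               5: "EXIT_PROCESS_DEBUG_EVENT", 6: "LOAD_DLL_DEBUG_EVENT",
               7: "UNLOAD_DLL_DEBUG_EVENT", 8: "OUTPUT_DEBUG_STRING_EVENT",
               9: "RIP_EVENT"}
# NTSTATUS values that appear in EXCEPTION_RECORD.ExceptionCode (ntstatus.h).
EXCEPTION_CODES = {0x80000001: "STATUS_GUARD_PAGE_VIOLATION", 0x80000003: "STATUS_BREAKPOINT",
                   0x80000004: "STATUS_SINGLE_STEP", 0xC0000005: "STATUS_ACCESS_VIOLATION"}

def parse_olly_dump(text):
    """Turn OllyDbg data-window lines ('address b0 b1 ... b15') into bytes."""
    out = bytearray()
    for line in text.strip().splitlines():
        out.extend(int(b, 16) for b in line.split()[1:])  # skip the address column
    return bytes(out)

def parse_debug_event(buf):
    """Decode a 32-bit DEBUG_EVENT header (code, pid, tid); for code 1 also decode
    the EXCEPTION_RECORD at offset 12 (ExceptionCode, Flags, Record, Address, N, Info[])."""
    code, pid, tid = struct.unpack_from("<III", buf, 0)
    ev = {"code": code, "event": EVENT_CODES.get(code, "unknown"),
          "pid": pid, "tid": tid}
    if code == 1:
        exc, flags, chain, addr, nparams = struct.unpack_from("<IIIII", buf, 12)
        # Only NumberParameters entries (max 15) are meaningful, and a partial dump may not hold them all.
        nparams = max(0, min(nparams, 15, (len(buf) - 32) // 4))
        params = struct.unpack_from("<%dI" % nparams, buf, 32)
        ev.update(exception_code=exc,
                  exception=EXCEPTION_CODES.get(exc, "unknown"),
                  exception_flags=flags, nested_record=chain,
                  exception_address=addr, exception_information=list(params))
    return ev

# The four lines the post quotes from the data window at pDebugEvent = 0012CD90.
DUMP = """
0012CD90 01 00 00 00 5C 04 00 00 F0 07 00 00 01 00 00 80
0012CDA0 00 00 00 00 00 00 00 00 00 10 40 00 02 00 00 00
0012CDB0 08 00 00 00 00 10 40 00 00 10 40 00 01 00 00 00
0012CDC0 00 00 00 00 00 00 00 00 18 8D 3A F0 A0 44 77 83
"""

if __name__ == "__main__":
    ev = parse_debug_event(parse_olly_dump(DUMP))
    print("%s from pid %X tid %X: %s at %08X, params %s" % (
        ev["event"], ev["pid"], ev["tid"], ev["exception"],
        ev["exception_address"], [hex(p) for p in ev["exception_information"]]))
```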