SVK 1.3x Unpacking Notes
Posted: 2024-2-9 13:39
This post covers the unpacking process for SVK 1.3x. I took some notes while learning; if the notes contain mistakes or skip a step, please point it out in the comments! (This post is text-heavy, so the formatting is not great; please bear with me.)
1. Find the fake OEP. Options -> SFX -> "Trace real entry bytewise (very slow)", and Options -> Exceptions -> ignore all exceptions! With that set, reload the program in OD and trace the real entry bytewise to reach the fake OEP.
0040524C 90 nop
0040524D 90 nop
0040524E 90 nop
0040524F 90 nop
00405250 90 nop
00405251 90 nop
00405252 90 nop
00405253 90 nop
00405254 90 nop
00405255 90 nop
00405256 90 nop
00405257 90 nop
00405258 90 nop
00405259 90 nop
0040525A 90 nop
0040525B 90 nop
0040525C 90 nop
0040525D 90 nop
0040525E 90 nop
0040525F 90 nop
00405260 90 nop
00405261 90 nop
00405262 90 nop
00405263 90 nop
00405264 90 nop
00405265 90 nop
00405266 90 nop
00405267 90 nop
00405268 90 nop
00405269 90 nop
0040526A 90 nop
0040526B 90 nop
0040526C 90 nop
0040526D 90 nop
0040526E 90 nop
0040526F 90 nop
00405270 90 nop
00405271 90 nop
00405272 90 nop
00405273 90 nop
00405274 90 nop
00405275 90 nop
00405276 90 nop
00405277 90 nop
00405278 90 nop
00405279 90 nop
0040527A 90 nop
0040527B 90 nop
0040527C 90 nop
0040527D 90 nop
0040527E 90 nop
0040527F 90 nop
00405280 90 nop
00405281 90 nop
00405282 90 nop
00405283 90 nop
00405284 90 nop
00405285 90 nop
00405286 90 nop
00405287 90 nop
00405288 90 nop
00405289 90 nop
0040528A 90 nop
0040528B 90 nop
0040528C 90 nop
0040528D 90 nop
0040528E 90 nop
0040528F 90 nop
00405290 90 nop
00405291 90 nop
00405292 90 nop
00405293 90 nop
00405294 90 nop
00405295 90 nop
00405296 90 nop
00405297 90 nop
00405298 90 nop
00405299 90 nop
0040529A 90 nop
0040529B 90 nop
0040529C 90 nop
0040529D 90 nop
0040529E 90 nop
0040529F 90 nop
004052A0 90 nop
004052A1 90 nop
004052A2 90 nop
004052A3 90 nop
004052A4 90 nop
004052A5 90 nop
004052A6 90 nop
004052A7 90 nop
004052A8 90 nop
004052A9 90 nop
004052AA 90 nop
004052AB 90 nop
004052AC 90 nop
004052AD 90 nop
004052AE 90 nop
004052AF 90 nop
004052B0 90 nop
004052B1 90 nop
004052B2 90 nop
004052B3 90 nop
004052B4 90 nop
004052B5 90 nop
004052B6 E8 1C010000 call wowcrown.004053D7 // stops here: the fake OEP (FOEP)!
2. bp GetModuleHandleA+5, then Shift+F9 to pass through all the exceptions!
77E5AD8B /0F84 37010000 je kernel32.77E5AEC8 // breaks here. Remove the breakpoint and Alt+F9 to return!
77E5AD91 |FF7424 04 push dword ptr ss:[esp+4]
77E5AD95 |E8 F8050000 call kernel32.77E5B392
77E5AD9A |85C0 test eax,eax
00A556B0 5B pop ebx ; wowcrown.004081A4 // returns to here
00A556B1 5E pop esi
00A556B2 5F pop edi
00A556B3 5D pop ebp
00A556B4 0BC0 or eax,eax
00A556B6 75 2F jnz short 00A056E7
3. Ctrl+F and search for the signature:
cmp dword ptr ds:[ebx],2D66B1C5
This lands in the special-API handling:
00A55784 813B C5B1662D cmp dword ptr ds:[ebx],2D66B1C5
00A5578A 0F84 62180000 je 00A06FF2 // change to jmp 00A557E4 to skip the special handling
00A55790 813B 9404B2D9 cmp dword ptr ds:[ebx],D9B20494
00A55796 0F84 AA1C0000 je 00A07446
00A5579C 813B A41A86D0 cmp dword ptr ds:[ebx],D0861AA4
00A557A2 0F84 58210000 je 00A07900
00A557A8 813B 706586B1 cmp dword ptr ds:[ebx],B1866570
00A557AE 0F84 C1240000 je 00A07C75
00A557B4 813B 0E46769B cmp dword ptr ds:[ebx],9B76460E
00A557BA 0F84 36280000 je 00A07FF6
00A557C0 813B DB0793E6 cmp dword ptr ds:[ebx],E69307DB
00A557C6 0F84 76280000 je 00A08042
00A557CC 813B 627B6CA5 cmp dword ptr ds:[ebx],A56C7B62
00A557D2 0F84 BA280000 je 00A08092
00A557D8 813B 664E96BB cmp dword ptr ds:[ebx],BB964E66
00A557DE 0F84 00290000 je 00A080E4
00A557E4 813B 4506D75B cmp dword ptr ds:[ebx],5BD70645 // packer verification (registration) function
00A557EA 0F84 43290000 je 00A08133
00A557F0 813B 0DE0FC1D cmp dword ptr ds:[ebx],1DFCE00D // packer verification (registration) function
00A557F6 0F84 83290000 je 00A0817F
00A557FC 813B 31DD0F00 cmp dword ptr ds:[ebx],0FDD31 // packer verification (registration) function
00A55802 0F84 C6290000 je 00A081CE
00A55808 813B 95B75126 cmp dword ptr ds:[ebx],2651B795
00A5580E 0F84 132A0000 je 00A08227 // jmp 00A55850 to skip the special handling
00A55814 813B B482F64B cmp dword ptr ds:[ebx],4BF682B4
00A5581A 0F84 582A0000 je 00A08278
00A55820 813B 0F1ACF4C cmp dword ptr ds:[ebx],4CCF1A0F
00A55826 0F84 972A0000 je 00A082C3
00A5582C 813B 4A7687DF cmp dword ptr ds:[ebx],DF87764A
00A55832 0F84 FC2D0000 je 00A08634
00A55838 813B B8B8B2FB cmp dword ptr ds:[ebx],FBB2B8B8
00A5583E 0F84 56320000 je 00A08A9A
00A55844 813B 8E5D2D57 cmp dword ptr ds:[ebx],572D5D8E
00A5584A 0F84 86320000 je 00A08AD6
00A55850 60 pushad
4. Ctrl+S and search for the instruction sequence:
mov dword ptr ds:[edi],eax
popad
This lands in the ordinary-API handling:
00A55B4D 5F pop edi
00A55B4E 58 pop eax
00A55B4F 8907 mov dword ptr ds:[edi],eax ◆
00A55B51 61 popad ◆
00A55B52 8385 43010200 04 add dword ptr ss:[ebp+20143],4
00A55B59 ^ E9 ADFBFFFF jmp 00A0570B
Swap the two instructions:
00A55B4D 5F pop edi
00A55B4E 58 pop eax
00A55B4F 61 popad ◆ // set a breakpoint here with F2 and run with Shift+F9! When it breaks here, remove the breakpoint!
00A55B50 8907 mov dword ptr ds:[edi],eax ◆
00A55B52 8385 43010200 04 add dword ptr ss:[ebp+20143],4
That wraps up the IAT handling... now for the stolen code!
Set bp GetModuleHandleA+5 again, Shift+F9 through the exceptions, then remove the breakpoint and Alt+F9 to return!
Next, hr 12FFB0 (hardware breakpoint on read) and Shift+F9; it breaks three times:
0012FC40 60 pushad // first break
0012FC41 E8 03000000 call 0012FC49
0012FC46 D2EB shr bl,cl
0012FC54 E8 01000000 call 0012FC5A // second break
0012FC59 E8 E8020000 call 0012FF46
0012FC5E 00CD add ch,cl
0012FCFB E8 00000000 call 0012FD00 // third break
0012FD00 5D pop ebp
0012FD01 E8 02000000 call 0012FD08
Then remove the breakpoint!
Continue; in the command line enter tc ebp==12FFC0 (start ESP value - 4):
5. 00ADEF1D ^\E9 28FBFFFF jmp 00ADEA4A // breaks here: the stolen-code handling starts, and the nightmare begins... From here on, everything is F8 unless stated otherwise!
00ADEF22 0000 add byte ptr ds:[eax],al
6. Next you step through a lot of the extracted code, so it is not listed in full here.
7. The binary code (exactly 106 bytes):
55 8B EC 6A FF 68 80 72 40 00 68 D8 53 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68
5B 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 63 40 00 59 83 0D B8 99 40 00 FF 83 0D BC 99 40
00 FF FF 15 C8 63 40 00 8B 0D AC 99 40 00 89 08 FF 15 DC 63 40 00 8B 0D A8 99 40 00 89 08 A1 E0
63 40 00 8B 00 A3 B4 99 40 00
Now we restore the stolen code at the real OEP:
0040524C 55 push ebp
0040524D 8BEC mov ebp,esp
0040524F 6A FF push -1
00405251 68 80724000 push wowcrown.00407280
00405256 68 D8534000 push wowcrown.004053D8 ; jmp to msvcrt._except_handler3
0040525B 64:A1 00000000 mov eax,dword ptr fs:[0]
00405261 50 push eax
00405262 64:8925 00000000 mov dword ptr fs:[0],esp
00405269 83EC 68 sub esp,68
0040526C 5B pop ebx
0040526D 56 push esi
0040526E 57 push edi
0040526F 8965 E8 mov dword ptr ss:[ebp-18],esp
00405272 33DB xor ebx,ebx
00405274 895D FC mov dword ptr ss:[ebp-4],ebx
00405277 6A 02 push 2
00405279 FF15 C4634000 call dword ptr ds:[4063C4] ; msvcrt.__set_app_type
0040527F 59 pop ecx
00405280 830D B8994000 FF or dword ptr ds:[4099B8],FFFFFFFF
00405287 830D BC994000 FF or dword ptr ds:[4099BC],FFFFFFFF
0040528E FF15 C8634000 call dword ptr ds:[4063C8] ; msvcrt.__p__fmode
00405294 8B0D AC994000 mov ecx,dword ptr ds:[4099AC]
0040529A 8908 mov dword ptr ds:[eax],ecx
0040529C FF15 DC634000 call dword ptr ds:[4063DC] ; msvcrt.__p__commode
004052A2 8B0D A8994000 mov ecx,dword ptr ds:[4099A8]
004052A8 8908 mov dword ptr ds:[eax],ecx
004052AA A1 E0634000 mov eax,dword ptr ds:[4063E0]
004052AF 8B00 mov eax,dword ptr ds:[eax]
004052B1 A3 B4994000 mov dword ptr ds:[4099B4],eax
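Writing those 106 bytes into the dump with a script instead of by hand in OD, as an added example that is not part of the original notes: it maps the OEP VA to a raw file offset through the section table and refuses to overwrite anything but the packer's NOP filler seen at 0040524C. STOLEN_CODE is the byte string from step 7; build_sample_dump() is a constructed minimal PE32 standing in for the LordPE dump, and the helper names are my own.

```python
import struct

# The 106 stolen bytes transcribed from step 7 of the notes (SVK lifted them out of the hole at 0040524C).
STOLEN_CODE = bytes.fromhex(
    "55 8B EC 6A FF 68 80 72 40 00 68 D8 53 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 "
    "5B 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 63 40 00 59 83 0D B8 99 40 00 FF 83 0D BC 99 40 "
    "00 FF FF 15 C8 63 40 00 8B 0D AC 99 40 00 89 08 FF 15 DC 63 40 00 8B 0D A8 99 40 00 89 08 A1 E0 "
    "63 40 00 8B 00 A3 B4 99 40 00"
)
OEP_VA = 0x0040524C  # real OEP; the hole ends right before the call at 004052B6 (the fake OEP)

def _pe_header(pe):
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    return e_lfanew

def image_base(pe):
    # PE32 OptionalHeader.ImageBase sits 28 bytes into the optional header
    return struct.unpack_from("<I", pe, _pe_header(pe) + 24 + 28)[0]

def rva_to_offset(pe, rva):
    """Walk the section table to turn an RVA into a raw file offset."""
    h = _pe_header(pe)
    nsect = struct.unpack_from("<H", pe, h + 6)[0]
    opt_size = struct.unpack_from("<H", pe, h + 20)[0]
    for i in range(nsect):
        entry = h + 24 + opt_size + i * 40
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", pe, entry + 8)
        if vaddr <= rva < vaddr + max(vsize, rsize):
            return rptr + rva - vaddr
    raise ValueError(f"RVA {rva:#x} is outside every section")

def patch_stolen_code(pe, va, code):
    """Return a copy of the dump with `code` written at virtual address `va`.
    Only the packer's NOP filler may be overwritten (cf. the NOP run at 0040524C)."""
    off = rva_to_offset(pe, va - image_base(pe))
    if pe[off:off + len(code)] != b"\x90" * len(code):
        raise ValueError("target is not NOP filler: wrong VA, or already patched")
    return pe[:off] + code + pe[off + len(code):]

def build_sample_dump():
    """Constructed stand-in for a LordPE dump (not a real SVK sample): image base
    0x400000, one NOP-filled .text section at RVA 0x1000 mapped from raw offset 0x400."""
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)).ljust(0x80, b"\0")
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt_hdr = struct.pack("<HBBIIIIIII", 0x10B, 6, 0, 0x5000, 0, 0, 0x524C, 0x1000, 0x1000, 0x400000)
    sect = b".text".ljust(8, b"\0") + struct.pack("<IIIIIIHHI", 0x5000, 0x1000, 0x5000, 0x400, 0, 0, 0, 0, 0x60000020)
    header = (dos + b"PE\0\0" + file_hdr + opt_hdr.ljust(0xE0, b"\0") + sect).ljust(0x400, b"\0")
    return header + b"\x90" * 0x5000
```

On a real dump, read the file into `pe`, call `patch_stolen_code(pe, OEP_VA, STOLEN_CODE)` and write the result back before the ImpREC step; the NOP check catches a wrong OEP or an already-patched dump.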
8. Dump with LordPE (correct the image size first)! Open ImpREC, enter 524C as the OEP -> IAT AutoSearch -> Get Imports -> a lot of entries show up as invalid! (They can be fixed with level 1 tracing. For the second invalid function, just fill in GetModuleHandleA from kernel32.dll. The last invalid function can be cut. The program then runs.) (Note: I only ran into this on my own machine; if anyone hits the same problem, this may serve as a reference.)
Note: these notes draw on teacher Tiancao's notes.