首页
社区
课程
招聘
SVK1.3x脱壳笔记
发表于: 2024-2-9 13:39 2915

SVK1.3x脱壳笔记

2024-2-9 13:39
2915

本帖是关于SVK1.3x的脱壳过程。在学习的过程中做了些笔记,如果笔记中有错误或者有遗漏的步骤,欢迎大家在评论区指出!(本次帖子文字量较大,所以排版不是很好,请大家谅解。)


1.      找伪OEP,选项--SFX--字节方式跟踪真实入口(速度非常慢)/选项--异常--忽略所有异常!设置好之后,重载OD,用字节方式跟踪真正入口处来到达伪OEP

0040524C                90                     nop

0040524D                90                     nop

0040524E                90                     nop

0040524F                90                     nop

00405250                90                     nop

00405251                90                     nop

00405252                90                     nop

00405253                90                     nop

00405254                90                     nop

00405255                90                     nop

00405256                90                     nop

00405257                90                     nop

00405258                90                     nop

00405259                90                     nop

0040525A                90                     nop

0040525B                90                     nop

0040525C                90                     nop

0040525D                90                     nop

0040525E                90                     nop

0040525F                90                     nop

00405260                90                     nop

00405261                90                     nop

00405262                90                     nop

00405263                90                     nop

00405264                90                     nop

00405265                90                     nop

00405266                90                     nop

00405267                90                     nop

00405268                90                     nop

00405269                90                     nop

0040526A                90                     nop

0040526B                90                     nop

0040526C                90                     nop

0040526D                90                     nop

0040526E                90                     nop

0040526F                90                     nop

00405270                90                     nop

00405271                90                     nop

00405272                90                     nop

00405273                90                     nop

00405274                90                     nop

00405275                90                     nop

00405276                90                     nop

00405277                90                     nop

00405278                90                     nop

00405279                90                     nop

0040527A                90                     nop

0040527B                90                     nop

0040527C                90                     nop

0040527D                90                     nop

0040527E                90                     nop

0040527F                90                     nop

00405280                90                     nop

00405281                90                     nop

00405282                90                     nop

00405283                90                     nop

00405284                90                     nop

00405285                90                     nop

00405286                90                     nop

00405287                90                     nop

00405288                90                     nop

00405289                90                     nop

0040528A                90                     nop

0040528B                90                     nop

0040528C                90                     nop

0040528D                90                     nop

0040528E                90                     nop

0040528F                90                     nop

00405290                90                     nop

00405291                90                     nop

00405292                90                     nop

00405293                90                     nop

00405294                90                     nop

00405295                90                     nop

00405296                90                     nop

00405297                90                     nop

00405298                90                     nop

00405299                90                     nop

0040529A                90                     nop

0040529B                90                     nop

0040529C                90                     nop

0040529D                90                     nop

0040529E                90                     nop

0040529F                90                     nop

004052A0                90                     nop

004052A1                90                     nop

004052A2                90                     nop

004052A3                90                     nop

004052A4                90                     nop

004052A5                90                     nop

004052A6                90                     nop

004052A7                90                     nop

004052A8                90                     nop

004052A9                90                     nop

004052AA                90                     nop

004052AB                90                     nop

004052AC                90                     nop

004052AD                90                     nop

004052AE                90                     nop

004052AF                90                     nop

004052B0                90                     nop

004052B1                90                     nop

004052B2                90                     nop

004052B3                90                     nop

004052B4                90                     nop

004052B5                90                     nop

004052B6         E8 1C010000            call wowcrown.004053D7 //停在这,FOEP             

2.      bp GetModuleHandleA+5Shift+F9,通过所有异常!

 

77E5AD8B    /0F84 37010000      je kernel32.77E5AEC8  //断在这里。取消断点,Alt+F9返回!

77E5AD91    |FF7424 04          push dword ptr ss:[esp+4]

77E5AD95    |E8 F8050000        call kernel32.77E5B392

77E5AD9A    |85C0               test eax,eax

 

00A556B0     5B                pop ebx      ; wowcrown.004081A4   //返回到这里

00A556B1     5E                 pop esi

00A556B2     5F                 pop edi

00A556B3     5D                 pop ebp

00A556B4     0BC0               or eax,eax

00A556B6     75 2F              jnz short 00A056E7

 

3.      CtrlF搜索特征码:

 

cmp dword ptr ds:[ebx],2D66B1C5

 

来到特殊API处理的地方!

 

00A55784     813B C5B1662D      cmp dword ptr ds:[ebx],2D66B1C5

00A5578A     0F84 62180000      je 00A06FF2               //jmp 00A557E4跳过特殊处理

00A55790     813B 9404B2D9      cmp dword ptr ds:[ebx],D9B20494

00A55796     0F84 AA1C0000      je 00A07446

00A5579C     813B A41A86D0      cmp dword ptr ds:[ebx],D0861AA4

00A557A2     0F84 58210000      je 00A07900

00A557A8     813B 706586B1      cmp dword ptr ds:[ebx],B1866570

00A557AE     0F84 C1240000      je 00A07C75

00A557B4     813B 0E46769B      cmp dword ptr ds:[ebx],9B76460E

00A557BA     0F84 36280000      je 00A07FF6

00A557C0     813B DB0793E6      cmp dword ptr ds:[ebx],E69307DB

00A557C6     0F84 76280000      je 00A08042

00A557CC     813B 627B6CA5      cmp dword ptr ds:[ebx],A56C7B62

00A557D2     0F84 BA280000      je 00A08092

00A557D8     813B 664E96BB      cmp dword ptr ds:[ebx],BB964E66

00A557DE     0F84 00290000      je 00A080E4

00A557E4     813B 4506D75B      cmp dword ptr ds:[ebx],5BD70645 //壳验证(注册)函数

00A557EA     0F84 43290000      je 00A08133

00A557F0     813B 0DE0FC1D      cmp dword ptr ds:[ebx],1DFCE00D //壳验证(注册)函数

00A557F6     0F84 83290000      je 00A0817F

00A557FC     813B 31DD0F00      cmp dword ptr ds:[ebx],0FDD31   //壳验证(注册)函数

00A55802     0F84 C6290000      je 00A081CE

00A55808     813B 95B75126      cmp dword ptr ds:[ebx],2651B795

00A5580E     0F84 132A0000      je 00A08227                    //jmp 00A55850跳过特殊处理

00A55814     813B B482F64B      cmp dword ptr ds:[ebx],4BF682B4

00A5581A     0F84 582A0000      je 00A08278

00A55820     813B 0F1ACF4C      cmp dword ptr ds:[ebx],4CCF1A0F

00A55826     0F84 972A0000      je 00A082C3

00A5582C     813B 4A7687DF      cmp dword ptr ds:[ebx],DF87764A

00A55832     0F84 FC2D0000      je 00A08634

00A55838     813B B8B8B2FB      cmp dword ptr ds:[ebx],FBB2B8B8

00A5583E     0F84 56320000      je 00A08A9A

00A55844     813B 8E5D2D57      cmp dword ptr ds:[ebx],572D5D8E

00A5584A     0F84 86320000      je 00A08AD6

00A55850     60                 pushad

 

 

4.      CtrlS搜索特征码:

 

mov dword ptr ds:[edi],eax

popad

 

来到普通API处理处:

 

00A55B4D     5F                 pop edi

00A55B4E     58                 pop eax

00A55B4F     8907               mov dword ptr ds:[edi],eax 

00A55B51     61                 popad

00A55B52     8385 43010200 04   add dword ptr ss:[ebp+20143],4

00A55B59   ^ E9 ADFBFFFF        jmp 00A0570B

 

颠倒一下:

 

00A55B4D     5F                 pop edi

00A55B4E     58                 pop eax

00A55B4F     61                 popad   //在此F2下断,Shift+F9运行!断在这里,取消断点!

00A55B50     8907               mov dword ptr ds:[edi],eax

00A55B52     8385 43010200 04   add dword ptr ss:[ebp+20143],4

 

至此IAT的处理已经告一段落了。。。要处理Stolen Code了!

 

继续下bp GetModuleHandleA+5ShiftF9通过过异常后,取消断点,AltF9返回!

 

接着hr 12FFB0,ShiftF9,断下三次

 

0012FC40     60                 pushad  //第一次

0012FC41     E8 03000000        call 0012FC49

0012FC46     D2EB               shr bl,cl

 

0012FC54     E8 01000000        call 0012FC5A  //第二次

0012FC59     E8 E8020000        call 0012FF46

0012FC5E     00CD               add ch,cl

 

0012FCFB     E8 00000000        call 0012FD00  //第三次

0012FD00     5D                 pop ebp

0012FD01     E8 02000000        call 0012FD08

 

然后取消断点!

 

继续,命令行下tc ebp==12FFC0Start ESP Value-4

 

00ADEF1D   ^\E9 28FBFFFF        jmp 00A8EA4A  //断在这里,开始处理Stolen Code了,恶梦开了。。。

00ADEF22     0000               add byte ptr ds:[eax],al

 

5.      00ADEF1D   ^\E9 28FBFFFF        jmp 00ADEA4A  //断在这,开始处理Stolen Code,以下没有特别说明全部使用F8

00ADEF22     0000               add byte ptr ds:[eax],al

6.      接下去,会经过很多被抽取的代码,所以没有完全列出。

7.      二进制代码(刚好106字节)

    

55 8B EC 6A FF 68 80 72 40 00 68 D8 53 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68

5B 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 63 40 00 59 83 0D B8 99 40 00 FF 83 0D BC 99 40

00 FF FF 15 C8 63 40 00 8B 0D AC 99 40 00 89 08 FF 15 DC 63 40 00 8B 0D A8 99 40 00 89 08 A1 E0

63 40 00 8B 00 A3 B4 99 40 00

 

我们现在补上Stolen Code

 

0040524C     55                 push ebp

0040524D     8BEC               mov ebp,esp

0040524F     6A FF              push -1

00405251     68 80724000        push wowcrown.00407280

00405256     68 D8534000        push wowcrown.004053D8               ; jmp to msvcrt._except_handler3

0040525B     64:A1 00000000     mov eax,dword ptr fs:[0]

00405261     50                 push eax

00405262     64:8925 00000000   mov dword ptr fs:[0],esp

00405269     83EC 68            sub esp,68

0040526C     5B                 pop ebx

0040526D     56                 push esi

0040526E     57                 push edi

0040526F     8965 E8            mov dword ptr ss:[ebp-18],esp

00405272     33DB               xor ebx,ebx

00405274     895D FC            mov dword ptr ss:[ebp-4],ebx

00405277     6A 02              push 2

00405279     FF15 C4634000      call dword ptr ds:[4063C4]           ; msvcrt.__set_app_type

0040527F     59                 pop ecx

00405280     830D B8994000 FF   or dword ptr ds:[4099B8],FFFFFFFF

00405287     830D BC994000 FF   or dword ptr ds:[4099BC],FFFFFFFF

0040528E     FF15 C8634000      call dword ptr ds:[4063C8]           ; msvcrt.__p__fmode

00405294     8B0D AC994000      mov ecx,dword ptr ds:[4099AC]

0040529A     8908               mov dword ptr ds:[eax],ecx

0040529C     FF15 DC634000      call dword ptr ds:[4063DC]           ; msvcrt.__p__commode

004052A2     8B0D A8994000      mov ecx,dword ptr ds:[4099A8]

004052A8     8908               mov dword ptr ds:[eax],ecx

004052AA     A1 E0634000        mov eax,dword ptr ds:[4063E0]

004052AF     8B00               mov eax,dword ptr ds:[eax]

004052B1     A3 B4994000        mov dword ptr ds:[4099B4],eax

 

8.      LordPE纠正大小脱壳!打开ImpRECOEP524C--自动搜索IAT--获取输入表--发现有很多无效!(可以使用等级1修复。第二个无效函数是kernel32.dll中补上GetModuleHandleA这个函数即可。最后一个无效函数可以剪切掉。程序即可运行)(注:这种情况仅作者的电脑上遇到,如果有人跟我遇到跟我一样的问题也可以参考一下)

 

 

 

注:有参考天草老师的笔记



[注意]APP应用上架合规检测服务,协助应用顺利上架!

收藏
免费 0
支持
分享
最新回复 (0)
游客
登录 | 注册 方可回帖
返回
//