My very first unpacking attempt and I ran into UltraProtect 1.x -> RISCO Software Inc.
From what I found online, this packer is quite a handful for beginners.
The target this time is an 802.1x authentication client.
PEiD 0.94 identifies it as this packer.
Loading it in Olly, this is what you get right at the start,
and I had no idea how to deal with it:
00625000 > 60 PUSHAD
00625001 85FA TEST EDX,EDI
00625003 C1EA 84 SHR EDX,84 ; shift constant out of 1..31 range
00625006 7E 03 JLE SHORT DigitalC.0062500B
00625008 7F 01 JG SHORT DigitalC.0062500B
0062500A EA 66C1CA06 EB0>JMP FAR 01EB:06CAC166 ; far jump
00625011 ^ 72 FC JB SHORT DigitalC.0062500F
00625013 50 PUSH EAX
00625014 E8 01000000 CALL DigitalC.0062501A
00625019 7D 58 JGE SHORT DigitalC.00625073
0062501B 58 POP EAX
0062501C 03F1 ADD ESI,ECX
0062501E 7E 03 JLE SHORT DigitalC.00625023
00625020 7F 01 JG SHORT DigitalC.00625023
00625022 7D 66 JGE SHORT DigitalC.0062508A
00625024 C1DA 6F RCR EDX,6F ; shift constant out of 1..31 range
00625027 E8 01000000 CALL DigitalC.0062502D
0062502C - 7C 83 JL SHORT DigitalC.00624FB1
0062502E C40466 LES EAX,FWORD PTR DS:[ESI] ; modification of segment register
00625031 81D6 1AE3EB01 ADC ESI,1EBE31A
00625037 73 0F JNB SHORT DigitalC.00625048
00625039 8201 00 ADD BYTE PTR DS:[ECX],0
0062503C 0000 ADD BYTE PTR DS:[EAX],AL
0062503E 4A DEC EDX
0062503F EB 01 JMP SHORT DigitalC.00625042
00625041 - 77 81 JA SHORT DigitalC.00624FC4
00625043 - E2 9C LOOPD SHORT DigitalC.00624FE1
00625045 D925 BDE80100 FLDENV (28-BYTE) PTR DS:[1E8BD]
0062504B 0000 ADD BYTE PTR DS:[EAX],AL
0062504D - 72 83 JB SHORT DigitalC.00624FD2
I did try the ESP trick once, but since I've only just started with cracking I don't have much experience.
dd esp, set a breakpoint there,
and after F9 (run) I hit an INT 3:
0062B394 CC INT3
0062B395 90 NOP ;stopped here=============
0062B396 64:67:8F06 0000 POP DWORD PTR FS:[0]
0062B39C 83C4 04 ADD ESP,4
0062B39F 60 PUSHAD
0062B3A0 E8 00000000 CALL DigitalC.0062B3A5
0062B3A5 5E POP ESI
0062B3A6 83EE 06 SUB ESI,6
0062B3A9 B9 5B000000 MOV ECX,5B
0062B3AE 29CE SUB ESI,ECX
0062B3B0 BA 97B4C450 MOV EDX,50C4B497
0062B3B5 C1E9 02 SHR ECX,2
0062B3B8 83E9 02 SUB ECX,2
0062B3BB 83F9 00 CMP ECX,0
0062B3BE 7C 1A JL SHORT DigitalC.0062B3DA
0062B3C0 8B048E MOV EAX,DWORD PTR DS:[ESI+ECX*4]
0062B3C3 8B5C8E 04 MOV EBX,DWORD PTR DS:[ESI+ECX*4+4]
0062B3C7 2BC3 SUB EAX,EBX
0062B3C9 C1C8 1D ROR EAX,1D
0062B3CC 2BC2 SUB EAX,EDX
0062B3CE 81C2 BAF2555E ADD EDX,5E55F2BA
0062B3D4 89048E MOV DWORD PTR DS:[ESI+ECX*4],EAX
0062B3D7 49 DEC ECX
0062B3D8 ^ EB E1 JMP SHORT DigitalC.0062B3BB
0062B3DA 61 POPAD
0062B3DB 61 POPAD
0062B3DC C3 RETN
0062B3DD 0000 ADD BYTE PTR DS:[EAX],AL
0062B3DF 0000 ADD BYTE PTR DS:[EAX],AL
0062B3E1 0060 0F ADD BYTE PTR DS:[EAX+F],AH
0062B3E4 8A01 MOV AL,BYTE PTR DS:[ECX]
0062B3E6 0000 ADD BYTE PTR DS:[EAX],AL
0062B3E8 00F9 ADD CL,BH
0062B3EA F8 CLC
0062B3EB E8 01000000 CALL DigitalC.0062B3F1
0062B3F0 EA 83C40481 D9C>JMP FAR CBD9:8104C483 ; far jump
0062B3F7 E6 5E OUT 5E,AL ; I/O command
0062B3F9 23E8 AND EBP,EAX
0062B3FB 0100 ADD DWORD PTR DS:[EAX],EAX
0062B3FD 0000 ADD BYTE PTR DS:[EAX],AL
0062B3FF EA 83C404FC EB0>JMP FAR 01EB:FC04C483 ; far jump
Then F9 again,
and this time I hit an INT 1:
0062B07F C3 RETN
0062B080 64:67:FF36 0000 PUSH DWORD PTR FS:[0]
0062B086 64:67:8926 0000 MOV DWORD PTR FS:[0],ESP
0062B08C 33C0 XOR EAX,EAX
0062B08E CD 01 INT 1 ;stopped here===============
0062B090 40 INC EAX
0062B091 40 INC EAX
0062B092 0BC0 OR EAX,EAX
0062B094 0F85 B6000000 JNZ DigitalC.0062B150
0062B09A 60 PUSHAD
0062B09B 8DBD 36B74100 LEA EDI,DWORD PTR SS:[EBP+41B736]
0062B0A1 4F DEC EDI
0062B0A2 8D8D 70BE4100 LEA ECX,DWORD PTR SS:[EBP+41BE70]
0062B0A8 83C1 02 ADD ECX,2
0062B0AB 2BCF SUB ECX,EDI
0062B0AD C1E9 02 SHR ECX,2
0062B0B0 E8 49D8FFFF CALL DigitalC.006288FE
0062B0B5 AB STOS DWORD PTR ES:[EDI]
0062B0B6 ^ E2 F8 LOOPD SHORT DigitalC.0062B0B0
0062B0B8 61 POPAD
0062B0B9 60 PUSHAD
0062B0BA E8 92DAFFFF CALL DigitalC.00628B51
0062B0BF B8 05000000 MOV EAX,5
0062B0C4 E8 21D8FFFF CALL DigitalC.006288EA
0062B0C9 83F8 00 CMP EAX,0
0062B0CC 74 28 JE SHORT DigitalC.0062B0F6
0062B0CE 90 NOP
0062B0CF 90 NOP
0062B0D0 90 NOP
0062B0D1 90 NOP
0062B0D2 83F8 01 CMP EAX,1
0062B0D5 74 30 JE SHORT DigitalC.0062B107
0062B0D7 90 NOP
0062B0D8 90 NOP
0062B0D9 90 NOP
0062B0DA 90 NOP
0062B0DB 83F8 02 CMP EAX,2
0062B0DE 74 32 JE SHORT DigitalC.0062B112
0062B0E0 90 NOP
0062B0E1 90 NOP
0062B0E2 90 NOP
0062B0E3 90 NOP
0062B0E4 83F8 03 CMP EAX,3
0062B0E7 74 34 JE SHORT DigitalC.0062B11D
0062B0E9 90 NOP
0062B0EA 90 NOP
0062B0EB 90 NOP
0062B0EC 90 NOP
0062B0ED 83F8 04 CMP EAX,4
0062B0F0 74 36 JE SHORT DigitalC.0062B128
0062B0F2 90 NOP
0062B0F3 90 NOP
0062B0F4 90 NOP
0062B0F5 90 NOP
0062B0F6 8DB5 36B74100 LEA ESI,DWORD PTR SS:[EBP+41B736]
0062B0FC E8 FDD7FFFF CALL DigitalC.006288FE
0062B101 AB STOS DWORD PTR ES:[EDI]
0062B102 EB 4B JMP SHORT DigitalC.0062B14F
0062B104 90 NOP
0062B105 90 NOP
0062B106 90 NOP
0062B107 8DB5 C2864000 LEA ESI,DWORD PTR SS:[EBP+4086C2]
0062B10D EB 1F JMP SHORT DigitalC.0062B12E
0062B10F 90 NOP
0062B110 90 NOP
0062B111 90 NOP
0062B112 8DB5 90794000 LEA ESI,DWORD PTR SS:[EBP+407990]
0062B118 EB 14 JMP SHORT DigitalC.0062B12E
0062B11A 90 NOP
0062B11B 90 NOP
0062B11C 90 NOP
0062B11D 8DB5 907C4000 LEA ESI,DWORD PTR SS:[EBP+407C90]
0062B123 EB 09 JMP SHORT DigitalC.0062B12E
0062B125 90 NOP
0062B126 90 NOP
0062B127 90 NOP
0062B128 8DB5 52A04000 LEA ESI,DWORD PTR SS:[EBP+40A052]
0062B12E B8 0A000000 MOV EAX,0A
0062B133 E8 B2D7FFFF CALL DigitalC.006288EA
0062B138 8BC8 MOV ECX,EAX
0062B13A 41 INC ECX
0062B13B B8 1E000000 MOV EAX,1E
At the same time there was an access violation [FFFFFFFF].
After Shift+F9, OllyDbg simply exited......
I read on a foreign website that INT 3 and INT 1 are commonly used anti-debug techniques,
and the INT 1 anti-debug sample code shown there is exactly what I ran into here.
I know full well it's dangerous, but I don't know how to handle it.
During one single-step trace, by accident (at my current level, getting that far can only be luck), I reached the code where the program checks for debugging tools.
It checks for no fewer than 20 programs, scary......
I'd be grateful if the experts here could give me some pointers.
Even though I know this packer is not to be trifled with, I do have the patience for it.
If there is any background knowledge I need to fill in, I'm happy to go and learn it.
Right now I really have no clue.
Frustrated!!!!
(I may not be able to get online for the next few days; apologies if replies are slow)
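As an added example (not code from the post, from the packer, or from its author), here is a small Python script for triaging a listing like the ones above before stepping through it: it parses OllyDbg disassembly lines as pasted in the post (address, `>`/`^`/`-` markers, opcode bytes with `:` prefixes, mnemonic, `;` comment), rebuilds a sparse address-to-byte map, and reports where the two exception-based anti-debug stubs occur. The signatures are built from the opcode bytes shown in the listings (PUSH DWORD PTR FS:[0] / MOV DWORD PTR FS:[0],ESP / XOR EAX,EAX / INT 1, and INT3 / NOP / POP DWORD PTR FS:[0]); the function names and the sample input, a constructed excerpt of the listing, are mine. The SEH frame installed immediately before the INT is what these stubs rely on: with no debugger attached, the program's own handler at FS:[0] receives the exception, while a debugger that intercepts it first changes which path the INC EAX / OR EAX,EAX / JNZ sequence takes, which is why knowing the addresses up front matters.

```python
import re
from dataclasses import dataclass

# One OllyDbg listing line as pasted into forum posts:
#   address, optional markers (">" current EIP, "^"/"-" jump direction),
#   opcode bytes (prefixes joined with ":"), mnemonic, then an optional ";comment".
HEX_TOKEN = re.compile(r"^(?:[0-9A-F]{2}:)*(?:[0-9A-F]{2})+$")
MARKERS = {">", "^", "-"}
ADDR_RE = re.compile(r"^([0-9A-Fa-f]{8})\s+(.*)$")


@dataclass
class OllyLine:
    addr: int
    code: bytes      # opcode bytes shown on the line (Olly truncates long ones with ">")
    mnemonic: str
    comment: str


def parse_olly_line(line: str):
    """Parse one listing line; return None for prose lines that are not listing output."""
    m = ADDR_RE.match(line.strip())
    if not m:
        return None
    addr = int(m.group(1), 16)
    text, _, comment = m.group(2).partition(";")
    tokens = text.split()
    i = 0
    while i < len(tokens) and tokens[i] in MARKERS:
        i += 1
    code = bytearray()
    # Only even-length hex tokens count as opcode bytes; that keeps hex-looking
    # mnemonics such as ADD or DEC (odd length) out of the byte stream.
    while i < len(tokens) and HEX_TOKEN.match(tokens[i]):
        code += bytes.fromhex(tokens[i].replace(":", ""))
        i += 1
    return OllyLine(addr, bytes(code), " ".join(tokens[i:]), comment.strip())


def load_listing(text: str):
    """Parse a pasted listing into lines plus a sparse address->byte map."""
    mem, lines = {}, []
    for raw in text.splitlines():
        parsed = parse_olly_line(raw)
        if parsed is None:
            continue
        lines.append(parsed)
        for k, b in enumerate(parsed.code):
            mem[parsed.addr + k] = b
    return lines, mem


# Byte signatures for the two exception-based stubs seen in the post.
# Each entry: name, signature bytes, offset of the INT instruction inside the signature.
SIGNATURES = [
    ("SEH frame + INT 1 (single-step exception)",
     bytes.fromhex("6467FF360000"    # PUSH DWORD PTR FS:[0]
                   "646789260000"    # MOV DWORD PTR FS:[0],ESP
                   "33C0"            # XOR EAX,EAX
                   "CD01"),          # INT 1
     14),
    ("INT3 + SEH unwind (breakpoint exception)",
     bytes.fromhex("CC"              # INT3
                   "90"              # NOP
                   "64678F060000"),  # POP DWORD PTR FS:[0]
     0),
]


def scan(mem: dict, signatures=SIGNATURES):
    """Return (address_of_INT, name) for every signature found in the sparse byte map."""
    hits = []
    for start in sorted(mem):
        for name, sig, int_off in signatures:
            # mem.get() returns None across holes left by truncated lines, so a
            # signature never matches through missing bytes.
            if all(mem.get(start + k) == b for k, b in enumerate(sig)):
                hits.append((start + int_off, name))
    return hits


# Constructed sample: an excerpt of the listing quoted in the post, plus one prose line.
SAMPLE = """
0062B394 CC INT3
0062B395 90 NOP ;stopped here
0062B396 64:67:8F06 0000 POP DWORD PTR FS:[0]
0062B39C 83C4 04 ADD ESP,4
Then F9 again, and this time I hit an INT 1:
0062B07F C3 RETN
0062B080 64:67:FF36 0000 PUSH DWORD PTR FS:[0]
0062B086 64:67:8926 0000 MOV DWORD PTR FS:[0],ESP
0062B08C 33C0 XOR EAX,EAX
0062B08E CD 01 INT 1 ;stopped here
0062B090 40 INC EAX
0062B091 40 INC EAX
0062B092 0BC0 OR EAX,EAX
0062B094 0F85 B6000000 JNZ DigitalC.0062B150
"""


def report(text: str = SAMPLE):
    """Human-readable lines: address, mnemonic at the INT, and the stub it belongs to."""
    lines, mem = load_listing(text)
    by_addr = {ln.addr: ln for ln in lines}
    return [f"{addr:08X} {by_addr[addr].mnemonic:<6} {name}" for addr, name in scan(mem)]


if __name__ == "__main__":
    print("\n".join(report()))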