[原创]DAStub加壳的98记事本 脱壳分析
发表于: 2006-9-13 13:49 2935
【破解日期】 2006年9月13日
【破解作者】 冷血书生
【作者邮箱】 colddoctor@126.com
【作者主页】 http://www.126sohu.com
【使用工具】 OD
【破解平台】 Win9x/NT/2000/XP
【软件名称】 DAStub加壳的98记事本
【下载地址】 本地下载
【软件大小】 33.5K
【加壳方式】 DAStub
【破解声明】 我是一只小菜鸟,偶得一点心得,愿与大家分享:)
水平太菜,不足之处,还请各位大侠指点
--------------------------------------------------------------------------------
【破解内容】
; ===========================================================================
; DAStub loader, stage 1: resolve the APIs the stub itself needs.
; "KERNEL32.dll" and the five API names below are stored encrypted in the
; stub's data area.  The pattern repeated for each one is:
;   inline strlen (repne scas)  ->  call 0040CCE0(ptr, len, 0040E034)
;   (decrypt in place)  ->  LoadLibraryA / GetProcAddress(hKernel32, ptr)
;   ->  store the pointer in a global  ->  zero the plaintext (rep stos, eax=0).
; Analysis consequence: once this stage has run none of these names exists in
; memory any more, so a string search on a dump finds nothing -- break on
; LoadLibraryA / GetProcAddress, or read the stored pointers directly.
; Stored pointers: [40E0D4] GlobalAlloc   [40E0DC] GlobalFree
;                  [40E0D8] IsDebuggerPresent   [40E0D0] ExitProcess
;                  [40E0CC] VirtualProtect
; 0040E034 is pushed as the third argument of every 0040CCE0 call; what it
; holds is not visible here -- presumably a key/context block, confirm inside
; 0040CCE0.  Note that LoadLibraryA and GetProcAddress themselves come from the
; stub's own import table (<&KERNEL32.LoadLi>, <&KERNEL32.Get>), so those two
; stay visible in the IAT.
; ===========================================================================
0040C2B0 N>mov edi,NOTEPAD.0040E04C /// OllyDbg stops here on load: stub entry point
0040C2B5 or ecx,FFFFFFFF ; ecx = -1: inline strlen of the still-encrypted "KERNEL32.dll" (the encrypted form is NUL-terminated)
0040C2B8 xor eax,eax
0040C2BA push NOTEPAD.0040E034 ; 3rd arg of 0040CCE0, pushed early
0040C2BF repne scas byte ptr es:[edi]
0040C2C1 not ecx
0040C2C3 dec ecx ; ecx = string length
0040C2C4 push ecx ; 2nd arg: length
0040C2C5 push NOTEPAD.0040E04C ; ASCII "KERNEL32.dll" ; 1st arg: string, decrypted in place
0040C2CA call NOTEPAD.0040CCE0 ; decrypt-string call (internals not shown)
0040C2CF add esp,0C ; cdecl, 3 args
0040C2D2 push NOTEPAD.0040E04C ; ASCII "KERNEL32.dll"
0040C2D7 call dword ptr ds:[<&KERNEL32.LoadLi>; kernel32.LoadLibraryA ; the only LoadLibraryA call in the stub
0040C2DD mov esi,eax ; esi = hKernel32, used for every GetProcAddress below
0040C2DF mov edi,NOTEPAD.0040E04C ; ASCII "KERNEL32.dll" ; wipe the plaintext: strlen again, then zero-fill
0040C2E4 or ecx,FFFFFFFF
0040C2E7 xor eax,eax ; eax = 0 is the fill value for rep stos
0040C2E9 repne scas byte ptr es:[edi]
0040C2EB not ecx
0040C2ED dec ecx
0040C2EE mov edi,NOTEPAD.0040E04C ; ASCII "KERNEL32.dll"
0040C2F3 mov edx,ecx
0040C2F5 push NOTEPAD.0040E034 ; 3rd arg for the NEXT 0040CCE0 call, hoisted above the wipe
0040C2FA shr ecx,2
0040C2FD rep stos dword ptr es:[edi] ; len/4 dwords ...
0040C2FF mov ecx,edx
0040C301 and ecx,3
0040C304 rep stos byte ptr es:[edi] ; ... plus len%4 bytes
0040C306 mov edi,NOTEPAD.0040E05C ; ASCII "GlobalAlloc" ; --- same pattern: GlobalAlloc
0040C30B or ecx,FFFFFFFF
0040C30E xor eax,eax
0040C310 repne scas byte ptr es:[edi]
0040C312 not ecx
0040C314 dec ecx
0040C315 push ecx
0040C316 push NOTEPAD.0040E05C ; ASCII "GlobalAlloc"
0040C31B call NOTEPAD.0040CCE0 ; decrypt-string call
0040C320 mov ebx,dword ptr ds:[<&KERNEL32.Get>; kernel32.GetProcAddress ; ebx = GetProcAddress for all lookups below
0040C326 add esp,0C
0040C329 push NOTEPAD.0040E05C ; ASCII "GlobalAlloc"
0040C32E push esi ; hKernel32
0040C32F call ebx ; GetProcAddress
0040C331 mov dword ptr ds:[40E0D4],eax ; [40E0D4] = GlobalAlloc
0040C336 mov edi,NOTEPAD.0040E05C ; ASCII "GlobalAlloc" ; wipe plaintext
0040C33B or ecx,FFFFFFFF
0040C33E xor eax,eax
0040C340 repne scas byte ptr es:[edi]
0040C342 not ecx
0040C344 dec ecx
0040C345 mov edi,NOTEPAD.0040E05C ; ASCII "GlobalAlloc"
0040C34A mov edx,ecx
0040C34C push NOTEPAD.0040E034
0040C351 shr ecx,2
0040C354 rep stos dword ptr es:[edi]
0040C356 mov ecx,edx
0040C358 and ecx,3
0040C35B rep stos byte ptr es:[edi]
0040C35D mov edi,NOTEPAD.0040E068 ; ASCII "GlobalFree" ; --- GlobalFree
0040C362 or ecx,FFFFFFFF
0040C365 xor eax,eax
0040C367 repne scas byte ptr es:[edi]
0040C369 not ecx
0040C36B dec ecx
0040C36C push ecx
0040C36D push NOTEPAD.0040E068 ; ASCII "GlobalFree"
0040C372 call NOTEPAD.0040CCE0 ; decrypt-string call
0040C377 add esp,0C
0040C37A push NOTEPAD.0040E068 ; ASCII "GlobalFree"
0040C37F push esi
0040C380 call ebx
0040C382 mov dword ptr ds:[40E0DC],eax ; [40E0DC] = GlobalFree
0040C387 mov edi,NOTEPAD.0040E068 ; ASCII "GlobalFree" ; wipe plaintext
0040C38C or ecx,FFFFFFFF
0040C38F xor eax,eax
0040C391 repne scas byte ptr es:[edi]
0040C393 not ecx
0040C395 dec ecx
0040C396 mov edi,NOTEPAD.0040E068 ; ASCII "GlobalFree"
0040C39B mov edx,ecx
0040C39D shr ecx,2
0040C3A0 rep stos dword ptr es:[edi]
0040C3A2 mov ecx,edx
0040C3A4 push NOTEPAD.0040E034
0040C3A9 and ecx,3
0040C3AC rep stos byte ptr es:[edi]
0040C3AE mov edi,NOTEPAD.0040E074 ; ASCII "IsDebuggerPresent" ; --- IsDebuggerPresent (used by the check at 0040C49C)
0040C3B3 or ecx,FFFFFFFF
0040C3B6 xor eax,eax
0040C3B8 repne scas byte ptr es:[edi]
0040C3BA not ecx
0040C3BC dec ecx
0040C3BD push ecx
0040C3BE push NOTEPAD.0040E074 ; ASCII "IsDebuggerPresent"
0040C3C3 call NOTEPAD.0040CCE0 ; decrypt-string call
0040C3C8 add esp,0C
0040C3CB push NOTEPAD.0040E074 ; ASCII "IsDebuggerPresent"
0040C3D0 push esi
0040C3D1 call ebx
0040C3D3 mov dword ptr ds:[40E0D8],eax ; [40E0D8] = IsDebuggerPresent
0040C3D8 mov edi,NOTEPAD.0040E074 ; ASCII "IsDebuggerPresent" ; wipe plaintext
0040C3DD or ecx,FFFFFFFF
0040C3E0 xor eax,eax
0040C3E2 repne scas byte ptr es:[edi]
0040C3E4 not ecx
0040C3E6 dec ecx
0040C3E7 mov edi,NOTEPAD.0040E074 ; ASCII "IsDebuggerPresent"
0040C3EC mov edx,ecx
0040C3EE push NOTEPAD.0040E034
0040C3F3 shr ecx,2
0040C3F6 rep stos dword ptr es:[edi]
0040C3F8 mov ecx,edx
0040C3FA and ecx,3
0040C3FD rep stos byte ptr es:[edi]
0040C3FF mov edi,NOTEPAD.0040E088 ; ASCII "ExitProcess" ; --- ExitProcess (the anti-debug exit path)
0040C404 or ecx,FFFFFFFF
0040C407 xor eax,eax
0040C409 repne scas byte ptr es:[edi]
0040C40B not ecx
0040C40D dec ecx
0040C40E push ecx
0040C40F push NOTEPAD.0040E088 ; ASCII "ExitProcess"
0040C414 call NOTEPAD.0040CCE0 ; decrypt-string call
0040C419 add esp,0C
0040C41C push NOTEPAD.0040E088 ; ASCII "ExitProcess"
0040C421 push esi
0040C422 call ebx
0040C424 mov dword ptr ds:[40E0D0],eax ; [40E0D0] = ExitProcess
0040C429 mov edi,NOTEPAD.0040E088 ; ASCII "ExitProcess" ; wipe plaintext
0040C42E or ecx,FFFFFFFF
0040C431 xor eax,eax
0040C433 repne scas byte ptr es:[edi]
0040C435 not ecx
0040C437 dec ecx
0040C438 mov edi,NOTEPAD.0040E088 ; ASCII "ExitProcess"
0040C43D mov edx,ecx
0040C43F push NOTEPAD.0040E034
0040C444 shr ecx,2
0040C447 rep stos dword ptr es:[edi]
0040C449 mov ecx,edx
0040C44B and ecx,3
0040C44E rep stos byte ptr es:[edi]
0040C450 mov edi,NOTEPAD.0040E094 ; ASCII "VirtualProtect" ; --- VirtualProtect (used to make sections/header writable)
0040C455 or ecx,FFFFFFFF
0040C458 xor eax,eax
0040C45A repne scas byte ptr es:[edi]
0040C45C not ecx
0040C45E dec ecx
0040C45F push ecx
0040C460 push NOTEPAD.0040E094 ; ASCII "VirtualProtect"
0040C465 call NOTEPAD.0040CCE0 ; decrypt-string call
0040C46A add esp,0C
0040C46D push NOTEPAD.0040E094 ; ASCII "VirtualProtect"
0040C472 push esi
0040C473 call ebx
0040C475 mov dword ptr ds:[40E0CC],eax ; [40E0CC] = VirtualProtect
0040C47A mov edi,NOTEPAD.0040E094 ; ASCII "VirtualProtect" ; wipe plaintext (no 0040E034 push here: the next decrypt call pushes its own at 0040C4FA)
0040C47F or ecx,FFFFFFFF
0040C482 xor eax,eax
0040C484 repne scas byte ptr es:[edi]
0040C486 not ecx
0040C488 dec ecx
0040C489 mov edi,NOTEPAD.0040E094 ; ASCII "VirtualProtect"
0040C48E mov edx,ecx
0040C490 shr ecx,2
0040C493 rep stos dword ptr es:[edi]
0040C495 mov ecx,edx
0040C497 and ecx,3
0040C49A rep stos byte ptr es:[edi]
; ===========================================================================
; Stage 2: anti-debug.  A single IsDebuggerPresent() call, i.e. a read of
; PEB.BeingDebugged; the result is compared with exactly 1.  Under a debugger
; the stub calls ExitProcess(0) and nothing below ever runs, so defeat this
; first: clear PEB.BeingDebugged (OllyDbg hide plugin), or patch the jnz at
; 0040C4A5 to jmp, or step over the call and set eax = 0.
; No other debugger check is visible in this listing; 0040C740 / 0040CB10
; (called at 0040C709 / 0040C70E) are not shown, so more may exist there.
; ===========================================================================
0040C49C call dword ptr ds:[40E0D8] ; kernel32.IsDebuggerPresent
0040C4A2 cmp eax,1 ; BOOL compare against TRUE
0040C4A5 jnz short NOTEPAD.0040C4AF ; not debugged -> continue unpacking
0040C4A7 push 0
0040C4A9 call dword ptr ds:[40E0D0] ; kernel32.ExitProcess ; debugged -> silent exit, no message
; ===========================================================================
; Stage 3: decrypt the stub's 0x18-byte config block, compute the image base
; and locate the section table.
; Config block at 0040E000 after decryption, as read by this listing:
;   [40E000] OEP RVA (used at 0040C719)
;   [40E008] RVA of the stub entry point (used for the image-base calculation)
;   [40E00C] split offset inside .rsrc (used in the section loop)
; The remaining fields are not read anywhere in this listing.
; ===========================================================================
0040C4AF push 18 ; 0x18 bytes
0040C4B1 push 40 ; 0x40 = GMEM_ZEROINIT
0040C4B3 call dword ptr ds:[40E0D4] ; kernel32.GlobalAlloc
0040C4B9 mov ebx,eax ; ebx = scratch buffer
0040C4BB push ebx ; 2nd arg: dst = buffer
0040C4BC push NOTEPAD.0040E000 ; 1st arg: src = encrypted config block
0040C4C1 call NOTEPAD.0040C000 ; 0040C000(src, dst): same routine later used on the sections; internals not shown, "decrypt" is inferred from its use
0040C4C6 add esp,8
0040C4C9 mov ecx,6 ; copy the 6 decoded dwords (0x18 bytes) back over 0040E000
0040C4CE mov esi,ebx
0040C4D0 mov edi,NOTEPAD.0040E000
0040C4D5 rep movs dword ptr es:[edi],dword pt>
0040C4D7 push ebx
0040C4D8 call dword ptr ds:[40E0DC] ; kernel32.GlobalFree
0040C4DE mov esi,dword ptr ds:[40E008] ; RVA of the stub entry point
0040C4E4 mov eax,offset NOTEPAD.<模块入口点> ; ASCII "刻嗬" ; VA of the module entry point (OllyDbg's ASCII guess is noise)
0040C4E9 sub eax,esi ; eax = image base, computed at run time rather than hard-coded
0040C4EB xor ecx,ecx
0040C4ED mov dword ptr ds:[40E0E0],eax ; [40E0E0] = image base
0040C4F2 mov edi,NOTEPAD.0040E044 ; ASCII ".rsrc"
0040C4F7 mov esi,dword ptr ds:[eax+3C] ; IMAGE_DOS_HEADER.e_lfanew
0040C4FA push NOTEPAD.0040E034 ; 3rd arg for the 0040CCE0 call below
0040C4FF add esi,eax ; esi = IMAGE_NT_HEADERS
0040C501 mov dword ptr ss:[ebp-18],esi ; saved for the header patch at 0040C6DC
0040C504 mov cx,word ptr ds:[esi+14] ; FileHeader.SizeOfOptionalHeader
0040C508 mov ax,word ptr ds:[esi+6] ; FileHeader.NumberOfSections
0040C50C mov word ptr ss:[ebp-10],ax
0040C510 xor eax,eax
0040C512 lea ebx,dword ptr ds:[ecx+esi+18] ; ebx = first IMAGE_SECTION_HEADER (NT headers + 0x18 + SizeOfOptionalHeader)
0040C516 or ecx,FFFFFFFF ; strlen of the still-encrypted ".rsrc" string
0040C519 repne scas byte ptr es:[edi]
0040C51B not ecx
0040C51D dec ecx
0040C51E push ecx
0040C51F push NOTEPAD.0040E044 ; ASCII ".rsrc"
0040C524 call NOTEPAD.0040CCE0 ; decrypt-string call: this decrypts the ".rsrc" NAME used for comparison, not the section contents
0040C529 mov eax,dword ptr ss:[ebp-10]
0040C52C add esp,0C
0040C52F and eax,0FFFF ; NumberOfSections as a dword
0040C534 dec eax ; only NumberOfSections-1 sections are processed: the last one is skipped here and hidden at 0040C6F1
0040C535 test eax,eax
0040C537 jle NOTEPAD.0040C6DF ; nothing to decrypt -> straight to the header patch
0040C53D mov dword ptr ss:[ebp-10],eax ; [ebp-10] = sections left
; ===========================================================================
; Stage 4: decrypt the first NumberOfSections-1 sections in place.
; Loop state: ebx = current IMAGE_SECTION_HEADER (+8 VirtualSize,
;   +C VirtualAddress, +10 SizeOfRawData); [ebp-10] = sections left;
;   [ebp-1] = "this section is .rsrc"; [ebp-14] = heap copy of the section;
;   [ebp-C] = second heap copy, only for the head of .rsrc; [ebp-8] = old
;   page protection.
; Per section: copy raw bytes to a GlobalAlloc buffer -> VirtualProtect
; (section, VirtualSize, PAGE_READWRITE) -> 0040C000(copy, section) writes
; back over the mapped section -> restore protection -> GlobalFree.
; .rsrc is split at offset [40E00C]: the tail goes through 0040C000 like any
; other section, the head through 0040C8F0.  Neither routine is shown here;
; both are called as (src, dst), matching the config-block call at 0040C4C1,
; so "decode src into dst" is an inference -- step into them to confirm.
; ===========================================================================
0040C540 mov byte ptr ss:[ebp-1],0 ; loop top: is-.rsrc flag = 0
0040C544 mov esi,NOTEPAD.0040E044 ; ASCII ".rsrc"
0040C549 mov edi,ebx ; inline strcmp(section->Name, ".rsrc"), two bytes per iteration
0040C54B mov dl,byte ptr ds:[edi]
0040C54D mov cl,byte ptr ds:[esi]
0040C54F mov al,dl
0040C551 cmp dl,cl
0040C553 jnz short NOTEPAD.0040C573
0040C555 test al,al
0040C557 je short NOTEPAD.0040C56F
0040C559 mov cl,byte ptr ds:[edi+1]
0040C55C mov dl,byte ptr ds:[esi+1]
0040C55F mov al,cl
0040C561 cmp cl,dl
0040C563 jnz short NOTEPAD.0040C573
0040C565 add edi,2
0040C568 add esi,2
0040C56B test al,al
0040C56D jnz short NOTEPAD.0040C54B
0040C56F xor eax,eax ; equal -> 0
0040C571 jmp short NOTEPAD.0040C578
0040C573 sbb eax,eax ; not equal -> -1 / +1
0040C575 sbb eax,-1
0040C578 test eax,eax
0040C57A jnz short NOTEPAD.0040C580
0040C57C mov byte ptr ss:[ebp-1],1 ; name matched -> this is .rsrc
0040C580 mov eax,dword ptr ds:[ebx+10] ; SizeOfRawData
0040C583 test eax,eax
0040C585 je NOTEPAD.0040C6CC ; no raw data -> next section
0040C58B push eax
0040C58C push 40 ; GMEM_ZEROINIT
0040C58E call dword ptr ds:[40E0D4] ; kernel32.GlobalAlloc ; buffer for a copy of the section's raw bytes
0040C594 mov edx,eax
0040C596 mov al,byte ptr ss:[ebp-1]
0040C599 test al,al
0040C59B mov dword ptr ss:[ebp-14],edx ; [ebp-14] = copy buffer
0040C59E mov dword ptr ss:[ebp-C],0 ; [ebp-C] = no second buffer yet
0040C5A5 je short NOTEPAD.0040C623 ; not .rsrc -> plain full copy
0040C5A7 mov edi,NOTEPAD.0040E044 ; ASCII ".rsrc" ; .rsrc found: zero the ".rsrc" string so it cannot match a later section
0040C5AC or ecx,FFFFFFFF
0040C5AF xor eax,eax
0040C5B1 repne scas byte ptr es:[edi]
0040C5B3 not ecx
0040C5B5 dec ecx
0040C5B6 mov edi,NOTEPAD.0040E044 ; ASCII ".rsrc"
0040C5BB mov esi,ecx
0040C5BD shr ecx,2
0040C5C0 rep stos dword ptr es:[edi]
0040C5C2 mov ecx,esi
0040C5C4 mov esi,dword ptr ds:[40E0E0] ; NOTEPAD.00400000 ; image base
0040C5CA and ecx,3
0040C5CD rep stos byte ptr es:[edi]
0040C5CF mov eax,dword ptr ds:[40E00C] ; split offset inside .rsrc
0040C5D4 mov ecx,dword ptr ds:[ebx+10] ; SizeOfRawData
0040C5D7 mov edi,dword ptr ds:[ebx+C] ; VirtualAddress
0040C5DA add esi,eax
0040C5DC sub ecx,eax ; tail length = SizeOfRawData - split
0040C5DE add esi,edi ; esi = base + VA + split
0040C5E0 mov edi,edx ; edi = copy buffer
0040C5E2 mov edx,ecx
0040C5E4 shr ecx,2
0040C5E7 rep movs dword ptr es:[edi],dword pt> ; copy the .rsrc tail into [ebp-14]
0040C5E9 mov ecx,edx
0040C5EB and ecx,3
0040C5EE rep movs byte ptr es:[edi],byte ptr >
0040C5F0 mov eax,dword ptr ds:[40E00C]
0040C5F5 test eax,eax
0040C5F7 je short NOTEPAD.0040C641 ; split == 0: no head part
0040C5F9 push eax
0040C5FA push 40
0040C5FC call dword ptr ds:[40E0D4] ; kernel32.GlobalAlloc ; second buffer, [40E00C] bytes
0040C602 mov esi,dword ptr ds:[40E0E0] ; NOTEPAD.00400000
0040C608 mov edi,dword ptr ds:[ebx+C]
0040C60B mov ecx,dword ptr ds:[40E00C]
0040C611 add esi,edi ; esi = base + VA (start of .rsrc)
0040C613 mov dword ptr ss:[ebp-C],eax ; [ebp-C] = head buffer
0040C616 mov edi,eax
0040C618 mov eax,ecx
0040C61A shr ecx,2
0040C61D rep movs dword ptr es:[edi],dword pt> ; copy the .rsrc head into [ebp-C]
0040C61F mov ecx,eax
0040C621 jmp short NOTEPAD.0040C63C ; share the byte-remainder copy below
0040C623 mov esi,dword ptr ds:[40E0E0] ; NOTEPAD.00400000 ; ordinary section: copy all SizeOfRawData bytes
0040C629 mov edi,dword ptr ds:[ebx+C]
0040C62C mov ecx,dword ptr ds:[ebx+10]
0040C62F add esi,edi ; esi = base + VA
0040C631 mov edi,edx
0040C633 mov edx,ecx
0040C635 shr ecx,2
0040C638 rep movs dword ptr es:[edi],dword pt>
0040C63A mov ecx,edx
0040C63C and ecx,3
0040C63F rep movs byte ptr es:[edi],byte ptr >
0040C641 mov esi,dword ptr ds:[40E0E0] ; NOTEPAD.00400000
0040C647 mov edx,dword ptr ds:[ebx+C]
0040C64A mov ecx,dword ptr ds:[ebx+8] ; VirtualSize
0040C64D lea eax,dword ptr ss:[ebp-8]
0040C650 push eax ; &oldProtect
0040C651 add esi,edx ; esi = base + VA
0040C653 push 4 ; PAGE_READWRITE: execute bit dropped while writing, restored below
0040C655 push ecx
0040C656 push esi
0040C657 call dword ptr ds:[40E0CC] ; kernel32.VirtualProtect ; make the mapped section writable
0040C65D mov edi,dword ptr ss:[ebp-14]
0040C660 push esi ; 2nd arg: dst = mapped section
0040C661 push edi ; 1st arg: src = heap copy
0040C662 call NOTEPAD.0040C000 ; decode copy -> section (internals not shown)
0040C667 mov eax,dword ptr ss:[ebp-8]
0040C66A mov ecx,dword ptr ds:[ebx+8]
0040C66D add esp,8
0040C670 lea edx,dword ptr ss:[ebp-8]
0040C673 push edx
0040C674 push eax ; restore the original protection
0040C675 push ecx
0040C676 push esi
0040C677 call dword ptr ds:[40E0CC] ; kernel32.VirtualProtect
0040C67D push edi
0040C67E call dword ptr ds:[40E0DC] ; kernel32.GlobalFree ; free the copy
0040C684 mov al,byte ptr ss:[ebp-1]
0040C687 test al,al
0040C689 je short NOTEPAD.0040C6CC ; not .rsrc -> next section
0040C68B mov eax,dword ptr ds:[40E00C]
0040C690 test eax,eax
0040C692 je short NOTEPAD.0040C6CC ; no head part -> next section
0040C694 mov eax,dword ptr ds:[ebx+8]
0040C697 lea edx,dword ptr ss:[ebp-8]
0040C69A push edx
0040C69B push 4
0040C69D push eax
0040C69E push esi
0040C69F call dword ptr ds:[40E0CC] ; kernel32.VirtualProtect ; writable again for the .rsrc head
0040C6A5 mov edi,dword ptr ss:[ebp-C]
0040C6A8 push esi ; dst = start of .rsrc
0040C6A9 push edi ; src = head copy
0040C6AA call NOTEPAD.0040C8F0 ; second decode routine for the .rsrc head (internals not shown)
0040C6AF mov edx,dword ptr ss:[ebp-8]
0040C6B2 mov eax,dword ptr ds:[ebx+8]
0040C6B5 add esp,8
0040C6B8 lea ecx,dword ptr ss:[ebp-8]
0040C6BB push ecx
0040C6BC push edx ; restore protection
0040C6BD push eax
0040C6BE push esi
0040C6BF call dword ptr ds:[40E0CC] ; kernel32.VirtualProtect
0040C6C5 push edi
0040C6C6 call dword ptr ds:[40E0DC] ; kernel32.GlobalFree
0040C6CC mov eax,dword ptr ss:[ebp-10] ; next section
0040C6CF add ebx,28 ; sizeof(IMAGE_SECTION_HEADER)
0040C6D2 dec eax
0040C6D3 mov dword ptr ss:[ebp-10],eax
0040C6D6 jnz NOTEPAD.0040C540
; ===========================================================================
; Stage 5: patch the in-memory PE header, run two more stub routines, then
; transfer to the OEP with push/retn.
; ===========================================================================
0040C6DC mov esi,dword ptr ss:[ebp-18] ; esi = IMAGE_NT_HEADERS (saved at 0040C501)
0040C6DF lea ecx,dword ptr ss:[ebp-8] ; also the target of the jle at 0040C537 (no sections to process)
0040C6E2 push ecx ; &oldProtect
0040C6E3 push 4 ; PAGE_READWRITE
0040C6E5 push 0F8 ; 0xF8 = sizeof(IMAGE_NT_HEADERS32): make the header writable
0040C6EA push esi
0040C6EB call dword ptr ds:[40E0CC] ; kernel32.VirtualProtect
0040C6F1 dec word ptr ds:[esi+6] ; NumberOfSections--: the last section (skipped by the loop, presumably the stub's own) is hidden from the in-memory header. A dump tool reading the header will drop it -- verify that is the section you meant to lose.
0040C6F5 mov eax,dword ptr ss:[ebp-8]
0040C6F8 lea edx,dword ptr ss:[ebp-8]
0040C6FB push edx
0040C6FC push eax ; restore old protection
0040C6FD push 0F8
0040C702 push esi
0040C703 call dword ptr ds:[40E0CC] ; kernel32.VirtualProtect ; last VirtualProtect before the OEP: a bp here lands close to it
0040C709 call NOTEPAD.0040C740 ; not shown in this listing; if the stub fixes imports or relocations it must be here or in 0040CB10 -- step in before trusting the dump's IAT
0040C70E call NOTEPAD.0040CB10 ; not shown in this listing
0040C713 mov ecx,dword ptr ds:[40E0E0] ; NOTEPAD.00400000 ; image base (computed at 0040C4E9)
0040C719 mov eax,dword ptr ds:[40E000] ; OEP RVA from the decrypted config block
0040C71E add eax,ecx
0040C720 mov dword ptr ds:[40E000],eax ; [40E000] = OEP VA
0040C725 push dword ptr ds:[40E000] ; NOTEPAD.004010CC /// OEP
0040C72B mov ecx,0D ; zero 13 dwords (0x34 bytes) at 40E000, i.e. everything up to 0040E034 -- the decrypted config block, OEP RVA included
0040C730 xor eax,eax ; from here on the OEP exists only on the stack / in EIP
0040C732 mov edi,NOTEPAD.0040E000
0040C737 rep stos dword ptr es:[edi]
0040C739 retn /// push/retn transfer to the OEP -- this is why the ESP trick works
////////////////////////////////////////////////////////////////////////////////////////////
壳程序把几个 API 名字串(KERNEL32.dll、GlobalAlloc、GlobalFree、IsDebuggerPresent、ExitProcess、VirtualProtect)以及用来比对区段名的 ".rsrc" 字符串加密存放,都调用同一个 call 0040CCE0(参数: 字符串地址, 长度, 0040E034)解密,用完后再用 rep stos 清零。区段内容本身走的是另一套例程: 每个区段先 VirtualProtect 成 PAGE_READWRITE,复制到 GlobalAlloc 的缓冲区,再由 call 0040C000(源, 目的) 解密回原地址;.rsrc 段按 [40E00C] 分成两截,后一截同样用 0040C000,前一截改用 call 0040C8F0。
脱壳方法: 1)可以使用ESP定律 —— 壳最后是 push dword ptr [40E000] / retn (0040C725、0040C739) 跳到 OEP,所以 ESP 定律有效
2)可以使用bp kernel32.LoadLibraryA 断点 —— 壳只在 0040C2D7 调用一次 LoadLibraryA,断下后返回即在壳代码里
3)可以使用bp VirtualProtect断点 —— 每个区段解密前(改成 PAGE_READWRITE)后(恢复)各断一次,最后一对(0040C6EB/0040C703)是改 PE 头,之后离 OEP 很近
4)可以在.rsrc段下内存访问断点,再在CODE段下内存访问断点
注意: 无论用哪种方法,都要先过掉 0040C49C 的 IsDebuggerPresent 检测(隐藏 OD / 把 PEB.BeingDebugged 清零,或把 0040C4A5 的 jnz 改成 jmp),否则壳直接 ExitProcess。另外壳在 0040C6F1 把内存中 PE 头的 NumberOfSections 减了 1,并在跳到 OEP 前把 40E000 处的配置块(含 OEP RVA)清零,dump 时要确认被去掉的是壳自身区段,OEP 只能从当时的 EIP/堆栈取得;0040C740、0040CB10 两个 call 本文没有跟进,修复 IAT 前先确认它们做了什么。
--------------------------------------------------------------------------------
【版权声明】 本文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!
【破解作者】 冷血书生
【作者邮箱】 colddoctor@126.com
【作者主页】 http://www.126sohu.com
【使用工具】 OD
【破解平台】 Win9x/NT/2000/XP
【软件名称】 DAStub加壳的98记事本
【下载地址】 本地下载
【软件大小】 33.5K
【加壳方式】 DAStub
【破解声明】 我是一只小菜鸟,偶得一点心得,愿与大家分享:)
水平太菜,不足之处,还请各位大侠指点
--------------------------------------------------------------------------------
【破解内容】
; ===========================================================================
; DAStub loader, stage 1: resolve the APIs the stub itself needs.
; "KERNEL32.dll" and the five API names below are stored encrypted in the
; stub's data area.  The pattern repeated for each one is:
;   inline strlen (repne scas)  ->  call 0040CCE0(ptr, len, 0040E034)
;   (decrypt in place)  ->  LoadLibraryA / GetProcAddress(hKernel32, ptr)
;   ->  store the pointer in a global  ->  zero the plaintext (rep stos, eax=0).
; Analysis consequence: once this stage has run none of these names exists in
; memory any more, so a string search on a dump finds nothing -- break on
; LoadLibraryA / GetProcAddress, or read the stored pointers directly.
; Stored pointers: [40E0D4] GlobalAlloc   [40E0DC] GlobalFree
;                  [40E0D8] IsDebuggerPresent   [40E0D0] ExitProcess
;                  [40E0CC] VirtualProtect
; 0040E034 is pushed as the third argument of every 0040CCE0 call; what it
; holds is not visible here -- presumably a key/context block, confirm inside
; 0040CCE0.  Note that LoadLibraryA and GetProcAddress themselves come from the
; stub's own import table (<&KERNEL32.LoadLi>, <&KERNEL32.Get>), so those two
; stay visible in the IAT.
; ===========================================================================
0040C2B0 N>mov edi,NOTEPAD.0040E04C /// OllyDbg stops here on load: stub entry point
0040C2B5 or ecx,FFFFFFFF ; ecx = -1: inline strlen of the still-encrypted "KERNEL32.dll" (the encrypted form is NUL-terminated)
0040C2B8 xor eax,eax
0040C2BA push NOTEPAD.0040E034 ; 3rd arg of 0040CCE0, pushed early
0040C2BF repne scas byte ptr es:[edi]
0040C2C1 not ecx
0040C2C3 dec ecx ; ecx = string length
0040C2C4 push ecx ; 2nd arg: length
0040C2C5 push NOTEPAD.0040E04C ; ASCII "KERNEL32.dll" ; 1st arg: string, decrypted in place
0040C2CA call NOTEPAD.0040CCE0 ; decrypt-string call (internals not shown)
0040C2CF add esp,0C ; cdecl, 3 args
0040C2D2 push NOTEPAD.0040E04C ; ASCII "KERNEL32.dll"
0040C2D7 call dword ptr ds:[<&KERNEL32.LoadLi>; kernel32.LoadLibraryA ; the only LoadLibraryA call in the stub
0040C2DD mov esi,eax ; esi = hKernel32, used for every GetProcAddress below
0040C2DF mov edi,NOTEPAD.0040E04C ; ASCII "KERNEL32.dll" ; wipe the plaintext: strlen again, then zero-fill
0040C2E4 or ecx,FFFFFFFF
0040C2E7 xor eax,eax ; eax = 0 is the fill value for rep stos
0040C2E9 repne scas byte ptr es:[edi]
0040C2EB not ecx
0040C2ED dec ecx
0040C2EE mov edi,NOTEPAD.0040E04C ; ASCII "KERNEL32.dll"
0040C2F3 mov edx,ecx
0040C2F5 push NOTEPAD.0040E034 ; 3rd arg for the NEXT 0040CCE0 call, hoisted above the wipe
0040C2FA shr ecx,2
0040C2FD rep stos dword ptr es:[edi] ; len/4 dwords ...
0040C2FF mov ecx,edx
0040C301 and ecx,3
0040C304 rep stos byte ptr es:[edi] ; ... plus len%4 bytes
0040C306 mov edi,NOTEPAD.0040E05C ; ASCII "GlobalAlloc" ; --- same pattern: GlobalAlloc
0040C30B or ecx,FFFFFFFF
0040C30E xor eax,eax
0040C310 repne scas byte ptr es:[edi]
0040C312 not ecx
0040C314 dec ecx
0040C315 push ecx
0040C316 push NOTEPAD.0040E05C ; ASCII "GlobalAlloc"
0040C31B call NOTEPAD.0040CCE0 ; decrypt-string call
0040C320 mov ebx,dword ptr ds:[<&KERNEL32.Get>; kernel32.GetProcAddress ; ebx = GetProcAddress for all lookups below
0040C326 add esp,0C
0040C329 push NOTEPAD.0040E05C ; ASCII "GlobalAlloc"
0040C32E push esi ; hKernel32
0040C32F call ebx ; GetProcAddress
0040C331 mov dword ptr ds:[40E0D4],eax ; [40E0D4] = GlobalAlloc
0040C336 mov edi,NOTEPAD.0040E05C ; ASCII "GlobalAlloc" ; wipe plaintext
0040C33B or ecx,FFFFFFFF
0040C33E xor eax,eax
0040C340 repne scas byte ptr es:[edi]
0040C342 not ecx
0040C344 dec ecx
0040C345 mov edi,NOTEPAD.0040E05C ; ASCII "GlobalAlloc"
0040C34A mov edx,ecx
0040C34C push NOTEPAD.0040E034
0040C351 shr ecx,2
0040C354 rep stos dword ptr es:[edi]
0040C356 mov ecx,edx
0040C358 and ecx,3
0040C35B rep stos byte ptr es:[edi]
0040C35D mov edi,NOTEPAD.0040E068 ; ASCII "GlobalFree" ; --- GlobalFree
0040C362 or ecx,FFFFFFFF
0040C365 xor eax,eax
0040C367 repne scas byte ptr es:[edi]
0040C369 not ecx
0040C36B dec ecx
0040C36C push ecx
0040C36D push NOTEPAD.0040E068 ; ASCII "GlobalFree"
0040C372 call NOTEPAD.0040CCE0 ; decrypt-string call
0040C377 add esp,0C
0040C37A push NOTEPAD.0040E068 ; ASCII "GlobalFree"
0040C37F push esi
0040C380 call ebx
0040C382 mov dword ptr ds:[40E0DC],eax ; [40E0DC] = GlobalFree
0040C387 mov edi,NOTEPAD.0040E068 ; ASCII "GlobalFree" ; wipe plaintext
0040C38C or ecx,FFFFFFFF
0040C38F xor eax,eax
0040C391 repne scas byte ptr es:[edi]
0040C393 not ecx
0040C395 dec ecx
0040C396 mov edi,NOTEPAD.0040E068 ; ASCII "GlobalFree"
0040C39B mov edx,ecx
0040C39D shr ecx,2
0040C3A0 rep stos dword ptr es:[edi]
0040C3A2 mov ecx,edx
0040C3A4 push NOTEPAD.0040E034
0040C3A9 and ecx,3
0040C3AC rep stos byte ptr es:[edi]
0040C3AE mov edi,NOTEPAD.0040E074 ; ASCII "IsDebuggerPresent" ; --- IsDebuggerPresent (used by the check at 0040C49C)
0040C3B3 or ecx,FFFFFFFF
0040C3B6 xor eax,eax
0040C3B8 repne scas byte ptr es:[edi]
0040C3BA not ecx
0040C3BC dec ecx
0040C3BD push ecx
0040C3BE push NOTEPAD.0040E074 ; ASCII "IsDebuggerPresent"
0040C3C3 call NOTEPAD.0040CCE0 ; decrypt-string call
0040C3C8 add esp,0C
0040C3CB push NOTEPAD.0040E074 ; ASCII "IsDebuggerPresent"
0040C3D0 push esi
0040C3D1 call ebx
0040C3D3 mov dword ptr ds:[40E0D8],eax ; [40E0D8] = IsDebuggerPresent
0040C3D8 mov edi,NOTEPAD.0040E074 ; ASCII "IsDebuggerPresent" ; wipe plaintext
0040C3DD or ecx,FFFFFFFF
0040C3E0 xor eax,eax
0040C3E2 repne scas byte ptr es:[edi]
0040C3E4 not ecx
0040C3E6 dec ecx
0040C3E7 mov edi,NOTEPAD.0040E074 ; ASCII "IsDebuggerPresent"
0040C3EC mov edx,ecx
0040C3EE push NOTEPAD.0040E034
0040C3F3 shr ecx,2
0040C3F6 rep stos dword ptr es:[edi]
0040C3F8 mov ecx,edx
0040C3FA and ecx,3
0040C3FD rep stos byte ptr es:[edi]
0040C3FF mov edi,NOTEPAD.0040E088 ; ASCII "ExitProcess" ; --- ExitProcess (the anti-debug exit path)
0040C404 or ecx,FFFFFFFF
0040C407 xor eax,eax
0040C409 repne scas byte ptr es:[edi]
0040C40B not ecx
0040C40D dec ecx
0040C40E push ecx
0040C40F push NOTEPAD.0040E088 ; ASCII "ExitProcess"
0040C414 call NOTEPAD.0040CCE0 ; decrypt-string call
0040C419 add esp,0C
0040C41C push NOTEPAD.0040E088 ; ASCII "ExitProcess"
0040C421 push esi
0040C422 call ebx
0040C424 mov dword ptr ds:[40E0D0],eax ; [40E0D0] = ExitProcess
0040C429 mov edi,NOTEPAD.0040E088 ; ASCII "ExitProcess" ; wipe plaintext
0040C42E or ecx,FFFFFFFF
0040C431 xor eax,eax
0040C433 repne scas byte ptr es:[edi]
0040C435 not ecx
0040C437 dec ecx
0040C438 mov edi,NOTEPAD.0040E088 ; ASCII "ExitProcess"
0040C43D mov edx,ecx
0040C43F push NOTEPAD.0040E034
0040C444 shr ecx,2
0040C447 rep stos dword ptr es:[edi]
0040C449 mov ecx,edx
0040C44B and ecx,3
0040C44E rep stos byte ptr es:[edi]
0040C450 mov edi,NOTEPAD.0040E094 ; ASCII "VirtualProtect" ; --- VirtualProtect (used to make sections/header writable)
0040C455 or ecx,FFFFFFFF
0040C458 xor eax,eax
0040C45A repne scas byte ptr es:[edi]
0040C45C not ecx
0040C45E dec ecx
0040C45F push ecx
0040C460 push NOTEPAD.0040E094 ; ASCII "VirtualProtect"
0040C465 call NOTEPAD.0040CCE0 ; decrypt-string call
0040C46A add esp,0C
0040C46D push NOTEPAD.0040E094 ; ASCII "VirtualProtect"
0040C472 push esi
0040C473 call ebx
0040C475 mov dword ptr ds:[40E0CC],eax ; [40E0CC] = VirtualProtect
0040C47A mov edi,NOTEPAD.0040E094 ; ASCII "VirtualProtect" ; wipe plaintext (no 0040E034 push here: the next decrypt call pushes its own at 0040C4FA)
0040C47F or ecx,FFFFFFFF
0040C482 xor eax,eax
0040C484 repne scas byte ptr es:[edi]
0040C486 not ecx
0040C488 dec ecx
0040C489 mov edi,NOTEPAD.0040E094 ; ASCII "VirtualProtect"
0040C48E mov edx,ecx
0040C490 shr ecx,2
0040C493 rep stos dword ptr es:[edi]
0040C495 mov ecx,edx
0040C497 and ecx,3
0040C49A rep stos byte ptr es:[edi]
; ===========================================================================
; Stage 2: anti-debug.  A single IsDebuggerPresent() call, i.e. a read of
; PEB.BeingDebugged; the result is compared with exactly 1.  Under a debugger
; the stub calls ExitProcess(0) and nothing below ever runs, so defeat this
; first: clear PEB.BeingDebugged (OllyDbg hide plugin), or patch the jnz at
; 0040C4A5 to jmp, or step over the call and set eax = 0.
; No other debugger check is visible in this listing; 0040C740 / 0040CB10
; (called at 0040C709 / 0040C70E) are not shown, so more may exist there.
; ===========================================================================
0040C49C call dword ptr ds:[40E0D8] ; kernel32.IsDebuggerPresent
0040C4A2 cmp eax,1 ; BOOL compare against TRUE
0040C4A5 jnz short NOTEPAD.0040C4AF ; not debugged -> continue unpacking
0040C4A7 push 0
0040C4A9 call dword ptr ds:[40E0D0] ; kernel32.ExitProcess ; debugged -> silent exit, no message
; ===========================================================================
; Stage 3: decrypt the stub's 0x18-byte config block, compute the image base
; and locate the section table.
; Config block at 0040E000 after decryption, as read by this listing:
;   [40E000] OEP RVA (used at 0040C719)
;   [40E008] RVA of the stub entry point (used for the image-base calculation)
;   [40E00C] split offset inside .rsrc (used in the section loop)
; The remaining fields are not read anywhere in this listing.
; ===========================================================================
0040C4AF push 18 ; 0x18 bytes
0040C4B1 push 40 ; 0x40 = GMEM_ZEROINIT
0040C4B3 call dword ptr ds:[40E0D4] ; kernel32.GlobalAlloc
0040C4B9 mov ebx,eax ; ebx = scratch buffer
0040C4BB push ebx ; 2nd arg: dst = buffer
0040C4BC push NOTEPAD.0040E000 ; 1st arg: src = encrypted config block
0040C4C1 call NOTEPAD.0040C000 ; 0040C000(src, dst): same routine later used on the sections; internals not shown, "decrypt" is inferred from its use
0040C4C6 add esp,8
0040C4C9 mov ecx,6 ; copy the 6 decoded dwords (0x18 bytes) back over 0040E000
0040C4CE mov esi,ebx
0040C4D0 mov edi,NOTEPAD.0040E000
0040C4D5 rep movs dword ptr es:[edi],dword pt>
0040C4D7 push ebx
0040C4D8 call dword ptr ds:[40E0DC] ; kernel32.GlobalFree
0040C4DE mov esi,dword ptr ds:[40E008] ; RVA of the stub entry point
0040C4E4 mov eax,offset NOTEPAD.<模块入口点> ; ASCII "刻嗬" ; VA of the module entry point (OllyDbg's ASCII guess is noise)
0040C4E9 sub eax,esi ; eax = image base, computed at run time rather than hard-coded
0040C4EB xor ecx,ecx
0040C4ED mov dword ptr ds:[40E0E0],eax ; [40E0E0] = image base
0040C4F2 mov edi,NOTEPAD.0040E044 ; ASCII ".rsrc"
0040C4F7 mov esi,dword ptr ds:[eax+3C] ; IMAGE_DOS_HEADER.e_lfanew
0040C4FA push NOTEPAD.0040E034 ; 3rd arg for the 0040CCE0 call below
0040C4FF add esi,eax ; esi = IMAGE_NT_HEADERS
0040C501 mov dword ptr ss:[ebp-18],esi ; saved for the header patch at 0040C6DC
0040C504 mov cx,word ptr ds:[esi+14] ; FileHeader.SizeOfOptionalHeader
0040C508 mov ax,word ptr ds:[esi+6] ; FileHeader.NumberOfSections
0040C50C mov word ptr ss:[ebp-10],ax
0040C510 xor eax,eax
0040C512 lea ebx,dword ptr ds:[ecx+esi+18] ; ebx = first IMAGE_SECTION_HEADER (NT headers + 0x18 + SizeOfOptionalHeader)
0040C516 or ecx,FFFFFFFF ; strlen of the still-encrypted ".rsrc" string
0040C519 repne scas byte ptr es:[edi]
0040C51B not ecx
0040C51D dec ecx
0040C51E push ecx
0040C51F push NOTEPAD.0040E044 ; ASCII ".rsrc"
0040C524 call NOTEPAD.0040CCE0 ; decrypt-string call: this decrypts the ".rsrc" NAME used for comparison, not the section contents
0040C529 mov eax,dword ptr ss:[ebp-10]
0040C52C add esp,0C
0040C52F and eax,0FFFF ; NumberOfSections as a dword
0040C534 dec eax ; only NumberOfSections-1 sections are processed: the last one is skipped here and hidden at 0040C6F1
0040C535 test eax,eax
0040C537 jle NOTEPAD.0040C6DF ; nothing to decrypt -> straight to the header patch
0040C53D mov dword ptr ss:[ebp-10],eax ; [ebp-10] = sections left
; ===========================================================================
; Stage 4: decrypt the first NumberOfSections-1 sections in place.
; Loop state: ebx = current IMAGE_SECTION_HEADER (+8 VirtualSize,
;   +C VirtualAddress, +10 SizeOfRawData); [ebp-10] = sections left;
;   [ebp-1] = "this section is .rsrc"; [ebp-14] = heap copy of the section;
;   [ebp-C] = second heap copy, only for the head of .rsrc; [ebp-8] = old
;   page protection.
; Per section: copy raw bytes to a GlobalAlloc buffer -> VirtualProtect
; (section, VirtualSize, PAGE_READWRITE) -> 0040C000(copy, section) writes
; back over the mapped section -> restore protection -> GlobalFree.
; .rsrc is split at offset [40E00C]: the tail goes through 0040C000 like any
; other section, the head through 0040C8F0.  Neither routine is shown here;
; both are called as (src, dst), matching the config-block call at 0040C4C1,
; so "decode src into dst" is an inference -- step into them to confirm.
; ===========================================================================
0040C540 mov byte ptr ss:[ebp-1],0 ; loop top: is-.rsrc flag = 0
0040C544 mov esi,NOTEPAD.0040E044 ; ASCII ".rsrc"
0040C549 mov edi,ebx ; inline strcmp(section->Name, ".rsrc"), two bytes per iteration
0040C54B mov dl,byte ptr ds:[edi]
0040C54D mov cl,byte ptr ds:[esi]
0040C54F mov al,dl
0040C551 cmp dl,cl
0040C553 jnz short NOTEPAD.0040C573
0040C555 test al,al
0040C557 je short NOTEPAD.0040C56F
0040C559 mov cl,byte ptr ds:[edi+1]
0040C55C mov dl,byte ptr ds:[esi+1]
0040C55F mov al,cl
0040C561 cmp cl,dl
0040C563 jnz short NOTEPAD.0040C573
0040C565 add edi,2
0040C568 add esi,2
0040C56B test al,al
0040C56D jnz short NOTEPAD.0040C54B
0040C56F xor eax,eax ; equal -> 0
0040C571 jmp short NOTEPAD.0040C578
0040C573 sbb eax,eax ; not equal -> -1 / +1
0040C575 sbb eax,-1
0040C578 test eax,eax
0040C57A jnz short NOTEPAD.0040C580
0040C57C mov byte ptr ss:[ebp-1],1 ; name matched -> this is .rsrc
0040C580 mov eax,dword ptr ds:[ebx+10] ; SizeOfRawData
0040C583 test eax,eax
0040C585 je NOTEPAD.0040C6CC ; no raw data -> next section
0040C58B push eax
0040C58C push 40 ; GMEM_ZEROINIT
0040C58E call dword ptr ds:[40E0D4] ; kernel32.GlobalAlloc ; buffer for a copy of the section's raw bytes
0040C594 mov edx,eax
0040C596 mov al,byte ptr ss:[ebp-1]
0040C599 test al,al
0040C59B mov dword ptr ss:[ebp-14],edx ; [ebp-14] = copy buffer
0040C59E mov dword ptr ss:[ebp-C],0 ; [ebp-C] = no second buffer yet
0040C5A5 je short NOTEPAD.0040C623 ; not .rsrc -> plain full copy
0040C5A7 mov edi,NOTEPAD.0040E044 ; ASCII ".rsrc" ; .rsrc found: zero the ".rsrc" string so it cannot match a later section
0040C5AC or ecx,FFFFFFFF
0040C5AF xor eax,eax
0040C5B1 repne scas byte ptr es:[edi]
0040C5B3 not ecx
0040C5B5 dec ecx
0040C5B6 mov edi,NOTEPAD.0040E044 ; ASCII ".rsrc"
0040C5BB mov esi,ecx
0040C5BD shr ecx,2
0040C5C0 rep stos dword ptr es:[edi]
0040C5C2 mov ecx,esi
0040C5C4 mov esi,dword ptr ds:[40E0E0] ; NOTEPAD.00400000 ; image base
0040C5CA and ecx,3
0040C5CD rep stos byte ptr es:[edi]
0040C5CF mov eax,dword ptr ds:[40E00C] ; split offset inside .rsrc
0040C5D4 mov ecx,dword ptr ds:[ebx+10] ; SizeOfRawData
0040C5D7 mov edi,dword ptr ds:[ebx+C] ; VirtualAddress
0040C5DA add esi,eax
0040C5DC sub ecx,eax ; tail length = SizeOfRawData - split
0040C5DE add esi,edi ; esi = base + VA + split
0040C5E0 mov edi,edx ; edi = copy buffer
0040C5E2 mov edx,ecx
0040C5E4 shr ecx,2
0040C5E7 rep movs dword ptr es:[edi],dword pt> ; copy the .rsrc tail into [ebp-14]
0040C5E9 mov ecx,edx
0040C5EB and ecx,3
0040C5EE rep movs byte ptr es:[edi],byte ptr >
0040C5F0 mov eax,dword ptr ds:[40E00C]
0040C5F5 test eax,eax
0040C5F7 je short NOTEPAD.0040C641 ; split == 0: no head part
0040C5F9 push eax
0040C5FA push 40
0040C5FC call dword ptr ds:[40E0D4] ; kernel32.GlobalAlloc ; second buffer, [40E00C] bytes
0040C602 mov esi,dword ptr ds:[40E0E0] ; NOTEPAD.00400000
0040C608 mov edi,dword ptr ds:[ebx+C]
0040C60B mov ecx,dword ptr ds:[40E00C]
0040C611 add esi,edi ; esi = base + VA (start of .rsrc)
0040C613 mov dword ptr ss:[ebp-C],eax ; [ebp-C] = head buffer
0040C616 mov edi,eax
0040C618 mov eax,ecx
0040C61A shr ecx,2
0040C61D rep movs dword ptr es:[edi],dword pt> ; copy the .rsrc head into [ebp-C]
0040C61F mov ecx,eax
0040C621 jmp short NOTEPAD.0040C63C ; share the byte-remainder copy below
0040C623 mov esi,dword ptr ds:[40E0E0] ; NOTEPAD.00400000 ; ordinary section: copy all SizeOfRawData bytes
0040C629 mov edi,dword ptr ds:[ebx+C]
0040C62C mov ecx,dword ptr ds:[ebx+10]
0040C62F add esi,edi ; esi = base + VA
0040C631 mov edi,edx
0040C633 mov edx,ecx
0040C635 shr ecx,2
0040C638 rep movs dword ptr es:[edi],dword pt>
0040C63A mov ecx,edx
0040C63C and ecx,3
0040C63F rep movs byte ptr es:[edi],byte ptr >
0040C641 mov esi,dword ptr ds:[40E0E0] ; NOTEPAD.00400000
0040C647 mov edx,dword ptr ds:[ebx+C]
0040C64A mov ecx,dword ptr ds:[ebx+8] ; VirtualSize
0040C64D lea eax,dword ptr ss:[ebp-8]
0040C650 push eax ; &oldProtect
0040C651 add esi,edx ; esi = base + VA
0040C653 push 4 ; PAGE_READWRITE: execute bit dropped while writing, restored below
0040C655 push ecx
0040C656 push esi
0040C657 call dword ptr ds:[40E0CC] ; kernel32.VirtualProtect ; make the mapped section writable
0040C65D mov edi,dword ptr ss:[ebp-14]
0040C660 push esi ; 2nd arg: dst = mapped section
0040C661 push edi ; 1st arg: src = heap copy
0040C662 call NOTEPAD.0040C000 ; decode copy -> section (internals not shown)
0040C667 mov eax,dword ptr ss:[ebp-8]
0040C66A mov ecx,dword ptr ds:[ebx+8]
0040C66D add esp,8
0040C670 lea edx,dword ptr ss:[ebp-8]
0040C673 push edx
0040C674 push eax ; restore the original protection
0040C675 push ecx
0040C676 push esi
0040C677 call dword ptr ds:[40E0CC] ; kernel32.VirtualProtect
0040C67D push edi
0040C67E call dword ptr ds:[40E0DC] ; kernel32.GlobalFree ; free the copy
0040C684 mov al,byte ptr ss:[ebp-1]
0040C687 test al,al
0040C689 je short NOTEPAD.0040C6CC ; not .rsrc -> next section
0040C68B mov eax,dword ptr ds:[40E00C]
0040C690 test eax,eax
0040C692 je short NOTEPAD.0040C6CC ; no head part -> next section
0040C694 mov eax,dword ptr ds:[ebx+8]
0040C697 lea edx,dword ptr ss:[ebp-8]
0040C69A push edx
0040C69B push 4
0040C69D push eax
0040C69E push esi
0040C69F call dword ptr ds:[40E0CC] ; kernel32.VirtualProtect ; writable again for the .rsrc head
0040C6A5 mov edi,dword ptr ss:[ebp-C]
0040C6A8 push esi ; dst = start of .rsrc
0040C6A9 push edi ; src = head copy
0040C6AA call NOTEPAD.0040C8F0 ; second decode routine for the .rsrc head (internals not shown)
0040C6AF mov edx,dword ptr ss:[ebp-8]
0040C6B2 mov eax,dword ptr ds:[ebx+8]
0040C6B5 add esp,8
0040C6B8 lea ecx,dword ptr ss:[ebp-8]
0040C6BB push ecx
0040C6BC push edx ; restore protection
0040C6BD push eax
0040C6BE push esi
0040C6BF call dword ptr ds:[40E0CC] ; kernel32.VirtualProtect
0040C6C5 push edi
0040C6C6 call dword ptr ds:[40E0DC] ; kernel32.GlobalFree
0040C6CC mov eax,dword ptr ss:[ebp-10] ; next section
0040C6CF add ebx,28 ; sizeof(IMAGE_SECTION_HEADER)
0040C6D2 dec eax
0040C6D3 mov dword ptr ss:[ebp-10],eax
0040C6D6 jnz NOTEPAD.0040C540
; ===========================================================================
; Stage 5: patch the in-memory PE header, run two more stub routines, then
; transfer to the OEP with push/retn.
; ===========================================================================
0040C6DC mov esi,dword ptr ss:[ebp-18] ; esi = IMAGE_NT_HEADERS (saved at 0040C501)
0040C6DF lea ecx,dword ptr ss:[ebp-8] ; also the target of the jle at 0040C537 (no sections to process)
0040C6E2 push ecx ; &oldProtect
0040C6E3 push 4 ; PAGE_READWRITE
0040C6E5 push 0F8 ; 0xF8 = sizeof(IMAGE_NT_HEADERS32): make the header writable
0040C6EA push esi
0040C6EB call dword ptr ds:[40E0CC] ; kernel32.VirtualProtect
0040C6F1 dec word ptr ds:[esi+6] ; NumberOfSections--: the last section (skipped by the loop, presumably the stub's own) is hidden from the in-memory header. A dump tool reading the header will drop it -- verify that is the section you meant to lose.
0040C6F5 mov eax,dword ptr ss:[ebp-8]
0040C6F8 lea edx,dword ptr ss:[ebp-8]
0040C6FB push edx
0040C6FC push eax ; restore old protection
0040C6FD push 0F8
0040C702 push esi
0040C703 call dword ptr ds:[40E0CC] ; kernel32.VirtualProtect ; last VirtualProtect before the OEP: a bp here lands close to it
0040C709 call NOTEPAD.0040C740 ; not shown in this listing; if the stub fixes imports or relocations it must be here or in 0040CB10 -- step in before trusting the dump's IAT
0040C70E call NOTEPAD.0040CB10 ; not shown in this listing
0040C713 mov ecx,dword ptr ds:[40E0E0] ; NOTEPAD.00400000 ; image base (computed at 0040C4E9)
0040C719 mov eax,dword ptr ds:[40E000] ; OEP RVA from the decrypted config block
0040C71E add eax,ecx
0040C720 mov dword ptr ds:[40E000],eax ; [40E000] = OEP VA
0040C725 push dword ptr ds:[40E000] ; NOTEPAD.004010CC /// OEP
0040C72B mov ecx,0D ; zero 13 dwords (0x34 bytes) at 40E000, i.e. everything up to 0040E034 -- the decrypted config block, OEP RVA included
0040C730 xor eax,eax ; from here on the OEP exists only on the stack / in EIP
0040C732 mov edi,NOTEPAD.0040E000
0040C737 rep stos dword ptr es:[edi]
0040C739 retn /// push/retn transfer to the OEP -- this is why the ESP trick works
////////////////////////////////////////////////////////////////////////////////////////////
壳程序把几个 API 名字串(KERNEL32.dll、GlobalAlloc、GlobalFree、IsDebuggerPresent、ExitProcess、VirtualProtect)以及用来比对区段名的 ".rsrc" 字符串加密存放,都调用同一个 call 0040CCE0(参数: 字符串地址, 长度, 0040E034)解密,用完后再用 rep stos 清零。区段内容本身走的是另一套例程: 每个区段先 VirtualProtect 成 PAGE_READWRITE,复制到 GlobalAlloc 的缓冲区,再由 call 0040C000(源, 目的) 解密回原地址;.rsrc 段按 [40E00C] 分成两截,后一截同样用 0040C000,前一截改用 call 0040C8F0。
脱壳方法: 1)可以使用ESP定律 —— 壳最后是 push dword ptr [40E000] / retn (0040C725、0040C739) 跳到 OEP,所以 ESP 定律有效
2)可以使用bp kernel32.LoadLibraryA 断点 —— 壳只在 0040C2D7 调用一次 LoadLibraryA,断下后返回即在壳代码里
3)可以使用bp VirtualProtect断点 —— 每个区段解密前(改成 PAGE_READWRITE)后(恢复)各断一次,最后一对(0040C6EB/0040C703)是改 PE 头,之后离 OEP 很近
4)可以在.rsrc段下内存访问断点,再在CODE段下内存访问断点
注意: 无论用哪种方法,都要先过掉 0040C49C 的 IsDebuggerPresent 检测(隐藏 OD / 把 PEB.BeingDebugged 清零,或把 0040C4A5 的 jnz 改成 jmp),否则壳直接 ExitProcess。另外壳在 0040C6F1 把内存中 PE 头的 NumberOfSections 减了 1,并在跳到 OEP 前把 40E000 处的配置块(含 OEP RVA)清零,dump 时要确认被去掉的是壳自身区段,OEP 只能从当时的 EIP/堆栈取得;0040C740、0040CB10 两个 call 本文没有跟进,修复 IAT 前先确认它们做了什么。
--------------------------------------------------------------------------------
【版权声明】 本文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!