【Title】: Unpacking the pib packer
【Author】: flong
【Author e-mail】: flong30[at]hotmail.com
【Software】: notepad.exe
【Download】: in the attachment
【Packer】: pib
【Tools】: OllyICE v1.10 (modified build)
【Platform】: XP SP2
【Author's note】: Written for beginners, nothing more. Corrections from the experts are welcome!
--------------------------------------------------------------------------------
【Walkthrough】
I came across a foreign packer online, with source code included; it looked decent, so I used it for practice.
First pack XP's own notepad.exe with pib, then unpack it.
Load the (packed) notepad.exe in OllyICE:
01013086 > E8 25010000 call 010131B0 ; stops at the entry point
0101308B 0010 add [eax], dl
0101308D 0000 add [eax], al
0101308F 0090 00000000 add [eax], dl
Press F7 to step into it
010131AF 00E8 add al, ch
010131B1 0000 add [eax], al
010131B3 0000 add [eax], al
010131B5 5D pop ebp ; notepad.010131B5
Then F7 and F4 all the way; at each call, F4 to the instruction after it, arriving at
01013302 85C0 test eax, eax
01013304 74 17 je short 0101331D
01013306 0385 59114000 add eax, [ebp+401159]
0101330C 60 pushad
0101330D 8D9D 00104000 lea ebx, [ebp+401000]
01013313 53 push ebx
01013314 FFD0 call eax
01013316 58 pop eax
01013317 61 popad
01013318 83C2 04 add edx, 4
0101331B ^ E2 DC loopd short 010132F9
Ha, a moment of glee: a popad this soon, this will be unpacked in seconds. F7 onward
0101331D 59 pop ecx
0101331E 51 push ecx
0101331F 8D85 84114000 lea eax, [ebp+401184]
01013325 50 push eax
01013326 6A 04 push 4
01013328 68 00100000 push 1000
0101332D 51 push ecx
0101332E FF95 80114000 call [ebp+401180]
01013334 59 pop ecx ; notepad.010000E0
01013335 8B85 6D114000 mov eax, [ebp+40116D]
0101333B 8981 88000000 mov [ecx+88], eax
01013341 C781 8C000000 6>mov dword ptr [ecx+8C], 368
0101334B 6A 40 push 40
0101334D 68 00100000 push 1000
01013352 68 00000001 push 01000000
01013357 6A 00 push 0
01013359 FF95 45114000 call [ebp+401145]
0101335F 8BD8 mov ebx, eax
01013361 81C3 00002000 add ebx, 200000 ; UNICODE "d.MM.yyyy"
01013367 8DB5 8B104000 lea esi, [ebp+40108B]
0101336D 8DBD B3104000 lea edi, [ebp+4010B3]
01013373 33D2 xor edx, edx
01013375 B9 0A000000 mov ecx, 0A
0101337A AD lods dword ptr [esi]
0101337B 85C0 test eax, eax
We've come this far and still no jump?
0101337D /74 29 je short 010133A8
0101337F |0385 59114000 add eax, [ebp+401159]
01013385 |50 push eax
01013386 |53 push ebx
01013387 |50 push eax
01013388 |E8 B8010000 call 01013545
0101338D |83C4 08 add esp, 8
01013390 |58 pop eax
01013391 |60 pushad
01013392 |8D8D B3104000 lea ecx, [ebp+4010B3]
01013398 |03CA add ecx, edx
0101339A |8B09 mov ecx, [ecx]
0101339C |8BF8 mov edi, eax
0101339E |8BF3 mov esi, ebx
010133A0 |F3:A4 rep movs byte ptr es:[edi], byte ptr>
010133A2 |61 popad
010133A3 |83C2 04 add edx, 4
010133A6 ^|E2 D2 loopd short 0101337A
010133A8 \83BD 51114000 0>cmp dword ptr [ebp+401151], 0
Another popad? Keep going
010133AF /74 66 je short 01013417
010133B1 |8B85 51114000 mov eax, [ebp+401151]
010133B7 |8B9D 59114000 mov ebx, [ebp+401159]
010133BD |8BF3 mov esi, ebx
010133BF |0FB77E 3C movzx edi, word ptr [esi+3C]
010133C3 |03FE add edi, esi
010133C5 |8B57 34 mov edx, [edi+34]
010133C8 |60 pushad
010133C9 |2BDA sub ebx, edx
010133CB |899D 55114000 mov [ebp+401155], ebx
010133D1 |61 popad
010133D2 |3BD3 cmp edx, ebx
010133D4 |74 41 je short 01013417
010133D6 |03D8 add ebx, eax
010133D8 |833B 00 cmp dword ptr [ebx], 0
010133DB |74 3A je short 01013417
010133DD |8B03 mov eax, [ebx]
010133DF |8B4B 04 mov ecx, [ebx+4]
010133E2 |D1E9 shr ecx, 1
010133E4 |83C3 08 add ebx, 8
010133E7 |0FB73B movzx edi, word ptr [ebx]
010133EA |8BD7 mov edx, edi
010133EC |C1EF 0C shr edi, 0C
010133EF |83FF 03 cmp edi, 3
010133F2 |75 1A jnz short 0101340E
010133F4 |8BFA mov edi, edx
010133F6 |81E7 FF0F0000 and edi, 0FFF
010133FC |03F8 add edi, eax
010133FE |03BD 59114000 add edi, [ebp+401159]
01013404 |50 push eax
01013405 |8B85 55114000 mov eax, [ebp+401155]
0101340B |0107 add [edi], eax
0101340D |58 pop eax
0101340E |8BFA mov edi, edx
01013410 |83C3 02 add ebx, 2
01013413 ^|E2 D2 loopd short 010133E7
01013415 ^|EB C1 jmp short 010133D8
Still no jump, nothing but loops. Continue
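The loop between 010133AF and 01013415 is the stub's base-relocation pass: it reads ImageBase from the optional header ([edi+34], with edi = e_lfanew + load address), skips everything when the module sits at its preferred base (`cmp edx, ebx / je`), otherwise stores the load delta and walks the relocation table; each 16-bit entry whose high nibble is 3 (`shr edi, 0C / cmp edi, 3`) gets the delta added to the dword at page + (entry & 0FFF). The following Python does the same job on a constructed in-memory image. It is an added example, not pib's code nor anything from the post; the image, the pointer values and the relocation block are made up for the demonstration.

```python
import struct

# Relocation entry types from the PE specification
IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry, no fixup
IMAGE_REL_BASED_HIGHLOW = 3    # 32-bit absolute pointer: add the load delta


def read_u32(image, rva):
    """Read a little-endian 32-bit value at an RVA of an image laid out by RVA."""
    return struct.unpack_from("<I", image, rva)[0]


def parse_reloc_blocks(reloc_data):
    """Yield (page_rva, [(type, offset), ...]) for each IMAGE_BASE_RELOCATION block.

    A block header is VirtualAddress (page RVA) and SizeOfBlock; a block whose
    VirtualAddress is 0 terminates the table. Every 16-bit entry carries a 4-bit
    type in the high nibble and a 12-bit offset within the page.
    """
    pos = 0
    while pos + 8 <= len(reloc_data):
        page_rva, block_size = struct.unpack_from("<II", reloc_data, pos)
        if page_rva == 0:
            break
        n_entries = (block_size - 8) // 2
        raw = struct.unpack_from("<%dH" % n_entries, reloc_data, pos + 8)
        yield page_rva, [(e >> 12, e & 0xFFF) for e in raw]
        pos += block_size


def apply_relocations(image, preferred_base, actual_base, reloc_data):
    """Patch `image` (a bytearray laid out by RVA) in place and return the number
    of HIGHLOW fixups applied. Nothing is done when the module loaded at its
    preferred base, which is the case the stub skips with `cmp edx, ebx / je`."""
    delta = (actual_base - preferred_base) & 0xFFFFFFFF
    if delta == 0:
        return 0
    fixed = 0
    for page_rva, entries in parse_reloc_blocks(reloc_data):
        for rtype, offset in entries:
            if rtype == IMAGE_REL_BASED_HIGHLOW:
                rva = page_rva + offset
                value = (read_u32(image, rva) + delta) & 0xFFFFFFFF
                struct.pack_into("<I", image, rva, value)
                fixed += 1
            elif rtype != IMAGE_REL_BASED_ABSOLUTE:
                raise ValueError("unsupported relocation type %d" % rtype)
    return fixed


def build_sample():
    """Constructed sample: an 8 KiB image with two absolute pointers in its first
    code page and a one-block .reloc table describing them (all values made up)."""
    image = bytearray(0x2000)
    struct.pack_into("<I", image, 0x1010, 0x00401234)   # pointer valid at base 0x00400000
    struct.pack_into("<I", image, 0x1020, 0x00402000)
    block = struct.pack("<II", 0x1000, 8 + 2 * 2) + struct.pack("<HH", 0x3010, 0x3020)
    terminator = struct.pack("<II", 0, 0)
    return image, block + terminator


if __name__ == "__main__":
    image, reloc = build_sample()
    # Preferred base 0x00400000, actually loaded at 0x01000000 (the address range seen in the post)
    n = apply_relocations(image, 0x00400000, 0x01000000, reloc)
    print("fixups applied:", n)
    print("pointer at RVA 0x1010 is now", hex(read_u32(image, 0x1010)))
```

Recognising this pattern while tracing (a fetch of ImageBase, a delta, a loop keyed on the high nibble of 16-bit entries) tells you the stub is still doing loader work, so the OEP cannot be near yet; the same applies to the import loop that follows it.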
01013417 8B85 5D114000 mov eax, [ebp+40115D]
0101341D 0BC0 or eax, eax
0101341F 74 11 je short 01013432
01013421 0385 59114000 add eax, [ebp+401159]
01013427 8BBD 79104000 mov edi, [ebp+401079]
0101342D 8B70 08 mov esi, [eax+8]
01013430 893E mov [esi], edi
01013432 8BB5 61114000 mov esi, [ebp+401161]
01013438 03B5 59114000 add esi, [ebp+401159]
0101343E 83EE 14 sub esi, 14
01013441 83C6 14 add esi, 14
01013444 837E 10 00 cmp dword ptr [esi+10], 0
01013448 0F84 90000000 je 010134DE
0101344E 8B5E 0C mov ebx, [esi+C]
01013451 039D 59114000 add ebx, [ebp+401159]
01013457 56 push esi
01013458 53 push ebx
01013459 FF95 35104000 call [ebp+401035]
0101345F 5E pop esi
01013460 8985 65114000 mov [ebp+401165], eax
01013466 833E 00 cmp dword ptr [esi], 0
01013469 74 13 je short 0101347E
0101346B 8B3E mov edi, [esi]
0101346D 03BD 59114000 add edi, [ebp+401159]
01013473 8B4E 10 mov ecx, [esi+10]
01013476 038D 59114000 add ecx, [ebp+401159]
0101347C EB 12 jmp short 01013490
0101347E 8B7E 10 mov edi, [esi+10]
01013481 03BD 59114000 add edi, [ebp+401159]
01013487 8B4E 10 mov ecx, [esi+10]
0101348A 038D 59114000 add ecx, [ebp+401159]
01013490 833F 00 cmp dword ptr [edi], 0
01013493 ^ 74 AC je short 01013441
01013495 8B1F mov ebx, [edi]
01013497 0FBAE3 1F bt ebx, 1F
0101349B 72 20 jb short 010134BD
0101349D 039D 59114000 add ebx, [ebp+401159]
010134A3 83C3 02 add ebx, 2
010134A6 51 push ecx
010134A7 57 push edi
010134A8 53 push ebx
010134A9 FFB5 65114000 push dword ptr [ebp+401165]
010134AF FF95 39104000 call [ebp+401039]
010134B5 5F pop edi
010134B6 59 pop ecx
010134B7 8907 mov [edi], eax
010134B9 8901 mov [ecx], eax
010134BB EB 19 jmp short 010134D6
010134BD D1E3 shl ebx, 1
010134BF D1EB shr ebx, 1
010134C1 51 push ecx
010134C2 57 push edi
010134C3 53 push ebx
010134C4 FFB5 65114000 push dword ptr [ebp+401165]
010134CA FF95 39104000 call [ebp+401039]
010134D0 5F pop edi
010134D1 59 pop ecx
010134D2 8907 mov [edi], eax
010134D4 8901 mov [ecx], eax
010134D6 83C7 04 add edi, 4
010134D9 83C1 04 add ecx, 4
010134DC ^ EB B2 jmp short 01013490
010134DE B9 0A000000 mov ecx, 0A
Still no big jump, odd
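The stretch from 01013432 to 010134DE reads like the standard import walk: descriptors are 20 bytes apart (`add esi, 14`), the walk stops when FirstThunk ([esi+10]) is zero, the DLL named by [esi+C] is loaded through the call at [ebp+401035], OriginalFirstThunk ([esi]) is used for lookup when non-zero and FirstThunk otherwise, and for every thunk `bt ebx, 1F` decides between an ordinal (bit 31 set, cleared by `shl/shr`) and a pointer to hint+name (`add ebx, 2` skips the hint); the address returned by the call at [ebp+401039] is written into both tables. The Python below performs the same walk on a constructed image and fills the IAT from a made-up export map standing in for LoadLibrary/GetProcAddress. This is an added example, not pib's code or the post's; the image layout, the DLL name, the ordinal and the addresses are constructed.

```python
import struct

IMAGE_ORDINAL_FLAG32 = 0x80000000  # bit 31 of a thunk: import by ordinal
DESCRIPTOR_SIZE = 20               # sizeof(IMAGE_IMPORT_DESCRIPTOR)


def read_u32(image, rva):
    return struct.unpack_from("<I", image, rva)[0]


def read_cstring(image, rva):
    end = image.index(b"\0", rva)
    return image[rva:end].decode("ascii")


def parse_imports(image, import_dir_rva):
    """Return [(dll_name, [(iat_slot_rva, name_or_ordinal), ...]), ...].

    `image` is a bytearray laid out by RVA. The walk stops at the descriptor
    whose FirstThunk is 0, uses OriginalFirstThunk for lookup when it is
    non-zero (else FirstThunk), treats a thunk with bit 31 set as an ordinal
    and otherwise skips the 2-byte hint to reach the function name.
    """
    descriptors = []
    pos = import_dir_rva
    while True:
        oft, _stamp, _fwd, name_rva, first_thunk = struct.unpack_from("<5I", image, pos)
        if first_thunk == 0:
            break
        lookup = oft if oft else first_thunk
        entries = []
        index = 0
        while True:
            thunk = read_u32(image, lookup + 4 * index)
            if thunk == 0:
                break
            if thunk & IMAGE_ORDINAL_FLAG32:
                target = thunk & 0x7FFFFFFF          # clear bit 31, as shl 1 / shr 1 does
            else:
                target = read_cstring(image, thunk + 2)  # past the WORD hint
            entries.append((first_thunk + 4 * index, target))
            index += 1
        descriptors.append((read_cstring(image, name_rva), entries))
        pos += DESCRIPTOR_SIZE
    return descriptors


def resolve_imports(image, import_dir_rva, exports):
    """Fill every IAT slot from `exports`, a {(dll, name_or_ordinal): address}
    map that stands in for LoadLibrary/GetProcAddress. Returns [(dll, target, address)]."""
    resolved = []
    for dll, entries in parse_imports(image, import_dir_rva):
        for slot_rva, target in entries:
            address = exports[(dll, target)]
            struct.pack_into("<I", image, slot_rva, address)
            resolved.append((dll, target, address))
    return resolved


# Constructed stand-in for two exports of a real DLL (the addresses are made up).
SAMPLE_EXPORTS = {
    ("KERNEL32.dll", "GetProcAddress"): 0x7C80AE40,
    ("KERNEL32.dll", 5): 0x7C801234,
}


def build_sample_image():
    """Constructed image: one descriptor for KERNEL32.dll with a by-name import
    and an ordinal import, INT and IAT identical as a linker would emit them."""
    image = bytearray(0x3000)
    import_dir, int_rva, name_rva, iat_rva, hint_name = 0x2000, 0x2100, 0x2200, 0x2300, 0x2400
    struct.pack_into("<5I", image, import_dir, int_rva, 0, 0, name_rva, iat_rva)
    # the all-zero descriptor that follows terminates the table
    image[name_rva:name_rva + 13] = b"KERNEL32.dll\0"
    image[hint_name:hint_name + 17] = struct.pack("<H", 0) + b"GetProcAddress\0"
    for table in (int_rva, iat_rva):
        struct.pack_into("<3I", image, table, hint_name, 0x80000005, 0)
    return image, import_dir


if __name__ == "__main__":
    image, import_dir = build_sample_image()
    for dll, target, address in resolve_imports(image, import_dir, SAMPLE_EXPORTS):
        print("%s!%s -> %08X" % (dll, target, address))
```

Seeing the stub fill the IAT itself is also why a plain dump taken at the OEP needs its imports rebuilt afterwards: the IAT in the dump already holds absolute addresses for this particular session, which is what the "rebuild import" option in the dump plugin repairs.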
010134E3 33D2 xor edx, edx
010134E5 8DB5 03114000 lea esi, [ebp+401103]
010134EB 03F2 add esi, edx
010134ED AD lods dword ptr [esi]
010134EE 85C0 test eax, eax
010134F0 74 17 je short 01013509
010134F2 0385 59114000 add eax, [ebp+401159]
010134F8 60 pushad
010134F9 8D9D 00104000 lea ebx, [ebp+401000]
010134FF 53 push ebx
01013500 FFD0 call eax
01013502 58 pop eax
01013503 61 popad
01013504 83C2 04 add edx, 4
01013507 E2 DC loopd short 010134E5
Yet another popad, continue
01013509 8BA5 94114000 mov esp, [ebp+401194]
0101350F 8B85 98114000 mov eax, [ebp+401198]
01013515 8B9D 9C114000 mov ebx, [ebp+40119C]
0101351B 8B8D A0114000 mov ecx, [ebp+4011A0]
01013521 8B95 A4114000 mov edx, [ebp+4011A4]
01013527 8BB5 A8114000 mov esi, [ebp+4011A8]
0101352D 8BBD AC114000 mov edi, [ebp+4011AC]
01013533 8B95 69114000 mov edx, [ebp+401169]
01013539 0395 59114000 add edx, [ebp+401159]
0101353F - FFE2 jmp edx ; notepad.0100739D
Ha, see that? The big jump has appeared,
0100739D 6A db 6A ; CHAR 'j'
0100739E 70 db 70 ; CHAR 'p'
0100739F 68 db 68 ; CHAR 'h'
010073A0 98 db 98
Right-click on 0100739D, dump, tick the rebuild option, and try running the result: it works perfectly.
--------------------------------------------------------------------------------
【Summary】
The pib packer is not very hard; the key is patience. Three popads show up in total, and only after the last one does the big jump appear.
【Key point】
Cross-section jump: many packers add a new section to the original program to hold the compressed or encrypted code, so at run time, once decompression or decryption is done, a jump across sections to the original entry point must follow.
Using this characteristic to locate the original entry point is very effective.
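The cross-section heuristic can be checked mechanically: parse the section table, map each executed address to its section, and flag the first transfer that leaves the packer's section for another section of the same module. The Python below does that over a constructed section layout and a constructed trace built from the addresses in this post (notepad loaded at 01000000, stub code around 01013xxx, `jmp edx` landing at 0100739D). It is an added example, not code from the post or from pib; the section names, sizes and characteristics are made up, in particular the name `.pib` for the appended section, which the post never states, and 0x7C800000 is a made-up address standing for a call into a system DLL.

```python
import struct

SECTION_HEADER_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER_FMT)
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def parse_section_table(raw, count):
    """Parse `count` consecutive section headers into dicts."""
    sections = []
    for i in range(count):
        fields = struct.unpack_from(SECTION_HEADER_FMT, raw, i * SECTION_HEADER_SIZE)
        name, vsize, va, rawsize, _, _, _, _, _, chars = fields
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii"),
            "va": va,
            "size": max(vsize, rawsize),   # in memory the section spans the larger of the two
            "executable": bool(chars & IMAGE_SCN_MEM_EXECUTE),
        })
    return sections


def section_of(sections, image_base, address):
    """Name of the module section containing `address`, or None (e.g. a system DLL)."""
    rva = address - image_base
    for s in sections:
        if s["va"] <= rva < s["va"] + s["size"]:
            return s["name"]
    return None


def find_cross_section_jump(sections, image_base, trace, stub_section):
    """Scan executed addresses and return (from_addr, to_addr) for the first
    transfer that leaves `stub_section` for another section of the same module;
    `to_addr` is the OEP candidate. Addresses outside the module (API calls into
    other DLLs, like the call at 0101332E) are ignored so they cannot trigger a hit."""
    prev_addr, prev_sec = None, None
    for addr in trace:
        sec = section_of(sections, image_base, addr)
        if sec is None:
            continue
        if prev_sec == stub_section and sec != stub_section:
            return prev_addr, addr
        prev_addr, prev_sec = addr, sec
    return None


def build_sample():
    """Constructed layout (not notepad's real section table): .text and .data plus
    a trailing section assumed to be the packer's, named .pib here for illustration."""
    def header(name, va, size, chars):
        return struct.pack(SECTION_HEADER_FMT, name.ljust(8, b"\0"), size, va, size,
                           0, 0, 0, 0, 0, chars)
    raw = (header(b".text", 0x1000, 0x7000, 0x60000020)
           + header(b".data", 0x8000, 0x3000, 0xC0000040)
           + header(b".pib", 0x13000, 0x1000, 0xE0000060))
    # Constructed trace: stub addresses from the post, one call out to a system DLL
    # (made-up address 0x7C800000), then the `jmp edx` landing at 0100739D.
    trace = [0x01013086, 0x010131B0, 0x0101332E, 0x7C800000, 0x01013334,
             0x01013509, 0x0101353F, 0x0100739D, 0x0100739E]
    return raw, trace


if __name__ == "__main__":
    raw, trace = build_sample()
    sections = parse_section_table(raw, 3)
    hit = find_cross_section_jump(sections, 0x01000000, trace, ".pib")
    print("OEP candidate:", None if hit is None else "%08X -> %08X" % hit)
```

In the debugger the same idea is applied by tracing until EIP leaves the stub's section, which is exactly what the manual F7/F4 walk in this post converges on; the script just makes the rule explicit and keeps calls into other modules from being mistaken for the transition.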
--------------------------------------------------------------------------------
【Copyright】: Originally published on the PEDIY (看雪) forum; please credit the author and keep the article intact when reposting. Thank you!
24 September 2006, 09:08:45 PM