[Title]: Experts, please come in and give me some pointers
[Author]: 腾龙随缘
[Software]: sys.dll
[Size]: 712KB
[Download]: http://ys-e.ys168.com/ys168up/D0/?Sys.dlly69z7pd4fd7b0b5z9q9b0b5bpl9bp5b0b0b0bqd2b1f6e00e08e08e24b1bp2b0b5b0b0fcpd7z
[Packer]: Armadillo v4.40
--------------------------------------------------------------------------------
[Detailed process]
Could an expert please take a look and tell me which step is wrong? I followed a tutorial for manually unpacking the Armadillo v4.40-packed EdrLib.dll, but it did not succeed!
PEiD scan: Armadillo 2.51 - 3.xx DLL Stub -> Silicon Realms Toolworks
First I set a breakpoint with HE OutputDebugStringA, ran with Shift+F9, and it broke. Stack:
0006E8E8 00AD580F /CALL to OutputDebugStringA from 00AD5809
0006E8EC 0006F260 \String = "%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s"
This confirms the packer is Armadillo v4.40.
LordPE shows ImageBase=00400000, EntryPoint=0009AE97
After clearing the breakpoint, I reload the DLL in OD:
0090AE97 >/$ 55 push ebp
0090AE98 |. 8BEC mov ebp, esp
0090AE9A |. 53 push ebx
0090AE9B |. 8B5D 08 mov ebx, [ebp+8]
0090AE9E |. 56 push esi
Set a breakpoint: BP GetModuleHandleA+5, then Shift+F9 to run. After each break the stack is:
First break:
0006EC00 772AD205 RETURN to SHLWAPI.772AD205 from kernel32.GetModuleHandleA
0006EC04 772B02D8 ASCII "KERNEL32.DLL"
Second break:
000691A0 00AD6DF3 RETURN to 00AD6DF3 from kernel32.GetModuleHandleA
000691A4 00AEBC1C ASCII "kernel32.dll"
000691A8 00AECEC4 ASCII "VirtualAlloc"
Third break:
000691A0 00AD6E10 RETURN to 00AD6E10 from kernel32.GetModuleHandleA
000691A4 00AEBC1C ASCII "kernel32.dll"
000691A8 00AECEB8 ASCII "VirtualFree"
Fourth break:
00068F04 00AC5CE1 RETURN to 00AC5CE1 from kernel32.GetModuleHandleA
00068F08 00069054 ASCII "kernel32.dll"
Clear the breakpoint and return to:
00AC5CE1 8B0D AC40AF00 mov ecx, [AF40AC]
00AC5CE7 89040E mov [esi+ecx], eax
00AC5CEA A1 AC40AF00 mov eax, [AF40AC]
00AC5CEF 391C06 cmp [esi+eax], ebx
00AC5CF2 75 16 jnz short 00AC5D0A
00AC5CF4 8D85 B4FEFFFF lea eax, [ebp-14C]
00AC5CFA 50 push eax
00AC5CFB FF15 BC62AE00 call [AE62BC] ; kernel32.LoadLibraryA
00AC5D01 8B0D AC40AF00 mov ecx, [AF40AC]
00AC5D07 89040E mov [esi+ecx], eax
00AC5D0A A1 AC40AF00 mov eax, [AF40AC]
00AC5D0F 391C06 cmp [esi+eax], ebx
00AC5D12 0F84 2F010000 je 00AC5E47 ; Magic Jump: change JE to JMP to skip the IAT encryption
00AC5D18 33C9 xor ecx, ecx
00AC5D1A 8B07 mov eax, [edi]
00AC5D1C 3918 cmp [eax], ebx
00AC5D1E 74 06 je short 00AC5D26
Set a breakpoint: bp GetTickCount, then Shift+F9 to run. After the breaks the stack is:
First break:
000691A8 00ADC009 /CALL to GetTickCount from 00ADC003
Second break:
000691A8 00ADC3C8 /CALL to GetTickCount from 00ADC3C2
Clear the breakpoint and return to:
00ADC3C8 2B85 A4D4FFFF sub eax, [ebp-2B5C]
00ADC3CE 8B8D A8D4FFFF mov ecx, [ebp-2B58]
00ADC3D4 6BC9 32 imul ecx, ecx, 32
00ADC3D7 81C1 D0070000 add ecx, 7D0
In the CPU window press Ctrl+S and search for:
PUSH EAX
XCHG CX,CX
POP EAX
STC
Found:
00ADCF54 50 push eax ; I set a breakpoint here and run
00ADCF55 66:87C9 xchg cx, cx
00ADCF58 58 pop eax
00ADCF59 F9 stc
Clear the breakpoint:
00ADCF54 50 push eax
00ADCF55 66:87C9 xchg cx, cx
00ADCF58 58 pop eax
00ADCF59 C705 E0C0AE00 6>mov dword ptr [AEC0E0], 0AECB60
00ADCF63 A1 E49FAF00 mov eax, [AF9FE4]
00ADCF68 8B00 mov eax, [eax] ; I set a breakpoint here, run, get the relocation RVA, then clear the breakpoint
00ADCF6A 8985 3CD9FFFF mov [ebp-26C4], eax
00ADCF70 A1 E49FAF00 mov eax, [AF9FE4]
00ADCF75 83C0 04 add eax, 4
00ADCF78 A3 E49FAF00 mov [AF9FE4], eax
00ADCF7D A1 E49FAF00 mov eax, [AF9FE4]
00ADCF82 8B00 mov eax, [eax] ; I set a breakpoint here, run, get the relocation size, then clear the breakpoint
00ADCF84 8985 78D9FFFF mov [ebp-2688], eax
00ADCF8A A1 E49FAF00 mov eax, [AF9FE4]
00ADCF8F 83C0 04 add eax, 4
00ADCF92 A3 E49FAF00 mov [AF9FE4], eax
00ADCF97 83BD 3CD9FFFF 0>cmp dword ptr [ebp-26C4], 0
00ADCF9E 74 6F je short 00ADD00F
00ADCFA0 83BD 78D9FFFF 0>cmp dword ptr [ebp-2688], 0
00ADCFA7 74 66 je short 00ADD00F
00ADCFA9 8B85 FCD7FFFF mov eax, [ebp-2804]
00ADCFAF 8B8D 0CD8FFFF mov ecx, [ebp-27F4]
00ADCFB5 3B48 34 cmp ecx, [eax+34]
00ADCFB8 74 55 je short 00ADD00F ; change JE to JMP here
00ADCFBA FFB5 78D9FFFF push dword ptr [ebp-2688]
00ADCFC0 8B85 0CD8FFFF mov eax, [ebp-27F4]
Relocation RVA: 0005C000
ds:[009990D7]=0005C000
eax=009990D7 (Sys.009990D7)
Relocation size: 00005B78
ds:[009990DB]=00005B78
eax=009990DB (Sys.009990DB), ASCII "x["
Open the memory map window:
00870000 00001000 sys PE header Imag R RWE
00871000 00053000 sys CODE Imag R RWE
008C4000 00003000 sys DATA Imag R RWE
008C7000 00001000 sys BSS Imag R RWE
008C8000 00003000 sys .idata Imag R RWE
008CB000 00001000 sys .edata Imag R RWE
008CC000 00006000 sys .reloc Imag R RWE
008D2000 00040000 sys .text Imag R RWE ; I set a memory access breakpoint here and run
00912000 00010000 sys .adata Imag R RWE
00922000 00010000 sys .data Imag R RWE
00932000 00010000 sys .reloc1 Imag R RWE
00942000 00060000 sys .pdata Imag R RWE
009A2000 00060000 sys .rsrc Imag R RWE
Break at 008D5980:
008D5980 /$ 55 push ebp ; the tutorial says this is the OEP, but I'm not sure
008D5981 |. 8BEC mov ebp, esp
008D5983 |. 8B45 0C mov eax, [ebp+C]
008D5986 |. 50 push eax ; /Arg3
008D5987 |. 8B4D 08 mov ecx, [ebp+8] ; |
008D598A |. 51 push ecx ; |Arg2
008D598B |. 8B55 10 mov edx, [ebp+10] ; |
008D598E |. 83F2 FF xor edx, FFFFFFFF ; |
008D5991 |. 52 push edx ; |Arg1
008D5992 |. E8 A3E20200 call 00903C3A ; \Sys.00903C3A
Then in LordPE I select OllyDbg's loaddll.exe process, select SYS.dll in it, and choose dump full.
In the directory table I edit Relocation: RVA=0005C000 Size=00005B78
In OD I pick an arbitrary API call, GetAsyncKeyState:
008FAD8E |. FF15 EC219200 |call [<&USER32.GetAsyncKeyState>] ; \GetAsyncKeyState
ds:[009221EC]=77D1932C (USER32.GetAsyncKeyState)
Use D 9221EC to find the function table:
0092202C >77E51B14 kernel32.GlobalUnlock
00922030 >77E5166F kernel32.GlobalLock
00922034 >77E536A3 kernel32.GlobalAlloc
00922038 >77E5751A kernel32.GetTickCount
0092203C >77E59924 kernel32.WideCharToMultiByte
00922040 >77E5339C kernel32.IsBadReadPtr
00922044 >77E4C674 kernel32.GlobalAddAtomA
00922048 >77E4D36B kernel32.GlobalAddAtomW
0092204C >77E59F93 kernel32.GetModuleHandleA
00922050 >77E53803 kernel32.GlobalFree
00922054 >77E79F21 kernel32.GlobalGetAtomNameA
Start address: 00922000
End address: 00922278
In ImportREC v1.6F I select SYS.dll, enter 00522000 for RVA and 00000278 for Size,
and get the function info:
gdi32.dll FThunk:00522000 NbFunc:A (decimal:10) valid:YES
kernel32.dll FThunk:0052202C NbFunc:46 (decimal:70) valid:YES
msvcrt.dll FThunk:00522148 NbFunc:1F (decimal:31) valid:YES
user32.dll FThunk:005221C8 NbFunc:2C (decimal:44) valid:YES
Change the OEP to: 008D5980-870000=65980
Fixing a dumped file...
4 (decimal:4) module(s)
9B (decimal:155) imported function(s).
*** New section added successfully. RVA:00138000 SIZE:00001000
Image Import Descriptor size: 50; Total length: 58C
dumped_.dll Congratulations! File fixed successfully!
Opening the DLL with the Chinese-localized Dll_LoadEx and clicking Load gives: Can't Load This Dll!
The DLL that has not been unpacked loads fine:
NO.1--I:\Sys.dll-Load Success!
Loading the unpacked and fixed file in OD, I find the entry point is:
0090AE97 CC int3
I changed CC to 55, which makes it push ebp,
but Dll_LoadEx still fails to load it. I don't know where the mistake is; experts, please give me some pointers so I can learn!
--------------------------------------------------------------------------------
[Copyright]: This article was originally posted on the 看雪 (PEDIY) forum; when reposting please credit the author and keep the article intact. Thank you!
2006-09-27 22:25:13
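As an added example (not code from the post, nor from LordPE, ImportREC or any other tool it mentions), the following Python script performs the header repairs the post does by hand after dumping: it sets AddressOfEntryPoint from the OEP VA minus the load base, rewrites the base-relocation data directory entry, computes the RVA/Size pair that is typed into ImportREC, and reads back the first opcode byte at the new entry point so a dumped int3 (CC) is spotted before the DLL is ever handed to a loader. It runs against a constructed two-section PE32 image built by `build_sample_image`, which reuses the post's numbers (load base 00870000, OEP 008D5980, relocation 0005C000/00005B78, IAT 00922000-00922278) but is not the real Sys.dll; the image layout and all helper names are assumptions of the example.

```python
import struct

FILE_ALIGN = 0x200
SECT_ALIGN = 0x1000
BASERELOC_DIR = 5      # IMAGE_DIRECTORY_ENTRY_BASERELOC
OPT_ENTRYPOINT = 16    # field offsets inside IMAGE_OPTIONAL_HEADER32
OPT_IMAGEBASE = 28
OPT_DATADIR = 96

def _nt_offset(img):
    """Locate IMAGE_NT_HEADERS through e_lfanew; refuse anything that is not a PE."""
    if img[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    nt = struct.unpack_from("<I", img, 0x3C)[0]
    if img[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return nt

def _opt_offset(img):
    return _nt_offset(img) + 4 + 20   # skip PE signature and IMAGE_FILE_HEADER

def sections(img):
    """(name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData) per section."""
    nt = _nt_offset(img)
    nsect = struct.unpack_from("<H", img, nt + 6)[0]
    opt_size = struct.unpack_from("<H", img, nt + 20)[0]
    table = nt + 24 + opt_size
    out = []
    for i in range(nsect):
        off = table + 40 * i
        name = img[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", img, off + 8)
        out.append((name, va, vsize, rawptr, rawsize))
    return out

def rva_to_offset(img, rva):
    """Map an RVA to a file offset through the section table."""
    for _, va, vsize, rawptr, rawsize in sections(img):
        if va <= rva < va + max(vsize, rawsize):
            return rawptr + (rva - va)
    raise ValueError(f"RVA {rva:#x} is not inside any section")

def set_entry_point(img, oep_va, load_base):
    """AddressOfEntryPoint = OEP VA - base the dump was taken at (008D5980-870000 in the post)."""
    rva = oep_va - load_base
    struct.pack_into("<I", img, _opt_offset(img) + OPT_ENTRYPOINT, rva)
    return rva

def set_reloc_directory(img, rva, size):
    """Point the base-relocation data directory at the recovered .reloc block."""
    struct.pack_into("<II", img, _opt_offset(img) + OPT_DATADIR + 8 * BASERELOC_DIR, rva, size)

def reloc_directory(img):
    return struct.unpack_from("<II", img, _opt_offset(img) + OPT_DATADIR + 8 * BASERELOC_DIR)

def entry_byte(img):
    """First opcode byte at AddressOfEntryPoint; 0xCC means an int3 was dumped there."""
    rva = struct.unpack_from("<I", img, _opt_offset(img) + OPT_ENTRYPOINT)[0]
    return img[rva_to_offset(img, rva)]

def importrec_params(iat_start_va, iat_end_va, load_base):
    """RVA and Size to type into ImportREC, relative to the same load base as the OEP."""
    return iat_start_va - load_base, iat_end_va - iat_start_va

def build_sample_image(load_base=0x00870000):
    """Constructed two-section PE32 DLL for exercising the helpers; not the real Sys.dll."""
    reloc_rva, text_rva, sect_raw = 0x5C000, 0x65000, 0x1000
    hdr = bytearray(FILE_ALIGN)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                      # e_lfanew
    nt = 0x40
    hdr[nt:nt + 4] = b"PE\0\0"
    # IMAGE_FILE_HEADER: i386, 2 sections, 224-byte optional header, EXECUTABLE|32BIT|DLL
    struct.pack_into("<HHIIIHH", hdr, nt + 4, 0x14C, 2, 0, 0, 0, 224, 0x2102)
    opt = nt + 24
    struct.pack_into("<H", hdr, opt, 0x10B)                      # PE32 magic
    struct.pack_into("<I", hdr, opt + OPT_IMAGEBASE, load_base)
    struct.pack_into("<II", hdr, opt + 32, SECT_ALIGN, FILE_ALIGN)
    struct.pack_into("<II", hdr, opt + 56, text_rva + SECT_ALIGN, FILE_ALIGN)  # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", hdr, opt + 92, 16)                    # NumberOfRvaAndSizes
    layout = [(b".reloc", reloc_rva, FILE_ALIGN), (b".text", text_rva, FILE_ALIGN + sect_raw)]
    for i, (name, va, rawptr) in enumerate(layout):
        struct.pack_into("<8sIIIIIIHHI", hdr, opt + 224 + 40 * i,
                         name, sect_raw, va, sect_raw, rawptr, 0, 0, 0, 0, 0x60000020)
    body = bytearray(2 * sect_raw)
    body[sect_raw + 0x980] = 0xCC   # int3 at RVA 0x65980, as the post saw at its dumped OEP
    return hdr + body

def fix_dump(img, oep_va, reloc_rva, reloc_size, load_base):
    """The header edits the post makes by hand in LordPE, plus a look at the byte at the OEP."""
    oep_rva = set_entry_point(img, oep_va, load_base)
    set_reloc_directory(img, reloc_rva, reloc_size)
    return oep_rva, entry_byte(img)

if __name__ == "__main__":
    dump = build_sample_image()
    print("OEP RVA %#x, entry byte %#x" % fix_dump(dump, 0x008D5980, 0x5C000, 0x5B78, 0x00870000))
    print("ImportREC RVA %#x, Size %#x" % importrec_params(0x00922000, 0x00922278, 0x00870000))
```

The one invariant worth checking after every manual fix of this kind: AddressOfEntryPoint, the relocation directory entry and the IAT range that ImportREC writes back must all be RVAs against the same base, the base the module was loaded at when the dump was taken; `fix_dump` and `importrec_params` take that base as an explicit argument so it cannot silently differ between steps. `entry_byte` is the check to run before loading the result: a CC at the entry point means a software breakpoint was still in the image when it was dumped.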