I checked this program with PEiD 0.94 and it reports Armadillo 1.xx - 2.xx, so I unpacked it the usual way:
1. Method: the two-breakpoint method, i.e. bp GetModuleHandleA / he GetModuleHandleA and bp GetCurrentThreadId
2. Procedure:
1) Set he GetModuleHandleA, find the Magic Jump, and change it to jmp!
2) Set bp GetCurrentThreadId and find the key code before the OEP, shown below:
00D013B1 03C2 ADD EAX,EDX
00D013B3 8B51 6C MOV EDX,DWORD PTR DS:[ECX+6C]
00D013B6 3351 28 XOR EDX,DWORD PTR DS:[ECX+28]
00D013B9 33D7 XOR EDX,EDI
00D013BB 2BC2 SUB EAX,EDX
00D013BD FFD0 CALL EAX
00D013BF EB 25 JMP SHORT 00D013E6
00D013C1 83F9 01 CMP ECX,1
00D013C4 75 22 JNZ SHORT 00D013E8
00D013C6 FF76 04 PUSH DWORD PTR DS:[ESI+4]
00D013C9 FF76 08 PUSH DWORD PTR DS:[ESI+8]
00D013CC 6A 00 PUSH 0
00D013CE E8 C22AFFFF CALL 00CF3E95
00D013D3 50 PUSH EAX
00D013D4 A1 DCB8D100 MOV EAX,DWORD PTR DS:[D1B8DC]
00D013D9 8B48 6C MOV ECX,DWORD PTR DS:[EAX+6C]
00D013DC 3348 3C XOR ECX,DWORD PTR DS:[EAX+3C]
00D013DF 3348 28 XOR ECX,DWORD PTR DS:[EAX+28]
00D013E2 2BF9 SUB EDI,ECX
00D013E4 FFD7 CALL EDI ======> stepping in here with F7 should reach the OEP, but what I stepped into was..., I don't understand!
00D013E6 8BD8 MOV EBX,EAX
00D013E8 5F POP EDI
00D013E9 8BC3 MOV EAX,EBX
00D013EB 5E POP ESI
00D013EC 5B POP EBX
00D013ED C3 RETN
00D013E8 ==> after stepping in with F7 the code is as follows:
005AA000 90 NOP
005AA001 90 NOP
005AA002 90 NOP
005AA003 90 NOP
005AA004 90 NOP
005AA005 90 NOP
005AA006 90 NOP
005AA007 90 NOP
005AA008 90 NOP
005AA009 90 NOP
..... identical code omitted
005AA2B5 90 NOP
005AA2B6 90 NOP
005AA2B7 - E9 44EDFCFF JMP vodmpeg4.00579000 ====> step in here with F7
005AA2BC 0000 ADD BYTE PTR DS:[EAX],AL
005AA2BE 0000 ADD BYTE PTR DS:[EAX],AL
005AA2C0 0000 ADD BYTE PTR DS:[EAX],AL
005AA2B7 ==> after stepping in with F7 the following code appears:
00579000 /EB 20 JMP SHORT vodmpeg4.00579022
00579002 |0000 ADD BYTE PTR DS:[EAX],AL
00579004 |40 INC EAX
00579005 |0000 ADD BYTE PTR DS:[EAX],AL
00579007 |0040 00 ADD BYTE PTR DS:[EAX],AL
0057900A |0000 ADD BYTE PTR DS:[EAX],AL
0057900C |0000 ADD BYTE PTR DS:[EAX],AL
0057900E |0000 ADD BYTE PTR DS:[EAX],AL
00579010 |0090 17000B00 ADD BYTE PTR DS:[EAX+B0017],DL
00579016 |0000 ADD BYTE PTR DS:[EAX],AL
00579018 |0230 ADD DH,BYTE PTR DS:[EAX]
0057901A |0000 ADD BYTE PTR DS:[EAX],AL
0057901C |0000 ADD BYTE PTR DS:[EAX],AL
0057901E |0000 ADD BYTE PTR DS:[EAX],AL
00579020 |0000 ADD BYTE PTR DS:[EAX],AL
00579022 \9C PUSHFD
00579023 55 PUSH EBP
00579024 57 PUSH EDI
00579025 56 PUSH ESI
00579026 52 PUSH EDX
00579027 51 PUSH ECX
00579028 53 PUSH EBX
00579029 9C PUSHFD
0057902A E8 00000000 CALL vodmpeg4.0057902F
0057902F 5D POP EBP
00579030 81ED EA664000 SUB EBP,vodmpeg4.004066EA
00579036 9C PUSHFD
00579039 /EB 01 JMP SHORT vodmpeg4.0057903C
0057903B |63E8 ARPL AX,BP
0057903D 05 000000EB ADD EAX,EB000000
00579042 77 72 JA SHORT vodmpeg4.005790B6
00579044 F4 HLT ; privileged instruction
00579045 8383 C4049DEB 0>ADD DWORD PTR DS:[EBX+EB9D04C4],1
0057904C 75 74 JNZ SHORT vodmpeg4.005790C2
0057904E 0375 01 ADD ESI,DWORD PTR SS:[EBP+1]
00579051 75 50 JNZ SHORT vodmpeg4.005790A3
00579053 9C PUSHFD
00579054 6A 10 PUSH 10
At this point I opened the memory map with ALT+M; its contents are as follows:
Address Size Owner Section Contains Type Access Initial access Mapped as
00010000 00001000 Priv RW RW
00020000 00001000 Priv RW RW
0011A000 00001000 Priv RW Guard RW
0011B000 00015000 stack of main thread Priv RW Guard RW
00130000 00003000 Map R R
00140000 0000F000 Priv RW RW
00240000 00006000 Priv RW RW
00250000 00003000 Map RW RW
00260000 00016000 Map R R \Device\HarddiskVolume1
00280000 0003D000 Map R R \Device\HarddiskVolume1
002C0000 00041000 Map R R \Device\HarddiskVolume1\
00310000 00006000 Map R R \Device\HarddiskVolume1
00320000 00041000 Map R R
00370000 00001000 Priv RWE RWE
00380000 00001000 Priv RWE RWE
00390000 00004000 Priv RW RW
003A0000 00003000 Map R R \Device\HarddiskVolume1
003B0000 00008000 Priv RW RW
003C0000 00001000 Priv RW RW
003D0000 00001000 Priv RW RW
003E0000 00002000 Priv RW RW
003F0000 00004000 Priv RW RW
00400000 00001000 vodmpeg4 Imag R RWE
00401000 00117000 vodmpeg4 Imag R RWE
00518000 00025000 vodmpeg4 Imag R RWE
0053D000 00001000 vodmpeg4 Imag R RWE
0053E000 00001000 vodmpeg4 Imag R RWE
0053F000 00004000 vodmpeg4 Imag R RWE
00543000 00020000 vodmpeg4 exports Imag R RWE
00563000 00016000 vodmpeg4 Imag R RWE
00579000 00031000 vodmpeg4 Imag R RWE
005AA000 00001000 vodmpeg4 Imag R RWE
005AB000 00020000 vodmpeg4 .text code Imag R RWE
005CB000 00010000 vodmpeg4 .adata code Imag R RWE
005DB000 00010000 vodmpeg4 .data data,imports Imag R RWE
005EB000 00010000 vodmpeg4 .reloc relocations Imag R RWE
005FB000 000E0000 vodmpeg4 .pdata Imag R RWE
006DB000 0001B000 vodmpeg4 .code resources Imag R RWE
00700000 0000E000 Map R E R E
My questions:
1. Why does stepping in with F7 at 00D013E8 not reach the OEP? By rights, with the Armadillo 1.xx - 2.xx packer, stepping in here should land directly on the OEP.
2. Why is the Section column blank for 00401000 in the memory map? Normally this should read CODE.
I hope the experts can advise on these two questions, thank you!
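As an added example (not part of the post above, and not the program's own code), here is a Python script that reads a PE32 section table the way OllyDbg fills the Section column of the memory map, and reports blank section names, writable+executable sections, and which section the entry point falls in. The header blob it runs on is constructed to mirror the addresses in the memory map above (image base 00400000, entry at 005AA2B7, unnamed sections before .text); it is not the real vodmpeg4 file.

```python
import struct

SCN_EXECUTE, SCN_WRITE = 0x20000000, 0x80000000   # IMAGE_SCN_MEM_EXECUTE / _WRITE

def parse_pe32(pe: bytes):
    """Return (image_base, entry_rva, sections) from a PE32 header blob (file or dump)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE header")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24                                     # optional header start
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]
    image_base = struct.unpack_from("<I", pe, opt + 28)[0]  # PE32 offset; PE32+ differs
    sections = []
    for i in range(nsec):                                   # 40-byte IMAGE_SECTION_HEADERs
        name, vsize, va, *_, chars = struct.unpack_from("<8sIIIIIIHHI", pe, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "chars": chars})
    return image_base, entry_rva, sections

def section_for_rva(sections, rva):
    """The section whose virtual range covers rva, or None (what the memory map shows per page)."""
    return next((s for s in sections if s["va"] <= rva < s["va"] + s["vsize"]), None)

def audit(pe: bytes):
    """Header oddities that a packer leaves behind and that show up in the memory map."""
    base, ep, secs = parse_pe32(pe)
    out = []
    for s in secs:
        if not s["name"]:                                   # packer wiped the name -> blank column
            out.append(f"blank section name at {base + s['va']:08X}")
        if s["chars"] & SCN_EXECUTE and s["chars"] & SCN_WRITE:
            out.append(f"writable+executable section {s['name'] or '<blank>'} at {base + s['va']:08X}")
    ep_sec = section_for_rva(secs, ep)
    out.append(f"entry point {base + ep:08X} in section {(ep_sec['name'] or '<blank>') if ep_sec else '<none>'}")
    return out

def _section(name, va, vsize, chars):
    return struct.pack("<8sIIIIIIHHI", name, vsize, va, vsize, 0, 0, 0, 0, 0, chars)

# Constructed header blob mirroring the post's memory map, not the real file:
# image base 0x400000, entry point 0x5AA2B7, two unnamed RWE sections plus .text.
_SECS = [_section(b"", 0x1000, 0x117000, 0xE0000020), _section(b"", 0x1AA000, 0x1000, 0xE0000020),
         _section(b".text", 0x1AB000, 0x20000, 0x60000020)]
_OPT = bytearray(0xE0)
_OPT[0:2] = b"\x0b\x01"                                     # PE32 magic 0x10B
struct.pack_into("<I", _OPT, 16, 0x1AA2B7)                  # AddressOfEntryPoint
struct.pack_into("<I", _OPT, 28, 0x400000)                  # ImageBase
SAMPLE_PE = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0"
             + struct.pack("<HHIIIHH", 0x14C, len(_SECS), 0, 0, 0, len(_OPT), 0x102)
             + bytes(_OPT) + b"".join(_SECS))
```

Run `audit(SAMPLE_PE)` on the sample, or feed `parse_pe32` the raw header bytes of a dump taken from the debugger, to see which sections carry no name and where the entry point actually lands.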