【Title】: Unpacking a SoftwareCompress 1.4-packed program with OllyICE in three simple steps
【Author】: KuNgBiM
【Author's e-mail】: kungbim@163.com
【Author's homepage】: http://www.crkcn.com
【Software name】: packed notepad
【Software size】: 43.7KB
【Download】: search for it yourself
【Packer】: SoftwareCompress 1.4
【Compiler】: Microsoft Visual C++ 7.0 Method2
【Tools used】: OllyICE
【Platform】: pirated, non-standard XP SP2
【Software description】: SoftwareCompress 1.4 packing test program
【Author's note】: Just out of interest, no other purpose. If I have made mistakes, corrections from the masters are welcome!
--------------------------------------------------------------------------------
【Detailed procedure】
1. Load the target program in OD, hide OD, then ignore all exceptions
0101205C > E8 00000000 call 01012061 ; OD loads here (packer EP)
01012061 812C24 AA1A4100 sub dword ptr [esp], 411AAA
01012068 5D pop ebp
01012069 E8 00000000 call 0101206E
0101206E 832C24 6E sub dword ptr [esp], 6E
01012072 8B85 5D1A4100 mov eax, dword ptr [ebp+411A5D]
01012078 290424 sub dword ptr [esp], eax
0101207B 8B0424 mov eax, dword ptr [esp]
0101207E 8985 5D1A4100 mov dword ptr [ebp+411A5D], eax
01012084 58 pop eax
01012085 8B85 5D1A4100 mov eax, dword ptr [ebp+411A5D]
0101208B 8B50 3C mov edx, dword ptr [eax+3C]
0101208E 03D0 add edx, eax
01012090 8B92 80000000 mov edx, dword ptr [edx+80]
01012096 03D0 add edx, eax
01012098 8B4A 58 mov ecx, dword ptr [edx+58]
0101209B 898D 491A4100 mov dword ptr [ebp+411A49], ecx
010120A1 8B4A 5C mov ecx, dword ptr [edx+5C]
Alt+M opens the memory map:
Set an F2 breakpoint on the first section (the code section) and press F9 to run! Once it breaks, remove the breakpoint.
-------------------------------
Memory map, 条目 30
地址=01001000
大小=00008000 (32768.)
属主=vc 01000000
区段=
包含=代码
类型=Imag 01001002
访问=R
初始访问=RWE
-------------------------------
000A5077 A4 movs byte ptr es:[edi], byte ptr [esi] ; breaks here; remove the breakpoint afterwards.
000A5078 B3 02 mov bl, 2
000A507A E8 6D000000 call 000A50EC
000A507F ^ 73 F6 jnb short 000A5077
000A5081 33C9 xor ecx, ecx
000A5083 E8 64000000 call 000A50EC
000A5088 73 1C jnb short 000A50A6
000A508A 33C0 xor eax, eax
000A508C E8 5B000000 call 000A50EC
000A5091 73 23 jnb short 000A50B6
000A5093 B3 02 mov bl, 2
000A5095 41 inc ecx
2. Search for a specific code pattern to find the OEP
Ctrl+S to search for the code:
------------------------------------
mov eax, dword ptr [esp+10]
add eax, 14
------------------------------------
000A521B 36:8B4424 10 mov eax, dword ptr [esp+10] ; the search lands here
000A5220 83C0 14 add eax, 14
000A5223 36:894424 10 mov dword ptr [esp+10], eax
000A5228 ^ 0F85 77FFFFFF jnz 000A51A5
000A522E 8BBD B01C4100 mov edi, dword ptr [ebp+411CB0]
000A5234 03F9 add edi, ecx ; set an F2 breakpoint here and F9 to it; EDI=0000739D (the OEP value)
; remove the breakpoint after it breaks, then single-step with F8
000A5236 8D8D 181C4100 lea ecx, dword ptr [ebp+411C18]
000A523C 51 push ecx
000A523D 57 push edi
000A523E - FFA5 981C4100 jmp dword ptr [ebp+411C98] ; keep single-stepping with F8 after entering
Stepping in brings us to:
7C80FC2F > 6A 18 push 18 ; F8 enters here, keep pressing F8
7C80FC31 68 D8FC807C push 7C80FCD8
7C80FC36 E8 8B28FFFF call 7C8024C6
7C80FC3B 8365 FC 00 and dword ptr [ebp-4], 0
7C80FC3F A1 E836887C mov eax, dword ptr [7C8836E8]
7C80FC44 8B5D 08 mov ebx, dword ptr [ebp+8]
7C80FC47 85C0 test eax, eax
7C80FC49 0F85 91070300 jnz 7C8403E0
7C80FC4F F6C3 04 test bl, 4
7C80FC52 0F84 98000000 je 7C80FCF0
7C80FC58 834D FC FF or dword ptr [ebp-4], FFFFFFFF
7C80FC5C FF35 A433887C push dword ptr [7C8833A4]
7C80FC62 FF15 9C12807C call dword ptr [<&ntdll.RtlLockHeap>] ; ntdll.RtlLockHeap
7C80FC68 C745 FC 01000000 mov dword ptr [ebp-4], 1
7C80FC6F 8D73 FC lea esi, dword ptr [ebx-4]
7C80FC72 8975 D8 mov dword ptr [ebp-28], esi
7C80FC75 56 push esi
7C80FC76 BF E030887C mov edi, 7C8830E0
7C80FC7B 57 push edi
7C80FC7C FF15 AC12807C call dword ptr [<&ntdll.RtlIsValidHandle>] ; ntdll.RtlIsValidHandle
7C80FC82 84C0 test al, al
7C80FC84 0F84 6C070300 je 7C8403F6
7C80FC8A 8B5E 04 mov ebx, dword ptr [esi+4]
7C80FC8D 895D E4 mov dword ptr [ebp-1C], ebx
7C80FC90 56 push esi
7C80FC91 57 push edi
7C80FC92 FF15 9412807C call dword ptr [<&ntdll.RtlFreeHandle>] ; ntdll.RtlFreeHandle
7C80FC98 85DB test ebx, ebx
7C80FC9A 0F84 67070300 je 7C840407
7C80FCA0 53 push ebx
7C80FCA1 6A 01 push 1
7C80FCA3 FF35 A433887C push dword ptr [7C8833A4]
7C80FCA9 FF15 1010807C call dword ptr [<&ntdll.RtlFreeHeap>] ; ntdll.RtlFreeHeap
7C80FCAF 84C0 test al, al
7C80FCB1 74 6C je short 7C80FD1F
7C80FCB3 8365 08 00 and dword ptr [ebp+8], 0
7C80FCB7 834D FC FF or dword ptr [ebp-4], FFFFFFFF
7C80FCBB FF35 A433887C push dword ptr [7C8833A4]
7C80FCC1 FF15 8C12807C call dword ptr [<&ntdll.RtlUnlockHeap>] ; ntdll.RtlUnlockHeap
7C80FCC7 8B45 08 mov eax, dword ptr [ebp+8]
7C80FCCA E8 3228FFFF call 7C802501
7C80FCCF C2 0400 retn 4 ; F8 until here; the retn returns to the OEP!
Flying to the summit of light:
0100739D 6A 70 push 70 ; OEP
0100739F 68 98180001 push 01001898
010073A4 E8 BF010000 call 01007568
010073A9 33DB xor ebx, ebx
010073AB 53 push ebx
010073AC 8B3D CC100001 mov edi, dword ptr [10010CC] ; kernel32.GetModuleHandleA
010073B2 FFD7 call edi
010073B4 66:8138 4D5A cmp word ptr [eax], 5A4D
010073B9 75 1F jnz short 010073DA
010073BB 8B48 3C mov ecx, dword ptr [eax+3C]
010073BE 03C8 add ecx, eax
010073C0 8139 50450000 cmp dword ptr [ecx], 4550
010073C6 75 12 jnz short 010073DA
010073C8 0FB741 18 movzx eax, word ptr [ecx+18]
010073CC 3D 0B010000 cmp eax, 10B
010073D1 74 1F je short 010073F2
010073D3 3D 0B020000 cmp eax, 20B
010073D8 74 05 je short 010073DF
010073DA 895D E4 mov dword ptr [ebp-1C], ebx
010073DD EB 27 jmp short 01007406
010073DF 83B9 84000000 0E cmp dword ptr [ecx+84], 0E
010073E6 ^ 76 F2 jbe short 010073DA
010073E8 33C0 xor eax, eax
3. Unpack and repair
Once at the OEP, OD's bundled dump plugin does all of the dumping and repair work.
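As an added example (not code from the original article), the following Python script walks the PE headers the same way the packer stub does at 0101208B (MZ, e_lfanew, PE signature, optional header), reads AddressOfEntryPoint, checks which section the recovered OEP falls in (the section the memory breakpoint was set on), and rewrites the entry point with the OEP found above (0100739D minus the image base 01000000 = 739D), which is the fix a dump plugin applies. The tiny headers-only PE image it operates on is constructed inline; the image base and addresses are taken from the listings above.

```python
import struct

IMAGE_BASE = 0x01000000   # notepad's image base, from the article's listing
STUB_EP_VA = 0x0101205C   # packer stub entry (where OD loads)
OEP_VA = 0x0100739D       # OEP reached in step 2 (push 70)

def build_minimal_pe(entry_rva, image_base=IMAGE_BASE):
    """Constructed sample: a headers-only PE32 image with one .text section at RVA 0x1000."""
    e_lfanew = 0x40
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0xE0, 0x0102)  # i386, 1 section, 0xE0 opt hdr
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0x00, 0x10B)       # Magic: PE32 (the OEP code compares against 10B / 20B)
    struct.pack_into("<I", opt, 0x10, entry_rva)   # AddressOfEntryPoint
    struct.pack_into("<I", opt, 0x1C, image_base)  # ImageBase
    struct.pack_into("<I", opt, 0x5C, 16)          # NumberOfRvaAndSizes
    sec = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0x8000, 0x1000, 0x8000, 0x400, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + file_hdr + bytes(opt) + sec

def parse_pe(data):
    """Walk MZ -> e_lfanew -> PE -> optional header, the same chain the stub follows at 0101208B."""
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("MZ/PE signature missing")
    opt = e_lfanew + 24                             # optional header follows the 20-byte file header
    magic, = struct.unpack_from("<H", data, opt)
    if magic != 0x10B:
        raise ValueError("not PE32: magic %#x" % magic)
    nsec, = struct.unpack_from("<H", data, e_lfanew + 6)
    entry_rva, = struct.unpack_from("<I", data, opt + 0x10)
    image_base, = struct.unpack_from("<I", data, opt + 0x1C)
    return {"e_lfanew": e_lfanew, "sections": nsec, "entry_rva": entry_rva, "image_base": image_base}

def section_of_rva(data, rva):
    """Name of the section holding rva (the article's memory breakpoint goes on the first section)."""
    hdr = parse_pe(data)
    opt_size, = struct.unpack_from("<H", data, hdr["e_lfanew"] + 20)
    first = hdr["e_lfanew"] + 24 + opt_size          # section table starts right after the optional header
    for i in range(hdr["sections"]):
        name, vsize, vaddr = struct.unpack_from("<8sII", data, first + 40 * i)
        if vaddr <= rva < vaddr + vsize:
            return name.rstrip(b"\0").decode()
    return None

def patch_entry_point(data, oep_va):
    """Write the OEP found in the debugger into AddressOfEntryPoint, as a dump-and-fix step does."""
    hdr = parse_pe(data)
    out = bytearray(data)
    struct.pack_into("<I", out, hdr["e_lfanew"] + 24 + 0x10, oep_va - hdr["image_base"])
    return bytes(out)
```

Running `patch_entry_point(build_minimal_pe(STUB_EP_VA - IMAGE_BASE), OEP_VA)` turns an entry point of 1205C (the stub) into 739D, inside .text.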
--------------------------------------------------------------------------------
【Copyright notice】: This article was originally published on the PEDIY (看雪) forum; when reposting, please credit the author and keep the article intact. Thank you!
April 5, 2007, 03:49:24 AM