Download page: http://www.encryptpe.com
File size: 2.91M
Language: Simplified Chinese
Category: Domestic software / Shareware / Encryption tools
Platform: Win9X/ME/NT/2000/XP/2003
Description: EncryptPE is Lao Wang's strong packer. EncryptPE encrypts and protects ordinary PE files (EXE, DLL, OCX and other regular programs, as well as NT service programs), guarding against static analysis and modification and against dynamic tracing and debugging, so as to protect software effectively and prevent piracy. Besides the usual countermeasures against debuggers (SoftIce, TRW, OllyDbg, etc.), monitors and dump tools, EncryptPE's protection also relies on: random encryption algorithms, CRC checks, polymorphic code, code replacement, process injection, API hooking, multithreading, debug-mode execution, and full-time monitoring.
[Author's note]: This is purely out of interest, with no other purpose. Corrections from the experts are welcome.
[Debugging environment]: WinXP, OllyDbg, PEiD, LordPE, ImportREC
_____________________________________________________________
[Unpacking process]:
This tutorial was written on and off over fifty days, in many scraps of time spent debugging and organising, and today it can finally be published. The walkthrough is long and will probably be hard to read, so beginners are not advised to practise on it. With the tutorial complete, an unpacking script can now be written as well; I leave that to friends who have the time.
EncryptPE is Lao Wang's strong packer, which everyone has probably seen, since many game cheats and trojans are packed with it.
Most cheats are packed in "non-Service" mode; the Service mode is somewhat weaker, so let's practise on that one.
_____________________________________________________________
I. EncryptPE PEiD Sign
[EncryptPE V2.2007.04.11 -> WFS * Sign.By.fly]
signature = 60 9C 64 FF 35 00 00 00 00 E8 1B 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 47 65 74 54 65 6D 70 50 61 74 68 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 4D 61 70 70 69 6E 67 41 00 00 00 4D 61 70 56 69 65 77 4F 66 46 69 6C 65 00 00 00 55 6E 6D 61 70 56 69 65 77 4F 66 46 69 6C 65 00 00 00 43 6C 6F 73 65 48 61 6E 64 6C 65 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 45 78 69 74 50 72 6F 63 65 73 73 00 00 00 00 00 00
ep_only = true
The simplest and most reliable way to see the EncryptPE version number is to open the packed program in a hex editor such as WinHex; it is visible right below the PE header.
Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F
00000220 45 50 45 3A 20 45 6E 63 72 79 70 74 50 45 20 56 EPE: EncryptPE V
00000230 32 2E 32 30 30 37 2E 34 2E 31 31 2C 20 43 6F 70 2.2007.4.11, Cop
00000240 79 72 69 67 68 74 20 28 43 29 20 57 46 53 00 00 yright (C) WFS
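As an added example (not part of the tutorial), a Python routine that performs the two identification steps above offline: matching the PEiD signature, with its ?? wildcards, at the entry point, and pulling the version banner out of the header slack; the PE it tests is constructed inside the block and is not a real packed file.

```python
"""Identify an EncryptPE-packed PE32 file offline: match the PEiD signature
(ep_only, ?? = wildcard) at the entry point and read the 'EPE: EncryptPE V'
banner from the header slack. Added example; the sample PE below is constructed."""
import struct

# [EncryptPE V2.2007.04.11 -> WFS * Sign.By.fly], ep_only = true
ENCRYPTPE_SIG = (
    "60 9C 64 FF 35 00 00 00 00 E8 1B 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
    "?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
    "?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? "
    "?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 "
    "6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 "                    # kernel32.dll
    "47 65 74 54 65 6D 70 50 61 74 68 41 00 00 00 "                    # GetTempPathA
    "43 72 65 61 74 65 46 69 6C 65 41 00 00 00 "                       # CreateFileA
    "43 72 65 61 74 65 46 69 6C 65 4D 61 70 70 69 6E 67 41 00 00 00 "  # CreateFileMappingA
    "4D 61 70 56 69 65 77 4F 66 46 69 6C 65 00 00 00 "                 # MapViewOfFile
    "55 6E 6D 61 70 56 69 65 77 4F 66 46 69 6C 65 00 00 00 "           # UnmapViewOfFile
    "43 6C 6F 73 65 48 61 6E 64 6C 65 00 00 00 "                       # CloseHandle
    "4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 "                    # LoadLibraryA
    "47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 "              # GetProcAddress
    "45 78 69 74 50 72 6F 63 65 73 73 00 00 00 00 00 00"               # ExitProcess
)
BANNER_PREFIX = b"EPE: "   # banner text: "EPE: EncryptPE V2.2007.4.11, Copyright (C) WFS"


def parse_sig(text):
    """PEiD text signature -> list of byte values, None for a ?? wildcard."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]


def sig_matches(data, offset, pattern):
    if offset < 0 or offset + len(pattern) > len(data):
        return False
    return all(p is None or data[offset + i] == p for i, p in enumerate(pattern))


def pe_layout(data):
    """Return (AddressOfEntryPoint, end of section table, [(name, va, vsize, rawptr, rawsize)])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsect = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24                        # optional header follows the 20-byte COFF header
    ep_rva = struct.unpack_from("<I", data, opt + 16)[0]
    table = opt + opt_size
    sections = []
    for i in range(nsect):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        sections.append((name.rstrip(b"\0"), va, vsize, rawptr, rawsize))
    return ep_rva, table + 40 * nsect, sections


def rva_to_offset(rva, sections):
    for _, va, vsize, rawptr, rawsize in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + rawptr
    return None


def identify_encryptpe(data):
    """Return (signature_hit, banner) where banner is the version text or None."""
    ep_rva, table_end, sections = pe_layout(data)
    ep_off = rva_to_offset(ep_rva, sections)
    hit = ep_off is not None and sig_matches(data, ep_off, parse_sig(ENCRYPTPE_SIG))
    # The banner sits in header slack: after the section table, before the first raw section
    first_raw = min([s[3] for s in sections if s[3]] or [len(data)])
    idx = data.find(BANNER_PREFIX + b"EncryptPE V", table_end, first_raw)
    banner = None
    if idx != -1:
        banner = data[idx + len(BANNER_PREFIX):data.index(b"\0", idx)].decode("ascii", "replace")
    return hit, banner


def build_sample_pe(ep_code, banner):
    """Constructed minimal PE32 (one section at RVA 0x1000, raw offset 0x200); not a real sample."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                        # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # i386, 1 section, PE32 opt hdr
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                        # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                      # ImageBase
    sect = struct.pack("<8sIIIIIIHHI", b"EPE0", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    header = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect + banner).ljust(0x200, b"\0")
    return header + ep_code.ljust(0x200, b"\0")


SAMPLE_BANNER = b"EPE: EncryptPE V2.2007.4.11, Copyright (C) WFS\0"
# Constructed "packed" sample: the signature bytes with every wildcard filled by a NOP
PACKED_SAMPLE = build_sample_pe(
    bytes(0x90 if b is None else b for b in parse_sig(ENCRYPTPE_SIG)), SAMPLE_BANNER)
```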
_____________________________________________________________
II. Packing in Service mode
EncryptPE has two packing modes: Service and non-Service.
The help file says: "Select the PE file to encrypt (EXE, DLL, OCX, etc.); if it is an NT service program, tick the Service option (ordinary programs can also be encrypted with Service ticked, with slightly lower protection strength than without it)."
Run EncryptPE to pack the Win98 Notepad in "Service" mode; Test.EncryptPE V2.2007.4.11.Service.exe is the test subject.
_____________________________________________________________
III. AntiDebug
Because the packer's runtime library V220070411.EPE injects itself into explorer.exe, a modified OllyDbg can be used to avoid some trouble while debugging.
Set OllyDbg to ignore all exceptions, and use the IsDebuggerPresent plugin to hide OllyDbg's debugger flag.
0040D000 60 pushad
//OllyDbg pauses here after loading
0040D001 9C pushfd
0040D002 64:FF35 00000000 push dword ptr fs:[0]
0040D009 E8 1B020000 call 0040D229
_____________________________________________
1.IsDebuggerPresent
BP IsDebuggerPresent, Shift+F9; after the break, look at the stack:
00F9FF48 711F7C29 /CALL 到 IsDebuggerPresent 来自 V2200704.711F7C27
00F9FF4C 00F9FF78 指针到下一个 SEH 记录
711F7C27 FFD3 call ebx ; kernel32.IsDebuggerPresent
//IsDebuggerPresent check
711F7C29 85C0 test eax,eax
711F7C2B 74 10 je short 711F7C3D
711F7C2D 803D B6182371 00 cmp byte ptr ds:[712318B6],0
711F7C34 75 07 jnz short 711F7C3D
711F7C36 C605 B0182271 01 mov byte ptr ds:[712218B0],1
//Debugger found
711F7C3D 85DB test ebx,ebx
711F7C3F 74 16 je short 711F7C57
711F7C41 FFD3 call ebx ; kernel32.IsDebuggerPresent
//IsDebuggerPresent check
711F7C43 85C0 test eax,eax
711F7C45 75 10 jnz short 711F7C57
_____________________________________________
2.FindWindowA
711F6118 6A 00 push 0
711F611A E8 291CF3FF call 71127D48 ; jmp to USER32.FindWindowA
711F611F 8BD8 mov ebx,eax
711F6121 EB 0C jmp short 711F612F
The FindWindow checks aimed at OllyDbg look for the "ACPU" and "OLLYDBG" window classes:
00D831B0 54 52 57 32 30 30 30 20 66 6F 72 20 57 69 6E 64 TRW2000 for Wind
00D831C0 6F 77 73 20 39 78 00 00 26 00 00 00 0C 1C D8 00 ows 9x..&....?
00D832CC 54 57 58 32 30 30 32 20 66 6F 72 20 57 69 6E 64 TWX2002 for Wind
00D832DC 6F 77 73 20 24 00 00 00 1B 00 00 00 01 00 00 00 ows $.........
00D832EC 0B 00 00 00 52 65 67 6D 6F 6E 43 6C 61 73 73 00 ...RegmonClass.
00D832FC 1F 00 00 00 01 00 00 00 0F 00 00 00 54 44 65 44 .........TDeD
00D8330C 65 4D 61 69 6E 57 69 6E 58 00 00 00 17 00 00 00 eMainWinX......
00D8331C 01 00 00 00 04 00 00 00 41 43 50 55 00 00 00 00 ......ACPU....
00D8332C 17 00 00 00 01 00 00 00 07 00 00 00 4F 4C 4C 59 .........OLLY
00D8333C 44 42 47 00 00 00 00 00 00 00 00 00 00 00 00 00 DBG.............
_____________________________________________
3.CreateFileA
711F62F6 50 push eax
711F62F7 E8 6410F3FF call 71127360 ; jmp to kernel32.CreateFileA
711F62FC 8BD8 mov ebx,eax
711F62FE 83FB FF cmp ebx,-1
711F6301 74 0D je short 711F6310
711F6303 C605 B0182271 01 mov byte ptr ds:[712218B0],1
CreateFileA checks the following file names: \\.\TRW \\.\TRW2000 \\.\TWX \\.\TWX2002 \\.\SICE \\.\NTICE \\.\REGVXD \\.\SIWDEBUG \\.\NMFilter \\.\SIWVID
_____________________________________________
4.OpenServiceA
711F6359 E8 06A8FDFF call 711D0B64 ; jmp to advapi32.OpenServiceA
//Checks for the NTICE service
The above is only a rough record of EncryptPE's anti-debug checks; with a modified OllyDbg none of them need further attention.
_____________________________________________________________
III. Perfectly repairing the import table
Remove all earlier breakpoints and use the IsDebuggerPresent plugin to hide OllyDbg's debugger flag.
Reload Test.EncryptPE V2.2007.4.11.Service.exe; the real unpacking starts here.
BP IsDebuggerPresent, Shift+F9; after the break, look at the stack.
The EncryptPE library can be seen starting its IsDebuggerPresent check; remove this breakpoint.
Alt+M opens the memory map; find V220070411.EPE, the support library EncryptPE uses:
Address Size Owner Section Contains
71120000 00001000 V2200704 71120000 PE header
71121000 000C7000 V2200704 71120000 EPE0
711E8000 00077000 V2200704 71120000 EPE1 code
7125F000 00002000 V2200704 71120000 .rsrc data,imports,exports,resources,relocations
V220070411.EPE is the core of the EncryptPE packer.
Next the import table is restored directly, so ImportREC is not needed for a final repair.
Alternatively, the MagicJMP could be patched to skip the encryption and the import table then repaired with ImportREC.
Of course, "perfect" is relative: some data that is not needed is left unrestored.
_____________________________________________
1. Restoring the DLLName
Ctrl+G: 711E8000, the start address of the third section of V220070411.EPE.
Ctrl+S, search the whole block for the command sequence:
mov edx,dword ptr ds:[eax+80]
mov dword ptr ss:[ebp-38],edx
mov edx,dword ptr ds:[eax+84]
mov dword ptr ss:[ebp-34],edx
Found at 71205168; this is where the import table encryption is handled.
Set a hardware execution breakpoint there, Shift+F9; after the break, remove it.
7120515F 8B45 D8 mov eax,dword ptr ss:[ebp-28]
71205162 8B40 3C mov eax,dword ptr ds:[eax+3C]
71205165 0345 D8 add eax,dword ptr ss:[ebp-28]
71205168 8B90 80000000 mov edx,dword ptr ds:[eax+80]
//[eax+80]=[00DC53FC]=00006000, the original Import Table RVA
7120516E 8955 C8 mov dword ptr ss:[ebp-38],edx
71205171 8B90 84000000 mov edx,dword ptr ds:[eax+84]
//[eax+84]=[00DC5400]=0000008C, the original Import Table Size
71205177 8955 CC mov dword ptr ss:[ebp-34],edx
7120517A 837D C8 00 cmp dword ptr ss:[ebp-38],0
7120517E 0F86 8D020000 jbe 71205411
71205184 837D CC 00 cmp dword ptr ss:[ebp-34],0
71205188 0F86 83020000 jbe 71205411
7120518E 6A 00 push 0
71205190 8D45 B8 lea eax,dword ptr ss:[ebp-48]
71205193 B9 01000000 mov ecx,1
71205198 8B15 4C3A2071 mov edx,dword ptr ds:[71203A4C]
7120519E E8 2510F2FF call 711261C8
712051A3 83C4 04 add esp,4
712051A6 8B75 DC mov esi,dword ptr ss:[ebp-24]
712051A9 0375 C8 add esi,dword ptr ss:[ebp-38]
//ESI=00400000+00006000=00406000, Import Table VA
//At [00406000] the IID table can be seen to be the original one
712051AC E9 9E000000 jmp 7120524F
712051B1 A1 E0E02171 mov eax,dword ptr ds:[7121E0E0]
712051B6 8B00 mov eax,dword ptr ds:[eax]
712051B8 8B55 E8 mov edx,dword ptr ss:[ebp-18]
712051BB 8B0490 mov eax,dword ptr ds:[eax+edx*4]
712051BE 8D4D C4 lea ecx,dword ptr ss:[ebp-3C]
712051C1 8B56 0C mov edx,dword ptr ds:[esi+C]
//[esi+C]=DLLName RVA
712051C4 0355 DC add edx,dword ptr ss:[ebp-24]
712051C7 E8 A0DBFFFF call 71202D6C
//Decrypt the DLLName
712051CC 8B45 C4 mov eax,dword ptr ss:[ebp-3C]
//EAX=[ebp-3C]=[0013FF48]=00DB1074, (ASCII "SHELL32.dll") DLLName
712051CF E8 F4FDF1FF call 71124FC8
//Patch: jmp 71232AA0 ★1
712051D4 50 push eax
712051D5 E8 8E23F2FF call 71127568 ; jmp to kernel32.GetModuleHandleA
712051DA 8945 FC mov dword ptr ss:[ebp-4],eax
712051DD 837D FC 00 cmp dword ptr ss:[ebp-4],0
712051E1 75 11 jnz short 712051F4
712051E3 8B45 C4 mov eax,dword ptr ss:[ebp-3C]
712051E6 E8 DDFDF1FF call 71124FC8
712051EB 50 push eax
712051EC E8 E724F2FF call 711276D8 ; jmp to kernel32.LoadLibraryA
712051F1 8945 FC mov dword ptr ss:[ebp-4],eax
712051F4 837D FC 00 cmp dword ptr ss:[ebp-4],0
712051F8 75 05 jnz short 712051FF
712051FA E8 6D7EF2FF call 7112D06C
712051FF 8B45 B8 mov eax,dword ptr ss:[ebp-48]
71205202 E8 050EF2FF call 7112600C
71205207 40 inc eax
71205208 50 push eax
71205209 8D45 B8 lea eax,dword ptr ss:[ebp-48]
7120520C B9 01000000 mov ecx,1
71205211 8B15 4C3A2071 mov edx,dword ptr ds:[71203A4C]
71205217 E8 AC0FF2FF call 711261C8
7120521C 83C4 04 add esp,4
7120521F 8B45 B8 mov eax,dword ptr ss:[ebp-48]
71205222 E8 E50DF2FF call 7112600C
71205227 8B55 B8 mov edx,dword ptr ss:[ebp-48]
7120522A 8B4D FC mov ecx,dword ptr ss:[ebp-4]
7120522D 894CC2 F8 mov dword ptr ds:[edx+eax*8-8],ec>
71205231 8B45 B8 mov eax,dword ptr ss:[ebp-48]
71205234 E8 D30DF2FF call 7112600C
71205239 8B55 B8 mov edx,dword ptr ss:[ebp-48]
7120523C 8D44C2 FC lea eax,dword ptr ds:[edx+eax*8-4>
71205240 50 push eax
71205241 8B45 C4 mov eax,dword ptr ss:[ebp-3C]
71205244 E8 87FBF1FF call 71124DD0
71205249 5A pop edx
7120524A 8902 mov dword ptr ds:[edx],eax
7120524C 83C6 14 add esi,14
7120524F 837E 0C 00 cmp dword ptr ds:[esi+C],0
71205253 76 0A jbe short 7120525F
71205255 837E 10 00 cmp dword ptr ds:[esi+10],0
71205259 0F87 52FFFFFF ja 712051B1
//Loop
★1. Patch Code:
71232AA0 60 pushad
71232AA1 9C pushfd
71232AA2 8B7E 0C mov edi,dword ptr ds:[esi+C]
71232AA5 81C7 00004000 add edi,400000
71232AAB 8BF0 mov esi,eax
71232AAD 8B4E FC mov ecx,dword ptr ds:[esi-4]
//[esi-4] holds the DLLName length
71232AB0 F3:A4 rep movs byte ptr es:[edi],byte ptr ds:[esi]
//Copy the decrypted DLLName back into place
71232AB2 9D popfd
71232AB3 61 popad
71232AB4 E8 0F25EFFF call 71124FC8
//Code from 712051CF, moved here to execute
71232AB9 E9 1627FDFF jmp 712051D4
//Jump back and continue the flow
Binary code copied from OllyDbg:
60 9C 8B 7E 0C 81 C7 00 00 40 00 8B F0 8B 4E FC F3 A4 9D 61 E8 0F 25 EF FF E9 16 27 FD FF
_____________________________________________
2. Restoring the ApiName
7120525F 8B75 DC mov esi,dword ptr ss:[ebp-24]
//F4 to here; DLLName restoration is complete
71205262 0375 C8 add esi,dword ptr ss:[ebp-38]
71205265 33C0 xor eax,eax
71205267 8945 C8 mov dword ptr ss:[ebp-38],eax
7120526A 33C0 xor eax,eax
7120526C 8945 CC mov dword ptr ss:[ebp-34],eax
7120526F 33C0 xor eax,eax
71205271 8945 E0 mov dword ptr ss:[ebp-20],eax
71205274 E9 70010000 jmp 712053E9
71205279 A1 18F72171 mov eax,dword ptr ds:[7121F718]
7120527E 8B40 3C mov eax,dword ptr ds:[eax+3C]
71205281 0305 18F72171 add eax,dword ptr ds:[7121F718]
71205287 0FB740 06 movzx eax,word ptr ds:[eax+6]
7120528B 48 dec eax
7120528C E8 DB0CFFFF call 711F5F6C
71205291 FF15 8B45B88B call dword ptr ds:[8BB8458B]
71205297 55 push ebp
71205298 E0 8B loopdne short 71205225
7120529A 04 D0 add al,0D0
7120529C 8945 FC mov dword ptr ss:[ebp-4],eax
7120529F 8B45 B8 mov eax,dword ptr ss:[ebp-48]
712052A2 8B55 E0 mov edx,dword ptr ss:[ebp-20]
712052A5 8B4CD0 04 mov ecx,dword ptr ds:[eax+edx*8+4]
712052A9 8B46 0C mov eax,dword ptr ds:[esi+C]
712052AC 0345 DC add eax,dword ptr ss:[ebp-24]
712052AF 8BD6 mov edx,esi
712052B1 E8 EE2FF2FF call 711282A4
//Modifies the DLLName; NOP it out ★2
712052B6 837D FC 00 cmp dword ptr ss:[ebp-4],0
712052BA 0F86 14010000 jbe 712053D4
712052C0 8B7E 10 mov edi,dword ptr ds:[esi+10]
712052C3 037D DC add edi,dword ptr ss:[ebp-24]
712052C6 833E 00 cmp dword ptr ds:[esi],0
712052C9 75 07 jnz short 712052D2
712052CB 8BDF mov ebx,edi
712052CD E9 F6000000 jmp 712053C8
712052D2 8B1E mov ebx,dword ptr ds:[esi]
712052D4 035D DC add ebx,dword ptr ss:[ebp-24]
712052D7 E9 EC000000 jmp 712053C8
712052DC A9 00000080 test eax,80000000
712052E1 0F85 B4000000 jnz 7120539B
712052E7 0345 DC add eax,dword ptr ss:[ebp-24]
712052EA 8945 B4 mov dword ptr ss:[ebp-4C],eax
712052ED 8B45 B4 mov eax,dword ptr ss:[ebp-4C]
712052F0 66:8B00 mov ax,word ptr ds:[eax]
712052F3 66:25 FF00 and ax,0FF
712052F7 66:3D FF00 cmp ax,0FF
712052FB 75 7F jnz short 7120537C
//Test whether this is a special function; if so, jump to 7120537C to handle it
712052FD A1 E0E02171 mov eax,dword ptr ds:[7121E0E0]
71205302 8B00 mov eax,dword ptr ds:[eax]
71205304 8B55 E8 mov edx,dword ptr ss:[ebp-18]
71205307 8B0490 mov eax,dword ptr ds:[eax+edx*4]
7120530A 8D4D C4 lea ecx,dword ptr ss:[ebp-3C]
7120530D 8B15 18F72171 mov edx,dword ptr ds:[7121F718]
71205313 8B52 3C mov edx,dword ptr ds:[edx+3C]
71205316 0315 18F72171 add edx,dword ptr ds:[7121F718]
7120531C 0FB752 06 movzx edx,word ptr ds:[edx+6]
71205320 0355 B4 add edx,dword ptr ss:[ebp-4C]
71205323 83EA 02 sub edx,2
71205326 E8 41DAFFFF call 71202D6C
7120532B 8B45 B4 mov eax,dword ptr ss:[ebp-4C]
7120532E 66:C700 0000 mov word ptr ds:[eax],0
//Clear the Hint to 0
71205333 33C0 xor eax,eax
71205335 8903 mov dword ptr ds:[ebx],eax
//Clears the ThunkValue to 0; NOP it out. Use the space of the NOP: change it to jmp 71232AC0 ★3
71205337 8B45 C4 mov eax,dword ptr ss:[ebp-3C]
//ss:[0013FF48]=00DB1398, (ASCII "SHGetSpecialFolderPathA")
//[ebp-3C] is the decrypted ApiName
//The patch at 71205335 jumps to the patch code
★3. Patch Code:
71232AC0 60 pushad
71232AC1 9C pushfd
71232AC2 8B75 C4 mov esi,dword ptr ss:[ebp-3C]
71232AC5 8B4E FC mov ecx,dword ptr ds:[esi-4]
//[esi-4] holds the ApiName length
71232AC8 8B3B mov edi,dword ptr ds:[ebx]
//[EBX]=ThunkValue
71232ACA 81C7 02004000 add edi,400002
//+00400000 -> image base, +2 -> Hint size
71232AD0 F3:A4 rep movs byte ptr es:[edi],byte ptr ds:[esi]
//Restore the ApiName
71232AD2 9D popfd
71232AD3 61 popad
71232AD4 8B45 C4 mov eax,dword ptr ss:[ebp-3C]
//Code from 71205337, moved here to execute
71232AD7 E9 5E28FDFF jmp 7120533A
//Jump back and continue the flow
Binary code copied from OllyDbg:
60 9C 8B 75 C4 8B 4E FC 8B 3B 81 C7 02 00 40 00 F3 A4 9D 61 8B 45 C4 E9 5E 28 FD FF
_____________________________________________
3. Verification
7120533A E8 91FAF1FF call 71124DD0
7120533F 8BC8 mov ecx,eax
71205341 8B45 B4 mov eax,dword ptr ss:[ebp-4C]
71205344 83C0 02 add eax,2
71205347 8BD3 mov edx,ebx
71205349 E8 562FF2FF call 711282A4
//Modifies the ApiName; NOP it out ★4
7120534E A1 18DE2171 mov eax,dword ptr ds:[7121DE18]
//[7121DE18]=712218B0
71205353 8038 00 cmp byte ptr ds:[eax],0
//[712218B0] holds the check flag
71205356 75 6A jnz short 712053C2
//If this jumps, the program dies; NOP it out ★5
_____________________________________________
4. Ordinary function encryption
71205358 8B45 C4 mov eax,dword ptr ss:[ebp-3C]
7120535B E8 68FCF1FF call 71124FC8
71205360 50 push eax
71205361 6A 01 push 1
71205363 A1 E0E02171 mov eax,dword ptr ds:[7121E0E0]
71205368 8B00 mov eax,dword ptr ds:[eax]
7120536A 8B55 E8 mov edx,dword ptr ss:[ebp-18]
7120536D 8B0490 mov eax,dword ptr ds:[eax+edx*4]
71205370 8BCF mov ecx,edi
71205372 8B55 FC mov edx,dword ptr ss:[ebp-4]
71205375 E8 32D8FFFF call 71202BAC
//Import table encryption; step in and modify ★
7120537A EB 46 jmp short 712053C2
________________________
Step into 71202BAC and modify:
71202BAC 55 push ebp
71202BAD 8BEC mov ebp,esp
71202BAF 83C4 F0 add esp,-10
71202BB2 53 push ebx
71202BB3 56 push esi
71202BB4 57 push edi
71202BB5 894D F8 mov dword ptr ss:[ebp-8],ecx
71202BB8 8955 FC mov dword ptr ss:[ebp-4],edx
71202BBB 8BF8 mov edi,eax
71202BBD 8B5D 08 mov ebx,dword ptr ss:[ebp+8]
71202BC0 33C0 xor eax,eax
71202BC2 8945 F0 mov dword ptr ss:[ebp-10],eax
71202BC5 84DB test bl,bl
71202BC7 74 0E je short 71202BD7
71202BC9 8B55 0C mov edx,dword ptr ss:[ebp+C]
71202BCC 8B45 FC mov eax,dword ptr ss:[ebp-4]
71202BCF E8 00FCFEFF call 711F27D4
71202BD4 8945 F0 mov dword ptr ss:[ebp-10],eax
71202BD7 8B45 F0 mov eax,dword ptr ss:[ebp-10]
71202BDA 8945 F4 mov dword ptr ss:[ebp-C],eax
71202BDD 84DB test bl,bl
71202BDF 0F85 49010000 jnz 71202D2E
71202BE5 8B9F E8030000 mov ebx,dword ptr ds:[edi+3E8]
71202BEB 83FB 1D cmp ebx,1D
71202BEE 7D 60 jge short 71202C50
71202BF0 6A 40 push 40
71202BF2 68 00300000 push 3000
71202BF7 68 00000100 push 10000
71202BFC 6A 00 push 0
71202BFE E8 5D4CF2FF call 71127860
71202C03 8BD8 mov ebx,eax
71202C05 85DB test ebx,ebx
71202C07 74 67 je short 71202C70
71202C09 8B87 78030000 mov eax,dword ptr ds:[edi+378]
71202C0F E8 F833F2FF call 7112600C
71202C14 40 inc eax
71202C15 50 push eax
71202C16 8D87 78030000 lea eax,dword ptr ds:[edi+378]
71202C1C B9 01000000 mov ecx,1
71202C21 8B15 00BD1F71 mov edx,dword ptr ds:[711FBD00]
71202C27 E8 9C35F2FF call 711261C8
71202C2C 83C4 04 add esp,4
71202C2F 8B87 78030000 mov eax,dword ptr ds:[edi+378]
71202C35 E8 D233F2FF call 7112600C
71202C3A 8B97 78030000 mov edx,dword ptr ds:[edi+378]
71202C40 895C82 FC mov dword ptr ds:[edx+eax*4-4],ebx
71202C44 C787 E8030000 00000>mov dword ptr ds:[edi+3E8],10000
71202C4E EB 20 jmp short 71202C70
71202C50 8B87 78030000 mov eax,dword ptr ds:[edi+378]
71202C56 E8 B133F2FF call 7112600C
71202C5B 8B97 78030000 mov edx,dword ptr ds:[edi+378]
71202C61 8B4482 FC mov eax,dword ptr ds:[edx+eax*4-4]
71202C65 BA 00000100 mov edx,10000
71202C6A 2BD3 sub edx,ebx
71202C6C 03C2 add eax,edx
71202C6E 8BD8 mov ebx,eax
71202C70 85DB test ebx,ebx
71202C72 0F84 B6000000 je 71202D2E
71202C78 83AF E8030000 1D sub dword ptr ds:[edi+3E8],1D
71202C7F A1 18F72171 mov eax,dword ptr ds:[7121F718]
71202C84 8B40 3C mov eax,dword ptr ds:[eax+3C]
71202C87 0305 18F72171 add eax,dword ptr ds:[7121F718]
71202C8D 8A40 28 mov al,byte ptr ds:[eax+28]
71202C90 34 60 xor al,60
71202C92 34 A8 xor al,0A8
71202C94 8803 mov byte ptr ds:[ebx],al
71202C96 8BF3 mov esi,ebx
71202C98 46 inc esi
71202C99 B8 98471F71 mov eax,711F4798
71202C9E 2BC6 sub eax,esi
71202CA0 83E8 04 sub eax,4
71202CA3 8906 mov dword ptr ds:[esi],eax
71202CA5 A1 18F72171 mov eax,dword ptr ds:[7121F718]
71202CAA 8B40 3C mov eax,dword ptr ds:[eax+3C]
71202CAD 0305 18F72171 add eax,dword ptr ds:[7121F718]
71202CB3 8A40 28 mov al,byte ptr ds:[eax+28]
71202CB6 34 60 xor al,60
71202CB8 34 BF xor al,0BF
71202CBA 8843 05 mov byte ptr ds:[ebx+5],al
71202CBD A1 18F72171 mov eax,dword ptr ds:[7121F718]
71202CC2 8B40 3C mov eax,dword ptr ds:[eax+3C]
71202CC5 0305 18F72171 add eax,dword ptr ds:[7121F718]
71202CCB 8A40 28 mov al,byte ptr ds:[eax+28]
71202CCE 34 60 xor al,60
71202CD0 34 65 xor al,65
71202CD2 8843 06 mov byte ptr ds:[ebx+6],al
71202CD5 8BF3 mov esi,ebx
71202CD7 83C6 07 add esi,7
71202CDA 8BC3 mov eax,ebx
71202CDC 83C0 0B add eax,0B
71202CDF 8906 mov dword ptr ds:[esi],eax
71202CE1 8BF3 mov esi,ebx
71202CE3 83C6 0F add esi,0F
71202CE6 8B45 FC mov eax,dword ptr ss:[ebp-4]
71202CE9 8906 mov dword ptr ds:[esi],eax
71202CEB 8BF3 mov esi,ebx
71202CED 83C6 13 add esi,13
71202CF0 8B45 0C mov eax,dword ptr ss:[ebp+C]
71202CF3 8906 mov dword ptr ds:[esi],eax
71202CF5 8BF3 mov esi,ebx
71202CF7 83C6 17 add esi,17
71202CFA 8D87 98030000 lea eax,dword ptr ds:[edi+398]
71202D00 E8 1B23F2FF call 71125020
71202D05 8906 mov dword ptr ds:[esi],eax
71202D07 8D97 E5030000 lea edx,dword ptr ds:[edi+3E5]
71202D0D 8BC3 mov eax,ebx
71202D0F 83C0 1B add eax,1B
71202D12 B9 01000000 mov ecx,1
71202D17 E8 8855F2FF call 711282A4
71202D1C 8BF3 mov esi,ebx
71202D1E 83C6 0B add esi,0B
71202D21 8BC3 mov eax,ebx
71202D23 83C0 05 add eax,5
71202D26 3345 F0 xor eax,dword ptr ss:[ebp-10]
71202D29 8906 mov dword ptr ds:[esi],eax
71202D2B 895D F4 mov dword ptr ss:[ebp-C],ebx
71202D2E 837D F8 00 cmp dword ptr ss:[ebp-8],0
71202D32 74 2A je short 71202D5E
71202D34 33C0 xor eax,eax
71202D36 55 push ebp
71202D37 68 542D2071 push 71202D54
71202D3C 64:FF30 push dword ptr fs:[eax]
71202D3F 64:8920 mov dword ptr fs:[eax],esp
71202D42 8B75 F8 mov esi,dword ptr ss:[ebp-8]
71202D45 8B45 F4 mov eax,dword ptr ss:[ebp-C]
71202D48 8906 mov dword ptr ds:[esi],eax
//Writes the encrypted address; NOP it out ★6
71202D4A 33C0 xor eax,eax
71202D4C 5A pop edx
71202D4D 59 pop ecx
71202D4E 59 pop ecx
71202D4F 64:8910 mov dword ptr fs:[eax],edx
71202D52 EB 0A jmp short 71202D5E
71202D54 E9 2714F2FF jmp 71124180
71202D59 E8 8A17F2FF call 711244E8
71202D5E 8B45 F4 mov eax,dword ptr ss:[ebp-C]
71202D61 5F pop edi
71202D62 5E pop esi
71202D63 5B pop ebx
71202D64 8BE5 mov esp,ebp
71202D66 5D pop ebp
71202D67 C2 0800 retn 8
_____________________________________________
5. Special function encryption
7120537C 8B45 B4 mov eax,dword ptr ss:[ebp-4C]
//Stack: [ebp-4C]=[0013FF38]=004066EE
//Special function ThunkValue + image base
7120537F 50 push eax
71205380 6A 00 push 0
71205382 A1 E0E02171 mov eax,dword ptr ds:[7121E0E0]
71205387 8B00 mov eax,dword ptr ds:[eax]
71205389 8B55 E8 mov edx,dword ptr ss:[ebp-18]
7120538C 8B0490 mov eax,dword ptr ds:[eax+edx*4]
7120538F 8BCF mov ecx,edi
71205391 8B55 FC mov edx,dword ptr ss:[ebp-4]
71205394 E8 13D8FFFF call 71202BAC
//jmp 71232AE4 ★7
71205399 EB 27 jmp short 712053C2
7120539B 25 FFFF0000 and eax,0FFFF
712053A0 50 push eax
712053A1 6A 01 push 1
712053A3 A1 E0E02171 mov eax,dword ptr ds:[7121E0E0]
712053A8 8B00 mov eax,dword ptr ds:[eax]
712053AA 8B55 E8 mov edx,dword ptr ss:[ebp-18]
712053AD 8B0490 mov eax,dword ptr ds:[eax+edx*4]
712053B0 8BCF mov ecx,edi
712053B2 8B55 FC mov edx,dword ptr ss:[ebp-4]
712053B5 E8 F2D7FFFF call 71202BAC
712053BA 3BFB cmp edi,ebx
712053BC 74 04 je short 712053C2
712053BE 33C0 xor eax,eax
712053C0 8903 mov dword ptr ds:[ebx],eax
712053C2 83C3 04 add ebx,4
712053C5 83C7 04 add edi,4
712053C8 8B03 mov eax,dword ptr ds:[ebx]
712053CA 85C0 test eax,eax
712053CC 0F87 0AFFFFFF ja 712052DC
//Loop over each DLL's functions
712053D2 EB 05 jmp short 712053D9
712053D4 E8 937CF2FF call 7112D06C
712053D9 A1 18DE2171 mov eax,dword ptr ds:[7121DE18]
712053DE 8038 00 cmp byte ptr ds:[eax],0
//[71200685] holds the check flag
712053E1 75 16 jnz short 712053F9
//NOP it out ★8
712053E3 83C6 14 add esi,14
712053E6 FF45 E0 inc dword ptr ss:[ebp-20]
712053E9 837E 0C 00 cmp dword ptr ds:[esi+C],0
712053ED 76 0A jbe short 712053F9
712053EF 837E 10 00 cmp dword ptr ds:[esi+10],0
712053F3 0F87 80FEFFFF ja 71205279
//Loop over the import table
★7. Patch Code:
71232AE4 E8 C300FDFF call 71202BAC
//Code from 71205394, moved here to execute
//EAX is the encrypted address that gets written into the IAT
71232AE9 60 pushad
71232AEA 9C pushfd
71232AEB 8925 DE2A2371 mov dword ptr ds:[71232ADE],esp
//Save ESP
71232AF1 832D DE2A2371 04 sub dword ptr ds:[71232ADE],4
71232AF8 FFD0 call eax ;0118001D
//Simulate the program calling the encrypted function
71232AFA 8BF0 mov esi,eax
71232AFC 8B4E FC mov ecx,dword ptr ds:[esi-4]
71232AFF 3E:8B7D B8 mov edi,dword ptr ds:[ebp-48]
71232B03 66:C707 0000 mov word ptr ds:[edi],0
71232B08 83C7 02 add edi,2
71232B0B F3:A4 rep movs byte ptr es:[edi],byte ptr ds:[esi]
71232B0D C607 00 mov byte ptr ds:[edi],0
71232B10 9D popfd
71232B11 61 popad
71232B12 E9 8228FDFF jmp 71205399
Binary code copied from OllyDbg:
E8 C3 00 FD FF 60 9C 89 25 DE 2A 23 71 83 2D DE 2A 23 71 04 FF D0 8B F0 8B 4E FC 3E 8B 7D B8 66
C7 07 00 00 83 C7 02 F3 A4 C6 07 00 9D 61 E9 82 28 FD FF
________________________
Step into call eax at 71232AF8:
0118001D E8 76470770 call 711F4798
01180022 FF25 28001801 jmp dword ptr ds:[1180028]
711F4798 74 04 je short 711F479E
711F479A 75 02 jnz short 711F479E
711F479E 9C pushfd
711F479F 60 pushad
711F47A0 74 03 je short 711F47A5
711F47A2 75 01 jnz short 711F47A5
711F47A5 9C pushfd
711F47A6 58 pop eax
711F47A7 A3 94182271 mov dword ptr ds:[71221894],eax
711F47AC 74 04 je short 711F47B2
711F47AE 75 02 jnz short 711F47B2
711F47B2 E8 71000000 call 711F4828
711F47B7 31C0 xor eax,eax
711F47B9 A0 B0182271 mov al,byte ptr ds:[712218B0]
711F47BE 83F8 00 cmp eax,0
711F47C1 75 5F jnz short 711F4822
711F47C3 8B4424 24 mov eax,dword ptr ss:[esp+24]
711F47C7 89C3 mov ebx,eax
711F47C9 83C0 02 add eax,2
711F47CC 8B00 mov eax,dword ptr ds:[eax]
711F47CE 8B00 mov eax,dword ptr ds:[eax]
711F47D0 31D8 xor eax,ebx
711F47D2 83F8 00 cmp eax,0
711F47D5 75 24 jnz short 711F47FB
711F47D7 8B4424 24 mov eax,dword ptr ss:[esp+24]
711F47DB 83C0 02 add eax,2
711F47DE 8B00 mov eax,dword ptr ds:[eax]
711F47E0 31C9 xor ecx,ecx
711F47E2 8A48 10 mov cl,byte ptr ds:[eax+10]
711F47E5 51 push ecx
711F47E6 8B48 0C mov ecx,dword ptr ds:[eax+C]
711F47E9 8B50 08 mov edx,dword ptr ds:[eax+8]
711F47EC 8B40 04 mov eax,dword ptr ds:[eax+4]
711F47EF E8 FCE2FFFF call 711F2AF0
//Decrypts the special function; step in
711F47F4 31D8 xor eax,ebx
711F47F6 8943 06 mov dword ptr ds:[ebx+6],eax
711F47F9 31D8 xor eax,ebx
711F47FB 89C3 mov ebx,eax
711F47FD 894424 24 mov dword ptr ss:[esp+24],eax
711F4801 8B03 mov eax,dword ptr ds:[ebx]
711F4803 3C CC cmp al,0CC
//Checks for an ordinary INT3 breakpoint
711F4805 74 14 je short 711F481B
711F4807 80FC CC cmp ah,0CC
711F480A 74 0F je short 711F481B
711F480C C1E8 10 shr eax,10
711F480F 3C CC cmp al,0CC
711F4811 74 08 je short 711F481B
711F4813 80FC CC cmp ah,0CC
711F4816 74 03 je short 711F481B
711F4818 EB 08 jmp short 711F4822
711F481A E9 C605B018 jmp 89CF4DE5
711F481F 2271 01 and dh,byte ptr ds:[ecx+1]
711F4822 61 popad
711F4823 9D popfd
711F4824 C3 retn
711F4825 C3 retn
________________________
Step into call 711F2AF0 at 711F47EF:
711F2AF0 55 push ebp
711F2AF1 8BEC mov ebp,esp
711F2AF3 6A 00 push 0
711F2AF5 6A 00 push 0
711F2AF7 6A 00 push 0
711F2AF9 6A 00 push 0
711F2AFB 6A 00 push 0
711F2AFD 53 push ebx
711F2AFE 56 push esi
711F2AFF 57 push edi
711F2B00 894D F8 mov dword ptr ss:[ebp-8],ecx
711F2B03 8BFA mov edi,edx
711F2B05 8945 FC mov dword ptr ss:[ebp-4],eax
711F2B08 33C0 xor eax,eax
711F2B0A 55 push ebp
711F2B0B 68 95401F71 push 711F4095
711F2B10 64:FF30 push dword ptr fs:[eax]
711F2B13 64:8920 mov dword ptr fs:[eax],esp
711F2B16 33F6 xor esi,esi
711F2B18 8BDF mov ebx,edi
711F2B1A 85DB test ebx,ebx
711F2B1C 0F84 58150000 je 711F407A
711F2B22 803B 00 cmp byte ptr ds:[ebx],0
711F2B25 0F86 4F150000 jbe 711F407A
711F2B2B 33D2 xor edx,edx
711F2B2D 8A13 mov dl,byte ptr ds:[ebx]
711F2B2F 83C2 02 add edx,2
711F2B32 8D45 F4 lea eax,dword ptr ss:[ebp-C]
711F2B35 E8 1A26F3FF call 71125154
711F2B3A 8D45 F4 lea eax,dword ptr ss:[ebp-C]
711F2B3D E8 DE24F3FF call 71125020
711F2B42 33C9 xor ecx,ecx
711F2B44 8A0B mov cl,byte ptr ds:[ebx]
711F2B46 83C1 02 add ecx,2
711F2B49 8BD7 mov edx,edi
711F2B4B 42 inc edx
711F2B4C E8 5357F3FF call 711282A4
711F2B51 807D 08 00 cmp byte ptr ss:[ebp+8],0
711F2B55 74 09 je short 711F2B60
711F2B57 B2 01 mov dl,1
711F2B59 33C0 xor eax,eax
711F2B5B E8 1CFAFFFF call 711F257C
711F2B60 6A 01 push 1
711F2B62 6A 00 push 0
711F2B64 6A 00 push 0
711F2B66 6A 00 push 0
711F2B68 8D45 F4 lea eax,dword ptr ss:[ebp-C]
711F2B6B E8 B024F3FF call 71125020
711F2B70 50 push eax
711F2B71 8D45 F0 lea eax,dword ptr ss:[ebp-10]
711F2B74 8B55 F8 mov edx,dword ptr ss:[ebp-8]
711F2B77 E8 8C21F3FF call 71124D08
711F2B7C 8B4D F0 mov ecx,dword ptr ss:[ebp-10]
711F2B7F 33D2 xor edx,edx
711F2B81 8A13 mov dl,byte ptr ds:[ebx]
711F2B83 83C2 02 add edx,2
711F2B86 58 pop eax
711F2B87 E8 08450000 call 711F7094
711F2B8C 8D45 EC lea eax,dword ptr ss:[ebp-14]
711F2B8F 50 push eax
711F2B90 33C9 xor ecx,ecx
711F2B92 8A0B mov cl,byte ptr ds:[ebx]
711F2B94 BA 03000000 mov edx,3
711F2B99 8B45 F4 mov eax,dword ptr ss:[ebp-C]
711F2B9C E8 8724F3FF call 71125028
711F2BA1 8B45 EC mov eax,dword ptr ss:[ebp-14]
//[EAX]=[[ebp-14]] holds the decrypted special-function ApiName
711F2BA4 E8 1F24F3FF call 71124FC8
//From here we can return to 71232AFA and repair ★9
★9. Patch Code:
711F2BA4 8B25 DE2A2371 mov esp,dword ptr ds:[71232ADE]
711F2BAA C3 retn
Binary code copied from OllyDbg:
8B 25 DE 2A 23 71 C3
_____________________________________________
7. Import Table restoration complete
712053F9 6A 00 push 0
//Set a hardware execution breakpoint here ★
//After the break, remove all earlier breakpoints and revert all earlier modifications
712053FB 8D45 B8 lea eax,dword ptr ss:[ebp-48]
712053FE B9 01000000 mov ecx,1
71205403 8B15 4C3A2071 mov edx,dword ptr ds:[71203A4C]
71205409 E8 BA0DF2FF call 711261C8
7120540E 83C4 04 add esp,4
71205411 33C0 xor eax,eax
71205413 E8 8C030000 call 712057A4
71205418 84C0 test al,al
7120541A 75 0B jnz short 71205427
//Check; must not jump
7120541C 33C0 xor eax,eax
7120541E E8 0141FFFF call 711F9524
71205423 84C0 test al,al
71205425 74 08 je short 7120542F
//Check; if it does not jump, the check fails
71205427 A1 18DE2171 mov eax,dword ptr ds:[7121DE18]
7120542C C600 01 mov byte ptr ds:[eax],1
At this point the Import Table is "perfectly" restored, and ImportREC is no longer needed to repair it.
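To check a dumped image after this restoration, here is an added example (not the tutorial's code) that walks the import directory the same way the packer loop above does (0x14-byte descriptors, [+C] Name RVA, [+10] FirstThunk, [+0] OriginalFirstThunk, 2-byte Hint before each name, ordinal flag 80000000) and reports DLLs whose name thunks are still zeroed; it assumes a memory dump with sections at their virtual addresses, and the dump it checks is constructed inside the block.

```python
"""Walk the import directory of a memory dump whose sections sit at their
virtual addresses (so RVA == offset) and flag IAT slots with no surviving
name entry, which is what a cleared, unrestored OriginalFirstThunk looks like.
Added example; the dump is constructed in build_sample_dump()."""
import struct

IMAGE_ORDINAL_FLAG32 = 0x80000000


def import_directory(img):
    """Import Table RVA and Size from the data directory ([PE+80] / [PE+84] in the listing)."""
    pe = struct.unpack_from("<I", img, 0x3C)[0]
    if img[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return struct.unpack_from("<II", img, pe + 0x80)


def cstr(img, rva):
    return img[rva:img.index(b"\0", rva)].decode("ascii", "replace")


def thunk_array(img, rva):
    """Read a zero-terminated array of 32-bit thunk values."""
    values = []
    while True:
        value = struct.unpack_from("<I", img, rva)[0]
        if value == 0:
            return values
        values.append(value)
        rva += 4


def walk_imports(img):
    """Return {dll: {"names": [...], "missing": n}}; 'missing' is the number of
    IAT slots that have no matching name thunk."""
    rva, size = import_directory(img)
    report = {}
    for pos in range(rva, rva + size - 0x13, 0x14):          # one IMAGE_IMPORT_DESCRIPTOR per 0x14
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", img, pos)
        if name_rva == 0 or ft == 0:                          # same exit test as 7120524F / 71205255
            break
        names = []
        if oft:                  # no OFT: FirstThunk already holds addresses in a runtime dump
            for value in thunk_array(img, oft):
                if value & IMAGE_ORDINAL_FLAG32:
                    names.append("ordinal#%d" % (value & 0xFFFF))
                else:
                    names.append(cstr(img, value + 2))        # skip the 2-byte Hint
        report[cstr(img, name_rva)] = {"names": names,
                                       "missing": len(thunk_array(img, ft)) - len(names)}
    return report


def build_sample_dump():
    """Constructed dump: KERNEL32.dll fully restored, SHELL32.dll with its OFT still zeroed."""
    img = bytearray(0x1500)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                      # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<II", img, 0xC0, 0x1000, 0x3C)             # Import Table RVA / Size (3 IIDs)
    struct.pack_into("<IIIII", img, 0x1000, 0x1100, 0, 0, 0x1200, 0x1300)
    struct.pack_into("<IIIII", img, 0x1014, 0x1120, 0, 0, 0x1210, 0x1320)
    struct.pack_into("<III", img, 0x1100, 0x1400, 0x1420, IMAGE_ORDINAL_FLAG32 | 13)
    # 0x1120 stays zero: this DLL's name thunks were cleared by the packer and never restored
    img[0x1200:0x120D] = b"KERNEL32.dll\0"
    img[0x1210:0x121C] = b"SHELL32.dll\0"
    struct.pack_into("<III", img, 0x1300, 0x7C801D7B, 0x7C80B731, 0x7C80AE40)  # constructed IAT
    struct.pack_into("<I", img, 0x1320, 0x7D59A8B9)
    img[0x1400:0x1412] = b"\x23\x01GetCommandLineA\0"            # Hint 0x0123 + name
    img[0x1420:0x142B] = b"\x45\x00lstrlenA\0"
    return bytes(img)
```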
_____________________________________________________________
IV. Relocation Table
7120542F 8B45 D8 mov eax,dword ptr ss:[ebp-28]
71205432 8B40 3C mov eax,dword ptr ds:[eax+3C]
71205435 0345 D8 add eax,dword ptr ss:[ebp-28]
71205438 8B55 DC mov edx,dword ptr ss:[ebp-24]
7120543B 2B50 34 sub edx,dword ptr ds:[eax+34]
//Gets the difference between the in-memory image base and the file's image base; for an exe they are equal, but take care when unpacking a DLL
7120543E 8955 B0 mov dword ptr ss:[ebp-50],edx
71205441 A1 E0E02171 mov eax,dword ptr ds:[7121E0E0]
71205446 8B00 mov eax,dword ptr ds:[eax]
71205448 8B55 E8 mov edx,dword ptr ss:[ebp-18]
7120544B 8B0490 mov eax,dword ptr ds:[eax+edx*4]
7120544E 8B55 B0 mov edx,dword ptr ss:[ebp-50]
71205451 8990 E0030000 mov dword ptr ds:[eax+3E0],edx
71205457 8B45 D8 mov eax,dword ptr ss:[ebp-28]
7120545A 8B40 3C mov eax,dword ptr ds:[eax+3C]
7120545D 0345 D8 add eax,dword ptr ss:[ebp-28]
71205460 8B90 A0000000 mov edx,dword ptr ds:[eax+A0]
//[eax+A0]=0000C000 Relocation Table RVA
71205466 8955 C8 mov dword ptr ss:[ebp-38],edx
71205469 8B90 A4000000 mov edx,dword ptr ds:[eax+A4]
//[eax+A4]=0000093C Relocation Table Size
7120546F 8955 CC mov dword ptr ss:[ebp-34],edx
71205472 8B75 DC mov esi,dword ptr ss:[ebp-24]
71205475 0375 C8 add esi,dword ptr ss:[ebp-38]
//ImageBase + Relocation Table RVA
71205478 8B5D CC mov ebx,dword ptr ss:[ebp-34]
7120547B 8B45 D8 mov eax,dword ptr ss:[ebp-28]
7120547E 8B40 3C mov eax,dword ptr ds:[eax+3C]
71205481 0345 D8 add eax,dword ptr ss:[ebp-28]
71205484 8B90 80000000 mov edx,dword ptr ds:[eax+80]
7120548A 8955 C8 mov dword ptr ss:[ebp-38],edx
7120548D 8B90 84000000 mov edx,dword ptr ds:[eax+84]
71205493 8955 CC mov dword ptr ss:[ebp-34],edx
71205496 85DB test ebx,ebx
71205498 0F8E 1A010000 jle 712055B8
If unpacking a DLL, save the Relocation Table now; the packer will later zero the relocation data.
_____________________________________________________________
V. Repairing CodeReplace
EncryptPE's CodeReplace moves certain pieces of program code into the packer to execute there, and this protection is driven by the relocation table.
If the PE had no relocation table before packing, the CodeReplace feature cannot be used.
1. The effect of CodeReplace
①.FF15
004010D3 FF15 E0634000 call dword ptr ds:[4063E0] ; kernel32.GetCommandLineA
//Original code
004010D3 E9 F001D900 jmp 011912C8
//CodeReplace
②.FF25
00404E72 FF25 14654000 jmp dword ptr ds:[406514] ; comdlg32.CommDlgExtendedError
//Original code
00404E72 E9 25F0D800 jmp 01193E9C
//CodeReplace
③.Mov
00402FBF 8B1D B0634000 mov ebx,dword ptr ds:[4063B0] ; kernel32.lstrlenA
//Original code
00402FBF E9 30E3E800 jmp 012912F4
//CodeReplace
_____________________________________________
2. Repairing CodeReplace
This is one of EncryptPE's highlights. Let's study how to repair it.
712055C8 E8 0FD2F1FF call 711227DC
//There is an exception inside
712055CD A1 18DE2171 mov eax,dword ptr ds:[7121DE18]
//Set a breakpoint here and Shift+F9; remove it after the break, otherwise the exception inside 712055C8 makes further debugging impossible
712055D2 8038 00 cmp byte ptr ds:[eax],0
//Compare the check flag
712055D5 74 05 je short 712055DC
712055D7 E8 907AF2FF call 7112D06C
712055DC A1 C8DF2171 mov eax,dword ptr ds:[7121DFC8]
712055E1 8038 00 cmp byte ptr ds:[eax],0
712055E4 74 17 je short 712055FD
712055FD E8 01000000 call 71205603
71205603 58 pop eax
71205604 83C0 0C add eax,0C
71205607 60 pushad
71205608 E8 F7EAFEFF call 711F4104
7120561B E8 CCD7FFFF call 71202DEC
//Set a breakpoint here, Shift+F9; remove it after the break
//Handles CodeReplace; step in
The numbering of the patches below continues from above; the patches in part five are numbered from 10.
71202DEC 53 push ebx
71202DED 56 push esi
71202DEE 57 push edi
71202DEF 55 push ebp
71202DF0 83C4 F4 add esp,-0C
71202DF3 8BF0 mov esi,eax
71202DF5 8B86 08030000 mov eax,dword ptr ds:[esi+308]
71202DFB 8B90 80000000 mov edx,dword ptr ds:[eax+80]
71202E01 8D86 A0030000 lea eax,dword ptr ds:[esi+3A0]
71202E07 8B8E 84030000 mov ecx,dword ptr ds:[esi+384]
71202E0D E8 0A20F2FF call 71124E1C
71202E12 C686 DC030000 00 mov byte ptr ds:[esi+3DC],0
71202E19 C686 DD030000 00 mov byte ptr ds:[esi+3DD],0
71202E20 C686 DE030000 00 mov byte ptr ds:[esi+3DE],0
71202E27 8B86 C4030000 mov eax,dword ptr ds:[esi+3C4]
71202E2D 85C0 test eax,eax
71202E2F 79 03 jns short 71202E34
71202E31 83C0 03 add eax,3
71202E34 C1F8 02 sar eax,2
71202E37 48 dec eax
71202E38 85C0 test eax,eax
71202E3A 0F8C 88010000 jl 71202FC8
71202E40 40 inc eax
71202E41 894424 08 mov dword ptr ss:[esp+8],eax
71202E45 C70424 00000000 mov dword ptr ss:[esp],0
71202E4C 8B1C24 mov ebx,dword ptr ss:[esp]
71202E4F C1E3 02 shl ebx,2
71202E52 039E A8030000 add ebx,dword ptr ds:[esi+3A8]
71202E58 8B2B mov ebp,dword ptr ds:[ebx]
71202E5A 03AE E0030000 add ebp,dword ptr ds:[esi+3E0]
71202E60 8BC5 mov eax,ebp
71202E62 40 inc eax
71202E63 894424 04 mov dword ptr ss:[esp+4],eax
71202E67 A1 18F72171 mov eax,dword ptr ds:[7121F718]
71202E6C 8B40 3C mov eax,dword ptr ds:[eax+3C]
71202E6F 0305 18F72171 add eax,dword ptr ds:[7121F718]
71202E75 8A40 28 mov al,byte ptr ds:[eax+28]
71202E78 34 60 xor al,60
71202E7A 34 A9 xor al,0A9
71202E7C 8845 00 mov byte ptr ss:[ebp],al
71202E7F 8B9E E8030000 mov ebx,dword ptr ds:[esi+3E8]
71202E85 83FB 20 cmp ebx,20
71202E88 7D 60 jge short 71202EEA
71202E8A 6A 40 push 40
71202E8C 68 00300000 push 3000
71202E91 68 00000100 push 10000
71202E96 6A 00 push 0
71202E98 E8 C349F2FF call 71127860 ; jmp to kernel32.VirtualAlloc
71202E9D 8BF8 mov edi,eax
71202E9F 85FF test edi,edi
71202EA1 74 65 je short 71202F08
71202EA3 8B86 78030000 mov eax,dword ptr ds:[esi+378]
71202EA9 E8 5E31F2FF call 7112600C
71202EAE 40 inc eax
71202EAF 50 push eax
71202EB0 8D86 78030000 lea eax,dword ptr ds:[esi+378]
71202EB6 B9 01000000 mov ecx,1
71202EBB 8B15 00BD1F71 mov edx,dword ptr ds:[711FBD00]
71202EC1 E8 0233F2FF call 711261C8
71202EC6 83C4 04 add esp,4
71202EC9 8B86 78030000 mov eax,dword ptr ds:[esi+378]
71202ECF E8 3831F2FF call 7112600C
71202ED4 8B96 78030000 mov edx,dword ptr ds:[esi+378]
71202EDA 897C82 FC mov dword ptr ds:[edx+eax*4-4],edi
71202EDE C786 E8030000 00000>mov dword ptr ds:[esi+3E8],10000
71202EE8 EB 1E jmp short 71202F08
71202EEA 8B86 78030000 mov eax,dword ptr ds:[esi+378]
71202EF0 E8 1731F2FF call 7112600C
71202EF5 8B96 78030000 mov edx,dword ptr ds:[esi+378]
71202EFB 8B7C82 FC mov edi,dword ptr ds:[edx+eax*4-4]
71202EFF B8 00000100 mov eax,10000
71202F04 2BC3 sub eax,ebx
71202F06 03F8 add edi,eax
71202F08 85FF test edi,edi
71202F0A 0F84 AB000000 je 71202FBB
71202F10 8B86 E8030000 mov eax,dword ptr ds:[esi+3E8]
71202F16 83E8 1D sub eax,1D
71202F19 83E8 03 sub eax,3
71202F1C 8986 E8030000 mov dword ptr ds:[esi+3E8],eax
71202F22 A1 18F72171 mov eax,dword ptr ds:[7121F718]
71202F27 8B40 3C mov eax,dword ptr ds:[eax+3C]
71202F2A 0305 18F72171 add eax,dword ptr ds:[7121F718]
71202F30 8A40 28 mov al,byte ptr ds:[eax+28]
71202F33 34 60 xor al,60
71202F35 34 A8 xor al,0A8
71202F37 8807 mov byte ptr ds:[edi],al
//Notepad never takes this path; other programs may
71202F39 8BDF mov ebx,edi
71202F3B 43 inc ebx
71202F3C B8 34491F71 mov eax,711F4934
71202F41 2BC3 sub eax,ebx
71202F43 83E8 04 sub eax,4
71202F46 8903 mov dword ptr ds:[ebx],eax
71202F48 C647 05 00 mov byte ptr ds:[edi+5],0
71202F4C 8BDF mov ebx,edi
71202F4E 83C3 06 add ebx,6
71202F51 83C5 06 add ebp,6
71202F54 892B mov dword ptr ds:[ebx],ebp
71202F56 8BDF mov ebx,edi
71202F58 83C3 0A add ebx,0A
71202F5B 8B0424 mov eax,dword ptr ss:[esp]
71202F5E 8903 mov dword ptr ds:[ebx],eax
71202F60 8BDF mov ebx,edi
71202F62 83C3 0E add ebx,0E
71202F65 8B86 AC030000 mov eax,dword ptr ds:[esi+3AC]
71202F6B 8903 mov dword ptr ds:[ebx],eax
71202F6D 8BDF mov ebx,edi
71202F6F 83C3 12 add ebx,12
71202F72 8D86 A0030000 lea eax,dword ptr ds:[esi+3A0]
71202F78 E8 A320F2FF call 71125020
71202F7D 8903 mov dword ptr ds:[ebx],eax
71202F7F 8BDF mov ebx,edi
71202F81 83C3 16 add ebx,16
71202F84 8D86 DD030000 lea eax,dword ptr ds:[esi+3DD]
71202F8A 8903 mov dword ptr ds:[ebx],eax
71202F8C 8BDF mov ebx,edi
71202F8E 83C3 1A add ebx,1A
71202F91 8D86 DC030000 lea eax,dword ptr ds:[esi+3DC]
71202F97 8903 mov dword ptr ds:[ebx],eax
71202F99 8D96 E5030000 lea edx,dword ptr ds:[esi+3E5]
71202F9F 8BC7 mov eax,edi
71202FA1 83C0 1E add eax,1E
71202FA4 B9 01000000 mov ecx,1
71202FA9 E8 F652F2FF call 711282A4
71202FAE 2B7C24 04 sub edi,dword ptr ss:[esp+4]
71202FB2 83EF 04 sub edi,4
71202FB5 8B4424 04 mov eax,dword ptr ss:[esp+4]
71202FB9 8938 mov dword ptr ds:[eax],edi
71202FBB FF0424 inc dword ptr ss:[esp]
71202FBE FF4C24 08 dec dword ptr ss:[esp+8]
71202FC2 0F85 84FEFFFF jnz 71202E4C
71202FC8 8B86 CC030000 mov eax,dword ptr ds:[esi+3CC]
71202FCE 85C0 test eax,eax
71202FD0 79 03 jns short 71202FD5
71202FD2 83C0 03 add eax,3
71202FD5 C1F8 02 sar eax,2
71202FD8 48 dec eax
71202FD9 85C0 test eax,eax
71202FDB 0F8C AD010000 jl 7120318E
71202FE1 40 inc eax
71202FE2 894424 08 mov dword ptr ss:[esp+8],eax
71202FE6 C70424 00000000 mov dword ptr ss:[esp],0
71202FED 8B1C24 mov ebx,dword ptr ss:[esp]
71202FF0 C1E3 02 shl ebx,2
71202FF3 039E B0030000 add ebx,dword ptr ds:[esi+3B0]
71202FF9 8B2B mov ebp,dword ptr ds:[ebx]
71202FFB 03AE E0030000 add ebp,dword ptr ds:[esi+3E0]
71203001 8BC5 mov eax,ebp
71203003 83C0 02 add eax,2
71203006 894424 04 mov dword ptr ss:[esp+4],eax
7120300A A1 18F72171 mov eax,dword ptr ds:[7121F718]
7120300F 8B40 3C mov eax,dword ptr ds:[eax+3C]
71203012 0305 18F72171 add eax,dword ptr ds:[7121F718]
71203018 8A40 28 mov al,byte ptr ds:[eax+28]
7120301B 34 60 xor al,60
7120301D 34 A9 xor al,0A9
7120301F 8845 00 mov byte ptr ss:[ebp],al
71203022 8B9E E8030000 mov ebx,dword ptr ds:[esi+3E8]
71203028 83FB 2C cmp ebx,2C
7120302B 7D 60 jge short 7120308D
7120302D 6A 40 push 40
7120302F 68 00300000 push 3000
71203034 68 00000100 push 10000
71203039 6A 00 push 0
7120303B E8 2048F2FF call 71127860 ; jmp to kernel32.VirtualAlloc
71203040 8BF8 mov edi,eax
71203042 85FF test edi,edi
71203044 74 65 je short 712030AB
71203046 8B86 78030000 mov eax,dword ptr ds:[esi+378]
7120304C E8 BB2FF2FF call 7112600C
71203051 40 inc eax
71203052 50 push eax
71203053 8D86 78030000 lea eax,dword ptr ds:[esi+378]
71203059 B9 01000000 mov ecx,1
7120305E 8B15 00BD1F71 mov edx,dword ptr ds:[711FBD00]
71203064 E8 5F31F2FF call 711261C8
71203069 83C4 04 add esp,4
7120306C 8B86 78030000 mov eax,dword ptr ds:[esi+378]
71203072 E8 952FF2FF call 7112600C
71203077 8B96 78030000 mov edx,dword ptr ds:[esi+378]
7120307D 897C82 FC mov dword ptr ds:[edx+eax*4-4],edi
71203081 C786 E8030000 00000>mov dword ptr ds:[esi+3E8],10000
7120308B EB 1E jmp short 712030AB
7120308D 8B86 78030000 mov eax,dword ptr ds:[esi+378]
71203093 E8 742FF2FF call 7112600C
71203098 8B96 78030000 mov edx,dword ptr ds:[esi+378]
7120309E 8B7C82 FC mov edi,dword ptr ds:[edx+eax*4-4]
712030A2 B8 00000100 mov eax,10000
712030A7 2BC3 sub eax,ebx
712030A9 03F8 add edi,eax
712030AB 85FF test edi,edi
712030AD 0F84 CE000000 je 71203181
712030B3 8B86 E8030000 mov eax,dword ptr ds:[esi+3E8]
712030B9 83E8 1D sub eax,1D
712030BC 83E8 03 sub eax,3
712030BF 83E8 0C sub eax,0C
712030C2 8986 E8030000 mov dword ptr ds:[esi+3E8],eax
712030C8 A1 18F72171 mov eax,dword ptr ds:[7121F718]
712030CD 8B40 3C mov eax,dword ptr ds:[eax+3C]
712030D0 0305 18F72171 add eax,dword ptr ds:[7121F718]
712030D6 8A40 28 mov al,byte ptr ds:[eax+28]
712030D9 34 60 xor al,60
712030DB 34 A8 xor al,0A8
712030DD 8807 mov byte ptr ds:[edi],al
//write the jump instruction
712030DF 8BDF mov ebx,edi
712030E1 43 inc ebx
712030E2 B8 A84B1F71 mov eax,711F4BA8
712030E7 2BC3 sub eax,ebx
712030E9 83E8 04 sub eax,4
712030EC 8903 mov dword ptr ds:[ebx],eax
712030EE C647 05 00 mov byte ptr ds:[edi+5],0
712030F2 8BDF mov ebx,edi
712030F4 83C3 06 add ebx,6
712030F7 892B mov dword ptr ds:[ebx],ebp ; EncryptP.00402FA4
//record the address being processed
//ebp=00401FF5 (EncryptP.00401FF5)
//[011905EA]=00000000
712030F9 8BDF mov ebx,edi
712030FB 83C3 0A add ebx,0A
712030FE 8B0424 mov eax,dword ptr ss:[esp]
71203101 8903 mov dword ptr ds:[ebx],eax
71203103 8BDF mov ebx,edi
71203105 83C3 0E add ebx,0E
71203108 8B86 B4030000 mov eax,dword ptr ds:[esi+3B4]
7120310E 8903 mov dword ptr ds:[ebx],eax
71203110 8BDF mov ebx,edi
71203112 83C3 12 add ebx,12
71203115 8D86 A0030000 lea eax,dword ptr ds:[esi+3A0]
7120311B E8 001FF2FF call 71125020
71203120 8903 mov dword ptr ds:[ebx],eax
71203122 8BDF mov ebx,edi
71203124 83C3 16 add ebx,16
71203127 8D86 DE030000 lea eax,dword ptr ds:[esi+3DE]
7120312D 8903 mov dword ptr ds:[ebx],eax
7120312F 8BDF mov ebx,edi
71203131 83C3 1A add ebx,1A
71203134 BA 0C000000 mov edx,0C
71203139 8BC3 mov eax,ebx
7120313B E8 7851F2FF call 711282B8
71203140 8BDF mov ebx,edi
71203142 83C3 1C add ebx,1C
71203145 8B4424 04 mov eax,dword ptr ss:[esp+4]
71203149 8B00 mov eax,dword ptr ds:[eax] ; EncryptP.004064B8
7120314B 8903 mov dword ptr ds:[ebx],eax
//record the original operand address (the relocated address)
//eax=004064AC (EncryptP.004064AC)
//[01190600]=00000000
7120314D 8BDF mov ebx,edi
7120314F 83C3 26 add ebx,26
71203152 8D86 DC030000 lea eax,dword ptr ds:[esi+3DC]
71203158 8903 mov dword ptr ds:[ebx],eax
7120315A 8D96 E5030000 lea edx,dword ptr ds:[esi+3E5]
71203160 8BC7 mov eax,edi
71203162 83C0 2A add eax,2A
71203165 B9 01000000 mov ecx,1
7120316A E8 3551F2FF call 711282A4
7120316F 45 inc ebp
71203170 896C24 04 mov dword ptr ss:[esp+4],ebp
71203174 2B7C24 04 sub edi,dword ptr ss:[esp+4]
71203178 83EF 04 sub edi,4
7120317B 8B4424 04 mov eax,dword ptr ss:[esp+4]
7120317F 8938 mov dword ptr ds:[eax],edi
//write the (encrypted) jump displacement back into the original code
71203181 FF0424 inc dword ptr ss:[esp]
//patch this instruction to: jmp 71232B20 ★10
71203184 FF4C24 08 dec dword ptr ss:[esp+8]
71203188 0F85 5FFEFFFF jnz 71202FED
//loop over every CodeReplace entry
7120318E 83C4 0C add esp,0C
//once the repair code is in place, set a breakpoint here
71203191 5D pop ebp
71203192 5F pop edi
71203193 5E pop esi
71203194 5B pop ebx
71203195 C3 retn
★10. Patch Code:
71232B20 60 pushad
71232B21 9C pushfd
71232B22 8925 1C2B2371 mov dword ptr ds:[71232B1C],esp
71232B28 832D 1C2B2371 04 sub dword ptr ds:[71232B1C],4
71232B2F 48 dec eax
71232B30 FFD0 call eax
//simulate the program calling CodeReplace; the shell code itself must also be entered and patched
71232B32 8B30 mov esi,dword ptr ds:[eax]
//[eax] = the location that calls CodeReplace
71232B34 83C0 16 add eax,16
71232B37 8B38 mov edi,dword ptr ds:[eax]
//[eax+16] = the original operand address (the relocated address)
71232B39 66:8916 mov word ptr ds:[esi],dx
//restore the instruction CodeReplace removed: FF15/FF25/MOV
71232B3C 897E 02 mov dword ptr ds:[esi+2],edi
//CodeReplace repair complete
71232B3F 9D popfd
71232B40 61 popad
71232B41 FF0424 inc dword ptr ss:[esp]
//the code from 71203181, moved here to execute
71232B44 FF4C24 08 dec dword ptr ss:[esp+8]
//the code from 71203184, moved here to execute
71232B48 E9 3B06FDFF jmp 71203188
Binary copied from OllyDbg:
60 9C 89 25 1C 2B 23 71 83 2D 1C 2B 23 71 04 48 FF D0 8B 30 83 C0 16 8B 38 66 89 16 89 7E 02 9D
61 FF 04 24 FF 4C 24 08 E9 3B 06 FD FF
________________________
Step into the call eax at 71232B30, which simulates the program calling CodeReplace:
00401FF5 E9 EAE5D800 jmp 011905E4
011905E4 E8 BF450670 call 711F4BA8
711F4BA8 9C pushfd
711F4BA9 60 pushad
711F4BAA E8 05000000 call 711F4BB4
711F4BB4 55 push ebp
711F4BB5 8BEC mov ebp,esp
711F4BB7 83C4 D8 add esp,-28
711F4BBA 53 push ebx
711F4BBB 56 push esi
711F4BBC 33C0 xor eax,eax
711F4BBE 8945 D8 mov dword ptr ss:[ebp-28],eax
711F4BC1 8945 DC mov dword ptr ss:[ebp-24],eax
711F4BC4 8945 E0 mov dword ptr ss:[ebp-20],eax
711F4BC7 8945 E8 mov dword ptr ss:[ebp-18],eax
711F4BCA 33C0 xor eax,eax
711F4BCC 55 push ebp
711F4BCD 68 3C4F1F71 push 711F4F3C
711F4BD2 64:FF30 push dword ptr fs:[eax]
711F4BD5 64:8920 mov dword ptr fs:[eax],esp
711F4BD8 50 push eax
711F4BD9 8B4424 6C mov eax,dword ptr ss:[esp+6C]
711F4BDD 8945 FC mov dword ptr ss:[ebp-4],eax
711F4BE0 58 pop eax
711F4BE1 8B45 FC mov eax,dword ptr ss:[ebp-4]
711F4BE4 83C0 15 add eax,15
711F4BE7 8945 F8 mov dword ptr ss:[ebp-8],eax
711F4BEA 50 push eax
711F4BEB 8B45 F8 mov eax,dword ptr ss:[ebp-8]
711F4BEE 894424 6C mov dword ptr ss:[esp+6C],eax
711F4BF2 58 pop eax
711F4BF3 8B45 FC mov eax,dword ptr ss:[ebp-4]
711F4BF6 8038 00 cmp byte ptr ds:[eax],0
//check whether this entry was already processed; if so, jump straight out
711F4BF9 0F85 1A030000 jnz 711F4F19
711F4BFF 8B55 FC mov edx,dword ptr ss:[ebp-4]
711F4C02 8BC2 mov eax,edx
711F4C04 83C0 05 add eax,5
711F4C07 8B00 mov eax,dword ptr ds:[eax]
711F4C09 8945 F4 mov dword ptr ss:[ebp-C],eax
711F4C0C 8BC2 mov eax,edx
711F4C0E 83C0 09 add eax,9
711F4C11 8B00 mov eax,dword ptr ds:[eax]
711F4C13 8945 F0 mov dword ptr ss:[ebp-10],eax
711F4C16 8BC2 mov eax,edx
711F4C18 83C0 0D add eax,0D
711F4C1B 8B00 mov eax,dword ptr ds:[eax]
711F4C1D 8945 EC mov dword ptr ss:[ebp-14],eax
711F4C20 8BC2 mov eax,edx
711F4C22 83C0 21 add eax,21
711F4C25 8B18 mov ebx,dword ptr ds:[eax]
711F4C27 8D45 E7 lea eax,dword ptr ss:[ebp-19]
711F4C2A 83C2 25 add edx,25
711F4C2D B9 01000000 mov ecx,1
711F4C32 E8 6D36F3FF call 711282A4
711F4C37 8B45 FC mov eax,dword ptr ss:[ebp-4]
711F4C3A 83C0 10 add eax,10
711F4C3D 33D2 xor edx,edx
711F4C3F 8A13 mov dl,byte ptr ds:[ebx]
//[ebx]=[00D93134]=00, change it to 01 ★11
//the shell sets [ebx] to 1 only once it has finished CodeReplace; since we are doing this by hand now, change it manually
//watch this value! If it is not 01 here, the repair flow below cannot continue! ★★
711F4C41 03C2 add eax,edx
711F4C43 8B18 mov ebx,dword ptr ds:[eax]
711F4C45 68 6C182271 push 7122186C
711F4C4A E8 A927F3FF call 711273F8
711F4C4F 803B 00 cmp byte ptr ds:[ebx],0
711F4C52 0F85 C0000000 jnz 711F4D18
711F4C58 8D45 E8 lea eax,dword ptr ss:[ebp-18]
711F4C5B BA 09000000 mov edx,9
711F4C60 E8 EF04F3FF call 71125154
711F4C65 8D45 E8 lea eax,dword ptr ss:[ebp-18]
711F4C68 E8 B303F3FF call 71125020
711F4C6D C600 24 mov byte ptr ds:[eax],24
711F4C70 8D45 E8 lea eax,dword ptr ss:[ebp-18]
711F4C73 E8 A803F3FF call 71125020
711F4C78 40 inc eax
711F4C79 8B55 F0 mov edx,dword ptr ss:[ebp-10]
711F4C7C 83EA 08 sub edx,8
711F4C7F B9 08000000 mov ecx,8
711F4C84 E8 1B36F3FF call 711282A4
711F4C89 803D B6182371 00 cmp byte ptr ds:[712318B6],0
711F4C90 74 4C je short 711F4CDE
711F4C92 807D E7 00 cmp byte ptr ss:[ebp-19],0
711F4C96 74 1C je short 711F4CB4
711F4C98 E8 3B28F3FF call 711274D8
711F4C9D 50 push eax
711F4C9E 68 C91B0000 push 1BC9
711F4CA3 A1 B8182371 mov eax,dword ptr ds:[712318B8]
711F4CA8 50 push eax
711F4CA9 A1 BC182371 mov eax,dword ptr ds:[712318BC]
711F4CAE 50 push eax
711F4CAF E8 5434F3FF call 71128108
711F4CB4 6A 01 push 1
711F4CB6 6A 00 push 0
711F4CB8 6A 00 push 0
711F4CBA 6A 00 push 0
711F4CBC 8B45 E8 mov eax,dword ptr ss:[ebp-18]
711F4CBF E8 F04CF3FF call 711299B4
711F4CC4 50 push eax
711F4CC5 8D45 E0 lea eax,dword ptr ss:[ebp-20]
711F4CC8 8B55 EC mov edx,dword ptr ss:[ebp-14]
711F4CCB E8 3800F3FF call 71124D08
711F4CD0 8B4D E0 mov ecx,dword ptr ss:[ebp-20]
711F4CD3 8B45 F0 mov eax,dword ptr ss:[ebp-10]
711F4CD6 5A pop edx
711F4CD7 E8 D8250000 call 711F72B4
711F4CDC EB 37 jmp short 711F4D15
711F4CDE 807D E7 00 cmp byte ptr ss:[ebp-19],0
711F4CE2 74 09 je short 711F4CED
711F4CE4 B2 01 mov dl,1
711F4CE6 33C0 xor eax,eax
711F4CE8 E8 8FD8FFFF call 711F257C
711F4CED 6A 01 push 1
711F4CEF 6A 00 push 0
711F4CF1 6A 00 push 0
711F4CF3 6A 00 push 0
711F4CF5 8B45 E8 mov eax,dword ptr ss:[ebp-18]
711F4CF8 E8 B74CF3FF call 711299B4
711F4CFD 50 push eax
711F4CFE 8D45 DC lea eax,dword ptr ss:[ebp-24]
711F4D01 8B55 EC mov edx,dword ptr ss:[ebp-14]
711F4D04 E8 FFFFF2FF call 71124D08
711F4D09 8B4D DC mov ecx,dword ptr ss:[ebp-24]
711F4D0C 8B45 F0 mov eax,dword ptr ss:[ebp-10]
711F4D0F 5A pop edx
711F4D10 E8 7F230000 call 711F7094
711F4D15 C603 01 mov byte ptr ds:[ebx],1
711F4D18 8D45 E8 lea eax,dword ptr ss:[ebp-18]
711F4D1B BA 09000000 mov edx,9
711F4D20 E8 2F04F3FF call 71125154
711F4D25 8D45 E8 lea eax,dword ptr ss:[ebp-18]
711F4D28 E8 F302F3FF call 71125020
711F4D2D BA 09000000 mov edx,9
711F4D32 E8 8135F3FF call 711282B8
711F4D37 837D F4 00 cmp dword ptr ss:[ebp-C],0
711F4D3B 7E 1E jle short 711F4D5B
711F4D3D 8D45 E8 lea eax,dword ptr ss:[ebp-18]
711F4D40 E8 DB02F3FF call 71125020
711F4D45 8B55 F4 mov edx,dword ptr ss:[ebp-C]
711F4D48 C1E2 02 shl edx,2
711F4D4B 0355 F0 add edx,dword ptr ss:[ebp-10]
711F4D4E 83EA 02 sub edx,2
711F4D51 B9 04000000 mov ecx,4
711F4D56 E8 4935F3FF call 711282A4
711F4D5B 8D45 E8 lea eax,dword ptr ss:[ebp-18]
711F4D5E E8 BD02F3FF call 71125020
711F4D63 83C0 05 add eax,5
711F4D66 8B55 F4 mov edx,dword ptr ss:[ebp-C]
711F4D69 C1E2 02 shl edx,2
711F4D6C 0355 F0 add edx,dword ptr ss:[ebp-10]
711F4D6F 83C2 02 add edx,2
711F4D72 B9 04000000 mov ecx,4
711F4D77 E8 2835F3FF call 711282A4
711F4D7C 807D E7 00 cmp byte ptr ss:[ebp-19],0
711F4D80 74 09 je short 711F4D8B
711F4D82 B2 01 mov dl,1
711F4D84 33C0 xor eax,eax
711F4D86 E8 F1D7FFFF call 711F257C
711F4D8B 6A 01 push 1
711F4D8D 6A 00 push 0
711F4D8F 6A 00 push 0
711F4D91 6A 00 push 0
711F4D93 8D45 E8 lea eax,dword ptr ss:[ebp-18]
711F4D96 E8 8502F3FF call 71125020
711F4D9B 83C0 05 add eax,5
711F4D9E 50 push eax
711F4D9F 8B45 E8 mov eax,dword ptr ss:[ebp-18]
711F4DA2 E8 2102F3FF call 71124FC8
711F4DA7 8BD0 mov edx,eax
711F4DA9 8D45 D8 lea eax,dword ptr ss:[ebp-28]
711F4DAC E8 57FFF2FF call 71124D08
711F4DB1 8B4D D8 mov ecx,dword ptr ss:[ebp-28]
711F4DB4 BA 04000000 mov edx,4
711F4DB9 58 pop eax
711F4DBA E8 D5220000 call 711F7094
711F4DBF 8D45 E8 lea eax,dword ptr ss:[ebp-18]
711F4DC2 E8 5902F3FF call 71125020
711F4DC7 8D50 07 lea edx,dword ptr ds:[eax+7]
711F4DCA B9 02000000 mov ecx,2
711F4DCF 8B45 F8 mov eax,dword ptr ss:[ebp-8]
711F4DD2 E8 CD34F3FF call 711282A4
711F4DD7 8B45 F8 mov eax,dword ptr ss:[ebp-8]
711F4DDA 66:8130 FFFF xor word ptr ds:[eax],0FFFF
711F4DDF 8B45 FC mov eax,dword ptr ss:[ebp-4]
711F4DE2 40 inc eax
711F4DE3 8B15 18F72171 mov edx,dword ptr ds:[7121F718]
711F4DE9 8B72 3C mov esi,dword ptr ds:[edx+3C]
711F4DEC 0335 18F72171 add esi,dword ptr ds:[7121F718]
711F4DF2 66:8B56 28 mov dx,word ptr ds:[esi+28]
711F4DF6 66:81F2 6042 xor dx,4260
711F4DFB 8BDA mov ebx,edx
711F4DFD 8B4D F8 mov ecx,dword ptr ss:[ebp-8]
711F4E00 66:8B09 mov cx,word ptr ds:[ecx]
711F4E03 66:33D9 xor bx,cx
711F4E06 66:81EB 409D sub bx,9D40
//branch handling follows
711F4E0B 74 07 je short 711F4E14
//9D40 branch == FF25
711F4E0D 66:FFCB dec bx
711F4E10 74 12 je short 711F4E24
//9D41 branch == FF15
711F4E12 EB 75 jmp short 711F4E89
711F4E14 66:81F2 BFB8 xor dx,0B8BF
711F4E19 8B45 F8 mov eax,dword ptr ss:[ebp-8]
//patch this instruction to: jmp 711F4EDA ★12, so this branch uses the exit at 711F4EDA
711F4E1C 66:8910 mov word ptr ds:[eax],dx
//DX=25FF
711F4E1F E9 E5000000 jmp 711F4F09
711F4E24 66:81F2 BF88 xor dx,88BF
711F4E29 8B4D F8 mov ecx,dword ptr ss:[ebp-8]
711F4E2C 66:8911 mov word ptr ds:[ecx],dx
//DX=15FF
711F4E2F 8B15 18F72171 mov edx,dword ptr ds:[7121F718]
//patch this instruction to: jmp 711F4EDA ★13, so this branch uses the exit at 711F4EDA
711F4E35 8B52 3C mov edx,dword ptr ds:[edx+3C]
711F4E38 0315 18F72171 add edx,dword ptr ds:[7121F718]
711F4E3E 66:8B52 28 mov dx,word ptr ds:[edx+28]
711F4E42 66:81F2 6042 xor dx,4260
711F4E47 66:81F2 BFB8 xor dx,0B8BF
711F4E4C 8B4D F8 mov ecx,dword ptr ss:[ebp-8]
711F4E4F 66:8951 06 mov word ptr ds:[ecx+6],dx
711F4E53 8B55 F8 mov edx,dword ptr ss:[ebp-8]
711F4E56 8B4A 02 mov ecx,dword ptr ds:[edx+2]
711F4E59 894A 08 mov dword ptr ds:[edx+8],ecx
711F4E5C 8B0D 18F72171 mov ecx,dword ptr ds:[7121F718]
711F4E62 8B49 3C mov ecx,dword ptr ds:[ecx+3C]
711F4E65 030D 18F72171 add ecx,dword ptr ds:[7121F718]
711F4E6B 66:8B49 28 mov cx,word ptr ds:[ecx+28]
711F4E6F 66:81F1 6042 xor cx,4260
711F4E74 66:81F1 D0F5 xor cx,0F5D0
711F4E79 66:890A mov word ptr ds:[edx],cx
711F4E7C 8B00 mov eax,dword ptr ds:[eax]
711F4E7E 83C0 06 add eax,6
711F4E81 8942 02 mov dword ptr ds:[edx+2],eax
711F4E84 E9 80000000 jmp 711F4F09
711F4E89 F6C1 FF test cl,0FF
711F4E8C 75 27 jnz short 711F4EB5
711F4E8E 8A56 28 mov dl,byte ptr ds:[esi+28]
711F4E91 80F2 60 xor dl,60
711F4E94 81E2 FF000000 and edx,0FF
711F4E9A 8B4D F8 mov ecx,dword ptr ss:[ebp-8]
711F4E9D 66:8B09 mov cx,word ptr ds:[ecx]
711F4EA0 66:81E1 00FF and cx,0FF00
711F4EA5 66:03D1 add dx,cx
711F4EA8 66:81F2 C900 xor dx,0C9
711F4EAD 8B4D F8 mov ecx,dword ptr ss:[ebp-8]
711F4EB0 66:8911 mov word ptr ds:[ecx],dx
//89-type MOV instruction handling
711F4EB3 EB 25 jmp short 711F4EDA
//already falls into the exit at 711F4EDA, no change needed
711F4EB5 8A56 28 mov dl,byte ptr ds:[esi+28]
711F4EB8 80F2 60 xor dl,60
711F4EBB 81E2 FF000000 and edx,0FF
711F4EC1 8B4D F8 mov ecx,dword ptr ss:[ebp-8]
711F4EC4 66:8B09 mov cx,word ptr ds:[ecx]
711F4EC7 66:81E1 00FF and cx,0FF00
711F4ECC 66:03D1 add dx,cx
711F4ECF 66:81F2 CB00 xor dx,0CB
711F4ED4 8B4D F8 mov ecx,dword ptr ss:[ebp-8]
711F4ED7 66:8911 mov word ptr ds:[ecx],dx
//8B-type MOV instruction handling
711F4EDA 8B0D 18F72171 mov ecx,dword ptr ds:[7121F718]
//exit code modification ★14
//711F4EDA mov esp,dword ptr ds:[71232B1C] ★
//711F4EE0 retn ★
711F4EE0 8B49 3C mov ecx,dword ptr ds:[ecx+3C]
711F4EE3 030D 18F72171 add ecx,dword ptr ds:[7121F718]
711F4EE9 66:8B49 28 mov cx,word ptr ds:[ecx+28]
711F4EED 66:81F1 6042 xor cx,4260
711F4EF2 66:81F1 D074 xor cx,74D0
711F4EF7 8B55 F8 mov edx,dword ptr ss:[ebp-8]
711F4EFA 66:894A 06 mov word ptr ds:[edx+6],cx
711F4EFE 8B00 mov eax,dword ptr ds:[eax]
711F4F00 2B45 F8 sub eax,dword ptr ss:[ebp-8]
711F4F03 83E8 06 sub eax,6
711F4F06 8942 08 mov dword ptr ds:[edx+8],eax
711F4F09 8B45 FC mov eax,dword ptr ss:[ebp-4]
711F4F0C C600 01 mov byte ptr ds:[eax],1
711F4F0F 68 6C182271 push 7122186C
711F4F14 E8 B727F3FF call 711276D0
711F4F19 33C0 xor eax,eax
711F4F1B 5A pop edx
711F4F1C 59 pop ecx
711F4F1D 59 pop ecx
711F4F1E 64:8910 mov dword ptr fs:[eax],edx
711F4F21 68 434F1F71 push 711F4F43
711F4F26 8D45 D8 lea eax,dword ptr ss:[ebp-28]
711F4F29 BA 03000000 mov edx,3
711F4F2E E8 09FCF2FF call 71124B3C
711F4F33 8D45 E8 lea eax,dword ptr ss:[ebp-18]
711F4F36 E8 DDFBF2FF call 71124B18
711F4F3B C3 retn
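The three pieces the listings above describe, the stub the loop at 71202FED lays out, the opcode decoding the handler performs between 711F4DE3 and 711F4EDA, and the 6-byte write-back done by the ★10 patch, modeled as an added Python example (the editor's illustration, not code from the tutorial or from EncryptPE). It assumes a sparse memory model (`Mem`), uses the page's own addresses 00401FF5 / 011905E4 / 711F4BA8, takes 004064B8 as a constructed operand, and derives the key word 0xDF20 from the page's DX=25FF and DX=15FF annotations (the page never prints that value). The `encoded` argument stands in for the decrypted table word the handler lands in stub+1A at 711F4DD7; how that word is produced from the shell's tables is not modeled.

```python
import struct

# Values taken from the listing above.
HANDLER = 0x711F4BA8     # CodeReplace handler that every stub calls
# The handler derives every opcode from the word at (shell PE header + 0x28)
# XOR fixed masks; the annotations DX=25FF / DX=15FF pin that word to 0xDF20
# (derived for this example, not printed on the page).
EP_WORD = 0xDF20


class Mem:
    """Sparse byte memory keyed by virtual address: a constructed stand-in
    for the debuggee's address space (unwritten bytes read as 0)."""
    def __init__(self):
        self.cells = {}

    def write(self, va, data):
        for i, b in enumerate(data):
            self.cells[va + i] = b

    def read(self, va, n):
        return bytes(self.cells.get(va + i, 0) for i in range(n))

    def u32(self, va):
        return struct.unpack('<I', self.read(va, 4))[0]


def decode_opcode(encoded):
    """Branch at 711F4DE3..711F4EDA: map the 2-byte table value to the
    opcode+ModRM word the handler writes (returned as a little-endian word)."""
    enc = encoded & 0xFFFF
    key = EP_WORD ^ 0x4260                      # 0x9D40
    bx = ((key ^ enc) - 0x9D40) & 0xFFFF        # sub bx,9D40 ; je / dec bx ; je
    if bx == 0:
        return key ^ 0xB8BF                     # 0x25FF -> FF 25: jmp dword ptr [m]
    if bx == 1:
        return key ^ 0x88BF                     # 0x15FF -> FF 15: call dword ptr [m]
    # 711F4E8E..711F4EA5: low byte from the PE header byte, ModRM from enc>>8
    dx = (((EP_WORD & 0xFF) ^ 0x60) + (enc & 0xFF00)) & 0xFFFF
    if enc & 0xFF == 0:
        return dx ^ 0xC9                        # 89 /r : mov [m],reg
    return dx ^ 0xCB                            # 8B /r : mov reg,[m]


def place_stub(mem, orig_va, stub_va, index):
    """Second loop, 71202FED..71203188: build the E8 stub and overwrite the
    original 6-byte instruction with E9 rel32 to it. The shell-internal
    fields at stub+E/+12/+16/+26/+2A are omitted here."""
    mem.write(stub_va, b'\xE8' + struct.pack('<i', HANDLER - (stub_va + 1) - 4))
    mem.write(stub_va + 5, b'\x00')                      # 'already processed' flag
    mem.write(stub_va + 6, struct.pack('<I', orig_va))   # 712030F7: address being processed
    mem.write(stub_va + 0xA, struct.pack('<I', index))   # 71203101: loop counter
    mem.write(stub_va + 0x1A, bytes(12))                 # 7120313B: scratch for the rebuilt instruction
    mem.write(stub_va + 0x1C, mem.read(orig_va + 2, 4))  # 7120314B: original disp32 operand
    # 71203174..7120317F: E9 at the original location, displacement to the stub
    mem.write(orig_va, b'\xE9' + struct.pack('<i', stub_va - (orig_va + 1) - 4))


def restore_entry(mem, stub_va, encoded):
    """What the ★10 patch does after the handler returns through the patched
    exit at 711F4EDA: original VA from stub+6, operand from stub+1C, opcode
    word from the handler, written back as one 6-byte instruction."""
    orig_va = mem.u32(stub_va + 6)              # 71232B32 mov esi,[eax]
    operand = mem.u32(stub_va + 0x1C)           # 71232B37 mov edi,[eax+16]
    mem.write(orig_va, struct.pack('<H', decode_opcode(encoded)))   # mov word ptr [esi],dx
    mem.write(orig_va + 2, struct.pack('<I', operand))              # mov [esi+2],edi
    return mem.read(orig_va, 6)


def demo():
    """Round trip on the page's addresses: jmp dword ptr [004064B8] at
    00401FF5 (operand constructed), stub at 011905E4, table value 0 = FF25."""
    mem = Mem()
    mem.write(0x00401FF5, bytes.fromhex('FF25B8644000'))
    place_stub(mem, 0x00401FF5, 0x011905E4, index=0)
    patched = (mem.read(0x00401FF5, 5), mem.read(0x011905E4, 5))
    restored = restore_entry(mem, 0x011905E4, encoded=0)
    return patched, restored
```

`demo()` reproduces the two instructions the page shows at 00401FF5 (E9 EAE5D800) and 011905E4 (E8 BF450670) from the displacement arithmetic alone, then puts the original FF 25 instruction back; the `decode_opcode` table is the whole reason the patch can get away with writing only `dx` and a 4-byte operand: every CodeReplace target is a 6-byte opcode/ModRM/disp32 instruction.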
_____________________________________________
3. CodeReplace repair complete
71203188 0F85 5FFEFFFF jnz 71202FED
//loop over every CodeReplace entry
7120318E 83C4 0C add esp,0C
//once the repair code is in place, set a breakpoint here
71203191 5D pop ebp
71203192 5F pop edi
71203193 5E pop esi
71203194 5B pop ebx
71203195 C3 retn
//returns to 71205620
Import Table and CodeReplace repair patch code, binary copied from OllyDbg, collected in one place:
60 9C 8B 7E 0C 81 C7 00 00 40 00 8B F0 8B 4E FC F3 A4 9D 61 E8 0F 25 EF FF E9 16 27 FD FF 00 00
60 9C 8B 75 C4 8B 4E FC 8B 3B 81 C7 02 00 40 00 F3 A4 9D 61 8B 45 C4 E9 5E 28 FD FF 00 00 24 FE
13 00 00 00 E8 C3 00 FD FF 60 9C 89 25 DE 2A 23 71 83 2D DE 2A 23 71 04 FF D0 8B F0 8B 4E FC 3E
8B 7D B8 66 C7 07 00 00 83 C7 02 F3 A4 C6 07 00 9D 61 E9 82 28 FD FF 00 00 00 00 00 04 FE 13 00
60 9C 89 25 1C 2B 23 71 83 2D 1C 2B 23 71 04 48 FF D0 8B 30 83 C0 16 8B 38 66 89 16 89 7E 02 9D
61 FF 04 24 FF 4C 24 08 E9 3B 06 FD FF 00 00 00
Once it breaks at 7120318E, undo all the code modifications made earlier; at this point the unpacking is essentially finished.
_____________________________________________________________
6. Game Over
Although we already learned the OEP value while following the shell's processing flow, let's still look at how EncryptPE reaches the OEP.
The way EncryptPE jumps to the OEP has not changed much from V1.2003 to the present.
7120561B E8 CCD7FFFF call 71202DEC
71205620 A1 E0E02171 mov eax,dword ptr ds:[7121E0E0]
//returns here after CodeReplace processing
Keep stepping downward
71205722 BA 02000000 mov edx,2
71205727 E8 10F4F1FF call 71124B3C
7120572C C3 retn
71205734 8B45 F4 mov eax,dword ptr ss:[ebp-C]
71205737 5F pop edi
71205738 5E pop esi
71205739 5B pop ebx
7120573A 8BE5 mov esp,ebp
7120573C 5D pop ebp
7120573D C3 retn
//returns to 712037F9
712037F9 74 03 je short 712037FE
712037FE 83F8 00 cmp eax,0
71203801 74 52 je short 71203855
71203803 8A1D B6182371 mov bl,byte ptr ds:[712318B6]
71203809 80FB 00 cmp bl,0
7120380C 75 27 jnz short 71203835
7120380E 35 FFFFFFFF xor eax,FFFFFFFF
//EAX=FFBFEF33 XOR FFFFFFFF=004010CC, the OEP value ★
71203813 894424 34 mov dword ptr ss:[esp+34],eax
71203817 83C4 10 add esp,10
7120381A 64:8F05 00000000 pop dword ptr fs:[0]
71203821 58 pop eax
71203822 25 00010000 and eax,100
71203827 3D 00010000 cmp eax,100
7120382C 74 27 je short 71203855
7120382E E8 D108FFFF call 711F4104
//step into
711F4104 E8 BC000000 call 711F41C5
//an int3 exception is raised inside
711F4109 53 push ebx
//set a breakpoint here, then Shift+F9
711F410A 52 push edx
711F410B 8B5C24 14 mov ebx,dword ptr ss:[esp+14]
711F410F 8B93 C4000000 mov edx,dword ptr ds:[ebx+C4]
711F4115 8B83 C0000000 mov eax,dword ptr ds:[ebx+C0]
711F411B A3 94182271 mov dword ptr ds:[71221894],eax
711F4120 E8 03070000 call 711F4828
711F4125 9C pushfd
711F4126 58 pop eax
711F4127 A3 94182271 mov dword ptr ds:[71221894],eax
711F412C E8 F7060000 call 711F4828
711F4131 8B83 B8000000 mov eax,dword ptr ds:[ebx+B8]
711F4137 40 inc eax
711F4138 8983 B8000000 mov dword ptr ds:[ebx+B8],eax
711F413E 8B4424 0C mov eax,dword ptr ss:[esp+C]
711F4142 8B00 mov eax,dword ptr ds:[eax]
711F4144 3D 03000080 cmp eax,80000003
711F4149 75 71 jnz short 711F41BC
711F414B 803D B0182271 01 cmp byte ptr ds:[712218B0],1
711F4152 74 4F je short 711F41A3
711F4154 8B42 0C mov eax,dword ptr ds:[edx+C]
711F4157 8983 9C000000 mov dword ptr ds:[ebx+9C],eax
711F415D 8B42 10 mov eax,dword ptr ds:[edx+10]
711F4160 8983 A0000000 mov dword ptr ds:[ebx+A0],eax
711F4166 8B42 14 mov eax,dword ptr ds:[edx+14]
711F4169 8983 B4000000 mov dword ptr ds:[ebx+B4],eax
711F416F 8B42 1C mov eax,dword ptr ds:[edx+1C]
711F4172 8983 A4000000 mov dword ptr ds:[ebx+A4],eax
711F4178 8B42 20 mov eax,dword ptr ds:[edx+20]
711F417B 8983 A8000000 mov dword ptr ds:[ebx+A8],eax
711F4181 8B42 24 mov eax,dword ptr ds:[edx+24]
711F4184 8983 AC000000 mov dword ptr ds:[ebx+AC],eax
711F418A 8B42 28 mov eax,dword ptr ds:[edx+28]
711F418D 8983 B0000000 mov dword ptr ds:[ebx+B0],eax
//[ebx+B0]=eax=004010CC
711F4193 8B02 mov eax,dword ptr ds:[edx]
711F4195 8942 24 mov dword ptr ds:[edx+24],eax
711F4198 89D0 mov eax,edx
711F419A 83C0 24 add eax,24
711F419D 8983 C4000000 mov dword ptr ds:[ebx+C4],eax
711F41A3 31C0 xor eax,eax
711F41A5 8943 04 mov dword ptr ds:[ebx+4],eax
711F41A8 8943 08 mov dword ptr ds:[ebx+8],eax
711F41AB 8943 0C mov dword ptr ds:[ebx+C],eax
711F41AE 8943 10 mov dword ptr ds:[ebx+10],eax
711F41B1 C743 18 55010000 mov dword ptr ds:[ebx+18],155
711F41B8 5A pop edx
711F41B9 5B pop ebx
711F41BA C3 retn
//returns to the system (the exception dispatcher)
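As an added illustration (not part of fly's tutorial): what the handler at 711F410B..711F41BA does to the exception context, written out in Python with the Win32 x86 CONTEXT field offsets substituted for the raw ebx+offset references (ebx = [esp+14] is the ContextRecord argument of the SEH handler, so [ebx+B8] is Eip and [ebx+B0] is Eax). The int3 address 711F41D0, the return address 711F4200 and the stack contents are constructed for the example; the calls to 711F4828 and the [712218B0] flag are not modeled (the flag is assumed 0, i.e. the register-reload path is taken).

```python
import struct

# Win32 x86 CONTEXT offsets (winnt.h) for the fields the handler touches.
CTX = {'Dr0': 0x04, 'Dr1': 0x08, 'Dr2': 0x0C, 'Dr3': 0x10, 'Dr7': 0x18,
       'Edi': 0x9C, 'Esi': 0xA0, 'Ebx': 0xA4, 'Edx': 0xA8, 'Ecx': 0xAC,
       'Eax': 0xB0, 'Ebp': 0xB4, 'Eip': 0xB8, 'EFlags': 0xC0, 'Esp': 0xC4}
CONTEXT_SIZE = 0x2CC
EXCEPTION_BREAKPOINT = 0x80000003


def ctx_get(ctx, name):
    return struct.unpack_from('<I', ctx, CTX[name])[0]


def ctx_set(ctx, name, value):
    struct.pack_into('<I', ctx, CTX[name], value & 0xFFFFFFFF)


def epe_int3_handler(exception_code, ctx, stack):
    """Model of 711F410B..711F41BA. `ctx` is a CONTEXT bytearray; `stack` is
    a bytearray holding the exception-time stack starting at ctx.Esp.
    The 711F4828 calls and the [712218B0] flag are not modeled (flag = 0)."""
    esp = ctx_get(ctx, 'Esp')                               # edx = [ebx+C4]
    ctx_set(ctx, 'Eip', ctx_get(ctx, 'Eip') + 1)            # 711F4131..713E: step over the int3
    if exception_code != EXCEPTION_BREAKPOINT:              # 711F4144 cmp eax,80000003
        return ctx
    stk = lambda off: struct.unpack_from('<I', stack, off)[0]
    # 711F4154..711F418D: registers are reloaded from a pushad frame that
    # starts at Esp+0C (pushad order: Edi, Esi, Ebp, Esp, Ebx, Edx, Ecx, Eax)
    for name, off in (('Edi', 0x0C), ('Esi', 0x10), ('Ebp', 0x14), ('Ebx', 0x1C),
                      ('Edx', 0x20), ('Ecx', 0x24), ('Eax', 0x28)):
        ctx_set(ctx, name, stk(off))
    # 711F4193..711F419D: [Esp+24] = [Esp]; Esp += 24, so the dword that sat
    # at the old Esp is now on top of the new stack (a retn there pops it)
    struct.pack_into('<I', stack, 0x24, stk(0))
    ctx_set(ctx, 'Esp', esp + 0x24)
    # 711F41A3..711F41B1: Dr0-Dr3 = 0 and Dr7 = 155 (L0-L3 enabled, all on
    # address 0): any hardware breakpoints the debugger had set are thrown
    # away, which is why a software breakpoint at the OEP is the right tool
    for name in ('Dr0', 'Dr1', 'Dr2', 'Dr3'):
        ctx_set(ctx, name, 0)
    ctx_set(ctx, 'Dr7', 0x155)
    return ctx


def demo(int3_va=0x711F41D0, ret_va=0x711F4200, esp0=0x0012FF00, oep=0x004010CC):
    """Constructed exception state (every address except the OEP is made up
    for this example): int3 at int3_va, a pushad frame whose Eax slot holds
    the OEP, as the page observes arriving in [ebx+B0]. Returns the
    registers that matter after the handler ran."""
    ctx = bytearray(CONTEXT_SIZE)
    ctx_set(ctx, 'Eip', int3_va)
    ctx_set(ctx, 'Esp', esp0)
    stack = bytearray(0x30)
    struct.pack_into('<I', stack, 0, ret_va)                     # [Esp]: return address
    frame = [0x11111111, 0x22222222, 0x33333333, esp0 + 0x2C,    # Edi Esi Ebp Esp
             0x44444444, 0x55555555, 0x66666666, oep]            # Ebx Edx Ecx Eax
    struct.pack_into('<8I', stack, 0x0C, *frame)
    epe_int3_handler(EXCEPTION_BREAKPOINT, ctx, stack)
    out = {n: ctx_get(ctx, n) for n in ('Eax', 'Ecx', 'Eip', 'Esp', 'Dr7')}
    out['top_of_stack'] = struct.unpack_from('<I', stack, out['Esp'] - esp0)[0]
    return out
```

The net effect is a popad-and-return done through the CONTEXT rather than by instructions, with Eax carrying the OEP out of the handler and every hardware breakpoint discarded on the way; hence the author's advice to use a plain int3 breakpoint at 004010CC.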
Set a breakpoint at 004010CC and Shift+F9 breaks at the OEP
004010CC 55 push ebp
//OEP
004010CD 8BEC mov ebp,esp
004010CF 83EC 44 sub esp,44
004010D2 56 push esi
004010D3 FF15 E0634000 call dword ptr ds:[4063E0]
004010D9 8BF0 mov esi,eax
004010DB 8A00 mov al,byte ptr ds:[eax]
004010DD 3C 22 cmp al,22
Dump the whole process with LordPE and fix the PE info of dumped0.exe:
OEP RVA=000010CC Import Table RVA=00006000
If the target is a DLL, the relocation table must be saved in part four and the relocation-table info fixed up
Game Over
_____________________________________________________________
, _/
/| _.-~/ \_ , Youth is but a moment
( /~ / \~-._ |\
`\\ _/ \ ~\ ) Why not trade empty fame
_-~~~-.) )__/;;,. \_ //'
/'_,\ --~ \ ~~~- ,;;\___( (.-~~~-. for the reckless joy of unpacking
`~ _( ,_..--\ ( ,;'' / ~-- /._`\
/~~//' /' `~\ ) /--.._, )_ `~
" `~" " `" /~'`\ `\\~~\
" " "~' ""
UnPacKed By : fly
http://www.unpack.cn
2007.06.03 16:00