↑
【作者声明】:只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教
【调试环境】:WinXP、OllyDbg、PEiD、LordPE、ImportREC
_____________________________________________________________
【脱壳过程】:
SimplePack是bagie[tmx]的壳,用者不多,并且其Method2压缩方式已经被McAfee加入黑名单。
[SimplePack V1.1X-V1.2X (Method1) -> bagie * Sign.By.fly]
signature = 60 E8 00 00 00 00 5B 8D 5B FA BD ?? ?? ?? ?? 8B 7D 3C 8D 74 3D 00 8D BE F8 00 00 00 0F B7 76 06 4E 8B 47 10 09 C0
ep_only = true
[SimplePack V1.X (Method2) -> bagie * Sign.By.fly]
signature = 4D 5A 90 EB 01 00 52 E9 ?? 01 00 00 50 45 00 00 4C 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00 E0 00 0F 03 0B 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0C 00 00 00 00 ?? ?? ?? 00 10 00 00 00 02 00 00 01 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00
ep_only = false
0040D000 60 pushad
//进入OllyDbg后暂停在这
0040D001 E8 00000000 call 0040D006
0040D006 5B pop ebx
0040D007 8D5B FA lea ebx,dword ptr ds:[ebx-6]
0040D00A BD 00004000 mov ebp,00400000
0040D00F 8B7D 3C mov edi,dword ptr ss:[ebp+3C]
0040D012 8D743D 00 lea esi,dword ptr ss:[ebp+edi]
0040D016 8DBE F8000000 lea edi,dword ptr ds:[esi+F8]
0040D01C 0FB776 06 movzx esi,word ptr ds:[esi+6]
0040D020 4E dec esi
0040D021 8B47 10 mov eax,dword ptr ds:[edi+10]
0040D024 09C0 or eax,eax
0040D026 74 55 je short 0040D07D
0040D028 0FB747 22 movzx eax,word ptr ds:[edi+22]
0040D02C 09C0 or eax,eax
0040D02E 74 4D je short 0040D07D
0040D030 6A 04 push 4
0040D032 68 00100000 push 1000
0040D037 FF77 10 push dword ptr ds:[edi+10]
0040D03A 6A 00 push 0
0040D03C FF93 63030000 call near dword ptr ds:[ebx+363] ; kernel32.VirtualAlloc
0040D042 50 push eax
0040D043 56 push esi
0040D044 57 push edi
0040D045 89EE mov esi,ebp
0040D047 0377 0C add esi,dword ptr ds:[edi+C]
0040D04A 8B4F 10 mov ecx,dword ptr ds:[edi+10]
0040D04D 89C7 mov edi,eax
0040D04F 89C8 mov eax,ecx
0040D051 C1E9 02 shr ecx,2
0040D054 FC cld
0040D055 F3:A5 rep movs dword ptr es:[edi],dword ptr ds:[esi]
0040D057 89C1 mov ecx,eax
0040D059 83E1 03 and ecx,3
0040D05C F3:A4 rep movs byte ptr es:[edi],byte ptr ds:[esi]
0040D05E 5F pop edi
0040D05F 5E pop esi
0040D060 8B0424 mov eax,dword ptr ss:[esp]
0040D063 89EA mov edx,ebp
0040D065 0357 0C add edx,dword ptr ds:[edi+C]
0040D068 E8 66010000 call 0040D1D3
0040D06D 58 pop eax
0040D06E 68 00400000 push 4000
0040D073 FF77 10 push dword ptr ds:[edi+10]
0040D076 50 push eax
0040D077 FF93 67030000 call near dword ptr ds:[ebx+367] ; kernel32.VirtualFree
0040D07D 83C7 28 add edi,28
0040D080 4E dec esi
0040D081 75 9E jnz short 0040D021
//循环解码
0040D083 BE 00600000 mov esi,6000
//解码完毕
//ESI=6000 Import Table RVA ★
0040D088 09F6 or esi,esi
0040D08A 0F84 0C010000 je 0040D19C
0040D090 01EE add esi,ebp
0040D092 8B4E 0C mov ecx,dword ptr ds:[esi+C]
0040D095 09C9 or ecx,ecx
0040D097 0F84 FF000000 je 0040D19C
//输入表处理完毕则跳转
0040D09D 01E9 add ecx,ebp
0040D09F 89CF mov edi,ecx
0040D0A1 57 push edi
0040D0A2 FF93 57030000 call near dword ptr ds:[ebx+357] ; kernel32.LoadLibraryA
0040D0A8 09C0 or eax,eax
0040D0AA 75 3D jnz short 0040D0E9
0040D0AC 6A 04 push 4
0040D0AE 68 00100000 push 1000
0040D0B3 68 00100000 push 1000
0040D0B8 6A 00 push 0
0040D0BA FF93 63030000 call near dword ptr ds:[ebx+363]
0040D0C0 89C6 mov esi,eax
0040D0C2 8D83 96020000 lea eax,dword ptr ds:[ebx+296]
0040D0C8 57 push edi
0040D0C9 50 push eax
0040D0CA 56 push esi
0040D0CB FF93 6F030000 call near dword ptr ds:[ebx+36F]
0040D0D1 6A 10 push 10
0040D0D3 6A 00 push 0
0040D0D5 56 push esi
0040D0D6 6A 00 push 0
0040D0D8 FF93 73030000 call near dword ptr ds:[ebx+373]
0040D0DE 89E5 mov ebp,esp
0040D0E0 B8 7E000000 mov eax,7E
0040D0E5 FF6424 2C jmp near dword ptr ss:[esp+2C]
0040D0E9 89C7 mov edi,eax
0040D0EB 8B0E mov ecx,dword ptr ds:[esi]
0040D0ED 09C9 or ecx,ecx
0040D0EF 75 03 jnz short 0040D0F4
0040D0F1 8B4E 10 mov ecx,dword ptr ds:[esi+10]
0040D0F4 09C9 or ecx,ecx
0040D0F6 0F84 CE000000 je 0040D1CA
0040D0FC 01E9 add ecx,ebp
0040D0FE 8B56 10 mov edx,dword ptr ds:[esi+10]
0040D101 01EA add edx,ebp
0040D103 8B01 mov eax,dword ptr ds:[ecx]
0040D105 09C0 or eax,eax
0040D107 75 05 jnz short 0040D10E
0040D109 83C6 14 add esi,14
0040D10C EB 84 jmp short 0040D092
0040D10E A9 00000080 test eax,80000000
0040D113 74 07 je short 0040D11C
0040D115 25 FFFF0000 and eax,0FFFF
0040D11A EB 05 jmp short 0040D121
0040D11C 01E8 add eax,ebp
0040D11E 83C0 02 add eax,2
0040D121 50 push eax
0040D122 51 push ecx
0040D123 52 push edx
0040D124 50 push eax
0040D125 57 push edi
0040D126 FF93 5B030000 call near dword ptr ds:[ebx+35B] ; kernel32.GetProcAddress
0040D12C 5A pop edx
0040D12D 59 pop ecx
0040D12E 09C0 or eax,eax
0040D130 75 52 jnz short 0040D184
0040D132 036E 0C add ebp,dword ptr ds:[esi+C]
0040D135 6A 04 push 4
0040D137 68 00100000 push 1000
0040D13C 68 00100000 push 1000
0040D141 6A 00 push 0
0040D143 FF93 63030000 call near dword ptr ds:[ebx+363]
0040D149 89C6 mov esi,eax
0040D14B 5F pop edi
0040D14C F7C7 0000FFFF test edi,FFFF0000
0040D152 74 08 je short 0040D15C
0040D154 8D83 BD020000 lea eax,dword ptr ds:[ebx+2BD]
0040D15A EB 06 jmp short 0040D162
0040D15C 8D83 ED020000 lea eax,dword ptr ds:[ebx+2ED]
0040D162 55 push ebp
0040D163 57 push edi
0040D164 50 push eax
0040D165 56 push esi
0040D166 FF93 6F030000 call near dword ptr ds:[ebx+36F]
0040D16C 6A 10 push 10
0040D16E 6A 00 push 0
0040D170 56 push esi
0040D171 6A 00 push 0
0040D173 FF93 73030000 call near dword ptr ds:[ebx+373]
0040D179 89E5 mov ebp,esp
0040D17B B8 7F000000 mov eax,7F
0040D180 FF6424 30 jmp near dword ptr ss:[esp+30]
0040D184 83C4 04 add esp,4
0040D187 8902 mov dword ptr ds:[edx],eax
0040D189 83C1 04 add ecx,4
0040D18C 83C2 04 add edx,4
0040D18F E9 6FFFFFFF jmp 0040D103
0040D194 83C6 14 add esi,14
0040D197 E9 F6FEFFFF jmp 0040D092
//循环处理输入表
0040D19C 8D4424 FC lea eax,dword ptr ss:[esp-4]
0040D1A0 50 push eax
0040D1A1 6A 04 push 4
0040D1A3 68 00100000 push 1000
0040D1A8 55 push ebp
0040D1A9 FF93 5F030000 call near dword ptr ds:[ebx+35F] ; kernel32.VirtualProtect
//设置PE头可读可写
0040D1AF BE 08014000 mov esi,00400108
0040D1B4 B8 00700000 mov eax,7000
0040D1B9 B9 B84F0000 mov ecx,4FB8
0040D1BE 8906 mov dword ptr ds:[esi],eax
//写入 Resource Table Address
0040D1C0 894E 04 mov dword ptr ds:[esi+4],ecx
//写入 Resource Table Size
0040D1C3 61 popad
0040D1C4 68 CC104000 push 004010CC
0040D1C9 C3 retn
//飞向光明之巅
004010CC 55 push ebp
//OEP
004010CD 8BEC mov ebp,esp
004010CF 83EC 44 sub esp,44
004010D2 56 push esi
004010D3 FF15 E0634000 call near dword ptr ds:[4063E0] ; kernel32.GetCommandLineA
7C921231 C3 retn
//进入OllyDbg后暂停在系统断点
0013FFB4 7C816FD4 返回到 kernel32.7C816FD4 来自 ntdll.ZwSetInformationThread
//Shift+F9 中断取消断点 看看返回地址是7C816FD4处,Alt+F9
7C816FCE FF15 A013807C call near dword ptr ds:[ZwSetInformationThread]
7C816FD4 FF55 08 call near dword ptr ss:[ebp+8] ; 00400000
//返回这里,EXE从这里进入EP
and dword ptr ss:[ebp-4],0
push 4
lea eax,dword ptr ss:[ebp+8]
push eax
push 9
push -2
00400000 4D dec ebp
//Method2压缩方式竟然以基址地址为EP
00400001 5A pop edx
00400002 90 nop
00400003 EB 01 jmp short 00400006
00400006 52 push edx
00400007 E9 89010000 jmp 00400195
00400195 EB 01 jmp short 00400198
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课