SVKP 菜鸟也玩补区段
高手就不要看了,菜鸟学脱壳,自己研究的,没什么技术含量,有什么不对的地方,请大家指正.
避开IAT加密,处理输入表
忽略所有异常选项,隐藏OD!
0091B000 > 60 pushad
0091B001 E8 00000000 call 0091B006
0091B006 5D pop ebp
0091B007 81ED 06000000 sub ebp, 6
0091B00D EB 05 jmp short 0091B014
0091B00F B8 06364200 mov eax, 00423606
0091B014 64:A0 23000000 mov al, byte ptr fs:[23]
0091B01A EB 03 jmp short 0091B01F
0091B01C C784E8 84C0EB03>mov dword ptr [eax+ebp*8+3EBC084], 7>
0091B027 67:B9 49000000 mov ecx, 49
0091B02D 8DB5 C5020000 lea esi, dword ptr [ebp+2C5]
0091B033 56 push esi
0091B034 8006 44 add byte ptr [esi], 44
0091B037 46 inc esi
0091B038 ^ E2 FA loopd short 0091B034
Shift+F9 运行,中断在这个壳的典型的异常处
10D6137F 6285 0E0B0000 bound eax, qword ptr [ebp+B0E]
10D61385 EB 02 jmp short 10D61389
10D61387 0FE88B D1EB02CD psubsb mm1, qword ptr [ebx+CD02EBD1]
10D6138E 208B C2EB02CD and byte ptr [ebx+CD02EBC2], cl
10D61394 208B 8A4F0800 and byte ptr [ebx+84F8A], cl
10D6139A 007C03 EB add byte ptr [ebx+eax-15], bh
10D6139E 0369 74 add ebp, dword ptr [ecx+74]
10D613A1 FB sti
10D613A2 8B89 74010000 mov ecx, dword ptr [ecx+174]
命令行下断:bp GetModuleHandleA+5,Shift+F9停到这里
7C80B6A6 837D 08 00 cmp dword ptr [ebp+8], 0
7C80B6AA 74 18 je short 7C80B6C4
7C80B6AC FF75 08 push dword ptr [ebp+8]
7C80B6AF E8 C0290000 call 7C80E074
7C80B6B4 85C0 test eax, eax
7C80B6B6 74 08 je short 7C80B6C0
7C80B6B8 FF70 04 push dword ptr [eax+4]
7C80B6BB E8 7D2D0000 call GetModuleHandleW
7C80B6C0 5D pop ebp
7C80B6C1 C2 0400 retn 4
断下后取消断点,Alt+F9返回!
10D8018F E8 02000000 call 10D80196
10D80194 CD20 83042408 vxdcall 8240483
10D8019A C3 retn
10D8019B E8 EB020FE8 call F8E7048B
10D801A0 50 push eax
10D801A1 52 push edx
10D801A2 EB 02 jmp short 10D801A6
10D801A4 CD20 EB020FE9 vxdcall E90F02EB
10D801AA 0F31 rdtsc
10D801AC EB 02 jmp short 10D801B0
这里和别的大牛们说的不一样,我真接在代码段下内存访问断点,Shift+F9
Memory map, 条目 17
地址=00401000
大小=00075000 (479232.)
属主=123 00400000
区段=
包含=代码
类型=Imag 01001002
访问=R
初始访问=RWE
程序就断在OEP了
0046992D 55 push ebp
0046992E 8BEC mov ebp, esp
00469930 6A FF push -1
00469932 68 C86D4700 push 00476DC8
00469937 68 30964600 push 00469630
0046993C 64:A1 00000000 mov eax, dword ptr fs:[0]
00469942 50 push eax
00469943 64:8925 0000000>mov dword ptr fs:[0], esp
0046994A 83EC 58 sub esp, 58
0046994D 53 push ebx
0046994E 56 push esi
0046994F 57 push edi
00469950 8965 E8 mov dword ptr [ebp-18], esp
00469953 FF15 90614700 call dword ptr [476190]
00469959 33D2 xor edx, edx
0046995B 8AD4 mov dl, ah
看来,OEP没有被抽字节,我们继续!@
用LordPE纠正大小然后DUMP之!!
打开IR 1.6,OEP填6992d--自动搜索IAT--获取输入表--有5个无效
对于这个壳,大家都知道,加密函数一般是GetProcAddress、GetModuleHandleA、GetCommandLineA、
ExitProcess.
5个不好确定,先按牛人们的方法,再走一次,避开IAT加密
忽略所有异常选项,隐藏OD!
0091B000 > 60 pushad
0091B001 E8 00000000 call 0091B006
0091B006 5D pop ebp
0091B007 81ED 06000000 sub ebp, 6
0091B00D EB 05 jmp short 0091B014
0091B00F B8 06364200 mov eax, 00423606
0091B014 64:A0 23000000 mov al, byte ptr fs:[23]
0091B01A EB 03 jmp short 0091B01F
0091B01C C784E8 84C0EB03>mov dword ptr [eax+ebp*8+3EBC084], 7>
0091B027 67:B9 49000000 mov ecx, 49
命令行下断:bp GetModuleHandleA+5,Shift+F9 通过所有异常,断下后取消断点,Alt+F9返回!
77C079B2 85C0 test eax, eax ; kernel32.7C800000
77C079B4 74 15 je short 77C079CB
77C079B6 68 9431BE77 push 77BE3194 ; ASCII
"InitializeCriticalSectionAndSpinCount"
77C079BB 50 push eax
77C079BC FF15 D010BE77 call dword ptr [77BE10D0] ;
kernel32.GetProcAddress
77C079C2 A3 5019C377 mov dword ptr [77C31950], eax
77C079C7 85C0 test eax, eax
77C079C9 75 0A jnz short 77C079D5
77C079CB B8 6F79C077 mov eax, 77C0796F
Ctrl+F搜索特征码,搜索所有命令:mov dword ptr ds:[edi],eax到这里
10D82B9C 8907 mov dword ptr [edi], eax
10D82B9E 7C 03 jl short 10D82BA3
10D82BA0 EB 03 jmp short 10D82BA5
10D82BA2 - E9 74FB61E8 jmp F93A271B
10D82BA7 0100 add dword ptr [eax], eax
10D82BA9 0000 add byte ptr [eax], al
10D82BAB 9A 83C404EB 02C>call far CD02:EB04C483
去共指令后是这样的
10D82B9C 8907 mov dword ptr [edi], eax
10D82B9E 7C 03 jl short 10D82BA3
10D82BA0 90 nop
10D82BA1 90 nop
10D82BA2 90 nop
10D82BA3 90 nop
10D82BA4 90 nop
10D82BA5 61 popad
10D82BA6 E8 01000000 call 10D82BAC
10D82BAB 9A 83C40490 909>call far 9090:9004C483
10D82BB2 90 nop
10D82BB3 8385 83E10100 0>add dword ptr [ebp+1E183], 4
10D82BBA 90 nop
10D82BBB 90 nop
10D82BBC 90 nop
10D82BBD 90 nop
10D82BBE ^ E9 65E0FFFF jmp 10D80C28
为了避开IAT加密,这里就要这样汇编了
10D82B9C 8907 popad
10D82B9E 7C 03 mov dword ptr ds:[edi],eax
10D82BA0 90 jl short 10D82BA3
10D82BA1 90 nop
10D82BA2 90 nop
10D82BA3 90 nop
10D82BA4 90 nop
10D82BA5 61 nop
10D82BA6 E8 01000000 call 10D82BAC
10D82BAB 9A 83C40490 909>call far 9090:9004C483
10D82BB2 90 nop
10D82BB3 8385 83E10100 0>add dword ptr [ebp+1E183], 4
10D82BBA 90 nop
10D82BBB 90 nop
10D82BBC 90 nop
10D82BBD 90 nop
10D82BBE ^ E9 65E0FFFF jmp 10D80C28
Ctrl+F搜索特征码,搜索所有命令:
cmp dword ptr ds:[ebx],251097CC 找到这里,
10D80F64 813B CC971025 cmp dword ptr [ebx], 251097CC
10D80F6A EB 03 jmp short 10D80F6F
10D80F6C C784E9 0F844330>mov dword ptr [ecx+ebp*8+3043840F], >
10D80F77 0000 add byte ptr [eax], al
10D80F79 00C3 add bl, al
10D80F7B EB 04 jmp short 10D80F81
一直F8走,来到这里
10D80FF4 /0F84 EB300000 je 10D840E5
10D80FFA |60 pushad
10D80FFB |E8 03000000 call 10D81003
10D81000 |D2EB shr bl, cl
10D81002 |0A58 EB or bl, byte ptr [eax-15]
10D81005 |0148 40 add dword ptr [eax+40], ecx
这里就要改了Ctrl+G 10D80F6A来到刚才找到的地方
10D80F64 813B CC971025 cmp dword ptr [ebx], 251097CC
10D80F6A EB 03 jmp short 10D80F6F
10D80F6C C784E9 0F844330>mov dword ptr [ecx+ebp*8+3043840F], >
10D80F77 0000 add byte ptr [eax], al
10D80F79 00C3 add bl, al
10D80F7B EB 04 jmp short 10D80F81
把10D80F6A EB 03 jmp short 10D80F6F这一句改成
10D80F6A EB 03 jmp short 10D80FFA
好,继续在代码断下内存访问断点,来到OEP处,用IR 1.6,一般的程序,这里应该就能找到所有的IAT了,但,
这个程序,还有三个,狂晕呀
没办法了,怎么办,只有手动跟踪了,但水平太菜,只知道,程序到
00469953 FF15 90614700 call dword ptr [476190]处
ds:[00476190]=10DE7CA7,这分明就是又到壳里了呀,这里想到了,脱ASPR的壳时,补区段,也是将壳的一个
段DUMP下,再补到脱壳后的程序里,呵呵,说干就干,DUMP下,10DE7CA7这个区段,补上之后,一切运行正常,
这个方法同样,不用在运行时找cmp dword ptr ds:[ebx],251097CC和mov dword ptr ds:[edi],eax这两
个特征码,直接运行到OEP后,找到IAT无效处的地方,看是那个区段,补进之,呵呵
打完,收工~~~~~
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课