看了fly版04年发布的
未知脱壳Skype和blackeyes在06年发布的
SKYPE中的 anti-debug 分析,收获很多,我找了比较新的skype3.0版本试着反汇编了一下,找到了blackeyes中关于解码部分的位置,发现只是略有不同,但是后面提到的关于内部IAT修复的代码却大不相同,这部分代码如下:
; ---------------------------------------------------------------------------
; Loader stub 00C0B7F4..00C0BAC0 (OllyDbg dump; Skype 3.0 according to the post).
; What the listing shows, in order:
;   1. VirtualProtect(entry point, 0xF4, PAGE_EXECUTE_READWRITE), call 00403AE4 over
;      those bytes, restore PAGE_EXECUTE_READ.
;   2. VirtualAlloc([D8D158] bytes) -> scratch buffer in [D9BA60].
;   3. XOR-decode every region listed in the 20-byte-stride table at D8D108 from
;      [ebp-1C]+src into buffer+dst (key 7077F00F, += 0x71 per dword).
;   4. Resolve an internal import table at D8D16C (0x147 records of 0xC bytes) with
;      LoadLibraryA/GetProcAddress and store each address at buffer+[rec+8].
;   5. Make the in-image target writable, call 00403208 (buffer -> image), VirtualFree
;      the buffer, apply per-region protections from the table, call base+[D8D168]
;      with (base, 1, 0).
; Helpers 00C0B32C, 00403AE4, 00405864, 00405724, 00403208, 0040539C, 0048CD68,
; 0040B38C, 0043B8E4 and 005B6360 are not in this dump; their roles below are
; inferred from argument setup only and are marked "presumably".
; Locals: [ebp-4] old protect; [ebp-8]/[ebp-C] decode src/dst; [ebp-10] resolved proc;
; [ebp-18] entry point; [ebp-1C] in-image target base; [ebp-20],[ebp-24],[ebp-28],
; [ebp-2C] temporaries zeroed at entry and released at 00C0BAB3.
; ---------------------------------------------------------------------------
00C0B7F4 /> /55 push ebp ; frame setup
00C0B7F5 |. |8BEC mov ebp, esp
00C0B7F7 |. |83C4 D4 add esp, -2C ; 0x2C bytes of locals
00C0B7FA |. |53 push ebx ; save callee-saved regs
00C0B7FB |. |56 push esi
00C0B7FC |. |57 push edi
00C0B7FD |. |33C0 xor eax, eax
00C0B7FF |. |8945 DC mov dword ptr [ebp-24], eax ; zero the four temporaries released at 00C0BAB3
00C0B802 |. |8945 D8 mov dword ptr [ebp-28], eax
00C0B805 |. |8945 D4 mov dword ptr [ebp-2C], eax
00C0B808 |. |8945 E0 mov dword ptr [ebp-20], eax
00C0B80B |. |33C0 xor eax, eax
00C0B80D |. |55 push ebp ; install an exception frame: fs:[0] is the SEH chain head on 32-bit Windows
00C0B80E |. |68 C1BAC000 push 00C0BAC1 ; handler address
00C0B813 |. |64:FF30 push dword ptr fs:[eax] ; previous frame
00C0B816 |. |64:8920 mov dword ptr fs:[eax], esp ; unlinked again at 00C0BAA6
00C0B819 |. |B8 04765B00 mov eax, <模块入口点> ; eax = module entry point (OllyDbg label)
00C0B81E |. |8945 E8 mov dword ptr [ebp-18], eax ; [ebp-18] = entry point
00C0B821 |. |BB F4000000 mov ebx, 0F4 ; ebx = 0xF4 bytes at the entry point to rewrite
00C0B826 |. |8D45 FC lea eax, dword ptr [ebp-4]
00C0B829 |. |50 push eax ; /pOldProtect
00C0B82A |. |6A 40 push 40 ; |NewProtect = PAGE_EXECUTE_READWRITE
00C0B82C |. |53 push ebx ; |Size => F4 (244.)
00C0B82D |. |8B45 E8 mov eax, dword ptr [ebp-18] ; |
00C0B830 |. |50 push eax ; |Address
00C0B831 |. |E8 9ACD7FFF call <jmp.&kernel32.VirtualProtect> ; \VirtualProtect - make the entry bytes writable
00C0B836 |. |85C0 test eax, eax
00C0B838 |. |75 0A jnz short 00C0B844
00C0B83A |. |B8 D8BAC000 mov eax, 00C0BAD8 ; ASCII "0ut of memory" (string as stored) - error path
00C0B83F |. |E8 E8FAFFFF call 00C0B32C ; presumably reports and does not return; otherwise the fall-through below would write a non-writable page
00C0B844 |> |8B45 E8 mov eax, dword ptr [ebp-18] ; eax = entry point
00C0B847 |. |33C9 xor ecx, ecx ; ecx = 0
00C0B849 |. |8BD3 mov edx, ebx ; edx = 0xF4
00C0B84B |. |E8 94827FFF call 00403AE4 ; presumably fills the 0xF4 entry bytes with 0 (eax=dst, edx=count, ecx=value matches a FillChar-style helper), i.e. the stub erases its own entry code - unconfirmed
00C0B850 |. |8D45 FC lea eax, dword ptr [ebp-4]
00C0B853 |. |50 push eax ; /pOldProtect
00C0B854 |. |6A 20 push 20 ; |NewProtect = PAGE_EXECUTE_READ
00C0B856 |. |53 push ebx ; |Size
00C0B857 |. |8B45 E8 mov eax, dword ptr [ebp-18] ; |
00C0B85A |. |50 push eax ; |Address
00C0B85B |. |E8 70CD7FFF call <jmp.&kernel32.VirtualProtect> ; \VirtualProtect - restore read/execute
00C0B860 |. |85C0 test eax, eax
00C0B862 |. |75 0A jnz short 00C0B86E
00C0B864 |. |B8 D8BAC000 mov eax, 00C0BAD8 ; ASCII "0ut of memory"
00C0B869 |. |E8 BEFAFFFF call 00C0B32C ; same error routine
00C0B86E |> |C605 04D1D800>mov byte ptr [D8D104], 1 ; set a global byte flag (meaning not visible here)
00C0B875 |. |6A 04 push 4 ; /Protect = PAGE_READWRITE
00C0B877 |. |68 00100000 push 1000 ; |AllocationType = MEM_COMMIT
00C0B87C |. |A1 58D1D800 mov eax, dword ptr [D8D158] ; |[D8D158] = total size of the decoded image
00C0B881 |. |50 push eax ; |Size => 63A000 (6529024.)
00C0B882 |. |6A 00 push 0 ; |Address = NULL
00C0B884 |. |E8 37CD7FFF call <jmp.&kernel32.VirtualAlloc> ; \VirtualAlloc - scratch buffer for the decoded image
00C0B889 |. |A3 60BAD900 mov dword ptr [D9BA60], eax ; [D9BA60] = buffer base
00C0B88E |. |833D 60BAD900>cmp dword ptr [D9BA60], 0
00C0B895 |. |75 0A jnz short 00C0B8A1
00C0B897 |. |B8 F0BAC000 mov eax, 00C0BAF0 ; ASCII "Not enough memory!"
00C0B89C |. |E8 8BFAFFFF call 00C0B32C
00C0B8A1 |> |B8 F8BC5C00 mov eax, 005CBCF8 ; appears to be the decode-routine location blackeyes described; this is Skype 3.0, slightly different
00C0B8A6 |. |8BD0 mov edx, eax
00C0B8A8 |. |0310 add edx, dword ptr [eax] ; self-relative pointer: 005CBCF8 + dword at 005CBCF8
00C0B8AA |. |8955 E4 mov dword ptr [ebp-1C], edx ; [ebp-1C] = in-image base of the encoded data
00C0B8AD |. |33C9 xor ecx, ecx ; ecx = region table index
00C0B8AF |. |EB 53 jmp short 00C0B904 ; enter loop at its condition
00C0B8B1 |> |8D0489 /lea eax, dword ptr [ecx+ecx*4] ; ecx*5 -> 20-byte table stride
00C0B8B4 |. |8B0485 10D1D8>|mov eax, dword ptr [eax*4+D8D110] ; field +8: source offset
00C0B8BB |. |0345 E4 |add eax, dword ptr [ebp-1C]
00C0B8BE |. |8945 F8 |mov dword ptr [ebp-8], eax ; [ebp-8] = src = image base + offset
00C0B8C1 |. |8D0489 |lea eax, dword ptr [ecx+ecx*4]
00C0B8C4 |. |8B0485 08D1D8>|mov eax, dword ptr [eax*4+D8D108] ; field +0: destination offset (also the table terminator when 0)
00C0B8CB |. |0305 60BAD900 |add eax, dword ptr [D9BA60] ; Skype.005CBD00
00C0B8D1 |. |8945 F4 |mov dword ptr [ebp-C], eax ; [ebp-C] = dst = buffer + offset
00C0B8D4 |. |B8 0FF07770 |mov eax, 7077F00F ; XOR key, reset for every region
00C0B8D9 |. |8D1489 |lea edx, dword ptr [ecx+ecx*4]
00C0B8DC |. |8B1495 14D1D8>|mov edx, dword ptr [edx*4+D8D114] ; field +0C: region length in bytes
00C0B8E3 |. |C1EA 02 |shr edx, 2 ; -> dword count
00C0B8E6 |. |4A |dec edx
00C0B8E7 |. |85D2 |test edx, edx ; TEST clears CF ...
00C0B8E9 |. |72 18 |jb short 00C0B903 ; ... so this JB is never taken; a zero-length region would run the inner loop 2^32 times. Presumably the table contains none (looks like a compiler artifact)
00C0B8EB |. |42 |inc edx ; edx = dword count
00C0B8EC |. |33DB |xor ebx, ebx ; ebx = dword index
00C0B8EE |> |8B75 F8 |/mov esi, dword ptr [ebp-8]
00C0B8F1 |. |8B349E ||mov esi, dword ptr [esi+ebx*4] ; esi = src[ebx]
00C0B8F4 |. |33F0 ||xor esi, eax ; ^ key
00C0B8F6 |. |8B7D F4 ||mov edi, dword ptr [ebp-C]
00C0B8F9 |. |89349F ||mov dword ptr [edi+ebx*4], esi ; dst[ebx] = decoded dword
00C0B8FC |. |83C0 71 ||add eax, 71 ; key += 0x71 per dword
00C0B8FF |. |43 ||inc ebx
00C0B900 |. |4A ||dec edx
00C0B901 |.^|75 EB |\jnz short 00C0B8EE
00C0B903 |> |41 |inc ecx ; next region
00C0B904 |> |8D0489 lea eax, dword ptr [ecx+ecx*4]
00C0B907 |. |833C85 08D1D8>|cmp dword ptr [eax*4+D8D108], 0 ; loop while the destination-offset field is non-zero
00C0B90F |.^|77 A0 \ja short 00C0B8B1
00C0B911 |. |33FF xor edi, edi ; decoding presumably ends here; per blackeyes' note "an internal IAT is parsed from here", but the code below differs a lot from that analysis. edi = current module handle (none yet)
00C0B913 |. |BB 47010000 mov ebx, 147 ; 0x147 import records
00C0B918 |. |BE 6CD1D800 mov esi, 00D8D16C ; record layout inferred from use: +0 string ptr (DLL or proc name), +4 ordinal/name value, +8 destination offset in the image
00C0B91D |> |833E 00 /cmp dword ptr [esi], 0
00C0B920 |. |75 06 |jnz short 00C0B928
00C0B922 |. |837E 04 00 |cmp dword ptr [esi+4], 0
00C0B926 |. |74 7F |je short 00C0B9A7 ; +0 and +4 both zero: empty record, skip
00C0B928 |> |837E 08 00 |cmp dword ptr [esi+8], 0
00C0B92C |. |75 36 |jnz short 00C0B964 ; +8 != 0: import record; +8 == 0: DLL record
00C0B92E |. |8B06 |mov eax, dword ptr [esi]
00C0B930 |. |E8 2F9F7FFF |call 00405864 ; presumably yields a C string pointer for the table's string - unconfirmed
00C0B935 |. |50 |push eax ; /FileName
00C0B936 |. |E8 8DCB7FFF |call <jmp.&kernel32.LoadLibraryA> ; \LoadLibraryA
00C0B93B |. |8BF8 |mov edi, eax ; edi = hModule for the following import records
00C0B93D |. |85FF |test edi, edi
00C0B93F |. |75 66 |jnz short 00C0B9A7
00C0B941 |. |68 0CBBC000 |push 00C0BB0C ; ASCII "Cannot load the DLL ("
00C0B946 |. |FF36 |push dword ptr [esi] ; DLL name
00C0B948 |. |68 2CBBC000 |push 00C0BB2C ; ASCII ")!"
00C0B94D |. |8D45 E0 |lea eax, dword ptr [ebp-20]
00C0B950 |. |BA 03000000 |mov edx, 3 ; 3 pieces
00C0B955 |. |E8 CA9D7FFF |call 00405724 ; presumably concatenates the pushed pieces into [ebp-20]
00C0B95A |. |8B45 E0 |mov eax, dword ptr [ebp-20]
00C0B95D |. |E8 CAF9FFFF |call 00C0B32C ; error routine; if it returned, edi would stay 0 for the next GetProcAddress calls
00C0B962 |. |EB 43 |jmp short 00C0B9A7
00C0B964 |> |837E 04 00 |cmp dword ptr [esi+4], 0
00C0B968 |. |75 13 |jnz short 00C0B97D ; +4 != 0: use it directly as ProcNameOrOrdinal
00C0B96A |. |8B06 |mov eax, dword ptr [esi]
00C0B96C |. |E8 F39E7FFF |call 00405864 ; +4 == 0: resolve by the name string at +0
00C0B971 |. |50 |push eax ; /ProcNameOrOrdinal
00C0B972 |. |57 |push edi ; |hModule
00C0B973 |. |E8 18CA7FFF |call <jmp.&kernel32.GetProcAddress> ; \GetProcAddress
00C0B978 |. |8945 F0 |mov dword ptr [ebp-10], eax ; [ebp-10] = resolved address
00C0B97B |. |EB 0D |jmp short 00C0B98A
00C0B97D |> |8B46 04 |mov eax, dword ptr [esi+4]
00C0B980 |. |50 |push eax ; /ProcNameOrOrdinal
00C0B981 |. |57 |push edi ; |hModule
00C0B982 |. |E8 09CA7FFF |call <jmp.&kernel32.GetProcAddress> ; \GetProcAddress
00C0B987 |. |8945 F0 |mov dword ptr [ebp-10], eax
00C0B98A |> |837D F0 00 |cmp dword ptr [ebp-10], 0
00C0B98E |. |75 0A |jnz short 00C0B99A
00C0B990 |. |B8 38BBC000 |mov eax, 00C0BB38 ; ASCII "Failed to load function!"
00C0B995 |. |E8 92F9FFFF |call 00C0B32C
00C0B99A |> |A1 60BAD900 |mov eax, dword ptr [D9BA60]
00C0B99F |. |0346 08 |add eax, dword ptr [esi+8] ; slot = buffer + destination offset
00C0B9A2 |. |8B55 F0 |mov edx, dword ptr [ebp-10]
00C0B9A5 |. |8910 |mov dword ptr [eax], edx ; write the resolved address into the decoded image's own import slot
00C0B9A7 |> |83C6 0C |add esi, 0C ; next record (0xC bytes)
00C0B9AA |. |4B |dec ebx
00C0B9AB |.^|0F85 6CFFFFFF \jnz 00C0B91D
00C0B9B1 |. |8D45 FC lea eax, dword ptr [ebp-4]
00C0B9B4 |. |50 push eax ; /pOldProtect
00C0B9B5 |. |6A 04 push 4 ; |NewProtect = PAGE_READWRITE
00C0B9B7 |. |A1 58D1D800 mov eax, dword ptr [D8D158] ; |
00C0B9BC |. |50 push eax ; |Size => 63A000 (6529024.)
00C0B9BD |. |8B5D E4 mov ebx, dword ptr [ebp-1C] ; |ebx = in-image target base
00C0B9C0 |. |53 push ebx ; |Address
00C0B9C1 |. |E8 0ACC7FFF call <jmp.&kernel32.VirtualProtect> ; \VirtualProtect - make the in-image target writable before copying back
00C0B9C6 |. |85C0 test eax, eax
00C0B9C8 |. |75 51 jnz short 00C0BA1B
00C0B9CA |. |68 5CBBC000 push 00C0BB5C ; ASCII "error 9920 (" - fatal path: builds a message and exits
00C0B9CF |. |8D4D D8 lea ecx, dword ptr [ebp-28]
00C0B9D2 |. |B2 08 mov dl, 8
00C0B9D4 |. |A1 58D1D800 mov eax, dword ptr [D8D158]
00C0B9D9 |. |E8 8A1388FF call 0048CD68 ; presumably formats [D8D158] into [ebp-28]
00C0B9DE |. |FF75 D8 push dword ptr [ebp-28]
00C0B9E1 |. |68 74BBC000 push 00C0BB74
00C0B9E6 |. |E8 5DC97FFF call <jmp.&kernel32.GetLastError> ; [GetLastError
00C0B9EB |. |33D2 xor edx, edx
00C0B9ED |. |52 push edx ; /Arg2 => 00000000
00C0B9EE |. |50 push eax ; |Arg1 = last error code
00C0B9EF |. |8D45 D4 lea eax, dword ptr [ebp-2C] ; |
00C0B9F2 |. |E8 95F97FFF call 0040B38C ; \Skype.0040B38C - presumably formats the error code into [ebp-2C]
00C0B9F7 |. |FF75 D4 push dword ptr [ebp-2C]
00C0B9FA |. |68 80BBC000 push 00C0BB80
00C0B9FF |. |8D45 DC lea eax, dword ptr [ebp-24]
00C0BA02 |. |BA 05000000 mov edx, 5 ; 5 pieces
00C0BA07 |. |E8 189D7FFF call 00405724 ; presumably concatenates into [ebp-24]
00C0BA0C |. |8B45 DC mov eax, dword ptr [ebp-24]
00C0BA0F |. |E8 D0FE82FF call 0043B8E4 ; presumably displays the message
00C0BA14 |. |6A 00 push 0 ; /ExitCode = 0
00C0BA16 |. |E8 0DC87FFF call <jmp.&kernel32.ExitProcess> ; \ExitProcess
00C0BA1B |> |8BD3 mov edx, ebx ; edx = in-image target
00C0BA1D |. |A1 60BAD900 mov eax, dword ptr [D9BA60] ; eax = scratch buffer
00C0BA22 |. |8B0D 58D1D800 mov ecx, dword ptr [D8D158] ; Skype.0063A000 - ecx = size
00C0BA28 |. |E8 DB777FFF call 00403208 ; presumably copies buffer -> image (eax=src, edx=dst, ecx=count is the Move(Source, Dest, Count) register order) - unconfirmed
00C0BA2D |. |68 00800000 push 8000 ; /FreeType = MEM_RELEASE
00C0BA32 |. |6A 00 push 0 ; |Size = 0
00C0BA34 |. |A1 60BAD900 mov eax, dword ptr [D9BA60] ; |
00C0BA39 |. |50 push eax ; |Address => Skype.005CBD00
00C0BA3A |. |E8 89CB7FFF call <jmp.&kernel32.VirtualFree> ; \VirtualFree - release the scratch buffer
00C0BA3F |. |8B45 E4 mov eax, dword ptr [ebp-1C]
00C0BA42 |. |A3 60BAD900 mov dword ptr [D9BA60], eax ; [D9BA60] now = in-image base of the decoded data
00C0BA47 |. |33DB xor ebx, ebx ; ebx = region table index
00C0BA49 |> |8D55 FC /lea edx, dword ptr [ebp-4]
00C0BA4C |. |52 |push edx ; /pOldProtect
00C0BA4D |. |8D049B |lea eax, dword ptr [ebx+ebx*4] ; |20-byte stride again
00C0BA50 |. |8B1485 18D1D8>|mov edx, dword ptr [eax*4+D8D118] ; |field +10: page protection
00C0BA57 |. |52 |push edx ; |NewProtect
00C0BA58 |. |8B1485 0CD1D8>|mov edx, dword ptr [eax*4+D8D10C] ; |field +4: region size
00C0BA5F |. |52 |push edx ; |Size
00C0BA60 |. |8B0485 08D1D8>|mov eax, dword ptr [eax*4+D8D108] ; |field +0: offset
00C0BA67 |. |0305 60BAD900 |add eax, dword ptr [D9BA60] ; |Skype.005CBD00
00C0BA6D |. |50 |push eax ; |Address
00C0BA6E |. |E8 5DCB7FFF |call <jmp.&kernel32.VirtualProtect> ; \VirtualProtect - return value is not checked in this loop
00C0BA73 |. |43 |inc ebx
00C0BA74 |. |8D049B |lea eax, dword ptr [ebx+ebx*4]
00C0BA77 |. |833C85 08D1D8>|cmp dword ptr [eax*4+D8D108], 0 ; same terminator as the decode loop
00C0BA7F |.^|75 C8 \jnz short 00C0BA49
00C0BA81 |. |A1 68D1D800 mov eax, dword ptr [D8D168] ; [D8D168] = offset of the routine to enter
00C0BA86 |. |0305 60BAD900 add eax, dword ptr [D9BA60] ; Skype.005CBD00 - eax = base + offset
00C0BA8C |. |6A 00 push 0
00C0BA8E |. |6A 01 push 1
00C0BA90 |. |FF35 60BAD900 push dword ptr [D9BA60] ; Skype.005CBD00
00C0BA96 |. |FFD0 call eax ; control passes into the decoded image with (base, 1, 0); the argument shape resembles a DllMain(hinst, DLL_PROCESS_ATTACH, NULL)-style entry - unconfirmed
00C0BA98 |. |833D 60BAD900>cmp dword ptr [D9BA60], 0
00C0BA9F |. |75 05 jnz short 00C0BAA6
00C0BAA1 |. |E8 BAA89AFF call 005B6360 ; role not visible here
00C0BAA6 |> |33C0 xor eax, eax
00C0BAA8 |. |5A pop edx ; previous SEH frame saved at 00C0B813
00C0BAA9 |. |59 pop ecx
00C0BAAA |. |59 pop ecx
00C0BAAB |. |64:8910 mov dword ptr fs:[eax], edx ; unlink the exception frame
00C0BAAE |. |68 C8BAC000 push 00C0BAC8 ; return target after the cleanup below
00C0BAB3 |> |8D45 D4 lea eax, dword ptr [ebp-2C]
00C0BAB6 |. |BA 04000000 mov edx, 4 ; 4 temporaries
00C0BABB |. |E8 DC987FFF call 0040539C ; presumably releases the four temporaries zeroed at entry
00C0BAC0 \. |C3 retn ; returns to 00C0BAC8 pushed above
如果要脱壳的话它的OEP在哪里呢?到最后能不能作出可执行的无壳程序啊?我已经跟了好长时间了还是没有头绪。谢谢所有人的回复。