所用软件:PatchMaker 1.4
PEiD查壳结果:PEncrypt 3.1 Final -> junkcode
用OllyICE载入后,入口点是这个样子:
004034E1 > $ B8 00704100 mov eax, 00417000 ////OEP就是这个
004034E6 . FFD0 call eax //此处F7进入 ////这个壳有点奇怪
004034E8 . 60 pushad
004034E9 . 40 inc eax
004034EA . 0068 0C add byte ptr [eax+C], ch
004034ED . 51 push ecx
004034EE . 40 inc eax
004034EF . 0064A1 00 add byte ptr [ecx], ah
004034F3 . 0000 add byte ptr [eax], al
004034F5 . 0050 64 add byte ptr [eax+64], dl
004034F8 89 db 89
004034F9 . 25 00000000 and eax, 0
004034FE . 83EC 58 sub esp, 58
00403501 . 53 push ebx
00403502 . 56 push esi
00403503 . 57 push edi
00403504 . 8965 E8 mov dword ptr [ebp-18], esp
00403507 . FF15 F8A04000 call dword ptr [<&KERNEL32.GetVersion>; kernel32.GetVersion
然后单步(F7)进入那个 call eax,进入以后是这个样子:
00417000 /E9 B2000000 jmp 004170B7
00417005 |57 push edi
00417006 |65:6E outs dx, byte ptr es:[edi]
这里是一个JMP往下跳,直接让它执行过去,然后是这样:
004170B7 58 pop eax //OK单步就可以了
004170B8 E8 E7020000 call 004173A4
004170BD 48 dec eax
004170BE 2D BD104000 sub eax, 004010BD
004170C3 8DA8 05104000 lea ebp, dword ptr [eax+401005]
004170C9 FF3424 push dword ptr [esp]
004170CC 8F85 81000000 pop dword ptr [ebp+81]
004170D2 FFB5 81000000 push dword ptr [ebp+81]
004170D8 E8 00020000 call 004172DD
004170DD 8985 89000000 mov dword ptr [ebp+89], eax
004170E3 8D85 8D000000 lea eax, dword ptr [ebp+8D]
004170E9 50 push eax
004170EA FFB5 89000000 push dword ptr [ebp+89]
004170F0 E8 28020000 call 0041731D
004170F5 8945 2C mov dword ptr [ebp+2C], eax
004170F8 8D85 9A000000 lea eax, dword ptr [ebp+9A]
004170FE 50 push eax
004170FF FFB5 89000000 push dword ptr [ebp+89]
00417105 E8 13020000 call 0041731D
0041710A 8945 30 mov dword ptr [ebp+30], eax
0041710D 8D85 A9000000 lea eax, dword ptr [ebp+A9]
00417113 50 push eax
00417114 FFB5 89000000 push dword ptr [ebp+89]
0041711A E8 FE010000 call 0041731D
0041711F 8945 34 mov dword ptr [ebp+34], eax
00417122 6A 1C push 1C
00417124 8D45 59 lea eax, dword ptr [ebp+59]
00417127 50 push eax
00417128 FF75 1C push dword ptr [ebp+1C]
0041712B FF55 2C call dword ptr [ebp+2C]
0041712E 54 push esp
0041712F 6A 04 push 4
00417131 6A 08 push 8
00417133 FF75 1C push dword ptr [ebp+1C]
00417136 FF55 30 call dword ptr [ebp+30]
00417139 56 push esi
0041713A 8BF5 mov esi, ebp
0041713C 8B56 20 mov edx, dword ptr [esi+20]
0041713F 8956 75 mov dword ptr [esi+75], edx
00417142 0BD2 or edx, edx
00417144 74 1D je short 00417163 ///如果你愿意直接F4到这里……
然后F4运行到第一个JE处,判断这里就是Magic Jump,把它改成 jmp short 00417163。
改好以后就万事大吉了,下面一直单步,直到程序再次返回OEP,此时是这样:
004034E1 > $ 55 push ebp ; patchmak.00417005
004034E2 ? 8BEC mov ebp, esp
004034E4 ? 6A FF push -1
004034E6 . 68 A0A14000 push 0040A1A0
004034EB ? 68 0C514000 push 0040510C ; 入口地址
004034F0 ? 64:A1 0000000>mov eax, dword ptr fs:[0]
004034F6 ? 50 push eax
004034F7 ? 64:8925 00000>mov dword ptr fs:[0], esp
004034FE . 83EC 58 sub esp, 58
00403501 . 53 push ebx
00403502 . 56 push esi
00403503 . 57 push edi
00403504 . 8965 E8 mov dword ptr [ebp-18], esp
OK,这是一个C++写的程序。然后用ImportREC载入,什么也不用填,直接自动搜索IAT,结果没有无效指针,本壳解决完毕。
P.S. 如果不改Magic Jump,你是永远也无法解决掉那些无效指针的:三级跟踪一跟踪,程序就自动关闭了……嘿嘿……所以更改Magic Jump是脱掉这个壳的一个很聪明的办法……呵呵~
第一次写脱文,大家多多指教……