[Original] .NET Reactor Generic Unpacking Summary
Posted: 2008-2-5 10:24
.NET Reactor Generic Unpacking Summary
Written by KuNgBiM/[CCG]
Email: kungbim@163.com
Date: February 05, 2008
Debugger tools: OllyICE, CFF Explorer
Statement: This article is a small summary of what I learned while unpacking .NET Reactor.
-----------------------------------------------------------------------------------------
【Unpacking】
.NET Reactor's signature is a bit unusual; PEiD identifies the packed file as: Borland Delphi 6.0 - 7.0 [Overlay]
Load the target program in OllyICE, set the options to ignore all exceptions, and press Shift+F9 to run it:
Press Alt+M to open the memory map, then Ctrl+B to search for the UNICODE string --> "Kurapica UnpackME #1"
After about three hits it is found:
038B535E 4B 00 75 00 72 00 61 00 70 00 69 00 63 00 61 00 K.u.r.a.p.i.c.a.
038B536E 20 00 55 00 6E 00 70 00 61 00 63 00 6B 00 4D 00 .U.n.p.a.c.k.M.
038B537E 45 00 20 00 23 00 31 00 00 41 31 00 36 00 32 00 E. .#.1..A1.6.2.
038B538E 30 00 34 00 31 00 31 00 32 00 2D 00 31 00 31 00 0.4.1.1.2.-.1.1.
038B539E 38 00 32 00 30 00 2D 00 39 00 36 00 32 00 32 00 8.2.0.-.9.6.2.2.
038B53AE 32 00 2D 00 32 00 36 00 35 00 32 00 31 00 2D 00 2.-.2.6.5.2.1.-.
038B53BE 38 00 37 00 30 00 32 00 34 00 01 41 57 00 65 00 8.7.0.2.4.AW.e.
038B53CE 6C 00 6C 00 20 00 64 00 6F 00 6E 00 65 00 20 00 l.l. .d.o.n.e. .
Drag the scrollbar straight to the top to find:
038B0000 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 MZ?........
038B0010 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ?......@.......
038B0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
038B0030 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 ............€...
038B0040 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 ?.???L?Th
038B0050 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F is program canno
038B0060 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 t be run in DOS
038B0070 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 mode....$.......
038B0080 50 45 00 00 4C 01 04 00 87 5F 8B 47 00 00 00 00 PE..L.嘷婫....
038B0090 00 00 00 00 E0 00 0E 21 0B 01 08 00 00 50 00 00 ....?!..P..
038B00A0 00 50 00 00 00 00 00 00 8E 6A 00 00 00 20 00 00 .P......巎... ..
038B00B0 00 80 00 00 00 00 40 00 00 20 00 00 00 10 00 00 .€....@.. .....
At 038B0000 right-click "Backup" ---> "Save data to file" ---> save it as "_038B0000.exe"
【Tip】 OllyICE saves data as "*.mem" by default, so here we simply save it in "*.exe" format instead!
【Fixing the metadata RVA and SIZE】
Open the dumped file "_038B0000.exe" in CFF Explorer:
Select in turn:
① Nt Headers ---> File Header ---> Characteristics ---> uncheck "File is a DLL" ---> OK
② Address Converter ---> search for "BSJB", found at offset "000037AC" ---> enter it in "File Offset"
This gives us the "Meta Data RVA":
RVA = 000047AC
③ .NET Directory ---> Meta Data RVA ---> enter the RVA obtained, "000047AC"
④ Optional Header ---> Data Directories [x] ---> Import Directory RVA (Value) ---> this gives "00006A40"
Compute the Meta Data SIZE:
Meta Data SIZE = Import Directory RVA - Meta Data RVA
0x6A40 - 0x47AC = 0x2294
Meta Data RVA = 000047AC
Meta Data SIZE = 00002294
After the fixes above, save the file and run it!
.NET Reactor v3.6.0.0 is unpacked the same way.
【Summary of the unpacking method】
OllyICE work:
⑴ Load the target to be unpacked, run it, search memory for the UNICODE string that identifies the target program's window, and search upward from it for the PE file header;
⑵ Once the PE file header is found, dump the captured memory image to a backup file;
CFF Explorer work:
⑴ Open the dumped file and correct its Characteristics as the situation requires;
⑵ Search for the "BSJB" signature, convert the offset to obtain the Meta Data RVA, and fix it;
⑶ From the Import Directory RVA and the Meta Data RVA, compute the Meta Data SIZE and fix it;
⑷ Save, and you're done!
-----------------------------------------------------------------------------------------
Special thanks to the authors of the .NET-related articles (in no particular order): tankaiha, tracky, UFO-Pu55y, Rongchaua
-----------------------------------------------------------------------------------------
【Copyright notice】 This article is purely for technical exchange; when reposting, please credit the author and keep the article intact. Thanks!