[Unpacking procedure]:
CI Crypt is an uncommon packer, and unpacking it is a little more involved than unpacking a plain compression packer. It is best attempted after you have already done manual UPX/ASPack unpacking.
There are many ways to unpack it; the ESP trick also works. Follow the walkthrough first, and once you have the mechanism down, look for your own method.
_____________________________________________________________
一. EP
Inspect the target with LordPE: ImageBase=00570000 SizeOfImage=00075000
Set OllyDbg to ignore all exceptions, hide the debugger with the IsDebugPresent plugin, and clear all previous breakpoints
CODE
00571744 3C 20 cmp al,20
//OllyDbg pauses here on loading the file (the packer's entry point)
00571746 F5 cmc
00571747 79 01 jns short 0057174A
00571749 F8 clc
0057174A F5 cmc
0057174B F9 stc
0057174C 60 pushad
0057174D C0C1 70 rol cl,70
00571750 E9 1B000000 jmp 00571770
_______________________________________________________
二. Data recovery
BP VirtualAlloc
Shift+F9 to run; when it breaks, remove the breakpoint and press Alt+F9 to return to the caller
CODE
0013FD6C 005713CC /CALL to VirtualAlloc from UnPackMe.005713CA
0013FD70 00400000 |Address = 00400000
0013FD74 0006B000 |Size = 6B000 (438272.)
0013FD78 00003000 |AllocationType = MEM_COMMIT|MEM_RESERVE
0013FD7C 00000040 \Protect = PAGE_EXECUTE_READWRITE
The memory being requested is at 00400000.

Most EXE files have an ImageBase of 00400000, but after CI Crypt packed this file its ImageBase became 00570000.
So the packer changed the image base when packing; at run time the stub has to allocate the original base and restore the code there.
Read as much of the code as you can and try to understand the packer's flow; the more of this you read, the more you learn.
CODE
005713C0 51 push ecx
005713C1 6A 40 push 40
005713C3 68 00300000 push 3000
005713C8 51 push ecx
005713C9 50 push eax
005713CA FFD3 call near ebx; kernel32.VirtualAlloc
005713CC 59 pop ecx
//Alt+F9 returns here
005713CD 85C0 test eax,eax
005713CF 75 13 jnz short 005713E4
005713D1 6A 40 push 40
005713D3 68 00100000 push 1000
005713D8 51 push ecx
005713D9 50 push eax
005713DA FFD3 call near ebx
005713DC 85C0 test eax,eax
005713DE 0F84 4D020000 je 00571631
005713E4 8945 F4 mov dword ptr ss:[ebp-C],eax
005713E7 89C7 mov edi,eax
005713E9 8B75 08 mov esi,dword ptr ss:[ebp+8]
005713EC 56 push esi
005713ED 89F1 mov ecx,esi
005713EF 034E 3C add ecx,dword ptr ds:[esi+3C]
005713F2 8B49 54 mov ecx,dword ptr ds:[ecx+54]
005713F5 F3:A4 rep movs byte ptr es:[edi],byte ptr ds:[esi]
//ecx=00000400 (decimal 1024.)
//ds:[esi]=[00571B79]=4D ('M')
//es:[edi]=[00400000]=00
//Starts copying the PE headers (SizeOfHeaders bytes, read from [NT headers+54]) back to 00400000
005713F7 5E pop esi
005713F8 0376 3C add esi,dword ptr ds:[esi+3C]
005713FB 81C6 F8000000 add esi,0F8
00571401 8B45 08 mov eax,dword ptr ss:[ebp+8]
00571404 0340 3C add eax,dword ptr ds:[eax+3C]
00571407 0FB640 06 movzx eax,byte ptr ds:[eax+6]
0057140B 8D7D C8 lea edi,dword ptr ss:[ebp-38]
0057140E 57 push edi
0057140F 6A 0A push 0A
00571411 59 pop ecx
00571412 F3:A5 rep movs dword ptr es:[edi],dword ptr ds:[esi]
//[esi] points at the section headers of the original (pre-packing) file; one 40-byte IMAGE_SECTION_HEADER is copied to the stack buffer at ebp-38
00571414 5F pop edi
00571415 8B57 14 mov edx,dword ptr ds:[edi+14]
00571418 85D2 test edx,edx
0057141A 74 14 je short 00571430
0057141C 56 push esi
0057141D 8B75 08 mov esi,dword ptr ss:[ebp+8]
00571420 01D6 add esi,edx
00571422 8B4F 10 mov ecx,dword ptr ds:[edi+10]
00571425 8B57 0C mov edx,dword ptr ds:[edi+C]
00571428 8B7D F4 mov edi,dword ptr ss:[ebp-C]
0057142B 01D7 add edi,edx
0057142D F3:A4 rep movs byte ptr es:[edi],byte ptr ds:[esi]
//ecx=00049200 (decimal 299520.)
//ds:[esi]=[00571F79]=56 ('V')
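To make the stub's data-recovery logic explicit, here is an added Python example (not code from the tutorial and not CI Crypt's own code) that performs the same mapping on a constructed minimal PE32 image: read e_lfanew at [base+3C], SizeOfHeaders at [NT+54] and NumberOfSections at [NT+6], copy the headers to the new base, then walk the section table at NT+F8 and copy each section's raw data from PointerToRawData ([sec+14]) to its VirtualAddress ([sec+C]) for SizeOfRawData ([sec+10]) bytes, skipping sections whose PointerToRawData is zero exactly as the stub's `test edx,edx / je` does. It generalizes the listing, which shows only the first section, to a loop over all sections. The function and constant names (`build_sample_pe`, `pe_info`, `map_image`, `_u32`, the sample section layout) and the bounds check are this example's own assumptions; the sample PE is constructed in the code and is not a real binary.

```python
# Added example (not from the tutorial or CI Crypt): re-implements in Python the
# mapping the stub performs at 005713F5..0057142D on a constructed PE32 image.
import struct

SIZE_OF_HEADERS = 0x400      # same value as ecx=00000400 in the stub's first rep movsb
SIZE_OF_IMAGE = 0x4000
IMAGE_BASE = 0x00400000


def build_sample_pe():
    """Construct a minimal PE32 file (sample input, not a real binary) with 3 sections."""
    sections = [
        # (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
        (b".text", 0x200, 0x1000, 0x200, 0x400),
        (b".data", 0x100, 0x2000, 0x100, 0x600),
        (b".bss",  0x100, 0x3000, 0x000, 0x000),   # no raw data: the stub skips it
    ]
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Signature + IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_header = struct.pack("<IHHIIIHH", 0x00004550, 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)                               # PE32 optional header
    struct.pack_into("<H", opt, 0x00, 0x10B)            # Magic
    struct.pack_into("<I", opt, 0x1C, IMAGE_BASE)
    struct.pack_into("<I", opt, 0x20, 0x1000)           # SectionAlignment
    struct.pack_into("<I", opt, 0x24, 0x200)            # FileAlignment
    struct.pack_into("<I", opt, 0x38, SIZE_OF_IMAGE)
    struct.pack_into("<I", opt, 0x3C, SIZE_OF_HEADERS)
    sec_table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, va, rawsz, rawptr, 0, 0, 0, 0, 0)
        for name, vsize, va, rawsz, rawptr in sections)
    headers = (bytes(dos) + file_header + bytes(opt) + sec_table).ljust(SIZE_OF_HEADERS, b"\0")
    text_raw = bytes([0x56]) * 0x200                    # 'V' bytes, like ds:[esi] in the stub's second copy
    data_raw = bytes(range(0x100))
    return headers + text_raw + data_raw


def _u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def pe_info(file_image):
    """Read the fields LordPE shows and the stub dereferences, at the same offsets."""
    nt = _u32(file_image, 0x3C)                          # e_lfanew: add ecx,[esi+3C]
    if file_image[:2] != b"MZ" or file_image[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    return {
        "e_lfanew": nt,
        "NumberOfSections": file_image[nt + 6],          # movzx eax,byte [eax+6] (stub reads the low byte only)
        "SizeOfHeaders": _u32(file_image, nt + 0x54),    # mov ecx,[ecx+54]
        "ImageBase": _u32(file_image, nt + 0x18 + 0x1C),
        "SizeOfImage": _u32(file_image, nt + 0x18 + 0x38),
    }


def map_image(file_image):
    """Lay the file out in memory the way the stub does after VirtualAlloc."""
    info = pe_info(file_image)
    image = bytearray(info["SizeOfImage"])               # stands in for the VirtualAlloc'd block at 00400000
    hdr = info["SizeOfHeaders"]
    image[:hdr] = file_image[:hdr]                       # rep movsb: PE headers to the new base
    sec = info["e_lfanew"] + 0xF8                        # add esi,0F8: first IMAGE_SECTION_HEADER
    for _ in range(info["NumberOfSections"]):            # the listing shows only the first iteration
        va, raw_size, raw_ptr = struct.unpack_from("<III", file_image, sec + 0x0C)  # [edi+C],[edi+10],[edi+14]
        if raw_ptr:                                      # test edx,edx / je: nothing to copy for .bss-style sections
            # bounds check is this example's addition; the stub trusts its own headers
            if raw_ptr + raw_size > len(file_image) or va + raw_size > len(image):
                raise ValueError("section %#x out of bounds" % va)
            image[va:va + raw_size] = file_image[raw_ptr:raw_ptr + raw_size]   # rep movsb
        sec += 0x28                                      # sizeof(IMAGE_SECTION_HEADER)
    return bytes(image)


if __name__ == "__main__":
    pe = build_sample_pe()
    for k, v in pe_info(pe).items():
        print("%-17s %08X" % (k, v))
    img = map_image(pe)
    print("mapped %#x bytes; .text at RVA 1000 starts with %02X" % (len(img), img[0x1000]))
```

When you dump the unpacked program from OllyDbg later, it is exactly this mapped layout (headers at the base, each section at its RVA) that lives at 00400000, which is why the dump's section table still describes the original file.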