Unpacking a certain Armadillo-protected program
The main program is packed with an Armadillo version later than 3.7,
using Armadillo's double process + CC + IAT transformation + timing check, so the unpacking is done in two parts:
Part 1: obtaining the code, obtaining the OEP, and repairing the IAT
1. Converting the double process to a single process
For the double-process to single-process conversion I again use an OllyScript script, as follows:
;================================
/*
OllyScript that automates the double-process to single-process conversion for Armadillo 3.75 and later
For OllyScript 0.92; do not tick the "Ignore exceptions in the following range" option in OD's exception settings
by fxyang
*/
dbh //hide OD
var address
gpa "OpenMutexA","kernel32.dll"
bp $RESULT
run
eoe code_1
code_1:
mov address,eip //record the address of the first PREFIX LOCK: exception
esto
lbl3:
cmp eip,address //step over the exceptions automatically
ja begin
esto
begin:
exec
PUSHAD
PUSH EDX
push 0
push 0
CALL kernel32.CreateMutexA
POPAD
jmp kernel32.OpenMutexA
ende
//the code above performs the double-process to single-process conversion from inside the script
bc $RESULT
lbl4:
gpa "VirtualProtect","kernel32.dll"
bp $RESULT //break on VirtualProtect
esto
// continue after the break
esto
esto
esto
esto
rtr
sto
rtr
sto
sto
sto
sto
sto
sto
sto
sto
sti
sti
pause
//after the code above the program stops inside the packer's own code
;==========================
The program stops here:
00DEF065 PUSH EBP
00DEF066 MOV EBP,ESP
00DEF068 PUSH EBX
00DEF069 MOV EBX,DWORD PTR SS:[EBP+8]
00DEF06C PUSH ESI
00DEF06D MOV ESI,DWORD PTR SS:[EBP+C]
00DEF070 PUSH EDI
00DEF071 MOV EDI,DWORD PTR SS:[EBP+10]
00DEF074 TEST ESI,ESI
00DEF076 JNZ SHORT 00DEF081
00DEF078 CMP DWORD PTR DS:[E01AB4],0
00DEF07F JMP SHORT 00DEF0A7
2. Changing the address where the IAT is stored
Because the packer stores the IAT in a temporarily allocated buffer, it has to be moved into a section that is visible in the program.
Press Ctrl+S to open the search-for-command-sequence window and enter:
PUSH EBP
MOV EBP,ESP
PUSH ECX
PUSH EBX
XOR EBX,EBX
This is the signature code of the section; the first anti-debug check to find lies in this code block. The search lands at:
00DEBE33 PUSH EBP
00DEBE34 MOV EBP,ESP
00DEBE36 PUSH ECX
00DEBE37 PUSH EBX
00DEBE38 XOR EBX,EBX //signature code
00DEBE3A CMP BYTE PTR DS:[DFFFFD],BL
00DEBE40 PUSH ESI
00DEBE41 PUSH EDI
00DEBE42 JNZ SHORT 00DEBE5E
00DEBE44 CMP BYTE PTR DS:[DFFC19],BL
00DEBE4A JNZ SHORT 00DEBE5E
00DEBE4C CALL 00DC7591
00DEBE51 TEST EAX,EAX
00DEBE53 JE SHORT 00DEBE5E
00DEBE55 CALL 00DC82D5
00DEBE5A TEST AL,AL
//the anti check; the cursor stops here, press F4 to get here, then change AL to 1
00DEBE5C JE SHORT 00DEBE65
00DEBE5E XOR AL,AL
00DEBE60 JMP 00DEBF91
Now the manual work begins. Run with F8:
00DE45CC MOV EAX,C80F9D61
00DE45D1 NOT ECX
00DE45D3 BSWAP EAX
00DE45D5 NOT ECX
00DE45D7 PUSH DWORD PTR DS:[DF0498] ; USER32.SetTimer <--note
00DE45DD CALL 00DEA2E1
00DE45E2 POP ECX
00DE45E3 MOVZX EAX,AL
00DE45E6 MOV DWORD PTR SS:[EBP-134],EAX
00DE45EC PUSH ECX
00DE45ED BSWAP ECX
00DE45EF NOT ECX
00DE45F1 PUSH EAX
00DE45F2 NOT EAX
00DE45F4 MOV EAX,6C65696D
00DE45F9 XCHG EAX,ECX
Continue with F8 to the first code-decoding routine:
00DE4A21 >CALL 00DC14AC
00DE4A26 >ADD ESP,10
00DE4A29 >MOV EAX,DWORD PTR DS:[DFFA1C]
00DE4A2E >MOV DWORD PTR SS:[EBP-399C],EAX
00DE4A34 >CMP DWORD PTR SS:[EBP-399C],0
00DE4A3B >JE SHORT 00DE4A73
00DE4A3D >MOV EAX,DWORD PTR SS:[EBP-399C]
00DE4A43 >CMP DWORD PTR DS:[EAX],0
00DE4A46 >JE SHORT 00DE4A73
00DE4A48 >MOV EAX,DWORD PTR SS:[EBP-399C]
00DE4A4E >MOV EAX,DWORD PTR DS:[EAX]
00DE4A50 >MOV EAX,DWORD PTR DS:[EAX]
00DE4A52 >ADD EAX,DWORD PTR DS:[E004F0]
00DE4A58 >MOV ECX,DWORD PTR SS:[EBP-399C]
00DE4A5E >MOV ECX,DWORD PTR DS:[ECX]
00DE4A60 >MOV DWORD PTR DS:[ECX],EAX
00DE4A62 >MOV EAX,DWORD PTR SS:[EBP-399C]
00DE4A68 >ADD EAX,4
00DE4A6B >MOV DWORD PTR SS:[EBP-399C],EAX
00DE4A71 ^>JMP SHORT 00DE4A3D
00DE4A73 >XCHG EAX,ESI //ends here, F4 to here
00DE4A74 >XCHG CX,CX
00DE4A77 >XCHG EAX,ESI
00DE4A78 >INS DWORD PTR ES:[EDI],DX ; I/O command
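As an added illustration (not code from the original post), here is the pointer-fixup loop at 00DE4A29..00DE4A71 modelled in Python. The packer keeps a null-terminated table of addresses (its start is read from [DFFA1C]); every entry points at a dword, and the delta stored at [E004F0] is added to that dword. The same loop recurs four more times later in this write-up with a different table pointer each time, so one model covers all of them. The memory layout, addresses and values built in demo() are constructed for the demonstration and are not taken from the target.

```python
import struct


class Memory:
    """Flat 32-bit memory image backed by a bytearray (little-endian dwords).
    Constructed stand-in for the debuggee's address space."""

    def __init__(self, base, size):
        self.base = base
        self.buf = bytearray(size)

    def read_dword(self, addr):
        return struct.unpack_from("<I", self.buf, addr - self.base)[0]

    def write_dword(self, addr, value):
        struct.pack_into("<I", self.buf, addr - self.base, value & 0xFFFFFFFF)


def fixup_table(mem, table_ptr_addr, delta_addr):
    """Model of 00DE4A29..00DE4A71: walk the table whose start is stored at
    table_ptr_addr (the role of [DFFA1C]); for every non-zero entry p, add the
    delta stored at delta_addr (the role of [E004F0]) to the dword at p.
    Returns the number of entries fixed up."""
    cursor = mem.read_dword(table_ptr_addr)        # MOV EAX,[DFFA1C]
    if cursor == 0:                                 # CMP [EBP-399C],0 / JE exit
        return 0
    delta = mem.read_dword(delta_addr)
    fixed = 0
    while True:
        target = mem.read_dword(cursor)             # MOV EAX,[EAX]
        if target == 0:                             # CMP [EAX],0 / JE exit
            break
        value = mem.read_dword(target)              # MOV EAX,[EAX]
        mem.write_dword(target, value + delta)      # ADD EAX,[E004F0]; MOV [ECX],EAX
        cursor += 4                                 # ADD EAX,4
        fixed += 1
    return fixed


def demo():
    """Constructed layout: a pointer to the table, a delta, a three-entry
    table, and three dwords holding RVAs that become VAs after the fixup."""
    mem = Memory(0x00400000, 0x1000)
    TABLE_PTR = 0x00400000   # stand-in for [DFFA1C]
    DELTA = 0x00400004       # stand-in for [E004F0]
    TABLE = 0x00400100
    mem.write_dword(TABLE_PTR, TABLE)
    mem.write_dword(DELTA, 0x00400000)              # e.g. image base added to RVAs
    targets = [0x00400200, 0x00400204, 0x00400208]
    for i, t in enumerate(targets):
        mem.write_dword(TABLE + 4 * i, t)
        mem.write_dword(t, 0x1000 * (i + 1))        # RVA stored in the "code"
    mem.write_dword(TABLE + 4 * len(targets), 0)    # terminator
    n = fixup_table(mem, TABLE_PTR, DELTA)
    return n, [mem.read_dword(t) for t in targets]


if __name__ == "__main__":
    print(demo())
```

Each of the five decode loops on this page differs only in the table pointer it starts from ([DFFA1C], [DFFA20], [DFFA24], [DFFA2C], [DFFA30], [DFFA34]) and the stack slot it uses as cursor; the body is identical, which is why the "F4 to the end" approach works the same way every time.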
Continue with F8 to the code that allocates the temporary buffer; this version no longer uses the original VirtualAlloc function:
00DE5209 MOV DWORD PTR DS:[DF68CC],0DF7454 ; ASCII "B4"
00DE5213 MOV EAX,DWORD PTR DS:[E00030]
00DE5218 MOV EAX,DWORD PTR DS:[EAX]
00DE521A MOV DWORD PTR SS:[EBP-3924],EAX
00DE5220 MOV EAX,DWORD PTR DS:[E00030]
00DE5225 ADD EAX,4
00DE5228 MOV DWORD PTR DS:[E00030],EAX
00DE522D CALL 00DEB11B
00DE5232 XOR ECX,ECX
00DE5234 TEST EAX,EAX
00DE5236 SETNE CL
00DE5239 INC ECX
00DE523A MOV EAX,DWORD PTR DS:[E00030]
00DE523F MOV EAX,DWORD PTR DS:[EAX]
00DE5241 XOR EDX,EDX
00DE5243 DIV ECX
00DE5245 MOV DWORD PTR SS:[EBP-37C8],EAX
00DE524B MOV EAX,DWORD PTR DS:[E00030]
00DE5250 ADD EAX,4
00DE5253 MOV DWORD PTR DS:[E00030],EAX
00DE5258 MOV EAX,DWORD PTR SS:[EBP-37C8]
00DE525E SHL EAX,2
00DE5261 PUSH EAX
00DE5262 CALL 00DEEF08 ; JMP to msvcrt.??2@YAPAXI@Z //allocation function
00DE5267 POP ECX
00DE5268 MOV DWORD PTR SS:[EBP+FFFFAFE8],EAX <--return value; change this value
00DE526E MOV EAX,DWORD PTR SS:[EBP+FFFFAFE8]
00DE5274 MOV DWORD PTR SS:[EBP-3928],EAX
00DE527A MOV EAX,DWORD PTR DS:[E00028]
00DE527F MOV EAX,DWORD PTR DS:[EAX+78]
00DE5282 MOV DWORD PTR SS:[EBP+FFFFAE28],EAX
00DE5288 MOV EAX,DWORD PTR SS:[EBP+FFFFAE28]
00DE528E MOV DWORD PTR SS:[EBP-39F8],EAX
00DE5294 AND DWORD PTR SS:[EBP-39FC],0
00DE529B JMP SHORT 00DE52AA
Change the allocation's return value to EAX = 00646000, the packer's first code section, because the packer no longer uses that section while running.
Next comes the computation of the first IAT encryption table:
00DE529D MOV EAX,DWORD PTR SS:[EBP-39FC]
00DE52A3 INC EAX
00DE52A4 MOV DWORD PTR SS:[EBP-39FC],EAX
00DE52AA MOV EAX,DWORD PTR SS:[EBP-39FC]
00DE52B0 CMP EAX,DWORD PTR SS:[EBP-37C8]
00DE52B6 JNB 00DE5379
00DE52BC MOV DWORD PTR SS:[EBP+FFFFAE14],14
00DE52C6 PUSH 1DF5E0D
00DE52CB PUSH DWORD PTR SS:[EBP-39F8]
00DE52D1 LEA ECX,DWORD PTR SS:[EBP-39F8]
00DE52D7 CALL 00DC1071
00DE52DC INC EAX
00DE52DD XOR EDX,EDX
00DE52DF MOV ECX,5F5E100
00DE52E4 DIV ECX
00DE52E6 MOV DWORD PTR SS:[EBP-39F8],EDX
00DE52EC MOV DWORD PTR SS:[EBP+FFFFAE00],100
00DE52F6 PUSH 1DF5E0D
00DE52FB PUSH DWORD PTR SS:[EBP-39F8]
00DE5301 LEA ECX,DWORD PTR SS:[EBP-39F8]
00DE5307 CALL 00DC1071
00DE530C INC EAX
00DE530D XOR EDX,EDX
00DE530F MOV ECX,5F5E100
00DE5314 DIV ECX
00DE5316 MOV DWORD PTR SS:[EBP-39F8],EDX
00DE531C MOV EAX,DWORD PTR SS:[EBP-39F8]
00DE5322 XOR EDX,EDX
00DE5324 MOV ECX,2710
00DE5329 DIV ECX
00DE532B IMUL EAX,DWORD PTR SS:[EBP+FFFFAE14]
00DE5332 XOR EDX,EDX
00DE5334 MOV ECX,2710
00DE5339 DIV ECX
00DE533B MOV ECX,EAX
00DE533D MOV EAX,DWORD PTR SS:[EBP-39F8]
00DE5343 XOR EDX,EDX
00DE5345 MOV ESI,2710
00DE534A DIV ESI
00DE534C IMUL EAX,DWORD PTR SS:[EBP+FFFFAE00]
00DE5353 XOR EDX,EDX
00DE5355 MOV ESI,2710
00DE535A DIV ESI
00DE535C MOV ECX,DWORD PTR SS:[EBP+ECX*4-3978]
00DE5363 ADD ECX,EAX
00DE5365 MOV EAX,DWORD PTR SS:[EBP-39FC]
00DE536B MOV EDX,DWORD PTR SS:[EBP-3928]
00DE5371 MOV DWORD PTR DS:[EDX+EAX*4],ECX //the value is stored at the address modified above
00DE5374 JMP 00DE529D
00DE5379 MOV EAX,DWORD PTR DS:[E00030] //this is the exit, F4 to here
This table is probably related to the later IAT encryption; perhaps the IAT encryption could be broken open from here, but I did not understand it.
3. Obtaining the program code
Continue running with F8 to the second code-decoding routine:
00DE5963 CALL 00DC14AC
00DE5968 ADD ESP,10
00DE596B MOV EAX,DWORD PTR DS:[DFFA20]
00DE5970 MOV DWORD PTR SS:[EBP-3A34],EAX
00DE5976 CMP DWORD PTR SS:[EBP-3A34],0
00DE597D JE SHORT 00DE59B5
00DE597F MOV EAX,DWORD PTR SS:[EBP-3A34]
00DE5985 CMP DWORD PTR DS:[EAX],0
00DE5988 JE SHORT 00DE59B5
00DE598A MOV EAX,DWORD PTR SS:[EBP-3A34]
00DE5990 MOV EAX,DWORD PTR DS:[EAX]
00DE5992 MOV EAX,DWORD PTR DS:[EAX]
00DE5994 ADD EAX,DWORD PTR DS:[E004F0]
00DE599A MOV ECX,DWORD PTR SS:[EBP-3A34]
00DE59A0 MOV ECX,DWORD PTR DS:[ECX]
00DE59A2 MOV DWORD PTR DS:[ECX],EAX
00DE59A4 MOV EAX,DWORD PTR SS:[EBP-3A34]
00DE59AA ADD EAX,4
00DE59AD MOV DWORD PTR SS:[EBP-3A34],EAX
00DE59B3 JMP SHORT 00DE597F
00DE59B5 XCHG EAX,EDI //ends here, F4 to here
00DE59B6 XCHG CX,CX
00DE59B9 XCHG EAX,EDI
00DE59BA OR ESI,DWORD PTR DS:[ECX+EBX*2]
Continue with F8 to here:
00DE5A9F MOV EAX,DWORD PTR SS:[EBP-3A48]
00DE5AA5 AND EAX,7FFFFFFF
00DE5AAA MOV ECX,DWORD PTR SS:[EBP-3910]
00DE5AB0 ADD EAX,DWORD PTR DS:[ECX+88]
00DE5AB6 MOV DWORD PTR SS:[EBP-3A48],EAX
00DE5ABC MOV EAX,DWORD PTR DS:[E00030]
00DE5AC1 MOV EAX,DWORD PTR DS:[EAX]
00DE5AC3 XOR EAX,DWORD PTR DS:[E00034]
00DE5AC9 MOV DWORD PTR SS:[EBP-3A44],EAX
00DE5ACF MOV EAX,DWORD PTR DS:[E00030]
00DE5AD4 ADD EAX,4
00DE5AD7 MOV DWORD PTR DS:[E00030],EAX
00DE5ADC MOV EAX,DWORD PTR SS:[EBP-3A44]
00DE5AE2 ADD EAX,10000 ; UNICODE "=::=::\"
00DE5AE7 PUSH EAX
00DE5AE8 CALL 00DEEF08 ; JMP to msvcrt.??2@YAPAXI@Z
00DE5AED POP ECX
00DE5AEE MOV DWORD PTR SS:[EBP+FFFFAFDC],EAX
00DE5AF4 MOV EAX,DWORD PTR SS:[EBP+FFFFAFDC]
00DE5AFA MOV DWORD PTR SS:[EBP-3A40],EAX
00DE5B00 MOV EAX,DWORD PTR SS:[EBP-3A40]
00DE5B06 MOV DWORD PTR SS:[EBP-3A38],EAX
00DE5B0C MOV EAX,DWORD PTR SS:[EBP-3A44]
00DE5B12 ADD EAX,10000 ; UNICODE "=::=::\"
00DE5B17 PUSH EAX
00DE5B18 PUSH 0
00DE5B1A PUSH DWORD PTR SS:[EBP-3A40]
00DE5B20 CALL 00DEEF14 ; JMP to msvcrt.memset
00DE5B25 ADD ESP,0C
00DE5B28 PUSH 1
00DE5B2A POP EAX
00DE5B2B TEST EAX,EAX
00DE5B2D JE 00DE5BBC
The code above first allocates a buffer, then prepares that buffer for the code that decodes the program.
Continue with F8 to the restoration of the program's code section:
00DE5F3D LEA EAX,DWORD PTR SS:[EBP-3A4C]
00DE5F43 PUSH EAX
00DE5F44 PUSH 4
00DE5F46 PUSH DWORD PTR SS:[EBP-3A44]
00DE5F4C MOV EAX,DWORD PTR SS:[EBP-3900]
00DE5F52 ADD EAX,DWORD PTR SS:[EBP-3A48]
00DE5F58 PUSH EAX
00DE5F59 CALL DWORD PTR DS:[DF0148] ; kernel32.VirtualProtect
00DE5F5F PUSH DWORD PTR SS:[EBP-3A44]
00DE5F65 PUSH DWORD PTR SS:[EBP-3A40]
00DE5F6B MOV EAX,DWORD PTR SS:[EBP-3900]
00DE5F71 ADD EAX,DWORD PTR SS:[EBP-3A48]
00DE5F77 PUSH EAX
00DE5F78 CALL 00DEEF02 ; JMP to msvcrt.memcpy
00DE5F7D ADD ESP,0C //memory data copy
00DE5F80 LEA EAX,DWORD PTR SS:[EBP-3A4C]
00DE5F86 PUSH EAX
00DE5F87 PUSH DWORD PTR SS:[EBP-3A4C]
00DE5F8D PUSH DWORD PTR SS:[EBP-3A44]
00DE5F93 MOV EAX,DWORD PTR SS:[EBP-3900]
00DE5F99 ADD EAX,DWORD PTR SS:[EBP-3A48]
00DE5F9F PUSH EAX
00DE5FA0 CALL DWORD PTR DS:[DF0148] ; kernel32.VirtualProtect
00DE5FA6 MOV EAX,DWORD PTR SS:[EBP-3A40]
00DE5FAC MOV DWORD PTR SS:[EBP+FFFFAFD8],EAX
00DE5FB2 PUSH DWORD PTR SS:[EBP+FFFFAFD8]
00DE5FB8 CALL 00DEEEFC ; JMP to msvcrt.??3@YAXPAX@Z
00DE5FBD POP ECX
00DE5FBE JMP 00DE5A57
As you can see, the packer repeatedly changes the attributes of each of the program's sections and then copies data; this loop is what decodes the program.
5. Restoring the IAT
After the decoding above completes we arrive here:
00DE5FC3 AND DWORD PTR DS:[E00034],0
00DE5FCA CMP DWORD PTR SS:[EBP-379C],0
00DE5FD1 JE SHORT 00DE6006
Continue with F8 to the third code-decoding routine:
00DE637D CALL 00DC14AC
00DE6382 ADD ESP,10
00DE6385 MOV EAX,DWORD PTR DS:[DFFA24]
00DE638A MOV DWORD PTR SS:[EBP-3AA0],EAX
00DE6390 CMP DWORD PTR SS:[EBP-3AA0],0
00DE6397 JE SHORT 00DE63CF
00DE6399 MOV EAX,DWORD PTR SS:[EBP-3AA0]
00DE639F CMP DWORD PTR DS:[EAX],0
00DE63A2 JE SHORT 00DE63CF
00DE63A4 MOV EAX,DWORD PTR SS:[EBP-3AA0]
00DE63AA MOV EAX,DWORD PTR DS:[EAX]
00DE63AC MOV EAX,DWORD PTR DS:[EAX]
00DE63AE ADD EAX,DWORD PTR DS:[E004F0]
00DE63B4 MOV ECX,DWORD PTR SS:[EBP-3AA0]
00DE63BA MOV ECX,DWORD PTR DS:[ECX]
00DE63BC MOV DWORD PTR DS:[ECX],EAX
00DE63BE MOV EAX,DWORD PTR SS:[EBP-3AA0]
00DE63C4 ADD EAX,4
00DE63C7 MOV DWORD PTR SS:[EBP-3AA0],EAX
00DE63CD JMP SHORT 00DE6399
00DE63CF PUSH EDI //ends here, F4 to here
00DE63D0 XCHG BX,BX
00DE63D3 POP EDI
Continue with F8 to here:
00DE68DC CALL 00DC14AC
00DE68E1 ADD ESP,10
00DE68E4 MOV EAX,DWORD PTR DS:[DFFA2C]
00DE68E9 MOV DWORD PTR SS:[EBP-3B64],EAX
00DE68EF CMP DWORD PTR SS:[EBP-3B64],0
00DE68F6 JE SHORT 00DE692E
00DE68F8 MOV EAX,DWORD PTR SS:[EBP-3B64]
00DE68FE CMP DWORD PTR DS:[EAX],0
00DE6901 JE SHORT 00DE692E
00DE6903 MOV EAX,DWORD PTR SS:[EBP-3B64]
00DE6909 MOV EAX,DWORD PTR DS:[EAX]
00DE690B MOV EAX,DWORD PTR DS:[EAX]
00DE690D ADD EAX,DWORD PTR DS:[E004F0]
00DE6913 MOV ECX,DWORD PTR SS:[EBP-3B64]
00DE6919 MOV ECX,DWORD PTR DS:[ECX]
00DE691B MOV DWORD PTR DS:[ECX],EAX
00DE691D MOV EAX,DWORD PTR SS:[EBP-3B64]
00DE6923 ADD EAX,4
00DE6926 MOV DWORD PTR SS:[EBP-3B64],EAX
00DE692C JMP SHORT 00DE68F8
00DE692E XCHG AX,CX //ends here, F4 to here
00DE6930 NOP
00DE6931 XCHG AX,CX
Processing of the IAT begins; note:
00DE6B32 PUSH DWORD PTR SS:[EBP-3B70]
00DE6B38 CALL 00DC9950
00DE6B3D POP ECX
00DE6B3E AND DWORD PTR SS:[EBP-3B74],0
00DE6B45 PUSH 0
00DE6B47 CALL DWORD PTR DS:[DF00D4] ; kernel32.GetModuleHandleA
00DE6B4D CMP DWORD PTR SS:[EBP-3B70],EAX //you can set a breakpoint on the function above to get here
00DE6B53 JNZ SHORT 00DE6B64
00DE6B55 MOV DWORD PTR SS:[EBP-3B74],0DF5180
00DE6B5F JMP 00DE6C28
00DE6B64 AND DWORD PTR SS:[EBP-3D98],0
00DE6B6B MOV DWORD PTR SS:[EBP-3D9C],0DF57C0
00DE6B75 JMP SHORT 00DE6B93
00DE6B77 MOV EAX,DWORD PTR SS:[EBP-3D9C]
00DE6B7D ADD EAX,0C
00DE6B80 MOV DWORD PTR SS:[EBP-3D9C],EAX
00DE6B86 MOV EAX,DWORD PTR SS:[EBP-3D98]
00DE6B8C INC EAX
00DE6B8D MOV DWORD PTR SS:[EBP-3D98],EAX
00DE6B93 MOV EAX,DWORD PTR SS:[EBP-3D9C]
00DE6B99 CMP DWORD PTR DS:[EAX],0 <--this is the Magic jmp
00DE6B9C JE 00DE6C28 //change to JMP 00DE6C28
00DE6BA2 MOV EAX,DWORD PTR SS:[EBP-3D9C]
00DE6BA8 MOV EAX,DWORD PTR DS:[EAX+8]
00DE6BAB AND EAX,1
00DE6BAE TEST EAX,EAX
00DE6BB0 JE SHORT 00DE6BD7
Decoding the IAT:
00DE6D62 AND DWORD PTR SS:[EBP-3B68],0
00DE6D69 CALL DWORD PTR DS:[DF029C] ; kernel32.GetTickCount
00DE6D6F MOV DWORD PTR SS:[EBP-3B6C],EAX //timing check begins
00DE6D75 PUSH 1
00DE6D77 POP EAX
00DE6D78 TEST EAX,EAX
00DE6D7A JE 00DE70A7
00DE6D80 AND WORD PTR SS:[EBP-3DA4],0
00DE6D88 AND DWORD PTR SS:[EBP-3DAC],0
00DE6D8F AND DWORD PTR SS:[EBP-3DA8],0
00DE6D96 MOV EAX,DWORD PTR SS:[EBP-3790]
00DE6D9C MOVSX EAX,BYTE PTR DS:[EAX]
00DE6D9F TEST EAX,EAX
00DE6DA1 JNZ SHORT 00DE6DE7
00DE6DA3 LEA ECX,DWORD PTR SS:[EBP-37D4]
00DE6DA9 CALL 00DC1040
00DE6DAE MOVZX EAX,AL
00DE6DB1 CDQ
00DE6DB2 PUSH 14
00DE6DB4 POP ECX
00DE6DB5 IDIV ECX
00DE6DB7 MOV EAX,DWORD PTR SS:[EBP-37FC]
00DE6DBD MOV ECX,DWORD PTR SS:[EBP+EDX*4-3978] //module-boundary encryption; change to XOR ECX,ECX
00DE6DC4 MOV DWORD PTR DS:[EAX],ECX
00DE6DC6 MOV EAX,DWORD PTR SS:[EBP-37FC]
00DE6DCC ADD EAX,4
00DE6DCF MOV DWORD PTR SS:[EBP-37FC],EAX
00DE6DD5 MOV EAX,DWORD PTR SS:[EBP-3790]
00DE6DDB INC EAX
00DE6DDC MOV DWORD PTR SS:[EBP-3790],EAX
00DE6DE2 JMP 00DE70A7
00DE6DE7 MOV EAX,DWORD PTR SS:[EBP-3790]
00DE6DED MOVZX EAX,BYTE PTR DS:[EAX]
00DE6DF0 CMP EAX,0FF
00DE6DF5 JNZ 00DE6E92
00DE6DFB MOV EAX,DWORD PTR SS:[EBP-3790]
00DE6E01 INC EAX
00DE6E02 MOV DWORD PTR SS:[EBP-3790],EAX
00DE6E08 MOV EAX,DWORD PTR SS:[EBP-3790]
00DE6E0E MOV AX,WORD PTR DS:[EAX]
00DE6E11 MOV WORD PTR SS:[EBP-3DA4],AX
00DE6E18 MOV EAX,DWORD PTR SS:[EBP-3790]
00DE6E1E INC EAX
00DE6E1F INC EAX
00DE6E20 MOV DWORD PTR SS:[EBP-3790],EAX
00DE6E26 CMP DWORD PTR SS:[EBP-3B74],0
00DE6E2D JE SHORT 00DE6E80
00DE6E2F MOV EAX,DWORD PTR SS:[EBP-3B74]
00DE6E35 MOV DWORD PTR SS:[EBP-3DB0],EAX
00DE6E3B JMP SHORT 00DE6E4C
00DE6E3D MOV EAX,DWORD PTR SS:[EBP-3DB0]
00DE6E43 ADD EAX,0C
00DE6E46 MOV DWORD PTR SS:[EBP-3DB0],EAX
00DE6E4C MOV EAX,DWORD PTR SS:[EBP-3DB0]
00DE6E52 CMP DWORD PTR DS:[EAX+8],0
00DE6E56 JE SHORT 00DE6E80
00DE6E58 MOVZX EAX,WORD PTR SS:[EBP-3DA4]
00DE6E5F MOV ECX,DWORD PTR SS:[EBP-3DB0]
00DE6E65 MOVZX ECX,WORD PTR DS:[ECX+4]
00DE6E69 CMP EAX,ECX
00DE6E6B JNZ SHORT 00DE6E7E
00DE6E6D MOV EAX,DWORD PTR SS:[EBP-3DB0]
00DE6E73 MOV EAX,DWORD PTR DS:[EAX+8]
00DE6E76 MOV DWORD PTR SS:[EBP-3DA8],EAX
00DE6E7C JMP SHORT 00DE6E80
00DE6E7E JMP SHORT 00DE6E3D
00DE6E80 MOV EAX,DWORD PTR SS:[EBP-3B68]
00DE6E86 INC EAX
00DE6E87 MOV DWORD PTR SS:[EBP-3B68],EAX
00DE6E8D JMP 00DE6F3C
00DE6E92 MOV EAX,DWORD PTR SS:[EBP-3790]
00DE6E98 MOV DWORD PTR SS:[EBP-3DAC],EAX
00DE6E9E PUSH 0
00DE6EA0 PUSH DWORD PTR SS:[EBP-3790]
00DE6EA6 CALL DWORD PTR DS:[DF02F0] ; msvcrt.strchr
00DE6EAC POP ECX
00DE6EAD POP ECX
00DE6EAE INC EAX
00DE6EAF MOV DWORD PTR SS:[EBP-3790],EAX
00DE6EB5 CMP DWORD PTR SS:[EBP-3B74],0
00DE6EBC JE SHORT 00DE6F2F
00DE6EBE MOV EAX,DWORD PTR SS:[EBP-3B74]
00DE6EC4 MOV DWORD PTR SS:[EBP-3DB4],EAX
00DE6ECA JMP SHORT 00DE6EDB
00DE6ECC MOV EAX,DWORD PTR SS:[EBP-3DB4]
00DE6ED2 ADD EAX,0C
00DE6ED5 MOV DWORD PTR SS:[EBP-3DB4],EAX
00DE6EDB MOV EAX,DWORD PTR SS:[EBP-3DB4]
00DE6EE1 CMP DWORD PTR DS:[EAX+8],0
00DE6EE5 JE SHORT 00DE6F2F
00DE6EE7 PUSH 100
00DE6EEC LEA EAX,DWORD PTR SS:[EBP-3EB4]
00DE6EF2 PUSH EAX
00DE6EF3 MOV EAX,DWORD PTR SS:[EBP-3DB4]
00DE6EF9 PUSH DWORD PTR DS:[EAX]
00DE6EFB CALL 00DC8092
00DE6F00 ADD ESP,0C
00DE6F03 LEA EAX,DWORD PTR SS:[EBP-3EB4]
00DE6F09 PUSH EAX
00DE6F0A PUSH DWORD PTR SS:[EBP-3DAC]
00DE6F10 CALL DWORD PTR DS:[DF035C] ; msvcrt._stricmp
00DE6F16 POP ECX
00DE6F17 POP ECX
00DE6F18 TEST EAX,EAX
00DE6F1A JNZ SHORT 00DE6F2D
00DE6F1C MOV EAX,DWORD PTR SS:[EBP-3DB4]
00DE6F22 MOV EAX,DWORD PTR DS:[EAX+8]
00DE6F25 MOV DWORD PTR SS:[EBP-3DA8],EAX
00DE6F2B JMP SHORT 00DE6F2F
00DE6F2D JMP SHORT 00DE6ECC
00DE6F2F MOV EAX,DWORD PTR SS:[EBP-3B68]
00DE6F35 INC EAX
00DE6F36 MOV DWORD PTR SS:[EBP-3B68],EAX
00DE6F3C CMP DWORD PTR SS:[EBP-3DA8],0
00DE6F43 JNZ SHORT 00DE6F87
00DE6F45 MOVZX EAX,WORD PTR SS:[EBP-3DA4]
00DE6F4C TEST EAX,EAX
00DE6F4E JE SHORT 00DE6F5F
00DE6F50 MOVZX EAX,WORD PTR SS:[EBP-3DA4]
00DE6F57 MOV DWORD PTR SS:[EBP+FFFFAD5C],EAX
00DE6F5D JMP SHORT 00DE6F6B
00DE6F5F MOV EAX,DWORD PTR SS:[EBP-3DAC]
00DE6F65 MOV DWORD PTR SS:[EBP+FFFFAD5C],EAX
00DE6F6B PUSH 1
00DE6F6D PUSH DWORD PTR SS:[EBP+FFFFAD5C]
00DE6F73 PUSH DWORD PTR SS:[EBP-3B70]
00DE6F79 CALL 00DCA113
00DE6F7E ADD ESP,0C
00DE6F81 MOV DWORD PTR SS:[EBP-3DA8],EAX
00DE6F87 CMP DWORD PTR SS:[EBP-3DA8],0
00DE6F8E JNZ SHORT 00DE6FD2
00DE6F90 MOVZX EAX,WORD PTR SS:[EBP-3DA4]
00DE6F97 TEST EAX,EAX
00DE6F99 JE SHORT 00DE6FAA
00DE6F9B MOVZX EAX,WORD PTR SS:[EBP-3DA4]
00DE6FA2 MOV DWORD PTR SS:[EBP+FFFFAD58],EAX
00DE6FA8 JMP SHORT 00DE6FB6
00DE6FAA MOV EAX,DWORD PTR SS:[EBP-3DAC]
00DE6FB0 MOV DWORD PTR SS:[EBP+FFFFAD58],EAX
00DE6FB6 PUSH 0
00DE6FB8 PUSH DWORD PTR SS:[EBP+FFFFAD58]
00DE6FBE PUSH DWORD PTR SS:[EBP-3B70]
00DE6FC4 CALL 00DCA113
00DE6FC9 ADD ESP,0C
00DE6FCC MOV DWORD PTR SS:[EBP-3DA8],EAX
00DE6FD2 CMP DWORD PTR SS:[EBP-3DA8],0
00DE6FD9 JNZ 00DE7077
00DE6FDF MOVZX EAX,WORD PTR SS:[EBP-3DA4]
00DE6FE6 TEST EAX,EAX
00DE6FE8 JE SHORT 00DE703E
00DE6FEA CALL DWORD PTR DS:[DF00E4] ; ntdll.RtlGetLastWin32Error
00DE6FF0 CMP EAX,32
00DE6FF3 JNZ SHORT 00DE7001
00DE6FF5 MOV DWORD PTR SS:[EBP-3DA8],0DCA108
00DE6FFF JMP SHORT 00DE703C
00DE7001 MOV EAX,DWORD PTR SS:[EBP+8]
00DE7004 MOV EAX,DWORD PTR DS:[EAX]
00DE7006 MOV DWORD PTR DS:[EAX],3
00DE700C CALL DWORD PTR DS:[DF00E4] ; ntdll.RtlGetLastWin32Error
00DE7012 PUSH EAX
00DE7013 MOVZX EAX,WORD PTR SS:[EBP-3DA4]
00DE701A PUSH EAX
00DE701B PUSH DWORD PTR SS:[EBP-3C8C]
00DE7021 PUSH 0DF73B0 ; ASCII "File "%s", ordinal %d (error %d)"
00DE7026 MOV EAX,DWORD PTR SS:[EBP+8]
00DE7029 PUSH DWORD PTR DS:[EAX+4]
00DE702C CALL DWORD PTR DS:[DF02EC] ; msvcrt.sprintf
00DE7032 ADD ESP,14
00DE7035 XOR EAX,EAX
00DE7037 JMP 00DE81EF
00DE703C JMP SHORT 00DE7077
00DE703E MOV EAX,DWORD PTR SS:[EBP+8]
00DE7041 MOV EAX,DWORD PTR DS:[EAX]
00DE7043 MOV DWORD PTR DS:[EAX],3
00DE7049 CALL DWORD PTR DS:[DF00E4] ; ntdll.RtlGetLastWin32Error
00DE704F PUSH EAX
00DE7050 PUSH DWORD PTR SS:[EBP-3DAC]
00DE7056 PUSH DWORD PTR SS:[EBP-3C8C]
00DE705C PUSH 0DF738C ; ASCII "File "%s", function "%s" (error %d)"
00DE7061 MOV EAX,DWORD PTR SS:[EBP+8]
00DE7064 PUSH DWORD PTR DS:[EAX+4]
00DE7067 CALL DWORD PTR DS:[DF02EC] ; msvcrt.sprintf
00DE706D ADD ESP,14
00DE7070 XOR EAX,EAX
00DE7072 JMP 00DE81EF
00DE7077 MOV EAX,DWORD PTR SS:[EBP-37FC]
00DE707D CMP EAX,DWORD PTR SS:[EBP-37A8]
00DE7083 JNB SHORT 00DE70A2
00DE7085 MOV EAX,DWORD PTR SS:[EBP-37FC]
00DE708B MOV ECX,DWORD PTR SS:[EBP-3DA8]
00DE7091 MOV DWORD PTR DS:[EAX],ECX //write into the IAT; you can see it is written to the address we modified
00DE7093 MOV EAX,DWORD PTR SS:[EBP-37FC]
00DE7099 ADD EAX,4
00DE709C MOV DWORD PTR SS:[EBP-37FC],EAX
00DE70A2 JMP 00DE6D75
00DE70A7 CALL DWORD PTR DS:[DF029C] ; kernel32.GetTickCount
00DE70AD SUB EAX,DWORD PTR SS:[EBP-3B6C] //elapsed time of the code above
00DE70B3 MOV ECX,DWORD PTR SS:[EBP-3B68]
00DE70B9 IMUL ECX,ECX,32
00DE70BC ADD ECX,7D0
00DE70C2 CMP EAX,ECX
00DE70C4 JBE SHORT 00DE70CD //timing check; this must be changed to JMP 00DE70CD
00DE70C6 MOV BYTE PTR SS:[EBP-37D8],1 <--sets the flag
00DE70CD CMP DWORD PTR SS:[EBP-3928],0 {note: if this flag is set, it changes the parameter used below to arrange the IAT}
00DE70D4 JNZ 00DE7164
00DE70DA MOVZX EAX,BYTE PTR SS:[EBP-3B7C]
00DE70E1 TEST EAX,EAX
00DE70E3 JE SHORT 00DE7164
00DE70E5 PUSH 0
00DE70E7 MOV EAX,DWORD PTR SS:[EBP-3B78]
00DE70ED SHL EAX,2
00DE70F0 PUSH EAX
00DE70F1 MOV EAX,DWORD PTR SS:[EBP-3900]
00DE70F7 ADD EAX,DWORD PTR SS:[EBP-3B80]
00DE70FD PUSH EAX
00DE70FE CALL 00DE8C74
00DE7103 ADD ESP,0C
00DE7106 MOV EAX,DWORD PTR SS:[EBP-3B78]
00DE710C SHL EAX,2
00DE710F PUSH EAX
00DE7110 PUSH DWORD PTR SS:[EBP-37A0]
00DE7116 MOV EAX,DWORD PTR SS:[EBP-3900]
00DE711C ADD EAX,DWORD PTR SS:[EBP-3B80]
00DE7122 PUSH EAX
00DE7123 CALL 00DEEF02 ; JMP to msvcrt.memcpy
00DE7128 ADD ESP,0C
00DE712B PUSH 1
00DE712D MOV EAX,DWORD PTR SS:[EBP-3B78]
00DE7133 SHL EAX,2
00DE7136 PUSH EAX
00DE7137 MOV EAX,DWORD PTR SS:[EBP-3900]
00DE713D ADD EAX,DWORD PTR SS:[EBP-3B80]
00DE7143 PUSH EAX
00DE7144 CALL 00DE8C74
00DE7149 ADD ESP,0C
00DE714C MOV EAX,DWORD PTR SS:[EBP-37A0]
00DE7152 MOV DWORD PTR SS:[EBP+FFFFAFC8],EAX
00DE7158 PUSH DWORD PTR SS:[EBP+FFFFAFC8]
00DE715E CALL 00DEEEFC ; JMP to msvcrt.??3@YAXPAX@Z
00DE7163 POP ECX
00DE7164 CMP DWORD PTR SS:[EBP-3928],0
00DE716B JNZ SHORT 00DE7197
00DE716D LEA EAX,DWORD PTR SS:[EBP-3B84]
00DE7173 PUSH EAX
00DE7174 PUSH DWORD PTR SS:[EBP-3B84]
00DE717A MOV EAX,DWORD PTR SS:[EBP-3B78]
00DE7180 SHL EAX,2
00DE7183 PUSH EAX
00DE7184 MOV EAX,DWORD PTR SS:[EBP-3900]
00DE718A ADD EAX,DWORD PTR SS:[EBP-3B80]
00DE7190 PUSH EAX
00DE7191 CALL DWORD PTR DS:[DF0148] ; kernel32.VirtualProtect
00DE7197 JMP 00DE697F
00DE719C MOV EAX,DWORD PTR SS:[EBP-391C] <--the IAT is complete here
Restore all the code modified above; be sure to restore it!
The complete table:
00646000 4D 22 DB 77 68 6A DB 77
00646008 8B 6F DB 77 F4 6C DB 77
00646010 10 24 DA 77 9A 22 DA 77
00646018 D8 17 DA 77 D4 65 DB 77
00646020 B1 63 DB 77 BB 28 DA 77
00646028 99 4E DA 77 5B 66 DB 77
00646030 27 67 DB 77 D9 23 DA 77
00646038 E2 68 DB 77 D6 27 DA 77
…………
00646B38 15 88 AC 7C 2D C1 B8 7C
00646B40 63 4A AC 7C A6 F2 AD 7C
00646B48 11 F0 AD 7C 7B 85 AC 7C
00646B50 91 05 AC 7C F5 1F AC 7C
00646B58 FA 49 AC 7C 16 49 AC 7C
00646B60 16 72 B0 7C 5F 86 B0 7C
00646B68 DB 8A B0 7C AF F3 AD 7C
00646B70 CF 9E B1 7C 0F B3 B1 7C
00646B78 1D CD B1 7C 31 CC B1 7C
00646B80 5B 46 B4 7C D7 48 B4 7C
00646B88 00 00 00 00 F3 F0 C9 74
00646B90 00 00 00 00
Binary-copy the table above and keep it for the restoration later:
4D 22 DB 77 68 6A DB 77 8B 6F DB 77 F4 6C DB 77 10 24 DA 77 9A 22 DA 77 D8 17 DA 77 D4 65 DB 77
B1 63 DB 77 BB 28 DA 77 99 4E DA 77 5B 66 DB 77 27 67 DB 77 D9 23 DA 77 E2 68 DB 77 D6 27 DA 77
69 6D DC 77 8E 5B DC 77 00 00 00 00 B1 38 31 77 13 B3 31 77 3D 51 31 77 B7 4E 31 77 A4 7F 33 77
…………
00 00 00 00 A3 05 AC 7C 11 B2 B0 7C 2C 88 AE 7C 4E 8C AC 7C 70 97 AC 7C 9A 3E AC 7C 1E 04 AF 7C
CA E6 AD 7C 78 12 AD 7C 3C 12 B2 7C 72 83 AF 7C CE 88 AC 7C C7 80 AF 7C 15 88 AC 7C 2D C1 B8 7C
63 4A AC 7C A6 F2 AD 7C 11 F0 AD 7C 7B 85 AC 7C 91 05 AC 7C F5 1F AC 7C FA 49 AC 7C 16 49 AC 7C
16 72 B0 7C 5F 86 B0 7C DB 8A B0 7C AF F3 AD 7C CF 9E B1 7C 0F B3 B1 7C 1D CD B1 7C 31 CC B1 7C
5B 46 B4 7C D7 48 B4 7C 00 00 00 00 F3 F0 C9 74 00 00 00 00
Next is the packer's re-encryption of the IAT:
00DE719C MOV EAX,DWORD PTR SS:[EBP-391C]
00DE71A2 MOV DWORD PTR SS:[EBP+FFFFAFC4],EAX
00DE71A8 PUSH DWORD PTR SS:[EBP+FFFFAFC4]
00DE71AE CALL 00DEEEFC ; JMP to msvcrt.??3@YAXPAX@Z
00DE71B3 POP ECX
00DE71B4 CMP DWORD PTR SS:[EBP-3928],0
00DE71BB JE 00DE731A
00DE71C1 MOV EAX,DWORD PTR DS:[E00028]
00DE71C6 MOV EAX,DWORD PTR DS:[EAX+60]
00DE71C9 MOV DWORD PTR SS:[EBP+FFFFADD4],EAX
00DE71CF MOV EAX,DWORD PTR SS:[EBP+FFFFADD4]
00DE71D5 MOV DWORD PTR SS:[EBP-3EBC],EAX
00DE71DB CALL 00DEA85B
00DE71E0 NEG EAX
00DE71E2 SBB EAX,EAX
00DE71E4 AND EAX,100
00DE71E9 ADD EAX,100
00DE71EE MOV DWORD PTR SS:[EBP+FFFFADC0],EAX
00DE71F4 PUSH 1DF5E0D
00DE71F9 PUSH DWORD PTR SS:[EBP-3EBC]
00DE71FF LEA ECX,DWORD PTR SS:[EBP-3EBC]
00DE7205 CALL 00DC1071
00DE720A INC EAX
00DE720B XOR EDX,EDX
00DE720D MOV ECX,5F5E100
00DE7212 DIV ECX
00DE7214 MOV DWORD PTR SS:[EBP-3EBC],EDX
00DE721A MOVZX ECX,BYTE PTR SS:[EBP-37D8]
00DE7221 NEG ECX
00DE7223 SBB ECX,ECX
00DE7225 AND ECX,100
00DE722B ADD ECX,200
00DE7231 MOV EAX,DWORD PTR SS:[EBP-3EBC]
00DE7237 XOR EDX,EDX
00DE7239 MOV ESI,2710
00DE723E DIV ESI
00DE7240 IMUL EAX,DWORD PTR SS:[EBP+FFFFADC0]
00DE7247 XOR EDX,EDX
00DE7249 MOV ESI,2710
00DE724E DIV ESI
00DE7250 ADD ECX,EAX
00DE7252 MOV DWORD PTR SS:[EBP-3EB8],ECX
00DE7258 AND DWORD PTR SS:[EBP-3EC0],0
00DE725F JMP SHORT 00DE726E
00DE7261 MOV EAX,DWORD PTR SS:[EBP-3EC0]
00DE7267 INC EAX
00DE7268 MOV DWORD PTR SS:[EBP-3EC0],EAX
00DE726E MOV EAX,DWORD PTR SS:[EBP-3EC0]
00DE7274 CMP EAX,DWORD PTR SS:[EBP-3EB8] <--this is the parameter that the timing check above changes
00DE727A JNB 00DE731A
00DE7280 PUSH 1DF5E0D
00DE7285 PUSH DWORD PTR SS:[EBP-3EBC]
00DE728B LEA ECX,DWORD PTR SS:[EBP-3EBC]
00DE7291 CALL 00DC1071
00DE7296 INC EAX
00DE7297 XOR EDX,EDX
00DE7299 MOV ECX,5F5E100
00DE729E DIV ECX
00DE72A0 MOV DWORD PTR SS:[EBP-3EBC],EDX
00DE72A6 MOV EAX,DWORD PTR SS:[EBP-3EBC]
00DE72AC XOR EDX,EDX
00DE72AE MOV ECX,2710
00DE72B3 DIV ECX
00DE72B5 IMUL EAX,DWORD PTR SS:[EBP-37C8]
00DE72BC XOR EDX,EDX
00DE72BE MOV ECX,2710
00DE72C3 DIV ECX
00DE72C5 MOV DWORD PTR SS:[EBP-3EC8],EAX
00DE72CB MOV EAX,DWORD PTR SS:[EBP-3928]
00DE72D1 MOV EAX,DWORD PTR DS:[EAX]
00DE72D3 MOV DWORD PTR SS:[EBP-3EC4],EAX
00DE72D9 MOV EAX,DWORD PTR SS:[EBP-3EC8]
00DE72DF LEA EAX,DWORD PTR DS:[EAX*4+4]
00DE72E6 PUSH EAX
00DE72E7 MOV EAX,DWORD PTR SS:[EBP-3928]
00DE72ED ADD EAX,4
00DE72F0 PUSH EAX
00DE72F1 PUSH DWORD PTR SS:[EBP-3928]
00DE72F7 CALL DWORD PTR DS:[DF0300] ; msvcrt.memmove
00DE72FD ADD ESP,0C
00DE7300 MOV EAX,DWORD PTR SS:[EBP-3EC8]
00DE7306 MOV ECX,DWORD PTR SS:[EBP-3928]
00DE730C MOV EDX,DWORD PTR SS:[EBP-3EC4]
00DE7312 MOV DWORD PTR DS:[ECX+EAX*4],EDX
00DE7315 JMP 00DE7261
00DE731A PUSH DWORD PTR SS:[EBP-37C4] <--ends here
6. Restoring the CALL IAT addresses in the code
Continue with F8 to the fourth code-decoding routine:
00DE7614 CALL 00DC14AC
00DE7619 ADD ESP,10
00DE761C MOV EAX,DWORD PTR DS:[DFFA30]
00DE7621 MOV DWORD PTR SS:[EBP-3EF4],EAX
00DE7627 CMP DWORD PTR SS:[EBP-3EF4],0
00DE762E JE SHORT 00DE7666
00DE7630 MOV EAX,DWORD PTR SS:[EBP-3EF4]
00DE7636 CMP DWORD PTR DS:[EAX],0
00DE7639 JE SHORT 00DE7666
00DE763B MOV EAX,DWORD PTR SS:[EBP-3EF4]
00DE7641 MOV EAX,DWORD PTR DS:[EAX]
00DE7643 MOV EAX,DWORD PTR DS:[EAX]
00DE7645 ADD EAX,DWORD PTR DS:[E004F0]
00DE764B MOV ECX,DWORD PTR SS:[EBP-3EF4]
00DE7651 MOV ECX,DWORD PTR DS:[ECX]
00DE7653 MOV DWORD PTR DS:[ECX],EAX
00DE7655 MOV EAX,DWORD PTR SS:[EBP-3EF4]
00DE765B ADD EAX,4
00DE765E MOV DWORD PTR SS:[EBP-3EF4],EAX
00DE7664 JMP SHORT 00DE7630
00DE7666 XCHG EBX,ECX <--ends here, F4 to here
00DE7668 NOP
Continue with F8 to the fifth code-decoding routine:
00DE7BA2 CALL 00DC14AC
00DE7BA7 ADD ESP,10
00DE7BAA MOV EAX,DWORD PTR DS:[DFFA34]
00DE7BAF MOV DWORD PTR SS:[EBP+FFFFB0C4],EAX
00DE7BB5 CMP DWORD PTR SS:[EBP+FFFFB0C4],0
00DE7BBC JE SHORT 00DE7BF4
00DE7BBE MOV EAX,DWORD PTR SS:[EBP+FFFFB0C4]
00DE7BC4 CMP DWORD PTR DS:[EAX],0
00DE7BC7 JE SHORT 00DE7BF4
00DE7BC9 MOV EAX,DWORD PTR SS:[EBP+FFFFB0C4]
00DE7BCF MOV EAX,DWORD PTR DS:[EAX]
00DE7BD1 MOV EAX,DWORD PTR DS:[EAX]
00DE7BD3 ADD EAX,DWORD PTR DS:[E004F0]
00DE7BD9 MOV ECX,DWORD PTR SS:[EBP+FFFFB0C4]
00DE7BDF MOV ECX,DWORD PTR DS:[ECX]
00DE7BE1 MOV DWORD PTR DS:[ECX],EAX
00DE7BE3 MOV EAX,DWORD PTR SS:[EBP+FFFFB0C4]
00DE7BE9 ADD EAX,4
00DE7BEC MOV DWORD PTR SS:[EBP+FFFFB0C4],EAX
00DE7BF2 JMP SHORT 00DE7BBE
00DE7BF4 XCHG EAX,EDI <--ends here, F4 to here
00DE7BF5 XCHG CX,CX
F8 brings us to the section that restores the code's CALLs:
00DE7D7B MOV EAX,DWORD PTR SS:[EBP+FFFFB0BC] <--counter
00DE7D81 INC EAX
00DE7D82 MOV DWORD PTR SS:[EBP+FFFFB0BC],EAX
00DE7D88 MOV EAX,DWORD PTR SS:[EBP+FFFFB0BC]
00DE7D8E MOV ECX,DWORD PTR SS:[EBP-37E8] <--CALL address table
00DE7D94 CMP DWORD PTR DS:[ECX+EAX*4],0 //the table is terminated by 00
00DE7D98 JE 00DE7E2E
00DE7D9E MOV EAX,DWORD PTR SS:[EBP+FFFFB0BC]
00DE7DA4 MOV ECX,DWORD PTR SS:[EBP-37E8]
00DE7DAA MOV EDX,DWORD PTR SS:[EBP-3900] //base address of the code section, 00400000
00DE7DB0 ADD EDX,DWORD PTR DS:[ECX+EAX*4]
00DE7DB3 MOV DWORD PTR SS:[EBP+FFFFB0AC],EDX
00DE7DB9 MOV EAX,DWORD PTR SS:[EBP+FFFFB0AC]
00DE7DBF MOV EAX,DWORD PTR DS:[EAX]
00DE7DC1 MOV DWORD PTR SS:[EBP+FFFFB0A8],EAX
00DE7DC7 CMP DWORD PTR SS:[EBP+FFFFB0A8],90909090
00DE7DD1 JE SHORT 00DE7E29
00DE7DD3 MOV EAX,DWORD PTR SS:[EBP+FFFFB0A8]
00DE7DD9 SUB EAX,DWORD PTR SS:[EBP+FFFFB0B8]
00DE7DDF MOV DWORD PTR SS:[EBP+FFFFB0A8],EAX
00DE7DE5 PUSH DWORD PTR SS:[EBP+FFFFB0A8]
00DE7DEB MOV EAX,DWORD PTR SS:[EBP+FFFFB0BC]
00DE7DF1 XOR EDX,EDX
00DE7DF3 PUSH 10
00DE7DF5 POP ECX
00DE7DF6 DIV ECX
00DE7DF8 CALL DWORD PTR DS:[EDX*4+DF0778] <-- CALL address offset encryption algorithm
00DE7DFF POP ECX
00DE7E00 MOV DWORD PTR SS:[EBP+FFFFB0A8],EAX
00DE7E06 MOV EAX,DWORD PTR SS:[EBP+FFFFB0A8]
00DE7E0C MOV ECX,DWORD PTR SS:[EBP-3928]
00DE7E12 LEA EAX,DWORD PTR DS:[ECX+EAX*4]
00DE7E15 MOV DWORD PTR SS:[EBP+FFFFB0A8],EAX
00DE7E1B MOV EAX,DWORD PTR SS:[EBP+FFFFB0AC]
00DE7E21 MOV ECX,DWORD PTR SS:[EBP+FFFFB0A8]
00DE7E27 MOV DWORD PTR DS:[EAX],ECX <--write the CALL address
00DE7E29 JMP 00DE7D7B
00DE7E2E MOV EAX,DWORD PTR DS:[E00500] <--ends here
F4 to the end, then restore the scrambled IAT:
This follows yesky1's method; my thanks to him!
Ctrl+G to address 00677000 and write the following code:
00677000 PUSHAD
00677001 MOV EBX,0EE3FF8 //CALL table
00677006 MOV EAX,HprSnap5.00400000
0067700B MOV EDX,DWORD PTR DS:[EBX]
0067700D ADD EAX,EDX
0067700F MOV ECX,DWORD PTR DS:[EAX]
00677011 MOV ECX,DWORD PTR DS:[ECX]
00677013 MOV ESI,HprSnap5.00676000 //base address of the new IAT
00677018 MOV EDI,DWORD PTR DS:[ESI]
0067701A CMP ECX,EDI <--look up the new address
0067701C JE SHORT HprSnap5.00677023
0067701E LEA ESI,DWORD PTR DS:[ESI+4]
00677021 JMP SHORT HprSnap5.00677018
00677023 MOV DWORD PTR DS:[EAX],ESI <--write the new CALL address
00677025 LEA EBX,DWORD PTR DS:[EBX+4]
00677028 CMP DWORD PTR DS:[EBX],0 //stop when the table is finished
0067702B JE SHORT HprSnap5.0067702F
0067702D JMP SHORT HprSnap5.00677006
0067702F POPAD
00677030 JMP 00DE7E2E //return to the packer code
00677035 NOP
Copy the binary data of the correct IAT to address 00676000:
00676000 4D 22 DB 77 68 6A DB 77
00676008 8B 6F DB 77 F4 6C DB 77
00676010 10 24 DA 77 9A 22 DA 77
00676018 D8 17 DA 77 D4 65 DB 77
00676020 B1 63 DB 77 BB 28 DA 77
…………
00676B58 FA 49 AC 7C 16 49 AC 7C
00676B60 16 72 B0 7C 5F 86 B0 7C
00676B68 DB 8A B0 7C AF F3 AD 7C
00676B70 CF 9E B1 7C 0F B3 B1 7C
00676B78 1D CD B1 7C 31 CC B1 7C
00676B80 5B 46 B4 7C D7 48 B4 7C
00676B88 00 00 00 00 F3 F0 C9 74
00676B90 00 00 00 00
The CALL address table:
00EE3FF8 4B 10 00 00 92 10 00 00
00EE4000 A7 10 00 00 B8 10 00 00
00EE4008 EA 10 00 00 14 11 00 00
00EE4010 64 11 00 00 75 11 00 00
00EE4018 88 11 00 00 AB 11 00 00
00EE4020 0C 12 00 00 30 12 00 00
00EE4028 B8 12 00 00 CB 12 00 00
00EE4030 E8 12 00 00 37 13 00 00
00EE4038 AC 13 00 00 B8 14 00 00
……
00EEB598 CE 8A 1B 00 DC 8A 1B 00
00EEB5A0 EC 8A 1B 00 07 8B 1B 00
00EEB5A8 2B 8B 1B 00 38 8B 1B 00
00EEB5B0 96 8B 1B 00 09 8C 1B 00
00EEB5B8 7B 8C 1B 00 70 8D 1B 00
00EEB5C0 B0 8D 1B 00 0F 8E 1B 00
Run the code entered at 00677000 and return to the packer:
00DE7E2E MOV EAX,DWORD PTR DS:[E00500]
00DE7E33 MOV AL,BYTE PTR DS:[EAX+3D2F]
00DE7E39 MOV BYTE PTR SS:[EBP+FFFFAD8C],AL
00DE7E3F MOVZX EAX,BYTE PTR SS:[EBP+FFFFAD8C]
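The following Python is an added example, not part of the original post or of yesky1's method. It models three pieces of the above in one place: the timing check at 00DE70A7..00DE70C6 (the flag is set only when the GetTickCount delta exceeds count*0x32 + 0x7D0, because JBE skips the store), the IAT re-shuffle rounds at 00DE7261..00DE7315 (each round is memmove(iat, iat+4, (k+1)*4) followed by iat[k] = old iat[0], i.e. a left rotation of the first k+1 slots, and the NEG/SBB/AND 100/ADD 200 sequence at 00DE721A gives 0x300 base rounds when the flag byte at [EBP-37D8] is set and 0x200 otherwise), and the restore routine written at 00677000, which walks the CALL table, dereferences each code slot's pointer to reach the API address, finds that address in the saved correct table and repoints the code at the saved copy. The per-round k values and the extra round count come from the packer's own generator (CALL 00DC1071), which is not reproduced; the values used in demo() are stand-ins, while the API addresses and CALL-table RVAs are taken from the dumps on this page. The code slots in demo() are constructed to point at the shuffled table directly, standing in for what the loop at 00DE7D7B writes.

```python
def timing_check_trips(elapsed_ms, import_count):
    """00DE70A7..00DE70C6: compare the GetTickCount delta with
    import_count*0x32 + 0x7D0; the flag byte is stored only when the delta
    is strictly greater (JBE jumps over the MOV)."""
    return elapsed_ms > import_count * 0x32 + 0x7D0


def round_count(timing_flag, extra):
    """00DE721A..00DE7250: MOVZX/NEG/SBB/AND 100/ADD 200 yields 0x300 when the
    flag is non-zero and 0x200 otherwise; a generator-derived extra is added.
    `extra` is a stand-in for the value computed from CALL 00DC1071."""
    return (0x300 if timing_flag else 0x200) + extra


def shuffle_round(iat, k):
    """One round of 00DE7261..00DE7315 on a list of API addresses:
    saved = iat[0]; memmove(iat, iat+4, (k+1)*4); iat[k] = saved.
    Net effect: rotate iat[0..k] left by one position."""
    if k >= len(iat):
        raise ValueError("k out of range for this table")
    saved = iat[0]
    iat[0:k] = iat[1:k + 1]
    iat[k] = saved


def restore_calls(call_table, image_base, code, cur_base, cur_iat,
                  saved_base, saved_iat):
    """Model of the routine written at 00677000. call_table holds RVAs
    terminated by 0; code maps a code address to the dword stored there
    (a pointer into the current IAT). For each entry: dereference the
    pointer to get the API address, find it in the saved table, and write
    the saved slot's address back into the code. Returns entries fixed."""
    fixed = 0
    for rva in call_table:
        if rva == 0:                                  # CMP [EBX],0 / JE done
            break
        slot_addr = image_base + rva                  # MOV EAX,00400000; ADD EAX,EDX
        cur_ptr = code[slot_addr]                     # MOV ECX,[EAX]
        api = cur_iat[(cur_ptr - cur_base) // 4]      # MOV ECX,[ECX]
        try:
            idx = saved_iat.index(api)                # CMP ECX,EDI loop over the new table
        except ValueError:
            raise LookupError("API %#010x not present in the saved table" % api)
        code[slot_addr] = saved_base + 4 * idx        # MOV [EAX],ESI
        fixed += 1
    return fixed


def demo():
    IMAGE_BASE = 0x00400000
    CUR_BASE = 0x00646000     # buffer the packer shuffles (section reused on this page)
    SAVED_BASE = 0x00676000   # where the saved correct copy is written back
    # first six dwords of the correct table dumped on this page
    saved = [0x77DB224D, 0x77DB6A68, 0x77DB6F8B, 0x77DB6CF4, 0x77DA2410, 0x77DA229A]
    cur = list(saved)
    for k in (3, 5, 2, 4):    # stand-in k values; the real ones come from CALL 00DC1071
        shuffle_round(cur, k)
    # first six RVAs of the CALL address table dumped at 00EE3FF8, plus terminator
    call_table = [0x104B, 0x1092, 0x10A7, 0x10B8, 0x10EA, 0x1114, 0]
    # constructed: code slot i currently points at whichever shuffled slot holds saved[i]
    code = {}
    for i, rva in enumerate(call_table[:-1]):
        code[IMAGE_BASE + rva] = CUR_BASE + 4 * cur.index(saved[i])
    n = restore_calls(call_table, IMAGE_BASE, code, CUR_BASE, cur, SAVED_BASE, saved)
    offsets = [code[IMAGE_BASE + r] - SAVED_BASE for r in call_table[:-1]]
    return n, cur != saved, offsets


if __name__ == "__main__":
    print(demo())
```

The point the model makes explicit: after the shuffle the code still calls the right API, only through a slot in a table whose order no longer matches the saved copy, so the restore has to match by API address rather than by slot index. It also shows why the timing check matters here: a tripped check adds 0x100 rounds, which changes the final order but not the correctness of the saved copy.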
Continue running with F8:
00DE81D7 PUSH 0DFFC00
00DE81DC CALL DWORD PTR DS:[DF02A0] ; ntdll.RtlLeaveCriticalSection
00DE81E2 MOV DWORD PTR DS:[DF68CC],0DF7364
00DE81EC PUSH 1
00DE81EE POP EAX
00DE81EF MOV ECX,DWORD PTR SS:[EBP-10]
00DE81F2 MOV DWORD PTR FS:[0],ECX
00DE81F9 POP EDI
00DE81FA POP ESI
00DE81FB POP EBX
00DE81FC LEAVE
00DE81FD RETN <--exit from here
We arrive here; this is the code that leads to the OEP:
00DE0CBD MOV DWORD PTR SS:[EBP-4],EDI
00DE0CC0 MOV DWORD PTR DS:[DF68CC],0DF72D0 ; ASCII "LP9"
00DE0CCA OR EDI,FFFFFFFF
00DE0CCD PUSH EDI
00DE0CCE PUSH EDI
00DE0CCF CALL DWORD PTR DS:[DF0130] ; kernel32.GetCurrentProcess
00DE0CD5 PUSH EAX
00DE0CD6 MOV ESI,DWORD PTR DS:[DF0260] ; kernel32.SetProcessWorkingSetSize
00DE0CDC CALL ESI
00DE0CDE MOV DWORD PTR DS:[DF68CC],0DF72C8 ; ASCII "LP9a"
00DE0CE8 CMP DWORD PTR DS:[E004E4],EBX
00DE0CEE JE SHORT 00DE0D05 <--must not jump here
00DE0CF0 CALL 00DC83E3
00DE0CF5 TEST AL,AL
00DE0CF7 JNZ SHORT 00DE0D05
00DE0CF9 PUSH EDI
00DE0CFA PUSH EDI
00DE0CFB MOV EAX,DWORD PTR DS:[E004E4] <--this is incorrect, possibly caused by the code above.
00DE0D00 PUSH DWORD PTR DS:[EAX+4]
00DE0D03 CALL ESI <--the original program enters the OEP from here
00DE0D05 MOV DWORD PTR DS:[DF68CC],0DF72C0 ; ASCII "LP9b"
00DE0D0F MOV DWORD PTR SS:[EBP-4],EBX
00DE0D12 JMP SHORT 00DE0D59
00DE0D14 PUSH 1
00DE0D16 POP EAX
00DE0D17 RETN
When execution reaches 00DE0D00 PUSH DWORD PTR DS:[EAX+4], set a memory-access breakpoint on the program's 00400000 code section,
run with Shift+F9, and it stops at the OEP:
004E9C30 PUSH EBP //OEP
004E9C31 MOV EBP,ESP
004E9C33 PUSH -1
004E9C35 PUSH HprSnap5.005DF7A0
004E9C3A PUSH HprSnap5.004EDAFC
004E9C3F MOV EAX,DWORD PTR FS:[0]
004E9C45 PUSH EAX
004E9C46 MOV DWORD PTR FS:[0],ESP
004E9C4D SUB ESP,58
004E9C50 PUSH EBX
004E9C51 PUSH ESI
004E9C52 PUSH EDI
004E9C53 MOV DWORD PTR SS:[EBP-18],ESP
Copy the binary data of the correct IAT to address 00676000 once more:
00676000 4D 22 DB 77 68 6A DB 77
00676008 8B 6F DB 77 F4 6C DB 77
00676010 10 24 DA 77 9A 22 DA 77
00676018 D8 17 DA 77 D4 65 DB 77
00676020 B1 63 DB 77 BB 28 DA 77
…………
00676B58 FA 49 AC 7C 16 49 AC 7C
00676B60 16 72 B0 7C 5F 86 B0 7C
00676B68 DB 8A B0 7C AF F3 AD 7C
00676B70 CF 9E B1 7C 0F B3 B1 7C
00676B78 1D CD B1 7C 31 CC B1 7C
00676B80 5B 46 B4 7C D7 48 B4 7C
00676B88 00 00 00 00 F3 F0 C9 74
00676B90 00 00 00 00
The whole run is finally complete and the repair is done. Dump the modified program and repair the dump with ImportREC.
Writing this, I realise that the IAT's temporary buffer does not need to be changed; the storage address can be changed freely in step 6.
I keep it anyway, as a method.
Part 2: to be continued
fxyang
2004.11.12