Unpacking an Armadillo-protected program: handling the CCs (INT3 nanomites)
-- a conjecture about the CCs
Reload the main program and hide OD (OllyDbg).
bp GetThreadContext, and let it break for the second time.
It stops inside the function:
77E7A397 >PUSH DWORD PTR SS:[ESP+8]
77E7A39B PUSH DWORD PTR SS:[ESP+8]
77E7A39F CALL DWORD PTR DS:[<&ntdll.NtGetContextT>; ntdll.ZwGetContextThread
77E7A3A5 TEST EAX,EAX
77E7A3A7 JL kernel32.77E8780D
77E7A3AD XOR EAX,EAX
77E7A3AF INC EAX
77E7A3B0 RETN 8
Look at the stack:
0012BC84 00662033 /CALL to GetThreadContext from HprSnap5.0066202D
0012BC88 00000050 |hThread = 00000050 (window)
0012BC8C 0012C314 \pContext = 0012C314
Run the function to completion and look at the CONTEXT buffer it filled in. The first dword is ContextFlags = 00010001 (CONTEXT_CONTROL), which is why only the control registers (SegSs, Esp, Ebp, Eip, SegCs, EFlags) carry values; the field offsets below are those of the x86 CONTEXT structure:
0012C314 01 00 01 00 00 00 00 00   +00 ContextFlags = 00010001 (CONTEXT_CONTROL)
0012C31C .. 0012C3C3: all 00 (debug registers, FloatSave, segment and integer registers are not requested and were not filled in)
0012C3C4 00 00 00 00 30 C3 62 00   +B0 Eax (not requested) = 00000000, +B4 Ebp = 0062C330
0012C3CC 26 3C 4B 00 1B 00 00 00   +B8 Eip = 004B3C26 <-- the address immediately after the CC byte; +BC SegCs = 0000001B
0012C3D4 46 02 00 00 28 D1 12 00   +C0 EFlags = 00000246 <-- the EFLAGS register value; +C4 Esp = 0012D128
0012C3DC 23 00 00 00 00 00 00 00   +C8 SegSs = 00000023
First, the overall flow in the parent:
00662025 PUSH EAX
00662026 MOV ECX,DWORD PTR SS:[EBP-1194]
0066202C PUSH ECX
0066202D CALL DWORD PTR DS:[<&KERNEL32.GetThreadC>; kernel32.GetThreadContext
{
processing (analysed below)
}
00662473 LEA EDX,DWORD PTR SS:[EBP-1468]
00662479 PUSH EDX
0066247A MOV EAX,DWORD PTR SS:[EBP-1194]
00662480 PUSH EAX
00662481 CALL DWORD PTR DS:[<&KERNEL32.SetThreadC>; kernel32.SetThreadContext
So CC handling is a process in which the parent obtains the child thread's state with kernel32.GetThreadContext, works on it,
and writes the result back into the child with kernel32.SetThreadContext. Since Eip in the CONTEXT already points past the 0xCC byte, the parent's whole job is to decide where the child should continue and to store that in the Eip field before SetThreadContext.
Now the processing itself:
00662025 PUSH EAX
00662026 MOV ECX,DWORD PTR SS:[EBP-1194]
0066202C PUSH ECX
0066202D CALL DWORD PTR DS:[<&KERNEL32.GetThreadC>; kernel32.GetThreadContext
…………
00662076 NOP
00662077 MOV DWORD PTR SS:[EBP-146C],0
00662081 PUSH -1
00662083 PUSH 4
00662085 LEA EDX,DWORD PTR SS:[EBP-13B0] <--points at 0012C3CC in the CONTEXT (offset +B8, Eip), i.e. the address after the CC
0066208B PUSH EDX
0066208C CALL HprSnap5.00649F90 //step in
-->
00649F90 PUSH EBP
00649F91 MOV EBP,ESP
00649F93 MOV EAX,DWORD PTR SS:[EBP+C]
00649F96 PUSH EAX
00649F97 MOV ECX,DWORD PTR SS:[EBP+8]
00649F9A PUSH ECX
00649F9B MOV EDX,DWORD PTR SS:[EBP+10]
00649F9E XOR EDX,FFFFFFFF
00649FA1 PUSH EDX
00649FA2 CALL HprSnap5.006687DA //step in
00649FA7 ADD ESP,0C
00649FAA XOR EAX,FFFFFFFF
00649FAD POP EBP
00649FAE RETN
CALL HprSnap5.006687DA
Key code (the checksum is computed over the four bytes of the address following the CC):
0066896B CMP DWORD PTR SS:[EBP+10],0 <--byte count (4), used as the loop counter
0066896F JE SHORT HprSnap5.006689AD
00668971 MOV EDX,DWORD PTR SS:[EBP+C] <--points at 0012C3CC in the CONTEXT
00668974 XOR EAX,EAX
00668976 MOV AL,BYTE PTR DS:[EDX] <--fetch one byte
00668978 MOV ECX,DWORD PTR SS:[EBP+8] //running checksum; 00649F90 passes in the caller's -1 XOR FFFFFFFF, i.e. 0
0066897B XOR ECX,EAX
0066897D AND ECX,0FF
00668983 MOV EDX,DWORD PTR SS:[EBP+8]
00668986 SHR EDX,8
00668989 MOV EAX,DWORD PTR DS:[ECX*4+68AA0C] table lookup (this is the byte-wise CRC-32 update: crc = table[(crc ^ byte) & FF] ^ (crc >> 8))
00668990 XOR EAX,EDX
00668992 MOV DWORD PTR SS:[EBP+8],EAX
00668995 MOV ECX,DWORD PTR SS:[EBP+C]
00668998 ADD ECX,1
0066899B MOV DWORD PTR SS:[EBP+C],ECX
0066899E MOV EDX,DWORD PTR SS:[EBP+10]
006689A1 SUB EDX,1
006689A4 MOV DWORD PTR SS:[EBP+10],EDX
006689A7 CMP DWORD PTR SS:[EBP+10],0
006689AB JNZ SHORT HprSnap5.00668971
006689AD MOV EAX,DWORD PTR SS:[EBP+8]
006689B0 XOR EAX,FFFFFFFF
006689B3 POP EBP
006689B4 RETN
The table used (256 dwords at 0068AA0C..0068AE0B; the values are the standard CRC-32 table for polynomial EDB88320):
0068AA0C 00 00 00 00 96 30 07 77
0068AA14 2C 61 0E EE BA 51 09 99
0068AA1C 19 C4 6D 07 8F F4 6A 70
0068AA24 35 A5 63 E9 A3 95 64 9E
0068AA2C 32 88 DB 0E A4 B8 DC 79
…………
0068ADF4 02 1B 68 5D 94 2B 6F 2A
0068ADFC 37 BE 0B B4 A1 8E 0C C3
0068AE04 1B DF 05 5A 8D EF 02 2D
0068AE0C 00 00 00 00 00 00 00 00
<--return
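To make the routine concrete, here is an added C reimplementation (not code from this post and not Armadillo's own code) of 006687DA and its wrapper 00649F90 exactly as disassembled above, plus a generator for the table at 0068AA0C. The polynomial and table values are the standard CRC-32 ones; the bytes hashed are the little-endian Eip dword from the CONTEXT, and the final mod-16 step is the one the caller performs at 006620A2..006620A9. Note that because 00649F90 complements the -1 pushed by the caller, the register actually starts at 0, and its final complement cancels the one in 006687DA.

```c
#include <stdint.h>
#include <stddef.h>

/* Added example: model of the checksum routine seen at 006687DA / 00649F90. */

static uint32_t crc_table[256];
static int crc_table_ready = 0;

/* Reflected CRC-32 table, polynomial 0xEDB88320. The first entries
 * (00000000, 77073096, EE0E612C, 990951BA, 076DC419, ...) and the last
 * two (5A05DF1B, 2D02EF8D) match the dump at 0068AA0C / 0068AE04. */
static void crc_table_init(void)
{
    if (crc_table_ready) return;
    for (uint32_t n = 0; n < 256; n++) {
        uint32_t c = n;
        for (int k = 0; k < 8; k++)
            c = (c & 1) ? (0xEDB88320u ^ (c >> 1)) : (c >> 1);
        crc_table[n] = c;
    }
    crc_table_ready = 1;
}

uint32_t crc_table_entry(unsigned idx)
{
    crc_table_init();
    return crc_table[idx & 0xFF];
}

/* Loop 0066896B..006689B4: per byte crc = table[(crc ^ b) & 0xFF] ^ (crc >> 8);
 * the result is complemented once (006689B0) before RETN. */
uint32_t sub_6687DA(uint32_t crc, const uint8_t *p, size_t len)
{
    crc_table_init();
    while (len--)
        crc = crc_table[(crc ^ *p++) & 0xFF] ^ (crc >> 8);
    return ~crc;
}

/* Wrapper 00649F90: pushes (len, p, init XOR FFFFFFFF), calls 006687DA and
 * complements the return value again (00649FAA). The caller at 00662081
 * passes init = -1, so the register starts at 0 and the complements cancel. */
uint32_t sub_649F90(const uint8_t *p, size_t len, uint32_t init)
{
    return ~sub_6687DA(init ^ 0xFFFFFFFFu, p, len);
}

/* Ordinary CRC-32 (init -1, final XOR), for comparison: crc32("123456789") = CBF43926. */
uint32_t crc32_std(const uint8_t *p, size_t len)
{
    return sub_6687DA(0xFFFFFFFFu, p, len);
}

/* The four bytes hashed are the little-endian Eip dword from the CONTEXT
 * (offset +B8, the address after the CC). */
uint32_t nanomite_hash(uint32_t eip_after_cc)
{
    uint8_t le[4] = {
        (uint8_t)(eip_after_cc), (uint8_t)(eip_after_cc >> 8),
        (uint8_t)(eip_after_cc >> 16), (uint8_t)(eip_after_cc >> 24)
    };
    return sub_649F90(le, 4, 0xFFFFFFFFu);
}

/* 006620A2..006620A9: DIV by 10h, keep the remainder in EDX. This is @1,
 * the bucket index used for every per-CC table that follows. */
unsigned nanomite_bucket(uint32_t eip_after_cc)
{
    return nanomite_hash(eip_after_cc) % 16;
}
```

Whether the register starts at 0 or at -1 only changes which of the 16 buckets an address lands in; the point for a practitioner is that the bucket is a pure function of the post-CC address, so the same address always reaches the same tables.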
00662091 ADD ESP,0C
00662094 MOV DWORD PTR SS:[EBP-1198],EAX <--result of the routine above
0066209A MOV EAX,DWORD PTR SS:[EBP-1198]
006620A0 XOR EDX,EDX
006620A2 MOV ECX,10
006620A7 DIV ECX
006620A9 MOV DWORD PTR SS:[EBP-119C],EDX <--remainder mod 16, i.e. the low nibble of the checksum; this key parameter is used repeatedly below and is marked @①
006620AF MOV EDX,DWORD PTR SS:[EBP-13B0] <--the address after the CC
006620B5 PUSH EDX
006620B6 MOV EAX,DWORD PTR SS:[EBP-119C]
006620BC CALL DWORD PTR DS:[EAX*4+68A8A8] //dispatches through a table indexed by @①, so the result below depends on the CC's address
Table (32 dword function pointers at 0068A8A8..0068A927):
0068A8A8 B0 9F 64 00 22 A1 64 00
0068A8B0 82 A2 64 00 35 A4 64 00
0068A8B8 05 A7 64 00 24 A8 64 00
0068A8C0 71 AA 64 00 3F AC 64 00
0068A8C8 F7 AE 64 00 9D B1 64 00
0068A8D0 1F B4 64 00 8A B6 64 00
0068A8D8 5E B9 64 00 8F BA 64 00
0068A8E0 2B BD 64 00 F4 BF 64 00
0068A8E8 69 A0 64 00 D2 A1 64 00
0068A8F0 5B A3 64 00 9C A5 64 00
0068A8F8 94 A7 64 00 4A A9 64 00
0068A900 58 AB 64 00 9B AD 64 00
0068A908 4A B0 64 00 DE B2 64 00
0068A910 55 B5 64 00 F3 B7 64 00
0068A918 F6 B9 64 00 DD BB 64 00
0068A920 8F BE 64 00 2A C1 64 00
006620C3 ADD ESP,4
006620C6 MOV DWORD PTR SS:[EBP-146C],EAX <--this return value is the key that decides whether this CC exception is one the parent has to handle
006620CC MOV DWORD PTR SS:[EBP-1470],0
006620D6 MOV ECX,DWORD PTR SS:[EBP-119C] <--@①
006620DC MOV EDX,DWORD PTR DS:[ECX*4+68C988]
Table (16 dwords at 0068C988: the number of entries in bucket @①):
0068C988 B3 00 00 00 A3 00 00 00
0068C990 9E 00 00 00 B6 00 00 00
0068C998 C0 00 00 00 9C 00 00 00
0068C9A0 A4 00 00 00 AD 00 00 00
0068C9A8 9B 00 00 00 AA 00 00 00
0068C9B0 A8 00 00 00 B1 00 00 00
0068C9B8 B6 00 00 00 95 00 00 00
0068C9C0 B9 00 00 00 A4 00 00 00
006620E3 MOV DWORD PTR SS:[EBP-1190],EDX
006620E9 MOV EAX,DWORD PTR SS:[EBP-1470]
006620EF CMP EAX,DWORD PTR SS:[EBP-1190]
006620F5 JGE SHORT HprSnap5.00662153
006620F7 MOV EAX,DWORD PTR SS:[EBP-1190]
006620FD SUB EAX,DWORD PTR SS:[EBP-1470]
00662103 CDQ
00662104 SUB EAX,EDX
00662106 SAR EAX,1
00662108 MOV ECX,DWORD PTR SS:[EBP-1470]
0066210E ADD ECX,EAX
00662110 MOV DWORD PTR SS:[EBP-1474],ECX
00662116 MOV EDX,DWORD PTR SS:[EBP-119C] <--@①
0066211C MOV EAX,DWORD PTR DS:[EDX*4+68C928]
Table (16 pointers at 0068C928 to the per-bucket sorted key tables):
0068C928 58 BC 3A 00 D8 C3 3A 00
0068C930 B8 CA 3A 00 68 6D DC 00
0068C938 30 74 DC 00 10 7C DC 00
0068C940 20 D2 3A 00 00 D9 3A 00
0068C948 40 E0 3A 00 C0 E6 3A 00
0068C950 E0 ED 3A 00 E0 F4 3A 00
0068C958 60 FC 3A 00 B0 84 DC 00
0068C960 10 8B DC 00 D0 92 DC 00
0068C968 68 07 3A 00 60 E8 00 00
00662123 MOV ECX,DWORD PTR SS:[EBP-1474]
00662129 MOV EDX,DWORD PTR SS:[EBP-146C]
0066212F CMP EDX,DWORD PTR DS:[EAX+ECX*4]
00662132 JBE SHORT HprSnap5.00662145
00662134 MOV EAX,DWORD PTR SS:[EBP-1474]
0066213A ADD EAX,1
0066213D MOV DWORD PTR SS:[EBP-1470],EAX <--this yields the second key value, marked @②
00662143 JMP SHORT HprSnap5.00662151
00662145 MOV ECX,DWORD PTR SS:[EBP-1474]
0066214B MOV DWORD PTR SS:[EBP-1190],ECX
00662151 JMP SHORT HprSnap5.006620E9
The loop 006620E9..00662151 is a lower-bound binary search: [EBP-1470] is the low index, [EBP-1190] the high index (initially the entry count from 0068C988[@①]), [EBP-1474] the midpoint, and the key [EBP-146C] is compared against the sorted dword table 0068C928[@①]. When the loop ends, @② is the position where the key would have to be, so the code below still has to verify that the entry there really equals the key.
00662153 PUSHAD
00662154 XOR EAX,EAX
00662156 JNZ SHORT HprSnap5.0066215A
00662158 JMP SHORT HprSnap5.0066216F
Continuing:
00662178 POPAD
00662179 MOV EDX,DWORD PTR SS:[EBP-119C] <--@①
0066217F MOV EAX,DWORD PTR DS:[EDX*4+68C928]
00662186 MOV ECX,DWORD PTR SS:[EBP-1470] <--@②
0066218C MOV EDX,DWORD PTR DS:[EAX+ECX*4]
0066218F CMP EDX,DWORD PTR SS:[EBP-146C]
00662195 JNZ HprSnap5.006624AD //this checks whether the CC is present in the table at all
0066219B PUSH ECX
0066219C BSWAP ECX
0066219E NOT ECX
006621A0 PUSH EAX
006621A1 NOT EAX
006621A3 MOV EAX,6C65696D
006621A8 XCHG EAX,ECX
006621A9 MOV ECX,DEADC0DE
006621AE XCHG EAX,ECX
006621AF NOT EAX
006621B1 POP EAX
006621B2 NOT ECX
006621B4 POP ECX
006621B5 PUSHFD
006621B6 PUSHAD
006621B7 XOR EBX,EBX
006621B9 JE SHORT HprSnap5.006621BE
This part is easy to follow: it checks whether this CC exception is one the protector needs to handle. The PUSH/BSWAP/NOT/XCHG run at 0066219B..006621B4 restores EAX and ECX through its PUSH/POP pairs and changes nothing; the constants 6C65696D and DEADC0DE are decoration.
;=============================================================
Main processing code:
006621F2 MOV EAX,DWORD PTR SS:[EBP-119C] <--@①
006621F8 MOV ECX,DWORD PTR DS:[EAX*4+68C9C8]
Table (16 pointers at 0068C9C8 to the per-bucket type-byte tables; after the zero dwords at 0068CA08, the 16 pointers at 0068CA10 are the per-bucket length tables used at 006623C3):
0068C9C8 40 BF 3A 00 80 C6 3A 00
0068C9D0 50 CD 3A 00 C0 CE 3A 00
0068C9D8 48 77 DC 00 98 7E DC 00
0068C9E0 C8 D4 3A 00 D8 DB 3A 00
0068C9E8 C8 E2 3A 00 88 E9 3A 00
0068C9F0 98 F0 3A 00 C8 F7 3A 00
0068C9F8 08 80 DC 00 28 87 DC 00
0068CA00 18 8E DC 00 78 95 DC 00
0068CA08 00 00 00 00 00 00 00 00
0068CA10 18 C0 3A 00 48 C7 3A 00
0068CA18 08 CE 3A 00 60 70 DC 00
0068CA20 20 78 DC 00 50 7F DC 00
0068CA28 90 D5 3A 00 A0 DC 3A 00
0068CA30 80 E3 3A 00 50 EA 3A 00
0068CA38 60 F1 3A 00 A0 F8 3A 00
0068CA40 E0 80 DC 00 E0 87 DC 00
0068CA48 F0 8E DC 00 40 96 DC 00
006621FF MOV EDX,DWORD PTR SS:[EBP-1470] <--@②
00662205 XOR EAX,EAX
00662207 MOV AL,BYTE PTR DS:[ECX+EDX] <--@③
Table: [003AF7C8] (one of the 16 type-byte tables; one byte per CC, indexed by @②):
003AF7C0 1B 00 5D 00 00 07 18 00
003AF7C8 DF C9 04 04 04 11 11 0E
003AF7D0 05 04 04 09 04 05 05 05
003AF7D8 11 03 04 04 04 04 11 03
003AF7E0 04 04 11 02 04 04 03 04
003AF7E8 0D 05 0F 0D 11 05 56 11
003AF7F0 04 05 7F 03 02 D2 03 04
003AF7F8 0C 0C 11 04 11 0E 11 04
003AF800 0D 11 06 06 04 11 05 04
003AF808 04 E1 0C 11 05 05 04 11
003AF810 06 08 04 05 04 11 11 03
003AF818 11 04 0C 96 8A 8A 04 0D
003AF820 EE 05 0C 0C 04 0F 49 11
003AF828 0C 0C 04 11 11 BD 0D 11
003AF830 C5 05 4B 0D 3C 11 0D 09
003AF838 04 06 03 0C 05 05 04 11
003AF840 05 05 11 06 05 05 05 F1
0066220A MOV DWORD PTR SS:[EBP-148C],EAX <--@③ (the type byte of this CC)
00662210 MOV EAX,DWORD PTR SS:[EBP-148C]
00662216 CDQ
00662217 AND EDX,0F
0066221A ADD EAX,EDX
0066221C SAR EAX,4
0066221F MOV DWORD PTR SS:[EBP-1484],EAX <--@④ (= @③ / 16, signed division idiom)
00662225 MOV ECX,DWORD PTR SS:[EBP-148C]
0066222B AND ECX,8000000F
00662231 JNS SHORT HprSnap5.00662238
00662233 DEC ECX
00662234 OR ECX,FFFFFFF0
00662237 INC ECX
00662238 MOV DWORD PTR SS:[EBP-1488],ECX <--@⑤ (= @③ % 16, signed remainder idiom)
0066223E MOV EDX,DWORD PTR SS:[EBP-1484]
00662244 CMP EDX,DWORD PTR SS:[EBP-1488]
0066224A JNZ SHORT HprSnap5.00662267
0066224C MOV EAX,DWORD PTR SS:[EBP-1488]
00662252 ADD EAX,1
00662255 AND EAX,8000000F
0066225A JNS SHORT HprSnap5.00662261
0066225C DEC EAX
0066225D OR EAX,FFFFFFF0
00662260 INC EAX
00662261 MOV DWORD PTR SS:[EBP-1488],EAX <--@⑤_II (adjusted: when @④ == @⑤, @⑤ becomes (@⑤ + 1) mod 16)
//the code above splits @③ into its high nibble @④ and low nibble @⑤. Because @③ was zero-extended from a byte (XOR EAX,EAX / MOV AL), the sign-correction branches never fire.
00662267 MOV ECX,DWORD PTR SS:[EBP-148C] <--@③
0066226D MOV EDX,DWORD PTR SS:[EBP-1484] <--@④
00662273 MOV EAX,DWORD PTR DS:[ECX*4+68BF38]
Table (dwords at 0068BF38, indexed by @③):
0068BF38 32 80 E1 87 E2 6A E1 87
0068BF40 6F 7B B7 85 D2 96 DC F0
0068BF48 4C 77 21 C7 DC FF BE C4
…………
0068C308 BD 57 4F E6 A1 1C D1 E5
0068C310 B6 0D 22 28 C0 51 A2 AE
0068C318 A5 D4 1E 53 F7 F0 68 56
0068C320 D8 47 77 A5 40 42 1F 38
0068C328 00 00 00 00 00 00 00 00
0066227A XOR EAX,DWORD PTR DS:[EDX*4+6862AC]
00662281 MOV ECX,DWORD PTR SS:[EBP-1488] <--@⑤
00662287 XOR EAX,DWORD PTR DS:[ECX*4+6862AC]
0066228E MOV DWORD PTR SS:[EBP-147C],EAX <--address of the EFLAGS evaluation function
00662294 MOV EDX,DWORD PTR SS:[EBP-13A8] <--EFLAGS value from the CONTEXT (offset +C0)
0066229A AND EDX,0FD7
006622A0 PUSH EDX
006622A1 MOV EAX,DWORD PTR SS:[EBP-148C]
006622A7 MOVSX ECX,BYTE PTR DS:[EAX+68A7A0]
006622AE CALL DWORD PTR DS:[ECX*4+68A8A8] <--decoy only (encodes the value)
006622B5 ADD ESP,4
006622B8 MOV DWORD PTR SS:[EBP-1478],EAX
006622BE MOV EDX,DWORD PTR SS:[EBP-13BC]
006622C4 PUSH EDX
006622C5 MOV EAX,DWORD PTR SS:[EBP-1478]
006622CB PUSH EAX
006622CC CALL DWORD PTR SS:[EBP-147C] <--EFLAGS evaluation function; returns the branch-taken flag
-->step in
Example:
006517AC PUSH EBP
006517AD MOV EBP,ESP
006517AF SUB ESP,0C
006517B2 PUSH EBX
006517B3 PUSH ESI
006517B4 PUSH EDI
006517B5 MOV EAX,DWORD PTR SS:[EBP+8]
006517B8 PUSH EAX
006517B9 CALL DWORD PTR DS:[68A760] ; HprSnap5.0064A794
006517BF ADD ESP,4
006517C2 MOV DWORD PTR SS:[EBP-4],EAX recovers the EFLAGS value that the decoy code encoded
006517C5 MOV EAX,DWORD PTR SS:[EBP-4]
006517C8 PUSH EBX
006517C9 MOV EBX,80
006517CE JMP SHORT HprSnap5.006517D5
006517D0 MOV EBX,4
006517D5 MOV EBX,41
006517DA NOT EBX
006517DC BSWAP EAX
006517DE NOT EBX
006517E0 INC EBX
006517E1 INC EBX
006517E2 AND EAX,0 core
006517E5 AND EBX,800
006517EB DEC EBX
006517EC PUSH ECX
006517ED MOV ECX,4
006517F2 ADD EBX,ECX
006517F4 INC EBX
006517F5 POP ECX
006517F6 BSWAP EAX
006517F8 INC EAX core
006517F9 POP EBX
006517FA MOV DWORD PTR SS:[EBP-C],EAX the lines above are the core: EAX = 1 whatever the flags were (AND EAX,0 then INC EAX), so this evaluator always takes the branch, as an unconditional jump would
006517FD MOV ECX,DWORD PTR DS:[686320] the flag is then encoded:
00651803 XOR ECX,DWORD PTR DS:[686324]
00651809 SHL ECX,1
0065180B MOV DWORD PTR SS:[EBP-8],ECX
0065180E CMP DWORD PTR SS:[EBP-C],0
00651812 JE SHORT HprSnap5.0065181D
00651814 MOV EDX,DWORD PTR SS:[EBP-8]
00651817 OR EDX,1
0065181A MOV DWORD PTR SS:[EBP-8],EDX
0065181D MOV EAX,DWORD PTR SS:[EBP-8]
00651820 PUSH EAX
00651821 CALL DWORD PTR DS:[68A720] ; HprSnap5.0064A705
00651827 ADD ESP,4
0065182A POP EDI
0065182B POP ESI
0065182C POP EBX
0065182D MOV ESP,EBP
0065182F POP EBP
00651830 RETN
<--return
006622D2 ADD ESP,8
006622D5 PUSH EAX
006622D6 MOV ECX,DWORD PTR SS:[EBP-148C]
006622DC MOVSX EDX,BYTE PTR DS:[ECX+68A7A0]
006622E3 CALL DWORD PTR DS:[EDX*4+68A8E8] <--decoy only (decodes the value)
006622EA ADD ESP,4
006622ED MOV DWORD PTR SS:[EBP-1480],EAX
006622F3 MOV EAX,DWORD PTR SS:[EBP-1480] recovers the flag from above
006622F9 AND EAX,1
006622FC TEST EAX,EAX
006622FE JE HprSnap5.006623B2 <--this flag decides whether to jump
00662304 PUSHAD
00662305 XOR EAX,EAX
00662307 JNZ SHORT HprSnap5.0066230B
00662309 JMP SHORT HprSnap5.00662320
When EAX=1 (the branch is taken):
00662330 MOV ECX,DWORD PTR DS:[ECX*4+68C8E8] <--per-bucket displacement table (ECX holds the bucket index here; the instructions that load it are not shown)
00662337 MOV EAX,DWORD PTR SS:[EBP-1470]
0066233D XOR EDX,EDX
0066233F MOV ESI,10
00662344 DIV ESI
00662346 MOV EAX,DWORD PTR SS:[EBP-1470]
0066234C MOV ECX,DWORD PTR DS:[ECX+EAX*4]
0066234F XOR ECX,DWORD PTR SS:[EBP+EDX*4-1174] <--jump displacement: the table entry XORed with one of 16 key dwords at [EBP-1174], selected by @② mod 16 (EDX from the DIV above)
00662356 MOV EDX,DWORD PTR SS:[EBP-13B0]
0066235C ADD EDX,ECX
0066235E MOV DWORD PTR SS:[EBP-13B0],EDX <--the jump target: address after the CC + displacement
00662364 PUSH ECX
00662365 BSWAP ECX
When EAX=0 (the branch is not taken):
006623BD MOV EAX,DWORD PTR SS:[EBP-119C]
006623C3 MOV ECX,DWORD PTR DS:[EAX*4+68CA10]
006623CA MOV EDX,DWORD PTR SS:[EBP-1470]
006623D0 XOR EAX,EAX
006623D2 MOV AL,BYTE PTR DS:[ECX+EDX] <--fetch (length of the original jump instruction) - 1, i.e. the number of bytes that followed the CC byte; the values seen are 01, 04 and 05
Table (one of the 16 length tables; the pointer comes from 0068CA10[@①]):
003AF160 04 01 05 05 04 01 05 04
003AF168 05 01 05 01 04 05 01 01
003AF170 01 05 01 05 01 01 01 05
003AF178 01 05 01 01 01 01 01 01
003AF180 01 04 05 04 05 01 01 05
003AF188 01 05 01 01 01 01 04 01
003AF190 01 05 01 04 01 01 04 01
003AF198 05 01 01 05 01 05 01 04
003AF1A0 04 01 04 01 01 01 01 01
003AF1A8 01 01 05 01 05 05 01 05
003AF1B0 05 04 01 01 05 04 01 01
003AF1B8 05 01 01 04 04 04 05 01
003AF1C0 04 01 01 01 01 04 01 01
003AF1C8 01 01 05 01 05 01 01 04
003AF1D0 01 05 01 05 01 01 01 05
003AF1D8 01 05 05 05 01 01 04 01
003AF1E0 01 01 01 05 05 01 05 01
003AF1E8 05 01 05 01 05 05 01 01
003AF1F0 04 01 04 01 01 04 01 01
003AF1F8 01 01 01 01 01 01 04 04
003AF200 05 01 04 01 05 01 04 01
006623D5 MOV ECX,DWORD PTR SS:[EBP-13B0]
006623DB ADD ECX,EAX
006623DD MOV DWORD PTR SS:[EBP-13B0],ECX <--the new Eip for the child: it skips the rest of the replaced instruction
006623E3 PUSH EAX
006623E4 NOT EAX
006623E6 BSWAP EAX
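The lookup and Eip fix-up traced between 006620CC and 006623DD, as an added C model that is neither part of this post nor Armadillo's own code. The per-bucket tables, the 16 key dwords at [EBP-1174] and the sample addresses are constructed for illustration; the branch-taken flag is passed in, standing in for the result of the EFLAGS evaluator.

```c
#include <stdint.h>
#include <stddef.h>

/* Added example: parent-side decision logic for one CC, on constructed data. */

#define KEYS 16   /* the DIV by 10h at 00662344 selects one of 16 key dwords */

/* One bucket (selected by @1) as the page's tables describe it. */
struct bucket {
    size_t          count;       /* 0068C988[@1] */
    const uint32_t *hashes;      /* 0068C928[@1]: sorted ascending, searched at 006620E9 */
    const uint8_t  *types;       /* 0068C9C8[@1]: @3 */
    const uint32_t *enc_offsets; /* 0068C8E8[@1]: XORed with key[@2 % 16] at 0066234F */
    const uint8_t  *rem_len;     /* 0068CA10[@1]: original instruction length - 1 */
};

/* Binary search 006620E9..00662151 (a lower bound), then the equality check
 * at 0066218F/00662195. Returns @2, or -1 when the CC is not in the table.
 * The original has no bounds check before the final compare; this adds one. */
int find_index(const struct bucket *b, uint32_t key)
{
    size_t lo = 0, hi = b->count;          /* [EBP-1470], [EBP-1190] */
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;   /* [EBP-1474] */
        if (key > b->hashes[mid])          /* JBE at 00662132 not taken */
            lo = mid + 1;
        else
            hi = mid;
    }
    if (lo >= b->count || b->hashes[lo] != key)
        return -1;                         /* path to 006624AD */
    return (int)lo;
}

/* 00662210..00662261: @4 = @3 / 16, @5 = @3 % 16, with @5 bumped by one
 * modulo 16 when the two halves collide. */
void split_type(uint8_t t, int *hi, int *lo)
{
    *hi = t >> 4;
    *lo = t & 0xF;
    if (*hi == *lo)
        *lo = (*lo + 1) & 0xF;
}
int type_hi(uint8_t t) { int hi, lo; split_type(t, &hi, &lo); return hi; }
int type_lo(uint8_t t) { int hi, lo; split_type(t, &hi, &lo); return lo; }

/* 00662304..006623DD: compute the child's new Eip. */
uint32_t resolve_eip(const struct bucket *b, const uint32_t key[KEYS],
                     uint32_t eip_after_cc, int idx, int take_branch)
{
    if (take_branch) {
        uint32_t disp = b->enc_offsets[idx] ^ key[idx % KEYS];
        return eip_after_cc + disp;                 /* 0066235C */
    }
    return eip_after_cc + b->rem_len[idx];          /* 006623DB */
}

/* Constructed sample bucket: three CCs, hashes already sorted (assumption). */
static const uint32_t s_hashes[] = { 0x00001000, 0x00002000, 0x00003000 };
static const uint8_t  s_types[]  = { 0x41, 0x33, 0x7F };
static const uint32_t s_encoff[] = { 0x1234 ^ 0x10, 0xFFFFFFF0u ^ 0x11, 0x40 ^ 0x12 };
static const uint8_t  s_remlen[] = { 1, 4, 5 };
static const struct bucket sample = { 3, s_hashes, s_types, s_encoff, s_remlen };
static const uint32_t sample_keys[KEYS] = {
    0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
    0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F
};

/* Full handling of one CC whose post-CC address hashed to `key`.
 * Returns 0 when the CC is unknown (the parent then leaves it alone). */
uint32_t handle_cc(uint32_t eip_after_cc, uint32_t key, int take_branch)
{
    int idx = find_index(&sample, key);
    if (idx < 0)
        return 0;
    return resolve_eip(&sample, sample_keys, eip_after_cc, idx, take_branch);
}
```

Two things this makes visible that the listing alone does not: the search key is the hash of the address, not the address, so a CC at an address that collides in hash would be misidentified by the parent; and in the not-taken case the child is simply advanced past the replaced instruction, which is why a repair tool only needs the length byte for that half.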
That is the whole CC handling process. To repair a CC you must know
1. the jump type
2. the jump length
From the process above, the second is easy to obtain (the byte fetched at 006623D2 plus one) and is not discussed further.
Now the first condition, the jump type:
In the process above,
006622CC CALL DWORD PTR SS:[EBP-147C] <--EFLAGS evaluation function; returns the branch-taken flag
is the call that actually produces the branch flag. The function pointer is assigned at
0066228E MOV DWORD PTR SS:[EBP-147C],EAX <--address of the EFLAGS evaluation function
so how is that address computed?
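One way to turn those two pieces of information into an actual repair, as an added example that is neither the author's nor Armadillo's code: given the branch condition (the mapping from @③ to an x86 condition code is not established on this page, so it is passed in as a parameter), the remaining-length byte from the table, and the displacement the handler adds in the taken case, rebuild the branch instruction the CC replaced. The lengths the table yields (01, 04, 05 plus one) are 2, 5 and 6 bytes, which are exactly the short branch, near JMP and near Jcc encodings.

```c
#include <stdint.h>
#include <stddef.h>

/* Added example: rebuild the branch a CC replaced, from (condition, length, displacement). */

/* rem_len is the byte the handler adds in the not-taken case: original length - 1. */
size_t original_length(uint8_t rem_len) { return (size_t)rem_len + 1; }

/* Emit the instruction at cc_addr, the address of the 0xCC byte.
 * cc is the x86 condition code (0..15, as in 7x / 0F 8x), or -1 for JMP.
 * disp is what the handler adds to the post-CC address when the branch is
 * taken, so the target is cc_addr + 1 + disp; the rel operand of the rebuilt
 * instruction is measured from the end of that instruction.
 * Returns bytes written, or 0 when (cc, length) is not a valid encoding
 * or the displacement does not fit in rel8. */
size_t rebuild_branch(uint8_t out[6], uint32_t cc_addr, int cc, uint8_t rem_len, int32_t disp)
{
    size_t   len    = original_length(rem_len);
    uint32_t target = cc_addr + 1 + (uint32_t)disp;
    int32_t  rel    = (int32_t)(target - (cc_addr + (uint32_t)len));

    if (len == 2) {                                 /* EB rel8 or 7x rel8 */
        if (rel < -128 || rel > 127) return 0;
        out[0] = (cc < 0) ? 0xEB : (uint8_t)(0x70 | (cc & 0xF));
        out[1] = (uint8_t)rel;
        return 2;
    }
    if (len == 5 && cc < 0) {                       /* E9 rel32 */
        out[0] = 0xE9;
        for (int i = 0; i < 4; i++) out[1 + i] = (uint8_t)((uint32_t)rel >> (8 * i));
        return 5;
    }
    if (len == 6 && cc >= 0) {                      /* 0F 8x rel32 */
        out[0] = 0x0F;
        out[1] = (uint8_t)(0x80 | (cc & 0xF));
        for (int i = 0; i < 4; i++) out[2 + i] = (uint8_t)((uint32_t)rel >> (8 * i));
        return 6;
    }
    return 0;
}

/* Pointer-free accessors so the result can be checked one byte at a time. */
size_t rebuilt_len(uint32_t cc_addr, int cc, uint8_t rem_len, int32_t disp)
{
    uint8_t buf[6] = {0};
    return rebuild_branch(buf, cc_addr, cc, rem_len, disp);
}

uint8_t rebuilt_byte(uint32_t cc_addr, int cc, uint8_t rem_len, int32_t disp, size_t i)
{
    uint8_t buf[6] = {0};
    size_t n = rebuild_branch(buf, cc_addr, cc, rem_len, disp);
    return (i < n) ? buf[i] : 0;
}
```

The arithmetic reduces to rel = disp - rem_len, which is worth keeping in mind when eyeballing a dumped displacement table against the original code: a short JMP with displacement 10h in the handler's terms is `EB 0F` in the file.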
00662267 MOV ECX,DWORD PTR SS:[EBP-148C] <--@③
0066226D MOV EDX,DWORD PTR SS:[EBP-1484] <--@④
00662273 MOV EAX,DWORD PTR DS:[ECX*4+68BF38]
0066227A XOR EAX,DWORD PTR DS:[EDX*4+6862AC]
00662281 MOV ECX,DWORD PTR SS:[EBP-1488] <--@⑤
00662287 XOR EAX,DWORD PTR DS:[ECX*4+6862AC]
0066228E MOV DWORD PTR SS:[EBP-147C],EAX <--计算EFL函数地址值
Looking at this, the EFLAGS evaluation function is computed by table lookups on the parameters @③, @④ and @⑤, and
0066220A MOV DWORD PTR SS:[EBP-148C],EAX <--@③
00662210 MOV EAX,DWORD PTR SS:[EBP-148C]
00662216 CDQ
00662217 AND EDX,0F
0066221A ADD EAX,EDX
0066221C SAR EAX,4
0066221F MOV DWORD PTR SS:[EBP-1484],EAX <--@④
00662225 MOV ECX,DWORD PTR SS:[EBP-148C]
0066222B AND ECX,8000000F
00662231 JNS SHORT HprSnap5.00662238
00662233 DEC ECX
00662234 OR ECX,FFFFFFF0
00662237 INC ECX
00662238 MOV DWORD PTR SS:[EBP-1488],ECX <--@⑤
0066223E MOV EDX,DWORD PTR SS:[EBP-1484]
00662244 CMP EDX,DWORD PTR SS:[EBP-1488]
0066224A JNZ SHORT HprSnap5.00662267
0066224C MOV EAX,DWORD PTR SS:[EBP-1488]
00662252 ADD EAX,1
00662255 AND EAX,8000000F
0066225A JNS SHORT HprSnap5.00662261
0066225C DEC EAX
0066225D OR EAX,FFFFFFF0
00662260 INC EAX
00662261 MOV DWORD PTR SS:[EBP-1488],EAX <--@⑤_II (补)
which shows that @④ and @⑤ are both split off from @③, so @③ is the key parameter. It is therefore reasonable to regard @③ as the jump-type flag.
This is only my own analysis and may well be wrong; treat it as a conjecture!
End of article.
fxyang
2004.11.14