[分享]一个ASProtect加壳的DLL脱壳兼求解
2004-11-27 11:29 3568
昨天在这看到一个DLL,无事就下了试试,PEiD查出是ASProtect 1.23 RC4,但看了壳代码以后,不知道是什么版本加的壳,本想脱了写篇文章发表,但无能为力,就把已经完成的部分写下来吧。
WIN2000SP4+OD1.1
OD1.1载入DLL:忽略所有异常,用插件隐藏OD,然后载入dll文件,停在这里:
10055001 P> 60 pushad
10055002 E8 03000000 call test.1005500A
10055007 - E9 EB045D45 jmp 556254F7
1005500C 55 push ebp
1005500D C3 retn
****补上一段找OEP
忽略除内存异常以外的所有异常
连续按Shift+F9,当出现如下内容
0006F844 0006F850 指针到下一个 SEH 记录
0006F848 0089039D SE 句柄
0006F84C 008A04C0
0006F850 0006F8A4 指针到下一个 SEH 记录
0006F854 00890DE5 SE 句柄
0006F858 0006F89C
0006F85C 00870000
0006F860 003D0000
0006F864 00890008
0006F868 00000000
0006F86C 00B01140 ASCII "8AcRFABAWEc="
(硬盘指纹)时,打开Alt+M,在test.dll的code段上下内存访问断点,
接着继续按几次SHIFT+F9可到达OEP。
10035829 . 55 push ebp ***OEP
1003582A . 8BEC mov ebp,esp
1003582C . 68 93DE0210 push TEST.1002DE93 ; SE handler installation
10035831 . 64:FF35 00000000 push dword ptr fs:[0]
10035838 . 64:8925 00000000 mov dword ptr fs:[0],esp
1003583F . EB 21 jmp short test.10035862
10035841 . 42 inc edx
10035842 . 59 pop ecx
10035843 . B8 A8D6FAB9 mov eax,B9FAD6A8
10035848 . A4 movs byte ptr es:[edi],byte ptr ds:[esi]
10035849 . BE DFB8F6C8 mov esi,C8F6B8DF
1003584E . CB retf
一、寻找重定位表:
设置断点
bp GetModuleHandleA
按两次Shift+F9后返回到:
00C194A6 FF95 EC314400 call dword ptr ss:[ebp+4431EC]
00C194AC 85C0 test eax,eax ; KERNEL32.77E60000
//断在这儿
00C194AE 75 07 jnz short 00C194B7
00C194B0 53 push ebx
ctrl+s直接查找如下代码串
mov dx,word ptr ds:[ebx]
movzx eax,dx
shr eax,0C
sub ax,1
找到后向上查看,代码如下:
00C0EDAF 8B4424 0C mov eax,dword ptr ss:[esp+C]
00C0EDB3 A3 804BC100 mov dword ptr ds:[C14B80],eax
00C0EDB8 8B4424 08 mov eax,dword ptr ss:[esp+8]
00C0EDBC A3 7C4BC100 mov dword ptr ds:[C14B7C],eax
00C0EDC1 833C24 00 cmp dword ptr ss:[esp],0
00C0EDC5 74 5D je short 00C0EE24
//此处下断,F8后修改Z=0,以便运行下面程序段
00C0EDC7 035C24 04 add ebx,dword ptr ss:[esp+4]
//这儿F8后ebx=1004F000 这就是重定位表的RVA=4F000
00C0EDCB EB 51 jmp short 00C0EE1E
00C0EDCD 8D43 04 lea eax,dword ptr ds:[ebx+4]
00C0EDD0 8B00 mov eax,dword ptr ds:[eax]
00C0EDD2 83E8 08 sub eax,8
00C0EDD5 D1E8 shr eax,1
00C0EDD7 8BFA mov edi,edx
00C0EDD9 037C24 04 add edi,dword ptr ss:[esp+4]
00C0EDDD 83C3 08 add ebx,8
00C0EDE0 8BF0 mov esi,eax
00C0EDE2 85F6 test esi,esi
00C0EDE4 76 38 jbe short 00C0EE1E
00C0EDE6 66:8B13 mov dx,word ptr ds:[ebx]
00C0EDE9 0FB7C2 movzx eax,dx
00C0EDEC C1E8 0C shr eax,0C
00C0EDEF 66:83E8 01 sub ax,1
00C0EDF3 72 23 jb short 00C0EE18
00C0EDF5 66:83E8 02 sub ax,2
00C0EDF9 74 02 je short 00C0EDFD
00C0EDFB EB 11 jmp short 00C0EE0E
00C0EDFD 66:81E2 FF0F and dx,0FFF
00C0EE02 0FB7C2 movzx eax,dx
00C0EE05 03C7 add eax,edi
00C0EE07 8B1424 mov edx,dword ptr ss:[esp]
00C0EE0A 0110 add dword ptr ds:[eax],edx
00C0EE0C EB 0A jmp short 00C0EE18
00C0EE0E 68 44EEC000 push 0C0EE44 ; ASCII "34
"
00C0EE13 E8 9C4FFFFF call 00C03DB4
00C0EE18 83C3 02 add ebx,2
00C0EE1B 4E dec esi
00C0EE1C ^ 75 C8 jnz short 00C0EDE6
00C0EE1E 8B13 mov edx,dword ptr ds:[ebx]
00C0EE20 85D2 test edx,edx
00C0EE22 ^ 75 A9 jnz short 00C0EDCD
00C0EE24 83C4 14 add esp,14
//在此处断下,EBX=1005474C
00C0EE27 5D pop ebp
00C0EE28 5F pop edi
00C0EE29 5E pop esi
00C0EE2A 5B pop ebx
00C0EE2B C3 retn
到此可以算出重定位表的值:
RVA=4F000,Size=5474C-4F000=574C
二、避开IAT加密
(按2.0的脱法操作,但无法断下;这一步我无法完成,只能等高人指点了)
重新加载DLL
bp GetModuleHandleA
按两次Shift+F9后返回到:
00C194AC 85C0 test eax,eax ; KERNEL32.77E60000
00C194AE 75 07 jnz short 00C194B7
00C194B0 53 push ebx
00C194B1 FF95 F0314400 call dword ptr ss:[ebp+4431F0]
00C194B7 8985 4D294400 mov dword ptr ss:[ebp+44294D],eax
00C194BD C785 51294400 00000>mov dword ptr ss:[ebp+442951],0
00C194C7 8B95 D8304400 mov edx,dword ptr ss:[ebp+4430D8]
00C194CD 8B06 mov eax,dword ptr ds:[esi]
00C194CF 85C0 test eax,eax
00C194D1 75 03 jnz short 00C194D6
00C194D3 8B46 10 mov eax,dword ptr ds:[esi+10]
00C194D6 03C2 add eax,edx
00C194D8 0385 51294400 add eax,dword ptr ss:[ebp+442951]
00C194DE 8B18 mov ebx,dword ptr ds:[eax]
00C194E0 8B7E 10 mov edi,dword ptr ds:[esi+10]
00C194E3 03FA add edi,edx
00C194E5 03BD 51294400 add edi,dword ptr ss:[ebp+442951]
00C194EB 85DB test ebx,ebx
00C194ED 0F84 A2000000 je 00C19595
00C194F3 F7C3 00000080 test ebx,80000000
00C194F9 75 04 jnz short 00C194FF
00C194FB 03DA add ebx,edx
00C194FD 43 inc ebx
00C194FE 43 inc ebx
00C194FF 53 push ebx
00C19500 81E3 FFFFFF7F and ebx,7FFFFFFF
00C19506 53 push ebx
00C19507 FFB5 4D294400 push dword ptr ss:[ebp+44294D]
00C1950D FF95 E8314400 call dword ptr ss:[ebp+4431E8]
00C19513 85C0 test eax,eax
00C19515 5B pop ebx
00C19516 75 6F jnz short 00C19587
00C19518 F7C3 00000080 test ebx,80000000
00C1951E 75 19 jnz short 00C19539
00C19520 57 push edi
00C19521 8B46 0C mov eax,dword ptr ds:[esi+C]
00C19524 0385 D8304400 add eax,dword ptr ss:[ebp+4430D8]
00C1952A 50 push eax
00C1952B 53 push ebx
00C1952C 8D85 53314400 lea eax,dword ptr ss:[ebp+443153]
00C19532 50 push eax
00C19533 57 push edi
00C19534 E9 99000000 jmp 00C195D2
00C19539 81E3 FFFFFF7F and ebx,7FFFFFFF
00C1953F 8B85 DC304400 mov eax,dword ptr ss:[ebp+4430DC]
00C19545 3985 4D294400 cmp dword ptr ss:[ebp+44294D],eax
00C1954B 75 24 jnz short 00C19571
00C1954D 57 push edi
00C1954E 8BD3 mov edx,ebx
00C19550 4A dec edx
00C19551 C1E2 02 shl edx,2
00C19554 8B9D 4D294400 mov ebx,dword ptr ss:[ebp+44294D]
00C1955A 8B7B 3C mov edi,dword ptr ds:[ebx+3C]
00C1955D 8B7C3B 78 mov edi,dword ptr ds:[ebx+edi+78]
00C19561 035C3B 1C add ebx,dword ptr ds:[ebx+edi+1C]
00C19565 8B0413 mov eax,dword ptr ds:[ebx+edx]
00C19568 0385 4D294400 add eax,dword ptr ss:[ebp+44294D]
00C1956E 5F pop edi
00C1956F EB 16 jmp short 00C19587
00C19571 57 push edi
00C19572 8B46 0C mov eax,dword ptr ds:[esi+C]
00C19575 0385 D8304400 add eax,dword ptr ss:[ebp+4430D8]
00C1957B 50 push eax
00C1957C 53 push ebx
00C1957D 8D85 A4314400 lea eax,dword ptr ss:[ebp+4431A4]
00C19583 50 push eax
00C19584 57 push edi
00C19585 EB 4B jmp short 00C195D2
00C19587 8907 mov dword ptr ds:[edi],eax
00C19589 8385 51294400 04 add dword ptr ss:[ebp+442951],4
00C19590 ^ E9 32FFFFFF jmp 00C194C7
00C19595 8906 mov dword ptr ds:[esi],eax
00C19597 8946 0C mov dword ptr ds:[esi+C],eax
00C1959A 8946 10 mov dword ptr ds:[esi+10],eax
00C1959D 83C6 14 add esi,14
00C195A0 8B95 D8304400 mov edx,dword ptr ss:[ebp+4430D8]
00C195A6 ^ E9 EBFEFFFF jmp 00C19496
00C195AB 8B85 652A4400 mov eax,dword ptr ss:[ebp+442A65]
00C195B1 50 push eax
00C195B2 0385 D8304400 add eax,dword ptr ss:[ebp+4430D8]
00C195B8 5B pop ebx
00C195B9 0BDB or ebx,ebx
00C195BB 8985 112F4400 mov dword ptr ss:[ebp+442F11],eax
00C195C1 61 popad
00C195C2 75 08 jnz short 00C195CC
00C195C4 B8 01000000 mov eax,1
00C195C9 C2 0C00 retn 0C
00C195CC 68 00000000 push 0
00C195D1 C3 retn
//运行到这儿断下,C195CC处会压入一个值
以下完成不了了 :(
晚上无事,又打开跟了跟,跟到如下处理IAT的代码段了,一步一步来吧(上面是WIN2000下的地址,这儿是笔记本上XP下的地址)
008858C3 8B43 08 mov eax,dword ptr ds:[ebx+8]
008858C6 8B30 mov esi,dword ptr ds:[eax]
008858C8 8343 08 04 add dword ptr ds:[ebx+8],4
008858CC 8B43 08 mov eax,dword ptr ds:[ebx+8]
008858CF 8A00 mov al,byte ptr ds:[eax]
008858D1 884424 07 mov byte ptr ss:[esp+7],al
008858D5 FF43 08 inc dword ptr ds:[ebx+8]
008858D8 85F6 test esi,esi
008858DA 75 1A jnz short 008858F6
008858DC EB 01 jmp short 008858DF
008858DE 698B C7E876CC FEFFB>imul ecx,dword ptr ds:[ebx+CC76E8C7],1B0FFFE
008858E8 E9 D0030000 jmp 00885CBD
008858ED - E9 E9CA0300 jmp 008C23DB
008858F2 00EB add bl,ch
008858F4 01E8 add eax,ebp
008858F6 337424 28 xor esi,dword ptr ss:[esp+28]
008858FA 0373 3C add esi,dword ptr ds:[ebx+3C]
008858FD 8B43 08 mov eax,dword ptr ds:[ebx+8]
00885900 8A00 mov al,byte ptr ds:[eax]
00885902 FF43 08 inc dword ptr ds:[ebx+8]
00885905 33D2 xor edx,edx
00885907 8AD0 mov dl,al
00885909 8BC7 mov eax,edi
0088590B E8 48F4FFFF call 00884D58
00885910 894424 14 mov dword ptr ss:[esp+14],eax
00885914 8B43 08 mov eax,dword ptr ds:[ebx+8]
00885917 8A00 mov al,byte ptr ds:[eax]
00885919 FF43 08 inc dword ptr ds:[ebx+8]
0088591C 84C0 test al,al //此处根据AL的值进行处理,要写PATCH了
0088591E 75 20 jnz short 00885940
DLL文件
忘了说了,谁搞定了请不吝赐教:)
WIN2000SP4+OD1.1
OD1.1载入DLL:忽略所有异常,用插件隐藏OD,然后载入dll文件,停在这里:
10055001 P> 60 pushad
10055002 E8 03000000 call test.1005500A
10055007 - E9 EB045D45 jmp 556254F7
1005500C 55 push ebp
1005500D C3 retn
****补上一段找OEP
忽略除内存异常以外的所有异常
连续按Shift+F9,当出现如下内容
0006F844 0006F850 指针到下一个 SEH 记录
0006F848 0089039D SE 句柄
0006F84C 008A04C0
0006F850 0006F8A4 指针到下一个 SEH 记录
0006F854 00890DE5 SE 句柄
0006F858 0006F89C
0006F85C 00870000
0006F860 003D0000
0006F864 00890008
0006F868 00000000
0006F86C 00B01140 ASCII "8AcRFABAWEc="
(硬盘指纹)时,打开Alt+M,在test.dll的code段上下内存访问断点,
接着继续按几次SHIFT+F9可到达OEP。
10035829 . 55 push ebp ***OEP
1003582A . 8BEC mov ebp,esp
1003582C . 68 93DE0210 push TEST.1002DE93 ; SE handler installation
10035831 . 64:FF35 00000000 push dword ptr fs:[0]
10035838 . 64:8925 00000000 mov dword ptr fs:[0],esp
1003583F . EB 21 jmp short test.10035862
10035841 . 42 inc edx
10035842 . 59 pop ecx
10035843 . B8 A8D6FAB9 mov eax,B9FAD6A8
10035848 . A4 movs byte ptr es:[edi],byte ptr ds:[esi]
10035849 . BE DFB8F6C8 mov esi,C8F6B8DF
1003584E . CB retf
一、寻找重定位表:
设置断点
bp GetModuleHandleA
按两次Shift+F9后返回到:
00C194A6 FF95 EC314400 call dword ptr ss:[ebp+4431EC]
00C194AC 85C0 test eax,eax ; KERNEL32.77E60000
//断在这儿
00C194AE 75 07 jnz short 00C194B7
00C194B0 53 push ebx
ctrl+s直接查找如下代码串
mov dx,word ptr ds:[ebx]
movzx eax,dx
shr eax,0C
sub ax,1
找到后向上查看,代码如下:
00C0EDAF 8B4424 0C mov eax,dword ptr ss:[esp+C]
00C0EDB3 A3 804BC100 mov dword ptr ds:[C14B80],eax
00C0EDB8 8B4424 08 mov eax,dword ptr ss:[esp+8]
00C0EDBC A3 7C4BC100 mov dword ptr ds:[C14B7C],eax
00C0EDC1 833C24 00 cmp dword ptr ss:[esp],0
00C0EDC5 74 5D je short 00C0EE24
//此处下断,F8后修改Z=0,以便运行下面程序段
00C0EDC7 035C24 04 add ebx,dword ptr ss:[esp+4]
//这儿F8后ebx=1004F000 这就是重定位表的RVA=4F000
00C0EDCB EB 51 jmp short 00C0EE1E
00C0EDCD 8D43 04 lea eax,dword ptr ds:[ebx+4]
00C0EDD0 8B00 mov eax,dword ptr ds:[eax]
00C0EDD2 83E8 08 sub eax,8
00C0EDD5 D1E8 shr eax,1
00C0EDD7 8BFA mov edi,edx
00C0EDD9 037C24 04 add edi,dword ptr ss:[esp+4]
00C0EDDD 83C3 08 add ebx,8
00C0EDE0 8BF0 mov esi,eax
00C0EDE2 85F6 test esi,esi
00C0EDE4 76 38 jbe short 00C0EE1E
00C0EDE6 66:8B13 mov dx,word ptr ds:[ebx]
00C0EDE9 0FB7C2 movzx eax,dx
00C0EDEC C1E8 0C shr eax,0C
00C0EDEF 66:83E8 01 sub ax,1
00C0EDF3 72 23 jb short 00C0EE18
00C0EDF5 66:83E8 02 sub ax,2
00C0EDF9 74 02 je short 00C0EDFD
00C0EDFB EB 11 jmp short 00C0EE0E
00C0EDFD 66:81E2 FF0F and dx,0FFF
00C0EE02 0FB7C2 movzx eax,dx
00C0EE05 03C7 add eax,edi
00C0EE07 8B1424 mov edx,dword ptr ss:[esp]
00C0EE0A 0110 add dword ptr ds:[eax],edx
00C0EE0C EB 0A jmp short 00C0EE18
00C0EE0E 68 44EEC000 push 0C0EE44 ; ASCII "34
"
00C0EE13 E8 9C4FFFFF call 00C03DB4
00C0EE18 83C3 02 add ebx,2
00C0EE1B 4E dec esi
00C0EE1C ^ 75 C8 jnz short 00C0EDE6
00C0EE1E 8B13 mov edx,dword ptr ds:[ebx]
00C0EE20 85D2 test edx,edx
00C0EE22 ^ 75 A9 jnz short 00C0EDCD
00C0EE24 83C4 14 add esp,14
//在此处断下,EBX=1005474C
00C0EE27 5D pop ebp
00C0EE28 5F pop edi
00C0EE29 5E pop esi
00C0EE2A 5B pop ebx
00C0EE2B C3 retn
到此可以算出重定位表的值:
RVA=4F000,Size=5474C-4F000=574C
二、避开IAT加密
(按2.0的脱法操作,但无法断下;这一步我无法完成,只能等高人指点了)
重新加载DLL
bp GetModuleHandleA
按两次Shift+F9后返回到:
00C194AC 85C0 test eax,eax ; KERNEL32.77E60000
00C194AE 75 07 jnz short 00C194B7
00C194B0 53 push ebx
00C194B1 FF95 F0314400 call dword ptr ss:[ebp+4431F0]
00C194B7 8985 4D294400 mov dword ptr ss:[ebp+44294D],eax
00C194BD C785 51294400 00000>mov dword ptr ss:[ebp+442951],0
00C194C7 8B95 D8304400 mov edx,dword ptr ss:[ebp+4430D8]
00C194CD 8B06 mov eax,dword ptr ds:[esi]
00C194CF 85C0 test eax,eax
00C194D1 75 03 jnz short 00C194D6
00C194D3 8B46 10 mov eax,dword ptr ds:[esi+10]
00C194D6 03C2 add eax,edx
00C194D8 0385 51294400 add eax,dword ptr ss:[ebp+442951]
00C194DE 8B18 mov ebx,dword ptr ds:[eax]
00C194E0 8B7E 10 mov edi,dword ptr ds:[esi+10]
00C194E3 03FA add edi,edx
00C194E5 03BD 51294400 add edi,dword ptr ss:[ebp+442951]
00C194EB 85DB test ebx,ebx
00C194ED 0F84 A2000000 je 00C19595
00C194F3 F7C3 00000080 test ebx,80000000
00C194F9 75 04 jnz short 00C194FF
00C194FB 03DA add ebx,edx
00C194FD 43 inc ebx
00C194FE 43 inc ebx
00C194FF 53 push ebx
00C19500 81E3 FFFFFF7F and ebx,7FFFFFFF
00C19506 53 push ebx
00C19507 FFB5 4D294400 push dword ptr ss:[ebp+44294D]
00C1950D FF95 E8314400 call dword ptr ss:[ebp+4431E8]
00C19513 85C0 test eax,eax
00C19515 5B pop ebx
00C19516 75 6F jnz short 00C19587
00C19518 F7C3 00000080 test ebx,80000000
00C1951E 75 19 jnz short 00C19539
00C19520 57 push edi
00C19521 8B46 0C mov eax,dword ptr ds:[esi+C]
00C19524 0385 D8304400 add eax,dword ptr ss:[ebp+4430D8]
00C1952A 50 push eax
00C1952B 53 push ebx
00C1952C 8D85 53314400 lea eax,dword ptr ss:[ebp+443153]
00C19532 50 push eax
00C19533 57 push edi
00C19534 E9 99000000 jmp 00C195D2
00C19539 81E3 FFFFFF7F and ebx,7FFFFFFF
00C1953F 8B85 DC304400 mov eax,dword ptr ss:[ebp+4430DC]
00C19545 3985 4D294400 cmp dword ptr ss:[ebp+44294D],eax
00C1954B 75 24 jnz short 00C19571
00C1954D 57 push edi
00C1954E 8BD3 mov edx,ebx
00C19550 4A dec edx
00C19551 C1E2 02 shl edx,2
00C19554 8B9D 4D294400 mov ebx,dword ptr ss:[ebp+44294D]
00C1955A 8B7B 3C mov edi,dword ptr ds:[ebx+3C]
00C1955D 8B7C3B 78 mov edi,dword ptr ds:[ebx+edi+78]
00C19561 035C3B 1C add ebx,dword ptr ds:[ebx+edi+1C]
00C19565 8B0413 mov eax,dword ptr ds:[ebx+edx]
00C19568 0385 4D294400 add eax,dword ptr ss:[ebp+44294D]
00C1956E 5F pop edi
00C1956F EB 16 jmp short 00C19587
00C19571 57 push edi
00C19572 8B46 0C mov eax,dword ptr ds:[esi+C]
00C19575 0385 D8304400 add eax,dword ptr ss:[ebp+4430D8]
00C1957B 50 push eax
00C1957C 53 push ebx
00C1957D 8D85 A4314400 lea eax,dword ptr ss:[ebp+4431A4]
00C19583 50 push eax
00C19584 57 push edi
00C19585 EB 4B jmp short 00C195D2
00C19587 8907 mov dword ptr ds:[edi],eax
00C19589 8385 51294400 04 add dword ptr ss:[ebp+442951],4
00C19590 ^ E9 32FFFFFF jmp 00C194C7
00C19595 8906 mov dword ptr ds:[esi],eax
00C19597 8946 0C mov dword ptr ds:[esi+C],eax
00C1959A 8946 10 mov dword ptr ds:[esi+10],eax
00C1959D 83C6 14 add esi,14
00C195A0 8B95 D8304400 mov edx,dword ptr ss:[ebp+4430D8]
00C195A6 ^ E9 EBFEFFFF jmp 00C19496
00C195AB 8B85 652A4400 mov eax,dword ptr ss:[ebp+442A65]
00C195B1 50 push eax
00C195B2 0385 D8304400 add eax,dword ptr ss:[ebp+4430D8]
00C195B8 5B pop ebx
00C195B9 0BDB or ebx,ebx
00C195BB 8985 112F4400 mov dword ptr ss:[ebp+442F11],eax
00C195C1 61 popad
00C195C2 75 08 jnz short 00C195CC
00C195C4 B8 01000000 mov eax,1
00C195C9 C2 0C00 retn 0C
00C195CC 68 00000000 push 0
00C195D1 C3 retn
//运行到这儿断下,C195CC处会压入一个值
以下完成不了了 :(
晚上无事,又打开跟了跟,跟到如下处理IAT的代码段了,一步一步来吧(上面是WIN2000下的地址,这儿是笔记本上XP下的地址)
008858C3 8B43 08 mov eax,dword ptr ds:[ebx+8]
008858C6 8B30 mov esi,dword ptr ds:[eax]
008858C8 8343 08 04 add dword ptr ds:[ebx+8],4
008858CC 8B43 08 mov eax,dword ptr ds:[ebx+8]
008858CF 8A00 mov al,byte ptr ds:[eax]
008858D1 884424 07 mov byte ptr ss:[esp+7],al
008858D5 FF43 08 inc dword ptr ds:[ebx+8]
008858D8 85F6 test esi,esi
008858DA 75 1A jnz short 008858F6
008858DC EB 01 jmp short 008858DF
008858DE 698B C7E876CC FEFFB>imul ecx,dword ptr ds:[ebx+CC76E8C7],1B0FFFE
008858E8 E9 D0030000 jmp 00885CBD
008858ED - E9 E9CA0300 jmp 008C23DB
008858F2 00EB add bl,ch
008858F4 01E8 add eax,ebp
008858F6 337424 28 xor esi,dword ptr ss:[esp+28]
008858FA 0373 3C add esi,dword ptr ds:[ebx+3C]
008858FD 8B43 08 mov eax,dword ptr ds:[ebx+8]
00885900 8A00 mov al,byte ptr ds:[eax]
00885902 FF43 08 inc dword ptr ds:[ebx+8]
00885905 33D2 xor edx,edx
00885907 8AD0 mov dl,al
00885909 8BC7 mov eax,edi
0088590B E8 48F4FFFF call 00884D58
00885910 894424 14 mov dword ptr ss:[esp+14],eax
00885914 8B43 08 mov eax,dword ptr ds:[ebx+8]
00885917 8A00 mov al,byte ptr ds:[eax]
00885919 FF43 08 inc dword ptr ds:[ebx+8]
0088591C 84C0 test al,al //此处根据AL的值进行处理,要写PATCH了
0088591E 75 20 jnz short 00885940
DLL文件
忘了说了,谁搞定了请不吝赐教:)