I have recently been learning to unpack Armadillo, and I ran into this packed program that I cannot unpack by hand, so I would like to ask for advice?? Looking forward to an unpacking write-up.
Download address of the software: http://hyperionics.swmirror.com/HS6Setup.exe
PEiD packer detection:
Armadillo 3.78 - 4.xx -> Silicon Realms Toolworks [Overlay] (double process, appended data)
AFP protection-mode check:
!- Protected Armadillo
<Protection Options>
Standard protection or Minimum protection
CopyMem-II
Enable Import Table Elimination
Enable Memory-Patching Protections
<Backup Key Options>
Variable Backup Keys
Fixed Backup Keys
<Compression Options>
Better/Slower Compression
Best/Slowest Compression
--------------------------------------------------------------------
In OllyDbg, ignore all exceptions, load the program, and you land on the following code:
00718000 > 60 pushad //entry point
00718001 E8 00000000 call 00718006
00718006 5D pop ebp
00718007 50 push eax
00718008 51 push ecx
00718009 0FCA bswap edx
0071800B F7D2 not edx
0071800D 9C pushfd
Converting the double process into a single process
Set the breakpoint bp OpenMutexA, run with Shift+F9, and it breaks at the following code:
7C80EAAB > 8BFF mov edi, edi //breaks here
7C80EAAD 55 push ebp
7C80EAAE 8BEC mov ebp, esp
7C80EAB0 51 push ecx
7C80EAB1 51 push ecx
7C80EAB2 837D 10 00 cmp dword ptr [ebp+10], 0
7C80EAB6 56 push esi
Removing the IAT encryption:
Ctrl+G to go to 00401000 and manually add the following code:
00401000 60 pushad //right-click and set this as the new EIP
00401001 9C pushfd
00401002 68 B8DD1200 push 12DDB8 ; ASCII "5BC::DA3CC3BE78" //12DDB8 here is the address of MutexName as seen on the stack; change it to match your own
00401007 33C0 xor eax,eax
00401009 50 push eax
0040100A 50 push eax
0040100B E8 B5A6A577 call kernel32.CreateMutexA
00401010 9D popfd
00401011 61 popad
00401012 - E9 7A13A677 jmp kernel32.OpenMutexA
60 9C 68 B8 DD 12 00 33 C0 50 50 E8 B5 A6 A5 77 9D 61 E9 7A 13 A6 77 //the above code in byte form
After adding it, press F9 to run and it breaks; press F2 to remove the breakpoint and undo the modification.
Set the breakpoint BP GetModuleHandleA+5, keep running with Shift+F9 while watching the stack window; after a few passes the stack looks like this:
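The 23-byte stub above is position dependent: the E8/E9 operands are displacements relative to the next instruction, so they change with where the stub is placed and with the addresses of CreateMutexA/OpenMutexA in the kernel32 build of the session. The following Python encoder/decoder for exactly that stub is an added example, not code from the post; the function names, the address arguments and the `PAGE_STUB` constant (the byte string listed above) are my own.

```python
import struct

def _rel32(instr_addr, target):
    """Operand of a 5-byte E8/E9: displacement from the byte after the instruction."""
    return struct.pack("<I", (target - (instr_addr + 5)) & 0xFFFFFFFF)

def encode_mutex_stub(stub_base, mutex_name_addr, create_mutex_addr, open_mutex_addr):
    """Assemble the stub: create the mutex under saved registers, then fall into OpenMutexA.

    CreateMutexA(lpMutexAttributes, bInitialOwner, lpName) is stdcall, so the
    arguments are pushed right to left: lpName first, then two zeros from eax.
    """
    code = bytearray(b"\x60\x9c")                                 # pushad ; pushfd
    code += b"\x68" + struct.pack("<I", mutex_name_addr)          # push offset MutexName
    code += b"\x33\xc0\x50\x50"                                   # xor eax,eax ; push eax ; push eax
    code += b"\xe8" + _rel32(stub_base + len(code), create_mutex_addr)  # call CreateMutexA
    code += b"\x9d\x61"                                           # popfd ; popad
    code += b"\xe9" + _rel32(stub_base + len(code), open_mutex_addr)    # jmp OpenMutexA
    return bytes(code)

def decode_stub_targets(stub, stub_base):
    """Walk the stub's tiny opcode set and resolve the name pointer, call and jmp targets."""
    found = {}
    ip = 0
    while ip < len(stub):
        op = stub[ip]
        if op in (0x60, 0x9c, 0x50, 0x9d, 0x61):        # pushad/pushfd/push eax/popfd/popad
            ip += 1
        elif op == 0x33 and stub[ip + 1] == 0xc0:       # xor eax, eax
            ip += 2
        elif op == 0x68:                                 # push imm32 (MutexName pointer)
            found["mutex_name"] = struct.unpack_from("<I", stub, ip + 1)[0]
            ip += 5
        elif op in (0xe8, 0xe9):                         # call/jmp rel32
            rel = struct.unpack_from("<i", stub, ip + 1)[0]
            found["call" if op == 0xe8 else "jmp"] = (stub_base + ip + 5 + rel) & 0xFFFFFFFF
            ip += 5
        else:
            raise ValueError(f"unexpected opcode {op:#04x} at offset {ip}")
    return found

# The byte string listed in the post (constructed here from that line, not read from a binary).
PAGE_STUB = bytes.fromhex("60 9C 68 B8 DD 12 00 33 C0 50 50 E8 B5 A6 A5 77 9D 61 E9 7A 13 A6 77")
```

Decoding the post's bytes at 00401000 resolves the call to 77E5B6C5 and the jmp to 77E62391, which is not the kernel32 where the post's own bp OpenMutexA broke (7C80EAAB), so the byte string has to be re-encoded for the kernel32 loaded in the session rather than pasted verbatim.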
0012943C /0012EB50
00129440 |00FE5C65 返回到 00FE5C65 来自 kernel32.GetModuleHandleA
00129444 |01011BA8 ASCII "kernel32.dll"
00129448 |01012B44 ASCII "VirtualAlloc" //key hint
0012944C |ED9633DE
00129450 |00728380 HprSnap6.00728380
Continue with Shift+F9; the stack is now:
0012943C /0012EB50
00129440 |00FE5C83 返回到 00FE5C83 来自 kernel32.GetModuleHandleA
00129444 |01011BA8 ASCII "kernel32.dll"
00129448 |01012B38 ASCII "VirtualFree" //key hint
0012944C |ED9633DE
00129450 |00728380 HprSnap6.00728380
Shift+F9 once more; the stack is now:
0012918C |00FC83E4 返回到 00FC83E4 来自 kernel32.GetModuleHandleA
00129190 |00129308 ASCII "kernel32.dll" //key hint
00129194 |00000000
00129198 |00728380 HprSnap6.00728380
0012919C |00000000
This is the moment execution returns to the program's own address space. Remove the breakpoint and press Alt+F9 to reach the following code:
00FC83E4 8B55 F4 mov edx, dword ptr [ebp-C]
00FC83E7 8B0D 84EF0101 mov ecx, dword ptr [101EF84]
00FC83ED 890491 mov dword ptr [ecx+edx*4], eax
00FC83F0 8B55 F4 mov edx, dword ptr [ebp-C]
00FC83F3 A1 84EF0101 mov eax, dword ptr [101EF84]
00FC83F8 833C90 00 cmp dword ptr [eax+edx*4], 0
00FC83FC 75 5C jnz short 00FC845A
00FC83FE 8B4D F8 mov ecx, dword ptr [ebp-8]
00FC8401 8B51 08 mov edx, dword ptr [ecx+8]
00FC8404 83E2 02 and edx, 2
00FC8407 74 38 je short 00FC8441
00FC8409 B8 12000000 mov eax, 12
00FC840E C1E0 02 shl eax, 2
00FC8411 8B0D 04CB0101 mov ecx, dword ptr [101CB04] ; HprSnap6.00728380
00FC8417 8B15 04CB0101 mov edx, dword ptr [101CB04] ; HprSnap6.00728380
00FC841D 8B35 04CB0101 mov esi, dword ptr [101CB04] ; HprSnap6.00728380
00FC8423 8B5E 30 mov ebx, dword ptr [esi+30]
00FC8426 335A 68 xor ebx, dword ptr [edx+68]
00FC8429 331C01 xor ebx, dword ptr [ecx+eax]
00FC842C 83E3 10 and ebx, 10
00FC842F F7DB neg ebx
00FC8431 1BDB sbb ebx, ebx
00FC8433 F7DB neg ebx
00FC8435 0FB6C3 movzx eax, bl
00FC8438 85C0 test eax, eax
00FC843A 75 05 jnz short 00FC8441
00FC843C ^ E9 1BFFFFFF jmp 00FC835C
00FC8441 8D8D C8FEFFFF lea ecx, dword ptr [ebp-138]
00FC8447 51 push ecx
00FC8448 FF15 88F00001 call dword ptr [100F088] ; kernel32.LoadLibraryA //key information
00FC844E 8B55 F4 mov edx, dword ptr [ebp-C]
00FC8451 8B0D 84EF0101 mov ecx, dword ptr [101EF84]
00FC8457 890491 mov dword ptr [ecx+edx*4], eax
00FC845A 8B55 F4 mov edx, dword ptr [ebp-C]
00FC845D A1 84EF0101 mov eax, dword ptr [101EF84]
00FC8462 833C90 00 cmp dword ptr [eax+edx*4], 0
00FC8466 75 05 jnz short 00FC846D //this is the key point: NOP it out to disable the IAT encryption
00FC8468 ^ E9 EFFEFFFF jmp 00FC835C
00FC846D C785 BCFEFFFF 0>mov dword ptr [ebp-144], 0
00FC8477 C785 C0FEFFFF 0>mov dword ptr [ebp-140], 0
00FC8481 8B4D F8 mov ecx, dword ptr [ebp-8]
00FC8484 8B51 04 mov edx, dword ptr [ecx+4]
00FC8487 8995 C4FEFFFF mov dword ptr [ebp-13C], edx
00FC848D EB 0F jmp short 00FC849E
00FC848F 8B85 C4FEFFFF mov eax, dword ptr [ebp-13C]
00FC8495 83C0 0C add eax, 0C
00FC8498 8985 C4FEFFFF mov dword ptr [ebp-13C], eax
00FC849E 8B8D C4FEFFFF mov ecx, dword ptr [ebp-13C]
00FC84A4 8339 00 cmp dword ptr [ecx], 0
00FC84A7 74 11 je short 00FC84BA
After patching, continue downward and find the following code:
00FC86E2 893481 mov dword ptr [ecx+eax*4], esi
00FC86E5 ^ E9 72FCFFFF jmp 00FC835C
00FC86EA EB 03 jmp short 00FC86EF //set an F2 breakpoint here
00FC86EC D6 salc //hint
00FC86ED D6 salc //hint
00FC86EE 8F ??? ; 未知命令
Press F9 to run, undo the NOP modification, and remove the breakpoint.
Set the breakpoint bp CreateThread and press F9 to run, but it never breaks. The final F9 step does not break; how is this packer unpacked?? What does CC mean??
My QQ is 783552533