[Original] ORiEN v2.11 - 2.12 -> Fisun Alexander packer analysis
Posted: 2009-1-16 18:10 11008


******************************************************
Update, February 12: an algorithmic unpacker. The code is in the attachment. I have not tried any other files packed with this packer, so I cannot guarantee it is universal, but the main algorithm does not change, even if some parts are wrong.
Build commands: cl /c unpack.c
               nasm -fwin32 uncom.asm
               link unpack.obj uncom.obj
Apart from the compression algorithm, all of the main algorithms were reversed.
I learned a lot, and I admire the packer author's assembly skills more and more. The recursive resource handling was finally reversed, but it took far too long; in the end I am just not good enough... I originally wanted to drop the resource-handling part in as inline assembly, but finally decided to reverse it properly. I also intended to reverse the compression algorithm, but instructions such as adc dl,dl that depend on the flags are really hard to relate to C... so I gave up.
I downloaded the UPX source, but unfortunately I cannot make sense of it......
*******************************************************
A very simple packer, but analysing it still took me a long time.
There is a huge amount of junk code. What depressed me most: after finishing the analysis I searched Baidu
and found that this packer can be unpacked with the ESP trick.... I suspect the packer's author is even more depressed than I am.
I will not post the detailed analysis (over 2,000 lines); the main points:

1: Anti-OD: NumberOfRvaAndSizes is 0xA
OllyDbg fails when loading the file... changing it to 10h is enough. The OD I used is the one bundled with RadASM, with no hiding plugin enabled;
other OD builds may get past this anti-debug check directly.

2: Instruction transformation. There is an enormous amount of junk code, but it is very regular and simple: just lots of JMPs bouncing around, which is maddening.
Instruction transformation:
00737B82    E8 05000000                CALL 小熊远控.00737B8C                               
00737B87    EB 09                      JMP SHORT 小熊远控.00737B92             ; execution returns here after the function completes
00737B89    88FC                       MOV AH,BH
00737B8B    90                         NOP
00737B8C    E9 B2190000                JMP <小熊远控.zero_memory(address, size)>
Junk code: basically short JMPs and CALLs. fake.txt in the attachment can clear this kind of simple junk.
There are also some more complex junk patterns, but not many.
For example:
00737168   /EB 01           JMP SHORT 小熊远控.0073716B
0073716A  -|E9 505157E8     JMP E8CAC2BF
0073716F    0000            ADD BYTE PTR DS:[EAX],AL
00737171    0000            ADD BYTE PTR DS:[EAX],AL
00737173    EB 01           JMP SHORT 小熊远控.00737176
00737175  - E9 58EB01B8     JMP B8755CD2
0073717A    85DB            TEST EBX,EBX
0073717C    2BC9            SUB ECX,ECX
0073717E    EB 06           JMP SHORT 小熊远控.00737186
00737180    7A 8B           JPE SHORT 小熊远控.0073710D
00737182    F8              CLC
00737183    EB 04           JMP SHORT 小熊远控.00737189
00737185    0BEB            OR EBP,EBX
00737187    F9              STC
00737188    1F              POP DS                                   ; segment register change
00737189    EB 01           JMP SHORT 小熊远控.0073718C

After removing the junk:
00737168   /EB 01           JMP SHORT 小熊远控.0073716B
0073716A   |90              NOP
0073716B   \50              PUSH EAX
0073716C    51              PUSH ECX
0073716D    57              PUSH EDI
0073716E    E8 00000000     CALL 小熊远控.00737173
00737173    EB 01           JMP SHORT 小熊远控.00737176             ; return address pushed
00737175    90              NOP
00737176    58              POP EAX                                 ;ret address
00737177    EB 01           JMP SHORT 小熊远控.0073717A
00737179    90              NOP
0073717A    85DB            TEST EBX,EBX
0073717C    2BC9            SUB ECX,ECX
0073717E    EB 06           JMP SHORT 小熊远控.00737186
00737180    90              NOP
00737181    8BF8            MOV EDI,EAX                             ; return address moved to EDI
00737183    EB 04           JMP SHORT 小熊远控.00737189
00737185    90              NOP
00737186  ^ EB F9           JMP SHORT 小熊远控.00737181
00737188    1F              POP DS                                  
00737189    EB 01           JMP SHORT 小熊远控.0073718C

3: Junk code used as a decryption key. If you debug the packer without removing junk by hand or with a plugin you can ignore this; in the whole packer only one decryption is of this kind.

0073720F    8DB3 94020000   LEA ESI,DWORD PTR DS:[EBX+294]           ; points to 737294, the start of the decryption
00737215    EB 06           JMP SHORT 小熊远控.0073721D
00737217    90              NOP
00737218    8BFE            MOV EDI,ESI
0073721A    EB 04           JMP SHORT 小熊远控.00737220
0073721C    90              NOP
0073721D  ^ EB F9           JMP SHORT 小熊远控.00737218
0073721F    1F              POP DS                                   ; segment register change
00737220    EB 0A           JMP SHORT 小熊远控.0073722C

00737222    90              NOP
00737223    8B93 A6010000   MOV EDX,DWORD PTR DS:[EBX+1A6]           ; points to 7371A6: the DWORD starting at 7371A6 is the decryption KEY, and 7371A9 is a junk instruction, so never NOP it,
                                                                     ; or the decryption will be wrong
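Added example (not the author's fake.txt, which is not reproduced here): a Python scanner for the two junk shapes in the listings of sections 2 and 3, run on a constructed copy of the bytes at 00737168 above. It patches a copy used for disassembly only, because, as section 3 notes, the live packer reads some of these bytes as a key.

```python
"""Strip the two ORiEN junk-code shapes shown in the listings above.

Constructed example: a raw-byte pattern scanner, not a disassembler. Run it on a
copy used for reading; the live process uses some junk bytes as key material.
"""

NOP = 0x90

# Filler sequences the packer hides behind "JMP SHORT +n", keyed by n.
# Copied from the listings: EB 02 FF F0, EB 03 CD 20 9F, EB 06 43 66 B8 83 C6 90.
JUNK_FILLERS = {
    2: b"\xff\xf0",
    3: b"\xcd\x20\x9f",
    6: b"\x43\x66\xb8\x83\xc6\x90",
}


def trampoline_len(b: bytes, i: int) -> int:
    """Length of the forward/back-jump trampoline starting at b[i], or 0.

    With n = b[i+1] (n >= 5) the layout seen in the listings is:
        i       EB n          jump to the back-jump at i+n+2
        i+2     junk          one byte that is never executed
        i+3     <instr>       n-4 bytes of real code
        i+n-1   EB 04         jump past the junk and the back-jump, to i+n+5
        i+n+1   junk          never executed
        i+n+2   EB -(n+1)     back-jump to the real instruction at i+3
        i+n+4   1F            POP DS, never executed
    """
    if i + 1 >= len(b) or b[i] != 0xEB:
        return 0
    n = b[i + 1]
    end = i + n + 5
    if n < 5 or end > len(b):
        return 0
    if (b[i + n - 1] == 0xEB and b[i + n] == 0x04 and b[i + n + 2] == 0xEB
            and b[i + n + 3] == (-(n + 1)) & 0xFF and b[i + n + 4] == 0x1F):
        return end - i
    return 0


def strip_junk(code: bytes) -> bytes:
    """Return a copy of code with junk bytes replaced by NOP so the real flow disassembles."""
    b = bytearray(code)
    i = 0
    while i < len(b):
        if b[i] != 0xEB or i + 1 >= len(b):
            i += 1
            continue
        n = b[i + 1]
        span = trampoline_len(b, i)
        if span:
            b[i + 2] = NOP          # byte skipped by the forward jump
            b[i + n + 1] = NOP      # byte skipped by the EB 04
            i += span
            continue
        # Plain "JMP SHORT over junk": EB 01 xx, or a known multi-byte filler.
        tail = bytes(b[i + 2:i + 2 + n])
        if len(tail) == n and (n == 1 or tail == JUNK_FILLERS.get(n)):
            b[i + 2:i + 2 + n] = bytes([NOP]) * n
            i += 2 + n
            continue
        i += 1  # an EB byte that matches no known pattern (may be operand data): leave it
    return bytes(b)


# Constructed input: the bytes of the "complex junk" listing at 00737168..0073718A above.
BEFORE = bytes.fromhex(
    "EB01E9505157E800000000EB01E958EB01B885DB2BC9EB067A8BF8EB040BEBF91FEB01")

if __name__ == "__main__":
    print(strip_junk(BEFORE).hex())
```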

4: The mutated CRC_TABLE as decryption key
After careful analysis: this packer compresses each section of the PE file, encrypts it, and merges the result into the second section (the packed section) of the packed file.
On decryption it first computes the 200h bytes of the mutated CRC_TABLE, then XOR-encrypts the CRC_TABLE three times, and uses the encrypted
CRC_TABLE as the KEY for decrypting the original file's compressed code. In between it also verifies a CRC once, but the region checked
is all zeros, so normally this CRC check can be ignored.
How the original PE file's sections are stored in the packed section: first a structure giving the section's size and address, followed immediately by the compressed data;
after the compressed data comes the next section's structure. The structure is 8 bytes: the first 4 bytes are the RVA of the first section of the PE file before packing, and the last 4 bytes are the size of the corresponding compressed data.

Generating CRC_TABLE:
00737B92   /EB 0A                      JMP SHORT 小熊远控.00737B9E
00737B94   |90                         NOP
00737B95   |8B83 A6010000              MOV EAX,DWORD PTR DS:[EBX+1A6]            ;[7371A6] = 3BF5031E
00737B9B   |EB 04                      JMP SHORT 小熊远控.00737BA1
00737B9D   |90                         NOP
00737B9E  ^\EB F5                      JMP SHORT 小熊远控.00737B95
00737BA0    1F                         POP DS                                     ; segment register change
00737BA1    EB 01                      JMP SHORT 小熊远控.00737BA4
00737BA3    90                         NOP
00737BA4    8DBB EC430000              LEA EDI,DWORD PTR DS:[EBX+43EC]            ;73B3EC, start address of the CRC table
00737BAA    E8 01000000                CALL 小熊远控.00737BB0
00737BAF    90                         NOP
00737BB0    83EC FC                    SUB ESP,-4
00737BB3    57                         PUSH EDI
00737BB4    68 00020000                PUSH 200
00737BB9    50                         PUSH EAX
00737BBA    E8 05000000                CALL 小熊远控.00737BC4
00737BBF    EB 09                      JMP SHORT 小熊远控.00737BCA
00737BC1    88FC                       MOV AH,BH
00737BC3    90                         NOP
00737BC4    E9 DE180000                JMP <小熊远控.get_crc_table>                ;generate the CRC table

Verifying the CRC:
007383E1   /EB 01                      JMP SHORT 小熊远控.007383E4
007383E3   |90                         NOP
007383E4   \8DBB EC410000              LEA EDI,DWORD PTR DS:[EBX+41EC]             ;73B1EC
007383EA    E8 01000000                CALL 小熊远控.007383F0
007383EF    90                         NOP
007383F0    83EC FC                    SUB ESP,-4                                  ;balance the stack
007383F3    68 00020000                PUSH 200
007383F8    57                         PUSH EDI
007383F9    E8 05000000                CALL 小熊远控.00738403
007383FE    EB 09                      JMP SHORT 小熊远控.00738409
00738400    88FC                       MOV AH,BH
00738402    90                         NOP
00738403    E9 21120000                JMP 小熊远控.00739629                       ;get the CRC32
00738409    3983 8B3A0000              CMP DWORD PTR DS:[EBX+3A8B],EAX             ;compare whether the computed CRC32 matches; the memory at 73B1EC is all zeros, so I do not understand what this CRC is for
0073840F    74 0E                      JE SHORT 小熊远控.0073841F
00738411    EB 01                      JMP SHORT 小熊远控.00738414
00738413    90                         NOP
00738414    8D83 A5330000              LEA EAX,DWORD PTR DS:[EBX+33A5]
0073841A    E9 EE060000                JMP <小熊远控.unpack_fail>
0073841F    EB 01                      JMP SHORT 小熊远控.00738422

Encrypting CRC_TABLE:
00738422    8DBB EC430000   LEA EDI,DWORD PTR DS:[EBX+43EC]                        ;EDI points to CRC_TABLE
00738428    EB 01           JMP SHORT 小熊远控.0073842B
0073842A    90              NOP
0073842B    8DB3 EC3D0000   LEA ESI,DWORD PTR DS:[EBX+3DEC]                        ;73ADEC
00738431    E8 01000000     CALL 小熊远控.00738437
00738436    90              NOP
00738437    83EC FC         SUB ESP,-4                                             ;balance the stack
0073843A    68 00020000     PUSH 200                                               ;MEM_SIZE_OF_BYTE
0073843F    56              PUSH ESI                                               ;MEM_ADDRESS
00738440    68 00020000     PUSH 200                                               ;CRC_TABLE_SIZE_OF_BYTE
00738445    57              PUSH EDI                                               ;CRC_TABLE
00738446    E8 05000000     CALL 小熊远控.00738450               
0073844B    EB 09           JMP SHORT 小熊远控.00738456
0073844D    88FC            MOV AH,BH
0073844F    90              NOP
00738450    E9 1D110000    JMP <小熊远控.change_crc_table>                         ;compute the new CRC_TABLE

Decrypting the original PE file's compressed data is one big loop; space is limited, so only the key parts are shown:
00738508    03B3 E61A0000   ADD ESI,DWORD PTR DS:[EBX+1AE6]          ;IMAGE_BASE + ..., points to the second section at 60F000
0073850E    EB 03           JMP SHORT 小熊远控.00738513
00738510    CD 20           INT 20
00738512    9F              LAHF
00738513    8B06            MOV EAX,DWORD PTR DS:[ESI]               ;[60F000] = 1000, presumably the first section's RVA; [6AF806] = 164000 is likewise a section RVA
00738515    83C6 01         ADD ESI,1
00738518    EB 06           JMP SHORT 小熊远控.00738520
0073851A    43              INC EBX
0073851B    66:B8 83C6      MOV AX,0C683
0073851F    90              NOP
00738520    83EE FF         SUB ESI,-1
00738523    83EE FF         SUB ESI,-1
00738526    EB 06           JMP SHORT 小熊远控.0073852E
00738528    43              INC EBX
00738529    66:B8 83C6      MOV AX,0C683
0073852D    90              NOP
0073852E    83EE FF         SUB ESI,-1                               ;esi+4
00738531    83F8 00         CMP EAX,0
00738534    75 0F           JNZ SHORT 小熊远控.00738545              ;taken
00738536    EB 0B           JMP SHORT 小熊远控.00738543
00738538    49              DEC ECX
00738539    E5 24           IN EAX,24                                
0073853B    90              NOP
0073853C    90              NOP
0073853D    E9 B9000000     JMP 小熊远控.007385FB
00738542    90              NOP
00738543  ^ EB F8           JMP SHORT 小熊远控.0073853D
00738545    EB 0A           JMP SHORT 小熊远控.00738551
00738547    90              NOP
00738548    8BBB E61A0000   MOV EDI,DWORD PTR DS:[EBX+1AE6]          ;IMAGE_BASE
0073854E    EB 04           JMP SHORT 小熊远控.00738554
00738550    90              NOP
00738551  ^ EB F5           JMP SHORT 小熊远控.00738548
00738553    1F              POP DS                                   ;
00738554    EB 01           JMP SHORT 小熊远控.00738557
00738556    90              NOP
00738557    3BC2            CMP EAX,EDX
00738559    03F8            ADD EDI,EAX                              ;points to the section
0073855B    EB 03           JMP SHORT 小熊远控.00738560
0073855D    CD 20           INT 20
0073855F    9F              LAHF
00738560    8B06            MOV EAX,DWORD PTR DS:[ESI]
00738562    83C6 01         ADD ESI,1
00738565    EB 06           JMP SHORT 小熊远控.0073856D
00738567    43              INC EBX
00738568    66:B8 83C6      MOV AX,0C683
0073856C    90              NOP
0073856D    83EE FF         SUB ESI,-1
00738570    83EE FF         SUB ESI,-1
00738573    EB 06           JMP SHORT 小熊远控.0073857B
00738575    43              INC EBX
00738576    66:B8 83C6      MOV AX,0C683
0073857A    90              NOP
0073857B    83EE FF         SUB ESI,-1
0073857E    EB 06           JMP SHORT 小熊远控.00738586
00738580    90              NOP
00738581    8BC8            MOV ECX,EAX
00738583    EB 04           JMP SHORT 小熊远控.00738589
00738585    90              NOP
00738586  ^ EB F9           JMP SHORT 小熊远控.00738581
00738588    1F              POP DS                                   ; segment register change
00738589    E8 01000000     CALL 小熊远控.0073858F
0073858E    90              NOP
0073858F    83EC FC         SUB ESP,-4
00738592    68 00020000     PUSH 200                                 ;size_of_byte_const
00738597    52              PUSH EDX                                 ;CRC_TABLE
00738598    51              PUSH ECX                                 ;size_of_byte_changed
00738599    56              PUSH ESI                                 ;string_changed
0073859A    E8 05000000     CALL 小熊远控.007385A4
0073859F    EB 09           JMP SHORT 小熊远控.007385AA
007385A1    88FC            MOV AH,BH
007385A3    90              NOP
007385A4    E9 C90F0000     JMP <小熊远控.change_crc_table>         ;I first met this function while it was encrypting CRC_TABLE, hence the name change_crc_table
                                  ;in fact it does not just encrypt CRC_TABLE: the code and the resources are also decrypted with this function
                                  ;third decompression: the unpacked PE file's original IAT at 57C000 is decompressed

0073864A    83EC FC           SUB ESP,-4                            ;balance the stack
0073864D    50                PUSH EAX                              ; 0
0073864E    68 00020000       PUSH 200                              ; crc_table_size_byte
00738653    57                PUSH EDI                              ; crc_table
00738654    56                PUSH ESI                              ; RES_RVA
00738655    56                PUSH ESI                              ; RES_RVA
00738656    52                PUSH EDX                              ; IMAGE_BASE
00738657    E8 05000000       CALL 小熊远控.00738661          ;process the resources: decrypt them
0073865C    EB 09             JMP SHORT 小熊远控.00738667        
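Added example, not the author's unpack.c: a Python walker for the packed-section layout described in section 4 (an 8-byte header of section RVA and compressed size, the compressed bytes, then the next header, ending at an RVA of 0), run on a constructed buffer. Unlike the packer's own loop, it checks the size field against the buffer before using it.

```python
"""Walk the ORiEN packed section: [rva:4][size:4][compressed data] ... [0:4][x:4].

Constructed example. The section RVAs used in the sample (1000h, 164000h) are the
two values seen in the listing above; the data blobs are placeholders, not real
compressed output.
"""
import struct

HEADER = struct.Struct("<II")   # section RVA, size of the compressed data that follows


def walk_packed_section(packed: bytes):
    """Yield (section_rva, compressed_bytes) for each entry until the 0-RVA terminator.

    The packer stops at a header whose RVA is 0 (CMP EAX,0 / JNZ in the listing)
    and otherwise trusts the size field; here an entry that runs past the buffer
    raises instead of being read out of bounds.
    """
    off = 0
    while True:
        if off + HEADER.size > len(packed):
            raise ValueError("truncated header at offset %#x" % off)
        rva, size = HEADER.unpack_from(packed, off)
        if rva == 0:
            return
        off += HEADER.size
        if off + size > len(packed):
            raise ValueError("entry at %#x claims %#x bytes, only %#x left"
                             % (off - HEADER.size, size, len(packed) - off))
        yield rva, packed[off:off + size]
        off += size


def build_packed_section(entries) -> bytes:
    """Inverse of walk_packed_section, used to construct test input."""
    out = bytearray()
    for rva, data in entries:
        out += HEADER.pack(rva, len(data)) + data
    out += HEADER.pack(0, 0)    # terminator
    return bytes(out)


# Constructed sample: two entries followed by the terminator.
SAMPLE = build_packed_section([(0x1000, b"code-blob"), (0x164000, b"rsrc")])

if __name__ == "__main__":
    for rva, blob in walk_packed_section(SAMPLE):
        print("section RVA %#x, %d compressed bytes" % (rva, len(blob)))
```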

5: The key part is the IAT handling

007386DE    8D83 052C0000      LEA EAX,DWORD PTR DS:[EBX+2C05]
007386E4    50                 PUSH EAX                                 ; GetProcAddress
007386E5    FFB3 483D0000      PUSH DWORD PTR DS:[EBX+3D48]             ; LoadLibraryA
007386EB    FFB3 443D0000      PUSH DWORD PTR DS:[EBX+3D44]             ; GetModuleHandleA
007386F1    FFB3 6F3A0000      PUSH DWORD PTR DS:[EBX+3A6F]             ; original IAT_RVA
007386F7    FFB3 E61A0000      PUSH DWORD PTR DS:[EBX+1AE6]             ; IMAGE_BASE
007386FD    E8 A8120000        CALL 小熊远控.007399AA                   ; handle the IAT, victory is near
{ // handle the original IAT
007399AA >  C8 080000          ENTER 8,0
007399AE    53                 PUSH EBX
007399AF    51                 PUSH ECX
007399B0    52                 PUSH EDX
007399B1    56                 PUSH ESI
007399B2    57                 PUSH EDI
007399B3    EB 07              JMP SHORT 小熊远控.007399BC
007399B5    90                 NOP
007399B6    8965 F8            MOV DWORD PTR SS:[EBP-8],ESP
007399B9    EB 04              JMP SHORT 小熊远控.007399BF
007399BB    90                 NOP
007399BC  ^ EB F8              JMP SHORT 小熊远控.007399B6
007399BE    1F                 POP DS                                   
007399BF    EB 07              JMP SHORT 小熊远控.007399C8
007399C1    90                 NOP
007399C2    8B75 0C            MOV ESI,DWORD PTR SS:[EBP+C]             ; original IAT_RVA
007399C5    EB 04              JMP SHORT 小熊远控.007399CB
007399C7    90                 NOP
007399C8  ^ EB F8              JMP SHORT 小熊远控.007399C2
007399CA    1F                 POP DS                                   
007399CB    EB 02              JMP SHORT 小熊远控.007399CF
007399CD    FFF0               PUSH EAX
007399CF    85F6               TEST ESI,ESI
007399D1    0F84 FA010000      JE 小熊远控.00739BD1                         ; jump if the original IAT_RVA is 0
007399D7    EB 01              JMP SHORT 小熊远控.007399DA
007399D9    90                 NOP
007399DA    3BC2               CMP EAX,EDX
007399DC    0375 08            ADD ESI,DWORD PTR SS:[EBP+8]             ; original IAT_VA
007399DF    EB 07              JMP SHORT 小熊远控.007399E8
007399E1    90                 NOP
007399E2    8B5E 0C            MOV EBX,DWORD PTR DS:[ESI+C]             ; IMAGE_IMPORT_DESCRIPTOR.name1
007399E5    EB 04              JMP SHORT 小熊远控.007399EB
007399E7    90                 NOP
007399E8  ^ EB F8              JMP SHORT 小熊远控.007399E2
007399EA    1F                 POP DS                                   ; segment register change
007399EB    EB 02              JMP SHORT 小熊远控.007399EF
007399ED    FFF0               PUSH EAX
007399EF    85DB               TEST EBX,EBX
007399F1    0F84 DA010000      JE 小熊远控.00739BD1                         ; jump if IMAGE_IMPORT_DESCRIPTOR.name1 is 0; once the IAT is finished the loop exits here
007399F7    EB 01              JMP SHORT 小熊远控.007399FA
007399F9    90                 NOP
007399FA    56                 PUSH ESI
007399FB    EB 01              JMP SHORT 小熊远控.007399FE
007399FD    90                 NOP
007399FE    3BC2               CMP EAX,EDX
00739A00    035D 08            ADD EBX,DWORD PTR SS:[EBP+8]             ; IMAGE_BASE+
00739A03    E8 01000000        CALL 小熊远控.00739A09
00739A08    90                 NOP
00739A09    83EC FC            SUB ESP,-4                               ; balance the stack
00739A0C    53                 PUSH EBX
00739A0D    E8 05000000        CALL 小熊远控.00739A17
00739A12    EB 07              JMP SHORT 小熊远控.00739A1B
00739A14    88FC               MOV AH,BH
00739A16    90                 NOP
00739A17    FF65 10            JMP DWORD PTR SS:[EBP+10]                ; GetModuleHandleA
00739A1A    90                 NOP
00739A1B    83F8 00            CMP EAX,0                                ; DLL_IMAGE_BASE
00739A1E    75 24              JNZ SHORT 小熊远控.00739A44
00739A20    E8 01000000        CALL 小熊远控.00739A26
00739A25    90                 NOP
00739A26    83EC FC            SUB ESP,-4
00739A29    53                 PUSH EBX
00739A2A    E8 05000000        CALL 小熊远控.00739A34
00739A2F    EB 07              JMP SHORT 小熊远控.00739A38
00739A31    88FC               MOV AH,BH
00739A33    90                 NOP
00739A34    FF65 14            JMP DWORD PTR SS:[EBP+14]                ; LoadLibraryA
00739A37    90                 NOP
00739A38    EB 02              JMP SHORT 小熊远控.00739A3C
00739A3A    FFF0               PUSH EAX
00739A3C    85C0               TEST EAX,EAX
00739A3E    0F84 A4010000      JE 小熊远控.00739BE8
00739A44    EB 07              JMP SHORT 小熊远控.00739A4D
00739A46    90                 NOP
00739A47    8945 FC            MOV DWORD PTR SS:[EBP-4],EAX
00739A4A    EB 04              JMP SHORT 小熊远控.00739A50
00739A4C    90                 NOP
00739A4D  ^ EB F8              JMP SHORT 小熊远控.00739A47
00739A4F    1F                 POP DS                                   
00739A50    EB 07              JMP SHORT 小熊远控.00739A59
00739A52    90                 NOP
00739A53    8B7E 10            MOV EDI,DWORD PTR DS:[ESI+10]            ; IMAGE_IMPORT_DESCRIPTOR.FirstThunk
00739A56    EB 04              JMP SHORT 小熊远控.00739A5C
00739A58    90                 NOP
00739A59  ^ EB F8              JMP SHORT 小熊远控.00739A53
00739A5B    1F                 POP DS                                   
00739A5C    EB 06              JMP SHORT 小熊远控.00739A64
00739A5E    90                 NOP
00739A5F    8B36               MOV ESI,DWORD PTR DS:[ESI]               ; IMAGE_IMPORT_DESCRIPTOR.OriginalFirstThunk
00739A61    EB 04              JMP SHORT 小熊远控.00739A67
00739A63    90                 NOP
00739A64  ^ EB F9              JMP SHORT 小熊远控.00739A5F
00739A66    1F                 POP DS                                   
00739A67    EB 02              JMP SHORT 小熊远控.00739A6B
00739A69    FFF0               PUSH EAX
00739A6B    85F6               TEST ESI,ESI
00739A6D    75 0B              JNZ SHORT 小熊远控.00739A7A                  ; if IMAGE_IMPORT_DESCRIPTOR.OriginalFirstThunk is 0, use FirstThunk
00739A6F    EB 06              JMP SHORT 小熊远控.00739A77
00739A71    90                 NOP
00739A72    8BF7               MOV ESI,EDI
00739A74    EB 04              JMP SHORT 小熊远控.00739A7A
00739A76    90                 NOP
00739A77  ^ EB F9              JMP SHORT 小熊远控.00739A72
00739A79    1F                 POP DS                                   
00739A7A    EB 01              JMP SHORT 小熊远控.00739A7D
00739A7C    90                 NOP
00739A7D    3BC2               CMP EAX,EDX
00739A7F    0375 08            ADD ESI,DWORD PTR SS:[EBP+8]             ; +IMAGE_BASE = IMAGE_THUNK_DATA[]
00739A82    EB 01              JMP SHORT 小熊远控.00739A85
00739A84    90                 NOP
00739A85    3BC2               CMP EAX,EDX
00739A87    037D 08            ADD EDI,DWORD PTR SS:[EBP+8]             ; +IMAGE_BASE = fun_address_table[]
00739A8A    EB 06              JMP SHORT 小熊远控.00739A92
00739A8C    90                 NOP
00739A8D    8B1E               MOV EBX,DWORD PTR DS:[ESI]               ; IMAGE_IMPORT_BY_NAME rva
00739A8F    EB 04              JMP SHORT 小熊远控.00739A95
00739A91    90                 NOP
00739A92  ^ EB F9              JMP SHORT 小熊远控.00739A8D
00739A94    1F                 POP DS                                   
00739A95    EB 02              JMP SHORT 小熊远控.00739A99
00739A97    FFF0               PUSH EAX
00739A99    85DB               TEST EBX,EBX
00739A9B    0F84 15010000      JE 小熊远控.00739BB6
00739AA1    EB 02              JMP SHORT 小熊远控.00739AA5
00739AA3    FFF0               PUSH EAX
00739AA5    F7C3 00000080      TEST EBX,80000000                        ; test whether the function is imported by ordinal
00739AAB    75 51              JNZ SHORT 小熊远控.00739AFE
00739AAD    EB 01              JMP SHORT 小熊远控.00739AB0
00739AAF    90                 NOP
00739AB0    3BC2               CMP EAX,EDX
00739AB2    035D 08            ADD EBX,DWORD PTR SS:[EBP+8]             ; IMAGE_IMPORT_BY_NAME va
00739AB5    EB 06              JMP SHORT 小熊远控.00739ABD
00739AB7    43                 INC EBX
00739AB8    66:B8 83C3         MOV AX,0C383
00739ABC    90                 NOP
00739ABD    83EB FF            SUB EBX,-1
00739AC0    EB 06              JMP SHORT 小熊远控.00739AC8
00739AC2    43                 INC EBX
00739AC3    66:B8 83C3         MOV AX,0C383
00739AC7    90                 NOP
00739AC8    83EB FF            SUB EBX,-1                               ; ebx+2, points to the function name
00739ACB    E8 01000000        CALL 小熊远控.00739AD1
00739AD0    90                 NOP
00739AD1    83EC FC            SUB ESP,-4                               ; balance the stack
00739AD4    53                 PUSH EBX
00739AD5    FF75 FC            PUSH DWORD PTR SS:[EBP-4]
00739AD8    E8 05000000        CALL 小熊远控.00739AE2
00739ADD    EB 07              JMP SHORT 小熊远控.00739AE6
00739ADF    88FC               MOV AH,BH
00739AE1    90                 NOP
00739AE2    FF65 18            JMP DWORD PTR SS:[EBP+18]                ; GetProcAddress
00739AE5    90                 NOP
00739AE6    EB 02              JMP SHORT 小熊远控.00739AEA
00739AE8    FFF0               PUSH EAX
00739AEA    85C0               TEST EAX,EAX                             ; test whether the function address is 0
00739AEC    0F84 F6000000      JE 小熊远控.00739BE8
00739AF2    EB 08              JMP SHORT 小熊远控.00739AFC
00739AF4    49                 DEC ECX
00739AF5    E5 24              IN EAX,24                                
00739AF7    90                 NOP
00739AF8    90                 NOP
00739AF9    EB 64              JMP SHORT 小熊远控.00739B5F
00739AFB    90                 NOP
00739AFC  ^ EB FB              JMP SHORT 小熊远控.00739AF9
00739AFE    81E3 FFFFFF7F      AND EBX,7FFFFFFF
00739B04    EB 07              JMP SHORT 小熊远控.00739B0D
00739B06    90                 NOP
00739B07    8B45 FC            MOV EAX,DWORD PTR SS:[EBP-4]
00739B0A    EB 04              JMP SHORT 小熊远控.00739B10
00739B0C    90                 NOP
00739B0D  ^ EB F8              JMP SHORT 小熊远控.00739B07
00739B0F    1F                 POP DS                                   
00739B10    EB 01              JMP SHORT 小熊远控.00739B13
00739B12    90                 NOP
00739B13    3BC2               CMP EAX,EDX
00739B15    0340 3C            ADD EAX,DWORD PTR DS:[EAX+3C]
00739B18    EB 07              JMP SHORT 小熊远控.00739B21
00739B1A    90                 NOP
00739B1B    8B40 78            MOV EAX,DWORD PTR DS:[EAX+78]
00739B1E    EB 04              JMP SHORT 小熊远控.00739B24
00739B20    90                 NOP
00739B21  ^ EB F8              JMP SHORT 小熊远控.00739B1B
00739B23    1F                 POP DS                                   
00739B24    EB 01              JMP SHORT 小熊远控.00739B27
00739B26    90                 NOP
00739B27    3BC2               CMP EAX,EDX
00739B29    0345 FC            ADD EAX,DWORD PTR SS:[EBP-4]
00739B2C    EB 01              JMP SHORT 小熊远控.00739B2F
00739B2E    90                 NOP
00739B2F    85DB               TEST EBX,EBX
00739B31    2B58 10            SUB EBX,DWORD PTR DS:[EAX+10]
00739B34    C1E3 02            SHL EBX,2
00739B37    EB 07              JMP SHORT 小熊远控.00739B40
00739B39    90                 NOP
00739B3A    8B40 1C            MOV EAX,DWORD PTR DS:[EAX+1C]
00739B3D    EB 04              JMP SHORT 小熊远控.00739B43
00739B3F    90                 NOP
00739B40  ^ EB F8              JMP SHORT 小熊远控.00739B3A
00739B42    1F                 POP DS                                   
00739B43    EB 01              JMP SHORT 小熊远控.00739B46
00739B45    90                 NOP
00739B46    3BC2               CMP EAX,EDX
00739B48    0345 FC            ADD EAX,DWORD PTR SS:[EBP-4]
00739B4B    EB 07              JMP SHORT 小熊远控.00739B54
00739B4D    90                 NOP
00739B4E    8B0418             MOV EAX,DWORD PTR DS:[EAX+EBX]
00739B51    EB 04              JMP SHORT 小熊远控.00739B57
00739B53    90                 NOP
00739B54  ^ EB F8              JMP SHORT 小熊远控.00739B4E
00739B56    1F                 POP DS                                   
00739B57    EB 01              JMP SHORT 小熊远控.00739B5A
00739B59    90                 NOP
00739B5A    3BC2               CMP EAX,EDX
00739B5C    0345 FC            ADD EAX,DWORD PTR SS:[EBP-4]
00739B5F    EB 02              JMP SHORT 小熊远控.00739B63
00739B61    CD 20              INT 20
00739B63    8907               MOV DWORD PTR DS:[EDI],EAX               ; store the function address
00739B65    EB 06              JMP SHORT 小熊远控.00739B6D
00739B67    43                 INC EBX
00739B68    66:B8 83C7         MOV AX,0C783
00739B6C    90                 NOP
00739B6D    83EF FF            SUB EDI,-1
00739B70    83C7 01            ADD EDI,1
00739B73    83C5 00            ADD EBP,0
00739B76    83EF FF            SUB EDI,-1
00739B79    EB 06              JMP SHORT 小熊远控.00739B81
00739B7B    43                 INC EBX
00739B7C    66:B8 83C7         MOV AX,0C783
00739B80    90                 NOP
00739B81    83EF FF            SUB EDI,-1                               ; edi+4
00739B84    EB 03              JMP SHORT 小熊远控.00739B89
00739B86    CD 20              INT 20
00739B88    9F                 LAHF
00739B89    8B06               MOV EAX,DWORD PTR DS:[ESI]
00739B8B    83C6 01            ADD ESI,1
00739B8E    EB 06              JMP SHORT 小熊远控.00739B96
00739B90    43                 INC EBX
00739B91    66:B8 83C6         MOV AX,0C683
00739B95    90                 NOP
00739B96    83EE FF            SUB ESI,-1
00739B99    83EE FF            SUB ESI,-1
00739B9C    EB 06              JMP SHORT 小熊远控.00739BA4
00739B9E    43                 INC EBX
00739B9F    66:B8 83C6         MOV AX,0C683
00739BA3    90                 NOP
00739BA4    83EE FF            SUB ESI,-1                               ; esi+4
00739BA7    EB 0B              JMP SHORT 小熊远控.00739BB4
00739BA9    49                 DEC ECX
00739BAA    E5 24              IN EAX,24                                
00739BAC    90                 NOP
00739BAD    90                 NOP
00739BAE  ^ E9 D7FEFFFF        JMP 小熊远控.00739A8A
00739BB3    90                 NOP
00739BB4  ^ EB F8              JMP SHORT 小熊远控.00739BAE
00739BB6    EB 01              JMP SHORT 小熊远控.00739BB9
00739BB8    90                 NOP
00739BB9    5E                 POP ESI
00739BBA    EB 01              JMP SHORT 小熊远控.00739BBD
00739BBC    90                 NOP
00739BBD    3BC2               CMP EAX,EDX
00739BBF    83C6 14            ADD ESI,14                               ; next IMAGE_IMPORT_DESCRIPTOR
00739BC2    EB 0B              JMP SHORT 小熊远控.00739BCF
00739BC4    49                 DEC ECX
00739BC5    E5 24              IN EAX,24                                
00739BC7    90                 NOP
00739BC8    90                 NOP
00739BC9  ^ E9 11FEFFFF        JMP 小熊远控.007399DF
00739BCE    90                 NOP
00739BCF  ^ EB F8              JMP SHORT 小熊远控.00739BC9
00739BD1    33C0               XOR EAX,EAX                              ; ntdll.RtlGetLastWin32Error
00739BD3    EB 07              JMP SHORT 小熊远控.00739BDC
00739BD5    90                 NOP
00739BD6    8B65 F8            MOV ESP,DWORD PTR SS:[EBP-8]
00739BD9    EB 04              JMP SHORT 小熊远控.00739BDF
00739BDB    90                 NOP
00739BDC  ^ EB F8              JMP SHORT 小熊远控.00739BD6
00739BDE    1F                 POP DS                                   
00739BDF    5F                 POP EDI
00739BE0    5E                 POP ESI
00739BE1    5A                 POP EDX
00739BE2    59                 POP ECX
00739BE3    5B                 POP EBX
00739BE4    C9                 LEAVE
00739BE5    C2 1400            RETN 14  
}
//This is the right moment to dump: the code has been decompressed, the resources decrypted and the IAT repaired, so you can dump directly and only need to fix the OEP
//Rebuild the import table with ImportREC_fix and it already runs. For the OEP, search for 61b8????????83f800; once found, the ? bytes are the OEP value
//See the unpacking script for the details; if it really does not work, use the ESP trick
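Added example, not the packer's code: the same walk in Python over a constructed import directory, applying the rules the listing applies (stop at Name == 0, OriginalFirstThunk with FirstThunk as fallback, bit 31 as the ordinal flag) and the by-ordinal export lookup through e_lfanew, the export directory and AddressOfFunctions, with the range check the packer omits. Loading the DLLs (GetModuleHandleA/LoadLibraryA) and the GetProcAddress call are left out, and the constructed DLL image is only a header skeleton.

```python
"""Import-table walk mirroring the packer's IAT loop above, on a constructed image.

The offsets are the real PE ones the listing reads: IMAGE_IMPORT_DESCRIPTOR
(OriginalFirstThunk at +0, Name at +0xC, FirstThunk at +0x10), the 0x80000000
ordinal flag, and for ordinal imports the export directory RVA at
[e_lfanew + 0x78] with Base at +0x10, NumberOfFunctions at +0x14 and
AddressOfFunctions at +0x1C.
"""
import struct

ORDINAL_FLAG = 0x80000000


def u32(img: bytes, rva: int) -> int:
    return struct.unpack_from("<I", img, rva)[0]


def cstr(img: bytes, rva: int) -> str:
    return img[rva:img.index(b"\0", rva)].decode("ascii")


def walk_imports(img: bytes, import_rva: int):
    """Return [(dll, [("name", s) | ("ordinal", n), ...], first_thunk_rva)].

    Same rules as the packer's loop: stop at a descriptor whose Name is 0; read
    the thunk list from OriginalFirstThunk, falling back to FirstThunk when it is
    0; a thunk with bit 31 set is an ordinal, otherwise it is the RVA of an
    IMAGE_IMPORT_BY_NAME whose name starts after the 2-byte Hint (the "ebx+2").
    """
    result = []
    off = import_rva
    while True:
        oft, _stamp, _fwd, name_rva, ft = struct.unpack_from("<5I", img, off)
        if name_rva == 0:
            return result
        thunk_rva = oft or ft
        entries = []
        while True:
            thunk = u32(img, thunk_rva)
            if thunk == 0:
                break
            if thunk & ORDINAL_FLAG:
                entries.append(("ordinal", thunk & 0x7FFFFFFF))
            else:
                entries.append(("name", cstr(img, thunk + 2)))
            thunk_rva += 4
        result.append((cstr(img, name_rva), entries, ft))
        off += 20   # sizeof(IMAGE_IMPORT_DESCRIPTOR)


def export_rva_by_ordinal(dll: bytes, ordinal: int) -> int:
    """RVA of an export found by ordinal, as the listing does it: e_lfanew ->
    [PE+0x78] export directory -> AddressOfFunctions[ordinal - Base].
    The packer does no range check; this version refuses out-of-range ordinals."""
    pe = u32(dll, 0x3C)
    exp = u32(dll, pe + 0x78)
    base, count, funcs = u32(dll, exp + 0x10), u32(dll, exp + 0x14), u32(dll, exp + 0x1C)
    if not base <= ordinal < base + count:
        raise ValueError("ordinal %d outside export range" % ordinal)
    return u32(dll, funcs + 4 * (ordinal - base))


def put(buf: bytearray, rva: int, fmt: str, *values) -> None:
    struct.pack_into(fmt, buf, rva, *values)


def build_test_image() -> bytes:
    """Constructed image: one descriptor importing kernel32.dll by name and by ordinal."""
    img = bytearray(0x2000)
    img[0x1100:0x110D] = b"kernel32.dll\0"
    img[0x1110:0x111E] = b"\0\0ExitProcess\0"                 # Hint + Name
    put(img, 0x1200, "<3I", 0x1110, ORDINAL_FLAG | 0x11, 0)   # OriginalFirstThunk list
    put(img, 0x1300, "<3I", 0x1110, ORDINAL_FLAG | 0x11, 0)   # FirstThunk (IAT) list
    put(img, 0x1000, "<5I", 0x1200, 0, 0, 0x1100, 0x1300)    # descriptor; next one is all zero
    return bytes(img)


def build_test_dll() -> bytes:
    """Constructed DLL image skeleton with an export directory: Base 0x10, three functions."""
    dll = bytearray(0x400)
    put(dll, 0x3C, "<I", 0x80)               # e_lfanew
    put(dll, 0x80 + 0x78, "<I", 0x200)       # export directory RVA
    put(dll, 0x200 + 0x10, "<I", 0x10)       # Base
    put(dll, 0x200 + 0x14, "<I", 3)          # NumberOfFunctions
    put(dll, 0x200 + 0x1C, "<I", 0x300)      # AddressOfFunctions
    put(dll, 0x300, "<3I", 0x4000, 0x4100, 0x4200)
    return bytes(dll)


if __name__ == "__main__":
    print(walk_imports(build_test_image(), 0x1000))
    print(hex(export_rva_by_ordinal(build_test_dll(), 0x11)))
```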

Once the IAT is handled the packer starts damaging it: the three functions ExitProcess, GetCommandLineA and GetCommandLineW are replaced with the packer's own code
0073884F    8907               MOV DWORD PTR DS:[EDI],EAX      ;just NOP this instruction
00738851    EB 06              JMP SHORT 小熊远控.00738859

Postscript: this took a long time. With the New Year coming up I could not leave it until afterwards, so I gritted my teeth and got up at 7 every day.....
I wanted to make the script more generic, but I found that with ODScript a memory breakpoint set on read breaks on write,
and hardware breakpoints behave the same; I do not know whether it is because I had several OD instances open. A bit annoying, so I simply wrote it by searching for byte strings.
After running the script, do not tick "rebuild IAT" when dumping; if you do, OD crashes (I hope that is just my bad luck). Then ImportREC_fix
is all you need. Also, I feel this packer may not be the release version: I saw strings like S-ICE and TRW in memory, so I expect the release version
has other anti-debug tricks. The junk-removal script fake.txt is not recommended; while debugging I removed all the junk by hand, because searching memory may damage
data that has not been decrypted yet, and then the decryption goes wrong. After unpacking it shows Borland Delphi v3.0. I noticed by chance that if exceptions are not ignored,
after F9 it stops at an exception inside kernel, and coming out of the exception the OEP is right above... probably a characteristic of Borland Delphi v3.0
.....


Latest replies (6)
#2
Learning from 徐大力's attitude to study
2009-1-16 21:54
#3
OP is really impressive.

A timid question: how long did the analysis take you? Just curious~
2009-1-17 12:26
#4
Quite a long time, about half a month, with a pause in the middle.
This week I pushed hard, went to the office early.. and worked on this once my work was done

This packer is actually quite simple... going through it one instruction at a time just takes a lot of time
Luckily I have time at the moment; I wonder whether tackling the big four packers later
will take months.... Just woke up, feels great..
2009-1-17 15:20
#5
OP's attitude is admirable
2009-1-18 11:36
#6
Good article, learning~
2009-1-21 08:18
#7
Bump bump bump bump bump bump bump bump bump bump bump bump bump bump bump bump bump bump bump bump
2009-1-22 13:22