PEiD packer scan: Armadillo 3.78 - 4.xx -> Silicon Realms Toolworks
ArmaFP:
!- 目标为Armadillo保护
!- 保护系统级别为 (专业版)
!- <所用到的保护模式有>
标准保护 或 最小保护模式
!- <备份密钥设置>
固定的备份密钥
!- <目标程序压缩设置>
较好 / 较慢 的压缩方式
!- <其它保护设置>
使用 eSellerate 版本密钥
487FDD00 Version 6.04 18-07-2008
!- 共使用的时间 00h 00m 01s 797ms
Load it in OD (OllyDbg), set a breakpoint with BP VirtualProtect, then Shift+F9.
00452000 > 60 PUSHAD
00452001 E8 00000000 CALL P2007.00452006
00452006 5D POP EBP
00452007 50 PUSH EAX
00452008 51 PUSH ECX
00452009 0FCA BSWAP EDX
0045200B F7D2 NOT EDX
0045200D 9C PUSHFD
0045200E F7D2 NOT EDX
00452010 0FCA BSWAP EDX
00452012 EB 0F JMP SHORT P2007.00452023
00452014 B9 EB0FB8EB MOV ECX,EBB80FEB
00452019 07 POP ES ; segment-register decoration (junk instruction)
On the 6th break the buffer is fairly large; remove the breakpoint and return.
7C801FE3 > 8BFF MOV EDI,EDI
7C801FE5 55 PUSH EBP
7C801FE6 8BEC MOV EBP,ESP
7C801FE8 FF75 14 PUSH DWORD PTR SS:[EBP+14]
7C801FEB FF75 10 PUSH DWORD PTR SS:[EBP+10]
7C801FEE FF75 0C PUSH DWORD PTR SS:[EBP+C]
7C801FF1 FF75 08 PUSH DWORD PTR SS:[EBP+8]
7C801FF4 6A FF PUSH -1
7C801FF6 E8 9DFAFFFF CALL kernel32.VirtualProtectEx
7C801FFB 5D POP EBP
7C801FFC C2 1000 RETN 10
Search for push 100, change the push ebp above it to retn, set a hardware breakpoint with he CreateThread, then Shift+F9.
7C82510F > 8BFF MOV EDI,EDI
7C825111 55 PUSH EBP
7C825112 8BEC MOV EBP,ESP
7C825114 FF75 1C PUSH DWORD PTR SS:[EBP+1C]
7C825117 FF75 18 PUSH DWORD PTR SS:[EBP+18]
7C82511A FF75 14 PUSH DWORD PTR SS:[EBP+14]
7C82511D FF75 10 PUSH DWORD PTR SS:[EBP+10]
7C825120 FF75 0C PUSH DWORD PTR SS:[EBP+C]
7C825123 FF75 08 PUSH DWORD PTR SS:[EBP+8]
7C825126 6A FF PUSH -1
7C825128 E8 66FDFFFF CALL kernel32.CreateRemoteThread
7C82512D 5D POP EBP
7C82512E C2 1800 RETN 18
Remove the breakpoint and return.
00BA614C 50 PUSH EAX
00BA614D FF15 9032BE00 CALL NEAR DWORD PTR DS:[BE3290] ; kernel32.CloseHandle
00BA6153 5E POP ESI
00BA6154 5B POP EBX
00BA6155 8BE5 MOV ESP,EBP
00BA6157 5D POP EBP
00BA6158 C3 RETN
F8 (step over) down to the OEP.
00BC30C5 8945 DC MOV DWORD PTR SS:[EBP-24],EAX
00BC30C8 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8]
00BC30CB 8B42 04 MOV EAX,DWORD PTR DS:[EDX+4]
00BC30CE 50 PUSH EAX
00BC30CF 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
00BC30D2 8B51 08 MOV EDX,DWORD PTR DS:[ECX+8]
00BC30D5 52 PUSH EDX
00BC30D6 6A 00 PUSH 0
00BC30D8 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
00BC30DB 8B48 0C MOV ECX,DWORD PTR DS:[EAX+C]
00BC30DE 51 PUSH ECX
00BC30DF 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C]
00BC30E2 2B55 DC SUB EDX,DWORD PTR SS:[EBP-24]
00BC30E5 FFD2 CALL NEAR EDX ; OEP, F7 to step in
0040148D 68 D8B5915C PUSH 5C91B5D8
00401492 - E9 55F60000 JMP P2007.00410AEC
00401497 59 POP ECX
00401498 36:FF31 PUSH DWORD PTR SS:[ECX]
0040149B E9 96010000 JMP P2007.00401636
004014A0 66:5A POP DX
004014A2 66:59 POP CX
004014A4 F6D2 NOT DL
004014A6 F6D1 NOT CL
004014A8 20CA AND DL,CL
004014AA 66:52 PUSH DX
004014AC 9C PUSHFD
004014AD E9 84010000 JMP P2007.00401636
004014B2 5A POP EDX
004014B3 66:59 POP CX
004014B5 880A MOV BYTE PTR DS:[EDX],CL
Judging by the structure above, it looks like it has been through VMP (VMProtect); ArmInLine shows the IAT is encrypted.
I have no way to repair it. Asking the experts for a solution! The program is attached.
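The post opens with a PEiD identification of the packer. For anyone who needs to triage samples rather than unpack them, the entry-point stub shown in the first OllyDbg listing (PUSHAD; CALL $+5; POP EBP; PUSH EAX; PUSH ECX; BSWAP EDX; NOT EDX; PUSHFD; NOT EDX; BSWAP EDX; JMP SHORT) is the kind of byte pattern a PEiD or YARA signature is built from. The following Python is an added example, not code from the post or from PEiD/ArmaFP: it parses a PE header, walks to AddressOfEntryPoint, and compares the bytes there against a pattern transcribed from that listing. The pattern is an assumption derived from this one sample, not PEiD's official Armadillo signature, and the PE image it is tested against is constructed in memory rather than taken from a real binary.

```python
import struct

# Entry-point stub transcribed from the OllyDbg listing in the post:
# PUSHAD; CALL $+5; POP EBP; PUSH EAX; PUSH ECX; BSWAP EDX; NOT EDX;
# PUSHFD; NOT EDX; BSWAP EDX; JMP SHORT +0F.
# Assumption: a pattern derived from this one sample, not PEiD's official signature.
ARMADILLO_EP_STUB = bytes.fromhex(
    "60 E8 00 00 00 00 5D 50 51 0F CA F7 D2 9C F7 D2 0F CA EB 0F"
)


def entry_point_bytes(data, n=32):
    """Return the first n bytes at AddressOfEntryPoint of a PE32/PE32+ file,
    or None if the data is not a PE or the entry point maps to no section."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    magic, = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):                       # PE32 / PE32+
        return None
    ep_rva, = struct.unpack_from("<I", data, opt + 16)    # AddressOfEntryPoint
    first_section = opt + opt_size
    for i in range(num_sections):                         # 40-byte section headers
        hdr = first_section + 40 * i
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        if va <= ep_rva < va + max(vsize, raw_size):      # RVA -> file offset
            off = ep_rva - va + raw_ptr
            return data[off:off + n]
    return None


def looks_like_armadillo(data):
    """True when the bytes at the entry point equal the transcribed stub."""
    return entry_point_bytes(data, len(ARMADILLO_EP_STUB)) == ARMADILLO_EP_STUB


def build_sample_pe(entry_stub, section_va=0x1000, entry_rva=0x1010, raw_ptr=0x200):
    """Construct a minimal one-section PE32 image in memory.
    Constructed test data only, not a real binary."""
    code = b"\x90" * (entry_rva - section_va) + entry_stub + b"\xC3"
    code = code.ljust(0x200, b"\x00")
    # Optional header: Magic=PE32, AddressOfEntryPoint at +16, rest zero (0xE0 bytes).
    opt = (struct.pack("<H", 0x10B) + b"\x00" * 14
           + struct.pack("<I", entry_rva)).ljust(0xE0, b"\x00")
    # COFF header: i386, one section, SizeOfOptionalHeader, EXECUTABLE|32BIT.
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    sect = (b".text\x00\x00\x00"
            + struct.pack("<IIII", len(code), section_va, len(code), raw_ptr)
            + b"\x00" * 16)
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    headers = (dos + b"PE\0\0" + coff + opt + sect).ljust(raw_ptr, b"\x00")
    return headers + code


if __name__ == "__main__":
    packed = build_sample_pe(ARMADILLO_EP_STUB)
    plain = build_sample_pe(b"\x55\x8B\xEC")   # PUSH EBP; MOV EBP,ESP: ordinary prologue
    print("stub sample flagged:", looks_like_armadillo(packed))
    print("plain sample flagged:", looks_like_armadillo(plain))
```

The check is deliberately anchored at the entry point rather than searching the whole file, which is what keeps a prologue-style signature from firing on every binary that happens to contain those bytes somewhere; a production detector would pair this with the section characteristics and import table anomalies that ArmaFP reports, not the entry stub alone.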