[Original] Unpacking and brief analysis of the small program antiOllyDBG
Posted on: 2009-5-13 11:45  4845

I read the description and thought it looked good, and there happened to be a free version provided by 海风 right below, so I downloaded it to analyze.
After "protecting" a file, nothing happened; looks like my OD and SOD get along too well, muahaha.
Here is the process, to earn a bit of UB to spend..
PEiD scan:
FSG 2.0 -> bart/xt
Load the original program.
This packer is fairly simple: it mainly decodes and then fills in the IAT, so here is a bit of the code, in passing..
 
00400154 >  8725 C0814100      xchg    dword ptr [4181C0], esp
0040015A    61                 popad
0040015B    94                 xchg    eax, esp
0040015C    55                 push    ebp
0040015D    A4                 movs    byte ptr es:[edi], byte ptr [esi>
0040015E    B6 80              mov     dh, 80
00400160    FF13               call    dword ptr [ebx]
Decode and fill.
It still has to fill the IAT, so BP GetProcAddress.
After it breaks, return to the program's own code space:
004001CA    8B07               mov     eax, dword ptr [edi]
004001CC    40                 inc     eax
004001CD  ^ 78 F3              js      short 004001C2
004001CF    75 03              jnz     short 004001D4
004001D1    FF63 0C            jmp     dword ptr [ebx+C]
004001D4    50                 push    eax
004001D5    55                 push    ebp
004001D6    FF53 14            call    dword ptr [ebx+14]
004001D9    AB                 stos    dword ptr es:[edi]
004001DA  ^ EB EE              jmp     short 004001CA
This loop fills the IAT.
Then set a breakpoint on
004001D1    FF63 0C            jmp     dword ptr [ebx+C]
run to it,
and fly toward the summit of light..
Press F8 to single-step to the OEP:
00401000   .  6A 00         push    0                                ; /pModule = NULL
00401002   .  E8 DB020000   call    004012E2                         ; \GetModuleHandleA
00401007   .  A3 75304000   mov     dword ptr [403075], eax
0040100C   .  6A 00         push    0                                ; /lParam = NULL
0040100E   .  68 2B104000   push    0040102B                         ; |DlgProc = antiOlly.0040102B
00401013   .  6A 00         push    0                                ; |hOwner = NULL
00401015   .  68 D9324000   push    004032D9                         ; |pTemplate = "TESTWIN"
0040101A   .  FF35 75304000 push    dword ptr [403075]               ; |hInst = NULL
00401020   .  E8 81020000   call    004012A6                         ; \DialogBoxParamA
00401025   .  50            push    eax                              ; /ExitCode
00401026   .  E8 AB020000   call    004012D6                         ; \ExitProcess
Then dump the image file.
Open ImpREC and fill in the OEP.
Auto-search only finds kernel32 functions, so it has to be done by hand.
Look in the program code for an API call and follow it to its address.
We choose
00401002   .  E8 DB020000   call    004012E2                         ; \GetModuleHandleA
Right-click and follow:
004012E2   $- FF25 2C204000 jmp     dword ptr [40202C]               ;  kernel32.GetModuleHandleA
Follow the address in the data window.
Change the format to Long --> Address
and we can see the program's IAT:
 
00402000  7632311E  comdlg32.GetOpenFileNameA
00402004  FFFFFFFF
00402008  7C834D89  kernel32.lstrcatA
0040200C  7C80B984  kernel32.UnmapViewOfFile
00402010  7C810B9E  kernel32.SetFilePointer
00402014  7C83208E  kernel32.SetEndOfFile
00402018  7C809B57  kernel32.CloseHandle
0040201C  7C801A24  kernel32.CreateFileA
00402020  7C809478  kernel32.CreateFileMappingA
00402024  7C81CDEA  kernel32.ExitProcess
00402028  7C810A87  kernel32.GetFileSize
0040202C  7C80B6B1  kernel32.GetModuleHandleA
00402030  7C80B915  kernel32.MapViewOfFile
00402034  7C922C64  ntdll.RtlZeroMemory
00402038  7FFFFFFF
0040203C  77D2F383  user32.SendMessageA
00402040  77D5058A  user32.MessageBoxA
00402044  77D208CE  user32.LoadIconA
00402048  77D259C9  user32.EndDialog
0040204C  77D3B10C  user32.DialogBoxParamA
00402050  77D1A8AD  user32.wsprintfA
00402054  7FFFFFFF
IAT RVA == 2000, Size == compute it.
I entered 1000 for the size; better to overshoot by 10000 than miss one.
Afterwards there are many invalid entries because our range is a bit too large; just cut them.
Fix dump.
FixDump..
Then load the unpacked program.
The code is lying naked in front of you. What are you waiting for? Go play with it..
main
 
00401000   .  6A 00         push    0                                ; /pModule = NULL
00401002   .  E8 DB020000   call    004012E2                         ; \GetModuleHandleA
00401007   .  A3 75304000   mov     dword ptr [403075], eax
0040100C   .  6A 00         push    0                                ; /lParam = NULL
0040100E   .  68 2B104000   push    0040102B                         ; |DlgProc = antiOlly.0040102B
00401013   .  6A 00         push    0                                ; |hOwner = NULL
00401015   .  68 D9324000   push    004032D9                         ; |pTemplate = "TESTWIN"
0040101A   .  FF35 75304000 push    dword ptr [403075]               ; |hInst = NULL
00401020   .  E8 81020000   call    004012A6                         ; \DialogBoxParamA
00401025   .  50            push    eax                              ; /ExitCode
00401026   .  E8 AB020000   call    004012D6                         ; \ExitProcess
Dialog procedure
 
0040102B  /.  55            push    ebp
0040102C  |.  8BEC          mov     ebp, esp
0040102E  |.  817D 0C 10010>cmp     dword ptr [ebp+C], 110
00401035  |.  75 36         jnz     short 0040106D
00401037  |.  68 E1324000   push    004032E1                         ; /lParam = 4032E1
0040103C  |.  6A 00         push    0                                ; |wParam = 0
0040103E  |.  6A 0C         push    0C                               ; |Message = WM_SETTEXT
00401040  |.  FF75 08       push    dword ptr [ebp+8]                ; |hWnd
00401043  |.  E8 76020000   call    004012BE                         ; \SendMessageA
00401048  |.  68 9A020000   push    29A                              ; /RsrcName = 666.
0040104D  |.  FF35 75304000 push    dword ptr [403075]               ; |hInst = NULL
00401053  |.  E8 5A020000   call    004012B2                         ; \LoadIconA
00401058  |.  50            push    eax                              ; /lParam
00401059  |.  6A 00         push    0                                ; |wParam = 0
0040105B  |.  68 80000000   push    80                               ; |Message = WM_SETICON
00401060  |.  FF75 08       push    dword ptr [ebp+8]                ; |hWnd
00401063  |.  E8 56020000   call    004012BE                         ; \SendMessageA
00401068  |.  E9 2C020000   jmp     00401299
0040106D  |>  837D 0C 10    cmp     dword ptr [ebp+C], 10
00401071  |.  75 0F         jnz     short 00401082
00401073  |.  6A 00         push    0                                ; /Result = 0
00401075  |.  FF75 08       push    dword ptr [ebp+8]                ; |hWnd
00401078  |.  E8 2F020000   call    004012AC                         ; \EndDialog
0040107D  |.  E9 17020000   jmp     00401299
00401082  |>  817D 0C 11010>cmp     dword ptr [ebp+C], 111
00401089  |.  0F85 0A020000 jnz     00401299
0040108F  |.  817D 10 EA030>cmp     dword ptr [ebp+10], 3EA
00401096  |.  0F85 E1010000 jnz     0040127D
0040109C  |.  68 04010000   push    104                              ; /Length = 104 (260.)
004010A1  |.  68 79304000   push    00403079                         ; |Destination = antiOlly.00403079
004010A6  |.  E8 43020000   call    004012EE                         ; \RtlZeroMemory
004010AB  |.  68 04010000   push    104                              ; /Length = 104 (260.)
004010B0  |.  68 B0344000   push    004034B0                         ; |Destination = antiOlly.004034B0
004010B5  |.  E8 34020000   call    004012EE                         ; \RtlZeroMemory
004010BA  |.  C705 00304000>mov     dword ptr [403000], 4C
004010C4  |.  6A 00         push    0
004010C6  |.  FF35 04304000 push    dword ptr [403004]
004010CC  |.  FF35 75304000 push    dword ptr [403075]
004010D2  |.  FF35 08304000 push    dword ptr [403008]
004010D8  |.  C705 0C304000>mov     dword ptr [40300C], 0040304C     ;  ASCII "All .exe Files"
004010E2  |.  C705 1C304000>mov     dword ptr [40301C], 00403079
004010EC  |.  C705 20304000>mov     dword ptr [403020], 200
004010F6  |.  C705 34304000>mov     dword ptr [403034], 281804
00401100  |.  C705 30304000>mov     dword ptr [403030], 00403062     ;  ASCII "Browse for file..."
0040110A  |.  68 00304000   push    00403000                         ; /pOpenFileName = antiOlly.00403000
0040110F  |.  E8 F8010000   call    0040130C                         ; \GetOpenFileNameA
00401114  |.  FF35 1C304000 push    dword ptr [40301C]               ; /StringToAdd = NULL
0040111A  |.  68 B0344000   push    004034B0                         ; |ConcatString = ""
0040111F  |.  E8 E2010000   call    00401306                         ; \lstrcatA
00401124  |.  6A 00         push    0                                ; /hTemplateFile = NULL
00401126  |.  68 82000000   push    82                               ; |Attributes = HIDDEN|NORMAL
0040112B  |.  6A 03         push    3                                ; |Mode = OPEN_EXISTING
0040112D  |.  6A 00         push    0                                ; |pSecurity = NULL
0040112F  |.  6A 02         push    2                                ; |ShareMode = FILE_SHARE_WRITE
00401131  |.  68 000000C0   push    C0000000                         ; |Access = GENERIC_READ|GENERIC_WRITE
00401136  |.  68 B0344000   push    004034B0                         ; |FileName = ""
0040113B  |.  E8 8A010000   call    004012CA                         ; \CreateFileA
00401140  |.  83F8 FF       cmp     eax, -1
00401143  |.  0F84 1C010000 je      00401265
00401149  |.  BB 06374000   mov     ebx, 00403706
0040114E  |.  8903          mov     dword ptr [ebx], eax
00401150  |.  6A 00         push    0                                ; /pFileSizeHigh = NULL
00401152  |.  50            push    eax                              ; |hFile
00401153  |.  E8 84010000   call    004012DC                         ; \GetFileSize
00401158  |.  BB 12374000   mov     ebx, 00403712
0040115D  |.  8903          mov     dword ptr [ebx], eax
0040115F  |.  6A 00         push    0                                ; /MapName = NULL
00401161  |.  50            push    eax                              ; |MaximumSizeLow
00401162  |.  6A 00         push    0                                ; |MaximumSizeHigh = 0
00401164  |.  6A 04         push    4                                ; |Protection = PAGE_READWRITE
00401166  |.  6A 00         push    0                                ; |pSecurity = NULL
00401168  |.  FF35 06374000 push    dword ptr [403706]               ; |hFile = NULL
0040116E  |.  E8 5D010000   call    004012D0                         ; \CreateFileMappingA
00401173  |.  BB 0A374000   mov     ebx, 0040370A
00401178  |.  8903          mov     dword ptr [ebx], eax
0040117A  |.  6A 00         push    0                                ; /MapSize = 0
0040117C  |.  6A 00         push    0                                ; |OffsetLow = 0
0040117E  |.  6A 00         push    0                                ; |OffsetHigh = 0
00401180  |.  6A 02         push    2                                ; |AccessMode = FILE_MAP_WRITE
00401182  |.  50            push    eax                              ; |hMapObject
00401183  |.  E8 60010000   call    004012E8                         ; \MapViewOfFile
00401188  |.  BB 0E374000   mov     ebx, 0040370E
0040118D  |.  8903          mov     dword ptr [ebx], eax
0040118F  |.  66:8138 4D5A  cmp     word ptr [eax], 5A4D
00401194  |.  0F85 B6000000 jnz     00401250
0040119A  |.  8B1D 0E374000 mov     ebx, dword ptr [40370E]
004011A0  |.  8B43 3C       mov     eax, dword ptr [ebx+3C]
004011A3  |.  A3 16374000   mov     dword ptr [403716], eax
004011A8  |.  66:813C03 504>cmp     word ptr [ebx+eax], 4550
004011AE  |.  0F85 87000000 jnz     0040123B
004011B4  |.  B9 C3906061   mov     ecx, 616090C3
004011B9  |.  894C03 1C     mov     dword ptr [ebx+eax+1C], ecx
004011BD  |.  B9 906861CC   mov     ecx, CC616890
004011C2  |.  894C03 20     mov     dword ptr [ebx+eax+20], ecx
004011C6  |.  B9 00004000   mov     ecx, 00400000                    ;  ASCII "MZ"
004011CB  |.  894C03 2C     mov     dword ptr [ebx+eax+2C], ecx
004011CF  |.  894C03 30     mov     dword ptr [ebx+eax+30], ecx
004011D3  |.  B9 CD912346   mov     ecx, 462391CD
004011D8  |.  894C03 70     mov     dword ptr [ebx+eax+70], ecx
004011DC  |.  B9 182C4B3A   mov     ecx, 3A4B2C18
004011E1  |.  894C03 74     mov     dword ptr [ebx+eax+74], ecx
004011E5  |.  6A 40         push    40                               ; /Style = MB_OK|MB_ICONASTERISK|MB_APPLMODAL
004011E7  |.  68 42334000   push    00403342                         ; |Title = "Success:"
004011EC  |.  68 4B334000   push    0040334B                         ; |Text = "File is now protected!"
004011F1  |.  6A 00         push    0                                ; |hOwner = NULL
004011F3  |.  E8 C0000000   call    004012B8                         ; \MessageBoxA
004011F8  |>  FF35 0E374000 push    dword ptr [40370E]               ; /BaseAddress = NULL
004011FE  |.  E8 FD000000   call    00401300                         ; \UnmapViewOfFile
00401203  |.  FF35 0A374000 push    dword ptr [40370A]               ; /hObject = NULL
00401209  |.  E8 B6000000   call    004012C4                         ; \CloseHandle
0040120E  |.  6A 00         push    0                                ; /Origin = FILE_BEGIN
00401210  |.  6A 00         push    0                                ; |pOffsetHi = NULL
00401212  |.  FF35 12374000 push    dword ptr [403712]               ; |OffsetLo = 0
00401218  |.  FF35 06374000 push    dword ptr [403706]               ; |hFile = NULL
0040121E  |.  E8 D7000000   call    004012FA                         ; \SetFilePointer
00401223  |.  FF35 06374000 push    dword ptr [403706]               ; /hFile = NULL
00401229  |.  E8 C6000000   call    004012F4                         ; \SetEndOfFile
0040122E  |.  FF35 06374000 push    dword ptr [403706]               ; /hObject = NULL
00401234  |.  E8 8B000000   call    004012C4                         ; \CloseHandle
00401239  |.  EB 42         jmp     short 0040127D
0040123B  |>  6A 30         push    30                               ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL
0040123D  |.  68 ED324000   push    004032ED                         ; |Title = "Error:"
00401242  |.  68 14334000   push    00403314                         ; |Text = "Not a valid PE file selected!"
00401247  |.  6A 00         push    0                                ; |hOwner = NULL
00401249  |.  E8 6A000000   call    004012B8                         ; \MessageBoxA
0040124E  |.^ EB A8         jmp     short 004011F8
00401250  |>  6A 30         push    30                               ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL
00401252  |.  68 ED324000   push    004032ED                         ; |Title = "Error:"
00401257  |.  68 F4324000   push    004032F4                         ; |Text = "Not a valid .exe file selected!"
0040125C  |.  6A 00         push    0                                ; |hOwner = NULL
0040125E  |.  E8 55000000   call    004012B8                         ; \MessageBoxA
00401263  |.^ EB 93         jmp     short 004011F8
00401265  |>  6A 30         push    30                               ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL
00401267  |.  68 ED324000   push    004032ED                         ; |Title = "Error:"
0040126C  |.  68 32334000   push    00403332                         ; |Text = "File not found!"
00401271  |.  6A 00         push    0                                ; |hOwner = NULL
00401273  |.  E8 40000000   call    004012B8                         ; \MessageBoxA
00401278  |.^ E9 7BFFFFFF   jmp     004011F8
0040127D  |>  817D 10 EB030>cmp     dword ptr [ebp+10], 3EB
00401284  |.  75 13         jnz     short 00401299
00401286  |.  6A 30         push    30                               ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL
00401288  |.  68 62334000   push    00403362                         ; |Title = "[about]"
0040128D  |.  68 6A334000   push    0040336A                         ; |Text = "antiOllyDBG",CR,LF,CR,LF,"Program coded by: ap0x",CR,LF,"WebSite: [URL]http://ap0x.headcoders.net",CR,LF,CR,LF,"This[/URL] POC makes OllyDBG crash and fail to break on OEP (manual breakpoint must be set), or if ntGlobalFlag plugin is present it w"...
00401292  |.  6A 00         push    0                                ; |hOwner = NULL
00401294  |.  E8 1F000000   call    004012B8                         ; \MessageBoxA
00401299  |>  33C0          xor     eax, eax
0040129B  |.  C9            leave
0040129C  \.  C2 1000       retn    10
With the brief annotations, the analysis shows the program simply maps the PE file and then modifies the PE header.
The modifications are:
 
0040118F  |.  66:8138 4D5A  cmp     word ptr [eax], 5A4D             ;  check MZ
00401194  |.  0F85 B6000000 jnz     00401250
0040119A  |.  8B1D 0E374000 mov     ebx, dword ptr [40370E]
004011A0  |.  8B43 3C       mov     eax, dword ptr [ebx+3C]
004011A3  |.  A3 16374000   mov     dword ptr [403716], eax
004011A8  |.  66:813C03 504>cmp     word ptr [ebx+eax], 4550         ;  check PE
004011AE  |.  0F85 87000000 jnz     0040123B
004011B4  |.  B9 C3906061   mov     ecx, 616090C3
004011B9  |.  894C03 1C     mov     dword ptr [ebx+eax+1C], ecx      ;  sets SizeOfCode == 0x616090C3
004011BD  |.  B9 906861CC   mov     ecx, CC616890
004011C2  |.  894C03 20     mov     dword ptr [ebx+eax+20], ecx      ;  sets SizeOfInitializedData == CC616890 (-866031472.)
004011C6  |.  B9 00004000   mov     ecx, 00400000                    ;  ASCII "MZ"
004011CB  |.  894C03 2C     mov     dword ptr [ebx+eax+2C], ecx      ;  sets BaseOfCode == 400000
004011CF  |.  894C03 30     mov     dword ptr [ebx+eax+30], ecx      ;  sets BaseOfData == 400000
004011D3  |.  B9 CD912346   mov     ecx, 462391CD
004011D8  |.  894C03 70     mov     dword ptr [ebx+eax+70], ecx      ;  sets LoaderFlags == 462391CD
004011DC  |.  B9 182C4B3A   mov     ecx, 3A4B2C18
004011E1  |.  894C03 74     mov     dword ptr [ebx+eax+74], ecx      ;  sets NumberOfRvaAndSizes == 3A4B2C18 (978005016.)
Once you know what it does, writing such an anti yourself is not hard; the experts just patch the disassembly directly and it's done..
And of course anti-anti is no problem either.
Overall, this tool basically has no effect against today's OD..
As the saying goes:
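To recognise (and test for) exactly this kind of header tampering, here is an added example in Python; it is not code from the post or from ap0x's tool. It reads the six optional-header fields at the offsets shown in the listing above and reports values no loadable PE32 image can have; the header it parses is constructed in memory for the test, and `tampered=True` writes the values from the listing into it.

```python
import struct

# Offsets relative to the "PE\0\0" signature, as in the listing above
# (the PE32 optional header starts at +0x18; SizeOfImage is at +0x50).
FIELDS = {"SizeOfCode": 0x1C, "SizeOfInitializedData": 0x20, "BaseOfCode": 0x2C,
          "BaseOfData": 0x30, "LoaderFlags": 0x70, "NumberOfRvaAndSizes": 0x74}
SIZE_OF_IMAGE = 0x50
# The values the tool writes, copied from the listing above (used only to build test input)
TAMPERED = {"SizeOfCode": 0x616090C3, "SizeOfInitializedData": 0xCC616890,
            "BaseOfCode": 0x400000, "BaseOfData": 0x400000,
            "LoaderFlags": 0x462391CD, "NumberOfRvaAndSizes": 0x3A4B2C18}

def read_header(buf):
    """Same MZ / PE checks the tool makes, then read the fields it overwrites."""
    if buf[:2] != b"MZ":
        raise ValueError("Not a valid .exe file")
    pe = struct.unpack_from("<I", buf, 0x3C)[0]          # e_lfanew
    if buf[pe:pe + 4] != b"PE\0\0":
        raise ValueError("Not a valid PE file")
    v = {n: struct.unpack_from("<I", buf, pe + o)[0] for n, o in FIELDS.items()}
    v["SizeOfImage"] = struct.unpack_from("<I", buf, pe + SIZE_OF_IMAGE)[0]
    return v

def find_anomalies(buf):
    """Names of fields whose value no loadable PE32 image can have."""
    v, bad = read_header(buf), []
    if v["NumberOfRvaAndSizes"] > 16:    # only 16 data directories exist
        bad.append("NumberOfRvaAndSizes")
    if v["LoaderFlags"] != 0:            # reserved, must be zero
        bad.append("LoaderFlags")
    for n in ("SizeOfCode", "SizeOfInitializedData"):
        if v[n] > v["SizeOfImage"]:      # cannot exceed the mapped image
            bad.append(n)
    for n in ("BaseOfCode", "BaseOfData"):
        if v[n] >= v["SizeOfImage"]:     # these are RVAs; 0x400000 is an ImageBase, not an RVA
            bad.append(n)
    return bad

def constructed_header(tampered=False):
    """Constructed minimal PE32 header for testing (not a real file), SizeOfImage 0x5000."""
    buf, pe = bytearray(0x200), 0x80
    buf[:2], buf[pe:pe + 4] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", buf, 0x3C, pe)                  # e_lfanew
    struct.pack_into("<HH", buf, pe + 4, 0x14C, 3)         # Machine = i386, 3 sections
    struct.pack_into("<H", buf, pe + 0x18, 0x10B)          # PE32 magic
    struct.pack_into("<I", buf, pe + SIZE_OF_IMAGE, 0x5000)
    sane = {"SizeOfCode": 0x1000, "SizeOfInitializedData": 0x2000, "BaseOfCode": 0x1000,
            "BaseOfData": 0x2000, "LoaderFlags": 0, "NumberOfRvaAndSizes": 16}
    for n, o in FIELDS.items():
        struct.pack_into("<I", buf, pe + o, (TAMPERED if tampered else sane)[n])
    return bytes(buf)
```

Running `find_anomalies` over a dumped or on-disk file flags all six fields for a file processed by this tool and nothing for a normal build.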

Unpack every compression packer under heaven

by fly

End of analysis.
Thank you for patiently reading this far, and for putting up with a newbie's ignorant notes..
Original by 一蓑烟雨i++, 看雪学院 him cr ack
Sample program: http://ap0x.jezgra.net/antiOllyDBG.rar


Latest replies (4)
Why is nobody supporting this! Already saw it on UP! Bump!
2009-5-15 16:26
Such high popularity, heh; moving it over here really was a mistake..
2009-5-19 23:46
Could you try to help me with decrypting Blue Marble Desktop v1.1? The software can be downloaded from its official website; if interested please reply to cosmos2011@yahoo.com, there will be a reward.
2009-5-30 14:59
The analysis is detailed enough; calling it simple is really too modest.
2009-5-31 19:43