看了介绍 觉得不错 刚好下面有海风大大提供的不收费版本 所以下载来分析
保护后发现没什么反应 看来是我的OD和SOD配合得太好了 木哈哈
下面贴下过程 挣点UB花花..
PEID查壳
FSG 2.0 -> bart/xt
载入原版程序
这个壳子比较简单 主要就是解码之后填充IAT 所以贴点代码 一笔带过..
00400154 > 8725 C0814100 xchg dword ptr [4181C0], esp
0040015A 61 popad
0040015B 94 xchg eax, esp
0040015C 55 push ebp
0040015D A4 movs byte ptr es:[edi], byte ptr [esi>
0040015E B6 80 mov dh, 80
00400160 FF13 call dword ptr [ebx]
解码填充
还要填充IAT所以 BP GetProcAddress
断下后返回自己代码领空
004001CA 8B07 mov eax, dword ptr [edi]
004001CC 40 inc eax
004001CD ^ 78 F3 js short 004001C2
004001CF 75 03 jnz short 004001D4
004001D1 FF63 0C jmp dword ptr [ebx+C]
004001D4 50 push eax
004001D5 55 push ebp
004001D6 FF53 14 call dword ptr [ebx+14]
004001D9 AB stos dword ptr es:[edi]
004001DA ^ EB EE jmp short 004001CA
循环填充IAT
之后在
004001D1 FF63 0C jmp dword ptr [ebx+C]
上下断
飞向光明之巅..
F8单步到OEP
00401000 . 6A 00 push 0 ; /pModule = NULL
00401002 . E8 DB020000 call 004012E2 ; \GetModuleHandleA
00401007 . A3 75304000 mov dword ptr [403075], eax
0040100C . 6A 00 push 0 ; /lParam = NULL
0040100E . 68 2B104000 push 0040102B ; |DlgProc = antiOlly.0040102B
00401013 . 6A 00 push 0 ; |hOwner = NULL
00401015 . 68 D9324000 push 004032D9 ; |pTemplate = "TESTWIN"
0040101A . FF35 75304000 push dword ptr [403075] ; |hInst = NULL
00401020 . E8 81020000 call 004012A6 ; \DialogBoxParamA
00401025 . 50 push eax ; /ExitCode
00401026 . E8 AB020000 call 004012D6 ; \ExitProcess
之后dump出来映像文件
打开impREC OEP填充
自动获取 发现只有kernel32的函数 看来得手工
看程序代码找到一个API调用 跟到地址
我们选择
00401002 . E8 DB020000 call 004012E2 ; \GetModuleHandleA
右击跟随
004012E2 $- FF25 2C204000 jmp dword ptr [40202C] ; kernel32.GetModuleHandleA
数据窗口中跟随地址
格式改为长型-->地址
我们就能看到程序的IAT
00402000 7632311E comdlg32.GetOpenFileNameA
00402004 FFFFFFFF
00402008 7C834D89 kernel32.lstrcatA
0040200C 7C80B984 kernel32.UnmapViewOfFile
00402010 7C810B9E kernel32.SetFilePointer
00402014 7C83208E kernel32.SetEndOfFile
00402018 7C809B57 kernel32.CloseHandle
0040201C 7C801A24 kernel32.CreateFileA
00402020 7C809478 kernel32.CreateFileMappingA
00402024 7C81CDEA kernel32.ExitProcess
00402028 7C810A87 kernel32.GetFileSize
0040202C 7C80B6B1 kernel32.GetModuleHandleA
00402030 7C80B915 kernel32.MapViewOfFile
00402034 7C922C64 ntdll.RtlZeroMemory
00402038 7FFFFFFF
0040203C 77D2F383 user32.SendMessageA
00402040 77D5058A user32.MessageBoxA
00402044 77D208CE user32.LoadIconA
00402048 77D259C9 user32.EndDialog
0040204C 77D3B10C user32.DialogBoxParamA
00402050 77D1A8AD user32.wsprintfA
00402054 7FFFFFFF
IATRVA==2000 Size==计算一下(从上面的列表看 IAT从00402000到00402054结尾的7FFFFFFF 约0x58字节)
我的size填的1000 宁错10000不漏一个
之后有很多无效的 因为我们的范围大了点 cut掉就好了
修复转存
FIXdump..
之后载入脱好的程序
代码就赤裸裸的躺在你面前了 等什么?调戏吧..
main
00401000 . 6A 00 push 0 ; /pModule = NULL
00401002 . E8 DB020000 call 004012E2 ; \GetModuleHandleA
00401007 . A3 75304000 mov dword ptr [403075], eax
0040100C . 6A 00 push 0 ; /lParam = NULL
0040100E . 68 2B104000 push 0040102B ; |DlgProc = antiOlly.0040102B
00401013 . 6A 00 push 0 ; |hOwner = NULL
00401015 . 68 D9324000 push 004032D9 ; |pTemplate = "TESTWIN"
0040101A . FF35 75304000 push dword ptr [403075] ; |hInst = NULL
00401020 . E8 81020000 call 004012A6 ; \DialogBoxParamA
00401025 . 50 push eax ; /ExitCode
00401026 . E8 AB020000 call 004012D6 ; \ExitProcess
对话框过程
0040102B /. 55 push ebp
0040102C |. 8BEC mov ebp, esp
0040102E |. 817D 0C 10010>cmp dword ptr [ebp+C], 110
00401035 |. 75 36 jnz short 0040106D
00401037 |. 68 E1324000 push 004032E1 ; /lParam = 4032E1
0040103C |. 6A 00 push 0 ; |wParam = 0
0040103E |. 6A 0C push 0C ; |Message = WM_SETTEXT
00401040 |. FF75 08 push dword ptr [ebp+8] ; |hWnd
00401043 |. E8 76020000 call 004012BE ; \SendMessageA
00401048 |. 68 9A020000 push 29A ; /RsrcName = 666.
0040104D |. FF35 75304000 push dword ptr [403075] ; |hInst = NULL
00401053 |. E8 5A020000 call 004012B2 ; \LoadIconA
00401058 |. 50 push eax ; /lParam
00401059 |. 6A 00 push 0 ; |wParam = 0
0040105B |. 68 80000000 push 80 ; |Message = WM_SETICON
00401060 |. FF75 08 push dword ptr [ebp+8] ; |hWnd
00401063 |. E8 56020000 call 004012BE ; \SendMessageA
00401068 |. E9 2C020000 jmp 00401299
0040106D |> 837D 0C 10 cmp dword ptr [ebp+C], 10
00401071 |. 75 0F jnz short 00401082
00401073 |. 6A 00 push 0 ; /Result = 0
00401075 |. FF75 08 push dword ptr [ebp+8] ; |hWnd
00401078 |. E8 2F020000 call 004012AC ; \EndDialog
0040107D |. E9 17020000 jmp 00401299
00401082 |> 817D 0C 11010>cmp dword ptr [ebp+C], 111
00401089 |. 0F85 0A020000 jnz 00401299
0040108F |. 817D 10 EA030>cmp dword ptr [ebp+10], 3EA
00401096 |. 0F85 E1010000 jnz 0040127D
0040109C |. 68 04010000 push 104 ; /Length = 104 (260.)
004010A1 |. 68 79304000 push 00403079 ; |Destination = antiOlly.00403079
004010A6 |. E8 43020000 call 004012EE ; \RtlZeroMemory
004010AB |. 68 04010000 push 104 ; /Length = 104 (260.)
004010B0 |. 68 B0344000 push 004034B0 ; |Destination = antiOlly.004034B0
004010B5 |. E8 34020000 call 004012EE ; \RtlZeroMemory
004010BA |. C705 00304000>mov dword ptr [403000], 4C
004010C4 |. 6A 00 push 0
004010C6 |. FF35 04304000 push dword ptr [403004]
004010CC |. FF35 75304000 push dword ptr [403075]
004010D2 |. FF35 08304000 push dword ptr [403008]
004010D8 |. C705 0C304000>mov dword ptr [40300C], 0040304C ; ASCII "All .exe Files"
004010E2 |. C705 1C304000>mov dword ptr [40301C], 00403079
004010EC |. C705 20304000>mov dword ptr [403020], 200
004010F6 |. C705 34304000>mov dword ptr [403034], 281804
00401100 |. C705 30304000>mov dword ptr [403030], 00403062 ; ASCII "Browse for file..."
0040110A |. 68 00304000 push 00403000 ; /pOpenFileName = antiOlly.00403000
0040110F |. E8 F8010000 call 0040130C ; \GetOpenFileNameA
00401114 |. FF35 1C304000 push dword ptr [40301C] ; /StringToAdd = NULL
0040111A |. 68 B0344000 push 004034B0 ; |ConcatString = ""
0040111F |. E8 E2010000 call 00401306 ; \lstrcatA
00401124 |. 6A 00 push 0 ; /hTemplateFile = NULL
00401126 |. 68 82000000 push 82 ; |Attributes = HIDDEN|NORMAL
0040112B |. 6A 03 push 3 ; |Mode = OPEN_EXISTING
0040112D |. 6A 00 push 0 ; |pSecurity = NULL
0040112F |. 6A 02 push 2 ; |ShareMode = FILE_SHARE_WRITE
00401131 |. 68 000000C0 push C0000000 ; |Access = GENERIC_READ|GENERIC_WRITE
00401136 |. 68 B0344000 push 004034B0 ; |FileName = ""
0040113B |. E8 8A010000 call 004012CA ; \CreateFileA
00401140 |. 83F8 FF cmp eax, -1
00401143 |. 0F84 1C010000 je 00401265
00401149 |. BB 06374000 mov ebx, 00403706
0040114E |. 8903 mov dword ptr [ebx], eax
00401150 |. 6A 00 push 0 ; /pFileSizeHigh = NULL
00401152 |. 50 push eax ; |hFile
00401153 |. E8 84010000 call 004012DC ; \GetFileSize
00401158 |. BB 12374000 mov ebx, 00403712
0040115D |. 8903 mov dword ptr [ebx], eax
0040115F |. 6A 00 push 0 ; /MapName = NULL
00401161 |. 50 push eax ; |MaximumSizeLow
00401162 |. 6A 00 push 0 ; |MaximumSizeHigh = 0
00401164 |. 6A 04 push 4 ; |Protection = PAGE_READWRITE
00401166 |. 6A 00 push 0 ; |pSecurity = NULL
00401168 |. FF35 06374000 push dword ptr [403706] ; |hFile = NULL
0040116E |. E8 5D010000 call 004012D0 ; \CreateFileMappingA
00401173 |. BB 0A374000 mov ebx, 0040370A
00401178 |. 8903 mov dword ptr [ebx], eax
0040117A |. 6A 00 push 0 ; /MapSize = 0
0040117C |. 6A 00 push 0 ; |OffsetLow = 0
0040117E |. 6A 00 push 0 ; |OffsetHigh = 0
00401180 |. 6A 02 push 2 ; |AccessMode = FILE_MAP_WRITE
00401182 |. 50 push eax ; |hMapObject
00401183 |. E8 60010000 call 004012E8 ; \MapViewOfFile
00401188 |. BB 0E374000 mov ebx, 0040370E
0040118D |. 8903 mov dword ptr [ebx], eax
0040118F |. 66:8138 4D5A cmp word ptr [eax], 5A4D
00401194 |. 0F85 B6000000 jnz 00401250
0040119A |. 8B1D 0E374000 mov ebx, dword ptr [40370E]
004011A0 |. 8B43 3C mov eax, dword ptr [ebx+3C]
004011A3 |. A3 16374000 mov dword ptr [403716], eax
004011A8 |. 66:813C03 504>cmp word ptr [ebx+eax], 4550
004011AE |. 0F85 87000000 jnz 0040123B
004011B4 |. B9 C3906061 mov ecx, 616090C3
004011B9 |. 894C03 1C mov dword ptr [ebx+eax+1C], ecx
004011BD |. B9 906861CC mov ecx, CC616890
004011C2 |. 894C03 20 mov dword ptr [ebx+eax+20], ecx
004011C6 |. B9 00004000 mov ecx, 00400000 ; ASCII "MZ"
004011CB |. 894C03 2C mov dword ptr [ebx+eax+2C], ecx
004011CF |. 894C03 30 mov dword ptr [ebx+eax+30], ecx
004011D3 |. B9 CD912346 mov ecx, 462391CD
004011D8 |. 894C03 70 mov dword ptr [ebx+eax+70], ecx
004011DC |. B9 182C4B3A mov ecx, 3A4B2C18
004011E1 |. 894C03 74 mov dword ptr [ebx+eax+74], ecx
004011E5 |. 6A 40 push 40 ; /Style = MB_OK|MB_ICONASTERISK|MB_APPLMODAL
004011E7 |. 68 42334000 push 00403342 ; |Title = "Success:"
004011EC |. 68 4B334000 push 0040334B ; |Text = "File is now protected!"
004011F1 |. 6A 00 push 0 ; |hOwner = NULL
004011F3 |. E8 C0000000 call 004012B8 ; \MessageBoxA
004011F8 |> FF35 0E374000 push dword ptr [40370E] ; /BaseAddress = NULL
004011FE |. E8 FD000000 call 00401300 ; \UnmapViewOfFile
00401203 |. FF35 0A374000 push dword ptr [40370A] ; /hObject = NULL
00401209 |. E8 B6000000 call 004012C4 ; \CloseHandle
0040120E |. 6A 00 push 0 ; /Origin = FILE_BEGIN
00401210 |. 6A 00 push 0 ; |pOffsetHi = NULL
00401212 |. FF35 12374000 push dword ptr [403712] ; |OffsetLo = 0
00401218 |. FF35 06374000 push dword ptr [403706] ; |hFile = NULL
0040121E |. E8 D7000000 call 004012FA ; \SetFilePointer
00401223 |. FF35 06374000 push dword ptr [403706] ; /hFile = NULL
00401229 |. E8 C6000000 call 004012F4 ; \SetEndOfFile
0040122E |. FF35 06374000 push dword ptr [403706] ; /hObject = NULL
00401234 |. E8 8B000000 call 004012C4 ; \CloseHandle
00401239 |. EB 42 jmp short 0040127D
0040123B |> 6A 30 push 30 ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL
0040123D |. 68 ED324000 push 004032ED ; |Title = "Error:"
00401242 |. 68 14334000 push 00403314 ; |Text = "Not a valid PE file selected!"
00401247 |. 6A 00 push 0 ; |hOwner = NULL
00401249 |. E8 6A000000 call 004012B8 ; \MessageBoxA
0040124E |.^ EB A8 jmp short 004011F8
00401250 |> 6A 30 push 30 ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL
00401252 |. 68 ED324000 push 004032ED ; |Title = "Error:"
00401257 |. 68 F4324000 push 004032F4 ; |Text = "Not a valid .exe file selected!"
0040125C |. 6A 00 push 0 ; |hOwner = NULL
0040125E |. E8 55000000 call 004012B8 ; \MessageBoxA
00401263 |.^ EB 93 jmp short 004011F8
00401265 |> 6A 30 push 30 ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL
00401267 |. 68 ED324000 push 004032ED ; |Title = "Error:"
0040126C |. 68 32334000 push 00403332 ; |Text = "File not found!"
00401271 |. 6A 00 push 0 ; |hOwner = NULL
00401273 |. E8 40000000 call 004012B8 ; \MessageBoxA
00401278 |.^ E9 7BFFFFFF jmp 004011F8
0040127D |> 817D 10 EB030>cmp dword ptr [ebp+10], 3EB
00401284 |. 75 13 jnz short 00401299
00401286 |. 6A 30 push 30 ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL
00401288 |. 68 62334000 push 00403362 ; |Title = "[about]"
0040128D |. 68 6A334000 push 0040336A ; |Text = "antiOllyDBG",CR,LF,CR,LF,"Program coded by: ap0x",CR,LF,"WebSite: [URL]http://ap0x.headcoders.net",CR,LF,CR,LF,"This[/URL] POC makes OllyDBG crash and fail to break on OEP (manual breakpoint must be set), or if ntGlobalFlag plugin is present it w"...
00401292 |. 6A 00 push 0 ; |hOwner = NULL
00401294 |. E8 1F000000 call 004012B8 ; \MessageBoxA
00401299 |> 33C0 xor eax, eax
0040129B |. C9 leave
0040129C \. C2 1000 retn 10
有简单注释 经过分析 该程序就是把选中的PE文件以读写方式打开并mapping一下 之后直接在映射里修改PE头(改动会写回磁盘文件 随后Unmap并用SetFilePointer/SetEndOfFile按原大小截断)
修改的内容有
0040118F |. 66:8138 4D5A cmp word ptr [eax], 5A4D ; 检测MZ
00401194 |. 0F85 B6000000 jnz 00401250
0040119A |. 8B1D 0E374000 mov ebx, dword ptr [40370E]
004011A0 |. 8B43 3C mov eax, dword ptr [ebx+3C]
004011A3 |. A3 16374000 mov dword ptr [403716], eax
004011A8 |. 66:813C03 504>cmp word ptr [ebx+eax], 4550 ; 检测PE
004011AE |. 0F85 87000000 jnz 0040123B
004011B4 |. B9 C3906061 mov ecx, 616090C3
004011B9 |. 894C03 1C mov dword ptr [ebx+eax+1C], ecx ; 修改SizeOfCode==0x616090C3
004011BD |. B9 906861CC mov ecx, CC616890
004011C2 |. 894C03 20 mov dword ptr [ebx+eax+20], ecx ; 修改SizeOfInitializedData==CC616890(-866031472.)
004011C6 |. B9 00004000 mov ecx, 00400000 ; ASCII "MZ"
004011CB |. 894C03 2C mov dword ptr [ebx+eax+2C], ecx ; 修改BaseOfCode==400000
004011CF |. 894C03 30 mov dword ptr [ebx+eax+30], ecx ; 修改BaseOfData==400000
004011D3 |. B9 CD912346 mov ecx, 462391CD
004011D8 |. 894C03 70 mov dword ptr [ebx+eax+70], ecx ; 修改LoaderFlags=462391CD
004011DC |. B9 182C4B3A mov ecx, 3A4B2C18
004011E1 |. 894C03 74 mov dword ptr [ebx+eax+74], ecx ; 修改NumberOfRvaAndSizes==3A4B2C18 (978005016.)
了解了它做的事 之后自己写一个这样的anti也就不难了 高手直接修改反汇编代码就OK了..
当然 anti anti也就不在话下了
总的来说该工具对现在的OD来说基本没有作用..
正所谓
脱遍天下压缩壳
by fly
分析结束
感谢您耐心的看到这里 为能忍受菜虫的无知笔记而感谢..
本文原创于一蓑烟雨i + + 看雪学院him cr ack
程序实例
http://ap0x.jezgra.net/antiOllyDBG.rar