【Author's note】: Written purely out of interest, with no other purpose. Corrections of any mistakes are welcome.
【Debugging environment】: WinXP SP2, ICEODBG, PEiD, LordPE, ImportREC, ArmaFP
【Sample program】: see the attachment; I found it on a foreign forum. ArmaFP reports the protection as:
<------- 14-05-2009 21:34:58 ------->
C:\Documents and Settings\Administrator\桌面\Armadillo 6.40\Armadillo 6.40\UnPackMe_Armadillo 6.40.a.exe
!- Protected Armadillo
Protection system (Professional)
!- <Protection Options>
Standard protection or Minimum protection
!- <Backup Key Options>
Fixed Backup Keys
!- <Compression Options>
Best/Slowest Compression
!- <Other Options>
?- No Debug-Blocker, Child not detach
49921500 Version 6.40 11-02-2009
!- Elapsed Time 00h 00m 00s 469ms
【Unpacking procedure】:
Use ICEODBG (a modified build of OllyDBG) with the IsDebug plugin set to Hide, and tick all the "ignore exceptions" options.
bp OpenMutexA, then Shift+F9 to run. When it breaks, enter the following code in an unused area; I chose 401000:
00401000 60 PUSHAD
00401001 9C PUSHFD
00401002 68 50FD1200 PUSH 12FD50 ;(12FD50 is the MutexName; you can read it off the stack)
00401007 33C0 XOR EAX,EAX
00401009 50 PUSH EAX
0040100A 50 PUSH EAX
0040100B E8 E694A677 CALL KERNEL32.CreateMutexA
00401010 9D POPFD
00401011 61 POPAD
00401012 - E9 8F9FA777 JMP KERNEL32.OpenMutexA
The binary bytes on my machine:
60 9C 68 50 FD 12 00 33 C0 50 50 E8 4F D9 40 7C 9D 61 E9 24 DA 40 7C ;note: if you paste these as binary, the two function addresses may differ on your machine; assemble the two instructions by function name instead
Set "New origin here" at 401000. F9: the program breaks again at OpenMutexA. Clear the breakpoint and the working code we just entered. From here on we can debug it exactly like an ordinary standard packer, because it no longer spawns a child process but runs itself as the child.
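The stub above is position-dependent: the CALL and JMP are E8/E9 instructions whose rel32 field is the distance from the next instruction to a kernel32 address, so a byte string copied from one machine reaches the wrong address on another. The following Python script is an added example (not code from the original post): it assembles the stub for a given load address, computing the rel32 fields itself, and decodes a byte string back into the absolute addresses it reaches. The stub address 0x401000 and mutex-name pointer 0x12FD50 are the ones used above; the two kernel32 addresses are derived from the rel32 fields in the byte dump quoted in the post and are assumptions for any other Windows build.

```python
import struct

# Values from the walkthrough: stub at 0x401000, mutex name at 0x12FD50.
STUB_ADDR = 0x00401000
MUTEX_NAME_PTR = 0x0012FD50
# Assumed addresses: derived from the rel32 fields of the byte dump in the
# post (E8 4F D9 40 7C at 0x40100B, E9 24 DA 40 7C at 0x401012). They are
# only valid for that kernel32 build; look them up on your own machine.
CREATE_MUTEX_A = 0x7C80E95F
OPEN_MUTEX_A = 0x7C80EA3B

# The byte dump quoted in the post, for cross-checking the assembler below.
PAGE_BYTES = bytes.fromhex(
    "60 9C 68 50 FD 12 00 33 C0 50 50 E8 4F D9 40 7C 9D 61 E9 24 DA 40 7C"
)


def rel32(insn_addr, target):
    """rel32 field of a 5-byte E8/E9 instruction at insn_addr that reaches target."""
    return (target - (insn_addr + 5)) & 0xFFFFFFFF


def build_mutex_stub(stub_addr, mutex_name_ptr, create_mutex_a, open_mutex_a):
    """Assemble the OpenMutexA -> CreateMutexA stub for a given load address.

    Mirrors the listing in the post: save registers and flags, call
    CreateMutexA(NULL, FALSE, lpName) so the handle the packer is about to
    OpenMutexA already exists, restore state, then jump into OpenMutexA.
    """
    code = bytearray()
    code += b"\x60"                                      # pushad
    code += b"\x9C"                                      # pushfd
    code += b"\x68" + struct.pack("<I", mutex_name_ptr)  # push lpName
    code += b"\x33\xC0"                                  # xor eax,eax
    code += b"\x50"                                      # push eax (bInitialOwner = FALSE)
    code += b"\x50"                                      # push eax (lpMutexAttributes = NULL)
    call_at = stub_addr + len(code)
    code += b"\xE8" + struct.pack("<I", rel32(call_at, create_mutex_a))  # call CreateMutexA
    code += b"\x9D"                                      # popfd
    code += b"\x61"                                      # popad
    jmp_at = stub_addr + len(code)
    code += b"\xE9" + struct.pack("<I", rel32(jmp_at, open_mutex_a))     # jmp OpenMutexA
    return bytes(code)


def decode_stub_targets(stub, stub_addr):
    """Return the absolute targets of the stub's E8 (call) and E9 (jmp).

    Only the handful of opcodes the stub uses are understood. Decoding the
    same bytes at a different stub_addr, or on a machine with a different
    kernel32 layout, shows exactly why pasted bytes land in the wrong place.
    """
    targets = {}
    off = 0
    while off < len(stub):
        op = stub[off]
        if op in (0xE8, 0xE9):
            rel = struct.unpack_from("<I", stub, off + 1)[0]
            key = "call" if op == 0xE8 else "jmp"
            targets[key] = (stub_addr + off + 5 + rel) & 0xFFFFFFFF
            off += 5
        elif op == 0x68:        # push imm32
            off += 5
        elif op == 0x33:        # xor r32, r/m32 (xor eax,eax here)
            off += 2
        else:                   # pushad / pushfd / push eax / popfd / popad
            off += 1
    return targets


if __name__ == "__main__":
    stub = build_mutex_stub(STUB_ADDR, MUTEX_NAME_PTR, CREATE_MUTEX_A, OPEN_MUTEX_A)
    print(stub.hex(" ").upper())
    print({k: hex(v) for k, v in decode_stub_targets(stub, STUB_ADDR).items()})
    # Same bytes placed 0x1000 higher: both targets shift by 0x1000.
    print({k: hex(v) for k, v in decode_stub_targets(stub, STUB_ADDR + 0x1000).items()})
```

Running the script reproduces the 23-byte dump from the post and prints the two kernel32 addresses it reaches; decoding the same bytes at a different stub address shows both targets shifted by the same amount, which is why the post tells you to assemble the CALL and JMP by function name rather than paste the bytes.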
BP VirtualProtect
Shift+F9; after it breaks, remove the breakpoint
BP CreateFileMappingA
Shift+F9; after it breaks, remove the breakpoint
Ctrl+G: GetModuleHandleA
Set the breakpoint at the end of GetModuleHandleA rather than at its entry, so the packer's check for a CC (int3) byte at the start of the function does not trigger
Code:
*******************************************************************
7C80B6C1 G> 8BFF mov edi,edi
7C80B6C3 55 push ebp
7C80B6C4 8BEC mov ebp,esp
7C80B6C6 837D 08 00 cmp dword ptr ss:[ebp+8],0
7C80B6CA 74 18 je short kernel32.7C80B6E4
7C80B6CC FF75 08 push dword ptr ss:[ebp+8]
7C80B6CF E8 C0290000 call kernel32.7C80E094
7C80B6D4 85C0 test eax,eax
7C80B6D6 74 08 je short kernel32.7C80B6E0
7C80B6D8 FF70 04 push dword ptr ds:[eax+4]
7C80B6DB E8 7D2D0000 call kernel32.GetModuleHandleW
7C80B6E0 5D pop ebp
7C80B6E1 C2 0400 retn 4 ;F2 here
*******************************************************************
Shift+F9 to run, look at the stack:
0125F180 7C80B749 RETURN to kernel32.7C80B749 from kernel32.GetModuleHandleA
0125F184 00000000
0125F188 7C80B724 RETURN to kernel32.7C80B724 from kernel32.7C80B742
0125F18C 7FFD6000
Shift+F9 to run, look at the stack:
0155F180 7C80B749 RETURN to kernel32.7C80B749 from kernel32.GetModuleHandleA
0155F184 00000000
0155F188 7C80B724 RETURN to kernel32.7C80B724 from kernel32.7C80B742
0155F18C 7FFD6000
Shift+F9 to run, look at the stack:
0012912C 00D0D7FD RETURN to 00D0D7FD from kernel32.GetModuleHandleA
00129130 00D4E3E8 ASCII "kernel32.dll"
00129134 00D50380 ASCII "VirtualAlloc"
Shift+F9 to run, look at the stack:
0012912C 00D0D81B RETURN to 00D0D81B from kernel32.GetModuleHandleA
00129130 00D4E3E8 ASCII "kernel32.dll"
00129134 00D50374 ASCII "VirtualFree"
Shift+F9 to run, look at the stack:
00128E78 00CDBED1 RETURN to 00CDBED1 from kernel32.GetModuleHandleA
00128E7C 00128FF4 ASCII "kernel32.dll"
00128E80 00000000
00128E84 004E3A48 UnPackMe.004E3A48
Now the breakpoint at the end of GetModuleHandleA can be removed; Ctrl+F9 to return to the caller
*********************************************************************************
00CDBECA 51 push ecx
00CDBECB FF15 E0B0D400 call dword ptr ds:[D4B0E0] ; kernel32.GetModuleHandleA
00CDBED1 8B55 F4 mov edx,dword ptr ss:[ebp-C]
// we return to here
00CDBED4 8B0D 4492D600 mov ecx,dword ptr ds:[D69244]
00CDBEDA 890491 mov dword ptr ds:[ecx+edx*4],eax
00CDBEDD 8B55 F4 mov edx,dword ptr ss:[ebp-C]
00CDBEE0 A1 4492D600 mov eax,dword ptr ds:[D69244]
00CDBEE5 833C90 00 cmp dword ptr ds:[eax+edx*4],0
00CDBEE9 75 5C jnz short 00CDBF47
00CDBEEB 8B4D F8 mov ecx,dword ptr ss:[ebp-8]
00CDBEEE 8B51 08 mov edx,dword ptr ds:[ecx+8]
00CDBEF1 83E2 02 and edx,2
00CDBEF4 74 38 je short 00CDBF2E
00CDBEF6 B8 1D000000 mov eax,1D
00CDBEFB C1E0 02 shl eax,2
00CDBEFE 8B0D DC6AD600 mov ecx,dword ptr ds:[D66ADC] ; UnPackMe.004E3A48
00CDBF04 8B15 DC6AD600 mov edx,dword ptr ds:[D66ADC] ; UnPackMe.004E3A48
00CDBF0A 8B35 DC6AD600 mov esi,dword ptr ds:[D66ADC] ; UnPackMe.004E3A48
00CDBF10 8B5E 50 mov ebx,dword ptr ds:[esi+50]
00CDBF13 335A 40 xor ebx,dword ptr ds:[edx+40]
00CDBF16 331C01 xor ebx,dword ptr ds:[ecx+eax]
00CDBF19 83E3 10 and ebx,10
00CDBF1C F7DB neg ebx
00CDBF1E 1BDB sbb ebx,ebx
00CDBF20 F7DB neg ebx
00CDBF22 0FB6C3 movzx eax,bl
00CDBF25 85C0 test eax,eax
00CDBF27 75 05 jnz short 00CDBF2E
00CDBF29 ^ E9 1BFFFFFF jmp 00CDBE49
00CDBF2E 8D8D C8FEFFFF lea ecx,dword ptr ss:[ebp-138]
00CDBF34 51 push ecx
00CDBF35 FF15 A4B0D400 call dword ptr ds:[D4B0A4] ; kernel32.LoadLibraryA
00CDBF3B 8B55 F4 mov edx,dword ptr ss:[ebp-C]
00CDBF3E 8B0D 4492D600 mov ecx,dword ptr ds:[D69244]
00CDBF44 890491 mov dword ptr ds:[ecx+edx*4],eax
00CDBF47 8B55 F4 mov edx,dword ptr ss:[ebp-C]
00CDBF4A A1 4492D600 mov eax,dword ptr ds:[D69244]
00CDBF4F 833C90 00 cmp dword ptr ds:[eax+edx*4],0
00CDBF53 75 05 jnz short 00CDBF5A ;MagicJmp ★ NOP it out
00CDBF55 ^ E9 EFFEFFFF jmp 00CDBE49
***************************************************************************************
Once this is done, the original code must be restored afterwards to get past the integrity check.
Place the cursor on this line:
00CDBF55 ^ E9 EFFEFFFF jmp 00CDBE49
Press Enter to follow it, arriving here:
00CDBE49 8B4D F8 mov ecx,dword ptr ss:[ebp-8]
00CDBE4C 83C1 0C add ecx,0C
00CDBE4F 894D F8 mov dword ptr ss:[ebp-8],ecx
00CDBE52 8B55 F4 mov edx,dword ptr ss:[ebp-C]
00CDBE55 83C2 01 add edx,1
00CDBE58 8955 F4 mov dword ptr ss:[ebp-C],edx
00CDBE5B 8B45 F8 mov eax,dword ptr ss:[ebp-8]
00CDBE5E 8338 00 cmp dword ptr ds:[eax],0
00CDBE61 0F84 70030000 je 00CDC1D7 ;place the cursor here, press Enter to follow, then set a hardware breakpoint on execution
00CDBE67 68 00010000 push 100
00CDBE6C 8D8D C8FEFFFF lea ecx,dword ptr ss:[ebp-138]
00CDBE72 51 push ecx
00CDBE73 8B55 F8 mov edx,dword ptr ss:[ebp-8]
00CDBE76 8B02 mov eax,dword ptr ds:[edx]
The code there:
00CDC1D7 /EB 03 jmp short 00CDC1DC ;set the hardware execution breakpoint here
00CDC1D9 |D6 salc
00CDC1DA |D6 salc
00CDC1DB |8F ??? ; Unknown command
F9; it breaks at 00CDC1D7. Restore the jump we NOPed out earlier.
Remove the hardware execution breakpoint.
BP CreateThread
Shift+F9; after it breaks, remove the breakpoint and press Alt+F9 to return
00CE7EAC 50 push eax ;we return to here; single-step with F8
00CE7EAD FF15 60B3D400 call dword ptr ds:[D4B360] ; kernel32.CloseHandle
00CE7EB3 5E pop esi
00CE7EB4 5B pop ebx
00CE7EB5 8BE5 mov esp,ebp
00CE7EB7 5D pop ebp
00CE7EB8 C3 retn
00D18B8F 83C4 04 add esp,4 ;the retn above returns to here
00D18B92 B9 9064D600 mov ecx,0D66490
00D18B97 E8 0450F8FF call 00C9DBA0
00D18B9C 0FB6C8 movzx ecx,al
00D18B9F 85C9 test ecx,ecx
00D18BA1 74 0C je short 00D18BAF
00D18BA3 6A 01 push 1
00D18BA5 B9 9064D600 mov ecx,0D66490
00D18BAA E8 A15EF9FF call 00CAEA50
00D18BAF C705 5C22D600 B804D5>mov dword ptr ds:[D6225C],0D504B8
00D18BB9 B9 3055D600 mov ecx,0D65530
00D18BBE E8 6D48FEFF call 00CFD430
00D18BC3 C745 F0 00000000 mov dword ptr ss:[ebp-10],0
00D18BCA 8D55 E8 lea edx,dword ptr ss:[ebp-18]
00D18BCD 52 push edx
00D18BCE 68 B08CD100 push 0D18CB0
00D18BD3 FF15 1861D600 call dword ptr ds:[D66118]
00D18BD9 83C4 08 add esp,8
00D18BDC A1 F46AD600 mov eax,dword ptr ds:[D66AF4]
00D18BE1 8945 E4 mov dword ptr ss:[ebp-1C],eax
00D18BE4 B9 20000000 mov ecx,20
00D18BE9 C1E1 02 shl ecx,2
00D18BEC 8B15 DC6AD600 mov edx,dword ptr ds:[D66ADC] ; UnPackMe.004E3A48
00D18BF2 A1 DC6AD600 mov eax,dword ptr ds:[D66ADC]
00D18BF7 8B35 DC6AD600 mov esi,dword ptr ds:[D66ADC] ; UnPackMe.004E3A48
00D18BFD 8B76 28 mov esi,dword ptr ds:[esi+28]
00D18C00 3370 40 xor esi,dword ptr ds:[eax+40]
00D18C03 33340A xor esi,dword ptr ds:[edx+ecx]
00D18C06 0375 E4 add esi,dword ptr ss:[ebp-1C]
00D18C09 8975 F4 mov dword ptr ss:[ebp-C],esi
00D18C0C 8B4D 08 mov ecx,dword ptr ss:[ebp+8]
00D18C0F 8339 00 cmp dword ptr ds:[ecx],0
00D18C12 75 3F jnz short 00D18C53 ;this jump is taken
00D18C14 8B15 DC6AD600 mov edx,dword ptr ds:[D66ADC] ; UnPackMe.004E3A48
00D18C1A A1 DC6AD600 mov eax,dword ptr ds:[D66ADC]
00D18C1F 8B4A 48 mov ecx,dword ptr ds:[edx+48]
00D18C22 3348 40 xor ecx,dword ptr ds:[eax+40]
00D18C25 8B15 DC6AD600 mov edx,dword ptr ds:[D66ADC] ; UnPackMe.004E3A48
00D18C2B 334A 10 xor ecx,dword ptr ds:[edx+10]
00D18C2E 894D E0 mov dword ptr ss:[ebp-20],ecx
00D18C31 8B45 08 mov eax,dword ptr ss:[ebp+8]
00D18C34 8B48 18 mov ecx,dword ptr ds:[eax+18]
00D18C37 51 push ecx
00D18C38 8B55 08 mov edx,dword ptr ss:[ebp+8]
00D18C3B 8B42 14 mov eax,dword ptr ds:[edx+14]
00D18C3E 50 push eax
00D18C3F 8B4D 08 mov ecx,dword ptr ss:[ebp+8]
00D18C42 8B51 10 mov edx,dword ptr ds:[ecx+10]
00D18C45 52 push edx
00D18C46 8B45 F4 mov eax,dword ptr ss:[ebp-C]
00D18C49 2B45 E0 sub eax,dword ptr ss:[ebp-20]
00D18C4C FFD0 call eax
00D18C4E 8945 FC mov dword ptr ss:[ebp-4],eax
00D18C51 EB 47 jmp short 00D18C9A
00D18C53 8B4D 08 mov ecx,dword ptr ss:[ebp+8] ; UnPackMe.004F1C58
00D18C56 8339 01 cmp dword ptr ds:[ecx],1
00D18C59 75 3F jnz short 00D18C9A
00D18C5B 8B15 DC6AD600 mov edx,dword ptr ds:[D66ADC] ; UnPackMe.004E3A48
00D18C61 A1 DC6AD600 mov eax,dword ptr ds:[D66ADC]
00D18C66 8B4A 48 mov ecx,dword ptr ds:[edx+48]
00D18C69 3348 40 xor ecx,dword ptr ds:[eax+40]
00D18C6C 8B15 DC6AD600 mov edx,dword ptr ds:[D66ADC] ; UnPackMe.004E3A48
00D18C72 334A 10 xor ecx,dword ptr ds:[edx+10]
00D18C75 894D DC mov dword ptr ss:[ebp-24],ecx
00D18C78 8B45 08 mov eax,dword ptr ss:[ebp+8]
00D18C7B 8B48 04 mov ecx,dword ptr ds:[eax+4]
00D18C7E 51 push ecx
00D18C7F 8B55 08 mov edx,dword ptr ss:[ebp+8]
00D18C82 8B42 08 mov eax,dword ptr ds:[edx+8]
00D18C85 50 push eax
00D18C86 6A 00 push 0
00D18C88 8B4D 08 mov ecx,dword ptr ss:[ebp+8]
00D18C8B 8B51 0C mov edx,dword ptr ds:[ecx+C]
00D18C8E 52 push edx
00D18C8F 8B45 F4 mov eax,dword ptr ss:[ebp-C]
00D18C92 2B45 DC sub eax,dword ptr ss:[ebp-24]
00D18C95 FFD0 call eax ;F8 all the way from above to here; F7 to step into this call and we land on the OEP
OEP:
004271B0 55 push ebp ;OEP
004271B1 8BEC mov ebp,esp
004271B3 6A FF push -1
004271B5 68 600E4500 push UnPackMe.00450E60
004271BA 68 C8924200 push UnPackMe.004292C8
004271BF 64:A1 00000000 mov eax,dword ptr fs:[0]
004271C5 50 push eax
004271C6 64:8925 00000000 mov dword ptr fs:[0],esp
004271CD 83C4 A8 add esp,-58
004271D0 53 push ebx
004271D1 56 push esi
004271D2 57 push edi
004271D3 8965 E8 mov dword ptr ss:[ebp-18],esp
004271D6 FF15 DC0A4600 call dword ptr ds:[460ADC] ; kernel32.GetVersion
004271DC 33D2 xor edx,edx
004271DE 8AD4 mov dl,ah
004271E0 8915 34E64500 mov dword ptr ds:[45E634],edx
004271E6 8BC8 mov ecx,eax
004271E8 81E1 FF000000 and ecx,0FF
004271EE 890D 30E64500 mov dword ptr ds:[45E630],ecx
004271F4 C1E1 08 shl ecx,8
004271F7 03CA add ecx,edx
......
Dump the process with LordPE, then
run ImportREC and select this process.
Change the OEP to 000271B0, click IAT AutoSearch, click Get Imports, Cut the invalid pointers padded between the DLLs, then Fix Dump; the dumped program runs normally.