首页
社区
课程
招聘
[原创] 手脱Armadillo 5.0 (Standard + Debug-Blocker).学习笔记.
发表于: 2009-7-2 16:08 6951

[原创] 手脱Armadillo 5.0 (Standard + Debug-Blocker).学习笔记.

2009-7-2 16:08
6951

【文章标题】: 手脱Armadillo 5.0 (Standard + Debug-Blocker).学习笔记.
【文章作者】: wuhanqi
【作者邮箱】: wuhanqi@qq.com
【软件名称】: 一个unpackme
【下载地址】: 自己搜索下载
【加壳方式】: Armadillo 5.0 (Standard + Debug-Blocker)
【编写语言】: Delphi
【使用工具】: OD.ImportREC.LordPE.Arma Detach.PEID 0.94.FastScanner 2.1
【操作平台】: 盗版XP3
【作者声明】: 小菜一个.高手别笑话我哦~嘿嘿.
--------------------------------------------------------------------------------
【详细过程】
  废话不多说.进入正题.脱壳目标为一个unpackme.
  
  FastScan 2.1 查壳为 Microsoft Visual C++ 8
  PEID 0.94 查壳为 Armadillo V5.0X -> Silicon Realms Toolworks   * Sign.By.fly *
  
  首先运行Armadillo Process Detach.将unpackme脱入Arma Detach中。
  会显示内容如下:
  DONE!
  Child process ID: 000002C8
  Entry point: 004A2DC2
  Original bytes: E8E3
  
  这时我们打开一个od.文件--附加.然后选中PID为2C8的进程.即为Armadillo的子进程.
  我们载入后.F9.再F12.便断到如下代码处:
  

  004A2DC2 >- EB FE           JMP SHORT <ModuleEntryPoint>
  004A2DC4    40              INC EAX
  004A2DC5    0000            ADD BYTE PTR DS:[EAX],AL
  004A2DC7  ^ E9 16FEFFFF     JMP 004A2BE2
  004A2DCC    6A 0C           PUSH 0C
  004A2DCE    68 B0104D00     PUSH 004D10B0
  004A2DD3    E8 44150000     CALL 004A431C
  004A2DD8    8B4D 08         MOV ECX,DWORD PTR SS:[EBP+8]
  004A2DDB    33FF            XOR EDI,EDI
  004A2DDD    3BCF            CMP ECX,EDI
  004A2DDF    76 2E           JBE SHORT 004A2E0F
  004A2DE1    6A E0           PUSH -20
  004A2DE3    58              POP EAX
  004A2DE4    33D2            XOR EDX,EDX
  004A2DE6    F7F1            DIV ECX
  004A2DE8    3B45 0C         CMP EAX,DWORD PTR SS:[EBP+C]
  
  004A2DC2 >  E8 E3400000     CALL 004A6EAA
  004A2DC7  ^ E9 16FEFFFF     JMP 004A2BE2
  004A2DCC    6A 0C           PUSH 0C
  004A2DCE    68 B0104D00     PUSH 004D10B0
  004A2DD3    E8 44150000     CALL 004A431C
  004A2DD8    8B4D 08         MOV ECX,DWORD PTR SS:[EBP+8]
  004A2DDB    33FF            XOR EDI,EDI
  004A2DDD    3BCF            CMP ECX,EDI
  004A2DDF    76 2E           JBE SHORT 004A2E0F
  004A2DE1    6A E0           PUSH -20
  004A2DE3    58              POP EAX
  004A2DE4    33D2            XOR EDX,EDX
  004A2DE6    F7F1            DIV ECX
  004A2DE8    3B45 0C         CMP EAX,DWORD PTR SS:[EBP+C]
  
  0012F648   0048E8F7  /CALL to VirtualProtect from UnpackMe.0048E8F1
  0012F64C   00EB1000  |Address = 00EB1000
  0012F650   0006C82C  |Size = 6C82C (444460.)
  0012F654   00000040  |NewProtect = PAGE_EXECUTE_READWRITE
  0012F658   0012F67C  \pOldProtect = 0012F67C
  
  0012F648   0048E8F7  /CALL to VirtualProtect from UnpackMe.0048E8F1
  0012F64C   00F1E000  |Address = 00F1E000
  0012F650   000088F4  |Size = 88F4 (35060.)
  0012F654   00000002  |NewProtect = PAGE_READONLY
  0012F658   0012F67C  \pOldProtect = 0012F67C
  
  0012F648   0048E8F7  /CALL to VirtualProtect from UnpackMe.0048E8F1
  0012F64C   00F27000  |Address = 00F27000
  0012F650   00012AC4  |Size = 12AC4 (76484.)
  0012F654   00000004  |NewProtect = PAGE_READWRITE
  0012F658   0012F67C  \pOldProtect = 0012F67C
  
  0012F648   0048E8F7  /CALL to VirtualProtect from UnpackMe.0048E8F1
  0012F64C   00F3A000  |Address = 00F3A000
  0012F650   000024C0  |Size = 24C0 (9408.)
  0012F654   00000002  |NewProtect = PAGE_READONLY
  0012F658   0012F67C  \pOldProtect = 0012F67C
  
  0012F648   0048E8F7  /CALL to VirtualProtect from UnpackMe.0048E8F1
  0012F64C   00F3D000  |Address = 00F3D000
  0012F650   00006464  |Size = 6464 (25700.)
  0012F654   00000002  |NewProtect = PAGE_READONLY
  0012F658   0012F67C  \pOldProtect = 0012F67C
  
  00129470   00EF9946  /CALL to VirtualProtect from 00EF9940
  00129474   00401000  |Address = UnpackMe.00401000
  00129478   0005B000  |Size = 5B000 (372736.)
  0012947C   00000004  |NewProtect = PAGE_READWRITE
  00129480   0012C164  \pOldProtect = 0012C164
  
  00129470   00EF9991  /CALL to VirtualProtect from 00EF998B
  00129474   00401000  |Address = UnpackMe.00401000
  00129478   0005B000  |Size = 5B000 (372736.)
  0012947C   00000020  |NewProtect = PAGE_EXECUTE_READ
  00129480   0012C164  \pOldProtect = 0012C164
  
  00129470   00EF9946  /CALL to VirtualProtect from 00EF9940
  00129474   0045C000  |Address = UnpackMe.0045C000
  00129478   00002000  |Size = 2000 (8192.)
  0012947C   00000004  |NewProtect = PAGE_READWRITE
  00129480   0012C164  \pOldProtect = 0012C164
  
  00129470   00EF9991  /CALL to VirtualProtect from 00EF998B
  00129474   0045C000  |Address = UnpackMe.0045C000
  00129478   00002000  |Size = 2000 (8192.)
  0012947C   00000004  |NewProtect = PAGE_READWRITE
  00129480   0012C164  \pOldProtect = 0012C164
  
  00129470   00EF9946  /CALL to VirtualProtect from 00EF9940
  00129474   0045F000  |Address = UnpackMe.0045F000
  00129478   00003000  |Size = 3000 (12288.)
  0012947C   00000004  |NewProtect = PAGE_READWRITE
  00129480   0012C164  \pOldProtect = 0012C164
  
  00129470   00EF9991  /CALL to VirtualProtect from 00EF998B
  00129474   0045F000  |Address = UnpackMe.0045F000
  00129478   00003000  |Size = 3000 (12288.)
  0012947C   00000004  |NewProtect = PAGE_READWRITE
  00129480   0012C164  \pOldProtect = 0012C164
  
  00129470   00EFA814  /CALL to VirtualProtect from 00EFA80E
  00129474   0045F118  |Address = UnpackMe.0045F118
  00129478   0000008C  |Size = 8C (140.)    <<--我们一直shift+f9.直到size显示为8c.这样.我们就到了关键处.
  0012947C   00000004  |NewProtect = PAGE_READWRITE
  00129480   0012C028  \pOldProtect = 0012C028
  
  00EFA814    6A 14           PUSH 14                            <<--这里有像之前穿山甲版本一样的push 14.
  00EFA816    E8 FBCA0000     CALL 00F07316
  00EFA81B    83C4 04         ADD ESP,4
  00EFA81E    8985 84ABFFFF   MOV DWORD PTR SS:[EBP+FFFFAB84],EAX
  00EFA824    83BD 84ABFFFF 0>CMP DWORD PTR SS:[EBP+FFFFAB84],0
  00EFA82B    74 59           JE SHORT 00EFA886
  00EFA82D    8B0D EC53F300   MOV ECX,DWORD PTR DS:[F353EC]
  00EFA833    898D 10AAFFFF   MOV DWORD PTR SS:[EBP+FFFFAA10],ECX
  00EFA839    8B95 74D8FFFF   MOV EDX,DWORD PTR SS:[EBP-278C]
  00EFA83F    0395 78D3FFFF   ADD EDX,DWORD PTR SS:[EBP-2C88]
  00EFA845    8B85 84ABFFFF   MOV EAX,DWORD PTR SS:[EBP+FFFFAB84]
  00EFA84B    8910            MOV DWORD PTR DS:[EAX],EDX
  

[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)

上传的附件:
收藏
免费 7
支持
分享
最新回复 (3)
雪    币: 246
活跃值: (17)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
2

2009-7-2 16:32
0
雪    币: 164
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
3
学习了。。。。。
2009-7-2 21:05
0
雪    币: 474
活跃值: (96)
能力值: ( LV3,RANK:20 )
在线值:
发帖
回帖
粉丝
4
厉害,学习!
2009-7-4 09:54
0
游客
登录 | 注册 方可回帖
返回
//