PEID检测为“UltraProtect 1.x -> RISCO Software Inc.”,应该是 ACProtect 壳,试过几个脱壳机都脱不掉,找了好几个脱壳脚本也不行,按论坛相关教程,手脱,首先在DATA段设置内存访问断点,F9运行断下后,再BP GetModuleHandleA,F9运行断下后,取消该断点,返回很快就到了API处理的部分,如下:
004F023F 8B46 10 MOV EAX,DWORD PTR DS:[ESI+10]
004F0242 03C2 ADD EAX,EDX
004F0244 0385 CE784000 ADD EAX,DWORD PTR SS:[EBP+4078CE]
004F024A 8B18 MOV EBX,DWORD PTR DS:[EAX]
004F024C 8B7E 10 MOV EDI,DWORD PTR DS:[ESI+10]
004F024F 03FA ADD EDI,EDX
004F0251 03BD CE784000 ADD EDI,DWORD PTR SS:[EBP+4078CE]
004F0257 85DB TEST EBX,EBX
004F0259 0F84 02010000 JE KS.004F0361
004F025F F7C3 00000080 TEST EBX,80000000
004F0265 75 1D JNZ SHORT KS.004F0284
004F0267 90 NOP
004F0268 90 NOP
004F0269 90 NOP
004F026A 90 NOP
004F026B 03DA ADD EBX,EDX
004F026D 83C3 02 ADD EBX,2
004F0270 56 PUSH ESI
004F0271 57 PUSH EDI
004F0272 50 PUSH EAX
004F0273 8BF3 MOV ESI,EBX
004F0275 8BFB MOV EDI,EBX
004F0277 AC LODS BYTE PTR DS:[ESI]
004F0278 C0C0 03 ROL AL,3
004F027B AA STOS BYTE PTR ES:[EDI]
004F027C 803F 00 CMP BYTE PTR DS:[EDI],0
004F027F ^ 75 F6 JNZ SHORT KS.004F0277
004F0281 58 POP EAX
004F0282 5F POP EDI
004F0283 5E POP ESI
004F0284 3B9D D2784000 CMP EBX,DWORD PTR SS:[EBP+4078D2]
004F028A 7C 11 JL SHORT KS.004F029D
004F028C 90 NOP
004F028D 90 NOP
004F028E 90 NOP
004F028F 90 NOP
004F0290 83BD 72184000 00 CMP DWORD PTR SS:[EBP+401872],0
004F0297 75 0A JNZ SHORT KS.004F02A3
004F0299 90 NOP
004F029A 90 NOP
004F029B 90 NOP
004F029C 90 NOP
004F029D 81E3 FFFFFF0F AND EBX,0FFFFFFF
004F02A3 53 PUSH EBX
004F02A4 FFB5 CA784000 PUSH DWORD PTR SS:[EBP+4078CA]
004F02AA FF95 640D4100 CALL DWORD PTR SS:[EBP+410D64]
004F02B0 3B9D D2784000 CMP EBX,DWORD PTR SS:[EBP+4078D2]
004F02B6 7C 0F JL SHORT KS.004F02C7
004F02B8 90 NOP
004F02B9 90 NOP
004F02BA 90 NOP
004F02BB 90 NOP
004F02BC 60 PUSHAD
004F02BD 2BC0 SUB EAX,EAX
004F02BF 8803 MOV BYTE PTR DS:[EBX],AL
004F02C1 43 INC EBX
004F02C2 3803 CMP BYTE PTR DS:[EBX],AL
004F02C4 ^ 75 F9 JNZ SHORT KS.004F02BF
004F02C6 61 POPAD
004F02C7 0BC0 OR EAX,EAX
004F02C9 ^ 0F84 15FFFFFF JE KS.004F01E4
004F02CF 3B85 740D4100 CMP EAX,DWORD PTR SS:[EBP+410D74] ; 判断是否为 MessageBoxA 函数
004F02D5 74 20 JE SHORT KS.004F02F7 ; NOP掉
004F02D7 90 NOP
004F02D8 90 NOP
004F02D9 90 NOP
004F02DA 90 NOP
004F02DB 3B85 407E4000 CMP EAX,DWORD PTR SS:[EBP+407E40] ; 判断是否为 RegisterHotKey 函数
004F02E1 74 09 JE SHORT KS.004F02EC ; NOP掉
004F02E3 90 NOP
004F02E4 90 NOP
004F02E5 90 NOP
004F02E6 90 NOP
004F02E7 EB 14 JMP SHORT KS.004F02FD
004F02E9 90 NOP
004F02EA 90 NOP
004F02EB 90 NOP
004F02EC 8D85 AD7E4000 LEA EAX,DWORD PTR SS:[EBP+407EAD]
004F02F2 EB 09 JMP SHORT KS.004F02FD
004F02F4 90 NOP
004F02F5 90 NOP
004F02F6 90 NOP
004F02F7 8D85 C77E4000 LEA EAX,DWORD PTR SS:[EBP+407EC7]
004F02FD 56 PUSH ESI
004F02FE FFB5 CA784000 PUSH DWORD PTR SS:[EBP+4078CA]
004F0304 5E POP ESI
004F0305 39B5 6A184000 CMP DWORD PTR SS:[EBP+40186A],ESI
004F030B 74 15 JE SHORT KS.004F0322
004F030D 90 NOP
004F030E 90 NOP
004F030F 90 NOP
004F0310 90 NOP
004F0311 39B5 6E184000 CMP DWORD PTR SS:[EBP+40186E],ESI
004F0317 74 09 JE SHORT KS.004F0322
004F0319 90 NOP
004F031A 90 NOP
004F031B 90 NOP
004F031C 90 NOP
004F031D EB 03 JMP SHORT KS.004F0322
004F031F 90 NOP
004F0320 90 NOP
004F0321 90 NOP
004F0322 5E POP ESI
004F0323 60 PUSHAD
004F0324 8BD0 MOV EDX,EAX
004F0326 2BBD D2784000 SUB EDI,DWORD PTR SS:[EBP+4078D2]
004F032C 8BC7 MOV EAX,EDI
004F032E B9 01010000 MOV ECX,101
004F0333 8DBD 786D4000 LEA EDI,DWORD PTR SS:[EBP+406D78]
004F0339 F2:AF REPNE SCAS DWORD PTR ES:[EDI]
004F033B 0BC9 OR ECX,ECX
004F033D 74 13 JE SHORT KS.004F0352
004F033F 90 NOP
004F0340 90 NOP
004F0341 90 NOP
004F0342 90 NOP
004F0343 81E9 01010000 SUB ECX,101
004F0349 F7D1 NOT ECX
004F034B 89948D 78694000 MOV DWORD PTR SS:[EBP+ECX*4+406978],EDX
004F0352 61 POPAD
004F0353 8907 MOV DWORD PTR DS:[EDI],EAX ; 函数地址写入
004F0355 8385 CE784000 04 ADD DWORD PTR SS:[EBP+4078CE],4
004F035C ^ E9 CEFEFFFF JMP KS.004F022F
004F0361 83C6 14 ADD ESI,14
004F0364 8B95 D2784000 MOV EDX,DWORD PTR SS:[EBP+4078D2]
004F036A ^ E9 30FEFFFF JMP KS.004F019F
004F036F 8DBD 786D4000 LEA EDI,DWORD PTR SS:[EBP+406D78]
004F0375 33C0 XOR EAX,EAX
004F0377 B9 00010000 MOV ECX,100
004F037C F3:AB REP STOS DWORD PTR ES:[EDI] ; 4EA178
004F037E 60 PUSHAD ; F4到此处
004F037F E8 00000000 CALL KS.004F0384
004F0384 5E POP ESI
004F0385 83EE 06 SUB ESI,6
004F0388 B9 F9010000 MOV ECX,1F9
004F038D 29CE SUB ESI,ECX
004F038F BA 0715AAA4 MOV EDX,A4AA1507
004F0394 C1E9 02 SHR ECX,2
004F0397 83E9 02 SUB ECX,2
004F039A 83F9 00 CMP ECX,0
004F039D 7C 1A JL SHORT KS.004F03B9
004F039F 8B048E MOV EAX,DWORD PTR DS:[ESI+ECX*4]
004F03A2 8B5C8E 04 MOV EBX,DWORD PTR DS:[ESI+ECX*4+4]
004F03A6 33C3 XOR EAX,EBX
004F03A8 C1C0 1D ROL EAX,1D
004F03AB 33C2 XOR EAX,EDX
004F03AD 81F2 A7FBE7F4 XOR EDX,F4E7FBA7
004F03B3 89048E MOV DWORD PTR DS:[ESI+ECX*4],EAX
004F03B6 49 DEC ECX
004F03B7 ^ EB E1 JMP SHORT KS.004F039A
004F03B9 61 POPAD
004F03BA 61 POPAD
004F03BB E8 22D9FFFF CALL KS.004EDCE2
004F03C0 C3 RETN
到上面注释F4的位置后,在CODE段设置内存访问断点,断下后内容如下:
0046A5BC 68 044F4700 PUSH KS.00474F04
0046A5C1 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
0046A5C7 50 PUSH EAX
0046A5C8 8B4424 10 MOV EAX,DWORD PTR SS:[ESP+10]
0046A5CC 896C24 10 MOV DWORD PTR SS:[ESP+10],EBP
0046A5D0 8D6C24 10 LEA EBP,DWORD PTR SS:[ESP+10]
0046A5D4 2BE0 SUB ESP,EAX
0046A5D6 53 PUSH EBX
0046A5D7 56 PUSH ESI
0046A5D8 57 PUSH EDI
0046A5D9 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
0046A5DC 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP
0046A5DF 50 PUSH EAX
0046A5E0 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0046A5E3 C745 FC FFFFFFFF MOV DWORD PTR SS:[EBP-4],-1
0046A5EA 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX
0046A5ED 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
0046A5F0 64:A3 00000000 MOV DWORD PTR FS:[0],EAX
0046A5F6 C3 RETN ;此返回
0046A5F7 8B4D F0 MOV ECX,DWORD PTR SS:[EBP-10]
0046A5FA 64:890D 00000000 MOV DWORD PTR FS:[0],ECX
0046A601 59 POP ECX
0046A602 5F POP EDI
0046A603 5E POP ESI
0046A604 5B POP EBX
0046A605 C9 LEAVE
0046A606 51 PUSH ECX
0046A607 C3 RETN
一般ACProtect 壳第二次内存断点应该就到了OEP的位置,但该程序好像不是,到标记的那个返回,看到的是下面的代码:
004F21C9 60 PUSHAD
004F21CA E8 0C000000 CALL KS.004F21DB
004F21CF - E9 78197917 JMP 17C83B4C
004F21D4 ^ 74 E8 JE SHORT KS.004F21BE
004F21D6 0900 OR DWORD PTR DS:[EAX],EAX
004F21D8 0000 ADD BYTE PTR DS:[EAX],AL
004F21DA ^ 71 83 JNO SHORT KS.004F215F
004F21DC 04 24 ADD AL,24
004F21DE 06 PUSH ES
004F21DF C3 RETN
004F21E0 ^ EB EE JMP SHORT KS.004F21D0
004F21E2 7A 83 JPE SHORT KS.004F2167
004F21E4 C40474 LES EAX,FWORD PTR SS:[ESP+ESI*2] ; 段寄存器更改
004F21E7 F8 CLC
那个Call KS.004F21DB 只能单步进入,否则程序就运行,F7跟进后,里面的代码似乎还在解密,而且反反复复循环,跟了差不多一天还没摸着门道,哪位有兴趣的帮我看看怎么脱壳,脱壳的程序就不需要了,关键告诉我脱壳过程,现在正在学习脱壳,上午还按照教程手脱了ACProtect 壳,该程序应该是个ACProtect变种。
附件只是个主程序,完整下载地址在:http://www.onlinedown.net/soft/36975.htm
[培训]《安卓高级研修班(网课)》月薪三万计划,掌握调试、分析还原ollvm、vmp的方法,定制art虚拟机自动化脱壳的方法
