Unpacking target: a packed Win98 Notepad
PEiD: UltraProtect 1.x -> RISCO Software Inc.
The protector uses stolen code (the first instructions at the real OEP are lifted into the packer's own code; see step 6)
OllyDbg (OD) settings: Debugging Options > Exceptions, untick Memory access violation
StrongOD (SOD) settings, if you use the plugin: untick Skip Some Exceptions
Load the file in OD
0040D000 > 60 pushad ; breaks here (packer entry point)
0040D001 F9 stc
0040D002 87D6 xchg esi,edx
0040D004 72 03 jb short notepad9.0040D009
0040D006 73 01 jnb short notepad9.0040D009
0040D008 7A 81 jpe short notepad9.0040CF8B
1. Shift+F9 to run. Press it one time fewer than the number of presses it takes for the program to run away (count that on a first pass, then reload and stop at the last exception). You then stop here:
00415719 CD 01 int 1 ; breaks here
0041571B 40 inc eax
0041571C 40 inc eax
0041571D 0BC0 or eax,eax
0041571F 75 05 jnz short notepad9.00415726
2. Look at the stack window; on the SE handler entry, right-click > Follow in Disassembler
0012FF20 0012FFC4 Pointer to next SEH record
0012FF24 004156FD SE handler ; follow in disassembler
3. On the handler at 004156FD set a memory breakpoint on access (Breakpoint > Memory, on access), then press Shift+F9 three times
004156FD 8B5C24 0C mov ebx,dword ptr ss:[esp+C] ; memory breakpoint on access here; Shift+F9 three times. esp+C is the CONTEXT* argument of the SEH handler
00415701 8383 B8000000 0>add dword ptr ds:[ebx+B8],2 ; CONTEXT.Eip += 2: skip the int 1 that raised the exception
00415708 33C0 xor eax,eax ; ExceptionContinueExecution
0041570A C3 retn
0041570B 64:67:FF36 0000 push dword ptr fs:[0] ; re-register the handler for the next exception
00415711 64:67:8926 0000 mov dword ptr fs:[0],esp
00415717 33C0 xor eax,eax
4. After the third Shift+F9 it breaks at 00415761; delete the memory breakpoint, then select 00415769 and press F4 (run to selection)
00415761 89048E mov dword ptr ds:[esi+ecx*4],eax ; breaks here; delete the memory breakpoint
00415764 49 dec ecx
00415765 ^ EB E1 jmp short notepad9.00415748
00415767 61 popad
00415768 61 popad
00415769 C3 retn ; go to this line, F4
5. Alt+M (memory map), set a memory breakpoint on access on the .text section at 00401000 (F2 on that line), then Shift+F9
00401000 00004000 notepad .text code Imag R RWE
6. Because this program has stolen code, i.e. the packer has lifted the first instructions at the real OEP into its own code, the place we land is a fake OEP and we still have to find the real one
004010D2 56 push esi ; fake OEP
004010D3 FF15 E4634000 call dword ptr ds:[4063E4] ; notepad9.0040D1BA
004010D9 8BF0 mov esi,eax
004010DB 8A00 mov al,byte ptr ds:[eax]
004010DD 3C 22 cmp al,22
004010DF 75 1B jnz short notepad9.004010FC
7. Reload and repeat steps 1 to 4. Then Ctrl+T (set trace condition), tick the last option (command match) and enter push ebp, then Ctrl+F11 (Trace into). The trace stops on the stolen instructions, which execute from the packer's own code:
004254C9 55 push ebp ; the stolen code (what the write-up calls the "real OEP"): the program's real first instructions
004254CA 8BEC mov ebp,esp
004254CC 83EC 44 sub esp,44 ; copy these three instructions (6 bytes: 55 8B EC 83 EC 44; Binary > Binary copy)
8. Reload and repeat through step 6. From the fake OEP scroll up 5 lines to here
004010C7 000D 0A000051 add byte ptr ds:[5100000A],cl ; nop it out: this 6-byte junk instruction runs through 004010CC, so the paste site is not an instruction boundary until it is nopped
004010CD 46 inc esi
004010CE B4 E8 mov ah,0E8
004010D0 70 4B jo short notepad9.0040111D ; select 004010CC through 004010D0 (the 6 bytes 004010CC-004010D1, right up to push esi at the fake OEP) and Binary paste
9. After pasting, right-click the 004010CC line and choose New origin here; the restored prologue now falls straight through into push esi at 004010D2
004010CC 55 push ebp ; right-click > New origin here
004010CD 8BEC mov ebp,esp
004010CF 83EC 44 sub esp,44
10. LordPE: Dump full. ImportREC: enter OEP 000010CC (004010CC minus the image base), IAT AutoSearch, Get Imports, Show Invalid; resolve the invalid pointers with Trace Level3 (Trap), then Fix Dump
After the fix the program runs normally and PEiD reports Microsoft Visual C++ 6.0 SPx Method 1. Unpacking complete
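Steps 8 to 10 can also be done on the file instead of in OD: write the six stolen bytes into the LordPE dump at the paste site and point AddressOfEntryPoint at it, so "New origin here" survives the dump without re-running the packer. The script below is an added example written for this page, not the author's own tooling. It only uses addresses and bytes that appear in the listings above; the dump and output file names are assumptions, and the `build_test_dump` stand-in is a constructed one-section PE32 carrying the bytes shown around the fake OEP, not a real Notepad image. It does nothing for the IAT, so the ImportREC pass is still required.

```python
"""Restore the stolen prologue in a LordPE dump of the unpacked Notepad and fix its entry point.
Added example for this write-up; file names are assumptions, the stand-in image is constructed."""
import struct
import sys

# Stolen prologue recovered at 004254C9 in step 7: push ebp / mov ebp,esp / sub esp,44h
STOLEN_CODE = bytes.fromhex("558BEC83EC44")
IMAGE_BASE = 0x400000                    # notepad's image base, as in the OD listings
NEW_OEP_RVA = 0x4010CC - IMAGE_BASE      # paste site of step 8, "New origin here" of step 9
FAKE_OEP_RVA = 0x4010D2 - IMAGE_BASE     # push esi, the first instruction the packer left in place
GAP_START_RVA = 0x4010C7 - IMAGE_BASE    # junk instruction above the paste site, nop'd in step 8
NOP = 0x90


def parse_pe32(pe):
    """Return (optional-header offset, [(va, vsize, raw_ptr, raw_size), ...]) for a PE32 image."""
    if bytes(pe[:2]) != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if bytes(pe[e_lfanew:e_lfanew + 4]) != b"PE\0\0":
        raise ValueError("PE signature not found")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24                                   # COFF header is 20 bytes after "PE\0\0"
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled (the target is 32-bit)")
    sec_tbl = opt + size_opt
    sections = []
    for i in range(num_sections):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, sec_tbl + 40 * i + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    return opt, sections


def rva_to_offset(sections, rva):
    """Map an RVA to a file offset via the section table (works for aligned and flat dumps)."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return raw_ptr + (rva - va)
    raise ValueError(f"RVA {rva:#x} is not inside any section")


def restore_stolen_code(pe):
    """Steps 8/9 on disk: nop the junk, write the stolen bytes, set the entry point to 10CC."""
    buf = bytearray(pe)
    opt, sections = parse_pe32(buf)
    oep = struct.unpack_from("<I", buf, opt + 16)[0]       # AddressOfEntryPoint
    if oep != FAKE_OEP_RVA:
        raise ValueError(f"entry point is {oep:#x}, expected the fake OEP {FAKE_OEP_RVA:#x}")
    # The 6-byte junk instruction at 004010C7 straddles the paste site; nop it as the page does.
    gap, gap_len = rva_to_offset(sections, GAP_START_RVA), NEW_OEP_RVA - GAP_START_RVA
    buf[gap:gap + gap_len] = bytes([NOP]) * gap_len
    # The prologue must end exactly at the fake OEP so it falls through into push esi.
    assert NEW_OEP_RVA + len(STOLEN_CODE) == FAKE_OEP_RVA
    site = rva_to_offset(sections, NEW_OEP_RVA)
    buf[site:site + len(STOLEN_CODE)] = STOLEN_CODE
    struct.pack_into("<I", buf, opt + 16, NEW_OEP_RVA)     # "New origin here" for the file
    return bytes(buf)


def check_entry(pe):
    """Report what now sits at the entry point: its RVA, the 6 bytes there, and the byte after."""
    opt, sections = parse_pe32(pe)
    oep = struct.unpack_from("<I", pe, opt + 16)[0]
    off = rva_to_offset(sections, oep)
    return {"oep": oep, "prologue": pe[off:off + 6], "next": pe[off + 6]}


def build_test_dump():
    """Constructed stand-in for the LordPE dump: one .text section holding the bytes the
    listings show at 004010C7..004010D8, entry point at the fake OEP. Not a real Notepad."""
    text_va, text_raw, text_size = 0x1000, 0x400, 0x1000
    text = bytearray(text_size)
    text[0xC7:0xD9] = bytes.fromhex("000D0A000051" "46" "B4E8" "704B" "56" "FF15E4634000")
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<I", opt, 16, FAKE_OEP_RVA)          # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, IMAGE_BASE)
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)        # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, text_va + text_size, text_raw)  # SizeOfImage, SizeOfHeaders
    sec = struct.pack("<8sIIIIIIHHI", b".text", text_size, text_va, text_size, text_raw,
                      0, 0, 0, 0, 0x60000020)
    return bytes((dos + b"PE\0\0" + coff + opt + sec).ljust(text_raw, b"\0") + text)


if __name__ == "__main__":
    if len(sys.argv) == 3:        # python fix_stolen_code.py notepad9_dump.exe notepad9_fixed.exe
        with open(sys.argv[1], "rb") as f:
            fixed = restore_stolen_code(f.read())
        with open(sys.argv[2], "wb") as f:
            f.write(fixed)
    else:                         # no dump at hand: run on the constructed stand-in
        fixed = restore_stolen_code(build_test_dump())
    print(check_entry(fixed))
```

The entry-point check refuses a dump whose AddressOfEntryPoint is not the fake OEP, which catches both a dump taken before step 5 (entry still at the packer's 0040D000) and a dump that was already patched. Feed the result to ImportREC with OEP 000010CC exactly as in step 10; the script does not rebuild the import table.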