[分享]脱壳 eXPressor 1.7.0.1-加壳脱壳-看雪-安全社区|安全招聘|kanxue.com

[分享]脱壳 eXPressor 1.7.0.1

发表于: 2009-9-10 23:53 3930

[分享]脱壳 eXPressor 1.7.0.1

hxqlky

2009-9-10 23:53

3930

【文章标题】: 脱壳eXPressor 1.7.0.1
【文章作者】: hxqlky
【作者邮箱】: zmunlky@gmail.com
【作者主页】: http://www.x5dj.com/hxqlky
【软件名称】: unpackme
【下载地址】: 自己搜索下载
【加壳方式】: eXPressor 1.7.0.1
【保护方式】: eXPressor 1.7.0.1
【使用工具】: od,UIF，ImportRE
【作者声明】: 只是感兴趣，没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
  目标程序eXPressor 1.7.0.1  主程序
  Find IAT / Magic Jump /
  E8---- ff15
  00508AC3  /.  55          push ebp          载入程序
  00508AC4  |.  8BEC       mov ebp,esp
  00508AC6  |.  833D 1C805000>cmp dword ptr ds:[50801C],0
  00508ACD  |.  74 07       je short eXPresso.00508AD6
  00508ACF  |.  5D          pop ebp
  00508AD0  |.  FF25 20805000 jmp dword ptr ds:[508020]
  00508AD6  |>  8B45 08    mov eax,[arg.1]


  bp VirtualProtectEx    f9


  7C801A9C >  8BFF          mov edi,edi    看这里
  7C801A9E 55             push ebp
  7C801A9F 8BEC          mov ebp,esp
  7C801AA1 56             push esi
  7C801AA2 8B35 F412807C mov esi,dword ptr ds:[<&ntdll.NtProtectV>;

  ntdll.ZwProtectVirtualMemory
  7C801AA8 57             push edi
  7C801AA9 FF75 18       push dword ptr ss:[ebp+18]


  iat jmp



  打开内存搜索
  1，  E8????????83c40485c00f85
  2，  f38975fceb??ea????????????c9c3


  00D82DFA E8 9DEDFFFF    call 00D81B9C



  00D82DFA E8 9DEDFFFF    call 00D81B9C
  00D82DFF 83C4 04       add esp,4
  00D82E02 85C0          test eax,eax
  00D82E04 0F85 87000000 jnz 00D82E91          jmp

  bp VirtualProtectEx
  E8 9D ED FF FF 83 C4 04 85 C0 0F 85 87 00 00 00


  E8 9D ED FF FF 83 C4 04 85 C0 0F 85

  f38975fceb??ea????????????c9c3
  --------------------------------
  iat E8---- ff15 jmp

  00D83235 C600 E8       mov byte ptr ds:[eax],0E8
  00D83238 8B45 D4       mov eax,dword ptr ss:[ebp-2C]
  00D8323B 40             inc eax
  00D8323C 8945 D0       mov dword ptr ss:[ebp-30],eax
  00D8323F 50             push eax
  00D83240 E8 03000000    call 00D83248

  C6 00 E8 8B 45 D4 40 89 45 D0 50 E8 03 00 00 00

  c600e88b45d4408945d050e8
  00E53235 C600 E8       mov byte ptr ds:[eax],0E8
  C6 00 E8 8B 45 D4 40 89 45 D0 50 E8 03 00 00 00


  0012F6A0 7C80200B  /CALL 到 VirtualProtectEx 来自 kernel32.7C802006
  0012F6A4 FFFFFFFF  |hProcess = FFFFFFFF
  0012F6A8 0046D108  |Address = eXPresso.0046D108 跟随数据窗口
  0012F6AC 00000004  |Size = 4
  0012F6B0 00000040  |NewProtect = PAGE_EXECUTE_READWRITE
  0012F6B4 0012FD60  \pOldProtect = 0012FD60

  0046D100  00000000  ....
  0046D104  7C822311  #倈 kernel32.SetEvent
  0046D108  7C837A5F  _z億 kernel32.SuspendThread  iat 出现

  f9 继续

  00E53235 C600 E8       mov byte ptr ds:[eax],0E8 f9 来到这里
  00E53238 8B45 D4       mov eax,dword ptr ss:[ebp-2C]
  00E5323B 40             inc eax
  00E5323C 8945 D0       mov dword ptr ss:[ebp-30],eax
  00E5323F 50             push eax
  00E53240 E8 03000000    call 00E53248
  00E53245 01EB          add ebx,ebp


  0046CFFC  00000000  ....                         iat  0
  0046D000  77F470F9  鵳魒 advapi32.RegOpenKeyA
  0046D004  77F4E0AE  魒 advapi32.RegOpenKeyExA
  0046D008  77F3D96E  n袤w advapi32.RegDeleteValueA

  00401D0E 40             inc eax                      看这里
  00401D0F FA             cli
  00401D10 6A 6C          push 6C
  00401D12  ^ E0 C7          loopdne short eXPresso.00401CDB
  00401D14 0FB75424 1E    movzx edx,word ptr ss:[esp+1E]
  00401D19 52             push edx
  00401D1A E8 2FE40400    call eXPresso.0045014E
  00401D1F 83C4 04       add esp,4

  EAX 00401D0E eXPresso.00401D0E 看这里
  ECX 00401D0E eXPresso.00401D0E
  EDX 00000001
  EBX 7FFD9000
  ESP 0012F688


  EBP-28 > 00484D94  ASCII "kernel32.dll"
  EBP-24 > 7C800000  kernel32.7C800000
  EBP-20 > 00E5AEF2
  EBP-1C > 00CF0000
  EBP-18 > 7C832609  kernel32.GetLocalTime    看这里

  脚本修复E8---- ff15
  var iatadd
  var iattx
  var begin
  mov begin,eip
  start:
  mov iatadd,[ebp-18]
  mov iattx,eax
  esto
  cmp eip,begin
  jne end
  mov [iattx],15ff
  find 0046CFFC,iatadd
  mov iatadd, $RESULT
  add iattx,2
  mov [iattx],iatadd
  jmp  start
  end:
  msg "hxqlky"


  00454573 6A 60          push 60                   oep
  00454575 68 C0324800    push eXPresso.004832C0
  0045457A E8 B5060000    call eXPresso.00454C34
  0045457F 8365 FC 00    and dword ptr ss:[ebp-4],0
  00454583 8D45 90       lea eax,dword ptr ss:[ebp-70]
  00454586 50             push eax
  00454587 FF15 D0D24600 call dword ptr ds:[46D2D0]             ; kernel32.GetStartupInfoA
  0045458D C745 FC FEFFFFF>mov dword ptr ss:[ebp-4],-2
  00454594 BF 94000000    mov edi,94
  00454599 57             push edi
  0045459A 6A 00          push 0
  0045459C 8B1D D8D14600 mov ebx,dword ptr ds:[46D1D8]          ; kernel32.GetProcessHeap
  004545A2 FFD3          call ebx
  004545A4 50             push eax
  004545A5 FF15 9CD14600 call dword ptr ds:[46D19C]             ; ntdll.RtlAllocateHeap
  004545AB 8BF0          mov esi,eax
  004545AD 85F6          test esi,esi
  004545AF 75 0D          jnz short eXPresso.004545BE
  004545B1 6A 12          push 12
  004545B3 E8 56FFFFFF    call eXPresso.0045450E
  004545B8 59             pop ecx
  004545B9 E9 8A010000    jmp eXPresso.00454748

--------------------------------------------------------------------------------
【版权声明】: 本文原创于看雪技术论坛, 转载请注明作者并保持文章的完整, 谢谢!

                                                   2009年09月10日 23:47:53

[课程]Linux pwn 探索篇！

收藏・0

免费・0

支持