ILProtector 22.15 壳的脱法研究
手里有一个 .NET 程序,加的是 ILProtector 的混淆,用 de4dot 干不掉,找了专用脱壳机也不行,于是在网上搜了一下相应资料,找到了 wwh1004 大牛的 [.NET]详解ILProtector并写出脱壳机 https://www.52pojie.cn/thread-824381-1-1.html,但由于水平有限,未能实现脱壳,但已导出检测 hook 函数的伪代码,通过对比感觉和 ILProtector 22.15 的相似,希望看到本贴的大牛对如何脱掉此壳指点一二,也欢迎更多的高手尝试脱壳。程序地址 https://pan.baidu.com/s/1vpzg-3iz-yKnsTfvQmWt-A 提取码:ie65
下面是 v22.15 检测 hook 函数的伪码(不知找的对不对哈)
// Hex-Rays pseudocode (posted as the suspected hook-check routine of the native
// ILProtector runtime, 32-bit). Everything below is decompiler output, not compilable C:
// `_DWORD`/`_BYTE`/`LOBYTE`/`__PAIR__`/`qmemcpy` are IDA helpers, the `vNN` names are
// stack slots, and several "locals" (v47..v54, pv/v70/v71/v72, v81..v85) are only
// adjacent stack bytes the decompiler did not fold into one struct or VARIANT.
//
// What the visible code establishes about the parameters:
//  - a1 (v63), a2 (v66): pointers to interface pointers; a2's object may be NULL
//    (that case jumps straight to LABEL_80), a1's may not.
//  - a3 (v80): a context object; callback objects are fetched from sub-objects at +52/+56.
//  - a4: pointer to an interface pointer that is AddRef'd and packed into a SAFEARRAY.
//  - a5, a6: flag values; only `a6 & 2` is tested here.
//  - a7: declared LONG but used as a pointer to an output record: a flag word at +100 is
//    read, fields +36..+96 are written on the success path.
//  - a8 (v64): receives a freshly allocated 12-byte record.
//  - a9 (v74), a10 (v75): pointers to VARIANTs whose vt must be VT_UNKNOWN (13).
// Returns v79: 1 only when every callback succeeded and the final byte check passed; else 0.
//
// NOTE(review): after undoing the XOR masking on the literal comparisons, the routine
// (a) saves the first 8 code bytes of two resolved functions into the output record,
// (b) follows exactly one x86 `jmp rel32` (opcode 0xE9) from the first of them and saves
//     the target's first 8 bytes too, and
// (c) requires the bytes 55 8B EC (`push ebp; mov ebp, esp`) at a third address.
// Saving original bytes and insisting on an intact prologue is consistent with the
// "hook detection" the poster is looking for, but nothing in this function shows what
// the caller does with the saved bytes -- confirm in the caller before relying on it.
char __fastcall sub_1002BCA0(int a1, int a2, int a3, int *a4, int a5, char a6, LONG a7, LONG **a8, int a9, int a10){
// Decompiler-named temporaries; the "// edi@1" suffixes are IDA's register/basic-block hints.
int v10; // edi@1
int v11; // edi@6
SAFEARRAY *v12; // edi@10
int v13; // eax@10
HRESULT v14; // edi@12
int v15; // edi@13
int v16; // eax@13
int v17; // eax@17
int v18; // edx@18
char v19; // al@21
int *v20; // edx@30
int v21; // edi@32
int v22; // edi@32
int *v23; // ecx@33
int v24; // edx@35
LONG *v25; // eax@37
int v26; // edi@40
char v27; // al@47
int v28; // esi@51
SAFEARRAY *v29; // eax@51
void (__stdcall *v30)(VARIANTARG *); // edi@51
int v31; // eax@52
int v32; // esi@57
SAFEARRAY *v33; // eax@57
int v34; // edx@57
int v35; // edi@58
int (__stdcall *v36)(LONG, _DWORD); // esi@58
int v37; // eax@58
LONG **v38; // ecx@58
int v39; // eax@58
int v40; // eax@62
int v41; // ecx@64
int v42; // edx@64
_DWORD *v43; // eax@64
int v44; // esi@65
int v45; // eax@67
// v47..v54: 32 contiguous stack bytes used as a by-value argument block for the
// sub_1002DA60 / sub_1002CC70 / sub_100238D0 / v67 calls (filled by qmemcpy or
// field-by-field below).
char v47; // @21
int v48; // @21
int v49; // @21
int v50; // @21
int v51; // @21
int v52; // @21
int v53; // @21
VARIANTARG *v54; // @21
// pvarg / v55: VARIANTs filled by the callbacks; both are cleared on every exit path.
VARIANTARG v55; // @1
VARIANTARG v56; // @51
int v57; // @19
// psa: the SAFEARRAY built at LABEL_80; destroyed at LABEL_71.
SAFEARRAY *psa; // @10
int v59; // @1
int v60; // @1
int v61; // @1
int v62; // @1
int v63; // @1
LONG **v64; // @1
VARIANTARG pvarg; // @1
int v66; // @1
// v67: function pointer resolved by sub_100242A0 and later published at a7+36.
int (__stdcall *v67)(int, int, int, VARIANTARG *); // @1
LONG v68; // @1
// pv + v70 + v71 + v72: four adjacent dwords used as one 16-byte VARIANT
// (LOWORD(pv) is its vt); see the v51..v54 copies and the VariantClear((VARIANTARG *)&pv) calls.
int pv; // @10
int v70; // @32
SAFEARRAY *v71; // @10
VARIANTARG *v72; // @30
int *v73; // @21
int v74; // @1
int v75; // @1
LONG rgIndices; // @1
int v77; // @1
int v78; // @1
// v79: the return value; stays 0 unless the final prologue check passes.
char v79; // @1
int v80; // @1
// v81..v85: another 32-byte argument record; the VARIANTARG fields of v85 are just the
// decompiler's view of those stack bytes, not a real VARIANT.
int v81; // @21
int *v82; // @21
VARIANTARG *v83; // @21
VARIANTARG *v84; // @21
VARIANTARG v85; // @21
// v86: looks like MSVC exception-handling state bookkeeping (stepped through 3..12 around
// calls, 0 then -1 at exit) -- TODO confirm against the asm.
int v86; // @1
v80 = a3;
v63 = a1;
v66 = a2;
v64 = a8;
v74 = a9;
v75 = a10;
v79 = 0;
rgIndices = 0;
v77 = 0;
v86 = 0;
v78 = 0;
v62 = 0;
v60 = 0;
v67 = 0;
v61 = 0;
v59 = 0;
v68 = 0;
VariantInit(&pvarg);
VariantInit(&v55);
LOBYTE(v86) = 3;
// Dereference a1. A null interface pointer goes to sub_1007C060 with -2147467261 ==
// 0x80004003 (E_POINTER); that helper presumably does not return, since v10 is
// dereferenced right after without a re-check.
v10 = *(_DWORD *)v63;
if ( !*(_DWORD *)v63 )
sub_1007C060(-2147467261);
// Dead as rendered: v77 was zeroed above. Vtable slot +8 is IUnknown::Release in the
// standard COM layout, so this reads as "release any previous v77".
if ( v77 )
(*(void (__stdcall **)(int))(*(_DWORD *)v77 + 8))(v77);
v77 = 0;
// Vtable slot +72 on a1's object, with &v77 as an out-parameter; treated as an HRESULT.
if ( (*(int (__stdcall **)(int, int *))(*(_DWORD *)v10 + 72))(v10, &v77) >= 0 )
{
// Same sequence for a2, which is optional: a null object skips straight to LABEL_80.
v11 = *(_DWORD *)v66;
if ( !*(_DWORD *)v66 )
goto LABEL_80;
if ( v78 )
(*(void (__stdcall **)(int))(*(_DWORD *)v78 + 8))(v78);
v78 = 0;
if ( (*(int (__stdcall **)(int, int *))(*(_DWORD *)v11 + 72))(v11, &v78) >= 0 )
{
LABEL_80:
// Build a 1-element SAFEARRAY of VARIANT (0xC = VT_VARIANT) whose element is *a4
// tagged vt 9 (VT_DISPATCH); *a4 is AddRef'd first (vtable slot +4).
v12 = SafeArrayCreateVector(0xCu, 0, 1u);
v13 = *a4;
psa = v12;
rgIndices = 0;
LOWORD(pv) = 9;
v71 = (SAFEARRAY *)v13;
if ( v13 )
(*(void (__stdcall **)(int))(*(_DWORD *)v13 + 4))(v13);
v14 = SafeArrayPutElement(v12, &rgIndices, &pv);
VariantClear((VARIANTARG *)&pv);
if ( v14 < 0 )
goto LABEL_71;
// Callback: slot +156 on the object stored at ((a3+56)+156) receives the array and
// must leave a VT_UNKNOWN (13) in pvarg. `& 0xFFF` strips the VT_ARRAY/VT_BYREF bits.
v15 = v80;
v16 = *(_DWORD *)(*(_DWORD *)(v80 + 56) + 156);
if ( !v16 )
sub_1007C060(-2147467261);
if ( (*(int (__stdcall **)(int, SAFEARRAY *, VARIANTARG *))(*(_DWORD *)v16 + 156))(v16, psa, &pvarg) < 0 )
goto LABEL_71;
if ( (pvarg.vt & 0xFFF) != 13 )
goto LABEL_71;
// Bit 0 of the flag word at a7+100 is mandatory; bit 1 relaxes the `a6 & 2` gate below.
v17 = *(_DWORD *)(a7 + 100);
if ( !(v17 & 1) )
goto LABEL_71;
v18 = *(_DWORD *)(v15 + 56);
// Two alternative preparation paths, selected by a byte flag at (a3+56)+8; both
// converge on LABEL_30.
if ( *(_BYTE *)(v18 + 8) )
{
v57 = a5;
if ( !(a6 & 2) || v17 & 2 )
{
// Fill the v81..v85 record (a3, &a5 copy, &pvarg, &v55, &v77, a9, &v78, a10) and
// hand it by value to sub_1002DA60 / sub_1002CC70 via the v47..v54 copy.
v82 = &v57;
v83 = &pvarg;
v84 = &v55;
*(_DWORD *)&v85.vt = &v77;
*(_QWORD *)&v85.decVal.Hi32 = __PAIR__(&v78, v74);
v81 = v15;
v85.cyVal.Hi = v75;
qmemcpy(&v47, &v81, 0x20u);
sub_1002DA60(&v83, v47, v48, v49, v50, v51, v52, v53, v54);
LOBYTE(v86) = 4;
v73 = &v49;
sub_100254A0();
v19 = sub_1002CC70(v49, v50, v51, v52, v53, v54);
LOBYTE(v86) = 3;
if ( !v19 )
{
sub_10012D00();
goto LABEL_71;
}
sub_10012D00();
v15 = v80;
LABEL_30:
// Second VARIANT (vt 20 = VT_I8) assembled in pv/v70/v71/v72. Its payload is a7 XOR-ed
// with 0x4B4F4F4C and 0x45524548, which are the little-endian ASCII strings "LOOK" and
// "HERE". a7 is a 32-bit LONG here, so the `>> 32` half is only sign bits as rendered.
LOWORD(pv) = 20;
v71 = (SAFEARRAY *)(a7 ^ 0x4B4F4F4C);
v72 = (VARIANTARG *)(((unsigned __int64)a7 >> 32) ^ 0x45524548);
LOBYTE(v86) = 5;
// Callback: slot +100 on the object at ((a3+56)+148) gets pvarg and the pv VARIANT by
// value (four dwords each).
v20 = *(int **)(*(_DWORD *)(v15 + 56) + 148);
if ( !v20 )
sub_1007C060(-2147467261);
v21 = *v20;
v51 = pv;
v52 = v70;
v53 = (int)v71;
v54 = v72;
*(_DWORD *)&v47 = *(_DWORD *)&pvarg.vt;
*(_QWORD *)&v48 = *(_QWORD *)&pvarg.decVal.Hi32;
v22 = (*(int (__stdcall **)(int *, _DWORD, ULONG, LONG, __int32, int, int, SAFEARRAY *, VARIANTARG *))(v21 + 100))(
v20,
*(_DWORD *)&pvarg.vt,
pvarg.decVal.Hi32,
pvarg.lVal,
pvarg.cyVal.Hi,
pv,
v70,
v71,
v72);
LOBYTE(v86) = 3;
VariantClear((VARIANTARG *)&pv);
if ( v22 >= 0 )
{
// Callback: slot +100 on the object at ((a3+56)+152) gets pvarg and v55 by value;
// bit 0 of a7+100 is re-checked afterwards.
v23 = *(int **)(*(_DWORD *)(v80 + 56) + 152);
if ( !v23 )
sub_1007C060(-2147467261);
v24 = *v23;
*(VARIANTARG *)&v51 = v55;
*(VARIANTARG *)&v47 = pvarg;
if ( (*(int (__stdcall **)(int *, _DWORD, ULONG, LONG, __int32, _DWORD, ULONG, LONG, __int32))(v24 + 100))(
v23,
*(_DWORD *)&pvarg.vt,
pvarg.decVal.Hi32,
pvarg.lVal,
pvarg.cyVal.Hi,
*(_DWORD *)&v55.vt,
v55.decVal.Hi32,
v55.lVal,
v55.cyVal.Hi) >= 0
&& *(_BYTE *)(a7 + 100) & 1 )
{
// 12-byte record returned through a8. As rendered, v25 is overwritten with a7 and
// then 0 before being stored, which would make *a8 and the sub_1002C4F0 argument
// NULL -- almost certainly a decompiler artefact for writes to v25[1] / v25[2].
// Check the asm before trusting these three lines.
v25 = (LONG *)operator new(0xCu);
if ( v25 )
{
*v25 = pvarg.lVal;
v25 = a7;
v25 = 0;
}
else
{
v25 = 0;
}
v26 = v80;
*v64 = v25;
if ( (unsigned __int8)sub_1002C4F0(v25) )
{
// Resolve helpers, all of which must succeed: sub_100240C0 on a1 and (if present) a2
// -> v62 / v60, sub_100242A0 -> v67 (a function pointer used below), sub_1002CFB0 -> v61.
if ( (!*(_DWORD *)v63 || (unsigned __int8)sub_100240C0(v26, v63, (int)&v62))
&& (!*(_DWORD *)v66 || (unsigned __int8)sub_100240C0(v26, v66, (int)&v60))
&& (unsigned __int8)sub_100242A0(v26, *(_DWORD *)(v26 + 56) + 28, *(_DWORD *)(v26 + 52) + 192, &v67)
&& (unsigned __int8)sub_1002CFB0(v26, *(_DWORD *)(v26 + 56) + 32, (int)&v61) )
{
// Another argument record (off_1009091C, a3, &v59, &v83) for sub_100238D0.
v83 = (VARIANTARG *)off_1009091C;
v84 = (VARIANTARG *)v26;
*(_DWORD *)&v85.vt = &v59;
v85.lVal = (LONG)&v83;
LOBYTE(v86) = 6;
v73 = &v49;
sub_100254A0();
v27 = sub_100238D0(v49, v50, v51, v52, v53, v54);
LOBYTE(v86) = 3;
if ( v27 )
{
sub_10012D00();
// First target: requires a1's object and a VT_UNKNOWN in *a9; v67 turns it into a
// code address v28.
if ( *(_DWORD *)v63 && (*(_WORD *)v74 & 0xFFF) == 13 )
{
v73 = &v51;
v68 = -1;
sub_1001C380(v74);
v28 = v67(v51, v52, v53, v54);
VariantInit((VARIANTARG *)&pv);
VariantInit(&v85);
LOBYTE(v86) = 8;
// pv becomes VT_ARRAY|VT_VARIANT (0x200C = 8204) wrapping a 1-element array whose
// single element is VT_INT (22) with value -1; passed to sub_10025210 with a3.
LOWORD(pv) = 8204;
v29 = SafeArrayCreateVector(0xCu, 0, 1u);
v56.vt = 22;
v71 = v29;
rgIndices = 0;
v56.lVal = -1;
SafeArrayPutElement(v29, &rgIndices, &v56);
v30 = (void (__stdcall *)(VARIANTARG *))VariantClear;
VariantClear(&v56);
sub_10025210(v80, &pv, (int)&v85);
// Save the first 8 code bytes of v28 into the output record (+56/+60).
*(_DWORD *)(a7 + 56) = *(_DWORD *)v28;
*(_DWORD *)(a7 + 60) = *(_DWORD *)(v28 + 4);
// 0x80 ^ 105 == 0xE9, the x86 `jmp rel32` opcode, and (0xE9 ^ 0xFC) & 0xF == 5, its
// length; so v28 + v31 == v28 + 5 + rel32 == the jump target. One level of jmp is
// followed and the target's first 8 bytes are saved at +92/+96. A second hop is not.
if ( (*(_BYTE *)v28 ^ 0x80) == 105 )
{
v31 = *(_DWORD *)(v28 + 1) + ((*(_BYTE *)v28 ^ 0xFC) & 0xF);
*(_DWORD *)(a7 + 92) = *(_DWORD *)(v31 + v28);
*(_DWORD *)(a7 + 96) = *(_DWORD *)(v31 + v28 + 4);
}
VariantClear(&v85);
LOBYTE(v86) = 3;
VariantClear((VARIANTARG *)&pv);
}
else
{
v30 = (void (__stdcall *)(VARIANTARG *))VariantClear;
}
// Second target (a2's object present and *a10 is VT_UNKNOWN): same pattern with
// element value v68 (now -2), first 8 bytes saved at +64/+68. No jmp-following here.
if ( *(_DWORD *)v66 && (*(_WORD *)v75 & 0xFFF) == 13 )
{
--v68;
v73 = &v51;
sub_1001C380(v75);
v32 = v67(v51, v52, v53, v54);
VariantInit((VARIANTARG *)&pv);
VariantInit(&v85);
LOBYTE(v86) = 10;
LOWORD(pv) = 8204;
v33 = SafeArrayCreateVector(0xCu, 0, 1u);
v56.vt = 22;
v56.lVal = v68;
v71 = v33;
rgIndices = 0;
SafeArrayPutElement(v33, &rgIndices, &v56);
v30(&v56);
sub_10025210(v80, &pv, (int)&v85);
*(_DWORD *)(a7 + 64) = *(_DWORD *)v32;
v34 = *(_DWORD *)(v32 + 4);
v54 = &v85;
*(_DWORD *)(a7 + 68) = v34;
v30(v54);
LOBYTE(v86) = 3;
v30((VARIANTARG *)&pv);
}
// Callback at ((a3+56)+316), called twice with the first dword of the a8 record
// (pvarg.lVal) and a value from (a3+52): the first result's 8 bytes go to +84/+88,
// the second result (an address) to +80.
v35 = v80;
v36 = *(int (__stdcall **)(LONG, _DWORD))(*(_DWORD *)(v80 + 56) + 316);
v37 = v36(**v64, *(_DWORD *)(*(_DWORD *)(v80 + 52) + 316));
*(_DWORD *)(a7 + 84) = *(_DWORD *)v37;
v38 = v64;
*(_DWORD *)(a7 + 88) = *(_DWORD *)(v37 + 4);
v39 = v36(**v38, *(_DWORD *)(*(_DWORD *)(v35 + 52) + 240));
*(_DWORD *)(a7 + 80) = v39;
// Undoing the XOR: 0x11^0x44 = 0x55, 0x72^0xF9 = 0x8B, 0x61^0x8D = 0xEC, i.e. the bytes
// 55 8B EC = `push ebp; mov ebp, esp`, the standard x86 prologue (-7 / -115 are the
// decompiler's signed rendering of 0xF9 / 0x8D). Anything else at v39 -- e.g. an
// inline jmp patch -- leaves v79 == 0 and the output record only partly filled.
if ( (*(_BYTE *)v39 ^ 0x11) == 68
&& (*(_BYTE *)(v39 + 1) ^ 0x72) == -7
&& (*(_BYTE *)(v39 + 2) ^ 0x61) == -115 )
{
// Success path: publish v67 at +36, a fresh 16-byte record derived from *a9 at +48,
// and the resolved values (v62 +40, v61 +72, v59 +76); same for *a10 at +52/+44
// when a2's object is present.
v54 = (VARIANTARG *)16;
*(_DWORD *)(a7 + 36) = v67;
v73 = (int *)operator new((size_t)v54);
LOBYTE(v86) = 11;
if ( v73 )
v40 = sub_1001C380(v74);
else
v40 = 0;
LOBYTE(v86) = 3;
v41 = v61;
v42 = v59;
*(_DWORD *)(a7 + 48) = v40;
*(_DWORD *)(a7 + 40) = v62;
v43 = (_DWORD *)v66;
*(_DWORD *)(a7 + 72) = v41;
*(_DWORD *)(a7 + 76) = v42;
if ( *v43 )
{
v44 = v75;
if ( (*(_WORD *)v75 & 0xFFF) == 13 )
{
v73 = (int *)operator new(0x10u);
LOBYTE(v86) = 12;
if ( v73 )
v45 = sub_1001C380(v44);
else
v45 = 0;
*(_DWORD *)(a7 + 52) = v45;
*(_DWORD *)(a7 + 44) = v60;
}
}
v79 = 1;
}
}
else
{
sub_10012D00();
}
}
}
}
}
goto LABEL_71;
}
}
// Alternative preparation path (byte flag at (a3+56)+8 clear): three sub_10026870
// lookups against pvarg -- the third only when a2 produced v78 -- then LABEL_30.
else if ( (!(a6 & 2) || v17 & 2)
&& (unsigned __int8)sub_10026870(v15, *(_DWORD *)(v15 + 56) + 12, &pvarg, v18 + 196, (int)&v55)
&& (unsigned __int8)sub_10026870(v15, (int)&v77, &pvarg, *(_DWORD *)(v15 + 56) + 200, v74)
&& (!v78 || (unsigned __int8)sub_10026870(v15, (int)&v78, &pvarg, *(_DWORD *)(v15 + 56) + 208, v75)) )
{
goto LABEL_30;
}
LABEL_71:
// Failure/finish for everything after LABEL_80: drop the SAFEARRAY.
if ( psa )
SafeArrayDestroy(psa);
goto LABEL_73;
}
}
LABEL_73:
// Common exit: clear both VARIANTs and Release (vtable slot +8) whatever the two
// slot-+72 calls handed back. v79 is still 0 on every path except the prologue-check success.
VariantClear(&v55);
VariantClear(&pvarg);
LOBYTE(v86) = 0;
if ( v78 )
(*(void (__stdcall **)(int))(*(_DWORD *)v78 + 8))(v78);
v86 = -1;
if ( v77 )
(*(void (__stdcall **)(int))(*(_DWORD *)v77 + 8))(v77);
return v79;
} 本帖最后由 zhj777 于 2024-9-8 08:39 编辑
SoftCracker 发表于 2024-9-7 21:39
> 只不过样本我用的是22.15保护的
这个程序不是你加的壳吧?(https://pan.baidu.com/s/1vpzg-3iz-yKnsT ...
这个样本是我加的,因为我这有个程序不方便上传,通过对比发现加的混淆和22.15的差不多,所以就传了这个样本。大牛有思路去掉此混淆还请指导一下,如果能出个教程那再好不过了。 本帖最后由 zhj777 于 2024-9-7 08:43 编辑
SoftCracker 发表于 2024-9-5 00:57
跟以前一样啊,我还以为ILProtector更新了呢
更新了,最新的是 22.17 吧,只不过样本我用的是 22.15 保护的。不知大牛能不能去掉混淆?如果能的话,能不能麻烦您指点一下如何去掉混淆。 看来和 wwh1004 大牛类似的高手们都没空研究这壳了! 跟以前一样啊,我还以为 ILProtector 更新了呢
> 只不过样本我用的是22.15保护的
这个程序不是你加的壳吧?(https://pan.baidu.com/s/1vpzg-3iz-yKnsTfvQmWt-A) SoftCracker 发表于 2024-9-5 00:57
跟以前一样啊,我还以为ILProtector更新了呢
看到您已经去掉混淆,能不能麻烦您指导一下如何去掉混淆? 确实还是老样子啊。
本帖最后由 zhj777 于 2024-9-21 21:31 编辑
go2crack 发表于 2024-9-15 00:22
确实还是老样子啊。
最新22.17了 本帖最后由 zhj777 于 2024-9-21 21:30 编辑
go2crack 发表于 2024-9-15 00:22
确实还是老样子啊。
最新是22.17,自己已解决。