tELock 0.98 IAT简单分析
本帖最后由 frozenrain 于 2009-3-22 10:02 编辑经常听高手说学习脱壳重在过程不在于结果,我也来自己亲自找壳对IAT的处理部分。
找magic jump。这样水平才能提高。虽然SEH里有很多精彩的地方,但SEH不在本文讨论范围内。
好直接内存CODE段F2下断F9
00406D2B AC lods byte ptr ds:
00406D2C F6D8 neg al
00406D2E 32C3 xor al,bl
00406D30 04 01 add al,1
00406D32 0AC9 or cl,cl
00406D34 02C2 add al,dl
00406D36 F6D0 not al
00406D38 F6D0 not al
00406D3A F6D0 not al
00406D3C 0ADB or bl,bl
00406D3E 04 43 add al,43
00406D40 F6D0 not al
00406D42 04 37 add al,37
00406D44 02C1 add al,cl
00406D46 F6D8 neg al
00406D48 F8 clc
00406D49 90 nop
00406D4A 34 D9 xor al,0D9
单步往下走就到了IAT处理附近了。更简单的方法是下GetModuleHandleA 然后往下找MAGIC跳。
00407210 8B95 62D34000 mov edx,dword ptr ss:
00407216 8BB5 52D34000 mov esi,dword ptr ss:
0040721C 85F6 test esi,esi
0040721E 0F84 06040000 je TasKit.0040762A
00407224 03F2 add esi,edx ;esi指向输入表
00407226 83A5 52D44000 00 and dword ptr ss:,0
0040722D 8B46 0C mov eax,dword ptr ds: ;Name
00407230 8366 0C 00 and dword ptr ds:,0
00407234 85C0 test eax,eax
00407236 0F84 EE030000 je TasKit.0040762A
0040723C 03C2 add eax,edx +offset
0040723E 8BD8 mov ebx,eax
00407240 50 push eax
00407241 FF95 D0D24000 call dword ptr ss: ;GetModuleHandleA
00407247 85C0 test eax,eax
00407249 0F85 BA000000 jnz TasKit.00407309
0040724F 53 push ebx
00407250FF95 E4BA4000 call dword ptr ss: ;LoadLibraryA
00407256 85C0 test eax,eax
00407258 0F85 AB000000 jnz TasKit.00407309
0040725E 8B95 62D34000 mov edx,dword ptr ss:
00407264 0195 2AD34000 add dword ptr ss:,edx
0040726A 0195 36D34000 add dword ptr ss:,edx
00407270 6A 30 push 30
00407272 53 push ebx
00407273 FFB5 36D34000 push dword ptr ss:
00407279 EB 53 jmp short TasKit.004072CE
0040727B 8B95 62D34000 mov edx,dword ptr ss:
00407281 0195 2AD34000 add dword ptr ss:,edx
00407287 0195 2ED34000 add dword ptr ss:,edx
0040728D 0195 3ED34000 add dword ptr ss:,edx
00407293 0195 42D34000 add dword ptr ss:,edx
00407299 0195 46D34000 add dword ptr ss:,edx
0040729F 6A 30 push 30
004072A1 FFB5 2AD34000 push dword ptr ss:
004072A7 48 dec eax
004072A8 75 08 jnz short TasKit.004072B2
004072AA FFB5 46D34000 push dword ptr ss:
004072B0 EB 1C jmp short TasKit.004072CE
004072B2 40 inc eax
004072B3 75 08 jnz short TasKit.004072BD
004072B5 FFB5 2ED34000 push dword ptr ss:
004072BB EB 11 jmp short TasKit.004072CE
004072BD 40 inc eax
004072BE 75 08 jnz short TasKit.004072C8
004072C0 FFB5 3ED34000 push dword ptr ss:
004072C6 EB 06 jmp short TasKit.004072CE
004072C8 FFB5 42D34000 push dword ptr ss:
004072CE 6A 00 push 0
004072D0 FF95 D8D24000 call dword ptr ss:
004072D6 8B85 E8BA4000 mov eax,dword ptr ss:
004072DC 894424 FC mov dword ptr ss:,eax
004072E0 61 popad
004072E1 6A 00 push 0
004072E3 FF5424 E0 call dword ptr ss:
004072E7 8B95 62D34000 mov edx,dword ptr ss:
004072ED 0195 2AD34000 add dword ptr ss:,edx
004072F3 0195 3AD34000 add dword ptr ss:,edx
004072F9 6A 30 push 30
004072FB FFB5 2AD34000 push dword ptr ss:
00407301 FFB5 3AD34000 push dword ptr ss:
00407307 ^ EB C5 jmp short TasKit.004072CE
00407309 8985 4AD34000 mov dword ptr ss:,eax
0040730F 8D85 28CC4000 lea eax,dword ptr ss:
00407315 60 pushad
00407316 33C9 xor ecx,ecx
00407318 2AF6 sub dh,dh
0040731A 8A13 mov dl,byte ptr ds:
0040731C F6C2 40 test dl,40 ; 测试是否为@
0040731F 74 03 je short TasKit.00407324
00407321 80E2 5F and dl,5F ;测试是否为_
00407324 0AD2 or dl,dl
00407326 74 1E je short TasKit.00407346
00407328 43 inc ebx
00407329 FEC6 inc dh
0040732B 41 inc ecx
0040732C 3A5408 FF cmp dl,byte ptr ds:
00407330 ^ 74 E8 je short TasKit.0040731A
00407332 3A5408 08 cmp dl,byte ptr ds:
00407336 ^ 74 E2 je short TasKit.0040731A
00407338 3A5408 12 cmp dl,byte ptr ds:
0040733C ^ 74 DC je short TasKit.0040731A
0040733E 3A5408 1D cmp dl,byte ptr ds:
00407342 ^ 74 D6 je short TasKit.0040731A
00407344 ^ EB D0 jmp short TasKit.00407316 ;清0
00407346 0AF6 or dh,dh
00407348 895424 1C mov dword ptr ss:,edx
0040734C 61 popad
0040734D C685 D7CC4000 00 mov byte ptr ss:,0 ;变量=0
00407354 74 24 je short TasKit.0040737A
00407356 80EC 08 sub ah,8
00407359 B0 01 mov al,1
0040735B FECC dec ah
0040735D 74 04 je short TasKit.00407363
0040735F D0E0 shl al,1
00407361 ^ EB F8 jmp short TasKit.0040735B
00407363 8AA5 52CC4000 mov ah,byte ptr ss:
00407369 0885 52CC4000 or byte ptr ss:,al
0040736F 84C4 test ah,al
00407371 75 07 jnz short TasKit.0040737A
00407373 808D D7CC4000 01 or byte ptr ss:,1 ;修改标志位
0040737A 33C0 xor eax,eax
0040737C 8803 mov byte ptr ds:,al
0040737E 43 inc ebx
0040737F 3803 cmp byte ptr ds:,al
00407381 ^ 75 F7 jnz short TasKit.0040737A ;将DLL名字清0
00407383 83A5 4ED34000 00 and dword ptr ss:,0
0040738A 8B95 62D34000 mov edx,dword ptr ss:
00407390 8B06 mov eax,dword ptr ds: ;OriginalFirstThunk
00407392 85C0 test eax,eax
00407394 75 0B jnz short TasKit.004073A1
00407396 8B46 10 mov eax,dword ptr ds: ;FirstThunk
00407399 85C0 test eax,eax
0040739B ^ 0F84 46FFFFFF je TasKit.004072E7
004073A1 03C2 add eax,edx ;+offset
004073A3 0385 4ED34000 add eax,dword ptr ss:
004073A9 8B18 mov ebx,dword ptr ds: ;IMAGE_THUNK_DATA
004073AB F7C3 00000080 test ebx,80000000 ;是否以序号导出
004073B1 74 06 je short TasKit.004073B9
004073B3 8120 00000080 and dword ptr ds:,80000000
004073B9 8B7E 10 mov edi,dword ptr ds: ; FirstThunk
004073BC 03FA add edi,edx +offset
004073BE 80A5 D6CC4000 FF and byte ptr ss:,0FF
004073C5 0F84 30010000 je TasKit.004074FB
004073CB 80A5 D7CC4000 FF and byte ptr ss:,0FF ;判断变量=0
004073D2 0F84 23010000 je TasKit.004074FB ;MAGIC跳,改JMP
004073D8 89BD 5AD44000 mov dword ptr ss:,edi
004073DE 8B85 52D44000 mov eax,dword ptr ss:
004073E4 40 inc eax
004073E5 0F84 10010000 je TasKit.004074FB
004073EB 48 dec eax
004073EC 0F85 B2000000 jnz TasKit.004074A4
004073F2 60 pushad
004073F3 8BF7 mov esi,edi
004073F5 2BC0 sub eax,eax
004073F7 40 inc eax
004073F8 833F 00 cmp dword ptr ds:,0
004073FB 8D7F 04 lea edi,dword ptr ds:
004073FE ^ 75 F7 jnz short TasKit.004073F7
00407400 48 dec eax
00407401 0F84 EC000000 je TasKit.004074F3
00407407 8BD8 mov ebx,eax
00407409 6BC0 31 imul eax,eax,31
0040740C 6A 04 push 4
0040740E 68 00100000 push 1000
00407413 50 push eax
00407414 6A 00 push 0
如果加密程序会运行到这里来申请地址的。
00407416 FF95 ECBA4000 call dword ptr ss: ;VirtualAlloc
0040741C 85C0 test eax,eax
0040741E 0F84 CF000000 je TasKit.004074F3
00407424 8BFE mov edi,esi
00407426 8BCB mov ecx,ebx
00407428 8BF8 mov edi,eax
0040742A 8985 56D44000 mov dword ptr ss:,eax
00407430 8BCB mov ecx,ebx
00407432 6BDB 29 imul ebx,ebx,29
00407435 03DF add ebx,edi
00407437 891C24 mov dword ptr ss:,ebx
0040743A B0 B8 mov al,0B8
0040743C 6A 00 push 0
0040743E 50 push eax
0040743F 53 push ebx
00407440 0FB74424 08 movzx eax,word ptr ss:
00407445 50 push eax
00407446 8D85 14BB4000 lea eax,dword ptr ss:
0040744C 0FB618 movzx ebx,byte ptr ds:
0040744F FF0C24 dec dword ptr ss:
00407452 7E 09 jle short TasKit.0040745D
00407454 40 inc eax
00407455 03C3 add eax,ebx
00407457 ^ EB F3 jmp short TasKit.0040744C
00407459 0000 add byte ptr ds:,al
0040745B 0000 add byte ptr ds:,al
0040745D 40 inc eax
0040745E 8A38 mov bh,byte ptr ds:
00407460 883F mov byte ptr ds:,bh
00407462 47 inc edi
00407463 FECB dec bl
00407465 ^ 7F F6 jg short TasKit.0040745D
00407467 5B pop ebx
00407468 5B pop ebx
00407469 58 pop eax
0040746A AA stos byte ptr es:
0040746B FF0424 inc dword ptr ss:
0040746E 832424 0F and dword ptr ss:,0F
00407472 4B dec ebx
00407473 891F mov dword ptr ds:,ebx
00407475 43 inc ebx
00407476 83C3 04 add ebx,4
00407479 83C7 04 add edi,4
0040747C B8 40FF30C3 mov eax,C330FF40
00407481 AB stos dword ptr es:
00407482 B0 B8 mov al,0B8
00407484 49 dec ecx
00407485 ^ 7F B7 jg short TasKit.0040743E
00407487 AA stos byte ptr es:
00407488 E8 00000000 call TasKit.0040748D
0040748D 58 pop eax
0040748E AB stos dword ptr es:
0040748F B8 90FF30C3 mov eax,C330FF90
00407494 AB stos dword ptr es:
00407495 58 pop eax
00407496 61 popad
00407497 83A5 FBCA4000 00 and dword ptr ss:,0
0040749E 89BD 52D44000 mov dword ptr ss:,edi
004074A4 8D85 14BB4000 lea eax,dword ptr ss:
004074AA FFB5 FBCA4000 push dword ptr ss:
004074B0 0FB608 movzx ecx,byte ptr ds:
004074B3 FF0C24 dec dword ptr ss:
004074B6 7E 05 jle short TasKit.004074BD
004074B8 40 inc eax
004074B9 03C1 add eax,ecx
004074BB ^ EB F3 jmp short TasKit.004074B0
004074BD 890C24 mov dword ptr ss:,ecx
004074C0 FF85 FBCA4000 inc dword ptr ss:
004074C6 83A5 FBCA4000 0F and dword ptr ss:,0F
004074CD 8BBD 52D44000 mov edi,dword ptr ss:
004074D3 8B85 5AD44000 mov eax,dword ptr ss:
004074D9 0385 4ED34000 add eax,dword ptr ss:
004074DF 8B8D 56D44000 mov ecx,dword ptr ss:
004074E5 8908 mov dword ptr ds:,ecx
004074E7 58 pop eax
004074E8 83C0 09 add eax,9
004074EB 0185 56D44000 add dword ptr ss:,eax
004074F1 EB 08 jmp short TasKit.004074FB
004074F3 838D 52D44000 FF or dword ptr ss:,FFFFFFFF
004074FA 61 popad
004074FB 03BD 4ED34000 add edi,dword ptr ss:
00407501 85DB test ebx,ebx
00407503 0F84 C7000000 je TasKit.004075D0 ;函数提取完毕
00407509 F7C3 00000080 test ebx,80000000
0040750F 6A 00 push 0
00407511 75 0F jnz short TasKit.00407522
00407513 8D5C13 02 lea ebx,dword ptr ds: ;以名字导出
00407517 803B 00 cmp byte ptr ds:,0
0040751A 0F84 93000000 je TasKit.004075B3
00407520 EB 45 jmp short TasKit.00407567
00407522 FF0424 inc dword ptr ss:
00407525 66:85DB test bx,bx
00407528 0F84 85000000 je TasKit.004075B3
0040752E 8B85 4AD34000 mov eax,dword ptr ss:
00407534 3B85 42D44000 cmp eax,dword ptr ss: ;KERNEL32地址
0040753A 75 2B jnz short TasKit.00407567
0040753C 81E3 FFFFFF7F and ebx,7FFFFFFF
00407542 8BD3 mov edx,ebx
00407544 8D1495 FCFFFFFFlea edx,dword ptr ds:
0040754B 8B9D 4AD34000 mov ebx,dword ptr ss:
00407551 8B43 3C mov eax,dword ptr ds:
00407554 8B4418 78 mov eax,dword ptr ds:
00407558 035C18 1C add ebx,dword ptr ds:
0040755C 8B041A mov eax,dword ptr ds:
0040755F 0385 4AD34000 add eax,dword ptr ss:
00407565 EB 13 jmp short TasKit.0040757A
00407567 81E3 FFFFFF7F and ebx,7FFFFFFF ;以序号导出
0040756D 53 push ebx
0040756E FFB5 4AD34000 push dword ptr ss:
00407574 FF95 E0BA4000 call dword ptr ss: ;GetProcAddress
0040757A 40 inc eax
0040757B 48 dec eax
0040757C 75 33 jnz short TasKit.004075B1 ;IAT地址有效
0040757E 58 pop eax
0040757F F9 stc
00407580 ^ 0F82 61FDFFFF jb TasKit.004072E7
00407586 47 inc edi
00407587 44 inc esp
00407588 49 dec ecx
00407589 3332 xor esi,dword ptr ds:
0040758B 2E:44 inc esp
0040758D 4C dec esp
0040758E 4C dec esp
0040758F 55 push ebp
00407590 53 push ebx
00407591 45 inc ebp
00407592 52 push edx
00407593 3332 xor esi,dword ptr ds:
00407595 2E:44 inc esp
00407597 4C dec esp
00407598 4C dec esp
00407599 53 push ebx
0040759A 48 dec eax
0040759B 45 inc ebp
0040759C 4C dec esp
0040759D 4C dec esp
0040759E 3332 xor esi,dword ptr ds:
004075A0 2E:44 inc esp
004075A2 4C dec esp
004075A3 4C dec esp
004075A4 4B dec ebx
004075A5 45 inc ebp
004075A6 52 push edx
004075A7 4E dec esi
004075A8 45 inc ebp
004075A9 4C dec esp
004075AA 3332 xor esi,dword ptr ds:
004075AC 2E:44 inc esp
004075AE 4C dec esp
004075AF 4C dec esp
004075B1 8907 mov dword ptr ds:,eax ;写入IAT地址到内存
004075B3 58 pop eax
004075B4 48 dec eax
004075B5 74 0D je short TasKit.004075C4
004075B7 40 inc eax
004075B8 F8 clc
004075B9 66:8943 FE mov word ptr ds:,ax
004075BD 8803 mov byte ptr ds:,al ;将内存中的API字符填0
004075BF 43 inc ebx
004075C0 3803 cmp byte ptr ds:,al
004075C2 ^ 75 F9 jnz short TasKit.004075BD
004075C4 8385 4ED34000 04 add dword ptr ss:,4 ;指向下一个API
004075CB ^ E9 BAFDFFFF jmp TasKit.0040738A
004075D0 83C6 14 add esi,14 ;指向下一个IID
004075D3 8B95 62D34000 mov edx,dword ptr ss:
004075D9 ^ E9 48FCFFFF jmp TasKit.00407226
004075DE 61 popad
004075DF C3 retn
总结:有时候改了MAGIC JUMP还不能找到IAT那就手动查找IAT。如果多一个无效就咔嚓掉。
MAGIC可能和其他人找的不同,这个跳我测试过可以 。 学习 学习加膜拜 学习学习 顶下 看 看先 学溪下
页:
[1]