lal978112 posted on 2009-5-21 08:42

Unpacking NoobyProtect 1.5.3.0 Demo

This post was last edited by lal978112 on 2009-5-23 12:55

[Title]: Unpacking NoobyProtect 1.5.3.0 Demo
[Author's note]: I'm new to unpacking and don't have anything great to offer. These are just some personal experiences I'd like to share; if I got something wrong, corrections are welcome!
[Test software]: Notepad + NoobyProtect 1.5.3.0 Demo

[Detailed steps]
As follows:
Set up OD and its plugins.
Load the file in OD:

0112B261 > $ /EB 1D         jmp   short 0112B280         //entry point
0112B263   . |4E 6F 6F 62 7>ascii   "NoobyProtect SE "
0112B273   . |31 2E 35 2E 3>ascii   "1.5.3.0 Demo",0
0112B280   >^\EB A8         jmp   short 0112B22A
0112B282      1B            db      1B
0112B283      8A            db      8A
0112B284   .187F 8A       sbb   byte ptr [edi-76], bh
0112B287   >23A0 2FF48B40 and   esp, dword ptr [eax+408BF42F]
0112B28D   .08EB          or      bl, ch
0112B28F   .3E:FEC3       inc   bl
0112B292   >58            pop   eax
0112B293   .EB 47         jmp   short 0112B2DC

Then search the code downward for the byte sequence FF90 (binary search, without ticking "Entire block"); you land here:

0112B2FD   .B2 20         mov   dl, 20
0112B2FF   .47            inc   edi
0112B300   .B2 35         mov   dl, 35
0112B302   .D5 2B         aad   2B
0112B304   >81C0 FA697C33 add   eax, 337C69FA
0112B30A   .FF90 D6058DCD call    dword ptr [eax+CD8D05D6]    //this is the spot
0112B310   >85C0          test    eax, eax
0112B312   .^ 0F84 52FEFFFF je      0112B16A
0112B318   .^ E9 99FEFFFF   jmp   0112B1B6

Set an F2 breakpoint on 0112B30A   .FF90 D6058DCD call    dword ptr [eax+CD8D05D6]
Run with Shift+F9
0112B30A   .FF90 D6058DCD call    dword ptr [eax+CD8D05D6]    ;KERNEL32.GetModuleHandleA
0112B310   >85C0          test    eax, eax
0112B312   .^ 0F84 52FEFFFF je      0112B16A
So this CALL is invoking GetModuleHandleA.
Now remove the breakpoint.

Open the memory map window and set a breakpoint (F2) on 01001000.
It breaks here:
0112B1D1   > /8903          mov   dword ptr [ebx], eax       ;USER32.SetWinEventHook
0112B1D3   . |EB 4F         jmp   short 0112B224
0112B1D5   |A6            db      A6
0112B1D6   |33            db      33                         ;CHAR '3'

eax=77D3E3D3 (USER32.SetWinEventHook)
ds:[010012AC]=77D3E3D3 (USER32.SetWinEventHook)
Jump from 0112B216

Then follow 010012AC in the dump window; this turns out to be the IAT.

Single-step with F8 down to here:
0111AA22   >6A 70         push    70                //this is the stolen entry instruction
0111AA24   .-|E9 76C9EEFF   jmp   0100739F          //this jumps to the OEP
0111AA29   > |E8 00000000   call    0111AA2E
0111AA2E   $ |E9 FD010000   jmp   0111AC30
0111AA33   |5B            db      5B                         ;CHAR '['

0100739D    B0 7D         mov   al, 7D      //
0100739F    68 98180001   push    01001898      //lands here
010073A4    E8 BF010000   call    01007568
010073A9    33DB            xor   ebx, ebx
010073AB    53            push    ebx
010073AC    E8 C37D0B00   call    010BF174
010073B1    42            inc   edx
010073B2    FFD7            call    edi
010073B4    66:8138 4D5A    cmp   word ptr [eax], 5A4D
010073B9    75 1F         jnz   short 010073DA
010073BB    8B48 3C         mov   ecx, dword ptr [eax+3C]
010073BE    03C8            add   ecx, eax

At 0100739D, put back the stolen entry instruction push 70
and set the new origin (EIP) there:
0100739D    6A 70         push    70      //changed to this
0100739F    68 98180001   push    01001898
010073A4    E8 BF010000   call    01007568
010073A9    33DB            xor   ebx, ebx
010073AB    53            push    ebx
010073AC    E8 C37D0B00   call    010BF174


The IAT is right around 010012AC; scroll up from there:

01001000  77DA6FC8  ADVAPI32.RegQueryValueExW
01001004  77DA6BF0  ADVAPI32.RegCloseKey
01001008  77DC8F7D  ADVAPI32.RegCreateKeyW
0100100C  77DCD5FD  ADVAPI32.IsTextUnicode
01001010  77DA7883  ADVAPI32.RegQueryValueExA
01001014  77DA761B  ADVAPI32.RegOpenKeyExA
01001018  77DAD7CC  ADVAPI32.RegSetValueExW
0100101C  00000000
01001020  7718D2ED  COMCTL32.CreateStatusWindowW
01001024  00000000
01001028  77F05923  GDI32.EndPage
0100102C  77F23412  GDI32.AbortDoc
01001030  77F05BB1  GDI32.EndDoc
01001034  77EF6CA6  GDI32.DeleteDC
01001038  77F06AA6  GDI32.StartPage
0100103C  77EF8174  GDI32.GetTextExtentPoint32W
01001040  77F0F8CF  GDI32.CreateDCW
01001044  77F23532  GDI32.SetAbortProc
01001048  77EFB079  GDI32.GetTextFaceW
0100104C  77EF7CE8  GDI32.TextOutW
01001050  77F240A2  GDI32.StartDocW
01001054  77F1EA7C  GDI32.EnumFontsW
01001058  77EF5FF1  GDI32.GetStockObject
0100105C  77EF8323  GDI32.GetObjectW
01001060  77EF58A2  GDI32.GetDeviceCaps
01001064  77EF8BBA  GDI32.CreateFontIndirectW
01001068  77EF6A3B  GDI32.DeleteObject
0100106C  77EF7BF5  GDI32.GetTextMetricsW
01001070  77EF5D0B  GDI32.SetBkMode
01001074  77EF8195  GDI32.LPtoDP
01001078  77F0E3B6  GDI32.SetWindowExtEx
0100107C  77F0E45F  GDI32.SetViewportExtEx
01001080  77EFA8F7  GDI32.SetMapMode
01001084  77EF59A0  GDI32.SelectObject
01001088  00000000
0100108C  7C809737  KERNEL32.GetCurrentThreadId
01001090  7C8092AC  KERNEL32.GetTickCount
01001094  7C80A417  KERNEL32.QueryPerformanceCounter
01001098  7C80C9C1  KERNEL32.GetLocalTime
0100109C  7C809FC0  KERNEL32.GetUserDefaultLCID
010010A0  7C827C79  KERNEL32.GetDateFormatW
010010A4  7C8284D5  KERNEL32.GetTimeFormatW
010010A8  7C810119  KERNEL32.GlobalLock
010010AC  7C810082  KERNEL32.GlobalUnlock
010010B0  7C810E85  KERNEL32.GetFileInformationByHandle
010010B4  7C80939E  KERNEL32.CreateFileMappingW
010010B8  7C8017E5  KERNEL32.GetSystemTimeAsFileTime
010010BC  7C801E16  KERNEL32.TerminateProcess
010010C0  7C80E00D  KERNEL32.GetCurrentProcess
010010C4  7C810386  KERNEL32.SetUnhandledExceptionFilter
010010C8  7C801D77  KERNEL32.LoadLibraryA
010010CC  7C80B529  KERNEL32.GetModuleHandleA
010010D0  7C801EEE  KERNEL32.GetStartupInfoA
010010D4  7C80FE2F  KERNEL32.GlobalFree
010010D8  7C811772  KERNEL32.GetLocaleInfoW
010010DC  7C80995D  KERNEL32.LocalFree
010010E0  7C8099BD  KERNEL32.LocalAlloc
010010E4  7C809A39  KERNEL32.lstrlenW
010010E8  7C822E21  KERNEL32.LocalUnlock
010010EC  7C80A34E  KERNEL32.CompareStringW
010010F0  7C822D88  KERNEL32.LocalLock
010010F4  7C8792E6  KERNEL32.FoldStringW
010010F8  7C809B77  KERNEL32.CloseHandle
010010FC  7C80B8EC  KERNEL32.lstrcpyW
01001100  7C80180E  KERNEL32.ReadFile
01001104  7C810976  KERNEL32.CreateFileW
01001108  7C80A823  KERNEL32.lstrcmpiW
0100110C  7C80994E  KERNEL32.GetCurrentProcessId
01001110  7C80AC28  KERNEL32.GetProcAddress
01001114  7C816CFB  KERNEL32.GetCommandLineW
01001118  7C81114A  KERNEL32.lstrcatW
0100111C  7C80EFD7  KERNEL32.FindClose
01001120  7C80F0E1  KERNEL32.FindFirstFileW
01001124  7C80B5D4  KERNEL32.GetFileAttributesW
01001128  7C80A859  KERNEL32.lstrcmpW
0100112C  7C8097F4  KERNEL32.MulDiv
01001130  7C80B877  KERNEL32.lstrcpynW
01001134  7C82237C  KERNEL32.LocalSize
01001138  7C930331  ntdll.RtlGetLastWin32Error
0100113C  7C810F9F  KERNEL32.WriteFile
01001140  7C930340  ntdll.RtlSetLastWin32Error
01001144  7C80A0C7  KERNEL32.WideCharToMultiByte
01001148  7C81E2B1  KERNEL32.LocalReAlloc
0100114C  7C829047  KERNEL32.FormatMessageW
01001150  7C812DE0  KERNEL32.GetUserDefaultUILanguage
01001154  7C81F850  KERNEL32.SetEndOfFile
01001158  7C81F73D  KERNEL32.DeleteFileW
0100115C  7C809943  KERNEL32.GetACP
01001160  7C80B7FC  KERNEL32.UnmapViewOfFile
01001164  7C809CAD  KERNEL32.MultiByteToWideChar
01001168  7C80B78D  KERNEL32.MapViewOfFile
0100116C  7C862B8A  KERNEL32.UnhandledExceptionFilter
01001170  00000000
01001174  77453FA2  SHELL32.DragFinish
01001178  773FFCEE  SHELL32.DragQueryFileW
0100117C  7741A237  SHELL32.DragAcceptFiles
01001180  7743F8EB  SHELL32.ShellAboutW
01001184  00000000
01001188  77D1B556  USER32.GetClientRect
0100118C  77D1C6A8  USER32.SetCursor
01001190  77D1866D  USER32.ReleaseDC
01001194  77D18697  USER32.GetDC
01001198  77D26702  USER32.DialogBoxParamW
0100119C  77D25380  USER32.SetActiveWindow
010011A0  77D1C43C  USER32.GetKeyboardLayout
010011A4  77D1B1E5  USER32.DefWindowProcW
010011A8  77D1E666  USER32.DestroyWindow
010011AC  77D402D3  USER32.MessageBeep
010011B0  77D1D4DE  USER32.ShowWindow
010011B4  77D1C4AE  USER32.GetForegroundWindow
010011B8  77D1C48A  USER32.IsIconic
010011BC  77D1EB14  USER32.GetWindowPlacement
010011C0  77D190AA  USER32.CharUpperW
010011C4  77D19C36  USER32.LoadStringW
010011C8  77D2372D  USER32.LoadAcceleratorsW
010011CC  77D1E7B8  USER32.GetSystemMenu
010011D0  77D1AE29  USER32.RegisterClassExW
010011D4  77D242A4  USER32.LoadImageW
010011D8  77D19B69  USER32.LoadCursorW
010011DC  77D3FBEA  USER32.SetWindowPlacement
010011E0  77D21AD5  USER32.CreateWindowExW
010011E4  77D1D7BB  USER32.GetDesktopWindow
010011E8  77D1C640  USER32.GetFocus
010011EC  77D22174  USER32.LoadIconW
010011F0  77D1BADE  USER32.SetWindowTextW
010011F4  77D3EDEB  USER32.PostQuitMessage
010011F8  77D1ADDE  USER32.RegisterWindowMessageW
010011FC  77D1C064  USER32.UpdateWindow
01001200  77D1F780  USER32.SetScrollPos
01001204  77D19F64  USER32.CharLowerW
01001208  77D19278  USER32.PeekMessageW
0100120C  77D1C4D4  USER32.EnableWindow
01001210  77D205D2  USER32.DrawTextExW
01001214  77D3629F  USER32.CreateDialogParamW
01001218  77D1C9FD  USER32.GetWindowTextW
0100121C  77D18F75  USER32.GetSystemMetrics
01001220  77D1D515  USER32.MoveWindow
01001224  77D1B49D  USER32.InvalidateRect
01001228  77D617D4  USER32.WinHelpW
0100122C  77D1C35C  USER32.GetDlgCtrlID
01001230  77D38565  USER32.ChildWindowFromPoint
01001234  77D1C5B8  USER32.ScreenToClient
01001238  77D1C566  USER32.GetCursorPos
0100123C  77D327FC  USER32.SendDlgItemMessageW
01001240  77D1B762  USER32.SendMessageW
01001244  77D1E746  USER32.CharNextW
01001248  77D2711B  USER32.CheckMenuItem
0100124C  77D1EEE5  USER32.CloseClipboard
01001250  77D1CDED  USER32.IsClipboardFormatAvailable
01001254  77D1EEF7  USER32.OpenClipboard
01001258  77D3749F  USER32.GetMenuState
0100125C  77D1FC3C  USER32.EnableMenuItem
01001260  77D2355A  USER32.GetSubMenu
01001264  77D3EABE  USER32.GetMenu
01001268  77D66116  USER32.MessageBoxW
0100126C  77D1DEF1  USER32.SetWindowLongW
01001270  77D1887E  USER32.GetWindowLongW
01001274  77D252A4  USER32.GetDlgItem
01001278  77D1E5DC  USER32.SetFocus
0100127C  77D32730  USER32.SetDlgItemTextW
01001280  77D1A862  USER32.wsprintfW
01001284  77D26B40  USER32.GetDlgItemTextW
01001288  77D26CC9  USER32.EndDialog
0100128C  77D1B5D7  USER32.GetParent
01001290  77D3E544  USER32.UnhookWinEvent
01001294  77D189D9  USER32.DispatchMessageW
01001298  77D18BCE  USER32.TranslateMessage
0100129C  77D1943D  USER32.TranslateAcceleratorW
010012A0  77D3E73E  USER32.IsDialogMessageW
010012A4  77D18CA3  USER32.PostMessageW
010012A8  77D191A3  USER32.GetMessageW
010012AC  77D3E3D3  USER32.SetWinEventHook
010012B0  00000000
010012B4  72F76090  WINSPOOL.GetPrinterDriverW
010012B8  72F75390  WINSPOOL.ClosePrinter
010012BC  72F75749  WINSPOOL.OpenPrinterW
010012C0  00000000
010012C4  763448D6  COMDLG32.PageSetupDlgW
010012C8  76338696  COMDLG32.FindTextW
010012CC  76349D29  COMDLG32.PrintDlgExW
010012D0  7633C4A9  COMDLG32.ChooseFontW
010012D4  76321986  COMDLG32.GetFileTitleW
010012D8  76337C65  COMDLG32.GetOpenFileNameW
010012DC  763386CA  COMDLG32.ReplaceTextW
010012E0  763300CE  COMDLG32.CommDlgExtendedError
010012E4  76337CF3  COMDLG32.GetSaveFileNameW
010012E8  00000000
010012EC  77C02DAE  MSVCRT._XcptFilter
010012F0  77C09E9A  MSVCRT._exit
010012F4  77C09ECE  MSVCRT._c_exit
010012F8  77C1AEA3  MSVCRT.time
010012FC  77C1AB3D  MSVCRT.localtime
01001300  77C09EB6  MSVCRT._cexit
01001304  77BED036  MSVCRT.iswctype
01001308  77C05C94  MSVCRT._except_handler3
0100130C  77BECE77  MSVCRT._wtol
01001310  77C1802F  MSVCRT.wcsncmp
01001314  77C0FB0C  MSVCRT._snwprintf
01001318  77C09E7E  MSVCRT.exit
0100131C  77C317AC  offset MSVCRT._acmdln
01001320  77BEEEEB  MSVCRT.__getmainargs
01001324  77C09D67  MSVCRT._initterm
01001328  77C1D675  MSVCRT.__setusermatherr
0100132C  77C323D8  offset MSVCRT._adjust_fdiv
01001330  77BEF1A4  MSVCRT.__p__commode
01001334  77BEF1DB  MSVCRT.__p__fmode
01001338  77C0537C  MSVCRT.__set_app_type
0100133C  77C1EE2F  MSVCRT._controlfp
01001340  77C1806B  MSVCRT.wcsncpy
01001344  00000000
01001348  00000000

IAT RVA: 1000, size: 348
OEP is now: 0100739D
Dump with the OD plugin and fix the imports with ImportREC.
It runs. This is the first time I've written something like this, so please forgive the poor writing!
One last thing: that OD of Nooby's (the "bad information" one) is enough to debug it.
I'm uploading the packed Notepad so you can practise.
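The two numbers the post feeds to ImportREC (IAT RVA 1000, size 348) and the one-instruction fix at the OEP can both be reproduced from a memory dump with a short script. The following is an added example, not code from lal978112's post and not part of NoobyProtect, OllyDbg or ImportREC. It assumes notepad's image base of 0x01000000 as seen in the post; the module address ranges are constructed approximations derived from the export addresses in the IAT listing above (in practice take them from OllyDbg's Executable modules window), and the sample memory is a small constructed slice in the same layout as the listing (pointer runs separated by single zero dwords, terminated by two zeros). Applied to the full listing in the post, the same rule yields RVA 1000 and size 348.

```python
"""Find the IAT in a dumped memory region and restore a stolen entry instruction.

Added example for the NoobyProtect Demo unpacking thread; not the author's code.
Assumptions: image base 0x01000000 (as in the post); MODULES are constructed
approximations of the system DLL ranges implied by the post's IAT listing.
"""
import struct

IMAGE_BASE = 0x01000000

# (start, end) virtual ranges; constructed, not queried from a live process.
MODULES = {
    "ADVAPI32": (0x77DA0000, 0x77E49000),
    "COMCTL32": (0x77180000, 0x77270000),
    "COMDLG32": (0x76320000, 0x76370000),
    "GDI32":    (0x77EF0000, 0x77F40000),
    "KERNEL32": (0x7C800000, 0x7C8F6000),
    "MSVCRT":   (0x77BE0000, 0x77C40000),
    "SHELL32":  (0x773D0000, 0x77670000),
    "USER32":   (0x77D10000, 0x77DA0000),
    "WINSPOOL": (0x72F70000, 0x72F90000),
    "ntdll":    (0x7C900000, 0x7C9B2000),
}


def module_of(ptr):
    """Name of the module whose range contains ptr, or None."""
    for name, (lo, hi) in MODULES.items():
        if lo <= ptr < hi:
            return name
    return None


def find_iat(mem, mem_base, max_zero_run=1):
    """Return (start_va, size) of the longest run of dwords that are either
    pointers into a known module or single zero separators between DLLs.
    A run ends at two consecutive zeros or at any other non-pointer value.
    The size includes the single zero terminator after the last pointer,
    which matches the 1000/348 values the post enters into ImportREC."""
    n = len(mem) // 4
    words = struct.unpack(f"<{n}I", mem[: n * 4])
    best = (None, 0)
    i = 0
    while i < n:
        if module_of(words[i]) is None:
            i += 1
            continue
        start = last_ptr = i
        zeros = 0
        j = i
        while j < n:
            if words[j] == 0:
                zeros += 1
                if zeros > max_zero_run:
                    break
            elif module_of(words[j]) is not None:
                zeros = 0
                last_ptr = j
            else:
                break
            j += 1
        end = last_ptr + 1
        if end < n and words[end] == 0:
            end += 1                      # keep one terminating zero
        if (end - start) * 4 > best[1]:
            best = (mem_base + start * 4, (end - start) * 4)
        i = j + 1
    return best


def iat_entries(mem, mem_base, start_va, size):
    """List (va, pointer, module) for every slot in the located table."""
    out = []
    for off in range(0, size, 4):
        ptr = struct.unpack_from("<I", mem, start_va + off - mem_base)[0]
        out.append((start_va + off, ptr, module_of(ptr)))
    return out


def dll_order(entries):
    """DLL names in order of first appearance (zero separators skipped)."""
    seen = []
    for _, _, mod in entries:
        if mod and mod not in seen:
            seen.append(mod)
    return seen


def restore_stolen_entry(image, jump_target_rva, stolen):
    """Write the stolen entry bytes just before the packer's jump target and
    return the real OEP RVA. `image` is a bytearray laid out like memory
    (offset == RVA), i.e. a whole-image dump with section alignment kept.
    In the post: target 739F, stolen bytes 6A 70 (push 70), new OEP 739D."""
    oep = jump_target_rva - len(stolen)
    if oep < 0:
        raise ValueError("stolen bytes do not fit before the jump target")
    image[oep:oep + len(stolen)] = stolen
    return oep


def build_sample():
    """Constructed memory slice: junk, then a short IAT shaped like the post's
    (pointers per DLL, one zero between DLLs, two zeros at the end), then junk.
    mem_base is chosen so the table starts at 0x01001000 as in the post."""
    words = [0x00000000, 0x00000000, 0x41414141,
             0x77DA6FC8, 0x77DA6BF0, 0x77DA761B, 0,          # ADVAPI32
             0x7718D2ED, 0,                                  # COMCTL32
             0x7C80B529, 0x7C801D77, 0x7C80AC28, 0,          # KERNEL32
             0x77D3E3D3, 0x77D1B762, 0,                      # USER32
             0x77C09E7E, 0x77C317AC, 0, 0,                   # MSVCRT, end
             0xDEADBEEF, 0x00000001]
    return struct.pack(f"<{len(words)}I", *words), 0x01000FF4


if __name__ == "__main__":
    mem, base = build_sample()
    start, size = find_iat(mem, base)
    print(f"IAT RVA {start - IMAGE_BASE:X}, size {size:X}")
    for va, ptr, mod in iat_entries(mem, base, start, size):
        print(f"{va:08X}  {ptr:08X}  {mod or '-'}")
```

The scan is the same heuristic as ImportREC's "IAT autosearch": a table is a run of module pointers with at most one zero between DLL groups, so two zeros in a row mark the end. Run it over the raw bytes of the dumped .text region instead of the constructed sample to get the values to type into the RVA and Size fields.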

niliu posted on 2009-5-21 09:16

Bowing to the OP, impressive

roxiel posted on 2009-5-21 09:23

Here to learn

wgz001 posted on 2009-5-21 09:29

Bow first, then learn   :lol

ximo posted on 2009-5-21 10:06

The demo isn't much of a challenge....

wellen posted on 2009-5-21 10:11

OP shines..

小糊涂虫 posted on 2009-5-21 10:34

I can only study it; I still can't do it myself........

ZeNiX posted on 2009-5-21 12:05

Granted, the demo isn't much of a challenge....
but it's still enough to scare off a lot of people.

vienna posted on 2009-5-21 19:09

Sweat... I'm using the demo myself...

mzm999 posted on 2009-5-21 21:28

You reposted this from 看雪, right????