VBSEdit 6.3.2 brute-force patching analysis
After loading in OD (OllyDbg), the program stops at the following:
005839FF > $E8 94950000 call 0058CF98
00583A04 .^ E9 89FEFFFF jmp 00583892
00583A09 $3B0D 605E6200 cmp ecx, dword ptr
00583A0F .75 02 jnz short 00583A13
00583A11 .F3: prefix rep:
00583A12 .C3 retn
00583A13 >E9 1B960000 jmp 0058D033
00583A18 $8BFF mov edi, edi
The program has a self-check: modify any single byte and the program reports an error outright.
Let us change the instruction above,
00583A18 $8BFF mov edi, edi
to nop. This does not affect the program's operation, but the program will still report an error.
We keep pressing F8 until we reach the place where it errors:
005839A1 .56 push esi
005839A2 .68 00004000 push 00400000
005839A7 .E8 2EC40100 call 0059FDDA ;the program errors here, so we step in and continue with F8
0059FE39|> \8B06 mov eax, dword ptr
0059FE3B|.8BCE mov ecx, esi
0059FE3D|.FF50 50 call dword ptr ;the program errors here, so we step in and continue with F8
00443192|.51 push ecx
00443193|.8BCB mov ecx, ebx
00443195|.E8 B0980500 call 0049CA4A ;the program errors here, so we step in and continue with F8
0049CAAB|.68 00E10000 push 0xE100
0049CAB0|.8BC8 mov ecx, eax
0049CAB2|.FF52 0C call dword ptr ;the program errors here, so we step in and continue with F8
0040EFEA|.8BCE mov ecx, esi
0040EFEC|.FFD2 call edx ;the program errors here, so we step in and continue with F8
00436999|.895D AC mov dword ptr , ebx ; |
0043699C|.E8 F8380400 call 0047A299 ; \the program errors here, so we step in and continue with F8
0047A2DA|.FF53 5C call dword ptr ;the program errors here, so we step in and continue with F8
Note that the call above only errors on the fourth time! We step into it only when it breaks on the fourth call and press F8; it then errors at the following place:
00425D58|.83C4 2C add esp, 0x2C
00425D5B|.8BC6 mov eax, esi
00425D5D|.E8 CE330000 call 00429130 ;the program errors here, so we step in and continue with F8
004291EB|.68 80545E00 push 005E5480 ; /Arg1 = 005E5480
004291F0|.E8 1B040000 call 00429610 ; \the program errors here, so we step in and continue with F8
00429648|.8B4F 20 mov ecx, dword ptr
0042964B|.51 push ecx ; /hWnd
0042964C|.FF15 28795B00 call dword ptr [<&USER32.GetParen>; \GetParent
00429652|.50 push eax ; /Arg1
00429653|.E8 2D1A0500 call 0047B085 ; \vbsedit.0047B085
00429658|.8B9F 60050000 mov ebx, dword ptr ;ebx will hold a string
0042965E|.33F6 xor esi, esi ;ea303562c76686f61f5d5efdc83e3b55
00429660|.8975 E0 mov dword ptr , esi
00429663|.8975 D8 mov dword ptr , esi
00429666|.8975 DC mov dword ptr , esi
00429669|.8DA424 000000>lea esp, dword ptr
00429670|>0FB69437 5005>/movzx edx, byte ptr [edi+esi+0x55>
00429678|.52 |push edx ; /Arg2
00429679|.68 70505E00 |push 005E5070 ; |Arg1 = 005E5070
0042967E|.8D55 E4 |lea edx, dword ptr ; |
00429681|.E8 DAACFDFF |call 00404360 ; \vbsedit.00404360
00429686|.66:8B04B3 |mov ax, word ptr
0042968A|.83C4 08 |add esp, 0x8
0042968D|.66:3B45 E4 |cmp ax, word ptr
00429691 75 78 |jnz short 0042970B ;without patching, this jump is never taken
00429693|.66:8B4CB3 02|mov cx, word ptr [ebx+esi*4+0x2>
00429698|.66:3B4D E6 |cmp cx, word ptr
0042969C 75 6D |jnz short 0042970B ;without patching, this jump is never taken
0042969E|.46 |inc esi
0042969F|.83FE 10 |cmp esi, 0x10
004296A2|.^ 7C CC \jl short 00429670
004296A4|.33C0 xor eax, eax
004296A6|>8D4D D0 lea ecx, dword ptr
004296A9|.51 push ecx ; /pThreadId
004296AA|.8D55 E0 lea edx, dword ptr ; |
004296AD|.895485 D8 mov dword ptr , >; |
004296B1|.8B45 D4 mov eax, dword ptr ; |
004296B4|.33DB xor ebx, ebx ; |
004296B6|.53 push ebx ; |CreationFlags => 0
004296B7|.8D55 D8 lea edx, dword ptr ; |
004296BA|.52 push edx ; |pThreadParm
004296BB|.68 80954200 push 00429580 ; |ThreadFunction = vbsedit.00429580
004296C0|.53 push ebx ; |StackSize => 0x0
004296C1|.53 push ebx ; |pSecurity => NULL
004296C2|.8945 DC mov dword ptr , eax ; |
004296C5|.FF15 40735B00 call dword ptr [<&KERNEL32.Create>; \CreateThread
004296CB|.8BF0 mov esi, eax
004296CD|.68 E8030000 push 0x3E8 ; /Timeout = 1000. ms
004296D2|.56 push esi ; |this is where the original error occurred
004296D3|.FF15 44735B00 call dword ptr [<&KERNEL32.WaitFo>; \WaitForSingleObject
Just nop out the two jumps above. But then exiting the program has a problem, so let us look further.
The five sites related to call 00404360:
7522 668B54B702663B55F6 7517
7519 668B44B302663B44242A 75
7578 668B4CB302663B4DE6 75
7575 668B44BE02663B84240A050000 75
0F859D020000668B4CB702663B4DE6 0F858E020000
668B????02663b????
The key comparison above is:
00429681|.E8 DAACFDFF |call 00404360 ; \vbsedit.00404360
00429686|.66:8B04B3 |mov ax, word ptr
0042968A|.83C4 08 |add esp, 0x8
0042968D|.66:3B45 E4 |cmp ax, word ptr ;key comparison
So at the call above we set a memory write breakpoint on the compared value. The program breaks here:
00597ADF|.8B0E mov ecx, dword ptr
00597AE1|.8B45 08 mov eax, dword ptr
00597AE4|.66:8901 mov word ptr , ax ;the key value is written here
00597AE7|.8306 02 add dword ptr , 0x2
0042968D|.66:3B45 E4 |cmp ax, word ptr
There is a fixed string here:
00785BBA ea303562c76686f61f5d5efdc83e3b55
c9df9cdc7c003d08ad64c7f1e7ff34fd
Next, let us look at the problem with the program exiting; it is again this string:
015D9CE0 28841ee6f2542a47ce9ae6df76282b569d253b684f0235d8d6566e4a753dc7cd
0040FFEF|.6A 00 push 0x0 ; |pSecurity = NULL
0040FFF1|.FF15 40735B00 call dword ptr [<&KERNEL32.CreateThre>; \CreateThread
0040FFF7|.6A FF push -0x1 ; /change this to push 0
0040FFF9|.50 push eax ; |hObject
0040FFFA|.FF15 44735B00 call dword ptr [<&KERNEL32.WaitForSin>; \WaitForSingleObject
00410000|.8B4F 20 mov ecx, dword ptr
00410003|.51 push ecx ; /hWnd
00410004|.FF15 88795B00 call dword ptr [<&USER32.IsIconic>] ; \IsIconic
Replace
6A 00 FF 15 ?? ?? ?? ?? 6A FF 50
with
6A 00 FF 15 ?? ?? ?? ?? 6A 00 50
00410119|. /74 0B je short 00410126 ;this must jump
0041011B|. |6A 01 push 0x1 ; /Arg1 = 00000001
0041011D|. |8BCF mov ecx, edi ; |
0041011F|. |E8 7C0E0000 call 00410FA0 ; \vbsedit.00410FA0
00410124|. |EB 18 jmp short 0041013E
Replace
85C0740B6A018BCF
with
85C0eb0B6A018BCF
Below is how to skip the dialog box:
00469957 /0F85 D8000000 jnz 00469A35 ;this must jump, otherwise a dialog box appears at runtime
0046995D|. |53 push ebx
0046995E|. |E8 E0A61100 call 00584043
......some code omitted
00469A68|.52 push edx
00469A69|.E8 E258FEFF call 0044F350
00469A6E|.E8 51920100 call 00482CC4
00469A73|.8B40 04 mov eax, dword ptr
00469A76|.8B10 mov edx, dword ptr
00469A78|.6A 01 push 0x1
00469A7A|.68 307A5E00 push 005E7A30 ;DisplayLogo
00469A7F|.8BC8 mov ecx, eax
00469A81|.8B42 7C mov eax, dword ptr
00469A84|.68 60505E00 push 005E5060 ;Options
00469A89|.FFD0 call eax
00469A8B|.894424 24 mov dword ptr , eax
00469A8F|.E8 30920100 call 00482CC4
00469A94|.8B40 04 mov eax, dword ptr
00469A97|.8B10 mov edx, dword ptr
00469A99|.6A 01 push 0x1
00469A9B|.68 487A5E00 push 005E7A48 ;UseUnicodeForConsole
00469AA0|.8BC8 mov ecx, eax
00469AA2|.8B42 7C mov eax, dword ptr
00469AA5|.68 60505E00 push 005E5060 ;Options
00469AAA|.FFD0 call eax
00469AAC|.894424 20 mov dword ptr , eax
Replace
0F85D800000053E8
with
E9D90000009053E8
The above is key point 1 for building a loader.
00443AA2 E8 FF400300 call 00477BA6 ;nop this out and the registration dialog will not be shown
00443AA7|.83F8 FF cmp eax, -0x1
00443AAA|.75 08 jnz short 00443AB4
00443AAC|.6A 00 push 0x0 ; /ExitCode = 0x0
00443AAE|.FF15 F0745B00 call dword ptr [<&KERNEL32.ExitProces>; \ExitProcess
00443AB4|>83F8 01 cmp eax, 0x1
00443AB7|.0F85 A1020000 jnz 00443D5E
......some code omitted
00443B16|.8D4C24 20 lea ecx, dword ptr ; |
00443B1A|.C68424 14020000 10 mov byte ptr , 0x10 ; |
00443B22|.E8 A903FCFF call 00403ED0 ; \vbsedit.00403ED0
00443B27|.68 C0395F00 push 005F39C0 ; /http://www.vbsedit.com/key37.asp?license=
00443B2C|.8D4C24 1C lea ecx, dword ptr ; |
00443B30|.C68424 14020000 11 mov byte ptr , 0x11 ; |
00443B38|.E8 9303FCFF call 00403ED0 ; \vbsedit.00403ED0
00443B3D|.8D4C24 24 lea ecx, dword ptr
00443B41|.C68424 10020000 12 mov byte ptr , 0x12
00443B49|.E8 72350000 call 004470C0
00443B4E|.8BF0 mov esi, eax
Replace
E8????????83F8FF75086a00
with
909090909083F8FF75086a00
The above is key point 2 for building a loader.
0045CB97|.FF15 147A5B00 call dword ptr [<&WINTRUST.WinVerifyT>;wintrust.WinVerifyTrust
0045CB9D|.3BC7 cmp eax, edi
0045CB9F|.74 12 je short 0045CBB3 ;this must jump, otherwise the code does not get syntax colouring
0045CBA1|.3D 09010B80 cmp eax, 0x800B0109
0045CBA6|.74 0B je short 0045CBB3
0045CBA8|.3D 26200980 cmp eax, 0x80092026
0045CBAD|.0F85 F1040000 jnz 0045D0A4
The program cannot create .vbs files:
0044D56E|.E8 CD6CFBFF call 00404240 ;this call must return 0
0044D573|.8D70 01 lea esi, dword ptr ;this determines the value of esi
0044D576|.C1E6 1E shl esi, 0x1E
......some code omitted
0044D634|> \6A 00 push 0x0 ; /hTemplateFile = NULL
0044D636|.68 80000000 push 0x80 ; |Attributes = NORMAL
0044D63B|.6A 02 push 0x2 ; |Mode = CREATE_ALWAYS
0044D63D|.6A 00 push 0x0 ; |pSecurity = NULL
0044D63F|.6A 00 push 0x0 ; |ShareMode = 0
0044D641|.56 push esi ; |Access
0044D642|.8D85 CCFCFFFF lea eax, dword ptr ; |the esi above must be 40000000
0044D648|.50 push eax ; |FileName
0044D649|.FF15 14735B00 call dword ptr [<&KERNEL32.CreateFile>; \CreateFileW
Following the call 00404240 above:
00404240/$55 push ebp
......some code omitted
004042FB|.^ 7C D3 \jl short 004042D0
004042FD|>397D FC cmp dword ptr , edi
00404300 75 09 jnz short 0040430B ;nop this out
00404302|.5F pop edi
00404303|.5E pop esi
00404304|.33C0 xor eax, eax
00404306|.5B pop ebx
00404307|.8BE5 mov esp, ebp
00404309|.5D pop ebp
0040430A|.C3 retn
0040430B|>5F pop edi
0040430C|.5E pop esi
0040430D|.B8 01000000 mov eax, 0x1
00404312|.5B pop ebx
00404313|.8BE5 mov esp, ebp
00404315|.5D pop ebp
00404316\.C3 retn
Below is the restriction on generating an exe:
00477B6D > \3BFB cmp edi, ebx
00477B6F .74 0F je short 00477B80 ;0
00477B71 F646 58 10 test byte ptr , 0x10 ;the value here must equal 10
00477B75 75 09 jnz short 00477B80 ;this must always jump
00477B77 .57 push edi ; /hWnd
00477CB4 .F646 58 10 test byte ptr , 0x10 ;key comparison
00477CB8 .74 1E je short 00477CD8 ;0
00477CBA .6A 04 push 0x4
00477CBC .5F pop edi
00477CBD .8BCE mov ecx, esi
00477CBF .E8 85740000 call 0047F149
00477CC4 .A9 00010000 test eax, 0x100
00477CC9 .74 03 je short 00477CCE ;1
00477CCB .6A 05 push 0x5
00477CCD .5F pop edi
00477CCE >57 push edi ; /Arg1
00477CCF .8BCE mov ecx, esi ; |
00477CD1 .E8 5B2E0000 call 0047AB31 ; \pops up the dialog box
0044F890 .33C0 xor eax, eax
0044F892 >8B8C24 F00200>mov ecx, dword ptr
0044F899 .8D1481 lea edx, dword ptr
0044F89C .899424 F00200>mov dword ptr , edx
0044F8A3 .84DB test bl, bl
0044F8A5 .0F84 B5110000 je 00450A60 ;the conversion to exe follows below
0044F8AB .E8 14340300 call 00482CC4
0044F8B0 .8B8C24 F00200>mov ecx, dword ptr
0044F8B7 .8B40 04 mov eax, dword ptr
0044F8BA .8B10 mov edx, dword ptr
0044F8BC .8B92 80000000 mov edx, dword ptr
0044F8C2 .51 push ecx
0044F8C3 .68 0C525F00 push 005F520C ;UNICODE "Bits"
0044F8C8 .68 18525F00 push 005F5218 ;UNICODE "ConvertExe"
0044D4B6/$8B45 D0 mov eax, dword ptr
0044D4B9|.85C0 test eax, eax
0044D4BB|.74 07 je short 0044D4C4
0044D4BD|.50 push eax ; /hObject
0044D4BE|.FF15 20735B00 call dword ptr [<&KERNEL32.CloseHandl>; \CloseHandle
0044D4C4|>8B45 E0 mov eax, dword ptr
0044D4C7|.85C0 test eax, eax ;eax should equal the contents of the vbs
0044D4C9 74 09 je short 0044D4D4 ;otherwise the call below that opens the vbs reports an error
0044D4CB|.50 push eax
0044D4CC|.E8 B1920200 call 00476782
0044D4D1|.83C4 04 add esp, 0x4
0044D4D4|>8B45 D8 mov eax, dword ptr
0044D4D7|.85C0 test eax, eax
0044D4D9|.74 09 je short 0044D4E4
0044D4DB|.50 push eax
0044D4DC|.E8 A1920200 call 00476782
0044D4E1|.83C4 04 add esp, 0x4
0044D4E4\>C3 retn
The post should ideally provide a download address for the sample, and explain the modifications that were made.