从没有分析过小穿（Armadillo）的 IAT 加密，以前一直都是照着大牛的做法。花了几个小时，又看了好多破文……才能搞成现在这般样子，惭愧。
查壳
<------- 24-10-2008 23:40:59 ------->
C:\Documents and Settings\wesley\Desktop\UnPackMe.exe
!- 目标为Armadillo保护
!- 保护系统级别为 (专业版)
!- <所用到的保护模式有>
标准保护 或 最小保护模式
!- <备份密钥设置>
没有发现注册密钥
!- <目标程序压缩设置>
较好 / 较慢 的压缩方式
!- <其它保护设置>
!- 版本号: 4.40 31October2005
!- 共使用的时间 00h 00m 00s 641ms
OD 载入，忽略所有异常，直接在 CODE 段下断，Shift+F9 运行：
00BFF968  8B12           mov edx,dword ptr ds:[edx]
00BFF96A  8955 DC        mov dword ptr ss:[ebp-24],edx
00BFF96D  834D FC FF     or dword ptr ss:[ebp-4],FFFFFFFF
00BFF971  EB 11          jmp short 00BFF984
00BFF973  6A 01          push 1
00BFF975  58             pop eax
单步几下直达 OEP：
00401700  55             push ebp
00401701  8BEC           mov ebp,esp
00401703  6A FF          push -1
00401705  68 00254000    push UnPackMe.00402500
0040170A  68 86184000    push UnPackMe.00401886 ; jmp 到
0040170F  64:A1 00000000 mov eax,dword ptr fs:[0]
00401715  50             push eax
00401716  64:8925 0000000> mov dword ptr fs:[0],esp
0040171D  83EC 68        sub esp,68
00401720  53             push ebx
先用 LordPE 把程序脱下来再说，然后用 ImportREC 修复。随便找一个 IAT 地址即可，我这里就找 0040216c。
重新载入程序（注意：重新载入后壳代码的基址会变化，下文同一段代码的地址由 00BFxxxx 变为 00C0xxxx，指令内容不变）。
在数据窗口 Ctrl+G到0040216c
下硬件写入断点(BYTE)
Shift+F9 Twice
It breaks in this place（断在此处）：
00BFC6BD  8B85 10D9FFFF  mov eax,dword ptr ss:[ebp-26F0] ; UnPackMe.0040216C
00BFC6C3  83C0 04        add eax,4
00BFC6C6  8985 10D9FFFF  mov dword ptr ss:[ebp-26F0],eax
00BFC6CC  ^E9 4DFCFFFF   jmp 00BFC31E
单步后到达下面的位置：
00BFC6D1  FF15 7C62C000  call dword ptr ds:[C0627C] ; kernel32.GetTickCount
00C0C31E6A 01 push 1 ; IAT处理开始00C0C32058pop eax00C0C32185C0test eax,eax00C0C3230F84 A8030000 je 00C0C6D100C0C3298B85 84D9FFFF mov eax,dword ptr ss:[ebp-267C]00C0C32F66:8B00 mov ax,word ptr ds:[eax]00C0C33266:8985 64C2FFF>mov word ptr ss:[ebp-3D9C],ax00C0C3398B85 84D9FFFF mov eax,dword ptr ss:[ebp-267C]00C0C33F40inc eax00C0C34040inc eax00C0C3418985 84D9FFFF mov dword ptr ss:[ebp-267C],eax00C0C3470FB785 64C2FFFF movzx eax,word ptr ss:[ebp-3D9C]00C0C34E50push eax00C0C34FFFB5 84D9FFFF push dword ptr ss:[ebp-267C]00C0C3558D85 70CAFFFF lea eax,dword ptr ss:[ebp-3590]00C0C35B50push eax00C0C35CE8 F78E0000 call 00C15258; jmp 到00C0C36183C4 0C add esp,0C00C0C3640FB785 64C2FFFF movzx eax,word ptr ss:[ebp-3D9C]00C0C36B8B8D 84D9FFFF mov ecx,dword ptr ss:[ebp-267C]00C0C37103C8add ecx,eax00C0C373898D 84D9FFFF mov dword ptr ss:[ebp-267C],ecx00C0C37966:83A5 6CCAFFF>and word ptr ss:[ebp-3594],000C0C381A0 60ECC100 mov al,byte ptr ds:[C1EC60]00C0C3868885 68C2FFFF mov byte ptr ss:[ebp-3D98],al00C0C38CB9 FF010000 mov ecx,1FF00C0C39133C0xor eax,eax00C0C3938DBD 69C2FFFF lea edi,dword ptr ss:[ebp-3D97]00C0C399F3:AB rep stos dword ptr es:[edi]00C0C39B66:AB stos word ptr es:[edi]00C0C39DAAstos byte ptr es:[edi]00C0C39E0FB785 64C2FFFF movzx eax,word ptr ss:[ebp-3D9C]00C0C3A585C0test eax,eax00C0C3A774 6E je short 00C0C41700C0C3A98D8D 74D9FFFF lea ecx,dword ptr ss:[ebp-268C]00C0C3AFE8 4C4CFDFF call 00BE100000C0C3B48985 60C2FFFF mov dword ptr ss:[ebp-3DA0],eax00C0C3BA6A 00 push 000C0C3BC0FB785 64C2FFFF movzx eax,word ptr ss:[ebp-3D9C]00C0C3C350push eax00C0C3C48D85 70CAFFFF lea eax,dword ptr ss:[ebp-3590]00C0C3CA50push eax00C0C3CBFFB5 60C2FFFF push dword ptr ss:[ebp-3DA0]00C0C3D1E8 D650FDFF call 00BE14AC; 获取一个函数名00C0C3D683C4 10 add esp,1000C0C3D90FB685 70CAFFFF movzx eax,byte ptr ss:[ebp-3590] ; 函数名首字母 ASCII 送到 EAX00C0C3E03D FF000000 cmp eax,0FF00C0C3E575 10 jnz short 00C0C3F700C0C3E766:8B85 71CAFFF>mov ax,word ptr ss:[ebp-358F]00C0C3EE66:8985 6CCAFFF>mov word ptr ss:[ebp-3594],ax00C0C3F5EB 20 jmp 
short 00C0C41700C0C3F70FBE85 70CAFFFF movsx eax,byte ptr ss:[ebp-3590] ; 函数名首字母 ASCII 送到 EAX00C0C3FE85C0test eax,eax00C0C40074 15 je short 00C0C41700C0C4028D85 70CAFFFF lea eax,dword ptr ss:[ebp-3590]; 函数名送到 EAX 中保存00C0C40850push eax00C0C4098D85 68C2FFFF lea eax,dword ptr ss:[ebp-3D98]; 函数地址送到 EAX 中保存00C0C40F50push eax00C0C410E8 D58E0000 call 00C152EA; jmp 到00C0C41559pop ecx00C0C41659pop ecx00C0C41783A5 68CAFFFF 0>and dword ptr ss:[ebp-3598],000C0C41E0FB785 6CCAFFFF movzx eax,word ptr ss:[ebp-3594]00C0C42585C0test eax,eax00C0C42774 6C je short 00C0C49500C0C42983BD 9CD4FFFF 0>cmp dword ptr ss:[ebp-2B64],000C0C43074 51 je short 00C0C48300C0C4328B85 9CD4FFFF mov eax,dword ptr ss:[ebp-2B64]00C0C4388985 5CC2FFFF mov dword ptr ss:[ebp-3DA4],eax00C0C43EEB 0F jmp short 00C0C44F00C0C4408B85 5CC2FFFF mov eax,dword ptr ss:[ebp-3DA4]00C0C44683C0 0C add eax,0C00C0C4498985 5CC2FFFF mov dword ptr ss:[ebp-3DA4],eax00C0C44F8B85 5CC2FFFF mov eax,dword ptr ss:[ebp-3DA4]00C0C4558378 08 00cmp dword ptr ds:[eax+8],000C0C45974 28 je short 00C0C48300C0C45B0FB785 6CCAFFFF movzx eax,word ptr ss:[ebp-3594]00C0C4628B8D 5CC2FFFF mov ecx,dword ptr ss:[ebp-3DA4]00C0C4680FB749 04 movzx ecx,word ptr ds:[ecx+4]00C0C46C3BC1cmp eax,ecx00C0C46E75 11 jnz short 00C0C48100C0C4708B85 5CC2FFFF mov eax,dword ptr ss:[ebp-3DA4]00C0C4768B40 08 mov eax,dword ptr ds:[eax+8]00C0C4798985 68CAFFFF mov dword ptr ss:[ebp-3598],eax00C0C47FEB 02 jmp short 00C0C48300C0C481^ EB BD jmp short 00C0C44000C0C4838B85 A8D4FFFF mov eax,dword ptr ss:[ebp-2B58]00C0C48940inc eax00C0C48A8985 A8D4FFFF mov dword ptr ss:[ebp-2B58],eax00C0C490E9 D0000000 jmp 00C0C56500C0C4950FBE85 68C2FFFF movsx eax,byte ptr ss:[ebp-3D98]00C0C49C85C0test eax,eax ; 比较函数名首位是否为空00C0C49E0F84 8A000000 je 00C0C52E00C0C4A483BD 9CD4FFFF 0>cmp dword ptr ss:[ebp-2B64],000C0C4AB74 72 je short 00C0C51F00C0C4AD8B85 9CD4FFFF mov eax,dword ptr ss:[ebp-2B64]00C0C4B38985 58C2FFFF mov dword ptr ss:[ebp-3DA8],eax00C0C4B9EB 0F jmp short 00C0C4CA00C0C4BB8B85 58C2FFFF mov 
eax,dword ptr ss:[ebp-3DA8]00C0C4C183C0 0C add eax,0C00C0C4C48985 58C2FFFF mov dword ptr ss:[ebp-3DA8],eax00C0C4CA8B85 58C2FFFF mov eax,dword ptr ss:[ebp-3DA8]00C0C4D08378 08 00cmp dword ptr ds:[eax+8],000C0C4D474 49 je short 00C0C51F00C0C4D668 00010000 push 10000C0C4DB8D85 58C1FFFF lea eax,dword ptr ss:[ebp-3EA8]00C0C4E150push eax00C0C4E28B85 58C2FFFF mov eax,dword ptr ss:[ebp-3DA8]00C0C4E8FF30push dword ptr ds:[eax]00C0C4EAE8 A961FDFF call 00BE269800C0C4EF83C4 0C add esp,0C00C0C4F28D85 58C1FFFF lea eax,dword ptr ss:[ebp-3EA8]00C0C4F850push eax00C0C4F98D85 68C2FFFF lea eax,dword ptr ss:[ebp-3D98]00C0C4FF50push eax00C0C500FF15 8C63C100 call dword ptr ds:[C1638C] ; msvcrt._stricmp00C0C50659pop ecx00C0C50759pop ecx00C0C50885C0test eax,eax00C0C50A75 11 jnz short 00C0C51D00C0C50C8B85 58C2FFFF mov eax,dword ptr ss:[ebp-3DA8]00C0C5128B40 08 mov eax,dword ptr ds:[eax+8]00C0C5158985 68CAFFFF mov dword ptr ss:[ebp-3598],eax00C0C51BEB 02 jmp short 00C0C51F00C0C51D^ EB 9C jmp short 00C0C4BB00C0C51F8B85 A8D4FFFF mov eax,dword ptr ss:[ebp-2B58]00C0C52540inc eax00C0C5268985 A8D4FFFF mov dword ptr ss:[ebp-2B58],eax00C0C52CEB 37 jmp short 00C0C56500C0C52E8D8D 38D9FFFF lea ecx,dword ptr ss:[ebp-26C8]00C0C534E8 074BFDFF call 00BE104000C0C5390FB6C0movzx eax,al00C0C53C99cdq00C0C53D6A 14 push 1400C0C53F59pop ecx00C0C540F7F9idiv ecx00C0C5428B85 10D9FFFF mov eax,dword ptr ss:[ebp-26F0]00C0C5488B8C95 94D7FFFF mov ecx,dword ptr ss:[ebp+edx*4-286C]00C0C54F8908mov dword ptr ds:[eax],ecx00C0C5518B85 10D9FFFF mov eax,dword ptr ss:[ebp-26F0]00C0C55783C0 04 add eax,400C0C55A8985 10D9FFFF mov dword ptr ss:[ebp-26F0],eax00C0C560E9 6C010000 jmp 00C0C6D100C0C56583BD 68CAFFFF 0>cmp dword ptr ss:[ebp-3598],0关键00BFC56C /75 42 jnz short 00BFC5B0 majic jump 根据下面的简单分析 这里的跳转不实现 下面的IAT压栈等一系列操作才能完成 直接NOP掉00C0C56E0FB785 6CCAFFFF movzx eax,word ptr ss:[ebp-3594] ; EAX清000C0C57585C0test eax,eax00C0C57774 0F je short 00C0C58800C0C5790FB785 6CCAFFFF movzx eax,word ptr ss:[ebp-3594]00C0C5808985 D8A8FFFF mov dword 
ptr ss:[ebp+FFFFA8D8],eax00C0C586EB 0C jmp short 00C0C59400C0C5888D85 68C2FFFF lea eax,dword ptr ss:[ebp-3D98]; 函数名送EAX00C0C58E8985 D8A8FFFF mov dword ptr ss:[ebp+FFFFA8D8],eax00C0C5946A 01 push 100C0C596FFB5 D8A8FFFF push dword ptr ss:[ebp+FFFFA8D8] ; 函数名压栈00C0C59CFFB5 A0D4FFFF push dword ptr ss:[ebp-2B60] ; 这里应该是对应的DLL压栈?00C0C5A2E8 6DA0FEFF call 00BF661400C0C5A783C4 0C add esp,0C00C0C5AA8985 68CAFFFF mov dword ptr ss:[ebp-3598],eax; 处理好后送入[ebp-3598]保存00C0C5B083BD 68CAFFFF 0>cmp dword ptr ss:[ebp-3598],000C0C5B775 42 jnz short 00C0C5FB ; 检测该IAT是否已放入那个地址是的话跳走继续00C0C5B90FB785 6CCAFFFF movzx eax,word ptr ss:[ebp-3594]00C0C5C085C0test eax,eax00C0C5C274 0F je short 00C0C5D300C0C5C40FB785 6CCAFFFF movzx eax,word ptr ss:[ebp-3594]00C0C5CB8985 D4A8FFFF mov dword ptr ss:[ebp+FFFFA8D4],eax00C0C5D1EB 0C jmp short 00C0C5DF00C0C5D38D85 68C2FFFF lea eax,dword ptr ss:[ebp-3D98]00C0C5D98985 D4A8FFFF mov dword ptr ss:[ebp+FFFFA8D4],eax00C0C5DF6A 00 push 000C0C5E1FFB5 D4A8FFFF push dword ptr ss:[ebp+FFFFA8D4]00C0C5E7FFB5 A0D4FFFF push dword ptr ss:[ebp-2B60]00C0C5EDE8 22A0FEFF call 00BF661400C0C5F283C4 0C add esp,0C00C0C5F58985 68CAFFFF mov dword ptr ss:[ebp-3598],eax00C0C5FB83BD 68CAFFFF 0>cmp dword ptr ss:[ebp-3598],0; 再次确认是否放入00C0C6020F85 99000000 jnz 00C0C6A100C0C6080FB785 6CCAFFFF movzx eax,word ptr ss:[ebp-3594]00C0C60F85C0test eax,eax00C0C61174 54 je short 00C0C66700C0C613FF15 C060C100 call dword ptr ds:[C160C0] ; ntdll.RtlGetLastWin32Error00C0C61983F8 32 cmp eax,3200C0C61C75 0C jnz short 00C0C62A00C0C61EC785 68CAFFFF 0>mov dword ptr ss:[ebp-3598],0BF660900C0C628EB 3B jmp short 00C0C66500C0C62A8B45 08 mov eax,dword ptr ss:[ebp+8]00C0C62D8B00mov eax,dword ptr ds:[eax]00C0C62FC700 03000000 mov dword ptr ds:[eax],300C0C635FF15 C060C100 call dword ptr ds:[C160C0] ; ntdll.RtlGetLastWin32Error00C0C63B50push eax00C0C63C0FB785 6CCAFFFF movzx eax,word ptr ss:[ebp-3594]00C0C64350push eax00C0C644FFB5 84D3FFFF push dword ptr ss:[ebp-2C7C]00C0C64A68 94CBC100 push 0C1CB94 ; ASCII "File 
""%s"", ordinal %d (error %d)"00C0C64F8B45 08 mov eax,dword ptr ss:[ebp+8]00C0C652FF70 04 push dword ptr ds:[eax+4]00C0C655FF15 1063C100 call dword ptr ds:[C16310] ; msvcrt.sprintf00C0C65B83C4 14 add esp,1400C0C65E33C0xor eax,eax00C0C660E9 5B140000 jmp 00C0DAC000C0C665EB 3A jmp short 00C0C6A100C0C6678B45 08 mov eax,dword ptr ss:[ebp+8]00C0C66A8B00mov eax,dword ptr ds:[eax]00C0C66CC700 03000000 mov dword ptr ds:[eax],300C0C672FF15 C060C100 call dword ptr ds:[C160C0] ; ntdll.RtlGetLastWin32Error00C0C67850push eax00C0C6798D85 68C2FFFF lea eax,dword ptr ss:[ebp-3D98]00C0C67F50push eax00C0C680FFB5 84D3FFFF push dword ptr ss:[ebp-2C7C]00C0C68668 70CBC100 push 0C1CB70 ; ASCII "File ""%s"", function ""%s"" (error %d)"00C0C68B8B45 08 mov eax,dword ptr ss:[ebp+8]00C0C68EFF70 04 push dword ptr ds:[eax+4]00C0C691FF15 1063C100 call dword ptr ds:[C16310] ; msvcrt.sprintf00C0C69783C4 14 add esp,1400C0C69A33C0xor eax,eax00C0C69CE9 1F140000 jmp 00C0DAC000C0C6A18B85 10D9FFFF mov eax,dword ptr ss:[ebp-26F0]; 把该IAT的位置传EAX00C0C6A73B85 64D9FFFF cmp eax,dword ptr ss:[ebp-269C]00C0C6AD73 1D jnb short 00C0C6CC ; EAX值大于等于FFFFFFFF就跳 显然没跳00C0C6AF8B85 10D9FFFF mov eax,dword ptr ss:[ebp-26F0]; 再次把IAT位置写入EAX00C0C6B58B8D 68CAFFFF mov ecx,dword ptr ss:[ebp-3598]; IAT写入ECX00C0C6BB8908mov dword ptr ds:[eax],ecx ; 将IAT写入EAX对应的内存地址 可以在堆栈中看到已写入此IAT00C0C6BD8B85 10D9FFFF mov eax,dword ptr ss:[ebp-26F0]; 把IAT位置写入EAX00C0C6C383C0 04 add eax,4; 指向下一个要写入的IAT位置00C0C6C68985 10D9FFFF mov dword ptr ss:[ebp-26F0],eax; 将下一个要写入IAT的值 继续放入[ebp-26F0]00C0C6CC^ E9 4DFCFFFF jmp 00C0C31E ; 向上循环00C0C6D1FF15 7C62C100 call dword ptr ds:[C1627C] ; kernel32.GetTickCount
00C0C788  E8 C58A0000    call 00C15252 ; jmp 到
00C0C78D  59             pop ecx
00C0C78E  ^E9 30F7FFFF   jmp 00C0BEC3 ; 继续循环
00C0C793  8B85 F0D7FFFF  mov eax,dword ptr ss:[ebp-2810] ; IAT 处理完毕，在此下 F2 断点。断下后把上面的 magic jump 改回来，以防壳检测
00C0C799  8985 A0ABFFFF  mov dword ptr ss:[ebp+FFFFABA0],eax
然后在 00401000 处 F2 下断，Shift+F9 运行，来到这里——好熟悉的地方：
00C0F968  8B12           mov edx,dword ptr ds:[edx]
00C0F96A  8955 DC        mov dword ptr ss:[ebp-24],edx
00C0F96D  834D FC FF     or dword ptr ss:[ebp-4],FFFFFFFF
00C0F971  EB 11          jmp short 00C0F984
00C0F973  6A 01          push 1
00C0F975  58             pop eax
00C0F976  C3             retn
一路单步：
00C0F9D1  FF77 08        push dword ptr ds:[edi+8]
00C0F9D4  6A 00          push 0
00C0F9D6  FF77 0C        push dword ptr ds:[edi+C]
00C0F9D9  8B50 60        mov edx,dword ptr ds:[eax+60]
00C0F9DC  3350 44        xor edx,dword ptr ds:[eax+44]
00C0F9DF  3350 1C        xor edx,dword ptr ds:[eax+1C]
00C0F9E2  2BCA           sub ecx,edx
00C0F9E4  FFD1           call ecx ; <<== OEP，F7 进入
00C0F9E6  8945 E4        mov dword ptr ss:[ebp-1C],eax
00C0F9E9  8B45 E4        mov eax,dword ptr ss:[ebp-1C]
00C0F9EC  8B4D F0        mov ecx,dword ptr ss:[ebp-10]
00C0F9EF  64:890D 0000000> mov dword ptr fs:[0],ecx
00C0F9F6  5F             pop edi
00C0F9F7  5E             pop esi
先前已经脱过壳了，这里直接修复就好：删除几个无效指针……OK，成功运行。