ILprotector 22.15壳的脱法研究

zhj777 · 发表于 2024-8-26 11:27

手里有一.net程序，加的是ILprotector的混淆，用de4dot干不掉，找了专用脱壳机也不行，于是在网上搜了一下相应资料，找到了wwh1004大牛的 [.NET]详解ILProtector并写出脱壳机 https://www.52pojie.cn/thread-824381-1-1.html，但由于水平有限，未能实现脱壳，但已导出检测hook 涵数的伪代码，通过对比感觉和ILprotector22.15的相似，希望看到本贴的大牛对如何脱掉此壳指点一二，也欢迎更多的高手尝试脱壳。程序地址https://pan.baidu.com/s/1vpzg-3iz-yKnsTfvQmWt-A
提取码：ie65
下面是v22.15检测hook涵数伪码（不知找的对不对哈）

[C++] 纯文本查看 复制代码

001

002

003

004

005

006

007

008

009

010

011

012

013

014

015

016

017

018

019

020

021

022

023

024

025

026

027

028

029

030

031

032

033

034

035

036

037

038

039

040

041

042

043

044

045

046

047

048

049

050

051

052

053

054

055

056

057

058

059

060

061

062

063

064

065

066

067

068

069

070

071

072

073

074

075

076

077

078

079

080

081

082

083

084

085

086

087

088

089

090

091

092

093

094

095

096

097

098

099

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

276

277

278

279

280

281

282

283

284

285

286

287

288

289

290

291

292

293

294

295

296

297

298

299

300

301

302

303

304

305

306

307

308

309

310

311

312

313

314

315

316

317

318

319

320

321

322

323

324

325

326

327

328

329

330

331

332

333

334

335

336

337

338

339

340

341

342

343

344

345

346

347

348

349

350

351

352

353

354

355

356

357

358

359

360

361

362

363

364

365

366

367

368

369

370

371

372

373

374

375

376

377

378

379

380

381

382

383

384

385

386

char __fastcall sub_1002BCA0(int a1, int a2, int a3, int *a4, int a5, char a6, LONG a7, LONG **a8, int a9, int a10){
  int v10; // edi@1
  int v11; // edi@6
  SAFEARRAY *v12; // edi@10
  int v13; // eax@10
  HRESULT v14; // edi@12
  int v15; // edi@13
  int v16; // eax@13
  int v17; // eax@17
  int v18; // edx@18
  char v19; // al@21
  int *v20; // edx@30
  int v21; // edi@32
  int v22; // edi@32
  int *v23; // ecx@33
  int v24; // edx@35
  LONG *v25; // eax@37
  int v26; // edi@40
  char v27; // al@47
  int v28; // esi@51
  SAFEARRAY *v29; // eax@51
  void (__stdcall *v30)(VARIANTARG *); // edi@51
  int v31; // eax@52
  int v32; // esi@57
  SAFEARRAY *v33; // eax@57
  int v34; // edx@57
  int v35; // edi@58
  int (__stdcall *v36)(LONG, _DWORD); // esi@58
  int v37; // eax@58
  LONG **v38; // ecx@58
  int v39; // eax@58
  int v40; // eax@62
  int v41; // ecx@64
  int v42; // edx@64
  _DWORD *v43; // eax@64
  int v44; // esi@65
  int v45; // eax@67
  char v47; // [sp-20h] [bp-F0h]@21
  int v48; // [sp-1Ch] [bp-ECh]@21
  int v49; // [sp-18h] [bp-E8h]@21
  int v50; // [sp-14h] [bp-E4h]@21
  int v51; // [sp-10h] [bp-E0h]@21
  int v52; // [sp-Ch] [bp-DCh]@21
  int v53; // [sp-8h] [bp-D8h]@21
  VARIANTARG *v54; // [sp-4h] [bp-D4h]@21
  VARIANTARG v55; // [sp+10h] [bp-C0h]@1
  VARIANTARG v56; // [sp+20h] [bp-B0h]@51
  int v57; // [sp+30h] [bp-A0h]@19
  SAFEARRAY *psa; // [sp+34h] [bp-9Ch]@10
  int v59; // [sp+38h] [bp-98h]@1
  int v60; // [sp+3Ch] [bp-94h]@1
  int v61; // [sp+40h] [bp-90h]@1
  int v62; // [sp+44h] [bp-8Ch]@1
  int v63; // [sp+48h] [bp-88h]@1
  LONG **v64; // [sp+4Ch] [bp-84h]@1
  VARIANTARG pvarg; // [sp+50h] [bp-80h]@1
  int v66; // [sp+64h] [bp-6Ch]@1
  int (__stdcall *v67)(int, int, int, VARIANTARG *); // [sp+68h] [bp-68h]@1
  LONG v68; // [sp+6Ch] [bp-64h]@1
  int pv; // [sp+70h] [bp-60h]@10
  int v70; // [sp+74h] [bp-5Ch]@32
  SAFEARRAY *v71; // [sp+78h] [bp-58h]@10
  VARIANTARG *v72; // [sp+7Ch] [bp-54h]@30
  int *v73; // [sp+80h] [bp-50h]@21
  int v74; // [sp+84h] [bp-4Ch]@1
  int v75; // [sp+88h] [bp-48h]@1
  LONG rgIndices; // [sp+8Ch] [bp-44h]@1
  int v77; // [sp+90h] [bp-40h]@1
  int v78; // [sp+94h] [bp-3Ch]@1
  char v79; // [sp+9Bh] [bp-35h]@1
  int v80; // [sp+9Ch] [bp-34h]@1
  int v81; // [sp+A0h] [bp-30h]@21
  int *v82; // [sp+A4h] [bp-2Ch]@21
  VARIANTARG *v83; // [sp+A8h] [bp-28h]@21
  VARIANTARG *v84; // [sp+ACh] [bp-24h]@21
  VARIANTARG v85; // [sp+B0h] [bp-20h]@21
  int v86; // [sp+CCh] [bp-4h]@1
 
  v80 = a3;
  v63 = a1;
  v66 = a2;
  v64 = a8;
  v74 = a9;
  v75 = a10;
  v79 = 0;
  rgIndices = 0;
  v77 = 0;
  v86 = 0;
  v78 = 0;
  v62 = 0;
  v60 = 0;
  v67 = 0;
  v61 = 0;
  v59 = 0;
  v68 = 0;
  VariantInit(&pvarg);
  VariantInit(&v55);
  LOBYTE(v86) = 3;
  v10 = *(_DWORD *)v63;
  if ( !*(_DWORD *)v63 )
    sub_1007C060(-2147467261);
  if ( v77 )
    (*(void (__stdcall **)(int))(*(_DWORD *)v77 + 8))(v77);
  v77 = 0;
  if ( (*(int (__stdcall **)(int, int *))(*(_DWORD *)v10 + 72))(v10, &v77) >= 0 )
  {
    v11 = *(_DWORD *)v66;
    if ( !*(_DWORD *)v66 )
      goto LABEL_80;
    if ( v78 )
      (*(void (__stdcall **)(int))(*(_DWORD *)v78 + 8))(v78);
    v78 = 0;
    if ( (*(int (__stdcall **)(int, int *))(*(_DWORD *)v11 + 72))(v11, &v78) >= 0 )
    {
LABEL_80:
      v12 = SafeArrayCreateVector(0xCu, 0, 1u);
      v13 = *a4;
      psa = v12;
      rgIndices = 0;
      LOWORD(pv) = 9;
      v71 = (SAFEARRAY *)v13;
      if ( v13 )
        (*(void (__stdcall **)(int))(*(_DWORD *)v13 + 4))(v13);
      v14 = SafeArrayPutElement(v12, &rgIndices, &pv);
      VariantClear((VARIANTARG *)&pv);
      if ( v14 < 0 )
        goto LABEL_71;
      v15 = v80;
      v16 = *(_DWORD *)(*(_DWORD *)(v80 + 56) + 156);
      if ( !v16 )
        sub_1007C060(-2147467261);
      if ( (*(int (__stdcall **)(int, SAFEARRAY *, VARIANTARG *))(*(_DWORD *)v16 + 156))(v16, psa, &pvarg) < 0 )
        goto LABEL_71;
      if ( (pvarg.vt & 0xFFF) != 13 )
        goto LABEL_71;
      v17 = *(_DWORD *)(a7 + 100);
      if ( !(v17 & 1) )
        goto LABEL_71;
      v18 = *(_DWORD *)(v15 + 56);
      if ( *(_BYTE *)(v18 + 8) )
      {
        v57 = a5;
        if ( !(a6 & 2) || v17 & 2 )
        {
          v82 = &v57;
          v83 = &pvarg;
          v84 = &v55;
          *(_DWORD *)&v85.vt = &v77;
          *(_QWORD *)&v85.decVal.Hi32 = __PAIR__(&v78, v74);
          v81 = v15;
          v85.cyVal.Hi = v75;
          qmemcpy(&v47, &v81, 0x20u);
          sub_1002DA60(&v83, v47, v48, v49, v50, v51, v52, v53, v54);
          LOBYTE(v86) = 4;
          v73 = &v49;
          sub_100254A0();
          v19 = sub_1002CC70(v49, v50, v51, v52, v53, v54);
          LOBYTE(v86) = 3;
          if ( !v19 )
          {
            sub_10012D00();
            goto LABEL_71;
          }
          sub_10012D00();
          v15 = v80;
LABEL_30:
          LOWORD(pv) = 20;
          v71 = (SAFEARRAY *)(a7 ^ 0x4B4F4F4C);
          v72 = (VARIANTARG *)(((unsigned __int64)a7 >> 32) ^ 0x45524548);
          LOBYTE(v86) = 5;
          v20 = *(int **)(*(_DWORD *)(v15 + 56) + 148);
          if ( !v20 )
            sub_1007C060(-2147467261);
          v21 = *v20;
          v51 = pv;
          v52 = v70;
          v53 = (int)v71;
          v54 = v72;
          *(_DWORD *)&v47 = *(_DWORD *)&pvarg.vt;
          *(_QWORD *)&v48 = *(_QWORD *)&pvarg.decVal.Hi32;
          v22 = (*(int (__stdcall **)(int *, _DWORD, ULONG, LONG, __int32, int, int, SAFEARRAY *, VARIANTARG *))(v21 + 100))(
                  v20,
                  *(_DWORD *)&pvarg.vt,
                  pvarg.decVal.Hi32,
                  pvarg.lVal,
                  pvarg.cyVal.Hi,
                  pv,
                  v70,
                  v71,
                  v72);
          LOBYTE(v86) = 3;
          VariantClear((VARIANTARG *)&pv);
          if ( v22 >= 0 )
          {
            v23 = *(int **)(*(_DWORD *)(v80 + 56) + 152);
            if ( !v23 )
              sub_1007C060(-2147467261);
            v24 = *v23;
            *(VARIANTARG *)&v51 = v55;
            *(VARIANTARG *)&v47 = pvarg;
            if ( (*(int (__stdcall **)(int *, _DWORD, ULONG, LONG, __int32, _DWORD, ULONG, LONG, __int32))(v24 + 100))(
                   v23,
                   *(_DWORD *)&pvarg.vt,
                   pvarg.decVal.Hi32,
                   pvarg.lVal,
                   pvarg.cyVal.Hi,
                   *(_DWORD *)&v55.vt,
                   v55.decVal.Hi32,
                   v55.lVal,
                   v55.cyVal.Hi) >= 0
              && *(_BYTE *)(a7 + 100) & 1 )
            {
              v25 = (LONG *)operator new(0xCu);
              if ( v25 )
              {
                *v25 = pvarg.lVal;
                v25[1] = a7;
                v25[2] = 0;
              }
              else
              {
                v25 = 0;
              }
              v26 = v80;
              *v64 = v25;
              if ( (unsigned __int8)sub_1002C4F0(v25) )
              {
                if ( (!*(_DWORD *)v63 || (unsigned __int8)sub_100240C0(v26, v63, (int)&v62))
                  && (!*(_DWORD *)v66 || (unsigned __int8)sub_100240C0(v26, v66, (int)&v60))
                  && (unsigned __int8)sub_100242A0(v26, *(_DWORD *)(v26 + 56) + 28, *(_DWORD *)(v26 + 52) + 192, &v67)
                  && (unsigned __int8)sub_1002CFB0(v26, *(_DWORD *)(v26 + 56) + 32, (int)&v61) )
                {
                  v83 = (VARIANTARG *)off_1009091C;
                  v84 = (VARIANTARG *)v26;
                  *(_DWORD *)&v85.vt = &v59;
                  v85.lVal = (LONG)&v83;
                  LOBYTE(v86) = 6;
                  v73 = &v49;
                  sub_100254A0();
                  v27 = sub_100238D0(v49, v50, v51, v52, v53, v54);
                  LOBYTE(v86) = 3;
                  if ( v27 )
                  {
                    sub_10012D00();
                    if ( *(_DWORD *)v63 && (*(_WORD *)v74 & 0xFFF) == 13 )
                    {
                      v73 = &v51;
                      v68 = -1;
                      sub_1001C380(v74);
                      v28 = v67(v51, v52, v53, v54);
                      VariantInit((VARIANTARG *)&pv);
                      VariantInit(&v85);
                      LOBYTE(v86) = 8;
                      LOWORD(pv) = 8204;
                      v29 = SafeArrayCreateVector(0xCu, 0, 1u);
                      v56.vt = 22;
                      v71 = v29;
                      rgIndices = 0;
                      v56.lVal = -1;
                      SafeArrayPutElement(v29, &rgIndices, &v56);
                      v30 = (void (__stdcall *)(VARIANTARG *))VariantClear;
                      VariantClear(&v56);
                      sub_10025210(v80, &pv, (int)&v85);
                      *(_DWORD *)(a7 + 56) = *(_DWORD *)v28;
                      *(_DWORD *)(a7 + 60) = *(_DWORD *)(v28 + 4);
                      if ( (*(_BYTE *)v28 ^ 0x80) == 105 )
                      {
                        v31 = *(_DWORD *)(v28 + 1) + ((*(_BYTE *)v28 ^ 0xFC) & 0xF);
                        *(_DWORD *)(a7 + 92) = *(_DWORD *)(v31 + v28);
                        *(_DWORD *)(a7 + 96) = *(_DWORD *)(v31 + v28 + 4);
                      }
                      VariantClear(&v85);
                      LOBYTE(v86) = 3;
                      VariantClear((VARIANTARG *)&pv);
                    }
                    else
                    {
                      v30 = (void (__stdcall *)(VARIANTARG *))VariantClear;
                    }
                    if ( *(_DWORD *)v66 && (*(_WORD *)v75 & 0xFFF) == 13 )
                    {
                      --v68;
                      v73 = &v51;
                      sub_1001C380(v75);
                      v32 = v67(v51, v52, v53, v54);
                      VariantInit((VARIANTARG *)&pv);
                      VariantInit(&v85);
                      LOBYTE(v86) = 10;
                      LOWORD(pv) = 8204;
                      v33 = SafeArrayCreateVector(0xCu, 0, 1u);
                      v56.vt = 22;
                      v56.lVal = v68;
                      v71 = v33;
                      rgIndices = 0;
                      SafeArrayPutElement(v33, &rgIndices, &v56);
                      v30(&v56);
                      sub_10025210(v80, &pv, (int)&v85);
                      *(_DWORD *)(a7 + 64) = *(_DWORD *)v32;
                      v34 = *(_DWORD *)(v32 + 4);
                      v54 = &v85;
                      *(_DWORD *)(a7 + 68) = v34;
                      v30(v54);
                      LOBYTE(v86) = 3;
                      v30((VARIANTARG *)&pv);
                    }
                    v35 = v80;
                    v36 = *(int (__stdcall **)(LONG, _DWORD))(*(_DWORD *)(v80 + 56) + 316);
                    v37 = v36(**v64, *(_DWORD *)(*(_DWORD *)(v80 + 52) + 316));
                    *(_DWORD *)(a7 + 84) = *(_DWORD *)v37;
                    v38 = v64;
                    *(_DWORD *)(a7 + 88) = *(_DWORD *)(v37 + 4);
                    v39 = v36(**v38, *(_DWORD *)(*(_DWORD *)(v35 + 52) + 240));
                    *(_DWORD *)(a7 + 80) = v39;
                    if ( (*(_BYTE *)v39 ^ 0x11) == 68
                      && (*(_BYTE *)(v39 + 1) ^ 0x72) == -7
                      && (*(_BYTE *)(v39 + 2) ^ 0x61) == -115 )
                    {
                      v54 = (VARIANTARG *)16;
                      *(_DWORD *)(a7 + 36) = v67;
                      v73 = (int *)operator new((size_t)v54);
                      LOBYTE(v86) = 11;
                      if ( v73 )
                        v40 = sub_1001C380(v74);
                      else
                        v40 = 0;
                      LOBYTE(v86) = 3;
                      v41 = v61;
                      v42 = v59;
                      *(_DWORD *)(a7 + 48) = v40;
                      *(_DWORD *)(a7 + 40) = v62;
                      v43 = (_DWORD *)v66;
                      *(_DWORD *)(a7 + 72) = v41;
                      *(_DWORD *)(a7 + 76) = v42;
                      if ( *v43 )
                      {
                        v44 = v75;
                        if ( (*(_WORD *)v75 & 0xFFF) == 13 )
                        {
                          v73 = (int *)operator new(0x10u);
                          LOBYTE(v86) = 12;
                          if ( v73 )
                            v45 = sub_1001C380(v44);
                          else
                            v45 = 0;
                          *(_DWORD *)(a7 + 52) = v45;
                          *(_DWORD *)(a7 + 44) = v60;
                        }
                      }
                      v79 = 1;
                    }
                  }
                  else
                  {
                    sub_10012D00();
                  }
                }
              }
            }
          }
          goto LABEL_71;
        }
      }
      else if ( (!(a6 & 2) || v17 & 2)
             && (unsigned __int8)sub_10026870(v15, *(_DWORD *)(v15 + 56) + 12, &pvarg, v18 + 196, (int)&v55)
             && (unsigned __int8)sub_10026870(v15, (int)&v77, &pvarg, *(_DWORD *)(v15 + 56) + 200, v74)
             && (!v78 || (unsigned __int8)sub_10026870(v15, (int)&v78, &pvarg, *(_DWORD *)(v15 + 56) + 208, v75)) )
      {
        goto LABEL_30;
      }
LABEL_71:
      if ( psa )
        SafeArrayDestroy(psa);
      goto LABEL_73;
    }
  }
LABEL_73:
  VariantClear(&v55);
  VariantClear(&pvarg);
  LOBYTE(v86) = 0;
  if ( v78 )
    (*(void (__stdcall **)(int))(*(_DWORD *)v78 + 8))(v78);
  v86 = -1;
  if ( v77 )
    (*(void (__stdcall **)(int))(*(_DWORD *)v77 + 8))(v77);
  return v79;
}

zhj777 · 发表于 2024-9-8 08:35

本帖最后由 zhj777 于 2024-9-8 08:39 编辑

SoftCracker 发表于 2024-9-7 21:39
> 只不过样本我用的是22.15保护的

这个程序不是你加的壳吧？（https://pan.baidu.com/s/1vpzg-3iz-yKnsT ...

这个样本是我加的，因为我这有个程序不方便上传，通过对比发现加的混淆和22.15的差不多，所以就传了这个样本。大牛有思路去掉此混淆还请指导一下，如果能出个教程那再好不过了。

zhj777 · 发表于 2024-9-7 08:39

本帖最后由 zhj777 于 2024-9-7 08:43 编辑

SoftCracker 发表于 2024-9-5 00:57
跟以前一样啊，我还以为ILProtector更新了呢

更新了，最新的是22.17吧，只不过样本我用的是22.15保护的。不知大牛能不能去掉混淆？如果能的话那能不能麻烦您请指点一下如何去掉混淆。

zhj777 · 发表于 2024-9-4 22:43

看来和wwh1004大牛类似的高手们都没空研究这壳了！

SoftCracker · 发表于 2024-9-5 00:57

跟以前一样啊，我还以为ILProtector更新了呢

SoftCracker · 发表于 2024-9-7 21:39

> 只不过样本我用的是22.15保护的

这个程序不是你加的壳吧？（https://pan.baidu.com/s/1vpzg-3iz-yKnsTfvQmWt-A）

zhj777 · 发表于 2024-9-13 04:53

SoftCracker 发表于 2024-9-5 00:57
跟以前一样啊，我还以为ILProtector更新了呢

看到您已经去掉混淆，能不能麻烦您指导一下如何去掉混淆？

go2crack · 发表于 2024-9-15 00:22

确实还是老样子啊。

zhj777 · 发表于 2024-9-17 06:57

本帖最后由 zhj777 于 2024-9-21 21:31 编辑

go2crack 发表于 2024-9-15 00:22
确实还是老样子啊。

帐号		自动登录	找回密码
密码			注册[Register]

[求助] ILprotector 22.15壳的脱法研究