tELock 0.98 IAT简单分析

frozenrain · 发表于 2009-3-21 14:01

本帖最后由 frozenrain 于 2009-3-22 10:02 编辑

经常听高手说学习脱壳重在过程不在于结果，我也来自己亲自找壳对IAT的处理部分。
找magic jump。这样水平才能提高。虽然SEH里有很多精彩的地方，但SEH不在本文讨论范围内。
好直接内存CODE段F2下断F9
00406D2B    AC             lods byte ptr ds:[esi]
00406D2C    F6D8          neg al
00406D2E    32C3          xor al,bl
00406D30    04 01          add al,1
00406D32    0AC9          or cl,cl
00406D34    02C2          add al,dl
00406D36    F6D0          not al
00406D38    F6D0          not al
00406D3A    F6D0          not al
00406D3C    0ADB          or bl,bl
00406D3E    04 43          add al,43
00406D40    F6D0          not al
00406D42    04 37          add al,37
00406D44    02C1          add al,cl
00406D46    F6D8          neg al
00406D48    F8             clc
00406D49    90             nop
00406D4A    34 D9          xor al,0D9
单步往下走就到了IAT处理附近了。更简单的方法是下GetModuleHandleA 然后往下找MAGIC跳。
00407210    8B95 62D34000 mov edx,dword ptr ss:[ebp+40D362]
00407216    8BB5 52D34000 mov esi,dword ptr ss:[ebp+40D352]
0040721C    85F6          test esi,esi
0040721E    0F84 06040000 je TasKit.0040762A
00407224    03F2          add esi,edx                      ;esi指向输入表
00407226    83A5 52D44000 00 and dword ptr ss:[ebp+40D452],0
0040722D    8B46 0C       mov eax,dword ptr ds:[esi+C]       ;Name
00407230    8366 0C 00    and dword ptr ds:[esi+C],0
00407234    85C0          test eax,eax
00407236    0F84 EE030000 je TasKit.0040762A
0040723C    03C2          add eax,edx                      +offset
0040723E    8BD8          mov ebx,eax
00407240    50             push eax
00407241 FF95 D0D24000 call dword ptr ss:[ebp+40D2D0]    ;GetModuleHandleA
00407247    85C0          test eax,eax
00407249    0F85 BA000000 jnz TasKit.00407309
0040724F    53             push ebx
00407250  FF95 E4BA4000 call dword ptr ss:[ebp+40BAE4]    ;LoadLibraryA
00407256    85C0          test eax,eax
00407258    0F85 AB000000 jnz TasKit.00407309
0040725E    8B95 62D34000 mov edx,dword ptr ss:[ebp+40D362]
00407264    0195 2AD34000 add dword ptr ss:[ebp+40D32A],edx
0040726A    0195 36D34000 add dword ptr ss:[ebp+40D336],edx
00407270    6A 30          push 30
00407272    53             push ebx
00407273    FFB5 36D34000 push dword ptr ss:[ebp+40D336]
00407279    EB 53          jmp short TasKit.004072CE
0040727B    8B95 62D34000 mov edx,dword ptr ss:[ebp+40D362]
00407281    0195 2AD34000 add dword ptr ss:[ebp+40D32A],edx
00407287    0195 2ED34000 add dword ptr ss:[ebp+40D32E],edx
0040728D    0195 3ED34000 add dword ptr ss:[ebp+40D33E],edx
00407293    0195 42D34000 add dword ptr ss:[ebp+40D342],edx
00407299    0195 46D34000 add dword ptr ss:[ebp+40D346],edx
0040729F    6A 30          push 30
004072A1    FFB5 2AD34000 push dword ptr ss:[ebp+40D32A]
004072A7    48             dec eax
004072A8    75 08          jnz short TasKit.004072B2
004072AA    FFB5 46D34000 push dword ptr ss:[ebp+40D346]
004072B0    EB 1C          jmp short TasKit.004072CE
004072B2    40             inc eax
004072B3    75 08          jnz short TasKit.004072BD
004072B5    FFB5 2ED34000 push dword ptr ss:[ebp+40D32E]
004072BB    EB 11          jmp short TasKit.004072CE
004072BD    40             inc eax
004072BE    75 08          jnz short TasKit.004072C8
004072C0    FFB5 3ED34000 push dword ptr ss:[ebp+40D33E]
004072C6    EB 06          jmp short TasKit.004072CE
004072C8    FFB5 42D34000 push dword ptr ss:[ebp+40D342]
004072CE    6A 00          push 0
004072D0    FF95 D8D24000 call dword ptr ss:[ebp+40D2D8]
004072D6    8B85 E8BA4000 mov eax,dword ptr ss:[ebp+40BAE8]
004072DC    894424 FC       mov dword ptr ss:[esp-4],eax
004072E0    61             popad
004072E1    6A 00          push 0
004072E3    FF5424 E0       call dword ptr ss:[esp-20]
004072E7    8B95 62D34000 mov edx,dword ptr ss:[ebp+40D362]
004072ED    0195 2AD34000 add dword ptr ss:[ebp+40D32A],edx
004072F3    0195 3AD34000 add dword ptr ss:[ebp+40D33A],edx
004072F9    6A 30          push 30
004072FB    FFB5 2AD34000 push dword ptr ss:[ebp+40D32A]
00407301    FFB5 3AD34000 push dword ptr ss:[ebp+40D33A]
00407307 ^ EB C5          jmp short TasKit.004072CE
00407309    8985 4AD34000 mov dword ptr ss:[ebp+40D34A],eax
0040730F    8D85 28CC4000 lea eax,dword ptr ss:[ebp+40CC28]
00407315    60             pushad
00407316    33C9          xor ecx,ecx
00407318    2AF6          sub dh,dh
0040731A    8A13          mov dl,byte ptr ds:[ebx]
0040731C    F6C2 40       test dl,40                ; 测试是否为@
0040731F    74 03          je short TasKit.00407324
00407321    80E2 5F       and dl,5F                ;测试是否为_
00407324    0AD2          or dl,dl
00407326    74 1E          je short TasKit.00407346
00407328    43             inc ebx
00407329    FEC6          inc dh
0040732B    41             inc ecx
0040732C    3A5408 FF       cmp dl,byte ptr ds:[eax+ecx-1]
00407330 ^ 74 E8          je short TasKit.0040731A
00407332    3A5408 08       cmp dl,byte ptr ds:[eax+ecx+8]
00407336 ^ 74 E2          je short TasKit.0040731A
00407338    3A5408 12       cmp dl,byte ptr ds:[eax+ecx+12]
0040733C ^ 74 DC          je short TasKit.0040731A
0040733E    3A5408 1D       cmp dl,byte ptr ds:[eax+ecx+1D]
00407342 ^ 74 D6          je short TasKit.0040731A
00407344 ^ EB D0          jmp short TasKit.00407316             ;清0
00407346    0AF6          or dh,dh
00407348    895424 1C       mov dword ptr ss:[esp+1C],edx
0040734C    61             popad
0040734D    C685 D7CC4000 00 mov byte ptr ss:[ebp+40CCD7],0       ;变量=0
00407354    74 24          je short TasKit.0040737A
00407356    80EC 08       sub ah,8
00407359    B0 01          mov al,1
0040735B    FECC          dec ah
0040735D    74 04          je short TasKit.00407363
0040735F    D0E0          shl al,1
00407361 ^ EB F8          jmp short TasKit.0040735B
00407363    8AA5 52CC4000 mov ah,byte ptr ss:[ebp+40CC52]
00407369    0885 52CC4000 or byte ptr ss:[ebp+40CC52],al
0040736F    84C4          test ah,al
00407371    75 07          jnz short TasKit.0040737A
00407373    808D D7CC4000 01 or byte ptr ss:[ebp+40CCD7],1          ;修改标志位
0040737A    33C0          xor eax,eax
0040737C    8803          mov byte ptr ds:[ebx],al
0040737E    43             inc ebx
0040737F    3803          cmp byte ptr ds:[ebx],al
00407381 ^ 75 F7          jnz short TasKit.0040737A          ;将DLL名字清0
00407383    83A5 4ED34000 00 and dword ptr ss:[ebp+40D34E],0
0040738A    8B95 62D34000 mov edx,dword ptr ss:[ebp+40D362]
00407390    8B06          mov eax,dword ptr ds:[esi]       ;OriginalFirstThunk
00407392    85C0          test eax,eax
00407394    75 0B          jnz short TasKit.004073A1
00407396    8B46 10       mov eax,dword ptr ds:[esi+10]          ;FirstThunk
00407399    85C0          test eax,eax
0040739B ^ 0F84 46FFFFFF je TasKit.004072E7
004073A1    03C2          add eax,edx                         ;+offset
004073A3    0385 4ED34000 add eax,dword ptr ss:[ebp+40D34E]
004073A9    8B18          mov ebx,dword ptr ds:[eax] ;IMAGE_THUNK_DATA
004073AB    F7C3 00000080 test ebx,80000000             ;是否以序号导出
004073B1    74 06          je short TasKit.004073B9
004073B3    8120 00000080 and dword ptr ds:[eax],80000000
004073B9    8B7E 10       mov edi,dword ptr ds:[esi+10]          ; FirstThunk
004073BC    03FA          add edi,edx                         +offset
004073BE    80A5 D6CC4000 FF and byte ptr ss:[ebp+40CCD6],0FF
004073C5    0F84 30010000 je TasKit.004074FB
004073CB    80A5 D7CC4000 FF and byte ptr ss:[ebp+40CCD7],0FF    ;判断变量=0
004073D2    0F84 23010000 je TasKit.004074FB    ;MAGIC跳，改JMP
004073D8    89BD 5AD44000 mov dword ptr ss:[ebp+40D45A],edi
004073DE    8B85 52D44000 mov eax,dword ptr ss:[ebp+40D452]
004073E4    40             inc eax
004073E5    0F84 10010000 je TasKit.004074FB
004073EB    48             dec eax
004073EC    0F85 B2000000 jnz TasKit.004074A4
004073F2    60             pushad
004073F3    8BF7          mov esi,edi
004073F5    2BC0          sub eax,eax
004073F7    40             inc eax
004073F8    833F 00       cmp dword ptr ds:[edi],0
004073FB    8D7F 04       lea edi,dword ptr ds:[edi+4]
004073FE ^ 75 F7          jnz short TasKit.004073F7
00407400    48             dec eax
00407401    0F84 EC000000 je TasKit.004074F3
00407407    8BD8          mov ebx,eax
00407409    6BC0 31       imul eax,eax,31
0040740C    6A 04          push 4
0040740E    68 00100000    push 1000
00407413    50             push eax
00407414    6A 00          push 0
如果加密程序会运行到这里来申请地址的。
00407416    FF95 ECBA4000 call dword ptr ss:[ebp+40BAEC]       ;VirtualAlloc
0040741C    85C0          test eax,eax
0040741E    0F84 CF000000 je TasKit.004074F3
00407424    8BFE          mov edi,esi
00407426    8BCB          mov ecx,ebx
00407428    8BF8          mov edi,eax
0040742A    8985 56D44000 mov dword ptr ss:[ebp+40D456],eax
00407430    8BCB          mov ecx,ebx
00407432    6BDB 29       imul ebx,ebx,29
00407435    03DF          add ebx,edi
00407437    891C24          mov dword ptr ss:[esp],ebx
0040743A    B0 B8          mov al,0B8
0040743C    6A 00          push 0
0040743E    50             push eax
0040743F    53             push ebx
00407440    0FB74424 08    movzx eax,word ptr ss:[esp+8]
00407445    50             push eax
00407446    8D85 14BB4000 lea eax,dword ptr ss:[ebp+40BB14]
0040744C    0FB618          movzx ebx,byte ptr ds:[eax]
0040744F    FF0C24          dec dword ptr ss:[esp]
00407452    7E 09          jle short TasKit.0040745D
00407454    40             inc eax
00407455    03C3          add eax,ebx
00407457 ^ EB F3          jmp short TasKit.0040744C
00407459    0000          add byte ptr ds:[eax],al
0040745B    0000          add byte ptr ds:[eax],al
0040745D    40             inc eax
0040745E    8A38          mov bh,byte ptr ds:[eax]
00407460    883F          mov byte ptr ds:[edi],bh
00407462    47             inc edi
00407463    FECB          dec bl
00407465 ^ 7F F6          jg short TasKit.0040745D
00407467    5B             pop ebx
00407468    5B             pop ebx
00407469    58             pop eax
0040746A    AA             stos byte ptr es:[edi]
0040746B    FF0424          inc dword ptr ss:[esp]
0040746E    832424 0F       and dword ptr ss:[esp],0F
00407472    4B             dec ebx
00407473    891F          mov dword ptr ds:[edi],ebx
00407475    43             inc ebx
00407476    83C3 04       add ebx,4
00407479    83C7 04       add edi,4
0040747C    B8 40FF30C3    mov eax,C330FF40
00407481    AB             stos dword ptr es:[edi]
00407482    B0 B8          mov al,0B8
00407484    49             dec ecx
00407485 ^ 7F B7          jg short TasKit.0040743E
00407487    AA             stos byte ptr es:[edi]
00407488    E8 00000000    call TasKit.0040748D
0040748D    58             pop eax
0040748E    AB             stos dword ptr es:[edi]
0040748F    B8 90FF30C3    mov eax,C330FF90
00407494    AB             stos dword ptr es:[edi]
00407495    58             pop eax
00407496    61             popad
00407497    83A5 FBCA4000 00 and dword ptr ss:[ebp+40CAFB],0
0040749E    89BD 52D44000 mov dword ptr ss:[ebp+40D452],edi
004074A4    8D85 14BB4000 lea eax,dword ptr ss:[ebp+40BB14]
004074AA    FFB5 FBCA4000 push dword ptr ss:[ebp+40CAFB]
004074B0    0FB608          movzx ecx,byte ptr ds:[eax]
004074B3    FF0C24          dec dword ptr ss:[esp]
004074B6    7E 05          jle short TasKit.004074BD
004074B8    40             inc eax
004074B9    03C1          add eax,ecx
004074BB ^ EB F3          jmp short TasKit.004074B0
004074BD    890C24          mov dword ptr ss:[esp],ecx
004074C0    FF85 FBCA4000 inc dword ptr ss:[ebp+40CAFB]
004074C6    83A5 FBCA4000 0F and dword ptr ss:[ebp+40CAFB],0F
004074CD    8BBD 52D44000 mov edi,dword ptr ss:[ebp+40D452]
004074D3    8B85 5AD44000 mov eax,dword ptr ss:[ebp+40D45A]
004074D9    0385 4ED34000 add eax,dword ptr ss:[ebp+40D34E]
004074DF    8B8D 56D44000 mov ecx,dword ptr ss:[ebp+40D456]
004074E5    8908          mov dword ptr ds:[eax],ecx
004074E7    58             pop eax
004074E8    83C0 09       add eax,9
004074EB    0185 56D44000 add dword ptr ss:[ebp+40D456],eax
004074F1    EB 08          jmp short TasKit.004074FB
004074F3    838D 52D44000 FF or dword ptr ss:[ebp+40D452],FFFFFFFF
004074FA    61             popad
004074FB    03BD 4ED34000 add edi,dword ptr ss:[ebp+40D34E]
00407501    85DB          test ebx,ebx
00407503    0F84 C7000000 je TasKit.004075D0                ;函数提取完毕
00407509    F7C3 00000080 test ebx,80000000
0040750F    6A 00          push 0
00407511    75 0F          jnz short TasKit.00407522
00407513    8D5C13 02       lea ebx,dword ptr ds:[ebx+edx+2] ;以名字导出
00407517    803B 00       cmp byte ptr ds:[ebx],0
0040751A    0F84 93000000 je TasKit.004075B3
00407520    EB 45          jmp short TasKit.00407567
00407522    FF0424          inc dword ptr ss:[esp]
00407525    66:85DB       test bx,bx
00407528    0F84 85000000 je TasKit.004075B3
0040752E    8B85 4AD34000 mov eax,dword ptr ss:[ebp+40D34A]
00407534    3B85 42D44000 cmp eax,dword ptr ss:[ebp+40D442] ;KERNEL32地址
0040753A    75 2B          jnz short TasKit.00407567
0040753C    81E3 FFFFFF7F and ebx,7FFFFFFF
00407542    8BD3          mov edx,ebx
00407544    8D1495 FCFFFFFF  lea edx,dword ptr ds:[edx*4-4]
0040754B    8B9D 4AD34000 mov ebx,dword ptr ss:[ebp+40D34A]
00407551    8B43 3C       mov eax,dword ptr ds:[ebx+3C]
00407554    8B4418 78       mov eax,dword ptr ds:[eax+ebx+78]
00407558    035C18 1C       add ebx,dword ptr ds:[eax+ebx+1C]
0040755C    8B041A          mov eax,dword ptr ds:[edx+ebx]
0040755F    0385 4AD34000 add eax,dword ptr ss:[ebp+40D34A]
00407565    EB 13          jmp short TasKit.0040757A
00407567    81E3 FFFFFF7F and ebx,7FFFFFFF             ;以序号导出
0040756D    53             push ebx
0040756E    FFB5 4AD34000 push dword ptr ss:[ebp+40D34A]
00407574    FF95 E0BA4000 call dword ptr ss:[ebp+40BAE0] ;GetProcAddress
0040757A    40             inc eax
0040757B    48             dec eax
0040757C    75 33          jnz short TasKit.004075B1          ;IAT地址有效
0040757E    58             pop eax
0040757F    F9             stc
00407580 ^ 0F82 61FDFFFF jb TasKit.004072E7
00407586    47             inc edi
00407587    44             inc esp
00407588    49             dec ecx
00407589    3332          xor esi,dword ptr ds:[edx]
0040758B    2E:44          inc esp
0040758D    4C             dec esp
0040758E    4C             dec esp
0040758F    55             push ebp
00407590    53             push ebx
00407591    45             inc ebp
00407592    52             push edx
00407593    3332          xor esi,dword ptr ds:[edx]
00407595    2E:44          inc esp
00407597    4C             dec esp
00407598    4C             dec esp
00407599    53             push ebx
0040759A    48             dec eax
0040759B    45             inc ebp
0040759C    4C             dec esp
0040759D    4C             dec esp
0040759E    3332          xor esi,dword ptr ds:[edx]
004075A0    2E:44          inc esp
004075A2    4C             dec esp
004075A3    4C             dec esp
004075A4    4B             dec ebx
004075A5    45             inc ebp
004075A6    52             push edx
004075A7    4E             dec esi
004075A8    45             inc ebp
004075A9    4C             dec esp
004075AA    3332          xor esi,dword ptr ds:[edx]
004075AC    2E:44          inc esp
004075AE    4C             dec esp
004075AF    4C             dec esp
004075B1    8907          mov dword ptr ds:[edi],eax    ;写入IAT地址到内存
004075B3    58             pop eax
004075B4    48             dec eax
004075B5    74 0D          je short TasKit.004075C4
004075B7    40             inc eax
004075B8    F8             clc
004075B9    66:8943 FE    mov word ptr ds:[ebx-2],ax
004075BD    8803          mov byte ptr ds:[ebx],al    ;将内存中的API字符填0
004075BF    43             inc ebx
004075C0    3803          cmp byte ptr ds:[ebx],al
004075C2 ^ 75 F9          jnz short TasKit.004075BD
004075C4    8385 4ED34000 04 add dword ptr ss:[ebp+40D34E],4 ;指向下一个API
004075CB ^ E9 BAFDFFFF    jmp TasKit.0040738A
004075D0    83C6 14       add esi,14                      ;指向下一个IID
004075D3    8B95 62D34000 mov edx,dword ptr ss:[ebp+40D362]
004075D9 ^ E9 48FCFFFF    jmp TasKit.00407226
004075DE    61             popad
004075DF    C3             retn

总结：有时候改了MAGIC JUMP还不能找到IAT那就手动查找IAT。如果多一个无效就咔嚓掉。
MAGIC可能和其他人找的不同，这个跳我测试过可以。

ximo · 发表于 2009-3-22 20:38

学习[s:369][s:369]

wgz001 · 发表于 2009-3-23 11:38

学习加膜拜 [s:371]

iy0507 · 发表于 2009-3-23 17:56

[s:22]学习学习

89431613 · 发表于 2009-4-15 15:17

顶下看看先学溪下

帐号		自动登录	找回密码
密码			注册[Register]

[分享] tELock 0.98 IAT简单分析

免费评分