Double-layer packer: ASPack 2.11 + PECompact (the original and the unpacked files are in the attachment)
Loaded into OllyDbg, it stops at:
003E0001 > 60 pushad-------------------F8
003E0002 E9 3D040000 jmp 1.003E0444---------------------HR ESP---F9
003E0007 A1 30D3CFB9 mov eax,dword ptr ds:[B9CFD330]
003E000C F6 ??? ; 未知命令
003E000D CF iretd
Breaks at:
003E03AB /75 08 jnz short 1.003E03B5---delete the breakpoint---F8
003E03AD |B8 01000000 mov eax,1
003E03B2 |C2 0C00 retn 0C
003E03B5 \68 00B03D00 push 1.003DB000
003E03BA C3 retn
003DB000 /EB 06 jmp short 1.003DB008----------entry of the second-layer packer---F8
003DB002 |68 14450000 push 4514----------RVA of the OEP (you could set a hardware execute breakpoint at 003D4514 directly, or a memory breakpoint, and F9 would break right at the OEP; but this DLL would not run after being unpacked that way, so I had to step down one instruction at a time)
003DB007 |C3 retn
003DB008 \9C pushfd
003DB009 60 pushad
003DB00A E8 02000000 call 1.003DB011--------------------F7
003DB00F 33C0 xor eax,eax
003DB011 8BC4 mov eax,esp
003DB013 83C0 04 add eax,4
003DB016 93 xchg eax,ebx
003DB017 8BE3 mov esp,ebx
003DB019 8B5B FC mov ebx,dword ptr ds:[ebx-4]
003DB01C 81EB 0FA04000 sub ebx,40A00F
003DB022 87DD xchg ebp,ebx
............
003DC1EF /EB 14 jmp short 1.003DC205
003DC1F1 |6E outs dx,byte ptr es:[edi]
003DC1F2 |F1 int1
003DC1F3 |3D 0011B000 cmp eax,0B01100
003DC1F8 |0000 add byte ptr ds:[eax],al
003DC1FA |003D 0000B000 add byte ptr ds:[B00000],bh
003DC200 |0000 add byte ptr ds:[eax],al
003DC202 |F0:0000 lock add byte ptr ds:[eax],al
003DC205 \8BB5 A6A04000 mov esi,dword ptr ss:[ebp+40A0A6]
Ctrl+S to search the whole section for the instruction sequence:
Code:
add esi,ebx
xor eax,eax
The following code is found:
003DC575 8B9D A6A04000 mov ebx,dword ptr ss:[ebp+40A0A6]---hardware execute breakpoint---F9
003DC57B 3B9D 3BA64000 cmp ebx,dword ptr ss:[ebp+40A63B]
003DC581 75 01 jnz short 1.003DC584---if it doesn't match the image base, do relocation processing!
003DC583 C3 retn
003DC584 8BB5 3FA64000 mov esi,dword ptr ss:[ebp+40A63F]
ss:[003DC792]=00009000 ---start RVA of the relocation table
003DC58A 03F3 add esi,ebx
003DC58C 33C0 xor eax,eax
003DC58E 66:8B43 3C mov ax,word ptr ds:[ebx+3C]
003DC592 03C3 add eax,ebx
003DC594 8B80 C0000000 mov eax,dword ptr ds:[eax+C0]
003DC59A 85C0 test eax,eax
003DC59C 75 08 jnz short 1.003DC5A6
003DC59E 2B9D 3BA64000 sub ebx,dword ptr ss:[ebp+40A63B]
003DC5A4 EB 0F jmp short 1.003DC5B5
003DC5A6 03C3 add eax,ebx
003DC5A8 2B9D 3BA64000 sub ebx,dword ptr ss:[ebp+40A63B]
003DC5AE 0118 add dword ptr ds:[eax],ebx
003DC5B0 83C0 04 add eax,4
003DC5B3 0118 add dword ptr ds:[eax],ebx
003DC5B5 AD lods dword ptr ds:[esi]---start processing one block
003DC5B6 0BC0 or eax,eax
003DC5B8 74 6F je short 1.003DC629
003DC5BA 8BD0 mov edx,eax
003DC5BC 0395 A6A04000 add edx,dword ptr ss:[ebp+40A0A6]
003DC5C2 AD lods dword ptr ds:[esi]
003DC5C3 8BC8 mov ecx,eax
003DC5C5 83E9 08 sub ecx,8
003DC5C8 D1E9 shr ecx,1
003DC5CA 66:C785 31A64000 00>mov word ptr ss:[ebp+40A631],0---initial value, the key to the transformation
003DC5D3 33C0 xor eax,eax
003DC5D5 66:AD lods word ptr ds:[esi]
003DC5D7 0BC0 or eax,eax
003DC5D9 74 49 je short 1.003DC624
003DC5DB 66:0385 31A64000 add ax,word ptr ss:[ebp+40A631]
003DC5E2 66:8985 31A64000 mov word ptr ss:[ebp+40A631],ax
003DC5E9 50 push eax---------------the transformed value has been restored (changed to:)
003DC5E9 66:8946 FE mov word ptr ds:[esi-2],ax
003DC5ED 49 dec ecx
003DC5EE ^ 75 E3 jnz short 1.003DC5D3
003DC5F0 ^ EB C3 jmp short 1.003DC5B5
..........
003DC621 /EB 01 jmp short 1.003DC624
003DC623 |58 pop eax
003DC624 \49 dec ecx
003DC625 ^ 75 AC jnz short 1.003DC5D3
003DC627 ^ EB 8C jmp short 1.003DC5B5
003DC629 C3 retn-------------------hardware execute breakpoint---F9
ESI=003D9354
End address of the relocation table = 003D9354-4 = 003D9350
Relocation table size = 003D9350-003D9000 = 350
In LordPE, set the relocation directory to Relocation = 9000, Size = 350, OK.
F8 downward:
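To make the relocation loop above and the one-instruction patch at 003DC5E9 concrete, here is an added Python model (my own illustration, not code from the post or from the packer). It walks a relocation table exactly the way the stub between 003DC5B5 and 003DC629 does: per block it reads the page RVA and block size, resets the 16-bit accumulator, and treats each stored word as a delta that is added to the running value; the patched write-back (`mov word ptr [esi-2],ax`) is modelled by storing the accumulated value over the delta, so that the table left in memory is in the standard PE form a normal loader expects. The end offset it reports is the stub's ESI minus the terminating zero dword, which is how the size above was derived. The table bytes are constructed sample data, and the function names are my own.

```python
import struct

IMAGE_REL_BASED_HIGHLOW = 3  # standard PE relocation type for 32-bit absolute addresses


def encode_block(page_rva, offsets):
    """Constructed test input: one block in the packer's delta form.

    Each 16-bit entry is stored as the difference from the previous entry in
    the block, so only the first word carries the type nibble in full.
    """
    words, prev = [], 0
    for off in sorted(offsets):
        entry = (IMAGE_REL_BASED_HIGHLOW << 12) | off
        words.append((entry - prev) & 0xFFFF)
        prev = entry
    if len(words) % 2:          # keep blocks 4-byte aligned, as a normal PE block would be
        words.append(0)
    size = 8 + 2 * len(words)   # header (page RVA + size) plus the entry words
    return struct.pack("<II", page_rva, size) + struct.pack("<%dH" % len(words), *words)


def restore_relocs(data, start=0):
    """Walk the table the way the stub at 003DC5B5 does and undo the delta form in place.

    Returns (restored_bytes, end_offset, blocks); end_offset is the byte after the
    last block, i.e. the stub's ESI minus the 4-byte zero terminator it just read.
    """
    out = bytearray(data)
    pos = start
    blocks = {}
    while True:
        page_rva, = struct.unpack_from("<I", out, pos)   # lods dword: page RVA
        pos += 4
        if page_rva == 0:                                # or eax,eax / je -> retn
            break
        size, = struct.unpack_from("<I", out, pos)       # lods dword: block size
        pos += 4
        count = (size - 8) // 2                          # sub ecx,8 / shr ecx,1
        acc = 0                                          # mov word ptr [ebp+40A631],0
        entries = []
        for _ in range(count):
            w, = struct.unpack_from("<H", out, pos)      # lods word
            pos += 2
            if w == 0:                                   # zero word: alignment padding, skipped
                continue
            acc = (acc + w) & 0xFFFF                     # add ax,[acc] / mov [acc],ax
            struct.pack_into("<H", out, pos - 2, acc)    # the patch: mov word ptr [esi-2],ax
            entries.append((acc >> 12, acc & 0xFFF))     # (type, offset within the page)
        blocks[page_rva] = entries
    return bytes(out), pos - 4, blocks


def parse_standard(data, start=0):
    """Read a table as a normal PE loader would: every word is an absolute entry."""
    pos, blocks = start, {}
    while True:
        page_rva, = struct.unpack_from("<I", data, pos)
        if page_rva == 0:
            break
        size, = struct.unpack_from("<I", data, pos + 4)
        n = (size - 8) // 2
        words = struct.unpack_from("<%dH" % n, data, pos + 8)
        blocks[page_rva] = [(w >> 12, w & 0xFFF) for w in words if w]
        pos += size
    return blocks


def demo():
    """Constructed two-block table terminated by a zero dword (sample data, not from the DLL)."""
    packed = (encode_block(0x1000, [0x004, 0x010, 0x0A0])
              + encode_block(0x2000, [0x008, 0x00C])
              + struct.pack("<I", 0))
    restored, end, blocks = restore_relocs(packed)
    table_size = end - 0     # the author's "end - start", with the table starting at offset 0
    agrees_after = parse_standard(restored) == blocks
    agrees_before = parse_standard(packed) == blocks
    return table_size, blocks, agrees_after, agrees_before


if __name__ == "__main__":
    size, blocks, ok_after, ok_before = demo()
    print("relocation table size: %#x" % size)
    for rva, ents in blocks.items():
        print("page %#06x: %s" % (rva, ["%d:%#05x" % e for e in ents]))
    print("standard parser agrees with the stub after the patch:", ok_after)
    print("standard parser agrees with the stub before the patch:", ok_before)
```

The last two results are the point of the patch: a dump taken without it keeps the delta words, which a standard loader misreads as type-0 entries at wrong offsets, whereas a dump taken after the write-back carries a table the loader interprets identically to the stub.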
003DC482 E8 8F0C0000 call 1.003DD116
003DC487 61 popad
003DC488 9D popfd
003DC489 50 push eax
003DC48A 68 14453D00 push 1.003D4514
003DC48F C2 0400 retn 4---------------F8
003D4514 55 push ebp------------------OEP
003D4515 8BEC mov ebp,esp
003D4517 83C4 C4 add esp,-3C
003D451A B8 E4444000 mov eax,4044E4
003D451F E8 CCFBFFFF call 1.003D40F0
003D4524 E8 D3F2FFFF call 1.003D37FC
003D4529 8D40 00 lea eax,dword ptr ds:[eax]
003D452C 0000 add byte ptr ds:[eax],al
003D452E 0000 add byte ptr ds:[eax],al
003D4530 0000 add byte ptr ds:[eax],al
003D4532 0000 add byte ptr ds:[eax],al
003D4534 0000 add byte ptr ds:[eax],al
003D4536 0000 add byte ptr ds:[eax],al
003D4538 0000 add byte ptr ds:[eax],al
003D453A 0000 add byte ptr ds:[eax],al
In LordPE, select OllyDbg's loaddll.exe process, pick 1.dll in the list below, then do a full dump to get dumped.dll.
After dumping, don't close OllyDbg; it is still needed to prepare for handling the relocation table below.
Pick any API call from the program, for example:
003D1000 $- FF25 E8703D00 jmp dword ptr ds:[3D70E8] kernel32.CloseHandle
Follow 003D1000 in the dump window; scrolling up and down you see many function addresses, and the start and end addresses of the IAT are easy to spot:
Start address = 003D7078
End address = 003D7128
Size = 003D7128-003D7078 = 50
Run ImportREC, select OllyDbg's loaddll.exe process, click "Pick DLL", choose 1.dll, enter RVA=00007078, Size=50, OEP=00004514, and click "Get Import". Use PEditor's DumpFixer on dumped.dll to fix the sections. Fix Dump!
The unpacked DLL was tested and works!
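The IAT boundaries above were read off by eye in the dump window. As an added example (my own code, not part of the post or of any tool named in it), the Python below automates that step over a dumped region: it looks for the longest run of dwords that point into loaded modules, allows a single zero dword inside the run because each DLL's thunk list in an IAT ends with one, and converts the result into the RVA and size ImportREC asks for. The image base, the module address ranges and the dump contents are constructed sample values; the OEP RVA 4514 is the one from the post.

```python
import struct

# Constructed sample values (not taken from the post): a 32-bit image base and
# address ranges standing in for two loaded system DLLs.
IMAGE_BASE = 0x00400000
MODULE_RANGES = [(0x7C800000, 0x7C900000),   # "kernel32" stand-in
                 (0x77D10000, 0x77DA0000)]   # "user32" stand-in


def is_module_pointer(value, module_ranges=MODULE_RANGES):
    """True if value falls inside one of the known module address ranges."""
    return any(lo <= value < hi for lo, hi in module_ranges)


def find_iat(region, region_va, module_ranges=MODULE_RANGES, min_entries=4):
    """Locate the IAT in a dumped region as the longest run of module pointers.

    A single zero dword is tolerated inside the run (it terminates one DLL's
    thunk list); two zeros in a row end the run. Returns (start_va, end_va, size)
    with end_va just past the last pointer, or None if no run is long enough.
    """
    n = len(region) // 4
    words = struct.unpack_from("<%dI" % n, region)
    best = None
    i = 0
    while i < n:
        if not is_module_pointer(words[i], module_ranges):
            i += 1
            continue
        start = last = i
        j = i + 1
        while j < n and (is_module_pointer(words[j], module_ranges)
                         or (words[j] == 0 and words[j - 1] != 0)):
            if words[j]:
                last = j
            j += 1
        pointers = sum(1 for k in range(start, last + 1) if words[k])
        if pointers >= min_entries and (best is None or pointers > best[0]):
            best = (pointers, start, last + 1)
        i = j
    if best is None:
        return None
    _, s, e = best
    return region_va + 4 * s, region_va + 4 * e, 4 * (e - s)


def importrec_params(region, region_va, oep_va, image_base=IMAGE_BASE):
    """Turn the found range into the RVA/size ImportREC asks for, plus the OEP RVA."""
    found = find_iat(region, region_va)
    if found is None:
        return None
    start, end, size = found
    return {"rva": start - image_base, "size": size, "oep": oep_va - image_base}


def sample_region():
    """Constructed dump: zero padding, two thunk lists split by a zero, junk, a short run."""
    words = [0] * 8 + [0x7C80A000, 0x7C80B100, 0x7C81C200, 0,
                       0x77D20000, 0x77D30000, 0, 0,
                       0x12345678, 0,
                       0x7C80F000, 0x7C80F010]
    return struct.pack("<%dI" % len(words), *words)


if __name__ == "__main__":
    params = importrec_params(sample_region(), IMAGE_BASE, IMAGE_BASE + 0x4514)
    print({k: "%#x" % v for k, v in params.items()})
```

The minimum-run threshold keeps stray pointers (such as the two-entry run at the end of the sample) from being mistaken for the table; on a real dump, feed the module ranges from the debugger's module list and the region bytes from the dump window.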