This post was last edited by lal978112 on 2009-5-23 12:55
【Title】: Unpacking NoobyProtect 1.5.3.0 Demo
【Author's note】: I'm new to unpacking, so there is nothing special here, just some personal experience I'd like to share with everyone. Corrections are welcome!
【Test software】: Notepad + NoobyProtect 1.5.3.0 Demo
【Detailed process】
As follows:
Set up OD and its plugins.
Load the target in OD:
0112B261 > $ /EB 1D jmp short 0112B280 // entry point
0112B263 . |4E 6F 6F 62 7>ascii "NoobyProtect SE "
0112B273 . |31 2E 35 2E 3>ascii "1.5.3.0 Demo",0
0112B280 >^\EB A8 jmp short 0112B22A
0112B282 1B db 1B
0112B283 8A db 8A
0112B284 . 187F 8A sbb byte ptr [edi-76], bh
0112B287 > 23A0 2FF48B40 and esp, dword ptr [eax+408>
0112B28D . 08EB or bl, ch
0112B28F . 3E:FEC3 inc bl
0112B292 > 58 pop eax
0112B293 . EB 47 jmp short 0112B2DC
Then search downward for the binary string FF90 (with "Entire block" unchecked); it is found here:
0112B2FD . B2 20 mov dl, 20
0112B2FF . 47 inc edi
0112B300 . B2 35 mov dl, 35
0112B302 . D5 2B aad 2B
0112B304 > 81C0 FA697C33 add eax, 337C69FA
0112B30A . FF90 D6058DCD call dword ptr [eax+CD8D05D6] // found here
0112B310 > 85C0 test eax, eax
0112B312 .^ 0F84 52FEFFFF je 0112B16A
0112B318 .^ E9 99FEFFFF jmp 0112B1B6
Set an F2 breakpoint on 0112B30A . FF90 D6058DCD call dword ptr [eax+CD8D05D6]
Run with Shift+F9:
0112B30A . FF90 D6058DCD call dword ptr [eax+CD8D05D6] ; KERNEL32.GetModuleHandleA
0112B310 > 85C0 test eax, eax
0112B312 .^ 0F84 52FEFFFF je 0112B16A
So this CALL is invoking GetModuleHandleA.
Remove the breakpoint now.
Open the memory window and set an F2 breakpoint at 01001000.
It breaks here:
0112B1D1 > /8903 mov dword ptr [ebx], eax ; USER32.SetWinEventHook
0112B1D3 . |EB 4F jmp short 0112B224
0112B1D5 |A6 db A6
0112B1D6 |33 db 33 ; CHAR '3'
eax=77D3E3D3 (USER32.SetWinEventHook)
ds:[010012AC]=77D3E3D3 (USER32.SetWinEventHook)
Jump from 0112B216
Follow 010012AC in the data window: this turns out to be the IAT.
Single-step with F8 down to here:
0111AA22 > 6A 70 push 70 // this is the stolen entry-point code
0111AA24 .-|E9 76C9EEFF jmp 0100739F // this jumps to the OEP
0111AA29 > |E8 00000000 call 0111AA2E
0111AA2E $ |E9 FD010000 jmp 0111AC30
0111AA33 |5B db 5B ; CHAR '['
0100739D B0 7D mov al, 7D // the stolen push 70 belongs here
0100739F 68 98180001 push 01001898 // the jump lands here
010073A4 E8 BF010000 call 01007568
010073A9 33DB xor ebx, ebx
010073AB 53 push ebx
010073AC E8 C37D0B00 call 010BF174
010073B1 42 inc edx
010073B2 FFD7 call edi
010073B4 66:8138 4D5A cmp word ptr [eax], 5A4D
010073B9 75 1F jnz short 010073DA
010073BB 8B48 3C mov ecx, dword ptr [eax+3C]
010073BE 03C8 add ecx, eax
Restore the stolen entry-point code push 70 at 0100739D.
Set "New origin here" (EIP) on it:
0100739D 6A 70 push 70 // changed to this
0100739F 68 98180001 push 01001898
010073A4 E8 BF010000 call 01007568
010073A9 33DB xor ebx, ebx
010073AB 53 push ebx
010073AC E8 C37D0B00 call 010BF174
The IAT is right here; scroll up from address 010012AC:
01001000 77DA6FC8 ADVAPI32.RegQueryValueExW
01001004 77DA6BF0 ADVAPI32.RegCloseKey
01001008 77DC8F7D ADVAPI32.RegCreateKeyW
0100100C 77DCD5FD ADVAPI32.IsTextUnicode
01001010 77DA7883 ADVAPI32.RegQueryValueExA
01001014 77DA761B ADVAPI32.RegOpenKeyExA
01001018 77DAD7CC ADVAPI32.RegSetValueExW
0100101C 00000000
01001020 7718D2ED COMCTL32.CreateStatusWindowW
01001024 00000000
01001028 77F05923 GDI32.EndPage
0100102C 77F23412 GDI32.AbortDoc
01001030 77F05BB1 GDI32.EndDoc
01001034 77EF6CA6 GDI32.DeleteDC
01001038 77F06AA6 GDI32.StartPage
0100103C 77EF8174 GDI32.GetTextExtentPoint32W
01001040 77F0F8CF GDI32.CreateDCW
01001044 77F23532 GDI32.SetAbortProc
01001048 77EFB079 GDI32.GetTextFaceW
0100104C 77EF7CE8 GDI32.TextOutW
01001050 77F240A2 GDI32.StartDocW
01001054 77F1EA7C GDI32.EnumFontsW
01001058 77EF5FF1 GDI32.GetStockObject
0100105C 77EF8323 GDI32.GetObjectW
01001060 77EF58A2 GDI32.GetDeviceCaps
01001064 77EF8BBA GDI32.CreateFontIndirectW
01001068 77EF6A3B GDI32.DeleteObject
0100106C 77EF7BF5 GDI32.GetTextMetricsW
01001070 77EF5D0B GDI32.SetBkMode
01001074 77EF8195 GDI32.LPtoDP
01001078 77F0E3B6 GDI32.SetWindowExtEx
0100107C 77F0E45F GDI32.SetViewportExtEx
01001080 77EFA8F7 GDI32.SetMapMode
01001084 77EF59A0 GDI32.SelectObject
01001088 00000000
0100108C 7C809737 KERNEL32.GetCurrentThreadId
01001090 7C8092AC KERNEL32.GetTickCount
01001094 7C80A417 KERNEL32.QueryPerformanceCounter
01001098 7C80C9C1 KERNEL32.GetLocalTime
0100109C 7C809FC0 KERNEL32.GetUserDefaultLCID
010010A0 7C827C79 KERNEL32.GetDateFormatW
010010A4 7C8284D5 KERNEL32.GetTimeFormatW
010010A8 7C810119 KERNEL32.GlobalLock
010010AC 7C810082 KERNEL32.GlobalUnlock
010010B0 7C810E85 KERNEL32.GetFileInformationByHandle
010010B4 7C80939E KERNEL32.CreateFileMappingW
010010B8 7C8017E5 KERNEL32.GetSystemTimeAsFileTime
010010BC 7C801E16 KERNEL32.TerminateProcess
010010C0 7C80E00D KERNEL32.GetCurrentProcess
010010C4 7C810386 KERNEL32.SetUnhandledExceptionFilter
010010C8 7C801D77 KERNEL32.LoadLibraryA
010010CC 7C80B529 KERNEL32.GetModuleHandleA
010010D0 7C801EEE KERNEL32.GetStartupInfoA
010010D4 7C80FE2F KERNEL32.GlobalFree
010010D8 7C811772 KERNEL32.GetLocaleInfoW
010010DC 7C80995D KERNEL32.LocalFree
010010E0 7C8099BD KERNEL32.LocalAlloc
010010E4 7C809A39 KERNEL32.lstrlenW
010010E8 7C822E21 KERNEL32.LocalUnlock
010010EC 7C80A34E KERNEL32.CompareStringW
010010F0 7C822D88 KERNEL32.LocalLock
010010F4 7C8792E6 KERNEL32.FoldStringW
010010F8 7C809B77 KERNEL32.CloseHandle
010010FC 7C80B8EC KERNEL32.lstrcpyW
01001100 7C80180E KERNEL32.ReadFile
01001104 7C810976 KERNEL32.CreateFileW
01001108 7C80A823 KERNEL32.lstrcmpiW
0100110C 7C80994E KERNEL32.GetCurrentProcessId
01001110 7C80AC28 KERNEL32.GetProcAddress
01001114 7C816CFB KERNEL32.GetCommandLineW
01001118 7C81114A KERNEL32.lstrcatW
0100111C 7C80EFD7 KERNEL32.FindClose
01001120 7C80F0E1 KERNEL32.FindFirstFileW
01001124 7C80B5D4 KERNEL32.GetFileAttributesW
01001128 7C80A859 KERNEL32.lstrcmpW
0100112C 7C8097F4 KERNEL32.MulDiv
01001130 7C80B877 KERNEL32.lstrcpynW
01001134 7C82237C KERNEL32.LocalSize
01001138 7C930331 ntdll.RtlGetLastWin32Error
0100113C 7C810F9F KERNEL32.WriteFile
01001140 7C930340 ntdll.RtlSetLastWin32Error
01001144 7C80A0C7 KERNEL32.WideCharToMultiByte
01001148 7C81E2B1 KERNEL32.LocalReAlloc
0100114C 7C829047 KERNEL32.FormatMessageW
01001150 7C812DE0 KERNEL32.GetUserDefaultUILanguage
01001154 7C81F850 KERNEL32.SetEndOfFile
01001158 7C81F73D KERNEL32.DeleteFileW
0100115C 7C809943 KERNEL32.GetACP
01001160 7C80B7FC KERNEL32.UnmapViewOfFile
01001164 7C809CAD KERNEL32.MultiByteToWideChar
01001168 7C80B78D KERNEL32.MapViewOfFile
0100116C 7C862B8A KERNEL32.UnhandledExceptionFilter
01001170 00000000
01001174 77453FA2 SHELL32.DragFinish
01001178 773FFCEE SHELL32.DragQueryFileW
0100117C 7741A237 SHELL32.DragAcceptFiles
01001180 7743F8EB SHELL32.ShellAboutW
01001184 00000000
01001188 77D1B556 USER32.GetClientRect
0100118C 77D1C6A8 USER32.SetCursor
01001190 77D1866D USER32.ReleaseDC
01001194 77D18697 USER32.GetDC
01001198 77D26702 USER32.DialogBoxParamW
0100119C 77D25380 USER32.SetActiveWindow
010011A0 77D1C43C USER32.GetKeyboardLayout
010011A4 77D1B1E5 USER32.DefWindowProcW
010011A8 77D1E666 USER32.DestroyWindow
010011AC 77D402D3 USER32.MessageBeep
010011B0 77D1D4DE USER32.ShowWindow
010011B4 77D1C4AE USER32.GetForegroundWindow
010011B8 77D1C48A USER32.IsIconic
010011BC 77D1EB14 USER32.GetWindowPlacement
010011C0 77D190AA USER32.CharUpperW
010011C4 77D19C36 USER32.LoadStringW
010011C8 77D2372D USER32.LoadAcceleratorsW
010011CC 77D1E7B8 USER32.GetSystemMenu
010011D0 77D1AE29 USER32.RegisterClassExW
010011D4 77D242A4 USER32.LoadImageW
010011D8 77D19B69 USER32.LoadCursorW
010011DC 77D3FBEA USER32.SetWindowPlacement
010011E0 77D21AD5 USER32.CreateWindowExW
010011E4 77D1D7BB USER32.GetDesktopWindow
010011E8 77D1C640 USER32.GetFocus
010011EC 77D22174 USER32.LoadIconW
010011F0 77D1BADE USER32.SetWindowTextW
010011F4 77D3EDEB USER32.PostQuitMessage
010011F8 77D1ADDE USER32.RegisterWindowMessageW
010011FC 77D1C064 USER32.UpdateWindow
01001200 77D1F780 USER32.SetScrollPos
01001204 77D19F64 USER32.CharLowerW
01001208 77D19278 USER32.PeekMessageW
0100120C 77D1C4D4 USER32.EnableWindow
01001210 77D205D2 USER32.DrawTextExW
01001214 77D3629F USER32.CreateDialogParamW
01001218 77D1C9FD USER32.GetWindowTextW
0100121C 77D18F75 USER32.GetSystemMetrics
01001220 77D1D515 USER32.MoveWindow
01001224 77D1B49D USER32.InvalidateRect
01001228 77D617D4 USER32.WinHelpW
0100122C 77D1C35C USER32.GetDlgCtrlID
01001230 77D38565 USER32.ChildWindowFromPoint
01001234 77D1C5B8 USER32.ScreenToClient
01001238 77D1C566 USER32.GetCursorPos
0100123C 77D327FC USER32.SendDlgItemMessageW
01001240 77D1B762 USER32.SendMessageW
01001244 77D1E746 USER32.CharNextW
01001248 77D2711B USER32.CheckMenuItem
0100124C 77D1EEE5 USER32.CloseClipboard
01001250 77D1CDED USER32.IsClipboardFormatAvailable
01001254 77D1EEF7 USER32.OpenClipboard
01001258 77D3749F USER32.GetMenuState
0100125C 77D1FC3C USER32.EnableMenuItem
01001260 77D2355A USER32.GetSubMenu
01001264 77D3EABE USER32.GetMenu
01001268 77D66116 USER32.MessageBoxW
0100126C 77D1DEF1 USER32.SetWindowLongW
01001270 77D1887E USER32.GetWindowLongW
01001274 77D252A4 USER32.GetDlgItem
01001278 77D1E5DC USER32.SetFocus
0100127C 77D32730 USER32.SetDlgItemTextW
01001280 77D1A862 USER32.wsprintfW
01001284 77D26B40 USER32.GetDlgItemTextW
01001288 77D26CC9 USER32.EndDialog
0100128C 77D1B5D7 USER32.GetParent
01001290 77D3E544 USER32.UnhookWinEvent
01001294 77D189D9 USER32.DispatchMessageW
01001298 77D18BCE USER32.TranslateMessage
0100129C 77D1943D USER32.TranslateAcceleratorW
010012A0 77D3E73E USER32.IsDialogMessageW
010012A4 77D18CA3 USER32.PostMessageW
010012A8 77D191A3 USER32.GetMessageW
010012AC 77D3E3D3 USER32.SetWinEventHook
010012B0 00000000
010012B4 72F76090 WINSPOOL.GetPrinterDriverW
010012B8 72F75390 WINSPOOL.ClosePrinter
010012BC 72F75749 WINSPOOL.OpenPrinterW
010012C0 00000000
010012C4 763448D6 COMDLG32.PageSetupDlgW
010012C8 76338696 COMDLG32.FindTextW
010012CC 76349D29 COMDLG32.PrintDlgExW
010012D0 7633C4A9 COMDLG32.ChooseFontW
010012D4 76321986 COMDLG32.GetFileTitleW
010012D8 76337C65 COMDLG32.GetOpenFileNameW
010012DC 763386CA COMDLG32.ReplaceTextW
010012E0 763300CE COMDLG32.CommDlgExtendedError
010012E4 76337CF3 COMDLG32.GetSaveFileNameW
010012E8 00000000
010012EC 77C02DAE MSVCRT._XcptFilter
010012F0 77C09E9A MSVCRT._exit
010012F4 77C09ECE MSVCRT._c_exit
010012F8 77C1AEA3 MSVCRT.time
010012FC 77C1AB3D MSVCRT.localtime
01001300 77C09EB6 MSVCRT._cexit
01001304 77BED036 MSVCRT.iswctype
01001308 77C05C94 MSVCRT._except_handler3
0100130C 77BECE77 MSVCRT._wtol
01001310 77C1802F MSVCRT.wcsncmp
01001314 77C0FB0C MSVCRT._snwprintf
01001318 77C09E7E MSVCRT.exit
0100131C 77C317AC offset MSVCRT._acmdln
01001320 77BEEEEB MSVCRT.__getmainargs
01001324 77C09D67 MSVCRT._initterm
01001328 77C1D675 MSVCRT.__setusermatherr
0100132C 77C323D8 offset MSVCRT._adjust_fdiv
01001330 77BEF1A4 MSVCRT.__p__commode
01001334 77BEF1DB MSVCRT.__p__fmode
01001338 77C0537C MSVCRT.__set_app_type
0100133C 77C1EE2F MSVCRT._controlfp
01001340 77C1806B MSVCRT.wcsncpy
01001344 00000000
01001348 00000000
IAT RVA: 1000, size: 348
OEP now: 0100739D
Dump with the OD dump plugin and fix the imports with ImportREC.
It runs. This is the first time I've written something like this; it's not well written, please bear with me!
One last thing: the OD build that Nooby flags with its "inappropriate content" (不良信息) message can still be used to debug it.
The packed Notepad is attached so you can practice.
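As an added illustration (not part of the original post or of any tool the author used), the following Python script parses an OllyDbg-style IAT listing like the one above, splits it into per-DLL descriptor runs at the 00000000 terminators, and derives the RVA/size pair that ImportREC asks for. The input is a constructed excerpt of the post's own dump (first, middle and last entries only); the image base 0x01000000 is an assumption taken from the 0100xxxx addresses, and the 4-byte thunk size assumes a 32-bit image. It also flags the ntdll.RtlGetLastWin32Error thunk sitting inside the KERNEL32 run, which a reconstruction tool will otherwise silently attribute to ntdll.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

IMAGE_BASE = 0x01000000   # assumption: Notepad's load address, from the 0100xxxx dump addresses
THUNK_SIZE = 4            # assumption: 32-bit image, one IAT slot is a DWORD

# address  value  [offset] MODULE.Symbol   (value 00000000 marks the end of a DLL's run)
_LINE = re.compile(r'^\s*([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]{8})(?:\s+(offset\s+)?(\S+))?\s*$')

# Constructed excerpt of the post's IAT dump: first, middle and last entries only.
SAMPLE_DUMP = """\
01001000 77DA6FC8 ADVAPI32.RegQueryValueExW
01001004 77DA6BF0 ADVAPI32.RegCloseKey
01001018 77DAD7CC ADVAPI32.RegSetValueExW
0100101C 00000000
01001020 7718D2ED COMCTL32.CreateStatusWindowW
01001024 00000000
01001134 7C82237C KERNEL32.LocalSize
01001138 7C930331 ntdll.RtlGetLastWin32Error
0100113C 7C810F9F KERNEL32.WriteFile
0100116C 7C862B8A KERNEL32.UnhandledExceptionFilter
01001170 00000000
010012EC 77C02DAE MSVCRT._XcptFilter
0100131C 77C317AC offset MSVCRT._acmdln
01001340 77C1806B MSVCRT.wcsncpy
01001344 00000000
01001348 00000000
"""


@dataclass
class IatEntry:
    address: int
    value: int
    symbol: Optional[str]    # "MODULE.Name", or None for a 00000000 terminator slot
    is_data: bool = False    # "offset MODULE._var" is an imported variable, not a function

    @property
    def module(self) -> Optional[str]:
        return self.symbol.split('.', 1)[0].upper() if self.symbol else None


@dataclass
class Descriptor:
    start: int                                   # VA of the first thunk of this DLL's run
    entries: List[IatEntry] = field(default_factory=list)

    @property
    def modules(self) -> List[str]:
        return sorted({e.module for e in self.entries})

    @property
    def is_mixed(self) -> bool:
        # more than one module in a run: a forwarded or redirected thunk
        return len(self.modules) > 1


def parse_iat(text: str) -> List[IatEntry]:
    entries = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        addr, val, off, sym = m.groups()
        value = int(val, 16)
        entries.append(IatEntry(int(addr, 16), value, sym if value else None, off is not None))
    return sorted(entries, key=lambda e: e.address)


def group_descriptors(entries: List[IatEntry]) -> List[Descriptor]:
    groups, cur = [], None
    for e in entries:
        if e.value == 0:                 # terminator closes the current DLL's run
            if cur is not None:
                groups.append(cur)
                cur = None
        else:
            if cur is None:
                cur = Descriptor(e.address)
            cur.entries.append(e)
    if cur is not None:
        groups.append(cur)
    return groups


def iat_rva_and_size(entries: List[IatEntry], image_base: int = IMAGE_BASE) -> Tuple[int, int]:
    first = entries[0].address
    last_real = max(e.address for e in entries if e.value)
    end = last_real + 2 * THUNK_SIZE      # include the null terminator slot after the last thunk
    return first - image_base, end - first


def mixed_descriptors(entries: List[IatEntry]) -> List[Tuple[int, List[str]]]:
    return [(d.start, d.modules) for d in group_descriptors(entries) if d.is_mixed]


if __name__ == "__main__":
    ents = parse_iat(SAMPLE_DUMP)
    rva, size = iat_rva_and_size(ents)
    print(f"IAT RVA: {rva:X}, size: {size:X}")
    for d in group_descriptors(ents):
        print(f"{d.start:08X} {'/'.join(d.modules):20} {len(d.entries)} thunks"
              + ("  <- mixed modules, check for a forwarded export" if d.is_mixed else ""))
```

On the excerpt this reports RVA 1000 and size 348, the same numbers the post feeds to ImportREC: the size runs from the first thunk through the terminator slot after the last one. The KERNEL32 run is reported as mixed because of the ntdll thunk; that is the kind of entry to verify by hand before trusting a rebuilt import table.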