telock 0.85f

标题：来看更好的：怎样找telock加壳程序的OEip (13千字)
作者：6767[BCG]
时间：2001-9-3 23:35:38

怎样找telock加壳程序的OEip
by Fpc[CCG]/6767[BCG] @2001/09

接着前一篇，仍以记事本为对象

1、运行icedump, superbpm(thanx the guys for such beautyful tOOls!)。用symble Loader载入目标。

:0040C000 E9C750FFFF jmp 004010CC       <- 入口，注意此处是被改过的
:0040C005 00CD add ch, cl
:0040C007 20E8 and al, ch
:0040C009 00000000 BYTE 4 DUP(0)

2、不要乱动，任取程序空间一点，比如下：bpm 402000，用来监视解压过程。按F5。

第一次，在这里停下：
|
:0040C6D4 AC lodsb
:0040C6D5 8D12 lea edx, dword ptr [edx]   <- 这里
:0040C6D7 FEC0 inc al
:0040C6D9 0401 add al, 01

继续，第二次是：
:0040C7D9 C0C801 ror al, 01
:0040C7DC AA stosb
:0040C7DD 69D2A5B0CD4B imul edx, 4BCDB0A5       <- 这里
:0040C7E3 F9 stc
:0040C7E4 7202 jb 0040C7E8
:0040C7E6 CD20 int 20

第三次：
|
:0040C9AE AC lodsb
:0040C9AF EB02 jmp 0040C9B3           <- 这里
:0040C9B1 CD20 int 20

第四次、第五次、第六次：
:0040C9B5 2CE5 sub al, E5
:0040C9B7 32C1 xor al, cl
:0040C9B9 8807 mov byte ptr [edi], al
:0040C9BB D2C8 ror al, cl           <- 这里
:0040C9BD 32C3 xor al, bl
:0040C9BF 021F add bl, byte ptr [edi]
:0040C9C1 12D9 adc bl, cl           <- 这里
:0040C9C3 F6C101 test cl, 01
:0040C9C6 750F jne 0040C9D7
:0040C9C8 D1EB shr ebx, 1

:0040C9CA F7C308000000 test ebx, 00000008
:0040C9D0 7505 jne 0040C9D7
:0040C9D2 D3C3 rol ebx, cl
:0040C9D4 8D1CDB lea ebx, dword ptr [ebx+8*ebx]

:0040C9D7 AA stosb
:0040C9D8 49 dec ecx           <- 这里
:0040C9D9 7FD3 jg 0040C9AE
:0040C9DB 5F pop edi

第七次：
:0040CA4E C1E902 shr ecx, 02
:0040CA51 FC cld
:0040CA52 F3 repz
:0040CA53 A5 movsd               <- 这里
:0040CA54 8BCB mov ecx, ebx
:0040CA56 F3 repz

第八次：
:0040CACA 2BF0 sub esi, eax
:0040CACC F3 repz
:0040CACD A4 movsb               <- 这里
:0040CACE 5E pop esi
:0040CACF EB93 jmp 0040CA64

3、好了，不要按F5。设断点：bpx GetProcAddress。按F5，被拦，按一次F12返回：

:0040CE16 81E3FFFFFF7F and ebx, 7FFFFFFF
:0040CE1C 53 push ebx
:0040CE1D FFB586AE4000 push dword ptr [ebp+0040AE86]
:0040CE23 FF95F4AD4000 call dword ptr [ebp+0040ADF4]

:0040CE29 40 inc eax           <- 返回处
:0040CE2A 48 dec eax
:0040CE2B 7532 jne 0040CE5F           <- 跳走
:0040CE2D 58 pop eax

... ...向下跟

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040CE2B(C)
|
:0040CE5F 8907 mov dword ptr [edi], eax
:0040CE61 58 pop eax
:0040CE62 48 dec eax
:0040CE63 740D je 0040CE72           <- 先停下来

4、因为eax!=0所以不会跳，好了先关断点。看看下面的情况，下：G 40CE7E (注意：这是为了跳出循环，在里面转圈是很烦的)：

:0040CE65 40 inc eax
:0040CE66 F8 clc
:0040CE67 668943FE mov word ptr [ebx-02], ax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040CE70(C)
|
:0040CE6B 8803 mov byte ptr [ebx], al
:0040CE6D 43 inc ebx
:0040CE6E 3803 cmp byte ptr [ebx], al
:0040CE70 75F9 jne 0040CE6B

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040CE63(C)
|
:0040CE72 83858AAE400004 add dword ptr [ebp+0040AE8A], 4
:0040CE79 E968FEFFFF jmp 0040CCE6

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040CDC4(C)
|
:0040CE7E 83C614 add esi, 00000014           <- 到这里
:0040CE81 8B959EAE4000 mov edx, dword ptr [ebp+0040AE9E]
:0040CE87 E945FDFFFF jmp 0040CBD1               <- 返回去了

5、好，继续看代码：

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040CE87(U)
|
:0040CBD1 83A55EAF400000 and dword ptr [ebp+0040AF5E], 00000000
:0040CBD8 8B460C mov eax, dword ptr [esi+0C]
:0040CBDB 83660C00 and dword ptr [esi+0C], 00000000
:0040CBDF 85C0 test eax, eax
:0040CBE1 0F84E8020000 je 0040CECF               <- 这里是能跳出循环的
:0040CBE7 03C2 add eax, edx
:0040CBE9 8BD8 mov ebx, eax

6、在上面随便哪一条指令上用命令：G 0040CECF 下面的代码可有点长：

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040CBC9(C), :0040CBE1(C)
|
:0040CECF 8BBD96AE4000 mov edi, dword ptr [ebp+0040AE96]   <- 车开到这里

7、激活 GetProcAddress ，按F5，会拦下(这里是三次)：

:0040CED5 85FF test edi, edi
:0040CED7 EB03 jmp 0040CEDC
:0040CED9 0100 add dword ptr [eax], eax
:0040CEDB EB74 jmp 0040CF51
:0040CEDD 3203 xor al, byte ptr [ebx]
:0040CEDF BD9EAE4000 mov ebp, 0040AE9E
:0040CEE4 8B85A6AE4000 mov eax, dword ptr [ebp+0040AEA6]
:0040CEEA 85C0 test eax, eax
:0040CEEC 7422 je 0040CF10
:0040CEEE 8B8DAAAE4000 mov ecx, dword ptr [ebp+0040AEAA]
:0040CEF4 85C9 test ecx, ecx
:0040CEF6 7418 je 0040CF10
:0040CEF8 03C7 add eax, edi
:0040CEFA 0385AEAE4000 add eax, dword ptr [ebp+0040AEAE]
:0040CF00 50 push eax
:0040CF01 51 push ecx
:0040CF02 E817FBFFFF call 0040CA1E
:0040CF07 83F8FF cmp eax, FFFFFFFF
:0040CF0A 0F841BFDFFFF je 0040CC2B

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040CEEC(C), :0040CEF6(C)
|
:0040CF10 B923010000 mov ecx, 00000123
:0040CF15 8DBD57AA4000 lea edi, dword ptr [ebp+0040AA57]
:0040CF1B 8BF7 mov esi, edi
:0040CF1D AC lodsb
:0040CF1E 3206 xor al, byte ptr [esi]
:0040CF20 AA stosb
:0040CF21 E2FA loop 0040CF1D
:0040CF23 E814000000 call 0040CF3C
:0040CF28 47 inc edi
:0040CF29 65 BYTE 065h

:0040CF2A 7443 je 0040CF6F
:0040CF2C 7572 jne 0040CFA0
:0040CF2E 7265 jb 0040CF95
:0040CF30 6E outsb
:0040CF31 7450 je 0040CF83
:0040CF33 726F jb 0040CFA4
:0040CF35 636573 arpl dword ptr [ebp+73], esp
:0040CF38 7349 jnb 0040CF83
:0040CF3A 64 BYTE 64h
:0040CF3B 00 BYTE 00h

* Referenced by a CALL at Address:
|:0040CF23
|
:0040CF3C FFB54EAF4000 push dword ptr [ebp+0040AF4E]
:0040CF42 FF95F4AD4000 call dword ptr [ebp+0040ADF4]   <- 拦在此处
:0040CF48 40 inc eax           <- 一次F12返回
:0040CF49 48 dec eax
:0040CF4A 0F8483000000 je 0040CFD3
:0040CF50 FFD0 call eax           <- call GetCurrentProcessID
:0040CF52 8BD8 mov ebx, eax
:0040CF54 E80C000000 call 0040CF65
:0040CF59 4F dec edi
:0040CF5A 7065 jo 0040CFC1
:0040CF5C 6E outsb
:0040CF5D 50 push eax
:0040CF5E 726F jb 0040CFCF
:0040CF60 636573 arpl dword ptr [ebp+73], esp
:0040CF63 7300 jnb 0040CF65

* Referenced by a CALL at Address:
|:0040CF54
|

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040CF63(C)
|
:0040CF65 FFB54EAF4000 push dword ptr [ebp+0040AF4E]
:0040CF6B FF95F4AD4000 call dword ptr [ebp+0040ADF4]   <- 拦在此处
:0040CF71 40 inc eax           <- 返回处
:0040CF72 48 dec eax
:0040CF73 745E je 0040CFD3
:0040CF75 53 push ebx
:0040CF76 6A00 push 00000000
:0040CF78 68FF0F1F00 push 001F0FFF
:0040CF7D FFD0 call eax           <- call OpenProcess
:0040CF7F 40 inc eax
:0040CF80 48 dec eax
:0040CF81 7450 je 0040CFD3

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040CF31(C), :0040CF38(C)
|
:0040CF83 8BD8 mov ebx, eax
:0040CF85 E811000000 call 0040CF9B
:0040CF8A 56 push esi
:0040CF8B 69727475616C50 imul esi, dword ptr [edx+74], 506C6175
:0040CF92 726F jb 0040D003
:0040CF94 7465 je 0040CFFB
:0040CF96 63744578 arpl dword ptr [ebp+2*eax+78], esi
:0040CF9A 00 BYTE 00h

* Referenced by a CALL at Address:
|:0040CF85
|
:0040CF9B FFB54EAF4000 push dword ptr [ebp+0040AF4E]
:0040CFA1 FF95F4AD4000 call dword ptr [ebp+0040ADF4]   <- 拦在此处
:0040CFA7 40 inc eax           <- 返回处
:0040CFA8 48 dec eax
:0040CFA9 7428 je 0040CFD3
:0040CFAB 6A00 push 00000000
:0040CFAD 54 push esp
:0040CFAE 6A04 push 00000004
:0040CFB0 6800100000 push 00001000
:0040CFB5 FFB59EAE4000 push dword ptr [ebp+0040AE9E]
:0040CFBB 53 push ebx
:0040CFBC FFD0 call eax           <- call VirtualProctectEX

8、离出口已经很近了，所以脱这个壳的中断是：bpx VirtualProctectEX 。绝对好用 :)

:0040CFBE 83C404 add esp, 00000004

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040CF5A(C)
|
:0040CFC1 40 inc eax
:0040CFC2 48 dec eax
:0040CFC3 740E je 0040CFD3
:0040CFC5 8BBD9EAE4000 mov edi, dword ptr [ebp+0040AE9E]
:0040CFCB 037F3C add edi, dword ptr [edi+3C]
:0040CFCE 66834F06FF or word ptr [edi+06], FFFF

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040CF4A(C), :0040CF73(C), :0040CF81(C), :0040CFA9(C), :0040CFC3(C)
|
:0040CFD3 8B9DBAAE4000 mov ebx, dword ptr [ebp+0040AEBA]
:0040CFD9 33F6 xor esi, esi                   <- esi=0
:0040CFDB F7D3 not ebx                   <- ebx=OEip
:0040CFDD 0BF3 or esi, ebx
:0040CFDF 7508 jne 0040CFE9
:0040CFE1 8D9D349B4000 lea ebx, dword ptr [ebp+00409B34]
:0040CFE7 EB06 jmp 0040CFEF

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040CFDF(C)
|
:0040CFE9 039D9EAE4000 add ebx, dword ptr [ebp+0040AE9E]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040CFE7(U)
|
:0040CFEF 895C24F0 mov dword ptr [esp-10], ebx
:0040CFF3 8DBD90AD4000 lea edi, dword ptr [ebp+0040AD90]
:0040CFF9 33C0 xor eax, eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040CF94(C)
|
:0040CFFB B99C020000 mov ecx, 0000029C
:0040D000 F3 repz                   <- 代码清0，所以在这里：r ecx 0
:0040D001 AA stosb
:0040D002 8DBD349B4000 lea edi, dword ptr [ebp+00409B34]
:0040D008 B90D100000 mov ecx, 0000100D
:0040D00D F3 repz
:0040D00E AA stosb
:0040D00F 66AB stosw                   <- 不要执行
:0040D011 8DBD349B4000 lea edi, dword ptr [ebp+00409B34]
:0040D017 85F6 test esi, esi
:0040D019 7508 jne 0040D023
:0040D01B C70733C040C3 mov dword ptr [edi], C340C033       <- 也是搞破坏
:0040D021 EB0B jmp 0040D02E

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D019(C)
|
:0040D023 C607E9 mov byte ptr [edi], E9       <- 一样的破坏
:0040D026 47 inc edi
:0040D027 2BDF sub ebx, edi
:0040D029 83EB04 sub ebx, 00000004
:0040D02C 891F mov dword ptr [edi], ebx       <- 保存OEip

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D021(U)
|
:0040D02E 8DBD41AB4000 lea edi, dword ptr [ebp+0040AB41]

* Possible Reference to String Resource ID=00044: "?嘽"
|
:0040D034 B92C000000 mov ecx, 0000002C
:0040D039 F3 repz                   <- 代码清0，所以在这里：r ecx 0
:0040D03A AA stosb
:0040D03B 66AB stosw                   <- 不要执行
:0040D03D EB02 jmp 0040D041
:0040D03F 90 nop                   <- 这里原是花指令:CD 20，呵呵
:0040D040 90 nop
|
:0040D041 61 popad                   <- 恢复现场
:0040D042 FF6424D0 jmp [esp-30]               <- JMP TO MOTHER!!!
:0040D046 63EB arpl ebx, ebp

That's all! Folks!