[Tools]: OllyDbg, LordPE, ImpREC
[Introduction]: (from jingulong)
1. Its main technique is using RDTSC (timing differences) for anti-tracing
2. OutputDebugStringA + ZwQueryInformationProcess + IsDebuggerPresent
3. Modifies the file header for anti-dump
4. CreateFileA opens the file in exclusive mode as anti-ImportREC
5. CRC
[Initial approach]:
1. Run mslrh 0.31
2. Close the mslrh file handle
Use a process manager such as http://www.sysinternals.com/files/procexpnt.zip: select the mslrh process, view its handles, and close the handle to mslrh.exe.
3. Attach with OllyDbg
4. Find the OEP ***by looking up the APIs***
5. Dump & fix the IAT
Step 4 there is guessed from experience.
[The really fast unpacking method] (a somewhat unconventional one that sidesteps the RDTSC tracing):
The RDTSC anti-trace checks are interspersed throughout the code, and tracing through them with OllyDbg is a real hassle and a headache.
1. Load it in OllyDbg
2. Search for 68????????C3 (push ????????; retn) and change the retn's C3 to int3 (CC)
3. Save the change and close OllyDbg
4. Run mslrh.exe; an exception occurs; debug it with OllyDbg
5. Change the int3 back to retn, F8
6. Search for 61E9 to reach popad; jmp ??????
7. F4 to the jmp, then F8
8. Dump & fix the IAT with ImpREC
[Walkthrough]:
Load [mslrh].exe in OllyDbg
Quote:
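As an added example (not part of the original post), a small Python scanner that automates the two byte searches from steps 2 and 6: it finds the "push imm32; retn" stub and the "popad; jmp rel32" tail in a byte buffer, resolves the jmp target the same way OllyDbg displays it, and applies the C3 to CC patch. The sample bytes are copied from the OllyDbg listings in this post; the base addresses are taken from those listings and treated as assumptions.

```python
import re
import struct

# Constructed sample: the two code fragments from the OllyDbg listings in
# this post, each stored with the virtual address it was shown at.
FRAGMENTS = {
    0x0046207E: bytes.fromhex("68ADE29F00C333C9E8000000005F81C7C509000033D283C215"),
    0x00452A12: bytes.fromhex("61E93E13FCFF0000000000000000"),
}

PUSH_RETN = re.compile(rb"\x68(.{4})\xC3", re.DOTALL)  # push imm32 ; retn
POPAD_JMP = re.compile(rb"\x61\xE9(.{4})", re.DOTALL)  # popad ; jmp rel32


def find_push_retn(buf, base):
    """Return [(va_of_push, pushed_imm32)] for every 'push imm32 ; retn'."""
    return [(base + m.start(), struct.unpack_from("<I", m.group(1))[0])
            for m in PUSH_RETN.finditer(buf)]


def find_popad_jmp(buf, base):
    """Return [(va_of_popad, jmp_target)] for every 'popad ; jmp rel32'.

    The jmp is 5 bytes long and starts at va+1, so its target is
    (va + 1 + 5) + rel32, with rel32 read as a signed 32-bit value."""
    out = []
    for m in POPAD_JMP.finditer(buf):
        va = base + m.start()
        rel = struct.unpack_from("<i", m.group(1))[0]
        out.append((va, (va + 1 + 5 + rel) & 0xFFFFFFFF))
    return out


def patch_retn_to_int3(buf, base, push_va):
    """Return a copy of buf with the retn after the push at push_va replaced
    by int3 (0xCC), the same edit the walkthrough makes by hand in OllyDbg."""
    off = push_va - base + 5  # push imm32 is 5 bytes, retn follows it
    if buf[off] != 0xC3:
        raise ValueError("no retn at %#x" % (push_va + 5))
    patched = bytearray(buf)
    patched[off] = 0xCC
    return bytes(patched)


if __name__ == "__main__":
    for base, buf in FRAGMENTS.items():
        for va, imm in find_push_retn(buf, base):
            print("push/retn stub at %08X pushes %08X" % (va, imm))
        for va, target in find_popad_jmp(buf, base):
            print("popad/jmp at %08X jumps to %08X" % (va, target))
```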
00456000 > $ 60 PUSHAD ;***POEP****
00456001 . D1CB ROR EBX,1
00456003 . 0FCA BSWAP EDX
00456005 . C1CA E0 ROR EDX,0E0
00456008 . D1CA ROR EDX,1
0045600A . 0FC8 BSWAP EAX
0045600C . EB 01 JMP SHORT [MSLRH].0045600F
0045600E . F1 INT1
0045600F > 0FC0C9 XADD CL,CL
Binary search for 68????????C3 and change the retn to int3
Quote:
0046207E . 68 ADE29F00 PUSH 9FE2AD
00462083 . C3 RETN ;**** change to int3 (CC)
00462084 33 DB 33 ; CHAR '3'
00462085 C9 DB C9
00462086 E8 DB E8
00462087 00 DB 00
00462088 00 DB 00
00462089 00 DB 00
0046208A 00 DB 00
0046208B 5F DB 5F ; CHAR '_'
0046208C 81 DB 81
Save the change and close OllyDbg
Run mslrh.exe; an exception occurs; debug it with OllyDbg
Quote:
00462083 CC INT3 ; stops here, change it to retn
00462084 33C9 XOR ECX,ECX
00462086 E8 00000000 CALL [MSLRH].0046208B
0046208B 5F POP EDI
0046208C 81C7 C5090000 ADD EDI,9C5
00462092 33D2 XOR EDX,EDX
00462094 83C2 15 ADD EDX,15
Change the int3 back to retn, F8
Search for 61E9, which brings us to popad; jmp...
Quote:
00452A12 61 POPAD
00452A13 ^E9 3E13FCFF JMP [MSLRH].00413D56
00452A18 0000 ADD BYTE PTR DS:[EAX],AL
00452A1A 0000 ADD BYTE PTR DS:[EAX],AL
00452A1C 0000 ADD BYTE PTR DS:[EAX],AL
00452A1E 0000 ADD BYTE PTR DS:[EAX],AL
Put the cursor on 452A13 and press F4
F8, and where have we landed? Haha
Quote:
00413D56 6A 00 PUSH 0 ; yeah,OEP
00413D58 E8 F10F0000 CALL [MSLRH].00414D4E ; JMP to kernel32.GetModuleHandleA
00413D5D A3 A08F4100 MOV DWORD PTR DS:[418FA0],EAX
00413D62 E8 6B100000 CALL [MSLRH].00414DD2 ; JMP to comctl32.InitCommonControls
00413D67 6A 00 PUSH 0
00413D69 68 843D4100 PUSH [MSLRH].00413D84
00413D6E 6A 00 PUSH 0
00413D70 6A 65 PUSH 65
00413D72 FF35 A08F4100 PUSH DWORD PTR DS:[418FA0]
00413D78 E8 0D100000 CALL [MSLRH].00414D8A ; JMP to USER32.DialogBoxParamA
00413D7D 6A 00 PUSH 0
00413D7F E8 BE0F0000 CALL [MSLRH].00414D42 ; JMP to kernel32.ExitProcess
00413D84 55 PUSH EBP
00413D85 8BEC MOV EBP,ESP
00413D87 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C]
00413D8A 3D 10010000 CMP EAX,110
00413D8F 0F85 3D030000 JNZ [MSLRH].004140D2
00413D95 6A 01 PUSH 1
00413D97 FF35 A08F4100 PUSH DWORD PTR DS:[418FA0]
00413D9D E8 00100000 CALL [MSLRH].00414DA2 ; JMP to USER32.LoadBitmapA
00413DA2 A3 C8934100 MOV DWORD PTR DS:[4193C8],EAX
00413DA7 50 PUSH EAX
LordPE and ImpREC take the stage, and we are done.