一、破解目标: Armadillo 4.2 加壳的DLL(用KEY保护)
二、破解工具:OllyDbg v1.10,ImportREC 1.6 Final,LordPE
三、破解作者:DarkBull@email.com.cn
四、破解过程:
1.分析机器码
用OD载入,入口如下:
KingFor3.>/$ 55 PUSH EBP
00948958 |. 8BEC MOV EBP,ESP
0094895A |. 53 PUSH EBX
0094895B |. 8B5D 08 MOV EBX,[ARG.1]
0094895E |. 56 PUSH ESI
0094895F |. 8B75 0C MOV ESI,[ARG.2]
00948962 |. 57 PUSH EDI
00948963 |. 8B7D 10 MOV EDI,[ARG.3]
00948966 |. 85F6 TEST ESI,ESI
00948968 |. 75 09 JNZ SHORT KingFor3.00948973
0094896A |. 833D 7C46>CMP DWORD PTR DS:[96467C],0
00948971 |. EB 26 JMP SHORT KingFor3.00948999
00948973 |> 83FE 01 CMP ESI,1 ; DLL_PROCESS_ATTACH
00948976 |. 74 05 JE SHORT KingFor3.0094897D
00948978 |. 83FE 02 CMP ESI,2 ; DLL_THREAD_ATTACH
0094897B |. 75 22 JNZ SHORT KingFor3.0094899F
0094897D |> A1 8C4696>MOV EAX,DWORD PTR DS:[96468C]
00948982 |. 85C0 TEST EAX,EAX
00948984 |. 74 09 JE SHORT KingFor3.0094898F
00948986 |. 57 PUSH EDI
00948987 |. 56 PUSH ESI
00948988 |. 53 PUSH EBX
00948989 |. FFD0 CALL NEAR EAX
下断点BP VirtualAlloc,执行到返回EAX=00B10000,大小为51000,然后ARM4.2在该地址写入Security.dll的代码。
ARM对一些硬件信息进行了CRC32计算,形成计算机指纹,以计算机名为例:
00B23D34 50 PUSH EAX
00B23D35 8D45 D4 LEA EAX,DWORD PTR SS:[EBP-2C]
00B23D38 50 PUSH EAX
00B23D39 FF15 D840B4>CALL NEAR DWORD PTR DS:[B440D8] ; kernel32.GetComputerNameA
00B23D3F 85C0 TEST EAX,EAX
00B23D41 74 26 JE SHORT 00B23D69
00B23D43 FF75 08 PUSH DWORD PTR SS:[EBP+8]
00B23D46 8D45 D4 LEA EAX,DWORD PTR SS:[EBP-2C]
00B23D49 50 PUSH EAX
00B23D4A E8 AFF30100 CALL 00B430FE ; JMP to MSVCRT.strlen
00B23D4F 59 POP ECX
00B23D50 50 PUSH EAX
00B23D51 8D45 D4 LEA EAX,DWORD PTR SS:[EBP-2C]
00B23D54 50 PUSH EAX
00B23D55 E8 0DD9FFFF CALL 00B21667 ; CRC32校验
00B23D5A 83C4 0C ADD ESP,0C
00B23D5D 8945 08 MOV DWORD PTR SS:[EBP+8],EAX
00B23D60 EB 07 JMP SHORT 00B23D69
F7进入CRC32的过程,代码如下:
00B21667 FF7424 0C PUSH DWORD PTR SS:[ESP+C] ; Arg3 (FFFFFFFF)
00B2166B FF7424 0C PUSH DWORD PTR SS:[ESP+C] ; Arg2 (nSize)
00B2166F FF7424 0C PUSH DWORD PTR SS:[ESP+C] ; Arg1 (ComputerName)
00B21673 FF15 58D6B4>CALL NEAR DWORD PTR DS:[B4D658] ; F7进入00913980
00B21679 83C4 0C ADD ESP,0C
00B2167C C3 RETN
00913980 /$ 55 PUSH EBP
00913981 |. 8BEC MOV EBP,ESP
00913983 |. 8B45 0C MOV EAX,[ARG.2]
00913986 |. 50 PUSH EAX ; /Arg3 (nSize)
00913987 |. 8B4D 08 MOV ECX,[ARG.1] ; |
0091398A |. 51 PUSH ECX ; |Arg2 (ComputerName)
0091398B |. 8B55 10 MOV EDX,[ARG.3] ; |
0091398E |. 83F2 FF XOR EDX,FFFFFFFF ; |
00913991 |. 52 PUSH EDX ; |Arg1 (0)
00913992 |. E8 63DD02>CALL KingFor3.009416FA ; \KingFor3.009416FA(F7进入)
00913997 |. 83C4 0C ADD ESP,0C
0091399A |. 83F0 FF XOR EAX,FFFFFFFF
0091399D |. 5D POP EBP
0091399E \. C3 RETN
009416FA /$ 55 PUSH EBP
009416FB |. 8BEC MOV EBP,ESP
009416FD |. 837D 0C 0>CMP [ARG.2],0 ; 计算机名是否为空
00941701 |. 75 07 JNZ SHORT KingFor3.0094170A
00941703 |. 33C0 XOR EAX,EAX
00941705 |. E9 C90100>JMP KingFor3.009418D3
0094170A |> 8B45 08 MOV EAX,[ARG.1]
0094170D |. 83F0 FF XOR EAX,FFFFFFFF ; 进行异或运算
00941710 |. 8945 08 MOV [ARG.1],EAX
00941713 |> 837D 10 0>/CMP [ARG.3],8 ; 计算机名以8个字节为一组
00941717 |. 0F82 6E01>|JB KingFor3.0094188B
0094171D |. 8B4D 0C |MOV ECX,[ARG.2]
00941720 |. 33D2 |XOR EDX,EDX
00941722 |. 8A11 |MOV DL,BYTE PTR DS:[ECX] ; 取计算机名的第一个字节
00941724 |. 8B45 08 |MOV EAX,[ARG.1] ; 初始为FFFFFFFF
00941727 |. 33C2 |XOR EAX,EDX ; 第一次进行异或运算
00941729 |. 25 FF0000>|AND EAX,0FF ; 只取一个字节
0094172E |. 8B4D 08 |MOV ECX,[ARG.1]
00941731 |. C1E9 08 |SHR ECX,8
00941734 |. 8B1485 0C>|MOV EDX,DWORD PTR DS:[EAX*4+96240C] ; 进行查表
0094173B |. 33D1 |XOR EDX,ECX ; 第二次异或运算
0094173D |. 8955 08 |MOV [ARG.1],EDX ; 保存结果
00941740 |. 8B45 0C |MOV EAX,[ARG.2]
00941743 |. 83C0 01 |ADD EAX,1
00941746 |. 8945 0C |MOV [ARG.2],EAX
00941749 |. 8B4D 0C |MOV ECX,[ARG.2]
0094174C |. 33D2 |XOR EDX,EDX
0094174E |. 8A11 |MOV DL,BYTE PTR DS:[ECX] ; 取计算机名的第二个字节
00941750 |. 8B45 08 |MOV EAX,[ARG.1] ; 第一个字节运算的结果
00941753 |. 33C2 |XOR EAX,EDX
00941755 |. 25 FF0000>|AND EAX,0FF
0094175A |. 8B4D 08 |MOV ECX,[ARG.1]
0094175D |. C1E9 08 |SHR ECX,8
00941760 |. 8B1485 0C>|MOV EDX,DWORD PTR DS:[EAX*4+96240C] ; 进行查表
00941767 |. 33D1 |XOR EDX,ECX
00941769 |. 8955 08 |MOV [ARG.1],EDX
........ 然后取第三到第七字节进行运算。
00941848 |. 8B45 0C |MOV EAX,[ARG.2]
0094184B |. 83C0 01 |ADD EAX,1
0094184E |. 8945 0C |MOV [ARG.2],EAX
00941851 |. 8B4D 0C |MOV ECX,[ARG.2]
00941854 |. 33D2 |XOR EDX,EDX
00941856 |. 8A11 |MOV DL,BYTE PTR DS:[ECX] ; 取第八个字节
00941858 |. 8B45 08 |MOV EAX,[ARG.1]
0094185B |. 33C2 |XOR EAX,EDX
0094185D |. 25 FF0000>|AND EAX,0FF
00941862 |. 8B4D 08 |MOV ECX,[ARG.1]
00941865 |. C1E9 08 |SHR ECX,8
00941868 |. 8B1485 0C>|MOV EDX,DWORD PTR DS:[EAX*4+96240C]
0094186F |. 33D1 |XOR EDX,ECX
00941871 |. 8955 08 |MOV [ARG.1],EDX ; 保存第八个字节运算结果
00941874 |. 8B45 0C |MOV EAX,[ARG.2]
00941877 |. 83C0 01 |ADD EAX,1
0094187A |. 8945 0C |MOV [ARG.2],EAX
0094187D |. 8B4D 10 |MOV ECX,[ARG.3]
00941880 |. 83E9 08 |SUB ECX,8
00941883 |. 894D 10 |MOV [ARG.3],ECX
00941886 |.^ E9 88FEFF>\JMP KingFor3.00941713 ; 循环
0094188B |> 837D 10 0>CMP [ARG.3],0
0094188F |. 74 3C JE SHORT KingFor3.009418CD
00941891 |> 8B55 0C /MOV EDX,[ARG.2]
00941894 |. 33C0 |XOR EAX,EAX
00941896 |. 8A02 |MOV AL,BYTE PTR DS:[EDX] ; 分组后剩余的第一个字节
00941898 |. 8B4D 08 |MOV ECX,[ARG.1]
0094189B |. 33C8 |XOR ECX,EAX
0094189D |. 81E1 FF00>|AND ECX,0FF
009418A3 |. 8B55 08 |MOV EDX,[ARG.1]
009418A6 |. C1EA 08 |SHR EDX,8
009418A9 |. 8B048D 0C>|MOV EAX,DWORD PTR DS:[ECX*4+96240C] ; 进行查表
009418B0 |. 33C2 |XOR EAX,EDX
009418B2 |. 8945 08 |MOV [ARG.1],EAX ; 保存结果
009418B5 |. 8B4D 0C |MOV ECX,[ARG.2]
009418B8 |. 83C1 01 |ADD ECX,1
009418BB |. 894D 0C |MOV [ARG.2],ECX
009418BE |. 8B55 10 |MOV EDX,[ARG.3]
009418C1 |. 83EA 01 |SUB EDX,1
009418C4 |. 8955 10 |MOV [ARG.3],EDX
009418C7 |. 837D 10 0>|CMP [ARG.3],0
009418CB |.^ 75 C4 \JNZ SHORT KingFor3.00941891
009418CD |> 8B45 08 MOV EAX,[ARG.1]
009418D0 |. 83F0 FF XOR EAX,FFFFFFFF ; 进行异或运算得到CRC32的值
009418D3 |> 5D POP EBP
009418D4 \. C3 RETN
返回后运算结果保存在EAX里。在这个过程下断可以观察到机器码的计算方法:主要是由BIOS信息、BIOS时间和MAC地址计算出来的。
由于注册码验证用到MD5算法,偶实在太菜,搞不定啊,只好找个KEY了。
2. 寻找OEP&DUMP
如果在有KEY的情况下脱壳,难度就大大地降低了。找OEP只需在CODE段下内存访问断点,输入KEY后点击“OK”,程序一下就停在OEP处。此时用LordPE选择LOADDLL.EXE的进程,将被调试的DLL完全DUMP下来,修改EntryPoint项和ImageBase项。
3. 寻找IAT
重新加载DLL,下断点HE VirtualProtectA,按几次F9,当保护地址为.idata段地址时,再按F9并执行到返回,代码如下:
00B3A8F4 8D85 88D4FF>LEA EAX,DWORD PTR SS:[EBP-2B78]
00B3A8FA 50 PUSH EAX
00B3A8FB 6A 04 PUSH 4 ; NewProtect = PAGE_READWRITE
00B3A8FD 8B85 94D4FF>MOV EAX,DWORD PTR SS:[EBP-2B6C]
00B3A903 C1E0 02 SHL EAX,2
00B3A906 50 PUSH EAX
00B3A907 8B85 0CD8FF>MOV EAX,DWORD PTR SS:[EBP-27F4]
00B3A90D 0385 8CD4FF>ADD EAX,DWORD PTR SS:[EBP-2B74]
00B3A913 50 PUSH EAX ; IAT起始地址
00B3A914 FF15 1841B4>CALL NEAR DWORD PTR DS:[B44118] ; kernel32.VirtualProtect
00B3A91A 6A 14 PUSH 14
00B3A91C E8 53870000 CALL 00B43074 ; JMP to MSVCRT.operator new
00B3A921 59 POP ECX
00B3A922 8985 BCAFFF>MOV DWORD PTR SS:[EBP+FFFFAFBC],EAX
00B3A928 83BD BCAFFF>CMP DWORD PTR SS:[EBP+FFFFAFBC],0
00B3A92F 74 58 JE SHORT 00B3A989
00B3A931 A1 9080B500 MOV EAX,DWORD PTR DS:[B58090]
00B3A936 8985 04AEFF>MOV DWORD PTR SS:[EBP+FFFFAE04],EAX
00B3A93C 8B85 0CD8FF>MOV EAX,DWORD PTR SS:[EBP-27F4]
00B3A942 0385 8CD4FF>ADD EAX,DWORD PTR SS:[EBP-2B74]
00B3A948 8B8D BCAFFF>MOV ECX,DWORD PTR SS:[EBP+FFFFAFBC]
00B3A94E 8901 MOV DWORD PTR DS:[ECX],EAX
00B3A950 8B85 94D4FF>MOV EAX,DWORD PTR SS:[EBP-2B6C]
00B3A956 C1E0 02 SHL EAX,2
00B3A959 8B8D BCAFFF>MOV ECX,DWORD PTR SS:[EBP+FFFFAFBC]
00B3A95F 8941 04 MOV DWORD PTR DS:[ECX+4],EAX
00B3A962 8B85 BCAFFF>MOV EAX,DWORD PTR SS:[EBP+FFFFAFBC]
00B3A968 8060 0C 00 AND BYTE PTR DS:[EAX+C],0
00B3A96C 8B85 BCAFFF>MOV EAX,DWORD PTR SS:[EBP+FFFFAFBC]
00B3A972 8B8D 04AEFF>MOV ECX,DWORD PTR SS:[EBP+FFFFAE04]
00B3A978 8948 10 MOV DWORD PTR DS:[EAX+10],ECX
00B3A97B 8B85 BCAFFF>MOV EAX,DWORD PTR SS:[EBP+FFFFAFBC]
00B3A981 8985 F8ACFF>MOV DWORD PTR SS:[EBP+FFFFACF8],EAX
00B3A987 EB 07 JMP SHORT 00B3A990
00B3A989 83A5 F8ACFF>AND DWORD PTR SS:[EBP+FFFFACF8],0
00B3A990 8B85 F8ACFF>MOV EAX,DWORD PTR SS:[EBP+FFFFACF8]
00B3A996 A3 9080B500 MOV DWORD PTR DS:[B58090],EAX
00B3A99B A1 9080B500 MOV EAX,DWORD PTR DS:[B58090]
00B3A9A0 8B8D 88D4FF>MOV ECX,DWORD PTR SS:[EBP-2B78]
00B3A9A6 8948 08 MOV DWORD PTR DS:[EAX+8],ECX
00B3A9A9 83A5 A4D4FF>AND DWORD PTR SS:[EBP-2B5C],0
00B3A9B0 FF15 7842B4>CALL NEAR DWORD PTR DS:[B44278] ; kernel32.GetTickCount(计时开始)
00B3A9B6 8985 A0D4FF>MOV DWORD PTR SS:[EBP-2B60],EAX
00B3A9BC 6A 01 PUSH 1
00B3A9BE 58 POP EAX
00B3A9BF 85C0 TEST EAX,EAX
00B3A9C1 0F84 A80300>JE 00B3AD6F
00B3A9C7 8B85 84D9FF>MOV EAX,DWORD PTR SS:[EBP-267C]
00B3A9CD 66:8B00 MOV AX,WORD PTR DS:[EAX]
00B3A9D0 66:8985 60C>MOV WORD PTR SS:[EBP-3DA0],AX
00B3A9D7 8B85 84D9FF>MOV EAX,DWORD PTR SS:[EBP-267C]
00B3A9DD 40 INC EAX
00B3A9DE 40 INC EAX
00B3A9DF 8985 84D9FF>MOV DWORD PTR SS:[EBP-267C],EAX
00B3A9E5 0FB785 60C2>MOVZX EAX,WORD PTR SS:[EBP-3DA0]
00B3A9EC 50 PUSH EAX
00B3A9ED FFB5 84D9FF>PUSH DWORD PTR SS:[EBP-267C]
00B3A9F3 8D85 6CCAFF>LEA EAX,DWORD PTR SS:[EBP-3594]
00B3A9F9 50 PUSH EAX
00B3A9FA E8 6F860000 CALL 00B4306E ; JMP to MSVCRT.memcpy
00B3A9FF 83C4 0C ADD ESP,0C
00B3AA02 0FB785 60C2>MOVZX EAX,WORD PTR SS:[EBP-3DA0]
00B3AA09 8B8D 84D9FF>MOV ECX,DWORD PTR SS:[EBP-267C]
00B3AA0F 03C8 ADD ECX,EAX
00B3AA11 898D 84D9FF>MOV DWORD PTR SS:[EBP-267C],ECX
00B3AA17 66:83A5 68C>AND WORD PTR SS:[EBP-3598],0
00B3AA1F A0 30CDB400 MOV AL,BYTE PTR DS:[B4CD30]
00B3AA24 8885 64C2FF>MOV BYTE PTR SS:[EBP-3D9C],AL
00B3AA2A B9 FF010000 MOV ECX,1FF
00B3AA2F 33C0 XOR EAX,EAX
00B3AA31 8DBD 65C2FF>LEA EDI,DWORD PTR SS:[EBP-3D9B]
00B3AA37 F3:AB REP STOS DWORD PTR ES:[EDI]
00B3AA39 66:AB STOS WORD PTR ES:[EDI]
00B3AA3B AA STOS BYTE PTR ES:[EDI]
00B3AA3C 0FB785 60C2>MOVZX EAX,WORD PTR SS:[EBP-3DA0]
00B3AA43 85C0 TEST EAX,EAX
00B3AA45 74 6E JE SHORT 00B3AAB5
00B3AA47 8D8D 74D9FF>LEA ECX,DWORD PTR SS:[EBP-268C]
00B3AA4D E8 AE65FDFF CALL 00B11000
00B3AA52 8985 5CC2FF>MOV DWORD PTR SS:[EBP-3DA4],EAX
00B3AA58 6A 00 PUSH 0
00B3AA5A 0FB785 60C2>MOVZX EAX,WORD PTR SS:[EBP-3DA0]
00B3AA61 50 PUSH EAX
00B3AA62 8D85 6CCAFF>LEA EAX,DWORD PTR SS:[EBP-3594]
00B3AA68 50 PUSH EAX
00B3AA69 FFB5 5CC2FF>PUSH DWORD PTR SS:[EBP-3DA4]
00B3AA6F E8 386AFDFF CALL 00B114AC ; 解密函数名
00B3AA74 83C4 10 ADD ESP,10
00B3AA77 0FB685 6CCA>MOVZX EAX,BYTE PTR SS:[EBP-3594]
00B3AA7E 3D FF000000 CMP EAX,0FF
00B3AA83 75 10 JNZ SHORT 00B3AA95
00B3AA85 66:8B85 6DC>MOV AX,WORD PTR SS:[EBP-3593]
00B3AA8C 66:8985 68C>MOV WORD PTR SS:[EBP-3598],AX
00B3AA93 EB 20 JMP SHORT 00B3AAB5
00B3AA95 0FBE85 6CCA>MOVSX EAX,BYTE PTR SS:[EBP-3594]
00B3AA9C 85C0 TEST EAX,EAX
00B3AA9E 74 15 JE SHORT 00B3AAB5
00B3AAA0 8D85 6CCAFF>LEA EAX,DWORD PTR SS:[EBP-3594]
00B3AAA6 50 PUSH EAX
00B3AAA7 8D85 64C2FF>LEA EAX,DWORD PTR SS:[EBP-3D9C]
00B3AAAD 50 PUSH EAX
00B3AAAE E8 57860000 CALL 00B4310A ; JMP to MSVCRT.strcpy
00B3AAB3 59 POP ECX
00B3AAB4 59 POP ECX
00B3AAB5 83A5 64CAFF>AND DWORD PTR SS:[EBP-359C],0
00B3AABC 0FB785 68CA>MOVZX EAX,WORD PTR SS:[EBP-3598]
00B3AAC3 85C0 TEST EAX,EAX
00B3AAC5 74 6C JE SHORT 00B3AB33
00B3AAC7 83BD 98D4FF>CMP DWORD PTR SS:[EBP-2B68],0
00B3AACE 74 51 JE SHORT 00B3AB21
00B3AAD0 8B85 98D4FF>MOV EAX,DWORD PTR SS:[EBP-2B68]
00B3AAD6 8985 58C2FF>MOV DWORD PTR SS:[EBP-3DA8],EAX
00B3AADC EB 0F JMP SHORT 00B3AAED
00B3AADE 8B85 58C2FF>MOV EAX,DWORD PTR SS:[EBP-3DA8]
00B3AAE4 83C0 0C ADD EAX,0C
00B3AAE7 8985 58C2FF>MOV DWORD PTR SS:[EBP-3DA8],EAX
00B3AAED 8B85 58C2FF>MOV EAX,DWORD PTR SS:[EBP-3DA8]
00B3AAF3 8378 08 00 CMP DWORD PTR DS:[EAX+8],0
00B3AAF7 74 28 JE SHORT 00B3AB21
00B3AAF9 0FB785 68CA>MOVZX EAX,WORD PTR SS:[EBP-3598]
00B3AB00 8B8D 58C2FF>MOV ECX,DWORD PTR SS:[EBP-3DA8]
00B3AB06 0FB749 04 MOVZX ECX,WORD PTR DS:[ECX+4]
00B3AB0A 3BC1 CMP EAX,ECX
00B3AB0C 75 11 JNZ SHORT 00B3AB1F
00B3AB0E 8B85 58C2FF>MOV EAX,DWORD PTR SS:[EBP-3DA8]
00B3AB14 8B40 08 MOV EAX,DWORD PTR DS:[EAX+8]
00B3AB17 8985 64CAFF>MOV DWORD PTR SS:[EBP-359C],EAX
00B3AB1D EB 02 JMP SHORT 00B3AB21
00B3AB1F ^ EB BD JMP SHORT 00B3AADE
00B3AB21 8B85 A4D4FF>MOV EAX,DWORD PTR SS:[EBP-2B5C]
00B3AB27 40 INC EAX
00B3AB28 8985 A4D4FF>MOV DWORD PTR SS:[EBP-2B5C],EAX
00B3AB2E E9 D0000000 JMP 00B3AC03
00B3AB33 0FBE85 64C2>MOVSX EAX,BYTE PTR SS:[EBP-3D9C]
00B3AB3A 85C0 TEST EAX,EAX
00B3AB3C 0F84 8A0000>JE 00B3ABCC
00B3AB42 83BD 98D4FF>CMP DWORD PTR SS:[EBP-2B68],0
00B3AB49 74 72 JE SHORT 00B3ABBD
00B3AB4B 8B85 98D4FF>MOV EAX,DWORD PTR SS:[EBP-2B68]
00B3AB51 8985 54C2FF>MOV DWORD PTR SS:[EBP-3DAC],EAX
00B3AB57 EB 0F JMP SHORT 00B3AB68
00B3AB59 8B85 54C2FF>MOV EAX,DWORD PTR SS:[EBP-3DAC]
00B3AB5F 83C0 0C ADD EAX,0C
00B3AB62 8985 54C2FF>MOV DWORD PTR SS:[EBP-3DAC],EAX
00B3AB68 8B85 54C2FF>MOV EAX,DWORD PTR SS:[EBP-3DAC]
00B3AB6E 8378 08 00 CMP DWORD PTR DS:[EAX+8],0
00B3AB72 74 49 JE SHORT 00B3ABBD
00B3AB74 68 00010000 PUSH 100
00B3AB79 8D85 54C1FF>LEA EAX,DWORD PTR SS:[EBP-3EAC]
00B3AB7F 50 PUSH EAX
00B3AB80 8B85 54C2FF>MOV EAX,DWORD PTR SS:[EBP-3DAC]
00B3AB86 FF30 PUSH DWORD PTR DS:[EAX]
00B3AB88 E8 9B74FDFF CALL 00B12028
00B3AB8D 83C4 0C ADD ESP,0C
00B3AB90 8D85 54C1FF>LEA EAX,DWORD PTR SS:[EBP-3EAC]
00B3AB96 50 PUSH EAX
00B3AB97 8D85 64C2FF>LEA EAX,DWORD PTR SS:[EBP-3D9C]
00B3AB9D 50 PUSH EAX
00B3AB9E FF15 8043B4>CALL NEAR DWORD PTR DS:[B44380] ; MSVCRT._stricmp(比较函数名是否需要加密)
00B3ABA4 59 POP ECX
00B3ABA5 59 POP ECX
00B3ABA6 85C0 TEST EAX,EAX ; 改为JMP,避开加密
00B3ABA8 75 11 JNZ SHORT 00B3ABBB
00B3ABAA 8B85 54C2FF>MOV EAX,DWORD PTR SS:[EBP-3DAC]
00B3ABB0 8B40 08 MOV EAX,DWORD PTR DS:[EAX+8]
00B3ABB3 8985 64CAFF>MOV DWORD PTR SS:[EBP-359C],EAX
00B3ABB9 EB 02 JMP SHORT 00B3ABBD
00B3ABBB ^\EB 9C JMP SHORT 00B3AB59 ; 继续比较
00B3ABBD 8B85 A4D4FF>MOV EAX,DWORD PTR SS:[EBP-2B5C]
00B3ABC3 40 INC EAX
00B3ABC4 8985 A4D4FF>MOV DWORD PTR SS:[EBP-2B5C],EAX
00B3ABCA EB 37 JMP SHORT 00B3AC03
00B3ABCC 8D8D 38D9FF>LEA ECX,DWORD PTR SS:[EBP-26C8]
00B3ABD2 E8 6964FDFF CALL 00B11040
00B3ABD7 0FB6C0 MOVZX EAX,AL
00B3ABDA 99 CDQ
00B3ABDB 6A 14 PUSH 14
00B3ABDD 59 POP ECX
00B3ABDE F7F9 IDIV ECX
00B3ABE0 8B85 10D9FF>MOV EAX,DWORD PTR SS:[EBP-26F0]
00B3ABE6 8B8C95 94D7>MOV ECX,DWORD PTR SS:[EBP+EDX*4-286C>
00B3ABED 8908 MOV DWORD PTR DS:[EAX],ECX ; 在每个模块的函数间写入垃圾代码,NOP掉
00B3ABEF 8B85 10D9FF>MOV EAX,DWORD PTR SS:[EBP-26F0]
00B3ABF5 83C0 04 ADD EAX,4
00B3ABF8 8985 10D9FF>MOV DWORD PTR SS:[EBP-26F0],EAX
00B3ABFE E9 6C010000 JMP 00B3AD6F
........
00B3AC32 6A 01 PUSH 1
00B3AC34 FFB5 F4ACFF>PUSH DWORD PTR SS:[EBP+FFFFACF4]
00B3AC3A FFB5 9CD4FF>PUSH DWORD PTR SS:[EBP-2B64]
00B3AC40 E8 09ACFEFF CALL 00B2584E ; GetProcAddress
00B3AC45 83C4 0C ADD ESP,0C
00B3AC48 8985 64CAFF>MOV DWORD PTR SS:[EBP-359C],EAX
00B3AC4E 83BD 64CAFF>CMP DWORD PTR SS:[EBP-359C],0
00B3AC55 75 42 JNZ SHORT 00B3AC99
........
00B3AD4D 8B85 10D9FF>MOV EAX,DWORD PTR SS:[EBP-26F0]
00B3AD53 8B8D 64CAFF>MOV ECX,DWORD PTR SS:[EBP-359C]
00B3AD59 8908 MOV DWORD PTR DS:[EAX],ECX ; 将函数地址写入IAT
00B3AD5B 8B85 10D9FF>MOV EAX,DWORD PTR SS:[EBP-26F0]
00B3AD61 83C0 04 ADD EAX,4
00B3AD64 8985 10D9FF>MOV DWORD PTR SS:[EBP-26F0],EAX
00B3AD6A ^ E9 4DFCFFFF JMP 00B3A9BC ; 继续处理下一个函数
00B3AD6F FF15 7842B4>CALL NEAR DWORD PTR DS:[B44278] ; kernel32.GetTickCount(计时结束)
00B3AD75 2B85 A0D4FF>SUB EAX,DWORD PTR SS:[EBP-2B60]
00B3AD7B 8B8D A4D4FF>MOV ECX,DWORD PTR SS:[EBP-2B5C]
00B3AD81 6BC9 32 IMUL ECX,ECX,32
00B3AD84 81C1 D00700>ADD ECX,7D0 ; 2000 ms
00B3AD8A 3BC1 CMP EAX,ECX ; 是否大于2秒
00B3AD8C 76 07 JBE SHORT 00B3AD95 ; 改为JMP
00B3AD8E C685 34D9FF>MOV BYTE PTR SS:[EBP-26CC],1
00B3AD95 83BD E4D7FF>CMP DWORD PTR SS:[EBP-281C],0
00B3AD9C 0F85 8A0000>JNZ 00B3AE2C
00B3ADA2 0FB685 90D4>MOVZX EAX,BYTE PTR SS:[EBP-2B70]
00B3ADA9 85C0 TEST EAX,EAX
00B3ADAB 74 7F JE SHORT 00B3AE2C
00B3ADAD 6A 00 PUSH 0
00B3ADAF 8B85 94D4FF>MOV EAX,DWORD PTR SS:[EBP-2B6C]
00B3ADB5 C1E0 02 SHL EAX,2
00B3ADB8 50 PUSH EAX
00B3ADB9 8B85 0CD8FF>MOV EAX,DWORD PTR SS:[EBP-27F4]
00B3ADBF 0385 8CD4FF>ADD EAX,DWORD PTR SS:[EBP-2B74]
00B3ADC5 50 PUSH EAX
00B3ADC6 E8 B51C0000 CALL 00B3CA80
00B3ADCB 83C4 0C ADD ESP,0C
00B3ADCE 8B85 94D4FF>MOV EAX,DWORD PTR SS:[EBP-2B6C]
00B3ADD4 C1E0 02 SHL EAX,2
00B3ADD7 50 PUSH EAX
00B3ADD8 FFB5 6CD9FF>PUSH DWORD PTR SS:[EBP-2694]
00B3ADDE 8B85 0CD8FF>MOV EAX,DWORD PTR SS:[EBP-27F4]
00B3ADE4 0385 8CD4FF>ADD EAX,DWORD PTR SS:[EBP-2B74]
00B3ADEA 50 PUSH EAX
00B3ADEB E8 7E820000 CALL 00B4306E ; JMP to MSVCRT.memcpy
00B3ADF0 83C4 0C ADD ESP,0C
00B3ADF3 6A 01 PUSH 1
00B3ADF5 8B85 94D4FF>MOV EAX,DWORD PTR SS:[EBP-2B6C]
00B3ADFB C1E0 02 SHL EAX,2
00B3ADFE 50 PUSH EAX
00B3ADFF 8B85 0CD8FF>MOV EAX,DWORD PTR SS:[EBP-27F4]
00B3AE05 0385 8CD4FF>ADD EAX,DWORD PTR SS:[EBP-2B74]
00B3AE0B 50 PUSH EAX
00B3AE0C E8 6F1C0000 CALL 00B3CA80
00B3AE11 83C4 0C ADD ESP,0C
00B3AE14 8B85 6CD9FF>MOV EAX,DWORD PTR SS:[EBP-2694]
00B3AE1A 8985 B8AFFF>MOV DWORD PTR SS:[EBP+FFFFAFB8],EAX
00B3AE20 FFB5 B8AFFF>PUSH DWORD PTR SS:[EBP+FFFFAFB8]
00B3AE26 E8 3D820000 CALL 00B43068 ; JMP to MSVCRT.operator delete
00B3AE2B 59 POP ECX
00B3AE2C ^ E9 30F7FFFF JMP 00B3A561 ; 继续处理下一个模块的函数
处理完后,用ImportRec选择LOADDLL.EXE并加载被调试的DLL,填入OEP和IAT的起始地址,即可获得完整的IAT,修复时要注意映像基址不同,将得到的IAT地址RVA改为基于被调试DLL基址的RVA。
3.修复资源等
去掉ARM4.2产生的.text等5个段的内容和节表头,将.rsrc段保留,修改资源项的RVA。由于ARM4.2没有加密Relocation Table,所以只需将Relocation 的值改为.reloc段的RVA即可。