我刚看到原来论坛上已经有大虾把 PE-LOCK 1.0X 脱了
本来不想发这篇文章,想想既然写了 就发了算了
这个软件是个国内有名的木马,不敢说它的名字,为了逆向学习它的内容
(不是为了搞破坏) 我就试着脱了一下它的壳
找OEP:
我用的是比较原始的方法,在最后一次异常后,单步跟,最后找到
fake oep: 005c694d
补上偷的部分在:
005c692d:
push ebp
mov ebp,esp
add esp,-10
push ebx
push esi
jmp 005c694d
根据后面的单步可以判断是DELPHI
修补IAT:
Ctrl+F2
在[5D4328]下内存写入断点
边 SHIFT+F9 边看，找出哪个异常是用来填充 IAT 的
第一次中断在第7个异常 但只是中间解码
去掉内存断点 跳出循环 再下一次
边SHIFT+F9 边看 到倒数第2个循环被断下
去掉断点 单步
这时还不是 重复刚才的操作 (可以根据观察内容判断)
一直来到
00374661 mov [ecx],ebx ;ebx=HOOK的地址
呵呵 就在这下手吧 观察到此时EAX=要HOOK的API地址
用脚本把这一句改为:
mov [ecx],eax
我的方法比较笨(这也没办法,主要是人笨),把HOOK的地址改了
注意这里有校验，你改完后要再改回来
校验在:
003741c4: test eax,eax
je 00375c12
mov edx,eax
mov esi,edi
mov al,[esi] ;esi=ASCII"kernel32.dll"
inc esi
test al,al
jnz 00374293
mov eax,[esi+1]
mov ecx,6b3
sub eax,[ebp+ecx*4+3b14] ;eax=像密文似的东东(这是那个校验和)
rol eax,cl
dec ecx
jnz 00374351
mov cl,[esi] ;esi=008c000d
add esi,5
push ecx
push eax
push edx ;edx=7c800000
push dword ptr[ebp] ;ebp=0037062d
call 00370005 ;这是处理DLL的地方
说说壳 HOOK 的办法，总共有 8 种加花指令方式（这里的各种方式不是独立的，还有各种组合）
我跟了第一个API的
处理2:
mov al,68(push的机器码)
stosb (edi=hook 地址)
push edi
stosd
mov dl,3
跳回处理的地方，因为前面设了 dl=3，所以跳到处理 3
处理3:
mov ah,1
stosw
mov al,bl
stosb
mov al,0c3 (retn)
mov ah,dl
stosw
pop eax(eax=处理2中没处理好的地方)
mov [eax],edi
test al,1
je 0037524c
以上是第一个API的HOOK地址的前奏-----花指令
然后就要STOLEN API了 用到如下算法
用来确定一条OPCODE的长度:
0037501d: mov eax,[esi] ;esi=api地址
mov edx,eax
cmp al,0cc
jnz 00375054
0037508d cmp al,0eb(判断是否是短JMP)跳转1
je 00375149
and ah,0f0(将AH低4位清零)
cmp ax,800f(判断是否为长je jne 之类)
je 00375149
and al,0fe(将AL最低位清,为了与JMP区别)
cmp al,0e8(判断是否为长CALL)
je 00375149
cmp al,0c2(判断是否为retn+参数)
and al,0fch(将AL低2位清零)
cmp al,0e0(判断是否为 LOOP/JCXZ 类短跳转)
je 00375149
and al,0f0(将AL低4位清零)
cmp al,70h(判断是否为短条件跳转 Jcc)
je 00375149
xchg eax,edx(将变完型的取回)
and ax,38ff(将 AH 的高 2 位清零,将 AH 的低 3 位清零)
cmp ax,10ff(判断是否为call [********]形式)
je 00375149
cmp ax,20ff(没查到是什么；按 FF /4 的编码来看应该是 jmp [********] 形式)
je 00375149
push esi(最普通的OPCODE)
call 00375310
如果是最普通的代码就STOLEN,前面的为特殊的,STOLEN完就不再STOLEN了
普通处理的代码,我跟了,是用一个大的数组存相应的数据
而那些数据决定了代码的走向
表如下:
因为我对机器码和汇编的对应关系不熟，就先不献丑分析了
0037531A 00 40 00 00 00 40 00 00 00 40 00 00 00 40 00 00 .@...@...@...@..
0037532A 00 80 00 00 00 80 00 00 00 00 00 00 00 00 00 00 .?..?.........
0037533A 00 40 00 00 00 40 00 00 00 40 00 00 00 40 00 00 .@...@...@...@..
0037534A 00 80 00 00 00 80 00 00 00 00 00 00 00 00 00 00 .?..?.........
0037535A 00 40 00 00 00 40 00 00 00 40 00 00 00 40 00 00 .@...@...@...@..
0037536A 00 80 00 00 00 80 00 00 00 00 00 00 00 00 00 00 .?..?.........
0037537A 00 40 00 00 00 40 00 00 00 40 00 00 00 40 00 00 .@...@...@...@..
0037538A 00 80 00 00 00 80 00 00 00 00 00 00 00 00 00 00 .?..?.........
0037539A 00 40 00 00 00 40 00 00 00 40 00 00 00 40 00 00 .@...@...@...@..
003753AA 00 80 00 00 00 80 00 00 08 00 00 00 00 00 00 00 .?..?........
003753BA 00 40 00 00 00 40 00 00 00 40 00 00 00 40 00 00 .@...@...@...@..
003753CA 00 80 00 00 00 80 00 00 08 00 00 00 00 00 00 00 .?..?........
003753DA 00 40 00 00 00 40 00 00 00 40 00 00 00 40 00 00 .@...@...@...@..
003753EA 00 80 00 00 00 80 00 00 08 00 00 00 00 00 00 00 .?..?........
003753FA 00 40 00 00 00 40 00 00 00 40 00 00 00 40 00 00 .@...@...@...@..
0037540A 00 80 00 00 00 80 00 00 08 00 00 00 00 00 00 00 .?..?........
0037541A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0037542A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0037543A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0037544A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0037545A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0037546A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0037547A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0037548A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0037549A 00 00 00 00 00 00 00 00 00 40 00 00 00 40 00 00 .........@...@..
003754AA 08 00 00 00 08 00 00 00 08 10 00 00 18 00 00 00 ...........
003754BA 00 20 00 00 00 60 00 00 00 01 00 00 00 41 00 00 . ...`......A..
003754CA 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
003754DA 00 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 ............
003754EA 00 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 ............
003754FA 00 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 ............
0037550A 00 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 ............
0037551A 00 41 00 00 00 60 00 00 00 41 00 00 00 41 00 00 .A...`...A...A..
0037552A 00 40 00 00 00 40 00 00 00 40 00 00 00 40 00 00 .@...@...@...@..
0037553A 00 40 00 00 00 40 00 00 00 40 00 00 00 40 00 00 .@...@...@...@..
0037554A 00 40 00 00 00 40 00 00 00 40 00 00 00 40 00 00 .@...@...@...@..
0037555A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0037556A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0037557A 00 00 00 00 00 00 00 00 02 20 00 00 00 00 00 00 ........ ......
0037558A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0037559A 20 00 00 00 20 00 00 00 20 00 00 00 20 00 00 00 ... ... ... ...
003755AA 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
003755BA 00 01 00 00 00 20 00 00 00 00 00 00 00 00 00 00 .... ..........
003755CA 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
003755DA 00 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 ............
003755EA 00 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 ............
003755FA 00 20 00 00 00 20 00 00 00 20 00 00 00 20 00 00 . ... ... ... ..
0037560A 00 20 00 00 00 20 00 00 00 20 00 00 00 20 00 00 . ... ... ... ..
0037561A 00 41 00 00 00 41 00 00 00 02 00 00 00 00 00 00 .A...A.........
0037562A 00 40 00 00 00 40 00 00 00 41 00 00 00 60 00 00 .@...@...A...`..
0037563A 00 03 00 00 00 00 00 00 00 02 00 00 00 00 00 00 ..............
0037564A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0037565A 00 40 00 00 00 40 00 00 00 40 00 00 00 40 00 00 .@...@...@...@..
0037566A 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 ..............
0037567A 00 40 00 00 00 40 00 00 00 40 00 00 00 40 00 00 .@...@...@...@..
0037568A 00 40 00 00 00 40 00 00 00 40 00 00 00 40 00 00 .@...@...@...@..
0037569A 00 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 ............
003756AA 00 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 ............
003756BA 00 20 00 00 00 20 00 00 02 20 00 00 00 01 00 00 . ... .. .....
003756CA 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
003756DA 08 00 00 00 00 00 00 00 08 00 00 00 08 00 00 00 .............
003756EA 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
003756FA 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0037570A 00 00 00 00 00 00 00 00 00 40 00 00 00 40 00 00 .........@...@..
表结束
如:
取第一个字节，如果是 0C 就将其乘 4，在表中找到对应的数字，然后将其送入 DL，再据此判断来选择流程
脱壳后的修复:
要改的396c08为写入的地址
00396838 mov byte ptr[esi],dl ;esi=00396c08
还是脚本,很简单
代码还要用到壳中的内容,所以只要把VIRTUALALLOC申请的那部分补在原程序中就行了
DUMP后就可以了
资源靠那个工具修,而减肥就得看看CcDebuger兄的那篇文章了
脚本在附件中,我的脚本有局限性,代码写的也很差,因为是第一个脚本
大家就凑合着看吧
- 标 题: 纯粹灌水
- 作 者:yiyiguxing
- 时 间:2007-01-20 13:25
- 链 接:http://bbs.pediy.com/showthread.php?t=38266