↑
【作者声明】:只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教
【调试环境】:WinXP、TheODBG、PEiD、LordPE、ImportREC
【脱壳过程】:
Armadillo V5.0X比之V4.X改变了一些,主程序采用了VC8编译
Armadillo新版加壳的输入表加密稍微有点变化。应朋友的邀请,简单写篇教程吧
一、Armadillo V5.0X PEiD Sign
?????????代码:
[Armadillo V5.00 Dll -> Silicon Realms Toolworks * Sign.By.fly]
signature = 83 7C 24 08 01 75 05 E8 DE 4B 00 00 FF 74 24 04 8B 4C 24 10 8B 54 24 0C E8 ED FE FF FF 59 C2 0C 00 6A 0C 68 ?? ?? ?? ?? E8 E5 24 00 00 8B 4D 08 33 FF 3B CF 76 2E 6A E0 58 33 D2 F7 F1 3B 45 0C 1B C0 40 75 1F E8 8F 15 00 00 C7 00 0C 00 00 00 57 57 57 57 57 E8 20 15 00 00 83 C4 14 33 C0 E9 D5 00 00 00 0F AF 4D 0C 8B F1 89 75 08 3B F7 75 03 33 F6 46 33 DB 89 5D E4 83 FE E0 77 69 83 3D ?? ?? ?? ?? 03 75 4B 83 C6 0F 83 E6 F0 89 75 0C 8B 45 08 3B 05 ?? ?? ?? ?? 77 37 6A 04 E8 D7 23 00 00 59 89 7D FC FF 75 08 E8 EC 53 00 00 59 89 45 E4 C7 45 FC FE FF FF FF E8 5F 00 00 00 8B 5D E4 3B DF 74 11 FF 75 08 57 53 E8 2B C5 FF FF 83 C4 0C 3B DF 75 61 56 6A 08 FF 35 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B D8 3B DF 75 4C 39 3D ?? ?? ?? ?? 74 33 56 E8 19 ED FF FF 59 85 C0 0F 85 72 FF FF FF 8B 45 10 3B C7 0F 84 50 FF FF FF C7 00 0C 00 00 00 E9 45 FF FF FF 33 FF 8B 75 0C 6A 04 E8 7D 22 00 00 59 C3
ep_only = true
[Armadillo V5.00 -> Silicon Realms Toolworks * Sign.By.fly]
signature = E8 E3 40 00 00 E9 16 FE FF FF 6A 0C 68 ?? ?? ?? ?? E8 44 15 00 00 8B 4D 08 33 FF 3B CF 76 2E 6A E0 58 33 D2 F7 F1 3B 45 0C 1B C0 40 75 1F E8 36 13 00 00 C7 00 0C 00 00 00 57 57 57 57 57 E8 C7 12 00 00 83 C4 14 33 C0 E9 D5 00 00 00 0F AF 4D 0C 8B F1 89 75 08 3B F7 75 03 33 F6 46 33 DB 89 5D E4 83 FE E0 77 69 83 3D ?? ?? ?? ?? 03 75 4B 83 C6 0F 83 E6 F0 89 75 0C 8B 45 08 3B 05 ?? ?? ?? ?? 77 37 6A 04 E8 48 11 00 00 59 89 7D FC FF 75 08 E8 01 49 00 00 59 89 45 E4 C7 45 FC FE FF FF FF E8 5F 00 00 00 8B 5D E4 3B DF 74 11 FF 75 08 57 53 E8 66 D3 FF FF 83 C4 0C 3B DF 75 61 56 6A 08 FF 35 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B D8 3B DF 75 4C 39 3D ?? ?? ?? ?? 74 33 56 E8 AF F9 FF FF 59 85 C0 0F 85 72 FF FF FF 8B 45 10 3B C7 0F 84 50 FF FF FF C7 00 0C 00 00 00 E9 45 FF FF FF 33 FF 8B 75 0C 6A 04 E8 EE 0F 00 00 59 C3
ep_only = true
[Armadillo V3.X-V5.X -> Silicon Realms Toolworks * Sign.By.fly]
signature = 60 E8 00 00 00 00 5D 50 51 0F CA F7 D2 9C F7 D2 0F CA EB 0F B9 EB 0F B8 EB 07 B9 EB 0F 90 EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC E9 9D 0F C9 8B CA F7 D1 59 58 50 51 0F CA F7 D2 9C F7 D2 0F CA EB 0F B9 EB 0F B8 EB 07 B9 EB 0F 90 EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC E9 9D 0F C9 8B CA F7 D1 59 58 50 51 0F CA F7 D2 9C F7 D2 0F CA EB 0F B9 EB 0F B8 EB 07 B9 EB 0F 90 EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC E9 9D 0F C9 8B CA F7 D1 59 58 60 33 C9 75 02 EB 15 EB 33
ep_only = true
二、Armadillo V5.0X EP
使用OllyDBG修改版TheODBG,使用IsDebug插件Hide,忽略所有的异常选项。
使用Armadillo V5.00的Standard Protection Only方式加壳Win98记事本作为试炼品
如果使用Standard Protection Plus Debug-Blocker方式加壳,则需要把双进程处理成单进程运行模式,处理方法和以前版本相同,使用OpenMutexA即可。代码:
00444DC2 E8 E3400000 call 00448EAA
//载入OllyDBG后暂停在EP
00444DC7 E9 16FEFFFF jmp 00444BE2
00444DCC 6A 0C push 0C
00444DCE 68 B0304700 push 4730B0
00444DD3 E8 44150000 call 0044631C
00444DD8 8B4D 08 mov ecx,dword ptr ss:[ebp+8]
00444DDB 33FF xor edi,edi
00444DDD 3BCF cmp ecx,edi
00444DDF 76 2E jbe short 00444E0F
00444DE1 6A E0 push -20
00444DE3 58 pop eax
00444DE4 33D2 xor edx,edx
00444DE6 F7F1 div ecx
00444DE8 3B45 0C cmp eax,dword ptr ss:[ebp+C]
00444DEB 1BC0 sbb eax,eax
00444DED 40 inc eax
00444DEE 75 1F jnz short 00444E0F
00444DF0 E8 36130000 call 0044612B
00444DF5 C700 0C000000 mov dword ptr ds:[eax],0C
00444DFB 57 push edi
00444DFC 57 push edi
00444DFD 57 push edi
00444DFE 57 push edi
00444DFF 57 push edi
00444E00 E8 C7120000 call 004460CC
00444E05 83C4 14 add esp,14
00444E08 33C0 xor eax,eax
00444E0A E9 D5000000 jmp 00444EE4
三、MagicJmp避开输入表加密
BP VirtualProtect
Shift+F9,中断后取消断点
BP CreateFileMappingA
Shift+F9,中断后取消断点
Ctrl+G:GetModuleHandleA
在GetModuleHandleA函数末尾处设断,防止壳检测函数首部的CC断点
注意看堆栈:代码:
7C80B6A1 8BFF mov edi,edi
7C80B6A3 55 push ebp
7C80B6A4 8BEC mov ebp,esp
7C80B6A6 837D 08 00 cmp dword ptr ss:[ebp+8],0
7C80B6AA 74 18 je short 7C80B6C4
7C80B6AC FF75 08 push dword ptr ss:[ebp+8]
7C80B6AF E8 C0290000 call 7C80E074
7C80B6B4 85C0 test eax,eax
7C80B6B6 74 08 je short 7C80B6C0
7C80B6B8 FF70 04 push dword ptr ds:[eax+4]
7C80B6BB E8 7D2D0000 call 7C80E43D ; kernel32.GetModuleHandleW
7C80B6C0 5D pop ebp
7C80B6C1 C2 0400 retn 4
//这里设断
Shift+F9代码:
00139478 00E05325 RETURN to 00E05325 from kernel32.GetModuleHandleA
0013947C 00E30C04 ASCII "kernel32.dll"
00139480 00E31AD0 ASCII "VirtualAlloc"
Shift+F9代码:
00139478 00E05343 RETURN to 00E05343 from kernel32.GetModuleHandleA
0013947C 00E30C04 ASCII "kernel32.dll"
00139480 00E31AC4 ASCII "VirtualFree"
[ESP+4]处依次显示:VirtualAlloc、VirtualFree,之后[ESP+8]处显示:kernel32.dll代码:
001391C4 00DE7F54 RETURN to 00DE7F54 from kernel32.GetModuleHandleA
001391C8 00139340 ASCII "kernel32.dll"
如果有试用提示等,则需要确定之
可以取消GetModuleHandleA函数末尾的断点了,F7返回00DE7F54调用处
这里处理完毕后需要恢复原来的代码,防止检验代码:
00DE7F4E FF15 C0E0E200 call dword ptr ds:[E2E0C0] ; kernel32.GetModuleHandleA
00DE7F54 8B55 F4 mov edx,dword ptr ss:[ebp-C]
//返回这里
00DE7F57 8B0D 7CDFE300 mov ecx,dword ptr ds:[E3DF7C]
00DE7F5D 890491 mov dword ptr ds:[ecx+edx*4],eax
00DE7F60 8B55 F4 mov edx,dword ptr ss:[ebp-C]
00DE7F63 A1 7CDFE300 mov eax,dword ptr ds:[E3DF7C]
00DE7F68 833C90 00 cmp dword ptr ds:[eax+edx*4],0
00DE7F6C 75 5C jnz short 00DE7FCA
00DE7F6E 8B4D F8 mov ecx,dword ptr ss:[ebp-8]
00DE7F71 8B51 08 mov edx,dword ptr ds:[ecx+8]
00DE7F74 83E2 02 and edx,2
00DE7F77 74 38 je short 00DE7FB1
00DE7F79 B8 0B000000 mov eax,0B
00DE7F7E C1E0 02 shl eax,2
00DE7F81 8B0D 04BBE300 mov ecx,dword ptr ds:[E3BB04]
00DE7F87 8B15 04BBE300 mov edx,dword ptr ds:[E3BB04]
00DE7F8D 8B35 04BBE300 mov esi,dword ptr ds:[E3BB04]
00DE7F93 8B5E 78 mov ebx,dword ptr ds:[esi+78]
00DE7F96 335A 34 xor ebx,dword ptr ds:[edx+34]
00DE7F99 331C01 xor ebx,dword ptr ds:[ecx+eax]
00DE7F9C 83E3 10 and ebx,10
00DE7F9F F7DB neg ebx
00DE7FA1 1BDB sbb ebx,ebx
00DE7FA3 F7DB neg ebx
00DE7FA5 0FB6C3 movzx eax,bl
00DE7FA8 85C0 test eax,eax
00DE7FAA 75 05 jnz short 00DE7FB1
00DE7FAC E9 1BFFFFFF jmp 00DE7ECC
00DE7FB1 8D8D C8FEFFFF lea ecx,dword ptr ss:[ebp-138]
00DE7FB7 51 push ecx
00DE7FB8 FF15 D4E1E200 call dword ptr ds:[E2E1D4] ; kernel32.LoadLibraryA
00DE7FBE 8B55 F4 mov edx,dword ptr ss:[ebp-C]
00DE7FC1 8B0D 7CDFE300 mov ecx,dword ptr ds:[E3DF7C]
00DE7FC7 890491 mov dword ptr ds:[ecx+edx*4],eax
00DE7FCA 8B55 F4 mov edx,dword ptr ss:[ebp-C]
00DE7FCD A1 7CDFE300 mov eax,dword ptr ds:[E3DF7C]
00DE7FD2 833C90 00 cmp dword ptr ds:[eax+edx*4],0
00DE7FD6 75 05 jnz short 00DE7FDD
//MagicJmp ★ 修改为NOP
Ctrl+B在下面搜索:EB 03 D6 D6
找到在00DE825A处,设断,Shift+F9
MagicJmp处理完了,可以看出与Armadillo V3.X-V4.X的处理没有大的不同代码:
00DE7FD8 E9 EFFEFFFF jmp 00DE7ECC
00DE7FDD C785 BCFEFFFF 0000>mov dword ptr ss:[ebp-144],0
00DE7FE7 C785 C0FEFFFF 0000>mov dword ptr ss:[ebp-140],0
00DE7FF1 8B4D F8 mov ecx,dword ptr ss:[ebp-8]
00DE7FF4 8B51 04 mov edx,dword ptr ds:[ecx+4]
00DE7FF7 8995 C4FEFFFF mov dword ptr ss:[ebp-13C],edx
00DE7FFD EB 0F jmp short 00DE800E
00DE7FFF 8B85 C4FEFFFF mov eax,dword ptr ss:[ebp-13C]
00DE8005 83C0 0C add eax,0C
00DE8008 8985 C4FEFFFF mov dword ptr ss:[ebp-13C],eax
00DE800E 8B8D C4FEFFFF mov ecx,dword ptr ss:[ebp-13C]
00DE8014 8339 00 cmp dword ptr ds:[ecx],0
00DE8017 74 11 je short 00DE802A
00DE8019 8B95 C0FEFFFF mov edx,dword ptr ss:[ebp-140]
00DE801F 83C2 01 add edx,1
00DE8022 8995 C0FEFFFF mov dword ptr ss:[ebp-140],edx
00DE8028 EB D5 jmp short 00DE7FFF
00DE802A 33C9 xor ecx,ecx
00DE802C 8B85 C0FEFFFF mov eax,dword ptr ss:[ebp-140]
00DE8032 BA 04000000 mov edx,4
00DE8037 F7E2 mul edx
00DE8039 0F90C1 seto cl
00DE803C F7D9 neg ecx
00DE803E 0BC8 or ecx,eax
00DE8040 51 push ecx
00DE8041 E8 09FD0200 call 00E17D4F
00DE8046 83C4 04 add esp,4
00DE8049 8985 7CFDFFFF mov dword ptr ss:[ebp-284],eax
00DE804F 8B45 F4 mov eax,dword ptr ss:[ebp-C]
00DE8052 8B0D 74DFE300 mov ecx,dword ptr ds:[E3DF74]
00DE8058 8B95 7CFDFFFF mov edx,dword ptr ss:[ebp-284]
00DE805E 891481 mov dword ptr ds:[ecx+eax*4],edx
00DE8061 33C9 xor ecx,ecx
00DE8063 8B85 C0FEFFFF mov eax,dword ptr ss:[ebp-140]
00DE8069 BA 04000000 mov edx,4
00DE806E F7E2 mul edx
00DE8070 0F90C1 seto cl
00DE8073 F7D9 neg ecx
00DE8075 0BC8 or ecx,eax
00DE8077 51 push ecx
00DE8078 E8 D2FC0200 call 00E17D4F
00DE807D 83C4 04 add esp,4
00DE8080 8985 78FDFFFF mov dword ptr ss:[ebp-288],eax
00DE8086 8B45 F4 mov eax,dword ptr ss:[ebp-C]
00DE8089 8B0D 78DFE300 mov ecx,dword ptr ds:[E3DF78]
00DE808F 8B95 78FDFFFF mov edx,dword ptr ss:[ebp-288]
00DE8095 891481 mov dword ptr ds:[ecx+eax*4],edx
00DE8098 8B45 F8 mov eax,dword ptr ss:[ebp-8]
00DE809B 8B48 04 mov ecx,dword ptr ds:[eax+4]
00DE809E 898D C4FEFFFF mov dword ptr ss:[ebp-13C],ecx
00DE80A4 EB 1E jmp short 00DE80C4
00DE80A6 8B95 C4FEFFFF mov edx,dword ptr ss:[ebp-13C]
00DE80AC 83C2 0C add edx,0C
00DE80AF 8995 C4FEFFFF mov dword ptr ss:[ebp-13C],edx
00DE80B5 8B85 BCFEFFFF mov eax,dword ptr ss:[ebp-144]
00DE80BB 83C0 01 add eax,1
00DE80BE 8985 BCFEFFFF mov dword ptr ss:[ebp-144],eax
00DE80C4 8B8D C4FEFFFF mov ecx,dword ptr ss:[ebp-13C]
00DE80CA 8339 00 cmp dword ptr ds:[ecx],0
00DE80CD 0F84 47010000 je 00DE821A
00DE80D3 68 00010000 push 100
00DE80D8 8D95 B8FDFFFF lea edx,dword ptr ss:[ebp-248]
00DE80DE 52 push edx
00DE80DF 8B85 C4FEFFFF mov eax,dword ptr ss:[ebp-13C]
00DE80E5 8B08 mov ecx,dword ptr ds:[eax]
00DE80E7 51 push ecx
00DE80E8 E8 E3A5FDFF call 00DC26D0
00DE80ED 83C4 0C add esp,0C
00DE80F0 8B15 04BBE300 mov edx,dword ptr ds:[E3BB04]
00DE80F6 A1 04BBE300 mov eax,dword ptr ds:[E3BB04]
00DE80FB 8B4A 68 mov ecx,dword ptr ds:[edx+68]
00DE80FE 3348 78 xor ecx,dword ptr ds:[eax+78]
00DE8101 8B15 04BBE300 mov edx,dword ptr ds:[E3BB04]
00DE8107 334A 34 xor ecx,dword ptr ds:[edx+34]
00DE810A A1 04BBE300 mov eax,dword ptr ds:[E3BB04]
00DE810F 3348 20 xor ecx,dword ptr ds:[eax+20]
00DE8112 898D 6CFDFFFF mov dword ptr ss:[ebp-294],ecx
00DE8118 8D8D B8FDFFFF lea ecx,dword ptr ss:[ebp-248]
00DE811E 51 push ecx
00DE811F 8B55 F4 mov edx,dword ptr ss:[ebp-C]
00DE8122 A1 7CDFE300 mov eax,dword ptr ds:[E3DF7C]
00DE8127 8B0C90 mov ecx,dword ptr ds:[eax+edx*4]
00DE812A 51 push ecx
00DE812B FF15 04E3E200 call dword ptr ds:[E2E304]
00DE8131 3385 6CFDFFFF xor eax,dword ptr ss:[ebp-294]
00DE8137 8B55 F4 mov edx,dword ptr ss:[ebp-C]
00DE813A 8B0D 74DFE300 mov ecx,dword ptr ds:[E3DF74]
00DE8140 8B1491 mov edx,dword ptr ds:[ecx+edx*4]
00DE8143 8B8D BCFEFFFF mov ecx,dword ptr ss:[ebp-144]
00DE8149 89048A mov dword ptr ds:[edx+ecx*4],eax
00DE814C 6A 01 push 1
00DE814E 8D95 B8FDFFFF lea edx,dword ptr ss:[ebp-248]
00DE8154 52 push edx
00DE8155 8B45 F4 mov eax,dword ptr ss:[ebp-C]
00DE8158 8B0D 7CDFE300 mov ecx,dword ptr ds:[E3DF7C]
00DE815E 8B1481 mov edx,dword ptr ds:[ecx+eax*4]
00DE8161 52 push edx
00DE8162 E8 D9090000 call 00DE8B40
00DE8167 83C4 0C add esp,0C
00DE816A 8B4D F4 mov ecx,dword ptr ss:[ebp-C]
00DE816D 8B15 78DFE300 mov edx,dword ptr ds:[E3DF78]
00DE8173 8B0C8A mov ecx,dword ptr ds:[edx+ecx*4]
00DE8176 8B95 BCFEFFFF mov edx,dword ptr ss:[ebp-144]
00DE817C 890491 mov dword ptr ds:[ecx+edx*4],eax
00DE817F 8B45 F4 mov eax,dword ptr ss:[ebp-C]
00DE8182 8B0D 78DFE300 mov ecx,dword ptr ds:[E3DF78]
00DE8188 8B1481 mov edx,dword ptr ds:[ecx+eax*4]
00DE818B 8B85 BCFEFFFF mov eax,dword ptr ss:[ebp-144]
00DE8191 833C82 00 cmp dword ptr ds:[edx+eax*4],0
00DE8195 75 32 jnz short 00DE81C9
00DE8197 6A 00 push 0
00DE8199 8D8D B8FDFFFF lea ecx,dword ptr ss:[ebp-248]
00DE819F 51 push ecx
00DE81A0 8B55 F4 mov edx,dword ptr ss:[ebp-C]
00DE81A3 A1 7CDFE300 mov eax,dword ptr ds:[E3DF7C]
00DE81A8 8B0C90 mov ecx,dword ptr ds:[eax+edx*4]
00DE81AB 51 push ecx
00DE81AC E8 8F090000 call 00DE8B40
00DE81B1 83C4 0C add esp,0C
00DE81B4 8B55 F4 mov edx,dword ptr ss:[ebp-C]
00DE81B7 8B0D 78DFE300 mov ecx,dword ptr ds:[E3DF78]
00DE81BD 8B1491 mov edx,dword ptr ds:[ecx+edx*4]
00DE81C0 8B8D BCFEFFFF mov ecx,dword ptr ss:[ebp-144]
00DE81C6 89048A mov dword ptr ds:[edx+ecx*4],eax
00DE81C9 8B55 F4 mov edx,dword ptr ss:[ebp-C]
00DE81CC A1 78DFE300 mov eax,dword ptr ds:[E3DF78]
00DE81D1 8B0C90 mov ecx,dword ptr ds:[eax+edx*4]
00DE81D4 8B15 04BBE300 mov edx,dword ptr ds:[E3BB04]
00DE81DA A1 04BBE300 mov eax,dword ptr ds:[E3BB04]
00DE81DF 8B35 04BBE300 mov esi,dword ptr ds:[E3BB04]
00DE81E5 8B3D 04BBE300 mov edi,dword ptr ds:[E3BB04]
00DE81EB 8B7F 68 mov edi,dword ptr ds:[edi+68]
00DE81EE 337E 78 xor edi,dword ptr ds:[esi+78]
00DE81F1 3378 34 xor edi,dword ptr ds:[eax+34]
00DE81F4 337A 20 xor edi,dword ptr ds:[edx+20]
00DE81F7 8B95 BCFEFFFF mov edx,dword ptr ss:[ebp-144]
00DE81FD 333C91 xor edi,dword ptr ds:[ecx+edx*4]
00DE8200 8B45 F4 mov eax,dword ptr ss:[ebp-C]
00DE8203 8B0D 78DFE300 mov ecx,dword ptr ds:[E3DF78]
00DE8209 8B1481 mov edx,dword ptr ds:[ecx+eax*4]
00DE820C 8B85 BCFEFFFF mov eax,dword ptr ss:[ebp-144]
00DE8212 893C82 mov dword ptr ds:[edx+eax*4],edi
00DE8215 E9 8CFEFFFF jmp 00DE80A6
00DE821A 8B0D 04BBE300 mov ecx,dword ptr ds:[E3BB04]
00DE8220 8B15 04BBE300 mov edx,dword ptr ds:[E3BB04]
00DE8226 A1 04BBE300 mov eax,dword ptr ds:[E3BB04]
00DE822B 8B35 04BBE300 mov esi,dword ptr ds:[E3BB04]
00DE8231 8B76 18 mov esi,dword ptr ds:[esi+18]
00DE8234 3370 34 xor esi,dword ptr ds:[eax+34]
00DE8237 3372 50 xor esi,dword ptr ds:[edx+50]
00DE823A 3371 7C xor esi,dword ptr ds:[ecx+7C]
00DE823D 8B4D F4 mov ecx,dword ptr ss:[ebp-C]
00DE8240 8B15 7CDFE300 mov edx,dword ptr ds:[E3DF7C]
00DE8246 33348A xor esi,dword ptr ds:[edx+ecx*4]
00DE8249 8B45 F4 mov eax,dword ptr ss:[ebp-C]
00DE824C 8B0D 7CDFE300 mov ecx,dword ptr ds:[E3DF7C]
00DE8252 893481 mov dword ptr ds:[ecx+eax*4],esi
00DE8255 E9 72FCFFFF jmp 00DE7ECC
00DE825A EB 03 jmp short 00DE825F
//中断后取消断点,恢复00DE7FD6处原来的代码
00DE825C D6 salc
00DE825D D6 salc
00DE825E 8F ???
00DE825F 8B15 8C4CE400 mov edx,dword ptr ds:[E44C8C]
00DE8265 8995 B4FDFFFF mov dword ptr ss:[ebp-24C],edx
00DE826B 83BD B4FDFFFF 00 cmp dword ptr ss:[ebp-24C],0
00DE8272 74 36 je short 00DE82AA
00DE8274 8B85 B4FDFFFF mov eax,dword ptr ss:[ebp-24C]
00DE827A 8338 00 cmp dword ptr ds:[eax],0
00DE827D 74 2B je short 00DE82AA
其实也可以在下面的流程中避开输入表加密,并且去掉填充输入表DLL间的垃圾数据,这里就不写了,放脚本里面处理吧
三、OEP
BP CreateThread
Shift+F9中断后取消断点,Alt+F9返回
Ctrl+B在下面搜索:FF D1 89 45 FC 8B 45 FC代码:
00DA3646 FF15 64E1DD00 call dword ptr ds:[DDE164] ; kernel32.CreateThread
00DA364C 50 push eax
//返回这里
00DA364D FF15 84E2DD00 call dword ptr ds:[DDE284] ; kernel32.CloseHandle
00DA3653 5E pop esi
00DA3654 5B pop ebx
00DA3655 8BE5 mov esp,ebp
00DA3657 5D pop ebp
00DA3658 C3 retn
//返回00DBF1EF处
找到在00DBF2F4处,设断,Shift+F9
代码:
00DBF1EA E8 2143FEFF call 00DA3510
00DBF1EF 83C4 04 add esp,4
00DBF1F2 B9 B8B4DE00 mov ecx,0DEB4B8
00DBF1F7 E8 B4BFFBFF call 00D7B1B0
00DBF1FC 0FB6D0 movzx edx,al
00DBF1FF 85D2 test edx,edx
00DBF201 74 0C je short 00DBF20F
00DBF203 6A 01 push 1
00DBF205 B9 B8B4DE00 mov ecx,0DEB4B8
00DBF20A E8 11A6FCFF call 00D89820
00DBF20F C705 3877DE00 081C>mov dword ptr ds:[DE7738],0DE1C08
00DBF219 B9 04A6DE00 mov ecx,0DEA604
00DBF21E E8 5D36FBFF call 00D72880
00DBF223 C745 F0 00000000 mov dword ptr ss:[ebp-10],0
00DBF22A 8D45 E8 lea eax,dword ptr ss:[ebp-18]
00DBF22D 50 push eax
00DBF22E 68 10F3DB00 push 0DBF310
00DBF233 FF15 74B1DE00 call dword ptr ds:[DEB174]
00DBF239 83C4 08 add esp,8
00DBF23C 8B0D 1CBBDE00 mov ecx,dword ptr ds:[DEBB1C]
00DBF242 894D E4 mov dword ptr ss:[ebp-1C],ecx
00DBF245 BA 07000000 mov edx,7
00DBF24A C1E2 02 shl edx,2
00DBF24D A1 04BBDE00 mov eax,dword ptr ds:[DEBB04]
00DBF252 8B0D 04BBDE00 mov ecx,dword ptr ds:[DEBB04]
00DBF258 8B35 04BBDE00 mov esi,dword ptr ds:[DEBB04]
00DBF25E 8B76 04 mov esi,dword ptr ds:[esi+4]
00DBF261 3371 34 xor esi,dword ptr ds:[ecx+34]
00DBF264 333410 xor esi,dword ptr ds:[eax+edx]
00DBF267 0375 E4 add esi,dword ptr ss:[ebp-1C]
00DBF26A 8975 F4 mov dword ptr ss:[ebp-C],esi
00DBF26D 8B55 08 mov edx,dword ptr ss:[ebp+8]
00DBF270 833A 00 cmp dword ptr ds:[edx],0
00DBF273 75 3E jnz short 00DBF2B3
00DBF275 A1 04BBDE00 mov eax,dword ptr ds:[DEBB04]
00DBF27A 8B0D 04BBDE00 mov ecx,dword ptr ds:[DEBB04]
00DBF280 8B50 68 mov edx,dword ptr ds:[eax+68]
00DBF283 3351 34 xor edx,dword ptr ds:[ecx+34]
00DBF286 A1 04BBDE00 mov eax,dword ptr ds:[DEBB04]
00DBF28B 3350 60 xor edx,dword ptr ds:[eax+60]
00DBF28E 8955 E0 mov dword ptr ss:[ebp-20],edx
00DBF291 8B4D 08 mov ecx,dword ptr ss:[ebp+8]
00DBF294 8B51 18 mov edx,dword ptr ds:[ecx+18]
00DBF297 52 push edx
00DBF298 8B45 08 mov eax,dword ptr ss:[ebp+8]
00DBF29B 8B48 14 mov ecx,dword ptr ds:[eax+14]
00DBF29E 51 push ecx
00DBF29F 8B55 08 mov edx,dword ptr ss:[ebp+8]
00DBF2A2 8B42 10 mov eax,dword ptr ds:[edx+10]
00DBF2A5 50 push eax
00DBF2A6 8B4D F4 mov ecx,dword ptr ss:[ebp-C]
00DBF2A9 2B4D E0 sub ecx,dword ptr ss:[ebp-20]
00DBF2AC FFD1 call ecx
00DBF2AE 8945 FC mov dword ptr ss:[ebp-4],eax
00DBF2B1 EB 46 jmp short 00DBF2F9
00DBF2B3 8B55 08 mov edx,dword ptr ss:[ebp+8]
00DBF2B6 833A 01 cmp dword ptr ds:[edx],1
00DBF2B9 75 3E jnz short 00DBF2F9
00DBF2BB A1 04BBDE00 mov eax,dword ptr ds:[DEBB04]
00DBF2C0 8B0D 04BBDE00 mov ecx,dword ptr ds:[DEBB04]
00DBF2C6 8B50 68 mov edx,dword ptr ds:[eax+68]
00DBF2C9 3351 34 xor edx,dword ptr ds:[ecx+34]
00DBF2CC A1 04BBDE00 mov eax,dword ptr ds:[DEBB04]
00DBF2D1 3350 60 xor edx,dword ptr ds:[eax+60]
00DBF2D4 8955 DC mov dword ptr ss:[ebp-24],edx
00DBF2D7 8B4D 08 mov ecx,dword ptr ss:[ebp+8]
00DBF2DA 8B51 04 mov edx,dword ptr ds:[ecx+4]
00DBF2DD 52 push edx
00DBF2DE 8B45 08 mov eax,dword ptr ss:[ebp+8]
00DBF2E1 8B48 08 mov ecx,dword ptr ds:[eax+8]
00DBF2E4 51 push ecx
00DBF2E5 6A 00 push 0
00DBF2E7 8B55 08 mov edx,dword ptr ss:[ebp+8]
00DBF2EA 8B42 0C mov eax,dword ptr ds:[edx+C]
00DBF2ED 50 push eax
00DBF2EE 8B4D F4 mov ecx,dword ptr ss:[ebp-C]
00DBF2F1 2B4D DC sub ecx,dword ptr ss:[ebp-24]
00DBF2F4 FFD1 call ecx ; Armadill.004010CC
//设断,中断后取消断点,F7进入
//飞向光明之巅 ^Q^
00DBF2F6 8945 FC mov dword ptr ss:[ebp-4],eax
00DBF2F9 8B45 FC mov eax,dword ptr ss:[ebp-4]
00DBF2FC 5E pop esi
00DBF2FD 8BE5 mov esp,ebp
00DBF2FF 5D pop ebp
00DBF300 C3 retn
运行ImportREC,选择这个进程代码:
004010CC 55 push ebp
//OEP
004010CD 8BEC mov ebp,esp
004010CF 83EC 44 sub esp,44
004010D2 56 push esi
004010D3 FF15 E0634000 call dword ptr ds:[4063E0] ; kernel32.GetCommandLineA
004010D9 8BF0 mov esi,eax
004010DB 8A00 mov al,byte ptr ds:[eax]
004010DD 3C 22 cmp al,22
004010DF 75 13 jnz short 004010F4
把OEP改为000010CC,点IT AutoSearch,点Get Import,Cut掉填充在DLL间的无效指针FixDump,正常运行
Game Over
代码:
, _/
/| _.-~/ \_ , 青春都一晌
( /~ / \~-._ |\
`\\ _/ \ ~\ ) 忍把浮名
_-~~~-.) )__/;;,. \_ //'
/'_,\ --~ \ ~~~- ,;;\___( (.-~~~-. 换了破解轻狂
`~ _( ,_..--\ ( ,;'' / ~-- /._`\
/~~//' /' `~\ ) /--.._, )_ `~
" `~" " `" /~'`\ `\\~~\
" " "~' ""
fly [CUG]
http://unpack.cn
http://www.unpack.cn
2007.09.16 00:00