新版ACProtect v1.21的手动脱壳
操作系统:WIN2K
工具:OLLYDBG1.1,ImportREC,LordPE
下载地址: http://www.ultraprotect.com/acpr_pro.exe
脱壳程序:用ACPr1.21注册版加壳WIN98记事本
脱壳过程:
1.寻找Stolen code的变形及其伪OEP。
用OLLYDBG1.1加载后,停留在程序的入口:
0040D000 >pushad
0040D001 jo Notepad1.0040D009
0040D007 adc ebx,eax
0040D009 xor ebx,eax
0040D00B stc
0040D00C inc edx
0040D00D jno short Notepad1.0040D010
0040D00F cld
用IsDebug 1.4插件去掉Ollydbg的调试器标志。忽略除了“int3异常”之外的所有其他异常选项。
查看堆栈esp=12ffc4,我们知道程序入口的第一条指令都是Push ebp,那么执行后必然会引起堆栈变化,因此利用此特性来设置硬件访问断点:去转存窗口,Ctrl+G:0012FFC0(入口esp-4),在0012FFC0处的4个字节上下“硬件访问->DWord”断点。
F9开始运行,断下,再取消该硬件断点。
0041E700 mov dword ptr ds:[40DEAB],edi
0041E706 push dword ptr ds:[40DEAB]
0041E70C push esi
0041E70D mov esi,Notepad1.0040DEF3
0041E712 mov edi,esi
0041E714 pop esi ; KERNEL32.77E887E7
0041E715 mov dword ptr ds:[edi],ebx
0041E717 mov edi,dword ptr ss:[esp] ; KERNEL32.77E887E7
0041E71A pop dword ptr ds:[40DEA7] ;
0041E720 push dword ptr ds:[40DEF3]
0041E726 pop dword ptr ds:[40DF07] ; KERNEL32.77E887E7
0041E72C push dword ptr ds:[40DF07]
0041E732 mov dword ptr ss:[esp],ebp //push ebp的变形,第一行
0041E735 mov dword ptr ds:[40DF0F],esp
0041E73B push edi
0041E73C mov edi,Notepad1.0040DEEB
0041E741 mov dword ptr ds:[edi],edx
0041E743 pop edi ; KERNEL32.77E887E7
0041E744 push dword ptr ds:[40DEEB]
0041E74A mov dword ptr ss:[esp],eax
0041E74D mov dword ptr ss:[esp],esi
0041E750 pushad
0041E751 call Notepad1.0041A460
0041E756 call Notepad1.0041E75B
0041E75B pop ebx ; KERNEL32.77E887E7
0041E75C sub ebx,dword ptr ss:[ebp+4023EC]
0041E762 sub ebx,1175B
0041E768 mov dword ptr ss:[ebp+40D2AA],ebx
0041E76E popad
0041E76F push edx
0041E770 pop dword ptr ds:[40DEE7] ; KERNEL32.77E887E7
0041E776 push dword ptr ds:[40DEE7]
0041E77C mov dword ptr ss:[esp],ecx
0041E77F push esi
0041E780 pop dword ptr ds:[40DEE3] ; KERNEL32.77E887E7
0041E786 push dword ptr ds:[40DEE3]
0041E78C push ebx
0041E78D mov dword ptr ss:[esp],Notepad1.0040DF0F
0041E794 pop dword ptr ds:[40DEA3] ; KERNEL32.77E887E7
0041E79A mov esi,dword ptr ds:[40DEA3]
0041E7A0 mov dword ptr ds:[40DE9F],esi
0041E7A6 push dword ptr ds:[40DE9F]
0041E7AC pop dword ptr ds:[40DE9B] ; KERNEL32.77E887E7
0041E7B2 mov ecx,dword ptr ds:[40DE9B]
0041E7B8 mov esi,dword ptr ss:[esp] ; KERNEL32.77E887E7
0041E7BB nop
0041E7BC nop
0041E7BD nop
0041E7BE nop
0041E7BF pushad
0041E7C0 call Notepad1.0041A460
0041E7C5 call Notepad1.0041A1FE
0041E7CA mov dword ptr ss:[ebp+40E205],eax
0041E7D0 popad
0041E7D1 pop dword ptr ds:[40DEDF] ; KERNEL32.77E887E7
0041E7D7 mov dword ptr ds:[40DE97],eax
0041E7DD push dword ptr ds:[40DE97]
0041E7E3 mov dword ptr ss:[esp],ebx
0041E7E6 push edi
0041E7E7 mov edi,Notepad1.0040DEDB
0041E7EC mov dword ptr ds:[edi],ecx
0041E7EE pop edi ; KERNEL32.77E887E7
0041E7EF push edi
0041E7F0 mov edi,Notepad1.0040DEDB
0041E7F5 mov ebx,dword ptr ds:[edi]
0041E7F7 pop edi ; KERNEL32.77E887E7
0041E7F8 mov dword ptr ds:[40DE93],eax
0041E7FE push dword ptr ds:[40DE93]
0041E804 push ebx
0041E805 pop eax ; KERNEL32.77E887E7
0041E806 push edx
0041E807 mov edx,eax
0041E809 mov esi,edx
0041E80B pop edx ; KERNEL32.77E887E7
0041E80C pop dword ptr ds:[40DE8F] ; KERNEL32.77E887E7
0041E812 mov eax,dword ptr ds:[40DE8F]
0041E818 pop dword ptr ds:[40DED7] ; KERNEL32.77E887E7
0041E81E push eax
0041E81F nop
0041E820 nop
0041E821 pushad
0041E822 call Notepad1.0041A460
0041E827 mov byte ptr ss:[ebp+40D1D0],0
0041E82E popad
0041E82F mov eax,Notepad1.0040DED7
0041E834 mov ebx,dword ptr ds:[eax]
0041E836 pop eax ; KERNEL32.77E887E7
0041E837 pop dword ptr ds:[40DEEF] ; KERNEL32.77E887E7
0041E83D push dword ptr ds:[40DEEF]
0041E843 pop dword ptr ds:[40DE8B] ; KERNEL32.77E887E7
0041E849 mov ecx,dword ptr ds:[40DE8B]
0041E84F mov ebp,dword ptr ds:[esi] //mov ebp,esp变形,第2行
0041E851 pop dword ptr ds:[40DF03] ; KERNEL32.77E887E7
0041E857 mov dword ptr ds:[40DE87],ebx
0041E85D push dword ptr ds:[40DE87]
0041E863 mov dword ptr ss:[esp],edx
0041E866 mov dword ptr ds:[40DE83],eax
0041E86C push dword ptr ds:[40DE83]
0041E872 push Notepad1.0040DF03
0041E877 pop eax ; KERNEL32.77E887E7
0041E878 mov dword ptr ds:[40DE7F],eax
0041E87E nop
0041E87F pushad
0041E880 call Notepad1.0041C69A
0041E885 popad
0041E886 mov edx,dword ptr ds:[40DE7F]
0041E88C mov eax,dword ptr ss:[esp] ; KERNEL32.77E887E7
0041E88F pop dword ptr ds:[40DE7B] ; KERNEL32.77E887E7
0041E895 mov esi,dword ptr ds:[edx]
0041E897 mov edx,dword ptr ss:[esp] ; KERNEL32.77E887E7
0041E89A pop dword ptr ds:[40DED3] ; KERNEL32.77E887E7
0041E8A0 sub esp,44 //第3行,没有任何变形
0041E8A3 push ecx
0041E8A4 pop dword ptr ds:[40DECF] ; KERNEL32.77E887E7
0041E8AA push dword ptr ds:[40DECF]
0041E8B0 push ebx
0041E8B1 mov ebx,Notepad1.0040DEFF
0041E8B6 mov dword ptr ds:[40DECB],ebx
0041E8BC pop ebx ; KERNEL32.77E887E7
0041E8BD push edi
0041E8BE mov edi,Notepad1.0040DECB
0041E8C3 mov ecx,dword ptr ds:[edi]
0041E8C5 pop edi ; KERNEL32.77E887E7
0041E8C6 mov dword ptr ds:[ecx],eax
0041E8C8 pop dword ptr ds:[40DEC7] ; KERNEL32.77E887E7
0041E8CE push ebx
0041E8CF mov ebx,Notepad1.0040DEC7
0041E8D4 mov ecx,dword ptr ds:[ebx]
0041E8D6 pushad
0041E8D7 call Notepad1.0041C437
0041E8DC popad
0041E8DD pop ebx ; KERNEL32.77E887E7
0041E8DE push dword ptr ds:[40DEFF]
0041E8E4 push edx
0041E8E5 pop dword ptr ds:[40DEC3] ; KERNEL32.77E887E7
0041E8EB push dword ptr ds:[40DEC3]
0041E8F1 push esi
0041E8F2 mov dword ptr ss:[esp],ebx
0041E8F5 mov dword ptr ds:[40DE77],Notepad1.0040D>
0041E8FF mov ebx,dword ptr ds:[40DE77]
0041E905 push ebx
0041E906 pop edx ; KERNEL32.77E887E7
0041E907 pop ebx ; KERNEL32.77E887E7
0041E908 push esi
0041E909 mov esi,Notepad1.0040DEFB
0041E90E mov dword ptr ds:[esi],edx
0041E910 pop esi ; KERNEL32.77E887E7
0041E911 pop dword ptr ds:[40DEBF] ; KERNEL32.77E887E7
0041E917 mov edx,dword ptr ds:[40DEBF]
0041E91D mov dword ptr ds:[40DEBB],ebx
0041E923 push dword ptr ds:[40DEBB]
0041E929 push eax
0041E92A nop
0041E92B nop
0041E92C nop
0041E92D pushad
0041E92E call Notepad1.0041E6B9
0041E933 popad
0041E934 mov eax,Notepad1.0040DEFB
0041E939 mov ebx,eax
0041E93B pop eax ; KERNEL32.77E887E7
0041E93C mov eax,dword ptr ds:[ebx]
0041E93E mov ebx,dword ptr ss:[esp] ; KERNEL32.77E887E7
0041E941 pop dword ptr ds:[40DEB7] ; KERNEL32.77E887E7
0041E947 mov dword ptr ds:[eax],esi
0041E949 pop dword ptr ds:[40DEF7] ; KERNEL32.77E887E7
0041E94F mov dword ptr ds:[40DEB3],ecx
0041E955 push dword ptr ds:[40DEB3]
0041E95B push edx
0041E95C mov edx,Notepad1.0040DEF7
0041E961 mov ecx,edx
0041E963 pop edx ; KERNEL32.77E887E7
0041E964 mov eax,dword ptr ds:[ecx]
0041E966 pop dword ptr ds:[40DEAF] ; KERNEL32.77E887E7
0041E96C mov ecx,dword ptr ds:[40DEAF]
0041E972 push dword ptr ds:[40DF0B] //push esi的变形,第4行
0041E978 nop
0041E979 nop
0041E97A nop
0041E97B nop
0041E97C nop
0041E97D nop
0041E97E nop
0041E97F nop
0041E980 nop
0041E981 nop
0041E982 nop
0041E983 nop
以上代码一步一步按F7跟踪,以便分析得出正确的stolen code,注意比较前后esp的变化,然后记录还原出的代码。到0041E978后按F9继续运行,出现异常中断:
0041BCFE int3
0041BCFF nop
0041BD00 pop dword ptr fs:[0] ; 0012FFE0
0041BD06 add esp,4
0041BD09 pushad
0041BD0A call Notepad1.0041BD0F
0041BD0F pop esi ; 0012FFE0
0041BD10 sub esi,6
0041BD13 mov ecx,5B
0041BD18 sub esi,ecx
0041BD1A mov edx,63182994
0041BD1F shr ecx,2
0041BD22 sub ecx,2
0041BD25 cmp ecx,0
0041BD28 jl short Notepad1.0041BD44
0041BD2A mov eax,dword ptr ds:[esi+ecx*4]
0041BD2D mov ebx,dword ptr ds:[esi+ecx*4+4]
0041BD31 sub eax,ebx
0041BD33 rol eax,10
0041BD36 add eax,edx
0041BD38 xor edx,A4DE41D3
0041BD3E mov dword ptr ds:[esi+ecx*4],eax
0041BD41 dec ecx
0041BD42 jmp short Notepad1.0041BD25
0041BD44 popad
0041BD45 popad
0041BD46 retn //在此处按F2,然后按shift-F9,停在此处再按F2取消,F7走1步
去转存窗口,Ctrl+G:0012FF58 到达0012FF58内存处
在0012FF58处的4个字节上下“硬件访问->DWord”断点,F9运行,断下!然后删除该硬件断点。
004260E3 call dword ptr ds:[4063E4] //stolen code的第5行,没有变形
004260E9 push ebx
004260EA pop dword ptr ds:[40DEFF]
004260F0 push dword ptr ds:[40DEFF]
004260F6 pop dword ptr ds:[40DF0F]
004260FC push dword ptr ds:[40DF0F]
00426102 mov dword ptr ds:[40DEE7],esi
00426108 push dword ptr ds:[40DEE7]
0042610E mov dword ptr ss:[esp],edi
00426111 mov dword ptr ds:[40DEE3],Notepad1.0040DF0B
0042611B push dword ptr ds:[40DEE3]
00426121 pop dword ptr ds:[40DEDF]
00426127 mov edi,dword ptr ds:[40DEDF]
0042612D mov dword ptr ds:[edi],eax //保存eax到[40DF0B]
0042612F nop
00426130 nop
00426131 nop
00426132 nop
00426133 pushad
00426134 call Notepad1.0041A460
00426139 mov eax,dword ptr ss:[ebp+41A27A]
0042613F add eax,dword ptr ss:[ebp+40D2AA] //计算伪OEP值,EAX=004010DD
00426145 mov dword ptr ss:[ebp+41A27A],eax
0042614B popad
0042614C pop dword ptr ds:[40DEFB] ; Notepad1.0040DF0B
00426152 push dword ptr ds:[40DEFB] ; Notepad1.0040DF0B
00426158 pop edi
00426159 push dword ptr ds:[40DF0B]
0042615F mov ebx,dword ptr ss:[esp]
00426162 pop dword ptr ds:[40DEF7]
00426168 mov dword ptr ds:[40DEDB],eax
0042616E push dword ptr ds:[40DEDB] ; Notepad1.0040DF0F
00426174 mov dword ptr ss:[esp],edx
00426177 push esi
00426178 mov dword ptr ss:[esp],Notepad1.0040DF07
0042617F pop dword ptr ds:[40DED7]
00426185 mov edx,dword ptr ds:[40DED7]
0042618B mov dword ptr ds:[edx],ebx
0042618D pop dword ptr ds:[40DEF3]
00426193 push dword ptr ds:[40DEF3]
00426199 pop edx
0042619A nop
0042619B nop
0042619C pushad
0042619D call Notepad1.0041A460
004261A2 mov byte ptr ss:[ebp+41A237],0E8
004261A9 popad
004261AA push dword ptr ds:[40DF07]
004261B0 pop dword ptr ds:[40DEEF]
004261B6 push edi
004261B7 mov edi,Notepad1.0040DEEF //[40DEEF]=EAX
004261BC mov esi,dword ptr ds:[edi] //stolen code的第6行,mov esi,eax变形
004261BE pop edi
004261BF pop dword ptr ds:[40DF03]
004261C5 mov dword ptr ds:[40DED3],ebx
004261CB push dword ptr ds:[40DED3]
004261D1 mov dword ptr ss:[esp],edx
004261D4 mov dword ptr ds:[40DECF],Notepad1.0040D>
004261DE push dword ptr ds:[40DECF]
004261E4 pop edx
004261E5 mov ebx,dword ptr ds:[edx]
004261E7 mov edx,dword ptr ss:[esp]
004261EA pop dword ptr ds:[40DEEB]
004261F0 mov al,byte ptr ds:[eax] //stolen code的第7行,没有变形
004261F2 nop
004261F3 nop
004261F4 nop
004261F5 nop
004261F6 nop
004261F7 nop
004261F8 nop
004261F9 nop
004261FA pushad
004261FB call Notepad1.0041A460
00426200 mov dword ptr ss:[ebp+41A238],25FF
0042620A lea eax,dword ptr ss:[ebp+41A27A]
00426210 mov dword ptr ss:[ebp+41A23A],eax
00426216 call Notepad1.0041A460
0042621B lea edi,dword ptr ss:[ebp+419F20]
00426221 lea ecx,dword ptr ss:[ebp+41A22C]
00426227 sub ecx,edi
00426229 shr ecx,2
0042622C call Notepad1.0041A1FE
00426231 stos dword ptr es:[edi]
00426232 loopd short Notepad1.0042622C
00426234 popad
00426235 jmp short Notepad1.00426238
00426238 jmp dword ptr ds:[42627A] //GO!飞向光明之巅!jmp 4010dd
下面就是伪OEP代码,在这儿用LordPE完全DUMP进程。
004010DD cmp al,22
004010DF jnz short Notepad1.004010FC
004010E1 push esi
004010E2 call dword ptr ds:[4064F4] ; Notepad1.0040D4D6
004010E8 mov esi,eax
004010EA mov al,byte ptr ds:[eax]
004010EC test al,al
004010EE je short Notepad1.004010F4
004010F0 cmp al,22
004010F2 jnz short Notepad1.004010E1
004010F4 cmp byte ptr ds:[esi],22
004010F7 jnz short Notepad1.0040110E
2.修复输入表
在程序中随便找一处空白区域,写入以下代码并执行:
; Decode the packer's import stubs in place before running ImportREC.
; Record layout as implied by the loop body (TODO confirm against the dump):
;   +0  68h     opcode of "push imm32"
;   +1  imm32   encoded value, XORed here with the key stored at +8
;   +8  dword   XOR key
;   0Dh bytes per record; the walk stops at the first record whose first
;   byte is not 68h. The record at 40D010 is decoded before any check is
;   made, so the start address must be exact.
; Assumes the 40Dxxx region is writable when this runs (it belongs to the
; packer's own code area, not the original .text) — verify before executing.
pushad                          ; preserve all registers; this runs inside the debugged process
mov esi,40d010                  ; esi = first record
aa:mov edi,[esi+8]              ; edi = XOR key of the current record
xor dword ptr ds:[esi+1],edi    ; decode the push immediate in place
add esi,0d                      ; advance to the next record (0Dh bytes each)
cmp byte ptr [esi],68           ; still a "push imm32" stub?
jz aa                           ; yes: keep decoding; otherwise fall through
popad                           ; restore registers
运行ImportREC,选择这个进程。把OEP改为000010DD,点IT AutoSearch,点“Get Import”,用层次1即可修复全部无效函数。FixDump!
3.修复Stolen code
根据对变形后stolen code的分析,得出程序的入口代码,并在004010CC处补上:
; Recovered stolen code: the 7 instructions the packer lifted from the
; original entry point, as identified in step 1. Each line below names the
; address of its obfuscated form in the trace above.
; These 7 instructions assemble to 11h bytes, and 004010DD - 11h = 004010CC,
; so written at 004010CC they fall straight through into the pseudo-OEP at
; 004010DD. After patching, the PE header's entry point presumably has to be
; changed from 10DD to 10CC as well — the write-up does not spell this out.
push ebp                        ; line 1: 0041E732  mov dword ptr ss:[esp],ebp
mov ebp,esp                     ; line 2: 0041E84F  mov ebp,dword ptr ds:[esi]
sub esp,44                      ; line 3: 0041E8A0, not obfuscated
push esi                        ; line 4: 0041E972  push dword ptr ds:[40DF0B]
call dword ptr ds:[4063E4]      ; line 5: 004260E3, not obfuscated; indirect call through a fixed slot,
                                ;         presumably an IAT entry that the import fix in step 2 must cover — verify
mov esi,eax                     ; line 6: 004261BC  mov esi,dword ptr ds:[edi]
mov al,byte ptr ds:[eax]        ; line 7: 004261F0, not obfuscated