*** Unpacking forgot's PEQuake ***
*** cyclotron[BCG][DFCG][FCG][OCN] ***
PEQuake, internal codename: shit
Author: forgot
Download: click here to download
Overview: this packer uses large amounts of junk code for anti-tracing, calls CreateThread to switch execution to a new thread and suspends the main thread, checks the parent process and for a debugger, rebuilds the import table, and modifies the PEB. The IAT itself is not encrypted, but imports go through a jump table (a blatant rip-off!!!); if you are lazy you can just use the packer to unpack itself... Anyway, this is one of the few packers I am actually capable of unpacking...
Without further ado, straight to the point:
Ignore all exceptions, hide Olly, and after loading you land here:
Code:
00422000 > E8 A5000000        CALL PEQuake.004220AA
004220AA   5D                 POP EBP                          ; PEQuake.00422005
004220AB   81ED 05000000      SUB EBP,5                        ; delta offset: EBP = 00422000
004220B1   8D75 3D            LEA ESI,DWORD PTR SS:[EBP+3D]
004220B4   56                 PUSH ESI
004220B5   FF55 31            CALL DWORD PTR SS:[EBP+31]       ; GetModuleHandle
004220B8   8DB5 81000000      LEA ESI,DWORD PTR SS:[EBP+81]
004220BE   56                 PUSH ESI
004220BF   50                 PUSH EAX
004220C0   FF55 2D            CALL DWORD PTR SS:[EBP+2D]       ; GetProcAddress
004220C3   8985 8E000000      MOV DWORD PTR SS:[EBP+8E],EAX
004220C9   6A 04              PUSH 4                           ; flProtect = PAGE_READWRITE
004220CB   68 00100000        PUSH 1000                        ; flAllocationType = MEM_COMMIT
004220D0   68 0F9C0000        PUSH 9C0F                        ; dwSize
004220D5   6A 00              PUSH 0                           ; lpAddress = NULL
004220D7   FF95 8E000000      CALL DWORD PTR SS:[EBP+8E]       ; VirtualAlloc
004220DD   50                 PUSH EAX
004220DE   8B9D 7D000000      MOV EBX,DWORD PTR SS:[EBP+7D]
004220E4   03DD               ADD EBX,EBP
004220E6   50                 PUSH EAX
004220E7   53                 PUSH EBX
004220E8   E8 04000000        CALL PEQuake.004220F1            ; decompress the shell code into the freshly allocated buffer
004220ED   5A                 POP EDX
004220EE   55                 PUSH EBP
004220EF   FFE2               JMP EDX                          ; typical hying (PE-Armor) style entry!
Next comes a long stretch of SEH tricks and junk code. Set a breakpoint, bp CreateThread; when it fires, the stack shows the thread function, which is where the secondary thread will start:
Code:
0012FFA8   00344799  /CALL to CreateThread from 00344793
0012FFAC   00000000  |pSecurity = NULL
0012FFB0   00000000  |StackSize = 0
0012FFB4   00344761  |ThreadFunction = 00344761     ; set a breakpoint on the thread entry: bp 344761
0012FFB8   77E7CA90  |pThreadParm = kErNeL32.77E7CA90
0012FFBC   00000000  |CreationFlags = 0
0012FFC0   00344824  \pThreadId = 00344824
0012FFC4   77E7CA90  RETURN to kErNeL32.77E7CA90
It breaks here:
Code:
00344761   E8 00000000        CALL 00344766
00344766   5D                 POP EBP
00344767   81ED A4184000      SUB EBP,4018A4                   ; delta offset
0034476D   68 F4010000        PUSH 1F4                         ; dwMilliseconds = 500
00344772   FF95 B1634000      CALL DWORD PTR SS:[EBP+4063B1]   ; Sleep
00344778   8D85 92194000      LEA EAX,DWORD PTR SS:[EBP+401992]
0034477E   FFE0               JMP EAX
Ctrl+F and search for the instruction CMP EAX,4C505845; you find:
Code:
00345106   25 5F5F5F5F        AND EAX,5F5F5F5F                 ; force upper case (clears bit 5 of each byte)
0034510B   3D 4558504C        CMP EAX,4C505845                 ; "EXPL" in little-endian: the first four bytes of EXPLORER.EXE
00345110 - 75 FE              JNZ SHORT 00345110               ; parent is not EXPLORER.EXE: jump to self, hangs forever
Good. Patch this jump out (two NOPs will do) to disable the parent-process check. The remaining anti-tracing tricks after this point no longer matter.
Alt+M, set a memory-access breakpoint on the code section, and you land directly on the OEP.
Next, fix the jump table. Trace in from the entry point:
Code:
00406AFA   8D35 C5C14000      LEA ESI,DWORD PTR DS:[40C1C5]    ; OEP
00406B00   8D3D E0C74000      LEA EDI,DWORD PTR DS:[40C7E0]
00406B06   B9 10000000        MOV ECX,10
00406B0B   F3:A4              REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
00406B0D   C705 C4C74000 F>   MOV DWORD PTR DS:[40C7C4],-0C
00406B17   C705 D4C74000 0>   MOV DWORD PTR DS:[40C7D4],109
00406B21   C605 DBC74000 0>   MOV BYTE PTR DS:[40C7DB],1
00406B28   6A 00              PUSH 0
00406B2A   E8 45220000        CALL PEQuake.00408D74            ; follow this call (it is the stub that ends up in GetModuleHandleA(NULL))
00406B2F   A3 34C54000        MOV DWORD PTR DS:[40C534],EAX
00406B34   6A 00              PUSH 0
00406B36   68 536B4000        PUSH PEQuake.00406B53
Wow, the whole JMP table has been rewritten. Every 6-byte entry that used to be JMP DWORD PTR [IAT slot] is now a NOP followed by a CALL into the same decoding routine:
Code:
00408D56   90                 NOP
00408D57   E8 B9FDF3FF        CALL 00348B15
00408D5C   90                 NOP
00408D5D   E8 B3FDF3FF        CALL 00348B15
00408D62   90                 NOP
00408D63   E8 ADFDF3FF        CALL 00348B15
00408D68   90                 NOP
00408D69   E8 A7FDF3FF        CALL 00348B15
00408D6E   90                 NOP
00408D6F   E8 A1FDF3FF        CALL 00348B15
00408D74   90                 NOP
00408D75   E8 9BFDF3FF        CALL 00348B15
00408D7A   90                 NOP
00408D7B   E8 95FDF3FF        CALL 00348B15
00408D80   90                 NOP
00408D81   E8 8FFDF3FF        CALL 00348B15
00408D86   90                 NOP
00408D87   E8 89FDF3FF        CALL 00348B15
00408D8C   90                 NOP
00408D8D   E8 83FDF3FF        CALL 00348B15
00408D92   90                 NOP
00408D93   E8 7DFDF3FF        CALL 00348B15
00408D98   90                 NOP
00408D99   E8 77FDF3FF        CALL 00348B15
00408D9E   90                 NOP
00408D9F   E8 71FDF3FF        CALL 00348B15
00408DA4   90                 NOP
00408DA5   E8 6BFDF3FF        CALL 00348B15
00408DAA   90                 NOP
00408DAB   E8 65FDF3FF        CALL 00348B15
00408DB0   90                 NOP
00408DB1   E8 5FFDF3FF        CALL 00348B15
00408DB6   90                 NOP
00408DB7   E8 59FDF3FF        CALL 00348B15
00408DBC   90                 NOP
00408DBD   E8 53FDF3FF        CALL 00348B15
00408DC2   90                 NOP
00408DC3   E8 4DFDF3FF        CALL 00348B15
00408DC8   90                 NOP
00408DC9   E8 47FDF3FF        CALL 00348B15
00408DCE   90                 NOP
00408DCF   E8 41FDF3FF        CALL 00348B15
00408DD4   90                 NOP
00408DD5   E8 3BFDF3FF        CALL 00348B15
00408DDA   90                 NOP
00408DDB   E8 35FDF3FF        CALL 00348B15
00408DE0   90                 NOP
00408DE1   E8 2FFDF3FF        CALL 00348B15
00408DE6   90                 NOP
00408DE7   E8 29FDF3FF        CALL 00348B15
00408DEC   90                 NOP
00408DED   E8 23FDF3FF        CALL 00348B15
00408DF2   90                 NOP
00408DF3   E8 1DFDF3FF        CALL 00348B15
00408DF8   90                 NOP
00408DF9   E8 17FDF3FF        CALL 00348B15
00408DFE   90                 NOP
00408DFF   E8 11FDF3FF        CALL 00348B15
00408E04   90                 NOP
00408E05   E8 0BFDF3FF        CALL 00348B15
00408E0A   90                 NOP
00408E0B   E8 05FDF3FF        CALL 00348B15
00408E10   90                 NOP
00408E11   E8 FFFCF3FF        CALL 00348B15
00408E16   90                 NOP
00408E17   E8 F9FCF3FF        CALL 00348B15
00408E1C   90                 NOP
00408E1D   E8 F3FCF3FF        CALL 00348B15
00408E22   90                 NOP
00408E23   E8 EDFCF3FF        CALL 00348B15
00408E28   90                 NOP
00408E29   E8 E7FCF3FF        CALL 00348B15
00408E2E   90                 NOP
00408E2F   E8 E1FCF3FF        CALL 00348B15
00408E34   90                 NOP
00408E35   E8 DBFCF3FF        CALL 00348B15
00408E3A   90                 NOP
00408E3B   E8 D5FCF3FF        CALL 00348B15
00408E40   90                 NOP
00408E41   E8 CFFCF3FF        CALL 00348B15
00408E46   90                 NOP
00408E47   E8 C9FCF3FF        CALL 00348B15
00408E4C   90                 NOP
00408E4D   E8 C3FCF3FF        CALL 00348B15
00408E52   90                 NOP
00408E53   E8 BDFCF3FF        CALL 00348B15
00408E58   90                 NOP
00408E59   E8 B7FCF3FF        CALL 00348B15
Pick any one of these calls and follow it into 00348B15. After walking through a stretch of junk code, the decoding routine appears:
Code:
00348DD3   33D2               XOR EDX,EDX
00348DD5   B9 02000000        MOV ECX,2
00348DDA   F7E1               MUL ECX                          ; EDX:EAX = entry * 2, bit 31 of the entry moves into EDX
00348DDC   D1E8               SHR EAX,1                        ; EAX = entry & 7FFFFFFF, i.e. the top bit is stripped
00348DDE   3BF8               CMP EDI,EAX                      ; does it equal the return address of the stub's CALL?
00348DE0   0F85 62010000      JNZ 00348F48                     ; no match: keep searching the table
This is a table lookup keyed on the call site. EDI holds the return address pushed by the stub's CALL (the address right after the E8 instruction, i.e. the stub's NOP address plus 6). Each 8-byte table entry stores that address with bit 31 set, followed by the VA of the matching IAT slot; once the key matches, the routine fetches the API address from that slot and jumps to it. The decoding is trivial, just drop the top bit. The lookup table is shown below; as a cross-check, the first entry 80408D86 / 40B03C belongs to the stub at 00408D80, whose repaired form is JMP DWORD PTR [40B03C] = ReadFile:
Code:
           key (return VA | 80000000)   IAT slot VA
00349AA7   86 8D 40 80                  3C B0 40 00
00349AAF   AA 8D 40 80                  40 B0 40 00
00349AB7   A4 8D 40 80                  44 B0 40 00
00349ABF   9E 8D 40 80                  48 B0 40 00
00349AC7   98 8D 40 80                  4C B0 40 00
00349ACF   92 8D 40 80                  50 B0 40 00
00349AD7   8C 8D 40 80                  54 B0 40 00
00349ADF   5C 8D 40 80                  58 B0 40 00
00349AE7   80 8D 40 80                  5C B0 40 00
00349AEF   62 8D 40 80                  60 B0 40 00
00349AF7   7A 8D 40 80                  64 B0 40 00
00349AFF   74 8D 40 80                  68 B0 40 00
00349B07   6E 8D 40 80                  6C B0 40 00
00349B0F   68 8D 40 80                  70 B0 40 00
00349B17   10 8E 40 80                  80 B0 40 00
00349B1F   0A 8E 40 80                  84 B0 40 00
00349B27   04 8E 40 80                  88 B0 40 00
00349B2F   FE 8D 40 80                  8C B0 40 00
00349B37   F8 8D 40 80                  90 B0 40 00
00349B3F   F2 8D 40 80                  94 B0 40 00
00349B47   EC 8D 40 80                  98 B0 40 00
00349B4F   E0 8D 40 80                  9C B0 40 00
00349B57   DA 8D 40 80                  A0 B0 40 00
00349B5F   D4 8D 40 80                  A4 B0 40 00
00349B67   CE 8D 40 80                  A8 B0 40 00
00349B6F   C8 8D 40 80                  AC B0 40 00
00349B77   C2 8D 40 80                  B0 B0 40 00
00349B7F   BC 8D 40 80                  B4 B0 40 00
00349B87   B6 8D 40 80                  B8 B0 40 00
00349B8F   B0 8D 40 80                  BC B0 40 00
00349B97   E6 8D 40 80                  C0 B0 40 00
00349B9F   16 8E 40 80                  00 B0 40 00   ; the lowest IAT VA in the table: 0040B000
00349BA7   1C 8E 40 80                  08 B0 40 00
00349BAF   22 8E 40 80                  10 B0 40 00
00349BB7   28 8E 40 80                  14 B0 40 00
00349BBF   2E 8E 40 80                  18 B0 40 00
00349BC7   34 8E 40 80                  1C B0 40 00
00349BCF   3A 8E 40 80                  20 B0 40 00
00349BD7   40 8E 40 80                  24 B0 40 00
00349BDF   46 8E 40 80                  28 B0 40 00
00349BE7   4C 8E 40 80                  2C B0 40 00
00349BEF   52 8E 40 80                  30 B0 40 00
00349BF7   58 8E 40 80                  34 B0 40 00
00349BFF   5E 8E 40 80                  78 B0 40 00
The right-hand four bytes of each entry are the IAT VAs, the lowest being 0040B000. Feed that to ImportREC: RVA B000, Size 1000; rebuild the import table and every entry is recognised. Enter OEP 6AFA, Fix Dump, done.
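Doing the same fix-up on the dump instead of by hand, as an added example (this script is not from the original post or from the packer): it re-implements the decoding step above, keys each stub by the return address its CALL would push, and rewrites the 6-byte NOP/CALL stub as JMP DWORD PTR [IAT slot] (FF 25 imm32), which is the form ImportREC expects. The lookup entries are copied from the dump at 00349AA7; the packed stub table is constructed from the listing rather than read from a file, and the stub layout (6 bytes each from 00408D56, all calling 00348B15) is taken as given. Its output should match the repaired table in the appendix below.

```python
"""Rebuild PEQuake's obfuscated jump table offline (added example)."""
import struct

IMAGE_BASE = 0x00400000
TABLE_VA = 0x00408D56        # VA of the first stub (its NOP byte)
STUB_LEN = 6                 # 90 | E8 rel32
DECODER_VA = 0x00348B15      # shared target of every CALL in the stub table

# All 44 lookup entries copied from the dump at 00349AA7, 8 bytes each:
# <return address with bit 31 set, LE> <IAT slot VA, LE>
LOOKUP_BYTES = bytes.fromhex(
    "868D40803CB04000 AA8D408040B04000 A48D408044B04000 9E8D408048B04000 "
    "988D40804CB04000 928D408050B04000 8C8D408054B04000 5C8D408058B04000 "
    "808D40805CB04000 628D408060B04000 7A8D408064B04000 748D408068B04000 "
    "6E8D40806CB04000 688D408070B04000 108E408080B04000 0A8E408084B04000 "
    "048E408088B04000 FE8D40808CB04000 F88D408090B04000 F28D408094B04000 "
    "EC8D408098B04000 E08D40809CB04000 DA8D4080A0B04000 D48D4080A4B04000 "
    "CE8D4080A8B04000 C88D4080ACB04000 C28D4080B0B04000 BC8D4080B4B04000 "
    "B68D4080B8B04000 B08D4080BCB04000 E68D4080C0B04000 168E408000B04000 "
    "1C8E408008B04000 228E408010B04000 288E408014B04000 2E8E408018B04000 "
    "348E40801CB04000 3A8E408020B04000 408E408024B04000 468E408028B04000 "
    "4C8E40802CB04000 528E408030B04000 588E408034B04000 5E8E408078B04000 "
)


def decode_key(raw: int) -> int:
    """Replicate the packer's MUL ECX(=2) / SHR EAX,1: the low 32 bits of
    raw*2 shifted right once, i.e. the entry with bit 31 cleared."""
    return ((raw * 2) & 0xFFFFFFFF) >> 1


def parse_lookup(blob: bytes) -> dict:
    """Map decoded key (the stub CALL's return address) -> IAT slot VA."""
    table = {}
    for off in range(0, len(blob), 8):
        raw, iat_va = struct.unpack_from("<II", blob, off)
        table[decode_key(raw)] = iat_va
    return table


def build_stub_table(count: int) -> bytes:
    """Constructed input: the packed stub table as dumped at 00408D56,
    'NOP / CALL DECODER_VA' repeated, each rel32 computed from its own VA."""
    img = bytearray()
    for i in range(count):
        call_va = TABLE_VA + i * STUB_LEN + 1          # VA of the E8 byte
        rel32 = (DECODER_VA - (call_va + 5)) & 0xFFFFFFFF
        img += b"\x90\xE8" + struct.pack("<I", rel32)
    return bytes(img)


def rebuild_jump_table(img: bytes, lookup: dict) -> tuple:
    """Rewrite every NOP/CALL stub whose return address is in the lookup
    table as 'JMP DWORD PTR [iat_va]' (FF 25 imm32). Returns the patched
    bytes and {stub_va: iat_va}; stubs without a table entry stay untouched."""
    out = bytearray(img)
    fixed = {}
    for off in range(0, len(img) - STUB_LEN + 1, STUB_LEN):
        if out[off] != 0x90 or out[off + 1] != 0xE8:
            continue
        stub_va = TABLE_VA + off
        ret_addr = stub_va + STUB_LEN      # what the CALL at stub+1 pushes
        iat_va = lookup.get(ret_addr)
        if iat_va is None:
            continue
        out[off:off + STUB_LEN] = b"\xFF\x25" + struct.pack("<I", iat_va)
        fixed[stub_va] = iat_va
    return bytes(out), fixed


def iat_span(lookup: dict) -> tuple:
    """Lowest and highest IAT slot VA referenced by the table; the lowest
    one minus IMAGE_BASE is the RVA to give ImportREC."""
    vas = sorted(set(lookup.values()))
    return vas[0], vas[-1]


if __name__ == "__main__":
    lookup = parse_lookup(LOOKUP_BYTES)
    packed = build_stub_table(len(lookup))
    patched, fixed = rebuild_jump_table(packed, lookup)
    lo, hi = iat_span(lookup)
    print(f"IAT VA range {lo:08X}-{hi:08X}  (ImportREC RVA {lo - IMAGE_BASE:X})")
    for stub_va, iat_va in sorted(fixed.items()):
        print(f"{stub_va:08X}  FF25 {iat_va:08X}  JMP DWORD PTR [{iat_va:08X}]")
```

On a real dump you would replace build_stub_table with the bytes read from the file at the jump table's file offset and write the patched bytes back; the key derivation (stub VA + 6) and the FF 25 rewrite are the only parts that depend on the packer. The sanity check a practitioner wants before trusting the result is that every stub found a key and that the IAT VAs all fall inside one section, which is what iat_span reports.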
Appendix: the repaired jump table:
Code:
00408D56 - FF25 58B04000      JMP DWORD PTR DS:[40B058]        ; kErNeL32.CloseHandle
00408D5C - FF25 60B04000      JMP DWORD PTR DS:[40B060]        ; kErNeL32.CopyFileA
00408D62 - FF25 70B04000      JMP DWORD PTR DS:[40B070]        ; kErNeL32.CreateFileA
00408D68 - FF25 6CB04000      JMP DWORD PTR DS:[40B06C]        ; kErNeL32.ExitProcess
00408D6E - FF25 68B04000      JMP DWORD PTR DS:[40B068]        ; kErNeL32.GetFileSize
00408D74 - FF25 64B04000      JMP DWORD PTR DS:[40B064]        ; kErNeL32.GetModuleHandleA
00408D7A - FF25 5CB04000      JMP DWORD PTR DS:[40B05C]        ; kErNeL32.GetPrivateProfileIntA
00408D80 - FF25 3CB04000      JMP DWORD PTR DS:[40B03C]        ; kErNeL32.ReadFile
00408D86 - FF25 54B04000      JMP DWORD PTR DS:[40B054]        ; ntdll.RtlZeroMemory
00408D8C - FF25 50B04000      JMP DWORD PTR DS:[40B050]        ; kErNeL32.SetFilePointer
00408D92 - FF25 4CB04000      JMP DWORD PTR DS:[40B04C]        ; kErNeL32.VirtualAlloc
00408D98 - FF25 48B04000      JMP DWORD PTR DS:[40B048]        ; kErNeL32.VirtualFree
00408D9E - FF25 44B04000      JMP DWORD PTR DS:[40B044]        ; kErNeL32.WriteFile
00408DA4 - FF25 40B04000      JMP DWORD PTR DS:[40B040]        ; kErNeL32.WritePrivateProfileStringA
00408DAA - FF25 BCB04000      JMP DWORD PTR DS:[40B0BC]        ; uSeR32.BeginPaint
00408DB0 - FF25 B8B04000      JMP DWORD PTR DS:[40B0B8]        ; uSeR32.CheckDlgButton
00408DB6 - FF25 B4B04000      JMP DWORD PTR DS:[40B0B4]        ; uSeR32.CreateDialogParamA
00408DBC - FF25 B0B04000      JMP DWORD PTR DS:[40B0B0]        ; uSeR32.DialogBoxParamA
00408DC2 - FF25 ACB04000      JMP DWORD PTR DS:[40B0AC]        ; uSeR32.EnableWindow
00408DC8 - FF25 A8B04000      JMP DWORD PTR DS:[40B0A8]        ; uSeR32.EndPaint
00408DCE - FF25 A4B04000      JMP DWORD PTR DS:[40B0A4]        ; uSeR32.FillRect
00408DD4 - FF25 A0B04000      JMP DWORD PTR DS:[40B0A0]        ; uSeR32.GetDC
00408DDA - FF25 9CB04000      JMP DWORD PTR DS:[40B09C]        ; uSeR32.GetDlgItem
00408DE0 - FF25 C0B04000      JMP DWORD PTR DS:[40B0C0]        ; uSeR32.LoadBitmapA
00408DE6 - FF25 98B04000      JMP DWORD PTR DS:[40B098]        ; uSeR32.PostQuitMessage
00408DEC - FF25 94B04000      JMP DWORD PTR DS:[40B094]        ; uSeR32.ReleaseDC
00408DF2 - FF25 90B04000      JMP DWORD PTR DS:[40B090]        ; uSeR32.SendDlgItemMessageA
00408DF8 - FF25 8CB04000      JMP DWORD PTR DS:[40B08C]        ; uSeR32.SendMessageA
00408DFE - FF25 88B04000      JMP DWORD PTR DS:[40B088]        ; uSeR32.SetDlgItemTextA
00408E04 - FF25 84B04000      JMP DWORD PTR DS:[40B084]        ; uSeR32.SetTimer
00408E0A - FF25 80B04000      JMP DWORD PTR DS:[40B080]        ; uSeR32.ShowWindow
00408E10 - FF25 00B04000      JMP DWORD PTR DS:[40B000]        ; comctl32.InitCommonControls
00408E16 - FF25 08B04000      JMP DWORD PTR DS:[40B008]        ; comdlg32.GetOpenFileNameA
00408E1C - FF25 10B04000      JMP DWORD PTR DS:[40B010]        ; GDI32.BitBlt
00408E22 - FF25 14B04000      JMP DWORD PTR DS:[40B014]        ; GDI32.CreateCompatibleBitmap
00408E28 - FF25 18B04000      JMP DWORD PTR DS:[40B018]        ; GDI32.CreateCompatibleDC
00408E2E - FF25 1CB04000      JMP DWORD PTR DS:[40B01C]        ; GDI32.CreateFontIndirectA
00408E34 - FF25 20B04000      JMP DWORD PTR DS:[40B020]        ; GDI32.CreateSolidBrush
00408E3A - FF25 24B04000      JMP DWORD PTR DS:[40B024]        ; GDI32.GetTextExtentPoint32A
00408E40 - FF25 28B04000      JMP DWORD PTR DS:[40B028]        ; GDI32.SelectObject
00408E46 - FF25 2CB04000      JMP DWORD PTR DS:[40B02C]        ; GDI32.SetBkMode
00408E4C - FF25 30B04000      JMP DWORD PTR DS:[40B030]        ; GDI32.SetTextColor
00408E52 - FF25 34B04000      JMP DWORD PTR DS:[40B034]        ; GDI32.TextOutA
00408E58 - FF25 78B04000      JMP DWORD PTR DS:[40B078]        ; SHELL32.ShellExecuteA
Dump download:
http://bbs.pediy.com/upload/file/2004/10/dPEQuake_.rar_223.rar