老王的vfp&exeNc V5.00主程序脱壳+暗桩去除
下载页面: http://www.czkj.com/
软件大小: 390K
软件简介: vfp&exeNc内存型加密软件,采用全新的加密内核精心编制而成,vfp&exeNc采用拦截系统功能调用(hook)技术,还原和运行完全在内存中完成,加密后的文件既保持了VFP原有的运行速度,又足以防止现有的任何反编译软件的反编译,从而保护您的源代码。
【作者声明】:只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教
【调试环境】:WinXP、OllyDbg、PEiD、LordPE
—————————————————————————————————
【脱壳过程】:
国内有很多VF程序用PEiD侦壳时显示ASPack 2.x (without poly),其实这是老王的vfp&exeNc加壳的。
[vfp&exeNc V5.00 -> Wang JianGuo]
signature = 60 E8 00 00 00 00 5D ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 50 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 CC
ep_only = true
PEiD Sign,选择“External Scan”扫描方式即可侦测出。
我对于Visual Foxpro程序了解很少,不过vfp&exeNc主程序是Delphi的,只好用主程序来脱壳看看,得罪之处,请老王谅解。
设置OllyDbg忽略所有异常选项。用IsDebug插件去掉OllyDbg的调试器标志。
—————————————————————————————————
一、vfp&exeNc V5.00主程序脱壳
004EFB24 60 pushad
//进入Ollydbg后暂停在这
004EFB25 E8 00000000 call vfp&exeN.004EFB2A
004EFB2A 5D pop ebp
004EFB2B 81ED 06104000 sub ebp,vfp&exeN.00401006
004EFB31 8D85 56104000 lea eax,dword ptr ss:[ebp+401056]
004EFB37 50 push eax
004EFB38 64:FF35 0000000>push dword ptr fs:[0]
004EFB3F 64:8925 0000000>mov dword ptr fs:[0],esp
004EFB46 CC int3
004EFB47 90 nop
004EFB48 64:8F05 0000000>pop dword ptr fs:[0]
//这里下断,Shift+F9中断下来
004EFB4F 83C4 04 add esp,4
004EFB52 74 05 je short vfp&exeN.004EFB59
004EFB54 75 03 jnz short vfp&exeN.004EFB59
004EFB56 EB 07 jmp short vfp&exeN.004EFB5F
004EFB58 59 pop ecx
004EFB59 8D9D 00104000 lea ebx,dword ptr ss:[ebp+401000]
004EFB5F 53 push ebx
004EFB60 5F pop edi
004EFB61 2BFA sub edi,edx
004EFB63 57 push edi
004EFB64 8A03 mov al,byte ptr ds:[ebx]
004EFB66 3007 xor byte ptr ds:[edi],al
004EFB68 43 inc ebx
004EFB69 47 inc edi
004EFB6A E2 F8 loopd short vfp&exeN.004EFB64
004EFB6C 58 pop eax
004EFB6D 894424 1C mov dword ptr ss:[esp+1C],eax
004EFB71 61 popad
004EFB72 FFE0 jmp eax ; vfp&exeN.004EE001
//直接F4过来,进入下一层
004EE001 60 pushad
//像什么?AsPack? Yes
004EE002 E8 03000000 call vfp&exeN.004EE00A
004EE007 E9 EB045D45 jmp 45ABE4F7
004EE00C 55 push ebp
004EE00D C3 retn
004EE00E E8 01000000 call vfp&exeN.004EE014
004EE013 EB 5D jmp short vfp&exeN.004EE072
明显可以看出是AsPack,OK,现在可以dump下来,修正EP=000EE001,再把原来的IAT复制进dump.exe,就可以直接用stripper_v207f自动脱去这层壳了!
当然,我们可以继续手动跟踪脱壳。
直接按AsPacK的脱壳方法来做就行了,Ctrl+F在当前位置下搜索命令序列:
lods word ptr ds:[esi]
stos word ptr es:[edi]
004EE272 66:AD lods word ptr ds:[esi]
//找到这里
004EE274 66:AB stos word ptr es:[edi]
004EE276 EB F1 jmp short vfp&exeN.004EE269
004EE278 BE 00C00B00 mov esi,0BC000
//F4直接过来 000BC000就是Import Table RVA ★
004EE27D 8B95 22040000 mov edx,dword ptr ss:[ebp+422]
004EE283 03F2 add esi,edx
004EE285 8B46 0C mov eax,dword ptr ds:[esi+C]
004EE288 85C0 test eax,eax
004EE28A 0F84 0A010000 je vfp&exeN.004EE39A
//输入表处理完毕则跳转
可以运行LordPE完全Dump这个进程了。下面要进行输入表处理,不必管了。
004EE39A B8 435F0B00 mov eax,0B5F43
//F4直接过来
004EE39F 50 push eax
004EE3A0 0385 22040000 add eax,dword ptr ss:[ebp+422]
004EE3A6 59 pop ecx
004EE3A7 0BC9 or ecx,ecx
004EE3A9 8985 A8030000 mov dword ptr ss:[ebp+3A8],eax
004EE3AF 61 popad
004EE3B0 75 08 jnz short vfp&exeN.004EE3BA
004EE3B2 B8 01000000 mov eax,1
004EE3B7 C2 0C00 retn 0C
004EE3BA 68 435F4B00 push vfp&exeN.004B5F43
004EE3BF C3 retn
//进入第3层
也可以载入上面用stripper_v207f自动脱壳的文件,来脱壳最后一层。
004B5F43 60 pushad
004B5F44 E8 00000000 call vfp&exeN.004B5F49
004B5F49 5D pop ebp
004B5F4A 81ED 06104000 sub ebp,vfp&exeN.00401006
004B5F50 8D85 56104000 lea eax,dword ptr ss:[ebp+401056]
004B5F56 50 push eax
004B5F57 64:FF35 0000000>push dword ptr fs:[0]
004B5F5E 64:8925 0000000>mov dword ptr fs:[0],esp
004B5F65 CC int3
004B5F66 90 nop
004B5F67 64:8F05 0000000>pop dword ptr fs:[0]
004B5F6E 83C4 04 add esp,4
004B5F71 74 05 je short _1.004B5F78
004B5F73 75 03 jnz short _1.004B5F78
004B5F75 EB 07 jmp short _1.004B5F7E
004B5F77 59 pop ecx
004B5F78 8D9D 00104000 lea ebx,dword ptr ss:[ebp+401000]
004B5F7E 53 push ebx
004B5F7F 5F pop edi
004B5F80 2BFA sub edi,edx
004B5F82 57 push edi
004B5F83 8A03 mov al,byte ptr ds:[ebx]
004B5F85 3007 xor byte ptr ds:[edi],al
004B5F87 43 inc ebx
004B5F88 47 inc edi
004B5F89 E2 F8 loopd short _1.004B5F83
//解码
004B5F8B 58 pop eax
004B5F8C 894424 1C mov dword ptr ss:[esp+1C],eax
004B5F90 61 popad
004B5F91 FFE0 jmp eax ; vfp&exeN.004B5E40
//飞向光明之巅!^O^
004B5E40 55 push ebp
//OEP
004B5E41 8BEC mov ebp,esp
004B5E43 83C4 F0 add esp,-10
004B5E46 B8 305C4B00 mov eax,vfp&exeN.004B5C30
004B5E4B E8 800BF5FF call vfp&exeN.004069D0
004B5E50 A1 AC834B00 mov eax,dword ptr ds:[4B83AC]
004B5E55 8B00 mov eax,dword ptr ds:[eax]
004B5E57 E8 68F6FAFF call vfp&exeN.004654C4
可以再次dump,把第一次dump文件的IAT复制替换进现在dump的文件,修正OEP RVA=000B5E40和Import Table RVA=000BC000就可以运行了。
或者把上面解码出来的代码直接复制粘贴进stripper_v207f自动脱壳的文件里,修正OEP RVA也行。
习惯用ImportREC的朋友当然也可以用ImportREC来修复输入表。
—————————————————————————————————
二、反跟踪
此时用OllyDbg来调试脱壳后的程序会挂掉,为何?看看吧
BP GetWindowsDirectoryA 中断后取消这个断点。Alt+F9返回
004AD84E E8 6D94F5FF call 00406CC0 ; jmp to kernel32.GetWindowsDirectoryA
//获取系统目录
004AD853 8D95 D4FEFFFF lea edx,dword ptr ss:[ebp-12C]
//返回这里
004AD859 8D85 E4FEFFFF lea eax,dword ptr ss:[ebp-11C]
004AD85F E8 F8BEF5FF call 0040975C
004AD864 8B85 D4FEFFFF mov eax,dword ptr ss:[ebp-12C]
004AD86A 8D95 D8FEFFFF lea edx,dword ptr ss:[ebp-128]
004AD870 E8 CFAFF5FF call 00408844
004AD875 8B95 D8FEFFFF mov edx,dword ptr ss:[ebp-128]
004AD87B B8 B8B64B00 mov eax,4BB6B8
004AD880 E8 8B6DF5FF call 00404610
004AD885 A1 B8B64B00 mov eax,dword ptr ds:[4BB6B8]
004AD88A E8 E56FF5FF call 00404874
004AD88F 8B15 B8B64B00 mov edx,dword ptr ds:[4BB6B8]
004AD895 807C02 FF 5C cmp byte ptr ds:[edx+eax-1],5C
004AD89A 74 0F je short 004AD8AB
004AD89C B8 B8B64B00 mov eax,4BB6B8
004AD8A1 BA D8DA4A00 mov edx,4ADAD8
004AD8A6 E8 D16FF5FF call 0040487C
004AD8AB B9 A4B64B00 mov ecx,4BB6A4
004AD8B0 33D2 xor edx,edx
004AD8B2 33C0 xor eax,eax
004AD8B4 E8 87FCFFFF call UnPacKed.004AD540
004AD8B9 8945 EC mov dword ptr ss:[ebp-14],eax
004AD8BC B9 A4B64B00 mov ecx,UnPacKed.004BB6A4
004AD8C1 33D2 xor edx,edx
004AD8C3 8B45 EC mov eax,dword ptr ss:[ebp-14]
004AD8C6 E8 75FCFFFF call UnPacKed.004AD540
//取得父进程名
004AD8CB 8B15 A4B64B00 mov edx,dword ptr ds:[4BB6A4]
004AD8D1 8B45 EC mov eax,dword ptr ss:[ebp-14]
004AD8D4 E8 A3FDFFFF call UnPacKed.004AD67C
004AD8D9 8D95 CCFEFFFF lea edx,dword ptr ss:[ebp-134]
004AD8DF A1 A4B64B00 mov eax,dword ptr ds:[4BB6A4]
004AD8E4 E8 D3B9F5FF call UnPacKed.004092BC
//取得父进程路径
004AD8E9 8B85 CCFEFFFF mov eax,dword ptr ss:[ebp-134]
004AD8EF 8D95 D0FEFFFF lea edx,dword ptr ss:[ebp-130]
004AD8F5 E8 4AAFF5FF call UnPacKed.00408844
004AD8FA 8B95 D0FEFFFF mov edx,dword ptr ss:[ebp-130]
004AD900 B8 A8B64B00 mov eax,UnPacKed.004BB6A8
004AD905 E8 066DF5FF call UnPacKed.00404610
004AD90A A1 A8B64B00 mov eax,dword ptr ds:[4BB6A8]
//修改为mov eax,dword ptr ds:[4BB6B8]就行了 ★
004AD90F 8B15 B8B64B00 mov edx,dword ptr ds:[4BB6B8]
004AD915 E8 9E70F5FF call UnPacKed.004049B8
//比较父进程目录是否是 系统目录:\Windows\
004AD91A 0F85 37010000 jnz UnPacKed.004ADA57
//否则跳
004ADA57 8B45 EC mov eax,dword ptr ss:[ebp-14]
004ADA5A 50 push eax
004ADA5B E8 1091F5FF call UnPacKed.00406B70 ; jmp to kernel32.DebugActiveProcess
//去调试Ollydbg,当然挂了
—————————————————————————————————
三、解除暗桩
新版vfp&exeNc发现被脱壳后会不断的向C分区写入垃圾数据,直至填满你的C盘!
建议作者还是换一下其他防脱壳技巧,而不要采取这样的手段。
载入脱壳后的程序,下断BP SetFilePointer
中断后取消这个断点。Alt+F9返回2次
004AD7C8 E8 53B7F5FF call 00408F20
004AD7CD A3 F0B64B00 mov dword ptr ds:[4BB6F0],eax
//返回这里 [4BB6F0]=EAX=000EE000 这里其实就是保存脱壳后文件的Size
下面就是检测父进程目录,为了叙述清晰,所以把这部分单独拿出来分析
现在我们选择[4BB6F0]处的4个字节,设置硬件访问断点。
F9运行起来,随意找个VF程序进行加密,中断下来。
004B12CD E8 6EC2FFFF call 004AD540
004B12D2 813D F0B64B00 2>cmp dword ptr ds:[4BB6F0],7D022
//中断在这里 比较!
004B12DC 0F8E A5000000 jle 004B1387
//不跳就惨了!修改为JMP 004B1387
004B12E2 8D45 DC lea eax,dword ptr ss:[ebp-24]
004B12E5 BA B0184B00 mov edx,UnPacKed.004B18B0 ; ASCII "C:"
004B12EA E8 6533F5FF call UnPacKed.00404654
004B12EF B2 01 mov dl,1
004B12F1 A1 A0494100 mov eax,dword ptr ds:[4149A0]
004B12F6 E8 2525F5FF call UnPacKed.00403820
004B12FB 8906 mov dword ptr ds:[esi],eax
004B12FD EB 70 jmp short UnPacKed.004B136F
004B12FF 56 push esi
004B1300 33C9 xor ecx,ecx
004B1302 8B55 DC mov edx,dword ptr ss:[ebp-24]
004B1305 8B45 FC mov eax,dword ptr ss:[ebp-4]
004B1308 E8 0B440000 call UnPacKed.004B5718
004B130D 8B06 mov eax,dword ptr ds:[esi]
004B130F 8B10 mov edx,dword ptr ds:[eax]
004B1311 FF52 14 call dword ptr ds:[edx+14]
004B1314 48 dec eax
004B1315 85C0 test eax,eax
004B1317 7C 2E jl short UnPacKed.004B1347
004B1319 40 inc eax
004B131A 8945 D4 mov dword ptr ss:[ebp-2C],eax
004B131D 33DB xor ebx,ebx
004B131F 8D8D 40FFFFFF lea ecx,dword ptr ss:[ebp-C0]
004B1325 8BD3 mov edx,ebx
004B1327 8B06 mov eax,dword ptr ds:[esi]
004B1329 8B38 mov edi,dword ptr ds:[eax]
004B132B FF57 0C call dword ptr ds:[edi+C]
004B132E 8B95 40FFFFFF mov edx,dword ptr ss:[ebp-C0]
004B1334 B9 BC184B00 mov ecx,UnPacKed.004B18BC ; ASCII "*.*"
004B1339 8B45 FC mov eax,dword ptr ss:[ebp-4]
004B133C E8 47460000 call UnPacKed.004B5988
004B1341 43 inc ebx
004B1342 FF4D D4 dec dword ptr ss:[ebp-2C]
004B1345 75 D8 jnz short UnPacKed.004B131F
//循环向C分区填充垃圾文件
0013F68C 00408EBE /CALL 到 CreateFileA 来自 UnPacKed.00408EB9
0013F690 00E0E754 |FileName = "C:\WINDOWS\SYSTEM\OOBE\MSNSETUPAPI.HTM"
0013F694 C0000000 |Access = GENERIC_READ|GENERIC_WRITE
0013F698 00000000 |ShareMode = 0
0013F69C 00000000 |pSecurity = NULL
0013F6A0 00000002 |Mode = CREATE_ALWAYS
0013F6A4 00000080 |Attributes = NORMAL
0013F6A8 00000000 \hTemplateFile = NULL
—————————————————————————————————
, _/
/| _.-~/ \_ , 青春都一晌
( /~ / \~-._ |\
`\\ _/ \ ~\ ) 忍把浮名
_-~~~-.) )__/;;,. \_ //'
/'_,\ --~ \ ~~~- ,;;\___( (.-~~~-. 换了破解轻狂
`~ _( ,_..--\ ( ,;'' / ~-- /._`\
/~~//' /' `~\ ) /--.._, )_ `~
" `~" " `" /~'`\ `\\~~\
" " "~' ""
UnPacked By : fly
2005-04-12 12:00