脱壳:csjwaman
原程序下载地址:http://bbs.pediy.com/showthread.php?s=&threadid=22270
壳作者自己的说明:
////////////////////////////////////////////
简单说一下壳采用的几种反跟踪调试的方法:
双进程、
多线程(解码、检测调试、检测api断点)、
iat变形(用importrec自动跟踪可以抓出来)、
自创的花指令等
说实话,我自己跟起都很费力^_^
///////////////////////////////////////////
本人很菜,在壳作者本人的指点下才脱了此壳。在此感谢壳作者的无私奉献!
一、转单进程
脚本:
gpa "OpenEventA","KERNEL32.DLL"
bphws $RESULT,"x"
esto
bphwc $RESULT
exec
push eax
push 0
push 0
push 0
call CreateEventA
jmp OpenEventA
ende
rtu
ret
转单后停在:
0046E541 /EB 02 jmp short 0046E545///停在这里。
0046E543 |9A AA83F800 EB02 call far 02EB:00F883AA
0046E54A 9A BA0F84DC 0D00 call far 000D:DC840FBA
0046E551 00EB add bl,ch
0046E553 029A A550EB02 add bl,byte ptr ds:[edx+2EB50A5]
0046E559 9A 7A50EB02 9AA1 call far A19A:02EB507A
0046E560 FF93 FB1E4000 call near dword ptr ds:[ebx+401EFB]
0046E566 EB 02 jmp short 0046E56A ; 0046E56A
0046E568 9A 4A8F83D8 2040 call far 4020:D8838F4A
0046E56F 00EB add bl,ch
太多的花指令,用脚本清除并只留下有用的代码后:
0046E545 83F8 00 cmp eax,0
0046E54C 0F84 DC0D0000 je 0046F32E///OpenEventA失败则跳,跳则先创建事件,后创建进程。
0046E556 50 push eax
0046E55B 50 push eax
0046E560 FF93 FB1E4000 call near dword ptr ds:[ebx+401EFB]///关闭句柄。
0046E56A 8F83 D8204000 pop dword ptr ds:[ebx+4020D8]
0046E592 8D83 9A1B4000 lea eax,dword ptr ds:[ebx+401B9A]
0046E59F 50 push eax
0046E5A0 6A 01 push 1
0046E5A2 E8 37F3FFFF call 0046D8DE///检测CC
0046E5AE CD F5 int 0F5///制造异常。
0046E5B8 8D83 CA194000 lea eax,dword ptr ds:[ebx+4019CA]
0046E5C1 50 push eax
0046E5C7 CD F6 int 0F6///制造异常。
0046E5D3 838B F8204000 07 or dword ptr ds:[ebx+4020F8],7
0046E5E2 8D83 A5344000 lea eax,dword ptr ds:[ebx+4034A5]
0046E5EC 8983 6A214000 mov dword ptr ds:[ebx+40216A],eax
0046E5F5 838B 56214000 01 or dword ptr ds:[ebx+402156],1
0046E600 8D83 5C3E4000 lea eax,dword ptr ds:[ebx+403E5C]
0046E609 8983 72214000 mov dword ptr ds:[ebx+402172],eax
0046E614 F7D0 not eax
0046E619 CD F7 int 0F7///制造异常。
0046E623 83A3 3F214000 FD and dword ptr ds:[ebx+40213F],FFFFFFFD
0046E631 0183 B4204000 add dword ptr ds:[ebx+4020B4],eax
0046E641 838B 56214000 02 or dword ptr ds:[ebx+402156],2
0046E659 F783 3F214000 02000000 test dword ptr ds:[ebx+40213F],2
0046E668 CD F7 int 0F7///制造异常。
0046E674 ^ 74 DE je short 0046E654
0046E687 E9 190E0000 jmp 0046F4A5///等第2个线程解码结束后跳去执行刚才解码的代码。
0046E697 8D83 CB3D4000 lea eax,dword ptr ds:[ebx+403DCB]
处理异常代码:
0046DB9A /EB 03 jmp short 0046DB9F ; 0046DB9F
0046DB9C |9A F757558B EC53 call far 53EC:8B5557F7
0046DBA3 51 push ecx
0046DBA4 52 push edx
0046DBA5 56 push esi
去花后:
0046DB9F 55 push ebp
0046DBA0 8BEC mov ebp,esp
0046DBA2 53 push ebx
0046DBA3 51 push ecx
0046DBA4 52 push edx
0046DBA5 56 push esi
0046DBA6 8B4D 08 mov ecx,dword ptr ss:[ebp+8]
0046DBB1 8B55 10 mov edx,dword ptr ss:[ebp+10]
0046DBBD 8B41 0C mov eax,dword ptr ds:[ecx+C]
0046DBC3 66:8B00 mov ax,word ptr ds:[eax]
0046DBCB 66:3D CDF5 cmp ax,0F5CD///int 0F5异常?
0046DBD2 74 38 je short 0046DC0C ; 0046DC0C
0046DBD9 66:3D CDF6 cmp ax,0F6CD///int 0F6异常?
0046DBE0 74 5F je short 0046DC41 ; 0046DC41
0046DBE7 66:3D CDF7 cmp ax,0F7CD///int 0F7异常?
0046DBF0 0F84 CD000000 je 0046DCC3 ; 0046DCC3
0046DBFA B8 00000000 mov eax,0
0046DC03 E9 16010000 jmp 0046DD1E ; 0046DD1E
0046DC10 B8 00000000 mov eax,0
0046DC19 8942 04 mov dword ptr ds:[edx+4],eax///清DRX
0046DC20 8942 08 mov dword ptr ds:[edx+8],eax///清DRX
0046DC27 8942 0C mov dword ptr ds:[edx+C],eax///清DRX
0046DC2D 8942 10 mov dword ptr ds:[edx+10],eax///清DRX
0046DC38 E9 E1000000 jmp 0046DD1E
0046DC44 51 push ecx
0046DC49 52 push edx
0046DC4D 8B82 C4000000 mov eax,dword ptr ds:[edx+C4]
0046DC56 8B30 mov esi,dword ptr ds:[eax]
0046DC5D 8382 C4000000 04 add dword ptr ds:[edx+C4],4
0046DC67 8B9A A4000000 mov ebx,dword ptr ds:[edx+A4]
0046DC71 8D83 E0204000 lea eax,dword ptr ds:[ebx+4020E0]
0046DC7A 50 push eax
0046DC80 6A 00 push 0
0046DC85 53 push ebx
0046DC8B 56 push esi
0046DC8F 6A 00 push 0
0046DC96 6A 00 push 0
0046DC9B FF93 1B1F4000 call near dword ptr ds:[ebx+401F1B] ; kernel32.CreateThread///int 0F6异常,创建线程。
0046DCB2 5A pop edx
0046DCB6 59 pop ecx
0046DCBA EB 07 jmp short 0046DCC3
0046DCC6 B8 00000000 mov eax,0
0046DCCE 0342 04 add eax,dword ptr ds:[edx+4]///取DRX
0046DCD4 0342 08 add eax,dword ptr ds:[edx+8]///取DRX,并相加
0046DCDA 0342 0C add eax,dword ptr ds:[edx+C]///取DRX,并相加
0046DCE0 0342 10 add eax,dword ptr ds:[edx+10]///取DRX,并相加
0046DCE8 8982 B0000000 mov dword ptr ds:[edx+B0],eax///保存DRX
0046DCF1 B8 00000000 mov eax,0
0046DCFA 8942 04 mov dword ptr ds:[edx+4],eax///清DRX
0046DD00 8942 08 mov dword ptr ds:[edx+8],eax///清DRX
0046DD07 8942 0C mov dword ptr ds:[edx+C],eax///清DRX
0046DD0D 8942 10 mov dword ptr ds:[edx+10],eax///清DRX
0046DD16 EB 06 jmp short 0046DD1E
0046DD21 8382 B8000000 02 add dword ptr ds:[edx+B8],2
0046DD2B B8 00000000 mov eax,0
0046DD42 5E pop esi
0046DD43 5A pop edx
0046DD44 59 pop ecx
0046DD45 5B pop ebx
0046DD46 C9 leave
0046DD47 C2 1000 retn 10
二、线程
当int 0F6异常时会来到0046DC9B处创建线程:
0012FB90 0046DCA1 /CALL 到 CreateThread 来自 ccc.0046DC9B
0012FB94 00000000 |pSecurity = NULL
0012FB98 00000000 |StackSize = 0
0012FB9C 0046D9CA |ThreadFunction = ccc.0046D9CA///线程函数入口。
0012FBA0 0006C000 |pThreadParm = 0006C000
0012FBA4 00000000 |CreationFlags = 0
0012FBA8 0046E0E0 \pThreadId = ccc.0046E0E0
到线程入口处下断:
0046D9CA /EB 01 jmp short 0046D9CD///下断。
0046D9CC |9A 558BEC8B 5D08 call far 085D:8BEC8B55
0046D9D3 EB 02 jmp short 0046D9D7 ; 0046D9D7
0046D9D5 9A B4EB039A 7BEB call far EB7B:9A03EBB4
0046D9DC EB 01 jmp short 0046D9DF ; 0046D9DF
0046D9DE 9A EB039A3B ABEB call far EBAB:3B9A03EB
0046D9E5 019A EB039AEB add dword ptr ds:[edx+EB9A03EB],ebx
0046D9EB 6BEB 01 imul ebp,ebx,1
SHIFT+F9后断下。去花后:
0046D9CD 55 push ebp
0046D9CE 8BEC mov ebp,esp
0046D9D0 8B5D 08 mov ebx,dword ptr ss:[ebp+8]
0046DA2B F783 E4204000 00000080 test dword ptr ds:[ebx+4020E4],80000000
0046DA38 0F85 20010000 jnz 0046DB5E
0046DA4A F783 F8204000 01000000 test dword ptr ds:[ebx+4020F8],1
0046DA57 74 36 je short 0046DA8F
0046DA5D 83A3 F8204000 FE and dword ptr ds:[ebx+4020F8],FFFFFFFE
0046DA69 83A3 E4204000 FE and dword ptr ds:[ebx+4020E4],FFFFFFFE
0046DA73 83A3 F0204000 FE and dword ptr ds:[ebx+4020F0],FFFFFFFE
0046DA7E 8D93 F6124000 lea edx,dword ptr ds:[ebx+4012F6]
0046DA87 E9 91000000 jmp 0046DB1D
0046DA92 F783 F8204000 02000000 test dword ptr ds:[ebx+4020F8],2
0046DA9F 74 30 je short 0046DAD1
0046DAA4 83A3 F8204000 FD and dword ptr ds:[ebx+4020F8],FFFFFFFD
0046DAAF 83A3 E4204000 FD and dword ptr ds:[ebx+4020E4],FFFFFFFD
0046DAB9 83A3 F0204000 FD and dword ptr ds:[ebx+4020F0],FFFFFFFD
0046DAC3 8D93 04314000 lea edx,dword ptr ds:[ebx+403104]
0046DACC EB 4F jmp short 0046DB1D
0046DAD4 F783 F8204000 04000000 test dword ptr ds:[ebx+4020F8],4
0046DAE2 74 30 je short 0046DB14
0046DAE7 83A3 F8204000 FB and dword ptr ds:[ebx+4020F8],FFFFFFFB
0046DAF1 83A3 E4204000 FB and dword ptr ds:[ebx+4020E4],FFFFFFFB
0046DAFB 83A3 F0204000 FB and dword ptr ds:[ebx+4020F0],FFFFFFFB
0046DB06 8D93 66284000 lea edx,dword ptr ds:[ebx+402866]
0046DB0F EB 0C jmp short 0046DB1D
0046DB17 EB 38 jmp short 0046DB51
0046DB20 8D83 E0204000 lea eax,dword ptr ds:[ebx+4020E0]
0046DB2A 50 push eax
0046DB2E 6A 00 push 0
0046DB33 53 push ebx
0046DB37 52 push edx
0046DB3C 6A 00 push 0
0046DB41 6A 00 push 0
0046DB48 FF93 1B1F4000 call near dword ptr ds:[ebx+401F1B] ; kernel32.CreateThread///又创建线程了。
0046DB56 ^ E9 CCFEFFFF jmp 0046DA27///循环。
0046DB62 81A3 E4204000 FFFFFF7F and dword ptr ds:[ebx+4020E4],7FFFFFFF
0046DB6F 818B F0204000 00000080 or dword ptr ds:[ebx+4020F0],80000000
0046DB7E C9 leave
0046DB7F C2 0400 retn 4
在0046DB48处共创建3个线程:
1、检测代码完整性
00A4FF9C 0046DB4E /CALL 到 CreateThread 来自 ccc.0046DB48
00A4FFA0 00000000 |pSecurity = NULL
00A4FFA4 00000000 |StackSize = 0
00A4FFA8 0046D2F6 |ThreadFunction = ccc.0046D2F6///线程入口。
00A4FFAC 0006C000 |pThreadParm = 0006C000
00A4FFB0 00000000 |CreationFlags = 0///将0改为4,让线程挂起。
00A4FFB4 0046E0E0 \pThreadId = ccc.0046E0E0
2、解压代码:
00A4FF9C 0046DB4E /CALL 到 CreateThread 来自 ccc.0046DB48
00A4FFA0 00000000 |pSecurity = NULL
00A4FFA4 00000000 |StackSize = 0
00A4FFA8 0046F104 |ThreadFunction = ccc.0046F104///线程入口。
00A4FFAC 0006C000 |pThreadParm = 0006C000
00A4FFB0 00000000 |CreationFlags = 0
00A4FFB4 0046E0E0 \pThreadId = ccc.0046E0E0
这个是关键线程。
3、检测API:
00A4FF9C 0046DB4E /CALL 到 CreateThread 来自 ccc.0046DB48
00A4FFA0 00000000 |pSecurity = NULL
00A4FFA4 00000000 |StackSize = 0
00A4FFA8 0046E866 |ThreadFunction = ccc.0046E866///线程入口。
00A4FFAC 0006C000 |pThreadParm = 0006C000
00A4FFB0 00000000 |CreationFlags = 0///将0改为4,让线程挂起。
00A4FFB4 0046E0E0 \pThreadId = ccc.0046E0E0
上述1、3两个线程挂起后:
0046DB48 FF93 1B1F4000 call near dword ptr ds:[ebx+401F1B] ; kernel32.CreateThread///又创建线程了。
0046DB56 ^ E9 CCFEFFFF jmp 0046DA27///循环。
0046DB62 81A3 E4204000 FFFFFF7F and dword ptr ds:[ebx+4020E4],7FFFFFFF///此处新建EIP,跳出循环。
0046DB6F 818B F0204000 00000080 or dword ptr ds:[ebx+4020F0],80000000
0046DB7E C9 leave
0046DB7F C2 0400 retn 4///返回到系统代码。
77E1A990 50 push eax///返回这里。
77E1A991 E8 E0D40000 call 77E27E76 ; ExitThread///退出线程。
77E1A996 90 nop
走到77E1A990时到第二个线程的入口0046F104处下断:
0046F104 /EB 01 jmp short 0046F107///下断。
0046F106 |9A 558BEC8B 5D08 call far 085D:8BEC8B55
0046F10D EB 03 jmp short 0046F112
0046F10F 9A 09018D83 9A1B call far 1B9A:838D0109
0046F116 40 inc eax
下断后连续F8两次会断在第二个线程的入口处,去花后:
0046F107 55 push ebp
0046F108 8BEC mov ebp,esp
0046F10A 8B5D 08 mov ebx,dword ptr ss:[ebp+8]
0046F112 8D83 9A1B4000 lea eax,dword ptr ds:[ebx+401B9A]
0046F120 50 push eax
0046F121 6A 01 push 1
0046F123 E8 B6E7FFFF call 0046D8DE///检测CC
0046F137 F783 E4204000 02000000 test dword ptr ds:[ebx+4020E4],2
0046F146 0F85 D8000000 jnz 0046F224
0046F14F F783 56214000 02000000 test dword ptr ds:[ebx+402156],2
0046F15E ^ 74 D4 je short 0046F134
0046F173 8BB3 6A214000 mov esi,dword ptr ds:[ebx+40216A]; ccc.0046F4A5///待解压代码起始地址。
0046F183 8BC6 mov eax,esi
0046F18D CD F7 int 0F7///制造异常,根据前面的分析,只要改为xor eax,eax即可。
0046F197 8BBB 72214000 mov edi,dword ptr ds:[ebx+402172]; ccc.0046FE5C///待解压代码结束地址。
0046F1A5 03F8 add edi,eax
0046F1AE 8B83 B4204000 mov eax,dword ptr ds:[ebx+4020B4]
0046F1BC 3BF7 cmp esi,edi
0046F1C2 73 34 jnb short 0046F1F8///解压结束则跳走。
0046F1C7 3006 xor byte ptr ds:[esi],al///开始解压。
0046F1CD 40 inc eax
0046F1D3 C1C8 07 ror eax,7
0046F1DA 8BD0 mov edx,eax
0046F1DF CD F7 int 0F7///制造异常,根据前面的分析,只要改为xor eax,eax即可。
0046F1E9 03C2 add eax,edx
0046F1EE 46 inc esi
0046F1F3 ^ EB C3 jmp short 0046F1B8///继续。
0046F200 83A3 56214000 FD and dword ptr ds:[ebx+402156],FFFFFFFD///F4到这里。这段代码全部解压结束。
0046F20E 838B 3F214000 02 or dword ptr ds:[ebx+40213F],2
0046F218 ^ E9 12FFFFFF jmp 0046F12F
0046F227 83A3 56214000 FD and dword ptr ds:[ebx+402156],FFFFFFFD///新建EIP跳出循环。
0046F232 6A 00 push 0
0046F234 6A 00 push 0
0046F236 E8 A3E6FFFF call 0046D8DE///检测CC
0046F23E 838B F0204000 02 or dword ptr ds:[ebx+4020F0],2
0046F24A C9 leave
0046F24B C2 0400 retn 4///返回到系统代码。
77E1A990 50 push eax///返回到这里。
77E1A991 E8 E0D40000 call 77E27E76 ; ExitThread///F8过。
三、解压子进程代码
走过77E1A991时会陷入死循环。F12暂停。然后到0046F4A5处新建EIP。
0046F4A5 /EB 03 jmp short 0046F4AA///新建EIP。
0046F4A7 |9A 37A7EB01 9AEB call far EB9A:01EBA737
0046F4AE 039A E767EB01 add ebx,dword ptr ds:[edx+1EB67E7]
0046F4B4 9A EB039AB7 27E8 call far E827:B79A03EB
0046F4BB 0000 add byte ptr ds:[eax],al
0046F4BD 0000 add byte ptr ds:[eax],al
新建EIP后用F7走几步。
去花后:
0046F4C3 5B pop ebx
0046F4C9 81EB BF344000 sub ebx,4034BF
0046F4D4 EB 1C jmp short 0046F4F2
0046F4FA 8B93 BF1D4000 mov edx,dword ptr ds:[ebx+401DBF]
0046F503 8B72 3C mov esi,dword ptr ds:[edx+3C]
0046F50A 8DB432 F8000000 lea esi,dword ptr ds:[edx+esi+F8]
0046F516 8BFE mov edi,esi
0046F520 6BB3 76214000 28 imul esi,dword ptr ds:[ebx+402176],28
0046F52B 03F7 add esi,edi
0046F530 EB 37 jmp short 0046F569
0046F539 837E 0C 00 cmp dword ptr ds:[esi+C],0
0046F540 74 1D je short 0046F55F
0046F547 837E 08 00 cmp dword ptr ds:[esi+8],0
0046F54E 74 0F je short 0046F55F
0046F553 83C6 28 add esi,28
0046F559 ^ EB C1 jmp short 0046F51C
0046F562 83EE 28 sub esi,28
0046F56C 83EE 28 sub esi,28
0046F575 3BF7 cmp esi,edi
0046F57B 0F82 63020000 jb 0046F7E4
0046F589 52 push edx
0046F58D 8D83 BC204000 lea eax,dword ptr ds:[ebx+4020BC]
0046F598 50 push eax
0046F59C 8B83 AC204000 mov eax,dword ptr ds:[ebx+4020AC]
0046F5A7 6A 04 push 4
0046F5B6 0183 682B4000 add dword ptr ds:[ebx+402B68],eax
0046F5C3 8B46 08 mov eax,dword ptr ds:[esi+8]
0046F5CF F783 D8204000 FFFFFFFF test dword ptr ds:[ebx+4020D8],FFFFFFFF
0046F5DF 0F84 EA010000 je 0046F7CF
0046F5EF 50 push eax
0046F5F5 8B46 0C mov eax,dword ptr ds:[esi+C]
0046F5FB 03C2 add eax,edx
0046F602 50 push eax
00046F606 FF93 D31E4000 call near dword ptr ds:[ebx+401ED3]
0046F611 5A pop edx
0046F61A FFB3 BC204000 push dword ptr ds:[ebx+4020BC]
0046F62A 8B83 7A214000 mov eax,dword ptr ds:[ebx+40217A]
0046F638 CD F7 int 0F7///改为xor eax,eax
0046F642 0183 CF384000 add dword ptr ds:[ebx+4038CF],eax///破坏正常代码。如果EAX为0则不影响。
0046F654 E9 26010000 jmp 0046F77F
0046F675 8B4A 3C mov ecx,dword ptr ds:[edx+3C]
0046F67B 8D8C0A A8000000 lea ecx,dword ptr ds:[edx+ecx+A8]
0046F687 8B01 mov eax,dword ptr ds:[ecx]
0046F68C 83F8 00 cmp eax,0
0046F693 74 32 je short 0046F6C7
0046F698 0341 04 add eax,dword ptr ds:[ecx+4]
0046F69E 3B46 0C cmp eax,dword ptr ds:[esi+C]
0046F6A4 72 21 jb short 0046F6C7
0046F6AA 8B46 0C mov eax,dword ptr ds:[esi+C]
0046F6B0 0346 08 add eax,dword ptr ds:[esi+8]
0046F6B8 3B01 cmp eax,dword ptr ds:[ecx]
0046F6BD 0F87 0C010000 ja 0046F7CF
0046F6CA 8B4A 3C mov ecx,dword ptr ds:[edx+3C]
0046F6D1 8D8C0A 88000000 lea ecx,dword ptr ds:[edx+ecx+88]
0046F6DB 8B01 mov eax,dword ptr ds:[ecx]
0046F6E0 83F8 00 cmp eax,0
0046F6E6 74 35 je short 0046F71D
0046F6EC 0341 04 add eax,dword ptr ds:[ecx+4]
0046F6F2 3B46 0C cmp eax,dword ptr ds:[esi+C]
0046F6FA 72 21 jb short 0046F71D
0046F6FF 8B46 0C mov eax,dword ptr ds:[esi+C]
0046F707 0346 08 add eax,dword ptr ds:[esi+8]
0046F70D 3B01 cmp eax,dword ptr ds:[ecx]
0046F714 0F87 B5000000 ja 0046F7CF
0046F721 8B4A 3C mov ecx,dword ptr ds:[edx+3C]
0046F727 8D8C0A C0000000 lea ecx,dword ptr ds:[edx+ecx+C0]
0046F733 8B01 mov eax,dword ptr ds:[ecx]
0046F738 83F8 00 cmp eax,0
0046F740 74 39 je short 0046F77B
0046F747 0341 04 add eax,dword ptr ds:[ecx+4]
0046F74D 3B46 0C cmp eax,dword ptr ds:[esi+C]
0046F755 72 24 jb short 0046F77B
0046F75A 8B46 0C mov eax,dword ptr ds:[esi+C]
0046F762 0346 08 add eax,dword ptr ds:[esi+8]
0046F76A 3B01 cmp eax,dword ptr ds:[ecx]
0046F771 77 5C ja short 0046F7CF
0046F784 2983 2F384000 sub dword ptr ds:[ebx+40382F],eax///继续破坏。
0046F78E 8B46 08 mov eax,dword ptr ds:[esi+8]
0046F795 2B93 C0204000 sub edx,dword ptr ds:[ebx+4020C0]
0046F79F 3B46 10 cmp eax,dword ptr ds:[esi+10]
0046F7A6 76 0B jbe short 0046F7B3
0046F7AC 8B46 10 mov eax,dword ptr ds:[esi+10]
0046F7B6 8B4E 0C mov ecx,dword ptr ds:[esi+C]
0046F7C1 6A 00 push 0
0046F7C3 52 push edx
0046F7C4 50 push eax
0046F7C5 51 push ecx
0046F7C6 E8 E1F2FFFF call 0046EAAC///解压各区段代码。
0046F7D6 ^ E9 8EFDFFFF jmp 0046F569///循环解压。
0046F806 8B93 BF1D4000 mov edx,dword ptr ds:[ebx+401DBF]///到这里就可以DUMP了。
此时DUMP出来IAT没被破坏。输入表地址为60000。
继续:
0046F80F 8B72 3C mov esi,dword ptr ds:[edx+3C]///下面开始填充IAT了。
0046F815 8BB3 C4204000 mov esi,dword ptr ds:[ebx+4020C4]
0046F81E 83FE 00 cmp esi,0
0046F824 0F84 88010000 je 0046F9B2
0046F832 8B4432 0C mov eax,dword ptr ds:[edx+esi+C]
0046F83B 83F8 00 cmp eax,0
0046F841 0F84 6B010000 je 0046F9B2
0046F84A 03C2 add eax,edx
0046F84F 52 push edx
0046F854 50 push eax
0046F858 50 push eax
0046F85D FF93 F31E4000 call near dword ptr ds:[ebx+401EF3]
0046F866 E8 EDF9FFFF call 0046F258
0046F86E 5A pop edx
0046F872 8BC8 mov ecx,eax
0046F878 8B7C32 10 mov edi,dword ptr ds:[edx+esi+10]
0046F87F 03FA add edi,edx
0046F884 56 push esi
0046F888 8B0432 mov eax,dword ptr ds:[edx+esi]
0046F88E 83F8 00 cmp eax,0
0046F894 75 0B jnz short 0046F8A1
0046F89A 8B4432 10 mov eax,dword ptr ds:[edx+esi+10]
0046F8A6 8BF0 mov esi,eax
0046F8AE F783 D8204000 FFFFFFFF test dword ptr ds:[ebx+4020D8],FFFFFFFF
0046F8BF 74 0E je short 0046F8CF
0046F8C8 03F2 add esi,edx
0046F8D2 833E 00 cmp dword ptr ds:[esi],0
0046F8DA 0F84 BA000000 je 0046F99A
0046F8E3 8B06 mov eax,dword ptr ds:[esi]
0046F8EA A9 00000080 test eax,80000000
0046F8F4 75 1E jnz short 0046F914
0046F8FB 3BC1 cmp eax,ecx
0046F900 73 12 jnb short 0046F914
0046F907 03C2 add eax,edx
0046F90C 83C0 02 add eax,2
0046F917 50 push eax
0046F91D 50 push eax
0046F921 51 push ecx
0046F926 E8 0DDCFFFF call 0046D538
0046F92E E8 25F9FFFF call 0046F258
0046F937 83F8 00 cmp eax,0
0046F93E 74 13 je short 0046F953
0046F944 E8 79F4FFFF call 0046EDC2
0046F94D 8907 mov dword ptr ds:[edi],eax///加密后的IAT地址移入地址表。
0046F956 8B83 AC204000 mov eax,dword ptr ds:[ebx+4020AC]
0046F960 0107 add dword ptr ds:[edi],eax
0046F967 83C7 04 add edi,4
0046F971 F783 E0204000 FFFFFFFF test dword ptr ds:[ebx+4020E0],FFFFFFFF
0046F983 74 15 je short 0046F99A
0046F98B 83C6 04 add esi,4
0046F991 ^ E9 39FFFFFF jmp 0046F8CF///循环。
0046F99D 5E pop esi
0046F9A3 83C6 14 add esi,14
0046F9A9 ^ E9 81FEFFFF jmp 0046F82F///循环。
0046F9B9 8B83 AC204000 mov eax,dword ptr ds:[ebx+4020AC]///F4到这里。
0046F9C2 8BBB C4204000 mov edi,dword ptr ds:[ebx+4020C4]///EAX=60000 即输入表地址。
0046F9CD 03FA add edi,edx///EDI=460000
0046F9D2 8B8B C8204000 mov ecx,dword ptr ds:[ebx+4020C8]
0046F9DD 3183 B71D4000 xor dword ptr ds:[ebx+401DB7],eax
0046F9E6 B0 00 mov al,0
0046F9FF 8B93 BF1D4000 mov edx,dword ptr ds:[ebx+401DBF]
0046FA0A 8B72 3C mov esi,dword ptr ds:[edx+3C]
0046FA10 8BB3 CC204000 mov esi,dword ptr ds:[ebx+4020CC]
0046FA27 83FE 00 cmp esi,0
0046FA2F 0F84 D5000000 je 0046FB0A
0046FA38 8D3432 lea esi,dword ptr ds:[edx+esi]
0046FA43 833E 00 cmp dword ptr ds:[esi],0
0046FA4B 0F84 B9000000 je 0046FB0A
0046FA54 56 push esi
0046FA5A 8B3E mov edi,dword ptr ds:[esi]
0046FA5F 8B4E 04 mov ecx,dword ptr ds:[esi+4]
0046FA67 83E9 08 sub ecx,8
0046FA6D D1E9 shr ecx,1
0046FA77 0FB746 08 movzx eax,word ptr ds:[esi+8]
0046FA80 50 push eax
0046FA84 66:25 0030 and ax,3000
0046FA8C 66:3D 0030 cmp ax,3000
0046FA94 58 pop eax
0046FA99 75 4B jnz short 0046FAE6
0046FA9F 66:25 FF0F and ax,0FFF
0046FAA7 03C7 add eax,edi
0046FAAC 011402 add dword ptr ds:[edx+eax],edx
0046FAB3 51 push ecx
0046FAB7 8B8B D4204000 mov ecx,dword ptr ds:[ebx+4020D4]
0046FAC1 290C02 sub dword ptr ds:[edx+eax],ecx
0046FAC8 8B8B C0204000 mov ecx,dword ptr ds:[ebx+4020C0]
0046FAD2 038B BB1D4000 add ecx,dword ptr ds:[ebx+401DBB]
0046FADB 290C02 sub dword ptr ds:[edx+eax],ecx
0046FAE2 59 pop ecx
0046FAEA 83C6 02 add esi,2
0046FAF1 ^ E2 81 loopd short 0046FA74
0046FAF7 5E pop esi
0046FAFC 0376 04 add esi,dword ptr ds:[esi+4]
0046FB02 ^ E9 39FFFFFF jmp 0046FA40
0046FB21 8BBB CC204000 mov edi,dword ptr ds:[ebx+4020CC]
0046FB2C 03FA add edi,edx
0046FB31 8B8B D0204000 mov ecx,dword ptr ds:[ebx+4020D0]
0046FB3C B0 00 mov al,0
0046FB4D 8B83 B4204000 mov eax,dword ptr ds:[ebx+4020B4]
0046FB5B 8B93 BF1D4000 mov edx,dword ptr ds:[ebx+401DBF]
0046FB64 8B72 3C mov esi,dword ptr ds:[edx+3C]
0046FB6C 8DB432 F8000000 lea esi,dword ptr ds:[edx+esi+F8]
00046FB76 8BFE mov edi,esi
0046FB7C 3183 B71D4000 xor dword ptr ds:[ebx+401DB7],eax
0046FB89 6BB3 76214000 28 imul esi,dword ptr ds:[ebx+402176],28
0046FB93 03F7 add esi,edi
0046FB9A EB 44 jmp short 0046FBE0
0046FBB7 837E 0C 00 cmp dword ptr ds:[esi+C],0
0046FBBE 74 20 je short 0046FBE0
0046FBC5 837E 08 00 cmp dword ptr ds:[esi+8],0
0046FBCC 74 12 je short 0046FBE0
0046FBD3 83C6 28 add esi,28
0046FBD9 ^ EB AA jmp short 0046FB85
0046FBE3 83EE 28 sub esi,28
0046FBEB 87FE xchg esi,edi
0046FBFA 3BF7 cmp esi,edi
0046FC01 77 69 ja short 0046FC6C
0046FC0A 59 pop ecx
0046FC0F 52 push edx
0046FC19 8D83 BC204000 lea eax,dword ptr ds:[ebx+4020BC]
0046FC23 50 push eax
0046FC2F 51 push ecx
0046FC34 FF76 08 push dword ptr ds:[esi+8]
0046FC3B 8B46 0C mov eax,dword ptr ds:[esi+C]
0046FC42 03C2 add eax,edx
0046FC47 50 push eax
0046FC4C FF93 D31E4000 call near dword ptr ds:[ebx+401ED3] ; kernel32.VirtualProtect
0046FC57 5A pop edx
0046FC5E 83C6 28 add esi,28
0046FC67 ^ EB 89 jmp short 0046FBF2
0046FC73 8B83 B71D4000 mov eax,dword ptr ds:[ebx+401DB7]///eax=0004B720
0046FC7E 03C2 add eax,edx///edx=00400000 (ccc.00400000)
0046FC87 0383 C0204000 add eax,dword ptr ds:[ebx+4020C0]///eax=44b720入口地址!
0046FC93 3383 BB1D4000 xor eax,dword ptr ds:[ebx+401DBB]
0046FCA0 50 push eax
0046FCB1 838B E4204000 07 or dword ptr ds:[ebx+4020E4],7
0046FCBC 818B E4204000 00000080 or dword ptr ds:[ebx+4020E4],80000000
0046FCCE 8B83 F0204000 mov eax,dword ptr ds:[ebx+4020F0]
0046FCD7 25 07000080 and eax,80000007
0046FCE0 35 07000080 xor eax,80000007
0046FCE8 ^ 75 DF jnz short 0046FCC9///死循环。
0046FCF1 58 pop eax///新建EIP跳出循环,弹出入口地址。
0046FCFA 8983 B33D4000 mov dword ptr ds:[ebx+403DB3],eax
0046FD08 6A 00 push 0
0046FD0A 6A 00 push 0
0046FD0C E8 CDDBFFFF call 0046D8DE///检测CC
0046FD22 838B 20214000 01 or dword ptr ds:[ebx+402120],1
0046FD39 80BB DE224000 02 cmp byte ptr ds:[ebx+4022DE],2
0046FD45 75 0D jnz short 0046FD54 ; 0046FD54
0046FD4A EB 3F jmp short 0046FD8B ; 0046FD8B
0046FD6B 8DBB 00104000 lea edi,dword ptr ds:[ebx+401000]///edi=46d000
0046FD76 B9 8B2D0000 mov ecx,2D8B///下面将清零从46D000开始,大小2D8B字节的代码。
0046FD83 B0 00 mov al,0
0046FD89 F3:AA rep stos byte ptr es:[edi]///开始清零。
0046FD98 61 popad
0046FD9D 9D popfd
0046FDB2 68 20B74400 push 44B720///走到这里时PUSH值变成入口地址了。原来是push 0BC614E
0046FDBA C3 retn///返回到入口。
0044B720 55 push ebp///OEP。
0044B721 8BEC mov ebp,esp
0044B723 6A FF push -1
0044B725 68 802D4200 push 422D80
0044B72A 68 1AB74400 push 44B71A
0044B72F 64:A1 00000000 mov eax,dword ptr fs:[0]
0044B735 50 push eax
0044B736 64:8925 00000000 mov dword ptr fs:[0],esp
0044B73D 83EC 68 sub esp,68
0044B740 53 push ebx
0044B741 56 push esi
0044B742 57 push edi
0044B743 8965 E8 mov dword ptr ss:[ebp-18],esp
0044B746 33DB xor ebx,ebx
0044B748 895D FC mov dword ptr ss:[ebp-4],ebx
0044B74B 6A 02 push 2
0044B74D FF15 E0124000 call near dword ptr ds:[4012E0]
0044B753 59 pop ecx
0044B754 830D C8E64400 FF or dword ptr ds:[44E6C8],FFFFFFFF
0044B75B 830D CCE64400 FF or dword ptr ds:[44E6CC],FFFFFFFF
最后将DUMP出来的文件调整一下:
入口地址:4B720
输入表地址:60000
再将最后一个区段删除。
由于DUMP时IAT未被加密,所以不用修复。
保存,OK。可以说是完美脱壳了:)