astonshell 1.90
www.astonshell.com
This is a very good Windows shell replacement tool; unfortunately it is English-only. I unpacked 1.90 a while ago and also did a partial Chinese localization (I was lazy). Now that I see a comrade wants to do the localization, I am posting my unpacking notes for 1.90. It hardly counts as a tutorial, heh. I could not unpack 1.91; it probably uses the SDK. Hoping an expert can step in!
a-msater.exe v1.9, ASPR 1.24 RC4 packer
Traced through once more and tidied up:
=======
OD + OllyScript: follow it with the script made specifically for finding ASPR STOLEN BYTES, or trace by hand; remember to remove the memory-access exception
0042CA5B 0000 ADD BYTE PTR DS:[EAX],AL
0042CA5D 0000 ADD BYTE PTR DS:[EAX],AL
0042CA5F E8 AC46FDFF CALL A-MAST~2.00401110 >>>
0042CA64 E8 EB18FEFF CALL A-MAST~2.0040E354 ; returns here, fake OEP
0042CA69 E8 9E45FDFF CALL A-MAST~2.0040100C
========
00401110 31C0 XOR EAX,EAX <<< // OD can trace to here,
/// actually this is a CALL kernel32.GetModuleHandleA near the OEP that ASPR modified, so this is where to dump.
00401112 50 PUSH EAX
00401113 E8 E8FFFFFF CALL A-MAST~2.00401100 >>>
00401118 8905 08004300 MOV DWORD PTR DS:[430008],EAX
0040111E C3 RETN
00401100 - FF25 08114400 JMP DWORD PTR DS:[441108] <<<..>>>
00401106 8BC0 MOV EAX,EAX
00401108 - FF25 04114400 JMP DWORD PTR DS:[441104]
0040110E 8BC0 MOV EAX,EAX
00401110 31C0 XOR EAX,EAX
009B1C64 55 PUSH EBP <<<<
009B1C65 8BEC MOV EBP,ESP
009B1C67 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
009B1C6A 85C0 TEST EAX,EAX
009B1C6C 75 13 JNZ SHORT 009B1C81
009B1C6E 813D A47A9B00 0>CMP DWORD PTR DS:[9B7AA4],400000 ; ASCII "MZP"
009B1C78 75 07 JNZ SHORT 009B1C81
009B1C7A A1 A47A9B00 MOV EAX,DWORD PTR DS:[9B7AA4]
009B1C7F EB 06 JMP SHORT 009B1C87
009B1C81 50 PUSH EAX
009B1C82 E8 3135FFFF CALL 009A51B8 ; JMP to kernel32.GetModuleHandleA
009B1C87 5D POP EBP
009B1C88 C2 0400 RETN 4
===
009C6C92 55 PUSH EBP ; looks like the STOLEN BYTES, i.e. the code at the OEP; working it out, the OEP should be 42CA54
009C6C93 8BEC MOV EBP,ESP
009C6C95 53 PUSH EBX
009C6C96 56 PUSH ESI
009C6C97 8B75 0C MOV ESI,DWORD PTR SS:[EBP+C]
009C6C9A 8B5D 08 MOV EBX,DWORD PTR SS:[EBP+8] ; // up to here
009C6C9D EB 11 JMP SHORT 009C6CB0
=====
===
0042C6D0 . B8 ACE84200 MOV EAX,ADUMP-~3.0042E8AC ; the 13 bytes starting at 42e8ac are encrypted.
Ciphertext: 0042E8AC 5A 5A 88 44 07 8D 07 F7 39 85 0B F3 EE
Decrypted: 0042E8AC 5B 58 8B 40 02 8B 00 FF 30 8F 00 FF E3
// decrypted via 0042C6D5 3018 XOR BYTE PTR DS:[EAX],BL, with BL incremented by 1 each round.
0042C6D5 EB 07 JMP SHORT ADUMP-~3.0042C6DE ; patched instruction: the decryption code below no longer runs, and the ciphertext can simply be replaced with the plaintext, since we still need to patch the decrypted code.
0042C6D7 . 43 INC EBX
0042C6D8 . 40 INC EAX
0042C6D9 . 83FB 0E CMP EBX,0E
0042C6DC .^ 75 F7 JNZ SHORT ADUMP-~3.0042C6D5
0042C6DE . 33C0 XOR EAX,EAX ; jumps to here
0042C6E0 . 55 PUSH EBP
0042C6E1 . 68 07C74200 PUSH ADUMP-~3.0042C707
0042C6E6 . 64:FF30 PUSH DWORD PTR FS:[EAX]
---
Another encrypted segment
0042C727 E8 8C49FDFF CALL A-MAST~2.004010B8
0042C72C BB 01000000 MOV EBX,1
0042C731 B8 ACE84200 MOV EAX,A-MAST~2.0042E8AC ; here 42E8AC
0042C736 3018 XOR BYTE PTR DS:[EAX],BL
0042C738 43 INC EBX
0042C739 40 INC EAX
0042C73A 83FB 0E CMP EBX,0E
0042C73D ^ 75 F7 JNZ SHORT A-MAST~2.0042C736
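An added example (my own, not from the original post) that reproduces two of the checks above offline: the 13-byte XOR loop at 0042C6D5 / 0042C736 run over the ciphertext and plaintext listed for 0042E8AC, and the "OEP should be 42CA54" arithmetic from the stolen bytes. The function names are mine, and the 11-byte prologue is taken from the patched OEP listing (PUSH EBP / MOV EBP,ESP / ADD ESP,-0C / MOV EAX,0042C944); the stolen-bytes sequence at 009C6C92 is also 11 bytes, so the result is the same.

```python
# Added example, not from the original post: emulate the ASPR XOR loop and
# the OEP arithmetic from the write-up so both can be checked offline.

# Bytes at 0042E8AC as listed in the post (ciphertext and its decryption).
CIPHER_42E8AC = bytes.fromhex("5A5A8844078D07F739850BF3EE")
PLAIN_42E8AC = bytes.fromhex("5B588B40028B00FF308F00FFE3")

# The 11-byte Delphi prologue shown at the patched OEP (assumed to be the
# stolen code): PUSH EBP / MOV EBP,ESP / ADD ESP,-0C / MOV EAX,0042C944
STOLEN_PROLOGUE = bytes.fromhex("558BEC83C4F4B844C94200")
FIRST_CALL_AFTER_OEP = 0x0042CA5F  # where the debugger lands (CALL 00401110)


def aspr_xor_decrypt(data: bytes, start_key: int = 1, end_key: int = 0x0E) -> bytes:
    """Emulate the loop at 0042C736 (identical to the one at 0042C6D5):
         MOV EBX,1 ; MOV EAX,0042E8AC
    L:   XOR BYTE PTR [EAX],BL ; INC EBX ; INC EAX ; CMP EBX,0E ; JNZ L
    The key counts 1,2,...,0D, so exactly end_key - start_key bytes (13)
    are touched.  XOR is its own inverse: feeding the plaintext back in
    yields the ciphertext again, which is why the post can simply write
    the decrypted bytes into the dump and jump over the loop.
    """
    count = end_key - start_key
    if len(data) < count:
        raise ValueError(f"loop would run past the buffer: needs {count} bytes")
    out = bytearray(data)
    ebx = start_key
    for eax in range(count):        # EAX walks the buffer, EBX is the key
        out[eax] ^= ebx & 0xFF      # only BL (the low byte of EBX) is used
        ebx += 1
    return bytes(out)


def oep_from_stolen_bytes(return_addr: int, stolen: bytes) -> int:
    """ASPR runs the stolen prologue in its own memory and then returns to
    the first instruction after it; the original OEP is that landing
    address minus the size of the stolen code (0042CA5F - 11 = 0042CA54)."""
    return return_addr - len(stolen)


if __name__ == "__main__":
    dec = aspr_xor_decrypt(CIPHER_42E8AC)
    status = "OK" if dec == PLAIN_42E8AC else "MISMATCH"
    print("decrypted:", dec.hex(" ").upper(), status)
    print("OEP: %08X" % oep_from_stolen_bytes(FIRST_CALL_AFTER_OEP, STOLEN_PROLOGUE))
```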
---
0042E8B3 FF30 PUSH DWORD PTR DS:[EAX] ; EAX is the address of GETSYSTEMTIME... note this code is decrypted dynamically at 42C6D0
0042E8B5 8F00 POP DWORD PTR DS:[EAX] ; once unpacked, the POP into the GETSYSTEMTIME function address raises an exception here; this is probably a check for whether the program has been unpacked.
0042E8B7 FFE3 JMP EBX
----
0042C48C |. 8B00 MOV EAX,DWORD PTR DS:[EAX] ; |
0042C48E |. 50 PUSH EAX ; |hModule
0042C48F |. E8 844DFDFF CALL <JMP.&kernel32.GetProcAddress> ; \GetProcAddress
0042C494 |. FFD0 CALL EAX /// exception; in the packed program EAX returns 1B, haha, which is actually the number of days remaining.
/// can be patched like this: 0042C494 B0 FF MOV AL,0FF
0042C496 |. 8B15 C0EE4200 MOV EDX,DWORD PTR DS:[42EEC0] ; A-MAST~4.00440E7C
0042C49C |. 8902 MOV DWORD PTR DS:[EDX],EAX
0042C49E |. A1 C0EE4200 MOV EAX,DWORD PTR DS:[42EEC0]
0042C4A3 |. 8338 00 CMP DWORD PTR DS:[EAX],0
0042C4A6 |. 74 02 JE SHORT A-MAST~4.0042C4AA
0042C4A8 |. B3 01 MOV BL,1
After fixing the IAT this way the ABOUT window no longer flickers. But it will definitely break under 9X, because the IAT is different.
Fixed the IAT under 98 and it runs normally. The IAT is attached below; from past experience, an IAT fixed under 98 also runs under 2K and XP.
*******************************************************************
===
First trace::>>
AsprDbgr debug output:
AsprDbgr v1.0beta (:P) Made by me... Manko.
iEP=401000 (C:\temp\1\1\A-master19.exe)
GST returns to: 992667
Trick aspr GST... (EAX=12121212h)
GV returns to: 9A1A61
IAT Start: 441104 // where the IAT starts
End: 4414FC
Length: 3F8 // size of the IAT; the IAT table can now be rebuilt with IMPORTREC.
IATentry 441108 = 9A1C64 resolved as GetModuleHandleA
IATentry 441178 = 9A17A4 resolved as GetProcAddress
IATentry 44117C = 9A1C64 resolved as GetModuleHandleA
IATentry 441194 = 9A1CD8 resolved as GetCommandLineA
IATentry 44133C = 9A1D14 resolved as DialogBoxParamA
11 invalid entries erased.
Dip-Table at adress: 9A7AB4
0 412F20 0 0 0 0 0 42C514 40E2F4 40E344 0 0 0 0
Last SEH passed. Searching for signatures. Singlestepping to OEP!
Call + OEP-jump-setup at: 9B73D9 ( Code: E8000000 5D81ED )
Mutated, stolen bytes at: 9B7424 ( Code: 61F2EB01 9A2EEB01 )
Erase of stolen bytes at: 9B7388 ( Code: 9CFCBFC7 739B00B9 )
Repz ... found. Skipping erase of stolen bytes. ;)
Dip from pre-OEP: 401100 (Reached from: 9B7399)
Sugested tempOEP at: 7FFDEFFB
DebugProcess ended. (??)
====
009A1C64 55 PUSH EBP ; this is probably the original code at the OEP.
009A1C65 8BEC MOV EBP,ESP
009A1C67 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
009A1C6A 85C0 TEST EAX,EAX
009A1C6C 75 13 JNZ SHORT 009A1C81
009A1C6E 813D A47A9A00 0>CMP DWORD PTR DS:[9A7AA4],400000 ; ASCII "MZP"
009A1C78 75 07 JNZ SHORT 009A1C81
009A1C7A A1 A47A9A00 MOV EAX,DWORD PTR DS:[9A7AA4] ; shortly after here it returns to the real OEP
---
Guessed OEP code (Delphi)
push ebp
mov ebp,esp
add esp,-0c
mov eax,4203f8
---
Code at the OEP after patching:
0042CA53 > $ 55 PUSH EBP
0042CA54 . 8BEC MOV EBP,ESP
0042CA56 . 83C4 F4 ADD ESP,-0C
0042CA59 . B8 44C94200 MOV EAX,ADUMP-~4.0042C944
0042CA5E . 90 NOP ; // actually the OEP should be at 42CA54, since there is one extra byte here, but this works too
0042CA5F . E8 AC46FDFF CALL ADUMP-~4.00401110
0042CA64 . E8 EB18FEFF CALL ADUMP-~4.0040E354 // the packed program returns here
0042CA69 . E8 9E45FDFF CALL ADUMP-~4.0040100C
0042CA6E . 8BC0 MOV EAX,EAX
0042CA70 . 0000 ADD BYTE PTR DS:[EAX],AL
0042CA72 . 0000 ADD BYTE PTR DS:[EAX],AL
====
0042E8B1 8B00 MOV EAX,DWORD PTR DS:[EAX] ; this is the encrypted code
0042E8B3 EB 02 JMP SHORT ADUMP-~4.0042E8B7 ; this is the patched instruction, because an illegal instruction would be raised here
0042E8B5 8F00 POP DWORD PTR DS:[EAX]
0042E8B7 FFE3 JMP EBX
0042E8B9 8D40 00 LEA EAX,DWORD PTR DS:[EAX]
/// this exception
===
0042C744 . E8 17CCFEFF CALL ADUMP-~4.00419360
0042C749 . EB 03 JMP SHORT ADUMP-~4.0042C74E ; exception here, just jump over it.
0042C74B 90 NOP
0042C74C 90 NOP
0042C74D 90 NOP
0042C74E > 84C0 TEST AL,AL
0042C750 . 0F84 8C010000 JE ADUMP-~4.0042C8E2
0042C756 . A1 44EE4200 MOV EAX,DWORD PTR DS:[42EE44]
0042C75B . 8B00 MOV EAX,DWORD PTR DS:[EAX]
The dumped program now runs, but I do not know whether it is safe; this is only under XP.
But clicking ABOUT causes the screen to flicker.
***********