【Title】: Unpacking the MoleBox-packed EdrLib sample
【Author】: CCDebuger
【Author's note】: Written purely out of interest, with no other purpose. Corrections from the experts are welcome wherever I have slipped up!
--------------------------------------------------------------------------------
【Walkthrough】
I wrote this after seeing this request for help from 初级菜鸟:
http://bbs.pediy.com/showthread.php?t=44385
I have taken the file he provided and used it as an example; starting a new thread makes it easier to find. There is nothing technically deep in this article; it only spells out the steps so that beginners can follow them. The packed file, the unpacked file and this article are all in the attachment for anyone who wants to download and look. Now to the main topic.
Unpacking the main program:
1. BP VirtualProtect. After it breaks twice, press Alt+F9 to return to the program:
The stack then shows content like this:
2. Right-click the line 0012FE54 00407784 ASCII ".data" and choose "Follow in Dump". You can see the names and attributes of each section of the original program as it was before packing.
3. Once you have reached the point described above, do not close OD; leave everything as it is, dump the main program directly, and repair it using the section information you found as a reference.
The bundled file:
1. Back in OD, search for the instruction sequence:
Two matches will be found; we go to the second one:
Set a breakpoint at address 0041040E and press F9 to break there:
Look at the information window:
Yours may differ from mine; just note that [003E2680] is [ECX]. Follow 003E2680 in the dump window, scroll up a little, and you will see the following:
003E2520 C1 00 03 00 A6 01 08 00 4D 5A 90 00 03 00 00 00 ........MZ......
003E2530 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 ................
003E2540 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 @...............
003E2550 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
003E2560 00 00 00 00 D8 00 00 00 0E 1F BA 0E 00 B4 09 CD ................
003E2570 21 B8 01 4C CD 21 54 68 69 73 20 70 72 6F 67 72 !..L.!This progr
003E2580 61 6D 20 63 61 6E 6E 6F 74 20 62 65 20 72 75 6E am cannot be run
003E2590 20 69 6E 20 44 4F 53 20 6D 6F 64 65 2E 0D 0D 0A  in DOS mode....
003E25A0 24 00 00 00 00 00 00 00 D4 CA 64 C8 90 AB 0A 9B $.........d.....
003E25B0 90 AB 0A 9B 90 AB 0A 9B 78 B4 01 9B 91 AB 0A 9B ........x.......
003E25C0 13 B7 04 9B 99 AB 0A 9B F2 B4 19 9B 95 AB 0A 9B ................
003E25D0 90 AB 0B 9B A7 AB 0A 9B 78 B4 00 9B 87 AB 0A 9B ........x.......
003E25E0 78 B4 0E 9B 91 AB 0A 9B 52 69 63 68 90 AB 0A 9B x.......Rich....
003E25F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
003E2600 50 45 00 00 4C 01 04 00 47 08 C7 3D 00 00 00 00 PE..L...G..=....
003E2610 00 00 00 00 E0 00 0E 21 0B 01 06 00 00 00 00 00 .......!........
003E2620 00 00 00 00 00 00 00 00 C9 11 00 00 00 10 00 00 ................
003E2630 00 40 00 00 00 00 40 00 00 10 00 00 00 10 00 00 .@....@.........
003E2640 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 ................
003E2650 00 70 00 00 00 06 00 00 00 00 00 00 02 00 00 00 .p..............
003E2660 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 ................
003E2670 00 00 00 00 10 00 00 00 A0 48 00 00 6D 00 00 00 .........H..m...
003E2680 2C 44 00 00 3C 00 00 00 00 00 00 00 00 00 00 00 ,D..<...........
003E2690 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
003E26A0 00 60 00 00 B0 03 00 00 00 00 00 00 00 00 00 00 .`..............
003E26B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
003E26C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
003E26D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
003E26E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
003E26F0 00 00 00 00 00 00 00 00 2E 74 65 78 74 00 00 00 .........text...
003E2700 96 2B 00 00 00 10 00 00 00 30 00 00 00 10 00 00 .+.......0......
003E2710 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 ............ ..`
003E2720 2E 72 64 61 74 61 00 00 0D 09 00 00 00 40 00 00 .rdata.......@..
003E2730 00 10 00 00 00 40 00 00 00 00 00 00 00 00 00 00 .....@..........
003E2740 00 00 00 00 40 00 00 40 2E 64 61 74 61 00 00 00 ....@..@.data...
003E2750 E0 08 00 00 00 50 00 00 00 10 00 00 00 50 00 00 .....P.......P..
003E2760 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 ............@...
003E2770 2E 72 65 6C 6F 63 00 00 9C 04 00 00 00 60 00 00 .reloc.......`..
003E2780 00 10 00 00 00 60 00 00 00 00 00 00 00 00 00 00 .....`..........
003E2790 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 ....@..B........
003E27A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
003E27B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
003E27C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Dump starting from that MZ. You can use the region dump feature of PE Tools; for the dump pasted above, enter 003E2528 as the region dump address and 1000 as the size. What you save here is the original PE header.
2. Now delete the earlier breakpoint and BP CreateFileA. It will break; look at the stack:
This is where EdrLib.dll is created. Follow the line at 0012FC3C in the dump window and use binary edit to change "MBX@F44@3E2510.###" to "EdrLib.dll", padding the remaining bytes with zeros.
3. When that is done, BP GetModuleHandleA. Once it breaks, you can dump this EdrLib.dll.
4. Use the "remove section from file" function of PE Tools to delete the last section, "_BOX_", of the dumped EdrLib.dll.
5. Open the dumped EdrLib.dll in a hex editor, overwrite it from file offset 0 with the PE header saved earlier, and save.
6. Correct the image base of the dumped DLL to the base address at which OD loaded this EdrLib.dll, otherwise relocations may be applied incorrectly. Based on what I saw in OD, I set the base to 00A30000.
7. Finally, check each section of this DLL with a PE tool to see whether any offset or size is wrong; if none is, you are done. For this sample program no correction was needed here.
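As an added example (not part of the original post, and not code from PE Tools or OllyDbg), the following Python script does in code what steps 1, 6 and 7 above do by hand, and also covers the section-table lookup from the main-program part: it rebuilds the bytes of the dump window quoted above, parses the original PE header starting at the MZ signature (003E2528), lists the section table, checks section offsets and sizes the way step 7 does, and patches ImageBase to the 00A30000 of step 6. The hex bytes are copied from the post's dump; the check that raw file offsets equal RVAs is my addition, since this header was taken from memory and the dumped file only maps correctly when the two agree (which they do here because FileAlignment equals SectionAlignment, 0x1000).

```python
import struct

DUMP_BASE = 0x003E2520        # address of the first dump line quoted above
MZ_ADDR = 0x003E2528          # address the post dumps the header from
NEW_IMAGE_BASE = 0x00A30000   # base OD loaded EdrLib.dll at, per step 6
Z = "00" * 16                 # one all-zero 16-byte dump line

# Hex bytes copied from the post's dump window, two 16-byte lines per entry.
DUMP_HEX = "".join([
    "C1000300A60108004D5A90000300000004000000FFFF0000B800000000000000",  # 003E2520
    "40000000000000000000000000000000" + Z,                              # 003E2540
    "00000000D80000000E1FBA0E00B409CD21B8014CCD21546869732070726F6772",  # 003E2560
    "616D2063616E6E6F742062652072756E20696E20444F53206D6F64652E0D0D0A",  # 003E2580
    "2400000000000000D4CA64C890AB0A9B90AB0A9B90AB0A9B78B4019B91AB0A9B",  # 003E25A0
    "13B7049B99AB0A9BF2B4199B95AB0A9B90AB0B9BA7AB0A9B78B4009B87AB0A9B",  # 003E25C0
    "78B40E9B91AB0A9B5269636890AB0A9B" + Z,                              # 003E25E0
    "504500004C0104004708C73D0000000000000000E0000E210B01060000000000",  # 003E2600
    "0000000000000000C91100000010000000400000000040000010000000100000",  # 003E2620
    "0400000000000000040000000000000000700000000600000000000002000000",  # 003E2640
    "000010000010000000001000001000000000000010000000A04800006D000000",  # 003E2660
    "2C4400003C0000000000000000000000" + Z,                              # 003E2680
    "00600000B00300000000000000000000" + Z,                              # 003E26A0
    Z + Z,                                                              # 003E26C0
    Z + "00000000000000002E74657874000000",                              # 003E26E0
    "962B000000100000003000000010000000000000000000000000000020000060",  # 003E2700
    "2E726461746100000D0900000040000000100000004000000000000000000000",  # 003E2720
    "00000000400000402E64617461000000E0080000005000000010000000500000",  # 003E2740
    "000000000000000000000000400000C02E72656C6F6300009C04000000600000",  # 003E2760
    "0010000000600000000000000000000000000000400000420000000000000000",  # 003E2780
])

def original_header():
    """Bytes from the MZ signature to the end of the quoted dump (what step 1 saves)."""
    return bytes.fromhex(DUMP_HEX)[MZ_ADDR - DUMP_BASE:]

def parse_pe(image):
    """Parse DOS/NT headers and section table of a PE32 image laid out as in memory.
    Sections are (name, vsize, va, raw_size, raw_ptr, characteristics)."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, e_lfanew + 4)
    opt = e_lfanew + 24                      # IMAGE_OPTIONAL_HEADER32 follows the COFF header
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("not a PE32 optional header")
    image_base, sect_align, file_align = struct.unpack_from("<III", image, opt + 28)
    size_of_image, size_of_headers = struct.unpack_from("<II", image, opt + 56)
    sections = []
    for i in range(nsect):                   # 40-byte IMAGE_SECTION_HEADER entries
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", image, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), vsize, va, raw_size, raw_ptr, chars))
    return {"e_lfanew": e_lfanew, "machine": machine, "image_base": image_base,
            "section_alignment": sect_align, "file_alignment": file_align,
            "size_of_image": size_of_image, "size_of_headers": size_of_headers,
            "sections": sections}

def check_sections(hdr):
    """Step 7 in code: list of offset/size problems (empty means the table is OK).
    The raw_ptr == va check is specific to the post's method: the header came
    from memory, so it only fits a dump whose file offsets equal the RVAs."""
    sa, fa = hdr["section_alignment"], hdr["file_alignment"]
    align_up = lambda x, a: (x + a - 1) // a * a
    problems = []
    expect_va = align_up(hdr["size_of_headers"], sa)   # first section starts after headers
    for name, vsize, va, raw_size, raw_ptr, _ in hdr["sections"]:
        if va % sa or raw_ptr % fa or raw_size % fa:
            problems.append(f"{name}: unaligned VA, raw offset or raw size")
        if va != expect_va:
            problems.append(f"{name}: VA {va:#x} leaves a gap or overlap (expected {expect_va:#x})")
        if raw_ptr != va:
            problems.append(f"{name}: raw offset {raw_ptr:#x} != VA {va:#x}, memory dump will not map")
        if raw_size > align_up(vsize, sa):
            problems.append(f"{name}: raw size {raw_size:#x} spills into the next section")
        expect_va = va + align_up(vsize, sa)
    if expect_va != hdr["size_of_image"]:
        problems.append(f"SizeOfImage {hdr['size_of_image']:#x} != end of last section {expect_va:#x}")
    return problems

def rebase(image, new_base):
    """Step 6 in code: a copy of the image with ImageBase set to new_base."""
    hdr = parse_pe(image)                    # validates the signatures first
    patched = bytearray(image)
    struct.pack_into("<I", patched, hdr["e_lfanew"] + 24 + 28, new_base)
    return bytes(patched)

if __name__ == "__main__":
    hdr = parse_pe(original_header())
    print(f"ImageBase {hdr['image_base']:#x}, SizeOfImage {hdr['size_of_image']:#x}")
    for name, vsize, va, raw_size, raw_ptr, chars in hdr["sections"]:
        print(f"  {name:7} VA {va:#07x} vsize {vsize:#06x} raw {raw_ptr:#07x}+{raw_size:#06x} {chars:#010x}")
    print("problems:", check_sections(hdr) or "none")
    print(f"rebased ImageBase {parse_pe(rebase(original_header(), NEW_IMAGE_BASE))['image_base']:#x}")
```

To run the same checks on the real dumped EdrLib.dll, read the file's bytes and pass them to parse_pe(), check_sections() and rebase() in place of original_header(); the offsets used (e_lfanew at 0x3C, ImageBase at optional header offset 28) are the standard PE32 layout, and the script reports the section table, any of the offset or size errors step 7 looks for, and the ImageBase after the step 6 correction.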
--------------------------------------------------------------------------------
【Copyright notice】: This article is purely for technical exchange. When reposting, please credit the author and keep the article intact. Thanks!