Unpacking Advanced Email Extractor PRO
Advanced Email Extractor PRO
http://www.mailutilities.com/aee/aeepro.zip
First, a word about Asprotect's anti-tracing code. SEH (Structured Exception Handling) is, of course, the fashionable trick these days.
Exception Handler:
016F:00E6097B MOV EAX,[ESP+0C]
;EAX points to the CONTEXT record
016F:00E6097F ADD DWORD [EAX+B8],BYTE +02
;[EAX+B8] is the faulting address (EIP); adding 2 lands on the instruction after XOR [EAX],EAX
016F:00E60986 PUSH ECX
016F:00E60987 XOR ECX,ECX
016F:00E60989 MOV [EAX+04],ECX
;clear dr0, i.e. wipe the hardware breakpoint; heh, with SuperBPM we needn't worry
016F:00E6098C MOV [EAX+08],ECX
;clear dr1
016F:00E6098F MOV [EAX+0C],ECX
;clear dr2
016F:00E60992 MOV [EAX+10],ECX
;clear dr3
016F:00E60995 MOV DWORD [EAX+18],0155
;clear the global breakpoint enable flags (dr7)
016F:00E6099C POP ECX
016F:00E6099D XOR EAX,EAX
;eax=0 (ExceptionContinueExecution): reload the context and continue execution
016F:00E6099F RET
016F:00E609A0 XOR EAX,EAX
016F:00E609A2 PUSH DWORD [FS:EAX]
016F:00E609A5 MOV [FS:EAX],ESP
016F:00E609A8 XOR [EAX],EAX
;raise the exception; this instruction is two bytes long
016F:00E609AA POP DWORD `DOSMGR_BackFill_Allowed`
;execution resumes here
016F:00E609B1 POP EAX
OK, load AeePro.exe:
bpx getprocaddress
g
F12
bd *
F12
F8
F12
F8
You arrive at:
016F:00E616E8 PUSH EBP
016F:00E616E9 MOV EBP,ESP
016F:00E616EB ADD ESP,BYTE -0C
016F:00E616EE CALL 00E53130
016F:00E616F3 JNZ NEAR 00E53E0C
016F:00E616F9 CALL 00E542C8
016F:00E616FE CALL 00E58A88
016F:00E61703 CALL 00E5941C
016F:00E61708 CALL 00E5BF00
016F:00E6170D CALL 00E53E0C ;<-- set a breakpoint here, then F8 to step into it
016F:00E61712 MOV ESP,EBP ;<-- it never returns here
016F:00E61714 POP EBP
016F:00E61715 RET 0C
After stepping into the CALL 00E53E0C above with F8, keep single-stepping with F8, taking care with those exceptions of course.
Not far along you arrive at:
016F:00E602F7 CALL 00E60336
016F:00E602FC PUSH DWORD 00E60305
016F:00E60301 INC DWORD [ESP]
016F:00E60304 RET
016F:00E60336 XOR EAX,EAX
016F:00E60338 JMP SHORT 00E6033C
016F:00E6033A INT 20
016F:00E6033C PUSH DWORD [FS:EAX]
016F:00E6033F JMP SHORT 00E60342 ;jumps below
016F:00E60342 MOV [FS:EAX],ESP
016F:00E60345 XOR [EAX],EAX ;raise exception
016F:00E60347 JMP SHORT 00E6034A ;the exception handler continues execution here; move the cursor here and press F7
You arrive at:
016F:00E60355 POP EAX
016F:00E60356 PUSH DWORD 00E5E0EC ;<-- set a breakpoint: bpx 00E5E0EC
016F:00E6035B PUSH DWORD 00E6043C ;g
016F:00E60360 PUSH DWORD 00E5FAD8
016F:00E60365 PUSH DWORD 00E5F788
016F:00E6036A PUSH DWORD 00E5F15C
016F:00E6036F PUSH DWORD 00E5EC04
016F:00E60374 PUSH DWORD 00E5FE90
016F:00E60379 RET
Once you reach 00E5E0EC, press F12, then F8, and you arrive at:
016F:00E60DDC PUSH DWORD E6B8DCDB
016F:00E60DE1 PUSH DWORD 2364
016F:00E60DE6 PUSH DWORD EA74
016F:00E60DEB PUSH DWORD 00016000
016F:00E60DF0 PUSH DWORD [00E63014]
016F:00E60DF6 CALL 00E60DFC
;this code self-checks the code that has already executed; it is not this call but the code after it, which is hidden by junk instructions
016F:00E60DFB ADD DWORD [EBX+78E804C4],E8FFFFBB
;should really be the CALL 00E5C97C at 00E60DFF
016F:00E60E05 ADD [EAX],EAX
;if you patched the earlier code, things go wrong from here on
016F:00E60E07 ADD [EAX],AL
016F:00E60E09 ADD DWORD [EBX+043104C4],0001E824
016F:00E60E13 ADD [EAX],AL
016F:00E60E15 PUSH DWORD 8B04C483
016F:00E60E1A ADD EAX,00E63014
016F:00E60E1F CALL 00E60E26 ;<-- set a breakpoint here and F8 into it
016F:00E60E24 CALL 05AA9191
016F:00E60E29 ADD [ESP],EAX
016F:00E60E2C RET
After stepping into 00E60E26, a few more presses of F8; after the ret you arrive at:
016F:00E5FE78 MOV EAX,00E639C4
016F:00E5FE7D MOV EDX,0A
016F:00E5FE82 CALL 00E5C288
016F:00E5FE87 CALL 00E5FC9C
016F:00E5FE8C RET
Looking upward you see: (logically you ought to step into the CALL 00E5FC9C above .... and there is still a big pile of it!!! I won't write any more; work it out yourself)
016F:00E5FE62 CMP DWORD [EAX],BYTE +00
016F:00E5FE65 JZ 00E5FE69
016F:00E5FE67 PUSH DWORD [EAX]
016F:00E5FE69 PUSH DWORD [EBP-10]
016F:00E5FE6C JMP NEAR [EBP-14] ;after jumping to [EBP-14] you are not far from the OEP; there is a pile of "junk code" there, the rest is up to you!
Finally you arrive at:
016F:00E76155 JC 00E7611A
016F:00E76157 POP EBX
016F:00E76158 POP EAX
016F:00E76159 ADD EAX,76B922D4
016F:00E7615E POP ESP
016F:00E7615F ADD EAX,EBX
016F:00E76161 MOV [ESP+1C],EAX
016F:00E76165 POPA
016F:00E76166 JMP EAX
;jump to the OEP
;-----------------------------------------------------------------------------------
Now let's look at restoring the original program and rebuilding the Import Table (if you have no manual unpacking experience, don't read on; it's a long section!)
016F:00E5F1F0 JMP SHORT 00E5F25C
016F:00E5F1F2 CALL 00E52568
016F:00E5F1F7 MOV ESI,EAX
016F:00E5F1F9 MOV EAX,[EBX] ;[EBX] is the section RVA
016F:00E5F1FB ADD EAX,[EBP-14] ;[EBP-14] is the ImageBase
016F:00E5F1FE MOV [EBP-04],EAX
016F:00E5F201 MOV ECX,[EBX+04] ;[EBX+04] is the section size
016F:00E5F204 MOV EDX,ESI
016F:00E5F206 MOV EAX,[EBP-04]
016F:00E5F209 CALL 00E5ED00 ;restore the section
016F:00E5F20E MOV EDI,EAX
016F:00E5F210 CMP EDI,[EBX+04]
016F:00E5F213 JZ 00E5F21F ;jump if the restore succeeded?
016F:00E5F215 MOV EAX,00E5F2E0
016F:00E5F21A CALL 00E5EB18
016F:00E5F21F CMP BYTE [EBP-05],00
016F:00E5F223 JNZ 00E5F243
016F:00E5F225 MOV BYTE [EBP-05],01
016F:00E5F229 PUSH ESI
016F:00E5F22A MOV ESI,[EBP-04]
016F:00E5F22D ADD ESI,BYTE +14
016F:00E5F230 PUSH DWORD [ESI]
016F:00E5F232 MOV BYTE [ESI],C3
016F:00E5F235 CALL ESI
016F:00E5F237 POP DWORD [ESI]
016F:00E5F239 POP ESI
016F:00E5F23A MOV EDX,EDI
016F:00E5F23C MOV EAX,ESI
016F:00E5F23E CALL 00E5ED20
016F:00E5F243 MOV ECX,EDI
016F:00E5F245 MOV EDX,ESI
016F:00E5F247 MOV EAX,[EBP-04]
016F:00E5F24A CALL 00E5449C ;copy the restored data into the original program's space
016F:00E5F24F MOV EDX,[EBX+04]
016F:00E5F252 MOV EAX,ESI
016F:00E5F254 CALL 00E52580
016F:00E5F259 ADD EBX,BYTE +0C
016F:00E5F25C MOV EAX,[EBX+04] ;eax = next section size
016F:00E5F25F TEST EAX,EAX
016F:00E5F261 JG 00E5F1F2 ;jump back if not every section has been restored yet
016F:00E5F263 CMP DWORD [EBP-0C],BYTE +00
016F:00E5F267 JZ 00E5F271
016F:00E5F269 MOV EAX,[EBP-0C]
016F:00E5F26C MOV EDX,[EBP-10]
016F:00E5F26F MOV [EAX],EDX
016F:00E5F271 CALL 00E5F2B0
016F:00E5F276 PUSH DWORD 00E5F27F
016F:00E5F27B INC DWORD [ESP]
016F:00E5F27E RET
;-----------------------------------------------------------------------------------
;===================================================================================
Import Table redirection
016F:00E5F962 PUSHA
016F:00E5F963 CLD
016F:00E5F964 MOV ESI,[EBP-04]
016F:00E5F967 LODSD
016F:00E5F968 OR EAX,EAX
016F:00E5F96A JZ 00E5F9B6
;all DLLs processed? if so, jump
016F:00E5F96C MOV EDI,EAX
;EAX --> next IAT RVA
016F:00E5F96E ADD EDI,[00E63560] ;[00E63560] --> ImageBase
016F:00E5F974 MOV [EBP-08],EDI ;EDI points to this DLL's first IAT entry
016F:00E5F977 MOV EBX,ESI
;ESI points to the DLL name
016F:00E5F979 XOR ECX,ECX
016F:00E5F97B DEC ECX
016F:00E5F97C XCHG EDI,ESI
016F:00E5F97E XOR AL,AL
016F:00E5F980 REPNE SCASB
016F:00E5F982 XCHG EDI,ESI
016F:00E5F984 LODSB
016F:00E5F985 CMP AL,00
016F:00E5F988 JZ 00E5F967 ;finished with this DLL?
016F:00E5F98A CMP AL,06
;special import function? e.g. GetVersion; they are listed below
016F:00E5F98D JNZ 00E5F995 ;jump if not (I originally wanted to change this into a jmp, thinking I would then get a complete IAT, but on closer inspection the special import function's name is not stored at all!)
016F:00E5F98F ADD DWORD [EBP-08],BYTE +04 ;a special import function is skipped and not processed; how these are handled is explained later
016F:00E5F993 JMP SHORT 00E5F984
016F:00E5F995 PUSH EBX
;<-- DLL name
016F:00E5F996 PUSH ESI
;<-- encrypted function name
016F:00E5F997 PUSH EBX
016F:00E5F998 LEA EBX,[EBP-08] ;<-- IAT
016F:00E5F99B PUSH EBX
016F:00E5F99C CMP AL,02
;import function by name or by ordinal?
016F:00E5F99F JZ 00E5F9A7
016F:00E5F9A1 MOVZX ECX,BYTE [ESI]
016F:00E5F9A4 INC ECX
016F:00E5F9A5 JMP SHORT 00E5F9AC
016F:00E5F9A7 MOV ECX,04
016F:00E5F9AC ADD ESI,ECX ;esi --> end of the encrypted function name (import by name) or of the ordinal (import by ordinal)
016F:00E5F9AE CALL 00E5F674 ;<-- see 00E5F674 below
016F:00E5F9B3 POP EBX
016F:00E5F9B4 JMP SHORT 00E5F984
016F:00E5F9B6 POPA
016F:00E5F9B7 CALL 00E5F9F6
016F:00E5F9BC PUSH DWORD 00E5F9C5
016F:00E5F9C1 INC DWORD [ESP]
016F:00E5F9C4 RET
The function that calls GetProcAddress and generates the redirection code:
016F:00E5F674 PUSH EBP
016F:00E5F675 MOV EBP,ESP
016F:00E5F677 ADD ESP,FFFFFEFC
016F:00E5F67D PUSH EBX
016F:00E5F67E PUSH ESI
016F:00E5F67F PUSH EDI
016F:00E5F680 MOV ESI,[EBP+10]
016F:00E5F683 MOV EDI,[EBP+08]
016F:00E5F686 MOV EAX,ESI
016F:00E5F688 DEC EAX
016F:00E5F689 XOR EBX,EBX
016F:00E5F68B MOV BL,[EAX]
016F:00E5F68D LEA EAX,[EBP+FFFFFEFF]
016F:00E5F693 XOR ECX,ECX
016F:00E5F695 MOV EDX,0100
016F:00E5F69A CALL 00E52768 ;<-- zero the buffer eax points to
016F:00E5F69F MOV EAX,EBX
016F:00E5F6A1 DEC EAX
016F:00E5F6A2 SUB EAX,BYTE +02
016F:00E5F6A5 JC 00E5F700
016F:00E5F6A7 JZ NEAR 00E5F772
016F:00E5F6AD DEC EAX
016F:00E5F6AE JZ 00E5F700
016F:00E5F6B0 DEC EAX
016F:00E5F6B1 JNZ NEAR 00E5F77B
016F:00E5F6B7 MOV AL,[ESI]
016F:00E5F6B9 MOV [EBP-01],AL
016F:00E5F6BC INC ESI
016F:00E5F6BD XOR EBX,EBX
016F:00E5F6BF MOV BL,[EBP-01]
016F:00E5F6C2 MOV ECX,EBX
016F:00E5F6C4 LEA EAX,[EBP+FFFFFEFF]
016F:00E5F6CA MOV EDX,ESI
016F:00E5F6CC CALL 00E5449C ;<-- copy the encrypted function name into the buffer eax points to
016F:00E5F6D1 PUSH BYTE +0A
016F:00E5F6D3 MOV ECX,00E639BA
016F:00E5F6D8 MOV EDX,EBX
016F:00E5F6DA LEA EAX,[EBP+FFFFFEFF]
016F:00E5F6E0 CALL 00E5C3E0
;<-- decrypt the import function name
016F:00E5F6E5 LEA ESI,[EBP+FFFFFEFF] ;<-- esi points to the import function name
016F:00E5F6EB PUSH ESI
016F:00E5F6EC MOV EAX,[EBP+0C]
;<-- eax points to the dll name
016F:00E5F6EF PUSH EAX
016F:00E5F6F0 CALL 00E5F30C
;<-- GetProcAddress by name; the address is returned in eax
016F:00E5F6F5 CALL 00E5F578
;<-- (explained below) generates, in the buffer it returns in eax, code that jumps to the import function?
;this call can be nop'ed out and EAX stored directly into [EDX];
;then the only thing left to rebuild in the import table is the special import functions
;(of course Import REConstructor v1.2 can already rebuild this import table, so there is no need for the trouble)
;if you really do patch this code, restore it once all DLLs have been processed, because there is a self-check later
016F:00E5F6FA MOV EDX,[EDI]
016F:00E5F6FC MOV [EDX],EAX
;<-- redirect the IAT entry?
016F:00E5F6FE JMP SHORT 00E5F77B
;<-- done
016F:00E5F700 CMP EBX,BYTE +01
;encrypted function name?
016F:00E5F703 JZ 00E5F70A
016F:00E5F705 CMP EBX,BYTE +04
;import function by ordinal?
016F:00E5F708 JNZ 00E5F741
016F:00E5F70A MOV AL,[ESI]
016F:00E5F70C MOV [EBP-01],AL
016F:00E5F70F INC ESI
016F:00E5F710 XOR ECX,ECX
016F:00E5F712 MOV CL,[EBP-01]
016F:00E5F715 LEA EAX,[EBP+FFFFFEFF]
016F:00E5F71B MOV EDX,ESI
016F:00E5F71D CALL 00E5449C
;copy the encrypted function name to [eax]
016F:00E5F722 PUSH BYTE +0A
016F:00E5F724 MOV ECX,00E639B0
016F:00E5F729 XOR EDX,EDX
016F:00E5F72B MOV DL,[EBP-01]
016F:00E5F72E LEA EAX,[EBP+FFFFFEFF]
016F:00E5F734 CALL 00E5C3E0
;decrypt the function name
016F:00E5F739 LEA ESI,[EBP+FFFFFEFF]
016F:00E5F73F JMP SHORT 00E5F743
016F:00E5F741 MOV ESI,[ESI]
016F:00E5F743 CMP EBX,BYTE +04
016F:00E5F746 JNZ 00E5F762
016F:00E5F748 PUSH ESI
;<-- is the import function name GetProcAddress?
016F:00E5F749 MOV EAX,[EBP+0C]
016F:00E5F74C PUSH EAX
016F:00E5F74D CALL 00E5F30C
016F:00E5F752 MOV [00E6355C],EAX
016F:00E5F757 MOV EAX,00E5C490
;<-- look at the code at 00E5C490 yourself; it should be GetProcAddress
016F:00E5F75C MOV EDX,[EDI]
016F:00E5F75E MOV [EDX],EAX
016F:00E5F760 JMP SHORT 00E5F77B
016F:00E5F762 PUSH ESI
;<-- esi points to the import function name, or esi is the import ordinal
016F:00E5F763 MOV EAX,[EBP+0C]
016F:00E5F766 PUSH EAX
;<-- eax points to the dll name
016F:00E5F767 CALL 00E5F30C ;<-- GetProcAddress by ordinal; the address is returned in eax
016F:00E5F76C MOV EDX,[EDI]
016F:00E5F76E MOV [EDX],EAX
016F:00E5F770 JMP SHORT 00E5F77B
016F:00E5F772 MOV EAX,00E5C468
016F:00E5F777 MOV EDX,[EDI]
016F:00E5F779 MOV [EDX],EAX
016F:00E5F77B ADD DWORD [EDI],BYTE +04
016F:00E5F77E POP EDI
016F:00E5F77F POP ESI
016F:00E5F780 POP EBX
016F:00E5F781 MOV ESP,EBP
016F:00E5F783 POP EBP
016F:00E5F784 RET 0C
Generating the code that jumps to the real import function address:
016F:00E5F578 PUSH EBX
016F:00E5F579 PUSH ESI
016F:00E5F57A PUSH EDI
016F:00E5F57B PUSH EBP
016F:00E5F57C ADD ESP,BYTE -10
016F:00E5F57F MOV [ESP],EAX
016F:00E5F582 MOV EAX,C8
016F:00E5F587 CALL 00E52568
016F:00E5F58C MOV [ESP+04],EAX
016F:00E5F590 MOV EAX,[ESP+04]
016F:00E5F594 MOV [ESP+08],EAX
016F:00E5F598 MOV EBP,[ESP]
016F:00E5F59B CALL 00E5F524
016F:00E5F5A0 MOV EBX,EAX
016F:00E5F5A2 MOV BYTE [ESP+0C],00
016F:00E5F5A7 MOVZX ESI,BYTE [EBX]
016F:00E5F5AA LEA EAX,[EBX+01]
016F:00E5F5AD MOVZX EDI,BYTE [EAX]
016F:00E5F5B0 LEA EDX,[EBX+02]
016F:00E5F5B3 MOV ECX,ESI
016F:00E5F5B5 MOV EAX,EBP
016F:00E5F5B7 CALL 00E5BF44
016F:00E5F5BC TEST AL,AL
016F:00E5F5BE JZ 00E5F5D8
016F:00E5F5C0 MOV ECX,EDI
016F:00E5F5C2 MOV EDX,EBP
016F:00E5F5C4 MOV EAX,[ESP+08]
016F:00E5F5C8 CALL 00E5449C
016F:00E5F5CD ADD [ESP+08],EDI
016F:00E5F5D1 ADD EBP,EDI
016F:00E5F5D3 MOV BYTE [ESP+0C],01
016F:00E5F5D8 ADD ESI,BYTE +02
016F:00E5F5DB ADD EBX,ESI
016F:00E5F5DD CMP BYTE [ESP+0C],00
016F:00E5F5E2 JNZ 00E5F5E9
016F:00E5F5E4 CMP BYTE [EBX],00
016F:00E5F5E7 JNZ 00E5F5A7
016F:00E5F5E9 CMP BYTE [ESP+0C],00
016F:00E5F5EE JNZ 00E5F59B
016F:00E5F5F0 CALL 00E52698
016F:00E5F5F5 MOV ESI,[ESP+08]
016F:00E5F5F9 SUB ESI,[ESP+04]
016F:00E5F5FD LEA EAX,[ESI+06]
016F:00E5F600 CALL 00E52568
016F:00E5F605 MOV EBX,EAX
016F:00E5F607 MOV ECX,ESI
016F:00E5F609 MOV EDI,[ESP+04]
016F:00E5F60D MOV EDX,EDI
016F:00E5F60F MOV EAX,EBX
016F:00E5F611 CALL 00E5449C
016F:00E5F616 MOV EBP,EBX
016F:00E5F618 ADD EBP,ESI
016F:00E5F61A MOV [ESP+08],EBP
016F:00E5F61E MOV EAX,02
016F:00E5F623 CALL 00E52788
016F:00E5F628 SUB EAX,BYTE +01
016F:00E5F62B JNC 00E5F647
016F:00E5F62D MOV EAX,[ESP+08]
016F:00E5F631 MOV BYTE [EAX],E9 ;<-- opcode of jmp; I won't go through the part above
016F:00E5F634 ADD EBP,BYTE +05
016F:00E5F637 MOV EAX,[ESP]
016F:00E5F63A SUB EAX,EBP
016F:00E5F63C ADD ESI,EAX
016F:00E5F63E MOV EAX,[ESP+08]
016F:00E5F642 INC EAX
016F:00E5F643 MOV [EAX],ESI
016F:00E5F645 JMP SHORT 00E5F662
016F:00E5F647 MOV EAX,[ESP+08] ;[ESP+08] is the start address of the code being written
016F:00E5F64B MOV BYTE [EAX],68 ;<-- opcode of push
016F:00E5F64E ADD ESI,[ESP] ;[ESP] is the real import function address, e.g. [ESP] = BFF72535,
016F:00E5F651 MOV EAX,[ESP+08] ;and ESI is the number of code bytes before the push, e.g. ESI = 1
016F:00E5F655 INC EAX
;eax is the address of the next code byte to write
016F:00E5F656 MOV [EAX],ESI ;example: if ESI = 1 above and [ESP] = BFF72535, then ESI is now BFF72536
016F:00E5F658 MOV EAX,[ESP+08] ;[ESP+08] is the start address of the code being written
016F:00E5F65C ADD EAX,BYTE +05 ;PUSH XXXXXXXX is 5 bytes
016F:00E5F65F MOV BYTE [EAX],C3 ;opcode of ret
016F:00E5F662 MOV EAX,EDI
016F:00E5F664 CALL 00E52580
016F:00E5F669 MOV EAX,EBX
016F:00E5F66B ADD ESP,BYTE +10
016F:00E5F66E POP EBP
016F:00E5F66F POP EDI
016F:00E5F670 POP ESI
016F:00E5F671 POP EBX
016F:00E5F672 RET
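As an added illustration (my own Python, not the packer's code or the author's), here is the trampoline shape the routine above emits, mirrored in a builder, plus the inverse an analyst needs when repairing the IAT of a dump: given a stub's bytes and its address, recover the real API address by undoing the "api + n" offset. The stub addresses, prologue bytes and IAT slots below are constructed sample values; the page's own example ([ESP] = BFF72535, ESI = 1) is the first case exercised.

```python
import struct

# The two trampoline shapes the generator at 00E5F578 produces (this is a
# constructed mirror written for the example, not the packer's own code):
#   <n bytes copied from the API prologue> E9 rel32      -> jmp  api+n
#   <n bytes copied from the API prologue> 68 imm32 C3   -> push api+n / ret
# Either way control lands n bytes into the API, so the real import address
# is always (target - n).

def build_import_stub(api_va, prologue, stub_va, use_jmp):
    """Emit a trampoline for api_va whose first len(prologue) bytes are the
    API's own prologue bytes (the packer copies them; here they are given)."""
    n = len(prologue)
    target = (api_va + n) & 0xFFFFFFFF
    if use_jmp:
        # rel32 is measured from the end of the 5-byte jmp (ADD EBP,5 above)
        rel = (target - (stub_va + n + 5)) & 0xFFFFFFFF
        return prologue + b"\xE9" + struct.pack("<I", rel)
    return prologue + b"\x68" + struct.pack("<I", target) + b"\xC3"

def resolve_import_stub(stub, stub_va):
    """Recover (real_api_va, n) from a trampoline's bytes. `stub` must hold
    exactly the generated bytes, ending in the jmp or in the push/ret."""
    if len(stub) >= 6 and stub[-6] == 0x68 and stub[-1] == 0xC3:
        n = len(stub) - 6
        target = struct.unpack("<I", stub[-5:-1])[0]
    elif len(stub) >= 5 and stub[-5] == 0xE9:
        n = len(stub) - 5
        rel = struct.unpack("<i", stub[-4:])[0]
        target = (stub_va + n + 5 + rel) & 0xFFFFFFFF
    else:
        raise ValueError("not an E9 rel32 or 68 imm32 / C3 trampoline")
    return (target - n) & 0xFFFFFFFF, n

def repair_iat(iat, stubs):
    """Rewrite a redirected IAT: `iat` maps slot VA -> stub VA, `stubs` maps
    stub VA -> stub bytes. Returns slot VA -> real API VA."""
    return {slot: resolve_import_stub(stubs[sva], sva)[0]
            for slot, sva in iat.items()}

if __name__ == "__main__":
    # Constructed sample using the page's numbers: [ESP] = BFF72535, ESI = 1
    stub = build_import_stub(0xBFF72535, b"\x55", 0x00E80000, use_jmp=False)
    print(stub.hex())                                      # 556836 25f7bfc3
    print(hex(resolve_import_stub(stub, 0x00E80000)[0]))   # 0xbff72535
```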
Handling the special import functions:
016F:00E5FA60 PUSHA
016F:00E5FA61 PUSH DWORD 00E621F0
016F:00E5FA66 LEA EAX,[EBP-0C]
016F:00E5FA69 PUSH DWORD [00E63560]
016F:00E5FA6F CALL NEAR [EAX]
;calls 00E71238 below
016F:00E5FA71 POPA
016F:00E71238 CALL 00E7123D
016F:00E7123D POP EBP
016F:00E7123E CLD
016F:00E7123F LEA ESI,[EBP+2F] ;ESI points to the information on the special import functions
016F:00E71242 XOR EAX,EAX
016F:00E71244 LODSB
016F:00E71245 OR AL,AL
016F:00E71247 JZ 00E71265 ;finished?
016F:00E71249 DEC AL
016F:00E7124B SHL EAX,02
016F:00E7124E ADD EAX,[ESP+08] ;[ESP+08] points to the redirect address of the first special import function; I have seen 10 such functions
016F:00E71252 MOV EBX,[EAX] ;EBX is the redirect address of this special import function
016F:00E71254 LODSD
;the code EBX points to looks like: mov eax,[xxxxxxxx] / ret
016F:00E71255 ADD EAX,[ESP+04] ;these are the IAT entries we have to fix by hand
016F:00E71259 MOV [EAX],EBX ;EAX points to the IAT entry
016F:00E7125B XOR EAX,EAX
016F:00E7125D MOV [ESI-04],EAX ;clear
016F:00E71260 MOV [ESI-05],AL ;clear
016F:00E71263 JMP SHORT 00E71244
016F:00E71265 RET 08
The special import functions:
016F:00E5C7D8 PUSH BYTE +00
016F:00E5C7DA CALL `KERNEL32!GetModuleHandleA`
016F:00E5C7DF MOV [00E635D4],EAX
016F:00E5C7E4 CALL `KERNEL32!GetVersion`
016F:00E5C7E9 MOV [00E635D8],EAX
016F:00E5C7EE PUSH DWORD 00E635E4
016F:00E5C7F3 CALL `KERNEL32!GetVersionExA`
016F:00E5C7F8 CALL `KERNEL32!GetCurrentProcess`
016F:00E5C7FD MOV [00E635DC],EAX
016F:00E5C802 CALL `KERNEL32!GetCurrentProcessId`
016F:00E5C807 MOV [00E635E0],EAX
016F:00E5C80C CALL `KERNEL32!GetCommandLineA`
016F:00E5C811 MOV [00E63678],EAX
016F:00E5C816 RET
016F:00E5C817 NOP
016F:00E5C818 PUSH EBP
;<-- the first special import function is KERNEL32!GetModuleHandleA
016F:00E5C819 MOV EBP,ESP
016F:00E5C81B MOV EAX,[EBP+08]
016F:00E5C81E TEST EAX,EAX
016F:00E5C820 JNZ 00E5C829
016F:00E5C822 MOV EAX,[00E63560]
016F:00E5C827 JMP SHORT 00E5C82F
016F:00E5C829 PUSH EAX
016F:00E5C82A CALL `KERNEL32!GetModuleHandleA`
016F:00E5C82F POP EBP
016F:00E5C830 RET 04
016F:00E5C833 NOP
016F:00E5C834 MOV EAX,[00E635D8] ;<-- second: KERNEL32!GetVersion
016F:00E5C839 RET
016F:00E5C83A MOV EAX,EAX
016F:00E5C83C PUSH EBP
;<-- third (I have not yet seen a packed program use this and don't know what it is; if you know, please point it out!)
016F:00E5C83D MOV EBP,ESP
016F:00E5C83F PUSH ESI
016F:00E5C840 PUSH EDI
016F:00E5C841 MOV EAX,[EBP+08]
016F:00E5C844 MOV EDI,EAX
016F:00E5C846 MOV ESI,00E635E4
016F:00E5C84B MOV ECX,25
016F:00E5C850 REP MOVSD
016F:00E5C852 MOV AL,01
016F:00E5C854 POP EDI
016F:00E5C855 POP ESI
016F:00E5C856 POP EBP
016F:00E5C857 RET 04
016F:00E5C85A MOV EAX,EAX
016F:00E5C85C MOV EAX,[00E635DC] ;<-- fourth: GetCurrentProcess
016F:00E5C861 RET
016F:00E5C862 MOV EAX,EAX
016F:00E5C864 MOV EAX,[00E635E0] ;<-- fifth: GetCurrentProcessId
016F:00E5C869 RET
016F:00E5C86A MOV EAX,EAX
016F:00E5C86C MOV EAX,[00E63678] ;<-- sixth: GetCommandLineA
016F:00E5C871 RET
016F:00E5C872 MOV EAX,EAX
016F:00E5C874 PUSH EBP
;<-- seventh: KERNEL32!LockResource
016F:00E5C875 MOV EBP,ESP
016F:00E5C877 POP EBP
016F:00E5C878 RET 04
016F:00E5C87B NOP
016F:00E5C87C PUSH EBP
;<-- eighth: KERNEL32!FreeResource
016F:00E5C87D MOV EBP,ESP
016F:00E5C87F POP EBP
016F:00E5C880 RET 04
016F:00E5C883 NOP
016F:00E5C884 PUSH EBP
;<-- ninth (don't know what this one is either!)
016F:00E5C885 MOV EBP,ESP
016F:00E5C887 MOV EAX,[EBP+0C]
016F:00E5C88A ADD EAX,BYTE +04
016F:00E5C88D MOV EAX,[EAX]
016F:00E5C88F ADD EAX,[EBP+08]
016F:00E5C892 POP EBP
016F:00E5C893 RET 08
016F:00E5C896 MOV EAX,EAX
016F:00E5C898 PUSH EBP
;<-- tenth
016F:00E5C899 MOV EBP,ESP
016F:00E5C89B PUSH EBX
016F:00E5C89C MOV EBX,[EBP+08]
016F:00E5C89F MOV EAX,[EBP+18]
016F:00E5C8A2 PUSH EAX
016F:00E5C8A3 MOV EAX,[EBP+14]
016F:00E5C8A6 PUSH EAX
016F:00E5C8A7 MOV EAX,[EBP+10]
016F:00E5C8AA PUSH EAX
016F:00E5C8AB PUSH BYTE +05
016F:00E5C8AD MOV EAX,[EBP+0C]
016F:00E5C8B0 PUSH EAX
016F:00E5C8B1 PUSH EBX
016F:00E5C8B2 CALL `KERNEL32!FindResourceA`
016F:00E5C8B7 PUSH EAX
016F:00E5C8B8 PUSH EBX
016F:00E5C8B9 CALL `KERNEL32!LoadResource`
016F:00E5C8BE PUSH EAX
016F:00E5C8BF CALL `KERNEL32!LockResource`
016F:00E5C8C4 PUSH EAX
016F:00E5C8C5 PUSH EBX
016F:00E5C8C6 CALL `USER32!DialogBoxIndirectParamA`
016F:00E5C8CB POP EBX
016F:00E5C8CC POP EBP
016F:00E5C8CD RET 14
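To tie the fix-up loop at 00E71244 to the ten stubs just listed, here is an added Python parser (my own, not Asprotect's or the author's code) for the record list that loop consumes: a one-byte 1-based index followed by a dword IAT RVA, terminated by a zero byte. The stub addresses are the entry points read off the listing above and are assumed to be what the 00E621F0 table holds; the sample record bytes and image base are constructed.

```python
import struct

# Names the page assigns to the ten special import stubs, in table order
# (indices 3 and 9 are not identified on the page).
SPECIAL_IMPORT_NAMES = [
    "KERNEL32!GetModuleHandleA", "KERNEL32!GetVersion", "<unidentified #3>",
    "KERNEL32!GetCurrentProcess", "KERNEL32!GetCurrentProcessId",
    "KERNEL32!GetCommandLineA", "KERNEL32!LockResource", "KERNEL32!FreeResource",
    "<unidentified #9>", "USER32!DialogBoxIndirectParamA",
]

# Stub entry points taken from the listing above; assumed to be the dwords
# stored in the redirect table that [ESP+08] points at.
STUB_ADDRS = [0x00E5C818, 0x00E5C834, 0x00E5C83C, 0x00E5C85C, 0x00E5C864,
              0x00E5C86C, 0x00E5C874, 0x00E5C87C, 0x00E5C884, 0x00E5C898]

def parse_special_import_table(table, image_base, stub_addrs=STUB_ADDRS):
    """Walk the records the loop at 00E71244 reads: byte index (1-based,
    0 terminates) then a dword IAT RVA. Returns [(iat_va, stub_va, name)]
    in table order, i.e. the IAT slots that must be fixed by hand."""
    out = []
    pos = 0
    while True:
        idx = table[pos]
        pos += 1
        if idx == 0:                       # JZ 00E71265: end of list
            break
        rva = struct.unpack_from("<I", table, pos)[0]
        pos += 4
        stub_va = stub_addrs[idx - 1]      # DEC AL / SHL EAX,2 / ADD [ESP+08]
        iat_va = (image_base + rva) & 0xFFFFFFFF   # ADD EAX,[ESP+04]
        out.append((iat_va, stub_va, SPECIAL_IMPORT_NAMES[idx - 1]))
    return out

def iat_fixups(entries):
    """Map each affected IAT slot to the API name it must resolve to once
    the stub pointer written by the packer has been replaced."""
    return {iat_va: name for iat_va, _stub_va, name in entries}

# Constructed sample (not from the page): three records and a terminator.
SAMPLE_TABLE = (bytes([1]) + struct.pack("<I", 0x72000)
                + bytes([2]) + struct.pack("<I", 0x72004)
                + bytes([10]) + struct.pack("<I", 0x72010) + b"\x00")

if __name__ == "__main__":
    for iat_va, stub_va, name in parse_special_import_table(SAMPLE_TABLE, 0x00400000):
        print(f"{iat_va:08X} -> stub {stub_va:08X} ({name})")
```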
The most special of these is the tenth, DialogBoxIndirectParamA, but AeePro does not use it. If a program does use it, you can dump that block of code, append it to the unpacked program, and change that IAT entry to point at the address of the code you appended.
I think these ten special functions are the same in 1.2 and 1.3.
Besides the special functions above, we should also pay attention to the APIs Asprotect provides; I have not studied those carefully.
Programs packed with Asprotect that fail to run after unpacking, the cases I know of:
1. The original program calls Asprotect's "export function"; the simplest form is:
push ..
push -1
call GetProcAddress
and checks whether the return value is 0; if it is 0, it errors out or exits (AeePro does this).
2. The original program self-checks the packed program (it's already packed; I really don't know how it checks).
3. Asprotect calls the original program's "initialization" function, so by the time the OEP is reached some global variables are already initialized; after unpacking, running it will very likely fail. The fix is to modify the unpacked program so that it runs that "initialization" function first and then jumps back to the OEP.
4. Then there are things like DialogBoxIndirectParamA.
There are surely others.
Phew, what a long piece! (~!@#$%^&* no throwing fruit peels from the audience :)