HyperSnap-DX 5.61 Chinese Edition Main Program Unpacking -- Part 1
Published on PEDIY (看雪) on 2004-11-12
The HyperSnap-DX 5.61 Chinese edition main program is packed with an Armadillo version later than 3.7, using Armadillo's double process + CC + IAT deformation + time check, so the unpacking is done in two parts:
Part 1: obtaining the program code, obtaining the OEP, and repairing the IAT
1. Converting from two processes to one
For the two-process to single-process conversion I again use an OllyScript script; the script is as follows:
Code:
;================================
/* Script for automatic two-process to single-process conversion for Armadillo 3.75 and later.
   For OllyScript 0.92; do not tick the "Ignore exceptions in the following range" option under OD's Exceptions.
   by fxyang */
dbh                  // hide OD
var address
gpa "OpenMutexA","kernel32.dll"
bp $RESULT
run
eoe code_1
code_1:
mov address,eip      // get the address of the first PREFIX LOCK: exception
esto
lbl3:
cmp eip,address      // step over the exception automatically
ja begin
esto
begin:
exec
PUSHAD
PUSH EDX
push 0
push 0
CALL kernel32.CreateMutexA
POPAD
jmp kernel32.OpenMutexA
ende
// the code above performs the two-process to single-process conversion from inside the script
bc $RESULT
lbl4:
gpa "VirtualProtect","kernel32.dll"
bp $RESULT           // break on the VirtualProtect function
esto                 // continue after the break
esto
esto
esto
esto
rtr
sto
rtr
sto
sto
sto
sto
sto
sto
sto
sto
sti
sti
pause
// after the code above the program stops inside the shell's execution code
;==========================
The program stops here:
Code:
00DEF065 PUSH EBP
00DEF066 MOV EBP,ESP
00DEF068 PUSH EBX
00DEF069 MOV EBX,DWORD PTR SS:[EBP+8]
00DEF06C PUSH ESI
00DEF06D MOV ESI,DWORD PTR SS:[EBP+C]
00DEF070 PUSH EDI
00DEF071 MOV EDI,DWORD PTR SS:[EBP+10]
00DEF074 TEST ESI,ESI
00DEF076 JNZ SHORT 00DEF081
00DEF078 CMP DWORD PTR DS:[E01AB4],0
00DEF07F JMP SHORT 00DEF0A7
2. Changing the IAT storage address
Because the shell uses temporary (heap) space to hold the IAT, it has to be moved into a section visible in the program.
Press Ctrl+S to open the search-for-command-sequence window and enter:
Code:
PUSH EBP
MOV EBP,ESP
PUSH ECX
PUSH EBX
XOR EBX,EBX
This is a code signature; the first anti check to find is in this code segment. The search lands at:
Code:
00DEBE33 PUSH EBP
00DEBE34 MOV EBP,ESP
00DEBE36 PUSH ECX
00DEBE37 PUSH EBX
00DEBE38 XOR EBX,EBX                       // signature code
00DEBE3A CMP BYTE PTR DS:[DFFFFD],BL
00DEBE40 PUSH ESI
00DEBE41 PUSH EDI
00DEBE42 JNZ SHORT 00DEBE5E
00DEBE44 CMP BYTE PTR DS:[DFFC19],BL
00DEBE4A JNZ SHORT 00DEBE5E
00DEBE4C CALL 00DC7591
00DEBE51 TEST EAX,EAX
00DEBE53 JE SHORT 00DEBE5E
00DEBE55 CALL 00DC82D5
00DEBE5A TEST AL,AL                        // the anti check; the cursor stops here, F4 to this point, then change AL to 1
00DEBE5C JE SHORT 00DEBE65
00DEBE5E XOR AL,AL
00DEBE60 JMP 00DEBF91
Now the manual work begins; step with F8:
Code:
00DE45CC MOV EAX,C80F9D61
00DE45D1 NOT ECX
00DE45D3 BSWAP EAX
00DE45D5 NOT ECX
00DE45D7 PUSH DWORD PTR DS:[DF0498]        ; USER32.SetTimer <-- note
00DE45DD CALL 00DEA2E1
00DE45E2 POP ECX
00DE45E3 MOVZX EAX,AL
00DE45E6 MOV DWORD PTR SS:[EBP-134],EAX
00DE45EC PUSH ECX
00DE45ED BSWAP ECX
00DE45EF NOT ECX
00DE45F1 PUSH EAX
00DE45F2 NOT EAX
00DE45F4 MOV EAX,6C65696D
00DE45F9 XCHG EAX,ECX
Continue with F8 to the first code-decoding routine:
Code:
00DE4A21 CALL 00DC14AC
00DE4A26 ADD ESP,10
00DE4A29 MOV EAX,DWORD PTR DS:[DFFA1C]
00DE4A2E MOV DWORD PTR SS:[EBP-399C],EAX
00DE4A34 CMP DWORD PTR SS:[EBP-399C],0
00DE4A3B JE SHORT 00DE4A73
00DE4A3D MOV EAX,DWORD PTR SS:[EBP-399C]
00DE4A43 CMP DWORD PTR DS:[EAX],0
00DE4A46 JE SHORT 00DE4A73
00DE4A48 MOV EAX,DWORD PTR SS:[EBP-399C]
00DE4A4E MOV EAX,DWORD PTR DS:[EAX]
00DE4A50 MOV EAX,DWORD PTR DS:[EAX]
00DE4A52 ADD EAX,DWORD PTR DS:[E004F0]
00DE4A58 MOV ECX,DWORD PTR SS:[EBP-399C]
00DE4A5E MOV ECX,DWORD PTR DS:[ECX]
00DE4A60 MOV DWORD PTR DS:[ECX],EAX
00DE4A62 MOV EAX,DWORD PTR SS:[EBP-399C]
00DE4A68 ADD EAX,4
00DE4A6B MOV DWORD PTR SS:[EBP-399C],EAX
00DE4A71 JMP SHORT 00DE4A3D
00DE4A73 XCHG EAX,ESI                      // ends here, F4 to here
00DE4A74 XCHG CX,CX
00DE4A77 XCHG EAX,ESI
00DE4A78 INS DWORD PTR ES:[EDI],DX         ; I/O command
Continue with F8 to the code that allocates the temporary space; this version no longer uses the original VirtualAlloc function:
Code:
00DE5209 MOV DWORD PTR DS:[DF68CC],0DF7454 ; ASCII "B4"
00DE5213 MOV EAX,DWORD PTR DS:[E00030]
00DE5218 MOV EAX,DWORD PTR DS:[EAX]
00DE521A MOV DWORD PTR SS:[EBP-3924],EAX
00DE5220 MOV EAX,DWORD PTR DS:[E00030]
00DE5225 ADD EAX,4
00DE5228 MOV DWORD PTR DS:[E00030],EAX
00DE522D CALL 00DEB11B
00DE5232 XOR ECX,ECX
00DE5234 TEST EAX,EAX
00DE5236 SETNE CL
00DE5239 INC ECX
00DE523A MOV EAX,DWORD PTR DS:[E00030]
00DE523F MOV EAX,DWORD PTR DS:[EAX]
00DE5241 XOR EDX,EDX
00DE5243 DIV ECX
00DE5245 MOV DWORD PTR SS:[EBP-37C8],EAX
00DE524B MOV EAX,DWORD PTR DS:[E00030]
00DE5250 ADD EAX,4
00DE5253 MOV DWORD PTR DS:[E00030],EAX
00DE5258 MOV EAX,DWORD PTR SS:[EBP-37C8]
00DE525E SHL EAX,2
00DE5261 PUSH EAX
00DE5262 CALL 00DEEF08                     ; JMP to msvcrt.??2@YAPAXI@Z // the allocation function
00DE5267 POP ECX
00DE5268 MOV DWORD PTR SS:[EBP+FFFFAFE8],EAX   <-- return value, change this value
00DE526E MOV EAX,DWORD PTR SS:[EBP+FFFFAFE8]
00DE5274 MOV DWORD PTR SS:[EBP-3928],EAX
00DE527A MOV EAX,DWORD PTR DS:[E00028]
00DE527F MOV EAX,DWORD PTR DS:[EAX+78]
00DE5282 MOV DWORD PTR SS:[EBP+FFFFAE28],EAX
00DE5288 MOV EAX,DWORD PTR SS:[EBP+FFFFAE28]
00DE528E MOV DWORD PTR SS:[EBP-39F8],EAX
00DE5294 AND DWORD PTR SS:[EBP-39FC],0
00DE529B JMP SHORT 00DE52AA
Change the allocation's return value to EAX = 00646000, the shell's first code section, because the shell no longer uses that section while it runs.
Below is the computation of the first IAT encryption table:
Code:
00DE529D MOV EAX,DWORD PTR SS:[EBP-39FC]
00DE52A3 INC EAX
00DE52A4 MOV DWORD PTR SS:[EBP-39FC],EAX
00DE52AA MOV EAX,DWORD PTR SS:[EBP-39FC]
00DE52B0 CMP EAX,DWORD PTR SS:[EBP-37C8]
00DE52B6 JNB 00DE5379
00DE52BC MOV DWORD PTR SS:[EBP+FFFFAE14],14
00DE52C6 PUSH 1DF5E0D
00DE52CB PUSH DWORD PTR SS:[EBP-39F8]
00DE52D1 LEA ECX,DWORD PTR SS:[EBP-39F8]
00DE52D7 CALL 00DC1071
00DE52DC INC EAX
00DE52DD XOR EDX,EDX
00DE52DF MOV ECX,5F5E100
00DE52E4 DIV ECX
00DE52E6 MOV DWORD PTR SS:[EBP-39F8],EDX
00DE52EC MOV DWORD PTR SS:[EBP+FFFFAE00],100
00DE52F6 PUSH 1DF5E0D
00DE52FB PUSH DWORD PTR SS:[EBP-39F8]
00DE5301 LEA ECX,DWORD PTR SS:[EBP-39F8]
00DE5307 CALL 00DC1071
00DE530C INC EAX
00DE530D XOR EDX,EDX
00DE530F MOV ECX,5F5E100
00DE5314 DIV ECX
00DE5316 MOV DWORD PTR SS:[EBP-39F8],EDX
00DE531C MOV EAX,DWORD PTR SS:[EBP-39F8]
00DE5322 XOR EDX,EDX
00DE5324 MOV ECX,2710
00DE5329 DIV ECX
00DE532B IMUL EAX,DWORD PTR SS:[EBP+FFFFAE14]
00DE5332 XOR EDX,EDX
00DE5334 MOV ECX,2710
00DE5339 DIV ECX
00DE533B MOV ECX,EAX
00DE533D MOV EAX,DWORD PTR SS:[EBP-39F8]
00DE5343 XOR EDX,EDX
00DE5345 MOV ESI,2710
00DE534A DIV ESI
00DE534C IMUL EAX,DWORD PTR SS:[EBP+FFFFAE00]
00DE5353 XOR EDX,EDX
00DE5355 MOV ESI,2710
00DE535A DIV ESI
00DE535C MOV ECX,DWORD PTR SS:[EBP+ECX*4-3978]
00DE5363 ADD ECX,EAX
00DE5365 MOV EAX,DWORD PTR SS:[EBP-39FC]
00DE536B MOV EDX,DWORD PTR SS:[EBP-3928]
00DE5371 MOV DWORD PTR DS:[EDX+EAX*4],ECX  // the value is stored at the address changed above
00DE5374 JMP 00DE529D
00DE5379 MOV EAX,DWORD PTR DS:[E00030]     // this is the exit, F4 to here
This table probably relates to the later IAT encryption; perhaps the IAT encryption could be broken open from here, but I did not work it out.
3. Obtaining the program code
Continue with F8 to the second code-decoding location:
Code:
00DE5963 CALL 00DC14AC
00DE5968 ADD ESP,10
00DE596B MOV EAX,DWORD PTR DS:[DFFA20]
00DE5970 MOV DWORD PTR SS:[EBP-3A34],EAX
00DE5976 CMP DWORD PTR SS:[EBP-3A34],0
00DE597D JE SHORT 00DE59B5
00DE597F MOV EAX,DWORD PTR SS:[EBP-3A34]
00DE5985 CMP DWORD PTR DS:[EAX],0
00DE5988 JE SHORT 00DE59B5
00DE598A MOV EAX,DWORD PTR SS:[EBP-3A34]
00DE5990 MOV EAX,DWORD PTR DS:[EAX]
00DE5992 MOV EAX,DWORD PTR DS:[EAX]
00DE5994 ADD EAX,DWORD PTR DS:[E004F0]
00DE599A MOV ECX,DWORD PTR SS:[EBP-3A34]
00DE59A0 MOV ECX,DWORD PTR DS:[ECX]
00DE59A2 MOV DWORD PTR DS:[ECX],EAX
00DE59A4 MOV EAX,DWORD PTR SS:[EBP-3A34]
00DE59AA ADD EAX,4
00DE59AD MOV DWORD PTR SS:[EBP-3A34],EAX
00DE59B3 JMP SHORT 00DE597F
00DE59B5 XCHG EAX,EDI                      // ends here, F4 to here
00DE59B6 XCHG CX,CX
00DE59B9 XCHG EAX,EDI
00DE59BA OR ESI,DWORD PTR DS:[ECX+EBX*2]
Continue with F8 to here:
Code:
00DE5A9F MOV EAX,DWORD PTR SS:[EBP-3A48]
00DE5AA5 AND EAX,7FFFFFFF
00DE5AAA MOV ECX,DWORD PTR SS:[EBP-3910]
00DE5AB0 ADD EAX,DWORD PTR DS:[ECX+88]
00DE5AB6 MOV DWORD PTR SS:[EBP-3A48],EAX
00DE5ABC MOV EAX,DWORD PTR DS:[E00030]
00DE5AC1 MOV EAX,DWORD PTR DS:[EAX]
00DE5AC3 XOR EAX,DWORD PTR DS:[E00034]
00DE5AC9 MOV DWORD PTR SS:[EBP-3A44],EAX
00DE5ACF MOV EAX,DWORD PTR DS:[E00030]
00DE5AD4 ADD EAX,4
00DE5AD7 MOV DWORD PTR DS:[E00030],EAX
00DE5ADC MOV EAX,DWORD PTR SS:[EBP-3A44]
00DE5AE2 ADD EAX,10000                     ; UNICODE "=::=::\"
00DE5AE7 PUSH EAX
00DE5AE8 CALL 00DEEF08                     ; JMP to msvcrt.??2@YAPAXI@Z
00DE5AED POP ECX
00DE5AEE MOV DWORD PTR SS:[EBP+FFFFAFDC],EAX
00DE5AF4 MOV EAX,DWORD PTR SS:[EBP+FFFFAFDC]
00DE5AFA MOV DWORD PTR SS:[EBP-3A40],EAX
00DE5B00 MOV EAX,DWORD PTR SS:[EBP-3A40]
00DE5B06 MOV DWORD PTR SS:[EBP-3A38],EAX
00DE5B0C MOV EAX,DWORD PTR SS:[EBP-3A44]
00DE5B12 ADD EAX,10000                     ; UNICODE "=::=::\"
00DE5B17 PUSH EAX
00DE5B18 PUSH 0
00DE5B1A PUSH DWORD PTR SS:[EBP-3A40]
00DE5B20 CALL 00DEEF14                     ; JMP to msvcrt.memset
00DE5B25 ADD ESP,0C
00DE5B28 PUSH 1
00DE5B2A POP EAX
00DE5B2B TEST EAX,EAX
00DE5B2D JE 00DE5BBC
The code above first allocates a buffer and then initialises it in preparation for decoding the program code.
Continue with F8 to the section that restores the program code:
Code:
00DE5F3D LEA EAX,DWORD PTR SS:[EBP-3A4C]
00DE5F43 PUSH EAX
00DE5F44 PUSH 4
00DE5F46 PUSH DWORD PTR SS:[EBP-3A44]
00DE5F4C MOV EAX,DWORD PTR SS:[EBP-3900]
00DE5F52 ADD EAX,DWORD PTR SS:[EBP-3A48]
00DE5F58 PUSH EAX
00DE5F59 CALL DWORD PTR DS:[DF0148]        ; kernel32.VirtualProtect
00DE5F5F PUSH DWORD PTR SS:[EBP-3A44]
00DE5F65 PUSH DWORD PTR SS:[EBP-3A40]
00DE5F6B MOV EAX,DWORD PTR SS:[EBP-3900]
00DE5F71 ADD EAX,DWORD PTR SS:[EBP-3A48]
00DE5F77 PUSH EAX
00DE5F78 CALL 00DEEF02                     ; JMP to msvcrt.memcpy
00DE5F7D ADD ESP,0C                        // memory data copy
00DE5F80 LEA EAX,DWORD PTR SS:[EBP-3A4C]
00DE5F86 PUSH EAX
00DE5F87 PUSH DWORD PTR SS:[EBP-3A4C]
00DE5F8D PUSH DWORD PTR SS:[EBP-3A44]
00DE5F93 MOV EAX,DWORD PTR SS:[EBP-3900]
00DE5F99 ADD EAX,DWORD PTR SS:[EBP-3A48]
00DE5F9F PUSH EAX
00DE5FA0 CALL DWORD PTR DS:[DF0148]        ; kernel32.VirtualProtect
00DE5FA6 MOV EAX,DWORD PTR SS:[EBP-3A40]
00DE5FAC MOV DWORD PTR SS:[EBP+FFFFAFD8],EAX
00DE5FB2 PUSH DWORD PTR SS:[EBP+FFFFAFD8]
00DE5FB8 CALL 00DEEEFC                     ; JMP to msvcrt.??3@YAXPAX@Z
00DE5FBD POP ECX
00DE5FBE JMP 00DE5A57
As you can see, the shell keeps changing the attributes of each of the program's sections and then copying data in; this loop is what decodes the program.
5. Restoring the IAT
After the decoding above completes, we arrive here:
Code:
00DE5FC3 AND DWORD PTR DS:[E00034],0
00DE5FCA CMP DWORD PTR SS:[EBP-379C],0
00DE5FD1 JE SHORT 00DE6006
Continue with F8 to the third code decoding:
Code:
00DE637D CALL 00DC14AC
00DE6382 ADD ESP,10
00DE6385 MOV EAX,DWORD PTR DS:[DFFA24]
00DE638A MOV DWORD PTR SS:[EBP-3AA0],EAX
00DE6390 CMP DWORD PTR SS:[EBP-3AA0],0
00DE6397 JE SHORT 00DE63CF
00DE6399 MOV EAX,DWORD PTR SS:[EBP-3AA0]
00DE639F CMP DWORD PTR DS:[EAX],0
00DE63A2 JE SHORT 00DE63CF
00DE63A4 MOV EAX,DWORD PTR SS:[EBP-3AA0]
00DE63AA MOV EAX,DWORD PTR DS:[EAX]
00DE63AC MOV EAX,DWORD PTR DS:[EAX]
00DE63AE ADD EAX,DWORD PTR DS:[E004F0]
00DE63B4 MOV ECX,DWORD PTR SS:[EBP-3AA0]
00DE63BA MOV ECX,DWORD PTR DS:[ECX]
00DE63BC MOV DWORD PTR DS:[ECX],EAX
00DE63BE MOV EAX,DWORD PTR SS:[EBP-3AA0]
00DE63C4 ADD EAX,4
00DE63C7 MOV DWORD PTR SS:[EBP-3AA0],EAX
00DE63CD JMP SHORT 00DE6399
00DE63CF PUSH EDI                          // ends here, F4 to here
00DE63D0 XCHG BX,BX
00DE63D3 POP EDI
Continue with F8 to here:
Code:
00DE68DC CALL 00DC14AC
00DE68E1 ADD ESP,10
00DE68E4 MOV EAX,DWORD PTR DS:[DFFA2C]
00DE68E9 MOV DWORD PTR SS:[EBP-3B64],EAX
00DE68EF CMP DWORD PTR SS:[EBP-3B64],0
00DE68F6 JE SHORT 00DE692E
00DE68F8 MOV EAX,DWORD PTR SS:[EBP-3B64]
00DE68FE CMP DWORD PTR DS:[EAX],0
00DE6901 JE SHORT 00DE692E
00DE6903 MOV EAX,DWORD PTR SS:[EBP-3B64]
00DE6909 MOV EAX,DWORD PTR DS:[EAX]
00DE690B MOV EAX,DWORD PTR DS:[EAX]
00DE690D ADD EAX,DWORD PTR DS:[E004F0]
00DE6913 MOV ECX,DWORD PTR SS:[EBP-3B64]
00DE6919 MOV ECX,DWORD PTR DS:[ECX]
00DE691B MOV DWORD PTR DS:[ECX],EAX
00DE691D MOV EAX,DWORD PTR SS:[EBP-3B64]
00DE6923 ADD EAX,4
00DE6926 MOV DWORD PTR SS:[EBP-3B64],EAX
00DE692C JMP SHORT 00DE68F8
00DE692E XCHG AX,CX                        // ends here, F4 to here
00DE6930 NOP
00DE6931 XCHG AX,CX
Now IAT processing begins; note:
Code:
00DE6B32 PUSH DWORD PTR SS:[EBP-3B70]
00DE6B38 CALL 00DC9950
00DE6B3D POP ECX
00DE6B3E AND DWORD PTR SS:[EBP-3B74],0
00DE6B45 PUSH 0
00DE6B47 CALL DWORD PTR DS:[DF00D4]        ; kernel32.GetModuleHandleA
00DE6B4D CMP DWORD PTR SS:[EBP-3B70],EAX   // you can set a breakpoint on the function above to get here
00DE6B53 JNZ SHORT 00DE6B64
00DE6B55 MOV DWORD PTR SS:[EBP-3B74],0DF5180
00DE6B5F JMP 00DE6C28
00DE6B64 AND DWORD PTR SS:[EBP-3D98],0
00DE6B6B MOV DWORD PTR SS:[EBP-3D9C],0DF57C0
00DE6B75 JMP SHORT 00DE6B93
00DE6B77 MOV EAX,DWORD PTR SS:[EBP-3D9C]
00DE6B7D ADD EAX,0C
00DE6B80 MOV DWORD PTR SS:[EBP-3D9C],EAX
00DE6B86 MOV EAX,DWORD PTR SS:[EBP-3D98]
00DE6B8C INC EAX
00DE6B8D MOV DWORD PTR SS:[EBP-3D98],EAX
00DE6B93 MOV EAX,DWORD PTR SS:[EBP-3D9C]
00DE6B99 CMP DWORD PTR DS:[EAX],0          <-- this is the Magic jmp
00DE6B9C JE 00DE6C28                       // change to JMP 00DE6C28
00DE6BA2 MOV EAX,DWORD PTR SS:[EBP-3D9C]
00DE6BA8 MOV EAX,DWORD PTR DS:[EAX+8]
00DE6BAB AND EAX,1
00DE6BAE TEST EAX,EAX
00DE6BB0 JE SHORT 00DE6BD7
Decoding the IAT:
Code:
00DE6D62 AND DWORD PTR SS:[EBP-3B68],0
00DE6D69 CALL DWORD PTR DS:[DF029C]        ; kernel32.GetTickCount
00DE6D6F MOV DWORD PTR SS:[EBP-3B6C],EAX   // the time check starts
00DE6D75 PUSH 1
00DE6D77 POP EAX
00DE6D78 TEST EAX,EAX
00DE6D7A JE 00DE70A7
00DE6D80 AND WORD PTR SS:[EBP-3DA4],0
00DE6D88 AND DWORD PTR SS:[EBP-3DAC],0
00DE6D8F AND DWORD PTR SS:[EBP-3DA8],0
00DE6D96 MOV EAX,DWORD PTR SS:[EBP-3790]
00DE6D9C MOVSX EAX,BYTE PTR DS:[EAX]
00DE6D9F TEST EAX,EAX
00DE6DA1 JNZ SHORT 00DE6DE7
00DE6DA3 LEA ECX,DWORD PTR SS:[EBP-37D4]
00DE6DA9 CALL 00DC1040
00DE6DAE MOVZX EAX,AL
00DE6DB1 CDQ
00DE6DB2 PUSH 14
00DE6DB4 POP ECX
00DE6DB5 IDIV ECX
00DE6DB7 MOV EAX,DWORD PTR SS:[EBP-37FC]
00DE6DBD MOV ECX,DWORD PTR SS:[EBP+EDX*4-3978]   // module-boundary encryption, change to XOR ECX,ECX
00DE6DC4 MOV DWORD PTR DS:[EAX],ECX
00DE6DC6 MOV EAX,DWORD PTR SS:[EBP-37FC]
00DE6DCC ADD EAX,4
00DE6DCF MOV DWORD PTR SS:[EBP-37FC],EAX
00DE6DD5 MOV EAX,DWORD PTR SS:[EBP-3790]
00DE6DDB INC EAX
00DE6DDC MOV DWORD PTR SS:[EBP-3790],EAX
00DE6DE2 JMP 00DE70A7
00DE6DE7 MOV EAX,DWORD PTR SS:[EBP-3790]
00DE6DED MOVZX EAX,BYTE PTR DS:[EAX]
00DE6DF0 CMP EAX,0FF
00DE6DF5 JNZ 00DE6E92
00DE6DFB MOV EAX,DWORD PTR SS:[EBP-3790]
00DE6E01 INC EAX
00DE6E02 MOV DWORD PTR SS:[EBP-3790],EAX
00DE6E08 MOV EAX,DWORD PTR SS:[EBP-3790]
00DE6E0E MOV AX,WORD PTR DS:[EAX]
00DE6E11 MOV WORD PTR SS:[EBP-3DA4],AX
00DE6E18 MOV EAX,DWORD PTR SS:[EBP-3790]
00DE6E1E INC EAX
00DE6E1F INC EAX
00DE6E20 MOV DWORD PTR SS:[EBP-3790],EAX
00DE6E26 CMP DWORD PTR SS:[EBP-3B74],0
00DE6E2D JE SHORT 00DE6E80
00DE6E2F MOV EAX,DWORD PTR SS:[EBP-3B74]
00DE6E35 MOV DWORD PTR SS:[EBP-3DB0],EAX
00DE6E3B JMP SHORT 00DE6E4C
00DE6E3D MOV EAX,DWORD PTR SS:[EBP-3DB0]
00DE6E43 ADD EAX,0C
00DE6E46 MOV DWORD PTR SS:[EBP-3DB0],EAX
00DE6E4C MOV EAX,DWORD PTR SS:[EBP-3DB0]
00DE6E52 CMP DWORD PTR DS:[EAX+8],0
00DE6E56 JE SHORT 00DE6E80
00DE6E58 MOVZX EAX,WORD PTR SS:[EBP-3DA4]
00DE6E5F MOV ECX,DWORD PTR SS:[EBP-3DB0]
00DE6E65 MOVZX ECX,WORD PTR DS:[ECX+4]
00DE6E69 CMP EAX,ECX
00DE6E6B JNZ SHORT 00DE6E7E
00DE6E6D MOV EAX,DWORD PTR SS:[EBP-3DB0]
00DE6E73 MOV EAX,DWORD PTR DS:[EAX+8]
00DE6E76 MOV DWORD PTR SS:[EBP-3DA8],EAX
00DE6E7C JMP SHORT 00DE6E80
00DE6E7E JMP SHORT 00DE6E3D
00DE6E80 MOV EAX,DWORD PTR SS:[EBP-3B68]
00DE6E86 INC EAX
00DE6E87 MOV DWORD PTR SS:[EBP-3B68],EAX
00DE6E8D JMP 00DE6F3C
00DE6E92 MOV EAX,DWORD PTR SS:[EBP-3790]
00DE6E98 MOV DWORD PTR SS:[EBP-3DAC],EAX
00DE6E9E PUSH 0
00DE6EA0 PUSH DWORD PTR SS:[EBP-3790]
00DE6EA6 CALL DWORD PTR DS:[DF02F0]        ; msvcrt.strchr
00DE6EAC POP ECX
00DE6EAD POP ECX
00DE6EAE INC EAX
00DE6EAF MOV DWORD PTR SS:[EBP-3790],EAX
00DE6EB5 CMP DWORD PTR SS:[EBP-3B74],0
00DE6EBC JE SHORT 00DE6F2F
00DE6EBE MOV EAX,DWORD PTR SS:[EBP-3B74]
00DE6EC4 MOV DWORD PTR SS:[EBP-3DB4],EAX
00DE6ECA JMP SHORT 00DE6EDB
00DE6ECC MOV EAX,DWORD PTR SS:[EBP-3DB4]
00DE6ED2 ADD EAX,0C
00DE6ED5 MOV DWORD PTR SS:[EBP-3DB4],EAX
00DE6EDB MOV EAX,DWORD PTR SS:[EBP-3DB4]
00DE6EE1 CMP DWORD PTR DS:[EAX+8],0
00DE6EE5 JE SHORT 00DE6F2F
00DE6EE7 PUSH 100
00DE6EEC LEA EAX,DWORD PTR SS:[EBP-3EB4]
00DE6EF2 PUSH EAX
00DE6EF3 MOV EAX,DWORD PTR SS:[EBP-3DB4]
00DE6EF9 PUSH DWORD PTR DS:[EAX]
00DE6EFB CALL 00DC8092
00DE6F00 ADD ESP,0C
00DE6F03 LEA EAX,DWORD PTR SS:[EBP-3EB4]
00DE6F09 PUSH EAX
00DE6F0A PUSH DWORD PTR SS:[EBP-3DAC]
00DE6F10 CALL DWORD PTR DS:[DF035C]        ; msvcrt._stricmp
00DE6F16 POP ECX
00DE6F17 POP ECX
00DE6F18 TEST EAX,EAX
00DE6F1A JNZ SHORT 00DE6F2D
00DE6F1C MOV EAX,DWORD PTR SS:[EBP-3DB4]
00DE6F22 MOV EAX,DWORD PTR DS:[EAX+8]
00DE6F25 MOV DWORD PTR SS:[EBP-3DA8],EAX
00DE6F2B JMP SHORT 00DE6F2F
00DE6F2D JMP SHORT 00DE6ECC
00DE6F2F MOV EAX,DWORD PTR SS:[EBP-3B68]
00DE6F35 INC EAX
00DE6F36 MOV DWORD PTR SS:[EBP-3B68],EAX
00DE6F3C CMP DWORD PTR SS:[EBP-3DA8],0
00DE6F43 JNZ SHORT 00DE6F87
00DE6F45 MOVZX EAX,WORD PTR SS:[EBP-3DA4]
00DE6F4C TEST EAX,EAX
00DE6F4E JE SHORT 00DE6F5F
00DE6F50 MOVZX EAX,WORD PTR SS:[EBP-3DA4]
00DE6F57 MOV DWORD PTR SS:[EBP+FFFFAD5C],EAX
00DE6F5D JMP SHORT 00DE6F6B
00DE6F5F MOV EAX,DWORD PTR SS:[EBP-3DAC]
00DE6F65 MOV DWORD PTR SS:[EBP+FFFFAD5C],EAX
00DE6F6B PUSH 1
00DE6F6D PUSH DWORD PTR SS:[EBP+FFFFAD5C]
00DE6F73 PUSH DWORD PTR SS:[EBP-3B70]
00DE6F79 CALL 00DCA113
00DE6F7E ADD ESP,0C
00DE6F81 MOV DWORD PTR SS:[EBP-3DA8],EAX
00DE6F87 CMP DWORD PTR SS:[EBP-3DA8],0
00DE6F8E JNZ SHORT 00DE6FD2
00DE6F90 MOVZX EAX,WORD PTR SS:[EBP-3DA4]
00DE6F97 TEST EAX,EAX
00DE6F99 JE SHORT 00DE6FAA
00DE6F9B MOVZX EAX,WORD PTR SS:[EBP-3DA4]
00DE6FA2 MOV DWORD PTR SS:[EBP+FFFFAD58],EAX
00DE6FA8 JMP SHORT 00DE6FB6
00DE6FAA MOV EAX,DWORD PTR SS:[EBP-3DAC]
00DE6FB0 MOV DWORD PTR SS:[EBP+FFFFAD58],EAX
00DE6FB6 PUSH 0
00DE6FB8 PUSH DWORD PTR SS:[EBP+FFFFAD58]
00DE6FBE PUSH DWORD PTR SS:[EBP-3B70]
00DE6FC4 CALL 00DCA113
00DE6FC9 ADD ESP,0C
00DE6FCC MOV DWORD PTR SS:[EBP-3DA8],EAX
00DE6FD2 CMP DWORD PTR SS:[EBP-3DA8],0
00DE6FD9 JNZ 00DE7077
00DE6FDF MOVZX EAX,WORD PTR SS:[EBP-3DA4]
00DE6FE6 TEST EAX,EAX
00DE6FE8 JE SHORT 00DE703E
00DE6FEA CALL DWORD PTR DS:[DF00E4]        ; ntdll.RtlGetLastWin32Error
00DE6FF0 CMP EAX,32
00DE6FF3 JNZ SHORT 00DE7001
00DE6FF5 MOV DWORD PTR SS:[EBP-3DA8],0DCA108
00DE6FFF JMP SHORT 00DE703C
00DE7001 MOV EAX,DWORD PTR SS:[EBP+8]
00DE7004 MOV EAX,DWORD PTR DS:[EAX]
00DE7006 MOV DWORD PTR DS:[EAX],3
00DE700C CALL DWORD PTR DS:[DF00E4]        ; ntdll.RtlGetLastWin32Error
00DE7012 PUSH EAX
00DE7013 MOVZX EAX,WORD PTR SS:[EBP-3DA4]
00DE701A PUSH EAX
00DE701B PUSH DWORD PTR SS:[EBP-3C8C]
00DE7021 PUSH 0DF73B0                      ; ASCII "File "%s", ordinal %d (error %d)"
00DE7026 MOV EAX,DWORD PTR SS:[EBP+8]
00DE7029 PUSH DWORD PTR DS:[EAX+4]
00DE702C CALL DWORD PTR DS:[DF02EC]        ; msvcrt.sprintf
00DE7032 ADD ESP,14
00DE7035 XOR EAX,EAX
00DE7037 JMP 00DE81EF
00DE703C JMP SHORT 00DE7077
00DE703E MOV EAX,DWORD PTR SS:[EBP+8]
00DE7041 MOV EAX,DWORD PTR DS:[EAX]
00DE7043 MOV DWORD PTR DS:[EAX],3
00DE7049 CALL DWORD PTR DS:[DF00E4]        ; ntdll.RtlGetLastWin32Error
00DE704F PUSH EAX
00DE7050 PUSH DWORD PTR SS:[EBP-3DAC]
00DE7056 PUSH DWORD PTR SS:[EBP-3C8C]
00DE705C PUSH 0DF738C                      ; ASCII "File "%s", function "%s" (error %d)"
00DE7061 MOV EAX,DWORD PTR SS:[EBP+8]
00DE7064 PUSH DWORD PTR DS:[EAX+4]
00DE7067 CALL DWORD PTR DS:[DF02EC]        ; msvcrt.sprintf
00DE706D ADD ESP,14
00DE7070 XOR EAX,EAX
00DE7072 JMP 00DE81EF
00DE7077 MOV EAX,DWORD PTR SS:[EBP-37FC]
00DE707D CMP EAX,DWORD PTR SS:[EBP-37A8]
00DE7083 JNB SHORT 00DE70A2
00DE7085 MOV EAX,DWORD PTR SS:[EBP-37FC]
00DE708B MOV ECX,DWORD PTR SS:[EBP-3DA8]
00DE7091 MOV DWORD PTR DS:[EAX],ECX        // write into the IAT; you can see it goes to the address we changed
00DE7093 MOV EAX,DWORD PTR SS:[EBP-37FC]
00DE7099 ADD EAX,4
00DE709C MOV DWORD PTR SS:[EBP-37FC],EAX
00DE70A2 JMP 00DE6D75
00DE70A7 CALL DWORD PTR DS:[DF029C]        ; kernel32.GetTickCount
00DE70AD SUB EAX,DWORD PTR SS:[EBP-3B6C]   // the time the code above took to run
00DE70B3 MOV ECX,DWORD PTR SS:[EBP-3B68]
00DE70B9 IMUL ECX,ECX,32
00DE70BC ADD ECX,7D0
00DE70C2 CMP EAX,ECX
00DE70C4 JBE SHORT 00DE70CD                // the time check; change this to JMP 00DE70CD
00DE70C6 MOV BYTE PTR SS:[EBP-37D8],1      <-- the modification flag
00DE70CD CMP DWORD PTR SS:[EBP-3928],0     {note: if this flag is set, the parameter used below to arrange the IAT is altered}
00DE70D4 JNZ 00DE7164
00DE70DA MOVZX EAX,BYTE PTR SS:[EBP-3B7C]
00DE70E1 TEST EAX,EAX
00DE70E3 JE SHORT 00DE7164
00DE70E5 PUSH 0
00DE70E7 MOV EAX,DWORD PTR SS:[EBP-3B78]
00DE70ED SHL EAX,2
00DE70F0 PUSH EAX
00DE70F1 MOV EAX,DWORD PTR SS:[EBP-3900]
00DE70F7 ADD EAX,DWORD PTR SS:[EBP-3B80]
00DE70FD PUSH EAX
00DE70FE CALL 00DE8C74
00DE7103 ADD ESP,0C
00DE7106 MOV EAX,DWORD PTR SS:[EBP-3B78]
00DE710C SHL EAX,2
00DE710F PUSH EAX
00DE7110 PUSH DWORD PTR SS:[EBP-37A0]
00DE7116 MOV EAX,DWORD PTR SS:[EBP-3900]
00DE711C ADD EAX,DWORD PTR SS:[EBP-3B80]
00DE7122 PUSH EAX
00DE7123 CALL 00DEEF02                     ; JMP to msvcrt.memcpy
00DE7128 ADD ESP,0C
00DE712B PUSH 1
00DE712D MOV EAX,DWORD PTR SS:[EBP-3B78]
00DE7133 SHL EAX,2
00DE7136 PUSH EAX
00DE7137 MOV EAX,DWORD PTR SS:[EBP-3900]
00DE713D ADD EAX,DWORD PTR SS:[EBP-3B80]
00DE7143 PUSH EAX
00DE7144 CALL 00DE8C74
00DE7149 ADD ESP,0C
00DE714C MOV EAX,DWORD PTR SS:[EBP-37A0]
00DE7152 MOV DWORD PTR SS:[EBP+FFFFAFC8],EAX
00DE7158 PUSH DWORD PTR SS:[EBP+FFFFAFC8]
00DE715E CALL 00DEEEFC                     ; JMP to msvcrt.??3@YAXPAX@Z
00DE7163 POP ECX
00DE7164 CMP DWORD PTR SS:[EBP-3928],0
00DE716B JNZ SHORT 00DE7197
00DE716D LEA EAX,DWORD PTR SS:[EBP-3B84]
00DE7173 PUSH EAX
00DE7174 PUSH DWORD PTR SS:[EBP-3B84]
00DE717A MOV EAX,DWORD PTR SS:[EBP-3B78]
00DE7180 SHL EAX,2
00DE7183 PUSH EAX
00DE7184 MOV EAX,DWORD PTR SS:[EBP-3900]
00DE718A ADD EAX,DWORD PTR SS:[EBP-3B80]
00DE7190 PUSH EAX
00DE7191 CALL DWORD PTR DS:[DF0148]        ; kernel32.VirtualProtect
00DE7197 JMP 00DE697F
00DE719C MOV EAX,DWORD PTR SS:[EBP-391C]   <-- the IAT is complete at this point
Restore every piece of code modified above; you absolutely must restore it!
Code:
The complete table:
00646000  4D 22 DB 77 68 6A DB 77
00646008  8B 6F DB 77 F4 6C DB 77
00646010  10 24 DA 77 9A 22 DA 77
00646018  D8 17 DA 77 D4 65 DB 77
00646020  B1 63 DB 77 BB 28 DA 77
00646028  99 4E DA 77 5B 66 DB 77
00646030  27 67 DB 77 D9 23 DA 77
00646038  E2 68 DB 77 D6 27 DA 77
…………
00646B38  15 88 AC 7C 2D C1 B8 7C
00646B40  63 4A AC 7C A6 F2 AD 7C
00646B48  11 F0 AD 7C 7B 85 AC 7C
00646B50  91 05 AC 7C F5 1F AC 7C
00646B58  FA 49 AC 7C 16 49 AC 7C
00646B60  16 72 B0 7C 5F 86 B0 7C
00646B68  DB 8A B0 7C AF F3 AD 7C
00646B70  CF 9E B1 7C 0F B3 B1 7C
00646B78  1D CD B1 7C 31 CC B1 7C
00646B80  5B 46 B4 7C D7 48 B4 7C
00646B88  00 00 00 00 F3 F0 C9 74
00646B90  00 00 00 00
Copy the table above as binary and keep it for the restore step later on.
Code:
4D 22 DB 77 68 6A DB 77 8B 6F DB 77 F4 6C DB 77
10 24 DA 77 9A 22 DA 77 D8 17 DA 77 D4 65 DB 77
B1 63 DB 77 BB 28 DA 77 99 4E DA 77 5B 66 DB 77
27 67 DB 77 D9 23 DA 77 E2 68 DB 77 D6 27 DA 77
69 6D DC 77 8E 5B DC 77 00 00 00 00 B1 38 31 77
13 B3 31 77 3D 51 31 77 B7 4E 31 77 A4 7F 33 77
…………
00 00 00 00 A3 05 AC 7C 11 B2 B0 7C 2C 88 AE 7C
4E 8C AC 7C 70 97 AC 7C 9A 3E AC 7C 1E 04 AF 7C
CA E6 AD 7C 78 12 AD 7C 3C 12 B2 7C 72 83 AF 7C
CE 88 AC 7C C7 80 AF 7C 15 88 AC 7C 2D C1 B8 7C
63 4A AC 7C A6 F2 AD 7C 11 F0 AD 7C 7B 85 AC 7C
91 05 AC 7C F5 1F AC 7C FA 49 AC 7C 16 49 AC 7C
16 72 B0 7C 5F 86 B0 7C DB 8A B0 7C AF F3 AD 7C
CF 9E B1 7C 0F B3 B1 7C 1D CD B1 7C 31 CC B1 7C
5B 46 B4 7C D7 48 B4 7C 00 00 00 00 F3 F0 C9 74
00 00 00 00
Below is the shell re-encrypting the IAT:
Code:
00DE719C MOV EAX,DWORD PTR SS:[EBP-391C]
00DE71A2 MOV DWORD PTR SS:[EBP+FFFFAFC4],EAX
00DE71A8 PUSH DWORD PTR SS:[EBP+FFFFAFC4]
00DE71AE CALL 00DEEEFC                     ; JMP to msvcrt.??3@YAXPAX@Z
00DE71B3 POP ECX
00DE71B4 CMP DWORD PTR SS:[EBP-3928],0
00DE71BB JE 00DE731A
00DE71C1 MOV EAX,DWORD PTR DS:[E00028]
00DE71C6 MOV EAX,DWORD PTR DS:[EAX+60]
00DE71C9 MOV DWORD PTR SS:[EBP+FFFFADD4],EAX
00DE71CF MOV EAX,DWORD PTR SS:[EBP+FFFFADD4]
00DE71D5 MOV DWORD PTR SS:[EBP-3EBC],EAX
00DE71DB CALL 00DEA85B
00DE71E0 NEG EAX
00DE71E2 SBB EAX,EAX
00DE71E4 AND EAX,100
00DE71E9 ADD EAX,100
00DE71EE MOV DWORD PTR SS:[EBP+FFFFADC0],EAX
00DE71F4 PUSH 1DF5E0D
00DE71F9 PUSH DWORD PTR SS:[EBP-3EBC]
00DE71FF LEA ECX,DWORD PTR SS:[EBP-3EBC]
00DE7205 CALL 00DC1071
00DE720A INC EAX
00DE720B XOR EDX,EDX
00DE720D MOV ECX,5F5E100
00DE7212 DIV ECX
00DE7214 MOV DWORD PTR SS:[EBP-3EBC],EDX
00DE721A MOVZX ECX,BYTE PTR SS:[EBP-37D8]
00DE7221 NEG ECX
00DE7223 SBB ECX,ECX
00DE7225 AND ECX,100
00DE722B ADD ECX,200
00DE7231 MOV EAX,DWORD PTR SS:[EBP-3EBC]
00DE7237 XOR EDX,EDX
00DE7239 MOV ESI,2710
00DE723E DIV ESI
00DE7240 IMUL EAX,DWORD PTR SS:[EBP+FFFFADC0]
00DE7247 XOR EDX,EDX
00DE7249 MOV ESI,2710
00DE724E DIV ESI
00DE7250 ADD ECX,EAX
00DE7252 MOV DWORD PTR SS:[EBP-3EB8],ECX
00DE7258 AND DWORD PTR SS:[EBP-3EC0],0
00DE725F JMP SHORT 00DE726E
00DE7261 MOV EAX,DWORD PTR SS:[EBP-3EC0]
00DE7267 INC EAX
00DE7268 MOV DWORD PTR SS:[EBP-3EC0],EAX
00DE726E MOV EAX,DWORD PTR SS:[EBP-3EC0]
00DE7274 CMP EAX,DWORD PTR SS:[EBP-3EB8]   <-- this is the parameter the time check above alters
00DE727A JNB 00DE731A
00DE7280 PUSH 1DF5E0D
00DE7285 PUSH DWORD PTR SS:[EBP-3EBC]
00DE728B LEA ECX,DWORD PTR SS:[EBP-3EBC]
00DE7291 CALL 00DC1071
00DE7296 INC EAX
00DE7297 XOR EDX,EDX
00DE7299 MOV ECX,5F5E100
00DE729E DIV ECX
00DE72A0 MOV DWORD PTR SS:[EBP-3EBC],EDX
00DE72A6 MOV EAX,DWORD PTR SS:[EBP-3EBC]
00DE72AC XOR EDX,EDX
00DE72AE MOV ECX,2710
00DE72B3 DIV ECX
00DE72B5 IMUL EAX,DWORD PTR SS:[EBP-37C8]
00DE72BC XOR EDX,EDX
00DE72BE MOV ECX,2710
00DE72C3 DIV ECX
00DE72C5 MOV DWORD PTR SS:[EBP-3EC8],EAX
00DE72CB MOV EAX,DWORD PTR SS:[EBP-3928]
00DE72D1 MOV EAX,DWORD PTR DS:[EAX]
00DE72D3 MOV DWORD PTR SS:[EBP-3EC4],EAX
00DE72D9 MOV EAX,DWORD PTR SS:[EBP-3EC8]
00DE72DF LEA EAX,DWORD PTR DS:[EAX*4+4]
00DE72E6 PUSH EAX
00DE72E7 MOV EAX,DWORD PTR SS:[EBP-3928]
00DE72ED ADD EAX,4
00DE72F0 PUSH EAX
00DE72F1 PUSH DWORD PTR SS:[EBP-3928]
00DE72F7 CALL DWORD PTR DS:[DF0300]        ; msvcrt.memmove
00DE72FD ADD ESP,0C
00DE7300 MOV EAX,DWORD PTR SS:[EBP-3EC8]
00DE7306 MOV ECX,DWORD PTR SS:[EBP-3928]
00DE730C MOV EDX,DWORD PTR SS:[EBP-3EC4]
00DE7312 MOV DWORD PTR DS:[ECX+EAX*4],EDX
00DE7315 JMP 00DE7261
00DE731A PUSH DWORD PTR SS:[EBP-37C4]      <-- ends here
6. Restoring the CALL IAT addresses in the program code
Continue with F8 to the fourth code decoding:
Code:
00DE7614 CALL 00DC14AC
00DE7619 ADD ESP,10
00DE761C MOV EAX,DWORD PTR DS:[DFFA30]
00DE7621 MOV DWORD PTR SS:[EBP-3EF4],EAX
00DE7627 CMP DWORD PTR SS:[EBP-3EF4],0
00DE762E JE SHORT 00DE7666
00DE7630 MOV EAX,DWORD PTR SS:[EBP-3EF4]
00DE7636 CMP DWORD PTR DS:[EAX],0
00DE7639 JE SHORT 00DE7666
00DE763B MOV EAX,DWORD PTR SS:[EBP-3EF4]
00DE7641 MOV EAX,DWORD PTR DS:[EAX]
00DE7643 MOV EAX,DWORD PTR DS:[EAX]
00DE7645 ADD EAX,DWORD PTR DS:[E004F0]
00DE764B MOV ECX,DWORD PTR SS:[EBP-3EF4]
00DE7651 MOV ECX,DWORD PTR DS:[ECX]
00DE7653 MOV DWORD PTR DS:[ECX],EAX
00DE7655 MOV EAX,DWORD PTR SS:[EBP-3EF4]
00DE765B ADD EAX,4
00DE765E MOV DWORD PTR SS:[EBP-3EF4],EAX
00DE7664 JMP SHORT 00DE7630
00DE7666 XCHG EBX,ECX                      <-- ends here, F4 to here
00DE7668 NOP
Continue with F8 to the fifth code decoding:
Code:
00DE7BA2 CALL 00DC14AC
00DE7BA7 ADD ESP,10
00DE7BAA MOV EAX,DWORD PTR DS:[DFFA34]
00DE7BAF MOV DWORD PTR SS:[EBP+FFFFB0C4],EAX
00DE7BB5 CMP DWORD PTR SS:[EBP+FFFFB0C4],0
00DE7BBC JE SHORT 00DE7BF4
00DE7BBE MOV EAX,DWORD PTR SS:[EBP+FFFFB0C4]
00DE7BC4 CMP DWORD PTR DS:[EAX],0
00DE7BC7 JE SHORT 00DE7BF4
00DE7BC9 MOV EAX,DWORD PTR SS:[EBP+FFFFB0C4]
00DE7BCF MOV EAX,DWORD PTR DS:[EAX]
00DE7BD1 MOV EAX,DWORD PTR DS:[EAX]
00DE7BD3 ADD EAX,DWORD PTR DS:[E004F0]
00DE7BD9 MOV ECX,DWORD PTR SS:[EBP+FFFFB0C4]
00DE7BDF MOV ECX,DWORD PTR DS:[ECX]
00DE7BE1 MOV DWORD PTR DS:[ECX],EAX
00DE7BE3 MOV EAX,DWORD PTR SS:[EBP+FFFFB0C4]
00DE7BE9 ADD EAX,4
00DE7BEC MOV DWORD PTR SS:[EBP+FFFFB0C4],EAX
00DE7BF2 JMP SHORT 00DE7BBE
00DE7BF4 XCHG EAX,EDI                      <-- ends here, F4 to here
00DE7BF5 XCHG CX,CX
F8 arrives in the section that restores the code's CALLs:
Code:
00DE7D7B MOV EAX,DWORD PTR SS:[EBP+FFFFB0BC]   <-- counter
00DE7D81 INC EAX
00DE7D82 MOV DWORD PTR SS:[EBP+FFFFB0BC],EAX
00DE7D88 MOV EAX,DWORD PTR SS:[EBP+FFFFB0BC]
00DE7D8E MOV ECX,DWORD PTR SS:[EBP-37E8]       <-- CALL address table
00DE7D94 CMP DWORD PTR DS:[ECX+EAX*4],0        // the table is terminated by 00
00DE7D98 JE 00DE7E2E
00DE7D9E MOV EAX,DWORD PTR SS:[EBP+FFFFB0BC]
00DE7DA4 MOV ECX,DWORD PTR SS:[EBP-37E8]
00DE7DAA MOV EDX,DWORD PTR SS:[EBP-3900]       // base address of the code section, 00400000
00DE7DB0 ADD EDX,DWORD PTR DS:[ECX+EAX*4]
00DE7DB3 MOV DWORD PTR SS:[EBP+FFFFB0AC],EDX
00DE7DB9 MOV EAX,DWORD PTR SS:[EBP+FFFFB0AC]
00DE7DBF MOV EAX,DWORD PTR DS:[EAX]
00DE7DC1 MOV DWORD PTR SS:[EBP+FFFFB0A8],EAX
00DE7DC7 CMP DWORD PTR SS:[EBP+FFFFB0A8],90909090
00DE7DD1 JE SHORT 00DE7E29
00DE7DD3 MOV EAX,DWORD PTR SS:[EBP+FFFFB0A8]
00DE7DD9 SUB EAX,DWORD PTR SS:[EBP+FFFFB0B8]
00DE7DDF MOV DWORD PTR SS:[EBP+FFFFB0A8],EAX
00DE7DE5 PUSH DWORD PTR SS:[EBP+FFFFB0A8]
00DE7DEB MOV EAX,DWORD PTR SS:[EBP+FFFFB0BC]
00DE7DF1 XOR EDX,EDX
00DE7DF3 PUSH 10
00DE7DF5 POP ECX
00DE7DF6 DIV ECX
00DE7DF8 CALL DWORD PTR DS:[EDX*4+DF0778]      <-- CALL address offset encryption algorithm
00DE7DFF POP ECX
00DE7E00 MOV DWORD PTR SS:[EBP+FFFFB0A8],EAX
00DE7E06 MOV EAX,DWORD PTR SS:[EBP+FFFFB0A8]
00DE7E0C MOV ECX,DWORD PTR SS:[EBP-3928]
00DE7E12 LEA EAX,DWORD PTR DS:[ECX+EAX*4]
00DE7E15 MOV DWORD PTR SS:[EBP+FFFFB0A8],EAX
00DE7E1B MOV EAX,DWORD PTR SS:[EBP+FFFFB0AC]
00DE7E21 MOV ECX,DWORD PTR SS:[EBP+FFFFB0A8]
00DE7E27 MOV DWORD PTR DS:[EAX],ECX            <-- write the CALL address
00DE7E29 JMP 00DE7D7B
00DE7E2E MOV EAX,DWORD PTR DS:[E00500]         <-- ends here
Press F4 to the end point; next we restore the shuffled IAT.
This borrows yesky1's method; my thanks to him!
Press Ctrl+G to go to address 00677000 and write in the code:
Code:
00677000 PUSHAD
00677001 MOV EBX,0EE3FF8                   // the CALL table
00677006 MOV EAX,HprSnap5.00400000
0067700B MOV EDX,DWORD PTR DS:[EBX]
0067700D ADD EAX,EDX
0067700F MOV ECX,DWORD PTR DS:[EAX]
00677011 MOV ECX,DWORD PTR DS:[ECX]
00677013 MOV ESI,HprSnap5.00676000         // base address of the new IAT
00677018 MOV EDI,DWORD PTR DS:[ESI]
0067701A CMP ECX,EDI                       <-- look up the new address
0067701C JE SHORT HprSnap5.00677023
0067701E LEA ESI,DWORD PTR DS:[ESI+4]
00677021 JMP SHORT HprSnap5.00677018
00677023 MOV DWORD PTR DS:[EAX],ESI        <-- write the new CALL address
00677025 LEA EBX,DWORD PTR DS:[EBX+4]
00677028 CMP DWORD PTR DS:[EBX],0          // stop when done
0067702B JE SHORT HprSnap5.0067702F
0067702D JMP SHORT HprSnap5.00677006
0067702F POPAD
00677030 JMP 00DE7E2E                      // back into the shell code
00677035 NOP
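The shuffle loop at 00DE7261..00DE7315 and the repair loop written at 00677000, modelled together in Python as an added example (this is not code from the original post, from yesky1 or from the Armadillo protector). The shell's generator at 00DC1071 is not reconstructed, so a seeded random.Random stands in for it; the addresses, the six sample IAT slots and the four CALL-site RVAs are constructed from the dumps above.

```python
import random
from typing import Dict, List

IMAGE_BASE = 0x00400000      # HprSnap5 image base
SHUFFLED_IAT = 0x00646000    # where the post redirected the shell's IAT allocation
ORDERED_IAT = 0x00676000     # where the post pastes the clean copy of the table
RAND_MOD = 0x5F5E100         # 100000000: modulus applied after CALL 00DC1071
RAND_SCALE = 0x2710          # 10000: (rand % 10000) * n / 10000 scales into [0, n)


def scaled_rand(rng, n: int) -> int:
    """(rand % 10000) * n / 10000 as computed at 00DE72A6..00DE72C3.
    The shell's own generator (00DC1071) is not reconstructed; any object
    with randrange() stands in for it (assumption)."""
    r = rng.randrange(RAND_MOD)
    return (r % RAND_SCALE) * n // RAND_SCALE


def shuffle_round_count(rng, timing_tripped: bool, extra_flag: bool) -> int:
    """Rounds of shuffling, 00DE71DB..00DE7252: 0x200, plus 0x100 when the
    GetTickCount check at 00DE70C4 set [EBP-37D8], plus a random share of
    0x100 (or 0x200 when CALL 00DEA85B returned non-zero)."""
    scale = 0x100 + (0x100 if extra_flag else 0)
    base = 0x200 + (0x100 if timing_tripped else 0)
    return base + scaled_rand(rng, scale)


def shuffle_iat(iat: List[int], rounds: int, rng) -> List[int]:
    """One round is memmove(tbl, tbl+4, (k+1)*4); tbl[k] = old tbl[0]:
    the first k+1 slots rotate left by one position."""
    tbl = list(iat)
    n = len(tbl)
    for _ in range(rounds):
        k = scaled_rand(rng, n)          # 0 <= k < n
        first = tbl[0]
        tbl[:k] = tbl[1:k + 1]
        tbl[k] = first
    return tbl


def lay_out_memory(call_sites: Dict[int, int], shuffled: List[int],
                   ordered: List[int]) -> Dict[int, int]:
    """Constructed dword memory: both tables plus one CALL operand per site.
    The shell's CALL fix-up (00DE7E27) made each site point at the slot of the
    shuffled table that holds its target, so that is the starting state."""
    mem: Dict[int, int] = {}
    for i, func in enumerate(shuffled):
        mem[SHUFFLED_IAT + 4 * i] = func
    for i, func in enumerate(ordered):
        mem[ORDERED_IAT + 4 * i] = func
    for rva, func in call_sites.items():
        mem[IMAGE_BASE + rva] = SHUFFLED_IAT + 4 * shuffled.index(func)
    return mem


def resolve_call(mem: Dict[int, int], rva: int) -> int:
    """The function a CALL DWORD PTR [slot] at this site actually reaches."""
    return mem[mem[IMAGE_BASE + rva]]


def repoint_calls(mem: Dict[int, int], call_table: List[int],
                  ordered: List[int]) -> int:
    """The loop the post writes at 00677000: for every RVA in the zero-terminated
    CALL table, read the slot the site points at, read the function stored there,
    find that function in the clean table and point the site at the clean slot.
    The original loop spins forever if the function is missing; raise instead."""
    fixed = 0
    for rva in call_table:
        if rva == 0:
            break
        site = IMAGE_BASE + rva
        func = mem[mem[site]]
        if func not in ordered:
            raise ValueError(f"site {site:08X}: {func:08X} not in clean IAT")
        mem[site] = ORDERED_IAT + 4 * ordered.index(func)
        fixed += 1
    return fixed


def demo(seed: int = 7):
    """Round trip on constructed data: six slots from the dump at 00646000 and
    four CALL-site RVAs from the table at 00EE3FF8."""
    rng = random.Random(seed)
    ordered = [0x77DB224D, 0x77DB6A68, 0x77DB6F8B,
               0x77DB6CF4, 0x77DA2410, 0x77DA229A]
    rounds = shuffle_round_count(rng, timing_tripped=False, extra_flag=False)
    shuffled = shuffle_iat(ordered, rounds, rng)
    call_sites = {0x104B: ordered[2], 0x1092: ordered[5],
                  0x10A7: ordered[0], 0x10B8: ordered[2]}
    mem = lay_out_memory(call_sites, shuffled, ordered)
    before = {rva: resolve_call(mem, rva) for rva in call_sites}
    fixed = repoint_calls(mem, list(call_sites) + [0], ordered)
    after = {rva: resolve_call(mem, rva) for rva in call_sites}
    return rounds, shuffled, before, after, fixed, mem


if __name__ == "__main__":
    rounds, shuffled, before, after, fixed, _ = demo()
    print(f"{rounds:#x} rounds, {fixed} sites repointed, targets preserved: {before == after}")
```

With timing_tripped=True the round count grows by 0x100, which is why the JBE at 00DE70C4 has to become a JMP before the shuffle runs under a debugger.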
Copy the binary data of the correct IAT to address 00676000:
Code:
00676000  4D 22 DB 77 68 6A DB 77
00676008  8B 6F DB 77 F4 6C DB 77
00676010  10 24 DA 77 9A 22 DA 77
00676018  D8 17 DA 77 D4 65 DB 77
00676020  B1 63 DB 77 BB 28 DA 77
…………
00676B58  FA 49 AC 7C 16 49 AC 7C
00676B60  16 72 B0 7C 5F 86 B0 7C
00676B68  DB 8A B0 7C AF F3 AD 7C
00676B70  CF 9E B1 7C 0F B3 B1 7C
00676B78  1D CD B1 7C 31 CC B1 7C
00676B80  5B 46 B4 7C D7 48 B4 7C
00676B88  00 00 00 00 F3 F0 C9 74
00676B90  00 00 00 00
The CALL address table:
Code:
00EE3FF8  4B 10 00 00 92 10 00 00
00EE4000  A7 10 00 00 B8 10 00 00
00EE4008  EA 10 00 00 14 11 00 00
00EE4010  64 11 00 00 75 11 00 00
00EE4018  88 11 00 00 AB 11 00 00
00EE4020  0C 12 00 00 30 12 00 00
00EE4028  B8 12 00 00 CB 12 00 00
00EE4030  E8 12 00 00 37 13 00 00
00EE4038  AC 13 00 00 B8 14 00 00
……
00EEB598  CE 8A 1B 00 DC 8A 1B 00
00EEB5A0  EC 8A 1B 00 07 8B 1B 00
00EEB5A8  2B 8B 1B 00 38 8B 1B 00
00EEB5B0  96 8B 1B 00 09 8C 1B 00
00EEB5B8  7B 8C 1B 00 70 8D 1B 00
00EEB5C0  B0 8D 1B 00 0F 8E 1B 00
Run the code above and return to the shell:
Code:
00DE7E2E MOV EAX,DWORD PTR DS:[E00500]
00DE7E33 MOV AL,BYTE PTR DS:[EAX+3D2F]
00DE7E39 MOV BYTE PTR SS:[EBP+FFFFAD8C],AL
00DE7E3F MOVZX EAX,BYTE PTR SS:[EBP+FFFFAD8C]
Continue executing with F8:
Code:
00DE81D7 PUSH 0DFFC00
00DE81DC CALL DWORD PTR DS:[DF02A0]        ; ntdll.RtlLeaveCriticalSection
00DE81E2 MOV DWORD PTR DS:[DF68CC],0DF7364
00DE81EC PUSH 1
00DE81EE POP EAX
00DE81EF MOV ECX,DWORD PTR SS:[EBP-10]
00DE81F2 MOV DWORD PTR FS:[0],ECX
00DE81F9 POP EDI
00DE81FA POP ESI
00DE81FB POP EBX
00DE81FC LEAVE
00DE81FD RETN                              <-- exits from here
We arrive here; this is the code leading to the OEP:
Code:
00DE0CBD MOV DWORD PTR SS:[EBP-4],EDI
00DE0CC0 MOV DWORD PTR DS:[DF68CC],0DF72D0 ; ASCII "LP9"
00DE0CCA OR EDI,FFFFFFFF
00DE0CCD PUSH EDI
00DE0CCE PUSH EDI
00DE0CCF CALL DWORD PTR DS:[DF0130]        ; kernel32.GetCurrentProcess
00DE0CD5 PUSH EAX
00DE0CD6 MOV ESI,DWORD PTR DS:[DF0260]     ; kernel32.SetProcessWorkingSetSize
00DE0CDC CALL ESI
00DE0CDE MOV DWORD PTR DS:[DF68CC],0DF72C8 ; ASCII "LP9a"
00DE0CE8 CMP DWORD PTR DS:[E004E4],EBX
00DE0CEE JE SHORT 00DE0D05                 <-- this must not jump
00DE0CF0 CALL 00DC83E3
00DE0CF5 TEST AL,AL
00DE0CF7 JNZ SHORT 00DE0D05
00DE0CF9 PUSH EDI
00DE0CFA PUSH EDI
00DE0CFB MOV EAX,DWORD PTR DS:[E004E4]     <-- this is incorrect, probably caused by the code above
00DE0D00 PUSH DWORD PTR DS:[EAX+4]
00DE0D03 CALL ESI                          <-- in the original program this is where it enters the OEP
00DE0D05 MOV DWORD PTR DS:[DF68CC],0DF72C0 ; ASCII "LP9b"
00DE0D0F MOV DWORD PTR SS:[EBP-4],EBX
00DE0D12 JMP SHORT 00DE0D59
00DE0D14 PUSH 1
00DE0D16 POP EAX
00DE0D17 RETN
When execution reaches 00DE0D00 PUSH DWORD PTR DS:[EAX+4], set a memory-access breakpoint on the program's code section at 00400000,
press Shift+F9 to run, and it stops at the OEP:
Code:
004E9C30 PUSH EBP                          // OEP
004E9C31 MOV EBP,ESP
004E9C33 PUSH -1
004E9C35 PUSH HprSnap5.005DF7A0
004E9C3A PUSH HprSnap5.004EDAFC
004E9C3F MOV EAX,DWORD PTR FS:[0]
004E9C45 PUSH EAX
004E9C46 MOV DWORD PTR FS:[0],ESP
004E9C4D SUB ESP,58
004E9C50 PUSH EBX
004E9C51 PUSH ESI
004E9C52 PUSH EDI
004E9C53 MOV DWORD PTR SS:[EBP-18],ESP
Copy the binary data of the correct IAT to address 00676000 once more (the same table that was pasted at 00676000 above, from 00676000 4D 22 DB 77 ... through 00676B90 00 00 00 00).
At last the whole path has been walked and the repair task is done. Dump the modified program and repair the dumped program with ImportREC.
Having written this far, I realise the IAT's temporary space does not need to be changed at all: in step 6 the storage address can be changed freely.
I am keeping it as a method nonetheless.
fxyang
2004.11.12