☆Steel Box☆脫殼――taos的New Protection
【作者宣告】:只是感興趣,沒有其他目的。失誤之處敬請諸位大俠賜教!
【除錯環境】:WinXP、Ollydbg V1.10、PEiD、LordPE
【例項下載】:點選此處下載
―――――――――――――――――――――――――――――――――
【脫殼過程】:
anota2.exe是taos釋出在exetools論壇上的UnPackMe。“I've working 3 months in this project. A new protection system that includes a packer,antidebugging tricks (old and new), selfmodifying code, compress code section,etc...”
nikita@work很快就搞定了脫殼。“anota2.exe was created with Thinstall v2.4.61-2.5.14。note.exe (YodaProtect v1.02)、DLL45.DLL (YodaProtect v1.02)、steelbox inicio.bmp (just bmp) 、DLL2.DLL (PECompact)”。
脫殼時注意Thinstall和yoda's Protector就行了。
―――――――――――――――――――――――――――――――――
一、黑名單
設定Ollydbg忽略所有異常選項。老規矩:用IsDebug外掛去掉Ollydbg的偵錯程式標誌。
00401A95 55 push ebp
//進入Ollydbg後暫停在這
00401A96 8BEC mov ebp,esp
00401A98 B8 08E180C8 mov eax,C880E108
00401A9D BB E51AAC80 mov ebx,80AC1AE5
00401AA2 50 push eax
00401AA3 E8 00000000 call anota2.00401AA8
如果你跟蹤Thinstall部分,就會發現Thinstall封裝的anota2.exe原來是有13個區段的。
下斷:BP Process32Next
中斷後取消斷點,Alt+F9返回
00413A98 FF12 call dword ptr ds:[edx]; kernel32.Process32Next
00413A9A 85C0 test eax,eax
//返回這裡
00413A9C 0F84 95000000 je anota2.00413B37
00413AA2 33DB xor ebx,ebx
00413AA4 EB 03 jmp short anota2.00413AA9
00413AA6 3E:8D09 lea ecx,dword ptr ds:[ecx]
00413AA9 56 push esi
00413AAA 8BD5 mov edx,ebp
00413AAC 81C2 65664200 add edx,426665
00413AB2 8B42 08 mov eax,dword ptr ds:[edx+8]
00413AB5 8D72 24 lea esi,dword ptr ds:[edx+24]
00413AB8 8BFE mov edi,esi
00413ABA 56 push esi
00413ABB 57 push edi
00413ABC E8 E00B0000 call anota2.004146A1
00413AC1 83C4 08 add esp,8
00413AC4 57 push edi
00413AC5 56 push esi
00413AC6 E8 700D0000 call anota2.0041483B
00413ACB 83C4 08 add esp,8
00413ACE 8BF7 mov esi,edi
00413AD0 56 push esi
00413AD1 57 push edi
00413AD2 8BD5 mov edx,ebp
00413AD4 81C2 15664200 add edx,426615
00413ADA 8D3A lea edi,dword ptr ds:[edx]
00413ADC B9 0D000000 mov ecx,0D
00413AE1 33D2 xor edx,edx
00413AE3 F3:A6 repe cmps byte ptr es:[edi],byte ptr ds:[esi]
//ESI=00415A53 轉存中儲存的是黑名單
004159DF 45 58 50 4C 4F 52 45 52 2E 45 58 45 00 5C 5C 2E>EXPLORER.EXE.\\.
004159EF 5C 53 49 43 45 00 5C 5C 2E 5C 4E 54 49 43 45 00>\SICE.\\.\NTICE.
簡便省事,我們可以順手把這裡用00填充,去掉殼的黑名單就行了。
―――――――――――――――――――――――――――――――――
二、搞定輸入表,不用ImportREC了
Ctrl+S搜尋命令序列:
lods byte ptr ds:[esi]
ror al,4
stos byte ptr es:[edi]
當然,也可以BP LoadLibraryA跟蹤到下面。
00414F3A AC lods byte ptr ds:[esi]
//找到這裡,直接F4過來
00414F3B C0C8 04 ror al,4
00414F3E AA stos byte ptr es:[edi]
//解出DLL名、函式名
00414F3F 3E:803F 00 cmp byte ptr ds:[edi],0
00414F43 75 F5 jnz short anota2.00414F3A
00414F45 5F pop edi
00414F46 5E pop esi
00414F47 C3 retn
00414F48 53 push ebx
00414F49 8BD5 mov edx,ebp
00414F4B 81C2 423E4200 add edx,423E42
00414F51 FF12 call dword ptr ds:[edx]; 7FF66698
//加密的在裡面,如果用ImportREC則進入修改
00414F53 85C0 test eax,eax
00414F55 0F84 46010000 je anota2.004150A1
00414F5B 52 push edx
00414F5C 50 push eax
00414F5D 8BD5 mov edx,ebp
00414F5F 81C2 3D654200 add edx,42653D
00414F65 F702 04000000 test dword ptr ds:[edx],4
00414F6B 74 12 je short anota2.00414F7F
00414F6D 8BD5 mov edx,ebp
00414F6F 81C2 B55B4200 add edx,425BB5
00414F75 8D02 lea eax,dword ptr ds:[edx]
00414F77 50 push eax
00414F78 8BC3 mov eax,ebx
00414F7A E9 14060000 jmp anota2.00415593
//跳下去清空DLL名和函式名
00414F7F 5B pop ebx
00414F80 5A pop edx
00414F81 3E:8B4E 08 mov ecx,dword ptr ds:[esi+8]
00414F85 0BC9 or ecx,ecx
00414F87 75 04 jnz short anota2.00414F8D
00414F89 3E:8B4E 04 mov ecx,dword ptr ds:[esi+4]
00414F8D 53 push ebx
00414F8E 8BDD mov ebx,ebp
00414F90 81C3 55624200 add ebx,426255
00414F96 030B add ecx,dword ptr ds:[ebx]
00414F98 3E:8B56 04 mov edx,dword ptr ds:[esi+4]
00414F9C 0313 add edx,dword ptr ds:[ebx]
00414F9E 5B pop ebx
00414F9F 3E:8339 00 cmp dword ptr ds:[ecx],0
00414FA3 0F84 ED000000 je anota2.00415096
00414FA9 F701 00000080 test dword ptr ds:[ecx],80000000
00414FAF 75 5C jnz short anota2.0041500D
00414FB1 8B01 mov eax,dword ptr ds:[ecx]
00414FB3 83C0 02 add eax,2
00414FB6 53 push ebx
00414FB7 8BDD mov ebx,ebp
00414FB9 81C3 55624200 add ebx,426255
00414FBF 0303 add eax,dword ptr ds:[ebx]
00414FC1 5B pop ebx
00414FC2 50 push eax
00414FC3 E8 6CFFFFFF call anota2.00414F34
00414FC8 58 pop eax
00414FC9 8BF8 mov edi,eax
00414FCB 52 push edx
00414FCC 51 push ecx
00414FCD 50 push eax
00414FCE 53 push ebx
00414FCF 8BD5 mov edx,ebp
00414FD1 81C2 463E4200 add edx,423E46
00414FD7 FF12 call dword ptr ds:[edx]
00414FD9 0BC0 or eax,eax
00414FDB 75 07 jnz short anota2.00414FE4
00414FDD 59 pop ecx
00414FDE 5A pop edx
00414FDF E9 BD000000 jmp anota2.004150A1
00414FE4 59 pop ecx
00414FE5 5A pop edx
00414FE6 52 push edx
00414FE7 60 pushad
00414FE8 8BD5 mov edx,ebp
00414FEA 81C2 3D654200 add edx,42653D
00414FF0 F602 04 test byte ptr ds:[edx],4
00414FF3 74 12 je short anota2.00415007
00414FF5 8BD5 mov edx,ebp
00414FF7 81C2 3D5C4200 add edx,425C3D
00414FFD 8D02 lea eax,dword ptr ds:[edx]
00414FFF 50 push eax
00415000 8BC7 mov eax,edi
00415002 E9 8C050000 jmp anota2.00415593
00415007 61 popad
00415008 5A pop edx
00415009 8902 mov dword ptr ds:[edx],eax
//API函式的系統地址(加密地址)填充到IAT中 NOP掉 ②!★
0041500B EB 1D jmp short anota2.0041502A
0041500D 52 push edx
0041500E 51 push ecx
0041500F 8B01 mov eax,dword ptr ds:[ecx]
00415011 2D 00000080 sub eax,80000000
00415016 50 push eax
00415017 53 push ebx
00415018 8BD5 mov edx,ebp
0041501A 81C2 463E4200 add edx,423E46
00415020 FF12 call dword ptr ds:[edx]
00415022 85C0 test eax,eax
00415024 74 7B je short anota2.004150A1
00415026 59 pop ecx
00415027 5A pop edx
00415028 8902 mov dword ptr ds:[edx],eax
0041502A 51 push ecx
0041502B 8BCD mov ecx,ebp
0041502D 81C1 3D654200 add ecx,42653D
00415033 F701 20000000 test dword ptr ds:[ecx],20
00415039 74 4F je short anota2.0041508A
0041503B 8BCD mov ecx,ebp
0041503D 81C1 45654200 add ecx,426545
00415043 8339 00 cmp dword ptr ds:[ecx],0
00415046 74 14 je short anota2.0041505C
00415048 81FB 00000070 cmp ebx,70000000
0041504E 72 08 jb short anota2.00415058
00415050 81FB FFFFFF77 cmp ebx,77FFFFFF
00415056 76 0E jbe short anota2.00415066
00415058 EB 30 jmp short anota2.0041508A
0041505A EB 0A jmp short anota2.00415066
0041505C 81FB 00000080 cmp ebx,80000000
00415062 73 02 jnb short anota2.00415066
00415064 EB 24 jmp short anota2.0041508A
00415066 57 push edi
00415067 56 push esi
00415068 8BCD mov ecx,ebp
0041506A 81C1 65664200 add ecx,426665
00415070 8D39 lea edi,dword ptr ds:[ecx]
00415072 3E:8B77 04 mov esi,dword ptr ds:[edi+4]
00415076 8932 mov dword ptr ds:[edx],esi
00415078 2BC6 sub eax,esi
0041507A 83E8 05 sub eax,5
0041507D C606 E9 mov byte ptr ds:[esi],0E9
00415080 8946 01 mov dword ptr ds:[esi+1],eax
00415083 3E:8347 04 05 add dword ptr ds:[edi+4],5
00415088 5E pop esi
00415089 5F pop edi
0041508A 59 pop ecx
0041508B 83C1 04 add ecx,4
0041508E 83C2 04 add edx,4
00415091 E9 09FFFFFF jmp anota2.00414F9F
00415096 83C6 0C add esi,0C
00415099 E9 6BFEFFFF jmp anota2.00414F09
//迴圈處理輸入表
0041509E 33C0 xor eax,eax
//修改兩處後直接F4到這裡
004150A0 40 inc eax
004150A1 83F8 01 cmp eax,1
004150A4 74 02 je short anota2.004150A8
004150A6 61 popad
004150A7 C3 retn
00415593 EB 05 jmp short anota2.0041559A
00415595 3E:C600 00 mov byte ptr ds:[eax],0
//清空DLL名和函式名 NOP掉① ! ★
//可以看一下第一個處理的DLL名的儲存地址: 4083BC
00415599 40 inc eax
0041559A 3E:8038 00 cmp byte ptr ds:[eax],0
0041559E 75 F5 jnz short anota2.00415595
004155A0 C3 retn
到達0041509E後,程式程式碼已經解開,直接用Ollydbg的外掛OllyDump先生去掉“重建輸入表”選項來抓取這個程式,另存為UnPacked.exe。修改其NumberOfSections為0D。
上面修改的兩個地方是把殼解壓的DLL/函式名儲存起來,不讓API函式的系統地址/加密地址填充進IAT,這樣就無須使用ImportREC來修復輸入表了,直接找到Import Table地址就行了。下面根據DLL名來反推IID結構地址。
ADVAPI32.DLL在4083BC(0X83BC)處:
Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F
000083B0 41 44 56 41 ADVA
000083C0 50 49 33 32 2E 44 4C 4C 00 00 47 44 49 33 32 2E PI32.DLL..GDI32.
000083D0 44 4C 4C 00 4B 45 52 4E 45 4C 33 32 2E 44 4C 4C DLL.KERNEL32.DLL
用WinHex開啟UnPacked.exe,在000083BC上面搜尋16進位制值:BC830000
Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F
00007400 B4 80 00 00 00 00 00 00 00 00 00 00 BC 83 00 00
00007410 38 82 00 00 C0 80 00 00 00 00 00 00 00 00 00 00
00008000 B4 80 00 00 00 00 00 00 00 00 00 00 BC 83 00 00
00008010 38 82 00 00 C0 80 00 00 00 00 00 00 00 00 00 00
找到了兩處,都可以用,選擇00008000吧。
第一個IID陣列地址就是輸入表的地址,用LordPE修改UnPacked.exe的Import Table=00008000
―――――――――――――――――――――――――――――――――
三、自校驗
上面修改了幾處,接著當然要幹掉殼的自校驗了。
在當前位置下Ctrl+F搜尋命令:xor eax,ebx
找到在004150FF處,F4過去
004150F5 8BD5 mov edx,ebp
004150F7 81C2 41654200 add edx,426541
004150FD 8B1A mov ebx,dword ptr ds:[edx]
004150FF 33C3 xor eax,ebx
//EBX=000C61F5 檢驗值,修改EAX的值等於EBX,使其異或結果為0 ★
00415101 74 08 je short anota2.0041510B
//不跳就OVER了
00415103 EB 01 jmp short anota2.00415106
―――――――――――――――――――――――――――――――――
四、飛向光明之巔
找個快點的方法吧,現在設定Ollydbg不忽略所有的記憶體異常選項
F9執行,中斷在記憶體異常處
0041558B EB 01 jmp short anota2.0041558E
0041558E 0000 add byte ptr ds:[eax],al
//暫停在這裡,看堆疊
0012E700 0012E7EC 指標到下一個 SEH 記錄
0012E704 004152EA SE 控制程式碼
BP 004152EA Shift+F9,中斷下來
004152EA 55 push ebp
004152EB 8BEC mov ebp,esp
004152ED 57 push edi
004152EE 36:8B45 10 mov eax,dword ptr ss:[ebp+10]
004152F2 3E:8BB8 C4000000 mov edi,dword ptr ds:[eax+C4]
004152F9 3E:FF37 push dword ptr ds:[edi]
004152FC 33FF xor edi,edi
004152FE 64:8F07 pop dword ptr fs:[edi]
00415301 3E:8380 C4000000 >add dword ptr ds:[eax+C4],8
00415309 3E:8BB8 A4000000 mov edi,dword ptr ds:[eax+A4]
00415310 C1C7 07 rol edi,7
00415313 3E:89B8 B8000000 mov dword ptr ds:[eax+B8],edi ; anota2.0040E000
//EDI=0040E000
0041531A B8 00000000 mov eax,0
0041531F 5F pop edi
00415320 C9 leave
00415321 C3 retn
BP 0040E000 F9執行,中斷下來
0040E000 EB 18 jmp short anota2.0040E01A
0040E01A 68 02E04000 push anota2.0040E002 ; ASCII "DLL2.dll"
0040E01F E8 44000000 call anota2.0040E068
0040E024 A3 12E04000 mov dword ptr ds:[40E012],eax
0040E029 68 0BE04000 push anota2.0040E00B ; ASCII "TestIt"
0040E02E FF35 12E04000 push dword ptr ds:[40E012]
0040E034 E8 29000000 call anota2.0040E062
0040E039 A3 16E04000 mov dword ptr ds:[40E016],eax
0040E03E FF15 16E04000 call dword ptr ds:[40E016]
//註冊部分
0040E044 8BD0 mov edx,eax
0040E046 EB 04 jmp short anota2.0040E04C
0040E04C FF35 48E04000 push dword ptr ds:[40E048] ; anota2.00404100
//00404100就是OEP值了 ★
0040E052 C3 retn
―――――――――――――――――――――――――――――――――
五、程式碼修正
用PEDitor開啟脫殼的檔案,DumpFixer(RS=VS &RO=V0),修改EntryPoint=00004100,刪除00009000(.rsrc)以下的殼區段,用WinHex移除殼資料。只保留LordPE的“Validate PE”選項,重建PE。
但是現在的UnPacked.exe還是無法執行的,再開一個Ollydbg載入看看。
00404128 68 00F04000 push 40F000
0040412D C3 retn
//出錯了
帶殼的anota2.exe還在上個Ollydbg裡執行,直接去0040F000處看看:
0040F000 EB 0A jmp short anota2.0040F00C
0040F002 C783 08010000 284>mov dword ptr ds:[ebx+108],anota2.00404128
0040F00C 60 pushad
0040F00D BE 02F04000 mov esi,anota2.0040F002
//0040F002
0040F012 8B3D 08F04000 mov edi,dword ptr ds:[40F008] ; anota2.00404128
//目標地址
0040F018 B9 06000000 mov ecx,6
//長度
0040F01D F3:A4 rep movs byte ptr es:[edi],byte ptr ds:[esi]
//就是這裡了
0040F01F 61 popad
0040F020 EB 19 jmp short anota2.0040F03B
把0040F002處的C78308010000六個位元組複製貼上進UnPacked.exe
00404128 C783 08010000 010>mov dword ptr ds:[ebx+108],1
還有幾處需要處理:
004041A5 68 00004100 push 410000
004041AA C3 retn
004041B6 68 00104100 push 411000
004041BB C3 retn
004041CF 68 00204100 push 412000
004041D4 C3 retn
OK,可以正常執行了,脫殼完畢。
―――――――――――――――――――――――――――――――――
, _/
/| _.-~/ \_ , 青春都一晌
( /~ / \~-._ |\
`\\ _/ \ ~\ ) 忍把浮名
_-~~~-.) )__/;;,. \_ //'
/'_,\ --~ \ ~~~- ,;;\___( (.-~~~-. 換了破解輕狂
`~ _( ,_..--\ ( ,;'' / ~-- /._`\
/~~//' /' `~\ ) /--.._, )_ `~
" `~" " `" /~'`\ `\\~~\
" " "~' ""
UnPacked By : fly
2004-12-12 24:00
相關文章
- Protection Plus V4.X 脫殼――SoftwareKey V1.1 主程式2015-11-15
- 殼的工作原理脫殼2013-04-10
- Vampp 2.0.8 Build 311的脫殼(Vbox 4.10)2000-12-06UI
- Vbox
V4.5脫殼――Macromedia Dreamweaver MX V6.02004-08-15Mac
- 壹次脫殼法――Armadillo 雙程式標準殼 快速脫殼2015-11-15
- VBExplorer.exe脫殼教程
附脫殼指令碼2015-11-15指令碼
- ExeStealth 常用脫殼方法 + ExeStealth V2.72主程式脫殼2015-11-15
- 脫殼----對用pecompact加殼的程式進行手動脫殼
(1千字)2000-07-30
- 以殼解殼--SourceRescuer脫殼手記破解分析2004-11-16
- Asprotect保護的程式脫殼後的修正--DialogBoxIndirectParamA
(7千字)2001-09-09
- 脫殼基本知識2015-11-15
- SoftDefender主程式脫殼2015-11-15
- International CueClub主程式脫殼(Softwrap殼)2004-09-12
- 脫掉QSound Qmp3D V1.0的vbox殼 (2千字)2002-07-223D
- 脫殼----對用Petite2.2加殼的程式進行手動脫殼的一點分析
(5千字)2000-07-27
- iOS逆向學習之五(加殼?脫殼?)2019-10-10iOS
- 先分析,再脫殼(一)2003-09-04
- IconEdit2
脫殼2002-03-28
- 十、iOS逆向之《越獄砸殼/ipa脫殼》2021-03-18iOS
- C32Asm外殼脫殼分析筆記2015-11-15ASM筆記
- FTPrint的脫殼(asprotect) (2千字)2001-02-05FTP
- ACProtect 1.21專業版主程式的脫殼2015-11-15
- “愛加密” 動態脫殼法2014-11-21加密
- 360加固保動態脫殼2014-11-17
- EasyBoot5.03脫殼+暴破2004-11-17boot
- Armadillo 3.6主程式脫殼2015-11-15
- Armadillo3.60
加殼的EXE檔案脫殼全過程2004-09-08
- ASPROtect 1.22加殼的ahaview2.0脫殼 (5千字)2002-03-24View
- 脫Crunch/PE -> BitArts的殼。 (3千字)2002-05-03
- jdpack的脫殼及破解 (5千字)2002-06-25
- 脫中國遊戲中心大廳程式的殼2000-10-08遊戲
- HTMLZip 1.0 beta 的脫殼 (3千字)2001-02-03HTML
- PicturesToExe3.51的脫殼 (2千字)2001-04-22REST
- 對PECompact加殼的DLL脫殼的一點分析 (7千字)2000-08-17
- 教你如何寫UPX脫殼指令碼2019-05-11指令碼
- 寫給新手
- 淺談脫殼方法2004-12-18
- EmbedPE
1.13 詳細分析和脫殼2005-01-03
- [翻譯]利用程式碼注入脫殼2015-11-15