Magic Utilities 2003 Unpacking Notes (Part 1)
2007-01-13 20:14:31 Source: WEB开发网
Fi 3.01 identifies the packer as PECompact v1.68-84.
First, inspect the section table of mgutil.exe with Peditor:
Section  Virtual Size  Virtual Offset  Raw Size  Raw Offset  Characteristics
pec1     000A1000      00001000        0003EA00  00000400    E0000020
.rsrc    000C8000      000A2000        00054A00  0003EEE00   C0000040
.pec     00004000      0016A000        00000600  00093800    E0000020
.rsrc    00001000      0016E000        00000600  00093E00    C0000040
After packing, the .pec section that holds the entry point has Characteristics E0000020, which means the section is executable, so I loaded the program directly in SoftICE; it did not break. I therefore set a breakpoint in SoftICE with bpint3, then clicked break'n'enter -> Run in Peditor to force the program to break at its entry point.
SoftICE breaks here:
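As an added example (not part of the original writeup), the following Python script reads the same fields Peditor showed above, section table and entry point, from a constructed header-only PE and reports which section holds the entry point, whether that section is executable, and the section-table oddities a triage script would flag. The section values are copied from the table above; the entry RVA 0x16A000 is an assumption derived from the SoftICE address 0x56A000 minus the usual 0x400000 image base.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000

# Section table from the page's Peditor dump of mgutil.exe:
# (name, VirtualSize, VirtualOffset, RawSize, RawOffset, Characteristics).
MGUTIL_SECTIONS = [
    ("pec1", 0xA1000, 0x1000, 0x3EA00, 0x400, 0xE0000020),
    (".rsrc", 0xC8000, 0xA2000, 0x54A00, 0x3EE00, 0xC0000040),
    (".pec", 0x4000, 0x16A000, 0x600, 0x93800, 0xE0000020),
    (".rsrc", 0x1000, 0x16E000, 0x600, 0x93E00, 0xC0000040),
]
MGUTIL_ENTRY_RVA = 0x16A000  # assumed: SoftICE stopped at 0x56A000 = 0x400000 image base + this RVA

def build_sample_pe(entry_rva, sections, image_base=0x400000):
    # Constructed header-only PE32 (no code) so the parser below has real bytes to read.
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIIIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva, 0, 0, image_base).ljust(224, b"\0")
    table = b"".join(n.encode().ljust(8, b"\0") + struct.pack("<IIIIIIHHI", vs, va, rs, ro, 0, 0, 0, 0, ch)
                     for n, vs, va, rs, ro, ch in sections)
    return dos + b"PE\0\0" + coff + opt + table

def parse_pe(pe):
    # Returns (entry_rva, image_base, sections) read from a PE32 header.
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsect, opt_size = struct.unpack_from("<H", pe, e_lfanew + 6)[0], struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24  # optional header follows the 4-byte signature and 20-byte COFF header
    entry_rva, image_base = struct.unpack_from("<I", pe, opt + 16)[0], struct.unpack_from("<I", pe, opt + 28)[0]
    secs = []
    for off in range(opt + opt_size, opt + opt_size + 40 * nsect, 40):
        vs, va, rs, ro, _, _, _, _, ch = struct.unpack_from("<IIIIIIHHI", pe, off + 8)
        secs.append(dict(name=pe[off:off + 8].rstrip(b"\0").decode(), vsize=vs, vaddr=va, rsize=rs, chars=ch))
    return entry_rva, image_base, secs

def entry_section(pe):
    # (index, name, executable) of the section containing the entry point, or None.
    entry_rva, _, secs = parse_pe(pe)
    for i, s in enumerate(secs):
        if s["vaddr"] <= entry_rva < s["vaddr"] + max(s["vsize"], s["rsize"]):
            return i, s["name"], bool(s["chars"] & IMAGE_SCN_MEM_EXECUTE)
    return None

def packer_indicators(pe):
    # Section-table oddities a packer leaves behind, as a list of findings.
    _, _, secs = parse_pe(pe)
    hits = ["%s: PECompact-style section name" % s["name"] for s in secs if "pec" in s["name"].lower()]
    hits += ["%s: virtual size %#x > 4x raw size %#x" % (s["name"], s["vsize"], s["rsize"])
             for s in secs if s["vsize"] > 4 * s["rsize"]]
    return hits

MGUTIL_PE = build_sample_pe(MGUTIL_ENTRY_RVA, MGUTIL_SECTIONS)
```

Running entry_section(MGUTIL_PE) reports index 2, ".pec", executable, which matches the SoftICE break at 0x56A000 described above.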
001B:0056A000 CC INT 3
/* This is the int3 breakpoint inserted with Peditor */
001B:0056A001 06 PUSH ES
001B:0056A002 689C120500 PUSH 0005129C
____________________________________________________________
Because the inserted int3 overwrote the original entry instruction, it must be restored before the program can continue. Peditor's FLC shows the bytes at 56A000 to be EB 06 68 9C 12 05 00 C3 9C, so after breaking at the entry point again, enter the SoftICE command: eb eip eb (Enter)
The corrected instructions are:
001B:0056A000 EB06 JMP 0056A008 (JUMP )
001B:0056A002 689C120500 PUSH 0005129C
/* This is in fact the OEP, which means the OEP is not encrypted; the main program can be patched via SMC without unpacking */
001B:0056A007 C3 RET
001B:0056A008 9C PUSHFD
001B:0056A009 60 PUSHAD
001B:0056A00A E802000000 CALL 0056A011
/* This call is a disguised jmp, since its target is two lines below; step into it with F8 */
001B:0056A00F 33C0 XOR EAX,EAX
001B:0056A011 8BC4 MOV EAX,ESP
001B:0056A013 83C004 ADD EAX,04
001B:0056A016 93 XCHG EAX,EBX
001B:0056A017 8BE3 MOV ESP,EBX
001B:0056A019 8B5BFC MOV EBX,[EBX-04]
001B:0056A01C 81EB3F904000 SUB EBX,0040903F
001B:0056A022 87DD XCHG EBX,EBP
001B:0056A024 8B85E6904000 MOV EAX,[EBP+004090E6]
001B:0056A02A 018533904000 ADD [EBP+00409033],EAX
001B:0056A030 66C785309040009090 MOV WORD PTR [EBP+00409030],9090
001B:0056A039 0185DA904000 ADD [EBP+004090DA],EAX
001B:0056A03F 0185DE904000 ADD [EBP+004090DE],EAX
001B:0056A045 0185E2904000 ADD [EBP+004090E2],EAX
001B:0056A04B BB7B110000 MOV EBX,0000117B
001B:0056A050 039DEA904000 ADD EBX,[EBP+004090EA]
001B:0056A056 039DE6904000 ADD EBX,[EBP+004090E6]
001B:0056A05C 53 PUSH EBX
001B:0056A05D 8BC3 MOV EAX,EBX
001B:0056A05F 8BFB MOV EDI,EBX
001B:0056A061 2DAC904000 SUB EAX,004090AC
001B:0056A066 8985AD904000 MOV [EBP+004090AD],EAX
001B:0056A06C 8DB5AC904000 LEA ESI,[EBP+004090AC]
001B:0056A072 B940040000 MOV ECX,00000440
001B:0056A077 F3A5 REPZ MOVSD
001B:0056A079 8BFB MOV EDI,EBX
001B:0056A07B C3 RET
/* After stepping over this ret we arrive here */
001B:0056B17B BDCF201600 MOV EBP,001620CF
001B:0056B180 8BF7 MOV ESI,EDI
001B:0056B182 83C654 ADD ESI,54
001B:0056B185 81C7FF100000 ADD EDI,000010FF
001B:0056B18B 56 PUSH ESI
001B:0056B18C 57 PUSH EDI
001B:0056B18D 57 PUSH EDI
001B:0056B18E 56 PUSH ESI
001B:0056B18F FF95DA904000 CALL [EBP+004090DA]
001B:0056B195 8BC8 MOV ECX,EAX
001B:0056B197 5E POP ESI
001B:0056B198 5F POP EDI
001B:0056B199 8BC1 MOV EAX,ECX
001B:0056B19B C1F902 SAR ECX,02
001B:0056B19E F3A5 REPZ MOVSD
001B:0056B1A0 03C8 ADD ECX,EAX
001B:0056B1A2 83E103 AND ECX,03
001B:0056B1A5 F3A4 REPZ MOVSB
001B:0056B1A7 EB26 JMP 0056B1CF (JUMP )
/* Note the destination of this jmp */
001B:0056B1A9 B0E3 MOV AL,E3
001B:0056B1AB 56 PUSH ESI
001B:0056B1AC 0098E3560074 ADD [EAX+740056E3],BL
001B:0056B1B2 E356 JECXZ 0056B20A
001B:0056B1B4 0000 ADD [EAX],AL
001B:0056B1B6 004000 ADD [EAX+00],AL
001B:0056B1B9 00A0160000E0 ADD [EAX+E0000016],AH ; STATUS_MORE_PRO
001B:0056B1BF 16 PUSH SS
001B:0056B1C0 0087DB87DB87 ADD [EDI+87DB87DB],AL
001B:0056B1C6 DB87DB87DB87 FILD DWORD PTR [EDI+87DB87DB]
001B:0056B1CC DB87DB8BB5E6 FILD DWORD PTR [EDI+E6B58BDB]
_____________________________________________________________
There are junk instructions here; issue the command:
:a 56b1cc
001B:0056B1CC nop
001B:0056B1CD
:
This gives:
001B:0056B1CC 90 NOP
001B:0056B1CD 87DB XCHG EBX,EBX
001B:0056B1CF 8BB5E6904000 MOV ESI,[EBP+004090E6]
/* This is the real destination of the jmp above */
001B:0056B1D5 56 PUSH ESI
001B:0056B1D6 03B5EE904000 ADD ESI,[EBP+004090EE]
001B:0056B1DC 83C614 ADD ESI,14
001B:0056B1DF 03B535974000 ADD ESI,[EBP+00409735]
001B:0056B1E5 8DBD39974000 LEA EDI,[EBP+00409739]
001B:0056B1EB B906000000 MOV ECX,00000006
001B:0056B1F0 F3A5 REPZ MOVSD
001B:0056B1F2 6A04 PUSH 04
001B:0056B1F4 6800100000 PUSH 00001000
001B:0056B1F9 FFB551974000 PUSH DWORD PTR [EBP+00409751]
001B:0056B1FF 6A00 PUSH 00
001B:0056B201 FF9541974000 CALL [EBP+00409741]
001B:0056B207 8BF8 MOV EDI,EAX
001B:0056B209 5B POP EBX
001B:0056B20A 019D83944000 ADD [EBP+00409483],EBX
001B:0056B210 8BB5DE904000 MOV ESI,[EBP+004090DE]
001B:0056B216 80BD6B9D4000C3 CMP BYTE PTR [EBP+00409D6B],C3
001B:0056B21D 742E JZ 0056B24D
001B:0056B21F 60 PUSHAD
001B:0056B220 8B9D39974000 MOV EBX,[EBP+00409739]
001B:0056B226 8B8D3D974000 MOV ECX,[EBP+0040973D]
001B:0056B22C 8B95E6904000 MOV EDX,[EBP+004090E6]
001B:0056B232 8DBD6BA14000 LEA EDI,[EBP+0040A16B]
001B:0056B238 56 PUSH ESI
001B:0056B239 52 PUSH EDX
001B:0056B23A 6A40 PUSH 40
001B:0056B23C 57 PUSH EDI
001B:0056B23D 51 PUSH ECX
001B:0056B23E 53 PUSH EBX
001B:0056B23F E8F60B0000 CALL 0056BE3A
001B:0056B244 85C0 TEST EAX,EAX
001B:0056B246 0F859F000000 JNZ 0056B2EB
001B:0056B24C 61 POPAD
001B:0056B24D 57 PUSH EDI
001B:0056B24E AD LODSD
001B:0056B24F 85C0 TEST EAX,EAX
001B:0056B251 0F849B000000 JZ 0056B2F2
/* Note the destination of this jz */
001B:0056B257 8BD0 MOV EDX,EAX
001B:0056B259 0395E6904000 ADD EDX,[EBP+004090E6]
001B:0056B25F AD LODSD
001B:0056B260 56 PUSH ESI
001B:0056B261 8BC8 MOV ECX,EAX
001B:0056B263 57 PUSH EDI
001B:0056B264 52 PUSH EDX
001B:0056B265 8DB56BA14000 LEA ESI,[EBP+0040A16B]
001B:0056B26B 57 PUSH EDI
001B:0056B26C 51 PUSH ECX
001B:0056B26D 52 PUSH EDX
001B:0056B26E 6A40 PUSH 40
001B:0056B270 56 PUSH ESI
001B:0056B271 FFB53D974000 PUSH DWORD PTR [EBP+0040973D]
001B:0056B277 FFB539974000 PUSH DWORD PTR [EBP+00409739]
001B:0056B27D E8B8090000 CALL 0056BC3A
001B:0056B282 5A POP EDX
001B:0056B283 5F POP EDI
001B:0056B284 8D85E4914000 LEA EAX,[EBP+004091E4]
001B:0056B28A 50 PUSH EAX
001B:0056B28B 6467FF360000 PUSH DWORD PTR FS:[0000]
001B:0056B291 646789260000 MOV FS:[0000],ESP
001B:0056B297 52 PUSH EDX
001B:0056B298 57 PUSH EDI
001B:0056B299 FF95DA904000 CALL [EBP+004090DA]
001B:0056B29F 64678F060000 POP DWORD PTR FS:[0000]
001B:0056B2A5 83C404 ADD ESP,04
001B:0056B2A8 85C0 TEST EAX,EAX
001B:0056B2AA 7407 JZ 0056B2B3
001B:0056B2AC 8BC8 MOV ECX,EAX
001B:0056B2AE 5E POP ESI
001B:0056B2AF 5F POP EDI
001B:0056B2B0 EB9B JMP 0056B24D (JUMP )
001B:0056B2B2 B9E8000000 MOV ECX,000000E8
001B:0056B2B7 005D81 ADD [EBP-7F],BL
001B:0056B2BA ED IN EAX,DX
001B:0056B2BB E9914000E8 JMP E856F351
_____________________________________________________________
001B:0056B2F1 is obscured by junk bytes:
001B:0056B2EB FFA549974000 JMP [EBP+00409749]
001B:0056B2F1 245F AND AL,5F
001B:0056B2F3 8BB5E2904000 MOV ESI,[EBP+004090E2]
001B:0056B2F9 AD LODSD
001B:0056B2FA 83F8FF CMP EAX,-01
001B:0056B2FD 7474 JZ 0056B373
Issue the command:
:a 56b2f1
001B:0056B2F1 nop
001B:0056B2F2
After correction the instructions read:
001B:0056B2EB FFA549974000 JMP [EBP+00409749]
001B:0056B2F1 90 NOP
001B:0056B2F2 5F POP EDI
/* This is the real destination of the jz at 001B:0056B251 */
001B:0056B2F3 8BB5E2904000 MOV ESI,[EBP+004090E2]
001B:0056B2F9 AD LODSD
001B:0056B2FA 83F8FF CMP EAX,-01
001B:0056B2FD 7474 JZ 0056B373 (JUMP )
/* Note the destination of this jz */
001B:0056B2FF 0385E6904000 ADD EAX,[EBP+004090E6]
001B:0056B305 8BD8 MOV EBX,EAX
001B:0056B307 AD LODSD
001B:0056B308 0385E6904000 ADD EAX,[EBP+004090E6]
001B:0056B30E 8BD0 MOV EDX,EAX
001B:0056B310 AD LODSD
001B:0056B311 8BC8 MOV ECX,EAX
001B:0056B313 57 PUSH EDI
001B:0056B314 56 PUSH ESI
001B:0056B315 8BF3 MOV ESI,EBX
001B:0056B317 57 PUSH EDI
001B:0056B318 51 PUSH ECX
001B:0056B319 8BC1 MOV EAX,ECX
001B:0056B31B C1F902 SAR ECX,02
001B:0056B31E F3A5 REPZ MOVSD
001B:0056B320 03C8 ADD ECX,EAX
001B:0056B322 83E103 AND ECX,03
001B:0056B325 F3A4 REPZ MOVSB
001B:0056B327 59 POP ECX
001B:0056B328 5E POP ESI
001B:0056B329 8BFA MOV EDI,EDX
001B:0056B32B 8BC1 MOV EAX,ECX
001B:0056B32D C1F902 SAR ECX,02
001B:0056B330 F3A5 REPZ MOVSD
001B:0056B332 03C8 ADD ECX,EAX
001B:0056B334 83E103 AND ECX,03
001B:0056B337 F3A4 REPZ MOVSB
001B:0056B339 5E POP ESI
001B:0056B33A AD LODSD
001B:0056B33B 8BC8 MOV ECX,EAX
001B:0056B33D 8BD0 MOV EDX,EAX
001B:0056B33F 33C0 XOR EAX,EAX
001B:0056B341 C1F902 SAR ECX,02
001B:0056B344 F3AB REPZ STOSD
001B:0056B346 03CA ADD ECX,EDX
001B:0056B348 83E103 AND ECX,03
001B:0056B34B F3AA REPZ STOSB
001B:0056B34D 8B7EF0 MOV EDI,[ESI-10]
001B:0056B350 03BDE6904000 ADD EDI,[EBP+004090E6]
001B:0056B356 8B4EF4 MOV ECX,[ESI-0C]
001B:0056B359 038DE6904000 ADD ECX,[EBP+004090E6]
001B:0056B35F 2BCF SUB ECX,EDI
001B:0056B361 8BD1 MOV EDX,ECX
001B:0056B363 C1F902 SAR ECX,02
001B:0056B366 F3AB REPZ STOSD
001B:0056B368 03CA ADD ECX,EDX
001B:0056B36A 83E103 AND ECX,03
001B:0056B36D F3AA REPZ STOSB
001B:0056B36F 5F POP EDI
001B:0056B370 EB87 JMP 0056B2F9
001B:0056B372 0F6800 PUNPCKHBW MM0,[EAX]
001B:0056B375 40 INC EAX
001B:0056B376 0000 ADD [EAX],AL
001B:0056B378 6A00 PUSH 00
001B:0056B37A 57 PUSH EDI