
Manual unpacking with OllyDbg and OllyDump

2007-01-13 20:14:41 Source: WEB开发网

Tools: OllyDbg 1.09B, with the OllyDump V2.11.108 plugin

Basic operations: F8 - step over (a CALL is not entered). F7 - step into (a CALL is entered). F4 - run to the line under the cursor. F2 - set a breakpoint.

Two things to keep in mind when unpacking by hand:

1. Step forward; never go back.

2. Observe. Watch for PUSHAD/PUSHFD and the matching POPAD/POPFD, and watch for large jumps in the address.

The program is packed with PECompact V1.40-45, a packer I had not seen before, so the only option here is to unpack it by hand.

0054DC00 > /EB 06     JMP SHORT wb86.0054DC08
0054DC02 |68 84370000  PUSH 3784
0054DC07 |C3       RETN
0054DC08 9C       PUSHFD
0054DC09  60       PUSHAD
0054DC0A  E8 02000000  CALL wb86.0054DC11 => single-stepping reaches here; if you F8 over it the program just runs, so F7 into it instead
0054DC11  8BC4      MOV EAX,ESP    => F7 lands here; continue single-stepping
0054DC13  83C0 04    ADD EAX,4
0054DC16  93       XCHG EAX,EBX
0054DC17  8BE3      MOV ESP,EBX
0054DC19  8B5B FC    MOV EBX,DWORD PTR DS:[EBX-4]
0054DC1C  81EB 0FA04000 SUB EBX,wb86.0040A00F
0054DC22  87DD      XCHG EBP,EBX
0054DC24  8B85 A6A04000 MOV EAX,DWORD PTR SS:[EBP+40A0A6]
0054DC2A  0185 03A04000 ADD DWORD PTR SS:[EBP+40A003],EAX
0054DC30  66:C785 00A0400>MOV WORD PTR SS:[EBP+40A000],9090
0054DC39  0185 9EA04000 ADD DWORD PTR SS:[EBP+40A09E],EAX
0054DC3F  BB C3110000  MOV EBX,11C3
0054DC44  039D AAA04000 ADD EBX,DWORD PTR SS:[EBP+40A0AA]
0054DC4A  039D A6A04000 ADD EBX,DWORD PTR SS:[EBP+40A0A6]
0054DC50  53       PUSH EBX
0054DC51  53       PUSH EBX
...............(keep stepping forward, omitted).....................
0054F25E  57       PUSH EDI
0054F25F  AD       LODS DWORD PTR DS:[ESI]
0054F260  0BC0      OR EAX,EAX
0054F262  74 6C     JE SHORT wb86.0054F2D0
0054F264  8BD0      MOV EDX,EAX
0054F266  0395 A6A04000 ADD EDX,DWORD PTR SS:[EBP+40A0A6]
0054F26C  AD       LODS DWORD PTR DS:[ESI]
0054F26D  56       PUSH ESI
0054F26E  8BC8      MOV ECX,EAX
0054F270  57       PUSH EDI
0054F271  52       PUSH EDX
0054F272  8BF2      MOV ESI,EDX
0054F274  8B85 15A64000 MOV EAX,DWORD PTR SS:[EBP+40A615]
0054F27A  8B9D 19A64000 MOV EBX,DWORD PTR SS:[EBP+40A619]
0054F280  E8 910A0000  CALL wb86.0054FD16
0054F285  5A       POP EDX
0054F286  5F       POP EDI
0054F287  52       PUSH EDX
0054F288  57       PUSH EDI
0054F289  FF95 9EA04000 CALL DWORD PTR SS:[EBP+40A09E]
0054F28F  0BC0      OR EAX,EAX
0054F291  74 07     JE SHORT wb86.0054F29A
0054F293  8BC8      MOV ECX,EAX
0054F295  5E       POP ESI
0054F296  5F       POP EDI
0054F297 ^ EB C5     JMP SHORT wb86.0054F25E  ==> this jumps back to earlier code; if you move the cursor to the next line and F4 past it the program just runs, so keep single-stepping; when you reach 0054F262 above it will jump forward
0054F299  B9 8D9D97A5  MOV ECX,A5979D8D
0054F29E  40       INC EAX
0054F29F  0053 FF    ADD BYTE PTR DS:[EBX-1],DL
0054F2A2  95       XCHG EAX,EBP
0054F2A3  15 A640008D  ADC EAX,8D0040A6
0054F2A8  9D       POPFD
...............(keep stepping forward, omitted).....................
0054F2CF  24 58     AND AL,58  ==> jumped here from above; continue single-stepping
0054F2D1  8DB5 C3A64000 LEA ESI,DWORD PTR SS:[EBP+40A6C3]
0054F2D7  AD       LODS DWORD PTR DS:[ESI]
0054F2D8  0BC0      OR EAX,EAX
0054F2DA  74 74     JE SHORT wb86.0054F350
0054F2DC  0385 A6A04000 ADD EAX,DWORD PTR SS:[EBP+40A0A6]
...............(keep stepping forward, omitted).....................
0054F36D  49       DEC ECX
0054F36E  74 72     JE SHORT wb86.0054F3E2
0054F370  78 70     JS SHORT wb86.0054F3E2
0054F372  66:8B07    MOV AX,WORD PTR DS:[EDI]
0054F375  2C E8     SUB AL,0E8
0054F377  3C 01     CMP AL,1
0054F379  76 38     JBE SHORT wb86.0054F3B3
0054F37B  66:3D 1725   CMP AX,2517
0054F37F  74 51     JE SHORT wb86.0054F3D2
0054F381  3C 27     CMP AL,27
0054F383  75 0A     JNZ SHORT wb86.0054F38F
0054F385  80FC 80    CMP AH,80
0054F388  72 05     JB SHORT wb86.0054F38F
0054F38A  80FC 8F    CMP AH,8F
0054F38D  76 05     JBE SHORT wb86.0054F394
0054F38F  47       INC EDI
0054F390  43       INC EBX
0054F391 ^ EB DA     JMP SHORT wb86.0054F36D ==> this jumps back again; look at which earlier instructions jump forward: JE SHORT 0054F3E2, JS SHORT 0054F3E2, JBE SHORT wb86.0054F3B3, JE SHORT 0054F3D2. Set a breakpoint at each of their targets in turn, press F9 to run, and it stops at the breakpoint that is hit; in the end 0054F3E2 turns out to be the right place for the breakpoint
0054F393  B8 8B47023C  MOV EAX,3C02478B
...............(keep stepping forward, omitted).....................
0054F476  8BB5 15A64000  MOV ESI,DWORD PTR SS:[EBP+40A615]
0054F47C  8BBD 19A64000  MOV EDI,DWORD PTR SS:[EBP+40A619]
0054F482  E8 8F0C0000   CALL wb86.00550116
0054F487  61       POPAD ==> now there is hope; continue single-stepping
0054F488  9D       POPFD 
0054F489  50       PUSH EAX
0054F48A  68 84374000   PUSH wb86.00403784
0054F48F  C2 0400     RETN 4 ==> once past here the address changes a lot, so we can be sure the unpacking stub is finished.
0054F492  8BB5 37A64000  MOV ESI,DWORD PTR SS:[EBP+40A637]
00403781   00      DB 00
00403782 > 0000     ADD BYTE PTR DS:[EAX],AL
00403784 . 68 94FF4300  PUSH wb86.0043FF94  ===> arrived here from 0054F48F; run the OllyDump plugin here and dump the program. That completes the manual unpacking.
00403789   E8      DB E8
0040378A   EE      DB EE
0040378B   FF      DB FF
0040378C   FF      DB FF
0040378D   FF      DB FF
0040378E   00      DB 00
0040378F   00      DB 00
00403790   00      DB 00
00403791   00      DB 00
00403792   00      DB 00
After unpacking, a packer-identification tool shows the program is written in VB. Other packers (such as ASPack) can be unpacked by hand the same way, together with OllyDump.
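When OllyDump writes the dumped image it also rewrites the PE header's AddressOfEntryPoint so that the file starts at the OEP instead of the packer stub. The script below is an added example (not from the article or OllyDump) that performs that one header fix with nothing but `struct`, using the addresses from the listing above; it assumes wb86.exe has the default image base 0x00400000 (the article never states the base; the 0040xxxx addresses suggest it) and runs on a constructed, headers-only PE32 image standing in for the dump.

```python
import struct

# Assumed, not stated in the article: default image base, suggested by the 0040xxxx addresses.
IMAGE_BASE = 0x00400000
PACKED_ENTRY_VA = 0x0054DC00   # PECompact stub entry seen at the start of the listing
OEP_VA = 0x00403784            # address reached after the final RETN 4

def build_sample_pe(entry_rva: int, image_base: int = IMAGE_BASE) -> bytes:
    """Constructed, headers-only PE32 image used as stand-in input for the dumped file."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew: PE header right after DOS header
    file_hdr = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0xE0, 0x0102)  # i386, SizeOfOptionalHeader=0xE0
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)              # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)             # ImageBase
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)

def _optional_header_offset(pe: bytes) -> int:
    """Locate IMAGE_OPTIONAL_HEADER32, validating the MZ and PE signatures on the way."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 4 + 20                                 # skip signature + IMAGE_FILE_HEADER
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    return opt

def get_entry_point_rva(pe: bytes) -> int:
    return struct.unpack_from("<I", pe, _optional_header_offset(pe) + 16)[0]

def get_image_base(pe: bytes) -> int:
    return struct.unpack_from("<I", pe, _optional_header_offset(pe) + 28)[0]

def set_entry_point_from_va(pe: bytes, oep_va: int) -> bytes:
    """Return a copy of the image whose entry point is the OEP observed in the debugger."""
    opt = _optional_header_offset(pe)
    rva = oep_va - get_image_base(pe)
    if rva < 0:
        raise ValueError(f"OEP {oep_va:#010x} lies below the image base")
    out = bytearray(pe)
    struct.pack_into("<I", out, opt + 16, rva)
    return bytes(out)

if __name__ == "__main__":
    packed = build_sample_pe(PACKED_ENTRY_VA - IMAGE_BASE)
    fixed = set_entry_point_from_va(packed, OEP_VA)
    print(f"entry RVA before: {get_entry_point_rva(packed):#x}, after: {get_entry_point_rva(fixed):#x}")
```

On a real dump the same fix applies to the file's bytes; the imports still need rebuilding separately, which OllyDump can also do and this script does not attempt.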
