
telock脱壳总结

 2007-01-12 20:13:26 来源:WEB开发网   

ok,回到sss。下面要在入口处脱壳,老规矩打开SuperBPM,点erase,用娃娃修改过的trw 1.03版本载入sss,下g 59b9e4,下suspend,用winhex的内存编辑功能把400106-400107填回原来的值0800,再用prodump选dump(full)就成功了。

3.重建import table:

以sss为例,执行sss,然后用ImportRECf导出IT(import table),是这个样子的:

Target: D:\TOOLS\SHADOWSECURITYSCANER\SSS.EXE
OEP: 0019B9E4  IATRVA: 001AB1A0  IATSize: 000008A4
FThunk: 001AB1A4  NbFunc: 00000036
0  001AB1A4  ?  0000  009D0000
0  001AB1A8  ?  0000  009D000A
0  001AB1AC  ?  0000  009D0014
0  001AB1B0  ?  0000  009D001E

从telock重建IT的部分开始吧,用加了superbpm和icedump的s-ice重新载入sss,下bpm 9d0000,下g,停在这里:

0187:006ACE09 FF0424      INC  DWord Ptr [ESP]
0187:006ACE0C 0483       ADD  AL,83
0187:006ACE0E 2424       AND  AL,24
0187:006ACE10 03833C240074   ADD  EAX,[EBX+7400243C]
0187:006ACE16 36833C2401    CMP  DWord Ptr SS:[ESP],00000001
0187:006ACE1B 744D       JZ   006ACE6A
0187:006ACE1D 833C2402     CMP  DWord Ptr [ESP],00000002
0187:006ACE21 7422       JZ   006ACE45
0187:006ACE23 C144240C10    ROL  DWord Ptr [ESP+0C],10
0187:006ACE28 668B44240C    MOV  AX,[ESP+0C]
0187:006ACE2D 66AB       STOSW
0187:006ACE2F 8BC3       MOV  EAX,EBX
0187:006ACE31 C1E803      SHR  EAX,03
0187:006ACE34 83E003      AND  EAX,00000003
0187:006ACE37 8A440404     MOV  AL,[ESP+1*EAX+04]
0187:006ACE3B AA        STOSB
0187:006ACE3C B0C3       MOV  AL,C3
0187:006ACE3E AA        STOSB
0187:006ACE3F 66B8FF35     MOV  AX,35FF
0187:006ACE43 EB2D       JMP  006ACE72
0187:006ACE45 8B442408     MOV  EAX,[ESP+08]
0187:006ACE49 AB        STOSD
0187:006ACE4A 4F        DEC  EDI
0187:006ACE4B EBEF       JMP  006ACE3C
0187:006ACE4D 668B44240C    MOV  AX,[ESP+0C]
0187:006ACE52 66AB       STOSW
0187:006ACE54 B0C3       MOV  AL,C3
0187:006ACE56 AA        STOSB
0187:006ACE57 8BC3       MOV  EAX,EBX
0187:006ACE59 C1E803      SHR  EAX,03
0187:006ACE5C 83E003      AND  EAX,00000003
0187:006ACE5F 8A440404     MOV  AL,[ESP+1*EAX+04]
0187:006ACE63 AA        STOSB
0187:006ACE64 66B8FF35     MOV  AX,35FF
0187:006ACE68 EB08       JMP  006ACE72
0187:006ACE6A 8B442410     MOV  EAX,[ESP+10]
0187:006ACE6E AB        STOSD
0187:006ACE6F 4F        DEC  EDI
0187:006ACE70 EBCA       JMP  006ACE3C
0187:006ACE72 E28C       LOOP  006ACE00
0187:006ACE74 66AB       STOSW
0187:006ACE76 83C414      ADD  ESP,00000014
0187:006ACE79 61        POPAD
0187:006ACE7A 89BD9AB04000   MOV  [EBP+0040B09A],EDI //MOV  [EBP+0040B09A],EBX
       899D9AB04000
0187:006ACE80 8BBD9AB04000   MOV  EDI,[EBP+0040B09A] //MOV  EDI,[EBP+0040B0A2]
       8BBDA2B04000
0187:006ACE86 8B85A2B04000   MOV  EAX,[EBP+0040B0A2]
0187:006ACE8C 03859AAF4000   ADD  EAX,[EBP+0040AF9A]
0187:006ACE92 8B8D9EB04000   MOV  ECX,[EBP+0040B09E]
0187:006ACE98 8908       MOV  [EAX],ECX
0187:006ACE9A 83859EB040000A  ADD  DWord Ptr [EBP+0040B09E],0000000A
0187:006ACEA1 EB08       JMP  006ACEAB
0187:006ACEA3 838D9AB04000FF  OR   DWord Ptr [EBP+0040B09A],FFFFFFFF
0187:006ACEAA 61        POPAD
0187:006ACEAB 03BD9AAF4000   ADD  EDI,[EBP+0040AF9A]
0187:006ACEB1 85DB       TEST  EBX,EBX
0187:006ACEB3 0F84B4000000   JZ   006ACF6D
0187:006ACEB9 F7C300000080   TEST  EBX,80000000
0187:006ACEBF 6A00       PUSH  00000000
0187:006ACEC1 7506       JNZ  006ACEC9
0187:006ACEC3 8D5C1302     LEA  EBX,[EBX+1*EDX+02]
0187:006ACEC7 EB3C       JMP  006ACF05
0187:006ACEC9 FF0424      INC  DWord Ptr [ESP]
0187:006ACECC 8B8596AF4000   MOV  EAX,[EBP+0040AF96]
0187:006ACED2 3B858AB04000   CMP  EAX,[EBP+0040B08A]
0187:006ACED8 752B       JNZ  006ACF05
0187:006ACEDA 81E3FFFFFF7F   AND  EBX,7FFFFFFF
0187:006ACEE0 8BD3       MOV  EDX,EBX
0187:006ACEE2 8D1495FCFFFFFF  LEA  EDX,[FFFFFFFC+4*EDX]
0187:006ACEE9 8B9D96AF4000   MOV  EBX,[EBP+0040AF96]
0187:006ACEEF 8B433C      MOV  EAX,[EBX+3C]
0187:006ACEF2 8B441878     MOV  EAX,[EAX+1*EBX+78]
0187:006ACEF6 035C181C     ADD  EBX,[EAX+1*EBX+1C]
0187:006ACEFA 8B041A      MOV  EAX,[EDX+1*EBX]
0187:006ACEFD 038596AF4000   ADD  EAX,[EBP+0040AF96]
0187:006ACF03 EB13       JMP  006ACF18
0187:006ACF05 81E3FFFFFF7F   AND  EBX,7FFFFFFF
0187:006ACF0B 53        PUSH  EBX
0187:006ACF0C FFB596AF4000   PUSH  DWord Ptr [EBP+0040AF96]
0187:006ACF12 FF9504AF4000   CALL  Near [`KERNEL32!GetProcAddress`] //取函数地址(GetProcAddress返回的是地址而不是名字)
0187:006ACF18 40        INC  EAX
0187:006ACF19 48        DEC  EAX
0187:006ACF1A 7532       JNZ  006ACF4E
0187:006ACF1C 58        POP  EAX
0187:006ACF1D F9        STC 
0187:006ACF1E 0F829BFDFFFF   JB   006ACCBF
0187:006ACF24 47        INC  EDI
0187:006ACF25 44        INC  ESP
0187:006ACF26 49        DEC  ECX
0187:006ACF27 3332       XOR  ESI,[EDX]
0187:006ACF29 2E44       INC  ESP
0187:006ACF2B 4C        DEC  ESP
0187:006ACF2C 4C        DEC  ESP
0187:006ACF2D 55        PUSH  EBP
0187:006ACF2E 53        PUSH  EBX
0187:006ACF2F 45        INC  EBP
0187:006ACF30 52        PUSH  EDX
0187:006ACF31 3332       XOR  ESI,[EDX]
0187:006ACF33 2E44       INC  ESP
0187:006ACF35 4C        DEC  ESP
0187:006ACF36 4C        DEC  ESP
0187:006ACF37 53        PUSH  EBX
0187:006ACF38 48        DEC  EAX
0187:006ACF39 45        INC  EBP
0187:006ACF3A 4C        DEC  ESP
0187:006ACF3B 4C        DEC  ESP
0187:006ACF3C 3332       XOR  ESI,[EDX]
0187:006ACF3E 2E44       INC  ESP
0187:006ACF40 4C        DEC  ESP
0187:006ACF41 4C        DEC  ESP
0187:006ACF42 4B        DEC  EBX
0187:006ACF43 45        INC  EBP
0187:006ACF44 52        PUSH  EDX
0187:006ACF45 4E        DEC  ESI
0187:006ACF46 45        INC  EBP
0187:006ACF47 4C        DEC  ESP
0187:006ACF48 3332       XOR  ESI,[EDX]
0187:006ACF4A 2E44       INC  ESP
0187:006ACF4C 4C        DEC  ESP
0187:006ACF4D 4C        DEC  ESP
0187:006ACF4E 8907       MOV  [EDI],EAX //将取到的函数地址写回IAT中正确的位置
0187:006ACF50 58        POP  EAX
0187:006ACF51 48        DEC  EAX
0187:006ACF52 740D       JZ   006ACF61
0187:006ACF54 40        INC  EAX
0187:006ACF55 F8        CLC 
0187:006ACF56 668943FE     MOV  [EBX-02],AX
0187:006ACF5A 8803       MOV  [EBX],AL
0187:006ACF5C 43        INC  EBX
0187:006ACF5D 3803       CMP  [EBX],AL
0187:006ACF5F 75F9       JNZ  006ACF5A
0187:006ACF61 83859AAF400004  ADD  DWord Ptr [EBP+0040AF9A],00000004
0187:006ACF68 E9D4FDFFFF    JMP  006ACD41
0187:006ACF6D 83C614      ADD  ESI,00000014
0187:006ACF70 8B95AEAF4000   MOV  EDX,[EBP+0040AFAE]
0187:006ACF76 E9B1FCFFFF    JMP  006ACC2C  //循环
0187:006ACF7B 61        POPAD
0187:006ACF7C C3        RET

按我的方法把006ACE7A和006ACE80这两条指令改成上面注释(//)中给出的样子(对应机器码分别为899D9AB04000和8BBDA2B04000),就可以用ImportRECf了。

