telock unpacking summary
2007-01-12 20:13:26 Source: WEB开发网 (telock unpacking summary, part 2)
OK, back to sss. Next we dump at the entry point. As usual, open SuperBPM and click Erase, load sss in the build of TRW 1.03 modified by 娃娃, type g 59b9e4, then suspend; use WinHex's memory editor to restore bytes 400106-400107 to their original value 0800, then run ProcDump with dump (full) and the dump succeeds.
3. Rebuilding the import table:
Take sss as an example: run sss, then export the IT with ImportRECf. It looks like this:
Target: D:TOOLSSHADOWSECURITYSCANERSSS.EXE
OEP: 0019B9E4 IATRVA: 001AB1A0 IATSize: 000008A4
FThunk: 001AB1A4 NbFunc: 00000036
0 001AB1A4 ? 0000 009D0000
0 001AB1A8 ? 0000 009D000A
0 001AB1AC ? 0000 009D0014
0 001AB1B0 ? 0000 009D001E
Now for the part of telock that rebuilds the IT. Reload sss in SoftICE (with SuperBPM and IceDump loaded), set bpm 9d0000, press g, and it stops here:
0187:006ACE09 FF0424 INC DWord Ptr [ESP]
0187:006ACE0C 0483 ADD AL,83
0187:006ACE0E 2424 AND AL,24
0187:006ACE10 03833C240074 ADD EAX,[EBX+7400243C]
0187:006ACE16 36833C2401 CMP DWord Ptr SS:[ESP],00000001
0187:006ACE1B 744D JZ 006ACE6A
0187:006ACE1D 833C2402 CMP DWord Ptr [ESP],00000002
0187:006ACE21 7422 JZ 006ACE45
0187:006ACE23 C144240C10 ROL DWord Ptr [ESP+0C],10
0187:006ACE28 668B44240C MOV AX,[ESP+0C]
0187:006ACE2D 66AB STOSW
0187:006ACE2F 8BC3 MOV EAX,EBX
0187:006ACE31 C1E803 SHR EAX,03
0187:006ACE34 83E003 AND EAX,00000003
0187:006ACE37 8A440404 MOV AL,[ESP+1*EAX+04]
0187:006ACE3B AA STOSB
0187:006ACE3C B0C3 MOV AL,C3
0187:006ACE3E AA STOSB
0187:006ACE3F 66B8FF35 MOV AX,35FF
0187:006ACE43 EB2D JMP 006ACE72
0187:006ACE45 8B442408 MOV EAX,[ESP+08]
0187:006ACE49 AB STOSD
0187:006ACE4A 4F DEC EDI
0187:006ACE4B EBEF JMP 006ACE3C
0187:006ACE4D 668B44240C MOV AX,[ESP+0C]
0187:006ACE52 66AB STOSW
0187:006ACE54 B0C3 MOV AL,C3
0187:006ACE56 AA STOSB
0187:006ACE57 8BC3 MOV EAX,EBX
0187:006ACE59 C1E803 SHR EAX,03
0187:006ACE5C 83E003 AND EAX,00000003
0187:006ACE5F 8A440404 MOV AL,[ESP+1*EAX+04]
0187:006ACE63 AA STOSB
0187:006ACE64 66B8FF35 MOV AX,35FF
0187:006ACE68 EB08 JMP 006ACE72
0187:006ACE6A 8B442410 MOV EAX,[ESP+10]
0187:006ACE6E AB STOSD
0187:006ACE6F 4F DEC EDI
0187:006ACE70 EBCA JMP 006ACE3C
0187:006ACE72 E28C LOOP 006ACE00
0187:006ACE74 66AB STOSW
0187:006ACE76 83C414 ADD ESP,00000014
0187:006ACE79 61 POPAD
0187:006ACE7A 89BD9AB04000 MOV [EBP+0040B09A],EDI // patch to 899D9AB04000 = MOV [EBP+0040B09A],EBX
0187:006ACE80 8BBD9AB04000 MOV EDI,[EBP+0040B09A] // patch to 8BBDA2B04000 = MOV EDI,[EBP+0040B0A2]
0187:006ACE86 8B85A2B04000 MOV EAX,[EBP+0040B0A2]
0187:006ACE8C 03859AAF4000 ADD EAX,[EBP+0040AF9A]
0187:006ACE92 8B8D9EB04000 MOV ECX,[EBP+0040B09E]
0187:006ACE98 8908 MOV [EAX],ECX
0187:006ACE9A 83859EB040000A ADD DWord Ptr [EBP+0040B09E],0000000A
0187:006ACEA1 EB08 JMP 006ACEAB
0187:006ACEA3 838D9AB04000FF OR DWord Ptr [EBP+0040B09A],FFFFFFFF
0187:006ACEAA 61 POPAD
0187:006ACEAB 03BD9AAF4000 ADD EDI,[EBP+0040AF9A]
0187:006ACEB1 85DB TEST EBX,EBX
0187:006ACEB3 0F84B4000000 JZ 006ACF6D
0187:006ACEB9 F7C300000080 TEST EBX,80000000
0187:006ACEBF 6A00 PUSH 00000000
0187:006ACEC1 7506 JNZ 006ACEC9
0187:006ACEC3 8D5C1302 LEA EBX,[EBX+1*EDX+02]
0187:006ACEC7 EB3C JMP 006ACF05
0187:006ACEC9 FF0424 INC DWord Ptr [ESP]
0187:006ACECC 8B8596AF4000 MOV EAX,[EBP+0040AF96]
0187:006ACED2 3B858AB04000 CMP EAX,[EBP+0040B08A]
0187:006ACED8 752B JNZ 006ACF05
0187:006ACEDA 81E3FFFFFF7F AND EBX,7FFFFFFF
0187:006ACEE0 8BD3 MOV EDX,EBX
0187:006ACEE2 8D1495FCFFFFFF LEA EDX,[FFFFFFFC+4*EDX]
0187:006ACEE9 8B9D96AF4000 MOV EBX,[EBP+0040AF96]
0187:006ACEEF 8B433C MOV EAX,[EBX+3C]
0187:006ACEF2 8B441878 MOV EAX,[EAX+1*EBX+78]
0187:006ACEF6 035C181C ADD EBX,[EAX+1*EBX+1C]
0187:006ACEFA 8B041A MOV EAX,[EDX+1*EBX]
0187:006ACEFD 038596AF4000 ADD EAX,[EBP+0040AF96]
0187:006ACF03 EB13 JMP 006ACF18
0187:006ACF05 81E3FFFFFF7F AND EBX,7FFFFFFF
0187:006ACF0B 53 PUSH EBX
0187:006ACF0C FFB596AF4000 PUSH DWord Ptr [EBP+0040AF96]
0187:006ACF12 FF9504AF4000 CALL Near [`KERNEL32!GetProcAddress`] // look up the function
0187:006ACF18 40 INC EAX
0187:006ACF19 48 DEC EAX
0187:006ACF1A 7532 JNZ 006ACF4E
0187:006ACF1C 58 POP EAX
0187:006ACF1D F9 STC
0187:006ACF1E 0F829BFDFFFF JB 006ACCBF
0187:006ACF24 47 INC EDI
0187:006ACF25 44 INC ESP
0187:006ACF26 49 DEC ECX
0187:006ACF27 3332 XOR ESI,[EDX]
0187:006ACF29 2E44 INC ESP
0187:006ACF2B 4C DEC ESP
0187:006ACF2C 4C DEC ESP
0187:006ACF2D 55 PUSH EBP
0187:006ACF2E 53 PUSH EBX
0187:006ACF2F 45 INC EBP
0187:006ACF30 52 PUSH EDX
0187:006ACF31 3332 XOR ESI,[EDX]
0187:006ACF33 2E44 INC ESP
0187:006ACF35 4C DEC ESP
0187:006ACF36 4C DEC ESP
0187:006ACF37 53 PUSH EBX
0187:006ACF38 48 DEC EAX
0187:006ACF39 45 INC EBP
0187:006ACF3A 4C DEC ESP
0187:006ACF3B 4C DEC ESP
0187:006ACF3C 3332 XOR ESI,[EDX]
0187:006ACF3E 2E44 INC ESP
0187:006ACF40 4C DEC ESP
0187:006ACF41 4C DEC ESP
0187:006ACF42 4B DEC EBX
0187:006ACF43 45 INC EBP
0187:006ACF44 52 PUSH EDX
0187:006ACF45 4E DEC ESI
0187:006ACF46 45 INC EBP
0187:006ACF47 4C DEC ESP
0187:006ACF48 3332 XOR ESI,[EDX]
0187:006ACF4A 2E44 INC ESP
0187:006ACF4C 4C DEC ESP
0187:006ACF4D 4C DEC ESP
0187:006ACF4E 8907 MOV [EDI],EAX // write the looked-up function address back to the correct place
0187:006ACF50 58 POP EAX
0187:006ACF51 48 DEC EAX
0187:006ACF52 740D JZ 006ACF61
0187:006ACF54 40 INC EAX
0187:006ACF55 F8 CLC
0187:006ACF56 668943FE MOV [EBX-02],AX
0187:006ACF5A 8803 MOV [EBX],AL
0187:006ACF5C 43 INC EBX
0187:006ACF5D 3803 CMP [EBX],AL
0187:006ACF5F 75F9 JNZ 006ACF5A
0187:006ACF61 83859AAF400004 ADD DWord Ptr [EBP+0040AF9A],00000004
0187:006ACF68 E9D4FDFFFF JMP 006ACD41
0187:006ACF6D 83C614 ADD ESI,00000014
0187:006ACF70 8B95AEAF4000 MOV EDX,[EBP+0040AFAE]
0187:006ACF76 E9B1FCFFFF JMP 006ACC2C // loop
0187:006ACF7B 61 POPAD
0187:006ACF7C C3 RET
Patch 006ACE7A and 006ACE80 as shown above (my method), and ImportRECf can then be used.
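The ImportREC listing earlier shows why the entries come out as "?": each IAT slot holds a pointer into a packer-owned page (009D0000, 009D000A, ... at a 10-byte stride, matching ADD DWord Ptr [EBP+0040B09E],0000000A) instead of a DLL address. The following Python script is an added example, not code from the tutorial and not telock's own code. It audits a dump whose IAT is still in that state: slots that already point into a known module are accepted, and slots that point elsewhere are followed through a thunk. The loop at 006ACE3C..006ACE74 writes the bytes C3 and FF 35 with STOSB/STOSW, which encode ret and push dword ptr [imm32], so the example assumes a "push [slot]; ret" thunk; it also follows the common "jmp dword ptr [imm32]" (FF 25) form, which goes beyond what the page shows. Module ranges, API addresses, the dump contents and the 3 padding bytes after each thunk are all constructed sample data.

```python
import struct

# ---- constructed sample data (assumptions, not taken from the tutorial) ----
IMAGE_BASE = 0x00400000
IAT_RVA = 0x001AB1A4            # FThunk from the ImportREC listing above

# Address ranges of the DLLs mapped in the analysed process. The bases are
# made up; in practice they come from the debugger's module list.
MODULES = {
    "KERNEL32.DLL": (0x77E60000, 0x77F46000),
    "USER32.DLL":   (0x77D40000, 0x77DD0000),
}

def build_sample_dump():
    """Fake memory image: the IAT, a packer-owned thunk page and a packer-owned
    table of real API addresses. Returns (regions, iat_va, entry_count)."""
    table_va = 0x009E0000
    real_addrs = [0x77E7A1F0, 0x77D4BEEF, 0x77E61234]        # constructed
    table = b"".join(struct.pack("<I", a) for a in real_addrs)

    thunk_va = 0x009D0000
    thunks = b""
    for i in range(len(real_addrs)):
        slot = table_va + 4 * i
        # FF 35 imm32 = push dword ptr [slot]; C3 = ret (behaves like jmp [slot]).
        # Padded to the 10-byte stride seen in the listing; the padding is an assumption.
        thunks += b"\xff\x35" + struct.pack("<I", slot) + b"\xc3" + b"\x90" * 3

    iat_va = IMAGE_BASE + IAT_RVA
    iat = struct.pack("<4I",
                      thunk_va,        # redirected through thunk 0
                      thunk_va + 10,   # redirected through thunk 1
                      real_addrs[2],   # already a direct KERNEL32 address
                      0)               # empty slot
    return {iat_va: iat, thunk_va: thunks, table_va: table}, iat_va, 4

def read(regions, va, n):
    """Read n bytes at virtual address va, or None if not present in the dump."""
    for base, data in regions.items():
        if base <= va and va + n <= base + len(data):
            return data[va - base: va - base + n]
    return None

def module_of(va):
    """Name of the module whose range contains va, or None."""
    for name, (lo, hi) in MODULES.items():
        if lo <= va < hi:
            return name
    return None

def follow_thunk(regions, va, max_hops=4):
    """Follow 'push [slot]; ret' (FF 35 imm32 C3) or 'jmp [slot]' (FF 25 imm32)
    thunks until the address lands inside a module. Returns (address, hops),
    or (None, hops) if the chain cannot be resolved within max_hops."""
    hops = 0
    while True:
        if module_of(va):
            return va, hops
        if hops >= max_hops:
            return None, hops
        head = read(regions, va, 6)
        if head is None or head[0] != 0xFF:
            return None, hops
        if head[1] == 0x25:                       # jmp dword ptr [imm32]
            ok = True
        elif head[1] == 0x35:                     # push dword ptr [imm32] ; ret
            ok = read(regions, va + 6, 1) == b"\xc3"
        else:
            ok = False
        if not ok:
            return None, hops
        slot = struct.unpack_from("<I", head, 2)[0]
        target = read(regions, slot, 4)
        if target is None:
            return None, hops
        va = struct.unpack("<I", target)[0]       # real address stored in the packer's table
        hops += 1

def audit_iat(regions, iat_va, count):
    """Classify each IAT slot as 'direct', 'thunk(n)', 'empty' or 'unresolved'.
    Returns rows of (slot_va, stored_value, status, resolved_va, module)."""
    rows = []
    for i in range(count):
        slot_va = iat_va + 4 * i
        value = struct.unpack("<I", read(regions, slot_va, 4))[0]
        if value == 0:
            rows.append((slot_va, value, "empty", None, None))
            continue
        mod = module_of(value)
        if mod:
            rows.append((slot_va, value, "direct", value, mod))
            continue
        final, hops = follow_thunk(regions, value)
        if final is None:
            rows.append((slot_va, value, "unresolved", None, None))
        else:
            rows.append((slot_va, value, "thunk(%d)" % hops, final, module_of(final)))
    return rows

if __name__ == "__main__":
    regions, iat_va, n = build_sample_dump()
    for slot, value, status, final, mod in audit_iat(regions, iat_va, n):
        shown = "%08X" % final if final is not None else "--------"
        print("%08X  %08X  %-10s  %s  %s" % (slot, value, status, shown, mod or ""))
```

Rows reported as thunk(n) are the ones ImportREC shows as "?"; the resolved address is what the patched unpacker above writes into the IAT directly, so a dump taken after the patch should report every slot as direct. Any slot still unresolved after this pass needs manual inspection, since the thunk uses some other encoding or the packer table was not part of the dump.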