ACProtect V2.0.X脱壳手记(早期的)

【文章标题】: ACProtect V2.0.X脱壳手记
【软件名称】: XorIt.protected.exe
【加壳方式】: ACProtect V2.0.X
【编写语言】: VC
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
——————————————————————————–
【详细过程】
  用PEID查壳显示为:ACProtect V2.0.X -> RiSco  * Sign.By.fly *
  
  用OD载入,设置好OD选项为忽略所有异常:

 
  00401000 >  68 00C04300        push XorIt_pr.0043C000  //OD停在此
  00401005    68 0B104000        push XorIt_pr.0040100B
  0040100A    C3                retn
  0040100B    C3                retn

  
  F8单步到:
  0043C000    55                push ebp
  0043C001    0F87 03000000      ja XorIt_pr.0043C00A      //注意此时的ESP值,下好ESP断点
  
  下好断点后,F9运行,3次后,停在了:
  第1次:

 
  00451B1D    8905 11CB4300      mov dword ptr ds:[43CB11],eax
  00451B23    FF35 11CB4300      push dword ptr ds:[43CB11]
  00451B29    8F05 8DC94300      pop dword ptr ds:[43C98D]
  00451B2F    FF35 8DC94300      push dword ptr ds:[43C98D]
  00451B35    893D 61C84300      mov dword ptr ds:[43C861],edi
  00451B3B    FF35 61C84300      push dword ptr ds:[43C861]
  00451B41    C70424 45CA4300    mov dword ptr ss:[esp],XorIt_pr.004>
  00451B48    8F05 21CB4300      pop dword ptr ds:[43CB21]
  00451B4E    FF35 21CB4300      push dword ptr ds:[43CB21]
  00451B54    58                pop eax
  00451B55    8928              mov dword ptr ds:[eax],ebp
  00451B57    8F05 59C84300      pop dword ptr ds:[43C859]
  00451B5D    FF35 59C84300      push dword ptr ds:[43C859]
  00451B63    8F05 49C94300      pop dword ptr ds:[43C949]
  00451B69    90                nop
  00451B6A    90                nop
  00451B6B    60                pushad                        //注意这里
  00451B6C    E8 0B000000        call XorIt_pr.00451B7C        //及这里

  
  将程序中断的位置与pushad之间的代码记录下来(以二进制的形式):

  
  89 05 11 CB 43 00 FF 35 11 CB 43 00 8F 05 8D C9 43 00 FF 35 8D C9 43 00 89 3D 61 C8 43 00 FF 35
  61 C8 43 00 C7 04 24 45 CA 43 00 8F 05 21 CB 43 00 FF 35 21 CB 43 00 58 89 28 8F 05 59 C8 43 00
  FF 35 59 C8 43 00 8F 05 49 C9 43 00 90 90

  
  然后在pushad的下一行代码处下断,此处为:
  00451B6C    E8 0B000000        call XorIt_pr.00451B7C      //F2下断,F9运行后中断下来
  观察ESP的值,清除旧的ESP断点,下新的ESP断点(当然,ESP值相同的就不用理会了,哈)
  
  *****************************************************
  参照上面的操作:
  *****************************************************
  第2次:

 
  00451D7D    8B05 49C94300      mov eax,dword ptr ds:[43C949]
  00451D83    FF35 45CA4300      push dword ptr ds:[43CA45]          ; ntdll.7C930738
  00451D89    8925 ADCA4300      mov dword ptr ds:[43CAAD],esp
  00451D8F    FF35 ADCA4300      push dword ptr ds:[43CAAD]
  00451D95    8B2C24            mov ebp,dword ptr ss:[esp]
  00451D98    8F05 3DCA4300      pop dword ptr ds:[43CA3D]
  00451D9E    50                push eax
  00451D9F    B8 71C94300        mov eax,XorIt_pr.0043C971
  00451DA4    8910              mov dword ptr ds:[eax],edx
  00451DA6    58                pop eax
  00451DA7    FF35 71C94300      push dword ptr ds:[43C971]
  00451DAD    51                push ecx
  00451DAE    890424            mov dword ptr ss:[esp],eax
  00451DB1    57                push edi
  00451DB2    BF F5CA4300        mov edi,XorIt_pr.0043CAF5
  00451DB7    8BC7              mov eax,edi
  00451DB9    5F                pop edi
  00451DBA    57                push edi
  00451DBB    8BF8              mov edi,eax
  00451DBD    8BD7              mov edx,edi
  00451DBF    5F                pop edi
  00451DC0    8F05 D9C94300      pop dword ptr ds:[43C9D9]
  00451DC6    8B05 D9C94300      mov eax,dword ptr ds:[43C9D9]
  00451DCC    90                nop
  00451DCD    60                pushad
  00451DCE    EB 0C              jmp short XorIt_pr.00451DDC
  
  8B 05 49 C9 43 00 FF 35 45 CA 43 00 89 25 AD CA 43 00 FF 35 AD CA 43 00 8B 2C 24 8F 05 3D CA 43
  00 50 B8 71 C9 43 00 89 10 58 FF 35 71 C9 43 00 51 89 04 24 57 BF F5 CA 43 00 8B C7 5F 57 8B F8
  8B D7 5F 8F 05 D9 C9 43 00 8B 05 D9 C9 43 00 90

  
  第3次:

 
  00451FBE    8902              mov dword ptr ds:[edx],eax
  00451FC0    8F05 DDCA4300      pop dword ptr ds:[43CADD]
  00451FC6    51                push ecx
  00451FC7    B9 DDCA4300        mov ecx,XorIt_pr.0043CADD
  00451FCC    8B11              mov edx,dword ptr ds:[ecx]
  00451FCE    59                pop ecx
  00451FCF    FF35 F5CA4300      push dword ptr ds:[43CAF5]
  00451FD5    C70424 FFFFFFFF    mov dword ptr ss:[esp],-1
  00451FDC    8935 31C94300      mov dword ptr ds:[43C931],esi
  00451FE2    FF35 31C94300      push dword ptr ds:[43C931]
  00451FE8    8F05 6DC84300      pop dword ptr ds:[43C86D]
  00451FEE    FF35 6DC84300      push dword ptr ds:[43C86D]
  00451FF4    8915 15CA4300      mov dword ptr ds:[43CA15],edx
  00451FFA    FF35 15CA4300      push dword ptr ds:[43CA15]
  00452000    68 98224200        push XorIt_pr.00422298
  00452005    5A                pop edx
  00452006    50                push eax
  00452007    B8 C5C84300        mov eax,XorIt_pr.0043C8C5
  0045200C    8910              mov dword ptr ds:[eax],edx
  0045200E    60                pushad
  0045200F    7E 0B              jle short XorIt_pr.0045201C
  
  89 02 8F 05 DD CA 43 00 51 B9 DD CA 43 00 8B 11 59 FF 35 F5 CA 43 00 C7 04 24 FF FF FF FF 89 35
  31 C9 43 00 FF 35 31 C9 43 00 8F 05 6D C8 43 00 FF 35 6D C8 43 00 89 15 15 CA 43 00 FF 35 15 CA
  43 00 68 98 22 42 00 5A 50 B8 C5 C8 43 00 89 10

  
  第4次:

 
  00452213    58                pop eax                            ; XorIt_pr.0043C8C5
  00452214    8B1424            mov edx,dword ptr ss:[esp]
  00452217    8F05 75CA4300      pop dword ptr ds:[43CA75]
  0045221D    FF35 C5C84300      push dword ptr ds:[43C8C5]          ; XorIt_pr.00422298
  00452223    8B3424            mov esi,dword ptr ss:[esp]
  00452226    8F05 91C94300      pop dword ptr ds:[43C991]
  0045222C    57                push edi
  0045222D    BF 69C84300        mov edi,XorIt_pr.0043C869
  00452232    8937              mov dword ptr ds:[edi],esi
  00452234    5F                pop edi
  00452235    FF35 69C84300      push dword ptr ds:[43C869]
  0045223B    8F05 B9C84300      pop dword ptr ds:[43C8B9]
  00452241    8B3424            mov esi,dword ptr ss:[esp]
  00452244    8F05 21C94300      pop dword ptr ds:[43C921]
  0045224A    FF35 B9C84300      push dword ptr ds:[43C8B9]
  00452250    891D 81C94300      mov dword ptr ds:[43C981],ebx
  00452256    FF35 81C94300      push dword ptr ds:[43C981]
  0045225C    891424            mov dword ptr ss:[esp],edx
  0045225F    890424            mov dword ptr ss:[esp],eax
  00452262    90                nop
  00452263    60                pushad
  00452264    7A 11              jpe short XorIt_pr.00452277
  
  58 8B 14 24 8F 05 75 CA 43 00 FF 35 C5 C8 43 00 8B 34 24 8F 05 91 C9 43 00 57 BF 69 C8 43 00 89
  37 5F FF 35 69 C8 43 00 8F 05 B9 C8 43 00 8B 34 24 8F 05 21 C9 43 00 FF 35 B9 C8 43 00 89 1D 81
  C9 43 00 FF 35 81 C9 43 00 89 14 24 89 04 24 90

  
  第5次:

 
  0045248C    891C24            mov dword ptr ss:[esp],ebx
  0045248F    C70424 D4724000    mov dword ptr ss:[esp],XorIt_pr.004>
  00452496    64:A1 00000000    mov eax,dword ptr fs:[0]
  0045249C    891D 29CA4300      mov dword ptr ds:[43CA29],ebx
  004524A2    FF35 29CA4300      push dword ptr ds:[43CA29]
  004524A8    893C24            mov dword ptr ss:[esp],edi
  004524AB    891424            mov dword ptr ss:[esp],edx
  004524AE    890D D1C94300      mov dword ptr ds:[43C9D1],ecx
  004524B4    FF35 D1C94300      push dword ptr ds:[43C9D1]
  004524BA    890424            mov dword ptr ss:[esp],eax
  004524BD    8915 EDC84300      mov dword ptr ds:[43C8ED],edx
  004524C3    FF35 EDC84300      push dword ptr ds:[43C8ED]
  004524C9    68 B1C94300        push XorIt_pr.0043C9B1
  004524CE    5A                pop edx
  004524CF    52                push edx
  004524D0    58                pop eax
  004524D1    5A                pop edx
  004524D2    50                push eax
  004524D3    5A                pop edx
  004524D4    8F05 4DCA4300      pop dword ptr ds:[43CA4D]
  004524DA    90                nop
  004524DB    90                nop
  004524DC    60                pushad
  004524DD    EB 0A              jmp short XorIt_pr.004524E9
  
  89 1C 24 C7 04 24 D4 72 40 00 64 A1 00 00 00 00 89 1D 29 CA 43 00 FF 35 29 CA 43 00 89 3C 24 89
  14 24 89 0D D1 C9 43 00 FF 35 D1 C9 43 00 89 04 24 89 15 ED C8 43 00 FF 35 ED C8 43 00 68 B1 C9
  43 00 5A 52 58 5A 50 5A 8F 05 4D CA 43 00 90 90

  
  第6次:

 
  004526D7    55                push ebp
  004526D8    8F05 E5CA4300      pop dword ptr ds:[43CAE5]
  004526DE    60                pushad
  004526DF    61                popad
  004526E0    8B05 4DCA4300      mov eax,dword ptr ds:[43CA4D]
  004526E6    8902              mov dword ptr ds:[edx],eax
  004526E8    8F05 D5C94300      pop dword ptr ds:[43C9D5]
  004526EE    FF35 D5C94300      push dword ptr ds:[43C9D5]
  004526F4    5A                pop edx
  004526F5    FF35 B1C94300      push dword ptr ds:[43C9B1]
  004526FB    64:8925 00000000  mov dword ptr fs:[0],esp
  00452702    83C4 A4            add esp,-5C
  00452705    57                push edi
  00452706    BF C1CA4300        mov edi,XorIt_pr.0043CAC1
  0045270B    891F              mov dword ptr ds:[edi],ebx
  0045270D    5F                pop edi
  0045270E    FF35 C1CA4300      push dword ptr ds:[43CAC1]
  00452714    8F05 99CA4300      pop dword ptr ds:[43CA99]
  0045271A    FF35 99CA4300      push dword ptr ds:[43CA99]
  00452720    891D 51CA4300      mov dword ptr ds:[43CA51],ebx
  00452726    FF35 51CA4300      push dword ptr ds:[43CA51]
  0045272C    893424            mov dword ptr ss:[esp],esi
  0045272F    90                nop
  00452730    60                pushad
  00452731    E8 0E000000        call XorIt_pr.00452744
  
  55 8F 05 E5 CA 43 00 60 61 8B 05 4D CA 43 00 89 02 8F 05 D5 C9 43 00 FF 35 D5 C9 43 00 5A FF 35
  B1 C9 43 00 64 89 25 00 00 00 00 83 C4 A4 57 BF C1 CA 43 00 89 1F 5F FF 35 C1 CA 43 00 8F 05 99
  CA 43 00 FF 35 99 CA 43 00 89 1D 51 CA 43 00 FF 35 51 CA 43 00 89 34 24 90
  
  第7次:
  0045292F    8F05 2DC94300      pop dword ptr ds:[43C92D]          ; kernel32.7C816FD7
  00452935    FF35 2DC94300      push dword ptr ds:[43C92D]
  0045293B    891D 69C94300      mov dword ptr ds:[43C969],ebx
  00452941    FF35 69C94300      push dword ptr ds:[43C969]
  00452947    893C24            mov dword ptr ss:[esp],edi
  0045294A    8F05 35C84300      pop dword ptr ds:[43C835]
  00452950    FF35 35C84300      push dword ptr ds:[43C835]
  00452956    8965 E8            mov dword ptr ss:[ebp-18],esp
  00452959    FF15 60824200      call dword ptr ds:[428260]          ; kernel32.GetVersion
  0045295F    A3 005A4200        mov dword ptr ds:[425A00],eax
  00452964    A1 005A4200        mov eax,dword ptr ds:[425A00]
  00452969    C1E8 08            shr eax,8
  0045296C    25 FF000000        and eax,0FF
  00452971    A3 0C5A4200        mov dword ptr ds:[425A0C],eax
  00452976    FF35 005A4200      push dword ptr ds:[425A00]
  0045297C    8B0C24            mov ecx,dword ptr ss:[esp]
  0045297F    60                pushad
  00452980    E8 0C000000        call XorIt_pr.00452991
  
  8F 05 2D C9 43 00 FF 35 2D C9 43 00 89 1D 69 C9 43 00 FF 35 69 C9 43 00 89 3C 24 8F 05 35 C8 43
  00 FF 35 35 C8 43 00 89 65 E8 FF 15 60 82 42 00 A3 00 5A 42 00 A1 00 5A 42 00 C1 E8 08 25 FF 00
  00 00 A3 0C 5A 42 00 FF 35 00 5A 42 00 8B 0C 24

  
  第8次:

 
  00452B7D    8F05 31C84300      pop dword ptr ds:[43C831]
  00452B83    81E1 FF000000      and ecx,0FF
  00452B89    8905 B9C94300      mov dword ptr ds:[43C9B9],eax
  00452B8F    FF35 B9C94300      push dword ptr ds:[43C9B9]
  00452B95    C705 BDC84300 D1C8>mov dword ptr ds:[43C8BD],XorIt_pr.>
  00452B9F    8B05 BDC84300      mov eax,dword ptr ds:[43C8BD]
  00452BA5    8908              mov dword ptr ds:[eax],ecx
  00452BA7    8F05 3DC84300      pop dword ptr ds:[43C83D]
  00452BAD    8B05 3DC84300      mov eax,dword ptr ds:[43C83D]
  00452BB3    FF35 D1C84300      push dword ptr ds:[43C8D1]
  00452BB9    8F05 085A4200      pop dword ptr ds:[425A08]
  00452BBF    52                push edx
  00452BC0    BA 95C94300        mov edx,XorIt_pr.0043C995
  00452BC5    893A              mov dword ptr ds:[edx],edi
  00452BC7    5A                pop edx
  00452BC8    90                nop
  00452BC9    90                nop
  00452BCA    60                pushad
  00452BCB    E8 0B000000        call XorIt_pr.00452BDB
  
  8F 05 31 C8 43 00 81 E1 FF 00 00 00 89 05 B9 C9 43 00 FF 35 B9 C9 43 00 C7 05 BD C8 43 00 D1 C8
  43 00 8B 05 BD C8 43 00 89 08 8F 05 3D C8 43 00 8B 05 3D C8 43 00 FF 35 D1 C8 43 00 8F 05 08 5A
  42 00 52 BA 95 C9 43 00 89 3A 5A 90 90

  
  第9次:

 
  00452DC7    FF35 95C94300      push dword ptr ds:[43C995]
  00452DCD    890C24            mov dword ptr ss:[esp],ecx
  00452DD0    56                push esi
  00452DD1    8F05 9DCA4300      pop dword ptr ds:[43CA9D]
  00452DD7    FF35 9DCA4300      push dword ptr ds:[43CA9D]
  00452DDD    56                push esi
  00452DDE    C70424 085A4200    mov dword ptr ss:[esp],XorIt_pr.004>
  00452DE5    8F05 81C84300      pop dword ptr ds:[43C881]
  00452DEB    8B35 81C84300      mov esi,dword ptr ds:[43C881]
  00452DF1    8905 0DCB4300      mov dword ptr ds:[43CB0D],eax
  00452DF7    FF35 0DCB4300      push dword ptr ds:[43CB0D]
  00452DFD    57                push edi
  00452DFE    8BFE              mov edi,esi
  00452E00    8BC7              mov eax,edi
  00452E02    5F                pop edi
  00452E03    50                push eax
  00452E04    59                pop ecx
  00452E05    8F05 0DCA4300      pop dword ptr ds:[43CA0D]
  00452E0B    8B05 0DCA4300      mov eax,dword ptr ds:[43CA0D]
  00452E11    8B3424            mov esi,dword ptr ss:[esp]
  00452E14    90                nop
  00452E15    90                nop
  00452E16    60                pushad
  00452E17    7C 0E              jl short XorIt_pr.00452E27
  
  FF 35 95 C9 43 00 89 0C 24 56 8F 05 9D CA 43 00 FF 35 9D CA 43 00 56 C7 04 24 08 5A 42 00 8F 05
  81 C8 43 00 8B 35 81 C8 43 00 89 05 0D CB 43 00 FF 35 0D CB 43 00 57 8B FE 8B C7 5F 50 59 8F 05
  0D CA 43 00 8B 05 0D CA 43 00 8B 34 24 90 90

  
  第10次:

 
  00453032    8F05 E5C94300      pop dword ptr ds:[43C9E5]          ; kernel32.7C816FD7
  00453038    8B11              mov edx,dword ptr ds:[ecx]
  0045303A    8B0C24            mov ecx,dword ptr ss:[esp]
  0045303D    8F05 85C84300      pop dword ptr ds:[43C885]
  00453043    C1E2 08            shl edx,8
  00453046    0315 0C5A4200      add edx,dword ptr ds:[425A0C]
  0045304C    56                push esi
  0045304D    891424            mov dword ptr ss:[esp],edx
  00453050    8F05 21CA4300      pop dword ptr ds:[43CA21]
  00453056    FF35 21CA4300      push dword ptr ds:[43CA21]
  0045305C    8F05 045A4200      pop dword ptr ds:[425A04]
  00453062    A1 005A4200        mov eax,dword ptr ds:[425A00]
  00453067    C1E8 10            shr eax,10
  0045306A    25 FFFF0000        and eax,0FFFF
  0045306F    A3 005A4200        mov dword ptr ds:[425A00],eax
  00453074    90                nop
  00453075    90                nop
  00453076    60                pushad
  00453077    EB 0B              jmp short XorIt_pr.00453084
  
  8F 05 E5 C9 43 00 8B 11 8B 0C 24 8F 05 85 C8 43 00 C1 E2 08 03 15 0C 5A 42 00 56 89 14 24 8F 05
  21 CA 43 00 FF 35 21 CA 43 00 8F 05 04 5A 42 00 A1 00 5A 42 00 C1 E8 10 25 FF FF 00 00 A3 00 5A
  42 00 90 90

  
  第11次:
  弹出了一个试用窗口,如图:  

  
  我们先点“确定”关闭试用窗口,Alt+M打开内存镜像,在代码段00401000上F2下断,再点“确定”:

 
  004536FA  /EB 01              jmp short XorIt_pr.004536FD //确定后,程序中断在此
  004536FC  |E8 FF253F37        call 37845D00
  00453701    45                inc ebp
  00453702    0060 E8            add byte ptr ds:[eax-18],ah
  
  F8运行:
  004536FD  - FF25 3F374500      jmp dword ptr ds:[45373F]          ; XorIt_pr.00401FFC
  00453703    60                pushad
  00453704    E8 00000000        call XorIt_pr.00453709
  
  在jmp dword ptr ds:[45373F]处F8,就直奔FOEP(假OEP)了:
  00401FFC    6A 00              push 0
  00401FFE    E8 ED500000        call XorIt_pr.004070F0
  00402003    83C4 04            add esp,4
  00402006    85C0              test eax,eax
  00402008    75 0A              jnz short XorIt_pr.00402014
  0040200A    6A 1C              push 1C
  0040200C    E8 FF000000        call XorIt_pr.00402110
  00402011    83C4 04            add esp,4
  00402014    C745 FC 00000000  mov dword ptr ss:[ebp-4],0
  0040201B    E8 604D0000        call XorIt_pr.00406D80
  00402020    FF15 5C824200      call dword ptr ds:[42825C]          ; kernel32.GetCommandLineA
  00402026    A3 58734200        mov dword ptr ds:[427358],eax
  0040202B    E8 304B0000        call XorIt_pr.00406B60
  00402030    A3 C8594200        mov dword ptr ds:[4259C8],eax
  00402035    E8 16460000        call XorIt_pr.00406650
  0040203A    E8 C1440000        call XorIt_pr.00406500
  0040203F    E8 1C400000        call XorIt_pr.00406060
  00402044    C745 D0 00000000  mov dword ptr ss:[ebp-30],0
  0040204B    8D4D A4            lea ecx,dword ptr ss:[ebp-5C]
  0040204E    51                push ecx
  0040204F    FF15 58824200      call dword ptr ds:[428258]          ; kernel32.GetStartupInfoA
  00402055    E8 E6430000        call XorIt_pr.00406440

  
  典型的VC结构,可惜Stolen Code的代码太多了,这就是我们需要记录上面那么多代码的原因了!
  我们取消下在代码段上的断点,用LoadPE来dump出完整的程序,然后用ImportREC来修复一下指针:
  
  IAT SIZE需要手动计算一下,这里为:180
  修复之后,用OD载入修复的程序,Alt+M打开内存镜像,注意在这里:
  Memory map, 条目 30
  地址=00455000      //要的是这个地址,哈,我们在这个段找一大块空白来填补代码
  大小=00001000 (4096.)
  属主=dumped_  00400000
  区段=.mackt
  包含=输入表
  类型=Imag 01001002
  访问=R
  初始访问=RWE
  
  
  Ctrl+G来到00455000:
  找到:
  004554C0    0000                add byte ptr ds:[eax],al
  
  选中一个足够大的空白块(能放下我们先前记录的全部Stolen Code),把这些代码依次填进去,然后在结尾补上跳转到FOEP的指令:
  push 00401FFC
  retn
  
  保存一份,再用LoadPE打开,将程序入口地址(EntryPoint RVA)改为:554C0(即004554C0减去基址00400000),保存,运行,哈哈,成功!
  
——————————————————————————–
【版权声明】: 转载请注明作者并保持文章的完整, 谢谢!                                                      

2008年06月15日 18:08:47

XorIt.protected.rar
