脱壳练习(穿山甲的,早期版本)[早期视频]

网上下载的样本,花了一上午跟了下来,
终于脱了出来。虽然简单,还是放上来让大家也练练手,
软件本身不怎么样,主要是练手!提醒一句:网上下载的加壳样本来历不明,调试和运行都请在隔离的虚拟机中进行。

PEiD 查过显示为:Armadillo 1.xx – 2.xx -> Silicon Realms Toolworks [Overlay]
建议把视频和本文结合起来看。

用ArmaFp查过显示为:
<------- 05-08-2008 12:26:36 ------->
G:\download\maginame.exe
!- Protected Armadillo
Protection system (Basic)
!-
Standard protection or Minimum protection
!-
No Registry Keys at All
!-
Best/Slowest Compression
!-
!- Version 2.85 19Feb2003 (Build 2673)
!- Elapsed Time 00h 00m 00s 375ms

一、OD载入后,程序停在:

0058B0B9 >  55                 push ebp 
0058B0BA    8BEC               mov ebp,esp
0058B0BC    6A FF              push -1
0058B0BE    68 68325A00        push maginame.005A3268
0058B0C3    68 00AB5800        push maginame.0058AB00
0058B0C8    64:A1 00000000     mov eax,dword ptr fs:[0]
0058B0CE    50                 push eax
0058B0CF    64:8925 00000000   mov dword ptr fs:[0],esp
0058B0D6    83EC 58            sub esp,58
0058B0D9    53                 push ebx
0058B0DA    56                 push esi
0058B0DB    57                 push edi
0058B0DC    8965 E8            mov dword ptr ss:[ebp-18],esp
0058B0DF    FF15 28015A00      call dword ptr ds:[<&KERNEL32.GetVe>; kernel32.GetVersion

按 Ctrl+G 转到 VirtualProtect,在其段尾(retn 处)下断,Shift+F9 运行,断下时堆栈显示:

0012DF08   00CF1C8A  返回到 00CF1C8A 来自 kernel32.VirtualProtect 
0012DF0C   00401000  maginame.00401000
0012DF10   00152000

此时取消断点并返回,再 Ctrl+G 转到 CreateThread,在段尾下断。
断下后取消断点,单步跟踪,就来到了这里:

00CF3C22    03C2               add eax,edx 
00CF3C24    FFD0               call eax
00CF3C26    EB 2C              jmp short 00CF3C54
00CF3C28    83F8 01            cmp eax,1
00CF3C2B    75 29              jnz short 00CF3C56
00CF3C2D    E8 F691FFFF        call 00CECE28
00CF3C32    FF76 04            push dword ptr ds:[esi+4]
00CF3C35    8BF8               mov edi,eax
00CF3C37    A1 2068D000        mov eax,dword ptr ds:[D06820]
00CF3C3C    FF76 08            push dword ptr ds:[esi+8]
00CF3C3F    8B48 74            mov ecx,dword ptr ds:[eax+74]
00CF3C42    3348 44            xor ecx,dword ptr ds:[eax+44]
00CF3C45    6A 00              push 0
00CF3C47    3348 08            xor ecx,dword ptr ds:[eax+8]
00CF3C4A    03F9               add edi,ecx
00CF3C4C    E8 D791FFFF        call 00CECE28
00CF3C51    50                 push eax
00CF3C52    FFD7               call edi===========此处 F7 跟进,就到了 OEP(00552CC0)!
00CF3C54    8BD8               mov ebx,eax
00CF3C56    5F                 pop edi
00CF3C57    8BC3               mov eax,ebx
00CF3C59    5E                 pop esi
00CF3C5A    5B                 pop ebx
00CF3C5B    C3                 retn

到达 OEP 后,随便跟进一个 CALL,定位到 IAT 表,找一个被加密的 IAT 指针(指向壳的地址空间 00CExxxx,而不是系统 DLL):

 
0056C1E0  7C80BDB6  kernel32.lstrlenA
0056C1E4  7C810111  kernel32.lstrcpynA
0056C1E8  7C80BE01  kernel32.lstrcpyA
0056C1EC  00CE5070
0056C1F0  7C80A415  kernel32.GetThreadLocale
0056C1F4  7C801EEE  kernel32.GetStartupInfoA
0056C1F8  00CE4B58
0056C1FC  7C80B6A1  kernel32.GetModuleHandleA

二、在 00CE5070 处下硬件访问断点,然后 Ctrl+F2 重新载入程序,Shift+F9 运行,断在壳填充 IAT 的循环中:

00CF20FD    50                 push eax
00CF20FE    FF15 08B1CF00      call dword ptr ds:[CFB108]          ; kernel32.VirtualProtect
00CF2104    6A 01              push 1
00CF2106    58                 pop eax
00CF2107    85C0               test eax,eax
00CF2109    0F84 7D010000      je 00CF228C
......(中间省略)......
00CF220C    8985 9CFEFFFF      mov dword ptr ss:[ebp-164],eax
00CF2212    FFB5 64FCFFFF      push dword ptr ss:[ebp-39C]
00CF2218    FFB5 88FCFFFF      push dword ptr ss:[ebp-378]
00CF221E    E8 3529FFFF        call 00CE4B58
  //关键 CALL,返回的 EAX 就是(加密或未加密的)IAT 指针,F7 跟进
{
  

00CE4BBD    66:3BDF            cmp bx,di 
  00CE4BC0    74 06              je short 00CE4BC8
  00CE4BC2    66:3B5E 04         cmp bx,word ptr ds:[esi+4]
  00CE4BC6    EB 0E              jmp short 00CE4BD6
  00CE4BC8    FF36               push dword ptr ds:[esi]
  00CE4BCA    FF75 0C            push dword ptr ss:[ebp+C]
  00CE4BCD    E8 0E5D0100        call 00CFA8E0
  00CE4BD2    59                 pop ecx
  00CE4BD3    59                 pop ecx
  00CE4BD4    85C0               test eax,eax
  00CE4BD6    74 0A              je short 00CE4BE2
  00CE4BD8    83C6 10            add esi,10
  00CE4BDB    397E 08            cmp dword ptr ds:[esi+8],edi
  00CE4BDE  ^ 75 DD              jnz short 00CE4BBD============循环遍历壳内的一张表,逐项比较当前导入函数是否在需要加密(重定向)的名单中
     //为了避开 IAT 加密,直接把这个跳转 NOP 掉,循环不再继续,基本上都走下面返回正常指针的分支(个别项仍可能被加密,见后面复制出来的表)
  
  00CE4BE0  ^ EB B9              jmp short 00CE4B9B============返回正常的IAT指针
  00CE4BE2    8B46 08            mov eax,dword ptr ds:[esi+8]
  00CE4BE5  ^ EB C1              jmp short 00CE4BA8============返回加密后的IAT指针

}

00CF2223    8985 6CFCFFFF      mov dword ptr ss:[ebp-394],eax
00CF2229    83BD 6CFCFFFF 00   cmp dword ptr ss:[ebp-394],0
00CF2230    75 38              jnz short 00CF226A
00CF226A    8B85 74FCFFFF      mov eax,dword ptr ss:[ebp-38C]
00CF2270    8B8D 6CFCFFFF      mov ecx,dword ptr ss:[ebp-394]
00CF2276    8908               mov dword ptr ds:[eax],ecx
  //这里就是把(加密后的)IAT 指针写回 0056C1EC 这个 IAT 槽位
00CF2278    8B85 74FCFFFF      mov eax,dword ptr ss:[ebp-38C]      ; maginame.0056C1EC
  //循环几次后就停在了这里:
00CF227E    83C0 04            add eax,4
00CF2281    8985 74FCFFFF      mov dword ptr ss:[ebp-38C],eax
00CF2287  ^ E9 78FEFFFF        jmp 00CF2104

好了,重新来过:
在 VirtualProtect 段尾下好断点,Shift+F9 运行,留意堆栈:

 
0012DF08   00CF1C8A  返回到 00CF1C8A 来自 kernel32.VirtualProtect
0012DF0C   00401000  maginame.00401000
0012DF10   00152000

此时返回,然后来到00CF20FD,按F2下断,F9运行:

 
00CF20FD    50                 push eax                            ; maginame.0056C1A4
00CF20FE    FF15 08B1CF00      call dword ptr ds:[CFB108]          ; kernel32.VirtualProtect
00CF2104    6A 01              push 1
00CF2106    58                 pop eax
00CF2107    85C0               test eax,eax
00CF2109    0F84 7D010000      je 00CF228C
00CF210F    83A5 6CFCFFFF 00   and dword ptr ss:[ebp-394],0

取消断点后,直接转到:
00CE4BDE  ^ 75 DD              jnz short 00CE4BBD
将其 NOP 掉,Shift+F9 运行。程序会出错(跳转被改后壳的后续流程已被破坏,属预期现象),不用理会;此时 IAT 已基本填好,直接把需要的 IAT 表从内存中二进制复制出来。注意:下面这张表里的 7C8xxxxx、77xxxxxx 等地址只对本次调试环境中各 DLL 的加载基址有效;表中仍有个别项(如 00CE5231、00CE6236)指向壳的地址空间,说明这几项没有避开加密,dump 后修复导入表时需要单独处理。

00 00 00 00 28 97 80 7C 8A 18 93 7C ED 10 92 7C 05 10 92 7C F1 9E 80 7C E4 9A 80 7C 51 9A 80 7C 
2F 99 80 7C 8D 99 80 7C 7A 97 80 7C 66 97 80 7C D1 B9 80 7C D4 A0 80 7C DD 60 83 7C F8 9B 80 7C
B6 BD 80 7C 11 01 81 7C 01 BE 80 7C 4F 1D 80 7C 15 A4 80 7C EE 1E 80 7C A0 AD 80 7C A1 B6 80 7C
CF B4 80 7C 62 D2 80 7C 31 03 93 7C FE 4F 83 7C 1D 2F 81 7C DE AB 80 7C D9 37 81 7C D7 ED 80 7C
31 52 CE 00 58 C0 80 7C 37 06 81 7C 87 0D 81 7C 2A 2E 86 7C 8E 0B 81 7C 44 20 83 7C 40 7A 95 7C
0E 18 80 7C 09 2A 81 7C 8F 5E 83 7C 39 2F 81 7C 77 0A 81 7C 51 0E 81 7C 24 1A 80 7C 47 9B 80 7C
00 00 00 00 9B 11 D3 77 A8 DF D2 77 36 62 CE 00 50 DF D2 77 00 00 00 00 83 78 DA 77 1B 76 DA 77
F0 6B DA 77 00 00 00 00 EE 6A 0F 77 22 4E 0F 77 20 49 0F 77 7E 4C 0F 77 80 48 0F 77 05 45 12 77
A7 4B 0F 77 00 00 00 00 C5 9B 80 7C 40 97 80 7C 8D 99 80 7C A1 B6 80 7C CF B4 80 7C 00 00 00 00
83 78 DA 77 10 CC DC 77 1B 76 DA 77 08 B9 DB 77 F4 EA DA 77 F0 6B DA 77 00 00 00 00 01 BE 80 7C
74 0D 83 7C 54 5D 83 7C 87 0D 81 7C 6D 13 86 7C 20 25 80 7C D1 B9 80 7C 51 9A 80 7C 74 B9 80 7C
32 97 83 7C 42 24 80 7C 69 BC 80 7C BA BB 81 7C B8 1C 83 7C 8E 0B 81 7C 82 27 81 7C 17 A0 80 7C
0F AC 80 7C 44 20 83 7C F7 28 83 7C 0E 18 80 7C C6 97 80 7C 05 B9 80 7C 97 CC 80 7C 24 55 83 7C
B5 9F 80 7C 77 1D 80 7C ED 10 92 7C F1 9E 80 7C 82 FE 80 7C B9 23 81 7C B9 4C 83 7C 19 FF 80 7C
2F FC 80 7C BB 0B 83 7C 2D FD 80 7C A9 60 83 7C A5 1B 82 7C DE 2A 81 7C DA 11 81 7C 9C 92 80 7C
15 A4 80 7C CA 5D 83 7C FF 08 86 7C 56 2D 81 7C A0 AD 80 7C 56 2B 83 7C A1 B6 80 7C CF B4 80 7C
14 0B 83 7C 62 D2 80 7C D4 A7 80 7C 31 03 93 7C 45 1C 83 7C 77 0A 81 7C 3C 15 81 7C 35 14 82 7C
F2 4A 81 7C E3 14 82 7C ED 02 83 7C EE 61 83 7C 28 97 80 7C 20 99 80 7C 76 2E 81 7C C2 60 82 7C
DE AB 80 7C A0 F7 82 7C 89 BE 80 7C B1 4E 83 7C D9 37 81 7C D7 ED 80 7C 66 E8 80 7C 5D 06 83 7C
11 82 83 7C 05 10 92 7C 4E 21 83 7C AB 1E 83 7C 8A 18 93 7C 37 06 81 7C 5C 94 80 7C 24 1A 80 7C
AD 08 83 7C AC 17 82 7C 77 D0 80 7C 47 9B 80 7C 00 00 00 00 EA 22 A9 71 00 00 00 00 BA 18 BD 77
FF 19 BD 77 50 1A BD 77 00 00 00 00 87 D8 EF 77 67 B0 EF 77 EA BA EF 77 4D 8D EF 77 65 3A F0 77
85 C0 F1 77 4C 7B EF 77 0E 3B F0 77 77 5D EF 77 70 90 EF 77 20 D9 EF 77 EF B4 EF 77 8C CA F1 77
D9 94 EF 77 E5 70 F0 77 93 C2 F0 77 34 87 EF 77 DB 5E EF 77 29 5E EF 77 7A 83 EF 77 70 5B EF 77
A0 7A EF 77 27 8B EF 77 61 8A EF 77 0E EA EF 77 1B 82 EF 77 AB EA EF 77 D3 E0 EF 77 4D 5A F2 77
8F 98 F1 77 E3 85 EF 77 EB AD EF 77 92 AC EF 77 E7 D9 EF 77 D0 34 F2 77 56 6A EF 77 6E DA EF 77
B4 A3 F2 77 95 DF EF 77 4F DD EF 77 CD C1 F0 77 19 B3 EF 77 C1 61 EF 77 39 D7 EF 77 69 B4 EF 77
6A BA EF 77 5E 8C EF 77 0E 9F F2 77 D2 02 F0 77 C7 93 F1 77 6A 5A EF 77 E3 AA EF 77 65 AC EF 77
3F DA EF 77 BD E9 F0 77 3D 83 EF 77 A1 6A EF 77 C5 A2 EF 77 C3 A1 EF 77 86 59 EF 77 4A D4 EF 77
2C A0 EF 77 6B 19 F0 77 25 90 EF 77 FA 6B EF 77 54 FE EF 77 5F 6E EF 77 A5 61 EF 77 86 77 EF 77
D9 3F F0 77 19 B2 EF 77 05 B3 EF 77 1E ED EF 77 2D A9 EF 77 91 9A EF 77 E0 5F EF 77 0A 70 EF 77
B9 D9 EF 77 EF 61 EF 77 3D 74 F0 77 1D 9C EF 77 79 6F EF 77 00 00 00 00 10 A6 D1 77 8E BD D1 77
25 EE D3 77 0C 94 D1 77 7D FB D2 77 F9 D7 D1 77 56 16 D2 77 1D C7 D1 77 1E F2 D1 77 F6 8B D1 77
EF FA D2 77 EE 50 D6 77 62 07 D2 77 A4 D8 D1 77 B3 F2 D2 77 86 5F D5 77 2E FA D2 77 B2 FF D1 77
D1 11 D3 77 2B F5 D2 77 1B C0 D1 77 4C D8 D2 77 0D D6 D1 77 2E 8C D1 77 5B F9 D2 77 10 F7 D2 77
56 90 D1 77 C6 B5 D1 77 C0 FF D2 77 36 AC D6 77 96 F1 D4 77 75 02 D3 77 4D 3D D2 77 60 DA D1 77
58 BF D1 77 5E 0F D3 77 31 FE D2 77 CE D6 D1 77 85 3E D2 77 83 F3 D2 77 47 01 D3 77 F9 FE D2 77
C8 BD D1 77 54 00 D3 77 3E 8D D2 77 9D 86 D1 77 EA D6 D1 77 28 8E D1 77 28 8E D1 77 36 0A D2 77
6C BF D1 77 41 BD D1 77 D1 E1 D2 77 85 CB D1 77 6C C9 D1 77 37 02 D3 77 31 B6 D1 77 97 00 D3 77
89 96 D1 77 36 62 CE 00 3B 1F D3 77 2F BB D1 77 AA FE D2 77 A8 DF D2 77 02 60 D5 77 CE 08 D2 77
69 EF D1 77 F0 54 D2 77 42 8C D1 77 B2 C2 D1 77 65 C4 D1 77 A2 BD D1 77 33 B9 D1 77 26 BF D1 77
27 BE D1 77 51 C6 D3 77 0E 97 D1 77 09 F2 D4 77 AD E5 D3 77 F5 B5 D1 77 3F B5 D1 77 B0 F4 D4 77
EE EC D3 77 FD BE D1 77 80 8A D1 77 2B 21 D3 77 D4 B6 D1 77 87 03 D3 77 5D 94 D1 77 21 90 D1 77
1C F2 D2 77 9C 8F D1 77 70 DB D1 77 78 8E D1 77 8C 0C D2 77 47 F7 D2 77 C4 F6 D2 77 A2 0D D2 77
02 00 D3 77 2F B7 D1 77 7D BC D1 77 08 C4 D1 77 94 BF D1 77 EE EF D4 77 8F 8F D2 77 17 15 D2 77
68 EF D4 77 86 13 D2 77 7A 14 D3 77 3A 15 D3 77 29 EF D1 77 43 C2 D1 77 1E C2 D1 77 05 C5 D1 77
54 F4 D4 77 52 F0 D1 77 4B BE D1 77 F0 BE D1 77 3D 0B D2 77 69 D8 D1 77 D5 EE D1 77 75 E8 D1 77
C7 86 D1 77 76 BD D1 77 49 D7 D1 77 7A 0D D3 77 AE B6 D1 77 20 F4 D2 77 C7 EB D3 77 DA 94 D1 77
58 D6 D1 77 EA F8 D2 77 0A 21 D3 77 87 DE D2 77 57 C2 D1 77 A9 C4 D1 77 97 CD D1 77 F9 F4 D2 77
05 E5 D3 77 1D B6 D1 77 DB D8 D1 77 71 BE D1 77 DD 7D D6 77 87 F7 D1 77 56 0D D3 77 CA C6 D3 77
3C F4 D4 77 4E EB D1 77 34 D0 D3 77 07 E9 D3 77 0F F9 D2 77 B6 FB D2 77 B8 96 D1 77 EA DA D1 77
C8 EF D1 77 3D EF D1 77 3D EF D1 77 55 FA D1 77 29 D9 D1 77 EE D4 D1 77 54 F7 D4 77 05 F7 D4 77
33 FF D1 77 29 8C D2 77 C7 F2 D2 77 8F 6E D5 77 C4 04 D2 77 25 02 D3 77 88 C1 D1 77 D5 86 D2 77
7D 1A D3 77 42 F6 D1 77 5B F8 D1 77 09 B6 D1 77 07 D9 D1 77 F0 E6 D2 77 C2 E5 D2 77 3F AE D1 77
72 02 D2 77 2A D3 D2 77 00 00 00 00 DB 86 A2 76 00 00 00 00 A9 2F 1B 5D 3A E3 17 5D F5 2D 1B 5D
6D 40 1B 5D D6 2B 1B 5D 22 2D 1B 5D 82 2B 1B 5D CF 2C 1B 5D FA 2C 1B 5D A1 2C 1B 5D 1B 2C 1B 5D
59 2C 1B 5D DF 06 18 5D FD 68 18 5D 0C 2F 1B 5D F1 DF 18 5D 80 84 18 5D 6C B6 17 5D F4 C7 17 5D
C5 2E 1B 5D 78 D5 17 5D D8 03 18 5D 05 02 18 5D CF 65 17 5D 00 00 00 00 10 11 61 7D 00 00 00 00
F1 4B 60 7D 59 B3 5F 7D 58 BA 5B 7D 1F 6C 69 7D 00 00 00 00

三、重新载入程序,直奔OEP去:

 
00552CC0    55                 push ebp
00552CC1    8BEC               mov ebp,esp
00552CC3    83C4 F4            add esp,-0C
00552CC6    53                 push ebx
00552CC7    B8 38295500        mov eax,maginame.00552938
00552CCC    E8 E73CEBFF        call maginame.004069B8
00552CD1    8B1D 90ED5500      mov ebx,dword ptr ds:[55ED90]       ; maginame.0055F7D4

然后找到 IAT 的起始地址,把先前复制出来的完整 IAT 表以二进制方式粘贴回去:

 
IAT START:
0056C1A0  00000000
0056C1A4  7C809728  kernel32.GetCurrentThreadId

然后直接 Dump,再用 ImportREC 之类的工具以 00552CC0 为 OEP 修复导入表即可。修复时若有无效项(指向 00CExxxx 的),需要手工定位或用插件解决,不要直接删掉。

视频与目标软件打包在一起了(压缩包内含可执行文件,请只在虚拟机中运行):
[url=http://down.huacolor.com/down/blog/脱壳练习(早期版本的穿山甲).rar][color=#FF0000]点击下载[/color][/url]
