Unpacking write-up by: 8100303   Posted: 2006-5-29 17:53   Link: http://www.unpack.cn/viewthread.php?tid=4790   Author's note: this is purely out of interest, with no other purpose; just a few notes, and please correct me where I am wrong. Thanks to VolX for the script. My English is poor, please excuse it.
1. Use the script to find the OEP:
There is stolen code at the OEP:
00ED0257 55 push ebp
00ED0258 336C24 08 xor ebp, [esp+8]
00ED025C 336C24 28 xor ebp, [esp+28]
00ED0260 EB 02 jmp short 00ED0264
00ED0262 CD20 1BED23ED vxdjump ED23ED1B
00ED0268 8D6C0C 1A lea ebp, [esp+ecx+1A]
00ED026C 2E:EB 01 jmp short 00ED0270
00ED026F F3: prefix rep:
00ED0270 2BE9 sub ebp, ecx
The real OEP is here:
0043E830 - E9 221AA900 jmp 00ED0257
0043E835 195C89 B9 sbb [ecx+ecx*4-47], ebx
0043E839 2F das
0043E83A A2 8D423C69 mov [693C428D], al
0043E83F B7 03 mov bh, 3
0043E841 68 F9D8C601 push 1C6D8F9
0043E846 8904E6 mov [esi], eax
0043E849 48 dec eax
0043E84A 95 xchg eax, ebp
2. Run the program again and use the script to fix the IAT.
3. Once the IAT is fixed, repair the stolen code, then dump the program and fix the import table.
There are two ways to repair the stolen code:
One is to repair it by hand: take the OEP of another program written in the same language as a reference and restore the code back to the original OEP. This suits people with plenty of time who insist on a perfect result.
The other is to paste the sections directly. I chose the latter: dump the regions with LordPE and paste the stolen code and the sections the VM needs into the dumped program:
Memory map
Address  Size  Owner  Section  Contains  Type  Access  Initial access  Mapped as
00CD0000 00043000 Priv RWE RWE
00D20000 00014000 Priv RW
00EA0000 00001000 Priv RWE RWE
00ED0000 00004000 Priv RWE RWE
00EF0000 00001000 Priv RWE RWE
00F00000 00001000 Priv RWE RWE
00F10000 00001000 Priv RWE RWE
00F20000 00001000 Priv RWE RWE
00F30000 00001000 Priv RWE RWE
00F40000 00001000 Priv RWE RWE
00F50000 00010000 Priv RWE RWE
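As an added example (not part of the original post, and not what the VolX script does), the following Python decodes the relative jumps that appear in the listings above (the `E9` at the real OEP and the short `EB` jumps inside the stub, including the one behind a `2E` segment prefix) and looks the target up in the memory map just quoted. The memory-map rows and byte sequences are transcribed from this post; the rule "entry point jumps into a private executable region" is the analyst's triage heuristic for stolen-code / VM stubs, useful when checking a memory dump for this layout.

```python
import struct

# Memory-map rows transcribed from the OllyDbg listing in the post:
# address, size, type, access, initial access (the RW row has no initial-access column).
MEMORY_MAP_TEXT = """\
00CD0000 00043000 Priv RWE RWE
00D20000 00014000 Priv RW
00EA0000 00001000 Priv RWE RWE
00ED0000 00004000 Priv RWE RWE
00EF0000 00001000 Priv RWE RWE
00F00000 00001000 Priv RWE RWE
00F10000 00001000 Priv RWE RWE
00F20000 00001000 Priv RWE RWE
00F30000 00001000 Priv RWE RWE
00F40000 00001000 Priv RWE RWE
00F50000 00010000 Priv RWE RWE
"""

# Bytes shown at the real OEP, exactly as OllyDbg printed them (E9 + little-endian rel32).
OEP_ADDR = 0x0043E830
OEP_BYTES = bytes.fromhex("E9221AA900")  # jmp 00ED0257

# Legacy prefixes that may sit in front of a jmp without changing its encoding
# (segment overrides and rep/repne; the stub above uses a CS override, 2E).
LEGACY_PREFIXES = {0x26, 0x2E, 0x36, 0x3E, 0x64, 0x65, 0xF2, 0xF3}


def parse_memory_map(text):
    """Parse 'address size type access [initial]' rows into (start, end, type, access)."""
    regions = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        start, size = int(fields[0], 16), int(fields[1], 16)
        regions.append((start, start + size, fields[2], fields[3]))
    return regions


def decode_jmp(addr, code):
    """Return the target of 'jmp rel8' (EB) or 'jmp rel32' (E9) encoded at addr.

    Leading legacy prefixes are skipped but counted, because the displacement is
    relative to the end of the whole instruction, prefixes included.
    """
    i = 0
    while i < len(code) and code[i] in LEGACY_PREFIXES:
        i += 1
    opcode = code[i]
    if opcode == 0xEB:
        rel = struct.unpack_from("<b", code, i + 1)[0]
        length = i + 2
    elif opcode == 0xE9:
        rel = struct.unpack_from("<i", code, i + 1)[0]
        length = i + 5
    else:
        raise ValueError("not a jmp rel8/rel32: opcode %02X" % opcode)
    return (addr + length + rel) & 0xFFFFFFFF


def find_region(regions, addr):
    """Return the map row containing addr, or None when it lies outside every row."""
    for region in regions:
        if region[0] <= addr < region[1]:
            return region
    return None


def classify_entry_jump(addr, code, regions):
    """Decode the jump at the entry point and report whether it lands in private
    executable memory, the layout a stolen-code / VM stub produces."""
    target = decode_jmp(addr, code)
    region = find_region(regions, target)
    suspicious = region is not None and region[2] == "Priv" and "E" in region[3]
    return {"target": target, "region": region, "suspicious": suspicious}


if __name__ == "__main__":
    regions = parse_memory_map(MEMORY_MAP_TEXT)
    result = classify_entry_jump(OEP_ADDR, OEP_BYTES, regions)
    print("jmp at %08X -> %08X" % (OEP_ADDR, result["target"]))
    if result["suspicious"]:
        start, end, kind, access = result["region"]
        print("target lies in %s %s region %08X-%08X (stolen-code / VM stub)"
              % (kind, access, start, end))
```

Run as a script, it reports that the jump at 0043E830 lands at 00ED0257, inside the 00ED0000-00ED4000 private RWE region, which is exactly the region the post pastes back into the dump. The same decoder resolves the short jumps in the stub (00ED0260 to 00ED0264, and the prefixed one at 00ED026C to 00ED0270), which is handy for reading obfuscated stubs that pad themselves with junk bytes between jumps.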
4. The packer has one integrity check; deal with it:
00CF8A58 /EB 01 jmp short 00CF8A5B
00CF8A5A |90 nop
00CF8A5B \8B73 30 mov esi, [ebx+30]
00CF8A5E 8B7B 14 mov edi, [ebx+14]
00CF8A61 A1 F037D000 mov eax, [D037F0]
00CF8A66 8B40 34 mov eax, [eax+34]
00CF8A69 FFD0 call eax
00CF8A6B 2945 0C sub [ebp+C], eax
00CF8A6E 8B45 0C mov eax, [ebp+C]
00CF8A71 2B43 18 sub eax, [ebx+18]
00CF8A74 2B43 68 sub eax, [ebx+68]
00CF8A77 8945 FC mov [ebp-4], eax
00CF8A7A 8D43 24 lea eax, [ebx+24]
00CF8A7D 8945 F8 mov [ebp-8], eax
00CF8A80 85FF test edi, edi
00CF8A82 76 38 jbe short 00CF8ABC
00CF8A84 EB 01 jmp short 00CF8A87
00CF8A86 C7 ??? ; unknown command
00CF8A87 8B45 F8 mov eax, [ebp-8]
00CF8A8A 0FB600 movzx eax, byte ptr [eax]
00CF8A8D 8B5483 40 mov edx, [ebx+eax*4+40]
00CF8A91 8BC6 mov eax, esi
00CF8A93 FFD2 call edx
00CF8A95 3B45 FC cmp eax, [ebp-4]
00CF8A98 75 1A jnz short 00CF8AB4
00CF8A9A 8B45 10 mov eax, [ebp+10]
00CF8A9D 50 push eax
00CF8A9E 8B45 14 mov eax, [ebp+14]
00CF8AA1 50 push eax
00CF8AA2 E8 19FAFFFF call 00CF84C0
00CF8AA7 50 push eax
00CF8AA8 8BCE mov ecx, esi
00CF8AAA 8B55 18 mov edx, [ebp+18]
00CF8AAD 8BC3 mov eax, ebx
00CF8AAF E8 D4FDFFFF call 00CF8888
00CF8AB4 4F dec edi
00CF8AB5 0373 6C add esi, [ebx+6C]
00CF8AB8 85FF test edi, edi
00CF8ABA ^ 77 CB ja short 00CF8A87
Above is the check; below comes error code 111.
00CF8ABC 68 D88ACF00 push 0CF8AD8 ; ASCII "111",CR,LF
00CF8AC1 E8 66C3FEFF call 00CE4E2C
00CF8AC6 5F pop edi
00CF8AC7 5E pop esi
00CF8AC8 5B pop ebx
00CF8AC9 59 pop ecx
00CF8ACA 59 pop ecx
00CF8ACB 5D pop ebp
00CF8ACC C2 1400 retn 14
5. Cracking: not worth discussing, omitted.