Title: Manually unpacking Armadillo v5.02 CopyMemII+DebugBlocker
Link: http://www.unpack.cn/viewthread.php?tid=17713
Poster: cxh852456
Date: 2007-9-21 22:40
1. Take the 5.02 version cracked by the forum and pack a target with it.
PEiD check: Armadillo V5.00 -> Silicon Realms Toolworks * Sign.By.fly *
2. Unpacking
After loading we stop at the EP; it is the fake VC8 entry point:
004424F2 > $ E8 E3400000 CALL Project1.004465DA
004424F7 .^ E9 16FEFFFF JMP Project1.00442312
004424FC $ 6A 0C PUSH 0C
004424FE . 68 B0004700 PUSH Project1.004700B0
00442503 . E8 44150000 CALL Project1.00443A4C
00442508 . 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
0044250B . 33FF XOR EDI,EDI
If you are not familiar with CopyMemII, read up on it first; experienced readers can skip this.
Set BP WaitForDebugEvent+5, run, break, and look at the stack:
0012DDA4 /0012F724
0012DDA8 |00431A08 返回到 Project1.00431A08 来自 kernel32.WaitForDebugEvent
0012DDAC |0012ECDC ---------------note this address; follow it in the dump window
0012DDB0 |000003E8
0012DDB4 |483502B8
Clear the breakpoint, set BP WriteProcessMemory instead, run, break, and look at the stack:
0012DD18 00434C40 /CALL 到 WriteProcessMemory 来自 Project1.00434C3A
0012DD1C 0000004C |hProcess = 0000004C (窗口)
0012DD20 00403000 |Address = 403000------------------------section containing the OEP
0012DD24 009D5C78 |Buffer = 009D5C78----------------------source buffer being written
0012DD28 00001000 |BytesToWrite = 1000 (4096.)------------write size
0012DD2C 0012DD64 \pBytesWritten = 0012DD64
Now look at the dump window:
0012ECDC 00000001
0012ECE0 00000B90
0012ECE4 00000B9C
0012ECE8 80000001
0012ECEC 00000000
0012ECF0 00000000
0012ECF4 00403414 Project1.00403414-----------------------OEP
0012ECF8 00000002
0012ECFC 00000008
0012ED00 00403414 Project1.00403414-----------------------OEP
0012ED04 00403414 Project1.00403414-----------------------OEP
0012ED08 AA1AFD64
0012ED0C 00000000
Now let's find where the OEP bytes are written. A simple calculation is needed:
00403414-403000=414
414+009D5C78=9D608C
Go there with Ctrl+G: 9D608C
009D608C 55 8B EC 83 C4 F0 B8 E4 33 40 00 E8 A4 FE FF FF U嬱兡鸶?@.瑜?
009D609C 6A 40 68 3C 34 40 00 68 48 34 40 00 6A 00 E8 45 j@h<4@.hH4@.j.鐴
009D60AC FF FF FF E8 C0 F9 FF FF C0 B6 CC EC B0 D7 D4 C6 枥?
009D60BC 00 00 00 00 41 72 6D 61 64 69 6C 6C 6F 2E 76 35 ....Armadillo.v5
009D60CC 2E 30 32 2E 50 75 62 6C 69 63 20 43 4F 50 59 4D .02.Public COPYM
009D60DC 45 4D 2D 49 49 2B 44 45 42 55 47 42 4C 4F 43 4B EM-II+DEBUGBLOCK
Change the first two bytes 55 8B to EB FE; 55 8B are in fact the first two bytes of the OEP.
After the change, step through to get back into the shell code: ALT+F9,
CTRL+F9, F8, and we arrive here:
0043201A . 8B15 F8134700 MOV EDX,DWORD PTR DS:[4713F8]
00432020 . 8D04B2 LEA EAX,DWORD PTR DS:[EDX+ESI*4]
00432023 . 50 PUSH EAX
00432024 . 8B8D A0F5FFFF MOV ECX,DWORD PTR SS:[EBP-A60]
0043202A . 51 PUSH ECX
0043202B . E8 A01A0000 CALL Project1.00433AD0---------------------key CALL, press Enter to follow it
00432030 . 83C4 0C ADD ESP,0C--------------------------------returns here
After following it, press CTRL+R to find references; two places call here. Double-click the second CALL and NOP it out. With that done, set
BP WaitForDebugEvent+5 again, run, break, and follow in the disassembler:
004319F0 DB7A F0 FSTP TBYTE PTR DS:[EDX-10]
004319F3 A0 336168E8 MOV AL,BYTE PTR DS:[E8686133]
004319F8 0300 ADD EAX,DWORD PTR DS:[EAX]
004319FA 008B 95B0F5FF ADD BYTE PTR DS:[EBX+FFF5B095],CL
00431A00 FF52 FF CALL DWORD PTR DS:[EDX-1]
00431A03 15 DCA04600 ADC EAX,<&KERNEL32.WaitForDebugEvent>
00431A08 85C0 TEST EAX,EAX--------------------------------set new origin (EIP) here
00431A0A 0F84 31200000 JE Project1.00433A41-----------------------start of the patch; change to JMP 00401000
00431A10 0FB645 D3 MOVZX EAX,BYTE PTR SS:[EBP-2D]
00431A14 85C0 TEST EAX,EAX
NOP out the WaitForDebugEvent call, set the new EIP at 00431a08, and start patching at 00431A0A.
Write the following code at 00401000:
00401000 8105 F4EC1200>ADD DWORD PTR DS:[12ECF4],1000
0040100A 8105 00ED1200>ADD DWORD PTR DS:[12ED00],1000
00401014 8105 04ED1200>ADD DWORD PTR DS:[12ED04],1000
0040101E 813D 04ED1200>CMP DWORD PTR DS:[12ED04],Project1.00404000
00401028 - 0F85 E1090300 JNZ Project1.00431A0F
0040102E 68 A40F0000 PUSH 0FA4
00401033 E8 5993457C CALL kernel32.DebugActiveProcessStop
Then go back to 12ed6c:
0012ECDC 00000001
0012ECE0 00000B90
0012ECE4 00000B9C
0012ECE8 80000001
0012ECEC 00000000
0012ECF0 00000000
0012ECF4 00403414 Project1.00403414-----------------------change to 00400000
0012ECF8 00000002
0012ECFC 00000008
0012ED00 00403414 Project1.00403414-----------------------change to 00400000
0012ED04 00403414 Project1.00403414-----------------------change to 00400000
0012ED08 AA1AFD64
0012ED0C 00000000
After doing all of the above, SHIFT+F9, break; EAX=1 means everything is correct. At this point half the work is done. Go back to OD and attach to the process whose name is not shown in red.
F9, F12, then change the first two bytes back to 55 8B:
00403414 55 PUSH EBP----------------------oep
00403415 8BEC MOV EBP,ESP
00403417 83C4 F0 ADD ESP,-10
0040341A B8 E4334000 MOV EAX,Project1.004033E4
0040341F E8 A4FEFFFF CALL Project1.004032C8
00403424 6A 40 PUSH 40
00403426 68 3C344000 PUSH Project1.0040343C
3. Repair
The code above is now complete, but the IAT is still encrypted and must be repaired. Open another OD and use ARM PROCESS DETACH to load the target:
DONE!
Child process ID: 00000334
Entry point: 004424F2
Original bytes: E8E3
Attach directly to 334, F9, F12, change the first two bytes to E8 E3, and we stop at:
004424F2 > E8 E3400000 call 004465DA
004424F7 ^ E9 16FEFFFF jmp 00442312
004424FC 6A 0C push 0C
004424FE 68 B0004700 push 004700B0
00442503 E8 44150000 call 00443A4C
00442508 8B4D 08 mov ecx, dword ptr [ebp+8]
0044250B 33FF xor edi, edi
0044250D 3BCF cmp ecx, edi
Now it can be unpacked like a standard shell, but this is only to recover the correct IAT and get around the encryption.
Set BP VirtualProtect+5; after the break, clear the breakpoint.
Set BP CreateFileMappingA+5; after the break, clear the breakpoint.
Set BP GetModuleHandleA+5 and watch the stack:
00129474 /0012EB88
00129478 |00CD5205 返回到 00CD5205 来自 kernel32.GetModuleHandleA
0012947C |00D00B98 ASCII "kernel32.dll"
00129480 |00D01A64 ASCII "VirtualAlloc"
00129484 |D8C0806A
00129488 |7AA4EC1B
00129474 /0012EB88
00129478 |00CD5223 返回到 00CD5223 来自 kernel32.GetModuleHandleA
0012947C |00D00B98 ASCII "kernel32.dll"
00129480 |00D01A58 ASCII "VirtualFree"
00129484 |D8C0806A
00129488 |7AA4EC1B
0012948C |00000000
001291C0 /00129478
001291C4 |00CB7E44 返回到 00CB7E44 来自 kernel32.GetModuleHandleA
001291C8 |00129340 ASCII "kernel32.dll"---------------------------------time to return now
001291CC |00000000
001291D0 |0046A378 Project1.0046A378
001291D4 |00000001
00CB7E44 8B55 F4 mov edx, dword ptr [ebp-C]
00CB7E47 8B0D 4CDFD000 mov ecx, dword ptr [D0DF4C]
00CB7E4D 890491 mov dword ptr [ecx+edx*4], eax
00CB7E50 8B55 F4 mov edx, dword ptr [ebp-C]
00CB7E53 A1 4CDFD000 mov eax, dword ptr [D0DF4C]
00CB7E58 833C90 00 cmp dword ptr [eax+edx*4], 0
00CB7E5C 75 5C jnz short 00CB7EBA
00CB7E5E 8B4D F8 mov ecx, dword ptr [ebp-8]
00CB7E61 8B51 08 mov edx, dword ptr [ecx+8]
00CB7E64 83E2 02 and edx, 2
00CB7E67 74 38 je short 00CB7EA1
00CB7E69 B8 17000000 mov eax, 17
00CB7E6E C1E0 02 shl eax, 2
00CB7E71 8B0D 04BBD000 mov ecx, dword ptr [D0BB04] ; Project1.0046A378
00CB7E77 8B15 04BBD000 mov edx, dword ptr [D0BB04] ; Project1.0046A378
00CB7E7D 8B35 04BBD000 mov esi, dword ptr [D0BB04] ; Project1.0046A378
00CB7E83 8B5E 08 mov ebx, dword ptr [esi+8]
00CB7E86 335A 64 xor ebx, dword ptr [edx+64]
00CB7E89 331C01 xor ebx, dword ptr [ecx+eax]
00CB7E8C 83E3 10 and ebx, 10
00CB7E8F F7DB neg ebx
00CB7E91 1BDB sbb ebx, ebx
00CB7E93 F7DB neg ebx
00CB7E95 0FB6C3 movzx eax, bl
00CB7E98 85C0 test eax, eax
00CB7E9A 75 05 jnz short 00CB7EA1
00CB7E9C ^ E9 1BFFFFFF jmp 00CB7DBC
00CB7EA1 8D8D C8FEFFFF lea ecx, dword ptr [ebp-138]
00CB7EA7 51 push ecx
00CB7EA8 FF15 D4E1CF00 call dword ptr [CFE1D4] ; kernel32.LoadLibraryA
00CB7EAE 8B55 F4 mov edx, dword ptr [ebp-C]
00CB7EB1 8B0D 4CDFD000 mov ecx, dword ptr [D0DF4C]
00CB7EB7 890491 mov dword ptr [ecx+edx*4], eax
00CB7EBA 8B55 F4 mov edx, dword ptr [ebp-C]
00CB7EBD A1 4CDFD000 mov eax, dword ptr [D0DF4C]
00CB7EC2 833C90 00 cmp dword ptr [eax+edx*4], 0
00CB7EC6 75 05 jnz short 00CB7ECD--------------------------MAGIC JMP, NOP it out
00CB7EC8 ^ E9 EFFEFFFF jmp 00CB7DBC
00CB7ECD C785 BCFEFFFF 0>mov dword ptr [ebp-144], 0
00CB7ED7 C785 C0FEFFFF 0>mov dword ptr [ebp-140], 0
00CB7EE1 8B4D F8 mov ecx, dword ptr [ebp-8]
00CB7EE4 8B51 04 mov edx, dword ptr [ecx+4]
Search for the binary sequence EB 03 D6 D6; you find the following:
00CB8149 /EB 03 jmp short 00CB814E
00CB814B |D6 salc
00CB814C |D6 salc
00CB814D |8F ??? ; 未知命令
Set a breakpoint at 00CB8149, run, break, and undo all modifications.
Set BP CreateThread.
After it breaks, return and keep pressing F8.
When you see CALL ECX, stepping into it takes you to the OEP. At the OEP:
00403414 9F lahf
00403415 1965 72 sbb dword ptr [ebp+72], esp
00403418 0E push cs
00403419 6231 bound esi, qword ptr [ecx]
0040341B 15 F9D28919 adc eax, 1989D2F9
00403420 6E outs dx, byte ptr es:[edi]
00403421 6C ins byte ptr es:[edi], dx
00403422 76 0E jbe short 00403432
00403424 A0 D2E1CDFE mov al, byte ptr [FECDE1D2]
00403429 D289 9982A6C9 ror byte ptr [ecx+C9A68299], cl
0040342F F1 int1
The OEP is unrecognizable now, but that does not matter; we only need the correct IAT.
Go back to the earlier OD, go to the start of the IAT, and copy the first three IAT entries as binary.
Then in the second OD open the memory map, search for that binary, and you find:
00406078 7C93188A ntdll.RtlDeleteCriticalSection
0040607C 7C9210ED ntdll.RtlLeaveCriticalSection
00406080 7C921005 ntdll.RtlEnterCriticalSection
00406084 7C809FA1 kernel32.InitializeCriticalSection
00406088 7C809B14 kernel32.VirtualFree
0040608C 7C809A81 kernel32.VirtualAlloc
00406090 7C80995D kernel32.LocalFree
00406094 7C8099BD kernel32.LocalAlloc
00406098 7C8114AB kernel32.GetVersion
0040609C 7C809737 kernel32.GetCurrentThreadId
004060A0 7C80A405 kernel32.GetThreadLocale
004060A4 7C801EEE kernel32.GetStartupInfoA
004060A8 7C80D47E kernel32.GetLocaleInfoA
004060AC 7C812C8D kernel32.GetCommandLineA
004060B0 7C80AA66 kernel32.FreeLibrary
004060B4 7C81CAA2 kernel32.ExitProcess
004060B8 7C810F9F kernel32.WriteFile
004060BC 7C862B8A kernel32.UnhandledExceptionFilter
004060C0 7C957A40 ntdll.RtlUnwind
004060C4 7C81EAE1 kernel32.RaiseException
004060C8 7C812CA9 kernel32.GetStdHandle
004060CC 00CBA270
004060D0 77D311B3 USER32.GetKeyboardType
004060D4 77D504EA USER32.MessageBoxA
004060D8 00CBA270
004060DC 77DA7883 ADVAPI32.RegQueryValueExA
004060E0 77DA761B ADVAPI32.RegOpenKeyExA
004060E4 77DA6BF0 ADVAPI32.RegCloseKey
004060E8 00CBA260
004060EC 7C809BF5 kernel32.TlsSetValue
004060F0 7C809750 kernel32.TlsGetValue
004060F4 7C8099BD kernel32.LocalAlloc
004060F8 7C80B529 kernel32.GetModuleHandleA
004060FC 00CBA250
00406100 77D504EA USER32.MessageBoxA
This is the correct IAT.
Copy the entire correct IAT as binary into the earlier OD;
the second OD can now be closed.
OK, now we can dump: full dump with LordPE, repair the imports, run, OK. Practice file attached.
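The "copy the first three IAT entries as binary and search for them" step, as an added example (not code from the post): IAT slots are 32-bit little-endian pointers, so the search pattern is the packed thunk values. The listing lines are copied from the post; the memory region, function names and the unlabelled-entry check are my own constructions.

```python
import re
import struct

# Head of the IAT as listed in the second OllyDbg in the post (a few entries only).
IAT_LISTING = """\
00406078 7C93188A ntdll.RtlDeleteCriticalSection
0040607C 7C9210ED ntdll.RtlLeaveCriticalSection
00406080 7C921005 ntdll.RtlEnterCriticalSection
00406084 7C809FA1 kernel32.InitializeCriticalSection
004060CC 00CBA270"""

def parse_iat_listing(text):
    """Parse 'ADDR VALUE [module.export]' dump lines into (thunk_va, target, label)."""
    entries = []
    for line in text.splitlines():
        m = re.match(r'\s*([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]{8})\s*(\S*)', line)
        if m:
            entries.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3)))
    return entries

def search_pattern(entries, count=3):
    """Little-endian bytes of the first `count` thunks: the byte string to search
    for in the other debugger's memory."""
    return b"".join(struct.pack("<I", target) for _, target, _ in entries[:count])

def locate(memory, base, pattern):
    """VA of the first occurrence of `pattern` in a region dumped from `base`,
    or None if the pattern is absent."""
    off = memory.find(pattern)
    return None if off < 0 else base + off

def unlabelled(entries):
    """Thunks OllyDbg did not resolve to module.export; in the post's dump these
    point into the 00CBxxxx region rather than into a system DLL."""
    return [va for va, _, label in entries if not label]

ENTRIES = parse_iat_listing(IAT_LISTING)
# Constructed memory region starting at 00406000; the IAT begins 0x78 bytes in.
REGION = (b"\x00" * 0x78
          + b"".join(struct.pack("<I", t) for _, t, _ in ENTRIES)
          + b"\x00" * 16)

if __name__ == "__main__":
    pat = search_pattern(ENTRIES)
    print(pat.hex(), hex(locate(REGION, 0x406000, pat)))
```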
--------------------------------------------------------------------------------
Attachment: http://www.unpack.cn/attachment.php?aid=11771