PECompact 2.x的四种脱壳方法
 

标题:PECompact 2.x的四种脱壳方法
链接:http://www.unpack.cn/viewthread.php?tid=19571
贴者:ant3000
日期:2007-11-27 12:21

  1、第一种方法(ESP定律法)
  
  用OD载入目标程序,并在调试选项中忽略所有异常(把异常交给程序自己处理)。这一步是必需的:从下面的代码可以看到,壳先在 fs:[0] 注册自己的 SEH 处理函数,再故意向地址 0 写入触发访问违例,借异常处理流程把控制权转给壳代码;如果 OD 截获了该异常,流程就走不下去。另外,被加壳的样本属于来源不明的二进制,建议在隔离的虚拟机中分析。
  
  载入后,代码停在这里:
  00401000 >  B8 681B6300     mov eax,JYtmw.00631B68//OD载入停在这里,F8单步走
  00401005    50              push eax
  00401006    64:FF35 0000000>push dword ptr fs:[0]//停到这里,寄存器ESP变红
  0040100D    64:8925 0000000>mov dword ptr fs:[0],esp
  00401014    33C0            xor eax,eax
  00401016    8908            mov dword ptr ds:[eax],ecx//eax 已在上一句清零,这里是故意向地址 0 写入以触发访问违例,由刚注册到 fs:[0] 的 SEH 处理函数(00631B68)接管
  00401018    50              push eax
  
  寄存器:=======================================
  EAX 00000000
  ECX 0012FFB0
  EDX 7C92EB94 ntdll.KiFastSystemCallRet
  EBX 7FFDB000
  ESP 0012FFC4//右键->在数据窗口跟随
  EBP 0012FFF0
  ESI 019A701F
  EDI 00000000
  EIP 00401000 JYtmw.<模块入口点>
  
  数据窗口:=============================
  0012FFC0  00631B68  JYtmw.00631B68//右键->断点->设置硬件访问断点->Word
  0012FFC4  7C816FF7  返回到 kernel32.7C816FF7
  0012FFC8  00000000
  0012FFCC  019A70CD
  0012FFD0  7FFDF000
  0012FFD4  805512FA
  
  F9运行,中断后删除硬件断点。注意:下面停在 ntdll 内部的地址(7C9xxxxx)取决于作者机器上的 ntdll 版本,在其他系统或补丁级别上会不同,应按指令序列而不是绝对地址来定位。
  
  7C957826    3B45 F8         cmp eax,dword ptr ss:[ebp-8]//OD停在这里,F8单步走
  7C957829    72 09           jb short ntdll.7C957834
  7C95782B    3B45 F4         cmp eax,dword ptr ss:[ebp-C]
  7C95782E  ^ 0F82 F731FFFF   jb ntdll.7C94AA2B
  7C957834    50              push eax
  7C957835    E8 67000000     call ntdll.7C9578A1
  7C95783A    84C0            test al,al
  7C95783C  ^ 0F84 E931FFFF   je ntdll.7C94AA2B
  7C957842    F605 5AC3997C 8>test byte ptr ds:[7C99C35A],80
  7C957849    0F85 20720100   jnz ntdll.7C96EA6F    //F8到这里的时候,跳转没有实现,看寄存器
  7C95784F    FF73 04         push dword ptr ds:[ebx+4]
  7C957852    8D45 EC         lea eax,dword ptr ss:[ebp-14]
  
  寄存器:=======================================
  EAX 0012FC01
  ECX 000041BB
  EDX 00000000
  EBX 0012FFBC
  ESP 0012FC4C
  EBP 0012FCBC
  ESI 0012FCD4
  EDI 00000000
  EIP 7C957849 ntdll.7C957849
  C 0  ES 0023 32位 0(FFFFFFFF)
  P 1  CS 001B 32位 0(FFFFFFFF)
  A 0  SS 0023 32位 0(FFFFFFFF)
  Z 1  DS 0023 32位 0(FFFFFFFF)//改Z 1为Z 0,让上面的跳转实现
  S 0  FS 003B 32位 7FFDF000(FFF)
  T 0  GS 0000 NULL
  
  
  
  7C96EA6F    6A 10           push 10//来到这里,F8单步走
  7C96EA71    53              push ebx
  7C96EA72    6A 00           push 0
  7C96EA74    FF75 0C         push dword ptr ss:[ebp+C]
  7C96EA77    56              push esi
  7C96EA78    E8 136B0100     call ntdll.7C985590
  7C96EA7D    8945 F0         mov dword ptr ss:[ebp-10],eax
  7C96EA80  ^ E9 CA8DFEFF     jmp ntdll.7C95784F//往回跳
  7C96EA85    57              push edi//选中这里,F4
  7C96EA86    FF75 F0         push dword ptr ss:[ebp-10]
  7C96EA89    E8 0C6B0100     call ntdll.7C98559A
  7C96EA8E  ^ E9 DC8DFEFF     jmp ntdll.7C95786F
  7C96EA93    8366 04 EF      and dword ptr ds:[esi+4],FFFFFFEF
  7C96EA97    8365 08 00      and dword ptr ss:[ebp+8],0
  
  
  OD到里这里
  00631B9B    53              push ebx
  00631B9C    51              push ecx
  00631B9D    57              push edi
  00631B9E    56              push esi
  00631B9F    52              push edx
  00631BA0    8D98 57120010   lea ebx,dword ptr ds:[eax+10001257]//F8单步走到这里,ESP方法,右键->在数据窗口跟随
  00631BA6    8B53 18         mov edx,dword ptr ds:[ebx+18]
  00631BA9    52              push edx
  00631BAA    8BE8            mov ebp,eax
  00631BAC    6A 40           push 40
  00631BAE    68 00100000     push 1000
  00631BB3    FF73 04         push dword ptr ds:[ebx+4]
  00631BB6    6A 00           push 0
  00631BB8    8B4B 10         mov ecx,dword ptr ds:[ebx+10]
  00631BBB    03CA            add ecx,edx
  00631BBD    8B01            mov eax,dword ptr ds:[ecx]
  
  
  数据窗口=========================
  0012FFAC  7C92EB94  ntdll.KiFastSystemCallRet//右键->断点->设置硬件访问断点->Word
  0012FFB0  019A70E0
  0012FFB4  00000000
  0012FFB8  0012FFB0
  
  
  F9运行,删除硬件断点
  
  00631C25    5E              pop esi         ; JYtmw.005839E0//OD停在这里,F8单步走
  00631C26    5F              pop edi
  00631C27    59              pop ecx
  00631C28    5B              pop ebx
  00631C29    5D              pop ebp
  00631C2A    FFE0            jmp eax//跳到OEP, :-)
  
  
  OEP======================
  005839E0    55              push ebp
  005839E1    8BEC            mov ebp,esp
  005839E3    83C4 F0         add esp,-10
  005839E6    B8 40165800     mov eax,JYtmw.00581640
  005839EB    E8 A43DE8FF     call JYtmw.00407794
  005839F0    68 783A5800     push JYtmw.00583A78
  005839F5    68 8C3A5800     push JYtmw.00583A8C                                ; ASCII "TApplication"
  005839FA    E8 5547E8FF     call JYtmw.00408154                                ; jmp 到
  005839FF    85C0            test eax,eax
  00583A01    76 05           jbe short JYtmw.00583A08
  00583A03    E8 C815E8FF     call JYtmw.00404FD0
  00583A08    A1 D0C35800     mov eax,dword ptr ds:[58C3D0]
  00583A0D    8B00            mov eax,dword ptr ds:[eax]
  00583A0F    E8 90A4EFFF     call JYtmw.0047DEA4
  
  2、第二种方法
  
  用OD载入,忽略所有异常,然后载入程序。
  
  00401000 >  B8 681B6300     mov eax,JYtmw.00631B68//OD载入停在这里,记住00631B68有用
  00401005    50              push eax
  00401006    64:FF35 0000000>push dword ptr fs:[0]
  0040100D    64:8925 0000000>mov dword ptr fs:[0],esp
  00401014    33C0            xor eax,eax
  00401016    8908            mov dword ptr ds:[eax],ecx//内存访问异常
  00401018    50              push eax
  
  由上面的代码知,bp 00631B68,F9运行到该断点
  
  
  00631B68    B8 ED0863F0     mov eax,F06308ED//OD来到这里,这以下就是异常处理回调函数的代码了
  00631B6D    8D88 9E120010   lea ecx,dword ptr ds:[eax+1000129E]
  00631B73    8941 01         mov dword ptr ds:[ecx+1],eax
  00631B76    8B5424 04       mov edx,dword ptr ss:[esp+4]
  00631B7A    8B52 0C         mov edx,dword ptr ds:[edx+C]
  00631B7D    C602 E9         mov byte ptr ds:[edx],0E9
  00631B80    83C2 05         add edx,5
  00631B83    2BCA            sub ecx,edx
  00631B85    894A FC         mov dword ptr ds:[edx-4],ecx
  00631B88    33C0            xor eax,eax
  00631B8A    C3              retn
  00631B8B    B8 78563412     mov eax,12345678//F2,下断
  
  这个处理函数做了两件事:把 eax 中的值写入 00631B8B 处 mov 指令的立即数位置(覆盖掉占位的 12345678),并把从异常记录中取得的异常地址处的指令改写成一条 jmp(E9)跳到 00631B8B——这是自修改代码。因此异常处理结束后程序会来到 00631B8B 处,我们就在 00631B8B 下断点,F9 运行到该断点处
  
  00631B8B    B8 ED0863F0     mov eax,F06308ED//OD停在这里,F8往下走
  00631B90    64:8F05 0000000>pop dword ptr fs:[0]
  00631B97    83C4 04         add esp,4//上一句 pop fs:[0] 已恢复原来的 SEH 链头,这里再丢弃入口处压入的处理函数地址,即撤销刚才安装的异常处理项
  00631B9A    55              push ebp
  00631B9B    53              push ebx
  00631B9C    51              push ecx
  00631B9D    57              push edi
  00631B9E    56              push esi
  00631B9F    52              push edx
  00631BA0    8D98 57120010   lea ebx,dword ptr ds:[eax+10001257]
  00631BA6    8B53 18         mov edx,dword ptr ds:[ebx+18]
  00631BA9    52              push edx
  00631BAA    8BE8            mov ebp,eax
  00631BAC    6A 40           push 40
  00631BAE    68 00100000     push 1000
  00631BB3    FF73 04         push dword ptr ds:[ebx+4]
  00631BB6    6A 00           push 0
  00631BB8    8B4B 10         mov ecx,dword ptr ds:[ebx+10]
  00631BBB    03CA            add ecx,edx
  00631BBD    8B01            mov eax,dword ptr ds:[ecx]
  00631BBF    FFD0            call eax
  00631BC1    5A              pop edx
  00631BC2    8BF8            mov edi,eax
  00631BC4    50              push eax
  00631BC5    52              push edx
  00631BC6    8B33            mov esi,dword ptr ds:[ebx]
  00631BC8    8B43 20         mov eax,dword ptr ds:[ebx+20]
  00631BCB    03C2            add eax,edx
  00631BCD    8B08            mov ecx,dword ptr ds:[eax]
  00631BCF    894B 20         mov dword ptr ds:[ebx+20],ecx
  00631BD2    8B43 1C         mov eax,dword ptr ds:[ebx+1C]
  00631BD5    03C2            add eax,edx
  00631BD7    8B08            mov ecx,dword ptr ds:[eax]
  00631BD9    894B 1C         mov dword ptr ds:[ebx+1C],ecx
  00631BDC    03F2            add esi,edx
  00631BDE    8B4B 0C         mov ecx,dword ptr ds:[ebx+C]
  00631BE1    03CA            add ecx,edx
  00631BE3    8D43 1C         lea eax,dword ptr ds:[ebx+1C]
  00631BE6    50              push eax
  00631BE7    57              push edi
  00631BE8    56              push esi
  00631BE9    FFD1            call ecx
  00631BEB    5A              pop edx
  00631BEC    58              pop eax
  00631BED    0343 08         add eax,dword ptr ds:[ebx+8]
  00631BF0    8BF8            mov edi,eax
  00631BF2    52              push edx
  00631BF3    8BF0            mov esi,eax
  00631BF5    8B46 FC         mov eax,dword ptr ds:[esi-4]
  00631BF8    83C0 04         add eax,4
  00631BFB    2BF0            sub esi,eax
  00631BFD    8956 08         mov dword ptr ds:[esi+8],edx
  00631C00    8B4B 0C         mov ecx,dword ptr ds:[ebx+C]
  00631C03    894E 14         mov dword ptr ds:[esi+14],ecx
  00631C06    FFD7            call edi
  00631C08    8985 3F130010   mov dword ptr ss:[ebp+1000133F],eax
  00631C0E    8BF0            mov esi,eax
  00631C10    8B4B 14         mov ecx,dword ptr ds:[ebx+14]
  00631C13    5A              pop edx
  00631C14    EB 0C           jmp short JYtmw.00631C22
  00631C16    03CA            add ecx,edx
  00631C18    68 00800000     push 8000
  00631C1D    6A 00           push 0
  00631C1F    57              push edi
  00631C20    FF11            call dword ptr ds:[ecx]
  00631C22    8BC6            mov eax,esi
  00631C24    5A              pop edx
  00631C25    5E              pop esi
  00631C26    5F              pop edi
  00631C27    59              pop ecx
  00631C28    5B              pop ebx
  00631C29    5D              pop ebp//到这里真实的代码被释放出来
  00631C2A    FFE0            jmp eax//跳到OEP, :-)
  
  
  OEP======================
  005839E0    55              push ebp
  005839E1    8BEC            mov ebp,esp
  005839E3    83C4 F0         add esp,-10
  005839E6    B8 40165800     mov eax,JYtmw.00581640
  005839EB    E8 A43DE8FF     call JYtmw.00407794
  005839F0    68 783A5800     push JYtmw.00583A78
  005839F5    68 8C3A5800     push JYtmw.00583A8C                                ; ASCII "TApplication"
  005839FA    E8 5547E8FF     call JYtmw.00408154                                ; jmp 到
  005839FF    85C0            test eax,eax
  00583A01    76 05           jbe short JYtmw.00583A08
  00583A03    E8 C815E8FF     call JYtmw.00404FD0
  00583A08    A1 D0C35800     mov eax,dword ptr ds:[58C3D0]
  00583A0D    8B00            mov eax,dword ptr ds:[eax]
  00583A0F    E8 90A4EFFF     call JYtmw.0047DEA4
  
  
  3、第三种方法
  
  用OD载入,忽略所有异常,然后载入程序。
  
  00401000 >  B8 681B6300     mov eax,JYtmw.00631B68//OD载入停在这里
  00401005    50              push eax
  00401006    64:FF35 0000000>push dword ptr fs:[0]
  0040100D    64:8925 0000000>mov dword ptr fs:[0],esp
  00401014    33C0            xor eax,eax
  00401016    8908            mov dword ptr ds:[eax],ecx
  00401018    50              push eax
  
  下断:BP VirtualFree    Ctrl+F9两次
  中断后取消断点,Alt+F9返回,返回到00F80C67处(该地址不在主模块 JYtmw 的范围内,可能是壳运行时分配的内存,每次运行可能不同,以下面的指令序列为准)
  
  00F80C67    8B46 0C         mov eax,dword ptr ds:[esi+C]//OD停在这里,F8单步走
  00F80C6A    03C7            add eax,edi
  00F80C6C    5D              pop ebp
  00F80C6D    5E              pop esi
  00F80C6E    5F              pop edi
  00F80C6F    5B              pop ebx
  00F80C70    C3              retn//返回
  00F80C71    55              push ebp
  
  
  来到这里====================================
  00631C08    8985 3F130010   mov dword ptr ss:[ebp+1000133F],eax     ; JYtmw.005839E0//继续F8单步走
  00631C0E    8BF0            mov esi,eax
  00631C10    8B4B 14         mov ecx,dword ptr ds:[ebx+14]
  00631C13    5A              pop edx
  00631C14    EB 0C           jmp short JYtmw.00631C22
  00631C16    03CA            add ecx,edx
  00631C18    68 00800000     push 8000
  00631C1D    6A 00           push 0
  00631C1F    57              push edi
  00631C20    FF11            call dword ptr ds:[ecx]
  00631C22    8BC6            mov eax,esi
  00631C24    5A              pop edx
  00631C25    5E              pop esi
  00631C26    5F              pop edi
  00631C27    59              pop ecx
  00631C28    5B              pop ebx
  00631C29    5D              pop ebp
  00631C2A    FFE0            jmp eax//跳到OEP, :-)
  
  OEP======================
  005839E0    55              push ebp
  005839E1    8BEC            mov ebp,esp
  005839E3    83C4 F0         add esp,-10
  005839E6    B8 40165800     mov eax,JYtmw.00581640
  005839EB    E8 A43DE8FF     call JYtmw.00407794
  005839F0    68 783A5800     push JYtmw.00583A78
  005839F5    68 8C3A5800     push JYtmw.00583A8C                      ; ASCII "TApplication"
  005839FA    E8 5547E8FF     call JYtmw.00408154                      ; jmp 到
  005839FF    85C0            test eax,eax
  00583A01    76 05           jbe short JYtmw.00583A08
  00583A03    E8 C815E8FF     call JYtmw.00404FD0
  00583A08    A1 D0C35800     mov eax,dword ptr ds:[58C3D0]
  00583A0D    8B00            mov eax,dword ptr ds:[eax]
  00583A0F    E8 90A4EFFF     call JYtmw.0047DEA4
  
  4、第4种方法
  
  用OD载入,忽略所有异常,然后载入程序。
  
  00401000 >  B8 681B6300     mov eax,JYtmw.00631B68//OD载入停在这里
  00401005    50              push eax
  00401006    64:FF35 0000000>push dword ptr fs:[0]
  0040100D    64:8925 0000000>mov dword ptr fs:[0],esp
  00401014    33C0            xor eax,eax
  00401016    8908            mov dword ptr ds:[eax],ecx
  00401018    50              push eax
  
  bp VirtualAlloc  Ctrl+F9运行
  中断后取消断点,Alt+F9返回,返回到00631BC1处
  
  00631BC1    5A              pop edx                     ; JYtmw.00400000//OD停在这里,向下拉
  00631BC2    8BF8            mov edi,eax
  00631BC4    50              push eax
  00631BC5    52              push edx
  00631BC6    8B33            mov esi,dword ptr ds:[ebx]
  00631BC8    8B43 20         mov eax,dword ptr ds:[ebx+20]
  00631BCB    03C2            add eax,edx
  00631BCD    8B08            mov ecx,dword ptr ds:[eax]
  00631BCF    894B 20         mov dword ptr ds:[ebx+20],ecx
  00631BD2    8B43 1C         mov eax,dword ptr ds:[ebx+1C]
  00631BD5    03C2            add eax,edx
  00631BD7    8B08            mov ecx,dword ptr ds:[eax]
  00631BD9    894B 1C         mov dword ptr ds:[ebx+1C],ecx
  00631BDC    03F2            add esi,edx
  00631BDE    8B4B 0C         mov ecx,dword ptr ds:[ebx+C]
  00631BE1    03CA            add ecx,edx
  00631BE3    8D43 1C         lea eax,dword ptr ds:[ebx+1C]
  00631BE6    50              push eax
  00631BE7    57              push edi
  00631BE8    56              push esi
  00631BE9    FFD1            call ecx
  00631BEB    5A              pop edx
  00631BEC    58              pop eax
  00631BED    0343 08         add eax,dword ptr ds:[ebx+8]
  00631BF0    8BF8            mov edi,eax
  00631BF2    52              push edx
  00631BF3    8BF0            mov esi,eax
  00631BF5    8B46 FC         mov eax,dword ptr ds:[esi-4]
  00631BF8    83C0 04         add eax,4
  00631BFB    2BF0            sub esi,eax
  00631BFD    8956 08         mov dword ptr ds:[esi+8],edx
  00631C00    8B4B 0C         mov ecx,dword ptr ds:[ebx+C]
  00631C03    894E 14         mov dword ptr ds:[esi+14],ecx
  00631C06    FFD7            call edi
  00631C08    8985 3F130010   mov dword ptr ss:[ebp+1000133F],eax
  00631C0E    8BF0            mov esi,eax
  00631C10    8B4B 14         mov ecx,dword ptr ds:[ebx+14]
  00631C13    5A              pop edx
  00631C14    EB 0C           jmp short JYtmw.00631C22
  00631C16    03CA            add ecx,edx
  00631C18    68 00800000     push 8000
  00631C1D    6A 00           push 0
  00631C1F    57              push edi
  00631C20    FF11            call dword ptr ds:[ecx]
  00631C22    8BC6            mov eax,esi
  00631C24    5A              pop edx
  00631C25    5E              pop esi
  00631C26    5F              pop edi
  00631C27    59              pop ecx
  00631C28    5B              pop ebx
  00631C29    5D              pop ebp
  00631C2A    FFE0            jmp eax//F4运行到这里 F8跳到OEP, :-)
  
  OEP======================
  005839E0    55              push ebp
  005839E1    8BEC            mov ebp,esp
  005839E3    83C4 F0         add esp,-10
  005839E6    B8 40165800     mov eax,JYtmw.00581640
  005839EB    E8 A43DE8FF     call JYtmw.00407794
  005839F0    68 783A5800     push JYtmw.00583A78
  005839F5    68 8C3A5800     push JYtmw.00583A8C                      ; ASCII "TApplication"
  005839FA    E8 5547E8FF     call JYtmw.00408154                      ; jmp 到
  005839FF    85C0            test eax,eax
  00583A01    76 05           jbe short JYtmw.00583A08
  00583A03    E8 C815E8FF     call JYtmw.00404FD0
  00583A08    A1 D0C35800     mov eax,dword ptr ds:[58C3D0]
  00583A0D    8B00            mov eax,dword ptr ds:[eax]
  00583A0F    E8 90A4EFFF     call JYtmw.0047DEA4
  
  
  到达 OEP 后,剩下的就是脱壳本身:在 OEP 处转储内存映像并修复导入表,收工