Armadillo 4.0 double-process unpacking
[Repost] I. Target: XX software packed with Armadillo 4.0
II. Tools: OllyDbg v1.10, ImportREC 1.6 Final, LordPE
1. Finding the version number:
ZimoIII.<>/$55 PUSH EBP
0064C364|.8BEC MOV EBP,ESP
0064C366|.6A FF PUSH -1
0064C368|.68 206B6>PUSH ZimoIII.00676B20
0064C36D|.68 A0C06>PUSH ZimoIII.0064C0A0 ;SE handler installation
0064C372|.64:A1 00>MOV EAX,DWORD PTR FS:
0064C378|.50 PUSH EAX
0064C379|.64:8925 >MOV DWORD PTR FS:,ESP
0064C380|.83EC 58SUB ESP,58
0064C383|.53 PUSH EBX
0064C384|.56 PUSH ESI
0064C385|.57 PUSH EDI
0064C386|.8965 E8MOV ,ESP
0064C389|.FF15 881>CALL NEAR DWORD PTR DS:[<&KERNEL32.Ge> ;kernel32.GetVersion
The entry point mimics a VC entry. Set a breakpoint with BP OpenMutexA; after returning, the code is as follows:
00637F33 .52 PUSH EDX ; /MutexName
00637F34 .6A 00 PUSH 0 ; |Inheritable = FALSE
00637F36 .68 01001>PUSH 1F0001 ; |Access = 1F0001
00637F3B .FF15 A41>CALL NEAR DWORD PTR DS:[<&KERNEL32.Op> ; \OpenMutexA
00637F41 .85C0 TEST EAX,EAX
00637F43 .74 04 JE SHORT ZimoIII.00637F49 ; set ZF=0
Press F9 to run; when it breaks again, remove the breakpoint. After returning, the code is as follows:
00638335 .50 PUSH EAX ; /MutexName
00638336 .6A 00 PUSH 0 ; |Inheritable = FALSE
00638338 .68 01001>PUSH 1F0001 ; |Access = 1F0001
0063833D .FF15 A41>CALL NEAR DWORD PTR DS:[<&KERNEL32.Op> ; \OpenMutexA
00638343 .85C0 TEST EAX,EAX
00638345 .0F85 7A0>JNZ ZimoIII.006385C5 ; set ZF=0
This enters the child process. Set BP OutputDebugStringA, return, then search for strings; the following is found:
Address=00E25403
Disassembly=PUSH 0E55800
Text string=ASCII "<armVersion xsi:type="xsd:string">%s</armVersion>
"
The code at 00E25402 is PUSH EAX (the version number, 4.00).
2. Finding the IAT
Set BP LoadLibraryA and execute until return; the code is as follows:
00E48851 E8 7237FEF>CALL 00E2BFC8 ; =>LoadLibrary
00E48856 8985 88C3F>MOV DWORD PTR SS:,EAX
00E4885C 83BD 88C3F>CMP DWORD PTR SS:,0
00E48863 0F85 9F000>JNZ 00E48908
........
00E48A0B 8B85 60C1F>MOV EAX,DWORD PTR SS:
00E48A11 8B0D E4C9E>MOV ECX,DWORD PTR DS:
00E48A17 8B15 F81EE>MOV EDX,DWORD PTR DS:
00E48A1D 8B0481 MOV EAX,DWORD PTR DS:
00E48A20 3342 78 XOR EAX,DWORD PTR DS:
00E48A23 8B0D F81EE>MOV ECX,DWORD PTR DS:
00E48A29 3341 14 XOR EAX,DWORD PTR DS:
00E48A2C 8B0D F81EE>MOV ECX,DWORD PTR DS:
00E48A32 3341 58 XOR EAX,DWORD PTR DS:
00E48A35 8B0D F81EE>MOV ECX,DWORD PTR DS:
00E48A3B 3341 24 XOR EAX,DWORD PTR DS:
00E48A3E 3985 88C3F>CMP DWORD PTR SS:,EAX ; compare: is it a system module?
00E48A44 75 11 JNZ SHORT 00E48A57 ; Magic JMP
00E48A46 8B85 5CC1F>MOV EAX,DWORD PTR SS:
00E48A4C 8B40 04 MOV EAX,DWORD PTR DS:
00E48A4F 8985 84C3F>MOV DWORD PTR SS:,EAX
00E48A55 EB 05 JMP SHORT 00E48A5C
00E48A57^ E9 4FFFFFF>JMP 00E489AB
00E48A5C 80A5 7CC3F>AND BYTE PTR SS:,0
00E48A63 83BD D0C6F>CMP DWORD PTR SS:,0
00E48A6A 75 3F JNZ SHORT 00E48AAB
Remove the 4 padding bytes in the IAT gaps, enter RVA=14B1D0, SIZE=12DC manually in ImportREC, and cut the invalid pointers to obtain the complete IAT.
3. Finding the OEP and dumping
Reload the program and set BP WaitForDebugEvent; after returning, the code is as follows:
0063C4D8 52 PUSH EDX
0063C4D9 FF15 E0106>CALL NEAR DWORD PTR DS:[<&KERNEL32.Wa> ; kernel32.WaitForDebugEvent
0063C4DF >85C0 TEST EAX,EAX
0012CD90 is the DebugEvent. Press F9 to run; when 0012CD9C becomes 80000001, 0012CDA8 is 00401000 (= OEP).
When the child process reaches the OEP it raises an exception. Set BP VirtualProtectEx; after returning, single-step with F8 to the following:
0063F162 A1 4C7F670>MOV EAX,DWORD PTR DS: ; initially 0
0063F167 83C0 01 ADD EAX,1 ; counter += 1
0063F16A A3 4C7F670>MOV DWORD PTR DS:,EAX ; save the count
........
0063F239 8B15 4C7F6>MOV EDX,DWORD PTR DS: ; read the count
0063F23F 3B15 D0176>CMP EDX,DWORD PTR DS: ; compare with 0x97
0063F245 0F8E D9010>JLE ZimoIII.0063F424 ; if not taken, the code section is encrypted
Change the jump, then go to the ContinueDebugEvent call and patch the following code:
0063EBCB .51 PUSH ECX ; /ContinueStatus
0063EBCC .8B95 DCF5FFFF MOV EDX,DWORD PTR SS: ; |
0063EBD2 .8B42 08 MOV EAX,DWORD PTR DS: ; |
0063EBD5 .50 PUSH EAX ; |ThreadId
0063EBD6 .8B8D DCF5FFFF MOV ECX,DWORD PTR SS: ; |
0063EBDC .8B51 04 MOV EDX,DWORD PTR DS: ; |
0063EBDF .52 PUSH EDX ; |ProcessId
0063EBE0 .FF15 D4106700 CALL NEAR DWORD PTR DS:[<&KERNEL32.Co>; \ContinueDebugEvent
Patched code:
0063EBD2 8105 B4CD12>ADD DWORD PTR DS:,1000 ; add 1000h to the exception address
0063EBDC 8105 A8CD12>ADD DWORD PTR DS:,1000 ; same as above
Then NOP out the WaitForDebugEvent call above so the child process stays stopped at its entry point; altering the exception address in the DebugEvent tricks the parent process into decoding. Set a conditional breakpoint ==0052E000 (the VA of the data section); once it breaks, dump with LordPE.
Remove the 5 sections such as .text1, keep the .rsrc section, and do some further optimisation.
4. Algorithm analysis:
When the registration window appears, set BP ReadPhysicalDriveIn; after returning, the code is as follows:
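The two stack addresses quoted in step 3 are fields of the 32-bit DEBUG_EVENT that WaitForDebugEvent fills in: 0012CD90+0xC is ExceptionRecord.ExceptionCode and 0012CD90+0x18 is ExceptionRecord.ExceptionAddress, and 80000001 is STATUS_GUARD_PAGE_VIOLATION. The following added example (not code from the original post) decodes constructed DEBUG_EVENT buffers with that layout and picks out the address of the first guard-page fault, which is the OEP the page reports; the process/thread ids and the breakpoint address are made-up sample values.

```python
import struct

# 32-bit DEBUG_EVENT (Win32 SDK): dwDebugEventCode @0, dwProcessId @4,
# dwThreadId @8, union @0xC. For EXCEPTION_DEBUG_EVENT the union starts with
# EXCEPTION_RECORD {ExceptionCode @0xC, ExceptionFlags @0x10, ExceptionRecord
# @0x14, ExceptionAddress @0x18, NumberParameters @0x1C, ExceptionInformation[15]};
# sizeof(EXCEPTION_RECORD) == 0x50, so dwFirstChance sits at 0xC + 0x50 = 0x5C.
EXCEPTION_DEBUG_EVENT = 1
STATUS_GUARD_PAGE_VIOLATION = 0x80000001
STATUS_BREAKPOINT = 0x80000003
OFF_EXC_CODE, OFF_EXC_ADDR, OFF_FIRST_CHANCE = 0xC, 0x18, 0x5C
DEBUG_EVENT_SIZE = 0x60

DEBUG_EVENT_STACK_VA = 0x0012CD90  # where the page found the DebugEvent


def field_va(offset):
    """Stack address of a DEBUG_EVENT field, as OllyDbg would show it."""
    return DEBUG_EVENT_STACK_VA + offset


def parse_debug_event(buf):
    """Decode the fixed-offset fields of one 32-bit DEBUG_EVENT buffer."""
    if len(buf) < DEBUG_EVENT_SIZE:
        raise ValueError("DEBUG_EVENT buffer too short")
    code, pid, tid = struct.unpack_from("<III", buf, 0)
    ev = {"code": code, "pid": pid, "tid": tid}
    if code == EXCEPTION_DEBUG_EVENT:
        ev["exc_code"] = struct.unpack_from("<I", buf, OFF_EXC_CODE)[0]
        ev["exc_addr"] = struct.unpack_from("<I", buf, OFF_EXC_ADDR)[0]
        ev["first_chance"] = struct.unpack_from("<I", buf, OFF_FIRST_CHANCE)[0]
    return ev


def make_exception_event(exc_code, exc_addr, pid=0x7F4, tid=0x7F8):
    """Build a constructed EXCEPTION_DEBUG_EVENT buffer (sample data, not a capture)."""
    buf = bytearray(DEBUG_EVENT_SIZE)
    struct.pack_into("<III", buf, 0, EXCEPTION_DEBUG_EVENT, pid, tid)
    struct.pack_into("<I", buf, OFF_EXC_CODE, exc_code)
    struct.pack_into("<I", buf, OFF_EXC_ADDR, exc_addr)
    struct.pack_into("<I", buf, OFF_FIRST_CHANCE, 1)  # first-chance exception
    return bytes(buf)


def first_guard_page_address(events):
    """Exception address of the first guard-page fault the parent receives,
    i.e. the point where the child first touches the protected OEP page."""
    for raw in events:
        ev = parse_debug_event(raw)
        if ev.get("exc_code") == STATUS_GUARD_PAGE_VIOLATION:
            return ev["exc_addr"]
    return None


# Constructed sequence: the initial debugger breakpoint (made-up address),
# then the guard-page fault at the OEP reported on the page (00401000).
SAMPLE_EVENTS = [
    make_exception_event(STATUS_BREAKPOINT, 0x7C901230),
    make_exception_event(STATUS_GUARD_PAGE_VIOLATION, 0x00401000),
]
```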
0040F3B8|.E8 7B8EFF>CALL ZimoIIII.00408238 ; obtain the machine code
0040F3BD|.8D55 F8 LEA EDX,
0040F3C0|.33C0 XOR EAX,EAX
0040F3C2|.8D4D FC LEA ECX,
0040F3C5|.8B12 MOV EDX,DWORD PTR DS:
0040F3C7|.8945 FC MOV ,EAX
0040F3CA|.8BC3 MOV EAX,EBX
0040F3CC|.FF46 1C INC DWORD PTR DS:
0040F3CF|.E8 F0FCFF>CALL ZimoIIII.0040F0C4 ; F7 to step into ①
0040F3D4|.FF4E 1C DEC DWORD PTR DS:
0040F3D7|.8D45 F8 LEA EAX,
0040F3DA|.BA 020000>MOV EDX,2
0040F3DF|.E8 28CE11>CALL ZimoIIII.0052C20C
0040F3E4|.66:C746 1>MOV WORD PTR DS:,8
0040F3EA|.66:C746 1>MOV WORD PTR DS:,20
0040F3F0|.33C9 XOR ECX,ECX
0040F3F2|.8BC3 MOV EAX,EBX
0040F3F4|.894D F4 MOV ,ECX
0040F3F7|.8D4D F4 LEA ECX,
0040F3FA|.FF46 1C INC DWORD PTR DS:
0040F3FD|.8B55 FC MOV EDX,
0040F400|.E8 43FEFF>CALL ZimoIIII.0040F248 ; F7 to step into ②
Computation ①:
0040F0C4/$55 PUSH EBP
0040F0C5|.8BEC MOV EBP,ESP
0040F0C7|.83C4 C4 ADD ESP,-3C
0040F0CA|.53 PUSH EBX
0040F0CB|.56 PUSH ESI
0040F0CC|.57 PUSH EDI
0040F0CD|.894D EC MOV ,ECX
0040F0D0|.8955 FC MOV ,EDX
0040F0D3|.8D7D C8 LEA EDI,
0040F0D6|.B8 D85553>MOV EAX,ZimoIIII.005355D8
0040F0DB|.E8 F0BF0F>CALL ZimoIIII.0050B0D0
0040F0E0|.C747 1C 0>MOV DWORD PTR DS:,1
0040F0E7|.8D55 FC LEA EDX,
0040F0EA|.8D45 FC LEA EAX,
0040F0ED|.E8 72CF11>CALL ZimoIIII.0052C064
0040F0F2|.FF47 1C INC DWORD PTR DS:
0040F0F5|.BA 7A5453>MOV EDX,ZimoIIII.0053547A ;ASCII "lovedj"
0040F0FA|.66:C747 1>MOV WORD PTR DS:,8
0040F100|.66:C747 1>MOV WORD PTR DS:,14
0040F106|.8D45 F8 LEA EAX,
0040F109|.E8 1ECF11>CALL ZimoIIII.0052C02C
0040F10E|.FF47 1C INC DWORD PTR DS:
0040F111|.8D55 F8 LEA EDX,
0040F114|.66:C747 1>MOV WORD PTR DS:,8
0040F11A|.66:C747 1>MOV WORD PTR DS:,20
0040F120|.8D45 F4 LEA EAX,
0040F123|.E8 3CCF11>CALL ZimoIIII.0052C064
0040F128|.FF47 1C INC DWORD PTR DS:
0040F12B|.BA 815453>MOV EDX,ZimoIIII.00535481 ;ASCII " "
0040F130|.66:C747 1>MOV WORD PTR DS:,8
0040F136|.66:C747 1>MOV WORD PTR DS:,2C
0040F13C|.8D45 F0 LEA EAX,
0040F13F|.E8 E8CE11>CALL ZimoIIII.0052C02C
0040F144|.FF47 1C INC DWORD PTR DS:
0040F147|.8D55 F0 LEA EDX,
0040F14A|.8D45 FC LEA EAX,
0040F14D|.E8 FED011>CALL ZimoIIII.0052C250
0040F152|.FF4F 1C DEC DWORD PTR DS:
0040F155|.8D45 F0 LEA EAX,
0040F158|.BA 020000>MOV EDX,2
0040F15D|.E8 AAD011>CALL ZimoIIII.0052C20C
0040F162|.8D45 FC LEA EAX,
0040F165|.BA 060000>MOV EDX,6
0040F16A|.E8 05D311>CALL ZimoIIII.0052C474
0040F16F|.66:C747 1>MOV WORD PTR DS:,8
0040F175|.BB 010000>MOV EBX,1 ; EBX is the counter
0040F17A|>8BF3 MOV ESI,EBX
0040F17C|.56 PUSH ESI ; /Arg2 pointer
0040F17D|.8D45 FC LEA EAX, ; |
0040F180|.50 PUSH EAX ; |Arg1 address of the machine code
0040F181|.E8 22CE11>CALL ZimoIIII.0052BFA8 ; \ZimoIIII.0052BFA8
0040F186|.83C4 08 ADD ESP,8
0040F189|.8D45 FC LEA EAX,
0040F18C|.E8 CFD211>CALL ZimoIIII.0052C460
0040F191|.0375 FC ADD ESI,
0040F194|.8D4D F8 LEA ECX,
0040F197|.4E DEC ESI
0040F198|.8A16 MOV DL,BYTE PTR DS: ; take the nth character of the machine code
0040F19A|.8BF3 MOV ESI,EBX
0040F19C|.8855 C7 MOV BYTE PTR SS:,DL ; save the machine-code character
0040F19F|.66:C747 1>MOV WORD PTR DS:,8
0040F1A5|.56 PUSH ESI ; /Arg2 pointer
0040F1A6|.51 PUSH ECX ; |Arg1 address of "lovedj"
0040F1A7|.E8 FCCD11>CALL ZimoIIII.0052BFA8 ; \ZimoIIII.0052BFA8
0040F1AC|.8B45 F8 MOV EAX,
0040F1AF|.83C4 08 ADD ESP,8
0040F1B2|.8D55 F4 LEA EDX,
0040F1B5|.8A4430 FF MOV AL,BYTE PTR DS: ; nth character of "lovedj"
0040F1B9|.3245 C7 XOR AL,BYTE PTR SS: ; computation 1
0040F1BC|.8BF3 MOV ESI,EBX
0040F1BE|.8845 C6 MOV BYTE PTR SS:,AL
0040F1C1|.56 PUSH ESI ; /Arg2 pointer
0040F1C2|.52 PUSH EDX ; |Arg1 address of "lovedj"
0040F1C3|.E8 E0CD11>CALL ZimoIIII.0052BFA8 ; \ZimoIIII.0052BFA8
0040F1C8|.83C4 08 ADD ESP,8
0040F1CB|.8D45 F4 LEA EAX,
0040F1CE|.E8 8DD211>CALL ZimoIIII.0052C460
0040F1D3|.0375 F4 ADD ESI,
0040F1D6|.4E DEC ESI
0040F1D7|.8A55 C6 MOV DL,BYTE PTR SS:
0040F1DA|.8816 MOV BYTE PTR DS:,DL ; save the result
0040F1DC|.43 INC EBX
0040F1DD|.83FB 06 CMP EBX,6 ; loop 6 times
0040F1E0|.^ 7E 98 JLE SHORT ZimoIIII.0040F17A
0040F1E2|.66:C747 1>MOV WORD PTR DS:,38
0040F1E8|.8D55 F4 LEA EDX,
0040F1EB|.8B45 EC MOV EAX,
0040F1EE|.E8 49D011>CALL ZimoIIII.0052C23C
0040F1F3|.8B45 EC MOV EAX,
0040F1F6|.BA 020000>MOV EDX,2
0040F1FB|.66:C747 1>MOV WORD PTR DS:,44
0040F201|.50 PUSH EAX
0040F202|.8D45 F4 LEA EAX,
0040F205|.FF4F 1C DEC DWORD PTR DS:
0040F208|.E8 FFCF11>CALL ZimoIIII.0052C20C
0040F20D|.FF4F 1C DEC DWORD PTR DS:
0040F210|.8D45 F8 LEA EAX,
0040F213|.BA 020000>MOV EDX,2
0040F218|.E8 EFCF11>CALL ZimoIIII.0052C20C
0040F21D|.FF4F 1C DEC DWORD PTR DS:
0040F220|.8D45 FC LEA EAX,
0040F223|.BA 020000>MOV EDX,2
0040F228|.E8 DFCF11>CALL ZimoIIII.0052C20C
0040F22D|.58 POP EAX
0040F22E|.66:C747 1>MOV WORD PTR DS:,38
0040F234|.FF47 1C INC DWORD PTR DS:
0040F237|.8B17 MOV EDX,DWORD PTR DS:
0040F239|.64:8915 0>MOV DWORD PTR FS:,EDX
0040F240|.5F POP EDI
0040F241|.5E POP ESI
0040F242|.5B POP EBX
0040F243|.8BE5 MOV ESP,EBP
0040F245|.5D POP EBP
0040F246\.C3 RETN
Computation ②:
0040F248/$55 PUSH EBP
0040F249|.8BEC MOV EBP,ESP
0040F24B|.83C4 C8 ADD ESP,-38
0040F24E|.53 PUSH EBX
0040F24F|.56 PUSH ESI
0040F250|.57 PUSH EDI
0040F251|.894D EC MOV ,ECX
0040F254|.8955 FC MOV ,EDX
0040F257|.8D7D C8 LEA EDI,
0040F25A|.B8 945653>MOV EAX,ZimoIIII.00535694
0040F25F|.E8 6CBE0F>CALL ZimoIIII.0050B0D0
0040F264|.C747 1C 0>MOV DWORD PTR DS:,1
0040F26B|.8D55 FC LEA EDX,
0040F26E|.8D45 FC LEA EAX,
0040F271|.E8 EECD11>CALL ZimoIIII.0052C064
0040F276|.FF47 1C INC DWORD PTR DS:
0040F279|.8D45 FC LEA EAX,
0040F27C|.66:C747 1>MOV WORD PTR DS:,8
0040F282|.BA 060000>MOV EDX,6
0040F287|.E8 E8D111>CALL ZimoIIII.0052C474
0040F28C|.837D FC 0>CMP ,0
0040F290|.74 05 JE SHORT ZimoIIII.0040F297
0040F292|.8B45 FC MOV EAX,
0040F295|.EB 05 JMP SHORT ZimoIIII.0040F29C
0040F297|>B8 8B5453>MOV EAX,ZimoIIII.0053548B
0040F29C|>66:C747 1>MOV WORD PTR DS:,14
0040F2A2|.33D2 XOR EDX,EDX
0040F2A4|.8955 F8 MOV ,EDX
0040F2A7|.FF47 1C INC DWORD PTR DS:
0040F2AA|.66:C747 1>MOV WORD PTR DS:,8
0040F2B0|.33DB XOR EBX,EBX ; EBX is the counter
0040F2B2|.8BF0 MOV ESI,EAX ; ESI = address of the result of computation 1
0040F2B4|>66:C747 1>/MOV WORD PTR DS:,20
0040F2BA|.33C0 |XOR EAX,EAX
0040F2BC|.8D4D F4 |LEA ECX,
0040F2BF|.8945 F4 |MOV ,EAX
0040F2C2|.BA 020000>|MOV EDX,2
0040F2C7|.FF47 1C |INC DWORD PTR DS:
0040F2CA|.0FBE06 |MOVSX EAX,BYTE PTR DS:
0040F2CD|.83C0 02 |ADD EAX,2 ; add 2 to the nth character
0040F2D0|.E8 17D111>|CALL ZimoIIII.0052C3EC ; convert the ASCII code to a character
0040F2D5|.8D55 F4 |LEA EDX,
0040F2D8|.8D45 F8 |LEA EAX,
0040F2DB|.E8 70CF11>|CALL ZimoIIII.0052C250
0040F2E0|.FF4F 1C |DEC DWORD PTR DS:
0040F2E3|.8D45 F4 |LEA EAX,
0040F2E6|.BA 020000>|MOV EDX,2
0040F2EB|.E8 1CCF11>|CALL ZimoIIII.0052C20C
0040F2F0|.83FB 01 |CMP EBX,1
0040F2F3|.74 05 |JE SHORT ZimoIIII.0040F2FA
0040F2F5|.83FB 03 |CMP EBX,3
0040F2F8|.75 31 |JNZ SHORT ZimoIIII.0040F32B
0040F2FA|>66:C747 1>|MOV WORD PTR DS:,2C
0040F300|.BA 8C5453>|MOV EDX,ZimoIIII.0053548C
0040F305|.8D45 F0 |LEA EAX,
0040F308|.E8 1FCD11>|CALL ZimoIIII.0052C02C
0040F30D|.FF47 1C |INC DWORD PTR DS:
0040F310|.8D55 F0 |LEA EDX,
0040F313|.8D45 F8 |LEA EAX,
0040F316|.E8 35CF11>|CALL ZimoIIII.0052C250
0040F31B|.FF4F 1C |DEC DWORD PTR DS:
0040F31E|.8D45 F0 |LEA EAX,
0040F321|.BA 020000>|MOV EDX,2
0040F326|.E8 E1CE11>|CALL ZimoIIII.0052C20C
0040F32B|>43 |INC EBX
0040F32C|.46 |INC ESI
0040F32D|.83FB 06 |CMP EBX,6 ; convert 6 times
0040F330|.^ 7C 82 \JL SHORT ZimoIIII.0040F2B4
0040F332|.66:C747 1>MOV WORD PTR DS:,38
0040F338|.8D55 F8 LEA EDX,
0040F33B|.8B45 EC MOV EAX,
0040F33E|.E8 F9CE11>CALL ZimoIIII.0052C23C
0040F343|.8B45 EC MOV EAX,
0040F346|.BA 020000>MOV EDX,2
0040F34B|.66:C747 1>MOV WORD PTR DS:,44
0040F351|.50 PUSH EAX
0040F352|.8D45 F8 LEA EAX,
0040F355|.FF4F 1C DEC DWORD PTR DS:
0040F358|.E8 AFCE11>CALL ZimoIIII.0052C20C
0040F35D|.FF4F 1C DEC DWORD PTR DS:
0040F360|.8D45 FC LEA EAX,
0040F363|.BA 020000>MOV EDX,2
0040F368|.E8 9FCE11>CALL ZimoIIII.0052C20C
0040F36D|.58 POP EAX
0040F36E|.66:C747 1>MOV WORD PTR DS:,38
0040F374|.FF47 1C INC DWORD PTR DS:
0040F377|.8B17 MOV EDX,DWORD PTR DS:
0040F379|.64:8915 0>MOV DWORD PTR FS:,EDX
0040F380|.5F POP EDI
0040F381|.5E POP ESI
0040F382|.5B POP EBX
0040F383|.8BE5 MOV ESP,EBP
0040F385|.5D POP EBP
0040F386\.C3 RETN
The result is xxxx-xxxx-xxxx. The algorithm is very simple; the author is advised to improve it.