关于 Armadillo 1.xx - 2.xx -> Silicon Realms Toolworks的Magic jump脱壳高手进
在Armadillo 1.xx - 2.xx -> Silicon Realms Toolworks 脱壳分析的第二步 即:二、避开IAT加密
下断:He GetModuleHandleA,F9运行
77F45B95 6A 12 PUSH 12
77F45B97 E8 0FEDFFFF CALL 77F448AB
77F45B9C 85C0 TEST EAX,EAX
77F45B9E 0F84 A2000000 JE 77F45C46
77F45BA4 57 PUSH EDI
77F45BA5 68 F44FF477 PUSH 77F44FF4 ; ASCII "KERNEL32.DLL"
77F45BAA FF15 FC11F477 CALL DWORD PTR DS: ; kernel32.GetModuleHandleA
77F45BB0 8BF8 MOV EDI,EAX ; ★返回到这里!★
77F45BB2 85FF TEST EDI,EDI
77F45BB4 0F84 8B000000 JE 77F45C45
77F45BBA 56 PUSH ESI
77F45BBB 8B35 B413F477 MOV ESI,DWORD PTR DS: ; kernel32.GetProcAddress
77F45BC1 68 A45CF477 PUSH 77F45CA4 ; ASCII "CreateTimerQueue"
77F45BC6 57 PUSH EDI
77F45BC7 FFD6 CALL ESI
77F45BC9 85C0 TEST EAX,EAX
77F45BCB 8945 FC MOV DWORD PTR SS:,EAX
77F45BCE 74 74 JE SHORT 77F45C44
77F45BD0 68 905CF477 PUSH 77F45C90 ; ASCII "DeleteTimerQueue"
77F45BD5 57 PUSH EDI
77F45BD6 FFD6 CALL ESI
77F45BD8 85C0 TEST EAX,EAX
77F45BDA 8945 F8 MOV DWORD PTR SS:,EAX
77F45BDD 74 65 JE SHORT 77F45C44
77F45BDF 68 785CF477 PUSH 77F45C78 ; ASCII "CreateTimerQueueTimer"
77F45BE4 57 PUSH EDI
77F45BE5 FFD6 CALL ESI
77F45BE7 85C0 TEST EAX,EAX
77F45BE9 8945 F4 MOV DWORD PTR SS:,EAX
77F45BEC 74 56 JE SHORT 77F45C44
77F45BEE 53 PUSH EBX
77F45BEF 68 605CF477 PUSH 77F45C60 ; ASCII "ChangeTimerQueueTimer"
77F45BF4 57 PUSH EDI
77F45BF5 FFD6 CALL ESI
77F45BF7 8BD8 MOV EBX,EAX
77F45BF9 85DB TEST EBX,EBX
77F45BFB 74 46 JE SHORT 77F45C43
77F45BFD 68 485CF477 PUSH 77F45C48 ; ASCII "DeleteTimerQueueTimer"
77F45C02 57 PUSH EDI
77F45C03 FFD6 CALL ESI
77F45C05 85C0 TEST EAX,EAX
77F45C07 74 3A JE SHORT 77F45C43
77F45C09 8B4D FC MOV ECX,DWORD PTR SS:
77F45C0C 890D 7CD6FA77 MOV DWORD PTR DS:,ECX
77F45C12 8B4D F8 MOV ECX,DWORD PTR SS:
77F45C15 890D 80D6FA77 MOV DWORD PTR DS:,ECX
77F45C1B 8B4D F4 MOV ECX,DWORD PTR SS:
77F45C1E 891D 88D6FA77 MOV DWORD PTR DS:,EBX
77F45C24 C705 84D6FA77 E>MOV DWORD PTR DS:,77FA0DE5
77F45C2E C705 8CD6FA77 2>MOV DWORD PTR DS:,77FA0E26
77F45C38 890D 94D6FA77 MOV DWORD PTR DS:,ECX
77F45C3E A3 98D6FA77 MOV DWORD PTR DS:,EAX
77F45C43 5B POP EBX
77F45C44 5E POP ESI
77F45C45 5F POP EDI
77F45C46 C9 LEAVE
77F45C47 C3 RETN
77F45C48 44 INC ESP
77F45C49 65:6C INS BYTE PTR ES:,DX ; I/O 命令
77F45C4B 65:74 65 JE SHORT 77F45CB3 ; 多余的前缀
77F45C4E 54 PUSH ESP
77F45C4F 696D 65 7251756>IMUL EBP,DWORD PTR SS:,65755172
77F45C56 75 65 JNZ SHORT 77F45CBD
77F45C58 54 PUSH ESP
77F45C59 696D 65 7200909>IMUL EBP,DWORD PTR SS:,90900072
77F45C60 43 INC EBX
77F45C61 68 616E6765 PUSH 65676E61
77F45C66 54 PUSH ESP
77F45C67 696D 65 7251756>IMUL EBP,DWORD PTR SS:,65755172
77F45C6E 75 65 JNZ SHORT 77F45CD5
77F45C70 54 PUSH ESP
77F45C71 696D 65 7200909>IMUL EBP,DWORD PTR SS:,90900072
77F45C78 43 INC EBX
77F45C79 72 65 JB SHORT 77F45CE0
77F45C7B 61 POPAD
77F45C7C 74 65 JE SHORT 77F45CE3
77F45C7E 54 PUSH ESP
77F45C7F 696D 65 7251756>IMUL EBP,DWORD PTR SS:,65755172
77F45C86 75 65 JNZ SHORT 77F45CED
77F45C88 54 PUSH ESP
77F45C89 696D 65 7200909>IMUL EBP,DWORD PTR SS:,90900072
77F45C90 44 INC ESP
77F45C91 65:6C INS BYTE PTR ES:,DX ; I/O 命令
77F45C93 65:74 65 JE SHORT 77F45CFB ; 多余的前缀
77F45C96 54 PUSH ESP
77F45C97 696D 65 7251756>IMUL EBP,DWORD PTR SS:,65755172
77F45C9E 75 65 JNZ SHORT 77F45D05
77F45CA0 0090 90904372 ADD BYTE PTR DS:,DL
77F45CA6 65:61 POPAD ; 多余的前缀
77F45CA8 74 65 JE SHORT 77F45D0F
77F45CAA 54 PUSH ESP
77F45CAB 696D 65 7251756>IMUL EBP,DWORD PTR SS:,65755172
77F45CB2 75 65 JNZ SHORT 77F45D19
77F45CB4 008B 356813F4 ADD BYTE PTR DS:,CL
77F45CBA^ 77 BF JA SHORT 77F45C7B
77F45CBC 60 PUSHAD
77F45CBD D2FA SAR DL,CL
77F45CBF 77 57 JA SHORT 77F45D18
77F45CC1 891D FCD2FA77 MOV DWORD PTR DS:,EBX
77F45CC7 C705 60D2FA77 9>MOV DWORD PTR DS:,9C
77F45CD1 FFD6 CALL ESI
77F45CD3 85C0 TEST EAX,EAX
77F45CD5^ 0F85 E8EBFFFF JNZ 77F448C3
77F45CDB^ E9 0CE9FFFF JMP 77F445EC
77F45CE0 391D 70D2FA77 CMP DWORD PTR DS:,EBX
77F45CE6^ 0F84 3AEAFFFF JE 77F44726
77F45CEC^ E9 A1F0FFFF JMP 77F44D92
77F45CF1 90 NOP
77F45CF2 90 NOP
77F45CF3 90 NOP
77F45CF4 90 NOP
77F45CF5 90 NOP
77F45CF6 8BFF MOV EDI,EDI
77F45CF8 56 PUSH ESI
77F45CF9 6A 07 PUSH 7
77F45CFB 33F6 XOR ESI,ESI
77F45CFD E8 B9060000 CALL 77F463BB
77F45D02 85C0 TEST EAX,EAX
77F45D04 0F84 BCFC0200 JE 77F759C6
77F45D0A 33F6 XOR ESI,ESI
77F45D0C 46 INC ESI
77F45D0D 8BC6 MOV EAX,ESI
77F45D0F 5E POP ESI
77F45D10 C3 RETN
77F45D11 85C0 TEST EAX,EAX
77F45D13^ 74 F8 JE SHORT 77F45D0D
77F45D15^ EB F3 JMP SHORT 77F45D0A
77F45D17 90 NOP
77F45D18 90 NOP
77F45D19 90 NOP
77F45D1A 90 NOP
77F45D1B 90 NOP
77F45D1C- FF25 0810F477 JMP DWORD PTR DS: ; msvcrt._initterm
77F45D22 394E 0C CMP DWORD PTR DS:,ECX
77F45D25 75 3D JNZ SHORT 77F45D64
77F45D27 6A 03 PUSH 3
77F45D29 59 POP ECX
77F45D2A 8D7D F4 LEA EDI,DWORD PTR SS:
77F45D2D 33C0 XOR EAX,EAX
77F45D2F F3:66:A7 REPE CMPS WORD PTR ES:,WORD PTR DS:>
77F45D32 75 30 JNZ SHORT 77F45D64
77F45D34 E9 6F890200 JMP 77F6E6A8
77F45D39 90 NOP
77F45D3A 90 NOP
77F45D3B 90 NOP
77F45D3C 90 NOP
77F45D3D 90 NOP
77F45D3E 8BFF MOV EDI,EDI
77F45D40 55 PUSH EBP
77F45D41 8BEC MOV EBP,ESP
77F45D43 83EC 0C SUB ESP,0C
77F45D46 A1 48D2FA77 MOV EAX,DWORD PTR DS:
77F45D4B 56 PUSH ESI
77F45D4C 8B75 08 MOV ESI,DWORD PTR SS:
77F45D4F 57 PUSH EDI
77F45D50 8945 FC MOV DWORD PTR SS:,EAX
77F45D53 33C9 XOR ECX,ECX
77F45D55 33C0 XOR EAX,EAX
77F45D57 394E 08 CMP DWORD PTR DS:,ECX
77F45D5A 884D F4 MOV BYTE PTR SS:,CL
77F45D5D 8D7D F5 LEA EDI,DWORD PTR SS:
77F45D60 AB STOS DWORD PTR ES:
77F45D61 AA STOS BYTE PTR ES:
77F45D62^ 74 BE JE SHORT 77F45D22
77F45D64 33C0 XOR EAX,EAX
77F45D66 8B4D FC MOV ECX,DWORD PTR SS:
77F45D69 5F POP EDI
77F45D6A 5E POP ESI
77F45D6B E8 B0E2FFFF CALL 77F44020
77F45D70 C9 LEAVE
77F45D71 C2 0400 RETN 4
77F45D74 90 NOP
77F45D75 90 NOP
77F45D76 90 NOP
77F45D77 90 NOP
77F45D78 90 NOP
77F45D79 8BFF MOV EDI,EDI
77F45D7B 55 PUSH EBP
77F45D7C 8BEC MOV EBP,ESP
77F45D7E 83EC 34 SUB ESP,34
77F45D81 A1 48D2FA77 MOV EAX,DWORD PTR DS:
77F45D86 33C9 XOR ECX,ECX
77F45D88 53 PUSH EBX
77F45D89 8B5D 08 MOV EBX,DWORD PTR SS:
77F45D8C 3BD9 CMP EBX,ECX
77F45D8E 57 PUSH EDI
77F45D8F 8B7D 0C MOV EDI,DWORD PTR SS:
77F45D92 8945 FC MOV DWORD PTR SS:,EAX
77F45D95 895D CC MOV DWORD PTR SS:,EBX
77F45D98 C745 F0 0100000>MOV DWORD PTR SS:,1
77F45D9F 894D E4 MOV DWORD PTR SS:,ECX
77F45DA2 897D D4 MOV DWORD PTR SS:,EDI
77F45DA5 894D D8 MOV DWORD PTR SS:,ECX
77F45DA8 894D E0 MOV DWORD PTR SS:,ECX
77F45DAB 894D DC MOV DWORD PTR SS:,ECX
77F45DAE 74 7F JE SHORT 77F45E2F
77F45DB0 3BF9 CMP EDI,ECX
77F45DB2 7E 7B JLE SHORT 77F45E2F
77F45DB4 56 PUSH ESI
77F45DB5 33F6 XOR ESI,ESI
77F45DB7 3BF9 CMP EDI,ECX
77F45DB9 7E 28 JLE SHORT 77F45DE3
77F45DBB 8B04B3 MOV EAX,DWORD PTR DS:
77F45DBE 3948 14 CMP DWORD PTR DS:,ECX
77F45DC1 0F85 F6880200 JNZ 77F6E6BD
77F45DC7 394D E0 CMP DWORD PTR SS:,ECX
77F45DCA 75 0E JNZ SHORT 77F45DDA
77F45DCC 50 PUSH EAX
77F45DCD E8 6CFFFFFF CALL 77F45D3E
77F45DD2 85C0 TEST EAX,EAX
77F45DD4 0F85 EB880200 JNZ 77F6E6C5
77F45DDA 46 INC ESI
77F45DDB 3BF7 CMP ESI,EDI
77F45DDD 7D 04 JGE SHORT 77F45DE3
77F45DDF 33C9 XOR ECX,ECX
77F45DE1^ EB D8 JMP SHORT 77F45DBB
77F45DE3 8BC7 MOV EAX,EDI
77F45DE5 C1E0 02 SHL EAX,2
77F45DE8 50 PUSH EAX
77F45DE9 6A 40 PUSH 40
上面那个是Magic jump呢? 请版主或各位大侠帮帮手!
我是菜鸟先谢谢你们的帮助了!
到论坛里找资料,这个壳兄弟都做了超多教程来了。
[ 本帖最后由 棒棒糖 于 2006-11-30 20:56 编辑 ] 好像不是这里~ 我也是菜,望以后大家能指点。 要脱这壳要从哪入手?是不是要先学汇编呀? 返回的时机不对 根据风飘雪教程上说需要用ESP定律来脱 请注意发到相应版块讨论!
我已将其移动!
下不为例~ 想帮你,字太大,代码看的眼花。
算了。 字体是大了。
干什么这么夸张呀。。。 我认为,这个Magic jump是 JE XXXXXXXX 或是JE short XXXXXXXX
仅跟着下面就是一个xor ecx,ecx或XOR XXX,XXX什么的,呵呵
不知道对不对,老大出来纠正一下
页:
[1]
2