手脱ExeStealth v2.76系列片
本帖最后由 cjteam 于 2010-8-1 19:41 编辑
本人是壳盲,菜鸟一个,大牛不经意看到了请指点一下,同时希望能给比我菜的朋友一个引导学习的方法,估计没有比我菜的 :).
关于加壳保护设置:因为我们是练习手脱,而且我们在脱之前未掌握任何知识,只知道一个观念——避开所有的XX到达OEP就是目标,因此遇到回跳不要跟着跳回去,在回跳的下一行F4。OK,开始我们的工作吧.
用看雪的OD即可,大部分的OD应该都是ok的,设置忽略所有异常,无需隐藏OD。
00464060 > /EB 65 jmp short 004640C7 //OD载入后停在这.F7单步
00464062 |45 inc ebp
00464063 |78 65 js short 004640CA
00464065 |53 push ebx
00464066 |74 65 je short 004640CD
00464068 |61 popad
00464069 |6C ins byte ptr es:, dx
0046406A |74 68 je short 004640D4
0046406C |2056 32 and byte ptr , dl
----------------------------------------------------
004640C7 60 pushad //F7单步
004640C8 E8 00000000 call 004640CD //近call,F7;以后一直是单步F7,用到F8的地方会写出来
004640CD 5D pop ebp
004640CE 81ED 40284000 sub ebp, 00402840
004640D4 B9 16000000 mov ecx, 16
004640D9 83C1 04 add ecx, 4
004640DC 83C1 01 add ecx, 1
004640DF EB 05 jmp short 004640E6
004640E1- EB FE jmp short 004640E1
004640E3 83C7 56 add edi, 56
004640E6 EB 00 jmp short 004640E8
004640E8 EB 00 jmp short 004640EA
004640EA 83E9 02 sub ecx, 2
004640ED 81C1 78432765 add ecx, 65274378
004640F3 EB 00 jmp short 004640F5
......
0046413F 2C CE sub al, 0CE
00464141 04 10 add al, 10
00464143 F9 stc
00464144 2C 4F sub al, 4F
00464146 AA stos byte ptr es:
00464147^ E2 C7 loopd short 00464110 //这里有个循环,我们在下面一行F4
00464149 A9 603E38A1 test eax, A1383E60
0046414E 58 pop eax
0046414F 36:3091 CC188BE>xor byte ptr ss:, dl
0046417D 8D85 D3274000 lea eax, dword ptr
00464183 B9 10070000 mov ecx, 710
00464188 E8 41020000 call 004643CE
0046418D 8985 41304000 mov dword ptr , eax
00464193 8B85 39304000 mov eax, dword ptr
00464199 83E0 01 and eax, 1
0046419C 74 40 je short 004641DE //这里不跳,下面会有int3异常,这是经过多次单步跟踪发现的:在跳转目标004641DE上按enter跟随过去,F2下断,再SHIFT+F9.
0046419E 8DB5 B1314000 lea esi, dword ptr
004641A4 8D85 3E294000 lea eax, dword ptr
004641AA 8946 08 mov dword ptr , eax
004641AD 8BFD mov edi, ebp
004641AF 8D85 CF2F4000 lea eax, dword ptr
004641B5 33DB xor ebx, ebx
004641B7 50 push eax
004641B8 64:FF33 push dword ptr fs:
004641BB 64:8923 mov dword ptr fs:, esp
004641BE BD 4B484342 mov ebp, 4243484B
004641C3 66:B8 0400 mov ax, 4
004641C7 EB 01 jmp short 004641CA
004641C9 FFCC dec esp
004641CB 8BEF mov ebp, edi
004641CD 33DB xor ebx, ebx
004641CF 64:8F03 pop dword ptr fs:
004641D2 83C4 04 add esp, 4
004641D5 3C 04 cmp al, 4
004641D7 74 05 je short 004641DE
004641D9 EB 01 jmp short 004641DC
004641DB- E9 61C38B85 jmp 85D20541
004641E0 3130 xor dword ptr , esi
004641E2 40 inc eax
004641E3 0003 add byte ptr , al
004641E5 40 inc eax
004641E6 3C 05 cmp al, 5
004641E8 8000 00 add byte ptr , 0
004641EB 008B 08038D31 add byte ptr , cl
004641DE 8B85 31304000 mov eax, dword ptr //到了这里F8走吧,加快点速度,呵呵
004641E4 0340 3C add eax, dword ptr
004641E7 05 80000000 add eax, 80
004641EC 8B08 mov ecx, dword ptr
004641EE 038D 31304000 add ecx, dword ptr
004641F4 83C1 10 add ecx, 10
004641F7 8B01 mov eax, dword ptr
004641F9 0385 31304000 add eax, dword ptr
004641FF 8B18 mov ebx, dword ptr
00464201 899D BD314000 mov dword ptr , ebx
00464207 83C0 04 add eax, 4
0046420A 8B18 mov ebx, dword ptr
0046420C 899D C1314000 mov dword ptr , ebx
00464212 8D85 C5314000 lea eax, dword ptr
00464218 50 push eax
00464219 FF95 BD314000 call dword ptr
....
004646E9 8339 00 cmp dword ptr , 0
004646EC^ 0F85 34FFFFFF jnz 00464626 //这一段是处理IAT的,我们选择的保护不涉及这个。这是回跳,不跟
004646F2 83C6 0C add esi, 0C //F4走吧,因为我们是菜鸟,不知道什么叫处理IAT,呵呵
004646F5 837E 04 00 cmp dword ptr , 0
004646F9^ 0F85 B4FEFFFF jnz 004645B3
004646FF 33C0 xor eax, eax //F4
00464701 40 inc eax
00464702 83F8 01 cmp eax, 1
00464705 74 02 je short 00464709 //这里跳走了
00464707 61 popad //如果在这里F4程序就跑飞,呵呵,别偷懒.慢慢来.
00464708 C3 retn
........
004643CE 8BF8 mov edi, eax ; no.<模块入口点> //上面还需要走一会儿就来到这里了,
004643D0 33C0 xor eax, eax
004643D2 33DB xor ebx, ebx
004643D4 33D2 xor edx, edx
004643D6 8A07 mov al, byte ptr
004643D8 F7E2 mul edx
004643DA 03D8 add ebx, eax
004643DC 42 inc edx
004643DD 47 inc edi
004643DE^ E2 F6 loopd short 004643D6 //循环,ecx=00000710,直到ecx=1结束循环。从代码看它是把上面传入的710个字节逐个取出、乘以edx再累加到ebx,应该是对这段代码的校验和(mul edx会改写edx,所以权值并不是一直递增的),结果由下面的xchg放进eax返回
004643E0 93 xchg eax, ebx //F4
004643E1 C3 retn
004643E2 53 push ebx
004643E3 FF95 40324000 call dword ptr
...
00464740 /EB 01 jmp short 00464743 //retn返回到这里
00464742 |C7 ??? ; 未知命令
00464743 \8B9D 41304000 mov ebx, dword ptr //jmp到这里,我们在转存跟随看下,发现我们的OEP已经出现了
00464749 33C3 xor eax, ebx //异或后
0046474B 74 08 je short 00464755 ; //这里不跳就去int3了,我们要让它跳,这是多次跟踪发现的问题.
------
004648BE00400000ASCII "MZP" //转存跟随
004648C200050DA8 //OEP
004648C600000001
004648CA00000000
004648CE00028867
--------------------------------------------
00464755 8DBD E32E4000 lea edi, dword ptr //跳过后来到这里.
0046475B 8BF7 mov esi, edi
0046475D B9 E0000000 mov ecx, 0E0
00464762 33DB xor ebx, ebx
00464764 AC lods byte ptr
00464765 34 61 xor al, 61
00464767 2AC3 sub al, bl
00464769 C0C0 02 rol al, 2
0046476C AA stos byte ptr es:
0046476D 43 inc ebx
0046476E^ E2 F4 loopd short 00464764 //此时ecx为固定值0E0,减到2就快结束循环了.
00464770 8D85 71324000 lea eax, dword ptr //直接F4
00464776 50 push eax
00464777 FFB5 D2314000 push dword ptr
0046477D FF95 C1314000 call dword ptr
00464783 0BC0 or eax, eax
00464785 74 08 je short 0046478F
00464787 FFD0 call eax //这里出现了IsDebuggerPresent,经过多次跟踪我们可以知道这是反调试了,可以bp IsDebuggerPresent.
00464789 0BC0 or eax, eax
0046478B 74 02 je short 0046478F //这里
0046478D 61 popad
0046478E C3 retn //返回退出
0046478F F785 39304000 0>test dword ptr , 1
00464799 74 4F je short 004647EA //不跳就退出
......
00464825 32C0 xor al, al
00464827 8DBD D3274000 lea edi, dword ptr
0046482D B9 93070000 mov ecx, 793
00464832 AA stos byte ptr es:
00464833^ E2 FD loopd short 00464832
00464835 8DBD C32F4000 lea edi, dword ptr //F4
0046483B B9 C0020000 mov ecx, 2C0
00464840 AA stos byte ptr es:
00464841^ E2 FD loopd short 00464840
00464843 61 popad //F4
00464844 50 push eax
00464845 33C0 xor eax, eax
00464847 64:FF30 push dword ptr fs:
0046484A 64:8920 mov dword ptr fs:, esp
0046484D EB 01 jmp short 00464850 //之后就一直F8,虽然有个小异常,但是我们还是到了OEP
0046484F 87EB xchg ebx, ebp
00464851 04 C6 add al, 0C6
00464853 0000 add byte ptr , al
00464855 40 inc eax
00464856 8038 00 cmp byte ptr , 0
00464859^ 75 F7 jnz short 00464852
0046485B C3 retn
-----------------------
00450DA0 0000 add byte ptr , al
00450DA2 0000 add byte ptr , al
00450DA4 A0 0B450055 mov al, byte ptr //这里是壳处理了OEP第一个字节的结果(真正的OEP在00450DA8),我们可以dump,用ImportREC修复,完工了,
00450DA9 8BEC mov ebp, esp //到了这里,熟悉点OEP就知道是DELPHI了,
00450DAB 83C4 F0 add esp, -10
00450DAE B8 C80B4500 mov eax, 00450BC8
00450DB3 E8 104EFBFF call 00405BC8
00450DB8 A1 24204500 mov eax, dword ptr
00450DBD 8B00 mov eax, dword ptr
00450DBF E8 98E1FFFF call 0044EF5C
00450DC4 8B0D 04214500 mov ecx, dword ptr ; no.00453BD0
00450DCA A1 24204500 mov eax, dword ptr
00450DCF 8B00 mov eax, dword ptr
00450DD1 8B15 FC044500 mov edx, dword ptr ; no.00450548
00450DD7 E8 98E1FFFF call 0044EF74
00450DDC A1 24204500 mov eax, dword ptr
00450DE1 8B00 mov eax, dword ptr
00450DE3 E8 0CE2FFFF call 0044EFF4
00450DE8 E8 332FFBFF call 00403D20
00450DED 8D40 00 lea eax, dword ptr
00450DF0 0000 add byte ptr , al
00450DF2 0000 add byte ptr , al
API重写保护
-----------------------------
00464060 > /EB 65 jmp short 004640C7 //OD载入后在这停下。F7
00464062 |45 inc ebp
00464063 |78 65 js short 004640CA
00464065 |53 push ebx
00464066 |74 65 je short 004640CD
00464068 |61 popad
00464069 |6C ins byte ptr es:, dx
0046406A |74 68 je short 004640D4
0046406C |2056 32 and byte ptr , dl
0046406F |202D 20909090 and byte ptr , ch
00464075 |90 nop
00464076 |90 nop
00464077 |65:62746F 6F bound esi, qword ptr gs:
..........
00464145 F9 stc
00464146 AA stos byte ptr es:
00464147^ E2 C7 loopd short 00464110 //可以在这里F4,
00464149 8B4424 20 mov eax, dword ptr //接着这里F4,因为前面我们已经调试多次了,熟悉了
0046414D 8B4424 20 mov eax, dword ptr
00464151 83C0 0E add eax, 0E
00464154 83E8 0E sub eax, 0E
00464157 83C0 0E add eax, 0E
0046415A 83E8 0E sub eax, 0E
0046415D 40 inc eax
0046415E 78 1D js short 0046417D
00464160 C785 45304000 0>mov dword ptr , 1
0046416A EB 11 jmp short 0046417D
0046416C 8B4424 20 mov eax, dword ptr
00464170 83C0 0E add eax, 0E
00464173 83E8 0E sub eax, 0E
00464176 83C0 0E add eax, 0E
00464179 83E8 0E sub eax, 0E
0046417C 40 inc eax
0046417D 8D85 D3274000 lea eax, dword ptr
00464183 B9 10070000 mov ecx, 710
00464188 E8 41020000 call 004643CE
0046418D 8985 41304000 mov dword ptr , eax
00464193 8B85 39304000 mov eax, dword ptr
00464199 83E0 01 and eax, 1
0046419C 74 40 je short 004641DE //在这里按enter跟随到004641DE
0046419E 8DB5 B1314000 lea esi, dword ptr
004641A4 8D85 3E294000 lea eax, dword ptr
004641AA 8946 08 mov dword ptr , eax
004641AD 8BFD mov edi, ebp
004641AF 8D85 CF2F4000 lea eax, dword ptr
004641B5 33DB xor ebx, ebx
004641B7 50 push eax
004641B8 64:FF33 push dword ptr fs:
004641BB 64:8923 mov dword ptr fs:, esp
004641BE BD 4B484342 mov ebp, 4243484B
004641C3 66:B8 0400 mov ax, 4
004641C7 EB 01 jmp short 004641CA
004641C9 FFCC dec esp //INT3异常,无论F7,F8都过不去,
004641CB 8BEF mov ebp, edi
004641CD 33DB xor ebx, ebx
004641CF 64:8F03 pop dword ptr fs:
004641D2 83C4 04 add esp, 4
004641D5 3C 04 cmp al, 4
004641D7 74 05 je short 004641DE
004641D9 EB 01 jmp short 004641DC
------------------------
004641DE 8B85 31304000 mov eax, dword ptr //F2下断,SHIFT+F9运行到这里,继续F8
004641E4 0340 3C add eax, dword ptr
004641E7 05 80000000 add eax, 80
004641EC 8B08 mov ecx, dword ptr
004641EE 038D 31304000 add ecx, dword ptr
004641F4 83C1 10 add ecx, 10
004641F7 8B01 mov eax, dword ptr
004641F9 0385 31304000 add eax, dword ptr
004641FF 8B18 mov ebx, dword ptr
00464201 899D BD314000 mov dword ptr , ebx
00464207 83C0 04 add eax, 4
-----------------------
004646E9 8339 00 cmp dword ptr , 0
004646EC^ 0F85 34FFFFFF jnz 00464626
004646F2 83C6 0C add esi, 0C //F4
004646F5 837E 04 00 cmp dword ptr , 0
004646F9^ 0F85 B4FEFFFF jnz 004645B3
004646FF 33C0 xor eax, eax //F4,之后一直F8
00464701 40 inc eax
00464702 83F8 01 cmp eax, 1
00464705 74 02 je short 00464709
00464707 61 popad
00464708 C3 retn
00464709 F785 39304000 0>test dword ptr , 2
00464713 74 18 je short 0046472D
00464715 8BBD 31304000 mov edi, dword ptr
0046471B 037F 3C add edi, dword ptr
0046471E 8B4F 54 mov ecx, dword ptr
00464721 8BB5 31304000 mov esi, dword ptr
00464727 C606 00 mov byte ptr , 0
0046472A 46 inc esi
0046472B^ E2 FA loopd short 00464727
0046472D 8D85 D3274000 lea eax, dword ptr
00464733 B9 10070000 mov ecx, 710
00464738 EB 01 jmp short 0046473B
0046473A- E9 E88EFCFF jmp 0042D627
...
0046473B E8 8EFCFFFF call 004643CE //F8到这里,保险起见一般用F7;接下来还是几个F8,一个F4
00464740 EB 01 jmp short 00464743
00464742 C7 ??? ; 未知命令
00464743 8B9D 41304000 mov ebx, dword ptr //ss:=0002966B,ebx=000000F4,eax=0002962A
00464749 33C3 xor eax, ebx //异或后eax=00000041,不为0,下面的je就不跳,程序就退出
0046474B 74 08 je short 00464755 ; 000
0046474D EB 01 jmp short 00464750
0046474F 2C 61 sub al, 61
00464751 EB 01 jmp short 00464754
00464753 E8 C38DBDE3 call E403D51B
------------------------
转存跟随可以看见OEP,我们可以去OEP看看。应该在这之前就注意一下,这或许就是所谓的dump时机。
004648BE00400000ASCII "MZP"
004648C200050DA8 //OEP
004648C600000021
004648CA00000000
004648CE0002966B
004648D200000001
004648D600054700
004648DA0005412C
004648DE00000000
004648E200054978
004648E6000541B8
-----------------------
00464762 33DB xor ebx, ebx
00464764 AC lods byte ptr
00464765 34 61 xor al, 61
00464767 2AC3 sub al, bl
00464769 C0C0 02 rol al, 2
0046476C AA stos byte ptr es:
0046476D 43 inc ebx
0046476E^ E2 F4 loopd short 00464764
00464770 8D85 71324000 lea eax, dword ptr //F4,地址=00464AFE, (ASCII "IsDebuggerPresent"),eax=00000087
00464776 50 push eax //反调试了,壳是在进OEP之前进行反调试,以及处理OEP的第一个字节
00464777 FFB5 D2314000 push dword ptr
0046477D FF95 C1314000 call dword ptr
00464783 0BC0 or eax, eax
00464785 74 08 je short 0046478F //跳
00464787 FFD0 call eax
00464789 0BC0 or eax, eax
0046478B 74 02 je short 0046478F
0046478D 61 popad
0046478E C3 retn
0046478F F785 39304000 0>test dword ptr , 1 //这里内存中的值=00000021,把它改为0,下面的je就跳了。
00464799 74 4F je short 004647EA //不跳就会调用异常退出.
...............
004647EA 90 nop
004647EB 8D85 982F4000 lea eax, dword ptr
004647F1 50 push eax
004647F2 C3 retn
004647F3 55 push ebp
004647F4 8BEC mov ebp, esp
004647F6 57 push edi
004647F7 8B45 10 mov eax, dword ptr
004647FA 8BB8 C4000000 mov edi, dword ptr
00464800 FF37 push dword ptr
00464802 33FF xor edi, edi
00464804 64:8F07 pop dword ptr fs:
00464807 8380 C4000000 0>add dword ptr , 8
0046480E 8BB8 A4000000 mov edi, dword ptr
00464814 C1C7 07 rol edi, 7
00464817 89B8 B8000000 mov dword ptr , edi
0046481D B8 00000000 mov eax, 0
00464822 5F pop edi
00464823 C9 leave
00464824 C3 retn
00464825 32C0 xor al, al
00464827 8DBD D3274000 lea edi, dword ptr
0046482D B9 93070000 mov ecx, 793
00464832 AA stos byte ptr es: //ecx=793,直到2就快结束循环
00464833^ E2 FD loopd short 00464832
00464835 8DBD C32F4000 lea edi, dword ptr //F4
0046483B B9 C0020000 mov ecx, 2C0
00464840 AA stos byte ptr es: //直到ecx=2C0,到2就快结束循环
00464841^ E2 FD loopd short 00464840
00464843 61 popad //F4到这里,我们之前的转存显示的可爱的OEP没了。。
00464844 50 push eax
00464845 33C0 xor eax, eax
00464847 64:FF30 push dword ptr fs:
0046484A 64:8920 mov dword ptr fs:, esp
0046484D EB 01 jmp short 00464850 //此时00464850之后的代码已经被全部清空了。
0046484F 87EB xchg ebx, ebp
00464851 04 C6 add al, 0C6
00464853 0000 add byte ptr , al
00464855 40 inc eax
00464856 8038 00 cmp byte ptr , 0
00464859^ 75 F7 jnz short 00464852
0046485B C3 retn
0046485C 55 push ebp
0046485D 8BEC mov ebp, esp
0046485F 57 push edi
00464860 8B45 10 mov eax, dword ptr
00464863 8BB8 9C000000 mov edi, dword ptr
00464869 FFB7 B9314000 push dword ptr
0046486F 8F80 B8000000 pop dword ptr
00464875 89B8 B4000000 mov dword ptr , edi
0046487B C780 B0000000 0>mov dword ptr , 4
00464885 B8 00000000 mov eax, 0
0046488A 5F pop edi
------------------------------------------------------------
00464850 0000 add byte ptr , al //但是空代码可以继续F8,1次就可以来到我们的OEP了。
00464852 0000 add byte ptr , al
-------------------------
F8后来到这里(看起来是系统的异常分发代码,下面有ZwContinue).
7C92E480 8B1C24 mov ebx, dword ptr
7C92E483 51 push ecx
7C92E484 53 push ebx
7C92E485 E8 F1C00100 call 7C94A57B
7C92E48A 0AC0 or al, al
7C92E48C 74 0C je short 7C92E49A
7C92E48E 5B pop ebx
7C92E48F 59 pop ecx
7C92E490 6A 00 push 0
7C92E492 51 push ecx
7C92E493 E8 C6EBFFFF call ZwContinue
7C92E498 EB 0B jmp short 7C92E4A5 //继续几次F8来到OEP
------------------------
00450DA9 8BEC mov ebp, esp //ctrl+g到00450DA8,在此处新建eip,然后dump.
00450DAB 83C4 F0 add esp, -10 //一路走来与第一次没什么差别,只是这次写的是补充第一次不详细之处.
00450DAE B8 C80B4500 mov eax, 00450BC8
00450DB3 E8 104EFBFF call 00405BC8
00450DB8 A1 24204500 mov eax, dword ptr
00450DBD 8B00 mov eax, dword ptr
00450DBF E8 98E1FFFF call 0044EF5C
00450DC4 8B0D 04214500 mov ecx, dword ptr ; no.00453BD0
00450DCA A1 24204500 mov eax, dword ptr
00450DCF 8B00 mov eax, dword ptr
00450DD1 8B15 FC044500 mov edx, dword ptr ; no.00450548
00450DD7 E8 98E1FFFF call 0044EF74
00450DDC A1 24204500 mov eax, dword ptr
00450DE1 8B00 mov eax, dword ptr
00450DE3 E8 0CE2FFFF call 0044EFF4
00450DE8 E8 332FFBFF call 00403D20
00450DED 8D40 00 lea eax, dword ptr
00450DF0 0000 add byte ptr , al
Import REConstructor,OEP填00050DA8,获取输入表,我们发现很多无效,这就是API重定义保护(IAT加密)的效果了,我们可以简单地用等级1修复后抓取即完工.
现在我们是学习手工做,那我们来看看IAT。第一个无效的是000541B8。重新载入程序,dd 004541B8(这里我们要加上基址00400000),下硬件写入断点或内存写入断点.
第一次断下,我们在堆栈窗口可以看到,应该是把写入输入表的信息放进内存里,连续断下5次左右
0012FF7C 004644B2返回到 no.004644B2 来自 no.004644B4
0012FF80 00400100ASCII "PE"
0012FF84 00400270ASCII ".idata"
0012FF88 0006188D
0012FF8C 0012FFA0
0012FF90 00000001
0012FF94 00000003
0012FF98 0012FF4C
0012FF9C 00400000ASCII "MZP"
-----------------------------
004541B8 77D3119B user32.GetKeyboardType //转存窗口出现了写入的API,寄存器也显示了。
004541BC00054996
004541C0000549A4
004541C4000549B2
004541C800000000
004541CC000549CC
-------------------------------
00464677 /EB 19 jmp short 00464692 //删除断点,我们手工来看看是哪里出现问题,F7
00464679 |52 push edx
0046467A |51 push ecx
0046467B |8B01 mov eax, dword ptr
0046467D |2D 00000080 sub eax, 80000000
00464682 |50 push eax
00464683 |53 push ebx
00464684 |FF95 C1314000 call dword ptr
0046468A |85C0 test eax, eax
0046468C |74 74 je short 00464702
0046468E |59 pop ecx
0046468F |5A pop edx
00464690 |8902 mov dword ptr , eax
00464692 \F785 39304000 2>test dword ptr , 20 //ss:=00000021
0046469C 74 45 je short 004646E3 //没跳
0046469E 83BD 45304000 0>cmp dword ptr , 0 ss:=00000001
004646A5 74 14 je short 004646BB //没跳
004646A7 81FB 00000070 cmp ebx, 70000000 //ebx=77D10000
004646AD 72 08 jb short 004646B7 //没跳
004646AF 81FB FFFFFF77 cmp ebx, 77FFFFFF //ebx=77D10000 (user32.77D10000)
004646B5 76 0E jbe short 004646C5 //跳了
004646B7 EB 2A jmp short 004646E3
004646B9 EB 0A jmp short 004646C5
004646BB 81FB 00000080 cmp ebx, 80000000
004646C1 73 02 jnb short 004646C5
004646C3 EB 1E jmp short 004646E3
004646C5 57 push edi //edi压入
004646C6 56 push esi //esi压入
004646C7 8DBD 9F324000 lea edi, dword ptr //函数放入edi
004646CD 8B77 04 mov esi, dword ptr //
004646D0 8932 mov dword ptr , esi
004646D2 2BC6 sub eax, esi //到了这里,转存中的api就没了(上一行把esi写进了IAT),程序就是在这里出了问题的:eax-esi-5算出从esi到API的相对偏移,下面写入E9(jmp)和这个偏移,在esi处构造一个跳到API的跳转桩。
004646D4 83E8 05 sub eax, 5 //IAT里存的变成了跳转桩的地址而不是真正的API,搞得我们获取不到完整的IAT表。
004646D7 C606 E9 mov byte ptr , 0E9
004646DA 8946 01 mov dword ptr , eax
004646DD 8347 04 05 add dword ptr , 5
004646E1 5E pop esi
004646E2 5F pop edi
004646E3 83C1 04 add ecx, 4
004646E6 83C2 04 add edx, 4
004646E9 8339 00 cmp dword ptr , 0
004646EC^ 0F85 34FFFFFF jnz 00464626
004646F2 83C6 0C add esi, 0C
004646F5 837E 04 00 cmp dword ptr , 0
004646F9^ 0F85 B4FEFFFF jnz 004645B3
004646FF 33C0 xor eax, eax
00464701 40 inc eax
00464702 83F8 01 cmp eax, 1
00464705 74 02 je short 00464709
00464707 61 popad
00464708 C3 retn
00464709 F785 39304000 0>test dword ptr , 2 //
00464713 74 18 je short 0046472D
----------------------------------------------------
经过上面的单步跟踪,我们就开始尝试如何让它不去加密IAT:
0046469C 74 45 je short 004646E3 //这里修改为jmp就可以了:直接跳到004646E3,跳过了构造跳转桩、改写IAT的那段代码(004646C5-004646E2),IAT里就保留真实的API地址.
----------------------------------------------------
00464755 8DBD E32E4000 lea edi, dword ptr
0046475B 8BF7 mov esi, edi
0046475D B9 E0000000 mov ecx, 0E0
00464762 33DB xor ebx, ebx
00464764 AC lods byte ptr
00464765 34 61 xor al, 61
00464767 2AC3 sub al, bl
00464769 C0C0 02 rol al, 2
0046476C AA stos byte ptr es:
0046476D 43 inc ebx
0046476E^ E2 F4 loopd short 00464764 //再次来到反调试的地方
00464770 8D85 71324000 lea eax, dword ptr //这里在OD里显示成红色(与最开始只开反调试保护选项时不一样),也许是解码出来的?不清楚,F4
00464776 50 push eax
00464777 FFB5 D2314000 push dword ptr
0046477D FF95 C1314000 call dword ptr
00464783 0BC0 or eax, eax
00464785 74 08 je short 0046478F
00464787 FFD0 call eax
00464789 0BC0 or eax, eax
0046478B 74 02 je short 0046478F //必须跳,它有时候跳,有时候不跳.
0046478D 61 popad
0046478E C3 retn
0046478F F785 39304000 0>test dword ptr , 1 //这里应该才是反调试的关键,ss:=00000021,与只开反调试保护时的值不一样.
00464799 74 4F je short 004647EA //不管,这里必须跳.之后就是F8,F4了,跟前面一样,不重复了,
到达OEP,IAT全部有效。OK。