【Title】: Unpacking PE Spin 1.3
【Author】: 南宫涤尘
【Author's e-mail】: [email protected]
【Download】: provided as an attachment
【Packer】: Upack
【Tools used】: OD
【Author's note】: Experts, please skip this!
--------------------------------------------------------------------------------
【Detailed process】
This is a packer program, but Kaspersky flags it as malicious; that is most likely due to the packer itself, so I decided to unpack it.
PEiD identifies the packer as UPack, which I hadn't seen before, so let's handle it by hand.
Load it in OD; it stops here:
00401030 > $- E9 86470200 jmp 004257BB
00401035 . 42 79 44 77 6>ascii "ByDwing@",0
0040103E 00 db 00
0040103F 00 db 00
00401040 . 50 45 00 ascii "PE",0
00401043 00 db 00
00401044 4C db 4C ; CHAR 'L'
First use the manual-unpacking method: the program is only allowed to run downward, and whenever an upward (backward) jump is encountered, press F4 on the line right below it.
Tracing onward:
004257BB BE 88014000 mov esi, 00400188 ; ASCII "8ZB"
004257C0 AD lods dword ptr [esi]
004257C1 8BF8 mov edi, eax
004257C3 95 xchg eax, ebp
004257C4 AD lods dword ptr [esi]
004257C5 91 xchg eax, ecx
004257C6 F3:A5 rep movs dword ptr es:[edi], dword p>
004257C8 AD lods dword ptr [esi]
004257C9 B5 1C mov ch, 1C
004257CB F3:AB rep stos dword ptr es:[edi]
004257CD AD lods dword ptr [esi]
004257CE 50 push eax
004257CF 97 xchg eax, edi
004257D0 51 push ecx
004257D1 58 pop eax
004257D2 8D5485 5C lea edx, dword ptr [ebp+eax*4+5C]
004257D6 FF16 call dword ptr [esi]
004257D8 72 57 jb short 00425831
004257DA 2C 03 sub al, 3
004257DC 73 02 jnb short 004257E0
004257DE B0 00 mov al, 0
004257E0 3C 07 cmp al, 7
004257E2 72 02 jb short 004257E6
004257E4 2C 03 sub al, 3
004257E6 50 push eax
......
0042593D 5F pop edi
0042593E E3 1B jecxz short 0042595B
00425940 8A07 mov al, byte ptr [edi]
00425942 47 inc edi
00425943 04 18 add al, 18
00425945 3C 02 cmp al, 2
00425947 ^ 73 F7 jnb short 00425940
00425949 8B07 mov eax, dword ptr [edi]
0042594B 3C 09 cmp al, 9
0042594D ^ 75 F1 jnz short 00425940
0042594F B0 00 mov al, 0
00425951 0FC8 bswap eax
00425953 0346 1C add eax, dword ptr [esi+1C]
00425956 2BC7 sub eax, edi
00425958 AB stos dword ptr es:[edi]
00425959 ^ E2 E5 loopd short 00425940
0042595B 8B5E 34 mov ebx, dword ptr [esi+34]
0042595E 8B76 38 mov esi, dword ptr [esi+38]
00425961 46 inc esi ; PESpin_v.0041AFFF
When execution reaches here:
00425971 AC lods byte ptr [esi]
00425972 84C0 test al, al
00425974 ^ 75 FB jnz short 00425971
00425976 3806 cmp byte ptr [esi], al
00425978 ^ 74 E7 je short 00425961
0042597A 8BC6 mov eax, esi
0042597C 79 05 jns short 00425983
0042597E 46 inc esi
0042597F 33C0 xor eax, eax
00425981 66:AD lods word ptr [esi]
00425983 50 push eax
00425984 55 push ebp
00425985 > FF13 call dword ptr [ebx] ;kernel32.GetProcAddress
00425987 AB stos dword ptr es:[edi]
00425988 ^ EB E7 jmp short 00425971
Now look at the registers:
EAX 0041B011 ASCII "ImageList_LoadImage"
ECX 7C801BF6 kernel32.7C801BF6
EDX 00160608
EBX 00425A0C <&KERNEL32.GetProcAddress>
ESP 0013FFBC
EBP 77180000 offset COMCTL32.#237
ESI 0041B011 ASCII "ImageList_LoadImage"
EDI 0041A000 PESpin_v.0041A000
EIP 00425985
Watching inside the loop, each time execution reaches 00425985 EAX holds a different API function address, so I guessed this might be where the import table is restored.
But this loop cannot be stepped over, otherwise the program simply runs.
A quick look shows that the last API to appear is EnableWindow, so set a conditional breakpoint at 00425985: bp 00425985, eax==0041b3ef
(0041b3ef is the address of EnableWindow). This saves the trouble of single-stepping all over again if the program accidentally runs off.
Once all the APIs have been restored, one jump is taken; single-step to here:
00425961 46 inc esi ; PESpin_v.0041B3FC
00425962 AD lods dword ptr [esi]
00425963 85C0 test eax, eax
00425965 - 0F84 6A3FFEFF je 004098D5 ; jumps to OEP
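As an added example (not code from the original post), the following Python re-implements what the loop at 00425961-00425988 does, as read from the listing: walk a name table one DLL record at a time, skip each name to its NUL, treat a byte with the sign bit set (the jns at 0042597C) as an ordinal import, and record the value GetProcAddress returns at the IAT slot that stos writes. The record layout, the per-DLL IAT slot dword, and the LoadLibraryA call are assumptions, since the post does not show lines 00425966-00425970; the module bases and export addresses are constructed stand-ins, not real ones. The result is the mapping an IAT rebuild from a dump has to reproduce.

```python
import struct

# Constructed stand-ins for LoadLibraryA / GetProcAddress: module base plus an
# export table with made-up addresses. Only the walking logic mirrors the listing.
FAKE_MODULES = {
    b"KERNEL32.dll": (0x7C800000, {b"CreateMutexA": 0x7C80EA11,
                                    b"GetModuleHandleA": 0x7C80B741}),
    b"COMCTL32.dll": (0x77180000, {b"ImageList_LoadImage": 0x771A1234,
                                    237: 0x771A5678}),
    b"USER32.dll":   (0x7E410000, {b"MessageBoxA": 0x7E450838,
                                    b"EnableWindow": 0x7E423B8F}),
}


def fake_load_library(name):
    """Stand-in for LoadLibraryA: returns the module base (EBP in the listing)."""
    return FAKE_MODULES[name][0]


def fake_get_proc_address(module_base, name_or_ordinal):
    """Stand-in for GetProcAddress: looks up by name (bytes) or ordinal (int)."""
    for base, exports in FAKE_MODULES.values():
        if base == module_base:
            return exports[name_or_ordinal]
    raise KeyError(name_or_ordinal)


def walk_upack_import_table(table, image_base, load=fake_load_library,
                            resolve=fake_get_proc_address):
    """
    Re-implements the loop at 00425961-00425988 as read from the listing.
    Record layout assumed from that code (hypothetical, inferred):

      dword   RVA of this DLL's first IAT slot; 0 terminates the table
              (assumption: the listing only shows EDI advancing by stos)
      string  DLL name, NUL-terminated, loaded -> module base in EBP (assumption)
      entries each either  name NUL              -> GetProcAddress(EBP, name)
                     or    byte>=0x80, u16, NUL  -> GetProcAddress(EBP, ordinal)
      NUL     an extra NUL (double NUL) ends the DLL's entry list

    Returns {iat_va: (dll, symbol, resolved_address)}: the writes performed by
    the stos at 00425987.
    """
    iat = {}
    pos = 0
    while True:
        (first_thunk,) = struct.unpack_from("<I", table, pos)    # lods dword
        pos += 4
        if first_thunk == 0:                                      # test eax,eax / je OEP
            return iat
        end = table.index(b"\0", pos)                             # 00425971: skip to NUL
        dll = table[pos:end]
        pos = end + 1
        module_base = load(dll)                                   # assumed LoadLibraryA
        edi = image_base + first_thunk
        while table[pos] != 0:                                    # 00425976 cmp [esi],0
            if table[pos] >= 0x80:                                # 0042597C jns not taken
                pos += 1                                          # inc esi: skip flag byte
                (symbol,) = struct.unpack_from("<H", table, pos)  # lods word: ordinal
                pos += 2
            else:
                end = table.index(b"\0", pos)                     # eax = esi -> name
                symbol = table[pos:end]
                pos = end
            pos += 1                                              # consume the entry's NUL
            iat[edi] = (dll, symbol, resolve(module_base, symbol))  # call [ebx]; stos
            edi += 4
        pos += 1                                                  # je 00425961 -> inc esi


def build_table(records):
    """Serialises (first_thunk_rva, dll, [symbols]) triples in the layout above.
    Constructed test data: ordinals are ints, names are bytes."""
    out = bytearray()
    for rva, dll, symbols in records:
        out += struct.pack("<I", rva) + dll + b"\0"
        for s in symbols:
            if isinstance(s, int):
                out += b"\x80" + struct.pack("<H", s) + b"\0"
            else:
                out += s + b"\0"
        out += b"\0"
    out += struct.pack("<I", 0)
    return bytes(out)


# Constructed sample table; 0x1A000 matches the first IAT slot (EDI) seen in the post.
SAMPLE = build_table([
    (0x1A000, b"KERNEL32.dll", [b"CreateMutexA", b"GetModuleHandleA"]),
    (0x1A00C, b"COMCTL32.dll", [b"ImageList_LoadImage", 237]),
    (0x1A018, b"USER32.dll", [b"MessageBoxA", b"EnableWindow"]),
])

if __name__ == "__main__":
    for va, (dll, sym, addr) in sorted(walk_upack_import_table(SAMPLE, 0x400000).items()):
        name = f"#{sym}" if isinstance(sym, int) else sym.decode()
        print(f"{va:08X} -> {dll.decode()}!{name} = {addr:08X}")
```

Running it prints one line per IAT slot. Against a real dump you would replace the two stand-ins with lookups into the loaded module's export directory and feed the table bytes taken from the address in [esi+38]; the walking logic itself stays the same.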
Follow that last jump and we arrive here:
004098D5 68 db 68 ; CHAR 'h'
004098D6 84 db 84
004098D7 D0 db D0
004098D8 40 db 40 ; CHAR '@'
004098D9 00 db 00
004098DA 6A db 6A ; CHAR 'j'
004098DB 00 db 00
004098DC 6A db 6A ; CHAR 'j'
004098DD 00 db 00
004098DE E8 db E8
004098DF C1 db C1
004098E0 07 db 07
004098E1 00 db 00
What is this mess? Don't panic: right-click -> "Analysis" -> "Remove analysis from module",
and it turns into this:
004098D5 68 84D04000 push 0040D084 ; ASCII "PE_SPIN_v1.3"
004098DA 6A 00 push 0
004098DC 6A 00 push 0
004098DE E8 C1070000 call 0040A0A4 ; jmp to kernel32.CreateMutexA
004098E3 E8 E6070000 call 0040A0CE ; jmp to ntdll.RtlGetLastWin32Error
004098E8 3D B7000000 cmp eax, 0B7
004098ED 75 1E jnz short 0040990D
004098EF 68 44010000 push 144
004098F4 68 D0D04000 push 0040D0D0 ; ASCII "友情提示"
004098F9 68 AAD04000 push 0040D0AA
004098FE 6A 00 push 0
00409900 E8 95080000 call 0040A19A ; jmp to USER32.MessageBoxA
00409905 2C 07 sub al, 7
00409907 74 3F je short 00409948
00409909 90 nop
0040990A 90 nop
0040990B 90 nop
0040990C 90 nop
0040990D 8B4424 0C mov eax, dword ptr [esp+C]
00409911 6A 00 push 0
00409913 E8 C2070000 call 0040A0DA ; jmp to kernel32.GetModuleHandleA
This looks like the OEP. Dump it with an OD plugin; the program runs normally, and the unpacking is done.
--------------------------------------------------------------------------------
【Copyright notice】: Please credit the author and keep the article intact when reposting. Thanks!
September 24, 2007, 23:33:13