简单壳的脱壳

xhn1002 · 发表于 2008-9-22 17:48:22

壳本身比较简单  只是简单的加密  连压缩也没有  比较适合我这样的新手
样本在附件注意样本本身是个木马  运行后会释放一个模拟键盘的驱动
有虚拟机的最好在虚拟机里调试没有虚拟机的  按照下文一步一步跟
基本不会出现问题  自我感觉这个壳分析的应该很详尽了

[ 本帖最后由 xhn1002 于 2008-9-22 18:11 编辑 ]

xhn1002 · 发表于 2008-9-22 17:54:14

00401000 > $  64:A1 3000000>MOV EAX,DWORD PTR FS:[30]          ; ptr PEB
00401006 .  8B40 0C    MOV EAX,DWORD PTR DS:[EAX+C]    ;ptr _PEB_LDR_DATA
00401009 .  8B70 1C    MOV ESI,DWORD PTR DS:[EAX+1C]       ;InInitializationOrderModuleList
0040100C .  AD          LODS DWORD PTR DS:[ESI]             得到ntdll节点
0040100D .  8B58 08    MOV EBX,DWORD PTR DS:[EAX+8]       得到kernel32的基址
00401010 .  B9 FC304000 MOV ECX,8fc59a80.004030FC             ;  ASCII "CloseHandle"
00401015 .  E8 45000000 CALL 8fc59a80.0040105F             ;得到函数地址

00401071 > \FF35 00304000 PUSH DWORD PTR DS:[403000]             ; /MemSize = 1800 (6144.)
00401077 .  6A 40       PUSH 40                               ; |Flags = GPTR
00401079 .  E8 B0010000 CALL <JMP.&kernel32.GlobalAlloc>       ; \GlobalAlloc ;分配内存
0040107E .  85C0       TEST EAX,EAX
00401080 .  0F84 90010000 JE 8fc59a80.00401216

00401087 .  BE 70404000 MOV ESI,8fc59a80.00404070
0040108C .  8BF8       MOV EDI,EAX
0040108E .  8B0D 00304000 MOV ECX,DWORD PTR DS:[403000]
00401094 .  F3:A4       REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]  第4节 1800h字节的数据拷到新分配的内存

004010DE .  8B3424       MOV ESI,DWORD PTR SS:[ESP]
004010E1 .  8B3C24       MOV EDI,DWORD PTR SS:[ESP]
004010E4 .  8B0D 00304000 MOV ECX,DWORD PTR DS:[403000]
004010EA .  D1E9       SHR ECX,1
004010EC .  66:832D 04304>SUB WORD PTR DS:[403004],3A
004010F4 >  66:AD       LODS WORD PTR DS:[ESI]
004010F6 .  86C4       XCHG AH,AL
004010F8 .  66:3305 04304>XOR AX,WORD PTR DS:[403004]
004010FF .  66:FF05 04304>INC WORD PTR DS:[403004]
00401106 .  66:AB       STOS WORD PTR ES:[EDI]
00401108 .^ E2 EA       LOOPD SHORT 8fc59a80.004010F4             解密完后得到一个新的PE
/////////////////////////////////////////////////////////////////////////////////////
// 00142BD8  4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00  MZ?......
有些字符敏感？被截了？

[ 本帖最后由 xhn1002 于 2008-9-22 18:08 编辑 ]

xhn1002 · 发表于 2008-9-22 17:55:05

00401117 .  85C0       TEST EAX,EAX
00401119 .  0F84 F7000000 JE 8fc59a80.00401216
0040111F .  BE 2F114000 MOV ESI,8fc59a80.0040112F
00401124 .  8BF8       MOV EDI,EAX
00401126 .  B9 E7000000 MOV ECX,0E7
0040112B .  F3:A4       REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI];将JMP EAX后的指令拷到内存中去
0040112D .  FFE0       JMP EAX

00144608 8B3C24       MOV EDI,DWORD PTR SS:[ESP]                ;DOS header
0014460B 037F 3C       ADD EDI,DWORD PTR DS:[EDI+3C]             ;PE header
0014460E 8BF7          MOV ESI,EDI
00144610 8B7F 34       MOV EDI,DWORD PTR DS:[EDI+34]             ;IMAGEBASE
00144613 8B76 50       MOV ESI,DWORD PTR DS:[ESI+50]             ;SizeOfImage
00144616 03F7          ADD ESI,EDI

0014464C 8B3424       MOV ESI,DWORD PTR SS:[ESP] ;DOS header
0014464F 8BFE          MOV EDI,ESI
00144651 037F 3C       ADD EDI,DWORD PTR DS:[EDI+3C]             ;PE header
00144654 8BCF          MOV ECX,EDI
00144656 8B7F 34       MOV EDI,DWORD PTR DS:[EDI+34]             ;IMAGEBASE
00144659 8B49 54       MOV ECX,DWORD PTR DS:[ECX+54]             ;SizeOfHeaders
0014465C F3:A4          REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI];将头和节表复制到IMAGEBASE 一般为400000H
0014465E 8B0C24       MOV ECX,DWORD PTR SS:[ESP]                ;DOS header
00144661 0349 3C       ADD ECX,DWORD PTR DS:[ECX+3C]             ;PE header
00144664 8BD9          MOV EBX,ECX
00144666 8BD1          MOV EDX,ECX
00144668 8B0424       MOV EAX,DWORD PTR SS:[ESP]                ;DOS header
0014466B 8B5B 34       MOV EBX,DWORD PTR DS:[EBX+34]             ;IMAGEBASE
0014466E 66:8B49 06    MOV CX,WORD PTR DS:[ECX+6]                ;NumberOfSections
00144672 81C2 F8000000 ADD EDX,0F8                               定位到节表处

00144678 51             PUSH ECX
00144679 8B72 14       MOV ESI,DWORD PTR DS:[EDX+14]             PointerToRawData
0014467C 03F0          ADD ESI,EAX                               文件中节的偏移
0014467E 8B7A 0C       MOV EDI,DWORD PTR DS:[EDX+C]             VirtualAddress
00144681 03FB          ADD EDI,EBX                               IMAGEBASE+VirtualAddress= 节的VA
00144683 8B4A 10       MOV ECX,DWORD PTR DS:[EDX+10]             SizeOfRawData
00144686 F3:A4          REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] 依次复制节
00144688 83C2 28       ADD EDX,28
0014468B 59             POP ECX
0014468C 66:49          DEC CX
0014468E  ^ 75 E8          JNZ SHORT 00144678

00144690 8BFB          MOV EDI,EBX                               ;IMAGEBASE
00144692 037F 3C       ADD EDI,DWORD PTR DS:[EDI+3C]             ;PE header
00144695 8BBF 80000000 MOV EDI,DWORD PTR DS:[EDI+80]             ;IMAGE_DIRECTORY_ENTRY_IMPORT
0014469B 03FB          ADD EDI,EBX                               ;导入表的VA
0014469D 8B4F 0C       MOV ECX,DWORD PTR DS:[EDI+C]             ;IMAGE_IMPORT_DESCRIPTOR.Name1
001446A0 83F9 00       CMP ECX,0
001446A3 74 34          JE SHORT 001446D9
001446A5 03CB          ADD ECX,EBX                               得到Dll名
001446A7 51             PUSH ECX
001446A8 FF5424 18    CALL DWORD PTR SS:[ESP+18]                LoadLibraryA
001446AC 85C0          TEST EAX,EAX
001446AE 74 39          JE SHORT 001446E9
001446B0 8BE8          MOV EBP,EAX
001446B2 8B77 10       MOV ESI,DWORD PTR DS:[EDI+10]             IMAGE_IMPORT_DESCRIPTOR.FirstThunk
001446B5 03F3          ADD ESI,EBX                               ptr IMAGE_THUNK_DATA
001446B7 83C7 14       ADD EDI,14                               ptr next IMAGE_IMPORT_DESCRIPTOR
001446BA 8B06          MOV EAX,DWORD PTR DS:[ESI]                这里忽略了以符号名导出的情况
001446BC 03C3          ADD EAX,EBX                               ptr IMAGE_IMPORT_BY_NAME
001446BE 83C0 02       ADD EAX,2
001446C1 50             PUSH EAX
001446C2 55             PUSH EBP
001446C3 FF5424 20    CALL DWORD PTR SS:[ESP+20]                GetProAddress
001446C7 85C0          TEST EAX,EAX
001446C9 74 1E          JE SHORT 001446E9
001446CB 8906          MOV DWORD PTR DS:[ESI],EAX
001446CD 83C6 04       ADD ESI,4
001446D0 8B06          MOV EAX,DWORD PTR DS:[ESI]                esi ptr next IMAGE_THUNK_DATA
001446D2 83F8 00       CMP EAX,0
001446D5  ^ 74 C6          JE SHORT 0014469D
001446D7  ^ EB E1          JMP SHORT 001446BA

001446D9 8B0424       MOV EAX,DWORD PTR SS:[ESP]
001446DC 0340 3C       ADD EAX,DWORD PTR DS:[EAX+3C]
001446DF 8B40 28       MOV EAX,DWORD PTR DS:[EAX+28]
001446E2 03C3          ADD EAX,EBX
001446E4 83C4 28       ADD ESP,28
001446E7 FFE0          JMP EAX                                  Entrypoint

根据整个壳的分析脱壳只需要把第4节共1800H的字节解密出来就可以了

#include <stdio.h>
#include <stdlib.h>
#include <windows.h>

#define SIZE 0x1800
#define KEY 0x5a4d

BOOL decode(WORD* mem, DWORD key);
void main()
{
char cFileName[20];
HANDLE hFile, hNewFile;
HGLOBAL hGlobal;
DWORD dwRet;
DWORD dwLen;

hGlobal = GlobalAlloc(GPTR,SIZE);
printf("file name: ");
scanf("%s",cFileName);
hFile = CreateFile(cFileName, GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if (hFile == NULL)
{
printf("open error\n");
return;
}
dwRet = SetFilePointer(hFile,0xc70,NULL,FILE_BEGIN);
if (dwRet == -1)
{
printf("%d\n", GetLastError());
return;
}
ReadFile(hFile, hGlobal, SIZE, &dwLen, NULL);
//解密例程
decode((WORD*)hGlobal,KEY);
hNewFile = CreateFile("unpack.exe", GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
WriteFile(hNewFile, (PVOID)hGlobal, SIZE, &dwLen, NULL);
CloseHandle(hNewFile);
GlobalFree(hGlobal);
CloseHandle(hFile);
}

BOOL decode(WORD* mem, DWORD key)
{
int i;
key -= 0x3A;
for (i = 0;i < SIZE/2; i++)
{
*mem = *mem >> 8 | *mem << 8;
*mem ^= key;
key++;
mem++;
}
return TRUE;
}

buganxin · 发表于 2008-9-23 13:13:59

学习谢谢!

		自动登录	找回密码
密码			加入我们

[原创] 简单壳的脱壳

本帖子中包含更多资源