现在
Armadillo3.6
脱壳文章还没有所以昨晚小妹闲着没事便用Armadillo V3.60专业版加了记事本壳(XP)
想试试3.6壳有无区别的处脱下来总体感觉标准版壳和3.4差不多所以主要思路方法还是采用以前那些作者思路方法区别的处我加以介绍说明但COPYMEM2方式应该有了变化目前正在研究中 【调试环境】:WinXP、Ollydbg1.10b、PEiD、LordPE、ImportREC
声明
小妹用自己本本调试迅驰CPU1.4G各位
调试若有其它异常问题请指明
本本上调试偶尔会出现些莫名
【脱壳过程】:
首选用IsDebug 1.4插件去掉Ollydbg
调试器标志设置忽略所有异常选项 0103A000 > 60 PUSHAD
>进入OD后断在这! 今天我不用BP GetModuleHandleA
思路方法在我机上总是返回不到个有效地方所以这里小妹用BP VirtualProtect虽然按键次数多点但不失为种稳妥思路方法 在OD
命令行上键入BP VirtualProtect回车(注意大小写)没有任何反应就介绍说明正常 OK
现在我们先来找OEPF9下出现异常按两次shit+f9过去然后断下接下来就直按F9吧按了5次F9会出现个对话框告知在某个地址出错不知如何绕过这时点击对话框中确定按钮然后按sh
t+f9越过(其实这是个AM未注册
提示框在3.4中 5次下来也会出现异常但不会停止下来其实留意下堆栈可以看到基地址信息后面上要加密IAT了)再按f9共按了33次就运行了所以为了找到oep我们可以少按次也就是37次这样便不会运行我们就可以步步跟踪到oep了呵呵好重头再来次做法和前面样共按37次F9 取消断点
按ctrl+f9执行到返回如下: 00AD3462 5E POP ESI ; kernel32.VirtualProtect
00AD3463 5F POP EDI
00AD3464 5B POP EBX
00AD3465 C9 LEAVE
00AD3466 C3 RETN
可以按F8
步步过然后到如下: 00AD264D A1 6C5AAE00 MOV EAX,DWORD PTR DS:[AE5A6C]
00AD2652 8A80 82370000 MOV AL,BYTE PTR DS:[EAX+3782]
00AD2658 8885 E8D1FFFF MOV BYTE PTR SS:[EBP-2E18],AL
00AD265E 0FB685 E8D1FFFF MOVZX EAX,BYTE PTR SS:[EBP-2E18]
00AD2665 85C0 TEST EAX,EAX
00AD2667 74 6C JE SHORT 00AD26D5
00AD2669 8D85 3CD4FFFF LEA EAX,DWORD PTR SS:[EBP-2BC4]
00AD266F 50 PUSH EAX
00AD2670 6A 01 PUSH 1
00AD2672 FFB5 E0FEFFFF PUSH DWORD PTR SS:[EBP-120]
00AD2678 8B85 1CEBFFFF MOV EAX,DWORD PTR SS:[EBP-14E4]
00AD267E 0385 B8FDFFFF ADD EAX,DWORD PTR SS:[EBP-248]
00AD2684 50 PUSH EAX
00AD2685 FF15 3481AD00 CALL DWORD PTR DS:[AD8134] ; kernel32.VirtualProtect
00AD268B C785 40D4FFFF 9>MOV DWORD PTR SS:[EBP-2BC0],94
00AD2695 8D85 40D4FFFF LEA EAX,DWORD PTR SS:[EBP-2BC0]
00AD269B 50 PUSH EAX
00AD269C FF15 C080AD00 CALL DWORD PTR DS:[AD80C0] ; kernel32.GetVersionExA
00AD26A2 83BD 50D4FFFF 0>CMP DWORD PTR SS:[EBP-2BB0],2
00AD26A9 75 2A JNZ SHORT 00AD26D5
00AD26AB 8D85 3CD4FFFF LEA EAX,DWORD PTR SS:[EBP-2BC4]
00AD26B1 50 PUSH EAX
00AD26B2 8B85 3CD4FFFF MOV EAX,DWORD PTR SS:[EBP-2BC4]
00AD26B8 80CC 01 OR AH,1
00AD26BB 50 PUSH EAX
00AD26BC FFB5 E0FEFFFF PUSH DWORD PTR SS:[EBP-120]
00AD26C2 8B85 1CEBFFFF MOV EAX,DWORD PTR SS:[EBP-14E4]
00AD26C8 0385 B8FDFFFF ADD EAX,DWORD PTR SS:[EBP-248]
00AD26CE 50 PUSH EAX
00AD26CF FF15 3481AD00 CALL DWORD PTR DS:[AD8134] ; kernel32.VirtualProtect
00AD26D5 EB 03 JMP SHORT 00AD26DA
00AD26D7 D6 SALC
00AD26D8 D6 SALC
00AD26D9 8DA1 EC4FAE00 LEA ESP,DWORD PTR DS:[ECX+AE4FEC]
00AD26DF 8985 38D4FFFF MOV DWORD PTR SS:[EBP-2BC8],EAX
00AD26E5 83BD 38D4FFFF 0>CMP DWORD PTR SS:[EBP-2BC8],0
00AD26EC 74 36 JE SHORT 00AD2724
00AD26EE 8B85 38D4FFFF MOV EAX,DWORD PTR SS:[EBP-2BC8]
00AD26F4 8338 00 CMP DWORD PTR DS:[EAX],0
00AD26F7 74 2B JE SHORT 00AD2724
00AD26F9 8B85 38D4FFFF MOV EAX,DWORD PTR SS:[EBP-2BC8]
00AD26FF 8B00 MOV EAX,DWORD PTR DS:[EAX]
00AD2701 8B00 MOV EAX,DWORD PTR DS:[EAX]
00AD2703 2B05 5C5AAE00 SUB EAX,DWORD PTR DS:[AE5A5C]
00AD2709 8B8D 38D4FFFF MOV ECX,DWORD PTR SS:[EBP-2BC8]
00AD270F 8B09 MOV ECX,DWORD PTR DS:[ECX]
00AD2711 8901 MOV DWORD PTR DS:[ECX],EAX
00AD2713 8B85 38D4FFFF MOV EAX,DWORD PTR SS:[EBP-2BC8]
00AD2719 83C0 04 ADD EAX,4
00AD271C 8985 38D4FFFF MOV DWORD PTR SS:[EBP-2BC8],EAX
00AD2722 ^ EB CA JMP SHORT 00AD26EE
00AD2724 6A 01 PUSH 1
00AD2726 FF35 14DEAD00 PUSH DWORD PTR DS:[ADDE14]
00AD272C A1 8C55AE00 MOV EAX,DWORD PTR DS:[AE558C]
00AD2731 0305 14DCAD00 ADD EAX,DWORD PTR DS:[ADDC14]
00AD2737 50 PUSH EAX
00AD2738 FFB5 14EBFFFF PUSH DWORD PTR SS:[EBP-14EC]
00AD273E E8 69EDFDFF CALL 00AB14AC
00AD2743 83C4 10 ADD ESP,10
00AD2746 A1 EC4FAE00 MOV EAX,DWORD PTR DS:[AE4FEC]
00AD274B 8985 34D4FFFF MOV DWORD PTR SS:[EBP-2BCC],EAX
00AD2751 83BD 34D4FFFF 0>CMP DWORD PTR SS:[EBP-2BCC],0
00AD2758 74 36 JE SHORT 00AD2790
00AD275A 8B85 34D4FFFF MOV EAX,DWORD PTR SS:[EBP-2BCC]
00AD2760 8338 00 CMP DWORD PTR DS:[EAX],0
00AD2763 74 2B JE SHORT 00AD2790
00AD2765 8B85 34D4FFFF MOV EAX,DWORD PTR SS:[EBP-2BCC]
00AD276B 8B00 MOV EAX,DWORD PTR DS:[EAX]
00AD276D 8B00 MOV EAX,DWORD PTR DS:[EAX]
00AD276F 0305 5C5AAE00 ADD EAX,DWORD PTR DS:[AE5A5C]
00AD2775 8B8D 34D4FFFF MOV ECX,DWORD PTR SS:[EBP-2BCC]
00AD277B 8B09 MOV ECX,DWORD PTR DS:[ECX]
00AD277D 8901 MOV DWORD PTR DS:[ECX],EAX
00AD277F 8B85 34D4FFFF MOV EAX,DWORD PTR SS:[EBP-2BCC]
00AD2785 83C0 04 ADD EAX,4
00AD2788 8985 34D4FFFF MOV DWORD PTR SS:[EBP-2BCC],EAX
00AD278E ^ EB CA JMP SHORT 00AD275A
00AD2790 68 B851AE00 PUSH 0AE51B8
00AD2795 FF15 8882AD00 CALL DWORD PTR DS:[AD8288] ; ntdll.RtlLeaveCriticalSection
00AD279B C705 DCDBAD00 C>MOV DWORD PTR DS:[ADDBDC],0ADE4C4
00AD27A5 6A 01 PUSH 1
00AD27A7 58 POP EAX
00AD27A8 8B4D F0 MOV ECX,DWORD PTR SS:[EBP-10]
00AD27AB 64:890D 0000000>MOV DWORD PTR FS:[0],ECX
00AD27B2 5F POP EDI
00AD27B3 5E POP ESI
00AD27B4 5B POP EBX
00AD27B5 C9 LEAVE
00AD27B6 C3 RETN
这里也很简单
F8步步过来就可以了为了加快速度可以看到些jmp是往上跳只要将鼠标定位到jmp下面行F4直接过来就可以了接下来直F8到如下: 01011C73 33C0 XOR EAX,EAX
01011C75 75 18 JNZ SHORT NOTEPAD.01011C8F
01011C77 7A 0C JPE SHORT NOTEPAD.01011C85
01011C79 70 0E JO SHORT NOTEPAD.01011C89
01011C7B EB 0D JMP SHORT NOTEPAD.01011C8A
01011C7D E8 720E79F1 CALL F27A2AF4
01011C82 FF15 00790974 CALL DWORD PTR DS:[74097900]
01011C88 F0:EB 87 LOCK JMP SHORT NOTEPAD.01011C12 ; 锁定前缀是不允许
01011C8B DB7A F0 FSTP TBYTE PTR DS:[EDX-10]
01011C8E A0 33618B0D MOV AL,BYTE PTR DS:[D8B6133]
01011C93 64:A1 040151E8 MOV EAX,DWORD PTR FS:[E8510104]
01011C99 B3 E8 MOV BL,0E8
01011C9B FFFF ??? ; 未知命
令
看到这些命令不必紧张
仍然F8继续 直到如下要注意了: 01011D4D 8BC0 MOV EAX,EAX
01011D4F 6A 00 PUSH 0
01011D51 E8 6E000000 CALL NOTEPAD.01011DC4
01011D56 83C4 04 ADD ESP,4
01011D59 6A 00 PUSH 0
01011D5B E8 FBD40100 CALL NOTEPAD.0102F25B
01011D60 83C4 04 ADD ESP,4
01011D63 837D E4 01 CMP DWORD PTR SS:[EBP-1C],1
01011D67 75 11 JNZ SHORT NOTEPAD.01011D7A
01011D69 68 F0000501 PUSH NOTEPAD.010500F0
01011D6E FF15 14010501 CALL DWORD PTR DS:[1050114] F7进去
01011D74 83C4 04 ADD ESP,4
01011D77 8945 E4 MOV DWORD PTR SS:[EBP-1C],EAX
01011D7A 68 8C050101 PUSH NOTEPAD.0101058C
01011D7F E8 D7D40100 CALL NOTEPAD.0102F25B
01011D84 83C4 04 ADD ESP,4
01011D6E要进去
不然就飞了即使你机上地址和我不样也没关系看到类似上面结构注意下就可以OK进去 00AD44DC A1 9455AE00 MOV EAX,DWORD PTR DS:[AE5594]
00AD44E1 C605 3057AE00 0>MOV BYTE PTR DS:[AE5730],1
00AD44E8 C705 DCDBAD00 F>MOV DWORD PTR DS:[ADDBDC],0ADE6F0 ; ASCII "RA"
00AD44F2 53 PUSH EBX
00AD44F3 8B48 70 MOV ECX,DWORD PTR DS:[EAX+70]
00AD44F6 56 PUSH ESI
00AD44F7 3348 6C XOR ECX,DWORD PTR DS:[EAX+6C]
00AD44FA 57 PUSH EDI
00AD44FB 6A FE PUSH -2
00AD44FD 3348 58 XOR ECX,DWORD PTR DS:[EAX+58]
00AD4500 5B POP EBX
00AD4501 F6C1 40 TEST CL,40
00AD4504 75 08 JNZ SHORT 00AD450E
00AD4506 6A 01 PUSH 1
00AD4508 E8 8609FEFF CALL 00AB4E93
00AD450D 59 POP ECX
00AD450E 8B7424 10 MOV ESI,DWORD PTR SS:[ESP+10]
00AD4512 833E 02 CMP DWORD PTR DS:[ESI],2
00AD4515 75 40 JNZ SHORT 00AD4557
00AD4517 6A 00 PUSH 0
00AD4519 E8 E231FEFF CALL 00AB7700
00AD451E A1 9455AE00 MOV EAX,DWORD PTR DS:[AE5594]
00AD4523 59 POP ECX
00AD4524 8B48 40 MOV ECX,DWORD PTR DS:[EAX+40]
00AD4527 8B50 70 MOV EDX,DWORD PTR DS:[EAX+70]
00AD452A 3348 08 XOR ECX,DWORD PTR DS:[EAX+8]
00AD452D 33CA XOR ECX,EDX
00AD452F 74 14 JE SHORT 00AD4545
00AD4531 8B78 68 MOV EDI,DWORD PTR DS:[EAX+68]
00AD4534 3378 04 XOR EDI,DWORD PTR DS:[EAX+4]
00AD4537 8B46 18 MOV EAX,DWORD PTR DS:[ESI+18]
00AD453A 33FA XOR EDI,EDX
00AD453C 2BC7 SUB EAX,EDI
00AD453E 03C1 ADD EAX,ECX
00AD4540 8946 1C MOV DWORD PTR DS:[ESI+1C],EAX
00AD4543 EB 04 JMP SHORT 00AD4549
00AD4545 8366 1C 00 AND DWORD PTR DS:[ESI+1C],0
00AD4549 FF76 18 PUSH DWORD PTR DS:[ESI+18]
00AD454C E8 908FFEFF CALL 00ABD4E1
00AD4551 59 POP ECX
00AD4552 E9 AC000000 JMP 00AD4603
00AD4557 E8 7918FEFF CALL 00AB5DD5
00AD455C C705 DCDBAD00 E>MOV DWORD PTR DS:[ADDBDC],0ADE6EC ; ASCII "RB"
00AD4566 FF15 1481AD00 CALL DWORD PTR DS:[AD8114] ; kernel32.GetCurrentThreadId
00AD456C A3 AC56AE00 MOV DWORD PTR DS:[AE56AC],EAX
00AD4571 E8 1537FEFF CALL 00AB7C8B
00AD4576 6A 00 PUSH 0
00AD4578 E8 648FFEFF CALL 00ABD4E1
00AD457D 6A 00 PUSH 0
00AD457F C705 DCDBAD00 E>MOV DWORD PTR DS:[ADDBDC],0ADE6E8 ; ASCII "RC"
00AD4589 E8 7231FEFF CALL 00AB7700
00AD458E 59 POP ECX
00AD458F 59 POP ECX
00AD4590 E8 4A11FFFF CALL 00AC56DF
00AD4595 8BF8 MOV EDI,EAX
00AD4597 A1 9455AE00 MOV EAX,DWORD PTR DS:[AE5594]
00AD459C 8B48 70 MOV ECX,DWORD PTR DS:[EAX+70]
00AD459F 3348 40 XOR ECX,DWORD PTR DS:[EAX+40]
00AD45A2 3348 08 XOR ECX,DWORD PTR DS:[EAX+8]
00AD45A5 03F9 ADD EDI,ECX
00AD45A7 8B0E MOV ECX,DWORD PTR DS:[ESI]
00AD45A9 85C9 TEST ECX,ECX
00AD45AB 75 2F JNZ SHORT 00AD45DC
00AD45AD 8B78 70 MOV EDI,DWORD PTR DS:[EAX+70]
00AD45B0 E8 2A11FFFF CALL 00AC56DF
00AD45B5 8B0D 9455AE00 MOV ECX,DWORD PTR DS:[AE5594] ; NOTEPAD.0104A260
00AD45BB FF76 14 PUSH DWORD PTR DS:[ESI+14]
00AD45BE 8B51 40 MOV EDX,DWORD PTR DS:[ECX+40]
00AD45C1 FF76 10 PUSH DWORD PTR DS:[ESI+10]
00AD45C4 3351 08 XOR EDX,DWORD PTR DS:[ECX+8]
00AD45C7 FF76 0C PUSH DWORD PTR DS:[ESI+C]
00AD45CA 33D7 XOR EDX,EDI
00AD45CC 03C2 ADD EAX,EDX
00AD45CE 8B51 68 MOV EDX,DWORD PTR DS:[ECX+68]
00AD45D1 3351 04 XOR EDX,DWORD PTR DS:[ECX+4]
00AD45D4 33D7 XOR EDX,EDI
00AD45D6 2BC2 SUB EAX,EDX
00AD45D8 FFD0 CALL EAX
00AD45DA EB 25 JMP SHORT 00AD4601
篇文章: 推荐:SSClone非ARP会话劫持原理分析篇文章: CGI Hack和Webshell研究资料整理
最新评论