Unpacking technique: unpacking a program packed with ExeStealth V2.73

2010-1-30 18:18 | Posted by: admin | Views: 90 | Comments: 0 | Original author: 柳梦璃


Monday, 23 June 2008, 02:41 PM
Unpacking target: the Windows 2000 Notepad, packed with ExeStealth V2.73

Packer options used: CRC protect, APIRedirection, EraseImportrInformation, AntiProzess Dumping, Anti-SmartCheck, Anti-SoftIce, Anti-Idag

Platform: win2000pro





First set OllyDbg to ignore all exceptions (the stub raises its own, see the INT3 at 01010188 below), then use the IsDebug 1.4 plugin to clear OllyDbg's debugger flag. After loading, OllyDbg asks "The code is compressed. Do you want to continue analysis?"; click "No".





01010060 > /EB 00 JMP SHORT NOTEPAD.01010062====>OllyDbg stops here after loading. Step with F8.
01010062 \EB 2F JMP SHORT NOTEPAD.01010093====>Jump taken! (The bytes skipped over are the ASCII text "Shareware - ExeStea...", not code, which is why the lines below disassemble as nonsense.)
01010064 53 PUSH EBX
01010065 68 61726577 PUSH 77657261
0101006A 61 POPAD
0101006B 72 65 JB SHORT NOTEPAD.010100D2
0101006D 202D 20457865 AND BYTE PTR DS:[65784520],CH
01010073 53 PUSH EBX
01010074 74 65 JE SHORT NOTEPAD.010100DB
01010076 61 POPAD





The jump lands here:



01010093 60 PUSHAD====>Step with F8.
01010094 90 NOP
01010095 E8 00000000 CALL NOTEPAD.0101009A
0101009A 5D POP EBP
0101009B 81ED F0274000 SUB EBP,4027F0====>CALL/POP delta trick: EBP now holds the stub's relocation delta, used in every [EBP+40xxxx] reference below.
010100A1 B9 15000000 MOV ECX,15
010100A6 83C1 05 ADD ECX,5
010100A9 EB 05 JMP SHORT NOTEPAD.010100B0
010100AB - EB FE JMP SHORT NOTEPAD.010100AB
010100AD 83C7 56 ADD EDI,56
010100B0 EB 00 JMP SHORT NOTEPAD.010100B2
010100B2 83E9 02 SUB ECX,2
010100B5 81C1 78432765 ADD ECX,65274378
010100BB EB 00 JMP SHORT NOTEPAD.010100BD
010100BD 81C1 10259400 ADD ECX,942510
010100C3 81E9 63850000 SUB ECX,8563
010100C9 B9 770C0000 MOV ECX,0C77====>The arithmetic above is junk; ECX is overwritten here with the real loop count.
010100CE 90 NOP
010100CF 8DBD 61284000 LEA EDI,DWORD PTR SS:[EBP+402861]
010100D5 8BF7 MOV ESI,EDI
010100D7 AC LODS BYTE PTR DS:[ESI]====>Start of the in-place decryption loop over the next 0C77 bytes.



Some code omitted here.



01010105 F9 STC
01010106 34 2B XOR AL,2B
01010108 AA STOS BYTE PTR ES:[EDI]
01010109 ^ E2 CC LOOPD SHORT NOTEPAD.010100D7====>When F8 reaches this line, the code below it (still shown encrypted here) has turned into the listing that follows.
0101010B F4 HLT
0101010C E1 41 LOOPDE SHORT NOTEPAD.0101014F
0101010E 4D DEC EBP
0101010F 2C 6D SUB AL,6D
01010111 AB STOS DWORD PTR ES:[EDI]
01010112 2C 25 SUB AL,25
01010114 AB STOS DWORD PTR ES:[EDI]
01010115 3C 7D CMP AL,7D



It becomes the following:



01010109 ^\E2 CC LOOPD SHORT NOTEPAD.010100D7
0101010B 8BE1 MOV ESP,ECX====>Press F4 to run to here; the code changes again (a second decryption layer), into the listing that follows.
0101010D 41 INC ECX
0101010E 4D DEC EBP
0101010F 2C 6D SUB AL,6D
01010111 AB STOS DWORD PTR ES:[EDI]
01010112 2C 25 SUB AL,25
01010114 AB STOS DWORD PTR ES:[EDI]
01010115 3C 7D CMP AL,7D
01010117 AB STOS DWORD PTR ES:[EDI]
01010118 3C 55 CMP AL,55
0101011A 9B WAIT
0101011B FD STD
0101011C E5 BE IN EAX,0BE
0101011E 60 PUSHAD
0101011F 56 PUSH ESI
01010120 07 POP ES





The code after the change:



0101010B 8B4424 20 MOV EAX,DWORD PTR SS:[ESP+20] ====>The program stops here; continue with F8.
0101010F 83C0 0E ADD EAX,0E====>The ADD 0E / SUB 0E pairs cancel out; only the INC EAX below matters.
01010112 83E8 0E SUB EAX,0E
01010115 83C0 0E ADD EAX,0E
01010118 83E8 0E SUB EAX,0E
0101011B 40 INC EAX
0101011C 78 1D JS SHORT NOTEPAD.0101013B
0101011E C785 CA2F4000 0>MOV DWORD PTR SS:[EBP+402FCA],1
01010128 EB 11 JMP SHORT NOTEPAD.0101013B
0101012A 8B4424 20 MOV EAX,DWORD PTR SS:[ESP+20]
0101012E 83C0 0E ADD EAX,0E
01010131 83E8 0E SUB EAX,0E
01010134 83C0 0E ADD EAX,0E
01010137 83E8 0E SUB EAX,0E
0101013A 40 INC EAX
0101013B 8D85 B6274000 LEA EAX,DWORD PTR SS:[EBP+4027B6]
01010141 B9 B3060000 MOV ECX,6B3
01010146 E8 41020000 CALL NOTEPAD.0101038C====>Called with (EAX=buffer, ECX=length); the same routine is run over the file read from disk at 01010377, presumably the checksum behind the CRC protect option.
0101014B 8985 C62F4000 MOV DWORD PTR SS:[EBP+402FC6],EAX



We arrive here:



01010188 CC INT3====>Deliberate INT3; this is why OllyDbg was set to ignore exceptions, so it reaches the stub's own handler.
01010189 8BEF MOV EBP,EDI
0101018B 33DB XOR EBX,EBX
0101018D 64:8F03 POP DWORD PTR FS:[EBX]====>EBX=0, so this unlinks the SEH frame at FS:[0].
01010190 83C4 04 ADD ESP,4
01010193 3C 04 CMP AL,4
01010195 74 05 JE SHORT NOTEPAD.0101019C====>Jump taken!
01010197 EB 01 JMP SHORT NOTEPAD.0101019A
01010199 - E9 61C38B85 JMP 868CC4FF
0101019E B6 2F MOV DH,2F
010101A0 40 INC EAX
010101A1 0003 ADD BYTE PTR DS:[EBX],AL
010101A3 40 INC EAX



The jump lands here:



0101019C 8B85 B62F4000 MOV EAX,DWORD PTR SS:[EBP+402FB6]====>Jump lands here; continue with F8. [EBP+402FB6] holds the image base.
010101A2 0340 3C ADD EAX,DWORD PTR DS:[EAX+3C]====>e_lfanew: EAX now points at the PE signature.
010101A5 05 80000000 ADD EAX,80====>PE+80 is DataDirectory[1], the import directory (PE32 layout).
010101AA 8B08 MOV ECX,DWORD PTR DS:[EAX]
010101AC 038D B62F4000 ADD ECX,DWORD PTR SS:[EBP+402FB6]
010101B2 83C1 10 ADD ECX,10====>FirstThunk of the first IMAGE_IMPORT_DESCRIPTOR.
010101B5 8B01 MOV EAX,DWORD PTR DS:[ECX]
010101B7 0385 B62F4000 ADD EAX,DWORD PTR SS:[EBP+402FB6]
010101BD 8B18 MOV EBX,DWORD PTR DS:[EAX]====>The first two IAT entries are copied into the stub's own pointer table.
010101BF 899D 12344000 MOV DWORD PTR SS:[EBP+403412],EBX
010101C5 83C0 04 ADD EAX,4
010101C8 8B18 MOV EBX,DWORD PTR DS:[EAX]
010101CA 899D 16344000 MOV DWORD PTR SS:[EBP+403416],EBX
010101D0 8D85 1A344000 LEA EAX,DWORD PTR SS:[EBP+40341A]
010101D6 50 PUSH EAX
010101D7 FF95 12344000 CALL DWORD PTR SS:[EBP+403412]====>The first imported API is called with the string at [EBP+40341A]; the result is kept in ESI and saved.
010101DD 8BF0 MOV ESI,EAX
010101DF 8985 27344000 MOV DWORD PTR SS:[EBP+403427],EAX
010101E5 8D85 2B344000 LEA EAX,DWORD PTR SS:[EBP+40342B]
010101EB E8 96000000 CALL NOTEPAD.01010286====>Evidently resolves one API per call (name at EAX) and the result is stored; repeated nine times below.
010101F0 8985 3C344000 MOV DWORD PTR SS:[EBP+40343C],EAX
010101F6 8D85 40344000 LEA EAX,DWORD PTR SS:[EBP+403440]
010101FC E8 85000000 CALL NOTEPAD.01010286
01010201 8985 4F344000 MOV DWORD PTR SS:[EBP+40344F],EAX
01010207 8D85 53344000 LEA EAX,DWORD PTR SS:[EBP+403453]
0101020D E8 74000000 CALL NOTEPAD.01010286
01010212 8985 66344000 MOV DWORD PTR SS:[EBP+403466],EAX
01010218 8D85 6A344000 LEA EAX,DWORD PTR SS:[EBP+40346A]
0101021E E8 63000000 CALL NOTEPAD.01010286
01010223 8985 76344000 MOV DWORD PTR SS:[EBP+403476],EAX
01010229 8D85 7A344000 LEA EAX,DWORD PTR SS:[EBP+40347A]
0101022F E8 52000000 CALL NOTEPAD.01010286
01010234 8985 86344000 MOV DWORD PTR SS:[EBP+403486],EAX
0101023A 8D85 8A344000 LEA EAX,DWORD PTR SS:[EBP+40348A]
01010240 E8 41000000 CALL NOTEPAD.01010286
01010245 8985 95344000 MOV DWORD PTR SS:[EBP+403495],EAX
0101024B 8D85 99344000 LEA EAX,DWORD PTR SS:[EBP+403499]
01010251 E8 30000000 CALL NOTEPAD.01010286
01010256 8985 A2344000 MOV DWORD PTR SS:[EBP+4034A2],EAX
0101025C 8D85 A6344000 LEA EAX,DWORD PTR SS:[EBP+4034A6]
01010262 E8 1F000000 CALL NOTEPAD.01010286
01010267 8985 B2344000 MOV DWORD PTR SS:[EBP+4034B2],EAX
0101026D 8D85 B6344000 LEA EAX,DWORD PTR SS:[EBP+4034B6]
01010273 E8 0E000000 CALL NOTEPAD.01010286
01010278 8985 C2344000 MOV DWORD PTR SS:[EBP+4034C2],EAX
0101027E 8D85 E5294000 LEA EAX,DWORD PTR SS:[EBP+4029E5]
01010284 50 PUSH EAX
01010285 C3 RETN====>Returns to 0101028F (PUSH/RETN used as a jump).
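The header walk at 0101019C..010101CA, replayed in Python as an added example (this is not code from the write-up or from ExeStealth). It reads e_lfanew, the import directory entry at PE+80, the first descriptor's FirstThunk and the first two IAT slots, exactly as the stub does; the in-memory image and the two IAT values are constructed placeholders, and the signature check is an addition the stub itself does not make.

```python
# Added example (not from the original write-up): replay of the stub's
# PE header walk at 0101019C..010101CA on a constructed in-memory image.
#   EAX = base; EAX += [EAX+3C]     -> e_lfanew, i.e. the PE signature
#   EAX += 80; ECX = [EAX]          -> DataDirectory[1].VirtualAddress (imports)
#   ECX += base + 10; EAX = [ECX]   -> FirstThunk of the first import descriptor
#   EBX = [base+EAX], [base+EAX+4]  -> the first two IAT entries
import struct

PE_SIG_OFF = 0x3C        # IMAGE_DOS_HEADER.e_lfanew
IMPORT_DIR_OFF = 0x80    # PE32: sig(4) + FileHeader(20) + DataDirectory at 0x60, entry[1]
FIRST_THUNK_OFF = 0x10   # IMAGE_IMPORT_DESCRIPTOR.FirstThunk


def read32(img: bytes, off: int) -> int:
    """Little-endian DWORD read, the equivalent of MOV reg,DWORD PTR [addr]."""
    return struct.unpack_from("<I", img, off)[0]


def walk_first_iat_entries(img: bytes) -> tuple:
    """Return the first two IAT entries of the first import descriptor.
    The buffer is indexed by RVA; in the debugger every offset below is
    added to the image base kept in [EBP+402FB6]."""
    pe_off = read32(img, PE_SIG_OFF)                                   # ADD EAX,[EAX+3C]
    if img[pe_off:pe_off + 4] != b"PE\0\0":                            # added sanity check
        raise ValueError("no PE signature at e_lfanew")
    import_dir_rva = read32(img, pe_off + IMPORT_DIR_OFF)              # ADD EAX,80 ; MOV ECX,[EAX]
    first_thunk_rva = read32(img, import_dir_rva + FIRST_THUNK_OFF)    # ADD ECX,10 ; MOV EAX,[ECX]
    first = read32(img, first_thunk_rva)                               # MOV EBX,[EAX]   -> [EBP+403412]
    second = read32(img, first_thunk_rva + 4)                          # MOV EBX,[EAX+4] -> [EBP+403416]
    return first, second


def build_sample_image() -> bytes:
    """Constructed minimal PE32 layout holding only the fields the walk touches."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, PE_SIG_OFF, 0x80)                      # e_lfanew = 0x80
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<I", img, 0x80 + IMPORT_DIR_OFF, 0x200)          # import directory at RVA 0x200
    struct.pack_into("<I", img, 0x200 + FIRST_THUNK_OFF, 0x300)        # FirstThunk at RVA 0x300
    # two placeholder IAT entries (constructed values, not real API addresses)
    struct.pack_into("<II", img, 0x300, 0xAAAA0001, 0xAAAA0002)
    return bytes(img)


if __name__ == "__main__":
    first, second = walk_first_iat_entries(build_sample_image())
    print(f"IAT[0]={first:08X}  IAT[1]={second:08X}")
```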



0101028F F785 BE2F4000 1>TEST DWORD PTR SS:[EBP+402FBE],10 ====>Returns here; continue with F8. [EBP+402FBE] holds the packer option bits.
01010299 74 37 JE SHORT NOTEPAD.010102D2
0101029B 64:FF35 3000000>PUSH DWORD PTR FS:[30]====>FS:[30] is the PEB.
010102A2 58 POP EAX
010102A3 85C0 TEST EAX,EAX
010102A5 78 0F JS SHORT NOTEPAD.010102B6
010102A7 8B40 0C MOV EAX,DWORD PTR DS:[EAX+C]====>PEB.Ldr
010102AA 8B40 0C MOV EAX,DWORD PTR DS:[EAX+C]====>Ldr.InLoadOrderModuleList.Flink, the main module's LDR_DATA_TABLE_ENTRY
010102AD C740 20 0010000>MOV DWORD PTR DS:[EAX+20],1000====>SizeOfImage := 1000. This is the AntiProzess Dumping option: a dumper that trusts the PEB copies only one page, so a dump has to take the size from the section table instead.
010102B4 EB 1C JMP SHORT NOTEPAD.010102D2
010102B6 6A 00 PUSH 0
010102B8 FF95 3C344000 CALL DWORD PTR SS:[EBP+40343C]====>Alternative path, taken when FS:[30] is negative (non-NT systems).
010102BE 85D2 TEST EDX,EDX
010102C0 79 10 JNS SHORT NOTEPAD.010102D2
010102C2 837A 08 FF CMP DWORD PTR DS:[EDX+8],-1
010102C6 75 0A JNZ SHORT NOTEPAD.010102D2
010102C8 8B52 04 MOV EDX,DWORD PTR DS:[EDX+4]
010102CB C742 50 0010000>MOV DWORD PTR DS:[EDX+50],1000
010102D2 8BBD B62F4000 MOV EDI,DWORD PTR SS:[EBP+402FB6]
010102D8 037F 3C ADD EDI,DWORD PTR DS:[EDI+3C]====>EDI = PE header
010102DB 8BB5 B62F4000 MOV ESI,DWORD PTR SS:[EBP+402FB6]
010102E1 8B4F 54 MOV ECX,DWORD PTR DS:[EDI+54]====>SizeOfHeaders
010102E4 8D85 F4344000 LEA EAX,DWORD PTR SS:[EBP+4034F4]
010102EA 50 PUSH EAX
010102EB 6A 04 PUSH 4
010102ED 51 PUSH ECX
010102EE FFB5 B62F4000 PUSH DWORD PTR SS:[EBP+402FB6]
010102F4 FF95 4F344000 CALL DWORD PTR SS:[EBP+40344F]====>Argument pattern of VirtualProtect(base, SizeOfHeaders, PAGE_READWRITE, &old): the headers are made writable.
010102FA F785 BE2F4000 0>TEST DWORD PTR SS:[EBP+402FBE],8====>Option bit 8: when set, the block below opens the program's own file on disk and checksums it (CRC protect).
01010304 0F84 A7000000 JE NOTEPAD.010103B1
0101030A 68 04010000 PUSH 104
0101030F 8DBD F4344000 LEA EDI,DWORD PTR SS:[EBP+4034F4]
01010315 57 PUSH EDI
01010316 6A 00 PUSH 0
01010318 FF95 66344000 CALL DWORD PTR SS:[EBP+403466]====>GetModuleFileNameA(0, buf, 104) pattern: the path of the running EXE.
0101031E 6A 00 PUSH 0
01010320 68 80000000 PUSH 80
01010325 6A 03 PUSH 3
01010327 6A 00 PUSH 0
01010329 6A 01 PUSH 1
0101032B 68 00000080 PUSH 80000000
01010330 57 PUSH EDI
01010331 FF95 76344000 CALL DWORD PTR SS:[EBP+403476]====>CreateFileA pattern (GENERIC_READ, FILE_SHARE_READ, OPEN_EXISTING); -1 below is INVALID_HANDLE_VALUE.
01010337 83F8 FF CMP EAX,-1
0101033A 75 04 JNZ SHORT NOTEPAD.01010340
0101033C 33C0 XOR EAX,EAX
0101033E EB 71 JMP SHORT NOTEPAD.010103B1
01010340 8BF8 MOV EDI,EAX
01010342 6A 00 PUSH 0
01010344 57 PUSH EDI
01010345 FF95 B2344000 CALL DWORD PTR SS:[EBP+4034B2]====>GetFileSize(h, 0) pattern; 5 is subtracted from the size.
0101034B 83E8 05 SUB EAX,5
0101034E 96 XCHG EAX,ESI
0101034F 56 PUSH ESI
01010350 6A 40 PUSH 40
01010352 FF95 86344000 CALL DWORD PTR SS:[EBP+403486]====>GlobalAlloc(40, size) pattern: a buffer for the file contents.
01010358 0BC0 OR EAX,EAX
0101035A 75 02 JNZ SHORT NOTEPAD.0101035E
0101035C EB 4A JMP SHORT NOTEPAD.010103A8
0101035E 93 XCHG EAX,EBX
0101035F 6A 00 PUSH 0
01010361 8D85 F4344000 LEA EAX,DWORD PTR SS:[EBP+4034F4]
01010367 50 PUSH EAX
01010368 56 PUSH ESI
01010369 53 PUSH EBX
0101036A 57 PUSH EDI
0101036B FF95 A2344000 CALL DWORD PTR SS:[EBP+4034A2]====>ReadFile(h, buf, size, &read, 0) pattern.
01010371 8BC3 MOV EAX,EBX
01010373 8BCE MOV ECX,ESI
01010375 53 PUSH EBX
01010376 57 PUSH EDI
01010377 E8 10000000 CALL NOTEPAD.0101038C====>Checksum over (EAX=buffer, ECX=size); same routine as at 01010146.
0101037C 8985 C22F4000 MOV DWORD PTR SS:[EBP+402FC2],EAX
01010382 5F POP EDI
01010383 5B POP EBX
01010384 8D85 F62A4000 LEA EAX,DWORD PTR SS:[EBP+402AF6]
0101038A 50 PUSH EAX
0101038B C3 RETN====>Returns to 010103A0.





010103A0 53 PUSH EBX ====>Returns here; continue with F8.
010103A1 FF95 95344000 CALL DWORD PTR SS:[EBP+403495]====>frees the file buffer
010103A7 96 XCHG EAX,ESI
010103A8 50 PUSH EAX
010103A9 57 PUSH EDI
010103AA FF95 C2344000 CALL DWORD PTR SS:[EBP+4034C2]====>closes the file handle
010103B0 58 POP EAX
010103B1 8B85 B62F4000 MOV EAX,DWORD PTR SS:[EBP+402FB6]
010103B7 BB 01000000 MOV EBX,1
010103BC E8 08000000 CALL NOTEPAD.010103C9
010103C1 8D85 F52B4000 LEA EAX,DWORD PTR SS:[EBP+402BF5]
010103C7 50 PUSH EAX
010103C8 C3 RETN====>Returns to 0101049F.



Returns here:



0101049F 8B9D B62F4000 MOV EBX,DWORD PTR SS:[EBP+402FB6] ====>Continue with F8. Be careful now, the entry point is close. EBX = image base.
010104A5 039D BA2F4000 ADD EBX,DWORD PTR SS:[EBP+402FBA]====>plus the stored, rotated OEP constant
010104AB C1CB 07 ROR EBX,7====>When you step to here, look at EBX: it holds 1006420, which is the OEP.
010104AE 895C24 10 MOV DWORD PTR SS:[ESP+10],EBX====>[ESP+10] is the EBX slot of the PUSHAD frame, [ESP+1C] the EAX slot.
010104B2 8D9D EB2E4000 LEA EBX,DWORD PTR SS:[EBP+402EEB]
010104B8 895C24 1C MOV DWORD PTR SS:[ESP+1C],EBX
010104BC 8BBD B62F4000 MOV EDI,DWORD PTR SS:[EBP+402FB6]
010104C2 037F 3C ADD EDI,DWORD PTR DS:[EDI+3C]
010104C5 8B9F C0000000 MOV EBX,DWORD PTR DS:[EDI+C0]====>PE+C0 is DataDirectory[9], the TLS directory RVA.
010104CB 83FB 00 CMP EBX,0





Now press Ctrl+G, enter 1006420 and click OK to arrive at:





01006420 55 PUSH EBP====>Right-click here, choose a memory-access breakpoint, then press F9 to run; when the program breaks here, dump it. The PUSH EBP / MOV EBP,ESP / PUSH -1 / FS:[0] sequence is the standard MSVC entry prologue, a good sign that this is the real OEP.
01006421 8BEC MOV EBP,ESP
01006423 6A FF PUSH -1
01006425 68 88180001 PUSH NOTEPAD.01001888
0100642A 68 D0650001 PUSH NOTEPAD.010065D0
0100642F 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
01006435 50 PUSH EAX
01006436 64:8925 0000000>MOV DWORD PTR FS:[0],ESP
0100643D 83C4 98 ADD ESP,-68
01006440 53 PUSH EBX
01006441 56 PUSH ESI
01006442 57 PUSH EDI
01006443 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP
01006446 C745 FC 0000000>MOV DWORD PTR SS:[EBP-4],0





Run ImportREC and select this process. Set OEP to 0006420 (the RVA: 1006420 minus the image base 1000000), click "IAT AutoSearch", then "Get Imports", repair all invalid entries with trace Level1, then "Fix Dump". The dumped file runs normally!



To slim it down, you can use LordPE to delete the ExeS section and then rebuild the PE. Size: 52.9k -> 48.6K.
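The OEP derivation at 010104A5/010104AB and the ImportREC RVA from the step above, as an added Python example (not from the original write-up). The image base 01000000 and the OEP 01006420 come from the listing; the constant at [EBP+402FBA] is not shown on the page, so it is reconstructed here by inverting the rotation, which is an assumption about the stored value, not something read from the binary.

```python
# Added example (not from the original write-up): reproduce the stub's OEP
# computation, MOV EBX,[EBP+402FB6] ; ADD EBX,[EBP+402FBA] ; ROR EBX,7,
# and derive the value ImportREC needs in its OEP field.
# Image base 0x01000000 and OEP 0x01006420 are taken from the listing; the
# stored delta at [EBP+402FBA] is reconstructed by inverting ROR (assumption).

MASK32 = 0xFFFFFFFF


def ror32(value: int, count: int) -> int:
    """32-bit rotate right, as the x86 ROR instruction does it."""
    count &= 31
    value &= MASK32
    return ((value >> count) | (value << (32 - count))) & MASK32


def rol32(value: int, count: int) -> int:
    """32-bit rotate left, the inverse of ror32 for the same count."""
    return ror32(value, (32 - (count & 31)) & 31)


def stub_oep(image_base: int, stored_delta: int) -> int:
    """What the stub does at 010104A5..010104AB: EBX = ROR(base + delta, 7)."""
    return ror32((image_base + stored_delta) & MASK32, 7)


def delta_for_oep(image_base: int, oep: int) -> int:
    """Inverse of stub_oep: the constant the packer must have stored (assumed)."""
    return (rol32(oep, 7) - image_base) & MASK32


def oep_rva(oep: int, image_base: int) -> int:
    """ImportREC takes the OEP as an RVA, i.e. the VA minus the image base."""
    return (oep - image_base) & MASK32


NOTEPAD_BASE = 0x01000000   # from the NOTEPAD.0100xxxx addresses in the listing
OEP_FROM_PAGE = 0x01006420  # EBX after ROR EBX,7, as observed in the write-up

if __name__ == "__main__":
    delta = delta_for_oep(NOTEPAD_BASE, OEP_FROM_PAGE)
    print(f"reconstructed [EBP+402FBA] : {delta:08X}")
    print(f"EBX after ROR EBX,7        : {stub_oep(NOTEPAD_BASE, delta):08X}")
    print(f"ImportREC OEP (RVA)        : {oep_rva(OEP_FROM_PAGE, NOTEPAD_BASE):08X}")
```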





Thanks to brother fly for the guidance. Without fly's article "Common ExeStealth unpacking methods: unpacking the ExeStealth V2.72 main program", this poor write-up would not exist.

