Unpacking techniques | On unpacking Armadillo 3.** | Armadillo
Monday, 2008-06-23, 16:13

Main program download:
  Full version (15M): http://www.hippo.ru/~sorgelig/files/MyTheatre.v3.12.exe
  Lite version (6M):  http://www.hippo.ru/~sorgelig/files/MyTheatre.v3.12.lite.exe

Tools used: Windows 2000, OllyDbg 1.10a, ImportREC 1.6, PEiD 0.92, LordPE.

The steps I took:

1. Checking the main program MyTheatre.exe with PEiD 0.92 gives: Armadillo 1.xx - 2.xx -> Silicon Realms Toolworks [Overlay]

2. Load it in OllyDbg, set BP OpenMutexA, and turn on the hide-debugger patch.

3. After the break, change the bytes at 401000 to: 609C68DCFB120033C05050E8E694A6779D61E98F9FA777, i.e.:

  00401000    60              PUSHAD
  00401001    9C              PUSHFD
  00401002    68 DCFB1200     PUSH 12FBDC                  ; ASCII "480::DAEE2CA7C8"
  00401007    33C0            XOR EAX,EAX
  00401009    50              PUSH EAX
  0040100A    50              PUSH EAX
  0040100B    E8 E694A677     CALL KERNEL32.CreateMutexA
  00401010    9D              POPFD
  00401011    61              POPAD
  00401012  - E9 8F9FA777     JMP KERNEL32.OpenMutexA

4. Set BP GetModuleHandleA. The calls passed through:

  0012EFCC   78001E96  /CALL to GetModuleHandleA from MSVCRT.78001E90
  0012EFD0   780322D4  \pModule = "KERNEL32"
  0012F054   77A03F02  /CALL to GetModuleHandleA from OLEAUT32.77A03EFC
  0012F058   779A0630  \pModule = "kernel32.dll"
  0012F048   77A072DB  /CALL to GetModuleHandleA from OLEAUT32.77A072D5
  0012F04C   779A0994  \pModule = "KERNEL32"
  0012EF80   779A83DB  /CALL to GetModuleHandleA from OLEAUT32.779A83D5
  0012EF84   77A1ADA8  \pModule = "KERNEL32.DLL"
  0012EF80   779A83DB  /CALL to GetModuleHandleA from OLEAUT32.779A83D5
  0012EF84   77A1ADA8  \pModule = "KERNEL32.DLL"
  0012F540   008C3248  /CALL to GetModuleHandleA from MyTheatr.008C3242
  0012F544   00000000  \pModule = NULL

  Return to:

  008C3240  |> \6A 00                  PUSH 0                                        ; /pModule = NULL
  008C3242  |.  FF15 84F18F00          CALL DWORD PTR DS:[<&KERNEL32.GetModuleHandleA>] ; \GetModuleHandleA
  008C3248  |.  8945 A4                MOV DWORD PTR SS:[EBP-5C],EAX                 ; MyTheatr.00400000
  008C324B  |>  8B55 A4                MOV EDX,DWORD PTR SS:[EBP-5C]
  008C324E  |.  8955 E4                MOV DWORD PTR SS:[EBP-1C],EDX
  008C3251  |.  A1 5CF28F00            MOV EAX,DWORD PTR DS:[8FF25C]
  008C3256  |.  8945 E8                MOV DWORD PTR SS:[EBP-18],EAX
  008C3259  |.  C745 EC FFFFFFFF       MOV DWORD PTR SS:[EBP-14],-1
  008C3260  |.  8D4D C4                LEA ECX,DWORD PTR SS:[EBP-3C]
  008C3263  |.  51                     PUSH ECX
  008C3264  |.  FF55 F0                CALL DWORD PTR SS:[EBP-10]
  008C3267  |.  83C4 04                ADD ESP,4
  008C326A  |.  8945 FC                MOV DWORD PTR SS:[EBP-4],EAX
  008C326D  |.  837D EC FF             CMP DWORD PTR SS:[EBP-14],-1
  008C3271  |.  74 0B                  JE SHORT MyTheatr.008C327E
  008C3273  |.  8B55 EC                MOV EDX,DWORD PTR SS:[EBP-14]
  008C3276  |.  8915 58549000          MOV DWORD PTR DS:[905458],EDX
  008C327C  |.  EB 10                  JMP SHORT MyTheatr.008C328E
  008C327E  |>  837D FC 01             CMP DWORD PTR SS:[EBP-4],1
  008C3282  |.  74 0A                  JE SHORT MyTheatr.008C328E
  008C3284  |.  C705 58549000 01000000 MOV DWORD PTR DS:[905458],1
  008C328E  |>  837D B0 00             CMP DWORD PTR SS:[EBP-50],0
  008C3292      74 0A                  JE SHORT MyTheatr.008C329E
  008C3294  |.  8B45 B0                MOV EAX,DWORD PTR SS:[EBP-50]
  008C3297  |.  50                     PUSH EAX                                      ; /hWnd
  008C3298  |.  FF15 0CF28F00          CALL DWORD PTR DS:[<&USER32.DestroyWindow>]   ; \DestroyWindow
  008C329E  |>  8B45 FC                MOV EAX,DWORD PTR SS:[EBP-4]
  008C32A1  |>  8BE5                   MOV ESP,EBP
  008C32A3  |.  5D                     POP EBP
  008C32A4  \.  C3                     RETN

  The ★Magic Jump★ was not found here.

5. Press Alt+M, set a breakpoint on 401000, then F9 to reach the entry point:

  00568CE4    55                 PUSH EBP
  00568CE5    8BEC               MOV EBP,ESP
  00568CE7    B9 0C000000        MOV ECX,0C
  00568CEC    6A 00              PUSH 0
  00568CEE    6A 00              PUSH 0
  00568CF0    49                 DEC ECX
  00568CF1  ^ 75 F9              JNZ SHORT MyTheatr.00568CEC
  00568CF3    B8 A4875600        MOV EAX,MyTheatr.005687A4
  00568CF8    E8 73E5E9FF        CALL MyTheatr.00407270
  00568CFD    33C0               XOR EAX,EAX
  00568CFF    55                 PUSH EBP
  00568D00    68 E2985600        PUSH MyTheatr.005698E2
  00568D05    64:FF30            PUSH DWORD PTR FS:[EAX]
  00568D08    64:8920            MOV DWORD PTR FS:[EAX],ESP
  00568D0B    64:8B05 18000000   MOV EAX,DWORD PTR FS:[18]
  00568D12    8B40 30            MOV EAX,DWORD PTR DS:[EAX+30]
  00568D15    31C9               XOR ECX,ECX
  00568D17    8848 02            MOV BYTE PTR DS:[EAX+2],CL
  00568D1A    8D55 E4            LEA EDX,DWORD PTR SS:[EBP-1C]
  00568D1D    A1 C8215700        MOV EAX,DWORD PTR DS:[5721C8]
  00568D22    8B00               MOV EAX,DWORD PTR DS:[EAX]
  00568D24    E8 BFB8F2FF        CALL MyTheatr.004945E8
  00568D29    8B45 E4            MOV EAX,DWORD PTR SS:[EBP-1C]
  00568D2C    8D55 E8            LEA EDX,DWORD PTR SS:[EBP-18]
  00568D2F    E8 9019EAFF        CALL MyTheatr.0040A6C4
  00568D34    8B55 E8            MOV EDX,DWORD PTR SS:[EBP-18]
  00568D37    A1 881E5700        MOV EAX,DWORD PTR DS:[571E88]
  00568D3C    E8 AFBEE9FF        CALL MyTheatr.00404BF0
  00568D41    68 0C1B5700        PUSH MyTheatr.00571B0C
  00568D46    68 24845600        PUSH MyTheatr.00568424
  00568D4B    E8 E4EFE9FF        CALL MyTheatr.00407D34                   ; JMP to USER32.EnumWindows
  00568D50    8B15 341C5700      MOV EDX,DWORD PTR DS:[571C34]            ; MyTheatr.006FD7AC
  00568D56    A1 64215700        MOV EAX,DWORD PTR DS:[572164]
  00568D5B    8B00               MOV EAX,DWORD PTR DS:[EAX]
  00568D5D    E8 169DFDFF        CALL MyTheatr.00542A78
  00568D62    A1 341C5700        MOV EAX,DWORD PTR DS:[571C34]
  00568D67    8B00               MOV EAX,DWORD PTR DS:[EAX]
  00568D69    33D2               XOR EDX,EDX
  00568D6B    8B08               MOV ECX,DWORD PTR DS:[EAX]
  00568D6D    FF51 48            CALL DWORD PTR DS:[ECX+48]
  00568D70    A1 E41A5700        MOV EAX,DWORD PTR DS:[571AE4]
  00568D75    A3 0C1B5700        MOV DWORD PTR DS:[571B0C],EAX
  00568D7A    33C0               XOR EAX,EAX
  00568D7C    A3 101B5700        MOV DWORD PTR DS:[571B10],EAX
  00568D81    B9 F8985600        MOV ECX,MyTheatr.005698F8                ; ASCII "MyTheatre_Common"
  00568D86    33D2               XOR EDX,EDX
  00568D88    B8 14995600        MOV EAX,MyTheatr.00569914                ; ASCII "SeparateProfiles"
  00568D8D    E8 1AB1FCFF        CALL MyTheatr.00533EAC
  00568D92    84C0               TEST AL,AL
  00568D94    0F84 F1000000      JE MyTheatr.00568E8B
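A note on the patch in step 3, with an added example that is not part of the original post. The stub pre-creates a mutex with the same name the packer is about to open (the PUSH 12FBDC reuses the lpName pointer that the intercepted OpenMutexA call received on the stack), so the OpenMutexA that follows succeeds. Three operands in the byte string are tied to the author's machine: the name pointer 0012FBDC (a stack address) and the two rel32 displacements, which encode the Windows 2000 kernel32 addresses of CreateMutexA and OpenMutexA relative to 00401000. Pasting the hex verbatim on another OS or at another patch address will call into the wrong place. The Python below decodes the post's bytes to show which absolute addresses they imply, and rebuilds the stub for a given patch address and address set; the "rebuilt" addresses in the usage section are assumed values for illustration only.

```python
import struct

# Layout of the 23-byte stub the post writes at 0x401000. The offsets are fixed by the
# instruction encodings; only the three dword operands change between machines.
#   +0x00 60            PUSHAD
#   +0x01 9C            PUSHFD
#   +0x02 68 <imm32>    PUSH lpName          (pointer to the mutex name, a stack address here)
#   +0x07 33 C0         XOR EAX,EAX
#   +0x09 50            PUSH EAX             (bInitialOwner = 0)
#   +0x0A 50            PUSH EAX             (lpMutexAttributes = NULL)
#   +0x0B E8 <rel32>    CALL CreateMutexA
#   +0x10 9D            POPFD
#   +0x11 61            POPAD
#   +0x12 E9 <rel32>    JMP  OpenMutexA
STUB_LEN = 0x17
CALL_OFF = 0x0B
JMP_OFF = 0x12

# Constructed from step 3 of the post.
POST_PATCH_ADDR = 0x00401000
POST_STUB_HEX = "609C68DCFB120033C05050E8E694A6779D61E98F9FA777"


def rel32(next_insn_addr, target):
    """Displacement for a 5-byte E8 CALL / E9 JMP: target minus the address of the
    following instruction, as an unsigned 32-bit value (two's complement when negative)."""
    return (target - next_insn_addr) & 0xFFFFFFFF


def rel32_target(insn_addr, disp):
    """Inverse of rel32: absolute target of a 5-byte E8/E9 at insn_addr with displacement disp."""
    return (insn_addr + 5 + disp) & 0xFFFFFFFF


def build_mutex_stub(patch_addr, name_ptr, create_mutex_addr, open_mutex_addr):
    """Assemble the stub for a given patch address and absolute API/name addresses."""
    code = bytearray(b"\x60\x9C")                       # PUSHAD; PUSHFD
    code += b"\x68" + struct.pack("<I", name_ptr)       # PUSH lpName
    code += b"\x33\xC0\x50\x50"                         # XOR EAX,EAX; PUSH EAX; PUSH EAX
    assert len(code) == CALL_OFF
    code += b"\xE8" + struct.pack("<I", rel32(patch_addr + CALL_OFF + 5, create_mutex_addr))
    code += b"\x9D\x61"                                 # POPFD; POPAD
    assert len(code) == JMP_OFF
    code += b"\xE9" + struct.pack("<I", rel32(patch_addr + JMP_OFF + 5, open_mutex_addr))
    assert len(code) == STUB_LEN
    return bytes(code)


def decode_mutex_stub(stub, patch_addr):
    """Parse a stub of the same shape; return (name_ptr, CreateMutexA addr, OpenMutexA addr)."""
    if (len(stub) != STUB_LEN or stub[:2] != b"\x60\x9C" or stub[2] != 0x68
            or stub[CALL_OFF] != 0xE8 or stub[JMP_OFF] != 0xE9):
        raise ValueError("not the expected PUSHAD/PUSHFD/PUSH/.../CALL/.../JMP stub")
    name_ptr = struct.unpack_from("<I", stub, 3)[0]
    call_disp = struct.unpack_from("<I", stub, CALL_OFF + 1)[0]
    jmp_disp = struct.unpack_from("<I", stub, JMP_OFF + 1)[0]
    return (name_ptr,
            rel32_target(patch_addr + CALL_OFF, call_disp),
            rel32_target(patch_addr + JMP_OFF, jmp_disp))


if __name__ == "__main__":
    name_ptr, create_addr, open_addr = decode_mutex_stub(bytes.fromhex(POST_STUB_HEX), POST_PATCH_ADDR)
    print(f"lpName       = {name_ptr:08X}")
    print(f"CreateMutexA = {create_addr:08X}")
    print(f"OpenMutexA   = {open_addr:08X}")
    # Rebuild for a hypothetical machine where the name sits elsewhere on the stack and
    # kernel32 exports are 0x10000 higher (assumed values, for illustration only).
    rebuilt = build_mutex_stub(POST_PATCH_ADDR, 0x0012FBE0, create_addr + 0x10000, open_addr + 0x10000)
    print("rebuilt stub:", rebuilt.hex().upper())
```

Decoding the post's bytes gives lpName = 0012FBDC and kernel32 targets 77E6A4F6 (CreateMutexA) and 77E7AFA6 (OpenMutexA), consistent with the OllyDbg listing. In practice, read the real addresses from OllyDbg's names window and the lpName argument from the stack at the OpenMutexA break, then assemble with those rather than reusing the string.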