
Beidou nspack2.3 DLL unpacking, unpacking, unpacking techniques

2010-1-30 18:24 | Published by: admin | Views: 80 | Comments: 0 | Original author: 情殇


Monday, 23 June 2008, 07:26 PM
【Author】 stasi[DCM][BCG][DFCG][FCG][OCN][CZG][D.4s]

【Author e-mail】 stasi@163.com

【Tools used】 od (OllyDbg)

【Platform】 Win9x/NT/2000/XP

【Software name】 Beidou nspack2.3

【Download】 www.nsdsn.com

【Software description】 Beidou nspack2.3, an excellent domestically developed packer

【Software size】 5k

【Packer】 nspack2.3

【Author's note】 I'm just a little rookie; I picked up a bit of insight and would like to share it with everyone :)

--------------------------------------------------------------------------------

【Cracking details】





I downloaded two versions of Beidou, 2.3 and 2.6. A DLL unpacked from 2.6 does not work across platforms, so only 2.3 is usable.

When Beidou packs a DLL it can optionally process the relocation table. After dumping directly at the OEP, the relocation table can no longer be found, which shows that the packer has tampered with the export table.





100045F8 R> 9C            pushfd                          **** entry point
100045F9    60            pushad
100045FA    E8 00000000   call REALIGN.100045FF
100045FF    5D            pop ebp
10004600    B8 07000000   mov eax,7
10004605    2BE8          sub ebp,eax
10004607    8DB5 88FEFFFF lea esi,dword ptr ss:[ebp-178]
1000460D    8B06          mov eax,dword ptr ds:[esi]
1000460F    83F8 00       cmp eax,0
10004612    74 11         je short REALIGN.10004625



0006FB6C 100045F8 offset REALIGN.
0006FB70 0006FBA0
0006FB74 0006FBAC
0006FB78 0006FB8C

hr 0006FB6C

(OllyDbg command line: a hardware breakpoint on access to the stack slot ESP points at after the pushfd/pushad, the ESP trick. Execution stops once the packer reads that slot back, at the popfd below, right before it jumps to the OEP.)



10004871    9D            popfd
10004872  - E9 EAD2FFFF   jmp REALIGN.10001B61
10004877    8BB5 3CFEFFFF mov esi,dword ptr ss:[ebp-1C4]
1000487D    0BF6          or esi,esi
1000487F    0F84 97000000 je REALIGN.1000491C



10001B61 /. 55            push ebp                        **** oep=1B61
10001B62 |. 8BEC          mov ebp,esp
10001B64 |. 53            push ebx
10001B65 |. 8B5D 08       mov ebx,dword ptr ss:[ebp+8]
10001B68 |. 56            push esi
10001B69 |. 8B75 0C       mov esi,dword ptr ss:[ebp+C]
10001B6C |. 57            push edi
10001B6D |. 8B7D 10       mov edi,dword ptr ss:[ebp+10]
10001B70 |. 85F6          test esi,esi
10001B72 |. 75 09         jnz short REALIGN.10001B7D
10001B74 |. 833D 041C0010 >cmp dword ptr ds:[10001C04],0





The import table (size=48):



10001000 77903039 IMAGEHLP.ImageNtHeader
10001004 00000000
10001008 77E69168 KERNEL32.CloseHandle
1000100C 77E6F2A6 KERNEL32.SetEndOfFile
10001010 77E7C912 KERNEL32.DisableThreadLibraryCalls
10001014 77E7D7CC KERNEL32.SetFilePointer
10001018 77E757E2 KERNEL32.CreateFileA
1000101C 77E732AF KERNEL32.GlobalFree
10001020 77E716B4 KERNEL32.GlobalAlloc
10001024 77E7154E KERNEL32.SetHandleCount
10001028 77E6A63A KERNEL32.LoadResource
1000102C 77E7D38D KERNEL32.FindResourceA
10001030 00000000
10001034 780014A9
10001038 7800BD6A
1000103C 78001DB0
10001040 7800119B
10001044 7801F4E5
10001048 7803A670





The base relocation table can be repaired by hand:

First find the code that needs relocating (the absolute pointers the loader must fix up):



1000108C 1000170B REALIGN.1000170B
10001090 10001711 REALIGN.10001711
1000109C 100019E9 REALIGN.100019E9
100010A0 100019EF REALIGN.100019EF

1000446C 10001000 REALIGN.10001000
100044B0 10001000 REALIGN.10001000





Then construct the base relocation table yourself:



unsigned char data[320] = {
    /* block 1: VirtualAddress 0x1000, SizeOfBlock 0x130 -> (0x130-8)/2 = 148 entries */
    0x00, 0x10, 0x00, 0x00, 0x30, 0x01, 0x00, 0x00, 0x8C, 0x30, 0x90, 0x30, 0x9C, 0x30, 0xA0, 0x30,
    0xBD, 0x30, 0xC3, 0x30, 0xEA, 0x30, 0x07, 0x31, 0x0E, 0x31, 0x15, 0x31, 0x3D, 0x31, 0x6F, 0x31,
    0x96, 0x31, 0x9B, 0x31, 0xBE, 0x31, 0xDE, 0x31, 0xE4, 0x31, 0xFD, 0x31, 0x26, 0x32, 0x77, 0x32,
    0x8D, 0x32, 0xAE, 0x32, 0xBD, 0x32, 0xC2, 0x32, 0xC8, 0x32, 0xCF, 0x32, 0xD9, 0x32, 0xE0, 0x32,
    0xEA, 0x32, 0x1D, 0x33, 0x25, 0x33, 0x2B, 0x33, 0x30, 0x33, 0x4D, 0x33, 0x63, 0x33, 0x75, 0x33,
    0x7B, 0x33, 0x83, 0x33, 0xA5, 0x33, 0xAD, 0x33, 0xB3, 0x33, 0xBE, 0x33, 0xC9, 0x33, 0xCF, 0x33,
    0xE6, 0x33, 0xEC, 0x33, 0xF4, 0x33, 0xFD, 0x33, 0x0B, 0x34, 0x11, 0x34, 0x1A, 0x34, 0x20, 0x34,
    0x2B, 0x34, 0x35, 0x34, 0x3E, 0x34, 0x47, 0x34, 0x4D, 0x34, 0x53, 0x34, 0x5F, 0x34, 0x81, 0x34,
    0x9A, 0x34, 0xA1, 0x34, 0xAC, 0x34, 0xB3, 0x34, 0xBF, 0x34, 0xC5, 0x34, 0xCA, 0x34, 0xD6, 0x34,
    0xE3, 0x34, 0xEA, 0x34, 0x11, 0x35, 0x17, 0x35, 0x20, 0x35, 0x35, 0x35, 0x3D, 0x35, 0x43, 0x35,
    0x49, 0x35, 0x4F, 0x35, 0x5F, 0x35, 0x6C, 0x35, 0x74, 0x35, 0x80, 0x35, 0xB5, 0x35, 0xC2, 0x35,
    0xCE, 0x35, 0xDD, 0x35, 0xE6, 0x35, 0xEE, 0x35, 0xF9, 0x35, 0x09, 0x36, 0x10, 0x36, 0x17, 0x36,
    0x1D, 0x36, 0x22, 0x36, 0x38, 0x36, 0x3E, 0x36, 0x47, 0x36, 0x4D, 0x36, 0x53, 0x36, 0x5C, 0x36,
    0x67, 0x36, 0x71, 0x36, 0x7A, 0x36, 0x80, 0x36, 0x86, 0x36, 0x8C, 0x36, 0x9D, 0x36, 0xAB, 0x36,
    0xB1, 0x36, 0xB8, 0x36, 0xC7, 0x36, 0xD4, 0x36, 0xDB, 0x36, 0xE9, 0x36, 0x01, 0x37, 0x17, 0x37,
    0x1D, 0x37, 0x29, 0x37, 0x2E, 0x37, 0x39, 0x37, 0x41, 0x37, 0x47, 0x37, 0x4F, 0x37, 0x96, 0x37,
    0x9B, 0x37, 0x17, 0x3A, 0xB2, 0x3A, 0xC0, 0x3A, 0xC8, 0x3A, 0xCE, 0x3A, 0xD9, 0x3A, 0xE6, 0x3A,
    0xEE, 0x3A, 0xFC, 0x3A, 0x01, 0x3B, 0x06, 0x3B, 0x0B, 0x3B, 0x16, 0x3B, 0x23, 0x3B, 0x2D, 0x3B,
    0x42, 0x3B, 0x4E, 0x3B, 0x54, 0x3B, 0x76, 0x3B, 0x88, 0x3B, 0xE4, 0x3B, 0x00, 0x3C, 0x98, 0x3C,
    /* block 2: VirtualAddress 0x4000, SizeOfBlock 0x10 -> (0x10-8)/2 = 4 entries */
    0x00, 0x40, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x3C, 0x34, 0x6C, 0x34, 0x90, 0x34, 0xB0, 0x34
};



A base relocation block consists of three parts:

0x00, 0x10, 0x00, 0x00 is VirtualAddress: 0x00001000

0x30, 0x01, 0x00, 0x00 is SizeOfBlock: 0x00000130; (0x130-0x8)/0x2=0x94, so there are 148 entries

0x8C, 0x30 is one entry of the relocation array: 0x08C is the offset within the page, 3 is the type HIGHLOW

Likewise:

0x00, 0x40, 0x00, 0x00 is VirtualAddress: 0x00004000

0x10, 0x00, 0x00, 0x00 is SizeOfBlock: 0x00000010; (0x10-0x8)/0x2=0x4, so there are 4 entries

0x3C, 0x34 is one entry of the relocation array: 0x43C is the offset within the page, 3 is the type HIGHLOW
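The block layout just described, as an added example that is not part of the original write-up: a small Python parser and builder for IMAGE_BASE_RELOCATION blocks. The parser applies the (SizeOfBlock-8)/2 rule and splits each 16-bit entry into type and offset; the builder does what the author did by hand, grouping RVAs by 4 KiB page and padding an odd-length block with a type-0 ABSOLUTE entry so SizeOfBlock stays 4-byte aligned; reloc_rvas yields the RVA column that a relox input file expects. The 16-byte sample is the second block of the table above; the function names are mine.

```python
import struct

IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry, skipped by the loader
IMAGE_REL_BASED_HIGHLOW = 3    # 32-bit absolute address: add (new base - old base)

def parse_reloc_blocks(data):
    """Walk IMAGE_BASE_RELOCATION blocks; return [(page_rva, [(type, offset), ...]), ...]."""
    blocks, pos = [], 0
    while pos + 8 <= len(data):
        page_rva, size = struct.unpack_from("<II", data, pos)
        if size < 8 or pos + size > len(data):
            raise ValueError("bad SizeOfBlock 0x%X at 0x%X" % (size, pos))
        count = (size - 8) // 2                 # the (SizeOfBlock-8)/2 rule from the text
        entries = []
        for i in range(count):
            (e,) = struct.unpack_from("<H", data, pos + 8 + 2 * i)
            entries.append((e >> 12, e & 0xFFF))  # high nibble = type, low 12 bits = offset
        blocks.append((page_rva, entries))
        pos += size
    return blocks

def build_reloc_table(rvas, reloc_type=IMAGE_REL_BASED_HIGHLOW):
    """Group fixup RVAs by 4 KiB page and emit one block per page, 4-byte aligned."""
    pages = {}
    for rva in sorted(set(rvas)):
        pages.setdefault(rva & ~0xFFF, []).append(rva & 0xFFF)
    out = bytearray()
    for page_rva in sorted(pages):
        entries = [(reloc_type << 12) | off for off in pages[page_rva]]
        if len(entries) % 2:                    # pad so SizeOfBlock is a multiple of 4
            entries.append(IMAGE_REL_BASED_ABSOLUTE << 12)
        out += struct.pack("<II", page_rva, 8 + 2 * len(entries))
        out += struct.pack("<%dH" % len(entries), *entries)
    return bytes(out)

def reloc_rvas(data):
    """Absolute RVAs of every HIGHLOW fixup, i.e. the RVA column of a relox input file."""
    return [page + off for page, ents in parse_reloc_blocks(data)
            for t, off in ents if t == IMAGE_REL_BASED_HIGHLOW]

# Constructed from the page: block 2 of the hand-built table (VirtualAddress 0x4000, SizeOfBlock 0x10).
PAGE_BLOCK_4000 = bytes([0x00, 0x40, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00,
                         0x3C, 0x34, 0x6C, 0x34, 0x90, 0x34, 0xB0, 0x34])

if __name__ == "__main__":
    for page, ents in parse_reloc_blocks(PAGE_BLOCK_4000):
        print("page %08X: %s" % (page, ["type %X offset %03X" % (t, o) for t, o in ents]))
    assert build_reloc_table(reloc_rvas(PAGE_BLOCK_4000)) == PAGE_BLOCK_4000
```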



Fix up the PE header:



100000E0 8D4F0000 DD 00004F8D ; Relocation Table address = 4F8D
100000E4 08000000 DD 00000008 ; Relocation Table size = 8



Change it to:

100000E0 00900000 DD 00009000 ; Relocation Table address = 8E90
100000E4 40010000 DD 00000140 ; Relocation Table size = 140 (320.)





* The Relocation Table address can point at any free space, because the relocation table may live anywhere; I chose to put it next to the IAT. If you want a .reloc section instead, you have to add a section by hand, and then the section count has to be incremented as well.





relox can also be used to restore the relocation table, which is simpler. Its input file looks like this:



; Original filename and image base (the separator is a TAB)
C:\1500000.dll 01500000

; Code section indexes (the separator is a TAB)
0 1

; Syntax for each relocation (the separator is a TAB)
; ---------------------------------------------------
; RVA Type
0000108C 3
00001090 3
0000109C 3
000010A0 3
000010BD 3
000010C3 3
000010EA 3
00001107 3
0000110E 3
00001115 3
0000113D 3
0000116F 3
00001196 3
0000119B 3
000011BE 3
000011DE 3
000011E4 3
000011FD 3
00001226 3
00001277 3
0000128D 3
000012AE 3
000012BD 3
000012C2 3
000012C8 3
000012CF 3
000012D9 3
000012E0 3
000012EA 3
0000131D 3
00001325 3
0000132B 3
00001330 3
0000134D 3
00001363 3
00001375 3
0000137B 3
00001383 3
000013A5 3
000013AD 3
000013B3 3
000013BE 3
000013C9 3
000013CF 3
000013E6 3
000013EC 3
000013F4 3
000013FD 3
0000140B 3
00001411 3
0000141A 3
00001420 3
0000142B 3
00001435 3
0000143E 3
00001447 3
0000144D 3
00001453 3
0000145F 3
00001481 3
0000149A 3
000014A1 3
000014AC 3
000014B3 3
000014BF 3
000014C5 3
000014CA 3
000014D6 3
000014E3 3
000014EA 3
00001511 3
00001517 3
00001520 3
00001535 3
0000153D 3
00001543 3
00001549 3
0000154F 3
0000155F 3
0000156C 3
00001574 3
00001580 3
000015B5 3
000015C2 3
000015CE 3
000015DD 3
000015E6 3
000015EE 3
000015F9 3
00001609 3
00001610 3
00001617 3
0000161D 3
00001622 3
00001638 3
0000163E 3
00001647 3
0000164D 3
00001653 3
0000165C 3
00001667 3
00001671 3
0000167A 3
00001680 3
00001686 3
0000168C 3
0000169D 3
000016AB 3
000016B1 3
000016B8 3
000016C7 3
000016D4 3
000016DB 3
000016E9 3
00001701 3
00001717 3
0000171D 3
00001729 3
0000172E 3
00001739 3
00001741 3
00001747 3
0000174F 3
00001796 3
0000179B 3
00001A17 3
00001AB2 3
00001AC0 3
00001AC8 3
00001ACE 3
00001AD9 3
00001AE6 3
00001AEE 3
00001AFC 3
00001B01 3
00001B06 3
00001B0B 3
00001B16 3
00001B23 3
00001B2D 3
00001B42 3
00001B4E 3
00001B54 3
00001B76 3
00001B88 3
00001BE4 3
00001C00 3
00001C98 3
0000443C 3
0000446C 3
00004490 3
000044B0 3





relox then repairs the base relocation table automatically.

--------------------------------------------------------------------------------

【Cracking summary】





While getting the DLL done, I also brushed up on my knowledge of the base relocation table.

--------------------------------------------------------------------------------

【Copyright notice】 This article is purely for technical exchange. When reposting, please credit the author and keep the article intact. Thanks!

2005-8-30

