- UID
- 40339
注册时间2007-12-6
阅读权限20
最后登录1970-1-1
以武会友
 
TA的每日心情 | 开心
2020-12-31 08:08 |
|---|
签到天数: 7 天 [LV.3]偶尔看看II
|
【文章标题】: NoobyProtect 1.5.3.0 Demo版脱壳
【作者声明】: 初学脱壳,没什么好东西。个人的一些经验,希望与大家分享,错误之处,欢迎指正!
【测试软件】:Notepad + NoobyProtect 1.5.3.0 Demo
【详细过程】
如下:
配置好OD和插件
OD载入:
0112B261 > $ /EB 1D jmp short 0112B280 //入口
0112B263 . |4E 6F 6F 62 7>ascii "NoobyProtect SE "
0112B273 . |31 2E 35 2E 3>ascii "1.5.3.0 Demo",0
0112B280 >^\EB A8 jmp short 0112B22A
0112B282 1B db 1B
0112B283 8A db 8A
0112B284 . 187F 8A sbb byte ptr [edi-76], bh
0112B287 > 23A0 2FF48B40 and esp, dword ptr [eax+408>
0112B28D . 08EB or bl, ch
0112B28F . 3E:FEC3 inc bl
0112B292 > 58 pop eax
0112B293 . EB 47 jmp short 0112B2DC
然后向下搜索代码(不选整个块):FF90,找到这里
0112B2FD . B2 20 mov dl, 20
0112B2FF . 47 inc edi
0112B300 . B2 35 mov dl, 35
0112B302 . D5 2B aad 2B
0112B304 > 81C0 FA697C33 add eax, 337C69FA
0112B30A . FF90 D6058DCD call dword ptr [eax+CD8D05D6] //找到这里
0112B310 > 85C0 test eax, eax
0112B312 .^ 0F84 52FEFFFF je 0112B16A
0112B318 .^ E9 99FEFFFF jmp 0112B1B6
在0112B30A . FF90 D6058DCD call dword ptr [eax+CD8D05D6] 下F2断点
shift+F9运行
0112B30A . FF90 D6058DCD call dword ptr [eax+CD8D05D6] ; KERNEL32.GetModuleHandleA
0112B310 > 85C0 test eax, eax
0112B312 .^ 0F84 52FEFFFF je 0112B16A
可见这个CALL在调用GetModuleHandleA函数
此时取消断点
打开内存窗口在01001000断下F2断点
中断在这里
0112B1D1 > /8903 mov dword ptr [ebx], eax ; USER32.SetWinEventHook
0112B1D3 . |EB 4F jmp short 0112B224
0112B1D5 |A6 db A6
0112B1D6 |33 db 33 ; CHAR '3'
eax=77D3E3D3 (USER32.SetWinEventHook)
ds:[010012AC]=77D3E3D3 (USER32.SetWinEventHook)
跳转来自 0112B216
然后数据窗口跟随到010012AC,发现这里就是IAT了。
单步F8往下走,到这里
0111AA22 > 6A 70 push 70 //这里是被偷取的入口代码
0111AA24 .-|E9 76C9EEFF jmp 0100739F //这里跳向OEP
0111AA29 > |E8 00000000 call 0111AA2E
0111AA2E $ |E9 FD010000 jmp 0111AC30
0111AA33 |5B db 5B ; CHAR '['
0100739D B0 7D mov al, 7D //
0100739F 68 98180001 push 01001898 //跳到这里
010073A4 E8 BF010000 call 01007568
010073A9 33DB xor ebx, ebx
010073AB 53 push ebx
010073AC E8 C37D0B00 call 010BF174
010073B1 42 inc edx
010073B2 FFD7 call edi
010073B4 66:8138 4D5A cmp word ptr [eax], 5A4D
010073B9 75 1F jnz short 010073DA
010073BB 8B48 3C mov ecx, dword ptr [eax+3C]
010073BE 03C8 add ecx, eax
在0100739D处补上被偷取的入口代码 push 70
新建EIP
0100739D 6A 70 push 70 //改成这样
0100739F 68 98180001 push 01001898
010073A4 E8 BF010000 call 01007568
010073A9 33DB xor ebx, ebx
010073AB 53 push ebx
010073AC E8 C37D0B00 call 010BF174
IAT就在010012AC这个地址上翻
01001000 77DA6FC8 ADVAPI32.RegQueryValueExW
01001004 77DA6BF0 ADVAPI32.RegCloseKey
01001008 77DC8F7D ADVAPI32.RegCreateKeyW
0100100C 77DCD5FD ADVAPI32.IsTextUnicode
01001010 77DA7883 ADVAPI32.RegQueryValueExA
01001014 77DA761B ADVAPI32.RegOpenKeyExA
01001018 77DAD7CC ADVAPI32.RegSetValueExW
0100101C 00000000
01001020 7718D2ED COMCTL32.CreateStatusWindowW
01001024 00000000
01001028 77F05923 GDI32.EndPage
0100102C 77F23412 GDI32.AbortDoc
01001030 77F05BB1 GDI32.EndDoc
01001034 77EF6CA6 GDI32.DeleteDC
01001038 77F06AA6 GDI32.StartPage
0100103C 77EF8174 GDI32.GetTextExtentPoint32W
01001040 77F0F8CF GDI32.CreateDCW
01001044 77F23532 GDI32.SetAbortProc
01001048 77EFB079 GDI32.GetTextFaceW
0100104C 77EF7CE8 GDI32.TextOutW
01001050 77F240A2 GDI32.StartDocW
01001054 77F1EA7C GDI32.EnumFontsW
01001058 77EF5FF1 GDI32.GetStockObject
0100105C 77EF8323 GDI32.GetObjectW
01001060 77EF58A2 GDI32.GetDeviceCaps
01001064 77EF8BBA GDI32.CreateFontIndirectW
01001068 77EF6A3B GDI32.DeleteObject
0100106C 77EF7BF5 GDI32.GetTextMetricsW
01001070 77EF5D0B GDI32.SetBkMode
01001074 77EF8195 GDI32.LPtoDP
01001078 77F0E3B6 GDI32.SetWindowExtEx
0100107C 77F0E45F GDI32.SetViewportExtEx
01001080 77EFA8F7 GDI32.SetMapMode
01001084 77EF59A0 GDI32.SelectObject
01001088 00000000
0100108C 7C809737 KERNEL32.GetCurrentThreadId
01001090 7C8092AC KERNEL32.GetTickCount
01001094 7C80A417 KERNEL32.QueryPerformanceCounter
01001098 7C80C9C1 KERNEL32.GetLocalTime
0100109C 7C809FC0 KERNEL32.GetUserDefaultLCID
010010A0 7C827C79 KERNEL32.GetDateFormatW
010010A4 7C8284D5 KERNEL32.GetTimeFormatW
010010A8 7C810119 KERNEL32.GlobalLock
010010AC 7C810082 KERNEL32.GlobalUnlock
010010B0 7C810E85 KERNEL32.GetFileInformationByHandle
010010B4 7C80939E KERNEL32.CreateFileMappingW
010010B8 7C8017E5 KERNEL32.GetSystemTimeAsFileTime
010010BC 7C801E16 KERNEL32.TerminateProcess
010010C0 7C80E00D KERNEL32.GetCurrentProcess
010010C4 7C810386 KERNEL32.SetUnhandledExceptionFilter
010010C8 7C801D77 KERNEL32.LoadLibraryA
010010CC 7C80B529 KERNEL32.GetModuleHandleA
010010D0 7C801EEE KERNEL32.GetStartupInfoA
010010D4 7C80FE2F KERNEL32.GlobalFree
010010D8 7C811772 KERNEL32.GetLocaleInfoW
010010DC 7C80995D KERNEL32.LocalFree
010010E0 7C8099BD KERNEL32.LocalAlloc
010010E4 7C809A39 KERNEL32.lstrlenW
010010E8 7C822E21 KERNEL32.LocalUnlock
010010EC 7C80A34E KERNEL32.CompareStringW
010010F0 7C822D88 KERNEL32.LocalLock
010010F4 7C8792E6 KERNEL32.FoldStringW
010010F8 7C809B77 KERNEL32.CloseHandle
010010FC 7C80B8EC KERNEL32.lstrcpyW
01001100 7C80180E KERNEL32.ReadFile
01001104 7C810976 KERNEL32.CreateFileW
01001108 7C80A823 KERNEL32.lstrcmpiW
0100110C 7C80994E KERNEL32.GetCurrentProcessId
01001110 7C80AC28 KERNEL32.GetProcAddress
01001114 7C816CFB KERNEL32.GetCommandLineW
01001118 7C81114A KERNEL32.lstrcatW
0100111C 7C80EFD7 KERNEL32.FindClose
01001120 7C80F0E1 KERNEL32.FindFirstFileW
01001124 7C80B5D4 KERNEL32.GetFileAttributesW
01001128 7C80A859 KERNEL32.lstrcmpW
0100112C 7C8097F4 KERNEL32.MulDiv
01001130 7C80B877 KERNEL32.lstrcpynW
01001134 7C82237C KERNEL32.LocalSize
01001138 7C930331 ntdll.RtlGetLastWin32Error
0100113C 7C810F9F KERNEL32.WriteFile
01001140 7C930340 ntdll.RtlSetLastWin32Error
01001144 7C80A0C7 KERNEL32.WideCharToMultiByte
01001148 7C81E2B1 KERNEL32.LocalReAlloc
0100114C 7C829047 KERNEL32.FormatMessageW
01001150 7C812DE0 KERNEL32.GetUserDefaultUILanguage
01001154 7C81F850 KERNEL32.SetEndOfFile
01001158 7C81F73D KERNEL32.DeleteFileW
0100115C 7C809943 KERNEL32.GetACP
01001160 7C80B7FC KERNEL32.UnmapViewOfFile
01001164 7C809CAD KERNEL32.MultiByteToWideChar
01001168 7C80B78D KERNEL32.MapViewOfFile
0100116C 7C862B8A KERNEL32.UnhandledExceptionFilter
01001170 00000000
01001174 77453FA2 SHELL32.DragFinish
01001178 773FFCEE SHELL32.DragQueryFileW
0100117C 7741A237 SHELL32.DragAcceptFiles
01001180 7743F8EB SHELL32.ShellAboutW
01001184 00000000
01001188 77D1B556 USER32.GetClientRect
0100118C 77D1C6A8 USER32.SetCursor
01001190 77D1866D USER32.ReleaseDC
01001194 77D18697 USER32.GetDC
01001198 77D26702 USER32.DialogBoxParamW
0100119C 77D25380 USER32.SetActiveWindow
010011A0 77D1C43C USER32.GetKeyboardLayout
010011A4 77D1B1E5 USER32.DefWindowProcW
010011A8 77D1E666 USER32.DestroyWindow
010011AC 77D402D3 USER32.MessageBeep
010011B0 77D1D4DE USER32.ShowWindow
010011B4 77D1C4AE USER32.GetForegroundWindow
010011B8 77D1C48A USER32.IsIconic
010011BC 77D1EB14 USER32.GetWindowPlacement
010011C0 77D190AA USER32.CharUpperW
010011C4 77D19C36 USER32.LoadStringW
010011C8 77D2372D USER32.LoadAcceleratorsW
010011CC 77D1E7B8 USER32.GetSystemMenu
010011D0 77D1AE29 USER32.RegisterClassExW
010011D4 77D242A4 USER32.LoadImageW
010011D8 77D19B69 USER32.LoadCursorW
010011DC 77D3FBEA USER32.SetWindowPlacement
010011E0 77D21AD5 USER32.CreateWindowExW
010011E4 77D1D7BB USER32.GetDesktopWindow
010011E8 77D1C640 USER32.GetFocus
010011EC 77D22174 USER32.LoadIconW
010011F0 77D1BADE USER32.SetWindowTextW
010011F4 77D3EDEB USER32.PostQuitMessage
010011F8 77D1ADDE USER32.RegisterWindowMessageW
010011FC 77D1C064 USER32.UpdateWindow
01001200 77D1F780 USER32.SetScrollPos
01001204 77D19F64 USER32.CharLowerW
01001208 77D19278 USER32.PeekMessageW
0100120C 77D1C4D4 USER32.EnableWindow
01001210 77D205D2 USER32.DrawTextExW
01001214 77D3629F USER32.CreateDialogParamW
01001218 77D1C9FD USER32.GetWindowTextW
0100121C 77D18F75 USER32.GetSystemMetrics
01001220 77D1D515 USER32.MoveWindow
01001224 77D1B49D USER32.InvalidateRect
01001228 77D617D4 USER32.WinHelpW
0100122C 77D1C35C USER32.GetDlgCtrlID
01001230 77D38565 USER32.ChildWindowFromPoint
01001234 77D1C5B8 USER32.ScreenToClient
01001238 77D1C566 USER32.GetCursorPos
0100123C 77D327FC USER32.SendDlgItemMessageW
01001240 77D1B762 USER32.SendMessageW
01001244 77D1E746 USER32.CharNextW
01001248 77D2711B USER32.CheckMenuItem
0100124C 77D1EEE5 USER32.CloseClipboard
01001250 77D1CDED USER32.IsClipboardFormatAvailable
01001254 77D1EEF7 USER32.OpenClipboard
01001258 77D3749F USER32.GetMenuState
0100125C 77D1FC3C USER32.EnableMenuItem
01001260 77D2355A USER32.GetSubMenu
01001264 77D3EABE USER32.GetMenu
01001268 77D66116 USER32.MessageBoxW
0100126C 77D1DEF1 USER32.SetWindowLongW
01001270 77D1887E USER32.GetWindowLongW
01001274 77D252A4 USER32.GetDlgItem
01001278 77D1E5DC USER32.SetFocus
0100127C 77D32730 USER32.SetDlgItemTextW
01001280 77D1A862 USER32.wsprintfW
01001284 77D26B40 USER32.GetDlgItemTextW
01001288 77D26CC9 USER32.EndDialog
0100128C 77D1B5D7 USER32.GetParent
01001290 77D3E544 USER32.UnhookWinEvent
01001294 77D189D9 USER32.DispatchMessageW
01001298 77D18BCE USER32.TranslateMessage
0100129C 77D1943D USER32.TranslateAcceleratorW
010012A0 77D3E73E USER32.IsDialogMessageW
010012A4 77D18CA3 USER32.PostMessageW
010012A8 77D191A3 USER32.GetMessageW
010012AC 77D3E3D3 USER32.SetWinEventHook
010012B0 00000000
010012B4 72F76090 WINSPOOL.GetPrinterDriverW
010012B8 72F75390 WINSPOOL.ClosePrinter
010012BC 72F75749 WINSPOOL.OpenPrinterW
010012C0 00000000
010012C4 763448D6 COMDLG32.PageSetupDlgW
010012C8 76338696 COMDLG32.FindTextW
010012CC 76349D29 COMDLG32.PrintDlgExW
010012D0 7633C4A9 COMDLG32.ChooseFontW
010012D4 76321986 COMDLG32.GetFileTitleW
010012D8 76337C65 COMDLG32.GetOpenFileNameW
010012DC 763386CA COMDLG32.ReplaceTextW
010012E0 763300CE COMDLG32.CommDlgExtendedError
010012E4 76337CF3 COMDLG32.GetSaveFileNameW
010012E8 00000000
010012EC 77C02DAE MSVCRT._XcptFilter
010012F0 77C09E9A MSVCRT._exit
010012F4 77C09ECE MSVCRT._c_exit
010012F8 77C1AEA3 MSVCRT.time
010012FC 77C1AB3D MSVCRT.localtime
01001300 77C09EB6 MSVCRT._cexit
01001304 77BED036 MSVCRT.iswctype
01001308 77C05C94 MSVCRT._except_handler3
0100130C 77BECE77 MSVCRT._wtol
01001310 77C1802F MSVCRT.wcsncmp
01001314 77C0FB0C MSVCRT._snwprintf
01001318 77C09E7E MSVCRT.exit
0100131C 77C317AC offset MSVCRT._acmdln
01001320 77BEEEEB MSVCRT.__getmainargs
01001324 77C09D67 MSVCRT._initterm
01001328 77C1D675 MSVCRT.__setusermatherr
0100132C 77C323D8 offset MSVCRT._adjust_fdiv
01001330 77BEF1A4 MSVCRT.__p__commode
01001334 77BEF1DB MSVCRT.__p__fmode
01001338 77C0537C MSVCRT.__set_app_type
0100133C 77C1EE2F MSVCRT._controlfp
01001340 77C1806B MSVCRT.wcsncpy
01001344 00000000
01001348 00000000
IAT的相对地址:1000,大小:348
现在OEP:0100739D
用OD插件DUMP,ImportREC修复
可以运行,第一次写这个东西,写得不好,请见谅!
上传加壳记事本,可以练习
[ 本帖最后由 lal978112 于 2009-5-23 12:51 编辑 ] |
本帖子中包含更多资源
您需要 登录 才可以下载或查看,没有账号?加入我们
x
|
IP卡
发表于 2009-5-21 08:25:20
提升卡
置顶卡
变色卡
千斤顶
显身卡
发表于 2009-8-20 22:46:02
发表于 2009-8-21 06:37:31
发表于 2009-8-23 19:38:01
发表于 2009-9-4 17:56:00
