发表于 2010-8-1 19:44:22
API重写保护
------------------------------ 00464060 > /EB 65 jmp short 004640C7 OEP载入.在这停下。F7
- 00464062 |45 inc ebp
- 00464063 |78 65 js short 004640CA
- 00464065 |53 push ebx
- 00464066 |74 65 je short 004640CD
- 00464068 |61 popad
- 00464069 |6C ins byte ptr es:[edi], dx
- 0046406A |74 68 je short 004640D4
- 0046406C |2056 32 and byte ptr [esi+32], dl
- 0046406F |202D 20909090 and byte ptr [90909020], ch
- 00464075 |90 nop
- 00464076 |90 nop
- 00464077 |65:62746F 6F bound esi, qword ptr gs:[edi+ebp*2+6F]
- ..........
- 00464145 F9 stc
- 00464146 AA stos byte ptr es:[edi]
- 00464147 ^ E2 C7 loopd short 00464110 //可以在这里F4,
- 00464149 8B4424 20 mov eax, dword ptr [esp+20] //接着这里F4,因为前面我们已经调试多次了,熟悉了
- 0046414D 8B4424 20 mov eax, dword ptr [esp+20]
- 00464151 83C0 0E add eax, 0E
- 00464154 83E8 0E sub eax, 0E
- 00464157 83C0 0E add eax, 0E
- 0046415A 83E8 0E sub eax, 0E
- 0046415D 40 inc eax
- 0046415E 78 1D js short 0046417D
- 00464160 C785 45304000 0>mov dword ptr [ebp+403045], 1
- 0046416A EB 11 jmp short 0046417D
- 0046416C 8B4424 20 mov eax, dword ptr [esp+20]
- 00464170 83C0 0E add eax, 0E
- 00464173 83E8 0E sub eax, 0E
- 00464176 83C0 0E add eax, 0E
- 00464179 83E8 0E sub eax, 0E
- 0046417C 40 inc eax
- 0046417D 8D85 D3274000 lea eax, dword ptr [ebp+4027D3]
- 00464183 B9 10070000 mov ecx, 710
- 00464188 E8 41020000 call 004643CE
- 0046418D 8985 41304000 mov dword ptr [ebp+403041], eax
- 00464193 8B85 39304000 mov eax, dword ptr [ebp+403039]
- 00464199 83E0 01 and eax, 1
- 0046419C 74 40 je short 004641DE //enter
- 0046419E 8DB5 B1314000 lea esi, dword ptr [ebp+4031B1]
- 004641A4 8D85 3E294000 lea eax, dword ptr [ebp+40293E]
- 004641AA 8946 08 mov dword ptr [esi+8], eax
- 004641AD 8BFD mov edi, ebp
- 004641AF 8D85 CF2F4000 lea eax, dword ptr [ebp+402FCF]
- 004641B5 33DB xor ebx, ebx
- 004641B7 50 push eax
- 004641B8 64:FF33 push dword ptr fs:[ebx]
- 004641BB 64:8923 mov dword ptr fs:[ebx], esp
- 004641BE BD 4B484342 mov ebp, 4243484B
- 004641C3 66:B8 0400 mov ax, 4
- 004641C7 EB 01 jmp short 004641CA
- 004641C9 FFCC dec esp //INT3异常,无论F7,F8都过不去,
- 004641CB 8BEF mov ebp, edi
- 004641CD 33DB xor ebx, ebx
- 004641CF 64:8F03 pop dword ptr fs:[ebx]
- 004641D2 83C4 04 add esp, 4
- 004641D5 3C 04 cmp al, 4
- 004641D7 74 05 je short 004641DE
- 004641D9 EB 01 jmp short 004641DC
- ------------------------
- 004641DE 8B85 31304000 mov eax, dword ptr [ebp+403031] //F2,SHIFT+F9 ,继续f8
- 004641E4 0340 3C add eax, dword ptr [eax+3C]
- 004641E7 05 80000000 add eax, 80
- 004641EC 8B08 mov ecx, dword ptr [eax]
- 004641EE 038D 31304000 add ecx, dword ptr [ebp+403031]
- 004641F4 83C1 10 add ecx, 10
- 004641F7 8B01 mov eax, dword ptr [ecx]
- 004641F9 0385 31304000 add eax, dword ptr [ebp+403031]
- 004641FF 8B18 mov ebx, dword ptr [eax]
- 00464201 899D BD314000 mov dword ptr [ebp+4031BD], ebx
- 00464207 83C0 04 add eax, 4
- -----------------------
- 004646E9 8339 00 cmp dword ptr [ecx], 0
- 004646EC ^ 0F85 34FFFFFF jnz 00464626
- 004646F2 83C6 0C add esi, 0C //F4
- 004646F5 837E 04 00 cmp dword ptr [esi+4], 0
- 004646F9 ^ 0F85 B4FEFFFF jnz 004645B3
- 004646FF 33C0 xor eax, eax //F4,之后一直F8
- 00464701 40 inc eax
- 00464702 83F8 01 cmp eax, 1
- 00464705 74 02 je short 00464709
- 00464707 61 popad
- 00464708 C3 retn
- 00464709 F785 39304000 0>test dword ptr [ebp+403039], 2
- 00464713 74 18 je short 0046472D
- 00464715 8BBD 31304000 mov edi, dword ptr [ebp+403031]
- 0046471B 037F 3C add edi, dword ptr [edi+3C]
- 0046471E 8B4F 54 mov ecx, dword ptr [edi+54]
- 00464721 8BB5 31304000 mov esi, dword ptr [ebp+403031]
- 00464727 C606 00 mov byte ptr [esi], 0
- 0046472A 46 inc esi
- 0046472B ^ E2 FA loopd short 00464727
- 0046472D 8D85 D3274000 lea eax, dword ptr [ebp+4027D3]
- 00464733 B9 10070000 mov ecx, 710
- 00464738 EB 01 jmp short 0046473B
- 0046473A - E9 E88EFCFF jmp 0042D627
- ...
- 0046473B E8 8EFCFFFF call 004643CE //F8到这里,一般保险起见用F7,之后还是几个F8,一个F4
- 00464740 EB 01 jmp short 00464743
- 00464742 C7 ??? ; 未知命令
- 00464743 8B9D 41304000 mov ebx, dword ptr [ebp+403041] //ss:[004648CE]=0002966B,ebx=000000F4,eax=0002962A
- 00464749 33C3 xor eax, ebx //eax=00000041,下面就不跳了,程序就退出
- 0046474B 74 08 je short 00464755 ; 000
- 0046474D EB 01 jmp short 00464750
- 0046474F 2C 61 sub al, 61
- 00464751 EB 01 jmp short 00464754
- 00464753 E8 C38DBDE3 call E403D51B
- ------------------------转存跟随可以见OEP,我们可以去OEP看看,应该在这之前注意下,或许就是所谓的OEP,dump时机。
- 004648BE 00400000 ASCII "MZP"
- 004648C2 00050DA8 //OEP
- 004648C6 00000021
- 004648CA 00000000
- 004648CE 0002966B
- 004648D2 00000001
- 004648D6 00054700
- 004648DA 0005412C
- 004648DE 00000000
- 004648E2 00054978
- 004648E6 000541B8
- -----------------------
- 00464762 33DB xor ebx, ebx
- 00464764 AC lods byte ptr [esi]
- 00464765 34 61 xor al, 61
- 00464767 2AC3 sub al, bl
- 00464769 C0C0 02 rol al, 2
- 0046476C AA stos byte ptr es:[edi]
- 0046476D 43 inc ebx
- 0046476E ^ E2 F4 loopd short 00464764
- 00464770 8D85 71324000 lea eax, dword ptr [ebp+403271] //F4,地址=00464AFE, (ASCII "IsDebuggerPresent"),eax=00000087
- 00464776 50 push eax //反调试了,壳是在进OEP之前进行反调试,及处理OEP的第一个字节
- 00464777 FFB5 D2314000 push dword ptr [ebp+4031D2]
- 0046477D FF95 C1314000 call dword ptr [ebp+4031C1]
- 00464783 0BC0 or eax, eax
- 00464785 74 08 je short 0046478F //跳
- 00464787 FFD0 call eax
- 00464789 0BC0 or eax, eax
- 0046478B 74 02 je short 0046478F
- 0046478D 61 popad
- 0046478E C3 retn
- 0046478F F785 39304000 0>test dword ptr [ebp+403039], 1 //这里[ebp+403039]=000000021的值,改为0就跳了。
- 00464799 74 4F je short 004647EA //不跳就会调用异常退出.
- ...............
- 004647EA 90 nop
- 004647EB 8D85 982F4000 lea eax, dword ptr [ebp+402F98]
- 004647F1 50 push eax
- 004647F2 C3 retn
- 004647F3 55 push ebp
- 004647F4 8BEC mov ebp, esp
- 004647F6 57 push edi
- 004647F7 8B45 10 mov eax, dword ptr [ebp+10]
- 004647FA 8BB8 C4000000 mov edi, dword ptr [eax+C4]
- 00464800 FF37 push dword ptr [edi]
- 00464802 33FF xor edi, edi
- 00464804 64:8F07 pop dword ptr fs:[edi]
- 00464807 8380 C4000000 0>add dword ptr [eax+C4], 8
- 0046480E 8BB8 A4000000 mov edi, dword ptr [eax+A4]
- 00464814 C1C7 07 rol edi, 7
- 00464817 89B8 B8000000 mov dword ptr [eax+B8], edi
- 0046481D B8 00000000 mov eax, 0
- 00464822 5F pop edi
- 00464823 C9 leave
- 00464824 C3 retn
- 00464825 32C0 xor al, al
- 00464827 8DBD D3274000 lea edi, dword ptr [ebp+4027D3]
- 0046482D B9 93070000 mov ecx, 793
- 00464832 AA stos byte ptr es:[edi] //ecx=793,直到2就快结束循环
- 00464833 ^ E2 FD loopd short 00464832
- 00464835 8DBD C32F4000 lea edi, dword ptr [ebp+402FC3] //F4
- 0046483B B9 C0020000 mov ecx, 2C0
- 00464840 AA stos byte ptr es:[edi] //直到ecx=2C0,到2就快结束循环
- 00464841 ^ E2 FD loopd short 00464840
- 00464843 61 popad //F4到这里,我们之前的转存显示的可爱的OEP没了。。
- 00464844 50 push eax
- 00464845 33C0 xor eax, eax
- 00464847 64:FF30 push dword ptr fs:[eax]
- 0046484A 64:8920 mov dword ptr fs:[eax], esp
- 0046484D EB 01 jmp short 00464850 //此时这之后的00464850的代码被全部清空了。
- 0046484F 87EB xchg ebx, ebp
- 00464851 04 C6 add al, 0C6
- 00464853 0000 add byte ptr [eax], al
- 00464855 40 inc eax
- 00464856 8038 00 cmp byte ptr [eax], 0
- 00464859 ^ 75 F7 jnz short 00464852
- 0046485B C3 retn
- 0046485C 55 push ebp
- 0046485D 8BEC mov ebp, esp
- 0046485F 57 push edi
- 00464860 8B45 10 mov eax, dword ptr [ebp+10]
- 00464863 8BB8 9C000000 mov edi, dword ptr [eax+9C]
- 00464869 FFB7 B9314000 push dword ptr [edi+4031B9]
- 0046486F 8F80 B8000000 pop dword ptr [eax+B8]
- 00464875 89B8 B4000000 mov dword ptr [eax+B4], edi
- 0046487B C780 B0000000 0>mov dword ptr [eax+B0], 4
- 00464885 B8 00000000 mov eax, 0
- 0046488A 5F pop edi
- ------------------------------------------------------------
- 00464850 0000 add byte ptr [eax], al //但是空代码可以继续F8,1次就可以来到我们的OEP了。
- 00464852 0000 add byte ptr [eax], al
- -------------------------F8后来到这里.
- 7C92E480 8B1C24 mov ebx, dword ptr [esp]
- 7C92E483 51 push ecx
- 7C92E484 53 push ebx
- 7C92E485 E8 F1C00100 call 7C94A57B
- 7C92E48A 0AC0 or al, al
- 7C92E48C 74 0C je short 7C92E49A
- 7C92E48E 5B pop ebx
- 7C92E48F 59 pop ecx
- 7C92E490 6A 00 push 0
- 7C92E492 51 push ecx
- 7C92E493 E8 C6EBFFFF call ZwContinue
- 7C92E498 EB 0B jmp short 7C92E4A5 //继续几次F8来到OEP
- ------------------------
- 00450DA9 8BEC mov ebp, esp //ctrl+g,00450DA8,新建eip,dump.
- 00450DAB 83C4 F0 add esp, -10 //一路走来与第一次没什么差别,只是这次写的是补充第一次不详细之处.
- 00450DAE B8 C80B4500 mov eax, 00450BC8
- 00450DB3 E8 104EFBFF call 00405BC8
- 00450DB8 A1 24204500 mov eax, dword ptr [452024]
- 00450DBD 8B00 mov eax, dword ptr [eax]
- 00450DBF E8 98E1FFFF call 0044EF5C
- 00450DC4 8B0D 04214500 mov ecx, dword ptr [452104] ; no.00453BD0
- 00450DCA A1 24204500 mov eax, dword ptr [452024]
- 00450DCF 8B00 mov eax, dword ptr [eax]
- 00450DD1 8B15 FC044500 mov edx, dword ptr [4504FC] ; no.00450548
- 00450DD7 E8 98E1FFFF call 0044EF74
- 00450DDC A1 24204500 mov eax, dword ptr [452024]
- 00450DE1 8B00 mov eax, dword ptr [eax]
- 00450DE3 E8 0CE2FFFF call 0044EFF4
- 00450DE8 E8 332FFBFF call 00403D20
- 00450DED 8D40 00 lea eax, dword ptr [eax]
- 00450DF0 0000 add byte ptr [eax], al
- Import REConstructor,OEP填00050DA8,获取输入表,我们发现很多无效,这就是API重定义保护(iat加密)的效果了,我们可以简单地用等级一修复抓取即完工.
- 现在我们是学习手工做,那我们来看看IAT,第一个无效的是000541B8.重新载入程序,dd 004541B8(这里我们要加上基址),下硬件写入或内存写入断点.
- 第一次断下,我们在堆栈窗口可以看到应该是写入输入表的信息放进内存里,连续5次左右
- 0012FF7C 004644B2 返回到 no.004644B2 来自 no.004644B4
- 0012FF80 00400100 ASCII "PE"
- 0012FF84 00400270 ASCII ".idata"
- 0012FF88 0006188D
- 0012FF8C 0012FFA0
- 0012FF90 00000001
- 0012FF94 00000003
- 0012FF98 0012FF4C
- 0012FF9C 00400000 ASCII "MZP"
- -----------------------------
- 004541B8 77D3119B user32.GetKeyboardType 转存窗口出现了写入的API,寄存器也显示了。
- 004541BC 00054996
- 004541C0 000549A4
- 004541C4 000549B2
- 004541C8 00000000
- 004541CC 000549CC
- -------------------------------
- 00464677 /EB 19 jmp short 00464692 //删除断点,我们手工来看看是哪里出现问题,F7
- 00464679 |52 push edx
- 0046467A |51 push ecx
- 0046467B |8B01 mov eax, dword ptr [ecx]
- 0046467D |2D 00000080 sub eax, 80000000
- 00464682 |50 push eax
- 00464683 |53 push ebx
- 00464684 |FF95 C1314000 call dword ptr [ebp+4031C1]
- 0046468A |85C0 test eax, eax
- 0046468C |74 74 je short 00464702
- 0046468E |59 pop ecx
- 0046468F |5A pop edx
- 00464690 |8902 mov dword ptr [edx], eax
- 00464692 \F785 39304000 2>test dword ptr [ebp+403039], 20 //ss:[004648C6]=00000021
- 0046469C 74 45 je short 004646E3 //没跳
- 0046469E 83BD 45304000 0>cmp dword ptr [ebp+403045], 0 ss:[004648D2]=00000001
- 004646A5 74 14 je short 004646BB //没跳
- 004646A7 81FB 00000070 cmp ebx, 70000000 //ebx=77D10000
- 004646AD 72 08 jb short 004646B7 //没跳
- 004646AF 81FB FFFFFF77 cmp ebx, 77FFFFFF //ebx=77D10000 (user32.77D10000)
- 004646B5 76 0E jbe short 004646C5 //跳了
- 004646B7 EB 2A jmp short 004646E3
- 004646B9 EB 0A jmp short 004646C5
- 004646BB 81FB 00000080 cmp ebx, 80000000
- 004646C1 73 02 jnb short 004646C5
- 004646C3 EB 1E jmp short 004646E3
- 004646C5 57 push edi //edi压入
- 004646C6 56 push esi //esi压入
- 004646C7 8DBD 9F324000 lea edi, dword ptr [ebp+40329F] //函数放入edi
- 004646CD 8B77 04 mov esi, dword ptr [edi+4] //
- 004646D0 8932 mov dword ptr [edx], esi
- 004646D2 2BC6 sub eax, esi //到了这里,转存中的api就没了,程序就是在这里出了问题的。
- 004646D4 83E8 05 sub eax, 5 //搞得我们获取不到完整的IAT表。
- 004646D7 C606 E9 mov byte ptr [esi], 0E9
- 004646DA 8946 01 mov dword ptr [esi+1], eax
- 004646DD 8347 04 05 add dword ptr [edi+4], 5
- 004646E1 5E pop esi
- 004646E2 5F pop edi
- 004646E3 83C1 04 add ecx, 4
- 004646E6 83C2 04 add edx, 4
- 004646E9 8339 00 cmp dword ptr [ecx], 0
- 004646EC ^ 0F85 34FFFFFF jnz 00464626
- 004646F2 83C6 0C add esi, 0C
- 004646F5 837E 04 00 cmp dword ptr [esi+4], 0
- 004646F9 ^ 0F85 B4FEFFFF jnz 004645B3
- 004646FF 33C0 xor eax, eax
- 00464701 40 inc eax
- 00464702 83F8 01 cmp eax, 1
- 00464705 74 02 je short 00464709
- 00464707 61 popad
- 00464708 C3 retn
- 00464709 F785 39304000 0>test dword ptr [ebp+403039], 2 //
- 00464713 74 18 je short 0046472D
- ----------------------------------------------------
- 经过了上面的单步处理,我们就开始尝试如何让它不对IAT做加密处理,
- 0046469C 74 45 je short 004646E3 //这里修改为jmp就可以了.
- ----------------------------------------------------
- 00464755 8DBD E32E4000 lea edi, dword ptr [ebp+402EE3]
- 0046475B 8BF7 mov esi, edi
- 0046475D B9 E0000000 mov ecx, 0E0
- 00464762 33DB xor ebx, ebx
- 00464764 AC lods byte ptr [esi]
- 00464765 34 61 xor al, 61
- 00464767 2AC3 sub al, bl
- 00464769 C0C0 02 rol al, 2
- 0046476C AA stos byte ptr es:[edi]
- 0046476D 43 inc ebx
- 0046476E ^ E2 F4 loopd short 00464764 //再次来到反调试的地方
- 00464770 8D85 71324000 lea eax, dword ptr [ebp+403271] //这里变成红色的,与我们最开始反调试保护选项不一样,是解码?不知,f4
- 00464776 50 push eax
- 00464777 FFB5 D2314000 push dword ptr [ebp+4031D2]
- 0046477D FF95 C1314000 call dword ptr [ebp+4031C1]
- 00464783 0BC0 or eax, eax
- 00464785 74 08 je short 0046478F
- 00464787 FFD0 call eax
- 00464789 0BC0 or eax, eax
- 0046478B 74 02 je short 0046478F //必须跳,它有时候跳,有时候不跳.
- 0046478D 61 popad
- 0046478E C3 retn
- 0046478F F785 39304000 0>test dword ptr [ebp+403039], 1 //这里应该才是反调试的关键,ss:[004648C6]=00000021,仅仅反调试保护的值不一样.
- 00464799 74 4F je short 004647EA //不管,这里必须跳.之后就是F8,F4了,跟前面一样,不重复了,
- 到达OEP,IAT全部有效。OK。