OllyICE三步简单脱SoftwareCompress 1.4加壳程序

Nisy · 发表于 2007-4-6 09:29:28

OllyICE三步简单脱SoftwareCompress 1.4加壳程序

【文章标题】: OllyICE三步简单脱SoftwareCompress 1.4加壳程序
【文章作者】: KuNgBiM
【作者邮箱】: kungbim@163.com
【作者主页】: http://www.crkcn.com
【软件名称】: 加壳后的notepad
【软件大小】: 43.7KB
【下载地址】: 自己搜索下载
【加壳方式】: SoftwareCompress 1.4
【编写语言】: Microsoft Visual C++ 7.0 Method2
【使用工具】: OllyICE
【操作平台】: 盗版非标准XPsp2
【软件介绍】: SoftwareCompress 1.4加壳试炼程序
【作者声明】: 只是感兴趣，没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
  一、OD载入目标程序，隐藏OD后，忽略所有异常

  0101205C >  E8 00000000    call 01012061                      ; OD载入来到这里（壳EP入口）
  01012061 812C24 AA1A4100 sub    dword ptr [esp], 411AAA
  01012068 5D             pop    ebp
  01012069 E8 00000000    call 0101206E
  0101206E 832C24 6E       sub    dword ptr [esp], 6E
  01012072 8B85 5D1A4100    mov    eax, dword ptr [ebp+411A5D]
  01012078 290424          sub    dword ptr [esp], eax
  0101207B 8B0424          mov    eax, dword ptr [esp]
  0101207E 8985 5D1A4100    mov    dword ptr [ebp+411A5D], eax
  01012084 58             pop    eax
  01012085 8B85 5D1A4100    mov    eax, dword ptr [ebp+411A5D]
  0101208B 8B50 3C          mov    edx, dword ptr [eax+3C]
  0101208E 03D0             add    edx, eax
  01012090 8B92 80000000    mov    edx, dword ptr [edx+80]
  01012096 03D0             add    edx, eax
  01012098 8B4A 58          mov    ecx, dword ptr [edx+58]
  0101209B 898D 491A4100    mov    dword ptr [ebp+411A49], ecx
  010120A1 8B4A 5C          mov    ecx, dword ptr [edx+5C]

  Alt+M 打开内存镜像：

  在第一区段(代码段)上F2设置断点F9运行！中断后取消断点。

  -------------------------------
  Memory map, 条目 30
地址=01001000
大小=00008000 (32768.)
属主=vc    01000000
区段=
包含=代码
类型=Imag 01001002
访问=R
初始访问=RWE
  -------------------------------

  000A5077 A4             movs byte ptr es:[edi], byte ptr [esi] ; 中断在这里，中断后取消断点。
  000A5078 B3 02          mov    bl, 2
  000A507A E8 6D000000    call 000A50EC
  000A507F  ^ 73 F6          jnb    short 000A5077
  000A5081 33C9             xor    ecx, ecx
  000A5083 E8 64000000    call 000A50EC
  000A5088 73 1C          jnb    short 000A50A6
  000A508A 33C0             xor    eax, eax
  000A508C E8 5B000000    call 000A50EC
  000A5091 73 23          jnb    short 000A50B6
  000A5093 B3 02          mov    bl, 2
  000A5095 41             inc    ecx

  二、搜索特定代码，找OEP

  Ctrl+S 搜索代码：
  ------------------------------------
  mov    eax, dword ptr [esp+10]
  add    eax, 14
  ------------------------------------

  000A521B 36:8B4424 10    mov    eax, dword ptr [esp+10]          ; 搜索来到这里
  000A5220 83C0 14          add    eax, 14
  000A5223 36:894424 10    mov    dword ptr [esp+10], eax
  000A5228  ^ 0F85 77FFFFFF    jnz    000A51A5
  000A522E 8BBD B01C4100    mov    edi, dword ptr [ebp+411CB0]
  000A5234 03F9             add    edi, ecx                         ; 这里F2下断，F9到这里，EDI=0000739D（OEP值）
                                                                        ; 中断后取消断点，F8单步跟踪
  000A5236 8D8D 181C4100    lea    ecx, dword ptr [ebp+411C18]
  000A523C 51             push ecx
  000A523D 57             push edi
  000A523E  - FFA5 981C4100    jmp    dword ptr [ebp+411C98]             ; 进入后依旧F8单步

  进入来到：

  7C80FC2F >  6A 18          push 18                               ; F8进入这里，继续F8
  7C80FC31 68 D8FC807C    push 7C80FCD8
  7C80FC36 E8 8B28FFFF    call 7C8024C6
  7C80FC3B 8365 FC 00       and    dword ptr [ebp-4], 0
  7C80FC3F A1 E836887C    mov    eax, dword ptr [7C8836E8]
  7C80FC44 8B5D 08          mov    ebx, dword ptr [ebp+8]
  7C80FC47 85C0             test eax, eax
  7C80FC49 0F85 91070300    jnz    7C8403E0
  7C80FC4F F6C3 04          test bl, 4
  7C80FC52 0F84 98000000    je    7C80FCF0
  7C80FC58 834D FC FF       or    dword ptr [ebp-4], FFFFFFFF
  7C80FC5C FF35 A433887C    push dword ptr [7C8833A4]
  7C80FC62 FF15 9C12807C    call dword ptr [<&ntdll.RtlLockHeap>] ; ntdll.RtlLockHeap
  7C80FC68 C745 FC 01000000  mov    dword ptr [ebp-4], 1
  7C80FC6F 8D73 FC          lea    esi, dword ptr [ebx-4]
  7C80FC72 8975 D8          mov    dword ptr [ebp-28], esi
  7C80FC75 56             push esi
  7C80FC76 BF E030887C    mov    edi, 7C8830E0
  7C80FC7B 57             push edi
  7C80FC7C FF15 AC12807C    call dword ptr [<&ntdll.RtlIsValidHandle>; ntdll.RtlIsValidHandle
  7C80FC82 84C0             test al, al
  7C80FC84 0F84 6C070300    je    7C8403F6
  7C80FC8A 8B5E 04          mov    ebx, dword ptr [esi+4]
  7C80FC8D 895D E4          mov    dword ptr [ebp-1C], ebx
  7C80FC90 56             push esi
  7C80FC91 57             push edi
  7C80FC92 FF15 9412807C    call dword ptr [<&ntdll.RtlFreeHandle>]  ; ntdll.RtlFreeHandle
  7C80FC98 85DB             test ebx, ebx
  7C80FC9A 0F84 67070300    je    7C840407
  7C80FCA0 53             push ebx
  7C80FCA1 6A 01          push 1
  7C80FCA3 FF35 A433887C    push dword ptr [7C8833A4]
  7C80FCA9 FF15 1010807C    call dword ptr [<&ntdll.RtlFreeHeap>] ; ntdll.RtlFreeHeap
  7C80FCAF 84C0             test al, al
  7C80FCB1 74 6C          je    short 7C80FD1F
  7C80FCB3 8365 08 00       and    dword ptr [ebp+8], 0
  7C80FCB7 834D FC FF       or    dword ptr [ebp-4], FFFFFFFF
  7C80FCBB FF35 A433887C    push dword ptr [7C8833A4]
  7C80FCC1 FF15 8C12807C    call dword ptr [<&ntdll.RtlUnlockHeap>]  ; ntdll.RtlUnlockHeap
  7C80FCC7 8B45 08          mov    eax, dword ptr [ebp+8]
  7C80FCCA E8 3228FFFF    call 7C802501
  7C80FCCF C2 0400          retn 4                                  ; F8一直到这里，返回到OEP！

  飞向光明之巅：

  0100739D 6A 70          push 70                               ; OEP
  0100739F 68 98180001    push 01001898
  010073A4 E8 BF010000    call 01007568
  010073A9 33DB             xor    ebx, ebx
  010073AB 53             push ebx
  010073AC 8B3D CC100001    mov    edi, dword ptr [10010CC]          ; kernel32.GetModuleHandleA
  010073B2 FFD7             call edi
  010073B4 66:8138 4D5A    cmp    word ptr [eax], 5A4D
  010073B9 75 1F          jnz    short 010073DA
  010073BB 8B48 3C          mov    ecx, dword ptr [eax+3C]
  010073BE 03C8             add    ecx, eax
  010073C0 8139 50450000    cmp    dword ptr [ecx], 4550
  010073C6 75 12          jnz    short 010073DA
  010073C8 0FB741 18       movzx eax, word ptr [ecx+18]
  010073CC 3D 0B010000    cmp    eax, 10B
  010073D1 74 1F          je    short 010073F2
  010073D3 3D 0B020000    cmp    eax, 20B
  010073D8 74 05          je    short 010073DF
  010073DA 895D E4          mov    dword ptr [ebp-1C], ebx
  010073DD EB 27          jmp    short 01007406
  010073DF 83B9 84000000 0E  cmp    dword ptr [ecx+84], 0E
  010073E6  ^ 76 F2          jbe    short 010073DA
  010073E8 33C0             xor    eax, eax

  三、脱壳修复

  到达OEP后，使用OD自带的脱壳插件就可完成全部的脱壳修复工作。


--------------------------------------------------------------------------------
【版权声明】: 本文原创于看雪技术论坛, UnPacKcN , 转载请注明作者并保持文章的完整, 谢谢!
                                                   2007年04月05日 AM 03:49:24

BTW:该文章也适用于主程序

主程序OEP：

00436EE3 E8 568D0000    call 0043FC3E                      ; OEP
00436EE8  ^ E9 16FEFFFF    jmp    00436D03
00436EED 55             push ebp
00436EEE 8BEC          mov    ebp, esp
00436EF0 83EC 20       sub    esp, 20
00436EF3 8B45 08       mov    eax, dword ptr [ebp+8]
00436EF6 56             push esi
00436EF7 57             push edi
00436EF8 6A 08          push 8
00436EFA 59             pop    ecx
00436EFB BE 44A04000    mov    esi, 0040A044
00436F00 8D7D E0       lea    edi, dword ptr [ebp-20]
00436F03 F3:A5          rep    movs dword ptr es:[edi], dword p>
00436F05 8945 F8       mov    dword ptr [ebp-8], eax
00436F08 8B45 0C       mov    eax, dword ptr [ebp+C]
00436F0B 85C0          test eax, eax

Nisy · 发表于 2007-4-6 09:31:52

other way:

start in OllyDbg, make a BP on first instruction of "LoadLibraryA" in "kernel32.dll"
(press CTRL+G and type in "LoadLibraryA", then press F2 )
run application (F9)
when OllyDbg stops on the BP:

right-click on "EDI" (CPU registers window) -> "Follow in dump"
now you will see some zero filled memory:

00093940  00 00 00 00 00 00 00 00  ........
00093948  00 00 00 00 00 00 00 00  ........
00093950  00 00 00 00 00 00 00 00  ........
00093958  00 00 00 00 00 00 00 00  ........
00093960  00 00 00 00 00 00 00 00  ........
00093968  00 00 00 00 00 00 00 00  ........
00093970  00 00 00 00 00 00 00 00  ........
00093978  00 00 00 00 00 00 00 00  ........
00093980  00 00 00 00 00 00 00 00  ........
00093988  00 00 00 00 00 00 00 00  ........
00093990  00 00 00 00 00 00 00 00  ........
00093998  00 00 00 00 00 00 00 00  ........
000939A0  00 00 00 00 32 B3 E5 77  ....2³åw
000939A8  9E 56 E5 77 61 D9 E5 77  žVåwaÙåw
000939B0  D9 57 E5 77 76 64 D3 77  ÙWåwvdÓw
000939B8  00 00 00 01 04 76 00 00  ...v..
000939C0  00 00 00 00 00 00 00 00  ........
000939C8  9D 73 00 00 00 00 00 00  ?s......
000939D0  38 59 09 00 E9 A9 00 00  8Y..é©..
000939D8  00 60 8B 74 24 24 8B 7C  .`‹t$‹|

find the address of the first non-zero byte:
in my case: 000939A4
(I called it "content_address" )

content_address+0x24= OEP (as RVA)
(in my case: 0x939a4+0x24 = 0x0939C8) -> OEP = 0x0739D

content_address+0x18= Import Table address (as RVA)
(in my case: 0x939a4+0x18=0x939BC)-> Import Table address = 7604

now: dump the application and correct with LordPE the OEP and Import Table.
-> unpacked
it works with all packed applications

这一部的计算是如何获得的呢? 以下是我用 softcomp1.4demo得到的数据,如何计算OEP和RVA呢?

Nisy, in  my sample calculation I used KuNgBiM's packed Note-pad.
If you  mean,how  to unpack SoftComp 1.4 Demo:
(this is your posted  memory  dump)

00154730  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
00154740  00 00 00 00  00 00 00 00  00 00 00 00  EC 5F 91 7C
00154750  2D FD 80 7C  9C 5F 91 7C  2F FC 80 7C  8A 05 D5 77
00154760  00 00 40 00  FC 27 05 00  00 00 00 00  00 00 00 00
00154770  E3 6E 03 00  00 00 00 00  E0 66 15 00  E9 A9 00 00
00154780  0060 8B 74  24 24 8B 7C  24 28 FC B2  80 33 DB A4

find the first  non-zero byte address: 15474C,
launch  the  windows-calculator,type the address in and add 24 (in  hexadecimals) =15744c+24=154770, value in address154770: 036EE3 this is the OEP

15474c+0x18 =154764 , value in 154764= 0527FC, this is the Importadress.

If you dump and fix this 2 values, your dump shoud be ok.

的OEP和RVA是如何计算出来的呢迷惑中~~

if you mean why this calculation works: I dont know .
I  packed a  dozen different application (MS C++ 6/7,VB,Boraland C++,MASM)and  searched for some common points and some "general way of  unpacking".
Most  of the easy-level packers work in this way:
1.unpack code
2.get Imports and fill the Import Address Table
3. go to the OEP

"LoadLibraryA"is  called by the part 2. ( IAT filling), so we can  assume that  the  application code is unpacked.  If you pack  some  applications with a  packer, you know their OEPs and  other stuff.
And  most of such packers  save all  informations (OEP,importstuff) in one  data-block.
Duiring reversing  the  packer, you can stop OllyDbg on some  calls(LoadLibraryA,GetProcessAddress) and search for this information/values  in  memory.
Then you  can search for a way, how to  read this information in a  general way

不清楚大家看懂了没有~ 简单的介绍一下:

00154730  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
00154740  00 00 00 00  00 00 00 00  00 00 00 00  EC 5F 91 7C
00154750  2D FD 80 7C  9C 5F 91 7C  2F FC 80 7C  8A 05 D5 77
00154760  00 00 40 00  FC 27 05 00  00 00 00 00  00 00 00 00
00154770  E3 6E 03 00  00 00 00 00  E0 66 15 00  E9 A9 00 00
00154780  0060 8B 74  24 24 8B 7C  24 28 FC B2  80 33 DB A4

there 这里就是00154770 我们计算得到的地址,OEP 也就是 00036EE3
RVA的计算方法相同这里就不再重述

这几句话希望大家记住:

Most  of the easy-level packers work in this way:
1.unpack code
2.get Imports and fill the Import Address Table
3. go to the OEP

wang8858275 · 发表于 2007-4-6 12:57:54

怎么另一方法是英文的啊。。。。看不懂。。55

Nisy · 发表于 2007-4-6 16:00:59

CDW是德国的一位朋友当然是英文了很简单的英文啊哪不懂?

zsl01 · 发表于 2008-9-27 17:26:52

学习,努力学习./:002

		自动登录	找回密码
密码			加入我们

[转贴] OllyICE三步简单脱SoftwareCompress 1.4加壳程序

本帖子中包含更多资源

相关帖子

another way~ BY:CDW