Haven't written anything in a while, so let's unpack a super-easy packer: PEtite 2.x [Level 1/9] -> Ian Luck    [ 2007-11-13 0:16:46 AM | Author: kyo327 | From: Original ]

It does count as an encrypting packer.
But once you reach the OEP, a straight dump from OD runs fine without any IAT fix.
I'll use the attached file as the example.
After loading it in OD, uncheck all the exception-ignore options (so OD stops on every exception) and run with Shift+F9; you find two exception points.
One is 0040404B . 68 93204000 PUSH Hello2.00402093 ; SE handler installation

Follow the pushed address (00402093) and press F4 to run to it; there you find a CALL, so F7 into it:

004020E7 . 33C0 XOR EAX,EAX
004020E9 . 5E POP ESI
004020EA ? 64:8B18 MOV EBX,DWORD PTR FS:[EAX]
004020ED . 8B1B MOV EBX,DWORD PTR DS:[EBX]
004020EF . 8D63 D6 LEA ESP,DWORD PTR DS:[EBX-2A]
004020F2 ? 5D POP EBP
004020F3 . 8D8E CB020000 LEA ECX,DWORD PTR DS:[ESI+2CB]
004020F9 . 894B 04 MOV DWORD PTR DS:[EBX+4],ECX
004020FC ? 64:891D 00000000 MOV DWORD PTR FS:[0],EBX
00402103 . 8B3C24 MOV EDI,DWORD PTR SS:[ESP]
00402106 ? FF77 08 PUSH DWORD PTR DS:[EDI+8]
00402109 . FF95 A0070000 CALL DWORD PTR SS:[EBP+7A0]
0040210F . 81C7 3D000000 ADD EDI,3D
00402115 . 6A 0E PUSH 0E
00402117 . 59 POP ECX
00402118 ? F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
0040211A ? FF33 PUSH DWORD PTR DS:[EBX]
0040211C ? 56 PUSH ESI
0040211D . 57 PUSH EDI
0040211E ? 8DB7 55010000 LEA ESI,DWORD PTR DS:[EDI+155]
00402124 ? 8BCE MOV ECX,ESI
00402126 ? 2BCF SUB ECX,EDI
00402128 ? F3:AA REP STOS BYTE PTR ES:[EDI]
0040212A ? 60 PUSHAD
0040212B . FFE0 JMP EAX
Running on reaches 0040212B, where there is another exception: EAX was zeroed at 004020E7, so JMP EAX jumps to address 0 and of course faults.
dd fs:[0]
(in OD's command line) dumps the SEH registration record; its handler field shows that the exception-handler callback is at 00402363, the value written as ESI+2CB at 004020F9/004020FC.
So set a breakpoint at 00402363 and Shift+F9 to pass the exception on; you land here. Note that this handler never returns to the exception dispatcher: it reloads ESP from the registration record (LEA ESP,[EBX-52]) and POPADs the registers saved by the PUSHAD at 0040212A, so the faulting JMP EAX is just an obfuscated jump through SEH. That is why you either let OD stop on the exception or break on the handler itself:

00402363 . 33C0 XOR EAX,EAX
00402365 . 64:8B18 MOV EBX,DWORD PTR FS:[EAX]
00402368 ? 8B1B MOV EBX,DWORD PTR DS:[EBX]
0040236A ? 8D63 AE LEA ESP,DWORD PTR DS:[EBX-52]
0040236D . 61 POPAD
0040236E ? 833E 00 CMP DWORD PTR DS:[ESI],0
00402371 .^ 0F84 B6FDFFFF JE Hello2.0040212D
00402377 . 8B7E 08 MOV EDI,DWORD PTR DS:[ESI+8]
0040237A ? 03FD ADD EDI,EBP
0040237C ? 8B4E 0C MOV ECX,DWORD PTR DS:[ESI+C]
0040237F . D1F9 SAR ECX,1
00402381 . 51 PUSH ECX
00402382 ? 72 15 JB SHORT Hello2.00402399
00402384 ? 037E 04 ADD EDI,DWORD PTR DS:[ESI+4]
00402387 . C1F9 02 SAR ECX,2
0040238A ? 33C0 XOR EAX,EAX
0040238C ? F3:AB REP STOS DWORD PTR ES:[EDI]
0040238E ? 59 POP ECX
0040238F . 83E1 03 AND ECX,3
00402392 ? F3:AA REP STOS BYTE PTR ES:[EDI]
00402394 ? 83C6 14 ADD ESI,14
00402397 .^ EB D5 JMP SHORT Hello2.0040236E
00402399 . 8B5E 04 MOV EBX,DWORD PTR DS:[ESI+4]
0040239C ? 83EB 06 SUB EBX,6
0040239F . 33D2 XOR EDX,EDX
004023A1 . 3BD3 CMP EDX,EBX
004023A3 .^ 7D DF JGE SHORT Hello2.00402384
004023A5 . 8A043A MOV AL,BYTE PTR DS:[EDX+EDI]
004023A8 ? 42 INC EDX
004023A9 . 3C E8 CMP AL,0E8
004023AB . 74 12 JE SHORT Hello2.004023BF
004023AD . 3C E9 CMP AL,0E9
004023AF . 74 0E JE SHORT Hello2.004023BF
004023B1 . 3C 0F CMP AL,0F
004023B3 .^ 75 EC JNZ SHORT Hello2.004023A1
004023B5 . 8A043A MOV AL,BYTE PTR DS:[EDX+EDI]
004023B8 ? 24 F0 AND AL,0F0
004023BA ? 3C 80 CMP AL,80
004023BC ?^ 75 E3 JNZ SHORT Hello2.004023A1
004023BE ? 42 INC EDX
004023BF . 8B043A MOV EAX,DWORD PTR DS:[EDX+EDI]
004023C2 ? 3C 00 CMP AL,0
004023C4 ?^ 75 DB JNZ SHORT Hello2.004023A1
004023C6 ? 66:C1E8 08 SHR AX,8
004023CA ? C1C0 10 ROL EAX,10
004023CD . 86C4 XCHG AH,AL
004023CF . 83C2 04 ADD EDX,4
004023D2 ? 2BC2 SUB EAX,EDX
004023D4 ? 89443A FC MOV DWORD PTR DS:[EDX+EDI-4],EAX
004023D8 ?^ EB C7 JMP SHORT Hello2.004023A1
004023DA ? 59 POP ECX
004023DB . 5E POP ESI
004023DC ? FD STD
004023DD . 33C0 XOR EAX,EAX
004023DF . B9 57030000 MOV ECX,357
004023E4 ? E8 FC78CFDF CALL E00F9CE5

The loop from 0040236E to 00402397 walks a table of 0x14-byte entries at ESI (it stops at an entry whose first dword is zero). For each entry it takes EDI = [ESI+8] plus the base held in EBP; if bit 0 of [ESI+C] is set (the JB after SAR ECX,1) it first runs the fix-up at 00402399 over the first [ESI+4]-6 bytes, rewriting every E8/E9 (CALL/JMP rel32) and 0F 8x (Jcc rel32) operand whose first byte is 00 from a big-endian absolute offset back into a little-endian rel32 (the "E8/E9 filter" packers apply before compression so that repeated call targets compress better); then it zero-fills [ESI+C]>>1 bytes starting at EDI+[ESI+4] with REP STOS. Then at 004023E4 there is a CALL. The target shown, E00F9CE5, is stale: these bytes are rewritten before they execute and the listing was captured before that. The CALL really lands at 0040403D, as the return address 004023E9 popped into EDI there confirms. Press F4 on 004023E4 to run to it, then F7 into it:
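The fix-up loop at 00402399..004023D8, rendered in Python as an added example (my reading of the listing, not PEtite's or the author's code). unfilter_e8e9 follows the disassembly instruction for instruction; filter_e8e9 is the forward transform the packer side would apply before compressing, assumed here as the exact inverse (the page shows only the unpacking side). Offsets are relative to the start of the buffer, matching EDI = section start in the listing, and the sample bytes are constructed for the demonstration.

```python
# Added example: Python rendering of the PEtite 2.x E8/E9 fix-up loop
# (00402399..004023D8 in the listing). Not PEtite's or the author's code.
# Assumption: offsets are relative to the start of `buf`, i.e. EDI in the
# listing is the start of the section being fixed up.

OPC_CALL, OPC_JMP, OPC_2BYTE = 0xE8, 0xE9, 0x0F


def _operand_offset(b, p):
    """Mirror the opcode test at 004023A9..004023BE: return the offset of the
    rel32 operand if b[p] starts CALL/JMP/Jcc rel32, else None.  b[p+1] is
    readable because the caller stops 6 bytes before the end."""
    op = b[p]
    if op in (OPC_CALL, OPC_JMP):                          # E8 / E9
        return p + 1
    if op == OPC_2BYTE and (b[p + 1] & 0xF0) == 0x80:      # 0F 80..8F
        return p + 2
    return None


def unfilter_e8e9(buf):
    """Undo the packer's transform exactly as the loop does: an operand whose
    first byte is 00 holds a big-endian absolute offset in its other three
    bytes; rewrite it as a little-endian rel32 from the end of the operand."""
    b = bytearray(buf)
    limit = len(b) - 6            # MOV EBX,[ESI+4] / SUB EBX,6
    p = 0                         # EDX
    while p < limit:              # CMP EDX,EBX / JGE done
        q = _operand_offset(b, p)
        if q is None:             # not E8/E9/0F8x: advance one byte (INC EDX)
            p += 1
            continue
        if b[q] != 0:             # CMP AL,0 / JNZ: unmarked, keep scanning at q
            p = q
            continue
        # SHR AX,8 / ROL EAX,10 / XCHG AH,AL: 00 hh mm ll -> 0x00hhmmll
        target = (b[q + 1] << 16) | (b[q + 2] << 8) | b[q + 3]
        p = q + 4                 # ADD EDX,4: offset just past the operand
        rel = (target - p) & 0xFFFFFFFF          # SUB EAX,EDX
        b[q:q + 4] = rel.to_bytes(4, "little")   # MOV [EDX+EDI-4],EAX
    return bytes(b)


def filter_e8e9(buf):
    """Forward transform (assumed inverse of the loop above; the packer side
    is not on the page): replace each rel32 whose absolute target fits in
    24 bits by 00 + big-endian target, so repeated targets compress better."""
    b = bytearray(buf)
    limit = len(b) - 6
    p = 0
    while p < limit:
        q = _operand_offset(b, p)
        if q is None:
            p += 1
            continue
        rel = int.from_bytes(b[q:q + 4], "little")
        target = (rel + q + 4) & 0xFFFFFFFF
        if target >> 24:          # cannot be encoded in three bytes
            if b[q] == 0:         # the unpacker would misread this as marked
                raise ValueError("operand at %#x collides with the 00 marker" % q)
            p = q
            continue
        b[q:q + 4] = bytes((0, target >> 16, (target >> 8) & 0xFF, target & 0xFF))
        p = q + 4
    return bytes(b)


# Constructed sample (not from the page): CALL to offset 0x100, NOP, JMP back
# to offset 0, JE to offset 0x123456, and a CALL whose target does not fit in
# 24 bits and therefore stays untouched.
SAMPLE = bytes.fromhex(
    "E8FB000000" "90" "E9F5FFFFFF" "0F8445341200" "E8F0FFFF7F" "909090909090C3"
)
FILTERED = bytes.fromhex(
    "E800000100" "90" "E900000000" "0F8400123456" "E8F0FFFF7F" "909090909090C3"
)

if __name__ == "__main__":
    assert filter_e8e9(SAMPLE) == FILTERED
    assert unfilter_e8e9(FILTERED) == SAMPLE
    print("E8/E9 filter round-trip OK")
```

Run it on the decompressed bytes of a section (with bit 0 of the size flag set) and you get the same code the loader produces in memory, which is useful when building a static unpacker instead of dumping from OD. The marker-collision check in filter_e8e9 is the catch such filters have to deal with: a genuine rel32 whose first byte happens to be 00 would be misread on the way back.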

0040403D ? 5F POP EDI ; Hello2.004023E9
0040403E . F3:AA REP STOS BYTE PTR ES:[EDI]
00404040 . 61 POPAD
00404041 . 66:9D POPFW
00404043 ? 83C4 08 ADD ESP,8
00404046 > $- E9 B5CFFFFF JMP Hello2.00401000
0040404B .- E9 0F02A577 JMP USER32.MessageBoxA ; SE handler installation

Heh, keep stepping like this to 00404046, where there is a big jump. Notice 0040404B on the way: at the start of the run it read PUSH Hello2.00402093 (the SE handler install) and now reads JMP USER32.MessageBoxA; the loader rewrote its own early-stage bytes, and OD simply kept the old comment. After the JMP you arrive here:


00401000 6A 00 PUSH 0
00401002 68 00304000 PUSH Hello2.00403000 ; ASCII "A MessageBox !"
00401007 68 0F304000 PUSH Hello2.0040300F ; ASCII "Hello, World !"
0040100C 6A 00 PUSH 0
0040100E E8 07000000 CALL Hello2.0040101A
00401013 6A 00 PUSH 0
00401015 E8 06000000 CALL Hello2.00401020
0040101A - FF25 08204000 JMP DWORD PTR DS:[402008] ; Hello2.0040404B
00401020 - FF25 00204000 JMP DWORD PTR DS:[402000] ; Hello2.00404050

No need for me to spell it out: this is the OEP, so dump here directly with OD (e.g. the OllyDump plugin). Test-run the dump; it works fine. One caveat the listing itself shows: the IAT slots at 402000 and 402008 do not hold imported API addresses but 00404050 and 0040404B, JMP thunks inside the image (0040404B is E9 0F02A577, a relative jump with the absolute MessageBoxA address baked in). That is why the dump runs with no IAT fix on this machine, where USER32 loads at the same base every time; if the DLL is loaded elsewhere (ASLR, a different Windows build), those hard-coded jumps break, so a dump that has to survive that should have its imports rebuilt (e.g. with ImportREC, resolving the real API addresses behind the thunks).
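A check worth running on the dump before trusting "no IAT fix needed", as an added example in Python (not from the page or the author). It walks the IAT slots and, for a slot that points back inside the image at an E9 rel32, computes where the thunk really jumps. The image buffer is constructed here from the listing: IAT slots at 402000/402008 holding 00404050/0040404B, and the bytes E9 0F02A577 at 0040404B; the bytes at 00404050 are not on the page and are made up for the sample. The resolved value 77E5425F for MessageBoxA is simply the listing's own arithmetic, and it is that absolute address the dump silently depends on.

```python
# Added example (not from the page): find IAT slots that point at in-image
# JMP thunks and resolve where those thunks really go.

IMAGE_BASE = 0x00400000


def iat_thunk_targets(image, iat_rva, n_slots, image_base=IMAGE_BASE):
    """For each IAT slot return (slot_va, slot_value, kind, final_target).
    kind is 'thunk' when the slot points inside the image at an E9 rel32 JMP
    (the PEtite case), 'internal' for any other in-image value, 'external'
    when the slot already holds an address outside the image, and
    'terminator' for a zero slot."""
    out = []
    for i in range(n_slots):
        off = iat_rva + 4 * i
        value = int.from_bytes(image[off:off + 4], "little")
        slot_va = image_base + off
        if value == 0:
            out.append((slot_va, 0, "terminator", 0))
            continue
        if not (image_base <= value < image_base + len(image)):
            out.append((slot_va, value, "external", value))
            continue
        t = value - image_base
        if t + 5 <= len(image) and image[t] == 0xE9:
            # E9 rel32: target = address after the 5-byte jump + signed rel32
            rel = int.from_bytes(image[t + 1:t + 5], "little", signed=True)
            out.append((slot_va, value, "thunk", (value + 5 + rel) & 0xFFFFFFFF))
        else:
            out.append((slot_va, value, "internal", value))
    return out


def build_sample_image():
    """Constructed dump mirroring the listing: IAT at RVA 2000, thunks at
    RVA 404B (bytes from the listing) and 4050 (bytes made up)."""
    img = bytearray(0x5000)
    img[0x2000:0x2004] = (0x00404050).to_bytes(4, "little")
    img[0x2008:0x200C] = (0x0040404B).to_bytes(4, "little")
    img[0x404B:0x4050] = bytes.fromhex("E90F02A577")    # JMP USER32.MessageBoxA
    img[0x4050:0x4055] = bytes.fromhex("E9ABCD3F7B")    # made-up second thunk
    return bytes(img)


if __name__ == "__main__":
    for slot_va, value, kind, target in iat_thunk_targets(build_sample_image(), 0x2000, 3):
        print("%08X -> %08X %-10s final target %08X" % (slot_va, value, kind, target))
```

Any 'thunk' row means that import is hard-wired to a DLL address from the unpacking session rather than resolved by the loader at start-up; those are the slots an import rebuilder has to repoint at the final targets.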

Alright, that's it.
The test program is attached for everyone to play with.


Quote kyo327 Posted at 2009-04-10 12:38:20 AM
I've found that if your OD plugins are strong enough
and you set OD to ignore all exceptions, unpacking this packer needn't be this much trouble:
just hr esp, then F9, F9, F9 and you're done.

