穿山甲标准双进程的简单脱法【目 标】:Word Cleaner v2.0
【工 具】:Olydbg1.1(diy版)、LORDPE、ImportREC1.6F
【任 务】:当然是脱壳了
【操作平台】:WINXP pro sp1
【作 者】:loveboom[DFCG][FCG]
【相关链接】: www.wordcleaner.com
【简要说明】:这是我第一次脱ARM的壳,如有什么不足之处,还请各位老大指教一二。今天刚好有点时间,去EXEtools那里转了一下,发现牛人Lownoise写一篇关于ARM的文章,于是下了看看,看完后感觉太复杂了,所以自己根据以前牛人们写的文章,我也就学了这么一招。【详细过程】:设置:忽略全部异常,并加上C000001E这个异常。开工的说:载入后停在这里004F0000 > 60 PUSHAD ;EP004F0001 E8 00000000 CALL wordclea.004F0006004F0006 5D POP EBP004F0007 50 PUSH EAX现在下断bp OpenMutexA,并运行程序,这样会停在OpenMutexA的入口处77E62391 > 55 PUSH EBP77E62392 8BEC MOV EBP,ESP77E62394 51 PUSH ECX停下后取消断点,CODEBASE段找个地方写上几句(默认imgbase为400000),我选择的是401000,于是乎写了这么几句:00401000 60 PUSHAD00401001 9C PUSHFD00401002 68 C8FB1200 PUSH 12FBC8 ; ASCII "5D4::DAA2FD56DE" 00401007 33C0 XOR EAX,EAX00401009 50 PUSH EAX0040100A 50 PUSH EAX0040100B E8 B5A6A577 CALL kernel32.CreateMutexA00401010 9D POPFD00401011 61 POPAD00401012 - E9 7A13A677 JMP kernel32.OpenMutexA00401017 90 NOP注意00401002那行那个值是哪里的呢,看看堆栈吧。对,就是堆栈里的那个值。0012F588 004D4FC2 /CALL to OpenMutexA from wordclea.004D4FBC0012F58C 001F0001 |Access = 1F00010012F590 00000000 |Inheritable = FALSE0012F594 0012FBC8 \MutexName = "5D4::DAA2FD56DE"写完后按Ctrl+*重新定位开始处为401000,定位后,先别急着运行,我们先下HE GetModuleHandleA,下断完毕后,按F9飞几次,飞的过程注意一下堆栈的变化。0012DAC8 004D76D8 /CALL to GetModuleHandleA from wordclea.004D76D20012DACC 00000000 \pModule = NULL……0012BEB8 00E56714 /CALL to GetModuleHandleA from 00E5670E ;第十五次F9后停在这里(指堆栈)0012BEBC 0012BFF4 \pModule = "advapi32.dll"最后一次在这里:0012C144 00E6E3B0 /CALL to GetModuleHandleA from 00E6E3AA0012C148 00000000 \pModule = NULL到这里之后,先HD GetModuleHandleA去除硬件断点,去除后,ALT+F9执行到返回。00E6E3B0 3985 BCE9FFFF CMP DWORD PTR SS:[EBP-1644],EAX ; wordclea.0040000000E6E3B6 75 0F JNZ SHORT 00E6E3C700E6E3B8 C785 B8E9FFFF 0>MOV DWORD PTR SS:[EBP-1648],0E8020000E6E3C2 E9 C4000000 JMP 00E6E48B00E6E3C7 83A5 90E7FFFF 0>AND DWORD PTR SS:[EBP-1870],000E6E3CE C785 8CE7FFFF 0>MOV DWORD PTR SS:[EBP-1874],0E8080000E6E3D8 EB 1C JMP SHORT 00E6E3F600E6E3DA 8B85 8CE7FFFF MOV EAX,DWORD PTR SS:[EBP-1874]00E6E3E0 83C0 0C ADD EAX,0C00E6E3E3 8985 8CE7FFFF MOV DWORD PTR SS:[EBP-1874],EAX00E6E3E9 8B85 90E7FFFF MOV EAX,DWORD PTR SS:[EBP-1870]00E6E3EF 40 INC EAX00E6E3F0 8985 90E7FFFF MOV DWORD PTR SS:[EBP-1870],EAX00E6E3F6 8B85 8CE7FFFF MOV EAX,DWORD PTR SS:[EBP-1874]00E6E3FC 8338 00 CMP DWORD PTR DS:[EAX],0 ;****00E6E3FF 0F84 86000000 JE 00E6E48B00E6E405 8B85 8CE7FFFF MOV EAX,DWORD PTR SS:[EBP-1874]00E6E40B 8B40 08 MOV EAX,DWORD PTR DS:[EAX+8]返回后,按F4直接执行到*的这一行,到达目的地后,修改[eax]的值为0,这样就可以跳过IAT的加密。修改完后,在CODE段F2下断,之后当然是运行了,运行的结果就是直接到OEP,不错吧。Memory map, item 23 Address=00401000 Size=000C9000 (823296.) Owner=wordclea 00400000 Section=.text Type=Imag 01001002 Access=R Initial access=RWE到达目的地:00403608 68 F4414100 PUSH wordclea.004141F40040360D E8 EEFFFFFF CALL wordclea.00403600 ; JMP to MSVBVM60.ThunRTMain赶快DUMP FULL吧,dump完后,用IMP来CUT一些无效的东东。如果是WIN2K好像不用FIX DUMP 也可以运行哦。好了脱壳完毕!闪人。
Warning:在调试的时候记住去掉讨厌的家伙(去掉病毒防火墙瑞星),要不死的难看!L Greetz: Fly.Jingulong,yock,tDasm.David.ahao.UFO(brother).alan(sister).all of my friends and you! By loveboom[DFCG][FCG]Email:
[email protected]
本文地址:http://com.8s8s.com/it/it22383.htm