PESpin 0.7 packer analysis

【Target】: a small program I wrote myself (packed with PESpin v0.7)
【Tools】: OllyDbg 1.1
【Task】: recovering the stolen code hidden by this packer
【Platform】: Windows XP Pro SP1
【Author】: loveboom[DFCG][FCG]
【Related links】: download it from DFCG; I accidentally included two pictures and this site won't let me upload anything that large
【Summary】: I spent a long time chatting with Erge today, and he has written so much that I felt embarrassed not to, so I put this piece together
【Detailed process】:

I originally wanted to write a complete unpacking tutorial, but my skills are too limited, so this is all I managed. The stolen code of this packer is actually easy to find. Compared with the old version, the new one has improved a lot in both code stealing and IAT handling; the IAT is now treated much like ASProtect does it, with part of the IAT redirected into the packer's code. Given my limited level I don't know how to deal with the IAT entries that end up inside the packer, so I'd appreciate a few pointers from the experts, thanks!

Let's start with some preparation. I use flyfancy's junk-code removal plugin; if yours is the one written by hoto you may need to adjust this a little, but it shouldn't be a problem. Add the following to the plugin's configuration file.

In JunkType, add PEsPin, like this:

```
JunkType=Common,TELock,UltraProtect,Custom,PEsPin
```

Then add this entry :)

```
PatList_PEsPin=_Pes1,_jmp01,_call0111,_PESPIN1,_Pespin_jne01,_pESPIN_JMP01
```

I changed the existing jmp01 to this:

```
[CODE_jmp01]
S = EB01??
R = EB0190
```

And appended the following at the end of the file:

```
[CODE_Pes1]
;           jmp label1
;
S =EB04??EB04??EBFB??
R =909090909090909090

[CODE_call0111]
;           call label1
;           db    _junkcode
S =E801000000??
R =E80100000090

[CODE_PESPIN1]
S =E803000000EB04??EBFB??
R =E803000000909090909090

[CODE_Pespin_jne01]
S =7501??
R =909090

[CODE_Pespin_JMP01]
S =EB04??EB04??EBFB??
R =909090909090909090
```

You should all be able to read the above; it may be a bit messy, but I was too lazy to tidy it up :D

With that written, it's time to get to work in OllyDbg. Configure OD first: Alt+O, then tick every exception option except "Invalid or privileged instruction". After loading the target, hide the debugger, or the packer will detect OD.

Once that's done, look here. Right after loading there is an exception before we even see any code. Press Shift+F9 once and we arrive at the entry point:

```
005F6087 > /EB 01           JMP SHORT Project1.005F608A        ; entry point
005F6089   |68 60E80000     PUSH 0E860
```

Press F9 once and an exception appears:

```
005F7E9C    FB              STI                         ; exception here after one F9
005F7E9D    FFFF            ???                         ; Unknown command
......
```

After the exception, press Shift+F9 twice and you see lots of ???:

```
00400201    FFFF            ???                                      ; Unknown command
00400203    FFFF            ???                                      ; Unknown command
00400205    FFFF            ???                                      ; Unknown command
00400207    FFFF            ???                                      ; Unknown command
```

Once you see this, set a breakpoint with bp LoadLibraryA and press Shift+F9; we break in system code:

```
77E5D961 >  837C24 04 00    CMP DWORD PTR SS:[ESP+4],0        ; after breaking here, remove the breakpoint
77E5D966    53              PUSH EBX
```

Remove this breakpoint, then Alt+F9 to execute until we return to the program's own territory:

```
005F6E0E    85C0            TEST EAX,EAX                             ; kernel32.77E40000
005F6E10    0F84 2F070000   JE Project1.005F7545
```

Back here, press Ctrl+F and search for the command 'OR [EDX],0'. It is very close; in fact you can spot it right away:

```
005F6E89    830A 00         OR DWORD PTR DS:[EDX],0              ; this is what we are looking for
005F6E8C    0F84 EF000000   JE Project1.005F6F81
005F6E92    8B02            MOV EAX,DWORD PTR DS:[EDX]
```

Having found it, press F4 to run straight to 5F6E89. For VB or Delphi files, EDX here is usually the VA of the start of the IAT. Then Ctrl+F9 to execute until the RET:

```
005F6EB1    012C24          ADD DWORD PTR SS:[ESP],EBP
005F6EB4    810424 B4466F06 ADD DWORD PTR SS:[ESP],66F46B4
005F6EBB    68 286F630F     PUSH 0F636F28
005F6EC0    812C24 9643230F SUB DWORD PTR SS:[ESP],0F234396
005F6EC7    012C24          ADD DWORD PTR SS:[ESP],EBP
005F6ECA    C3              RETN        ; once here, press F8 once and we land in the code below, which holds what we want
```

```
005F6887    60              PUSHAD
005F6888    EB 04           JMP SHORT Project1.005F688E
```

Now use my junk-code remover to clean this up: Alt+Shift+S, choose pespin, set the range to 01FFF, and it looks much better. I cleared 114 of them. After cleaning:

```
005F6887    60              PUSHAD
005F6888    90              NOP
005F6889    90              NOP
005F688A    90              NOP
005F688B    90              NOP
005F688C    90              NOP
005F688D    90              NOP
005F688E    90              NOP
005F688F    90              NOP
005F6890    90              NOP
005F6891    0BFF            OR EDI,EDI
005F6893    75 16           JNZ SHORT Project1.005F68AB
005F6895    8B9D 8D2B4000   MOV EBX,DWORD PTR SS:[EBP+402B8D]
005F689B    2D 01000000     SUB EAX,1
......
005F68CC    90              NOP
005F68CD    90              NOP
005F68CE    90              NOP
005F68CF    8B3B            MOV EDI,DWORD PTR DS:[EBX]
005F68D1    03BD 852B4000   ADD EDI,DWORD PTR SS:[EBP+402B85]
005F68D7    803F 4C         CMP BYTE PTR DS:[EDI],4C
005F68DA    75 2C           JNZ SHORT Project1.005F6908
005F68DC    E8 260F0000     CALL Project1.005F7807               ; F4 straight to here
005F68E1    3D 531EF917     CMP EAX,17F91E53
005F68E6    75 20           JNZ SHORT Project1.005F6908
005F68E8    8B85 812B4000   MOV EAX,DWORD PTR SS:[EBP+402B81]
005F68EE    D1E1            SHL ECX,1
```

Press F4 at 005F68DC to run straight to it, then keep looking downward:

```
005F6918    8BBD 792B4000   MOV EDI,DWORD PTR SS:[EBP+402B79]
005F691E    3BC7            CMP EAX,EDI
005F6920    76 35           JBE SHORT Project1.005F6957            ; change this to JMP 005F6957
005F6922    03BD 7D2B4000   ADD EDI,DWORD PTR SS:[EBP+402B7D]
```

Make the change above, but note: if the target is a VB program, do not force this jump, or the program is finished the moment it jumps. After patching, look here:

```
005F6951    FF95 C4394000   CALL DWORD PTR SS:[EBP+4039C4]
005F6957    EB 01           JMP SHORT Project1.005F695A
005F6959    90              NOP
005F695A    894424 1C       MOV DWORD PTR SS:[ESP+1C],EAX        ; change this to MOV SS:[EDX],EAX
005F695E    61              POPAD
005F695F    FF0424          INC DWORD PTR SS:[ESP]
005F6962    0BC0            OR EAX,EAX
005F6964    C3              RETN
005F6965    EB 01           JMP SHORT Project1.005F6968
005F6967    90              NOP
```

Done here? No, there is more:

```
005F6968    57              PUSH EDI
005F6969    51              PUSH ECX
005F696A    90              NOP
005F696B    90              NOP
005F696C    90              NOP
005F696D    90              NOP
005F696E    90              NOP
005F696F    90              NOP
005F6970    90              NOP
005F6971    90              NOP
005F6972    90              NOP
005F6973    BF 4F825F00     MOV EDI,Project1.005F824F
005F6978    EB 01           JMP SHORT Project1.005F697B
005F697A    90              NOP
005F697B    B9 65060000     MOV ECX,665
005F6980    EB 01           JMP SHORT Project1.005F6983
005F6982    90              NOP
005F6983    3917            CMP DWORD PTR DS:[EDI],EDX
005F6985    74 0A           JE SHORT Project1.005F6991
005F6987    47              INC EDI
005F6988  ^ E2 F9           LOOPD SHORT Project1.005F6983
005F698A    EB 01           JMP SHORT Project1.005F698D
005F698C    90              NOP
005F698D    8902            MOV DWORD PTR DS:[EDX],EAX        ; NOP this out
005F698F    EB 25           JMP SHORT Project1.005F69B6
```

After patching these few places (this way we get all the API functions, although unfortunately some functions still don't work; more on that later), press F4 to run to 005F6964:

```
005F6962    0BC0            OR EAX,EAX
005F6964    C3              RETN            ; press F4 here
```

Now we can see the value of ESP: 0012FFA0. As with previous versions, set a hardware breakpoint on ESP+4, i.e. hr 12FFA4. With that set, run and we land directly at the stolen code.

Look carefully at what follows; after cleaning with my junk-code script it is much more readable. This version transforms every CALL in the stolen code, but in a rather simple way. The sheer amount of code stolen, though, is truly insane.

```
005F7088    55              PUSH EBP                                 :*****
005F7089    EB 01           JMP SHORT Project1.005F708C
005F708B    90              NOP
005F708C    8BEC            MOV EBP,ESP                              :*****
005F708E    EB 01           JMP SHORT Project1.005F7091
005F7090    90              NOP
005F7091    83C4 F0         ADD ESP,-10                              :*****
005F7094    EB 01           JMP SHORT Project1.005F7097
005F7096    90              NOP
005F7097    B8 983A4600     MOV EAX,Project1.00463A98                :*****
005F709C    EB 01           JMP SHORT Project1.005F709F
005F709E    90              NOP
005F709F    68 A9705F00     PUSH Project1.005F70A9
005F70A4  - E9 8BEBE0FF     JMP Project1.00405C34                    :*****
005F70A9    A1 F8584600     MOV EAX,DWORD PTR DS:[4658F8]            :*****
005F70AE    EB 01           JMP SHORT Project1.005F70B1
005F70B0    90              NOP
005F70B1    8B00            MOV EAX,DWORD PTR DS:[EAX]               :*****
005F70B3    EB 01           JMP SHORT Project1.005F70B6
005F70B5    90              NOP
005F70B6    68 C0705F00     PUSH Project1.005F70C0
005F70BB  - E9 F07DE5FF     JMP Project1.0044EEB0                    :*****
005F70C0    8B0D DC594600   MOV ECX,DWORD PTR DS:[4659DC]            :*****  ; Project1.00466BD8
005F70C6    EB 01           JMP SHORT Project1.005F70C9
005F70C8    90              NOP
005F70C9    A1 F8584600     MOV EAX,DWORD PTR DS:[4658F8]            :*****
005F70CE    EB 01           JMP SHORT Project1.005F70D1
005F70D0    90              NOP
005F70D1    8B00            MOV EAX,DWORD PTR DS:[EAX]               :*****
005F70D3    EB 01           JMP SHORT Project1.005F70D6
005F70D5    90              NOP
005F70D6    8B15 8C384600   MOV EDX,DWORD PTR DS:[46388C]            :*****  ; Project1.004638D8
005F70DC    EB 01           JMP SHORT Project1.005F70DF
005F70DE    90              NOP
005F70DF    68 E9705F00     PUSH Project1.005F70E9
005F70E4  - E9 DF7DE5FF     JMP Project1.0044EEC8                    :*****
005F70E9    A1 F8584600     MOV EAX,DWORD PTR DS:[4658F8]            :*****
005F70EE    EB 01           JMP SHORT Project1.005F70F1
005F70F0    90              NOP
005F70F1    8B00            MOV EAX,DWORD PTR DS:[EAX]               :*****
005F70F3    EB 01           JMP SHORT Project1.005F70F6
005F70F5    90              NOP
005F70F6    68 00715F00     PUSH Project1.005F7100                   ; ASCII "hq_"
005F70FB  - E9 487EE5FF     JMP Project1.0044EF48                    :*****
005F7100    68 0A715F00     PUSH Project1.005F710A
005F7105  - E9 52CCE0FF     JMP Project1.00403D5C                    :*****
005F710A    8D40 00         LEA EAX,DWORD PTR DS:[EAX]               :*****
005F710D    EB 01           JMP SHORT Project1.005F7110
005F710F    90              NOP
005F7110  - E9 BBCBE6FF     JMP Project1.00463CD0                    :*****
```

Luckily nothing is transformed any further, otherwise this would get hard. Tidied up, the stolen code is:

```
push ebp
mov ebp,esp
add esp,-10
mov eax,463a98
call 405c34
MOV EAX,DWORD PTR DS:[4658F8]
MOV EAX,DWORD PTR DS:[EAX]
Call 0044EEB0
MOV ECX,DWORD PTR DS:[4659DC]
MOV EAX,DWORD PTR DS:[4658F8]
MOV EAX,DWORD PTR DS:[EAX]
MOV EDX,DWORD PTR DS:[46388C]
CALL 0044EEC8
MOV EAX,DWORD PTR DS:[4658F8]
MOV EAX,DWORD PTR DS:[EAX]
CALL 0044EF48
CALL 00403D5C
LEA EAX,DWORD PTR DS:[EAX]
```

Heh, the whole following section was swallowed by PESpin, damn it! At this point the stolen code has been recovered, but when I run it... ugh, an exception. Look at this nastiness:

```
004011FC  - FF25 F0825F00   JMP DWORD PTR DS:[5F82F0]
00401202    8BC0            MOV EAX,EAX
00401204  - FF25 EB825F00   JMP DWORD PTR DS:[5F82EB]
0040120A    8BC0            MOV EAX,EAX
0040120C  - FF25 E6825F00   JMP DWORD PTR DS:[5F82E6]
00401212    8BC0            MOV EAX,EAX
00401214  - FF25 E1825F00   JMP DWORD PTR DS:[5F82E1]
0040121A    8BC0            MOV EAX,EAX
0040121C  - FF25 0A835F00   JMP DWORD PTR DS:[5F830A]
00401222    8BC0            MOV EAX,EAX
00401224  - FF25 DC825F00   JMP DWORD PTR DS:[5F82DC]
0040122A    8BC0            MOV EAX,EAX
0040122C  - FF25 05835F00   JMP DWORD PTR DS:[5F8305]
00401232    8BC0            MOV EAX,EAX
00401234  - FF25 D7825F00   JMP DWORD PTR DS:[5F82D7]
```

I have no way of fixing this yet :( so once again I ask the experts for some guidance, thanks! I'll stop the article here; it's already past 2 a.m. and I'm not writing any more. If I can, I'll look again tomorrow for a way to repair it. Attached is an automatic unpacking script for VB targets:

```
/*//////////////////////////////////////////////////
    PESpin 0.3x - 0.4x -> cyberbob Unpack Script v0.1(only for vb)
    Author:    loveboom
    Email : [email protected]
    OS    : WinXP sp1,Ollydbg 1.1,OllyScript v0.85
    Date  : 02:06 2004-07-05
    Config: Ignore other exceptions except 'Invalid or privileged instruction'
    Note  : If you have one or more question, email me please,thank you!
//////////////////////////////////////////////////*/
code:
  msgyn "Setting:Ignore other exceptions except 'Invalid or privileged instruction',Continue?"
  cmp $RESULT,0
  je lblret
var addr
var espval              //esp value
var iatstart            //iat start address
var cbase
var csize
gmi eip,CODEBASE
mov cbase,$RESULT
gmi eip,CODESIZE
mov csize,$RESULT
start:
  dbh
  run
  esto
  esto
lbl1:
  gpa "LoadLibraryA","kernel32.dll"
  bp $RESULT
  esto
lbl2:
  bc $RESULT
  rtu
  cmp eip,70000000
  jb lbl3
  sto
  rtu
lbl3:
  findop eip,#830A00#
  cmp $RESULT,0
  je lblabort
  go $RESULT
  mov iatstart,edx
  rtr
  sto
lbl4:
  mov espval,esp        //esp value
  add espval,4          //esp+4
  bphws espval,"r"
  run
lbl5:
  bphwc espval
  bprm cbase,csize
  run
lbl6:
  bpmc
lblfixoep:
  mov addr,eip
  add addr,6
  log "OEP is:"
  log addr
  mov [addr],68
  add addr,1
  mov espval,esp
  add espval,4
  mov [addr],[espval]
  add addr,4
  mov [addr],#E8F0FFFFFF#
  add addr,5
  log "IAT start address is:"
  log iatstart
  cmt addr,"Please Open log window,you will see iat start address."
lblend:
  msg "Script by loveboom[DFCG][FCG],Thank you for using my script!"
lblret:
  ret
lblabort:
  msg "Error,Script aborted! Maybe target is not protected by PESpin 0.3x - 0.4x -> cyberbob"
  ret
```

Greetz: Fly,Jingulong,yock,tDasm,David,ahao,vcasm,UFO(brother),alan(sister),all of my friends and you!

By loveboom[DFCG][FCG]
Email:[email protected]
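The junk-code removal described earlier is just wildcard search-and-replace over bytes. As an added example (not part of the article or the plugin), here is that matching logic in Python using the S/R patterns from the configuration above; the sample buffer is constructed to mirror the three chained jumps at 005F6888, with made-up junk bytes:

```python
# Added example (not from the article): apply the plugin's PESpin junk
# patterns to a raw byte buffer.  '??' in a search pattern (S) is a wildcard;
# each replacement (R) has the same length as its S, so no address shifts.
from typing import List, Optional, Tuple

# (S, R) pairs as listed in the plugin configuration above.
PESPIN_PATTERNS: List[Tuple[str, str]] = [
    ("EB04??EB04??EBFB??", "909090909090909090"),          # _Pes1: 3 chained jmps
    ("EB01??", "EB0190"),                                   # _jmp01: jmp +1 over junk
    ("E801000000??", "E80100000090"),                       # _call0111: call +1
    ("E803000000EB04??EBFB??", "E803000000909090909090"),   # _PESPIN1
    ("7501??", "909090"),                                   # _Pespin_jne01
]

def parse_pattern(hexpat: str) -> List[Optional[int]]:
    """'EB04??' -> [0xEB, 0x04, None]; None matches any byte."""
    return [None if hexpat[i:i + 2] == "??" else int(hexpat[i:i + 2], 16)
            for i in range(0, len(hexpat), 2)]

def clean_junk(code: bytes, patterns=PESPIN_PATTERNS) -> Tuple[bytes, int]:
    """Return (cleaned bytes, number of replacements made).

    Wildcards can also match inside genuine code, which is why the plugin is
    run over a chosen address range rather than the whole image."""
    buf = bytearray(code)
    hits = 0
    for s_hex, r_hex in patterns:
        s, r = parse_pattern(s_hex), bytes.fromhex(r_hex)
        assert len(s) == len(r), "R must be as long as S"
        i = 0
        while i + len(s) <= len(buf):
            if all(p is None or p == b for p, b in zip(s, buf[i:i + len(s)])):
                buf[i:i + len(s)] = r
                hits += 1
                i += len(s)
            else:
                i += 1
    return bytes(buf), hits

# Constructed input modelled on the listing at 005F6887: PUSHAD, the three
# chained short jmps with one junk byte each (C7, E8, 0F are constructed
# junk), OR EDI,EDI / JNZ +16, then a jmp +1 over a constructed junk C3 byte.
SAMPLE = bytes.fromhex("60" "EB04C7EB04E8EBFB0F" "0BFF7516" "EB01C3")

if __name__ == "__main__":
    cleaned, n = clean_junk(SAMPLE)
    print(n, cleaned.hex(" "))   # 2 replacements; the 9 junk bytes become NOPs
```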
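The tidying of the stolen-code listing (dropping each JMP SHORT +1 with its NOP, and folding PUSH return-address / JMP target back into a CALL) can also be done mechanically from the listing bytes. As an added example, not code from the article, this Python decodes those two patterns from OllyDbg listing lines; the sample listing is a constructed excerpt of the lines quoted above, and the listing format assumed is OllyDbg 1.1's address / opcode bytes / mnemonic columns:

```python
# Added example (not from the article): undo the two PESpin 0.7 transformations
# seen in the stolen-code listing above, working on each instruction's bytes:
#   1. "EB 01" (JMP SHORT +1) plus the NOP it hops over is junk: drop both.
#   2. PUSH imm32 followed by JMP rel32, where imm32 is the address right
#      after the JMP, is a disguised CALL: emit CALL <jmp target> instead.
import re, struct

# address, optional '-'/'^' flow marker, opcode bytes, two+ spaces, mnemonic
LINE_RE = re.compile(r"^([0-9A-F]{8})\s+(?:[-^]\s+)?([0-9A-F]+(?: [0-9A-F]+)*)\s{2,}(.*?)\s*$")

def parse_listing(text):
    """OllyDbg listing lines -> list of (address, opcode bytes, mnemonic)."""
    insns = []
    for m in filter(None, map(LINE_RE.match, text.strip().splitlines())):
        mnem = re.split(r"\s*(?::\*|;)", m.group(3))[0]   # drop ':*****' / ';' notes
        insns.append((int(m.group(1), 16), bytes.fromhex(m.group(2).replace(" ", "")), mnem))
    return insns

def rebuild_stolen_code(text):
    insns, out, i = parse_listing(text), [], 0
    while i < len(insns):
        _, code, mnem = insns[i]
        nxt = insns[i + 1] if i + 1 < len(insns) else None
        if code == b"\xeb\x01" and nxt and nxt[1] == b"\x90":
            i += 2                                   # rule 1: junk jmp + its NOP
            continue
        if code[:1] == b"\x68" and len(code) == 5 and nxt and nxt[1][:1] == b"\xe9" and len(nxt[1]) == 5:
            jaddr, jcode = nxt[0], nxt[1]
            if struct.unpack("<I", code[1:])[0] == jaddr + 5:   # pushed == return address
                rel = struct.unpack("<i", jcode[1:])[0]
                out.append("CALL %08X" % ((jaddr + 5 + rel) & 0xFFFFFFFF))  # rule 2
                i += 2
                continue
        out.append(mnem)
        i += 1
    return out
# Constructed input: lines copied from the stolen-code listing quoted above.
LISTING = """
005F7088    55              PUSH EBP                :*****
005F7089    EB 01           JMP SHORT Project1.005F708C
005F708B    90              NOP
005F708C    8BEC            MOV EBP,ESP             :*****
005F709F    68 A9705F00     PUSH Project1.005F70A9
005F70A4  - E9 8BEBE0FF     JMP Project1.00405C34                :*****
005F70A9    A1 F8584600     MOV EAX,DWORD PTR DS:[4658F8]                :*****
"""

if __name__ == "__main__":
    print("\n".join(rebuild_stolen_code(LISTING)))   # PUSH EBP / MOV EBP,ESP / CALL 00405C34 / MOV ...
```

A PUSH whose immediate is not the address following the JMP is left alone, so genuine push-then-jump sequences survive untouched.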

Original URL: http://com.8s8s.com/it/it22390.htm