Unpacking PESpin v0.7 (final part)

【Target】: Win98's notepad and a small MASM program I wrote myself
【Tools】: OllyDbg 1.1
【Task】: finish what the previous article left undone: unpacking and repair
【Platform】: WinXP Pro SP1
【Author】: loveboom[DFCG][FCG]
【Links】: see attachment
【Summary】: Anyone who read my previous article on unpacking PESpin knows I only did half the job last time, so this time the task is to strip the shell and "persuade her" (repair the result).
【Details】: Last time I explained how to reach the key code, so I won't repeat that here; if you haven't read it, read the previous article first. Following the previous article we arrive at the key code (the program this time is different from last time's, but the key code is the same). After the break on LoadLibraryA we land here:

[CODE]
0040C887 60 PUSHAD ; we finally end up here
0040C888 EB 04 JMP SHORT VC.0040C88E
0040C88A CB RETF ; Far return
0040C88B EB 04 JMP SHORT VC.0040C891
[/CODE]

Now clear away a bit of junk code. Once it is cleaned up, look further down at this code:

[CODE]
0040C918 8BBD 792B4000 MOV EDI,DWORD PTR SS:[EBP+402B79]
0040C91E 3BC7 CMP EAX,EDI
0040C920 76 35 JBE SHORT VC.0040C957 ; once you find this, change it to jmp xxxx
0040C922 03BD 7D2B4000 ADD EDI,DWORD PTR SS:[EBP+402B7D]
......
0040C950 50 PUSH EAX
0040C951 FF95 C4394000 CALL DWORD PTR SS:[EBP+4039C4]
0040C957 EB 01 JMP SHORT VC.0040C95A
0040C959 90 NOP
0040C95A 894424 1C MOV DWORD PTR SS:[ESP+1C],EAX ; change this to mov ss:[edx],eax, storing the correct function address
0040C95E 61 POPAD
[/CODE]

Once all of the above has been changed, pay attention: from here there are two cases, VC/Delphi on the one hand and MASM on the other (VB needs no discussion; it is very simple and none of the above has to be changed). First the VC/Delphi case: look a short way down from the first ret and you will see it. The VC/Delphi solution:

[CODE]
0040C962 0BC0 OR EAX,EAX
0040C964 C3 RETN ; this is the Ret
0040C965 EB 01 JMP SHORT VC.0040C968
0040C967 90 NOP
0040C968 57 PUSH EDI
0040C969 51 PUSH ECX
0040C96A 90 NOP
0040C96B 90 NOP
0040C96C 90 NOP
0040C96D 90 NOP
0040C96E 90 NOP
0040C96F 90 NOP
0040C970 90 NOP
0040C971 90 NOP
0040C972 90 NOP
0040C973 BF 4FE24000 MOV EDI,VC.0040E24F
0040C978 EB 01 JMP SHORT VC.0040C97B
0040C97A 90 NOP
0040C97B B9 7F020000 MOV ECX,27F
0040C980 EB 01 JMP SHORT VC.0040C983
0040C982 90 NOP
0040C983 3917 CMP DWORD PTR DS:[EDI],EDX
0040C985 74 0A JE SHORT VC.0040C991
0040C987 47 INC EDI
0040C988 ^ E2 F9 LOOPD SHORT VC.0040C983
0040C98A EB 01 JMP SHORT VC.0040C98D
0040C98C 90 NOP
0040C98D 8902 MOV DWORD PTR DS:[EDX],EAX ; this is where the damage is done, so NOP it
0040C98F EB 25 JMP SHORT VC.0040C9B6
0040C991 90 NOP
0040C992 90 NOP
0040C993 90 NOP
0040C994 90 NOP
0040C995 90 NOP
0040C996 90 NOP
0040C997 90 NOP
0040C998 90 NOP
0040C999 90 NOP
0040C99A 807F FF 00 CMP BYTE PTR DS:[EDI-1],0
0040C99E 74 11 JE SHORT VC.0040C9B1
0040C9A0 807F FF E9 CMP BYTE PTR DS:[EDI-1],0E9 ; this checks whether the program is MASM; more on that later
0040C9A4 ^ 75 E7 JNZ SHORT VC.0040C98D
0040C9A6 83C7 04 ADD EDI,4
0040C9A9 2BC7 SUB EAX,EDI
0040C9AB 8947 FC MOV DWORD PTR DS:[EDI-4],EAX
0040C9AE EB 06 JMP SHORT VC.0040C9B6
0040C9B0 90 NOP ; junk instruction, nop it out
0040C9B1 8907 MOV DWORD PTR DS:[EDI],EAX ; for VC/Delphi-packed programs this is the most important spot
0040C9B3 EB 01 JMP SHORT VC.0040C9B6
0040C9B5 90 NOP
0040C9B6 59 POP ECX
[/CODE]

After tracing this many times it turns out that every packer IAT slot the program jumps to holds the real IAT location, so we need a way to write it back. Run to 0040C9B1 and look: EDI is exactly the packer's IAT slot and EDX is the real IAT slot. With that information things get much easier. Change 0040C9B1 to jump to a free area and write our own code there; the spot I used is 4113F0. Having found a free spot, change the code at 0040C9B1 to:

[CODE]
0040C9B1 E9 3A4A0000 JMP VC.004113F0
[/CODE]

At 4113F0 write these few lines:

[CODE]
004113F0 60 PUSHAD
004113F1 9C PUSHFD
004113F2 BB 00104000 MOV EBX,VC.00401000 ; CODEBASE
004113F7 B9 00400000 MOV ECX,4000 ; CODESIZE
004113FC 8B13 MOV EDX,DWORD PTR DS:[EBX]
004113FE 3BD7 CMP EDX,EDI
00411400 75 0C JNZ SHORT VC.0041140E
00411402 8B17 MOV EDX,DWORD PTR DS:[EDI]
00411404 8913 MOV DWORD PTR DS:[EBX],EDX
00411406 83C3 04 ADD EBX,4
00411409 83E9 03 SUB ECX,3
0041140C EB 03 JMP SHORT VC.00411411
0041140E 83C3 01 ADD EBX,1
00411411 ^ E2 E9 LOOPD SHORT VC.004113FC
00411413 9D POPFD
00411414 61 POPAD
00411415 ^ E9 9CB5FFFF JMP VC.0040C9B6 ; once the search is done, go back where we came from
[/CODE]

What this code does is search the code section for the address that jumps to the packer's IAT slot and replace it with the value stored in that slot. Now let's see the result: set a hardware breakpoint with hr 12ffa4; once it breaks, enter 10cc as the OEP in ImpREC, then AutoSearch and Get Imports. See, the IAT is found automatically. A quick look at the stolen code:

[CODE]
0040D088 55 PUSH EBP ;*****
0040D089 EB 01 JMP SHORT VC.0040D08C
0040D08B 90 NOP
0040D08C 8BEC MOV EBP,ESP ;*****
0040D08E EB 01 JMP SHORT VC.0040D091
0040D090 90 NOP
0040D091 83EC 44 SUB ESP,44 ;*****
0040D094 EB 01 JMP SHORT VC.0040D097
0040D096 90 NOP
0040D097 56 PUSH ESI ;*****
0040D098 EB 01 JMP SHORT VC.0040D09B
0040D09A 90 NOP
0040D09B FF15 19E34000 CALL DWORD PTR DS:[40E319] ;***** ; VC.004063E4 -- note: this must be changed to CALL DWORD PTR DS:[4063E4]
0040D0A1 EB 01 JMP SHORT VC.0040D0A4
0040D0A3 90 NOP
0040D0A4 8BF0 MOV ESI,EAX ;*****
0040D0A6 EB 01 JMP SHORT VC.0040D0A9
0040D0A8 90 NOP
0040D0A9 8A00 MOV AL,BYTE PTR DS:[EAX] ;*****
0040D0AB EB 01 JMP SHORT VC.0040D0AE
0040D0AD 90 NOP
0040D0AE 3C 22 CMP AL,22 ;*****
0040D0B0 EB 01 JMP SHORT VC.0040D0B3
0040D0B2 90 NOP
0040D0B3 - E9 2740FFFF JMP VC.004010DF ; not much code was stolen; here control is finally handed back to the program
[/CODE]

Restore the code the packer stole, then dump and fix the dump, and it's done. OK, VC/Delphi is handled; now let's look at MASM.

[CODE]
00405918 8BBD 792B4000 MOV EDI,DWORD PTR SS:[EBP+402B79]
0040591E 3BC7 CMP EAX,EDI
00405920 76 35 JBE SHORT masm.00405957 ; likewise change this to jmp xxxx
00405922 03BD 7D2B4000 ADD EDI,DWORD PTR SS:[EBP+402B7D]
00405959 90 NOP
0040595A 894424 1C MOV DWORD PTR SS:[ESP+1C],EAX ; change this to mov ss:[edx],eax
0040595E 61 POPAD
......
0040598D 8902 MOV DWORD PTR DS:[EDX],EAX ; nop this out as well
[/CODE]

Now watch the part below; a MASM program takes this path:

[CODE]
0040599A 807F FF 00 CMP BYTE PTR DS:[EDI-1],0
0040599E 74 11 JE SHORT masm.004059B1
004059A0 807F FF E9 CMP BYTE PTR DS:[EDI-1],0E9 ; for MASM the IAT plays a different trick: the call becomes a long jump
004059A4 ^ 75 E7 JNZ SHORT masm.0040598D
004059A6 83C7 04 ADD EDI,4 ; if it is a long jump we get here and it is "interpreted"
004059A9 2BC7 SUB EAX,EDI
004059AB 8947 FC MOV DWORD PTR DS:[EDI-4],EAX
004059AE EB 06 JMP SHORT masm.004059B6
004059B0 90 NOP
004059B1 8907 MOV DWORD PTR DS:[EDI],EAX
[/CODE]

Look at the code above and analyse it: [EDI-1] is where the original program's FF25 sat, and [EDI+1] is where the correct IAT address goes. So we write a few more lines of code; this one is even easier. Change it to this:

[CODE]
004059A6 66:C747 FF FF25 MOV WORD PTR DS:[EDI-1],25FF
004059AC 8957 01 MOV DWORD PTR DS:[EDI+1],EDX
004059AF EB 05 JMP SHORT masm.004059B6
004059B1 8907 MOV DWORD PTR DS:[EDI],EAX
004059B3 EB 01 JMP SHORT masm.004059B6
004059B5 90 NOP
004059B6 59 POP ECX
004059B7 5F POP EDI
004059B8 C3 RETN
[/CODE]

Heh, after the change, use the hr 12ffa4 method again to get to the stolen code:

[CODE]
00406088 6A 00 PUSH 0
0040608A EB 01 JMP SHORT masm.0040608D
0040608C 90 NOP
0040608D 68 97604000 PUSH masm.00406097
00406092 - E9 2FB0FFFF JMP masm.004010C6
00406097 A3 00304000 MOV DWORD PTR DS:[403000],EAX
0040609C EB 01 JMP SHORT masm.0040609F
0040609E 90 NOP
0040609F 68 A9604000 PUSH masm.004060A9
004060A4 - E9 35B0FFFF JMP masm.004010DE ; JMP to COMCTL32.InitCommonControls
004060A9 6A 00 PUSH 0
004060AB EB 01 JMP SHORT masm.004060AE
004060AD 90 NOP
004060AE 68 962628E1 PUSH E1282696
004060B3 810424 98E9171F ADD DWORD PTR SS:[ESP],1F17E998
004060BA 6A 00 PUSH 0
004060BC EB 01 JMP SHORT masm.004060BF
004060BE 90 NOP
004060BF 6A 65 PUSH 65
004060C1 EB 01 JMP SHORT masm.004060C4
004060C3 90 NOP
004060C4 FF35 00304000 PUSH DWORD PTR DS:[403000]
004060CA EB 01 JMP SHORT masm.004060CD
004060CC 90 NOP
004060CD 68 D7604000 PUSH masm.004060D7
004060D2 - E9 F5AFFFFF JMP masm.004010CC
004060D7 6A 00 PUSH 0
004060D9 EB 01 JMP SHORT masm.004060DC
004060DB 90 NOP
004060DC 68 E6604000 PUSH masm.004060E6
004060E1 - E9 DAAFFFFF JMP masm.004010C0
[/CODE]

I won't go through this code in detail; you can work it out yourself. OK, this is the end of the line. Done!

Greetz: Fly, Jingulong, yock, tDasm, David, ahao, vcasm, UFO (brother), alan (sister), all of my friends and you!

By loveboom[DFCG][FCG]
Email: [email protected]
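The two repairs above (the dword scan at 4113F0 for VC/Delphi, and the FF25 rewrite at 004059A6 for MASM) can also be applied offline to a dumped code section. The following is an added example, not the article's own code: it assumes the packer-slot/real-slot pairs (EDI and [EDI] at 0040C9B1) and the stub-to-slot mapping for E9 jumps have already been recorded from the debugger, and the sample section bytes are constructed.

```python
import struct

# Constructed sample values (not from the article's binary): the pair the
# article observes at 0040C9B1, EDI = packer IAT slot, [EDI] = real IAT slot.
PACKER_IAT_TO_REAL = {0x0040E319: 0x004063E4}
# Constructed: stub VA that a MASM-style "jmp rel32" lands in -> real IAT slot.
STUB_TO_REAL_SLOT = {0x004010C6: 0x00403010}

def restore_iat_refs(code, code_va, packer_iat, stub_slots):
    """Undo both PESpin IAT redirections in a dumped code section.

    1. Any dword equal to a packer-IAT slot is replaced by the real slot
       (the same scan the article's loop at 004113F0 does in memory).
    2. "E9 rel32" jumping to a known stub is rewritten as "FF 25 <slot>"
       (jmp dword ptr [slot]), the MASM fix written at 004059A6.
    Returns (patched_bytes, log of (va, description)).
    """
    buf = bytearray(code)
    log = []
    i = 0
    while i + 4 <= len(buf):
        val = struct.unpack_from("<I", buf, i)[0]
        if val in packer_iat:
            struct.pack_into("<I", buf, i, packer_iat[val])
            log.append((code_va + i, f"dword {val:08X} -> {packer_iat[val]:08X}"))
            i += 4          # the loop at 004113F0 also steps over the patched dword
            continue
        if buf[i] == 0xE9 and i + 6 <= len(buf):
            rel = struct.unpack_from("<i", buf, i + 1)[0]
            target = (code_va + i + 5 + rel) & 0xFFFFFFFF
            if target in stub_slots:
                buf[i:i + 2] = b"\xFF\x25"
                struct.pack_into("<I", buf, i + 2, stub_slots[target])
                log.append((code_va + i, f"jmp {target:08X} -> jmp [{stub_slots[target]:08X}]"))
                i += 6      # FF 25 imm32 covers E9 rel32 plus its one pad byte
                continue
        i += 1
    return bytes(buf), log

def sample_section():
    """Constructed section at VA 00401000: push ebp / mov ebp,esp /
    call [packer slot] / mov esi,eax / jmp stub + pad byte / ret."""
    va = 0x00401000
    rel = 0x004010C6 - (va + 11 + 5)          # the E9 sits at offset 11
    code = (b"\x55\x8B\xEC\xFF\x15" + struct.pack("<I", 0x0040E319)
            + b"\x8B\xF0\xE9" + struct.pack("<i", rel) + b"\x90\xC3")
    return code, va

if __name__ == "__main__":
    print(restore_iat_refs(*sample_section(), PACKER_IAT_TO_REAL, STUB_TO_REAL_SLOT)[1])
```

The dword scan deliberately ignores instruction boundaries, exactly as the in-memory loop does, so on a real dump any false match in data should be checked against the log before the file is fixed.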
Original URL: http://com.8s8s.com/it/it22397.htm