|
|
【作者声明】:只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教
【调试环境】:WinXP、OllyDbg、PEiD、LordPE、ImportREC
_____________________________________________________________
【脱壳过程】:
CI Crypt是个不常见的壳,脱壳比压缩壳稍微复杂点
一.EP
用LordPE察看目标文件的PE信息: ImageBase=00570000 SizeOfImage=00075000
设置OllyDbg忽略所有异常选项,用IsDebugPresent插件Hide,清除以前的所有断点
CODE
00571744 3C 20 cmp al,20
//进入OllyDbg后暂停在这
00571746 F5 cmc
00571747 79 01 jns short 0057174A
00571749 F8 clc
0057174A F5 cmc
0057174B F9 stc
0057174C 60 pushad
0057174D C0C1 70 rol cl,70
00571750 E9 1B000000 jmp 00571770
_______________________________________________________
二.数据恢复
BP VirtualAlloc
Shift+F9,中断后取消断点,Alt+F9返回
CODE
0013FD6C 005713CC /CALL to VirtualAlloc from UnPackMe.005713CA
0013FD70 00400000 |Address = 00400000
0013FD74 0006B000 |Size = 6B000 (438272.)
0013FD78 00003000 |AllocationType = MEM_COMMIT|MEM_RESERVE
0013FD7C 00000040 \Protect = PAGE_EXECUTE_READWRITE
我们看到申请的内存地址是00400000
一般EXE文件的基址大多是00400000,而CI Crypt加壳后这个文件基址是ImageBase=00570000
原来CI Crypt加壳后改了基址,运行时要把代码还原的。
多看代码,最好能看明白壳的流程,这样看的多了就能学习到很多知识了。
CODE
005713C0 51 push ecx
005713C1 6A 40 push 40
005713C3 68 00300000 push 3000
005713C8 51 push ecx
005713C9 50 push eax
005713CA FFD3 call near ebx; kernel32.VirtualAlloc
005713CC 59 pop ecx
//返回这里
005713CD 85C0 test eax,eax
005713CF 75 13 jnz short 005713E4
005713D1 6A 40 push 40
005713D3 68 00100000 push 1000
005713D8 51 push ecx
005713D9 50 push eax
005713DA FFD3 call near ebx
005713DC 85C0 test eax,eax
005713DE 0F84 4D020000 je 00571631
005713E4 8945 F4 mov dword ptr ss:[ebp-C],eax
005713E7 89C7 mov edi,eax
005713E9 8B75 08 mov esi,dword ptr ss:[ebp+8]
005713EC 56 push esi
005713ED 89F1 mov ecx,esi
005713EF 034E 3C add ecx,dword ptr ds:[esi+3C]
005713F2 8B49 54 mov ecx,dword ptr ds:[ecx+54]
005713F5 F3:A4 rep movs byte ptr es:[edi],byte ptr ds:[esi]
//ecx=00000400 (decimal 1024.)
//ds:[esi]=[00571B79]=4D ('M')
//es:[edi]=[00400000]=00
//开始把PE头数据复制回00400000
005713F7 5E pop esi
005713F8 0376 3C add esi,dword ptr ds:[esi+3C]
005713FB 81C6 F8000000 add esi,0F8
00571401 8B45 08 mov eax,dword ptr ss:[ebp+8]
00571404 0340 3C add eax,dword ptr ds:[eax+3C]
00571407 0FB640 06 movzx eax,byte ptr ds:[eax+6]
0057140B 8D7D C8 lea edi,dword ptr ss:[ebp-38]
0057140E 57 push edi
0057140F 6A 0A push 0A
00571411 59 pop ecx
00571412 F3:A5 rep movs dword ptr es:[edi],dword ptr ds:[esi]
//[esi]处是加壳前文件的区段信息
00571414 5F pop edi
00571415 8B57 14 mov edx,dword ptr ds:[edi+14]
00571418 85D2 test edx,edx
0057141A 74 14 je short 00571430
0057141C 56 push esi
0057141D 8B75 08 mov esi,dword ptr ss:[ebp+8]
00571420 01D6 add esi,edx
00571422 8B4F 10 mov ecx,dword ptr ds:[edi+10]
00571425 8B57 0C mov edx,dword ptr ds:[edi+C]
00571428 8B7D F4 mov edi,dword ptr ss:[ebp-C]
0057142B 01D7 add edi,edx
0057142D F3:A4 rep movs byte ptr es:[edi],byte ptr ds:[esi]
//ecx=00049200 (decimal 299520.)
//ds:[esi]=[00571F79]=56 ('V') |
|
狗仔卡
发表于 2010-1-6 20:04:34
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
显身卡