First, modify the line above directly in OD to:
00C2E9FB /E9 87000000       JMP 00C2EA87
00C2EA00 |90                NOP
00C2EA01 8B85 80E7FFFF      MOV EAX,DWORD PTR SS:[EBP-1880]
00C2EA07 8B40 08            MOV EAX,DWORD PTR DS:[EAX+8]
00C2EA0A 83E0 01            AND EAX,1
00C2EA0D 85C0               TEST EAX,EAX
00C2EA0F 74 25              JE SHORT 00C2EA36
..........
Observe its flow.
00C2EA87 80A5 A4E9FFFF 0>   AND BYTE PTR SS:[EBP-165C],0        // the JMP lands here
00C2EA8E A1 3CCAC400        MOV EAX,DWORD PTR DS:[C4CA3C]
00C2EA93 8A80 66350000      MOV AL,BYTE PTR DS:[EAX+3566]
00C2EA99 8885 F4D3FFFF      MOV BYTE PTR SS:[EBP-2C0C],AL
00C2EA9F 0FB685 F4D3FFFF    MOVZX EAX,BYTE PTR SS:[EBP-2C0C]
00C2EAA6 85C0               TEST EAX,EAX
00C2EAA8 74 23              JE SHORT 00C2EACD

00C2EACD 8B85 A8E9FFFF      MOV EAX,DWORD PTR SS:[EBP-1658]
00C2EAD3 40                 INC EAX
00C2EAD4 8985 A8E9FFFF      MOV DWORD PTR SS:[EBP-1658],EAX
00C2EADA 8B85 3CEBFFFF      MOV EAX,DWORD PTR SS:[EBP-14C4]
00C2EAE0 0385 A0E9FFFF      ADD EAX,DWORD PTR SS:[EBP-1660]
00C2EAE6 8985 B4E9FFFF      MOV DWORD PTR SS:[EBP-164C],EAX
00C2EAEC 8B85 B4E9FFFF      MOV EAX,DWORD PTR SS:[EBP-164C]
00C2EAF2 8985 98E9FFFF      MOV DWORD PTR SS:[EBP-1668],EAX
00C2EAF8 0FB685 A4E9FFFF    MOVZX EAX,BYTE PTR SS:[EBP-165C]
00C2EAFF 85C0               TEST EAX,EAX
00C2EB01 74 2E              JE SHORT 00C2EB31

00C2EB31 8D85 9CE9FFFF      LEA EAX,DWORD PTR SS:[EBP-1664]
00C2EB37 50                 PUSH EAX
00C2EB38 6A 04              PUSH 4
00C2EB3A 8B85 A8E9FFFF      MOV EAX,DWORD PTR SS:[EBP-1658]
00C2EB40 C1E0 02            SHL EAX,2
00C2EB43 50                 PUSH EAX
00C2EB44 8B85 3CEBFFFF      MOV EAX,DWORD PTR SS:[EBP-14C4]
00C2EB4A 0385 A0E9FFFF      ADD EAX,DWORD PTR SS:[EBP-1660]
00C2EB50 50                 PUSH EAX
00C2EB51 FF15 34D1C300      CALL DWORD PTR DS:[C3D134]          ; KERNEL32.VirtualProtect
00C2EB57 6A 01              PUSH 1                              // start of a small loop
00C2EB59 58                 POP EAX
00C2EB5A 85C0               TEST EAX,EAX
00C2EB5C 0F84 79030000      JE 00C2EEDB
00C2EB62 66:83A5 7CE7FFF>   AND WORD PTR SS:[EBP-1884],0
00C2EB6A 83A5 74E7FFFF 0>   AND DWORD PTR SS:[EBP-188C],0
00C2EB71 83A5 78E7FFFF 0>   AND DWORD PTR SS:[EBP-1888],0
00C2EB78 8B85 88ECFFFF      MOV EAX,DWORD PTR SS:[EBP-1378]
00C2EB7E 0FBE00             MOVSX EAX,BYTE PTR DS:[EAX]
00C2EB81 85C0               TEST EAX,EAX
00C2EB83 0F85 0C010000      JNZ 00C2EC95

00C2EC95 8B85 88ECFFFF      MOV EAX,DWORD PTR SS:[EBP-1378]
00C2EC9B 0FB600             MOVZX EAX,BYTE PTR DS:[EAX]
00C2EC9E 3D FF000000        CMP EAX,0FF
00C2ECA3 0F85 8A000000      JNZ 00C2ED33

00C2ED33 8B85 88ECFFFF      MOV EAX,DWORD PTR SS:[EBP-1378]
00C2ED39 8985 74E7FFFF      MOV DWORD PTR SS:[EBP-188C],EAX
00C2ED3F 6A 00              PUSH 0
00C2ED41 FFB5 88ECFFFF      PUSH DWORD PTR SS:[EBP-1378]
00C2ED47 E8 D45F0000        CALL 00C34D20
00C2ED4C 59                 POP ECX
00C2ED4D 59                 POP ECX
00C2ED4E 40                 INC EAX
00C2ED4F 8985 88ECFFFF      MOV DWORD PTR SS:[EBP-1378],EAX
00C2ED55 83BD ACE9FFFF 0>   CMP DWORD PTR SS:[EBP-1654],0
00C2ED5C 74 70              JE SHORT 00C2EDCE

00C2EDCE 83BD 78E7FFFF 0>   CMP DWORD PTR SS:[EBP-1888],0
00C2EDD5 75 3F              JNZ SHORT 00C2EE16
00C2EDD7 0FB785 7CE7FFFF    MOVZX EAX,WORD PTR SS:[EBP-1884]
00C2EDDE 85C0               TEST EAX,EAX
00C2EDE0 74 0F              JE SHORT 00C2EDF1

00C2EDF1 8B85 74E7FFFF      MOV EAX,DWORD PTR SS:[EBP-188C]
00C2EDF7 8985 B0D3FFFF      MOV DWORD PTR SS:[EBP-2C50],EAX
00C2EDFD FFB5 B0D3FFFF      PUSH DWORD PTR SS:[EBP-2C50]
00C2EE03 FFB5 B0E9FFFF      PUSH DWORD PTR SS:[EBP-1650]
00C2EE09 E8 E780FEFF        CALL 00C16EF5
00C2EE0E 59                 POP ECX
00C2EE0F 59                 POP ECX
00C2EE10 8985 78E7FFFF      MOV DWORD PTR SS:[EBP-1888],EAX
00C2EE16 83BD 78E7FFFF 0>   CMP DWORD PTR SS:[EBP-1888],0
00C2EE1D 0F85 96000000      JNZ 00C2EEB9

00C2EEB9 8B85 98E9FFFF      MOV EAX,DWORD PTR SS:[EBP-1668]     ; MrCaptor.00470948
00C2EEBF 8B8D 78E7FFFF      MOV ECX,DWORD PTR SS:[EBP-1888]
00C2EEC5 8908               MOV DWORD PTR DS:[EAX],ECX
00C2EEC7 8B85 98E9FFFF      MOV EAX,DWORD PTR SS:[EBP-1668]
00C2EECD 83C0 04            ADD EAX,4
00C2EED0 8985 98E9FFFF      MOV DWORD PTR SS:[EBP-1668],EAX
00C2EED6 ^ E9 7CFCFFFF      JMP 00C2EB57                        // together with 00C2EB57 this forms the small loop

00C2EEDB 0FB685 A4E9FFFF    MOVZX EAX,BYTE PTR SS:[EBP-165C]    // so press F4 (run to selection) and land directly here
00C2EEE2 85C0               TEST EAX,EAX
00C2EEE4 74 7F              JE SHORT 00C2EF65

00C2EF65 8D85 9CE9FFFF      LEA EAX,DWORD PTR SS:[EBP-1664]
00C2EF6B 50                 PUSH EAX
00C2EF6C FFB5 9CE9FFFF      PUSH DWORD PTR SS:[EBP-1664]
00C2EF72 8B85 A8E9FFFF      MOV EAX,DWORD PTR SS:[EBP-1658]
00C2EF78 C1E0 02            SHL EAX,2
00C2EF7B 50                 PUSH EAX
00C2EF7C 8B85 3CEBFFFF      MOV EAX,DWORD PTR SS:[EBP-14C4]
00C2EF82 0385 A0E9FFFF      ADD EAX,DWORD PTR SS:[EBP-1660]
00C2EF88 50                 PUSH EAX
00C2EF89 FF15 34D1C300      CALL DWORD PTR DS:[C3D134]          ; KERNEL32.VirtualProtect
00C2EF8F ^ E9 4DF8FFFF      JMP 00C2E7E1                        // this and 00C2E7E1 form a large loop that runs until the magic jmp has finished executing; you can trace it to see the flow
00C2EF94 8B85 24EBFFFF      MOV EAX,DWORD PTR SS:[EBP-14DC]     // so we press F4 to run straight down to here; at this point Armadillo believes the IAT encryption has finished, and we must now go back to
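The small loop between 00C2EB57 and 00C2EED6, replayed as an added model in Python. This is not Armadillo's code and not from the original post; it only mirrors what the listing shows: VirtualProtect makes count*4 bytes of IAT writable, each iteration reads the next entry of a name table, resolves it, stores the 4-byte result at the current slot and advances the slot by 4, and the second VirtualProtect at 00C2EF89 restores the old protection. Assumptions, also marked in the code: entries are NUL-terminated ASCII names (the CALL 00C34D20 followed by INC EAX is read as "find the terminating NUL, step past it"), a leading 0xFF byte (the CMP EAX,0FF at 00C2EC9E) marks an ordinal entry followed by a 16-bit ordinal, CALL 00C16EF5 acts like GetProcAddress, and a zero first byte (the MOVSX/TEST/JNZ at 00C2EB7E) ends the table. The class and function names are mine; the sample table and addresses are constructed.

```python
import struct

PAGE_READWRITE = 4   # the literal pushed at 00C2EB38
PAGE_READONLY = 2    # constructed starting protection for the toy page


class IatPage:
    """Toy memory region with a protection flag. virtual_protect() stands in for
    KERNEL32.VirtualProtect and hands back the previous protection the way the
    real call does through its lpflOldProtect argument."""

    def __init__(self, size):
        self.data = bytearray(size)
        self.protect = PAGE_READONLY

    def virtual_protect(self, new_protect):
        old, self.protect = self.protect, new_protect
        return old

    def write_u32(self, off, value):
        # The real IAT page is not writable until VirtualProtect has run.
        if self.protect != PAGE_READWRITE:
            raise PermissionError(f"IAT write at +{off:#x} while page is not writable")
        self.data[off:off + 4] = struct.pack("<I", value)

    def read_u32(self, off):
        return struct.unpack_from("<I", self.data, off)[0]


def resolve_imports(name_table, exports, iat, iat_off, slot_count):
    """Fill up to `slot_count` 4-byte IAT slots from a NUL-separated name table.

    name_table: bytes; each entry is an ASCII name ending in 0x00, or 0xFF plus a
                16-bit little-endian ordinal (assumed format); a lone 0x00 ends it.
    exports:    dict mapping a name or ordinal to an address (GetProcAddress stand-in).
    Returns the offset of the slot after the last one written.
    """
    old = iat.virtual_protect(PAGE_READWRITE)     # VirtualProtect(base+off, count*4, 4, &old) at 00C2EB51
    pos = 0
    slot = iat_off                                # [EBP-1668]: pointer to the current IAT slot
    for _ in range(slot_count):
        if name_table[pos] == 0:                  # zero first byte: end of table (assumed)
            break
        if name_table[pos] == 0xFF:               # CMP EAX,0FF: ordinal entry (assumed meaning)
            key = struct.unpack_from("<H", name_table, pos + 1)[0]
            pos += 3
        else:                                     # named entry: find its NUL, step past it
            end = name_table.index(b"\x00", pos)  # CALL 00C34D20 (assumed to return the NUL position)
            key = name_table[pos:end].decode("ascii")
            pos = end + 1                         # INC EAX
        addr = exports.get(key)                   # CALL 00C16EF5 (assumed GetProcAddress-like)
        if addr is None:
            raise LookupError(f"unresolved import {key!r}")
        iat.write_u32(slot, addr)                 # MOV DWORD PTR DS:[EAX],ECX
        slot += 4                                 # ADD EAX,4
    iat.virtual_protect(old)                      # VirtualProtect at 00C2EF89 restores the old protection
    return slot


# Constructed sample input: three named imports, one ordinal import, then the terminator.
SAMPLE_TABLE = b"VirtualProtect\x00GetProcAddress\x00\xff\x10\x00ExitProcess\x00\x00"
SAMPLE_EXPORTS = {               # constructed addresses, not real kernel32 values
    "VirtualProtect": 0x11110010,
    "GetProcAddress": 0x11110020,
    0x10: 0x11110030,
    "ExitProcess": 0x11110040,
}


def demo(slot_count=4):
    """Fill the toy IAT and return (written entries, final page protection)."""
    iat = IatPage(0x40)
    end = resolve_imports(SAMPLE_TABLE, SAMPLE_EXPORTS, iat, 0x10, slot_count)
    return [iat.read_u32(off) for off in range(0x10, end, 4)], iat.protect


if __name__ == "__main__":
    entries, protect = demo()
    for i, e in enumerate(entries):
        print(f"slot {i}: {e:#010x}")
    print("page protection after loop:", protect)
```

demo() fills four slots and leaves the page with its original protection; the PermissionError in write_u32 is the reason the VirtualProtect at 00C2EB51 has to run before the loop body touches the IAT.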
*************************************
00C2E9FB 0F84 86000000      JE 00C2EA87     // this is the big magic jmp. Note: if you change it to jmp 00a3142a, the program raises an exception and cannot continue running, but the IAT is no longer encrypted. Here we use Fly's alternative method.
First, modify the line above directly in OD to:
00C2E9FB /E9 87000000       JMP 00C2EA87    // right-click -> "Undo selection" restores it.
00C2EA00 |90                NOP
**************************************
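Why the patch in the box above is E9 87000000 plus a NOP rather than a plain opcode swap, as an added example that is not from the original post: JE rel32 (0F 84) is six bytes and JMP rel32 (E9) is five, and rel32 is counted from the end of the instruction, so the displacement must be recomputed (0x86 becomes 0x87) and the freed byte padded with NOP so the next instruction at 00C2EA01 keeps its address. The helper names are mine; the only addresses and bytes used are the ones on the page.

```python
import struct

JE_REL32 = b"\x0f\x84"   # 6-byte form: 0F 84 rel32
JMP_REL32 = 0xE9         # 5-byte form: E9 rel32
NOP = 0x90


def branch_target(addr, insn):
    """Target of a JE rel32 or JMP rel32 encoded at address `addr`.
    rel32 is relative to the address of the *next* instruction."""
    if len(insn) == 6 and insn[:2] == JE_REL32:
        disp = struct.unpack("<i", insn[2:6])[0]
        return (addr + 6 + disp) & 0xFFFFFFFF
    if len(insn) == 5 and insn[0] == JMP_REL32:
        disp = struct.unpack("<i", insn[1:5])[0]
        return (addr + 5 + disp) & 0xFFFFFFFF
    raise ValueError("not a JE rel32 or JMP rel32")


def je_to_jmp(addr, insn):
    """Rewrite a 6-byte JE rel32 at `addr` as JMP rel32 + NOP with the same target.
    The displacement changes because the JMP is one byte shorter: the base it is
    counted from moves from addr+6 to addr+5."""
    if len(insn) != 6 or insn[:2] != JE_REL32:
        raise ValueError("expected JE rel32 (0F 84 rel32)")
    target = branch_target(addr, insn)
    new_disp = target - (addr + 5)
    patched = bytes([JMP_REL32]) + struct.pack("<i", new_disp) + bytes([NOP])
    # Sanity check: decoding the new JMP must land on the original target.
    assert branch_target(addr, patched[:5]) == target
    return patched


if __name__ == "__main__":
    addr = 0x00C2E9FB
    original = bytes.fromhex("0F8486000000")          # bytes shown in the listing
    print(je_to_jmp(addr, original).hex(" ").upper())  # E9 87 00 00 00 90
```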
00C2EF9A 8985 E4D4FFFF      MOV DWORD PTR SS:[EBP-2B1C],EAX
00C2EFA0 FFB5 E4D4FFFF      PUSH DWORD PTR SS:[EBP-2B1C]
00C2EFA6 E8 87540000        CALL 00C34432
00C2EFAB 59                 POP ECX
00C2EFAC FFB5 68ECFFFF      PUSH DWORD PTR SS:[EBP-1398]
00C2EFB2 E8 2B23FEFF        CALL 00C112E2
00C2EFB7 59                 POP ECX
00C2EFB8 EB 03              JMP SHORT 00C2EFBD
00C2EFBA D6                 SALC
00C2EFBB D6                 SALC
00C2EFBC 8BA1 DCC0C400      MOV ESP,DWORD PTR DS:[ECX+C4C0DC]
00C2EFC2 8985 18E6FFFF      MOV DWORD PTR SS:[EBP-19E8],EAX
00C2EFC8 83BD 18E6FFFF 0>   CMP DWORD PTR SS:[EBP-19E8],0
00C2EFCF 74 36              JE SHORT 00C2F007
..........