3. Modifying the PEB
Beginners can skip this part and go straight to Part 4, Dump.
The PEB (Process Environment Block) holds the process's information. The stub rewrites the pieces that describe the main module so that the process looks as if its EXE had always been loaded at the new base; module-enumeration tools such as LordPE's Task Viewer read these same structures, which is what makes the dump in Part 4 come out clean.
The fields it touches (32-bit offsets): PEB+0x008 is ImageBaseAddress; PEB+0x00C is Ldr, a pointer to PEB_LDR_DATA, whose InLoadOrderModuleList head is at +0x00C; each LDR_DATA_TABLE_ENTRY in that list has DllBase at +0x18, EntryPoint at +0x1C and SizeOfImage at +0x20.
CODE
00571497 8B4D F4 mov ecx,dword ptr ss:[ebp-C]
//ECX=[ebp-C]=00400000, the new base
0057149A 8B55 B0 mov edx,dword ptr ss:[ebp-50]
//EDX=[ebp-50], the old base
0057149D 0155 B4 add dword ptr ss:[ebp-4C],edx
//[ebp-4C] += old base, giving the old EP as a VA
005714A0 64:8B05 30000000 mov eax,dword ptr fs:[30]
//get the PEB address
005714A7 837D BC 00 cmp dword ptr ss:[ebp-44],0
005714AB 75 03 jnz short 005714B0
//flag: PEB.ImageBaseAddress is only rewritten when [ebp-44] is 0
005714AD 8948 08 mov dword ptr ds:[eax+8],ecx
//write the new base 00400000 into PEB.ImageBaseAddress
005714B0 8B40 0C mov eax,dword ptr ds:[eax+C]
//EAX=PEB.Ldr (PEB_LDR_DATA)
005714B3 8B40 0C mov eax,dword ptr ds:[eax+C]
//EAX=InLoadOrderModuleList.Flink, the first LDR_DATA_TABLE_ENTRY (the EXE itself)
005714B6 89C6 mov esi,eax
//ESI remembers the first entry so the loop below knows when the list wraps around
005714B8 8B50 18 mov edx,dword ptr ds:[eax+18]
005714BB 3B55 B0 cmp edx,dword ptr ss:[ebp-50]
005714BE 75 27 jnz short 005714E7
//entry.DllBase == old base?
005714C0 8B50 1C mov edx,dword ptr ds:[eax+1C]
005714C3 3B55 B4 cmp edx,dword ptr ss:[ebp-4C]
005714C6 75 1F jnz short 005714E7
//entry.EntryPoint == old EP?
005714C8 8B50 20 mov edx,dword ptr ds:[eax+20]
005714CB 3B55 B8 cmp edx,dword ptr ss:[ebp-48]
005714CE 75 17 jnz short 005714E7
//entry.SizeOfImage == old SizeOfImage? All three must match before the entry is patched
005714D0 8948 18 mov dword ptr ds:[eax+18],ecx
//write the new base into entry.DllBase
005714D3 038D 30FEFFFF add ecx,dword ptr ss:[ebp-1D0]
//ECX=new base + OEP RVA ([ebp-1D0]=000271B0, see Part 5)
005714D9 8948 1C mov dword ptr ds:[eax+1C],ecx
//write the new EP into entry.EntryPoint
005714DC 8B8D 58FEFFFF mov ecx,dword ptr ss:[ebp-1A8]
005714E2 8948 20 mov dword ptr ds:[eax+20],ecx
//write the new SizeOfImage into entry.SizeOfImage
005714E5 EB 08 jmp short 005714EF
005714E7 3930 cmp dword ptr ds:[eax],esi
005714E9 74 04 je short 005714EF
005714EB 8B00 mov eax,dword ptr ds:[eax]
005714ED EB C9 jmp short 005714B8
//no match: follow Flink to the next entry; stop once Flink points back at the first entry
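The loader-list fix-up above, re-implemented as an added example (not CI Crypt's code and not from the original write-up) in Python over a constructed 32-bit memory window. The structure offsets are the real ones for 32-bit Windows (PEB+0x08 ImageBaseAddress, PEB+0x0C Ldr, PEB_LDR_DATA+0x0C InLoadOrderModuleList, LDR_DATA_TABLE_ENTRY +0x18/+0x1C/+0x20); the memory addresses, the packed module's old base, old EP and size, the new SizeOfImage and the two DLL entries are made up for the demo. Only the new base 00400000 and the OEP RVA 000271B0 come from the page.

```python
"""Added example: the loader-list fix-up the CI Crypt stub performs at 005714A0-005714ED,
re-implemented over a constructed 32-bit memory window. Offsets are the real Win32 ones;
addresses, the old base/size and the DLL entries are made up for the demo."""
import struct

PEB_IMAGE_BASE_ADDRESS = 0x08    # PEB.ImageBaseAddress        (stub: mov [eax+8],ecx)
PEB_LDR = 0x0C                   # PEB.Ldr -> PEB_LDR_DATA     (stub: mov eax,[eax+C])
LDR_IN_LOAD_ORDER_LIST = 0x0C    # PEB_LDR_DATA.InLoadOrderModuleList, a LIST_ENTRY head
ENTRY_DLL_BASE = 0x18            # LDR_DATA_TABLE_ENTRY.DllBase
ENTRY_ENTRY_POINT = 0x1C         # LDR_DATA_TABLE_ENTRY.EntryPoint
ENTRY_SIZE_OF_IMAGE = 0x20       # LDR_DATA_TABLE_ENTRY.SizeOfImage

class Memory:
    """Flat little-endian window of process memory starting at virtual address `base`."""
    def __init__(self, base, size):
        self.base, self.buf = base, bytearray(size)
    def r32(self, va):
        return struct.unpack_from("<I", self.buf, va - self.base)[0]
    def w32(self, va, value):
        struct.pack_into("<I", self.buf, va - self.base, value & 0xFFFFFFFF)

def build_process(mem, peb, ldr, entries):
    """Lay out PEB, PEB_LDR_DATA and a circular InLoadOrderModuleList.
    entries: [(entry_va, DllBase, EntryPoint, SizeOfImage), ...], main module first."""
    mem.w32(peb + PEB_LDR, ldr)
    mem.w32(peb + PEB_IMAGE_BASE_ADDRESS, entries[0][1])
    head = ldr + LDR_IN_LOAD_ORDER_LIST
    nodes = [head] + [e[0] for e in entries]
    for i, node in enumerate(nodes):                  # LIST_ENTRY: Flink at +0, Blink at +4
        mem.w32(node, nodes[(i + 1) % len(nodes)])
        mem.w32(node + 4, nodes[(i - 1) % len(nodes)])
    for va, dll_base, entry_point, size in entries:
        mem.w32(va + ENTRY_DLL_BASE, dll_base)
        mem.w32(va + ENTRY_ENTRY_POINT, entry_point)
        mem.w32(va + ENTRY_SIZE_OF_IMAGE, size)

def relocate_main_module(mem, peb, old_base, old_ep, old_size, new_base, oep_rva, new_size,
                         patch_peb=True):
    """Mirror of the stub: optionally rewrite PEB.ImageBaseAddress ([ebp-44] flag), then walk
    the load-order list and patch the one entry whose DllBase, EntryPoint and SizeOfImage
    all equal the old values. Returns the patched entry's VA, or None if nothing matched."""
    if patch_peb:
        mem.w32(peb + PEB_IMAGE_BASE_ADDRESS, new_base)
    head = mem.r32(peb + PEB_LDR) + LDR_IN_LOAD_ORDER_LIST
    entry = mem.r32(head)                             # head.Flink: first module = the EXE
    # The stub stops when an entry's Flink equals the first entry (esi), which also makes it
    # look at the list head once as if it were an entry; stopping when the walk returns to
    # the head is the cleaner equivalent and checks the same module entries.
    while entry != head:
        if (mem.r32(entry + ENTRY_DLL_BASE) == old_base and
                mem.r32(entry + ENTRY_ENTRY_POINT) == old_ep and
                mem.r32(entry + ENTRY_SIZE_OF_IMAGE) == old_size):
            mem.w32(entry + ENTRY_DLL_BASE, new_base)
            mem.w32(entry + ENTRY_ENTRY_POINT, new_base + oep_rva)   # new EP = base + OEP RVA
            mem.w32(entry + ENTRY_SIZE_OF_IMAGE, new_size)
            return entry
        entry = mem.r32(entry)                        # next = Flink
    return None

def demo():
    """Made-up process: packed EXE loaded at 00560000 plus two DLLs. Only the new base
    00400000 and the OEP RVA 000271B0 are taken from the write-up."""
    mem = Memory(0x7FF00000, 0x10000)
    peb, ldr = 0x7FF00000, 0x7FF01000
    exe, dll_a, dll_b = 0x7FF02000, 0x7FF02100, 0x7FF02200
    build_process(mem, peb, ldr, [(exe, 0x00560000, 0x00571000, 0x00020000),
                                  (dll_a, 0x7C900000, 0x7C913000, 0x000B2000),
                                  (dll_b, 0x7C800000, 0x7C80B000, 0x000F6000)])
    patched = relocate_main_module(mem, peb, old_base=0x00560000, old_ep=0x00571000,
                                   old_size=0x00020000, new_base=0x00400000,
                                   oep_rva=0x000271B0, new_size=0x00066000)
    return {
        "patched_entry": patched,
        "peb_image_base": mem.r32(peb + PEB_IMAGE_BASE_ADDRESS),
        "dll_base": mem.r32(exe + ENTRY_DLL_BASE),
        "entry_point": mem.r32(exe + ENTRY_ENTRY_POINT),
        "size_of_image": mem.r32(exe + ENTRY_SIZE_OF_IMAGE),
        "dll_a_base": mem.r32(dll_a + ENTRY_DLL_BASE),   # must be untouched
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:15s} {value:08X}")
```

The three-field match is what keeps the stub from touching ntdll or kernel32: only the entry whose DllBase, EntryPoint and SizeOfImage all equal the packed EXE's old values is rewritten, and the patched entry's EntryPoint is new base + OEP RVA, exactly the 004271B0 the stub jumps to in Part 5.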
_____________________________________________________________
4. Dump
Having walked through the above, this is where you can dump.
The stub has not yet filled the import table with system function addresses, yet all the data is already restored: this is the ideal moment to dump.
Because the stub restored the data to a new base, LordPE needs one setting changed before it can capture the process cleanly:
Options -> Task Viewer -> untick Full dump: Paste header from disk, i.e. do not use the PE header of the physical file. The header on disk describes the packed file; the header the stub rebuilt at the new base 00400000 is the one that describes the original program, and that is the one the dump should carry.
Look at the saved dump.exe: it is essentially the original file before it was packed. With that, CI Crypt is unpacked.
Now let's continue looking at the stub's flow.
CODE
005714EF 8B9D 88FEFFFF mov ebx,dword ptr ss:[ebp-178]
//[ebp-178] is the import table RVA
005714F5 85DB test ebx,ebx
005714F7 74 6C je short 00571565
//no import table: skip
005714F9 8B75 F4 mov esi,dword ptr ss:[ebp-C]
005714FC 01F3 add ebx,esi
//ESI=new base; EBX=VA of the first IMAGE_IMPORT_DESCRIPTOR
005714FE 8B43 0C mov eax,dword ptr ds:[ebx+C]
00571501 85C0 test eax,eax
00571503 74 60 je short 00571565
//descriptor.Name (+0C); a zero Name terminates the descriptor array
00571505 8B4B 10 mov ecx,dword ptr ds:[ebx+10]
00571508 01F1 add ecx,esi
0057150A 894D C4 mov dword ptr ss:[ebp-3C],ecx
//[ebp-3C]=VA of descriptor.FirstThunk (+10), the IAT to be filled
0057150D 8B0B mov ecx,dword ptr ds:[ebx]
0057150F 85C9 test ecx,ecx
00571511 75 03 jnz short 00571516
00571513 8B4B 10 mov ecx,dword ptr ds:[ebx+10]
00571516 01F1 add ecx,esi
00571518 894D C0 mov dword ptr ss:[ebp-40],ecx
//[ebp-40]=VA of descriptor.OriginalFirstThunk (+0), the lookup table; if it is 0, FirstThunk itself serves as the lookup table
0057151B 01F0 add eax,esi
0057151D 50 push eax
0057151E 8B45 10 mov eax,dword ptr ss:[ebp+10]
00571521 FF10 call near dword ptr ds:[eax]; kernel32.LoadLibraryA
//LoadLibraryA(descriptor.Name)
00571523 85C0 test eax,eax
00571525 0F84 06010000 je 00571631
//LoadLibraryA failed: abandon the loop
0057152B 89C7 mov edi,eax
//EDI=module handle
0057152D 8B4D C0 mov ecx,dword ptr ss:[ebp-40]
00571530 8B11 mov edx,dword ptr ds:[ecx]
00571532 85D2 test edx,edx
00571534 74 2A je short 00571560
//read the next thunk; a zero thunk ends this DLL's list
00571536 F7C2 00000080 test edx,80000000
0057153C 74 08 je short 00571546
0057153E 81E2 FFFFFF7F and edx,7FFFFFFF
00571544 EB 04 jmp short 0057154A
//IMAGE_ORDINAL_FLAG32 set: import by ordinal, EDX=ordinal number
00571546 01F2 add edx,esi
00571548 42 inc edx
00571549 42 inc edx
//otherwise the thunk is the RVA of an IMAGE_IMPORT_BY_NAME; +2 skips the Hint word, leaving EDX pointing at the function name
0057154A 52 push edx
0057154B 57 push edi
0057154C 8B45 0C mov eax,dword ptr ss:[ebp+C]
0057154F FF10 call near dword ptr ds:[eax]; kernel32.GetProcAddress
//GetProcAddress(hModule, name or ordinal)
00571551 8B4D C4 mov ecx,dword ptr ss:[ebp-3C]
00571554 8901 mov dword ptr ds:[ecx],eax
//write the resolved system address into the IAT slot
00571556 8345 C4 04 add dword ptr ss:[ebp-3C],4
0057155A 8345 C0 04 add dword ptr ss:[ebp-40],4
0057155E EB CD jmp short 0057152D
//advance both the IAT pointer and the lookup pointer to the next slot
00571560 83C3 14 add ebx,14
00571563 EB 99 jmp short 005714FE
//next IMAGE_IMPORT_DESCRIPTOR (sizeof = 14h); loop over the whole import table
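The import loop above, re-implemented as an added example (not the stub's code and not from the original write-up) in Python over a constructed image, together with the check a practitioner wants before dumping: whether every IAT slot still holds its unresolved thunk (RVA of an IMAGE_IMPORT_BY_NAME, or an ordinal) or already a resolved address. The image layout, DLL and function names, the ordinal and the fake export addresses are constructed; the descriptor offsets and IMAGE_ORDINAL_FLAG32 are the real PE ones. The second descriptor has no OriginalFirstThunk, the case handled at 0057150D-00571516, and shows why the dump has to come before the loop runs: once those IAT slots are overwritten, nothing left in the image records which function they held.

```python
"""Added example: the CI Crypt import loop (005714EF-00571563) and a dump-readiness
check, over a constructed PE image. Layout, names and addresses are made up."""
import struct

IMAGE_ORDINAL_FLAG32 = 0x80000000
DESC_SIZE = 0x14                     # sizeof(IMAGE_IMPORT_DESCRIPTOR); stub: add ebx,14

def rd32(img, rva):
    return struct.unpack_from("<I", img, rva)[0]

def wr32(img, rva, value):
    struct.pack_into("<I", img, rva, value & 0xFFFFFFFF)

def rd_cstr(img, rva):
    return img[rva:img.index(b"\0", rva)].decode("ascii")

def walk_imports(img, base, import_rva):
    """Yield (dll, iat_va, thunk, kind, target) per IAT slot, following the stub:
    Name at +0Ch ends the table when 0; lookup table is OriginalFirstThunk (+0) or,
    if that is 0, FirstThunk (+10h) itself; high bit set => ordinal, else RVA to
    IMAGE_IMPORT_BY_NAME whose name starts after the 2-byte Hint."""
    desc = import_rva
    while (name_rva := rd32(img, desc + 0x0C)) != 0:
        oft, ft = rd32(img, desc), rd32(img, desc + 0x10)
        lookup = oft or ft
        dll, i = rd_cstr(img, name_rva), 0
        while (thunk := rd32(img, lookup + 4 * i)) != 0:
            if thunk & IMAGE_ORDINAL_FLAG32:
                kind, target = "ordinal", thunk & 0x7FFFFFFF
            elif thunk + 2 < len(img):
                kind, target = "name", rd_cstr(img, thunk + 2)
            else:  # slot already holds an address and there is no OFT to fall back on
                kind, target = "unknown", None
            yield dll, base + ft + 4 * i, thunk, kind, target
            i += 1
        desc += DESC_SIZE

def iat_state(img, base, import_rva):
    """'unresolved' while a slot still holds an ordinal or an in-image RVA (what a good
    dump should contain); 'resolved' once it holds an address outside the image."""
    states = []
    for dll, iat_va, _thunk, _kind, target in walk_imports(img, base, import_rva):
        slot = rd32(img, iat_va - base)
        is_ordinal = bool(slot & IMAGE_ORDINAL_FLAG32) and (slot & 0x7FFFFFFF) < 0x10000
        in_image = 0 < slot < len(img)
        states.append((dll, target, "unresolved" if is_ordinal or in_image else "resolved"))
    return states

def resolve_imports(img, base, import_rva, get_proc_address):
    """What the stub does next: fill every IAT slot. get_proc_address(dll, target)
    stands in for LoadLibraryA + GetProcAddress. Returns the number of slots written."""
    slots = list(walk_imports(img, base, import_rva))      # read all thunks before writing
    for dll, iat_va, _thunk, _kind, target in slots:
        wr32(img, iat_va - base, get_proc_address(dll, target))
    return len(slots)

def build_image():
    """Constructed 0x3000-byte image at base 00400000 with the import directory at RVA 2000h:
    descriptor 0 = KERNEL32 (two by-name + one ordinal, with OriginalFirstThunk),
    descriptor 1 = USER32 (one by-name, OriginalFirstThunk = 0), then the zero terminator."""
    img, base, cur = bytearray(0x3000), 0x00400000, 0x2200
    def put(data):
        nonlocal cur
        rva = cur
        img[cur:cur + len(data)] = data
        cur += len(data) + (len(data) & 1)          # keep IMAGE_IMPORT_BY_NAME word-aligned
        return rva
    k32, u32 = put(b"KERNEL32.dll\0"), put(b"USER32.dll\0")
    by_name = {n: put(struct.pack("<H", 0) + n + b"\0")  # Hint 0 + name
               for n in (b"LoadLibraryA", b"GetProcAddress", b"MessageBoxA")}
    oft0, iat0, iat1 = 0x2100, 0x2140, 0x2180
    for i, t in enumerate((by_name[b"LoadLibraryA"], by_name[b"GetProcAddress"],
                           IMAGE_ORDINAL_FLAG32 | 0x0328)):
        wr32(img, oft0 + 4 * i, t)
        wr32(img, iat0 + 4 * i, t)                   # IAT starts as a copy of the lookup table
    wr32(img, iat1, by_name[b"MessageBoxA"])
    struct.pack_into("<IIIII", img, 0x2000, oft0, 0, 0, k32, iat0)
    struct.pack_into("<IIIII", img, 0x2014, 0, 0, 0, u32, iat1)   # OFT = 0
    return img, base, 0x2000

FAKE_EXPORTS = {  # made-up addresses standing in for the real DLLs
    ("KERNEL32.dll", "LoadLibraryA"): 0x7C800100, ("KERNEL32.dll", "GetProcAddress"): 0x7C800200,
    ("KERNEL32.dll", 0x0328): 0x7C800300, ("USER32.dll", "MessageBoxA"): 0x77D00100,
}

def demo():
    img, base, imp = build_image()
    before = iat_state(img, base, imp)                # what a dump taken at 005714EF contains
    written = resolve_imports(img, base, imp, lambda dll, t: FAKE_EXPORTS[(dll, t)])
    after = iat_state(img, base, imp)                 # what a dump taken after the loop contains
    return before, written, after

if __name__ == "__main__":
    before, written, after = demo()
    print("before:", before)
    print("slots filled:", written)
    print("after: ", after)
```

Run `iat_state` over a real dump's import directory the same way (read the RVA from the data directory, feed the mapped image as `img`) to confirm that no slot was resolved before the dump was taken; a descriptor without OriginalFirstThunk whose slots already hold addresses can no longer be reconstructed from the image alone.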
_____________________________________________________________
5. OEP
CODE
0057161D 8B1B mov ebx,dword ptr ds:[ebx]
0057161F 3B5D 90 cmp ebx,dword ptr ss:[ebp-70]
00571622 0F85 4DFFFFFF jnz 00571575
00571628 8B85 30FEFFFF mov eax,dword ptr ss:[ebp-1D0]
//[ebp-1D0]=000271B0, the OEP RVA
0057162E 0345 F4 add eax,dword ptr ss:[ebp-C]
//EAX=000271B0+00400000=004271B0
00571631 8B4D F4 mov ecx,dword ptr ss:[ebp-C]
00571634 5E pop esi
00571635 5F pop edi
00571636 5B pop ebx
00571637 C9 leave
00571638 C2 0C00 retn 0C
//returns to 00571217
00571217 5F pop edi
00571218 5E pop esi
00571219 5D pop ebp
0057121A 83C4 04 add esp,4
0057121D 5B pop ebx
0057121E 5A pop edx
0057121F 83C4 08 add esp,8
00571222 894C24 04 mov dword ptr ss:[esp+4],ecx
00571226 FFE0 jmp near eax
//fly to the summit of light: off to the OEP
CODE
004271B0 55 push ebp
//OEP. What follows (push -1, two pushes, the fs:[0] SEH frame setup, then GetVersion) is the standard VC++ 6 CRT startup prologue, a good sign that this really is the original entry point
004271B1 8BEC mov ebp,esp
004271B3 6A FF push -1
004271B5 68 600E4500 push 00450E60
004271BA 68 C8924200 push 004292C8
004271BF 64:A1 00000000 mov eax,dword ptr fs:[0]
004271C5 50 push eax
004271C6 64:8925 00000000 mov dword ptr fs:[0],esp
004271CD 83C4 A8 add esp,-58
004271D0 53 push ebx
004271D1 56 push esi
004271D2 57 push edi
004271D3 8965 E8 mov dword ptr ss:[ebp-18],esp
004271D6 FF15 DC0A4600 call near dword ptr ds:[460ADC]; kernel32.GetVersion
_____________________________________________________________
6. Simplified unpacking procedure
Load the CI Crypt V0.1 packed file in OllyDbg; it stops at the EP.
BP VirtualAlloc, Shift+F9. After the break, clear the breakpoint and Alt+F9 to return to the stub.
Ctrl+F, search downward for the command: mov ebx,dword ptr ss:[ebp-178]
It is found at 005714EF; F4 to run there, or set a breakpoint and Shift+F9 to break on it.
Now you can dump the process with LordPE; mind the LordPE Task Viewer option described in Part 4.
Dumping here can be called a perfect unpack: the dumped file is essentially the original file before packing.
Game Over