1 00EB1184 kernel32.dll 001F CloseHandle 1 00EB1188 kernel32.dll 02C4 Sleep 1 00EB118C kernel32.dll 011D GetEnvironmentVariableA 1 00EB1190 kernel32.dll 01E0 LoadLibraryA 1 00EB1194 kernel32.dll 0154 GetProcAddress 1 00EB1198 kernel32.dll 0139 GetModuleFileNameA 1 00EB119C kernel32.dll 012A GetFullPathNameA 1 00EB11A0 kernel32.dll 01DE LCMapStringW 1 00EB11A4 kernel32.dll 02DC UnhandledExceptionFilter 1 00EB11A8 kernel32.dll 00C2 FreeEnvironmentStringsA 1 00EB11AC kernel32.dll 00C3 FreeEnvironmentStringsW 1 00EB11B0 kernel32.dll 011A GetEnvironmentStrings 1 00EB11B4 kernel32.dll 011C GetEnvironmentStringsW 1 00EB11B8 kernel32.dll 01F3 LockResource 1 00EB11BC kernel32.dll 0169 GetStdHandle 1 00EB11C0 kernel32.dll 0129 GetFileType 1 00EB11C4 kernel32.dll 0190 GetVersionExA 1 00EB11C8 kernel32.dll 01B9 HeapDestroy 1 00EB11CC kernel32.dll 01B7 HeapCreate 1 00EB11D0 kernel32.dll 02F2 VirtualFree 1 00EB11D4 kernel32.dll 02EF VirtualAlloc 1 00EB11D8 kernel32.dll 016A GetStringTypeA 1 00EB11DC kernel32.dll 016D GetStringTypeW 1 00EB11E0 kernel32.dll 02A9 SetStdHandle 1 00EB11E4 kernel32.dll 00BA FlushFileBuffers 1 00EB11E8 kernel32.dll 00D0 GetCPInfo 1 00EB11EC kernel32.dll 00CA GetACP 1 00EB11F0 kernel32.dll 0147 GetOEMCP 1 00EB11F4 kernel32.dll 028D SetEndOfFile 1 00EB11F8 kernel32.dll 0025 CompareStringA 1 00EB11FC kernel32.dll 010D GetCurrentThreadId 1 00EB1200 kernel32.dll 0026 CompareStringW
FThunk: 00EB1208 NbFunc: 00000001 1 00EB1208 shell32.dll 016F ShellExecuteA
FThunk: 00EB1210 NbFunc: 0000004C 1 00EB1210 user32.dll 01D9 OpenClipboard 1 00EB1214 user32.dll 018B IsClipboardFormatAvailable 1 00EB1218 user32.dll 014A GetSystemMetrics 1 00EB121C user32.dll 019A KillTimer 1 00EB1220 user32.dll 01E2 PeekMessageA 1 00EB1224 user32.dll 0261 SetWindowPos 1 00EB1228 user32.dll 01BF MapWindowPoints 1 00EB122C user32.dll 0161 GetWindowRect 1 00EB1230 user32.dll 01CF MoveWindow 1 00EB1234 user32.dll 003C ClientToScreen 1 00EB1238 user32.dll 0051 CreateDialogParamA 1 00EB123C user32.dll 018C IsDialogMessage 1 00EB1240 user32.dll 018A IsChild 1 00EB1244 user32.dll 0116 GetKeyState 1 00EB1248 user32.dll 010B GetFocus 1 00EB124C user32.dll 0197 IsWindowVisible 1 00EB1250 user32.dll 0157 GetWindow 1 00EB1254 user32.dll 010C GetForegroundWindow 1 00EB1258 user32.dll 020F ScreenToClient 1 00EB125C user32.dll 02B1 WindowFromPoint 1 00EB1260 user32.dll 0100 GetCursorPos 1 00EB1264 user32.dll 0208 ReleaseDC 1 00EB1268 user32.dll 0101 GetDC 1 00EB126C user32.dll 015B GetWindowLongA 1 00EB1270 user32.dll 0194 IsWindow 1 00EB1274 user32.dll 01C3 MessageBeep 1 00EB1278 user32.dll 013E GetPropA 1 00EB127C user32.dll 0139 GetParent 1 00EB1280 user32.dll 00F6 GetClipboardData 1 00EB1284 user32.dll 0017 CallWindowProcA 1 00EB1288 user32.dll 0248 SetPropA 1 00EB128C user32.dll 025E SetWindowLongA 1 00EB1290 user32.dll 0195 IsWindowEnabled 1 00EB1294 user32.dll 0163 GetWindowTextA 1 00EB1298 user32.dll 00BA EnableWindow 1 00EB129C user32.dll 0234 SetFocus 1 00EB12A0 user32.dll 0096 DialogBoxParamA 1 00EB12A4 user32.dll 00BC EndDialog 1 00EB12A8 user32.dll 00E7 GetAsyncKeyState 1 00EB12AC user32.dll 0106 GetDlgItem 1 00EB12B0 user32.dll 0258 SetTimer 1 00EB12B4 user32.dll 01A5 LoadImageA 1 00EB12B8 user32.dll 0219 SendMessageA 1 00EB12BC user32.dll 0059 CreateMenu 1 00EB12C0 user32.dll 0146 GetSubMenu 1 00EB12C4 user32.dll 008A DeleteMenu 1 00EB12C8 user32.dll 0008 AppendMenuA 1 00EB12CC user32.dll 019D LoadBitmapA 1 00EB12D0 user32.dll 00F4 GetClientRect 
1 00EB12D4 user32.dll 00D7 FillRect 1 00EB12D8 user32.dll 0147 GetSysColor 1 00EB12DC user32.dll 00B2 DrawTextA 1 00EB12E0 user32.dll 00BE EndPaint 1 00EB12E4 user32.dll 0160 GetWindowPlacement 1 00EB12E8 user32.dll 0198 IsZoomed 1 00EB12EC user32.dll 01E6 PostQuitMessage 1 00EB12F0 user32.dll 0091 DestroyWindow 1 00EB12F4 user32.dll 0087 DefWindowProcA 1 00EB12F8 user32.dll 01E4 PostMessageA 1 00EB12FC user32.dll 003E CloseClipboard 1 00EB1300 user32.dll 01A3 LoadIconA 1 00EB1304 user32.dll 019F LoadCursorA 1 00EB1308 user32.dll 01F7 RegisterClassA 1 00EB130C user32.dll 005B CreateWindowExA 1 00EB1310 user32.dll 0277 SystemParametersInfoA 1 00EB1314 user32.dll 01C4 MessageBoxA 1 00EB1318 user32.dll 0270 ShowWindow 1 00EB131C user32.dll 0297 UpdateWindow 1 00EB1320 user32.dll 019B LoadAcceleratorsA 1 00EB1324 user32.dll 012E GetMessageA 1 00EB1328 user32.dll 0284 TranslateAccelerator 1 00EB132C user32.dll 0288 TranslateMessage 1 00EB1330 user32.dll 0098 DispatchMessageA 1 00EB1334 user32.dll 01F6 RedrawWindow 1 00EB1338 user32.dll 0264 SetWindowTextA 1 00EB133C user32.dll 000D BeginPaint
FThunk: 00EB1344 NbFunc: 0000000E 1 00EB1344 wsock32.dll 0074 WSACleanup 1 00EB1348 wsock32.dll 0009 htons 1 00EB134C wsock32.dll 0034 gethostbyname 1 00EB1350 wsock32.dll 0013 send 1 00EB1354 wsock32.dll 0004 connect 1 00EB1358 wsock32.dll 0016 shutdown 1 00EB135C wsock32.dll 0003 closesocket 1 00EB1360 wsock32.dll 0008 htonl 1 00EB1364 wsock32.dll 0073 WSAStartup 1 00EB1368 wsock32.dll 0017 socket 1 00EB136C wsock32.dll 0002 bind 1 00EB1370 wsock32.dll 0011 recvfrom 1 00EB1374 wsock32.dll 0010 recv 1 00EB1378 wsock32.dll 006F WSAGetLastError
FThunk: 00EB1380 NbFunc: 00000002 1 00EB1380 comdlg32.dll 0070 GetSaveFileNameA 1 00EB1384 comdlg32.dll 006E GetOpenFileNameA
下面我们再看看 Armadillo 是如何进一步处理这张表的——正是这一步让我们为“API 在 IAT 中不是连续的……”而苦恼。此时只需继续按 F8 单步，很快就会到达下面的循环（在此之前，IAT 中的数据没有任何变化）：
; Armadillo IAT "transform" loop (OllyDbg listing, loop head at 00DF1CE2).
; Per iteration:
;   1. advance the generator state kept at [EBP-1A90]:
;        state = (mul_mod_1e8(state, 0x1DF5E0D) + 1) mod 100000000
;      (0x1DF5E0D = 31415821; with m = 10^8, c = 1 this matches the textbook
;      linear congruential generator from Sedgewick's "Algorithms");
;   2. derive idx = ((state / 10000) * [EBP-13B0]) / 10000, which lies in
;      [0, [EBP-13B0]) because state < 10^8 after step 1;
;   3. rotate the 4-byte entries table[0..idx] (table base at [EBP-150C]) left by
;      one slot: old table[1..idx] -> table[0..idx-1], old table[0] -> table[idx].
; The counter at [EBP-1A94] is incremented before the test and the loop exits
; (unsigned JNB) once it reaches [EBP-1A8C]. Everything is deterministic: for a
; given initial state the resulting permutation is reproducible, and no new
; imports are resolved here - the only external call is MSVCRT.memmove.
; NOTE(review): [EBP-150C] is presumably the IAT copy being shuffled and
; [EBP-13B0] its entry count - confirm against the dump.
00DF1CE2 MOV EAX,DWORD PTR SS:[EBP-1A94]        ; i = loop counter
00DF1CE8 INC EAX
00DF1CE9 MOV DWORD PTR SS:[EBP-1A94],EAX        ; ++i (pre-increment)
00DF1CEF MOV EAX,DWORD PTR SS:[EBP-1A94]
00DF1CF5 CMP EAX,DWORD PTR SS:[EBP-1A8C]        ; i vs. iteration count
00DF1CFB JNB 00DF1D9B                           ; unsigned i >= count -> leave loop
00DF1D01 PUSH 1DF5E0D                           ; arg 2: LCG multiplier 31415821
00DF1D06 PUSH DWORD PTR SS:[EBP-1A90]           ; arg 1: current state
00DF1D0C LEA ECX,DWORD PTR SS:[EBP-1A90]        ; ECX is not used by the callee
00DF1D12 CALL 00DD1071                          ; EAX = (state * 0x1DF5E0D) mod 10^8 (callee listed below)
00DF1D17 INC EAX                                ; + 1 (LCG increment)
00DF1D18 XOR EDX,EDX
00DF1D1A MOV ECX,5F5E100                        ; 100000000
00DF1D1F DIV ECX
00DF1D21 MOV DWORD PTR SS:[EBP-1A90],EDX        ; state = (EAX) mod 10^8
00DF1D27 MOV EAX,DWORD PTR SS:[EBP-1A90]
00DF1D2D XOR EDX,EDX
00DF1D2F MOV ECX,2710                           ; 10000
00DF1D34 DIV ECX                                ; EAX = state / 10000  (< 10000)
00DF1D36 IMUL EAX,DWORD PTR SS:[EBP-13B0]       ; * entry count
00DF1D3D XOR EDX,EDX
00DF1D3F MOV ECX,2710
00DF1D44 DIV ECX                                ; / 10000 -> idx in [0, count)
00DF1D46 MOV DWORD PTR SS:[EBP-1A9C],EAX        ; save idx
00DF1D4C MOV EAX,DWORD PTR SS:[EBP-150C]        ; table base
00DF1D52 MOV EAX,DWORD PTR DS:[EAX]
00DF1D54 MOV DWORD PTR SS:[EBP-1A98],EAX        ; saved = table[0]
00DF1D5A MOV EAX,DWORD PTR SS:[EBP-1A9C]
00DF1D60 LEA EAX,DWORD PTR DS:[EAX*4+4]         ; byte count = (idx + 1) * 4
00DF1D67 PUSH EAX                               ; memmove size
00DF1D68 MOV EAX,DWORD PTR SS:[EBP-150C]
00DF1D6E ADD EAX,4
00DF1D71 PUSH EAX                               ; src = &table[1]
00DF1D72 PUSH DWORD PTR SS:[EBP-150C]           ; dst = &table[0]
00DF1D78 CALL DWORD PTR DS:[DF82D8]             ; MSVCRT.memmove - shifts table[1..idx+1] down one slot
                                                ; (the extra dword copied into table[idx] is overwritten below,
                                                ;  so the read of table[idx+1] is the only thing that touches it)
00DF1D7E ADD ESP,0C                             ; cdecl: caller cleans 3 args
00DF1D81 MOV EAX,DWORD PTR SS:[EBP-1A9C]
00DF1D87 MOV ECX,DWORD PTR SS:[EBP-150C]
00DF1D8D MOV EDX,DWORD PTR SS:[EBP-1A98]
00DF1D93 MOV DWORD PTR DS:[ECX+EAX*4],EDX       ; table[idx] = saved (completes the rotation)
00DF1D96 JMP 00DF1CE2                           ; next iteration
00DF1D9B PUSH DWORD PTR SS:[EBP-13AC]           ; reached from 00DF1CFB once the IAT transform is done
这就是arma对 iat“变换”的完整代码,这段代码中除MSVCRT.memmove外只在0DF1D12调用了下面 这个函数,显然此时arma并未导入其它 api函数。
; 00DD1071: stdcall helper  mul_mod_1e8(a = [EBP+8], b = [EBP+C]) -> EAX.
; Computes (a * b) mod 100000000 without overflowing 32 bits by splitting both
; operands into base-10000 halves:
;   a = a_hi*10000 + a_lo,   b = b_hi*10000 + b_lo
;   EAX = ( ((a_hi*b_lo + a_lo*b_hi) mod 10000) * 10000 + a_lo*b_lo ) mod 10^8
; The a_hi*b_hi*10^8 term vanishes modulo 10^8, so this equals a*b mod 10^8 for
; non-negative operands (the splits use IDIV, i.e. signed division, so negative
; inputs would not yield the modular product). Preserves EBX/ESI/EDI, uses
; [EBP-4] as a scratch slot for a_lo, and ignores the ECX value the caller loads.
; This is the overflow-safe "mult" of the classic Sedgewick LCG; the caller adds 1
; and reduces mod 10^8 to get  x' = (31415821 * x + 1) mod 10^8.
00DD1071 PUSH EBP
00DD1072 MOV EBP,ESP
00DD1074 PUSH ECX                               ; reserve [EBP-4]
00DD1075 MOV EAX,DWORD PTR SS:[EBP+8]           ; a
00DD1078 PUSH EBX
00DD1079 MOV ECX,2710                           ; 10000
00DD107E PUSH ESI
00DD107F CDQ
00DD1080 MOV ESI,ECX
00DD1082 PUSH EDI
00DD1083 IDIV ESI                               ; EAX = a_hi, EDX = a_lo
00DD1085 MOV EAX,DWORD PTR SS:[EBP+C]           ; b
00DD1088 MOV EDI,ECX
00DD108A MOV EBX,ECX                            ; EDI = EBX = 10000
00DD108C MOV DWORD PTR SS:[EBP-4],EDX           ; [EBP-4] = a_lo
00DD108F CDQ
00DD1090 IDIV ESI                               ; EAX = b_hi, EDX = b_lo
00DD1092 MOV EAX,DWORD PTR SS:[EBP+8]           ; a again
00DD1095 MOV ESI,EDX                            ; ESI = b_lo
00DD1097 CDQ
00DD1098 IDIV EDI                               ; EAX = a_hi (recomputed)
00DD109A MOV EDI,EAX                            ; EDI = a_hi
00DD109C MOV EAX,DWORD PTR SS:[EBP+C]           ; b again
00DD109F CDQ
00DD10A0 IMUL EDI,ESI                           ; EDI = a_hi * b_lo
00DD10A3 IDIV EBX                               ; EAX = b_hi
00DD10A5 IMUL ESI,DWORD PTR SS:[EBP-4]          ; ESI = b_lo * a_lo
00DD10A9 XOR EDX,EDX
00DD10AB IMUL EAX,DWORD PTR SS:[EBP-4]          ; EAX = b_hi * a_lo
00DD10AF ADD EAX,EDI                            ; cross = a_hi*b_lo + a_lo*b_hi
00DD10B1 POP EDI
00DD10B2 DIV ECX                                ; EDX = cross mod 10000 (ECX is still 10000)
00DD10B4 MOV ECX,5F5E100                        ; 100000000
00DD10B9 MOV EAX,EDX
00DD10BB XOR EDX,EDX
00DD10BD IMUL EAX,EAX,2710                      ; (cross mod 10000) * 10000
00DD10C3 ADD EAX,ESI                            ; + a_lo * b_lo
00DD10C5 POP ESI
00DD10C6 DIV ECX                                ; EDX = sum mod 10^8
00DD10C8 POP EBX
00DD10C9 MOV EAX,EDX                            ; return value
00DD10CB LEAVE
00DD10CC RETN 8                                 ; stdcall: callee pops both args
当程序停在 0DF1D9B 时，再次用 ImportREC 处理从 12B1008 开始的数据，会看到此时 Size 需要设为 580，区块内出现了不少无效指针。仔细选中这些无效指针并 Cut 掉之后，得到的数据与用 tDasm 得到的完全一致——当然，API 在 IAT 中仍然是“不连续”的。呵呵，这不过是 Armadillo 精心设计的又一种 IAT 加密手段而已！需要注意的是：上面的变换只是由一个固定乘数（0x1DF5E0D = 31415821，模 10^8）的线性同余生成器驱动的确定性置换，并没有解析任何新的 API；因此只要在循环退出（0DF1D9B）之后再转储，同一初始种子下得到的布局是可重复的，那些无效指针也可以放心剪掉。