OS: Windows 2000, OD (OllyDbg) 1.1b. OD settings: under Exceptions, check everything except "Memory access violation".
The purpose of this article is to clarify how the Armadillo 3.6 main program handles the IAT.
To borrow a line from fxyang: "The earlier steps are all routine by now, no need for me to spell them out..." Once the program breaks at the entry of OpenMutexA, press Ctrl+G, go to 401000 and type in:

pusha
push edx
push 0
push 0
call CreateMutexA
popa
jmp OpenMutexA

Put the cursor on 401000, press Ctrl+Gray * (new origin here), then F9. The program will raise an exception at mov [eax],eax. Press Shift+F9 repeatedly (13 times in total) until a pointer to the string "WSOCK32.DLL" appears in the stack window. Set bp 0DF18A7, press Shift+F9 again, and you land in the IAT-processing code shown in the listing below. Modify two places (0DF1A5B and 0DF1A8F), remove the 0DF18A7 breakpoint, then set bp LoadLibraryA so that we get a chance to act once Arma has finished importing the APIs, tick "Memory access violation" in the OD options, and press F9 to run the program...

00DF18A7 PUSH 1
00DF18A9 POP EAX
00DF18AA TEST EAX,EAX
00DF18AC JE 00DF1B71
00DF18B2 AND WORD PTR SS:[EBP-1978],0
00DF18BA AND DWORD PTR SS:[EBP-1980],0
00DF18C1 AND DWORD PTR SS:[EBP-197C],0
00DF18C8 MOV EAX,DWORD PTR SS:[EBP-137C]
00DF18CE MOVSX EAX,BYTE PTR DS:[EAX]
00DF18D1 TEST EAX,EAX
00DF18D3 JNZ SHORT 00DF1919
00DF18D5 LEA ECX,DWORD PTR SS:[EBP-13BC]
00DF18DB CALL 00DD1040
00DF18E0 MOVZX EAX,AL
00DF18E3 CDQ
00DF18E4 PUSH 14
00DF18E6 POP ECX
00DF18E7 IDIV ECX
00DF18E9 MOV EAX,DWORD PTR SS:[EBP-13E0]
00DF18EF MOV ECX,DWORD PTR SS:[EBP+EDX*4-155C]
00DF18F6 MOV DWORD PTR DS:[EAX],ECX
00DF18F8 MOV EAX,DWORD PTR SS:[EBP-13E0]
00DF18FE ADD EAX,4
00DF1901 MOV DWORD PTR SS:[EBP-13E0],EAX
00DF1907 MOV EAX,DWORD PTR SS:[EBP-137C]
00DF190D INC EAX
00DF190E MOV DWORD PTR SS:[EBP-137C],EAX
00DF1914 JMP 00DF1B71
00DF1919 MOV EAX,DWORD PTR SS:[EBP-137C]
00DF191F MOVZX EAX,BYTE PTR DS:[EAX]
00DF1922 CMP EAX,0FF
00DF1927 JNZ 00DF19B7
00DF192D MOV EAX,DWORD PTR SS:[EBP-137C]
00DF1933 INC EAX
00DF1934 MOV DWORD PTR SS:[EBP-137C],EAX
00DF193A MOV EAX,DWORD PTR SS:[EBP-137C]
00DF1940 MOV AX,WORD PTR DS:[EAX]
00DF1943 MOV WORD PTR SS:[EBP-1978],AX
00DF194A MOV EAX,DWORD PTR SS:[EBP-137C]
00DF1950 INC EAX
00DF1951 INC EAX
00DF1952 MOV DWORD PTR SS:[EBP-137C],EAX
00DF1958 CMP DWORD PTR SS:[EBP-1748],0
00DF195F JE SHORT 00DF19B2
00DF1961 MOV EAX,DWORD PTR SS:[EBP-1748]
00DF1967 MOV DWORD PTR SS:[EBP-1984],EAX
00DF196D JMP SHORT 00DF197E
00DF196F MOV EAX,DWORD PTR SS:[EBP-1984]
00DF1975 ADD EAX,0C
00DF1978 MOV DWORD PTR SS:[EBP-1984],EAX
00DF197E MOV EAX,DWORD PTR SS:[EBP-1984]
00DF1984 CMP DWORD PTR DS:[EAX+8],0
00DF1988 JE SHORT 00DF19B2
00DF198A MOVZX EAX,WORD PTR SS:[EBP-1978]
00DF1991 MOV ECX,DWORD PTR SS:[EBP-1984]
00DF1997 MOVZX ECX,WORD PTR DS:[ECX+4]
00DF199B CMP EAX,ECX
00DF199D JNZ SHORT 00DF19B0
00DF199F MOV EAX,DWORD PTR SS:[EBP-1984]
00DF19A5 MOV EAX,DWORD PTR DS:[EAX+8]
00DF19A8 MOV DWORD PTR SS:[EBP-197C],EAX
00DF19AE JMP SHORT 00DF19B2
00DF19B0 JMP SHORT 00DF196F
00DF19B2 JMP 00DF1A54
00DF19B7 MOV EAX,DWORD PTR SS:[EBP-137C]
00DF19BD MOV DWORD PTR SS:[EBP-1980],EAX
00DF19C3 PUSH 0
00DF19C5 PUSH DWORD PTR SS:[EBP-137C]
00DF19CB CALL DWORD PTR DS:[DF82C8] ; MSVCRT.strchr
00DF19D1 POP ECX
00DF19D2 POP ECX
00DF19D3 INC EAX
00DF19D4 MOV DWORD PTR SS:[EBP-137C],EAX
00DF19DA CMP DWORD PTR SS:[EBP-1748],0
00DF19E1 JE SHORT 00DF1A54
00DF19E3 MOV EAX,DWORD PTR SS:[EBP-1748]
00DF19E9 MOV DWORD PTR SS:[EBP-1988],EAX
00DF19EF JMP SHORT 00DF1A00
00DF19F1 MOV EAX,DWORD PTR SS:[EBP-1988]
00DF19F7 ADD EAX,0C
00DF19FA MOV DWORD PTR SS:[EBP-1988],EAX
00DF1A00 MOV EAX,DWORD PTR SS:[EBP-1988]
00DF1A06 CMP DWORD PTR DS:[EAX+8],0
00DF1A0A JE SHORT 00DF1A54
00DF1A0C PUSH 100
00DF1A11 LEA EAX,DWORD PTR SS:[EBP-1A88]
00DF1A17 PUSH EAX
00DF1A18 MOV EAX,DWORD PTR SS:[EBP-1988]
00DF1A1E PUSH DWORD PTR DS:[EAX]
00DF1A20 CALL 00DD604D
00DF1A25 ADD ESP,0C
00DF1A28 LEA EAX,DWORD PTR SS:[EBP-1A88]
00DF1A2E PUSH EAX
00DF1A2F PUSH DWORD PTR SS:[EBP-1980]
00DF1A35 CALL DWORD PTR DS:[DF8334] ; MSVCRT._stricmp
00DF1A3B POP ECX
00DF1A3C POP ECX
00DF1A3D TEST EAX,EAX
00DF1A3F JNZ SHORT 00DF1A52
00DF1A41 MOV EAX,DWORD PTR SS:[EBP-1988]
00DF1A47 MOV EAX,DWORD PTR DS:[EAX+8]
00DF1A4A MOV DWORD PTR SS:[EBP-197C],EAX
00DF1A50 JMP SHORT 00DF1A54
00DF1A52 JMP SHORT 00DF19F1
00DF1A54 CMP DWORD PTR SS:[EBP-197C],0
00DF1A5B JNZ SHORT 00DF1A9C ; nop this out
00DF1A5D MOVZX EAX,WORD PTR SS:[EBP-1978]
00DF1A64 TEST EAX,EAX
00DF1A66 JE SHORT 00DF1A77
00DF1A68 MOVZX EAX,WORD PTR SS:[EBP-1978]
00DF1A6F MOV DWORD PTR SS:[EBP-2E38],EAX
00DF1A75 JMP SHORT 00DF1A83
00DF1A77 MOV EAX,DWORD PTR SS:[EBP-1980]
00DF1A7D MOV DWORD PTR SS:[EBP-2E38],EAX
00DF1A83 PUSH DWORD PTR SS:[EBP-2E38]
00DF1A89 PUSH DWORD PTR SS:[EBP-1744]
00DF1A8F CALL 00DD7EC6 ; call GetProcAddress
00DF1A94 POP ECX ; nop
00DF1A95 POP ECX ; nop
00DF1A96 MOV DWORD PTR SS:[EBP-197C],EAX
00DF1A9C CMP DWORD PTR SS:[EBP-197C],0
00DF1AA3 JNZ 00DF1B41
00DF1AA9 MOVZX EAX,WORD PTR SS:[EBP-1978]
00DF1AB0 TEST EAX,EAX
00DF1AB2 JE SHORT 00DF1B08
00DF1AB4 CALL DWORD PTR DS:[DF80D4] ; KERNEL32.GetLastError
00DF1ABA CMP EAX,32
00DF1ABD JNZ SHORT 00DF1ACB
00DF1ABF MOV DWORD PTR SS:[EBP-197C],0DD7EBB
00DF1AC9 JMP SHORT 00DF1B06
00DF1ACB MOV EAX,DWORD PTR SS:[EBP+8]
00DF1ACE MOV EAX,DWORD PTR DS:[EAX]
00DF1AD0 MOV DWORD PTR DS:[EAX],3
00DF1AD6 CALL DWORD PTR DS:[DF80D4] ; KERNEL32.GetLastError
00DF1ADC PUSH EAX
00DF1ADD MOVZX EAX,WORD PTR SS:[EBP-1978]
00DF1AE4 PUSH EAX
00DF1AE5 PUSH DWORD PTR SS:[EBP-1860]
00DF1AEB PUSH 0DFE510 ; ASCII "File "%s", ordinal %d (error %d)"
00DF1AF0 MOV EAX,DWORD PTR SS:[EBP+8]
00DF1AF3 PUSH DWORD PTR DS:[EAX+4]
00DF1AF6 CALL DWORD PTR DS:[DF82C4] ; MSVCRT.sprintf
00DF1AFC ADD ESP,14
00DF1AFF XOR EAX,EAX
00DF1B01 JMP 00DF2AEE
00DF1B06 JMP SHORT 00DF1B41
00DF1B08 MOV EAX,DWORD PTR SS:[EBP+8]
00DF1B0B MOV EAX,DWORD PTR DS:[EAX]
00DF1B0D MOV DWORD PTR DS:[EAX],3
00DF1B13 CALL DWORD PTR DS:[DF80D4] ; KERNEL32.GetLastError
00DF1B19 PUSH EAX
00DF1B1A PUSH DWORD PTR SS:[EBP-1980]
00DF1B20 PUSH DWORD PTR SS:[EBP-1860]
00DF1B26 PUSH 0DFE4EC ; ASCII "File "%s", function "%s" (error %d)"
00DF1B2B MOV EAX,DWORD PTR SS:[EBP+8]
00DF1B2E PUSH DWORD PTR DS:[EAX+4]
00DF1B31 CALL DWORD PTR DS:[DF82C4] ; MSVCRT.sprintf
00DF1B37 ADD ESP,14
00DF1B3A XOR EAX,EAX
00DF1B3C JMP 00DF2AEE
00DF1B41 MOV EAX,DWORD PTR SS:[EBP-13E0]
00DF1B47 CMP EAX,DWORD PTR SS:[EBP-1394]
00DF1B4D JNB SHORT 00DF1B6C
00DF1B4F MOV EAX,DWORD PTR SS:[EBP-13E0]
00DF1B55 MOV ECX,DWORD PTR SS:[EBP-197C]
00DF1B5B MOV DWORD PTR DS:[EAX],ECX ; set a one-shot breakpoint here to locate the IAT
00DF1B5D MOV EAX,DWORD PTR SS:[EBP-13E0]
00DF1B63 ADD EAX,4
00DF1B66 MOV DWORD PTR SS:[EBP-13E0],EAX
00DF1B6C JMP 00DF18A7
00DF1B71 CMP DWORD PTR SS:[EBP-150C],0
00DF1B78 JNZ 00DF1C08
00DF1B7E MOVZX EAX,BYTE PTR SS:[EBP-1750]
00DF1B85 TEST EAX,EAX
00DF1B87 JE SHORT 00DF1C08
00DF1B89 PUSH 0
00DF1B8B MOV EAX,DWORD PTR SS:[EBP-174C]
00DF1B91 SHL EAX,2
00DF1B94 PUSH EAX
00DF1B95 MOV EAX,DWORD PTR SS:[EBP-14E4] ; Armadill.00400000
00DF1B9B ADD EAX,DWORD PTR SS:[EBP-1754]
00DF1BA1 PUSH EAX
00DF1BA2 CALL 00DF34E5
00DF1BA7 ADD ESP,0C
00DF1BAA MOV EAX,DWORD PTR SS:[EBP-174C]
00DF1BB0 SHL EAX,2
00DF1BB3 PUSH EAX
00DF1BB4 PUSH DWORD PTR SS:[EBP-138C]
00DF1BBA MOV EAX,DWORD PTR SS:[EBP-14E4] ; Armadill.00400000
00DF1BC0 ADD EAX,DWORD PTR SS:[EBP-1754]
00DF1BC6 PUSH EAX
00DF1BC7 CALL 00DF7A54 ; JMP to MSVCRT.memcpy
00DF1BCC ADD ESP,0C
00DF1BCF PUSH 1
00DF1BD1 MOV EAX,DWORD PTR SS:[EBP-174C]
00DF1BD7 SHL EAX,2
00DF1BDA PUSH EAX
00DF1BDB MOV EAX,DWORD PTR SS:[EBP-14E4] ; Armadill.00400000
00DF1BE1 ADD EAX,DWORD PTR SS:[EBP-1754]
00DF1BE7 PUSH EAX
00DF1BE8 CALL 00DF34E5
00DF1BED ADD ESP,0C
00DF1BF0 MOV EAX,DWORD PTR SS:[EBP-138C]
00DF1BF6 MOV DWORD PTR SS:[EBP-2C04],EAX
00DF1BFC PUSH DWORD PTR SS:[EBP-2C04]
00DF1C02 CALL 00DF7A4E ; JMP to MSVCRT.??3@YAXPAX@Z
00DF1C07 POP ECX
00DF1C08 CMP DWORD PTR SS:[EBP-150C],0
00DF1C0F JNZ SHORT 00DF1C3B
00DF1C11 LEA EAX,DWORD PTR SS:[EBP-1758]
00DF1C17 PUSH EAX
00DF1C18 PUSH DWORD PTR SS:[EBP-1758]
00DF1C1E MOV EAX,DWORD PTR SS:[EBP-174C]
00DF1C24 SHL EAX,2
00DF1C27 PUSH EAX
00DF1C28 MOV EAX,DWORD PTR SS:[EBP-14E4] ; Armadill.00400000
00DF1C2E ADD EAX,DWORD PTR SS:[EBP-1754]
00DF1C34 PUSH EAX
00DF1C35 CALL DWORD PTR DS:[DF8134] ; KERNEL32.VirtualProtect
00DF1C3B JMP 00DF14BE
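To make the loop above easier to follow, here is a small Python model of it, written for this page by the editor (it is not Armadillo's code and not from the original post). It reconstructs, from the listing alone, the record stream the EBP-137C cursor walks (a 0xFF marker followed by a 16-bit ordinal, a NUL-terminated name, or a 0x00 byte ending the DLL's list), the 12-byte-entry redirect table at EBP-1748 (a name pointer, an ordinal word at +4 and a target at +8, with a zero target ending the table), the fall-through to GetProcAddress, and the filler dword that replaces the terminating slot. The table layout, the idea that CALL 00DD1040 supplies the filler index, and every address and name in the sample data are assumptions or constructed values; the `patched` flag models the NOP at 00DF1A5B so the real address is always fetched.

```python
import struct

# Record tags as read by the loop at 00DF18A7 (reconstructed from the listing;
# this is a model written for this page, not Armadillo's own code).
ORDINAL_MARK = 0xFF       # CMP EAX,0FF: next two bytes are a little-endian ordinal
END_MARK = 0x00           # TEST EAX,EAX / JNZ: end of this DLL's list
FILLER_TABLE_SIZE = 0x14  # PUSH 14 / IDIV ECX: 20-entry filler table at EBP-155C


def walk_records(buf, pos=0):
    """Parse one DLL's record list starting at buf[pos] (the EBP-137C cursor).

    Returns (records, next_pos): each record is ('ordinal', n) or ('name', s),
    and next_pos is the byte just past the 0x00 terminator.
    """
    records = []
    while True:
        tag = buf[pos]
        if tag == END_MARK:
            return records, pos + 1
        if tag == ORDINAL_MARK:
            (ordinal,) = struct.unpack_from('<H', buf, pos + 1)  # MOV AX,WORD PTR [EAX]
            records.append(('ordinal', ordinal))
            pos += 3                                             # marker + two INC EAX
        else:
            end = buf.index(b'\0', pos)                          # strchr(p, 0)
            records.append(('name', buf[pos:end].decode('ascii')))
            pos = end + 1                                        # INC EAX past the NUL


def lookup_redirect(table, record):
    """Model of the table at EBP-1748 (assumed layout: name, ordinal, target).

    A target of 0 ends the table (CMP DWORD PTR [EAX+8],0). Ordinal records
    compare the WORD at +4; name records compare case-insensitively (_stricmp).
    """
    kind, value = record
    for entry in table:
        if entry['target'] == 0:
            break
        if kind == 'ordinal' and entry['ordinal'] == value:
            return entry['target']
        if kind == 'name' and entry['name'].lower() == value.lower():
            return entry['target']
    return 0


def build_iat(buf, exports, redirect_table, filler_table, filler_index, patched=False):
    """Produce the dwords the loop writes through the EBP-13E0 cursor.

    exports stands in for GetProcAddress on the module in EBP-1744: a dict
    from function name or ordinal to address. patched=True models the edit
    from the text (JNZ at 00DF1A5B NOPed): GetProcAddress is called even
    when the redirect table had a hit, so the real address wins.
    """
    records, next_pos = walk_records(buf)
    iat = []
    for kind, value in records:
        addr = lookup_redirect(redirect_table, (kind, value))
        if addr == 0 or patched:
            addr = exports.get(value, 0)
        if addr == 0:
            # 00DF1AA9 onward: sprintf("File \"%s\", ...") and bail out
            raise LookupError('unresolved %s %r' % (kind, value))
        iat.append(addr)
    # END_MARK: the terminating slot is not left as 0 but filled from the
    # 20-entry table (index assumed to come from CALL 00DD1040, mod 0x14),
    # which is why ImportREC shows an invalid pointer after each DLL group.
    iat.append(filler_table[filler_index % FILLER_TABLE_SIZE])
    return iat, next_pos


def flush_to_image(image, rva, iat):
    """Model of the memcpy at 00DF1BC7: write the dwords at imagebase+rva."""
    struct.pack_into('<%dI' % len(iat), image, rva, *iat)
    return image


# --- constructed sample data (made-up addresses, not from any real binary) ---
SAMPLE_RECORDS = (b'GetModuleHandleA\0'
                  + bytes([ORDINAL_MARK]) + struct.pack('<H', 0x013B)
                  + b'CreateFileA\0'
                  + bytes([END_MARK]))
SAMPLE_EXPORTS = {'GetModuleHandleA': 0x7C80B741, 0x013B: 0x7C80B741,
                  'CreateFileA': 0x7C801A28}
SAMPLE_REDIRECTS = [{'name': 'getmodulehandlea', 'ordinal': 0, 'target': 0x00DD7F00},
                    {'name': '', 'ordinal': 0x013B, 'target': 0x00DD7F10},
                    {'name': '', 'ordinal': 0, 'target': 0}]  # terminator
SAMPLE_FILLERS = [0x00DE0000 + 0x10 * i for i in range(FILLER_TABLE_SIZE)]

if __name__ == '__main__':
    for mode in (False, True):
        iat, _ = build_iat(SAMPLE_RECORDS, SAMPLE_EXPORTS, SAMPLE_REDIRECTS,
                           SAMPLE_FILLERS, filler_index=7, patched=mode)
        print('patched' if mode else 'stock  ', [hex(a) for a in iat])
```

Running it prints the stock result (two redirect stubs, one real address, one filler) next to the patched result (three real addresses, one filler), which is the difference the two edits at 0DF1A5B and 0DF1A8F make. The error paths from 00DF1AA9 on (the GetLastError==32 stub and the sprintf messages) are collapsed into a single LookupError here.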
When the program breaks at 00DF1B5B, remove that breakpoint; the EAX value at that moment lets us locate the IAT, which in my case is around 12B1000. Keep pressing F9 until LoadLibraryA is about to load shell32.dll; at that point set the breakpoint on 00DF1B5B again, press F9, and once it breaks at 00DF1B5B, F8 over that instruction. Done, the API import is complete! Process the data at 12B1008~12B1388 (size=380) with ImportREC, cut the invalid pointers inside that block, and we get a neatly ordered IAT, with none of the pointers encrypted, of course!

FThunk: 00EB1008 NbFunc: 00000009
1 00EB1008 advapi32.dll 018C RegDeleteKeyA
1 00EB100C advapi32.dll 01A7 RegQueryValueA
1 00EB1010 advapi32.dll 019E RegOpenKeyExA
1 00EB1014 advapi32.dll 01B3 RegSetValueExA
1 00EB1018 advapi32.dll 018E RegDeleteValueA
1 00EB101C advapi32.dll 0189 RegCreateKeyExA
1 00EB1020 advapi32.dll 01A8 RegQueryValueExA
1 00EB1024 advapi32.dll 0185 RegCloseKey
1 00EB1028 advapi32.dll 0191 RegEnumKeyA

FThunk: 00EB1030 NbFunc: 00000004
1 00EB1030 comctl32.dll 003F ImageList_LoadImage
1 00EB1034 comctl32.dll 002C ImageList_Create
1 00EB1038 comctl32.dll 0046 ImageList_ReplaceIcon
1 00EB103C comctl32.dll 0011 InitCommonControls

FThunk: 00EB1044 NbFunc: 00000015
1 00EB1044 gdi32.dll 01D0 SelectPalette
1 00EB1048 gdi32.dll 002D CreateDCA
1 00EB104C gdi32.dll 0046 CreatePen
1 00EB1050 gdi32.dll 01B4 RealizePalette
1 00EB1054 gdi32.dll 01D6 SetBkMode
1 00EB1058 gdi32.dll 0032 CreateDIBitmap
1 00EB105C gdi32.dll 0052 DeleteDC
1 00EB1060 gdi32.dll 002C CreateCompatibleDC
1 00EB1064 gdi32.dll 0013 BitBlt
1 00EB1068 gdi32.dll 0168 GetStockObject
1 00EB106C gdi32.dll 004F CreateSolidBrush
1 00EB1070 gdi32.dll 01AE Polygon
1 00EB1074 gdi32.dll 0192 MoveToEx
1 00EB1078 gdi32.dll 018E LineTo
1 00EB107C gdi32.dll 0039 CreateFontIndirectA
1 00EB1080 gdi32.dll 01CF SelectObject
1 00EB1084 gdi32.dll 01D5 SetBkColor
1 00EB1088 gdi32.dll 01FB SetTextColor
1 00EB108C gdi32.dll 0044 CreatePalette
1 00EB1090 gdi32.dll 0055 DeleteObject
1 00EB1094 gdi32.dll 017F GetTextMetricsA

FThunk: 00EB109C NbFunc: 0000005A
1 00EB109C kernel32.dll 0303 WinExec
1 00EB10A0 kernel32.dll 0165 GetShortPathNameA
1 00EB10A4 kernel32.dll 025C SearchPathA
1 00EB10A8 kernel32.dll 005D DeleteFileA
1 00EB10AC kernel32.dll 017F GetTempPathA
1 00EB10B0 kernel32.dll 014D GetPrivateProfileSectionNamesA
1 00EB10B4 kernel32.dll 0150 GetPrivateProfileStringA
1 00EB10B8 kernel32.dll 0314 WritePrivateProfileStringA
1 00EB10BC kernel32.dll 0296 SetFilePointer
1 00EB10C0 kernel32.dll 023E ReadFile
1 00EB10C4 kernel32.dll 0038 CreateFileA
1 00EB10C8 kernel32.dll 00A0 FindClose
1 00EB10CC kernel32.dll 00A4 FindFirstFileA
1 00EB10D0 kernel32.dll 002C CopyFileA
1 00EB10D4 kernel32.dll 030F WriteFile
1 00EB10D8 kernel32.dll 01FC MoveFileA
1 00EB10DC kernel32.dll 0130 GetLocalTime
1 00EB10E0 kernel32.dll 0126 GetFileSize
1 00EB10E4 kernel32.dll 004E CreateThread
1 00EB10E8 kernel32.dll 013B GetModuleHandleA
1 00EB10EC kernel32.dll 008E ExitThread
1 00EB10F0 kernel32.dll 0108 GetCurrentDirectoryA
1 00EB10F4 kernel32.dll 02DF UnmapViewOfFile
1 00EB10F8 kernel32.dll 01F6 MapViewOfFile
1 00EB10FC kernel32.dll 0039 CreateFileMappingA
1 00EB1100 kernel32.dll 01AF GlobalUnlock
1 00EB1104 kernel32.dll 01A8 GlobalLock
1 00EB1108 kernel32.dll 0043 CreateMutexA
1 00EB110C kernel32.dll 028E SetEnvironmentVariableA
1 00EB1110 kernel32.dll 0187 GetTickCount
1 00EB1114 kernel32.dll 008D ExitProcess
1 00EB1118 kernel32.dll 01DF LeaveCriticalSection
1 00EB111C kernel32.dll 0070 EnterCriticalSection
1 00EB1120 kernel32.dll 01C6 InitializeCriticalSection
1 00EB1124 kernel32.dll 005B DeleteCriticalSection
1 00EB1128 kernel32.dll 01F3 LockResource
1 00EB112C kernel32.dll 01E5 LoadResource
1 00EB1130 kernel32.dll 02C3 SizeofResource
1 00EB1134 kernel32.dll 00B3 FindResourceA
1 00EB1138 kernel32.dll 017D GetTempFileNameA
1 00EB113C kernel32.dll 01DD LCMapStringA
1 00EB1140 kernel32.dll 0203 MultiByteToWideChar
1 00EB1144 kernel32.dll 0302 WideCharToMultiByte
1 00EB1148 kernel32.dll 01BF HeapSize
1 00EB114C kernel32.dll 010A GetCurrentProcess
1 00EB1150 kernel32.dll 02CC TerminateProcess
1 00EB1154 kernel32.dll 01BE HeapReAlloc
1 00EB1158 kernel32.dll 01BB HeapFree
1 00EB115C kernel32.dll 01B5 HeapAlloc
1 00EB1160 kernel32.dll 018F GetVersion
1 00EB1164 kernel32.dll 00DB GetCommandLineA
1 00EB1168 kernel32.dll 0167 GetStartupInfoA
1 00EB116C kernel32.dll 0258 RtlUnwind
1 00EB1170 kernel32.dll 0175 GetSystemTime
1 00EB1174 kernel32.dll 018A GetTimeZoneInformation
1 00EB1178 kernel32.dll 0048 CreateProcessA
1 00EB117C kernel32.dll 012E GetLastError
1 00EB1180 kernel32.dll 0255 ResumeThread
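Before committing a dump like the one above with ImportREC, it is worth checking that it is internally consistent. The checker below is an added example written for this page (not part of the original post and not ImportREC's code): it parses the tree dump format, verifies that each group's entry count matches NbFunc, that thunks run in consecutive dwords from FThunk, that every entry is marked valid, and that consecutive DLL groups are separated by exactly one dword, which is the filler slot that got cut (0EB102C and 0EB1040 in the dump above). The sample input is the first two complete groups copied from the dump above; the one-dword gap rule is an assumption that matches a normal PE import table, where each DLL's thunks end in a single zero dword.

```python
import re

# ImportREC tree-dump line shapes, e.g.
#   FThunk: 00EB1008 NbFunc: 00000009
#   1 00EB1008 advapi32.dll 018C RegDeleteKeyA
HEADER_RE = re.compile(r'FThunk:\s*([0-9A-Fa-f]{8})\s+NbFunc:\s*([0-9A-Fa-f]{8})')
ENTRY_RE = re.compile(r'^\s*([01])\s+([0-9A-Fa-f]{8})\s+(\S+)\s+([0-9A-Fa-f]{4})\s+(\S+)\s*$')


def parse_importrec_dump(text):
    """Split an ImportREC tree dump into blocks, one per FThunk header."""
    blocks = []
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            blocks.append({'fthunk': int(m.group(1), 16),
                           'nbfunc': int(m.group(2), 16), 'entries': []})
            continue
        m = ENTRY_RE.match(line)
        if m and blocks:
            blocks[-1]['entries'].append({
                'valid': m.group(1) == '1', 'thunk': int(m.group(2), 16),
                'dll': m.group(3), 'ordinal': int(m.group(4), 16),
                'name': m.group(5)})
    return blocks


def check_blocks(blocks):
    """Return a list of problems; an empty list means the dump is consistent.

    Checks: entry count equals NbFunc, thunks are consecutive dwords from
    FThunk, every entry is marked valid, and consecutive DLL groups are
    separated by exactly one dword (assumed: the cut filler/terminator slot).
    """
    problems = []
    for i, b in enumerate(blocks):
        if len(b['entries']) != b['nbfunc']:
            problems.append('FThunk %08X: NbFunc=%X but %d entries'
                            % (b['fthunk'], b['nbfunc'], len(b['entries'])))
        for k, e in enumerate(b['entries']):
            expected = b['fthunk'] + 4 * k
            if e['thunk'] != expected:
                problems.append('FThunk %08X: entry %d at %08X, expected %08X'
                                % (b['fthunk'], k, e['thunk'], expected))
            if not e['valid']:
                problems.append('FThunk %08X: %s not resolved'
                                % (b['fthunk'], e['name']))
        if i + 1 < len(blocks):
            gap = blocks[i + 1]['fthunk'] - (b['fthunk'] + 4 * len(b['entries']))
            if gap != 4:
                problems.append('gap of %d bytes between %08X and %08X groups'
                                % (gap, b['fthunk'], blocks[i + 1]['fthunk']))
    return problems


def iat_span(blocks):
    """(start, end, size) covering all groups; end is exclusive."""
    start = blocks[0]['fthunk']
    last = blocks[-1]
    end = last['fthunk'] + 4 * len(last['entries'])
    return start, end, end - start


# The first two complete DLL groups from the dump above, used as sample input.
SAMPLE_DUMP = """\
FThunk: 00EB1008 NbFunc: 00000009
1 00EB1008 advapi32.dll 018C RegDeleteKeyA
1 00EB100C advapi32.dll 01A7 RegQueryValueA
1 00EB1010 advapi32.dll 019E RegOpenKeyExA
1 00EB1014 advapi32.dll 01B3 RegSetValueExA
1 00EB1018 advapi32.dll 018E RegDeleteValueA
1 00EB101C advapi32.dll 0189 RegCreateKeyExA
1 00EB1020 advapi32.dll 01A8 RegQueryValueExA
1 00EB1024 advapi32.dll 0185 RegCloseKey
1 00EB1028 advapi32.dll 0191 RegEnumKeyA
FThunk: 00EB1030 NbFunc: 00000004
1 00EB1030 comctl32.dll 003F ImageList_LoadImage
1 00EB1034 comctl32.dll 002C ImageList_Create
1 00EB1038 comctl32.dll 0046 ImageList_ReplaceIcon
1 00EB103C comctl32.dll 0011 InitCommonControls
"""

if __name__ == '__main__':
    blocks = parse_importrec_dump(SAMPLE_DUMP)
    print('span: %08X-%08X size=%X' % iat_span(blocks))
    print('problems:', check_blocks(blocks) or 'none')
```

A missing or mis-ordered entry shows up twice: once as an NbFunc mismatch and once as a wrong-sized gap to the next group, so a dump that was trimmed too aggressively after "cut" is caught before the fixed import table is written.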