Once more: do NOT run this API! So right-click at 0043776E and choose [New origin here]. That is the correct way to skip the API. Now we have to NOP out the call to that API together with the pushes that belong to it. Replace the code below with NOPs:

00437759 MOV AL,BYTE PTR DS:[E8686133]
0043775E ADD EAX,DWORD PTR DS:[EAX]
00437760 ADD BYTE PTR DS:[EBX+FFFA3895],CL
00437766 CALL NEAR DWORD PTR DS:[EDX-1]
00437769 ADC EAX,<&KERNEL32.WaitForDebugEvent>

(I don't know why this stretch of code is dynamic.)

Change it to:

00437759 NOP
0043775A NOP
0043775B NOP
0043775C NOP
0043775D NOP
0043775E NOP
0043775F NOP
00437760 NOP
00437761 NOP
00437762 NOP
00437763 NOP
00437764 NOP
00437765 NOP
00437766 NOP
00437767 NOP
00437768 NOP
00437769 NOP
0043776A NOP
0043776B NOP
0043776C NOP
0043776D NOP
0043776E TEST EAX,EAX
SETUP 7: Patching

"Be especially careful with this step! Most people don't really know the right way to patch, so try hard to understand how I do it here, and you also need to be able to do it in other situations." It took me several tries to get this right!

The first step is to change this jump:

0043776E TEST EAX,EAX
00437770 JE armadill.004398A5   // change this to JMP 00401000

Why? Because the parent process's offset is 00401000, and that is where we need to patch. Now go to 00401000, which is ready for patching:

00401000 ADD BYTE PTR DS:[EAX],AL
00401002 ADD BYTE PTR DS:[EAX],AL
00401004 ADD BYTE PTR DS:[EAX],AL
00401006 ADD BYTE PTR DS:[EAX],AL
00401008 ADD BYTE PTR DS:[EAX],AL

Let's look at the memory map. Alt+M opens the memory map window:

00400000 00001000 armadill PE header Imag R RWE
00401000 00025000 armadill CODE Imag R RWE
00426000 00001000 armadill DATA Imag R RWE
00427000 00001000 armadill BSS Imag R RWE
00428000 00002000 armadill .idata Imag R RWE
0042A000 00001000 armadill .tls Imag R RWE
0042B000 00001000 armadill .rdata Imag R RWE
0042C000 00003000 armadill .reloc Imag R RWE
0042F000 00020000 armadill .text code Imag R RWE
0044F000 00010000 armadill .adata Imag R RWE
0045F000 00010000 armadill .data data,imports Imag R RWE
0046F000 00010000 armadill .reloc1 relocations Imag R RWE
0047F000 00040000 armadill .pdata Imag R RWE
004BF000 00011000 armadill .rsrc resources Imag R RWE
Note that the program's code section starts at 00401000 and ends at 00425FFF. In the dump window, change the OEP entry values to 400000; after the change it looks like this:

0012EFF4 01 00 00 00 B0 0E 00 00
0012EFFC B8 0E 00 00 01 00 00 80
0012F004 00 00 00 00 00 00 00 00
0012F00C 00 00 40 00 02 00 00 00   //*******
0012F014 00 00 00 00 00 00 40 00   //*******
0012F01C 00 00 40 00 00 00 00 00   //*******

Because each pass of the loop patches one block with an increment of 1000, the first block to be decompressed must be 401000.

Now, in the main window, starting at line 401000, write:

00401000 8105 0CF01200 00100000 ADD DWORD PTR DS:[12F00C],1000
0040100A 8105 18F01200 00100000 ADD DWORD PTR DS:[12F018],1000
00401014 8105 1CF01200 00100000 ADD DWORD PTR DS:[12F01C],1000

The addresses in this patch must match the ones in the dump window. The next line is written like this:

0040101E CMP DWORD PTR DS:[12F01C],armadill.00426000   // has the code section ended?

so that we know when all the blocks have been decompressed. Then we must write:

00401028 - 0F85 F6341F00 JNZ 00437775   // not done yet, keep going

If the comparison is not true, the loop goes back to the location right next to where the loop is called. Then on the next line we write a NOP, on which we will place a BP so that it stops once the dump work is done. Here is the complete patched code:

00401000 ADD DWORD PTR DS:[12F00C],1000
0040100A ADD DWORD PTR DS:[12F018],1000
00401014 ADD DWORD PTR DS:[12F01C],1000
0040101E CMP DWORD PTR DS:[12F01C],armadill.00426000
00401028 JNZ armadill.00437775
0040102E NOP   // set a breakpoint here; once it's done it breaks here.
0040102F NOP

OK, the most critical part is done; now we can unpack.
SETUP 8: Unpacking

Check the previous steps and, once you're sure they are right, run the program. Press F9 and, ha, it breaks at:

0040102E NOP   // set a breakpoint here; once it's done it breaks here

Looks like it worked! Let's see what is in the log. Alt+L opens the log window:

77E65A12 COND: unknown identifier
(the same line repeated many times)
0040102E Break at armadill.0040102E

I don't know why it says "unknown identifier"; maybe my conditional log wasn't set up properly, but those are the copied code blocks. This information shows that the code has been copied over completely.
SETUP 9: Detaching the child process from the parent

First use OD's attach feature to look up the child process's handle (the process ID shown in the attach window, which is what DebugActiveProcessStop takes). Open the attach window; the armadillo3.exe entry that is not colored is the child process, and its handle is 0BDC (this value changes every time it is loaded). Write the following code into the program:

0040102E PUSH 0BDC   // PUSH (child process handle)
00401033 CALL kernel32.DebugActiveProcessStop
00401038 NOP   // set a breakpoint here

Run the program. Look at the register window: if the program stops with EAX = 1, you can be sure the child has been detached from its parent, and we can close OllyDbg. If EAX = 0, something you wrote is off (probably the handle), and you have to check those lines from start to finish. You can re-enter the code and try again. Now close OllyDbg and open it again. Do not load anything. Go to the menu File|Attach, find the child process and attach to it (we have already killed its parent :X).

Once attached successfully, run it: the program will be spinning in an endless loop, so press F12 to pause it, then in PUPE restore the code at the OEP to 55 8B and click "Parchear" to restore the original code. Open LordPE and look for the armadillo3.exe process. Select this process, choose [active dump engine] | [IntelliDump] | [select], then click Dump full. As soon as the save is done, run PEditor and write in the valid entry point (ENTRY POINT). Calculated: 4251D0-400000 = 251D0; fix it and done.
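As an added example (my own code, not part of the original tutorial), a small Python script that parses the Alt+M memory-map listing quoted above, reports which block a given address falls in, counts how many 1000h pages the patched CMP/JNZ loop walks from 401000 to the 426000 stop bound, and computes the entry-point RVA from the 4251D0-400000 calculation. The map text is copied from this page; the function names are mine.

```python
import re

# Constructed sample: the OllyDbg memory map (Alt+M) quoted on this page.
MEMORY_MAP = """\
00400000 00001000 armadill PE header Imag R RWE
00401000 00025000 armadill CODE Imag R RWE
00426000 00001000 armadill DATA Imag R RWE
00427000 00001000 armadill BSS Imag R RWE
00428000 00002000 armadill .idata Imag R RWE
0042A000 00001000 armadill .tls Imag R RWE
0042B000 00001000 armadill .rdata Imag R RWE
0042C000 00003000 armadill .reloc Imag R RWE
0042F000 00020000 armadill .text code Imag R RWE
0044F000 00010000 armadill .adata Imag R RWE
0045F000 00010000 armadill .data data,imports Imag R RWE
0046F000 00010000 armadill .reloc1 relocations Imag R RWE
0047F000 00040000 armadill .pdata Imag R RWE
004BF000 00011000 armadill .rsrc resources Imag R RWE
"""
PAGE = 0x1000        # the patched loop advances one 1000h page per pass
IMAGE_BASE = 0x400000

def parse_memory_map(text):
    """Return [(base, size, name)] from an OllyDbg-style Alt+M listing."""
    blocks = []
    for line in text.splitlines():
        m = re.match(r"([0-9A-F]{8})\s+([0-9A-F]{8})\s+\S+\s+(\S+)", line, re.I)
        if m:
            blocks.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3)))
    return blocks

def find_block(blocks, va):
    """Name of the block containing va, or None if the address is unmapped."""
    for base, size, name in blocks:
        if base <= va < base + size:
            return name
    return None

def loop_iterations(start, stop, page=PAGE):
    """Passes a loop stepping `page` bytes makes from start until it hits stop.
    The CMP/JNZ pair on this page stops at 426000, one byte past the CODE end."""
    if stop < start or (stop - start) % page:
        raise ValueError("stop must be a page-aligned address at or after start")
    return (stop - start) // page

def entry_point_rva(oep_va, image_base=IMAGE_BASE):
    """RVA to enter in PEditor: the page's 4251D0-400000=251D0 calculation."""
    return oep_va - image_base
```

Running loop_iterations(0x401000, 0x426000) gives 0x25 passes, which is exactly the 00025000 size of the CODE block in the map.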
Part one is finished; it took a whole evening. It is too cold, so part two, on how to find the magic jump to complete the import table, fix the IAT and get the program running, will have to wait until tomorrow.

fxyang[OCN][BCG][FCG] 2003.11.26, at night