【Title】 UPX: removing the CRC check from enablewebcompiler 1.0
【Author】 weiyi75[Dfcg]
【E-mail】 weiyi75@sohu.com
【Homepage】 Dfcg official base --- http://www.chinadfcg.com/
【Tools】 FI 3.01, UpxShell, OllyDbg 1.10b
【Platform】 Win2K/XP
【Software】 enablebcompiler
【Download】 local download
【Description】 Plain UPX packer, followed by a CRC self-check that catches the unpacked file.
【Size】 76.5 KB
【Packer】 UPX V1.20
【Statement】 I am just a little rookie who picked up a small insight and would like to share it with everyone :)
--------------------------------------------------------------------------------
【Unpacking notes】
FI identifies the packer as UPX V1.20. UpxShell unpacks it cleanly, but when the unpacked program is run it reports a CRC check error and asks you to reinstall the software.
A simple problem in principle, but it cost me half a day.
Start with the troublesome part. Whatever a self-check calls itself, it has to ask for the size of its own executable before it can read or compare anything, so GetFileSize is the natural hook.
On the command line: bp GetFileSize, then F9 to run.
77E68854 >  55              PUSH EBP                         // break here
77E68855    8BEC            MOV EBP,ESP
77E68857    51              PUSH ECX
77E68858    51              PUSH ECX
77E68859    8D45 F8         LEA EAX,DWORD PTR SS:[EBP-8]
77E6885C    50              PUSH EAX
77E6885D    FF75 08         PUSH DWORD PTR SS:[EBP+8]
77E68860    E8 24000000     CALL KERNEL32.GetFileSizeEx
77E68865    85C0            TEST EAX,EAX
77E68867    0F84 D3690200   JE KERNEL32.77E8F240
77E6886D    8B45 0C         MOV EAX,DWORD PTR SS:[EBP+C]
77E68870    85C0            TEST EAX,EAX
77E68872  ^ 0F85 B5E6FFFF   JNZ KERNEL32.77E66F2D
77E68878    837D F8 FF      CMP DWORD PTR SS:[EBP-8],-1
77E6887C    0F84 B2690200   JE KERNEL32.77E8F234
77E68882    8B45 F8         MOV EAX,DWORD PTR SS:[EBP-8]
77E68885    C9              LEAVE
77E68886    C2 0800         RETN 8
..........................................................
The breakpoint fires inside system code (kernel32). To patch anything, or to flip the Z flag, we have to be back inside the program's own code, and a plain Ctrl+F9 or Alt+F9 "return to user code" will not get us there: the immediate caller is runtime-library code, not enablewe itself. So we take a different route.
Remove the breakpoint and press Alt+M to open the memory map.
Memory map, item 13:
  Address        = 0043A000     // this time we set a memory-access breakpoint on the .data section
  Size           = 00004000 (16384.)
  Owner          = enablewe 00400000
  Section        = .data
  Contains       = data
  Type           = Imag 01001002
  Access         = R
  Initial access = RWE
00420912  . FF50 04         CALL DWORD PTR DS:[EAX+4]                  ; MSVBVM50.BASIC_CLASS_AddRef
                                                                       // good, we are back home in the program; clear the memory breakpoint.
                                                                       // GetFileSize only fetches the size; the comparison is further on
00420915  . C745 FC 01000>  MOV DWORD PTR SS:[EBP-4],1
0042091C  . C745 FC 02000>  MOV DWORD PTR SS:[EBP-4],2
00420923  . 6A FF           PUSH -1
00420925  . FF15 00E34300   CALL DWORD PTR DS:[<&MSVBVM50.__vbaOnErr>  ; MSVBVM50.__vbaOnError
0042092B  . C745 FC 03000>  MOV DWORD PTR SS:[EBP-4],3
00420932  . E8 99420100     CALL enablewe.00434BD0
00420937  . C745 FC 04000>  MOV DWORD PTR SS:[EBP-4],4
0042093E  . E8 1D160100     CALL enablewe.00431F60                     // stepping over this call produces the CRC error
....................................................................
VB's strength is that it is easy to pick up, but its code efficiency is nothing to write home about: there is a huge amount of junk code.
Finding the magic jump in there is not going to be easy.
Ctrl+F2 to restart OllyDbg, Ctrl+G 0042093E, F4 to run straight to it, then F7 to step into the call.
00431F60 $  55              PUSH EBP                                   // once inside there is far too much code; Ctrl+F8 (animate over)
                                                                       // lets OllyDbg carry part of the load. After a dizzying stretch, go to label 1
00431F61  . 8BEC            MOV EBP,ESP
00431F63  . 83EC 18         SUB ESP,18
00431F66  . 68 261D4000     PUSH <JMP.&MSVBVM50.__vbaExceptHandler>    ; SE handler installation
00431F6B  . 64:A1 0000000>  MOV EAX,DWORD PTR FS:[0]
00431F71  . 50              PUSH EAX
00431F72  . 64:8925 00000>  MOV DWORD PTR FS:[0],ESP
00431F79  . B8 58110000     MOV EAX,1158
00431F7E  . E8 9DFDFCFF     CALL <JMP.&MSVBVM50.__vbaChkstk>
00431F83  . 53              PUSH EBX
00431F84  . 56              PUSH ESI
00431F85  . 57              PUSH EDI
00431F86  . 8965 E8         MOV DWORD PTR SS:[EBP-18],ESP
00431F89  . C745 EC 501A4>  MOV DWORD PTR SS:[EBP-14],enablewe.00401>
00431F90  . C745 F0 00000>  MOV DWORD PTR SS:[EBP-10],0
00431F97  . C745 F4 00000>  MOV DWORD PTR SS:[EBP-C],0
00431F9E  . C745 FC 01000>  MOV DWORD PTR SS:[EBP-4],1
00431FA5  . C745 FC 02000>  MOV DWORD PTR SS:[EBP-4],2
00431FAC  . 6A FF           PUSH -1
00431FAE  . FF15 00E34300   CALL DWORD PTR DS:[<&MSVBVM50.__vbaOnErr>  ; MSVBVM50.__vbaOnError
00431FB4  . C745 FC 03000>  MOV DWORD PTR SS:[EBP-4],3
00431FBB  . 833D CCAA4300>  CMP DWORD PTR DS:[43AACC],0
00431FC2  . 75 1C           JNZ SHORT enablewe.00431FE0
00431FC4  . 68 CCAA4300     PUSH enablewe.0043AACC
00431FC9  . 68 2C674000     PUSH enablewe.0040672C
00431FCE  . FF15 14E44300   CALL DWORD PTR DS:[<&MSVBVM50.__vbaNew2>>  ; MSVBVM50.__vbaNew2
00431FD4  . C785 D4EEFFFF>  MOV DWORD PTR SS:[EBP-112C],enablewe.004>
00431FDE  . EB 0A           JMP SHORT enablewe.00431FEA
...................................................................
Label 1. This is the message box that shows the error; search upwards from here for the magic jump, then go to label 2.
004341D2  . FF15 08E34300   CALL DWORD PTR DS:[<&MSVBVM50.#595>]       ; MSVBVM50.rtcMsgBox
004341D8  . 8D85 D8FDFFFF   LEA EAX,DWORD PTR SS:[EBP-228]
004341DE  . 50              PUSH EAX
004341DF  . 8D8D E8FDFFFF   LEA ECX,DWORD PTR SS:[EBP-218]
004341E5  . 51              PUSH ECX
004341E6  . 8D95 F8FDFFFF   LEA EDX,DWORD PTR SS:[EBP-208]
004341EC  . 52              PUSH EDX
004341ED  . 8D85 08FEFFFF   LEA EAX,DWORD PTR SS:[EBP-1F8]
004341F3  . 50              PUSH EAX
004341F4  . 8D8D 18FEFFFF   LEA ECX,DWORD PTR SS:[EBP-1E8]
004341FA  . 51              PUSH ECX
004341FB  . 8D95 28FEFFFF   LEA EDX,DWORD PTR SS:[EBP-1D8]
00434201  . 52              PUSH EDX
...................................................................
Label 2
00433EB4  . FF15 34E44300   CALL DWORD PTR DS:[<&MSVBVM50.#578>]       ; MSVBVM50.rtcFileLen
00433EBA  . 8985 A4EEFFFF   MOV DWORD PTR SS:[EBP-115C],EAX
00433EC0  . DB85 A4EEFFFF   FILD DWORD PTR SS:[EBP-115C]
00433EC6  . DD9D 9CEEFFFF   FSTP QWORD PTR SS:[EBP-1164]
00433ECC  . DD85 10EFFFFF   FLD QWORD PTR SS:[EBP-10F0]
00433ED2  . FF15 24E34300   CALL DWORD PTR DS:[<&MSVBVM50.__vbaFpR8>>  ; MSVBVM50.__vbaFpR8
00433ED8  . DC9D 9CEEFFFF   FCOMP QWORD PTR SS:[EBP-1164]
00433EDE  . DFE0            FSTSW AX
00433EE0  . F6C4 01         TEST AH,1
00433EE3  . 74 0C           JE SHORT enablewe.00433EF1
00433EE5  . C785 98EEFFFF>  MOV DWORD PTR SS:[EBP-1168],1
00433EEF  . EB 0A           JMP SHORT enablewe.00433EFB
00433EF1  > C785 98EEFFFF>  MOV DWORD PTR SS:[EBP-1168],0
00433EFB  > 8B8D 98EEFFFF   MOV ECX,DWORD PTR SS:[EBP-1168]
00433F01  . F7D9            NEG ECX
00433F03  . 0FBFD1          MOVSX EDX,CX
00433F06  . 85D2            TEST EDX,EDX
00433F08  . 0F84 33040000   JE enablewe.00434341                       // after all that searching, this is it; patch it outright
rtcFileLen returns the real on-disk length of the executable. It is converted to a double, compared (FCOMP) against the value kept at [EBP-10F0], and the result is collapsed into a Boolean in [EBP-1168] that is tested at 00433F08. The JE to 00434341 is the good path; the fall-through assembles the error text and ends at the rtcMsgBox at label 1 (004341D2 lies between the jump and its target). So, whatever the dialog says, this "CRC check" is nothing more than a file-length comparison, which is exactly why the unpacked file, being a different size, trips it.
Change it to
00433F08   /0F85 33040000   JNZ enablewe.00434341
and save the change to a new file (right-click, Copy to executable, All modifications, then Save file).
Inverting the condition is enough here only because the unpacked file will never again have the stored length; with JNZ, a file that did match would now hit the error path instead. If you want the check to pass regardless of size, replace the six bytes with an unconditional jump to the same target, E9 34040000 90: JMP rel32 is one byte shorter than JE rel32, so its displacement grows by one and a NOP fills the spare byte.
00433F0E  . C745 FC 06000>  MOV DWORD PTR SS:[EBP-4],6
00433F15  . 6A 41           PUSH 41
00433F17  . 8D45 A8         LEA EAX,DWORD PTR SS:[EBP-58]
00433F1A  . 50              PUSH EAX
00433F1B  . FF15 C4E34300   CALL DWORD PTR DS:[<&MSVBVM50.#608>]       ; MSVBVM50.rtcVarBstrFromAnsi
00433F21  . 6A 6C           PUSH 6C
00433F23  . 8D4D 98         LEA ECX,DWORD PTR SS:[EBP-68]
00433F26  . 51              PUSH ECX
00433F27  . FF15 C4E34300   CALL DWORD PTR DS:[<&MSVBVM50.#608>]       ; MSVBVM50.rtcVarBstrFromAnsi
00433F2D  . 6A 65           PUSH 65
00433F2F  . 8D95 78FFFFFF   LEA EDX,DWORD PTR SS:[EBP-88]
00433F35  . 52              PUSH EDX
00433F36  . FF15 C4E34300   CALL DWORD PTR DS:[<&MSVBVM50.#608>]       ; MSVBVM50.rtcVarBstrFromAnsi
00433F3C  . 6A 72           PUSH 72
00433F3E  . 8D85 58FFFFFF   LEA EAX,DWORD PTR SS:[EBP-A8]
00433F44  . 50              PUSH EAX
00433F45  . FF15 C4E34300   CALL DWORD PTR DS:[<&MSVBVM50.#608>]       ; MSVBVM50.rtcVarBstrFromAnsi
00433F4B  . 6A 74           PUSH 74
00433F4D  . 8D8D 38FFFFFF   LEA ECX,DWORD PTR SS:[EBP-C8]
00433F53  . 51              PUSH ECX
00433F54  . FF15 C4E34300   CALL DWORD PTR DS:[<&MSVBVM50.#608>]       ; MSVBVM50.rtcVarBstrFromAnsi
00433F5A  . 6A 21           PUSH 21
00433F5C  . 8D95 18FFFFFF   LEA EDX,DWORD PTR SS:[EBP-E8]
00433F62  . 52              PUSH EDX
00433F63  . FF15 C4E34300   CALL DWORD PTR DS:[<&MSVBVM50.#608>]       ; MSVBVM50.rtcVarBstrFromAnsi
00433F69  . 6A 20           PUSH 20
00433F6B  . 8D85 F8FEFFFF   LEA EAX,DWORD PTR SS:[EBP-108]
00433F71  . 50              PUSH EAX
00433F72  . FF15 C4E34300   CALL DWORD PTR DS:[<&MSVBVM50.#608>]       ; MSVBVM50.rtcVarBstrFromAnsi
00433F78  . 6A 3A           PUSH 3A
00433F7A  . 8D8D D8FEFFFF   LEA ECX,DWORD PTR SS:[EBP-128]
00433F80  . 51              PUSH ECX
The character codes being converted one at a time here (41 6C 65 72 74 21 20 3A) spell "Alert! :", the start of the error message, built with Chr() calls so that the string does not show up in a plain string search. This is the fall-through side of the jump patched above.
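The author applied the patch from inside OllyDbg. For a reproducible fix you want the same change applied to the file offline, which means mapping the virtual address 00433F08 through the PE section table to a file offset and refusing to write unless the original bytes 0F 84 33 04 00 00 are really there. The script below is an added example and not part of the original write-up; its function names are my own, and because the binary itself is not on the page it includes a constructed minimal PE32 image (not the real enablewebcompiler executable) so the logic can be exercised. It also derives the unconditional JMP variant mentioned above from the JE encoding.

```python
import struct

# The jump located in OllyDbg: JE rel32 at VA 0x00433F08, to be turned into JNZ rel32.
PATCH_VA = 0x00433F08
ORIGINAL = bytes.fromhex("0F84 33040000")   # JE  enablewe.00434341
PATCHED  = bytes.fromhex("0F85 33040000")   # JNZ enablewe.00434341


def pe_sections(image):
    """Parse a PE32 file image and return (ImageBase, [(VirtualAddress, VirtualSize,
    PointerToRawData, SizeOfRawData), ...]). Only what VA->offset mapping needs."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", image, coff + 2)
    opt_size, = struct.unpack_from("<H", image, coff + 16)
    opt = coff + 20
    magic, = struct.unpack_from("<H", image, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    image_base, = struct.unpack_from("<I", image, opt + 28)
    sections = []
    for i in range(num_sections):
        hdr = opt + opt_size + i * 40
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", image, hdr + 8)
        sections.append((vaddr, vsize, rptr, rsize))
    return image_base, sections


def va_to_offset(image, va):
    """Map a virtual address to its file offset via the section that contains it."""
    image_base, sections = pe_sections(image)
    rva = va - image_base
    for vaddr, vsize, rptr, rsize in sections:
        if vaddr <= rva < vaddr + max(vsize, rsize):
            delta = rva - vaddr
            if delta >= rsize:   # e.g. the zero-filled tail of .data has no bytes on disk
                raise ValueError("VA lies in the uninitialised tail of a section")
            return rptr + delta
    raise ValueError("VA 0x%08X is not inside any section" % va)


def patch_bytes(image, va, expected, replacement):
    """Return a patched copy of image. Writes only if the bytes at va are exactly
    `expected`, so a wrong offset or a different build is caught instead of corrupted."""
    if len(expected) != len(replacement):
        raise ValueError("patch must keep the instruction length")
    off = va_to_offset(image, va)
    found = image[off:off + len(expected)]
    if found != expected:
        raise ValueError("bytes at file offset 0x%X are %s, expected %s"
                         % (off, found.hex(), expected.hex()))
    return image[:off] + replacement + image[off + len(replacement):]


def je_to_jmp(je):
    """Rewrite a 6-byte JE rel32 (0F 84 disp32) as JMP rel32 + NOP (E9 disp32 90) to the
    same target. JMP is one byte shorter, so the displacement grows by exactly one."""
    if len(je) != 6 or je[:2] != b"\x0f\x84":
        raise ValueError("expected a JE rel32 encoding")
    disp, = struct.unpack("<i", je[2:])
    return b"\xe9" + struct.pack("<i", disp + 1) + b"\x90"


def build_test_image():
    """Constructed stand-in, NOT the real binary: a minimal PE32 with one .text section
    mapped at RVA 0x33000 (file offset 0x400) holding the JE at VA 0x00433F08."""
    image_base, text_va, text_raw, text_size = 0x00400000, 0x33000, 0x400, 0x1000
    text = bytearray(text_size)
    pos = PATCH_VA - image_base - text_va          # 0xF08 inside the section
    text[pos:pos + 6] = ORIGINAL
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)        # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)
    sect = struct.pack("<8sIIIIIIHHI", b".text", text_size, text_va, text_size,
                       text_raw, 0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect
    return headers.ljust(text_raw, b"\0") + bytes(text)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_test_image()
    off = va_to_offset(data, PATCH_VA)
    print("VA %08X -> file offset 0x%X, bytes %s" % (PATCH_VA, off, data[off:off + 6].hex()))
    out = patch_bytes(data, PATCH_VA, ORIGINAL, PATCHED)
    if len(sys.argv) > 1:
        open(sys.argv[1] + ".patched", "wb").write(out)
        print("wrote", sys.argv[1] + ".patched")
```

Run with no arguments to see the mapping on the constructed image, or pass the path of the unpacked executable to produce a `.patched` copy; substituting `je_to_jmp(ORIGINAL)` for `PATCHED` gives the unconditional form instead. The expected-bytes check is the important part: OllyDbg's "Copy to executable" does the same mapping silently, and a script that patches by VA without verifying what it overwrites will happily corrupt a different build.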