PE-ARM0.765到达OEP---脚本

最新推荐文章于 2022-02-25 21:57:21 发布

instruder

最新推荐文章于 2022-02-25 21:57:21 发布

阅读量1.2k

点赞数

分类专栏：第三方插件:OD/IDA/.etc CRACK/逆向/反调试文章标签： c byte 解密 hook api 脚本

本文链接：https://blog.csdn.net/instruder/article/details/6112429

版权

CRACK/逆向/反调试同时被 2 个专栏收录

13 篇文章 1 订阅

订阅专栏

第三方插件:OD/IDA/.etc

3 篇文章 0 订阅

订阅专栏

这个壳每执行一个函数或者步骤都要先去堆栈中跑一圈然后回来调用API是先获取地址，然后自己拷贝一份到自己分配的内存中，然后执行这个copy的在调回去一般可以在该API的retn处下断点总共有3处anti debug的一处是ZwSetInfomationThread一处是ZwQueryInformationProcess一处是OutDebugStringA 在第一次调用ZwSetInfomationThread检测是否有调试之前都不能下硬件断点的，这个壳用硬件断点来解码的，如果下了硬件断点会不停的异常直至进程结束并且有anti dump和修改pe文件头防止importrec输入表修复同时独占文件，这样importrec的使用磁盘中的pe头选项就不行了 //检测是否单步调试的 003B63EF 0F31 RDTSC 003B63F1 83C4 04 ADD ESP,4 003B63F4 2BC1 SUB EAX,ECX 003B63F6 3D 00000200 CMP EAX,20000 003B63FB 76 04 JBE SHORT 003B6401 //检测filemon regmon 之类的 003B6436 83F8 FF CMP EAX,-1 //判断是否存在 003B6439 74 05 JE SHORT 003B6440 003B643B E9 67FB0000 JMP 003C5FA7 003B6440 56 PUSH ESI 003B6441 AC LODS BYTE PTR DS:[ESI] 003B6442 EB 06 JMP SHORT 003B644A//跳向死亡 003B6444 F6D0 NOT AL 003B6446 8846 FF MOV BYTE PTR DS:[ESI-1],AL ; 加密刚才要打开的工具的字符串 003B6449 AC LODS BYTE PTR DS:[ESI] 003B644A 0AC0 OR AL,AL .......... 检测ZwSetInformationThread是否被修改，下这个函数的地址内存访问就能看到 003C4ED6 60 PUSHAD 003C4ED7 8B7C24 24 MOV EDI,DWORD PTR SS:[ESP+24] 003C4EDB 8B7424 28 MOV ESI,DWORD PTR SS:[ESP+28] 003C4EDF 803E C2 CMP BYTE PTR DS:[ESI],0C2 003C4EE2 0F84 BF100000 JE 003C5FA7 003C4EE8 803E C3 CMP BYTE PTR DS:[ESI],0C3 003C4EEB 0F84 B6100000 JE 003C5FA7 003C4EF1 8A06 MOV AL,BYTE PTR DS:[ESI] 003C4EF3 3C B8 CMP AL,0B8 003C4EF5 75 04 JNZ SHORT 003C4EFB 003C4EF7 A4 MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] 003C4EF8 A5 MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ES> 003C4EF9 EB 33 JMP SHORT 003C4F2E 003C4EFB 3C 8D CMP AL,8D 003C4EFD 75 03 JNZ SHORT 003C4F02 003C4EFF A5 MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ES> 003C4F00 EB 2C JMP SHORT 003C4F2E 003C4F02 3C CD CMP AL,0CD 003C4F04 75 04 JNZ SHORT 003C4F0A 003C4F06 66:A5 MOVS WORD PTR ES:[EDI],WORD PTR DS:[ESI] 003C4F08 EB 24 JMP SHORT 003C4F2E 003C4F0A 3C BA CMP AL,0BA 003C4F0C 75 04 JNZ SHORT 003C4F12 003C4F0E A4 MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] 003C4F0F A5 MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ES> 003C4F10 EB 1C JMP SHORT 003C4F2E 003C4F12 3C FF CMP AL,0FF 003C4F14 75 04 JNZ SHORT 003C4F1A 003C4F16 66:A5 MOVS WORD PTR ES:[EDI],WORD PTR DS:[ESI] 003C4F18 EB 14 JMP SHORT 003C4F2E 003C4F1A 3C C2 CMP AL,0C2 003C4F1C 75 0A JNZ SHORT 003C4F28 003C4F1E A4 MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] 003C4F1F 66:A5 MOVS WORD PTR ES:[EDI],WORD PTR DS:[ESI] 003C4F21 61 POPAD 003C4F22 33C0 XOR EAX,EAX 003C4F24 40 INC EAX 003C4F25 C2 0C00 RETN 0C 先用CreateFileA检测是否有调试工具之类的，然后得到NtDll获取其输入表中的ZwSetThreadInfomation来anti debug 003B4933 66:8B06 MOV AX,WORD PTR DS:[ESI] 003B4EDF 803E C2 CMP BYTE PTR DS:[ESI],0C2 003A6F5A 68 00FE98C7 PUSH C798FE00 003A6F5F 50 PUSH EAX 003A6F60 E8 5D000000 CALL 003A6FC2 003A70A9 8BF8 MOV EDI,EAX ; ntdll.ZwSetInformationThread 003A70AB 50 PUSH EAX 003A70AC 52 PUSH EDX 003A712D 6A 00 PUSH 0 003A712F 6A 00 PUSH 0 003A7131 6A 11 PUSH 11 ; 参数？？ 003A7133 6A FE PUSH -2 003A7135 8D85 EE5F4000 LEA EAX,DWORD PTR SS:[EBP+405FEE] 003A713B 50 PUSH EAX 003A713C 8BC7 MOV EAX,EDI 003B4D68 6A 00 PUSH 0 003B4D6A 50 PUSH EAX 003B4D6B 8B85 E74A4100 MOV EAX,DWORD PTR SS:[EBP+414AE7] 003B4D71 68 00FE2FC7 PUSH C72FFE00 003B4D76 50 PUSH EAX 003B4D77 E8 5D000000 CALL 003B4DD9 ///中间进过一次堆栈中执行 003B4DC8 8B0424 MOV EAX,DWORD PTR SS:[ESP] 003B4DCB 83EC FC SUB ESP,-4 003B4DCE EB 01 JMP SHORT 003B4DD1 // 7C92DC90 608B7C2424 /003B4ED6 60 PUSHAD 003B4ED7 8B7C24 24 MOV EDI,DWORD PTR SS:[ESP+24] 003B4EDB 8B7424 28 MOV ESI,DWORD PTR SS:[ESP+28] 003B4EDF 803E C2 CMP BYTE PTR DS:[ESI],0C2 //记录的 003B4EE2 0F84 BF100000 JE 003B5FA7 003B4EE8 803E C3 CMP BYTE PTR DS:[ESI],0C3 003B4EEB 0F84 B6100000 JE 003B5FA7 003B4EF1 8A06 MOV AL,BYTE PTR DS:[ESI] 003B4EF3 3C B8 CMP AL,0B8 003B4EF5 75 04 JNZ SHORT 003B4EFB 003B4EF7 A4 MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] 003B4EF8 A5 MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ES> 003B4EF9 EB 33 JMP SHORT 003B4F2E 003B4EFB 3C 8D CMP AL,8D 003B4EFD 75 03 JNZ SHORT 003B4F02 003B4EFF A5 MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ES> 003B4F00 EB 2C JMP SHORT 003B4F2E 003B4F02 3C CD CMP AL,0CD 003B4F04 75 04 JNZ SHORT 003B4F0A 003B4F06 66:A5 MOVS WORD PTR ES:[EDI],WORD PTR DS:[ESI] 003B4F08 EB 24 JMP SHORT 003B4F2E 003B4F0A 3C BA CMP AL,0BA 003B4F0C 75 04 JNZ SHORT 003B4F12 003B4F0E A4 MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] 003B4F0F A5 MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ES> 003B4F10 EB 1C JMP SHORT 003B4F2E 003B4F12 3C FF CMP AL,0FF 003B4F14 75 04 JNZ SHORT 003B4F1A 003B4F16 66:A5 MOVS WORD PTR ES:[EDI],WORD PTR DS:[ESI] 003B4F18 EB 14 JMP SHORT 003B4F2E 003B4F1A 3C C2 CMP AL,0C2 003B4F1C 75 0A JNZ SHORT 003B4F28 003B4F1E A4 MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] 003B4F1F 66:A5 MOVS WORD PTR ES:[EDI],WORD PTR DS:[ESI] 003B4F21 61 POPAD 003B4F22 33C0 XOR EAX,EAX 003B4F24 40 INC EAX 003B4F25 C2 0C00 RETN 0C 003B4F28 61 POPAD 003B4F29 33C0 XOR EAX,EAX 003B4F2B C2 0C00 RETN 0C 003B4EC6 85C0 TEST EAX,EAX //应该返回1的 003B4EC8 0F84 D9100000 JE 003B5FA7 003B4ECE 8B85 E74A4100 MOV EAX,DWORD PTR SS:[EBP+414AE7] 003B4ED4 FFE0 JMP EAX//跳到刚才修改的地方执行 //这里就是调用这个函数的地方，应该让他跳到 pop edx retn 10执行好像下面就是开始解密401000处的数据了 //在这就可以先到 003A732A E8 66BD0000 CALL 003B3095 .. 003B3095 55 PUSH EBP 003B3096 8BEC MOV EBP,ESP 003B3098 83C4 FC ADD ESP,-4 003B309B 60 PUSHAD 003B309C 8B7D 10 MOV EDI,DWORD PTR SS:[EBP+10] 003B309F 8B75 08 MOV ESI,DWORD PTR SS:[EBP+8] 003B30A2 8B5D 0C MOV EBX,DWORD PTR SS:[EBP+C] 003B30A5 D1EB SHR EBX,1 003B30A7 EB 41 JMP SHORT 003B30EA 003B30A9 53 PUSH EBX 003B30AA 33DB XOR EBX,EBX 003B30AC 66:C745 FE 0000 MOV WORD PTR SS:[EBP-2],0 003B30B2 EB 25 JMP SHORT 003B30D9 003B30B4 66:8B16 MOV DX,WORD PTR DS:[ESI] 003B30B7 66:23145F AND DX,WORD PTR DS:[EDI+EBX*2] 003B30BB B9 10000000 MOV ECX,10 003B30C0 33C0 XOR EAX,EAX 003B30C2 66:D1E2 SHL DX,1 003B30C5 73 01 JNB SHORT 003B30C8 003B30C7 40 INC EAX 003B30C8 ^ E2 F8 LOOPD SHORT 003B30C2 003B30CA 66:83E0 01 AND AX,1 003B30CE 66:8BCB MOV CX,BX 003B30D1 66:D3E0 SHL AX,CL 003B30D4 66:0145 FE ADD WORD PTR SS:[EBP-2],AX 003B30D8 43 INC EBX 003B30D9 83FB 10 CMP EBX,10 003B30DC ^ 72 D6 JB SHORT 003B30B4 003B30DE 5B POP EBX 003B30DF 66:8B45 FE MOV AX,WORD PTR SS:[EBP-2] 003B30E3 66:8906 MOV WORD PTR DS:[ESI],AX 003B30E6 83C6 02 ADD ESI,2 003B30E9 4B DEC EBX 003B30EA 0BDB OR EBX,EBX 003B30EC ^ 75 BB JNZ SHORT 003B30A9 003B30EE 61 POPAD 003B30EF C9 LEAVE 003B30F0 C2 0C00 RETN 0C 然后又去堆栈中执行了然后看见 003A7537 8B85 45414100 MOV EAX,DWORD PTR SS:[EBP+414145] ; kernel32.VirtualAlloc 003A753D E9 82D20000 JMP 003B47C4 然后又去堆栈中执行了然后又对这个VirtualAlloc函数进行检测，是否被修改 003B492B 8B7C24 24 MOV EDI,DWORD PTR SS:[ESP+24] 003B492F 8B7424 28 MOV ESI,DWORD PTR SS:[ESP+28] 003B4933 66:8B06 MOV AX,WORD PTR DS:[ESI] 003B4936 66:3D 558B CMP AX,8B55 003B493A 75 4B JNZ SHORT 003B4987 003B493C 807E 02 EC CMP BYTE PTR DS:[ESI+2],0EC 003B4940 75 45 JNZ SHORT 003B4987 003B4942 66:817E 03 83C4 CMP WORD PTR DS:[ESI+3],0C483 003B4948 75 1B JNZ SHORT 003B4965 003B494A 0FBE56 05 MOVSX EDX,BYTE PTR DS:[ESI+5] 003B494E 33C0 XOR EAX,EAX ..... 003B4D46 61 POPAD //要搜索的，然后直接下端到这 003B4D47 8B4424 DC MOV EAX,DWORD PTR SS:[ESP-24] //拷贝结束了 003B4D4B C2 0C00 RETN 0C 然后将这个函数拷贝到30000处，和上面的函数执行都是一样的，就是HOOK----------------------------------------------------------------------------------- 可以直接在VirtualAlloc出的RETN10下断点就行了，这个没有拷贝然后继续跟，就又在堆栈中执行了一遍然后就开始判断exe的code段[004DF17F]中的一些数据了，用的和判断VirtualAlloc一样的代码跳到30000处执行 00030000 C8 0C0000 ENTER 0C,0 00030004 EB 00 JMP SHORT 00030006 00030006 68 85F14D00 PUSH 4DF185 0003000B C3 RETN 然后就到4DF185 004DF185 FC CLD 004DF186 53 PUSH EBX 004DF187 57 PUSH EDI 004DF188 56 PUSH ESI 004DF189 8B7424 20 MOV ESI,DWORD PTR SS:[ESP+20] 004DF18D 8B7C24 24 MOV EDI,DWORD PTR SS:[ESP+24] 004DF191 8B36 MOV ESI,DWORD PTR DS:[ESI] ; 1.00401000 004DF193 33DB XOR EBX,EBX 004DF195 43 INC EBX 004DF196 8BD3 MOV EDX,EBX 004DF198 D1EA SHR EDX,1 004DF19A C74424 14 08000>MOV DWORD PTR SS:[ESP+14],8 004DF1A2 E8 43010000 CALL 1.004DF2EA 004DF1A7 73 10 JNB SHORT 1.004DF1B9 004DF1A9 8B4C24 10 MOV ECX,DWORD PTR SS:[ESP+10] 004DF1AD E8 2B010000 CALL 1.004DF2DD 004DF1B2 024424 0C ADD AL,BYTE PTR SS:[ESP+C] 004DF1B6 AA STOS BYTE PTR ES:[EDI] 004DF1B7 ^ EB E9 JMP SHORT 1.004DF1A2 004DF1B9 E8 2C010000 CALL 1.004DF2EA 004DF1BE 0F82 A4000000 JB 1.004DF268 004DF1C4 E8 21010000 CALL 1.004DF2EA 004DF1C9 73 64 JNB SHORT 1.004DF22F 004DF1CB B9 04000000 MOV ECX,4 004DF1D0 E8 08010000 CALL 1.004DF2DD 004DF1D5 48 DEC EAX 004DF1D6 ^ 74 DE JE SHORT 1.004DF1B6 004DF1D8 0F89 D2000000 JNS 1.004DF2B0 004DF1DE E8 07010000 CALL 1.004DF2EA 004DF1E3 73 1C JNB SHORT 1.004DF201 004DF1E5 BD 00010000 MOV EBP,100 004DF1EA B9 08000000 MOV ECX,8 004DF1EF E8 E9000000 CALL 1.004DF2DD 004DF1F4 AA STOS BYTE PTR ES:[EDI] 004DF1F5 4D DEC EBP 004DF1F6 ^ 75 F2 JNZ SHORT 1.004DF1EA 004DF1F8 E8 ED000000 CALL 1.004DF2EA 004DF1FD ^ 72 E6 JB SHORT 1.004DF1E5 004DF1FF ^ EB A1 JMP SHORT 1.004DF1A2 004DF201 B9 01000000 MOV ECX,1 004DF206 E8 D2000000 CALL 1.004DF2DD 004DF20B 83C0 07 ADD EAX,7 004DF20E 894424 10 MOV DWORD PTR SS:[ESP+10],EAX 004DF212 C64424 0C 00 MOV BYTE PTR SS:[ESP+C],0 004DF217 83F8 08 CMP EAX,8 004DF21A ^ 74 86 JE SHORT 1.004DF1A2 004DF21C B9 08000000 MOV ECX,8 004DF221 E8 B7000000 CALL 1.004DF2DD 004DF226 884424 0C MOV BYTE PTR SS:[ESP+C],AL 004DF22A ^ E9 73FFFFFF JMP 1.004DF1A2 004DF22F B9 07000000 MOV ECX,7 004DF234 E8 A4000000 CALL 1.004DF2DD 004DF239 8BE8 MOV EBP,EAX 004DF23B B9 02000000 MOV ECX,2 004DF240 E8 98000000 CALL 1.004DF2DD 004DF245 8BC8 MOV ECX,EAX 004DF247 8BC5 MOV EAX,EBP 004DF249 83C1 02 ADD ECX,2 004DF24C 85C0 TEST EAX,EAX 004DF24E 74 04 JE SHORT 1.004DF254 004DF250 8BD8 MOV EBX,EAX 004DF252 EB 5D JMP SHORT 1.004DF2B1 004DF254 83F9 02 CMP ECX,2 004DF257 74 65 JE SHORT 1.004DF2BE 004DF259 41 INC ECX 004DF25A E8 7E000000 CALL 1.004DF2DD 004DF25F 894424 14 MOV DWORD PTR SS:[ESP+14],EAX 004DF263 ^ E9 3AFFFFFF JMP 1.004DF1A2 004DF268 E8 5C000000 CALL 1.004DF2C9 004DF26D 49 DEC ECX 004DF26E 49 DEC ECX 004DF26F 75 09 JNZ SHORT 1.004DF27A 004DF271 8BC3 MOV EAX,EBX 004DF273 E8 51000000 CALL 1.004DF2C9 004DF278 EB 37 JMP SHORT 1.004DF2B1 004DF27A 49 DEC ECX 004DF27B 8BE9 MOV EBP,ECX 004DF27D 8B4C24 14 MOV ECX,DWORD PTR SS:[ESP+14] 004DF281 33C0 XOR EAX,EAX 004DF283 D3E5 SHL EBP,CL 004DF285 E8 53000000 CALL 1.004DF2DD 004DF28A 0BC5 OR EAX,EBP 004DF28C 8BD8 MOV EBX,EAX 004DF28E E8 36000000 CALL 1.004DF2C9 004DF293 3D 00000100 CMP EAX,10000 ; UNICODE "ALLUSERSPROFILE=C://Documents and Settings//All Users" 004DF298 73 14 JNB SHORT 1.004DF2AE 004DF29A 3D FF370000 CMP EAX,37FF 004DF29F 73 0E JNB SHORT 1.004DF2AF 004DF2A1 3D 7F020000 CMP EAX,27F 004DF2A6 73 08 JNB SHORT 1.004DF2B0 004DF2A8 83F8 7F CMP EAX,7F 004DF2AB 77 04 JA SHORT 1.004DF2B1 004DF2AD 41 INC ECX 004DF2AE 41 INC ECX 004DF2AF 41 INC ECX 004DF2B0 41 INC ECX 004DF2B1 56 PUSH ESI 004DF2B2 8BF7 MOV ESI,EDI 004DF2B4 2BF0 SUB ESI,EAX 004DF2B6 F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[> 004DF2B8 5E POP ESI 004DF2B9 ^ E9 E4FEFFFF JMP 1.004DF1A2 004DF2BE 8D6C24 18 LEA EBP,DWORD PTR SS:[ESP+18] 004DF2C2 5E POP ESI 004DF2C3 5F POP EDI 004DF2C4 5B POP EBX 004DF2C5 C9 LEAVE 004DF2C6 C2 0800 RETN 8 然后到 003A7BB0 52 PUSH EDX 003A7BB1 E8 EEFFFFFF CALL 003A7BA4 。。。。。。。。。。好像就清0了401000处的一部分 003A7D19 83C4 04 ADD ESP,4 003A7D1C 8B85 49414100 MOV EAX,DWORD PTR SS:[EBP+414149] ; kernel32.VirtualFree 下断VirtualFree末尾处，f9运行 003A7D7D 51 PUSH ECX 003A7D7E E8 ECFFFFFF CALL 003A7D6F 。。。 //解密004A4170 003B3095 55 PUSH EBP 003B3096 8BEC MOV EBP,ESP 003B3098 83C4 FC ADD ESP,-4 003B309B 60 PUSHAD 003B309C 8B7D 10 MOV EDI,DWORD PTR SS:[EBP+10] 003B309F 8B75 08 MOV ESI,DWORD PTR SS:[EBP+8] 003B30A2 8B5D 0C MOV EBX,DWORD PTR SS:[EBP+C] 003B30A5 D1EB SHR EBX,1 003B30A7 EB 41 JMP SHORT 003B30EA 003B30A9 53 PUSH EBX 003B30AA 33DB XOR EBX,EBX 003B30AC 66:C745 FE 0000 MOV WORD PTR SS:[EBP-2],0 003B30B2 EB 25 JMP SHORT 003B30D9 003B30B4 66:8B16 MOV DX,WORD PTR DS:[ESI] 003B30B7 66:23145F AND DX,WORD PTR DS:[EDI+EBX*2] 003B30BB B9 10000000 MOV ECX,10 003B30C0 33C0 XOR EAX,EAX 003B30C2 66:D1E2 SHL DX,1 003B30C5 73 01 JNB SHORT 003B30C8 003B30C7 40 INC EAX 003B30C8 ^ E2 F8 LOOPD SHORT 003B30C2 003B30CA 66:83E0 01 AND AX,1 003B30CE 66:8BCB MOV CX,BX 003B30D1 66:D3E0 SHL AX,CL 003B30D4 66:0145 FE ADD WORD PTR SS:[EBP-2],AX 003B30D8 43 INC EBX 003B30D9 83FB 10 CMP EBX,10 003B30DC ^ 72 D6 JB SHORT 003B30B4 003B30DE 5B POP EBX 003B30DF 66:8B45 FE MOV AX,WORD PTR SS:[EBP-2] 003B30E3 66:8906 MOV WORD PTR DS:[ESI],AX 003B30E6 83C6 02 ADD ESI,2 003B30E9 4B DEC EBX 003B30EA 0BDB OR EBX,EBX 003B30EC ^ 75 BB JNZ SHORT 003B30A9 003B30EE 61 POPAD 003B30EF C9 LEAVE 003B30F0 C2 0C00 RETN 0C 。。。。。。。 003A7537 8B85 45414100 MOV EAX,DWORD PTR SS:[EBP+414145] ; kernel32.VirtualAlloc 003A753D E9 82D20000 JMP 003B47C4 ........ 跳到处执行004DF17F //执行完就清0 在调用kernel32.VirtualFree 释放,此时代码段大部分都被解密了，但是有call和部分call E*****没有处理用esp解密了好像 003A7F0A 87E6 XCHG ESI,ESP 003A7F0C B9 C59A0000 MOV ECX,9AC5 003A7F11 58 POP EAX 003A7F12 EB 04 JMP SHORT 003A7F18 ... 003A7F32 ^/E2 DD LOOPD SHORT 003A7F11 003A7F85 BEBE827A z偩 003A7F89 FC9563FF c朁 003A7F8D FD14F48C 岕 003A7F91 F9178A8A 妸 003A7F95 99FFFFFF  003A7F34 87E6 XCHG ESI,ESP //这下断点 003A7F36 6A 04 PUSH 4 003A7F38 68 00100000 PUSH 1000 003A7F3D 68 00400000 PUSH 4000 ........ 003A7F61 83C4 04 ADD ESP,4 003A7F64 8B85 45414100 MOV EAX,DWORD PTR SS:[EBP+414145] 003A7F6A EB 04 J IAT的处理 ******************************************************************************************* 下断VirtualAlloc+retn ALT+F9 003A7F77 8985 EF4A4100 MOV DWORD PTR SS:[EBP+414AEF],EAX 003A7F7D 83A5 F34A4100 0>AND DWORD PTR SS:[EBP+414AF3],0 003A7F84 8B85 7D414100 MOV EAX,DWORD PTR SS:[EBP+41417D] //SS:[003B52D3]=00000001//IAT已经加密的标志 EAX=00A00000 ...... 003A8C73 83C4 04 ADD ESP,4 003A8C76 8B85 39414100 MOV EAX,DWORD PTR SS:[EBP+414139] ; kernel32.GetModuleHandleA 003A8C7C EB 04 JMP SHORT 003A8C82 .... 003A8CC1 0BC0 OR EAX,EAX ; MSVBVM60.#1374 003A8CC3 75 05 JNZ SHORT 003A8CCA ...................... 003A9866 83C4 04 ADD ESP,4 003A9869 8B85 45414100 MOV EAX,DWORD PTR SS:[EBP+414145] ; kernel32.VirtualAlloc 003A986F EB 04 JMP SHORT 003A9875 ...... //搜索 3D C01F0000 CMP EAX,1FC0 ;看是不是buffer不够然后向下走看到解密出函数名，然后再相应的dll中自己查找函数地址，所有用GetProcAddress是不行的获取函数地址后向下跟不知怎么就进去异常了 003AA8CC 68 3E3F8F00 PUSH 8F3F3E 003AA8D1 8DBD A4464100 LEA EDI,DWORD PTR SS:[EBP+4146A4] //取函数名获取到函数地址后，然后貌似就把这个函数拷贝到自己分配的内存中去了，这个就是hook iat？在获取到函数地址后，有2个比较，带向不同的路线，仔细研究下 003B5005 3B45 F8 CMP EAX,DWORD PTR SS:[EBP-8] ; MSVBVM60.733B2D50 003B5008 76 0B JBE SHORT 003B5015 ; <=arg1 || >=arg3 003B500A 3B45 F4 CMP EAX,DWORD PTR SS:[EBP-C] ;//733B7E6E 003B500D 73 06 JNB SHORT 003B5015 003B500F 50 PUSH EAX 003B5010 E8 12000000 CALL 003B5027 003B5015 8945 FC MOV DWORD PTR SS:[EBP-4],EAX 003B5018 61 POPAD 003B5019 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] 003B501C C9 LEAVE 003B501D C2 0800 RETN 8 走了一遍发现没有函数走另一跳路线的随机拷贝一部分API 函数体的code到自己分配的内存这里可以修改成 003B4933 C607 E9 MOV BYTE PTR DS:[EDI],0E9 003B4936 2BF7 SUB ESI,EDI 003B4938 83EE 05 SUB ESI,5 003B493B 8977 01 MOV DWORD PTR DS:[EDI+1],ESI 003B493E 83C7 05 ADD EDI,5 003B4941 E9 00040000 JMP 003B4D46 C6 07 E9 2B F7 83 EE 05 89 77 01 83 C7 05 89 7C 24 FC E9 FC 03 00 00 //现在来重新看下壳是怎么保存这些edi中值的，从而找到一对一的函数调用关系哈，发现获取堆栈 SS:[0013FF8C]=7C923400 (ntdll.7C923400) EAX=7C92D7E0 (ntdll.ZwQueryInformationProcess了然后后面有个OR EAX,EAX JE **** //这里改下。让他跳走 003B4F25 C2 0C00 RETN 0C 003AE2E6 /EB 58 JMP SHORT 003AE340 003AE2E8 |0BC0 OR EAX,EAX 003AE2EA |0F84 61010000 JE 003AE451 然后一直F7就看到有GetModuleFileNameA了 003AEB17 83C4 04 ADD ESP,4 003AEB1A 8B85 52434100 MOV EAX,DWORD PTR SS:[EBP+414352] //EAX==GetModuleFileNameA 003AEB20 EB 04 JMP SHORT 003AEB26 ... //直接下断MapViewOfFile末尾 003AED5B 8985 59414100 MOV DWORD PTR SS:[EBP+414159],EAX 003AED61 53 PUSH EBX 003AED62 8B40 3C MOV EAX,DWORD PTR DS:[EAX+3C] 003AED65 8B8D 51414100 MOV ECX,DWORD PTR SS:[EBP+414151] 003AED6B 2BC8 SUB ECX,EAX //然后直接搜索cmp esi,edi//这出就是文件校验的地方了 003AF0DB 0175 08 ADD DWORD PTR SS:[EBP+8],ESI 003AF0DE 3BF7 CMP ESI,EDI ---文件检验 003AF0E0 0F85 C16E0000 JNZ 003B5FA7 ... 然后到这之前有想e80000写入跳转的api类似与push **** xor [esp],*****，retn 003AF3AC 66:8B06 MOV AX,WORD PTR DS:[ESI] //esi指向401000处这里面是一张跳转地址表，地址里面都是API的地址（另一种形式的hookapi地址） 003AF3AF 3C E8 CMP AL,0E8 003AF3B1 0F85 C0010000 JNZ 003AF577 003AF3B7 8B46 01 MOV EAX,DWORD PTR DS:[ESI+1] 003AF3BA C1C0 08 ROL EAX,8 003AF3BD 3A85 DE484100 CMP AL,BYTE PTR SS:[EBP+4148DE] 003AF3C3 0F85 A3010000 JNZ 003AF56C 003AF577 3C E9 CMP AL,0E9 003AF579 0F85 C0010000 JNZ 003AF73F 003AF57F 8B46 01 MOV EAX,DWORD PTR DS:[ESI+1] 003AF582 C1C0 08 ROL EAX,8 003AF585 3A85 DE484100 CMP AL,BYTE PTR SS:[EBP+4148DE] 003AF58B 0F85 A3010000 JNZ 003AF734 003AF73F 3C 0F CMP AL,0F 003AF741 0F85 D0010000 JNZ 003AF917 003AF747 80FC 7F CMP AH,7F 003AF74A 0F86 C7010000 JBE 003AF917 003AF750 80FC 90 CMP AH,90 003AF753 0F83 BE010000 JNB 003AF917 003AF759 8B46 02 MOV EAX,DWORD PTR DS:[ESI+2] 003AF75C C1C0 08 ROL EAX,8 003AF75F 3A85 DE484100 CMP AL,BYTE PTR SS:[EBP+4148DE]//判断是否是E1 程序中有很多的******E1call 003AF765 0F85 A6010000 JNZ 003AF911 //对于0047A372 - E9 13A507E1 JMP E14F488A ESI=0047A372 003AF57F 8B46 01 MOV EAX,DWORD PTR DS:[ESI+1] 003AF582 C1C0 08 ROL EAX,8 0013FF98 C1E8 08 SHR EAX,8 0013FF9B 8946 01 MOV DWORD PTR DS:[ESI+1],EAX 0013FF9E 8BC6 MOV EAX,ESI 0013FFA0 83C0 05 ADD EAX,5 //算法二 003AF563 2B85 4D414100 SUB EAX,DWORD PTR SS:[EBP+41414D] ; SUB EAX,400000 003AF569 2946 01 SUB DWORD PTR DS:[ESI+1],EAX 003AF56C 83C6 04 ADD ESI,4 上面那一段需要在脚本中得到并且更改ecx值为code段大小，解密所有的call 上面形成的那张表 00401000 00E90000 00401004 00E90020 00401008 00E90040 0040100C 00E90060 00401010 00E90080 00401014 00E900A0 00401018 00E900C0 0040101C 00E900E0 00401020 00E90100 00401024 00E90120 00401028 00E90140 0040102C 00E90160 00401030 00E90180 00401034 00E901A0 00401038 00E901C0 0040103C 00E901E0 00401040 00E90200 00401044 00E90220 00401048 00E90240 0040104C 00E90260 00401050 00E90280 00401054 00E902A0 00401058 00E902C0 0040105C 00E902E0 00401060 00E90300 00401064 00E90320 00401068 00E90340 0040106C 00E90360 00401070 00E90380 00401074 00E903A0 00401078 00E903C0 0040107C 00E903E0 00401080 00E90400 00401084 00E90420 00401088 00E90440 0040108C 00E90460 00401090 00E90480 00401094 00E904A0 00401098 00E904C0 0040109C 00E904E0 004010A0 00E90500 004010A4 00E90520 004010A8 00E90540 004010AC 00E90560 004010B0 00E90580 004010B4 00E905A0 004010B8 00E905C0 004010BC 00E905E0 004010C0 00E90600 004010C4 00E90620 004010C8 00E90640 004010CC 00E90660 004010D0 00E90680 004010D4 00E906A0 004010D8 00E906C0 004010DC 00E906E0 004010E0 00E90700 004010E4 00E90720 004010E8 00E90740 004010EC 00E90760 004010F0 00E90780 004010F4 00E907A0 004010F8 00E907C0 004010FC 00E907E0 00401100 00E90800 00401104 00E90820 00401108 00E90840 0040110C 00E90860 00401110 00E90880 00401114 00E908A0 00401118 00E908C0 0040111C 00E908E0 00401120 00E90900 00401124 00E90920 00401128 00E90940 0040112C 00E90960 00401130 00E90980 00401134 00E909A0 00401138 00E909C0 0040113C 00E909E0 00401140 00E90A00 00401144 00E90A20 00401148 00E90A40 0040114C 00E90A60 00401150 00E90A80 00401154 00E90AA0 00401158 00E90AC0 0040115C 00E90AE0 00401160 00E90B00 00401164 00E90B20 00401168 00E90B40 0040116C 00E90B60 00401170 00E90B80 00401174 00E90BA0 00401178 00E90BC0 0040117C 00E90BE0 00401180 00E90C00 00401184 00E90C20 00401188 00E90C40 0040118C 00E90C60 00401190 00E90C80 00401194 00E90CA0 00401198 00E90CC0 0040119C 00E90CE0 004011A0 00E90D00 004011A4 00E90D20 004011A8 00E90D40 004011AC 00E90D60 004011B0 00E90D80 004011B4 00E90DA0 004011B8 00E90DC0 004011BC 00E90DE0 004011C0 00E90E00 004011C4 00E90E20 004011C8 00E90E40 004011CC 00E90E60 004011D0 00E90E80 004011D4 00E90EA0 004011D8 00E90EC0 004011DC 00E90EE0 004011E0 00E90F00 004011E4 00E90F20 004011E8 00E90F40 004011EC 00E90F60 004011F0 00E90F80 004011F4 00E90FA0 004011F8 00E90FC0 004011FC 00E90FE0 00401200 00E91000 00401204 00E91020 00401208 00E91040 0040120C 00E91060 00401210 00E91080 00401214 00E910A0 00401218 00E910C0 0040121C 00E910E0 00401220 00E91100 00401224 00E91120 00401228 00E91140 0040122C 00E91160 00401230 00E91180 00401234 00E911A0 00401238 00E911C0 0040123C 00E911E0 00401240 00E91200 00401244 00E91220 00401248 00E91240 0040124C 00E91260 00401250 00E91280 00401254 00E912A0 00401258 00E912C0 0040125C 00E912E0 00401260 00E91300 00401264 00E91320 00401268 00E91340 0040126C 00E91360 00401270 00E91380 00401274 00E913A0 00401278 00E913C0 0040127C 00E913E0 00401280 00E91400 00401284 00E91420 00401288 00E91440 0040128C 00E91460 00401290 00E91480 00401294 00E914A0 00401298 00E914C0 0040129C 00E914E0 004012A0 00E91500 004012A4 00E91520 004012A8 00E91540 004012AC 00E91560 004012B0 00E91580 004012B4 00E915A0 004012B8 00E915C0 004012BC 00E915E0 004012C0 00E91600 004012C4 00E91620 004012C8 00E91640 004012CC 00E91660 004012D0 00E91680 004012D4 00E916A0 004012D8 00E916C0 004012DC 00E916E0 004012E0 00E91700 004012E4 00E91720 004012E8 00E91740 004012EC 00E91760 004012F0 00E91780 004012F4 00E917A0 004012F8 00E917C0 004012FC 00E917E0 00401300 00E91800 00401304 00E91820 00401308 00E91840 0040130C 00E91860 00401310 00E91880 00401314 00E918A0 00401318 00E918C0 0040131C 00E918E0 00401320 00E91900 ... 到GetVerSion ... ... 下断VirtualAlloc+RETN --------------这里这里貌似就有ANTI DUMP 003B0EF7 85C0 TEST EAX,EAX 003B0EF9 78 12 JS SHORT 003B0F0D 003B0EFB 8B40 0C MOV EAX,DWORD PTR DS:[EAX+C] 003B0EFE 8B40 0C MOV EAX,DWORD PTR DS:[EAX+C] 003B0F01 C740 20 00100000 MOV DWORD PTR DS:[EAX+20],1000 //这里要更改DS:[00251F00]=000FCAE9 VirtualProtect+RETN //设置pe头可写可读可执行 VirtualAlloc+RETN // ... 这里要仔细跟因为把PE头给抹掉了 //这里要更改 003B1619 8746 3C XCHG DWORD PTR DS:[ESI+3C],EAX 003B16A0 51 PUSH ECX 003B16A1 C1E9 02 SHR ECX,2 003B16A4 F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI] ; PE头 003B16A6 59 POP ECX 003B16A7 83E1 03 AND ECX,3 003B16AA F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] .... 003B17C6 51 PUSH ECX 003B17C7 C1E9 02 SHR ECX,2 003B17CA F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS> 003B17CC 59 POP ECX 003B17CD 83E1 03 AND ECX,3 003B17D0 F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[> 然后看见了OutDebugStringA 003B1825 83C4 04 ADD ESP,4 003B1828 8B85 B7434100 MOV EAX,DWORD PTR SS:[EBP+4143B7] ; kernel32.OutputDebugStringA 003B1879 83F8 01 CMP EAX,1 003B187C 0F85 6B010000 JNZ 003B19ED //跳走了就执行SetTimer 003B1A11 83BD C1414100 0>CMP DWORD PTR SS:[EBP+4141C1],0 003B1A18 74 2F JE SHORT 003B1A49 003B1A1A 8B8D 4D414100 MOV ECX,DWORD PTR SS:[EBP+41414D] 003B1A20 2B8D 71414100 SUB ECX,DWORD PTR SS:[EBP+414171] 003B1A26 8DBD 901E4000 LEA EDI,DWORD PTR SS:[EBP+401E90] 003B1A2C 03BD C1414100 ADD EDI,DWORD PTR SS:[EBP+4141C1] 003B1A32 8DB5 901E4000 LEA ESI,DWORD PTR SS:[EBP+401E90] 003B1A38 03B5 C5414100 ADD ESI,DWORD PTR SS:[EBP+4141C5] 003B1A3E AD LODS DWORD PTR DS:[ESI] 003B1A3F EB 04 JMP SHORT 003B1A45 003B1A41 010C38 ADD DWORD PTR DS:[EAX+EDI],ECX ECX=0 003B1A44 AD LODS DWORD PTR DS:[ESI] 003B1A45 0BC0 OR EAX,EAX 003B1A47 ^ 75 F8 JNZ SHORT 003B1A41 ....... 003B1CF3 894424 EC MOV DWORD PTR SS:[ESP-14],EAX ; 1.0041DC19 003B1CF7 9C PUSHFD 003B1DF1 C1E9 02 SHR ECX,2 003B1DF4 /EB 08 JMP SHORT 003B1DFE 003B1DF6 |AD LODS DWORD PTR DS:[ESI] 003B1DF7 |3185 95414100 XOR DWORD PTR SS:[EBP+414195],EAX //解密3B52EB的code？ 003B1DFD |49 DEC ECX 003B1DFE /0BC9 OR ECX,ECX 003B1E00 ^ 75 F4 JNZ SHORT 003B1DF6 003B1E02 8B4424 EC MOV EAX,DWORD PTR SS:[ESP-14] 003B1E06 2B85 4D414100 SUB EAX,DWORD PTR SS:[EBP+41414D] 003B1E0C 8985 C1414100 MOV DWORD PTR SS:[EBP+4141C1],EAX 003B1E12 8B6C24 E8 MOV EBP,DWORD PTR SS:[ESP-18] 003B1E16 8B85 69414100 MOV EAX,DWORD PTR SS:[EBP+414169] 003B1E1C 0BC0 OR EAX,EAX 003B1E1E 74 0F JE SHORT 003B1E2F 003B1E20 0385 4D414100 ADD EAX,DWORD PTR SS:[EBP+41414D] 003B1E26 8D8D DD1E4100 LEA ECX,DWORD PTR SS:[EBP+411EDD] 003B1E2C 8948 02 MOV DWORD PTR DS:[EAX+2],ECX 003B1E2F 8B85 95414100 MOV EAX,DWORD PTR SS:[EBP+414195] 003B1E35 E8 48000000 CALL 003B1E82 //这里设置异常 003B1E3A 8B4C24 0C MOV ECX,DWORD PTR SS:[ESP+C] //异常的返回句柄就是这里 003B1E3E FF81 B8000000 INC DWORD PTR DS:[ECX+B8] .. retn就到ntdll领空去了 ******************************************************* 003B1E82 33C9 XOR ECX,ECX 003B1E84 64:FF31 PUSH DWORD PTR FS:[ECX] 003B1E87 64:8921 MOV DWORD PTR FS:[ECX],ESP 003B1E8A CC INT3 003B1E8B 90 NOP 003B1E8C 64:8F01 POP DWORD PTR FS:[ECX] 003B1E8F 83C4 04 ADD ESP,4 ******************************************************* //按三次SHIFT+F9就到 003AECA1 6285 F74A4100 BOUND EAX,QWORD PTR SS:[EBP+414AF7] //看堆栈SEH句柄 003AECA7 ^ EB F8 JMP SHORT 003AECA1 003AECA9 8BD8 MOV EBX,EAX //到这里 003B5D82 8BD4 MOV EDX,ESP 003B5D84 60 PUSHAD 003B5D85 8B7A 0C MOV EDI,DWORD PTR DS:[EDX+C] 003B5D88 8BAF B4000000 MOV EBP,DWORD PTR DS:[EDI+B4] 003B5D8E 8BB5 084B4100 MOV ESI,DWORD PTR SS:[EBP+414B08] 003B5D94 8B5A 04 MOV EBX,DWORD PTR DS:[EDX+4] 003B5D97 AD LODS DWORD PTR DS:[ESI] 003B5D98 3B03 CMP EAX,DWORD PTR DS:[EBX] 003B5D9A 0F85 70010000 JNZ 003B5F10 然后又跑去堆栈中执行了 0013FBA8 A5 MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ES> //清0 0013FBA9 A5 MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ES> 0013FBAA A5 MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ES> 0013FBAB A5 MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ES> 0013FBAC A5 MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ES> 0013FBAD A5 MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ES> RETN ---进去ntdll领空了按SHIFT+F9就到CreateFileA独占文件了，****处下断点SetThreadPriority末尾 -----------可以直接下断点到这，中间忽略异常 003AC559 83C4 04 ADD ESP,4 003AC55C 8B85 52434100 MOV EAX,DWORD PTR SS:[EBP+414352] ; kernel32.GetModuleFileNameA ****//又CreateFileA //这一次的打开文件应该是独占用的，这里面将文件打开的共享属性改成3就行了就是共享读和共享写 //EnableWindow+ALT+F9返回后 003A7585 83EC 08 SUB ESP,8 003A7588 B8 2E414100 MOV EAX,41412E 003A758D 50 PUSH EAX 003A758E 64:FF35 0000000>PUSH DWORD PTR FS:[0] 快到OEP 003A76F3 61 POPAD 003A76F4 50 PUSH EAX 003A76F5 52 PUSH EDX .........继续走好像开始要记录stolen code 了 003C0C1E 58 POP EAX 003C0C1F 8B00 MOV EAX,DWORD PTR DS:[EAX] 003C0C21 870424 XCHG DWORD PTR SS:[ESP],EAX 003C0C24 C3 RETN //返回到 00403BF0 (1.00403BF0)哈哈，这里就是OEP啦 //貌似没有stole code 00403BF0 90 NOP 00403BF1 E8 94EBFAFF CALL 003B278A

自己脱的时候写的脚本

var func1 var func2 var addr var createw var zwthread var esiaddr var cmpcc var virtuaddr var addr1 gpa "CreateFileW","kernel32.dll" cmp $RESULT,0 jz error1 mov func1,$RESULT mov createw,$RESULT gpa "VirtualAlloc","kernel32.dll" cmp $RESULT,0 jz error8 mov virtuaddr,$RESULT dbh log func1 //恢复函数hook gpa "ZwSetInformationThread","ntdll.dll" cmp $RESULT,0 jz error1 mov zwthread,$RESULT //asm zwthread,"mov eax,0e5" bp func1 eob first1 run first1: bc func1 gpa "GetModuleHandleW","kernel32.dll" cmp $RESULT,0 jz error2 mov func1,$RESULT bp func1 eob second1 run second1: bc func1 rtu //ALT+F9返回 mov addr,eip find addr,#663D558B# //cmp ax,8b55 cmp $RESULT,0 jz error5 mov addr,$RESULT find addr,#803EC2# cmp $RESULT,0 jz error6 mov cmpcc,$RESULT //先记录下判断ZwSetInfoMationThread 是否被修改的代码 bp addr eob third1 run third1: bc addr mov esiaddr,esi add esiaddr,0c bp esiaddr eob third2 run third2: bc esiaddr //现在达到获取zwsetinfomationthread 地址出 find esiaddr,#C20800# //获取函数地址的ret 08 cmp $RESULT,0 jz error7 mov esiaddr,$RESULT bp esiaddr eob third3 //到达这里之后有2次去堆栈中执行，然后就开始调用ZwSetInfoMationThread run //调用这个函数之前先检查了是否被修改了 third3: bc esiaddr //retn 08 //判断是否被修改了函数 mov addr,cmpcc add addr,3 bp addr eob third4 run third4: //在这里面将那个函数改回来，奇怪exe 刚载入他就被hook 了 bc addr //然后会进入到壳的那个函数修改，记得是不相等跳到pop edx retn 10的，先记下 add virtuaddr,19 bp virtuaddr eob fourth1 run fourth1: bc virtuaddr /// bp virtuaddr eob fourth2 run fourth2: bc virtuaddr //下面应该到达esp 解密出 bp virtuaddr eob fourth3 run fourth3: bc virtuaddr rtu //ALT+F9返回 //开始处理iat 了 //直接搜索3D C01F0000 find eip,#3DC01F0000# //cmp eax,1FC0 cmp $RESULT,0 jz lab1 mov addr,$RESULT bp addr eob fourth4 run fourth4: bc addr lab1: find eip,#0345083B45F8# //获取到函数地址的指令 cmp $RESULT,0 jz error11 mov addr,$RESULT bp addr eob fourth5 run fourth5: bc addr /// add addr,6 repl addr,#76#,#EB#,1 // //------------- mov addr1,addr gpa "ZwQueryInformationProcess","ntdll.dll" cmp $RESULT,0 jz error12 mov addr,$RESULT bprm addr,4 //设置内存访问断点 eob fourth6 run fourth6: bpmc //清除内存断点 //此时快要到调用ZwQueryInformationProcess了 //pass 掉ZwQueryInformationProcess就可以直接下断点到文件校验的函数了MapViewOfFile gpa "MapViewOfFile","kernel32.dll" cmp $RESULT,0 jz error13 mov addr,$RESULT add addr,1c bp addr eob fourth7 run fourth7: bc addr rtu // //ALT+F9返回 find eip,#3BF70f85# //查找文件校验的比较, cmp $RESULT,0 //文件检验要查找共有几处比较，然后都patch 掉 jz error14 mov addr,$RESULT log addr bp addr eob fourth71 run fourth71: bc addr log esi log edi log eip mov esi,edi //去掉文件校验 find eip,#668B063CE8# //查找替换code段call 的代码 cmp $RESULT,0 jnz fourth72 msg "未找到替换code段call 出" jmp end fourth72: mov addr,$RESULT bp addr eob fourth73 run fourth73: bc addr // gmi esi,CODESIZE mov ecx,0a3000 //硬编码算了 log ecx // log virtuaddr bp virtuaddr eob fourth8 run fourth8: bc virtuaddr rtu // log eip //往下运行就会有anti dump 的 find eip,#C74020# //MOV DWORD PTR DS:[EAX+20],1000 cmp $RESULT,0 jnz fourth81 msg "未找到anti dump 地方" jmp end fourth81: log $RESULT mov addr,$RESULT repl addr,#C7402000100000#,#90909090909090#,7 //nop 到antidump bp virtuaddr eob fourth9 run fourth9: bc virtuaddr //往下运行有抹掉PE头的nop 掉 rtu find eip,#87463C# //XCHG DWORD PTR DS:[ESI+3C],EAX cmp $RESULT,0 jnz fourth82 msg "未找到替换文件头3C内容处" jmp end fourth82: mov addr,$RESULT log addr repl addr,#87463C#,#909090#,3 find addr,#51C1E902F3A559# //REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI] cmp $RESULT,0 jnz fourth83 msg "未找到填0pe头" jmp end fourth83: mov addr,$RESULT log addr repl addr,#51C1E902F3A55983E103F3A4#,#909090909090909090909090#,12 find addr,#51C1E902F3A559# cmp $RESULT,0 jnz fourth84 msg "未找到第二处PE头" jmp end fourth84: mov addr,$RESULT log addr repl addr,#51C1E902F3A55983E103F3A4#,#909090909090909090909090#,12 bp createw gpa "EnableWindow","user32.dll" cmp $RESULT,0 jnz five msg "未找到函数EnableWindow" jmp end five: mov addr,$RESULT add addr,13 bp createw //修改文件独占 eob five01 //这之间有异常，要按SHIFT+F9 ESTO ESTO five01: bc createw //修改堆栈 mov [esp+c],3 bp addr eob five1 run five1: bc addr rtu find eip,#588B00870424C3# // cmp $RESULT,0 jnz tooep msg "未找到返回到OEP处指令" jmp end tooep: mov addr,$RESULT bp addr eob oep run oep: bc addr sto sto sto sto cmt eip,"this is oep" jmp end error1: msg "not have find createfileW" jmp end error2: msg "not find getmodulehandleW" jmp end error4: msg "virtualaddr error" jmp end error3: msg "1" jmp end error5: msg "cmp ax,8b55查找失败" jmp end error6: msg "803EC2失败" jmp end error7: msg "ret 08 失败" jmp end error8: msg "virtualaddr error" jmp end error10: msg "未能找到比较buffer 处" jmp end error11: msg "未能找到获取函数地址的指令" jmp end error12: msg "未找到ZwQueryInformationProcess" jmp end error13: msg "未找到MapViewOfFile " jmp end error14: msg "未找到crc 校验的地方" jmp end end: ret

跟了3个晚上+一天，悲剧的是到达OEP后总是无法运行，用strong +OD直接能在调试器运行，慢慢跟却不行，郁闷

003B2B28    8B00            MOV EAX,DWORD PTR DS:[EAX]----------eax总是不对，直接运行的却可以，纠结
003B2B2A    894424 24       MOV DWORD PTR SS:[ESP+24],EAX
003B2B2E    61              POPAD
003B2B2F    83C4 04         ADD ESP,4
003B2B32    C3              RETN

看一些同类的脱壳文章中也没提到这个，不知道哪有暗装还是怎么