目标:Registry Crawler注册表工具
操作系统:Windows 7 64 位
1:侦壳为:PECompact 2.x -> Jeremy Collake
2:OD载入:
0041B27E > B8 D0684700 mov eax,rcrawler.004768D0 ; <== Original Entry Point ///停在这里
0041B283 50 push eax ; OEP Found,Please dumped it!
0041B284 64:FF35 0000000>push dword ptr fs:[0]
0041B28B 64:8925 0000000>mov dword ptr fs:[0],esp
0041B292 33C0 xor eax,eax ; This is the entry point (OEP)
0041B294 8908 mov dword ptr ds:[eax],ecx
0041B296 50 push eax
0041B297 45 inc ebp
0041B298 43 inc ebx
0041B299 6F outs dx,dword ptr es:[edi]
0041B29A 6D ins dword ptr es:[edi],dx
0041B29B 70 61 jo Xrcrawler.0041B2FE
0041B29D 637432 00 arpl word ptr ds:[edx+esi],si
代码看上去很乱，非常不正规（反汇编出来的都是无意义的指令）。
3:下断点:bp VirtualFree 或 bpx VirtualFree，Shift+F9 运行
7D85F06A > 8BFF mov edi,edi //停在这里 F2取消断点 ALT+F9返回
7D85F06C 55 push ebp
7D85F06D 8BEC mov ebp,esp
7D85F06F FF75 10 push dword ptr ss:[ebp+0x10]
7D85F072 FF75 0C push dword ptr ss:[ebp+0xC]
7D85F075 FF75 08 push dword ptr ss:[ebp+0x8]
7D85F078 6A FF push -0x1
7D85F07A E8 B2FEFFFF call KernelBa.VirtualFreeEx
7D85F07F 5D pop ebp
7D85F080 C2 0C00 retn 0xC
4:按照前辈留下的经验搜索:CTRL+F 搜索 push 8000
0002133F 8BC8 mov ecx,eax //停在这里
00021341 40 inc eax
00021342 74 74 je X000213B8
00021344 33C0 xor eax,eax
00021346 0345 F4 add eax,dword ptr ss:[ebp-0xC]
00021349 74 12 je X0002135D
0002134B 48 dec eax
0002134C 8945 F4 mov dword ptr ss:[ebp-0xC],eax
0002134F FF75 EC push dword ptr ss:[ebp-0x14]
00021352 FF75 E8 push dword ptr ss:[ebp-0x18]
00021355 8F45 EC pop dword ptr ss:[ebp-0x14]
00021358 8F45 E8 pop dword ptr ss:[ebp-0x18]
0002135B ^ EB CA jmp X00021327
0002135D 5A pop edx
0002135E 56 push esi
0002135F 8B7E 04 mov edi,dword ptr ds:[esi+0x4]
00021362 03FA add edi,edx
00021364 3B7D E8 cmp edi,dword ptr ss:[ebp-0x18]
00021367 75 04 jnz X0002136D
00021369 03F9 add edi,ecx
0002136B EB 11 jmp X0002137E
0002136D 8B75 E8 mov esi,dword ptr ss:[ebp-0x18]
5:
00020F84 68 00800000 push 0x8000 //停在这里
00020F89 6A 00 push 0x0
00020F8B FFB5 551F0010 push dword ptr ss:[ebp+0x10001F55]
00020F91 FF95 691F0010 call dword ptr ss:[ebp+0x10001F69]
00020F97 8B46 0C mov eax,dword ptr ds:[esi+0xC]
00020F9A 03C7 add eax,edi
00020F9C 5D pop ebp
00020F9D 5E pop esi
00020F9E 5F pop edi
00020F9F 5B pop ebx
00020FA0 C3 retn //F2 下断 -- F9 运行 --- 取消 F2 断点
6:单步F8往下走来到这里
00476970 8985 3F130010 mov dword ptr ss:[ebp+0x1000133F],eax ; rcrawler.<ModuleEntryPoint> //来到这里
00476976 8BF0 mov esi,eax
00476978 8B4B 14 mov ecx,dword ptr ds:[ebx+0x14]
0047697B 5A pop edx
0047697C EB 0C jmp Xrcrawler.0047698A
0047697E 03CA add ecx,edx
00476980 68 00800000 push 0x8000
00476985 6A 00 push 0x0
00476987 57 push edi
00476988 FF11 call dword ptr ds:[ecx]
0047698A 8BC6 mov eax,esi
0047698C 5A pop edx
0047698D 5E pop esi
0047698E 5F pop edi
0047698F 59 pop ecx
00476990 5B pop ebx
00476991 5D pop ebp
00476992 FFE0 jmp eax //这里看上去很像快到达 OEP，我第一次也是这么认为的，好简单吔!
00476994 0000 add byte ptr ds:[eax],al
00476996 0000 add byte ptr ds:[eax],al
7:F8单步走到:00476992 FFE0 jmp eax
8:跳到这里又回到了初始地方,感觉一脸懵逼,不像OEP ????
0041B27E > B8 00304700 mov eax,rcrawler.00473000 ; <== Original Entry Point //跳向这里 感觉又回到了初始地方
0041B283 FFD0 call eax ; OEP Found,Please dumped it!
0041B285 74 44 je Xrcrawler.0041B2CB
0041B287 0068 34 add byte ptr ds:[eax+0x34],ch
0041B28A 07 pop es
0041B28B 42 inc edx
0041B28C 0064A1 00 add byte ptr ds:[ecx],ah
0041B290 0000 add byte ptr ds:[eax],al
0041B292 0050 64 add byte ptr ds:[eax+0x64],dl ; This is the entry point (OEP)
0041B295 8925 00000000 mov dword ptr ds:[0],esp
0041B29B 83EC 58 sub esp,0x58
0041B29E 53 push ebx
0041B29F 56 push esi
0041B2A0 57 push edi
0041B2A1 8965 E8 mov dword ptr ss:[ebp-0x18],esp
0041B2A4 FF15 C0924400 call dword ptr ds:[0x4492C0] ; kernel32.GetVersion
9:F8 单步走，近 CALL 按 F7 跟进
0041B27E > B8 00304700 mov eax,rcrawler.00473000 ; <== Original Entry Point
0041B283 FFD0 call eax ; OEP Found,Please dumped it!
0041B285 74 44 je Xrcrawler.0041B2CB
10:
00473000 /E9 25010000 jmp rcrawler.0047312A
00473005 |57 push edi
00473006 |65:6E outs dx,byte ptr es:[edi]
00473008 |64:696E 67 0050>imul ebp,dword ptr fs:[esi+0x67],0x6F685>
00473010 |74 6F je Xrcrawler.00473081
00473012 |73 68 jnb Xrcrawler.0047307C
00473014 |6F outs dx,dword ptr es:[edi]
00473015 |70 20 jo Xrcrawler.00473037
00473017 |53 push ebx
11:F8一直往下走
004732A9 59 pop ecx
004732AA 5F pop edi
004732AB 5E pop esi
004732AC C3 retn // 走到这里，仔细看就会明白：retn 返回后的下一步就是真正的 OEP
004732AD E8 94010000 call rcrawler.00473446
004732B2 C3 retn
004732B3 E8 8E010000 call rcrawler.00473446
12:真正的 OEP 到了（典型的 VC 程序入口：安装 SEH 后调用 GetVersion），脱壳，试运行
0041B27E > 55 push ebp ; <== Original Entry Point
0041B27F 8BEC mov ebp,esp ; OEP Or Next Shell To Get,Please dumped it,Enjoy!
0041B281 6A FF push -0x1
0041B283 68 48F84400 push rcrawler.0044F848 ; OEP Found,Please dumped it!
0041B288 68 34074200 push rcrawler.00420734
0041B28D 64:A1 00000000 mov eax,dword ptr fs:[0]
0041B293 50 push eax
0041B294 64:8925 0000000>mov dword ptr fs:[0],esp
0041B29B 83EC 58 sub esp,0x58
0041B29E 53 push ebx
0041B29F 56 push esi
0041B2A0 57 push edi
0041B2A1 8965 E8 mov dword ptr ss:[ebp-0x18],esp
0041B2A4 FF15 C0924400 call dword ptr ds:[0x4492C0] ; kernel32.GetVersion
13:修正映像大小，转存后运行出现下列情况:
用到:ImportREC 导入表修复工具
有很多无效指针，全部 OUT 掉再转存，结果程序无法运行!!!!（说明这些"无效"指针其实是程序需要的函数，不能直接去掉）
此时我们记录下无效指针的地址:
00049119 + 00400000(映像基址) = 00449119 函数:SelectObject
(004589BC ASCII "SelectObject")
000492E4 + 00400000(映像基址) = 004492E4 函数:GetProcAddress
重新载入:下 HR 00449119，F9 运行，找到这个地址真正对应的函数
找到这些函数进行修复
程序完美运行:
侦壳后:
此方法是献给那些用脱壳脚本、脱壳机都脱不掉此壳的朋友的一种方法，有你们的鼓励就是我最大的进步!!!
(友情提示:ESP 定律、转存跟踪法，有兴趣的朋友试试!!)