下面是脱壳的简单记录:
程序开始处(call/jmp 之后的几行是花指令造成的错误反汇编,可忽略):
00465060 > 55 push ebp
00465061 8BEC mov ebp, esp
00465063 53 push ebx
00465064 56 push esi
00465065 57 push edi
00465066 E8 03000000 call 0046506E
0046506B EB 01 jmp short 0046506E
0046506D E8 E8860000 call 0046D75A
00465072 00E8 add al, ch
00465074 0300 add eax, dword ptr [eax]
00465076 0000 add byte ptr [eax], al
00465078 EB 01 jmp short 0046507B
0046507A E9 E8790000 jmp 0046CA67
004651D2 8BD5 mov edx, ebp
004651D4 81C2 B6E54100 add edx, 0041E5B6
004651DA 8D02 lea eax, dword ptr [edx] ; entrypoint ebp+41e5b6=00465066
004651DC B9 77F94100 mov ecx, 0041F977
004651E1 81E9 B6E54100 sub ecx, 0041E5B6
004651E7 51 push ecx
004651E8 50 push eax
004651E9 E8 A8060000 call 00465896 ; 计算壳EP处长度13c1的校验值
004651EE 83C4 08 add esp, 8
004651F1 8BD5 mov edx, ebp
004651F3 81C2 D4FC4100 add edx, 0041FCD4
004651F9 8902 mov dword ptr [edx], eax ; 校验值(846f4)放入ebp+41fcd4
省略一部分代码
反调试检查(anti-debug)
00465574 8D3A lea edi, dword ptr [edx]
00465576 6A 00 push 0
00465578 68 80000000 push 80
0046557D 6A 03 push 3
0046557F 6A 00 push 0
00465581 6A 03 push 3
00465583 68 000000C0 push C0000000
00465588 57 push edi
00465589 8BD5 mov edx, ebp
0046558B 81C2 E0FD4100 add edx, 0041FDE0
00465591 FF12 call dword ptr [edx] ; CreateFileA检查SoftICE
00465593 83F8 FF cmp eax, -1
00465596 74 19 je short 004655B1
00465598 8BF8 mov edi, eax
0046559A 57 push edi
0046559B 8BD5 mov edx, ebp
0046559D 81C2 2CFE4100 add edx, 0041FE2C
004655A3 FF12 call dword ptr [edx]
004655A5 6A 00 push 0
004655A7 8BD5 mov edx, ebp
004655A9 81C2 F3FE4100 add edx, 0041FEF3
004655AF FF12 call dword ptr [edx]
004655B1 8BD5 mov edx, ebp
004655B3 81C2 46FF4100 add edx, 0041FF46
004655B9 8D3A lea edi, dword ptr [edx]
004655BB 6A 00 push 0
004655BD 68 80000000 push 80
004655C2 6A 03 push 3
004655C4 6A 00 push 0
004655C6 6A 03 push 3
004655C8 68 000000C0 push C0000000
004655CD 57 push edi
004655CE 8BD5 mov edx, ebp
004655D0 81C2 E0FD4100 add edx, 0041FDE0
004655D6 FF12 call dword ptr [edx]
计算校验值
0046572A 8BD5 mov edx, ebp
0046572C 81C2 D0FC4100 add edx, 0041FCD0
00465732 F702 10000000 test dword ptr [edx], 10
00465738 74 3B je short 00465775
0046573A 64:FF35 3000000>push dword ptr fs:[30]
00465741 58 pop eax
00465742 85C0 test eax, eax
00465744 78 0F js short 00465755
00465746 8B40 0C mov eax, dword ptr [eax+C]
00465749 8B40 0C mov eax, dword ptr [eax+C]
0046574C C740 20 0010000>mov dword ptr [eax+20], 1000
00465753 EB 20 jmp short 00465775
00465755 6A 00 push 0
00465757 8BDD mov ebx, ebp
00465759 81C3 A6FD4100 add ebx, 0041FDA6
0046575F FF13 call dword ptr [ebx]
00465761 85D2 test edx, edx
00465763 79 10 jns short 00465775
00465765 837A 08 FF cmp dword ptr [edx+8], -1
00465769 75 0A jnz short 00465775
0046576B 8B52 04 mov edx, dword ptr [edx+4]
0046576E C742 50 0010000>mov dword ptr [edx+50], 1000
00465775 E8 03000000 call 0046577D
0046577A EB 01 jmp short 0046577D
0046577C - E9 8BD581C2 jmp C2C82D0C
00465781 50 push eax
00465782 FB sti
00465783 41 inc ecx
00465784 008B 3A037F3C add byte ptr [ebx+3C7F033A], cl
0046578A 8B32 mov esi, dword ptr [edx]
0046578C 8B4F 54 mov ecx, dword ptr [edi+54]
0046578F 8BD5 mov edx, ebp
00465791 81C2 74FF4100 add edx, 0041FF74
00465797 8D02 lea eax, dword ptr [edx]
00465799 50 push eax
0046579A 6A 04 push 4
0046579C 51 push ecx
0046579D 8BD5 mov edx, ebp
0046579F 81C2 50FB4100 add edx, 0041FB50
004657A5 FF32 push dword ptr [edx]
004657A7 8BD5 mov edx, ebp
004657A9 81C2 B9FD4100 add edx, 0041FDB9
004657AF FF12 call dword ptr [edx] ; VirtualProtect
004657B1 E8 61FEFFFF call 00465617
004657B6 8BD5 mov edx, ebp
004657B8 81C2 D0FC4100 add edx, 0041FCD0
004657BE F702 08000000 test dword ptr [edx], 8
004657C4 0F84 19010000 je 004658E3
004657CA 68 04010000 push 104
004657CF 8BD5 mov edx, ebp
004657D1 81C2 74FF4100 add edx, 0041FF74
004657D7 8D3A lea edi, dword ptr [edx]
004657D9 57 push edi
004657DA 6A 00 push 0
004657DC 8BD5 mov edx, ebp
004657DE 81C2 D0FD4100 add edx, 0041FDD0
004657E4 FF12 call dword ptr [edx] ; GetModuleFileNameA
004657E6 6A 00 push 0
004657E8 68 80000000 push 80
004657ED 6A 03 push 3
004657EF 6A 00 push 0
004657F1 6A 01 push 1
004657F3 68 00000080 push 80000000
004657F8 57 push edi
004657F9 8BD5 mov edx, ebp
004657FB 81C2 E0FD4100 add edx, 0041FDE0
00465801 FF12 call dword ptr [edx] ; CreateFileA
00465803 83F8 FF cmp eax, -1
00465806 75 07 jnz short 0046580F
00465808 33C0 xor eax, eax
0046580A E9 D4000000 jmp 004658E3
0046580F 8BF8 mov edi, eax
00465811 6A 00 push 0
00465813 57 push edi
00465814 8BD5 mov edx, ebp
00465816 81C2 1CFE4100 add edx, 0041FE1C
0046581C FF12 call dword ptr [edx] ; GetFileSize
0046581E BA 78FF4100 mov edx, 0041FF78
00465823 81EA 77F94100 sub edx, 0041F977
00465829 2BC2 sub eax, edx
0046582B 83E8 02 sub eax, 2
0046582E 96 xchg eax, esi
0046582F 56 push esi
00465830 6A 40 push 40
00465832 8BD5 mov edx, ebp
00465834 81C2 F0FD4100 add edx, 0041FDF0
0046583A FF12 call dword ptr [edx] ; GlobalAlloc
0046583C 83F8 00 cmp eax, 0
0046583F 75 05 jnz short 00465846
00465841 E9 90000000 jmp 004658D6
00465846 93 xchg eax, ebx
00465847 6A 00 push 0
00465849 8BD5 mov edx, ebp
0046584B 81C2 74FF4100 add edx, 0041FF74
00465851 8D02 lea eax, dword ptr [edx]
00465853 50 push eax
00465854 56 push esi
00465855 53 push ebx
00465856 57 push edi
00465857 8BD5 mov edx, ebp
00465859 81C2 0CFE4100 add edx, 0041FE0C
0046585F FF12 call dword ptr [edx] ; ReadFile
00465861 8BC3 mov eax, ebx
00465863 8BCE mov ecx, esi
00465865 53 push ebx
00465866 57 push edi
00465867 51 push ecx
00465868 50 push eax
00465869 E8 28000000 call 00465896 ; 计算校验值
0046586E 83C4 08 add esp, 8
00465871 8BD5 mov edx, ebp
00465873 81C2 54FB4100 add edx, 0041FB54
00465879 8902 mov dword ptr [edx], eax ; 校验值=1A4DBC9放入ebp+41fb54
; 开始处理输入表
00466177 8BD5 mov edx, ebp ; 开始处理输入表
00466179 81C2 58FB4100 add edx, 0041FB58
0046617F 8D32 lea esi, dword ptr [edx]
00466181 53 push ebx
00466182 8BDD mov ebx, ebp
00466184 81C3 D0FC4100 add ebx, 0041FCD0
0046618A F703 20000000 test dword ptr [ebx], 20
00466190 74 5A je short 004661EC
00466192 56 push esi
00466193 8BDD mov ebx, ebp
00466195 81C3 74FF4100 add ebx, 0041FF74
0046619B 8D3B lea edi, dword ptr [ebx]
0046619D 33C9 xor ecx, ecx
0046619F 3E:837E 04 00 cmp dword ptr [esi+4], 0
004661A4 74 1F je short 004661C5
004661A6 3E:8B56 04 mov edx, dword ptr [esi+4]
004661AA 8BDD mov ebx, ebp
004661AC 81C3 50FB4100 add ebx, 0041FB50
004661B2 0313 add edx, dword ptr [ebx]
004661B4 3E:833A 00 cmp dword ptr [edx], 0
004661B8 74 06 je short 004661C0
004661BA 41 inc ecx
004661BB 83C2 04 add edx, 4
004661BE ^ EB F4 jmp short 004661B4
004661C0 83C6 0C add esi, 0C
004661C3 ^ EB DA jmp short 0046619F ; 循环计算输入表的数量
004661C5 33D2 xor edx, edx
004661C7 B8 05000000 mov eax, 5
004661CC F7E1 mul ecx
004661CE 50 push eax
004661CF 6A 00 push 0
004661D1 8BDD mov ebx, ebp
004661D3 81C3 F0FD4100 add ebx, 0041FDF0
004661D9 FF13 call dword ptr [ebx] ; GlobalAlloc
004661DB 0BC0 or eax, eax
004661DD 75 05 jnz short 004661E4
004661DF 83C4 04 add esp, 4
004661E2 61 popad
004661E3 C3 retn
004661E4 3E:8907 mov dword ptr [edi], eax
004661E7 3E:8947 04 mov dword ptr [edi+4], eax
004661EB 5E pop esi
004661EC 5B pop ebx
004661ED 3E:837E 04 00 cmp dword ptr [esi+4], 0 ; esi+4保存FirstThunk
004661F2 0F84 8A010000 je 00466382 ; 输入表处理完跳转
004661F8 3E:8B1E mov ebx, dword ptr [esi] ; esi=00466608取NameRVA
004661FB 8BD5 mov edx, ebp
004661FD 81C2 50FB4100 add edx, 0041FB50
00466203 031A add ebx, dword ptr [edx]
00466205 8BC3 mov eax, ebx
00466207 E8 0C000000 call 00466218 ; 解码DLL名
0046620C 8BD5 mov edx, ebp
0046620E 81C2 7CF74100 add edx, 0041F77C
00466214 8D02 lea eax, dword ptr [edx]
00466216 50 push eax
00466217 C3 retn
00466218 56 push esi
00466219 57 push edi
0046621A 8BF0 mov esi, eax
0046621C 8BF8 mov edi, eax
0046621E AC lods byte ptr [esi]
0046621F C0C8 04 ror al, 4
00466222 AA stos byte ptr es:[edi]
00466223 3E:803F 00 cmp byte ptr [edi], 0
00466227 ^ 75 F5 jnz short 0046621E
00466229 5F pop edi
0046622A 5E pop esi
0046622B C3 retn
0046622C 53 push ebx ; ebx=kernel32.dll
0046622D 8BD5 mov edx, ebp
0046622F 81C2 7CFD4100 add edx, 0041FD7C
00466235 FF12 call dword ptr [edx] ; LoadLibraryA
00466237 85C0 test eax, eax
00466239 0F84 46010000 je 00466385
0046623F 52 push edx
00466240 50 push eax
00466241 8BD5 mov edx, ebp
00466243 81C2 D0FC4100 add edx, 0041FCD0
00466249 F702 04000000 test dword ptr [edx], 4
0046624F 74 12 je short 00466263
00466251 8BD5 mov edx, ebp
00466253 81C2 B3F74100 add edx, 0041F7B3
00466259 8D02 lea eax, dword ptr [edx]
0046625B 50 push eax
0046625C 8BC3 mov eax, ebx
0046625E E9 15030000 jmp 00466578 ; 跳去对dll名清零
00466263 5B pop ebx
00466264 5A pop edx
00466265 3E:8B4E 08 mov ecx, dword ptr [esi+8] ; [esi+8]处保存的是OriginalFirstThunk
00466269 0BC9 or ecx, ecx
0046626B 75 04 jnz short 00466271
0046626D 3E:8B4E 04 mov ecx, dword ptr [esi+4]
00466271 53 push ebx
00466272 8BDD mov ebx, ebp
00466274 81C3 50FB4100 add ebx, 0041FB50
0046627A 030B add ecx, dword ptr [ebx]
0046627C 3E:8B56 04 mov edx, dword ptr [esi+4]
00466280 0313 add edx, dword ptr [ebx]
00466282 5B pop ebx
00466283 3E:8339 00 cmp dword ptr [ecx], 0
00466287 0F84 ED000000 je 0046637A
0046628D F701 00000080 test dword ptr [ecx], 80000000
00466293 75 5C jnz short 004662F1
00466295 8B01 mov eax, dword ptr [ecx]
00466297 83C0 02 add eax, 2
0046629A 53 push ebx
0046629B 8BDD mov ebx, ebp
0046629D 81C3 50FB4100 add ebx, 0041FB50
004662A3 0303 add eax, dword ptr [ebx]
004662A5 5B pop ebx
004662A6 50 push eax
004662A7 E8 6CFFFFFF call 00466218 ; 解码出函数名
004662AC 58 pop eax
004662AD 8BF8 mov edi, eax
004662AF 52 push edx
004662B0 51 push ecx
004662B1 50 push eax
004662B2 53 push ebx
004662B3 8BD5 mov edx, ebp
004662B5 81C2 80FD4100 add edx, 0041FD80
004662BB FF12 call dword ptr [edx] ; GetProcAddress
004662BD 0BC0 or eax, eax
004662BF 75 07 jnz short 004662C8
004662C1 59 pop ecx
004662C2 5A pop edx
004662C3 E9 BD000000 jmp 00466385
004662C8 59 pop ecx
004662C9 5A pop edx
004662CA 52 push edx
004662CB 60 pushad
004662CC 8BD5 mov edx, ebp
004662CE 81C2 D0FC4100 add edx, 0041FCD0
004662D4 F602 04 test byte ptr [edx], 4
004662D7 74 12 je short 004662EB
004662D9 8BD5 mov edx, ebp
004662DB 81C2 3BF84100 add edx, 0041F83B
004662E1 8D02 lea eax, dword ptr [edx]
004662E3 50 push eax
004662E4 8BC7 mov eax, edi
004662E6 E9 8D020000 jmp 00466578 ; 跳去对函数名清零
004662EB 61 popad
004662EC 5A pop edx
004662ED 90 nop ; 修改②: NOP掉 mov dword ptr ds:[edx],eax
004662EE 90 nop ; 用GetProcAddress得到的系统函数地址填充IAT
004662EF EB 1D jmp short 0046630E
004662F1 52 push edx
004662F2 51 push ecx
004662F3 8B01 mov eax, dword ptr [ecx]
004662F5 2D 00000080 sub eax, 80000000
004662FA 50 push eax
004662FB 53 push ebx
004662FC 8BD5 mov edx, ebp
004662FE 81C2 80FD4100 add edx, 0041FD80
00466304 FF12 call dword ptr [edx]
00466306 85C0 test eax, eax
00466308 74 7B je short 00466385
0046630A 59 pop ecx
0046630B 5A pop edx
0046630C 8902 mov dword ptr [edx], eax
0046630E 51 push ecx
0046630F 8BCD mov ecx, ebp
00466311 81C1 D0FC4100 add ecx, 0041FCD0
00466317 F701 20000000 test dword ptr [ecx], 20
0046631D 74 4F je short 0046636E
0046631F 8BCD mov ecx, ebp
00466321 81C1 D8FC4100 add ecx, 0041FCD8
00466327 8339 00 cmp dword ptr [ecx], 0
0046632A 74 14 je short 00466340
0046632C 81FB 00000070 cmp ebx, 70000000
00466332 72 08 jb short 0046633C
00466334 81FB FFFFFF77 cmp ebx, 77FFFFFF
0046633A 76 0E jbe short 0046634A
0046633C EB 30 jmp short 0046636E
0046633E EB 0A jmp short 0046634A
00466340 81FB 00000080 cmp ebx, 80000000
00466346 73 02 jnb short 0046634A
00466348 EB 24 jmp short 0046636E
0046634A 57 push edi
0046634B 56 push esi
0046634C 8BCD mov ecx, ebp
0046634E 81C1 74FF4100 add ecx, 0041FF74
00466354 8D39 lea edi, dword ptr [ecx]
00466356 3E:8B77 04 mov esi, dword ptr [edi+4]
0046635A 90 nop ; 修改③:NOP掉 ★ 填充加密地址mov dword ptr ds:[edx],esi
0046635B 90 nop
0046635C 2BC6 sub eax, esi
0046635E 83E8 05 sub eax, 5
00466361 C606 E9 mov byte ptr [esi], 0E9
00466364 8946 01 mov dword ptr [esi+1], eax
00466367 3E:8347 04 05 add dword ptr [edi+4], 5
0046636C 5E pop esi
0046636D 5F pop edi
0046636E 59 pop ecx
0046636F 83C1 04 add ecx, 4
00466372 83C2 04 add edx, 4
00466375 ^ E9 09FFFFFF jmp 00466283
0046637A 83C6 0C add esi, 0C
0046637D ^ E9 6BFEFFFF jmp 004661ED
00466382 33C0 xor eax, eax
00466384 40 inc eax
00466385 83F8 01 cmp eax, 1
00466388 74 02 je short 0046638C
0046638A 61 popad
0046638B C3 retn
0046638C 8BD5 mov edx, ebp
0046638E 81C2 D0FC4100 add edx, 0041FCD0
00466394 F702 02000000 test dword ptr [edx], 2
0046639A 74 18 je short 004663B4
0046639C 8BD5 mov edx, ebp
0046639E 81C2 50FB4100 add edx, 0041FB50
004663A4 8B3A mov edi, dword ptr [edx]
004663A6 037F 3C add edi, dword ptr [edi+3C]
004663A9 8B32 mov esi, dword ptr [edx]
004663AB 8B4F 54 mov ecx, dword ptr [edi+54]
004663AE 90 nop
004663AF 90 nop ; 修改:NOP掉 ★ 对使用过的DLL名和函数名清0
004663B0 90 nop
004663B1 46 inc esi
004663B2 ^ E2 FA loopd short 004663AE
校验计算
004663B4 8BD5 mov edx, ebp
004663B6 81C2 B6E54100 add edx, 0041E5B6
004663BC 8D02 lea eax, dword ptr [edx]
004663BE B9 77F94100 mov ecx, 0041F977
004663C3 81E9 B6E54100 sub ecx, 0041E5B6
004663C9 EB 02 jmp short 004663CD
004663CB CD 09 int 9
004663CD 51 push ecx ; ecx=13c1,计算壳EP处长度13c1的校验值
004663CE 50 push eax
004663CF E8 C2F4FFFF call 00465896 ; 校验计算
004663D4 83C4 08 add esp, 8
004663D7 EB 02 jmp short 004663DB
004663D9 CD 0C int 0C
004663DB 8BD5 mov edx, ebp
004663DD 81C2 D4FC4100 add edx, 0041FCD4
004663E3 8B1A mov ebx, dword ptr [edx]
004663E5 33C3 xor eax, ebx
004663E7 74 08 je short 004663F1 ; 修改标志Z=1使其跳转,否则走popad/retn退出
004663E9 EB 01 jmp short 004663EC
004663EB CC int3
004663EC 61 popad
004663ED EB 01 jmp short 004663F0
004663EF CC int3
004663F0 C3 retn
004663F1 8BD5 mov edx, ebp ; 解码00466428处运行的代码
004663F3 81C2 77F94100 add edx, 0041F977
004663F9 8D3A lea edi, dword ptr [edx]
004663FB 8BF7 mov esi, edi
004663FD 8D3A lea edi, dword ptr [edx]
004663FF B9 C3FA4100 mov ecx, 0041FAC3
00466404 81E9 77F94100 sub ecx, 0041F977
0046640A 33C0 xor eax, eax
0046640C AC lods byte ptr [esi]
0046640D 34 79 xor al, 79
0046640F 2AC1 sub al, cl
00466411 C0C0 02 rol al, 2
00466414 AA stos byte ptr es:[edi]
00466415 ^ E2 F5 loopd short 0046640C ; 循环解码
00466417 8BD5 mov edx, ebp
00466419 81C2 77F94100 add edx, 0041F977
0046641F 8D02 lea eax, dword ptr [edx]
00466421 50 push eax
00466422 C3 retn
00466423 90 nop
00466424 EB 01 jmp short 00466427
00466426 C2 8BD5 retn 0D58B
============================================
//对dll名清零的一段代码
0046657A 3E:C600 00 mov byte ptr [eax], 0 ; 对dll名清零
0046657E 40 inc eax
0046657F 3E:8038 00 cmp byte ptr [eax], 0
00466583 ^ 75 F5 jnz short 0046657A
00466585 C3 retn
==========================================
00466429 81C2 30FE4100 add edx, 0041FE30 ; 开始清扫战场:引用fly的话
0046642F 8D02 lea eax, dword ptr [edx]
00466431 50 push eax
00466432 8BD5 mov edx, ebp
00466434 81C2 91FD4100 add edx, 0041FD91
0046643A FF32 push dword ptr [edx]
0046643C 8BD5 mov edx, ebp
0046643E 81C2 80FD4100 add edx, 0041FD80
00466444 FF12 call dword ptr [edx] ; GetProcAddress取得IsDebuggerPresent地址,下面call eax调用
00466446 0BC0 or eax, eax
00466448 74 08 je short 00466452
0046644A FFD0 call eax
0046644C 0BC0 or eax, eax
0046644E 74 02 je short 00466452
00466450 61 popad
00466451 C3 retn
00466452 8BD5 mov edx, ebp
00466454 81C2 D0FC4100 add edx, 0041FCD0
0046645A F702 01000000 test dword ptr [edx], 1
00466460 0F84 8A000000 je 004664F0
00466466 8BD5 mov edx, ebp
00466468 81C2 3DFF4100 add edx, 0041FF3D
0046646E 8D3A lea edi, dword ptr [edx]
00466470 6A 00 push 0
00466472 68 80000000 push 80
00466477 6A 03 push 3
00466479 6A 00 push 0
0046647B 6A 03 push 3
0046647D 68 000000C0 push C0000000
00466482 57 push edi
00466483 8BD5 mov edx, ebp
00466485 81C2 E0FD4100 add edx, 0041FDE0
0046648B FF12 call dword ptr [edx] ;CreateFileA检查SoftICE
0046648D 83F8 FF cmp eax, -1
00466490 74 19 je short 004664AB
00466492 8BF8 mov edi, eax
00466494 57 push edi
00466495 8BD5 mov edx, ebp
00466497 81C2 2CFE4100 add edx, 0041FE2C
0046649D FF12 call dword ptr [edx]
0046649F 6A 00 push 0
004664A1 8BD5 mov edx, ebp
004664A3 81C2 F3FE4100 add edx, 0041FEF3
004664A9 FF12 call dword ptr [edx]
004664AB 8BD5 mov edx, ebp
004664AD 81C2 46FF4100 add edx, 0041FF46
004664B3 8D3A lea edi, dword ptr [edx]
004664B5 6A 00 push 0
004664B7 68 80000000 push 80
004664BC 6A 03 push 3
004664BE 6A 00 push 0
004664C0 6A 03 push 3
004664C2 68 000000C0 push C0000000
004664C7 57 push edi
004664C8 8BD5 mov edx, ebp
004664CA 81C2 E0FD4100 add edx, 0041FDE0
004664D0 FF12 call dword ptr [edx] ;CreateFileA检查SoftICE
004664D2 83F8 FF cmp eax, -1
004664D5 74 19 je short 004664F0
004664D7 8BF8 mov edi, eax
004664D9 57 push edi
004664DA 8BD5 mov edx, ebp
004664DC 81C2 2CFE4100 add edx, 0041FE2C
004664E2 FF12 call dword ptr [edx]
004664E4 6A 00 push 0
004664E6 8BD5 mov edx, ebp
004664E8 81C2 F3FE4100 add edx, 0041FEF3
004664EE FF12 call dword ptr [edx]
004664F0 8BD5 mov edx, ebp
004664F2 81C2 84FA4100 add edx, 0041FA84
004664F8 8D02 lea eax, dword ptr [edx]
004664FA 50 push eax
004664FB C3 retn
·····对一些地址处进行清零操作
00466534 32C0 xor al, al
00466536 8BD5 mov edx, ebp
00466538 81C2 B6E54100 add edx, 0041E5B6
0046653E 8D3A lea edi, dword ptr [edx]
00466540 B9 4CFA4100 mov ecx, 0041FA4C
00466545 81E9 B6E54100 sub ecx, 0041E5B6
0046654B AA stos byte ptr es:[edi] ; 清扫战场
0046654C ^ E2 FD loopd short 0046654B
0046654E 8BD5 mov edx, ebp
00466550 81C2 C3FA4100 add edx, 0041FAC3
00466556 8D3A lea edi, dword ptr [edx]
00466558 B9 50FF4100 mov ecx, 0041FF50
0046655D 81E9 C3FA4100 sub ecx, 0041FAC3
00466563 AA stos byte ptr es:[edi] ; 清扫战场
00466564 ^ E2 FD loopd short 00466563
00466566 61 popad
00466567 50 push eax
00466568 33C0 xor eax, eax
0046656A 64:FF30 push dword ptr fs:[eax]
0046656D 64:8920 mov dword ptr fs:[eax], esp
00466570 EB 01 jmp short 00466573 ;异常
00466572 CC int3
===============
0012EBB4 0012EC64 指向下一个 SEH 记录的指针
0012EBB8 004664FC SE处理程序
==========================
在004664FC处下断,shift+F9运行
断在这
004664FC 55 push ebp
004664FD 8BEC mov ebp, esp
004664FF 57 push edi
00466500 36:8B45 10 mov eax, dword ptr [ebp+10]
00466504 3E:8BB8 C400000>mov edi, dword ptr [eax+C4]
0046650B 3E:FF37 push dword ptr [edi]
0046650E 33FF xor edi, edi
00466510 64:8F07 pop dword ptr fs:[edi]
00466513 3E:8380 C400000>add dword ptr [eax+C4], 8
0046651B 3E:8BB8 A400000>mov edi, dword ptr [eax+A4]
00466522 C1C7 07 rol edi, 7
00466525 3E:89B8 B800000>mov dword ptr [eax+B8], edi ; 此处将OEP=004233de写入[eax+B8](即CONTEXT.Eip)
0046652C B8 00000000 mov eax, 0
00466531 5F pop edi
00466532 C9 leave
直接在004233de处下断,shift+F9运行
到达OEP处发现还是一层壳,是PECompact的壳,很容易就脱掉。。。
004233DE B8 D0474600 mov eax, 004647D0 ;PEcompact的壳
004233E3 50 push eax
004233E4 64:FF35 0000000>push dword ptr fs:[0]
004233EB 64:8925 0000000>mov dword ptr fs:[0], esp
004233F2 33C0 xor eax, eax
004233F4 8908 mov dword ptr [eax], ecx
004233F6 50 push eax
004233F7 45 inc ebp
004233F8 43 inc ebx
004233F9 6F outs dx, dword ptr es:[edi]
004233FA 6D ins dword ptr es:[edi], dx
004233FB 70 61 jo short 0042345E
004233FD 637432 00 arpl word ptr [edx+esi], si
00423401 39EB cmp ebx, ebp
脱掉后是这样。。
一看就是MFC程序,直接用OD插件脱下来
004233DE 55 push ebp
004233DF 8BEC mov ebp, esp
004233E1 6A FF push -1
004233E3 68 88B04200 push 0042B088
004233E8 68 42354200 push 00423542 ; jmp 到 msvcrt._except_handler3
004233ED 64:A1 00000000 mov eax, dword ptr fs:[0]
004233F3 50 push eax
004233F4 64:8925 0000000>mov dword ptr fs:[0], esp
004233FB 83EC 68 sub esp, 68
004233FE 53 push ebx
004233FF 56 push esi
00423400 57 push edi
00423401 8965 E8 mov dword ptr [ebp-18], esp
00423404 33DB xor ebx, ebx
00423406 895D FC mov dword ptr [ebp-4], ebx
00423409 6A 02 push 2
0042340B FF15 80554200 call dword ptr [425580] ; msvcrt.__set_app_type
00423411 59 pop ecx
00423412 830D 68684500 F>or dword ptr [456868], FFFFFFFF
00423419 830D 6C684500 F>or dword ptr [45686C], FFFFFFFF
00423420 FF15 84554200 call dword ptr [425584] ; msvcrt.__p__fmode
再用importREC修复输入表,有些必须进行手动修复,否则程序没法运行。。。
通过跟踪发现IAT地址从00425090到0042514c的输入函数是这样被调用的,而在dump出来的程序中是没有这一段代码的:
00A20000 B8 82FE807C mov eax, kernel32.GlobalUnlock
00A20005 FFE0 jmp eax
00A20007 B8 19FF807C mov eax, kernel32.GlobalLock
00A2000C FFE0 jmp eax
00A2000E B8 2DFD807C mov eax, kernel32.GlobalAlloc
00A20013 FFE0 jmp eax
00A20015 B8 CFB4807C mov eax, kernel32.GetModuleFileNameA
00A2001A FFE0 jmp eax
00A2001C B8 1599807C mov eax, kernel32.GetACP
00A20021 FFE0 jmp eax
00A20023 B8 4224807C mov eax, kernel32.Sleep
00A20028 FFE0 jmp eax
00A2002A B8 DA11817C mov eax, kernel32.GetVersion
00A2002F FFE0 jmp eax
00A20031 B8 25043A00 mov eax, 3A0425
00A20036 FFE0 jmp eax
00A20038 B8 3103937C mov eax, ntdll.RtlGetLastWin32Error
00A2003D FFE0 jmp eax
00A2003F B8 AD08837C mov eax, kernel32.CreateEventA
00A20044 FFE0 jmp eax
00A20046 B8 161E807C mov eax, kernel32.TerminateProcess
00A2004B FFE0 jmp eax
00A2004D B8 2025807C mov eax, kernel32.WaitForSingleObjec>
00A20052 FFE0 jmp eax
00A20054 B8 479B807C mov eax, kernel32.CloseHandle
00A20059 FFE0 jmp eax
00A2005B B8 F728837C mov eax, kernel32.ResumeThread
00A20060 FFE0 jmp eax
00A20062 B8 F19E807C mov eax, kernel32.InitializeCritical>
00A20067 FFE0 jmp eax
00A20069 B8 6D13867C mov eax, kernel32.WinExec
00A2006E FFE0 jmp eax
00A20070 B8 3BA0807C mov eax, kernel32.ResetEvent
00A20075 FFE0 jmp eax
00A20077 B8 2516807C mov eax, kernel32.DeviceIoControl
00A2007C FFE0 jmp eax
00A2007E B8 241A807C mov eax, kernel32.CreateFileA
00A20083 FFE0 jmp eax
00A20085 B8 DE2A817C mov eax, kernel32.GetVersionExA
00A2008A FFE0 jmp eax
00A2008C B8 A1B6807C mov eax, kernel32.GetModuleHandleA
00A20091 FFE0 jmp eax
00A20093 B8 ED10927C mov eax, ntdll.RtlLeaveCriticalSecti>
00A20098 FFE0 jmp eax
00A2009A B8 0510927C mov eax, ntdll.RtlEnterCriticalSecti>
00A2009F FFE0 jmp eax
00A200A1 B8 8A18937C mov eax, ntdll.RtlDeleteCriticalSect>
00A200A6 FFE0 jmp eax
00A200A8 B8 17A0807C mov eax, kernel32.SetEvent
00A200AD FFE0 jmp eax
00A200AF B8 A51B827C mov eax, kernel32.GetVolumeInformati>
00A200B4 FFE0 jmp eax
00A200B6 B8 6313827C mov eax, kernel32.GetWindowsDirector>
00A200BB FFE0 jmp eax
00A200BD B8 CA5D837C mov eax, kernel32.GetTempPathA
00A200C2 FFE0 jmp eax
00A200C4 B8 D7ED807C mov eax, kernel32.FindClose
00A200C9 FFE0 jmp eax
00A200CB B8 B14E837C mov eax, kernel32.FindNextFileA
00A200D0 FFE0 jmp eax
00A200D2 B8 D937817C mov eax, kernel32.FindFirstFileA
00A200D7 FFE0 jmp eax
00A200D9 B8 6FD3827C mov eax, kernel32.GetSystemTimeAdjus>
00A200DE FFE0 jmp eax
00A200E0 B8 6B17807C mov eax, kernel32.GetSystemTime
00A200E5 FFE0 jmp eax
00A200E7 B8 D952837C mov eax, kernel32.GetProcessTimes
00A200EC FFE0 jmp eax
00A200EE B8 F5DD807C mov eax, kernel32.GetCurrentProcess
00A200F3 FFE0 jmp eax
00A200F5 B8 642C867C mov eax, kernel32.GetThreadTimes
00A200FA FFE0 jmp eax
00A200FC B8 EB98807C mov eax, kernel32.GetCurrentThread
00A20101 FFE0 jmp eax
00A20103 B8 F210837C mov eax, kernel32.GlobalMemoryStatus
00A20108 FFE0 jmp eax
00A2010A B8 0E18807C mov eax, kernel32.ReadFile
00A2010F FFE0 jmp eax
00A20111 B8 F24A817C mov eax, kernel32.GetEnvironmentVari>
00A20116 FFE0 jmp eax
00A20118 B8 870D817C mov eax, kernel32.WriteFile
00A2011D FFE0 jmp eax
00A2011F B8 EE1E807C mov eax, kernel32.GetStartupInfoA
00A20124 FFE0 jmp eax
00A20126 B8 89BE807C mov eax, kernel32.FindResourceA
00A2012B FFE0 jmp eax
00A2012D B8 B59F807C mov eax, kernel32.LoadResource
00A20132 FFE0 jmp eax
00A20134 B8 97CC807C mov eax, kernel32.SetHandleCount
00A20139 FFE0 jmp eax
00A2013B B8 BABB817C mov eax, kernel32.SetThreadLocale
00A20140 FFE0 jmp eax
00A20142 B8 69BC807C mov eax, kernel32.SizeofResource
00A20147 FFE0 jmp eax
所以程序是没法运行的,手动把00425090到0042514c处改为函数的真正地址。。。
修改前是这样的。。。
00425090 00 00 A2 00 07 00 A2 00 0E 00 A2 00 15 00 A2 00
004250A0 1C 00 A2 00 23 00 A2 00 2A 00 A2 00 31 00 A2 00
004250B0 38 00 A2 00 3F 00 A2 00 46 00 A2 00 4D 00 A2 00
004250C0 54 00 A2 00 5B 00 A2 00 62 00 A2 00 69 00 A2 00
004250D0 70 00 A2 00 77 00 A2 00 7E 00 A2 00 85 00 A2 00
004250E0 8C 00 A2 00 93 00 A2 00 9A 00 A2 00 A1 00 A2 00
004250F0 A8 00 A2 00 AF 00 A2 00 B6 00 A2 00 BD 00 A2 00
00425100 C4 00 A2 00 CB 00 A2 00 D2 00 A2 00 D9 00 A2 00
00425110 E0 00 A2 00 E7 00 A2 00 EE 00 A2 00 F5 00 A2 00
00425120 FC 00 A2 00 03 01 A2 00 0A 01 A2 00 11 01 A2 00
00425130 18 01 A2 00 1F 01 A2 00 26 01 A2 00 2D 01 A2 00
修改后
00425090 82 FE 80 7C 19 FF 80 7C 2D FD 80 7C CF B4 80 7C
004250A0 15 99 80 7C 42 24 80 7C DA 11 81 7C 25 E4 49 00
004250B0 31 03 93 7C AD 08 83 7C 16 1E 80 7C 20 25 80 7C
004250C0 47 9B 80 7C F7 28 83 7C F1 9E 80 7C 6D 13 86 7C
004250D0 3B A0 80 7C 25 16 80 7C 24 1A 80 7C DE 2A 81 7C
004250E0 A1 B6 80 7C ED 10 92 7C 05 10 92 7C 8A 18 93 7C
004250F0 17 A0 80 7C A5 1B 82 7C 63 13 82 7C CA 5D 83 7C
00425100 D7 ED 80 7C B1 4E 83 7C D9 37 81 7C 6F D3 82 7C
00425110 6B 17 80 7C D9 52 83 7C F5 DD 80 7C 64 2C 86 7C
00425120 EB 98 80 7C F2 10 83 7C 0E 18 80 7C F2 4A 81 7C
00425130 87 0D 81 7C EE 1E 80 7C 89 BE 80 7C B5 9F 80 7C
00425140 97 CC 80 7C BA BB 81 7C 69 BC 80 7C 00 00 00 00
其中在004250AC处的地址是调用一段代码,这段代码在dump出来的程序中是没有的,
所以要从没脱壳的程序中把这段代码复制到已脱壳的程序中,这样程序就可以运行了,脱壳也就结束了。。。。
参考文章:FLY的yoda's Protector V1.03.2.02脱壳——yP.exe全过程分析