PEiD identifies the packer as bambam V0.04 -> bedrock * Sign.By.fly *
Unpacking it is easy: the two-pass memory breakpoint method is enough. Alternatively, search for ret instructions starting from the entry point, set a breakpoint on the second one, press Shift+F9 to break there, and a single F7 lands on the OEP ^_
A quick look at what it does:
0046B2B0 > BF 4CD04600 MOV EDI,0046D04C ; packer entry
0046B2B5 83C9 FF OR ECX,FFFFFFFF
0046B2B8 33C0 XOR EAX,EAX
0046B2BA 68 34D04600 PUSH 0046D034
0046B2BF F2:AE REPNE SCAS BYTE PTR ES:[EDI]
0046B2C1 F7D1 NOT ECX
0046B2C3 49 DEC ECX
0046B2C4 51 PUSH ECX
0046B2C5 68 4CD04600 PUSH 0046D04C
0046B2CA E8 110A0000 CALL 0046BCE0
0046B2CF 83C4 0C ADD ESP,0C
0046B2D2 68 4CD04600 PUSH 0046D04C
0046B2D7 FF15 00C04600 CALL DWORD PTR DS:[<&KERNEL32.LoadLibraryA>] ; kernel32.LoadLibraryA
The first part mostly fetches the addresses of the APIs the packer needs; after that comes the decoding, as follows:
0046B58E FF15 D4D04600 CALL DWORD PTR DS:[46D0D4] ; allocate temporary buffer
0046B594 8BD0 MOV EDX,EAX
0046B596 8A45 FF MOV AL,BYTE PTR SS:[EBP-1]
0046B599 84C0 TEST AL,AL
0046B59B 8955 EC MOV DWORD PTR SS:[EBP-14],EDX ; ntdll.KiFastSystemCallRet
0046B59E C745 F4 0000000>MOV DWORD PTR SS:[EBP-C],0
0046B5A5 74 7C JE SHORT 0046B623
0046B5A7 BF 44D04600 MOV EDI,0046D044
0046B5AC 83C9 FF OR ECX,FFFFFFFF
0046B5AF 33C0 XOR EAX,EAX
0046B5B1 F2:AE REPNE SCAS BYTE PTR ES:[EDI]
0046B5B3 F7D1 NOT ECX
0046B5B5 49 DEC ECX
0046B5B6 BF 44D04600 MOV EDI,0046D044
0046B5BB 8BF1 MOV ESI,ECX
0046B5BD C1E9 02 SHR ECX,2
0046B5C0 F3:AB REP STOS DWORD PTR ES:[EDI]
0046B5C2 8BCE MOV ECX,ESI
0046B5C4 8B35 E0D04600 MOV ESI,DWORD PTR DS:[46D0E0]
0046B5CA 83E1 03 AND ECX,3
0046B5CD F3:AA REP STOS BYTE PTR ES:[EDI]
0046B5CF A1 0CD04600 MOV EAX,DWORD PTR DS:[46D00C]
0046B5D4 8B4B 10 MOV ECX,DWORD PTR DS:[EBX+10]
0046B5D7 8B7B 0C MOV EDI,DWORD PTR DS:[EBX+C]
0046B5DA 03F0 ADD ESI,EAX
0046B5DC 2BC8 SUB ECX,EAX
0046B5DE 03F7 ADD ESI,EDI ; ntdll.7C933BBF
0046B5E0 8BFA MOV EDI,EDX ; ntdll.KiFastSystemCallRet
0046B5E2 8BD1 MOV EDX,ECX
0046B5E4 C1E9 02 SHR ECX,2
0046B5E7 F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
0046B5E9 8BCA MOV ECX,EDX ; ntdll.KiFastSystemCallRet
0046B5EB 83E1 03 AND ECX,3
0046B5EE F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
0046B5F0 A1 0CD04600 MOV EAX,DWORD PTR DS:[46D00C]
0046B5F5 85C0 TEST EAX,EAX
0046B5F7 74 48 JE SHORT 0046B641
0046B5F9 50 PUSH EAX
0046B5FA 6A 40 PUSH 40
0046B5FC FF15 D4D04600 CALL DWORD PTR DS:[46D0D4]
0046B602 8B35 E0D04600 MOV ESI,DWORD PTR DS:[46D0E0]
0046B608 8B7B 0C MOV EDI,DWORD PTR DS:[EBX+C]
0046B60B 8B0D 0CD04600 MOV ECX,DWORD PTR DS:[46D00C]
0046B611 03F7 ADD ESI,EDI ; ntdll.7C933BBF
0046B613 8945 F4 MOV DWORD PTR SS:[EBP-C],EAX
0046B616 8BF8 MOV EDI,EAX
0046B618 8BC1 MOV EAX,ECX
0046B61A C1E9 02 SHR ECX,2
0046B61D F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
0046B61F 8BC8 MOV ECX,EAX
0046B621 EB 19 JMP SHORT 0046B63C
0046B623 8B35 E0D04600 MOV ESI,DWORD PTR DS:[46D0E0]
0046B629 8B7B 0C MOV EDI,DWORD PTR DS:[EBX+C]
0046B62C 8B4B 10 MOV ECX,DWORD PTR DS:[EBX+10]
0046B62F 03F7 ADD ESI,EDI ; ntdll.7C933BBF
0046B631 8BFA MOV EDI,EDX ; ntdll.KiFastSystemCallRet
0046B633 8BD1 MOV EDX,ECX
0046B635 C1E9 02 SHR ECX,2
0046B638 F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
0046B63A 8BCA MOV ECX,EDX ; ntdll.KiFastSystemCallRet
0046B63C 83E1 03 AND ECX,3
0046B63F F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
0046B641 8B35 E0D04600 MOV ESI,DWORD PTR DS:[46D0E0]
0046B647 8B53 0C MOV EDX,DWORD PTR DS:[EBX+C]
0046B64A 8B4B 08 MOV ECX,DWORD PTR DS:[EBX+8] ; UnPackMe.00400000
0046B64D 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
0046B650 50 PUSH EAX
0046B651 03F2 ADD ESI,EDX ; ntdll.KiFastSystemCallRet
0046B653 6A 04 PUSH 4
0046B655 51 PUSH ECX
0046B656 56 PUSH ESI
0046B657 FF15 CCD04600 CALL DWORD PTR DS:[46D0CC] ; change memory page protection
0046B65D 8B7D EC MOV EDI,DWORD PTR SS:[EBP-14]
0046B660 56 PUSH ESI
0046B661 57 PUSH EDI ; ntdll.7C933BBF
0046B662 E8 99F9FFFF CALL 0046B000 ; decode
0046B667 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8] ; kernel32.7C816FF0
0046B66A 8B4B 08 MOV ECX,DWORD PTR DS:[EBX+8] ; UnPackMe.00400000
0046B66D 83C4 08 ADD ESP,8
0046B670 8D55 F8 LEA EDX,DWORD PTR SS:[EBP-8]
0046B673 52 PUSH EDX ; ntdll.KiFastSystemCallRet
0046B674 50 PUSH EAX
0046B675 51 PUSH ECX
0046B676 56 PUSH ESI
0046B677 FF15 CCD04600 CALL DWORD PTR DS:[46D0CC] ; restore original protection
0046B67D 57 PUSH EDI ; ntdll.7C933BBF
0046B67E FF15 DCD04600 CALL DWORD PTR DS:[46D0DC] ; free temporary buffer
0046B684 8A45 FF MOV AL,BYTE PTR SS:[EBP-1]
0046B687 84C0 TEST AL,AL
0046B689 74 41 JE SHORT 0046B6CC
0046B68B A1 0CD04600 MOV EAX,DWORD PTR DS:[46D00C]
0046B690 85C0 TEST EAX,EAX
0046B692 74 38 JE SHORT 0046B6CC
0046B694 8B43 08 MOV EAX,DWORD PTR DS:[EBX+8] ; UnPackMe.00400000
0046B697 8D55 F8 LEA EDX,DWORD PTR SS:[EBP-8]
0046B69A 52 PUSH EDX ; ntdll.KiFastSystemCallRet
0046B69B 6A 04 PUSH 4
0046B69D 50 PUSH EAX
0046B69E 56 PUSH ESI
0046B69F FF15 CCD04600 CALL DWORD PTR DS:[46D0CC]
0046B6A5 8B7D F4 MOV EDI,DWORD PTR SS:[EBP-C] ; kernel32.7C839AF0
0046B6A8 56 PUSH ESI
0046B6A9 57 PUSH EDI ; ntdll.7C933BBF
0046B6AA E8 41020000 CALL 0046B8F0
0046B6AF 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8] ; kernel32.7C816FF0
0046B6B2 8B43 08 MOV EAX,DWORD PTR DS:[EBX+8] ; UnPackMe.00400000
0046B6B5 83C4 08 ADD ESP,8
0046B6B8 8D4D F8 LEA ECX,DWORD PTR SS:[EBP-8]
0046B6BB 51 PUSH ECX
0046B6BC 52 PUSH EDX ; ntdll.KiFastSystemCallRet
0046B6BD 50 PUSH EAX
0046B6BE 56 PUSH ESI
0046B6BF FF15 CCD04600 CALL DWORD PTR DS:[46D0CC]
0046B6C5 57 PUSH EDI ; ntdll.7C933BBF
0046B6C6 FF15 DCD04600 CALL DWORD PTR DS:[46D0DC]
0046B6CC 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
0046B6CF 83C3 28 ADD EBX,28
0046B6D2 48 DEC EAX
0046B6D3 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX
0046B6D6 ^ 0F85 64FEFFFF JNZ 0046B540 ; on to the next section?
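How the decode loop above maps onto the PE section table, as an added example that is not part of the original post: the ADD EBX,28 stride and the reads at [EBX+8], [EBX+C] and [EBX+10] line up with IMAGE_SECTION_HEADER's VirtualSize, VirtualAddress and SizeOfRawData (that is my reading of the listing; the [46D0E0] global is taken to be the image base and [EBP-10] the remaining section count). The script builds a constructed two-section image, walks its headers the same way and runs the copy-to-scratch, unprotect, decode-in-place, restore sequence. The packer's own decode routine at 0046B000 is not on the page, so a placeholder XOR stands in for it; the [46D00C] offset adjustment and the second pass through CALL 0046B8F0 are left out.

```python
"""
Mirror of the section-decode loop (0046B540..0046B6D6): walk the PE section
table one IMAGE_SECTION_HEADER (0x28 bytes) at a time, copy each section to a
scratch buffer, unprotect it, decode it back in place and restore protection.
The packer's decode routine (0046B000) is not on the page; a placeholder
transform stands in for it.
"""
import struct

SECTION_HEADER_SIZE = 0x28   # the ADD EBX,28 stride
PAGE_READWRITE = 4           # the PUSH 4 before VirtualProtect


def build_sample_pe():
    """Constructed image: MZ/PE headers, two section headers, mapped section bytes."""
    img = bytearray(0x3000)
    e_lfanew = 0x80
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", img, e_lfanew + 4, 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    table = e_lfanew + 24 + 0xE0

    def header(i, name, vsize, va, rawsize, rawptr):
        off = table + i * SECTION_HEADER_SIZE
        img[off:off + 8] = name.ljust(8, b"\0")
        # fields at +8, +0xC, +0x10, +0x14 of the header
        struct.pack_into("<IIII", img, off + 8, vsize, va, rawsize, rawptr)

    header(0, b".text", 0x800, 0x1000, 0x600, 0x400)
    header(1, b".data", 0x300, 0x2000, 0x200, 0xA00)
    img[0x1000:0x1600] = bytes(i & 0xFF for i in range(0x600))   # constructed "encoded" .text
    return img


def section_headers(img):
    """The fields the loop reads: [EBX+8] VirtualSize, [EBX+C] VirtualAddress, [EBX+10] SizeOfRawData."""
    e_lfanew = struct.unpack_from("<I", img, 0x3C)[0]
    nsect = struct.unpack_from("<H", img, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", img, e_lfanew + 20)[0]
    off = e_lfanew + 24 + opt_size
    headers = []
    for _ in range(nsect):                     # the [EBP-10] countdown
        name = bytes(img[off:off + 8]).rstrip(b"\0")
        vsize, va, rawsize = struct.unpack_from("<III", img, off + 8)
        headers.append({"name": name, "va": va, "vsize": vsize, "rawsize": rawsize})
        off += SECTION_HEADER_SIZE
    return headers


def decode_sections(img, base, decode):
    """Runs the loop body per section; returns the (VA, length) ranges it rewrites."""
    touched = []
    for s in section_headers(img):
        lo, hi = s["va"], s["va"] + s["rawsize"]
        scratch = bytes(img[lo:hi])            # REP MOVS into the freshly allocated buffer
        # VirtualProtect(base + va, vsize, PAGE_READWRITE, &old) happens here in the loader
        img[lo:hi] = decode(scratch)           # CALL 0046B000 with (scratch, section)
        # VirtualProtect(base + va, vsize, old, &old) and freeing the buffer follow
        touched.append((base + s["va"], s["rawsize"]))
    return touched


def placeholder_decode(buf):
    """Hypothetical stand-in for the packer's decoder; the real routine is not on the page."""
    return bytes(b ^ 0x55 for b in buf)


if __name__ == "__main__":
    img = build_sample_pe()
    for s in section_headers(img):
        print(f"{s['name'].decode():8} VA={s['va']:08X} VirtualSize={s['vsize']:X} RawSize={s['rawsize']:X}")
    ranges = decode_sections(img, 0x400000, placeholder_decode)
    print("rewritten:", [(hex(va), hex(n)) for va, n in ranges])
```

The ranges returned by decode_sections are exactly the pages this loop rewrites, which is why a memory breakpoint on the code section fires once the loader transfers control into the decoded bytes; that is the observation the two-pass memory breakpoint method from the top of the post relies on.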
Once that is done, the IAT is filled, using the classic nested two-level loop:
0046B709 E8 32000000 CALL 0046B740 ; fill IAT
{
0046B7CD 8B37 MOV ESI,DWORD PTR DS:[EDI]
0046B7CF 85F6 TEST ESI,ESI
0046B7D1 75 0B JNZ SHORT 0046B7DE
0046B7D3 8B77 10 MOV ESI,DWORD PTR DS:[EDI+10]
0046B7D6 85F6 TEST ESI,ESI
0046B7D8 0F84 EE000000 JE 0046B8CC
0046B7DE 8B5F 0C MOV EBX,DWORD PTR DS:[EDI+C]
0046B7E1 8B0C06 MOV ECX,DWORD PTR DS:[ESI+EAX]
0046B7E4 03F0 ADD ESI,EAX
0046B7E6 03D8 ADD EBX,EAX
0046B7E8 03C8 ADD ECX,EAX
0046B7EA 53 PUSH EBX
0046B7EB 894D FC MOV DWORD PTR SS:[EBP-4],ECX
0046B7EE FF15 00C04600 CALL DWORD PTR DS:[<&KERNEL32.LoadLibraryA>] ; kernel32.LoadLibraryA
0046B7F4 8BD0 MOV EDX,EAX
0046B7F6 83FA FF CMP EDX,-1
0046B7F9 8955 F0 MOV DWORD PTR SS:[EBP-10],EDX ; ntdll.KiFastSystemCallRet
0046B7FC 0F84 A7000000 JE 0046B8A9
0046B802 8BFB MOV EDI,EBX
0046B804 83C9 FF OR ECX,FFFFFFFF
0046B807 33C0 XOR EAX,EAX
0046B809 F2:AE REPNE SCAS BYTE PTR ES:[EDI]
0046B80B F7D1 NOT ECX
0046B80D 49 DEC ECX
0046B80E 8BFB MOV EDI,EBX
0046B810 8BD9 MOV EBX,ECX
0046B812 C1E9 02 SHR ECX,2
0046B815 F3:AB REP STOS DWORD PTR ES:[EDI]
0046B817 8BCB MOV ECX,EBX
0046B819 83E1 03 AND ECX,3
0046B81C F3:AA REP STOS BYTE PTR ES:[EDI]
0046B81E 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8] ; kernel32.7C816FF0
0046B821 8B1D E0D04600 MOV EBX,DWORD PTR DS:[46D0E0]
0046B827 8B78 10 MOV EDI,DWORD PTR DS:[EAX+10]
0046B82A 8B06 MOV EAX,DWORD PTR DS:[ESI]
0046B82C 03DF ADD EBX,EDI ; ntdll.7C933BBF
0046B82E 85C0 TEST EAX,EAX
0046B830 74 74 JE SHORT 0046B8A6
0046B832 EB 03 JMP SHORT 0046B837
0046B834 8B55 F0 MOV EDX,DWORD PTR SS:[EBP-10]
0046B837 A9 00000080 TEST EAX,80000000
0046B83C 74 09 JE SHORT 0046B847
0046B83E 25 FFFF0000 AND EAX,0FFFF
0046B843 33FF XOR EDI,EDI ; ntdll.7C933BBF
0046B845 EB 0B JMP SHORT 0046B852
0046B847 8B4D FC MOV ECX,DWORD PTR SS:[EBP-4]
0046B84A BF 01000000 MOV EDI,1
0046B84F 8D41 02 LEA EAX,DWORD PTR DS:[ECX+2]
0046B852 50 PUSH EAX
0046B853 52 PUSH EDX ; ntdll.KiFastSystemCallRet
0046B854 FF15 04C04600 CALL DWORD PTR DS:[<&KERNEL32.GetProcAddress>] ; get address
0046B85A 85FF TEST EDI,EDI ; ntdll.7C933BBF
0046B85C 8945 EC MOV DWORD PTR SS:[EBP-14],EAX
0046B85F 74 28 JE SHORT 0046B889
0046B861 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
0046B864 83C9 FF OR ECX,FFFFFFFF
0046B867 83C2 02 ADD EDX,2
0046B86A 33C0 XOR EAX,EAX
0046B86C 8BFA MOV EDI,EDX ; ntdll.KiFastSystemCallRet
0046B86E F2:AE REPNE SCAS BYTE PTR ES:[EDI]
0046B870 F7D1 NOT ECX
0046B872 49 DEC ECX
0046B873 8BFA MOV EDI,EDX ; ntdll.KiFastSystemCallRet
0046B875 8BD1 MOV EDX,ECX
0046B877 C1E9 02 SHR ECX,2
0046B87A F3:AB REP STOS DWORD PTR ES:[EDI]
0046B87C 8BCA MOV ECX,EDX ; ntdll.KiFastSystemCallRet
0046B87E 83E1 03 AND ECX,3
0046B881 F3:AA REP STOS BYTE PTR ES:[EDI]
0046B883 C706 00000000 MOV DWORD PTR DS:[ESI],0
0046B889 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
0046B88C 83C6 04 ADD ESI,4
0046B88F 8903 MOV DWORD PTR DS:[EBX],EAX ; fill
0046B891 8B0D E0D04600 MOV ECX,DWORD PTR DS:[46D0E0]
0046B897 8B06 MOV EAX,DWORD PTR DS:[ESI]
0046B899 83C3 04 ADD EBX,4
0046B89C 85C0 TEST EAX,EAX
0046B89E 8D1408 LEA EDX,DWORD PTR DS:[EAX+ECX]
0046B8A1 8955 FC MOV DWORD PTR SS:[EBP-4],EDX ; ntdll.KiFastSystemCallRet
0046B8A4 ^ 75 8E JNZ SHORT 0046B834 ; next API?
0046B8A6 8B7D F8 MOV EDI,DWORD PTR SS:[EBP-8] ; kernel32.7C816FF0
0046B8A9 8BCF MOV ECX,EDI ; ntdll.7C933BBF
0046B8AB 33C0 XOR EAX,EAX
0046B8AD 83C7 14 ADD EDI,14
0046B8B0 8901 MOV DWORD PTR DS:[ECX],EAX
0046B8B2 897D F8 MOV DWORD PTR SS:[EBP-8],EDI ; ntdll.7C933BBF
0046B8B5 8941 04 MOV DWORD PTR DS:[ECX+4],EAX
0046B8B8 8941 08 MOV DWORD PTR DS:[ECX+8],EAX
0046B8BB 8941 0C MOV DWORD PTR DS:[ECX+C],EAX
0046B8BE 8941 10 MOV DWORD PTR DS:[ECX+10],EAX
0046B8C1 A1 E0D04600 MOV EAX,DWORD PTR DS:[46D0E0]
0046B8C6 ^ 0F85 01FFFFFF JNZ 0046B7CD ; next DLL?
}
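The two-level loop above, rewritten as a runnable model; this is an added example and not code from the post or from the packer. The 0x14 stride and the fields read at [EDI], [EDI+C] and [EDI+10] match IMAGE_IMPORT_DESCRIPTOR (OriginalFirstThunk, Name, FirstThunk), the TEST EAX,80000000 / AND EAX,0FFFF pair is the IMAGE_ORDINAL_FLAG32 check, and LEA EAX,[ECX+2] skips the hint of an IMAGE_IMPORT_BY_NAME entry; that mapping is my reading of the listing. LoadLibraryA and GetProcAddress are replaced by a constructed FAKE_EXPORTS table so the script runs offline, the import directory is constructed inline, and the REP STOS wiping of DLL names, function names and the descriptor itself is kept, because that is the part that matters to anyone dumping the process afterwards.

```python
"""
Mirror of the packer's IAT-filling loop (0046B7CD..0046B8C6), run over a
constructed import directory.  LoadLibraryA/GetProcAddress are replaced by a
fake export table so the script runs offline; the loop structure, the
ordinal-flag test and the wiping of names and descriptors follow the listing.
"""
import struct

IMAGE_ORDINAL_FLAG32 = 0x80000000   # the TEST EAX,80000000 at 0046B837
DESCRIPTOR_SIZE = 0x14              # IMAGE_IMPORT_DESCRIPTOR, the ADD EDI,14 stride

# Constructed stand-in for LoadLibraryA + GetProcAddress: dll -> {name or ordinal: address}
FAKE_EXPORTS = {
    b"KERNEL32.dll": {b"LoadLibraryA": 0x7C801D7B, b"GetProcAddress": 0x7C80AE30, 0x1A: 0x7C80BBBB},
    b"USER32.dll": {b"MessageBoxA": 0x77D507EA},
}


def read_u32(img, off):
    return struct.unpack_from("<I", img, off)[0]


def write_u32(img, off, value):
    struct.pack_into("<I", img, off, value)


def read_cstr(img, off):
    end = img.index(b"\0", off)              # the REPNE SCASB strlen
    return bytes(img[off:end])


def wipe(img, off, length):
    img[off:off + length] = b"\0" * length   # the REP STOS DWORD / REP STOS BYTE pair


def build_sample_image():
    """Constructed image with its import directory at RVA 0x1000."""
    img = bytearray(0x2000)

    def put(rva, data):
        img[rva:rva + len(data)] = data

    put(0x1100, b"KERNEL32.dll\0")                            # IMAGE_IMPORT_DESCRIPTOR.Name targets
    put(0x1110, b"USER32.dll\0")
    put(0x1200, struct.pack("<H", 0) + b"LoadLibraryA\0")     # IMAGE_IMPORT_BY_NAME: hint + name
    put(0x1210, struct.pack("<H", 0) + b"GetProcAddress\0")
    put(0x1230, struct.pack("<H", 0) + b"MessageBoxA\0")
    # OriginalFirstThunk arrays; the third kernel32 entry imports by ordinal 0x1A
    put(0x1300, struct.pack("<4I", 0x1200, 0x1210, IMAGE_ORDINAL_FLAG32 | 0x1A, 0))
    put(0x1310, struct.pack("<2I", 0x1230, 0))
    put(0x1400, img[0x1300:0x1310])                           # FirstThunk (the IAT), copy of the OFT
    put(0x1410, img[0x1310:0x1318])
    put(0x1000, struct.pack("<5I", 0x1300, 0, 0, 0x1100, 0x1400))   # descriptor: kernel32
    put(0x1014, struct.pack("<5I", 0x1310, 0, 0, 0x1110, 0x1410))   # descriptor: user32
    return img                                                # descriptor at 0x1028 stays all-zero


def resolve_imports(img, base, import_rva, exports):
    """Returns (IAT slot VA, resolved address) pairs in the order the loader writes them."""
    filled = []
    edi = import_rva
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<5I", img, edi)
        thunk = oft or ft                   # MOV ESI,[EDI]; if zero, MOV ESI,[EDI+10]
        if thunk == 0:
            break                           # JE 0046B8CC: null descriptor ends the outer loop
        dll = read_cstr(img, name_rva)
        module = exports.get(dll)           # LoadLibraryA(dll)
        if module is not None:              # the listing compares the handle with -1 (JE 0046B8A9)
            wipe(img, name_rva, len(dll))   # DLL name zeroed as soon as the module is loaded
            iat = ft
            entry = read_u32(img, thunk)
            while entry != 0:
                if entry & IMAGE_ORDINAL_FLAG32:
                    addr = module.get(entry & 0xFFFF, 0)    # by ordinal; nothing to wipe
                else:
                    name = read_cstr(img, entry + 2)        # LEA EAX,[ECX+2] skips the hint
                    addr = module.get(name, 0)
                    wipe(img, entry + 2, len(name))         # function name zeroed
                    write_u32(img, thunk, 0)                # MOV DWORD PTR [ESI],0
                write_u32(img, iat, addr)                   # MOV DWORD PTR [EBX],EAX
                filled.append((base + iat, addr))
                thunk += 4
                iat += 4
                entry = read_u32(img, thunk)                # JNZ 0046B834: next API?
        struct.pack_into("<5I", img, edi, 0, 0, 0, 0, 0)   # all five descriptor fields zeroed
        edi += DESCRIPTOR_SIZE                              # JNZ 0046B7CD: next DLL?
    return filled


def surviving_names(img, lo, hi):
    """Import-name strings still readable in a range, i.e. what a memory dump would keep."""
    return [s for s in bytes(img[lo:hi]).split(b"\0") if s]


if __name__ == "__main__":
    img = build_sample_image()
    before = surviving_names(img, 0x1100, 0x1300)
    for va, addr in resolve_imports(img, 0x400000, 0x1000, FAKE_EXPORTS):
        print(f"IAT {va:08X} <- {addr:08X}")
    print("names before:", before)
    print("names after: ", surviving_names(img, 0x1100, 0x1300))
```

Two things worth noticing when running it: after the loop, every DLL name, every function name and every descriptor is zero, so a dump taken after the IAT has been filled contains addresses but no names and needs its imports rebuilt, whereas the OEP break the post describes is reached only after this point, which is why the earlier break (the second ret, or the first memory breakpoint) is the comfortable place to stop if you want the tables intact. Ordinal thunks are the exception: the listing skips the MOV [ESI],0 for them, so those entries survive in the OriginalFirstThunk array.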
With the IAT filled, keep stepping and it rets straight to the OEP:
0046B72B B9 0D000000 MOV ECX,0D
0046B730 33C0 XOR EAX,EAX
0046B732 BF 00D04600 MOV EDI,0046D000
0046B737 F3:AB REP STOS DWORD PTR ES:[EDI]
0046B739 C3 RET ; jump to OEP
Very simple, nothing technically demanding; a good packer for beginners to learn the basic flow of a shell.
Original article; if reposting, please credit Eddy Blog.
Original URL: http://www.rrgod.com/technique/389.html Subscribe to Eddy Blog.