RLPack unpacking notes
This post was last edited by 十二 on 2012-3-12 13:58.
Tick every protection option except "Convert OEP to VM" and "Advanced import redirection" (on my Win7 the program errors out and will not run with that one ticked), and except password protection.
Load the packed program in OllyDbg with F3; its code looks like this:
00401000 > 57 PUSH EDI
00401001 .C7C7 72AFB4DF MOV EDI,DFB4AF72
00401007 .8D3D 5FBA581A LEA EDI,DWORD PTR DS:
0040100D .FFCF DEC EDI
0040100F .0FACF7 F2 SHRD EDI,ESI,0F2 ; shift constant out of the 1..31 range
...
Scroll down and you will find a far jump; F4 to here: 004011EA .- E9 15680A00 JMP RLPack.004A7A04
F8 over it and you land in the following code:
004A7A04 60 PUSHAD
004A7A05 E8 00000000 CALL RLPack.004A7A0A
004A7A0A 83C4 04 ADD ESP,4
004A7A0D 8B6C24 FC MOV EBP,DWORD PTR SS:
004A7A11 E8 8B020000 CALL RLPack.004A7CA1 ---- allocates memory, decompresses code, updates the code segment at 004A9E8F
004A7A16 E8 74240000 CALL RLPack.004A9E8F ---- gets the base addresses of kernel32 and user32
004A7A1B E8 88430000 CALL RLPack.004ABDA8 ---- saves the address of VirtualFree
004A7A20 837C24 28 01 CMP DWORD PTR SS:,1
004A7A25 75 0C JNZ SHORT RLPack.004A7A33
004A7A27 8B4424 24 MOV EAX,DWORD PTR SS:
004A7A2B 8985 7E470000 MOV DWORD PTR SS:,EAX kernel32.BaseThreadInitThunk
004A7A31 EB 0C JMP SHORT RLPack.004A7A3F
004A7A33 8B85 7A470000 MOV EAX,DWORD PTR SS:
004A7A39 8985 7E470000 MOV DWORD PTR SS:,EAX kernel32.BaseThreadInitThunk
004A7A3F E8 100D0000 CALL RLPack.004A8754 ---- works on the PE header to obtain the size of .packed, the entry point and other information, and saves them.
004A7A44 E8 6F240000 CALL RLPack.004A9EB8 ---- gets the kernel32 base, walks its export table for OpenMutex and CreateMutex, and does the mutex handling.
004A7A49 E8 1F230000 CALL RLPack.004A9D6D ---- gets the User32 base and MessageBoxA, used later to report verification errors. This function contains an SEH check; if your OD cannot get past it, you can manually NOP the instruction [004A9DDB 8700 XCHG DWORD PTR DS:,EAX].
004A7A4E 8DB5 75550000 LEA ESI,DWORD PTR SS:
004A7A54 8D9D 17030000 LEA EBX,DWORD PTR SS:
004A7A5A 33FF XOR EDI,EDI
004A7A5C E8 3B3D0000 CALL RLPack.004AB79C ---- reads back the PE header information saved earlier; this function does some strange and evil things to the PE header (it wipes the section sizes and RVAs so the image cannot be dumped normally).
To put it back to normal, F7 into CALL RLPack.004AB79C and find this code:
{
004AB79C 60 PUSHAD
004AB79D E8 4D030000 CALL RLPack.004ABAEF ---- gets the image base
004AB7A2 E8 FB020000 CALL RLPack.004ABAA2 ---- the evil part: wipes the section sizes and RVAs
004AB7A7 E8 AC030000 CALL RLPack.004ABB58 ---- does some shady things, specifically:
resolves the following function addresses:
004AC53B 77023EA8 kernel32.IsDebuggerPresent
004AC53F 77043F81 kernel32.CheckRemoteDebuggerPresent
004AC543 77033861 kernel32.GetVersionExA
004AC547 7702CEE8 kernel32.CreateFileA
004AC54B 7702CAC4 kernel32.GetCurrentProcessId
}
F7 into CALL RLPack.004ABAA2
and find the following code; NOP out the JA and that is enough:
{
004ABAE3 C60401 00 MOV BYTE PTR DS:,0
004ABAE7 49 DEC ECX
004ABAE8 83F9 00 CMP ECX,0
004ABAEB^ 77 F6 JA SHORT RLPack.004ABAE3
}
004A7A61 EB 03 JMP SHORT RLPack.004A7A66
004A7A66 /EB 1B JMP SHORT RLPack.004A7A83
004A7A68 |8B85 7E470000 MOV EAX,DWORD PTR SS: ; RLPack.00400000
004A7A6E |FF7437 04 PUSH DWORD PTR DS:
004A7A72 |010424 ADD DWORD PTR SS:,EAX ; RLPack.00400000
004A7A75 |FF3437 PUSH DWORD PTR DS:
004A7A78 |010424 ADD DWORD PTR SS:,EAX ; RLPack.00400000
004A7A7B |FFD3 CALL EBX ; RLPack.004A7D21 ---- decompresses a large amount of code
004A7A7D |83C4 08 ADD ESP,8
004A7A80 |83C7 08 ADD EDI,8
004A7A83 \833C37 00 CMP DWORD PTR DS:,0
004A7A87^ 75 DF JNZ SHORT RLPack.004A7A68
004A7A89 83BD 55550000 0>CMP DWORD PTR SS:,0
004A7A90 74 0E JE SHORT RLPack.004A7AA0
004A7A92 83BD 59550000 0>CMP DWORD PTR SS:,0
004A7A99 74 05 JE SHORT RLPack.004A7AA0
004A7A9B E8 F30B0000 CALL RLPack.004A8693 ---- fixes up the CALLs in the code decompressed into the .packed section
004A7AA0 8D7437 04 LEA ESI,DWORD PTR DS:
004A7AA4 E8 660B0000 CALL RLPack.004A860F
004A7AA9 8B85 D44D0000 MOV EAX,DWORD PTR SS:
004A7AAF 0BC0 OR EAX,EAX ; RLPack.00400000
004A7AB1 74 0B JE SHORT RLPack.004A7ABE
004A7AB3 0385 7E470000 ADD EAX,DWORD PTR SS: ; RLPack.00400000
004A7AB9 E8 C2030000 CALL RLPack.004A7E80 ---- extracts code and redirects it
004A7ABE 83BD DA4F0000 0>CMP DWORD PTR SS:,1
004A7AC5 75 13 JNZ SHORT RLPack.004A7ADA
004A7AC7 89B5 DE4F0000 MOV DWORD PTR SS:,ESI ; RLPack.004ACF7F
004A7ACD EB 03 JMP SHORT RLPack.004A7AD2
004A7ACF 83C6 04 ADD ESI,4
004A7AD2 837E FC FF CMP DWORD PTR DS:,-1
004A7AD6^ 75 F7 JNZ SHORT RLPack.004A7ACF
004A7AD8 EB 03 JMP SHORT RLPack.004A7ADD
004A7ADA 83C6 08 ADD ESI,8
004A7ADD 8B06 MOV EAX,DWORD PTR DS:
004A7ADF 8985 9E470000 MOV DWORD PTR SS:,EAX ; RLPack.00400000
004A7AE5 83C6 04 ADD ESI,4
004A7AE8 E8 3A400000 CALL RLPack.004ABB27 ---- verifies the code. Until this CALL has passed, do not modify anything in the 004A7A04-004AD283 memory range, or the process exits.
004A7AED 83C6 04 ADD ESI,4
004A7AF0 53 PUSH EBX ; RLPack.004A7D21
004A7AF1 6A 40 PUSH 40
004A7AF3 68 00100000 PUSH 1000
004A7AF8 68 AC020000 PUSH 2AC
004A7AFD 6A 00 PUSH 0
004A7AFF FF95 FD030000 CALL DWORD PTR SS: ; kernel32.VirtualAlloc
004A7B05 8985 71550000 MOV DWORD PTR SS:,EAX ; RLPack.00400000
004A7B0B 5B POP EBX ; RLPack.004A7D21
004A7B0C FFB5 71550000 PUSH DWORD PTR SS: ; RLPack.004A7A0A
004A7B12 56 PUSH ESI ; RLPack.004ACF7F
004A7B13 FFD3 CALL EBX ; RLPack.004A7D21
004A7B15 83C4 08 ADD ESP,8
004A7B18 E8 D53E0000 CALL RLPack.004AB9F2 ---- NOP this out
004A7B1D E8 91340000 CALL RLPack.004AAFB3
004A7B22 83BD 83500000 0>CMP DWORD PTR SS:,0
004A7B29 74 13 JE SHORT RLPack.004A7B3E
004A7B2B 83BD A34E0000 0>CMP DWORD PTR SS:,0
004A7B32 74 0A JE SHORT RLPack.004A7B3E
004A7B34 E8 38330000 CALL RLPack.004AAE71
004A7B39 E8 4F2C0000 CALL RLPack.004AA78D
004A7B3E 8BB5 71550000 MOV ESI,DWORD PTR SS: ; RLPack.004A7A0A
004A7B44 8BC6 MOV EAX,ESI ; RLPack.004ACF7F
004A7B46 EB 01 JMP SHORT RLPack.004A7B49
004A7B48 40 INC EAX ; RLPack.00400000
004A7B49 8038 01 CMP BYTE PTR DS:,1
004A7B4C^ 75 FA JNZ SHORT RLPack.004A7B48 ---- gets the original DLL name, in preparation for processing the IAT.
004A7B4E 40 INC EAX ; RLPack.00400000
004A7B4F 8B38 MOV EDI,DWORD PTR DS:
004A7B51 8B8D 7A470000 MOV ECX,DWORD PTR SS: ; RLPack.00400000
004A7B57 3B8D 7E470000 CMP ECX,DWORD PTR SS: ; RLPack.00400000
004A7B5D 74 1A JE SHORT RLPack.004A7B79
004A7B5F 83BD E04D0000 0>CMP DWORD PTR SS:,0
004A7B66 76 11 JBE SHORT RLPack.004A7B79
004A7B68 83BD F84D0000 0>CMP DWORD PTR SS:,0
004A7B6F 75 08 JNZ SHORT RLPack.004A7B79
004A7B71 03F9 ADD EDI,ECX
004A7B73 2BBD 7E470000 SUB EDI,DWORD PTR SS: ; RLPack.00400000
004A7B79 03BD 7E470000 ADD EDI,DWORD PTR SS: ; RLPack.00400000
004A7B7F 83C0 04 ADD EAX,4
004A7B82 8985 6D550000 MOV DWORD PTR SS:,EAX ; RLPack.00400000
004A7B88 E8 250C0000 CALL RLPack.004A87B2
004A7B8D E8 1B0D0000 CALL RLPack.004A88AD
004A7B92 E8 B3100000 CALL RLPack.004A8C4A
004A7B97 E8 DC390000 CALL RLPack.004AB578
004A7B9C E9 B1000000 JMP RLPack.004A7C52
004A7BA1 E8 71200000 CALL RLPack.004A9C17
004A7BA6 56 PUSH ESI ; RLPack.004ACF7F
004A7BA7 FF95 09040000 CALL DWORD PTR SS: ; kernel32.GetModuleHandleA
004A7BAD 85C0 TEST EAX,EAX ; RLPack.00400000
004A7BAF 0F84 BF200000 JE RLPack.004A9C74
004A7BB5 8985 69550000 MOV DWORD PTR SS:,EAX ; RLPack.00400000
004A7BBB 8BC6 MOV EAX,ESI ; RLPack.004ACF7F
004A7BBD EB 43 JMP SHORT RLPack.004A7C02
004A7BBF 8B85 6D550000 MOV EAX,DWORD PTR SS: ; RLPack.004A9DDD
004A7BC5 8B00 MOV EAX,DWORD PTR DS:
004A7BC7 E8 16360000 CALL RLPack.004AB1E2
004A7BCC 50 PUSH EAX ; RLPack.00400000
004A7BCD FFB5 69550000 PUSH DWORD PTR SS:
004A7BD3 E8 E9400000 CALL RLPack.004ABCC1
004A7BD8 85C0 TEST EAX,EAX ; RLPack.00400000
004A7BDA 0F84 5B200000 JE RLPack.004A9C3B
004A7BE0 E8 FF360000 CALL RLPack.004AB2E4
004A7BE5 E8 85350000 CALL RLPack.004AB16F
004A7BEA 83C7 04 ADD EDI,4
004A7BED 8B85 6D550000 MOV EAX,DWORD PTR SS: ; RLPack.004A9DDD
004A7BF3 8938 MOV DWORD PTR DS:,EDI
004A7BF5 8385 6D550000 0>ADD DWORD PTR SS:,4
004A7BFC 8B85 6D550000 MOV EAX,DWORD PTR SS: ; RLPack.004A9DDD
004A7C02 8338 00 CMP DWORD PTR DS:,0
004A7C05^ 75 B8 JNZ SHORT RLPack.004A7BBF
004A7C07 EB 01 JMP SHORT RLPack.004A7C0A
004A7C09 46 INC ESI ; RLPack.004ACF7F
004A7C0A 803E 00 CMP BYTE PTR DS:,0
004A7C0D^ 75 FA JNZ SHORT RLPack.004A7C09
004A7C0F 46 INC ESI ; RLPack.004ACF7F
004A7C10 83C0 04 ADD EAX,4
004A7C13 8B38 MOV EDI,DWORD PTR DS:
004A7C15 8B8D 7A470000 MOV ECX,DWORD PTR SS: ; RLPack.00400000
004A7C1B 3B8D 7E470000 CMP ECX,DWORD PTR SS: ; RLPack.00400000
004A7C21 74 1A JE SHORT RLPack.004A7C3D
004A7C23 83BD E04D0000 0>CMP DWORD PTR SS:,0
004A7C2A 76 11 JBE SHORT RLPack.004A7C3D
004A7C2C 83BD F84D0000 0>CMP DWORD PTR SS:,0
004A7C33 75 08 JNZ SHORT RLPack.004A7C3D
004A7C35 03F9 ADD EDI,ECX
004A7C37 2BBD 7E470000 SUB EDI,DWORD PTR SS: ; RLPack.00400000
004A7C3D 03BD 7E470000 ADD EDI,DWORD PTR SS: ; RLPack.00400000
004A7C43 C700 FFFFFFFF MOV DWORD PTR DS:,-1
004A7C49 83C0 04 ADD EAX,4
004A7C4C 8985 6D550000 MOV DWORD PTR SS:,EAX ; RLPack.00400000
004A7C52 803E 01 CMP BYTE PTR DS:,1
004A7C55^ 0F85 46FFFFFF JNZ RLPack.004A7BA1 ---- processes the IAT
004A7C5B E8 B0350000 CALL RLPack.004AB210
004A7C60 68 00400000 PUSH 4000
004A7C65 68 AC020000 PUSH 2AC
004A7C6A FFB5 71550000 PUSH DWORD PTR SS: ; RLPack.004A7A0A
004A7C70 FF95 05040000 CALL DWORD PTR SS: ; RLPack.004ABDC3
004A7C76 E8 D0220000 CALL RLPack.004A9F4B
004A7C7B E8 CC340000 CALL RLPack.004AB14C
004A7C80 E8 DF0B0000 CALL RLPack.004A8864
004A7C85 E8 850A0000 CALL RLPack.004A870F
004A7C8A 83BD 0C4E0000 0>CMP DWORD PTR SS:,0
004A7C91 74 07 JE SHORT RLPack.004A7C9A
004A7C93 E9 10100000 JMP RLPack.004A8CA8
004A7C98 EB 01 JMP SHORT RLPack.004A7C9B
004A7C9A 61 POPAD
004A7C9B- E9 0096F5FF JMP RLPack.004012A0 ---- the entry point; set a breakpoint here
IAT processing routine:
004A7BA1 E8 71200000 CALL RLPack.004A9C17 ---- gets the module name
004A7BA6 56 PUSH ESI
004A7BA7 FF95 09040000 CALL DWORD PTR SS: ; kernel32.GetModuleHandleA
004A7BAD 85C0 TEST EAX,EAX
004A7BAF 0F84 BF200000 JE RLPack.004A9C74
004A7BB5 8985 69550000 MOV DWORD PTR SS:,EAX
004A7BBB 8BC6 MOV EAX,ESI
004A7BBD EB 43 JMP SHORT RLPack.004A7C02
004A7BBF 8B85 6D550000 MOV EAX,DWORD PTR SS:
004A7BC5 8B00 MOV EAX,DWORD PTR DS:
004A7BC7 E8 16360000 CALL RLPack.004AB1E2 ---- code verification section
004AB1E2 60 PUSHAD
004AB1E3 8BF0 MOV ESI,EAX
004AB1E5 8D85 D8370000 LEA EAX,DWORD PTR SS:
004AB1EB 8D8D 6E3B0000 LEA ECX,DWORD PTR SS:
004AB1F1 2BC8 SUB ECX,EAX
004AB1F3 33DB XOR EBX,EBX ; RLPack.004A7D21
004AB1F5 33D2 XOR EDX,EDX
004AB1F7 EB 0A JMP SHORT RLPack.004AB203
004AB1F9 FF30 PUSH DWORD PTR DS: ---- verifies the 004AB1E2 region; the verified size is 00000396. How to handle this is a matter of taste: you can copy the code at 004AB1E2 to a fresh block of memory and then change EAX at 004AB1E5, 004AB1EB and 004AB1F1 to point into your allocated memory to pass the check. Or change xx before the CALL and change it back when the verification runs.
004AB1FB 5A POP EDX
004AB1FC 32DA XOR BL,DL
004AB1FE C1C3 07 ROL EBX,7
004AB201 40 INC EAX
004AB202 49 DEC ECX ; ntdll.77606570
004AB203 83F9 00 CMP ECX,0
004AB206^ 77 F1 JA SHORT RLPack.004AB1F9
004AB208 33F3 XOR ESI,EBX ; RLPack.004A7D21
004AB20A 897424 1C MOV DWORD PTR SS:,ESI
004AB20E 61 POPAD
004AB20F C3 RETN
004A7BCC 50 PUSH EAX
004A7BCD FFB5 69550000 PUSH DWORD PTR SS: ; msvcrt.76C10000
004A7BD3 E8 E9400000 CALL RLPack.004ABCC1 ---- gets the function address
004A7BD8 85C0 TEST EAX,EAX
004A7BDA 0F84 5B200000 JE RLPack.004A9C3B
004A7BE0 E8 FF360000 CALL RLPack.004AB2E4 ---- fills the IAT; its code:
004AB2E4 60 PUSHAD
004AB2E5 83BD F44D0000 0>CMP DWORD PTR SS:,0
004AB2EC 0F85 FA000000 JNZ RLPack.004AB3E
...
{
004AB3EC 8BBD 69550000 MOV EDI,DWORD PTR SS:
004AB3F2 83BD F84D0000 0>CMP DWORD PTR SS:,0
004AB3F9 74 14 JE SHORT RLPack.004AB40F
004AB3FB 3BBD A2470000 CMP EDI,DWORD PTR SS:
004AB401 74 0C JE SHORT RLPack.004AB40F
004AB403 3BBD A6470000 CMP EDI,DWORD PTR SS: ; user32.#2372
} ; NOP out all the code in the braces
004AB409 0F85 67010000 JNZ RLPack.004AB576 ---- change this JNZ to JMP, which means the whole IAT is processed without encryption. (As said above, this address range is checksummed and the way to pass the check has already been described; don't say the program dies as soon as you change this, because that means the check above was not handled.)
004A7BE5 E8 85350000 CALL RLPack.004AB16F
004A7BEA 83C7 04 ADD EDI,4
004A7BED 8B85 6D550000 MOV EAX,DWORD PTR SS:
004A7BF3 8938 MOV DWORD PTR DS:,EDI ; RLPack.00478314
004A7BF5 8385 6D550000 0>ADD DWORD PTR SS:,4
004A7BFC 8B85 6D550000 MOV EAX,DWORD PTR SS:
004A7C02 8338 00 CMP DWORD PTR DS:,0
004A7C05^ 75 B8 JNZ SHORT RLPack.004A7BBF
004A7C07 EB 01 JMP SHORT RLPack.004A7C0A
004A7C09 46 INC ESI
004A7C0A 803E 00 CMP BYTE PTR DS:,0
004A7C0D^ 75 FA JNZ SHORT RLPack.004A7C09
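The verification routine at 004AB1E2 re-implemented in Python, as an added example (not code from the original post or from RLPack); the hashed buffer and the EAX value are constructed, only the algorithm follows the listing. It shows why the post insists that nothing in the 004A7A04-004AD283 range may be touched before the check has run: every byte inside the hashed range feeds the result.

```python
# Added example (not from the original post): the RLPack stub's integrity
# check at 004AB1E2 in Python. REGION and the EAX value are constructed
# test data; only the algorithm follows the listing.
MASK32 = 0xFFFFFFFF

def rol32(value: int, count: int) -> int:
    """x86 ROL on a 32-bit register."""
    count %= 32
    value &= MASK32
    return ((value << count) | (value >> (32 - count))) & MASK32

def rlpack_checksum(region: bytes) -> int:
    """Loop 004AB1F9..004AB206: EBX starts at 0; per byte: XOR BL,DL ; ROL EBX,7."""
    ebx = 0
    for byte in region:
        ebx = (ebx & 0xFFFFFF00) | ((ebx ^ byte) & 0xFF)  # XOR BL,DL (low byte only)
        ebx = rol32(ebx, 7)                               # ROL EBX,7
    return ebx

def checked_eax(eax_in: int, region: bytes) -> int:
    """004AB208/004AB20A: the caller's EAX comes back as EAX_in XOR checksum."""
    return (eax_in ^ rlpack_checksum(region)) & MASK32

def patch(region: bytes, offset: int, new_bytes: bytes) -> bytes:
    """Copy of region with new_bytes written at offset (e.g. a JA replaced by NOPs)."""
    return region[:offset] + new_bytes + region[offset + len(new_bytes):]

# Constructed stand-in for the 0x396-byte range the stub hashes (size from the post).
REGION = bytes((i * 37 + 11) & 0xFF for i in range(0x396))
# A two-byte change inside the hashed range, like a short JA overwritten with 90 90.
PATCHED = patch(REGION, 0x200, b"\x90\x90")

def patch_detected(original: bytes, modified: bytes) -> bool:
    """True when the stub's check would see a different value after the change."""
    return rlpack_checksum(original) != rlpack_checksum(modified)

if __name__ == "__main__":
    print(f"checksum(REGION)  = {rlpack_checksum(REGION):08X}")
    print(f"checksum(PATCHED) = {rlpack_checksum(PATCHED):08X}")
    print("change detected:", patch_detected(REGION, PATCHED))
```

Because XOR and rotation are both linear over GF(2), a single changed byte at offset k shows up as rol32(delta, 7 * (len - k)) in the result, so no byte inside the range can be altered unnoticed.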
After handling all of this, F9 and you break at 004A7C9B - E9 0096F5FF JMP RLPack.004012A0; F8 flies to the entry point.
ImportREC: fix the IAT, everything valid, dump it.
Unsurprisingly the program does not run, because 004A7AB9 E8 C2030000 CALL RLPack.004A7E80 extracted code and relocated it. You can see a lot of code like this in the dumped PE:
004012A0 .55 PUSH EBP ; RLPack.004A7A0A
004012A1 .89E5 MOV EBP,ESP
004012A3 .83EC 08 SUB ESP,8
004012A6 .C70424 020000>MOV DWORD PTR SS:,2
004012AD .FF15 40834700 CALL DWORD PTR DS:
004012B3 .- E9 70F01301 JMP 01540328
To handle this, take the size of the memory region at 01540328, break on VirtualAlloc and redirect the return value to memory you allocated yourself (it must be above 0x00400000), then dump that region, fix up the PE file (recompute the base and the section), and add the dumped memory as a new section in the PE section table.
That's all.