【Title】: Magic Utilities 2003 Unpacking Notes (Part 1)
【Source】: Internet

Fi 3.01 identifies the packer as PECompact v1.68-84.
  First, use PEditor to look at the section table of mgutil.exe:

Section   Virtual Size  Virtual Offset  Raw Size   Raw Offset  Characteristics

pec1       000A1000      00001000       0003EA00    00000400      E0000020
.rsrc      000C8000      000A2000       00054A00    0003EE00      C0000040
.pec       00004000      0016A000       00000600    00093800      E0000020
.rsrc      00001000      0016E000       00000600    00093E00      C0000040

   After packing, the entry point lies in the .pec section, whose Characteristics value is E0000020, meaning the section is executable. So I loaded the program directly into SoftICE, but it did not break. I then set the breakpoint bpint 3 in SoftICE and clicked break'n'enter -> Run, which forces the program to break at the entry point.
   SoftICE breaks at the following location:
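As an added check (example code, not from the original article or from PEditor), the following decodes the Characteristics of the section table above and applies the section-table heuristics a packer-triage script would use: writable+executable sections, executable sections far larger in memory than on disk, duplicate section names, and an entry point outside the first section. The image base 0x400000 is an assumption; it is consistent with the entry point 0056A000 that SoftICE shows in this article.

```python
from dataclasses import dataclass
# PE section Characteristics bits (IMAGE_SCN_* from winnt.h)
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

@dataclass
class Section:
    name: str
    vsize: int   # Virtual Size
    vaddr: int   # Virtual Offset (RVA)
    rsize: int   # Raw Size
    chars: int   # Characteristics

# The mgutil.exe section table as PEditor printed it above (raw offsets omitted).
SECTIONS = [
    Section("pec1",  0x000A1000, 0x00001000, 0x0003EA00, 0xE0000020),
    Section(".rsrc", 0x000C8000, 0x000A2000, 0x00054A00, 0xC0000040),
    Section(".pec",  0x00004000, 0x0016A000, 0x00000600, 0xE0000020),
    Section(".rsrc", 0x00001000, 0x0016E000, 0x00000600, 0xC0000040),
]
IMAGE_BASE = 0x00400000   # assumed; consistent with the entry point 0056A000 seen in SoftICE
ENTRY_VA = 0x0056A000

def describe(chars: int) -> str:
    """Render Characteristics as flag names, e.g. E0000020 -> 'CODE|R|W|X'."""
    bits = [(IMAGE_SCN_CNT_CODE, "CODE"), (IMAGE_SCN_CNT_INITIALIZED_DATA, "IDATA"),
            (IMAGE_SCN_MEM_READ, "R"), (IMAGE_SCN_MEM_WRITE, "W"), (IMAGE_SCN_MEM_EXECUTE, "X")]
    return "|".join(n for b, n in bits if chars & b)

def section_for_va(va: int, sections=SECTIONS, base=IMAGE_BASE):
    """Return the section whose virtual range contains the VA, or None."""
    rva = va - base
    return next((s for s in sections if s.vaddr <= rva < s.vaddr + s.vsize), None)

def packer_indicators(sections=SECTIONS, entry_va=ENTRY_VA):
    """Section-table heuristics that together point at a packed executable."""
    hits = []
    for s in sections:
        if s.chars & IMAGE_SCN_MEM_WRITE and s.chars & IMAGE_SCN_MEM_EXECUTE:
            hits.append(f"{s.name}: writable and executable")
        # An executable section much larger in memory than on disk is where the stub unpacks into.
        if s.chars & IMAGE_SCN_MEM_EXECUTE and s.vsize > 2 * s.rsize:
            hits.append(f"{s.name}: virtual size {s.vsize:#x} > 2x raw size {s.rsize:#x}")
    names = [s.name for s in sections]
    hits += [f"duplicate section name {n}" for n in sorted(set(names)) if names.count(n) > 1]
    ep = section_for_va(entry_va, sections)
    if ep is not None and ep is not sections[0]:
        hits.append(f"entry point {entry_va:#x} is in {ep.name}, not the first section")
    return hits
```

For this table the script reports six indicators, including that the entry point falls in .pec rather than pec1, which is exactly the layout the article goes on to walk through.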
001B:0056A000  CC                  INT       3
/* This is the int3 breakpoint inserted with PEditor */
001B:0056A001  06                  PUSH      ES
001B:0056A002  689C120500          PUSH      0005129C
____________________________________________________________
   Because the inserted int3 breakpoint overwrote the original entry instruction, the instruction must be restored for the program to keep running. PEditor's FLC shows that the bytes at 56A000 are EB 06 68 9C 12 05 00 C3 9C, so after breaking at the entry point again, enter this command in SoftICE: eb eip eb (Enter)
   The corrected code is as follows:
001B:0056A000  EB06                JMP       0056A008             (JUMP )
001B:0056A002  689C120500          PUSH      0005129C
/* This is actually the OEP, which means the OEP is not encrypted; the main program can easily be patched with SMC even without unpacking */
001B:0056A007  C3                  RET
001B:0056A008  9C                  PUSHFD
001B:0056A009  60                  PUSHAD
001B:0056A00A  E802000000          CALL      0056A011
/* This call is a disguised jmp, since its target is just two lines below; step into it with F8 */
001B:0056A00F  33C0                XOR       EAX,EAX
001B:0056A011  8BC4                MOV       EAX,ESP
001B:0056A013  83C004              ADD       EAX,04
001B:0056A016  93                  XCHG      EAX,EBX
001B:0056A017  8BE3                MOV       ESP,EBX
001B:0056A019  8B5BFC              MOV       EBX,[EBX-04]
001B:0056A01C  81EB3F904000        SUB       EBX,0040903F
001B:0056A022  87DD                XCHG      EBX,EBP
001B:0056A024  8B85E6904000        MOV       EAX,[EBP+004090E6]
001B:0056A02A  018533904000        ADD       [EBP+00409033],EAX
001B:0056A030  66C785309040009090  MOV       WORD PTR [EBP+00409030],9090
001B:0056A039  0185DA904000        ADD       [EBP+004090DA],EAX
001B:0056A03F  0185DE904000        ADD       [EBP+004090DE],EAX
001B:0056A045  0185E2904000        ADD       [EBP+004090E2],EAX
001B:0056A04B  BB7B110000          MOV       EBX,0000117B
001B:0056A050  039DEA904000        ADD       EBX,[EBP+004090EA]
001B:0056A056  039DE6904000        ADD       EBX,[EBP+004090E6]
001B:0056A05C  53                  PUSH      EBX
001B:0056A05D  8BC3                MOV       EAX,EBX
001B:0056A05F  8BFB                MOV       EDI,EBX
001B:0056A061  2DAC904000          SUB       EAX,004090AC
001B:0056A066  8985AD904000        MOV       [EBP+004090AD],EAX
001B:0056A06C  8DB5AC904000        LEA       ESI,[EBP+004090AC]
001B:0056A072  B940040000          MOV       ECX,00000440
001B:0056A077  F3A5                REPZ MOVSD
001B:0056A079  8BFB                MOV       EDI,EBX
001B:0056A07B  C3                  RET
/* After this ret, execution arrives at the following location */
001B:0056B17B  BDCF201600          MOV       EBP,001620CF
001B:0056B180  8BF7                MOV       ESI,EDI
001B:0056B182  83C654              ADD       ESI,54
001B:0056B185  81C7FF100000        ADD       EDI,000010FF
001B:0056B18B  56                  PUSH      ESI
001B:0056B18C  57                  PUSH      EDI
001B:0056B18D  57                  PUSH      EDI
001B:0056B18E  56                  PUSH      ESI
001B:0056B18F  FF95DA904000        CALL      [EBP+004090DA]
001B:0056B195  8BC8                MOV       ECX,EAX
001B:0056B197  5E                  POP       ESI
001B:0056B198  5F                  POP       EDI
001B:0056B199  8BC1                MOV       EAX,ECX
001B:0056B19B  C1F902              SAR       ECX,02
001B:0056B19E  F3A5                REPZ MOVSD
001B:0056B1A0  03C8                ADD       ECX,EAX
001B:0056B1A2  83E103              AND       ECX,03
001B:0056B1A5  F3A4                REPZ MOVSB
001B:0056B1A7  EB26                JMP       0056B1CF             (JUMP )
/* Note the destination of this jmp */
001B:0056B1A9  B0E3                MOV       AL,E3
001B:0056B1AB  56                  PUSH      ESI
001B:0056B1AC  0098E3560074        ADD       [EAX+740056E3],BL
001B:0056B1B2  E356                JECXZ     0056B20A
001B:0056B1B4  0000                ADD       [EAX],AL
001B:0056B1B6  004000              ADD       [EAX+00],AL
001B:0056B1B9  00A0160000E0        ADD       [EAX+E0000016],AH ; STATUS_MORE_PRO
001B:0056B1BF  16                  PUSH      SS
001B:0056B1C0  0087DB87DB87        ADD       [EDI+87DB87DB],AL
001B:0056B1C6  DB87DB87DB87        FILD      DWORD PTR [EDI+87DB87DB]
001B:0056B1CC  DB87DB8BB5E6        FILD      DWORD PTR [EDI+E6B58BDB]
_____________________________________________________________

   There is junk code here; enter the command:
   :a 56b1cc
   001B:0056B1CC nop
   001B:0056B1CD
   :
   which gives:
001B:0056B1CC  90                  NOP
001B:0056B1CD  87DB                XCHG      EBX,EBX
001B:0056B1CF  8BB5E6904000        MOV       ESI,[EBP+004090E6]
/* This is the real destination of the jmp above */
001B:0056B1D5  56                  PUSH      ESI
001B:0056B1D6  03B5EE904000        ADD       ESI,[EBP+004090EE]
001B:0056B1DC  83C614              ADD       ESI,14
001B:0056B1DF  03B535974000        ADD       ESI,[EBP+00409735]
001B:0056B1E5  8DBD39974000        LEA       EDI,[EBP+00409739]
001B:0056B1EB  B906000000          MOV       ECX,00000006
001B:0056B1F0  F3A5                REPZ MOVSD
001B:0056B1F2  6A04                PUSH      04
001B:0056B1F4  6800100000          PUSH      00001000
001B:0056B1F9  FFB551974000        PUSH      DWORD PTR [EBP+00409751]
001B:0056B1FF  6A00                PUSH      00
001B:0056B201  FF9541974000        CALL      [EBP+00409741]
001B:0056B207  8BF8                MOV       EDI,EAX
001B:0056B209  5B                  POP       EBX
001B:0056B20A  019D83944000        ADD       [EBP+00409483],EBX
001B:0056B210  8BB5DE904000        MOV       ESI,[EBP+004090DE]
001B:0056B216  80BD6B9D4000C3      CMP       BYTE PTR [EBP+00409D6B],C3
001B:0056B21D  742E                JZ        0056B24D
001B:0056B21F  60                  PUSHAD
001B:0056B220  8B9D39974000        MOV       EBX,[EBP+00409739]
001B:0056B226  8B8D3D974000        MOV       ECX,[EBP+0040973D]
001B:0056B22C  8B95E6904000        MOV       EDX,[EBP+004090E6]
001B:0056B232  8DBD6BA14000        LEA       EDI,[EBP+0040A16B]
001B:0056B238  56                  PUSH      ESI
001B:0056B239  52                  PUSH      EDX
001B:0056B23A  6A40                PUSH      40
001B:0056B23C  57                  PUSH      EDI
001B:0056B23D  51                  PUSH      ECX
001B:0056B23E  53                  PUSH      EBX
001B:0056B23F  E8F60B0000          CALL      0056BE3A
001B:0056B244  85C0                TEST      EAX,EAX
001B:0056B246  0F859F000000        JNZ       0056B2EB
001B:0056B24C  61                  POPAD
001B:0056B24D  57                  PUSH      EDI
001B:0056B24E  AD                  LODSD
001B:0056B24F  85C0                TEST      EAX,EAX
001B:0056B251  0F849B000000        JZ        0056B2F2
/* Note the destination of this jz */
001B:0056B257  8BD0                MOV       EDX,EAX
001B:0056B259  0395E6904000        ADD       EDX,[EBP+004090E6]
001B:0056B25F  AD                  LODSD
001B:0056B260  56                  PUSH      ESI
001B:0056B261  8BC8                MOV       ECX,EAX
001B:0056B263  57                  PUSH      EDI
001B:0056B264  52                  PUSH      EDX
001B:0056B265  8DB56BA14000        LEA       ESI,[EBP+0040A16B]
001B:0056B26B  57                  PUSH      EDI
001B:0056B26C  51                  PUSH      ECX
001B:0056B26D  52                  PUSH      EDX
001B:0056B26E  6A40                PUSH      40
001B:0056B270  56                  PUSH      ESI
001B:0056B271  FFB53D974000        PUSH      DWORD PTR [EBP+0040973D]
001B:0056B277  FFB539974000        PUSH      DWORD PTR [EBP+00409739]
001B:0056B27D  E8B8090000          CALL      0056BC3A
001B:0056B282  5A                  POP       EDX
001B:0056B283  5F                  POP       EDI
001B:0056B284  8D85E4914000        LEA       EAX,[EBP+004091E4]
001B:0056B28A  50                  PUSH      EAX
001B:0056B28B  6467FF360000        PUSH      DWORD PTR FS:[0000]
001B:0056B291  646789260000        MOV       FS:[0000],ESP
001B:0056B297  52                  PUSH      EDX
001B:0056B298  57                  PUSH      EDI
001B:0056B299  FF95DA904000        CALL      [EBP+004090DA]
001B:0056B29F  64678F060000        POP       DWORD PTR FS:[0000]
001B:0056B2A5  83C404              ADD       ESP,04
001B:0056B2A8  85C0                TEST      EAX,EAX
001B:0056B2AA  7407                JZ        0056B2B3
001B:0056B2AC  8BC8                MOV       ECX,EAX
001B:0056B2AE  5E                  POP       ESI
001B:0056B2AF  5F                  POP       EDI
001B:0056B2B0  EB9B                JMP       0056B24D             (JUMP )
001B:0056B2B2  B9E8000000          MOV       ECX,000000E8
001B:0056B2B7  005D81              ADD       [EBP-7F],BL
001B:0056B2BA  ED                  IN        EAX,DX
001B:0056B2BB  E9914000E8          JMP       E856F351
_____________________________________________________________
   The code at 001B:0056B2F1 has been obfuscated with junk:
001B:0056B2EB  FFA549974000        JMP       [EBP+00409749]
001B:0056B2F1  245F                AND       AL,5F
001B:0056B2F3  8BB5E2904000        MOV       ESI,[EBP+004090E2]
001B:0056B2F9  AD                  LODSD
001B:0056B2FA  83F8FF              CMP       EAX,-01
001B:0056B2FD  7474                JZ        0056B373    
   Enter the command:
   :a 56b2f1
   001B:0056B2F1 nop
   001B:0056B2F2
   After correction, the instructions are:
001B:0056B2EB  FFA549974000        JMP       [EBP+00409749]
001B:0056B2F1  90                  NOP
001B:0056B2F2  5F                  POP       EDI
/* This is the real destination of the jz at 001B:0056B251 */
001B:0056B2F3  8BB5E2904000        MOV       ESI,[EBP+004090E2]
001B:0056B2F9  AD                  LODSD
001B:0056B2FA  83F8FF              CMP       EAX,-01
001B:0056B2FD  7474                JZ        0056B373             (JUMP )
/* Note the destination of this jz */
001B:0056B2FF  0385E6904000        ADD       EAX,[EBP+004090E6]
001B:0056B305  8BD8                MOV       EBX,EAX
001B:0056B307  AD                  LODSD
001B:0056B308  0385E6904000        ADD       EAX,[EBP+004090E6]
001B:0056B30E  8BD0                MOV       EDX,EAX
001B:0056B310  AD                  LODSD
001B:0056B311  8BC8                MOV       ECX,EAX
001B:0056B313  57                  PUSH      EDI
001B:0056B314  56                  PUSH      ESI
001B:0056B315  8BF3                MOV       ESI,EBX
001B:0056B317  57                  PUSH      EDI
001B:0056B318  51                  PUSH      ECX
001B:0056B319  8BC1                MOV       EAX,ECX
001B:0056B31B  C1F902              SAR       ECX,02
001B:0056B31E  F3A5                REPZ MOVSD
001B:0056B320  03C8                ADD       ECX,EAX
001B:0056B322  83E103              AND       ECX,03
001B:0056B325  F3A4                REPZ MOVSB
001B:0056B327  59                  POP       ECX
001B:0056B328  5E                  POP       ESI
001B:0056B329  8BFA                MOV       EDI,EDX
001B:0056B32B  8BC1                MOV       EAX,ECX
001B:0056B32D  C1F902              SAR       ECX,02
001B:0056B330  F3A5                REPZ MOVSD
001B:0056B332  03C8                ADD       ECX,EAX
001B:0056B334  83E103              AND       ECX,03
001B:0056B337  F3A4                REPZ MOVSB
001B:0056B339  5E                  POP       ESI
001B:0056B33A  AD                  LODSD
001B:0056B33B  8BC8                MOV       ECX,EAX
001B:0056B33D  8BD0                MOV       EDX,EAX
001B:0056B33F  33C0                XOR       EAX,EAX
001B:0056B341  C1F902              SAR       ECX,02
001B:0056B344  F3AB                REPZ STOSD
001B:0056B346  03CA                ADD       ECX,EDX
001B:0056B348  83E103              AND       ECX,03
001B:0056B34B  F3AA                REPZ STOSB
001B:0056B34D  8B7EF0              MOV       EDI,[ESI-10]
001B:0056B350  03BDE6904000        ADD       EDI,[EBP+004090E6]
001B:0056B356  8B4EF4              MOV       ECX,[ESI-0C]
001B:0056B359  038DE6904000        ADD       ECX,[EBP+004090E6]
001B:0056B35F  2BCF                SUB       ECX,EDI
001B:0056B361  8BD1                MOV       EDX,ECX
001B:0056B363  C1F902              SAR       ECX,02
001B:0056B366  F3AB                REPZ STOSD
001B:0056B368  03CA                ADD       ECX,EDX
001B:0056B36A  83E103              AND       ECX,03
001B:0056B36D  F3AA                REPZ STOSB
001B:0056B36F  5F                  POP       EDI
001B:0056B370  EB87                JMP       0056B2F9
001B:0056B372  0F6800              PUNPCKHBW MM0,[EAX]
001B:0056B375  40                  INC       EAX
001B:0056B376  0000                ADD       [EAX],AL
001B:0056B378  6A00                PUSH      00
001B:0056B37A  57                  PUSH      EDI
____________________________________________________