標籤:pe格式 加密
菜駒也玩加密殼之ACProtect之OEP的處理
附件下載:加殼檔案和pdf
1. 加密過程:
ACProctect v1.41版本
分析對OEP進入點代碼的偷取
2. 分析過程:
載入後,EIP= 00412000
00412000> 60 pushad
00412001 E8 01000000 call vcmfc庫1.00412007
00412006 - 7E 83 jle Xvcmfc庫1.00411F8B
00412008 04 24 add al,0x24
0041200A 06 push es
0041200B C3 retn
0041200C 77 01 ja Xvcmfc庫1.0041200F
0041200E 43 inc ebx
0041200F FC cld
00412010 75 01 jnz Xvcmfc庫1.00412013
進入點是在殼段(地址:00412000,大小:19000)
根據殼的特徵,用ESP,在00412001處下HR ESP
來到這裡:
0041254A 56 push esi
0041254B 8F05 A1294100 pop dword ptr ds:[0x4129A1]
00412551 60 pushad
00412552 78 03 js Xvcmfc庫1.00412557
00412554 79 01 jns Xvcmfc庫1.00412557
00412556 7B 40 jpo Xvcmfc庫1.00412598
可以看到pushad,清除上面的硬體斷點後,在pushad下面下HR ESP
來到這裡:
00427753 51 push ecx
00427754 8F05 89284100 pop dword ptr ds:[0x412889] ; [889] = ecx
0042775A 60 pushad
0042775B 61 popad
0042775C 51 push ecx
0042775D 8F05 CD294100 pop dword ptr ds:[0x4129CD] ; [9cd] = ecx
00427763 FF35 CD294100 push dword ptr ds:[0x4129CD]
00427769 8915 E1284100 mov dword ptr ds:[0x4128E1],edx
0042776F FF35 E1284100 push dword ptr ds:[0x4128E1]
00427775 56 push esi
00427776 BE 11294100 mov esi,vcmfc庫1.00412911
0042777B 8BD6 mov edx,esi
0042777D 5E pop esi
0042777E 52 push edx
0042777F 59 pop ecx ; ecx =edx = 412911
00427780 8F05 3D284100 pop dword ptr ds:[0x41283D]
00427786 8B15 3D284100 mov edx,dword ptr ds:[0x41283D]
0042778C 8929 mov dword ptr ds:[ecx],ebp ; [412911] = ebp
0042778E 8F05 A12A4100 pop dword ptr ds:[0x412AA1]
00427794 56 push esi
00427795 BE A12A4100 mov esi,vcmfc庫1.00412AA1
0042779A 8B0E mov ecx,dword ptr ds:[esi]
0042779C 5E pop esi
0042779D FF35 11294100 push dword ptr ds:[0x412911] ; 這地方就是被偷的第一句代碼pushebp
004277A3 8925 192B4100 mov dword ptr ds:[0x412B19],esp
004277A9 90 nop
004277AA 90 nop
004277AB 60 pushad
004277AC E8 01000000 call vcmfc庫1.004277B2
004277B1 ^ 77 83 ja Xvcmfc庫1.00427736
注意其中的nop nop pushad 這三條指令,出現這個意味著這就是偷取的代碼的開始。。。。當然,這裡的nop是隨意填充的,可能沒有,也可能有一個,也可能有兩個,也可能多個..關鍵是pushad指令
把NOP之前的指令全部複製成二進位儲存。
00427753 51 push ecx
00427754 8F05 89284100 pop dword ptr ds:[0x412889] ; [889] = ecx
0042775A 60 pushad
0042775B 61 popad
0042775C 51 push ecx
0042775D 8F05 CD294100 pop dword ptr ds:[0x4129CD] ; [9cd] = ecx
00427763 FF35 CD294100 push dword ptr ds:[0x4129CD]
00427769 8915 E1284100 mov dword ptr ds:[0x4128E1],edx
0042776F FF35 E1284100 push dword ptr ds:[0x4128E1]
00427775 56 push esi
00427776 BE 11294100 mov esi,vcmfc庫1.00412911
0042777B 8BD6 mov edx,esi
0042777D 5E pop esi
0042777E 52 push edx
0042777F 59 pop ecx ; ecx =edx = 412911
00427780 8F05 3D284100 pop dword ptr ds:[0x41283D]
00427786 8B15 3D284100 mov edx,dword ptr ds:[0x41283D]
0042778C 8929 mov dword ptr ds:[ecx],ebp ; [412911] = ebp
0042778E 8F05 A12A4100 pop dword ptr ds:[0x412AA1]
00427794 56 push esi
00427795 BE A12A4100 mov esi,vcmfc庫1.00412AA1
0042779A 8B0E mov ecx,dword ptr ds:[esi]
0042779C 5E pop esi
0042779D FF35 11294100 push dword ptr ds:[0x412911] ; 這地方就是被偷的第一句代碼pushebp
004277A3 8925 192B4100 mov dword ptr ds:[0x412B19],esp
這段代碼的位元據為:
51 8F 05 89 2841 00 60 61 51 8F 05 CD 29 41 00 FF 35 CD 29 41 00 89 15 E1 28 41 00 FF 35 E128 41 00 56 BE 11 29 41 00 8B D6 5E 52 59 8F 05 3D 28 41 00 8B 15 3D 28 41 0089 29 8F 05 A1 2A 41 00 56 BE A1 2A 41 00 8B 0E 5E FF 35 11 29 41 00 89 25 192B 41 00
重複上面的步驟,直到n次,怎麼確定n,我這裡是彈出試用版nag之後就出現了。
把這n次之間的位元據都儲存下來。
00429106 /EB 01 jmp Xvcmfc庫1.00429109
00429108 |E8 FF254B91 call 918DB70C
0042910D 42 inc edx
00429106處是一個近跳,F7進去
00429109 - FF25 4B914200 jmp dword ptr ds:[0x42914B] ; vcmfc庫1.00405391
0042910F 60 pushad
00429110 E8 00000000 call vcmfc庫1.00429115
00429115 5E pop esi
00429116 83EE 06 sub esi,0x6
其中:
ds:[0042914B]=00405391 (vcmfc庫1.00405391)
這是一個跨段的長跳轉,何為跨段?當前指令是在00429109 它要跳到00405391,
從模組圖中看出,它是要從.perplex段跳到.text段執行..這就是傳說中的跨段
所以說,進到程式碼片段後,就是傳說中的偽OEP了,偽OEP是長得這個樣子的
下面就把它DUMP出來
用import rec修複下IAT,沒有問題 fix一下dump出來的檔案
Import rec會給檔案加一個.mackt的區段,裡面存的是輸入表,大小為1000,輸入表用不了這麼大的空間,我們把被偷的代碼放在這個區段裡好了。
用OD開啟修複過和dump_.exe,在0042b000的段處找一個空的位置,
我找的是0042BBA0,把上面得到的二進位貼上去,貼完後,再加上一句JMP 00405391(跳到偽OEP)
0042BEBF 58 POP EAX
0042BEC0 8908 MOV DWORD PTR DS:[EAX], ECX
0042BEC2 A1 A4604000 MOV EAX, DWORD PTR DS:[0x4060A4]
0042BEC7 - E9 C594FDFF JMP dumped_.<ModuleEntryPoint>
用LOAD PE把進入點修改成0042BBA0,OK,完工。。。
儲存的所有的位元據:
00427753 51 push ecx
00427754 8F05 89284100 pop dword ptrds:[0x412889] ; [889]= ecx
0042775A 60 pushad
0042775B 61 popad
0042775C 51 push ecx
0042775D 8F05 CD294100 pop dword ptrds:[0x4129CD] ; [9cd]= ecx
00427763 FF35 CD294100 push dword ptrds:[0x4129CD]
00427769 8915 E1284100 mov dword ptrds:[0x4128E1],edx
0042776F FF35 E1284100 push dword ptrds:[0x4128E1]
00427775 56 push esi
00427776 BE 11294100 mov esi,vcmfc庫1.00412911
0042777B 8BD6 mov edx,esi
0042777D 5E pop esi
0042777E 52 push edx
0042777F 59 pop ecx ; ecx =edx = 412911
00427780 8F05 3D284100 pop dword ptrds:[0x41283D]
00427786 8B15 3D284100 mov edx,dword ptrds:[0x41283D]
0042778C 8929 mov dword ptrds:[ecx],ebp ;[412911] = ebp
0042778E 8F05 A12A4100 pop dword ptrds:[0x412AA1]
00427794 56 push esi
00427795 BE A12A4100 mov esi,vcmfc庫1.00412AA1
0042779A 8B0E mov ecx,dword ptrds:[esi]
0042779C 5E pop esi
0042779D FF35 11294100 push dword ptrds:[0x412911] ; 這地方就是被偷的第一句代碼pushebp
004277A3 8925 192B4100 mov dword ptrds:[0x412B19],esp
51 8F 05 89 28 41 00 60 61 51 8F 05 CD 2941 00 FF 35 CD 29 41 00 89 15 E1 28 41 00 FF 35 E1 28
41 00 56 BE 11 29 41 00 8B D6 5E 52 59 8F05 3D 28 41 00 8B 15 3D 28 41 00 89 29 8F 05 A1 2A 41
00 56 BE A1 2A 41 00 8B 0E 5E FF 35 11 2941 00 89 25 19 2B 41 00
FF 35 19 2B 41 00 8F 05 C1 29 41 00 56 BEC1 29 41 00 8B 2E 5E 57 BF 9D 29 41 00 89 1F 5F FF 35
9D 29 41 00 89 35 31 28 41 00 FF 35 31 2841 00 68 FF FF FF FF 5E 89 35 99 2A 41 00 8B 1D 99 2A
41 00 8F 05 0D 2A 41 00 8B 35 0D 2A 41 0057
89 1C 24 8F 05 05 29 41 00 8F 05 19 28 4100 FF 35 19 28 41 00 5B FF 35 05 29 41 00 89 05 D5 2A
41 00 FF 35 D5 2A 41 00 89 3C 24 89 0C 24C7 04 24 A0 61 40 00 57 8F 05 E1 2A 41 00 FF 35 E1 2A
41 00 89 1C 24 C7 04 24 C0 54 40 00
64 A1 00 00 00 00 89 05 A5 29 41 00 FF 35A5 29 41 00 89 1C 24 89 0D 85 2A 41 00 FF 35 85 2A 41
00 57 BF 91 29 41 00 8B CF 5F 56 8B F1 8BDE 5E 8B 0C 24 8F 05 B5 2A 41 00 89 03 8B 1C 24 8F 05
ED 28 41 00 FF 35 91 29 41 00
64 89 25 00 00 00 00 83 EC 68 53 8F 05 D529 41 00 FF 35 D5 29 41 00 8F 05 99 28 41 00 FF 35 99
28 41 00 57 89 04 24 8F 05 65 29 41 00 FF35 65 29 41 00 89 34 24 52 8F 05 F1 28 41 00 FF 35 F1
28 41 00 89 3D C9 2A 41 00 FF 35 C9 2A 4100
56 8F 05 31 2A 41 00 60 61 68 E5 2A 41 005F 51 8B CF 8B D1 59 8F 05 B9 28 41 00 8B 3D B9 28 41
00 89 3A 8F 05 D1 28 41 00 53 BB D1 28 4100 8B 13 5B FF 35 E5 2A 41 00 89 65 E8 33 DB 89 5D FC
89 15 85 29 41 00 FF 35 85 29 41 00 89 3424 53 89 14 24 50 B8 02 00 00 00 60
8B D0 58 52 5E 8F 05 01 2A 41 00 8B 15 012A 41 00 56 89 14 24 50 B8 25 29 41 00 8B D0 58 89 32
8F 05 AD 29 41 00 8B 15 AD 29 41 00 8B 3424 8F 05 B9 2A 41 00 FF 35 25 29 41 00 FF 15 98 60 40
00 8F 05 01 29 41 00 50 B8 5D 2A 41 00 8938 58
FF 35 5D 2A 41 00 51 C7 04 24 01 29 41 008F 05 85 28 41 00 8B 3D 85 28 41 00 8B 0F 8B 3C 24 8F
05 61 29 41 00 83 0D B4 F1 40 00 FF 83 0DB8 F1 40 00 FF FF 15 9C 60 40 00 89 05 C1 28 41 00 FF
35 C1 28 41 00 57 BF 35 28 41 00 8B C7 5F89 30
8B 04 24 8F 05 41 28 41 00 FF 35 35 28 4100 50 8F 05 6D 2A 41 00 FF 35 6D 2A 41 00 89 3D 39 28
41 00 FF 35 39 28 41 00 51 B9 7C 71 40 008B F9 59 57 58 5F 50 5E 8F 05 2D 2A 41 00 8B 05 2D 2A
41 00 8B 0E 8F 05 11 2B 41 00 FF 35 11 2B41 00
55 8F 05 25 2B 41 00 60 61 5E 89 08 FF 15A0 60 40 00 52 8F 05 55 2A 41 00 FF 35 55 2A 41 00 C7
05 29 29 41 00 78 71 40 00 FF 35 29 29 4100 8F 05 35 2A 41 00 8B 15 35 2A 41 00 8B 0A 8F 05 C9
28 41 00 50 B8 C9 28 41 00 8B 10 58 89 08A1 A4 60 40 00
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
