分享
 
 
 

又见TLS-Unpacking read-me's UnpackMe

王朝other·作者佚名  2006-01-10
窄屏简体版  字體: |||超大  

又见TLS-Unpacking read-me's UnpackMe

作者:来自轻院的狼[+Immlep+]

目标:umpakme_by-read-me.

加壳方式:Unknow

注:Tls泛滥了,这几天心情乱,教程写的也比较乱,大家就将就下了,如果你要脱这个UnpackMe的话自己动手看看是最好的。

这个壳是在Crackl@b上看到的,作者在上面发布了这个CrackMe,出于习惯,所以就下载来看看,本来也没有想要去脱的,一来,已经很久没有

脱壳了,二来,现在的壳要么简单,要么BT。习惯性的试试用OllyDbg载入,F9看看,如果可以运行,那么我就会把这个壳丢到一旁去,可是。

。。。。当然我用OllyDbg时,连F9也没有按,突然间,我机上的程序全部不能动弹了,ALT+Ctrl+Del也没用了。。。。汗个,重启。。

这个鸟壳,用了什么恶毒的招数?而且没有中断在入口点,估计是用了Tls,用PETools看了一下,果然看到Tls表,address of Callbacks 指

向了00464B40,打开OllyDbg,在设置选项中选择“中断在系统断点(System BreakPonit)”,ok,现在用OllyDbg载入,命令行中输入 follow

[00464B40],来到Tls回调函数处:

00464000 E8 00000000 CALL umpakme_.00464005 ;Tls回调函数处,这里下断点

00464005 5D POP EBP

00464006 81ED 05000000 SUB EBP, 5

0046400C E8 D9030000 CALL umpakme_.004643EA ;这里进去是一个IsDebuggerPresent的anti

00464011 E8 BF020000 CALL umpakme_.004642D5 ;这里进去,发生一个异常,清除硬件断点。

00464016 EB 01 JMP SHORT umpakme_.00464019

在0464000处下断点后,F9运行,中断在464000处,现在开始我们的脱壳之旅。

--------IsDebuggerPresent----------

004643EA 64:A1 18000000 MOV EAX, DWORD PTR FS:[18]

004643F0 8B40 30 MOV EAX, DWORD PTR [EAX+30]

004643F3 0FB640 02 MOVZX EAX, BYTE PTR [EAX+2]

004643F7 83F8 01 CMP EAX, 1

004643FA 74 01 JE SHORT umpakme_.004643FD

004643FC C3 RETN

--------IsDebuggerPresent----------

--------anti hardware breackpoint------

00464306 8B4424 0C MOV EAX, DWORD PTR [ESP+C]

0046430A C780 B0000000 C4F91200 MOV DWORD PTR [EAX+B0], 12F9C4

00464314 C740 04 00000000 MOV DWORD PTR [EAX+4], 0

0046431B C740 08 00000000 MOV DWORD PTR [EAX+8], 0

00464322 C740 0C 00000000 MOV DWORD PTR [EAX+C], 0

00464329 C740 10 00000000 MOV DWORD PTR [EAX+10], 0

00464330 C740 14 00000000 MOV DWORD PTR [EAX+14], 0

00464337 C740 18 00000000 MOV DWORD PTR [EAX+18], 0

0046433E B8 00000000 MOV EAX, 0

00464343 C3 RETN

--------anti hardware breackpoint-------

F7慢慢走。。

--------恶毒代码开始---------------

0046444A E8 52070000 CALL umpakme_.00464BA1 ;取kernel base

0046444F 8BF8 MOV EDI, EAX

00464451 8D85 3A090000 LEA EAX, DWORD PTR [EBP+93A] ;LoadLibraryA

00464457 50 PUSH EAX ;LoadLibraryA

00464458 57 PUSH EDI

00464459 E8 58070000 CALL umpakme_.00464BB6 ;取LoadLibraryA地址

0046445E 8D9D EF060000 LEA EBX, DWORD PTR [EBP+6EF]

00464464 53 PUSH EBX ;ASCII "ntDLL"

00464465 FFD0 CALL NEAR EAX ;加载ntDLL.dll

00464467 8BF0 MOV ESI, EAX

00464469 8D9D 5B070000 LEA EBX, DWORD PTR [EBP+75B] ;ASCII "NtSuspendProcess"

0046446F 53 PUSH EBX

00464470 56 PUSH ESI

00464471 E8 40070000 CALL umpakme_.00464BB6 ;取NtSuspendProcess的地址

00464476 8D9D 57070000 LEA EBX, DWORD PTR [EBP+757]

0046447C 8903 MOV DWORD PTR [EBX], EAX

0046447E 8D9D 70070000 LEA EBX, DWORD PTR [EBP+770] ; ASCII "NtResumeProcess"

00464484 53 PUSH EBX

00464485 56 PUSH ESI

00464486 E8 2B070000 CALL umpakme_.00464BB6 ;取NtResumeProcess的地址

0046448B 8D9D 6C070000 LEA EBX, DWORD PTR [EBP+76C]

00464491 8903 MOV DWORD PTR [EBX], EAX

00464493 8D85 09070000 LEA EAX, DWORD PTR [EBP+709] ;ASCII "CreateToolhelp32Snapshot"

00464499 50 PUSH EAX

0046449A 57 PUSH EDI

0046449B E8 16070000 CALL umpakme_.00464BB6

004644A0 8D9D 05070000 LEA EBX, DWORD PTR [EBP+705]

004644A6 8903 MOV DWORD PTR [EBX], EAX

004644A8 8D85 26070000 LEA EAX, DWORD PTR [EBP+726] ;ASCII "Process32First"

004644AE 50 PUSH EAX

004644AF 57 PUSH EDI

004644B0 E8 01070000 CALL umpakme_.00464BB6

004644B5 8D9D 22070000 LEA EBX, DWORD PTR [EBP+722]

004644BB 8903 MOV DWORD PTR [EBX], EAX

004644BD 8D85 4B070000 LEA EAX, DWORD PTR [EBP+74B] ;ASCII "OpenProcess"

004644C3 50 PUSH EAX

004644C4 57 PUSH EDI

004644C5 E8 EC060000 CALL umpakme_.00464BB6

004644CA 8D9D 47070000 LEA EBX, DWORD PTR [EBP+747]

004644D0 8903 MOV DWORD PTR [EBX], EAX

004644D2 8D85 39070000 LEA EAX, DWORD PTR [EBP+739] ;ASCII "Process32Next"

004644D8 50 PUSH EAX

004644D9 57 PUSH EDI

004644DA E8 D7060000 CALL umpakme_.00464BB6

004644DF 8D9D 35070000 LEA EBX, DWORD PTR [EBP+735]

004644E5 8903 MOV DWORD PTR [EBX], EAX

004644E7 8D85 F9060000 LEA EAX, DWORD PTR [EBP+6F9] ;ASCII "CloseHandle"

004644ED 50 PUSH EAX

004644EE 57 PUSH EDI

004644EF E8 C2060000 CALL umpakme_.00464BB6

004644F4 8D9D F5060000 LEA EBX, DWORD PTR [EBP+6F5]

004644FA 8903 MOV DWORD PTR [EBX], EAX

004644FC 6A 00 PUSH 0

004644FE 6A 02 PUSH 2

00464500 8D85 05070000 LEA EAX, DWORD PTR [EBP+705]

00464506 8B00 MOV EAX, DWORD PTR [EAX]

00464508 FFD0 CALL NEAR EAX ; CreateToolhelp32Snapshot

0046450A 8D9D BF050000 LEA EBX, DWORD PTR [EBP+5BF]

00464510 8903 MOV DWORD PTR [EBX], EAX

00464512 8D9D C3050000 LEA EBX, DWORD PTR [EBP+5C3]

00464518 C703 28010000 MOV DWORD PTR [EBX], 128

0046451E 8D85 C3050000 LEA EAX, DWORD PTR [EBP+5C3]

00464524 50 PUSH EAX

00464525 8D85 BF050000 LEA EAX, DWORD PTR [EBP+5BF]

0046452B FF30 PUSH DWORD PTR [EAX]

0046452D 8D85 22070000 LEA EAX, DWORD PTR [EBP+722]

00464533 8B00 MOV EAX, DWORD PTR [EAX]

00464535 FFD0 CALL NEAR EAX ; Process32First

00464537 8D9D BB050000 LEA EBX, DWORD PTR [EBP+5BB]

0046453D 8903 MOV DWORD PTR [EBX], EAX

0046453F 8D9D DB050000 LEA EBX, DWORD PTR [EBP+5DB]

00464545 8B03 MOV EAX, DWORD PTR [EBX]

00464547 64:8B0D 18000000 MOV ECX, DWORD PTR FS:[18]

0046454E 8B49 20 MOV ECX, DWORD PTR [ECX+20]

00464551 3BC1 CMP EAX, ECX

00464553 74 1D JE SHORT umpakme_.00464572 ;比较是不是本身进程

00464555 50 PUSH EAX

00464556 6A 01 PUSH 1

00464558 68 FF0F1F00 PUSH 1F0FFF

0046455D 8D85 47070000 LEA EAX, DWORD PTR [EBP+747]

00464563 8B00 MOV EAX, DWORD PTR [EAX]

00464565 FFD0 CALL NEAR EAX ; OpenProcess

00464567 50 PUSH EAX

00464568 8D85 57070000 LEA EAX, DWORD PTR [EBP+757]

0046456E 8B00 MOV EAX, DWORD PTR [EAX]

00464570 FFD0 CALL NEAR EAX ;NtSuspendProcess,好毒,挂起所有的进程,不死才怪

00464572 8D85 C3050000 LEA EAX, DWORD PTR [EBP+5C3]

00464578 50 PUSH EAX

00464579 8D85 BF050000 LEA EAX, DWORD PTR [EBP+5BF]

0046457F FF30 PUSH DWORD PTR [EAX]

00464581 8D85 35070000 LEA EAX, DWORD PTR [EBP+735]

00464587 8B00 MOV EAX, DWORD PTR [EAX]

00464589 FFD0 CALL NEAR EAX ;Process32Next

0046458B 8D9D BB050000 LEA EBX, DWORD PTR [EBP+5BB]

00464591 8903 MOV DWORD PTR [EBX], EAX

00464593 83F8 00 CMP EAX, 0

00464596 ^ 75 A7 JNZ SHORT umpakme_.0046453F ;取完所有的进程?

00464598 8D85 BF050000 LEA EAX, DWORD PTR [EBP+5BF]

0046459E FF30 PUSH DWORD PTR [EAX]

004645A0 8D85 F5060000 LEA EAX, DWORD PTR [EBP+6F5]

004645A6 8B00 MOV EAX, DWORD PTR [EAX]

004645A8 FFD0 CALL NEAR EAX ;CloseHandle

004645AA 8D85 E5000000 LEA EAX, DWORD PTR [EBP+E5]

004645B0 8B18 MOV EBX, DWORD PTR [EAX]

004645B2 81F3 A0860100 XOR EBX, 186A0

004645B8 8918 MOV DWORD PTR [EAX], EBX

004645BA C3 RETN

--------恶毒代码结束---------------

可以看到,上面的一段代码,是把本身进程外的其它进程挂起,本来如果这个壳按照平常那样运行的话,对于一些系统的进程,它没有足够的

权限,它是无法挂起的系统进程,这样的话,一旦壳出错的话,问题就不大,至少不用重启,不过如果用OllyDbg调试的话,这个壳的进程的权

限就会提高,这样它就可以打开系统进程,就会把系统进程也挂起,这样搞不好的话就要重启了。。躲个这个anti的方法比较简单,在

00464553和00464596处改标志位让它跳就可以了。。

f7继续。。。。

-------RDTSC Anti---------

0046425C 8D85 8E020000 LEA EAX, DWORD PTR [EBP+28E]

00464262 50 PUSH EAX

00464263 64:FF35 00000000 PUSH DWORD PTR FS:[0]

0046426A 64:8925 00000000 MOV DWORD PTR FS:[0], ESP

00464271 8D85 92020000 LEA EAX, DWORD PTR [EBP+292]

00464277 8D9D 9F020000 LEA EBX, DWORD PTR [EBP+29F]

0046427D 8958 06 MOV DWORD PTR [EAX+6], EBX

00464280 8D8D CD020000 LEA ECX, DWORD PTR [EBP+2CD]

00464286 0F31 RDTSC

00464288 8901 MOV DWORD PTR [ECX], EAX ;RDTSC保存第一个值

0046428A 33D2 XOR EDX, EDX

0046428C 8802 MOV BYTE PTR [EDX], AL ;异常

0046428E 8B7424 0C MOV ESI, DWORD PTR [ESP+C]

00464292 C786 B8000000 9F>MOV DWORD PTR [ESI+B8], 29F

0046429C 33C0 XOR EAX, EAX

0046429E C3 RETN

0046429F 64:8F05 00000000 POP DWORD PTR FS:[0] ; 异常恢复后到这里

004642A6 83C4 04 ADD ESP, 4

004642A9 8D8D CD020000 LEA ECX, DWORD PTR [EBP+2CD]

004642AF 0F31 RDTSC ;RDTSC保存第二个值

004642B1 8B19 MOV EBX, DWORD PTR [ECX]

004642B3 2BC3 SUB EAX, EBX

004642B5 8901 MOV DWORD PTR [ECX], EAX

004642B7 8B01 MOV EAX, DWORD PTR [ECX]

004642B9 3D 00093D00 CMP EAX, 3D0900

004642BE 7F 01 JG SHORT umpakme_.004642C1 ;计算前后两次RDTSC的值差,超过3D0900的话就over了,这里不

要让它跳。

004642C0 C3 RETN

-------RDTSC Anti---------

F7继续。。。

一会儿就来到核心了,看来这个壳似乎还是挺温柔的。。。没有什么小花。。

004640A6 E8 5A010000 CALL umpakme_.00464205 ;OutputDebugStringA。。。。又一个anti

004640AB E8 F0020000 CALL umpakme_.004643A0 ;里面发生了一个异常,没有什么看头。。。

004640B0 E8 4F030000 CALL umpakme_.00464404 ;又一个anti,调用无用的OpenServiceA函数来鸟掉OllyDbg

004640B5 E8 10090000 CALL umpakme_.004649CA ;这里进去,解压各个区段。。。。

004640BA E8 A0090000 CALL umpakme_.00464A5F ;这里进去取一个随即数

004640BF E8 00000000 CALL umpakme_.004640C4

004640C4 5D POP EBP

004640C5 81ED C4000000 SUB EBP, 0C4

004640CB E8 86080000 CALL umpakme_.00464956 ;这里进入处理输入表

004640D0 E8 6A070000 CALL umpakme_.0046483F ;这个call可以步过。。

004640D5 E8 6F090000 CALL umpakme_.00464A49 ;这个call可以步过。。

004640DA E8 F1090000 CALL umpakme_.00464AD0 ;又一个anti--ZwSetInformationThread

004640DF E8 9C060000 CALL umpakme_.00464780 ;恢复被挂起的进程

004640E4 68 5C004500 PUSH umpakme_.0045005C ;OEP

004640E9 C3 RETN

---------OutputDebugStringA anti-----------

00464205 E8 97090000 CALL umpakme_.00464BA1

0046420A 8BF8 MOV EDI, EAX

0046420C 8D85 49020000 LEA EAX, DWORD PTR [EBP+249]

00464212 50 PUSH EAX

00464213 57 PUSH EDI ; kernel32.77E40000

00464214 E8 9D090000 CALL umpakme_.00464BB6

00464219 8D8D 44020000 LEA ECX, DWORD PTR [EBP+244]

0046421F 51 PUSH ECX ; umpakme_.004642CD

00464220 FFD0 CALL NEAR EAX ; kernel32.OutputDebugStringA

00464222 8D8D 44020000 LEA ECX, DWORD PTR [EBP+244]

00464228 8139 3A2D2900 CMP DWORD PTR [ECX], 292D3A ;OutputDebugStringA一下,看是不是笑脸“:-)”

0046422E 75 13 JNZ SHORT umpakme_.00464243 ;看到OllDbg笑的话,就Over了啊,这里让它跳。。

00464230 E8 04000000 CALL umpakme_.00464239

00464235 33C0 XOR EAX, EAX

00464237 3100 XOR DWORD PTR [EAX], EAX

00464239 33C0 XOR EAX, EAX

0046423B 50 PUSH EAX

0046423C 64:8920 MOV DWORD PTR FS:[EAX], ESP

0046423F - FF6424 04 JMP NEAR DWORD PTR [ESP+4]

00464243 C3 RETN

---------OutputDebugStringA anti-----------

一下这个anti比较少见,可以看到OpenServiceA这个函数的参数的是乱压栈的,经过分析知道,在OllyDbg中,因为OpenServiceA传递的错误的

参数,所以OllyDbg中会异常,无法在执行,而如果按照平常方式运行这个CrackMe的话,系统就会处理这个这乱搞的函数,程序还是可以继续

运行,只不过OpenServiceA调用返回失败,按照推理的话,应该有不少这样的函数可以用来Anti OllyDbg,对付这种anti的方法就是不要让它

执行这个函数。

---------OpenServiceA anti--------------

00464404 E8 98070000 CALL umpakme_.00464BA1

00464409 8BF8 MOV EDI, EAX

0046440B 8D85 3A090000 LEA EAX, DWORD PTR [EBP+93A]

00464411 50 PUSH EAX

00464412 57 PUSH EDI

00464413 E8 9E070000 CALL umpakme_.00464BB6

00464418 8D9D 41040000 LEA EBX, DWORD PTR [EBP+441]

0046441E 53 PUSH EBX

0046441F FFD0 CALL NEAR EAX

00464421 8D9D 34040000 LEA EBX, DWORD PTR [EBP+434]

00464427 53 PUSH EBX

00464428 50 PUSH EAX

00464429 E8 88070000 CALL umpakme_.00464BB6

0046442E 83EC 0C SUB ESP, 0C ;执行到这里的时候直接跳到00464433执行

00464431 FFD0 CALL NEAR EAX ; OpenServiceA

00464433 C3 RETN ;当执行到0046442E时直接修改EIP到这里,Return to 004640B5

---------OpenServiceA anti--------------

--------处理输入表--------------

00464956 8D8D EF000000 LEA ECX, DWORD PTR [EBP+EF]

0046495C 8B09 MOV ECX, DWORD PTR [ECX]

0046495E 038D 87010000 ADD ECX, DWORD PTR [EBP+187] ;

00464964 81E9 0A000000 SUB ECX, 0A

0046496A 8B9D 4C0B0000 MOV EBX, DWORD PTR [EBP+B4C]

00464970 039D 87010000 ADD EBX, DWORD PTR [EBP+187]

00464976 4B DEC EBX

00464977 43 INC EBX

00464978 8BF3 MOV ESI, EBX

0046497A 43 INC EBX

0046497B 803B 00 CMP BYTE PTR [EBX], 0

0046497E ^ 75 FA JNZ SHORT umpakme_.0046497A

00464980 43 INC EBX

00464981 8B13 MOV EDX, DWORD PTR [EBX]

00464983 0395 87010000 ADD EDX, DWORD PTR [EBP+187]

00464989 83C3 04 ADD EBX, 4

0046498C 8942 04 MOV DWORD PTR [EDX+4], EAX

0046498F 81C1 0A000000 ADD ECX, 0A

00464995 890A MOV DWORD PTR [EDX], ECX ;ECX等于处理后的函数的地址。

00464997 60 PUSHAD

00464998 9C PUSHFD

00464999 E8 28F8FFFF CALL umpakme_.004641C6 ;这里要进去,有一个anti。。。。

0046499E 83F8 00 CMP EAX, 0

004649A1 74 02 JE SHORT umpakme_.004649A5

004649A3 ^ EB D5 JMP SHORT umpakme_.0046497A

004649A5 9D POPFD

004649A6 61 POPAD

004649A7 43 INC EBX

004649A8 803B 00 CMP BYTE PTR [EBX], 0

004649AB ^ 75 FA JNZ SHORT umpakme_.004649A7

004649AD 83C2 04 ADD EDX, 4

004649B0 43 INC EBX

004649B1 807B 01 00 CMP BYTE PTR [EBX+1], 0

004649B5 74 12 JE SHORT umpakme_.004649C9

004649B7 803B 00 CMP BYTE PTR [EBX], 0

004649BA ^ 74 BB JE SHORT umpakme_.00464977

004649BC 8942 04 MOV DWORD PTR [EDX+4], EAX

004649BF 81C1 0A000000 ADD ECX, 0A

004649C5 890A MOV DWORD PTR [EDX], ECX

004649C7 ^ EB DE JMP SHORT umpakme_.004649A7

004649C9 C3 RETN

--------处理输入表--------------

下面来看看00464999处一个Call的代码

-----------------------

004641C6 64:A1 30000000 MOV EAX, DWORD PTR FS:[30]

004641CC 8B40 0C MOV EAX, DWORD PTR [EAX+C] ;指向Ldr

004641CF 25 0000FFFF AND EAX, FFFF0000 ;取高位,基址???

004641D4 8B40 10 MOV EAX, DWORD PTR [EAX+10] ;这个anti不太清楚,我看了一下发现,如果被调试的话

[EAX+10]的值为4000060

004641D7 C3 RETN ;如果没有被调试的话,[EAX+10] 的值为000000,所以在这

我们转到数据窗口

;把[EAX+10]指向的地址中的四个字节清为零就可以了,我这

里的地址是00240010

-----------------------

---------anti ZwSetInformationThread--------

00464AD0 E8 CC000000 CALL umpakme_.00464BA1

00464AD5 8BF8 MOV EDI, EAX

00464AD7 <> 8D85 3A090000 LEA EAX, DWORD PTR [EBP+93A]

00464ADD 50 PUSH EAX

00464ADE 57 PUSH EDI

00464ADF E8 D2000000 CALL umpakme_.00464BB6

00464AE4 8D8D 1E0B0000 LEA ECX, DWORD PTR [EBP+B1E]

00464AEA 51 PUSH ECX

00464AEB FFD0 CALL NEAR EAX

00464AED 8D9D 070B0000 LEA EBX, DWORD PTR [EBP+B07]

00464AF3 53 PUSH EBX

00464AF4 50 PUSH EAX

00464AF5 E8 BC000000 CALL umpakme_.00464BB6

00464AFA 8BD8 MOV EBX, EAX ;执行到这里是直接修改EIP到00464B06执行。也就是不要让它调

用这个函数。

00464AFC 6A 00 PUSH 0

00464AFE 6A 00 PUSH 0

00464B00 6A 11 PUSH 11

00464B02 6A FE PUSH -2

00464B04 FFD3 CALL NEAR EBX ; ntdll.ZwSetInformationThread

00464B06 C3 RETN Return to 004640DF

---------anti ZwSetInformationThread--------

现在到了OEP了

------------

0045005C 55 PUSH EBP ; umpakme_.00464000

0045005D 8BEC MOV EBP, ESP

0045005F 83C4 F0 ADD ESP, -10

00450062 B8 7CFE4400 MOV EAX, umpakme_.0044FE7C

00450067 E8 5C5BFBFF CALL umpakme_.00405BC8

0045006C A1 30204500 MOV EAX, DWORD PTR [452030]

00450071 8B00 MOV EAX, DWORD PTR [EAX]

00450073 E8 F0E5FFFF CALL umpakme_.0044E668

00450078 8B0D 10214500 MOV ECX, DWORD PTR [452110] ; umpakme_.00453BD0

0045007E A1 30204500 MOV EAX, DWORD PTR [452030]

00450083 8B00 MOV EAX, DWORD PTR [EAX]

00450085 8B15 08FC4400 MOV EDX, DWORD PTR [44FC08] ; umpakme_.0044FC54

0045008B E8 F0E5FFFF CALL umpakme_.0044E680

00450090 A1 30204500 MOV EAX, DWORD PTR [452030]

00450095 8B00 MOV EAX, DWORD PTR [EAX]

00450097 E8 64E6FFFF CALL umpakme_.0044E700

0045009C E8 7F3CFBFF CALL umpakme_.00403D20

------------

修复输入表:

对于输入表,有兴趣的可以看看,这个壳对输入表处理的方法我觉得还是不错,所有的函数名被保存,通过壳中编好的序列号来调用函数。

00466167 B8 01000000 MOV EAX, 1

0046616C ^ E9 26E7FFFF JMP umpakme_.00464897

00466171 B8 02000000 MOV EAX, 2

00466176 ^ E9 1CE7FFFF JMP umpakme_.00464897

0046617B B8 03000000 MOV EAX, 3

00466180 ^ E9 12E7FFFF JMP umpakme_.00464897

00466185 B8 04000000 MOV EAX, 4

0046618A ^ E9 08E7FFFF JMP umpakme_.00464897

0046618F B8 05000000 MOV EAX, 5

00466194 ^ E9 FEE6FFFF JMP umpakme_.00464897

00466199 B8 06000000 MOV EAX, 6

0046619E ^ E9 F4E6FFFF JMP umpakme_.00464897

004661A3 B8 07000000 MOV EAX, 7

004661A8 ^ E9 EAE6FFFF JMP umpakme_.00464897

004661AD B8 08000000 MOV EAX, 8

通过查看EAX里面的编号查看函数的函数名,然后通过00464897处获取这个函数的地址,调到这个函数执行。我找了个地方写入如下代码来恢复

00464555 60 PUSHAD

00464556 B9 18414500 MOV ECX, umpakme_.00454118 ;00454118 为输入表函数开始地址。

0046455B 51 PUSH ECX ; ntdll.77F532FA

0046455C 51 PUSH ECX ; ntdll.77F532FA

0046455D 8B01 MOV EAX, DWORD PTR [ECX]

0046455F FFD0 CALL NEAR EAX ; ntdll.RtlDeleteCriticalSection

00464561 59 POP ECX ; ntdll.77F532FA

00464562 8B3424 MOV ESI, DWORD PTR [ESP]

00464565 83C4 04 ADD ESP, 4

00464568 8931 MOV DWORD PTR [ECX], ESI ; umpakme_.00464C52

0046456A 83C1 04 ADD ECX, 4

0046456D 66:8379 02 46 CMP WORD PTR [ECX+2], 46

00464572 74 03 JE SHORT umpakme_.00464577

00464574 83C1 04 ADD ECX, 4

00464577 8339 00 CMP DWORD PTR [ECX], 0

0046457A 74 02 JE SHORT umpakme_.0046457E

0046457C ^ EB DD JMP SHORT umpakme_.0046455B

0046457E 61 POPAD

0046457F 90 NOP

写完代码后不要执行先,跳到00464933处:

-----

00464933 894424 24 MOV DWORD PTR [ESP+24], EAX

00464937 9D POPFD

00464938 61 POPAD

00464939 C3 RETN

这里还要处理一下,找到地方写补丁代码,修改后的代码为:

00464933 ^\E9 4AFCFFFF JMP umpakme_.00464582

00464938 61 POPAD

00464939 C3 RETN

到00464582处,写入代码:

00464582 894424 30 MOV DWORD PTR [ESP+30], EAX

00464586 9D POPFD

00464587 61 POPAD

00464588 83C4 04 ADD ESP, 4

0046458B C3 RET

------

写完上面的代码后,将EIP改到00464555,在0046457E下断点,F9让它执行玩这段补丁代码。执行所有补丁代码后,撤销这些补丁代码,将eip

转到OEP=0045005C处,现在可以dump了,然后用ImpRec修复输入表,保存为Unpacked_.exe,用PETools打开数据目录表中tls表,除了Address

of index和Address of callbacks外,其它的按照脱壳前的填写,Address of callbacks我们这里需要将它修改为一个指向000000的地址。通

过看tls段,发现开始地址处457000处的字节为00000000,所以这里将Address of index和Address of callbacks的值都填上457000,保存修改

,运行,OK。。。。叫老猫test了一下。。他说2003不能运行~晕~不鸟它了。。有兴趣的可以看看。。

附件包含了脱壳和未脱壳的文件,脱壳的文件本机XP运行没问题。

http://bbs.pediy.com/upload/2005/8/files/umpakme_by_read_me.rar

 
 
 
免责声明:本文为网络用户发布,其观点仅代表作者个人观点,与本站无关,本站仅提供信息存储服务。文中陈述内容未经本站证实,其真实性、完整性、及时性本站不作任何保证或承诺,请读者仅作参考,并请自行核实相关内容。
2023年上半年GDP全球前十五强
 百态   2023-10-24
美众议院议长启动对拜登的弹劾调查
 百态   2023-09-13
上海、济南、武汉等多地出现不明坠落物
 探索   2023-09-06
印度或要将国名改为“巴拉特”
 百态   2023-09-06
男子为女友送行,买票不登机被捕
 百态   2023-08-20
手机地震预警功能怎么开?
 干货   2023-08-06
女子4年卖2套房花700多万做美容:不但没变美脸,面部还出现变形
 百态   2023-08-04
住户一楼被水淹 还冲来8头猪
 百态   2023-07-31
女子体内爬出大量瓜子状活虫
 百态   2023-07-25
地球连续35年收到神秘规律性信号,网友:不要回答!
 探索   2023-07-21
全球镓价格本周大涨27%
 探索   2023-07-09
钱都流向了那些不缺钱的人,苦都留给了能吃苦的人
 探索   2023-07-02
倩女手游刀客魅者强控制(强混乱强眩晕强睡眠)和对应控制抗性的关系
 百态   2020-08-20
美国5月9日最新疫情:美国确诊人数突破131万
 百态   2020-05-09
荷兰政府宣布将集体辞职
 干货   2020-04-30
倩女幽魂手游师徒任务情义春秋猜成语答案逍遥观:鹏程万里
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案神机营:射石饮羽
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案昆仑山:拔刀相助
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案天工阁:鬼斧神工
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案丝路古道:单枪匹马
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:与虎谋皮
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:李代桃僵
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:指鹿为马
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案金陵:小鸟依人
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案金陵:千金买邻
 干货   2019-11-12
 
推荐阅读
 
 
 
>>返回首頁<<
 
靜靜地坐在廢墟上,四周的荒凉一望無際,忽然覺得,淒涼也很美
© 2005- 王朝網路 版權所有