Packer Study 1: Packing and Unpacking with PECompact 2.x
SkyJacker
http://blog.csdn.net/skyjacker
Email: HeMiaoYu <At> gmail.com
QQ: 67705517
2007-2-5
1. Packing process
Write a simple form application yourself, NullForm.exe, and pack it with PECompact 2.7 using the default options; the result is the packed program NullFormPe.exe.
Original and packed file information:
Original file size: 379 KB (388,096 bytes)
Original file size on disk: 384 KB (393,216 bytes)
Packed file size: 147 KB (150,528 bytes)
Packed file size on disk: 160 KB (163,840 bytes)
Compression ratio: 38% (150,528 / 388,096 bytes)
2. Unpacking process
Identify the packer with PEiD: PECompact 2.x -> Jeremy Collake. Load the file in OllyDbg; it stops at the program entry point:
00401000 > $ B8 20684600    mov eax, 00466820
00401005   . 50             push eax
00401006   . 64:FF35 00000> push dword ptr fs:[0]
0040100D   . 64:8925 00000> mov dword ptr fs:[0], esp
00401014   . 33C0           xor eax, eax
00401016   . 8908           mov dword ptr [eax], ecx
This is the PECompact 2.x entry trick: the stub pushes 00466820 as a new SEH handler, then writes through eax = 0 on purpose. The access violation hands control to that handler, and the real unpacking code runs from there. If OllyDbg pauses on the exception, pass it to the program with Shift+F9 so the handler gets it.
Set a breakpoint: bp VirtualFree, then run. (PECompact uses VirtualAlloc and VirtualFree to manage the buffer it decompresses into; the free happens after the original code has been restored, so it is a good place to stop.) Execution stops at:
7C809B14 >  8BFF            mov edi, edi
7C809B16    55              push ebp
7C809B17    8BEC            mov ebp, esp
7C809B19    FF75 10         push dword ptr [ebp+10]
7C809B1C    FF75 0C         push dword ptr [ebp+C]
7C809B1F    FF75 08         push dword ptr [ebp+8]
7C809B22    6A FF           push -1
7C809B24    E8 09000000     call VirtualFreeEx
7C809B29    5D              pop ebp
7C809B2A    C2 0C00         retn 0C
Keep pressing F8 up to the retn 0C, which returns one level up. Note that the 003Dxxxx addresses lie outside the 00400000 image: this is the stub's own working memory.
003D0934    8B4424 20       mov eax, dword ptr [esp+20]
003D0938    5F              pop edi
003D0939    5E              pop esi
003D093A    5B              pop ebx
003D093B    83C4 10         add esp, 10
003D093E    C2 0C00         retn 0C
Continue with F8; it returns to:
003D0F91    8BC8            mov ecx, eax
003D0F93    40              inc eax
003D0F94    74 74           je short 003D100A
003D0F96    33C0            xor eax, eax
003D0F98    0345 F4         add eax, dword ptr [ebp-C]
003D0F9B    74 12           je short 003D0FAF
003D0F9D    48              dec eax
003D0F9E    8945 F4         mov dword ptr [ebp-C], eax
003D0FA1    FF75 EC         push dword ptr [ebp-14]
003D0FA4    FF75 E8         push dword ptr [ebp-18]
003D0FA7    8F45 EC         pop dword ptr [ebp-14]
003D0FAA    8F45 E8         pop dword ptr [ebp-18]
003D0FAD  ^ EB CA           jmp short 003D0F79
003D0FAF    5A              pop edx
003D0FB0    56              push esi
Continue with F8. This is the head of a loop that walks a table of 1C-byte entries and tests bit 10 of the word at offset +10 in each:
003D0F0C    51              push ecx
003D0F0D    52              push edx
003D0F0E    56              push esi
003D0F0F    0FB746 10       movzx eax, word ptr [esi+10]
003D0F13    A9 10000000     test eax, 10
003D0F18    0F84 D6000000   je 003D0FF4                      ; jump taken
003D0F1E    56              push esi
003D0F1F    8BBB 191E0010   mov edi, dword ptr [ebx+10001E19]
003D0F25    897D EC         mov dword ptr [ebp-14], edi
Continue with F8:
003D0FF4    5E              pop esi                          ; 003D0A10
003D0FF5    5A              pop edx
003D0FF6    59              pop ecx
003D0FF7    83C6 1C         add esi, 1C
003D0FFA    49              dec ecx
003D0FFB  ^ 0F85 0BFFFFFF   jnz 003D0F0C                     ; jump taken
003D1001    33C0            xor eax, eax
003D1003    5E              pop esi
003D1004    5F              pop edi
003D1005    5B              pop ebx
003D1006    C9              leave
003D1007    C2 0400         retn 4
Continue with F8 (next loop iteration):
003D0F0C    51              push ecx
003D0F0D    52              push edx
003D0F0E    56              push esi
003D0F0F    0FB746 10       movzx eax, word ptr [esi+10]
003D0F13    A9 10000000     test eax, 10
003D0F18    0F84 D6000000   je 003D0FF4                      ; jump taken
F8:
003D0FF4    5E              pop esi
003D0FF5    5A              pop edx
003D0FF6    59              pop ecx
003D0FF7    83C6 1C         add esi, 1C
003D0FFA    49              dec ecx
003D0FFB  ^ 0F85 0BFFFFFF   jnz 003D0F0C
003D1001    33C0            xor eax, eax
003D1003    5E              pop esi
003D1004    5F              pop edi
003D1005    5B              pop ebx
003D1006    C9              leave
003D1007    C2 0400         retn 4                           ; returns
F8. The call at 003D0AD6 is pushed with (0, size, 1000, 40), i.e. the VirtualAlloc(NULL, size, MEM_COMMIT, PAGE_EXECUTE_READWRITE) pattern; the buffer it returns is saved at [ebp+10001E19] and is the one released later:
003D0AC3    8B4E 2C         mov ecx, dword ptr [esi+2C]
003D0AC6    898D 1D1E0010   mov dword ptr [ebp+10001E1D], ecx
003D0ACC    6A 40           push 40
003D0ACE    68 00100000     push 1000
003D0AD3    51              push ecx
003D0AD4    6A 00           push 0
003D0AD6    FF95 291E0010   call dword ptr [ebp+10001E29]
003D0ADC    8985 191E0010   mov dword ptr [ebp+10001E19], eax
003D0AE2    56              push esi
003D0AE3    E8 E8030000     call 003D0ED0
003D0AE8    8D8D C81C0010   lea ecx, dword ptr [ebp+10001CC8]
003D0AEE    85C0            test eax, eax
003D0AF0    0F85 94000000   jnz 003D0B8A
003D0AF6    56              push esi
003D0AF7    E8 32030000     call 003D0E2E
003D0AFC    56              push esi
003D0AFD    E8 47020000     call 003D0D49
003D0B02 .. 003D0B0F  90    nop                              ; 14 x nop
003D0B10    8B4E 34         mov ecx, dword ptr [esi+34]
003D0B13    85C9            test ecx, ecx
003D0B15    0F84 89000000   je 003D0BA4
003D0B1B    034E 08         add ecx, dword ptr [esi+8]
003D0B1E    51              push ecx
003D0B1F    56              push esi
003D0B20    E8 39060000     call 003D115E
003D0B25    85C0            test eax, eax
003D0B27    74 7B           je short 003D0BA4                ; jump taken
003D0B29    8B95 571A0010   mov edx, dword ptr [ebp+10001A57]
003D0B2F    8B8D 5B1A0010   mov ecx, dword ptr [ebp+10001A5B]
003D0B35    85C9            test ecx, ecx
003D0B37    75 08           jnz short 003D0B41
F8. edi now holds the image base (NullForm.00400000). The block that is skipped here would patch a 5-byte jmp into the image when [ebx+48] == 1: it writes opcode E9 at ImageBase + [ebx+40] and stores rel32 = [ebx+C] - ([ebx+40] + 5) after it, the standard rel32 calculation.
003D0BA4    8B7B 08         mov edi, dword ptr [ebx+8]       ; NullForm.00400000
003D0BA7    8BDE            mov ebx, esi
003D0BA9    837B 48 01      cmp dword ptr [ebx+48], 1
003D0BAD    75 15           jnz short 003D0BC4               ; jump taken
003D0BAF    8B43 0C         mov eax, dword ptr [ebx+C]
003D0BB2    8B4B 40         mov ecx, dword ptr [ebx+40]
003D0BB5    8BF1            mov esi, ecx
003D0BB7    03F7            add esi, edi
003D0BB9    C606 E9         mov byte ptr [esi], 0E9
003D0BBC    83C1 05         add ecx, 5
003D0BBF    2BC1            sub eax, ecx
003D0BC1    8946 01         mov dword ptr [esi+1], eax
003D0BC4    8BF3            mov esi, ebx
003D0BC6    90              nop
F8. The call at 003D0BE5 is pushed with (buffer, 0, 8000), i.e. VirtualFree(buffer, 0, MEM_RELEASE), which is the wrapper around VirtualFreeEx we broke on earlier. The function then returns eax = edi + [esi+C] = ImageBase + OEP RVA; this value is what the stub finally jumps to.
003D0BC4    8BF3            mov esi, ebx
003D0BC6 .. 003D0BD1  90    nop                              ; 12 x nop
003D0BD2    57              push edi
003D0BD3    E8 35070000     call 003D130D
003D0BD8    68 00800000     push 8000
003D0BDD    6A 00           push 0
003D0BDF    FFB5 191E0010   push dword ptr [ebp+10001E19]
003D0BE5    FF95 2D1E0010   call dword ptr [ebp+10001E2D]    ; VirtualFree -> VirtualFreeEx
003D0BEB    8B46 0C         mov eax, dword ptr [esi+C]
003D0BEE    03C7            add eax, edi
003D0BF0    5D              pop ebp
003D0BF1    5E              pop esi
003D0BF2    5F              pop edi
003D0BF3    5B              pop ebx
003D0BF4    C3              retn
Because the VirtualFree breakpoint is still set, we stop inside it once more (delete it now, or simply F8 through it):
7C809B14 >  8BFF            mov edi, edi                     ; NullForm.00400000
7C809B16    55              push ebp
7C809B17    8BEC            mov ebp, esp
7C809B19    FF75 10         push dword ptr [ebp+10]
7C809B1C    FF75 0C         push dword ptr [ebp+C]
7C809B1F    FF75 08         push dword ptr [ebp+8]
7C809B22    6A FF           push -1
7C809B24    E8 09000000     call VirtualFreeEx
7C809B29    5D              pop ebp
7C809B2A    C2 0C00         retn 0C
F8 back out. The returned OEP (eax = 00453284) is saved and copied into esi:
004668C0    8985 FA120010   mov dword ptr [ebp+100012FA], eax ; NullForm.00453284
004668C6    8BF0            mov esi, eax
004668C8    8B4B 14         mov ecx, dword ptr [ebx+14]
004668CB    5A              pop edx
004668CC    EB 0C           jmp short 004668DA               ; unconditional jump
004668CE    03CA            add ecx, edx
004668D0    68 00800000     push 8000
004668D5    6A 00           push 0
004668D7    57              push edi
004668D8    FF11            call dword ptr [ecx]
004668DA    8BC6            mov eax, esi
004668DC    5A              pop edx
004668DD    5E              pop esi
We arrive at the tail of the stub, which restores the registers and jumps to the original code:
004668DA    8BC6            mov eax, esi                     ; NullForm.00453284
004668DC    5A              pop edx
004668DD    5E              pop esi
004668DE    5F              pop edi
004668DF    59              pop ecx
004668E0    5B              pop ebx
004668E1    5D              pop ebp
004668E2    FFE0            jmp eax                          ; EAX = $453284, the program's OEP. Unpacked.
Press F8 once more to land on the OEP. OllyDbg shows the entry as single bytes because it has not analysed this region yet (Ctrl+A analyses it). Now dump with OllyDump and save as NullFormPEDump.exe; OllyDump sets the Entry Point to $53284 automatically (the OEP RVA, 453284 - 400000). Run the dump: OK. OllyDump's "Rebuild Import" option (on by default) handled the imports here; if a dump does not start, rebuild the IAT with ImportREC, giving it the same OEP RVA 53284.
00453284  55 8B EC 83 C4 F0 B8 14 31 45 00 E8 80 33 FB FF
00453294  A1 20 4F 45 00 8B 00 E8 F0 E6 FF FF 8B 0D FC 4F
004532A4  45 00 A1 20 4F 45 00 8B 00 8B 15 EC 2E 45 00 E8
004532B4  F0 E6 FF FF A1 20 4F 45 00 8B 00 E8 64 E7 FF FF
004532C4  E8 AB 0E FB FF 8D 40 00 00 00 00 00 00 00 00
Decoded by hand from those bytes (OllyDbg shows the same after Ctrl+A), this is the familiar Delphi project entry, the Application.Initialize / CreateForm / Run sequence, which confirms the OEP is right:
00453284    55              push ebp
00453285    8BEC            mov ebp, esp
00453287    83C4 F0         add esp, -10
0045328A    B8 14314500     mov eax, 00453114
0045328F    E8 8033FBFF     call 00406614
00453294    A1 204F4500     mov eax, dword ptr [00454F20]
00453299    8B00            mov eax, dword ptr [eax]
0045329B    E8 F0E6FFFF     call 00451990
004532A0    8B0D FC4F4500   mov ecx, dword ptr [00454FFC]
004532A6    A1 204F4500     mov eax, dword ptr [00454F20]
004532AB    8B00            mov eax, dword ptr [eax]
004532AD    8B15 EC2E4500   mov edx, dword ptr [00452EEC]
004532B3    E8 F0E6FFFF     call 004519A8
004532B8    A1 204F4500     mov eax, dword ptr [00454F20]
004532BD    8B00            mov eax, dword ptr [eax]
004532BF    E8 64E7FFFF     call 00451A28
004532C4    E8 AB0EFBFF     call 00404174
004532C9    8D40 00         lea eax, dword ptr [eax]
004532CC    0000            add byte ptr [eax], al           ; zero padding
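The two header-level steps in this walkthrough, the E9 patch the stub computes at 003D0BAF (rel32 = target - (patch + 5)) and the entry-point rewrite OllyDump performs on the dump, are small enough to show in code. The script below is an added example written for this page, not the author's tool and not OllyDump's code. It does not read NullFormPEDump.exe; it constructs a minimal 32-bit PE in memory (build_pe, an assumption for illustration) with one section holding the 0x4F bytes OllyDbg displayed at 00453284, rewrites AddressOfEntryPoint from the packed stub's 1000 to the OEP RVA 53284, checks that the OEP starts with the push ebp / mov ebp, esp prologue, and decodes the first call with the same rel32 arithmetic the stub uses. The image base 00400000, the OEP 00453284 and the bytes come from the trace above; everything else is constructed.

```python
"""Added example: entry-point fix-up and rel32 arithmetic for the dump.
Not from the original post; the PE image is constructed, not read."""
import struct

IMAGE_BASE = 0x00400000
PACKED_ENTRY_RVA = 0x1000      # 00401000, the PECompact stub entry
OEP_VA = 0x00453284            # target of the final "jmp eax"

# Constructed from the byte-by-byte view at 00453284 in the post (0x4F bytes).
OEP_BYTES = bytes.fromhex(
    "558BEC83C4F0B814314500E88033FBFF"
    "A1204F45008B00E8F0E6FFFF8B0DFC4F"
    "4500A1204F45008B008B15EC2E4500E8"
    "F0E6FFFFA1204F45008B00E864E7FFFF"
    "E8AB0EFBFF8D40" "0000000000000000"
)


def build_pe(entry_rva, section_rva, section_data):
    """Constructed minimal PE32 (DOS header, NT headers, one section).
    Enough for the header walkers below; it is not a loadable file."""
    e_lfanew, raw_ptr = 0x40, 0x200
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # IMAGE_FILE_HEADER: i386, 1 section, SizeOfOptionalHeader = 0xE0
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)   # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, IMAGE_BASE)  # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)      # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)       # FileAlignment
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(section_data),
                      section_rva, len(section_data), raw_ptr,
                      0, 0, 0, 0, 0x60000020)
    hdr = (dos + b"PE\0\0" + file_hdr + bytes(opt) + sec).ljust(raw_ptr, b"\0")
    return bytearray(hdr + section_data)


def _nt_headers(img):
    if img[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = struct.unpack_from("<I", img, 0x3C)[0]
    if img[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return pe


def get_entry_rva(img):
    return struct.unpack_from("<I", img, _nt_headers(img) + 4 + 20 + 16)[0]


def set_entry_rva(img, rva):
    """The OllyDump step: rewrite IMAGE_OPTIONAL_HEADER.AddressOfEntryPoint."""
    struct.pack_into("<I", img, _nt_headers(img) + 4 + 20 + 16, rva)


def rva_to_offset(img, rva):
    """Map an RVA to a file offset through the section table."""
    pe = _nt_headers(img)
    nsec = struct.unpack_from("<H", img, pe + 6)[0]
    first = pe + 4 + 20 + struct.unpack_from("<H", img, pe + 20)[0]
    for i in range(nsec):
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", img, first + 40 * i + 8)
        if va <= rva < va + max(vsize, rawsize):
            return rawptr + (rva - va)
    raise ValueError("RVA %#x is not inside any section" % rva)


def rel32_target(insn_va, rel):
    """Target of a 5-byte E8/E9: VA of the next instruction plus rel32."""
    return (insn_va + 5 + rel) & 0xFFFFFFFF


def encode_jmp(patch_va, target_va):
    """E9 rel32 as the stub builds it at 003D0BB9: rel = target - (patch + 5)."""
    return b"\xE9" + struct.pack("<i", target_va - (patch_va + 5))


def decode_branch(insn_va, code):
    """Target of the E8 call / E9 jmp whose first byte is code[0]."""
    if code[0] not in (0xE8, 0xE9):
        raise ValueError("not a rel32 call/jmp")
    return rel32_target(insn_va, struct.unpack_from("<i", code, 1)[0])


def fix_dump(img, oep_va=OEP_VA):
    """Point the entry at the OEP; returns (old_rva, new_rva)."""
    old = get_entry_rva(img)
    set_entry_rva(img, oep_va - IMAGE_BASE)
    return old, get_entry_rva(img)


def first_call_target(img, oep_va=OEP_VA):
    """Sanity check on a dump: the OEP must start with push ebp / mov ebp, esp;
    returns the target of the first call after the prologue."""
    code = bytes(img[rva_to_offset(img, oep_va - IMAGE_BASE):][:0x20])
    if code[:3] != b"\x55\x8B\xEC":
        raise ValueError("no prologue at OEP: wrong OEP or bad dump")
    i = code.index(b"\xE8")
    return decode_branch(oep_va + i, code[i:])


def demo():
    # Section placed so that the OEP bytes sit at RVA 53284 (constructed layout).
    img = build_pe(PACKED_ENTRY_RVA, 0x53000, b"\0" * 0x284 + OEP_BYTES)
    old, new = fix_dump(img)
    return old, new, first_call_target(img)


if __name__ == "__main__":
    old, new, target = demo()
    print("entry %#x -> %#x; first call at OEP goes to %08X" % (old, new, target))
```

The prologue check is the cheap test that the value from jmp eax really was the OEP: a dump taken one step too early lands in the stub, and the 55 8B EC bytes will not be there. decode_branch is the same arithmetic the stub ran in reverse when it stored E9 plus rel32 at 003D0BB9; for a real dump, replace build_pe with the bytes of the file on disk.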