脱壳目标:用ExeStealth V2.73加壳的Win2k的Notepad
加壳选项:CRC protect、APIRedirection、EraseImportrInformation、AntiProzess Dumping、Anti-SmartCheck、Anti-SoftIce、Anti-Idag
运行平台:win2000pro
先设置Ollydbg忽略所有的异常选项,再用IsDebug 1.4插件去掉Ollydbg的调试器标志。载入后弹出“是压缩代码——要继续进行分析吗?”,点“否”。
01010060 > /EB 00 JMP SHORT NOTEPAD.01010062====>进入OD后停在这!用F8走。
01010062 \EB 2F JMP SHORT NOTEPAD.01010093====>跳!
01010064 53 PUSH EBX
01010065 68 61726577 PUSH 77657261
0101006A 61 POPAD
0101006B 72 65 JB SHORT NOTEPAD.010100D2
0101006D 202D 20457865 AND BYTE PTR DS:[65784520],CH
01010073 53 PUSH EBX
01010074 74 65 JE SHORT NOTEPAD.010100DB
01010076 61 POPAD
跳到这里:
01010093 60 PUSHAD====>用F8走。
01010094 90 NOP
01010095 E8 00000000 CALL NOTEPAD.0101009A
0101009A 5D POP EBP
0101009B 81ED F0274000 SUB EBP,4027F0
010100A1 B9 15000000 MOV ECX,15
010100A6 83C1 05 ADD ECX,5
010100A9 EB 05 JMP SHORT NOTEPAD.010100B0
010100AB - EB FE JMP SHORT NOTEPAD.010100AB
010100AD 83C7 56 ADD EDI,56
010100B0 EB 00 JMP SHORT NOTEPAD.010100B2
010100B2 83E9 02 SUB ECX,2
010100B5 81C1 78432765 ADD ECX,65274378
010100BB EB 00 JMP SHORT NOTEPAD.010100BD
010100BD 81C1 10259400 ADD ECX,942510
010100C3 81E9 63850000 SUB ECX,8563
010100C9 B9 770C0000 MOV ECX,0C77
010100CE 90 NOP
010100CF 8DBD 61284000 LEA EDI,DWORD PTR SS:[EBP+402861]
010100D5 8BF7 MOV ESI,EDI
010100D7 AC LODS BYTE PTR DS:[ESI]
中间省略一些代码
01010105 F9 STC
01010106 34 2B XOR AL,2B
01010108 AA STOS BYTE PTR ES:[EDI]
01010109 ^ E2 CC LOOPD SHORT NOTEPAD.010100D7====>当F8走到这里时下面的代码变成了如下所示。
0101010B F4 HLT
0101010C E1 41 LOOPDE SHORT NOTEPAD.0101014F
0101010E 4D DEC EBP
0101010F 2C 6D SUB AL,6D
01010111 AB STOS DWORD PTR ES:[EDI]
01010112 2C 25 SUB AL,25
01010114 AB STOS DWORD PTR ES:[EDI]
01010115 3C 7D CMP AL,7D
变成了如下:
01010109 ^\E2 CC LOOPD SHORT NOTEPAD.010100D7
0101010B 8BE1 MOV ESP,ECX====>用F4到此处时,代码又变了。变后代码如下所示。
0101010D 41 INC ECX
0101010E 4D DEC EBP
0101010F 2C 6D SUB AL,6D
01010111 AB STOS DWORD PTR ES:[EDI]
01010112 2C 25 SUB AL,25
01010114 AB STOS DWORD PTR ES:[EDI]
01010115 3C 7D CMP AL,7D
01010117 AB STOS DWORD PTR ES:[EDI]
01010118 3C 55 CMP AL,55
0101011A 9B WAIT
0101011B FD STD
0101011C E5 BE IN EAX,0BE
0101011E 60 PUSHAD
0101011F 56 PUSH ESI
01010120 07 POP ES
变后代码:
0101010B 8B4424 20 MOV EAX,DWORD PTR SS:[ESP+20] ====>程序停在此处,用F8继续走。
0101010F 83C0 0E ADD EAX,0E
01010112 83E8 0E SUB EAX,0E
01010115 83C0 0E ADD EAX,0E
01010118 83E8 0E SUB EAX,0E
0101011B 40 INC EAX
0101011C 78 1D JS SHORT NOTEPAD.0101013B
0101011E C785 CA2F4000 0>MOV DWORD PTR SS:[EBP+402FCA],1
01010128 EB 11 JMP SHORT NOTEPAD.0101013B
0101012A 8B4424 20 MOV EAX,DWORD PTR SS:[ESP+20]
0101012E 83C0 0E ADD EAX,0E
01010131 83E8 0E SUB EAX,0E
01010134 83C0 0E ADD EAX,0E
01010137 83E8 0E SUB EAX,0E
0101013A 40 INC EAX
0101013B 8D85 B6274000 LEA EAX,DWORD PTR SS:[EBP+4027B6]
01010141 B9 B3060000 MOV ECX,6B3
01010146 E8 41020000 CALL NOTEPAD.0101038C
0101014B 8985 C62F4000 MOV DWORD PTR SS:[EBP+402FC6],EAX
来到这里:
01010188 CC INT3
01010189 8BEF MOV EBP,EDI
0101018B 33DB XOR EBX,EBX
0101018D 64:8F03 POP DWORD PTR FS:[EBX]
01010190 83C4 04 ADD ESP,4
01010193 3C 04 CMP AL,4
01010195 74 05 JE SHORT NOTEPAD.0101019C====>跳!
01010197 EB 01 JMP SHORT NOTEPAD.0101019A
01010199 - E9 61C38B85 JMP 868CC4FF
0101019E B6 2F MOV DH,2F
010101A0 40 INC EAX
010101A1 0003 ADD BYTE PTR DS:[EBX],AL
010101A3 40 INC EAX
跳到这里:
0101019C 8B85 B62F4000 MOV EAX,DWORD PTR SS:[EBP+402FB6]跳到这里。用F8继续走。
010101A2 0340 3C ADD EAX,DWORD PTR DS:[EAX+3C]
010101A5 05 80000000 ADD EAX,80
010101AA 8B08 MOV ECX,DWORD PTR DS:[EAX]
010101AC 038D B62F4000 ADD ECX,DWORD PTR SS:[EBP+402FB6]
010101B2 83C1 10 ADD ECX,10
010101B5 8B01 MOV EAX,DWORD PTR DS:[ECX]
010101B7 0385 B62F4000 ADD EAX,DWORD PTR SS:[EBP+402FB6]
010101BD 8B18 MOV EBX,DWORD PTR DS:[EAX]
010101BF 899D 12344000 MOV DWORD PTR SS:[EBP+403412],EBX
010101C5 83C0 04 ADD EAX,4
010101C8 8B18 MOV EBX,DWORD PTR DS:[EAX]
010101CA 899D 16344000 MOV DWORD PTR SS:[EBP+403416],EBX
010101D0 8D85 1A344000 LEA EAX,DWORD PTR SS:[EBP+40341A]
010101D6 50 PUSH EAX
010101D7 FF95 12344000 CALL DWORD PTR SS:[EBP+403412]
010101DD 8BF0 MOV ESI,EAX
010101DF 8985 27344000 MOV DWORD PTR SS:[EBP+403427],EAX
010101E5 8D85 2B344000 LEA EAX,DWORD PTR SS:[EBP+40342B]
010101EB E8 96000000 CALL NOTEPAD.01010286
010101F0 8985 3C344000 MOV DWORD PTR SS:[EBP+40343C],EAX
010101F6 8D85 40344000 LEA EAX,DWORD PTR SS:[EBP+403440]
010101FC E8 85000000 CALL NOTEPAD.01010286
01010201 8985 4F344000 MOV DWORD PTR SS:[EBP+40344F],EAX
01010207 8D85 53344000 LEA EAX,DWORD PTR SS:[EBP+403453]
0101020D E8 74000000 CALL NOTEPAD.01010286
01010212 8985 66344000 MOV DWORD PTR SS:[EBP+403466],EAX
01010218 8D85 6A344000 LEA EAX,DWORD PTR SS:[EBP+40346A]
0101021E E8 63000000 CALL NOTEPAD.01010286
01010223 8985 76344000 MOV DWORD PTR SS:[EBP+403476],EAX
01010229 8D85 7A344000 LEA EAX,DWORD PTR SS:[EBP+40347A]
0101022F E8 52000000 CALL NOTEPAD.01010286
01010234 8985 86344000 MOV DWORD PTR SS:[EBP+403486],EAX
0101023A 8D85 8A344000 LEA EAX,DWORD PTR SS:[EBP+40348A]
01010240 E8 41000000 CALL NOTEPAD.01010286
01010245 8985 95344000 MOV DWORD PTR SS:[EBP+403495],EAX
0101024B 8D85 99344000 LEA EAX,DWORD PTR SS:[EBP+403499]
01010251 E8 30000000 CALL NOTEPAD.01010286
01010256 8985 A2344000 MOV DWORD PTR SS:[EBP+4034A2],EAX
0101025C 8D85 A6344000 LEA EAX,DWORD PTR SS:[EBP+4034A6]
01010262 E8 1F000000 CALL NOTEPAD.01010286
01010267 8985 B2344000 MOV DWORD PTR SS:[EBP+4034B2],EAX
0101026D 8D85 B6344000 LEA EAX,DWORD PTR SS:[EBP+4034B6]
01010273 E8 0E000000 CALL NOTEPAD.01010286
01010278 8985 C2344000 MOV DWORD PTR SS:[EBP+4034C2],EAX
0101027E 8D85 E5294000 LEA EAX,DWORD PTR SS:[EBP+4029E5]
01010284 50 PUSH EAX
01010285 C3 RETN====>返回到0101028F
0101028F F785 BE2F4000 1>TEST DWORD PTR SS:[EBP+402FBE],10 ====>返回到这里。用F8继续走。
01010299 74 37 JE SHORT NOTEPAD.010102D2
0101029B 64:FF35 3000000>PUSH DWORD PTR FS:[30]
010102A2 58 POP EAX
010102A3 85C0 TEST EAX,EAX
010102A5 78 0F JS SHORT NOTEPAD.010102B6
010102A7 8B40 0C MOV EAX,DWORD PTR DS:[EAX+C]
010102AA 8B40 0C MOV EAX,DWORD PTR DS:[EAX+C]
010102AD C740 20 0010000>MOV DWORD PTR DS:[EAX+20],1000
010102B4 EB 1C JMP SHORT NOTEPAD.010102D2
010102B6 6A 00 PUSH 0
010102B8 FF95 3C344000 CALL DWORD PTR SS:[EBP+40343C]
010102BE 85D2 TEST EDX,EDX
010102C0 79 10 JNS SHORT NOTEPAD.010102D2
010102C2 837A 08 FF CMP DWORD PTR DS:[EDX+8],-1
010102C6 75 0A JNZ SHORT NOTEPAD.010102D2
010102C8 8B52 04 MOV EDX,DWORD PTR DS:[EDX+4]
010102CB C742 50 0010000>MOV DWORD PTR DS:[EDX+50],1000
010102D2 8BBD B62F4000 MOV EDI,DWORD PTR SS:[EBP+402FB6]
010102D8 037F 3C ADD EDI,DWORD PTR DS:[EDI+3C]
010102DB 8BB5 B62F4000 MOV ESI,DWORD PTR SS:[EBP+402FB6]
010102E1 8B4F 54 MOV ECX,DWORD PTR DS:[EDI+54]
010102E4 8D85 F4344000 LEA EAX,DWORD PTR SS:[EBP+4034F4]
010102EA 50 PUSH EAX
010102EB 6A 04 PUSH 4
010102ED 51 PUSH ECX
010102EE FFB5 B62F4000 PUSH DWORD PTR SS:[EBP+402FB6]
010102F4 FF95 4F344000 CALL DWORD PTR SS:[EBP+40344F]
010102FA F785 BE2F4000 0>TEST DWORD PTR SS:[EBP+402FBE],8
01010304 0F84 A7000000 JE NOTEPAD.010103B1
0101030A 68 04010000 PUSH 104
0101030F 8DBD F4344000 LEA EDI,DWORD PTR SS:[EBP+4034F4]
01010315 57 PUSH EDI
01010316 6A 00 PUSH 0
01010318 FF95 66344000 CALL DWORD PTR SS:[EBP+403466]
0101031E 6A 00 PUSH 0
01010320 68 80000000 PUSH 80
01010325 6A 03 PUSH 3
01010327 6A 00 PUSH 0
01010329 6A 01 PUSH 1
0101032B 68 00000080 PUSH 80000000
01010330 57 PUSH EDI
01010331 FF95 76344000 CALL DWORD PTR SS:[EBP+403476]
01010337 83F8 FF CMP EAX,-1
0101033A 75 04 JNZ SHORT NOTEPAD.01010340
0101033C 33C0 XOR EAX,EAX
0101033E EB 71 JMP SHORT NOTEPAD.010103B1
01010340 8BF8 MOV EDI,EAX
01010342 6A 00 PUSH 0
01010344 57 PUSH EDI
01010345 FF95 B2344000 CALL DWORD PTR SS:[EBP+4034B2]
0101034B 83E8 05 SUB EAX,5
0101034E 96 XCHG EAX,ESI
0101034F 56 PUSH ESI
01010350 6A 40 PUSH 40
01010352 FF95 86344000 CALL DWORD PTR SS:[EBP+403486]
01010358 0BC0 OR EAX,EAX
0101035A 75 02 JNZ SHORT NOTEPAD.0101035E
0101035C EB 4A JMP SHORT NOTEPAD.010103A8
0101035E 93 XCHG EAX,EBX
0101035F 6A 00 PUSH 0
01010361 8D85 F4344000 LEA EAX,DWORD PTR SS:[EBP+4034F4]
01010367 50 PUSH EAX
01010368 56 PUSH ESI
01010369 53 PUSH EBX
0101036A 57 PUSH EDI
0101036B FF95 A2344000 CALL DWORD PTR SS:[EBP+4034A2]
01010371 8BC3 MOV EAX,EBX
01010373 8BCE MOV ECX,ESI
01010375 53 PUSH EBX
01010376 57 PUSH EDI
01010377 E8 10000000 CALL NOTEPAD.0101038C
0101037C 8985 C22F4000 MOV DWORD PTR SS:[EBP+402FC2],EAX
01010382 5F POP EDI
01010383 5B POP EBX
01010384 8D85 F62A4000 LEA EAX,DWORD PTR SS:[EBP+402AF6]
0101038A 50 PUSH EAX
0101038B C3 RETN====>返回到010103A0。
010103A0 53 PUSH EBX ====>返回到这里。用F8继续走。
010103A1 FF95 95344000 CALL DWORD PTR SS:[EBP+403495]
010103A7 96 XCHG EAX,ESI
010103A8 50 PUSH EAX
010103A9 57 PUSH EDI
010103AA FF95 C2344000 CALL DWORD PTR SS:[EBP+4034C2]
010103B0 58 POP EAX
010103B1 8B85 B62F4000 MOV EAX,DWORD PTR SS:[EBP+402FB6]
010103B7 BB 01000000 MOV EBX,1
010103BC E8 08000000 CALL NOTEPAD.010103C9
010103C1 8D85 F52B4000 LEA EAX,DWORD PTR SS:[EBP+402BF5]
010103C7 50 PUSH EAX
010103C8 C3 RETN====>返回到0101049F。
返回到这里:
0101049F 8B9D B62F4000 MOV EBX,DWORD PTR SS:[EBP+402FB6] ====>用F8继续走。这时要小心了,接近入口了。
010104A5 039D BA2F4000 ADD EBX,DWORD PTR SS:[EBP+402FBA]
010104AB C1CB 07 ROR EBX,7====>走到这里时观察一下EBX的值为1006420,这就是OEP值。
010104AE 895C24 10 MOV DWORD PTR SS:[ESP+10],EBX
010104B2 8D9D EB2E4000 LEA EBX,DWORD PTR SS:[EBP+402EEB]
010104B8 895C24 1C MOV DWORD PTR SS:[ESP+1C],EBX
010104BC 8BBD B62F4000 MOV EDI,DWORD PTR SS:[EBP+402FB6]
010104C2 037F 3C ADD EDI,DWORD PTR DS:[EDI+3C]
010104C5 8B9F C0000000 MOV EBX,DWORD PTR DS:[EDI+C0]
010104CB 83FB 00 CMP EBX,0
这里CTRL+G,输入1006420,点确定后来到:
01006420 55 PUSH EBP====>在此处右键单击,选内存访问断点,然后按F9运行,程序中断在此处后DUMP。
01006421 8BEC MOV EBP,ESP
01006423 6A FF PUSH -1
01006425 68 88180001 PUSH NOTEPAD.01001888
0100642A 68 D0650001 PUSH NOTEPAD.010065D0
0100642F 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
01006435 50 PUSH EAX
01006436 64:8925 0000000>MOV DWORD PTR FS:[0],ESP
0100643D 83C4 98 ADD ESP,-68
01006440 53 PUSH EBX
01006441 56 PUSH ESI
01006442 57 PUSH EDI
01006443 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP
01006446 C745 FC 0000000>MOV DWORD PTR SS:[EBP-4],0
运行ImportREC,选择这个进程。把OEP改为0006420,点IT AutoSearch,点“Get Import”,用“追踪层次1”全部修复,FixDump,正常运行!
如要优化一下,可以用LordPE删除ExeS区段,然后重建PE!大小52.9k->48.6K
感谢fly兄弟的指点。没有fly兄弟的《ExeStealth 常用脱壳方法 + ExeStealth V2.72主程序脱壳 》一文,就没有我这篇破文。
您现在的位置: 
