Armadillo脱壳练习笔记(一)
加壳工具:Armadillo_Custom4.40.0250
脱壳工具:armadillo-fp壳分析,ICEODBG.exe,ImportRec16f.exe
目标程序:CrackMe.exe (看雪论坛上的一个练习注册码的程序,极为简单)
目标程序下载地址: 点击到看雪下载
目标程序运行效果:
加壳过程:
Files to Protect: CrackMe3rzh.exe
Language: -Default-
Splash Screen 1: No splash screen
Enter Key Dialog Options:Two-Line Text Enter Kdy Dialog(default)
Protection Options: Standard protection only
Backup Key Options: No Registry Keys at All
Compression Options: Better/Slower Compression
SoftICE Detection: Standard SoftICE Detection
Data-After-Program Options:Protect and leave at end of file
Interception Options: Intercept Selected DLLs
std Hardware Locking:
Enh Hardware Locking:
Certificates: XXX[Default Certificate]
查壳情况:(armadillo-fp壳分析)
C:\cffo-3\CrackMe3rzh.exe
!- Protected Armadillo
Version 4.40.0250 (Custom Build)
Protection system (Professional)
!- <Protection Options>
Standard protection or Minimum protection
!- <Backup Key Options>
No Registry Keys at All
!- <Compression Options>
Better/Slower Compression
!- <Other Options>
脱壳过程:
1、设置OD异常参数: 菜单--》选项--》调试设置-->异常--》全勾选;(如图)
2、载入CrackMe3rzh.exe切工作(经上述加壳后产生的文件,为保留原文件对其进行了重命名)
3、隐藏OD:菜单--》插件--》HideOD-->Hide
0049D001 E8 00000000 call 0049D006
0049D006 5D pop ebp
0049D007 50 push eax
0049D008 51 push ecx
0049D009 0FCA bswap edx
0049D00B F7D2 not edx
0049D00D 9C pushfd
0049D00E F7D2 not edx
0049D010 0FCA bswap edx
0049D012 EB 0F jmp short 0049D023
0049D014 B9 EB0FB8EB mov ecx, EBB80FEB
4、Ctrl+G跟随 输入:7C82474A >GetModuleHandleA
7C82474C 55 push ebp
7C82474D 8BEC mov ebp,esp
7C82474F 837D 08 00 cmp dword ptr ss:[ebp+8],0
7C824753 74 18 je short kernel32.7C82476D<--下硬件断点
7C824755 FF75 08 push dword ptr ss:[ebp+8]
7C824758 E8 C2040000 call kernel32.7C824C1F
7C82475D 85C0 test eax,eax
7C82475F 74 08 je short kernel32.7C824769
7C824761 FF70 04 push dword ptr ds:[eax+4]
5、Shift+F9 一下一下按,注意堆栈窗口,当看到如下内容时留意
00129500 |00C47105 返回到 00C47105 来自 kernel32.GetModuleHandleA
00129504 |00C5BC1C ASCII "kernel32.dll"
00129508 |00C5CEC4 ASCII "VirtualAlloc"
0012950C |00C5FA98
00129510 |7C94A3AB ntdll.RtlLeaveCriticalSection
6、Shift+F9 再按一下,如我们期望的,不远了
00129500 |00C47122 返回到 00C47122 来自 kernel32.GetModuleHandleA
00129504 |00C5BC1C ASCII "kernel32.dll"
00129508 |00C5CEB8 ASCII "VirtualFree"
0012950C |00C5FA98
00129510 |7C94A3AB ntdll.RtlLeaveCriticalSection
7、Shift+F9再一下一下按,好了,如下,这里就是关键!返回时机到了!
00129264 |00C35FC9 返回到 00C35FC9 来自 kernel32.GetModuleHandleA
00129268 |001293B4 ASCII "kernel32.dll"
8、删除硬件断点,Alt+F9返回,我们看看代码窗口
00C35FCF 89040E mov dword ptr ds:[esi+ecx],eax
00C35FD2 A1 AC40C600 mov eax,dword ptr ds:[C640AC]
00C35FD7 391C06 cmp dword ptr ds:[esi+eax],ebx
00C35FDA 75 16 jnz short 00C35FF2
00C35FDC 8D85 B4FEFFFF lea eax,dword ptr ss:[ebp-14C]
00C35FE2 50 push eax
00C35FE3 FF15 BC62C500 call dword ptr ds:[C562BC] ; kernel32.LoadLibraryA
00C35FE9 8B0D AC40C600 mov ecx,dword ptr ds:[C640AC]
00C35FEF 89040E mov dword ptr ds:[esi+ecx],eax
00C35FF2 A1 AC40C600 mov eax,dword ptr ds:[C640AC]
00C35FF7 391C06 cmp dword ptr ds:[esi+eax],ebx
00C35FFA 0F84 2F010000 je 00C3612F ;<--把Je改为Jmp(修改Magic Jump)改好后回车
00C36000 33C9 xor ecx,ecx
00C36002 8B07 mov eax,dword ptr ds:[edi]
00C36004 3918 cmp dword ptr ds:[eax],ebx
00C36006 74 06 je short 00C3600E
00C36008 41 inc ecx
00C36009 83C0 0C add eax,0C
00C3600C ^ EB F6 jmp short 00C36004
00C3600E 8BD9 mov ebx,ecx
00C36010 C1E3 02 shl ebx,2
9、 回车后来到这里
00C36132 89BD 78FDFFFF mov dword ptr ss:[ebp-288],edi
00C36138 83C6 04 add esi,4
00C3613B 395F FC cmp dword ptr ds:[edi-4],ebx
00C3613E ^ 0F85 49FEFFFF jnz 00C35F8D
00C36144 EB 03 jmp short 00C36149 ;<--这里下F2断点
00C36146 D6 salc
00C36147 D6 salc
00C36148 8F ??? ; 未知命令
00C36149 8B0D 6C8FC600 mov ecx,dword ptr ds:[C68F6C]
00C3614F 3BCB cmp ecx,ebx
00C36151 74 13 je short 00C36166
00C36153 8B01 mov eax,dword ptr ds:[ecx]
10、Shift+F9断下后,返回上面找到修改处,把我们改的jmp 改回来,CTRL+G 输入CreateThread
7C825111 55 push ebp
7C825112 8BEC mov ebp,esp
7C825114 FF75 1C push dword ptr ss:[ebp+1C]
7C825117 FF75 18 push dword ptr ss:[ebp+18]
11、Shift+F9断下后,取消断点,ALT+F9返回
00C3C51F FF15 4C62C500 call dword ptr ds:[C5624C] ; kernel32.CloseHandle
00C3C525 5F pop edi
00C3C526 5E pop esi
00C3C527 C9 leave
00C3C528 C3 retn
12、F8步进到此处
00C4F9E6 8945 E4 mov dword ptr ss:[ebp-1C],eax
00C4F9E9 8B45 E4 mov eax,dword ptr ss:[ebp-1C]
00C4F9EC 8B4D F0 mov ecx,dword ptr ss:[ebp-10]
再看看寄存器的值: ECX 00441270 和现在的内存地址比,差距好大.F7跟进去!
00441271 8BEC mov ebp,esp
00441273 83C4 F4 add esp,-0C
00441276 B8 60114400 mov eax,CrackMe3.00441160
0044127B E8 E848FCFF call CrackMe3.00405B68
00441280 A1 442C4400 mov eax,dword ptr ds:[442C44]
00441285 8B00 mov eax,dword ptr ds:[eax]
00441287 E8 ECBBFFFF call CrackMe3.0043CE78
0044128C A1 442C4400 mov eax,dword ptr ds:[442C44]
00441291 8B00 mov eax,dword ptr ds:[eax]
00441293 BA D0124400 mov edx,CrackMe3.004412D0 ; ASCII "Crackers For Freedom CrackMe v3.0"
00441298 E8 17B8FFFF call CrackMe3.0043CAB4
0044129D 8B0D 102D4400 mov ecx,dword ptr ds:[442D10] ; CrackMe3.00443830
到这里,我们可以DUMP了,可以直接用OD的接件功能,也可以用LordPE。由于加壳时没有用到Import Table Elimination和Strategic Code Splicing,现在用ImportRec.exe剪切掉无用的IAT指针后。我们的脱壳就完成了。
剪切掉无用的IAT指针。如图:
最后运行一下试试看,然后选用PEID看一下:Borland Delphi 4.0 - 5.0编写的小东西。
posted on 2008-08-05 19:17 northstarlight 阅读(2567) 评论(1) 编辑 收藏 举报