好友
阅读权限40
听众
最后登录1970-1-1
|
cyto
发表于 2009-1-24 11:46
WinLicense_UnPack Me!.exe 2.0.1.0
这个在tuts4you里下载的.
1.获取iat及dump文件:
内存写入断点,第2次停在:
007627B8 8F02 pop dword ptr ds:[edx] ; 02A50000
007627BA ^ E9 F8FBFFFF jmp 007623B7 ; WinLicen.007623B7
patch CRC:
00857D60 3985 C102F711 cmp dword ptr ss:[ebp+11F702C1],eax
00857D66 0F84 92000000 je 00857DFE ; WinLicen.00857DFE
Magic Jmp:
008588BE 2BD9 sub ebx,ecx
008588C0 0F84 C6000000 je 0085898C ; WinLicen.0085898C
008588EE 2BD9 sub ebx,ecx
008588F0 0F84 96000000 je 0085898C ; WinLicen.0085898C
0085890D 2BD9 sub ebx,ecx
0085890F 0F84 77000000 je 0085898C ; WinLicen.0085898C
hookVM:参考nooby的脚本
3BC8 9C E9
00762576 3BC8 cmp ecx,eax
00762578 9C pushfd
00762579 ^ E9 39FEFFFF jmp 007623B7 ; WinLicen.007623B7
00873E88 3D 0000E677 cmp eax,77E60000
00873E8D 74 1A je short 00873EA9 ; WinLicen.00873EA9
00873E8F 3D 00006D79 cmp eax,796D0000
00873E94 74 13 je short 00873EA9 ; WinLicen.00873EA9
00873E96 3D 0000DF77 cmp eax,77DF0000
00873E9B 74 0C je short 00873EA9 ; WinLicen.00873EA9
00873E9D EB 11 jmp short 00873EB0 ; WinLicen.00873EB0
00873E9F 0000 add byte ptr ds:[eax],al
00873EA1 0000 add byte ptr ds:[eax],al
00873EA3 0000 add byte ptr ds:[eax],al
00873EA5 0000 add byte ptr ds:[eax],al
00873EA7 0000 add byte ptr ds:[eax],al
00873EA9 C70424 87020000 mov dword ptr ss:[esp],287
00873EB0 ^ E9 02E5EEFF jmp 007623B7 ; WinLicen.007623B7
3D 00 00 E6 77 74 1A 3D 00 00 6D 79 74 13 3D 00 00 DF 77 74 0C EB 11 00 00 00 00 00 00 00 00 00
00 C7 04 24 87 02 00 00 E9 02 E5 EE FF
有一个函数地址没出来:004130A0 >02A50000
跟踪后知道是这个:004130A0 >77FACCB2 ntdll.RtlUnwind
需要在code里修改jmp 02a50000为:
00407526 - E9 D58A6402 jmp 02A50000
00407526 - FF25 A0304100 jmp dword ptr ds:[4130A0] ; ntdll.RtlUnwind
内存断点继续来到foep:
00404A2A 33C0 xor eax,eax ;=call 404a2a,此时eax=893
00404A2C 6A 00 push 0
此时dump并获取iat.
2.stolen oep:
停在foep时的堆栈:
0012FB84 0012FFE0 指针到下一个 SEH 记录
0012FB88 00404A90 SE 句柄 ; push
0012FB8C 00414558 WinLicen.00414558 ; push
0012FB90 FFFFFFFF ; push -1
peid查为典型的vc6.0程序,找个程序对比可以找到oep:
00401E6E 05 9EA03E72 add eax,723EA09E
都是乱码.
拷贝粘贴后再修改.
分析下:
停在00404A2A后,从堆栈的信息得到oep为:
00401E6E f> 55 push ebp
00401E6F 8BEC mov ebp,esp
00401E71 6A FF push -1
00401E73 68 58454100 push 414558
00401E78 68 904A4000 push 404A90
00401E7D 64:A1 00000000 mov eax,dword ptr fs:[0]
然后第一个函数为GetVersion,所以:
00401E94 FF15 AC314100 call dword ptr ds:[4131AC] ; KERNEL32.GetVersion
此时eax=893,搜索内存得到:
0041D100 00000893
只有这么一个,因此在call 404A2A之前的几个地址为:
00401E9E 8915 0CD14100 mov dword ptr ds:[41D10C],edx
00401EA4 8BC8 mov ecx,eax
00401EA6 81E1 FF000000 and ecx,0FF
00401EAC 890D 08D14100 mov dword ptr ds:[41D108],ecx
00401EB2 C1E1 08 shl ecx,8
00401EB5 03CA add ecx,edx
00401EB7 890D 04D14100 mov dword ptr ds:[41D104],ecx
00401EBD C1E8 10 shr eax,10
00401EC0 A3 00D14100 mov dword ptr ds:[41D100],eax
00401EC5 6A 01 push 1
00401EC7 E8 5E2B0000 call 00404A2A ; fix__.00404A2A
这个就是第一次停在code得到的信息,根据相应的程序推断的代码.
根据参考程序搜索二进制进行定位call的地址.
另外函数可根据iat修改地址.
对于[addr]的,可以根据前后call返回保存的值搜索原程序的内存得到地址.
修复后的stolen oep代码:
55 8B EC 6A FF 68 58 45 41 00 68 90 4A 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58
53 56 57 89 65 E8 FF 15 AC 31 41 00 33 D2 8A D4 89 15 0C D1 41 00 8B C8 81 E1 FF 00 00 00 89 0D
08 D1 41 00 C1 E1 08 03 CA 89 0D 04 D1 41 00 C1 E8 10 A3 00 D1 41 00 6A 01 E8 5E 2B 00 00 59 85
C0 75 08 6A 1C E8 C3 00 00 00 59 E8 8E 20 00 00 85 C0 75 08 6A 10 E8 B2 00 00 00 59 33 F6 89 75
FC E8 05 28 00 00 FF 15 A8 30 41 00 A3 1C D8 41 00 E8 C3 26 00 00 A3 F0 D0 41 00 E8 6C 24 00 00
E8 AE 23 00 00 E8 36 01 00 00 89 75 D0 8D 45 A4 50 FF 15 A4 30 41 00 E8 3F 23 00 00 89 45 9C F6
45 D0 01 74 06 0F B7 45 D4 EB 03 6A 0A 58 50 FF 75 9C 56 56 FF 15 C4 31 41 00 50 E8 29 8D 00 00
89 45 A0 50 E8 24 01 00 00 8B 45 EC 8B 08 8B 09 89 4D 98 50 51 E8 89 21 00 00 59 59 C3
3.修复跨平台:
载入脱壳后的程序,申请个空间,写入代码,然后新建eip运行下即可:
修复call api的:
B8 00 10 40 00 BB 00 30 41 00 80 38 E8 74 0D 83 C0 01 3D 00 F0 41 00 72 F1 EB FE 90 80 78 FF 90
74 09 80 78 05 90 74 03 EB E5 90 8B 48 01 03 C8 83 C1 05 8B 13 3B CA 74 0E 83 C3 04 81 FB D0 33
41 00 76 EF EB 10 90 80 78 FF 90 75 14 66 C7 40 FF FF 15 89 58 01 BB 00 30 41 00 EB B2 90 90 90
90 66 C7 00 FF 15 89 58 02 EB EB
修复jmp api的:
B8 00 10 40 00 BB 00 30 41 00 80 38 E9 74 1C 83 C0 01 3D 00 F0 41 00 72 F1 EB FE 90 90 90 90 90
90 90 90 90 90 90 90 90 90 90 90 8B 48 01 03 C8 83 C1 05 8B 13 3B CA 74 0E 83 C3 04 81 FB D0 33
41 00 76 EF EB 10 90 80 78 FF 90 75 14 66 C7 40 FF FF 25 89 58 01 BB 00 30 41 00 EB B2 90 90 90
90 66 C7 00 FF 25 89 58 02 EB EB
4.Stolen code:
这个时候还不能运行,发现这里错误:
0040ECA0 - E9 9C354400 jmp 00852241 ; 到壳里去
这个找类似的VC6.0程序可以搜索到:
0040ECA0 FF15 C8314100 call dword ptr ds:[4131C8] ; KERNEL32.GetProcAddress
0040ECA6 85C0 test eax,eax ; comctl32.#241
0040ECA8 75 1B jnz short 0040ECC5 ; fix_.0040ECC5
0040ECAA 8B4424 14 mov eax,dword ptr ss:[esp+14] ; fix_.0040EE21
0040ECAE BF C03F0000 mov edi,3FC0
0040ECB3 23C7 and eax,edi ; comctl32.#241
0040ECB5 3B4424 14 cmp eax,dword ptr ss:[esp+14] ; fix_.0040EE21
0040ECB9 75 27 jnz short 0040ECE2 ; fix_.0040ECE2
o了.
5.感谢
修复stolen oep和code选用的参考程序为门神.n久前下载的小G的东西,一直没用上,这里特别感谢下.哈哈 |
|
发表于 2009-1-24 13:40
发表于 2009-1-24 13:43
发表于 2009-1-25 00:43
送大礼~
