好友
阅读权限30
听众
最后登录1970-1-1
|
风吹屁屁凉
发表于 2011-5-25 16:41
主要修复的思路是The Enigma Protector的在模拟API函数的时候调用了反汇编引擎,我将反汇编引擎返回值即当前地址指令的大小改为0,此时The Enigma Protector只会对IAT做一些简单的加密处理.
反汇编引擎反回值改为0,IAT加密后的效果:01278358 68 A0309906 PUSH 69930A0
0127835D 813424 4A374C71 XOR DWORD PTR SS:[ESP],714C374A
01278364 C3 RETN
01278365 68 732F659A PUSH 9A652F73
0127836A 813424 58A2B4ED XOR DWORD PTR SS:[ESP],EDB4A258
01278371 C3 RETN
01278372 68 C144F44E PUSH 4EF444C1
01278377 813424 B6462739 XOR DWORD PTR SS:[ESP],392746B6
0127837E C3 RETN
0127837F 68 3DE5D377 PUSH user32.EnumClipboardFormats
01278384 C3 RETN
01278385 68 960DD377 PUSH user32.EmptyClipboard
0127838A C3 RETN
0127838B 68 13F704BD PUSH BD04F713
01278390 813424 62ADEBCA XOR DWORD PTR SS:[ESP],CAEBAD62
01278397 C3 RETN
01278398 68 7E06DD67 PUSH 67DD067E
0127839D 813424 B0EA3210 XOR DWORD PTR SS:[ESP],1032EAB0
012783A4 C3 RETN
012783A5 68 DB5EEF77 PUSH GDI32.SetBkMode
012783AA C3 RETN
012783AB 68 FC6DE88D PUSH 8DE86DFC
012783B0 813424 8B3007FA XOR DWORD PTR SS:[ESP],FA07308B
012783B7 C3 RETN
012783B8 68 705BEF77 PUSH GDI32.SelectObject
012783BD C3 RETN
012783BE 68 801B5941 PUSH 41591B80
012783C3 813424 7A70B636 XOR DWORD PTR SS:[ESP],36B6707A
012783CA C3 RETN
012783CB 68 107C3376 PUSH comdlg32.GetSaveFileNameA
012783D0 C3 RETN
012783D1 68 9F303276 PUSH comdlg32.GetOpenFileNameA
012783D6 C3 RETN
012783D7 68 F4E9DA77 PUSH advapi32.RegCreateKeyExA
012783DC C3 RETN
012783DD 68 E7EADA77 PUSH advapi32.RegSetValueExA
012783E2 C3 RETN
012783E3 68 38C2DC77 PUSH advapi32.LookupPrivilegeValueA
012783E8 C3 RETN
012783E9 68 62DDDB6A PUSH 6ADBDD62
012783EE 813424 E9A4011D XOR DWORD PTR SS:[ESP],1D01A4E9
012783F5 C3 RETN
OD设置忽略所有异常,SOD全选上,PhantOm的protect DRx勾上。
补区段注意的几点:
对于Stolen Code有两处虚拟机运行时需要的内存段要补上.
1.VM_Entry
EDI+4的内存地址段补上区段0050E926 8B4C24 1C MOV ECX,DWORD PTR SS:[ESP+1C]
0050E92A 8948 04 MOV DWORD PTR DS:[EAX+4],ECX
0050E92D 8B4C24 20 MOV ECX,DWORD PTR SS:[ESP+20]
0050E931 8908 MOV DWORD PTR DS:[EAX],ECX
0050E933 8340 10 04 ADD DWORD PTR DS:[EAX+10],4
0050E937 8DBE 24195500 LEA EDI,DWORD PTR DS:[ESI+551924]
0050E93D 89F8 MOV EAX,EDI ; ntdll.7C930228
0050E93F E8 68B1FFFF CALL 00509AAC
0050E944 89F8 MOV EAX,EDI ; ntdll.7C930228
0050E946 E8 A9B1FFFF CALL 00509AF4
0050E94B 8B67 04 MOV ESP,DWORD PTR DS:[EDI+4] ; EDI+4的内存地址段补上区段
0050E94E 57 PUSH EDI ; ntdll.7C930228
0050E94F 8D4F 10 LEA ECX,DWORD PTR DS:[EDI+10]
0050E952 8B49 10 MOV ECX,DWORD PTR DS:[ECX+10]
0050E955 FF71 FC PUSH DWORD PTR DS:[ECX-4]
0050E958 E8 57C3FFFF CALL 0050ACB4
0050E95D 50 PUSH EAX
0050E95E 89F8 MOV EAX,EDI ; ntdll.7C930228
0050E960 E8 6BB1FFFF CALL 00509AD0
0050E965 58 POP EAX ; ntdll.7C930228
PCode的内存地址补上区段即可0050ACB4 55 PUSH EBP
0050ACB5 8BEC MOV EBP,ESP
0050ACB7 83C4 CC ADD ESP,-34
0050ACBA 53 PUSH EBX
0050ACBB 56 PUSH ESI
0050ACBC 57 PUSH EDI ; ntdll.7C930228
0050ACBD 33C0 XOR EAX,EAX
0050ACBF 8945 D4 MOV DWORD PTR SS:[EBP-2C],EAX
0050ACC2 33C0 XOR EAX,EAX
0050ACC4 55 PUSH EBP
0050ACC5 68 8FE75000 PUSH 0050E78F
0050ACCA 64:FF30 PUSH DWORD PTR FS:[EAX]
0050ACCD 64:8920 MOV DWORD PTR FS:[EAX],ESP
0050ACD0 8B5D 08 MOV EBX,DWORD PTR SS:[EBP+8] ; dumped_.<ModuleEntryPoint>
0050ACD3 33D2 XOR EDX,EDX ; ntdll.KiFastSystemCallRet
0050ACD5 55 PUSH EBP
0050ACD6 68 56E75000 PUSH 0050E756
0050ACDB 64:FF32 PUSH DWORD PTR FS:[EDX]
0050ACDE 64:8922 MOV DWORD PTR FS:[EDX],ESP
0050ACE1 8D34DB LEA ESI,DWORD PTR DS:[EBX+EBX*8]
0050ACE4 A1 441C5500 MOV EAX,DWORD PTR DS:[551C44] ; [5511c44]的内存值起始地址补上区段即可
0050ACE9 8B04F0 MOV EAX,DWORD PTR DS:[EAX+ESI*8]
0050ACEC 83C0 FD ADD EAX,-3
0050ACEF 83F8 63 CMP EAX,63
0050ACF2 ^ 77 ED JA SHORT 0050ACE1
0050ACF4 FF2485 FBAC5000 JMP DWORD PTR DS:[EAX*4+50ACFB] ; dumped_.0050AE8B
0050ACFB 8BAE 500091AE MOV EBP,DWORD PTR DS:[ESI+AE910050]
0050AD01 50 PUSH EAX
0050AD02 0065 AF ADD BYTE PTR SS:[EBP-51],AH
0050AD05 50 PUSH EAX
///Enigma Protector V2.xx OEP Finder + IAT Fixer
// by bianfeng
////////////////////////////////////////
VAR Temp
VAR Var1
VAR Var2
VAR Var3
VAR Var4
VAR CodeBase
VAR CodeSize
VAR IAT
VAR Mem
VAR VirtualQuery
//初始化
BPHWCALL
BPMC
GMI eip,MODULEBASE
MOV CodeBase,$RESULT
ADD CodeBase,1000
GMI eip,CODESIZE
MOV CodeSize,$RESULT
GPA "VirtualProtectEx","kernel32.dll"
MOV Var4,$RESULT
GPA "VirtualQuery","kernel32.dll"
MOV VirtualQuery,$RESULT
GPA "VirtualAlloc","kernel32.dll"
Bp $RESULT
ERUN
ERUN
BC $RESULT
//Patch The Enigma Protector指定的加密函数
FINDMEM #89431083C31C4E75B75F5E5BC3#
CMP $RESULT,0
JE End
ASM $RESULT,"MOV DWORD PTR DS:[EBX+14],EAX"
//反汇编引擎Return下硬件断点
FINDMEM #83BC243003000000740233C081C4380300005BC3#
MOV Temp,$RESULT
ADD Temp,13
BPHWS Temp,"x"
FINDMEM #C602824633C08A062DE00000008901BF020000008BC75F5E5B5DC20C00#
MOV Temp,$RESULT
ADD Temp,1a
BPHWS Temp,"x"
BP Var4
Lab2:
CMP eip,Var4 //程序是否停在VirtualProtectEx
JE Lab3
XOR eax,eax
ERUN
JMP Lab2
//反反内存断点
Lab3:
BPHWCALL
BPRM CodeBase,CodeSize
ASM VirtualQuery,"RETN C"
//到达OEP
JMP Lab9
Lab10:
MOV Temp,[esp+8]
SUB Temp,1000
MOV [esp+8],Temp
MOV [esp+c],1000
Lab8:
CMP [esp+8],CodeBase,4
JE Lab10
ERUN
Lab9:
CMP eip,Var4
JE Lab8
MSG "到达OEP或FOEP,偷取了入口的请补上虚拟机运行时需要的区段"
BPMC
BC Var4
//恢复
ASM VirtualQuery,"MOV EDI,EDI"
ADD VirtualQuery,2
ASM VirtualQuery,"PUSH EBP"
Lab4:
ASK "IAT起始地址:"
MOV IAT,$RESULT
//修复IAT
Lab5:
//PAUSE
MOV Temp,[IAT],4
CMP [Temp],68,1
JNE C
CMP [Temp+5],3481,2
JNE B
MOV Var1,[Temp+1],4
MOV Var2,[Temp+8],4
XOR Var1,Var2
MOV [IAT],Var1
JMP C
B:
CMP [Temp+5],c3,1
JNE C
MOV Temp,[Temp+1],4
MOV [IAT],Temp,4
C:
ADD IAT,4
CMP [IAT],0
JNE Lab5
ADD IAT,4
CMP [IAT],0
JNE Lab5
End:
ret
|
|
