奥运倒计时: 设为首页 加入收藏
点击进入太平洋安全网首页
论坛登陆 用户名: 密码:
首页 新闻资讯 文章中心 黑客资源 黑客点睛 安全防护 软件下载 动画教程 商城中心 技术问答 论坛社区
文章 下载 图片
点睛  
 您现在的位置: 太平洋安全网 >> 黑客点晴 >> 免杀技术 >> 正文

新手脱壳系列教程——CI Crypt V0.1 手动脱壳
作者:佚名    黑客点晴来源:网络转载    点击数:    更新时间:2008-5-12
【作者声明】:只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教
【调试环境】:WinXP、OllyDbg、PEiD、LordPE、ImportREC
_____________________________________________________________
【脱壳过程】:


CI Crypt是个不常见的壳,脱壳比压缩壳稍微复杂点
一.EP

用LordPE察看目标文件的PE信息: ImageBase=00570000 SizeOfImage=00075000
设置OllyDbg忽略所有异常选项,用IsDebugPresent插件Hide,清除以前的所有断点

CODE
00571744    3C 20               cmp al,20
//进入OllyDbg后暂停在这
00571746    F5                  cmc
00571747    79 01               jns short 0057174A
00571749    F8                  clc
0057174A    F5                  cmc
0057174B    F9                  stc
0057174C    60                  pushad
0057174D    C0C1 70             rol cl,70
00571750    E9 1B000000         jmp 00571770


_______________________________________________________
二.数据恢复

BP VirtualAlloc
Shift+F9,中断后取消断点,Alt+F9返回

CODE

0013FD6C   005713CC  /CALL to VirtualAlloc from UnPackMe.005713CA
0013FD70   00400000  |Address = 00400000
0013FD74   0006B000  |Size = 6B000 (438272.)
0013FD78   00003000  |AllocationType = MEM_COMMIT|MEM_RESERVE
0013FD7C   00000040  \Protect = PAGE_EXECUTE_READWRITE

我们看到申请的内存地址是00400000

一般EXE文件的基址大多是00400000,而CI Crypt加壳后这个文件基址是ImageBase=00570000
原来CI Crypt加壳后改了基址,运行时要把代码还原的。
多看代码,最好能看明白壳的流程,这样看的多了就能学习到很多知识了。

CODE

005713C0    51                  push ecx
005713C1    6A 40               push 40
005713C3    68 00300000         push 3000
005713C8    51                  push ecx
005713C9    50                  push eax
005713CA    FFD3                call near ebx; kernel32.VirtualAlloc
005713CC    59                  pop ecx
//返回这里
005713CD    85C0                test eax,eax
005713CF    75 13               jnz short 005713E4
005713D1    6A 40               push 40
005713D3    68 00100000         push 1000
005713D8    51                  push ecx
005713D9    50                  push eax
005713DA    FFD3                call near ebx
005713DC    85C0                test eax,eax
005713DE    0F84 4D020000       je 00571631
005713E4    8945 F4             mov dword ptr ss:[ebp-C],eax
005713E7    89C7                mov edi,eax
005713E9    8B75 08             mov esi,dword ptr ss:[ebp+8]
005713EC    56                  push esi
005713ED    89F1                mov ecx,esi
005713EF    034E 3C             add ecx,dword ptr ds:[esi+3C]
005713F2    8B49 54             mov ecx,dword ptr ds:[ecx+54]
005713F5    F3:A4               rep movs byte ptr es:[edi],byte ptr ds:[esi]
//ecx=00000400 (decimal 1024.)
//ds:[esi]=[00571B79]=4D ('M')
//es:[edi]=[00400000]=00
//开始把PE头数据复制回00400000
005713F7    5E                  pop esi
005713F8    0376 3C             add esi,dword ptr ds:[esi+3C]
005713FB    81C6 F8000000       add esi,0F8
00571401    8B45 08             mov eax,dword ptr ss:[ebp+8]
00571404    0340 3C             add eax,dword ptr ds:[eax+3C]
00571407    0FB640 06           movzx eax,byte ptr ds:[eax+6]
0057140B    8D7D C8             lea edi,dword ptr ss:[ebp-38]
0057140E    57                  push edi
0057140F    6A 0A               push 0A
00571411    59                  pop ecx
00571412    F3:A5               rep movs dword ptr es:[edi],dword ptr ds:[esi]
//[esi]处是加壳前文件的区段信息
00571414    5F                  pop edi
00571415    8B57 14             mov edx,dword ptr ds:[edi+14]
00571418    85D2                test edx,edx
0057141A    74 14               je short 00571430
0057141C    56                  push esi
0057141D    8B75 08             mov esi,dword ptr ss:[ebp+8]
00571420    01D6                add esi,edx
00571422    8B4F 10             mov ecx,dword ptr ds:[edi+10]
00571425    8B57 0C             mov edx,dword ptr ds:[edi+C]
00571428    8B7D F4             mov edi,dword ptr ss:[ebp-C]
0057142B    01D7                add edi,edx
0057142D    F3:A4               rep movs byte ptr es:[edi],byte ptr ds:[esi]
//ecx=00049200 (decimal 299520.)
//ds:[esi]=[00571F79]=56 ('V')
【作者声明】:只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教
【调试环境】:WinXP、OllyDbg、PEiD、LordPE、ImportREC
_____________________________________________________________
【脱壳过程】:


CI Crypt是个不常见的壳,脱壳比压缩壳稍微复杂点

//es:[edi]=[00401000]=00
//复制回各区段数据
0057142F    5E                  pop esi
00571430    48                  dec eax
//原始 NumberOfSections
00571431    75 D8               jnz short 0057140B
//依次复制回所有的区段数据
00571433    8B55 F4             mov edx,dword ptr ss:[ebp-C]
00571436    2B55 FC             sub edx,dword ptr ss:[ebp-4]
00571439    74 5C               je short 00571497
//判断是否需要重定位处理,DLL使用
0057143B    8B45 F4             mov eax,dword ptr ss:[ebp-C]
0057143E    89C3                mov ebx,eax
00571440    035B 3C             add ebx,dword ptr ds:[ebx+3C]
00571443    8B9B A0000000       mov ebx,dword ptr ds:[ebx+A0]
00571449    85DB                test ebx,ebx
0057144B    74 4A               je short 00571497
0057144D    01C3                add ebx,eax
0057144F    8B43 04             mov eax,dword ptr ds:[ebx+4]
00571452    85C0                test eax,eax
00571454    74 41               je short 00571497
00571456    8D48 F8             lea ecx,dword ptr ds:[eax-8]
00571459    D1E9                shr ecx,1
0057145B    8D7B 08             lea edi,dword ptr ds:[ebx+8]
0057145E    0FB707              movzx eax,word ptr ds:[edi]
00571461    52                  push edx
00571462    89C2                mov edx,eax
00571464    C1E8 0C             shr eax,0C
00571467    8B75 F4             mov esi,dword ptr ss:[ebp-C]
0057146A    66:81E2 FF0F        and dx,0FFF
0057146F    0333                add esi,dword ptr ds:[ebx]
00571471    01D6                add esi,edx
00571473    5A                  pop edx
00571474    48                  dec eax
00571475    75 07               jnz short 0057147E
00571477    89D0                mov eax,edx
00571479    C1E8 10             shr eax,10
0057147C    EB 06               jmp short 00571484
0057147E    48                  dec eax
0057147F    75 08               jnz short 00571489
00571481    0FB7C2              movzx eax,dx
00571484    66:0106             add word ptr ds:[esi],ax
00571487    EB 05               jmp short 0057148E
00571489    48                  dec eax
0057148A    75 02               jnz short 0057148E
0057148C    0116                add dword ptr ds:[esi],edx
0057148E    47                  inc edi
0057148F    47                  inc edi
00571490    E2 CC               loopd short 0057145E
00571492    035B 04             add ebx,dword ptr ds:[ebx+4]
00571495    EB B8               jmp short 0057144F


_____________________________________________________________
三.修改PEB中信息

新手可以跳开这个部分,直接看第四部分的Dump
PEB (Process Environment Block)——进程环境块,存放进程信息。
PEB +008 处是ImageBaseAddress

CODE

00571497    8B4D F4             mov ecx,dword ptr ss:[ebp-C]
//ECX=[ebp-C]=00400000 新基址
0057149A    8B55 B0             mov edx,dword ptr ss:[ebp-50]
0057149D    0155 B4             add dword ptr ss:[ebp-4C],edx
005714A0    64:8B05 30000000    mov eax,dword ptr fs:[30]
//获得PEB首地址
005714A7    837D BC 00          cmp dword ptr ss:[ebp-44],0
005714AB    75 03               jnz short 005714B0
005714AD    8948 08             mov dword ptr ds:[eax+8],ecx
//写入00400000新基址
005714B0    8B40 0C             mov eax,dword ptr ds:[eax+C]
005714B3    8B40 0C             mov eax,dword ptr ds:[eax+C]
005714B6    89C6                mov esi,eax
005714B8    8B50 18             mov edx,dword ptr ds:[eax+18]
005714BB    3B55 B0             cmp edx,dword ptr ss:[ebp-50]
005714BE    75 27               jnz short 005714E7
005714C0    8B50 1C             mov edx,dword ptr ds:[eax+1C]
005714C3    3B55 B4             cmp edx,dword ptr ss:[ebp-4C]
005714C6    75 1F               jnz short 005714E7
005714C8    8B50 20             mov edx,dword ptr ds:[eax+20]
005714CB    3B55 B8             cmp edx,dword ptr ss:[ebp-48]
005714CE    75 17               jnz short 005714E7
005714D0    8948 18             mov dword ptr ds:[eax+18],ecx
005714D3    038D 30FEFFFF       add ecx,dword ptr ss:[ebp-1D0]
005714D9    8948 1C             mov dword ptr ds:[eax+1C],ecx
//写入新的EP
005714DC    8B8D 58FEFFFF       mov ecx,dword ptr ss:[ebp-1A8]
005714E2    8948 20             mov dword ptr ds:[eax+20],ecx
//写入新的SizeOfImage
005714E5    EB 08               jmp short 005714EF
005714E7    3930                cmp dword ptr ds:[eax],esi
005714E9    74 04               je short 005714EF
005714EB    8B00                mov eax,dword ptr ds:[eax]
005714ED    EB C9               jmp short 005714B8
【作者声明】:只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教
【调试环境】:WinXP、OllyDbg、PEiD、LordPE、ImportREC
_____________________________________________________________
【脱壳过程】:


CI Crypt是个不常见的壳,脱壳比压缩壳稍微复杂点

四.Dump

从上面走到这里就可以dump了
现在壳还没有把输入表填充系统函数地址,而所有数据都已还原,正是dump的最佳时机
由于壳把数据恢复到新的基址,因此LordPE需要设置一下,这样才可以完美的抓取进程
Options->Task Viewer->去掉 Full dump:Paste header from disk 选项,也就是不使用物理文件的PE头
看看保存的dump.exe,基本就是加壳前的原始文件了。到这里CI Crypt脱壳就完成了
下面在继续看看壳的流程吧

CODE

005714EF    8B9D 88FEFFFF       mov ebx,dword ptr ss:[ebp-178]
//[ebp-178]是输入表RVA
005714F5    85DB                test ebx,ebx
005714F7    74 6C               je short 00571565
005714F9    8B75 F4             mov esi,dword ptr ss:[ebp-C]
005714FC    01F3                add ebx,esi
005714FE    8B43 0C             mov eax,dword ptr ds:[ebx+C]
00571501    85C0                test eax,eax
00571503    74 60               je short 00571565
00571505    8B4B 10             mov ecx,dword ptr ds:[ebx+10]
00571508    01F1                add ecx,esi
0057150A    894D C4             mov dword ptr ss:[ebp-3C],ecx
0057150D    8B0B                mov ecx,dword ptr ds:[ebx]
0057150F    85C9                test ecx,ecx
00571511    75 03               jnz short 00571516
00571513    8B4B 10             mov ecx,dword ptr ds:[ebx+10]
00571516    01F1                add ecx,esi
00571518    894D C0             mov dword ptr ss:[ebp-40],ecx
0057151B    01F0                add eax,esi
0057151D    50                  push eax
0057151E    8B45 10             mov eax,dword ptr ss:[ebp+10]
00571521    FF10                call near dword ptr ds:[eax]; kernel32.LoadLibraryA
00571523    85C0                test eax,eax
00571525    0F84 06010000       je 00571631
0057152B    89C7                mov edi,eax
0057152D    8B4D C0             mov ecx,dword ptr ss:[ebp-40]
00571530    8B11                mov edx,dword ptr ds:[ecx]
00571532    85D2                test edx,edx
00571534    74 2A               je short 00571560
00571536    F7C2 00000080       test edx,80000000
0057153C    74 08               je short 00571546
0057153E    81E2 FFFFFF7F       and edx,7FFFFFFF
00571544    EB 04               jmp short 0057154A
00571546    01F2                add edx,esi
00571548    42                  inc edx
00571549    42                  inc edx
0057154A    52                  push edx
0057154B    57                  push edi
0057154C    8B45 0C             mov eax,dword ptr ss:[ebp+C]
0057154F    FF10                call near dword ptr ds:[eax]; kernel32.GetProcAddress
00571551    8B4D C4             mov ecx,dword ptr ss:[ebp-3C]
00571554    8901                mov dword ptr ds:[ecx],eax
//填充函数系统地址
00571556    8345 C4 04          add dword ptr ss:[ebp-3C],4
0057155A    8345 C0 04          add dword ptr ss:[ebp-40],4
0057155E    EB CD               jmp short 0057152D
00571560    83C3 14             add ebx,14
00571563    EB 99               jmp short 005714FE
//循环处理输入表


_____________________________________________________________
五.OEP
【作者声明】:只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教
【调试环境】:WinXP、OllyDbg、PEiD、LordPE、ImportREC
_____________________________________________________________
【脱壳过程】:


CI Crypt是个不常见的壳,脱壳比压缩壳稍微复杂点


CODE
0057161D    8B1B                mov ebx,dword ptr ds:[ebx]
0057161F    3B5D 90             cmp ebx,dword ptr ss:[ebp-70]
00571622    0F85 4DFFFFFF       jnz 00571575
00571628    8B85 30FEFFFF       mov eax,dword ptr ss:[ebp-1D0]
//[ebp-1D0]=000271B0     OEP RVA
0057162E    0345 F4             add eax,dword ptr ss:[ebp-C]
//EAX=000271B0+00400000=004271B0
00571631    8B4D F4             mov ecx,dword ptr ss:[ebp-C]
00571634    5E                  pop esi
00571635    5F                  pop edi
00571636    5B                  pop ebx
00571637    C9                  leave
00571638    C2 0C00             retn 0C
//返回00571217

00571217    5F                  pop edi
00571218    5E                  pop esi
00571219    5D                  pop ebp
0057121A    83C4 04             add esp,4
0057121D    5B                  pop ebx
0057121E    5A                  pop edx
0057121F    83C4 08             add esp,8
00571222    894C24 04           mov dword ptr ss:[esp+4],ecx
00571226    FFE0                jmp near eax
//飞向光明之巅


CODE

004271B0    55                  push ebp
//OEP
004271B1    8BEC                mov ebp,esp
004271B3    6A FF               push -1
004271B5    68 600E4500         push 00450E60
004271BA    68 C8924200         push 004292C8
004271BF    64:A1 00000000      mov eax,dword ptr fs:[0]
004271C5    50                  push eax
004271C6    64:8925 00000000    mov dword ptr fs:[0],esp
004271CD    83C4 A8             add esp,-58
004271D0    53                  push ebx
004271D1    56                  push esi
004271D2    57                  push edi
004271D3    8965 E8             mov dword ptr ss:[ebp-18],esp
004271D6    FF15 DC0A4600       call near dword ptr ds:[460ADC]; kernel32.GetVersion


_____________________________________________________________
六.简化脱壳流程

OllyDBG载入CI Crypt V0.1加壳文件暂停在EP
BP VirtualAlloc Shift+F9,中断后取消断点,Alt+F9返回
Ctrl+F向下搜索命令: mov ebx,dword ptr ss:[ebp-178]
找到在005714EF处后F4过去,或者设断后Shift+F9中断
此时就可以使用LordPE抓取进程了,注意LordPE的Task Viewer选项设置
在这里脱壳可以说是完美脱壳,dump的文件基本就是加壳前的原始文件了
Game Over
黑客点晴录入:随风追忆    责任编辑:随风追忆 
  • 上一个黑客点晴:

  • 下一个黑客点晴:
    • 发表评论】【加入收藏】【告诉好友】【打印此文】【关闭窗口
     推荐点睛
    推荐黑客点晴[易语言二课]如何增加易语言的组件 ,以及组…
    推荐黑客点晴[易语言一课]简单了解与实例易语言
    推荐黑客点晴10秒钟让你和任意QQ号聊天
    推荐黑客点晴菜鸟黑客入门攻击及防范技巧
    推荐黑客点晴黑客利器流光使用技巧
    推荐黑客点晴PHP实战--入侵郑州广播在线
     热门点睛
    推荐黑客点晴[易语言一课]简单了解与实例易语言
    推荐黑客点晴10秒钟让你和任意QQ号聊天
    推荐黑客点晴菜鸟黑客入门攻击及防范技巧
    推荐黑客点晴黑客利器流光使用技巧
    推荐黑客点晴PHP实战--入侵郑州广播在线
    推荐黑客点晴灰鸽子简单写下载者做搭配
     本站推荐

    关于我们 | 联系方法 | 招聘信息 | 加入会员 | 诚征代理 | 广告服务 | 欢迎投稿 | 站长信箱 | 友情链接 | 网站地图
    24小时客服:0374-7126138 技术支持:0374-7126138 投诉电话:0374-7967536
    客服QQ:883039 售后QQ:827520 技术QQ:78305152 投稿-商业:576880739
    Copyright 太平洋科技 2003-2007 版权所有 All Rights Reserved
      许可证号:豫ICP备07005385号