首先需要说明的是,这个壳是 ximo 大神视频教程里的那个壳。下面所有地址都以教程中的样本(模块名 NgaMy,ImageBase 00400000,入口 0041F000)为准,换一个样本,地址、异常次数和被抽取代码的长度都会不同,步骤思路可以照搬,数值不能照抄。

0041F000 >                pushad                                   ; // packer entry point: saves all registers (the ESP trick in step 9 anchors on this push)
0041F001 E8 call NgaMy.0041F007 ; 5-byte call whose target (0041F007) is one byte past its own end (0041F006): the E8 at 0041F006 is data, not a second call
0041F006 E8 call 0665F48E ; misaligned decode -- OD keeps disassembling linearly from 0041F006, so this and the lines below are junk
0041F00B C3 retn
0041F00C inc ebx
0041F00D D3DA rcr edx,cl
0041F00F BE 75FC1F8F mov esi,8F1FFC75 ; real code resumes at 0041F007; re-sync the view there (Ctrl+A) if you need to follow it
 

3.打开内存界面,在".rdata"段上下内存访问断点,然后 shift+F9 运行。有些程序没有".rdata",那就在".idata"上下断——导入表放在哪个区段取决于编译器/链接器,并不是编程语言本身的区别;目的都一样:在壳开始往原程序的 IAT 里写入 API 地址时断下来。注意下面内存界面里这个段当前只有 R 权限,壳写 IAT 之前会先改权限,所以落脚点可能先落在改权限的代码附近,继续 shift+F9 直到看到第 4 步那段代码。

Memory map, 项目
地址=0040A000
大小= (.)
属主=NgaMy
区段=.rdata
包含=代码,数据
类型=映像
访问=R
初始访问=RWE
 

4.落脚点应该是这个位置,首先看下这段代码,据说这段代码 fly 大神曾经解读过,可惜我没有找到,如果有朋友找到了可以分享一下,感激不尽。这段代码做的事情是:解密 DLL 名和函数名、取得模块句柄和 API 地址,然后在 0043396D/00433979 处把取回的地址跟 MessageBoxA、RegisterHotKey 比较,相等就用 lea eax,[ebp+xxxx] 换成壳自己的桩;再往下的 004339C7 是个按标志字节决定是否对 API 地址做转换的"magic 跳"。我们需要做的是看我写的注释位置:有两行 je 要 nop 掉(右键单击需要 nop 掉的那一行—二进制—使用 nop 填充),还有一行 je 改成 jmp。不打这几个补丁,dump 出来的 IAT 里这些项指向的是壳的桩代码而不是真实 API,ImportREC 会解析不出来。这些改动只对当前这次调试会话有效,第 9 步 Ctrl+F2 重新载入后壳会恢复原样,这没有关系,因为 9~19 步只是收集被抽取的代码,不再依赖 IAT 是否干净。

0043383D    8B46 0C         mov eax,dword ptr ds:[esi+C]             ; // landing point. esi = current per-DLL import record; +C holds the (encrypted) DLL-name RVA -- record layout beyond what is read here is not visible, confirm before relying on it
0BC0 or eax,eax
0F84 je NgaMy.00433A6D ; no name -> import table exhausted
0C and dword ptr ds:[esi+C], ; (immediate dropped in this dump)
0043384C 03C2 add eax,edx ; edx = [ebp+40FC1F] (see 004338CD); every RVA below is rebased with it, so presumably the image base
0043384E 8BD8 mov ebx,eax ; ebx -> DLL-name string
push esi
push edi
push eax
8BF3 mov esi,ebx
8BFB mov edi,ebx
AC lods byte ptr ds:[esi] ; in-place decode loop: rol each byte, stop at NUL
C0C0 rol al, ; (rotate count dropped in this dump)
0043385B AA stos byte ptr es:[edi]
0043385C 803F cmp byte ptr ds:[edi], ; compare with 0
0043385F ^ F6 jnz short NgaMy.
pop eax
5F pop edi
5E pop esi
push eax ; arg: decoded DLL name
FF95 90E24100 call dword ptr ss:[ebp+41E290] ; first lookup by name -> eax = module handle or 0 (the API behind this slot is not shown here)
0043386B 0BC0 or eax,eax
0043386D jnz short NgaMy.004338B2 ; got a handle
0043386F nop
nop
nop
nop
push ebx ; same name again
FF95 94E24100 call dword ptr ss:[ebp+41E294] ; second lookup via a different slot -> eax = handle or 0
0043387A 0BC0 or eax,eax
0043387C jnz short NgaMy.004338B2
0043387E nop
0043387F nop
nop
nop
8B95 1FFC4000 mov edx,dword ptr ss:[ebp+40FC1F] ; 00433882: error path (also the target of the backward je at 00433967)
1D1F4000 add dword ptr ss:[ebp+401F1D],edx ; rebase the two message strings
0043388E 211F4000 add dword ptr ss:[ebp+401F21],edx
6A push ; (imm8 dropped)
FFB5 1D1F4000 push dword ptr ss:[ebp+401F1D]
0043389C FFB5 211F4000 push dword ptr ss:[ebp+401F21]
004338A2 6A push ; (imm8 dropped)
004338A4 FF95 9CE24100 call dword ptr ss:[ebp+41E29C] ; four args through the slot the page identifies as MessageBoxA -> the packer's "DLL not found" box
004338AA 6A push
004338AC FF95 98E24100 call dword ptr ss:[ebp+41E298] ; does not return on this path (falls into the success code below otherwise) -- presumably a process-exit routine, confirm
004338B2 pushad
004338B3 2BC0 sub eax,eax
004338B5 mov byte ptr ds:[ebx],al ; wipe the decoded DLL name back to zeros
004338B7 inc ebx
004338B8 cmp byte ptr ds:[ebx],al
004338BA ^ F9 jnz short NgaMy.004338B5
004338BC popad
004338BD 17FC4000 mov dword ptr ss:[ebp+40FC17],eax ; [ebp+40FC17] = module handle (used as 1st arg at 00433943)
004338C3 C785 1BFC4000 >mov dword ptr ss:[ebp+40FC1B], ; running offset into the thunk arrays (immediate dropped; reset here, advanced outside this listing)
004338CD 8B95 1FFC4000 mov edx,dword ptr ss:[ebp+40FC1F]
004338D3 8B06 mov eax,dword ptr ds:[esi] ; thunk RVA: use [esi] when present
004338D5 0BC0 or eax,eax
004338D7 jnz short NgaMy.004338E0
004338D9 nop
004338DA nop
004338DB nop
004338DC nop
004338DD 8B46 mov eax,dword ptr ds:[esi+] ; otherwise the second RVA in the record (displacement dropped)
004338E0 03C2 add eax,edx
004338E2 1BFC4000 add eax,dword ptr ss:[ebp+40FC1B]
004338E8 8B18 mov ebx,dword ptr ds:[eax] ; ebx = thunk value (name RVA or ordinal)
004338EA 8B7E mov edi,dword ptr ds:[esi+] ; (displacement dropped)
004338ED 03FA add edi,edx
004338EF 03BD 1BFC4000 add edi,dword ptr ss:[ebp+40FC1B] ; edi = IAT slot that will receive the address
004338F5 85DB test ebx,ebx
004338F7 0F84 je NgaMy.00433A5F ; zero thunk -> done with this DLL
004338FD F7C3 test ebx, ; ordinal-flag test (mask dropped in this dump)
1D jnz short NgaMy. ; ordinal: skip the name decode (target dropped)
nop
nop
nop
nop
03DA add ebx,edx
0043390B 83C3 add ebx, ; skip the hint word -> ebx -> encrypted function name (imm dropped)
0043390E push esi
0043390F push edi
push eax
8BF3 mov esi,ebx
8BFB mov edi,ebx
AC lods byte ptr ds:[esi] ; same rol decode loop, now for the function name
C0C0 rol al,
AA stos byte ptr es:[edi]
0043391A 803F cmp byte ptr ds:[edi],
0043391D ^ F6 jnz short NgaMy.
0043391F pop eax
5F pop edi
5E pop esi
3B9D 1FFC4000 cmp ebx,dword ptr ss:[ebp+40FC1F] ; ebx below the base -> it is an ordinal, not a string
7C jl short NgaMy.0043393B
0043392A nop
0043392B nop
0043392C nop
0043392D nop
0043392E 83BD >cmp dword ptr ss:[ebp+], ; (operands dropped in this dump)
0A jnz short NgaMy.
nop
nop
nop
0043393A nop
0043393B 81E3 FFFFFF0F and ebx,0FFFFFFF ; strip the flag bits from an ordinal (a no-op for a string pointer)
push ebx ; 2nd arg: name or ordinal
FFB5 17FC4000 push dword ptr ss:[ebp+40FC17] ; 1st arg: module handle
FF95 8CE24100 call dword ptr ss:[ebp+41E28C] ; (hModule, name/ordinal) -> eax = API address or 0; GetProcAddress-shaped, confirm
0043394E 3B9D 1FFC4000 cmp ebx,dword ptr ss:[ebp+40FC1F]
7C 0F jl short NgaMy. ; ordinal -> nothing to wipe
nop
nop
nop
nop
0043395A pushad
0043395B 2BC0 sub eax,eax
0043395D mov byte ptr ds:[ebx],al ; wipe the decoded function name
0043395F inc ebx
cmp byte ptr ds:[ebx],al
^ F9 jnz short NgaMy.0043395D
popad
0BC0 or eax,eax
^ 0F84 15FFFFFF je NgaMy. ; lookup returned 0 -> 00433882 (message box + exit path above)
0043396D 3B85 9CE24100 cmp eax,dword ptr ss:[ebp+41E29C] ; // is the resolved address MessageBoxA?
je short NgaMy. ; // NOP this: the taken branch replaces eax with a packer stub (the lea at 00433995 is the likely target), so the IAT would point into the packer
nop
nop
nop
nop
3B85 9D014100 cmp eax,dword ptr ss:[ebp+41019D] ; // is it RegisterHotKey?
0043397F je short NgaMy.0043398A ; // NOP this, same reason
nop
nop
nop
nop
EB jmp short NgaMy.0043399B ; any other API: keep the real address in eax
nop
nop
nop
0043398A 8D85 0A024100 lea eax,dword ptr ss:[ebp+41020A] ; packer stub substituted for RegisterHotKey
EB jmp short NgaMy.0043399B
nop
nop
nop
8D85 lea eax,dword ptr ss:[ebp+] ; 00433995: packer stub substituted for MessageBoxA (displacement dropped)
0043399B push esi
0043399C FFB5 17FC4000 push dword ptr ss:[ebp+40FC17]
004339A2 5E pop esi ; esi = module handle of the DLL being processed
004339A3 39B5 FA234000 cmp dword ptr ss:[ebp+4023FA],esi ; handle of one of two modules the packer remembered earlier (which ones is not visible here)
004339A9 je short NgaMy.004339C0
004339AB nop
004339AC nop
004339AD nop
004339AE nop
004339AF 39B5 FE234000 cmp dword ptr ss:[ebp+4023FE],esi
004339B5 je short NgaMy.004339C0
004339B7 nop
004339B8 nop
004339B9 nop
004339BA nop
004339BB EB jmp short NgaMy.00433A20 ; other DLLs: address is stored unchanged (00433A20 is past this listing)
004339BD nop
004339BE nop
004339BF nop
004339C0 80BD D2594100 >cmp byte ptr ss:[ebp+4159D2], ; option byte (imm dropped)
004339C7 je short NgaMy.00433A20 ; // "magic jump": taken = store the real address; change je to jmp so the redirect path below is never entered
004339C9 nop
004339CA nop
004339CB nop
004339CC nop
004339CD EB jmp short NgaMy.004339D6
004339CF nop
004339D0 nop
004339D1 nop
004339D2 add dword ptr ds:[eax],eax ; 004339D2-004339D5 are data bytes decoded as junk, not executed
004339D4 add byte ptr ds:[eax],al
004339D6 8BB5 E4FC4000 mov esi,dword ptr ss:[ebp+40FCE4] ; start of the redirect path: some distance check before the address is converted (continues past this listing)
004339DC 83C6 0D add esi,0D
004339DF 81EE EA1B4000 sub esi,NgaMy.00401BEA
004339E5 2BF5 sub esi,ebp
004339E7 83FE cmp esi, ; (imm dropped)
004339EA 7F jg short NgaMy.00433A20 ; too far -> keep the real address
004339EC nop
004339ED nop
004339EE nop
004339EF nop

5.步骤 4 执行完毕后再次打开内存界面,在 00401000 处(原程序代码段开头)下内存访问断点,shift+F9 一次,下面是落脚点。落脚后先清除内存访问断点,然后在下面最近的 retn 处 F4,再 F8 一次回到调用它的地方。这段代码(cmp eax,? / neg eax / add eax,esp / test [eax],eax / xchg eax,esp / mov eax,[eax] / push eax / retn)形状上很像 MSVC 运行库的栈探测例程(_chkstk,推测),只是原程序被调用到的一个子函数,所以还不是 OEP。

    3D          cmp eax,                //landing point: immediate dropped in this dump; shape matches a stack-probe routine (MSVC _chkstk-like) -- not the OEP
0E jnb short NgaMy.
F7D8 neg eax
03C4 add eax,esp
0040556B 83C0 add eax, //(imm dropped)
0040556E test dword ptr ds:[eax],eax //touch the page
xchg eax,esp //swap in the probed stack pointer
8B00 mov eax,dword ptr ds:[eax]
push eax
C3 retn //F4 here, then F8: returns into the original program's caller
 

6.然后再次来到内存界面,在 00401000 处下内存访问断点,shift+F9 运行一次,下面是落脚点——和第 5 步是同一段代码(0040556B 附近),说明这个子函数被调用了两次。落脚后先清除内存访问断点,然后在 retn 处 F4,F8 一次。

    3D          cmp eax,                //落脚点
0E jnb short NgaMy.
F7D8 neg eax
03C4 add eax,esp
0040556B 83C0 add eax,
0040556E test dword ptr ds:[eax],eax
xchg eax,esp
8B00 mov eax,dword ptr ds:[eax]
push eax
C3 retn //F4,然后F8
 

7.然后再次来到内存界面,在 00401000 处下内存访问断点,shift+F9 运行一次,来到假的 OEP。之所以叫"假"OEP,是因为真正 OEP 开头的那一段已经被壳抽走(第 10~19 步要找回来的 Stolen Code),0040305C 只是被抽走的代码执行完之后的第一条原程序指令;往下的 mov edi,[40A0B0] / call edi 已经是通过 IAT 调用 API 了,40A0B0 正好落在第 8 步给出的 IAT 范围里。

0040305C    83F9              cmp ecx,              //fake OEP: first original instruction after the stolen prologue (imm dropped in dump)
0040305F 0C je short NgaMy.0040306D
81CE or esi, //(imm dropped)
B0DE4000 mov dword ptr ds:[40DEB0],esi //original program's data area 0040DExx -- the stolen code in step 19 also writes 40DEB0/40DEB8/40DEBC
0040306D C1E0 shl eax, //(imm dropped)
03C2 add eax,edx
A3 B4DE4000 mov dword ptr ds:[40DEB4],eax
33F6 xor esi,esi
push esi //arg 0
0040307A 8B3D B0A04000 mov edi,dword ptr ds:[40A0B0] //IAT slot 40A0B0: inside the A000..A171 range used in step 8
FFD7 call edi //import call through the IAT (which API this slot holds is not shown here)
: 4D5A cmp word ptr ds:[eax],5A4D //'MZ' check on the returned pointer
 

8.至此可以先脱壳了(在假 OEP 处 dump)。脱壳的时候需要手动给 ImportREC 指定 IAT,这个比较简单:起始位置是 A000,结尾位置是 A171(换算成 ImportREC 的 RVA+Size 填写,Size 略大一点没关系)。这个范围就是第 3 步看到的 .rdata 段开头(0040A000),第 7 步的 call [40A0B0] 和第 18 步的 call [40A0BC] 都落在其中。获取导入表后逐项检查是否都解析出了有效的 DLL/函数名,特别留意 MessageBoxA 和 RegisterHotKey——如果第 4 步的补丁没打对,这两项会指向壳代码而显示为无效。

9.重新载入原程序(Ctrl+F2),程序的入口点是一个 pushad,F8 到下一行使用 ESP 定律:在数据窗口跟随 ESP,对 ESP 指向的 4 字节下硬件访问断点,然后 shift+F9 运行到最后一次异常。用"最后一次异常法"前先确认 OD 的 Options→Debugging options→Exceptions 里没有勾选忽略这些异常,否则 shift+F9 的次数会和下面对不上;数清楚次数后重新载入,shift+F9 到倒数第一次异常处停下。

0041F000 >                pushad                                   ; //入口点
0041F001 E8 call NgaMy.0041F007 ; //ESP
0041F006 E8 call 0665F48E
0041F00B C3 retn
0041F00C inc ebx
0041F00D D3DA rcr edx,cl
0041F00F BE 75FC1F8F mov esi,0x8F1FFC75
 

10.最后一次异常法的落脚点,pushad 上面的就是 Stolen Code(NOP 可以不复制),二进制复制一下——只复制到 pushad(60)之前为止,pushad 和它后面的 call 不属于被抽取的代码。然后 F4 运行到注释中的位置(记得清除硬件断点),也就是 pushad 下一行再次使用 ESP 定律,下硬件断点然后 shift+F9 一次。下面列出的就是这一段的字节。

004365F4     F5FD4100       mov dword ptr ds:[41FDF5],edx                   ; //落脚点
004365FA FF35 F5FD4100 push dword ptr ds:[41FDF5]
8F05 2DFE4100 pop dword ptr ds:[41FE2D]
FF35 2DFE4100 push dword ptr ds:[41FE2D]
0043660C C70424 mov dword ptr ss:[esp],
push esi
890C24 mov dword ptr ss:[esp],ecx
8DFD4100 push NgaMy.0041FD8D
0043661C pop ecx
0043661D mov dword ptr ds:[ecx],ebx
0043661F 8B0C24 mov ecx,dword ptr ss:[esp]
8F05 ADFE4100 pop dword ptr ds:[41FEAD]
FF35 8DFD4100 push dword ptr ds:[41FD8D]
0043662E C70424 48A24000 mov dword ptr ss:[esp],NgaMy.0040A248
B9FD4100 mov dword ptr ds:[41FDB9],eax
0043663B FF35 B9FD4100 push dword ptr ds:[41FDB9]
nop
nop
pushad
E8 call NgaMy.0043664A //F4到这里,然后用ESP
89 15 F5 FD 41 00 FF 35 F5 FD 41 00 8F 05 2D FE 41 00 FF 35 2D FE 41 00 C7 04 24 60 00 00 00 56
89 0C 24 68 8D FD 41 00 59 89 19 8B 0C 24 8F 05 AD FE 41 00 FF 35 8D FD 41 00 C7 04 24 48 A2 40
00 89 05 B9 FD 41 00 FF 35 B9 FD 41 00

11.落脚点到这个位置,还是一样二进制复制pushad上面的代码(记得清除硬件断点),然后F4运行到pushad下面一行使用ESP定律,下硬件访问断点,shift+F9一次

00436F16     1DFD4100         push NgaMy.0041FD1D     ;//落脚点
00436F1B pop eax
00436F1C mov dword ptr ds:[eax],esi
00436F1E 8F05 79FC4100 pop dword ptr ds:[41FC79]
00436F24 8B05 79FC4100 mov eax,dword ptr ds:[41FC79]
00436F2A FF35 1DFD4100 push dword ptr ds:[41FD1D]
00436F30 push esi
00436F31 891C24 mov dword ptr ss:[esp],ebx
00436F34 C70424 383D4000 mov dword ptr ss:[esp],NgaMy.00403D38
00436F3B 8B3424 mov esi,dword ptr ss:[esp]
00436F3E 8F05 A5FE4100 pop dword ptr ds:[41FEA5]
00436F44 01FF4100 mov dword ptr ds:[41FF01],eax
00436F4A FF35 01FF4100 push dword ptr ds:[41FF01]
00436F50 891C24 mov dword ptr ss:[esp],ebx
00436F53 push esi
00436F54 C70424 45FE4100 mov dword ptr ss:[esp],NgaMy.0041FE45
00436F5B 8F05 31FE4100 pop dword ptr ds:[41FE31]
00436F61 nop
00436F62 nop
00436F63 pushad
00436F64 E8 call NgaMy.00436F6A ;//F4到这里,然后ESP
68 1D FD 41 00 58 89 30 8F 05 79 FC 41 00 8B 05 79 FC 41 00 FF 35 1D FD 41 00 56 89 1C 24 C7 04
24 38 3D 40 00 8B 34 24 8F 05 A5 FE 41 00 89 05 01 FF 41 00 FF 35 01 FF 41 00 89 1C 24 56 C7 04
24 45 FE 41 00 8F 05 31 FE 41 00

12.同步骤10和步骤11一样的操作,再来一次ESP,shift+F9运行一次

0043783F    8B1D 31FE4100       mov ebx,dword ptr ds:[41FE31]                   ; //落脚点
mov dword ptr ds:[ebx],esi
8F05 39FC4100 pop dword ptr ds:[41FC39]
0043784D FF35 39FC4100 push dword ptr ds:[41FC39]
5B pop ebx
8F05 09FE4100 pop dword ptr ds:[41FE09]
0043785A 891D 21FC4100 mov dword ptr ds:[41FC21],ebx
FF35 21FC4100 push dword ptr ds:[41FC21]
C705 19FC4100 09FE4>mov dword ptr ds:[41FC19],NgaMy.0041FE09
8B1D 19FC4100 mov ebx,dword ptr ds:[41FC19]
8B33 mov esi,dword ptr ds:[ebx]
8F05 FDFB4100 pop dword ptr ds:[41FBFD]
0043787E 8B1D FDFB4100 mov ebx,dword ptr ds:[41FBFD]
FF15 45FE4100 call dword ptr ds:[41FE45]
0043788A nop
0043788B nop
0043788C pushad
0043788D E8 call NgaMy. ;//F4到这里,然后ESP
8B 1D 31 FE 41 00 89 33 8F 05 39 FC 41 00 FF 35 39 FC 41 00 5B 8F 05 09 FE 41 00 89 1D 21 FC 41
00 FF 35 21 FC 41 00 C7 05 19 FC 41 00 09 FE 41 00 8B 1D 19 FC 41 00 8B 33 8F 05 FD FB 41 00 8B
1D FD FB 41 00 FF 15 45 FE 41 00

13.落脚后,还是二进制复制pushad上面的代码(记得清除硬件断点),然后F4运行到pushad下一行,然后shift+F9,不过这次要多运行几次,找到和我们需要的代码长得差不多的。

0043813D    890D B1FD4100       mov dword ptr ds:[41FDB1],ecx   ;//落脚点
FF35 B1FD4100 push dword ptr ds:[41FDB1]
8F05 B5FC4100 pop dword ptr ds:[41FCB5]
0043814F FF35 B5FC4100 push dword ptr ds:[41FCB5]
push esi
BE FDFC4100 mov esi,NgaMy.0041FCFD
0043815B 893E mov dword ptr ds:[esi],edi
0043815D 5E pop esi
0043815E FF35 FDFC4100 push dword ptr ds:[41FCFD]
push
8F05 E5FC4100 pop dword ptr ds:[41FCE5]
0043816F FF35 E5FC4100 push dword ptr ds:[41FCE5]
5F pop edi
893D 3DFE4100 mov dword ptr ds:[41FE3D],edi
0043817C FF35 3DFE4100 push dword ptr ds:[41FE3D]
8B0C24 mov ecx,dword ptr ss:[esp]
8F05 7DFE4100 pop dword ptr ds:[41FE7D]
0043818B nop
0043818C nop
0043818D pushad
0043818E push eax ;//F4到这里,然后ESP
89 0D B1 FD 41 00 FF 35 B1 FD 41 00 8F 05 B5 FC 41 00 FF 35 B5 FC 41 00 56 BE FD FC 41 00 89 3E
5E FF 35 FD FC 41 00 68 94 00 00 00 8F 05 E5 FC 41 00 FF 35 E5 FC 41 00 5F 89 3D 3D FE 41 00 FF
35 3D FE 41 00 8B 0C 24 8F 05 7D FE 41 00

14.同样复制 pushad 上面的代码,清除硬件断点,F4 运行到 pushad 下面一行用 ESP 定律,还是多运行几次。

00438ACD    8B3C24              mov edi,dword ptr ss:[esp]      ; //落脚点
00438AD0 8F05 79FD4100 pop dword ptr ds:[41FD79]
00438AD6 25FC4100 mov dword ptr ds:[41FC25],esi
00438ADC FF35 25FC4100 push dword ptr ds:[41FC25]
00438AE2 890C24 mov dword ptr ss:[esp],ecx
00438AE5 8B3C24 mov edi,dword ptr ss:[esp]
00438AE8 8F05 B9FC4100 pop dword ptr ds:[41FCB9]
00438AEE 8F05 19FE4100 pop dword ptr ds:[41FE19]
00438AF4 89FD4100 mov dword ptr ds:[41FD89],eax
00438AFA FF35 89FD4100 push dword ptr ds:[41FD89]
00438B00 push edi
00438B01 BF 19FE4100 mov edi,NgaMy.0041FE19
00438B06 8BC7 mov eax,edi
00438B08 5F pop edi
00438B09 8B08 mov ecx,dword ptr ds:[eax]
00438B0B 8F05 95FC4100 pop dword ptr ds:[41FC95]
00438B11 8B05 95FC4100 mov eax,dword ptr ds:[41FC95]
00438B17 push ebx
00438B18 nop
00438B19 nop
00438B1A pushad
00438B1B push eax ;//F4到这里,然后ESP
8B 3C 24 8F 05 79 FD 41 00 89 35 25 FC 41 00 FF 35 25 FC 41 00 89 0C 24 8B 3C 24 8F 05 B9 FC 41
00 8F 05 19 FE 41 00 89 05 89 FD 41 00 FF 35 89 FD 41 00 57 BF 19 FE 41 00 8B C7 5F 8B 08 8F 05
95 FC 41 00 8B 05 95 FC 41 00 53

15.同样复制 pushad 上面的代码,清除硬件断点,F4 运行到 pushad 下面一行用 ESP 定律,还是多运行几次。

004393FF    8F05 5DFE4100       pop dword ptr ds:[41FE5D]                       ; //落脚点
FF35 5DFE4100 push dword ptr ds:[41FE5D]
0043940B 890C24 mov dword ptr ss:[esp],ecx
0043940E 893D 91FE4100 mov dword ptr ds:[41FE91],edi
FF35 91FE4100 push dword ptr ds:[41FE91]
0043941A 8F05 81FC4100 pop dword ptr ds:[41FC81]
891D 89FE4100 mov dword ptr ds:[41FE89],ebx
FF35 89FE4100 push dword ptr ds:[41FE89]
0043942C 81FC4100 push NgaMy.0041FC81
5B pop ebx
8B0B mov ecx,dword ptr ds:[ebx]
8F05 C9FC4100 pop dword ptr ds:[41FCC9]
0043943A 8B1D C9FC4100 mov ebx,dword ptr ds:[41FCC9]
push edi
mov dword ptr ss:[esp],eax
890C24 mov dword ptr ss:[esp],ecx
8B0424 mov eax,dword ptr ss:[esp]
0043944A nop
0043944B nop
0043944C pushad
0043944D jbe short NgaMy. ;//F4到这里,然后ESP
 
8F 05 5D FE 41 00 FF 35 5D FE 41 00 89 0C 24 89 3D 91 FE 41 00 FF 35 91 FE 41 00 8F 05 81 FC 41
00 89 1D 89 FE 41 00 FF 35 89 FE 41 00 68 81 FC 41 00 5B 8B 0B 8F 05 C9 FC 41 00 8B 1D C9 FC 41
00 57 89 04 24 89 0C 24 8B 04 24

16.同样复制 pushad 上面的代码,清除硬件断点,F4 运行到 pushad 下面一行用 ESP 定律,还是多运行几次。

00439D39    8F05 D5FD4100       pop dword ptr ds:[41FDD5]                       ; //落脚点
00439D3F 8B0C24 mov ecx,dword ptr ss:[esp]
00439D42 8F05 4DFC4100 pop dword ptr ds:[41FC4D]
00439D48 push eax
00439D49 mov dword ptr ss:[esp],edx
00439D4C 8F05 BDFE4100 pop dword ptr ds:[41FEBD]
00439D52 FF35 BDFE4100 push dword ptr ds:[41FEBD]
00439D58 push ecx
00439D59 B9 DDFD4100 mov ecx,NgaMy.0041FDDD
00439D5E mov dword ptr ds:[ecx],edi
00439D60 pop ecx
00439D61 FF35 DDFD4100 push dword ptr ds:[41FDDD]
00439D67 C705 A9FE4100 >mov dword ptr ds:[41FEA9],NgaMy.
00439D71 FF35 A9FE4100 push dword ptr ds:[41FEA9]
00439D77 8B3C24 mov edi,dword ptr ss:[esp]
00439D7A 8F05 95FD4100 pop dword ptr ds:[41FD95]
00439D80 891D 29FD4100 mov dword ptr ds:[41FD29],ebx
00439D86 nop
00439D87 nop
00439D88 pushad
00439D89 E8 call NgaMy.00439D8F ;//F4到这里,然后ESP
 
8F 05 D5 FD 41 00 8B 0C 24 8F 05 4D FC 41 00 50 89 14 24 8F 05 BD FE 41 00 FF 35 BD FE 41 00 51
B9 DD FD 41 00 89 39 59 FF 35 DD FD 41 00 C7 05 A9 FE 41 00 60 55 40 00 FF 35 A9 FE 41 00 8B 3C
24 8F 05 95 FD 41 00 89 1D 29 FD 41 00

17.我已经想吐了,同样复制 pushad 上面的代码,清除硬件断点,F4 运行到 pushad 下面一行用 ESP 定律,还是多运行几次。注意 0043A736 这一行 OD 的显示里位移被吞掉了,对照下面的字节 89 65 E8 可知它是 mov dword ptr ss:[ebp-18],esp,复制字节时以字节为准。

0043A6FB    FF35 29FD4100       push dword ptr ds:[41FD29]      ; //落脚点
0043A701 8BDF mov ebx,edi
0043A703 8BD3 mov edx,ebx
0043A705 5B pop ebx
0043A706 8F05 E9FE4100 pop dword ptr ds:[41FEE9]
0043A70C 8B3D E9FE4100 mov edi,dword ptr ds:[41FEE9]
0043A712 push edx
0043A713 891C24 mov dword ptr ss:[esp],ebx
0043A716 9DFE4100 push NgaMy.0041FE9D
0043A71B 5B pop ebx
0043A71C mov dword ptr ds:[ebx],edx
0043A71E 8B1C24 mov ebx,dword ptr ss:[esp]
0043A721 8F05 49FE4100 pop dword ptr ds:[41FE49]
0043A727 8B1424 mov edx,dword ptr ss:[esp]
0043A72A 8F05 69FD4100 pop dword ptr ds:[41FD69]
0043A730 FF15 9DFE4100 call dword ptr ds:[41FE9D]
0043A736 E8 mov dword ptr ss:[ebp-],esp
0043A739 C5FD4100 mov dword ptr ds:[41FDC5],esp
0043A73F 891D 21FD4100 mov dword ptr ds:[41FD21],ebx
0043A745 FF35 21FD4100 push dword ptr ds:[41FD21]
0043A74B pushad
0043A74C je short NgaMy.0043A751 ;//F4到这里,然后ESP
FF 35 29 FD 41 00 8B DF 8B D3 5B 8F 05 E9 FE 41 00 8B 3D E9 FE 41 00 52 89 1C 24 68 9D FE 41 00
5B 89 13 8B 1C 24 8F 05 49 FE 41 00 8B 14 24 8F 05 69 FD 41 00 FF 15 9D FE 41 00 89 65 E8 89 25
C5 FD 41 00 89 1D 21 FD 41 00 FF 35 21 FD 41 00

18.同样复制 pushad 上面的代码,清除硬件断点,F4 运行到 pushad 下面一行用 ESP 定律,还是多运行几次。

0043B097     C5FD4100         push NgaMy.0041FDC5         ; //落脚点
0043B09C 5B pop ebx
0043B09D 8B33 mov esi,dword ptr ds:[ebx]
0043B09F 8B1C24 mov ebx,dword ptr ss:[esp]
0043B0A2 8F05 A9FC4100 pop dword ptr ds:[41FCA9]
0043B0A8 893E mov dword ptr ds:[esi],edi
0043B0AA push edi
0043B0AB 8F05 F5FE4100 pop dword ptr ds:[41FEF5]
0043B0B1 FF35 F5FE4100 push dword ptr ds:[41FEF5]
0043B0B7 mov dword ptr ss:[esp],esi
0043B0BA FF15 BCA04000 call dword ptr ds:[40A0BC]
0043B0C0 8B4E mov ecx,dword ptr ds:[esi+]
0043B0C3 push eax
0043B0C4 B8 F9FB4100 mov eax,NgaMy.0041FBF9
0043B0C9 mov dword ptr ds:[eax],edx
0043B0CB pop eax
0043B0CC FF35 F9FB4100 push dword ptr ds:[41FBF9]
0043B0D2 push esi
0043B0D3 C70424 ACDE4000 mov dword ptr ss:[esp],NgaMy.0040DEAC
0043B0DA 8B1424 mov edx,dword ptr ss:[esp]
0043B0DD 8F05 ADFD4100 pop dword ptr ds:[41FDAD]
0043B0E3 890A mov dword ptr ds:[edx],ecx
0043B0E5 nop
0043B0E6 nop
0043B0E7 pushad
0043B0E8 E8 call NgaMy.0043B0EE ;//F4到这里,然后ESP
68 C5 FD 41 00 5B 8B 33 8B 1C 24 8F 05 A9 FC 41 00 89 3E 57 8F 05 F5 FE 41 00 FF 35 F5 FE 41 00
89 34 24 FF 15 BC A0 40 00 8B 4E 10 50 B8 F9 FB 41 00 89 10 58 FF 35 F9 FB 41 00 56 C7 04 24 AC
DE 40 00 8B 14 24 8F 05 AD FD 41 00 89 0A

19.同样复制pushad上面的代码,清除硬件断点,F4运行到pushad下一面一行ESP定律,这次只要运行一次就好了

0043B9DA    8F05 29FE4100       pop dword ptr ds:[41FE29]                       ; //落脚点
0043B9E0 FF35 29FE4100 push dword ptr ds:[41FE29]
0043B9E6 5A pop edx
0043B9E7 8B46 mov eax,dword ptr ds:[esi+]
0043B9EA A3 B8DE4000 mov dword ptr ds:[40DEB8],eax
0043B9EF 8B56 mov edx,dword ptr ds:[esi+]
0043B9F2 push edx
0043B9F3 8F05 3DFD4100 pop dword ptr ds:[41FD3D]
0043B9F9 FF35 3DFD4100 push dword ptr ds:[41FD3D]
0043B9FF 8F05 BCDE4000 pop dword ptr ds:[40DEBC]
0043BA05 8B76 0C mov esi,dword ptr ds:[esi+C]
0043BA08 81E6 FF7F0000 and esi,7FFF
0043BA0E push ebx
0043BA0F BB 35FE4100 mov ebx,NgaMy.0041FE35
0043BA14 mov dword ptr ds:[ebx],esi
0043BA16 5B pop ebx
0043BA17 FF35 35FE4100 push dword ptr ds:[41FE35]
0043BA1D 8F05 B0DE4000 pop dword ptr ds:[40DEB0]
0043BA23 nop
0043BA24 nop
0043BA25 pushad
0043BA26 E8 call NgaMy.0043BA2C ;//F4到这里,然后ESP
8F 05 29 FE 41 00 FF 35 29 FE 41 00 5A 8B 46 04 A3 B8 DE 40 00 8B 56 08 52 8F 05 3D FD 41 00 FF
35 3D FD 41 00 8F 05 BC DE 40 00 8B 76 0C 81 E6 FF 7F 00 00 53 BB 35 FE 41 00 89 33 5B FF 35 35
FE 41 00 8F 05 B0 DE 40 00

20.落脚点是一个大跳转,F8单步跟一次

0043BE77   /EB                jmp short NgaMy.0043BE7A    ;//landing point: 2-byte short jump over one byte, into the middle of what OD decodes next
0043BE79 |E8 FF25BCBE call BEFFE47D ; misaligned decode -- the real instruction starts at 0043BE7A (FF25 BCBE4300 = jmp dword ptr [43BEBC], see step 21)
0043BE7E inc ebx ; junk decode
0043BE7F E8 add byte ptr ds:[eax-],ah
0043BE82 add byte ptr ds:[eax],al
0043BE84 add byte ptr ds:[eax],al
0043BE86 5E pop esi ; bytes after the jump; not executed on this path
0043BE87 83EE sub esi,
0043BE8A B9 mov ecx,
0043BE8F 29CE sub esi,ecx
0043BE91 BA 8A261D6A mov edx,6A1D268A
0043BE96 C1E9 shr ecx,
0043BE99 83E9 sub ecx,
0043BE9C 83F9 cmp ecx,
 

21.程序来到这里,这就是跳向假的 OEP 的地方了。它是一个 jmp dword ptr [43BEBC],目标地址是从内存读出来的,不要去看第 20 步里 0043BE79 处那几行错位的反汇编(那是从 call 的中间解码出来的垃圾指令);确认一下 [43BEBC] 里的值就是 0040305C。

0043BE7A  - FF25 BCBE4300       jmp dword ptr ds:[43BEBC]                       ;  //jump to the fake OEP: the target is read from the dword at 43BEBC (packer area), expect 0040305C there
 

22.把被抽取的代码整合一下:严格按第 10~19 步的先后顺序把各段字节拼起来,得到下面这 763 字节(23 行×32 字节 + 最后一行 27 字节)。拼完最好逐段对照每一步的字节核对一遍,这些代码里到处是对 41FBxx~41FFxx 的绝对地址引用,错一个字节整段就会跑偏。

89 15 F5 FD 41 00 FF 35 F5 FD 41 00 8F 05 2D FE 41 00 FF 35 2D FE 41 00 C7 04 24 60 00 00 00 56
89 0C 24 68 8D FD 41 00 59 89 19 8B 0C 24 8F 05 AD FE 41 00 FF 35 8D FD 41 00 C7 04 24 48 A2 40
00 89 05 B9 FD 41 00 FF 35 B9 FD 41 00 68 1D FD 41 00 58 89 30 8F 05 79 FC 41 00 8B 05 79 FC 41
00 FF 35 1D FD 41 00 56 89 1C 24 C7 04 24 38 3D 40 00 8B 34 24 8F 05 A5 FE 41 00 89 05 01 FF 41
00 FF 35 01 FF 41 00 89 1C 24 56 C7 04 24 45 FE 41 00 8F 05 31 FE 41 00 8B 1D 31 FE 41 00 89 33
8F 05 39 FC 41 00 FF 35 39 FC 41 00 5B 8F 05 09 FE 41 00 89 1D 21 FC 41 00 FF 35 21 FC 41 00 C7
05 19 FC 41 00 09 FE 41 00 8B 1D 19 FC 41 00 8B 33 8F 05 FD FB 41 00 8B 1D FD FB 41 00 FF 15 45
FE 41 00 89 0D B1 FD 41 00 FF 35 B1 FD 41 00 8F 05 B5 FC 41 00 FF 35 B5 FC 41 00 56 BE FD FC 41
00 89 3E 5E FF 35 FD FC 41 00 68 94 00 00 00 8F 05 E5 FC 41 00 FF 35 E5 FC 41 00 5F 89 3D 3D FE
41 00 FF 35 3D FE 41 00 8B 0C 24 8F 05 7D FE 41 00 8B 3C 24 8F 05 79 FD 41 00 89 35 25 FC 41 00
FF 35 25 FC 41 00 89 0C 24 8B 3C 24 8F 05 B9 FC 41 00 8F 05 19 FE 41 00 89 05 89 FD 41 00 FF 35
89 FD 41 00 57 BF 19 FE 41 00 8B C7 5F 8B 08 8F 05 95 FC 41 00 8B 05 95 FC 41 00 53 8F 05 5D FE
41 00 FF 35 5D FE 41 00 89 0C 24 89 3D 91 FE 41 00 FF 35 91 FE 41 00 8F 05 81 FC 41 00 89 1D 89
FE 41 00 FF 35 89 FE 41 00 68 81 FC 41 00 5B 8B 0B 8F 05 C9 FC 41 00 8B 1D C9 FC 41 00 57 89 04
24 89 0C 24 8B 04 24 8F 05 D5 FD 41 00 8B 0C 24 8F 05 4D FC 41 00 50 89 14 24 8F 05 BD FE 41 00
FF 35 BD FE 41 00 51 B9 DD FD 41 00 89 39 59 FF 35 DD FD 41 00 C7 05 A9 FE 41 00 60 55 40 00 FF
35 A9 FE 41 00 8B 3C 24 8F 05 95 FD 41 00 89 1D 29 FD 41 00 FF 35 29 FD 41 00 8B DF 8B D3 5B 8F
05 E9 FE 41 00 8B 3D E9 FE 41 00 52 89 1C 24 68 9D FE 41 00 5B 89 13 8B 1C 24 8F 05 49 FE 41 00
8B 14 24 8F 05 69 FD 41 00 FF 15 9D FE 41 00 89 65 E8 89 25 C5 FD 41 00 89 1D 21 FD 41 00 FF 35
21 FD 41 00 68 C5 FD 41 00 5B 8B 33 8B 1C 24 8F 05 A9 FC 41 00 89 3E 57 8F 05 F5 FE 41 00 FF 35
F5 FE 41 00 89 34 24 FF 15 BC A0 40 00 8B 4E 10 50 B8 F9 FB 41 00 89 10 58 FF 35 F9 FB 41 00 56
C7 04 24 AC DE 40 00 8B 14 24 8F 05 AD FD 41 00 89 0A 8F 05 29 FE 41 00 FF 35 29 FE 41 00 5A 8B
46 04 A3 B8 DE 40 00 8B 56 08 52 8F 05 3D FD 41 00 FF 35 3D FD 41 00 8F 05 BC DE 40 00 8B 76 0C
81 E6 FF 7F 00 00 53 BB 35 FE 41 00 89 33 5B FF 35 35 FE 41 00 8F 05 B0 DE 40 00

23.使用工具新建一个区段,ximo 教程中使用的是 topo.exe:打开该工具,浏览选中刚刚脱壳后的程序,然后数一下整合好的字节数(763)加上最后那条 5 字节 jmp,填入工具中(最好自己估摸着输入一个大一些的数,比如 0x400,留点余量),单击执行。执行完之后记录下工具中显示的内存地址,这个地址就是新增区段的起始地址;顺便确认新区段的属性里带可执行标志,否则跳过去会直接访问违例。

记录下的地址:0043E000

24.OD载入新topo处理过的程序,载入后跟随表达式,地址填写记录下的地址,也就是”0043E000”.跟随过去之后将整合好的代码粘贴到OD中nop的位置上去。

25.然后在粘贴好的代码下面一行输入汇编命令"jmp 0040305C",这个地址也就是假的 OEP 地址(OD 会按当前地址自动算好相对偏移)。这些操作都做完之后保存文件:选中新增区段里粘贴的代码连同这条 jmp,右键—复制到可执行文件—选择部分—右键—保存文件。另外要注意,被抽取的代码里有大量 mov [41FDF5],edx 这类对 0041Fxxx 的写入以及 call [41FE45] / call [41FE9D] 这类通过该区域的间接调用,0041Fxxx 就是壳所在的那个区段(入口 0041F000 就在里面),所以 dump 出来的文件里这个区段必须保留,而且属性要可写;如果 dump 时区段属性被改成只读,脱壳后的程序一运行就会在第一条写入处报访问违例。

26.文件保存好后还需要进行最后一步,就是用 LordPE 打开保存好的文件,把入口点改为 0043E000-00400000 也就是 3E000:PE 头里的 EntryPoint 填的是 RVA,也就是虚拟地址减去 ImageBase(这个样本的 ImageBase 是 00400000),改完后记得保存一下。至此这个壳就算脱掉了。虽然用 PEiD 查壳查不出来,但 PEiD 只是看入口处的特征,脱得是否完整还是要以程序功能测试为准——尤其要跑一遍弹 MessageBox 和注册热键(RegisterHotKey)的功能,因为这两个 API 正是第 4 步壳想要替换的对象。
