Manually unpacking a DLL packed with RLPack V1.17 using OllyDbg
1. OEP
Finding the OEP of a DLL packed with an ordinary compression packer is fairly simple:
when the DLL is unloaded it runs from the EP once more, and a few jumps later it arrives at the OEP.
0094BEA0 807C24 08 01 cmp byte ptr ss:,1
//After loading into OllyDbg, execution pauses here at the EP
0094BEA5 0F85 7E010000 jnz 0094C029
//This jump is taken when the DLL is unloaded; it is the shortcut to the OEP
0094C029 E9 BE3AFAFF jmp 008EFAEC
//This is the jump to the OEP

_____________________________________________
2. Import table
RLPack V1.1X Full Edition encrypts some imports when it packs an exe, but it rarely encrypts the import table of a packed DLL.
BP GetProcAddress
Shift+F9; once the breakpoint hits, remove it and press Alt+F9 to return.
0094BF57 56 push esi
0094BF58 FF95 E3090000 call near dword ptr ss: ; kernel32.LoadLibraryA
0094BF5E 8985 4E0A0000 mov dword ptr ss:,eax
0094BF64 85C0 test eax,eax
0094BF66 0F84 C2000000 je 0094C02E
0094BF6C 8BC6 mov eax,esi
0094BF6E EB 5F jmp short 0094BFCF
0094BF70 8B85 520A0000 mov eax,dword ptr ss:
0094BF76 8B00 mov eax,dword ptr ds:
0094BF78 A9 00000080 test eax,80000000
0094BF7D 74 14 je short 0094BF93
0094BF7F 35 00000080 xor eax,80000000
0094BF84 50 push eax
0094BF85 8B85 520A0000 mov eax,dword ptr ss:
0094BF8B C700 20202000 mov dword ptr ds:,202020 ; UNICODE " Hercegovina"
0094BF91 EB 06 jmp short 0094BF99
0094BF93 FFB5 520A0000 push dword ptr ss:
0094BF99 FFB5 4E0A0000 push dword ptr ss:
0094BF9F FF95 E7090000 call near dword ptr ss: ; kernel32.GetProcAddress
0094BFA5 85C0 test eax,eax
//Returns here
0094BFA7 0F84 81000000 je 0094C02E
0094BFAD 8907 mov dword ptr ds:,eax ; ntdll.RtlDeleteCriticalSection
//Fills in the address of the system function
//EDI=008F3154, keep an eye on this address
0094BFAF 83C7 04 add edi,4
0094BFB2 8B85 520A0000 mov eax,dword ptr ss:
0094BFB8 EB 01 jmp short 0094BFBB
0094BFBA 40 inc eax
0094BFBB 8038 00 cmp byte ptr ds:,0
0094BFBE 75 FA jnz short 0094BFBA
0094BFC0 40 inc eax
0094BFC1 8985 520A0000 mov dword ptr ss:,eax
0094BFC7 66:8178 02 0080 cmp word ptr ds:,8000
0094BFCD 74 A1 je short 0094BF70
0094BFCF 8038 00 cmp byte ptr ds:,0
0094BFD2 75 9C jnz short 0094BF70
0094BFD4 EB 01 jmp short 0094BFD7
0094BFD6 46 inc esi
0094BFD7 803E 00 cmp byte ptr ds:,0
0094BFDA 75 FA jnz short 0094BFD6
0094BFDC 46 inc esi
0094BFDD 40 inc eax
0094BFDE 8B38 mov edi,dword ptr ds:
0094BFE0 E8 4B000000 call 0094C030
0094BFE5 83C0 04 add eax,4
0094BFE8 8985 520A0000 mov dword ptr ss:,eax
0094BFEE 803E 01 cmp byte ptr ds:,1
0094BFF1 0F85 60FFFFFF jnz 0094BF57
//Loop that processes the import table
Now determine the import table RVA and Size by hand.
In the data window (bottom left) press Ctrl+G: 008F3154, then right-click -> Long -> Address
008F3150 00000000
008F3154 7C93188A ntdll.RtlDeleteCriticalSection
008F3158 7C9210ED ntdll.RtlLeaveCriticalSection
……
008F37E0 7D610EC0 shell32.ShellExecuteA
008F37E4 00000000
008F37E8 76337CD8
008F37EC 7632311E
008F37F0 00000000
Import table start RVA = 008F3154 - 00870000 = 00083154
Import table Size = 008F37F0 - 008F3154 = 0000069C
3. Relocation table
The real value of this tutorial lies in this part.
Tracing showed that RLPack does not encrypt the relocation table, which spares us a good deal of trouble when unpacking.
0094BFF7 68 00400000 push 4000
0094BFFC 68 54180000 push 1854
0094C001 FFB5 560A0000 push dword ptr ss:
0094C007 FF95 EF090000 call near dword ptr ss: ; kernel32.VirtualFree
0094C00D 68 00400000 push 4000
0094C012 68 00200C00 push 0C2000
0094C017 FFB5 3A0A0000 push dword ptr ss:
0094C01D FF95 EF090000 call near dword ptr ss: ; kernel32.VirtualFree
//Cleaning up
0094C023 E8 55000000 call 0094C07D
//Relocation processing
0094C07D 60 pushad
0094C07E 8BB5 460A0000 mov esi,dword ptr ss:
//=00087000, relocation table RVA ★
0094C084 0BF6 or esi,esi
0094C086 74 67 je short 0094C0EF
0094C088 8BBD 3E0A0000 mov edi,dword ptr ss:
//=00400000, image base as stored in the file
0094C08E 8B4424 48 mov eax,dword ptr ss:
//=00870000, image base the DLL was actually loaded at
0094C092 8985 420A0000 mov dword ptr ss:,eax
0094C098 3BC7 cmp eax,edi
//Compare whether the two bases are the same
0094C09A 74 53 je short 0094C0EF
//If they differ the jump is not taken and relocation processing is needed
//Note: at this point the program has not been relocated yet; you can dump now, and then the dumped file's image base does not need to be modified after unpacking ★
0094C09C 03F0 add esi,eax
//ESI=00087000+00870000=008F7000, relocation table VA
0094C09E EB 4A jmp short 0094C0EA
0094C0A0 8B16 mov edx,dword ptr ds:
0094C0A2 8B46 04 mov eax,dword ptr ds:
0094C0A5 8985 4A0A0000 mov dword ptr ss:,eax
0094C0AB 01B5 4A0A0000 add dword ptr ss:,esi
0094C0B1 83C6 08 add esi,8
0094C0B4 EB 2C jmp short 0094C0E2
0094C0B6 0FB706 movzx eax,word ptr ds:
0094C0B9 8BD8 mov ebx,eax
0094C0BB C1EB 0C shr ebx,0C
0094C0BE 8BCB mov ecx,ebx
0094C0C0 69DB 00100000 imul ebx,ebx,1000
0094C0C6 2BC3 sub eax,ebx
0094C0C8 03C2 add eax,edx
0094C0CA 0385 420A0000 add eax,dword ptr ss:
0094C0D0 83F9 03 cmp ecx,3
0094C0D3 75 0A jnz short 0094C0DF
0094C0D5 2938 sub dword ptr ds:,edi
0094C0D7 8B8D 420A0000 mov ecx,dword ptr ss:
0094C0DD 0108 add dword ptr ds:,ecx
0094C0DF 83C6 02 add esi,2
0094C0E2 3BB5 4A0A0000 cmp esi,dword ptr ss:
0094C0E8 72 CC jb short 0094C0B6
0094C0EA 833E 00 cmp dword ptr ds:,0
0094C0ED 75 B1 jnz short 0094C0A0
//Relocation loop
0094C0EF 61 popad
//After processing, ESI=009000F8
//Relocation Table Size=009000F8-008F7000=000090F8 ★
0094C0F0 C3 retn

_____________________________________________
4. Finishing the unpack
0094C028 61 popad
0094C029 E9 BE3AFAFF jmp 008EFAEC
//Flying toward the summit of light
0094C02E 61 popad
0094C02F C3 retn
008EFAEC 55 push ebp
//OEP RVA=008EFAEC-00870000=0007FAEC
008EFAED 8BEC mov ebp,esp
008EFAEF 83C4 C4 add esp,-3C
008EFAF2 B8 04F98E00 mov eax,008EF904
008EFAF7 E8 CC6DF8FF call 008768C8
008EFAFC 33C0 xor eax,eax
008EFAFE A3 442C8F00 mov dword ptr ds:,eax
008EFB03 E8 DC4BF8FF call 008746E4
Run ImportREC. Because this DLL has already been relocated after loading, uncheck the "Use PE Header From Disk" option.
Select OllyDbg's loaddll.exe process, use Pick DLL and choose iBox.dll.
Enter OEP RVA=0007FAEC, import table RVA=00083154, import table Size=0000069C, then Get Imports.
You can fix the dump by adding a new section, or place the import table in an unused blank area of the program.
Use LordPE to set dumped_.dll's Relocation Table RVA=00087000 and Relocation Table Size=000090F8.
The attached iBox.UnPacKed.dll has only been lightly optimized; polishing it properly would take considerably more time.
Unpacking complete
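What ImportREC and LordPE write in this step is a handful of fields in the dump's PE32 optional header: AddressOfEntryPoint, the import data directory (index 1) and the base relocation data directory (index 5), plus ImageBase if the dump was taken after the stub had already relocated the DLL. The Python below is an added example (not the tutorial's or either tool's code) that locates those fields from e_lfanew using the standard PE32 layout and writes the values recovered above. The header it operates on is a constructed minimal stand-in for dumped_.dll; the parameter name dumped_before_relocation is my own.

```python
import struct

IMAGE_DIRECTORY_ENTRY_IMPORT = 1
IMAGE_DIRECTORY_ENTRY_BASERELOC = 5

# Values recovered in the tutorial
OEP_RVA = 0x7FAEC
IMPORT_DIR = (0x83154, 0x69C)
RELOC_DIR = (0x87000, 0x90F8)
FILE_IMAGE_BASE = 0x400000      # ImageBase as stored in the file
LOADED_IMAGE_BASE = 0x870000    # base the DLL was loaded at under loaddll.exe


def build_minimal_pe32_header():
    """Constructed stand-in for the dump's header: DOS header, PE signature,
    COFF header and a PE32 optional header with 16 zeroed data directories."""
    hdr = bytearray(64)
    hdr[0:2] = b'MZ'
    struct.pack_into('<I', hdr, 0x3C, 0x40)                  # e_lfanew: PE header follows the DOS header
    hdr += b'PE\0\0'
    # Machine=i386, 0 sections, timestamp, symtab, nsyms, SizeOfOptionalHeader=0xE0,
    # Characteristics = EXECUTABLE_IMAGE | 32BIT_MACHINE | DLL
    hdr += struct.pack('<HHIIIHH', 0x14C, 0, 0, 0, 0, 0xE0, 0x2102)
    opt = bytearray(0xE0)
    struct.pack_into('<H', opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into('<I', opt, 28, FILE_IMAGE_BASE)         # ImageBase
    struct.pack_into('<I', opt, 92, 16)                      # NumberOfRvaAndSizes
    return hdr + opt


def _optional_header(pe):
    """Return the file offset of the optional header, refusing anything but PE32."""
    if pe[:2] != b'MZ':
        raise ValueError('missing MZ signature')
    (e_lfanew,) = struct.unpack_from('<I', pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        raise ValueError('missing PE signature')
    opt = e_lfanew + 4 + 20                                  # skip signature and COFF header
    (magic,) = struct.unpack_from('<H', pe, opt)
    if magic != 0x10B:
        raise ValueError('only PE32 is handled here')
    return opt


def _directory_offset(pe, index):
    opt = _optional_header(pe)
    (count,) = struct.unpack_from('<I', pe, opt + 92)        # NumberOfRvaAndSizes
    if index >= count:
        raise IndexError('data directory %d not present' % index)
    return opt + 96 + 8 * index                              # DataDirectory[] starts at +0x60 in PE32


def get_data_directory(pe, index):
    return struct.unpack_from('<II', pe, _directory_offset(pe, index))


def set_data_directory(pe, index, rva, size):
    struct.pack_into('<II', pe, _directory_offset(pe, index), rva, size)


def get_entry_point(pe):
    return struct.unpack_from('<I', pe, _optional_header(pe) + 16)[0]


def get_image_base(pe):
    return struct.unpack_from('<I', pe, _optional_header(pe) + 28)[0]


def fix_dump_header(pe, dumped_before_relocation=True):
    """Write the OEP, import directory and relocation directory into the dump.
    If the dump was taken after the stub relocated the image, its pointers already
    assume LOADED_IMAGE_BASE, so ImageBase must be changed to match; a dump taken
    at the point the tutorial marks with ★ keeps the file's original ImageBase."""
    opt = _optional_header(pe)
    struct.pack_into('<I', pe, opt + 16, OEP_RVA)            # AddressOfEntryPoint
    set_data_directory(pe, IMAGE_DIRECTORY_ENTRY_IMPORT, *IMPORT_DIR)
    set_data_directory(pe, IMAGE_DIRECTORY_ENTRY_BASERELOC, *RELOC_DIR)
    if not dumped_before_relocation:
        struct.pack_into('<I', pe, opt + 28, LOADED_IMAGE_BASE)
    return pe


if __name__ == '__main__':
    pe = fix_dump_header(build_minimal_pe32_header())
    print('OEP 0x%X, import dir %r, reloc dir %r, ImageBase 0x%X' % (
        get_entry_point(pe), get_data_directory(pe, 1), get_data_directory(pe, 5), get_image_base(pe)))
```

To use it on the real dump, read dumped_.dll into a bytearray, call fix_dump_header with dumped_before_relocation set according to when you dumped, and write the buffer back; the same get_* helpers let you confirm afterwards that the loader will see the relocation directory at 00087000/000090F8, which is what makes the DLL loadable at a base other than 00400000.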