Thinstall2.517 Unpackme Unpacking
Editor: 酷酷の鱼   Updated: 2008-1-21
 

【Author of these notes】 simonzh2000

【Tools used】 Ollydbg1.10, LordPE

【Platform】 Win2000 Pro SP4 English

【Target】 Mole.exe packed with Thinstall2.517

【Author's note】 These notes are for learning and exchange only. I am a beginner at cracking, interested purely in the technique, with no other purpose; if anything here is inappropriate, I hope the author will forgive me.

            After studying brother DardBull's unpacking notes, I unpacked it myself too and am adding a few things.

Load Mole.exe in OD, use the IsDebug V1.4 plugin to clear OD's debugger flag, do not ignore exceptions,

F9, and it actually runs, without a single exception. A bit different from the usual packers, ha.

Looking in TaskMgr, there are two processes, so it looks like a debugger-based packer. That makes it easier.

1. The parent process creates the child with CreateProcess, then sets up a "being debugged" marker for the child
2. The child starts running under the parent's debugging; because of the marker, it takes a different code path
3. The parent receives the debug events generated by the child with WaitForDebugEvent and takes the corresponding action
4. After handling an event, the parent calls ContinueDebugEvent to let the child continue, and repeats step 3 until the child exits


Start over, BP CreateProcessA, F9, and it breaks here:

7FF760FA    FF15 7470F87F   CALL DWORD PTR DS:[7FF87074]             ; KERNEL32.CreateProcessA


Looking up and down from there:


7FF7600A    55              PUSH EBP
7FF7600B    8BEC            MOV EBP,ESP
7FF7600D    81EC E0000000   SUB ESP,0E0
7FF76013    833D E86FF97F 0>CMP DWORD PTR DS:[7FF96FE8],0            // do we already have the IsDebuggerPresent address?
7FF7601A    75 1C           JNZ SHORT 7FF76038

7FF7601C    68 F87BF87F     PUSH 7FF87BF8                            ; ASCII "IsDebuggerPresent"
7FF76021    68 EC7BF87F     PUSH 7FF87BEC                            ; ASCII "kernel32"
7FF76026    FF15 D872F87F   CALL DWORD PTR DS:[7FF872D8]             ; KERNEL32.GetModuleHandleA
7FF7602C    50              PUSH EAX
7FF7602D    FF15 C872F87F   CALL DWORD PTR DS:[7FF872C8]             ; KERNEL32.GetProcAddress
7FF76033    A3 E86FF97F     MOV DWORD PTR DS:[7FF96FE8],EAX

7FF76038    C705 F06FF97F 9>MOV DWORD PTR DS:[7FF96FF0],94
7FF76042    68 F06FF97F     PUSH 7FF96FF0                            // LPOSVERSIONINFO
7FF76047    FF15 9C70F87F   CALL DWORD PTR DS:[7FF8709C]             ; KERNEL32.GetVersionExA
7FF7604D    A1 AC69F97F     MOV EAX,DWORD PTR DS:[7FF969AC]
7FF76052    25 00000002     AND EAX,2000000
7FF76057    85C0            TEST EAX,EAX
7FF76059    0F84 B3010000   JE 7FF76212

7FF7605F    FF15 9870F87F   CALL DWORD PTR DS:[7FF87098]             ; KERNEL32.GetCurrentProcessId
7FF76065    50              PUSH EAX
7FF76066    68 FCCEF87F     PUSH 7FF8CEFC                            ; ASCII "%d.df"
7FF7606B    8D85 38FFFFFF   LEA EAX,DWORD PTR SS:[EBP-C8]
7FF76071    50              PUSH EAX
7FF76072    E8 5A0B0000     CALL 7FF76BD1                            // sprintf(buffer, "%d.df", pid)
7FF76077    83C4 0C         ADD ESP,0C
7FF7607A    8985 30FFFFFF   MOV DWORD PTR SS:[EBP-D0],EAX
7FF76080    8B85 30FFFFFF   MOV EAX,DWORD PTR SS:[EBP-D0]
7FF76086    8B00            MOV EAX,DWORD PTR DS:[EAX]               // buffer1
7FF76088    8985 2CFFFFFF   MOV DWORD PTR SS:[EBP-D4],EAX
7FF7608E    FFB5 2CFFFFFF   PUSH DWORD PTR SS:[EBP-D4]
7FF76094    6A 00           PUSH 0
7FF76096    6A 04           PUSH 4
7FF76098    FF15 9470F87F   CALL DWORD PTR DS:[7FF87094]             ; KERNEL32.OpenFileMappingA
7FF7609E    8945 FC         MOV DWORD PTR SS:[EBP-4],EAX             ; hFileMap
7FF760A1    8D8D 38FFFFFF   LEA ECX,DWORD PTR SS:[EBP-C8]
7FF760A7    E8 690E0000     CALL 7FF76F15                            // RtlFreeHeap(buffer1)
7FF760AC    837D FC 00      CMP DWORD PTR SS:[EBP-4],0               // did OpenFileMapping succeed?
7FF760B0    0F85 5C010000   JNZ 7FF76212                             // it did: we are the child process, jump

  

7FF760B6    C785 58FFFFFF 4>MOV DWORD PTR SS:[EBP-A8],44             // it failed: we are the parent process
7FF760C0    8D85 58FFFFFF   LEA EAX,DWORD PTR SS:[EBP-A8]            // LPSTARTUPINFO
7FF760C6    50              PUSH EAX
7FF760C7    FF15 7870F87F   CALL DWORD PTR DS:[7FF87078]             ; KERNEL32.GetStartupInfoA
7FF760CD    E8 0017FFFF     CALL 7FF677D2                            // eventually calls GetCommandLine
7FF760D2    8985 40FFFFFF   MOV DWORD PTR SS:[EBP-C0],EAX

7FF760D8    8D85 44FFFFFF   LEA EAX,DWORD PTR SS:[EBP-BC]            // LPPROCESS_INFORMATION          
7FF760DE    50              PUSH EAX
7FF760DF    8D85 58FFFFFF   LEA EAX,DWORD PTR SS:[EBP-A8]            // LPSTARTUPINFO
7FF760E5    50              PUSH EAX
7FF760E6    6A 00           PUSH 0                                   // lpCurrentDirectory
7FF760E8    6A 00           PUSH 0                                   // lpEnvironment
7FF760EA    6A 02           PUSH 2                                   // CreationFlags = DEBUG_ONLY_THIS_PROCESS
7FF760EC    6A 00           PUSH 0                                   // bInheritHandles
7FF760EE    6A 00           PUSH 0                                   // lpThreadAttributes
7FF760F0    6A 00           PUSH 0                                   // lpProcessAttributes
7FF760F2    FFB5 40FFFFFF   PUSH DWORD PTR SS:[EBP-C0]               // lpCommandLine
7FF760F8    6A 00           PUSH 0                                   // lpApplicationName
7FF760FA    FF15 7470F87F   CALL DWORD PTR DS:[7FF87074]             ; KERNEL32.CreateProcessA
7FF76100    85C0            TEST EAX,EAX
7FF76102    75 08           JNZ SHORT 7FF7610C

7FF76104    6A 00           PUSH 0
7FF76106    FF15 D472F87F   CALL DWORD PTR DS:[7FF872D4]             ; KERNEL32.ExitProcess

7FF7610C    833D E86FF97F 0>CMP DWORD PTR DS:[7FF96FE8],0
7FF76113    74 0F           JE SHORT 7FF76124
7FF76115    FF15 E86FF97F   CALL DWORD PTR DS:[7FF96FE8]             ; KERNEL32.IsDebuggerPresent
7FF7611B    85C0            TEST EAX,EAX
7FF7611D    74 05           JE SHORT 7FF76124
7FF7611F    E8 458CFEFF     CALL 7FF5ED69                            // debugger present: enter an infinite loop

7FF76124    FFB5 4CFFFFFF   PUSH DWORD PTR SS:[EBP-B4]               // child pid from PROCESS_INFORMATION
7FF7612A    68 FCCEF87F     PUSH 7FF8CEFC                            ; ASCII "%d.df"
7FF7612F    8D85 34FFFFFF   LEA EAX,DWORD PTR SS:[EBP-CC]
7FF76135    50              PUSH EAX                                 // buffer2
7FF76136    E8 960A0000     CALL 7FF76BD1                            // sprintf()
7FF7613B    83C4 0C         ADD ESP,0C

7FF7613E    8985 28FFFFFF   MOV DWORD PTR SS:[EBP-D8],EAX            // create the "being debugged" marker for the child
7FF76144    8B85 28FFFFFF   MOV EAX,DWORD PTR SS:[EBP-D8]
7FF7614A    8B00            MOV EAX,DWORD PTR DS:[EAX]
7FF7614C    8985 24FFFFFF   MOV DWORD PTR SS:[EBP-DC],EAX
7FF76152    FFB5 24FFFFFF   PUSH DWORD PTR SS:[EBP-DC]
7FF76158    6A 04           PUSH 4
7FF7615A    6A 00           PUSH 0
7FF7615C    68 04000008     PUSH 8000004
7FF76161    6A 00           PUSH 0
7FF76163    6A FF           PUSH -1
7FF76165    FF15 8C70F87F   CALL DWORD PTR DS:[7FF8708C]             ; KERNEL32.CreateFileMappingA
7FF7616B    8985 54FFFFFF   MOV DWORD PTR SS:[EBP-AC],EAX            // hFileMap

7FF76171    8D8D 34FFFFFF   LEA ECX,DWORD PTR SS:[EBP-CC]            
7FF76177    E8 990D0000     CALL 7FF76F15                            // RtlFreeHeap(buffer2)

7FF7617C    6A 01           PUSH 1
7FF7617E    58              POP EAX
7FF7617F    85C0            TEST EAX,EAX
7FF76181    0F84 8B000000   JE 7FF76212                              // While( True ) { ... }


7FF76187    833D E86FF97F 0>CMP DWORD PTR DS:[7FF96FE8],0
7FF7618E    74 0F           JE SHORT 7FF7619F
7FF76190    FF15 E86FF97F   CALL DWORD PTR DS:[7FF96FE8]             ; KERNEL32.IsDebuggerPresent
7FF76196    85C0            TEST EAX,EAX
7FF76198    74 05           JE SHORT 7FF7619F
7FF7619A    E8 CA8BFEFF     CALL 7FF5ED69                            // debugger present: enter an infinite loop


7FF7619F    6A FF           PUSH -1                                  // Timeout = INFINITE
7FF761A1    8D45 9C         LEA EAX,DWORD PTR SS:[EBP-64]            // pDebugEvent
7FF761A4    50              PUSH EAX
7FF761A5    FF15 6072F87F   CALL DWORD PTR DS:[7FF87260]             ; KERNEL32.WaitForDebugEvent
7FF761AB    85C0            TEST EAX,EAX
7FF761AD    75 08           JNZ SHORT 7FF761B7

7FF761AF    6A 00           PUSH 0                                   
7FF761B1    FF15 D472F87F   CALL DWORD PTR DS:[7FF872D4]             ; KERNEL32.ExitProcess

7FF761B7    C785 3CFFFFFF 0>MOV DWORD PTR SS:[EBP-C4],10002          // DBG_CONTINUE

7FF761C1    8B45 9C         MOV EAX,DWORD PTR SS:[EBP-64]            
7FF761C4    8985 20FFFFFF   MOV DWORD PTR SS:[EBP-E0],EAX            // dwDebugEventCode

7FF761CA    83BD 20FFFFFF 0>CMP DWORD PTR SS:[EBP-E0],1              // EXCEPTION_DEBUG_EVENT
7FF761D1    74 0B           JE SHORT 7FF761DE
7FF761D3    83BD 20FFFFFF 0>CMP DWORD PTR SS:[EBP-E0],5              // EXIT_PROCESS_DEBUG_EVENT
7FF761DA    74 17           JE SHORT 7FF761F3
7FF761DC    EB 1D           JMP SHORT 7FF761FB

7FF761DE    817D A8 0300008>CMP DWORD PTR SS:[EBP-58],80000003       // EXCEPTION_BREAKPOINT: an int3 in the code was hit while debugging
7FF761E5    74 0A           JE SHORT 7FF761F1
7FF761E7    C785 3CFFFFFF 0>MOV DWORD PTR SS:[EBP-C4],80010001       // DBG_EXCEPTION_NOT_HANDLED: apart from int3, the child handles its own exceptions
7FF761F1    EB 08           JMP SHORT 7FF761FB

7FF761F3    6A 00           PUSH 0
7FF761F5    FF15 D472F87F   CALL DWORD PTR DS:[7FF872D4]             ; KERNEL32.ExitProcess

7FF761FB    FFB5 3CFFFFFF   PUSH DWORD PTR SS:[EBP-C4]               // ContinueStatus
7FF76201    FF75 A4         PUSH DWORD PTR SS:[EBP-5C]               // ThreadID
7FF76204    FF75 A0         PUSH DWORD PTR SS:[EBP-60]               // pid
7FF76207    FF15 5C72F87F   CALL DWORD PTR DS:[7FF8725C]             ; KERNEL32.ContinueDebugEvent

7FF7620D  ^ E9 6AFFFFFF     JMP 7FF7617C                             // End of While
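The annotations on the listing above were written by hand: PUSHes before each kernel32 CALL were paired with the API's parameters, and the cdecl arguments of the sprintf call were discarded when ADD ESP,0C cleaned them up. The helper below, added here as an example and not part of the original notes or of Thinstall, does the same mechanically. It parses OllyDbg listing lines (mnemonic at column 28, as in the copy-as-text output above), reconstructs each known stdcall call (the last push is the first parameter), names the flag bits, and records which LEA produced a register argument. Parameter orders and constant values are the documented Win32 ones; the sample input is excerpted from the listing above.

```python
"""Reconstruct Win32 API calls from OllyDbg listing text (added example, not from the notes)."""
import re
from dataclasses import dataclass
from typing import Optional

# Parameter order of the APIs the loader is seen calling (documented Win32 stdcall signatures).
API_PARAMS = {
    "CreateProcessA": ["lpApplicationName", "lpCommandLine", "lpProcessAttributes",
                       "lpThreadAttributes", "bInheritHandles", "dwCreationFlags",
                       "lpEnvironment", "lpCurrentDirectory", "lpStartupInfo", "lpProcessInformation"],
    "CreateFileMappingA": ["hFile", "lpAttributes", "flProtect", "dwMaximumSizeHigh",
                           "dwMaximumSizeLow", "lpName"],
    "OpenFileMappingA": ["dwDesiredAccess", "bInheritHandle", "lpName"],
    "WaitForDebugEvent": ["lpDebugEvent", "dwMilliseconds"],
    "ContinueDebugEvent": ["dwProcessId", "dwThreadId", "dwContinueStatus"],
}

# Symbolic names for the parameter values worth decoding (exact value first, then single bits).
FLAG_NAMES = {
    ("CreateProcessA", "dwCreationFlags"): {0x1: "DEBUG_PROCESS", 0x2: "DEBUG_ONLY_THIS_PROCESS",
                                            0x4: "CREATE_SUSPENDED"},
    ("CreateFileMappingA", "hFile"): {0xFFFFFFFF: "INVALID_HANDLE_VALUE"},
    ("CreateFileMappingA", "flProtect"): {0x4: "PAGE_READWRITE", 0x8000000: "SEC_COMMIT"},
    ("OpenFileMappingA", "dwDesiredAccess"): {0x4: "FILE_MAP_READ"},
    ("WaitForDebugEvent", "dwMilliseconds"): {0xFFFFFFFF: "INFINITE"},
    ("ContinueDebugEvent", "dwContinueStatus"): {0x10002: "DBG_CONTINUE",
                                                 0x80010001: "DBG_EXCEPTION_NOT_HANDLED"},
}

# Sample input: lines excerpted from the OllyDbg listing above.
SAMPLE_LISTING = """\
7FF7605F    FF15 9870F87F   CALL DWORD PTR DS:[7FF87098]             ; KERNEL32.GetCurrentProcessId
7FF76065    50              PUSH EAX
7FF76066    68 FCCEF87F     PUSH 7FF8CEFC                            ; ASCII "%d.df"
7FF7606B    8D85 38FFFFFF   LEA EAX,DWORD PTR SS:[EBP-C8]
7FF76071    50              PUSH EAX
7FF76072    E8 5A0B0000     CALL 7FF76BD1                            // sprintf(buffer, "%d.df", pid)
7FF76077    83C4 0C         ADD ESP,0C
7FF7608E    FFB5 2CFFFFFF   PUSH DWORD PTR SS:[EBP-D4]
7FF76094    6A 00           PUSH 0
7FF76096    6A 04           PUSH 4
7FF76098    FF15 9470F87F   CALL DWORD PTR DS:[7FF87094]             ; KERNEL32.OpenFileMappingA
7FF760D8    8D85 44FFFFFF   LEA EAX,DWORD PTR SS:[EBP-BC]            // LPPROCESS_INFORMATION
7FF760DE    50              PUSH EAX
7FF760DF    8D85 58FFFFFF   LEA EAX,DWORD PTR SS:[EBP-A8]            // LPSTARTUPINFO
7FF760E5    50              PUSH EAX
7FF760E6    6A 00           PUSH 0
7FF760E8    6A 00           PUSH 0
7FF760EA    6A 02           PUSH 2
7FF760EC    6A 00           PUSH 0
7FF760EE    6A 00           PUSH 0
7FF760F0    6A 00           PUSH 0
7FF760F2    FFB5 40FFFFFF   PUSH DWORD PTR SS:[EBP-C0]
7FF760F8    6A 00           PUSH 0
7FF760FA    FF15 7470F87F   CALL DWORD PTR DS:[7FF87074]             ; KERNEL32.CreateProcessA
7FF76152    FFB5 24FFFFFF   PUSH DWORD PTR SS:[EBP-DC]
7FF76158    6A 04           PUSH 4
7FF7615A    6A 00           PUSH 0
7FF7615C    68 04000008     PUSH 8000004
7FF76161    6A 00           PUSH 0
7FF76163    6A FF           PUSH -1
7FF76165    FF15 8C70F87F   CALL DWORD PTR DS:[7FF8708C]             ; KERNEL32.CreateFileMappingA
7FF7619F    6A FF           PUSH -1
7FF761A1    8D45 9C         LEA EAX,DWORD PTR SS:[EBP-64]            // pDebugEvent
7FF761A4    50              PUSH EAX
7FF761A5    FF15 6072F87F   CALL DWORD PTR DS:[7FF87260]             ; KERNEL32.WaitForDebugEvent
"""


@dataclass
class Instr:
    addr: int
    mnemonic: str
    operands: str
    comment: str


@dataclass
class Arg:
    text: str                 # operand as written, e.g. "DWORD PTR SS:[EBP-C0]"
    value: Optional[int]      # resolved 32-bit immediate, or None for register/memory operands
    origin: str = ""          # for register pushes: the instruction that last wrote the register


@dataclass
class Call:
    addr: int
    api: str
    args: dict


LINE_RE = re.compile(r"^([0-9A-F]{8})\s")
COMMENT_RE = re.compile(r"(?P<instr>.*?)(?:\s+(?:;|//)\s*(?P<comment>.*))?$")
API_RE = re.compile(r"\b(?:KERNEL32|kernel32)\.(\w+)")
REG_RE = re.compile(r"E[A-D]X|E[SD]I|E[BS]P")


def parse_listing(text: str) -> list:
    """Split OllyDbg lines into Instr records; the mnemonic starts at a fixed column (28)."""
    out = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m or len(raw) <= 28:
            continue                       # skip blank lines and anything that is not a listing row
        cm = COMMENT_RE.match(raw[28:].strip())
        mnemonic, _, operands = cm.group("instr").strip().partition(" ")
        out.append(Instr(int(m.group(1), 16), mnemonic.upper(), operands.strip(),
                         (cm.group("comment") or "").strip()))
    return out


def parse_imm(operand: str) -> Optional[int]:
    """OllyDbg prints immediates in hex without a prefix; '-1' becomes 0xFFFFFFFF."""
    m = re.fullmatch(r"(-?)([0-9A-F]+)", operand)
    if not m:
        return None
    value = int(m.group(2), 16)
    return (-value) & 0xFFFFFFFF if m.group(1) else value


def decode_flags(api: str, param: str, value: Optional[int]) -> list:
    """Return symbolic names for a value, or [] when nothing is known about that parameter."""
    names = FLAG_NAMES.get((api, param), {})
    if value is None or not names:
        return []
    if value in names:
        return [names[value]]
    return [name for bit, name in names.items() if value & bit == bit]


def reconstruct_calls(instrs: list) -> list:
    pending = []      # pushed arguments not yet consumed, oldest first
    last_def = {}     # register -> Instr that last wrote it (to explain "PUSH EAX")
    calls = []
    for ins in instrs:
        if ins.mnemonic == "PUSH":
            value = parse_imm(ins.operands)
            origin = ""
            if value is None and ins.operands in last_def:
                d = last_def[ins.operands]
                origin = f"{d.mnemonic} {d.operands}" + (f" ({d.comment})" if d.comment else "")
            pending.append(Arg(ins.operands, value, origin))
        elif ins.mnemonic == "CALL":
            m = API_RE.search(ins.comment)
            name = m.group(1) if m else None
            if name in API_PARAMS:
                params = API_PARAMS[name]
                args = pending[-len(params):]          # stdcall: callee pops exactly these
                del pending[len(pending) - len(args):]
                # The last push is the first parameter, so pair them in reverse.
                calls.append(Call(ins.addr, name, dict(zip(params, reversed(args)))))
            last_def["EAX"] = ins                      # any call's return value lands in EAX
        elif ins.mnemonic == "ADD" and ins.operands.upper().startswith("ESP,"):
            # cdecl cleanup (e.g. after sprintf): the caller discards n/4 pushed dwords
            n = int(ins.operands.split(",")[1], 16) // 4
            del pending[max(0, len(pending) - n):]
        elif ins.mnemonic in ("MOV", "LEA", "POP", "XOR", "AND", "OR", "SUB"):
            dest = ins.operands.split(",")[0].strip()
            if REG_RE.fullmatch(dest):
                last_def[dest] = ins
    return calls


def format_call(call: Call) -> str:
    parts = []
    for param, arg in call.args.items():
        if arg.value is not None:
            names = decode_flags(call.api, param, arg.value)
            parts.append(f"{param}=0x{arg.value:X}" + (f" ({' | '.join(names)})" if names else ""))
        else:
            parts.append(f"{param}={arg.text}" + (f"  <- {arg.origin}" if arg.origin else ""))
    return f"{call.addr:08X}  {call.api}(\n    " + ",\n    ".join(parts) + "\n)"


if __name__ == "__main__":
    for c in reconstruct_calls(parse_listing(SAMPLE_LISTING)):
        print(format_call(c))
```

Running it prints the four calls in order; CreateProcessA shows dwCreationFlags=0x2 (DEBUG_ONLY_THIS_PROCESS) and CreateFileMappingA shows hFile=INVALID_HANDLE_VALUE with flProtect PAGE_READWRITE | SEC_COMMIT, i.e. a 4-byte pagefile-backed section named "<child pid>.df", which is exactly the marker the child later probes with OpenFileMappingA(FILE_MAP_READ, ...). When analysing a different packer, only API_PARAMS and FLAG_NAMES need extending; the push/ADD ESP bookkeeping is the same.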
