用OllyDbg手脱RLPack V1.17加壳的DLL
发布日期:2022-01-17 15:11 | 文章来源:源码之家
一.OEP
通常压缩壳加壳的DLL找OEP是比较简单的
DLL卸载时会再次从EP处运行,几个跳转后就会到OEP了 0094BEA0 807C24 08 01 cmp byte ptr ss:[esp 8],1
//进入OllyDBG后暂停在EP
0094BEA5 0F85 7E010000jnz 0094C029
//这里在DLL卸载时会跳转,就是去OEP的捷径了 0094C029 E9 BE3AFAFF jmp 008EFAEC
//这里就是跳OEP了
_____________________________________________
二.输入表 RLPack V1.1X Full Edition加壳exe文件会加密某些输入表,而加壳DLL则很少加密输入表的
BP GetProcAddress
Shift F9,中断后取消断点,Alt F9返回 0094BF57 56 push esi
0094BF58 FF95 E3090000call near dword ptr ss:[ebp 9E3] ; kernel32.LoadLibraryA
0094BF5E 8985 4E0A0000mov dword ptr ss:[ebp A4E],eax
0094BF64 85C0test eax,eax
0094BF66 0F84 C2000000je 0094C02E
0094BF6C 8BC6mov eax,esi
0094BF6E EB 5F jmp short 0094BFCF
0094BF70 8B85 520A0000mov eax,dword ptr ss:[ebp A52]
0094BF76 8B00mov eax,dword ptr ds:[eax]
0094BF78 A9 00000080 test eax,80000000
0094BF7D 74 14 je short 0094BF93
0094BF7F 35 00000080 xor eax,80000000
0094BF84 50 push eax
0094BF85 8B85 520A0000mov eax,dword ptr ss:[ebp A52]
0094BF8B C700 20202000mov dword ptr ds:[eax],202020 ; UNICODE " Hercegovina"
0094BF91 EB 06 jmp short 0094BF99
0094BF93 FFB5 520A0000push dword ptr ss:[ebp A52]
0094BF99 FFB5 4E0A0000push dword ptr ss:[ebp A4E]
0094BF9F FF95 E7090000call near dword ptr ss:[ebp 9E7] ; kernel32.GetProcAddress
0094BFA5 85C0test eax,eax
//返回这里
0094BFA7 0F84 81000000je 0094C02E
0094BFAD 8907mov dword ptr ds:[edi],eax ; ntdll.RtlDeleteCriticalSection
//填充系统函数地址
//EDI=008F3154 注意观察这个地址
0094BFAF 83C7 04add edi,4
0094BFB2 8B85 520A0000mov eax,dword ptr ss:[ebp A52]
0094BFB8 EB 01 jmp short 0094BFBB
0094BFBA 40 inc eax
0094BFBB 8038 00cmp byte ptr ds:[eax],0
0094BFBE 75 FA jnz short 0094BFBA
0094BFC0 40 inc eax
0094BFC1 8985 520A0000mov dword ptr ss:[ebp A52],eax
0094BFC7 66:8178 02 0080 cmp word ptr ds:[eax 2],8000
0094BFCD 74 A1 je short 0094BF70
0094BFCF 8038 00cmp byte ptr ds:[eax],0
0094BFD2 75 9C jnz short 0094BF70
0094BFD4 EB 01 jmp short 0094BFD7
0094BFD6 46 inc esi
0094BFD7 803E 00cmp byte ptr ds:[esi],0
0094BFDA 75 FA jnz short 0094BFD6
0094BFDC 46 inc esi
0094BFDD 40 inc eax
0094BFDE 8B38mov edi,dword ptr ds:[eax]
0094BFE0 E8 4B000000 call 0094C030
0094BFE5 83C0 04add eax,4
0094BFE8 8985 520A0000mov dword ptr ss:[ebp A52],eax
0094BFEE 803E 01cmp byte ptr ds:[esi],1
0094BFF1 0F85 60FFFFFFjnz 0094BF57
//循环处理输入表 现在来手动确定输入表的RVA和Size
在左下角的数据窗口Ctrl G:008F3154,点右键->Long->Address
008F3150 00000000
008F3154 7C93188A ntdll.RtlDeleteCriticalSection
008F3158 7C9210ED ntdll.RtlLeaveCriticalSection
……
008F37E0 7D610EC0 shell32.ShellExecuteA
008F37E4 00000000
008F37E8 76337CD8
008F37EC 7632311E
008F37F0 00000000 输入表开始RVA=008F3154-00870000=00083154
输入表Size=008F37F0-008F3154=0000069C 三.重定位表 其实写这篇教程的价值就在于这部分了
经过跟踪发现RLPack没有加密重定位表,这就为我们脱壳减少了麻烦 0094BFF7 68 00400000 push 4000
0094BFFC 68 54180000 push 1854
0094C001 FFB5 560A0000push dword ptr ss:[ebp A56]
0094C007 FF95 EF090000call near dword ptr ss:[ebp 9EF] ; kernel32.VirtualFree
0094C00D 68 00400000 push 4000
0094C012 68 00200C00 push 0C2000
0094C017 FFB5 3A0A0000push dword ptr ss:[ebp A3A]
0094C01D FF95 EF090000call near dword ptr ss:[ebp 9EF] ; kernel32.VirtualFree
//清理战场了
0094C023 E8 55000000 call 0094C07D
//重定位处理[/code][code]0094C07D 60 pushad
0094C07E 8BB5 460A0000mov esi,dword ptr ss:[ebp A46]
//[ebp A46]=00087000 重定位表RVA ★
0094C084 0BF6or esi,esi
0094C086 74 67 je short 0094C0EF
0094C088 8BBD 3E0A0000mov edi,dword ptr ss:[ebp A3E]
//[ebp A3E]=00400000 文件基址
0094C08E 8B4424 48 mov eax,dword ptr ss:[esp 48]
//[esp 48]=00870000 映像基址
0094C092 8985 420A0000mov dword ptr ss:[ebp A42],eax
0094C098 3BC7cmp eax,edi
//比较是否相同
0094C09A 74 53 je short 0094C0EF
//不同不跳就需要重定位处理了
//注意:此时程序没有重定位,可以现在Dump,这样脱壳后就不需要修改dump文件基址了 ★
0094C09C 03F0add esi,eax
//ESI=00087000 00870000=008F7000 重定位表VA
0094C09E EB 4A jmp short 0094C0EA
0094C0A0 8B16mov edx,dword ptr ds:[esi]
0094C0A2 8B46 04mov eax,dword ptr ds:[esi 4]
0094C0A5 8985 4A0A0000mov dword ptr ss:[ebp A4A],eax
0094C0AB 01B5 4A0A0000add dword ptr ss:[ebp A4A],esi
0094C0B1 83C6 08add esi,8
0094C0B4 EB 2C jmp short 0094C0E2
0094C0B6 0FB706 movzx eax,word ptr ds:[esi]
0094C0B9 8BD8mov ebx,eax
0094C0BB C1EB 0Cshr ebx,0C
0094C0BE 8BCBmov ecx,ebx
0094C0C0 69DB 00100000imul ebx,ebx,1000
0094C0C6 2BC3sub eax,ebx
0094C0C8 03C2add eax,edx
0094C0CA 0385 420A0000add eax,dword ptr ss:[ebp A42]
0094C0D0 83F9 03cmp ecx,3
0094C0D3 75 0A jnz short 0094C0DF
0094C0D5 2938sub dword ptr ds:[eax],edi
0094C0D7 8B8D 420A0000mov ecx,dword ptr ss:[ebp A42]
0094C0DD 0108add dword ptr ds:[eax],ecx
0094C0DF 83C6 02add esi,2
0094C0E2 3BB5 4A0A0000cmp esi,dword ptr ss:[ebp A4A]
0094C0E8 72 CC jb short 0094C0B6
0094C0EA 833E 00cmp dword ptr ds:[esi],0
0094C0ED 75 B1 jnz short 0094C0A0
//循环重定位处理
0094C0EF 61 popad
//处理完后ESI=009000F8
//Relocation Table Size=009000F8-008F7000=000090F8 ★
0094C0F0 C3 retn
_____________________________________________
四.完成脱壳 0094C028 61 popad
0094C029 E9 BE3AFAFF jmp 008EFAEC
//飞向光明之巅
0094C02E 61 popad
0094C02F C3 retn 008EFAEC 55 push ebp
//OEP RVA=008EFAEC-00870000=0007FAEC
008EFAED 8BECmov ebp,esp
008EFAEF 83C4 C4add esp,-3C
008EFAF2 B8 04F98E00 mov eax,008EF904
008EFAF7 E8 CC6DF8FF call 008768C8
008EFAFC 33C0xor eax,eax
008EFAFE A3 442C8F00 mov dword ptr ds:[8F2C44],eax
008EFB03 E8 DC4BF8FF call 008746E4 运行ImportREC,由于此DLL加载后已经进行重定位处理,所以去掉“Use PE Header From Disk”选项
选择OllyDbg的loaddll.exe进程,Pick DLL选择iBox.dll
填入OEP RVA=0007FAEC,输入表RVA=00083154,输入表Size=0000069C,Get Imports
可以新增区段修复,也可以把输入表放在程序无用的空白处。 使用LordPE修改dumped_.dll的Relocation Table RVA=00087000,Relocation Table Size=000090F8
附件中iBox.UnPacKed.dll只是简单优化,如果想优化的完美点那就要多费时间了。
脱壳完成
DLL卸载时会再次从EP处运行,几个跳转后就会到OEP了 0094BEA0 807C24 08 01 cmp byte ptr ss:[esp 8],1
//进入OllyDBG后暂停在EP
0094BEA5 0F85 7E010000jnz 0094C029
//这里在DLL卸载时会跳转,就是去OEP的捷径了 0094C029 E9 BE3AFAFF jmp 008EFAEC
//这里就是跳OEP了
_____________________________________________
二.输入表 RLPack V1.1X Full Edition加壳exe文件会加密某些输入表,而加壳DLL则很少加密输入表的
BP GetProcAddress
Shift F9,中断后取消断点,Alt F9返回 0094BF57 56 push esi
0094BF58 FF95 E3090000call near dword ptr ss:[ebp 9E3] ; kernel32.LoadLibraryA
0094BF5E 8985 4E0A0000mov dword ptr ss:[ebp A4E],eax
0094BF64 85C0test eax,eax
0094BF66 0F84 C2000000je 0094C02E
0094BF6C 8BC6mov eax,esi
0094BF6E EB 5F jmp short 0094BFCF
0094BF70 8B85 520A0000mov eax,dword ptr ss:[ebp A52]
0094BF76 8B00mov eax,dword ptr ds:[eax]
0094BF78 A9 00000080 test eax,80000000
0094BF7D 74 14 je short 0094BF93
0094BF7F 35 00000080 xor eax,80000000
0094BF84 50 push eax
0094BF85 8B85 520A0000mov eax,dword ptr ss:[ebp A52]
0094BF8B C700 20202000mov dword ptr ds:[eax],202020 ; UNICODE " Hercegovina"
0094BF91 EB 06 jmp short 0094BF99
0094BF93 FFB5 520A0000push dword ptr ss:[ebp A52]
0094BF99 FFB5 4E0A0000push dword ptr ss:[ebp A4E]
0094BF9F FF95 E7090000call near dword ptr ss:[ebp 9E7] ; kernel32.GetProcAddress
0094BFA5 85C0test eax,eax
//返回这里
0094BFA7 0F84 81000000je 0094C02E
0094BFAD 8907mov dword ptr ds:[edi],eax ; ntdll.RtlDeleteCriticalSection
//填充系统函数地址
//EDI=008F3154 注意观察这个地址
0094BFAF 83C7 04add edi,4
0094BFB2 8B85 520A0000mov eax,dword ptr ss:[ebp A52]
0094BFB8 EB 01 jmp short 0094BFBB
0094BFBA 40 inc eax
0094BFBB 8038 00cmp byte ptr ds:[eax],0
0094BFBE 75 FA jnz short 0094BFBA
0094BFC0 40 inc eax
0094BFC1 8985 520A0000mov dword ptr ss:[ebp A52],eax
0094BFC7 66:8178 02 0080 cmp word ptr ds:[eax 2],8000
0094BFCD 74 A1 je short 0094BF70
0094BFCF 8038 00cmp byte ptr ds:[eax],0
0094BFD2 75 9C jnz short 0094BF70
0094BFD4 EB 01 jmp short 0094BFD7
0094BFD6 46 inc esi
0094BFD7 803E 00cmp byte ptr ds:[esi],0
0094BFDA 75 FA jnz short 0094BFD6
0094BFDC 46 inc esi
0094BFDD 40 inc eax
0094BFDE 8B38mov edi,dword ptr ds:[eax]
0094BFE0 E8 4B000000 call 0094C030
0094BFE5 83C0 04add eax,4
0094BFE8 8985 520A0000mov dword ptr ss:[ebp A52],eax
0094BFEE 803E 01cmp byte ptr ds:[esi],1
0094BFF1 0F85 60FFFFFFjnz 0094BF57
//循环处理输入表 现在来手动确定输入表的RVA和Size
在左下角的数据窗口Ctrl G:008F3154,点右键->Long->Address
008F3150 00000000
008F3154 7C93188A ntdll.RtlDeleteCriticalSection
008F3158 7C9210ED ntdll.RtlLeaveCriticalSection
……
008F37E0 7D610EC0 shell32.ShellExecuteA
008F37E4 00000000
008F37E8 76337CD8
008F37EC 7632311E
008F37F0 00000000 输入表开始RVA=008F3154-00870000=00083154
输入表Size=008F37F0-008F3154=0000069C 三.重定位表 其实写这篇教程的价值就在于这部分了
经过跟踪发现RLPack没有加密重定位表,这就为我们脱壳减少了麻烦 0094BFF7 68 00400000 push 4000
0094BFFC 68 54180000 push 1854
0094C001 FFB5 560A0000push dword ptr ss:[ebp A56]
0094C007 FF95 EF090000call near dword ptr ss:[ebp 9EF] ; kernel32.VirtualFree
0094C00D 68 00400000 push 4000
0094C012 68 00200C00 push 0C2000
0094C017 FFB5 3A0A0000push dword ptr ss:[ebp A3A]
0094C01D FF95 EF090000call near dword ptr ss:[ebp 9EF] ; kernel32.VirtualFree
//清理战场了
0094C023 E8 55000000 call 0094C07D
//重定位处理[/code][code]0094C07D 60 pushad
0094C07E 8BB5 460A0000mov esi,dword ptr ss:[ebp A46]
//[ebp A46]=00087000 重定位表RVA ★
0094C084 0BF6or esi,esi
0094C086 74 67 je short 0094C0EF
0094C088 8BBD 3E0A0000mov edi,dword ptr ss:[ebp A3E]
//[ebp A3E]=00400000 文件基址
0094C08E 8B4424 48 mov eax,dword ptr ss:[esp 48]
//[esp 48]=00870000 映像基址
0094C092 8985 420A0000mov dword ptr ss:[ebp A42],eax
0094C098 3BC7cmp eax,edi
//比较是否相同
0094C09A 74 53 je short 0094C0EF
//不同不跳就需要重定位处理了
//注意:此时程序没有重定位,可以现在Dump,这样脱壳后就不需要修改dump文件基址了 ★
0094C09C 03F0add esi,eax
//ESI=00087000 00870000=008F7000 重定位表VA
0094C09E EB 4A jmp short 0094C0EA
0094C0A0 8B16mov edx,dword ptr ds:[esi]
0094C0A2 8B46 04mov eax,dword ptr ds:[esi 4]
0094C0A5 8985 4A0A0000mov dword ptr ss:[ebp A4A],eax
0094C0AB 01B5 4A0A0000add dword ptr ss:[ebp A4A],esi
0094C0B1 83C6 08add esi,8
0094C0B4 EB 2C jmp short 0094C0E2
0094C0B6 0FB706 movzx eax,word ptr ds:[esi]
0094C0B9 8BD8mov ebx,eax
0094C0BB C1EB 0Cshr ebx,0C
0094C0BE 8BCBmov ecx,ebx
0094C0C0 69DB 00100000imul ebx,ebx,1000
0094C0C6 2BC3sub eax,ebx
0094C0C8 03C2add eax,edx
0094C0CA 0385 420A0000add eax,dword ptr ss:[ebp A42]
0094C0D0 83F9 03cmp ecx,3
0094C0D3 75 0A jnz short 0094C0DF
0094C0D5 2938sub dword ptr ds:[eax],edi
0094C0D7 8B8D 420A0000mov ecx,dword ptr ss:[ebp A42]
0094C0DD 0108add dword ptr ds:[eax],ecx
0094C0DF 83C6 02add esi,2
0094C0E2 3BB5 4A0A0000cmp esi,dword ptr ss:[ebp A4A]
0094C0E8 72 CC jb short 0094C0B6
0094C0EA 833E 00cmp dword ptr ds:[esi],0
0094C0ED 75 B1 jnz short 0094C0A0
//循环重定位处理
0094C0EF 61 popad
//处理完后ESI=009000F8
//Relocation Table Size=009000F8-008F7000=000090F8 ★
0094C0F0 C3 retn
_____________________________________________
四.完成脱壳 0094C028 61 popad
0094C029 E9 BE3AFAFF jmp 008EFAEC
//飞向光明之巅
0094C02E 61 popad
0094C02F C3 retn 008EFAEC 55 push ebp
//OEP RVA=008EFAEC-00870000=0007FAEC
008EFAED 8BECmov ebp,esp
008EFAEF 83C4 C4add esp,-3C
008EFAF2 B8 04F98E00 mov eax,008EF904
008EFAF7 E8 CC6DF8FF call 008768C8
008EFAFC 33C0xor eax,eax
008EFAFE A3 442C8F00 mov dword ptr ds:[8F2C44],eax
008EFB03 E8 DC4BF8FF call 008746E4 运行ImportREC,由于此DLL加载后已经进行重定位处理,所以去掉“Use PE Header From Disk”选项
选择OllyDbg的loaddll.exe进程,Pick DLL选择iBox.dll
填入OEP RVA=0007FAEC,输入表RVA=00083154,输入表Size=0000069C,Get Imports
可以新增区段修复,也可以把输入表放在程序无用的空白处。 使用LordPE修改dumped_.dll的Relocation Table RVA=00087000,Relocation Table Size=000090F8
附件中iBox.UnPacKed.dll只是简单优化,如果想优化的完美点那就要多费时间了。
脱壳完成
版权声明:本站文章来源标注为YINGSOO的内容版权均为本站所有,欢迎引用、转载,请保持原文完整并注明来源及原文链接。禁止复制或仿造本网站,禁止在非www.yingsoo.com所属的服务器上建立镜像,否则将依法追究法律责任。本站部分内容来源于网友推荐、互联网收集整理而来,仅供学习参考,不代表本站立场,如有内容涉嫌侵权,请联系alex-e#qq.com处理。
相关文章
上一篇:
关注官方微信