特定码——用OllyDBG手脱Enigma Protector V1.12加壳的试炼品.doc

特定码用OllyDBG手脱Enigma Protector V1.12加壳的试炼品减小字体 增大字体 作者：佚名来源：不详发布时间：2009-11-3 4:59:37 收藏到网摘： 合作洽谈 破解下载：/viewthread.php?tid=3806软件大小：1.21M软件简介：EnigmaProtectorservesforsoftwareprotectionofapplications.Itdefendingyourworkfromprogramcrackerswithstate-of-the-artencryption,datacompression,andothersecurityfeatures.EnigmaProtectorprovidescreationtrialandregisteredapplications,withpossibilityofthecheckingmodeparameterswithhelpinternalEnigmaAPIfunctions.Itallowsyoutodesignandaddacompletesoftwareprotectionandregistration-keysystemtoyourexistingprograms.ItworkswithanylanguagewhichproduceWindowsPEfiles.EnigmaworkswithWinPE32executables(*.exe),screensavers(*.scr),dynamiclibraryes(*.dll,*.ocx).【作者声明】：只是感兴趣，没有其他目的。失误之处敬请诸位大侠赐教【调试环境】：WinXP、OllyDBD、PEiD、LordPE、ImportREC【脱壳过程】：ENIGMAProtector是俄罗斯新出的一款保护壳，有发展为猛壳的潜质。使用ENIGMAProtectorV1.12.CracKed.eXe对Win98的记事本加壳。选项如下：一、特定码特定码？先简单说个例子吧，UPX的手动脱壳大家想必都清楚了。一般我们会Ctrl+F搜索popad，或者Ctrl+B搜索61E90040EA1E61popad/会搜索到这里0040EA1FE9A826FFFFjmp004010CC/飞向光明之巅我们都知道，对于UPX来说，popad就是其跳转OEP前的特定命令。如果写OllyScript脚本的话可以这样：findopeip,#61#推而广之：对于其它壳来说，我们在其处理输入表、跳OEP等过程中有的也可以找到这样特定的命令，而这些命令对于某壳某些版本来说是固定的，可以被反复验证使用，借助这些特定代码，可以大大简化对此壳的脱壳步骤、节省脱壳时间。此类代码姑且我名之曰：特定码。当然，你可以用其它的名称。下面就使用ENIGMAProtector的特定码来演示对其试炼品脱壳。shoooo写过EnigmaprotectorV1.02.build.4.00主程序脱壳，建议先参看。二、代码段解码+首次处理输入表加密设置OllyDBD忽略所有异常选项。清除以前的所有断点，用IsDebug插件去掉OllyDBD的调试器标志。00421B9360pushad/进入OllyDBG后暂停在这00421B94E800000000call00421B9900421B995Dpopebp00421B9A83C5FAaddebp,-6Alt+M，在代码段401000段设置内存写入断点，Shift+F9Wait00D4267FF3:A5repmovsdwordptres:edi,dwordptrds:esi/中断在这里00D4268189C1movecx,eax00D4268383E103andecx,300D42686F3:A4repmovsbyteptres:edi,byteptrds:esi00D426885Fpopedi00D426895Epopesi00D4268AC3retnEnigmaProtector对程序输入表加密的样式如下：0040343AFF15F0634000calldwordptrds:4063F0;SHELL32.ShellExecuteA/原始的0040343AFF15396ED900calldwordptrds:D96E39;00D97318/加密后D96E39处原先保存的是API系统函数地址，EnigmaProtector在下面要改成加密地址。或许不容易理解，多做几遍认真分析就明白了。Ctrl+S搜索命令序列：incesidecebp00D509D98B07moveax,dwordptrds:edi00D509DB33D2xoredx,edx00D509DDE8DA050000call00D50FBC00D509E28BD8movebx,eax00D509E484DBtestbl,bl00D509E67424jeshort00D50A0C00D509E833C9xorecx,ecx00D509EA8ACBmovcl,bl00D509EC8BD7movedx,edi00D509EE8B442408moveax,dwordptrss:esp+800D509F2E8C145FFFFcall00D44FB800D509F733C0xoreax,eax00D509F98AC3moval,bl00D509FB03F8addedi,eax00D509FD33C0xoreax,eax00D509FF8AC3moval,bl00D50A0101442408adddwordptrss:esp+8,eax00D50A0533DBxorebx,ebx00D50A07E982F8FFFFjmp00D5028E00D50A0C803C2400cmpbyteptrss:esp,000D50A107521jnzshort00D50A3300D50A128B442408moveax,dwordptrss:esp+800D50A16C60068movbyteptrds:eax,6800D50A19FF442408incdwordptrss:esp+800D50A1D8B442408moveax,dwordptrss:esp+800D50A218938movdwordptrds:eax,edi00D50A238344240804adddwordptrss:esp+8,400D50A288B442408moveax,dwordptrss:esp+800D50A2CC600C3movbyteptrds:eax,0C300D50A2FFF442408incdwordptrss:esp+800D50A338D04F6leaeax,dwordptrds:esi+esi*800D50A368B151000D700movedx,dwordptrds:D7001000D50A3C8B4C2404movecx,dwordptrss:esp+400D50A40894C0201movdwordptrds:edx+eax+1,ecx/改写加密的API地址，需要修改。00D50A4446incesi/找到这里00D50A454Ddecebp00D50A460F85D3F7FFFFjnz00D5021F00D50A4C83C414addesp,1400D50A4F5Dpopebp00D50A505Fpopedi00D50A515Epopesi00D50A525Bpopebx00D50A53C3retn但是现在还不能修改00D50A40，因为有检验。继续看三、去除壳检验注意，此时我们不能使用硬件断点也不能使用普通断点以及修改壳代码。硬件断点的Anti没有分析，猜测是采用类似tELock清除DRx的方法，而壳代码内的普通断点则是由壳检验来“包含”检测。现在选择00D50A40处的几个字节，右键-断点-内存访问Shit+F9，中断在00D525E8处，这里就是计算检验值了。00D525E333F6xoresi,esi00D525E58D143Eleaedx,dwordptrds:esi+edi00D525E88A12movdl,byteptrds:edx00D525EA92xchgeax,edx00D525EBE8BCFFFFFFcall00D525AC00D525F046incesi00D525F14Bdecebx00D525F275F1jnzshort00D525E5/循环计算壳代码检验值00D525F483F0FFxoreax,FFFFFFFF00D525F7EB02jmpshort00D525FB00D525F933C0xoreax,eax00D525FB5Fpopedi00D525FC5Epopesi00D525FD5Bpopebx00D525FE5Dpopebp00D525FFC20800retn8清除内存断点，F4至00D525F7处，EAX=6386B0E0，这个就是此程序壳代码的检验值。因为我们避开代码段、输入表加密时要修改壳代码，所以这里需要把检验值固定下来，否则壳就挂了。0D525F4处固定检验值修改如下：00D525F4B8E0B08663moveax,6386B0E000D525F990nop00D525FA90nop00D525FB5Fpopedi00D525FC5Epopesi00D525FD5Bpopebx00D525FE5Dpopebp00D525FFC20800retn8现在可以修改00D50A40处避开加密了：00D50A40894C0201movdwordptrds:edx+eax+1,ecx/改写加密的API地址，修改为NOP00D50A4446incesi附：ENIGMAProtector对API普通断点的检测00D50BAA8B1Emovebx,dwordptrds:esi00D50BAC80FBCCcmpbl,0CC00D50BAF7518jnzshort00D50BC900D50BB18D45F8leaeax,dwordptrss:ebp-800D50BB48B15E0D4D500movedx,dwordptrds:D5D4E000D50BBA8B12movedx,dwordptrds:edx00D50BBCE8872DFFFFcall00D4394800D50BC18B45F8moveax,dwordptrss:ebp-800D50BC4E84F000000call00D50C1800D50BC9B201movdl,100D50BCB8BC3moveax,ebx00D50BCDE8EA030000call00D50FBC00D50BD225FF000000andeax,0FF00D50BD703F0addesi,eax00D50BD980C33Eaddbl,3E00D50BDC80EB02subbl,200D50BDF7209jbshort00D50BEA00D50BE180EB25subbl,2500D50BE47404jeshort00D50BEA00D50BE685C0testeax,eax00D50BE875C0jnzshort00D50BAA00D50BEA83C704addedi,400D50BEDFF4DFCdecdwordptrss:ebp-400D50BF075ABjnzshort00D50B9D四、搞定普通加密的输入表Ctrl+S在“整个段块”搜索命令序列：incebxdecdwordptrss:esp找到在00D4FB00处，在其上的00D4FAFA处下断，Shift+F9，确定弹出的演示提示，中断下来00D4FAA8E83B47FFFFcall00D441E800D4FAAD48deceax00D4FAAE85C0testeax,eax00D4FAB07254jbshort00D4FB0600D4FAB240inceax00D4FAB3890424movdwordptrss:esp,eax00D4FAB633DBxorebx,ebx00D4FAB88D04DBleaeax,dwordptrds:ebx+ebx*800D4FABB8B16movedx,dwordptrds:esi00D4FABD8B440205moveax,dwordptrds:edx+eax+500D4FAC1E82247FFFFcall00D441E800D4FAC68BD0movedx,eax00D4FAC84Adecedx00D4FAC985D2testedx,edx00D4FACB7233jbshort00D4FB0000D4FACD42incedx00D4FACE33C0xoreax,eax00D4FAD08D0CDBleaecx,dwordptrds:ebx+ebx*800D4FAD38B3Emovedi,dwordptrds:esi00D4FAD58B7C0F05movedi,dwordptrds:edi+ecx+500D4FAD9833C8700cmpdwordptrds:edi+eax*4,000D4FADD741Djeshort00D4FAFC00D4FADF8B3Emovedi,dwordptrds:esi00D4FAE18D4C0F01leaecx,dwordptrds:edi+ecx+100D4FAE58D3CDBleaedi,dwordptrds:ebx+ebx*800D4FAE88B2Emovebp,dwordptrds:esi00D4FAEA8B7C3D05movedi,dwordptrss:ebp+edi+500D4FAEE8B3C87movedi,dwordptrds:edi+eax*400D4FAF18B2DC4D5D500movebp,dwordptrds:D5D5C400D4FAF7037D00addedi,dwordptrss:ebp00D4FAFA890Fmovdwordptrds:edi,ecx/修改IAT地址为加密地址，这里下断。/修改为：JMP00D4FB0C00D4FAFC40inceax00D4FAFD4Adecedx00D4FAFE75D0jnzshort00D4FAD000D4FB0043incebx/找到这里00D4FB01FF0C24decdwordptrss:esp00D4FB0475B2jnzshort00D4FAB800D4FB065Apopedx00D4FB075Dpopebp00D4FB085Fpopedi00D4FB095Epopesi00D4FB0A5Bpopebx00D4FB0BC3retn/再次下断Patch代码如下：00D4FB0C56pushesi00D4FB0D53pushebx00D4FB0E8B31movesi,dwordptrds:ecx;shell32.ShellExecuteA/ecx是正确的API函数系统地址00D4FB108B1Fmovebx,dwordptrds:edi/edi是IAT地址00D4FB128933movdwordptrds:ebx,esi/放入正确的API函数系统地址00D4FB145Bpopebx00D4FB155Epopesi00D4FB16EBE4jmpshort00D4FAFC/循环从OllyDBG中二进制复制：56538B318B1F89335B5EEBE4写好Patch代码后在00D4FB0B处下断，Shift+F9，中断后输入表处理完毕可以运行LordPE完全Dump此进程了，否则下面要进行某些重定位处理了在数据窗口察看输入表函数：004062DC00000000004062E077DAEBE7advapi32.RegSetValueExA/开始004062E477DA7883advapi32.RegQueryValueExA00406514763300CEcomdlg32.CommDlgExtendedError0040651876322533comdlg32.GetFileTitleA0040651C00000000/结束运行ImportREC，填入IATRVA=000062E0，Size=0000023C获取输入表，发现几个无效的特殊函数，等到OEP后再分析看看。五、避开数据段地址重定位EnigmaProtector还会对数据段地址重定位，如：00401159A1B8574000moveax,dwordptrds:4057B8/原始的00401159A1B8F7D800moveax,dwordptrds:D8F7B8/重定位后Ctrl+F搜索命令:andeax,7FFFFFFF找到在00D5AC35处，在其上的00D5ABE0处下断，Shift+F9，中断后取消断点00D5ABE0A900000080testeax,80000000/这里下断00D5ABE57528jnzshort00D5AC0F00D5ABE78B1584D4D500movedx,dwordptrds:D5D48400D5ABED8B12movedx,dwordptrds:edx/edx=00D5C304=00D8F00000D5ABEF8B0DC4D5D500movecx,dwordptrds:D5D5C400D5ABF52B11subedx,dwordptrds:ecx00D5ABF78B0DC8D5D500movecx,dwordptrds:D5D5C800D5ABFD2B91ED000000subedx,dwordptrds:ecx+ED00D5AC038B0DC4D5D500movecx,dwordptrds:D5D5C400D5AC090301addeax,dwordptrds:ecx00D5AC0B0110adddwordptrds:eax,edx00D5AC0DEB36jmpshort00D5AC4500D5AC0F8B0D84D4D500movecx,dwordptrds:D5D48400D5AC158B09movecx,dwordptrds:ecx00D5AC178B35C4D5D500movesi,dwordptrds:D5D5C400D5AC1D2B0Esubecx,dwordptrds:esi00D5AC1F8B15C8D5D500movedx,dwordptrds:D5D5C800D5AC258B92ED000000movedx,dwordptrds:edx+ED00D5AC2B2BCAsubecx,edx00D5AC2D8B3584D4D500movesi,dwordptrds:D5D48400D5AC338B36movesi,dwordptrds:esi00D5AC3525FFFFFF7Fandeax,7FFFFFFF/找到这里00D5AC3A03F0addesi,eax00D5AC3CA1C8D5D500moveax,dwordptrds:D5D5C800D5AC412BF2subesi,edx00D5AC43010Eadddwordptrds:esi,ecx00D5AC458305D002D70004adddwordptrds:D702D0,400D5AC4CA1D002D700moveax,dwordptrds:D702D000D5AC518B00moveax,dwordptrds:eax00D5AC5385C0testeax,eax00D5AC557589jnzshort00D5ABE000D5AC57A1C8D5D500moveax,dwordptrds:D5D5C8/数据段地址重定位处理完毕00D5AC5C83783400cmpdwordptrds:eax+34,000D5AC600F849E000000je00D5AD04当我们走至00D5ABED时，在数据窗口中跟随edx，00D8F000处保存的就是还未重定位的数据段！看看Test.ENIGMA.Protector.eXe的数据段VirtualSize=00001000，00D8F000+0000100000D90000在OllyDBG中把00D8F000-00D90000处数据二进制复制，然后用WinHex保存为data.binF4至00D5AC57处，数据段地址重定位处理完毕六、OEP+StolenOEPCode准备找OEP吧，你也可以根据目标程序的语言特征或者其它方法来走至OEPCtrl+S在“整个段块”搜索命令序列：popadretn找到在00D4B4DB处，选择00D4B4DB处一些字节，设置内存访问断点00D4B4C468544F4550push50454F5400D4B4C960pushad00D4B4CA31C0xoreax,eax00D4B4CCB95453495Amovecx,5A49535400D4B4D1BF54414452movedi,5244415400D4B4D6F2:AArepnestosbyteptres:edi00D4B4D847incedi00D4B4D9ABstosdwordptres:edi00D4B4DAABstosdwordptres:edi00D4B4DB61popad/找到这里，设置内存访问断点00D4B4DCC3retnShift+F9，中断后取消内存断点00D525E88A12movdl,byteptrds:edx/中断在这里00D525EA92xchgeax,edx00D525EBE8BCFFFFFFcall00D525AC00D525F046incesi00D525F14Bdecebx00D525F275F1jnzshort00D525E500D525F4B8E0B08663moveax,6386B0E000D525F990nop00D525FA90nop00D525FB5Fpopedi00D525FC5Epopesi00D525FD5Bpopebx00D525FE5Dpopebp00D525FFC20800retn8原来这里还要校验，取消内存断点，00D525FF处下断，Shift+F9，中断后取消断点。再次在00D4B4DB处设置内存访问断点，Shift+F9，中断后取消断点。00D4B52C8B16movedx,dwordptrds:esi/中断在这里00D4B52E81FA54414452cmpedx,5244415400D4B5347418jeshort00D4B54E00D4B53681FA544F4550cmpedx,50454F5400D4B53C7410jeshort00D4B54E00D4B53E81FA5453495Acmpedx,5A49535400D4B5447408jeshort00D4B54E00D4B54681FA43524354cmpedx,5443524300D4B54C7540jnzshort00D4B58E00D4B54E8BDAmovebx,edx00D4B55081EB544F4550subebx,50454F5400D4B556741Fjeshort00D4B57700D4B55881EB00F2FE01subebx,1FEF20000D4B55E7412jeshort00D4B57200D4B56081EBEF10FF01subebx,1FF10EF00D4B5667419jeshort00D4B58100D4B56881EB11010606subebx,606011100D4B56E740Cjeshort00D4B57C00D4B570EB12jmpshort00D4B58400D4B5728B550Cmovedx,dwordptrss:ebp+C00D4B575EB0Djmpshort00D4B58400D4B5778B55FCmovedx,dwordptrss:ebp-400D4B57AEB08jmpshort00D4B58400D4B57C8B5510movedx,dwordptrss:ebp+1000D4B57FEB03jmpshort00D4B58400D4B5818B5508movedx,dwordptrss:ebp+800D4B5848910movdwordptrds:eax,edx00D4B58683C004addeax,400D4B58983C604addesi,400D4B58CEB9Ejmpshort00D4B52C00D4B58E81FA54454E44cmpedx,444E455400D4B5947406jeshort00D4B59C00D4B5968810movbyteptrds:eax,dl/注意这里，EAX=00D92CD8，壳把00D4B4DB处数据又挪移了00D4B59840inceax00D4B59946incesi00D4B59AEB90jmpshort00D4B52C00D4B59C2BF1subesi,ecx00D4B59E8BCEmovecx,esi00D4B5A08BC1moveax,ecx00D4B5A25Epopesi00D4B5A35Bpopebx00D4B5A459popecx00D4B5A55Dpopebp00D4B5A6C20C00retn0C/这里下断，Shift+F9，中断后取消断点。EnigmaProtector当完搬运工后我们去00D92CD8处看看在00D92CDB的popad处下断，Shift+F9，中断后取消断点。00D92CD7AAstosbyteptres:edi/清理战场00D92CD847incedi00D92CD9ABstosdwordptres:edi00D92CDAABstosdwordptres:edi00D92CDB61popad/这里下断00D92CDCC3retn/返回到004010D3-飞向光明之巅004010D3FF15E0634000calldwordptrds:4063E0/StolenOEP004010D98BF0movesi,eax004010DB8A00moval,byteptrds:eax004010DD3C22cmpal,22004010DF7513jnzshort004010F4很明显，OEP被Stolen了几行代码。由于EnigmaProtector这部分处理比较长，