Evil Octal Security Team Technical Discussion Group's Archiver

pub!1c 2006-1-22 11:57

[Repost] Manually unpacking an Armadillo-packed DLL with OllyDbg: Visual.Assist.X.V10.2.1437.0

Author: fly
Download: [url]http://www.wholetomato.com/downloads/VA_X_Setup1437.exe[/url]
Size: 3318KB
Language: English
Category: foreign software / shareware / other controls
Platform: Win9x/NT/2000/XP
Added: 2005-12-10
Downloads: 21401
Developer: [url]http://www.wholetomato.com/index.html[/url]
Description: Visual Assist X is a very good plug-in for Visual Studio .NET 2003 and 2002. It supports C/C++, C#, ASP, Visual Basic, Java, HTML and other languages, and also VC++ 6 and VC++ 5. It recognizes keywords, system functions and member variables automatically, offers input completion, corrects capitalization mistakes and marks errors, which helps automate development and improves productivity.

[Author's note]: Just out of interest, no other purpose. Where I have slipped up, corrections from the experts are welcome!

[Debugging environment]: WinXP, OllyDBG, PEiD, LordPE, ImportREC, DT_FixRes, PeMove, WinHex

—————————————————————————————————
[Unpacking process]:

A friend asked for another tutorial on unpacking Armadillo-packed DLLs, so VAX serves as the example.
Many VC users like this tool; its core VA_X.dll is packed with Armadillo.
—————————————————————————————————
1. OllyDBG settings

Use a modified OllyDBG; the stock version is detected.
[image: http://bbs.pediy.com/upload/2005/8/image/anti.gif]
How to get past these anti-debugging checks will be implemented in the ArmadilloV4.0-V4.4.DLL.osc script.

First set OllyDBG to ignore every exception option except "memory access exception" and "exception range"
[image: http://bbs.pediy.com/upload/2005/8/image/option.gif]
otherwise, if we simply run the program, what follows cannot be demonstrated clearly.

Now we are paused at the first memory exception:
00999781  8900            mov dword ptr ds:[eax],eax

Now OllyDBG can be set to ignore all exceptions.
As usual: use the IsDebug plug-in to clear OllyDBG's debugger flag.

—————————————————————————————————
2. MagicJump

Set a breakpoint: HE GetModuleHandleA
If the hardware breakpoint does not trigger, Ctrl+G: GetModuleHandleA and set the breakpoint at the end of the function
Shift+F9, and watch the stack

000698E4  00990D97  /CALL to GetModuleHandleA from 00990D91
000698E8  009A4D68  \pModule = "kernel32.dll"
000698EC  009A5F58  ASCII "VirtualAlloc"

000698E4  00990DB4  /CALL to GetModuleHandleA from 00990DAE
000698E8  009A4D68  \pModule = "kernel32.dll"
000698EC  009A5F4C  ASCII "VirtualFree"

0006965C  00979A2D  /CALL to GetModuleHandleA from 00979A27
00069660  00069798  \pModule = "kernel32.dll"

When the stack changes as shown above, the hardware breakpoint on GetModuleHandleA can be removed; Alt+F9 to return

00979A27  FF15 CCF09900   call dword ptr ds:[99F0CC]   ; kernel32.GetModuleHandleA
00979A2D  8B0D 40A19A00   mov ecx,dword ptr ds:[9AA140]
// return here
00979A33  89040E          mov dword ptr ds:[esi+ecx],eax
00979A36  A1 40A19A00     mov eax,dword ptr ds:[9AA140]
00979A3B  393C06          cmp dword ptr ds:[esi+eax],edi
00979A3E  75 16           jnz short 00979A56
00979A40  8D85 B4FEFFFF   lea eax,dword ptr ss:[ebp-14C]
00979A46  50              push eax
00979A47  FF15 D4F09900   call dword ptr ds:[99F0D4]   ; kernel32.LoadLibraryA
00979A4D  8B0D 40A19A00   mov ecx,dword ptr ds:[9AA140]
00979A53  89040E          mov dword ptr ds:[esi+ecx],eax
00979A56  A1 40A19A00     mov eax,dword ptr ds:[9AA140]
00979A5B  393C06          cmp dword ptr ds:[esi+eax],edi
00979A5E  0F84 B0000000   je 00979B14
// MagicJump! Change to: jmp 00979B14 ★
00979A64  33C9            xor ecx,ecx
00979A66  8B03            mov eax,dword ptr ds:[ebx]
00979A68  3938            cmp dword ptr ds:[eax],edi
00979A6A  74 06           je short 00979A72
00979A6C  41              inc ecx
00979A6D  83C0 0C         add eax,0C
00979A70  EB F6           jmp short 00979A68

—————————————————————————————————
3. OEP

Set a breakpoint: BP _set_new_handler
Shift+F9; once it breaks, remove the breakpoint and Alt+F9 to return

1EFBCD3C  FF15 4061FE1E   call dword ptr ds:[1EFE6140]   ; msvcrt._set_new_handler
1EFBCD42  83C4 04         add esp,4
// return here
1EFBCD45  837D FC 01      cmp dword ptr ss:[ebp-4],1
1EFBCD49  75 0E           jnz short 1EFBCD59
1EFBCD4B  68 A896FE1E     push 1EFE96A8
1EFBCD50  FF15 CC96FE1E   call dword ptr ds:[1EFE96CC]
1EFBCD56  83C4 04         add esp,4
1EFBCD59  8B45 FC         mov eax,dword ptr ss:[ebp-4]
1EFBCD5C  8BE5            mov esp,ebp
1EFBCD5E  5D              pop ebp
1EFBCD5F  C3              retn
// returns to 1EFBCDCD

1EFBCDCD  8945 FC         mov dword ptr ss:[ebp-4],eax
1EFBCDD0  837D FC 01      cmp dword ptr ss:[ebp-4],1
1EFBCDD4  75 40           jnz short 1EFBCE16
1EFBCDD6  833D C496FE1E 00  cmp dword ptr ds:[1EFE96C4],0
1EFBCDDD  74 30           je short 1EFBCE0F
1EFBCDDF  68 E898FE1E     push 1EFE98E8
1EFBCDE4  6A 01           push 1
1EFBCDE6  8B0D 9096FE1E   mov ecx,dword ptr ds:[1EFE9690]
1EFBCDEC  51              push ecx
1EFBCDED  FF15 C496FE1E   call dword ptr ds:[1EFE96C4]   ; VA_X.1EE42A48
// Flying towards the summit of light

1EE42A48  6A 0C           push 0C
// OEP
1EE42A4A  68 3867EE1E     push 1EEE6738
1EE42A4F  E8 D4130000     call 1EE43E28
1EE42A54  33C0            xor eax,eax
1EE42A56  40              inc eax
1EE42A57  8945 E4         mov dword ptr ss:[ebp-1C],eax
1EE42A5A  8B75 0C         mov esi,dword ptr ss:[ebp+C]
1EE42A5D  33FF            xor edi,edi
1EE42A5F  3BF7            cmp esi,edi
1EE42A61  75 0C           jnz short 1EE42A6F

—————————————————————————————————
4. Code Splicing

Some people are puzzled about how to tell whether a program uses Code Splicing, so here are two methods.
1) Follow the normal procedure. If Code Splicing is present, the repaired program is certain to crash when run, and the crash location reveals the Code Splicing address.
2) Search by the characteristics of the Code Splicing section.

In current Armadillo versions the Code Splicing section is 00020000 bytes long, which can be used to identify it.
Alt+M to view the memory map around the target program; the block at 02B70000 has a size of 00020000

Address   Size      Owner     Section   Contains
02B70000  00020000
1ED00000  00001000  VA_X
1ED01000  0019D000  VA_X      .text
1EE9E000  00018000  VA_X      CODE
1EEB6000  00059000  VA_X      .rdata
1EF0F000  00023000  VA_X      .data
1EF32000  00001000  VA_X      .SHARED
1EF33000  00001000  VA_X      DATA
1EF34000  00042000  VA_X      BSS
1EF76000  00030000  VA_X      .reloc
1EFA6000  00030000  VA_X      .text1
1EFD6000  00010000  VA_X      .adata    code
1EFE6000  00010000  VA_X      .data1    imports
1EFF6000  00010000  VA_X      .reloc1   relocations
1F136000  00041000  VA_X      .rsrc     resources
5D170000  00001000  COMCTL32            PE header

Alt+C back to the CPU window, Ctrl+G: 02B70000
02B70000  66:87F3         xchg bx,si
02B70003  66:96           xchg ax,si
02B70005  7B 02           jpo short 02B70009
02B70007  7B 09           jpo short 02B70012
02B70009  87F9            xchg ecx,edi
02B7000B  90              nop
02B7000C  87F9            xchg ecx,edi
02B7000E  66:96           xchg ax,si
02B70010  66:87F3         xchg bx,si
02B70013  55              push ebp
02B70014  8BEC            mov ebp,esp
02B70016  6A FF           push -1
02B70018  E9 E80F191C     jmp 1ED01005
// Note: it jumps into the target program's address space

1ED01000  E9 FBEFE6E3     jmp 02B70000
// Code Splicing
1ED01005  68 606BEB1E     push 1EEB6B60
1ED0100A  68 78D3E31E     push 1EE3D378
1ED0100F  64:A1 00000000  mov eax,dword ptr fs:[0]
1ED01015  E9 03F0E6E3     jmp 02B7001D

Good, that locates the Code Splicing section. Repair it with ArmInline, taking care with each parameter
[image: http://bbs.pediy.com/upload/2005/8/image/arminline.gif]
Now the DLL can be dumped with LordPE.

—————————————————————————————————
5. Import table repair

VA_X.dll does not use Import Table Elimination; the import functions are laid out in order and can be obtained normally.
Run ImportREC. Because this DLL was not relocated when it was loaded, keep the "Use PE Header From Disk" option
Enter OEP RVA = 00142A48, get the imports, then Cut the invalid garbage pointers that fill the function list.
[image: http://bbs.pediy.com/upload/2005/8/image/fixiat.gif]

A new section could be added to hold the repaired import table, but that increases the file size, so put it close to its original location instead.
Open dump.exe in WinHex and search for the DLL names used by the import functions. Armadillo does not wipe the DLL names of the import table, so the spot where those DLL names sit among a lot of 00 bytes is where the import table can go. The Size still has to be calculated, of course, but it is usually sufficient.

0020CF20  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0020CF30  00 00 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 64  ......KERNEL32.d
0020CF40  6C 6C 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ll..............

In this case the import table can go at 0x0020C050; Fix Dump.
But when the import table of dumped_.dll is viewed in LordPE, the last function shows [Error]. What is going on?
The Size of the section that holds the import table is wrong: set the VSize and RSize of the section at 001B6000 to 0020F000-001B6000=00059000.

—————————————————————————————————
6. Export table repair

Because the import table repair above overwrote the export table, the export table has to be moved elsewhere
Open dumped.dll, copy the export table data at 0020EC10 and write it into dumped_.dll at 0x001B5300
[image: http://bbs.pediy.com/upload/2005/8/image/exporttable.gif]
Fix each pointer in the Export Table, then fix the Export Table RVA of dumped_.dll

Kanxue's PeMove can also move the export table. Copy dumped.dll, open it in PeMove, enter 001B5300 for Export Table's File Offset, click Move, then copy the export table at 001B5300 into dumped_.dll and fix the Export Table RVA
[image: http://bbs.pediy.com/upload/2005/8/image/pemove.gif]
Set the VSize and RSize of the section at 0019E000 that holds the export table to 001B6000-0019E000=00018000

—————————————————————————————————
7. Relocation table repair

Armadillo is fairly friendly to DLLs and does not encrypt the relocation table, so there was no need to trace the relocation handling while debugging

View the sections in LordPE: the RVA of the ".reloc" section is the relocation table RVA, and the Size is found by looking at where the trailing 00 bytes begin
00297590  A3 3A B8 3A D7 3A DC 3D E0 3D E4 3D E8 3D EC 3D  ????????
002975A0  F0 3D F4 3D 00 00 00 00 00 00 00 00 00 00 00 00  ??............

Fix dumped_.dll's Relocation RVA = 00276000, Size = 002975A4-00276000 = 215A4

—————————————————————————————————
8. Optimizing the unpacked Armadillo file

The optimization was already described in "ArmInline: a simple way to repair Code Splicing + Import Table Elimination in the Armadillo client edition", but here it is once more.
Use LordPE to delete all the packer sections below ".reloc"; note the RVA of the first packer section ".text1" = 002A6000
[image: http://bbs.pediy.com/upload/2005/8/image/cutsections.gif]

Use WinHex to remove all data from 0x002A6000 to the end of the file and save as UnPacKed.dll. That is the packer data mostly cleaned out.

Repair the resources with DT_FixRes. Open the unrepaired dumped.dll in DT_FixRes
[image: http://bbs.pediy.com/upload/2005/8/image/dt_fixres.gif_891.gif]
New Rva = 002A6000, File Alignment = 1000, Dump Resource, which yields rsrc.bin
Load rsrc.bin into UnPacKed.dll with LordPE and fix Resource RVA = 002A6000

—————————————————————————————————
9. Cracking

Starting VC pops up a "License Error" message and the plug-in cannot be used. With that as the clue it is easy to locate
————————————————————————
1) License Error

1ED411D3  385C24 13       cmp byte ptr ss:[esp+13],bl
1ED411D7  74 47           je short 1ED41220
// Change to: jmp 1ED41220
1ED411D9  A1 C44CF21E     mov eax,dword ptr ds:[1EF24CC4]
1ED411DE  53              push ebx
1ED411DF  68 38AFEB1E     push 1EEBAF38   ; ASCII "License"
1ED411E4  68 30AFEB1E     push 1EEBAF30   ; ASCII "Error"
1ED411E9  50              push eax
1ED411EA  FF15 2C69EB1E   call dword ptr ds:[1EEB692C]   ; USER32.MessageBoxA

————————————————————————
2) Expiry

1ED41384  8B5424 4C       mov edx,dword ptr ss:[esp+4C]
1ED41388  8B4424 50       mov eax,dword ptr ss:[esp+50]
1ED4138C  8B4C24 54       mov ecx,dword ptr ss:[esp+54]
1ED41390  52              push edx
1ED41391  50              push eax
1ED41392  51              push ecx
1ED41393  E8 58D80900     call 1EDDEBF0
1ED41398  83C4 1C         add esp,1C
1ED4139B  E8 90DC0900     call 1EDDF030
1ED413A0  3BC3            cmp eax,ebx
1ED413A2  0F84 33010000   je 1ED414DB
// Change to: jmp 1ED414DB

————————————————————————
3) LAN check

1ED673FF  68 E495EB1E     push 1EEB95E4   ; ASCII "UserName"
1ED67404  68 BC95EB1E     push 1EEB95BC   ; ASCII "Software\WholeTomato\VisualAssistX"
1ED67409  8D4424 10       lea eax,dword ptr ss:[esp+10]
1ED6740D  68 01000080     push 80000001
1ED67412  50              push eax
1ED67413  C74424 24 00000000  mov dword ptr ss:[esp+24],0
1ED6741B  E8 602F0000     call 1ED6A380
1ED67420  8B4C24 18       mov ecx,dword ptr ss:[esp+18]
1ED67424  51              push ecx
1ED67425  8D5424 18       lea edx,dword ptr ss:[esp+18]
1ED67429  68 E8EDEB1E     push 1EEBEDE8   ; ASCII "All instances of the license",LF,"""%s""",LF,"are in use. Visual Assist X will be disabled. You must unload or uninstall Visual Assist X",LF,"and restart your IDE to prevent this PC from being counted by other license checks."

Trace back upwards:
1ED67480  55              push ebp
1ED67481  8BEC            mov ebp,esp
1ED67483  6A FF           push -1
1ED67485  68 0AA5E81E     push 1EE8A50A
1ED6748A  64:A1 00000000  mov eax,dword ptr fs:[0]
1ED67490  50              push eax
1ED67491  64:8925 00000000  mov dword ptr fs:[0],esp

// Change to:
1ED67480  B8 01000000     mov eax,1
1ED67485  C3              retn
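The import, export and relocation repairs in sections 5 to 7 all come down to two checks on the dumped PE: does a data directory still fit inside the section that holds it (LordPE's [Error] appears when the import table outgrows the 001B6000 section), and how long is the relocation table really (the run of 00 bytes after the last IMAGE_BASE_RELOCATION block). The Python script below is an added example, not part of fly's tutorial and not tooling from any of the programs it mentions: it builds a small constructed PE32 DLL in memory with exactly those two defects, parses the section table with plain struct (no pefile), reports which section each directory lands in and whether it fits, walks the relocation blocks to the zero terminator, and computes the "next section RVA minus this RVA" VSize that the tutorial applies by hand. All section names, RVAs and sizes in the sample image are made up for the demo.

```python
import struct

# Data directory indices from the PE specification
IMAGE_DIRECTORY_ENTRY_EXPORT = 0
IMAGE_DIRECTORY_ENTRY_IMPORT = 1
IMAGE_DIRECTORY_ENTRY_BASERELOC = 5


def parse_pe(data):
    """Return (data_directories, sections) parsed from raw PE32 file bytes."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24                                  # optional header start
    magic = struct.unpack_from("<H", data, opt)[0]
    dir_off = opt + (96 if magic == 0x10B else 112)      # PE32 vs PE32+
    dirs = [struct.unpack_from("<II", data, dir_off + 8 * i) for i in range(16)]
    sections = []
    for i in range(num_sections):
        name, vsize, va, rsize, raw = struct.unpack_from(
            "<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va,
                         "vsize": vsize, "raw": raw, "rsize": rsize})
    return dirs, sections


def section_for_rva(sections, rva):
    """Section whose range (larger of VSize/RSize) covers rva, or None."""
    for sec in sections:
        if sec["va"] <= rva < sec["va"] + max(sec["vsize"], sec["rsize"]):
            return sec
    return None


def rva_to_offset(sections, rva):
    sec = section_for_rva(sections, rva)
    if sec is None:
        raise ValueError("RVA %#x is not inside any section" % rva)
    return sec["raw"] + (rva - sec["va"])


def reloc_table_size(data, sections, rva):
    """Walk IMAGE_BASE_RELOCATION blocks until the all-zero terminator;
    this is what the tutorial does by eye in WinHex to get the .reloc Size."""
    off, total = rva_to_offset(sections, rva), 0
    while off + 8 <= len(data):
        _page_rva, block_size = struct.unpack_from("<II", data, off)
        if block_size == 0:                              # trailing 00s: end of table
            break
        if block_size < 8:
            raise ValueError("malformed relocation block at %#x" % off)
        total += block_size
        off += block_size
    return total


def suggested_vsizes(sections):
    """Tutorial's fix for a too-small section: VSize = next section RVA - this RVA."""
    return {cur["name"]: nxt["va"] - cur["va"]
            for cur, nxt in zip(sections, sections[1:])}


def audit(data):
    """Per directory: host section and whether it fits inside that section's
    VirtualSize (the case LordPE reports as [Error] when it does not)."""
    dirs, sections = parse_pe(data)
    report = {}
    for label, idx in (("export", IMAGE_DIRECTORY_ENTRY_EXPORT),
                       ("import", IMAGE_DIRECTORY_ENTRY_IMPORT),
                       ("reloc", IMAGE_DIRECTORY_ENTRY_BASERELOC)):
        rva, size = dirs[idx]
        sec = section_for_rva(sections, rva)
        fits = sec is not None and rva + size <= sec["va"] + sec["vsize"]
        report[label] = (sec["name"] if sec else None, fits)
    report["reloc_real_size"] = reloc_table_size(
        data, sections, dirs[IMAGE_DIRECTORY_ENTRY_BASERELOC][0])
    return report


def build_sample_pe():
    """Constructed PE32 DLL image (test data, not a real binary): the import
    directory overruns its section's VSize and the reloc directory Size is
    inflated far beyond the real relocation blocks."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                          # e_lfanew
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, 3, 0, 0, 0, 0xE0, 0x2102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                             # PE32 magic
    struct.pack_into("<III", opt, 28, 0x10000000, 0x1000, 0x200)     # ImageBase, SectionAlign, FileAlign
    struct.pack_into("<I", opt, 92, 16)                               # NumberOfRvaAndSizes
    for idx, rva, size in ((IMAGE_DIRECTORY_ENTRY_EXPORT, 0x2000, 0x40),
                           (IMAGE_DIRECTORY_ENTRY_IMPORT, 0x2080, 0x100),   # ends at 0x2180 > .rdata VSize end 0x2100
                           (IMAGE_DIRECTORY_ENTRY_BASERELOC, 0x3000, 0x1000)):
        struct.pack_into("<II", opt, 96 + 8 * idx, rva, size)
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, raw, 0, 0, 0, 0, fl)
                    for n, vs, va, rs, raw, fl in (
                        (b".text", 0x1000, 0x1000, 0x200, 0x400, 0x60000020),
                        (b".rdata", 0x100, 0x2000, 0x200, 0x600, 0x40000040),
                        (b".reloc", 0x1000, 0x3000, 0x200, 0x800, 0x42000040)))
    image = bytearray(dos + coff + opt + hdrs)
    image += b"\0" * (0x400 - len(image))                             # pad headers to first raw section
    image += b"\xC3" * 0x200                                          # .text filler
    image += b"\0" * 0x200                                            # .rdata: zeros suffice for the demo
    reloc = struct.pack("<IIHH", 0x1000, 12, 0x3010, 0x3020)          # two HIGHLOW fix-ups, page 0x1000
    reloc += struct.pack("<IIHH", 0x2000, 12, 0x3004, 0x3008)         # two more, then zero terminator
    image += reloc.ljust(0x200, b"\0")                                # .reloc
    return bytes(image)


if __name__ == "__main__":
    pe = build_sample_pe()
    for key, value in audit(pe).items():
        print(key, value)
    print({k: hex(v) for k, v in suggested_vsizes(parse_pe(pe)[1]).items()})
```

Run on a real dump, the "fits" flag for the import directory turning False is the same condition the tutorial fixes by enlarging the 001B6000 section, and reloc_real_size is the 215A4-style value to write into the relocation directory instead of the packer's leftover size.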

© 1999-2008 EvilOctal Security Team