
[转载]ASProtect SKE 2.11变形代码浅浅谈

[转载]ASProtect SKE 2.11变形代码浅浅谈

信息来源: 看雪学院

这段时间学习了一下ASProtect SKE 2.11的壳,感谢shoooo给予技巧指点,让我少走了不少弯路。shoooo一文《nspack3.5主程序脱壳分析(AsprSKE2.X)》给人启发不少,看懂这篇文章,再展开一下,ASProtect SKE的壳基本能拿下。
ASProtect脱壳其实也可以不修复StolenCode,直接将壳的这段代码借用过来。但如果要完美脱壳的话,就必须了解一点ASProtect中的变形技巧,将代码一句句还原(是个体力活)。

ASProtect SKE的难点就在代码变形,它用了一段代码来模拟如下指令(可能是作者自己写的变形引擎):
cmp x,y
jxx n

call xxxxx
jmp xxxxx

jxx n

等等…

例如:
下面这段变形代码的作用是模拟cmp指令加条件跳转:
cmp x,y
jxx n

00A8896A 8BCE       mov ecx,esi
00A8896C 8B550C     mov edx,[ebp+C]
00A8896F 8B45F8     mov eax,[ebp-8]
00A88972 E8D5FDFFFF call 00A8874C
{
00A8877E 8B548340   mov edx,[ebx+eax*4+40]
00A88782 8BC7       mov eax,edi
00A88784 FFD2       call edx ;此CALL的返回值决定x是何寄存器:0=eax,1=ecx,2=edx,3=ebx,4=esp,5=ebp,6=esi,7=edi
……
00A887BA 8B548340   mov edx,[ebx+eax*4+40]
00A887BE 8BC7       mov eax,edi
00A887C0 FFD2       call edx ;此CALL的返回值决定y是何寄存器:0=eax,1=ecx,2=edx,3=ebx,4=esp,5=ebp,6=esi,7=edi
……
}

00A88977 894510     mov [ebp+10],eax
00A8897A EB01       jmp short 00A8897D ;跳到下一条显示指令的第2个字节:E9是花指令,00A8897D起的真实字节为33C0 8A4304 8B55F8(xor eax,eax / mov al,[ebx+4] / mov edx,[ebp-8]),下面到clc为止的几行都是反汇编错位
00A8897C -E933C08A43 jmp 443349B4
00A88981 048B       add al,8B
00A88983 55         push ebp
00A88984 F8         clc
00A88985 8B548240   mov edx,[edx+eax*4+40]
00A88989 8BC6       mov eax,esi
00A8898B FFD2       call edx ;此CALL返回值决定跳转类型:3=jnb,2=jb,……
00A8898D 8BD8       mov ebx,eax
00A8898F 8B4D10     mov ecx,[ebp+10]
00A88992 8BD3       mov edx,ebx
00A88994 8B45F8     mov eax,[ebp-8]
00A88997 E874FBFFFF call 00A88510 ;里面做比较(cmp x,y)
00A8899C 84C0       test al,al
00A8899E 7417       je short 00A889B7



ASProtect SKE最新版也在这方面加强了,这部分我还没搞明白,别问我。;(


对于一般的指令ASProtect也会变形,这部分识别起来简单多了,自己用ASProtect SKE压一个软件,对比跟踪一下,很快能找到规律。下面列出的是ASProtect常用的一些简单变形指令。原理是利用lea指令来计算加、减、乘法,或利用堆栈来传递一些数据。

1.
原代码:
add esi,8
变形后的代码:
lea esi,[esi+8]//esi=esi+8

2
原代码:
add edi,4
变形后的代码:
lea edi,[edi+ecx+4]//edi=edi+ecx+4
sub edi,ecx//edi=edi-ecx=edi+ecx+4-ecx=edi+4

3.
原代码:
mov ecx,eax
变形后的代码:
lea ecx,[eax+C]//ecx=eax+C
lea ecx,[ecx-C]//ecx=ecx-C=eax+C-C=eax

4.
原代码:mov esi,eax
变形后的代码:
or esi,BD20817E
push eax//有效指令
rol esi,9D
xor esi,[esp+8]
pop esi//有效指令

5.
mov esi,eax
变形后的代码:
sub esi,ecx
lea esi,[eax+2B]//esi=eax+2B
lea esi,[esi+ebp-2B]//esi=eax+2B+ebp-2B=eax+ebp
sub esi,ebp//esi=esi-ebp=eax+ebp-ebp=eax


6.
mov edi,eax
变形后的代码:
lea edi,[edx+edi*2+50]
adc edi,F299E634
lea edi,[eax+56]//edi=eax+56
lea edi,[edi+ecx-56]//edi=eax+56+ecx-56=eax+ecx
sub edi,ecx//edi=edi-ecx=eax+ecx-ecx=eax

7
mov edi,eax
变形后的代码:
lea edi,[ebx+ecx+48612E]
sub edi,ecx
xor edi,1ABFD486
lea edi,[eax+ecx+39]//edi=eax+ecx+39
sub edi,ecx//edi=edi-ecx=eax+ecx+39-ecx=eax+39
lea edi,[edi-39]//edi=edi-39=eax+39-39=eax


8.
mov edi,eax
变形后的代码:
lea edi,[ebx+ecx+48612E]
sub edi,ecx
xor edi,1ABFD486
lea edi,[eax+ecx+39]
sub edi,ecx
lea edi,[edi-39]


9.
原代码:
mov eax,800
变形后的代码:
push ABCAA2A8//先压一个占位的栈单元
pushfw
push ebx
xor ebx,C567C100
and ebx,edi
lea ebx,[esp+69]//ebx=esp+69
sub ebx,69//ebx=esp
prefix repne:
jmp L010
prefix rep:
L010:
add ebx,6//ebx=esp+6,越过4字节的ebx和2字节的标志,指向最初压入的占位单元
mov dword ptr [ebx],800//有效指令,把占位单元改写为800
pop ebx
popfw
add eax,A38396E6
pop eax//有效指令,eax=800

10
原代码:
mov ecx,edi
变形后的代码:
mov ecx,42338A
mov ecx,42A4FA
xor ecx,[esp+8]
mov ecx,4780E2
rcr ecx,0ED
lea ecx,[edi+eax+5C]//ecx=edi+eax+5C
sub ecx,eax//ecx=ecx-eax=edi+eax+5C-eax=edi+5C
lea ecx,[ecx-5C]//ecx=ecx-5C=edi+5C-5C=edi
sar eax,5
and ecx,1F

11
原代码:
mov edi,405904
变形后的代码:
and edi,ebx
mov edi,43FB92
ror edi,0C5
lea edi,[ebp+esi*2+53]
lea edi,[eax+ecx+405904]//edi=eax+ecx+405904
sub edi,ecx//edi=edi-ecx=eax+ecx+405904-ecx=eax+405904
sub edi,eax//edi=edi-eax=eax+405904-eax=405904

12.
原代码:
mov ebp,esp
变形后的代码:
lea ebp,[esp+ecx+5C]//ebp=esp+ecx+5C
sub ebp,ecx//ebp=ebp-ecx=esp+ecx+5C-ecx=esp+5C
lea ebp,[ebp+ebx-5C]//ebp=ebp+ebx-5C=esp+5C+ebx-5C=esp+ebx
sub ebp,ebx//ebp=ebp-ebx=esp+ebx-ebx=esp


13
mov eax,[405A10]
变形后的代码:
lea eax,[ecx+405A10]//eax=ecx+405A10
sub eax,ecx//eax=eax-ecx=405A10
push dword ptr [eax]//[405A10]入栈
xor eax,[esp+28]
xor eax,[esp+8]
pop eax//[405A10]出栈进eax

14.
原代码:mov ecx,[eax]
变形后的代码:
xor ecx,ebx
push dword ptr [eax]//[eax]入栈
rcr ecx,0C9
mov ecx,43378A
pop ecx//栈中数据弹到ecx


15.
原代码:
mov eax,[405900]
变形后的代码:
lea eax,[ebp+esi+424388]
sub eax,esi
lea eax,[ecx+405900]//eax=ecx+405900
sub eax,ecx//eax=eax-ecx=ecx+405900-ecx=405900
mov eax,[eax]


16.
原代码:
mov esi,[eax]

变形后的代码:
or esi,edi
push dword ptr [eax]//[eax]入栈
sub esi,-45
rol esi,97
pop esi//出栈进esi

17
mov eax,[405900]
变形后的代码:
lea eax,[edi+42CA6C]
xor eax,710E8EFA
mov eax,427EBE
add eax,[esp+18]
lea eax,[ebp+esi+405900]//eax=ebp+esi+405900
sub eax,esi//eax=ebp+405900
sub eax,ebp//eax=405900
mov eax,[eax]


18.

mov eax,[405664]
变形后的代码:

lea eax,[ecx+edx-7F]
lea eax,[edi+405664]//eax=edi+405664
sub eax,edi//eax=eax-edi=edi+405664-edi=405664
prefix repne:
jmp L006
???
L006:
push dword ptr [eax]//[405664]入栈
add eax,[esp+18]
mov eax,4487CE
pop eax//[405664]出栈



19.
原代码:
mov ebp,esp
变形后的代码:
add ebp,ebx
mov ebp,45A51E
mov ebp,[esp+10]
mov ebp,4A54FE
mov ebp,463636
lea ebp,[esp+esi+E]//ebp=esp+esi+E(此处的esp即最终要得到的值,下面的push/pop成对,结束时esp复原)
push eax
push edx
push ecx
mov edx,45F39E
mov edx,447AD6
mov edx,7DF8A705//edx=7DF8A705
mov ecx,4A86CA
mov ecx,488942
mov ecx,edx//ecx=edx=7DF8A705
sub ecx,B783FC03//ecx=ecx-B783FC03=7DF8A705-B783FC03=C674AB02
neg ecx//ecx=398B54FE
push ecx//398B54FE入栈
xor edx,[esp+8]
rcl edx,0EB
pop edx//398B54FE出栈入edx中
add edx,63BE880B//edx=edx+63BE880B=398B54FE+63BE880B=9D49DD09
xor eax,[esp+28]
rcl eax,49
push edx//值9D49DD09入栈
sub eax,ebx
pop eax//值9D49DD09出栈进eax
xor eax,62B622F9//9D49DD09 XOR 62B622F9=FFFFFFF0
neg eax//eax=10
lea edx,[ebp+esi+6C]//edx=ebp+esi+6C
push eax//10入栈
push edi
mov eax,93D3D3A9
xchg eax,edi
xor edi,4B566F99
neg edi
sub edi,6A63E261
neg edi
xchg edi,eax
sub eax,42E99E29
dec eax
lea edx,[edx+eax*2+6A]
lea edx,[edx+ecx-6A]
sub edx,ecx
sub edx,eax
pop edi
pop eax
sub edx,esi
push eax
sbb edx,-17
ror edx,7B
pop edx//10出栈放edx,edx=10
lea ebp,[ebp+edx+6F]//ebp=esp+esi+E+10+6F
lea ebp,[ebp+ecx-6F]//ebp=esp+esi+E+10+6F+ecx-6F=esp+esi+E+10+ecx
sub ebp,ecx//ebp=ebp-ecx=esp+esi+E+10+ecx-ecx=esp+esi+E+10
lea ecx,[ecx+edx*2+72]
lea ecx,[ecx+ebx-72]
sub ecx,ebx
pop ecx
xor edx,EF5EAB78
pop edx
add eax,[esp+38]
sbb eax,2B
pop eax
sub ebp,esi//ebp=ebp-esi=esp+esi+E+10-esi=esp+E+10=esp+1E
lea ebp,[ebp-1E]//ebp=ebp-1E=esp+1E-1E=esp


20.
原代码:push 004040D0
变形后的代码:
push -6//先压一个占位的栈单元
pushfw
push ebp
sub ebp,61388612
mov ebp,esp//ebp=esp
lea ebp,[ebp+ebx+6]//ebp=esp+ebx+6
sub ebp,ebx//ebp=esp+6,指向占位单元
push 4040D0
pop dword ptr [ebp]//占位单元改写为4040D0
pop ebp
popfw


21.
原代码:push 00401ED4
变形后的代码:

push dword ptr [esp+14]//先压一个占位的栈单元
pushfw
push ecx
xor ecx,ebp
mov ecx,esp//ecx=esp
lea ecx,[ecx+edi+6]//ecx=ecx+edi+6=esp+edi+6
sub ecx,edi//ecx=ecx-edi=esp+edi+6-edi=esp+6
push edi
sub edi,-59
sub edi,-3D
lea edi,[eax+401ED4]//edi=eax+401ED4
sub edi,eax//edi=edi-eax=401ED4
mov [ecx],edi
pop edi
pop ecx//相当于mov [esp+6],401ED4(esp以push ecx之后为准)
popfw


22.
原代码:push 100
变形后的代码:

push dword ptr fs:[0]//先压一个占位的栈单元
pushfw
push ecx
xor ecx,428F6676
mov ecx,esp//ecx=esp
lea ecx,[ecx+edi+6]//ecx=esp+edi+6
sub ecx,edi//ecx=esp+6,指向占位单元
push edi
sub edi,-57
mov edi,46894A
adc edi,1AA636D6
lea edi,[eax+ecx+100]//edi=eax+ecx+100
sub edi,ecx//edi=edi-ecx=eax+ecx+100-ecx=eax+100
sub edi,eax//edi=edi-eax=eax+100-eax=100
push edi
pop dword ptr [ecx]//占位单元改写为100
pop edi
pop ecx
popfw
