
On unpacking Armadillo 3.**

2008-05-03 09:29:43

  Tools used: Windows 2000, OllyDbg 1.10a, ImportREC 1.6, PEiD 0.92, LordPE.

  The steps I took:

  1. Checking the main program MyTheatre.exe with PEiD 0.92 gives: Armadillo 1.xx - 2.xx -> Silicon Realms Toolworks [Overlay]

  2. Load it in OllyDbg, set BP OpenMutexA, and enable the hide-debugger patch.

  3. When it breaks, change the bytes at 401000 to: 609C68DCFB120033C05050E8E694A6779D61E98F9FA777,

  i.e.:

  00401000 60 PUSHAD
  00401001 9C PUSHFD
  00401002 68 DCFB1200 PUSH 12FBDC ; ASCII "480::DAEE2CA7C8"
  00401007 33C0 XOR EAX,EAX
  00401009 50 PUSH EAX
  0040100A 50 PUSH EAX
  0040100B E8 E694A677 CALL KERNEL32.CreateMutexA
  00401010 9D POPFD
  00401011 61 POPAD
  00401012 - E9 8F9FA777 JMP KERNEL32.OpenMutexA

  4. Set BP GetModuleHandleA. The breaks pass through:

  0012EFCC 78001E96 /CALL to GetModuleHandleA from MSVCRT.78001E90
  0012EFD0 780322D4 \pModule = "KERNEL32"
  0012F054 77A03F02 /CALL to GetModuleHandleA from OLEAUT32.77A03EFC
  0012F058 779A0630 \pModule = "kernel32.dll"
  0012F048 77A072DB /CALL to GetModuleHandleA from OLEAUT32.77A072D5
  0012F04C 779A0994 \pModule = "KERNEL32"
  0012EF80 779A83DB /CALL to GetModuleHandleA from OLEAUT32.779A83D5
  0012EF84 77A1ADA8 \pModule = "KERNEL32.DLL"
  0012EF80 779A83DB /CALL to GetModuleHandleA from OLEAUT32.779A83D5
  0012EF84 77A1ADA8 \pModule = "KERNEL32.DLL"
  0012F540 008C3248 /CALL to GetModuleHandleA from MyTheatr.008C3242
  0012F544 00000000 \pModule = NULL

  Return to:

  008C3240 |> \6A 00 PUSH 0 ; /pModule = NULL
  008C3242 |. FF15 84F18F00 CALL DWORD PTR DS:[<&KERNEL32.GetModuleHandleA>] ; \GetModuleHandleA
  008C3248 |. 8945 A4 MOV DWORD PTR SS:[EBP-5C],EAX ; MyTheatr.00400000
  008C324B |> 8B55 A4 MOV EDX,DWORD PTR SS:[EBP-5C]
  008C324E |. 8955 E4 MOV DWORD PTR SS:[EBP-1C],EDX
  008C3251 |. A1 5CF28F00 MOV EAX,DWORD PTR DS:[8FF25C]
  008C3256 |. 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX
  008C3259 |. C745 EC FFFFFFFF MOV DWORD PTR SS:[EBP-14],-1
  008C3260 |. 8D4D C4 LEA ECX,DWORD PTR SS:[EBP-3C]
  008C3263 |. 51 PUSH ECX
  008C3264 |. FF55 F0 CALL DWORD PTR SS:[EBP-10]
  008C3267 |. 83C4 04 ADD ESP,4
  008C326A |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
  008C326D |. 837D EC FF CMP DWORD PTR SS:[EBP-14],-1
  008C3271 |. 74 0B JE SHORT MyTheatr.008C327E
  008C3273 |. 8B55 EC MOV EDX,DWORD PTR SS:[EBP-14]
  008C3276 |. 8915 58549000 MOV DWORD PTR DS:[905458],EDX
  008C327C |. EB 10 JMP SHORT MyTheatr.008C328E
  008C327E |> 837D FC 01 CMP DWORD PTR SS:[EBP-4],1
  008C3282 |. 74 0A JE SHORT MyTheatr.008C328E
  008C3284 |. C705 58549000 01000000 MOV DWORD PTR DS:[905458],1
  008C328E |> 837D B0 00 CMP DWORD PTR SS:[EBP-50],0
  008C3292 74 0A JE SHORT MyTheatr.008C329E
  008C3294 |. 8B45 B0 MOV EAX,DWORD PTR SS:[EBP-50]
  008C3297 |. 50 PUSH EAX ; /hWnd
  008C3298 |. FF15 0CF28F00 CALL DWORD PTR DS:[<&USER32.DestroyWindow>] ; \DestroyWindow
  008C329E |> 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
  008C32A1 |> 8BE5 MOV ESP,EBP
  008C32A3 |. 5D POP EBP
  008C32A4 \. C3 RETN

  No ★Magic Jump★ was found here.

  5. Press ALT+M and set a breakpoint on the section at 401000; after F9 the entry point is found at:

  00568CE4 55 PUSH EBP
  00568CE5 8BEC MOV EBP,ESP
  00568CE7 B9 0C000000 MOV ECX,0C
  00568CEC 6A 00 PUSH 0
  00568CEE 6A 00 PUSH 0
  00568CF0 49 DEC ECX
  00568CF1 ^ 75 F9 JNZ SHORT MyTheatr.00568CEC
  00568CF3 B8 A4875600 MOV EAX,MyTheatr.005687A4
  00568CF8 E8 73E5E9FF CALL MyTheatr.00407270
  00568CFD 33C0 XOR EAX,EAX
  00568CFF 55 PUSH EBP
  00568D00 68 E2985600 PUSH MyTheatr.005698E2
  00568D05 64:FF30 PUSH DWORD PTR FS:[EAX]
  00568D08 64:8920 MOV DWORD PTR FS:[EAX],ESP
  00568D0B 64:8B05 18000000 MOV EAX,DWORD PTR FS:[18]
  00568D12 8B40 30 MOV EAX,DWORD PTR DS:[EAX+30]
  00568D15 31C9 XOR ECX,ECX
  00568D17 8848 02 MOV BYTE PTR DS:[EAX+2],CL
  00568D1A 8D55 E4 LEA EDX,DWORD PTR SS:[EBP-1C]
  00568D1D A1 C8215700 MOV EAX,DWORD PTR DS:[5721C8]
  00568D22 8B00 MOV EAX,DWORD PTR DS:[EAX]
  00568D24 E8 BFB8F2FF CALL MyTheatr.004945E8
  00568D29 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
  00568D2C 8D55 E8 LEA EDX,DWORD PTR SS:[EBP-18]
  00568D2F E8 9019EAFF CALL MyTheatr.0040A6C4
  00568D34 8B55 E8 MOV EDX,DWORD PTR SS:[EBP-18]
  00568D37 A1 881E5700 MOV EAX,DWORD PTR DS:[571E88]
  00568D3C E8 AFBEE9FF CALL MyTheatr.00404BF0
  00568D41 68 0C1B5700 PUSH MyTheatr.00571B0C
  00568D46 68 24845600 PUSH MyTheatr.00568424
  00568D4B E8 E4EFE9FF CALL MyTheatr.00407D34 ; JMP to USER32.EnumWindows
  00568D50 8B15 341C5700 MOV EDX,DWORD PTR DS:[571C34] ; MyTheatr.006FD7AC
  00568D56 A1 64215700 MOV EAX,DWORD PTR DS:[572164]
  00568D5B 8B00 MOV EAX,DWORD PTR DS:[EAX]
  00568D5D E8 169DFDFF CALL MyTheatr.00542A78
  00568D62 A1 341C5700 MOV EAX,DWORD PTR DS:[571C34]
  00568D67 8B00 MOV EAX,DWORD PTR DS:[EAX]
  00568D69 33D2 XOR EDX,EDX
  00568D6B 8B08 MOV ECX,DWORD PTR DS:[EAX]
  00568D6D FF51 48 CALL DWORD PTR DS:[ECX+48]
  00568D70 A1 E41A5700 MOV EAX,DWORD PTR DS:[571AE4]
  00568D75 A3 0C1B5700 MOV DWORD PTR DS:[571B0C],EAX
  00568D7A 33C0 XOR EAX,EAX
  00568D7C A3 101B5700 MOV DWORD PTR DS:[571B10],EAX
  00568D81 B9 F8985600 MOV ECX,MyTheatr.005698F8 ; ASCII "MyTheatre_Common"
  00568D86 33D2 XOR EDX,EDX
  00568D88 B8 14995600 MOV EAX,MyTheatr.00569914 ; ASCII "SeparateProfiles"
  00568D8D E8 1AB1FCFF CALL MyTheatr.00533EAC
  00568D92 84C0 TEST AL,AL
  00568D94 0F84 F1000000 JE MyTheatr.00568E8B
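As an added illustration (not part of the original write-up), the Python below decodes the 23-byte patch string from step 3 back into the listing shown there. It resolves the E8/E9 rel32 displacements the way the CPU does (target = address of the next instruction + rel32), so the two kernel32 addresses it recovers are simply whatever CreateMutexA and OpenMutexA resolved to on the author's Windows 2000 machine; the only opcodes it knows are the ones this patch uses.

```python
import struct

# Patch bytes and load address exactly as quoted in step 3 of the write-up.
PATCH_HEX = "609C68DCFB120033C05050E8E694A6779D61E98F9FA777"
PATCH_BASE = 0x00401000

# Minimal opcode table: only the single-byte instructions this patch contains.
ONE_BYTE = {0x60: "PUSHAD", 0x9C: "PUSHFD", 0x50: "PUSH EAX",
            0x9D: "POPFD", 0x61: "POPAD"}


def decode_patch(hex_str, base):
    """Return [(address, raw_hex, mnemonic), ...] for the patch at `base`."""
    code = bytes.fromhex(hex_str)
    ip, out = base, []
    while ip - base < len(code):
        off = ip - base
        op = code[off]
        if op in ONE_BYTE:
            out.append((ip, code[off:off + 1].hex().upper(), ONE_BYTE[op]))
            ip += 1
        elif op == 0x68:                      # PUSH imm32 (pointer to mutex name)
            imm = struct.unpack_from("<I", code, off + 1)[0]
            out.append((ip, code[off:off + 5].hex().upper(), f"PUSH {imm:X}"))
            ip += 5
        elif op == 0x33 and code[off + 1] == 0xC0:   # XOR EAX,EAX
            out.append((ip, "33C0", "XOR EAX,EAX"))
            ip += 2
        elif op in (0xE8, 0xE9):              # CALL / JMP rel32
            rel = struct.unpack_from("<i", code, off + 1)[0]
            target = (ip + 5 + rel) & 0xFFFFFFFF   # relative to the NEXT instruction
            mnem = "CALL" if op == 0xE8 else "JMP"
            out.append((ip, code[off:off + 5].hex().upper(), f"{mnem} {target:08X}"))
            ip += 5
        else:
            raise ValueError(f"unexpected opcode {op:02X} at {ip:08X}")
    return out


def rel32(from_addr, to_addr):
    """Displacement an E8/E9 at from_addr needs to reach to_addr (inverse of the above)."""
    return (to_addr - (from_addr + 5)) & 0xFFFFFFFF


if __name__ == "__main__":
    for addr, raw, text in decode_patch(PATCH_HEX, PATCH_BASE):
        print(f"{addr:08X} {raw:<12} {text}")
```

Comparing the printed CALL/JMP targets with the KERNEL32.CreateMutexA / OpenMutexA labels OllyDbg showed is a quick way to confirm a hand-entered patch was typed correctly before running it.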


