Tools: OllyDBG 1.1 (Chinese-localized build); LordPE
OS: WIN2K
Target: Armadillo.exe (the 3.6 main program)

Lately interest in unpacking Armadillo 3.6 has picked up again: there are write-ups on the standard protection, on the CopyMemII+Debug mode protection, and so on. So I am joining in with an unpacking write-up of the Armadillo main program itself. What sets it apart from the others: first, the main program is somewhat harder to unpack; second, no extra dump helper tool is needed. (This is a first-pass unpack; nothing has been repaired yet.)

Part 1. Finding the OEP and dumping the process

Load the target in OllyDBG; it stops at the entry point 004A2000. Note down the first two bytes at the entry (60 E8); they will be needed later when repairing the IAT. Use the IsDebuggerPresent plugin to hide OllyDbg, and in the debugging options ignore all exceptions (tick every box). In the command window set a breakpoint: bp WaitForDebugEvent, then press F9 to run. It breaks at the entry of WaitForDebugEvent (press F2 to clear the breakpoint). Look at the stack window:

  0012DA98 00487F67 /CALL 到 WaitForDebugEvent 来自 Armadill.00487F61
  0012DA9C 0012EB5C |pDebugEvent = 0012EB5C
  0012DAA0 000003E8 \Timeout = 1000. ms
  0012DAA4 0012FF04
  0012DAA8 00000000
  0012DAAC 00497B99 Armadill.00497B99

The second line, 0012EB5C, is the buffer where the details of each debug event are stored. Right-click that line and choose "Follow in Dump" (转存中跟随) so that the data starting at 0012EB5C can be watched in the dump window at any time.

Go to the CPU window, Ctrl-G: 0048858A, and set a hardware execution breakpoint at 0048858A. This breakpoint is the best entry point I found after countless tracing sessions (my own discovery, nobody else has it); its main purpose is to make dumping the process easy. As for why, see the analysis of the code after the break at this address.

OK, it breaks at the hardware breakpoint. Look at the data starting at 0012EB5C:

  0012EB5C 01 00 00 00 58 06 00 00 ...X..
  0012EB64 30 04 00 00 01 00 00 80 0....€
  0012EB6C 00 00 00 00 00 00 00 00 ........
  0012EB74 B0 28 44 00 02 00 00 00 ?D....
[0012EB74] = 004428B0, and that is the OEP we are looking for!

Now look at the code at the breakpoint (the // at the end of a line is my annotation):

  0048858A CMP DWORD PTR SS:[EBP-A30],0    // [EBP-A30] is the number (0-47) of the 01000H-sized block: 0 is the block at 00401000, 1 the block at 00402000, and so on.
  00488591 JL Armadill.00488840
  00488597 MOV ECX,DWORD PTR SS:[EBP-A30]
  0048859D CMP ECX,DWORD PTR DS:[4B85E4]   // [4B85E4] is the total number of blocks; 48h for this program.
  004885A3 JGE Armadill.00488840
  004885A9 MOV EDX,DWORD PTR SS:[EBP-9BC]
  004885AF AND EDX,0FF
  004885B5 TEST EDX,EDX
  004885B7 JE Armadill.0048866A
  004885BD PUSH 0
  004885BF MOV ESI,DWORD PTR SS:[EBP-A30]
  004885C5 SHL ESI,4
  004885C8 MOV EAX,DWORD PTR SS:[EBP-A30]
  004885CE AND EAX,80000007
  004885D3 JNS SHORT Armadill.004885DA
  004885D5 DEC EAX
  004885D6 OR EAX,FFFFFFF8
  004885D9 INC EAX
  004885DA XOR ECX,ECX
  004885DC MOV CL,BYTE PTR DS:[EAX+4B6A80]
  004885E2 MOV EDX,DWORD PTR SS:[EBP-A30]
  004885E8 AND EDX,80000007
  004885EE JNS SHORT Armadill.004885F5
  004885F0 DEC EDX
  004885F1 OR EDX,FFFFFFF8
  004885F4 INC EDX
  004885F5 XOR EAX,EAX
  004885F7 MOV AL,BYTE PTR DS:[EDX+4B6A81]
  004885FD MOV EDI,DWORD PTR DS:[ECX*4+4B2260]
  00488604 XOR EDI,DWORD PTR DS:[EAX*4+4B2260]
  0048860B MOV ECX,DWORD PTR SS:[EBP-A30]
  00488611 AND ECX,80000007
  00488617 JNS SHORT Armadill.0048861E
  00488619 DEC ECX
  0048861A OR ECX,FFFFFFF8
  0048861D INC ECX
  0048861E XOR EDX,EDX
  00488620 MOV DL,BYTE PTR DS:[ECX+4B6A82]
  00488626 XOR EDI,DWORD PTR DS:[EDX*4+4B2260]
  0048862D MOV EAX,DWORD PTR SS:[EBP-A30]
  00488633 CDQ
  00488634 MOV ECX,1C
  00488639 IDIV ECX
  0048863B MOV ECX,EDX
  0048863D SHR EDI,CL
  0048863F AND EDI,0F
  00488642 ADD ESI,EDI
  00488644 MOV EDX,DWORD PTR DS:[4B85D4]
  0048864A LEA EAX,DWORD PTR DS:[EDX+ESI*4]
  0048864D PUSH EAX
  0048864E MOV ECX,DWORD PTR SS:[EBP-A30]
  00488654 PUSH ECX
  00488655 CALL Armadill.0048A659           // Decrypts the data and copies it to the corresponding block.
  0048865A ADD ESP,0C
  0048865D AND EAX,0FF
  00488662 TEST EAX,EAX
  00488664 JE Armadill.00488840

Look at the value of [EBP-A30]:

  0012EB48 41 00 00 00 01 49 13 00 A...I.
Change the value at 0012eb48 to 0, so decryption starts from the first block and the data is copied to 00401000, size 01000H. To loop until all the data has been decrypted, I patched the code at 0048865D as follows:

  0048865D: inc dword ptr [0012eb48]
  00488663: nop
  00488664: jmp 0048858A

In the data dump window, Ctrl-G: 004B85E4, to watch the two values at 004B85E4 and 004B85E8. The dword at 004B85E4 is the total number of blocks; the dword at 004B85E8 is the number of blocks already decrypted. If the decrypted-block count reaches 23H or more, the code of block 0 (at 00401000) is re-encrypted and the block's protection is changed so that nothing can be done with it (GUARD). So when the value at 004B85E8 reaches 20h, set it back to 0 (changing it at 21H or 22H also works, but it must never pass 23H).

F9 to continue (remember to reset the value at 004B85E8 along the way). After the hardware breakpoint has been hit 48h times, run LordPE, pick the second process (there are two processes with the same name), and the process can be dumped completely.
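To make explicit why [0012EB74] in step 1 holds the OEP: the 32 bytes dumped at pDebugEvent are a Win32 DEBUG_EVENT, whose fields line up as dwDebugEventCode = 1 (EXCEPTION_DEBUG_EVENT), process 658, thread 430, ExceptionCode 80000001 (STATUS_GUARD_PAGE_VIOLATION) and ExceptionAddress 004428B0. The Python below is an added example, not part of the original write-up or of Armadillo; it takes the four dump lines from step 1 (embedded here as a constructed sample), decodes the structure, and returns the faulting address when the event is a guard-page fault.

```python
import struct

# Field values from the Win32 DEBUG_EVENT / EXCEPTION_RECORD definitions.
EXCEPTION_DEBUG_EVENT = 1
STATUS_GUARD_PAGE_VIOLATION = 0x80000001

# Constructed sample: the four OllyDbg dump lines quoted in step 1
# (address, eight hex bytes, ASCII column), starting at pDebugEvent.
DUMP_TEXT = """\
0012EB5C 01 00 00 00 58 06 00 00 ...X..
0012EB64 30 04 00 00 01 00 00 80 0....
0012EB6C 00 00 00 00 00 00 00 00 ........
0012EB74 B0 28 44 00 02 00 00 00 ?D....
"""

def dump_to_bytes(text: str) -> bytes:
    """Convert OllyDbg dump-window lines into raw bytes (8 bytes per line)."""
    out = bytearray()
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 9:
            continue  # not an address + 8 hex bytes line
        out += bytes.fromhex("".join(tokens[1:9]))
    return bytes(out)

def parse_debug_event(buf: bytes) -> dict:
    """Decode the first 32 bytes of a 32-bit DEBUG_EVENT (little-endian DWORDs):
    +00 dwDebugEventCode  +04 dwProcessId      +08 dwThreadId
    +0C ExceptionCode     +10 ExceptionFlags   +14 ExceptionRecord (chain ptr)
    +18 ExceptionAddress  +1C NumberParameters
    The union fields are only meaningful for EXCEPTION_DEBUG_EVENT."""
    if len(buf) < 32:
        raise ValueError("need at least 32 bytes of DEBUG_EVENT")
    code, pid, tid, exc_code, flags, _chain, addr, nparams = struct.unpack_from("<8I", buf)
    ev = {"code": code, "pid": pid, "tid": tid}
    if code == EXCEPTION_DEBUG_EVENT:
        ev.update(exception_code=exc_code, exception_flags=flags,
                  exception_address=addr, num_params=nparams)
    return ev

def oep_from_guard_fault(buf: bytes):
    """Return the faulting address if the event is a guard-page violation,
    i.e. the child touched a page the protector still had marked GUARD;
    in the run above that address is the OEP. Otherwise return None."""
    ev = parse_debug_event(buf)
    if ev["code"] == EXCEPTION_DEBUG_EVENT and ev["exception_code"] == STATUS_GUARD_PAGE_VIOLATION:
        return ev["exception_address"]
    return None
```

Calling parse_debug_event(dump_to_bytes(DUMP_TEXT)) yields the pid, tid and exception fields listed in the lead-in; any other event code or exception code makes oep_from_guard_fault return None.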
Part 2. Getting the import table

Start over: load the target in OllyDBG and set bp DebugActiveProcess. After the break, look at the stack window:

  0012DA9C 00487DDB /CALL 到 DebugActiveProcess 来自 Armadill.00487DD5
  0012DAA0 0000057C \ProcessId = 57C
  0012DAA4 0012FF04
  0012DAA8 00000000

The child process ID is 57C. Open a second OllyDbg and attach it to process 57c. OK. Press ALT+F9 to get to the entry point and change the entry instruction EB FE back to 60 E8 (the bytes noted in step 1). Result:

  004A2000 >PUSHAD
  004A2001 CALL Armadill.004A2006
  004A2006 POP EBP
  004A2007 PUSH EAX
  004A2008 PUSH ECX
  004A2009 JMP SHORT Armadill.004A201A

Remove the DebugActiveProcess breakpoint and set bp OpenMutexA; after it breaks, remove that one too. Look at the stack window:

  0012F574 004797F1 /CALL 到 OpenMutexA 来自 Armadill.004797EB
  0012F578 001F0001 |Access = 1F0001
  0012F57C 00000000 |Inheritable = FALSE
  0012F580 0012FBB4 \MutexName = "57C::DAAD341ECC"
  0012F584 0012FF04

In the free space at 00401000 enter this code:

  00401000 60            PUSHAD
  00401001 68 B4FB1200   PUSH 12FBB4
  00401006 6A 00         PUSH 0
  00401008 6A 00         PUSH 0
  0040100A E8 D08BA877   CALL KERNEL32.CreateMutexA
  0040100F 61            POPAD
  00401010 -E9 D48CA877  JMP KERNEL32.OpenMutexA

Right-click at address 00401000 and choose "New origin here" (此处新建EIP) from the menu. Set bp LoadLibraryA; after the second break, step with F8 and you will find that, starting at 00E18000, the original, completely unmodified import table is there. Use LordPE to dump the region starting at 00e18000, size 03000h, in full, and patch it into the file dumped in step 1 at the same address.