TA的每日心情 | 怒
2010-12-17 09:30 |
|---|
签到天数: 4 天 [LV.2]偶尔看看I
|
标 题: 【原创】NsPack3.7分析和静态脱壳机(附源码)
作 者: nissassA
时 间: 2009-07-30,16:57
链 接: http://bbs.pediy.com/showthread.php?t=94673
NsPack3.7分析和静态脱壳机(附源码)
科锐第四阶段壳专题课后作业。感谢钱老师的细心教导。让我从一个仅仅知道C的人能用C/C++做一些开发,并学会了一些逆向知识。
由于本人技术有限,所以分析的不是很详细。还请各位大牛见谅。如有不足的地方,希望各位及时指出。谢谢。
由于是脱壳机有部分是边分析边写,所以代码风格很差。各位尽管拍砖头吧..
壳版本: Nspack3.7.Cracked.exe
工具: IDA, OD
引用:
外壳shell简单分析
外壳第一部分:
1.申请堆空间
2.处理shell第二部分,并拷贝到堆空间
3.执行完shell第二部分后循环处理E8
4.填写IAT
5.恢复内存属性
6.跳转到OEP
外壳第二部分:
解压数据并拷贝到原地址
外壳shell分析:
代码:
.nsp1:0040A219 pushf ; (1).nsp1:0040A21A pusha.nsp1:0040A21B call $+5.nsp1:0040A220 pop ebp.nsp1:0040A221 sub ebp, 7 ; 获得当前(1)处地址.nsp1:0040A224 lea ecx, [ebp-19Dh].nsp1:0040A22A cmp byte ptr [ecx], 1 ; 标记位.nsp1:0040A22D jz loc_40A475.nsp1:0040A233 mov byte ptr [ecx], 1 ; 标记位置1.nsp1:0040A236 mov eax, ebp.nsp1:0040A238 sub eax, [ebp-209h] ; [ebp-209] 存放当前 OEP RVA.nsp1:0040A23E mov [ebp-209h], eax ; image base.nsp1:0040A244 add [ebp-1D9h], eax ; image base + code seg RVA.nsp1:0040A24A lea esi, [ebp-195h].nsp1:0040A250 add [esi], eax ; image base + code seg RVA.nsp1:0040A252 push ebp ; 保存ebp(加壳后程序入口点).nsp1:0040A253 push esi ; 保存esi(DWORD指针,指向未加壳程序代码段内存偏移).nsp1:0040A254 push 40h ; 参数(PAGE_EXECUTE_READWRITE 0x40).nsp1:0040A256 push 1000h ; 参数(MEM_COMMIT 0x1000 ).nsp1:0040A25B push 1000h ; 参数(dwSize).nsp1:0040A260 push 0 ; 起始地址,为0则系统自动分配.nsp1:0040A262 call dword ptr [ebp-171h] ; CALL kernel32.VirtualAlloc.nsp1:0040A268 test eax, eax ; 是否申请成功.nsp1:0040A26A jz loc_40A5D9.nsp1:0040A270 mov [ebp-1E1h], eax ; 保存申请的堆空间首地址.nsp1:0040A276 call $+5.nsp1:0040A27B pop ebx.nsp1:0040A27C mov ecx, 367h.nsp1:0040A281 add ebx, ecx.nsp1:0040A283 push eax ; 目的,申请的堆空间.nsp1:0040A284 push ebx ; 源数据,shell第二部分代码.nsp1:0040A285 call __ShellDecode ; 把shell第二部分代码修正并拷贝到堆空间.nsp1:0040A28A pop esi.nsp1:0040A28B pop ebp.nsp1:0040A28C mov esi, [esi] ; [esi] 00401000.nsp1:0040A28E mov edi, ebp ; 加壳后OEP内存偏移.nsp1:0040A290 add edi, [ebp-219h] ; [ebp-219] 取得偏移 906h.nsp1:0040A296 mov ebx, edi.nsp1:0040A298 cmp dword ptr [edi], 0.nsp1:0040A29B jnz short loc_40A2A7.nsp1:0040A29D add edi, 4.nsp1:0040A2A0 mov ecx, 0.nsp1:0040A2A5 jmp short loc_40A2BD.nsp1:0040A2A7 ; ---------------------------------------------------------------------------.nsp1:0040A2A7.nsp1:0040A2A7 loc_40A2A7: ; CODE XREF: start+82�j.nsp1:0040A2A7 mov ecx, 1.nsp1:0040A2AC add edi, [ebx].nsp1:0040A2AE add ebx, 4.nsp1:0040A2B1.nsp1:0040A2B1 loc_40A2B1: ; CODE XREF: start+CF�j.nsp1:0040A2B1 cmp dword ptr [ebx], 0.nsp1:0040A2B4 jz short loc_40A2EA.nsp1:0040A2B6 add [ebx], edx.nsp1:0040A2B8 mov esi, [ebx].nsp1:0040A2BA add edi, [ebx+4].nsp1:0040A2BD.nsp1:0040A2BD loc_40A2BD: ; CODE XREF: start+8C�j.nsp1:0040A2BD push edi.nsp1:0040A2BE push ecx.nsp1:0040A2BF push ebx.nsp1:0040A2C0 push dword ptr [ebp-16Dh] ; VirtualFree.nsp1:0040A2C6 push dword ptr [ebp-171h] ; [EBP-171] kernel32.VirtualAlloc.nsp1:0040A2CC mov edx, esi.nsp1:0040A2CE mov ecx, edi.nsp1:0040A2D0 mov eax, [ebp-1E1h] ; VirtualAlloc返回的首地址.nsp1:0040A2D6 add eax, 5AAh.nsp1:0040A2DB call eax ; __Shell_Decode_Data 数据解压并拷贝到原虚拟地址.nsp1:0040A2DD pop ebx.nsp1:0040A2DE pop ecx.nsp1:0040A2DF pop edi.nsp1:0040A2E0 cmp ecx, 0.nsp1:0040A2E3 jz short loc_40A2EA.nsp1:0040A2E5 add ebx, 8.nsp1:0040A2E8 jmp short loc_40A2B1.nsp1:0040A2EA ; ---------------------------------------------------------------------------.nsp1:0040A2EA.nsp1:0040A2EA loc_40A2EA: ; CODE XREF: start+9B�j.nsp1:0040A2EA ; start+CA�j.nsp1:0040A2EA push 8000h.nsp1:0040A2EF push 0.nsp1:0040A2F1 push dword ptr [ebp-1E1h].nsp1:0040A2F7 call dword ptr [ebp-16Dh] ; kernel32.VirtualFree.nsp1:0040A2FD lea esi, [ebp-1D9h].nsp1:0040A303 mov ecx, [esi+8].nsp1:0040A306 lea edx, [esi+10h].nsp1:0040A309 mov esi, [esi].nsp1:0040A30B mov edi, esi.nsp1:0040A30D cmp ecx, 0 ; 循环处理near call(ecx循环次数).nsp1:0040A310 jz short loc_40A351.nsp1:0040A312.nsp1:0040A312 loc_40A312: ; CODE XREF: start+100�j.nsp1:0040A312 ; start+10E�j.nsp1:0040A312 mov al, [edi] ; 处理开始.nsp1:0040A314 inc edi.nsp1:0040A315 sub al, 0E8h ; E8是near call的机器码.nsp1:0040A317.nsp1:0040A317 loc_40A317: ; CODE XREF: start+136�j.nsp1:0040A317 cmp al, 1.nsp1:0040A319 ja short loc_40A312 ; 大于1跳过.nsp1:0040A31B mov eax, [edi].nsp1:0040A31D cmp byte ptr [edx+1], 0.nsp1:0040A321 jz short loc_40A337 ; 是near call则跳去处理.nsp1:0040A323 mov bl, [edx].nsp1:0040A325 cmp [edi], bl.nsp1:0040A327 jnz short loc_40A312.nsp1:0040A329 mov bl, [edi+4].nsp1:0040A32C shr ax, 8.nsp1:0040A330 rol eax, 10h.nsp1:0040A333 xchg al, ah.nsp1:0040A335 jmp short loc_40A341.nsp1:0040A337 ; ---------------------------------------------------------------------------.nsp1:0040A337.nsp1:0040A337 loc_40A337: ; CODE XREF: start+108�j.nsp1:0040A337 mov bl, [edi+4].nsp1:0040A33A xchg al, ah.nsp1:0040A33C rol eax, 10h.nsp1:0040A33F xchg al, ah.nsp1:0040A341.nsp1:0040A341 loc_40A341: ; CODE XREF: start+11C�j.nsp1:0040A341 sub eax, edi.nsp1:0040A343 add eax, esi.nsp1:0040A345 mov [edi], eax.nsp1:0040A347 add edi, 5.nsp1:0040A34A sub bl, 0E8h.nsp1:0040A34D mov eax, ebx.nsp1:0040A34F loop loc_40A317 ; near call处理结束.nsp1:0040A351.nsp1:0040A351 loc_40A351: ; CODE XREF: start+F7�j.nsp1:0040A351 call __Fill_IAT_Table ; 填IAT表.nsp1:0040A356 lea ecx, [ebp-1C5h].nsp1:0040A35C mov eax, [ecx+8].nsp1:0040A35F cmp eax, 0.nsp1:0040A362 jz loc_40A3E9.nsp1:0040A368 mov esi, edx.nsp1:0040A36A sub esi, [ecx+10h].nsp1:0040A36D jz short loc_40A3E9.nsp1:0040A36F mov [ecx+10h], esi.nsp1:0040A372 lea esi, [ebp-195h].nsp1:0040A378 mov esi, [esi].nsp1:0040A37A lea ebx, [esi-4].nsp1:0040A37D mov eax, [ecx].nsp1:0040A37F cmp eax, 1.nsp1:0040A382 jz short loc_40A38E.nsp1:0040A384 mov edi, edx.nsp1:0040A386 add edi, [ecx+8].nsp1:0040A389 mov ecx, [ecx+10h].nsp1:0040A38C jmp short loc_40A396.nsp1:0040A38E ; ---------------------------------------------------------------------------.nsp1:0040A38E.nsp1:0040A38E loc_40A38E: ; CODE XREF: start+169�j.nsp1:0040A38E mov edi, esi.nsp1:0040A390 add edi, [ecx+8].nsp1:0040A393 mov ecx, [ecx+10h].nsp1:0040A396.nsp1:0040A396 loc_40A396: ; CODE XREF: start+173�j.nsp1:0040A396 ; start+18E�j.nsp1:0040A396 xor eax, eax.nsp1:0040A398 mov al, [edi].nsp1:0040A39A inc edi.nsp1:0040A39B or eax, eax.nsp1:0040A39D jz short loc_40A3BF.nsp1:0040A39F cmp al, 0EFh.nsp1:0040A3A1 ja short loc_40A3A9.nsp1:0040A3A3.nsp1:0040A3A3 loc_40A3A3: ; CODE XREF: start+19D�j.nsp1:0040A3A3 ; start+1A4�j.nsp1:0040A3A3 add ebx, eax.nsp1:0040A3A5 add [ebx], ecx.nsp1:0040A3A7 jmp short loc_40A396.nsp1:0040A3A9 ; ---------------------------------------------------------------------------.nsp1:0040A3A9.nsp1:0040A3A9 loc_40A3A9: ; CODE XREF: start+188�j.nsp1:0040A3A9 and al, 0Fh.nsp1:0040A3AB shl eax, 10h.nsp1:0040A3AE mov ax, [edi].nsp1:0040A3B1 add edi, 2.nsp1:0040A3B4 or eax, eax.nsp1:0040A3B6 jnz short loc_40A3A3.nsp1:0040A3B8 mov eax, [edi].nsp1:0040A3BA add edi, 4.nsp1:0040A3BD jmp short loc_40A3A3.nsp1:0040A3BF ; ---------------------------------------------------------------------------.nsp1:0040A3BF.nsp1:0040A3BF loc_40A3BF: ; CODE XREF: start+184�j.nsp1:0040A3BF xor ebx, ebx.nsp1:0040A3C1 xchg edi, esi.nsp1:0040A3C3 mov eax, [esi].nsp1:0040A3C5 cmp eax, 0.nsp1:0040A3C8 jz short loc_40A3E9.nsp1:0040A3CA.nsp1:0040A3CA loc_40A3CA: ; CODE XREF: start+1BC�j.nsp1:0040A3CA lodsd.nsp1:0040A3CB or eax, eax.nsp1:0040A3CD jz short loc_40A3D7.nsp1:0040A3CF add ebx, eax.nsp1:0040A3D1 add [edi+ebx], cx.nsp1:0040A3D5 jmp short loc_40A3CA.nsp1:0040A3D7 ; ---------------------------------------------------------------------------.nsp1:0040A3D7.nsp1:0040A3D7 loc_40A3D7: ; CODE XREF: start+1B4�j.nsp1:0040A3D7 xor ebx, ebx.nsp1:0040A3D9 shr ecx, 10h.nsp1:0040A3DC.nsp1:0040A3DC loc_40A3DC: ; CODE XREF: start+1CE�j.nsp1:0040A3DC lodsd.nsp1:0040A3DD or eax, eax.nsp1:0040A3DF jz short loc_40A3E9.nsp1:0040A3E1 add ebx, eax.nsp1:0040A3E3 add [edi+ebx], cx.nsp1:0040A3E7 jmp short loc_40A3DC.nsp1:0040A3E9 ; ---------------------------------------------------------------------------.nsp1:0040A3E9.nsp1:0040A3E9 loc_40A3E9: ; CODE XREF: start+149�j.nsp1:0040A3E9 ; start+154�j ....nsp1:0040A3E9 lea esi, [ebp-209h].nsp1:0040A3EF mov edx, [esi].nsp1:0040A3F1 lea esi, [ebp-1ADh].nsp1:0040A3F7 mov al, [esi].nsp1:0040A3F9 cmp al, 1.nsp1:0040A3FB jnz short loc_40A43C.nsp1:0040A3FD add edx, [esi+4].nsp1:0040A400 push esi.nsp1:0040A401 push edx.nsp1:0040A402 push esi.nsp1:0040A403 push 4.nsp1:0040A405 push 100h.nsp1:0040A40A push edx.nsp1:0040A40B call dword ptr [ebp-175h] ; kernel32.VirtualProtect.nsp1:0040A411 pop edi.nsp1:0040A412 pop esi.nsp1:0040A413 cmp eax, 1.nsp1:0040A416 jnz loc_40A5D9.nsp1:0040A41C add esi, 8.nsp1:0040A41F mov ecx, 8.nsp1:0040A424 rep movsb.nsp1:0040A426 sub esi, 0Ch.nsp1:0040A429 sub edi, 8.nsp1:0040A42C push esi.nsp1:0040A42D push dword ptr [esi-4].nsp1:0040A430 push 100h.nsp1:0040A435 push edi.nsp1:0040A436 call dword ptr [ebp-175h] ; kernel32.VirtualProtect.nsp1:0040A43C.nsp1:0040A43C loc_40A43C: ; CODE XREF: start+1E2�j.nsp1:0040A43C push ebp.nsp1:0040A43D pop ebx.nsp1:0040A43E sub ebx, 21h.nsp1:0040A444 xor ecx, ecx.nsp1:0040A446 mov cl, [ebx].nsp1:0040A448 cmp cl, 0 ; 循环还原属性(cl存放循环次数).nsp1:0040A44B jz short loc_40A475.nsp1:0040A44D inc ebx ; 原程序 代码块 和 数据块 属性还原.nsp1:0040A44E lea esi, [ebp-209h].nsp1:0040A454 mov edx, [esi].nsp1:0040A456.nsp1:0040A456 loc_40A456: ; CODE XREF: start+25A�j.nsp1:0040A456 push esi.nsp1:0040A457 push ecx.nsp1:0040A458 push ebx.nsp1:0040A459 push edx.nsp1:0040A45A push esi.nsp1:0040A45B push dword ptr [ebx].nsp1:0040A45D push dword ptr [ebx+4].nsp1:0040A460 mov eax, [ebx+8].nsp1:0040A463 add eax, edx.nsp1:0040A465 push eax.nsp1:0040A466 call dword ptr [ebp-175h] ; kernel32.VirtualProtect.nsp1:0040A46C pop edx.nsp1:0040A46D pop ebx.nsp1:0040A46E pop ecx.nsp1:0040A46F pop esi.nsp1:0040A470 add ebx, 0Ch.nsp1:0040A473 loop loc_40A456.nsp1:0040A475.nsp1:0040A475 loc_40A475: ; CODE XREF: start+14�j.nsp1:0040A475 ; start+232�j.nsp1:0040A475 mov eax, 0.nsp1:0040A47A cmp eax, 0.nsp1:0040A47D jz short loc_40A489.nsp1:0040A47F popa.nsp1:0040A480 popf.nsp1:0040A481 mov eax, 1.nsp1:0040A486 retn 0Ch.nsp1:0040A489 ; ---------------------------------------------------------------------------.nsp1:0040A489.nsp1:0040A489 loc_40A489: ; CODE XREF: start+264�j.nsp1:0040A489 popa.nsp1:0040A48A popf.nsp1:0040A48B jmp near ptr dword_401000 ; jmp to OEP.nsp1:0040A48B start endp |
|
发表于 2009-8-16 11:17:04
