Source: 安全中国
1.0 Preface
========

Come to think of it, I haven't written anything for quite a while. This one has no junk instructions and no anti-debugging, so it is fairly simple and I'll write it up.

1.1 Finding the IAT
============

First, load it in OllyDbg:

Code:
--------------------------------------------------------------------------------
01001000 > 60               PUSHA
01001001   6A 00            PUSH 0
01001003   E8 00000000      CALL 01001008
01001008   55               PUSH EBP
01001009   8BEC             MOV EBP, ESP
0100100B   81EC 20020000    SUB ESP, 220
01001011   53               PUSH EBX
01001012   56               PUSH ESI
01001013   57               PUSH EDI                      ; ntdll.7C930738
01001014   8DBD E0FDFFFF    LEA EDI, [EBP-220]
0100101A   B9 88000000      MOV ECX, 88
0100101F   B8 CCCCCCCC      MOV EAX, CCCCCCCC
01001024   F3:AB            REP STOS DWORD PTR ES:[EDI]
01001026   C745 F8 0000000> MOV DWORD PTR [EBP-8], 0
0100102D   8B45 08          MOV EAX, [EBP+8]              ; notepad.<ModuleEntryPoint>
01001030   8985 E0FDFFFF    MOV [EBP-220], EAX
--------------------------------------------------------------------------------

Type "hr esp-4" in the command bar, press F9 to run, enter the password "123456", and it breaks near the OEP:

Code:
--------------------------------------------------------------------------------
00A01F41   E8 00000000      CALL 00A01F46
00A01F46   58               POP EAX                       ; kernel32.7C816D4F
00A01F47   2D 461FA000      SUB EAX, 0A01F46
00A01F4C   8B9D 74FCFFFF    MOV EBX, [EBP-38C]
00A01F52   035D 08          ADD EBX, [EBP+8]              ; notepad.<ModuleEntryPoint>
00A01F55   8998 621FA000    MOV [EAX+A01F62], EBX
00A01F5B   C9               LEAVE
00A01F5C   C9               LEAVE
00A01F5D   83C4 10          ADD ESP, 10
00A01F60   61               POPA
00A01F61   68 9D730001      PUSH 100739D                  ; breaks here
00A01F66   C3               RETN
--------------------------------------------------------------------------------

So the OEP = 100739D.

1.2 Repairing the IAT
============

Step to the OEP and pick a call:

Code:
--------------------------------------------------------------------------------
0100739D   6A 70            PUSH 70
0100739F   68 98180001      PUSH 01001898
010073A4   E8 BF010000      CALL 01007568
010073A9   33DB             XOR EBX, EBX
010073AB   53               PUSH EBX
010073AC   8B3D CC100001    MOV EDI, [10010CC]            ; this one will do
010073B2   FFD7             CALL EDI                      ; ntdll.7C930738
--------------------------------------------------------------------------------

Follow [10010CC] and take a look:

Code:
--------------------------------------------------------------------------------
01770000   68 9F6E2719      PUSH 19276E9F
01770005   68 816B2819      PUSH 19286B81
0177000A   68 D61EC686      PUSH 86C61ED6
0177000F   68 01028819      PUSH 19880201
01770014   E8 E7FFF9FF      CALL 01710000
01770019   0000             ADD [EAX], AL
0177001B   0000             ADD [EAX], AL
0177001D   0000             ADD [EAX], AL
0177001F   0000             ADD [EAX], AL
01770021   0000             ADD [EAX], AL
01770023   0000             ADD [EAX], AL
01770025   0000             ADD [EAX], AL
01770027   0000             ADD [EAX], AL
01770029   0000             ADD [EAX], AL
--------------------------------------------------------------------------------

Quite a few parameters, it seems; step into the CALL and take a look:

Code:
--------------------------------------------------------------------------------
01710000   55               PUSH EBP
01710001   8BEC             MOV EBP, ESP
01710003   60               PUSHA
01710004   9C               PUSHF
01710005   8B85 08000000    MOV EAX, [EBP+8]              ; ntdll.7C930738
0171000B   81F0 7277B93B    XOR EAX, 3BB97772
01710011   81F8 76753122    CMP EAX, 22317576
01710017   0F85 B5000000    JNZ 017100D2
0171001D   E8 11000000      CALL 01710033
01710022   58               POP EAX                       ; 01770019
01710023   9D               POPF
01710024   61               POPA
01710025   C9               LEAVE
01710026   81C4 14000000    ADD ESP, 14
0171002C - FFA424 C0FFFFFF  JMP [ESP-40]
01710033   5E               POP ESI                       ; 01770019
01710034   81EE 05000000    SUB ESI, 5
0171003A   68 44656C65      PUSH 656C6544
0171003F   68 00008F00      PUSH 8F0000
01710044   68 2E646C6C      PUSH 6C6C642E
01710049   68 454C3332      PUSH 32334C45
0171004E   68 4B45524E      PUSH 4E52454B
01710053   54               PUSH ESP
01710054   8B85 10000000    MOV EAX, [EBP+10]
0171005A   81F0 19068819    XOR EAX, 19880619
01710060   FF10             CALL [EAX]
01710062   81F8 00000000    CMP EAX, 0
01710068   0F85 0F000000    JNZ 0171007D
0171006E   54               PUSH ESP
0171006F   8B85 14000000    MOV EAX, [EBP+14]
01710075   81F0 03038719    XOR EAX, 19870303
0171007B   FF10             CALL [EAX]
0171007D   68 46035465      PUSH 65540346
01710082   68 696D6500      PUSH 656D69
01710087   68 696C6554      PUSH 54656C69
0171008C   68 65417346      PUSH 46734165
01710091   68 6D54696D      PUSH 6D69546D
01710096   68 79737465      PUSH 65747379
0171009B   68 47657453      PUSH 53746547
017100A0   54               PUSH ESP
017100A1   50               PUSH EAX
017100A2   8B85 0C000000    MOV EAX, [EBP+C]
017100A8   81F0 42736686    XOR EAX, 86667342
017100AE   FF10             CALL [EAX]
017100B0   C606 68          MOV BYTE PTR [ESI], 68
017100B3   8986 01000000    MOV [ESI+1], EAX
017100B9   C9               LEAVE
017100BA   81EC 28000000    SUB ESP, 28
017100C0   50               PUSH EAX
017100C1   58               POP EAX                       ; 01770019
017100C2   9D               POPF
017100C3   61               POPA
017100C4   C9               LEAVE
017100C5   81C4 14000000    ADD ESP, 14
017100CB - FFA424 C0FFFFFF  JMP [ESP-40]
--------------------------------------------------------------------------------