Packing: Prelude

Review

  1. What magic numbers does a PE file carry?

    "MZ" in the DOS header (e_magic, 0x5A4D) and "PE\0\0" in the NT headers (Signature, 0x00004550)

  2. What information does the PE file header (IMAGE_FILE_HEADER) hold?

    Target machine (platform), timestamp, file characteristics (attributes), number of sections, size of the optional header

  3. What information does the optional header (IMAGE_OPTIONAL_HEADER) hold?

    Entry point RVA (AddressOfEntryPoint), ImageBase (0x400000 by default for an EXE), start of the code section (BaseOfCode), start of the data section (BaseOfData), the data directory and the number of data directory entries, file alignment, section (memory) alignment, total size of the image (SizeOfImage)

  4. What information does a section header hold?

    Section name, virtual address (RVA), virtual size, file offset (PointerToRawData), file size (SizeOfRawData), section characteristics (e.g. 0xC0000020 = code, readable, writable; 0x60000020 = code, executable, readable)

  5. Which tables does the data directory hold?

    Export table, import table, exception table, TLS table, resource table, IAT, base relocation table

  6. Which ring-3 (user-mode) data structures does a process have?

    Process Environment Block (PEB), Thread Environment Block (TEB), TLS structures

  7. How many fields does an import table entry (IMAGE_IMPORT_DESCRIPTOR) have, and what are they?

    Five. The first is OriginalFirstThunk, an RVA pointing to the INT (import name table); the second is TimeDateStamp; the third is ForwarderChain, used by the forwarding mechanism; the fourth is Name, an RVA to the DLL name string; the fifth is FirstThunk, which points to the IAT. In the file the INT and the IAT hold the same contents: each entry is either an RVA to a hint/name entry (IMAGE_IMPORT_BY_NAME) or, with the top bit set, an ordinal number.

Packing by hand

Goal: encrypt the code section so that IDA and other static analysis tools cannot read it.

Steps:

  1. Add a section (update the file size and the number of sections)

  2. Change the original OEP to an address inside the new section

  3. Encrypt (XOR) the code section

  4. At the new OEP, in the new section, add the XOR decryption code

Note:

① By default the code section is not writable; its characteristics must be changed (add IMAGE_SCN_MEM_WRITE), because the decryption code writes into it.

② A program with the random base address attribute (DYNAMIC_BASE) has relocatable code. We normally remove this attribute; if it is kept, the loader relocates the code before our stub runs, and the stub would have to decrypt code that has already been relocated.

In detail: 1. Add a section

Adding the section with LordPE alone is not enough: the program does not run, because the new section's virtual size and raw (file) size are still zero.

Edit the new section's information in LordPE (virtual size, virtual address, raw size, raw offset, characteristics).

Then use 010Editor to append the section's data to the file:

010Editor: Edit - Insert

  2. Modify the OEP and add code at the new OEP. Original OEP (RVA): 0x000011D2; new OEP (RVA): 0x17000

Modify the OEP

010Editor: find AddressOfEntryPoint in the optional header and change it

Add code

Obtain the base address with a trick, then jump to the original OEP

Another way to write it

On the evolution of the code: ① If we simply remove the random base address, we can write code at the new OEP that jumps directly to the original OEP (an absolute address).

② At the new OEP we can obtain the module base address and then add the RVA of the original OEP to it.

③ At the new OEP we can use a call/pop pair to get the address of the current instruction, then subtract its offset (RVA) to compute the module base.

The machine code above, copied to the same location in the same program with the random base address enabled, also runs correctly, since it derives the base at run time instead of assuming a fixed ImageBase.

  3. Encrypt the code section

Code section information

Operate on the code section in 010Editor

③ Select the code section

④ XOR the code section

Because the decryption loop later runs 0xA000 times, the encrypted range must be file offsets 0x400 to 0xA400 (exactly 0xA000 bytes); otherwise the stub decrypts too much or too little.

  4. Add the decryption code. The code section itself carries relocation entries, so if it is encrypted the loader's relocation would corrupt the encrypted bytes; the random base address must therefore be removed:

DllCharacteristics: 40 81 -> 00 81 (0x8140 -> 0x8100, clearing IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040)

The decryption stub as seen in OllyDbg (module "00"; code section at 0x401000, 0xA000 bytes, XOR key 0x15):

00417000 >  60              pushad
00417001    BB 00104000     mov ebx,00.00401000
00417006    B9 00A00000     mov ecx,0xA000
0041700B    49              dec ecx
0041700C    803419 15       xor byte ptr ds:[ecx+ebx],0x15
00417010    83F9 00         cmp ecx,0x0
00417013  ^ 75 F6           jnz short 00.0041700B
00417015    61              popad
00417016    B8 D2110000     mov eax,0x11D2
0041701B    05 00004000     add eax,00.00400000
00417020  - FFE0            jmp eax

The same stub as assembly source (the loop decrypts 0xA000 bytes starting at 0x401000, then jumps to ImageBase + original OEP RVA):

pushad
mov ebx,00401000
mov ecx,0xA000
dec ecx
xor byte ptr ds:[ecx+ebx],0x15
cmp ecx,0x0
jnz 0041700B
popad
mov eax,0x11D2
add eax,00400000
jmp eax
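As an added example (it is not part of the original notes, and it is not what LordPE or 010Editor do; those edits are made by hand in the notes), the script below performs the four packing steps and the two notes on a PE32 file image, and along the way parses the header fields from review questions 1-4. The input PE is constructed inside the script (build_sample_pe) rather than being a compiled program, the function names pe_info, build_stub and pack are my own, and the stub bytes are exactly the ones in the listing above, with the immediates (code section address, byte count, key, original OEP RVA, ImageBase) filled in from the parsed headers instead of being hard-coded.

```python
import struct

# PE constants (values from the PE/COFF specification)
SCN_MEM_WRITE = 0x80000000         # IMAGE_SCN_MEM_WRITE, needed for note (1)
DLLCHAR_DYNAMIC_BASE = 0x0040      # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, cleared for note (2)
SECT_FMT = "<8sIIIIIIHHI"          # IMAGE_SECTION_HEADER (40 bytes)
OPT_FMT = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6   # IMAGE_OPTIONAL_HEADER32 before the data directory


def align(x, a):
    return (x + a - 1) // a * a


def build_sample_pe():
    """Constructed input for the example: a minimal PE32 with one .text section (not compiler output)."""
    code = bytes.fromhex("b82a000000c3").ljust(0x200, b"\xcc")         # mov eax,42 ; ret ; int3 padding
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)  # i386, 1 section, opt hdr 224, EXE|32BIT
    opt = struct.pack(OPT_FMT,
                      0x10B, 0, 0, 0x200, 0, 0,            # PE32 magic, linker version, SizeOfCode, init/uninit data
                      0x1000, 0x1000, 0x2000,              # AddressOfEntryPoint, BaseOfCode, BaseOfData
                      0x400000, 0x1000, 0x200,             # ImageBase, SectionAlignment, FileAlignment
                      4, 0, 0, 0, 4, 0, 0,                 # OS/image/subsystem versions, Win32VersionValue
                      0x2000, 0x200, 0, 3, 0x8140,         # SizeOfImage, SizeOfHeaders, CheckSum, Subsystem, DllCharacteristics
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + bytes(128)  # stack/heap, LoaderFlags, 16 empty directories
    sect = struct.pack(SECT_FMT, b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    return (dos + b"PE\0\0" + file_hdr + opt + sect).ljust(0x200, b"\0") + code


def pe_info(data):
    """Parse the header fields from review questions 1-4: magics, file header, optional header, sections."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ magic")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24
    info = dict(pe=pe, opt=opt, machine=machine, nsec=nsec, sect_table=opt + opt_size)
    info["aep"] = struct.unpack_from("<I", data, opt + 16)[0]
    info["image_base"], info["sec_align"], info["file_align"] = struct.unpack_from("<III", data, opt + 28)
    info["size_of_image"], info["size_of_headers"] = struct.unpack_from("<II", data, opt + 56)
    info["dll_chars"] = struct.unpack_from("<H", data, opt + 70)[0]
    info["sections"] = []
    for i in range(nsec):
        s = struct.unpack_from(SECT_FMT, data, info["sect_table"] + 40 * i)
        info["sections"].append(dict(name=s[0].rstrip(b"\0"), vsize=s[1], va=s[2],
                                     rawsize=s[3], rawptr=s[4], chars=s[9]))
    return info


def build_stub(code_va, count, key, oep_rva, image_base):
    """The decryption stub from the listing above, with its immediates filled in (34 bytes)."""
    return (b"\x60"                                     # pushad
            + b"\xBB" + struct.pack("<I", code_va)      # mov ebx, <code section VA>
            + b"\xB9" + struct.pack("<I", count)        # mov ecx, <bytes to decrypt>
            + b"\x49"                                   # dec ecx
            + b"\x80\x34\x19" + bytes([key])            # xor byte ptr [ecx+ebx], key
            + b"\x83\xF9\x00"                           # cmp ecx, 0
            + b"\x75\xF6"                               # jnz -10 (back to dec ecx)
            + b"\x61"                                   # popad
            + b"\xB8" + struct.pack("<I", oep_rva)      # mov eax, <original OEP RVA>
            + b"\x05" + struct.pack("<I", image_base)   # add eax, ImageBase
            + b"\xFF\xE0")                              # jmp eax


def pack(data, key=0x15):
    """Apply packing steps 1-4 and notes (1)-(2) to a PE32 file image; returns the packed bytes."""
    info = pe_info(data)
    out = bytearray(data)
    opt, fa, sa = info["opt"], info["file_align"], info["sec_align"]
    # the section containing the original entry point is the code section to encrypt
    code_i = next(i for i, s in enumerate(info["sections"])
                  if s["va"] <= info["aep"] < s["va"] + max(s["vsize"], s["rawsize"]))
    code, last = info["sections"][code_i], info["sections"][-1]
    new_va = align(last["va"] + max(last["vsize"], last["rawsize"]), sa)
    new_rawptr = align(len(out), fa)
    stub = build_stub(info["image_base"] + code["va"], code["rawsize"], key, info["aep"], info["image_base"])
    stub_raw = stub.ljust(align(len(stub), fa), b"\0")
    # step 1: a new section header must fit in the header area; then bump NumberOfSections
    hdr_off = info["sect_table"] + 40 * info["nsec"]
    if hdr_off + 40 > info["size_of_headers"]:
        raise ValueError("no room in the headers for another section header")
    struct.pack_into(SECT_FMT, out, hdr_off, b".pack", len(stub), new_va, len(stub_raw), new_rawptr,
                     0, 0, 0, 0, 0x60000020)            # code, executable, readable
    struct.pack_into("<H", out, info["pe"] + 6, info["nsec"] + 1)
    # step 2: entry point moves into the new section; SizeOfImage grows to cover it
    struct.pack_into("<I", out, opt + 16, new_va)
    struct.pack_into("<I", out, opt + 56, align(new_va + len(stub_raw), sa))
    # note (1): the stub writes into the code section, so that section must be writable
    struct.pack_into("<I", out, info["sect_table"] + 40 * code_i + 36, code["chars"] | SCN_MEM_WRITE)
    # note (2): clear DYNAMIC_BASE so the loader never relocates the still-encrypted bytes
    struct.pack_into("<H", out, opt + 70, info["dll_chars"] & ~DLLCHAR_DYNAMIC_BASE)
    # step 3: XOR exactly the bytes the stub will loop over (SizeOfRawData, the value in mov ecx)
    for i in range(code["rawptr"], code["rawptr"] + code["rawsize"]):
        out[i] ^= key
    # step 4: append the stub as the raw data of the new section
    out += bytes(new_rawptr - len(out)) + stub_raw
    return bytes(out)


if __name__ == "__main__":
    packed = pack(build_sample_pe())
    for s in pe_info(packed)["sections"]:
        print(s["name"].decode(), hex(s["va"]), hex(s["rawptr"]), hex(s["chars"]))
```

pack() refuses to add a section when the header area has no room for another 40-byte section header, which is the case LordPE silently gets wrong when the headers are tightly packed. The XOR range is taken from the code section's SizeOfRawData and the same value is written into the stub's mov ecx, so the encrypted range and the decryption count cannot drift apart (the 0x400-0xA400 versus 0xA000 point above). The stub jumps through an absolute ImageBase, which is why DYNAMIC_BASE is cleared (variant ①); the call/pop form (variant ③) would make only the jump position independent, not the XOR over bytes the loader may already have relocated.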


Unpacking

Purposes of unpacking:

  1. Crackers: unpack, decrypt, crack

  2. Antivirus engines (unpacking engines, AV virtual machines): decrypt, detect malware, scan for signatures

Unpacking steps:

  1. Find the original OEP. Generally, once we have found (or traced to) the original OEP, the program has already finished its decryption.

  2. Dump memory to a file

    Once the executable has finished decrypting in memory, we dump the code and data from memory to a file, and can then analyze it further.

  3. Fix the file (most commonly the IAT)

    Some of the code and data dumped from memory differs from the original file. The IAT, for example: in memory it has been initialized to a table of function addresses, while in the file it holds the same contents as the INT. So for the program to run, the IAT usually has to be repaired, because after packing the program normally processes the import table, the IAT and the relocations itself.

In the file the IAT holds an array of RVAs, each pointing to a function name structure (IMAGE_IMPORT_BY_NAME).

In memory this RVA array has been overwritten with function addresses, each the address of the function named by the corresponding string.

So a file dumped from memory must have its IAT (or its import table) repaired.
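As an added example of what that repair step does (not ImportREC's own code, and using module bases and export addresses constructed for the example rather than real DLL layouts), the script below takes the function addresses from a dumped IAT, resolves each one back to a DLL and export name, splits the array at its zero terminators into per-DLL thunk arrays, and re-encodes one array in the file form where the INT and the IAT are identical. The names MODULES, resolve, rebuild_imports and file_thunks are mine.

```python
import struct

# Constructed loaded-module table: dll name -> (load base, image size, {export name: rva}).
# These bases and RVAs are invented for the example and do not belong to real DLLs.
MODULES = {
    "kernel32.dll": (0x7C800000, 0xF6000, {"GetProcAddress": 0x1AC7, "ExitProcess": 0x1CAF}),
    "user32.dll":   (0x77D10000, 0x90000, {"MessageBoxA": 0x407E}),
}


def resolve(va, modules):
    """Map one in-memory IAT value (a function address) back to (dll, export name)."""
    for dll, (base, size, exports) in modules.items():
        if base <= va < base + size:
            for name, rva in exports.items():
                if base + rva == va:
                    return dll, name
    return None   # not an export of any loaded module: the entry ImportREC shows as invalid


def rebuild_imports(dumped_iat, modules):
    """Split a dumped IAT at its 0 terminators into per-DLL thunk arrays and name each entry.

    Returns ([(dll, [names]), ...], [unresolved addresses]). A name of None marks an entry
    that could not be resolved; a dll of None marks a group that did not map to exactly one DLL.
    """
    descriptors, unresolved, group = [], [], []
    for va in list(dumped_iat) + [0]:
        if va:
            group.append(va)
            continue
        if group:
            hits = [resolve(a, modules) for a in group]
            unresolved += [a for a, h in zip(group, hits) if h is None]
            dlls = {h[0] for h in hits if h}
            descriptors.append((dlls.pop() if len(dlls) == 1 else None,
                                [h[1] if h else None for h in hits]))
            group = []
    return descriptors, unresolved


def file_thunks(names, names_rva):
    """Encode one DLL's thunk array as stored in the file: RVAs to hint/name entries, 0-terminated.

    The same bytes serve as the INT (OriginalFirstThunk target) and as the file IAT
    (FirstThunk target); only the in-memory IAT gets overwritten with addresses.
    """
    thunks, blob = b"", b""
    for name in names:
        thunks += struct.pack("<I", names_rva + len(blob))
        blob += struct.pack("<H", 0) + name.encode() + b"\0"     # IMAGE_IMPORT_BY_NAME: hint, name
        blob += b"\0" * (len(blob) % 2)                          # keep entries 2-byte aligned
    return thunks + struct.pack("<I", 0), blob


if __name__ == "__main__":
    # constructed dump: two kernel32 entries, terminator, one user32 entry, terminator, junk, terminator
    dumped = [0x7C801AC7, 0x7C801CAF, 0, 0x77D1407E, 0, 0x12345678, 0]
    descs, bad = rebuild_imports(dumped, MODULES)
    print(descs, [hex(a) for a in bad])
    int_bytes, name_blob = file_thunks(descs[0][1], 0x3000)
    print(int_bytes.hex(), name_blob)      # int_bytes is also what the file IAT must contain
```

The junk entry 0x12345678 lands in no module and comes back as an unresolved address, which is the case you fix by hand (or by tracing the packer's API redirection) after ImportREC has done the rest.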

Unpacking our own packer

  1. Find the original OEP

    Single-step through the stub; the original OEP is easy to find.

  2. Dump memory to a file

    Dump memory at the original OEP, because at that point the program has not done much initialization yet.

    Note:

    1. Use the dump plugin only after decryption has finished.

    2. Do not tick the plugin's "rebuild relocation table" option.

  3. Fix the IAT or the import table: use ImportREC.

Source: www.cnblogs.com/ltyandy/p/11269858.html