[求助]tElock1.0壳疑惑-付费问答-看雪-安全社区|安全招聘|kanxue.com

[旧帖] [求助]tElock1.0壳疑惑 0.00雪花

发表于: 2007-12-12 19:58 4212

[旧帖] [求助]tElock1.0壳疑惑 0.00雪花

jdjb

2007-12-12 19:58

4212

本人才书学浅对壳没有几天研究。
看到一程序用peid查壳。显示tElock 1.0 (private) -> tE! [Overlay]
od载入停在
0048809D处

0048809D >^\E9 5EDFFFFF    jmp 03_2.00486000
004880A2 0000          add byte ptr ds:[eax],al
004880A4 0012          add byte ptr ds:[edx],dl
004880A6 9E             sahf
004880A7 8E32          mov seg?,word ptr ds:[edx]             ; 不明确的段位寄存器
004880A9 E5 80          in eax,80
004880AB 0800          or byte ptr ds:[eax],al
004880AD 0000          add byte ptr ds:[eax],al
004880AF 0000          add byte ptr ds:[eax],al
004880B1 0000          add byte ptr ds:[eax],al
004880B3 0000          add byte ptr ds:[eax],al
004880B5 05 810800F5    add eax,F5000881
004880BA 8008 00       or byte ptr ds:[eax],0
004880BD ED             in eax,dx
004880BE 8008 00       or byte ptr ds:[eax],0
004880C1 0000          add byte ptr ds:[eax],al
004880C3 0000          add byte ptr ds:[eax],al
004880C5 0000          add byte ptr ds:[eax],al
004880C7 0000          add byte ptr ds:[eax],al
004880C9 1281 0800FD80 adc al,byte ptr ds:[ecx+80FD0008]
004880CF 0800          or byte ptr ds:[eax],al

按脱tElock 0.9-1.0 (private) -> tE!的方法找magic jump，找到三个.data段包含列中均无数据。直接迷茫。
然后只设置内存访问异常，每次中断查找一次特征码
pushad
sub eax,eax
inc eax
cmp dword ptr ds:[edi],0
lea edi,dword ptr ds:[edi+4]

第二次中断后查到特征码段

004876FC 60             pushad
004876FD 33C9          xor ecx,ecx
004876FF 2AF6          sub dh,dh
00487701 8A13          mov dl,byte ptr ds:[ebx]
00487703 F6C2 40       test dl,40
00487706 74 03          je short 03_2.0048770B
00487708 80E2 5F       and dl,5F
0048770B 0AD2          or dl,dl
0048770D 74 1E          je short 03_2.0048772D    \magic jump 1
0048770F 43             inc ebx
00487710 FEC6          inc dh
00487712 41             inc ecx
00487713 3A5408 FF    cmp dl,byte ptr ds:[eax+ecx-1]
00487717  ^ 74 E8          je short 03_2.00487701
00487719 3A5408 08    cmp dl,byte ptr ds:[eax+ecx+8]
0048771D  ^ 74 E2          je short 03_2.00487701
0048771F 3A5408 12    cmp dl,byte ptr ds:[eax+ecx+12]
00487723  ^ 74 DC          je short 03_2.00487701
00487725 3A5408 1D    cmp dl,byte ptr ds:[eax+ecx+1D]
00487729  ^ 74 D6          je short 03_2.00487701
0048772B  ^ EB D0          jmp short 03_2.004876FD
0048772D 0AF6          or dh,dh
0048772F 895424 1C    mov dword ptr ss:[esp+1C],edx
00487733 61             popad
00487734 C685 FD2F4000 0>mov byte ptr ss:[ebp+402FFD],0
0048773B 74 24          je short 03_2.00487761          \* magic jump 2
0048773D 80EC 08       sub ah,8
00487740 B0 01          mov al,1
00487742 FECC          dec ah
00487744 74 04          je short 03_2.0048774A
00487746 D0E0          shl al,1
00487748  ^ EB F8          jmp short 03_2.00487742
0048774A 8AA5 BE2E4000 mov ah,byte ptr ss:[ebp+402EBE]
00487750 0885 BE2E4000 or byte ptr ss:[ebp+402EBE],al
00487756 84C4          test ah,al
00487758 75 07          jnz short 03_2.00487761
0048775A 808D FD2F4000 0>or byte ptr ss:[ebp+402FFD],1
00487761 33C0          xor eax,eax
00487763 8803          mov byte ptr ds:[ebx],al
00487765 43             inc ebx
00487766 3803          cmp byte ptr ds:[ebx],al
00487768  ^ 75 F7          jnz short 03_2.00487761
0048776A 83A5 4F374000 0>and dword ptr ss:[ebp+40374F],0
00487771 8B95 63374000 mov edx,dword ptr ss:[ebp+403763]
00487777 8B06          mov eax,dword ptr ds:[esi]
00487779 85C0          test eax,eax
0048777B 75 0C          jnz short 03_2.00487789
0048777D FF76 10       push dword ptr ds:[esi+10]
00487780 58             pop eax
00487781 85C0          test eax,eax
00487783  ^ 0F84 28FFFFFF je 03_2.004876B1
00487789 35 89674523    xor eax,23456789
0048778E E8 40FFFFFF    call 03_2.004876D3
00487793 03C2          add eax,edx
00487795 0385 4F374000 add eax,dword ptr ss:[ebp+40374F]
0048779B 8B18          mov ebx,dword ptr ds:[eax]
0048779D 85DB          test ebx,ebx
0048779F 74 1F          je short 03_2.004877C0
004877A1 81F3 9A785634 xor ebx,3456789A
004877A7 50             push eax
004877A8 8BC3          mov eax,ebx
004877AA E8 24FFFFFF    call 03_2.004876D3
004877AF 8BD8          mov ebx,eax
004877B1 58             pop eax
004877B2 F7C3 00000080 test ebx,80000000
004877B8 74 06          je short 03_2.004877C0
004877BA 8120 00000080 and dword ptr ds:[eax],80000000
004877C0 FF76 10       push dword ptr ds:[esi+10]
004877C3 5F             pop edi
004877C4 85FF          test edi,edi
004877C6 74 11          je short 03_2.004877D9
004877C8 81F7 89674523 xor edi,23456789
004877CE 50             push eax
004877CF 8BC7          mov eax,edi
004877D1 E8 FDFEFFFF    call 03_2.004876D3
004877D6 8BF8          mov edi,eax
004877D8 58             pop eax
004877D9 03FA          add edi,edx
004877DB 03BD 4F374000 add edi,dword ptr ss:[ebp+40374F]
004877E1 8B85 53384000 mov eax,dword ptr ss:[ebp+403853]
004877E7 40             inc eax
004877E8 48             dec eax
004877E9 75 36          jnz short 03_2.00487821
004877EB 60             pushad                         \*特征码段
004877EC 2BC0          sub eax,eax
004877EE 40             inc eax
004877EF 833F 00       cmp dword ptr ds:[edi],0
004877F2 8D7F 04       lea edi,dword ptr ds:[edi+4]  \*特征码段
004877F5  ^ 75 F7          jnz short 03_2.004877EE
004877F7 48             dec eax

按两个教程中设置 magic jump的方法在magic jump 1处和magic jump 2处两次分别修改为jmp 然后设置内存断点00401000 取消只设置内存访问异常。shift+f9运行。
两次运行均断在004870c1处。
以下代码均为红色
00487036 396B 64       cmp dword ptr ds:[ebx+64],ebp
00487039 3378 5A       xor edi,dword ptr ds:[eax+5A]
0048703C 5A             pop edx
0048703D 50             push eax
0048703E 57             push edi
0048703F 008D B5032640 add byte ptr ss:[ebp+402603B5],cl
00487045 008D 7E10578A add byte ptr ss:[ebp+8A57107E],cl
0048704B C3             retn
0048704C 24 0F          and al,0F
0048704E 8A0406       mov al,byte ptr ds:[esi+eax]
00487051 AA             stos byte ptr es:[edi]
00487052 C1EB 04       shr ebx,4
00487055  ^ E2 F3          loopd short 03_2.0048704A
00487057 58             pop eax
00487058 50             push eax
00487059 6A 01          push 1
0048705B 51             push ecx
0048705C FF95 821C4000 call dword ptr ss:[ebp+401C82]
00487062 8770 48       xchg dword ptr ds:[eax+48],esi
00487065 00E8          add al,ch
00487067 04 01          add al,1
00487069 0000          add byte ptr ds:[eax],al
0048706B 8BB5 7F374000 mov esi,dword ptr ss:[ebp+40377F]
00487071 8BFD          mov edi,ebp
00487073 8D85 3E264000 lea eax,dword ptr ss:[ebp+40263E]
00487079 E8 00000000    call 03_2.0048707E
0048707E 5B             pop ebx
0048707F 81C3 09000000 add ebx,9
00487085 8918          mov dword ptr ds:[eax],ebx
00487087 8B9D 63374000 mov ebx,dword ptr ss:[ebp+403763]
0048708D 8B87 87374000 mov eax,dword ptr ds:[edi+403787]
00487093 03D8          add ebx,eax
00487095 8B8F 8B374000 mov ecx,dword ptr ds:[edi+40378B]
0048709B 81E1 FFFFFF7F and ecx,7FFFFFFF
004870A1 75 08          jnz short 03_2.004870AB
004870A3 8D85 81294000 lea eax,dword ptr ss:[ebp+402981]
004870A9 FFE0          jmp eax
004870AB 60             pushad
004870AC 8BF3          mov esi,ebx
004870AE BA 936477A6    mov edx,A6776493
004870B3 8BFE          mov edi,esi
004870B5 0FB6DE       movzx ebx,dh
004870B8 EB 01          jmp short 03_2.004870BB
004870BA EB 69          jmp short 03_2.00487125
004870BC DB             ???                                     ; 未知命令
004870BD  ^ 73 FA          jnb short 03_2.004870B9
004870BF 73 6A          jnb short 03_2.0048712B
004870C1 AC             lods byte ptr ds:[esi]       \*  停在此处
004870C2 F6D8          neg al
004870C4 0AD2          or dl,dl
004870C6 32C3          xor al,bl
004870C8 02C1          add al,cl
004870CA F6D0          not al
004870CC F6D8          neg al
004870CE 8D12          lea edx,dword ptr ds:[edx]
004870D0 85C0          test eax,eax
004870D2 8BC0          mov eax,eax
004870D4 8D12          lea edx,dword ptr ds:[edx]
004870D6 02C1          add al,cl
004870D8 F6D8          neg al
004870DA 34 FF          xor al,0FF
004870DC 0BF6          or esi,esi
004870DE 04 DB          add al,0DB
004870E0 04 BF          add al,0BF
004870E2 D2C8          ror al,cl
004870E4 8BC0          mov eax,eax
004870E6 04 77          add al,77
004870E8 0BF6          or esi,esi
004870EA 8D09          lea ecx,dword ptr ds:[ecx]
004870EC 04 01          add al,1
004870EE 85D2          test edx,edx
004870F0 85D2          test edx,edx
004870F2 02C2          add al,dl
004870F4 02C1          add al,cl
004870F6 34 83          xor al,83
004870F8 D2C8          ror al,cl
004870FA F6D8          neg al
004870FC 02C2          add al,dl
004870FE 04 01          add al,1
00487100 02C1          add al,cl
00487102 0AC9          or cl,cl
00487104 0ADB          or bl,bl
00487106 8D1B          lea ebx,dword ptr ds:[ebx]
00487108 F6D0          not al
0048710A 85C9          test ecx,ecx
0048710C D2C8          ror al,cl
0048710E 85FF          test edi,edi
00487110 02C1          add al,cl
00487112 02C1          add al,cl
00487114 04 FD          add al,0FD
00487116 04 01          add al,1
00487118 34 FF          xor al,0FF
0048711A 04 37          add al,37
0048711C F6D8          neg al
0048711E F6D0          not al
00487120 02C1          add al,cl
00487122 04 41          add al,41
00487124 D2C8          ror al,cl
00487126 F6D0          not al
00487128 8AD2          mov dl,dl
0048712A F6D0          not al
0048712C 8D1B          lea ebx,dword ptr ds:[ebx]
0048712E D2C8          ror al,cl
00487130 F6D0          not al
00487132 F6D8          neg al
00487134 02C2          add al,dl
00487136 02C2          add al,dl
00487138 90             nop
00487139 90             nop
0048713A 90             nop
0048713B 90             nop
0048713C 90             nop
0048713D 90             nop
0048713E 90             nop
0048713F 90             nop
00487140 90             nop
00487141 90             nop
00487142 90             nop
00487143 90             nop
00487144 32C2          xor al,dl
00487146 C0C8 05       ror al,5
00487149 AA             stos byte ptr es:[edi]
0048714A 69D2 A5B0CD4B imul edx,edx,4BCDB0A5
00487150 F9             stc
00487151 72 02          jb short 03_2.00487155
00487153 CD20 D1C269DB vxdjump DB69C2D1
00487159 70 1F          jo short 03_2.0048717A
0048715B EE             out dx,al
0048715C 6A 03          push 3
0048715E DA49 0F       fimul dword ptr ds:[ecx+F]
00487161 8F             ???                                     ; 未知命令
00487162 5B             pop ebx
00487163 FFFF          ???                                     ; 未知命令
00487165 FF8D 85452940 dec dword ptr ss:[ebp+40294585]
0048716B 00FF          add bh,bh
0048716D  ^ E0 85          loopdne short 03_2.004870F4

寄存器值为
EAX 00001000
ECX 00034A00
EDX A6776493
EBX 954DD4EC
ESP 0012FF84
EBP 00084A24
ESI 00401000 03_2.00401000
EDI 00401000 03_2.00401000
EIP 004870C1 03_2.004870C1
C 1  ES 0023 32bit 0(FFFFFFFF)
P 0  CS 001B 32bit 0(FFFFFFFF)
A 0  SS 0023 32bit 0(FFFFFFFF)
Z 0  DS 0023 32bit 0(FFFFFFFF)
S 1  FS 003B 32bit 7FFDF000(FFF)
T 0  GS 0000 NULL
D 0
O 1  LastErr ERROR_SUCCESS (00000000)
EFL 00010A83 (O,B,NE,BE,S,PO,GE,G)
ST0 empty -1.5900332977481782700e+1680
ST1 empty 0.0000000000000000040e-4933
ST2 empty -7.8436800480030092670e+3223
ST3 empty -UNORM A020 00000017 E3894080
ST4 empty 5.6552586889569112830e-4925
ST5 empty -2.6459405880297034400e+3498
ST6 empty -UNORM EBC0 00010101 E3894138
ST7 empty 2.8507755058840809250e-3652
            3 2 1 0    E S P U O Z D I
FST 0000  Cond 0 0 0 0  Err 0 0 0 0 0 0 0 0  (GT)
FCW 027F  Prec NEAR,53  掩码 1 1 1 1 1 1

到此处不知方向了。。。我猜测这段代码是tElock释放出来的代码但是汇编水平太低。没搞明白它在说什么。
哪位大侠指点一二？？

[培训]内核驱动高级班，冲击BAT一流互联网大厂工作，每周日13:00-18:00直播授课

收藏・0

免费・0

支持

最新回复 (1)
jdjb 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 3 回帖 11 粉丝 0 关注私信	jdjb 2 楼哪位高手告诉我这段程序大概是做什么的吧昨天又研究半天无果 2007-12-13 09:04 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

jdjb

发帖

回帖

RANK

关注

私信

他的文章

关于我们

联系我们

企业服务

看雪公众号

最新回复 (1)
jdjb 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 3 回帖 11 粉丝 0 关注私信	jdjb 2 楼哪位高手告诉我这段程序大概是做什么的吧昨天又研究半天无果 2007-12-13 09:04 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复