SDprotector Pro Edition v1.12 unpacking technical notes (Chinese/English translation); Armadillo 4.01a (Public Build) manual unpacking
004010F6   A1 F3204000      MOV EAX,DWORD PTR DS:[4020F3]



  This is a good candidate for the entry point: we see a call to GetModuleHandleA (many programs need
  the return value of that API and call it a few instructions after the OEP), and there is no API call
  of any kind before the instruction at 004010C2. In general, the first API calls after the OEP are
  things like GetVersion, GetModuleHandleA, LoadLibrary or GetCommandLineA. You may ask why the OEP
  could not be earlier. I tried, and after the IAT rebuilding that follows I could not get the dump to
  work; so the OEP is 004010C2. In other cases, when an exe is built with a high-level compiler such
  as C++, the four or five instructions at the OEP are the same for every exe produced by that
  compiler, so once you land somewhere in the code after attaching and dumping, the OEP cannot be far
  away: very few such instruction sequences exist near the landing point. Keep in mind that it is NOT
  ALWAYS necessary to land exactly on the OEP for the dump to work. The OEP is just the ideal place,
  because there all sections are intact and clean, not yet altered by self-modifying code or by
  changes made at runtime (by the exe itself or by other processes). Remove the memory breakpoint.


  Before dumping, right-click every section you see in the patched Olly (the PE header as well) and
  set Access -> Full access. This is needed because during unpacking the protector restricts the
  access to those memory regions (probably with VirtualProtect), and if we try to dump anyway the
  dumper will fail or produce a bad dump. ImpREC would also be unable to read from the process the
  memory it needs in order to fix the imports (you can check it!).
  
  Now dump the exe with OllyDump, with Import Rebuilding unchecked, and give as OEP the RVA
  (address of the OEP) - ImageBase = 004010C2 - 00400000 = 10C2. We now have the dump.

  
  For the import rebuilding we do everything without executing anything in Olly, just reading the
  code, because we cannot set any software or hardware breakpoints: the packer detects them all. That
  does not matter, because at this point the code is no longer self-modifying and the memory locations
  we need contain fixed bytes, so there is no need to run anything; Olly is used purely as a
  disassembler. Open ImpREC, enter 10C2 as the OEP, then IAT AutoSearch and Get Imports. Now press
  Show Invalid; there are many invalid entries. Select one, right-click it -> Disassemble. Where the
  address of a valid API should be, we find instead a small piece of code that computes the jump to
  that API. So all we have to do for each invalid thunk is to follow that code in the disassembler and
  see where it finally jumps, i.e. into the API. We know we have arrived in API code when the address
  of the first instruction (and of all that follow inside the API) is of the form 7XXXXXXX. A search in
  Olly's "all module names" then tells us which API starts at that address, and we can enter that
  API's name manually in the invalid thunk.

  But how do we follow all those invalid thunks? Let's look at the disassembly of one of them, e.g.
  the one at 00143B98h:


00143B98   58               POP EAX
00143B99   50               PUSH EAX
00143B9A   60               PUSHAD
00143B9B   9C               PUSHFD
00143B9C   68 02000000      PUSH 2
00143BA1   50               PUSH EAX
00143BA2   B8 32DEE44B      MOV EAX,4BE4DE32
00143BA7   50               PUSH EAX
00143BA8   B8 2C1CB9C3      MOV EAX,C3B91C2C
00143BAD   50               PUSH EAX
00143BAE   E8 BD5C3200      CALL sdprotec.00469870
00143BB3   9D               POPFD
00143BB4   61               POPAD
00143BB5   B8 2C1CB9C3      MOV EAX,C3B91C2C
00143BBA   9C               PUSHFD
00143BBB   2D 32DEE44B      SUB EAX,4BE4DE32
00143BC0   9D               POPFD
00143BC1   50               PUSH EAX
00143BC2   C3               RETN




  All the code up to 00143BB5 is junk, there to confuse the reverser. At 00143BB5 a value is moved
  into EAX, then a PUSHFD (also junk, ignore it), and at 00143BBB 4BE4DE32 is subtracted, leaving
  EAX = C3B91C2C - 4BE4DE32 = 77D43DFA. Then the junk POPFD, and PUSH EAX / RETN jumps to 77D43DFA.
  Which API is there? Look in Olly's "Search for all module names": it is TranslateMessage. So in
  ImpREC invalidate the thunk, double-click it, and pick TranslateMessage from user32.dll. Press Show
  Invalid again; good, we have one invalid fewer. This is the way to fix all the invalid thunks, so do
  the same for every one of them. There is one thunk, however, that does not end in a PUSH EAX / RETN
  jumping into an API: the thunk 468AB3. In Olly go to 468AB3 and you see this:


00468AB3   8B4424 04        MOV EAX,DWORD PTR SS:[ESP+4]
00468AB7   85C0             TEST EAX,EAX
00468AB9   7D 1D            JGE SHORT sdprotec.00468AD8
00468ABB   83F8 F5          CMP EAX,-0B
00468ABE   7E 18            JLE SHORT sdprotec.00468AD8
00468AC0   8B4C24 10        MOV ECX,DWORD PTR SS:[ESP+10]
00468AC4   8B5424 0C        MOV EDX,DWORD PTR SS:[ESP+C]
00468AC8   51               PUSH ECX
00468AC9   8B4C24 0C        MOV ECX,DWORD PTR SS:[ESP+C]
00468ACD   52               PUSH EDX
00468ACE   51               PUSH ECX
00468ACF   50               PUSH EAX
00468AD0   E8 A1F7FFFF      CALL sdprotec.00468276
00468AD5   C2 1000          RETN 10
00468AD8   8B5424 10        MOV EDX,DWORD PTR SS:[ESP+10]
00468ADC   8B4C24 0C        MOV ECX,DWORD PTR SS:[ESP+C]
00468AE0   52               PUSH EDX
00468AE1   8B5424 0C        MOV EDX,DWORD PTR SS:[ESP+C]
00468AE5   51               PUSH ECX
00468AE6   52               PUSH EDX
00468AE7   50               PUSH EAX
00468AE8   E8 BD3F0000      CALL sdprotec.0046CAAA
00468AED   C2 1000          RETN 10


  The call at 00468AE8 is the one that leads to the API (its target 0046CAAA holds the real stub);
  everything up to there is junk. So in Olly go to 0046CAAA, and we are here:

0046CAAA   E8 01000000      CALL sdprotec.0046CAB0
0046CAAF   FF58 05          CALL FAR FWORD PTR DS:[EAX+5]            ; Far call
0046CAB2   C9               LEAVE
0046CAB3   0A00             OR AL,BYTE PTR DS:[EAX]
0046CAB5   008B 008038CC    ADD BYTE PTR DS:[EBX+CC388000],CL
0046CABB   74 0A            JE SHORT sdprotec.0046CAC7
0046CABD   50               PUSH EAX
0046CABE   C3               RETN

  
  The CALL at 0046CAAA goes to 0046CAB0, one byte into the instruction Olly decoded at 0046CAAF, so
  the real instructions are hidden by the overlapping disassembly. Go to 0046CAB0 directly and you see:


0046CAB0   58               POP EAX
0046CAB1   05 C90A0000      ADD EAX,0AC9
0046CAB6   8B00             MOV EAX,DWORD PTR DS:[EAX]
0046CAB8   8038 CC          CMP BYTE PTR DS:[EAX],0CC
0046CABB   74 0A            JE SHORT sdprotec.0046CAC7
0046CABD   50               PUSH EAX
0046CABE   C3               RETN


  At 0046CABE the PUSH EAX / RETN jumps to the API we are looking for. At 0046CAB0 the POP EAX gives
  EAX = 0046CAAF, the return address pushed by the CALL at 0046CAAA; then 0AC9 is added, so EAX is now
  0046D578, and [EAX] holds the API address that fixes this thunk. The CMP BYTE PTR [EAX],0CC is a
  small trick that checks for a software breakpoint (INT3) at the API entry and branches away if it
  finds one; otherwise PUSH EAX / RETN takes us there.

  What is in [EAX]? Go to 0046D578 and you see this:


0046D578   76 64            JBE SHORT sdprotec.0046D5DE
0046D57A   D6               SALC
0046D57B  ^77 E3            JA SHORT sdprotec.0046D560
0046D57D   A6               CMPS BYTE PTR DS:[ESI],BYTE PTR ES:[EDI]
0046D57E   D4 77            AAM 77



  We are interested in the first four bytes, read in reverse (little-endian): 76 64 D6 77 gives the
  address 77D66476h. Looking it up in Olly, this is the API MessageBoxA, so I give that name to our
  last invalid thunk. Press Show Invalid: no invalids left. Now Fix Dump.
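  Both stub shapes met above (the MOV / SUB arithmetic at 00143B98 and the CALL $+1 / POP EAX / ADD /
  MOV EAX,[EAX] / INT3 check at 0046CAAA) can be resolved without running a single instruction in the
  debugger, by emulating only EAX and the stack over the bytes taken from the dump. The Python script
  below is an added example, not part of the original tutorial and not ImpREC's own logic. The stub
  bytes are copied from the listings above; the caller's return address (00401000) and the two bytes
  at the API entry (8B FF, or CC to simulate a planted software breakpoint) are constructed, because
  the dump alone does not contain them. Junk bracketed by PUSHAD / POPAD, including the call into
  protector code that was not mapped, is thrown away by treating POPAD as a snapshot restore.

```python
# Added example: statically emulate SDprotector import-thunk stubs to recover the API
# address. Stub bytes come from the listings in the text; the caller's return address
# and the bytes at the API entry are constructed, as the dump alone does not hold them.
import struct


class ThunkTrap(Exception):
    """The stub took its anti-debug branch: the byte at the API entry was 0xCC (INT3)."""


class Memory:
    """Sparse read-only view of a process dump: {address: bytes} regions."""
    def __init__(self, regions):
        self.regions = dict(regions)

    def mapped(self, addr):
        return any(b <= addr < b + len(d) for b, d in self.regions.items())

    def read(self, addr, size):
        for base, data in self.regions.items():
            if base <= addr and addr + size <= base + len(data):
                return data[addr - base:addr - base + size]
        raise KeyError(f"no bytes mapped at {addr:08X}")

    def u8(self, addr):
        return self.read(addr, 1)[0]

    def u32(self, addr):  # little-endian: the "first four bytes in reverse" at 0046D578
        return struct.unpack("<I", self.read(addr, 4))[0]


def resolve_thunk(mem, entry, caller_ret=0x00401000, max_steps=64):
    """Run the stub at `entry` to its RETN and return the address it lands on.

    Only EAX and the stack matter here. PUSHAD/POPAD is modelled as a snapshot, so junk
    between them (including calls into protector code we did not map) cannot affect the
    result. `caller_ret` is a constructed stand-in for the CALL that entered the stub."""
    eax, zf, eip = 0, False, entry
    stack, snapshots = [caller_ret], []                  # snapshots: (eax, depth) from PUSHAD
    for _ in range(max_steps):
        op = mem.u8(eip)
        if op == 0x58:                                   # POP EAX
            eax, eip = stack.pop(), eip + 1
        elif op == 0x50:                                 # PUSH EAX
            stack.append(eax); eip += 1
        elif op == 0x60:                                 # PUSHAD
            snapshots.append((eax, len(stack))); stack.append(None); eip += 1
        elif op == 0x61:                                 # POPAD: undo everything since PUSHAD
            eax, depth = snapshots.pop(); del stack[depth:]; eip += 1
        elif op == 0x9C:                                 # PUSHFD (only ZF is tracked)
            stack.append(zf); eip += 1
        elif op == 0x9D:                                 # POPFD
            top = stack.pop(); zf = top if isinstance(top, bool) else zf; eip += 1
        elif op == 0x68:                                 # PUSH imm32
            stack.append(mem.u32(eip + 1)); eip += 5
        elif op == 0xB8:                                 # MOV EAX, imm32
            eax, eip = mem.u32(eip + 1), eip + 5
        elif op == 0x05:                                 # ADD EAX, imm32
            eax, eip = (eax + mem.u32(eip + 1)) & 0xFFFFFFFF, eip + 5
        elif op == 0x2D:                                 # SUB EAX, imm32
            eax = (eax - mem.u32(eip + 1)) & 0xFFFFFFFF; zf = eax == 0; eip += 5
        elif op == 0xE8:                                 # CALL rel32
            target = (eip + 5 + struct.unpack("<i", mem.read(eip + 1, 4))[0]) & 0xFFFFFFFF
            if mem.mapped(target):                       # CALL $+1: return address reaches EAX via POP
                stack.append(eip + 5); eip = target
            else:                                        # junk call into code we did not dump
                eip += 5
        elif op == 0x8B and mem.u8(eip + 1) == 0x00:     # MOV EAX, [EAX]: load the stored API pointer
            eax, eip = mem.u32(eax), eip + 2
        elif op == 0x80 and mem.read(eip + 1, 2) == b"\x38\xCC":  # CMP BYTE PTR [EAX], 0CC
            zf = mem.u8(eax) == 0xCC; eip += 3
        elif op == 0x74:                                 # JE rel8: taken only when the INT3 check hits
            if zf:
                raise ThunkTrap(f"INT3 at {eax:08X}; the stub diverts instead of reaching the API")
            eip += 2
        elif op == 0xC3:                                 # RETN: the popped value is the real API entry
            return stack.pop()
        else:
            raise NotImplementedError(f"opcode {op:02X} at {eip:08X} not used by these stubs")
    raise RuntimeError("stub did not reach RETN")


# Bytes copied from the listings in the text.
STUB_143B98 = bytes.fromhex("58 50 60 9C 68 02000000 50 B8 32DEE44B 50 B8 2C1CB9C3 50 "
                            "E8 BD5C3200 9D 61 B8 2C1CB9C3 9C 2D 32DEE44B 9D 50 C3")
STUB_46CAAA = bytes.fromhex("E8 01000000 FF 58 05 C90A0000 8B00 8038CC 74 0A 50 C3")
PTR_46D578 = bytes.fromhex("76 64 D6 77 E3 A6 D4 77")


def dump_memory(api_entry_byte=0x8B):
    """Dump view for the example. The bytes at 77D66476 are constructed: a real entry
    holds the API's first opcode, or 0xCC if a software breakpoint was planted there."""
    return Memory({0x00143B98: STUB_143B98, 0x0046CAAA: STUB_46CAAA,
                   0x0046D578: PTR_46D578, 0x77D66476: bytes([api_entry_byte, 0xFF])})


if __name__ == "__main__":
    for entry in (0x00143B98, 0x0046CAAA):
        print(f"thunk stub {entry:08X} -> API {resolve_thunk(dump_memory(), entry):08X}")
```

  Running it gives 77D43DFA for the 00143B98 stub and 77D66476 for the 0046CAAA stub, the same
  addresses found for TranslateMessage and MessageBoxA in Olly; with CC at the API entry the second
  stub raises ThunkTrap, which is the path a planted software breakpoint would send it down. The
  emulator only knows the handful of opcodes these two stubs use, so when Show Invalid points at a
  shape it has not seen, add a handler for that opcode rather than guessing the target.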

  
  Run the fixed exe and... Yeeeaaahh!!! The latest version of the so-called SDprotector defeated!!!


  Well, this was a hard protector. It took me at least 6 hours, including writing this tutorial. This
  is one contribution to all of you who are really interested in seeing how other people think,
  including the makers of this packer...

  I can hear a voice in my mind... time to talk to it...
