用OllyDbg手脱RLPack V1.17加壳的DLL
番茄系统家园 · 2022-03-14 04:15:39
一.OEP
通常压缩壳加壳的DLL找OEP是比较简单的
DLL卸载时会再次从EP处运行,几个跳转后就会到OEP了
0094BEA0  807C24 08 01   cmp byte ptr ss:[esp+8],1
//进入OllyDBG后暂停在EP
0094BEA5  0F85 7E010000  jnz 0094C029
//这里在DLL卸载时会跳转,就是去OEP的捷径了
0094C029  E9 BE3AFAFF    jmp 008EFAEC
//这里就是跳OEP了
_________
二.输入表
RLPack V1.1X Full Edition加壳exe文件会加密某些输入表,而加壳DLL则很少加密输入表的
BP GetProcAddress
Shift+F9,中断后取消断点,Alt+F9返回
0094BF57  56             push esi
0094BF58  FF95 E3090000  call near dword ptr ss:[ebp+9E3] ; kernel32.LoadLibraryA
0094BF5E  8985 4E0A0000  mov dword ptr ss:[ebp+A4E],eax
0094BF64  85C0           test eax,eax
0094BF66  0F84 C2000000  je 0094C02E
0094BF6C  8BC6           mov eax,esi
0094BF6E  EB 5F          jmp short 0094BFCF
0094BF70  8B85 520A0000  mov eax,dword ptr ss:[ebp+A52]
0094BF76  8B00           mov eax,dword ptr ds:[eax]
0094BF78  A9 00000080    test eax,80000000
0094BF7D  74 14          je short 0094BF93
0094BF7F  35 00000080    xor eax,80000000
0094BF84  50             push eax
0094BF85  8B85 520A0000  mov eax,dword ptr ss:[ebp+A52]
0094BF8B  C700 20202000  mov dword ptr ds:[eax],202020 ; UNICODE " Hercegovina"
0094BF91  EB 06          jmp short 0094BF99
0094BF93  FFB5 520A0000  push dword ptr ss:[ebp+A52]
0094BF99  FFB5 4E0A0000  push dword ptr ss:[ebp+A4E]
0094BF9F  FF95 E7090000  call near dword ptr ss:[ebp+9E7] ; kernel32.GetProcAddress
0094BFA5  85C0           test eax,eax
//返回这里
0094BFA7  0F84 81000000  je 0094C02E
0094BFAD  8907           mov dword ptr ds:[edi],eax ; ntdll.RtlDeleteCriticalSection
//填充系统函数地址
//EDI=008F3154 注意观察这个地址
0094BFAF  83C7 04        add edi,4
0094BFB2  8B85 520A0000  mov eax,dword ptr ss:[ebp+A52]
0094BFB8  EB 01          jmp short 0094BFBB
0094BFBA  40             inc eax
0094BFBB  8038 00        cmp byte ptr ds:[eax],0
0094BFBE  75 FA          jnz short 0094BFBA
0094BFC0  40             inc eax
0094BFC1  8985 520A0000  mov dword ptr ss:[ebp+A52],eax
0094BFC7  66:8178 02 0080  cmp word ptr ds:[eax+2],8000
0094BFCD  74 A1          je short 0094BF70
0094BFCF  8038 00        cmp byte ptr ds:[eax],0
0094BFD2  75 9C          jnz short 0094BF70
0094BFD4  EB 01          jmp short 0094BFD7
0094BFD6  46             inc esi
0094BFD7  803E 00        cmp byte ptr ds:[esi],0
0094BFDA  75 FA          jnz short 0094BFD6
0094BFDC  46             inc esi
0094BFDD  40             inc eax
0094BFDE  8B38           mov edi,dword ptr ds:[eax]
0094BFE0  E8 4B000000    call 0094C030
0094BFE5  83C0 04        add eax,4
0094BFE8  8985 520A0000  mov dword ptr ss:[ebp+A52],eax
0094BFEE  803E 01        cmp byte ptr ds:[esi],1
0094BFF1  0F85 60FFFFFF  jnz 0094BF57
//循环处理输入表:外层按DLL名LoadLibraryA,内层逐个函数名GetProcAddress并把地址写入EDI指向的IAT
现在来手动确定输入表的RVA和Size
在左下角的数据窗口Ctrl+G:008F3154,点右键->Long->Address
008F3150  00000000
008F3154  7C93188A  ntdll.RtlDeleteCriticalSection
008F3158  7C9210ED  ntdll.RtlLeaveCriticalSection
……
008F37E0  7D610EC0  shell32.ShellExecuteA
008F37E4  00000000
008F37E8  76337CD8
008F37EC  7632311E
008F37F0  00000000
输入表开始RVA=008F3154-00870000=00083154
输入表Size=008F37F0-008F3154=0000069C
三.重定位表
其实写这篇教程的价值就在于这部分了
经过跟踪发现RLPack没有加密重定位表,这就为我们脱壳减少了麻烦
0094BFF7  68 00400000    push 4000
0094BFFC  68 54180000    push 1854
0094C001  FFB5 560A0000  push dword ptr ss:[ebp+A56]
0094C007  FF95 EF090000  call near dword ptr ss:[ebp+9EF] ; kernel32.VirtualFree
0094C00D  68 00400000    push 4000
0094C012  68 00200C00    push 0C2000
0094C017  FFB5 3A0A0000  push dword ptr ss:[ebp+A3A]
0094C01D  FF95 EF090000  call near dword ptr ss:[ebp+9EF] ; kernel32.VirtualFree
//清理战场了
0094C023  E8 55000000    call 0094C07D
//重定位处理
0094C07D  60             pushad
0094C07E  8BB5 460A0000  mov esi,dword ptr ss:[ebp+A46]
//[ebp+A46]=00087000 重定位表RVA★
0094C084  0BF6           or esi,esi
0094C086  74 67          je short 0094C0EF
0094C088  8BBD 3E0A0000  mov edi,dword ptr ss:[ebp+A3E]
//[ebp+A3E]=00400000 文件基址
0094C08E  8B4424 48      mov eax,dword ptr ss:[esp+48]
//[esp+48]=00870000 映像基址
0094C092  8985 420A0000  mov dword ptr ss:[ebp+A42],eax
0094C098  3BC7           cmp eax,edi
//比较是否相同
0094C09A  74 53          je short 0094C0EF
//不同不跳就需要重定位处理了
//注意:此时程序没有重定位,可以现在Dump,这样脱壳后就不需要修改dump文件基址了★
0094C09C  03F0           add esi,eax
//ESI=00087000+00870000=008F7000 重定位表VA
0094C09E  EB 4A          jmp short 0094C0EA
0094C0A0  8B16           mov edx,dword ptr ds:[esi]
0094C0A2  8B46 04        mov eax,dword ptr ds:[esi+4]
0094C0A5  8985 4A0A0000  mov dword ptr ss:[ebp+A4A],eax
0094C0AB  01B5 4A0A0000  add dword ptr ss:[ebp+A4A],esi
0094C0B1  83C6 08        add esi,8
0094C0B4  EB 2C          jmp short 0094C0E2
0094C0B6  0FB706         movzx eax,word ptr ds:[esi]
0094C0B9  8BD8           mov ebx,eax
0094C0BB  C1EB 0C        shr ebx,0C
0094C0BE  8BCB           mov ecx,ebx
0094C0C0  69DB 00100000  imul ebx,ebx,1000
0094C0C6  2BC3           sub eax,ebx
0094C0C8  03C2           add eax,edx
0094C0CA  0385 420A0000  add eax,dword ptr ss:[ebp+A42]
0094C0D0  83F9 03        cmp ecx,3
0094C0D3  75 0A          jnz short 0094C0DF
0094C0D5  2938           sub dword ptr ds:[eax],edi
0094C0D7  8B8D 420A0000  mov ecx,dword ptr ss:[ebp+A42]
0094C0DD  0108           add dword ptr ds:[eax],ecx
0094C0DF  83C6 02        add esi,2
0094C0E2  3BB5 4A0A0000  cmp esi,dword ptr ss:[ebp+A4A]
0094C0E8  72 CC          jb short 0094C0B6
0094C0EA  833E 00        cmp dword ptr ds:[esi],0
0094C0ED  75 B1          jnz short 0094C0A0
//循环重定位处理:每个块头为页RVA(EDX)+块大小,每项高4位为类型、低12位为页内偏移;只处理类型3(HIGHLOW)的项,先减去文件基址EDI再加上映像基址[ebp+A42]
0094C0EF  61             popad
//处理完后ESI=009000F8
//Relocation Table Size=009000F8-008F7000=000090F8★
0094C0F0  C3             retn
_________
四.完成脱壳
0094C028  61             popad
0094C029  E9 BE3AFAFF    jmp 008EFAEC
//飞向光明之巅
0094C02E  61             popad
0094C02F  C3             retn
008EFAEC  55             push ebp
//OEP RVA=008EFAEC-00870000=0007FAEC
008EFAED  8BEC           mov ebp,esp
008EFAEF  83C4 C4        add esp,-3C
008EFAF2  B8 04F98E00    mov eax,008EF904
008EFAF7  E8 CC6DF8FF    call 008768C8
008EFAFC  33C0           xor eax,eax
008EFAFE  A3 442C8F00    mov dword ptr ds:[8F2C44],eax
008EFB03  E8 DC4BF8FF    call 008746E4
运行ImportREC,由于此DLL加载后已经进行重定位处理(内存中的IAT指针已按映像基址修正),所以去掉“Use PE Header From Disk”选项
选择OllyDbg的loaddll.exe进程,Pick DLL选择iBox.dll
填入OEP RVA=0007FAEC,输入表RVA=00083154,输入表Size=0000069C,Get Imports
可以新增区段修复,也可以把输入表放在程序无用的空白处。
使用LordPE修改dumped_.dll的Relocation Table RVA=00087000,Relocation Table Size=000090F8
附件中iBox.UnPacKed.dll只是简单优化,如果想优化的完美点那就要多费时间了。
脱壳完成
