Unpacking ASPack 2.12 with IAT
Unpacking ASPack 2.12 with IAT, method one
00BFD001 >60 PUSHAD
00BFD002 E8 03000000 CALL uc.00BFD00A ; press F7 (step into)
00BFD007- E9 EB045D45 JMP 461CD4F7
00BFD00A 5D POP EBP
00BFD00B 45 INC EBP ; uc.00BFD007
00BFD00C 55 PUSH EBP
00BFD00D C3 RETN
00BFD00E E8 01000000 CALL uc.00BFD014 ; F4 (run to here), then F7
00BFD014 5D POP EBP ; uc.00BFD013
00BFD015 BB EDFFFFFF MOV EBX,-13
00BFD01A 03DD ADD EBX,EBP
00BFD01C 81EB 00D07F00 SUB EBX,uc.007FD000
00BFD022 83BD 22040000 00 CMP DWORD PTR SS:[EBP+422],0
00BFD029 899D 22040000 MOV DWORD PTR SS:[EBP+422],EBX
00BFD02F /0F85 65030000 JNZ uc.00BFD39A ; jump not taken here; force it (set ZF=0) so it is taken
00BFD035 |8D85 2E040000 LEA EAX,DWORD PTR SS:[EBP+42E]
00BFD03B |50 PUSH EAX
00BFD03C |FF95 4D0F0000 CALL DWORD PTR SS:[EBP+F4D]
00BFD042 |8985 26040000 MOV DWORD PTR SS:[EBP+426],EAX
00BFD39A B8 B41F0000 MOV EAX,1FB4
00BFD39F 50 PUSH EAX
00BFD3A0 0385 22040000 ADD EAX,DWORD PTR SS:[EBP+422]
00BFD3A6 59 POP ECX
00BFD3A7 0BC9 OR ECX,ECX
00BFD3A9 8985 A8030000 MOV DWORD PTR SS:[EBP+3A8],EAX
00BFD3AF 61 POPAD ; OEP marker (PUSHAD/POPAD pair)
00BFD3B0 75 08 JNZ SHORT uc.00BFD3BA
00BFD3B2 B8 01000000 MOV EAX,1
00BFD3B7 C2 0C00 RETN 0C
00BFD3BA 68 B41F4000 PUSH uc.00401FB4
00BFD3BF C3 RETN
00401FB4 /EB 10 JMP SHORT uc.00401FC6 ; OEP, dump here directly
00401FB6 |66:623A BOUND DI,DWORD PTR DS:[EDX]
00401FB9 |43 INC EBX
00401FBA |2B2B SUB EBP,DWORD PTR DS:[EBX]
00401FBC |48 DEC EAX
00401FBD |4F DEC EDI
00401FBE |4F DEC EDI
00401FBF |4B DEC EBX
Method two: use the ESP trick (hardware breakpoint on [ESP] after PUSHAD) to reach the OEP directly
IAT start: 007C2F10- FF25 18AC9900 JMP DWORD PTR DS:[0099AC18] ; vcl60.@Consts@initialization$qqrv
IAT end: 007C6AC2- FF25 D0FF9900 JMP DWORD PTR DS:[0099FFD0] ; wininet.InternetSetOptionA
99AC18 - 400000 = 59AC18 (IAT start RVA)
99FFD0 - 400000 = 59FFD0 (IAT end RVA)
59FFD0 - 59AC18 = 53B8 (IAT size)
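The same calculation done programmatically, as an added example that is not part of the original note: the slot address of each FF25 thunk is decoded from its little-endian operand bytes, the image base 0x400000 is assumed, and the two thunk lines are the ones quoted above.

```python
# Added example (not from the original note): recover the IAT RVA and size
# from the first and last "JMP DWORD PTR [slot]" thunks, as the note does by hand.
import re
import struct

IMAGE_BASE = 0x400000  # assumed image base (the note subtracts 400000)

# Constructed input: the two thunk lines quoted in the note.
THUNKS = """
007C2F10- FF25 18AC9900 JMP DWORD PTR DS:[0099AC18] ; vcl60.@Consts@initialization$qqrv
007C6AC2- FF25 D0FF9900 JMP DWORD PTR DS:[0099FFD0] ; wininet.InternetSetOptionA
"""

# address, optional '-' marker, FF25 opcode, 4 operand bytes, then the mnemonic
THUNK_RE = re.compile(r"^([0-9A-F]{8})-?\s+FF25\s+([0-9A-F]{8})\s+JMP", re.I)


def iat_slot_from_thunk(line):
    """Decode the absolute IAT slot address from an FF25 (JMP [mem32]) thunk.
    The four bytes after FF25 are a little-endian absolute address."""
    m = THUNK_RE.match(line.strip())
    if not m:
        return None
    return struct.unpack("<I", bytes.fromhex(m.group(2)))[0]


def iat_bounds(listing, image_base=IMAGE_BASE):
    """Return start/end RVAs and size of the IAT spanned by the thunks in listing."""
    slots = [s for s in (iat_slot_from_thunk(l) for l in listing.splitlines())
             if s is not None]
    if not slots:
        raise ValueError("no FF25 thunks found")
    lo, hi = min(slots), max(slots)
    return {
        "rva": lo - image_base,            # 0x59AC18 for the note's sample
        "end_rva": hi - image_base,        # 0x59FFD0
        "size_note": hi - lo,              # end - start, the value the note writes (0x53B8)
        "size": hi - lo + 4,               # also covers the last 4-byte slot itself
    }


if __name__ == "__main__":
    for k, v in iat_bounds(THUNKS).items():
        print(f"{k}: {v:#x}")
```

When handing the range to an import reconstructor, use the size that includes the last slot; the note's 53B8 is the bare difference between the two slot addresses.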
Tutorial MD5: 65167a35f8c8c38604cfa2a1c6bda069
http://www.fs2you.com/zh-cn/files/8b3dcf11-c2b1-11dc-b638-00142218fc6e/