Supporting this. I downloaded it yesterday and unpacked it, but after fixing it would not run, no response.
Maybe the animation is technically not complete enough.
Redid it today and it worked.
Thanks!!
But what about an FSG 2.0 packed target that has a self-check??

[ This post was last edited by 微微虫 on 2006-6-22 19:02 ]

This one is not easy to fix, let's see how the boss does it~~

Hehe, replying first, then downloading.

Thanks for sharing.

The right-click menu that pops up in the boss's OD is different from mine; that "hit" item or whatever, my OD does not have it. Could the boss explain in more detail why the RVA and SIZE are found that way, why they are found there rather than somewhere else, and what that right-click item means? The animation is too fast, I can't quite follow it.

The forum is really fast now, is it free hosting?

Originally posted by 快雪时晴 on 2006-7-3 10:38:
The forum is really fast now, is it free hosting?

No, it was donated by a friend of our forum to support 飘云阁.
My unpacking notes, detailed + simple

Unpacking an FSG 2.0 packed notepad.exe: ALT+M, set a memory-write breakpoint on the CODE section, F9, trace a few steps and find it writing memory at 1001000, and arrive here:
010001BC F3:A4      rep movs byte ptr es:[edi], byte ptr [esi]
010001BE 5E         pop esi
010001BF ^EB 9F     jmp short 01000160
010001C1 5E         pop esi
010001C2 AD         lods dword ptr [esi]
010001C3 97         xchg eax, edi
010001C4 AD         lods dword ptr [esi]
010001C5 50         push eax                ; next DLL
010001C6 FF53 10    call [ebx+10]           ; ds:[...]=77E80221 (KERNEL32.LoadLibraryA)
010001C9 95         xchg eax, ebp
010001CA 8B07       mov eax, [edi]
010001CC 40         inc eax
010001CD ^78 F3     js short 010001C2
010001CF 75 03      jnz short 010001D4
010001D1 FF63 0C    jmp [ebx+0C]            ; only here can it leave the loop, set a breakpoint
010001D4 50         push eax
010001D5 55         push ebp
010001D6 FF53 14    call [ebx+14]           ; ds:[...]=77E80CAB (KERNEL32.GetProcAddress)
010001D9 AB         stos dword ptr es:[edi]
010001DA ^EB EE     jmp short 010001CA
From "010001D1 FF63 0C jmp [ebx+0C]" we jump out and land at 0100739D.
Select all the code from address 0100739D onward, right-click -> Analysis -> treat as command:
0100739D 6A 70       push 70
0100739F 68 9818>    push 01001898
010073A4 E8 BF01>    call 01007568
010073A9 33DB        xor ebx, ebx
010073AB 53          push ebx
010073AC 8B3D CC>    mov edi, [10010CC]      ; KERNEL32.GetModuleHandleA
010073B2 FFD7        call edi
At this point all DLLs and APIs have been resolved. ALT+M again, CTRL+G 01001000, right-click -> Long -> Address,
and a tidy IAT appears. OFFSET=01001000 SIZE=344
01001000  796F4ABA  ADVAPI32.RegQueryValueExW
01001004  796F45B2  ADVAPI32.RegCloseKey
01001008  796E9954  ADVAPI32.RegCreateKeyW
0100100C  796E83F1  ADVAPI32.IsTextUnicode
01001010  796EF5E6  ADVAPI32.RegQueryValueExA
01001014  796EF4C0  ADVAPI32.RegOpenKeyExA
01001018  796EE5CB  ADVAPI32.RegSetValueExW
0100101C  7FFFFFFF
01001020  717514D8  COMCTL32.CreateStatusWindowW
01001024  7FFFFFFF
01001028  77F608BF  GDI32.EndPage
0100102C  77F60A90  GDI32.AbortDoc
01001030  77F609C0  GDI32.EndDoc
01001034  77F44B1E  GDI32.DeleteDC
01001038  77F608DB  GDI32.StartPage
0100103C  77F528FA  GDI32.GetTextExtentPoint32W
01001040  77F5296F  GDI32.CreateDCW
01001044  77F611A4  GDI32.SetAbortProc
01001048  77F4DA75  GDI32.GetTextFaceW
0100104C  77F43209  GDI32.TextOutW
01001050  77F60CB8  GDI32.StartDocW
01001054  77F56CFE  GDI32.EnumFontsW
01001058  77F458BF  GDI32.GetStockObject
0100105C  77F46EA7  GDI32.GetObjectW
01001060  77F44DA1  GDI32.GetDeviceCaps
01001064  77F4356F  GDI32.CreateFontIndirectW
01001068  77F42EC7  GDI32.DeleteObject
0100106C  77F47BE8  GDI32.GetTextMetricsW
01001070  77F4243E  GDI32.SetBkMode
01001074  77F47E12  GDI32.LPtoDP
01001078  77F47096  GDI32.SetWindowExtEx
0100107C  77F48972  GDI32.SetViewportExtEx
01001080  77F46486  GDI32.SetMapMode
01001084  77F41D10  GDI32.SelectObject
01001088  7FFFFFFF
0100108C  77E8BB4F  KERNEL32.GetCurrentThreadId
01001090  77E6EDD2  KERNEL32.GetTickCount
01001094  77E845D7  KERNEL32.QueryPerformanceCounter
01001098  77E6EC16  KERNEL32.GetLocalTime
0100109C  77EA10A3  KERNEL32.GetUserDefaultLCID
010010A0  77EABF09  KERNEL32.GetDateFormatW
010010A4  77EABD7F  KERNEL32.GetTimeFormatW
010010A8  77E7E08F  KERNEL32.GlobalLock
010010AC  77E7E237  KERNEL32.GlobalUnlock
010010B0  77E76792  KERNEL32.GetFileInformationByHandle
010010B4  77E76F47  KERNEL32.CreateFileMappingW
010010B8  77E6ED16  KERNEL32.GetSystemTimeAsFileTime
010010BC  77E86A51  KERNEL32.TerminateProcess
010010C0  77E87909  KERNEL32.GetCurrentProcess
010010C4  77E8BC45  KERNEL32.SetUnhandledExceptionFilter
010010C8  77E80221  KERNEL32.LoadLibraryA
010010CC  77E80B1A  KERNEL32.GetModuleHandleA
010010D0  77E86B5E  KERNEL32.GetStartupInfoA
010010D4  77E7E533  KERNEL32.GlobalFree
010010D8  77EA1245  KERNEL32.GetLocaleInfoW
010010DC  77E692B8  KERNEL32.LocalFree
010010E0  77E69129  KERNEL32.LocalAlloc
010010E4  77E7F462  KERNEL32.lstrlenW
010010E8  77E69547  KERNEL32.LocalUnlock
010010EC  77E69802  KERNEL32.CompareStringW
010010F0  77E69625  KERNEL32.LocalLock
010010F4  77EA5690  KERNEL32.FoldStringW
010010F8  77E67E6D  KERNEL32.CloseHandle
010010FC  77E6AB2C  KERNEL32.lstrcpyW
01001100  77E761B4  KERNEL32.ReadFile
01001104  77E7C229  KERNEL32.CreateFileW
01001108  77E6B2D1  KERNEL32.lstrcmpiW
0100110C  77E8790D  KERNEL32.GetCurrentProcessId
01001110  77E80CAB  KERNEL32.GetProcAddress
01001114  77E86E45  KERNEL32.GetCommandLineW
01001118  77E7F407  KERNEL32.lstrcatW
0100111C  77E758BE  KERNEL32.FindClose
01001120  77E75615  KERNEL32.FindFirstFileW
01001124  77E7741C  KERNEL32.GetFileAttributesW
01001128  77E6AAC8  KERNEL32.lstrcmpW
0100112C  77E6B5E0  KERNEL32.MulDiv
01001130  77E7F377  KERNEL32.lstrcpynW
01001134  77E7F4BF  KERNEL32.LocalSize
01001138  77E68265  KERNEL32.GetLastError
0100113C  77E7639C  KERNEL32.WriteFile
01001140  77E68252  KERNEL32.SetLastError
01001144  77EA906F  KERNEL32.WideCharToMultiByte
01001148  77E6A302  KERNEL32.LocalReAlloc
0100114C  77E7FDE2  KERNEL32.FormatMessageW
01001150  77EA106B  KERNEL32.GetUserDefaultUILanguage
01001154  77E76502  KERNEL32.SetEndOfFile
01001158  77E775F7  KERNEL32.DeleteFileW
0100115C  77EA811A  KERNEL32.GetACP
01001160  77E77279  KERNEL32.UnmapViewOfFile
01001164  77EA87E2  KERNEL32.MultiByteToWideChar
01001168  77E771A8  KERNEL32.MapViewOfFile
0100116C  77E8BD28  KERNEL32.UnhandledExceptionFilter
01001170  7FFFFFFF
01001174  790044BB  SHELL32.DragFinish
01001178  78FC610D  SHELL32.DragQueryFileW
0100117C  78FD0C0C  SHELL32.DragAcceptFiles
01001180  78FD13FC  SHELL32.ShellAboutW
01001184  7FFFFFFF
01001188  77E1C62B  USER32.GetClientRect
0100118C  77E1C1E3  USER32.SetCursor
01001190  77E1AAC7  USER32.ReleaseDC
01001194  77E1AAB4  USER32.GetDC
01001198  77E09187  USER32.DialogBoxParamW
0100119C  77E189A3  USER32.SetActiveWindow
010011A0  77E00DC9  USER32.GetKeyboardLayout
010011A4  77E1C133  USER32.DefWindowProcW
010011A8  77E13F1D  USER32.DestroyWindow
010011AC  77DFF38E  USER32.MessageBeep
010011B0  77E19E55  USER32.ShowWindow
010011B4  77E124E8  USER32.GetForegroundWindow
010011B8  77E1B4E2  USER32.IsIconic
010011BC  77E1B44B  USER32.GetWindowPlacement
010011C0  77E04A62  USER32.CharUpperW
010011C4  77E1B552  USER32.LoadStringW
010011C8  77E0F8EE  USER32.LoadAcceleratorsW
010011CC  77E116BD  USER32.GetSystemMenu
010011D0  77E02787  USER32.RegisterClassExW
010011D4  77E09659  USER32.LoadImageW
010011D8  77E22985  USER32.LoadCursorW
010011DC  77E00054  USER32.SetWindowPlacement
010011E0  77E123C2  USER32.CreateWindowExW
010011E4  77E0C063  USER32.GetDesktopWindow
010011E8  77E1BB82  USER32.GetFocus
010011EC  77E084D6  USER32.LoadIconW
010011F0  77E1B9CA  USER32.SetWindowTextW
010011F4  77E0806A  USER32.PostQuitMessage
010011F8  77E0B350  USER32.RegisterWindowMessageW
010011FC  77E1B1D2  USER32.UpdateWindow
01001200  77E080B8  USER32.SetScrollPos
01001204  77E1332E  USER32.CharLowerW
01001208  77E1C53F  USER32.PeekMessageW
0100120C  77E195AC  USER32.EnableWindow
01001210  77E1AA4B  USER32.DrawTextExW
01001214  77E09F33  USER32.CreateDialogParamW
01001218  77E16176  USER32.GetWindowTextW
0100121C  77E13277  USER32.GetSystemMetrics
01001220  77E0D262  USER32.MoveWindow
01001224  77E1B395  USER32.InvalidateRect
01001228  77E05C1C  USER32.WinHelpW
0100122C  77E1BE2F  USER32.GetDlgCtrlID
01001230  77E0596E  USER32.ChildWindowFromPoint
01001234  77E1CD38  USER32.ScreenToClient
01001238  77E1C797  USER32.GetCursorPos
0100123C  77E0F16B  USER32.SendDlgItemMessageW
01001240  77E1B7C8  USER32.SendMessageW
01001244  77E13EBD  USER32.CharNextW
01001248  77E0A495  USER32.CheckMenuItem
0100124C  77E009BB  USER32.CloseClipboard
01001250  77E0025D  USER32.IsClipboardFormatAvailable
01001254  77E009CC  USER32.OpenClipboard
01001258  77E0A5DC  USER32.GetMenuState
0100125C  77E0A3D8  USER32.EnableMenuItem
01001260  77E115B1  USER32.GetSubMenu
01001264  77E0A44F  USER32.GetMenu
01001268  77DFB70F  USER32.MessageBoxW
0100126C  77E1266A  USER32.SetWindowLongW
01001270  77E21760  USER32.GetWindowLongW
01001274  77E139AB  USER32.GetDlgItem
01001278  77E13AC0  USER32.SetFocus
0100127C  77E0A2A1  USER32.SetDlgItemTextW
01001280  77E1A0A0  USER32.wsprintfW
01001284  77E0F239  USER32.GetDlgItemTextW
01001288  77E16BC5  USER32.EndDialog
0100128C  77E19794  USER32.GetParent
01001290  77DFFECF  USER32.UnhookWinEvent
01001294  77E21E73  USER32.DispatchMessageW
01001298  77E21E49  USER32.TranslateMessage
0100129C  77E1BF08  USER32.TranslateAcceleratorW
010012A0  77E129CA  USER32.IsDialogMessageW
010012A4  77E23415  USER32.PostMessageW
010012A8  77E21EBB  USER32.GetMessageW
010012AC  77DFD504  USER32.SetWinEventHook
010012B0  FFFFFFFF
010012B4  777C4DD4  WINSPOOL.GetPrinterDriverW
010012B8  777C4964  WINSPOOL.ClosePrinter
010012BC  777C44A4  WINSPOOL.OpenPrinterW
010012C0  7FFFFFFF
010012C4  76B0987A  comdlg32.PageSetupDlgW
010012C8  76B0556C  comdlg32.FindTextW
010012CC  76B0E83C  comdlg32.PrintDlgExW
010012D0  76B05ABD  comdlg32.ChooseFontW
010012D4  76AF16E2  comdlg32.GetFileTitleW
010012D8  76AFED3F  comdlg32.GetOpenFileNameW
010012DC  76B0557C  comdlg32.ReplaceTextW
010012E0  76AFDFE8  comdlg32.CommDlgExtendedError
010012E4  76AFED9B  comdlg32.GetSaveFileNameW
010012E8  7FFFFFFF
010012EC  7800C03E  msvcrt._XcptFilter
010012F0  78007CDA  msvcrt._exit
010012F4  780011B7  msvcrt._c_exit
010012F8  780290A1  msvcrt.time
010012FC  78028D0E  msvcrt.localtime
01001300  78007CEB  msvcrt._cexit
01001304  780127FF  msvcrt.iswctype
01001308  7800BD6A  msvcrt._except_handler3
0100130C  780145C2  msvcrt._wtol
01001310  78027782  msvcrt.wcsncmp
01001314  7802197B  msvcrt._snwprintf
01001318  78007C53  msvcrt.exit
0100131C  7803A020  offset msvcrt._acmdln
01001320  78007EDA  msvcrt.__getmainargs
01001324  7800119B  msvcrt._initterm
01001328  78007778  msvcrt.__setusermatherr
0100132C  7803A670  offset msvcrt._adjust_fdiv
01001330  78007FB9  msvcrt.__p__commode
01001334  78007FD7  msvcrt.__p__fmode
01001338  7800776E  msvcrt.__set_app_type
0100133C  78001EC9  msvcrt._controlfp
01001340  780104FC  msvcrt.wcsncpy
01001344  7FFFFFFF
01001348  00000000
Now look carefully at this segment again; how come it looks so much like the unpacked notepad?
0100739D 6A 70       push 70
0100739F 68 9818>    push 01001898
010073A4 E8 BF01>    call 01007568
010073A9 33DB        xor ebx, ebx
010073AB 53          push ebx
010073AC 8B3D CC>    mov edi, [10010CC]            ; KERNEL32.GetModuleHandleA
010073B2 FFD7        call edi
010073B4 66:8138>    cmp word ptr [eax], 5A4D      ; = "MZ"? check whether it is a PE header
010073B9 75 1F       jnz short 010073DA
010073BB 8B48 3C     mov ecx, [eax+3C]
010073BE 03C8        add ecx, eax
010073C0 8139 50>    cmp dword ptr [ecx], 4550
010073C6 75 12       jnz short 010073DA
010073C8 0FB741 >    movzx eax, word ptr [ecx+18]
010073CC 3D 0B01>    cmp eax, 10B
010073D1 74 1F       je short 010073F2
010073D3 3D 0B02>    cmp eax, 20B
010073D8 74 05       je short 010073DF
010073DA 895D E4     mov [ebp-1C], ebx
010073DD EB 27       jmp short 01007406
010073DF 83B9 84>    cmp dword ptr [ecx+84], 0E
010073E6 ^76 F2      jbe short 010073DA
010073E8 33C0        xor eax, eax
010073EA 3999 F8>    cmp [ecx+F8], ebx
010073F0 EB 0E       jmp short 01007400
010073F2 8379 74>    cmp dword ptr [ecx+74], 0E
010073F6 ^76 E2      jbe short 010073DA
010073F8 33C0        xor eax, eax
010073FA 3999 E8>    cmp [ecx+E8], ebx
01007400 0F95C0      setne al
01007403 8945 E4     mov [ebp-1C], eax
01007406 895D FC     mov [ebp-4], ebx
01007409 6A 02       push 2
0100740B FF15 38>    call [1001338]                ; msvcrt.__set_app_type
01007411 59          pop ecx
01007412 830D 9C>    or dword ptr [...], FFFFFFFF
01007419 830D A0>    or dword ptr [...], FFFFFFFF
01007420 FF15 34>    call [1001334]                ; msvcrt.__p__fmode
01007426 8B0D B8>    mov ecx, [...]
0100742C 8908        mov [eax], ecx
0100742E FF15 30>    call [1001330]                ; msvcrt.__p__commode
01007434 8B0D B4>    mov ecx, [...]
0100743A 8908        mov [eax], ecx
0100743C A1 2C13>    mov eax, [100132C]            ; msvcrt._adjust_fdiv
01007441 8B00        mov eax, [eax]
01007443 A3 A4AB>    mov [...], eax
01007448 E8 A701>    call 010075F4
0100744D 391D 08>    cmp [...], ebx
01007453 75 0C       jnz short 01007461
01007455 68 F475>    push 010075F4
0100745A FF15 28>    call [1001328]                ; msvcrt.__setusermatherr
01007460 59          pop ecx
01007461 E8 7701>    call 010075DD
01007466 68 1090>    push 01009010
0100746B 68 0C90>    push 0100900C
01007470 E8 5D01>    call 010075D2                 ; jmp to msvcrt._initterm
01007475 A1 B09A>    mov eax, [...]
0100747A 8945 DC     mov [ebp-24], eax
0100747D 8D45 DC     lea eax, [ebp-24]
01007480 50          push eax
01007481 FF35 AC>    push dword ptr [...]
01007487 8D45 D4     lea eax, [ebp-2C]
0100748A 50          push eax
0100748B 8D45 D0     lea eax, [ebp-30]
0100748E 50          push eax
0100748F 8D45 CC     lea eax, [ebp-34]
01007492 50          push eax
01007493 FF15 20>    call [1001320]                ; msvcrt.__getmainargs
Compare with the unpacked notepad:
01006420 > $5>  push ebp
01006421 . 8>   mov ebp, esp
01006423 . 6>   push -1
01006425 . 6>   push 01001888
0100642A . 6>   push <jmp.&MSVCRT._except_handler3>   ; install SE handler
0100642F . 6>   mov eax, fs:[0]
01006435 . 5>   push eax
01006436 . 6>   mov fs:[0], esp
0100643D . 8>   add esp, -68
01006440 . 5>   push ebx
01006441 . 5>   push esi
01006442 . 5>   push edi
01006443 . 8>   mov [ebp-18], esp
01006446 . C>   mov dword ptr [ebp-4], 0
0100644D . 6>   push 2
0100644F . F>   call [<&MSVCRT.__set_app_type>]       ; msvcrt.__set_app_type
01006455 . 8>   add esp, 4
01006458 . C>   mov dword ptr [...], -1
01006462 . C>   mov dword ptr [...], -1
0100646C . F>   call [<&MSVCRT.__p__fmode>]           ; msvcrt.__p__fmode
01006472 . 8>   mov ecx, [...]
01006478 . 8>   mov [eax], ecx
0100647A . F>   call [<&MSVCRT.__p__commode>]         ; msvcrt.__p__commode
01006480 . 8>   mov edx, [...]
01006486 . 8>   mov [eax], edx
01006488 . A>   mov eax, [<&MSVCRT._adjust_fdiv>]
0100648D . 8>   mov ecx, [eax]
0100648F . 8>   mov [...], ecx
01006495 . E>   call 01006620
0100649A . A>   mov eax, [...]
0100649F . 8>   test eax, eax
010064A1 . 7>   jnz short 010064B1
010064A3 . 6>   push 01006610
010064A8 . F>   call [<&MSVCRT.__setusermatherr>]     ; msvcrt.__setusermatherr
010064AE . 8>   add esp, 4
010064B1 > E>   call 010065F0
010064B6 . 6>   push 0100800C
010064BB . 6>   push 01008008
010064C0 . E>   call <jmp.&MSVCRT._initterm>
010064C5 . 8>   add esp, 8
010064C8 . 8>   mov edx, [...]
010064CE . 8>   mov [...], edx
010064D1 . 8>   lea eax, [...]
010064D4 . 5>   push eax
010064D5 . 8>   mov ecx, [...]
010064DB . 5>   push ecx
010064DC . 8>   lea edx, [...]
010064DF . 5>   push edx
010064E0 . 8>   lea eax, [...]
010064E3 . 5>   push eax
010064E4 . 8>   lea ecx, [...]
010064E7 . 5>   push ecx
010064E8 . F>   call [<&MSVCRT.__getmainargs>]        ; msvcrt.__getmainargs
Although the head is a bit different, the effect is the same: it checks whether the PE header is valid.
OK, DUMP it. OEP=739D, then fix with ImpREC 1.6 final, IAT RVA=1000 SIZE=344, Get Imports;
it shows one invalid pointer, cut it, look again, and the IAT shows up complete.
FIX DUMP,
run the fixed program. Very good, it runs normally.
Done!
快雪时晴, 2006-7-3

Attaching the flash animation I made
FSG 2.0 manual unpacking flash recording; not for anything else, just a trial
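The post reads the IAT's OFFSET and SIZE off the dump window by eye (CTRL+G 01001000, Long -> Address) and then hands RVA=1000 SIZE=344 to ImpREC, which flags one entry as an invalid pointer. The following Python is an added example, not code from the post or from ImpREC: given the raw bytes of the dumped region and a list of loaded-module ranges (as OllyDbg's memory map would show), it walks the dwords, groups consecutive pointers into one DLL's thunk block, records dwords that lie in no module (7FFFFFFF, FFFFFFFF and the like) as non-pointers, stops at the zero dword, and reports the size the way the post's 344 was measured: up to and including the last real pointer, excluding the trailing separator. The module ranges and the shortened table are constructed for the example; the pointer values are the ones quoted in the post.

```python
"""Scan a dumped IAT region and report RVA, size, thunk blocks and non-pointers.

Added example, not from the original post. The grouping rule is an assumption
modelled on the dump shown in the post: a run of dwords that fall inside some
loaded module is one DLL's thunk block, a dword that lies in no module
(7FFFFFFF, FFFFFFFF, ...) separates blocks, and a zero dword ends the table.
"""
import struct

# Assumed load ranges (base, end) for a few modules, chosen to contain the
# pointer values quoted in the post. Illustrative, not measured.
MODULES = {
    "ADVAPI32": (0x796D0000, 0x79780000),
    "KERNEL32": (0x77E60000, 0x77F40000),
    "WINSPOOL": (0x777C0000, 0x777E0000),
}


def module_of(value, modules=MODULES):
    """Return the name of the module whose range contains value, or None."""
    for name, (lo, hi) in modules.items():
        if lo <= value < hi:
            return name
    return None


def scan_iat(region, region_rva, modules=MODULES):
    """Walk dwords from region_rva until the first zero dword.

    Returns the table RVA, the size measured up to and including the last
    dword that is a real pointer (trailing separators excluded), the thunk
    blocks as (rva, module, [pointers]) and the non-pointer dwords as
    (rva, value), which is what a tool like ImpREC would show as invalid.
    """
    blocks, non_pointers = [], []
    current = None
    last_pointer_end = None
    for i in range(0, len(region) - 3, 4):
        rva = region_rva + i
        value = struct.unpack_from("<I", region, i)[0]
        if value == 0:                      # zero dword terminates the table
            break
        mod = module_of(value, modules)
        if mod is None:                     # separator or garbage, closes the block
            non_pointers.append((rva, value))
            current = None
            continue
        if current is None or current[1] != mod:
            current = (rva, mod, [])
            blocks.append(current)
        current[2].append(value)
        last_pointer_end = rva + 4
    size = 0 if last_pointer_end is None else last_pointer_end - region_rva
    return {"rva": region_rva, "size": size,
            "blocks": blocks, "non_pointers": non_pointers}


# Constructed sample: a shortened IAT with three DLL blocks, laid out like the
# dump in the post (values quoted from it, the table itself abbreviated).
SAMPLE = struct.pack("<8I",
    0x796F4ABA,   # ADVAPI32
    0x7FFFFFFF,   # separator between DLL blocks
    0x77E80221,   # KERNEL32.LoadLibraryA
    0x77E80CAB,   # KERNEL32.GetProcAddress
    0xFFFFFFFF,   # dword in no module: reported as a non-pointer
    0x777C4DD4,   # WINSPOOL
    0x7FFFFFFF,   # trailing separator, not counted in the size
    0x00000000,   # end of table
)

if __name__ == "__main__":
    result = scan_iat(SAMPLE, 0x1000)
    print("IAT RVA=%X SIZE=%X" % (result["rva"], result["size"]))
    for rva, mod, ptrs in result["blocks"]:
        print("  %08X %-9s %s" % (rva, mod, " ".join("%08X" % p for p in ptrs)))
    for rva, value in result["non_pointers"]:
        print("  %08X %08X  not a pointer" % (rva, value))
```

On the sample the size comes out as 0x18 (six pointer slots, the trailing 7FFFFFFF excluded), matching how 0x344 covers 01001000 through the wcsncpy slot at 01001340 in the post's dump. To run it against a real dump, read the bytes at the IAT RVA from the dumped file and fill MODULES from the debugger's memory map.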
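The startup code at 010073B4..01007403 in the post reads a fixed set of header fields: "MZ" at the module base, e_lfanew at +3C, "PE\0\0", the optional-header Magic (10B or 20B), then a dword at +74 (PE32) or +84 (PE32+) compared against 0E, and a dword at +E8 or +F8 compared against zero. In the PE format those offsets from the PE signature are NumberOfRvaAndSizes and the VirtualAddress of data directory 14, IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR. The Python below is an added example, not code from the post: it performs the same walk with the same offsets and the same jbe/setne outcome, and builds constructed minimal headers (only the fields the walk touches are set) so it can be run offline.

```python
"""Walk the PE header fields read by the startup code at 010073B4..01007403.

Added example, not code from the post. Offsets are from the PE signature:
  +0x18      optional header Magic (0x10B PE32, 0x20B PE32+)
  +0x74/+0x84 NumberOfRvaAndSizes              (PE32 / PE32+)
  +0xE8/+0xF8 DataDirectory[14].VirtualAddress (the COM descriptor entry)
"""
import struct

PE32, PE32PLUS = 0x10B, 0x20B
# (NumberOfRvaAndSizes offset, DataDirectory[14].VirtualAddress offset)
OFFSETS = {PE32: (0x74, 0xE8), PE32PLUS: (0x84, 0xF8)}


def com_descriptor_flag(image):
    """Return 1 if DataDirectory[14].VirtualAddress is non-zero, else 0.

    Mirrors the disassembly: every failed check takes the "mov [ebp-1C], ebx"
    path (result 0); only a header that passes them all reaches "setne al".
    """
    if len(image) < 0x40 or image[:2] != b"MZ":          # cmp word ptr [eax], 5A4D
        return 0
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]   # mov ecx, [eax+3C]
    if e_lfanew + 0x1A > len(image) or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return 0                                          # cmp dword ptr [ecx], 4550
    magic = struct.unpack_from("<H", image, e_lfanew + 0x18)[0]
    if magic not in OFFSETS:                              # neither 10B nor 20B
        return 0
    n_off, dir14_off = OFFSETS[magic]
    if e_lfanew + dir14_off + 4 > len(image):             # truncated header
        return 0
    n_dirs = struct.unpack_from("<I", image, e_lfanew + n_off)[0]
    if n_dirs <= 0x0E:                                    # jbe: directory 14 absent
        return 0
    com_va = struct.unpack_from("<I", image, e_lfanew + dir14_off)[0]
    return 1 if com_va != 0 else 0                        # setne al


def build_header(magic=PE32, n_dirs=16, com_va=0, e_lfanew=0x80):
    """Constructed minimal header: only the fields the walk reads are set."""
    n_off, dir14_off = OFFSETS.get(magic, OFFSETS[PE32])
    buf = bytearray(e_lfanew + dir14_off + 8)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<H", buf, e_lfanew + 0x18, magic)
    struct.pack_into("<I", buf, e_lfanew + n_off, n_dirs)
    struct.pack_into("<I", buf, e_lfanew + dir14_off, com_va)
    return bytes(buf)


if __name__ == "__main__":
    for label, hdr in [("PE32, directory 14 set", build_header(com_va=0x2000)),
                       ("PE32, directory 14 zero", build_header(com_va=0)),
                       ("PE32, only 10 directories", build_header(n_dirs=10, com_va=0x2000)),
                       ("PE32+, directory 14 set", build_header(PE32PLUS, com_va=0x3000)),
                       ("bad Magic", build_header(magic=0x107))]:
        print("%-28s -> %d" % (label, com_descriptor_flag(hdr)))
```

The same walk can be pointed at a dumped file to confirm that the header the dump carries still satisfies the checks the unpacked entry code will run against the module base returned by GetModuleHandleA.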