I hope the experts here will correct me where I'm wrong.
1 Unpacking + repair
Checked with PEiD: nSPack 2.2 -> North Star/Liu Xing Ping
Load the program in OD and we arrive at the packer's entry point.
00496AB5 > 9C PUSHFD
00496AB6 60 PUSHAD
00496AB7 E8 00000000 CALL runserve.00496ABC
00496ABC 5D POP EBP
00496ABD B8 07000000 MOV EAX,7
00496AC2 2BE8 SUB EBP,EAX
00496AC4 8DB5 5BFBFFFF LEA ESI,DWORD PTR SS:[EBP-4A5]
00496ACA 8B06 MOV EAX,DWORD PTR DS:[ESI]
00496ACC 83F8 00 CMP EAX,0
00496ACF 74 11 JE SHORT runserve.00496AE2
00496AD1 8DB5 83FBFFFF LEA ESI,DWORD PTR SS:[EBP-47D]
00496AD7 8B06 MOV EAX,DWORD PTR DS:[ESI]
00496AD9 83F8 01 CMP EAX,1
00496ADC 0F84 4B020000 JE runserve.00496D2D
00496AE2 C706 01000000 MOV DWORD PTR DS:[ESI],1
00496AE8 8BD5 MOV EDX,EBP
00496AEA 8B85 17FBFFFF MOV EAX,DWORD PTR SS:[EBP-4E9]
00496AF0 2BD0 SUB EDX,EAX
An ordinary packer, so use the ESP trick and set a hardware breakpoint.
After loading the program on my machine ESP=13FFC4, so adapt this to your own value.
Enter the command directly: HR 13FFC4, ignore all exceptions, SHIFT+F9, and you easily land at the original entry point.
004753FC 55 PUSH EBP
004753FD 8BEC MOV EBP,ESP
004753FF 83C4 EC ADD ESP,-14
00475402 33C0 XOR EAX,EAX
00475404 8945 EC MOV DWORD PTR SS:[EBP-14],EAX
00475407 B8 EC504700 MOV EAX,runserve.004750EC
0047540C E8 9313F9FF CALL runserve.004067A4
00475411 33C0 XOR EAX,EAX
00475413 55 PUSH EBP
00475414 68 DA544700 PUSH runserve.004754DA
00475419 64:FF30 PUSH DWORD PTR FS:[EAX]
0047541C 64:8920 MOV DWORD PTR FS:[EAX],ESP
0047541F A1 CC764700 MOV EAX,DWORD PTR DS:[4776CC]
00475424 8B00 MOV EAX,DWORD PTR DS:[EAX]
00475426 E8 D521FDFF CALL runserve.00447600
0047542B A1 68774700 MOV EAX,DWORD PTR DS:[477768]
Open LordPE, find the process, and dump it directly.
Then open ImportREC and repair the imports directly.
2 Removing the self-check
Running the unpacked program, nothing happens: the software has a self-check. The usual way to deal with a self-check is to set a file breakpoint:
BP GetFileSize, SHIFT+F9
0013FF88 004030B1 /CALL 到 GetFileSize 来自 dumped_.004030AC
0013FF8C 00000074 |hFile = 00000074
0013FF90 00000000 \pFileSizeHigh = NULL
0013FF94 FFFFFFFF
It breaks here; ALT+F9.
004030B1 |. 8BF0 MOV ESI,EAX
004030B3 |. 83FE FF CMP ESI,-1
004030B6 |. 75 07 JNZ SHORT dumped_.004030BF
004030B8 |. E8 87F8FFFF CALL dumped_.00402944
004030BD |. EB 15 JMP SHORT dumped_.004030D4
004030BF |> 8BC6 MOV EAX,ESI
004030C1 |. 33D2 XOR EDX,EDX
004030C3 |. F773 08 DIV DWORD PTR DS:[EBX+8]
004030C6 |. 8BF0 MOV ESI,EAX
004030C8 |. EB 0A JMP SHORT dumped_.004030D4
004030CA |> B8 67000000 MOV EAX,67
004030CF |. E8 60F8FFFF CALL dumped_.00402934
004030D4 |> 8BC6 MOV EAX,ESI
004030D6 |. 5E POP ESI
004030D7 |. 5B POP EBX
004030D8 \. C3 RETN
F8 to keep stepping and see where it returns to.
00475468 |. E8 23DCF8FF CALL dumped_.00403090
0047546D |. E8 A2D4F8FF CALL dumped_.00402914
00475472 |. 3D 73060000 CMP EAX,673
00475477 |. 75 30 JNZ SHORT dumped_.004754A
00475479 |. 8B0D A8744700 MOV ECX,DWORD PTR DS:[4774A8] ; dumped_.00478E70
0047547F |. A1 CC764700 MOV EAX,DWORD PTR DS:[4776CC]
00475484 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
00475486 |. 8B15 B4044700 MOV EDX,DWORD PTR DS:[4704B4] ; dumped_.00470500
0047548C |. E8 8721FDFF CALL dumped_.00447618
00475491 |. 8B0D 5C754700 MOV ECX,DWORD PTR DS:[47755C] ; dumped_.00478E44
There is the comparison above, heh, so patch it.
At 00475477, change it to JZ 004754A or NOP it out, then save and run.
OK, everything is normal and it runs.
[ This post was last edited by 邪秀才 on 2008-4-13 18:49 ]
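As an added illustration (not part of the post above), here is why a self-check built on GetFileSize is so easy to defeat: the one-byte JNZ-to-JZ flip described above leaves the file size unchanged, so a size-only check still passes, while a keyed hash over the image would notice it. The bytes below are constructed stand-ins for the CMP EAX,673 / JNZ SHORT sequence, not the real binary, and the key is a demo literal.

```python
import hashlib
import hmac

# Constructed stand-in for the bytes around the patched branch:
#   3D 73 06 00 00   CMP EAX,673
#   75 30            JNZ SHORT ...
# followed by filler. Not taken from the real program.
ORIGINAL_IMAGE = bytes.fromhex("3D73060000" "7530") + b"\x90" * 9
# Same image after the post's patch: JNZ (75) becomes JZ (74).
PATCHED_IMAGE = bytes.fromhex("3D73060000" "7430") + b"\x90" * 9

EXPECTED_SIZE = len(ORIGINAL_IMAGE)   # the constant a size-only check bakes in
KEY = b"constructed-demo-key"         # demo value; a real build derives/embeds its own

# Reference tag computed over the pristine image at build time.
REFERENCE_TAG = hmac.new(KEY, ORIGINAL_IMAGE, hashlib.sha256).digest()


def size_check(image: bytes) -> bool:
    """Mimics the weak check in the post: only the file size is compared."""
    return len(image) == EXPECTED_SIZE


def hmac_check(image: bytes, expected_tag: bytes = REFERENCE_TAG) -> bool:
    """Keyed hash over the whole image; any changed byte changes the tag."""
    tag = hmac.new(KEY, image, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected_tag)


def find_patches(original: bytes, modified: bytes) -> list:
    """Forensic helper: list (offset, old_byte, new_byte) for every differing byte."""
    if len(original) != len(modified):
        raise ValueError("images differ in length; compare section by section")
    return [(i, a, b) for i, (a, b) in enumerate(zip(original, modified)) if a != b]


def evaluate(image: bytes) -> dict:
    """Run both checks so the two outcomes can be compared side by side."""
    return {"size_check": size_check(image), "hmac_check": hmac_check(image)}


if __name__ == "__main__":
    print("original:", evaluate(ORIGINAL_IMAGE))
    print("patched: ", evaluate(PATCHED_IMAGE))
    print("diff:    ", find_patches(ORIGINAL_IMAGE, PATCHED_IMAGE))
```

The keyed check can of course be patched out too, so a self-check of this kind raises the effort and gives you a tamper signal; it is not a substitute for code signing verified outside the process.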