|
|
这个FSG 2.0 -> bart/xt我好象找到OEP了,可是脱了后修复不好~~~
大家来看看~~~~~
先用OD查壳,发现是FSG 2.0 -> bart/xt
用OD载入:
00400154 > 8725 94334100 XCHG DWORD PTR DS:[413394],ESP
0040015A 61 POPAD
0040015B 94 XCHG EAX,ESP --------这里堆栈也有提示
0040015C 55 PUSH EBP
0040015D A4 MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
0040015E B6 80 MOV DH,80
00400160 FF13 CALL DWORD PTR DS:[EBX]
00400162 ^ 73 F9 JNB SHORT fsg.0040015D
00400164 33C9 XOR ECX,ECX
00400166 FF13 CALL DWORD PTR DS:[EBX]
00400168 73 16 JNB SHORT fsg.00400180
0040016A 33C0 XOR EAX,EAX
0040016C FF13 CALL DWORD PTR DS:[EBX]
0040016E 73 1F JNB SHORT fsg.0040018F
00400170 B6 80 MOV DH,80
00400172 41 INC ECX
00400173 B0 10 MOV AL,10
00400175 FF13 CALL DWORD PTR DS:[EBX]
00400177 12C0 ADC AL,AL
00400179 ^ 73 FA JNB SHORT fsg.00400175
0040017B 75 3A JNZ SHORT fsg.004001B7
0040017D AA STOS BYTE PTR ES:[EDI]
0040017E ^ EB E0 JMP SHORT fsg.00400160
00400180 FF53 08 CALL DWORD PTR DS:[EBX+8]
00400183 02F6 ADD DH,DH
00400185 83D9 01 SBB ECX,1
00400188 75 0E JNZ SHORT fsg.00400198
0040018A FF53 04 CALL DWORD PTR DS:[EBX+4]
0040018D EB 24 JMP SHORT fsg.004001B3
0040018F AC LODS BYTE PTR DS:[ESI]
00400190 D1E8 SHR EAX,1
00400192 74 2D JE SHORT fsg.004001C1
00400194 13C9 ADC ECX,ECX
00400196 EB 18 JMP SHORT fsg.004001B0
00400198 91 XCHG EAX,ECX
00400199 48 DEC EAX
0040019A C1E0 08 SHL EAX,8
0040019D AC LODS BYTE PTR DS:[ESI]
0040019E FF53 04 CALL DWORD PTR DS:[EBX+4]
004001A1 3B43 F8 CMP EAX,DWORD PTR DS:[EBX-8]
004001A4 73 0A JNB SHORT fsg.004001B0
004001A6 80FC 05 CMP AH,5
004001A9 73 06 JNB SHORT fsg.004001B1
004001AB 83F8 7F CMP EAX,7F
004001AE 77 02 JA SHORT fsg.004001B2
004001B0 41 INC ECX
004001B1 41 INC ECX
004001B2 95 XCHG EAX,EBP
004001B3 8BC5 MOV EAX,EBP
004001B5 B6 00 MOV DH,0
004001B7 56 PUSH ESI
004001B8 8BF7 MOV ESI,EDI
004001BA 2BF0 SUB ESI,EAX
004001BC F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[>
004001BE 5E POP ESI
004001BF ^ EB 9F JMP SHORT fsg.00400160
004001C1 5E POP ESI
004001C2 AD LODS DWORD PTR DS:[ESI]
004001C3 97 XCHG EAX,EDI
004001C4 AD LODS DWORD PTR DS:[ESI]
004001C5 50 PUSH EAX
004001C6 FF53 10 CALL DWORD PTR DS:[EBX+10]
004001C9 95 XCHG EAX,EBP
004001CA 8B07 MOV EAX,DWORD PTR DS:[EDI]
004001CC 40 INC EAX
004001CD ^ 78 F3 JS SHORT fsg.004001C2
004001CF 75 03 JNZ SHORT fsg.004001D4
004001D1 FF63 0C JMP DWORD PTR DS:[EBX+C]----------直接按F4到这里,F7跟进
+++++++++++++++++++++++++++++++++++++++++++++++++++
00401000 2B DB 2B ; CHAR '+'
00401001 DB DB DB
00401002 B8 DB B8
00401003 4C DB 4C ; CHAR 'L'
00401004 A0 DB A0
00401005 40 DB 40 ; CHAR '@'
00401006 00 DB 00
00401007 C7 DB C7
00401008 00 DB 00
00401009 08 DB 08
0040100A 00 DB 00
0040100B 00 DB 00
0040100C 00 DB 00
0040100D C7 DB C7
0040100E 40 DB 40 ; CHAR '@'
0040100F 04 DB 04
00401010 FF DB FF
Od 右键分析代码为
00401000 2BDB SUB EBX,EBX ; fsg.00413398-----------在这里用LordPE脱壳
00401002 B8 4CA04000 MOV EAX,fsg.0040A04C
00401007 C700 08000000 MOV DWORD PTR DS:[EAX],8
0040100D C740 04 FF00000>MOV DWORD PTR DS:[EAX+4],0FF
00401014 50 PUSH EAX
00401015 E8 DC620000 CALL fsg.004072F6 ; JMP 到 COMCTL32.InitCommonControlsEx
0040101A 68 41A64000 PUSH fsg.0040A641
0040101F E8 D3020000 CALL fsg.004012F7
00401024 53 PUSH EBX
00401025 E8 36620000 CALL fsg.00407260 ; JMP 到 kernel32.GetModuleHandleA
0040102A A3 45AE4000 MOV DWORD PTR DS:[40AE45],EAX
0040102F BF 43AA4000 MOV EDI,fsg.0040AA43
00401034 68 01020000 PUSH 201
00401039 57 PUSH EDI
++++++++++++++++++++++++++++++
用OD脱壳后不能正常运行~~按照猫兄的教程:
用LordPE脱壳后用ImportREC修复
选择正在运行的fsg程序,在OEP框中输入1000然后点IAT自动搜索~
显示可能发现原始的IAT地址等~~~
然后点获得输入信息在找到的输入函数框里没有什么反映,什么都没有出现.
偶郁闷了~~~
偶这样的菜鸟只能到这里了`~~
高手指点一下应该怎么修复哦~~~ |
本帖子中包含更多资源
您需要 登录 才可以下载或查看,没有账号?加入我们
x
|
IP卡
发表于 2006-6-26 00:58:27
提升卡
置顶卡
变色卡
千斤顶
显身卡
发表于 2006-6-26 10:21:18
楼主
发表于 2006-6-28 22:03:43