Found an old note of mine; it seems to be from back when I unpacked a game cheat program (外挂). Posting it here for everyone to learn from.
I had a rough look at it; for a newbie it's not that easy, so chew on it slowly. Judging by the date it's from 2006... I've forgotten it all.
I'll dig around some more... if I find anything better I'll post it.
//-------------------------------------------------------------------------------
The experts all say this is Lao Wang's packer (老王的壳), and it does look like it to me. The odd thing is that after loading the program it says it's a DLL file, which made me sweat a little.
Following the usual ESP trick (ESP定律):
//-------------------------------------------------------------
005C2000 > $ 60 pushad
005C2001 . 9C pushfd
005C2002 . 64:FF35 00000>push dword ptr fs:[0] ;ESP=0012FFA0
005C2009 . E8 79010000 call 005C2187
The program is huge; it took ages before it broke!
//------------------------------------------------------------
711A233A 25 00010000 and eax, 100
711A233F 3D 00010000 cmp eax, 100
711A2344 74 05 je short 711A234B
711A2346 E8 C996FFFF call 7119BA14
711A234B 6A 10 push 10
711A234D A1 90B71B71 mov eax, dword ptr [711BB790]
711A2352 8B00 mov eax, dword ptr [eax]
711A2354 E8 CB27F8FF call 71124B24
711A2359 50 push eax
711A235A A1 38B81B71 mov eax, dword ptr [711BB838]
711A235F 8B00 mov eax, dword ptr [eax]
711A2361 E8 BE27F8FF call 71124B24
711A2366 50 push eax
711A2367 6A 00 push 0
711A2369 E8 AE50F8FF call <jmp.&user32.MessageBoxA>
711A236E 59 pop ecx
711A236F 5D pop ebp
711A2370 C2 0400 retn 4
According to the unpacking write-up we need to set a memory breakpoint, but here there is nowhere to set it: the program has only the one section shown below, so who knows where to put it!
Let's just set it on this one then; worst case it's a bit more hassle.
//--------------------------------------------------------------
Memory map, 条目 22
地址=00400000
大小=0032B000 (3321856.)
属主=MUSky 00400000 (自身)
区段=
包含=PE 文件头
类型=Imag 01001002
访问=R
初始访问=RWE
Ha! One F9 and we're there, kind of interesting, haha! A very familiar OEP, right? How do I know it's the OEP? One look tells you it was written in Delphi, probably Pascal or some language of that kind.
If it had been written in BC++ or the like, the first instruction would be a JMP; that is the kind of packer I like unpacking least, because fixing the API (imports) is a problem.
//------------------------------------------------------------
00555A68 55 push ebp
00555A69 8BEC mov ebp, esp
00555A6B 83C4 F0 add esp, -10
00555A6E B8 58555500 mov eax, 00555558
00555A73 E8 3015EBFF call 00406FA8
00555A78 A1 2CA65500 mov eax, dword ptr [55A62C]
00555A7D 8B00 mov eax, dword ptr [eax]
00555A7F E8 DC57F1FF call 0046B260
00555A84 8B0D ACA65500 mov ecx, dword ptr [55A6AC] ; MUSky.00572B64
00555A8A A1 2CA65500 mov eax, dword ptr [55A62C]
00555A8F 8B00 mov eax, dword ptr [eax]
00555A91 8B15 184A5400 mov edx, dword ptr [544A18] ; MUSky.00544A64
00555A97 E8 DC57F1FF call 0046B278
00555A9C 8B0D 24A25500 mov ecx, dword ptr [55A224] ; MUSky.0057282C
00555AA2 A1 2CA65500 mov eax, dword ptr [55A62C]
00555AA7 8B00 mov eax, dword ptr [eax]
00555AA9 8B15 643C5300 mov edx, dword ptr [533C64] ; MUSky.00533CB0
00555AAF E8 C457F1FF call 0046B278
00555AB4 8B0D E0A35500 mov ecx, dword ptr [55A3E0] ; MUSky.00572780
00555ABA A1 2CA65500 mov eax, dword ptr [55A62C]
00555ABF 8B00 mov eax, dword ptr [eax]
00555AC1 8B15 BC515100 mov edx, dword ptr [5151BC] ; MUSky.00515208
00555AC7 E8 AC57F1FF call 0046B278
00555ACC A1 2CA65500 mov eax, dword ptr [55A62C]
00555AD1 8B00 mov eax, dword ptr [eax]
00555AD3 E8 2058F1FF call 0046B2F8
00555AD8 E8 73ECEAFF call 00404750
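As an added example (not code from the original post), here is a small heuristic that classifies a candidate OEP by its first bytes the way the post does: a Delphi entry point (push ebp / mov ebp,esp / add esp,-N / mov eax,imm32 / call) versus a BC++-style one that begins with a jmp. The opcode bytes are parsed straight from the OllyDbg listing lines above; the BC++ sample in the usage is constructed.

```python
import re

# OllyDbg listing lines copied from the OEP dump in the post (first five instructions).
DELPHI_OEP_LISTING = """
00555A68 55 push ebp
00555A69 8BEC mov ebp, esp
00555A6B 83C4 F0 add esp, -10
00555A6E B8 58555500 mov eax, 00555558
00555A73 E8 3015EBFF call 00406FA8
"""

# Olly prints the bytes column in upper-case hex and mnemonics in lower case.
_HEX_TOKEN = re.compile(r"[0-9A-F]{2}(?:[0-9A-F]{2})*")


def bytes_from_listing(listing: str) -> bytes:
    """Extract the raw opcode bytes from OllyDbg disassembly lines."""
    out = bytearray()
    for line in listing.strip().splitlines():
        for tok in line.split()[1:]:          # drop the address column
            tok = tok.replace(":", "")        # segment prefixes print as "64:8910"
            if tok in (">", "$", ".", "^"):   # Olly's margin markers
                continue
            if _HEX_TOKEN.fullmatch(tok):
                out += bytes.fromhex(tok)
            else:                             # first mnemonic ends the bytes column
                break
    return bytes(out)


def classify_oep(code: bytes) -> str:
    """Rough OEP heuristic matching the reasoning in the post."""
    if not code:
        return "unknown"
    if code[0] in (0xE9, 0xEB):               # jmp rel32 / jmp rel8
        return "jmp-stub"                     # typical BC++-style entry
    delphi = (
        len(code) >= 12
        and code[0:3] == b"\x55\x8B\xEC"      # push ebp; mov ebp, esp
        and code[3:5] == b"\x83\xC4"          # add esp, imm8 (imm8 is a wildcard)
        and code[6] == 0xB8                   # mov eax, imm32 (runtime init table)
        and code[11] == 0xE8                  # call into the Delphi runtime init
    )
    return "delphi" if delphi else "unknown"


if __name__ == "__main__":
    print(classify_oep(bytes_from_listing(DELPHI_OEP_LISTING)))   # delphi
    print(classify_oep(bytes.fromhex("EB10")))                     # jmp-stub (constructed)
```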
Tried a first fix, and unexpectedly ImportREC says this is not the OEP. Sweat; the happiness is gone... It seems being lazy gets nothing done. We know the OEP,
so let's continue!
//--------------------------------------------------------------------------
Continue following the tutorial! BP IsDebuggerPresent
7C812E03 > 64:A1 18000000 mov eax, dword ptr fs:[18]
7C812E09 8B40 30 mov eax, dword ptr [eax+30]
7C812E0C 0FB640 02 movzx eax, byte ptr [eax+2]
7C812E10 C3 retn
Next set BP GetProcAddress; before it even gets there it throws an exception error. Ignore it, click past, continue; still not at the spot, and then recursive exceptions at the following:
//--------------------------------------------------------------------------
7112684D 68 00040000 push 400
71126852 8D4424 04 lea eax, dword ptr [esp+4]
71126856 50 push eax
71126857 8B43 04 mov eax, dword ptr [ebx+4]
7112685A 50 push eax
7112685B 8B03 mov eax, dword ptr [ebx]
7112685D 8B00 mov eax, dword ptr [eax]
7112685F E8 34F5FFFF call 71125D98
71126864 50 push eax
71126865 E8 AEAAFFFF call <jmp.&user32.LoadStringA>
7112686A 8BC8 mov ecx, eax
7112686C 8BD4 mov edx, esp
7112686E 8BC6 mov eax, esi
71126870 E8 EFDEFFFF call 71124764
71126875 EB 0A jmp short 71126881
71126877 8BC6 mov eax, esi
71126879 8B53 04 mov edx, dword ptr [ebx+4]
7112687C E8 E3DFFFFF call 71124864
71126881 81C4 00040000 add esp, 400
71126887 5E pop esi
71126888 5B pop ebx
71126889 C3 retn
Running again, the program terminates ^^^^^^^^^. After 3 tests it's not a slip of the hand; need to start over!
//---------------------------------------------------------------
Set BP LoadLibraryA; it breaks as follows:
//---------------------------------------------------------------
7C801D77 > 8BFF mov edi, edi
7C801D79 55 push ebp
7C801D7A 8BEC mov ebp, esp
7C801D7C 837D 08 00 cmp dword ptr [ebp+8], 0
7C801D80 53 push ebx
7C801D81 56 push esi
7C801D82 74 14 je short 7C801D98
7C801D84 68 F0E2807C push 7C80E2F0 ; ASCII "twain_32.dll"
7C801D89 FF75 08 push dword ptr [ebp+8]
7C801D8C FF15 9C13807C call dword ptr [<&ntdll._strcmpi>] ; ntdll._stricmp
7C801D92 85C0 test eax, eax
7C801D94 59 pop ecx
7C801D95 59 pop ecx
7C801D96 74 12 je short 7C801DAA
7C801D98 6A 00 push 0
7C801D9A 6A 00 push 0
7C801D9C FF75 08 push dword ptr [ebp+8]
7C801D9F E8 ABFFFFFF call LoadLibraryExA
7C801DA4 5E pop esi
7C801DA5 5B pop ebx
7C801DA6 5D pop ebp
7C801DA7 C2 0400 retn 4
Stack:
//---------------------------------------------------------------
0012FF94 005C2283 /CALL 到 LoadLibraryA 来自 MUSky.005C2281
0012FF98 005C205A FileName = "C:WINDOWSsystem32V12003518.EPE" ; isn't this exactly the address we're looking for!
Usually it's the first one loaded! If not, take another look; as a module it would make no sense for it not to be loaded.
After returning, we can see that everything that should be in memory is there. Scroll down and we find it here:
//-------------------------------------------------------------
Memory map, 条目 32
地址=71121000
大小=00083000 (536576.)
属主=V1200351 71120000
区段=CODE
包含=代码
类型=Imag 01001002
访问=R
初始访问=RWE
Set a memory-access breakpoint. One F9 and we're home; delete the memory breakpoint.
//-------------------------------------------------------------
711A37FC > 55 push ebp
711A37FD 8BEC mov ebp, esp
711A37FF 83C4 C4 add esp, -3C
711A3802 B8 24361A71 mov eax, 711A3624
711A3807 E8 A832F8FF call 71126AB4
711A380C E8 EF0CF8FF call 71124500
Now Ctrl+S and search "entire section" (整个区段) for the command sequence:
//-----------------------------------------------------------
mov eax,edi
mov edx,dword ptr ss:[ebp-8]
mov dword ptr ds:[eax],edx
xor eax,eax
//-------------------------------------------------------------
711A1F2B 8BC7 mov eax, edi ; set a breakpoint here, F9 stops here
711A1F2D 8B55 F8 mov edx, dword ptr [ebp-8] ; change this to EBP-4
711A1F30 8910 mov dword ptr [eax], edx
711A1F32 33C0 xor eax, eax
711A1F34 5A pop edx
711A1F35 59 pop ecx
711A1F36 59 pop ecx
711A1F37 64:8910 mov dword ptr fs:[eax], edx
711A1F3A EB 0A jmp short 711A1F46
Ctrl+S again and search for the command sequence:
//--------------------------------------------------------------
add ebx,4
mov eax,dword ptr ss:[ebp-4C]
add eax,4
//---------------------------------------------------------------
711A2F4E 83C3 04 add ebx, 4 ; found here
711A2F51 8B45 B4 mov eax, dword ptr [ebp-4C]
711A2F54 83C0 04 add eax, 4
711A2F57 8945 B4 mov dword ptr [ebp-4C], eax
711A2F5A 8B03 mov eax, dword ptr [ebx]
711A2F5C 85C0 test eax, eax
711A2F5E ^ 0F87 39FDFFFF ja 711A2C9D
711A2F64 A1 78B71B71 mov eax, dword ptr [711BB778]
711A2F69 8038 00 cmp byte ptr [eax], 0
711A2F6C 75 1F jnz short 711A2F8D
711A2F6E 8B45 C4 mov eax, dword ptr [ebp-3C]
711A2F71 83C0 14 add eax, 14
711A2F74 8945 C4 mov dword ptr [ebp-3C], eax
711A2F77 8B45 C4 mov eax, dword ptr [ebp-3C]
711A2F7A 8378 0C 00 cmp dword ptr [eax+C], 0
711A2F7E 76 0D jbe short 711A2F8D
711A2F80 8B45 C4 mov eax, dword ptr [ebp-3C]
711A2F83 8378 10 00 cmp dword ptr [eax+10], 0
711A2F87 ^ 0F87 38FCFFFF ja 711A2BC5
711A2F8D 33C0 xor eax, eax ; F2 breakpoint here, EAX = IAT address 005731B8
The data window shows the following; go back and undo the code modification we made earlier:
//----------------------------------------------------------------------------------
005731B8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
005731C8 00 00 00 00 8A 18 93 7C ED 10 92 7C 05 10 92 7C ....?.?|?.?|..?|
005731D8 A1 9F 80 7C 14 9B 80 7C 81 9A 80 7C 5D 99 80 7C
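As an added example (not code from the original post), the following parses the data-window dump above into IAT slots and checks which module each pointer falls in, which is the same validity check an import fixer such as ImportREC performs per thunk. The module ranges are an assumption for illustration: kernel32 is inferred from the LoadLibraryA address on the page (7C80xxxx), while the ntdll range is a typical XP SP2 layout that the post does not state.

```python
from typing import Dict, List, Tuple

# Data-window lines copied from the post (the ASCII column is omitted).
IAT_DUMP = """
005731B8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
005731C8 00 00 00 00 8A 18 93 7C ED 10 92 7C 05 10 92 7C
005731D8 A1 9F 80 7C 14 9B 80 7C 81 9A 80 7C 5D 99 80 7C
"""

# Assumed module ranges (see lead-in); in practice read them from Olly's Memory map.
MODULES: Dict[str, Tuple[int, int]] = {
    "kernel32.dll": (0x7C800000, 0x7C8F6000),
    "ntdll.dll": (0x7C900000, 0x7C9B2000),
}


def parse_dump(dump: str) -> List[Tuple[int, int]]:
    """Turn OllyDbg dump lines into (slot_address, dword) pairs, little-endian."""
    slots = []
    for line in dump.strip().splitlines():
        tokens = line.split()
        base = int(tokens[0], 16)
        raw = bytes.fromhex("".join(tokens[1:17]))      # 16 bytes per dump line
        for off in range(0, len(raw), 4):
            slots.append((base + off, int.from_bytes(raw[off:off + 4], "little")))
    return slots


def resolve_module(value: int, modules: Dict[str, Tuple[int, int]]) -> str:
    """Name of the module whose image range contains value, or '?' if none."""
    for name, (lo, hi) in modules.items():
        if lo <= value < hi:
            return name
    return "?"


def iat_summary(dump: str, modules: Dict[str, Tuple[int, int]]) -> List[Tuple[int, int, str]]:
    """Non-zero IAT slots with the module each pointer resolves to.

    After the unpacker has filled the table, a slot that still resolves to '?'
    is what ImportREC would flag as an invalid (redirected) thunk.
    """
    return [(addr, val, resolve_module(val, modules))
            for addr, val in parse_dump(dump) if val != 0]


if __name__ == "__main__":
    for addr, val, mod in iat_summary(IAT_DUMP, MODULES):
        print(f"{addr:08X} -> {val:08X} {mod}")
```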