论坛网址 https://www.52hb.com/
1.最近学到恒老师的教程的脱壳篇,正好用这个图标工具来练一练。
壳:PECompact 2.x -> Jeremy Collake
00466227 > B8 AC965400 mov eax,专属卡图.005496AC //载入进来是这个样子的
; Packed entry (00466227, the line above): eax = 005496AC, the address of the
; unpacker stub listed further down this page. push eax / push fs:[0] builds an
; SEH record on the stack and fs:[0] = esp installs it as the top-level handler.
0046622C 50 push eax
0046622D 64:FF35 0000000>push dword ptr fs:[0] //Single-step with F8 to here, then apply the ESP trick (if you don't know the ESP trick, go back to the tutorial)
00466234 64:8925 0000000>mov dword ptr fs:[0],esp
; eax = 0 followed by a store through eax: a deliberate write to address 0.
; The resulting access violation is the only way the stub at 005496AC gets
; control; the hardware breakpoint set with the ESP trick fires inside ntdll
; (next listing) while that exception is being dispatched.
0046623B 33C0 xor eax,eax
0046623D 8908 mov dword ptr ds:[eax],ecx
; Everything below is data that the disassembler renders as instructions.
; The bytes 50 45 43 6F 6D 70 61 63 74 32 00 starting at 0046623F are the
; ASCII string "PECompact2" (the packer's signature); the rest down to
; 00466258 is likewise not code and is never executed in place.
; The "; ntdll.KiFastSystemCallRet" after the last line is the debugger's
; register annotation at dump time, not part of the instruction.
0046623F 50 push eax
00466240 45 inc ebp
00466241 43 inc ebx
00466242 6F outs dx,dword ptr es:[edi]
00466243 6D ins dword ptr es:[edi],dx
00466244 70 61 jo short 专属卡图.004662A7
00466246 637432 00 arpl word ptr ds:[edx+esi],si
0046624A F631 div byte ptr ds:[ecx]
0046624C 229F 1237A733 and bl,byte ptr ds:[edi+0x33A73712]
00466252 ^ 71 A6 jno short 专属卡图.004661FA
00466254 891A mov dword ptr ds:[edx],ebx
00466256 D6 salc
00466257 37 aaa
00466258 69DA 29A3D061 imul ebx,edx,0x61D0A329 ; ntdll.KiFastSystemCallRet
7C94A573 3B45 F8 cmp eax,dword ptr ss:[ebp-0x8] //然后会断在这里,我们一步一步F8出CALL
; ntdll code reached while the access violation from the packed entry is being
; dispatched; the breakpoint placed with the ESP trick stops here. This whole
; block is system space: step over (F8) each call and only start looking
; closely again when the address column returns to the program's own range.
; NOTE(review): the [ebp-0x8] / [ebp-0xC] compares look like bounds checks on
; the SEH record before it is trusted, and the call at 7C94A5A8 is presumably
; the one that invokes the registered handler; confirm against a symbolised
; ntdll before relying on either reading. The values after ';' (专属卡图.005496AC,
; ntdll.7C930228) are the debugger's register annotations at dump time.
7C94A576 72 09 jb short ntdll.7C94A581
7C94A578 3B45 F4 cmp eax,dword ptr ss:[ebp-0xC]
7C94A57B 0F82 FA050000 jb ntdll.7C94AB7B
7C94A581 50 push eax ; 专属卡图.005496AC
7C94A582 E8 67000000 call ntdll.7C94A5EE
7C94A587 84C0 test al,al
7C94A589 0F84 EC050000 je ntdll.7C94AB7B
; Bit 7 of the global byte at 7C99E41A is tested twice (here and at 7C94A5AD);
; when set, control leaves for 7C9702xx. The flag's meaning is not visible in
; the dump.
7C94A58F F605 1AE4997C 8>test byte ptr ds:[0x7C99E41A],0x80
7C94A596 0F85 A75C0200 jnz ntdll.7C970243
; Five arguments ([ebx+4], &[ebp-0x14], [ebp+0xC], ebx, esi) for the call at
; 7C94A5A8; its result is kept in edi.
7C94A59C FF73 04 push dword ptr ds:[ebx+0x4] ; 专属卡图.005496AC
7C94A59F 8D45 EC lea eax,dword ptr ss:[ebp-0x14]
7C94A5A2 50 push eax ; 专属卡图.005496AC
7C94A5A3 FF75 0C push dword ptr ss:[ebp+0xC]
7C94A5A6 53 push ebx
7C94A5A7 56 push esi
7C94A5A8 E8 9A8CFDFF call ntdll.7C923247
7C94A5AD F605 1AE4997C 8>test byte ptr ds:[0x7C99E41A],0x80
7C94A5B4 8BF8 mov edi,eax ; 专属卡图.005496AC
7C94A5B6 0F85 9D5C0200 jnz ntdll.7C970259
7C94A5BC 395D 08 cmp dword ptr ss:[ebp+0x8],ebx
7C94A5BF 0F84 A25C0200 je ntdll.7C970267
; eax = edi - 0 is a roundabout test of the call's result for zero.
7C94A5C5 8BC7 mov eax,edi ; ntdll.7C930228
7C94A5C7 33C9 xor ecx,ecx
7C94A5C9 2BC1 sub eax,ecx
7C94A5CB 0F85 89050000 jnz ntdll.7C94AB5A
7C94A5D1 F646 04 01 test byte ptr ds:[esi+0x4],0x1
7C94A5D5 0F85 D65C0200 jnz ntdll.7C9702B1
; Success path: result byte = 1, callee-saved registers restored, stdcall
; return (8 bytes of arguments popped) to the dispatcher in the next listing.
7C94A5DB C645 FF 01 mov byte ptr ss:[ebp-0x1],0x1
7C94A5DF 5F pop edi ; ntdll.7C930228
7C94A5E0 5B pop ebx ; ntdll.7C930228
7C94A5E1 8A45 FF mov al,byte ptr ss:[ebp-0x1]
7C94A5E4 5E pop esi ; ntdll.7C930228
7C94A5E5 C9 leave
7C94A5E6 C2 0800 retn 0x8
7C92E48A 0AC0 or al,al //出第一个call,我们还要继续(F8)出,因为还在系统领空
; Dispatcher tail: al, the result of the previous listing, selects the path.
; Non-zero: pop ebx/ecx, then ZwContinue(ecx, 0) resumes execution at the
; context the handler prepared (ecx is presumably the CONTEXT pointer), which
; is how control lands in the unpacker stub. Zero: ZwRaiseException(ebx, ecx, 0)
; instead. Still system space, so keep stepping over (F8).
; The 0012FCD4 values after ';' are the debugger's stack annotations.
7C92E48C 74 0C je short ntdll.7C92E49A
7C92E48E 5B pop ebx ; 0012FCD4
7C92E48F 59 pop ecx ; 0012FCD4
7C92E490 6A 00 push 0x0
7C92E492 51 push ecx
7C92E493 E8 C6EBFFFF call ntdll.ZwContinue
7C92E498 EB 0B jmp short ntdll.7C92E4A5
7C92E49A 5B pop ebx ; 0012FCD4
7C92E49B 59 pop ecx ; 0012FCD4
7C92E49C 6A 00 push 0x0
7C92E49E 51 push ecx
7C92E49F 53 push ebx
7C92E4A0 E8 09F5FFFF call ntdll.ZwRaiseException
; Neither system call is expected to return. If one does, 0x14 bytes (five
; dwords) are reserved on the stack and filled as [esp]=eax (the status),
; [esp+4]=1, [esp+8]=ebx, [esp+0x10]=0 — the shape of an EXCEPTION_RECORD
; with flags = 1 (EXCEPTION_NONCONTINUABLE) — and RtlRaiseException is
; called with a pointer to it. [esp+0xC] is left as whatever was there.
7C92E4A5 83C4 EC add esp,-0x14
7C92E4A8 890424 mov dword ptr ss:[esp],eax
7C92E4AB C74424 04 01000>mov dword ptr ss:[esp+0x4],0x1
7C92E4B3 895C24 08 mov dword ptr ss:[esp+0x8],ebx
7C92E4B7 C74424 10 00000>mov dword ptr ss:[esp+0x10],0x0
7C92E4BF 54 push esp
7C92E4C0 E8 63000000 call ntdll.RtlRaiseException
7C92E4C5 C2 0800 retn 0x8
005496DF 53 push ebx //出来了,看最下面的:0054976D - FFE0 jmp eax 很可疑,我们F8单步下去
; Unpacker stub, back in the program's own address space. It is reached through
; the SEH handler installed at the packed entry (005496AC); the handler's first
; instructions up to 005496DF are not in the listing. Register roles that the
; visible code establishes:
;   ebx = parameter table at eax + 0x10001257
;   edx = [ebx+0x18]; it is added to every table entry that is then used as an
;         address, so those entries are stored relative to edx (presumably a
;         load delta — confirm)
;   ebp = eax (entry value, restored at the end)
;   edi = result of the first call; esi = [ebx] + edx
; The values after ';' (ntdll.KiFastSystemCallRet on every edx line, 0012FFB0
; on every pop, ntdll.7C930228 on edi) are the debugger's register/stack
; annotations at the moment of the dump and say nothing about the operands.
005496E0 51 push ecx
005496E1 57 push edi ; ntdll.7C930228
005496E2 56 push esi
005496E3 52 push edx ; ntdll.KiFastSystemCallRet
005496E4 8D98 57120010 lea ebx,dword ptr ds:[eax+0x10001257]
005496EA 8B53 18 mov edx,dword ptr ds:[ebx+0x18]
005496ED 52 push edx ; ntdll.KiFastSystemCallRet
005496EE 8BE8 mov ebp,eax
; Four stdcall arguments, in parameter order: (0, [ebx+4], 0x1000, 0x40), i.e.
; address NULL, a size from the table, MEM_COMMIT, PAGE_EXECUTE_READWRITE. The
; callee is a pointer fetched through the table ([ebx+0x10]+edx -> [ecx]) and is
; not named in the dump; the argument shape is VirtualAlloc's. An image asking
; for a fresh RWX region is the behaviour memory scanners and EDR rules key on
; when flagging runtime unpacking, so this is the first good detection point.
005496F0 6A 40 push 0x40
005496F2 68 00100000 push 0x1000
005496F7 FF73 04 push dword ptr ds:[ebx+0x4]
005496FA 6A 00 push 0x0
005496FC 8B4B 10 mov ecx,dword ptr ds:[ebx+0x10]
005496FF 03CA add ecx,edx ; ntdll.KiFastSystemCallRet
00549701 8B01 mov eax,dword ptr ds:[ecx]
00549703 FFD0 call eax
; The callee cleaned its arguments (the pop gets back the edx pushed at
; 005496ED). edi = the call's result, also saved on the stack for later.
00549705 5A pop edx ; 0012FFB0
00549706 8BF8 mov edi,eax
00549708 50 push eax
00549709 52 push edx ; ntdll.KiFastSystemCallRet
; Table entries [ebx+0x20] and [ebx+0x1C] are each replaced by the dword they
; point to (after adding edx): the stub is dereferencing its own pointers
; in place before handing the table to the next routine.
0054970A 8B33 mov esi,dword ptr ds:[ebx]
0054970C 8B43 20 mov eax,dword ptr ds:[ebx+0x20] ; ntdll.RtlEnterCriticalSection
0054970F 03C2 add eax,edx ; ntdll.KiFastSystemCallRet
00549711 8B08 mov ecx,dword ptr ds:[eax]
00549713 894B 20 mov dword ptr ds:[ebx+0x20],ecx
00549716 8B43 1C mov eax,dword ptr ds:[ebx+0x1C] ; ntdll.7C9A0620
00549719 03C2 add eax,edx ; ntdll.KiFastSystemCallRet
0054971B 8B08 mov ecx,dword ptr ds:[eax]
0054971D 894B 1C mov dword ptr ds:[ebx+0x1C],ecx
00549720 03F2 add esi,edx ; ntdll.KiFastSystemCallRet
; call [ebx+0xC]+edx with (esi, edi, &[ebx+0x1C]): a source, the buffer from
; the first call, and a parameter block. Presumably the routine that fills the
; RWX buffer (decompression) — its internals are not on this page.
00549722 8B4B 0C mov ecx,dword ptr ds:[ebx+0xC]
00549725 03CA add ecx,edx ; ntdll.KiFastSystemCallRet
00549727 8D43 1C lea eax,dword ptr ds:[ebx+0x1C]
0054972A 50 push eax
0054972B 57 push edi ; ntdll.7C930228
0054972C 56 push esi
0054972D FFD1 call ecx
; Recover the saved buffer address, add [ebx+8] to it, and keep it in both
; edi and esi. The dword just before that address ([esi-4]) plus 4 is
; subtracted from esi, so esi ends up at a header that precedes the code;
; edx and [ebx+0xC] are written into that header before the code is called.
0054972F 5A pop edx ; 0012FFB0
00549730 58 pop eax ; 0012FFB0
00549731 0343 08 add eax,dword ptr ds:[ebx+0x8] ; 专属卡图.00400000
00549734 8BF8 mov edi,eax
00549736 52 push edx ; ntdll.KiFastSystemCallRet
00549737 8BF0 mov esi,eax
00549739 8B46 FC mov eax,dword ptr ds:[esi-0x4]
0054973C 83C0 04 add eax,0x4
0054973F 2BF0 sub esi,eax
00549741 8956 08 mov dword ptr ds:[esi+0x8],edx ; ntdll.KiFastSystemCallRet
00549744 8B4B 0C mov ecx,dword ptr ds:[ebx+0xC]
00549747 894E 14 mov dword ptr ds:[esi+0x14],ecx
; Execute the code just placed in the buffer. Its return value in eax is the
; address the final jmp goes to, so from here on eax is the thing to watch.
0054974A FFD7 call edi ; ntdll.7C930228
0054974C 5A pop edx ; 0012FFB0
; ecx = 0 and stays 0 through the compare. If the word at [esi+0x2A] is zero,
; the result is parked in esi and a call is made with (edi, 0, 0x8000), i.e.
; (address, size 0, MEM_RELEASE) — the shape of VirtualFree on the buffer —
; before eax is restored from esi. A non-zero word skips the release.
0054974D 33C9 xor ecx,ecx
0054974F 66:3B4E 2A cmp cx,word ptr ds:[esi+0x2A]
00549753 75 12 jnz short 专属卡图.00549767
00549755 8BF0 mov esi,eax
00549757 68 00800000 push 0x8000
0054975C 51 push ecx
0054975D 8B4B 14 mov ecx,dword ptr ds:[ebx+0x14]
00549760 03CA add ecx,edx ; ntdll.KiFastSystemCallRet
00549762 57 push edi ; ntdll.7C930228
00549763 FF11 call dword ptr ds:[ecx]
00549765 8BC6 mov eax,esi
; Restore everything pushed on entry and jump to the computed address. The
; target only exists at run time, which is why the author singles this jmp
; out: a single F8 here lands on the original entry point (next listing).
00549767 5A pop edx ; 0012FFB0
00549768 5E pop esi ; 0012FFB0
00549769 5F pop edi ; 0012FFB0
0054976A 59 pop ecx ; 0012FFB0
0054976B 5B pop ebx ; 0012FFB0
0054976C 5D pop ebp ; 0012FFB0
0054976D - FFE0 jmp eax
00466227 >/$ 55 push ebp //到达OEP
; OEP (00466227, the line above). Note the address: it is the same one the
; packed entry occupied at the top of the page, so the stub wrote the original
; code back over the packed entry before its jmp eax. What follows is a normal
; MSVC CRT startup: frame pointer, an SEH frame (push -1, the scope table
; 004CCF58, the handler 0046AEAC, the previous fs:[0]), 0x58 bytes of locals,
; callee-saved registers, then GetVersion split into the CRT's globals. This is
; the place to take the process dump; the "修复" (fix-up) the author mentions is
; the import repair that follows dumping.
00466228 |. 8BEC mov ebp,esp
0046622A |. 6A FF push -0x1
0046622C |. 68 58CF4C00 push 专属卡图.004CCF58
00466231 |. 68 ACAE4600 push 专属卡图.0046AEAC ; SE handler installation
00466236 |. 64:A1 0000000>mov eax,dword ptr fs:[0]
0046623C |. 50 push eax ; 专属卡图.<ModuleEntryPoint>
0046623D |. 64:8925 00000>mov dword ptr fs:[0],esp
00466244 |. 83EC 58 sub esp,0x58
00466247 |. 53 push ebx
00466248 |. 56 push esi
00466249 |. 57 push edi ; ntdll.7C930228
0046624A |. 8965 E8 mov [local.6],esp
; GetVersion (imported through 0x48636C) returns major in al, minor in ah and
; the build number in the high word. The CRT stores minor at 0x4FD330, major at
; 0x4FD32C, (major << 8) | minor at 0x4FD328 and the build at 0x4FD324. The
; ';' annotations are the debugger's register values, not operand meaning.
0046624D |. FF15 6C634800 call dword ptr ds:[0x48636C] ; kernel32.GetVersion
00466253 |. 33D2 xor edx,edx ; ntdll.KiFastSystemCallRet
00466255 |. 8AD4 mov dl,ah
00466257 |. 8915 30D34F00 mov dword ptr ds:[0x4FD330],edx ; ntdll.KiFastSystemCallRet
0046625D |. 8BC8 mov ecx,eax ; 专属卡图.<ModuleEntryPoint>
0046625F |. 81E1 FF000000 and ecx,0xFF
00466265 |. 890D 2CD34F00 mov dword ptr ds:[0x4FD32C],ecx
0046626B |. C1E1 08 shl ecx,0x8
0046626E |. 03CA add ecx,edx ; ntdll.KiFastSystemCallRet
00466270 |. 890D 28D34F00 mov dword ptr ds:[0x4FD328],ecx
00466276 |. C1E8 10 shr eax,0x10
00466279 |. A3 24D34F00 mov dword ptr ds:[0x4FD324],eax ; 专属卡图.<ModuleEntryPoint>
; The listing stops here, mid-function; the call this argument belongs to is
; not shown.
0046627E |. 6A 01 push 0x1
PS:修复很简单,论坛都有。