[Help] Is there an unpacker for UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo?
Self-check:
    00498C00   3D F0BA0400    CMP EAX,4BAF0                   ; compares the size
    00498C05   76 0E          JBE SHORT Thaiphoo.00498C15     ; exits if smaller than 310000 bytes; change the JBE directly to JMP here

ASProtect 1.2x - 1.3x unpacking
First check the exact ASProtect version in PEiD with the VerA 0.15 plugin, then go from there.

[Help] Question about modifying Panda
You want to modify it and go on harming people?

[Help] Got infected with a virus; when I try to unpack the virus I can't, hoping an expert can help.
In OD ignore all exceptions and set the breakpoint bp VirtualAlloc:
    7C809A51 > 8BFF           MOV EDI,EDI                     ; breaks here
    7C809A53   55             PUSH EBP
    7C809A54   8BEC           MOV EBP,ESP
    7C809A56   FF75 14        PUSH DWORD PTR SS:[EBP+14]
    7C809A59   FF75 10        PUSH DWORD PTR SS:[EBP+10]
    7C809A5C   FF75 0C        PUSH DWORD PTR SS:[EBP+C]
    7C809A5F   FF75 08        PUSH DWORD PTR SS:[EBP+8]
    7C809A62   6A FF          PUSH -1
    7C809A64   E8 09000000    CALL kernel32.VirtualAllocEx
    7C809A69   5D             POP EBP
    7C809A6A   C2 1000        RETN 10
Look at the stack:
    0012FF80   0040DDDE  /CALL to VirtualAlloc from Main.0040DDDC
    0012FF84   00000000  |Address = NULL
    0012FF88   00020000  |Size = 20000 (131072.)
    0012FF8C   00001000  |AllocationType = MEM_COMMIT
    0012FF90   00000040  \Protect = PAGE_EXECUTE_READWRITE
    0012FF94   7C882FC4  kernel32.LoadLibraryA
    0012FF98   7C80ADA0  kernel32.GetProcAddress
    0012FF9C   7C809AE4  kernel32.VirtualFree
    0012FFA0   7C930738  ntdll.7C930738
Now remove the breakpoint and press ALT+F9 to return:
    0040DDDE   5F             POP EDI                         ; returns here
    0040DDDF   5E             POP ESI
    0040DDE0   50             PUSH EAX
    0040DDE1   6A 00          PUSH 0
    0040DDE3   57             PUSH EDI
    0040DDE4   56             PUSH ESI
    0040DDE5   50             PUSH EAX
    0040DDE6   E8 00000000    CALL Main.0040DDEB
    0040DDEB   58             POP EAX
Look at the registers:
    EAX 00390000
    ECX 7C809AB9 kernel32.7C809AB9
    EDX 7C92EB94 ntdll.KiFastSystemCallRet
    EBX 7C809A51 kernel32.VirtualAlloc
    ESP 0012FF94
    EBP 0012FFF0
    ESI 7C80ADA0 kernel32.GetProcAddress
    EDI 7C882FC4 kernel32.LoadLibraryA
    EIP 0040DDDE Main.0040DDDE
Right-click the EAX register and choose "Follow in Dump", follow the address 00390000, then set a memory write breakpoint and press F9; it breaks here:
    0040DE4F   F3:A5          REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]   ; breaks here
    0040DE51   8BC8           MOV ECX,EAX
    0040DE53   83E1 03        AND ECX,3
    0040DE56   85D2           TEST EDX,EDX
    0040DE58   F3:A4          REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
    0040DE5A   76 30          JBE SHORT Main.0040DE8C
    0040DE5C   8B4424 1C      MOV EAX,DWORD PTR SS:[ESP+1C]
Look at the info pane:
    ECX=00000100 (decimal 256.)
    DS:[ESI]=[0040E222]=00905A4D
    ES:[EDI]=[00390000]=00000000
Right-click the line DS:[ESI]=[0040E222]=00905A4D in the info pane and choose "Follow address in Dump"; the dump window shows this:
    0040E222  4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00  MZ..............
    0040E232  B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ........@.......
    0040E242  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    0040E252  00 00 00 00 00 00 00 00 00 00 00 00 B8 00 00 00  ................
    0040E262  0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68  ........!..L.!Th
    0040E272  69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F  is program canno
    0040E282  74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20  t be run in DOS 
    0040E292  6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00  mode....$.......
    0040E2A2  25 A5 72 C7 61 C4 1C 94 61 C4 1C 94 61 C4 1C 94  %.r.a...a...a...
    0040E2B2  61 C4 1D 94 77 C4 1C 94 E2 CC 41 94 64 C4 1C 94  a...w.....A.d...
    0040E2C2  89 DB 17 94 63 C4 1C 94 52 69 63 68 61 C4 1C 94  ....c...Richa...
    0040E2D2  00 00 00 00 00 00 00 00 50 45 00 00 4C 01 03 00  ........PE..L...
    0040E2E2  FA 28 1E 46 00 00 00 00 00 00 00 00 E0 00 0E 21  .(.F...........!
    0040E2F2  0B 01 06 00 00 20 00 00 00 10 00 00 00 50 00 00  ..... .......P..
    0040E302  90 7C 00 00 00 60 00 00 00 80 00 00 00 00 00 10  .|...`..........
    0040E312  00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00  ................
    0040E322  04 00 00 00 00 00 00 00 00 90 00 00 00 10 00 00  ................
    0040E332  00 00 00 00 02 00 00 00 00 00 10 00 00 10 00 00  ................
    0040E342  00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00  ................
    0040E352  00 00 00 00 00 00 00 00 00 80 00 00 94 00 00 00  ................
    0040E362  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    0040E372  00 00 00 00 00 00 00 00 94 80 00 00 0C 00 00 00  ................
    0040E382  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    0040E392  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    0040E3A2  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    0040E3B2  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    0040E3C2  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    0040E3D2  55 50 58 30 00 00 00 00 00 50 00 00 00 10 00 00  UPX0............
    0040E3E2  00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00  ................
    0040E3F2  00 00 00 00 80 00 00 E0 55 50 58 31 00 00 00 00  ........UPX1....
    0040E402  00 20 00 00 00 60 00 00 00 20 00 00 00 04 00 00  . ...`... ......
    0040E412  00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 E0  ............@...
    0040E422  55 50 58 32 00 00 00 00 00 10 00 00 00 80 00 00  UPX2............
    0040E432  00 02 00 00 00 24 00 00 00 00 00 00 00 00 00 00  .....$..........
This is a PE file. Now use the region dump feature of LordPE or PETools, choose the 0040E222 we saw here as the start address, pick a generous size such as 10000, and dump. Change the extension of the dumped file to DLL, open it in 010Editor and delete the surplus bytes (the Overlay data that 010Editor shows when it applies the PE template). Scan the processed file with PEiD: it is packed with UPX. At this point you can unpack it directly with UPX's -d command. Do the analysis yourself. This thing releases the DLL inside it directly through VirtualAlloc and then runs it from memory. Don't bother unpacking the original packer; by the time you have run through it, the virus has long since executed. Attaching an unpacked copy, password is muma

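The dump-and-trim step from the reply above (find the MZ header in the allocated region, dump it with a generous size, then cut the overlay), as an added Python example that is not part of the original post or the poster's tools: it scans a byte buffer for embedded PE headers, computes each image's on-disk size from its section table so the trailing overlay can be discarded, and flags UPX section names as the triage hint PEiD gave. All function names and the sample buffer are my own assumptions; the sample's section values mirror the UPX0/UPX1/UPX2 headers visible in the dump, but the buffer is constructed and contains no executable code.

```python
import struct

SECTION_HEADER_SIZE = 40  # sizeof(IMAGE_SECTION_HEADER)


def find_pe_headers(buf):
    """Return offsets of every 'MZ' whose e_lfanew points at a 'PE\\0\\0' signature.
    This is the programmatic form of spotting 00905A4D / 'MZ' in the dump window."""
    hits = []
    pos = buf.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(buf):
            e_lfanew = struct.unpack_from("<I", buf, pos + 0x3C)[0]
            sig = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and buf[sig:sig + 4] == b"PE\0\0":
                hits.append(pos)
        pos = buf.find(b"MZ", pos + 1)
    return hits


def _nt_header(buf, base):
    """Return (offset of 'PE\\0\\0', NumberOfSections, SizeOfOptionalHeader)."""
    pe = base + struct.unpack_from("<I", buf, base + 0x3C)[0]
    num_sections = struct.unpack_from("<H", buf, pe + 6)[0]
    size_opt = struct.unpack_from("<H", buf, pe + 20)[0]
    return pe, num_sections, size_opt


def section_headers(buf, base):
    """Parse the section table of the PE at `base`:
    [(name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData), ...]."""
    pe, num_sections, size_opt = _nt_header(buf, base)
    table = pe + 24 + size_opt  # 4-byte signature + 20-byte IMAGE_FILE_HEADER + optional header
    out = []
    for i in range(num_sections):
        sh = table + i * SECTION_HEADER_SIZE
        name = bytes(buf[sh:sh + 8]).rstrip(b"\0")
        out.append((name,) + struct.unpack_from("<IIII", buf, sh + 8))
    return out


def pe_file_size(buf, base):
    """On-disk size of the image at `base`: the end of the last section's raw data
    (at least SizeOfHeaders). Anything past that is overlay, which is what the
    reply removes in 010Editor before running UPX -d."""
    pe, _, _ = _nt_header(buf, base)
    size_of_headers = struct.unpack_from("<I", buf, pe + 24 + 60)[0]  # same offset for PE32 and PE32+
    end = size_of_headers
    for _name, _vsize, _vaddr, raw_size, raw_ptr in section_headers(buf, base):
        end = max(end, raw_ptr + raw_size)
    return end


def carve_embedded_pes(buf):
    """Carve every embedded PE out of `buf` with its overlay trimmed.
    Returns [(offset_in_buf, image_bytes), ...]; truncated candidates are skipped."""
    carved = []
    for base in find_pe_headers(buf):
        try:
            size = pe_file_size(buf, base)
        except struct.error:
            continue  # header claims more than the buffer holds
        if base + size <= len(buf):
            carved.append((base, bytes(buf[base:base + size])))
    return carved


def looks_upx_packed(image):
    """Cheap triage matching what PEiD reported in the reply: UPX names its sections UPX0, UPX1, ..."""
    return any(name.startswith(b"UPX") for name, *_ in section_headers(image, 0))


def build_sample_memory():
    """Constructed sample (not real malware): filler bytes, then a minimal PE32 header
    whose section table mirrors the dump in the reply (UPX0/UPX1/UPX2, raw data ending
    at 0x2600), then trailing bytes that a generous dump size would pick up as overlay."""
    sections = [  # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        (b"UPX0", 0x5000, 0x1000, 0x0000, 0x0400),
        (b"UPX1", 0x2000, 0x6000, 0x2000, 0x0400),
        (b"UPX2", 0x1000, 0x8000, 0x0200, 0x2400),
    ]
    img = bytearray(0x2600)
    img[0:2] = b"MZ"
    pe = 0xB8
    struct.pack_into("<I", img, 0x3C, pe)  # e_lfanew, as in the dump
    img[pe:pe + 4] = b"PE\0\0"
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", img, pe + 4, 0x14C, len(sections), 0, 0, 0, 0xE0, 0x210E)
    opt = pe + 24
    struct.pack_into("<H", img, opt, 0x10B)       # PE32 magic
    struct.pack_into("<I", img, opt + 60, 0x400)  # SizeOfHeaders
    for i, (name, vsize, vaddr, raw_size, raw_ptr) in enumerate(sections):
        sh = opt + 0xE0 + i * SECTION_HEADER_SIZE
        img[sh:sh + 8] = name.ljust(8, b"\0")
        struct.pack_into("<IIII", img, sh + 8, vsize, vaddr, raw_size, raw_ptr)
    return b"\x90" * 0x222 + bytes(img) + b"\xCC" * 0x400


if __name__ == "__main__":
    for off, image in carve_embedded_pes(build_sample_memory()):
        print(f"PE at +{off:#x}: {len(image):#x} bytes, UPX section names: {looks_upx_packed(image)}")
```

Run against a raw dump of the VirtualAlloc'd region (or of the whole process) instead of the constructed buffer, and each carved image is already the size 010Editor's PE template would report without overlay, so it can go straight to PEiD and UPX -d. The size is derived from the section table rather than from SizeOfImage because a packed file's raw layout on disk is what UPX expects, not the virtual layout.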
About RadASM's project command line [Help]
If you are using my localized enhanced version, I already covered the first problem in the localization notes: 4. If you compile a MASM DOS App for the first time, the build may complain that the *.obj file cannot be found, but in fact the *.obj file has already been generated. The simple fix is to restart RadASM; compiling and building will work normally after that. For the second problem, since you have read RadASM's help file, look again at the Assembler.ini section: DelCheck is the file to delete before build and the file to check if exist after build. Use 0 to avoid this check.