Asking the experts: what are "packing" and "unpacking"?
I don't know either, let an expert take a look :D |
|
How do I change 幻影 into the professional version?
Thanks |
|
Newbie asking for help unpacking something ~ I really can't crack it.. could some expert help me
One last look: who planted the trojan? |
|
How do I append data that sits below address 400000 to the end of the file?
How do you use scripts? I've never once succeeded :( |
|
How do I append data that sits below address 400000 to the end of the file?
This is the oldest Hying packer I've seen; the jump encryption is extremely simple and the anti-debugging isn't nasty. A quick rundown of the unpacking process: load the packed program in OD, ignore all exceptions, and it stops here:
-----------------------------------------------------------------------
00405000   E8 AA000000      CALL MASM32.004050AF
00405005   2D 50000000      SUB EAX,50
0040500A   0000             ADD BYTE PTR DS:[EAX],AL
0040500C   0000             ADD BYTE PTR DS:[EAX],AL
0040500E   0000             ADD BYTE PTR DS:[EAX],AL
00405010   003D 5000002D    ADD BYTE PTR DS:[2D000050],BH

Alt+M opens the memory map, which looks like this:
----------------------------------------------------------------------
Memory map
Address   Size      Owner   Section  Contains           Type  Access  Initial access
00400000  00001000  MASM32           PE header          Imag  R       RWE
00401000  00003000  MASM32           code               Imag  R       RWE
00404000  00001000  MASM32           resources          Imag  R       RWE
00405000  00001000  MASM32           SFX,data,imports   Imag  R       RWE

Set a memory-write breakpoint on the code section and F9 to run; it breaks here:
----------------------------------------------------------------------
00341D68   F3:A4            REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]   // breaks here
00341D6A   5E               POP ESI
00341D6B   53               PUSH EBX
00341D6C   68 00800000      PUSH 8000
00341D71   6A 00            PUSH 0
00341D73   56               PUSH ESI
00341D74   FF95 E9020000    CALL DWORD PTR SS:[EBP+2E9]

After the break, remove the memory breakpoint, enter the command bp GetProcAddress and F9 to run. When it breaks, clear the breakpoint and Alt+F9 to return; it comes back here:
--------------------------------------------------------------------------
78746E95   A3 A4827578      MOV DWORD PTR DS:[787582A4],EAX   // returns here
78746E9A   C705 A0827578 0> MOV DWORD PTR DS:[787582A0],1
78746EA4   A1 A4827578      MOV EAX,DWORD PTR DS:[787582A4]
78746EA9   85C0             TEST EAX,EAX
78746EAB   74 0D            JE SHORT 78746EBA
78746EAD   FF75 10          PUSH DWORD PTR SS:[EBP+10]
78746EB0   FF75 0C          PUSH DWORD PTR SS:[EBP+C]
78746EB3   FF75 08          PUSH DWORD PTR SS:[EBP+8]
78746EB6   FFD0             CALL EAX

Alt+M to open the memory map again, set a memory-write breakpoint on code, F9, and it breaks here:
-----------------------------------------------------------------------
00341E72   8907             MOV DWORD PTR DS:[EDI],EAX        // breaks here; clear the memory breakpoint after it hits
00341E74   5A               POP EDX
00341E75   0FB642 FF        MOVZX EAX,BYTE PTR DS:[EDX-1]
00341E79   03D0             ADD EDX,EAX
00341E7B   42               INC EDX
00341E7C   83C7 04          ADD EDI,4
00341E7F   59               POP ECX
00341E80  ^E2 CA            LOOPD SHORT 00341E4C
00341E82  ^EB 93            JMP SHORT 00341E17                // loop that initializes the IAT
00341E84   8B85 BC020000    MOV EAX,DWORD PTR SS:[EBP+2BC]
00341E8A   83F8 01          CMP EAX,1
00341E8D   75 27            JNZ SHORT 00341EB6
00341E8F   8BBD C4020000    MOV EDI,DWORD PTR SS:[EBP+2C4]
00341E95   03FD             ADD EDI,EBP
00341E97   8DB5 4D020000    LEA ESI,DWORD PTR SS:[EBP+24D]
00341E9D   8B07             MOV EAX,DWORD PTR DS:[EDI]
00341E9F   0BC0             OR EAX,EAX
00341EA1   75 02            JNZ SHORT 00341EA5
00341EA3   EB 11            JMP SHORT 00341EB6
00341EA5   25 FFFFFF7F      AND EAX,7FFFFFFF
00341EAA   8BDE             MOV EBX,ESI                       // start patching here: change to JMP 00342500
00341EAC   2BD8             SUB EBX,EAX
00341EAE   8958 FC          MOV DWORD PTR DS:[EAX-4],EBX
00341EB1   83C7 08          ADD EDI,8
00341EB4  ^EB E7            JMP SHORT 00341E9D
00341EB6   64:FF35 3000000> PUSH DWORD PTR FS:[30]
00341EBD   58               POP EAX
00341EBE   85C0             TEST EAX,EAX
00341EC0   78 0F            JS SHORT 00341ED1
00341EC2   8B40 0C          MOV EAX,DWORD PTR DS:[EAX+C]
00341EC5   8B40 0C          MOV EAX,DWORD PTR DS:[EAX+C]
00341EC8   C740 20 0010000> MOV DWORD PTR DS:[EAX+20],1000
00341ECF   EB 1C            JMP SHORT 00341EED
00341ED1   6A 00            PUSH 0
00341ED3   FF95 A8020000    CALL DWORD PTR SS:[EBP+2A8]
00341ED9   85D2             TEST EDX,EDX
00341EDB   79 10            JNS SHORT 00341EED
00341EDD   837A 08 FF       CMP DWORD PTR DS:[EDX+8],-1
00341EE1   75 0A            JNZ SHORT 00341EED
00341EE3   8B52 04          MOV EDX,DWORD PTR DS:[EDX+4]
00341EE6   C742 50 0010000> MOV DWORD PTR DS:[EDX+50],1000
00341EED   89AD 58020000    MOV DWORD PTR SS:[EBP+258],EBP
00341EF3   8B85 C8020000    MOV EAX,DWORD PTR SS:[EBP+2C8]
00341EF9   0385 B4020000    ADD EAX,DWORD PTR SS:[EBP+2B4]
00341EFF   FFE0             JMP EAX                           // this jumps to the OEP

Once at the OEP, step into any CALL and you can see that the jump table is encrypted, but decoding it couldn't be simpler; the code is:
--------------------------------------------------------------------------
00341F01   50               PUSH EAX
00341F02   8BC4             MOV EAX,ESP
00341F04   60               PUSHAD
00341F05   8BD8             MOV EBX,EAX
00341F07   E8 04000000      CALL 00341F10
00341F0C   B4 1C            MOV AH,1C
00341F0E   34 00            XOR AL,0
00341F10   5D               POP EBP
00341F11   8B6D 00          MOV EBP,DWORD PTR SS:[EBP]
00341F14   8B7B 04          MOV EDI,DWORD PTR DS:[EBX+4]
00341F17   8BB5 C4020000    MOV ESI,DWORD PTR SS:[EBP+2C4]
00341F1D   03F5             ADD ESI,EBP
00341F1F   8B06             MOV EAX,DWORD PTR DS:[ESI]
00341F21   33D2             XOR EDX,EDX
00341F23   B9 02000000      MOV ECX,2
00341F28   F7E1             MUL ECX
00341F2A   D1E8             SHR EAX,1
00341F2C   3BF8             CMP EDI,EAX
00341F2E   75 0A            JNZ SHORT 00341F3A
00341F30   0AD2             OR DL,DL
00341F32   75 04            JNZ SHORT 00341F38
00341F34   EB 09            JMP SHORT 00341F3F
00341F36   EB 02            JMP SHORT 00341F3A
00341F38   EB 10            JMP SHORT 00341F4A
00341F3A   83C6 08          ADD ESI,8
00341F3D  ^EB E0            JMP SHORT 00341F1F
00341F3F   8B46 04          MOV EAX,DWORD PTR DS:[ESI+4]
00341F42   8903             MOV DWORD PTR DS:[EBX],EAX
00341F44   61               POPAD
00341F45   58               POP EAX
00341F46   8B00             MOV EAX,DWORD PTR DS:[EAX]
00341F48   FFE0             JMP EAX
00341F4A   8B46 04          MOV EAX,DWORD PTR DS:[ESI+4]
00341F4D   8903             MOV DWORD PTR DS:[EBX],EAX
00341F4F   61               POPAD
00341F50   58               POP EAX
00341F51   83C4 04          ADD ESP,4
00341F54   8B00             MOV EAX,DWORD PTR DS:[EAX]
00341F56   FFE0             JMP EAX

Anyone who can read assembly can see what is going on here. After analysing it I applied the following patch (note that I patched before reaching the OEP, to save myself writing a loop; I started patching at 00341EAA. Find any blank area at the end of this memory region; I used 00342500, so the code at 00341EAA was changed to JMP 00342500). The patch code:
-------------------------------------------------------------------------------------------
00342500   8BF0             MOV ESI,EAX                       ; MASM32.00401AAE
00342502   83C6 FA          ADD ESI,-6
00342505   66:C706 FF25     MOV WORD PTR DS:[ESI],25FF
0034250A   8B47 04          MOV EAX,DWORD PTR DS:[EDI+4]
0034250D   8946 02          MOV DWORD PTR DS:[ESI+2],EAX
00342510   E9 9CF9FFFF      JMP 00341EB1

After patching, F4 to the line at 00341EFF and you are at the OEP; dump, fix, and it runs. Attachment: Unpacked.rar |
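The same repair done statically on a dumped image, as an added example (my code, not from the post above and not part of the packer or of Unpacked.rar). It walks the packer's table of 8-byte entries, (call-site end address with a flag in the high bit, address of the IAT slot), the way the loop at 00341E9D does, and rewrites each 6-byte site to a direct thunk. Two things here are my reading of the posted stub rather than anything the post states: the high bit is treated as "jump thunk" because the 00341F4A path does ADD ESP,4 (discarding the return address) when it is set and the 00341F3F path keeps the return address, so sites with the bit clear get CALL DWORD PTR [slot] (FF 15) instead of the post's unconditional FF 25; and before overwriting, each site is checked to still contain the 5-byte CALL rel32 that the 00341EAE write to [EAX-4] installs, so a wrong table base cannot corrupt code. The image bytes, addresses and IAT slots in build_sample are constructed for the demonstration; STUB_VA, IMAGE_BASE and the function names are mine.

```python
"""Static restoration of packer-redirected import thunks (added example)."""
import struct

IMAGE_BASE = 0x00400000      # assumed base of the dumped image
STUB_VA = 0x00341F01         # where the post's decoder stub lived
FLAG_JUMP = 0x80000000       # my reading: high bit set = jump thunk (stub path 00341F4A)


def parse_table(image, table_off):
    """Yield (site_end_va, is_jump, iat_slot_va); a zero key terminates the table."""
    off = table_off
    while True:
        key, slot = struct.unpack_from("<II", image, off)
        if key == 0:                      # matches the OR EAX,EAX / JNZ test at 00341E9F
            return
        yield key & 0x7FFFFFFF, bool(key & FLAG_JUMP), slot   # AND EAX,7FFFFFFF
        off += 8


def restore_thunks(image, table_off, image_base=IMAGE_BASE, stub_va=None):
    """Patch image in place; return [(site_va, new_bytes)] in table order.

    With stub_va given, a site whose last five bytes are not a CALL rel32
    landing on the stub is refused, which guards against a bad table base.
    """
    fixed = []
    for site_end, is_jump, slot in parse_table(bytes(image), table_off):
        start = site_end - 6 - image_base         # the post's ADD ESI,-6
        if start < 0 or start + 6 > len(image):
            raise ValueError(f"site ending at {site_end:#x} is outside the image")
        if stub_va is not None:
            rel = struct.unpack_from("<i", image, start + 2)[0]
            if image[start + 1] != 0xE8 or site_end + rel != stub_va:
                raise ValueError(f"site ending at {site_end:#x} is not a CALL to the stub")
        opcode = b"\xFF\x25" if is_jump else b"\xFF\x15"      # JMP [slot] / CALL [slot]
        new = opcode + struct.pack("<I", slot)
        image[start:start + 6] = new
        fixed.append((site_end - 6, new))
    return fixed


def build_sample():
    """Constructed image: two redirected sites in 'code', the table in 'data'."""
    image = bytearray(0x6000)
    for site_end in (0x401006, 0x40100C):
        start = site_end - 6 - IMAGE_BASE
        image[start] = 0x90                                   # packer's filler byte
        image[start + 1] = 0xE8                               # CALL rel32 -> stub
        struct.pack_into("<i", image, start + 2, STUB_VA - site_end)
    table_off = 0x5000
    struct.pack_into("<II", image, table_off, 0x401006 | FLAG_JUMP, 0x405010)  # jump thunk
    struct.pack_into("<II", image, table_off + 8, 0x40100C, 0x405014)          # call site
    struct.pack_into("<I", image, table_off + 16, 0)                           # terminator
    return image, table_off


if __name__ == "__main__":
    img, off = build_sample()
    for va, new in restore_thunks(img, off, stub_va=STUB_VA):
        print(f"{va:08X}  {new.hex(' ').upper()}")
```

On a real dump you would locate the table from EBP+2C4 (EBP being the value the stub recovers at 00341F11) and pass the dump's file offset of that table plus its load base; the post's approach of patching at runtime does the same job with the packer's own loop.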
|
I can't unpack this one, help me!
It only had its resources rebuilt, that's all |
|
Could everyone recommend which packers are good these days? For my own program! Heh!
upx or Aspack are quite good~! :D |
|
Error after unpacking on WIN2000!!
The TLS table wasn't fixed |
|
Why does IMPORTREC show the following prompt when fixing the DUMP file?
There's an overlay; build the IAT inside the program instead of adding another section |
|
UPXFix's decompression method
Fix the checksum |