[Help] Unpacking problem
Below is the OllyDbg debugging session of the program after unpacking and IAT repair; could the experts please diagnose it:

00524AEA >/$ 55             PUSH EBP
00524AEB |. 8BEC           MOV EBP,ESP
00524AED |. 6A FF          PUSH -1
00524AEF |. 68 F0DB5700    PUSH 2_.0057DBF0
00524AF4 |. 68 DC9F5200    PUSH 2_.00529FDC                  ; SE handler install
00524AF9 |. 64:A1 0000000> MOV EAX,DWORD PTR FS:[0]
00524AFF |. 50             PUSH EAX
00524B00 |. 64:8925 00000> MOV DWORD PTR FS:[0],ESP
00524B07 |. 83EC 58        SUB ESP,58
00524B0A |. 53             PUSH EBX
00524B0B |. 56             PUSH ESI
00524B0C |. 57             PUSH EDI
00524B0D |. 8965 E8        MOV DWORD PTR SS:[EBP-18],ESP
00524B10 |. FF15 9CA35600  CALL DWORD PTR DS:[56A39C]        ; kernel32.GetVersion
00524B16 |. 33D2           XOR EDX,EDX
00524B18 |. 8AD4           MOV DL,AH
00524B1A |. 8915 24B45A00  MOV DWORD PTR DS:[5AB424],EDX
00524B20 |. 8BC8           MOV ECX,EAX
00524B22 |. 81E1 FF000000  AND ECX,0FF
00524B28 |. 890D 20B45A00  MOV DWORD PTR DS:[5AB420],ECX
00524B2E |. C1E1 08        SHL ECX,8
00524B31 |. 03CA           ADD ECX,EDX
00524B33 |. 890D 1CB45A00  MOV DWORD PTR DS:[5AB41C],ECX
00524B39 |. C1E8 10        SHR EAX,10
00524B3C |. A3 18B45A00    MOV DWORD PTR DS:[5AB418],EAX
00524B41 |. 6A 01          PUSH 1
00524B43 |. E8 656D0000    CALL 2_.0052B8AD
00524B48 |. 59             POP ECX
00524B49 |. 85C0           TEST EAX,EAX
00524B4B |. 75 08          JNZ SHORT 2_.00524B55
00524B4D |. 6A 1C          PUSH 1C
00524B4F |. E8 C3000000    CALL 2_.00524C17
00524B54 |. 59             POP ECX
00524B55 |> E8 723B0000    CALL 2_.005286CC
00524B5A |. 85C0           TEST EAX,EAX
00524B5C |. 75 08          JNZ SHORT 2_.00524B66
00524B5E |. 6A 10          PUSH 10
00524B60 |. E8 B2000000    CALL 2_.00524C17
00524B65 |. 59             POP ECX
00524B66 |> 33F6           XOR ESI,ESI
00524B68 |. 8975 FC        MOV DWORD PTR SS:[EBP-4],ESI
00524B6B |. E8 83510000    CALL 2_.00529CF3
00524B70 |. FF15 CCA25600  CALL DWORD PTR DS:[56A2CC]        ; [GetCommandLineA
00524B76 |. A3 28BB5A00    MOV DWORD PTR DS:[5ABB28],EAX
00524B7B |. E8 06880000    CALL 2_.0052D386
00524B80 |. A3 58B45A00    MOV DWORD PTR DS:[5AB458],EAX
00524B85 |. E8 AF850000    CALL 2_.0052D139
00524B8A |. E8 F1840000    CALL 2_.0052D080
00524B8F |. E8 D7FBFFFF    CALL 2_.0052476B                  ; F7 step into
00524B94 |. 8975 D0        MOV DWORD PTR SS:[EBP-30],ESI
00524B97 |. 8D45 A4        LEA EAX,DWORD PTR SS:[EBP-5C]
00524B9A |. 50             PUSH EAX                          ; /pStartupinfo

0052476B /$ A1 E0525A00    MOV EAX,DWORD PTR DS:[5A52E0]     ; arrive here
00524770 |. 85C0           TEST EAX,EAX
00524772 |. 74 02          JE SHORT 2_.00524776
00524774 |. FFD0           CALL EAX                          ; F7 step into
00524776 |> 68 C0805900    PUSH 2_.005980C0
0052477B |. 68 AC805900    PUSH 2_.005980AC
00524780 |. E8 EC000000    CALL 2_.00524871
00524785 |. 68 A8805900    PUSH 2_.005980A8
0052478A |. 68 00805900    PUSH 2_.00598000
0052478F |. E8 DD000000    CALL 2_.00524871
00524794 |. 83C4 10        ADD ESP,10
00524797 \. C3             RETN

00521EB8  . E8 13000000    CALL 2_.00521ED0                  ; arrive here, F7 step into
00521EBD  . E8 EF530000    CALL 2_.005272B1                  ; arrive here again, F7 step into
00521EC2  . A3 F0B35A00    MOV DWORD PTR DS:[5AB3F0],EAX
00521EC7  . E8 95530000    CALL 2_.00527261
00521ECC  . DBE2           FCLEX
00521ECE  . C3             RETN
00521ECF  . C3             RETN
00521ED0 /$ B8 8A765200    MOV EAX,2_.0052768A               ; arrive here
00521ED5 |. C705 08595A00> MOV DWORD PTR DS:[5A5908],2_.00527334
00521EDF |. A3 04595A00    MOV DWORD PTR DS:[5A5904],EAX
00521EE4 |. C705 0C595A00> MOV DWORD PTR DS:[5A590C],2_.0052739A
00521EEE |. C705 10595A00> MOV DWORD PTR DS:[5A5910],2_.005272DA
00521EF8 |. C705 14595A00> MOV DWORD PTR DS:[5A5914],2_.00527382
00521F02 |. A3 18595A00    MOV DWORD PTR DS:[5A5918],EAX
00521F07 \. C3             RETN                              ; return

005272B1 |$ 68 188F5700    PUSH 2_.00578F18                  ; /pModule = "KERNEL32", arrive here
005272B6 |. FF15 ACA35600  CALL DWORD PTR DS:[56A3AC]        ; \GetModuleHandleA, F7 step into
005272BC |. 85C0           TEST EAX,EAX                      ; keep stepping with F7
005272BE |. 74 15          JE SHORT 2_.005272D5
005272C0 |. 68 C8DD5700    PUSH 2_.0057DDC8                  ; ASCII "IsProcessorFeaturePresent"
005272C5 |. 50             PUSH EAX
005272C6 |. FF15 B0A35600  CALL DWORD PTR DS:[56A3B0]        ; kernel32.7C915FEC, F7 step into
005272CC |. 85C0           TEST EAX,EAX
005272CE |. 74 05          JE SHORT 2_.005272D5
005272D0 |. 6A 00          PUSH 0
005272D2 |. FFD0           CALL EAX
005272D4 |. C3             RETN

7C80B6A1 >  8BFF           MOV EDI,EDI                       ; ntdll.7C93094E, arrive here
7C80B6A3    55             PUSH EBP
7C80B6A4    8BEC           MOV EBP,ESP
7C80B6A6    837D 08 00     CMP DWORD PTR SS:[EBP+8],0
7C80B6AA    74 18          JE SHORT kernel32.7C80B6C4
7C80B6AC    FF75 08        PUSH DWORD PTR SS:[EBP+8]
7C80B6AF    E8 C0290000    CALL kernel32.7C80E074
7C80B6B4    85C0           TEST EAX,EAX
7C80B6B6    74 08          JE SHORT kernel32.7C80B6C0
7C80B6B8    FF70 04        PUSH DWORD PTR DS:[EAX+4]
7C80B6BB    E8 7D2D0000    CALL kernel32.GetModuleHandleW
7C80B6C0    5D             POP EBP
7C80B6C1    C2 0400        RETN 4                            ; return

7C915FD2    6F             OUTS DX,DWORD PTR ES:[EDI]        ; I/O command
7C915FD3    006400 75      ADD BYTE PTR DS:[EAX+EAX+75],AH
7C915FD7    0063 00        ADD BYTE PTR DS:[EBX],AH
7C915FDA    74 00          JE SHORT kernel32.7C915FDC
7C915FDC    56             PUSH ESI
7C915FDD    0065 00        ADD BYTE PTR SS:[EBP],AH
7C915FE0    72 00          JB SHORT kernel32.7C915FE2
7C915FE2    73 00          JNB SHORT kernel32.7C915FE4
7C915FE4    6900 6F006E00  IMUL EAX,DWORD PTR DS:[EAX],6E006F
7C915FEA    0000           ADD BYTE PTR DS:[EAX],AL
7C915FEC    35 002E0031    XOR EAX,31002E00                  ; arrive here, F7
7C915FF1    002E           ADD BYTE PTR DS:[ESI],CH          ; F7, error: "the debugged program cannot handle the exception", cannot continue
7C915FF3    0032           ADD BYTE PTR DS:[EDX],DH
7C915FF5    0036           ADD BYTE PTR DS:[ESI],DH
7C915FF7    0030           ADD BYTE PTR DS:[EAX],DH
7C915FF9    0030           ADD BYTE PTR DS:[EAX],DH
7C915FFB    002E           ADD BYTE PTR DS:[ESI],CH
7C915FFD    0033           ADD BYTE PTR DS:[EBX],DH
7C915FFF    0031           ADD BYTE PTR DS:[ECX],DH
7C916001    0031           ADD BYTE PTR DS:[ECX],DH
7C916003    0039           ADD BYTE PTR DS:[ECX],BH
7C916005    0000           ADD BYTE PTR DS:[EAX],AL
7C916007    004400 00      ADD BYTE PTR DS:[EAX+EAX],AL
7C91600B    0001           ADD BYTE PTR DS:[ECX],AL
7C91600D    0056 00        ADD BYTE PTR DS:[ESI],DL
7C916010    61             POPAD
7C916011    0072 00        ADD BYTE PTR DS:[EDX],DH
7C916014    46             INC ESI
7C916015    0069 00        ADD BYTE PTR DS:[ECX],CH
7C916018    6C             INS BYTE PTR ES:[EDI],DX          ; I/O command
7C916019    0065 00        ADD BYTE PTR SS:[EBP],AH
7C91601C    49             DEC ECX
7C91601D    006E 00        ADD BYTE PTR DS:[ESI],CH
7C916020    66:006F 00     ADD BYTE PTR DS:[EDI],CH
7C916024    0000           ADD BYTE PTR DS:[EAX],AL
7C916026    0000           ADD BYTE PTR DS:[EAX],AL
7C916028    24 00          AND AL,0
7C91602A    04 00          ADD AL,0
7C91602C    0000           ADD BYTE PTR DS:[EAX],AL
7C91602E    54             PUSH ESP
7C91602F    0072 00        ADD BYTE PTR DS:[EDX],DH
7C916032    61             POPAD
7C916033    006E 00        ADD BYTE PTR DS:[ESI],CH
7C916036    73 00          JNB SHORT kernel32.7C916038
7C916038    6C             INS BYTE PTR ES:[EDI],DX          ; I/O command
7C916039    0061 00        ADD BYTE PTR DS:[ECX],AH
7C91603C    74 00          JE SHORT kernel32.7C91603E
7C91603E    6900 6F006E00  IMUL EAX,DWORD PTR DS:[EAX],6E006F
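An added example, not part of the poster's listing or of OllyDbg itself: a small scanner over an OllyDbg listing in the format shown above. OllyDbg annotates a call through an IAT slot with `module.ExportName` when the slot holds the address of an exported function, and with a bare `module.<8 hex digits>` (as in `kernel32.7C915FEC` above) when the slot points into the module at an address that is not a known export. After a dump-and-rebuild, slots annotated the second way are the ones worth re-checking in the import table. The sample lines are copied from the listing in the post; the function and class names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List

# One OllyDbg listing line looks like:
# 00524B10 |. FF15 9CA35600  CALL DWORD PTR DS:[56A39C]  ; kernel32.GetVersion
IAT_CALL_RE = re.compile(
    r"^(?P<addr>[0-9A-Fa-f]{8})\b.*?"
    r"CALL DWORD PTR DS:\[(?P<slot>[0-9A-Fa-f]+)\]"
    r"\s*;\s*(?P<comment>.*)$"
)

# OllyDbg writes a target it cannot name as module.<8 hex digits>
HEX_TARGET_RE = re.compile(r"^[0-9A-Fa-f]{8}$")

# Sample input constructed from the lines quoted in the post above.
SAMPLE_LISTING = """\
00524B10 |. FF15 9CA35600  CALL DWORD PTR DS:[56A39C]   ; kernel32.GetVersion
00524B70 |. FF15 CCA25600  CALL DWORD PTR DS:[56A2CC]   ; [GetCommandLineA
005272B6 |. FF15 ACA35600  CALL DWORD PTR DS:[56A3AC]   ; \\GetModuleHandleA, F7 step into
005272C6 |. FF15 B0A35600  CALL DWORD PTR DS:[56A3B0]   ; kernel32.7C915FEC, F7 step into
005272D2 |. FFD0           CALL EAX
"""


@dataclass
class IatCall:
    addr: str        # address of the CALL instruction
    slot: str        # IAT slot the call goes through
    module: str      # module named in the comment ('' if OllyDbg gave none)
    target: str      # export name, or the bare hex address OllyDbg printed
    resolved: bool   # True when OllyDbg could name an exported function


def parse_iat_calls(listing: str) -> List[IatCall]:
    """Extract every CALL DWORD PTR DS:[slot] line that carries a comment."""
    calls: List[IatCall] = []
    for line in listing.splitlines():
        m = IAT_CALL_RE.search(line)
        if not m:
            continue
        # Keep only the first token of the comment: OllyDbg prefixes call
        # arguments with '[' or '\', and the poster appended notes after ','.
        head = m.group("comment").split(",")[0].strip().lstrip("[\\")
        parts = head.split()
        if not parts:
            continue
        module, _, target = parts[0].rpartition(".")
        calls.append(IatCall(
            addr=m.group("addr").upper(),
            slot=m.group("slot").upper(),
            module=module,
            target=target,
            resolved=HEX_TARGET_RE.match(target) is None,
        ))
    return calls


def unresolved_iat_slots(listing: str) -> List[str]:
    """IAT slots whose target is module.hexaddr rather than module.Export."""
    return [c.slot for c in parse_iat_calls(listing) if not c.resolved]


if __name__ == "__main__":
    for call in parse_iat_calls(SAMPLE_LISTING):
        status = "ok        " if call.resolved else "UNRESOLVED"
        print(f"{status} {call.addr} -> [{call.slot}] {call.module or '?'}.{call.target}")
    print("slots to re-check:", unresolved_iat_slots(SAMPLE_LISTING))
```

Run against a listing saved from OllyDbg (the sample above is embedded for an offline run); each slot it reports is an import whose pointer does not land on an exported function entry and should be compared against the import table of the rebuilt file.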

[Repost] Various unpacking methods (beginner's introduction)
For beginners, this post is very good.

Software security book series, volume one: 《加密与解密》 (Encryption and Decryption), 3rd edition
I hope the electronic edition of this book can be bought on this site.

『Share』HASP/Hardlock Emulator 2006 tool
A question for the experts: is there a tool that can dump the data of any dongle?

About the 6BA exception problem
Scanning the software with PEiD shows Microsoft Visual C++ 6.0 [Debug]. Could the experts tell me what packer this is, and how to get started in this situation?

About the 6BA exception problem
The final message is: "Process terminated, exit code 1C (28)."

About the 6BA exception problem
As soon as I press SHIFT+F9 it dies in ntdll, and I can't step any further.

About fly ollydbg 1.10
Moderator, you are too kind. Everyone is using this version; the thing is, I have only just started and have to follow the tutorials step by step, so without it I am stuck. Thanks to all the experts above; I have already downloaded OllyDbg 1.1 from the debugging tools section on pediy. Thanks!

About SE handlers
A question for the moderator: what is the relationship between SE and SEH? Are they the same thing?