Request for an explanation: when unpacking ExeCryptor, how do you determine the address of the encrypted IAT? [Help]
Structure listing obtained with LordPE:

->DOS Header
   e_magic:     0x5A4D
   e_cblp:      0x0090
   e_cp:        0x0003
   e_crlc:      0x0000
   e_cparhdr:   0x0004
   e_minalloc:  0x0000
   e_maxalloc:  0xFFFF
   e_ss:        0x0000
   e_sp:        0x00B8
   e_csum:      0x0000
   e_ip:        0x0000
   e_cs:        0x0000
   e_lfarlc:    0x0040
   e_ovno:      0x0000
   e_res:       0x0000000000000000
   e_oemid:     0x0000
   e_oeminfo:   0x0000
   e_res2:      0x0000000000000000000000000000000000000000
   e_lfanew:    0x00000120

->File Header
   Machine:               0x014C  (I386)
   NumberOfSections:      0x0007
   TimeDateStamp:         0x45896BFC  (GMT: Wed Dec 20 16:59:40 2006)
   PointerToSymbolTable:  0x00000000
   NumberOfSymbols:       0x00000000
   SizeOfOptionalHeader:  0x00E0
   Characteristics:       0x010F  (RELOCS_STRIPPED) (EXECUTABLE_IMAGE) (LINE_NUMS_STRIPPED) (LOCAL_SYMS_STRIPPED) (32BIT_MACHINE)

->Optional Header
   Magic:                        0x010B  (HDR32_MAGIC)
   MajorLinkerVersion:           0x06
   MinorLinkerVersion:           0x00  -> 6.00
   SizeOfCode:                   0x0002D000
   SizeOfInitializedData:        0x00020000
   SizeOfUninitializedData:      0x00000000
   AddressOfEntryPoint:          0x000F4C9C
   BaseOfCode:                   0x0008F000
   BaseOfData:                   0x0002E000
   ImageBase:                    0x00400000
   SectionAlignment:             0x00001000
   FileAlignment:                0x00001000
   MajorOperatingSystemVersion:  0x0004
   MinorOperatingSystemVersion:  0x0000  -> 4.00
   MajorImageVersion:            0x0000
   MinorImageVersion:            0x0000  -> 0.00
   MajorSubsystemVersion:        0x0004
   MinorSubsystemVersion:        0x0000  -> 4.00
   Win32VersionValue:            0x00000000
   SizeOfImage:                  0x000F5000
   SizeOfHeaders:                0x00001000
   CheckSum:                     0x000697F7
   Subsystem:                    0x0002  (WINDOWS_GUI)
   DllCharacteristics:           0x0000
   SizeOfStackReserve:           0x00100000
   SizeOfStackCommit:            0x00001000
   SizeOfHeapReserve:            0x00100000
   SizeOfHeapCommit:             0x00001000
   LoaderFlags:                  0x00000000
   NumberOfRvaAndSizes:          0x00000010

   DataDirectory (16)  RVA         Size
   -------------       ----------  ----------
   ExportTable         0x00000000  0x00000000
   ImportTable         0x0008F000  0x00000110  ("qf5f32zs")
   Resource            0x0004A000  0x00003058  (".rsrc")
   Exception           0x00000000  0x00000000
   Security            0x00000000  0x00000000
   Relocation          0x00000000  0x00000000
   Debug               0x00000000  0x00000000
   Copyright           0x00000000  0x00000000
   GlobalPtr           0x00000000  0x00000000
   TLSTable            0x0008F110  0x00000018  ("qf5f32zs")
   LoadConfig          0x00000000  0x00000000
   BoundImport         0x00000000  0x00000000
   IAT                 0x00000000  0x00000000
   DelayImport         0x00000000  0x00000000
   COM                 0x00000000  0x00000000
   Reserved            0x00000000  0x00000000
Request for an explanation: when unpacking ExeCryptor, how do you determine the address of the encrypted IAT? [Help]
You're right to criticize; I'm a beginner, there is still a lot I don't understand, and I'm still feeling my way. I really haven't understood the BBS section; could you describe it? After running the Bypass AntiDBG OEP-ESTO script, execution stops at the following:

0047542C    E8 79090100      CALL assassin.00485DAA
00475431    8210 9E          ADC BYTE PTR DS:[EAX],-62
00475434    8366 04 A0       AND DWORD PTR DS:[ESI+4],FFFFFFA0
00475438    43               INC EBX
00475439    E8 6C090100      CALL assassin.00485DAA
0047543E    DC5E FA          FCOMP QWORD PTR DS:[ESI-6]
00475441    9E               SAHF
00475442    8204F0 38        ADD BYTE PTR DS:[EAX+ESI*8],38
00475446    52               PUSH EDX
00475447    68 3E7832B6      PUSH B632783E
0047544C    5A               POP EDX
0047544D    81E2 5D9B633B    AND EDX,3B639B5D
00475453    81EA 39C84656    SUB EDX,5646C839
00475459  ^ E9 04C8FEFF      JMP assassin.00461C62
0047545E    0F81 89070000    JNO assassin.00475BED
00475464    9C               PUSHFD
00475465  ^ E9 945BFFFF      JMP assassin.0046AFFE
0047546A    870424           XCHG DWORD PTR SS:[ESP],EAX
0047546D    58               POP EAX
0047546E    C600 C3          MOV BYTE PTR DS:[EAX],0C3
00475471  ^ E9 FFBEFEFF      JMP assassin.00461375
00475476    E8 15000000      CALL assassin.00475490
0047547B  ^ FF25 5CE24200    JMP NEAR DWORD PTR DS:[42E25C]           ; assassin.00475476
00475481  ^ E9 341FFEFF      JMP assassin.004573BA
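Request for an explanation: when unpacking ExeCryptor, how do you determine the address of the encrypted IAT? [Help]
Is there a good way to do this? How should I continue? I would be grateful for any guidance. Thank you!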