[Help] Please give some guidance on unpacking a mutated UPX packer on Linux
GNU gdb (GDB) Red Hat Enterprise Linux (7.2-92.el6)
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /root/test...(no debugging symbols found)...done.
(gdb) b 0x8048418
No symbol table is loaded.  Use the "file" command.
Make breakpoint pending on future shared library load? (y or [n]) y
Breakpoint 1 (0x8048418) pending.
(gdb) r
Starting program: /root/test
/usr/bin/|12Oexe
Program exited with code 0177.
(gdb)

crackwiki: You have to dump the program out at the entry point.

Magic:   7f 45 4c 46 01 01 01 03 00 00 00 00 00 00 00 00
Class:                             ELF32
Data:                              2's complement, little endian
Version:                           1 (current)
OS/ABI:                            UNIX - Linux
ABI Version:                       0
Type:                              EXEC (Executable file)
Machine:                           Intel 80386
Version:                           0x1
Entry point address:               0xe29700
Start of program headers:          52 (bytes into file)
Start of section headers:          0 (bytes into file)
Flags:                             0x0
Size of this header:               52 (bytes)
Size of program headers:           32 (bytes)
Number of program headers:         2
Size of section headers:           40 (bytes)
Number of section headers:         0
Section header string table index: 0

There are no sections in this file.

Program Headers:
  Type           Offset   VirtAddr   PhysAddr   FileSiz  MemSiz   Flg Align
  LOAD           0x000000 0x00c01000 0x00c01000 0x229310 0x229310 RWE 0x1000
  LOAD           0x000f58 0x0882ff58 0x0882ff58 0x00000  0x00000  RW  0x1000

The entry point is 0xe29700.

GNU gdb (GDB) Red Hat Enterprise Linux (7.2-92.el6)
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /root/test...(no debugging symbols found)...done.
(gdb) b 0xe29700
No symbol table is loaded.  Use the "file" command.
Make breakpoint pending on future shared library load? (y or [n]) y
Breakpoint 1 (0xe29700) pending.
(gdb) r
Starting program: /root/test
/usr/bin/|12Oexe
Program exited with code 0177.

After setting the breakpoint with b 0xe29700 and running with r, the program exits straight away; execution never reaches the entry point at all.

crackwiki: The unpacked file is attached, give it a test.

ELF Header:
  Magic:   7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
  Class:                             ELF32
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              EXEC (Executable file)
  Machine:                           Intel 80386
  Version:                           0x1
  Entry point address:               0x4c725ee6
  Start of program headers:          52 (bytes into file)
  Start of section headers:          6915068 (bytes into file)
  Flags:                             0x0
  Size of this header:               52 (bytes)
  Size of program headers:           32 (bytes)
  Number of program headers:         5
  Size of section headers:           40 (bytes)
  Number of section headers:         26
  Section header string table index: 25

Section Headers:
  [Nr] Name              Type            Addr     Off    Size   ES Flg Lk Inf Al
  [ 0] PhD▒m^H▒^W!A      <unknown>: 341  00000343 000344 000345 349 AIOG 838 839 840
readelf: Warning: section 0: sh_link value of 838 is larger than the number of sections
  [ 1]                   <unknown>: 34b  0000034d 00034e 00034f 353 XxIOG 848 849 850
readelf: Warning: section 1: sh_link value of 848 is larger than the number of sections
  [ 2] P▒ A              <unknown>: 355  00000357 000358 000359 35d AXMIOG 858 859 860
readelf: Warning: section 2: sh_link value of 858 is larger than the number of sections
  [ 3] ▒^L▒E▒P▒y▒<       <unknown>: 35f  00000361 000362 000363 367 SIOG 868 869 870
readelf: Warning: section 3: sh_link value of 868 is larger than the number of sections
  [ 4]                   <unknown>: 369  0000036b 00036c 00036d 371 AxSIOG 878 879 880
readelf: Warning: section 4: sh_link value of 878 is larger than the number of sections
  [ 5] ▒^L▒E▒P▒E▒<       <unknown>: 373  00000375 000376 000377 37b XMSIOG 888 889 890
readelf: Warning: section 5: sh_link value of 888 is larger than the number of sections
  [ 6]                   <unknown>: 37d  0000037f 000380 000381 385 AXxMSIOG 898 899 900
readelf: Warning: section 6: sh_link value of 898 is larger than the number of sections
  [ 7] ▒^D▒U▒RP▒E▒P▒▒QA  <unknown>: 387  00000389 00038a 00038b 38f xLOG 908 909 910
readelf: Warning: section 7: sh_link value of 908 is larger than the number of sections
  [ 8] P▒▒QA             <unknown>: 391  00000393 000394 000395 399 AMLOG 918 919 920
readelf: Warning: section 8: sh_link value of 918 is larger than the number of sections
  [ 9] ▒^H▒E▒PhL▒m^H▒ A  <unknown>: 39b  0000039d 00039e 00039f 3a3 XxMLOG 928 929 930
readelf: Warning: section 9: sh_link value of 928 is larger than the number of sections
  [10] ^H▒ A             <unknown>: 3a5  000003a7 0003a8 0003a9 3ad AXSLOG 938 939 940
readelf: Warning: section 10: sh_link value of 938 is larger than the number of sections
  [11] ▒^L▒E▒P▒9 A       <unknown>: 3af  000003b1 0003b2 0003b3 3b7 MSLOG 948 949 950
readelf: Warning: section 11: sh_link value of 948 is larger than the number of sections
  [12]                   <unknown>: 3b9  000003bb 0003bc 0003bd 3c1 AxMSLOG 958 959 960
readelf: Warning: section 12: sh_link value of 958 is larger than the number of sections
  [13] P▒^Z▒<            <unknown>: 3c3  000003c5 0003c6 0003c7 3cb XILOG 968 969 970
readelf: Warning: section 13: sh_link value of 968 is larger than the number of sections
  [14] w▒▒^L▒E▒P▒▒▒<     <unknown>: 3cd  000003cf 0003d0 0003d1 3d5 AXxILOG 978 979 980
readelf: Warning: section 14: sh_link value of 978 is larger than the number of sections
  [15] ▒<                <unknown>: 3d7  000003d9 0003da 0003db 3df xMILOG 988 989 990
readelf: Warning: section 15: sh_link value of 988 is larger than the number of sections
  [16] ^H▒▒^D▒U▒RP▒E▒P▒p <unknown>: 3e1  000003e3 0003e4 0003e5 3e9 ASILOG 998 999 1000
readelf: Warning: section 16: sh_link value of 998 is larger than the number of sections
  [17] E▒P▒pQA           <unknown>: 3eb  000003ed 0003ee 0003ef 3f3 XxSILOG 1008 1009 1010
readelf: Warning: section 17: sh_link value of 1008 is larger than the number of sections
  [18] ^P▒▒^H▒E▒PhH▒m^H▒ <unknown>: 3f5  000003f7 0003f8 0003f9 3fd AXMSILOG 1018 1019 1020
readelf: Warning: section 18: sh_link value of 1018 is larger than the number of sections
  [19] ▒m^H▒\ A          <unknown>: 3ff  00000401 000402 000403 407 T 1028 1029 1030
readelf: Warning: section 19: sh_link value of 1028 is larger than the number of sections
  [20] ^P▒▒^L▒E▒P▒▒^_A   <unknown>: 409  0000040b 00040c 00040d 411 AxT 1038 1039 1040
readelf: Warning: section 20: sh_link value of 1038 is larger than the number of sections
  [21] ^_A               <unknown>: 413  00000415 000416 000417 41b XMT 1048 1049 1050
readelf: Warning: section 21: sh_link value of 1048 is larger than the number of sections
  [22] E▒P▒▒<            <unknown>: 41d  0000041f 000420 000421 425 AXxMT 1058 1059 1060
readelf: Warning: section 22: sh_link value of 1058 is larger than the number of sections
  [23] ^P▒^[▒▒^Lh^XZN^H▒ <unknown>: 427  00000429 00042a 00042b 42f xST 1068 1069 1070
readelf: Warning: section 23: sh_link value of 1068 is larger than the number of sections
  [24] ^H▒\^QE           <unknown>: 431  00000433 000434 000435 439 AMST 1078 1079 1080
readelf: Warning: section 24: sh_link value of 1078 is larger than the number of sections
  [25] ▒^Lj              <unknown>: 43b  0000043d 00043e 00043f 443 XxMST 1088 1089 1090
readelf: Warning: section 25: sh_link value of 1088 is larger than the number of sections
Key to Flags:
  W (write), A (alloc), X (execute), M (merge), S (strings)
  I (info), L (link order), G (group), x (unknown)
  O (extra OS processing required) o (OS specific), p (processor specific)

Program Headers:
  Type           Offset   VirtAddr   PhysAddr   FileSiz  MemSiz   Flg Align
  LOAD           0x000000 0x08048000 0x08048000 0x683b88 0x683b88 R E 0x1000
  LOAD           0x683b88 0x086ccb88 0x086ccb88 0x1042c  0x1633d0 RW  0x1000
  NOTE           0x0000d4 0x080480d4 0x080480d4 0x00020  0x00020  R   0x4
  TLS            0x683b88 0x086ccb88 0x086ccb88 0x00014  0x00034  R   0x4
  GNU_STACK      0x000000 0x00000000 0x00000000 0x00000  0x00000  RW  0x10

Hi, after running the program I dumped it out, and this is what it looks like. I repaired the fields of
LOAD
NOTE
TLS
and cleared the Start of section headers value to 0. I have two questions: 1. How is the real entry point calculated? 2. I dumped the program directly while it was running normally, so I don't know how you worked out the real entry point, but I changed the entry point following the file you gave me and compared the two files (the left image is the one I extracted, the right image is the one you extracted). Why are the first 80% or more of my program identical to yours, while in the later part mine has a bit of extra content, with small differences? Is my dump method wrong?

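The header checks the two posts above do by hand with readelf (whether the entry point lies inside a LOAD segment, whether the section header table points past the end of the dump) and the repair the poster describes (zeroing the section header fields), as an added Python example that is not part of the thread or its attachments; the sample image it builds uses constructed values that only mimic the dump's symptoms.

```python
import struct

EHDR, PHDR, PT_LOAD = "<16sHHIIIIIHHHHHH", "<IIIIIIII", 1  # Elf32_Ehdr/Elf32_Phdr, LE

def build_sample():
    # Constructed ELF32 image with hypothetical values that mimics the dump above:
    # entry outside every LOAD segment, e_shoff past EOF, 26 phantom sections.
    phdrs = [(PT_LOAD, 0x000, 0x08048000, 0x08048000, 0x200, 0x200, 5, 0x1000),
             (PT_LOAD, 0x200, 0x086ccb88, 0x086ccb88, 0x100, 0x300, 6, 0x1000)]
    ehdr = struct.pack(EHDR, b"\x7fELF\x01\x01\x01" + b"\0" * 9, 2, 3, 1,
                       0x4c725ee6, 52, 6915068, 0, 52, 32, len(phdrs), 40, 26, 25)
    body = ehdr + b"".join(struct.pack(PHDR, *p) for p in phdrs)
    return body + b"\0" * (0x300 - len(body))

def parse_elf32(data):
    f = struct.unpack_from(EHDR, data, 0)
    if f[0][:4] != b"\x7fELF" or f[0][4] != 1:
        raise ValueError("not an ELF32 image")
    hdr = dict(zip(["type", "machine", "version", "entry", "phoff", "shoff", "flags",
                    "ehsize", "phentsize", "phnum", "shentsize", "shnum", "shstrndx"], f[1:]))
    pkeys = ["type", "offset", "vaddr", "paddr", "filesz", "memsz", "flags", "align"]
    return hdr, [dict(zip(pkeys, struct.unpack_from(PHDR, data, hdr["phoff"] + i * hdr["phentsize"])))
                 for i in range(hdr["phnum"])]

def check_dump(data):
    """List the header problems a raw process dump typically shows before repair."""
    hdr, phdrs = parse_elf32(data)
    loads = [p for p in phdrs if p["type"] == PT_LOAD]
    issues = []
    if not any(p["vaddr"] <= hdr["entry"] < p["vaddr"] + p["memsz"] for p in loads):
        issues.append("entry outside every PT_LOAD segment")
    if hdr["shoff"] and hdr["shoff"] + hdr["shnum"] * hdr["shentsize"] > len(data):
        issues.append("section header table lies past end of file")
    if hdr["shstrndx"] and hdr["shstrndx"] >= hdr["shnum"]:
        issues.append("e_shstrndx out of range")
    for p in loads:
        if p["offset"] + p["filesz"] > len(data):
            issues.append("PT_LOAD at 0x%08x extends past end of file" % p["vaddr"])
    return issues

def strip_section_headers(data):
    """Zero e_shoff, e_shnum and e_shstrndx (what the post above does by hand), so
    tools fall back to the program headers instead of a bogus section table."""
    fixed = bytearray(data)
    struct.pack_into("<I", fixed, 32, 0)  # e_shoff
    struct.pack_into("<H", fixed, 48, 0)  # e_shnum
    struct.pack_into("<H", fixed, 50, 0)  # e_shstrndx
    return bytes(fixed)
```

Run check_dump on a real dump read with open(path, "rb").read(); an entry point that still falls outside every LOAD segment after the section table is stripped is the remaining problem the thread is asking about.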
采臣·宁: ![](upload/attach/201910/7619_DXQ5VW62QAVWERR.png) This program isn't friendly to someone just starting out with cracking; is it still salvageable? Using the DUMP method I gave someone else earlier, what I extracted is already very close to the original program.