|
[结束][第二阶段◇第四题]看雪论坛.珠海金山2007逆向分析挑战赛
无聊的算法,可以直接ida么 |
|
[求助]不想被人破解,请高手解惑
太强了,最新至尊潜水王 |
|
[讨论]期待同路人出现,关于处理加壳文件的IAT表的问题
能读到IAT,可是通常是加密了的 |
|
[KAO]-------->2.3
; Annotated OllyDbg trace of the packer stub (stages: SEH setup, section
; decompression, branch-displacement restore, key derivation, import
; resolution with jmp-stub redirection). Addresses, opcode bytes and
; mnemonics are the original trace; only the annotations were rewritten.
;
; Reviewer notes (grounded in the instructions below, hedged where not):
;  * The stub installs its own SEH record twice (004E3050/004E3057 and
;    00416543/0041654C) and relies on a fault to transfer control, so an
;    unpacker that replays this code must either run it under the original
;    exception dispatch or reproduce the handler's effects directly.
;  * Import resolution does not always store the API address: once a
;    countdown expires it emits a 5-byte `E9 rel32` stub in a scratch buffer
;    and stores the stub's address in the IAT (004166B7-004166D6). An IAT
;    rebuilder has to follow those stubs to the real target.
;  * After each name is resolved the name string is overwritten with zeros
;    (004166DB-004166E6) and, when a descriptor is finished, its thunk field
;    is zeroed (00416718). Anything you want from the original import
;    structures must be captured before this loop runs.
;  * The XOR key mixes in fs:[1C]/fs:[22] (0041659A-004165A5); these look
;    like TEB fields (EnvironmentPointer / an unaligned read over ClientId)
;    - TODO confirm. The author forces si = 1 at 004165AC instead of
;    modelling them.
;
; Author: only level 1-9 was analysed.
004E3046 > B8 00304E00 mov eax, 004E3000 ; eax = loader base (004E3000)
004E304B 68 E3644100 push 004164E3 ; handler address for the SEH record built next
004E3050 64:FF35 0000000>push dword ptr fs:[0] ; previous SEH record
004E3057 64:8925 0000000>mov dword ptr fs:[0], esp ; install: [esp] = prev, [esp+4] = 004164E3
004E305E 66:9C pushfw
004E3060 60 pushad
004E3061 50 push eax ; saved loader base, read back at 004E30CF as [esp+4]
004E3062 8BD8 mov ebx, eax ; ebx = 4E3000 = loader base
004E3064 0300 add eax, dword ptr [eax] ; eax = loader base + [loader base] (author: import offset)
004E3066 68 A4A50000 push 0A5A4 ; arg: 0xA5A4
004E306B 6A 00 push 0 ; arg: 0
004E306D FF50 1C call dword ptr [eax+1C] ; presumably an allocator for 0xA5A4 bytes - TODO confirm which API
004E3070 8943 08 mov dword ptr [ebx+8], eax ; loader base+8 = decode buffer returned above
004E3073 68 00004000 push 00400000 ; [esp] = image base
004E3078 8B3C24 mov edi, dword ptr [esp] ; edi = image base
004E307B 8B33 mov esi, dword ptr [ebx] ; esi = [loader base] (author: byte count)
004E307D 66:81C7 8007 add di, 780 ; edi = image base + 0x780 (destination buffer)
004E3082 8D741E 08 lea esi, dword ptr [esi+ebx+8] ; esi = loader base + 8 + that count
004E3086 893B mov dword ptr [ebx], edi ; [loader base] now holds the 0x780 buffer address
004E3088 53 push ebx
004E3089 8B5E 10 mov ebx, dword ptr [esi+10] ; ebx = routine called twice below
004E308C B8 80080000 mov eax, 880
; Two argument sets are pushed for the two `call ebx` below; what the
; routine does is not visible in this trace (author: "fuck rva780" / "fuck page").
004E3091 56 push esi
004E3092 6A 02 push 2
004E3094 50 push eax
004E3095 57 push edi
004E3096 6A 15 push 15
004E3098 6A 0A push 0A
004E309A 56 push esi
004E309B 6A 04 push 4
004E309D 50 push eax
004E309E 57 push edi
004E309F FFD3 call ebx ; first call (edi, eax=880, esi, 4, 0A, 15)
004E30A1 83EE 08 sub esi, 8
004E30A4 59 pop ecx ; ecx = count for the copy below
004E30A5 F3:A5 rep movs dword ptr es:[edi], dword p> ; copy the import structure into the buffer
004E30A7 59 pop ecx ; next count
004E30A8 66:83C7 58 add di, 58
004E30AC 81C6 02010000 add esi, 102
004E30B2 F3:A5 rep movs dword ptr es:[edi], dword p> ; copy the required DLL name strings
004E30B4 FFD3 call ebx ; second call (edi, eax, esi, 2)
004E30B6 58 pop eax ; eax = loader base (pushed at 004E3088)
; Section table walk: 0x14-byte entries starting at loader base+1A0.
;   +0  source RVA of compressed data    +4  non-zero marks a live entry
;   +8  destination RVA                  +10 size (dword count for rep movsd)
004E30B7 8D90 A0010000 lea edx, dword ptr [eax+1A0]
004E30BD 8B0A mov ecx, dword ptr [edx] ; ecx = source RVA
004E30BF 83C2 14 add edx, 14 ; edx = next entry
004E30C2 8B5A F0 mov ebx, dword ptr [edx-10] ; entry+4
004E30C5 85DB test ebx, ebx
004E30C7 ^ 74 F4 je short 004E30BD ; zero: skip this entry
004E30C9 8B0424 mov eax, dword ptr [esp] ; eax = image base
004E30CC 8D3401 lea esi, dword ptr [ecx+eax] ; esi = compressed data
004E30CF 8B6C24 04 mov ebp, dword ptr [esp+4] ; saved loader base
004E30D3 8B6D 08 mov ebp, dword ptr [ebp+8] ; ebp = decode buffer allocated at 004E306D
004E30D6 8B4A FC mov ecx, dword ptr [edx-4] ; ecx = size (entry+10)
004E30D9 8BFD mov edi, ebp
004E30DB 52 push edx
004E30DC F3:A5 rep movs dword ptr es:[edi], dword p> ; stage the compressed data in the buffer
004E30DE 8BF5 mov esi, ebp ; src = staged copy
004E30E0 8B7A F4 mov edi, dword ptr [edx-C] ; entry+8
004E30E3 03F8 add edi, eax ; dst = image base + destination RVA
004E30E5 EB 28 jmp short 004E310F ; decompressor (not in this trace; author: copy it verbatim)
004E30E7 58 pop eax
004E30E8 58 pop eax
004E30E9 58 pop eax
004E30EA 58 pop eax
004E30EB 5A pop edx
004E30EC ^ 74 CF je short 004E30BD ; next entry
004E30EE ^ E9 19FFFFFF jmp 004E300C ; target precedes the shown trace
; Author: after decompression one entry has destination RVA 0; the write
; faults and the SEH record installed at 004E3057 dispatches to 004164E3.
; --- SEH handler path (trace resumes at 00416537) ---
00416537 33C0 xor eax, eax
00416539 5E pop esi
0041653A 64:8B18 mov ebx, dword ptr fs:[eax] ; ebx = current SEH record
0041653D 8B1B mov ebx, dword ptr [ebx] ; ebx = its `prev` link
0041653F 8D63 D6 lea esp, dword ptr [ebx-2A] ; stack pivot relative to that record
00416542 5D pop ebp
00416543 8D8E CB020000 lea ecx, dword ptr [esi+2CB]
00416549 894B 04 mov dword ptr [ebx+4], ecx ; new handler = esi+2CB (restores E8/E9 branches, see 004167D1); author: copy verbatim
0041654C 64:891D 0000000>mov dword ptr fs:[0], ebx ; re-install the record
00416553 8B3C24 mov edi, dword ptr [esp]
00416556 FF77 08 push dword ptr [edi+8]
00416559 FF95 A0070000 call dword ptr [ebp+7A0] ; one-arg call through the stub's API table; eax = its return value
0041655F 81C7 3D000000 add edi, 3D
00416565 6A 0E push 0E
00416567 59 pop ecx ; ecx = 0x0E
00416568 F3:A4 rep movs byte ptr es:[edi], byte ptr> ; copy 14 bytes to edi
0041656A FF33 push dword ptr [ebx]
0041656C 56 push esi
0041656D 57 push edi
0041656E 8DB7 55010000 lea esi, dword ptr [edi+155]
00416574 8BCE mov ecx, esi
00416576 2BCF sub ecx, edi ; ecx = 0x155
00416578 F3:AA rep stos byte ptr es:[edi] ; fill edi..edi+0x155 with al
0041657A 60 pushad
0041657B FFE0 jmp eax ; eax is still the 00416559 return value; author: this is how the handler at esi+2CB gets invoked
; --- handler body: restore relative branch displacements ---
; Walks regions described by 0x14-byte entries at esi ([esi+4] = length).
; For every E8 / E9 / 0F 8x opcode whose operand's low byte is 0A it
; reassembles the stored target from the other 3 bytes and converts it to a
; rel32 against the end of the instruction. Author: the 0A marker varies.
004167D1 51 push ecx
004167D2 72 15 jb short 004167E9 ; CF comes from code before the trace
004167D4 037E 04 add edi, dword ptr [esi+4] ; edi past the region
004167D7 C1F9 02 sar ecx, 2
004167DA 33C0 xor eax, eax
004167DC F3:AB rep stos dword ptr es:[edi] ; zero ecx/4 dwords
004167DE 59 pop ecx
004167DF 83E1 03 and ecx, 3
004167E2 F3:AA rep stos byte ptr es:[edi] ; zero the remaining 0-3 bytes
004167E4 83C6 14 add esi, 14 ; next region entry
004167E7 ^ EB D5 jmp short 004167BE ; loop head precedes the shown trace
004167E9 8B5E 04 mov ebx, dword ptr [esi+4]
004167EC 83EB 06 sub ebx, 6 ; scan limit = length - 6 (room for opcode + operand)
004167EF 33D2 xor edx, edx ; edx = offset within the region
004167F1 3BD3 cmp edx, ebx
004167F3 ^ 7D DF jge short 004167D4 ; region done
004167F5 8A043A mov al, byte ptr [edx+edi]
004167F8 42 inc edx
004167F9 3C E8 cmp al, 0E8 ; call rel32
004167FB 74 12 je short 0041680F
004167FD 3C E9 cmp al, 0E9 ; jmp rel32
004167FF 74 0E je short 0041680F
00416801 3C 0F cmp al, 0F
00416803 ^ 75 EC jnz short 004167F1
00416805 8A043A mov al, byte ptr [edx+edi]
00416808 24 F0 and al, 0F0
0041680A 3C 80 cmp al, 80 ; 0F 8x = jcc rel32
0041680C ^ 75 E3 jnz short 004167F1
0041680E 42 inc edx
0041680F 8B043A mov eax, dword ptr [edx+edi] ; eax = the 4 operand bytes
00416812 3C 0A cmp al, 0A ; marker byte (author: this one changes between builds)
00416814 ^ 75 DB jnz short 004167F1
00416816 66:C1E8 08 shr ax, 8
0041681A C1C0 10 rol eax, 10
0041681D 86C4 xchg ah, al ; reassemble the stored target from the remaining 3 bytes
0041681F 83C2 04 add edx, 4 ; edx = offset of the instruction end
00416822 2BC2 sub eax, edx ; target -> rel32
00416824 89443A FC mov dword ptr [edx+edi-4], eax ; write the displacement back
00416828 ^ EB C7 jmp short 004167F1
0041682A 59 pop ecx
; --- back on the main path: key derivation and decryption ---
0041657D 5B pop ebx
0041657E 5A pop edx
0041657F 64:8F05 0000000>pop dword ptr fs:[0] ; unlink the SEH record
00416586 58 pop eax
00416587 6A 03 push 3 ; countdown, read as [esp+28] in the import loop; author: OEP seed, keep it
00416589 53 push ebx ; write cursor for jmp stubs, read as [esp+24] below
0041658A 33DB xor ebx, ebx ; ebx = running key
0041658C 68 3E030000 push 33E ; ecx runs from 0x33E down to 0
00416591 8B0C24 mov ecx, dword ptr [esp]
00416594 0FBAE3 00 bt ebx, 0
00416598 72 16 jb short 004165B0 ; key bit 0 set: skip the TEB mix-in
0041659A 64:8B35 1C00000>mov esi, dword ptr fs:[1C] ; author observed 0; NOTE(review): looks like TEB.EnvironmentPointer - TODO confirm
004165A1 0FBAF6 00 btr esi, 0
004165A5 64:0335 2200000>add esi, dword ptr fs:[22] ; unaligned TEB read (author: "what?")
004165AC 46 inc esi ; author: forcing si = 1 here is enough to replay the key
004165AD 66:33DE xor bx, si
004165B0 321C11 xor bl, byte ptr [ecx+edx] ; fold in one byte of edx[0..0x33E]
004165B3 C1C3 0F rol ebx, 0F
004165B6 49 dec ecx
004165B7 ^ 7D DB jge short 00416594
004165B9 8D48 3B lea ecx, dword ptr [eax+3B] ; ebx = key; decrypt 4 dwords at eax+3B
004165BC 3119 xor dword ptr [ecx], ebx
004165BE 3159 04 xor dword ptr [ecx+4], ebx
004165C1 3159 08 xor dword ptr [ecx+8], ebx
004165C4 3159 0C xor dword ptr [ecx+C], ebx
004165C7 59 pop ecx ; ecx = 0x33E
; Integrity self-check (author: irrelevant to unpacking). On mismatch the
; stub drops its frame and jumps back to 004E3019 instead of resolving imports.
004165C8 315C11 01 xor dword ptr [ecx+edx+1], ebx
004165CC 33DB xor ebx, ebx
004165CE 8BF2 mov esi, edx
004165D0 81BA 769BFEFF 4>cmp dword ptr [edx+FFFE9B76], 0E3046 ; expects the 0xE3046 marker (cf. loader entry 004E3046)
004165DA 75 21 jnz short 004165FD
004165DC 81EE B2640100 sub esi, 164B2
004165E2 0FB64E 06 movzx ecx, byte ptr [esi+6]
004165E6 6BC9 0A imul ecx, ecx, 0A
004165E9 66:81C1 3E00 add cx, 3E ; dword count = byte*10 + 0x3E
004165EE 331E xor ebx, dword ptr [esi] ; rolling xor/rotate checksum
004165F0 D3C3 rol ebx, cl
004165F2 83C6 04 add esi, 4
004165F5 49 dec ecx
004165F6 ^ 75 F6 jnz short 004165EE
004165F8 3958 04 cmp dword ptr [eax+4], ebx ; stored checksum vs computed
004165FB 74 08 je short 00416605
004165FD 83C4 2A add esp, 2A ; mismatch: drop the frame ...
00416600 - E9 14CA0C00 jmp 004E3019 ; ... and bail out to the loader
; --- import resolution; the author derives the OEP alongside ---
; Descriptor list at ebp+159CC, DLL name list at ebp+800. [ebp+7A4],
; [ebp+790] and [ebp+794] are slots in the stub's API table; from their use
; they look like GetModuleHandle / LoadLibrary / GetProcAddress - TODO confirm.
00416605 8DB5 CC590100 lea esi, dword ptr [ebp+159CC] ; esi = import descriptor
0041660B 8D8D 00080000 lea ecx, dword ptr [ebp+800] ; ecx = DLL name
00416611 8BD8 mov ebx, eax
00416613 833E 00 cmp dword ptr [esi], 0
00416616 0F84 0E020000 je 0041682A ; end of the descriptor list
0041661C 51 push ecx ; keep the name pointer (stays on the stack if the call is stdcall)
0041661D 51 push ecx ; arg: DLL name
0041661E FF95 A4070000 call dword ptr [ebp+7A4]
00416624 85C0 test eax, eax
00416626 75 11 jnz short 00416639 ; already loaded
00416628 83EC 04 sub esp, 4 ; re-expose the arg slot just consumed (still holds the name)
0041662B FF95 90070000 call dword ptr [ebp+790]
00416631 85C0 test eax, eax
00416633 0F84 DF000000 je 00416718 ; load failed: skip this descriptor
00416639 8BF8 mov edi, eax ; edi = DLL base
; Standard PE walk: +3C e_lfanew, +78 export directory RVA; export directory
; fields +10 Base, +14 NumberOfFunctions, +18 NumberOfNames,
; +1C AddressOfFunctions, +20 AddressOfNames, +24 AddressOfNameOrdinals.
0041663B 0340 3C add eax, dword ptr [eax+3C]
0041663E 8B40 78 mov eax, dword ptr [eax+78] ; eax = export directory RVA
00416641 FF7438 18 push dword ptr [eax+edi+18] ; NumberOfNames
00416645 8B4C38 24 mov ecx, dword ptr [eax+edi+24] ; AddressOfNameOrdinals
00416649 03CF add ecx, edi ; +base
0041664B 51 push ecx
0041664C 8B4C38 20 mov ecx, dword ptr [eax+edi+20] ; AddressOfNames
00416650 03CF add ecx, edi
00416652 51 push ecx
00416653 FF7438 10 push dword ptr [eax+edi+10] ; Base
00416657 FF7438 14 push dword ptr [eax+edi+14] ; NumberOfFunctions
0041665B 8B4438 1C mov eax, dword ptr [eax+edi+1C] ; AddressOfFunctions
0041665F 03C7 add eax, edi
00416661 50 push eax
00416662 56 push esi ; saved descriptor pointer
00416663 8B36 mov esi, dword ptr [esi] ; thunk RVA
00416665 03F5 add esi, ebp ; esi = thunk (IAT entry)
; Stack inside the loop: [esp] descriptor, [esp+4] AddressOfFunctions,
; [esp+8] NumberOfFunctions, [esp+C] Base. One more slot is left by the
; name path (004166A4), which shifts the later [esp+24]/[esp+28] reads.
00416667 8B06 mov eax, dword ptr [esi]
00416669 85C0 test eax, eax
0041666B 0F84 81000000 je 004166F2 ; end of the thunk list
00416671 79 2F jns short 004166A2 ; bit 31 clear: import by name
00416673 0FBAE0 1E bt eax, 1E ; bit 31 set; bit 30 decides: set -> name path, clear -> ordinal
00416677 72 29 jb short 004166A2
00416679 0FB7C0 movzx eax, ax ; ordinal
0041667C 2B4424 0C sub eax, dword ptr [esp+C] ; - Base
00416680 0F82 AB000000 jb 00416731 ; below Base: error path (outside the trace)
00416686 3B4424 08 cmp eax, dword ptr [esp+8]
0041668A 0F83 A1000000 jnb 00416731 ; >= NumberOfFunctions: error path (index is bounds-checked)
00416690 C1E0 02 shl eax, 2
00416693 034424 04 add eax, dword ptr [esp+4] ; &AddressOfFunctions[index]
00416697 8B00 mov eax, dword ptr [eax]
00416699 03C7 add eax, edi ; API address
0041669B 8906 mov dword ptr [esi], eax ; ordinal imports are always stored directly
0041669D 83C6 04 add esi, 4
004166A0 ^ EB C5 jmp short 00416667
004166A2 03C6 add eax, esi ; name pointer = thunk + stored offset
004166A4 50 push eax ; left at [esp] after the call (assumes a 2-arg stdcall; consistent with 004166D8)
004166A5 50 push eax ; arg: name
004166A6 57 push edi ; arg: DLL base
004166A7 FF95 94070000 call dword ptr [ebp+794]
004166AD 85C0 test eax, eax
004166AF 74 7F je short 00416730 ; unresolved: error path (outside the trace)
004166B1 FF4C24 28 dec dword ptr [esp+28] ; countdown (the 3 pushed at 00416587); author: "note this seed"
004166B5 7D 1F jge short 004166D6 ; still counting: store the real address
; Countdown expired: emit `E9 rel32` at the cursor and store the stub's
; address instead of the API ("stolen" import). The next countdown is the
; advanced cursor & 7, so stub cadence depends on the cursor's value.
004166B7 8B5424 24 mov edx, dword ptr [esp+24] ; edx = stub cursor
004166BB C602 E9 mov byte ptr [edx], 0E9 ; jmp opcode
004166BE 2BC2 sub eax, edx
004166C0 83E8 05 sub eax, 5 ; rel32 = api - (cursor + 5)
004166C3 8942 01 mov dword ptr [edx+1], eax
004166C6 8BC2 mov eax, edx ; value for the IAT = stub address
004166C8 83C2 05 add edx, 5
004166CB 895424 24 mov dword ptr [esp+24], edx ; advance the cursor
004166CF 83E2 07 and edx, 7
004166D2 895424 28 mov dword ptr [esp+28], edx ; reload the countdown
004166D6 8906 mov dword ptr [esi], eax ; PATCH IAT (API address or stub)
; Wipe the API name in place: edi <- saved name pointer, measure it with
; repne scas, then rep stos backwards with al = 0. Dump before this runs
; if you need the names.
004166D8 873C24 xchg dword ptr [esp], edi ; edi = name, [esp] = DLL base
004166DB 83C9 FF or ecx, FFFFFFFF
004166DE 33C0 xor eax, eax
004166E0 F2:AE repne scas byte ptr es:[edi] ; find the terminator
004166E2 FD std
004166E3 F7D1 not ecx ; ecx = length + 1
004166E5 4F dec edi
004166E6 F3:AA rep stos byte ptr es:[edi] ; zero the string, backwards
004166E8 5F pop edi ; edi = DLL base again
004166E9 FC cld
004166EA 83C6 04 add esi, 4
004166ED ^ E9 75FFFFFF jmp 00416667
; Descriptor finished: fold the patched thunks into a value at ebx+47.
; The author reports this feeds the OEP computation (stub entry -> -2,
; direct entry -> -1, then ror 3 per step; the 3 looked fixed to the author).
004166F2 5E pop esi ; esi = descriptor
004166F3 83C4 18 add esp, 18 ; drop the six export-directory slots
004166F6 8B16 mov edx, dword ptr [esi]
004166F8 03D5 add edx, ebp ; edx = first thunk again
004166FA 8D43 47 lea eax, dword ptr [ebx+47] ; accumulator
004166FD 8B4C24 04 mov ecx, dword ptr [esp+4] ; ecx = current stub cursor
00416701 833A 00 cmp dword ptr [edx], 0
00416704 74 12 je short 00416718
00416706 3B1A cmp ebx, dword ptr [edx]
00416708 8318 00 sbb dword ptr [eax], 0 ; -1 if ebx < [edx]
0041670B 390A cmp dword ptr [edx], ecx
0041670D 8318 00 sbb dword ptr [eax], 0 ; -1 if [edx] < cursor
00416710 83C2 04 add edx, 4
00416713 C108 03 ror dword ptr [eax], 3 ; author: this 3 seems not to change
00416716 ^ EB E9 jmp short 00416701
00416718 C706 00000000 mov dword ptr [esi], 0 ; erase the descriptor's thunk field (anti-dump)
0041671E 5F pop edi ; edi = DLL name
0041671F 83C9 FF or ecx, FFFFFFFF
00416722 33C0 xor eax, eax
00416724 F2:AE repne scas byte ptr es:[edi] ; skip past the name
00416726 8BCF mov ecx, edi ; ecx = next DLL name
00416728 83C6 04 add esi, 4 ; next descriptor
0041672B ^ E9 E3FEFFFF jmp 00416613
; Author: further down it reaches popad / jmp OEP. Writing the unpacker is
; just transcribing the algorithm - grunt work, nothing interesting.
|
|
pe rebuilder v1.00 +src by forgot/iPB
莫须有的问题你还去解决? |
|
pe rebuilder v1.00 +src by forgot/iPB
等 到 2.0 吧 |
|
[结束][第二阶段◇第三题]看雪论坛.珠海金山2007逆向分析挑战赛
阅读了上面上面上面,我怀疑其中有些不可告人的秘密 |
|
[原创]我写的大整数和素域运算库
蒙哥马利 (Montgomery) 的会好一些? |
|
看雪论坛.珠海金山2007逆向分析挑战赛--第二阶段成绩(1,2,3,4题)
我损失大了,555555 |
|
看雪论坛.珠海金山2007逆向分析挑战赛--第二阶段成绩(1,2,3,4题)
我觉得我的楼层附近有背背出没 |
|
[结束][第二阶段◇第三题]看雪论坛.珠海金山2007逆向分析挑战赛
大头是iPB boss,我们小喽罗不能比。 |
|
[结束][第二阶段◇第三题]看雪论坛.珠海金山2007逆向分析挑战赛
支持大头,支持ipb |
|
[KAO]-------->2.3
fuck reloc and ord (import-by-ordinal) bug and optimize |