地道菜鸟一只,弱弱地向各位高手请教。
我用“SFX”法
1:设置OD,忽略所有异常,也就是说异常选项卡里面的选项都打上勾。
2:切换到SFX选项卡,选择“字节模式跟踪实际入口(速度非常慢)”,确定。
3:重载程序后到达这里,尝试确认00789068跳转后的位置为OEP,但ImportREC修复失败。
00789000 > 83EC 04 sub esp,4
00789003 50 push eax
00789004 53 push ebx
00789005 E8 01000000 call Wanderfull.0078900B
0078900A 0058 8B add byte ptr ds:[eax-75],bl
0078900D D840 2D fadd dword ptr ds:[eax+2D]
00789010 0070 18 add byte ptr ds:[eax+18],dh
00789013 002D 99F36000 add byte ptr ds:[60F399],ch
00789019 05 8EF36000 add eax,Wanderfull.0060F38E
0078901E 803B CC cmp byte ptr ds:[ebx],0CC
00789021 75 19 jnz short Wanderfull.0078903C
00789023 C603 00 mov byte ptr ds:[ebx],0
00789026 BB 00100000 mov ebx,1000
0078902B 68 73DCC81D push 1DC8DC73
00789030 68 92A8750C push 0C75A892
00789035 53 push ebx
00789036 50 push eax
00789037 E8 0A000000 call Wanderfull.00789046
0078903C 83C0 00 add eax,0
0078903F 894424 08 mov dword ptr ss:[esp+8],eax
00789043 5B pop ebx ; 7FFDB000
00789044 58 pop eax
00789045 C3 retn
00789046 55 push ebp
00789047 8BEC mov ebp,esp
00789049 60 pushad
0078904A 8B75 08 mov esi,dword ptr ss:[ebp+8]
0078904D 8B4D 0C mov ecx,dword ptr ss:[ebp+C]
00789050 C1E9 02 shr ecx,2
00789053 8B45 10 mov eax,dword ptr ss:[ebp+10]
00789056 8B5D 14 mov ebx,dword ptr ss:[ebp+14]
00789059 EB 08 jmp short Waterfal.00789063
0078905B 3106 xor dword ptr ds:[esi],eax
0078905D 011E add dword ptr ds:[esi],ebx
0078905F 83C6 04 add esi,4
00789062 49 dec ecx
00789063 0BC9 or ecx,ecx
00789065 ^ 75 F4 jnz short Wanderfull.0078905B
00789067 61 popad
00789068 C9 leave
00789069 C2 1000 retn 10
0078906C 0000 add byte ptr ds:[eax],al
0078906E 0000 add byte ptr ds:[eax],al
00789070 0000 add byte ptr ds:[eax],al
00789072 0000 add byte ptr ds:[eax],al
00789074 0000 add byte ptr ds:[eax],al
00789076 0000 add byte ptr ds:[eax],al
00789068后跳转到:
00602000 B8 00000000 mov eax,0
00602005 60 pushad
00602006 0BC0 or eax,eax
00602008 74 68 je short Wanderfull.00602072
0060200A E8 00000000 call Wanderfull.0060200F
0060200F 58 pop eax
00602010 05 53000000 add eax,53
00602015 8038 E9 cmp byte ptr ds:[eax],0E9
00602018 75 13 jnz short Wanderfull.0060202D
0060201A 61 popad
0060201B EB 45 jmp short Wanderfull.00602062
0060201D DB2D 5C476A00 fld tbyte ptr ds:[6A475C]
00602023 FFFF ??? ; 未知命令
00602025 FFFF ??? ; 未知命令
00602027 FFFF ??? ; 未知命令
00602029 FFFF ??? ; 未知命令
0060202B 3D 40E80000 cmp eax,0E840
00602030 0000 add byte ptr ds:[eax],al
00602032 58 pop eax
00602033 25 00F0FFFF and eax,FFFFF000
00602038 33FF xor edi,edi
0060203A 66:BB 195A mov bx,5A19
0060203E 66:83C3 34 add bx,34
00602042 66:3918 cmp word ptr ds:[eax],bx
00602045 75 12 jnz short Wanderfull.00602059
00602047 0FB750 3C movzx edx,word ptr ds:[eax+3C]
0060204B 03D0 add edx,eax
0060204D BB E9440000 mov ebx,44E9
00602052 83C3 67 add ebx,67
00602055 391A cmp dword ptr ds:[edx],ebx
00602057 74 07 je short Wanderfull.00602060
00602059 2D 00100000 sub eax,1000
0060205E ^ EB DA jmp short Wanderfull.0060203A
00602060 8BF8 mov edi,eax
00602062 B8 14300400 mov eax,43014
00602067 03C7 add eax,edi
00602069 B9 59222000 mov ecx,202259
0060206E 03CF add ecx,edi
00602070 EB 0A jmp short Wanderfull.0060207C
00602072 B8 14304400 mov eax,Wanderfull.00443014
00602077 B9 59226000 mov ecx,Wanderfull.00602259
0060207C 50 push eax
0060207D 51 push ecx
0060207E E8 87000000 call Wanderfull.0060210A
00602083 E8 00000000 call Wanderfull.00602088
00602088 58 pop eax
00602089 2D 26000000 sub eax,26
0060208E B9 8D496A00 mov ecx,Wanderfull.006A498D
00602093 81E9 A0476A00 sub ecx,Wanderfull006A47A0
00602099 8948 01 mov dword ptr ds:[eax+1],ecx
0060209C C600 E9 mov byte ptr ds:[eax],0E9
0060209F 61 popad
006020A0 E9 AF010000 jmp Wanderfull.00602254
006020A5 04 00 add al,0
006020A7 0000 add byte ptr ds:[eax],al
006020A9 98 cwde
006020AA 0000 add byte ptr ds:[eax],al
006020AC 0000 add byte ptr ds:[eax],al
006020AE 0000 add byte ptr ds:[eax],al
006020B0 0000 add byte ptr ds:[eax],al
006020B2 0000 add byte ptr ds:[eax],al
006020B4 0000 add byte ptr ds:[eax],al
006020B6 0000 add byte ptr ds:[eax],al
006020B8 0000 add byte ptr ds:[eax],al
006020BA 0000 add byte ptr ds:[eax],al
尝试以006020A0为OEP,失败。
然后跳到:
00602254 - E9 BB0DE4FF jmp Waterfal.00443014
00602259 - E9 381C3753 jmp 53973E96
0060225E 01EA add edx,ebp
00602260 F2: prefix repne:
00602261 223B and bh,byte ptr ds:[ebx]
00602263 842F test byte ptr ds:[edi],ch
00602265 07 pop es
00602266 72 65 jb short Waterfal.006022CD
00602268 67:6B30 79 imul esi,dword ptr ds:[bx+si],79
0060226C 2E: prefix cs:
0060226D 64:61 popad
请问这么多的POPAD,到底哪里是OEP呢?盼望各位不吝赐教。