A piece of software is packed with this packer; I looked it up and it seems to have come out in 2007.
I just don't know whether my unpacking steps are right.
10001000 >/$ E8 17000000 call DNF挂.1000101C
10001005 |. E8 68000000 call DNF挂.10001072
1000100A |. FF35 2C370010 push dword ptr ds:[1000372C]
10001010 |. E8 ED010000 call DNF挂.10001202
10001015 |. 6A 00 push 0 ; /ExitCode = 0
10001017 \. E8 2E040000 call <jmp.&kernel32.ExitProcess> ; \ExitProcess
1000101C /$ E8 41040000 call <jmp.&kernel32.GetTickCount> ; [GetTickCount
10001021 |. A3 74370010 mov dword ptr ds:[10003774],eax
10001026 |. 6A 64 push 64 ; /Timeout = 100. ms
10001028 |. E8 5F040000 call <jmp.&kernel32.Sleep> ; \Sleep
1000102D |. E8 30040000 call <jmp.&kernel32.GetTickCount> ; [GetTickCount
10001032 |. A3 78370010 mov dword ptr ds:[10003778],eax
10001037 |. 6A 64 push 64 ; /Timeout = 100. ms
10001039 |. E8 4E040000 call <jmp.&kernel32.Sleep> ; \Sleep
1000103E |. E8 1F040000 call <jmp.&kernel32.GetTickCount> ; [GetTickCount
First, load the program into OD and run it directly with F9; the program just runs straight off.
Then we set a breakpoint:
bp CreateProcessA, F9
Then look at the stack:
0012FF8C 1000136A /CALL 到 CreateProcessA 来自 DNF挂.10001365
0012FF90 00000000 |ModuleFileName = NULL
0012FF94 10003780 |CommandLine = "C:\Documents and Settings\Administrator\桌面\DNF挂.exe"
0012FF98 00000000 |pProcessSecurity = NULL
0012FF9C 00000000 |pThreadSecurity = NULL
0012FFA0 00000000 |InheritHandles = FALSE
0012FFA4 00000004 |CreationFlags = CREATE_SUSPENDED
0012FFA8 00000000 |pEnvironment = NULL
0012FFAC 00000000 |CurrentDir = NULL
0012FFB0 10003000 |pStartupInfo = DNF挂.10003000
0012FFB4 10003044 \pProcessInfo = DNF挂.10003044
Then set the next breakpoint:
bp WriteProcessMemory; after F9, look at the stack:
0012FFA0 100013D9 /CALL 到 WriteProcessMemory 来自 DNF挂.100013D4
0012FFA4 0000002C |hProcess = 0000002C
0012FFA8 005F0000 |Address = 5F0000
0012FFAC 003C0000 |Buffer = 003C0000
0012FFB0 000F3000 |BytesToWrite = F3000 (995328.)
0012FFB4 00000000 \pBytesWritten = NULL
At this point we can see the data:
0012FFA8 005F0000 |Address = 5F0000
0012FFAC 003C0000 |Buffer = 003C0000
0012FFB0 000F3000 |BytesToWrite = F3000 (995328.)
Now we open LOADPE and choose "Partial dump".
Then enter 003C0000 in "Address"
and F3000 in "Size".
Then just click OK, and the dump is saved.
Then rename the dumped file to an EXE; it won't run.
Then open LOADPE again and run "Rebuild PE" on the dumped file.
But it still doesn't work; I don't know which step is wrong,
or whether I've missed a step?
When the rebuilt file is run, it immediately prompts
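The dump step above (buffer 003C0000, F3000 bytes, written to 5F0000 in a child created with CREATE_SUSPENDED) is where this kind of unpack often goes wrong: a loader that writes a whole image into a suspended child in one call has usually laid it out as mapped in memory, so the section table's raw file offsets no longer describe the dumped bytes, and the write address may differ from the image's own ImageBase. The Python below is an added example, not the poster's code or the packer's; it parses the headers of such a dump and reports both conditions. The write address 0x5F0000 is taken from the stack listing above; the images it checks are constructed inline.

```python
import struct

# Field offsets inside IMAGE_OPTIONAL_HEADER32, and the IMAGE_SECTION_HEADER size.
OPT_IMAGEBASE, OPT_SIZEOFIMAGE, SECTION_HDR_LEN = 28, 56, 40


def build_sample_image(mapped, image_base=0x400000):
    """Constructed PE32 image (not the poster's dump): two sections, either in
    on-disk layout or in mapped layout (PointerToRawData == VirtualAddress,
    which is what a loader writing a ready image into a suspended child produces)."""
    secs = [(b".text", 0x1000, 0x400, 0x200), (b".data", 0x2000, 0x600, 0x100)]
    hdr = bytearray(0x400)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)            # e_lfanew
    hdr[0x80:0x84] = b"PE\0\0"
    # IMAGE_FILE_HEADER: Machine=i386, 2 sections, SizeOfOptionalHeader=0xE0
    struct.pack_into("<HHIIIHH", hdr, 0x84, 0x14C, len(secs), 0, 0, 0, 0xE0, 0x102)
    opt = 0x84 + 20
    struct.pack_into("<H", hdr, opt, 0x10B)            # PE32 magic
    struct.pack_into("<III", hdr, opt + OPT_IMAGEBASE, image_base, 0x1000, 0x200)
    struct.pack_into("<I", hdr, opt + OPT_SIZEOFIMAGE, 0x3000)
    for i, (name, va, raw, size) in enumerate(secs):
        off = opt + 0xE0 + i * SECTION_HDR_LEN
        struct.pack_into("<8sIIII", hdr, off, name, size, va, size, va if mapped else raw)
    return bytes(hdr).ljust(0x3000 if mapped else 0x700, b"\0")


def check_dump(buf, write_address):
    """Parse the headers of a buffer dumped from the WriteProcessMemory source and
    report what a rebuild has to account for before the file can load again."""
    if buf[:2] != b"MZ":
        return {"valid": False, "reason": "no MZ header"}
    pe = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[pe:pe + 4] != b"PE\0\0":
        return {"valid": False, "reason": "no PE signature at e_lfanew"}
    nsec = struct.unpack_from("<H", buf, pe + 6)[0]          # NumberOfSections
    opt_size = struct.unpack_from("<H", buf, pe + 20)[0]     # SizeOfOptionalHeader
    opt = pe + 24
    image_base = struct.unpack_from("<I", buf, opt + OPT_IMAGEBASE)[0]
    size_of_image = struct.unpack_from("<I", buf, opt + OPT_SIZEOFIMAGE)[0]
    secs = [struct.unpack_from("<8sIIII", buf, opt + opt_size + i * SECTION_HDR_LEN)
            for i in range(nsec)]
    # (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
    mapped = bool(secs) and all(raw == va for _, _, va, _, raw in secs)
    return {
        "valid": True,
        "image_base": image_base,
        # Written somewhere other than ImageBase: the loader relied on relocations.
        "base_matches_write_address": image_base == write_address,
        # Mapped layout: raw offsets must be pointed at the virtual addresses before
        # the dump is loadable as a file; a plain rebuild does not know to do that.
        "mapped_layout": mapped,
        "size_matches_image": len(buf) == size_of_image,
        "sections": [n.rstrip(b"\0").decode() for n, *_ in secs],
    }
```

Run `check_dump(open("dump.bin", "rb").read(), 0x5F0000)` on a real partial dump to get the same report for it.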