After reading fly's tutorial on unpacking the VFP&EXENC main program, I tried my hand at the software below,
but the result was far from satisfactory. Could everyone help me see what the cause is?
Shengxin Production Management System, Enhanced Network Edition V7.16 (胜新生产管理系统加强网络版V7.16)
win2k + od_fix + importRec; ignore all exceptions, hide OD, and load:
00432BA2 > 60 pushad
00432BA3 E8 00000000 call SXSCGLZQ.00432BA8
00432BA8 5D pop ebp
00432BA9 81ED 06104000 sub ebp,SXSCGLZQ.00401006
00432BAF 8D85 56104000 lea eax,dword ptr ss:[ebp+401056]
00432BB5 50 push eax
00432BB6 64:FF35 0000000>push dword ptr fs:[0]
00432BBD 64:8925 0000000>mov dword ptr fs:[0],esp
00432BC4 CC int3
00432BC5 90 nop
00432BC6 64:8F05 0000000>pop dword ptr fs:[0]
00432BCD 83C4 04 add esp,4
00432BD0 74 05 je short SXSCGLZQ.00432BD7
00432BD2 75 03 jnz short SXSCGLZQ.00432BD7
00432BD4 EB 07 jmp short SXSCGLZQ.00432BDD
00432BD6 59 pop ecx
00432BD7 8D9D 00104000 lea ebx,dword ptr ss:[ebp+401000]
00432BDD 53 push ebx
00432BDE 5F pop edi
00432BDF 2BFA sub edi,edx
00432BE1 57 push edi
00432BE2 8A03 mov al,byte ptr ds:[ebx]
00432BE4 3007 xor byte ptr ds:[edi],al
00432BE6 43 inc ebx ////////////
//////// Set a breakpoint here and run with F9. Once it breaks, remove this breakpoint, then set a hardware breakpoint with hr esp. Continue running with F9.
00432BE7 47 inc edi
00432BE8 ^ E2 F8 loopd short SXSCGLZQ.00432BE2
00432BEA 58 pop eax
00432BEB 894424 1C mov dword ptr ss:[esp+1C],eax ///////
//// The hardware breakpoint fires here; remove the hardware breakpoint set above. F8 until just after the JMP EAX.
00432BEF 61 popad
00432BF0 FFE0 jmp eax
After the jump it looks like this:
0042F001 60 pushad
0042F002 E8 03000000 call SXSCGLZQ.0042F00A
0042F007 - E9 EB045D45 jmp 459FF4F7
0042F00C 55 push ebp
0042F00D C3 retn
0042F00E E8 01000000 call SXSCGLZQ.0042F014
Searching for the instruction lods word ptr ds:[esi] leads here:
0042F272 66:AD lods word ptr ds:[esi]
0042F274 66:AB stos word ptr es:[edi]
0042F276 ^ EB F1 jmp short SXSCGLZQ.0042F269
0042F278 BE 00500200 mov esi,25000 ///// Boss FLY said this is the RVA, so that is what I entered in importRec below.
0042F27D 8B95 22040000 mov edx,dword ptr ss:[ebp+422]
0042F283 03F2 add esi,edx
0042F285 8B46 0C mov eax,dword ptr ds:[esi+C]
0042F288 85C0 test eax,eax
0042F28A 0F84 0A010000 je SXSCGLZQ.0042F39A
So I entered G 42F39A in the command bar and arrived here:
0042F39A B8 430F0200 mov eax,20F43
0042F39F 50 push eax
0042F3A0 0385 22040000 add eax,dword ptr ss:[ebp+422]
0042F3A6 59 pop ecx
0042F3A7 0BC9 or ecx,ecx
0042F3A9 8985 A8030000 mov dword ptr ss:[ebp+3A8],eax
0042F3AF 61 popad
0042F3B0 75 08 jnz short SXSCGLZQ.0042F3BA
0042F3B2 B8 01000000 mov eax,1
0042F3B7 C2 0C00 retn 0C
0042F3BA 68 430F4200 push SXSCGLZQ.00420F43
0042F3BF C3 retn //////////// Press F4 to run directly to this instruction,
then F8 returns to the following:
00420F43 60 pushad
00420F44 E8 00000000 call SXSCGLZQ.00420F49
00420F49 5D pop ebp
00420F4A 81ED 06104000 sub ebp,SXSCGLZQ.00401006
00420F50 8D85 56104000 lea eax,dword ptr ss:[ebp+401056]
00420F56 50 push eax
00420F57 64:FF35 0000000>push dword ptr fs:[0]
00420F5E 64:8925 0000000>mov dword ptr fs:[0],esp
00420F65 CC int3
00420F66 90 nop
00420F67 64:8F05 0000000>pop dword ptr fs:[0]
00420F6E 83C4 04 add esp,4
00420F71 74 05 je short SXSCGLZQ.00420F78
00420F73 75 03 jnz short SXSCGLZQ.00420F78
00420F75 EB 07 jmp short SXSCGLZQ.00420F7E
00420F77 59 pop ecx
00420F78 8D9D 00104000 lea ebx,dword ptr ss:[ebp+401000]
00420F7E 53 push ebx
00420F7F 5F pop edi
00420F80 2BFA sub edi,edx
00420F82 57 push edi
00420F83 8A03 mov al,byte ptr ds:[ebx]
00420F85 3007 xor byte ptr ds:[edi],al
00420F87 43 inc ebx //////////// same as at the very beginning
//////// Set a breakpoint here and run with F9. Once it breaks, remove this breakpoint, then set a hardware breakpoint with hr esp. Continue running with F9.
00420F88 47 inc edi
00420F89 ^ E2 F8 loopd short SXSCGLZQ.00420F83
00420F8B 58 pop eax
00420F8C 894424 1C mov dword ptr ss:[esp+1C],eax /////// same as at the beginning
//// The hardware breakpoint fires here; remove the hardware breakpoint set above. F8 until just after the JMP EAX.
00420F90 61 popad
00420F91 FFE0 jmp eax
After the jump it looks like this. This should be the deepest-level OEP, right? I dumped it as dump.exe
0041FBD8 55 push ebp
0041FBD9 8BEC mov ebp,esp
0041FBDB B9 0A000000 mov ecx,0A
0041FBE0 6A 00 push 0
0041FBE2 6A 00 push 0
0041FBE4 49 dec ecx
0041FBE5 ^ 75 F9 jnz short SXSCGLZQ.0041FBE0
0041FBE7 53 push ebx
0041FBE8 56 push esi
0041FBE9 57 push edi
At this point, using importRec, I filled in OEP=1FBD8, RVA=25000, Size=1000 for the IAT, clicked Get Imports, deleted all entries marked valid:NO, and fixed dump.exe.
When I then run dump.exe, I find that it opens the Fox environment but reports that this is not a FoxPro exe.
What steps am I still missing in this process?
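The decoder loop that the two stubs above run (00432BE2..00432BE8 and 00420F83..00420F89) XORs a region EDX bytes below the stub entry with the stub's own bytes, ECX times. Below is an added C emulation of that loop over a constructed buffer, not code from the post or the program; the sample image, offsets and the register values EDX/ECX are assumptions, since the listing shows them only as whatever the loader left in the registers.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Emulates the stub loop on a copy of the image:
 *   ebx = stub entry (ebp+401000 after the delta fix-up), edi = ebx - edx
 *   repeat ecx times: al = [ebx]; [edi] ^= al; ebx++; edi++
 * ecx and edx are the loader's entry-point register values, so they are
 * passed in. Returns the number of bytes decoded, or 0 when the key or
 * target window would leave the buffer (or ecx is 0, which LOOPD would
 * treat as 2^32 iterations). */
size_t emulate_xor_layer(uint8_t *image, size_t image_len,
                         size_t ep_off, uint32_t edx, uint32_t ecx)
{
    if (ecx == 0 || ep_off >= image_len || edx > ep_off) return 0;
    size_t target = ep_off - edx;
    if (ecx > image_len - ep_off || ecx > image_len - target) return 0;
    for (uint32_t i = 0; i < ecx; i++) {
        uint8_t al = image[ep_off + i];    /* mov al, byte ptr ds:[ebx] */
        image[target + i] ^= al;           /* xor byte ptr ds:[edi], al */
    }
    return ecx;
}

/* Constructed sample (not taken from the program in the post): the stub's
 * first bytes (pushad; call $+5; pop ebp; sub ebp,...) act as the key window,
 * and a small "encrypted" region sits EDX bytes below it. */
static const uint8_t STUB_HEAD[8] = {0x60,0xE8,0x00,0x00,0x00,0x00,0x5D,0x81};
static const uint8_t PLAIN[8]     = {'O','E','P','_','C','O','D','E'};

/* Builds the sample image, runs the emulation and reports whether the
 * target window came out as the expected plaintext (1) or not (0). */
int run_sample(void)
{
    uint8_t image[64] = {0};
    const size_t ep_off = 32, edx = 16, ecx = 8;
    memcpy(image + ep_off, STUB_HEAD, 8);
    for (size_t i = 0; i < 8; i++)
        image[ep_off - edx + i] = PLAIN[i] ^ STUB_HEAD[i]; /* "encrypt" */
    if (emulate_xor_layer(image, sizeof image, ep_off, edx, ecx) != ecx)
        return 0;
    return memcmp(image + ep_off - edx, PLAIN, 8) == 0;
}

int main(void)
{
    printf("sample decoded correctly: %s\n", run_sample() ? "yes" : "no");
    return 0;
}
```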