ARM double-process packer. Following the unpacking method, I have already dumped the exe file.
This step is locating the Magic Jmp. After a long trek I arrived here, and I have a question:
00C1E6AB 6A 00 push 0
00C1E6AD FF15 C4C0C200 call dword ptr ds:[C2C0C4] ; KERNEL32.GetModuleHandleA
00C1E6B3 3985 B0E9FFFF cmp dword ptr ss:[ebp-1650],eax ; ttt.00400000
00C1E6B9 75 0F jnz short 00C1E6CA
00C1E6BB C785 ACE9FFFF 4002>mov dword ptr ss:[ebp-1654],0C30240
00C1E6C5 E9 C3000000 jmp 00C1E78D
00C1E6CA 83A5 84E7FFFF 00 and dword ptr ss:[ebp-187C],0
00C1E6D1 C785 80E7FFFF 5008>mov dword ptr ss:[ebp-1880],0C30850
00C1E6DB EB 1C jmp short 00C1E6F9
00C1E6DD 8B85 80E7FFFF mov eax,dword ptr ss:[ebp-1880]
00C1E6E3 83C0 0C add eax,0C
00C1E6E6 8985 80E7FFFF mov dword ptr ss:[ebp-1880],eax
00C1E6EC 8B85 84E7FFFF mov eax,dword ptr ss:[ebp-187C]
00C1E6F2 40 inc eax
00C1E6F3 8985 84E7FFFF mov dword ptr ss:[ebp-187C],eax
00C1E6F9 8B85 80E7FFFF mov eax,dword ptr ss:[ebp-1880]
00C1E6FF 8338 00 cmp dword ptr ds:[eax],0
00C1E702 0F84 85000000 je 00C1E78D <<<==== is this the Magic Jmp?
00C1E708 8B85 80E7FFFF mov eax,dword ptr ss:[ebp-1880]
00C1E70E 8B40 08 mov eax,dword ptr ds:[eax+8]
00C1E711 83E0 01 and eax,1
00C1E714 85C0 test eax,eax
00C1E716 74 25 je short 00C1E73D
00C1E718 A1 DCB8C300 mov eax,dword ptr ds:[C3B8DC]
00C1E71D 8B0D DCB8C300 mov ecx,dword ptr ds:[C3B8DC] ; ttt.005F1260
00C1E723 8B40 78 mov eax,dword ptr ds:[eax+78]
00C1E726 3341 70 xor eax,dword ptr ds:[ecx+70]
00C1E729 8B0D DCB8C300 mov ecx,dword ptr ds:[C3B8DC] ; ttt.005F1260
00C1E72F 3341 68 xor eax,dword ptr ds:[ecx+68]
00C1E732 25 80000000 and eax,80
00C1E737 85C0 test eax,eax
00C1E739 74 02 je short 00C1E73D
00C1E73B ^ EB A0 jmp short 00C1E6DD
00C1E73D 8B85 84E7FFFF mov eax,dword ptr ss:[ebp-187C]
00C1E743 8B0D 0876C300 mov ecx,dword ptr ds:[C37608]
00C1E749 8B15 DCB8C300 mov edx,dword ptr ds:[C3B8DC] ; ttt.005F1260
After I patched the Magic Jmp above and pressed F9, a memory access violation occurred (is the SEH chain too long?).
So I switched to manually changing the Z flag instead, but after only 5-7 changes it ran to the OEP, and the import table still did not avoid the encryption.
Could the experts please take a look at where I went wrong? Thanks in advance.