Post #9
ctrl+g 0101F6DF
F4
0101F6DF E8 A3080000 CALL calc.0101FF87 ;do not step into this call
0101F6E4 60 PUSHAD ;set EIP directly to this line
......
0101F7AB 61 POPAD
0101F7AC C3 RETN
RETN returns here:
00280000 E8 09020000 CALL 0028020E
00280005 55 PUSH EBP
To keep the checksum intact, first back up part of the code:
(OllyHelper Plugin) AllocMem at 290000
mem 280000 select all,binary copy
mem 290000 select all,binary paste
ctrl+g 00281AFA
00281AFA 2B848D C1180000 SUB EAX,DWORD PTR SS:[EBP+ECX*4+18C1]
change to:
00281AFA 2B848D C1180100 SUB EAX,DWORD PTR SS:[EBP+ECX*4+118C1]
Here 118C1 = 18C1 + 290000 - 280000, which takes care of the checksum.
Examine the code at 010209E0:
010209E0 8B85 FCF7FFFF MOV EAX,DWORD PTR SS:[EBP-804]
010209E6 3D B168DEFA CMP EAX,FADE68B1
010209EB 0F85 0B010000 JNZ calc.01020AFC
......
01020A8C E8 CD060000 CALL calc.0102115E
Based on the analysis above, modify the following lines:
00281B1D E8 0C000000 CALL 00281B2E
00281B22 83EC 04 SUB ESP,4
00281B25 830424 0D ADD DWORD PTR SS:[ESP],0D
00281B29 68 B168DEFA PUSH FADE68B1
00281B2E C3 RETN
change to:
00281B1D E8 3CF6D900 CALL calc.0102115E
00281B22 83C4 1C ADD ESP,1C
00281B25 90 NOP
00281B26 90 NOP
00281B27 90 NOP
00281B28 90 NOP
00281B29 90 NOP
00281B2A 90 NOP
00281B2B 90 NOP
00281B2C 90 NOP
00281B2D 90 NOP
00281B2E 90 NOP
ctrl+g :
00282650 8DBD 03180000 LEA EDI,DWORD PTR SS:[EBP+1803]
At this point the IAT processing is complete.
The rest is simple: keep tracing and you end up here. The OEP should be just before this; I couldn't be bothered to look at how to repair the stolen code.
0101247C E8 47030000 CALL calc.010127C8
01012481 33DB XOR EBX,EBX
01012483 53 PUSH EBX
01012484 8B3D 20100001 MOV EDI,DWORD PTR DS:[1001020] ; KERNEL32.GetModuleHandleA
0101248A FFD7 CALL EDI
What remains are the CCs; the relevant code is as follows:
0102089A 8B85 FCF7FFFF MOV EAX,DWORD PTR SS:[EBP-804]
010208A0 48 DEC EAX
010208A1 33D2 XOR EDX,EDX
010208A3 0FA4C2 10 SHLD EDX,EAX,10
010208A7 80E2 0F AND DL,0F
010208AA 8BBD D8F6FFFF MOV EDI,DWORD PTR SS:[EBP-928]
010208B0 81C7 DC090000 ADD EDI,9DC ;cc table
010208B6 0FB60F MOVZX ECX,BYTE PTR DS:[EDI]
010208B9 898D 84F6FFFF MOV DWORD PTR SS:[EBP-97C],ECX
010208BF EB 16 JMP SHORT calc.010208D7
010208C1 8D7C8F 02 LEA EDI,DWORD PTR DS:[EDI+ECX*4+2]
010208C5 0FB60F MOVZX ECX,BYTE PTR DS:[EDI]
010208C8 018D 84F6FFFF ADD DWORD PTR SS:[EBP-97C],ECX
010208CE 83BD 84F6FFFF 78 CMP DWORD PTR SS:[EBP-97C],78
010208D5 73 5F JNB SHORT calc.01020936
010208D7 3A57 01 CMP DL,BYTE PTR DS:[EDI+1]
010208DA ^75 E5 JNZ SHORT calc.010208C1
010208DC 8B8D 84F6FFFF MOV ECX,DWORD PTR SS:[EBP-97C]
010208E2 D1E1 SHL ECX,1
010208E4 83C7 02 ADD EDI,2
010208E7 F2:66:AF REPNE SCAS WORD PTR ES:[EDI]
010208EA 74 02 JE SHORT calc.010208EE
010208EC EB 48 JMP SHORT calc.01020936
010208EE 66:8B17 MOV DX,WORD PTR DS:[EDI]
010208F1 8B9D 04F8FFFF MOV EBX,DWORD PTR SS:[EBP-7FC]
010208F7 9C PUSHFD
010208F8 0AD2 OR DL,DL
010208FA 75 0A JNZ SHORT calc.01020906 ;jz short xxxx
010208FC 53 PUSH EBX
010208FD 9D POPFD
010208FE 75 0E JNZ SHORT calc.0102090E
01020900 8AD6 MOV DL,DH
01020902 EB 0A JMP SHORT calc.0102090E
01020904 EB 08 JMP SHORT calc.0102090E
01020906 8AD6 MOV DL,DH ;jnz short xxxx
01020908 53 PUSH EBX
01020909 9D POPFD
0102090A 75 02 JNZ SHORT calc.0102090E
0102090C 32D2 XOR DL,DL
0102090E 9D POPFD
0102090F 0FB6D2 MOVZX EDX,DL
01020912 42 INC EDX
01020913 84D2 TEST DL,DL
01020915 79 06 JNS SHORT calc.0102091D
01020917 81CA 00FFFFFF OR EDX,FFFFFF00
0102091D 0195 FCF7FFFF ADD DWORD PTR SS:[EBP-804],EDX
I wrote a piece of code to repair it:
00283C00 60 PUSHAD
00283C01 BB 00000001 MOV EBX,1000000
00283C06 BE 00F00101 MOV ESI,101F000
00283C0B 81C6 DC090000 ADD ESI,9DC
00283C11 0FB60E MOVZX ECX,BYTE PTR DS:[ESI]
00283C14 0FB656 01 MOVZX EDX,BYTE PTR DS:[ESI+1]
00283C18 C1E2 10 SHL EDX,10
00283C1B 03D3 ADD EDX,EBX
00283C1D 83C6 02 ADD ESI,2
00283C20 0FB706 MOVZX EAX,WORD PTR DS:[ESI]
00283C23 03C2 ADD EAX,EDX
00283C25 8BF8 MOV EDI,EAX
00283C27 66:813F CC90 CMP WORD PTR DS:[EDI],90CC
00283C2C 75 0B JNZ SHORT 00283C39
00283C2E B0 74 MOV AL,74
00283C30 0246 02 ADD AL,BYTE PTR DS:[ESI+2]
00283C33 8A66 03 MOV AH,BYTE PTR DS:[ESI+3]
00283C36 66:8907 MOV WORD PTR DS:[EDI],AX
00283C39 83C6 04 ADD ESI,4
00283C3C 49 DEC ECX
00283C3D ^75 E1 JNZ SHORT 00283C20
00283C3F 803E 00 CMP BYTE PTR DS:[ESI],0
00283C42 ^75 CD JNZ SHORT 00283C11
00283C44 61 POPAD
00283C45 90 NOP
With that it runs as a single process in my OD. There seems to be a Zw... anti-debug check somewhere in the earlier steps that I haven't mentioned; I don't know why, but I got past it with my eyes closed.
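The CC-table walk that post #9 patches by hand at 00283C00, rewritten as an added Python example (not code from the post). The table layout is inferred from the listings at 0102089A-0102091D and 00283C00 and is an assumption: groups of [count][page] followed by `count` 4-byte entries [addr_lo16][type][disp], terminated by a count byte of 0; the constructed image and table below are sample data.

```python
# Added example, not from the post: a model of the CC-table repair.
# Assumed layout (inferred from the listing): [count][page] then `count`
# entries of <HBB> = (addr_lo16, type, disp), repeated until count == 0.
# `page` is bits 16..19 of the address, so the CC byte sits at
# image_base + (page << 16) + addr_lo16. Each "CC 90" pair stands in for a
# 2-byte short jump: type 0 -> JE (74 disp), type 1 -> JNE (75 disp).
import struct

IMAGE_BASE = 0x01000000  # calc.exe base used by the post's patch code


def parse_cc_table(table: bytes, image_base: int):
    """Yield (address, type, disp) for every entry until the 0-count terminator."""
    pos = 0
    while table[pos] != 0:
        count, page = table[pos], table[pos + 1]
        pos += 2
        for _ in range(count):
            lo16, typ, disp = struct.unpack_from("<HBB", table, pos)
            yield image_base + (page << 16) + lo16, typ, disp
            pos += 4


def repair_image(image: bytearray, image_base: int, table: bytes) -> int:
    """Rewrite each listed CC 90 as 74/75 disp in place; return the patch count."""
    patched = 0
    for addr, typ, disp in parse_cc_table(table, image_base):
        off = addr - image_base
        if image[off:off + 2] != b"\xCC\x90":
            continue  # not the expected stub (already repaired?): leave it alone
        image[off] = 0x74 + typ  # 74 = JE, 75 = JNE
        image[off + 1] = disp    # signed rel8, same byte the stub handler adds
        patched += 1
    return patched


def demo():
    # Constructed sample: two stubs in page 1 (VA 0101xxxx), one in page 2.
    img = bytearray(0x30000)
    for off in (0x12345, 0x12400, 0x20010):
        img[off:off + 2] = b"\xCC\x90"
    table = (bytes([2, 1]) + struct.pack("<HBB", 0x2345, 0, 0x10)
                           + struct.pack("<HBB", 0x2400, 1, 0xF0)
             + bytes([1, 2]) + struct.pack("<HBB", 0x0010, 0, 0x05)
             + bytes([0]))
    n = repair_image(img, IMAGE_BASE, table)
    return (n, bytes(img[0x12345:0x12347]), bytes(img[0x12400:0x12402]),
            bytes(img[0x20010:0x20012]))
```

Running repair_image a second time on the same buffer patches nothing, because the stubs are no longer CC 90.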
Post #12
Originally posted by heXer: ctrl+g 0101F6DF F4 0101F6DF E8 A3080000 CALL calc.0101FF87 ;do not step into this call 0101F6E4 60 PUSHAD ;set EIP directly to this line ...... ........ The master has finally shown up~~!!!