Problem repairing a file after unpacking
Unpacking target: DivX.dll (C:\Windows\System32\DivX.dll)
DivX download: http://www.divx.com/divx/divxpro/download/
Test tool: TMPGENC
http://download.pegasys-inc.com/download_files/TMPGEnc-2.524.63.181-Free.zip
Step with F8 until execution stops at 10202A7D
10202A67 > B8 58332010 mov eax,DivX.10203358 ------->entry point
10202A6C 50 push eax
10202A6D 64:FF35 0000>push dword ptr fs:[0]
10202A74 64:8925 0000>mov dword ptr fs:[0],esp
10202A7B 33C0 xor eax,eax
10202A7D 8908 mov dword ptr ds:[eax],ecx
Go to 10203358, set the new EIP directly at 1020337A -> set a breakpoint -> press F9 twice -> remove the breakpoint
10203358 B8 02222000 mov eax,202202
1020335D 8D88 7911001>lea ecx,dword ptr ds:[eax+10001179]
10203363 8941 01 mov dword ptr ds:[ecx+1],eax
10203366 8B5424 04 mov edx,dword ptr ss:[esp+4]
1020336A 8B52 0C mov edx,dword ptr ds:[edx+C]
1020336D C602 E9 mov byte ptr ds:[edx],0E9
10203370 83C2 05 add edx,5
10203373 2BCA sub ecx,edx
10203375 894A FC mov dword ptr ds:[edx-4],ecx
10203378 33C0 xor eax,eax
1020337A C3 retn
1020337B B8 78563412 mov eax,12345678
It becomes this:
1020337A C3 retn
1020337B B8 02222000 mov eax,202202
Set the new EIP at 1020337B and step with F8 until 10203423, which jumps to the OEP
1020341B 8BC6 mov eax,esi
1020341D 5A pop edx
1020341E 5E pop esi
1020341F 5F pop edi
10203420 59 pop ecx
10203421 5B pop ebx
10203422 5D pop ebp
10203423 FFE0 jmp eax ------->jumps to OEP 101117F0
10203425 F0:17 lock pop ss ; LOCK prefix is not allowed
101117F0 ? 55 push ebp ------->OEP
101117F1 . 8BEC mov ebp,esp
101117F3 . 53 push ebx
101117F4 ? 8B5D 08 mov ebx,dword ptr ss:[ebp+8]
101117F7 . 56 push esi
101117F8 ? 8B75 0C mov esi,dword ptr ss:[ebp+C]
101117FB . 57 push edi
101117FC ? 8B7D 10 mov edi,dword ptr ss:[ebp+10]
101117FF . 85F6 test esi,esi
10111801 . 75 09 jnz short DivX.1011180C
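After dumping and repairing the import table, the DivX window cannot be brought up when using TMPGENC for MPEG-4 encoding.
I don't know whether this is an IAT error.
The repaired IAT file
Asking the experts for guidance, THX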