SE 加壳时,会合并区段,但是各段头的信息没有全部擦掉
资源信息仍保存的比较完整
用 OD 运行脚本完成修复 IAT、调用、被抽取的代码等之后,程序已经还原为
最初状态(除了 IAT 排序外,调用地址也由脚本修正为现行状态),基本完美时
剩下的就是修复资源了
从 OEP 处搜索 04080000????0000000000000000000000000000000001000408
可以找到原资源段的完整信息
但资源片指针被替换了,其实修复的任务也就是修正这些指针,把被 SE 抽取到内存
各个新段中分散的资源数据重新排列回 404000 段,这样脱壳才能完美
00404000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 05 00 404000 原资源段起始位置
00404010 03 00 00 00 38 00 00 80 05 00 00 00 58 00 00 80
00404020 06 00 00 00 78 00 00 80 0E 00 00 00 90 00 00 80
00404030 10 00 00 00 A8 00 00 80 00 00 00 00 00 00 00 00
00404040 00 00 00 00 00 00 02 00 01 00 00 00 C0 00 00 80
00404050 02 00 00 00 D8 00 00 80 00 00 00 00 00 00 00 00
00404060 00 00 00 00 00 00 02 00 64 00 00 00 F0 00 00 80
00404070 66 00 00 00 08 01 00 80 00 00 00 00 00 00 00 00
00404080 00 00 00 00 00 00 01 00 07 00 00 00 20 01 00 80
00404090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00
004040A0 80 00 00 00 38 01 00 80 00 00 00 00 00 00 00 00
004040B0 00 00 00 00 00 00 01 00 01 00 00 00 50 01 00 80
004040C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00
004040D0 04 08 00 00 68 01 00 00 00 00 00 00 00 00 00 00
004040E0 00 00 00 00 00 00 01 00 04 08 00 00 78 01 00 00 二进制找到的是这里(按上面的字节,该模式最早在 004040D0 处即可匹配;脚本随后按 0x18 步进跳过所有 0804 语言项,所以从哪一处开始匹配,结果都一样)
004040F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00
00404100 04 08 00 00 88 01 00 00 00 00 00 00 00 00 00 00
00404110 00 00 00 00 00 00 01 00 04 08 00 00 98 01 00 00
00404120 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00
00404130 04 08 00 00 A8 01 00 00 00 00 00 00 00 00 00 00
00404140 00 00 00 00 00 00 01 00 04 08 00 00 B8 01 00 00
00404150 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00
00404160 04 08 00 00 C8 01 00 00 38 01 6E 00 E8 02 00 00 从这行开始可以获取到 资源片被抽取到新地址的全部指针
00404170 00 00 00 00 00 00 00 00 48 0D 6F 00 28 01 00 00
00404180 00 00 00 00 00 00 00 00 D4 05 70 00 C6 00 00 00
00404190 00 00 00 00 00 00 00 00 E4 02 71 00 74 00 00 00
004041A0 00 00 00 00 00 00 00 00 F0 0A 72 00 38 00 00 00
004041B0 00 00 00 00 00 00 00 00 B8 05 73 00 22 00 00 00
004041C0 00 00 00 00 00 00 00 00 E0 04 74 00 BC 02 00 00 是什么不重要,我们让脚本来完成这个任务
004041D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 从最后一个指针处偏移 0x10 的资源数据被全部擦除
004041E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
004041F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00404200 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
脚本的好处是不用你去熟悉什么 Stud_PE 之类的工具(我还真不会用,呵呵)
最后,如果对壳有兴趣,还是老实去学习 PE 等最基础的东西,一上来就问 VMP 如何还原、如何脱 TMD,是没用的
奉上脚本: 基本通用(脚本假定基址为 400000、资源目录从页边界开始、语言项为 0804;用于其它程序时需相应调整)
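// ODbgScript: rebuild the resource section of a SafeEngine (SE) dump.
//
// SE leaves the IMAGE_RESOURCE_DIRECTORY tree in the original .rsrc section
// (00404000 in the dump above) intact, but rewrites every
// IMAGE_RESOURCE_DATA_ENTRY so that OffsetToData points into the new sections
// the resource bodies were scattered into, and wipes the bodies that used to
// follow the data entries.
//
// What the script does:
//   1. finds the run of 0x0804 (zh-CN) language directories inside .rsrc;
//   2. from there locates the first data entry and counts the entries
//      (up to the first all-zero 16-byte slot);
//   3. copies every resource body back behind the data entries and rewrites
//      each OffsetToData with the RVA of the copy.
//
// Assumptions - check them against your own dump before running:
//   * the module is loaded at image_base (400000 here; "gmi eip,MODULEBASE"
//     gives the real value) and the OffsetToData values are RVAs;
//   * the .rsrc directory starts on a page boundary and the search pattern
//     matches inside its first page;
//   * every language directory is a single 0x0804 entry (0x18 bytes);
//   * the old section has enough room behind the data entries for all the
//     bodies - nothing here checks the section size, so verify it first.
// Run it only after the IAT / stolen-code repair, on the dump you will save.

var image_base      // module base, added to every RVA before reading
var rc_base         // VA of the original .rsrc section
var dir_entries     // root directory entry count, bounds the RT_DIALOG scan
var Dlg             // VA of the data entry of the first RT_DIALOG (0 if none)
var new_rc_addr     // VA where the next recovered body is written
var rc_start        // VA of the IMAGE_RESOURCE_DATA_ENTRY being fixed
var rc_len          // its Size field
var rc_addr         // VA of the extracted body (OffsetToData + image_base)
var rc_data         // the copied bytes
var i               // data entries left to process
var tmp
var temp

mov image_base,400000

call _find_rc
cmp i,0
je fix_end                  // pattern not found: _find_rc already reported it

_loop_w:
// The original script pads the destination by 2 bytes before the first
// dialog template so that the copy lands where the original layout had it
// (DLGTEMPLATE wants DWORD alignment). Behaviour kept as-is; verify the
// resulting offsets if your dump holds more than one dialog.
cmp rc_start,Dlg
jne _copy_one
add new_rc_addr,2
_copy_one:
mov rc_addr,[rc_start],4    // OffsetToData: RVA of the extracted body
mov rc_len,[rc_start+4],4   // Size
add rc_addr,image_base
mov rc_data,[rc_addr],rc_len
mov [new_rc_addr],rc_data   // put the body back into the old section
mov temp,new_rc_addr
sub temp,image_base
mov [rc_start],temp         // OffsetToData = RVA of the copy (4-byte write)
add rc_start,10             // next IMAGE_RESOURCE_DATA_ENTRY (16 bytes each)
add new_rc_addr,rc_len      // bodies are packed back to back, no alignment
dec i
cmp i,0
jne _loop_w
jmp fix_end

// _find_rc: locate the directory tree and fill in rc_base, Dlg, rc_start,
// new_rc_addr and i. On failure i is left at 0 and a message box says why.
_find_rc:
mov temp,image_base
add temp,1000
find temp,#04080000????0000000000000000000000000000000001000408#
cmp $RESULT,0
jne _rc_found
msg "Resource directory pattern (0x0804 language entries) not found - adjust the pattern for this binary"
mov i,0
ret
_rc_found:
mov temp,$RESULT
mov rc_base,temp
div rc_base,1000
mul rc_base,1000            // round down to the page = start of the .rsrc directory

// --- first RT_DIALOG (type 5) data entry, bounded by the root entry count ---
mov Dlg,0
mov dir_entries,[rc_base+0C],2   // NumberOfNamedEntries
mov tmp,[rc_base+0E],2           // NumberOfIdEntries
add dir_entries,tmp
mov tmp,rc_base
add tmp,10                       // first IMAGE_RESOURCE_DIRECTORY_ENTRY of the root
_find_05:
cmp dir_entries,0
je _find_804_end                 // no dialog resource: Dlg stays 0, no padding applied
cmp [tmp],#05000000#,4           // Name/Id field == RT_DIALOG
je _found_05
add tmp,8
dec dir_entries
jmp _find_05
_found_05:
mov tmp,[tmp+4],4                // -> type-5 directory (high bit = subdirectory flag)
and tmp,7FFFFFFF
add tmp,rc_base
mov tmp,[tmp+14],4               // entry 0 -> language directory of the first dialog
and tmp,7FFFFFFF
add tmp,rc_base
mov tmp,[tmp+14],4               // entry 0 -> its IMAGE_RESOURCE_DATA_ENTRY
and tmp,7FFFFFFF
add tmp,rc_base
mov Dlg,tmp

// --- skip the 0x0804 language directories (0x18 bytes each) ---
_find_804_end:
add temp,18
cmp [temp],#0408#,2
je _find_804_end
mov rc_start,temp
sub rc_start,10                  // data entries begin 8 bytes after the last 0x0804 entry

// --- count data entries up to the first all-zero slot ---
mov i,0
mov temp,rc_start
_count_entries:
cmp [temp],0
je _count_done
inc i
add temp,10
jmp _count_entries
_count_done:
mov new_rc_addr,temp             // first wiped slot: bodies are rebuilt from here
ret

fix_end:
ret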