首页
社区
课程
招聘
[原创]Shielden v2.1.70 资源修复
发表于: 2012-9-29 08:49 9457

[原创]Shielden v2.1.70 资源修复

2012-9-29 08:49
9457

se 加壳时,会回合拼区段,但是各段头的信息没有全部擦掉

资源信息仍保存的比较完整
用 OD 运行脚本完成修复 IAT . 调用 . 被抽取的代码 等等后,程序已经还原为
最初状态(除了 IAT 排序外,调用地址也由脚本修正为现行状态),基本完美时
对下的就是修复资源了

从 OEP 处搜索  04080000????0000000000000000000000000000000001000408

可以找到原资源段的完整信息

但资源片指针被替换了,起始修复的任务也就是修正这些指针,把被 SE 抽取到内存
各个新段中分散的资源数据重新排列回 404000 段,这样脱壳才能完美

00404000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 05 00       404000 原资源段起始位置
00404010  03 00 00 00 38 00 00 80 05 00 00 00 58 00 00 80
00404020  06 00 00 00 78 00 00 80 0E 00 00 00 90 00 00 80
00404030  10 00 00 00 A8 00 00 80 00 00 00 00 00 00 00 00
00404040  00 00 00 00 00 00 02 00 01 00 00 00 C0 00 00 80
00404050  02 00 00 00 D8 00 00 80 00 00 00 00 00 00 00 00
00404060  00 00 00 00 00 00 02 00 64 00 00 00 F0 00 00 80
00404070  66 00 00 00 08 01 00 80 00 00 00 00 00 00 00 00
00404080  00 00 00 00 00 00 01 00 07 00 00 00 20 01 00 80
00404090  00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00
004040A0  80 00 00 00 38 01 00 80 00 00 00 00 00 00 00 00
004040B0  00 00 00 00 00 00 01 00 01 00 00 00 50 01 00 80
004040C0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00
004040D0  04 08 00 00 68 01 00 00 00 00 00 00 00 00 00 00
004040E0  00 00 00 00 00 00 01 00    04 08 00 00 78 01 00 00    二进制找到的是这里
004040F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00
00404100  04 08 00 00 88 01 00 00 00 00 00 00 00 00 00 00
00404110  00 00 00 00 00 00 01 00 04 08 00 00 98 01 00 00
00404120  00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00
00404130  04 08 00 00 A8 01 00 00 00 00 00 00 00 00 00 00
00404140  00 00 00 00 00 00 01 00 04 08 00 00 B8 01 00 00
00404150  00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00
00404160  04 08 00 00 C8 01 00 00 38 01 6E 00 E8 02 00 00    从这行开始可以获取到 资源片被抽取到新地址的全部指针
00404170  00 00 00 00 00 00 00 00 48 0D 6F 00 28 01 00 00
00404180  00 00 00 00 00 00 00 00 D4 05 70 00 C6 00 00 00  
00404190  00 00 00 00 00 00 00 00 E4 02 71 00 74 00 00 00
004041A0  00 00 00 00 00 00 00 00 F0 0A 72 00 38 00 00 00
004041B0  00 00 00 00 00 00 00 00 B8 05 73 00 22 00 00 00
004041C0  00 00 00 00 00 00 00 00 E0 04 74 00 BC 02 00 00    是什么不重要,我们让脚本来完成这个任务
004041D0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   从最后一个指针处偏移 0x10 的资源数据被全部擦除
004041E0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
004041F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00404200  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

脚本的好处不用你去对神马 Stud_PE 等工具的熟悉(我还真不会用,呵呵)

最后,如果对壳有兴趣,还是老实去学习 PE 等最基础的东西,一上来就问 VMP 如何还原,如果脱 TMD, 没用的

奉上脚本: 基本通用

var Dlg
var new_rc_addr
var rc_start
var rc_len
var rc_addr
var rc_data
var i
var tmp
var temp

call _find_rc

_loop_w:
cmp rc_start,Dlg
jne next
add new_rc_addr,2

next:
mov rc_addr,[rc_start],4
add rc_start,4
mov rc_len,[rc_start],4
add rc_addr,400000           // 记着加上 基址

mov rc_data,[rc_addr],rc_len
mov [new_rc_addr],rc_data
mov temp,new_rc_addr
sub temp,400000
sub rc_start,4
mov [rc_start],#00000000#

mov [rc_start],temp         // 更新数据指针
mov tmp,rc_start
mov tmp,[tmp]
add rc_start,10
add new_rc_addr,rc_len

dec i
cmp i,0
je fix_end                  // 出口
jmp _loop_w

_find_rc:
find 401000,#04080000????0000000000000000000000000000000001000408#
mov temp,$RESULT
mov tmp,temp
div tmp,1000
mul tmp,1000
mov rc_addr,tmp         
add tmp,10
mov i,8
_find_05:
add tmp,i     
cmp [tmp],#05#,1
jne _find_05
mov tmp,[tmp+4],1
add tmp,rc_addr
mov tmp,[tmp+14],1
add tmp,rc_addr

mov tmp,[tmp+14],2
add tmp,rc_addr
mov Dlg,tmp

_find_804_end:
add temp,18
cmp [temp],#0408#,2
je _find_804_end
mov rc_start,temp
sub rc_start,10
mov i,0
_find_end:
inc i
add temp,10
cmp [temp],0
jne _find_end

inc i
mov new_rc_addr,temp
ret

fix_end:
ret


[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课

收藏
免费 6
支持
分享
最新回复 (2)
雪    币: 2882
活跃值: (1315)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
yjd
2
支持
2012-9-29 10:18
0
雪    币: 170
活跃值: (187)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
3
看了加密与解密的PE资源的章节
回来再看看这个
终于明白了.....
2013-8-31 20:26
0
游客
登录 | 注册 方可回帖
返回
//