本人练手脱壳fsg2.0的xp记事本时,运行时出了点故障,脱壳以堆?中找到入口点,一般都一样的格式如:
0101F470 010001>notepad.010001E8
0101F474 010001>notepad.010001DC
0101F478 010001>notepad.010001DE
0101F47C 010073>notepad.0100739D <---程序的eip
0101F480 <> 7C801D>kernel32.LoadLibraryA
0101F484 <> 7C80AC>kernel32.GetProcAddress
随即用ctrl+G来到eip处(100739d),设硬件执行断点,f9,断下来,删除断点,dump,再用常规的方法用IR1.6修复,两分钟能搞定。但不能运行,(98的记事本可以修复后运行)
跟踪如下
01002936 8BFF mov edi,edi
01002938 55 push ebp
01002939 8BEC mov ebp,esp
0100293B 83EC 20 sub esp,20
0100293E 56 push esi
0100293F 57 push edi
01002940 FF15 141100>call dword ptr ds:[1001114] ; [GetCommandLineW
01002946 68 D8130001 push 1_.010013D8 ; ASCII "RegisterPenApp"
0100294B 6A 29 push 29
0100294D 8BF8 mov edi,eax
0100294F FF15 1C1200>call dword ptr ds:[100121C] 到此不能继续
01002955 50 push eax ; |hModule
01002956 FF15 101100>call dword ptr ds:[1001110] ; \GetProcAddress
0100295C 33F6 xor esi,esi
0100295E 3BC6 cmp eax,esi
01002960 8945 FC mov dword ptr ss:[ebp-4],eax
01002963 74 06 je short 1_.0100296B
而跟踪未加壳的记事本如下代码:
01002936 /$ 8BFF mov edi,edi
01002938 |. 55 push ebp
01002939 |. 8BEC mov ebp,esp
0100293B |. 83EC 20 sub esp,20
0100293E |. 56 push esi
0100293F |. 57 push edi
01002940 |. FF15 141100>call dword ptr ds:[<&KERNEL32.GetCommandLineW>] ; [GetCommandLineW
01002946 |. 68 D8130001 push notepad.010013D8 ; /ProcNameOrOrdinal = "RegisterPenApp"
0100294B |. 6A 29 push 29 ; |/Index = SM_PENWINDOWS
0100294D |. 8BF8 mov edi,eax ; ||
0100294F |. FF15 1C1200>call dword ptr ds:[<&USER32.GetSystemMetrics>] ; |\GetSystemMetric〈---系统认出
01002955 |. 50 push eax ; |hModule
01002956 |. FF15 101100>call dword ptr ds:[<&KERNEL32.GetProcAddress>] ; \GetProcAddress
0100295C |. 33F6 xor esi,esi
0100295E |. 3BC6 cmp eax,esi
01002960 |. 8945 FC mov dword ptr ss:[ebp-4],eax
01002963 |. 74 06 je short notepad.0100296B
各位大虾,请问这是为何?
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
