-
-
[原创]FSG 2.0脱壳及找RVA、Sixe的方法(写给新手,老鸟勿笑)
-
发表于: 2013-5-6 19:14
-
我也是新手,前天学习脱FSG 2.0,找到OEP后用,import rec修复IAT出了问题
经过求助大牛们后,终于解决,现分享FSG 2.0脱壳及找RVA、Sixe的方法给和我一样的新手们,同时申请转正
1.FSG 2.0脱壳,用ESP专用脱壳方法:OD载入后(程序在:http://pan.baidu.com/share/link?shareid=489535&uk=1865878465&third=15)
00400154 > 8725 0CB64800 xchg dword ptr ds:[0x48B60> 停在这
0040015A 61 popad
0040015B 94 xchg eax,esp 单步到这,看堆栈
0040015C 55 push ebp
0040015D A4 movs byte ptr es:[edi],byt>
0040015E B6 80 mov dh,0x80
00400160 FF13 call dword ptr ds:[ebx]
00400162 ^ 73 F9 jnb short fsg_delp.0040015>
00400164 33C9 xor ecx,ecx
00400166 FF13 call dword ptr ds:[ebx]
00400168 73 16 jnb short fsg_delp.0040018>
0040016A 33C0 xor eax,eax
0040016C FF13 call dword ptr ds:[ebx]
堆栈:
0048B610 004001E8 fsg_delp.004001E8
0048B614 004001DC fsg_delp.004001DC
0048B618 004001DE fsg_delp.004001DE
0048B61C 0044CA98 fsg_delp.0044CA98 这就是OEP了
0048B620 > 7C801D7B kernel32.LoadLibraryA
0048B624 > 7C80AE40 kernel32.GetProcAddress
然后,点堆栈中的“0048B61C 0044CA98 fsg_delp.0044CA98 ” 右键选:“数据窗口中跟随”
数据窗口中选中0044CA98,然后下硬件断点:右键---断点----硬件执行
F4运行吧
这就到达OEP了:
0044CA98 55 push ebp ; comctl32.5D1700000044CA99 8BEC mov ebp,esp
0044CA9B 83C4 F0 add esp,-0x10
0044CA9E B8 B8C84400 mov eax,fsg_delp.0044C8B8
0044CAA3 E8 2091FBFF call fsg_delp.00405BC8
0044CAA8 A1 B8DF4400 mov eax,dword ptr ds:[0x44>
0044CAAD 8B00 mov eax,dword ptr ds:[eax]
0044CAAF E8 9CE6FFFF call fsg_delp.0044B150
0044CAB4 8B0D 94E04400 mov ecx,dword ptr ds:[0x44>; fsg_delp.0044FBD0
0044CABA A1 B8DF4400 mov eax,dword ptr ds:[0x44>
0044CABF 8B00 mov eax,dword ptr ds:[eax]
0044CAC1 8B15 F0C64400 mov edx,dword ptr ds:[0x44>; fsg_delp.0044C73C
“0044CA98 55 push ebp”就是OEP
用import rec看下IAT,大家会发现:
OEP:0004CA98
RVA:000501D8
Sixe:0000000C
看出问题了吧,不可能Sixe才0000000C,函数才有一个,错定了!
接下来就要我们手动找RVA和Sixe
0044CA98 55 push ebp
0044CA99 8BEC mov ebp,esp
0044CA9B 83C4 F0 add esp,-0x10
0044CA9E B8 B8C84400 mov eax,fsg_delp.0044C8B8
0044CAA3 E8 2091FBFF call fsg_delp.00405BC8 跟入吧!
0044CAA8 A1 B8DF4400 mov eax,dword ptr ds:[0x44>
0044CAAD 8B00 mov eax,dword ptr ds:[eax]
入后:
00405BC9 8BD8 mov ebx,eax ; fsg_delp.0044C8B8
00405BCB 33C0 xor eax,eax
00405BCD A3 9CD04400 mov dword ptr ds:[0x44D09C>
00405BD2 6A 00 push 0x0
00405BD4 E8 2BFFFFFF call fsg_delp.00405B04 ; jmp 到 kernel32.GetModuleHandleA跟入吧!
入后:
00405B04 - FF25 E4014500 jmp dword ptr ds:[0x4501E4>; kernel32.GetModuleHandleA
00405B0A 8BC0 mov eax,eax
00405B0C - FF25 E0014500 jmp dword ptr ds:[0x4501E0>; kernel32.LocalAlloc
00405B12 8BC0 mov eax,eax
00405B14 - FF25 DC014500 jmp dword ptr ds:[0x4501DC>; kernel32.TlsGetValue
00405B1A 8BC0 mov eax,eax
00405B1C - FF25 D8014500 jmp dword ptr ds:[0x4501D8>; kernel32.TlsSetValue
00405B22 8BC0 mov eax,eax
00405B24 50 push eax
00405B25 6A 40 push 0x40
00405B27 E8 E0FFFFFF call fsg_delp.00405B0C ; jmp 到 kernel32.LocalAlloc
00405B2C C3 retn
看到了吧,这就是调用了,
点数据窗口跟随,来到这:
004501E4 7C80B741 kernel32.GetModuleHandleA
004501E8 7FFFFFFF
004501EC 77DA7ABB advapi32.RegQueryValueExA
004501F0 77DA7852 advapi32.RegOpenKeyExA
004501F4 77DA6C27 advapi32.RegCloseKey
004501F8 7FFFFFFF
004501FC 7C80BEA1 kernel32.lstrcpyA
00450200 7C810E27 kernel32.WriteFile
上下翻,把“004501F8 7FFFFFFF”“004501E8 7FFFFFFF”这种数值=7FFFFFFF的会0掉
在用import rec用,发现
OEP:0004CA98
RVA:00050114
Sixe:000005D4
正确了!
求转正!
求转正!
求转正!
求转正!
经过求助大牛们后,终于解决,现分享FSG 2.0脱壳及找RVA、Sixe的方法给和我一样的新手们,同时申请转正
1.FSG 2.0脱壳,用ESP专用脱壳方法:OD载入后(程序在:http://pan.baidu.com/share/link?shareid=489535&uk=1865878465&third=15)
00400154 > 8725 0CB64800 xchg dword ptr ds:[0x48B60> 停在这
0040015A 61 popad
0040015B 94 xchg eax,esp 单步到这,看堆栈
0040015C 55 push ebp
0040015D A4 movs byte ptr es:[edi],byt>
0040015E B6 80 mov dh,0x80
00400160 FF13 call dword ptr ds:[ebx]
00400162 ^ 73 F9 jnb short fsg_delp.0040015>
00400164 33C9 xor ecx,ecx
00400166 FF13 call dword ptr ds:[ebx]
00400168 73 16 jnb short fsg_delp.0040018>
0040016A 33C0 xor eax,eax
0040016C FF13 call dword ptr ds:[ebx]
堆栈:
0048B610 004001E8 fsg_delp.004001E8
0048B614 004001DC fsg_delp.004001DC
0048B618 004001DE fsg_delp.004001DE
0048B61C 0044CA98 fsg_delp.0044CA98 这就是OEP了
0048B620 > 7C801D7B kernel32.LoadLibraryA
0048B624 > 7C80AE40 kernel32.GetProcAddress
然后,点堆栈中的“0048B61C 0044CA98 fsg_delp.0044CA98 ” 右键选:“数据窗口中跟随”
数据窗口中选中0044CA98,然后下硬件断点:右键---断点----硬件执行
F4运行吧
这就到达OEP了:
0044CA98 55 push ebp ; comctl32.5D1700000044CA99 8BEC mov ebp,esp
0044CA9B 83C4 F0 add esp,-0x10
0044CA9E B8 B8C84400 mov eax,fsg_delp.0044C8B8
0044CAA3 E8 2091FBFF call fsg_delp.00405BC8
0044CAA8 A1 B8DF4400 mov eax,dword ptr ds:[0x44>
0044CAAD 8B00 mov eax,dword ptr ds:[eax]
0044CAAF E8 9CE6FFFF call fsg_delp.0044B150
0044CAB4 8B0D 94E04400 mov ecx,dword ptr ds:[0x44>; fsg_delp.0044FBD0
0044CABA A1 B8DF4400 mov eax,dword ptr ds:[0x44>
0044CABF 8B00 mov eax,dword ptr ds:[eax]
0044CAC1 8B15 F0C64400 mov edx,dword ptr ds:[0x44>; fsg_delp.0044C73C
“0044CA98 55 push ebp”就是OEP
用import rec看下IAT,大家会发现:
OEP:0004CA98
RVA:000501D8
Sixe:0000000C
看出问题了吧,不可能Sixe才0000000C,函数才有一个,错定了!
接下来就要我们手动找RVA和Sixe
0044CA98 55 push ebp
0044CA99 8BEC mov ebp,esp
0044CA9B 83C4 F0 add esp,-0x10
0044CA9E B8 B8C84400 mov eax,fsg_delp.0044C8B8
0044CAA3 E8 2091FBFF call fsg_delp.00405BC8 跟入吧!
0044CAA8 A1 B8DF4400 mov eax,dword ptr ds:[0x44>
0044CAAD 8B00 mov eax,dword ptr ds:[eax]
入后:
00405BC9 8BD8 mov ebx,eax ; fsg_delp.0044C8B8
00405BCB 33C0 xor eax,eax
00405BCD A3 9CD04400 mov dword ptr ds:[0x44D09C>
00405BD2 6A 00 push 0x0
00405BD4 E8 2BFFFFFF call fsg_delp.00405B04 ; jmp 到 kernel32.GetModuleHandleA跟入吧!
入后:
00405B04 - FF25 E4014500 jmp dword ptr ds:[0x4501E4>; kernel32.GetModuleHandleA
00405B0A 8BC0 mov eax,eax
00405B0C - FF25 E0014500 jmp dword ptr ds:[0x4501E0>; kernel32.LocalAlloc
00405B12 8BC0 mov eax,eax
00405B14 - FF25 DC014500 jmp dword ptr ds:[0x4501DC>; kernel32.TlsGetValue
00405B1A 8BC0 mov eax,eax
00405B1C - FF25 D8014500 jmp dword ptr ds:[0x4501D8>; kernel32.TlsSetValue
00405B22 8BC0 mov eax,eax
00405B24 50 push eax
00405B25 6A 40 push 0x40
00405B27 E8 E0FFFFFF call fsg_delp.00405B0C ; jmp 到 kernel32.LocalAlloc
00405B2C C3 retn
看到了吧,这就是调用了,
点数据窗口跟随,来到这:
004501E4 7C80B741 kernel32.GetModuleHandleA
004501E8 7FFFFFFF
004501EC 77DA7ABB advapi32.RegQueryValueExA
004501F0 77DA7852 advapi32.RegOpenKeyExA
004501F4 77DA6C27 advapi32.RegCloseKey
004501F8 7FFFFFFF
004501FC 7C80BEA1 kernel32.lstrcpyA
00450200 7C810E27 kernel32.WriteFile
上下翻,把“004501F8 7FFFFFFF”“004501E8 7FFFFFFF”这种数值=7FFFFFFF的会0掉
在用import rec用,发现
OEP:0004CA98
RVA:00050114
Sixe:000005D4
正确了!
求转正!
求转正!
求转正!
求转正!
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
