前几天看到个软件,名字叫:电影音乐提取机,PEiD 查看是 DBPE 2.x -> Ding Boy [Overlay],用 OD 载入后跟了几步发现并不是,走到入口后看代码是 Delphi 的
004FB1E8 55 push ebp
004FB1E9 8BEC mov ebp,esp
004FB1EB 83C4 F0 add esp,-10
004FB1EE 53 push ebx
004FB1EF B8 00AC4F00 mov eax,AudioExt.004FAC00
004FB1F4 E8 6FB8F0FF call AudioExt.00406A68
004FB1F9 8B1D 48225000 mov ebx,dword ptr ds:[502248] ; AudioExt.00503BEC
004FB1FF 8B03 mov eax,dword ptr ds:[ebx]
004FB201 E8 DA25F7FF call AudioExt.0046D7E0
004FB206 8B0B mov ecx,dword ptr ds:[ebx]
004FB208 B2 01 mov dl,1
IAT 也保存得好好的
005091B4 00000000 ....
005091B8 >7C93188A ?? ntdll.RtlDeleteCriticalSection
005091BC >7C9210ED ?? ntdll.RtlLeaveCriticalSection
005091C0 >7C921005 ? ntdll.RtlEnterCriticalSection
005091C4 >7C809FA1 ?€| kernel32.InitializeCriticalSection
005091C8 >7C809B14 ?| kernel32.VirtualFree
005091CC >7C809A81 ?€| kernel32.VirtualAlloc
005091D0 >7C80995D ]?| kernel32.LocalFree
但是程序里的代码变形很多,看起来是模仿 Asprotect 的做法,所有 jmp [IAT] 形式的 API 调用处都被改写了
004069A3 90 nop
004069A4 90 nop
004069A5 E8 0813F7FF call 00377CB2
004069AA 8BC0 mov eax,eax
004069AC 90 nop
004069AD E8 0013F7FF call 00377CB2
004069B2 8BC0 mov eax,eax
004069B4 90 nop
004069B5 E8 F812F7FF call 00377CB2
004069BA 8BC0 mov eax,eax
004069BC 90 nop
004069BD E8 F012F7FF call 00377CB2
004069C2 8BC0 mov eax,eax
004069C4 50 push eax
004069C5 6A 40 push 40
004069C7 E8 E0FFFFFF call AudioExt.004069AC
004069CC C3 retn
从 csjwaman 兄那里拿来一段脚本,修复了一下就 OK 了,不敢独享,放出来与大家共享,还望 csjwaman 不要责怪
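; Rebuilds the IAT-style API calls that the protector rewrote as
; "nop; call <stub below 400000>". For each candidate the script lets the
; stub resolve the API (break at the user's "jmp eax" breakpoint, eax = API
; address), looks that address up in the original IAT, and patches the 6-byte
; sequence back to "jmp dword ptr [iat_slot]" (FF 25 <slot>).
; Assumptions: image base 400000, IAT 005091B8..5099d4 (exclusive end),
; a breakpoint already set on the stub's "jmp eax".
var addr                      ; computed call target
var star                      ; search cursor / address after the call
var api1                      ; API address resolved by the stub (eax)
var api2                      ; IAT slot contents being compared
var finded                    ; address of the "90 E8" sequence
var iat                       ; IAT slot cursor
mov star,401000
l1:
find star,#90e8#              ; next "nop; call rel32" candidate
log $RESULT
cmp $RESULT,0
je l4                         ; no more candidates: done
mov finded,$RESULT
mov addr,$RESULT
mov star,addr
add star,6                    ; resume search after this 6-byte sequence
add addr,2
mov addr,[addr]               ; rel32 displacement
add addr,star                 ; target = next_insn + rel32
cmp addr,400000
ja l1                         ; target inside the image: ordinary call, skip
eob l2
mov eip,finded
run                           ; stops at the "jmp eax" breakpoint
l2:
mov api1,eax
mov iat,005091B8 ;iat start   ; compare from the FIRST slot (original skipped it)
l3:
cmp iat,5099d4 ;iat end
je l5                         ; not in IAT: record it and keep going
mov api2,[iat]
cmp api1,api2
je l6
add iat,4
jmp l3
l6:
mov [finded],#ff25#           ; 90 E8 rel32 -> FF 25 [slot]
add finded,2
mov [finded],iat
jmp l1
l5:
log finded                    ; unresolved site: fix by hand afterwards
log api1
jmp l1
l4:
ret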
用的时候,跟进那个 call 00377CB2,下 tc eip>400000,断下后再看记录,在那个跳到 API 的 jmp eax 处下断点,再运行脚本。
我的这个地址是
00378515 - FFE0 jmp eax
年末了,给大家拜个早年了.