EncryptPE 2003.5.18 main program unpacking
2004-6-19 17:14

【Write-up author】 simonzh2000[US]

【Tools used】 PEiD 0.92, OllyDbg 1.10 (anti-anti-debug build), ImportREC 1.60, LordPE

【Platform】 Win2000 SP4 English

【Software】 EncryptPE 2003.5.18

【Description】 The packer by 老王 (Lao Wang), 2003.5.18 build

【Packing method】 packed with itself

【Author's note】 These notes are only for study and exchange. I'm a beginner at cracking, interested purely in the technique and with no other purpose; please forgive any mistakes.
           Comrade 老王 is very generous and gives it to everyone for free. I'm tossing out a brick here in the hope of drawing out some jade.

Use the IsDebug plugin to clear OD's debugger flag.
Ignore all exceptions except "INT3 exception", and add "ignore 0EEDFADE" as a custom exception to ignore.


004B7000 >  60              PUSHAD  // stops here after loading in OD
004B7001    9C              PUSHFD
004B7002    64:FF35 0000000>PUSH DWORD PTR FS:[0]
004B7009    E8 79010000     CALL EncryptP.004B7187


Press F9 to run. The program breaks at an INT3 exception; pass it with Shift+F9. Sometimes a warning pops up instead: congratulations, you've won the lottery, start over.

After a few INT3 exceptions the program sits for a long time in an 0EEDFADE exception, which is why that specific exception was added to the ignore list above.

After a bathroom break, OD had stopped:

7119CF57     CC                   int3                  // exception, pass with Shift+F9
7119CF58     90                   nop 
7119CF59     64:8F05 00000000     pop dword ptr fs:[0] 
7119CF60     C3                   retn 


77F9FFE4    8B0424          MOV EAX,DWORD PTR SS:[ESP]  // C0000008 exception, twice; pass with Shift+F9
77F9FFE7    8BE5            MOV ESP,EBP
77F9FFE9    5D              POP EBP
77F9FFEA    C3              RETN

7119CF57     CC                   int3                  // exception; stop here and look at the stack
7119CF58     90                   nop 
7119CF59     64:8F05 00000000     pop dword ptr fs:[0] 
7119CF60     C3                   retn 


// Stack
0012FF98   0012FFE0  Pointer to next SEH record
0012FF9C   7119CE8D  SE handler                         // set a breakpoint at 7119CE8D, then Shift+F9


7119CE8D    53              PUSH EBX
7119CE8E    52              PUSH EDX
7119CE8F    8B5C24 14       MOV EBX,DWORD PTR SS:[ESP+14]            // pointer to the CONTEXT structure
7119CE93    8B93 C4000000   MOV EDX,DWORD PTR DS:[EBX+C4]            // CONTEXT.Esp at the time of the int3
7119CE99    8B83 C0000000   MOV EAX,DWORD PTR DS:[EBX+C0]            // CONTEXT.EFlags
7119CE9F    A3 38F61B71     MOV DWORD PTR DS:[711BF638],EAX
7119CEA4    E8 8F040000     CALL V1200351.7119D338                   // F8
7119CEA9    9C              PUSHFD
7119CEAA    58              POP EAX
7119CEAB    A3 38F61B71     MOV DWORD PTR DS:[711BF638],EAX
7119CEB0    E8 83040000     CALL V1200351.7119D338                   // F8
7119CEB5    8B83 B8000000   MOV EAX,DWORD PTR DS:[EBX+B8]            // CONTEXT.Eip
7119CEBB    40              INC EAX
7119CEBC    8983 B8000000   MOV DWORD PTR DS:[EBX+B8],EAX            // Eip+1: resume right after the int3
7119CEC2    8B4424 0C       MOV EAX,DWORD PTR SS:[ESP+C]             // EXCEPTION_RECORD pointer
7119CEC6    8B00            MOV EAX,DWORD PTR DS:[EAX]               // ExceptionCode
7119CEC8    3D 03000080     CMP EAX,80000003                         // EXCEPTION_BREAKPOINT?
7119CECD    75 71           JNZ SHORT V1200351.7119CF40
7119CECF    803D 54F61B71 0>CMP BYTE PTR DS:[711BF654],1             // flag byte; when it is 1 the register/OEP setup below is skipped (it is set at 7119D32A when the resolver finds a CC in an API)
7119CED6    74 4F           JE SHORT V1200351.7119CF27
7119CED8    8B42 0C         MOV EAX,DWORD PTR DS:[EDX+C]             // restore Edi, Esi, Ebp, Ebx, Edx, Ecx, Eax (CONTEXT +9C..+B0) from the block at EDX
7119CEDB    8983 9C000000   MOV DWORD PTR DS:[EBX+9C],EAX
7119CEE1    8B42 10         MOV EAX,DWORD PTR DS:[EDX+10]
7119CEE4    8983 A0000000   MOV DWORD PTR DS:[EBX+A0],EAX
7119CEEA    8B42 14         MOV EAX,DWORD PTR DS:[EDX+14]
7119CEED    8983 B4000000   MOV DWORD PTR DS:[EBX+B4],EAX
7119CEF3    8B42 1C         MOV EAX,DWORD PTR DS:[EDX+1C]
7119CEF6    8983 A4000000   MOV DWORD PTR DS:[EBX+A4],EAX
7119CEFC    8B42 20         MOV EAX,DWORD PTR DS:[EDX+20]
7119CEFF    8983 A8000000   MOV DWORD PTR DS:[EBX+A8],EAX
7119CF05    8B42 24         MOV EAX,DWORD PTR DS:[EDX+24]
7119CF08    8983 AC000000   MOV DWORD PTR DS:[EBX+AC],EAX
7119CF0E    8B42 28         MOV EAX,DWORD PTR DS:[EDX+28]
7119CF11    8983 B0000000   MOV DWORD PTR DS:[EBX+B0],EAX            // CONTEXT.Eax = 499780; once the exception handling is done execution continues there: the OEP
7119CF17    8B02            MOV EAX,DWORD PTR DS:[EDX]
7119CF19    8942 24         MOV DWORD PTR DS:[EDX+24],EAX            // [EDX+24] = [EDX]
7119CF1C    89D0            MOV EAX,EDX
7119CF1E    83C0 24         ADD EAX,24
7119CF21    8983 C4000000   MOV DWORD PTR DS:[EBX+C4],EAX            // CONTEXT.Esp = EDX+24: the pop fs:[0] / retn at 7119CF59 will pop [EDX+24] and then [EDX+28]
7119CF27    31C0            XOR EAX,EAX
7119CF29    8943 04         MOV DWORD PTR DS:[EBX+4],EAX             // CONTEXT.Dr0 = 0
7119CF2C    8943 08         MOV DWORD PTR DS:[EBX+8],EAX             // Dr1 = 0
7119CF2F    8943 0C         MOV DWORD PTR DS:[EBX+C],EAX             // Dr2 = 0
7119CF32    8943 10         MOV DWORD PTR DS:[EBX+10],EAX            // Dr3 = 0
7119CF35    C743 18 5501000>MOV DWORD PTR DS:[EBX+18],155            // Dr7 = 155: any hardware breakpoints set in the debugger are wiped here
7119CF3C    5A              POP EDX
7119CF3D    5B              POP EBX
7119CF3E    C3              RETN



00499780    55              PUSH EBP                                 // set a breakpoint here, F9; next, repair the IAT
00499781    8BEC            MOV EBP,ESP
00499783    83C4 F0         ADD ESP,-10
00499786    B8 98954900     MOV EAX,EncryptP.00499598
0049978B    E8 D4D3F6FF     CALL EncryptP.00406B64


// Looking further down, the program is full of things like this

00406AA0    90              NOP
00406AA1  - E9 8A70A000     JMP 00E0DB30
00406AA6    8BC0            MOV EAX,EAX
00406AA8    90              NOP
00406AA9  - E9 E26FA000     JMP 00E0DA90
00406AAE    8BC0            MOV EAX,EAX
00406AB0    90              NOP
00406AB1  - E9 4670A000     JMP 00E0DAFC
00406AB6    8BC0            MOV EAX,EAX
00406AB8    90              NOP
00406AB9  - E9 1270A000     JMP 00E0DAD0
00406ABE    8BC0            MOV EAX,EAX


// API 
00406AA0    90              NOP
00406AA1  - E9 EE71A000     JMP 00E0DC94
...

7119D2FD    8B4424 0C       MOV EAX,DWORD PTR SS:[ESP+C]     // return address of the CALL: if the stub was JMP E0DC94,
7119D301    89C3            MOV EBX,EAX                      // then EAX = E0DC99
7119D303    83C0 02         ADD EAX,2
7119D306    8B00            MOV EAX,DWORD PTR DS:[EAX]       // pointer stored 2 bytes past the return address
7119D308    8B00            MOV EAX,DWORD PTR DS:[EAX]       // encrypted value
7119D30A    31D8            XOR EAX,EBX                      // decrypt with the return address as key
7119D30C    894424 0C       MOV DWORD PTR SS:[ESP+C],EAX     // EAX is the API; it replaces the return address, so the RETN below lands in the API
7119D310    8B00            MOV EAX,DWORD PTR DS:[EAX]
7119D312    3C CC           CMP AL,0CC                       // check 1: first byte of the API a CC (software breakpoint)?
7119D314    74 14           JE SHORT V1200351.7119D32A
7119D316    80FC CC         CMP AH,0CC                       // check 2: second byte
7119D319    74 0F           JE SHORT V1200351.7119D32A
7119D31B    C1E8 10         SHR EAX,10
7119D31E    3C CC           CMP AL,0CC                       // check 3: third byte
7119D320    74 08           JE SHORT V1200351.7119D32A
7119D322    80FC CC         CMP AH,0CC                       // check 4: fourth byte
7119D325    74 03           JE SHORT V1200351.7119D32A
7119D327    EB 08           JMP SHORT V1200351.7119D331
7119D329  - E9 C60554F6     JMP 676DD8F4                     // OD mis-decodes from here; from 7119D32A the bytes C605 54F61B71 01 are MOV BYTE PTR DS:[711BF654],1
7119D32E    1B71 01         SBB ESI,DWORD PTR DS:[ECX+1]     //   i.e. the flag tested at 7119CECF is set whenever a breakpoint is found on an API
7119D331    5B              POP EBX
7119D332    58              POP EAX
7119D333    9D              POPFD
7119D334    C3              RETN


// The above is the shell's API decryption routine

// Write a patch routine that restores the APIs and place it at 7119CF60


7119CF60    60                 PUSHAD
7119CF61    B8 50124000        MOV EAX,401250                              ; // search starts at 401250
7119CF66    BA 00000101        MOV EDX,1010000                             ; // store the APIs in the free area starting at 1010000
7119CF6B    66:8138 90E9       CMP WORD PTR DS:[EAX],0E990                 ; // 90 E9 = NOP, JMP XXXXXXXX
7119CF70    0F85 2F000000      JNZ V1200351.7119CFA5
7119CF76    8BC8               MOV ECX,EAX                                 ; // [EAX] is  90 E9
7119CF78    8B40 02            MOV EAX,DWORD PTR DS:[EAX+2]                ; // EAX = XXXXXXXX
7119CF7B    03C1               ADD EAX,ECX
7119CF7D    83C0 06            ADD EAX,6
7119CF80    3D 00000070        CMP EAX,70000000                            ; // > 70000000: the JMP already lands in the API
7119CF85    0F87 0E000000      JA V1200351.7119CF99
7119CF8B    83C0 05            ADD EAX,5                                   ; // otherwise EAX = return address of the CALL at the target (the XOR key)
7119CF8E    8BD8               MOV EBX,EAX                                 
7119CF90    83C0 02            ADD EAX,2
7119CF93    8B00               MOV EAX,DWORD PTR DS:[EAX]
7119CF95    8B00               MOV EAX,DWORD PTR DS:[EAX]
7119CF97    33C3               XOR EAX,EBX                                 ; // API whose stub lands below 70000000, decrypted the same way the shell does it
7119CF99    8902               MOV DWORD PTR DS:[EDX],EAX                  ; // save the API address
7119CF9B    83C2 04            ADD EDX,4
7119CF9E    8BC1               MOV EAX,ECX
7119CFA0    90                 NOP
7119CFA1    90                 NOP
7119CFA2    90                 NOP
7119CFA3    90                 NOP
7119CFA4    90                 NOP
7119CFA5    83C0 04            ADD EAX,4
7119CFA8    3D 208C4300        CMP EAX,438C20                             ; // search ends at 438C20
7119CFAD  ^ 72 BC              JB SHORT V1200351.7119CF6B
7119CFAF    61                 POPAD


60 B8 50 12 40 00 BA 00 00 01 01 66 81 38 90 E9 0F 85 2F 00 00 00 8B C8 8B 40 02 03 C1 83 C0 06 3D 00 00 00
70 0F 87 0E 00 00 00 83 C0 05 8B D8 83 C0 02 8B 00 8B 00 33 C3 89 02 83 C2 04 8B C1 90 90 90 90 90 83 C0 04 
3D 20 8C 43 00 72 BC 61                



ImportREC: VA=1010000, RVA = C10000, Size = 688; Get Imports gives the IAT

OEP: 00099780	IATRVA: 00C10000	IATSize: 00000688

FThunk: 00C10000	NbFunc: 000001A2
1	00C10000	kernel32.dll	001F	CloseHandle
1	00C10004	kernel32.dll	0039	CreateFileA
1	00C10008	kernel32.dll	012D	GetFileType
1	00C1000C	kernel32.dll	012A	GetFileSize
1	00C10010	kernel32.dll	016D	GetStdHandle
1	00C10014	kernel32.dll	0237	RaiseException
1	00C10018	kernel32.dll	0244	ReadFile
1	00C1001C	kernel32.dll	025E	RtlUnwind
1	00C10020	kernel32.dll	0293	SetEndOfFile
1	00C10024	kernel32.dll	029C	SetFilePointer
1	00C10028	kernel32.dll	02E2	UnhandledExceptionFilter
1	00C1002C	kernel32.dll	0315	WriteFile

1	00C10030	user32.dll	0026	CharNextA

1	00C10034	kernel32.dll	0091	ExitProcess

1	00C10038	user32.dll	01C4	MessageBoxA

1	00C1003C	kernel32.dll	00A4	FindClose
1	00C10040	kernel32.dll	00A8	FindFirstFileA
1	00C10044	kernel32.dll	00C8	FreeLibrary
1	00C10048	kernel32.dll	00DF	GetCommandLineA
1	00C1004C	kernel32.dll	0132	GetLastError
1	00C10050	kernel32.dll	0135	GetLocaleInfoA
1	00C10054	kernel32.dll	013D	GetModuleFileNameA
1	00C10058	kernel32.dll	013F	GetModuleHandleA
1	00C1005C	kernel32.dll	0158	GetProcAddress
1	00C10060	kernel32.dll	016B	GetStartupInfoA
1	00C10064	kernel32.dll	0186	GetThreadLocale
1	00C10068	kernel32.dll	01E7	LoadLibraryExA

1	00C1006C	user32.dll	01B0	LoadStringA

1	00C10070	kernel32.dll	0338	lstrcpyn
1	00C10074	kernel32.dll	033B	lstrlen
1	00C10078	kernel32.dll	0209	MultiByteToWideChar

1	00C1007C	advapi32.dll	018C	RegCloseKey
1	00C10080	advapi32.dll	01A5	RegOpenKeyExA
1	00C10084	advapi32.dll	01AF	RegQueryValueExA

1	00C10088	kernel32.dll	0308	WideCharToMultiByte
1	00C1008C	kernel32.dll	02FD	VirtualQuery

1	00C10090	oleaut32.dll	0004	SysAllocStringLen
1	00C10094	oleaut32.dll	0005	SysReAllocStringLen
1	00C10098	oleaut32.dll	0006	SysFreeString

1	00C1009C	kernel32.dll	01D2	InterlockedIncrement
1	00C100A0	kernel32.dll	01CF	InterlockedDecrement
1	00C100A4	kernel32.dll	0111	GetCurrentThreadId
1	00C100A8	kernel32.dll	01EC	LocalAlloc
1	00C100AC	kernel32.dll	01F0	LocalFree
1	00C100B0	kernel32.dll	02F5	VirtualAlloc
1	00C100B4	kernel32.dll	02F8	VirtualFree
1	00C100B8	kernel32.dll	01CC	InitializeCriticalSection
1	00C100BC	kernel32.dll	0074	EnterCriticalSection
1	00C100C0	kernel32.dll	01E5	LeaveCriticalSection
1	00C100C4	kernel32.dll	005F	DeleteCriticalSection
1	00C100C8	kernel32.dll	0244	ReadFile
1	00C100CC	kernel32.dll	0315	WriteFile

1	00C100D0	user32.dll	011C	GetKeyboardType

1	00C100D4	kernel32.dll	013F	GetModuleHandleA
1	00C100D8	kernel32.dll	01EC	LocalAlloc
1	00C100DC	kernel32.dll	02D9	TlsGetValue
1	00C100E0	kernel32.dll	02DA	TlsSetValue

1	00C100E4	advapi32.dll	018C	RegCloseKey
1	00C100E8	advapi32.dll	01A5	RegOpenKeyExA
1	00C100EC	advapi32.dll	01AF	RegQueryValueExA

1	00C100F0	kernel32.dll	001F	CloseHandle
1	00C100F4	kernel32.dll	0025	CompareStringA
1	00C100F8	kernel32.dll	002C	CopyFileA
1	00C100FC	kernel32.dll	0035	CreateEventA
1	00C10100	kernel32.dll	0039	CreateFileA
1	00C10104	kernel32.dll	0052	CreateThread
1	00C10108	kernel32.dll	005F	DeleteCriticalSection
1	00C1010C	kernel32.dll	0061	DeleteFileA
1	00C10110	kernel32.dll	0074	EnterCriticalSection
1	00C10114	kernel32.dll	0075	EnumCalendarInfoA
1	00C10118	kernel32.dll	009C	FileTimeToDosDateTime
1	00C1011C	kernel32.dll	009D	FileTimeToLocalFileTime
1	00C10120	kernel32.dll	00A4	FindClose
1	00C10124	kernel32.dll	00A8	FindFirstFileA
1	00C10128	kernel32.dll	00B7	FindResourceA
1	00C1012C	kernel32.dll	00C3	FormatMessageA
1	00C10130	kernel32.dll	00C8	FreeLibrary
1	00C10134	kernel32.dll	00CA	FreeResource
1	00C10138	kernel32.dll	00CE	GetACP
1	00C1013C	kernel32.dll	00D4	GetCPInfo
1	00C10140	kernel32.dll	010F	GetCurrentProcessId
1	00C10144	kernel32.dll	0111	GetCurrentThreadId
1	00C10148	kernel32.dll	0112	GetDateFormatA
1	00C1014C	kernel32.dll	0118	GetDiskFreeSpaceA
1	00C10150	kernel32.dll	012C	GetFileTime
1	00C10154	kernel32.dll	0132	GetLastError
1	00C10158	kernel32.dll	0134	GetLocalTime
1	00C1015C	kernel32.dll	0135	GetLocaleInfoA
1	00C10160	kernel32.dll	013D	GetModuleFileNameA
1	00C10164	kernel32.dll	013F	GetModuleHandleA
1	00C10168	kernel32.dll	0158	GetProcAddress
1	00C1016C	kernel32.dll	0166	GetProfileStringA
1	00C10170	kernel32.dll	016D	GetStdHandle
1	00C10174	kernel32.dll	016F	GetStringTypeExA
1	00C10178	kernel32.dll	0175	GetSystemDirectoryA
1	00C1017C	kernel32.dll	0177	GetSystemInfo
1	00C10180	kernel32.dll	0186	GetThreadLocale
1	00C10184	kernel32.dll	018B	GetTickCount
1	00C10188	kernel32.dll	0193	GetVersion
1	00C1018C	kernel32.dll	0194	GetVersionExA
1	00C10190	kernel32.dll	019F	GlobalAddAtomA
1	00C10194	kernel32.dll	01A1	GlobalAlloc
1	00C10198	kernel32.dll	01A3	GlobalDeleteAtom
1	00C1019C	kernel32.dll	01A4	GlobalFindAtomA
1	00C101A0	kernel32.dll	01A8	GlobalFree
1	00C101A4	kernel32.dll	01AC	GlobalLock
1	00C101A8	kernel32.dll	01AB	GlobalHandle
1	00C101AC	kernel32.dll	01AF	GlobalReAlloc
1	00C101B0	kernel32.dll	01B3	GlobalUnlock
1	00C101B4	kernel32.dll	01CC	InitializeCriticalSection
1	00C101B8	kernel32.dll	01E5	LeaveCriticalSection
1	00C101BC	kernel32.dll	01E6	LoadLibraryA
1	00C101C0	kernel32.dll	01EB	LoadResource
1	00C101C4	kernel32.dll	01F9	LockResource
1	00C101C8	kernel32.dll	01FC	MapViewOfFile
1	00C101CC	kernel32.dll	0208	MulDiv
1	00C101D0	kernel32.dll	0212	OpenFileMappingA
1	00C101D4	kernel32.dll	0244	ReadFile
1	00C101D8	kernel32.dll	0259	ResetEvent
1	00C101DC	kernel32.dll	0293	SetEndOfFile
1	00C101E0	kernel32.dll	0296	SetErrorMode
1	00C101E4	kernel32.dll	0297	SetEvent
1	00C101E8	kernel32.dll	029C	SetFilePointer
1	00C101EC	kernel32.dll	029E	SetFileTime
1	00C101F0	kernel32.dll	02BA	SetThreadLocale
1	00C101F4	kernel32.dll	02C9	SizeofResource
1	00C101F8	kernel32.dll	02CA	Sleep
1	00C101FC	kernel32.dll	02E5	UnmapViewOfFile
1	00C10200	kernel32.dll	02F5	VirtualAlloc
1	00C10204	kernel32.dll	02FD	VirtualQuery
1	00C10208	kernel32.dll	0304	WaitForSingleObject
1	00C1020C	kernel32.dll	0315	WriteFile
1	00C10210	kernel32.dll	032F	lstrcmp
1	00C10214	kernel32.dll	0335	lstrcpy

1	00C10218	version.dll	0001	GetFileVersionInfoA
1	00C1021C	version.dll	0002	GetFileVersionInfoSizeA
1	00C10220	version.dll	000B	VerQueryValueA

1	00C10224	gdi32.dll	0013	BitBlt
1	00C10228	gdi32.dll	0022	CopyEnhMetaFileA
1	00C1022C	gdi32.dll	0026	CreateBitmap
1	00C10230	gdi32.dll	0028	CreateBrushIndirect
1	00C10234	gdi32.dll	002B	CreateCompatibleBitmap
1	00C10238	gdi32.dll	002C	CreateCompatibleDC
1	00C1023C	gdi32.dll	002D	CreateDCA
1	00C10240	gdi32.dll	0031	CreateDIBSection
1	00C10244	gdi32.dll	0032	CreateDIBitmap
1	00C10248	gdi32.dll	0039	CreateFontIndirectA
1	00C1024C	gdi32.dll	003E	CreateHalftonePalette
1	00C10250	gdi32.dll	0040	CreateICA
1	00C10254	gdi32.dll	0044	CreatePalette
1	00C10258	gdi32.dll	0047	CreatePenIndirect
1	00C1025C	gdi32.dll	004F	CreateSolidBrush
1	00C10260	gdi32.dll	0052	DeleteDC
1	00C10264	gdi32.dll	0053	DeleteEnhMetaFile
1	00C10268	gdi32.dll	0055	DeleteObject
1	00C1026C	gdi32.dll	005C	EndDoc
1	00C10270	gdi32.dll	005E	EndPage
1	00C10274	gdi32.dll	009D	ExcludeClipRect
1	00C10278	gdi32.dll	00A3	ExtTextOutA
1	00C1027C	gdi32.dll	00E0	GdiFlush
1	00C10280	gdi32.dll	010E	GetBitmapBits
1	00C10284	gdi32.dll	0113	GetBrushOrgEx
1	00C10288	gdi32.dll	0123	GetClipBox
1	00C1028C	gdi32.dll	0128	GetCurrentPositionEx
1	00C10290	gdi32.dll	012A	GetDCOrgEx
1	00C10294	gdi32.dll	012C	GetDIBColorTable
1	00C10298	gdi32.dll	012D	GetDIBits
1	00C1029C	gdi32.dll	012E	GetDeviceCaps
1	00C102A0	gdi32.dll	0134	GetEnhMetaFileBits
1	00C102A4	gdi32.dll	0137	GetEnhMetaFileHeader
1	00C102A8	gdi32.dll	0138	GetEnhMetaFilePaletteEntries
1	00C102AC	gdi32.dll	0158	GetObjectA
1	00C102B0	gdi32.dll	015D	GetPaletteEntries
1	00C102B4	gdi32.dll	015F	GetPixel
1	00C102B8	gdi32.dll	0168	GetStockObject
1	00C102BC	gdi32.dll	016C	GetSystemPaletteEntries
1	00C102C0	gdi32.dll	0177	GetTextExtentPoint32A
1	00C102C4	gdi32.dll	017F	GetTextMetricsA
1	00C102C8	gdi32.dll	0184	GetWinMetaFileBits
1	00C102CC	gdi32.dll	0186	GetWindowOrgEx
1	00C102D0	gdi32.dll	018A	IntersectClipRect
1	00C102D4	gdi32.dll	0190	LineTo
1	00C102D8	gdi32.dll	0191	MaskBlt
1	00C102DC	gdi32.dll	0194	MoveToEx
1	00C102E0	gdi32.dll	01A0	PatBlt
1	00C102E4	gdi32.dll	01A3	PlayEnhMetaFile
1	00C102E8	gdi32.dll	01B1	Polyline
1	00C102EC	gdi32.dll	01B6	RealizePalette
1	00C102F0	gdi32.dll	01B8	RectVisible
1	00C102F4	gdi32.dll	01B9	Rectangle
1	00C102F8	gdi32.dll	01C3	RestoreDC
1	00C102FC	gdi32.dll	01CA	SaveDC
1	00C10300	gdi32.dll	01D1	SelectObject
1	00C10304	gdi32.dll	01D2	SelectPalette
1	00C10308	gdi32.dll	01D3	SetAbortProc
1	00C1030C	gdi32.dll	01D7	SetBkColor
1	00C10310	gdi32.dll	01D8	SetBkMode
1	00C10314	gdi32.dll	01DA	SetBrushOrgEx
1	00C10318	gdi32.dll	01DF	SetDIBColorTable
1	00C1031C	gdi32.dll	01E3	SetEnhMetaFileBits
1	00C10320	gdi32.dll	01EC	SetMapMode
1	00C10324	gdi32.dll	01F2	SetPixel
1	00C10328	gdi32.dll	01F6	SetROP2
1	00C1032C	gdi32.dll	01F9	SetStretchBltMode
1	00C10330	gdi32.dll	01FD	SetTextColor
1	00C10334	gdi32.dll	0200	SetViewportOrgEx
1	00C10338	gdi32.dll	0202	SetWinMetaFileBits
1	00C1033C	gdi32.dll	0204	SetWindowOrgEx
1	00C10340	gdi32.dll	0206	StartDocA
1	00C10344	gdi32.dll	0209	StartPage
1	00C10348	gdi32.dll	020A	StretchBlt
1	00C1034C	gdi32.dll	0213	UnrealizeObject

1	00C10350	user32.dll	0001	ActivateKeyboardLayout
1	00C10354	user32.dll	0003	AdjustWindowRectEx
1	00C10358	user32.dll	0022	CharLowerA
1	00C1035C	user32.dll	0008	AppendMenuA
1	00C10360	user32.dll	000D	BeginPaint
1	00C10364	user32.dll	0016	CallNextHookEx
1	00C10368	user32.dll	0017	CallWindowProcA
1	00C1036C	user32.dll	0023	CharLowerBuffA
1	00C10370	user32.dll	0026	CharNextA
1	00C10374	user32.dll	0031	CharUpperBuffA
1	00C10378	user32.dll	0035	CheckMenuItem
1	00C1037C	user32.dll	0038	ChildWindowFromPoint
1	00C10380	user32.dll	003C	ClientToScreen
1	00C10384	user32.dll	0053	CreateIcon
1	00C10388	user32.dll	0059	CreateMenu
1	00C1038C	user32.dll	005A	CreatePopupMenu
1	00C10390	user32.dll	005B	CreateWindowExA
1	00C10394	user32.dll	0083	DefFrameProcA
1	00C10398	user32.dll	0085	DefMDIChildProcA
1	00C1039C	user32.dll	0087	DefWindowProcA
1	00C103A0	user32.dll	008A	DeleteMenu
1	00C103A4	user32.dll	008E	DestroyCursor
1	00C103A8	user32.dll	008E	DestroyCursor
1	00C103AC	user32.dll	0090	DestroyMenu
1	00C103B0	user32.dll	0091	DestroyWindow
1	00C103B4	user32.dll	0098	DispatchMessageA
1	00C103B8	user32.dll	00A8	DrawEdge
1	00C103BC	user32.dll	00A9	DrawFocusRect
1	00C103C0	user32.dll	00AB	DrawFrameControl
1	00C103C4	user32.dll	00AC	DrawIcon
1	00C103C8	user32.dll	00AD	DrawIconEx
1	00C103CC	user32.dll	00AE	DrawMenuBar
1	00C103D0	user32.dll	00B2	DrawTextA
1	00C103D4	user32.dll	00B8	EnableMenuItem
1	00C103D8	user32.dll	00B9	EnableScrollBar
1	00C103DC	user32.dll	00BA	EnableWindow
1	00C103E0	user32.dll	00BE	EndPaint
1	00C103E4	user32.dll	00D0	EnumThreadWindows
1	00C103E8	user32.dll	00D3	EnumWindows
1	00C103EC	user32.dll	00D4	EqualRect
1	00C103F0	user32.dll	00D7	FillRect
1	00C103F4	user32.dll	00D8	FindWindowA
1	00C103F8	user32.dll	00DE	FrameRect
1	00C103FC	user32.dll	00E0	GetActiveWindow
1	00C10400	user32.dll	00E8	GetCapture
1	00C10404	user32.dll	00EB	GetClassInfoA
1	00C10408	user32.dll	00F1	GetClassNameA
1	00C1040C	user32.dll	00F4	GetClientRect
1	00C10410	user32.dll	00F6	GetClipboardData
1	00C10414	user32.dll	00FD	GetCursor
1	00C10418	user32.dll	0100	GetCursorPos
1	00C1041C	user32.dll	0101	GetDC
1	00C10420	user32.dll	0102	GetDCEx
1	00C10424	user32.dll	0103	GetDesktopWindow
1	00C10428	user32.dll	0106	GetDlgItem
1	00C1042C	user32.dll	010B	GetFocus
1	00C10430	user32.dll	010C	GetForegroundWindow
1	00C10434	user32.dll	010F	GetIconInfo
1	00C10438	user32.dll	0114	GetKeyNameTextA
1	00C1043C	user32.dll	0116	GetKeyState
1	00C10440	user32.dll	0117	GetKeyboardLayout
1	00C10444	user32.dll	0118	GetKeyboardLayoutList
1	00C10448	user32.dll	011B	GetKeyboardState
1	00C1044C	user32.dll	011D	GetLastActivePopup
1	00C10450	user32.dll	0120	GetMenu
1	00C10454	user32.dll	0126	GetMenuItemCount
1	00C10458	user32.dll	0127	GetMenuItemID
1	00C1045C	user32.dll	0128	GetMenuItemInfoA
1	00C10460	user32.dll	012B	GetMenuState
1	00C10464	user32.dll	012C	GetMenuStringA
1	00C10468	user32.dll	0130	GetMessagePos
1	00C1046C	user32.dll	0157	GetWindow
1	00C10470	user32.dll	0139	GetParent
1	00C10474	user32.dll	013E	GetPropA
1	00C10478	user32.dll	0142	GetScrollInfo
1	00C1047C	user32.dll	0143	GetScrollPos
1	00C10480	user32.dll	0144	GetScrollRange
1	00C10484	user32.dll	0146	GetSubMenu
1	00C10488	user32.dll	0147	GetSysColor
1	00C1048C	user32.dll	0149	GetSystemMenu
1	00C10490	user32.dll	014A	GetSystemMetrics
1	00C10494	user32.dll	0150	GetTopWindow
1	00C10498	user32.dll	0151	GetUpdateRect
1	00C1049C	user32.dll	0157	GetWindow
1	00C104A0	user32.dll	0159	GetWindowDC
1	00C104A4	user32.dll	015B	GetWindowLongA
1	00C104A8	user32.dll	0160	GetWindowPlacement
1	00C104AC	user32.dll	0161	GetWindowRect
1	00C104B0	user32.dll	0163	GetWindowTextA
1	00C104B4	user32.dll	0167	GetWindowThreadProcessId
1	00C104B8	user32.dll	0167	GetWindowThreadProcessId
1	00C104BC	user32.dll	0176	InflateRect
1	00C104C0	user32.dll	0179	InsertMenuA
1	00C104C4	user32.dll	017A	InsertMenuItemA
1	00C104C8	user32.dll	017E	IntersectRect
1	00C104CC	user32.dll	017F	InvalidateRect
1	00C104D0	user32.dll	018A	IsChild
1	00C104D4	user32.dll	018C	IsDialogMessage
1	00C104D8	user32.dll	0191	IsIconic
1	00C104DC	user32.dll	0193	IsRectEmpty
1	00C104E0	user32.dll	0194	IsWindow
1	00C104E4	user32.dll	0195	IsWindowEnabled
1	00C104E8	user32.dll	0197	IsWindowVisible
1	00C104EC	user32.dll	0198	IsZoomed
1	00C104F0	user32.dll	019A	KillTimer
1	00C104F4	user32.dll	019D	LoadBitmapA
1	00C104F8	user32.dll	019F	LoadCursorA
1	00C104FC	user32.dll	01A3	LoadIconA
1	00C10500	user32.dll	01A7	LoadKeyboardLayoutA
1	00C10504	user32.dll	01B0	LoadStringA
1	00C10508	user32.dll	01BB	MapVirtualKeyA
1	00C1050C	user32.dll	01BF	MapWindowPoints
1	00C10510	user32.dll	01C4	MessageBoxA
1	00C10514	user32.dll	01D4	OemToCharA
1	00C10518	user32.dll	01D8	OffsetRect
1	00C1051C	user32.dll	01E2	PeekMessageA
1	00C10520	user32.dll	01E4	PostMessageA
1	00C10524	user32.dll	01E6	PostQuitMessage
1	00C10528	user32.dll	01EF	PtInRect
1	00C1052C	user32.dll	01F6	RedrawWindow
1	00C10530	user32.dll	01F7	RegisterClassA
1	00C10534	user32.dll	01FB	RegisterClipboardFormatA
1	00C10538	user32.dll	01FB	RegisterClipboardFormatA
1	00C1053C	user32.dll	0207	ReleaseCapture
1	00C10540	user32.dll	0208	ReleaseDC
1	00C10544	user32.dll	0209	RemoveMenu
1	00C10548	user32.dll	020A	RemovePropA
1	00C1054C	user32.dll	020F	ScreenToClient
1	00C10550	user32.dll	0212	ScrollWindow
1	00C10554	user32.dll	0219	SendMessageA
1	00C10558	user32.dll	0221	SetActiveWindow
1	00C1055C	user32.dll	0222	SetCapture
1	00C10560	user32.dll	0225	SetClassLongA
1	00C10564	user32.dll	022B	SetCursor
1	00C10568	user32.dll	0234	SetFocus
1	00C1056C	user32.dll	0235	SetForegroundWindow
1	00C10570	user32.dll	023B	SetMenu
1	00C10574	user32.dll	0240	SetMenuItemInfoA
1	00C10578	user32.dll	0248	SetPropA
1	00C1057C	user32.dll	024A	SetRect
1	00C10580	user32.dll	024C	SetScrollInfo
1	00C10584	user32.dll	024D	SetScrollPos
1	00C10588	user32.dll	024E	SetScrollRange
1	00C1058C	user32.dll	0258	SetTimer
1	00C10590	user32.dll	025E	SetWindowLongA
1	00C10594	user32.dll	0260	SetWindowPlacement
1	00C10598	user32.dll	0261	SetWindowPos
1	00C1059C	user32.dll	0264	SetWindowTextA
1	00C105A0	user32.dll	0268	SetWindowsHookExA
1	00C105A4	user32.dll	026C	ShowCursor
1	00C105A8	user32.dll	026D	ShowOwnedPopups
1	00C105AC	user32.dll	026E	ShowScrollBar
1	00C105B0	user32.dll	0270	ShowWindow
1	00C105B4	user32.dll	0277	SystemParametersInfoA
1	00C105B8	user32.dll	0282	TrackPopupMenu
1	00C105BC	user32.dll	0287	TranslateMDISysAccel
1	00C105C0	user32.dll	0288	TranslateMessage
1	00C105C4	user32.dll	028C	UnhookWindowsHookEx
1	00C105C8	user32.dll	0291	UnregisterClassA
1	00C105CC	user32.dll	0297	UpdateWindow
1	00C105D0	user32.dll	02AC	WaitMessage
1	00C105D4	user32.dll	02AE	WinHelpA
1	00C105D8	user32.dll	02B1	WindowFromPoint

1	00C105DC	kernel32.dll	02CA	Sleep

1	00C105E0	oleaut32.dll	0008	VariantInit
1	00C105E4	oleaut32.dll	0009	VariantClear
1	00C105E8	oleaut32.dll	000A	VariantCopy
1	00C105EC	oleaut32.dll	000B	VariantCopyInd
1	00C105F0	oleaut32.dll	000C	VariantChangeType
1	00C105F4	oleaut32.dll	000F	SafeArrayCreate
1	00C105F8	oleaut32.dll	0028	SafeArrayRedim
1	00C105FC	oleaut32.dll	0014	SafeArrayGetLBound
1	00C10600	oleaut32.dll	0013	SafeArrayGetUBound
1	00C10604	oleaut32.dll	0019	SafeArrayGetElement
1	00C10608	oleaut32.dll	001A	SafeArrayPutElement
1	00C1060C	oleaut32.dll	0094	SafeArrayPtrOfIndex

1	00C10610	ole32.dll	0018	CoCreateGuid

1	00C10614	comctl32.dll	0011	InitCommonControls
1	00C10618	comctl32.dll	002C	ImageList_Create
1	00C1061C	comctl32.dll	002D	ImageList_Destroy
1	00C10620	comctl32.dll	003C	ImageList_GetImageCount
1	00C10624	comctl32.dll	0027	ImageList_Add
1	00C10628	comctl32.dll	0046	ImageList_ReplaceIcon
1	00C1062C	comctl32.dll	004B	ImageList_SetBkColor
1	00C10630	comctl32.dll	0037	ImageList_GetBkColor
1	00C10634	comctl32.dll	0032	ImageList_Draw
1	00C10638	comctl32.dll	0033	ImageList_DrawEx
1	00C1063C	comctl32.dll	0044	ImageList_Remove
1	00C10640	comctl32.dll	002A	ImageList_BeginDrag
1	00C10644	comctl32.dll	0036	ImageList_EndDrag
1	00C10648	comctl32.dll	002E	ImageList_DragEnter
1	00C1064C	comctl32.dll	002F	ImageList_DragLeave
1	00C10650	comctl32.dll	0030	ImageList_DragMove
1	00C10654	comctl32.dll	004C	ImageList_SetDragCursorImage
1	00C10658	comctl32.dll	0031	ImageList_DragShowNolock
1	00C1065C	comctl32.dll	0038	ImageList_GetDragImage
1	00C10660	comctl32.dll	0043	ImageList_Read
1	00C10664	comctl32.dll	0052	ImageList_Write
1	00C10668	comctl32.dll	003B	ImageList_GetIconSize
1	00C1066C	comctl32.dll	004F	ImageList_SetIconSize

1	00C10670	winspool.drv	0086	ClosePrinter
1	00C10674	winspool.drv	00B1	DocumentPropertiesA
1	00C10678	winspool.drv	00DC	EnumPrintersA
1	00C1067C	winspool.drv	00F6	OpenPrinterA

1	00C10680	shell32.dll	016C	ShellAboutA

1	00C10684	comdlg32.dll	006E	GetOpenFileNameA



All functions are OK now, but the order is wrong, so they need regrouping.
Find a free area, 4A8000-4AB000, to hold the reorganized IAT.

Module       Count  Range
Kernel32     122    4A8000 - 4A81E4
User32       167    4A81EC - 4A8484
GDI32        75     4A848C - 4A85B4
comctl32     23     4A85BC - 4A8614
Oleaut32     15     4A861C - 4A8654
Advapi32     6      4A865C - 4A8670
version      3      4A8678 - 4A8680
Ole32        1      4A8688 - 4A8688
winspool     4      4A8690 - 4A869C
shell32      1      4A86A4 - 4A86A4
comdlg32     1      4A86AC - 4A86AC

Copy the data below to 1011000 (doing it in Excel took me half an hour)

00 80 4A 00 
04 80 4A 00 
08 80 4A 00 
0C 80 4A 00
10 80 4A 00 
14 80 4A 00 
18 80 4A 00 
1C 80 4A 00
20 80 4A 00 
24 80 4A 00 
28 80 4A 00 
2C 80 4A 00

EC 81 4A 00 

30 80 4A 00 

F0 81 4A 00 

34 80 4A 00 
38 80 4A 00 
3C 80 4A 00 
40 80 4A 00
44 80 4A 00 
48 80 4A 00 
4C 80 4A 00 
50 80 4A 00
54 80 4A 00 
58 80 4A 00 
5C 80 4A 00 
60 80 4A 00

F4 81 4A 00 

64 80 4A 00
68 80 4A 00
6C 80 4A 00

5C 86 4A 00
60 86 4A 00
64 86 4A 00

70 80 4A 00
74 80 4A 00

1C 86 4A 00
20 86 4A 00
24 86 4A 00

78 80 4A 00
7C 80 4A 00
80 80 4A 00
84 80 4A 00
88 80 4A 00
8C 80 4A 00
90 80 4A 00
94 80 4A 00
98 80 4A 00
9C 80 4A 00
A0 80 4A 00
A4 80 4A 00
A8 80 4A 00

F8 81 4A 00

AC 80 4A 00
B0 80 4A 00
B4 80 4A 00
B8 80 4A 00

68 86 4A 00
6C 86 4A 00
70 86 4A 00

BC 80 4A 00
C0 80 4A 00
C4 80 4A 00
C8 80 4A 00
CC 80 4A 00
D0 80 4A 00
D4 80 4A 00
D8 80 4A 00
DC 80 4A 00
E0 80 4A 00
E4 80 4A 00
E8 80 4A 00
EC 80 4A 00
F0 80 4A 00
F4 80 4A 00
F8 80 4A 00
FC 80 4A 00
00 81 4A 00
04 81 4A 00
08 81 4A 00
0C 81 4A 00
10 81 4A 00
14 81 4A 00
18 81 4A 00
1C 81 4A 00
20 81 4A 00
24 81 4A 00
28 81 4A 00
2C 81 4A 00
30 81 4A 00
34 81 4A 00
38 81 4A 00
3C 81 4A 00
40 81 4A 00
44 81 4A 00
48 81 4A 00
4C 81 4A 00
50 81 4A 00
54 81 4A 00
58 81 4A 00
5C 81 4A 00
60 81 4A 00
64 81 4A 00
68 81 4A 00
6C 81 4A 00
70 81 4A 00
74 81 4A 00
78 81 4A 00
7C 81 4A 00
80 81 4A 00
84 81 4A 00
88 81 4A 00
8C 81 4A 00
90 81 4A 00
94 81 4A 00
98 81 4A 00
9C 81 4A 00
A0 81 4A 00
A4 81 4A 00
A8 81 4A 00
AC 81 4A 00
B0 81 4A 00
B4 81 4A 00
B8 81 4A 00
BC 81 4A 00
C0 81 4A 00
C4 81 4A 00
C8 81 4A 00
CC 81 4A 00
D0 81 4A 00
D4 81 4A 00
D8 81 4A 00
DC 81 4A 00
E0 81 4A 00

78 86 4A 00
7C 86 4A 00
80 86 4A 00

8C 84 4A 00
90 84 4A 00
94 84 4A 00
98 84 4A 00
9C 84 4A 00
A0 84 4A 00
A4 84 4A 00
A8 84 4A 00
AC 84 4A 00
B0 84 4A 00
B4 84 4A 00
B8 84 4A 00
BC 84 4A 00
C0 84 4A 00
C4 84 4A 00
C8 84 4A 00
CC 84 4A 00
D0 84 4A 00
D4 84 4A 00
D8 84 4A 00
DC 84 4A 00
E0 84 4A 00
E4 84 4A 00
E8 84 4A 00
EC 84 4A 00
F0 84 4A 00
F4 84 4A 00
F8 84 4A 00
FC 84 4A 00
00 85 4A 00
04 85 4A 00
08 85 4A 00
0C 85 4A 00
10 85 4A 00
14 85 4A 00
18 85 4A 00
1C 85 4A 00
20 85 4A 00
24 85 4A 00
28 85 4A 00
2C 85 4A 00
30 85 4A 00
34 85 4A 00
38 85 4A 00
3C 85 4A 00
40 85 4A 00
44 85 4A 00
48 85 4A 00
4C 85 4A 00
50 85 4A 00
54 85 4A 00
58 85 4A 00
5C 85 4A 00
60 85 4A 00
64 85 4A 00
68 85 4A 00
6C 85 4A 00
70 85 4A 00
74 85 4A 00
78 85 4A 00
7C 85 4A 00
80 85 4A 00
84 85 4A 00
88 85 4A 00
8C 85 4A 00
90 85 4A 00
94 85 4A 00
98 85 4A 00
9C 85 4A 00
A0 85 4A 00
A4 85 4A 00
A8 85 4A 00
AC 85 4A 00
B0 85 4A 00
B4 85 4A 00

FC 81 4A 00
00 82 4A 00
04 82 4A 00
08 82 4A 00
0C 82 4A 00
10 82 4A 00
14 82 4A 00
18 82 4A 00
1C 82 4A 00
20 82 4A 00
24 82 4A 00
28 82 4A 00
2C 82 4A 00
30 82 4A 00
34 82 4A 00
38 82 4A 00
3C 82 4A 00
40 82 4A 00
44 82 4A 00
48 82 4A 00
4C 82 4A 00
50 82 4A 00
54 82 4A 00
58 82 4A 00
5C 82 4A 00
60 82 4A 00
64 82 4A 00
68 82 4A 00
6C 82 4A 00
70 82 4A 00
74 82 4A 00
78 82 4A 00
7C 82 4A 00
80 82 4A 00
84 82 4A 00
88 82 4A 00
8C 82 4A 00
90 82 4A 00
94 82 4A 00
98 82 4A 00
9C 82 4A 00
A0 82 4A 00
A4 82 4A 00
A8 82 4A 00
AC 82 4A 00
B0 82 4A 00
B4 82 4A 00
B8 82 4A 00
BC 82 4A 00
C0 82 4A 00
C4 82 4A 00
C8 82 4A 00
CC 82 4A 00
D0 82 4A 00
D4 82 4A 00
D8 82 4A 00
DC 82 4A 00
E0 82 4A 00
E4 82 4A 00
E8 82 4A 00
EC 82 4A 00
F0 82 4A 00
F4 82 4A 00
F8 82 4A 00
FC 82 4A 00
00 83 4A 00
04 83 4A 00
08 83 4A 00
0C 83 4A 00
10 83 4A 00
14 83 4A 00
18 83 4A 00
1C 83 4A 00
20 83 4A 00
24 83 4A 00
28 83 4A 00
2C 83 4A 00
30 83 4A 00
34 83 4A 00
38 83 4A 00
3C 83 4A 00
40 83 4A 00
44 83 4A 00
48 83 4A 00
4C 83 4A 00
50 83 4A 00
54 83 4A 00
58 83 4A 00
5C 83 4A 00
60 83 4A 00
64 83 4A 00
68 83 4A 00
6C 83 4A 00
70 83 4A 00
74 83 4A 00
78 83 4A 00
7C 83 4A 00
80 83 4A 00
84 83 4A 00
88 83 4A 00
8C 83 4A 00
90 83 4A 00
94 83 4A 00
98 83 4A 00
9C 83 4A 00
A0 83 4A 00
A4 83 4A 00
A8 83 4A 00
AC 83 4A 00
B0 83 4A 00
B4 83 4A 00
B8 83 4A 00
BC 83 4A 00
C0 83 4A 00
C4 83 4A 00
C8 83 4A 00
CC 83 4A 00
D0 83 4A 00
D4 83 4A 00
D8 83 4A 00
DC 83 4A 00
E0 83 4A 00
E4 83 4A 00
E8 83 4A 00
EC 83 4A 00
F0 83 4A 00
F4 83 4A 00
F8 83 4A 00
FC 83 4A 00
00 84 4A 00
04 84 4A 00
08 84 4A 00
0C 84 4A 00
10 84 4A 00
14 84 4A 00
18 84 4A 00
1C 84 4A 00
20 84 4A 00
24 84 4A 00
28 84 4A 00
2C 84 4A 00
30 84 4A 00
34 84 4A 00
38 84 4A 00
3C 84 4A 00
40 84 4A 00
44 84 4A 00
48 84 4A 00
4C 84 4A 00
50 84 4A 00
54 84 4A 00
58 84 4A 00
5C 84 4A 00
60 84 4A 00
64 84 4A 00
68 84 4A 00
6C 84 4A 00
70 84 4A 00
74 84 4A 00
78 84 4A 00
7C 84 4A 00
80 84 4A 00
84 84 4A 00

E4 81 4A 00

28 86 4A 00
2C 86 4A 00
30 86 4A 00
34 86 4A 00
38 86 4A 00
3C 86 4A 00
40 86 4A 00
44 86 4A 00
48 86 4A 00
4C 86 4A 00
50 86 4A 00
54 86 4A 00

88 86 4A 00

BC 85 4A 00
C0 85 4A 00
C4 85 4A 00
C8 85 4A 00
CC 85 4A 00
D0 85 4A 00
D4 85 4A 00
D8 85 4A 00
DC 85 4A 00
E0 85 4A 00
E4 85 4A 00
E8 85 4A 00
EC 85 4A 00
F0 85 4A 00
F4 85 4A 00
F8 85 4A 00
FC 85 4A 00
00 86 4A 00
04 86 4A 00
08 86 4A 00
0C 86 4A 00
10 86 4A 00
14 86 4A 00

90 86 4A 00
94 86 4A 00
98 86 4A 00
9C 86 4A 00

A4 86 4A 00
AC 86 4A 00
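Added example (not the author's code): the IAT regrouping and the pointer table above, built automatically instead of in Excel. The script parses ImportREC-style lines (the sample below is constructed from the first entries of the listing), lays the thunks out module by module with one null DWORD after each module, which is the layout the 4A8000 table follows, and emits the little-endian pointer bytes. The author's count table is included as check data: computed from it, the module start addresses and the 6B0 size match the page. Module order and the base address are parameters; the function names are mine.

```python
# Added example: automate the "regroup the IAT by DLL" step. Not the author's code.
import re
import struct
from collections import OrderedDict

# One ImportREC log line: "1<TAB>00C10000<TAB>kernel32.dll<TAB>001F<TAB>CloseHandle"
LINE_RE = re.compile(r"^\s*1\s+([0-9A-Fa-f]{8})\s+(\S+)\s+([0-9A-Fa-f]{4})\s+(\S+)")

# Constructed sample: the first ImportREC entries from the listing above (spaces instead of tabs).
SAMPLE_LISTING = """
1  00C10000  kernel32.dll  001F  CloseHandle
1  00C10004  kernel32.dll  0039  CreateFileA
1  00C10008  kernel32.dll  012D  GetFileType
1  00C1000C  kernel32.dll  012A  GetFileSize
1  00C10010  kernel32.dll  016D  GetStdHandle
1  00C10014  kernel32.dll  0237  RaiseException
1  00C10018  kernel32.dll  0244  ReadFile
1  00C1001C  kernel32.dll  025E  RtlUnwind
1  00C10020  kernel32.dll  0293  SetEndOfFile
1  00C10024  kernel32.dll  029C  SetFilePointer
1  00C10028  kernel32.dll  02E2  UnhandledExceptionFilter
1  00C1002C  kernel32.dll  0315  WriteFile
1  00C10030  user32.dll    0026  CharNextA
1  00C10034  kernel32.dll  0091  ExitProcess
1  00C10038  user32.dll    01C4  MessageBoxA
1  00C1007C  advapi32.dll  018C  RegCloseKey
1  00C10080  advapi32.dll  01A5  RegOpenKeyExA
"""

# Module order and per-module counts exactly as in the author's table (used as check data).
PAGE_COUNTS = [("kernel32.dll", 122), ("user32.dll", 167), ("gdi32.dll", 75), ("comctl32.dll", 23),
               ("oleaut32.dll", 15), ("advapi32.dll", 6), ("version.dll", 3), ("ole32.dll", 1),
               ("winspool.drv", 4), ("shell32.dll", 1), ("comdlg32.dll", 1)]


def parse_listing(text):
    """Return [(orig_slot, dll, ordinal, name)] in listing order; duplicates are kept as ImportREC reports them."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append((int(m.group(1), 16), m.group(2).lower(), int(m.group(3), 16), m.group(4)))
    return out


def layout(entries, base, module_order=None):
    """Lay the thunks out per module starting at `base`.
    Returns (bases, mapping, size): first slot of each module, orig_slot -> new_slot, and the
    IAT size as ImportREC reports it (inter-module terminators counted, no trailing one)."""
    per_module = OrderedDict()
    for dll in (module_order or []):
        per_module[dll.lower()] = []
    for orig, dll, _ordinal, _name in entries:
        per_module.setdefault(dll, []).append(orig)   # modules not pre-listed go last, by first appearance
    bases, mapping, cursor = {}, {}, base
    for dll, slots in per_module.items():
        if not slots:
            continue
        bases[dll] = cursor
        for i, orig in enumerate(slots):
            mapping[orig] = cursor + 4 * i
        cursor += 4 * len(slots) + 4                   # thunks, then one null DWORD terminator
    return bases, mapping, cursor - 4 - base


def layout_from_counts(counts, base):
    """Same layout from (module, count) pairs only; lets the rule be checked against the page's table."""
    fake, slot = [], 0
    for dll, n in counts:
        for _ in range(n):
            fake.append((slot, dll.lower(), 0, "?"))
            slot += 4
    return layout(fake, base)


def pointer_table(entries, mapping):
    """One little-endian DWORD per original slot, in original order: the bytes pasted at 1011000."""
    return b"".join(struct.pack("<I", mapping[orig]) for orig, _dll, _ordinal, _name in entries)


def hexdump(table):
    """Render like the page: one 'xx xx xx xx' line per slot."""
    return "\n".join(" ".join(f"{b:02X}" for b in table[i:i + 4]) for i in range(0, len(table), 4))


if __name__ == "__main__":
    entries = parse_listing(SAMPLE_LISTING)
    bases, mapping, size = layout(entries, 0x4A8000)
    for dll, b in bases.items():
        print(f"{dll:14s} starts at {b:08X}")
    print(hexdump(pointer_table(entries, mapping)))
    page_bases, _, page_size = layout_from_counts(PAGE_COUNTS, 0x4A8000)
    print(f"with the page's counts: user32 at {page_bases['user32.dll']:X}, size {page_size:X}")
```

Feeding the full ImportREC log to `parse_listing` and passing the author's module order to `layout` gives the whole 1011000 table in one go; the size it returns is what ImportREC later shows as the IAT size.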


Write another routine to do the repair

7119CF60    60              PUSHAD
7119CF61    B8 50124000     MOV EAX,401250                              ; // search starts at 401250
7119CF66    BA 00000101     MOV EDX,1010000                             ; // take the APIs from the area starting at 1010000
7119CF6B    66:8138 90E9    CMP WORD PTR DS:[EAX],0E990                 ; // 90 E9 = NOP, JMP
7119CF70    0F85 2F000000   JNZ V1200351.7119CFA5
7119CF76    8BC8            MOV ECX,EAX                                 ; // stub address saved in ECX
7119CF78    90              NOP
7119CF79    90              NOP
7119CF7A    90              NOP
7119CF7B    66:C700 FF25    MOV WORD PTR DS:[EAX],25FF                  ; // patch to FF 25 = JMP DWORD PTR [XXXXXXXX]
7119CF80    83C0 02         ADD EAX,2
7119CF83    8BDA            MOV EBX,EDX
7119CF85    81C3 00100000   ADD EBX,1000                                ; // the area starting at 1011000 holds the IAT slot addresses
7119CF8B    8B1B            MOV EBX,DWORD PTR DS:[EBX]                  ; // fetch XXXXXXXX (the slot)
7119CF8D    8918            MOV DWORD PTR DS:[EAX],EBX
7119CF8F    90              NOP
7119CF90    8B02            MOV EAX,DWORD PTR DS:[EDX]                  ; // fetch the API
7119CF92    8903            MOV DWORD PTR DS:[EBX],EAX                  ; // [XXXXXXXX] = API
7119CF94    90              NOP
7119CF95    90              NOP
7119CF96    90              NOP
7119CF97    90              NOP
7119CF98    90              NOP
7119CF99    90              NOP
7119CF9A    90              NOP
7119CF9B    83C2 04         ADD EDX,4
7119CF9E    8BC1            MOV EAX,ECX
7119CFA0    90              NOP
7119CFA1    90              NOP
7119CFA2    90              NOP
7119CFA3    90              NOP
7119CFA4    90              NOP
7119CFA5    83C0 04         ADD EAX,4
7119CFA8    3D 208C4300     CMP EAX,438C20
7119CFAD  ^ 72 BC           JB SHORT V1200351.7119CF6B
7119CFAF    61              POPAD

60 B8 50 12 40 00 BA 00 00 01 01 66 81 38 90 E9 0F 85 2F 00 00 00 8B C8 90 90 90 66 C7 00 FF 25
83 C0 02 8B DA 81 C3 00 10 00 00 8B 1B 89 18 90 8B 02 89 03 90 90 90 90 90 90 90 83 C2 04 8B C1
90 90 90 90 90 83 C0 04 3D 20 8C 43 00 72 BC 61
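Added example (not the packer's or the author's code): a Python model of the NOP/JMP stub scheme and of both patch routines, so the logic can be checked outside the debugger. It lays out four `90 E9` stubs like the 00406AA0 listing, three going through a XOR trampoline (API = [[ret+2]] XOR ret with ret = target+5, which is what the resolver at 7119D2FD and the first patch compute) and one jumping straight above 70000000, then resolves them, writes an IAT and rewrites each stub to `FF 25 <slot>` as the second patch does. All addresses, the trampoline layout and the API values are constructed; the resolver entry is a placeholder that is never called; slots are filled in scan order, the regrouping by module being a separate step.

```python
# Added example: model of the stub resolution and rewrite. Constructed data, not the author's code.
import struct

STUB_SIG = b"\x90\xE9"      # 90 E9 = NOP ; JMP rel32, the pattern both patches search for
API_FLOOR = 0x70000000      # author's heuristic: a JMP landing at or above this already hits the DLL


def s32(v):
    """Reinterpret a 32-bit value as signed (rel32 displacements)."""
    return v - (1 << 32) if v & 0x80000000 else v


class Memory:
    """Flat little-endian memory made of a few separately allocated regions."""
    def __init__(self):
        self.regions = {}   # base -> bytearray

    def add(self, base, size):
        self.regions[base] = bytearray(size)

    def _locate(self, addr, n):
        for base, buf in self.regions.items():
            if base <= addr and addr + n <= base + len(buf):
                return buf, addr - base
        raise KeyError(f"unmapped address {addr:08X}")

    def read(self, addr, n):
        buf, off = self._locate(addr, n)
        return bytes(buf[off:off + n])

    def write(self, addr, data):
        buf, off = self._locate(addr, len(data))
        buf[off:off + len(data)] = data

    def read_u32(self, addr):
        return struct.unpack("<I", self.read(addr, 4))[0]

    def write_u32(self, addr, value):
        self.write(addr, struct.pack("<I", value))


def scan_stubs(mem, start, end, step=4):
    """Search loop of both patches: every 4-byte-aligned address in [start, end) that begins with 90 E9."""
    return [a for a in range(start, end, step) if mem.read(a, 2) == STUB_SIG]


def resolve_stub(mem, stub):
    """First patch: follow the JMP; if it lands in a DLL that is the API, otherwise decrypt it."""
    target = (stub + 6 + s32(mem.read_u32(stub + 2))) & 0xFFFFFFFF
    if target >= API_FLOOR:
        return target
    ret = target + 5                     # return address of the CALL sitting at the target
    key_ptr = mem.read_u32(ret + 2)      # dword two bytes past the return address points at the key slot
    return mem.read_u32(key_ptr) ^ ret   # API = [[ret+2]] XOR ret


def rewrite_stub(mem, stub, slot):
    """Second patch: 90 E9 rel32  ->  FF 25 <slot>  (JMP DWORD PTR [slot]); the 2 trailing bytes stay."""
    mem.write(stub, b"\xFF\x25" + struct.pack("<I", slot))


def rebuild_iat(mem, start, end, iat_base):
    """Resolve every stub, give it an IAT slot and redirect the stub there. Returns {slot: api}."""
    iat = {}
    for i, stub in enumerate(scan_stubs(mem, start, end)):
        slot = iat_base + 4 * i
        api = resolve_stub(mem, stub)
        mem.write_u32(slot, api)
        rewrite_stub(mem, stub, slot)
        iat[slot] = api
    return iat


def build_sample():
    """Constructed image: four stubs laid out like the 00406AA0 listing (NOP / JMP rel32 / MOV EAX,EAX),
    three going through XOR trampolines and one jumping straight into a 'DLL'."""
    CODE, TRAMP, KEYS, IAT = 0x00406AA0, 0x00E0DA00, 0x00E0F000, 0x004A8000
    RESOLVER = 0x7119D2FD                                      # placeholder; never executed here
    apis = [0x77E7C48C, 0x77E7B3E1, 0x77E6C5D9, 0x77E7E3A2]    # constructed API addresses
    mem = Memory()
    for base, size in ((CODE, 0x40), (TRAMP, 0x100), (KEYS, 0x40), (IAT, 0x40)):
        mem.add(base, size)
    for i, api in enumerate(apis):
        stub = CODE + 8 * i
        if i == len(apis) - 1:
            target = api                                       # direct JMP into the DLL (>= 70000000 case)
        else:
            target = TRAMP + 0x10 * i
            ret = target + 5
            key_ptr = KEYS + 4 * i
            # trampoline: CALL resolver ; 2 filler bytes ; dword -> key slot holding (api XOR ret)
            mem.write(target, b"\xE8" + struct.pack("<i", RESOLVER - ret)
                      + b"\x90\x90" + struct.pack("<I", key_ptr))
            mem.write_u32(key_ptr, api ^ ret)
        mem.write(stub, STUB_SIG + struct.pack("<i", target - (stub + 6)) + b"\x8B\xC0")
    return mem, CODE, CODE + 0x20, IAT, apis


if __name__ == "__main__":
    mem, start, end, iat_base, apis = build_sample()
    for slot, api in rebuild_iat(mem, start, end, iat_base).items():
        print(f"[{slot:08X}] = {api:08X}")
```

On a real dump the same two passes run over 401250..438C20 with `iat_base` set to the staging area; the 4-byte scan step is the author's, so a stub at an unaligned address would be missed and a search with step 1 is the safer general form.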

Return to 499780 and dump.
ImportREC: VA=4A8000, RVA = A8000, Size = 6B0; Get Imports gives the IAT

RVA = A9000, Fix Dump


Latest replies (7)
forgot  2004-6-19 17:30

If only it were a different year... :D
softworm  2004-6-19 18:41

Learning! I've never dealt with an IAT whose order had been scrambled ;)
fly  2004-6-19 21:35

Nice.
老王  2004-6-19 23:21

:)
jwh51  2004-6-20 15:16

:p
loveaixing  2004-7-25 14:10

Well written! Many packers nowadays handle APIs this way!

You can generalize from this one case to N others!! :)
loveaixing  2004-7-31 21:50

Thanks to simonzh2000 for writing such a good article. I used this method to repair the API hooks of an old HYING packer! But after fixing the API addresses with IP 1.6, it keeps reporting errors!
Could one of you experts give me some pointers?