[求助]手脱Armadillo 的问题
发表于: 2015-7-15 13:58 3989

参考的是这篇文章 http://blog.sina.com.cn/s/blog_4bd46ac70100ifro.html
Peid查询为Armadillo 3.78 - 4.xx -> Silicon Realms Toolworks
测试文件 http://pan.baidu.com/s/1jGpeaJO

;-----------------------------------------------------------------------
; Tail of an Armadillo stub routine, 02B5721D..02B57271 (OllyDbg listing;
; the routine's entry and frame setup lie above this excerpt).
; Frame (from use): [ebp+8]  = first argument, a struct read at +0/+4/+8/+10
;                   [ebp-4]  = return-value slot
;                   [ebp-C]  = a value set earlier (not visible here)
;                   [ebp-28] = XOR-derived displacement computed below
; Returns eax = [ebp-4]; restores esi and ebp before retn.
;-----------------------------------------------------------------------
02B5721D    8945 FC         mov     dword ptr [ebp-4], eax
02B57220    EB 48           jmp     short 02B5726A
; Only taken when the first dword of the argument struct equals 1.
02B57222    8B45 08         mov     eax, dword ptr [ebp+8]
02B57225    8338 01         cmp     dword ptr [eax], 1
02B57228    75 40           jnz     short 02B5726A
; Same global pointer ([2C27A9C]) is loaded three times;
; eax = obj[+28] ^ obj[+18] ^ obj[+74], then saved at [ebp-28].
02B5722A    8B0D 9C7AC202   mov     ecx, dword ptr [2C27A9C]         ; cg_se_30.0118A848
02B57230    8B15 9C7AC202   mov     edx, dword ptr [2C27A9C]         ; cg_se_30.0118A848
02B57236    8B41 28         mov     eax, dword ptr [ecx+28]
02B57239    3342 18         xor     eax, dword ptr [edx+18]
02B5723C    8B0D 9C7AC202   mov     ecx, dword ptr [2C27A9C]         ; cg_se_30.0118A848
02B57242    3341 74         xor     eax, dword ptr [ecx+74]
02B57245    8945 D8         mov     dword ptr [ebp-28], eax          ; save XOR result
; Four arguments taken from the argument struct, pushed in the order
; +4, +8, 0, +10 (so the callee sees +10 first).
02B57248    8B55 08         mov     edx, dword ptr [ebp+8]
02B5724B    8B42 04         mov     eax, dword ptr [edx+4]
02B5724E    50              push    eax
02B5724F    8B4D 08         mov     ecx, dword ptr [ebp+8]
02B57252    8B51 08         mov     edx, dword ptr [ecx+8]
02B57255    52              push    edx
02B57256    6A 00           push    0
02B57258    8B45 08         mov     eax, dword ptr [ebp+8]
02B5725B    8B48 10         mov     ecx, dword ptr [eax+10]
02B5725E    51              push    ecx
; Call target is computed at run time: edx = [ebp-C] - [ebp-28], so the
; static listing cannot show it; the author observed edx = 005AB3AB.
; NOTE(review): 005AB3AB appears in the second listing as
; `call 005BF149 / jmp 005AB23E`, a two-instruction entry stub —
; consistent with it being the OEP; confirm.
02B5725F    8B55 F4         mov     edx, dword ptr [ebp-C]
02B57262    2B55 D8         sub     edx, dword ptr [ebp-28]
02B57265    FFD2            call    edx                              ; //edx=005AB3AB (cg_se_30.005AB3AB)// should be the OEP?
02B57267    8945 FC         mov     dword ptr [ebp-4], eax
; Common exit: return value from [ebp-4], restore esi/ebp.
02B5726A    8B45 FC         mov     eax, dword ptr [ebp-4]
02B5726D    5E              pop     esi
02B5726E    8BE5            mov     esp, ebp
02B57270    5D              pop     ebp
02B57271    C3              retn



跟进到大概是oep的位置
;-----------------------------------------------------------------------
; 005AB23E..005AB3B0: the routine reached through the stub's `call edx`
; (its entry stub is at 005AB3AB, bottom of this listing).
; ebp is used as a frame base from 005AB24A onward although no prologue
; is visible here, so 005B0CE0 presumably sets up the frame — confirm.
; Locals (inferred from use): [ebp-68] = STARTUPINFOW filled by
; GetStartupInfoW; [ebp-1C] = flag; [ebp-20] = return value;
; [ebp-24] = value saved by the out-of-line block; [ebp-4] = state dword.
;-----------------------------------------------------------------------
005AB23E    6A 58           push    58
005AB240    68 10C05E00     push    005EC010
005AB245    E8 965A0000     call    005B0CE0                         ; frame setup helper (presumed)
; GetStartupInfoW(&local at [ebp-68]).
005AB24A    8D45 98         lea     eax, dword ptr [ebp-68]
005AB24D    50              push    eax
005AB24E    FF15 04615C00   call    dword ptr [5C6104]               ; kernel32.GetStartupInfoW
; esi = 0 for the rest of the routine; it is used as a NULL/zero constant.
005AB254    33F6            xor     esi, esi
005AB256    3935 4C720B01   cmp     dword ptr [10B724C], esi
005AB25C    75 0B           jnz     short 005AB269
; HeapSetInformation(NULL, 1, NULL, 0) when [10B724C] is zero
; (class 1 = HeapEnableTerminationOnCorruption).
005AB25E    56              push    esi
005AB25F    56              push    esi
005AB260    6A 01           push    1
005AB262    56              push    esi
005AB263    FF15 08615C00   call    dword ptr [5C6108]               ; kernel32.HeapSetInformation
; Validate the image header at base 00400000 (PE32 layout):
;   'MZ' (5A4D) at +0, e_lfanew at +3C, 'PE' (4550) at the NT header,
;   optional-header magic 10B at NT+18, NumberOfRvaAndSizes (NT+74) > 0E.
; On success [ebp-1C] = (directory entry at NT+E8 != 0); on any failure
; [ebp-1C] = 0 (via 005AB277).
005AB269    B8 4D5A0000     mov     eax, 5A4D
005AB26E    66:3905 0000400>cmp     word ptr [400000], ax
005AB275    74 05           je      short 005AB27C
005AB277    8975 E4         mov     dword ptr [ebp-1C], esi
005AB27A    EB 36           jmp     short 005AB2B2
005AB27C    A1 3C004000     mov     eax, dword ptr [40003C]
005AB281    81B8 00004000 5>cmp     dword ptr [eax+400000], 4550
005AB28B  ^ 75 EA           jnz     short 005AB277
005AB28D    B9 0B010000     mov     ecx, 10B
005AB292    66:3988 1800400>cmp     word ptr [eax+400018], cx
005AB299  ^ 75 DC           jnz     short 005AB277
005AB29B    83B8 74004000 0>cmp     dword ptr [eax+400074], 0E
005AB2A2  ^ 76 D3           jbe     short 005AB277
005AB2A4    33C9            xor     ecx, ecx
005AB2A6    39B0 E8004000   cmp     dword ptr [eax+4000E8], esi
005AB2AC    0F95C1          setne   cl
005AB2AF    894D E4         mov     dword ptr [ebp-1C], ecx
; Initialisation calls. Each failure path (eax == 0, or eax < 0 for the
; jns checks) pushes a small code and calls 005AB215 or 005A6AF2 with that
; one stack argument; the caller cleans it up with `pop ecx`.
005AB2B2    E8 FE1F0000     call    005AD2B5                         ; //
005AB2B7    85C0            test    eax, eax
005AB2B9    75 08           jnz     short 005AB2C3
005AB2BB    6A 1C           push    1C
005AB2BD    E8 53FFFFFF     call    005AB215
005AB2C2    59              pop     ecx
005AB2C3    E8 47340000     call    005AE70F                         ; // stepped into here
005AB2C8    85C0            test    eax, eax
005AB2CA    75 08           jnz     short 005AB2D4
005AB2CC    6A 10           push    10
005AB2CE    E8 42FFFFFF     call    005AB215
005AB2D3    59              pop     ecx
005AB2D4    E8 C9CA0000     call    005B7DA2                         ; //
005AB2D9    8975 FC         mov     dword ptr [ebp-4], esi
005AB2DC    E8 8D6F0000     call    005B226E                         ; //
005AB2E1    85C0            test    eax, eax
005AB2E3    79 08           jns     short 005AB2ED
005AB2E5    6A 1B           push    1B
005AB2E7    E8 06B8FFFF     call    005A6AF2
005AB2EC    59              pop     ecx
; Two results stored into globals.
005AB2ED    FF15 E0615C00   call    dword ptr [5C61E0]               ; //
005AB2F3    A3 48720B01     mov     dword ptr [10B7248], eax
005AB2F8    E8 B53D0100     call    005BF0B2                         ; //
005AB2FD    A3 54630B01     mov     dword ptr [10B6354], eax
005AB302    E8 F03C0100     call    005BEFF7                         ; //
005AB307    85C0            test    eax, eax
005AB309    79 08           jns     short 005AB313
005AB30B    6A 08           push    8
005AB30D    E8 E0B7FFFF     call    005A6AF2
005AB312    59              pop     ecx
005AB313    E8 693A0100     call    005BED81                         ; //
005AB318    85C0            test    eax, eax
005AB31A    79 08           jns     short 005AB324
005AB31C    6A 09           push    9
005AB31E    E8 CFB7FFFF     call    005A6AF2
005AB323    59              pop     ecx
; 005A68D1(1); a non-zero result is passed to 005A6AF2 as the error code.
005AB324    6A 01           push    1
005AB326    E8 A6B5FFFF     call    005A68D1                         ; //
005AB32B    59              pop     ecx
005AB32C    3BC6            cmp     eax, esi
005AB32E    74 07           je      short 005AB337
005AB330    50              push    eax
005AB331    E8 BCB7FFFF     call    005A6AF2
005AB336    59              pop     ecx
005AB337    E8 E6390100     call    005BED22                         ; //
; [ebp-3C] / [ebp-38] are +2C / +30 of the STARTUPINFOW at [ebp-68]
; (dwFlags / wShowWindow): ecx = (dwFlags & 1) ? wShowWindow : 0A.
005AB33C    F645 C4 01      test    byte ptr [ebp-3C], 1
005AB340    74 06           je      short 005AB348
005AB342    0FB74D C8       movzx   ecx, word ptr [ebp-38]
005AB346    EB 03           jmp     short 005AB34B
005AB348    6A 0A           push    0A
005AB34A    59              pop     ecx
; 004818E0(00400000, 0, eax, ecx) — the argument shape of WinMain
; (hInstance, hPrev, lpCmdLine, nShowCmd) — confirm.
005AB34B    51              push    ecx
005AB34C    50              push    eax
005AB34D    56              push    esi
005AB34E    68 00004000     push    00400000
005AB353    E8 8865EDFF     call    004818E0                         ; //
005AB358    8945 E0         mov     dword ptr [ebp-20], eax          ; keep return value
005AB35B    3975 E4         cmp     dword ptr [ebp-1C], esi
005AB35E    75 06           jnz     short 005AB366
005AB360    50              push    eax
005AB361    E8 42B7FFFF     call    005A6AA8
005AB366    E8 69B7FFFF     call    005A6AD4
005AB36B    EB 2E           jmp     short 005AB39B
; 005AB36D..005AB380 is not reached by fall-through (preceded by jmp, ends
; in retn): it reads **[ebp-14] into [ebp-24] and calls 005BEBD8 with two
; arguments. Together with 005AB381 restoring esp from [ebp-18], this looks
; like an exception filter / handler pair — confirm.
005AB36D    8B45 EC         mov     eax, dword ptr [ebp-14]
005AB370    8B08            mov     ecx, dword ptr [eax]
005AB372    8B09            mov     ecx, dword ptr [ecx]
005AB374    894D DC         mov     dword ptr [ebp-24], ecx
005AB377    50              push    eax
005AB378    51              push    ecx
005AB379    E8 5A380100     call    005BEBD8
005AB37E    59              pop     ecx
005AB37F    59              pop     ecx
005AB380    C3              retn
; Handler path: the value saved at [ebp-24] becomes the return value.
005AB381    8B65 E8         mov     esp, dword ptr [ebp-18]
005AB384    8B45 DC         mov     eax, dword ptr [ebp-24]
005AB387    8945 E0         mov     dword ptr [ebp-20], eax
005AB38A    837D E4 00      cmp     dword ptr [ebp-1C], 0
005AB38E    75 06           jnz     short 005AB396
005AB390    50              push    eax
005AB391    E8 28B7FFFF     call    005A6ABE
005AB396    E8 48B7FFFF     call    005A6AE3
; Common exit: state = -2, eax = [ebp-20], 005B0D25 presumably tears down
; the frame set up by 005B0CE0 — confirm.
005AB39B    C745 FC FEFFFFF>mov     dword ptr [ebp-4], -2
005AB3A2    8B45 E0         mov     eax, dword ptr [ebp-20]
005AB3A5    E8 7B590000     call    005B0D25
005AB3AA    C3              retn
; Entry stub: this is the address the first listing's `call edx` reached.
005AB3AB    E8 993D0100     call    005BF149                         ; // start
005AB3B0  ^ E9 89FEFFFF     jmp     005AB23E



用OllyDump输出文件


dump出的文件会崩溃,发现问题出在

; Fragment of a later routine (its entry and remainder lie outside this excerpt).
005AE72C    56              push    esi
; [5C616C] lies in the same 5C61xx table as the kernel32 import slots
; [5C6104]/[5C6108] used in the listing above, so it is presumably an
; import slot too. The value it held, 02B273A0, is in the 02Bxxxxx range
; of the Armadillo stub (first listing), not in the 005Axxxx image.
005AE72D    8B35 6C615C00   mov     esi, dword ptr [5C616C]          ; //ds:[005C616C]=02B273A0
005AE733    68 80C45D00     push    005DC480                         ; ASCII "FlsAlloc"
005AE738    57              push    edi
; Calls (edi, "FlsAlloc") through the slot — the argument shape of
; GetProcAddress(hModule, "FlsAlloc") — confirm.
; NOTE(review): a dumped file crashing here fits an import slot that still
; points into the packer's run-time region, rather than a wrong OEP;
; verify by inspecting what 005C616C holds in the dumped file.
005AE739    FFD6            call    esi                              ; // the program crashes here: the memory at 02B273A0 is not valid in dump.exe. Enlarging OllyDump's Size so the dump also covers 02B273A0 gives a "memory not readable" error
是不是oep的位置找错了?还是修复出错了?

