Checking the packer:
I. Finding the OEP
1. The one-jump direct method
(1) Load the program:
(2) Do not run it. Page down until you reach the invalid code shown in the figure below; there is a JMP instruction there. Set an F2 breakpoint on it.
(3) Reload the program in OD and press F9 to run, as shown:
(4) You have reached the OEP.
2. Stack balance (the ESP law)
(1) Load the program in OD:
(2) Step with F8 and look for the first time the ESP register changes; its value is 0018FF6C. Right-click it and choose "Follow in Dump".
(3) Set a hardware breakpoint on the data at 0018FF6C [PS: under the Debug menu you can open "Hardware breakpoints" to view the hardware breakpoints].
(4) The rest is the same as the procedure above.
3. Using the first API function the application calls to locate the OEP
(1) Load the program in OD, the same as in the methods above; not repeated here.
(2) Press Ctrl+G, enter "GetVersion", and set an F2 breakpoint on it.
(3) Reload in OD, run with F9, then press F8 to execute until return.
(4) After returning you see the screen shown below; scroll up and you find the OEP.
II. Rebuilding the IAT
The tools used are LordPE and ImportREC.
(1) In OD, locate the OEP, then use LordPE to dump the process to a file "dumped" [it cannot be executed at this point]. After that you can close LordPE.
(2) Next, locate the start address and end address of the IAT.
Since we have already found GetVersion, a function imported from a system DLL, it makes an obvious starting point.
Hey, that is a lot of addresses. Click the "M" (memory) window to see which module's DLL each belongs to.
(PS: this view is hard to read; you can switch the dump window to address form to view it directly.)
Converted, it looks like this:
In total the program uses the following functions:
00464000 769A1B71 advapi32.RegCreateKeyExA
00464004 769ABED4 advapi32.RegCloseKey
00464008 7699D403 ASCII "jh"
0046400C 769ABC0D advapi32.RegOpenKeyExA
00464010 769A1B96 advapi32.RegSetValueExA
00464014 00000000
00464018 763E1739 comctl32.InitCommonControls
0046401C 763E7968 comctl32.ImageList_Destroy
00464020 00000000
00464024 76935171 gdi32.StartDocA
00464028 7691EBE8 gdi32.GetSystemPaletteEntries
0046402C 769096A3 gdi32.CreatePalette
00464030 76905A86 gdi32.SelectPalette
00464034 7690A103 gdi32.RealizePalette
00464038 76906001 gdi32.GetDIBits
0046403C 76905221 gdi32.SetBkColor
00464040 7690DDB1 gdi32.CreatePolygonRgn
00464044 76907F51 gdi32.GetWindowExtEx
00464048 76908234 gdi32.GetViewportOrgEx
0046404C 7690DCD0 gdi32.GetWindowOrgEx
00464050 76906FB9 gdi32.SetStretchBltMode
00464054 7690BA55 gdi32.StretchBlt
00464058 76907050 gdi32.CreateDIBitmap
0046405C 76908D53 gdi32.GetClipRgn
00464060 76908C0D gdi32.SelectClipRgn
00464064 76905689 gdi32.DeleteObject
00464068 76909750 gdi32.LPtoDP
0046406C 7690972F gdi32.CreateRectRgnIndirect
00464070 76905876 gdi32.DeleteDC
00464074 769353ED gdi32.BeginPath
00464078 769354F6 gdi32.EndPath
0046407C 769355FB gdi32.PathToRegion
00464080 769336C6 gdi32.CreateEllipticRgn
00464084 769336FD gdi32.CreateRoundRectRgn
00464088 76933F19 gdi32.EndDoc
0046408C 7690B665 gdi32.GetTextColor
00464090 769087F8 gdi32.GetBkMode
00464094 7690B776 gdi32.GetBkColor
00464098 7690B835 gdi32.GetROP2
0046409C 7691A73D gdi32.GetPolyFillMode
004640A0 7693400A gdi32.StartPage
004640A4 76916665 gdi32.EndPage
004640A8 76905F49 gdi32.CreateCompatibleBitmap
004640AC 769095F4 gdi32.CreateDCA
004640B0 76904DF0 gdi32.GetDeviceCaps
004640B4 76908767 gdi32.DPtoLP
004640B8 76905D53 gdi32.CreateBitmap
004640BC 769054F4 gdi32.CreateCompatibleDC
004640C0 76904EB0 gdi32.SelectObject
004640C4 76905EA6 gdi32.BitBlt
004640C8 76908964 gdi32.GetObjectA
004640CC 7690BC0F gdi32.CreatePen
004640D0 7690A17A gdi32.PatBlt
004640D4 7690B7C5 gdi32.Rectangle
004640D8 76934482 gdi32.Ellipse
004640DC 769164B0 gdi32.RoundRect
004640E0 7690E7F8 gdi32.FillRgn
004640E4 76906ABF gdi32.GetCurrentObject
004640E8 769077CE gdi32.CreateRectRgn
004640EC 76909A4B gdi32.CombineRgn
004640F0 7690D0D5 gdi32.GetTextExtentPoint32A
004640F4 76905427 gdi32.CreateSolidBrush
004640F8 76905443 gdi32.GetStockObject
004640FC 7690CDC5 gdi32.CreateFontIndirectA
00464100 7690CFB9 gdi32.GetTextMetricsA
00464104 7690988E gdi32.GetClipBox
00464108 76905176 gdi32.SetTextColor
0046410C 76906E3B gdi32.SaveDC
00464110 76906EE3 gdi32.RestoreDC
00464114 769050EB gdi32.SetBkMode
00464118 76914BD0 gdi32.SetPolyFillMode
0046411C 7690BE14 gdi32.SetROP2
00464120 76909C75 gdi32.SetMapMode
00464124 769082A7 gdi32.SetViewportOrgEx
00464128 76909D83 gdi32.OffsetViewportOrgEx
0046412C 769115A1 gdi32.SetViewportExtEx
00464130 7692858F gdi32.ScaleViewportExtEx
00464134 769097F9 gdi32.SetWindowOrgEx
00464138 7691168D gdi32.SetWindowExtEx
0046413C 7692866A gdi32.ScaleWindowExtEx
00464140 7690A904 gdi32.ExcludeClipRect
00464144 769086B6 gdi32.MoveToEx
00464148 7690BBA5 gdi32.LineTo
0046414C 7691C250 gdi32.GetStretchBltMode
00464150 769113BD gdi32.Escape
00464154 7690D8BF gdi32.ExtTextOutA
00464158 7690E190 gdi32.TextOutA
0046415C 76908D8A gdi32.RectVisible
00464160 76935E80 gdi32.PtVisible
00464164 76907EDA gdi32.GetViewportExtEx
00464168 769089E9 gdi32.ExtSelectClipRgn
0046416C 00000000
00464170 77041AA5 kernel32.MultiByteToWideChar
00464174 77059BE0 kernel32.SetEndOfFile
00464178 7705DA88 kernel32.UnlockFile
0046417C 7705DA70 kernel32.LockFile
00464180 7704C606 kernel32.FlushFileBuffers
00464184 7704177B kernel32.SetFilePointer
00464188 77041568 kernel32.GetCurrentProcess
0046418C 77041796 kernel32.DuplicateHandle
00464190 77041199 jmp 到 ntdll_1.RtlSetLastWin32Error
00464194 7704E7B5 kernel32.lstrcpynA
00464198 7704344D kernel32.GetVersion
0046419C 770B979C kernel32.GlobalGetAtomNameA
004641A0 7705C47D kernel32.GlobalAddAtomA
004641A4 7706C2BC kernel32.GlobalFindAtomA
004641A8 7705A0BF kernel32.GlobalDeleteAtom
004641AC 7705DC90 kernel32.lstrcmpA
004641B0 770599B3 kernel32.lstrcmpiA
004641B4 770C478F kernel32.SetStdHandle
004641B8 77042F57 kernel32.CompareStringW
004641BC 770599A6 kernel32.CompareStringA
004641C0 7706C269 kernel32.IsBadCodePtr
004641C4 7706C0DC kernel32.IsBadReadPtr
004641C8 77041ABD kernel32.GetStringTypeW
004641CC 770667BD kernel32.GetStringTypeExA
004641D0 7704D03C kernel32.SetUnhandledExceptionFilter
004641D4 7704DE57 kernel32.SetEnvironmentVariableA
004641D8 7706C385 kernel32.IsBadWritePtr
004641DC 77041801 kernel32.VirtualAlloc
004641E0 77041826 kernel32.LCMapStringW
004641E4 7706B4FB kernel32.LCMapStringA
004641E8 7704183E kernel32.VirtualFree
004641EC 77044CE0 kernel32.HeapCreate
004641F0 7704BFDC kernel32.HeapDestroy
004641F4 77041512 kernel32.GetEnvironmentVariableA
004641F8 770438E6 kernel32.GetFileType
004641FC 77044EF8 kernel32.GetStdHandle
00464200 77049729 kernel32.SetHandleCount
00464204 77044F1D kernel32.GetEnvironmentStringsW
00464208 7704DE87 kernel32.GetEnvironmentStrings
0046420C 77044F10 kernel32.FreeEnvironmentStringsW
00464210 7704DE6F kernel32.FreeEnvironmentStringsA
00464214 77069775 kernel32.UnhandledExceptionFilter
00464218 7704170C kernel32.GetACP
0046421C 775E2EA2 ntdll_1.RtlSizeHeap
00464220 77063FB8 kernel32.WritePrivateProfileStringA
00464224 7704CABC kernel32.GetFileAttributesA
00464228 77044EE6 kernel32.GetCommandLineA
0046422C 77059562 kernel32.SetCurrentDirectoryA
00464230 7706C230 kernel32.CreateSemaphoreA
00464234 7704356A kernel32.ResumeThread
00464238 77059A6C kernel32.ReleaseSemaphore
0046423C 775D2260 ntdll_1.RtlEnterCriticalSection
00464240 775D2220 ntdll_1.RtlLeaveCriticalSection
00464244 77044E28 kernel32.CreateEventA
00464248 7704DDF4 kernel32.GetFullPathNameA
0046424C 7705CCE2 kernel32.FindResourceA
00464250 77041CA8 kernel32.LoadResource
00464254 77041CB5 kernel32.LockResource
00464258 77041EA8 kernel32.CreateThread
0046425C 770414FA kernel32.GetModuleFileNameA
00464260 770410EF kernel32.Sleep
00464264 77062B13 kernel32.GetProfileStringA
00464268 7704CA6E kernel32.CreateFileA
0046426C 77041262 kernel32.WriteFile
00464270 77041856 kernel32.ReadFile
00464274 770411B0 kernel32.GetLastError
00464278 77041909 kernel32.WaitForMultipleObjects
0046427C 77041653 kernel32.SetEvent
00464280 77041B2A kernel32.GlobalAlloc
00464284 77041126 kernel32.WaitForSingleObject
00464288 770413D0 kernel32.CloseHandle
0046428C 77041B60 kernel32.MulDiv
00464290 77041450 kernel32.GetCurrentThreadId
00464294 7704734E kernel32.ExitProcess
00464298 77041225 kernel32.GetModuleHandleA
0046429C 77041202 kernel32.GetProcAddress
004642A0 77044BC6 kernel32.LoadLibraryA
004642A4 77041DE2 kernel32.FreeLibrary
004642A8 7705A3FF kernel32.GlobalSize
004642AC 7705A337 kernel32.GlobalLock
004642B0 7704BF76 kernel32.GlobalFree
004642B4 775E4475 ntdll_1.RtlDeleteCriticalSection
004642B8 775E2AE2 ntdll_1.RtlInitializeCriticalSection
004642BC 7704CF57 kernel32.GetLocalTime
004642C0 7704CF2F kernel32.GetSystemTime
004642C4 7704C0A4 kernel32.GetTimeZoneInformation
004642C8 77041B42 kernel32.RaiseException
004642CC 77059DD9 kernel32.TerminateProcess
004642D0 7706C2AB kernel32.RtlUnwind
004642D4 77040DF0 kernel32.GetStartupInfoA
004642D8 770431F2 kernel32.SetErrorMode
004642DC 7706C25F kernel32.GetOEMCP
004642E0 77044ECE kernel32.GetCPInfo
004642E4 7706C2D6 kernel32.GetProcessVersion
004642E8 770411C0 kernel32.TlsGetValue
004642EC 77041D1B kernel32.LocalReAlloc
004642F0 77041484 kernel32.TlsSetValue
004642F4 7704393C kernel32.TlsFree
004642F8 7706C019 kernel32.GlobalHandle
004642FC 77044D22 kernel32.TlsAlloc
00464300 77041A39 kernel32.LocalAlloc
00464304 77043582 kernel32.GetFileTime
00464308 77041AE2 kernel32.GetFileSize
0046430C 77061EAE kernel32.GlobalFlags
00464310 77041EDC kernel32.GetVersionExA
00464314 77062951 kernel32.lstrcatA
00464318 77059A09 kernel32.lstrlenA
0046431C 770C2EC9 kernel32.WinExec
00464320 770628B1 kernel32.lstrcpyA
00464324 7704DDDC kernel32.FindFirstFileA
00464328 77062921 kernel32.FindNextFileA
0046432C 770432CD kernel32.FindClose
00464330 7704DDC4 kernel32.FileTimeToLocalFileTime
00464334 7704CAD4 kernel32.FileTimeToSystemTime
00464338 77044114 kernel32.LocalFree
0046433C 770416B3 kernel32.WideCharToMultiByte
00464340 770413B0 kernel32.InterlockedDecrement
00464344 770413C0 kernel32.InterlockedIncrement
00464348 77063D40 kernel32.GetVolumeInformationA
0046434C 770410FC kernel32.GetTickCount
00464350 7705A272 kernel32.GlobalUnlock
00464354 7705CA09 kernel32.GlobalReAlloc
00464358 770414BD kernel32.HeapFree
0046435C 775F2321 ntdll_1.RtlReAllocateHeap
00464360 770414DD kernel32.GetProcessHeap
00464364 775DDEC6 ntdll_1.RtlAllocateHeap
00464368 7704154B kernel32.GetCurrentThread
0046436C 00000000
00464370 76FB0AA2 oleaut32.LoadTypeLib
00464374 76FC1EF6 oleaut32.RegisterTypeLib
00464378 76FD1CFD oleaut32.UnRegisterTypeLib
0046437C 00000000
00464380 75479BA5 shell32.ShellExecuteA
00464384 7547B61E shell32.Shell_NotifyIconA
00464388 00000000
0046438C 75EB766C user32.GetWindowRect
00464390 75EB7467 user32.GetSystemMetrics
00464394 75EC2B82 user32.RedrawWindow
00464398 75EC2A58 user32.InvalidateRect
0046439C 75EC3F54 user32.EnableWindow
004643A0 75ECAF26 user32.wsprintfA
004643A4 75EC0CD5 user32.IsWindowVisible
004643A8 75EC09A0 user32.FillRect
004643AC 75EC0832 user32.OffsetRect
004643B0 75EC08E5 user32.GetClientRect
004643B4 75EC0DDE user32.PtInRect
004643B8 75EC3F14 user32.SetParent
004643BC 75EDEEF4 user32.SendMessageA
004643C0 75EBD75B user32.LoadCursorA
004643C4 75EC042B user32.IsRectEmpty
004643C8 75EB6947 user32.IsWindow
004643CC 75EC4FF1 user32.DestroyIcon
004643D0 75EC045D user32.IntersectRect
004643D4 75EC0971 user32.SetRect
004643D8 75EC2F59 user32.InflateRect
004643DC 75EC88CD user32.SetScrollPos
004643E0 75EE0207 user32.SetScrollRange
004643E4 75EBC9AC user32.GetWindowLongA
004643E8 75EDEF4A user32.SetWindowLongA
004643EC 75EC8FAC user32.GetScrollRange
004643F0 75EC3CBF user32.PostMessageA
004643F4 75EC2ED1 user32.SetCapture
004643F8 75EB7959 user32.GetSysColor
004643FC 75EC0B0E user32.GetParent
00464400 75EC2DBD user32.GetCapture
00464404 75EC2EC4 user32.ReleaseCapture
00464408 75EB7E72 user32.SetTimer
0046440C 75EB7E52 user32.KillTimer
00464410 75ED7443 user32.WinHelpA
00464414 75EC7C38 user32.LoadBitmapA
00464418 75EC2265 user32.CopyRect
0046441C 75EC0DB1 user32.GetFocus
00464420 75EDDAC8 user32.ChildWindowFromPointEx
00464424 75EC361B user32.ScreenToClient
00464428 75EC2BC7 user32.GetMessagePos
0046442C 75EC2D12 user32.UpdateWindow
00464430 75EC255D user32.SetWindowRgn
00464434 75EC4FF1 user32.DestroyIcon
00464438 75EC4217 user32.DestroyAcceleratorTable
0046443C 75EC34D6 user32.IsChild
00464440 75EBCB00 user32.GetWindow
00464444 75EC7A54 user32.GetTopWindow
00464448 75EC4408 user32.GetActiveWindow
0046444C 75EBCDB4 user32.SetWindowPos
00464450 75EC1B99 user32.SetFocus
00464454 75EC3FA5 user32.DestroyMenu
00464458 75EC2890 user32.SetActiveWindow
0046445C 75EC2EFA user32.IsIconic
00464460 75EDED58 user32.PeekMessageA
00464464 75EC2DA2 user32.SetMenu
00464468 75EC56B1 user32.GetMenu
0046446C 75EF9C8D user32.SetCursorPos
00464470 75EC0E0D user32.GetCursorPos
00464474 75EC1D34 user32.SetForegroundWindow
00464478 75ED08C6 user32.ValidateRect
0046447C 75EDF9B0 user32.SystemParametersInfoA
00464480 75EB7D79 user32.TranslateMessage
00464484 75EBD781 user32.LoadIconA
00464488 75EDFF31 user32.CreatePopupMenu
0046448C 75F1698B user32.AppendMenuA
00464490 75F169C8 user32.ModifyMenuA
00464494 75EC6DA9 user32.CreateMenu
00464498 75EDE024 user32.CreateAcceleratorTableA
0046449C 75EC04E2 user32.EqualRect
004644A0 75EDFD0A user32.GetSubMenu
004644A4 75EDFE36 user32.EnableMenuItem
004644A8 75EB7246 user32.GetDC
004644AC 75EB730E user32.ReleaseDC
004644B0 75EC2AC3 user32.GetDlgCtrlID
004644B4 75EC68D0 user32.EnumDisplaySettingsA
004644B8 75EC8430 user32.LoadImageA
004644BC 75F0FEAE user32.MessageBoxA
004644C0 75ECD947 user32.CreateIconFromResourceEx
004644C4 75EFD26B user32.CreateIconFromResource
004644C8 75EC4F4F user32.DrawIconEx
004644CC 75ED33B5 user32.DrawFrameControl
004644D0 75EC6DD6 user32.DrawEdge
004644D4 75EC8AEA user32.DrawFocusRect
004644D8 75EF9F3B user32.GetClipboardData
004644DC 75EC2BE6 user32.GetWindowPlacement
004644E0 75EC05FF user32.RegisterWindowMessageA
004644E4 75EC36C0 user32.GetForegroundWindow
004644E8 75EE065F user32.GetLastActivePopup
004644EC 75EC43FB user32.GetMessageTime
004644F0 75EC828C user32.RemovePropA
004644F4 75EC7AF4 user32.CallWindowProcA
004644F8 75EE0331 user32.GetPropA
004644FC 75EE0EFC user32.UnhookWindowsHookEx
00464500 75EC8234 user32.SetPropA
00464504 75EC8766 user32.GetClassLongA
00464508 75EDF006 user32.CallNextHookEx
0046450C 75EC8364 user32.SetWindowsHookExA
00464510 75EBA5E6 user32.CreateWindowExA
00464514 75EC1E6E user32.DestroyWindow
00464518 75EBFB86 user32.GetWindowTextA
0046451C 75ECA9E3 user32.GetWindowTextLengthA
00464520 75EE0BC5 user32.GetDlgItem
00464524 75EDE541 user32.GetMenuItemID
00464528 75EC6C88 user32.GetMenuItemCount
0046452C 75EC4B80 user32.RegisterClassA
00464530 75EC4741 user32.GetScrollPos
00464534 75EC583A user32.AdjustWindowRectEx
00464538 75EB819D user32.MapWindowPoints
0046453C 75ECC991 user32.SendDlgItemMessageA
00464540 75EBDD98 user32.CharUpperA
00464544 75EC4125 user32.UnregisterClassA
00464548 75EE0267 user32.ScrollWindowEx
0046454C 75ED7051 user32.IsDialogMessageA
00464550 75EC7B22 user32.SetWindowTextA
00464554 75EC35FB user32.MoveWindow
00464558 75EB79D8 user32.GetWindowDC
0046455C 75EC0EBA user32.BeginPaint
00464560 75EC0E9A user32.EndPaint
00464564 75F01980 user32.TabbedTextOutA
00464568 75ECB056 user32.DrawTextA
0046456C 75EF93E5 user32.GrayStringA
00464570 75ECC814 user32.GetNextDlgTabItem
00464574 75EDE6A4 user32.CheckMenuItem
00464578 75EC78DC user32.SetMenuItemBitmaps
0046457C 75EDE5D9 user32.GetMenuState
00464580 75F0D6DA user32.GetMenuCheckMarkDimensions
00464584 75ECB1DD user32.CreateDialogIndirectParamA
00464588 75ECC184 user32.EndDialog
0046458C 75EC7C95 user32.GetClassNameA
00464590 75EC06D6 user32.GetDesktopWindow
00464594 75EC308A user32.GetSysColorBrush
00464598 75EBDCF6 user32.LoadStringA
0046459C 75EC9232 user32.OpenClipboard
004645A0 75F17E49 user32.EmptyClipboard
004645A4 75EF8DE7 user32.SetClipboardData
004645A8 75EC91F4 user32.CloseClipboard
004645AC 75EB811B user32.GetMessageA
004645B0 75EB8103 user32.DispatchMessageA
004645B4 75EC085B user32.SetRectEmpty
004645B8 75EC05FF user32.RegisterWindowMessageA
004645BC 75EC2337 user32.ClientToScreen
004645C0 75EC2DDB user32.WindowFromPoint
004645C4 75EC0DBE user32.ShowWindow
004645C8 75EC4076 user32.SetCursor
004645CC 75EC3DCD user32.IsWindowEnabled
004645D0 75EC8656 user32.TranslateAcceleratorA
004645D4 75EC2902 user32.GetKeyState
004645D8 75EDAF7A user32.CopyAcceleratorTableA
004645DC 75EC3927 user32.PostQuitMessage
004645E0 75EC2F82 user32.IsZoomed
004645E4 75EE037C user32.GetSystemMenu
004645E8 75EDFCC1 user32.DeleteMenu
004645EC 75EDF85E user32.GetClassInfoA
004645F0 775F2893 ntdll_1.NtdllDefWindowProc_A
004645F4 00000000
004645F8 7347FFE1 winmm.midiStreamRestart
004645FC 7347FD9E winmm.midiStreamClose
00464600 7347EB67 winmm.midiOutReset
00464604 7347FF83 winmm.midiStreamStop
00464608 73480113 winmm.midiStreamOut
0046460C 7347E6EA winmm.midiOutPrepareHeader
00464610 7347FF00 winmm.midiStreamProperty
00464614 7347F863 winmm.midiStreamOpen
00464618 7347E8EC winmm.midiOutUnprepareHeader
0046461C 734645A5 winmm.waveOutOpen
00464620 73464B6B winmm.waveOutGetNumDevs
00464624 73464D72 winmm.waveOutClose
00464628 7346C249 winmm.waveOutReset
0046462C 7348533C winmm.waveOutPause
00464630 73465361 winmm.waveOutWrite
00464634 734652F5 winmm.waveOutPrepareHeader
00464638 73464E60 winmm.waveOutUnprepareHeader
0046463C 00000000
00464640 71CDCABF winspool.ClosePrinter
00464644 71CCA63A winspool.DocumentPropertiesA
00464648 71CC74CE winspool.OpenPrinterA
0046464C 00000000
00464650 768BC355 ws2_32.getpeername
00464654 768BE64B ws2_32.accept
00464658 768B47DF ws2_32.recv
0046465C 768B3131 ws2_32.ioctlsocket
00464660 768BBF39 ws2_32.recvfrom
00464664 768B9F8C ws2_32.inet_ntoa
00464668 768CAACC ws2_32.WSAAsyncSelect
0046466C 768B3BED ws2_32.closesocket
00464670 768B3661 ws2_32.WSACleanup
00464674 00000000
00464678 76102713 comdlg32.GetFileTitleA
0046467C 7613B4A3 comdlg32.GetSaveFileNameA
00464680 7613B3F9 comdlg32.GetOpenFileNameA
00464684 761320F5 comdlg32.ChooseColorA
00464688 00000000
0046468C 75FBE952 ole32.OleUninitialize
00464690 75FBE30D ole32.CLSIDFromString
00464694 75FBEF0B ole32.OleInitialize
00464698 00000000
As you can see, the IAT starts at 00464000 and ends at 00464698.
Computed SIZE = 00464698 - 00464000 = 698 (hexadecimal)
In summary: RVA = 464000 - 400000 (image base) = 64000
SIZE = 00464698 - 00464000 = 698
OEP = 00445151 - 400000 (image base) = 45151
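An added example, not part of the original post, that automates the calculation above: it parses OllyDbg data-window lines in the format of the listing, derives the IAT start/end, RVA and SIZE against the 400000 image base, splits the thunks into per-DLL runs at the 00000000 terminators, and flags thunks OD could not name. The DUMP excerpt is constructed from the first lines of the listing; the function names are my own.

```python
import re

IMAGE_BASE = 0x400000   # image base used in the article
OEP_VA = 0x00445151     # OEP virtual address found above

# Constructed excerpt in OllyDbg data-window format (first lines of the listing above).
DUMP = """\
00464000 769A1B71 advapi32.RegCreateKeyExA
00464004 769ABED4 advapi32.RegCloseKey
00464008 7699D403 ASCII "jh"
0046400C 769ABC0D advapi32.RegOpenKeyExA
00464010 769A1B96 advapi32.RegSetValueExA
00464014 00000000
00464018 763E1739 comctl32.InitCommonControls
0046401C 763E7968 comctl32.ImageList_Destroy
00464020 00000000
"""
# address, dword value, optional label (module.Function, "jmp to ...", ASCII "...")
LINE_RE = re.compile(r"^([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]{8})(?:\s+(.*))?$")

def parse_dump(text):
    """Turn dump lines into (address, value, label) tuples; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((int(m.group(1), 16), int(m.group(2), 16), (m.group(3) or "").strip()))
    return entries

def iat_info(entries, image_base=IMAGE_BASE):
    """RVA and SIZE the way the article computes them: start = first thunk,
    end = address of the final 00000000 terminator, SIZE = end - start."""
    start, end = entries[0][0], entries[-1][0]
    return {"start": start, "end": end, "rva": start - image_base, "size": end - start}

def oep_rva(oep_va=OEP_VA, image_base=IMAGE_BASE):
    """OEP value ImportREC expects: virtual address minus image base."""
    return oep_va - image_base

def split_by_module(entries):
    """Each DLL's thunks form one run; a 00000000 dword terminates the run."""
    runs, current = [], []
    for addr, value, label in entries:
        if value == 0:
            if current:
                runs.append(current)
            current = []
        else:
            current.append((addr, value, label))
    return runs + ([current] if current else [])

def unnamed_thunks(entries):
    """Non-zero thunks OD showed without a module.Function label (e.g. ASCII "jh"): check these under Show Invalid."""
    return [(addr, value) for addr, value, label in entries if value and "." not in label]
```

Fed the full listing above (first entry 00464000, last terminator 00464698), iat_info returns the article's values: RVA 64000 and SIZE 698.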
(3) Now use ImportREC to repair the IAT
Fill in the data (computed above):
1. Select the 123.exe process
2. Fill in the data
3. Press "Get Imports"
4. An "invalid" prompt appears:
5. Click "Show Invalid", then do the following
6. After that the invalid prompt is gone
7. Then click "Fix Dump", select the file that was already dumped, and the file is fixed; it reports "successfully"
8. Now you can run the fixed file Dumped_.exe
Looking at it now, you can see a new section has been added: .mackt. This is the section that was just added successfully.
PS: This is a summary of my own learning, so experts please don't mock it; if it helps friends who are just starting to learn about packers, I'm glad.
Antivirus software will flag this file as malware:
123.zip