An arm with insane junk instructions
Question: what form of arm protection is this? How do I get the IAT?
Finding the OEP is very easy.
I found the OEP at 00401EBC, as follows:
0012EB74 01 00 00 00 A8 08 00 00 ...?..
0012EB7C 64 0F 00 00 01 00 00 80 d....?
0012EB84 00 00 00 00 00 00 00 00 ........
0012EB8C BC 1E 40 00 02 00 00 00 ?@....
0012EB94 00 00 00 00 BC 1E 40 00 ....?@.
0012EB9C BC 1E 40 00 CC 06 00 00 ?@.?..
0012EBA4 00 00 00 00 90 34 4E 80 ....?N?
0012EBAC 00 00 00 00 00 00 00 00 ........
0012EBB4 13 00 00 00 2C D6 CC 00 ...,痔.
0012EBBC 64 6D 16 F4 18 27 4E 80 dm?'N?
0012EBC4 00 00 00 00 BC 1E 40 00 ....?@.
0012EBCC 01 00 00 00 01 00 00 00 ......
0012EBD4 01 00 00 00 00 00 00 00 .......
But the code at the OEP is:
00401EBC 089C93 D56014EC or [ebx+edx*4+EC1460D5], bl
00401EC3 6A 9F push -61
00401EC5 0302 add eax, [edx]
00401EC7 95 xchg eax, ebp
00401EC8 20FC and ah, bh
00401ECA 0295 50FC0295 add dl, [ebp+9502FC50]
00401ED0 58 pop eax
00401ED1 FC cld
00401ED2 0295 60FC0295 add dl, [ebp+9502FC60]
00401ED8 2D 04FDA334 sub eax, 34A3FD04
00401EDD 1E push ds
00401EDE FB sti
00401EDF DF ??? ; 未知命令
00401EE0 C9 leave
00401EE1 E4 18 in al, 18
There are lots of junk instructions around the patch point:
After returning, I found this:
00439EBD 83BD D8F5FFFF 0>cmp dword ptr [ebp-A28], 0
00439EC4 0F8C 41020000 jl 0043A10B
00439ECA 8B8D D8F5FFFF mov ecx, [ebp-A28]
00439ED0 3B0D DC4A4600 cmp ecx, [464ADC]
00439ED6 0F8D 2F020000 jge 0043A10B
00439EDC 8B95 48F6FFFF mov edx, [ebp-9B8]
00439EE2 81E2 FF000000 and edx, 0FF
00439EE8 85D2 test edx, edx
00439EEA 0F84 AD000000 je 00439F9D
00439EF0 6A 00 push 0
00439EF2 8BB5 D8F5FFFF mov esi, [ebp-A28]
00439EF8 C1E6 04 shl esi, 4
00439EFB 8B85 D8F5FFFF mov eax, [ebp-A28]
00439F01 25 07000080 and eax, 80000007
00439F06 79 05 jns short 00439F0D
00439F08 48 dec eax
00439F09 83C8 F8 or eax, FFFFFFF8
00439F0C 40 inc eax
00439F0D 33C9 xor ecx, ecx
00439F0F 8A88 30424600 mov cl, [eax+464230]
00439F15 8B95 D8F5FFFF mov edx, [ebp-A28]
00439F1B 81E2 07000080 and edx, 80000007
00439F21 79 05 jns short 00439F28
00439F23 4A dec edx
00439F24 83CA F8 or edx, FFFFFFF8
00439F27 42 inc edx
00439F28 33C0 xor eax, eax
00439F2A 8A82 31424600 mov al, [edx+464231]
00439F30 8B3C8D 58124600 mov edi, [ecx*4+461258]
00439F37 333C85 58124600 xor edi, [eax*4+461258]
00439F3E 8B8D D8F5FFFF mov ecx, [ebp-A28]
00439F44 81E1 07000080 and ecx, 80000007
00439F4A 79 05 jns short 00439F51
00439F4C 49 dec ecx
00439F4D 83C9 F8 or ecx, FFFFFFF8
00439F50 41 inc ecx
00439F51 33D2 xor edx, edx
00439F53 8A91 32424600 mov dl, [ecx+464232]
00439F59 333C95 58124600 xor edi, [edx*4+461258]
00439F60 8B85 D8F5FFFF mov eax, [ebp-A28]
00439F66 99 cdq
00439F67 B9 1C000000 mov ecx, 1C
00439F6C F7F9 idiv ecx
00439F6E 8BCA mov ecx, edx
00439F70 D3EF shr edi, cl
00439F72 83E7 0F and edi, 0F
00439F75 03F7 add esi, edi
00439F77 8B15 CC4A4600 mov edx, [464ACC]
00439F7D 8D04B2 lea eax, [edx+esi*4]
00439F80 50 push eax
00439F81 8B8D D8F5FFFF mov ecx, [ebp-A28]
00439F87 51 push ecx
00439F88 E8 621D0000 call 0043BCEF
00439F8D 83C4 0C add esp, 0C
00439F90 25 FF000000 and eax, 0FF ; after patching here you can get the decoded program
00439F95 85C0 test eax, eax
00439F97 0F84 6E010000 je 0043A10B
00439F9D 8B95 D4F5FFFF mov edx, [ebp-A2C]
00439FA3 3B15 D44A4600 cmp edx, [464AD4]
00439FA9 72 1C jb short 00439FC7
You need to hold the left mouse button in the code window and select upward, otherwise the code becomes:
00439EB8 ^\EB D2 jmp short 00439E8C
00439EBA B8 619D83BD mov eax, BD839D61
00439EBF D8F5 fdiv st, st(5)
00439EC1 FFFF ??? ; 未知命令
00439EC3 000F add [edi], cl
00439EC5 8C41 02 mov [ecx+2], es
00439EC8 0000 add [eax], al
00439ECA 8B8D D8F5FFFF mov ecx, [ebp-A28]
00439ED0 3B0D DC4A4600 cmp ecx, [464ADC]
00439ED6 0F8D 2F020000 jge 0043A10B
00439EDC 8B95 48F6FFFF mov edx, [ebp-9B8]
00439EE2 81E2 FF000000 and edx, 0FF
00439EE8 85D2 test edx, edx
00439EEA 0F84 AD000000 je 00439F9D
00439EF0 6A 00 push 0
00439EF2 8BB5 D8F5FFFF mov esi, [ebp-A28]
00439EF8 C1E6 04 shl esi, 4
00439EFB 8B85 D8F5FFFF mov eax, [ebp-A28]
00439F01 25 07000080 and eax, 80000007
00439F06 79 05 jns short 00439F0D
00439F08 48 dec eax
00439F09 83C8 F8 or eax, FFFFFFF8
00439F0C 40 inc eax
00439F0D 33C9 xor ecx, ecx
00439F0F 8A88 30424600 mov cl, [eax+464230]
00439F15 8B95 D8F5FFFF mov edx, [ebp-A28]
00439F1B 81E2 07000080 and edx, 80000007
00439F21 79 05 jns short 00439F28
00439F23 4A dec edx
00439F24 83CA F8 or edx, FFFFFFF8
00439F27 42 inc edx
00439F28 33C0 xor eax, eax
00439F2A 8A82 31424600 mov al, [edx+464231]
00439F30 8B3C8D 58124600 mov edi, [ecx*4+461258]
00439F37 333C85 58124600 xor edi, [eax*4+461258]
00439F3E 8B8D D8F5FFFF mov ecx, [ebp-A28]
00439F44 81E1 07000080 and ecx, 80000007
00439F4A 79 05 jns short 00439F51
00439F4C 49 dec ecx
00439F4D 83C9 F8 or ecx, FFFFFFF8
00439F50 41 inc ecx
00439F51 33D2 xor edx, edx
00439F53 8A91 32424600 mov dl, [ecx+464232]
00439F59 333C95 58124600 xor edi, [edx*4+461258]
00439F60 8B85 D8F5FFFF mov eax, [ebp-A28]
00439F66 99 cdq
00439F67 B9 1C000000 mov ecx, 1C
00439F6C F7F9 idiv ecx
00439F6E 8BCA mov ecx, edx
00439F70 D3EF shr edi, cl
00439F72 83E7 0F and edi, 0F
00439F75 03F7 add esi, edi
00439F77 8B15 CC4A4600 mov edx, [464ACC]
00439F7D 8D04B2 lea eax, [edx+esi*4]
00439F80 50 push eax
00439F81 8B8D D8F5FFFF mov ecx, [ebp-A28]
00439F87 51 push ecx
00439F88 E8 621D0000 call 0043BCEF
00439F8D 83C4 0C add esp, 0C
00439F90 25 FF000000 and eax, 0FF
00439F95 85C0 test eax, eax
00439F97 0F84 6E010000 je 0043A10B
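As an added example (not code from the original post), here is a Python re-implementation of the arithmetic visible from 00439EBD to 00439F7D, so the slot calculation that feeds the call to 0043BCEF can be followed without re-reading the listing. The contents of the byte table at 464230, the dword table at 461258, the count at 464ADC and the base pointer at 464ACC are not on the page, so the values below are constructed placeholders; the routine at 0043BCEF itself is not modelled.

```python
# Added example: Python re-implementation of the index computation shown in
# the disassembly at 00439EBD-00439F7D. The byte table at 464230, the dword
# table at 461258 and the count at 464ADC are NOT on the page; the values
# below are constructed placeholders used only for illustration.

MASK32 = 0xFFFFFFFF

# Constructed placeholder for the 10 bytes read at 464230+r .. 464232+r
BYTE_TABLE_464230 = [3, 1, 4, 1, 5, 9, 2, 6, 5, 3]

# Constructed placeholder for the dword table indexed via [ecx*4+461258]
DWORD_TABLE_461258 = [
    0x11111111, 0x22222222, 0x44444444, 0x88888888, 0x0F0F0F0F,
    0xF0F0F0F0, 0x12345678, 0x9ABCDEF0, 0xDEADBEEF, 0xCAFEBABE,
]

# Constructed placeholder for the upper bound compared at 00439ED0
COUNT_464ADC = 8


def to_signed32(v: int) -> int:
    """Reinterpret a 32-bit register value as a signed integer."""
    v &= MASK32
    return v - (1 << 32) if v & 0x80000000 else v


def signed_mod8(x: int) -> int:
    """The compiler idiom at 00439F01-00439F0C:
         and eax, 80000007 / jns / dec eax / or eax, FFFFFFF8 / inc eax
       It computes C-style signed x % 8 (the remainder keeps x's sign)."""
    r = (x & MASK32) & 0x80000007
    if r & 0x80000000:            # sign bit set: the jns is not taken
        r = (r - 1) & MASK32      # dec eax
        r |= 0xFFFFFFF8           # or eax, FFFFFFF8
        r = (r + 1) & MASK32      # inc eax
    return to_signed32(r)


def signed_mod28(x: int) -> int:
    """cdq / mov ecx, 1C / idiv ecx at 00439F66-00439F6C: the remainder is
       left in edx; idiv truncates, so the remainder keeps x's sign."""
    rem = abs(x) % 0x1C
    return -rem if x < 0 else rem


def compute_slot(idx, byte_table=BYTE_TABLE_464230,
                 dword_table=DWORD_TABLE_461258, count=COUNT_464ADC):
    """Mirrors 00439EBD-00439F75. Returns the value left in esi (the dword
       slot whose address is later passed to 0043BCEF), or None when the
       bounds checks at 00439EBD/00439ED0 would branch to 0043A10B."""
    # cmp [ebp-A28], 0 / jl   and   cmp ecx, [464ADC] / jge  (signed)
    if idx < 0 or idx >= count:
        return None
    esi = (idx << 4) & MASK32                 # shl esi, 4
    r = signed_mod8(idx)                      # same idiom appears three times
    b0 = byte_table[r]                        # mov cl, [eax+464230]
    b1 = byte_table[r + 1]                    # mov al, [edx+464231]
    b2 = byte_table[r + 2]                    # mov dl, [ecx+464232]
    # mov edi, [ecx*4+461258] followed by two xor edi, [reg*4+461258]
    edi = dword_table[b0] ^ dword_table[b1] ^ dword_table[b2]
    cl = signed_mod28(idx) & 0x1F             # shr only uses the low 5 bits of cl
    edi = (edi >> cl) & 0xF                   # shr edi, cl / and edi, 0F
    return (esi + edi) & MASK32               # add esi, edi


def slot_address(idx, base_464ACC, **kw):
    """lea eax, [edx+esi*4] at 00439F7D with edx = [464ACC]. The base is a
       caller-supplied placeholder, since the real pointer only exists at run time."""
    slot = compute_slot(idx, **kw)
    return None if slot is None else (base_464ACC + slot * 4) & MASK32


if __name__ == "__main__":
    # Constructed base pointer; walk a few indices including the out-of-range ones
    for i in range(-2, 10):
        print(i, compute_slot(i), slot_address(i, 0x00500000))
```

The three byte loads use the same `idx % 8` value with the table base shifted by one byte each time, so they are effectively three consecutive entries of a single byte table; each entry selects a dword that is XORed into edi, and `idx % 28` chooses which nibble of that XOR result is added to `idx << 4`. Because the earlier `jl`/`jge` checks reject negative and out-of-range indices, the signed-remainder idioms only ever see non-negative values here.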
At the magic jump:
00AB5331 8B0D 60D8AD00 mov ecx, [ADD860]
00AB5337 89040E mov [esi+ecx], eax
00AB533A A1 60D8AD00 mov eax, [ADD860]
00AB533F 393C06 cmp [esi+eax], edi
00AB5342 75 16 jnz short 00AB535A
00AB5344 8D85 B4FEFFFF lea eax, [ebp-14C]
00AB534A 50 push eax
00AB534B FF15 B850AD00 call [AD50B8] ; kernel32.LoadLibraryA
00AB5351 8B0D 60D8AD00 mov ecx, [ADD860]
00AB5357 89040E mov [esi+ecx], eax
00AB535A A1 60D8AD00 mov eax, [ADD860]
00AB535F 393C06 cmp [esi+eax], edi
00AB5362 0F84 AD000000 je 00AB5415 ; after changing this to jmp I still can't get the IAT, only an invalid pointer is found.
00AB5368 33C9 xor ecx, ecx
00AB536A 8B03 mov eax, [ebx]
00AB536C 3938 cmp [eax], edi
00AB536E 74 06 je short 00AB5376
00AB5370 41 inc ecx
00AB5371 83C0 0C add eax, 0C