One way of manually repairing the CCs (nanomites) of the Armadillo packer
Prerequisite: a dump file whose code and IAT have already been repaired.
Tools: a modified OD (OllyDbg), etc.
Test subject: Easy CD-DA Extractor
Download: http://www.hanzify.org/?Go=Show::List&ID=7377
The dump file provided by machenglin is used throughout.
Let's begin:
1. Set up the environment for repairing the CCs
We already know that the main program ezcddax.exe is packed with Armadillo and uses the CC protection. Load ezcddax.exe in OD, enter bp GetThreadContext in the Command window and run.
After the first break, press F9 to continue; the second break lands inside GetThreadContext:
7C838EEB > 8BFF MOV EDI, EDI
7C838EED 55 PUSH EBP
7C838EEE 8BEC MOV EBP, ESP
7C838EF0 FF75 0C PUSH DWORD PTR SS:[EBP+C]
7C838EF3 FF75 08 PUSH DWORD PTR SS:[EBP+8]
7C838EF6 FF15 F814807C CALL DWORD PTR DS:[<&ntdll.NtGetConte>; ntdll.ZwGetContextThread
7C838EFC 85C0 TEST EAX, EAX
7C838EFE 0F8C 57B60000 JL kernel32.7C84455B
7C838F04 33C0 XOR EAX, EAX
7C838F06 40 INC EAX
7C838F07 5D POP EBP
7C838F08 C2 0800 RETN 8
Alt+F9 (execute till user code) returns to:
00805E47 . 50 PUSH EAX
00805E48 . F7D0 NOT EAX
00805E4A . 0FC8 BSWAP EAX
00805E4C . 58 POP EAX
00805E4D . 73 00 JNB SHORT ezcddax.00805E4F
00805E4F > 9C PUSHFD
00805E50 . 60 PUSHAD
00805E51 . EB 2B JMP SHORT ezcddax.00805E7E
Remove the analysis in OD so that the packer's code is shown as-is, and analyse this code, which handles the CC.
See: http://bbs.pediy.com//showthread ... 0&threadid=6991
It is not analysed again here:
00805E26 83C4 0C ADD ESP, 0C
00805E29 C785 7CEBFFFF 0>MOV DWORD PTR SS:[EBP-1484], 10001
00805E33 8D85 7CEBFFFF LEA EAX, DWORD PTR SS:[EBP-1484]
00805E39 50 PUSH EAX
00805E3A 8B8D 50EEFFFF MOV ECX, DWORD PTR SS:[EBP-11B0]
00805E40 51 PUSH ECX
00805E41 FF15 E0808300 CALL DWORD PTR DS:[<&KERNEL32.GetThre>; kernel32.GetThreadContext
00805E47 50 PUSH EAX
00805E48 F7D0 NOT EAX
00805E4A 0FC8 BSWAP EAX
{handler code}
00806201 66:92 XCHG AX, DX
00806203 8BC0 MOV EAX, EAX
00806205 8D95 7CEBFFFF LEA EDX, DWORD PTR SS:[EBP-1484]
0080620B 52 PUSH EDX
0080620C 8B85 50EEFFFF MOV EAX, DWORD PTR SS:[EBP-11B0]
00806212 50 PUSH EAX
00806213 FF15 DC808300 CALL DWORD PTR DS:[<&KERNEL32.SetThre>; kernel32.SetThreadContext
00806219 60 PUSHAD
0080621A 33C0 XOR EAX, EAX
0080621C 75 02 JNZ SHORT ezcddax.00806220
0080621E EB 15 JMP SHORT ezcddax.00806235
00806220 EB 33 JMP SHORT ezcddax.00806255
2. Use this code to find the approximate range of the CCs
Analysis shows that in:
00805EC3 8B95 34ECFFFF MOV EDX, DWORD PTR SS:[EBP-13CC]
00805EC9 52 PUSH EDX
00805ECA 8B85 48EEFFFF MOV EAX, DWORD PTR SS:[EBP-11B8]
the instruction
00805EC3 8B95 34ECFFFF MOV EDX, DWORD PTR SS:[EBP-13CC]
moves the CONTEXT field holding the address of the byte after the CC (the EIP at the moment the INT3 fired) into EDX. At
00805E9F 52 PUSH EDX
set a [Conditional log breakpoint]:
Expression: [EDX]
Pause program: Never
Log value of expression: Always
Enable [Log to file], enter a file name to save it, and remove the GetThreadContext breakpoint.
Once that is set, run the program, ideally exercising all of its functions, then close OD; the log file is a table of CC addresses:
00805E9F COND: 00439891
7C838EEB Breakpoint at kernel32.GetThreadContext
00805E9F COND: 0043989E
00805E9F COND: 00439962
00805E9F COND: 00439989
00805E9F COND: 004399A3
00805E9F COND: 004399AD
00805E9F COND: 00439B5A
00805E9F COND: 00439B84
00805E9F COND: 00439B92
00805E9F COND: 00439C2D
00805E9F COND: 00439B9C
00805E9F COND: 00439BA4
00805E9F COND: 00439BE2
00805E9F COND: 00439C2D
00805E9F COND: 00439B9C
00805E9F COND: 00439BA4
00805E9F COND: 00439BE2
00805E9F COND: 00439C2D
00805E9F COND: 00439C52
00805E9F COND: 0046C5D4
00805E9F COND: 0046C604
00805E9F COND: 0046C786
00805E9F COND: 0046C82B
00805E9F COND: 004E3251
00805E9F COND: 004E3262
00805E9F COND: 004E3280
00805E9F COND: 004E32B1
00805E9F COND: 004E33D1
00805E9F COND: 004E34F1
00805E9F COND: 004E35A7
00805E9F COND: 0046DB82
00805E9F COND: 0046DBC7
00805E9F COND: 0046DC19
00400000 Unload C:\Program Files\Easy CD-DA Extractor 9\ezcddax.exe
Operation completed
Since this is only a demonstration of the method, the table may well be incomplete.
The log above gives the approximate range of the CCs. Open the dump file in OD, go to the Memory window and save the binary of the .text section to a file, code.txt, for later use.
3. Find the CC addresses
Reload the main program in OD, bp GetThreadContext, run; on the second break we are again at:
00805E26 83C4 0C ADD ESP, 0C
00805E29 C785 7CEBFFFF 0>MOV DWORD PTR SS:[EBP-1484], 10001
00805E33 8D85 7CEBFFFF LEA EAX, DWORD PTR SS:[EBP-1484]
00805E39 50 PUSH EAX
00805E3A 8B8D 50EEFFFF MOV ECX, DWORD PTR SS:[EBP-11B0]
00805E40 51 PUSH ECX
00805E41 FF15 E0808300 CALL DWORD PTR DS:[<&KERNEL32.GetThre>; kernel32.GetThreadContext
00805E47 50 PUSH EAX // we stop here
In OD's Memory window, select the .text section and double-click it to open it (in this process it is all zeros):
00401000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00401010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Open the saved code.txt and binary-paste its contents over the .text section's memory, so that the scanning stub below has the unpacked code to look at. Then find a stretch of the packer's section that is not in use for the moment to hold the CC addresses we will collect, e.g.:
00828000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Note the current register values (they must be restored afterwards):
EAX 00000001
ECX 0012DC78
EDX 7C92EB94 ntdll.KiFastSystemCallRet
EBX 7FFDE000
ESP 0012DC98
EBP 0012F79C
ESI 00000017
EDI 0012E2EC
EIP 00805E47 ezcddax.00805E47
C 0 ES 0023 32bit 0(FFFFFFFF)
P 0 CS 001B 32bit 0(FFFFFFFF)
A 0 SS 0023 32bit 0(FFFFFFFF)
Z 0 DS 0023 32bit 0(FFFFFFFF)
S 0 FS 003B 32bit 7FFDD000(FFF)
T 0 GS 0000 NULL
D 0
O 0 LastErr ERROR_SEM_TIMEOUT (00000079)
EFL 00000202 (NO,NB,NE,A,NS,PO,GE,G)
ST0 empty -UNORM D1D8 01050104 00000000
ST1 empty 0.0
ST2 empty 0.0
ST3 empty 0.0
ST4 empty 0.0
ST5 empty 0.0
ST6 empty 0.0
ST7 empty 0.0
3 2 1 0 E S P U O Z D I
FST 0000 Cond 0 0 0 0 Err 0 0 0 0 0 0 0 0 (GT)
FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1
Write a small piece of code to find the CC addresses. The range scanned here, 00439800 to 00470000, was chosen from the 0043xxxx and 0046xxxx hits in the log above; the log also shows hits at 004E3251 to 004E35A7, which this range leaves out, so for a real repair extend the end address to cover every logged hit:
007D8000 9C PUSHFD
007D8001 60 PUSHAD
007D8002 B8 00984300 MOV EAX, ezcddax.00439800
007D8007 BB 00808200 MOV EBX, ezcddax.00828000
007D800C 8038 CC CMP BYTE PTR DS:[EAX], 0CC
007D800F 74 0C JE SHORT ezcddax.007D801D
007D8011 83C0 01 ADD EAX, 1
007D8014 3D 00004700 CMP EAX, ezcddax.00470000
007D8019 74 11 JE SHORT ezcddax.007D802C
007D801B ^ EB EF JMP SHORT ezcddax.007D800C
007D801D 8D40 01 LEA EAX, DWORD PTR DS:[EAX+1]
007D8020 8903 MOV DWORD PTR DS:[EBX], EAX
007D8022 83C0 01 ADD EAX, 1
007D8025 83C3 04 ADD EBX, 4
007D8028 ^ EB E5 JMP SHORT ezcddax.007D800F
007D802A 90 NOP
007D802B 90 NOP
007D802C 61 POPAD
007D802D 9D POPFD
007D802E 90 NOP
Binary:
9C 60 B8 00 98 43 00 BB 00 80 82 00 80 38 CC 74 0C 83 C0 01 3D 00 00 47 00 74 11 EB EF 8D 40 01
89 03 83 C0 01 83 C3 04 EB E5 90 90 61 9D 90
Set a new origin (EIP) at 007D8000, put a breakpoint on 007D802E and run; at address 00828000 a table of CC addresses appears:
00828000 91 98 43 00 9E 98 43 00 62 99 43 00 73 99 43 00
00828010 89 99 43 00 A3 99 43 00 A7 99 43 00 AD 99 43 00
00828020 5A 9B 43 00 84 9B 43 00 92 9B 43 00 9C 9B 43 00
00828030 A4 9B 43 00 E2 9B 43 00 F7 9B 43 00 FB 9B 43 00
00828040 2D 9C 43 00 52 9C 43 00 BC 9D 43 00 87 9F 43 00
00828050 F2 A0 43 00 14 A1 43 00 A6 A3 43 00 D2 A4 43 00
00828060 E3 A4 43 00 11 A5 43 00 D9 A5 43 00 CC A9 43 00
00828070 37 AA 43 00 74 AA 43 00 87 AA 43 00 8F AA 43 00
00828080 27 B4 43 00 45 B5 43 00 C5 B6 43 00 DA B6 43 00
00828090 5A B7 43 00 C3 B7 43 00 CC B7 43 00 60 B8 43 00
008280A0 81 B8 43 00 EC B8 43 00 29 B9 43 00 3C B9 43 00
008280B0 44 B9 43 00 B5 BD 43 00 8F C1 43 00 95 C1 43 00
008280C0 AF C1 43 00 3E C2 43 00 C6 CC 43 00 5F CD 43 00
008280D0 65 CD 43 00 77 CD 43 00 86 CD 43 00 F9 CF 43 00
008280E0 FC CF 43 00 03 D0 43 00 B6 D2 43 00 BC D2 43 00
008280F0 56 D4 43 00 91 D4 43 00 97 D4 43 00 AA D4 43 00
00828100 BD D4 43 00 D0 D4 43 00 E3 D4 43 00 F6 D4 43 00
00828110 09 D5 43 00 1C D5 43 00 2F D5 43 00 42 D5 43 00
00828120 55 D5 43 00 6D D5 43 00 A3 D6 43 00 05 DD 43 00
00828130 BD E1 43 00 2A E6 43 00 45 E6 43 00 71 E8 43 00
00828140 3C EE 43 00 6B EF 43 00 96 F8 43 00 19 F9 43 00
00828150 37 FA 43 00 6D FA 43 00 A3 FA 43 00 D9 FA 43 00
00828160 0F FB 43 00 53 FB 43 00 DD FB 43 00 2E FC 43 00
00828170 AE 00 44 00 46 01 44 00 72 01 44 00 86 01 44 00
00828180 14 02 44 00 D0 02 44 00 FD 02 44 00 4F 03 44 00
00828190 89 03 44 00 B5 03 44 00 98 08 44 00 C0 08 44 00
008281A0 2A 09 44 00 9F 09 44 00 BC 0D 44 00 BF 0D 44 00
008281B0 D9 0D 44 00 46 0E 44 00 3B 11 44 00 7D 12 44 00
008281C0 1F 13 44 00 63 13 44 00 B5 16 44 00 AD 19 44 00
008281D0 D4 19 44 00 E5 19 44 00 04 1A 44 00 5E 20 44 00
008281E0 72 20 44 00 8C 20 44 00 9A 20 44 00 F8 20 44 00
008281F0 FD 20 44 00 61 22 44 00 7D 22 44 00 95 22 44 00
00828200 AC 22 44 00 75 23 44 00 F9 23 44 00 FF 23 44 00
00828210 8F 28 44 00 A5 28 44 00 BB 28 44 00 D1 28 44 00
00828220 37 2A 44 00 3D 2A 44 00 54 2A 44 00 B5 2A 44 00
00828230 D7 2A 44 00 0A 2D 44 00 D4 2D 44 00 23 2E 44 00
00828240 0A 31 44 00 1C 31 44 00 BB 31 44 00 CB 31 44 00
00828250 DD 31 44 00 7C 32 44 00 E1 33 44 00 B5 34 44 00
00828260 EC 36 44 00 61 37 44 00 54 39 44 00 15 3B 44 00
00828270 14 3E 44 00 4D 3E 44 00 CD 3E 44 00 D6 3F 44 00
00828280 62 41 44 00 9F 43 44 00 F5 43 44 00 6E 44 44 00
00828290 EF 44 44 00 F2 44 44 00 57 45 44 00 5D 45 44 00
008282A0 73 45 44 00 87 45 44 00 AB 45 44 00 93 46 44 00
008282B0 AD 47 44 00 72 48 44 00 75 48 44 00 5B 4F 44 00
008282C0 5E 4F 44 00 9A 4F 44 00 3B 51 44 00 3E 51 44 00
008282D0 7A 51 44 00 3E 53 44 00 71 53 44 00 74 53 44 00
008282E0 00 54 44 00 2A 54 44 00 3E 54 44 00 76 54 44 00
008282F0 A9 54 44 00 AC 54 44 00 D1 54 44 00 3E 55 44 00
00828300 68 55 44 00 7C 55 44 00 15 59 44 00 AF 59 44 00
00828310 BA 59 44 00 47 5A 44 00 0C 67 44 00 0F 67 44 00
00828320 32 67 44 00 5E 67 44 00 39 6A 44 00 C9 6A 44 00
00828330 D9 6A 44 00 1E 6B 44 00 33 6C 44 00 5B 6C 44 00
00828340 69 6C 44 00 89 6D 44 00 8E 6D 44 00 AA 6D 44 00
00828350 29 71 44 00 4A 71 44 00 0A 7C 44 00 15 7C 44 00
00828360 23 7C 44 00 36 7F 44 00 5E 7F 44 00 61 7F 44 00
00828370 CE 7F 44 00 F3 7F 44 00 07 80 44 00 40 81 44 00
00828380 43 81 44 00 53 81 44 00 1B 82 44 00 39 82 44 00
00828390 33 83 44 00 47 83 44 00 D5 85 44 00 E5 85 44 00
008283A0 1E 8B 44 00 29 8B 44 00 6A 8B 44 00 E8 91 44 00
008283B0 77 95 44 00 85 95 44 00 97 95 44 00 B5 A1 44 00
008283C0 85 BA 44 00 D6 BA 44 00 12 BB 44 00 33 BB 44 00
008283D0 DF BD 44 00 0D C3 44 00 F2 C4 44 00 FB C4 44 00
008283E0 06 C5 44 00 17 C5 44 00 28 C5 44 00 39 C5 44 00
008283F0 4A C5 44 00 5B C5 44 00 64 C5 44 00 6C C5 44 00
00828400 7D C5 44 00 8E C5 44 00 9F C5 44 00 B0 C5 44 00
00828410 C1 C5 44 00 CD C5 44 00 D9 C5 44 00 E5 C5 44 00
00828420 F1 C5 44 00 FD C5 44 00 09 C6 44 00 3D C9 44 00
00828430 B5 CA 44 00 08 CD 44 00 0E CD 44 00 1F CD 44 00
00828440 3B CD 44 00 D8 D7 44 00 DF D7 44 00 D5 DF 44 00
00828450 50 E6 44 00 05 EB 44 00 65 EB 44 00 7E EC 44 00
00828460 78 EF 44 00 CD F5 44 00 68 F6 44 00 40 FC 44 00
00828470 43 FC 44 00 4E FC 44 00 5A FC 44 00 66 FC 44 00
00828480 DF 04 45 00 05 05 45 00 2D 05 45 00 42 05 45 00
00828490 8B 05 45 00 C2 05 45 00 80 0A 45 00 DF 0A 45 00
008284A0 FB 15 45 00 FE 15 45 00 07 16 45 00 7E 16 45 00
008284B0 91 16 45 00 C0 16 45 00 CA 16 45 00 F3 16 45 00
008284C0 40 17 45 00 6A 17 45 00 D8 17 45 00 E1 17 45 00
008284D0 EA 17 45 00 F4 17 45 00 FC 17 45 00 B3 18 45 00
008284E0 58 1A 45 00 AE 1A 45 00 64 1F 45 00 C3 1F 45 00
008284F0 BA 20 45 00 E1 22 45 00 AE 24 45 00 BB 24 45 00
00828500 C1 24 45 00 D7 24 45 00 DF 25 45 00 F5 25 45 00
00828510 55 26 45 00 69 26 45 00 72 26 45 00 76 26 45 00
00828520 81 26 45 00 8B 26 45 00 93 26 45 00 55 27 45 00
00828530 99 28 45 00 2F 29 45 00 97 2B 45 00 C7 2B 45 00
00828540 28 2C 45 00 84 30 45 00 DE 30 45 00 57 32 45 00
00828550 5B 33 45 00 D8 33 45 00 DD 33 45 00 2A 34 45 00
00828560 5C 37 45 00 BA 37 45 00 94 42 45 00 B0 42 45 00
00828570 D0 42 45 00 00 43 45 00 93 45 45 00 EC 45 45 00
00828580 FA 45 45 00 24 54 45 00 32 54 45 00 90 54 45 00
00828590 FB 56 45 00 0D 57 45 00 27 5D 45 00 ED 62 45 00
008285A0 51 70 45 00 C9 71 45 00 0D 77 45 00 22 78 45 00
008285B0 33 78 45 00 9A 78 45 00 FD 7C 45 00 19 82 45 00
008285C0 1F 82 45 00 AA 84 45 00 3A 85 45 00 C3 87 45 00
008285D0 4C 8D 45 00 68 8D 45 00 1D 92 45 00 71 93 45 00
008285E0 8C 93 45 00 B9 93 45 00 CA 93 45 00 05 94 45 00
008285F0 0D 94 45 00 13 94 45 00 1A 94 45 00 22 94 45 00
00828600 58 94 45 00 C4 94 45 00 53 95 45 00 76 95 45 00
00828610 96 95 45 00 B9 95 45 00 D9 95 45 00 DF 95 45 00
00828620 FB 95 45 00 14 96 45 00 31 96 45 00 4A 96 45 00
00828630 67 96 45 00 7C 96 45 00 8F 96 45 00 95 96 45 00
00828640 B1 96 45 00 C6 96 45 00 D9 96 45 00 DF 96 45 00
00828650 FB 96 45 00 10 97 45 00 23 97 45 00 FD 97 45 00
00828660 19 98 45 00 65 98 45 00 75 98 45 00 87 98 45 00
00828670 95 98 45 00 A3 98 45 00 B1 98 45 00 BF 98 45 00
00828680 CD 98 45 00 DB 98 45 00 E9 98 45 00 F7 98 45 00
00828690 31 9A 45 00 3D 9A 45 00 4C 9A 45 00 56 9A 45 00
008286A0 67 9A 45 00 73 9A 45 00 84 9A 45 00 90 9A 45 00
008286B0 A1 9A 45 00 AD 9A 45 00 BE 9A 45 00 CA 9A 45 00
008286C0 DB 9A 45 00 E7 9A 45 00 F5 9A 45 00 01 9B 45 00
008286D0 0F 9B 45 00 1B 9B 45 00 29 9B 45 00 35 9B 45 00
008286E0 43 9B 45 00 14 9D 45 00 84 9D 45 00 A5 9E 45 00
008286F0 B2 9E 45 00 F4 9E 45 00 FE 9E 45 00 94 9F 45 00
00828700 09 A0 45 00 B5 A0 45 00 D3 A0 45 00 EE A0 45 00
00828710 30 A2 45 00 3D A2 45 00 17 A3 45 00 1D A3 45 00
00828720 6A A3 45 00 72 A3 45 00 8D A3 45 00 95 A3 45 00
00828730 9F A3 45 00 A5 A3 45 00 A9 A3 45 00 AD A3 45 00
00828740 52 A4 45 00 AB A4 45 00 45 A5 45 00 48 A5 45 00
00828750 50 A5 45 00 65 A5 45 00 E3 A7 45 00 6D A9 45 00
00828760 7E A9 45 00 9E A9 45 00 C8 A9 45 00 23 AA 45 00
00828770 43 AA 45 00 65 AB 45 00 D2 AB 45 00 E5 AB 45 00
00828780 83 AC 45 00 E1 AC 45 00 5E AD 45 00 8F AD 45 00
00828790 AC AD 45 00 B6 AD 45 00 CA AD 45 00 D6 AD 45 00
008287A0 E2 AD 45 00 EE AD 45 00 02 AE 45 00 16 AE 45 00
008287B0 69 AF 45 00 75 AF 45 00 81 AF 45 00 57 B2 45 00
008287C0 98 B4 45 00 77 B6 45 00 DA B7 45 00 DB BC 45 00
008287D0 ED BC 45 00 00 BF 45 00 03 BF 45 00 0F BF 45 00
008287E0 A1 BF 45 00 FD BF 45 00 C3 C0 45 00 DC C0 45 00
008287F0 EE C0 45 00 13 C1 45 00 25 C1 45 00 4A C1 45 00
00828800 5C C1 45 00 81 C1 45 00 93 C1 45 00 A5 C1 45 00
00828810 B8 C2 45 00 D1 C2 45 00 F3 C2 45 00 28 C3 45 00
00828820 4A C3 45 00 7F C3 45 00 A1 C3 45 00 D6 C3 45 00
00828830 F8 C3 45 00 1A C4 45 00 D8 C6 45 00 F6 C6 45 00
00828840 8D C7 45 00 D7 C7 45 00 18 C8 45 00 26 C8 45 00
00828850 70 C8 45 00 9E C8 45 00 A1 C8 45 00 A4 C8 45 00
00828860 B1 C8 45 00 B7 C8 45 00 A5 C9 45 00 B5 C9 45 00
00828870 0C CB 45 00 3D CB 45 00 75 CB 45 00 0B CD 45 00
00828880 31 CD 45 00 39 D8 45 00 0A DD 45 00 0D DD 45 00
00828890 C5 DD 45 00 5E DE 45 00 A3 DE 45 00 F1 DE 45 00
008288A0 F5 DE 45 00 06 E1 45 00 2C E1 45 00 0E E9 45 00
008288B0 7F F5 45 00 C6 F5 45 00 87 F6 45 00 A2 F6 45 00
008288C0 00 FB 45 00 9E FB 45 00 A1 FB 45 00 CC FB 45 00
008288D0 4F FC 45 00 C3 FC 45 00 12 FD 45 00 D5 FF 45 00
008288E0 3E 00 46 00 FA 01 46 00 15 02 46 00 31 02 46 00
008288F0 4D 02 46 00 14 04 46 00 52 04 46 00 FE 04 46 00
00828900 20 0F 46 00 ED 12 46 00 8E 14 46 00 2D 18 46 00
00828910 61 1C 46 00 3E 23 46 00 7F 23 46 00 09 24 46 00
00828920 13 24 46 00 1D 24 46 00 4F 24 46 00 59 24 46 00
00828930 7D 24 46 00 8D 24 46 00 99 24 46 00 A3 24 46 00
00828940 AD 24 46 00 DF 24 46 00 E9 24 46 00 10 25 46 00
00828950 20 25 46 00 2C 25 46 00 36 25 46 00 40 25 46 00
00828960 72 25 46 00 7C 25 46 00 A3 25 46 00 B3 25 46 00
00828970 BF 25 46 00 C9 25 46 00 D3 25 46 00 05 26 46 00
00828980 0F 26 46 00 36 26 46 00 46 26 46 00 52 26 46 00
00828990 5C 26 46 00 66 26 46 00 98 26 46 00 A2 26 46 00
008289A0 C9 26 46 00 D9 26 46 00 EB 26 46 00 F5 26 46 00
008289B0 03 27 46 00 38 27 46 00 42 27 46 00 6F 27 46 00
008289C0 7F 27 46 00 91 27 46 00 9B 27 46 00 A9 27 46 00
008289D0 DE 27 46 00 E8 27 46 00 15 28 46 00 25 28 46 00
008289E0 37 28 46 00 41 28 46 00 4F 28 46 00 84 28 46 00
008289F0 8E 28 46 00 BB 28 46 00 CB 28 46 00 DD 28 46 00
00828A00 E7 28 46 00 F5 28 46 00 2A 29 46 00 34 29 46 00
00828A10 61 29 46 00 71 29 46 00 83 29 46 00 8D 29 46 00
00828A20 9B 29 46 00 D0 29 46 00 DA 29 46 00 07 2A 46 00
00828A30 17 2A 46 00 29 2A 46 00 33 2A 46 00 41 2A 46 00
00828A40 76 2A 46 00 80 2A 46 00 AD 2A 46 00 BD 2A 46 00
00828A50 CF 2A 46 00 D9 2A 46 00 E7 2A 46 00 1C 2B 46 00
00828A60 26 2B 46 00 53 2B 46 00 63 2B 46 00 75 2B 46 00
00828A70 7F 2B 46 00 8D 2B 46 00 C2 2B 46 00 CC 2B 46 00
00828A80 F9 2B 46 00 09 2C 46 00 F2 2C 46 00 F8 2C 46 00
00828A90 11 2D 46 00 9A 33 46 00 AD 33 46 00 39 41 46 00
00828AA0 6B 41 46 00 8C 41 46 00 B0 41 46 00 FD 41 46 00
00828AB0 87 42 46 00 A2 42 46 00 98 43 46 00 BA 43 46 00
00828AC0 E9 43 46 00 48 44 46 00 E5 44 46 00 07 46 46 00
00828AD0 2D 46 46 00 50 46 46 00 74 46 46 00 0A 47 46 00
00828AE0 15 47 46 00 1B 47 46 00 3A 47 46 00 3D 47 46 00
00828AF0 68 47 46 00 FD 51 46 00 F1 67 46 00 D2 76 46 00
00828B00 9D 78 46 00 D8 79 46 00 EA 7B 46 00 4F 7D 46 00
00828B10 52 7D 46 00 5D 7D 46 00 66 7D 46 00 8F 7D 46 00
00828B20 A3 7D 46 00 B4 7D 46 00 65 7E 46 00 A5 7E 46 00
00828B30 B5 7E 46 00 FE 7E 46 00 0D 80 46 00 0D 81 46 00
00828B40 7D 81 46 00 51 82 46 00 1D 83 46 00 4B 83 46 00
00828B50 74 84 46 00 9A 84 46 00 86 85 46 00 C1 85 46 00
00828B60 54 86 46 00 82 86 46 00 D2 87 46 00 F5 87 46 00
00828B70 DD 88 46 00 A1 89 46 00 D1 89 46 00 D6 89 46 00
00828B80 9A 8A 46 00 BE 8A 46 00 E2 8B 46 00 BE 8C 46 00
00828B90 EE 8C 46 00 E2 8D 46 00 CF 91 46 00 E4 91 46 00
00828BA0 14 92 46 00 1E 92 46 00 27 92 46 00 38 92 46 00
00828BB0 41 92 46 00 26 93 46 00 29 93 46 00 F6 93 46 00
00828BC0 F9 93 46 00 C4 97 46 00 44 98 46 00 5F 98 46 00
00828BD0 68 98 46 00 8E 98 46 00 EA 98 46 00 00 99 46 00
00828BE0 19 9C 46 00 27 9C 46 00 3F 9C 46 00 6B 9D 46 00
00828BF0 77 9D 46 00 99 9D 46 00 A5 9D 46 00 04 9E 46 00
00828C00 0E 9E 46 00 14 9E 46 00 C8 9E 46 00 10 9F 46 00
00828C10 3C 9F 46 00 5D 9F 46 00 0A A4 46 00 A4 A4 46 00
00828C20 03 A5 46 00 E7 AB 46 00 03 AC 46 00 CC AC 46 00
00828C30 94 AD 46 00 AF AD 46 00 78 AE 46 00 03 B0 46 00
00828C40 D3 B0 46 00 12 B1 46 00 18 B1 46 00 29 B1 46 00
00828C50 77 B1 46 00 3A B3 46 00 2A B8 46 00 4A B8 46 00
00828C60 90 B8 46 00 9E B8 46 00 0B B9 46 00 3A B9 46 00
00828C70 44 B9 46 00 6D B9 46 00 8F B9 46 00 3C BA 46 00
00828C80 4A BA 46 00 A4 BA 46 00 12 BC 46 00 15 BC 46 00
00828C90 18 BC 46 00 AE BC 46 00 B1 BC 46 00 B4 BC 46 00
00828CA0 07 BD 46 00 29 BD 46 00 C6 BD 46 00 97 C3 46 00
00828CB0 B5 C3 46 00 C6 C5 46 00 D4 C5 46 00 04 C6 46 00
00828CC0 11 C6 46 00 23 C6 46 00 A5 C6 46 00 86 C7 46 00
00828CD0 C8 C7 46 00 2B C8 46 00 32 CB 46 00 80 CC 46 00
00828CE0 DE CC 46 00 85 D7 46 00 8B D7 46 00 B2 D7 46 00
00828CF0 CE D7 46 00 9A D9 46 00 2E DB 46 00 82 DB 46 00
00828D00 C7 DB 46 00 15 DC 46 00 19 DC 46 00 2D DC 46 00
00828D10 7D DC 46 00 B1 DC 46 00 08 DF 46 00 40 E0 46 00
00828D20 90 E1 46 00 EC E2 46 00 24 E4 46 00 74 E5 46 00
00828D30 86 E7 46 00 89 E7 46 00 D2 E7 46 00 AD E8 46 00
00828D40 D0 E8 46 00 D8 E8 46 00 EE E8 46 00 03 E9 46 00
00828D50 20 E9 46 00 1D EA 46 00 40 EA 46 00 48 EA 46 00
00828D60 5E EA 46 00 73 EA 46 00 90 EA 46 00 DC EA 46 00
00828D70 FA EA 46 00 91 EB 46 00 DB EB 46 00 1C EC 46 00
00828D80 2A EC 46 00 74 EC 46 00 A2 EC 46 00 A5 EC 46 00
00828D90 A8 EC 46 00 B8 EC 46 00 D6 EC 46 00 6D ED 46 00
00828DA0 B7 ED 46 00 F8 ED 46 00 06 EE 46 00 50 EE 46 00
00828DB0 7E EE 46 00 81 EE 46 00 84 EE 46 00 DC EE 46 00
00828DC0 EA EE 46 00 1D EF 46 00 4D EF 46 00 7F F1 46 00
00828DD0 89 F1 46 00 B7 F1 46 00 D8 F1 46 00 CC F2 46 00
00828DE0 DD F2 46 00 15 F3 46 00 45 F6 46 00 48 F6 46 00
00828DF0 6B F6 46 00 AC F6 46 00 84 F7 46 00 A5 F7 46 00
00828E00 B3 F7 46 00 0B F8 46 00 3F F8 46 00 7A F8 46 00
00828E10 C4 FD 46 00 A1 FF 46 00 00 00 00 00 00 00 00 00
The same table as raw bytes (little-endian DWORDs, 32 bytes per line), for pasting into the dump:
91 98 43 00 9E 98 43 00 62 99 43 00 73 99 43 00 89 99 43 00 A3 99 43 00 A7 99 43 00 AD 99 43 00
5A 9B 43 00 84 9B 43 00 92 9B 43 00 9C 9B 43 00 A4 9B 43 00 E2 9B 43 00 F7 9B 43 00 FB 9B 43 00
2D 9C 43 00 52 9C 43 00 BC 9D 43 00 87 9F 43 00 F2 A0 43 00 14 A1 43 00 A6 A3 43 00 D2 A4 43 00
E3 A4 43 00 11 A5 43 00 D9 A5 43 00 CC A9 43 00 37 AA 43 00 74 AA 43 00 87 AA 43 00 8F AA 43 00
27 B4 43 00 45 B5 43 00 C5 B6 43 00 DA B6 43 00 5A B7 43 00 C3 B7 43 00 CC B7 43 00 60 B8 43 00
81 B8 43 00 EC B8 43 00 29 B9 43 00 3C B9 43 00 44 B9 43 00 B5 BD 43 00 8F C1 43 00 95 C1 43 00
AF C1 43 00 3E C2 43 00 C6 CC 43 00 5F CD 43 00 65 CD 43 00 77 CD 43 00 86 CD 43 00 F9 CF 43 00
FC CF 43 00 03 D0 43 00 B6 D2 43 00 BC D2 43 00 56 D4 43 00 91 D4 43 00 97 D4 43 00 AA D4 43 00
BD D4 43 00 D0 D4 43 00 E3 D4 43 00 F6 D4 43 00 09 D5 43 00 1C D5 43 00 2F D5 43 00 42 D5 43 00
55 D5 43 00 6D D5 43 00 A3 D6 43 00 05 DD 43 00 BD E1 43 00 2A E6 43 00 45 E6 43 00 71 E8 43 00
3C EE 43 00 6B EF 43 00 96 F8 43 00 19 F9 43 00 37 FA 43 00 6D FA 43 00 A3 FA 43 00 D9 FA 43 00
0F FB 43 00 53 FB 43 00 DD FB 43 00 2E FC 43 00 AE 00 44 00 46 01 44 00 72 01 44 00 86 01 44 00
14 02 44 00 D0 02 44 00 FD 02 44 00 4F 03 44 00 89 03 44 00 B5 03 44 00 98 08 44 00 C0 08 44 00
2A 09 44 00 9F 09 44 00 BC 0D 44 00 BF 0D 44 00 D9 0D 44 00 46 0E 44 00 3B 11 44 00 7D 12 44 00
1F 13 44 00 63 13 44 00 B5 16 44 00 AD 19 44 00 D4 19 44 00 E5 19 44 00 04 1A 44 00 5E 20 44 00
72 20 44 00 8C 20 44 00 9A 20 44 00 F8 20 44 00 FD 20 44 00 61 22 44 00 7D 22 44 00 95 22 44 00
AC 22 44 00 75 23 44 00 F9 23 44 00 FF 23 44 00 8F 28 44 00 A5 28 44 00 BB 28 44 00 D1 28 44 00
37 2A 44 00 3D 2A 44 00 54 2A 44 00 B5 2A 44 00 D7 2A 44 00 0A 2D 44 00 D4 2D 44 00 23 2E 44 00
0A 31 44 00 1C 31 44 00 BB 31 44 00 CB 31 44 00 DD 31 44 00 7C 32 44 00 E1 33 44 00 B5 34 44 00
EC 36 44 00 61 37 44 00 54 39 44 00 15 3B 44 00 14 3E 44 00 4D 3E 44 00 CD 3E 44 00 D6 3F 44 00
62 41 44 00 9F 43 44 00 F5 43 44 00 6E 44 44 00 EF 44 44 00 F2 44 44 00 57 45 44 00 5D 45 44 00
73 45 44 00 87 45 44 00 AB 45 44 00 93 46 44 00 AD 47 44 00 72 48 44 00 75 48 44 00 5B 4F 44 00
5E 4F 44 00 9A 4F 44 00 3B 51 44 00 3E 51 44 00 7A 51 44 00 3E 53 44 00 71 53 44 00 74 53 44 00
00 54 44 00 2A 54 44 00 3E 54 44 00 76 54 44 00 A9 54 44 00 AC 54 44 00 D1 54 44 00 3E 55 44 00
68 55 44 00 7C 55 44 00 15 59 44 00 AF 59 44 00 BA 59 44 00 47 5A 44 00 0C 67 44 00 0F 67 44 00
32 67 44 00 5E 67 44 00 39 6A 44 00 C9 6A 44 00 D9 6A 44 00 1E 6B 44 00 33 6C 44 00 5B 6C 44 00
69 6C 44 00 89 6D 44 00 8E 6D 44 00 AA 6D 44 00 29 71 44 00 4A 71 44 00 0A 7C 44 00 15 7C 44 00
23 7C 44 00 36 7F 44 00 5E 7F 44 00 61 7F 44 00 CE 7F 44 00 F3 7F 44 00 07 80 44 00 40 81 44 00
43 81 44 00 53 81 44 00 1B 82 44 00 39 82 44 00 33 83 44 00 47 83 44 00 D5 85 44 00 E5 85 44 00
1E 8B 44 00 29 8B 44 00 6A 8B 44 00 E8 91 44 00 77 95 44 00 85 95 44 00 97 95 44 00 B5 A1 44 00
85 BA 44 00 D6 BA 44 00 12 BB 44 00 33 BB 44 00 DF BD 44 00 0D C3 44 00 F2 C4 44 00 FB C4 44 00
06 C5 44 00 17 C5 44 00 28 C5 44 00 39 C5 44 00 4A C5 44 00 5B C5 44 00 64 C5 44 00 6C C5 44 00
7D C5 44 00 8E C5 44 00 9F C5 44 00 B0 C5 44 00 C1 C5 44 00 CD C5 44 00 D9 C5 44 00 E5 C5 44 00
F1 C5 44 00 FD C5 44 00 09 C6 44 00 3D C9 44 00 B5 CA 44 00 08 CD 44 00 0E CD 44 00 1F CD 44 00
3B CD 44 00 D8 D7 44 00 DF D7 44 00 D5 DF 44 00 50 E6 44 00 05 EB 44 00 65 EB 44 00 7E EC 44 00
78 EF 44 00 CD F5 44 00 68 F6 44 00 40 FC 44 00 43 FC 44 00 4E FC 44 00 5A FC 44 00 66 FC 44 00
DF 04 45 00 05 05 45 00 2D 05 45 00 42 05 45 00 8B 05 45 00 C2 05 45 00 80 0A 45 00 DF 0A 45 00
FB 15 45 00 FE 15 45 00 07 16 45 00 7E 16 45 00 91 16 45 00 C0 16 45 00 CA 16 45 00 F3 16 45 00
40 17 45 00 6A 17 45 00 D8 17 45 00 E1 17 45 00 EA 17 45 00 F4 17 45 00 FC 17 45 00 B3 18 45 00
58 1A 45 00 AE 1A 45 00 64 1F 45 00 C3 1F 45 00 BA 20 45 00 E1 22 45 00 AE 24 45 00 BB 24 45 00
C1 24 45 00 D7 24 45 00 DF 25 45 00 F5 25 45 00 55 26 45 00 69 26 45 00 72 26 45 00 76 26 45 00
81 26 45 00 8B 26 45 00 93 26 45 00 55 27 45 00 99 28 45 00 2F 29 45 00 97 2B 45 00 C7 2B 45 00
28 2C 45 00 84 30 45 00 DE 30 45 00 57 32 45 00 5B 33 45 00 D8 33 45 00 DD 33 45 00 2A 34 45 00
5C 37 45 00 BA 37 45 00 94 42 45 00 B0 42 45 00 D0 42 45 00 00 43 45 00 93 45 45 00 EC 45 45 00
FA 45 45 00 24 54 45 00 32 54 45 00 90 54 45 00 FB 56 45 00 0D 57 45 00 27 5D 45 00 ED 62 45 00
51 70 45 00 C9 71 45 00 0D 77 45 00 22 78 45 00 33 78 45 00 9A 78 45 00 FD 7C 45 00 19 82 45 00
1F 82 45 00 AA 84 45 00 3A 85 45 00 C3 87 45 00 4C 8D 45 00 68 8D 45 00 1D 92 45 00 71 93 45 00
8C 93 45 00 B9 93 45 00 CA 93 45 00 05 94 45 00 0D 94 45 00 13 94 45 00 1A 94 45 00 22 94 45 00
58 94 45 00 C4 94 45 00 53 95 45 00 76 95 45 00 96 95 45 00 B9 95 45 00 D9 95 45 00 DF 95 45 00
FB 95 45 00 14 96 45 00 31 96 45 00 4A 96 45 00 67 96 45 00 7C 96 45 00 8F 96 45 00 95 96 45 00
B1 96 45 00 C6 96 45 00 D9 96 45 00 DF 96 45 00 FB 96 45 00 10 97 45 00 23 97 45 00 FD 97 45 00
19 98 45 00 65 98 45 00 75 98 45 00 87 98 45 00 95 98 45 00 A3 98 45 00 B1 98 45 00 BF 98 45 00
CD 98 45 00 DB 98 45 00 E9 98 45 00 F7 98 45 00 31 9A 45 00 3D 9A 45 00 4C 9A 45 00 56 9A 45 00
67 9A 45 00 73 9A 45 00 84 9A 45 00 90 9A 45 00 A1 9A 45 00 AD 9A 45 00 BE 9A 45 00 CA 9A 45 00
DB 9A 45 00 E7 9A 45 00 F5 9A 45 00 01 9B 45 00 0F 9B 45 00 1B 9B 45 00 29 9B 45 00 35 9B 45 00
43 9B 45 00 14 9D 45 00 84 9D 45 00 A5 9E 45 00 B2 9E 45 00 F4 9E 45 00 FE 9E 45 00 94 9F 45 00
09 A0 45 00 B5 A0 45 00 D3 A0 45 00 EE A0 45 00 30 A2 45 00 3D A2 45 00 17 A3 45 00 1D A3 45 00
6A A3 45 00 72 A3 45 00 8D A3 45 00 95 A3 45 00 9F A3 45 00 A5 A3 45 00 A9 A3 45 00 AD A3 45 00
52 A4 45 00 AB A4 45 00 45 A5 45 00 48 A5 45 00 50 A5 45 00 65 A5 45 00 E3 A7 45 00 6D A9 45 00
7E A9 45 00 9E A9 45 00 C8 A9 45 00 23 AA 45 00 43 AA 45 00 65 AB 45 00 D2 AB 45 00 E5 AB 45 00
83 AC 45 00 E1 AC 45 00 5E AD 45 00 8F AD 45 00 AC AD 45 00 B6 AD 45 00 CA AD 45 00 D6 AD 45 00
E2 AD 45 00 EE AD 45 00 02 AE 45 00 16 AE 45 00 69 AF 45 00 75 AF 45 00 81 AF 45 00 57 B2 45 00
98 B4 45 00 77 B6 45 00 DA B7 45 00 DB BC 45 00 ED BC 45 00 00 BF 45 00 03 BF 45 00 0F BF 45 00
A1 BF 45 00 FD BF 45 00 C3 C0 45 00 DC C0 45 00 EE C0 45 00 13 C1 45 00 25 C1 45 00 4A C1 45 00
5C C1 45 00 81 C1 45 00 93 C1 45 00 A5 C1 45 00 B8 C2 45 00 D1 C2 45 00 F3 C2 45 00 28 C3 45 00
4A C3 45 00 7F C3 45 00 A1 C3 45 00 D6 C3 45 00 F8 C3 45 00 1A C4 45 00 D8 C6 45 00 F6 C6 45 00
8D C7 45 00 D7 C7 45 00 18 C8 45 00 26 C8 45 00 70 C8 45 00 9E C8 45 00 A1 C8 45 00 A4 C8 45 00
B1 C8 45 00 B7 C8 45 00 A5 C9 45 00 B5 C9 45 00 0C CB 45 00 3D CB 45 00 75 CB 45 00 0B CD 45 00
31 CD 45 00 39 D8 45 00 0A DD 45 00 0D DD 45 00 C5 DD 45 00 5E DE 45 00 A3 DE 45 00 F1 DE 45 00
F5 DE 45 00 06 E1 45 00 2C E1 45 00 0E E9 45 00 7F F5 45 00 C6 F5 45 00 87 F6 45 00 A2 F6 45 00
00 FB 45 00 9E FB 45 00 A1 FB 45 00 CC FB 45 00 4F FC 45 00 C3 FC 45 00 12 FD 45 00 D5 FF 45 00
3E 00 46 00 FA 01 46 00 15 02 46 00 31 02 46 00 4D 02 46 00 14 04 46 00 52 04 46 00 FE 04 46 00
20 0F 46 00 ED 12 46 00 8E 14 46 00 2D 18 46 00 61 1C 46 00 3E 23 46 00 7F 23 46 00 09 24 46 00
13 24 46 00 1D 24 46 00 4F 24 46 00 59 24 46 00 7D 24 46 00 8D 24 46 00 99 24 46 00 A3 24 46 00
AD 24 46 00 DF 24 46 00 E9 24 46 00 10 25 46 00 20 25 46 00 2C 25 46 00 36 25 46 00 40 25 46 00
72 25 46 00 7C 25 46 00 A3 25 46 00 B3 25 46 00 BF 25 46 00 C9 25 46 00 D3 25 46 00 05 26 46 00
0F 26 46 00 36 26 46 00 46 26 46 00 52 26 46 00 5C 26 46 00 66 26 46 00 98 26 46 00 A2 26 46 00
C9 26 46 00 D9 26 46 00 EB 26 46 00 F5 26 46 00 03 27 46 00 38 27 46 00 42 27 46 00 6F 27 46 00
7F 27 46 00 91 27 46 00 9B 27 46 00 A9 27 46 00 DE 27 46 00 E8 27 46 00 15 28 46 00 25 28 46 00
37 28 46 00 41 28 46 00 4F 28 46 00 84 28 46 00 8E 28 46 00 BB 28 46 00 CB 28 46 00 DD 28 46 00
E7 28 46 00 F5 28 46 00 2A 29 46 00 34 29 46 00 61 29 46 00 71 29 46 00 83 29 46 00 8D 29 46 00
9B 29 46 00 D0 29 46 00 DA 29 46 00 07 2A 46 00 17 2A 46 00 29 2A 46 00 33 2A 46 00 41 2A 46 00
76 2A 46 00 80 2A 46 00 AD 2A 46 00 BD 2A 46 00 CF 2A 46 00 D9 2A 46 00 E7 2A 46 00 1C 2B 46 00
26 2B 46 00 53 2B 46 00 63 2B 46 00 75 2B 46 00 7F 2B 46 00 8D 2B 46 00 C2 2B 46 00 CC 2B 46 00
F9 2B 46 00 09 2C 46 00 F2 2C 46 00 F8 2C 46 00 11 2D 46 00 9A 33 46 00 AD 33 46 00 39 41 46 00
6B 41 46 00 8C 41 46 00 B0 41 46 00 FD 41 46 00 87 42 46 00 A2 42 46 00 98 43 46 00 BA 43 46 00
E9 43 46 00 48 44 46 00 E5 44 46 00 07 46 46 00 2D 46 46 00 50 46 46 00 74 46 46 00 0A 47 46 00
15 47 46 00 1B 47 46 00 3A 47 46 00 3D 47 46 00 68 47 46 00 FD 51 46 00 F1 67 46 00 D2 76 46 00
9D 78 46 00 D8 79 46 00 EA 7B 46 00 4F 7D 46 00 52 7D 46 00 5D 7D 46 00 66 7D 46 00 8F 7D 46 00
A3 7D 46 00 B4 7D 46 00 65 7E 46 00 A5 7E 46 00 B5 7E 46 00 FE 7E 46 00 0D 80 46 00 0D 81 46 00
7D 81 46 00 51 82 46 00 1D 83 46 00 4B 83 46 00 74 84 46 00 9A 84 46 00 86 85 46 00 C1 85 46 00
54 86 46 00 82 86 46 00 D2 87 46 00 F5 87 46 00 DD 88 46 00 A1 89 46 00 D1 89 46 00 D6 89 46 00
9A 8A 46 00 BE 8A 46 00 E2 8B 46 00 BE 8C 46 00 EE 8C 46 00 E2 8D 46 00 CF 91 46 00 E4 91 46 00
14 92 46 00 1E 92 46 00 27 92 46 00 38 92 46 00 41 92 46 00 26 93 46 00 29 93 46 00 F6 93 46 00
F9 93 46 00 C4 97 46 00 44 98 46 00 5F 98 46 00 68 98 46 00 8E 98 46 00 EA 98 46 00 00 99 46 00
19 9C 46 00 27 9C 46 00 3F 9C 46 00 6B 9D 46 00 77 9D 46 00 99 9D 46 00 A5 9D 46 00 04 9E 46 00
0E 9E 46 00 14 9E 46 00 C8 9E 46 00 10 9F 46 00 3C 9F 46 00 5D 9F 46 00 0A A4 46 00 A4 A4 46 00
03 A5 46 00 E7 AB 46 00 03 AC 46 00 CC AC 46 00 94 AD 46 00 AF AD 46 00 78 AE 46 00 03 B0 46 00
D3 B0 46 00 12 B1 46 00 18 B1 46 00 29 B1 46 00 77 B1 46 00 3A B3 46 00 2A B8 46 00 4A B8 46 00
90 B8 46 00 9E B8 46 00 0B B9 46 00 3A B9 46 00 44 B9 46 00 6D B9 46 00 8F B9 46 00 3C BA 46 00
4A BA 46 00 A4 BA 46 00 12 BC 46 00 15 BC 46 00 18 BC 46 00 AE BC 46 00 B1 BC 46 00 B4 BC 46 00
07 BD 46 00 29 BD 46 00 C6 BD 46 00 97 C3 46 00 B5 C3 46 00 C6 C5 46 00 D4 C5 46 00 04 C6 46 00
11 C6 46 00 23 C6 46 00 A5 C6 46 00 86 C7 46 00 C8 C7 46 00 2B C8 46 00 32 CB 46 00 80 CC 46 00
DE CC 46 00 85 D7 46 00 8B D7 46 00 B2 D7 46 00 CE D7 46 00 9A D9 46 00 2E DB 46 00 82 DB 46 00
C7 DB 46 00 15 DC 46 00 19 DC 46 00 2D DC 46 00 7D DC 46 00 B1 DC 46 00 08 DF 46 00 40 E0 46 00
90 E1 46 00 EC E2 46 00 24 E4 46 00 74 E5 46 00 86 E7 46 00 89 E7 46 00 D2 E7 46 00 AD E8 46 00
D0 E8 46 00 D8 E8 46 00 EE E8 46 00 03 E9 46 00 20 E9 46 00 1D EA 46 00 40 EA 46 00 48 EA 46 00
5E EA 46 00 73 EA 46 00 90 EA 46 00 DC EA 46 00 FA EA 46 00 91 EB 46 00 DB EB 46 00 1C EC 46 00
2A EC 46 00 74 EC 46 00 A2 EC 46 00 A5 EC 46 00 A8 EC 46 00 B8 EC 46 00 D6 EC 46 00 6D ED 46 00
B7 ED 46 00 F8 ED 46 00 06 EE 46 00 50 EE 46 00 7E EE 46 00 81 EE 46 00 84 EE 46 00 DC EE 46 00
EA EE 46 00 1D EF 46 00 4D EF 46 00 7F F1 46 00 89 F1 46 00 B7 F1 46 00 D8 F1 46 00 CC F2 46 00
DD F2 46 00 15 F3 46 00 45 F6 46 00 48 F6 46 00 6B F6 46 00 AC F6 46 00 84 F7 46 00 A5 F7 46 00
B3 F7 46 00 0B F8 46 00 3F F8 46 00 7A F8 46 00 C4 FD 46 00 A1 FF 46 00 00 00 00 00 00 00 00 00
Restore the modified code, return to the original EIP, and check that every register still holds the same value as before.
4. Modify the handler code to carry out the CC repair
To use the shell's own handler code to repair the CCs, several things are needed:
1.> The CC addresses: obtained by the method above. Note that what the shell records is the EIP from GetThreadContext at the moment the INT3 fired, i.e. one byte past the CC itself; the patch code below therefore writes opcodes at [EIP-1].
2.> The jump displacement: analysis shows the handler code computes it for us, and it is used directly below.
3.> The jump type (which conditional jump it was): this is the key and the hard part. We use the shell's code that emulates the EFLAGS register value to test the flag bits in order to decide it.
Let us modify the handler code piece by piece:
First, hand the collected CC address to the handler code. Change the code at 00805E51 to:
00805E51 8B15 00808200 MOV EDX, DWORD PTR DS:[828000] ; ezcddax.00439891
00805E57 8915 008F8200 MOV DWORD PTR DS:[828F00], EDX ; pass the parameter
00805E5D C705 108F8200 0>MOV DWORD PTR DS:[828F10], ezcddax.00828000
00805E67 90 NOP
00805E68 90 NOP
00805E69 90 NOP
00805E6A 90 NOP
00805E6B 90 NOP
00805E6C 90 NOP
00805E6D 90 NOP
00805E6E 90 NOP
00805E6F 90 NOP
00805E70 90 NOP
00805E71 90 NOP
00805E72 90 NOP
00805E73 90 NOP
00805E74 90 NOP
00805E75 90 NOP
00805E76 90 NOP
00805E77 90 NOP
00805E78 90 NOP
00805E79 90 NOP
00805E7A 90 NOP
00805E7B 90 NOP
00805E7C EB 03 JMP SHORT ezcddax.00805E81
Compare with the original code that fetches the address:
00805EC3 8B95 34ECFFFF MOV EDX, DWORD PTR SS:[EBP-13CC] // fetch CONTEXT.Eip (offset B8 into the CONTEXT at [EBP-1484])
00805EC9 52 PUSH EDX
The approach: write the first entry of the CC address table, 00439891, at 00828F00; the modification above then hands it to the handler code.
The following code checks whether the CC address is in the shell's table. A value derived from the address (DIV by 19h at 00805EB6) selects one of 25 sub-tables, and the lower-bound binary search at 00805EFD..00805F65 then locates the entry:
00805ECA 8B85 48EEFFFF MOV EAX, DWORD PTR SS:[EBP-11B8]
00805ED0 FF1485 98CD8300 CALL DWORD PTR DS:[EAX*4+83CD98]
00805ED7 83C4 04 ADD ESP, 4
00805EDA 8985 78EBFFFF MOV DWORD PTR SS:[EBP-1488], EAX
00805EE0 C785 74EBFFFF 0>MOV DWORD PTR SS:[EBP-148C], 0
00805EEA 8B8D 48EEFFFF MOV ECX, DWORD PTR SS:[EBP-11B8]
00805EF0 8B148D 00F38300 MOV EDX, DWORD PTR DS:[ECX*4+83F300]
00805EF7 8995 54EEFFFF MOV DWORD PTR SS:[EBP-11AC], EDX
00805EFD 8B85 74EBFFFF MOV EAX, DWORD PTR SS:[EBP-148C]
00805F03 3B85 54EEFFFF CMP EAX, DWORD PTR SS:[EBP-11AC]
00805F09 7D 5C JGE SHORT ezcddax.00805F67
00805F0B 8B85 54EEFFFF MOV EAX, DWORD PTR SS:[EBP-11AC]
00805F11 2B85 74EBFFFF SUB EAX, DWORD PTR SS:[EBP-148C]
00805F17 99 CDQ
00805F18 2BC2 SUB EAX, EDX
00805F1A D1F8 SAR EAX, 1
00805F1C 8B8D 74EBFFFF MOV ECX, DWORD PTR SS:[EBP-148C]
00805F22 03C8 ADD ECX, EAX
00805F24 898D 70EBFFFF MOV DWORD PTR SS:[EBP-1490], ECX
00805F2A 8B95 48EEFFFF MOV EDX, DWORD PTR SS:[EBP-11B8]
00805F30 8B0495 7CF28300 MOV EAX, DWORD PTR DS:[EDX*4+83F27C]
00805F37 8B8D 70EBFFFF MOV ECX, DWORD PTR SS:[EBP-1490]
00805F3D 8B95 78EBFFFF MOV EDX, DWORD PTR SS:[EBP-1488]
00805F43 3B1488 CMP EDX, DWORD PTR DS:[EAX+ECX*4]
00805F46 76 11 JBE SHORT ezcddax.00805F59
00805F48 8B85 70EBFFFF MOV EAX, DWORD PTR SS:[EBP-1490]
00805F4E 83C0 01 ADD EAX, 1
00805F51 8985 74EBFFFF MOV DWORD PTR SS:[EBP-148C], EAX
00805F57 EB 0C JMP SHORT ezcddax.00805F65
00805F59 8B8D 70EBFFFF MOV ECX, DWORD PTR SS:[EBP-1490]
00805F5F 898D 54EEFFFF MOV DWORD PTR SS:[EBP-11AC], ECX
00805F65 ^ EB 96 JMP SHORT ezcddax.00805EFD
00805F67 60 PUSHAD
00805F68 33C0 XOR EAX, EAX
00805F6A 75 02 JNZ SHORT ezcddax.00805F6E
00805F6C EB 15 JMP SHORT ezcddax.00805F83
00805F6E EB 33 JMP SHORT ezcddax.00805FA3
00805F70 C075 18 7A SAL BYTE PTR SS:[EBP+18], 7A
00805F74 0C 70 OR AL, 70
00805F76 0E PUSH CS
00805F77 EB 0D JMP SHORT ezcddax.00805F86
00805F79 E8 720E79F1 CALL F1F96DF0
00805F7E FF15 00790974 CALL DWORD PTR DS:[74097900]
00805F84 F0:EB 87 LOCK JMP SHORT ezcddax.00805F0E ; lock prefix not allowed
00805F87 DB7A F0 FSTP TBYTE PTR DS:[EDX-10]
00805F8A A0 33618B95 MOV AL, BYTE PTR DS:[958B6133]
00805F8F 48 DEC EAX
00805F90 EE OUT DX, AL
00805F91 FFFF ??? ; unknown command
00805F93 8B0495 7CF28300 MOV EAX, DWORD PTR DS:[EDX*4+83F27C]
00805F9A 8B8D 74EBFFFF MOV ECX, DWORD PTR SS:[EBP-148C]
00805FA0 8B1488 MOV EDX, DWORD PTR DS:[EAX+ECX*4]
00805FA3 3B95 78EBFFFF CMP EDX, DWORD PTR SS:[EBP-1488] // compare the table entry with the value computed from the CC address: is this CC address valid?
00805FA9 0F85 90020000 JNZ ezcddax.0080623F
Next we reach the entry of the shell's function that emulates the EFLAGS test (it evaluates the flag bits from the saved EFLAGS value to decide whether the jump is taken). Which function is called depends on the CC: the top byte of the table dword loaded at 00806019 selects the entry from the table at 83880C, and the low 24 bits are passed as an argument.
00806006 8B85 48EEFFFF MOV EAX, DWORD PTR SS:[EBP-11B8]
0080600C 8B0C85 64F38300 MOV ECX, DWORD PTR DS:[EAX*4+83F364]
00806013 8B95 74EBFFFF MOV EDX, DWORD PTR SS:[EBP-148C]
00806019 8B0491 MOV EAX, DWORD PTR DS:[ECX+EDX*4]
0080601C 8985 5CEBFFFF MOV DWORD PTR SS:[EBP-14A4], EAX
00806022 8B8D 3CECFFFF MOV ECX, DWORD PTR SS:[EBP-13C4] // CONTEXT.EFlags (offset C0 into the CONTEXT at [EBP-1484])
00806028 81E1 D70F0000 AND ECX, 0FD7
0080602E 898D 6CEBFFFF MOV DWORD PTR SS:[EBP-1494], ECX
00806034 8B95 5CEBFFFF MOV EDX, DWORD PTR SS:[EBP-14A4]
0080603A 81E2 000000FF AND EDX, FF000000
00806040 C1EA 18 SHR EDX, 18
00806043 8995 60EBFFFF MOV DWORD PTR SS:[EBP-14A0], EDX
00806049 8B85 5CEBFFFF MOV EAX, DWORD PTR SS:[EBP-14A4]
0080604F 25 FFFFFF00 AND EAX, 0FFFFFF
00806054 8985 64EBFFFF MOV DWORD PTR SS:[EBP-149C], EAX
0080605A 8B8D 28ECFFFF MOV ECX, DWORD PTR SS:[EBP-13D8]
00806060 51 PUSH ECX
00806061 8B95 6CEBFFFF MOV EDX, DWORD PTR SS:[EBP-1494]
00806067 52 PUSH EDX
00806068 8B85 64EBFFFF MOV EAX, DWORD PTR SS:[EBP-149C]
0080606E 50 PUSH EAX
0080606F 8B8D 60EBFFFF MOV ECX, DWORD PTR SS:[EBP-14A0]
00806075 FF148D 0C888300 CALL DWORD PTR DS:[ECX*4+83880C] // entry of the function that emulates the EFLAGS flag test
0080607C 83C4 0C ADD ESP, 0C
0080607F 8985 68EBFFFF MOV DWORD PTR SS:[EBP-1498], EAX
00806085 8B95 68EBFFFF MOV EDX, DWORD PTR SS:[EBP-1498] // fetch the result flag
0080608B 83E2 01 AND EDX, 1
0080608E 85D2 TEST EDX, EDX
00806090 0F84 AE000000 JE ezcddax.00806144 // is the jump taken?
Set a breakpoint at 00806075 FF148D 0C888300 CALL DWORD PTR DS:[ECX*4+83880C]. This is the tedious part of the manual repair: it has to be traced every single time.
Precisely because this method involves no real technique, I never felt it was worth writing up, for fear of misleading people.
Breaking at the address above, the function entry is:
00806075 FF148D 0C888300 CALL DWORD PTR DS:[ECX*4+83880C] ; ezcddax.007FCAE9
DS:[00838BBC]=007FCAE9 (ezcddax.007FCAE9)
F7 into it and look at the processing:
007FCAE9 55 PUSH EBP
007FCAEA 8BEC MOV EBP, ESP
007FCAEC 83EC 40 SUB ESP, 40
007FCAEF C745 D0 6400000>MOV DWORD PTR SS:[EBP-30], 64
007FCAF6 C745 D4 5900000>MOV DWORD PTR SS:[EBP-2C], 59
007FCAFD C745 D8 8400000>MOV DWORD PTR SS:[EBP-28], 84
007FCB04 C745 DC 9C00000>MOV DWORD PTR SS:[EBP-24], 9C
007FCB0B C745 E0 C500000>MOV DWORD PTR SS:[EBP-20], 0C5
007FCB12 C745 E4 7800000>MOV DWORD PTR SS:[EBP-1C], 78
007FCB19 C745 E8 9D00000>MOV DWORD PTR SS:[EBP-18], 9D
007FCB20 C745 EC 4700000>MOV DWORD PTR SS:[EBP-14], 47
007FCB27 C745 F0 0400000>MOV DWORD PTR SS:[EBP-10], 4
007FCB2E C745 C0 0700000>MOV DWORD PTR SS:[EBP-40], 7
007FCB35 8B45 08 MOV EAX, DWORD PTR SS:[EBP+8]
007FCB38 C1E8 04 SHR EAX, 4
007FCB3B 83E0 07 AND EAX, 7
007FCB3E 8B4C85 D0 MOV ECX, DWORD PTR SS:[EBP+EAX*4-30]
007FCB42 894D C4 MOV DWORD PTR SS:[EBP-3C], ECX
007FCB45 8B45 C4 MOV EAX, DWORD PTR SS:[EBP-3C]
007FCB48 99 CDQ
007FCB49 B9 19000000 MOV ECX, 19
007FCB4E F7F9 IDIV ECX
007FCB50 8945 CC MOV DWORD PTR SS:[EBP-34], EAX
007FCB53 8B45 C4 MOV EAX, DWORD PTR SS:[EBP-3C]
007FCB56 99 CDQ
007FCB57 B9 19000000 MOV ECX, 19
007FCB5C F7F9 IDIV ECX
007FCB5E 8955 C8 MOV DWORD PTR SS:[EBP-38], EDX
007FCB61 8B55 CC MOV EDX, DWORD PTR SS:[EBP-34]
007FCB64 3B55 C8 CMP EDX, DWORD PTR SS:[EBP-38]
007FCB67 75 11 JNZ SHORT ezcddax.007FCB7A
007FCB69 8B45 C8 MOV EAX, DWORD PTR SS:[EBP-38]
007FCB6C 83C0 01 ADD EAX, 1
007FCB6F 99 CDQ
007FCB70 B9 19000000 MOV ECX, 19
007FCB75 F7F9 IDIV ECX
007FCB77 8955 C8 MOV DWORD PTR SS:[EBP-38], EDX
007FCB7A 8B55 C4 MOV EDX, DWORD PTR SS:[EBP-3C]
007FCB7D 8B45 CC MOV EAX, DWORD PTR SS:[EBP-34]
007FCB80 8B0C95 48E48300 MOV ECX, DWORD PTR DS:[EDX*4+83E448]
007FCB87 330C85 CC828300 XOR ECX, DWORD PTR DS:[EAX*4+8382CC]
007FCB8E 8B55 C8 MOV EDX, DWORD PTR SS:[EBP-38]
007FCB91 330C95 CC828300 XOR ECX, DWORD PTR DS:[EDX*4+8382CC]
007FCB98 894D F8 MOV DWORD PTR SS:[EBP-8], ECX
007FCB9B 8B45 0C MOV EAX, DWORD PTR SS:[EBP+C]
007FCB9E 50 PUSH EAX
007FCB9F 8B4D C4 MOV ECX, DWORD PTR SS:[EBP-3C]
007FCBA2 0FBE91 88CC8300 MOVSX EDX, BYTE PTR DS:[ECX+83CC88]
007FCBA9 FF1495 C0CB8300 CALL DWORD PTR DS:[EDX*4+83CBC0]
007FCBB0 83C4 04 ADD ESP, 4
007FCBB3 8945 FC MOV DWORD PTR SS:[EBP-4], EAX
007FCBB6 8B45 10 MOV EAX, DWORD PTR SS:[EBP+10]
007FCBB9 50 PUSH EAX
007FCBBA 8B4D FC MOV ECX, DWORD PTR SS:[EBP-4]
007FCBBD 51 PUSH ECX
007FCBBE FF55 F8 CALL DWORD PTR SS:[EBP-8] // the real entry of the function that emulates the EFLAGS flag test
007FCBC1 83C4 08 ADD ESP, 8
007FCBC4 50 PUSH EAX
007FCBC5 8B55 C4 MOV EDX, DWORD PTR SS:[EBP-3C]
007FCBC8 0FBE82 88CC8300 MOVSX EAX, BYTE PTR DS:[EDX+83CC88]
007FCBCF FF1485 24CC8300 CALL DWORD PTR DS:[EAX*4+83CC24]
007FCBD6 83C4 04 ADD ESP, 4
007FCBD9 8945 F4 MOV DWORD PTR SS:[EBP-C], EAX
007FCBDC 8B45 F4 MOV EAX, DWORD PTR SS:[EBP-C]
007FCBDF 83E0 01 AND EAX, 1
007FCBE2 8BE5 MOV ESP, EBP
007FCBE4 5D POP EBP
007FCBE5 C3 RETN
F7 into the call at 007FCBBE (the function that emulates the EFLAGS register value to test the flag bits).
Analysing this function:
007E8FE9 55 PUSH EBP
007E8FEA 8BEC MOV EBP, ESP
007E8FEC 83EC 0C SUB ESP, 0C
007E8FEF 53 PUSH EBX
007E8FF0 56 PUSH ESI
007E8FF1 57 PUSH EDI
007E8FF2 8B45 08 MOV EAX, DWORD PTR SS:[EBP+8]
007E8FF5 50 PUSH EAX
007E8FF6 FF15 5CCC8300 CALL DWORD PTR DS:[83CC5C] ; ezcddax.007DDF8E
007E8FFC 83C4 04 ADD ESP, 4
007E8FFF 8945 FC MOV DWORD PTR SS:[EBP-4], EAX
007E9002 8B45 FC MOV EAX, DWORD PTR SS:[EBP-4] // fetch the EFLAGS value from the CONTEXT
stack SS:[0012DC30]=00000246 <-- EFLAGS value when the CC fired
EAX=00000246
007E9005 70 07 JO SHORT ezcddax.007E900E
007E9007 7C 03 JL SHORT ezcddax.007E900C
007E9009 EB 05 JMP SHORT ezcddax.007E9010
007E900B - E9 74FBEBF9 JMP FA6A8B84
007E9010 53 PUSH EBX
007E9011 8B5D 0C MOV EBX, DWORD PTR SS:[EBP+C]
007E9014 BB FFFF0000 MOV EBX, 0FFFF
007E9019 23C3 AND EAX, EBX // keep the low 2 bytes; watch how EAX is handled from here on
007E901B 51 PUSH ECX
007E901C B5 2C MOV CH, 2C
007E901E 80ED 01 SUB CH, 1
007E9021 80ED 20 SUB CH, 20
007E9024 FECD DEC CH
007E9026 FECD DEC CH
007E9028 80ED 04 SUB CH, 4
007E902B FECD DEC CH
007E902D 80ED 03 SUB CH, 3
007E9030 FECD DEC CH
007E9032 22E5 AND AH, CH
007E9034 B1 70 MOV CL, 70
007E9036 80E9 02 SUB CL, 2
007E9039 FEC9 DEC CL
007E903B FEC9 DEC CL
007E903D FEC9 DEC CL
007E903F 80E9 06 SUB CL, 6
007E9042 F6D0 NOT AL
007E9044 0FC9 BSWAP ECX
007E9046 F6D0 NOT AL
007E9048 83E0 00 AND EAX, 0 // EAX AND 0 *
007E904B 0FC9 BSWAP ECX
007E904D FEC9 DEC CL
007E904F FEC9 DEC CL
007E9051 80E9 12 SUB CL, 12
007E9054 80C1 0B ADD CL, 0B
007E9057 FEC9 DEC CL
007E9059 FEC9 DEC CL
007E905B 70 07 JO SHORT ezcddax.007E9064
007E905D 7C 03 JL SHORT ezcddax.007E9062
007E905F EB 05 JMP SHORT ezcddax.007E9066
007E9061 C7 ???
007E9062 ^ 74 FB JE SHORT ezcddax.007E905F
007E9064 ^ EB F9 JMP SHORT ezcddax.007E905F
007E9066 FEC9 DEC CL
007E9068 FEC9 DEC CL
007E906A FEC9 DEC CL
007E906C FEC9 DEC CL
007E906E 80E9 40 SUB CL, 40
007E9071 80E9 01 SUB CL, 1
007E9074 FEC9 DEC CL
007E9076 FEC9 DEC CL
007E9078 FEC9 DEC CL
007E907A FEC9 DEC CL
007E907C FEC9 DEC CL
007E907E FEC9 DEC CL
007E9080 FEC9 DEC CL
007E9082 40 INC EAX // EAX + 1 **
007E9083 FEC9 DEC CL
007E9085 F7D1 NOT ECX
007E9087 0FC8 BSWAP EAX
007E9089 F7D1 NOT ECX
007E908B 0FC8 BSWAP EAX
007E908D FEC1 INC CL
007E908F 80C1 02 ADD CL, 2
007E9092 59 POP ECX
007E9093 5B POP EBX
007E9094 8945 F4 MOV DWORD PTR SS:[EBP-C], EAX // the resulting answer: EAX=1 ***
007E9097 8B0D CC838300 MOV ECX, DWORD PTR DS:[8383CC]
007E909D 330D D0838300 XOR ECX, DWORD PTR DS:[8383D0]
007E90A3 D1E1 SHL ECX, 1
007E90A5 894D F8 MOV DWORD PTR SS:[EBP-8], ECX
007E90A8 837D F4 00 CMP DWORD PTR SS:[EBP-C], 0
007E90AC 74 09 JE SHORT ezcddax.007E90B7 // will it jump? never (so bit 0 is always set below: this jump is always taken)
007E90AE 8B55 F8 MOV EDX, DWORD PTR SS:[EBP-8]
007E90B1 83CA 01 OR EDX, 1
007E90B4 8955 F8 MOV DWORD PTR SS:[EBP-8], EDX
007E90B7 8B45 F8 MOV EAX, DWORD PTR SS:[EBP-8]
007E90BA 50 PUSH EAX
007E90BB FF15 F8CB8300 CALL DWORD PTR DS:[83CBF8] ; ezcddax.007DDE09
007E90C1 83C4 04 ADD ESP, 4
007E90C4 5F POP EDI
007E90C5 5E POP ESI
007E90C6 5B POP EBX
007E90C7 8BE5 MOV ESP, EBP
007E90C9 5D POP EBP
007E90CA C3 RETN
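The routine above collapses to a constant once the register churn is followed, which is what decides the jump type. The following is an added example, not code from the original write-up or from Armadillo: it transcribes the EAX-relevant part of the evaluator at 007E9010..007E9094 (the junk JO/JL/JMP triples and the CL arithmetic are omitted because they never touch EAX) and, more generally, identifies which Jcc a black-box "is the jump taken?" function implements by comparing its answers over a set of EFLAGS values with the truth tables of the sixteen x86 condition codes. The function names and the probe set are my own choices.

```python
"""Identify the Jcc behind an Armadillo EFLAGS evaluator by probing it with flag values."""
from typing import Callable, List, Optional

CF, PF, ZF, SF, OF = 1 << 0, 1 << 2, 1 << 6, 1 << 7, 1 << 11


def flag(eflags: int, mask: int) -> bool:
    return (eflags & mask) != 0


# The sixteen x86 condition codes: cc nibble -> (mnemonic, predicate on EFLAGS).
# Short form is 70h|cc (2 bytes), near form is 0F 80h|cc (6 bytes).
CONDITIONS = {
    0x0: ("jo", lambda e: flag(e, OF)),
    0x1: ("jno", lambda e: not flag(e, OF)),
    0x2: ("jb", lambda e: flag(e, CF)),
    0x3: ("jae", lambda e: not flag(e, CF)),
    0x4: ("je", lambda e: flag(e, ZF)),
    0x5: ("jne", lambda e: not flag(e, ZF)),
    0x6: ("jbe", lambda e: flag(e, CF) or flag(e, ZF)),
    0x7: ("ja", lambda e: not flag(e, CF) and not flag(e, ZF)),
    0x8: ("js", lambda e: flag(e, SF)),
    0x9: ("jns", lambda e: not flag(e, SF)),
    0xA: ("jp", lambda e: flag(e, PF)),
    0xB: ("jnp", lambda e: not flag(e, PF)),
    0xC: ("jl", lambda e: flag(e, SF) != flag(e, OF)),
    0xD: ("jge", lambda e: flag(e, SF) == flag(e, OF)),
    0xE: ("jle", lambda e: flag(e, ZF) or flag(e, SF) != flag(e, OF)),
    0xF: ("jg", lambda e: not flag(e, ZF) and flag(e, SF) == flag(e, OF)),
}

# Probe set: all 32 combinations of CF/PF/ZF/SF/OF, with reserved bit 1 set as the CPU keeps it.
PROBES = [
    0x2 | c * CF | p * PF | z * ZF | s * SF | o * OF
    for c in (0, 1) for p in (0, 1) for z in (0, 1) for s in (0, 1) for o in (0, 1)
]


def classify(evaluator: Callable[[int], int], probes: Optional[List[int]] = None) -> List[str]:
    """List the jump types whose truth table matches the evaluator's over `probes`:
    'jmp' = taken for every probe (unconditional), 'never' = taken for none, plus every
    Jcc whose predicate agrees on all probes. Over the full PROBES set exactly one matches;
    with only a few recorded probes the list shows how ambiguous the recording still is."""
    probes = PROBES if probes is None else probes
    observed = [bool(evaluator(e)) for e in probes]
    found = []
    if all(observed):
        found.append("jmp")
    if not any(observed):
        found.append("never")
    for _cc, (name, pred) in CONDITIONS.items():
        if observed == [pred(e) for e in probes]:
            found.append(name)
    return found


def mask_from_ch_chain() -> int:
    """CH after MOV CH,2C / SUB CH,1 / SUB CH,20 / DEC / DEC / SUB CH,4 / DEC / SUB CH,3 / DEC."""
    ch = 0x2C
    for step in (1, 0x20, 1, 1, 4, 1, 3, 1):
        ch = (ch - step) & 0xFF
    return ch


def evaluator_at_007E9010(eflags: int) -> int:
    """Value stored to [EBP-C] at 007E9094 for a given saved EFLAGS (the traced run had 0x246)."""
    eax = eflags & 0xFFFF                                   # AND EAX,EBX with EBX=0FFFF
    ah = ((eax >> 8) & 0xFF) & mask_from_ch_chain()         # AND AH,CH  (CH is 0, so AH := 0)
    eax = (eax & 0xFFFF00FF) | (ah << 8)
    # NOT AL / NOT AL and the two BSWAP ECX cancel out, then:
    eax &= 0                                                # AND EAX,0   (*)
    eax = (eax + 1) & 0xFFFFFFFF                            # INC EAX     (**)
    # BSWAP EAX / BSWAP EAX cancel; EAX goes to [EBP-C]     (***)
    return eax
```

To use this on another CC, record the evaluator's answer in OD for a handful of EFLAGS values (for instance by editing EAX at the equivalent of 007E9002 before letting the function run) and pass those pairs as `probes` with a lookup lambda; the returned list shrinks to one entry once enough flag combinations have been tried.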
Continue to the code that computes the displacement when the jump is taken:
008060BB 61 POPAD
008060BC 8B85 48EEFFFF MOV EAX, DWORD PTR SS:[EBP-11B8]
008060C2 8B0C85 18F28300 MOV ECX, DWORD PTR DS:[EAX*4+83F218]
008060C9 8B85 74EBFFFF MOV EAX, DWORD PTR SS:[EBP-148C]
008060CF 33D2 XOR EDX, EDX
008060D1 BE 17000000 MOV ESI, 17
008060D6 F7F6 DIV ESI
008060D8 8B85 74EBFFFF MOV EAX, DWORD PTR SS:[EBP-148C]
008060DE 8B0C81 MOV ECX, DWORD PTR DS:[ECX+EAX*4]
008060E1 338C95 70EEFFFF XOR ECX, DWORD PTR SS:[EBP+EDX*4-1190] ; compute the displacement
008060E8 8B95 34ECFFFF MOV EDX, DWORD PTR SS:[EBP-13CC] ; address when the CC fired
008060EE 03D1 ADD EDX, ECX
ECX=00000004 the computed displacement
EDX=00439891 (ezcddax.00439891) address when the CC fired
008060F0 8995 34ECFFFF MOV DWORD PTR SS:[EBP-13CC], EDX
If the jump is not taken, we get to the code that computes the length of the jump instruction:
0080614F 8B85 48EEFFFF MOV EAX, DWORD PTR SS:[EBP-11B8]
00806155 8B0C85 D0F38300 MOV ECX, DWORD PTR DS:[EAX*4+83F3D0]
0080615C 8B95 74EBFFFF MOV EDX, DWORD PTR SS:[EBP-148C]
00806162 33C0 XOR EAX, EAX
00806164 8A0411 MOV AL, BYTE PTR DS:[ECX+EDX]
///////////////////////////////////////////////////////////////
This points into a table of jump-instruction lengths. Each entry is the instruction length minus 1 (the CC itself occupies one byte):
01E8DC70 01 05 01 01 04 01 01 01 01 01 01 05 05 01 01 01
01E8DC80 01 05 04 01 05 01 01 01 01 04 01 01 01 01 05 04
01E8DC90 01 05 05 01 01 01 01 01 01 01 01 01 01 05 01 01
01E8DCA0 01 01 01 05 05 01 01 05 01 01 01 01 01 05 01 04
01E8DCB0 01 01 05 05 04 01 01 01 05 01 05 01 01 05 05 01
01E8DCC0 01 01 01 01 05 01 04 BA 0D F0 AD BA 0D F0 AD BA
01E8DCD0 AB AB AB AB AB AB AB AB 00 00 00 00 00 00 00 00
(The BA 0D F0 AD ... and AB AB ... bytes after the last entry are the Windows debug heap's BAADF00D fill and ABABABAB trailer, not table data; the table ends at 01E8DCC6.)
From reading ordinary compiled code we know that jumps come in three lengths:
I short conditional jump (7x rel8): 2 bytes, table value 1
II near conditional jump (0F 8x rel32): 6 bytes, table value 5
III near unconditional jmp (E9 rel32): 5 bytes, table value 4
So the table entry tells us whether the jump is the short or the long form, because the two forms are encoded differently.
//////////////////////////////////////////////////////////////////
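The encoding rules just listed, together with the displacement arithmetic the patch code performs, as an added example that is not part of the original write-up: given the three values the handler works with (the saved EIP, the length-table byte and the shell's displacement) plus the Jcc mnemonic recovered by tracing the evaluator, it produces the bytes to write at the CC. Its only assumption about the page's data is that the length byte of the CC at 00439891 is 4 (the page shows its displacement, ECX=4, but not its length byte); the function names are mine.

```python
"""Re-encode one repaired jump from the values the Armadillo CC handler exposes."""
import struct
from typing import Optional, Tuple

# Jcc condition nibble: short form 70h|cc, near form 0F 80h|cc.
JCC = {"jo": 0x0, "jno": 0x1, "jb": 0x2, "jae": 0x3, "je": 0x4, "jne": 0x5, "jbe": 0x6, "ja": 0x7,
       "js": 0x8, "jns": 0x9, "jp": 0xA, "jnp": 0xB, "jl": 0xC, "jge": 0xD, "jle": 0xE, "jg": 0xF}


def encode_jump(eip: int, length_byte: int, offset: int, cond: Optional[str] = None) -> Tuple[int, bytes]:
    """eip: EIP saved by GetThreadContext when the INT3 fired (address of the CC byte + 1).
    length_byte: entry from the shell's length table = instruction length - 1.
    offset: displacement the shell decodes, relative to eip (target = eip + offset).
    cond: Jcc mnemonic for the two conditional forms.
    Returns (address of the CC byte, replacement bytes)."""
    cc_addr = eip - 1
    insn_len = length_byte + 1
    target = eip + offset
    # x86 displacements are relative to the end of the instruction. The instruction starts
    # at eip-1 and is length_byte+1 long, so this reduces to offset - length_byte, which is
    # exactly the SUB EDX,[828F20] the patch code performs before storing the value.
    rel = target - (cc_addr + insn_len)
    assert rel == offset - length_byte
    if length_byte == 1:                                   # short Jcc: 7x rel8
        if not -128 <= rel <= 127:
            raise ValueError(f"{cc_addr:08X}: rel8 out of range")
        return cc_addr, bytes([0x70 | JCC[cond]]) + struct.pack("<b", rel)
    if length_byte == 4:                                   # near jmp: E9 rel32
        if offset == 4:                                    # jump to the next instruction:
            return cc_addr, b"\x90" * 5                    # the patch code NOPs these out
        return cc_addr, b"\xE9" + struct.pack("<i", rel)
    if length_byte == 5:                                   # near Jcc: 0F 8x rel32
        return cc_addr, bytes([0x0F, 0x80 | JCC[cond]]) + struct.pack("<i", rel)
    raise ValueError(f"{cc_addr:08X}: unexpected length byte {length_byte}")


def apply_fix(image: bytearray, base: int, eip: int, length_byte: int, offset: int,
              cond: Optional[str] = None) -> bytes:
    """Patch one CC in a copy of .text (image[0] is at virtual address base). Refuses to
    overwrite anything that is not an INT3, the check the handler leaves to you (zeroing
    the table entry by hand when a recorded address turns out not to be a CC)."""
    addr, code = encode_jump(eip, length_byte, offset, cond)
    i = addr - base
    if not 0 <= i < len(image) or image[i] != 0xCC:
        raise ValueError(f"{addr:08X}: not an INT3, skip this table entry")
    image[i:i + len(code)] = code
    return code
```

The first CC on this page, EIP 00439891 with displacement 4, comes out as five NOPs at 00439890, matching the branch at 00805FCE..00805FF7 in the patched handler; a near JE with displacement 105h at the same EIP would be 0F 84 00 01 00 00 at EIP-1.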
00806167 8B8D 34ECFFFF MOV ECX, DWORD PTR SS:[EBP-13CC]
0080616D 03C8 ADD ECX, EAX
0080616F 898D 34ECFFFF MOV DWORD PTR SS:[EBP-13CC], ECX
0080613A 61 POPAD
0080613B 9D POPFD
0080613C 66:92 XCHG AX, DX
0080613E 66:92 XCHG AX, DX
00806140 8BC0 MOV EAX, EAX
00806142 EB 75 JMP SHORT ezcddax.008061B9
Reload the parameter and repair the next CC:
008061B9 8305 108F8200 0>ADD DWORD PTR DS:[828F10], 4 ; advance to the next table entry
008061C0 8B15 108F8200 MOV EDX, DWORD PTR DS:[828F10]
008061C6 8B12 MOV EDX, DWORD PTR DS:[EDX]
008061C8 8915 008F8200 MOV DWORD PTR DS:[828F00], EDX
008061CE 83FA 00 CMP EDX, 0
008061D1 ^ 74 E6 JE SHORT ezcddax.008061B9 ; 00000000 means this entry is not a CC: skip it
008061D3 83FA FF CMP EDX, -1
008061D6 74 08 JE SHORT ezcddax.008061E0 ; FFFFFFFF marks the end of the repair
008061D8 ^ E9 A6FCFFFF JMP ezcddax.00805E83
008061DD 90 NOP
008061DE 90 NOP
008061DF 90 NOP
008061E0 90 NOP
008061E1 90 NOP
008061E2 90 NOP
Bytes of this snippet (008061B9..008061E2):
83 05 10 8F 82 00 04 8B 15 10 8F 82 00 8B 12 89 15 00 8F 82 00 83 FA 00 74 E6 83 FA FF 74 08 E9
A6 FC FF FF 90 90 90 90 90 90
After debugging, the handler code was changed to the following, and it does essentially what is needed.
Before running the modified code, you must:
<1>. Copy the .text section bytes from the dump into the .text section of the process now being debugged.
<2>. Alt+M, and in the memory window set the .text section's access attribute to Full access.
<3>. Copy the collected CC addresses as binary into a chosen memory area; I put them at [00828000]. Whenever debugging shows an entry that is not actually an INT3, change its dword to 00000000; keep debugging and keep fixing.
<4>. Put FFFFFFFF after the last CC address to mark the end of the repair.
<5>. While debugging, keep copies of the modified program bytes to guard against mistakes; when finished, copy the bytes of .text back into the dump file and save it.
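Steps <3> and <4> can be prepared offline instead of by trial and error. The following is an added example, not code from the original write-up: it parses an OllyDbg hex-dump paste into dwords, checks against a copy of the dumped .text whether the byte one before each recorded EIP really is CC, writes 00000000 for the entries that are not (the handler's CMP EDX,0 / JE skips those), appends the FFFFFFFF terminator (CMP EDX,-1 / JE ends the loop) and prints the result in the form OD's binary edit dialog accepts. The sample input is the first line of the CC address dump from this page; the .text image it is checked against is constructed here (base 00468100, with an INT3 before every entry except 0046831D) and is not the real program.

```python
"""Build the CC address table the patched Armadillo handler walks, with the INT3 check done up front."""
import re
import struct
from typing import List

# Optional 8-digit address, then 'xx xx xx ...'; a trailing ASCII column is ignored.
HEX_LINE = re.compile(r"^\s*(?:[0-9A-Fa-f]{8}\s+)?((?:[0-9A-Fa-f]{2}\s+)*[0-9A-Fa-f]{2})")


def parse_od_dump(text: str) -> bytes:
    """Bytes from an OllyDbg hex-dump paste, with or without addresses and ASCII columns."""
    out = bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if m:
            out += bytes.fromhex(re.sub(r"\s", "", m.group(1)))
    return bytes(out)


def dwords(blob: bytes) -> List[int]:
    n = len(blob) // 4
    return list(struct.unpack("<%dI" % n, blob[: n * 4]))


def build_cc_table(eips: List[int], image: bytes, base: int) -> bytes:
    """One little-endian dword per entry, in the original order, then the FFFFFFFF terminator.
    Entries whose byte at EIP-1 is not CC (or lies outside the image) become 00000000."""
    rows = []
    for eip in eips:
        i = eip - 1 - base                       # the INT3 byte sits one before the saved EIP
        is_int3 = 0 <= i < len(image) and image[i] == 0xCC
        rows.append(eip if is_int3 else 0)
    rows.append(0xFFFFFFFF)
    return struct.pack("<%dI" % len(rows), *rows)


def to_od_hex(blob: bytes) -> str:
    """'XX XX XX ...' for pasting into OllyDbg's binary edit dialog."""
    return " ".join(f"{b:02X}" for b in blob)


# Constructed sample: first dump line from this page, and a fake .text at 00468100 that has
# an INT3 at EIP-1 for every entry except 0046831D (to show the 00000000 replacement).
SAMPLE_DUMP = "7D 81 46 00 51 82 46 00 1D 83 46 00 4B 83 46 00 74 84 46 00 9A 84 46 00 86 85 46 00 C1 85 46 00"
BASE = 0x00468100
IMAGE = bytearray(b"\x90" * 0x500)
for _eip in dwords(parse_od_dump(SAMPLE_DUMP)):
    if _eip != 0x0046831D:
        IMAGE[_eip - 1 - BASE] = 0xCC


def build_from_dump(text: str = SAMPLE_DUMP, image: bytes = IMAGE, base: int = BASE) -> bytes:
    return build_cc_table(dwords(parse_od_dump(text)), image, base)


if __name__ == "__main__":
    print(to_od_hex(build_from_dump()))
```

Run against the real dump, pass the bytes of the dumped .text section and its virtual base in place of the constructed IMAGE and BASE; the zeroed entries are then known before the first run of the handler rather than discovered one crash at a time.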
00805E39 . 50 PUSH EAX ; /pContext
00805E3A . 8B8D 50EEFFFF MOV ECX, DWORD PTR SS:[EBP-11B0] ; |
00805E40 . 51 PUSH ECX ; |hThread
00805E41 . FF15 E0808300 CALL DWORD PTR DS:[<&KERNEL32.GetThreadCo>; \GetThreadContext
00805E47 . 90 NOP
00805E48 . 90 NOP
00805E49 . 52 PUSH EDX
00805E4A . 8B15 00808200 MOV EDX, DWORD PTR DS:[828000] ; ezcddax.00439891
00805E50 . 8915 008F8200 MOV DWORD PTR DS:[828F00], EDX
00805E56 . C705 108F8200 0080>MOV DWORD PTR DS:[828F10], ezcddax.00828>
00805E60 . 5A POP EDX
00805E61 . 90 NOP
00805E62 . 90 NOP
00805E63 . 90 NOP
00805E64 . 90 NOP
00805E65 . 90 NOP
00805E66 . 90 NOP
00805E67 . 90 NOP
00805E68 . 90 NOP
00805E69 . 90 NOP
00805E6A . 90 NOP
00805E6B . 90 NOP
00805E6C . 90 NOP
00805E6D . 90 NOP
00805E6E . 90 NOP
00805E6F . 90 NOP
00805E70 . 90 NOP
00805E71 . 90 NOP
00805E72 . 90 NOP
00805E73 . 90 NOP
00805E74 . 90 NOP
00805E75 . 90 NOP
00805E76 . 90 NOP
00805E77 . 90 NOP
00805E78 . 90 NOP
00805E79 . 90 NOP
00805E7A . 90 NOP
00805E7B . 90 NOP
00805E7C . 90 NOP
00805E7D . 90 NOP
00805E7E . 90 NOP
00805E7F . 90 NOP
00805E80 . 90 NOP
00805E81 . 90 NOP
00805E82 . 90 NOP
00805E83 > 90 NOP
00805E84 . 90 NOP
00805E85 . 90 NOP
00805E86 . 90 NOP
00805E87 . 90 NOP
00805E88 . 90 NOP
00805E89 . 90 NOP
00805E8A . 60 PUSHAD
00805E8B . C785 78EBFFFF 0000>MOV DWORD PTR SS:[EBP-1488], 0
00805E95 . 6A FF PUSH -1 ; /Arg3 = FFFFFFFF
00805E97 . 6A 04 PUSH 4 ; |Arg2 = 00000004
00805E99 . 8D95 34ECFFFF LEA EDX, DWORD PTR SS:[EBP-13CC] ; |stack address=0012E3D0
00805E9F . 52 PUSH EDX ; |Arg1
00805EA0 . E8 EB60FDFF CALL ezcddax.007DBF90 ; \ezcddax.007DBF90
00805EA5 . 83C4 0C ADD ESP, 0C
00805EA8 . 8985 4CEEFFFF MOV DWORD PTR SS:[EBP-11B4], EAX
00805EAE . 8B85 4CEEFFFF MOV EAX, DWORD PTR SS:[EBP-11B4]
00805EB4 . 33D2 XOR EDX, EDX
00805EB6 . B9 19000000 MOV ECX, 19
00805EBB . F7F1 DIV ECX
00805EBD . 8995 48EEFFFF MOV DWORD PTR SS:[EBP-11B8], EDX
00805EC3 . 8B95 34ECFFFF MOV EDX, DWORD PTR SS:[EBP-13CC]
00805EC9 . 52 PUSH EDX
00805ECA . 8B85 48EEFFFF MOV EAX, DWORD PTR SS:[EBP-11B8]
00805ED0 . FF1485 98CD8300 CALL DWORD PTR DS:[EAX*4+83CD98]
00805ED7 . 83C4 04 ADD ESP, 4
00805EDA . 8985 78EBFFFF MOV DWORD PTR SS:[EBP-1488], EAX
00805EE0 . C785 74EBFFFF 0000>MOV DWORD PTR SS:[EBP-148C], 0
00805EEA . 8B8D 48EEFFFF MOV ECX, DWORD PTR SS:[EBP-11B8]
00805EF0 . 8B148D 00F38300 MOV EDX, DWORD PTR DS:[ECX*4+83F300]
00805EF7 . 8995 54EEFFFF MOV DWORD PTR SS:[EBP-11AC], EDX
00805EFD > 8B85 74EBFFFF MOV EAX, DWORD PTR SS:[EBP-148C]
00805F03 . 3B85 54EEFFFF CMP EAX, DWORD PTR SS:[EBP-11AC]
00805F09 . 7D 5C JGE SHORT ezcddax.00805F67
00805F0B . 8B85 54EEFFFF MOV EAX, DWORD PTR SS:[EBP-11AC]
00805F11 . 2B85 74EBFFFF SUB EAX, DWORD PTR SS:[EBP-148C]
00805F17 . 99 CDQ
00805F18 . 2BC2 SUB EAX, EDX
00805F1A . D1F8 SAR EAX, 1
00805F1C . 8B8D 74EBFFFF MOV ECX, DWORD PTR SS:[EBP-148C]
00805F22 . 03C8 ADD ECX, EAX
00805F24 . 898D 70EBFFFF MOV DWORD PTR SS:[EBP-1490], ECX
00805F2A . 8B95 48EEFFFF MOV EDX, DWORD PTR SS:[EBP-11B8]
00805F30 . 8B0495 7CF28300 MOV EAX, DWORD PTR DS:[EDX*4+83F27C]
00805F37 . 8B8D 70EBFFFF MOV ECX, DWORD PTR SS:[EBP-1490]
00805F3D . 8B95 78EBFFFF MOV EDX, DWORD PTR SS:[EBP-1488]
00805F43 . 3B1488 CMP EDX, DWORD PTR DS:[EAX+ECX*4]
00805F46 . 76 11 JBE SHORT ezcddax.00805F59
00805F48 . 8B85 70EBFFFF MOV EAX, DWORD PTR SS:[EBP-1490]
00805F4E . 83C0 01 ADD EAX, 1
00805F51 . 8985 74EBFFFF MOV DWORD PTR SS:[EBP-148C], EAX
00805F57 . EB 0C JMP SHORT ezcddax.00805F65
00805F59 > 8B8D 70EBFFFF MOV ECX, DWORD PTR SS:[EBP-1490]
00805F5F . 898D 54EEFFFF MOV DWORD PTR SS:[EBP-11AC], ECX
00805F65 >^ EB 96 JMP SHORT ezcddax.00805EFD
00805F67 > 90 NOP
00805F68 . 90 NOP
00805F69 . 90 NOP
00805F6A . 90 NOP
00805F6B . 90 NOP
00805F6C . 90 NOP
00805F6D . 90 NOP
00805F6E . 90 NOP
00805F6F . 90 NOP
00805F70 . 90 NOP
00805F71 . 90 NOP
00805F72 . 90 NOP
00805F73 . 90 NOP
00805F74 . 90 NOP
00805F75 . 90 NOP
00805F76 . 90 NOP
00805F77 . 90 NOP
00805F78 . 90 NOP
00805F79 . 90 NOP
00805F7A . 90 NOP
00805F7B . 90 NOP
00805F7C . 90 NOP
00805F7D . 90 NOP
00805F7E . 90 NOP
00805F7F . 90 NOP
00805F80 . 90 NOP
00805F81 . 90 NOP
00805F82 . 90 NOP
00805F83 . 90 NOP
00805F84 . 90 NOP
00805F85 . 90 NOP
00805F86 . 90 NOP
00805F87 . 90 NOP
00805F88 . 90 NOP
00805F89 . 90 NOP
00805F8A . 90 NOP
00805F8B . 90 NOP
00805F8C . 90 NOP
00805F8D . 8B95 48EEFFFF MOV EDX, DWORD PTR SS:[EBP-11B8]
00805F93 . 8B0495 7CF28300 MOV EAX, DWORD PTR DS:[EDX*4+83F27C]
00805F9A . 8B8D 74EBFFFF MOV ECX, DWORD PTR SS:[EBP-148C]
00805FA0 . 8B1488 MOV EDX, DWORD PTR DS:[EAX+ECX*4]
00805FA3 . 3B95 78EBFFFF CMP EDX, DWORD PTR SS:[EBP-1488] ; is the CC address in the table?
00805FA9 . 0F85 0A020000 JNZ ezcddax.008061B9
00805FAF . 90 NOP
00805FB0 . 90 NOP
00805FB1 . 90 NOP ; the modifications begin here:
00805FB2 . 90 NOP ; first get the instruction length from the shell's length-computing code, to tell long from short jumps
00805FB3 . E8 97010000 CALL ezcddax.0080614F ; the shell's length-computing code, turned into a callable function
00805FB8 . 90 NOP
00805FB9 . 90 NOP
00805FBA . 90 NOP
00805FBB . 90 NOP
00805FBC . 90 NOP
00805FBD . 90 NOP
00805FBE . E8 F9000000 CALL ezcddax.008060BC ; compute the jump displacement
00805FC3 . 803D 208F8200 04 CMP BYTE PTR DS:[828F20], 4 ; long or short jump, by instruction length
00805FCA 7F 30 JG SHORT ezcddax.00805FFC
00805FCC 7C 38 JL SHORT ezcddax.00806006 ; short jump: handled directly
00805FCE 66:833D 308F8200 0>CMP WORD PTR DS:[828F30], 4 ; the other jmp variant: Armadillo also treats a jump to the immediately following instruction as a jmp, with displacement 4
00805FD6 74 0F JE SHORT ezcddax.00805FE7
00805FD8 8B85 34ECFFFF MOV EAX, DWORD PTR SS:[EBP-13CC] ; what remains is the near jmp type
00805FDE C640 FF E9 MOV BYTE PTR DS:[EAX-1], 0E9 ; write the near jmp opcode at the CC byte
00805FE2 E9 08010000 JMP ezcddax.008060EF ; straight to the code that checks the jump direction
00805FE7 8B85 34ECFFFF MOV EAX, DWORD PTR SS:[EBP-13CC] ; a jmp with displacement 4 is replaced by NOPs
00805FED C640 FF 90 MOV BYTE PTR DS:[EAX-1], 90
00805FF1 C700 90909090 MOV DWORD PTR DS:[EAX], 90909090
00805FF7 E9 BD010000 JMP ezcddax.008061B9 ; this one is done; on to the next iteration
00805FFC 8B85 34ECFFFF MOV EAX, DWORD PTR SS:[EBP-13CC] ; long conditional jump: write the first opcode byte
00806002 C640 FF 0F MOV BYTE PTR DS:[EAX-1], 0F ; only this single byte (0F) is written, at the CC byte; the second opcode byte, the condition, is filled in by hand later
00806006 > 8B85 48EEFFFF MOV EAX, DWORD PTR SS:[EBP-11B8]
0080600C . 8B0C85 64F38300 MOV ECX, DWORD PTR DS:[EAX*4+83F364]
00806013 . 8B95 74EBFFFF MOV EDX, DWORD PTR SS:[EBP-148C]
00806019 . 8B0491 MOV EAX, DWORD PTR DS:[ECX+EDX*4]
0080601C . 8985 5CEBFFFF MOV DWORD PTR SS:[EBP-14A4], EAX
00806022 . 8B8D 3CECFFFF MOV ECX, DWORD PTR SS:[EBP-13C4] ; CONTEXT.EFlags
00806028 . 81E1 D70F0000 AND ECX, 0FD7
0080602E . 898D 6CEBFFFF MOV DWORD PTR SS:[EBP-1494], ECX
00806034 . 8B95 5CEBFFFF MOV EDX, DWORD PTR SS:[EBP-14A4]
0080603A . 81E2 000000FF AND EDX, FF000000
00806040 . C1EA 18 SHR EDX, 18
00806043 . 8995 60EBFFFF MOV DWORD PTR SS:[EBP-14A0], EDX
00806049 . 8B85 5CEBFFFF MOV EAX, DWORD PTR SS:[EBP-14A4]
0080604F . 25 FFFFFF00 AND EAX, 0FFFFFF
00806054 . 8985 64EBFFFF MOV DWORD PTR SS:[EBP-149C], EAX
0080605A . 8B8D 28ECFFFF MOV ECX, DWORD PTR SS:[EBP-13D8]
00806060 . 51 PUSH ECX
00806061 . 8B95 6CEBFFFF MOV EDX, DWORD PTR SS:[EBP-1494]
00806067 . 52 PUSH EDX
00806068 . 8B85 64EBFFFF MOV EAX, DWORD PTR SS:[EBP-149C]
0080606E . 50 PUSH EAX
0080606F . 8B8D 60EBFFFF MOV ECX, DWORD PTR SS:[EBP-14A0]
00806075 . FF148D 0C888300 CALL DWORD PTR DS:[ECX*4+83880C] ; entry of the function that emulates the EFLAGS flag test
0080607C . 83C4 0C ADD ESP, 0C
0080607F . 8985 68EBFFFF MOV DWORD PTR SS:[EBP-1498], EAX
00806085 . 8B95 68EBFFFF MOV EDX, DWORD PTR SS:[EBP-1498]
0080608B . 33D2 XOR EDX, EDX ; the evaluator's result is discarded here: the jump type is worked out by hand
0080608D . 803D 208F8200 04 CMP BYTE PTR DS:[828F20], 4 ; dispatch on the instruction length to the code that writes the displacement
00806094 . 0F8C D3000000 JL ezcddax.0080616D ; <4: short jump
0080609A . 7F 7D JG SHORT ezcddax.00806119 ; >4: long conditional jump
0080609C . 74 51 JE SHORT ezcddax.008060EF ; =4: jmp
0080609E . 90 NOP
0080609F . 90 NOP
008060A0 . 90 NOP
008060A1 . 90 NOP
008060A2 . 90 NOP
008060A3 . 90 NOP
008060A4 . 90 NOP
008060A5 . 90 NOP
008060A6 . 90 NOP
008060A7 . 90 NOP
008060A8 . 90 NOP
008060A9 . 90 NOP
008060AA . 90 NOP
008060AB . 90 NOP
008060AC . 90 NOP
008060AD . 90 NOP
008060AE . 90 NOP
008060AF . 90 NOP
008060B0 . 90 NOP
008060B1 . 90 NOP
008060B2 . 90 NOP
008060B3 . 90 NOP
008060B4 . 90 NOP
008060B5 . 90 NOP
008060B6 . 90 NOP
008060B7 90 NOP
008060B8 90 NOP
008060B9 90 NOP
008060BA 90 NOP
008060BB 90 NOP
008060BC /$ 8B85 48EEFFFF MOV EAX, DWORD PTR SS:[EBP-11B8] ; turned into a function that computes the jump displacement
008060C2 |. 8B0C85 18F28300 MOV ECX, DWORD PTR DS:[EAX*4+83F218]
008060C9 |. 8B85 74EBFFFF MOV EAX, DWORD PTR SS:[EBP-148C]
008060CF |. 33D2 XOR EDX, EDX
008060D1 |. BE 17000000 MOV ESI, 17
008060D6 |. F7F6 DIV ESI
008060D8 |. 8B85 74EBFFFF MOV EAX, DWORD PTR SS:[EBP-148C]
008060DE |. 8B0C81 MOV ECX, DWORD PTR DS:[ECX+EAX*4]
008060E1 |. 338C95 70EEFFFF XOR ECX, DWORD PTR SS:[EBP+EDX*4-1190] ; compute the displacement
008060E8 |. 890D 308F8200 MOV DWORD PTR DS:[828F30], ECX ; store it for later use
008060EE \. C3 RETN
008060EF > 66:813D 308F8200 8>CMP WORD PTR DS:[828F30], 0FF80 ; for the jmp type: decide the forward/backward direction of the displacement
008060F8 . 0F8C 87000000 JL ezcddax.00806185
008060FE . 66:833D 308F8200 7>CMP WORD PTR DS:[828F30], 7F
00806106 . 7E 2B JLE SHORT ezcddax.00806133
00806108 . EB 7B JMP SHORT ezcddax.00806185
0080610A 90 NOP
0080610B 90 NOP
0080610C 90 NOP
0080610D 90 NOP
0080610E 90 NOP
0080610F 90 NOP
00806110 90 NOP
00806111 90 NOP
00806112 90 NOP
00806113 90 NOP
00806114 90 NOP
00806115 90 NOP
00806116 90 NOP
00806117 90 NOP
00806118 90 NOP
00806119 > 8B15 308F8200 MOV EDX, DWORD PTR DS:[828F30] ; long conditional jump
0080611F . 2B15 208F8200 SUB EDX, DWORD PTR DS:[828F20]
00806125 . 8B85 34ECFFFF MOV EAX, DWORD PTR SS:[EBP-13CC]
0080612B . 8950 01 MOV DWORD PTR DS:[EAX+1], EDX ; the displacement goes at EAX+1 (two bytes past the CC) because the near conditional jump opcode is two bytes
0080612E . E9 86000000 JMP ezcddax.008061B9
00806133 > 8B15 308F8200 MOV EDX, DWORD PTR DS:[828F30] ; repair code for an upward near jmp
00806139 . 2B15 208F8200 SUB EDX, DWORD PTR DS:[828F20]
0080613F . 8B85 34ECFFFF MOV EAX, DWORD PTR SS:[EBP-13CC]
00806145 . 4A DEC EDX
00806146 . 8910 MOV DWORD PTR DS:[EAX], EDX
00806148 . EB 6F JMP SHORT ezcddax.008061B9
0080614A 90 NOP
0080614B 90 NOP
0080614C 90 NOP
0080614D 90 NOP
0080614E 90 NOP
0080614F /$ 8B85 48EEFFFF MOV EAX, DWORD PTR SS:[EBP-11B8] ; the shell's length-computing code, turned into a callable function
00806155 |. 8B0C85 D0F38300 MOV ECX, DWORD PTR DS:[EAX*4+83F3D0]
0080615C |. 8B95 74EBFFFF MOV EDX, DWORD PTR SS:[EBP-148C]
00806162 |. 33C0 XOR EAX, EAX
00806164 |. 8A0411 MOV AL, BYTE PTR DS:[ECX+EDX]
00806167 |. A2 208F8200 MOV BYTE PTR DS:[828F20], AL ; store the value for the callers
0080616C \. C3 RETN
0080616D > 90 NOP
0080616E . 8B15 308F8200 MOV EDX, DWORD PTR DS:[828F30] ; fetch the displacement; it is relative to the byte after the CC
00806174 . 2B15 208F8200 SUB EDX, DWORD PTR DS:[828F20] ; displacement - jump length byte = the real displacement
0080617A . 8B85 34ECFFFF MOV EAX, DWORD PTR SS:[EBP-13CC] ; the address of the byte after the CC
00806180 . 8810 MOV BYTE PTR DS:[EAX], DL ; write the real displacement; note it is a single byte
00806182 . EB 35 JMP SHORT ezcddax.008061B9
00806184 90 NOP
00806185 > 8B15 308F8200 MOV EDX, DWORD PTR DS:[828F30] ; repair code for a downward near jmp
0080618B . 2B15 208F8200 SUB EDX, DWORD PTR DS:[828F20]
00806191 . 8B85 34ECFFFF MOV EAX, DWORD PTR SS:[EBP-13CC]
00806197 . 90 NOP
00806198 . 8910 MOV DWORD PTR DS:[EAX], EDX ; note that a dword is written
0080619A . 90 NOP
0080619B . 90 NOP
0080619C . 90 NOP
0080619D . 90 NOP
0080619E . 90 NOP
0080619F . 90 NOP
008061A0 . 90 NOP
008061A1 . 90 NOP
008061A2 . 90 NOP
008061A3 . 90 NOP
008061A4 . 90 NOP
008061A5 . 90 NOP
008061A6 . 90 NOP
008061A7 . 90 NOP
008061A8 . 90 NOP
008061A9 . 90 NOP
008061AA . 90 NOP
008061AB . 90 NOP
008061AC . 90 NOP
008061AD . 90 NOP
008061AE . 90 NOP
008061AF . 90 NOP
008061B0 . 90 NOP
008061B1 . 90 NOP
008061B2 . 90 NOP
008061B3 . 90 NOP
008061B4 . 90 NOP
008061B5 . 90 NOP
008061B6 . 90 NOP
008061B7 . 90 NOP
008061B8 . 90 NOP
008061B9 > 8305 108F8200 04 ADD DWORD PTR DS:[828F10], 4 ; advance to the next table entry
008061C0 > 8B15 108F8200 MOV EDX, DWORD PTR DS:[828F10] ; ezcddax.00828000
008061C6 . 8B12 MOV EDX, DWORD PTR DS:[EDX]
008061C8 . 8995 34ECFFFF MOV DWORD PTR SS:[EBP-13CC], EDX
008061CE . 83FA 00 CMP EDX, 0
008061D1 .^ 74 E6 JE SHORT ezcddax.008061B9 ; 00000000: this entry is not a CC, skip it
008061D3 . 83FA FF CMP EDX, -1
008061D6 . 74 08 JE SHORT ezcddax.008061E0 ; FFFFFFFF: repair finished
008061D8 . 61 POPAD
008061D9 .^ E9 A5FCFFFF JMP ezcddax.00805E83
008061DE 90 NOP
008061DF 90 NOP
008061E0 > 90 NOP
008061E1 . 90 NOP
008061E2 . 90 NOP
008061E3 . 90 NOP
008061E4 . 90 NOP
008061E5 . 90 NOP
008061E6 . 90 NOP
008061E7 . 90 NOP
008061E8 . 90 NOP
008061E9 . 90 NOP
008061EA . 90 NOP
008061EB . 90 NOP
008061EC . 90 NOP
008061ED . 90 NOP
008061EE . 90 NOP
008061EF . 90 NOP
008061F0 . 90 NOP
008061F1 . 90 NOP
008061F2 . 90 NOP
008061F3 . 90 NOP
008061F4 . 90 NOP
008061F5 . 90 NOP
008061F6 . 90 NOP
008061F7 . 90 NOP
008061F8 . 90 NOP
008061F9 . 90 NOP
008061FA . 90 NOP
008061FB . 90 NOP
008061FC . 90 NOP
008061FD . 90 NOP
008061FE . 90 NOP
008061FF . 90 NOP
00806200 . 90 NOP
00806201 . 90 NOP
00806202 . 90 NOP
00806203 . 90 NOP
00806204 . 90 NOP
00806205 . 90 NOP
00806206 . 90 NOP
00806207 . 90 NOP
00806208 . 90 NOP
00806209 . 90 NOP
0080620A . 90 NOP
0080620B . 52 PUSH EDX ; /pContext
0080620C . 8B85 50EEFFFF MOV EAX, DWORD PTR SS:[EBP-11B0] ; |
00806212 . 50 PUSH EAX ; |hThread
00806213 . FF15 DC808300 CALL DWORD PTR DS:[<&KERNEL32.SetThreadCo>; \SetThreadContext
Bytes of the modified handler, the 3E0h bytes from 00805E39 up to the SetThreadContext call:
50 8B 8D 50 EE FF FF 51 FF 15 E0 80 83 00 90 90 52 8B 15 00 80 82 00 89 15 00 8F 82 00 C7 05 10
8F 82 00 00 80 82 00 5A 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 60 C7 85 78 EB FF FF 00 00 00 00 6A FF 6A 04
8D 95 34 EC FF FF 52 E8 EB 60 FD FF 83 C4 0C 89 85 4C EE FF FF 8B 85 4C EE FF FF 33 D2 B9 19 00
00 00 F7 F1 89 95 48 EE FF FF 8B 95 34 EC FF FF 52 8B 85 48 EE FF FF FF 14 85 98 CD 83 00 83 C4
04 89 85 78 EB FF FF C7 85 74 EB FF FF 00 00 00 00 8B 8D 48 EE FF FF 8B 14 8D 00 F3 83 00 89 95
54 EE FF FF 8B 85 74 EB FF FF 3B 85 54 EE FF FF 7D 5C 8B 85 54 EE FF FF 2B 85 74 EB FF FF 99 2B
C2 D1 F8 8B 8D 74 EB FF FF 03 C8 89 8D 70 EB FF FF 8B 95 48 EE FF FF 8B 04 95 7C F2 83 00 8B 8D
70 EB FF FF 8B 95 78 EB FF FF 3B 14 88 76 11 8B 85 70 EB FF FF 83 C0 01 89 85 74 EB FF FF EB 0C
8B 8D 70 EB FF FF 89 8D 54 EE FF FF EB 96 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 8B 95 48 EE FF FF 8B 04 95 7C F2 83
00 8B 8D 74 EB FF FF 8B 14 88 3B 95 78 EB FF FF 0F 85 0A 02 00 00 90 90 90 90 E8 97 01 00 00 90
90 90 90 90 90 E8 F9 00 00 00 80 3D 20 8F 82 00 04 7F 15 90 90 90 7C 35 8B 85 34 EC FF FF C6 40
FF E9 E9 0F 01 00 00 90 8B 85 34 EC FF FF C6 40 FF 0F 90 90 90 90 90 90 90 90 90 90 90 90 90 90
90 90 90 90 90 90 90 90 90 90 90 90 90 8B 85 48 EE FF FF 8B 0C 85 64 F3 83 00 8B 95 74 EB FF FF
8B 04 91 89 85 5C EB FF FF 8B 8D 3C EC FF FF 81 E1 D7 0F 00 00 89 8D 6C EB FF FF 8B 95 5C EB FF
FF 81 E2 00 00 00 FF C1 EA 18 89 95 60 EB FF FF 8B 85 5C EB FF FF 25 FF FF FF 00 89 85 64 EB FF
FF 8B 8D 28 EC FF FF 51 8B 95 6C EB FF FF 52 8B 85 64 EB FF FF 50 8B 8D 60 EB FF FF FF 14 8D 0C
88 83 00 83 C4 0C 89 85 68 EB FF FF 8B 95 68 EB FF FF 33 D2 80 3D 20 8F 82 00 04 0F 8C D3 00 00
00 7F 7D 74 51 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 E9 FD
00 00 00 8B 85 48 EE FF FF 8B 0C 85 18 F2 83 00 8B 85 74 EB FF FF 33 D2 BE 17 00 00 00 F7 F6 8B
85 74 EB FF FF 8B 0C 81 33 8C 95 70 EE FF FF 89 0D 30 8F 82 00 C3 66 81 3D 30 8F 82 00 80 FF 0F
8C 87 00 00 00 66 83 3D 30 8F 82 00 7F 7E 2B EB 7B 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
8B 15 30 8F 82 00 2B 15 20 8F 82 00 8B 85 34 EC FF FF 89 50 01 E9 86 00 00 00 8B 15 30 8F 82 00
2B 15 20 8F 82 00 8B 85 34 EC FF FF 4A 89 10 EB 6F 90 90 90 90 90 8B 85 48 EE FF FF 8B 0C 85 D0
F3 83 00 8B 95 74 EB FF FF 33 C0 8A 04 11 A2 20 8F 82 00 C3 90 8B 15 30 8F 82 00 2B 15 20 8F 82
00 8B 85 34 EC FF FF 88 10 EB 35 90 8B 15 30 8F 82 00 2B 15 20 8F 82 00 8B 85 34 EC FF FF 90 89
10 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
83 05 10 8F 82 00 04 8B 15 10 8F 82 00 8B 12 89 95 34 EC FF FF 83 FA 00 74 E6 83 FA FF 74 08 61
E9 A5 FC FF FF 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 52 8B 85 50 EE FF FF 50 FF 15 DC 80 83 00
Those following along can copy the bytes above and try them out. One caveat: the byte dump reflects a slightly earlier state than the listing. At 00805FC3 it has no CMP WORD PTR DS:[828F30],4 branch (its JG goes to the 0F case and the E9 case follows directly), so a jmp to the immediately following instruction would get E9 00 00 00 00 instead of NOPs, and at 008060B7 it has a JMP to 008061B9 where the listing has NOPs. If you paste the bytes, reconcile them with the listing first. What remains is to determine the jump type and write it into the code.
What needs repairing next is the jump type, the most tedious and least technical part of the whole job. Let us look at a few examples of how to do it.
With the code above in place, set a breakpoint at the address where the repair finishes, clear all other breakpoints, set a breakpoint at the function entry below, and run.
Example 1 ---- address when the CC fired: 0043989E
DS:[00828004]=0043989E (ezcddax.0043989E)
EAX=00828004 (ezcddax.00828004)
007F2BEF 55 PUSH EBP
007F2BF0 8BEC MOV EBP, ESP
007F2BF2 83EC 40 SUB ESP, 40
007F2BF5 C745 D0 D800000>MOV DWORD PTR SS:[EBP-30], 0D8
007F2BFC C745 D4 2400000>MOV DWORD PTR SS:[EBP-2C], 24
007F2C03 C745 D8 E400000>MOV DWORD PTR SS:[EBP-28], 0E4
007F2C0A C745 DC A600000>MOV DWORD PTR SS:[EBP-24], 0A6
007F2C11 C745 E0 9400000>MOV DWORD PTR SS:[EBP-20], 94
007F2C18 C745 E4 2900000>MOV DWORD PTR SS:[EBP-1C], 29
007F2C1F C745 E8 2A00000>MOV DWORD PTR SS:[EBP-18], 2A
007F2C26 C745 EC F300000>MOV DWORD PTR SS:[EBP-14], 0F3
007F2C2D C745 F0 0700000>MOV DWORD PTR SS:[EBP-10], 7
007F2C34 C745 C0 0700000>MOV DWORD PTR SS:[EBP-40], 7
007F2C3B 8B45 08 MOV EAX, DWORD PTR SS:[EBP+8]
007F2C3E C1E8 07 SHR EAX, 7
007F2C41 83E0 07 AND EAX, 7
007F2C44 8B4C85 D0 MOV ECX, DWORD PTR SS:[EBP+EAX*4-30]
007F2C48 894D C4 MOV DWORD PTR SS:[EBP-3C], ECX
007F2C4B 8B45 C4 MOV EAX, DWORD PTR SS:[EBP-3C]
007F2C4E 99 CDQ
007F2C4F B9 19000000 MOV ECX, 19
007F2C54 F7F9 IDIV ECX
007F2C56 8945 CC MOV DWORD PTR SS:[EBP-34], EAX
007F2C59 8B45 C4 MOV EAX, DWORD PTR SS:[EBP-3C]
007F2C5C 99 CDQ
007F2C5D B9 19000000 MOV ECX, 19
007F2C62 F7F9 IDIV ECX
007F2C64 8955 C8 MOV DWORD PTR SS:[EBP-38], EDX
007F2C67 8B55 CC MOV EDX, DWORD PTR SS:[EBP-34]
007F2C6A 3B55 C8 CMP EDX, DWORD PTR SS:[EBP-38]
007F2C6D 75 11 JNZ SHORT ezcddax.007F2C80
007F2C6F 8B45 C8 MOV EAX, DWORD PTR SS:[EBP-38]
007F2C72 83C0 01 ADD EAX, 1
007F2C75 99 CDQ
007F2C76 B9 19000000 MOV ECX, 19
007F2C7B F7F9 IDIV ECX
007F2C7D 8955 C8 MOV DWORD PTR SS:[EBP-38], EDX
007F2C80 8B55 C4 MOV EDX, DWORD PTR SS:[EBP-3C]
007F2C83 8B45 CC MOV EAX, DWORD PTR SS:[EBP-34]
007F2C86 8B0C95 48E48300 MOV ECX, DWORD PTR DS:[EDX*4+83E448]
007F2C8D 330C85 CC828300 XOR ECX, DWORD PTR DS:[EAX*4+8382CC]
007F2C94 8B55 C8 MOV EDX, DWORD PTR SS:[EBP-38]
007F2C97 330C95 CC828300 XOR ECX, DWORD PTR DS:[EDX*4+8382CC]
007F2C9E 894D F8 MOV DWORD PTR SS:[EBP-8], ECX
007F2CA1 8B45 0C MOV EAX, DWORD PTR SS:[EBP+C]
007F2CA4 50 PUSH EAX
007F2CA5 8B4D C4 MOV ECX, DWORD PTR SS:[EBP-3C]
007F2CA8 0FBE91 88CC8300 MOVSX EDX, BYTE PTR DS:[ECX+83CC88]
007F2CAF FF1495 C0CB8300 CALL DWORD PTR DS:[EDX*4+83CBC0]
007F2CB6 83C4 04 ADD ESP, 4
007F2CB9 8945 FC MOV DWORD PTR SS:[EBP-4], EAX
007F2CBC 8B45 10 MOV EAX, DWORD PTR SS:[EBP+10]
007F2CBF 50 PUSH EAX
007F2CC0 8B4D FC MOV ECX, DWORD PTR SS:[EBP-4]
007F2CC3 51 PUSH ECX
007F2CC4 FF55 F8 CALL DWORD PTR SS:[EBP-8] ; ezcddax.007EB7A0
Stack SS:[0012DC5C]=007EB7A0 (ezcddax.007EB7A0)
007F2CC7 83C4 08 ADD ESP, 8
007F2CCA 50 PUSH EAX
007F2CCB 8B55 C4 MOV EDX, DWORD PTR SS:[EBP-3C]
007F2CCE 0FBE82 88CC8300 MOVSX EAX, BYTE PTR DS:[EDX+83CC88]
007F2CD5 FF1485 24CC8300 CALL DWORD PTR DS:[EAX*4+83CC24]
007F2CDC 83C4 04 ADD ESP, 4
007F2CDF 8945 F4 MOV DWORD PTR SS:[EBP-C], EAX
007F2CE2 8B45 F4 MOV EAX, DWORD PTR SS:[EBP-C]
007F2CE5 83E0 01 AND EAX, 1
007F2CE8 8BE5 MOV ESP, EBP
007F2CEA 5D POP EBP
007F2CEB C3 RETN
007EB7A0 55 PUSH EBP
007EB7A1 8BEC MOV EBP, ESP
007EB7A3 83EC 0C SUB ESP, 0C
007EB7A6 53 PUSH EBX
007EB7A7 56 PUSH ESI
007EB7A8 57 PUSH EDI
007EB7A9 8B45 08 MOV EAX, DWORD PTR SS:[EBP+8]
007EB7AC 50 PUSH EAX
007EB7AD FF15 24CC8300 CALL DWORD PTR DS:[83CC24] ; ezcddax.007DC062
007EB7B3 83C4 04 ADD ESP, 4
007EB7B6 8945 FC MOV DWORD PTR SS:[EBP-4], EAX
007EB7B9 8B45 FC MOV EAX, DWORD PTR SS:[EBP-4]
007EB7BC 51 PUSH ECX
007EB7BD B9 00080000 MOV ECX, 800
007EB7C2 B9 0A000000 MOV ECX, 0A
007EB7C7 F7D1 NOT ECX
007EB7C9 0FC8 BSWAP EAX
007EB7CB F7D1 NOT ECX
007EB7CD 41 INC ECX
007EB7CE 41 INC ECX
007EB7CF 41 INC ECX
007EB7D0 41 INC ECX
007EB7D1 41 INC ECX
007EB7D2 41 INC ECX
007EB7D3 41 INC ECX
007EB7D4 41 INC ECX
007EB7D5 41 INC ECX
007EB7D6 41 INC ECX
007EB7D7 41 INC ECX
007EB7D8 41 INC ECX
007EB7D9 41 INC ECX
007EB7DA 41 INC ECX
007EB7DB 41 INC ECX
007EB7DC 41 INC ECX
007EB7DD 41 INC ECX
007EB7DE 41 INC ECX
007EB7DF 41 INC ECX
007EB7E0 49 DEC ECX
007EB7E1 41 INC ECX
007EB7E2 FEC1 INC CL
007EB7E4 FEC1 INC CL
007EB7E6 FEC1 INC CL
007EB7E8 83C1 0D ADD ECX, 0D
007EB7EB FEC1 INC CL
007EB7ED FEC1 INC CL
007EB7EF FEC1 INC CL
007EB7F1 FEC1 INC CL
007EB7F3 FEC1 INC CL
007EB7F5 83C1 0A ADD ECX, 0A
007EB7F8 49 DEC ECX
007EB7F9 52 PUSH EDX
007EB7FA BA 04000000 MOV EDX, 4
007EB7FF 03CA ADD ECX, EDX
007EB801 41 INC ECX
007EB802 5A POP EDX
007EB803 0FC8 BSWAP EAX
007EB805 23C1 AND EAX, ECX
/////////////////////////////////////////////////
EBX=00000040
EAX=00000246
This instruction is the key: the EFLAGS register value AND 40.
Analyze it: hexadecimal 40 is binary 01000000, so the bit affected is the seventh bit from the right (bit 6), ZF, and the test condition is ZF=1.
For background see: http://www.pediy.com/tutorial/chap2/Chap2-3.htm
So the jump type can be determined to be JZ/JE. If it is a short jump, write the opcode 74 at the CC address; if it is a long jump, write 84 at the address where the CC occurred.
/////////////////////////////////////////////////
007EB807 59 POP ECX
007EB808 F7D8 NEG EAX
007EB80A 1BC0 SBB EAX, EAX
007EB80C F7D8 NEG EAX
/////////////////////////////////////////////////
Tests whether the ZF bit is 1
////////////////////////////////////////////////
007EB80E 5A POP EDX
007EB80F 8945 F4 MOV DWORD PTR SS:[EBP-C], EAX
007EB812 8B0D 94838300 MOV ECX, DWORD PTR DS:[838394]
007EB818 330D 98838300 XOR ECX, DWORD PTR DS:[838398]
007EB81E D1E1 SHL ECX, 1
007EB820 894D F8 MOV DWORD PTR SS:[EBP-8], ECX
007EB823 837D F4 00 CMP DWORD PTR SS:[EBP-C], 0
007EB827 74 09 JE SHORT ezcddax.007EB832
007EB829 8B55 F8 MOV EDX, DWORD PTR SS:[EBP-8]
007EB82C 83CA 01 OR EDX, 1
007EB82F 8955 F8 MOV DWORD PTR SS:[EBP-8], EDX
007EB832 8B45 F8 MOV EAX, DWORD PTR SS:[EBP-8]
007EB835 50 PUSH EAX
007EB836 FF15 C0CB8300 CALL DWORD PTR DS:[83CBC0] ; ezcddax.007DBFB0
007EB83C 83C4 04 ADD ESP, 4
007EB83F 5F POP EDI
007EB840 5E POP ESI
007EB841 5B POP EBX
007EB842 8BE5 MOV ESP, EBP
007EB844 5D POP EBP
007EB845 C3 RETN
Modify to:
007EB7A0 55 PUSH EBP
007EB7A1 8BEC MOV EBP, ESP
007EB7A3 83EC 0C SUB ESP, 0C
007EB7A6 53 PUSH EBX
007EB7A7 56 PUSH ESI
007EB7A8 57 PUSH EDI
007EB7A9 8B45 08 MOV EAX, DWORD PTR SS:[EBP+8]
007EB7AC 50 PUSH EAX
007EB7AD FF15 24CC8300 CALL DWORD PTR DS:[83CC24] ; ezcddax.007DC062
007EB7B3 83C4 04 ADD ESP, 4
007EB7B6 8945 FC MOV DWORD PTR SS:[EBP-4], EAX
007EB7B9 8B45 FC MOV EAX, DWORD PTR SS:[EBP-4]
*******************************************************************************
{the modified code is}
007EB7BC 90 NOP ; the modified code follows
007EB7BD 90 NOP
007EB7BE 36:A1 108F8200 MOV EAX, DWORD PTR SS:[828F10] ; fetch the address where the CC occurred
007EB7C4 8B00 MOV EAX, DWORD PTR DS:[EAX]
007EB7C6 8078 FF 0F CMP BYTE PTR DS:[EAX-1], 0F ; check whether the preceding byte is the long-jump prefix
007EB7CA 74 06 JE SHORT ezcddax.007EB7D2 ; short-jump write
007EB7CC C640 FF 74 MOV BYTE PTR DS:[EAX-1], 74
007EB7D0 EB 20 JMP SHORT ezcddax.007EB7F2 ; long-jump write; note it is written at the address where the CC occurred, not at the CC address
007EB7D2 C600 84 MOV BYTE PTR DS:[EAX], 84
007EB7D5 90 NOP
007EB7D6 33C0 XOR EAX, EAX
********************************************************************************
007EB7D8 90 NOP
007EB7D9 90 NOP
007EB7DA 90 NOP
007EB7DB 90 NOP
007EB7DC 90 NOP
007EB7DD 90 NOP
007EB7DE 90 NOP
007EB7DF 90 NOP
007EB7E0 90 NOP
007EB7E1 90 NOP
007EB7E2 90 NOP
007EB7E3 90 NOP
007EB7E4 90 NOP
007EB7E5 90 NOP
007EB7E6 90 NOP
007EB7E7 90 NOP
007EB7E8 90 NOP
007EB7E9 90 NOP
007EB7EA 90 NOP
007EB7EB 90 NOP
007EB7EC 90 NOP
007EB7ED 90 NOP
007EB7EE 90 NOP
007EB7EF 90 NOP
007EB7F0 90 NOP
007EB7F1 90 NOP
007EB7F2 90 NOP
007EB7F3 90 NOP
007EB7F4 90 NOP
007EB7F5 90 NOP
007EB7F6 90 NOP
007EB7F7 90 NOP
007EB7F8 90 NOP
007EB7F9 90 NOP
007EB7FA 90 NOP
007EB7FB 90 NOP
007EB7FC 90 NOP
007EB7FD 90 NOP
007EB7FE 90 NOP
007EB7FF 90 NOP
007EB800 90 NOP
007EB801 90 NOP
007EB802 90 NOP
007EB803 90 NOP
007EB804 90 NOP
007EB805 90 NOP
007EB806 90 NOP
007EB807 90 NOP
007EB808 90 NOP
007EB809 90 NOP
007EB80A 90 NOP
007EB80B 90 NOP
007EB80C 90 NOP
007EB80D 90 NOP
007EB80E 90 NOP
007EB80F 8945 F4 MOV DWORD PTR SS:[EBP-C], EAX
007EB812 8B0D 94838300 MOV ECX, DWORD PTR DS:[838394]
007EB818 330D 98838300 XOR ECX, DWORD PTR DS:[838398]
007EB81E D1E1 SHL ECX, 1
007EB820 894D F8 MOV DWORD PTR SS:[EBP-8], ECX
007EB823 837D F4 00 CMP DWORD PTR SS:[EBP-C], 0
007EB827 74 09 JE SHORT ezcddax.007EB832
007EB829 8B55 F8 MOV EDX, DWORD PTR SS:[EBP-8]
007EB82C 83CA 01 OR EDX, 1
007EB82F 8955 F8 MOV DWORD PTR SS:[EBP-8], EDX
007EB832 8B45 F8 MOV EAX, DWORD PTR SS:[EBP-8]
007EB835 50 PUSH EAX
007EB836 FF15 C0CB8300 CALL DWORD PTR DS:[83CBC0] ; ezcddax.007DBFB0
007EB83C 83C4 04 ADD ESP, 4
007EB83F 5F POP EDI
007EB840 5E POP ESI
007EB841 5B POP EBX
007EB842 8BE5 MOV ESP, EBP
007EB844 5D POP EBP
007EB845 C3 RETN
55 8B EC 83 EC 0C 53 56 57 8B 45 08 50 FF 15 24 CC 83 00 83 C4 04 89 45 FC 8B 45 FC 90 90 36 A1
10 8F 82 00 8B 00 80 78 FF 0F 74 06 C6 40 FF 74 EB 20 C6 00 84 90 33 C0 90 90 90 90 90 90 90 90
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 89 45 F4 8B 0D 94 83 83 00 33 0D 98 83 83 00 D1 E1
89 4D F8 83 7D F4 00 74 09 8B 55 F8 83 CA 01 89 55 F8 8B 45 F8 50 FF 15 C0 CB 83 00 83 C4 04 5F
5E 5B 8B E5 5D C3
00439895 8B15 ECEB6C00 MOV EDX, DWORD PTR DS:[6CEBEC]
0043989B 85D2 TEST EDX, EDX
0043989D 0F84 AE030000 JE ezcddax.00439C51 //repaired code: a long JE
004398A3 66:C785 1CFDFFF>MOV WORD PTR SS:[EBP-2E4], 218
================================================================================================
Example 2: 00439989
00806075 FF148D 0C888300 CALL DWORD PTR DS:[ECX*4+83880C] ; entry of the function that emulates the EFLAGS register value to test the flag bits
Entry: DS:[00838A54]=007F720B (ezcddax.007F720B); press F7 to step in:
007F72E0 FF55 F8 CALL DWORD PTR SS:[EBP-8] ; real entry of the function that emulates the EFLAGS register value to test the flag bits
Stack SS:[0012DC5C]=007E6809 (ezcddax.007E6809)
The entry is 007E6809; press F7 again to step in:
007E6809 55 PUSH EBP
007E680A 8BEC MOV EBP, ESP
007E680C 83EC 0C SUB ESP, 0C
007E680F 53 PUSH EBX
007E6810 56 PUSH ESI
007E6811 57 PUSH EDI
007E6812 8B45 08 MOV EAX, DWORD PTR SS:[EBP+8]
007E6815 50 PUSH EAX
007E6816 FF15 28CC8300 CALL DWORD PTR DS:[83CC28] ; ezcddax.007DC1BD
007E681C 83C4 04 ADD ESP, 4
007E681F 8945 FC MOV DWORD PTR SS:[EBP-4], EAX
007E6822 8B45 FC MOV EAX, DWORD PTR SS:[EBP-4] ; fetch the EFLAGS value from the CONTEXT; watch how the shell uses it, note EAX
007E6825 53 PUSH EBX ; fetch the address where the CC occurred; note this address is the byte after the CC
007E6826 BB 80000000 MOV EBX, 80
007E682B EB 05 JMP SHORT ezcddax.007E6832
007E682D BB 04000000 MOV EBX, 4 ; written to the CC address, hence -1
007E6832 BB 32000000 MOV EBX, 32
007E6837 F7D3 NOT EBX
007E6839 0FC8 BSWAP EAX
007E683B F7D3 NOT EBX
007E683D 43 INC EBX
007E683E 43 INC EBX
007E683F 83C3 08 ADD EBX, 8
007E6842 4B DEC EBX
007E6843 51 PUSH ECX
007E6844 B9 04000000 MOV ECX, 4
007E6849 03D9 ADD EBX, ECX
007E684B 43 INC EBX
007E684C 59 POP ECX
007E684D 0FC8 BSWAP EAX
007E684F 23C3 AND EAX, EBX
//////////////////////////////////////////////////////////////////////
EBX=00000040
EAX=00000246
This instruction is the key: the EFLAGS register value AND 40.
Analyze it: hexadecimal 40 is binary 01000000, so the bit affected is the seventh bit from the right (bit 6), ZF, and the test condition is ZF=1.
For background see: http://www.pediy.com/tutorial/chap2/Chap2-3.htm
So the jump type can be determined to be JZ/JE. If it is a short jump, write the opcode 74 at the CC address; if it is a long jump, write 84 at the address where the CC occurred.
//////////////////////////////////////////////////////////////////////
007E6851 5B POP EBX
007E6852 F7D8 NEG EAX
007E6854 1BC0 SBB EAX, EAX
007E6856 F7D8 NEG EAX
/////////////////////////////////////////////////
Tests whether the ZF bit is 1
/////////////////////////////////////////////////
007E6858 5A POP EDX
007E6859 8945 F4 MOV DWORD PTR SS:[EBP-C], EAX
007E685C 8B0D 98838300 MOV ECX, DWORD PTR DS:[838398]
007E6862 330D 9C838300 XOR ECX, DWORD PTR DS:[83839C]
007E6868 D1E1 SHL ECX, 1
007E686A 894D F8 MOV DWORD PTR SS:[EBP-8], ECX
007E686D 837D F4 00 CMP DWORD PTR SS:[EBP-C], 0
007E6871 74 09 JE SHORT ezcddax.007E687C
007E6873 8B55 F8 MOV EDX, DWORD PTR SS:[EBP-8]
007E6876 83CA 01 OR EDX, 1
007E6879 8955 F8 MOV DWORD PTR SS:[EBP-8], EDX
007E687C 8B45 F8 MOV EAX, DWORD PTR SS:[EBP-8]
007E687F 50 PUSH EAX
007E6880 FF15 C4CB8300 CALL DWORD PTR DS:[83CBC4] ; ezcddax.007DC114
007E6886 83C4 04 ADD ESP, 4
007E6889 5F POP EDI
007E688A 5E POP ESI
007E688B 5B POP EBX
007E688C 8BE5 MOV ESP, EBP
007E688E 5D POP EBP
007E688F C3 RETN
This is the same type as Example 1, so modify the code directly to:
007E6809 55 PUSH EBP
007E680A 8BEC MOV EBP, ESP
007E680C 83EC 0C SUB ESP, 0C
007E680F 53 PUSH EBX
007E6810 56 PUSH ESI
007E6811 57 PUSH EDI
007E6812 8B45 08 MOV EAX, DWORD PTR SS:[EBP+8]
007E6815 50 PUSH EAX
007E6816 FF15 28CC8300 CALL DWORD PTR DS:[83CC28] ; ezcddax.007DC1BD
007E681C 83C4 04 ADD ESP, 4
007E681F 8945 FC MOV DWORD PTR SS:[EBP-4], EAX
007E6822 8B45 FC MOV EAX, DWORD PTR SS:[EBP-4] ; fetch the EFLAGS value from the CONTEXT; watch how the shell uses it, note EAX
007E6825 90 NOP ; fetch the address where the CC occurred; note this address is the byte after the CC
007E6826 E9 914F0000 JMP ezcddax.007EB7BC //jump to the previously modified code to handle it
007E682B 90 NOP
007E682C 90 NOP
007E682D 90 NOP
007E682E 90 NOP
007E682F 90 NOP
007E6830 90 NOP
007E6831 90 NOP
007E6832 90 NOP
007E6833 90 NOP
007E6834 90 NOP
007E6835 90 NOP
007E6836 90 NOP
007E6837 90 NOP
007E6838 90 NOP
007E6839 90 NOP
007E683A 90 NOP
007E683B 90 NOP
007E683C 90 NOP
007E683D 90 NOP
007E683E 90 NOP
007E683F 90 NOP
007E6840 90 NOP
007E6841 90 NOP
007E6842 90 NOP
007E6843 90 NOP
007E6844 90 NOP
007E6845 90 NOP
007E6846 90 NOP
007E6847 90 NOP
007E6848 90 NOP
007E6849 90 NOP
007E684A 90 NOP
007E684B 90 NOP
007E684C 90 NOP
007E684D 90 NOP
007E684E 90 NOP
007E684F 90 NOP
007E6850 90 NOP
007E6851 90 NOP
007E6852 90 NOP
007E6853 90 NOP
007E6854 90 NOP
007E6855 90 NOP
007E6856 90 NOP
007E6857 90 NOP
007E6858 90 NOP
007E6859 8945 F4 MOV DWORD PTR SS:[EBP-C], EAX
007E685C 8B0D 98838300 MOV ECX, DWORD PTR DS:[838398]
007E6862 330D 9C838300 XOR ECX, DWORD PTR DS:[83839C]
007E6868 D1E1 SHL ECX, 1
007E686A 894D F8 MOV DWORD PTR SS:[EBP-8], ECX
007E686D 837D F4 00 CMP DWORD PTR SS:[EBP-C], 0
007E6871 74 09 JE SHORT ezcddax.007E687C
007E6873 8B55 F8 MOV EDX, DWORD PTR SS:[EBP-8]
007E6876 83CA 01 OR EDX, 1
007E6879 8955 F8 MOV DWORD PTR SS:[EBP-8], EDX
007E687C 8B45 F8 MOV EAX, DWORD PTR SS:[EBP-8]
007E687F 50 PUSH EAX
007E6880 FF15 C4CB8300 CALL DWORD PTR DS:[83CBC4] ; ezcddax.007DC114
007E6886 83C4 04 ADD ESP, 4
007E6889 5F POP EDI
007E688A 5E POP ESI
007E688B 5B POP EBX
007E688C 8BE5 MOV ESP, EBP
007E688E 5D POP EBP
007E688F C3 RETN
The repaired code:
0043995F 85C0 TEST EAX, EAX
00439961 74 13 JE SHORT ezcddax.00439976 //repaired code: a short JE
00439963 8B4D FC MOV ECX, DWORD PTR SS:[EBP-4]
00439966 8B81 E8070000 MOV EAX, DWORD PTR DS:[ECX+7E8]
0043996C 33D2 XOR EDX, EDX
0043996E 8B08 MOV ECX, DWORD PTR DS:[EAX]
Example 3:
00806075 FF148D 0C888300 CALL DWORD PTR DS:[ECX*4+83880C] ; entry of the function that emulates the EFLAGS register value to test the flag bits
Entry: DS:[00838B24]=007FA56D (ezcddax.007FA56D); press F7 to step in:
007FA63F FF55 F8 CALL DWORD PTR SS:[EBP-8] ; ezcddax.007E381A
Real entry: SS:[0012DC5C]=007E381A (ezcddax.007E381A); press F7 to step in:
007E381A /. 55 PUSH EBP
007E381B |. 8BEC MOV EBP, ESP
007E381D |. 83EC 0C SUB ESP, 0C
007E3820 |. 53 PUSH EBX
007E3821 |. 56 PUSH ESI
007E3822 |. 57 PUSH EDI
007E3823 |. 8B45 08 MOV EAX, DWORD PTR SS:[EBP+8]
007E3826 |. 50 PUSH EAX ; /Arg1
007E3827 |. FF15 64CC8300 CALL DWORD PTR DS:[83CC64] ; \ezcddax.007DE435
007E382D |. 83C4 04 ADD ESP, 4
007E3830 |. 8945 FC MOV DWORD PTR SS:[EBP-4], EAX
007E3833 |. 8B45 FC MOV EAX, DWORD PTR SS:[EBP-4] ; fetch the EFLAGS value from the CONTEXT
007E3836 |. 52 PUSH EDX
007E3837 |. BA FFFF0000 MOV EDX, 0FFFF
007E383C |. 23C2 AND EAX, EDX ; mask bits
007E383E |. 53 PUSH EBX
007E383F |. 50 PUSH EAX ; push
007E3840 |. B7 07 MOV BH, 7
007E3842 |. FECF DEC BH
007E3844 |. FECF DEC BH
007E3846 |. FECF DEC BH
007E3848 |. FECF DEC BH
007E384A |. FECF DEC BH
007E384C |. FECF DEC BH
007E384E |. FECF DEC BH
007E3850 |. 25 00080000 AND EAX, 800 ; smokescreen
007E3855 |. 0FC9 BSWAP ECX
007E3857 |. 58 POP EAX ; pop
007E3858 |. 0FC9 BSWAP ECX
007E385A |. 22E7 AND AH, BH ; mask bits
007E385C |. B3 86 MOV BL, 86
007E385E |. 80EB 05 SUB BL, 5
007E3861 |. FECB DEC BL
007E3863 |. FECB DEC BL
007E3865 |. FECB DEC BL
007E3867 |. FECB DEC BL
007E3869 |. FECB DEC BL
007E386B |. FECB DEC BL
007E386D |. FECB DEC BL
007E386F |. 80EB 1A SUB BL, 1A
007E3872 |. FECB DEC BL
007E3874 |. 80EB 1F SUB BL, 1F
007E3877 |. 66:F7D3 NOT BX
007E387A |. 0FC8 BSWAP EAX
007E387C |. 66:F7D3 NOT BX
007E387F |. 0FC8 BSWAP EAX
007E3881 |. 22C3 AND AL, BL
//////////////////////////////////////////////////
; BL=40 ('@') AL=46 ('F')
This instruction is the key: the EFLAGS register value AND 40.
Analyze it: hexadecimal 40 is binary 01000000, so the bit affected is the seventh bit from the right (bit 6), ZF, and the test condition is ZF=0.
For background see: http://www.pediy.com/tutorial/chap2/Chap2-3.htm
So the jump type can be determined to be JNE/JNZ. For a short jump, write the opcode 75 at the CC address; for a long jump, write 85 at the address where the CC occurred.
///////////////////////////////////////////////////
007E3883 |. 8BC0 MOV EAX, EAX
007E3885 |. 5B POP EBX
007E3886 |. F7D8 NEG EAX
007E3888 |. 1BC0 SBB EAX, EAX
007E388A |. 40 INC EAX
/////////////////////////////////////////////////
Tests whether the ZF bit is 0
/////////////////////////////////////////////////
007E388B |. 5A POP EDX
007E388C |. 8945 F4 MOV DWORD PTR SS:[EBP-C], EAX
007E388F |. 8B0D D4838300 MOV ECX, DWORD PTR DS:[8383D4]
007E3895 |. 330D D8838300 XOR ECX, DWORD PTR DS:[8383D8]
007E389B |. D1E1 SHL ECX, 1
007E389D |. 894D F8 MOV DWORD PTR SS:[EBP-8], ECX
007E38A0 |. 837D F4 00 CMP DWORD PTR SS:[EBP-C], 0
007E38A4 |. 74 09 JE SHORT ezcddax.007E38AF
007E38A6 |. 8B55 F8 MOV EDX, DWORD PTR SS:[EBP-8]
007E38A9 |. 83CA 01 OR EDX, 1
007E38AC |. 8955 F8 MOV DWORD PTR SS:[EBP-8], EDX
007E38AF |> 8B45 F8 MOV EAX, DWORD PTR SS:[EBP-8]
007E38B2 |. 50 PUSH EAX ; /Arg1
007E38B3 |. FF15 00CC8300 CALL DWORD PTR DS:[83CC00] ; \ezcddax.007DE2C9
007E38B9 |. 83C4 04 ADD ESP, 4
007E38BC |. 5F POP EDI
007E38BD |. 5E POP ESI
007E38BE |. 5B POP EBX
007E38BF |. 8BE5 MOV ESP, EBP
007E38C1 |. 5D POP EBP
007E38C2 \. C3 RETN
Modify to:
007E381A 55 PUSH EBP
007E381B 8BEC MOV EBP, ESP
007E381D 83EC 0C SUB ESP, 0C
007E3820 53 PUSH EBX
007E3821 56 PUSH ESI
007E3822 57 PUSH EDI
007E3823 8B45 08 MOV EAX, DWORD PTR SS:[EBP+8]
007E3826 50 PUSH EAX
007E3827 FF15 64CC8300 CALL DWORD PTR DS:[83CC64] ; ezcddax.007DE435
007E382D 83C4 04 ADD ESP, 4
007E3830 8945 FC MOV DWORD PTR SS:[EBP-4], EAX
007E3833 8B45 FC MOV EAX, DWORD PTR SS:[EBP-4] ; fetch the EFLAGS value from the CONTEXT
007E3836 90 NOP ; fetch the CC address
007E3837 90 NOP
007E3838 36:A1 108F8200 MOV EAX, DWORD PTR SS:[828F10]
007E383E 8B00 MOV EAX, DWORD PTR DS:[EAX] ; fetch the CC address
007E3840 8078 FF 0F CMP BYTE PTR DS:[EAX-1], 0F ; check whether the preceding byte is the long-jump prefix
007E3844 74 06 JE SHORT ezcddax.007E384C
007E3846 C640 FF 75 MOV BYTE PTR DS:[EAX-1], 75 ; short jump written at the CC address
007E384A EB 20 JMP SHORT ezcddax.007E386C
007E384C C600 85 MOV BYTE PTR DS:[EAX], 85 ; long-jump write; note it is written at the address where the CC occurred, not at the CC address
007E384F 90 NOP
007E3850 33C0 XOR EAX, EAX
007E3852 90 NOP
007E3853 90 NOP
007E3854 90 NOP
007E3855 90 NOP
007E3856 90 NOP
007E3857 90 NOP
007E3858 90 NOP
007E3859 90 NOP
007E385A 90 NOP
007E385B 90 NOP
007E385C 90 NOP
007E385D 90 NOP
007E385E 90 NOP
007E385F 90 NOP
007E3860 90 NOP
007E3861 90 NOP
007E3862 90 NOP
007E3863 90 NOP
007E3864 90 NOP
007E3865 90 NOP
007E3866 90 NOP
007E3867 90 NOP
007E3868 90 NOP
007E3869 90 NOP
007E386A 90 NOP
007E386B 90 NOP
007E386C 90 NOP
007E386D 90 NOP
007E386E 90 NOP
007E386F 90 NOP
007E3870 90 NOP
007E3871 90 NOP
007E3872 90 NOP
007E3873 90 NOP
007E3874 90 NOP
007E3875 90 NOP
007E3876 90 NOP
007E3877 90 NOP
007E3878 90 NOP
007E3879 90 NOP
007E387A 90 NOP
007E387B 90 NOP
007E387C 90 NOP
007E387D 90 NOP
007E387E 90 NOP
007E387F 90 NOP
007E3880 90 NOP
007E3881 90 NOP
007E3882 90 NOP
007E3883 90 NOP
007E3884 90 NOP
007E3885 90 NOP
007E3886 90 NOP
007E3887 90 NOP
007E3888 90 NOP
007E3889 90 NOP
007E388A 90 NOP
007E388B 90 NOP
007E388C 8945 F4 MOV DWORD PTR SS:[EBP-C], EAX
007E388F 8B0D D4838300 MOV ECX, DWORD PTR DS:[8383D4]
007E3895 330D D8838300 XOR ECX, DWORD PTR DS:[8383D8]
007E389B D1E1 SHL ECX, 1
007E389D 894D F8 MOV DWORD PTR SS:[EBP-8], ECX
007E38A0 837D F4 00 CMP DWORD PTR SS:[EBP-C], 0
007E38A4 74 09 JE SHORT ezcddax.007E38AF
007E38A6 8B55 F8 MOV EDX, DWORD PTR SS:[EBP-8]
007E38A9 83CA 01 OR EDX, 1
007E38AC 8955 F8 MOV DWORD PTR SS:[EBP-8], EDX
007E38AF 8B45 F8 MOV EAX, DWORD PTR SS:[EBP-8]
007E38B2 50 PUSH EAX
007E38B3 FF15 00CC8300 CALL DWORD PTR DS:[83CC00] ; ezcddax.007DE2C9
007E38B9 83C4 04 ADD ESP, 4
007E38BC 5F POP EDI
007E38BD 5E POP ESI
007E38BE 5B POP EBX
007E38BF 8BE5 MOV ESP, EBP
007E38C1 5D POP EBP
007E38C2 C3 RETN
55 8B EC 83 EC 0C 53 56 57 8B 45 08 50 FF 15 64 CC 83 00 83 C4 04 89 45 FC 8B 45 FC 90 90 36 A1
10 8F 82 00 8B 00 80 78 FF 0F 74 06 C6 40 FF 75 EB 20 C6 00 85 90 33 C0 90 90 90 90 90 90 90 90
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 89 45 F4 8B 0D D4 83 83 00 33 0D D8 83 83
00 D1 E1 89 4D F8 83 7D F4 00 74 09 8B 55 F8 83 CA 01 89 55 F8 8B 45 F8 50 FF 15 00 CC 83 00 83
C4 04 5F 5E 5B 8B E5 5D C3
The repaired code:
00439986 84C0 TEST AL, AL
00439988 75 24 JNZ SHORT ezcddax.004399AE //repaired code: a short JNZ
0043998A 68 FF000000 PUSH 0FF
0043998F 8D85 70F4FFFF LEA EAX, DWORD PTR SS:[EBP-B90]
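The flag analysis in Examples 1 to 3 rests on two pieces of x86 arithmetic that are easy to get wrong by hand: which EFLAGS bit a mask such as 40 selects, and where a repaired 74/75 or 0F 84/0F 85 actually lands once its displacement is added to the end of the instruction. The Python script below is an added example, not part of fxyang's post and not code from Armadillo or Easy CD-DA Extractor. It assumes only the values quoted in the listings above: the EFLAGS value 246, the mask 40, and the three repaired jumps with the targets OD shows for them. The NEG/SBB/NEG and NEG/SBB/INC sequences the shell uses to turn the masked value into 1 or 0 are mirrored in shell_condition.

```python
# Added example (not part of the original post or of Armadillo / Easy CD-DA
# Extractor): decodes the EFLAGS value the shell masks and checks the
# displacement arithmetic of the repaired Jcc instructions, using only the
# register values and patched bytes quoted in Examples 1-3 above.
import struct

# Architectural x86 EFLAGS bit positions (bit 0 = least significant).
EFLAGS_BITS = {0: "CF", 2: "PF", 4: "AF", 6: "ZF", 7: "SF",
               8: "TF", 9: "IF", 10: "DF", 11: "OF"}


def decode_eflags(value):
    """Names of the flags set in an EFLAGS value, e.g. 0x246 -> PF, ZF, IF."""
    return [name for bit, name in EFLAGS_BITS.items() if value & (1 << bit)]


def flag_under_test(mask):
    """Name the flag selected by a single-bit mask such as the shell's AND EAX, 40."""
    if mask == 0 or mask & (mask - 1):
        raise ValueError("mask must select exactly one bit")
    return EFLAGS_BITS[mask.bit_length() - 1]


def shell_condition(eflags, mask, must_be_set):
    """Mirror of the shell's test: (eflags & mask) != 0, then NEG/SBB/NEG
    (must_be_set=True, Examples 1 and 2) or NEG/SBB/INC (must_be_set=False,
    Example 3) turns that into 1 = condition holds, 0 = condition fails."""
    nonzero = (eflags & mask) != 0
    return int(nonzero == must_be_set)


def jcc_target(insn_addr, insn_bytes):
    """Branch target of a short (7x rel8) or near (0F 8x rel32) Jcc; the
    displacement is relative to the end of the instruction."""
    if insn_bytes[0] == 0x0F and 0x80 <= insn_bytes[1] <= 0x8F:
        length, disp = 6, struct.unpack_from("<i", insn_bytes, 2)[0]
    elif 0x70 <= insn_bytes[0] <= 0x7F:
        length, disp = 2, struct.unpack_from("<b", insn_bytes, 1)[0]
    else:
        raise ValueError("not a conditional jump")
    return (insn_addr + length + disp) & 0xFFFFFFFF


# The three repaired jumps listed in the post (address, bytes, expected target),
# copied from the "repaired code" lines of Examples 1-3.
REPAIRED_JUMPS = [
    (0x0043989D, bytes.fromhex("0F84AE030000"), 0x00439C51),  # Example 1, long JE
    (0x00439961, bytes.fromhex("7413"),         0x00439976),  # Example 2, short JE
    (0x00439988, bytes.fromhex("7524"),         0x004399AE),  # Example 3, short JNZ
]


def check_repaired_jumps(jumps=REPAIRED_JUMPS):
    """True when every repaired Jcc reaches the target the listing shows."""
    return all(jcc_target(addr, code) == target for addr, code, target in jumps)


if __name__ == "__main__":
    print(decode_eflags(0x246))                 # ['PF', 'ZF', 'IF']
    print(flag_under_test(0x40))                # ZF
    print(shell_condition(0x246, 0x40, True))   # 1: ZF=1, the JE condition holds
    print(shell_condition(0x246, 0x40, False))  # 0: the JNZ condition does not
    print(check_repaired_jumps())               # True
```

The displacement check is the part worth keeping around: a 74/75 written one byte off, or an 0F 84/0F 85 written at the CC address instead of the byte after it, changes the instruction length and silently moves the target, and the listing alone will not reveal that until the program misbehaves.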
There are many more jumps, which cannot all be traced here one by one; anyone who wants to repair the CCs can keep tracing with this method.
Determining the jump type is not actually hard; the shell merely scatters the code, so the amount of modification is large, which is why this method is not a good one.
Owing to time constraints this was not finished completely; only the basic method is given. Use it as a reference, but do not feel bound to it.
fxyang
2006.3.18