#5
Senior 小虾, I set a breakpoint at the OEP you mentioned, but execution never even gets there, let alone to the point of dumping. Please give me a few more pointers! Thanks.
If you have time, please write an unpacking tutorial; I'd like to study it!
Boss, a rule violation????
#7
Strange: I loaded it in OD and set a breakpoint at the OEP you mentioned, but it never breaks at all. I'm lost!
It seems to keep spinning inside LOADDLL and never enters the address space of the DLL I want to debug. What's going on?!
forgot, come and have a look too!
#9
Thanks FLY, I tried it. After loading in OD, initialization completes immediately and F9 doesn't get me into the DLL's address space. At that point I manually closed LOADDLL.exe, pressed F9 again, and got in; I found the relocation table, traced to the entry point and stopped at the OEP. There I dumped the file with OD's built-in dump, and I also used LordPE to find the LOADDLL process and dump the DLL being debugged. I found that the two dumped DLLs differ, and I'd like to know whether both of them are usable!
Thanks for the corrections!
#11
Thanks again, FLY; when I have time I'll learn properly from you!
I'll try again!
I tried the method above: after loading in OD, without closing the OllyDbg DLL Loader window beside the debugger, F9 just won't get me into the address space of the DLL being debugged. This is my first time manually unpacking a DLL and I can't figure out what's going on!
But on the sample you posted it works. I'm confused!
#13
Yes, you can load it in OD. A UPX shell is easy to remove; only fixing the DLL relocations is a bit tricky, but once you're familiar with it, it's simple too:
After loading it breaks here. Then scroll down and look for the "popad" instruction, set a breakpoint on it, run with F9, and one more step takes you to the entry point. Once you've found the entry point you can dump the whole DLL file with LordPE. Then fix the imports and fix the DLL's relocation data, and that's it.
1000A037 X> 807C24 08 01 cmp byte ptr ss:[esp+8],1 //OD stops here after loading
1000A03C 0F85 95010000 jnz XYG.1000A1D7
1000A042 60 pushad
1000A043 E8 00000000 call XYG.1000A048
1000A048 58 pop eax
1000A049 83E8 48 sub eax,48
1000A04C 50 push eax
1000A04D 8DB8 0070FFFF lea edi,dword ptr ds:[eax+FFFF>
1000A053 57 push edi
1000A054 66:8187 00000000 00>add word ptr ds:[edi],0
1000A05D 8DB0 F8010000 lea esi,dword ptr ds:[eax+1F8]
1000A063 83CD FF or ebp,FFFFFFFF
1000A066 31DB xor ebx,ebx
1000A068 EB 08 jmp short XYG.1000A072
1000A06A 90 nop
1000A06B 90 nop
1000A06C 8A06 mov al,byte ptr ds:[esi]
1000A06E 46 inc esi
1000A06F 8807 mov byte ptr ds:[edi],al
1000A071 47 inc edi
1000A072 01DB add ebx,ebx
1000A074 75 07 jnz short XYG.1000A07D
1000A076 8B1E mov ebx,dword ptr ds:[esi]
1000A078 83EE FC sub esi,-4
1000A07B 11DB adc ebx,ebx
1000A07D ^ 72 ED jb short XYG.1000A06C
1000A07F B8 01000000 mov eax,1
1000A084 01DB add ebx,ebx
1000A086 75 07 jnz short XYG.1000A08F
1000A088 8B1E mov ebx,dword ptr ds:[esi]
1000A08A 83EE FC sub esi,-4
1000A08D 11DB adc ebx,ebx
1000A08F 11C0 adc eax,eax
1000A091 01DB add ebx,ebx
1000A093 ^ 77 EF ja short XYG.1000A084
1000A095 75 09 jnz short XYG.1000A0A0
1000A097 8B1E mov ebx,dword ptr ds:[esi]
1000A099 83EE FC sub esi,-4
1000A09C 11DB adc ebx,ebx
1000A09E ^ 73 E4 jnb short XYG.1000A084
1000A0A0 31C9 xor ecx,ecx
1000A0A2 83E8 03 sub eax,3
1000A0A5 72 67 jb short XYG.1000A10E
1000A0A7 C1E0 08 shl eax,8
1000A0AA 8A06 mov al,byte ptr ds:[esi]
1000A0AC 46 inc esi
1000A0AD 83F0 FF xor eax,FFFFFFFF
1000A0B0 74 78 je short XYG.1000A12A
1000A0B2 89C5 mov ebp,eax
1000A0B4 01DB add ebx,ebx
1000A0B6 75 07 jnz short XYG.1000A0BF
1000A0B8 8B1E mov ebx,dword ptr ds:[esi]
1000A0BA 83EE FC sub esi,-4
1000A0BD 11DB adc ebx,ebx
1000A0BF 11C9 adc ecx,ecx
1000A0C1 01DB add ebx,ebx
1000A0C3 75 07 jnz short XYG.1000A0CC
1000A0C5 8B1E mov ebx,dword ptr ds:[esi]
1000A0C7 83EE FC sub esi,-4
1000A0CA 11DB adc ebx,ebx
1000A0CC 11C9 adc ecx,ecx
1000A0CE 75 20 jnz short XYG.1000A0F0
1000A0D0 41 inc ecx
1000A0D1 01DB add ebx,ebx
1000A0D3 75 07 jnz short XYG.1000A0DC
1000A0D5 8B1E mov ebx,dword ptr ds:[esi]
1000A0D7 83EE FC sub esi,-4
1000A0DA 11DB adc ebx,ebx
1000A0DC 11C9 adc ecx,ecx
1000A0DE 01DB add ebx,ebx
1000A0E0 ^ 77 EF ja short XYG.1000A0D1
1000A0E2 75 09 jnz short XYG.1000A0ED
1000A0E4 8B1E mov ebx,dword ptr ds:[esi]
1000A0E6 83EE FC sub esi,-4
1000A0E9 11DB adc ebx,ebx
1000A0EB ^ 73 E4 jnb short XYG.1000A0D1
1000A0ED 83C1 02 add ecx,2
1000A0F0 3D 00F3FFFF cmp eax,-0D00
1000A0F5 83D1 01 adc ecx,1
1000A0F8 8D1407 lea edx,dword ptr ds:[edi+eax]
1000A0FB 83F8 FC cmp eax,-4
1000A0FE 7E 14 jle short XYG.1000A114
1000A100 8A02 mov al,byte ptr ds:[edx]
1000A102 42 inc edx
1000A103 8807 mov byte ptr ds:[edi],al
1000A105 47 inc edi
1000A106 49 dec ecx
1000A107 ^ 75 F7 jnz short XYG.1000A100
1000A109 ^ E9 64FFFFFF jmp XYG.1000A072
1000A10E 89E8 mov eax,ebp
1000A110 ^ EB A2 jmp short XYG.1000A0B4
1000A112 90 nop
1000A113 90 nop
1000A114 8B02 mov eax,dword ptr ds:[edx]
1000A116 83C2 04 add edx,4
1000A119 8907 mov dword ptr ds:[edi],eax
1000A11B 83C7 04 add edi,4
1000A11E 83E9 04 sub ecx,4
1000A121 ^ 77 F1 ja short XYG.1000A114
1000A123 01CF add edi,ecx
1000A125 ^ E9 48FFFFFF jmp XYG.1000A072
1000A12A 5E pop esi
1000A12B 5D pop ebp
1000A12C 2B7F FC sub edi,dword ptr ds:[edi-4]
1000A12F 57 push edi
1000A130 8DBE 00000000 lea edi,dword ptr ds:[esi]
1000A136 B9 22010000 mov ecx,122
1000A13B 8A07 mov al,byte ptr ds:[edi]
1000A13D 47 inc edi
1000A13E 2C E8 sub al,0E8
1000A140 3C 01 cmp al,1
1000A142 ^ 77 F7 ja short XYG.1000A13B
1000A144 803F 06 cmp byte ptr ds:[edi],6
1000A147 ^ 75 F2 jnz short XYG.1000A13B
1000A149 8B07 mov eax,dword ptr ds:[edi]
1000A14B 8A5F 04 mov bl,byte ptr ds:[edi+4]
1000A14E 66:C1E8 08 shr ax,8
1000A152 C1C0 10 rol eax,10
1000A155 86C4 xchg ah,al
1000A157 29F8 sub eax,edi
1000A159 80EB E8 sub bl,0E8
1000A15C 01F0 add eax,esi
1000A15E 8907 mov dword ptr ds:[edi],eax
1000A160 83C7 05 add edi,5
1000A163 89D8 mov eax,ebx
1000A165 ^ E2 D9 loopd short XYG.1000A140
1000A167 5F pop edi
1000A168 8B07 mov eax,dword ptr ds:[edi]
1000A16A 09C0 or eax,eax
1000A16C 74 37 je short XYG.1000A1A5
1000A16E 8B5F 04 mov ebx,dword ptr ds:[edi+4]
1000A171 8D8430 00800000 lea eax,dword ptr ds:[eax+esi+>
1000A178 01F3 add ebx,esi
1000A17A 50 push eax
1000A17B 83C7 08 add edi,8
1000A17E FF55 00 call dword ptr ss:[ebp]
1000A181 92 xchg eax,edx
1000A182 8A07 mov al,byte ptr ds:[edi]
1000A184 47 inc edi
1000A185 08C0 or al,al
1000A187 ^ 74 DF je short XYG.1000A168
1000A189 52 push edx
1000A18A 89F9 mov ecx,edi
1000A18C 79 07 jns short XYG.1000A195
1000A18E 0FB707 movzx eax,word ptr ds:[edi]
1000A191 47 inc edi
1000A192 50 push eax
1000A193 47 inc edi
1000A194 B9 5748F2AE mov ecx,AEF24857
1000A199 52 push edx
1000A19A FF55 04 call dword ptr ss:[ebp+4]
1000A19D 5A pop edx
1000A19E 8903 mov dword ptr ds:[ebx],eax
1000A1A0 83C3 04 add ebx,4
1000A1A3 ^ EB DD jmp short XYG.1000A182
1000A1A5 8D5E FC lea ebx,dword ptr ds:[esi-4]
1000A1A8 83C7 04 add edi,4
1000A1AB 31C0 xor eax,eax
1000A1AD 8A07 mov al,byte ptr ds:[edi] //DLL relocation processing; EDI is "100082FD" at this point
1000A1AF 47 inc edi
1000A1B0 09C0 or eax,eax
1000A1B2 74 22 je short XYG.1000A1D6
1000A1B4 3C EF cmp al,0EF
1000A1B6 77 11 ja short XYG.1000A1C9
1000A1B8 01C3 add ebx,eax
1000A1BA 8B03 mov eax,dword ptr ds:[ebx]
1000A1BC 86C4 xchg ah,al
1000A1BE C1C0 10 rol eax,10
1000A1C1 86C4 xchg ah,al
1000A1C3 01F0 add eax,esi
1000A1C5 8903 mov dword ptr ds:[ebx],eax
1000A1C7 ^ EB E2 jmp short XYG.1000A1AB
1000A1C9 24 0F and al,0F
1000A1CB C1E0 10 shl eax,10
1000A1CE 66:8B07 mov ax,word ptr ds:[edi]
1000A1D1 83C7 02 add edi,2
1000A1D4 ^ EB E2 jmp short XYG.1000A1B8
1000A1D6 61 popad //relocation processing is finished here; EDI is now 100084FB
1000A1D7 - E9 C387FFFF jmp XYG.1000299F //cross-section jump to the entry point
Jumping here: is this really the entry point??? It's all garbage, but you can use right-click / Analyse / Analyse code to restore the code.
1000299F 55 db 55 ; CHAR 'U'
100029A0 8B db 8B
100029A1 EC db EC
100029A2 53 db 53 ; CHAR 'S'
100029A3 8B db 8B
100029A4 5D db 5D ; CHAR ']'
100029A5 08 db 08
100029A6 56 db 56 ; CHAR 'V'
100029A7 8B db 8B
100029A8 75 db 75 ; CHAR 'u'
100029A9 0C db 0C
100029AA 57 db 57 ; CHAR 'W'
100029AB 8B db 8B
100029AC 7D db 7D ; CHAR '}'
100029AD 10 db 10
100029AE 85 db 85
The entry point after code analysis. Now you can dump the DLL file with LordPE, then fix the imports and fix the DLL's relocation data, and you're done.
1000299F /. 55 push ebp
100029A0 |. 8BEC mov ebp,esp
100029A2 |. 53 push ebx
100029A3 |. 8B5D 08 mov ebx,dword ptr ss:[ebp+8]
100029A6 |. 56 push esi
100029A7 |. 8B75 0C mov esi,dword ptr ss:[ebp+C]
100029AA |. 57 push edi
100029AB |. 8B7D 10 mov edi,dword ptr ss:[ebp+10]
100029AE |. 85F6 test esi,esi
100029B0 |. 75 09 jnz short XYG.100029BB
100029B2 |. 833D 70740010 00 cmp dword ptr ds:[10007470],0
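To make the relocation loop the listing highlights (1000A1A5 through 1000A1D6) concrete, here is an added Python re-implementation of exactly that loop; it is editor-added example code, not from the post, from OD, or from UPX itself. It assumes, as the listing's own arithmetic at 1000A04D shows, that ESI holds the start address of the unpacked section (0x10001000), and it runs over a small constructed memory image rather than the real DLL.

```python
import struct

# Constructed stand-in for the unpacked section; not data from the original post.
SECTION_VA = 0x10001000  # value of ESI in the listing (computed at 1000A04D)

def bswap32(v: int) -> int:
    """xchg ah,al / rol eax,10 / xchg ah,al in the listing is a 32-bit byte swap."""
    return int.from_bytes(v.to_bytes(4, "little"), "big")

def decode_upx_dll_relocs(mem: bytearray, mem_va: int, edi: int, esi: int):
    """Re-implementation of the loop at 1000A1A5..1000A1D6.
    mem is memory starting at virtual address mem_va; edi points at the zero
    dword that ended the import list; esi is the unpacked section's VA.
    Returns the list of (address, new dword) written and the final edi."""
    ebx = esi - 4                    # 1000A1A5 lea ebx,[esi-4]
    edi += 4                         # 1000A1A8 add edi,4
    patched = []
    while True:
        b = mem[edi - mem_va]        # 1000A1AD mov al,[edi]
        edi += 1
        if b == 0:                   # 1000A1B2 je: a zero byte ends the stream
            break
        if b > 0xEF:                 # 1000A1B4/1000A1B6: 20-bit extended delta
            lo = struct.unpack_from("<H", mem, edi - mem_va)[0]
            edi += 2
            b = ((b & 0x0F) << 16) | lo
        ebx += b                     # 1000A1B8 add ebx,eax: delta-encoded address
        off = ebx - mem_va
        stored = struct.unpack_from("<I", mem, off)[0]
        fixed = (bswap32(stored) + esi) & 0xFFFFFFFF   # 1000A1C3 add eax,esi
        struct.pack_into("<I", mem, off, fixed)        # 1000A1C5 mov [ebx],eax
        patched.append((ebx, fixed))
    return patched, edi

def demo():
    """Three big-endian stored values plus a constructed relocation stream."""
    mem = bytearray(0x40)
    mem[0x00:0x04] = bytes.fromhex("00000010")
    mem[0x08:0x0C] = bytes.fromhex("00000100")
    mem[0x18:0x1C] = bytes.fromhex("00000234")
    # Stream: 4-byte import-list terminator, deltas 4 and 8, an extended
    # 3-byte delta of 0x10 (F0 10 00), then the 0 terminator.
    mem[0x20:0x2A] = bytes.fromhex("00000000" "04" "08" "F01000" "00")
    return decode_upx_dll_relocs(mem, SECTION_VA, SECTION_VA + 0x20, SECTION_VA)
```

After the loop returns, ebx has walked 0x10001000, 0x10001008 and 0x10001018 and each stored dword has become a proper absolute address, which is why a dump taken after popad no longer matches the on-disk relocation table and needs its .reloc data rebuilt.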