用 PEiD 查壳结果是：Armadillo 2.51 - 3.xx DLL Stub -> Silicon Realms Toolworks
就试了一下：用 OD 加载，然后隐藏。
下断 HE GetModuleHandleA+1，F9 运行，最后来到：
000693C8 /00069668
000693CC |00DC5CE1 返回到 00DC5CE1 来自 KERNEL32.GetModuleHandleA
000693D0 |0006951C ASCII "kernel32.dll"
清除断点，Alt+F9 返回到这里：
00DC5CE1 8B0D AC40DF00 mov ecx,dword ptr ds:[DF40AC]
00DC5CE7 89040E mov dword ptr ds:[esi+ecx],eax
00DC5CEA A1 AC40DF00 mov eax,dword ptr ds:[DF40AC]
00DC5CEF 391C06 cmp dword ptr ds:[esi+eax],ebx
00DC5CF2 75 16 jnz short 00DC5D0A
00DC5CF4 8D85 B4FEFFFF lea eax,dword ptr ss:[ebp-14C]
00DC5CFA 50 push eax
00DC5CFB FF15 BC62DE00 call dword ptr ds:[DE62BC] ; KERNEL32.LoadLibraryA
00DC5D01 8B0D AC40DF00 mov ecx,dword ptr ds:[DF40AC]
00DC5D07 89040E mov dword ptr ds:[esi+ecx],eax
00DC5D0A A1 AC40DF00 mov eax,dword ptr ds:[DF40AC]
00DC5D0F 391C06 cmp dword ptr ds:[esi+eax],ebx
00DC5D12 0F84 2F010000 je 00DC5E47 ;Magic jump,,,改之.....
00DC5D18 33C9 xor ecx,ecx
00DC5D1A 8B07 mov eax,dword ptr ds:[edi]
00DC5D1C 3918 cmp dword ptr ds:[eax],ebx
00DC5D1E 74 06 je short 00DC5D26
00DC5D20 41 inc ecx
00DC5D21 83C0 0C add eax,0C
下断 HE GetTickCount，F9 运行，中断到这里：
77E6EDD2 K> BA 0000FE7F mov edx,7FFE0000
77E6EDD7 8B02 mov eax,dword ptr ds:[edx]
77E6EDD9 F762 04 mul dword ptr ds:[edx+4]
77E6EDDC 0FACD0 18 shrd eax,edx,18
77E6EDE0 C3 retn
77E6EDE1 K> 55 push ebp
77E6EDE2 8BEC mov ebp,esp
77E6EDE4 83EC 18 sub esp,18
77E6EDE7 8B45 08 mov eax,dword ptr ss:[ebp+8]
77E6EDEA 8B08 mov ecx,dword ptr ds:[eax]
77E6EDEC 8B40 04 mov eax,dword ptr ds:[eax+4]
77E6EDEF 85C0 test eax,eax
77E6EDF1 894D F8 mov dword ptr ss:[ebp-8],ecx
77E6EDF4 8945 FC mov dword ptr ss:[ebp-4],eax
堆栈:
00069670 00DDC3C8 /CALL 到 GetTickCount 来自 00DDC3C2
00069674 00DEFA98
00069678 77F87FC0 ntdll.RtlLeaveCriticalSection
清除断点，Alt+F9 返回到这里：
00DDC3C8 2B85 A4D4FFFF sub eax,dword ptr ss:[ebp-2B5C]
00DDC3CE 8B8D A8D4FFFF mov ecx,dword ptr ss:[ebp-2B58]
00DDC3D4 6BC9 32 imul ecx,ecx,32
00DDC3D7 81C1 D0070000 add ecx,7D0
00DDC3DD 3BC1 cmp eax,ecx
00DDC3DF 76 07 jbe short 00DDC3E8
00DDC3E1 C685 34D9FFFF 01 mov byte ptr ss:[ebp-26CC],1
00DDC3E8 83BD E4D7FFFF 00 cmp dword ptr ss:[ebp-281C],0
00DDC3EF 0F85 8A000000 jnz 00DDC47F
00DDC3F5 0FB685 94D4FFFF movzx eax,byte ptr ss:[ebp-2B6C]
00DDC3FC 85C0 test eax,eax
00DDC3FE 74 7F je short 00DDC47F
00DDC400 6A 00 push 0
00DDC402 8B85 98D4FFFF mov eax,dword ptr ss:[ebp-2B68]
00DDC408 C1E0 02 shl eax,2
00DDC40B 50 push eax
00DDC40C 8B85 0CD8FFFF mov eax,dword ptr ss:[ebp-27F4]
00DDC412 0385 90D4FFFF add eax,dword ptr ss:[ebp-2B70]
查找:
PUSH EAX
XCHG CX,CX
POP EAX
STC
下断点，F9 运行后断下：
00DDCF54 50 push eax
00DDCF55 66:87C9 xchg cx,cx
00DDCF58 58 pop eax
00DDCF59 C705 E0C0DE00 60CBDE0>mov dword ptr ds:[DEC0E0],0DECB60
00DDCF63 A1 E49FDF00 mov eax,dword ptr ds:[DF9FE4]
00DDCF68 8B00 mov eax,dword ptr ds:[eax] ;重定位表的RVA
00DDCF6A 8985 3CD9FFFF mov dword ptr ss:[ebp-26C4],eax
00DDCF70 A1 E49FDF00 mov eax,dword ptr ds:[DF9FE4]
00DDCF75 83C0 04 add eax,4
00DDCF78 A3 E49FDF00 mov dword ptr ds:[DF9FE4],eax
00DDCF7D A1 E49FDF00 mov eax,dword ptr ds:[DF9FE4]
00DDCF82 8B00 mov eax,dword ptr ds:[eax] ;重定位表的大小
00DDCF84 8985 78D9FFFF mov dword ptr ss:[ebp-2688],eax
00DDCF8A A1 E49FDF00 mov eax,dword ptr ds:[DF9FE4]
00DDCF8F 83C0 04 add eax,4
00DDCF92 A3 E49FDF00 mov dword ptr ds:[DF9FE4],eax
00DDCF97 83BD 3CD9FFFF 00 cmp dword ptr ss:[ebp-26C4],0
00DDCF9E 74 6F je short 00DDD00F
00DDCFA0 83BD 78D9FFFF 00 cmp dword ptr ss:[ebp-2688],0
00DDCFA7 74 66 je short 00DDD00F
00DDCFA9 8B85 FCD7FFFF mov eax,dword ptr ss:[ebp-2804]
00DDCFAF 8B8D 0CD8FFFF mov ecx,dword ptr ss:[ebp-27F4]
00DDCFB5 3B48 34 cmp ecx,dword ptr ds:[eax+34]
00DDCFB8 74 55 je short 00DDD00F ;映像基址不符的jump 改jmp
00DDCFBA FFB5 78D9FFFF push dword ptr ss:[ebp-2688]
00DDCFC0 8B85 0CD8FFFF mov eax,dword ptr ss:[ebp-27F4]
00DDCFC6 0385 3CD9FFFF add eax,dword ptr ss:[ebp-26C4]
00DDCFCC 50 push eax
00DDCFCD 8B85 FCD7FFFF mov eax,dword ptr ss:[ebp-2804]
00DDCFD3 FF70 34 push dword ptr ds:[eax+34]
00DDCFD6 FFB5 0CD8FFFF push dword ptr ss:[ebp-27F4]
00DDCFDC E8 3C150000 call 00DDE51D ;重定位处理CALL
00DDCFE1 83C4 10 add esp,10
00DDCFE4 0FB6C0 movzx eax,al
00DDCFE7 85C0 test eax,eax
00DDCFE9 75 24 jnz short 00DDD00F
00DDCFEB 8B45 08 mov eax,dword ptr ss:[ebp+8]
00DDCFEE 8B00 mov eax,dword ptr ds:[eax]
00DDCFF0 C700 07000000 mov dword ptr ds:[eax],7
00DDCFF6 68 50CBDE00 push 0DECB50 ; ASCII "Location CPG"
00DDCFFB 8B45 08 mov eax,dword ptr ss:[ebp+8]
00DDCFFE FF70 04 push dword ptr ds:[eax+4]
00DDD001 E8 24800000 call 00DE502A ; jmp to MSVCRT.strcpy
Alt+M，在 .text 段下内存断点，F9 运行：
007B1140 /EB 10 jmp short Chekii.007B1152 ;<---------OEP
007B1142 |66:623A bound di,dword ptr ds:[edx]
007B1145 |43 inc ebx
007B1146 |2B2B sub ebp,dword ptr ds:[ebx]
007B1148 |48 dec eax
007B1149 |4F dec edi
007B114A |4F dec edi
007B114B |4B dec ebx
007B114C |90 nop
007B114D -|E9 F8007D00 jmp 00F8124A
007B1152 \A1 7F007D00 mov eax,dword ptr ds:[7D007F]
007B1157 C1E0 02 shl eax,2
007B115A A3 83007D00 mov dword ptr ds:[7D0083],eax
007B115F 8B4424 08 mov eax,dword ptr ss:[esp+8]
007B1163 A3 F1007D00 mov dword ptr ds:[7D00F1],eax
007B1168 FF1485 E1007D00 call dword ptr ds:[eax*4+7D00E1]
007B116F 833D F1007D00 01 cmp dword ptr ds:[7D00F1],1
007B1176 75 5E jnz short Chekii.007B11D6
007B1178 803D 8B007D00 00 cmp byte ptr ds:[7D008B],0
007B117F 74 24 je short Chekii.007B11A5
007B1181 E8 C2E40100 call Chekii.007CF648 ; jmp to KERNEL32.GetVersion
用 LordPE dump 之后，接下来我就找不到 IAT 了。这个 OEP 有点怪，是什么原因？下面是原 DLL：
http://chekii.zk.cn/Chekii.dll