【Author】condor
【Tools】od (OllyDbg), LordPE, ImportREC
【Operating system】Windows XP
【Download】http://www.onlinedown.net/soft/37369.htm
--------------------------------------------------------------------------------
【Statement】This is my first unpacking write-up, so please go easy on me! This post is limited to unpacking and does not involve cracking. I also hope the software's author will forgive me.
【Software】Windows木马清道夫 8.9 上网必备版 (Windows Trojan Cleaner 8.9, Internet edition)
【Protection】PECompact 2.x -> Jeremy Collake
--------------------------------------------------------------------------------
1. Turn off all exception-ignore options, keeping only "memory access violations in kernel32" ignored.
2. F9, run.
3. Pause at the exception caused by writing to memory at [00000000].
4. Look at the SEH chain, take the first SE handler, and Ctrl+G to that address.
5. Scroll down to find `jmp eax` and note its address.
6. Reload in OllyDbg and set a hardware execute breakpoint: `he <address from step 5>`. F9; it breaks.
7. F8: you land on "jmp to MSVBVM60.ThunRTMain", which gives the OEP: 004013A4.
8. Dump, fix the IAT with ImpREC, run dumped_.exe: a dialog pops up whose title and body are both "error".
Details follow:
0040139E 24 db 24 ; CHAR '$'
0040139F 11 db 11
004013A0 40 db 40 ; CHAR '@'
004013A1 00 db 00
004013A2 00 db 00
004013A3 00 db 00
004013A4 > $ 68 E0194500 push 004519E0 ; ASCII "VB5!6&vb6chs.dll"
004013A9 . E8 EEFFFFFF call 0040139C ; jmp 到 MSVBVM60.ThunRTMain
004013AE ? 0000 add [eax], al
004013B0 ? 50 push eax
004013B1 . 0000 add [eax], al
004013B3 ? 0030 add [eax], dh
004013B5 ? 0000 add [eax], al
004013B7 ? 0048 00 add [eax], cl
004013BA . 0000 add [eax], al
004013BC . 0000 add [eax], al
004013BE . 0000 add [eax], al
004013C0 . 5B pop ebx
004013C1 . 023D FB8303FC add bh, [FC0383FB]
ImpREC log:
Analysing process...
Module loaded: c:\windows\system32\ntdll.dll
Module loaded: c:\windows\system32\kernel32.dll
Module loaded: c:\windows\system32\oleaut32.dll
Module loaded: c:\windows\system32\msvcrt.dll
Module loaded: c:\windows\system32\user32.dll
Module loaded: c:\windows\system32\gdi32.dll
Module loaded: c:\windows\system32\advapi32.dll
Module loaded: c:\windows\system32\rpcrt4.dll
Module loaded: c:\windows\system32\ole32.dll
Module loaded: d:\program files\ftc\msvbvm60.dll
Module loaded: c:\windows\system32\imm32.dll
Module loaded: c:\windows\system32\lpk.dll
Module loaded: c:\windows\system32\usp10.dll
Getting associated modules done.
Image Base:00400000 Size:0037A000
Original IAT RVA found at: 00001124 in Section RVA: 00001000 Size:00372000
IAT read successfully.
---------------------------------------------------------------------------------------------------------------------------
Current imports:
4 (decimal:4) valid module(s) (added: +4 (decimal:+4))
5B (decimal:91) imported function(s). (added: +5B (decimal:+91))
---------------------------------------------------------------------------------------------------------------------------
Fixing a dumped file...
4 (decimal:4) module(s)
5B (decimal:91) imported function(s).
*** New section added successfully. RVA:0037A000 SIZE:00001000
Image Import Descriptor size: 50; Total length: 6A8
D:\Program Files\ftc\dumped_.exe saved successfully.
Which step went wrong? Is it system-related (I am on XP SP2), or does the program have a self-check? Hoping for some guidance from the veterans.
Addendum: I found that the ESP-balance trick yields the same OEP; the detailed procedure is the same as in:
http://www.stuhack.com/viewarticle.php?id=626
But the fixed dump still pops up a dialog whose title and body are both "error".
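As an added example (not part of the original post, and not the poster's own code), here is a small Python checker for the first thing worth verifying when a fixed VB6 dump refuses to start: whether the start-up stub at the OEP is still intact. A VB6 program begins with `push <VB header>` / `call <thunk>`, where the pushed address must point at a "VB5!" signature and the thunk must be a `jmp dword ptr [IAT slot]` that ImpREC has to resolve to MSVBVM60.ThunRTMain. The sample image below is constructed, not a real dump: it reproduces the bytes shown in the listing above (the `68 E0 19 45 00 / E8 EE FF FF FF` stub at 004013A4 and the `24 11 40 00` operand at 0040139E, which matches ImpREC's "Original IAT RVA found at: 00001124"); the two `FF 25` opcode bytes at 0040139C and the "VB5!" header contents are assumed.

```python
"""Sanity-check the start-up stub of a dumped VB6 executable.

Expected layout at the OEP of a VB6 program:

    push <VA of VB header>        ; 68 imm32, header starts with "VB5!"
    call <thunk>                  ; E8 rel32
  thunk:
    jmp  dword ptr [<IAT slot>]   ; FF 25 imm32, slot must resolve to ThunRTMain
"""
import struct
from dataclasses import dataclass
from typing import Optional

VB_SIGNATURE = b"VB5!"
IMAGE_BASE = 0x00400000  # image base reported by ImpREC in the log above


@dataclass
class OepCheck:
    ok: bool
    reason: str
    header_va: Optional[int] = None
    call_target_va: Optional[int] = None
    iat_slot_va: Optional[int] = None

    @property
    def iat_slot_rva(self) -> Optional[int]:
        return None if self.iat_slot_va is None else self.iat_slot_va - IMAGE_BASE


def _u32(image: bytes, off: int) -> int:
    return struct.unpack_from("<I", image, off)[0]


def _i32(image: bytes, off: int) -> int:
    return struct.unpack_from("<i", image, off)[0]


def check_vb6_oep(image: bytes, image_base: int, oep_va: int) -> OepCheck:
    """Decode the push/call/jmp chain at oep_va and report the first broken link."""
    off = oep_va - image_base
    if not 0 <= off <= len(image) - 10:
        return OepCheck(False, "OEP lies outside the image")
    if image[off] != 0x68:
        return OepCheck(False, "no 'push imm32' at the OEP")
    header_va = _u32(image, off + 1)
    if image[off + 5] != 0xE8:
        return OepCheck(False, "no 'call rel32' after the push", header_va)
    # call rel32 is relative to the end of the 5-byte call (OEP + 5 + 5)
    call_target_va = oep_va + 10 + _i32(image, off + 6)
    header_off = header_va - image_base
    if not 0 <= header_off <= len(image) - 4 or image[header_off:header_off + 4] != VB_SIGNATURE:
        return OepCheck(False, "pushed address does not point at a 'VB5!' header",
                        header_va, call_target_va)
    thunk_off = call_target_va - image_base
    if not 0 <= thunk_off <= len(image) - 6 or image[thunk_off:thunk_off + 2] != b"\xff\x25":
        return OepCheck(False, "call target is not a 'jmp dword ptr [imm32]' thunk",
                        header_va, call_target_va)
    iat_slot_va = _u32(image, thunk_off + 2)
    return OepCheck(True, "VB6 start-up stub is intact", header_va, call_target_va, iat_slot_va)


def build_sample_image() -> bytearray:
    """Constructed image mirroring the listing on the page; not a real dump."""
    image = bytearray(0x52000)
    # thunk at 0040139C: jmp dword ptr [00401124]; the FF 25 opcode bytes are assumed
    image[0x139C:0x13A2] = b"\xff\x25" + struct.pack("<I", 0x00401124)
    # OEP at 004013A4: push 004519E0 ; call 0040139C (rel32 = -0x12 = EE FF FF FF)
    image[0x13A4:0x13AE] = b"\x68" + struct.pack("<I", 0x004519E0) + b"\xe8" + struct.pack("<i", -0x12)
    # assumed VB header at 004519E0, only the signature is modelled
    image[0x519E0:0x519E4] = VB_SIGNATURE
    return image


def build_broken_image() -> bytearray:
    """Same image with the VB header wiped, e.g. a dump taken before it was rebuilt."""
    image = build_sample_image()
    image[0x519E0:0x519E4] = b"\x00\x00\x00\x00"
    return image


if __name__ == "__main__":
    print(check_vb6_oep(build_sample_image(), IMAGE_BASE, 0x004013A4))
    print(check_vb6_oep(build_broken_image(), IMAGE_BASE, 0x004013A4))
```

Running this against a real dump (read the file, subtract the image base from the OEP after converting RVA to file offset) tells you which link is broken: a missing "VB5!" means the dump was taken too early or at the wrong OEP, a bad thunk means the IAT slot ImpREC wrote does not reach ThunRTMain. If every link checks out, the "error" box is more likely the program's own integrity check than an unpacking mistake.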