首先感谢CYTO大侠的耐心指导
OD载入程序,VOLX脚本运行
013B027D 55 PUSH EBP ; 00049D57C
013B027E BD A2CD4400 MOV EBP,44CDA2
013B0283 83DD 4D SBB EBP,4D
013B0286 336C24 28 XOR EBP,DWORD PTR SS:[ESP+28]
013B028A 336C24 08 XOR EBP,DWORD PTR SS:[ESP+8]
013B028E BD F2BE4200 MOV EBP,42BEF2
LORDPE载入完全转存,IMPORT载入进程得到输入表,修正OEP:FB027D,保存树文件,又回到OD,F8一路下来
013B0325 68 700A3B01 PUSH 13B0A70
013B032A E8 D1FC0900 CALL 01450000 这里F7进
013B032F B9 F2264500 MOV ECX,4526F2
013B0334 B9 EA0A4800 MOV ECX,480AEA
....................
01450186 CD 20 INT 20
01450188 FFD6 CALL ESI 我的是这个ESI=011B8A20
0145018A 6A 30 PUSH 30
区段转存
01190000 00043000 d90000
011e0000 00014000 de0000
013b0000 00004000 fb
013c0000 00002000 fc
013d0000 00002000 fd
013e0000 00001000 减基址0400000 fe
013f0000 00001000 ff
01400000 00001000 1000000
01410000 00001000 101
01420000 00001000 102
01430000 00001000 103
01440000 00001000 104
01450000 00001000 105
01460000 00001000 106
LordPE加入这些区段,修改VOffset,重建PE
ImportREC载入刚存的树文件,保存.dump_.exe
OD加载dump_.exe,从OEP往下步进到特征码:
00F78A5B 8B73 30 mov esi,dword ptr ds:[ebx+30] ; dumped_.011A30CA
00F78A5E 8B7B 14 mov edi,dword ptr ds:[ebx+14]
00F78A61 A1 F037F800 mov eax,dword ptr ds:[F837F0]
00F78A66 8B40 34 mov eax,dword ptr ds:[eax+34]
00F78A69 FFD0 call eax
00F78A6B 2945 0C sub dword ptr ss:[ebp+C],eax
00F78A6E 8B45 0C mov eax,dword ptr ss:[ebp+C]
00F78A71 2B43 18 sub eax,dword ptr ds:[ebx+18]
00F78A74 2B43 68 sub eax,dword ptr ds:[ebx+68]
修改为:
00F78A5B 8B73 30 mov esi,dword ptr ds:[ebx+30] ; dumped_.011A30CA
00F78A5E 8B7B 14 mov edi,dword ptr ds:[ebx+14]
00F78A61 A1 F037F800 mov eax,dword ptr ds:[F837F0]
00F78A66 3E:8B4424 58 mov eax,dword ptr ds:[esp+58]
00F78A6B 83E8 05 sub eax,5
00F78A6E 90 nop
00F78A6F 90 nop
00F78A70 90 nop
00F78A71 2B43 18 sub eax,dword ptr ds:[ebx+18]
00F78A74 2B43 68 sub eax,dword ptr ds:[ebx+68]
另存程序,,运行正常,用W32DSM载入字符串乱码,,,用C32ASM载入程序就自动退出,,这是什么原因..我怀凝是那里还没处理好
PE查壳为:什么也没找到*
大侠们看看,,是错在那
附件:
http://pickup.mofile.com/2732698696948747 (原文件和脱壳文件)
麻烦大家了
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
