I recently spent a few days studying the experts' articles on unpacking this heavy packer, but when I tried it myself I ran into the following problems:
Found the OEP and the IAT
00672B9D 55 PUSH EBP <-------OEP
00672B9E 8BEC MOV EBP,ESP
00672BA0 6A FF PUSH -1
00672BA2 68 40C86B00 PUSH MapleSto.006BC840
00672BA7 68 74326700 PUSH MapleSto.00673274 ; SE handler installation
00672BAC 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
00672BB2 50 PUSH EAX
00672BB3 64:8925 0000000>MOV DWORD PTR FS:[0],ESP
00672BBA 83EC 58 SUB ESP,58
00672BBD 53 PUSH EBX
00672BBE 56 PUSH ESI
00672BBF 57 PUSH EDI
00672BC0 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP
00672BC3 FF15 9C506B00 CALL DWORD PTR DS:[6B509C] ; kernel32.GetVersion
00672BC9 33D2 XOR EDX,EDX
The IAT is fairly long, padded with 0000 in between, and not encrypted
After Advanced Import Protection is applied, the API calls on my machine were turned into the form call 01140000:
00672C1B 8975 FC MOV DWORD PTR SS:[EBP-4],ESI
00672C1E E8 E46D0000 CALL MapleSto.00679A07
00672C23 E8 D8D3AC00 CALL 01140000 <-----------------------
00672C28 5E POP ESI
00672C29 A3 BC5F7100 MOV DWORD PTR DS:[715FBC],EAX
00672C2E E8 A26C0000 CALL MapleSto.006798D5
00672C33 A3 28457100 MOV DWORD PTR DS:[714528],EAX
00672C38 E8 4B6A0000 CALL MapleSto.00679688
00672C3D E8 8D690000 CALL MapleSto.006795CF
00672C42 E8 40080000 CALL MapleSto.00673487
00672C47 8975 D0 MOV DWORD PTR SS:[EBP-30],ESI
00672C4A 8D45 A4 LEA EAX,DWORD PTR SS:[EBP-5C]
00672C4D 50 PUSH EAX
00672C4E E8 ADD3AC00 CALL 01140000 <------------------------
Stepping in
.......
0114013D 034C24 18 ADD ECX,DWORD PTR SS:[ESP+18]
01140141 8D8C26 48B3F400 LEA ECX,DWORD PTR DS:[ESI+F4B348]
01140148 2BCE SUB ECX,ESI
0114014A FFD1 CALL ECX
Stepping in again
...
00F4B497 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
00F4B49A 0FB640 09 MOVZX EAX,BYTE PTR DS:[EAX+9]
00F4B49E 8D0440 LEA EAX,DWORD PTR DS:[EAX+EAX*2]
00F4B4A1 8B5483 68 MOV EDX,DWORD PTR DS:[EBX+EAX*4+68]
00F4B4A5 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00F4B4A8 FFD2 CALL EDX
00F4B4AA 3C 01 CMP AL,1 <-----------------key check; AL is 1 here, there is no stolen code for the next line
00F4B4AC 75 25 JNZ SHORT 00F4B4D3
00F4B4AE 56 PUSH ESI
00F4B4AF 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
00F4B4B2 50 PUSH EAX
00F4B4B3 8B45 14 MOV EAX,DWORD PTR SS:[EBP+14]
00F4B4B6 50 PUSH EAX
00F4B4B7 8B45 18 MOV EAX,DWORD PTR SS:[EBP+18]
00F4B4BA 50 PUSH EAX
00F4B4BB 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C]
00F4B4BE 50 PUSH EAX
00F4B4BF 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
00F4B4C2 50 PUSH EAX
00F4B4C3 8B4D 1C MOV ECX,DWORD PTR SS:[EBP+1C]
00F4B4C6 8B55 10 MOV EDX,DWORD PTR SS:[EBP+10]
00F4B4C9 8BC3 MOV EAX,EBX
00F4B4CB E8 C0010000 CALL 00F4B690 <---------------------------------F7 to step in again
00F4B4D0 EB 01 JMP SHORT 00F4B4D3
00F4B4D2 E8 8D45FC50 CALL 51F0FA64
00F4B4D7 8B45 14 MOV EAX,DWORD PTR SS:[EBP+14]
00F4B4DA 50 PUSH EAX
00F4B4DB 8B45 18 MOV EAX,DWORD PTR SS:[EBP+18]
00F4B4DE 50 PUSH EAX
00F4B4DF 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C]
00F4B4E2 50 PUSH EAX
00F4B4E3 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
00F4B4E6 50 PUSH EAX
00F4B4E7 8B4D 1C MOV ECX,DWORD PTR SS:[EBP+1C]
00F4B4EA 8B55 10 MOV EDX,DWORD PTR SS:[EBP+10]
00F4B4ED 8BC3 MOV EAX,EBX
00F4B4EF E8 64F1FFFF CALL 00F4A658
At this point I don't know how to continue. Should I patch every CALL 01140000 to the address the packer modified, or to some other address?
I don't quite understand the relationship between the API CALLs modified by the packer and the IAT.
With a memory-write breakpoint I saw the packer change one CALL 01140000 into CALL 01240000. Can I just patch this CALL 01140000 to 01240000 directly?
I hope the experts here won't mind the trouble and can enlighten me!! Many thanks
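Added example (not from the post or the packer): a Python scan over bytes re-typed from the listing at 00672C1B, plus the intact import call at 00672BC3, that computes where each CALL lands. It shows the two E8 calls resolving to the same 01140000 entry while the untouched FF15 call names its IAT slot outright, which is why the API behind a redirected call cannot be read off its target alone. IMAGE_RANGE and IAT_RANGE are assumed bounds, not values established in the post.

```python
import struct

# Constructed sample: bytes re-typed from the opcode column of the post's listing
# (0x00672C1B..0x00672C52) and the untouched import call at the OEP (0x00672BC3).
CRT_INIT = (0x00672C1B, bytes.fromhex(
    "8975FC" "E8E46D0000" "E8D8D3AC00" "5E" "A3BC5F7100" "E8A26C0000"
    "A328457100" "E84B6A0000" "E88D690000" "E840080000" "8975D0"
    "8D45A4" "50" "E8ADD3AC00"))
OEP_CALL = (0x00672BC3, bytes.fromhex("FF159C506B00" "33D2"))

IMAGE_RANGE = (0x00400000, 0x00720000)  # assumed bounds of the MapleSto image
IAT_RANGE = (0x006B5000, 0x006B52E0)    # assumed IAT extent around slot 6B509C


def classify_calls(base, code, image_range=IMAGE_RANGE, iat_range=IAT_RANGE):
    """Linear sweep for E8 rel32 and FF15 disp32 calls.

    Returns (address, kind, target) triples: 'iat' is an intact import call,
    'direct' a relative call that stays inside the image, 'redirected' one that
    leaves it (the protector's API stub).  Plain byte-pattern scanning can
    mis-fire on E8/FF15 bytes embedded in other instructions, so review hits.
    """
    found = []
    i = 0
    while i < len(code):
        op = code[i]
        if op == 0xE8 and i + 5 <= len(code):
            rel = struct.unpack_from("<i", code, i + 1)[0]
            target = (base + i + 5 + rel) & 0xFFFFFFFF   # rel32 is from next insn
            kind = "direct" if image_range[0] <= target < image_range[1] else "redirected"
            found.append((base + i, kind, target))
            i += 5
        elif op == 0xFF and i + 6 <= len(code) and code[i + 1] == 0x15:
            slot = struct.unpack_from("<I", code, i + 2)[0]  # absolute IAT slot
            kind = "iat" if iat_range[0] <= slot < iat_range[1] else "indirect"
            found.append((base + i, kind, slot))
            i += 6
        else:
            i += 1
    return found


def redirect_stubs(calls):
    """Distinct out-of-image targets: how many stub entry points the calls share."""
    return sorted({t for _, kind, t in calls if kind == "redirected"})


if __name__ == "__main__":
    for region in (OEP_CALL, CRT_INIT):
        for addr, kind, target in classify_calls(*region):
            print(f"{addr:08X}  {kind:10s} -> {target:08X}")
    print("stub entry points:", [hex(t) for t in redirect_stubs(classify_calls(*CRT_INIT))])
```

Two different import calls landing on one entry point means the stub, not the call target, decides which API runs; the slot has to be recovered by following each call into the stub.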