用OD载入,根据弹出的对话框判断是加密壳,所以我先在调试设置中只勾选“忽略在kernel32中引发的内存访问异常”,其他都不选。
按F9运行,程序出现异常;再按SHIFT+F9 31次(总共32次),此时堆栈窗口显示如下:
0012FDC0 00449FDF WinToWeb.00449FDF
0012FDC4 0012FDFC 指针到下一个 SEH 记录
0012FDC8 00449FE9 SE 句柄
0012FDCC 0012FDE0
按Ctrl+G,输入00449FE9跳转到该地址:
00449FBF 33C0 xor eax,eax
00449FC1 55 push ebp
00449FC2 68 E99F4400 push WinToWeb.00449FE9
00449FC7 64:FF30 push dword ptr fs:[eax]
00449FCA 64:8920 mov dword ptr fs:[eax],esp
00449FCD 8B5D FC mov ebx,dword ptr ss:[ebp-4]
00449FD0 8B55 FC mov edx,dword ptr ss:[ebp-4]
00449FD3 8B83 BC020000 mov eax,dword ptr ds:[ebx+2BC]
00449FD9 FF93 B8020000 call dword ptr ds:[ebx+2B8]
00449FDF 33C0 xor eax,eax
00449FE1 5A pop edx
00449FE2 59 pop ecx
00449FE3 59 pop ecx
00449FE4 64:8910 mov dword ptr fs:[eax],edx //在这里下断,SHIFT+F9断下,然后取消断点
00449FE7 EB 17 jmp short WinToWeb.0044A000
00449FE9 ^ E9 3293FBFF jmp WinToWeb.00403320
之后不停地按F8单步跟踪,过程就不逐条说明了!
00449FE7 /EB 17 jmp short WinToWeb.0044A000 ; jump
00449FE9 ^|E9 3293FBFF jmp WinToWeb.00403320
00449FEE |8B55 FC mov edx,dword ptr ss:[ebp-4]
00449FF1 |A1 D4574C00 mov eax,dword ptr ds:[4C57D4]
00449FF6 |E8 496C0000 call WinToWeb.00450C44
00449FFB |E8 7C96FBFF call WinToWeb.0040367C
0044A000 \8B45 FC mov eax,dword ptr ss:[ebp-4] ; jump here
0044A003 F680 CC020000 02 test byte ptr ds:[eax+2CC],2
0044A00A 74 0A je short WinToWeb.0044A016 ; jump
0044A00C B2 01 mov dl,1
0044A00E 8B45 FC mov eax,dword ptr ss:[ebp-4]
0044A011 E8 EA080000 call WinToWeb.0044A900
0044A016 5F pop edi ; jump here
0044A017 5E pop esi
0044A018 5B pop ebx
0044A019 59 pop ecx
0044A01A 5D pop ebp
0044A01B C3 retn
--------------------------------------------------------------------------------------
00449CDB F686 CC020000 20 test byte ptr ds:[esi+2CC],20 ; retn here
00449CE2 74 12 je short WinToWeb.00449CF6 ; jump
00449CE4 8BC6 mov eax,esi
00449CE6 66:BB B6FF mov bx,0FFB6
00449CEA E8 6193FBFF call WinToWeb.00403050
00449CEF 80A6 CC020000 DF and byte ptr ds:[esi+2CC],0DF
00449CF6 5E pop esi
00449CF7 5B pop ebx
00449CF8 C3 retn
-------------------------------------------------------------------------------------
00403212 58 pop eax ; 00E621A8
00403213 C3 retn
-------------------------------------------------------------------------------------
00449CB1 64:8F05 00000000 pop dword ptr fs:[0] ; 0012FF2C
00449CB8 83C4 0C add esp,0C
00449CBB 8B45 FC mov eax,dword ptr ss:[ebp-4]
00449CBE 5B pop ebx
00449CBF 8BE5 mov esp,ebp
00449CC1 5D pop ebp
00449CC2 C3 retn
-------------------------------------------------------------------------------------
00450B30 33C0 xor eax,eax
00450B32 5A pop edx
00450B33 59 pop ecx
00450B34 59 pop ecx
00450B35 64:8910 mov dword ptr fs:[eax],edx
00450B38 EB 16 jmp short WinToWeb.00450B50
00450B3A ^ E9 E127FBFF jmp WinToWeb.00403320
00450B3F 8B45 FC mov eax,dword ptr ss:[ebp-4]
00450B42 33D2 xor edx,edx
00450B44 8910 mov dword ptr ds:[eax],edx
00450B46 E8 DD2AFBFF call WinToWeb.00403628
00450B4B E8 2C2BFBFF call WinToWeb.0040367C
00450B50 837E 38 00 cmp dword ptr ds:[esi+38],0
00450B54 75 1D jnz short WinToWeb.00450B73
00450B56 8BC3 mov eax,ebx
00450B58 8B15 3C6F4400 mov edx,dword ptr ds:[446F3C] ; WinToWeb.00446F88
00450B5E E8 8924FBFF call WinToWeb.00402FEC
00450B63 84C0 test al,al
00450B65 74 0C je short WinToWeb.00450B73
00450B67 8BFB mov edi,ebx
00450B69 8BC7 mov eax,edi
00450B6B E8 D07EFEFF call WinToWeb.00438A40
00450B70 897E 38 mov dword ptr ds:[esi+38],edi
00450B73 5F pop edi
00450B74 5E pop esi
00450B75 5B pop ebx
00450B76 59 pop ecx
00450B77 5D pop ebp
00450B78 C3 retn
--------------------------------------------------------------------------------------------------
004C10B9 8B0D F8484C00 mov ecx,dword ptr ds:[4C48F8] ; WinToWeb.004C59E8
004C10BF 8B03 mov eax,dword ptr ds:[ebx]
004C10C1 8B15 A4284A00 mov edx,dword ptr ds:[4A28A4] ; WinToWeb.004A28F0
004C10C7 E8 30FAF8FF call WinToWeb.00450AFC
004C10CC 8B0D 48474C00 mov ecx,dword ptr ds:[4C4748] ; WinToWeb.004C59E0
004C10D2 8B03 mov eax,dword ptr ds:[ebx]
004C10D4 8B15 281D4A00 mov edx,dword ptr ds:[4A1D28] ; WinToWeb.004A1D74
004C10DA E8 1DFAF8FF call WinToWeb.00450AFC
004C10DF 8B0D 34464C00 mov ecx,dword ptr ds:[4C4634] ; WinToWeb.004C5A30
004C10E5 8B03 mov eax,dword ptr ds:[ebx]
004C10E7 8B15 C4434A00 mov edx,dword ptr ds:[4A43C4] ; WinToWeb.004A4410
004C10ED E8 0AFAF8FF call WinToWeb.00450AFC
004C10F2 8B0D 2C484C00 mov ecx,dword ptr ds:[4C482C] ; WinToWeb.004C5A3C
004C10F8 8B03 mov eax,dword ptr ds:[ebx]
004C10FA 8B15 50494A00 mov edx,dword ptr ds:[4A4950] ; WinToWeb.004A499C
004C1100 E8 F7F9F8FF call WinToWeb.00450AFC
004C1105 8B0D BC474C00 mov ecx,dword ptr ds:[4C47BC] ; WinToWeb.004C5A48
004C110B 8B03 mov eax,dword ptr ds:[ebx]
004C110D 8B15 C44F4A00 mov edx,dword ptr ds:[4A4FC4] ; WinToWeb.004A5010
004C1113 E8 E4F9F8FF call WinToWeb.00450AFC
004C1118 8B0D 7C454C00 mov ecx,dword ptr ds:[4C457C] ; WinToWeb.004C5A58
004C111E 8B03 mov eax,dword ptr ds:[ebx]
004C1120 8B15 68534A00 mov edx,dword ptr ds:[4A5368] ; WinToWeb.004A53B4
004C1126 E8 D1F9F8FF call WinToWeb.00450AFC
004C112B 8B0D DC474C00 mov ecx,dword ptr ds:[4C47DC] ; WinToWeb.004C5A60
004C1131 8B03 mov eax,dword ptr ds:[ebx]
004C1133 8B15 80554A00 mov edx,dword ptr ds:[4A5580] ; WinToWeb.004A55CC
004C1139 E8 BEF9F8FF call WinToWeb.00450AFC
004C113E 8B0D 70484C00 mov ecx,dword ptr ds:[4C4870] ; WinToWeb.004C5A68
004C1144 8B03 mov eax,dword ptr ds:[ebx]
004C1146 8B15 C45A4A00 mov edx,dword ptr ds:[4A5AC4] ; WinToWeb.004A5B10
004C114C E8 ABF9F8FF call WinToWeb.00450AFC
004C1151 8B0D 24454C00 mov ecx,dword ptr ds:[4C4524] ; WinToWeb.004C5A78
004C1157 8B03 mov eax,dword ptr ds:[ebx]
004C1159 8B15 785D4A00 mov edx,dword ptr ds:[4A5D78] ; WinToWeb.004A5DC4
004C115F E8 98F9F8FF call WinToWeb.00450AFC
004C1164 8B03 mov eax,dword ptr ds:[ebx]
004C1166 E8 11FAF8FF call WinToWeb.00450B7C ;这里按F7跟进去
-----------------------------------------------------------------------------------------------
00450B7C 55 push ebp ;在这里dump程序,弹出一个错误对话框“无法读取被调试进程的内存(00400000-004FDFFF)”
00450B7D 8BEC mov ebp,esp
00450B7F 51 push ecx
00450B80 8945 FC mov dword ptr ss:[ebp-4],eax
00450B83 8B45 FC mov eax,dword ptr ss:[ebp-4]
00450B86 C680 95000000 01 mov byte ptr ds:[eax+95],1
00450B8D 33D2 xor edx,edx
00450B8F 55 push ebp
00450B90 68 260C4500 push WinToWeb.00450C26
00450B95 64:FF32 push dword ptr fs:[edx]
到这里我就卡住了,无法dump程序,估计是VirtualProtect函数引起的。重新加载程序,下bp VirtualProtect断点后,发现断下的地方到处都是,理不清头绪了,请高手指教。