刚刚入门,正在努力学习中,希望各位前辈能够给予些许指点。
这个是QQ连连看的辅助程式,作者在反脱壳方面下了不少功夫,虽然是用FSG加的壳,但是EP区段被动了手脚,用peid查可以查到是FSG 2.0 -> bart/xt但是2个EP区段名称被删除了。
00400154 > 8725 A8855A00 xchg dword ptr ds:[5A85A8], esp //--FSG2.0典型入口--//
0040015A 61 popad
0040015B 94 xchg eax, esp
0040015C 55 push ebp
0040015D A4 movsb
0040015E B6 80 mov dh, 80
00400160 FF13 call near dword ptr ds:[ebx]
00400162 ^ 73 F9 jnb short tyllky.0040015D //--想往回跳--//
00400164 33C9 xor ecx, ecx //--F4到这里--//
00400166 FF13 call near dword ptr ds:[ebx]
00400168 73 16 jnb short tyllky.00400180
0040016A 33C0 xor eax, eax
0040016C FF13 call near dword ptr ds:[ebx]
0040016E 73 1F jnb short tyllky.0040018F
00400170 B6 80 mov dh, 80
00400172 41 inc ecx
00400173 B0 10 mov al, 10
00400175 FF13 call near dword ptr ds:[ebx]
00400177 12C0 adc al, al
00400179 ^ 73 FA jnb short tyllky.00400175 //--短跳转--//
0040017B 75 3A jnz short tyllky.004001B7 //--直接F4,跳转实现--//
0040017D AA stosb
0040017E ^ EB E0 jmp short tyllky.00400160
00400180 FF53 08 call near dword ptr ds:[ebx+8] ; tyllky.00400000
00400183 02F6 add dh, dh
00400185 83D9 01 sbb ecx, 1
00400188 75 0E jnz short tyllky.00400198
0040018A FF53 04 call near dword ptr ds:[ebx+4]
0040018D EB 24 jmp short tyllky.004001B3
0040018F AC lodsb
00400190 D1E8 shr eax, 1
00400192 74 2D je short tyllky.004001C1
00400194 13C9 adc ecx, ecx
00400196 EB 18 jmp short tyllky.004001B0
00400198 91 xchg eax, ecx
00400199 48 dec eax
0040019A C1E0 08 shl eax, 8
0040019D AC lodsb
0040019E FF53 04 call near dword ptr ds:[ebx+4]
004001A1 3B43 F8 cmp eax, dword ptr ds:[ebx-8]
004001A4 73 0A jnb short tyllky.004001B0
004001A6 80FC 05 cmp ah, 5
004001A9 73 06 jnb short tyllky.004001B1
004001AB 83F8 7F cmp eax, 7F
004001AE 77 02 ja short tyllky.004001B2
004001B0 41 inc ecx
004001B1 41 inc ecx
004001B2 95 xchg eax, ebp
004001B3 8BC5 mov eax, ebp
004001B5 B6 00 mov dh, 0
004001B7 56 push esi //--上面的跳转来到这里--//
004001B8 8BF7 mov esi, edi ; ntdll.7C930738
004001BA 2BF0 sub esi, eax
004001BC F3:A4 rep movsb
004001BE 5E pop esi ; kernel32.7C816D4F
004001BF ^ EB 9F jmp short tyllky.00400160 //--想回跳--//
004001C1 5E pop esi ; kernel32.7C816D4F //--F4--//
004001C2 AD lodsd
004001C3 97 xchg eax, edi ; ntdll.7C930738
004001C4 AD lodsd
004001C5 50 push eax
004001C6 FF53 10 call near dword ptr ds:[ebx+10]
004001C9 95 xchg eax, ebp
004001CA 8B07 mov eax, dword ptr ds:[edi]
004001CC 40 inc eax
004001CD ^ 78 F3 js short tyllky.004001C2
004001CF 75 03 jnz short tyllky.004001D4
004001D1 - FF63 0C jmp near dword ptr ds:[ebx+C] //--到OEP,OEP值:004107BE--//
004001D4 50 push eax
004001D5 55 push ebp
004001D6 FF53 14 call near dword ptr ds:[ebx+14]
004001D9 AB stosd
004001DA ^ EB EE jmp short tyllky.004001CA //--这段循环恢复RVA--//
004001DC 33C9 xor ecx, ecx
004001DE 41 inc ecx
004001DF FF13 call near dword ptr ds:[ebx]
004001E1 13C9 adc ecx, ecx
004001E3 FF13 call near dword ptr ds:[ebx]
004001E5 ^ 72 F8 jb short tyllky.004001DF
004001E7 C3 ret
004001E8 02D2 add dl, dl
004001EA 75 05 jnz short tyllky.004001F1
004001EC 8A16 mov dl, byte ptr ds:[esi]
004001EE 46 inc esi
004001EF 12D2 adc dl, dl
004001F1 C3 ret
在004107BE处使用ollydump取消Rebuild Import选项的勾选,模式1转存为dump.exe。
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)