Following cyto's post "[Script + section patching] - ASProtect 2.1x SKE - 文件夹保护 2006 2.10",
http://bbs.pediy.com/showthread.php?s=&threadid=27239
I tried unpacking a certain program. As a newbie I normally wouldn't dare touch such a fierce packer, but the experts on the Pediy forum have already studied it very thoroughly and excellent unpacking write-ups keep appearing, so I rashly gave it a try, and yet I still didn't get it, heh.
First, run Volx's script Aspr2.XX_IATfixer_v1.02.osc.
When it finishes it prompts:
"There are stolen code after API and the address of the call xxxxxxxx are saved in the file named SCafAPI.bin "
Choose Resume; it prompts:
"Import table is fixed, you can dump the file now or later. check the address and size of IAT in log window"
Choose Resume again; it runs to the OEP and prompts:
"Stolen code start, press OK button to add comments"
Then it prompts "Comments are added"; click OK and it stops at the fake OEP:
0124026E 55 push ebp ; 00040CBAF
0124026F BD 7EA64600 mov ebp, 46A67E
01240274 C1C5 DB rol ebp, 0DB
01240277 EB 02 jmp short 0124027B
01240279 CD20 0BEB8D6C vxdjump 6C8DEB0B
0124027F 24 06 and al, 6
01240281 8D6C35 FA lea ebp, [ebp+esi-6]
01240285 2BEE sub ebp, esi
01240287 6A FF push -1
01240289 68 52DE4200 push 42DE52
0124028E 66:9C pushfw
01240290 50 push eax
01240291 334424 08 xor eax, [esp+8]
01240295 C1D0 DD rcl eax, 0DD
01240298 26:EB 02 jmp short 0124029D
0124029B CD20 8BC4F3EB vxdjump EBF3C48B
012402A1 02CD add cl, ch
012402A3 208D 40065226 and [ebp+26520640], cl
Select the process in LordPE, dump it and save as dumped.exe.
IAT: because the script was used (heh, it really is powerful) the values are easy to determine: RVA: E000, size: 630.
Open ImportREC, select the process, enter the RVA and size, get imports; all are valid. Set OEP = 0124026E-400000 = E4026E and save for later.
Next, add the sections: 00AE0000, 12400000, 12C00000 and a few others, attached one by one with LordPE; then load the previously saved IAT fix in ImportREC and save as dumped_.exe.
Continuing to follow the recipe, the Route Check:
Load dumped_.exe in OD, step from the OEP and arrive at the signature bytes:
00AFFDDB 8B73 30 mov esi, [ebx+30]
00AFFDDE 8B7B 14 mov edi, [ebx+14]
00AFFDE1 A1 44BAB100 mov eax, [B1BA44]
00AFFDE6 8B40 34 mov eax, [eax+34]
00AFFDE9 FFD0 call eax
00AFFDEB 2945 0C sub [ebp+C], eax
00AFFDEE 8B45 0C mov eax, [ebp+C]
00AFFDF1 2B43 18 sub eax, [ebx+18]
00AFFDF4 2B43 68 sub eax, [ebx+68]
Change to:
00AFFDDB 8B73 30 mov esi, [ebx+30]
00AFFDDE 8B7B 14 mov edi, [ebx+14]
00AFFDE1 A1 44BAB100 mov eax, [B1BA44]
00AFFDE6 8B4424 58 mov eax, [esp+58]
00AFFDEA 90 nop
00AFFDEB 83E8 05 sub eax, 5
00AFFDEE 90 nop
00AFFDEF 90 nop
00AFFDF0 90 nop
00AFFDF1 2B43 18 sub eax, [ebx+18]
00AFFDF4 2B43 68 sub eax, [ebx+68]
Save as: dumped_fix.exe
Run it: error.
Tracing alongside the original program, I found that the original program will not run in OD at all no matter how OD is hidden; it throws a similar error.
To save forum space, the program I unpacked and the repaired version are packaged separately at:
http://www.bsqing.com/test.rar
I hope the experts can take a look at what is causing the fix to fail and how it should be solved. Thanks.
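The Route Check patch above is applied by hand in OllyDbg and then saved with "Copy to executable". The script below is an added example, not part of the post or of any unpacking tool it mentions: it applies the same 11-byte patch to the dump file directly by mapping the virtual address 00AFFDE6 to a file offset through the PE section table, and it refuses to write unless the original bytes from the listing are actually there (so running it on the wrong file, or twice, fails loudly instead of corrupting the dump). The "VA not covered by any section" error is what you get if the 00AE0000-style sections were never added to the dump. The file names, function names and the minimal PE built by build_sample_pe() are constructed stand-ins for dumped_.exe.

```python
import struct

# Added example, not from the original post. ORIGINAL is the byte sequence the
# post's OllyDbg listing shows at 00AFFDE6 in dumped_.exe; PATCHED is the
# replacement from the same listing. Both are exactly 11 bytes.
ROUTE_CHECK_VA = 0x00AFFDE6
ORIGINAL = bytes.fromhex("8B4034" "FFD0" "29450C" "8B450C")
#   mov eax,[eax+34] / call eax / sub [ebp+C],eax / mov eax,[ebp+C]
PATCHED = bytes.fromhex("8B442458" "90" "83E805" "909090")
#   mov eax,[esp+58] / nop / sub eax,5 / nop / nop / nop
assert len(ORIGINAL) == len(PATCHED) == 11


def pe_sections(data: bytes):
    """Return (ImageBase, [(name, VirtualAddress, size, PointerToRawData), ...]) of a PE32 file."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images handled")
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    sections = []
    off = opt + opt_size
    for _ in range(nsections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        # Sections added to a dump often have VirtualSize 0; use the larger of the two sizes.
        sections.append((name.rstrip(b"\0").decode(errors="replace"), va, max(vsize, rawsize), rawptr))
        off += 40
    return image_base, sections


def va_to_file_offset(data: bytes, va: int) -> int:
    """Map a virtual address (as shown in OllyDbg) to a raw file offset in the dump."""
    image_base, sections = pe_sections(data)
    rva = va - image_base
    for _name, sec_va, size, rawptr in sections:
        if sec_va <= rva < sec_va + size:
            return rawptr + (rva - sec_va)
    # Reached when the section holding the address was never added to the dump.
    raise ValueError(f"VA {va:#010x} is not covered by any section in the file")


def patch_route_check(data: bytes, va: int = ROUTE_CHECK_VA) -> bytes:
    """Apply the Route Check patch, writing only if the original bytes are present."""
    off = va_to_file_offset(data, va)
    found = data[off:off + len(ORIGINAL)]
    if found != ORIGINAL:
        raise ValueError(f"unexpected bytes at {va:#010x}: {found.hex()} (wrong file or already patched?)")
    return data[:off] + PATCHED + data[off + len(PATCHED):]


def is_route_check_patched(data: bytes, va: int = ROUTE_CHECK_VA) -> bool:
    off = va_to_file_offset(data, va)
    return data[off:off + len(PATCHED)] == PATCHED


def build_sample_pe() -> bytes:
    """Constructed stand-in for dumped_.exe: a minimal PE32 with ImageBase 00400000 and
    one section covering 00AFFD00-00AFFEFF that holds the unpatched Route Check bytes."""
    image_base, sec_va, sec_size, sec_raw = 0x00400000, 0x006FFD00, 0x200, 0x200
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 26 + struct.pack("<I", image_base)
    opt += b"\0" * (224 - len(opt))
    sect = struct.pack("<8sIIIIIIHHI", b".asp", sec_size, sec_va, sec_size, sec_raw,
                       0, 0, 0, 0, 0x60000020)
    headers = dos + coff + opt + sect
    headers += b"\0" * (sec_raw - len(headers))
    body = bytearray(sec_size)
    rel = (ROUTE_CHECK_VA - image_base) - sec_va
    body[rel:rel + len(ORIGINAL)] = ORIGINAL
    return headers + bytes(body)


if __name__ == "__main__":
    import sys
    # Usage: python route_check_patch.py dumped_.exe dumped_fix.exe
    src, dst = sys.argv[1], sys.argv[2]
    with open(src, "rb") as f:
        patched = patch_route_check(f.read())
    with open(dst, "wb") as f:
        f.write(patched)
    print(f"patched Route Check at {ROUTE_CHECK_VA:#010x}, wrote {dst}")
```

The check against ORIGINAL before writing is the part worth keeping even if you patch in OllyDbg: the signature bytes move between builds of the packer, and a patch applied at a stale address silently produces a dump that "runs: error" with no hint of why.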