Here is my whole unpacking process. I don't know whether OD has a problem or I made a mistake while unpacking; I'm slow, so could the big brothers and sisters please take a look at where it went wrong...
Ignore all exceptions, hide OD.
Set bp OpenMutexA; Shift+F9 lands here:
7C80EA1B > 8BFF MOV EDI,EDI ; ntdll.7C930738
7C80EA1D 55 PUSH EBP
7C80EA1E 8BEC MOV EBP,ESP
7C80EA20 51 PUSH ECX
7C80EA21 51 PUSH ECX
7C80EA22 837D 10 00 CMP DWORD PTR SS:[EBP+10],0
7C80EA26 56 PUSH ESI
7C80EA27 0F84 66530300 JE kernel32.7C843D93
Stack:
0012F798 00648DB8 /CALL to OpenMutexA from VDC.00648DB2
0012F79C 001F0001 |Access = 1F0001
0012F7A0 00000000 |Inheritable = FALSE
0012F7A4 0012FDD8 \MutexName = "E3C::DA7242FFE9"
0012F7A8 7C930738 ntdll.7C930738
Then Ctrl+G, expression: 00401000
00401000 0000 ADD BYTE PTR DS:[EAX],AL
00401002 0000 ADD BYTE PTR DS:[EAX],AL
00401004 0000 ADD BYTE PTR DS:[EAX],AL
00401006 0000 ADD BYTE PTR DS:[EAX],AL
00401008 0000 ADD BYTE PTR DS:[EAX],AL
0040100A 0000 ADD BYTE PTR DS:[EAX],AL
0040100C 0000 ADD BYTE PTR DS:[EAX],AL
0040100E 0000 ADD BYTE PTR DS:[EAX],AL
00401010 0000 ADD BYTE PTR DS:[EAX],AL
00401012 0000 ADD BYTE PTR DS:[EAX],AL
00401014 0000 ADD BYTE PTR DS:[EAX],AL
00401016 0000 ADD BYTE PTR DS:[EAX],AL
00401018 0000 ADD BYTE PTR DS:[EAX],AL
0040101A 0000 ADD BYTE PTR DS:[EAX],AL
0040101C 0000 ADD BYTE PTR DS:[EAX],AL
Go there, then change the code above to:
00401000 60 pushad
00401001 9C pushfd
00401002 68 D8FD1200 push 12FDD8 //the value shown in the stack above ; ASCII "E3C::DA7242FFE9"
00401007 33C0 xor eax,eax
00401009 50 push eax
0040100A 50 push eax
0040100B E8 2FDB407C call kernel32.CreateMutexA
00401010 9D popfd
00401011 61 popad
00401012 - E9 04DA407C jmp kernel32.OpenMutexA
Set New origin here (new EIP) at 00401000 60 pushad, then Shift+F9; when it breaks again, remove the breakpoint.
Continue with he GetModuleHandleA+5; Shift+F9 lands here:
7C80B6A6 837D 08 00 CMP DWORD PTR SS:[EBP+8],0
7C80B6AA 74 18 JE SHORT kernel32.7C80B6C4
7C80B6AC FF75 08 PUSH DWORD PTR SS:[EBP+8]
7C80B6AF E8 C0290000 CALL kernel32.7C80E074
7C80B6B4 85C0 TEST EAX,EAX
7C80B6B6 74 08 JE SHORT kernel32.7C80B6C0
7C80B6B8 FF70 04 PUSH DWORD PTR DS:[EAX+4]
7C80B6BB E8 7D2D0000 CALL kernel32.GetModuleHandleW
Below is the result of each F9:
0012EF20 /0012EF3C
0012EF24 |77F45BD8 return to SHLWAPI.77F45BD8 from kernel32.GetModuleHandleA
0012EF28 |77F4501C ASCII "KERNEL32.DLL"
0012EF2C |00000001
0012EF30 |77F40000 SHLWAPI.77F40000
0012EF34 |00000000
0012EF38 |00002283
0012EF3C ]0012EF50
0012EF40 |77F452DD return to SHLWAPI.77F452DD from SHLWAPI.77F45BB5
0012EF44 |00000000
0012EF48 |00000001
0012EF4C |77F40000 SHLWAPI.77F40000
0012F738 /0012F7A0
0012F73C |00647EF3 return to VDC.00647EF3 from kernel32.GetModuleHandleA
0012F740 |00000000
0012F744 |0012F750
0012F748 |00DF20E6
0012F74C |006C6E04 VDC.006C6E04
0012F750 |00000000
0012F754 |006A1000 ASCII "PDATA000"
0012F758 |0012F700
0012F75C |00E0F536
0012F760 |00E0565D
00129524 /0012EC6C
00129528 |00E06DF3 return to 00E06DF3 from kernel32.GetModuleHandleA
0012952C |00E1BC1C ASCII "kernel32.dll"
00129530 |00E1CEC4 ASCII "VirtualAlloc"
00129534 |00E1FA98
00129538 |7C9210ED ntdll.RtlLeaveCriticalSection
0012953C |00000000
00129540 |00000000
00129544 |00000000
00129548 |00000000
0012954C |00000000
00129524 /0012EC6C
00129528 |00E06E10 return to 00E06E10 from kernel32.GetModuleHandleA
0012952C |00E1BC1C ASCII "kernel32.dll"
00129530 |00E1CEB8 ASCII "VirtualFree"
00129534 |00E1FA98
00129538 |7C9210ED ntdll.RtlLeaveCriticalSection
0012953C |00000000
00129540 |00000000
00129544 |00000000
00129548 |00000000
This time F9 raised an error; Shift+F9 skips past it to here:
00129288 /00129528
0012928C |00DF5CE1 return to 00DF5CE1 from kernel32.GetModuleHandleA
00129290 |001293DC ASCII "kernel32.dll" //remove the hardware breakpoint here
00129294 |00000000
00129298 |EC6C0000
0012929C |92960012
001292A0 |00E1B0F4
001292A4 |00000000
001292A8 |00000000
Then Alt+F9 brings us here:
00DF5CE1 8B0D AC40E200 mov ecx, [E240AC]
00DF5CE7 89040E mov [esi+ecx], eax
00DF5CEA A1 AC40E200 mov eax, [E240AC]
00DF5CEF 391C06 cmp [esi+eax], ebx
00DF5CF2 75 16 jnz short 00DF5D0A
00DF5CF4 8D85 B4FEFFFF lea eax, [ebp-14C]
00DF5CFA 50 push eax
00DF5CFB FF15 BC62E100 call [E162BC] ; kernel32.LoadLibraryA
00DF5D01 8B0D AC40E200 mov ecx, [E240AC]
00DF5D07 89040E mov [esi+ecx], eax
00DF5D0A A1 AC40E200 mov eax, [E240AC]
00DF5D0F 391C06 cmp [esi+eax], ebx
00DF5D12 0F84 2F010000 je 00DF5E47 //change this JE to JMP
00DF5D18 33C9 xor ecx, ecx
00DF5D1A 8B07 mov eax, [edi]
00DF5D1C 3918 cmp [eax], ebx
00DF5D1E 74 06 je short 00DF5D26
00DF5D20 41 inc ecx
00DF5D21 83C0 0C add eax, 0C
00DF5D24 ^ EB F6 jmp short 00DF5D1C
00DF5D26 8BD9 mov ebx, ecx
00DF5D28 C1E3 02 shl ebx, 2
00DF5D2B 53 push ebx
00DF5D2C E8 63F20100 call 00E14F94 ; jmp to msvcrt.operator new
Alt+M, then in the memory map set an F2 breakpoint on the 00401000 section.
Shift+F9 once more reaches the OEP.
The problem is right here: the dump fails.
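An added worked example, not part of the original post, that re-derives the two patches in the walkthrough from the addresses the post shows, so the hand-typed bytes can be checked before continuing: the stub written at 00401000 (push the mutex name, call CreateMutexA, restore state, jump on to OpenMutexA) and the JE-to-JMP change at 00DF5D12. Values assumed: CreateMutexA at 0x7C80EB3F is decoded from the E8 2FDB407C displacement in the stub (the post never lists it directly); the stub base, the mutex-name pointer 0012FDD8 and OpenMutexA at 7C80EA1B are the post's own figures.

```python
import struct

# Addresses taken from the post's OllyDbg output.
STUB_BASE    = 0x00401000   # the empty region the stub is written into
MUTEX_NAME   = 0x0012FDD8   # pointer to "E3C::DA7242FFE9" seen in the stack window
OPEN_MUTEX   = 0x7C80EA1B   # kernel32.OpenMutexA (where bp OpenMutexA broke)
# Assumption: the post does not list CreateMutexA; this is decoded from the
# "E8 2FDB407C" at 0040100B, i.e. 0x00401010 + 0x7C40DB2F.
CREATE_MUTEX = 0x7C80EB3F


def rel32(insn_addr, insn_len, target):
    """Signed displacement for CALL/JMP rel32: target minus the next instruction."""
    return struct.pack("<i", target - (insn_addr + insn_len))


def branch_target(addr, insn):
    """Absolute target of an E8/E9 rel32 (5 bytes) or 0F 84 JE rel32 (6 bytes) at addr."""
    if len(insn) == 5 and insn[0] in (0xE8, 0xE9):
        disp = struct.unpack("<i", insn[1:5])[0]
        return (addr + 5 + disp) & 0xFFFFFFFF
    if len(insn) == 6 and insn[:2] == b"\x0F\x84":
        disp = struct.unpack("<i", insn[2:6])[0]
        return (addr + 6 + disp) & 0xFFFFFFFF
    raise ValueError("expected E8/E9 rel32 or 0F 84 rel32")


def build_mutex_stub(base=STUB_BASE, name_ptr=MUTEX_NAME,
                     create=CREATE_MUTEX, open_=OPEN_MUTEX):
    """Assemble the stub the post writes at 00401000.

    It creates the mutex the protector looks for (so the parent believes the
    child process already exists and runs single-process), restores every
    register and the flags, then continues into the real OpenMutexA.
    CreateMutexA is stdcall, so arguments are pushed right to left.
    """
    code = bytearray()
    code += b"\x60"                                        # pushad
    code += b"\x9C"                                        # pushfd
    code += b"\x68" + struct.pack("<I", name_ptr)          # push offset lpName
    code += b"\x33\xC0"                                    # xor eax,eax
    code += b"\x50"                                        # push eax (bInitialOwner = FALSE)
    code += b"\x50"                                        # push eax (lpMutexAttributes = NULL)
    code += b"\xE8" + rel32(base + len(code), 5, create)   # call kernel32.CreateMutexA
    code += b"\x9D"                                        # popfd
    code += b"\x61"                                        # popad
    code += b"\xE9" + rel32(base + len(code), 5, open_)    # jmp kernel32.OpenMutexA
    return bytes(code)


def je_to_jmp(insn):
    """Patch a 6-byte 'JE rel32' (0F 84 disp32) into 'NOP; JMP rel32' (90 E9 disp32).

    Both forms are 6 bytes and end at the same address, so the displacement
    is reused unchanged and the unconditional jump lands on the same target.
    """
    if len(insn) != 6 or insn[:2] != b"\x0F\x84":
        raise ValueError("expected 0F 84 disp32")
    return b"\x90\xE9" + insn[2:]


if __name__ == "__main__":
    stub = build_mutex_stub()
    print("stub @ %08X: %s" % (STUB_BASE, stub.hex().upper()))
    print("call -> %08X" % branch_target(STUB_BASE + 0x0B, stub[0x0B:0x10]))
    print("jmp  -> %08X" % branch_target(STUB_BASE + 0x12, stub[0x12:0x17]))
    # The "magic jump" from the post: 00DF5D12  0F84 2F010000  je 00DF5E47
    je = bytes.fromhex("0F842F010000")
    patched = je_to_jmp(je)
    print("je   -> %08X" % branch_target(0x00DF5D12, je))
    print("patched %s -> %08X" % (patched.hex().upper(),
                                  branch_target(0x00DF5D13, patched[1:])))
```

OllyDbg's assembler computes the displacements itself when you type `call kernel32.CreateMutexA` or `jmp kernel32.OpenMutexA`, but when bytes are copied from a tutorial or pasted through Binary Edit, a mismatched displacement sends the stub into the middle of kernel32 instead of OpenMutexA; decoding the bytes back to an address is the cheapest check that the patch is what it claims to be.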