I used the two-pass memory-breakpoint method to look for the OEP and found the one below [at 005D2724]. I then dumped the memory image with OllyDump, but when I try to repair the IAT with ImportREC it just won't repair [parameters: OEP: 001D2724, RVA: 00305000, Size: 3000]. Is the reason that the OEP I found is a fake OEP, or that this IAT has been encrypted??? Could an expert please give me some pointers...
The process of finding the OEP was as follows:
Load mysoft.exe in OD, set it to ignore all exceptions, then hide OD with the HideOD.dll plugin.
007BC000 > 60 pushad //start here
007BC001 4E dec esi
007BC002 85CE test esi, ecx
007BC004 33F1 xor esi, ecx
007BC006 F9 stc
007BC007 66:81CB 3A34 or bx, 343A
007BC00C 4D dec ebp
----------------------------------------------------------------
1. Then I pressed ALT+M, set a memory-write breakpoint on the .idata section [address: 00705000, size: 00003000], pressed F9 again and stopped at the position below
007CD10B 8366 0C 00 and dword ptr [esi+C], 0 //stopped here
007CD10F 03C2 add eax, edx
007CD111 8BD8 mov ebx, eax
007CD113 56 push esi
007CD114 57 push edi
007CD115 50 push eax
------------------------------------------------------------------
2. Pressed ALT+M again, set a memory-access breakpoint on the .text section [address: 00401000, size: 00296000], pressed F9 again and stopped at the position below
00401A50 /EB 10 jmp short 00401A62 //stopped here
00401A52 |66:623A bound di, dword ptr [edx]
00401A55 |43 inc ebx
00401A56 |2B2B sub ebp, dword ptr [ebx]
00401A58 |48 dec eax
00401A59 |4F dec edi
00401A5A |4F dec edi
00401A5B |4B dec ebx
00401A5C |90 nop
00401A5D -|E9 98706900 jmp 00A98AFA
00401A62 \A1 8B706900 mov eax, dword ptr [69708B]
00401A67 C1E0 02 shl eax, 2
00401A6A A3 8F706900 mov dword ptr [69708F], eax
00401A6F 52 push edx
00401A70 6A 00 push 0
00401A72 E8 A1462900 call 00696118
00401A77 8BD0 mov edx, eax
00401A79 E8 5E741C00 call 005C8EDC
00401A7E 5A pop edx
00401A7F E8 80731C00 call 005C8E04
00401A84 E8 93741C00 call 005C8F1C
00401A89 6A 00 push 0
00401A8B E8 68851C00 call 005C9FF8
00401A90 59 pop ecx
00401A91 68 34706900 push 00697034
00401A96 6A 00 push 0
00401A98 E8 7B462900 call 00696118
00401A9D A3 93706900 mov dword ptr [697093], eax //eax=00400000 (mysoft.00400000), ASCII "MZP"
00401AA2 6A 00 push 0
00401AA4 E9 7B0C1D00 jmp 005D2724
-----------------------------------------------------------------
I guessed that no more breakpoints were needed, so I traced with F8. When I got to the instruction 00401AA4 E9 7B0C1D00 jmp 005D2724, it jumped to the following:
-----------------------------------------------------------------
005D2723 90 nop
005D2724 55 push ebp ;jumped here; after pressing F8 a few more times I saw the program window start to appear.
005D2725 8BEC mov ebp, esp
005D2727 83C4 F4 add esp, -0C
005D272A 53 push ebx
005D272B 56 push esi
005D272C 57 push edi
--------------------------------------------------------------
Is this the real OEP or a fake OEP, and what should I base that judgement on???
Is the cross-section jmp at 00401AA4 above stolen code, or is it like the UPX packer, where the code has been fully unpacked at this point and it jumps to the OEP to start executing the program????
The register values at this point are as follows:
EAX 00400000 ASCII "MZP"
ECX 00000000
EDX 0000009C
EBX 7FFD9000
ESP 0012FFBC
EBP 0012FFF0
ESI FFFFFFFF
EDI 7C930738 ntdll.7C930738
EIP 005D2724 mysoft.005D2724
C 0 ES 0023 32位 0(FFFFFFFF)
P 1 CS 001B 32位 0(FFFFFFFF)
A 0 SS 0023 32位 0(FFFFFFFF)
Z 1 DS 0023 32位 0(FFFFFFFF)
S 0 FS 003B 32位 7FFDF000(FFF)
T 0 GS 0000 NULL
D 0
O 0 LastErr ERROR_NOACCESS (000003E6)
EFL 00000246 (NO,NB,E,BE,NS,PE,GE,LE)
ST0 empty -UNORM D0A8 01050104 00000000
ST1 empty 0.0
ST2 empty 0.0
ST3 empty 0.0
ST4 empty 0.0
ST5 empty 0.0
ST6 empty 1.0000000000000000000
ST7 empty 1.0000000000000000000
3 2 1 0 E S P U O Z D I
FST 0000 Cond 0 0 0 0 Err 0 0 0 0 0 0 0 0 (GT)
FCW 1372 Prec NEAR,64 掩码 1 1 0 0 1 0
Please, experts, give this newbie a hand
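Two checks a practitioner would run at this point, as an added example that is not part of the original post: compare the bytes at the candidate OEP against a few well-known compiler entry prologues (the listing's push ebp / mov ebp,esp / add esp,-0C / push ebx / push esi / push edi sequence is the Borland/Delphi-style one, which fits the "MZP" DOS-stub signature the debugger shows at 00400000), and classify every dword slot of the dumped IAT range by where it points. Slots that point into a loaded DLL can be resolved to an export; slots that point back into the image or into memory outside every module are redirected to packer code, and those are exactly the entries a plain ImportREC pass cannot resolve without a tracer. The image base 00400000, the candidate OEP 005D2724 and the .idata range 00705000/3000 come from the post; the image size, the kernel32/ntdll ranges and the sample IAT contents are constructed so the script runs offline.

```python
"""Sanity checks for a candidate OEP and an IAT range taken from a memory dump.

Added example, not code from the original post. The image base 0x400000,
the candidate OEP 005D2724 and the .idata range 00705000/3000 are taken from
the post; every other value (image size, module ranges, the sample IAT) is
constructed sample data so the script runs offline.
"""
import struct
from collections import Counter

IMAGE_BASE = 0x00400000
# Assumed image extent: the real SizeOfImage is not given in the post.
IMAGE_RANGE = (IMAGE_BASE, IMAGE_BASE + 0x00308000)

# Constructed module ranges, typical for Windows XP loads; sample data only.
MODULE_RANGES = {
    "kernel32": (0x7C800000, 0x7C8F6000),
    "ntdll":    (0x7C900000, 0x7C9B2000),
}

# Entry-prologue byte patterns. A match does not prove a real OEP, but a
# candidate matching none of them, or matching a packer tail, needs a closer look.
PROLOGUES = {
    # push ebp / mov ebp,esp / add esp,-0C / push ebx / push esi / push edi
    "borland_delphi": bytes.fromhex("558BEC83C4F4535657"),
    # push ebp / mov ebp,esp / push -1 / push imm32 (classic MSVC CRT entry)
    "msvc_crt": bytes.fromhex("558BEC6AFF68"),
    # popad / jmp rel32: the tail of a UPX-style unpacking stub, not an OEP
    "upx_stub_tail": bytes.fromhex("61E9"),
}

# Bytes of the post's listing at 005D2724, re-assembled here as sample input.
SAMPLE_OEP_CODE = bytes.fromhex("558BEC83C4F4535657")

# Constructed IAT slice: two good kernel32/ntdll pointers, one pointer into
# memory outside every module (packer-allocated), one pointer back into the
# image itself (a redirect thunk), one more good pointer, then a terminator.
SAMPLE_IAT = struct.pack("<6I",
    0x7C80B741, 0x7C930738, 0x00A90010, 0x005C0010, 0x7C801D7B, 0x00000000)


def va_to_rva(va, image_base=IMAGE_BASE):
    """Convert a virtual address seen in the debugger to an RVA."""
    return va - image_base


def importrec_params(oep_va, iat_va, iat_size, image_base=IMAGE_BASE):
    """The three numbers ImportREC asks for: OEP RVA, IAT RVA, IAT size."""
    return (va_to_rva(oep_va, image_base), va_to_rva(iat_va, image_base), iat_size)


def identify_prologue(code):
    """Name of the first prologue pattern the candidate bytes start with, else None."""
    for name, pattern in PROLOGUES.items():
        if code.startswith(pattern):
            return name
    return None


def classify_iat(iat_bytes, module_ranges=MODULE_RANGES, image_range=IMAGE_RANGE):
    """Classify every dword slot of an IAT dump.

    'module' slots can be resolved to an export; 'redirected_*' slots point
    at packer code instead and are what makes a plain ImportREC pass fail.
    """
    out = []
    for index in range(len(iat_bytes) // 4):
        (ptr,) = struct.unpack_from("<I", iat_bytes, index * 4)
        if ptr == 0:
            kind = "null"
        elif any(lo <= ptr < hi for lo, hi in module_ranges.values()):
            kind = "module"
        elif image_range[0] <= ptr < image_range[1]:
            kind = "redirected_in_image"
        else:
            kind = "redirected_external"
        out.append((index, ptr, kind))
    return out


def summarize_iat(iat_bytes, **kwargs):
    """Count slots per class; any redirected_* count above 0 means the IAT needs a tracer."""
    return dict(Counter(kind for _, _, kind in classify_iat(iat_bytes, **kwargs)))


if __name__ == "__main__":
    print("ImportREC params (OEP RVA, IAT RVA, size):",
          tuple(hex(v) for v in importrec_params(0x005D2724, 0x00705000, 0x3000)))
    print("candidate OEP prologue:", identify_prologue(SAMPLE_OEP_CODE))
    for index, ptr, kind in classify_iat(SAMPLE_IAT):
        print(f"IAT[{index}] = {ptr:08X}  {kind}")
    print("summary:", summarize_iat(SAMPLE_IAT))
```

On a real dump, replace SAMPLE_IAT with the bytes read from the .idata range and MODULE_RANGES with the module list from the debugger's memory map; a summary in which every non-null slot is "module" is the case where ImportREC's plain "Get Imports" succeeds, while any "redirected_*" slot marks an entry the packer has rerouted.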