讨论关于一个DLL脱壳的不解之处-加壳脱壳-看雪-安全社区|安全招聘|kanxue.com

最新回复 (3)
fly 雪币： 898 活跃值： (4039) 能力值： ( LV9，RANK：3410 ) 在线值：发帖 294 回帖 7686 粉丝 32 关注私信	fly 85 2 楼重定位 2006-11-1 00:37 0
来来去去雪币： 205 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 15 回帖 44 粉丝 0 关注私信	来来去去 3 楼这是俺的分析 00400000 00001000 LOADDLL PE 文件头 Imag R RWE 00410000 00001000 LOADDLL CODE 代码 Imag R E RWE 00420000 00003000 LOADDLL DATA 数据 Imag RW RWE 00430000 00001000 LOADDLL .idata 输入表 Imag RW RWE 00440000 00001000 LOADDLL .edata 输出表 Imag R RWE 00450000 00001000 LOADDLL .rsrc 资源 Imag RW RWE 00460000 000DA000 Map R E R E 00760000 00008000 Priv RW RW 00770000 00001000 Priv RW RW 00780000 00001000 Priv RW RW 00790000 00003000 Priv RW RW 007A0000 00010000 Priv RW RW 00C00000 00054000 Priv RWE RWE 00C60000 00004000 Priv RW RW 00C70000 00002000 Map R R \Device\HarddiskVolume1\WINNT\System32\ctype.nls 10000000 00001000 aal PE 文件头 Imag R RWE 10001000 00012000 aal 代码 Imag R RWE 10013000 00005000 aal 数据 Imag R RWE 10018000 00005000 aal Imag R RWE 1001D000 00002000 aal .rsrc 资源 Imag R RWE 1001F000 00003000 aal Imag R RWE 10022000 00001000 aal 输出表 Imag R RWE 10023000 00052000 aal .data SFX,输入表, OEP: 00C40F28 55 push ebp ; aal.100233FF 00C40F29 8BEC mov ebp,esp 00C40F2B 83C4 B4 add esp,-4C 00C40F2E B8 080CC400 mov eax,0C40C08 IAT: 00C4C118 77E710D1 KERNEL32.GetCurrentThreadId 00C4C11C 77F87BF9 ntdll.RtlDeleteCriticalSection 00C4C120 77F89134 ntdll.RtlLeaveCriticalSection 00C4C124 77F89103 ntdll.RtlEnterCriticalSection 00C4C128 77E7BE13 KERNEL32.InitializeCriticalSection 00C4C12C 77E7E2DC KERNEL32.VirtualFree 00C4C130 77E7175C KERNEL32.VirtualAlloc 00C4C134 77E7C1C6 KERNEL32.LocalFree 00C4C138 77E7C13B KERNEL32.LocalAlloc 镜像基址:00400000 大小:00060000 ->> 选择的模块: e:\aal.dll 镜像基址:10000000 大小:00076000 不知咋的。跟本就是不这样的哦。重定位不是在这里么？ 00C523FB 8B03 mov eax,dword ptr ds:[ebx] 00C523FD 8785 592A4400 xchg dword ptr ss:[ebp+442A59],eax 00C52403 8B95 D8304400 mov edx,dword ptr ss:[ebp+4430D8] 00C52409 8B85 512A4400 mov eax,dword ptr ss:[ebp+442A51] 00C5240F 2BD0 sub edx,eax 00C52411 74 75 je short 00C52488 00C52413 8BC2 mov eax,edx 00C52415 C1E8 10 shr eax,10 00C52418 33DB xor ebx,ebx 00C5241A 8BB5 5D2A4400 mov esi,dword ptr ss:[ebp+442A5D] 00C52420 03B5 D8304400 add esi,dword ptr ss:[ebp+4430D8] 00C52426 833E 00 cmp dword ptr ds:[esi],0 00C52429 74 5D je short 00C52488 00C5242B 8B4E 04 mov ecx,dword ptr ds:[esi+4] 00C5242E 83E9 08 sub ecx,8 00C52431 D1E9 shr ecx,1 00C52433 8B3E mov edi,dword ptr ds:[esi] 00C52435 03BD D8304400 add edi,dword ptr ss:[ebp+4430D8] 00C5243B 83C6 08 add esi,8 00C5243E 66:8B1E mov bx,word ptr ds:[esi] 00C52441 C1EB 0C shr ebx,0C 00C52444 83FB 01 cmp ebx,1 00C52447 74 0C je short 00C52455 00C52449 83FB 02 cmp ebx,2 00C5244C 74 16 je short 00C52464 00C5244E 83FB 03 cmp ebx,3 00C52451 74 20 je short 00C52473 00C52453 EB 2C jmp short 00C52481 00C52455 66:8B1E mov bx,word ptr ds:[esi] 00C52458 81E3 FF0F0000 and ebx,0FFF 00C5245E 66:01041F add word ptr ds:[edi+ebx],ax 00C52462 EB 1D jmp short 00C52481 00C52464 66:8B1E mov bx,word ptr ds:[esi] 00C52467 81E3 FF0F0000 and ebx,0FFF 00C5246D 66:01141F add word ptr ds:[edi+ebx],dx 00C52471 EB 0E jmp short 00C52481 00C52473 66:8B1E mov bx,word ptr ds:[esi] 00C52476 81E3 FF0F0000 and ebx,0FFF 00C5247C 01141F add dword ptr ds:[edi+ebx],edx 00C5247F EB 00 jmp short 00C52481 00C52481 83C6 02 add esi,2 00C52484 ^ E2 B8 loopd short 00C5243E 00C52486 ^ EB 9E jmp short 00C52426 00C52488 8BB5 612A4400 mov esi,dword ptr ss:[ebp+442A61] 300K无法上传附件。郁闷 2006-11-1 10:30 0
来来去去雪币： 205 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 15 回帖 44 粉丝 0 关注私信	来来去去 4 楼我顶下。没有解说下 2006-11-1 21:15 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

最新回复 (3)
fly 雪币： 898 活跃值： (4039) 能力值： ( LV9，RANK：3410 ) 在线值：发帖 294 回帖 7686 粉丝 32 关注私信	fly 85 2 楼重定位 2006-11-1 00:37 0
来来去去雪币： 205 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 15 回帖 44 粉丝 0 关注私信	来来去去 3 楼这是俺的分析 00400000 00001000 LOADDLL PE 文件头 Imag R RWE 00410000 00001000 LOADDLL CODE 代码 Imag R E RWE 00420000 00003000 LOADDLL DATA 数据 Imag RW RWE 00430000 00001000 LOADDLL .idata 输入表 Imag RW RWE 00440000 00001000 LOADDLL .edata 输出表 Imag R RWE 00450000 00001000 LOADDLL .rsrc 资源 Imag RW RWE 00460000 000DA000 Map R E R E 00760000 00008000 Priv RW RW 00770000 00001000 Priv RW RW 00780000 00001000 Priv RW RW 00790000 00003000 Priv RW RW 007A0000 00010000 Priv RW RW 00C00000 00054000 Priv RWE RWE 00C60000 00004000 Priv RW RW 00C70000 00002000 Map R R \Device\HarddiskVolume1\WINNT\System32\ctype.nls 10000000 00001000 aal PE 文件头 Imag R RWE 10001000 00012000 aal 代码 Imag R RWE 10013000 00005000 aal 数据 Imag R RWE 10018000 00005000 aal Imag R RWE 1001D000 00002000 aal .rsrc 资源 Imag R RWE 1001F000 00003000 aal Imag R RWE 10022000 00001000 aal 输出表 Imag R RWE 10023000 00052000 aal .data SFX,输入表, OEP: 00C40F28 55 push ebp ; aal.100233FF 00C40F29 8BEC mov ebp,esp 00C40F2B 83C4 B4 add esp,-4C 00C40F2E B8 080CC400 mov eax,0C40C08 IAT: 00C4C118 77E710D1 KERNEL32.GetCurrentThreadId 00C4C11C 77F87BF9 ntdll.RtlDeleteCriticalSection 00C4C120 77F89134 ntdll.RtlLeaveCriticalSection 00C4C124 77F89103 ntdll.RtlEnterCriticalSection 00C4C128 77E7BE13 KERNEL32.InitializeCriticalSection 00C4C12C 77E7E2DC KERNEL32.VirtualFree 00C4C130 77E7175C KERNEL32.VirtualAlloc 00C4C134 77E7C1C6 KERNEL32.LocalFree 00C4C138 77E7C13B KERNEL32.LocalAlloc 镜像基址:00400000 大小:00060000 ->> 选择的模块: e:\aal.dll 镜像基址:10000000 大小:00076000 不知咋的。跟本就是不这样的哦。重定位不是在这里么？ 00C523FB 8B03 mov eax,dword ptr ds:[ebx] 00C523FD 8785 592A4400 xchg dword ptr ss:[ebp+442A59],eax 00C52403 8B95 D8304400 mov edx,dword ptr ss:[ebp+4430D8] 00C52409 8B85 512A4400 mov eax,dword ptr ss:[ebp+442A51] 00C5240F 2BD0 sub edx,eax 00C52411 74 75 je short 00C52488 00C52413 8BC2 mov eax,edx 00C52415 C1E8 10 shr eax,10 00C52418 33DB xor ebx,ebx 00C5241A 8BB5 5D2A4400 mov esi,dword ptr ss:[ebp+442A5D] 00C52420 03B5 D8304400 add esi,dword ptr ss:[ebp+4430D8] 00C52426 833E 00 cmp dword ptr ds:[esi],0 00C52429 74 5D je short 00C52488 00C5242B 8B4E 04 mov ecx,dword ptr ds:[esi+4] 00C5242E 83E9 08 sub ecx,8 00C52431 D1E9 shr ecx,1 00C52433 8B3E mov edi,dword ptr ds:[esi] 00C52435 03BD D8304400 add edi,dword ptr ss:[ebp+4430D8] 00C5243B 83C6 08 add esi,8 00C5243E 66:8B1E mov bx,word ptr ds:[esi] 00C52441 C1EB 0C shr ebx,0C 00C52444 83FB 01 cmp ebx,1 00C52447 74 0C je short 00C52455 00C52449 83FB 02 cmp ebx,2 00C5244C 74 16 je short 00C52464 00C5244E 83FB 03 cmp ebx,3 00C52451 74 20 je short 00C52473 00C52453 EB 2C jmp short 00C52481 00C52455 66:8B1E mov bx,word ptr ds:[esi] 00C52458 81E3 FF0F0000 and ebx,0FFF 00C5245E 66:01041F add word ptr ds:[edi+ebx],ax 00C52462 EB 1D jmp short 00C52481 00C52464 66:8B1E mov bx,word ptr ds:[esi] 00C52467 81E3 FF0F0000 and ebx,0FFF 00C5246D 66:01141F add word ptr ds:[edi+ebx],dx 00C52471 EB 0E jmp short 00C52481 00C52473 66:8B1E mov bx,word ptr ds:[esi] 00C52476 81E3 FF0F0000 and ebx,0FFF 00C5247C 01141F add dword ptr ds:[edi+ebx],edx 00C5247F EB 00 jmp short 00C52481 00C52481 83C6 02 add esi,2 00C52484 ^ E2 B8 loopd short 00C5243E 00C52486 ^ EB 9E jmp short 00C52426 00C52488 8BB5 612A4400 mov esi,dword ptr ss:[ebp+442A61] 300K无法上传附件。郁闷 2006-11-1 10:30 0
来来去去雪币： 205 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 15 回帖 44 粉丝 0 关注私信	来来去去 4 楼我顶下。没有解说下 2006-11-1 21:15 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

讨论 关于一个DLL脱壳的不解之处

讨论关于一个DLL脱壳的不解之处