Post #2
Relocation
Post #3
Here's my analysis
00400000 00001000 LOADDLL PE 文件头 Imag R RWE
00410000 00001000 LOADDLL CODE 代码 Imag R E RWE
00420000 00003000 LOADDLL DATA 数据 Imag RW RWE
00430000 00001000 LOADDLL .idata 输入表 Imag RW RWE
00440000 00001000 LOADDLL .edata 输出表 Imag R RWE
00450000 00001000 LOADDLL .rsrc 资源 Imag RW RWE
00460000 000DA000 Map R E R E
00760000 00008000 Priv RW RW
00770000 00001000 Priv RW RW
00780000 00001000 Priv RW RW
00790000 00003000 Priv RW RW
007A0000 00010000 Priv RW RW
00C00000 00054000 Priv RWE RWE
00C60000 00004000 Priv RW RW
00C70000 00002000 Map R R \Device\HarddiskVolume1\WINNT\System32\ctype.nls
10000000 00001000 aal PE 文件头 Imag R RWE
10001000 00012000 aal 代码 Imag R RWE
10013000 00005000 aal 数据 Imag R RWE
10018000 00005000 aal Imag R RWE
1001D000 00002000 aal .rsrc 资源 Imag R RWE
1001F000 00003000 aal Imag R RWE
10022000 00001000 aal 输出表 Imag R RWE
10023000 00052000 aal .data SFX,输入表,
OEP:
00C40F28 55 push ebp ; aal.100233FF
00C40F29 8BEC mov ebp,esp
00C40F2B 83C4 B4 add esp,-4C
00C40F2E B8 080CC400 mov eax,0C40C08
IAT:
00C4C118 77E710D1 KERNEL32.GetCurrentThreadId
00C4C11C 77F87BF9 ntdll.RtlDeleteCriticalSection
00C4C120 77F89134 ntdll.RtlLeaveCriticalSection
00C4C124 77F89103 ntdll.RtlEnterCriticalSection
00C4C128 77E7BE13 KERNEL32.InitializeCriticalSection
00C4C12C 77E7E2DC KERNEL32.VirtualFree
00C4C130 77E7175C KERNEL32.VirtualAlloc
00C4C134 77E7C1C6 KERNEL32.LocalFree
00C4C138 77E7C13B KERNEL32.LocalAlloc
镜像基址:00400000 大小:00060000
->> 选择的模块: e:\aal.dll
镜像基址:10000000 大小:00076000
Not sure why. It simply isn't like this.
Isn't the relocation done here?
00C523FB 8B03 mov eax,dword ptr ds:[ebx]
00C523FD 8785 592A4400 xchg dword ptr ss:[ebp+442A59],eax
00C52403 8B95 D8304400 mov edx,dword ptr ss:[ebp+4430D8]
00C52409 8B85 512A4400 mov eax,dword ptr ss:[ebp+442A51]
00C5240F 2BD0 sub edx,eax
00C52411 74 75 je short 00C52488
00C52413 8BC2 mov eax,edx
00C52415 C1E8 10 shr eax,10
00C52418 33DB xor ebx,ebx
00C5241A 8BB5 5D2A4400 mov esi,dword ptr ss:[ebp+442A5D]
00C52420 03B5 D8304400 add esi,dword ptr ss:[ebp+4430D8]
00C52426 833E 00 cmp dword ptr ds:[esi],0
00C52429 74 5D je short 00C52488
00C5242B 8B4E 04 mov ecx,dword ptr ds:[esi+4]
00C5242E 83E9 08 sub ecx,8
00C52431 D1E9 shr ecx,1
00C52433 8B3E mov edi,dword ptr ds:[esi]
00C52435 03BD D8304400 add edi,dword ptr ss:[ebp+4430D8]
00C5243B 83C6 08 add esi,8
00C5243E 66:8B1E mov bx,word ptr ds:[esi]
00C52441 C1EB 0C shr ebx,0C
00C52444 83FB 01 cmp ebx,1
00C52447 74 0C je short 00C52455
00C52449 83FB 02 cmp ebx,2
00C5244C 74 16 je short 00C52464
00C5244E 83FB 03 cmp ebx,3
00C52451 74 20 je short 00C52473
00C52453 EB 2C jmp short 00C52481
00C52455 66:8B1E mov bx,word ptr ds:[esi]
00C52458 81E3 FF0F0000 and ebx,0FFF
00C5245E 66:01041F add word ptr ds:[edi+ebx],ax
00C52462 EB 1D jmp short 00C52481
00C52464 66:8B1E mov bx,word ptr ds:[esi]
00C52467 81E3 FF0F0000 and ebx,0FFF
00C5246D 66:01141F add word ptr ds:[edi+ebx],dx
00C52471 EB 0E jmp short 00C52481
00C52473 66:8B1E mov bx,word ptr ds:[esi]
00C52476 81E3 FF0F0000 and ebx,0FFF
00C5247C 01141F add dword ptr ds:[edi+ebx],edx
00C5247F EB 00 jmp short 00C52481
00C52481 83C6 02 add esi,2
00C52484 ^ E2 B8 loopd short 00C5243E
00C52486 ^ EB 9E jmp short 00C52426
00C52488 8BB5 612A4400 mov esi,dword ptr ss:[ebp+442A61]
300K, so I can't upload the attachment. Frustrating.
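As an added example (not code from the post above), the relocation loop shown in the disassembly reimplemented in Python: it walks the IMAGE_BASE_RELOCATION blocks until a zero VirtualAddress, and dispatches on the same three entry types the packer tests for (1 = HIGH, 2 = LOW, 3 = HIGHLOW), adding delta = actual base - preferred base. Assumptions: the image is a flat buffer where offset equals RVA (sections already mapped), and the sample image and relocation chain in build_sample_image are constructed for the example.

```python
import struct

# Relocation types, numbered as the packer's dispatch tests them (cmp ebx,1/2/3 after shr ebx,0C)
REL_ABSOLUTE, REL_HIGH, REL_LOW, REL_HIGHLOW = 0, 1, 2, 3

def apply_relocations(image, reloc_rva, delta):
    """Patch image in place from the IMAGE_BASE_RELOCATION chain at reloc_rva.
    image: flat buffer with offset == RVA (assumption: sections already mapped).
    delta: actual_base - preferred_base. Returns the number of fixups applied."""
    delta &= 0xFFFFFFFF
    applied, pos = 0, reloc_rva
    while pos + 8 <= len(image):
        page_rva, block_size = struct.unpack_from("<II", image, pos)
        if page_rva == 0:              # cmp dword ptr [esi],0 ; je -> end of chain
            break
        if block_size < 8 or pos + block_size > len(image):
            raise ValueError("malformed relocation block at RVA %#x" % pos)
        count = (block_size - 8) // 2  # sub ecx,8 ; shr ecx,1 -> entries in this block
        for entry, in struct.iter_unpack("<H", image[pos + 8:pos + 8 + count * 2]):
            rtype, target = entry >> 12, page_rva + (entry & 0xFFF)
            if rtype == REL_ABSOLUTE:  # alignment padding, nothing to patch
                continue
            if rtype == REL_HIGHLOW:   # add dword ptr [edi+ebx],edx
                fmt, add = "<I", delta
            elif rtype == REL_HIGH:    # add word ptr [edi+ebx],ax  (ax = delta >> 16)
                fmt, add = "<H", delta >> 16
            elif rtype == REL_LOW:     # add word ptr [edi+ebx],dx
                fmt, add = "<H", delta & 0xFFFF
            else:                      # the packer skips other types silently; fail loudly
                raise ValueError("unsupported relocation type %d" % rtype)
            width = struct.calcsize(fmt)
            if target + width > len(image):
                raise ValueError("fixup at RVA %#x falls outside the image" % target)
            old = struct.unpack_from(fmt, image, target)[0]
            struct.pack_into(fmt, image, target, (old + add) & ((1 << 8 * width) - 1))
            applied += 1
        pos += block_size              # next block (packer: add esi,8 then add esi,2 per entry)
    return applied

def build_sample_image():
    """Constructed sample: pointers for a preferred base of 0x00400000 at RVA
    0x1000, and a relocation chain at RVA 0x2000 ending in a zero block."""
    image = bytearray(0x3000)
    struct.pack_into("<I", image, 0x1000, 0x00401234)  # full pointer -> HIGHLOW
    struct.pack_into("<H", image, 0x1010, 0x0040)      # high word    -> HIGH
    struct.pack_into("<H", image, 0x1020, 0x1234)      # low word     -> LOW
    entries = [(REL_HIGHLOW << 12) | 0x000, (REL_HIGH << 12) | 0x010,
               (REL_LOW << 12) | 0x020, 0]             # trailing ABSOLUTE pad
    struct.pack_into("<II4H", image, 0x2000, 0x1000, 8 + 2 * len(entries), *entries)
    return image, 0x2000
```

Note that this loop, like the packer's, stops at a zero VirtualAddress rather than at the end of the relocation directory, so a table without a terminating zero block would read past its end until the bounds check fires.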
Post #4
Bump. There's no explanation though.