目标软件:WinIso 5.3
使用工具:OllyDbg , PEiD , ImportREC
PEiD查壳:UPX 0.89.6 - 1.02 / 1.05 - 1.24 (Delphi) stub -> Markus & Laszlo
OD载入,停在这里:
005391D0 > 60 PUSHAD // 入口
005391D1 BE 00704D00 MOV ESI,WinISO.004D7000
005391D6 8DBE 00A0F2FF LEA EDI,DWORD PTR DS:[ESI+FFF2A000]
005391DC C787 38080E00 4>MOV DWORD PTR DS:[EDI+E0838],73C86D48
005391E6 57 PUSH EDI
......// 往下运行
00539326 B9 5748F2AE MOV ECX,AEF24857
0053932B 55 PUSH EBP
0053932C FF96 34B31300 CALL DWORD PTR DS:[ESI+13B334]
00539332 09C0 OR EAX,EAX
00539334 74 07 JE SHORT WinISO.0053933D
00539336 8903 MOV DWORD PTR DS:[EBX],EAX
00539338 83C3 04 ADD EBX,4
0053933B ^ EB D8 JMP SHORT WinISO.00539315
0053933D FF96 38B31300 CALL DWORD PTR DS:[ESI+13B338]
00539343 61 POPAD // 出口
00539344 - E9 B77CECFF JMP WinISO.00401000 // 跳转到OEP?
00401000 /EB 10 JMP SHORT WinISO.00401012
00401002 |66:623A BOUND DI,DWORD PTR DS:[EDX]
00401005 |43 INC EBX
00401006 |2B2B SUB EBP,DWORD PTR DS:[EBX]
00401008 |48 DEC EAX
00401009 |4F DEC EDI
0040100A |4F DEC EDI
0040100B |4B DEC EBX
0040100C |90 NOP
0040100D -|E9 B4544C00 JMP 008C64C6
00401012 \A1 A7544C00 MOV EAX,DWORD PTR DS:[4C54A7]
00401012 A1 A7544C00 MOV EAX,DWORD PTR DS:[4C54A7]
00401017 C1E0 02 SHL EAX,2
0040101A A3 AB544C00 MOV DWORD PTR DS:[4C54AB],EAX
0040101F 52 PUSH EDX
00401020 6A 00 PUSH 0
00401022 E8 AD300C00 CALL WinISO.004C40D4 ; JMP 到 kernel32.GetModuleHandleA
00401027 8BD0 MOV EDX,EAX
00401029 E8 96400B00 CALL WinISO.004B50C4
0040102E 5A POP EDX
0040102F E8 F43F0B00 CALL WinISO.004B5028
00401034 E8 CB400B00 CALL WinISO.004B5104
00401039 6A 00 PUSH 0
0040103B E8 50550B00 CALL WinISO.004B6590
00401040 59 POP ECX
00401041 68 50544C00 PUSH WinISO.004C5450
00401046 6A 00 PUSH 0
00401048 E8 87300C00 CALL WinISO.004C40D4 ; JMP 到 kernel32.GetModuleHandleA
我在00401000这里DUMP,脱出来的程序修复IAT.
我在ImportREC里面的OEP这里写00401000,点"自动查找IAT",弹出"无效OEP,其不匹配进程内存".
请问高手:我DUMP的地方对不对?04001000这个是OEP吗?
[培训]《安卓高级研修班(网课)》月薪三万计划,掌握调试、分析还原ollvm、vmp的方法,定制art虚拟机自动化脱壳的方法
