【Title】: Notes on an FSG 2.0 unpacking exercise
【Author】: bxm
【Author e-mail】: bxm78@163.com
【Target】: notepad.exe packed with FSG 2.0
【Packer】: FSG 2.0
【Tools used】: OllyDbg (OD), PEiD, SuperImportREC
【Author's note】: I wrote this to keep a record of my own learning, and to spare beginners like me a few detours.
--------------------------------------------------------------------------------
【Walkthrough】
Tracing by hand through the FSG loader stub, we soon reach the original entry point (OEP) at 0100739D, which shows the familiar CRT startup prologue of notepad.exe:
0100739D . 6A 70 push 70
0100739F . 68 98180001 push 01001898
010073A4 . E8 BF010000 call 01007568
010073A9 . 33DB xor ebx, ebx
010073AB . 53 push ebx ; /pModule => NULL
010073AC . 8B3D CC100001 mov edi, dword ptr [10010CC] ; |kernel32.GetModuleHandleA
010073B2 . FFD7 call edi ; \GetModuleHandleA
Dumping here with the OD plugin and running the result gives an error dialog at startup, which looks like an import table that was not repaired.
Repairing the imports with SuperImportREC does not help either: the dump still refuses to run, this time without any message at all.
Back in OD, follow the pointer used by the OEP code (the mov edi, dword ptr [10010CC] above) with d 10010cc in the dump window; the import address table looks like this:
01001000 77DA6FC8 ADVAPI32.RegQueryValueExW
01001004 77DA6BF0 ADVAPI32.RegCloseKey
01001008 77DC8F7D ADVAPI32.RegCreateKeyW
0100100C 77DCD5FD ADVAPI32.IsTextUnicode
01001010 77DA7883 ADVAPI32.RegQueryValueExA
01001014 77DA761B ADVAPI32.RegOpenKeyExA
01001018 77DAD7CC ADVAPI32.RegSetValueExW
0100101C 7FFFFFFF
01001020 7718D260 comctl32.CreateStatusWindowW
01001024 7FFFFFFF
01001028 77F0DDC9 GDI32.EndPage
0100102C 77F2383F GDI32.AbortDoc
01001030 77F0E051 GDI32.EndDoc
01001034 77EF6E98 GDI32.DeleteDC
01001038 77F0F126 GDI32.StartPage
0100103C 77EF7FD6 GDI32.GetTextExtentPoint32W
01001040 77EFBE91 GDI32.CreateDCW
01001044 77F2395F GDI32.SetAbortProc
01001048 77EF9AC7 GDI32.GetTextFaceW
0100104C 77EF7EE5 GDI32.TextOutW
01001050 77F244CF GDI32.StartDocW
01001054 77F1EE65 GDI32.EnumFontsW
01001058 77EF61E1 GDI32.GetStockObject
0100105C 77EF8394 GDI32.GetObjectW
01001060 77EF5A8A GDI32.GetDeviceCaps
01001064 77EF9999 GDI32.CreateFontIndirectW
01001068 77EF6C2D GDI32.DeleteObject
0100106C 77EF7DF2 GDI32.GetTextMetricsW
01001070 77EF5EFB GDI32.SetBkMode
01001074 77EFD526 GDI32.LPtoDP
01001078 77F06C94 GDI32.SetWindowExtEx
0100107C 77F06D3D GDI32.SetViewportExtEx
01001080 77EF9A1A GDI32.SetMapMode
01001084 77EF5B90 GDI32.SelectObject
01001088 7FFFFFFF
0100108C 7C809728 kernel32.GetCurrentThreadId
01001090 7C80929C kernel32.GetTickCount
01001094 7C80A427 kernel32.QueryPerformanceCounter
01001098 7C80A7D4 kernel32.GetLocalTime
0100109C 7C809F10 kernel32.GetUserDefaultLCID
010010A0 7C833775 kernel32.GetDateFormatW
010010A4 7C833FD3 kernel32.GetTimeFormatW
010010A8 7C80FF19 kernel32.GlobalLock
010010AC 7C80FE82 kernel32.GlobalUnlock
010010B0 7C810C6D kernel32.GetFileInformationByHandle
010010B4 7C80938E kernel32.CreateFileMappingW
010010B8 7C8017E5 kernel32.GetSystemTimeAsFileTime
010010BC 7C801E16 kernel32.TerminateProcess
010010C0 7C80DDF5 kernel32.GetCurrentProcess
010010C4 7C84479D kernel32.SetUnhandledExceptionFilter
010010C8 7C801D77 kernel32.LoadLibraryA
010010CC 7C80B6A1 kernel32.GetModuleHandleA
010010D0 7C801EEE kernel32.GetStartupInfoA
010010D4 7C80FC2F kernel32.GlobalFree
010010D8 7C811562 kernel32.GetLocaleInfoW
010010DC 7C80992F kernel32.LocalFree
010010E0 7C80998D kernel32.LocalAlloc
010010E4 7C809A09 kernel32.lstrlenW
010010E8 7C832EB1 kernel32.LocalUnlock
010010EC 7C80A35E kernel32.CompareStringW
010010F0 7C832E1D kernel32.LocalLock
010010F4 7C879636 kernel32.FoldStringW
010010F8 7C809B47 kernel32.CloseHandle
010010FC 7C80BA64 kernel32.lstrcpyW
01001100 7C80180E kernel32.ReadFile
01001104 7C810760 kernel32.CreateFileW
01001108 7C80A996 kernel32.lstrcmpiW
0100110C 7C809920 kernel32.GetCurrentProcessId
01001110 7C80ADA0 kernel32.GetProcAddress
01001114 7C816F83 kernel32.GetCommandLineW
01001118 7C810F32 kernel32.lstrcatW
0100111C 7C80EDD7 kernel32.FindClose
01001120 7C80EEE1 kernel32.FindFirstFileW
01001124 7C80B74C kernel32.GetFileAttributesW
01001128 7C80A9CC kernel32.lstrcmpW
0100112C 7C8097C6 kernel32.MulDiv
01001130 7C80B9EF kernel32.lstrcpynW
01001134 7C8325BC kernel32.LocalSize
01001138 7C930331 ntdll.RtlGetLastWin32Error
0100113C 7C810D87 kernel32.WriteFile
01001140 7C930340 ntdll.RtlSetLastWin32Error
01001144 7C80A0D4 kernel32.WideCharToMultiByte
01001148 7C830927 kernel32.LocalReAlloc
0100114C 7C834B8F kernel32.FormatMessageW
01001150 7C813070 kernel32.GetUserDefaultUILanguage
01001154 7C832044 kernel32.SetEndOfFile
01001158 7C831F31 kernel32.DeleteFileW
0100115C 7C809915 kernel32.GetACP
01001160 7C80B974 kernel32.UnmapViewOfFile
01001164 7C809BF8 kernel32.MultiByteToWideChar
01001168 7C80B905 kernel32.MapViewOfFile
0100116C 7C862E62 kernel32.UnhandledExceptionFilter
01001170 7FFFFFFF
01001174 7D6470B0 SHELL32.DragFinish
01001178 7D5E0702 SHELL32.DragQueryFileW
0100117C 7D5FAF9E SHELL32.DragAcceptFiles
01001180 7D63240B SHELL32.ShellAboutW
01001184 7FFFFFFF
01001188 77D1B6AE USER32.GetClientRect
0100118C 77D1BF58 USER32.SetCursor
01001190 77D1869D USER32.ReleaseDC
01001194 77D186C7 USER32.GetDC
01001198 77D2662C USER32.DialogBoxParamW
0100119C 77D248CD USER32.SetActiveWindow
010011A0 77D1C21E USER32.GetKeyboardLayout
010011A4 77D1B33C USER32.DefWindowProcW
010011A8 77D1DAEA USER32.DestroyWindow
010011AC 77D31F4C USER32.MessageBeep
010011B0 77D1D8A4 USER32.ShowWindow
010011B4 77D1BE4B USER32.GetForegroundWindow
010011B8 77D1BE27 USER32.IsIconic
010011BC 77D3039F USER32.GetWindowPlacement
010011C0 77D190D2 USER32.CharUpperW
010011C4 77D19E36 USER32.LoadStringW
010011C8 77D21D38 USER32.LoadAcceleratorsW
010011CC 77D1DB70 USER32.GetSystemMenu
010011D0 77D1AF7F USER32.RegisterClassExW
010011D4 77D23744 USER32.LoadImageW
010011D8 77D19D69 USER32.LoadCursorW
010011DC 77D2DF46 USER32.SetWindowPlacement
010011E0 77D1FF50 USER32.CreateWindowExW
010011E4 77D1E5ED USER32.GetDesktopWindow
010011E8 77D1BEF0 USER32.GetFocus
010011EC 77D212EA USER32.LoadIconW
010011F0 77D1BC36 USER32.SetWindowTextW
010011F4 77D21211 USER32.PostQuitMessage
010011F8 77D1AF34 USER32.RegisterWindowMessageW
010011FC 77D1D7F9 USER32.UpdateWindow
01001200 77D2F728 USER32.SetScrollPos
01001204 77D1DB9A USER32.CharLowerW
01001208 77D1929B USER32.PeekMessageW
0100120C 77D1BE71 USER32.EnableWindow
01001210 77D1EC50 USER32.DrawTextExW
01001214 77D284EE USER32.CreateDialogParamW
01001218 77D1CDB6 USER32.GetWindowTextW
0100121C 77D18F9D USER32.GetSystemMetrics
01001220 77D1DBEC USER32.MoveWindow
01001224 77D1B5F5 USER32.InvalidateRect
01001228 77D6178C USER32.WinHelpW
0100122C 77D1D869 USER32.GetDlgCtrlID
01001230 77D2BAAF USER32.ChildWindowFromPoint
01001234 77D1BDC8 USER32.ScreenToClient
01001238 77D1BD76 USER32.GetCursorPos
0100123C 77D25CDA USER32.SendDlgItemMessageW
01001240 77D1B8BA USER32.SendMessageW
01001244 77D1DAFE USER32.CharNextW
01001248 77D31A8E USER32.CheckMenuItem
0100124C 77D3023D USER32.CloseClipboard
01001250 77D2F13E USER32.IsClipboardFormatAvailable
01001254 77D3024F USER32.OpenClipboard
01001258 77D29414 USER32.GetMenuState
0100125C 77D1EA2F USER32.EnableMenuItem
01001260 77D216E2 USER32.GetSubMenu
01001264 77D3148B USER32.GetMenu
01001268 77D660F2 USER32.MessageBoxW
0100126C 77D1D62B USER32.SetWindowLongW
01001270 77D188A6 USER32.GetWindowLongW
01001274 77D24816 USER32.GetDlgItem
01001278 77D1DA60 USER32.SetFocus
0100127C 77D25C7A USER32.SetDlgItemTextW
01001280 77D1A9B6 USER32.wsprintfW
01001284 77D247AD USER32.GetDlgItemTextW
01001288 77D26250 USER32.EndDialog
0100128C 77D1B72F USER32.GetParent
01001290 77D3187D USER32.UnhookWinEvent
01001294 77D18A01 USER32.DispatchMessageW
01001298 77D18BF6 USER32.TranslateMessage
0100129C 77D1941E USER32.TranslateAcceleratorW
010012A0 77D2DFBC USER32.IsDialogMessageW
010012A4 77D18CCB USER32.PostMessageW
010012A8 77D191C6 USER32.GetMessageW
010012AC 77D317C8 USER32.SetWinEventHook
010012B0 FFFFFFFF
010012B4 72F76090
010012B8 72F75390
010012BC 72F75749
010012C0 7FFFFFFF
010012C4 763448D6 comdlg32.PageSetupDlgW
010012C8 76338696 comdlg32.FindTextW
010012CC 76349D29 comdlg32.PrintDlgExW
010012D0 7633C4A9 comdlg32.ChooseFontW
010012D4 76321986 comdlg32.GetFileTitleW
010012D8 76337C65 comdlg32.GetOpenFileNameW
010012DC 763386CA comdlg32.ReplaceTextW
010012E0 763300CE comdlg32.CommDlgExtendedError
010012E4 76337CF3 comdlg32.GetSaveFileNameW
010012E8 7FFFFFFF
010012EC 77C02DAE msvcrt._XcptFilter
010012F0 77C09E9A msvcrt._exit
010012F4 77C09ECE msvcrt._c_exit
010012F8 77C1AEA3 msvcrt.time
010012FC 77C1AB3D msvcrt.localtime
01001300 77C09EB6 msvcrt._cexit
01001304 77BED036 msvcrt.iswctype
01001308 77C05C94 msvcrt._except_handler3
0100130C 77BECE77 msvcrt._wtol
01001310 77C1802F msvcrt.wcsncmp
01001314 77C0FB0C msvcrt._snwprintf
01001318 77C09E7E msvcrt.exit
0100131C 77C317AC offset msvcrt._acmdln
01001320 77BEEEEB msvcrt.__getmainargs
01001324 77C09D67 msvcrt._initterm
01001328 77C1D675 msvcrt.__setusermatherr
0100132C 77C323D8 offset msvcrt._adjust_fdiv
01001330 77BEF1A4 msvcrt.__p__commode
01001334 77BEF1DB msvcrt.__p__fmode
01001338 77C0537C msvcrt.__set_app_type
0100133C 77C1EE2F msvcrt._controlfp
01001340 77C1806B msvcrt.wcsncpy
01001344 7FFFFFFF
01001348 00000000
0100134C 00000000
In a normal import table the thunk block of each DLL ends with a 00000000 entry and the next DLL's block starts right after it. Here the blocks are separated by 7FFFFFFF instead, so the import rebuilders, which expect a null terminator, cannot split the table into modules and leave it broken. Change every 7FFFFFFF in this range to 00000000 in the dump window (select the dword, Binary > Edit, Ctrl+E), dump again with the OD plugin, and the unpacked notepad runs. (The alternative is to let ImportREC show the 7FFFFFFF entries as invalid pointers after Get Imports and cut them, but patching the separators before the dump is simpler and also lets the plugin's own import rebuild succeed.)
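The separator check from the previous paragraph, as an added example rather than code from the original post: a small Python script that walks a raw copy of the IAT, splits it into per-DLL thunk blocks on the 7FFFFFFF marker, and rewrites those markers to the 00000000 terminator before the file is dumped or fed to ImportREC. The IAT base 01001000 and the thunk values come from the OD listing above; the short byte string is constructed for the demo, and patch_dump_file, its file-offset argument and the FSG_SEPARATOR / PE_TERMINATOR names are my own assumptions, not part of FSG or of any tool named in the post.

```python
"""Added example, not from the original post: scan an FSG 2.0 target's IAT
for the 7FFFFFFF dwords that sit between the thunk blocks of successive
DLLs and rewrite them to the 00000000 terminator a normal PE import table
uses. Operates on a raw byte image of the IAT, so it runs offline on a dump.
The IAT base (01001000) and thunk values are taken from the OllyDbg listing;
the byte string below is constructed for the demo (assumption)."""
import struct

FSG_SEPARATOR = 0x7FFFFFFF  # value observed between DLL blocks in the post's dump
PE_TERMINATOR = 0x00000000  # what the PE loader, ImportREC and OllyDump expect
IAT_BASE_VA = 0x01001000    # first IAT entry in the listing (ADVAPI32.RegQueryValueExW)

# Constructed sample: three DLL blocks in the post's layout, ending in two zeros.
SAMPLE_IAT = struct.pack(
    "<10I",
    0x77DA6FC8, 0x77DA6BF0,   # ADVAPI32.RegQueryValueExW, RegCloseKey
    FSG_SEPARATOR,
    0x7718D260,               # comctl32.CreateStatusWindowW
    FSG_SEPARATOR,
    0x77F0DDC9, 0x77F2383F,   # GDI32.EndPage, AbortDoc
    FSG_SEPARATOR,
    0x00000000, 0x00000000,   # end of table
)


def iter_dwords(data):
    """Yield (offset, value) for every complete little-endian dword in data."""
    for off in range(0, len(data) - len(data) % 4, 4):
        yield off, struct.unpack_from("<I", data, off)[0]


def split_iat_blocks(iat, base_va=IAT_BASE_VA, separator=FSG_SEPARATOR):
    """Split the IAT into per-DLL thunk blocks: a list of (start_va, [thunks]).

    A separator dword (or a zero) closes the current block; an empty block,
    i.e. two terminators in a row, marks the end of the table.  With
    separator=PE_TERMINATOR this is exactly how a well-formed IAT is read.
    """
    blocks, current, start = [], [], base_va
    for off, val in iter_dwords(iat):
        if val == separator or val == PE_TERMINATOR:
            if not current:
                break                          # empty block: end of table
            blocks.append((start, current))
            current, start = [], base_va + off + 4
        else:
            current.append(val)
    if current:                                # table ran off the end without a terminator
        blocks.append((start, current))
    return blocks


def patch_separators(iat, old=FSG_SEPARATOR, new=PE_TERMINATOR):
    """Return (patched_bytes, [offsets rewritten]) with every `old` dword set to `new`."""
    buf = bytearray(iat)
    patched = []
    for off, val in iter_dwords(iat):
        if val == old:
            struct.pack_into("<I", buf, off, new)
            patched.append(off)
    return bytes(buf), patched


def patch_dump_file(path, iat_file_offset, iat_size):
    """Patch a dump on disk in place and return the file offsets changed.

    iat_file_offset is the raw offset of the IAT inside the dump (assumption:
    work it out from the dump's section table rather than trusting that raw
    offsets equal RVAs in the dumped image).
    """
    with open(path, "r+b") as f:
        f.seek(iat_file_offset)
        fixed, offsets = patch_separators(f.read(iat_size))
        f.seek(iat_file_offset)
        f.write(fixed)
    return [iat_file_offset + o for o in offsets]


if __name__ == "__main__":
    for start, thunks in split_iat_blocks(SAMPLE_IAT):
        print("block at %08X: %d thunks" % (start, len(thunks)))
    fixed, offsets = patch_separators(SAMPLE_IAT)
    print("rewrote separators at IAT offsets", [hex(o) for o in offsets])
    # After the patch the table parses identically with the normal zero terminator.
    assert split_iat_blocks(fixed, separator=PE_TERMINATOR) == split_iat_blocks(SAMPLE_IAT)
```

Run it on a real dump by reading the IAT range (01001000 to 0100134C here, 0x34C bytes) at its raw offset in the file and passing that to patch_dump_file; the block list it prints should line up with the DLL groups in the OD listing, one block per module, before ImportREC is pointed at the file.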
--------------------------------------------------------------------------------
【Copyright】: This article was originally written for the 看雪 (Pediy) forum; if you repost it, please credit the author and keep it intact. Thanks!
2007-02-11 14:32:53