00465000 Vipe> 60 pushad \\在这里记下ESP值 0012ffc4 ,f8一下
00465001 E8 00000000 call Viper免?00465006\\到这里 记下ESP值0012ffa4
00465006 5D pop ebp
00465007 81ED 06000000 sub ebp,6
0046500D EB 05 jmp short Viper免?00465014
0046500F B8 49DCF466 mov eax,66F4DC49
00465014 64:A0 23000000 mov al,byte ptr fs:[23]
0046501A EB 03 jmp short Viper免?0046501F
0046501C C784E8 84C0EB03 >mov dword ptr ds:[eax+ebp*8+3EBC0>
00465027 67:B9 49000000 mov ecx,49
0046502D 8DB5 C5020000 lea esi,dword ptr ss:[ebp+2C5]
00465033 56 push esi
00465034 8006 44 add byte ptr ds:[esi],44
00465037 46 inc esi
f9一下 打开内存 在代码段 下F2断点
内存映射,项目 22
地址=00400000
大小=00086000 (548864.)
宿主=Viper免?00400000 (自身)
区段=
包含=PE header
类型=Imag 01001002
访问=R
初始访问=RWE
shift+f9运行
0D8DE8D3 8A06 mov al,byte ptr ds:[esi] \\断在这里
0D8DE8D5 46 inc esi
0D8DE8D6 47 inc edi
0D8DE8D7 8843 0F mov byte ptr ds:[ebx+F],al
0D8DE8DA 8A46 FF mov al,byte ptr ds:[esi-1]
0D8DE8DD 55 push ebp
0D8DE8DE E8 00000000 call 0D8DE8E3
0D8DE8E3 5D pop ebp
0D8DE8E4 81ED 0D470000 sub ebp,470D
0D8DE8EA 8A8D 50030000 mov cl,byte ptr ss:[ebp+350]
0D8DE8F0 5D pop ebp
0D8DE8F1 32C1 xor al,cl
0D8DE8F3 8847 FF mov byte ptr ds:[edi-1],al
0D8DE8F6 8BC5 mov eax,ebp
0D8DE8F8 4D dec ebp
0D8DE8F9 85C0 test eax,eax
0D8DE8FB ^ 75 A4 jnz short 0D8DE8A1
然后在命令行 下硬件断点 hr 0012FFa4 (就是载入程序的时候 记下的ESP值)
0012FC40 60 pushad \\第一次断在这里,继续shift+f9
0012FC41 E8 03000000 call 0012FC49
0012FC46 D2EB shr bl,cl
0012FC48 0A58 EB or bl,byte ptr ds:[eax-15]
0012FC4B 0148 40 add dword ptr ds:[eax+40],ecx
0012FC4E EB 01 jmp short 0012FC51
0012FC50 35 FFE061E8 xor eax,E861E0FF
0012FC55 0100 add dword ptr ds:[eax],eax
0012FC57 0000 add byte ptr ds:[eax],al
0012FC59 E8 E8020000 call 0012FF46
0012FC54 E8 01000000 call 0012FC5A\\第二次断在这里,继续shift+f9
0012FC59 E8 E8020000 call 0012FF46
0012FC5E 00CD add ch,cl
0012FC60 2083 04240B83 and byte ptr ds:[ebx+830B2404],al
0012FC66 44 inc esp
0012FC67 24 04 and al,4
0012FC69 13C3 adc eax,ebx
0012FC6B E9 E8020000 jmp 0012FF58
0012FC70 00CD add ch,cl
0012FC72 2083 042408C3 and byte ptr ds:[ebx+C3082404],al
0012FC78 E8 E8320000 call 00132F65
0012FCFB E8 00000000 call 0012FD00\\第三次断这里
0012FD00 5D pop ebp
0012FD01 E8 02000000 call 0012FD08
0012FD06 CD20 83042408 vxdcall 8240483
0012FD0C C3 retn
0012FD0D E8 83ED05EB call EB18EA95
0012FD12 020F add cl,byte ptr ds:[edi]
0012FD14 C7 ??? ; 未知命令
0012FD15 EB 02 jmp short 0012FD19
然后删除硬件访问断点`下模拟跟踪命令
tc ebp==12ffc0(载入程序记下的ESP值)
0D9EE2E2 58 pop eax ; 0D9EE159\\停在这里,F8走,碰到CALL就停下
0D9EE2E3 83C4 1C add esp,1C
0D9EE2E6 83C4 2C add esp,2C
0D9EE2E9 E9 51170000 jmp 0D9EFA3F
00451A18 90 nop
00451A19 90 nop
00451A1A 90 nop
00451A1B 90 nop
00451A1C 90 nop
00451A1D 90 nop
00451A1E 90 nop
00451A1F 90 nop
00451A20 90 nop
00451A21 90 nop
00451A22 90 nop
00451A23 E8 A041FBFF call Viper免?00405BC8 \\F8到这里停下 很明显的delphi程序 补上被
盗的命令 55 8B EC 83 C4 F0 B8 64 23 45 00
00451A28 A1 A4304500 mov eax,dword ptr ds:[4530A4]
00451A2D 8B00 mov eax,dword ptr ds:[eax]
00451A2F E8 7CE1FFFF call Viper免?0044FBB0
00451A34 8B0D 80314500 mov ecx,dword ptr ds:[453180] ; Viper免?00454BD0
00451A3A A1 A4304500 mov eax,dword ptr ds:[4530A4]
00451A3F 8B00 mov eax,dword ptr ds:[eax]
00451A41 8B15 50114500 mov edx,dword ptr ds:[451150] ; Viper免?0045119C
00451A47 E8 7CE1FFFF call Viper免?0044FBC8
00451A4C A1 A4304500 mov eax,dword ptr ds:[4530A4]
00451A51 8B00 mov eax,dword ptr ds:[eax]
00451A53 E8 F0E1FFFF call Viper免?0044FC48
00451A58 E8 C322FBFF call Viper免?00403D20
00451A5D 8D40 00 lea eax,dword ptr ds:[eax]
00451A60 0000 add byte ptr ds:[eax],al
00451A62 0000 add byte ptr ds:[eax],al
00451A64 0000 add byte ptr ds:[eax],al
补完后的程序
00451A18 55 push ebp //在这里右键 在此处新键EIP
00451A19 8BEC mov ebp,esp
00451A1B 83C4 F0 add esp,-10
00451A1E B8 64234500 mov eax,Viper免?00452364
00451A23 E8 A041FBFF call Viper免?00405BC8
00451A28 A1 A4304500 mov eax,dword ptr ds:[4530A4]
00451A2D 8B00 mov eax,dword ptr ds:[eax]
00451A2F E8 7CE1FFFF call Viper免?0044FBB0
00451A34 8B0D 80314500 mov ecx,dword ptr ds:[453180] ; Viper免?00454BD0
00451A3A A1 A4304500 mov eax,dword ptr ds:[4530A4]
00451A3F 8B00 mov eax,dword ptr ds:[eax]
00451A41 8B15 50114500 mov edx,dword ptr ds:[451150] ; Viper免?0045119C
00451A47 E8 7CE1FFFF call Viper免?0044FBC8
00451A4C A1 A4304500 mov eax,dword ptr ds:[4530A4]
00451A51 8B00 mov eax,dword ptr ds:[eax]
00451A53 E8 F0E1FFFF call Viper免?0044FC48
00451A58 E8 C322FBFF call Viper免?00403D20
00451A5D 8D40 00 lea eax,dword ptr ds:[eax]
然后dumped出来
打开ImportREC_fix1.6 修复IAT 发现10个无法识别的,手动修复后 还不可以运行 剪切也不能运行
请问各位大虾 怎么办???
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!