-
-
[求助]用themida加壳的DELPHI OEP修复问题~
-
发表于:
2007-7-20 11:46
4791
-
[求助]用themida加壳的DELPHI OEP修复问题~
用脚本找到OEP后:
004063DC 53 push ebx -----找到的OEP
004063DD 8BD8 mov ebx, eax
004063DF 33C0 xor eax, eax
004063E1 A3 A0C04C00 mov dword ptr [4CC0A0], eax
004063E6 6A 00 push 0
004063E8 E8 2BFFFFFF call 00406318 ; jmp 到 kernel32.GetModuleHandleA
004063ED A3 64F64C00 mov dword ptr [4CF664], eax
004063F2 A1 64F64C00 mov eax, dword ptr [4CF664]
004063F7 A3 ACC04C00 mov dword ptr [4CC0AC], eax
004063FC 33C0 xor eax, eax
004063FE A3 B0C04C00 mov dword ptr [4CC0B0], eax
00406403 33C0 xor eax, eax
00406405 A3 B4C04C00 mov dword ptr [4CC0B4], eax
0040640A E8 C1FFFFFF call 004063D0
0040640F BA A8C04C00 mov edx, 004CC0A8
00406414 8BC3 mov eax, ebx
00406416 E8 F5D9FFFF call 00403E10
0040641B 5B pop ebx
0040641C C3 retn
而一般的DELPHI程序(跟上面不同个程序)的OEP是
0045E460 > $ 55 push ebp -------------一般的DELPHI程序的OEP
0045E461 . 8BEC mov ebp, esp
0045E463 . 83C4 F0 add esp, -10
0045E466 . B8 88E14500 mov eax, 0045E188
0045E46B . E8 EC77FAFF call 00405C5C -----------------上面用脚本找到的OEP是这CALL里的代码
0045E470 . A1 6C074600 mov eax, dword ptr [46076C]
0045E475 . 8B00 mov eax, dword ptr [eax]
0045E477 . E8 EC10FFFF call 0044F568
0045E47C . 8B0D AC084600 mov ecx, dword ptr [4608AC] ; Server.00461E34
0045E482 . A1 6C074600 mov eax, dword ptr [46076C]
0045E487 . 8B00 mov eax, dword ptr [eax]
0045E489 . 8B15 4CD84500 mov edx, dword ptr [45D84C] ; Server.0045D898
0045E48F . E8 EC10FFFF call 0044F580
0045E494 . A1 6C074600 mov eax, dword ptr [46076C]
0045E499 . 8B00 mov eax, dword ptr [eax]
0045E49B . E8 6011FFFF call 0044F600
0045E4A0 . E8 8B58FAFF call 00403D30
对比了一下,用脚本找到的“OEP”是原始OEP里的一个CALL的代码,我用脚本找到OEP后,“向上”都找不到相关的正确的OEP代码,估计是被TMD给删了~现在想补这段代码,想问下有什么办法?那几个CALL的地址已经找到了,但不是CALL的就找不到~~~
[课程]Android-CTF解题方法汇总!
