Post #2
After the popad, don't you have to jump away first before you reach the OEP?
Post #3
The Dump plugin finds the size automatically; usually it does not need changing.
If you look it up by hand, first find the PE header; SizeOfImage is in the PE header at offset 0x50.
Post #4
Thanks for the reply. Why is the unpacked file so much bigger when the size is found automatically? And the EP section list shows two extra sections. When I unpack with the ASP auto-unpacker, the file size is the same as the original and there are no extra EP sections. Could you give a detailed example of the manual method? Thanks!!
Post #5
On the file getting bigger, see "A brief discussion of optimizing programs after unpacking" by CCDebuger in Digest 8; it is very well written!
Finding the size by hand goes as follows. Load notepad.exe (W2KSP4) in OD:
1.) Start address: 01000000
The 1C bytes starting at 01000000 are the DOS EXE header; ignore them.
The DD at 0100003C is the Offset to PE signature; in this example it is 000000D8, so the PE header starts at 010000D8.
2.) PE header: 010000D8
...
PE+0050 is SizeOfImage; in this example 01000128 DD 00010000 ; SizeOfImage = 10000 (65536.)
3.) \winnt\system32\notepad.exe (on W2KSP4)
====================== Memory map ==========================
Address Size Owner Section Contains Type Access Initial Mapped as
......
01000000 00001000 notepad 0100 PE header Imag R RWE <=======
01001000 00007000 notepad 0100 .text code,imports Imag R RWE
01008000 00002000 notepad 0100 .data data Imag R RWE
0100A000 00006000 notepad 0100 .rsrc resources Imag R RWE
......
============ Dump - notepad 01000000..01000FFF ================
01000000 4D 5A ASCII "MZ" ; DOS EXE Signature
01000002 9000 DW 0090 ; DOS_PartPag = 90 (144.)
01000004 0300 DW 0003 ; DOS_PageCnt = 3
01000006 0000 DW 0000 ; DOS_ReloCnt = 0
01000008 0400 DW 0004 ; DOS_HdrSize = 4
0100000A 0000 DW 0000 ; DOS_MinMem = 0
0100000C FFFF DW FFFF ; DOS_MaxMem = FFFF (65535.)
0100000E 0000 DW 0000 ; DOS_ReloSS = 0
01000010 B800 DW 00B8 ; DOS_ExeSP = B8
01000012 0000 DW 0000 ; DOS_ChkSum = 0
01000014 0000 DW 0000 ; DOS_ExeIP = 0
01000016 0000 DW 0000 ; DOS_ReloCS = 0
01000018 4000 DW 0040 ; DOS_TablOff = 40
0100001A 0000 DW 0000 ; DOS_Overlay = 0
.
.
.
0100003C D8000000 DD 000000D8 ; Offset to PE signature <=======
.
.
.
010000D8 50 45 00 00>ASCII "PE" ; PE signature (PE)
010000DC 4C01 DW 014C ; Machine = IMAGE_FILE_MACHINE_I386
010000DE 0300 DW 0003 ; NumberOfSections = 3
010000E0 7C65F637 DD 37F6657C ; TimeDateStamp = 37F6657C
010000E4 00000000 DD 00000000 ; PointerToSymbolTable = 0
010000E8 00000000 DD 00000000 ; NumberOfSymbols = 0
010000EC E000 DW 00E0 ; SizeOfOptionalHeader = E0 (224.)
010000EE 0F03 DW 030F ; Characteristics = EXECUTABLE_IMAGE|32BIT_MACHINE|RELOCS_STRIPPED|LINE_NUMS_STRIPPED|LOCAL_SYMS_STRIPPED|DEBUG_STRIPPED
010000F0 0B01 DW 010B ; MagicNumber = PE32
010000F2 05 DB 05 ; MajorLinkerVersion = 5
010000F3 0C DB 0C ; MinorLinkerVersion = C (12.)
010000F4 00660000 DD 00006600 ; SizeOfCode = 6600 (26112.)
010000F8 006E0000 DD 00006E00 ; SizeOfInitializedData = 6E00 (28160.)
010000FC 00000000 DD 00000000 ; SizeOfUninitializedData = 0
01000100 20640000 DD 00006420 ; AddressOfEntryPoint = 6420
01000104 00100000 DD 00001000 ; BaseOfCode = 1000
01000108 00800000 DD 00008000 ; BaseOfData = 8000
0100010C 00000001 DD 01000000 ; ImageBase = 1000000
01000110 00100000 DD 00001000 ; SectionAlignment = 1000
01000114 00020000 DD 00000200 ; FileAlignment = 200
01000118 0500 DW 0005 ; MajorOSVersion = 5
0100011A 0000 DW 0000 ; MinorOSVersion = 0
0100011C 0500 DW 0005 ; MajorImageVersion = 5
0100011E 0000 DW 0000 ; MinorImageVersion = 0
01000120 0400 DW 0004 ; MajorSubsystemVersion = 4
01000122 0000 DW 0000 ; MinorSubsystemVersion = 0
01000124 00000000 DD 00000000 ; Reserved
01000128 00000100 DD 00010000 ; SizeOfImage = 10000 (65536.) <=======
0100012C 00060000 DD 00000600 ; SizeOfHeaders = 600 (1536.)
01000130 B4E80000 DD 0000E8B4 ; CheckSum = E8B4
01000134 0200 DW 0002 ; Subsystem = IMAGE_SUBSYSTEM_WINDOWS_GUI
01000136 0080 DW 8000 ; DLLCharacteristics = 8000
01000138 00000400 DD 00040000 ; SizeOfStackReserve = 40000 (262144.)
0100013C 00100000 DD 00001000 ; SizeOfStackCommit = 1000 (4096.)
01000140 00001000 DD 00100000 ; SizeOfHeapReserve = 100000 (1048576.)
01000144 00100000 DD 00001000 ; SizeOfHeapCommit = 1000 (4096.)
01000148 00000000 DD 00000000 ; LoaderFlags = 0
.
.
.
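The lookup from post #5 in script form, as an added example that is not from the thread: follow the DD at 0x3C to the PE header, read SizeOfImage at PE+0x50, and cross-check it against the section table (VirtualAddress + VirtualSize of the last section, rounded up to SectionAlignment). The header bytes are constructed inside the script from the values in the dump above, and the .text/.data/.rsrc layout is taken from the memory map, so no real notepad.exe is needed.

```python
import struct

SECTION_ALIGNMENT_OFF = 0x38  # PE+0x38 (01000110 in the dump above)
SIZE_OF_IMAGE_OFF = 0x50      # PE+0x50 (01000128 in the dump above)

def align_up(value, alignment):
    return (value + alignment - 1) & ~(alignment - 1)

def pe_header_offset(image):
    """Follow the DD at 0x3C (e_lfanew) to the 'PE\\0\\0' signature (step 1)."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at 0x%X" % pe)
    return pe

def size_of_image(image):
    """Step 2: read SizeOfImage straight from the optional header."""
    return struct.unpack_from("<I", image, pe_header_offset(image) + SIZE_OF_IMAGE_OFF)[0]

def size_from_sections(image):
    """Step 3: recompute the size the loader needs from the section table."""
    pe = pe_header_offset(image)
    nsec, = struct.unpack_from("<H", image, pe + 6)          # NumberOfSections
    opt_size, = struct.unpack_from("<H", image, pe + 0x14)   # SizeOfOptionalHeader
    align, = struct.unpack_from("<I", image, pe + SECTION_ALIGNMENT_OFF)
    end = 0
    for i in range(nsec):  # IMAGE_SECTION_HEADER is 40 bytes; VirtualSize/VirtualAddress at +8
        vsize, va = struct.unpack_from("<II", image, pe + 0x18 + opt_size + i * 40 + 8)
        end = max(end, va + vsize)
    return align_up(end, align)

def build_sample_image(sections, header_size_of_image=0x10000):
    """Constructed header-only PE32 image for this demo; not a real binary."""
    buf = bytearray(0x600)
    buf[0:2], pe = b"MZ", 0xD8
    struct.pack_into("<I", buf, 0x3C, pe)                        # Offset to PE signature
    buf[pe:pe + 4] = b"PE\0\0"
    struct.pack_into("<HH", buf, pe + 4, 0x14C, len(sections))   # Machine, NumberOfSections
    struct.pack_into("<H", buf, pe + 0x14, 0xE0)                 # SizeOfOptionalHeader
    struct.pack_into("<I", buf, pe + SECTION_ALIGNMENT_OFF, 0x1000)
    struct.pack_into("<I", buf, pe + SIZE_OF_IMAGE_OFF, header_size_of_image)
    for i, (name, va, vsize) in enumerate(sections):
        off = pe + 0x18 + 0xE0 + i * 40
        buf[off:off + 8] = name.ljust(8, b"\0")
        struct.pack_into("<II", buf, off + 8, vsize, va)
    return bytes(buf)

NOTEPAD_LIKE = [(b".text", 0x1000, 0x7000), (b".data", 0x8000, 0x2000), (b".rsrc", 0xA000, 0x6000)]
```

A dump that had extra sections appended, as post #4 describes, shows up here as the section-table size exceeding the header's SizeOfImage, which is exactly the case where the value has to be fixed by hand.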
Post #6
Many thanks for the reply above; bookmarked, I will study it carefully.