[Celebrating the forum redesign] Using the shell to unpack the shell (以壳解壳): SVKP
Posted: 2007-11-24 12:14 7408

【Title】: Using the shell to unpack the shell: SVKP
【Author】: wynney
【Software】: something found on my hard drive
【Download】: search for it yourself
【Author's note】: work has eased off a bit, so I'm popping up again
--------------------------------------------------------------------------------
【Detailed walkthrough】
  1. A stroll to the OEP: the SFX

  Ignore all exceptions (see the screenshot), press Ctrl+F2, and shortly you arrive at the FOEP [if an exception occurs along the way, pass it with Shift+F9]
  
  

00405DC8 . 53 push ebx ; real entry point of the SFX code
00405DC9 . 8BD8 mov ebx,eax ; very typical Delphi signature
00405DCB . 33C0 xor eax,eax
00405DCD . A3 9C304800 mov dword ptr ds:[48309C],eax
00405DD2 . 6A 00 push 0
00405DD4 . E8 2BFFFFFF call SVKP.00405D04
00405DD9 . A3 64664800 mov dword ptr ds:[486664],eax
00405DDE . A1 64664800 mov eax,dword ptr ds:[486664]
00405DE3 . A3 A8304800 mov dword ptr ds:[4830A8],eax
00405DE8 . 33C0 xor eax,eax
00405DEA . A3 AC304800 mov dword ptr ds:[4830AC],eax
00405DEF . 33C0 xor eax,eax
00405DF1 . A3 B0304800 mov dword ptr ds:[4830B0],eax
00405DF6 . E8 C1FFFFFF call SVKP.00405DBC
00405DFB . BA A4304800 mov edx,SVKP.004830A4
00405E00 . 8BC3 mov eax,ebx
00405E02 . E8 9DDDFFFF call SVKP.00403BA4
00405E07 . 5B pop ebx
00405E08 . C3 retn ; returns to the FOEP

  
  

004823B7 E8 0C3AF8FF call SVKP.00405DC8 ; FOEP; the code above it was stolen, repairing stolen code is not covered today
004823BC A1 2C5C4800 mov eax,dword ptr ds:[485C2C] ; the retn lands here

  
  2. The shell-unpacks-shell point

  Ignore all exceptions except memory access exceptions and the specified ones, then Ctrl+F2
  
  

005B8000 > 60 pushad ; entry point
005B8001 E8 00000000 call SVKP.005B8006 ; F8 to here, then hr ESP (hardware breakpoint on ESP)
005B8006 5D pop ebp
005B8007 81ED 06000000 sub ebp,6

  
  Shift+F9 four times, up to the last memory access exception
  
  

00FBDC09 CD 01 int 1 ; last memory access exception
00FBDC0B E8 01000000 call 00FBDC11
00FBDC10 - E9 83C4047C jmp 7D00A098
00FBDC15 03EB add ebp,ebx
00FBDC17 039A 74FB648F add ebx,dword ptr ds:[edx+8F64FB74]
00FBDC1D 05 00000000 add eax,0
00FBDC22 E8 02000000 call 00FBDC29
00FBDC27 CD20 83042408 vxdcall 8240483
00FBDC2D C3 retn

  
  Do not delete the hardware breakpoint; set a memory breakpoint on the code section, then Shift+F9
  
  

00FDE8D3 8A06 mov al,byte ptr ds:[esi] ; breaks here; delete the memory breakpoint
00FDE8D5 46 inc esi
00FDE8D6 47 inc edi
00FDE8D7 8843 0F mov byte ptr ds:[ebx+F],al
00FDE8DA 8A46 FF mov al,byte ptr ds:[esi-1]
00FDE8DD 55 push ebp

  Shift+F9, and the hardware breakpoint fires inside SVKP's typical code
  
  

0012FC40 60 pushad ; breaks here
0012FC41 E8 03000000 call 0012FC49
0012FC46 D2EB shr bl,cl
0012FC48 0A58 EB or bl,byte ptr ds:[eax-15]
0012FC4B 0148 40 add dword ptr ds:[eax+40],ecx
0012FC4E EB 01 jmp short 0012FC51
0012FC50 35 FFE061E8 xor eax,E861E0FF
0012FC55 0100 add dword ptr ds:[eax],eax

  
  Delete the hardware breakpoint, Ctrl+G: 004823B7, F2, Ctrl+F11; it breaks at 004823B7. Click "Run trace" and look at the trace window

Address=0012FC53
Command=popad
Modified registers=EAX=0105E159,ESP=0012FFC4


  Look at EAX: 0105E159 is where the stolen code begins

  Remove the breakpoint at 004823B7, start LordPE, dump, and append the two extra memory regions as sections

  Open ImportREC, enter OEP 000823B7 [004823B7 - 00400000] and get the IAT: every entry is invalid. Repair with level 1 first; a large part is repaired,
  leaving 10 unrepaired [these are the pointers that SVKP handles specially; everyone should be familiar with them, and here we do not need to repair them].
  Take a look: the addresses the unrepaired pointers point to all lie within the two sections that need to be appended

Target: D:\Downloads\以壳解壳SVKP\SVKP.exe
OEP: 000823B7 IATRVA: 0019113C IATSize: 000006EC

FThunk: 00191140 NbFunc: 00000022
1 00191140 kernel32.dll 0080 DeleteCriticalSection
1 00191144 kernel32.dll 0241 LeaveCriticalSection
1 00191148 kernel32.dll 0097 EnterCriticalSection
1 0019114C kernel32.dll 0216 InitializeCriticalSection
1 00191150 kernel32.dll 036E VirtualFree
1 00191154 kernel32.dll 036B VirtualAlloc
1 00191158 kernel32.dll 024C LocalFree
1 0019115C kernel32.dll 0248 LocalAlloc
0 00191160 ? 0000 01057FB8
1 00191164 kernel32.dll 013F GetCurrentThreadId
1 00191168 kernel32.dll 021A InterlockedDecrement
1 0019116C kernel32.dll 021E InterlockedIncrement
1 00191170 kernel32.dll 0373 VirtualQuery
1 00191174 kernel32.dll 037F WideCharToMultiByte
1 00191178 kernel32.dll 0265 MultiByteToWideChar
1 0019117C kernel32.dll 03B3 lstrlen
1 00191180 kernel32.dll 03B0 lstrcpyn
1 00191184 kernel32.dll 0243 LoadLibraryExA
1 00191188 kernel32.dll 01CD GetThreadLocale
1 0019118C kernel32.dll 01AD GetStartupInfoA
1 00191190 kernel32.dll 0198 GetProcAddress
0 00191194 ? 0000 0103D19C
1 00191198 kernel32.dll 0174 GetModuleFileNameA
1 0019119C kernel32.dll 016C GetLocaleInfoA
0 001911A0 ? 0000 0103A15A
1 001911A4 kernel32.dll 00F1 FreeLibrary
1 001911A8 kernel32.dll 00D1 FindFirstFileA
1 001911AC kernel32.dll 00CD FindClose
0 001911B0 ? 0000 010376A9
1 001911B4 kernel32.dll 038C WriteFile
1 001911B8 kernel32.dll 0358 UnhandledExceptionFilter
1 001911BC kernel32.dll 02C5 RtlUnwind
1 001911C0 kernel32.dll 0297 RaiseException
1 001911C4 kernel32.dll 01AF GetStdHandle

FThunk: 001911CC NbFunc: 00000004
1 001911CC user32.dll 0128 GetKeyboardType
1 001911D0 user32.dll 01C9 LoadStringA
0 001911D4 ? 0000 0105A078
1 001911D8 user32.dll 002B CharNextA

FThunk: 001911E0 NbFunc: 00000003
1 001911E0 advapi32.dll 01EE RegQueryValueExA
1 001911E4 advapi32.dll 01E4 RegOpenKeyExA
1 001911E8 advapi32.dll 01CB RegCloseKey

FThunk: 001911F0 NbFunc: 00000003
1 001911F0 oleaut32.dll 0006 SysFreeString
1 001911F4 oleaut32.dll 0005 SysReAllocStringLen
1 001911F8 oleaut32.dll 0004 SysAllocStringLen

FThunk: 00191200 NbFunc: 00000004
1 00191200 kernel32.dll 034F TlsSetValue
1 00191204 kernel32.dll 034E TlsGetValue
1 00191208 kernel32.dll 0248 LocalAlloc
0 0019120C ? 0000 0103D19C

FThunk: 00191214 NbFunc: 00000003
1 00191214 advapi32.dll 01EE RegQueryValueExA
1 00191218 advapi32.dll 01E4 RegOpenKeyExA
1 0019121C advapi32.dll 01CB RegCloseKey

FThunk: 00191224 NbFunc: 00000045
1 00191224 kernel32.dll 03AD lstrcpy
1 00191228 kernel32.dll 038C WriteFile
1 0019122C kernel32.dll 037B WaitForSingleObject
1 00191230 kernel32.dll 0373 VirtualQuery
1 00191234 kernel32.dll 036B VirtualAlloc
1 00191238 kernel32.dll 033F Sleep
1 0019123C kernel32.dll 033E SizeofResource
1 00191240 kernel32.dll 032D SetThreadLocale
1 00191244 kernel32.dll 0307 SetFilePointer
1 00191248 kernel32.dll 0302 SetEvent
1 0019124C kernel32.dll 0301 SetErrorMode
1 00191250 kernel32.dll 02FE SetEndOfFile
1 00191254 kernel32.dll 02BD ResetEvent
1 00191258 kernel32.dll 02A4 ReadFile
1 0019125C kernel32.dll 0265 MultiByteToWideChar
1 00191260 kernel32.dll 0264 MulDiv
1 00191264 kernel32.dll 0255 LockResource
1 00191268 kernel32.dll 0247 LoadResource
1 0019126C kernel32.dll 0242 LoadLibraryA
1 00191270 kernel32.dll 0241 LeaveCriticalSection
1 00191274 kernel32.dll 0225 IsBadReadPtr
1 00191278 kernel32.dll 0216 InitializeCriticalSection
1 0019127C kernel32.dll 01FD GlobalUnlock
1 00191280 kernel32.dll 01F9 GlobalReAlloc
1 00191284 kernel32.dll 01F5 GlobalHandle
1 00191288 kernel32.dll 01F6 GlobalLock
1 0019128C kernel32.dll 01F2 GlobalFree
1 00191290 kernel32.dll 01EE GlobalFindAtomA
1 00191294 kernel32.dll 01ED GlobalDeleteAtom
1 00191298 kernel32.dll 01EB GlobalAlloc
1 0019129C kernel32.dll 01E9 GlobalAddAtomA
0 001912A0 ? 0000 01058FCE
0 001912A4 ? 0000 01057FB8
1 001912A8 kernel32.dll 01D2 GetTickCount
1 001912AC kernel32.dll 01CD GetThreadLocale
1 001912B0 kernel32.dll 01C9 GetTempPathA
1 001912B4 kernel32.dll 01B9 GetSystemInfo
1 001912B8 kernel32.dll 01B1 GetStringTypeExA
1 001912BC kernel32.dll 01AF GetStdHandle
1 001912C0 kernel32.dll 0198 GetProcAddress
0 001912C4 ? 0000 0103D19C
1 001912C8 kernel32.dll 0174 GetModuleFileNameA
1 001912CC kernel32.dll 016C GetLocaleInfoA
1 001912D0 kernel32.dll 016B GetLocalTime
1 001912D4 kernel32.dll 0169 GetLastError
1 001912D8 kernel32.dll 0162 GetFullPathNameA
1 001912DC kernel32.dll 0146 GetDiskFreeSpaceA
1 001912E0 kernel32.dll 0140 GetDateFormatA
1 001912E4 kernel32.dll 013F GetCurrentThreadId
1 001912E8 kernel32.dll 013D GetCurrentProcessId
1 001912EC kernel32.dll 00FE GetCPInfo
1 001912F0 kernel32.dll 00F7 GetACP
1 001912F4 kernel32.dll 00F3 FreeResource
1 001912F8 kernel32.dll 021B InterlockedExchange
1 001912FC kernel32.dll 00F1 FreeLibrary
1 00191300 kernel32.dll 00EC FormatMessageA
1 00191304 kernel32.dll 00E0 FindResourceA
1 00191308 kernel32.dll 00D1 FindFirstFileA
1 0019130C kernel32.dll 00CD FindClose
1 00191310 kernel32.dll 00C3 FileTimeToLocalFileTime
1 00191314 kernel32.dll 00C2 FileTimeToDosDateTime
1 00191318 kernel32.dll 0098 EnumCalendarInfoA
1 0019131C kernel32.dll 0097 EnterCriticalSection
1 00191320 kernel32.dll 0080 DeleteCriticalSection
1 00191324 kernel32.dll 006D CreateThread
1 00191328 kernel32.dll 0050 CreateFileA
1 0019132C kernel32.dll 004C CreateEventA
1 00191330 kernel32.dll 0038 CompareStringA
1 00191334 kernel32.dll 0032 CloseHandle

FThunk: 0019133C NbFunc: 00000003
1 0019133C version.dll 000B VerQueryValueA
1 00191340 version.dll 0002 GetFileVersionInfoSizeA
1 00191344 version.dll 0001 GetFileVersionInfoA

FThunk: 0019134C NbFunc: 0000004C
1 0019134C gdi32.dll 0253 UnrealizeObject
1 00191350 gdi32.dll 024A StretchBlt
1 00191354 gdi32.dll 0244 SetWindowOrgEx
1 00191358 gdi32.dll 0242 SetWinMetaFileBits
1 0019135C gdi32.dll 0240 SetViewportOrgEx
1 00191360 gdi32.dll 023D SetTextColor
1 00191364 gdi32.dll 0239 SetStretchBltMode
1 00191368 gdi32.dll 0236 SetROP2
1 0019136C gdi32.dll 0232 SetPixel
1 00191370 gdi32.dll 0223 SetEnhMetaFileBits
1 00191374 gdi32.dll 021F SetDIBColorTable
1 00191378 gdi32.dll 021A SetBrushOrgEx
1 0019137C gdi32.dll 0217 SetBkMode
1 00191380 gdi32.dll 0216 SetBkColor
1 00191384 gdi32.dll 0210 SelectPalette
1 00191388 gdi32.dll 020F SelectObject
1 0019138C gdi32.dll 020D SelectClipRgn
1 00191390 gdi32.dll 0208 SaveDC
1 00191394 gdi32.dll 0202 RoundRect
1 00191398 gdi32.dll 0201 RestoreDC
1 0019139C gdi32.dll 01F7 Rectangle
1 001913A0 gdi32.dll 01F6 RectVisible
1 001913A4 gdi32.dll 01F4 RealizePalette
1 001913A8 gdi32.dll 01EF Polyline
1 001913AC gdi32.dll 01EE Polygon
1 001913B0 gdi32.dll 01E1 PlayEnhMetaFile
1 001913B4 gdi32.dll 01DE PatBlt
1 001913B8 gdi32.dll 01D2 MoveToEx
1 001913BC gdi32.dll 01CF MaskBlt
1 001913C0 gdi32.dll 01CE LineTo
1 001913C4 gdi32.dll 01C8 IntersectClipRect
1 001913C8 gdi32.dll 01C4 GetWindowOrgEx
1 001913CC gdi32.dll 01C2 GetWinMetaFileBits
1 001913D0 gdi32.dll 01C1 GetViewportOrgEx
1 001913D4 gdi32.dll 01BD GetTextMetricsA
1 001913D8 gdi32.dll 01B7 GetTextExtentPointA
1 001913DC gdi32.dll 01B5 GetTextExtentPoint32A
1 001913E0 gdi32.dll 01AA GetSystemPaletteEntries
1 001913E4 gdi32.dll 01A6 GetStockObject
1 001913E8 gdi32.dll 019D GetPixel
1 001913EC gdi32.dll 019B GetPaletteEntries
1 001913F0 gdi32.dll 0196 GetObjectA
1 001913F4 gdi32.dll 0176 GetEnhMetaFilePaletteEntries
1 001913F8 gdi32.dll 0175 GetEnhMetaFileHeader
1 001913FC gdi32.dll 0172 GetEnhMetaFileBits
1 00191400 gdi32.dll 016C GetDeviceCaps
1 00191404 gdi32.dll 016B GetDIBits
1 00191408 gdi32.dll 016A GetDIBColorTable
1 0019140C gdi32.dll 0168 GetDCOrgEx
1 00191410 gdi32.dll 0166 GetCurrentPositionEx
1 00191414 gdi32.dll 0165 GetCurrentObject
1 00191418 gdi32.dll 0161 GetClipBox
1 0019141C gdi32.dll 0151 GetBrushOrgEx
1 00191420 gdi32.dll 014B GetBitmapBits
1 00191424 gdi32.dll 011C GdiFlush
1 00191428 gdi32.dll 00DA ExtCreateRegion
1 0019142C gdi32.dll 00D8 ExcludeClipRect
1 00191430 gdi32.dll 0090 DeleteObject
1 00191434 gdi32.dll 008E DeleteEnhMetaFile
1 00191438 gdi32.dll 008D DeleteDC
1 0019143C gdi32.dll 0051 CreateSolidBrush
1 00191440 gdi32.dll 004C CreateRectRgn
1 00191444 gdi32.dll 0049 CreatePenIndirect
1 00191448 gdi32.dll 0048 CreatePen
1 0019144C gdi32.dll 0046 CreatePalette
1 00191450 gdi32.dll 0040 CreateHalftonePalette
1 00191454 gdi32.dll 003B CreateFontIndirectA
1 00191458 gdi32.dll 0034 CreateDIBitmap
1 0019145C gdi32.dll 0033 CreateDIBSection
1 00191460 gdi32.dll 002E CreateCompatibleDC
1 00191464 gdi32.dll 002D CreateCompatibleBitmap
1 00191468 gdi32.dll 002A CreateBrushIndirect
1 0019146C gdi32.dll 0028 CreateBitmap
1 00191470 gdi32.dll 0024 CopyEnhMetaFileA
1 00191474 gdi32.dll 0022 CombineRgn
1 00191478 gdi32.dll 0013 BitBlt

FThunk: 00191480 NbFunc: 000000B0
1 00191480 user32.dll 0061 CreateWindowExA
1 00191484 user32.dll 02D6 WindowFromPoint
1 00191488 user32.dll 02D3 WinHelpA
1 0019148C user32.dll 02D1 WaitMessage
1 00191490 user32.dll 02BC UpdateWindow
1 00191494 user32.dll 02B4 UnregisterClassA
1 00191498 user32.dll 02AF UnhookWindowsHookEx
1 0019149C user32.dll 02AB TranslateMessage
1 001914A0 user32.dll 02AA TranslateMDISysAccel
1 001914A4 user32.dll 02A5 TrackPopupMenu
1 001914A8 user32.dll 029A SystemParametersInfoA
1 001914AC user32.dll 0293 ShowWindow
1 001914B0 user32.dll 0291 ShowScrollBar
1 001914B4 user32.dll 0290 ShowOwnedPopups
1 001914B8 user32.dll 028F ShowCursor
1 001914BC user32.dll 0285 SetWindowRgn
1 001914C0 user32.dll 028B SetWindowsHookExA
1 001914C4 user32.dll 0287 SetWindowTextA
1 001914C8 user32.dll 0284 SetWindowPos
1 001914CC user32.dll 0283 SetWindowPlacement
1 001914D0 user32.dll 0282 SetWindowLongW
1 001914D4 user32.dll 0281 SetWindowLongA
1 001914D8 user32.dll 027B SetTimer
1 001914DC user32.dll 0271 SetScrollRange
1 001914E0 user32.dll 0270 SetScrollPos
1 001914E4 user32.dll 026F SetScrollInfo
1 001914E8 user32.dll 026D SetRect
1 001914EC user32.dll 026B SetPropA
1 001914F0 user32.dll 0267 SetParent
1 001914F4 user32.dll 0263 SetMenuItemInfoA
1 001914F8 user32.dll 025E SetMenu
1 001914FC user32.dll 0258 SetForegroundWindow
1 00191500 user32.dll 0257 SetFocus
1 00191504 user32.dll 024E SetCursor
1 00191508 user32.dll 024B SetClipboardData
1 0019150C user32.dll 0248 SetClassLongA
1 00191510 user32.dll 0245 SetCapture
1 00191514 user32.dll 0244 SetActiveWindow
1 00191518 user32.dll 023C SendMessageA
1 0019151C user32.dll 0235 ScrollWindow
1 00191520 user32.dll 0232 ScreenToClient
1 00191524 user32.dll 022D RemovePropA
1 00191528 user32.dll 022C RemoveMenu
1 0019152C user32.dll 022B ReleaseDC
1 00191530 user32.dll 022A ReleaseCapture
1 00191534 user32.dll 021B RegisterClipboardFormatA
1 00191538 user32.dll 021B RegisterClipboardFormatA
1 0019153C user32.dll 0217 RegisterClassA
1 00191540 user32.dll 0216 RedrawWindow
1 00191544 user32.dll 020C PtInRect
1 00191548 user32.dll 0202 PostQuitMessage
1 0019154C user32.dll 0200 PostMessageA
1 00191550 user32.dll 01FE PeekMessageA
1 00191554 user32.dll 01F4 OpenClipboard
1 00191558 user32.dll 01F3 OffsetRect
1 0019155C user32.dll 01EF OemToCharA
1 00191560 user32.dll 01EA MoveWindow
0 00191564 ? 0000 0105A078
1 00191568 user32.dll 01DC MessageBeep
1 0019156C user32.dll 01D8 MapWindowPoints
1 00191570 user32.dll 01D4 MapVirtualKeyA
1 00191574 user32.dll 01C9 LoadStringA
1 00191578 user32.dll 01C0 LoadKeyboardLayoutA
1 0019157C user32.dll 01BC LoadIconA
1 00191580 user32.dll 01B8 LoadCursorA
1 00191584 user32.dll 01B6 LoadBitmapA
1 00191588 user32.dll 01B3 KillTimer
1 0019158C user32.dll 01B1 IsZoomed
1 00191590 user32.dll 01B0 IsWindowVisible
1 00191594 user32.dll 01AF IsWindowUnicode
1 00191598 user32.dll 01AD IsWindowEnabled
1 0019159C user32.dll 01AC IsWindow
1 001915A0 user32.dll 01A9 IsRectEmpty
1 001915A4 user32.dll 01A7 IsIconic
1 001915A8 user32.dll 01A1 IsDialogMessage
1 001915AC user32.dll 019F IsChild
1 001915B0 user32.dll 0194 InvalidateRect
1 001915B4 user32.dll 0193 IntersectRect
1 001915B8 user32.dll 018F InsertMenuItemA
1 001915BC user32.dll 018E InsertMenuA
1 001915C0 user32.dll 018B InflateRect
1 001915C4 user32.dll 017C GetWindowThreadProcessId
1 001915C8 user32.dll 017A GetWindowTextLengthW
1 001915CC user32.dll 017B GetWindowTextW
1 001915D0 user32.dll 0178 GetWindowTextA
1 001915D4 user32.dll 0175 GetWindowRect
1 001915D8 user32.dll 0174 GetWindowPlacement
1 001915DC user32.dll 0170 GetWindowLongW
1 001915E0 user32.dll 016F GetWindowLongA
1 001915E4 user32.dll 016D GetWindowDC
1 001915E8 user32.dll 0164 GetTopWindow
1 001915EC user32.dll 015E GetSystemMetrics
1 001915F0 user32.dll 015D GetSystemMenu
1 001915F4 user32.dll 015C GetSysColorBrush
1 001915F8 user32.dll 015B GetSysColor
1 001915FC user32.dll 015A GetSubMenu
1 00191600 user32.dll 0158 GetScrollRange
1 00191604 user32.dll 0157 GetScrollPos
1 00191608 user32.dll 0156 GetScrollInfo
1 0019160C user32.dll 014B GetPropA
1 00191610 user32.dll 0146 GetParent
1 00191614 user32.dll 016B GetWindow
1 00191618 user32.dll 0139 GetMenuStringA
1 0019161C user32.dll 0138 GetMenuState
1 00191620 user32.dll 0135 GetMenuItemInfoA
1 00191624 user32.dll 0134 GetMenuItemID
1 00191628 user32.dll 0133 GetMenuItemCount
1 0019162C user32.dll 012D GetMenu
1 00191630 user32.dll 0129 GetLastActivePopup
1 00191634 user32.dll 0127 GetKeyboardState
1 00191638 user32.dll 0124 GetKeyboardLayoutList
1 0019163C user32.dll 0123 GetKeyboardLayout
1 00191640 user32.dll 0122 GetKeyState
1 00191644 user32.dll 0120 GetKeyNameTextA
1 00191648 user32.dll 011B GetIconInfo
1 0019164C user32.dll 0118 GetForegroundWindow
1 00191650 user32.dll 0117 GetFocus
1 00191654 user32.dll 0116 GetDoubleClickTime
1 00191658 user32.dll 0111 GetDlgCtrlID
1 0019165C user32.dll 010F GetDesktopWindow
1 00191660 user32.dll 010E GetDCEx
1 00191664 user32.dll 010D GetDC
1 00191668 user32.dll 010C GetCursorPos
1 0019166C user32.dll 0109 GetCursor
1 00191670 user32.dll 0102 GetClipboardData
1 00191674 user32.dll 0100 GetClientRect
1 00191678 user32.dll 00FD GetClassNameA
1 0019167C user32.dll 00F7 GetClassInfoA
1 00191680 user32.dll 00F4 GetCapture
1 00191684 user32.dll 00EC GetActiveWindow
1 00191688 user32.dll 00EA FrameRect
1 0019168C user32.dll 00E5 FindWindowExA
1 00191690 user32.dll 00E4 FindWindowA
1 00191694 user32.dll 00E3 FillRect
1 00191698 user32.dll 00E0 EqualRect
1 0019169C user32.dll 00DF EnumWindows
1 001916A0 user32.dll 00DC EnumThreadWindows
1 001916A4 user32.dll 00C9 EndPaint
1 001916A8 user32.dll 00C5 EnableWindow
1 001916AC user32.dll 00C4 EnableScrollBar
1 001916B0 user32.dll 00C3 EnableMenuItem
1 001916B4 user32.dll 00C2 EmptyClipboard
1 001916B8 user32.dll 00C0 DrawTextW
1 001916BC user32.dll 00BD DrawTextA
1 001916C0 user32.dll 00B9 DrawMenuBar
1 001916C4 user32.dll 00B8 DrawIconEx
1 001916C8 user32.dll 00B7 DrawIcon
1 001916CC user32.dll 00B6 DrawFrameControl
1 001916D0 user32.dll 00B4 DrawFocusRect
1 001916D4 user32.dll 00B3 DrawEdge
1 001916D8 user32.dll 00A2 DispatchMessageA
1 001916DC user32.dll 009A DestroyWindow
1 001916E0 user32.dll 0098 DestroyMenu
1 001916E4 user32.dll 0096 DestroyCursor
1 001916E8 user32.dll 0096 DestroyCursor
1 001916EC user32.dll 0092 DeleteMenu
1 001916F0 user32.dll 008F DefWindowProcA
1 001916F4 user32.dll 008C DefMDIChildProcA
1 001916F8 user32.dll 008A DefFrameProcA
1 001916FC user32.dll 005F CreatePopupMenu
1 00191700 user32.dll 005E CreateMenu
1 00191704 user32.dll 0058 CreateIcon
1 00191708 user32.dll 004A CopyImage
1 0019170C user32.dll 0043 CloseClipboard
1 00191710 user32.dll 0041 ClientToScreen
1 00191714 user32.dll 003A CheckMenuItem
1 00191718 user32.dll 001C CallWindowProcA
1 0019171C user32.dll 001B CallNextHookEx
1 00191720 user32.dll 000E BeginPaint
1 00191724 user32.dll 002B CharNextA
1 00191728 user32.dll 0028 CharLowerBuffA
1 0019172C user32.dll 0027 CharLowerA
1 00191730 user32.dll 0036 CharUpperBuffA
1 00191734 user32.dll 0031 CharToOemA
1 00191738 user32.dll 0003 AdjustWindowRectEx
1 0019173C user32.dll 0001 ActivateKeyboardLayout

FThunk: 00191744 NbFunc: 00000001
1 00191744 kernel32.dll 033F Sleep

FThunk: 0019174C NbFunc: 00000008
1 0019174C oleaut32.dll 0094 SafeArrayPtrOfIndex
1 00191750 oleaut32.dll 0013 SafeArrayGetUBound
1 00191754 oleaut32.dll 0014 SafeArrayGetLBound
1 00191758 oleaut32.dll 000F SafeArrayCreate
1 0019175C oleaut32.dll 000C VariantChangeType
1 00191760 oleaut32.dll 000A VariantCopy
1 00191764 oleaut32.dll 0009 VariantClear
1 00191768 oleaut32.dll 0008 VariantInit

FThunk: 00191770 NbFunc: 00000017
1 00191770 comctl32.dll 004F ImageList_SetIconSize
1 00191774 comctl32.dll 003B ImageList_GetIconSize
1 00191778 comctl32.dll 0052 ImageList_Write
1 0019177C comctl32.dll 0043 ImageList_Read
1 00191780 comctl32.dll 0038 ImageList_GetDragImage
1 00191784 comctl32.dll 0031 ImageList_DragShowNolock
1 00191788 comctl32.dll 004C ImageList_SetDragCursorImage
1 0019178C comctl32.dll 0030 ImageList_DragMove
1 00191790 comctl32.dll 002F ImageList_DragLeave
1 00191794 comctl32.dll 002E ImageList_DragEnter
1 00191798 comctl32.dll 0036 ImageList_EndDrag
1 0019179C comctl32.dll 002A ImageList_BeginDrag
1 001917A0 comctl32.dll 003F ImageList_LoadImage
1 001917A4 comctl32.dll 0044 ImageList_Remove
1 001917A8 comctl32.dll 0033 ImageList_DrawEx
1 001917AC comctl32.dll 0032 ImageList_Draw
1 001917B0 comctl32.dll 0037 ImageList_GetBkColor
1 001917B4 comctl32.dll 004B ImageList_SetBkColor
1 001917B8 comctl32.dll 0046 ImageList_ReplaceIcon
1 001917BC comctl32.dll 0027 ImageList_Add
1 001917C0 comctl32.dll 003C ImageList_GetImageCount
1 001917C4 comctl32.dll 002D ImageList_Destroy
1 001917C8 comctl32.dll 002C ImageList_Create

FThunk: 001917D0 NbFunc: 0000000D
1 001917D0 kernel32.dll 03A0 _llseek
1 001917D4 kernel32.dll 039C _hread
1 001917D8 kernel32.dll 039E _lclose
1 001917DC kernel32.dll 03A1 _lopen
1 001917E0 kernel32.dll 033E SizeofResource
1 001917E4 kernel32.dll 0247 LoadResource
1 001917E8 kernel32.dll 00E0 FindResourceA
1 001917EC kernel32.dll 033F Sleep
1 001917F0 kernel32.dll 024C LocalFree
1 001917F4 kernel32.dll 0248 LocalAlloc
1 001917F8 kernel32.dll 032E SetThreadPriority
1 001917FC kernel32.dll 006D CreateThread
1 00191800 kernel32.dll 0032 CloseHandle

FThunk: 00191808 NbFunc: 00000007
1 00191808 winmm.dll 00CF waveOutWrite
1 0019180C winmm.dll 00CE waveOutUnprepareHeader
1 00191810 winmm.dll 00C9 waveOutReset
1 00191814 winmm.dll 00C8 waveOutPrepareHeader
1 00191818 winmm.dll 00C6 waveOutOpen
1 0019181C winmm.dll 00C3 waveOutGetPosition
1 00191820 winmm.dll 00BA waveOutClose

  Change the OEP to 00C5E159 [0105E159 - 00400000], Fix Dump.....

  It runs normally....
  
  

0105E159 > 81C5 21AA9095 add ebp,9590AA21 ; shell-unpacks-shell OEP
0105E15F 50 push eax
0105E160 89E4 mov esp,esp
0105E162 E9 1C0F0000 jmp Unpack_.0105F083
0105E167 E7 47 out 47,eax
0105E169 11A5 BDB4A83F adc dword ptr ss:[ebp+3FA8B4BD],esp
0105E16F E8 FA4E6D58 call 5973306E
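The two checks a practitioner wants after the steps above, as an added Python example that is not part of the original post: it parses ImportREC entry lines in the format shown in the log, lists the unresolved IAT slots, tests whether each pointer falls inside the dumped regions (so the dump can keep them as-is), and performs the VA-to-RVA subtraction used for both OEP values. DUMPED_RANGES is a hypothetical placeholder; the real base and size of the two appended regions come from LordPE.

```python
import re
from dataclasses import dataclass

IMAGE_BASE = 0x00400000  # SVKP.exe image base, as used in the OEP arithmetic above

# Constructed sample: a subset of the ImportREC log above (real lines from that log)
SAMPLE_LOG = """\
Target: SVKP.exe
OEP: 000823B7 IATRVA: 0019113C IATSize: 000006EC

FThunk: 00191140 NbFunc: 00000022
1 00191140 kernel32.dll 0080 DeleteCriticalSection
1 0019115C kernel32.dll 0248 LocalAlloc
0 00191160 ? 0000 01057FB8
1 00191190 kernel32.dll 0198 GetProcAddress
0 00191194 ? 0000 0103D19C
0 001911A0 ? 0000 0103A15A
0 001911B0 ? 0000 010376A9

FThunk: 001911CC NbFunc: 00000004
1 001911CC user32.dll 0128 GetKeyboardType
0 001911D4 ? 0000 0105A078
"""

# Hypothetical VA range of the two dumped regions (placeholder): read the real
# base and size off LordPE before relying on this check.
DUMPED_RANGES = [(0x01030000, 0x01060000)]

# "<valid flag> <slot RVA> <dll or ?> <ordinal> <API name or raw pointer>"
ENTRY = re.compile(r"^([01]) ([0-9A-Fa-f]{8}) (\S+) ([0-9A-Fa-f]{4}) (\S+)$")


@dataclass
class Thunk:
    rva: int      # RVA of the IAT slot
    valid: bool   # ImportREC's leading 1/0 flag
    dll: str      # module name, or "?" when unresolved
    name: str     # API name, or the raw pointer (hex text) when unresolved


def parse_importrec(text: str) -> list:
    """Parse ImportREC entry lines; header lines (Target/OEP/FThunk) are skipped."""
    thunks = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            flag, rva, dll, _ordinal, name = m.groups()
            thunks.append(Thunk(int(rva, 16), flag == "1", dll, name))
    return thunks


def va_to_rva(va: int, base: int = IMAGE_BASE) -> int:
    """The OEP conversion used twice in the post: VA minus image base."""
    return va - base


def check_unresolved(thunks: list, ranges: list) -> list:
    """For each unresolved slot: (slot RVA, pointer VA, inside dumped regions?)."""
    out = []
    for t in thunks:
        if t.valid:
            continue
        ptr = int(t.name, 16)
        covered = any(lo <= ptr < hi for lo, hi in ranges)
        out.append((t.rva, ptr, covered))
    return out


def all_covered(thunks: list, ranges: list) -> bool:
    """True when every unresolved IAT slot points into the dumped regions."""
    return all(c for _, _, c in check_unresolved(thunks, ranges))


if __name__ == "__main__":
    for rva, ptr, ok in check_unresolved(parse_importrec(SAMPLE_LOG), DUMPED_RANGES):
        print(f"IAT+{rva:08X} -> {ptr:08X} {'inside dump' if ok else 'OUTSIDE dump'}")
    print("stolen-code OEP RVA:", f"{va_to_rva(0x0105E159):08X}")
```

A slot reported OUTSIDE the dumped regions is exactly the cross-machine problem raised in the replies: it would have to be redirected before the dump could run elsewhere.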

  
  
--------------------------------------------------------------------------------
【Summary】
  What this article presents has little practical value; it is only a technical exploration, and I hope everyone can draw their own inferences from it....

--------------------------------------------------------------------------------
【Copyright】: This article was originally written for the Pediy (看雪) forum. When reproducing it, please credit the author and keep the article intact, thanks!

                                                       2007-11-23 04:26:14 PM

Latest replies (7)

#2  2007-11-24 12:23
Can this work across systems? Probably not.

#3  2007-11-24 12:34
If you want it to work across platforms, it depends on whether you know how to handle cross-platform :)

#4  2007-11-24 13:10
I mean that your method can't work across platforms,
because the addresses of the appended sections may differ on different machines, so the IAT entries that point into those sections become a problem.

"It depends on whether you know how to handle cross-platform": could you explain how to solve it?

#5  2007-11-24 13:13
I mean whether you handle cross-platform afterwards. Understand?

#6  2007-11-24 13:17
Some IAT entries will point to the wrong place; how do you solve that (I mean solving the IAT with the shell-unpacks-shell approach)?

#7  2007-11-24 18:43
Communication failure, eh

#8  2007-11-24 19:19
Since when did 十三 get interested in packers?