使用flyODBG,设置OD忽略所有的异常选项,用PE查看是Armadillo 3.00a - 3.61 -> Silicon Realms Toolworks,用FI查看是Armadillo 3.01 big {glue}
按照爱的中体验之Armadillo3.x仿Fly大侠的壹次脱壳法之Mr.Captor来进行的
0046D000 Q> 60 pushad ----------------入口
0046D001 E8 00000000 call QQTwin.0046D006
0046D006 5D pop ebp
0046D007 50 push eax
0046D008 51 push ecx
0046D009 EB 0F jmp short QQTwin.0046D01A
0046D00B B9 EB0FB8EB mov ecx,EBB80FEB
0046D010 07 pop es
........................................
下BP GetModuleHandleA断点,F9运行
77E12CD1 k> 837C24 04 00 cmp dword ptr ss:[esp+4],0 ------------断在这里,F2取消断点,设置硬件执行断点
77E12CD6 74 18 je short kernel32.77E12CF0
77E12CD8 FF7424 04 push dword ptr ss:[esp+4]
77E12CDC E8 92FFFFFF call kernel32.77E12C73
77E12CE1 85C0 test eax,eax
77E12CE3 74 08 je short kernel32.77E12CED
77E12CE5 FF70 04 push dword ptr ds:[eax+4]
77E12CE8 E8 77520000 call kernel32.GetModuleHandleW
77E12CED C2 0400 retn 4
........................................................
此时 堆栈提示
====================================================================
0012FF10 0045B111 /CALL 到 GetModuleHandleA 来自 QQTwin.0045B10B
0012FF14 00000000 \pModule = NULL
0012FF18 00000000
0012FF1C 00141F00
0012FF20 0000000A
0012FF24 77E100E0 ASCII "PE"
0012FF28 77E10000 kernel32.77E10000
0012FF2C 0045B049 QQTwin.0045B049
......................................
====================================================================
接着按17次F9
堆栈提示
====================================================================
0012D264 003C519B /CALL 到 GetModuleHandleA 来自 003C5195
0012D268 0012D3A0 \pModule = "user32.dll"
0012D26C 00000002
0012D270 00AF1DF0
0012D274 00000000
0012D278 00000140
0012D27C 00003FFF
0012D280 00000000
......................................
====================================================================
第18次
====================================================================
0012D264 003C519B /CALL 到 GetModuleHandleA 来自 003C5195
0012D268 0012D3A0 \pModule = "MSVBVM60.DLL"
0012D26C 00000002
0012D270 00AF1DF0
0012D274 00000000
0012D278 00000028
0012D27C 00003FFF
0012D280 00000000
......................................
====================================================================
第19次
====================================================================
0012CBA8 73441BC1 /CALL 到 GetModuleHandleA 来自 73441BBB
0012CBAC 73443DBC \pModule = "kernel32.dll"
0012CBB0 73441B60 返回到 73441B60 来自 73441B8C
0012CBB4 73440000
0012CBB8 00000001
0012CBBC 00000000
0012CBC0 00000001
0012CBC4 0012CBE0
......................................
====================================================================
第20次
====================================================================
0012CB9C 73442858 /CALL 到 GetModuleHandleA 来自 73442852
0012CBA0 73443DE8 \pModule = "KERNEL32"
0012CBA4 73442808 返回到 73442808 来自 7344284D
0012CBA8 734427D9 返回到 734427D9
0012CBAC 73441C66 返回到 73441C66 来自 734427CE
0012CBB0 73441B60 返回到 73441B60 来自 73441B8C
0012CBB4 73440000
0012CBB8 00000001
......................................
====================================================================
第21次
====================================================================
0012CB94 73443208 /CALL 到 GetModuleHandleA 来自 73443202
0012CB98 00000000 \pModule = NULL
0012CB9C 73443172 返回到 73443172 来自 734431F7
0012CBA0 73440000
0012CBA4 00000001
0012CBA8 73440000
0012CBAC /0012CBEC
0012CBB0 |73441B21 返回到 73441B21 来自 73443146
......................................
====================================================================
第22次
====================================================================
0012D264 003C519B /CALL 到 GetModuleHandleA 来自 003C5195
0012D268 0012D3A0 \pModule = "advapi32.dll"
0012D26C 00000002
0012D270 00AF1DF0
0012D274 00000000
0012D278 00000004
0012D27C 00003FFF
0012D280 00000000
......................................
====================================================================
第23次
====================================================================
0012D3D4 003C5895 /CALL 到 GetModuleHandleA 来自 003C588F
0012D3D8 00000000 \pModule = NULL
0012D3DC 0012E994
0012D3E0 00AF1DF0
0012D3E4 00000000
0012D3E8 000206D8 UNICODE "\QQTwin.exe"
0012D3EC 77E4FF68 kernel32.77E4FF68
0012D3F0 00000000
......................................
====================================================================
此时删除硬件断点,Ctrl+F9返回.
003C5895 3945 08 cmp dword ptr ss:[ebp+8],eax ; QQTwin.00400000 -----------断在这里
003C5898 75 07 jnz short 003C58A1
003C589A BE C0733E00 mov esi,3E73C0
003C589F EB 60 jmp short 003C5901
003C58A1 393D A8793E00 cmp dword ptr ds:[3E79A8],edi
003C58A7 B9 A8793E00 mov ecx,3E79A8
003C58AC 74 3C je short 003C58EA ------------------这里就是传说中的magic jmp吗?
003C58AE 8B35 80D73E00 mov esi,dword ptr ds:[3ED780]
003C58B4 A1 80163F00 mov eax,dword ptr ds:[3F1680]
003C58B9 F641 08 01 test byte ptr ds:[ecx+8],1
将003C58AC 74 3C je short 003C58EA 改成 003C58AC /EB 3C jmp short 003C58EA
改后就是
003C5895 3945 08 cmp dword ptr ss:[ebp+8],eax ; QQTwin.00400000
003C5898 75 07 jnz short 003C58A1
003C589A BE C0733E00 mov esi,3E73C0
003C589F EB 60 jmp short 003C5901
003C58A1 393D A8793E00 cmp dword ptr ds:[3E79A8],edi
003C58A7 B9 A8793E00 mov ecx,3E79A8
003C58AC EB 3C jmp short 003C58EA -----------改后
003C58AE 8B35 80D73E00 mov esi,dword ptr ds:[3ED780]
003C58B4 A1 80163F00 mov eax,dword ptr ds:[3F1680]
003C58B9 F641 08 01 test byte ptr ds:[ecx+8],1
流程
003C58EA FF75 0C push dword ptr ss:[ebp+C] --------------JMP到这里
003C58ED FF75 08 push dword ptr ss:[ebp+8]
003C58F0 E8 35FEFFFF call 003C572A
003C58F5 59 pop ecx
003C58F6 59 pop ecx
003C58F7 5F pop edi
003C58F8 5E pop esi
003C58F9 5B pop ebx
003C58FA C9 leave
003C58FB C2 0800 retn 8
003DA9D2 8985 94F7FFFF mov dword ptr ss:[ebp-86C],eax ; kernel32.GetFileAttributesA -------------返回到这里
003DA9D8 83BD 94F7FFFF 00 cmp dword ptr ss:[ebp-86C],0
003DA9DF 75 38 jnz short 003DAA19 -----------跳到003DAA19
003DA9E1 8B45 08 mov eax,dword ptr ss:[ebp+8]
003DA9E4 8B00 mov eax,dword ptr ds:[eax]
003DA9E6 C700 03000000 mov dword ptr ds:[eax],3
003DA9EC FF15 C8503E00 call dword ptr ds:[3E50C8] ; ntdll.RtlGetLastWin32Error
003DA9F2 50 push eax
003DA9F3 FFB5 3CF7FFFF push dword ptr ss:[ebp-8C4]
003DA9F9 FFB5 A0F8FFFF push dword ptr ss:[ebp-760]
003DA9FF 68 B88F3E00 push 3E8FB8 ; ASCII "File "%s", function "%s" (error %d)"
003DAA04 8B45 08 mov eax,dword ptr ss:[ebp+8]
003DAA07 FF70 04 push dword ptr ds:[eax+4]
003DAA0A E8 4D3E0000 call 003DE85C
003DAA0F 83C4 14 add esp,14
003DAA12 33C0 xor eax,eax
003DAA14 E9 240C0000 jmp 003DB63D
003DAA19 8B85 A8F9FFFF mov eax,dword ptr ss:[ebp-658] ; QQTwin.004380C4 -----------到这里
003DAA1F 8B8D 94F7FFFF mov ecx,dword ptr ss:[ebp-86C]
003DAA25 8908 mov dword ptr ds:[eax],ecx
003DAA27 8B85 A8F9FFFF mov eax,dword ptr ss:[ebp-658]
003DAA2D 83C0 04 add eax,4
003DAA30 8985 A8F9FFFF mov dword ptr ss:[ebp-658],eax
003DAA36 ^ E9 7AFDFFFF jmp 003DA7B5 -----------------往上跳
003DAA3B 0FB685 B4F9FFFF movzx eax,byte ptr ss:[ebp-64C] ----------F4到这里
003DAA42 85C0 test eax,eax
003DAA44 /74 7F je short 003DAAC5 ----------跳到003DAAC5
003DAA46 |6A 00 push 0
003DAA48 |8B85 B8F9FFFF mov eax,dword ptr ss:[ebp-648]
003DAA4E |C1E0 02 shl eax,2
003DAA51 |50 push eax
003DAA52 |8B85 44FBFFFF mov eax,dword ptr ss:[ebp-4BC]
003DAA58 |0385 B0F9FFFF add eax,dword ptr ss:[ebp-650]
003DAA5E |50 push eax
003DAA5F |E8 5F150000 call 003DBFC3
003DAA64 |83C4 0C add esp,0C
003DAA67 |8B85 B8F9FFFF mov eax,dword ptr ss:[ebp-648]
003DAA6D |C1E0 02 shl eax,2
003DAA70 |50 push eax
003DAA71 |FFB5 C0F9FFFF push dword ptr ss:[ebp-640]
003DAA77 |8B85 44FBFFFF mov eax,dword ptr ss:[ebp-4BC]
003DAA7D |0385 B0F9FFFF add eax,dword ptr ss:[ebp-650]
003DAA83 |50 push eax
003DAA84 |E8 37340000 call 003DDEC0
003DAA89 |83C4 0C add esp,0C
003DAA8C |6A 01 push 1
003DAA8E |8B85 B8F9FFFF mov eax,dword ptr ss:[ebp-648]
003DAA94 |C1E0 02 shl eax,2
003DAA97 |50 push eax
003DAA98 |8B85 44FBFFFF mov eax,dword ptr ss:[ebp-4BC]
003DAA9E |0385 B0F9FFFF add eax,dword ptr ss:[ebp-650]
003DAAA4 |50 push eax
003DAAA5 |E8 19150000 call 003DBFC3
003DAAAA |83C4 0C add esp,0C
003DAAAD |8B85 C0F9FFFF mov eax,dword ptr ss:[ebp-640]
003DAAB3 |8985 08E6FFFF mov dword ptr ss:[ebp-19F8],eax
003DAAB9 |FFB5 08E6FFFF push dword ptr ss:[ebp-19F8]
003DAABF |E8 E8330000 call 003DDEAC
003DAAC4 |59 pop ecx
003DAAC5 \8D85 ACF9FFFF lea eax,dword ptr ss:[ebp-654] ----------到这里
003DAACB 50 push eax
003DAACC FFB5 ACF9FFFF push dword ptr ss:[ebp-654]
003DAAD2 8B85 B8F9FFFF mov eax,dword ptr ss:[ebp-648]
003DAAD8 C1E0 02 shl eax,2
003DAADB 50 push eax
003DAADC 8B85 44FBFFFF mov eax,dword ptr ss:[ebp-4BC]
003DAAE2 0385 B0F9FFFF add eax,dword ptr ss:[ebp-650]
003DAAE8 50 push eax
003DAAE9 FF15 08513E00 call dword ptr ds:[3E5108] ; kernel32.VirtualProtect
003DAAEF ^ E9 35FAFFFF jmp 003DA529 ---------往上跳
003DAAF4 8B85 30FBFFFF mov eax,dword ptr ss:[ebp-4D0] ------F4到这里
CTRL+G 输入003C58AC,按确定,跳到这里
003C58AC 74 3C jmp short 003C58EA --------- 点右键->“撤销选择”,恢复为原来的 74 3C je short 003C58EA
取消所有断点,ALT+M,在401000处下内存访问断点,按F9
内存镜像,项目 20
地址=00401000
大小=00037000 (225280.)
Owner=QQTwin 00400000
区段=.text
类型=Imag 01001002
访问=R
初始访问=RWE
0041962D 6A 60 push 60 ----------这里是OEP吗?
0041962F 68 00BE4300 push QQTwin.0043BE00
00419634 E8 73110000 call QQTwin.0041A7AC
00419639 BF 94000000 mov edi,94
0041963E 8BC7 mov eax,edi
00419640 E8 9BF1FFFF call QQTwin.004187E0
00419645 8965 E8 mov dword ptr ss:[ebp-18],esp
00419648 8BF4 mov esi,esp
0041964A 893E mov dword ptr ds:[esi],edi
0041964C 56 push esi
0041964D FF15 98824300 call dword ptr ds:[438298] ; kernel32.GetVersionExA
00419653 8B4E 10 mov ecx,dword ptr ds:[esi+10]
00419656 890D 38AD4400 mov dword ptr ds:[44AD38],ecx
0041965C 8B46 04 mov eax,dword ptr ds:[esi+4]
0041965F A3 44AD4400 mov dword ptr ds:[44AD44],eax
00419664 8B56 08 mov edx,dword ptr ds:[esi+8]
用LOADPE,选择完全脱壳,再用ImportREC 1.6选择qqtwin.exe进程,
OEP填1962D,自动搜索IAT,获取输入表,显示19个无效指针,用追踪1,外挂插件-Armadillo 2.6还是19个,全部CUT掉
修复抓取文件,选dumped.exe
运行后出错如图
还有我前几次做法都一样,获取输入表后,显示13个无效指针,CUT掉后运行没反应,这几天被这个搞得头晕晕~~