【Title】: A beginner's notes on manually unpacking FSG 2.0 and repairing the import table
【Author】: firefly
【Software】: FSG-packed Notepad
【Download】: 看雪 tools download
【Packer】: FSG2.0
【Environment】: winxp sp2, OllyICE, ODBGScript1.62
【Author's note】: A beginner's unpacking study notes; please point out any mistakes.
--------------------------------------------------------------------------------
【Detailed Process】
First pack Notepad with FSG 2.0, then load the packed Notepad in OD. It looks like this:
01000154 > 8725 6CF40101 xchg dword ptr [101F46C], esp
0100015A 61 popad
0100015B 94 xchg eax, esp
0100015C 55 push ebp
0100015D A4 movs byte ptr es:[edi], byte ptr [esi]
0100015E B6 80 mov dh, 80
01000160 FF13 call dword ptr [ebx]
01000162 ^ 73 F9 jnb short 0100015D
01000164 33C9 xor ecx, ecx
01000166 FF13 call dword ptr [ebx]
01000168 73 16 jnb short 01000180
0100016A 33C0 xor eax, eax
0100016C FF13 call dword ptr [ebx]
0100016E 73 1F jnb short 0100018F
01000170 B6 80 mov dh, 80
01000172 41 inc ecx
01000173 B0 10 mov al, 10
01000175 FF13 call dword ptr [ebx]
01000177 12C0 adc al, al
01000179 ^ 73 FA jnb short 01000175
0100017B 75 3A jnz short 010001B7
0100017D AA stos byte ptr es:[edi]
0100017E ^ EB E0 jmp short 01000160
01000180 FF53 08 call dword ptr [ebx+8]
01000183 02F6 add dh, dh
01000185 83D9 01 sbb ecx, 1
01000188 75 0E jnz short 01000198
0100018A FF53 04 call dword ptr [ebx+4]
0100018D EB 24 jmp short 010001B3
0100018F AC lods byte ptr [esi]
01000190 D1E8 shr eax, 1
01000192 74 2D je short 010001C1
01000194 13C9 adc ecx, ecx
01000196 EB 18 jmp short 010001B0
01000198 91 xchg eax, ecx
01000199 48 dec eax
0100019A C1E0 08 shl eax, 8
0100019D AC lods byte ptr [esi]
0100019E FF53 04 call dword ptr [ebx+4]
010001A1 3B43 F8 cmp eax, dword ptr [ebx-8]
010001A4 73 0A jnb short 010001B0
010001A6 80FC 05 cmp ah, 5
010001A9 73 06 jnb short 010001B1
010001AB 83F8 7F cmp eax, 7F
010001AE 77 02 ja short 010001B2
010001B0 41 inc ecx
010001B1 41 inc ecx
010001B2 95 xchg eax, ebp
010001B3 8BC5 mov eax, ebp
010001B5 B6 00 mov dh, 0
010001B7 56 push esi
010001B8 8BF7 mov esi, edi
010001BA 2BF0 sub esi, eax
010001BC F3:A4 rep movs byte ptr es:[edi], byte ptr [esi]
010001BE 5E pop esi
010001BF ^ EB 9F jmp short 01000160
010001C1 5E pop esi
; the loop here processes the import table
010001C2 AD lods dword ptr [esi]
010001C3 97 xchg eax, edi
010001C4 AD lods dword ptr [esi]
010001C5 50 push eax
010001C6 FF53 10 call dword ptr [ebx+10] ; kernel32.LoadLibraryA
010001C9 95 xchg eax, ebp
010001CA 8B07 mov eax, dword ptr [edi]
010001CC 40 inc eax
010001CD ^ 78 F3 js short 010001C2
010001CF 75 03 jnz short 010001D4
; this jumps to the OEP
010001D1 FF63 0C jmp dword ptr [ebx+C]
010001D4 50 push eax
010001D5 55 push ebp
010001D6 FF53 14 call dword ptr [ebx+14] ; kernel32.GetProcAddress
010001D9 AB stos dword ptr es:[edi]
010001DA ^ EB EE jmp short 010001CA
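To make the import-table loop at 010001C2-010001DA concrete, here is an added Python replay of it over a small constructed image. This is example code written for these notes, not part of the original post or of FSG itself; the encoding it assumes (each IAT slot holds the GetProcAddress argument minus one, so that after `inc eax` a negative value means "next DLL", zero means "jump to OEP", and anything else is a name pointer or ordinal) is read directly from the listing above, and the image layout, DLL names and export addresses are constructed stand-ins.

```python
import struct

IMAGE_BASE = 0x01000000  # Notepad's load address, as in the OllyDbg listing


def u32(mem, va):
    """Read a little-endian dword at virtual address va."""
    return struct.unpack_from("<I", mem, va - IMAGE_BASE)[0]


def cstring(mem, va):
    """Read a NUL-terminated ASCII string at virtual address va."""
    off = va - IMAGE_BASE
    return mem[off:mem.index(b"\0", off)].decode("ascii")


def walk_fsg_imports(mem, stream_va, get_proc_address):
    """Replay the stub's loop at 010001C2-010001DA over an in-memory image.

    esi walks a stream of (IAT address, DLL-name address) pairs.  For each
    pair the IAT slots are processed until a terminator: slot value + 1 is
    negative -> next DLL, zero -> OEP, otherwise it is passed to
    GetProcAddress (ordinal when the high word is zero, else a name pointer)
    and the result is written back into the slot.
    get_proc_address(dll, name_or_ordinal) stands in for the real API.
    Returns a list of (slot VA, DLL, name_or_ordinal, resolved address).
    """
    esi = stream_va
    resolved = []
    while True:
        edi = u32(mem, esi)                        # lods / xchg eax, edi
        esi += 4
        dll = cstring(mem, u32(mem, esi))          # lods / push eax / LoadLibraryA
        esi += 4
        while True:
            eax = (u32(mem, edi) + 1) & 0xFFFFFFFF # mov eax, [edi] / inc eax
            if eax & 0x80000000:                   # js  -> next DLL
                break
            if eax == 0:                           # jnz not taken -> jmp [ebx+C] (OEP)
                return resolved
            key = eax if eax < 0x10000 else cstring(mem, eax)
            addr = get_proc_address(dll, key)      # push eax / push ebp / call [ebx+14]
            struct.pack_into("<I", mem, edi - IMAGE_BASE, addr)   # stos dword
            resolved.append((edi, dll, key, addr))
            edi += 4


# Constructed stand-ins for export addresses (not real kernel32/user32 values).
FAKE_EXPORTS = {
    ("kernel32.dll", "GetModuleHandleA"): 0x71000010,
    ("kernel32.dll", "GetProcAddress"):   0x71000020,
    ("user32.dll", "MessageBoxA"):        0x72000010,
    ("user32.dll", 2):                    0x72000020,   # imported by ordinal
}


def fake_get_proc_address(dll, name_or_ordinal):
    return FAKE_EXPORTS[(dll, name_or_ordinal)]


def build_sample_image():
    """Constructed image laid out the way the stub expects (hypothetical offsets)."""
    mem = bytearray(0x3000)
    names = {}
    cur = 0x2800
    for s in ("kernel32.dll", "user32.dll", "GetModuleHandleA",
              "GetProcAddress", "MessageBoxA"):
        names[s] = IMAGE_BASE + cur
        mem[cur:cur + len(s) + 1] = s.encode() + b"\0"
        cur += len(s) + 1
    # IAT slots: value + 1 is what reaches GetProcAddress
    slots = [
        (0x1000, names["GetModuleHandleA"] - 1),
        (0x1004, names["GetProcAddress"] - 1),
        (0x1008, 0x80000000),            # +1 is still negative -> next DLL
        (0x100C, names["MessageBoxA"] - 1),
        (0x1010, 2 - 1),                 # ordinal 2
        (0x1014, 0xFFFFFFFF),            # +1 == 0 -> jump to OEP
    ]
    for off, val in slots:
        struct.pack_into("<I", mem, off, val)
    # the stream esi walks: (IAT VA, DLL-name VA) for each DLL
    struct.pack_into("<IIII", mem, 0x2000,
                     IMAGE_BASE + 0x1000, names["kernel32.dll"],
                     IMAGE_BASE + 0x100C, names["user32.dll"])
    return mem


def rebuild_imports():
    mem = build_sample_image()
    log = walk_fsg_imports(mem, IMAGE_BASE + 0x2000, fake_get_proc_address)
    return mem, log


if __name__ == "__main__":
    mem, log = rebuild_imports()
    for slot, dll, key, addr in log:
        print(f"{slot:08X}  {dll:<13} {key!s:<17} -> {addr:08X}")
```

The replay shows why dumping at the OEP is not enough on its own: every slot the loop touched now holds a live API address, so an import rebuilder has to recover the name or ordinal for each slot rather than take the dump as is.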
Following the jmp dword ptr [ebx+C] lands at the OEP, 0100739D:
0100739D . 6A 70 push 70
0100739F . 68 98180001 push 01001898
010073A4 . E8 BF010000 call 01007568
010073A9 . 33DB xor ebx, ebx
010073AB . 53 push ebx ; /pModule => NULL
010073AC . 8B3D CC100001 mov edi, dword ptr [10010CC] ; |kernel32.GetModuleHandleA
010073B2 . FFD7 call edi ; \GetModuleHandleA
010073B4 . 66:8138 4D5A cmp word ptr [eax], 5A4D
010073B9 . 75 1F jnz short 010073DA
010073BB . 8B48 3C mov ecx, dword ptr [eax+3C]
010073BE . 03C8 add ecx, eax
010073C0 . 8139 50450000 cmp dword ptr [ecx], 4550
010073C6 . 75 12 jnz short 010073DA
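The first thing Notepad's own code does at the OEP (010073B4-010073C6) is check its module header: 'MZ' at offset 0, e_lfanew at offset 3C, and 'PE' where that points. The same check, as an added Python helper for sanity-checking a dump before repairing its imports (example code for these notes, not from the original post; the sample header it builds is constructed and is not a loadable PE):

```python
import struct


def pe_header_ok(image):
    """Mirror the checks at 010073B4-010073C6 on a raw dump.

    The original code trusts e_lfanew; a dump checker must also bounds-check
    it, since a truncated or damaged dump can point outside the buffer.
    """
    if len(image) < 0x40 or image[:2] != b"MZ":            # cmp word ptr [eax], 5A4D
        return False
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]   # mov ecx, [eax+3C]
    if e_lfanew + 4 > len(image):
        return False
    return image[e_lfanew:e_lfanew + 4] == b"PE\0\0"        # cmp dword ptr [ecx], 4550


def make_min_header(e_lfanew=0x80):
    """Constructed minimal header: just enough bytes for the checks above."""
    buf = bytearray(e_lfanew + 4)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    return bytes(buf)


if __name__ == "__main__":
    print(pe_header_ok(make_min_header()))          # a well-formed header
    print(pe_header_ok(make_min_header()[:0x80]))   # truncated before 'PE'
```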