-
-
[旧帖] [求助]脱壳后用Import fix修复。却只有2个无效指针 0.00雪花
-
发表于: 2008-2-18 23:06
-
PEID查壳:ASPack 2.12 -> Alexey Solodovnikov [Overlay]
OD载入后如下
0056D001 > 60 pushad
0056D002 E8 03000000 call DELPHI编.0056D00A //F7进
0056D007 - E9 EB045D45 jmp 45B3D4F7
0056D00C 55 push ebp
0056D00D C3 retn
0056D00E E8 01000000 call DELPHI编.0056D014
0056D013 EB 5D jmp short DELPHI编.0056D072
0056D015 BB EDFFFFFF mov ebx,-13
0056D01A 03DD add ebx,ebp
----------------------------------------------------------------------------------------------
0056D00A 5D pop ebp //来到这里
0056D00B 45 inc ebp
0056D00C 55 push ebp
0056D00D C3 retn //这里单步后来到0056D008
----------------------------------------------------------------------------------------------
0056D008 /EB 04 jmp short DELPHI编.0056D00E //来到这里
0056D00A |5D pop ebp
0056D00B |45 inc ebp
0056D00C |55 push ebp
0056D00D |C3 retn
0056D00E \E8 01000000 call DELPHI编.0056D014 //这里F7进
0056D013 EB 5D jmp short DELPHI编.0056D072
0056D015 BB EDFFFFFF mov ebx,-13
------------------------------------------------------------------------------------------------
0056D014 5D pop ebp //来到这里
0056D015 BB EDFFFFFF mov ebx,-13
0056D01A 03DD add ebx,ebp
0056D01C 81EB 00D01600 sub ebx,16D000
0056D022 83BD 22040000 0>cmp dword ptr ss:[ebp+422],0
0056D029 899D 22040000 mov dword ptr ss:[ebp+422],ebx
0056D02F 0F85 65030000 jnz DELPHI编.0056D39A //这里跟随
0056D035 8D85 2E040000 lea eax,dword ptr ss:[ebp+42E]
0056D03B 50 push eax
0056D03C FF95 4D0F0000 call dword ptr ss:[ebp+F4D]
0056D042 8985 26040000 mov dword ptr ss:[ebp+426],eax
0056D048 8BF8 mov edi,eax
----------------------------------------------------------------------------------------
0056D39A B8 68B01100 mov eax,11B068 //来到这里。F4
0056D39F 50 push eax
0056D3A0 0385 22040000 add eax,dword ptr ss:[ebp+422]
0056D3A6 59 pop ecx
0056D3A7 0BC9 or ecx,ecx
0056D3A9 8985 A8030000 mov dword ptr ss:[ebp+3A8],eax
0056D3AF 61 popad
0056D3B0 75 08 jnz short DELPHI编.0056D3BA
0056D3B2 B8 01000000 mov eax,1
0056D3B7 C2 0C00 retn 0C
0056D3BA 68 00000000 push 0
0056D3BF C3 retn //这里跳到OEP
0056D3C0 8B85 26040000 mov eax,dword ptr ss:[ebp+426]
-------------------------------------------------------------------------------------------------------
0051B068 55 push ebp //来到这里。脱壳
0051B069 8BEC mov ebp,esp
0051B06B B9 07000000 mov ecx,7
0051B070 6A 00 push 0
0051B072 6A 00 push 0
0051B074 49 dec ecx
0051B075 ^ 75 F9 jnz short DELPHI编.0051B070
0051B077 53 push ebx
0051B078 56 push esi
0051B079 57 push edi
0051B07A B8 38AD5100 mov eax,DELPHI编.0051AD38
0051B07F E8 F8C2EEFF call DELPHI编.0040737C
0051B084 8B35 08F45100 mov esi,dword ptr ds:[51F408] ; DELPHI编.005207D8
0051B08A 33C0 xor eax,eax
0051B08C 55 push ebp
0051B08D 68 84B35100 push DELPHI编.0051B384
用OD 的方式1跟LordPE各脱一个,Import Fix 载入修复,却只有2个无效的指针
。。。这,请问我哪里操作错了吗?请指教。谢谢。。。附上文件。
OD载入后如下
0056D001 > 60 pushad
0056D002 E8 03000000 call DELPHI编.0056D00A //F7进
0056D007 - E9 EB045D45 jmp 45B3D4F7
0056D00C 55 push ebp
0056D00D C3 retn
0056D00E E8 01000000 call DELPHI编.0056D014
0056D013 EB 5D jmp short DELPHI编.0056D072
0056D015 BB EDFFFFFF mov ebx,-13
0056D01A 03DD add ebx,ebp
----------------------------------------------------------------------------------------------
0056D00A 5D pop ebp //来到这里
0056D00B 45 inc ebp
0056D00C 55 push ebp
0056D00D C3 retn //这里单步后来到0056D008
----------------------------------------------------------------------------------------------
0056D008 /EB 04 jmp short DELPHI编.0056D00E //来到这里
0056D00A |5D pop ebp
0056D00B |45 inc ebp
0056D00C |55 push ebp
0056D00D |C3 retn
0056D00E \E8 01000000 call DELPHI编.0056D014 //这里F7进
0056D013 EB 5D jmp short DELPHI编.0056D072
0056D015 BB EDFFFFFF mov ebx,-13
------------------------------------------------------------------------------------------------
0056D014 5D pop ebp //来到这里
0056D015 BB EDFFFFFF mov ebx,-13
0056D01A 03DD add ebx,ebp
0056D01C 81EB 00D01600 sub ebx,16D000
0056D022 83BD 22040000 0>cmp dword ptr ss:[ebp+422],0
0056D029 899D 22040000 mov dword ptr ss:[ebp+422],ebx
0056D02F 0F85 65030000 jnz DELPHI编.0056D39A //这里跟随
0056D035 8D85 2E040000 lea eax,dword ptr ss:[ebp+42E]
0056D03B 50 push eax
0056D03C FF95 4D0F0000 call dword ptr ss:[ebp+F4D]
0056D042 8985 26040000 mov dword ptr ss:[ebp+426],eax
0056D048 8BF8 mov edi,eax
----------------------------------------------------------------------------------------
0056D39A B8 68B01100 mov eax,11B068 //来到这里。F4
0056D39F 50 push eax
0056D3A0 0385 22040000 add eax,dword ptr ss:[ebp+422]
0056D3A6 59 pop ecx
0056D3A7 0BC9 or ecx,ecx
0056D3A9 8985 A8030000 mov dword ptr ss:[ebp+3A8],eax
0056D3AF 61 popad
0056D3B0 75 08 jnz short DELPHI编.0056D3BA
0056D3B2 B8 01000000 mov eax,1
0056D3B7 C2 0C00 retn 0C
0056D3BA 68 00000000 push 0
0056D3BF C3 retn //这里跳到OEP
0056D3C0 8B85 26040000 mov eax,dword ptr ss:[ebp+426]
-------------------------------------------------------------------------------------------------------
0051B068 55 push ebp //来到这里。脱壳
0051B069 8BEC mov ebp,esp
0051B06B B9 07000000 mov ecx,7
0051B070 6A 00 push 0
0051B072 6A 00 push 0
0051B074 49 dec ecx
0051B075 ^ 75 F9 jnz short DELPHI编.0051B070
0051B077 53 push ebx
0051B078 56 push esi
0051B079 57 push edi
0051B07A B8 38AD5100 mov eax,DELPHI编.0051AD38
0051B07F E8 F8C2EEFF call DELPHI编.0040737C
0051B084 8B35 08F45100 mov esi,dword ptr ds:[51F408] ; DELPHI编.005207D8
0051B08A 33C0 xor eax,eax
0051B08C 55 push ebp
0051B08D 68 84B35100 push DELPHI编.0051B384
用OD 的方式1跟LordPE各脱一个,Import Fix 载入修复,却只有2个无效的指针
。。。这,请问我哪里操作错了吗?请指教。谢谢。。。附上文件。
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
|
|
|---|---|
|
|
|
|
|
|
|
|
|
|
|
首先谢谢petnt的提醒,小菜我潜水3天狂搜资料~~~尽管问题未解决.但至少又多学了个动手经验
 其实是前阵子下载的电子书(DELPHI编程手册3.0.exe),看着有壳就想拿来练练手.壳倒是好脱.修复却...  ,只好先放着.等技术进步点再回头报仇!! 也谢谢dlina和nwmonster,手动寻找了IAT,倒是有了.但那两个无效指针依然修复不了(等级1和3都不行),剪掉无效指针也不行.已经用了所有我知道的和能搜集到的资料去试着修复 ...至于 nwmonster说的.小菜我还不会 ...好了.先这样.谢谢大侠们的指导.我会再努力的!!祝大家中秋快乐
|
