看看下面OEP处的代码:
; --- Code at the OEP of unpackme (004010CC..) as captured in the debugger ---
; "call edi" with edi == 004010CE followed by "pop eax" only pushes and
; reloads its own return address: eax = 004010CE, nothing is really called.
; Each "nop + call 0037298E" pair is 6 bytes (90 + E8 rel32), the footprint
; of a 6-byte "call dword ptr [imp]" (FF15 disp32); the packer appears to
; have rewritten the program's import calls to go through its stub at
; 0037298E.  That stub routine is not part of this listing — TODO confirm.
004010CC FFD7 call edi ; unpackme.004010CE
004010CE 58 pop eax                               ; eax = 004010CE (self-locating idiom)
004010CF 83EC 44 sub esp, 44                      ; 0x44 bytes of locals
004010D2 56 push esi
004010D3 90 nop                                   ; jumps/calls like this one were all rewritten (original note)
004010D4 E8 B518F7FF call 0037298E                ; into the packer stub (not shown)
004010D9 8BF0 mov esi, eax                        ; esi = returned pointer
004010DB 8A00 mov al, byte ptr ds:[eax]           ; first byte of the returned buffer
004010DD 3C 22 cmp al, 22                         ; 0x22 == '"' — resembles the CRT's leading-quote check on the command line; confirm
004010DF 75 1B jnz short unpackme.004010FC
004010E1 56 push esi
004010E2 90 nop                                   ; same here (original note)
004010E3 E8 A618F7FF call 0037298E                ; second redirected call into the stub
于是有一个问题：OEP处的这些call都指向壳内同一个地址0037298E，所以壳里应该有一个跳转表，试着找了一下~!
; --- Exception handler inside the packer stub (0037249E..) ---
; Argument use matches an SEH handler _except_handler(ExceptionRecord,
; EstablisherFrame, ContextRecord, DispatcherContext): [esp+4] -> the
; EXCEPTION_RECORD (ExceptionCode at +0), [esp+C] -> the x86 CONTEXT.
; CONTEXT fields touched (x86 layout): +4..+10 Dr0..Dr3, +14 Dr6, +18 Dr7,
; +A0 Esi, +A4 Ebx, +B0 Eax, +B4 Ebp, +B8 Eip.  The stub later unhooks
; itself with "pop dword ptr fs:[0]", which supports the SEH reading.
; Codes compared: 80000003 STATUS_BREAKPOINT, 80000004 STATUS_SINGLE_STEP,
; C0000094 STATUS_INTEGER_DIVIDE_BY_ZERO.  The common exit 003725A7 is not
; in the listing; every visible path clears eax before reaching it
; (0 would be ExceptionContinueExecution) — confirm at 003725A7.
0037249E 8B4424 04 mov eax, dword ptr ss:[esp+4]        ; eax = ExceptionRecord
003724A2 8B00 mov eax, dword ptr ds:[eax]               ; eax = ExceptionCode
003724A4 8B4C24 0C mov ecx, dword ptr ss:[esp+C]        ; ecx = ContextRecord
003724A8 FF81 B8000000 inc dword ptr ds:[ecx+B8]        ; Context.Eip += 1 before any dispatch
003724AE 3D 03000080 cmp eax, 80000003                  ; STATUS_BREAKPOINT?
003724B3 75 51 jnz short 00372506
; Breakpoint path: program four hardware breakpoints at Ebp+1A8/1D2/1FF/231
; through the CONTEXT (the stub uses ebp as its delta base, so these fall
; inside the stub); the later hits arrive as STATUS_SINGLE_STEP.  Any
; hardware breakpoint an analyst has set is overwritten here.
003724B5 8B81 B4000000 mov eax, dword ptr ds:[ecx+B4]   ; Context.Ebp
003724BB 8D80 A8010000 lea eax, dword ptr ds:[eax+1A8]
003724C1 8941 04 mov dword ptr ds:[ecx+4], eax          ; Dr0
003724C4 8B81 B4000000 mov eax, dword ptr ds:[ecx+B4]
003724CA 8D80 D2010000 lea eax, dword ptr ds:[eax+1D2]
003724D0 8941 08 mov dword ptr ds:[ecx+8], eax          ; Dr1
003724D3 8B81 B4000000 mov eax, dword ptr ds:[ecx+B4]
003724D9 8D80 FF010000 lea eax, dword ptr ds:[eax+1FF]
003724DF 8941 0C mov dword ptr ds:[ecx+C], eax          ; Dr2
003724E2 8B81 B4000000 mov eax, dword ptr ds:[ecx+B4]
003724E8 8D80 31020000 lea eax, dword ptr ds:[eax+231]
003724EE 8941 10 mov dword ptr ds:[ecx+10], eax         ; Dr3
003724F1 33C0 xor eax, eax                              ; return value 0
003724F3 8161 14 F00FFFF>and dword ptr ds:[ecx+14], FFFF0FF0   ; Dr6: clear B0..B3 (bits 0-3) and bits 12-15
003724FA C741 18 5501000>mov dword ptr ds:[ecx+18], 155       ; Dr7 = 0x155: L0..L3 + LE set, R/W and LEN 0 = execute, 1 byte
00372501 E9 A1000000 jmp 003725A7                       ; common exit (not shown)
00372506 3D 04000080 cmp eax, 80000004                  ; STATUS_SINGLE_STEP (a Dr breakpoint fired)?
0037250B 75 6C jnz short 00372579
; NOTE(review): the listing is desynchronised from 00372512 on.  The call
; lands at 00372516, one byte into "0058 FF", so the "inc eax / add al,0 /
; add byte ptr" lines are not what executes.  Decoding the shown bytes from
; 00372516 (58 FF 00 8B 00 83 F8 01 75 08) gives: pop eax / inc dword ptr
; [eax] / mov eax,[eax] / cmp eax,1 / jnz 00372528 — the dword at 00372512
; (the call's own return address; 00000440 at dump time) is a self-
; modifying counter that selects one of the cases below.  Re-disassemble
; from 00372516 to confirm; a software breakpoint at 00372512 would
; corrupt that counter.
0037250D E8 04000000 call 00372516
00372512 40 inc eax
00372513 04 00 add al, 0
00372515 0058 FF add byte ptr ds:[eax-1], bl
00372518 008B 0083F801 add byte ptr ds:[ebx+1F88300], cl
0037251E 75 08 jnz short 00372528
; case 1
00372520 F791 B0000000 not dword ptr ds:[ecx+B0]        ; Context.Eax = ~Eax
00372526 EB 4D jmp short 00372575
00372528 83F8 02 cmp eax, 2
0037252B 75 11 jnz short 0037253E
; case 2
0037252D 8B81 B0000000 mov eax, dword ptr ds:[ecx+B0]
00372533 C1C0 13 rol eax, 13                            ; Context.Eax = rol(Eax, 0x13)
00372536 8981 B0000000 mov dword ptr ds:[ecx+B0], eax
0037253C EB 37 jmp short 00372575
0037253E 83F8 03 cmp eax, 3
00372541 75 29 jnz short 0037256C
; case 3: Eax += 4B23526, then the low 16 bits of Eax and Ebx are swapped
; and summed (16-bit ops: the upper halves keep their values)
00372543 8181 B0000000 2>add dword ptr ds:[ecx+B0], 4B23526
0037254D 8B81 B0000000 mov eax, dword ptr ds:[ecx+B0]   ; Context.Eax
00372553 8B99 A4000000 mov ebx, dword ptr ds:[ecx+A4]   ; Context.Ebx
00372559 66:93 xchg ax, bx
0037255B 66:03C3 add ax, bx
0037255E 8981 B0000000 mov dword ptr ds:[ecx+B0], eax
00372564 8999 A4000000 mov dword ptr ds:[ecx+A4], ebx
0037256A EB 09 jmp short 00372575
; default: decode one byte at Context.Esi in place
0037256C 8B81 A0000000 mov eax, dword ptr ds:[ecx+A0]   ; Context.Esi
00372572 8030 55 xor byte ptr ds:[eax], 55
00372575 33C0 xor eax, eax                              ; return value 0
00372577 EB 2E jmp short 003725A7
00372579 3D 940000C0 cmp eax, C0000094                  ; STATUS_INTEGER_DIVIDE_BY_ZERO?
0037257E 75 24 jnz short 003725A4
; divide-fault path; the rest is cut from the listing.  Original note:
; at 00372661+1 a retn below returns into the system, so that is the exit.
00372580 FF81 B8000000 inc dword ptr ds:[ecx+B8]        ; Context.Eip += 1 again
; --- Stub, after the exception-driven phase: unhook SEH, then resolve
; helper APIs.  Register roles: ebp = delta base of the stub (every data
; reference below is ebp-relative).  [ebp+677] and [ebp+67B] are slots
; called with one pointer (a name at [ebp+6E6] / [ebp+6BB]) that return a
; module base in eax, [ebp+67B] only when the first returned 0 — the
; GetModuleHandle-then-LoadLibrary pattern; [ebp+673] is called with
; (module, name) and returns an address — GetProcAddress-like.  Which APIs
; sit in those slots is not visible here; confirm in the earlier stub code.
00372662 90 nop
00372663 64:8F05 0000000>pop dword ptr fs:[0]            ; restore the previous SEH head (unhook the handler above)
0037266A 58 pop eax                                     ; discard the second dword of the SEH frame (presumably the handler pointer)
0037266B 8DB5 E6060000 lea esi, dword ptr ss:[ebp+6E6]  ; name string; the call returns the kernel32.dll base (original note)
00372671 56 push esi
00372672 FF95 77060000 call dword ptr ss:[ebp+677]
00372678 8BF0 mov esi, eax                              ; esi = module base
0037267A 8DBD F4060000 lea edi, dword ptr ss:[ebp+6F4]  ; table: <len><name...><4-byte slot>, repeated; edi -> first name
00372680 B9 02000000 mov ecx, 2                         ; two entries
00372685 51 push ecx
00372686 57 push edi                                    ; name
00372687 56 push esi                                    ; module
00372688 FF95 73060000 call dword ptr ss:[ebp+673]      ; resolve (module, name)
0037268E 0FB64F FF movzx ecx, byte ptr ds:[edi-1]       ; length byte preceding the name
00372692 03F9 add edi, ecx                              ; skip the name
00372694 8907 mov dword ptr ds:[edi], eax               ; store the resolved address in the slot
00372696 83C7 05 add edi, 5                             ; past the slot and the next length byte
00372699 59 pop ecx
0037269A ^ E2 E9 loopd short 00372685                   ; this seems to be resolving some functions (original note)
0037269C 8DB5 BB060000 lea esi, dword ptr ss:[ebp+6BB]  ; second DLL name
003726A2 56 push esi
003726A3 FF95 77060000 call dword ptr ss:[ebp+677]
003726A9 0BC0 or eax, eax
003726AB 75 07 jnz short 003726B4                       ; already mapped?
003726AD 56 push esi
003726AE FF95 7B060000 call dword ptr ss:[ebp+67B]      ; else load it; fetches the user32.dll base (original note)
003726B4 8BF0 mov esi, eax
003726B6 8DBD C7060000 lea edi, dword ptr ss:[ebp+6C7]  ; second name table, same layout
003726BC B9 02000000 mov ecx, 2
003726C1 51 push ecx
003726C2 57 push edi
003726C3 56 push esi
003726C4 FF95 73060000 call dword ptr ss:[ebp+673]
003726CA 0FB64F FF movzx ecx, byte ptr ds:[edi-1]
003726CE 03F9 add edi, ecx
003726D0 8907 mov dword ptr ds:[edi], eax
003726D2 83C7 05 add edi, 5
003726D5 59 pop ecx
003726D6 ^ E2 E9 loopd short 003726C1                   ; done here; the next part seems to decode the code at 00401000 (original note)
; --- Decode packed sections.  Table of 12-byte entries at ebp+75E:
; +0 size (0 ends the table), +4 RVA in the image (added to [ebp+683],
; which the stub uses throughout as the image load address); +8 is not
; read here.  Per entry: allocate a scratch buffer, call the decoder at
; [ebp+6B7] with (section, buffer) — which one is input is not visible,
; but the following copy goes buffer -> section — then "rep movs" size
; bytes back over the section and free the buffer.  Argument patterns:
; [ebp+67F](0, size, 1000, 4) matches VirtualAlloc(NULL, size, MEM_COMMIT,
; PAGE_READWRITE); [ebp+700](p, 0, 8000) matches VirtualFree(p, 0,
; MEM_RELEASE).  The section is overwritten in place, so it must already
; be writable at this point.
003726D8 BB 5E070000 mov ebx, 75E                       ; ebx = offset of the section table from ebp
003726DD 833C2B 00 cmp dword ptr ds:[ebx+ebp], 0        ; size == 0 terminates
003726E1 74 47 je short 0037272A
003726E3 53 push ebx                                    ; keep ebx across the call
003726E4 6A 04 push 4                                   ; PAGE_READWRITE
003726E6 68 00100000 push 1000                          ; MEM_COMMIT
003726EB FF342B push dword ptr ds:[ebx+ebp]             ; size
003726EE 6A 00 push 0                                   ; lpAddress = NULL
003726F0 FF95 7F060000 call dword ptr ss:[ebp+67F]      ; allocate virtual memory (original note)
003726F6 5B pop ebx
003726F7 8BF0 mov esi, eax                              ; esi = scratch buffer
003726F9 8BC3 mov eax, ebx
003726FB 03C5 add eax, ebp                              ; eax = &entry
003726FD 8B78 04 mov edi, dword ptr ds:[eax+4]          ; RVA
00372700 03BD 83060000 add edi, dword ptr ss:[ebp+683]  ; edi = section VA
00372706 56 push esi
00372707 57 push edi
00372708 FF95 B7060000 call dword ptr ss:[ebp+6B7]      ; decoder(section, buffer)
0037270E 8B0C2B mov ecx, dword ptr ds:[ebx+ebp]         ; ecx = size
00372711 56 push esi                                    ; keep the buffer pointer; rep movs advances esi
00372712 F3:A4 rep movs byte ptr es:[edi], byte ptr ds:>   ; copy buffer -> section (direction flag assumed clear)
00372714 5E pop esi
00372715 53 push ebx
00372716 68 00800000 push 8000                          ; MEM_RELEASE
0037271B 6A 00 push 0                                   ; dwSize = 0
0037271D 56 push esi                                    ; buffer
0037271E FF95 00070000 call dword ptr ss:[ebp+700]      ; free virtual memory (original note)
00372724 5B pop ebx
00372725 83C3 0C add ebx, 0C                            ; next 12-byte entry
00372728 ^ EB B3 jmp short 003726DD                     ; done (original note)
; --- Import resolution.  [ebp+69B] selects one of two table formats.
; Path A (00372738..): walks a table in the image at [ebp+6AB]+base whose
; 20-byte entries are used exactly like IMAGE_IMPORT_DESCRIPTOR
; (+0 OriginalFirstThunk, +C Name, +10 FirstThunk; Name == 0 ends it).
; Each module is obtained via [ebp+677] then [ebp+67B] (see above); a thunk
; with bit 31 set (IMAGE_ORDINAL_FLAG32) is resolved by ordinal, otherwise
; by the name at thunk+2 (past the IMAGE_IMPORT_BY_NAME hint), and the
; result is written to the IAT entry at [ebx].
; Path B (003727C5..): walks a stub-private table at [ebp+6AB]+ebp:
; <IAT RVA:4><len><module name><1 byte><count:4><entries>, each entry
; either 00 <dword ordinal> or <len><encoded name, 0-terminated>.  Encoded
; names are decoded byte-wise (rol 3, then not) into the scratch buffer
; at [ebp+726] — its size is not visible and the loop has no bound check —
; then resolved by name.  Both paths jump to 00372A5F (not shown) when
; neither module lookup succeeds.
0037272A 8B85 9B060000 mov eax, dword ptr ss:[ebp+69B]  ; table-format flag
00372730 0BC0 or eax, eax
00372732 0F85 8D000000 jnz 003727C5                     ; non-zero -> path B
; path A: PE-style import descriptors
00372738 8BBD AB060000 mov edi, dword ptr ss:[ebp+6AB]  ; import table RVA
0037273E 03BD 83060000 add edi, dword ptr ss:[ebp+683]  ; edi = descriptor VA
00372744 8B77 0C mov esi, dword ptr ds:[edi+C]          ; Name RVA
00372747 0BF6 or esi, esi
00372749 75 02 jnz short 0037274D
0037274B EB 73 jmp short 003727C0                       ; Name == 0: end of table
0037274D 03B5 83060000 add esi, dword ptr ss:[ebp+683]
00372753 56 push esi
00372754 FF95 77060000 call dword ptr ss:[ebp+677]      ; module handle by name
0037275A 0BC0 or eax, eax
0037275C 75 10 jnz short 0037276E
0037275E 56 push esi
0037275F FF95 7B060000 call dword ptr ss:[ebp+67B]      ; not mapped: load it
00372765 0BC0 or eax, eax
00372767 75 05 jnz short 0037276E
00372769 E9 F1020000 jmp 00372A5F                       ; both failed: error exit (not shown)
0037276E 8BF0 mov esi, eax                              ; esi = module
00372770 8B17 mov edx, dword ptr ds:[edi]               ; OriginalFirstThunk
00372772 0BD2 or edx, edx
00372774 75 03 jnz short 00372779
00372776 8B57 10 mov edx, dword ptr ds:[edi+10]         ; absent: use FirstThunk
00372779 0395 83060000 add edx, dword ptr ss:[ebp+683]  ; edx = thunk VA
0037277F 8B5F 10 mov ebx, dword ptr ds:[edi+10]
00372782 039D 83060000 add ebx, dword ptr ss:[ebp+683]  ; ebx = IAT VA
00372788 8B02 mov eax, dword ptr ds:[edx]               ; thunk value
0037278A 0BC0 or eax, eax
0037278C 75 02 jnz short 00372790
0037278E EB 2B jmp short 003727BB                       ; 0: end of this module
00372790 53 push ebx
00372791 52 push edx
00372792 99 cdq                                         ; edx = sign-extension of eax: nonzero iff bit 31 set
00372793 0BD2 or edx, edx
00372795 75 0B jnz short 003727A2
00372797 83C0 02 add eax, 2                             ; by name: skip the 2-byte hint
0037279A 0385 83060000 add eax, dword ptr ss:[ebp+683]
003727A0 EB 05 jmp short 003727A7
003727A2 25 FFFFFF7F and eax, 7FFFFFFF                  ; by ordinal
003727A7 50 push eax
003727A8 56 push esi
003727A9 FF95 73060000 call dword ptr ss:[ebp+673]      ; resolve (module, name-or-ordinal)
003727AF 8903 mov dword ptr ds:[ebx], eax               ; write the IAT entry
003727B1 5A pop edx
003727B2 5B pop ebx
003727B3 83C2 04 add edx, 4
003727B6 83C3 04 add ebx, 4
003727B9 ^ EB CD jmp short 00372788
003727BB 83C7 14 add edi, 14                            ; next 20-byte descriptor
003727BE ^ EB 84 jmp short 00372744
003727C0 E9 A5000000 jmp 0037286A
; path B: stub-private, obfuscated table
003727C5 8B95 AB060000 mov edx, dword ptr ss:[ebp+6AB]
003727CB 03D5 add edx, ebp                              ; table lives in the stub, not the image
003727CD 8B3A mov edi, dword ptr ds:[edx]               ; IAT RVA for this module
003727CF 0BFF or edi, edi
003727D1 75 05 jnz short 003727D8
003727D3 E9 92000000 jmp 0037286A                       ; 0: end of table
003727D8 03BD 83060000 add edi, dword ptr ss:[ebp+683]  ; edi = IAT VA
003727DE 83C2 05 add edx, 5                             ; past the RVA and the name's length byte
003727E1 8BF2 mov esi, edx                              ; esi = module name
003727E3 56 push esi
003727E4 FF95 77060000 call dword ptr ss:[ebp+677]
003727EA 0BC0 or eax, eax
003727EC 75 10 jnz short 003727FE
003727EE 56 push esi
003727EF FF95 7B060000 call dword ptr ss:[ebp+67B]
003727F5 0BC0 or eax, eax
003727F7 75 05 jnz short 003727FE
003727F9 E9 61020000 jmp 00372A5F                       ; error exit (not shown)
003727FE 0FB64E FF movzx ecx, byte ptr ds:[esi-1]       ; module-name length
00372802 03F1 add esi, ecx
00372804 8BD6 mov edx, esi
00372806 8BF0 mov esi, eax                              ; esi = module base
00372808 42 inc edx                                     ; skip one byte
00372809 8B0A mov ecx, dword ptr ds:[edx]               ; ecx = number of entries
0037280B 83C2 04 add edx, 4
0037280E 51 push ecx
0037280F 0FB602 movzx eax, byte ptr ds:[edx]            ; first byte: 0 = ordinal entry, else name length
00372812 0BC0 or eax, eax
00372814 75 14 jnz short 0037282A
00372816 42 inc edx
00372817 52 push edx
00372818 8B02 mov eax, dword ptr ds:[edx]               ; dword ordinal
0037281A 50 push eax
0037281B 56 push esi
0037281C FF95 73060000 call dword ptr ss:[ebp+673]
00372822 8907 mov dword ptr ds:[edi], eax
00372824 5A pop edx
00372825 83C2 04 add edx, 4
00372828 EB 34 jmp short 0037285E
0037282A 42 inc edx                                     ; edx -> encoded name
0037282B 52 push edx
0037282C 60 pushad
0037282D 8BF2 mov esi, edx                              ; src = encoded name
0037282F 8DBD 26070000 lea edi, dword ptr ss:[ebp+726]  ; dst = scratch buffer
00372835 33C0 xor eax, eax                              ; upper bytes cleared so "or eax,eax" below tests al only
00372837 AC lods byte ptr ds:[esi]
00372838 EB 07 jmp short 00372841
0037283A C0C0 03 rol al, 3                              ; decode one byte: rol 3, then complement
0037283D F6D0 not al
0037283F AA stos byte ptr es:[edi]
00372840 AC lods byte ptr ds:[esi]
00372841 0BC0 or eax, eax
00372843 ^ 75 F5 jnz short 0037283A                     ; until the 0 terminator
00372845 AA stos byte ptr es:[edi]                      ; write the terminator
00372846 61 popad
00372847 8D95 26070000 lea edx, dword ptr ss:[ebp+726]  ; decoded name
0037284D 52 push edx
0037284E 56 push esi                                    ; module
0037284F FF95 73060000 call dword ptr ss:[ebp+673]
00372855 8907 mov dword ptr ds:[edi], eax               ; write the IAT entry
00372857 5A pop edx
00372858 0FB642 FF movzx eax, byte ptr ds:[edx-1]       ; name length byte
0037285C 03D0 add edx, eax                              ; skip the encoded name
0037285E 42 inc edx
0037285F 83C7 04 add edi, 4                             ; next IAT slot
00372862 59 pop ecx
00372863 ^ E2 A9 loopd short 0037280E                   ; loop over this module's functions (original note)
00372865 ^ E9 63FFFFFF jmp 003727CD                     ; next module
; --- Base relocations.  [ebp+693] = RVA of the relocation data (0 = none);
; edi = [ebp+683] - [ebp+68F], i.e. load address minus preferred base (the
; relocation delta).  Blocks are processed exactly like
; IMAGE_BASE_RELOCATION: {VirtualAddress, SizeOfBlock} followed by
; (SizeOfBlock-8)/2 16-bit entries; only type 3 (IMAGE_REL_BASED_HIGHLOW,
; high nibble == 3) is applied, by adding the delta to the dword at
; base + VirtualAddress + (entry & FFF).  A block with VirtualAddress 0 ends.
0037286A 8BB5 93060000 mov esi, dword ptr ss:[ebp+693]
00372870 0BF6 or esi, esi
00372872 74 4E je short 003728C2                        ; no relocations
00372874 03B5 83060000 add esi, dword ptr ss:[ebp+683]  ; esi = first block
0037287A 8BBD 83060000 mov edi, dword ptr ss:[ebp+683]
00372880 2BBD 8F060000 sub edi, dword ptr ss:[ebp+68F]  ; edi = delta
00372886 8B16 mov edx, dword ptr ds:[esi]               ; edx = block VirtualAddress
00372888 EB 34 jmp short 003728BE
0037288A 8B4E 04 mov ecx, dword ptr ds:[esi+4]          ; SizeOfBlock
0037288D 83C6 08 add esi, 8                             ; esi -> entries
00372890 83E9 08 sub ecx, 8
00372893 D1E9 shr ecx, 1                                ; ecx = entry count
00372895 EB 21 jmp short 003728B8
00372897 0FB706 movzx eax, word ptr ds:[esi]
0037289A C1E8 0C shr eax, 0C                            ; type = high 4 bits
0037289D 83F8 03 cmp eax, 3
003728A0 75 12 jnz short 003728B4                       ; other types are skipped
003728A2 0FB706 movzx eax, word ptr ds:[esi]
003728A5 25 FF0F0000 and eax, 0FFF                      ; offset within the page
003728AA 03C2 add eax, edx
003728AC 0385 83060000 add eax, dword ptr ss:[ebp+683]
003728B2 0138 add dword ptr ds:[eax], edi               ; apply the delta
003728B4 83C6 02 add esi, 2
003728B7 49 dec ecx
003728B8 0BC9 or ecx, ecx
003728BA ^ 75 DB jnz short 00372897
003728BC 8B16 mov edx, dword ptr ds:[esi]               ; next block
003728BE 0BD2 or edx, edx
003728C0 ^ 75 C8 jnz short 0037288A
; --- Call-site patch table (only when [ebp+69F] == 1).  8-byte entries at
; [ebp+6AF]+ebp; the first dword is an address with a flag in bit 31
; (masked off; 0 ends the table), rebased by (load address - preferred
; base).  For each, the dword just before that address is set to
; ([ebp+56D] - address): that is the rel32 operand of a 5-byte call/jmp
; (E8/E9) ending at that address, retargeted to the stub routine at
; ebp+56D.  This is plausibly how the "nop + call <stub>" sites at the OEP
; are produced, which would make this table the list of redirected call
; sites the poster is looking for — TODO confirm by checking whether one
; entry rebases to 004010D9 (the end of the call at 004010D4).
003728C2 8B85 9F060000 mov eax, dword ptr ss:[ebp+69F]
003728C8 83F8 01 cmp eax, 1
003728CB 75 33 jnz short 00372900
003728CD 8BBD AF060000 mov edi, dword ptr ss:[ebp+6AF]
003728D3 03FD add edi, ebp                              ; table lives in the stub
003728D5 8DB5 6D050000 lea esi, dword ptr ss:[ebp+56D]  ; esi = branch target (stub routine)
003728DB 8B07 mov eax, dword ptr ds:[edi]
003728DD 0BC0 or eax, eax
003728DF 75 02 jnz short 003728E3
003728E1 EB 1D jmp short 00372900                       ; 0 ends the table
003728E3 25 FFFFFF7F and eax, 7FFFFFFF                  ; drop the flag bit
003728E8 0385 83060000 add eax, dword ptr ss:[ebp+683]
003728EE 2B85 8F060000 sub eax, dword ptr ss:[ebp+68F]  ; eax = patched address, rebased
003728F4 8BDE mov ebx, esi
003728F6 2BD8 sub ebx, eax                              ; ebx = target - address (rel32)
003728F8 8958 FC mov dword ptr ds:[eax-4], ebx          ; write the displacement
003728FB 83C7 08 add edi, 8                             ; next entry (second dword not read here)
003728FE ^ EB DB jmp short 003728DB
; --- Loader-data tweak.  On NT, fs:[30] is the PEB; PEB+C is Ldr, Ldr+C
; the InLoadOrderModuleList head whose Flink is the main module's
; LDR_DATA_TABLE_ENTRY, and entry+20 is SizeOfImage.  The positive-pointer
; path therefore writes SizeOfImage = 0x1000 for the executable, which
; misleads tools that size a memory dump from the loader list (check the
; PE header instead).  The js path is for systems where fs:[30] is not a
; user-mode PEB (Win9x era); its structure offsets are not identified here.
; The fs:[20] test is only reached on that path; on Win9x this TIB field is
; commonly reported as a debugger-presence indicator — confirm.
00372900 64:FF35 3000000>push dword ptr fs:[30]
00372907 58 pop eax                                     ; eax = PEB (NT)
00372908 85C0 test eax, eax
0037290A 78 0F js short 0037291B                        ; kernel-range value: non-NT path
0037290C 8B40 0C mov eax, dword ptr ds:[eax+C]          ; PEB.Ldr
0037290F 8B40 0C mov eax, dword ptr ds:[eax+C]          ; InLoadOrderModuleList.Flink = main module entry
00372912 C740 20 0010000>mov dword ptr ds:[eax+20], 1000   ; entry.SizeOfImage = 0x1000
00372919 EB 2C jmp short 00372947
0037291B 6A 00 push 0
0037291D FF95 77060000 call dword ptr ss:[ebp+677]      ; module lookup with NULL (own module, presumably)
00372923 85D2 test edx, edx                             ; edx is used as a result here; how the callee sets it is not visible
00372925 79 20 jns short 00372947
00372927 837A 08 FF cmp dword ptr ds:[edx+8], -1
0037292B 75 1A jnz short 00372947
0037292D 8B52 04 mov edx, dword ptr ds:[edx+4]
00372930 C742 50 0010000>mov dword ptr ds:[edx+50], 1000   ; same 0x1000 size value, different structure
00372937 64:FF35 2000000>push dword ptr fs:[20]
0037293E 58 pop eax
0037293F 85C0 test eax, eax
00372941 0F85 D8020000 jnz 00372C1F                     ; non-zero: diverted to 00372C1F (not shown)
; --- Hand-off to the OEP.  [ebp+6B3] + load address is the target (the
; OEP, per the original note at the final jmp); [ebp+6A3] selects how the
; five registers the stub saved are unwound first.  The "push ebp /
; mov ebp,esp" replayed in mode 1 looks like a stolen prologue — confirm
; against the original entry.  The redirected calls seen at the OEP target
; 0037298E, the byte right after "jmp eax"; that routine is outside this
; listing and is where the per-call import dispatch should be looked for.
00372947 89AD A7050000 mov dword ptr ss:[ebp+5A7], ebp  ; stash the delta base in stub data (read later; not visible here)
0037294D 8B85 B3060000 mov eax, dword ptr ss:[ebp+6B3]  ; target RVA
00372953 0385 83060000 add eax, dword ptr ss:[ebp+683]  ; eax = target VA
00372959 8BF8 mov edi, eax
0037295B 83C7 02 add edi, 2                             ; edi = target+2 (not used on the visible paths)
0037295E 8B9D A3060000 mov ebx, dword ptr ss:[ebp+6A3]  ; unwind mode
00372964 83FB 01 cmp ebx, 1
00372967 75 0A jnz short 00372973
00372969 5D pop ebp                                     ; mode 1: restore the saved registers
0037296A 5B pop ebx
0037296B 59 pop ecx
0037296C 5A pop edx
0037296D 5E pop esi
0037296E 55 push ebp                                    ; then replay "push ebp / mov ebp,esp"
0037296F 8BEC mov ebp, esp
00372971 EB 19 jmp short 0037298C
00372973 83FB 02 cmp ebx, 2
00372976 75 0F jnz short 00372987
00372978 8BC5 mov eax, ebp                              ; mode 2: eax = delta base — eax no longer holds the target
0037297A 5D pop ebp
0037297B 5B pop ebx
0037297C 59 pop ecx
0037297D 5A pop edx
0037297E 5E pop esi
0037297F FFB0 A7060000 push dword ptr ds:[eax+6A7]      ; push a stub-held value, then "jmp eax" lands at the stub base — verify this path
00372985 EB 05 jmp short 0037298C
00372987 5D pop ebp                                     ; other modes: plain restore
00372988 5B pop ebx
00372989 59 pop ecx
0037298A 5A pop edx
0037298B 5E pop esi
0037298C FFE0 jmp eax                                   ; this goes to the OEP (original note)
好像没有找对地方,想问一下这个壳的跳转表在哪里?
请高手给点提示,谢谢~!