-
-
[旧帖] [求助]脱EncryptPE V2.2007.4.11时遇到的问题 0.00雪花
-
发表于: 2008-5-4 20:26
-
参考了高人的文章:
2.CodeReplace修复处理
是EncryptPE的亮点之一。下面就来研究如何修复吧
代码:
712055C8 E8 0FD2F1FF call 711227DC
//里面有异常
712055CD A1 18DE2171 mov eax,dword ptr ds:[7121DE18]
//此处需要设置断点后Shift+F9,中断后取消断点,否则将在712055C8里异常导致无法继续调试
//[I]我在这里设置了断点,可是出现Exception 0EEDFADE错误,紧接着是一大堆Access violation when writing to [00000000],然后线程异常退出。[/I]
712055D2 8038 00 cmp byte ptr ds:[eax],0
//比较校验标志位
712055D5 74 05 je short 712055DC
712055D7 E8 907AF2FF call 7112D06C
712055DC A1 C8DF2171 mov eax,dword ptr ds:[7121DFC8]
712055E1 8038 00 cmp byte ptr ds:[eax],0
712055E4 74 17 je short 712055FD
712055FD E8 01000000 call 71205603
71205603 58 pop eax
71205604 83C0 0C add eax,0C
71205607 60 pushad
71205608 E8 F7EAFEFF call 711F4104
7120561B E8 CCD7FFFF call 71202DEC
//这里设断,Shift+F9中断后取消断点
//处理CodeReplace,进入
以下省略。
附上我写的脚本,写得不太好,初学者,不要见笑!
//原始的Import Table RVA:143000 30ca
var addr
gpa "IsDebuggerPresent", "kernel32.dll"
bp $RESULT
esto
bc $RESULT
bphws 71205168,"x"
esto
bphwc 71205168
log "HardBreakPoint at 71205168"
log eip
mov addr,712051cf
asm addr,"jmp 71232aa0"
mov addr,71232aa0
mov [addr],#609C8B7E0C81C7000040008BF08B4EFCF3A49D61E80F25EFFFE91627FDFF#
mov addr,712052b1
fill addr,5,90
mov addr,71205335
asm addr,"jmp 71232ac0"
mov addr,71232ac0
mov [addr],#609C8B75C48B4EFC8B3B81C702004000F3A49D618B45C4E95E28FDFF#
mov addr,71205349
fill addr,5,90
mov addr,71205356
fill addr,2,90
bp 71205375
esto
bc 71205375
log "BreakPoint at 71205375"
log eip
sti
log "Step into 71205375=>71202BAC"
log eip
//step into to edit 71202d48-71205394
mov addr,71202d48
fill addr,2,90
mov addr,71205394
asm addr,"jmp 71232ae4"
mov addr,71232ae4
mov [addr],#E8C300FDFF609C8925DE2A2371832DDE2A237104FFD08BF08B4EFC3E8B7DB866C707000083C702F3A4C607009D61E98228FDFF#
bp 71232AF8
esto
bc 71232af8
log "BreakPoint at 71232af8"
log eip
sti
log "Step into 71232af8=>01"
log eip
log [eip]
//step into 71232af8 to edit
sti
log "step into 0118001d=>711f4798"
log eip
bp 711F47EF
esto
bc 711F47EF
log "BreakPoint at 711f47ef"
log eip
sti
log "Step into 711f47ef=>711F2AF0"
log eip
//step into 711F47EF to edit
mov addr,711f2ba4
mov [addr],#8B25DE2A2371C3#
mov addr,712053e1
fill addr,2,90
log "finished,ready to restore"
bphws 712053f9,"x"
log eip
esto
bphwc 712053f9
//c
log "Start to restore..."
mov addr,712051cf
asm [addr],"call 71124FC8"
mov addr,71232aa0
fill addr,30,00
mov addr,712052b1
asm [addr],"call 711282A4"
mov addr,71205335
asm addr,"mov dword ptr ds:[ebx],eax"
mov addr,71205337
mov [addr],#8b45c4#
mov addr,71232ac0
fill addr,28,00
mov addr,71205349
asm addr,"call 711282A4"
mov addr,71205356
asm addr,"jnz short 712053C2"
mov addr,71202d48
asm addr,"mov dword ptr ds:[esi],eax"
mov addr,71205394
asm addr,"call 71202BAC"
mov addr,71232ae4
fill addr,51,00
mov addr,711f2ba4
asm addr,"call 71124FC8"
mov addr,711f2ba9
mov [addr],#8bd0#
mov addr,712053e1
asm addr,"jnz short 712053F9"
bp 7120542C
esto
bc 7120542c
log "Import Table restore over"
bp 71205460
esto
bc 71205460
log "Relocation TableRVA=>"
log [eax+A0]
log edx
bp 71205469
esto
bc 71205469
log "Relocation TableSIZE=>"
log [eax+A4]
log edx
bp 71205498
esto
bc 71205498
//d
bp 712055cd
esto
bc 712055cd
log "BreakPoint at 712055cd"
log eip
//从这以后就
bp 712055fd
esto
bp 712055fd
sti
mov eip,71205603
log "Step into 712055fd=>71205603"
log eip
bp 7120561B
esto
bc 7120561B
log "BreakPoint at 7120561b"
log eip
log [7120561b]
sti
log "Step into 7120561B=>71202DEC"
log eip
asm 71203181,"jmp 71232b20"
mov [71232B20],#609C89251C2B2371832D1C2B23710448FFD08B3083C0168B38668916897E029D61FF0424FF4C2408E93B06FDFF#
//stop at 318e
bp 71232B30
esto
bc 71232B30
sti
log "Step into 71232b30=>00401FF5"
log eip
sto
log "f8 to 011905E4"
log eip
sti
log "Step into 011905E4=>711F4BA8"
log eip
bp 711f4c3f
esto
bc 711f4c3f
log "BreakPoint at 711f4c3f"
log eip
mov [ebx],01
log "Change [ebx] to 01"
log [ebx]
asm 711f4e19,"jmp 711f4eda"
asm 711f4e2f,"jmp 711f4eda"
asm 711f4eda,"mov esp,dword ptr ds:[71232B1C]"
asm 711f4ee0,"retn"
bp 7120318e
esto
bc 7120318e
log "BreakPoint at 7120318e"
log eip
log "CodeReplace repaired"
//e
asm 71203181,"inc dword ptr ss:[esp]"
asm 711f4e19,"mov eax,dword ptr ss:[ebp-8]"
asm 711f4e2f,"mov edx,dword ptr ds:[7121F718]"
asm 711f4eda,"mov ecx,dword ptr ds:[7121F718]"
asm 711f4ee0,"mov ecx,dword ptr [ecx+3c]"
问题出在哪里呀?
附件权限不够,下载地址http://www.fs2you.com/files/79c275d1-19d5-11dd-9f65-0014221f3995/
2.CodeReplace修复处理
是EncryptPE的亮点之一。下面就来研究如何修复吧
代码:
712055C8 E8 0FD2F1FF call 711227DC
//里面有异常
712055CD A1 18DE2171 mov eax,dword ptr ds:[7121DE18]
//此处需要设置断点后Shift+F9,中断后取消断点,否则将在712055C8里异常导致无法继续调试
//[I]我在这里设置了断点,可是出现Exception 0EEDFADE错误,紧接着是一大堆Access violation when writing to [00000000],然后线程异常退出。[/I]
712055D2 8038 00 cmp byte ptr ds:[eax],0
//比较校验标志位
712055D5 74 05 je short 712055DC
712055D7 E8 907AF2FF call 7112D06C
712055DC A1 C8DF2171 mov eax,dword ptr ds:[7121DFC8]
712055E1 8038 00 cmp byte ptr ds:[eax],0
712055E4 74 17 je short 712055FD
712055FD E8 01000000 call 71205603
71205603 58 pop eax
71205604 83C0 0C add eax,0C
71205607 60 pushad
71205608 E8 F7EAFEFF call 711F4104
7120561B E8 CCD7FFFF call 71202DEC
//这里设断,Shift+F9中断后取消断点
//处理CodeReplace,进入
以下省略。
附上我写的脚本,写得不太好,初学者,不要见笑!
//原始的Import Table RVA:143000 30ca
var addr
gpa "IsDebuggerPresent", "kernel32.dll"
bp $RESULT
esto
bc $RESULT
bphws 71205168,"x"
esto
bphwc 71205168
log "HardBreakPoint at 71205168"
log eip
mov addr,712051cf
asm addr,"jmp 71232aa0"
mov addr,71232aa0
mov [addr],#609C8B7E0C81C7000040008BF08B4EFCF3A49D61E80F25EFFFE91627FDFF#
mov addr,712052b1
fill addr,5,90
mov addr,71205335
asm addr,"jmp 71232ac0"
mov addr,71232ac0
mov [addr],#609C8B75C48B4EFC8B3B81C702004000F3A49D618B45C4E95E28FDFF#
mov addr,71205349
fill addr,5,90
mov addr,71205356
fill addr,2,90
bp 71205375
esto
bc 71205375
log "BreakPoint at 71205375"
log eip
sti
log "Step into 71205375=>71202BAC"
log eip
//step into to edit 71202d48-71205394
mov addr,71202d48
fill addr,2,90
mov addr,71205394
asm addr,"jmp 71232ae4"
mov addr,71232ae4
mov [addr],#E8C300FDFF609C8925DE2A2371832DDE2A237104FFD08BF08B4EFC3E8B7DB866C707000083C702F3A4C607009D61E98228FDFF#
bp 71232AF8
esto
bc 71232af8
log "BreakPoint at 71232af8"
log eip
sti
log "Step into 71232af8=>01"
log eip
log [eip]
//step into 71232af8 to edit
sti
log "step into 0118001d=>711f4798"
log eip
bp 711F47EF
esto
bc 711F47EF
log "BreakPoint at 711f47ef"
log eip
sti
log "Step into 711f47ef=>711F2AF0"
log eip
//step into 711F47EF to edit
mov addr,711f2ba4
mov [addr],#8B25DE2A2371C3#
mov addr,712053e1
fill addr,2,90
log "finished,ready to restore"
bphws 712053f9,"x"
log eip
esto
bphwc 712053f9
//c
log "Start to restore..."
mov addr,712051cf
asm [addr],"call 71124FC8"
mov addr,71232aa0
fill addr,30,00
mov addr,712052b1
asm [addr],"call 711282A4"
mov addr,71205335
asm addr,"mov dword ptr ds:[ebx],eax"
mov addr,71205337
mov [addr],#8b45c4#
mov addr,71232ac0
fill addr,28,00
mov addr,71205349
asm addr,"call 711282A4"
mov addr,71205356
asm addr,"jnz short 712053C2"
mov addr,71202d48
asm addr,"mov dword ptr ds:[esi],eax"
mov addr,71205394
asm addr,"call 71202BAC"
mov addr,71232ae4
fill addr,51,00
mov addr,711f2ba4
asm addr,"call 71124FC8"
mov addr,711f2ba9
mov [addr],#8bd0#
mov addr,712053e1
asm addr,"jnz short 712053F9"
bp 7120542C
esto
bc 7120542c
log "Import Table restore over"
bp 71205460
esto
bc 71205460
log "Relocation TableRVA=>"
log [eax+A0]
log edx
bp 71205469
esto
bc 71205469
log "Relocation TableSIZE=>"
log [eax+A4]
log edx
bp 71205498
esto
bc 71205498
//d
bp 712055cd
esto
bc 712055cd
log "BreakPoint at 712055cd"
log eip
//从这以后就
bp 712055fd
esto
bp 712055fd
sti
mov eip,71205603
log "Step into 712055fd=>71205603"
log eip
bp 7120561B
esto
bc 7120561B
log "BreakPoint at 7120561b"
log eip
log [7120561b]
sti
log "Step into 7120561B=>71202DEC"
log eip
asm 71203181,"jmp 71232b20"
mov [71232B20],#609C89251C2B2371832D1C2B23710448FFD08B3083C0168B38668916897E029D61FF0424FF4C2408E93B06FDFF#
//stop at 318e
bp 71232B30
esto
bc 71232B30
sti
log "Step into 71232b30=>00401FF5"
log eip
sto
log "f8 to 011905E4"
log eip
sti
log "Step into 011905E4=>711F4BA8"
log eip
bp 711f4c3f
esto
bc 711f4c3f
log "BreakPoint at 711f4c3f"
log eip
mov [ebx],01
log "Change [ebx] to 01"
log [ebx]
asm 711f4e19,"jmp 711f4eda"
asm 711f4e2f,"jmp 711f4eda"
asm 711f4eda,"mov esp,dword ptr ds:[71232B1C]"
asm 711f4ee0,"retn"
bp 7120318e
esto
bc 7120318e
log "BreakPoint at 7120318e"
log eip
log "CodeReplace repaired"
//e
asm 71203181,"inc dword ptr ss:[esp]"
asm 711f4e19,"mov eax,dword ptr ss:[ebp-8]"
asm 711f4e2f,"mov edx,dword ptr ds:[7121F718]"
asm 711f4eda,"mov ecx,dword ptr ds:[7121F718]"
asm 711f4ee0,"mov ecx,dword ptr [ecx+3c]"
问题出在哪里呀?
附件权限不够,下载地址http://www.fs2you.com/files/79c275d1-19d5-11dd-9f65-0014221f3995/
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!
|
|
|---|---|
|
|
我都熬了七个通宵了。十分郁闷。
|
|
|
如果用论坛中的odbgscript脱壳脚本,直接DUMP,再用ImportRec修复输入表,发现有些函数不能被识别,我用级别1修复,名字是出来了,可还是Invalid,什么原因?OEP是找到了,也可以导入IAT,就是不能运行,PEID查壳也显示脱了壳。没有基础知识,直接就拖老王壳,是不是难了点?我考虑用bp SendmessageA断下,找到比较部分(估计还用到了RegQueryValueExA),找到比较是否注册的部分,直接改(甚至不脱壳),是否可行?这个BDKS.exe运行后界面,
 ,我用注册表监控查到有访问注册表注册项目,可我不会断。
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
f l u "机"各有志 啊 |
