因权限不足无法发表,请版主照顾一下。
PC-Guard 5.0脱壳过程无法修复函数,求助
文件是 Multi-Instrument(万用仪)3.0 ,网址: http://www.virtins.com/MIsetup.zip
功能:一个基于声卡的多功能虚拟仪器,有示波器、频谱分析仪、信号发生器、万用表、数据记录仪、频谱3D图、设备检测计划、LCR表等虚拟仪器功能。
用PEiD 0.94检查的结果:PC-Guard 5.0 -> Blagoje Ceklic
看了网上各位老大的文章后,尝试了一下,结果不能修复Import函数
0050B000 > FC cld
0050B001 55 push ebp
0050B002 50 push eax
0050B003 E8 00000000 call 0050B008
0050B008 5D pop ebp
0050B009 60 pushad
0050B00A E8 03000000 call 0050B012
0050B00F 83EB 0E sub ebx, 0E
0050B012 EB 01 jmp short 0050B015
0050B014 0C 58 or al, 58
0050B016 EB 01 jmp short 0050B019
0050B018 35 40EB0136 xor eax, 3601EB40
0050B01D FFE0 jmp eax
0050B01F 0B61 B8 or esp, dword ptr [ecx-48]
0050B022 D865 41 fsub dword ptr [ebp+41]
0050B025 00EB add bl, ch
0050B027 01E3 add ebx, esp
0050B029 60 pushad
0050B02A E8 03000000 call 0050B032
0050B02F D2EB shr bl, cl
0050B031 0B58 EB or ebx, dword ptr [eax-15]
0050B034 0148 40 add dword ptr [eax+40], ecx
0050B037 EB 01 jmp short 0050B03A
0050B039 35 FFE0E761 xor eax, 61E7E0FF
0050B03E 2BE8 sub ebp, eax
0050B040 9C pushfd
0050B041 EB 01 jmp short 0050B044
0050B043 D5 9D aad 9D
0050B045 EB 01 jmp short 0050B048
0050B047 0B58 60 or ebx, dword ptr [eax+60]
0050B04A E8 03000000 call 0050B052
异常设置:不忽略INT3中断外的全部异常;用OD自动隐藏插件帮你隐藏OD
把HideOD插件中的选项全部勾上,然后点Hide
按Alt+M打开内存镜像,在401000处下断点
按F9运行,点Continue
到达这里
004D8632 /. 55 push ebp
004D8633 |. 8BEC mov ebp, esp
004D8635 |. 6A FF push -1
004D8637 |. 68 783E4F00 push 004F3E78
004D863C |. 68 F2894D00 push 004D89F2 ; jmp 到 msvcrt._except_handler3; SE 处理程序安装
004D8641 |. 64:A1 0000000>mov eax, dword ptr fs:[0]
004D8647 |. 50 push eax
004D8648 |. 64:8925 00000>mov dword ptr fs:[0], esp
004D864F |. 83EC 68 sub esp, 68
004D8652 |. 53 push ebx
004D8653 |. 56 push esi
004D8654 |. 57 push edi
004D8655 |. 8965 E8 mov dword ptr [ebp-18], esp
004D8658 |. 33DB xor ebx, ebx
004D865A |. 895D FC mov dword ptr [ebp-4], ebx
004D865D |. 6A 02 push 2
004D865F |. 5F pop edi
004D8660 |. 57 push edi
004D8661 |. FF15 38A84E00 call dword ptr [4EA838] ; msvcrt.__set_app_type
004D8667 |. 59 pop ecx
004D8668 |. 830D 40985000>or dword ptr [509840], FFFFFFFF
004D866F |. 830D 44985000>or dword ptr [509844], FFFFFFFF
004D8676 |. FF15 34A84E00 call dword ptr [4EA834] ; msvcrt.__p__fmode
004D867C |. 8B0D 34985000 mov ecx, dword ptr [509834]
004D8682 |. 8908 mov dword ptr [eax], ecx
004D8684 |. FF15 30A84E00 call dword ptr [4EA830] ; msvcrt.__p__commode
004D868A |. 8B0D 30985000 mov ecx, dword ptr [509830]
004D8690 |. 8908 mov dword ptr [eax], ecx
004D8692 |. A1 2CA84E00 mov eax, dword ptr [4EA82C]
004D8697 |. 8B00 mov eax, dword ptr [eax]
004D8699 |. A3 3C985000 mov dword ptr [50983C], eax
004D869E |. E8 4E030000 call 004D89F1
004D86A3 |. 391D 50775000 cmp dword ptr [507750], ebx
004D86A9 |. 75 0C jnz short 004D86B7
004D86AB |. 68 EE894D00 push 004D89EE
004D86B0 |. FF15 28A84E00 call dword ptr [4EA828] ; msvcrt.__setusermatherr
004D86B6 |. 59 pop ecx
004D86B7 |> E8 20030000 call 004D89DC
004D86BC |. 68 40405000 push 00504040
004D86C1 |. 68 3C405000 push 0050403C
004D86C6 |. E8 0B030000 call 004D89D6 ; jmp 到 msvcrt._initterm
004D86CB |. A1 2C985000 mov eax, dword ptr [50982C]
004D86D0 |. 8945 94 mov dword ptr [ebp-6C], eax
004D86D3 |. 8D45 94 lea eax, dword ptr [ebp-6C]
004D86D6 |. 50 push eax
004D86D7 |. FF35 28985000 push dword ptr [509828]
004D86DD |. 8D45 9C lea eax, dword ptr [ebp-64]
004D86E0 |. 50 push eax
004D86E1 |. 8D45 90 lea eax, dword ptr [ebp-70]
004D86E4 |. 50 push eax
004D86E5 |. 8D45 A0 lea eax, dword ptr [ebp-60]
004D86E8 |. 50 push eax
004D86E9 |. FF15 20A84E00 call dword ptr [4EA820] ; msvcrt.__wgetmainargs
004D86EF |. 68 38405000 push 00504038
004D86F4 |. 68 00405000 push 00504000
004D86F9 |. E8 D8020000 call 004D89D6 ; jmp 到 msvcrt._initterm
004D86FE |. 83C4 24 add esp, 24
004D8701 |. A1 1CA84E00 mov eax, dword ptr [4EA81C]
004D8706 |. 8B30 mov esi, dword ptr [eax]
004D8708 |. 3BF3 cmp esi, ebx
004D870A |. 75 13 jnz short 004D871F
004D870C |. 834D FC FF or dword ptr [ebp-4], FFFFFFFF
004D8710 |. 8B4D F0 mov ecx, dword ptr [ebp-10]
004D8713 |. 64:890D 00000>mov dword ptr fs:[0], ecx
004D871A |. 5F pop edi
004D871B |. 5E pop esi
004D871C |. 5B pop ebx
004D871D |. C9 leave
004D871E |. C3 retn
004D871F |> 8975 8C mov dword ptr [ebp-74], esi
004D8722 |. 66:833E 22 cmp word ptr [esi], 22
004D8726 |. 75 45 jnz short 004D876D
004D8728 |> 03F7 /add esi, edi
004D872A |. 8975 8C |mov dword ptr [ebp-74], esi
004D872D |. 66:8B06 |mov ax, word ptr [esi]
004D8730 |. 66:3BC3 |cmp ax, bx
004D8733 |. 74 06 |je short 004D873B
004D8735 |. 66:3D 2200 |cmp ax, 22
004D8739 |.^ 75 ED \jnz short 004D8728
004D873B |> 66:833E 22 cmp word ptr [esi], 22
004D873F |. 75 05 jnz short 004D8746
004D8741 |> 03F7 add esi, edi
004D8743 |. 8975 8C mov dword ptr [ebp-74], esi
004D8746 |> 66:8B06 mov ax, word ptr [esi]
004D8749 |. 66:3BC3 cmp ax, bx
004D874C |. 74 06 je short 004D8754
004D874E |. 66:3D 2000 cmp ax, 20
004D8752 |.^ 76 ED jbe short 004D8741
004D8754 |> 895D D0 mov dword ptr [ebp-30], ebx
004D8757 |. 8D45 A4 lea eax, dword ptr [ebp-5C]
004D875A |. 50 push eax
004D875B |. FF15 B4A04E00 call dword ptr [4EA0B4] ; kernel32.GetStartupInfoW
004D8761 |. F645 D0 01 test byte ptr [ebp-30], 1
004D8765 |. 74 13 je short 004D877A
004D8767 |. 0FB745 D4 movzx eax, word ptr [ebp-2C]
004D876B |. EB 10 jmp short 004D877D
004D876D |> 66:833E 20 /cmp word ptr [esi], 20
004D8771 |.^ 76 D3 |jbe short 004D8746
004D8773 |. 03F7 |add esi, edi
004D8775 |. 8975 8C |mov dword ptr [ebp-74], esi
004D8778 |.^ EB F3 \jmp short 004D876D
004D877A |> 6A 0A push 0A
004D877C |. 58 pop eax
004D877D |> 50 push eax
004D877E |. 56 push esi
004D877F |. 53 push ebx
004D8780 |. 53 push ebx
004D8781 |. FF15 B0A04E00 call dword ptr [4EA0B0] ; kernel32.GetModuleHandleW
004D8787 |. 50 push eax
004D8788 |. E8 83020000 call 004D8A10
004D878D |. 8945 98 mov dword ptr [ebp-68], eax
004D8790 |. 50 push eax
004D8791 |. FF15 0CA84E00 call dword ptr [4EA80C] ; msvcrt.exit
004D8797 |. 8B45 EC mov eax, dword ptr [ebp-14]
004D879A |. 8B08 mov ecx, dword ptr [eax]
004D879C |. 8B09 mov ecx, dword ptr [ecx]
004D879E |. 894D 88 mov dword ptr [ebp-78], ecx
004D87A1 |. 50 push eax
004D87A2 |. 51 push ecx
004D87A3 |. E8 28020000 call 004D89D0 ; jmp 到 msvcrt._XcptFilter
004D87A8 |. 59 pop ecx
004D87A9 |. 59 pop ecx
004D87AA \. C3 retn
试着以000D8632为OEP,进行Dump
再用Import修改OEP后,IAT Autosearch, Get Imports,
有三处无效
分别是rva:000EA8AC ptr:00A1CD7A
00A1CD7A pushad
00A1CD7B jmp short 00A1CD7E
00A1CD7D jecxz short 00A1CD6A
00A1CD7E jmp short 00A1CD81
00A1CD81 call 00A1CD86
00A1CD86 pop ebp
00A1CD87 jmp short 00A1CD8A
00A1CD8A sub ebp,B56217F8
00A1CD90 jmp short 00A1CD93
00A1CD93 jmp short 00A1CD96
00A1CD96 pushad
00A1CD97 jmp short 00A1CD9A
00A1CD9A call 00A1CDB4
00A1CD9F jmp short 00A1CDA2
00A1CDA2 jmp short 00A1CDA5
00A1CDA5 mov esp,[esp+8]
00A1CDA9 jmp short 00A1CDAC
00A1CDAC jmp short 00A1CDF3
00A1CDF3 jmp short 00A1CDF6
00A1CDF6 jmp short 00A1CDF9
00A1CDF9 test esp,esp
00A1CDFB pushfd
00A1CDFC jmp short 00A1CDFF
00A1CDFF popfd
00A1CE00 jmp short 00A1CE03
00A1CE03 jns short 00A1CE11
00A1CE05 jmp short 00A1CE08
00A1CE08 jmp short 00A1CE0B
00A1CE0B setno [edx-15]
00A1CE0F add [ecx+1EBC033],ecx
00A1CE15 jecxz short 00A1CE02
00A1CE11 xor eax,eax
00A1CE13 jmp short 00A1CE16
00A1CE16 jmp short 00A1CE19
00A1CE19 pop dword ptr fs:[eax]
00A1CE1C pushad
00A1CE1D call 00A1CE25
00A1CE22 sub ebx,E
00A1CE25 jmp short 00A1CE28
00A1CE28 pop eax
00A1CE29 jmp short 00A1CE2C
00A1CE2C inc eax
00A1CE2D jmp short 00A1CE30
00A1CE30 jmp eax
rva:000EA9D9 ptr:00401880
00401880 mov eax,[4EA140] // = mfc42u.dll/1085
00401885 retn
rva:000EA9DC ptr:004EA9E0
004EA9E0 0000 add [eax],al
004EA9E2 0000 add [eax],al
004EA9E4 0000 add [eax],al
004EA9E6 0000 add [eax],al
004EA9E8 0000 add [eax],al
004EA9EA 0000 add [eax],al
004EA9EC 0000 add [eax],al
004EA9EE 0000 add [eax],al
004EA9F0 0000 add [eax],al
004EA9F2 0000 add [eax],al
004EA9F4 0000 add [eax],al
004EA9F6 0000 add [eax],al
004EA9F8 CC int3
采用Universal Import Fixer (UIF)进行RVA,Size调整后用Import
选择重建原始FT、创建新的IAT、修正EP到OEP、使用来自磁盘的PE文件头,
修复Dump后,依然出现Microsoft错误报告
请教大家,这个OEP是否正确?如正确的话,该如何修复函数?