PeBundle 2.10 was applied in 9 layers. After stripping all of them we arrive at the OEP (the target module shows up as W32dsm8_ in OllyDbg):
00401000 . A1 5A004B00 MOV EAX,DWORD PTR DS:[4B005A]
00401005 . C1E0 02 SHL EAX,2
00401008 . A3 5E004B00 MOV DWORD PTR DS:[4B005E],EAX
0040100D . 57 PUSH EDI
0040100E . 51 PUSH ECX
0040100F . 33C0 XOR EAX,EAX
00401011 . BF 1C184D00 MOV EDI,W32dsm8_.004D181C
00401016 . B9 AC1F4D00 MOV ECX,W32dsm8_.004D1FAC
0040101B . 3BCF CMP ECX,EDI
0040101D . 76 05 JBE SHORT W32dsm8_.00401024
Full dump with LordPE, then in ImportREC enter OEP RVA 1000, IAT AutoSearch, Get Imports, Fix Dump; the result is Dumped_.exe.
Running it faults at 0045E49D:
0045E48A . 50 PUSH EAX ; /String
0045E48B . E8 C4070500 CALL <JMP.&kernel32.lstrlen> ; \lstrlenA
0045E490 > A1 E0364D00 MOV EAX,DWORD PTR DS:[4D36E0]
0045E495 . FF60 10 JMP DWORD PTR DS:[EAX+10]
0045E498 > A1 E0364D00 MOV EAX,DWORD PTR DS:[4D36E0]
0045E49D . FF60 1C JMP DWORD PTR DS:[EAX+1C] // faults here!
0045E4A0 > A1 E0364D00 MOV EAX,DWORD PTR DS:[4D36E0]
0045E4A5 . FF60 3C JMP DWORD PTR DS:[EAX+3C]
0045E4A8 > A1 E0364D00 MOV EAX,DWORD PTR DS:[4D36E0]
0045E4AD . FF60 40 JMP DWORD PTR DS:[EAX+40]
0045E4B0 > 8943 0C MOV DWORD PTR DS:[EBX+C],EAX
0045E4B3 . BB 00004B00 MOV EBX,dumped_.004B0000 ; ASCII "Borland C++ - Copyright 1995 Borland Intl."
0045E4B8 . 8903 MOV DWORD PTR DS:[EBX],EAX
0045E4BA . 5B POP EBX
0045E4BB . 5D POP EBP
0045E4BC . C3 RETN
Run the original file and look at the memory map (Alt+M): [EAX+1C] lies inside the address range of the w32Patch.dll module. Dumped_.exe never loads that library, so a jump through that address naturally faults.
Looking upward, EAX is read from the fixed address [4D36E0]. In the original process that slot holds the address of the w32Patch.dll export Funcs, a table of function pointers that the code above indexes at +10, +1C, +3C and +40. The packer's loader filled that slot at run time (bundling DLLs into the exe is what PeBundle does); the dump kept only the stale pointer value, not the DLL. The fix is therefore to re-create the slot at startup: load w32Patch.dll, look up Funcs, store its address back into [4D36E0], and only then continue at the OEP. Repair as follows:
Find some free (zero-filled) space:
at 004D6000 write the string "w32Patch.dll"
at 004D6010 write the string "Funcs"
Both strings must be NUL-terminated; the zero padding of the free space provides that.
Known from the rebuilt IAT: [004D45F8] holds the address of LoadLibraryA,
[004D45E4] holds the address of GetProcAddress.
At 004D6030 write the following patch code (PUSHAD/PUSHFD and POPAD/POPFD keep the register and flag state the OEP expects; the final JMP is a relative E9 whose displacement is computed from the end of the JMP itself):
004D6030 > 60 PUSHAD
004D6031 9C PUSHFD
004D6032 68 00604D00 PUSH dumped_.004D6000 ; ASCII "w32Patch.dll"
004D6037 FF15 F8454D00 CALL DWORD PTR DS:[<&kernel32.LoadLibraryA>] ; kernel32.LoadLibraryA
004D603D 68 10604D00 PUSH dumped_.004D6010 ; ASCII "Funcs"
004D6042 50 PUSH EAX
004D6043 FF15 E4454D00 CALL DWORD PTR DS:[<&kernel32.GetProcAddress>] ; kernel32.GetProcAddress
004D6049 A3 E0364D00 MOV DWORD PTR DS:[4D36E0],EAX
004D604E 9D POPFD
004D604F 61 POPAD
004D6050 ^ E9 ABAFF2FF JMP dumped_.00401000
With everything written, the region looks like this:
004D6000 77 33 32 50 61 74 63 68 2E 64 6C 6C 00 00 00 00 w32Patch.dll....
004D6010 46 75 6E 63 73 00 00 00 00 00 00 00 00 00 00 00 Funcs...........
004D6020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
004D6030 60 9C 68 00 60 4D 00 FF 15 F8 45 4D 00 68 10 60 `.h.`M....EM.h.`
004D6040 4D 00 50 FF 15 E4 45 4D 00 A3 E0 36 4D 00 9D 61 M.P...EM...6M..a
004D6050 E9 AB AF F2 FF 00 00 00 00 00 00 00 00 00 00 00 ................
Make these additions with a hex editor and save the file, then use LordPE to point the entry point at the stub. LordPE's EntryPoint field takes an RVA, so enter 000D6030 (VA 004D6030 minus ImageBase 00400000). Save and run: it now works.
Two things to check before relying on this: the free space must lie inside a section's raw data in the file (bytes written into a section's virtual-only tail never reach memory), and LoadLibraryA must be able to find w32Patch.dll on the DLL search path, normally next to the exe. The stub does no error checking: if either call fails, [4D36E0] ends up as 0 and the program crashes at the same JMP as before.
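The whole repair above (write two strings and a loader stub into free space, assemble the relative JMP back to the OEP, redirect the PE entry point) is easy to get wrong by hand, so here it is as a script. This is an added example, not code from the original post: it assembles the same 37-byte stub, maps the VAs to file offsets through the section table (refusing to write into space that is not backed by raw data or is not zero), and rewrites AddressOfEntryPoint. The addresses are the ones from the post; make_test_image() is a constructed minimal PE32 standing in for Dumped_.exe, since the real dump is not available here.

```python
import struct


def assemble_stub(stub_va, dll_str_va, sym_str_va, iat_loadlib_va,
                  iat_getproc_va, store_va, oep_va):
    """x86 loader stub from the post: save state, LoadLibraryA(dll),
    GetProcAddress(hMod, sym), store EAX in the slot the program reads,
    restore state, JMP to the OEP.  All arguments are virtual addresses."""
    code = bytearray()
    code += b"\x60"                                          # PUSHAD
    code += b"\x9C"                                          # PUSHFD
    code += b"\x68" + struct.pack("<I", dll_str_va)          # PUSH dll name
    code += b"\xFF\x15" + struct.pack("<I", iat_loadlib_va)  # CALL [LoadLibraryA]
    code += b"\x68" + struct.pack("<I", sym_str_va)          # PUSH symbol name
    code += b"\x50"                                          # PUSH EAX (hModule)
    code += b"\xFF\x15" + struct.pack("<I", iat_getproc_va)  # CALL [GetProcAddress]
    code += b"\xA3" + struct.pack("<I", store_va)            # MOV [store_va],EAX
    code += b"\x9D"                                          # POPFD
    code += b"\x61"                                          # POPAD
    jmp_va = stub_va + len(code)                             # E9 rel32 is relative
    rel32 = (oep_va - (jmp_va + 5)) & 0xFFFFFFFF             # to the end of the JMP
    code += b"\xE9" + struct.pack("<I", rel32)               # JMP oep_va
    return bytes(code)


def _pe_header(pe):
    """Return (e_lfanew, ImageBase, sections) for a PE32 image.
    Each section is (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    if struct.unpack_from("<H", pe, e_lfanew + 24)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    image_base = struct.unpack_from("<I", pe, e_lfanew + 24 + 28)[0]
    table = e_lfanew + 24 + opt_size
    secs = [struct.unpack_from("<IIII", pe, table + 40 * i + 8) for i in range(nsec)]
    return e_lfanew, image_base, secs


def rva_to_offset(pe, rva):
    """Map an RVA to a file offset.  Only bytes inside SizeOfRawData count:
    a hex edit aimed at a section's virtual-only tail never reaches memory."""
    for _vsize, va, rawsize, rawptr in _pe_header(pe)[2]:
        if va <= rva < va + rawsize:
            return rawptr + (rva - va)
    raise ValueError("RVA %#x is not backed by raw data" % rva)


def entry_point_rva(pe):
    return struct.unpack_from("<I", pe, _pe_header(pe)[0] + 24 + 16)[0]


def patch_loader_stub(pe, stub_va, dll_name, sym_name, dll_str_va, sym_str_va,
                      iat_loadlib_va, iat_getproc_va, store_va):
    """Write both strings and the stub into free space, then redirect
    AddressOfEntryPoint to the stub.  Returns the patched image bytes."""
    pe = bytearray(pe)
    e_lfanew, image_base, _ = _pe_header(pe)
    oep_va = image_base + entry_point_rva(pe)          # current entry = OEP

    def put(va, data):
        start = rva_to_offset(pe, va - image_base)
        rva_to_offset(pe, va - image_base + len(data) - 1)   # whole range backed
        if any(pe[start:start + len(data)]):
            raise ValueError("target at %#x is not free space" % va)
        pe[start:start + len(data)] = data

    put(dll_str_va, dll_name.encode("ascii") + b"\0")   # NUL-terminated
    put(sym_str_va, sym_name.encode("ascii") + b"\0")
    put(stub_va, assemble_stub(stub_va, dll_str_va, sym_str_va, iat_loadlib_va,
                               iat_getproc_va, store_va, oep_va))
    struct.pack_into("<I", pe, e_lfanew + 24 + 16, stub_va - image_base)
    return bytes(pe)


def make_test_image():
    """Constructed stand-in for Dumped_.exe (not the real file): minimal PE32,
    ImageBase 00400000, entry RVA 1000, one section '.free' at RVA D6000
    backed by 0x1000 zero bytes at file offset 0x400."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                        # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                        # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x00400000)                    # ImageBase
    sec = struct.pack("<8sIIIIIIHHI", b".free", 0x1000, 0xD6000, 0x1000, 0x400,
                      0, 0, 0, 0, 0x60000020)                      # code|exec|read
    header = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec
    return header.ljust(0x400, b"\0") + bytes(0x1000)


if __name__ == "__main__":
    fixed = patch_loader_stub(make_test_image(), 0x4D6030, "w32Patch.dll", "Funcs",
                              0x4D6000, 0x4D6010, 0x4D45F8, 0x4D45E4, 0x4D36E0)
    print("entry RVA now %#x" % entry_point_rva(fixed))
    print(fixed[0x430:0x455].hex())   # the 37 stub bytes from the hex dump above
```

On the real dump, read the file, pass it in place of make_test_image() and write the result out; the free-space check is what tells you the chosen addresses are genuinely unused, and the raw-data check is what catches the case where the "free" bytes are only virtual padding.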
The attachment contains:
dumped.exe // after unpacking
dump_Fixed.exe // unpacked, IAT repaired, and with the patch code applied
FixedReadme.txt // repair notes
tree.txt // IAT table