ASPack 2.12壳脱壳后,用ImportREC修复IAT。仍然无法使用,提示:Invalid data in the file! 大家给看下 到底哪错了?还是部分dll文件没调用导致无法运行……?
OD载入后:
00445001 > 60 PUSHAD
// 停这里 Ctrl+F 搜寻“POPAD”
00445002 E8 03000000 CALL OEP.0044500A
00445007 - E9 EB045D45 JMP 45A154F7
0044500C 55 PUSH EBP
0044500D C3 RETN
一直下一个 来到这:
004453AF 61 POPAD // F4下断这里,F8进
004453B0 75 08 JNZ SHORT OEP.004453BA
004453B2 B8 01000000 MOV EAX,1
004453B7 C2 0C00 RETN 0C
004453BA 68 00000000 PUSH 0
004453BF C3 RETN // F8进 来到:
----------------------------------------------------
0040389F 55 PUSH EBP // OD脱壳
004038A0 8BEC MOV EBP,ESP
004038A2 6A FF PUSH -1
---------------------------------------------------------------
脱壳后PEID查:Microsoft Visual C++ 6.0 无壳了
ImportREC修复…………发现程序比原程序小很多~~~~而且脱壳后对比有部分dll文件 没有被调用
下面2份是对比:前为源程序 后为脱壳后的~
源程序“
Analysing process...
Module loaded: c:\windows\system32\ntdll.dll
Module loaded: c:\windows\system32\kernel32.dll
Module loaded: c:\windows\system32\user32.dll
Module loaded: c:\windows\system32\gdi32.dll
Module loaded: c:\windows\system32\imm32.dll
Module loaded: c:\windows\system32\advapi32.dll
Module loaded: c:\windows\system32\rpcrt4.dll
Module loaded: c:\windows\system32\secur32.dll
Module loaded: c:\windows\system32\lpk.dll
Module loaded: c:\windows\system32\usp10.dll
Module loaded: c:\windows\system32\msvcrt.dll
Module loaded: c:\docume~1\admini~1\locals~1\temp\e_4\krnln.fnr
Module loaded: c:\windows\system32\winmm.dll
Module loaded: c:\windows\system32\comdlg32.dll
Module loaded: c:\windows\system32\shlwapi.dll
Module loaded: c:\windows\system32\comctl32.dll
Module loaded: c:\windows\system32\shell32.dll
Module loaded: c:\windows\system32\winspool.drv
Module loaded: c:\windows\system32\ole32.dll
Module loaded: c:\windows\system32\olepro32.dll
Module loaded: c:\windows\system32\oleaut32.dll
Module loaded: c:\windows\system32\ws2_32.dll
Module loaded: c:\windows\system32\ws2help.dll
Module loaded: c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll
Module loaded: c:\windows\system32\uxtheme.dll
Module loaded: c:\windows\system32\msctf.dll
Module loaded: c:\windows\system32\msctfime.ime
Module loaded: c:\windows\system32\clbcatq.dll
Module loaded: c:\windows\system32\comres.dll
Module loaded: c:\windows\system32\version.dll
Module loaded: c:\windows\system32\wshom.ocx
Module loaded: c:\windows\system32\mpr.dll
Module loaded: c:\windows\system32\scrrun.dll
Module loaded: c:\windows\system32\mfc42.dll
* No export for module: c:\windows\system32\mfc42loc.dll
* No export for module: c:\windows\system32\wshchs.dll
Module loaded: c:\windows\system32\sxs.dll
Module loaded: c:\windows\system32\setupapi.dll
Module loaded: c:\windows\system32\userenv.dll
Module loaded: c:\windows\system32\shdocvw.dll
Module loaded: c:\windows\system32\crypt32.dll
Module loaded: c:\windows\system32\msasn1.dll
Module loaded: c:\windows\system32\cryptui.dll
Module loaded: c:\windows\system32\wintrust.dll
Module loaded: c:\windows\system32\imagehlp.dll
Module loaded: c:\windows\system32\netapi32.dll
Module loaded: c:\windows\system32\wininet.dll
Module loaded: c:\windows\system32\wldap32.dll
Module loaded: c:\windows\system32\linkinfo.dll
Module loaded: c:\windows\system32\ntshrui.dll
Module loaded: c:\windows\system32\atl.dll
Module loaded: c:\docume~1\admini~1\locals~1\temp\e_4\shell.fne
Module loaded: c:\docume~1\admini~1\locals~1\temp\e_4\iext5.fne
Module loaded: c:\docume~1\admini~1\locals~1\temp\e_4\iext.fnr
Module loaded: c:\windows\system32\mswsock.dll
Module loaded: c:\windows\system32\hnetcfg.dll
Module loaded: c:\windows\system32\wshtcpip.dll
Module loaded: c:\windows\system32\dnsapi.dll
Module loaded: c:\windows\system32\winrnr.dll
Module loaded: c:\windows\system32\rasadhlp.dll
Module loaded: c:\docume~1\admini~1\locals~1\temp\e_4\dp1.fne
Getting associated modules done.
Image Base:00400000 Size:0004A000
--------------------------------------------------------------------------
脱壳后的:
Analysing process...
Module loaded: c:\windows\system32\ntdll.dll
Module loaded: c:\windows\system32\kernel32.dll
Module loaded: c:\windows\system32\user32.dll
Module loaded: c:\windows\system32\gdi32.dll
Module loaded: c:\windows\system32\imm32.dll
Module loaded: c:\windows\system32\advapi32.dll
Module loaded: c:\windows\system32\rpcrt4.dll
Module loaded: c:\windows\system32\secur32.dll
Module loaded: c:\windows\system32\lpk.dll
Module loaded: c:\windows\system32\usp10.dll
Module loaded: c:\windows\system32\msvcrt.dll
Module loaded: c:\windows\system32\uxtheme.dll
Module loaded: c:\windows\system32\msctf.dll
Module loaded: c:\windows\system32\msctfime.ime
Module loaded: c:\windows\system32\ole32.dll
Getting associated modules done.
Image Base:00400000 Size:0004A600
各高手帮看看。是不是因为dll没被调用而无法运行。如果是应该如何添加缺少的dll文件?? 请给个详细说明~~~~ 小弟在此先谢过oooooooooo
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课