While practising unpacking targets packed with the registered version of SVKP 1.43, I used Notepad and another small program as practice target files. The small program could be unpacked and repaired normally,
but when I practised unpacking Notepad with the same method, I ran into a problem.
Quoting a section of code from the normal Notepad:
004010DD |. 3C 22 cmp al, 22
004010DF |. 75 1B jnz short 复件_NOT.004010FC
004010E1 |> 56 /push esi
004010E2 |. FF15 F4644000 |call dword ptr ds:[4064F4] ; call dword ptr ds:[<&USER32.CharNextA>>; \CharNextA
004010E8 |. 8BF0 |mov esi, eax
004010EA |. 8A00 |mov al, byte ptr ds:[eax]
004010EC |. 84C0 |test al, al
004010EE |. 74 04 |je short 复件_NOT.004010F4
004010F0 |. 3C 22 |cmp al, 22
004010F2 |.^ 75 ED \jnz short 复件_NOT.004010E1
004010F4 |> 803E 22 cmp byte ptr ds:[esi], 22
004010F7 |. 75 15 jnz short 复件_NOT.0040110E
004010F9 |. 46 inc esi
004010FA |. EB 12 jmp short 复件_NOT.0040110E
004010FC |> 3C 20 cmp al, 20
004010FE |. 7E 0E jle short 复件_NOT.0040110E
00401100 |> 56 /push esi
00401101 |. FF15 F4644000 |call dword ptr ds:[4064F4] ; call dword ptr ds:[<&USER32.CharNextA>>; \CharNextA
But the file I dumped looks like this:
004010DD |. 3C 22 cmp al, 22
004010DF |. 75 1B jnz short NOTEPAD_.004010FC
004010E1 |> 56 /push esi
004010E2 FF15 AC644000 call dword ptr ds:[4064AC] ; call dword ptr ds:[<&user32.MessageBoxA>; USER32.MessageBoxA
004010E8 |. 8BF0 |mov esi, eax
004010EA |. 8A00 |mov al, byte ptr ds:[eax]
004010EC |. 84C0 |test al, al
004010EE |. 74 04 |je short NOTEPAD_.004010F4
004010F0 |. 3C 22 |cmp al, 22
004010F2 |.^ 75 ED \jnz short NOTEPAD_.004010E1
004010F4 |> 803E 22 cmp byte ptr ds:[esi], 22
004010F7 |. 75 15 jnz short NOTEPAD_.0040110E
004010F9 |. 46 inc esi
004010FA |. EB 12 jmp short NOTEPAD_.0040110E
004010FC |> 3C 20 cmp al, 20
004010FE |. 7E 0E jle short NOTEPAD_.0040110E
00401100 |> 56 /push esi
00401101 |. FF15 AC644000 |call dword ptr ds:[4064AC] ; call dword ptr ds:[<&user32.MessageBox>; \MessageBoxA
The result is that even though I repaired the normal IAT, it still doesn't work; obviously the call addresses above are wrong.
At first I thought there was a problem with my dump file, so I dumped it again, but the call addresses were still incorrect.
The specific dump steps:
Load the packed Notepad in OD, ignore all exceptions, hide OD, press F9 to run, and it breaks at
0012E3B6 6285 1E220000 bound eax, qword ptr ss:[ebp+221E]
0012E3BC EB 02 jmp short 0012E3C0
0012E3BE 0FE88B D1EB02CD psubsb mm1, qword ptr ds:[ebx+CD02EBD1]
0012E3C5 208B C2EB02CD and byte ptr ds:[ebx+CD02EBC2], cl
At this point the stack contents are:
0012E418 00000216
0012E41C 0012E42C Pointer to next SEH record
0012E420 01971B7B SE handler ; note this one ###############
0012E424 01970008
0012E428 000000FF
So Ctrl+G to 01971B7B, F2 to set a breakpoint, Shift+F9 to pass the exception, and then it breaks here:
01971B7B /EB 0B jmp short 01971B88
01971B7D |0000 add byte ptr ds:[eax], al
01971B7F |FF00 inc dword ptr ds:[eax]
01971B81 |0000 add byte ptr ds:[eax], al
01971B83 |0000 add byte ptr ds:[eax], al
01971B85 |0000 add byte ptr ds:[eax], al
01971B87 |00EB add bl, ch
01971B89 03C7 add eax, edi
01971B8B 84E8 test al, ch
Next, first remove the breakpoint, then set a memory-access breakpoint on the 400000 segment, F9 to run, and it breaks at
0199E8D3 8A06 mov al, byte ptr ds:[esi]
0199E8D5 46 inc esi
0199E8D6 47 inc edi
0199E8D7 8843 0F mov byte ptr ds:[ebx+F], al
0199E8DA 8A46 FF mov al, byte ptr ds:[esi-1]
0199E8DD 55 push ebp
0199E8DE E8 00000000 call 0199E8E3
0199E8E3 5D pop ebp
0199E8E4 81ED 0D470000 sub ebp, 470D
0199E8EA 8A8D 50030000 mov cl, byte ptr ss:[ebp+350]
0199E8F0 5D pop ebp
0199E8F1 32C1 xor al, cl
0199E8F3 8847 FF mov byte ptr ds:[edi-1], al
0199E8F6 8BC5 mov eax, ebp
0199E8F8 4D dec ebp
0199E8F9 85C0 test eax, eax
0199E8FB ^ 75 A4 jnz short 0199E8A1
0199E8FD 33C0 xor eax, eax
0199E8FF 5D pop ebp
0199E900 5F pop edi
0199E901 5E pop esi
0199E902 5B pop ebx
0199E903 C2 1400 retn 14
Remove the memory breakpoint, move the cursor to the line 0199E903 C2 1400 retn 14, press F4, then set a memory-access breakpoint on 401000 to 404fff again; after F9 it breaks at the fake OEP:
004010DD 3C 22 cmp al, 22
004010DF 75 1B jnz short NOTEPAD.004010FC
004010E1 56 push esi
004010E2 FF15 AC644000 call dword ptr ds:[4064AC] ;***************************
004010E8 8BF0 mov esi, eax
004010EA 8A00 mov al, byte ptr ds:[eax]
004010EC 84C0 test al, al
004010EE 74 04 je short NOTEPAD.004010F4
004010F0 3C 22 cmp al, 22
004010F2 ^ 75 ED jnz short NOTEPAD.004010E1
004010F4 803E 22 cmp byte ptr ds:[esi], 22
004010F7 75 15 jnz short NOTEPAD.0040110E
004010F9 46 inc esi
004010FA EB 12 jmp short NOTEPAD.0040110E
004010FC 3C 20 cmp al, 20
004010FE 7E 0E jle short NOTEPAD.0040110E
00401100 56 push esi
00401101 FF15 AC644000 call dword ptr ds:[4064AC] ;*******************************
00401107 8038 20 cmp byte ptr ds:[eax], 20
Now here is the problem: note the two lines marked with *****. They are clearly different from the call addresses in the original Notepad. Why is this? What should be done in this situation? I can't dump a normal file at all.
This is my practice file.
Attachment: test.rar
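As an added example that is not part of the original post: a small Python script that parses OllyDbg-style listing lines like the ones quoted above, extracts every FF15 (call dword ptr [imm32]) instruction, and reports the calls whose IAT slot operand differs between the original Notepad listing and the dump. The listing fragments are copied from the post; the function names are my own.

```python
import re
import struct

# Sample input: fragments of the two OllyDbg listings quoted in the post
# (original Notepad vs. the SVKP dump), trimmed to a few lines.
ORIGINAL_LISTING = """
004010E1 |> 56 /push esi
004010E2 |. FF15 F4644000 |call dword ptr ds:[4064F4] ; CharNextA
00401100 |> 56 /push esi
00401101 |. FF15 F4644000 |call dword ptr ds:[4064F4] ; CharNextA
"""
DUMPED_LISTING = """
004010E1 |> 56 /push esi
004010E2 FF15 AC644000 call dword ptr ds:[4064AC] ; MessageBoxA
00401100 |> 56 /push esi
00401101 |. FF15 AC644000 |call dword ptr ds:[4064AC] ; MessageBoxA
"""

# Address, optional OllyDbg flow markers (| . > ^ / \), then the FF15 opcode
# and its 4-byte operand exactly as the listing prints it (memory order).
CALL_RE = re.compile(r'^\s*([0-9A-Fa-f]{8})\s+[|.>^/\\ ]*FF15\s+([0-9A-Fa-f]{8})')


def iat_calls(listing):
    """Map instruction address -> IAT slot address for every call dword ptr [imm32]."""
    calls = {}
    for line in listing.splitlines():
        m = CALL_RE.match(line)
        if m:
            addr = int(m.group(1), 16)
            # Operand bytes are shown in memory order, so decode them little-endian.
            slot = struct.unpack('<I', bytes.fromhex(m.group(2)))[0]
            calls[addr] = slot
    return calls


def redirected_calls(original, dumped):
    """Return (address, original_slot, dumped_slot) for calls whose IAT slot changed in the dump."""
    orig, dump = iat_calls(original), iat_calls(dumped)
    return [(a, orig[a], dump[a]) for a in sorted(orig) if a in dump and orig[a] != dump[a]]


if __name__ == '__main__':
    for addr, before, after in redirected_calls(ORIGINAL_LISTING, DUMPED_LISTING):
        print(f'{addr:08X}: call [{before:08X}] became call [{after:08X}]')
```

Running it over the full listings from the post reports the two calls at 004010E2 and 00401101, whose slot moved from 4064F4 to 4064AC.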