虽然已经过了截止时间,不过还是提交一下吧,贵在参与。(没注意12:00截止了,以为今天全天都可以提交)
我的处理过程是:
1、用IDA反编译pediy.dll, 生成pediy.asm。
2、修改pediy.asm可以在masm32中编译,保持编译出来的代码与逆向分析的pediy.dll一致。
3、根据要求增加输出函数OpenUrlA,重新编译生成pediy.dll,Link参数采用/BASE:0x400000选项,以保持BaseImage为0x400000
源码:
;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: Mach EDV Dienstleistungen, Jan Mach, 1 user, adv, 11/2007 |
; +-------------------------------------------------------------------------+
;
.486 ; set processor model
.model flat, stdcall ; default STDCALL calling convention
option casemap :none ; always use the case sensitive option
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
include \masm32\macros\macros.asm
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
OpenUrlA PROTO STDCALL
.data
unk_403000 dd 0
unk_403004 dd 0
; char Text[]
Text db '看雪论坛.深圳腾讯 2008软件安全竞赛活动---第1题!',0
; char Caption[]
Caption db 'www.pediy.com',0
dword_403048 dd 0
dword_40304C dd 0
dword_403050 dd 0
Exec db 'explorer.exe http://bbs.pediy.com',0
.code
sub_401000 proc near
Invoke MessageBoxA,0,ADDR Text,ADDR Caption,0
mov eax, 1
retn 0Ch
sub_401000 endp
; BOOL __stdcall DllEntryPoint(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
LibMain proc hinstDLL:DWORD, fdwReason:DWORD, lpReserved:DWORD
cmp [fdwReason], 1
jnz short loc_40103F
call sub_40107C
push offset unk_403004
push offset unk_403000
call sub_401062
pop ecx
pop ecx
loc_40103F:
push esi
push [lpReserved]
push [fdwReason]
push [hinstDLL]
call sub_401000
cmp [fdwReason], 0
mov esi, eax
jnz short loc_40105B
call sub_401094
loc_40105B:
mov eax, esi
pop esi
pop ebp
retn 0Ch
LibMain endp
sub_401062 proc
arg_0 = dword ptr 4
arg_4 = dword ptr 8
push esi
mov esi, [esp+4+arg_0]
loc_401067:
cmp esi, [esp+4+arg_4]
jnb short loc_40107A
mov eax, [esi]
test eax, eax
jz short loc_401075
call eax
loc_401075:
add esi, 4
jmp short loc_401067
; ---------------------------------------------------------------------------
loc_40107A:
pop esi
retn
sub_401062 endp
sub_40107C proc
push 20h
pop eax
push 4
push eax
mov dword_40304C, eax
call sub_4010B0
pop ecx
mov dword_403048, eax
pop ecx
retn
sub_40107C endp
sub_401094 proc
mov ecx, dword_403050
test ecx, ecx
jz short locret_4010AF
mov eax, dword_403048
lea ecx, [eax+ecx*4]
push ecx
push eax
call sub_401062
pop ecx
pop ecx
locret_4010AF:
retn
sub_401094 endp
sub_4010B0 proc
arg_0 = dword ptr 4
arg_4 = dword ptr 8
mov eax, [esp+arg_0]
imul eax, [esp+arg_4]
push eax ; dwBytes
push 8 ; dwFlags
call GetProcessHeap
push eax ; hHeap
call HeapAlloc
retn
sub_4010B0 endp
OpenUrlA proc STDCALL
push 5
push offset Exec
call WinExec
ret
OpenUrlA endp
end LibMain
[培训]《安卓高级研修班(网课)》月薪三万计划,掌握调试、分析还原ollvm、vmp的方法,定制art虚拟机自动化脱壳的方法
