Download address:
http://www.wg805.com/
Protection: ASProtect 1.23 RC1 - Alexey Solodovnikov
In OD's exception settings, do not ignore memory access exceptions and ignore all the others, then load the program.
F9 to run.
009E335C 3100 xor dword ptr ds:[eax],eax ///stops here
009E335E EB 01 jmp short 009E3361
009E3360 68 648F0500 push 58F64
009E3365 0000 add byte ptr ds:[eax],al
009E3367 00EB add bl,ch
009E3369 02E8 add ch,al
An exception is shown; Shift+F9.
25 presses bring you to the last exception.
009E2CD1 3100 xor dword ptr ds:[eax],eax
009E2CD3 64:8F05 00000000 pop dword ptr fs:[0]// set a breakpoint here, Shift+F9 breaks on this line, then clear the breakpoint
009E2CDA 58 pop eax
009E2CDB 833D 7C6D9E00 00 cmp dword ptr ds:[9E6D7C],0
009E2CE2 74 14 je short 009E2CF8
009E2CE4 6A 0C push 0C
009E2CE6 B9 7C6D9E00 mov ecx,9E6D7C
009E2CEB 8D45 F8 lea eax,dword ptr ss:[ebp-8]
009E2CEE BA 04000000 mov edx,4
009E2CF3 E8 54E1FFFF call 009E0E4C
009E2CF8 FF75 FC push dword ptr ss:[ebp-4]
009E2CFB FF75 F8 push dword ptr ss:[ebp-8]
009E2CFE 8B45 F4 mov eax,dword ptr ss:[ebp-C]
009E2D01 8338 00 cmp dword ptr ds:[eax],0
009E2D04 74 02 je short 009E2D08
009E2D06 FF30 push dword ptr ds:[eax]
009E2D08 FF75 F0 push dword ptr ss:[ebp-10]
009E2D0B FF75 EC push dword ptr ss:[ebp-14]
009E2D0E C3 retn////no breakpoint can be set here, unlike ASProtect 1.23 RC4
Alt+M to open the memory map, set a memory access breakpoint. F9 to run.
Memory map
Address=00401000
Size=00093000
Owner=ntPCIK 00400000
Contains=code
Type=Imag 01001002
Breaks at the OEP
004931B0 55 push ebp ////dump here
004931B1 8BEC mov ebp,esp
004931B3 83C4 F0 add esp,-10
004931B6 B8 302F4900 mov eax,ntPCIK.00492F30
004931BB E8 9C3BF7FF call ntPCIK.00406D5C
004931C0 A1 DC5B4900 mov eax,dword ptr ds:[495BDC]
004931C5 8B00 mov eax,dword ptr ds:[eax]
004931C7 E8 3C9CFCFF call ntPCIK.0045CE08
004931CC 68 28324900 push ntPCIK.00493228 ; ASCII "ntpt"
004931D1 6A FF push -1
004931D3 6A 00 push 0
004931D5 E8 223DF7FF call ntPCIK.00406EFC
004931DA E8 ED3DF7FF call ntPCIK.00406FCC
004931DF 3D B7000000 cmp eax,0B7
004931E4 75 07 jnz short ntPCIK.004931ED
004931E6 6A 00 push 0
004931E8 E8 573DF7FF call ntPCIK.00406F44
004931ED A1 DC5B4900 mov eax,dword ptr ds:[495BDC]
004931F2 8B00 mov eax,dword ptr ds:[eax]
004931F4 BA 38324900 mov edx,ntPCIK.00493238
004931F9 E8 1698FCFF call ntPCIK.0045CA14
004931FE 8B0D E45C4900 mov ecx,dword ptr ds:[495CE4] ; ntPCIK.00496F30
00493204 A1 DC5B4900 mov eax,dword ptr ds:[495BDC]
In ImportREC, enter OEP 931B0, IAT AutoSearch - Get Imports - Show Invalid; right-click and first use trace level 1 to fix most of the pointers, then fix the rest with the ASProtect 1.2X plugin.
One is left: rva:00099314 ptr=009E13B4. Cut it, the fix succeeds, but the program errors when run.
Load the fixed program in OD and you arrive here
004931B0 1> $ 55 push ebp
004931B1 . 8BEC mov ebp,esp
004931B3 . 83C4 F0 add esp,-10
004931B6 . B8 302F4900 mov eax,1_.00492F30
004931BB . E8 9C3BF7FF call 1_.00406D5C
004931C0 . A1 DC5B4900 mov eax,dword ptr ds:[495BDC]
004931C5 . 8B00 mov eax,dword ptr ds:[eax]
004931C7 . E8 3C9CFCFF call 1_.0045CE08
004931CC . 68 28324900 push 1_.00493228 ; /Arg3 = 00493228 ASCII "ntpt"
004931D1 . 6A FF push -1 ; |Arg2 = FFFFFFFF
004931D3 . 6A 00 push 0 ; |Arg1 = 00000000
004931D5 . E8 223DF7FF call 1_.00406EFC ; \1_.00406EFC
004931DA . E8 ED3DF7FF call <jmp.&kernel32.GetLastError> ; [GetLastError
004931DF . 3D B7000000 cmp eax,0B7
004931E4 . 75 07 jnz short 1_.004931ED
004931E6 . 6A 00 push 0 ; /ExitCode = 0
004931E8 . E8 573DF7FF call <jmp.&kernel32.ExitProcess> ; \ExitProcess
004931ED > A1 DC5B4900 mov eax,dword ptr ds:[495BDC]
004931F2 . 8B00 mov eax,dword ptr ds:[eax]
004931F4 . BA 38324900 mov edx,1_.00493238
004931F9 . E8 1698FCFF call 1_.0045CA14
004931FE . 8B0D E45C4900 mov ecx,dword ptr ds:[495CE4] ; 1_.00496F30
00493204 . A1 DC5B4900 mov eax,dword ptr ds:[495BDC]
00493209 . 8B00 mov eax,dword ptr ds:[eax]
0049320B . 8B15 D4BA4800 mov edx,dword ptr ds:[48BAD4] ; 1_.0048BB20
00493211 . E8 0A9CFCFF call 1_.0045CE20//errors here
The message box reports 0045CE20. This is calling code inside the shell; the shell has been stripped off, so of course it errors. To find out what it is really calling, the only way is to trace the corresponding location in the still-packed program.
Reload the still-packed program in OD and repeat the steps above until it stops at the OEP.
00493211 E8 0A9CFCFF call ntPCIK.0045CE20 ///F4, then F7 to step in
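The leftover slot (rva 00099314, ptr 009E13B4) and the crash at 0045CE20 have the same root cause: a pointer that still targets memory the shell owned and which no longer exists in the dump. The script below is an added example, not code from the post or from ImportREC: it checks a list of IAT slots against the module ranges read off OD's Alt+M map and flags any that fall into no module (shell memory) or into the target's own image (a redirected stub). The kernel32/user32 entries and the "ok" sample slot are constructed placeholders; ntPCIK's range is taken from the section shown on the page.

```python
"""Check dumped IAT slots against the debugger's module map (added example)."""
from bisect import bisect_right

# (name, base, size) as read off OllyDbg's Alt+M memory map.
# ntPCIK: base 00400000, code section 00401000 + 00093000 (from the post).
# kernel32/user32 bases and sizes are constructed placeholders.
MODULE_MAP = [
    ("ntPCIK", 0x00400000, 0x00094000),
    ("kernel32", 0x7C800000, 0x000F6000),   # constructed
    ("user32", 0x7E410000, 0x00091000),     # constructed
]


def build_lookup(modules):
    """Sort modules by base so owner_of can binary-search them."""
    mods = sorted(modules, key=lambda m: m[1])
    return [m[1] for m in mods], mods


def owner_of(addr, lookup):
    """Return the module name containing addr, or None if no module does."""
    bases, mods = lookup
    i = bisect_right(bases, addr) - 1
    if i >= 0:
        name, base, size = mods[i]
        if base <= addr < base + size:
            return name
    return None


def classify_iat(entries, image_name, modules=MODULE_MAP):
    """entries: list of (rva, ptr) pairs as ImportREC lists them.

    Returns {rva: verdict}.  'invalid' means the pointer lands in no mapped
    module, i.e. memory the shell allocated and which is gone after the dump;
    'suspicious' means it was redirected into the target's own image instead
    of a system DLL, which is what a stub like the one at 0045CE20 looks like.
    """
    lookup = build_lookup(modules)
    verdicts = {}
    for rva, ptr in entries:
        owner = owner_of(ptr, lookup)
        if owner is None:
            verdicts[rva] = "invalid: no module at %08X (shell memory)" % ptr
        elif owner == image_name:
            verdicts[rva] = "suspicious: points into own image at %08X" % ptr
        else:
            verdicts[rva] = "ok: %s" % owner
    return verdicts
```

Run it over ImportREC's full slot list before cutting anything: a slot reported as "invalid" will crash the dump the moment it is called, exactly as happened here.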
00493216 A1 DC5B4900 mov eax,dword ptr ds:[495BDC]
0049321B 8B00 mov eax,dword ptr ds:[eax]
0045CE20 55 push ebp
0045CE21 8BEC mov ebp,esp
0045CE23 51 push ecx
0045CE24 53 push ebx
0045CE25 56 push esi
0045CE26 57 push edi
0045CE27 894D FC mov dword ptr ss:[ebp-4],ecx
0045CE2A 8BDA mov ebx,edx
0045CE2C 8BF0 mov esi,eax
0045CE2E 8BC3 mov eax,ebx
0045CE30 FF50 F4 call dword ptr ds:[eax-C]
0045CE33 8BD8 mov ebx,eax
0045CE35 8B45 FC mov eax,dword ptr ss:[ebp-4]
0045CE38 8918 mov dword ptr ds:[eax],ebx
0045CE3A 33C0 xor eax,eax
0045CE3C 55 push ebp
0045CE3D 68 5ECE4500 push ntPCIK.0045CE5E
0045CE42 64:FF30 push dword ptr fs:[eax]
0045CE45 64:8920 mov dword ptr fs:[eax],esp
0045CE48 8BCE mov ecx,esi
0045CE4A 83CA FF or edx,FFFFFFFF
0045CE4D 8BC3 mov eax,ebx
0045CE4F 8B38 mov edi,dword ptr ds:[eax]
0045CE51 FF57 2C call dword ptr ds:[edi+2C] ///raises the exception
Could everyone please give me some advice on how to fix the broken pointer?