[旧帖] [求助]手脱遇到困难请前辈指教! 0.00雪花
发表于: 2008-12-2 16:23 2815
手脱遇到困难,因水平还不高,还请前辈指教!我一定加紧学习。
1。用PEID查壳为:Armadillo 1.xx - 2.xx -> Silicon Realms Toolworks [Overlay]
2。用OD载入,忽略所有异常,隐藏OD
3。到这里↓
0054B243 >/$ 55 push ebp
0054B244 |. 8BEC mov ebp, esp
0054B246 |. 6A FF push -1
0054B248 |. 68 404F5700 push 00574F40
0054B24D |. 68 80AF5400 push 0054AF80 ; SE 处理程序安装
0054B252 |. 64:A1 0000000>mov eax, dword ptr fs:[0]
0054B258 |. 50 push eax
0054B259 |. 64:8925 00000>mov dword ptr fs:[0], esp
0054B260 |. 83EC 58 sub esp, 58
0054B263 |. 53 push ebx
0054B264 |. 56 push esi
0054B265 |. 57 push edi
4。下断bp OpenMutexA,回车,Shift+F9! 到这里↓
7C80EA1B > 8BFF mov edi, edi ; ntdll.7C930738
7C80EA1D 55 push ebp
7C80EA1E 8BEC mov ebp, esp
7C80EA20 51 push ecx
7C80EA21 51 push ecx
7C80EA22 837D 10 00 cmp dword ptr [ebp+10], 0
7C80EA26 56 push esi
7C80EA27 0F84 66530300 je 7C843D93
7C80EA2D 64:A1 18000000 mov eax, dword ptr fs:[18]
7C80EA33 FF75 10 push dword ptr [ebp+10]
7C80EA36 8DB0 F80B0000 lea esi, dword ptr [eax+BF8]
7C80EA3C 8D45 F8 lea eax, dword ptr [ebp-8]
7C80EA3F 50 push eax
堆栈显示的情况如下:
0012F798 00536DB8 /CALL 到 OpenMutexA 来自 遨游网络.00536DB2
0012F79C 001F0001 |Access = 1F0001
0012F7A0 00000000 |Inheritable = FALSE
0012F7A4 0012FDD8 \MutexName = "338::DA5B5C7156"
0012F7A8 7C930738 ntdll.7C930738
0012F7AC 00000000
0012F7B0 7FFDE000
0012F7B4 0012F9DC
5。断下后使用 Ctrl+G 进入 00401000,键入了以下代码↓
00401000 60 pushad
00401001 9C pushfd
00401002 68 D8FD1200 push 12FDD8 ; ASCII "338::DA5B5C7156"
00401007 33C0 xor eax, eax
00401009 50 push eax
0040100A 50 push eax
0040100B E8 2FD9407C call kernel32.CreateMutexA
00401010 9D popfd
00401011 61 popad
00401012 - E9 04DA407C jmp kernel32.OpenMutexA
00401017 0000 add byte ptr [eax], al
00401019 0000 add byte ptr [eax], al
0040101B 0000 add byte ptr [eax], al
0040101D 0000 add byte ptr [eax], al
以上↑键入内容二进制代码为:
60 9C 68 D8 FD 12 00 33 C0 50 50 E8 2F D9 40 7C 9D 61 E9 04 DA 40 7C
6。然后在 00401000(60 pushad)处新建EIP,使用Shift+F9再次中断,回到这里↓
7C80EA1B > 8BFF mov edi, edi ; ntdll.7C930738
7C80EA1D 55 push ebp
7C80EA1E 8BEC mov ebp, esp
7C80EA20 51 push ecx
7C80EA21 51 push ecx
7C80EA22 837D 10 00 cmp dword ptr [ebp+10], 0
7C80EA26 56 push esi
7C80EA27 0F84 66530300 je 7C843D93
7C80EA2D 64:A1 18000000 mov eax, dword ptr fs:[18]
7C80EA33 FF75 10 push dword ptr [ebp+10]
7C80EA36 8DB0 F80B0000 lea esi, dword ptr [eax+BF8]
7C80EA3C 8D45 F8 lea eax, dword ptr [ebp-8]
7C80EA3F 50 push eax
7C80EA40 FF15 8C10807C call dword ptr [<&ntdll.RtlInitAnsiSt>; ntdll.RtlInitAnsiString
7C80EA46 6A 00 push 0
7。然后F2取消断点,准备避开输入表加密并找到Magic Jump。
8。下断 he GetModuleHandleA+5,Shift+F9到了这里↓
7C80B6A6 837D 08 00 cmp dword ptr [ebp+8], 0
7C80B6AA 74 18 je short 7C80B6C4
7C80B6AC FF75 08 push dword ptr [ebp+8]
7C80B6AF E8 C0290000 call 7C80E074
7C80B6B4 85C0 test eax, eax
7C80B6B6 74 08 je short 7C80B6C0
7C80B6B8 FF70 04 push dword ptr [eax+4]
7C80B6BB E8 7D2D0000 call GetModuleHandleW
7C80B6C0 5D pop ebp
7C80B6C1 C2 0400 ret 4
7C80B6C4 64:A1 18000000 mov eax, dword ptr fs:[18]
7C80B6CA 8B40 30 mov eax, dword ptr [eax+30]
7C80B6CD 8B40 08 mov eax, dword ptr [eax+8]
7C80B6D0 ^ EB EE jmp short 7C80B6C0
此时堆栈显示为↓:
0012EE60 /0012EE98
0012EE64 |5D175324 返回到 5D175324 来自 kernel32.GetModuleHandleA
0012EE68 |5D175370 ASCII "kernel32.dll"
0012EE6C |5D1E3AB8
0012EE70 |00000000
0012EE74 |5D170000
0012EE78 |7C812BFF 返回到 kernel32.7C812BFF 来自 ntdll.RtlCreateHeap
0012EE7C |40001062
9。连续F9,下面是每一次F9时候堆栈显示的情况!!!
(1)
0012EF20 /0012EF3C
0012EF24 |77F45BD8 返回到 SHLWAPI.77F45BD8 来自 kernel32.GetModuleHandleA
0012EF28 |77F4501C ASCII "KERNEL32.DLL"
0012EF2C |00000001
0012EF30 |77F40000 SHLWAPI.77F40000
0012EF34 |00000000
(2)
0012F738 /0012F7A0
0012F73C |00535EF3 返回到 遨游网络.00535EF3 来自 kernel32.GetModuleHandleA
0012F740 |00000000
0012F744 |0012F750
0012F748 |00E120E6
0012F74C |005B4E04 遨游网络.005B4E04
0012F750 |00000000
(3)
00129524 /0012EC6C
00129528 |00E26DF3 返回到 00E26DF3 来自 kernel32.GetModuleHandleA
0012952C |00E3BC1C ASCII "kernel32.dll"
00129530 |00E3CEC4 ASCII "VirtualAlloc"
00129534 |00E3FA98
00129538 |7C9210ED ntdll.RtlLeaveCriticalSection
0012953C |00000000
(4)
00129524 /0012EC6C
00129528 |00E26E10 返回到 00E26E10 来自 kernel32.GetModuleHandleA
0012952C |00E3BC1C ASCII "kernel32.dll"
00129530 |00E3CEB8 ASCII "VirtualFree"
00129534 |00E3FA98
00129538 |7C9210ED ntdll.RtlLeaveCriticalSection
0012953C |00000000
问题出现了:再次F9时弹出提示框,内容如下↓:
不知如何回避位于地址 00E313A5 的命令. 请尝试更改 EIP 或忽略程序异常.
因为水平有限,穿山甲壳也脱过几个,今天突然遇上这个问题,还望前辈们指教,谢谢!
希望得到解决办法和问题原因。困难是学习的动力~!再次感谢~!!
1。用PEID查壳为:Armadillo 1.xx - 2.xx -> Silicon Realms Toolworks [Overlay]
2。用OD载入,忽略所有异常,隐藏OD
3。到这里↓
0054B243 >/$ 55 push ebp
0054B244 |. 8BEC mov ebp, esp
0054B246 |. 6A FF push -1
0054B248 |. 68 404F5700 push 00574F40
0054B24D |. 68 80AF5400 push 0054AF80 ; SE 处理程序安装
0054B252 |. 64:A1 0000000>mov eax, dword ptr fs:[0]
0054B258 |. 50 push eax
0054B259 |. 64:8925 00000>mov dword ptr fs:[0], esp
0054B260 |. 83EC 58 sub esp, 58
0054B263 |. 53 push ebx
0054B264 |. 56 push esi
0054B265 |. 57 push edi
4。下断bp OpenMutexA,回车,Shift+F9! 到这里↓
7C80EA1B > 8BFF mov edi, edi ; ntdll.7C930738
7C80EA1D 55 push ebp
7C80EA1E 8BEC mov ebp, esp
7C80EA20 51 push ecx
7C80EA21 51 push ecx
7C80EA22 837D 10 00 cmp dword ptr [ebp+10], 0
7C80EA26 56 push esi
7C80EA27 0F84 66530300 je 7C843D93
7C80EA2D 64:A1 18000000 mov eax, dword ptr fs:[18]
7C80EA33 FF75 10 push dword ptr [ebp+10]
7C80EA36 8DB0 F80B0000 lea esi, dword ptr [eax+BF8]
7C80EA3C 8D45 F8 lea eax, dword ptr [ebp-8]
7C80EA3F 50 push eax
堆栈显示的情况如下:
0012F798 00536DB8 /CALL 到 OpenMutexA 来自 遨游网络.00536DB2
0012F79C 001F0001 |Access = 1F0001
0012F7A0 00000000 |Inheritable = FALSE
0012F7A4 0012FDD8 \MutexName = "338::DA5B5C7156"
0012F7A8 7C930738 ntdll.7C930738
0012F7AC 00000000
0012F7B0 7FFDE000
0012F7B4 0012F9DC
5。断下后使用 Ctrl+G 进入 00401000,键入了以下代码↓
00401000 60 pushad
00401001 9C pushfd
00401002 68 D8FD1200 push 12FDD8 ; ASCII "338::DA5B5C7156"
00401007 33C0 xor eax, eax
00401009 50 push eax
0040100A 50 push eax
0040100B E8 2FD9407C call kernel32.CreateMutexA
00401010 9D popfd
00401011 61 popad
00401012 - E9 04DA407C jmp kernel32.OpenMutexA
00401017 0000 add byte ptr [eax], al
00401019 0000 add byte ptr [eax], al
0040101B 0000 add byte ptr [eax], al
0040101D 0000 add byte ptr [eax], al
以上↑键入内容二进制代码为:
60 9C 68 D8 FD 12 00 33 C0 50 50 E8 2F D9 40 7C 9D 61 E9 04 DA 40 7C
6。然后在 00401000(60 pushad)处新建EIP,使用Shift+F9再次中断,回到这里↓
7C80EA1B > 8BFF mov edi, edi ; ntdll.7C930738
7C80EA1D 55 push ebp
7C80EA1E 8BEC mov ebp, esp
7C80EA20 51 push ecx
7C80EA21 51 push ecx
7C80EA22 837D 10 00 cmp dword ptr [ebp+10], 0
7C80EA26 56 push esi
7C80EA27 0F84 66530300 je 7C843D93
7C80EA2D 64:A1 18000000 mov eax, dword ptr fs:[18]
7C80EA33 FF75 10 push dword ptr [ebp+10]
7C80EA36 8DB0 F80B0000 lea esi, dword ptr [eax+BF8]
7C80EA3C 8D45 F8 lea eax, dword ptr [ebp-8]
7C80EA3F 50 push eax
7C80EA40 FF15 8C10807C call dword ptr [<&ntdll.RtlInitAnsiSt>; ntdll.RtlInitAnsiString
7C80EA46 6A 00 push 0
7。然后F2取消断点,准备避开输入表加密并找到Magic Jump。
8。下断 he GetModuleHandleA+5,Shift+F9到了这里↓
7C80B6A6 837D 08 00 cmp dword ptr [ebp+8], 0
7C80B6AA 74 18 je short 7C80B6C4
7C80B6AC FF75 08 push dword ptr [ebp+8]
7C80B6AF E8 C0290000 call 7C80E074
7C80B6B4 85C0 test eax, eax
7C80B6B6 74 08 je short 7C80B6C0
7C80B6B8 FF70 04 push dword ptr [eax+4]
7C80B6BB E8 7D2D0000 call GetModuleHandleW
7C80B6C0 5D pop ebp
7C80B6C1 C2 0400 ret 4
7C80B6C4 64:A1 18000000 mov eax, dword ptr fs:[18]
7C80B6CA 8B40 30 mov eax, dword ptr [eax+30]
7C80B6CD 8B40 08 mov eax, dword ptr [eax+8]
7C80B6D0 ^ EB EE jmp short 7C80B6C0
此时堆栈显示为↓:
0012EE60 /0012EE98
0012EE64 |5D175324 返回到 5D175324 来自 kernel32.GetModuleHandleA
0012EE68 |5D175370 ASCII "kernel32.dll"
0012EE6C |5D1E3AB8
0012EE70 |00000000
0012EE74 |5D170000
0012EE78 |7C812BFF 返回到 kernel32.7C812BFF 来自 ntdll.RtlCreateHeap
0012EE7C |40001062
9。连续F9,下面是每一次F9时候堆栈显示的情况!!!
(1)
0012EF20 /0012EF3C
0012EF24 |77F45BD8 返回到 SHLWAPI.77F45BD8 来自 kernel32.GetModuleHandleA
0012EF28 |77F4501C ASCII "KERNEL32.DLL"
0012EF2C |00000001
0012EF30 |77F40000 SHLWAPI.77F40000
0012EF34 |00000000
(2)
0012F738 /0012F7A0
0012F73C |00535EF3 返回到 遨游网络.00535EF3 来自 kernel32.GetModuleHandleA
0012F740 |00000000
0012F744 |0012F750
0012F748 |00E120E6
0012F74C |005B4E04 遨游网络.005B4E04
0012F750 |00000000
(3)
00129524 /0012EC6C
00129528 |00E26DF3 返回到 00E26DF3 来自 kernel32.GetModuleHandleA
0012952C |00E3BC1C ASCII "kernel32.dll"
00129530 |00E3CEC4 ASCII "VirtualAlloc"
00129534 |00E3FA98
00129538 |7C9210ED ntdll.RtlLeaveCriticalSection
0012953C |00000000
(4)
00129524 /0012EC6C
00129528 |00E26E10 返回到 00E26E10 来自 kernel32.GetModuleHandleA
0012952C |00E3BC1C ASCII "kernel32.dll"
00129530 |00E3CEB8 ASCII "VirtualFree"
00129534 |00E3FA98
00129538 |7C9210ED ntdll.RtlLeaveCriticalSection
0012953C |00000000
问题出现了:再次F9时弹出提示框,内容如下↓:
不知如何回避位于地址 00E313A5 的命令. 请尝试更改 EIP 或忽略程序异常.
因为水平有限,穿山甲壳也脱过几个,今天突然遇上这个问题,还望前辈们指教,谢谢!
希望得到解决办法和问题原因。困难是学习的动力~!再次感谢~!!