1. A packer: Themida/WinLicense V1.8.2.0 + -> Oreans Technologies *.
The real OEP is here:
004B4BE6 |. 59 pop ecx
004B4BE7 \. C3 retn
004B4BE8 52 push edx <---------------- real OEP
004B4BE9 97 xchg eax, edi
004B4BEA 4A dec edx
004B4BEB 0375 90 add esi, dword ptr ss:[ebp-70]
004B4BEE 16 push ss
004B4BEF 32F5 xor dh, ch
004B4BF1 9A FAB4B303 A>call far 39AC:03B3B4FA
004B4BF8 F4 hlt
004B4BF9 6320 arpl word ptr ds:[eax], sp
004B4BFB 3BED cmp ebp, ebp
004B4BFD F65E 74 neg byte ptr ds:[esi+74]
004B4C00 1F pop ds
004B4C01 BA 6F2314E4 mov edx, E414236F
004B4C06 F607 06 test byte ptr ds:[edi], 6
004B4C09 35 5C4ADA70 xor eax, 70DA4A5C
004B4C0E 8917 mov dword ptr ds:[edi], edx
004B4C10 DA3B fidivr dword ptr ds:[ebx]
004B4C12 FFD5 call near ebp
004B4C14 09B0 E98B4604 or dword ptr ds:[eax+4468BE9], esi
=======The code above is the stolen code=================================
004B4C1A . A3 20366100 mov dword ptr ds:[613620], eax
004B4C1F . 8B56 08 mov edx, dword ptr ds:[esi+8]
004B4C22 . 8915 24366100 mov dword ptr ds:[613624], edx
004B4C28 . 8B76 0C mov esi, dword ptr ds:[esi+C]
004B4C2B . 81E6 FF7F0000 and esi, 7FFF
004B4C31 . 8935 18366100 mov dword ptr ds:[613618], esi
004B4C37 . 83F9 02 cmp ecx, 2
Based on: [Article author]: best坏小子 --- Manually unpacking Themida 1.8.x.x -> Oreans Technologies *
Having got this far, I repaired the OEP, as follows:
004B4BE8 > $ 6A 60 push 60
004B4BEA . 68 B8BF5500 push 0055BFB8
004B4BEF . E8 A8730000 call 004BBF9C
004B4BF4 . BF 94000000 mov edi, 94
004B4BF9 . 8BC7 mov eax, edi
004B4BFB . E8 60710000 call 004BBD60
004B4C00 . 8965 E8 mov dword ptr ss:[ebp-18], esp
004B4C03 . 8BF4 mov esi, esp
004B4C05 . 893E mov dword ptr ds:[esi], edi
004B4C07 . 56 push esi
004B4C08 . FF15 50335500 call near dword ptr ds:[553350]
004B4C0E . 8B4E 10 mov ecx, dword ptr ds:[esi+10]
004B4C11 . 890D 14366100 mov dword ptr ds:[613614], ecx
004B4C17 . 8B46 04 mov eax, dword ptr ds:[esi+4]
=======The above is the repaired stolen code=========================
004B4C1A . A3 20366100 mov dword ptr ds:[613620], eax
004B4C1F . 8B56 08 mov edx, dword ptr ds:[esi+8]
004B4C22 . 8915 24366100 mov dword ptr ds:[613624], edx
004B4C28 . 8B76 0C mov esi, dword ptr ds:[esi+C]
004B4C2B . 81E6 FF7F0000 and esi, 7FFF
004B4C31 . 8935 18366100 mov dword ptr ds:[613618], esi
004B4C37 . 83F9 02 cmp ecx, 2
004B4C3A . 74 0C je short 004B4C48
004B4C3C . 81CE 00800000 or esi, 8000
......
========================================================
2. Dumped the program with OD's built-in dump, then fixed the IAT with Universal Import Fixer v1.2 (FINAL), as follows:
Fixing Success...
Fixed Module : XXXX.exe
Image Base : 00400000
IAT RVA : 02650000
IAT Size : 00000258
Normal Imports : 205
Directly Imports : 784
All Imports : 989
===================================================
3. Rebuilt the IAT with ImportREC.
After entering OEP: B4BE8, RVA: 02650000, SIZE: 258, I got the import table:
All entries valid; fixed the dump file.
Unpacking was complete at this point, but the program won't run: it shows "the program has encountered a problem and needs to close".
==============================================
Question 1: Is the method I used above correct? If there are mistakes, please point them out.
Question 2: I found that the dumped program won't run, so I loaded the repaired program in OD and checked it again with Universal Import Fixer v1.2 (FINAL); it shows that none of the functions in the import table are usable. But when I open the memory map, the functions in the import table are all present in the newly added IAT section. I don't know what's going on; experts, please advise.
Question 3: TMD's import table is encrypted; how can it be recovered?
Thanks in advance, everyone; please enlighten me!!! @_@
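An added example (not code from the post or from any of the tools it names): a Python sanity check of a dumped PE32's headers against the values entered into ImportREC (OEP RVA, IAT RVA and size). It reports the situation in question 2, where the IAT range is mapped in memory but has no raw data behind it in the file, and an import directory that was never written. The section names and the headers-only test image are constructed assumptions.

```python
import struct
DIR_IMPORT, DIR_IAT = 1, 12   # data-directory indices from the PE/COFF spec

def parse_pe32(data):
    """Read entry point, import/IAT directories and section table from a PE32 image."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24                                            # optional header follows the COFF header
    entry = struct.unpack_from("<I", data, opt + 16)[0]      # AddressOfEntryPoint (RVA)
    imp, iat = (struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in (DIR_IMPORT, DIR_IAT))
    secs = []
    for i in range(nsec):   # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        secs.append((name.rstrip(b"\0").decode(), va, vsize, rptr, rsize))
    return entry, imp, iat, secs

def section_for(secs, rva):
    return next((s for s in secs if s[1] <= rva < s[1] + max(s[2], s[4])), None)

def check_dump(data, oep_rva, iat_rva, iat_size):
    """Sanity checks on a dump's headers; returns a list of problems (empty = headers look fine)."""
    entry, imp, iat, secs = parse_pe32(data)
    problems = []
    if entry != oep_rva:
        problems.append(f"header entry point {entry:08X} != OEP {oep_rva:08X}")
    if section_for(secs, oep_rva) is None:
        problems.append(f"OEP {oep_rva:08X} lies outside every section")
    s = section_for(secs, iat_rva)
    if s is None:
        problems.append(f"IAT {iat_rva:08X} is not covered by any section")
    elif iat_rva + iat_size > s[1] + s[4]:   # range is mapped in memory but the file has no bytes for it
        problems.append(f"IAT is not backed by raw data in section {s[0]!r}; it exists only in memory")
    if imp[0] == 0:
        problems.append("import directory RVA is zero; the rebuilt table was never written")
    return problems

def build_image(secs, entry, imp, iat):
    """Constructed headers-only PE32 (no real code) so the checks can be exercised offline."""
    img = bytearray(b"MZ" + bytes(0x3E)); struct.pack_into("<I", img, 0x3C, 0x40)
    img += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)   # Magic, AddressOfEntryPoint, ImageBase 00400000, NumberOfRvaAndSizes
    for off, val in ((0, 0x10B), (16, entry), (28, 0x400000), (92, 16)):
        struct.pack_into("<H" if off == 0 else "<I", opt, off, val)
    for idx, d in ((DIR_IMPORT, imp), (DIR_IAT, iat)):
        struct.pack_into("<II", opt, 96 + 8 * idx, *d)
    img += opt
    for name, va, vsize, rptr, rsize in secs:
        img += struct.pack("<8sIIIIIIHHI", name.encode(), vsize, va, rsize, rptr, 0, 0, 0, 0, 0x60000020)
    return bytes(img)
```

Run check_dump on the dumped file with the post's values (OEP RVA B4BE8, IAT RVA 02650000, size 258); an IAT section whose SizeOfRawData is zero is exactly the "present in the memory map but not usable from the file" symptom.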