用PEiD检查程序,提示"什么也没有找到 *",但EP段显示为".aspack"。用OD载入后,入口处代码如下:
; Packer entry stub (x86, Intel syntax, OllyDbg listing; EP segment reported as ".aspack").
; Addresses are the runtime values shown by the debugger; the image base works out to 00400000 below.
00487000 90 nop
00487001 > 50 push eax ; kernel32.BaseThreadInitThunk
00487002 E8 03000000 call 0048700A ; pushes return address 00487007
00487007 F9 stc ; never executed: the retn below lands on 00487008, not here
00487008 EB 04 jmp short 0048700E
0048700A 5D pop ebp ; ebp = 00487007 (the pushed return address)
0048700B 45 inc ebp ; ebp = 00487008
0048700C 55 push ebp
0048700D C3 retn ; "returns" to 00487008 -- the jmp above; call/pop/inc/retn skips one byte (anti-disassembly)
0048700E E8 01000000 call 00487014 ; pushes 00487013
00487013 AD lods dword ptr [esi] ; never executed: the call lands on 00487014
00487014 5D pop ebp ; ebp = 00487013, used as the stub's delta-offset base from here on
00487015 BB EDFFFFFF mov ebx, -13 ; -0x13
0048701A 03DD add ebx, ebp ; ebx = 00487013 - 13 = 00487000 (the entry point)
0048701C 81EB 00700800 sub ebx, 87000 ; ebx = 00400000 = runtime image base (EP RVA 87000 subtracted)
00487022 83BD 22040000 0>cmp dword ptr [ebp+422], 0 ; flags = "already initialised?" (mov below does not touch flags)
00487029 899D 22040000 mov dword ptr [ebp+422], ebx ; remember the base
0048702F 0F85 65030000 jnz 0048739A ; if [ebp+422] was already non-zero, skip the setup below
00487035 8D85 2E040000 lea eax, dword ptr [ebp+42E] ; argument = address of stub data at ebp+42E (contents not shown here)
0048703B 50 push eax
0048703C FF95 4D0F0000 call dword ptr [ebp+F4D] ; indirect call through a pointer stored in the stub; target not visible in this listing
00487042 8985 26040000 mov dword ptr [ebp+426], eax ; save the call's result in the stub's data area
然后使用ASPack脱壳机(看雪提供的三款都试过了)或用OD手动脱壳后,程序运行时界面已经能出来,但系统会弹出"程序出现了一个问题,导致程序停止正常工作,请关闭该程序"的对话框。
脱壳后用PEiD检查显示为"E language *",但用E-CODE EXPLORER打开时提示不包含易语言模块,无法分析。用OD载入,入口代码如下:
; Entry of the unpacked program (OllyDbg listing). By its strings this is the loader stub of an
; E-language (易语言) executable: it builds a path to "krnln.fnr" and loads it with LoadLibraryA.
00401000 >/$ E8 06000000 call 0040100B ; run the stub; whatever it leaves in eax becomes the exit code
00401005 |. 50 push eax ; /ExitCode
00401006 \. E8 BB010000 call <jmp.&kernel32.ExitProcess> ; \ExitProcess
0040100B /$ 55 push ebp
0040100C |. 8BEC mov ebp, esp
0040100E |. 81C4 F0FEFFFF add esp, -110 ; 0x110 bytes of locals; [ebp-104] is used as a path buffer below
00401014 |. E9 83000000 jmp 0040109C ; jump over the inline string data
00401019 |. 6B 72 6E 6C 6>ascii "krnln.fnr",0 ; name of the runtime's kernel library, appended to the path below
00401023 |. 6B 72 6E 6C 6>ascii "krnln.fnr",0
0040102D |. 47 65 74 4E 6>ascii "GetNewSock",0
00401038 |. 53 6F 66 74 7>ascii "Software\souhj11" ; registry path fragments -- presumably where the library path is looked up
00401048 |. 5C 68 6A 62 7>ascii "\hjbz2008",0
00401052 |. 50 61 74 68 0>ascii "Path",0
00401057 |. 4E 6F 74 20 6>ascii "Not found the ke" ; error shown when LoadLibraryA fails (handler not in this listing)
00401067 |. 72 6E 65 6C 2>ascii "rnel library or "
00401077 |. 74 68 65 20 6>ascii "the kernel libra"
00401087 |. 72 79 20 69 7>ascii "ry is invalid!",0
00401096 |. 45 72 72 6F 7>ascii "Error",0
0040109C |> 8D85 FCFEFFFF lea eax, dword ptr [ebp-104] ; eax = &buffer
004010A2 |. 50 push eax
004010A3 |. E8 44010000 call 004011EC ; fills the buffer (body not shown; likely reads the "Path" value named above -- verify)
004010A8 |. 68 19104000 push 00401019 ; /String2 = "krnln.fnr"
004010AD |. 8D85 FCFEFFFF lea eax, dword ptr [ebp-104] ; |
004010B3 |. 50 push eax ; |String1
004010B4 |. E8 25010000 call <jmp.&kernel32.lstrcat> ; \lstrcat -- returns String1 (the buffer); no length check, so the path written by 004011EC must fit in 0x104 bytes
004010B9 |. 50 push eax ; /FileName = buffer + "krnln.fnr"
004010BA |. E8 19010000 call <jmp.&kernel32.LoadLibraryA> ; \LoadLibraryA -- loads krnln.fnr from that path
然后用OD调试时,程序会停在这里:
; Where OD breaks. 76F8xxxx is outside the program image (00400000 region), i.e. inside a loaded module.
; The loop looks like a linked-list walk: ecx = current node, edx = the node the walk stops at;
; each node adds ([node+10] - [node+1C]) << 0C to [esi+10].
76F81975 /74 14 je short 76F8198B
76F81977 |53 push ebx
76F81978 |8B59 10 mov ebx, dword ptr [ecx+10] ; OD stops here: access violation reading [00000010] - use Shift+F7/F8/F9 to skip the exception. A fault at address 10 on [ecx+10] means ecx == 0: a NULL node was reached before ecx == edx
76F8197B |2B59 1C sub ebx, dword ptr [ecx+1C]
76F8197E |C1E3 0C shl ebx, 0C ; * 0x1000
76F81981 |015E 10 add dword ptr [esi+10], ebx
76F81984 |8B09 mov ecx, dword ptr [ecx] ; ecx = next node
76F81986 |3BCA cmp ecx, edx
76F81988 ^|75 EE jnz short 76F81978 ; loop until the walk returns to edx
76F8198A |5B pop ebx
76F8198B \8B40 78 mov eax, dword ptr [eax+78]
76F8198E 8B4E 10 mov ecx, dword ptr [esi+10]
76F81991 C1E0 03 shl eax, 3 ; * 8
76F81994 2BC8 sub ecx, eax
76F81996 894E 0C mov dword ptr [esi+C], ecx
76F81999 FF07 inc dword ptr [edi]
76F8199B 33C0 xor eax, eax ; eax = 0
请问问题出在哪里?应该怎么处理?谢谢。