Program download
http://bbs.pediy.com/upload/file/2004/12/mxdgg1.1.rar_572.rar
冒险小乖 1.1 / SVKP 1.3x -> Pavol Cerven
1. Dump
In OllyDbg, with the SFX option "Trace real entry blockwise" enabled and every exception it hits set to be ignored, run until you reach the fake OEP
0040F818 90 nop
0040F819 90 nop
0040F81A 90 nop
0040F81B 90 nop
0040F81C 90 nop
0040F81D 90 nop
0040F81E 90 nop
0040F81F . E8 582F0000 call 0041277C ; Real entry point of SFX code
0040F824 . BF 94000000 mov edi, 94
0040F829 . 8BC7 mov eax, edi
0040F82B . E8 800D0000 call 004105B0
Note the stack
0012FFBC 0042ADC0 mxdgg1_1.0042ADC0
0012FFC0 00000060
0012FFC4 77E6141A RETURN to kernel32.77E6141A
Restore the stolen bytes
0040F818 6A 60 push 60
0040F81A 68 C0AD4200 push 0042ADC0
0040F81F . E8 582F0000 call 0041277C ; Real entry point of SFX code
0040F824 . BF 94000000 mov edi, 94
0040F829 . 8BC7 mov eax, edi
0040F82B . E8 800D0000 call 004105B0
Fix SizeOfImage with LordPE, then the process can be dumped
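To show how the stack snapshot determines the stolen bytes, here is an added Python example (not part of the original post): it rebuilds the two pushes from the dwords left on the stack and checks that they fill the 7-byte NOP run before the call at 0040F81F exactly. The NOP-sled bytes and the stack values are taken from the listings above; encode_push, repair_fake_oep and the other names are the example's own.

```python
import struct

# Constructed from the listing in the post: 7 NOPs at 0040F818..0040F81E
# followed by "call 0041277C" at 0040F81F (E8 58 2F 00 00).
FAKE_OEP_BASE = 0x0040F818
FAKE_OEP_BYTES = bytes.fromhex("90909090909090" "E8582F0000")

# Stack as seen at the fake OEP, top of stack first ([esp], [esp+4]).
# The third dword (RETURN to kernel32) is the caller's return address,
# not something the stolen code pushed, so it is left out.
STACK_AT_FAKE_OEP = [0x0042ADC0, 0x00000060]


def encode_push(imm: int) -> bytes:
    """Encode `push imm` as a compiler would: 6A ib when the value survives
    sign extension from one byte, otherwise 68 id (little-endian dword)."""
    imm &= 0xFFFFFFFF
    signed = imm - (1 << 32) if imm & 0x80000000 else imm
    if -128 <= signed <= 127:
        return bytes([0x6A, signed & 0xFF])
    return b"\x68" + struct.pack("<I", imm)


def stolen_pushes_from_stack(stack_top_down) -> bytes:
    """The dword at [esp] was pushed last, so walk the snapshot from the
    highest address back to the top to recover the original push order."""
    return b"".join(encode_push(v) for v in reversed(stack_top_down))


def count_leading_nops(code: bytes) -> int:
    n = 0
    while n < len(code) and code[n] == 0x90:
        n += 1
    return n


def repair_fake_oep(code: bytes, stack_top_down) -> bytes:
    """Overwrite the NOP sled with the rebuilt pushes. The rebuilt code must
    fill the sled exactly: a mismatch means the stack snapshot does not
    account for every stolen byte (or includes a value that was not pushed)."""
    sled = count_leading_nops(code)
    stolen = stolen_pushes_from_stack(stack_top_down)
    if len(stolen) != sled:
        raise ValueError(f"stolen code is {len(stolen)} bytes, NOP sled is {sled}")
    return stolen + code[sled:]


def disasm_pushes(code: bytes, base: int) -> list:
    """Decode the leading 6A/68 pushes into (address, text) pairs, in the
    same style as the OllyDbg listing."""
    out, off = [], 0
    while off < len(code) and code[off] in (0x6A, 0x68):
        if code[off] == 0x6A:
            imm = struct.unpack("<b", code[off + 1:off + 2])[0] & 0xFFFFFFFF
            out.append((base + off, f"push {imm:X}"))
            off += 2
        else:
            imm = struct.unpack("<I", code[off + 1:off + 5])[0]
            out.append((base + off, f"push {imm:08X}"))
            off += 5
    return out


if __name__ == "__main__":
    patched = repair_fake_oep(FAKE_OEP_BYTES, STACK_AT_FAKE_OEP)
    for addr, text in disasm_pushes(patched, FAKE_OEP_BASE):
        print(f"{addr:08X} {text}")
```

The length check is the point: push 60 is two bytes (6A 60) because 60h fits a sign-extended byte, push 0042ADC0 is five (68 C0 AD 42 00), and 2 + 5 is exactly the seven NOPs the packer left, which is the sanity check to run before trusting a hand-patched OEP.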
2. Import Table
ImpREC information
OEP:F818
RVA:00028000
Size:00000594
Pick any IAT slot, for example 42805c
Turn off the ignoring of exceptions and the SFX tracing, then restart the program
Run to the last exception
0A24DC09 CD 01 int 1
Set a breakpoint on GetModuleHandleA
77E5ACD9 > 837C24 04 00 cmp dword ptr [esp+4], 0
77E5ACDE 0F84 37010000 je 77E5AE1B
77E5ACE4 FF7424 04 push dword ptr [esp+4]
77E5ACE8 E8 F8050000 call 77E5B2E5
77E5ACED 85C0 test eax, eax
77E5ACEF 74 08 je short 77E5ACF9
77E5ACF1 FF70 04 push dword ptr [eax+4]
77E5ACF4 E8 27060000 call GetModuleHandleW
77E5ACF9 C2 0400 retn 4 ; break here
hr 42805c (hardware breakpoint on write) to watch where the IAT is written
0A2692BF 8B16 mov edx, [esi]
0A2692C1 83C6 04 add esi, 4
0A2692C4 F9 stc
0A2692C5 13D2 adc edx, edx
0A2692C7 C3 retn
...
0A265B3E 6A 05 push 5
0A265B40 5A pop edx
0A265B41 2BC3 sub eax, ebx
0A265B43 2BC2 sub eax, edx
0A265B45 C603 E9 mov byte ptr [ebx], 0E9
0A265B48 8943 01 mov [ebx+1], eax
0A265B4B 0111 add [ecx], edx
0A265B4D 5F pop edi
0A265B4E 58 pop eax
0A265B4F 8907 mov [edi], eax ; Patch
0A265B51 61 popad
This is the IAT redirection for ordinary functions; look upward to see where it begins
0A265A8C 60 pushad
0A265A8D 0F84 BC000000 je 0A265B4F ; *Magic Jump* taken -> 0A265B4F stores eax (the real API address) into the IAT slot; not taken -> build a redirection stub
0A265A93 8B8D 5B010200 mov ecx, [ebp+2015B]
0A265A99 8D99 65520300 lea ebx, [ecx+35265] ; buffer where the stub is built
0A265A9F 8D8D 2E030200 lea ecx, [ebp+2032E] ; size already used
0A265AA5 0319 add ebx, [ecx]
0A265AA7 8139 00300000 cmp dword ptr [ecx], 3000
0A265AAD 0F83 9C000000 jnb 0A265B4F ; buffer full (3000h bytes used) -> no redirection for this entry
0A265AB3 53 push ebx
0A265AB4 57 push edi
0A265AB5 51 push ecx
0A265AB6 8A10 mov dl, [eax] ; dl = first opcode byte of the API
0A265AB8 50 push eax
0A265AB9 B0 12 mov al, 12
0A265ABB 32C2 xor al, dl
0A265ABD 34 DE xor al, 0DE ; 12h xor 0DEh = 0CCh, so al is zero only when the first byte is int3
0A265ABF 75 03 jnz short 0A265AC4
0A265AC1 80C2 01 add dl, 1 ; breakpoint byte present: dl becomes 0CDh
0A265AC4 58 pop eax
0A265AC5 80FA 50 cmp dl, 50
0A265AC8 72 05 jb short 0A265ACF
0A265ACA 80FA 5F cmp dl, 5F
0A265ACD 76 3A jbe short 0A265B09 ; 50h-5Fh: push/pop r32 as the API's first instruction
0A265ACF 80FA 6A cmp dl, 6A ; 6Ah: push imm8
It starts disassembling the API here
0A265B4F 8907 mov [edi], eax
0A265B51 61 popad
Patch here
Run it again; when it gets here change the je to a jmp, look downward for where the routine ends, and set an INT3 there
0A265B7A 33C0 xor eax, eax ; set breakpoint
0A265B7C 64:8F00 pop dword ptr fs:[eax]
0A265B7F 83C4 04 add esp, 4
0A265B82 C3 retn
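As an added example, not code from the post or from the packer itself: the stub arithmetic at 0A265B3E..0A265B48 (push 5; pop edx; sub eax, ebx; sub eax, edx; then E9 and the result written at ebx) means rel32 = target - stub - 5, so the target can be recovered as stub + 5 + rel32. Inverting it is what separates the slots the magic jump fixed from the residual ones. The kernel32 address range, the stub addresses 0A265C00 and 0A265C40 and the LoadLibraryA address are constructed; 77E5ACD9 is GetModuleHandleA as seen in the listing above, and the slot RVAs are the ones ImpREC shows in the tree further down.

```python
import struct

IMAGE_BASE = 0x00400000  # the post's IAT slots are 0042xxxx with RVA 00028xxx

# Constructed module map: the kernel32 range is made up for the example;
# 77E5ACD9 is GetModuleHandleA as seen in the post, 77E7D000 is invented.
MODULES = {"kernel32.dll": (0x77E40000, 0x77F40000)}
EXPORTS = {
    0x77E5ACD9: ("kernel32.dll", "GetModuleHandleA"),
    0x77E7D000: ("kernel32.dll", "LoadLibraryA"),
}


def build_jmp_stub(stub_addr: int, target: int) -> bytes:
    """Same arithmetic as the packer at 0A265B41-0A265B48:
    eax = target - ebx - 5, then E9 followed by that rel32 at ebx."""
    rel = (target - stub_addr - 5) & 0xFFFFFFFF
    return b"\xE9" + struct.pack("<I", rel)


def resolve_jmp_stub(stub_addr: int, stub_bytes: bytes):
    """Undo it: target = stub + 5 + rel32 (mod 2^32). Returns None when the
    stub does not start with a plain jmp rel32, which is the case for the
    'special' functions the post had to trace by hand."""
    if len(stub_bytes) < 5 or stub_bytes[0] != 0xE9:
        return None
    rel = struct.unpack("<I", stub_bytes[1:5])[0]
    return (stub_addr + 5 + rel) & 0xFFFFFFFF


def module_of(addr: int):
    for name, (lo, hi) in MODULES.items():
        if lo <= addr < hi:
            return name
    return None


def classify_iat(iat: dict, memory: dict) -> dict:
    """iat maps slot VA -> dword found there; memory maps stub VA -> bytes
    read from the packer's buffer. Returns slot RVA -> (status, module, name)."""
    result = {}
    for slot, value in sorted(iat.items()):
        rva = slot - IMAGE_BASE
        if module_of(value):                       # already a real API pointer
            result[rva] = ("direct",) + EXPORTS.get(value, (module_of(value), None))
            continue
        target = resolve_jmp_stub(value, memory.get(value, b""))
        if target is not None and module_of(target):
            result[rva] = ("redirected",) + EXPORTS.get(target, (module_of(target), None))
        else:                                      # residual: needs manual tracing
            result[rva] = ("unresolved", None, None)
    return result


# Constructed sample memory and IAT contents.
SAMPLE_MEMORY = {
    0x0A265C00: build_jmp_stub(0x0A265C00, 0x77E5ACD9),   # plain jmp stub
    0x0A265C40: bytes.fromhex("60E800000000"),           # pushad; call $+5: not a plain jmp
}
SAMPLE_IAT = {
    0x00428240: 0x0A265C00,   # GetModuleHandleA slot -> packer stub
    0x0042822C: 0x77E7D000,   # LoadLibraryA slot -> direct pointer
    0x004280B8: 0x0A265C40,   # the post's residual slot -> opaque stub
}

if __name__ == "__main__":
    for rva, (status, mod, name) in classify_iat(SAMPLE_IAT, SAMPLE_MEMORY).items():
        print(f"{rva:08X} {status:10s} {mod or '?'} {name or ''}")
```

Running this over a real dump is the same question ImpREC asks per slot: does the dword land inside a loaded module, and if not, can the stub it points at be followed back into one. Anything that comes back "unresolved" is exactly the set the hash-comparison routine handled, which is why the post still needed the second patch.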
After the break the IAT is mostly valid, but the special functions are still encrypted
Pick one of the remaining entries: hr 4280b8
0A26742E 890F mov [edi], ecx ; ECX is the encrypted address
0A267430 7C 03 jl short 0A267435
0A267432 EB 03 jmp short 0A267437
0A267434 - E9 74FB61EB jmp F5886FAD
Trace a few steps and it returns to the main loop
0A265B3E 6A 05 push 5
0A265B40 5A pop edx
0A265B41 2BC3 sub eax, ebx
0A265B43 2BC2 sub eax, edx
0A265B45 C603 E9 mov byte ptr [ebx], 0E9
0A265B48 8943 01 mov [ebx+1], eax
0A265B4B 0111 add [ecx], edx
0A265B4D 5F pop edi
0A265B4E 58 pop eax
0A265B4F 8907 mov [edi], eax
0A265B51 61 popad
0A265B52 8385 43010200 0>add dword ptr [ebp+20143], 4 ; thunk pointer += 4
0A265B59 ^ E9 ADFBFFFF jmp 0A26570B ; loop
0A26570B 8B06 mov eax, [esi]
0A26570D 0BC0 or eax, eax
0A26570F 8B95 871C0300 mov edx, [ebp+31C87]
0A265715 75 03 jnz short 0A26571A
0A265747 80BD 7F1B0300 0>cmp byte ptr [ebp+31B7F], 1
0A26574E 74 06 je short 0A265756
0A265750 81E3 FFFFFF0F and ebx, 0FFFFFFF
0A265775 2903 sub [ebx], eax
0A265777 58 pop eax
0A265778 813B CC971025 cmp dword ptr [ebx], 251097CC
0A26577E 0F84 41170000 je 0A266EC5
0A265784 813B C5B1662D cmp dword ptr [ebx], 2D66B1C5
0A26578A 0F84 62180000 je 0A266FF2
0A265790 813B 9404B2D9 cmp dword ptr [ebx], D9B20494
0A265796 0F84 AA1C0000 je 0A267446
0A26579C 813B A41A86D0 cmp dword ptr [ebx], D0861AA4
0A2657A2 0F84 58210000 je 0A267900
0A2657A8 813B 706586B1 cmp dword ptr [ebx], B1866570
...
0A265832 /0F84 FC2D0000 je 0A268634
0A265838 |813B B8B8B2FB cmp dword ptr [ebx], FBB2B8B8
0A26583E |0F84 56320000 je 0A268A9A
0A265844 |813B 8E5D2D57 cmp dword ptr [ebx], 572D5D8E
0A26584A |0F84 86320000 je 0A268AD6
A long chain of comparisons; the special functions are probably matched by hash
Patch here:
0A265778 /E9 D3000000 jmp 0A265850
0A26577D |90 nop
BPX at 0040F81F, then in ImpREC every entry is valid X-D
; Syntax for each function in a thunk (the separator is a TAB)
; ------------------------------------------------------------
; Flag RVA ModuleName Ordinal Name
;
; Details for <Valid> parameter:
; ------------------------------
; Flag: 0 = valid: no -> - Name contains the address of the redirected API (you can set
; it to zero if you edit it).
; - Ordinal is not considered but you should let '0000' as value.
; - ModuleName is not considered but you should let '?' as value.
;
; 1 = valid: yes -> All next parameters on the line will be considered.
; Function imported by ordinal must have no name (the 4th TAB must
; be there though).
;
; 2 = Equivalent to 0 but it is for the loader.
;
; 3 = Equivalent to 1 but it is for the loader.
;
; 4 = Equivalent to 0 with (R) tag.
;
; 5 = Equivalent to 1 with (R) tag.
;
; And finally, edit this file as your own risk! :-)
Target: mxdgg1.1.exe
OEP: 0000F81F IATRVA: 00028000 IATSize: 00000594
FThunk: 00028000 NbFunc: 00000009
1 00028000 advapi32.dll 01E1 RegOpenKeyA
1 00028004 advapi32.dll 01EC RegQueryValueExA
1 00028008 advapi32.dll 01E2 RegOpenKeyExA
1 0002800C advapi32.dll 01D0 RegDeleteKeyA
1 00028010 advapi32.dll 01D5 RegEnumKeyA
1 00028014 advapi32.dll 01EB RegQueryValueA
1 00028018 advapi32.dll 01CD RegCreateKeyExA
1 0002801C advapi32.dll 01F9 RegSetValueExA
1 00028020 advapi32.dll 01C9 RegCloseKey
FThunk: 00028028 NbFunc: 00000001
1 00028028 comctl32.dll 0011 InitCommonControls
FThunk: 00028030 NbFunc: 00000020
1 00028030 gdi32.dll 01C0 GetViewportExtEx
1 00028034 gdi32.dll 01C3 GetWindowExtEx
1 00028038 gdi32.dll 01F2 PtVisible
1 0002803C gdi32.dll 01F6 RectVisible
1 00028040 gdi32.dll 024F TextOutA
1 00028044 gdi32.dll 00DE ExtTextOutA
1 00028048 gdi32.dll 00D5 Escape
1 0002804C gdi32.dll 020F SelectObject
1 00028050 gdi32.dll 0240 SetViewportOrgEx
1 00028054 gdi32.dll 01D6 OffsetViewportOrgEx
1 00028058 gdi32.dll 023F SetViewportExtEx
1 0002805C gdi32.dll 0209 ScaleViewportExtEx
1 00028060 gdi32.dll 0243 SetWindowExtEx
1 00028064 gdi32.dll 020A ScaleWindowExtEx
1 00028068 gdi32.dll 00DD ExtSelectClipRgn
1 0002806C gdi32.dll 008D DeleteDC
1 00028070 gdi32.dll 014D GetBkColor
1 00028074 gdi32.dll 01B0 GetTextColor
1 00028078 gdi32.dll 004D CreateRectRgnIndirect
1 0002807C gdi32.dll 01A5 GetRgnBox
1 00028080 gdi32.dll 018E GetMapMode
1 00028084 gdi32.dll 0090 DeleteObject
1 00028088 gdi32.dll 022C SetMapMode
1 0002808C gdi32.dll 0201 RestoreDC
1 00028090 gdi32.dll 0208 SaveDC
1 00028094 gdi32.dll 0028 CreateBitmap
1 00028098 gdi32.dll 016C GetDeviceCaps
1 0002809C gdi32.dll 01A6 GetStockObject
1 000280A0 gdi32.dll 0216 SetBkColor
1 000280A4 gdi32.dll 023D SetTextColor
1 000280A8 gdi32.dll 0161 GetClipBox
1 000280AC gdi32.dll 0196 GetObjectA
FThunk: 000280B4 NbFunc: 00000080
1 000280B4 kernel32.dll 01A7 GetStartupInfoA
1 000280B8 kernel32.dll 0104 GetCommandLineA
1 000280BC kernel32.dll 00B1 ExitProcess
1 000280C0 kernel32.dll 02BF RtlUnwind
1 000280C4 kernel32.dll 0207 HeapReAlloc
1 000280C8 kernel32.dll 0291 RaiseException
1 000280CC kernel32.dll 0341 TerminateProcess
1 000280D0 kernel32.dll 0209 HeapSize
1 000280D4 kernel32.dll 01AA GetStringTypeA
1 000280D8 kernel32.dll 01AD GetStringTypeW
1 000280DC kernel32.dll 0201 HeapDestroy
1 000280E0 kernel32.dll 01FF HeapCreate
1 000280E4 kernel32.dll 0368 VirtualFree
1 000280E8 kernel32.dll 0365 VirtualAlloc
1 000280EC kernel32.dll 0222 IsBadWritePtr
1 000280F0 kernel32.dll 01A9 GetStdHandle
1 000280F4 kernel32.dll 0352 UnhandledExceptionFilter
1 000280F8 kernel32.dll 00E9 FreeEnvironmentStringsA
1 000280FC kernel32.dll 0148 GetEnvironmentStrings
1 00028100 kernel32.dll 00EA FreeEnvironmentStringsW
1 00028104 kernel32.dll 01FD HeapAlloc
1 00028108 kernel32.dll 024F LockResource
1 0002810C kernel32.dll 0159 GetFileType
1 00028110 kernel32.dll 028C QueryPerformanceCounter
1 00028114 kernel32.dll 0137 GetCurrentProcessId
1 00028118 kernel32.dll 032D SetUnhandledExceptionFilter
1 0002811C kernel32.dll 022E LCMapStringA
1 00028120 kernel32.dll 022F LCMapStringW
1 00028124 kernel32.dll 01CF GetTimeZoneInformation
1 00028128 kernel32.dll 036B VirtualProtect
1 0002812C kernel32.dll 01B3 GetSystemInfo
1 00028130 kernel32.dll 036D VirtualQuery
1 00028134 kernel32.dll 021F IsBadReadPtr
1 00028138 kernel32.dll 021C IsBadCodePtr
1 0002813C kernel32.dll 031C SetStdHandle
1 00028140 kernel32.dll 02F9 SetEnvironmentVariableA
1 00028144 kernel32.dll 0203 HeapFree
1 00028148 kernel32.dll 01B8 GetSystemTimeAsFileTime
1 0002814C kernel32.dll 0158 GetFileTime
1 00028150 kernel32.dll 0151 GetFileAttributesA
1 00028154 kernel32.dll 00BD FileTimeToLocalFileTime
1 00028158 kernel32.dll 02FB SetErrorMode
1 0002815C kernel32.dll 004F CreateFileA
1 00028160 kernel32.dll 015C GetFullPathNameA
1 00028164 kernel32.dll 01D8 GetVolumeInformationA
1 00028168 kernel32.dll 00CB FindFirstFileA
1 0002816C kernel32.dll 00C7 FindClose
1 00028170 kernel32.dll 0136 GetCurrentProcess
1 00028174 kernel32.dll 008E DuplicateHandle
1 00028178 kernel32.dll 0156 GetFileSize
1 0002817C kernel32.dll 02F8 SetEndOfFile
1 00028180 kernel32.dll 0353 UnlockFile
1 00028184 kernel32.dll 024D LockFile
1 00028188 kernel32.dll 00E1 FlushFileBuffers
1 0002818C kernel32.dll 0301 SetFilePointer
1 00028190 kernel32.dll 0386 WriteFile
1 00028194 kernel32.dll 029E ReadFile
1 00028198 kernel32.dll 038B WritePrivateProfileStringA
1 0002819C kernel32.dll 0185 GetOEMCP
1 000281A0 kernel32.dll 00F8 GetCPInfo
1 000281A4 kernel32.dll 0218 InterlockedIncrement
1 000281A8 kernel32.dll 0347 TlsFree
1 000281AC kernel32.dll 007C DeleteCriticalSection
1 000281B0 kernel32.dll 0249 LocalReAlloc
1 000281B4 kernel32.dll 0349 TlsSetValue
1 000281B8 kernel32.dll 0346 TlsAlloc
1 000281BC kernel32.dll 0210 InitializeCriticalSection
1 000281C0 kernel32.dll 0348 TlsGetValue
1 000281C4 kernel32.dll 0091 EnterCriticalSection
1 000281C8 kernel32.dll 01EF GlobalHandle
1 000281CC kernel32.dll 01F3 GlobalReAlloc
1 000281D0 kernel32.dll 023B LeaveCriticalSection
1 000281D4 kernel32.dll 0242 LocalAlloc
1 000281D8 kernel32.dll 00BE FileTimeToSystemTime
1 000281DC kernel32.dll 01EB GlobalFlags
1 000281E0 kernel32.dll 0214 InterlockedDecrement
1 000281E4 kernel32.dll 0138 GetCurrentThread
1 000281E8 kernel32.dll 03A1 lstrcmp
1 000281EC kernel32.dll 003C ConvertDefaultLocale
1 000281F0 kernel32.dll 009C EnumResourceLanguagesA
1 000281F4 kernel32.dll 0163 GetLastError
1 000281F8 kernel32.dll 02B9 RestoreLastError
1 000281FC kernel32.dll 025E MulDiv
1 00028200 kernel32.dll 01E5 GlobalAlloc
1 00028204 kernel32.dll 00E6 FormatMessageA
1 00028208 kernel32.dll 0246 LocalFree
1 0002820C kernel32.dll 016E GetModuleFileNameA
1 00028210 kernel32.dll 0338 SizeofResource
1 00028214 kernel32.dll 03AA lstrcpyn
1 00028218 kernel32.dll 0139 GetCurrentThreadId
1 0002821C kernel32.dll 01ED GlobalGetAtomNameA
1 00028220 kernel32.dll 01E3 GlobalAddAtomA
1 00028224 kernel32.dll 01E8 GlobalFindAtomA
1 00028228 kernel32.dll 01E7 GlobalDeleteAtom
1 0002822C kernel32.dll 023C LoadLibraryA
1 00028230 kernel32.dll 00EB FreeLibrary
1 00028234 kernel32.dll 039E lstrcat
1 00028238 kernel32.dll 03A3 lstrcmpW
1 0002823C kernel32.dll 03A7 lstrcpy
1 00028240 kernel32.dll 0170 GetModuleHandleA
1 00028244 kernel32.dll 0192 GetProcAddress
1 00028248 kernel32.dll 01F0 GlobalLock
1 0002824C kernel32.dll 01F7 GlobalUnlock
1 00028250 kernel32.dll 01EC GlobalFree
1 00028254 kernel32.dll 00DA FindResourceA
1 00028258 kernel32.dll 0241 LoadResource
1 0002825C kernel32.dll 024F LockResource
1 00028260 kernel32.dll 00ED FreeResource
1 00028264 kernel32.dll 01D5 GetVersion
1 00028268 kernel32.dll 01D6 GetVersionExA
1 0002826C kernel32.dll 0037 CompareStringA
1 00028270 kernel32.dll 01C7 GetThreadLocale
1 00028274 kernel32.dll 03A4 lstrcmpi
1 00028278 kernel32.dll 0215 InterlockedExchange
1 0002827C kernel32.dll 025F MultiByteToWideChar
1 00028280 kernel32.dll 00F1 GetACP
1 00028284 kernel32.dll 0038 CompareStringW
1 00028288 kernel32.dll 0379 WideCharToMultiByte
1 0002828C kernel32.dll 0166 GetLocaleInfoA
1 00028290 kernel32.dll 03AD lstrlen
1 00028294 kernel32.dll 0031 CloseHandle
1 00028298 kernel32.dll 026F OpenProcess
1 0002829C kernel32.dll 001C Beep
1 000282A0 kernel32.dll 038F WriteProcessMemory
1 000282A4 kernel32.dll 02A1 ReadProcessMemory
1 000282A8 kernel32.dll 036C VirtualProtectEx
1 000282AC kernel32.dll 014A GetEnvironmentStringsW
1 000282B0 kernel32.dll 01CC GetTickCount
FThunk: 000282B8 NbFunc: 00000002
1 000282B8 oleacc.dll 0014 LresultFromObject
1 000282BC oleacc.dll 0007 CreateStdAccessibleObject
FThunk: 000282C4 NbFunc: 0000000C
1 000282C4 oleaut32.dll 0006 SysFreeString
1 000282C8 oleaut32.dll 0096 SysAllocStringByteLen
1 000282CC oleaut32.dll 0009 VariantClear
1 000282D0 oleaut32.dll 000C VariantChangeType
1 000282D4 oleaut32.dll 0008 VariantInit
1 000282D8 oleaut32.dll 0004 SysAllocStringLen
1 000282DC oleaut32.dll 000A VariantCopy
1 000282E0 oleaut32.dll 0010 SafeArrayDestroy
1 000282E4 oleaut32.dll 00B8 SystemTimeToVariantTime
1 000282E8 oleaut32.dll 0002 SysAllocString
1 000282EC oleaut32.dll 01A4 OleCreateFontIndirect
1 000282F0 oleaut32.dll 0007 SysStringLen
FThunk: 000282F8 NbFunc: 00000004
1 000282F8 shlwapi.dll 024D PathFindFileNameA
1 000282FC shlwapi.dll 0299 PathStripToRootA
1 00028300 shlwapi.dll 024B PathFindExtensionA
1 00028304 shlwapi.dll 0271 PathIsUNCA
FThunk: 0002830C NbFunc: 0000007D
1 0002830C user32.dll 0203 PostThreadMessageA
1 00028310 user32.dll 0202 PostQuitMessage
1 00028314 user32.dll 02D9 wsprintfA
1 00028318 user32.dll 0262 SetMenuItemBitmaps
1 0002831C user32.dll 01E5 ModifyMenuA
1 00028320 user32.dll 00C3 EnableMenuItem
1 00028324 user32.dll 003A CheckMenuItem
1 00028328 user32.dll 012F GetMenuCheckMarkDimensions
1 0002832C user32.dll 01B6 LoadBitmapA
1 00028330 user32.dll 0138 GetMenuState
1 00028334 user32.dll 0293 ShowWindow
1 00028338 user32.dll 01EA MoveWindow
1 0002833C user32.dll 0287 SetWindowTextA
1 00028340 user32.dll 01A1 IsDialogMessage
1 00028344 user32.dll 021B RegisterClipboardFormatA
1 00028348 user32.dll 02D3 WinHelpA
1 0002834C user32.dll 00F4 GetCapture
1 00028350 user32.dll 0061 CreateWindowExA
1 00028354 user32.dll 028B SetWindowsHookExA
1 00028358 user32.dll 001B CallNextHookEx
1 0002835C user32.dll 00FB GetClassLongA
1 00028360 user32.dll 00F8 GetClassInfoExA
1 00028364 user32.dll 00FD GetClassNameA
1 00028368 user32.dll 026B SetPropA
1 0002836C user32.dll 014B GetPropA
1 00028370 user32.dll 022D RemovePropA
1 00028374 user32.dll 0237 SendDlgItemMessageA
1 00028378 user32.dll 0117 GetFocus
1 0002837C user32.dll 0257 SetFocus
1 00028380 user32.dll 019F IsChild
1 00028384 user32.dll 0179 GetWindowTextLengthA
1 00028388 user32.dll 0178 GetWindowTextA
1 0002838C user32.dll 0118 GetForegroundWindow
1 00028390 user32.dll 0129 GetLastActivePopup
1 00028394 user32.dll 00A2 DispatchMessageA
1 00028398 user32.dll 0164 GetTopWindow
1 0002839C user32.dll 02AF UnhookWindowsHookEx
1 000283A0 user32.dll 013E GetMessageTime
1 000283A4 user32.dll 013D GetMessagePos
1 000283A8 user32.dll 01FE PeekMessageA
1 000283AC user32.dll 01D8 MapWindowPoints
1 000283B0 user32.dll 01DD MessageBoxA
1 000283B4 user32.dll 0122 GetKeyState
1 000283B8 user32.dll 0258 SetForegroundWindow
1 000283BC user32.dll 01B0 IsWindowVisible
1 000283C0 user32.dll 02BC UpdateWindow
1 000283C4 user32.dll 012D GetMenu
1 000283C8 user32.dll 0200 PostMessageA
1 000283CC user32.dll 015A GetSubMenu
1 000283D0 user32.dll 0134 GetMenuItemID
1 000283D4 user32.dll 0133 GetMenuItemCount
1 000283D8 user32.dll 015B GetSysColor
1 000283DC user32.dll 0003 AdjustWindowRectEx
1 000283E0 user32.dll 00E0 EqualRect
1 000283E4 user32.dll 00F7 GetClassInfoA
1 000283E8 user32.dll 0217 RegisterClassA
1 000283EC user32.dll 02B4 UnregisterClassA
1 000283F0 user32.dll 0111 GetDlgCtrlID
1 000283F4 user32.dll 008F DefWindowProcA
1 000283F8 user32.dll 001C CallWindowProcA
1 000283FC user32.dll 0281 SetWindowLongA
1 00028400 user32.dll 0284 SetWindowPos
1 00028404 user32.dll 01F3 OffsetRect
1 00028408 user32.dll 0193 IntersectRect
1 0002840C user32.dll 029A SystemParametersInfoA
1 00028410 user32.dll 0174 GetWindowPlacement
1 00028414 user32.dll 0175 GetWindowRect
1 00028418 user32.dll 023C SendMessageA
1 0002841C user32.dll 00C5 EnableWindow
1 00028420 user32.dll 01BC LoadIconA
1 00028424 user32.dll 01DC MessageBeep
1 00028428 user32.dll 0143 GetNextDlgGroupItem
1 0002842C user32.dll 0195 InvalidateRgn
1 00028430 user32.dll 0194 InvalidateRect
1 00028434 user32.dll 0047 CopyAcceleratorTableA
1 00028438 user32.dll 026D SetRect
1 0002843C user32.dll 01A9 IsRectEmpty
1 00028440 user32.dll 002B CharNextA
1 00028444 user32.dll 004B CopyRect
1 00028448 user32.dll 020C PtInRect
1 0002844C user32.dll 016B GetWindow
1 00028450 user32.dll 010F GetDesktopWindow
1 00028454 user32.dll 00EC GetActiveWindow
1 00028458 user32.dll 0244 SetActiveWindow
1 0002845C user32.dll 0053 CreateDialogIndirectParamA
1 00028460 user32.dll 009A DestroyWindow
1 00028464 user32.dll 01AC IsWindow
1 00028468 user32.dll 016F GetWindowLongA
1 0002846C user32.dll 0112 GetDlgItem
1 00028470 user32.dll 01AD IsWindowEnabled
1 00028474 user32.dll 0146 GetParent
1 00028478 user32.dll 0144 GetNextDlgTabItem
1 0002847C user32.dll 00C7 EndDialog
1 00028480 user32.dll 021B RegisterClipboardFormatA
1 00028484 user32.dll 0035 CharUpperA
1 00028488 user32.dll 027B SetTimer
1 0002848C user32.dll 00F3 GetAsyncKeyState
1 00028490 user32.dll 017C GetWindowThreadProcessId
1 00028494 user32.dll 00E4 FindWindowA
1 00028498 user32.dll 00B7 DrawIcon
1 0002849C user32.dll 0100 GetClientRect
1 000284A0 user32.dll 015E GetSystemMetrics
1 000284A4 user32.dll 01A7 IsIconic
1 000284A8 user32.dll 022A ReleaseCapture
1 000284AC user32.dll 0245 SetCapture
1 000284B0 user32.dll 0098 DestroyMenu
1 000284B4 user32.dll 01B8 LoadCursorA
1 000284B8 user32.dll 015C GetSysColorBrush
1 000284BC user32.dll 00C9 EndPaint
1 000284C0 user32.dll 000E BeginPaint
1 000284C4 user32.dll 016D GetWindowDC
1 000284C8 user32.dll 022B ReleaseDC
1 000284CC user32.dll 010D GetDC
1 000284D0 user32.dll 0041 ClientToScreen
1 000284D4 user32.dll 017E GrayStringA
1 000284D8 user32.dll 00BE DrawTextExA
1 000284DC user32.dll 00BD DrawTextA
1 000284E0 user32.dll 029C TabbedTextOutA
1 000284E4 user32.dll 01D3 MapDialogRect
1 000284E8 user32.dll 024E SetCursor
1 000284EC user32.dll 013B GetMessageA
1 000284F0 user32.dll 02AB TranslateMessage
1 000284F4 user32.dll 010C GetCursorPos
1 000284F8 user32.dll 02C6 ValidateRect
1 000284FC user32.dll 0280 SetWindowContextHelpId
FThunk: 00028504 NbFunc: 00000003
1 00028504 winspool.drv 0103 OpenPrinterA
1 00028508 winspool.drv 00B1 DocumentPropertiesA
1 0002850C winspool.drv 0086 ClosePrinter
FThunk: 00028514 NbFunc: 0000000B
1 00028514 wsock32.dll 0004 connect
1 00028518 wsock32.dll 0013 send
1 0002851C wsock32.dll 0010 recv
1 00028520 wsock32.dll 0003 closesocket
1 00028524 wsock32.dll 0016 shutdown
1 00028528 wsock32.dll 0009 htons
1 0002852C wsock32.dll 000A inet_addr
1 00028530 wsock32.dll 0017 socket
1 00028534 wsock32.dll 0074 WSACleanup
1 00028538 wsock32.dll 0073 WSAStartup
1 0002853C wsock32.dll 0012 select
FThunk: 00028544 NbFunc: 00000001
1 00028544 comdlg32.dll 006C GetFileTitleA
FThunk: 0002854C NbFunc: 0000000F
1 0002854C ole32.dll 0064 CoTaskMemAlloc
1 00028550 ole32.dll 0008 CLSIDFromProgID
1 00028554 ole32.dll 000A CLSIDFromString
1 00028558 ole32.dll 0024 CoGetClassObject
1 0002855C ole32.dll 013F StgOpenStorageOnILockBytes
1 00028560 ole32.dll 0132 StgCreateDocfileOnILockBytes
1 00028564 ole32.dll 008C CreateILockBytesOnHGlobal
1 00028568 ole32.dll 0114 OleUninitialize
1 0002856C ole32.dll 001E CoFreeUnusedLibraries
1 00028570 ole32.dll 00FD OleInitialize
1 00028574 ole32.dll 005C CoRevokeClassObject
1 00028578 ole32.dll 0053 CoRegisterMessageFilter
1 0002857C ole32.dll 00F8 OleFlushClipboard
1 00028580 ole32.dll 00FF OleIsCurrentClipboard
1 00028584 ole32.dll 0065 CoTaskMemFree
FThunk: 0002858C NbFunc: 00000001
1 0002858C oledlg.dll 0008 OleUIBusyA
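The header ImpREC writes above the tree documents the line format (Flag, RVA, ModuleName, Ordinal, Name, TAB separated). Here is an added Python example, not part of the post or of ImpREC, that parses that format and runs the consistency checks worth doing before trusting a tree: NbFunc matches the number of entries, slots are contiguous dwords inside the declared IAT range, flags are known, and unresolved entries (flag 0/2/4) are reported with the raw value left in the Name column. The sample tree is constructed from the post's first thunks, with a kernel32 thunk cut to two entries and a made-up stub address 0A265C40 as the unresolved value.

```python
import re
from dataclasses import dataclass, field

# Flag values as documented in the header ImpREC writes above the tree:
# 1/3/5 mean "valid" (plain, for the loader, with (R) tag); 0/2/4 mean
# the entry is unresolved and Name holds the raw redirected address.
KNOWN_FLAGS = set(range(6))
VALID_FLAGS = {1, 3, 5}

@dataclass
class Thunk:
    rva: int
    nb_func: int
    entries: list = field(default_factory=list)  # (flag, rva, module, ordinal, name)

@dataclass
class ImportTree:
    target: str = ""
    oep: int = 0
    iat_rva: int = 0
    iat_size: int = 0
    thunks: list = field(default_factory=list)

def _hexes(pattern: str, line: str) -> list:
    m = re.match(pattern, line)
    if not m:
        raise ValueError(f"malformed line: {line!r}")
    return [int(x, 16) for x in m.groups()]

def parse_imprec_tree(text: str) -> ImportTree:
    """Entry lines are TAB separated (name empty for ordinal-only imports);
    whitespace-separated lines, as they look once a forum post has eaten
    the tabs, are accepted as a fallback."""
    tree = ImportTree()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("Target:"):
            tree.target = line.split(":", 1)[1].strip()
        elif line.startswith("OEP:"):
            tree.oep, tree.iat_rva, tree.iat_size = _hexes(
                r"OEP:\s*(\w+)\s+IATRVA:\s*(\w+)\s+IATSize:\s*(\w+)", line)
        elif line.startswith("FThunk:"):
            tree.thunks.append(Thunk(*_hexes(r"FThunk:\s*(\w+)\s+NbFunc:\s*(\w+)", line)))
        else:
            fields = raw.rstrip("\r\n").split("\t") if "\t" in raw else line.split(None, 4)
            if not tree.thunks or len(fields) < 4:
                raise ValueError(f"malformed entry: {line!r}")
            name = fields[4] if len(fields) > 4 else ""
            tree.thunks[-1].entries.append(
                (int(fields[0]), int(fields[1], 16), fields[2], int(fields[3], 16), name))
    return tree

def check_tree(tree: ImportTree) -> list:
    """Report every inconsistency as a string; an empty list means the tree
    is ready to be written back into the dump."""
    problems = []
    for t in tree.thunks:
        if len(t.entries) != t.nb_func:
            problems.append(f"FThunk {t.rva:08X}: NbFunc {t.nb_func} but {len(t.entries)} entries")
        for i, (flag, rva, module, ordinal, name) in enumerate(t.entries):
            if rva != t.rva + 4 * i:
                problems.append(f"{rva:08X}: expected slot {t.rva + 4 * i:08X}")
            if not tree.iat_rva <= rva < tree.iat_rva + tree.iat_size:
                problems.append(f"{rva:08X}: outside the IAT")
            if flag not in KNOWN_FLAGS:
                problems.append(f"{rva:08X}: unknown flag {flag}")
            elif flag not in VALID_FLAGS:
                problems.append(f"{rva:08X}: unresolved (flag {flag}), raw value {name}")
    return problems

def valid_count(tree: ImportTree) -> tuple:
    entries = [e for t in tree.thunks for e in t.entries]
    return sum(e[0] in VALID_FLAGS for e in entries), len(entries)

# Constructed sample: three advapi32 entries and the comctl32 thunk from the
# post, plus a kernel32 thunk (NbFunc cut to 2) whose second slot is still
# unresolved; the stub address 0A265C40 in its Name column is made up.
SAMPLE_TREE = "\n".join([
    "Target: mxdgg1.1.exe",
    "OEP: 0000F81F\tIATRVA: 00028000\tIATSize: 00000594",
    "FThunk: 00028000\tNbFunc: 00000003",
    "1\t00028000\tadvapi32.dll\t01E1\tRegOpenKeyA",
    "1\t00028004\tadvapi32.dll\t01EC\tRegQueryValueExA",
    "1\t00028008\tadvapi32.dll\t01E2\tRegOpenKeyExA",
    "FThunk: 00028028\tNbFunc: 00000001",
    "1\t00028028\tcomctl32.dll\t0011\tInitCommonControls",
    "FThunk: 000280B4\tNbFunc: 00000002",
    "1\t000280B4\tkernel32.dll\t01A7\tGetStartupInfoA",
    "0\t000280B8\t?\t0000\t0A265C40",
])

if __name__ == "__main__":
    tree = parse_imprec_tree(SAMPLE_TREE)
    print(f"{tree.target}: {valid_count(tree)} valid, OEP {tree.oep:08X}")
    for p in check_tree(tree):
        print("  ", p)
```

The same checks catch the mistake mentioned at the end of the post: an OEP that was never updated shows up immediately when the parsed OEP is compared with the fake OEP (0000F818) rather than the real one.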
3. Unpacking
Simplified procedure: run to the last exception,
0A265A8D 0F84 BC000000 je 0A265B4F ; *Magic Jump*
change it to jmp,
apply the patch,
0A265778 /E9 D3000000 jmp 0A265850
F2 on the fake OEP 0040F81F, Shift+F9,
repair the OEP code
0040F818 6A 60 push 60
0040F81A 68 C0AD4200 push 0042ADC0
Dump, FixDump, Rebuild
At first I forgot to change the OEP and spent ages hunting for the error. Ugh.