Magic jmp: unpacking an EXE packed with tElock V0.98
[Debug environment]: WinXP, OllyDbg 1.10, LordPE, Notepad packed with tElock V0.98
[Author's note]: experts, please don't laugh........
In OllyDbg's debugging options, uncheck every exception-ignore option except "Ignore memory access violations in KERNEL32": the packer raises a series of exceptions on purpose, and we count our way through them with Shift+F9.
Load the tElock V0.98-packed Notepad in OD.
Entry point:
0040DBD4  0000             add byte ptr ds:[eax],al
0040DBD6  E9 25E4FFFF      jmp Note.0040C000        ; ==> the packer's entry point (the stub's OEP)
0040DBDB  0000             add byte ptr ds:[eax],al
0040DBDD  0038             add byte ptr ds:[eax],bh
First exception:
0040DA1C  F1               int1
0040DA1D  FF07             inc dword ptr ds:[edi]   ; ==> single-step exception (raised by the int1 above)
0040DA1F  EB E8            jmp short Note.0040DA09
0040DA21  EB 03            jmp short Note.0040DA26
Second exception:
0040DA72  9D               popfd
0040DA73  F8               clc
0040DA74  73 DC            jnb short Note.0040DA52  ; ==> single-step exception (the flags popped by popfd have TF set)
0040DA76  CD20 64678F06    vxdcall 68F6764
Third exception:
0040C08C  CC               int3
0040C08D  90               nop                      ; ==> INT3 exception (OD stops on the instruction after the int3)
0040C08E  8BC0             mov eax,eax
0040C090  F9               stc
Around the twelfth exception there is another int3 exception:
0040CB28  90               nop                      ; ==> int3 exception
0040CB29  E9 D7000000      jmp Note.0040CC05
0040CB2E  8D85 C20A0000    lea eax,dword ptr ss:[ebp+AC2]
0040CB34  894424 04        mov dword ptr ss:[esp+4],eax
The 15th exception:
0040CBA6  CD68             int 68                   ; ==> stop at this exception
0040CBA8  66:05 7B0C       add ax,0C7B
0040CBAC  66:48            dec ax
0040CBAE  74 55            je short Note.0040CC05
Ctrl+F and search for the command: test esi,esi
because the magic jmp is right below it;
0040D177  8BB5 56D34000    mov esi,dword ptr ss:[ebp+40D356]
0040D17D  85F6             test esi,esi             ; ==> esi = C000
0040D17F  0F84 8B000000    je Note.0040D210
0040D185  8B95 62D34000    mov edx,dword ptr ss:[ebp+40D362]   ; Note.00400000 (the image base)
0040D18B  03F2             add esi,edx              ; esi = Note.0040C000
0040D18D  2B95 66D34000    sub edx,dword ptr ss:[ebp+40D366]   ; the difference here is 0 (both values are Note.0040C000), so the je below would be taken; do not let it jump
0040D193  74 7B            je short Note.0040D210   ; ==> set Z to 0
0040D195  8BDA             mov ebx,edx
0040D197  C1EB 10          shr ebx,10
0040D19A  8B06             mov eax,dword ptr ds:[esi]
0040D19C  85C0             test eax,eax
0040D19E  74 70            je short Note.0040D210   ; ==> set Z to 1 so that it jumps down
0040D1A0  8B4E 04          mov ecx,dword ptr ds:[esi+4]
0040D1A3  83E9 08          sub ecx,8
0040D1A6  D1E9             shr ecx,1
0040D1A8  8BBD 62D34000    mov edi,dword ptr ss:[ebp+40D362]
We land here:
0040D210  8B95 62D34000    mov edx,dword ptr ss:[ebp+40D362]   ; Note.00400000
0040D216  8BB5 52D34000    mov esi,dword ptr ss:[ebp+40D352]   ; esi = 6000, the RVA of the import table; write it down
0040D21C  85F6             test esi,esi
0040D21E  0F84 06040000    je Note.0040D62A         ; ==> set Z to 1 so that it jumps: this skips the routine that encrypts the imports
0040D224  03F2             add esi,edx
0040D226  83A5 52D44000 00 and dword ptr ss:[ebp+40D452],0
0040D22D  8B46 0C          mov eax,dword ptr ds:[esi+C]
0040D230  8366 0C 00       and dword ptr ds:[esi+C],0
0040D234  85C0             test eax,eax
0040D236  0F84 EE030000    je Note.0040D62A
0040D23C  03C2             add eax,edx
0040D23E  8BD8             mov ebx,eax
0040D240  50               push eax
It jumps to here:
0040D62A  8BBD 5AD34000    mov edi,dword ptr ss:[ebp+40D35A]
0040D630  85FF             test edi,edi             ; ==> EDI = 7000 here, which is the end offset of the import table; subtracting the start, 6000, gives 1000. So IAT RVA = 6000; size = 7000 - 6000 = 1000; ok~
0040D632  EB 03            jmp short Note.0040D637
0040D634  0100             add dword ptr ds:[eax],eax
0040D636  EB 74            jmp short Note.0040D6AC
0040D638  3203             xor al,byte ptr ds:[ebx]
0040D63A  BD 62D34000      mov ebp,Note.0040D362
(Note: the jmp short at 0040D632 lands at 0040D637, in the middle of the two-byte instruction OD shows at 0040D636. The lines from 0040D634 to 0040D63A are a misaligned disassembly of junk bytes; decoded from 0040D637 the bytes are 74 32 = je short Note.0040D66B and 03BD 62D34000 = add edi,dword ptr ss:[ebp+40D362], after which the listing is aligned again at 0040D63F. Follow the jump rather than reading the listing linearly.)
0040D63F  8B85 6AD34000    mov eax,dword ptr ss:[ebp+40D36A]
0040D645  85C0             test eax,eax
0040D647  74 22            je short Note.0040D66B
0040D649  8B8D 6ED34000    mov ecx,dword ptr ss:[ebp+40D36E]
0040D64F  85C9             test ecx,ecx
0040D651  74 18            je short Note.0040D66B
0040D653  03C7             add eax,edi
0040D655  0385 72D34000    add eax,dword ptr ss:[ebp+40D372]
0040D65B  50               push eax
0040D65C  51               push ecx
0040D65D  E8 13FAFFFF      call Note.0040D075
Set a memory breakpoint: in the memory map, put a memory-on-access breakpoint on the code section.
Shift+F9 to run until we arrive at the OEP:
004010CC  55               push ebp
004010CD  8BEC             mov ebp,esp
004010CF  83EC 44          sub esp,44
004010D2  56               push esi
004010D3  FF15 E4634000    call dword ptr ds:[4063E4]
004010D9  8BF0             mov esi,eax
004010DB  8A00             mov al,byte ptr ds:[eax]
004010DD  3C 22            cmp al,22
004010DF  75 1B            jnz short Note.004010FC
Clear all breakpoints;
Do a full dump with LordPE;
Edit the dump with LordPE: OEP = 10CC; IAT = 6000; size = 1000 (the three values an import fixer asks for);
Rebuild with LordPE~; where my comments are wrong, thanks in advance for the corrections.
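As an added check (example code written for this edit, not part of the original post and not tElock's or LordPE's code): once the magic jmp has been taken and the dump is rebuilt, every slot of the IAT should be a pointer into a loaded DLL; a slot that still points into the packer stub means the encryption routine ran after all. The script walks the IMAGE_IMPORT_DESCRIPTOR array between the two RVAs recorded above (6000 and 7000), classifies each IAT slot, and derives the RVA/size pair an import fixer asks for. It runs on a constructed in-memory image rather than a real dump; the kernel32 address range is an assumption (a typical XP base), and the stub range 0040C000-0040E000 is taken from the listing. To use it on a real dump, load the file into `img` with the sections at their virtual offsets.

```python
import struct

IMAGE_BASE = 0x00400000        # Note.00400000 in the listing
IMPORT_DIR_RVA = 0x6000        # esi at 0040D216
IMPORT_DIR_END_RVA = 0x7000    # edi at 0040D62A
DESC_SIZE = 20                 # sizeof(IMAGE_IMPORT_DESCRIPTOR)

# Assumptions, not from the post: the address range of the only DLL in the
# sample (a typical XP kernel32 base) and the range of the tElock stub.
MODULE_RANGES = {"KERNEL32.dll": (0x7C800000, 0x7C8F6000)}
PACKER_STUB_RANGE = (0x0040C000, 0x0040E000)


def build_sample_image() -> bytes:
    """Constructed in-memory image (not a real Notepad dump): one descriptor for
    KERNEL32.dll at RVA 0x6000 whose FirstThunk (the IAT) holds four slots."""
    img = bytearray(0x8000)
    iat_rva, name_rva, ilt_rva = 0x6100, 0x6200, 0x6300
    # OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
    struct.pack_into("<IIIII", img, IMPORT_DIR_RVA, ilt_rva, 0, 0, name_rva, iat_rva)
    # the all-zero terminating descriptor is already there (buffer is zero-filled)
    img[name_rva:name_rva + 13] = b"KERNEL32.dll\0"
    # three slots resolved into kernel32, one the packer redirected into its own stub
    for i, value in enumerate([0x7C801D7B, 0x7C80B741, 0x0040CB28, 0x7C809AE4]):
        struct.pack_into("<I", img, iat_rva + 4 * i, value)
    return bytes(img)


def read_cstr(img: bytes, rva: int) -> str:
    return img[rva:img.index(b"\0", rva)].decode("ascii")


def walk_imports(img: bytes):
    """Yield (dll_name, first_thunk_rva, [slot values]) for each descriptor
    between IMPORT_DIR_RVA and IMPORT_DIR_END_RVA, stopping at the null one."""
    rva = IMPORT_DIR_RVA
    while rva + DESC_SIZE <= IMPORT_DIR_END_RVA:
        _oft, _ts, _fwd, name, ft = struct.unpack_from("<IIIII", img, rva)
        if name == 0 and ft == 0:
            break
        slots = []
        slot = ft
        while True:                      # IAT array is zero-terminated
            (value,) = struct.unpack_from("<I", img, slot)
            if value == 0:
                break
            slots.append(value)
            slot += 4
        yield read_cstr(img, name), ft, slots
        rva += DESC_SIZE


def classify_slot(dll: str, value: int) -> str:
    """'ok' if the slot points into the DLL it imports from, 'redirected' if it
    points into the packer stub, otherwise 'unknown'."""
    lo, hi = MODULE_RANGES.get(dll, (0, 0))
    if lo <= value < hi:
        return "ok"
    if PACKER_STUB_RANGE[0] <= value < PACKER_STUB_RANGE[1]:
        return "redirected"
    return "unknown"


def check_iat(img: bytes):
    """One (dll, slot_rva, value, verdict) tuple per IAT slot."""
    return [(dll, ft + 4 * i, v, classify_slot(dll, v))
            for dll, ft, slots in walk_imports(img)
            for i, v in enumerate(slots)]


def iat_bounds(img: bytes):
    """(rva, size) spanning every FirstThunk array: the IAT RVA/size pair an
    import fixer takes alongside the OEP."""
    starts, ends = [], []
    for _dll, ft, slots in walk_imports(img):
        starts.append(ft)
        ends.append(ft + 4 * len(slots))
    return min(starts), max(ends) - min(starts)


if __name__ == "__main__":
    image = build_sample_image()
    print("IAT rva/size: %#x / %#x" % iat_bounds(image))
    for dll, rva, value, verdict in check_iat(image):
        print("%-14s %#06x -> %#010x %s" % (dll, rva, value, verdict))
```

On the constructed image the third slot comes back "redirected", which is exactly the symptom you get when the je at 0040D21E was left alone; on a dump taken after the patch every slot should be "ok", and `iat_bounds` gives the RVA/size pair to type into the import fixer.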