看雪的门槛也是很高的啊!呵呵 不过支持,省得到处看见无意义垃圾帖子。偶还是个新手,很渴望加入看学跟大牛们学习.如果能通过的话,我的邮箱:10953366@qq.com
进入正题
要脱的软件是一个外挂软件
PEID查为Armadillo 1.xx - 2.xx -> Silicon Realms Toolworks
AFP查保护为
<Protection Options>
Debug-Blocker
CopyMem-II
Enable Memory-Patching Protections
<Backup Key Options>
Variable Backup Keys
<Compression Options>
Best/Slowest Compression
!- Child detach
Child process ID: 00002CC0
Entry point: 00499243
Original bytes: 558B
脱这保护壳壳
我分4步
第一步:找OEP
第二步:脱掉外壳
第三步:找RVA
第四步:修复IAT
第一步:找OEP
========================================
OD载入,隐藏。。。
00499243 >/$ 55 push ebp 停在这里
00499244 |. 8BEC mov ebp,esp
00499246 |. 6A FF push -1
00499248 |. 68 402F4C00 push PSWA.004C2F40
bp WaitForDebugEvent 下断 F9
7C85B388 > 8BFF mov edi,edi
7C85B38A 55 push ebp
7C85B38B 8BEC mov ebp,esp
7C85B38D 83EC 68 sub esp,68
7C85B390 56 push esi
7C85B391 FF75 0C push dword ptr ss:[ebp+C]
7C85B394 8D45 F8 lea eax,dword ptr ss:[ebp-8]
7C85B397 50 push eax
堆栈显示
0012DC8C 00489386 /CALL 到 WaitForDebugEvent 来自 PSWA.00489380
0012DC90 0012ED7C |pDebugEvent = 0012ED7C
0012DC94 000003E8 \Timeout = 1000. ms
0012DC98 7C930208 ntdll.7C930208
0012DC9C 00000000
0012ED7C位置右键选择数据窗口中跟随
取消断点,bp WriteProcessMemory F9
数据窗口显示如下
0012ED88 80000001
0012ED8C 00000000
0012ED90 00000000
0012ED94 0042496E PSWA.0042496E --------OEP
0012ED98 00000002
0012ED9C 00000000
0012EDA0 0042496E PSWA.0042496E
0012EDA4 0042496E PSWA.0042496E
0012EDA8 00000001
0012EDAC 00000000
第二步:脱掉外壳
==========================================
重新载入程序,隐藏OD。he WaitForDebugEvent F9
7C85B388 > 8BFF mov edi,edi ====中断在这里
7C85B38A 55 push ebp
7C85B38B 8BEC mov ebp,esp
7C85B38D 83EC 68 sub esp,68
7C85B390 56 push esi
7C85B391 FF75 0C push dword ptr ss:[ebp+C]
7C85B394 8D45 F8 lea eax,dword ptr ss:[ebp-8]
7C85B397 50 push eax
7C85B398 E8 E370FAFF call kernel32.7C802480
7C85B39D 8BF0 mov esi,eax
7C85B39F 56 push esi
7C85B3A0 8D45 98 lea eax,dword ptr ss:[ebp-68]
7C85B3A3 50 push eax
7C85B3A4 E8 2D550200 call <jmp.&ntdll.DbgUiWaitStateChange>
7C85B3A9 3D 01010000 cmp eax,101
7C85B3AE ^ 74 EF je short kernel32.7C85B39F
7C85B3B0 3D C0000000 cmp eax,0C0
7C85B3B5 ^ 74 E8 je short kernel32.7C85B39F
中断后ALT+F9回到程序领空
00489386 . 85C0 test eax,eax
00489388 . 0F84 64270000 je PSWA.0048BAF2
0048938E . 8B85 FCFDFFFF mov eax,dword ptr ss:[ebp-204]
00489394 . 25 FF000000 and eax,0FF
00489399 . 85C0 test eax,eax
0048939B . 74 13 je short PSWA.004893B0
0048939D . 8B0D D0434C00 mov ecx,dword ptr ds:[4C43D0]
004893A3 . 8379 20 00 cmp dword ptr ds:[ecx+20],0
004893A7 . 74 07 je short PSWA.004893B0
004893A9 . C685 FCFDFFFF 00 mov byte ptr ss:[ebp-204],0
004893B0 > 68 88424C00 push PSWA.004C4288 ; /pCriticalSection = PSWA.004C4288
004893B5 . FF15 A4D14B00 call dword ptr ds:[<&KERNEL32.EnterCrit>; \EnterCriticalSection
004893BB . 60 pushad
004893BC . 33C0 xor eax,eax
右键查找,搜索所有常量 填入FFFFFFF8
004893A9 mov byte ptr ss:[ebp-204],0 (初始 CPU 选择)
00489956 or eax,FFFFFFF8
00489971 or edx,FFFFFFF8
0048999A or ecx,FFFFFFF8
00489E72 or edx,FFFFFFF8
00489E8D or ecx,FFFFFFF8
00489EB5 or eax,FFFFFFF8
0048BC77 mov dword ptr ss:[ebp-8],0
0048BC89 mov edx,dword ptr ss:[ebp-8]
0048BC8F mov dword ptr ss:[ebp-8],edx
0048BC9B mov ecx,dword ptr ss:[ebp-8]
0048BD00 cmp dword ptr ss:[ebp-8],0
0048BD0A mov ecx,dword ptr ss:[ebp-8]
0048C1F3 or edx,FFFFFFF8
0048C217 or ecx,FFFFFFF8
0048C248 or edx,FFFFFFF8
0048D335 lea edx,dword ptr ss:[ebp-8]
0048D48D mov dword ptr ss:[ebp-8],0
0048D49C mov ecx,dword ptr ss:[ebp-8]
双击第一个FFFFFFF8进入
00489906 >^\74 FB je short PSWA.00489903
00489908 >^ EB F9 jmp short PSWA.00489903
0048990A > 83BD CCF5FFFF 00 cmp dword ptr ss:[ebp-A34],0 =======这里下硬件执行断点,SHIFT+F9
00489911 . 0F8C A8020000 jl PSWA.00489BBF
00489917 . 8B8D CCF5FFFF mov ecx,dword ptr ss:[ebp-A34]
0048991D . 3B0D D4434C00 cmp ecx,dword ptr ds:[4C43D4]
00489923 . 0F8D 96020000 jge PSWA.00489BBF
00489929 . 8B95 40F6FFFF mov edx,dword ptr ss:[ebp-9C0]
0048992F . 81E2 FF000000 and edx,0FF
00489935 . 85D2 test edx,edx
00489937 . 0F84 AD000000 je PSWA.004899EA
0048993D . 6A 00 push 0
0048993F . 8BB5 CCF5FFFF mov esi,dword ptr ss:[ebp-A34]
00489945 . C1E6 04 shl esi,4
00489948 . 8B85 CCF5FFFF mov eax,dword ptr ss:[ebp-A34]
0048994E . 25 07000080 and eax,80000007
00489953 . 79 05 jns short PSWA.0048995A
00489955 . 48 dec eax
00489956 . 83C8 F8 or eax,FFFFFFF8 ===========双击第一个FFFFFFF8来到这里,往上找CMP
00489959 . 40 inc eax
0048995A > 33C9 xor ecx,ecx
0048995C . 8A88 BC1D4C00 mov cl,byte ptr ds:[eax+4C1DBC]
00489962 . 8B95 CCF5FFFF mov edx,dword ptr ss:[ebp-A34]
00489968 . 81E2 07000080 and edx,80000007
0048996E . 79 05 jns short PSWA.00489975
00489970 . 4A dec edx
00489971 . 83CA F8 or edx,FFFFFFF8
00489974 . 42 inc edx
00489975 > 33C0 xor eax,eax
00489977 . 8A82 BD1D4C00 mov al,byte ptr ds:[edx+4C1DBD]
0048997D . 8B3C8D 84D34B00 mov edi,dword ptr ds:[ecx*4+4BD384]
00489984 . 333C85 84D34B00 xor edi,dword ptr ds:[eax*4+4BD384]
0048998B . 8B8D CCF5FFFF mov ecx,dword ptr ss:[ebp-A34]
00489991 . 81E1 07000080 and ecx,80000007
00489997 . 79 05 jns short PSWA.0048999E
00489999 . 49 dec ecx
0048999A . 83C9 F8 or ecx,FFFFFFF8
0048999D . 41 inc ecx
0048999E > 33D2 xor edx,edx
004899A0 . 8A91 BE1D4C00 mov dl,byte ptr ds:[ecx+4C1DBE]
004899A6 . 333C95 84D34B00 xor edi,dword ptr ds:[edx*4+4BD384]
004899AD . 8B85 CCF5FFFF mov eax,dword ptr ss:[ebp-A34]
004899B3 . 99 cdq
004899B4 . B9 1C000000 mov ecx,1C
004899B9 . F7F9 idiv ecx
004899BB . 8BCA mov ecx,edx
004899BD . D3EF shr edi,cl
004899BF . 83E7 0F and edi,0F
004899C2 . 03F7 add esi,edi
004899C4 . 8B15 B8434C00 mov edx,dword ptr ds:[4C43B8]
004899CA . 8D04B2 lea eax,dword ptr ds:[edx+esi*4]
004899CD . 50 push eax
004899CE . 8B8D CCF5FFFF mov ecx,dword ptr ss:[ebp-A34]
004899D4 . 51 push ecx
004899D5 . E8 68210000 call PSWA.0048BB42
004899DA . 83C4 0C add esp,0C
004899DD . 25 FF000000 and eax,0FF ==================这里patch
004899E2 . 85C0 test eax,eax
004899E4 . 0F84 D5010000 je PSWA.00489BBF
004899EA > 837D D8 00 cmp dword ptr ss:[ebp-28],0
004899EE . 75 27 jnz short PSWA.00489A17
硬件执行断点断下来后看到小窗口显示
堆栈 ss:[0012ED68]=00000023 =====把00000023改为00000000
跳转来自 0048974D, 00489903
接下来从上面代码记录几个参数
XXXXXXXX 0048990A
YYYYYYYY [ebp-A30]=1212ED68
zzzzzzzz 4C43D4
WWWWWWWW 00489BBF
把这些数值填入下面表格
inc dword ptr ds:[YYYYYYYY]
mov dword ptr ds:[ZZZZZZZZ+4],1
jmp XXXXXXXX
填入后即为
inc dword ptr ds:[12ED68]
mov dword ptr ds:[4C43D8],1 ===这里ZZZZZ+4=4C43D4+4=4C43D8
jmp 0048990A
接下来找到and eax,0FF进行patch。
在and eax,0FF处右键选择汇编,并勾上使用NOP填充进行patch
patch后删除硬件断点,CTRL+G回到00489BBF,就是刚才WWWWWW的地址。
00489BBF > \E9 0D110000 jmp PSWA.0048ACD1 =========在这里下硬件断点,SHIFT+F9
00489BC4 > 8B0D B0D34B00 mov ecx,dword ptr ds:[4BD3B0]
00489BCA . 81F1 050000C0 xor ecx,C0000005
00489BD0 . 398D D4F5FFFF cmp dword ptr ss:[ebp-A2C],ecx
00489BD6 . 0F85 92040000 jnz PSWA.0048A06E
00489BDC . 70 07 jo short PSWA.00489BE5
00489BDE . 7C 03 jl short PSWA.00489BE3
00489BE0 > EB 05 jmp short PSWA.00489BE7
00489BE2 E8 db E8
00489BE3 >^ 74 FB je short PSWA.00489BE0
00489BE5 >^ EB F9 jmp short PSWA.00489BE0
00489BE7 > 8B85 DCF5FFFF mov eax,dword ptr ss:[ebp-A24]
00489BED . 8B48 18 mov ecx,dword ptr ds:[eax+18]
断下来后就用LordPE脱壳,在选择文件的时候有2个进程,选择子进程的,即是选择第2个进行脱壳操作。
第三步:查找RVA
================================
OD载入脱壳后的程序
7C92120F C3 retn =============到这里
7C921210 8BFF mov edi,edi
7C921212 > CC int3
7C921213 C3 retn
7C921214 8BFF mov edi,edi
7C921216 8B4424 04 mov eax,dword ptr ss:[esp+4]
7C92121A CC int3
7C92121B C2 0400 retn 4
7C92121E > 64:A1 18000000 mov eax,dword ptr fs:[18]
7C921224 C3 retn
7C921225 > 57 push edi
7C921226 8B7C24 0C mov edi,dword ptr ss:[esp+C]
7C92122A 8B5424 08 mov edx,dword ptr ss:[esp+8]
然后F9就到这里
0042496E > E8 189E0000 call Unpack.0042E78B
00424973 ^ E9 78FEFFFF jmp Unpack.004247F0
00424978 6A 0C push 0C
0042497A 68 60564400 push Unpack.00445660
0042497F E8 9C010000 call Unpack.00424B20
00424984 8365 E4 00 and dword ptr ss:[ebp-1C],0
00424988 8B75 08 mov esi,dword ptr ss:[ebp+8]
0042498B 3B35 4CF54400 cmp esi,dword ptr ds:[44F54C]
00424991 77 22 ja short Unpack.004249B5
00424993 6A 04 push 4
00424995 E8 03A00000 call Unpack.0042E99D
0042499A 59 pop ecx
0042499B 8365 FC 00 and dword ptr ss:[ebp-4],0
0042499F 56 push esi
004249A0 E8 0AA80000 call Unpack.0042F1AF
004249A5 59 pop ecx
004249A6 8945 E4 mov dword ptr ss:[ebp-1C],eax
004249A9 C745 FC FEFFFFFF mov dword ptr ss:[ebp-4],-2
004249B0 E8 09000000 call Unpack.004249BE
004249B5 8B45 E4 mov eax,dword ptr ss:[ebp-1C]
004249B8 E8 A8010000 call Unpack.00424B65
004249BD C3 retn
004249BE 6A 04 push 4
004249C0 E8 FE9E0000 call Unpack.0042E8C3
004249C5 59 pop ecx
004249C6 C3 retn
再次F7
0042E78B 8BFF mov edi,edi ; ntdll.7C930208
0042E78D 55 push ebp
0042E78E 8BEC mov ebp,esp
0042E790 83EC 10 sub esp,10
0042E793 A1 D4A54400 mov eax,dword ptr ds:[44A5D4]
0042E798 8365 F8 00 and dword ptr ss:[ebp-8],0
0042E79C 8365 FC 00 and dword ptr ss:[ebp-4],0
0042E7A0 53 push ebx
0042E7A1 57 push edi
0042E7A2 BF 4EE640BB mov edi,BB40E64E
0042E7A7 BB 0000FFFF mov ebx,FFFF0000
0042E7AC 3BC7 cmp eax,edi
0042E7AE 74 0D je short Unpack.0042E7BD
0042E7B0 85C3 test ebx,eax
0042E7B2 74 09 je short Unpack.0042E7BD
0042E7B4 F7D0 not eax
0042E7B6 A3 D8A54400 mov dword ptr ds:[44A5D8],eax
0042E7BB EB 60 jmp short Unpack.0042E81D
0042E7BD 56 push esi
0042E7BE 8D45 F8 lea eax,dword ptr ss:[ebp-8]
0042E7C1 50 push eax
0042E7C2 FF15 20A14300 call dword ptr ds:[43A120] ; kernel32.GetSystemTimeAsFileTime
0042E7C8 8B75 FC mov esi,dword ptr ss:[ebp-4]
0042E7CB 3375 F8 xor esi,dword ptr ss:[ebp-8]
0042E7CE FF15 74A24300 call dword ptr ds:[43A274] ; kernel32.GetCurrentProcessId
0042E7D4 33F0 xor esi,eax
0042E7D6 FF15 24A24300 call dword ptr ds:[43A224] ; kernel32.GetCurrentThreadId
0042E7DC 33F0 xor esi,eax
0042E7DE FF15 84A24300 call dword ptr ds:[43A284] ; kernel32.GetTickCount
0042E7E4 33F0 xor esi,eax
0042E7E6 8D45 F0 lea eax,dword ptr ss:[ebp-10]
从上面第一个FF15找到43A120地址
然后在数据窗CTRL+G 到43A120位置
从这个位置往上找起始位置
要留意16进制的代码
当看见有000000间隔的时候
那么这个位置就是IAT的起始位置,也就是后面要填入ImportREC的RVA了
我这找到的的位置是43A000
RVA=43A000
第四步:修复IAT
==================================
用OD再一次载入未脱壳的程序,bp DebugActiveProcess,F9断下
堆栈显示
0012DC90 004891DA /CALL 到 DebugActiveProcess 来自 PSWA.004891D4
0012DC94 00000E14 \ProcessId = E14
0012DC98 7C930208 ntdll.7C930208
0012DC9C 00000000
打开一个OD附加E14,隐藏OD,然后ALT+F9返回程序,还原代码55 8B
00499243 >/$- EB FE jmp short PSWA.<模块入口点> ==========
00499245 |? EC in al,dx ==========选择这两行,右键--二进制--编辑--前2个字节修改为55 8B
00499246 |. 6A FF push -1
00499248 |. 68 402F4C00 push PSWA.004C2F40
0049924D |. 68 808F4900 push PSWA.00498F80 ; SE 处理程序安装
00499252 |. 64:A1 00000000 mov eax,dword ptr fs:[0]
然后BP OpenMutexA,F9
7C80EAAB > 8BFF mov edi,edi =======BP OpenMutexA,F9到了这里
7C80EAAD 55 push ebp
7C80EAAE 8BEC mov ebp,esp
7C80EAB0 51 push ecx
7C80EAB1 51 push ecx
7C80EAB2 837D 10 00 cmp dword ptr ss:[ebp+10],0
7C80EAB6 56 push esi
7C80EAB7 0F84 37550300 je kernel32.7C843FF4
取消断点 CTRL+G 填入00401000 点确定
00401000 0000 add byte ptr ds:[eax],al 在这里右键--二进制---二进制粘贴代码
00401002 0000 add byte ptr ds:[eax],al
00401004 0000 add byte ptr ds:[eax],al
00401006 0000 add byte ptr ds:[eax],al
00401008 0000 add byte ptr ds:[eax],al
0040100A 0000 add byte ptr ds:[eax],al
0040100C 0000 add byte ptr ds:[eax],al
0040100E 0000 add byte ptr ds:[eax],al
00401010 0000 add byte ptr ds:[eax],al
00401012 0000 add byte ptr ds:[eax],al
00401014 0000 add byte ptr ds:[eax],al
00401016 0000 add byte ptr ds:[eax],al
00401018 0000 add byte ptr ds:[eax],al
堆栈显示
0012F798 00484DB8 /CALL 到 OpenMutexA 来自 PSWA.00484DB2
0012F79C 001F0001 |Access = 1F0001
0012F7A0 00000000 |Inheritable = FALSE
0012F7A4 0012FDD8 \MutexName = "E14::DAC4CA1EF7"
上面二进制所粘贴的代码为 60 9C 68 D8 FD 12 00 33 C0 50 50 E8 BF D9 40 7C 9D 61 E9 94 DA 40 7C
粘贴后如下
00401000 60 pushad
00401001 9C pushfd
00401002 68 D8FD1200 push 12FDD8 ; ASCII "E14::DAC4CA1EF7"
00401007 33C0 xor eax,eax
00401009 50 push eax
0040100A 50 push eax
0040100B E8 BFD9407C call kernel32.CreateMutexA
00401010 9D popfd
00401011 61 popad
00401012 - E9 94DA407C jmp kernel32.OpenMutexA
00401017 0000 add byte ptr ds:[eax],al
00401019 0000 add byte ptr ds:[eax],al
0040101B 0000 add byte ptr ds:[eax],al
在00401000新建EIP,SHIFT+F9,断下后在CTRL+G,回到00401000,把刚才粘贴的代码撤销,删除断点,
BP GetModuleHandleA+5 SHIFT+F9
第一次SHIFT+F9 堆栈显示
0012E794 /0012E7CC
0012E798 |77C079B2 返回到 77C079B2 来自 kernel32.GetModuleHandleA
0012E79C |77BE31BC ASCII "kernel32.dll"
0012E7A0 |77C31A70
0012E7A4 |00000000
0012E7A8 |77BEF2A1
第二次SHIFT+F9 堆栈显示
0012E618 /0012E734
0012E61C |74683C4E 返回到 74683C4E 来自 kernel32.GetModuleHandleA
0012E620 |0012E624 ASCII "C:\WINDOWS\system32\ntdll.dll"
0012E624 |575C3A43
0012E628 |4F444E49
第三次SHIFT+F9 堆栈显示
0012E620 /0012E73C
0012E624 |74683C4E 返回到 74683C4E 来自 kernel32.GetModuleHandleA
0012E628 |0012E62C ASCII "C:\WINDOWS\system32\imm32.dll"
0012E62C |575C3A43
0012E630 |4F444E49
第四次SHIFT+F9 堆栈显示
0012E56C /0012E688
0012E570 |74683C4E 返回到 74683C4E 来自 kernel32.GetModuleHandleA
0012E574 |0012E578 ASCII "C:\WINDOWS\system32\KERNEL32"
0012E578 |575C3A43
0012E57C |4F444E49
第五次SHIFT+F9 堆栈显示
0012ECF8 /0012EE14
0012ECFC |7365D4BA 返回到 msctfime.7365D4BA 来自 kernel32.GetModuleHandleA
0012ED00 |0012ED04 ASCII "C:\WINDOWS\system32\ntdll.dll"
0012ED04 |575C3A43
0012ED08 |4F444E49
0012ED0C |735C5357
第六次SHIFT+F9 堆栈显示
0012EE60 /0012EE98
0012EE64 |5D175324 返回到 5D175324 来自 kernel32.GetModuleHandleA
0012EE68 |5D175370 ASCII "kernel32.dll"
0012EE6C |5D1E3AB8
第七次SHIFT+F9 堆栈显示
0012EF20 /0012EF3C
0012EF24 |77F45CD0 返回到 77F45CD0 来自 kernel32.GetModuleHandleA
0012EF28 |77F4501C ASCII "KERNEL32.DLL"
0012EF2C |00000001
第八次SHIFT+F9 堆栈显示
0012F738 /0012F7A0
0012F73C |00483EF3 返回到 PSWA.00483EF3 来自 kernel32.GetModuleHandleA
0012F740 |00000000
0012F744 |0012F750
0012F748 |00C820E6
第九次SHIFT+F9 堆栈显示
00129524 /0012EC6C
00129528 |00C96DF3 返回到 00C96DF3 来自 kernel32.GetModuleHandleA
0012952C |00CABC1C ASCII "kernel32.dll"
00129530 |00CACEC4 ASCII "VirtualAlloc"
00129534 |00CAFA98
00129538 |7C9210E0 ntdll.RtlLeaveCriticalSection
第十次SHIFT+F9 堆栈显示
00129524 /0012EC6C
00129528 |00C96E10 返回到 00C96E10 来自 kernel32.GetModuleHandleA
0012952C |00CABC1C ASCII "kernel32.dll"
00129530 |00CACEB8 ASCII "VirtualFree"
00129534 |00CAFA98
00129538 |7C9210E0 ntdll.RtlLeaveCriticalSection
第十一次SHIFT+F9 堆栈显示
00129288 /00129528
0012928C |00C85CE1 返回到 00C85CE1 来自 kernel32.GetModuleHandleA
00129290 |001293DC ASCII "kernel32.dll"
00129294 |00000000
00129298 |EC6C0000
取消断点,ALT+F9
00C85CE1 8B0D AC40CB00 mov ecx,dword ptr ds:[CB40AC] ============ALT+F9回到这里
00C85CE7 89040E mov dword ptr ds:[esi+ecx],eax
00C85CEA A1 AC40CB00 mov eax,dword ptr ds:[CB40AC]
00C85CEF 391C06 cmp dword ptr ds:[esi+eax],ebx
00C85CF2 75 16 jnz short 00C85D0A
00C85CF4 8D85 B4FEFFFF lea eax,dword ptr ss:[ebp-14C]
00C85CFA 50 push eax
00C85CFB FF15 BC62CA00 call dword ptr ds:[CA62BC] ; kernel32.LoadLibraryA
00C85D01 8B0D AC40CB00 mov ecx,dword ptr ds:[CB40AC]
00C85D07 89040E mov dword ptr ds:[esi+ecx],eax
00C85D0A A1 AC40CB00 mov eax,dword ptr ds:[CB40AC]
00C85D0F 391C06 cmp dword ptr ds:[esi+eax],ebx
00C85D12 0F84 2F010000 je 00C85E47 =======================这里修改为jmp 00C85E47
00C85D18 33C9 xor ecx,ecx
00C85D1A 8B07 mov eax,dword ptr ds:[edi]
00C85D1C 3918 cmp dword ptr ds:[eax],ebx
00C85D1E 74 06 je short 00C85D26
00C85D20 41 inc ecx
我在00C85D12 0F84 2F010000 je 00C85E47这里 修改为jmp 00C85E47,然后shift+f9
00C91A7C F62D AA0D4E34 imul byte ptr ds:[344E0DAA] =====修改为jmp 00C85E47,然后shift+f9后到这里
00C91A82 F3: prefix rep:
00C91A83 8E32 mov seg?,word ptr ds:[edx] ; 未定义的段寄存器
00C91A85 16 push ss
00C91A86 AB stos dword ptr es:[edi]
00C91A87 213B and dword ptr ds:[ebx],edi
00C91A89 89D9 mov ecx,ebx
00C91A8B E5 E7 in eax,0E7
00C91A8D 0181 8E1B889C add dword ptr ds:[ecx+9C881B8E],eax
00C91A93 B2 5B mov dl,5B
00C91A95 4C dec esp
00C91A96 CA A18F retf 8FA1
00C91A99 6E outs dx,byte ptr es:[edi]
00C91A9A E8 992EB506 call 077E4938
00C91A9F 1B88 E8AB03D0 sbb ecx,dword ptr ds:[eax+D003ABE8]
00C91AA5 7A 1C jpe short 00C91AC3
00C91AA7 5D pop ebp
00C91AA8 210C92 and dword ptr ds:[edx+edx*4],ecx
00C91AAB DAACB3 EAC7471A fisubr dword ptr ds:[ebx+esi*4+1A47C7EA>
00C91AB2 F3: prefix rep:
00C91AB3 06 push es
00C91AB4 48 dec eax
00C91AB5 3B17 cmp edx,dword ptr ds:[edi]
00C91AB7 25 7790D542 and eax,42D59077
00C91ABC 9A 859EE17C 6D3F call far 3F6D:7CE19E85
00C91AC3 B8 BB2933E8 mov eax,E83329BB
00C91AC8 4F dec edi
00C91AC9 B2 36 mov dl,36
00C91ACB D2D1 rcl cl,cl
00C91ACD 54 push esp
修改为jmp 00C85E47,然后shift+f9后所到的位置如上,全红的,但感觉好像不对,不管了先继续试试,
打开ImportREC,点设置勾选使用来自磁盘的PE文件头。选择E14的子进程,OEP输入2496E,这里不能点自动搜索IAT,所以刚才要自己去找RVA了,RVA填上43A000,长度填1000,把无效的指针剪切。运行程序,OK了