最近被某软件折磨,实在找不出头绪,现把调试过程贴出来,大家有空来看看。
软件名已改为 ww.exe;另外还有一个 stone.dll 不能改名,否则提示不能运行——说明 ww.exe 是按文件名引用它的(导入表里或 LoadLibrary 的字符串参数里写死了 stone.dll 这个名字)。
用 PEiD 查看 ww.exe:UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo
stone.dll:ASPack 2.11 -> Alexey Solodovnikov
(PEiD 只按入口点附近的特征码匹配;不过下面手动跟踪看到的壳代码确实是标准 UPX 的样子(pushad → 解压循环 → popad/jmp),所以问题多半不在识别壳,而在 dump/修复这一步或程序自身的行为上。)
用 AspackDie 脱掉 stone.dll 的壳后,程序可以正常运行(这一步只换了 DLL,ww.exe 用的还是原来带 UPX 壳的版本)。
用我能找到的所有工具(包括 upxfix、fs、upxshell、upxstripper、LordPE、ProcDump……)脱 ww.exe,修复 IAT 后都不能运行。用 Windows 任务管理器可以看到 ww.exe 这个进程基本不占用 CPU,但占用 10M 左右内存(我一般就关掉了,否则可能耗光内存,我在网吧就被耗死过)。补充一点:测试脱壳后的 ww.exe 时最好先配合原版(未脱壳)的 stone.dll,每次只改一个变量,不然不好判断是哪一步出的问题。
用 OllyDbg 载入 ww.exe,停在壳的入口(标准 UPX 壳以 pushad 开头):
004E20D0 w> 60 pushad //停在这里
004E20D1 BE 00404A00 mov esi,ww.004A4000
004E20D6 8DBE 00D0F5FF lea edi,dword ptr ds:[esi+FFF5D000]
004E20DC 57 push edi
004E20DD 83CD FF or ebp,FFFFFFFF
004E20E0 EB 10 jmp short ww.004E20F2
004E20E2 90 nop
004E20E3 90 nop
004E20E4 90 nop
004E20E5 90 nop
004E20E6 90 nop
004E20E7 90 nop
004E20E8 8A06 mov al,byte ptr ds:[esi]
004E20EA 46 inc esi
004E20EB 8807 mov byte ptr ds:[edi],al
004E20ED 47 inc edi
向下翻页,来到壳代码末尾;UPX 的标准出口是 popad 后紧跟一条跳到 OEP 的 jmp:
004E223B 61 popad
004E223C - E9 3B3CF9FF jmp ww.00475E7C //在这里点击,然后F4(运行到这里),F8(走完这条jmp就落在OEP上)。也可以在pushad之后对esp下硬件访问断点(ESP定律),执行到popad时会自动停在这附近
004E2241 0000 add byte ptr ds:[eax],al
004E2243 0000 add byte ptr ds:[eax],al
004E2245 0000 add byte ptr ds:[eax],al
004E2247 0000 add byte ptr ds:[eax],al
这里就是 OEP 了:下面 push ebp / mov ebp,esp / push -1 / push ww.0048B7D8 / push ww.00475FE6(指向 MSVCRT._except_handler3)是 VC6 时代 CRT 启动代码建立 SEH 帧的标准开头,可以佐证 OEP 找对了。OEP 的 RVA = 00475E7C - 00400000 = 75E7C,ImportREC 里填这个值。
00475E7C 55 push ebp //我在这里dump
00475E7D 8BEC mov ebp,esp
00475E7F 6A FF push -1
00475E81 68 D8B74800 push ww.0048B7D8
00475E86 68 E65F4700 push ww.00475FE6 ; jmp to
MSVCRT._except_handler3
用 ImportREC 修复 IAT(OEP 填 75E7C,IAT AutoSearch → Get Imports,检查有没有 invalid 项被直接 Cut 掉,再 Fix Dump),还是不能运行。注意后面在 Olly 里跟踪时,第一次停下来的地方是程序自己 throw 的一个 C++ 异常(代码 E06D7363),而不是导入表没修好那种访问违例,所以问题未必出在 IAT 上。
下面跟踪原程序(这里跟的是脱壳前的原版还是脱壳后的 dump 版,建议说明一下;两个文件在同样设置下各跑一遍并对照,比单看一个更有用)。
F9 运行程序,第一次异常。注意停下的位置在 kernel32.RaiseException 的末尾(retn 10,四个参数),也就是说这个“异常”是程序自己调用 RaiseException 抛出来的,不是指令访问了非法地址;具体是什么异常看后面的堆栈:
77E4D756 5E pop esi ; MSVCRT.77BE14AC
77E4D757 C9 leave
77E4D758 C2 1000 retn 10
77E4D75B k> 55 push ebp
77E4D75C 8BEC mov ebp,esp
77E4D75E 51 push ecx
77E4D75F 51 push ecx
77E4D760 56 push esi
77E4D761 8B75 08 mov esi,dword ptr ss:[ebp+8]
77E4D764 56 push esi
77E4D765 8D45 F8 lea eax,dword ptr ss:[ebp-8]
77E4D768 50 push eax
77E4D769 FF15 BC13E477 call dword ptr ds:[<&ntdll.NtQueryPerf>;
ntdll.ZwQueryPerformanceCounter
77E4D76F 85C0 test eax,eax
77E4D771 0F8C 55610300 jl kernel32.77E838CC
77E4D777 833E 00 cmp dword ptr ds:[esi],0
77E4D77A 0F84 56610300 je kernel32.77E838D6
77E4D780 33C0 xor eax,eax
77E4D782 40 inc eax
77E4D783 5E pop esi
77E4D784 C9 leave
77E4D785 C2 0400 retn 4
77E4D788 55 push ebp
77E4D789 8BEC mov ebp,esp
77E4D78B 51 push ecx
77E4D78C 51 push ecx
77E4D78D 8B45 0C mov eax,dword ptr ss:[ebp+C]
77E4D790 53 push ebx
77E4D791 33DB xor ebx,ebx
77E4D793 56 push esi
77E4D794 8918 mov dword ptr ds:[eax],ebx
77E4D796 64:A1 18000000 mov eax,dword ptr fs:[18]
77E4D79C 8B40 30 mov eax,dword ptr ds:[eax+30]
77E4D79F 68 24040000 push 424
77E4D7A4 FF35 E867EB77 push dword ptr ds:[77EB67E8]
77E4D7AA FF70 18 push dword ptr ds:[eax+18]
77E4D7AD FF15 0C10E477 call dword ptr ds:[<&ntdll.RtlAllocate>;
ntdll.RtlAllocateHeap
77E4D7B3 8BF0 mov esi,eax
77E4D7B5 3BF3 cmp esi,ebx
77E4D7B7 0F84 837B0300 je kernel32.77E85340
77E4D7BD 57 push edi
77E4D7BE 8B3D 9813E477 mov edi,dword ptr ds:[<&ntdll.NtOpenTh>;
ntdll.ZwOpenThreadToken
77E4D7C4 56 push esi
77E4D7C5 53 push ebx
77E4D7C6 6A 28 push 28
77E4D7C8 6A FE push -2
77E4D7CA 895E 0C mov dword ptr ds:[esi+C],ebx
77E4D7CD FFD7 call edi
77E4D7CF 85C0 test eax,eax
77E4D7D1 7D 2C jge short kernel32.77E4D7FF
77E4D7D3 6A 03 push 3
77E4D7D5 FF15 7014E477 call dword ptr ds:[<&ntdll.RtlImperson>;
ntdll.RtlImpersonateSelf
77E4D7DB 3BC3 cmp eax,ebx
77E4D7DD 8945 F8 mov dword ptr ss:[ebp-8],eax
77E4D7E0 0F8C 647B0300 jl kernel32.77E8534A
77E4D7E6 56 push esi
77E4D7E7 53 push ebx
77E4D7E8 6A 28 push 28
77E4D7EA 6A FE push -2
77E4D7EC FFD7 call edi
77E4D7EE 8BF8 mov edi,eax
77E4D7F0 3BFB cmp edi,ebx
77E4D7F2 0F8C 6E7B0300 jl kernel32.77E85366
堆栈(看起来就是 RaiseException 的参数:异常代码 E06D7363,标志 1 = EXCEPTION_NONCONTINUABLE)。E06D7363 是 MSVC 编译的 C++ throw 专用的异常代码,而 "Access violation - no RTTI data!" 是 CRT 的 RTTI 辅助函数(__RTDynamicCast/__RTtypeid)在对象指针无效、找不到 RTTI 信息时抛出的 __non_rtti_object 异常所带的文字。也就是说这是程序自己 throw 出来的 C++ 异常,通常会被程序自己的 catch 接住,它本身未必是错误。要判断是否正常,应当用同样设置跑一遍原版(未脱壳)ww.exe,看同一位置是否也 throw:
0012EFE0 77BE14AC ASCII "Access violation - no RTTI data!"
0012EFE4 E06D7363
0012EFE8 00000001
SHIFT+F8(把异常交给程序处理,再单步)跳过,来到 ntdll 的异常分发代码。77F5109C 起是 KiUserExceptionDispatcher 的后半段:call 77F61763(RtlDispatchException)返回 al 非零表示有 handler 处理了,走 ZwContinue 恢复执行,否则走 ZwRaiseException 报二次异常。77F51124 起是 RtlRaiseException 本身(77F510DC 处那条 call ntdll.RtlRaiseException 的目标就是它):pushfd、sub esp,2D0、把各寄存器填进 CONTEXT,mov dword ptr [eax],10007 即 CONTEXT_FULL,然后 ZwRaiseException。这些都是系统例程,在这里单步看不出程序本身的问题,应直接 Shift+F9 放行,或按 Alt+K 看调用栈,找 ww.exe/MFC42 里是谁调的 RaiseException:
77F5109C 8B1C24 mov ebx,dword ptr ss:[esp]
77F5109F 51 push ecx
77F510A0 53 push ebx
77F510A1 E8 BD060100 call ntdll.77F61763
77F510A6 0AC0 or al,al
77F510A8 74 0C je short ntdll.77F510B6
77F510AA 5B pop ebx
77F510AB 59 pop ecx
77F510AC 6A 00 push 0
77F510AE 51 push ecx
77F510AF E8 FFD40200 call ntdll.ZwContinue
77F510B4 EB 0B jmp short ntdll.77F510C1
77F510B6 5B pop ebx
77F510B7 59 pop ecx
77F510B8 6A 00 push 0
77F510BA 51 push ecx
77F510BB 53 push ebx
77F510BC E8 42DE0200 call ntdll.ZwRaiseException
77F510C1 83C4 EC add esp,-14
77F510C4 890424 mov dword ptr ss:[esp],eax
77F510C7 C74424 04 01000000 mov dword ptr ss:[esp+4],1
77F510CF 895C24 08 mov dword ptr ss:[esp+8],ebx
77F510D3 C74424 10 00000000 mov dword ptr ss:[esp+10],0
77F510DB 54 push esp
77F510DC E8 43000000 call ntdll.RtlRaiseException
77F510E1 C2 0800 retn 8
77F510E4 n> 55 push ebp
77F510E5 8BEC mov ebp,esp
77F510E7 83EC 50 sub esp,50
77F510EA 894424 0C mov dword ptr ss:[esp+C],eax
77F510EE 64:A1 18000000 mov eax,dword ptr fs:[18]
77F510F4 8B80 A4010000 mov eax,dword ptr ds:[eax+1A4]
77F510FA 890424 mov dword ptr ss:[esp],eax
77F510FD C74424 04 00000000 mov dword ptr ss:[esp+4],0
77F51105 C74424 08 00000000 mov dword ptr ss:[esp+8],0
77F5110D C74424 10 00000000 mov dword ptr ss:[esp+10],0
77F51115 54 push esp
77F51116 E8 09000000 call ntdll.RtlRaiseException
77F5111B 8B0424 mov eax,dword ptr ss:[esp]
77F5111E 8BE5 mov esp,ebp
77F51120 5D pop ebp
77F51121 C3 retn
77F51122 90 nop
77F51123 90 nop
77F51124 n> 55 push ebp
77F51125 8BEC mov ebp,esp
77F51127 9C pushfd
77F51128 81EC D0020000 sub esp,2D0
77F5112E 8985 DCFDFFFF mov dword ptr ss:[ebp-224],eax
77F51134 898D D8FDFFFF mov dword ptr ss:[ebp-228],ecx
77F5113A 8B45 08 mov eax,dword ptr ss:[ebp+8]
77F5113D 8B4D 04 mov ecx,dword ptr ss:[ebp+4]
77F51140 8948 0C mov dword ptr ds:[eax+C],ecx
77F51143 8D85 2CFDFFFF lea eax,dword ptr ss:[ebp-2D4]
77F51149 8988 B8000000 mov dword ptr ds:[eax+B8],ecx
77F5114F 8998 A4000000 mov dword ptr ds:[eax+A4],ebx
77F51155 8990 A8000000 mov dword ptr ds:[eax+A8],edx
77F5115B 89B0 A0000000 mov dword ptr ds:[eax+A0],esi
77F51161 89B8 9C000000 mov dword ptr ds:[eax+9C],edi
77F51167 8D4D 0C lea ecx,dword ptr ss:[ebp+C]
77F5116A 8988 C4000000 mov dword ptr ds:[eax+C4],ecx
77F51170 8B4D 00 mov ecx,dword ptr ss:[ebp]
77F51173 8988 B4000000 mov dword ptr ds:[eax+B4],ecx
77F51179 8B4D FC mov ecx,dword ptr ss:[ebp-4]
77F5117C 8988 C0000000 mov dword ptr ds:[eax+C0],ecx
77F51182 8C88 BC000000 mov word ptr ds:[eax+BC],cs
77F51188 8C98 98000000 mov word ptr ds:[eax+98],ds
77F5118E 8C80 94000000 mov word ptr ds:[eax+94],es
77F51194 8CA0 90000000 mov word ptr ds:[eax+90],fs
77F5119A 8CA8 8C000000 mov word ptr ds:[eax+8C],gs
77F511A0 8C90 C8000000 mov word ptr ds:[eax+C8],ss
77F511A6 C700 07000100 mov dword ptr ds:[eax],10007
77F511AC 6A 01 push 1
77F511AE 50 push eax
77F511AF FF75 08 push dword ptr ss:[ebp+8]
77F511B2 E8 4CDD0200 call ntdll.ZwRaiseException
77F511B7 83EC 20 sub esp,20
77F511BA 890424 mov dword ptr ss:[esp],eax
77F511BD C74424 04 01000000 mov dword ptr ss:[esp+4],1
77F511C5 C74424 10 00000000 mov dword ptr ss:[esp+10],0
77F511CD 8B45 08 mov eax,dword ptr ss:[ebp+8]
77F511D0 894424 08 mov dword ptr ss:[esp+8],eax
77F511D4 8BC4 mov eax,esp
77F511D6 50 push eax
77F511D7 E8 48FFFFFF call ntdll.RtlRaiseException
77F511DC 397E 04 cmp dword ptr ds:[esi+4],edi
77F511DF ^ 0F84 3DFEFFFF je ntdll.77F51022
77F511E5 8B4C24 0C mov ecx,dword ptr ss:[esp+C]
77F511E9 8361 10 00 and dword ptr ds:[ecx+10],0
77F511ED 8D51 08 lea edx,dword ptr ds:[ecx+8]
77F511F0 8932 mov dword ptr ds:[edx],esi
77F511F2 8979 0C mov dword ptr ds:[ecx+C],edi
77F511F5 8990 B0010000 mov dword ptr ds:[eax+1B0],edx
77F511FB ^ E9 37FEFFFF jmp ntdll.77F51037
F9 继续,又停在和第一次异常相同的地方(程序又 throw 了一次同样的异常)。再次 SHIFT+F8,又来到上面 ntdll 的分发代码。再次 F9 时,程序的画面跳出来了——这不能算“跟飞了”:异常被程序自己的处理程序接住之后正常往下执行了,Olly 只是没有再中断而已。如果此时程序的表现和在 Olly 外直接运行时一样(只占内存不干活),说明这两次 throw 可能本来就是正常流程,真正的问题在更后面;可以让 Olly 忽略 E06D7363 这类异常后再往下跟。
再次载入,在第一次异常时直接按 F8。注意不带 Shift 的 F7/F8/F9 会让 OllyDbg 吞掉这个异常:程序的 catch 拿不到它,RaiseException 会像没出过异常一样直接返回到调用者——对 C++ throw 来说这是一条永远不该走的路径,下面看到的崩溃就是这样造成的:
77E4D756 5E pop esi ; MSVCRT.77BE14AC
77E4D757 C9 leave
77E4D758 C2 1000 retn 10
retn 10 返回到 MSVCRT 里 RaiseException 的调用者。从它只有两个参数(retn 8)和所处位置看,应该是 _CxxThrowException(pExceptionObject, pThrowInfo),正常情况下这个函数是不会返回的:
77BF1A29 5F pop edi ; 0012F18E
77BF1A2A 5E pop esi
77BF1A2B C9 leave
77BF1A2C C2 0800 retn 8
retn 8 再返回到 MFC42 里 throw 点的后面。73DAD626 的 pop esi 是 throw 所在函数收尾残留的代码,紧接着 73DAD627 从 push ebp / mov ebp,esp 看已经是另一个函数的开头,Olly 也在这里标了新的标签。也就是说,从“不该返回的 call”返回之后,直接掉进了下一个函数的函数体,此时 ebp 还是上一个函数的栈帧:
73DAD626 5E pop esi ; 0012F18F
73DAD627 M> 55 push ebp
73DAD628 8BEC mov ebp,esp
73DAD62A 8B45 10 mov eax,dword ptr ss:[ebp+10] //Stack ss:[0012F094]=FFFFFFFF
eax=0012EFE4
73DAD62D 53 push ebx
73DAD62E 33DB xor ebx,ebx
73DAD630 3BC3 cmp eax,ebx
73DAD632 74 02 je short MFC42.73DAD636
73DAD634 8918 mov dword ptr ds:[eax],ebx //这里跳向下一个异常:eax=FFFFFFFF,向地址 FFFFFFFF 写 0 必然访问违例。这是前面吞掉 C++ 异常后的连锁反应,不是 dump 文件本身的问题
F8来到
77F5109C 8B1C24 mov ebx,dword ptr ss:[esp]
77F5109F 51 push ecx
77F510A0 53 push ebx
77F510A1 E8 BD060100 call ntdll.77F61763
77F510A6 0AC0 or al,al
77F510A8 74 0C je short ntdll.77F510B6
77F510AA 5B pop ebx
77F510AB 59 pop ecx
77F510AC 6A 00 push 0
77F510AE 51 push ecx
77F510AF E8 FFD40200 call ntdll.ZwContinue
77F510B4 EB 0B jmp short ntdll.77F510C1
77F510B6 5B pop ebx
77F510B7 59 pop ecx
77F510B8 6A 00 push 0
77F510BA 51 push ecx
77F510BB 53 push ebx
77F510BC E8 42DE0200 call ntdll.ZwRaiseException //这里跳向下一个异常:RtlDispatchException 返回 al=0(没有 handler 接这个访问违例),于是走到这里用 ZwRaiseException 报二次异常,调试器随后就显示“无法处理异常”
F8来到
73DAD634 8918 mov dword ptr ds:[eax],ebx //这里显示“被调试的程序无法处理异常”(二次异常:往 FFFFFFFF 写入的访问违例没有任何 handler 接),继续F8显示“进程已经终止,退出代码80”,无法继续跟踪。
不过要注意,这个崩溃是前面用 F8 吞掉 C++ 异常之后人为造成的,不能据此说 dump 文件哪里坏了。更有用的做法:在 Options → Debugging options → Exceptions 里让 Olly 忽略 E06D7363,或者在 RaiseException/_CxxThrowException 上下断点,分别跑原版和脱壳版,用 Alt+K 比较第一次 throw 时的调用栈和参数,找脱壳前后第一个出现差异的地方。
73DAD636 53 push ebx
73DAD637 8D45 10 lea eax,dword ptr ss:[ebp+10]
73DAD63A 53 push ebx
73DAD63B 50 push eax
73DAD63C 68 00080000 push 800
73DAD641 FF71 08 push dword ptr ds:[ecx+8]
73DAD644 53 push ebx
73DAD645 68 00110000 push 1100
73DAD64A FF15 CCB1DC73 call dword ptr ds:[<&KERNEL32.FormatMe>;
kernel32.FormatMessageA
我就跟了这么多,请有空的高手来看看。谢谢!
(补充几个可以先自查的点:1. dump 出来的文件用 LordPE 看一下各节的 RawSize/RawOffset 是否已按 VirtualSize 重建;2. ImportREC 的 OEP 填 75E7C,看 Get Imports 之后有没有 invalid 项;3. 让 Olly 忽略 E06D7363 这类 C++ 异常,用原版和脱壳版各跑一遍,对照第一个出现差异的异常和调用栈。)