PEiD v0.95 packer scan gives
ASProtect 1.2x - 1.3x [Registered] -> Alexey Solodovnikov [Overlay]
VerA reports
Version: ASProtect 2.3 SKE build 06.26 Beta [Extract]
Loading the file in OD gives the prompt:
"Entry point is outside the code range (as specified in the PE header). This may be a self-extracting or self-modifying file. Keep this in mind when setting breakpoints."
After clicking OK it prompts:
"A quick statistical test indicates that the code section may be compressed, encrypted, or contain a large amount of embedded data; code analysis will be very unreliable or completely wrong. Do you still want to continue the analysis?"
Then I clicked Yes.
Then HideOD.
Then I used the expert's script Aspr2.XX_IATfixer_v2.2s.osc
It reported an error.
Then I switched to the script Aspr2.XX_unpacker_v1.15SC.osc
It said "No stolen code, please check the IAT data in the log window"
I clicked OK.
In the log view:
Log data
Address Message
0llyICE v1.10
Asm2Clipboard PlugIn v0.1
Written by FaTmiKE 2oo4
I used code snippets from ExtraCopy PlugIn v1.0 by Regon
...so thanks to Regon for his great job!
Bookmarks sample plugin v1.06 (plugin demo)
Copyright (C) 2001, 2002 Oleh Yuschuk
CleanupEx v1.12.108 by Gigapede
CommandBar v3.00.108
Originary Written by Oleh Yuschuk Modified by Gigapede Contributors:TBD Wayne psyCK0 mfn
GODUP ver 1.2 by godfather+ - Delphi edition
Hide Caption v1.00 by Gigapede
HideOD, www.pediy.com
ODbgScript v1.65.2 chinese version by hnhuqiong
http://bbs.pediy.com or http://www.unpack.cn
OllyDump v3.00.110 by Gigapede
OllyMachine v0.20
Written by Luo Cong
Compiled on Dec 7 2004 14:32:15
OllyScript v0.92
Written by SHaG
PhantOm plugin 1.20
by Hellsp@wn & Archer
Ultra String Reference v0.11
Written by Luo Cong
Compiled on Sep 20 2005 15:33:30
WatchMan v1.00 by Gigapede
数据格式转换 plugin v1.1
该插件可以将内存里的二进制数据转换为相应的编译语言数据格式
Copyright (C) 2006 by zhanshen[DFCG][RCT]
Scanning import library '.\LIB\MFC42.Lib'
Resolved 6384 ordinals
Scanning import library '.\LIB\mfc71.Lib'
Resolved 6442 ordinals
File 'J:\论坛\VIP版2.8.0.0 请解压后运行\Wind-VIP.exe'
New process with ID 00000D28 created
00401000 Main thread with ID 00000860 created
00400000 Module J:\论坛\VIP版2.8.0.0 请解压后运行\Wind-VIP.exe
004D0000 Code size in header is 00000000, extending to size of section at 004D0000
76990000 Module C:\WINDOWS\system32\ole32.dll
770F0000 Module C:\WINDOWS\system32\oleaut32.dll
77BE0000 Module C:\WINDOWS\system32\msvcrt.dll
77D10000 Module C:\WINDOWS\system32\user32.dll
77DA0000 Module C:\WINDOWS\system32\ADVAPI32.dll
77E50000 Module C:\WINDOWS\system32\RPCRT4.dll
77EF0000 Module C:\WINDOWS\system32\GDI32.dll
77FC0000 Module C:\WINDOWS\system32\Secur32.dll
7C800000 Module C:\WINDOWS\system32\kernel32.dll
7C920000 Module C:\WINDOWS\system32\ntdll.dll
76300000 Module C:\WINDOWS\system32\IMM32.DLL
62C20000 Module C:\WINDOWS\system32\LPK.DLL
73FA0000 Module C:\WINDOWS\system32\USP10.dll
6D710000 Module C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll
76BC0000 Module C:\WINDOWS\system32\PSAPI.DLL
6D730000 Module C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll
6D020000 Module C:\PROGRA~1\KASPER~1\KASPER~1\adialhk.dll
7C93AC4A Access violation when writing to [00000010]
6D020000 Unload C:\PROGRA~1\KASPER~1\KASPER~1\adialhk.dll
00401000 Program entry point
00400000 Unload J:\论坛\VIP版2.8.0.0 请解压后运行\Wind-VIP.exe
62C20000 Unload C:\WINDOWS\system32\LPK.DLL
6D710000 Unload C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll
6D730000 Unload C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll
73FA0000 Unload C:\WINDOWS\system32\USP10.dll
76300000 Unload C:\WINDOWS\system32\IMM32.DLL
76990000 Unload C:\WINDOWS\system32\ole32.dll
76BC0000 Unload C:\WINDOWS\system32\PSAPI.DLL
770F0000 Unload C:\WINDOWS\system32\oleaut32.dll
77BE0000 Unload C:\WINDOWS\system32\msvcrt.dll
77D10000 Unload C:\WINDOWS\system32\user32.dll
77DA0000 Unload C:\WINDOWS\system32\ADVAPI32.dll
77E50000 Unload C:\WINDOWS\system32\RPCRT4.dll
77EF0000 Unload C:\WINDOWS\system32\GDI32.dll
77FC0000 Unload C:\WINDOWS\system32\Secur32.dll
7C800000 Unload C:\WINDOWS\system32\kernel32.dll
7C920000 Unload C:\WINDOWS\system32\ntdll.dll
Process terminated
Scanning import library '.\LIB\MFC42.Lib'
Resolved 6384 ordinals
Scanning import library '.\LIB\mfc71.Lib'
Resolved 6442 ordinals
File 'J:\论坛\VIP版2.8.0.0 请解压后运行\Wind-VIP.exe'
New process with ID 00001330 created
00401000 Main thread with ID 000011EC created
00400000 Module J:\论坛\VIP版2.8.0.0 请解压后运行\Wind-VIP.exe
004D0000 Code size in header is 00000000, extending to size of section at 004D0000
76990000 Module C:\WINDOWS\system32\ole32.dll
770F0000 Module C:\WINDOWS\system32\oleaut32.dll
77BE0000 Module C:\WINDOWS\system32\msvcrt.dll
77D10000 Module C:\WINDOWS\system32\user32.dll
77DA0000 Module C:\WINDOWS\system32\ADVAPI32.dll
77E50000 Module C:\WINDOWS\system32\RPCRT4.dll
77EF0000 Module C:\WINDOWS\system32\GDI32.dll
77FC0000 Module C:\WINDOWS\system32\Secur32.dll
7C800000 Module C:\WINDOWS\system32\kernel32.dll
7C920000 Module C:\WINDOWS\system32\ntdll.dll
76300000 Module C:\WINDOWS\system32\IMM32.DLL
62C20000 Module C:\WINDOWS\system32\LPK.DLL
73FA0000 Module C:\WINDOWS\system32\USP10.dll
6D710000 Module C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll
76BC0000 Module C:\WINDOWS\system32\PSAPI.DLL
6D730000 Module C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll
6D020000 Module C:\PROGRA~1\KASPER~1\KASPER~1\adialhk.dll
7C93AC4A Access violation when writing to [00000010]
6D020000 Unload C:\PROGRA~1\KASPER~1\KASPER~1\adialhk.dll
00401000 Program entry point
6D4C0000 Module C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll
77BD0000 Module C:\WINDOWS\system32\version.dll
71A40000 Module C:\WINDOWS\system32\wsock32.dll
71A20000 Module C:\WINDOWS\system32\WS2_32.dll
71A10000 Module C:\WINDOWS\system32\WS2HELP.dll
7C80176F Breakpoint at kernel32.GetSystemTime
freeloc: 00BA0000
00BFFF66 Access violation when writing to [00000000]
00BFE2BA INT3 command at 00BFE2BA
00BFF004 Access violation when writing to [00000000]
00BFF7F3 Breakpoint at 00BFF7F3
00BFF6F4 Breakpoint at 00BFF6F4
00BFF382 Access violation when writing to [00000000]
00BF4C5A Breakpoint at 00BF4C5A
00BA011A Breakpoint at 00BA011A
AsprAPIloc: 00C0267C
00BFF4B8 Breakpoint at 00BFF4B8
00BFF5D1 Breakpoint at 00BFF5D1
00BFF609 Breakpoint at 00BFF609
00BFF67A Breakpoint at 00BFF67A
00BA0250 Breakpoint at 00BA0250
00BFE2BA INT3 command at 00BFE2BA
00BCED08 Breakpoint at 00BCED08
00BF58DF Breakpoint at 00BF58DF
00BFE834 Hardware breakpoint 1 at 00BFE834
004D1BD3 Conditional pause: eip < 01E00000
IAT 的地址 = 004E2000
IAT 的相对地址 = 000E2000
IAT 的大小 = 00000064
00BA0042 Breakpoint at 00BA0042
OEP 的地址 = 004D1BD3
OEP 的相对地址 = 000D1BD3
Then I opened ImportREC,
found the Wind-VIP.exe process,
and changed
OEP: 000D1BD3
RVA: 000E2000
Size: 00000064
Clicked "Get Imports"; it shows invalid functions.
Then I clicked "Fix Dump"
and got the file de_Wind-VIP_.exe.
I don't know whether the unpacking above succeeded.
The file won't run when I click it.
I looked at many tutorials that say the appended data (overlay) has to be added, but I couldn't find that tutorial.
Could the experts please advise how to do this?
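The "appended data" the tutorials refer to is the PE overlay that PEiD flagged with [Overlay]: bytes stored in the file after the end of the last section's raw data, which are never mapped into memory and therefore never end up in an OllyDump/ImportREC dump. The script below is an added example, not from the post or from any of the tools named in it; it locates the overlay from the packed file's section table and appends it to the dump (the file name overlay.py and the minimal PE built by build_sample_pe are constructed for testing).

```python
import struct
import sys

def overlay_offset(pe: bytes) -> int:
    """File offset where the overlay starts: the end of the last section's
    raw data (max PointerToRawData + SizeOfRawData over the section table)."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    # IMAGE_FILE_HEADER follows the signature: NumberOfSections at +2,
    # SizeOfOptionalHeader at +16; the section table follows the optional header.
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    sect_table = e_lfanew + 24 + opt_size
    end = sect_table + 40 * num_sections          # at least the headers
    for i in range(num_sections):
        # IMAGE_SECTION_HEADER: SizeOfRawData at +16, PointerToRawData at +20
        raw_size, raw_ptr = struct.unpack_from("<II", pe, sect_table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return min(end, len(pe))                      # no overlay -> offset == len(pe)

def split_overlay(pe: bytes) -> tuple:
    """Return (image bytes, overlay bytes)."""
    off = overlay_offset(pe)
    return pe[:off], pe[off:]

def append_overlay(dump: bytes, packed: bytes) -> bytes:
    """Append the packed file's overlay to the unpacked dump."""
    return dump + split_overlay(packed)[1]

def build_sample_pe(overlay: bytes) -> bytes:
    """Constructed minimal PE32 for testing: 0x200-byte headers, one section
    of 0x200 raw bytes at file offset 0x200, then the given overlay."""
    e_lfanew, opt_size = 0x40, 0xE0               # 0xE0 = PE32 optional header size
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<H", hdr, e_lfanew + 6, 1)           # one section
    struct.pack_into("<H", hdr, e_lfanew + 20, opt_size)
    sect = e_lfanew + 24 + opt_size
    hdr[sect:sect + 8] = b".text\0\0\0"
    struct.pack_into("<II", hdr, sect + 16, 0x200, 0x200)  # SizeOfRawData, PointerToRawData
    return bytes(hdr) + b"\xcc" * 0x200 + overlay

if __name__ == "__main__":   # usage: python overlay.py packed.exe dump.exe out.exe
    packed, dump = open(sys.argv[1], "rb").read(), open(sys.argv[2], "rb").read()
    open(sys.argv[3], "wb").write(append_overlay(dump, packed))
```

Appending only helps when the program finds its overlay through its own section table; a program that reads the overlay from a file offset hard-coded for the packed file will still miss it, because the dump's sections end at a different offset.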