[Original] Unpacking a PEquake-packed Notepad
Posted: 2009-7-8 15:33
[Author's note]: Nothing technically deep here; corrections from the experts are welcome.
[Target]: the sample program is in the attachment
[Environment]: WinXP SP2, OllyDbg (OD), PEiD, LordPE, ImportREC
Notes:
PEquake is a very old packer. With some time to kill I decided to practise on it; nothing clever, the experts can skip this. I referred to cyclotron's article. Don't use a modified OllyDbg: it caused problems for me here, the stock build did not.
Procedure:
Set OllyDbg to ignore all exceptions and hide it from the target, load the file, and we land here at the packer's entry point:
0040D000 <> E8 A5000000 call notepad9.0040D0AA
0040D005 2D D0000000 sub eax,0D0
0040D00A 0000 add byte ptr ds:[eax],al
0040D00C 0000 add byte ptr ds:[eax],al
0040D00E 0000 add byte ptr ds:[eax],al
0040D010 003D D000002D add byte ptr ds:[2D0000D0],bh
0040D016 D000 rol byte ptr ds:[eax],1
0040D018 0000 add byte ptr ds:[eax],al
0040D01A 0000 add byte ptr ds:[eax],al
Next comes a long stretch of SEH tricks and junk instructions. Set bp CreateThread and run; at the break the stack looks like this:
0012FFA8 003925CF /CALL to CreateThread from 003925C9
0012FFAC 00000000 |pSecurity = NULL
0012FFB0 00000000 |StackSize = 0
0012FFB4 00392597 |ThreadFunction = 00392597
0012FFB8 7C816FF7 |pThreadParm = kernel32.7C816FF7
0012FFBC 00000000 |CreationFlags = 0
0012FFC0 0039265A \pThreadId = 0039265A
0012FFC4 7C816FF7 RETURN to kernel32.7C816FF7
Set a breakpoint at the thread entry with bp 392597 and F9; we stop here:
00392597 E8 00000000 call 0039259C ; we stop here: call $+5 / pop ebp gets the stub's own address
0039259C 5D pop ebp ; ebp = 0039259C
0039259D 81ED A4184000 sub ebp,4018A4 ; ebp = delta between the stub's actual and assembled addresses; later references are ebp-relative
003925A3 68 F4010000 push 1F4
003925A8 FF95 B1634000 call dword ptr ss:[ebp+4063B1] ; kernel32.Sleep
Ctrl+F and search for the instruction CMP EAX,4C505845; it is found at:
00392F3C 25 5F5F5F5F and eax,5F5F5F5F ; folds the four name bytes to upper case
00392F41 3D 4558504C cmp eax,4C505845 ; found here: 4C505845 is "EXPL" as a little-endian dword
00392F46 - 75 FE jnz short 00392F46 ; if the parent isn't EXPLORER.EXE, spin here forever
The check compares the first four bytes of the parent process name with "EXPL"; the AND with 5F5F5F5F clears bit 5 of every byte so that lower case passes too. The jnz jumps to itself, so a wrong parent means the thread hangs rather than exits. OK, NOP out this jump to disable the parent-process check. The anti-tracing tricks that follow are no longer a problem.
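An added example, not code from the original post: the same test the three instructions above perform, written out so the mask trick is visible, plus a signature scan that locates the and/cmp/jnz-$ sequence by its bytes and NOPs the jump, so the patch does not depend on the 00392Fxx address of one particular run (the stub lives in a heap region). It assumes the bytes come from the already-decrypted stub as read out of process memory, not from the packed file on disk; the function and constant names are my own.

```python
"""
PEquake parent-process check, re-implemented and turned into a patch.

The stub does:  and eax,5F5F5F5F / cmp eax,4C505845 / jnz short $
eax holds the first four bytes of the parent's image name as a little-endian
dword; AND 5F5F5F5F clears bit 5 of every byte, which folds ASCII letters to
upper case, and 4C505845 is the dword for "EXPL".  If the compare fails the
jnz jumps to itself and the thread spins forever.
"""
import struct

# Exact bytes of the three instructions from the listing (and / cmp / jnz $).
PARENT_CHECK_SIG = bytes.fromhex("255F5F5F5F" "3D4558504C" "75FE")
NAME_MASK = 0x5F5F5F5F
EXPL = 0x4C505845            # b"EXPL" read as a little-endian dword


def parent_check_passes(image_name: bytes) -> bool:
    """Same test the stub performs on the parent process name."""
    first4 = struct.unpack_from("<I", image_name[:4].ljust(4, b"\0"))[0]
    return (first4 & NAME_MASK) == EXPL


def nop_parent_check(code: bytearray) -> list:
    """Find every and/cmp/jnz-$ sequence and replace the 2-byte jnz with NOPs.

    `code` is the decrypted stub as read from process memory (assumption: the
    region is already unpacked; the packed file on disk does not contain these
    bytes in the clear).  Returns the offsets of the patched jnz instructions.
    """
    patched = []
    pos = 0
    while (idx := code.find(PARENT_CHECK_SIG, pos)) != -1:
        jnz = idx + len(PARENT_CHECK_SIG) - 2
        code[jnz:jnz + 2] = b"\x90\x90"
        patched.append(jnz)
        pos = idx + len(PARENT_CHECK_SIG)
    return patched


if __name__ == "__main__":
    for name in (b"explorer.exe", b"Explorer.EXE", b"ollydbg.exe"):
        print(name.decode(), "passes" if parent_check_passes(name) else "hangs")
    # Constructed stub fragment: junk, the check, junk.
    stub = bytearray(b"\xcc" * 4 + PARENT_CHECK_SIG + b"\xcc" * 4)
    print("patched jnz at offsets", nop_parent_check(stub))
```

Because the mask is lossy (any byte with the same low 5 bits and bit 6 set passes), the check is only a case-insensitive prefix test, which is exactly why both explorer.exe and EXPLORER.EXE satisfy it while a debugger's process name does not.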
Then Ctrl+G GetModuleHandleA:
7C80B6C1 k> 8BFF mov edi,edi
7C80B6C3 55 push ebp
7C80B6C4 8BEC mov ebp,esp
7C80B6C6 837D 08 00 cmp dword ptr ss:[ebp+8],0
7C80B6CA 74 18 je short kernel32.7C80B6E4
7C80B6CC FF75 08 push dword ptr ss:[ebp+8]
7C80B6CF E8 C0290000 call kernel32.7C80E094
7C80B6D4 85C0 test eax,eax
7C80B6D6 74 08 je short kernel32.7C80B6E0
7C80B6D8 FF70 04 push dword ptr ds:[eax+4]
7C80B6DB E8 7D2D0000 call kernel32.GetModuleHandleW
7C80B6E0 5D pop ebp
7C80B6E1 C2 0400 retn 4 ; F2 to set a breakpoint here
F9 to run. When the breakpoint on the retn hits, press Alt+M and set a memory breakpoint on access on the code section; this is repeated a few times (after each hit, F4 past the current instruction and set it again).
First time: F9 stops here:
00383CB1 8907 mov dword ptr ds:[edi],eax ; eax = SHELL32.DragFinish, being stored into the import table
00383CB3 5A pop edx
00383CB4 0FB642 FF movzx eax,byte ptr ds:[edx-1]
00383CB8 03D0 add edx,eax
00383CBA 42 inc edx
00383CBB 83C7 04 add edi,4
00383CBE 59 pop ecx
00383CBF ^ E2 CA loopd short 00383C8B
00383CC1 ^ E9 EFFCFFFF jmp 003839B5
00383CC6 64:A1 30000000 mov eax,dword ptr fs:[30] ; fs:[30] = PEB. F4 to here, then set the memory breakpoint again
00383CCC 85C0 test eax,eax
00383CCE 78 08 js short 00383CD8
00383CD0 0FB648 02 movzx ecx,byte ptr ds:[eax+2]
Second time: F9 stops here:
00383FB9 8BDE mov ebx,esi
00383FBB 2BD8 sub ebx,eax
00383FBD 8958 FC mov dword ptr ds:[eax-4],ebx ; we stop here
00383FC0 83C7 08 add edi,8
00383FC3 ^ E9 44FDFFFF jmp 00383D0C
00383FC8 68 9F6F56B6 push B6566F9F ; F4 to here, then set the memory breakpoint again
00383FCD 50 push eax
00383FCE E8 5D000000 call 00384030
Third time: F9 stops here, at the OEP:
004010CC 55 push ebp ; OEP
004010CD 8BEC mov ebp,esp
004010CF 83EC 44 sub esp,44
004010D2 56 push esi
004010D3 90 nop
004010D4 E8 7258F8FF call 0038694B
004010D9 8BF0 mov esi,eax
004010DB 8A00 mov al,byte ptr ds:[eax]
004010DD 3C 22 cmp al,22
004010DF 75 1B jnz short notepad9.004010FC
004010E1 56 push esi
004010E2 90 nop
004010E3 E8 6358F8FF call 0038694B
004010E8 8BF0 mov esi,eax
004010EA 8A00 mov al,byte ptr ds:[eax]
004010EC 84C0 test al,al
004010EE 74 04 je short notepad9.004010F4
004010F0 3C 22 cmp al,22
004010F2 ^ 75 ED jnz short notepad9.004010E1
004010F4 803E 22 cmp byte ptr ds:[esi],22
We can see that every API call in the program has been turned into call 0038694B: each original 6-byte call dword ptr [IAT] was replaced with nop + call resolver (90 E8 rel32, the same length), and the resolver works out which import was meant from its return address.
Pick one of these calls and follow it into 0038694B; we take this one:
004010D4 E8 7258F8FF call 0038694B
After stepping through a stretch of junk instructions we reach the decoding routine:
00386C07 8B06 mov eax,dword ptr ds:[esi] ; esi points to a table of 8-byte entries
00386C09 33D2 xor edx,edx
00386C0B B9 02000000 mov ecx,2
00386C10 F7E1 mul ecx ; eax*2: bit 31 of the entry lands in edx
00386C12 D1E8 shr eax,1 ; restore the address; dl now holds the jmp/call flag
00386C14 3BF8 cmp edi,eax ; edi = return address of the stub call being resolved
00386C16 0F85 62010000 jnz 00386D7E ; no match, next entry
00386C1C 0AD2 or dl,dl
00386C1E 75 0A jnz short 00386C2A ; flag set: ff25 (jmp) form; clear: ff15 (call) form
00386C20 /E9 61010000 jmp 00386D86
The table (8 bytes per entry: the address right after the stub call, then the IAT slot it stands for; bit 31 of the first dword marks jmp-type entries, and an all-zero entry ends the table):
00387E03 5C 1A 40 00 F8 63 40 00 \@.鴆@.
00387E0B 23 15 40 00 FC 63 40 00 #@.點@.
00387E13 6F 34 40 00 00 64 40 00 o4@..d@.
00387E1B 64 2D 40 00 04 64 40 00 d-@.d@.
00387E23 A3 30 40 00 08 64 40 00 ?@.d@.
00387E2B 2F 1A 40 00 0C 64 40 00 /@..d@.
00387E33 46 1A 40 00 0C 64 40 00 F@..d@.
00387E3B 02 33 40 00 5C 63 40 00 3@.\c@.
00387E43 59 33 40 00 5C 63 40 00 Y3@.\c@.
00387E4B 2C 33 40 00 60 63 40 00 ,3@.`c@.
00387E53 1F 33 40 00 64 63 40 00 3@.dc@.
00387E5B 86 33 40 00 64 63 40 00 ?@.dc@.
00387E63 82 35 40 00 64 63 40 00 ?@.dc@.
00387E6B 0D 37 40 00 64 63 40 00 .7@.dc@.
00387E73 21 32 40 00 68 63 40 00 !2@.hc@.
00387E7B 13 33 40 00 6C 63 40 00 3@.lc@.
00387E83 AB 33 40 00 6C 63 40 00 ?@.lc@.
00387E8B B9 35 40 00 6C 63 40 00 ?@.lc@.
00387E93 18 36 40 00 6C 63 40 00 6@.lc@.
00387E9B 88 36 40 00 6C 63 40 00 ?@.lc@.
00387EA3 77 39 40 00 6C 63 40 00 w9@.lc@.
00387EAB E0 3A 40 00 6C 63 40 00 ?@.lc@.
00387EB3 0C 3B 40 00 6C 63 40 00 .;@.lc@.
00387EBB 21 3B 40 00 6C 63 40 00 !;@.lc@.
00387EC3 7A 41 40 00 6C 63 40 00 zA@.lc@.
00387ECB DA 43 40 00 6C 63 40 00 贑@.lc@.
00387ED3 3A 32 40 00 70 63 40 00 :2@.pc@.
00387EDB FB 34 40 00 74 63 40 00 ?@.tc@.
00387EE3 0B 35 40 00 74 63 40 00 5@.tc@.
00387EEB CE 29 40 00 78 63 40 00 ?@.xc@.
00387EF3 AB 32 40 00 78 63 40 00 ?@.xc@.
00387EFB 29 35 40 00 78 63 40 00 )5@.xc@.
00387F03 C6 37 40 00 78 63 40 00 ?@.xc@.
00387F0B 30 29 40 00 7C 63 40 00 0)@.|c@.
00387F13 5A 2E 40 00 7C 63 40 00 Z.@.|c@.
00387F1B 7B 38 40 00 7C 63 40 00 {8@.|c@.
00387F23 54 3A 40 00 7C 63 40 00 T:@.|c@.
00387F2B 3B 41 40 00 7C 63 40 00 ;A@.|c@.
00387F33 3B 29 40 00 80 63 40 00 ;)@.€c@.
00387F3B E0 32 40 00 80 63 40 00 ?@.€c@.
00387F43 66 35 40 00 80 63 40 00 f5@.€c@.
00387F4B 66 36 40 00 80 63 40 00 f6@.€c@.
00387F53 8D 38 40 00 80 63 40 00 ?@.€c@.
00387F5B 8D 3A 40 00 80 63 40 00 ?@.€c@.
00387F63 4F 41 40 00 80 63 40 00 OA@.€c@.
00387F6B E8 41 40 00 80 63 40 00 鐰@.€c@.
00387F73 AB 41 40 00 84 63 40 00 獳@.刢@.
00387F7B BD 41 40 00 84 63 40 00 紸@.刢@.
00387F83 5F 47 40 00 88 63 40 00 _G@.坈@.
00387F8B 82 4B 40 00 88 63 40 00 侹@.坈@.
00387F93 B2 4B 40 00 8C 63 40 00 睰@.宑@.
00387F9B 9B 4B 40 00 90 63 40 00 汯@.恈@.
00387FA3 3B 4D 40 00 94 63 40 00 ;M@.攃@.
00387FAB F7 4D 40 00 94 63 40 00 鱉@.攃@.
00387FB3 37 11 40 00 98 63 40 00 7@.榗@.
00387FBB D4 33 40 00 98 63 40 00 ?@.榗@.
00387FC3 52 11 40 00 9C 63 40 00 R@.渃@.
00387FCB 61 11 40 00 A0 63 40 00 a@.燾@.
00387FD3 6F 24 40 00 A4 63 40 00 o$@.@.
00387FDB A6 35 40 00 A4 63 40 00 ?@.@.
00387FE3 E3 37 40 00 A4 63 40 00 ?@.@.
00387FEB C9 39 40 00 A4 63 40 00 ?@.@.
00387FF3 75 49 40 00 A4 63 40 00 uI@.@.
00387FFB FE 49 40 00 A4 63 40 00 蘒@.@.
00388003 C5 4A 40 00 A4 63 40 00 臞@.@.
0038800B 16 4E 40 00 A4 63 40 00 N@.@.
00388013 61 4E 40 00 A4 63 40 00 aN@.@.
0038801B 7B 4E 40 00 A4 63 40 00 {N@.@.
00388023 F4 4E 40 00 A4 63 40 00 鬘@.@.
0038802B 4D 4F 40 00 A4 63 40 00 MO@.@.
00388033 66 4F 40 00 A4 63 40 00 fO@.@.
0038803B C3 28 40 00 A8 63 40 00 ?@.╟@.
00388043 21 25 40 00 AC 63 40 00 !%@.琧@.
0038804B 8B 21 40 00 B0 63 40 00 ?@.癱@.
00388053 7E 4D 40 00 B0 63 40 00 ~M@.癱@.
0038805B C2 23 40 00 B4 63 40 00 ?@.碿@.
00388063 6F 3D 40 00 B4 63 40 00 o=@.碿@.
0038806B 80 3D 40 00 B4 63 40 00 €=@.碿@.
00388073 7E 4C 40 00 B4 63 40 00 ~L@.碿@.
0038807B B1 4C 40 00 B4 63 40 00 盠@.碿@.
00388083 0E 4D 40 00 B4 63 40 00 M@.碿@.
0038808B 89 23 40 00 B8 63 40 00 ?@.竎@.
00388093 0A 22 40 00 BC 63 40 00 ."@.糲@.
0038809B 1C 38 40 00 BC 63 40 00 8@.糲@.
003880A3 AD 21 40 00 C0 63 40 00 ?@.纁@.
003880AB EC 28 40 00 C0 63 40 00 ?@.纁@.
003880B3 03 29 40 00 C0 63 40 00 )@.纁@.
003880BB CF 21 40 00 C4 63 40 00 ?@.腸@.
003880C3 0F 29 40 00 C4 63 40 00 )@.腸@.
003880CB 50 16 40 00 C8 63 40 00 P@.萩@.
003880D3 1B 2E 40 00 C8 63 40 00 .@.萩@.
003880DB D2 3E 40 00 C8 63 40 00 ?@.萩@.
003880E3 71 19 40 00 CC 63 40 00 q@.蘡@.
003880EB D3 2A 40 00 CC 63 40 00 ?@.蘡@.
003880F3 F7 2E 40 00 CC 63 40 00 ?@.蘡@.
003880FB D2 40 40 00 CC 63 40 00 褸@.蘡@.
00388103 6A 14 40 00 D0 63 40 00 j@.衏@.
0038810B AB 14 40 00 D0 63 40 00 ?@.衏@.
00388113 BF 2A 40 00 D0 63 40 00 ?@.衏@.
0038811B 29 2B 40 00 D0 63 40 00 )+@.衏@.
00388123 FC 2B 40 00 D0 63 40 00 ?@.衏@.
0038812B E3 2E 40 00 D0 63 40 00 ?@.衏@.
00388133 4D 2F 40 00 D0 63 40 00 M/@.衏@.
0038813B 14 32 40 00 D0 63 40 00 2@.衏@.
00388143 7D 11 40 00 D4 63 40 00 }@.詂@.
0038814B 92 11 40 00 D4 63 40 00 ?@.詂@.
00388153 F5 43 40 00 D4 63 40 00 魿@.詂@.
0038815B 6C 44 40 00 D4 63 40 00 lD@.詂@.
00388163 C4 44 40 00 D4 63 40 00 腄@.詂@.
0038816B D9 44 40 00 D4 63 40 00 貲@.詂@.
00388173 10 14 40 00 D8 63 40 00 @.豤@.
0038817B CB 17 40 00 D8 63 40 00 ?@.豤@.
00388183 DB 17 40 00 D8 63 40 00 ?@.豤@.
0038818B 4E 18 40 00 D8 63 40 00 N@.豤@.
00388193 8D 18 40 00 D8 63 40 00 ?@.豤@.
0038819B B2 1B 40 00 D8 63 40 00 ?@.豤@.
003881A3 13 1C 40 00 D8 63 40 00 @.豤@.
003881AB 3D 1C 40 00 D8 63 40 00 =@.豤@.
003881B3 9D 21 40 00 D8 63 40 00 ?@.豤@.
003881BB C8 21 40 00 D8 63 40 00 ?@.豤@.
003881C3 DF 21 40 00 D8 63 40 00 ?@.豤@.
003881CB 2C 36 40 00 D8 63 40 00 ,6@.豤@.
003881D3 1F 37 40 00 D8 63 40 00 7@.豤@.
003881DB 93 37 40 00 D8 63 40 00 ?@.豤@.
003881E3 B8 3C 40 00 D8 63 40 00 ?@.豤@.
003881EB 2C 3F 40 00 D8 63 40 00 ,?@.豤@.
003881F3 35 45 40 00 D8 63 40 00 5E@.豤@.
003881FB BA 45 40 00 D8 63 40 00 篍@.豤@.
00388203 CA 48 40 00 D8 63 40 00 蔋@.豤@.
0038820B FA 48 40 00 D8 63 40 00 鶫@.豤@.
00388213 67 49 40 00 D8 63 40 00 gI@.豤@.
0038821B AF 49 40 00 D8 63 40 00 疘@.豤@.
00388223 BE 11 40 00 DC 63 40 00 ?@.躢@.
0038822B 9C 38 40 00 E0 63 40 00 ?@.郼@.
00388233 E7 3A 40 00 E0 63 40 00 ?@.郼@.
0038823B 13 3B 40 00 E0 63 40 00 ;@.郼@.
00388243 5C 41 40 00 E0 63 40 00 \A@.郼@.
0038824B E3 43 40 00 E0 63 40 00 鉉@.郼@.
00388253 D9 10 40 00 E4 63 40 00 ?@.鋍@.
0038825B 4A 3D 40 00 E8 63 40 00 J=@.鑓@.
00388263 EC 43 40 00 E8 63 40 00 霤@.鑓@.
0038826B 51 4B 40 00 E8 63 40 00 QK@.鑓@.
00388273 66 4B 40 00 E8 63 40 00 fK@.鑓@.
0038827B 76 35 40 00 EC 63 40 00 v5@.靋@.
00388283 C4 3C 40 00 F0 63 40 00 ?@.餭@.
0038828B DC 41 40 00 F0 63 40 00 蹵@.餭@.
00388293 0C 4B 40 00 F0 63 40 00 .K@.餭@.
0038829B 28 4B 40 00 F0 63 40 00 (K@.餭@.
003882A3 80 47 40 00 14 64 40 00 €G@.d@.
003882AB A4 47 40 00 14 64 40 00 @.d@.
003882B3 3F 49 40 00 14 64 40 00 ?I@.d@.
003882BB E0 22 40 00 18 64 40 00 ?@.d@.
003882C3 D7 22 40 00 1C 64 40 00 ?@.d@.
003882CB CB 22 40 00 20 64 40 00 ?@. d@.
003882D3 6F 22 40 00 24 64 40 00 o"@.$d@.
003882DB 68 29 40 00 28 64 40 00 h)@.(d@.
003882E3 B2 29 40 00 28 64 40 00 ?@.(d@.
003882EB 12 34 40 00 28 64 40 00 4@.(d@.
003882F3 30 34 40 00 28 64 40 00 04@.(d@.
003882FB 18 3F 40 00 28 64 40 00 ?@.(d@.
00388303 AA 3F 40 00 28 64 40 00 ?@.(d@.
0038830B BB 47 40 00 28 64 40 00 籊@.(d@.
00388313 7F 2A 40 00 2C 64 40 00 *@.,d@.
0038831B F0 2C 40 00 2C 64 40 00 ?@.,d@.
00388323 69 2A 40 00 30 64 40 00 i*@.0d@.
0038832B 3C 3C 40 00 30 64 40 00 <<@.0d@.
00388333 F7 30 40 00 34 64 40 00 ?@.4d@.
0038833B CA 2F 40 00 38 64 40 00 ?@.8d@.
00388343 47 2D 40 00 3C 64 40 00 G-@.<d@.
0038834B D9 2D 40 00 3C 64 40 00 ?@.<d@.
00388353 D3 3A 40 00 3C 64 40 00 ?@.<d@.
0038835B E2 2C 40 00 40 64 40 00 ?@.@d@.
00388363 83 31 40 00 40 64 40 00 ?@.@d@.
0038836B CE 31 40 00 44 64 40 00 ?@.Dd@.
00388373 6E 31 40 00 48 64 40 00 n1@.Hd@.
0038837B FA 36 40 00 4C 64 40 00 ?@.Ld@.
00388383 03 38 40 00 50 64 40 00 8@.Pd@.
0038838B 86 3A 40 00 54 64 40 00 ?@.Td@.
00388393 C7 3B 40 00 58 64 40 00 ?@.Xd@.
0038839B 5E 3C 40 00 5C 64 40 00 ^<@.\d@.
003883A3 07 47 40 00 5C 64 40 00 G@.\d@.
003883AB 36 3D 40 00 60 64 40 00 6=@.`d@.
003883B3 FC 42 40 00 60 64 40 00 麭@.`d@.
003883BB 28 43 40 00 60 64 40 00 (C@.`d@.
003883C3 67 43 40 00 60 64 40 00 gC@.`d@.
003883CB 10 41 40 00 64 64 40 00 A@.dd@.
003883D3 F6 40 40 00 68 64 40 00 鯜@.hd@.
003883DB D4 45 40 00 68 64 40 00 訣@.hd@.
003883E3 A1 40 40 00 6C 64 40 00 @.ld@.
003883EB F8 46 40 00 70 64 40 00 鳩@.pd@.
003883F3 23 47 40 00 70 64 40 00 #G@.pd@.
003883FB 49 46 40 00 74 64 40 00 IF@.td@.
00388403 AB 46 40 00 74 64 40 00 獸@.td@.
0038840B 9E 46 40 00 78 64 40 00 濬@.xd@.
00388413 8F 46 40 00 7C 64 40 00 廎@.|d@.
0038841B 82 46 40 00 80 64 40 00 侳@.€d@.
00388423 35 46 40 00 84 64 40 00 5F@.刣@.
0038842B A5 22 40 00 88 64 40 00 ?@.坉@.
00388433 BB 22 40 00 88 64 40 00 ?@.坉@.
0038843B FA 22 40 00 88 64 40 00 ?@.坉@.
00388443 11 23 40 00 88 64 40 00 #@.坉@.
0038844B 3C 23 40 00 88 64 40 00 <#@.坉@.
00388453 5F 23 40 00 88 64 40 00 _#@.坉@.
0038845B 66 23 40 00 8C 64 40 00 f#@.宒@.
00388463 1D 22 40 00 90 64 40 00 "@.恉@.
0038846B 1E 21 40 00 94 64 40 00 !@.攄@.
00388473 DF 3B 40 00 94 64 40 00 ?@.攄@.
0038847B 46 21 40 00 98 64 40 00 F!@.榙@.
00388483 ED 3B 40 00 98 64 40 00 ?@.榙@.
0038848B 50 21 40 00 9C 64 40 00 P!@.渄@.
00388493 F7 3B 40 00 9C 64 40 00 ?@.渄@.
0038849B 02 21 40 00 A0 64 40 00 !@.燿@.
003884A3 5D 21 40 00 A0 64 40 00 ]!@.燿@.
003884AB A9 1E 40 00 A4 64 40 00 ?@.@.
003884B3 05 3B 40 00 A4 64 40 00 ;@.@.
003884BB 3E 3B 40 00 A4 64 40 00 >;@.@.
003884C3 E0 45 40 00 A4 64 40 00 郋@.@.
003884CB CB 1E 40 00 A8 64 40 00 ?@.╠@.
003884D3 D2 1E 40 00 A8 64 40 00 ?@.╠@.
003884DB EB 1E 40 00 AC 64 40 00 ?@.琩@.
003884E3 40 24 40 00 AC 64 40 00 @$@.琩@.
003884EB 89 29 40 00 AC 64 40 00 ?@.琩@.
003884F3 E6 33 40 00 AC 64 40 00 ?@.琩@.
003884FB 8B 34 40 00 AC 64 40 00 ?@.琩@.
00388503 94 1D 40 00 B0 64 40 00 ?@.癲@.
0038850B DF 1D 40 00 B0 64 40 00 ?@.癲@.
00388513 16 20 40 00 B0 64 40 00 @.癲@.
0038851B 87 20 40 00 B0 64 40 00 ?@.癲@.
00388523 BA 20 40 00 B4 64 40 00 ?@.磀@.
0038852B AC 22 40 00 B4 64 40 00 ?@.磀@.
00388533 C2 22 40 00 B4 64 40 00 ?@.磀@.
0038853B 01 23 40 00 B4 64 40 00 #@.磀@.
00388543 18 23 40 00 B4 64 40 00 #@.磀@.
0038854B 43 23 40 00 B4 64 40 00 C#@.磀@.
00388553 99 23 40 00 B4 64 40 00 ?@.磀@.
0038855B 8E 3C 40 00 B4 64 40 00 ?@.磀@.
00388563 D4 1A 40 00 B8 64 40 00 ?@.竏@.
0038856B DF 1A 40 00 BC 64 40 00 ?@.糳@.
00388573 D7 2B 40 00 BC 64 40 00 ?@.糳@.
0038857B D9 2F 40 00 BC 64 40 00 ?@.糳@.
00388583 58 3B 40 00 BC 64 40 00 X;@.糳@.
0038858B E8 1A 40 00 C0 64 40 00 ?@.纃@.
00388593 50 1A 40 00 C4 64 40 00 P@.膁@.
0038859B 5C 13 40 00 C8 64 40 00 \@.萪@.
003885A3 7F 1E 40 00 C8 64 40 00 @.萪@.
003885AB 69 46 40 00 C8 64 40 00 iF@.萪@.
003885B3 D1 46 40 00 C8 64 40 00 袴@.萪@.
003885BB 0B 15 40 00 CC 64 40 00 @.蘢@.
003885C3 92 31 40 00 CC 64 40 00 ?@.蘢@.
003885CB 16 16 40 00 D0 64 40 00 @.衐@.
003885D3 B9 2C 40 00 D0 64 40 00 ?@.衐@.
003885DB CC 3D 40 00 D0 64 40 00 ?@.衐@.
003885E3 84 16 40 00 D4 64 40 00 ?@.詃@.
003885EB 4A 2E 40 00 D4 64 40 00 J.@.詃@.
003885F3 E5 3D 40 00 D4 64 40 00 ?@.詃@.
003885FB A1 16 40 00 D8 64 40 00 ?@.豥@.
00388603 ED 16 40 00 D8 64 40 00 ?@.豥@.
0038860B F4 31 40 00 D8 64 40 00 ?@.豥@.
00388613 EC 34 40 00 D8 64 40 00 ?@.豥@.
0038861B 43 38 40 00 D8 64 40 00 C8@.豥@.
00388623 80 39 40 00 D8 64 40 00 €9@.豥@.
0038862B BA 3D 40 00 D8 64 40 00 ?@.豥@.
00388633 96 13 40 00 DC 64 40 00 ?@.躣@.
0038863B A9 13 40 00 DC 64 40 00 ?@.躣@.
00388643 BC 13 40 00 DC 64 40 00 ?@.躣@.
0038864B B9 15 40 00 DC 64 40 00 ?@.躣@.
00388653 C1 16 40 00 DC 64 40 00 ?@.躣@.
0038865B 07 17 40 00 DC 64 40 00 @.躣@.
00388663 A7 1A 40 00 DC 64 40 00 ?@.躣@.
0038866B FD 1A 40 00 DC 64 40 00 ?@.躣@.
00388673 55 1E 40 00 DC 64 40 00 U@.躣@.
0038867B 34 1F 40 00 DC 64 40 00 4@.躣@.
00388683 49 1F 40 00 DC 64 40 00 I@.躣@.
0038868B 69 1F 40 00 DC 64 40 00 i@.躣@.
00388693 A4 1F 40 00 DC 64 40 00 ?@.躣@.
0038869B B9 1F 40 00 DC 64 40 00 ?@.躣@.
003886A3 86 22 40 00 DC 64 40 00 ?@.躣@.
003886AB 2B 23 40 00 DC 64 40 00 +#@.躣@.
003886B3 00 2E 40 00 DC 64 40 00 ..@.躣@.
003886BB 42 2E 40 00 DC 64 40 00 B.@.躣@.
003886C3 19 31 40 00 DC 64 40 00 1@.躣@.
003886CB 30 31 40 00 DC 64 40 00 01@.躣@.
003886D3 45 31 40 00 DC 64 40 00 E1@.躣@.
003886DB 83 32 40 00 DC 64 40 00 ?@.躣@.
003886E3 96 32 40 00 DC 64 40 00 ?@.躣@.
003886EB F2 32 40 00 DC 64 40 00 ?@.躣@.
003886F3 6C 33 40 00 DC 64 40 00 l3@.躣@.
003886FB 9F 33 40 00 DC 64 40 00 ?@.躣@.
00388703 5F 38 40 00 DC 64 40 00 _8@.躣@.
0038870B 6F 38 40 00 DC 64 40 00 o8@.躣@.
00388713 B1 38 40 00 DC 64 40 00 ?@.躣@.
0038871B D4 38 40 00 DC 64 40 00 ?@.躣@.
00388723 EB 38 40 00 DC 64 40 00 ?@.躣@.
0038872B 46 39 40 00 DC 64 40 00 F9@.躣@.
00388733 E3 39 40 00 DC 64 40 00 ?@.躣@.
0038873B F8 39 40 00 DC 64 40 00 ?@.躣@.
00388743 34 3A 40 00 DC 64 40 00 4:@.躣@.
0038874B 44 3A 40 00 DC 64 40 00 D:@.躣@.
00388753 6F 3A 40 00 DC 64 40 00 o:@.躣@.
0038875B A1 3A 40 00 DC 64 40 00 ?@.躣@.
00388763 FA 3A 40 00 DC 64 40 00 ?@.躣@.
0038876B 32 3B 40 00 DC 64 40 00 2;@.躣@.
00388773 8C 3B 40 00 DC 64 40 00 ?@.躣@.
0038877B 2F 41 40 00 DC 64 40 00 /A@.躣@.
00388783 71 41 40 00 DC 64 40 00 qA@.躣@.
0038878B 00 42 40 00 DC 64 40 00 .B@.躣@.
00388793 33 42 40 00 DC 64 40 00 3B@.躣@.
0038879B 49 42 40 00 DC 64 40 00 IB@.躣@.
003887A3 D0 4B 40 00 DC 64 40 00 蠯@.躣@.
003887AB EC 4B 40 00 DC 64 40 00 霮@.躣@.
003887B3 FF 4B 40 00 DC 64 40 00 K@.躣@.
003887BB 11 4C 40 00 DC 64 40 00 L@.躣@.
003887C3 28 4C 40 00 DC 64 40 00 (L@.躣@.
003887CB 1B 17 40 00 E0 64 40 00 @.郿@.
003887D3 CB 14 40 00 E4 64 40 00 ?@.鋎@.
003887DB 3D 17 40 00 E4 64 40 00 =@.鋎@.
003887E3 1A 1A 40 00 E4 64 40 00 @.鋎@.
003887EB 84 2B 40 00 E4 64 40 00 ?@.鋎@.
003887F3 52 17 40 00 E8 64 40 00 R@.鑔@.
003887FB 18 1E 40 00 E8 64 40 00 @.鑔@.
00388803 3D 1E 40 00 E8 64 40 00 =@.鑔@.
0038880B 98 3B 40 00 E8 64 40 00 ?@.鑔@.
00388813 65 3C 40 00 E8 64 40 00 e<@.鑔@.
0038881B 2B 12 40 00 EC 64 40 00 +@.靌@.
00388823 EE 36 40 00 EC 64 40 00 ?@.靌@.
0038882B 45 12 40 00 F0 64 40 00 E@.餯@.
00388833 E8 10 40 00 F4 64 40 00 ?@.鬱@.
0038883B 07 11 40 00 F4 64 40 00 @.鬱@.
00388843 1F 11 40 00 F4 64 40 00 @.鬱@.
0038884B 49 22 40 00 F4 64 40 00 I"@.鬱@.
00388853 5A 4C 40 00 F4 64 40 00 ZL@.鬱@.
0038885B E5 4C 40 00 F4 64 40 00 錖@.鬱@.
00388863 AB 4D 40 00 F4 64 40 00 玀@.鬱@.
0038886B 40 4E 40 00 F4 64 40 00 @N@.鬱@.
00388873 1E 4F 40 00 F4 64 40 00 O@.鬱@.
0038887B 93 4F 40 00 F4 64 40 00 揙@.鬱@.
00388883 04 1E 40 00 F8 64 40 00 @.鴇@.
0038888B 29 1E 40 00 F8 64 40 00 )@.鴇@.
00388893 A1 1D 40 00 FC 64 40 00 ?@.黡@.
0038889B 38 21 40 00 00 65 40 00 8!@..e@.
003888A3 DF 26 40 00 FC 62 40 00 ?@.黚@.
003888AB 43 16 40 00 00 63 40 00 C@..c@.
003888B3 0E 2E 40 00 00 63 40 00 .@..c@.
003888BB 0C 3E 40 00 00 63 40 00 .>@..c@.
003888C3 18 3E 40 00 00 63 40 00 >@..c@.
003888CB 82 3E 40 00 00 63 40 00 ?@..c@.
003888D3 AA 16 40 00 04 63 40 00 ?@.c@.
003888DB 2D 2E 40 00 04 63 40 00 -.@.c@.
003888E3 39 3F 40 00 04 63 40 00 9?@.c@.
003888EB 73 3F 40 00 04 63 40 00 s?@.c@.
003888F3 F0 3C 40 00 08 63 40 00 ?@.c@.
003888FB 3E 3D 40 00 08 63 40 00 >=@.c@.
00388903 48 3F 40 00 08 63 40 00 H?@.c@.
0038890B 82 3F 40 00 08 63 40 00 ?@.c@.
00388913 93 42 40 00 08 63 40 00 揃@.c@.
0038891B 8D 44 40 00 08 63 40 00 岲@.c@.
00388923 94 44 40 00 0C 63 40 00 擠@..c@.
0038892B 37 44 40 00 10 63 40 00 7D@.c@.
00388933 43 44 40 00 14 63 40 00 CD@.c@.
0038893B 9B 44 40 00 14 63 40 00 汥@.c@.
00388943 E5 44 40 00 14 63 40 00 錎@.c@.
0038894B 7E 42 40 00 18 63 40 00 ~B@.c@.
00388953 C5 40 40 00 1C 63 40 00 臔@.c@.
0038895B 90 43 40 00 20 63 40 00 怌@. c@.
00388963 20 44 40 00 20 63 40 00 D@. c@.
0038896B 2C 40 40 00 24 63 40 00 ,@@.$c@.
00388973 CE 3F 40 00 28 63 40 00 ?@.(c@.
0038897B 89 40 40 00 2C 63 40 00 堾@.,c@.
00388983 79 3E 40 00 30 63 40 00 y>@.0c@.
0038898B 26 3E 40 00 34 63 40 00 &>@.4c@.
00388993 70 3E 40 00 34 63 40 00 p>@.4c@.
0038899B 93 3E 40 00 38 63 40 00 ?@.8c@.
003889A3 59 3F 40 00 38 63 40 00 Y?@.8c@.
003889AB 93 3F 40 00 38 63 40 00 ?@.8c@.
003889B3 52 3E 40 00 3C 63 40 00 R>@.<c@.
003889BB 38 3E 40 00 40 63 40 00 8>@.@c@.
003889C3 67 3E 40 00 44 63 40 00 g>@.Dc@.
003889CB 43 4B 40 00 48 63 40 00 CK@.Hc@.
003889D3 D5 3D 40 00 4C 63 40 00 ?@.Lc@.
003889DB D3 16 40 00 50 63 40 00 ?@.Pc@.
003889E3 B5 1E 40 00 50 63 40 00 ?@.Pc@.
003889EB 4C 44 40 00 50 63 40 00 LD@.Pc@.
003889F3 5A 44 40 00 50 63 40 00 ZD@.Pc@.
003889FB A4 44 40 00 50 63 40 00 @.Pc@.
00388A03 D2 26 40 00 54 63 40 00 ?@.Tc@.
00388A0B CE 4F 40 80 08 65 40 00 蜲@€e@. ; these entries have bit 31 set: ff25 (jmp) type
00388A13 C8 4F 40 80 0C 65 40 00 萇@€.e@.
00388A1B C2 4F 40 80 10 65 40 00 翺@€e@.
00388A23 BC 4F 40 80 14 65 40 00 糘@€e@.
00388A2B B6 4F 40 80 18 65 40 00 禣@€e@.
00388A33 B0 4F 40 80 1C 65 40 00 癘@€e@.
00388A3B D4 4F 40 80 20 65 40 00 設@€ e@.
00388A43 BC 24 40 00 E4 62 40 00 ?@.鋌@.
00388A4B 0A 25 40 00 E4 62 40 00 .%@.鋌@.
00388A53 BF 26 40 00 E8 62 40 00 ?@.鑒@.
00388A5B 5F 24 40 00 EC 62 40 00 _$@.靊@.
00388A63 84 24 40 00 EC 62 40 00 ?@.靊@.
00388A6B F3 26 40 00 F0 62 40 00 ?@.餬@.
00388A73 42 25 40 00 F4 62 40 00 B%@.鬮@.
00388A7B 00 00 00 00 00 00 00 00 ........
00388A83 00 00 00 00 00 00 00 00 ........
Now that we know the decoding algorithm, we can write our own code to repair every call site. Here is mine (it reuses the resolver's own table walk, drops the edi lookup, and patches every site in one pass instead of dispatching a single call):
00386C07 8B06 mov eax,dword ptr ds:[esi] ; load the first dword of the current table entry
00386C09 33D2 xor edx,edx
00386C0B B9 02000000 mov ecx,2
00386C10 F7E1 mul ecx ; bit 31 of the entry goes into edx
00386C12 D1E8 shr eax,1 ; eax = address right after the 6-byte stub
00386C14 08D2 or dl,dl ; ff25 (jmp) or ff15 (call) type?
00386C16 75 16 jnz short 00386C2E ; the next lines repair an ff15 call
00386C18 66:C740 FA FF15 mov word ptr ds:[eax-6],15FF
00386C1E 8B5E 04 mov ebx,dword ptr ds:[esi+4] ; IAT slot address from the entry
00386C21 8958 FC mov dword ptr ds:[eax-4],ebx
00386C24 83C6 08 add esi,8
00386C27 833E 00 cmp dword ptr ds:[esi],0 ; end of table?
00386C2A ^ 75 DB jnz short 00386C07 ; not yet, keep going
00386C2C EB 14 jmp short 00386C42
00386C2E 66:C740 FA FF25 mov word ptr ds:[eax-6],25FF ; the next lines repair an ff25 jmp
00386C34 8B5E 04 mov ebx,dword ptr ds:[esi+4]
00386C37 8958 FC mov dword ptr ds:[eax-4],ebx
00386C3A 83C6 08 add esi,8
00386C3D 833E 00 cmp dword ptr ds:[esi],0 ; end of table?
00386C40 ^ 75 C5 jnz short 00386C07 ; not yet, keep going
00386C42 90 nop
Binary bytes (60 in total):
8B 06 33 D2 B9 02 00 00 00 F7 E1 D1 E8 08 D2 75 16 66 C7 40 FA FF 15 8B 5E 04 89 58 FC 83 C6 08
83 3E 00 75 DB EB 14 66 C7 40 FA FF 25 8B 5E 04 89 58 FC 83 C6 08 83 3E 00 75 C5 90
Step until EIP is at 00386C07 and paste the bytes above there (Binary > Binary paste). If you have already run past it, set a new origin at 00386C07 and paste there. Select enough lines to cover all 60 bytes before pasting, since OllyDbg only overwrites the selection. Either way, make sure esi still points at the first table entry (00387E03 in this run); the loop walks forward from wherever esi is, so entries before it would be skipped. Then set a hardware breakpoint on execution at 00386C42, F9 to reach it, and undo the modification (restore the original bytes). Ctrl+G 004010CC: every call is now back in call dword ptr [xxxx] form.
In LordPE select the process, tick the option to correct the image size, and dump it. Then in ImportREC attach to the process, enter OEP 10CC (the RVA of 004010CC), get imports and fix the dump. The IAT was already filled by the packer before reaching the OEP (the first memory-breakpoint hit was that fill), so ImportREC finds valid pointers, and the repaired program runs normally.
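As an added example, not code from the original post, the same repair done offline in Python over a dumped .text section rather than in the live process. It parses the 8-byte table entries exactly the way the resolver does (return address with bit 31 as the jmp/call flag, then the IAT slot, zero-terminated) and rewrites each nop/call stub back to FF15/FF25 [iat]; unlike the in-process loop it checks that a 90 E8 stub is actually present before writing. The sample section and table are constructed from addresses on the page (004010D3 with IAT 004063E4, 00404FC8 with IAT 00406508); the resolver address 0038694B is only used to build a realistic rel32, and all function and constant names are my own.

```python
"""
Offline version of the PEquake call-stub repair loop.

What the packer did to .text: every 6-byte `call dword ptr [iat]` (FF 15 imm32)
or `jmp dword ptr [iat]` (FF 25 imm32) became `nop ; call resolver`
(90 E8 rel32).  The resolver maps the return address of that call back to the
import via an 8-byte-per-entry table:

    dword   return address (address just after the 6-byte stub);
            bit 31 set = original was a jmp (FF 25), clear = call (FF 15)
    dword   address of the IAT slot the original instruction used

A first dword of zero terminates the table.  This is the same information the
`mul ecx / shr eax,1` pair extracts in the resolver, and the same rewrite the
patch loop performs in the live process, done here over a dumped section.
"""
import struct

STUB = b"\x90\xe8"           # nop ; call rel32 left behind by the packer
JMP_FLAG = 0x80000000
ENTRY = struct.Struct("<II")


def parse_table(table: bytes):
    """Yield (return_address, iat_slot, is_jmp) per entry up to the zero terminator."""
    for off in range(0, len(table) - ENTRY.size + 1, ENTRY.size):
        raw, iat = ENTRY.unpack_from(table, off)
        if raw == 0:
            return
        yield raw & ~JMP_FLAG, iat, bool(raw & JMP_FLAG)


def repair_text(text: bytearray, text_va: int, table: bytes) -> int:
    """Rewrite every stub back to FF15/FF25 [iat] in place; return the count fixed.

    text    : bytes of the dumped code section (modified in place)
    text_va : virtual address of text[0]
    """
    fixed = 0
    for ret_addr, iat, is_jmp in parse_table(table):
        site = ret_addr - 6 - text_va        # stub occupies the 6 bytes before the return address
        if not 0 <= site <= len(text) - 6:
            raise ValueError(f"entry {ret_addr:08X} points outside the section")
        if text[site:site + 2] != STUB:      # the in-process loop skips this check
            raise ValueError(f"no nop/call stub at {ret_addr - 6:08X}: {text[site:site + 6].hex()}")
        opcode = b"\xff\x25" if is_jmp else b"\xff\x15"
        text[site:site + 6] = opcode + struct.pack("<I", iat)
        fixed += 1
    return fixed


TEXT_VA = 0x00401000         # assumed base of the dumped .text
RESOLVER = 0x0038694B        # call target of every stub in this run


def build_sample():
    """Constructed .text + table using two sites from the page (not a real dump)."""
    text = bytearray(b"\xcc" * 0x4000)

    def put_stub(site_va: int):
        ret = site_va + 6
        text[site_va - TEXT_VA:ret - TEXT_VA] = STUB + struct.pack("<i", RESOLVER - ret)

    put_stub(0x004010D3)                      # was call dword ptr [004063E4]
    put_stub(0x00404FC8)                      # was jmp  dword ptr [00406508] (thunk)
    table = (ENTRY.pack(0x004010D9, 0x004063E4)
             + ENTRY.pack(0x80404FCE, 0x00406508)
             + ENTRY.pack(0, 0))
    return text, table


if __name__ == "__main__":
    text, table = build_sample()
    n = repair_text(text, TEXT_VA, table)
    print(f"fixed {n} sites")
    for va in (0x004010D3, 0x00404FC8):
        off = va - TEXT_VA
        print(f"{va:08X}: {text[off:off + 6].hex(' ')}")
```

To use it on a real dump, read the .text section bytes and the table bytes (00387E03 up to the zero entry in this run) out of the process, run repair_text, and write the section back into the dumped file; the rewritten instructions then reference the IAT directly, so ImportREC sees an ordinary import table.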