按照这个教程
http://bbs.pediy.com/showthread.php?t=15394&highlight=svkp
我最后到达了
005AA867 0064A2 5A add byte ptr [edx+5A], ah
005AA86B 0090 90909090 add byte ptr [eax+90909090], dl
005AA871 90 nop
005AA872 90 nop
005AA873 90 nop
005AA874 90 nop
005AA875 90 nop
005AA876 90 nop
005AA877 90 nop
005AA878 E8 AFCCE5FF call 0040752C //停在此处
005AA87D 8B1D 10295B00 mov ebx, dword ptr [5B2910] ; Test.005B3C90
005AA883 E8 28B0FAFF call 005558B0
005AA888 84C0 test al, al
005AA88A 75 05 jnz short 005AA891
005AA88C E8 6FA4E5FF call 00404D00
005AA891 8B03 mov eax, dword ptr [ebx]
005AA893 E8 306FECFF call 004717C8
005AA898 8B03 mov eax, dword ptr [ebx]
005AA89A BA C4A95A00 mov edx, 005AA9C4 ; ASCII "Test"
005AA89F E8 306BECFF call 004713D4
005AA8A4 8B0D A0245B00 mov ecx, dword ptr [5B24A0] ; Test.00700B84
005AA8AA 8B03 mov eax, dword ptr [ebx]
根据教程里所说的找被偷的代码
引用:
ebp==12ffc0的Enter之后
044AEF1D ^\E9 28FBFFFF jmp 044AEA4A ;来到这里,F8走
044AEA4A 55 push ebp ;走到这里,二进制复制,
F8走
044AEA4B E9 D9060000 jmp 044AF129 ;这个不要
把刚才复制的粘贴到原先OD的0040524C处,接下来也就是把代码不断粘贴到程序
里面,当然每一次最后的jmp这句就不要了
--------------------------------
我也没用教程里的这命令
引用:
接着在命令行下tc eip<03000000,Enter来到
004052B1 90 nop
004052B2 90 nop
004052B3 90 nop
004052B4 90 nop
004052B5 90 nop
004052B6 E8 1C010000 call wowcrown.004053D7 ;伪OEP来到这里,
-------------------------------------------------
我是在命令行下tc ebp==12ffc0,之后,直接单步走的
这样就顺便把被偷的代码都复制了,(每次JMP上面的代码都复制,)
一小段小段的复制的时候心里发毛,大概349个字节 (这里面应该有花指令吧,我没有去花的)比教程里所说的被偷106个字节还多
55 50 B8 71 EB 00 37 29 44 24 04 58 81 ED 71 EB 00 37 89 ED 68 00 00 00 00 68 00 00 00 00 50 B8 71 EB 00 37 87 C9 01 44 24 04 58 58 01 04 24 58 01 04 24 5D 58 83 C4 C8 83 C4 94 83 C4 00 83 C4 00 83 C4 94 81 C3 71 EB 00 37 90 50 89 ED 53 68 00 00 00 00 B8 71 EB 00 37 01 04 24 58 01 04 24 5B 58 53 05 71 EB 00 37 50 B8 71 EB 00 37 29 04 24 8B 04 24 B8 71 EB 00 37 29 44 24 04 58 50 53 68 E2 D6 01 6E B8 71 EB 00 37 90 29 04 24 58 29 04 24 5B 58 50 68 8F 14 FF C8 50 B8 71 EB 00 37 01 44 24 04 58 90 50 68 00 00 00 00 50 B8 71 EB 00 37 01 44 24 04 58 58 01 44 24 04 58 58 29 44 24 04 58 50 53 68 E2 D6 01 6E B8 71 EB 00 37 29 04 24 58 29 04 24 5B 58 68 AA CB 58 92 05 71 EB 00 37 50 B8 71 EB 00 37 29 04 24 8B 04 24 B8 71 EB 00 37 01 44 24 04 58 05 71 EB 00 37 50 B8 71 EB 00 37 29 04 24 8B 04 24 68 00 00 00 00 05 71 EB 00 37 50 B8 71 EB 00 37 29 04 24 8B 04 24 B8 71 EB 00 37 01 44 24 04 87 E4 58 58 01 44 24 04 58 58 68 96 d1 58 92 50 B8 71 EB 00 37 01 44 24 04 58 87 ED 50 68 00 00 00 00 89 C0 50 B8 71 EB 00 37 01 44 24 04 58 58 01 44 24 04 58 89 F6
很显然我到达的地方字节不够,我应该直接在005AA787上面的NOP处写JMP跳到空处多的地方吗?
程序从005AA9D4处起就有很大的空白处
那么我写完后就是
005AA873 /E9 5C010000 jmp 005AA9D4 //这里就跳到空处
005AA878 |E8 AFCCE5FF call 0040752C
005AA87D |8B1D 10295B00 mov ebx, dword ptr [5B2910] ; Optimik.005B3C90
005AA883 |E8 28B0FAFF call 005558B0
005AA888 |84C0 test al, al
005AA88A |75 05 jnz short 005AA891
............
005AA9D4 55 push ebp //开始复制被偷的字节
005AA9D5 50 push eax
005AA9D6 B8 71EB0037 mov eax, 3700EB71
005AA9DB 294424 04 sub dword ptr [esp+4], eax
005AA9DF 58 pop eax
005AA9E0 81ED 71EB0037 sub ebp, 3700EB71
005AA9E6 89ED mov ebp, ebp
005AA9E8 68 00000000 push 0
005AA9ED 68 00000000 push 0
005AA9F2 50 push eax
005AA9F3 B8 71EB0037 mov eax, 3700EB71
005AA9F8 87C9 xchg ecx, ecx
005AA9FA 014424 04 add dword ptr [esp+4], eax
..........
....
005AAB27 014424 04 add dword ptr [esp+4], eax
005AAB2B 58 pop eax
005AAB2C 89F6 mov esi, esi
005AAB2E ^ E9 45FDFFFF jmp 005AA878 //返回到了005AA878
005AAB33 90 nop
然后把005AA873这里设置为“此处为新EIP” ,开始DUMP
用Importrec开始修复这程序OEP 填001AA873 自动查找IAT 获取输入表
显示无效 还有6个指针未解决 跟踪级别1 3都搞不定 自带插件跟踪也不行
rva:00303274
rva:003036FC
rva:00303A64
rva:00303A68
rva:00303A6c
rva:00303A70
重新载入此程序 尝试手动修复这几个指计
命令行下输入DD 00403274 下内存写入断点 F9几次下来都找不到相关函数 6个无效指针都试了,都找不到
剪掉指针 能看到程序启动的LOGO 马上就弹出错误了 0X0000000 .....内存不为能为READ
请教应该如何去修复
[招生]系统0day安全班,企业级设备固件漏洞挖掘,Linux平台漏洞挖掘!