I'm a complete newbie. I've recently been going through 黑鹰's cracking tutorials, so I started looking for programs to unpack for practice. Unexpectedly I came across a driver-installer program that came bundled with my system, so I took it to unpack. The packer is UPX 0.89.6 - 1.02 / 1.05 - 2.90 -> Markus & Laszlo [Overlay]
The unpacking itself isn't worth dwelling on; it was simple and I got it done right away. Then I appended the overlay (the extra data). After appending it the program runs, but its functionality is lost. So now I don't know whether the problem is that the overlay pointer hasn't been fixed, or whether there's a self-check. I hope the kind experts here can help me and take a look at where the problem is.
After loading the unpacked program I set BP SetFilePointer, ran it with F9, and after ALT+F9 it returned to the following code:
0041DA9C 57 PUSH EDI
0041DA9D FF75 10 PUSH DWORD PTR SS:[EBP+10]
0041DAA0 6A 00 PUSH 0
0041DAA2 FF75 0C PUSH DWORD PTR SS:[EBP+C]
0041DAA5 50 PUSH EAX
0041DAA6 FF15 90D14700 CALL DWORD PTR DS:[<&kernel32.SetFilePoi>; kernel32.SetFilePointer
0041DAAC 8BF8 MOV EDI,EAX
0041DAAE 83FF FF CMP EDI,-1
0041DAB1 75 08 JNZ SHORT x_.0041DABB
0041DAB3 FF15 E0D24700 CALL DWORD PTR DS:[<&kernel32.GetLastErr>; ntdll.RtlGetLastWin32Error
0041DAB9 EB 02 JMP SHORT x_.0041DABD
0041DABB 33C0 XOR EAX,EAX
0041DABD 85C0 TEST EAX,EAX
0041DABF 74 0C JE SHORT x_.0041DACD
0041DAC1 50 PUSH EAX
0041DAC2 E8 03B0FFFF CALL x_.00418ACA
0041DAC7 59 POP ECX
0041DAC8 83C8 FF OR EAX,FFFFFFFF
0041DACB EB 1B JMP SHORT x_.0041DAE8
0041DACD 8BC6 MOV EAX,ESI
0041DACF C1F8 05 SAR EAX,5
0041DAD2 8B0485 40094A00 MOV EAX,DWORD PTR DS:[EAX*4+4A0940]
0041DAD9 83E6 1F AND ESI,1F
0041DADC C1E6 06 SHL ESI,6
0041DADF 8D4430 04 LEA EAX,DWORD PTR DS:[EAX+ESI+4]
0041DAE3 8020 FD AND BYTE PTR DS:[EAX],0FD
0041DAE6 8BC7 MOV EAX,EDI
0041DAE8 5F POP EDI
0041DAE9 5E POP ESI
0041DAEA 5D POP EBP
0041DAEB C3 RETN
0041DAEC 6A 10 PUSH 10
It stops here:
0041DAAC 8BF8 MOV EDI,EAX
0041DAAE 83FF FF CMP EDI,-1
The stack window shows:
00C4EF04 0041DAAC /CALL 到 SetFilePointer 来自 x_.0041DAA6
00C4EF08 000000E8 |hFile = 000000E8 (窗口)
00C4EF0C 00000000 |OffsetLo = 0
00C4EF10 00000000 |pOffsetHi = NULL
00C4EF14 00000001 \Origin = FILE_CURRENT
Further down I don't really know how to analyze the code; I saw lots of XORs and such but didn't find any obvious self-check information, and some of it I can't quite follow.
I've uploaded the original program and the unpacked file to my Namipan; I hope the experts can help. Thanks a lot, this has had me stuck for 2 days.
Thanks, experts, for pointing me in the right direction.
Namipan:
http://d.namipan.com/d/f13ae76d414ccf68830abb6c408f32b2a795aa2c296dfd00
BRSBOX:
http://www.brsbox.com/filebox/down/fc/9250e0cb541d27488ccb6293d84504ba
Rayfile (飞速网):
http://www.rayfile.com/files/f35353f5-bf0b-11de-a98e-0014221b798a/
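Added example (editor's note, not the poster's code or files): the first thing to check when "append the overlay" leaves a working but crippled binary is where the overlay actually starts in each file. The overlay begins at the end of the last section's raw data, and because the dumped (unpacked) sections are larger than the compressed UPX0/UPX1 sections, that offset moves after unpacking. The script below parses the PE section table to find the overlay boundary, strips any stale overlay from the dump, re-attaches the overlay from the packed file, and lets you compare the two offsets. The PE images it operates on are constructed inline as sample input (it assumes a standard PE32 layout; the section sizes and overlay bytes are made up for the demonstration).

```python
import struct

def build_sample_pe(raw_sizes, overlay=b"", file_align=0x200):
    """Construct a minimal PE32 image with one section per entry in raw_sizes.
    This is constructed sample input for the demonstration, not a real binary."""
    n = len(raw_sizes)
    opt_size = 224                      # IMAGE_OPTIONAL_HEADER32 size
    hdr_len = 0x40 + 4 + 20 + opt_size + 40 * n
    size_of_headers = -(-hdr_len // file_align) * file_align
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew -> PE signature
    file_hdr = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)               # PE32 magic
    struct.pack_into("<II", opt, 32, 0x1000, file_align)  # SectionAlignment, FileAlignment
    struct.pack_into("<I", opt, 60, size_of_headers)    # SizeOfHeaders
    secs, body, ptr, va = b"", b"", size_of_headers, 0x1000
    for i, size in enumerate(raw_sizes):
        name = f".s{i}".encode().ljust(8, b"\0")
        secs += struct.pack("<8sIIIIIIHHI", name, size, va, size, ptr, 0, 0, 0, 0, 0x60000020)
        body += b"\x90" * size                          # NOP filler as section content
        ptr += size
        va += 0x1000
    image = bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + secs
    return image.ljust(size_of_headers, b"\0") + body + overlay

def overlay_offset(data):
    """Return the file offset where the overlay starts: the end of the
    headers or of the last section's raw data, whichever is larger."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    end = struct.unpack_from("<I", data, opt + 60)[0]    # SizeOfHeaders
    sec_table = opt + opt_size
    for i in range(nsec):
        size_raw, ptr_raw = struct.unpack_from("<II", data, sec_table + 40 * i + 16)
        if size_raw:                                     # skip bss-style sections with no raw data
            end = max(end, ptr_raw + size_raw)
    return end

def split_overlay(data):
    """Split a PE file into (image without overlay, overlay bytes)."""
    off = overlay_offset(data)
    return data[:off], data[off:]

def transplant_overlay(packed, dumped):
    """Take the overlay from the packed file and attach it to the dumped image,
    discarding any overlay the dump may already carry."""
    _, overlay = split_overlay(packed)
    image, _ = split_overlay(dumped)
    return image + overlay

if __name__ == "__main__":
    # Constructed sample: small compressed sections in the packed file,
    # larger decompressed sections in the dump, overlay only on the packed file.
    packed = build_sample_pe([0x200, 0x400], overlay=b"OVERLAYDATA")
    dumped = build_sample_pe([0x600, 0x800])
    fixed = transplant_overlay(packed, dumped)
    print("overlay starts at 0x%X in packed, 0x%X in fixed dump"
          % (overlay_offset(packed), overlay_offset(fixed)))
```

If the two printed offsets differ (they normally do after UPX), then anything in the program that located its appended data by an absolute file offset valid for the packed file, rather than by seeking relative to the section table or the end of the file, will read the wrong bytes from the dump; a breakpoint on SetFilePointer with a FILE_BEGIN origin and a suspiciously specific offset is the quickest way to confirm that from the debugger.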