Not sure whether the IAT I located is correct?
This post was last edited by 欧雨鹏 on 2020-11-5 14:48. I don't know whether bounties can still be posted; the announcement seems to say bounties are not allowed? If it is allowed, I'd like to post one...
Checked repeatedly: the OEP is this 68E1.
After reaching the OEP I picked a random function to locate it, and got all the functions below, but I can't be sure they are correct. Are they being called indirectly by the packer?
01318000 >74A52223 comctl32.InitCommonControlsEx
01318004 >00000000
01318008 >774C3A51 kernel32.CreateFileMappingW
0131800C >774D0B5D kernel32.CreateFileW
01318010 >774B905B kernel32.OutputDebugStringW
01318014 >774CFE44 kernel32.GetSystemTimeAsFileTime
01318018 >774CF212 kernel32.GetCurrentThreadId
0131801C >774D0D23 kernel32.GetCurrentProcessId
01318020 >774CF2A7 kernel32.QueryPerformanceCounter
01318024 >774D0DB4 kernel32.IsProcessorFeaturePresent
01318028 >774CB02B kernel32.IsDebuggerPresent
0131802C >779B324C ntdll.RtlEncodePointer
01318030 >779A7B5B ntdll.RtlDeleteCriticalSection
01318034 >779AF020 ntdll.RtlDecodePointer
01318038 >774CF176 kernel32.GetLastError
0131803C >774D3625 kernel32.InitializeCriticalSectionEx
01318040 >774CC0D4 kernel32.MapViewOfFile
01318044 >774D0F86 kernel32.WideCharToMultiByte
01318048 >00000000
0131804C >6EB2E0FB msvcr120._controlfp_s
01318050 >6EBA46A3 msvcr120._invoke_watson
01318054 >6EB2DDB5 msvcr120.__crtSetUnhandledExceptionFilter
01318058 >6EB19D1F msvcr120._except_handler4_common
0131805C >6EB9DD4C msvcr120.terminate
01318060 >6EB2BF82 msvcr120._onexit
01318064 >6EB12B48 msvcr120.__dllonexit
01318068 >6EB11C72 msvcr120._calloc_crt
0131806C >6EB0EDF9 msvcr120._unlock
01318070 >6EB0EDD4 msvcr120._lock
01318074 >6EBA47FF msvcr120.__crtTerminateProcess
01318078 >6EBA4814 msvcr120.__crtUnhandledException
0131807C >6EBA6B98 msvcr120._crt_debugger_hook
01318080 >6EB0EC80 msvcr120.type_info::~type_info
01318084 >6EBDF638 offset msvcr120._commode
01318088 >6EBDF740 offset msvcr120._fmode
0131808C >6EBDF634 offset msvcr120._wcmdln
01318090 >6EB1D609 msvcr120._initterm
01318094 >6EB1D63F msvcr120._initterm_e
01318098 >6EB7BCA1 msvcr120.__setusermatherr
0131809C >6EBA55CB msvcr120._configthreadlocale
013180A0 >6EB34FA1 msvcr120._cexit
013180A4 >6EB7BE5E msvcr120._exit
013180A8 >6EB2CB88 msvcr120.__set_app_type
013180AC >6EB30E91 msvcr120.__wgetmainargs
013180B0 >6EB7BE33 msvcr120._amsg_exit
013180B4 >6EB2E39C msvcr120.__crtGetShowWindowMode
013180B8 >6EBA4CF5 msvcr120._XcptFilter
013180BC >6EB11748 msvcr120.memset
013180C0 >6EB0ECE0 msvcr120.free
013180C4 >6EB12FF3 msvcr120.strcpy_s
013180C8 >6EB2F374 msvcr120.sscanf_s
013180CC >6EB35133 msvcr120.exit
013180D0 >6EB2FF7F msvcr120.vsprintf_s
013180D4 >6EB18EE7 msvcr120.__CxxFrameHandler3
013180D8 >00000000
013180DC >767984A7 shell32.DragQueryFileW
013180E0 >00000000
013180E4 >77AB74B1 user32.GetClientRect
013180E8 >77AD1833 user32.DrawIcon
013180EC >77AAA72E user32.EnableWindow
013180F0 >77AB8409 user32.GetSystemMetrics
013180F4 >77AB66E3 user32.IsIconic
013180F8 >77AB272A user32.AppendMenuW
013180FC >77AB1702 user32.GetSystemMenu
01318100 >77AB1431 user32.LoadIconW
01318104 >77AB77D5 user32.SetTimer
01318108 >77AB764C user32.SendMessageW
0131810C >00000000
01318110 >6BE4B466 mfc120u.#1501
01318114 >6BE4B499 mfc120u.#316
01318118 >6C03A3A2 mfc120u.#3839
0131811C >6C03A5AB mfc120u.#7037
01318120 >6C03A5B7 mfc120u.#6960
01318124 >6BE755AA mfc120u.#1110
01318128 >6C02EEC8 mfc120u.#3654
0131812C >6BE75157 mfc120u.#7384
01318130 >6BFD0C4D mfc120u.#10353
01318134 >6C02FF48 mfc120u.#7946
01318138 >6BF9CF52 mfc120u.#1521
0131813C >6C02FF9D mfc120u.#7951
01318140 >6C0300E2 mfc120u.#13516
01318144 >6BFD0302 mfc120u.#9106
01318148 >6BE754D2 mfc120u.#9116
0131814C >6BE75497 mfc120u.#12048
01318150 >6C02BDA2 mfc120u.#9020
01318154 >6BFD0CD2 mfc120u.#2718
01318158 >6BFD080B mfc120u.#13612
0131815C >6BE4EB5E mfc120u.#6121
01318160 >6BFD04C6 mfc120u.#3122
01318164 >6BFD0519 mfc120u.#3361
01318168 >6BFD0551 mfc120u.#3362
0131816C >6BFD0964 mfc120u.#4049
01318170 >6BE4B2A9 mfc120u.#14162
01318174 >6BFD0CB1 mfc120u.#10896
01318178 >6BFD0CCA mfc120u.#8921
0131817C >6BE4B2AC mfc120u.#14388
01318180 >6C03E168 mfc120u.#13333
01318184 >6C02B565 mfc120u.#8636
01318188 >6C029B5E mfc120u.#5332
0131818C >6BE4F7F4 mfc120u.#280
01318190 >6BEAC874 mfc120u.#265
01318194 >6C03010F mfc120u.#5753
01318198 >6BEB270E mfc120u.#14432
0131819C >6BEB270E mfc120u.#14432
013181A0 >6BE4B2A9 mfc120u.#14162
013181A4 >6BE4EBE3 mfc120u.#14666
013181A8 >6BE4B2A9 mfc120u.#14162
013181AC >6BE4B2A9 mfc120u.#14162
013181B0 >6C02F1EA mfc120u.#3147
013181B4 >6C02F23C mfc120u.#9012
013181B8 >6C02A8F7 mfc120u.#7543
013181BC >6C02F4FF mfc120u.#7059
013181C0 >6C02F20B mfc120u.#1176
013181C4 >6BF9D57F mfc120u.#10260
013181C8 >6BF9B9A0 mfc120u.#7542
013181CC >6BF9BD3B mfc120u.#992
013181D0 >6BF9C63A mfc120u.#1467
013181D4 >6BF9BFE3 mfc120u.#7881
013181D8 >6BFEEE4D mfc120u.#2163
013181DC >6BEAC833 mfc120u.#1506
013181E0 >6BF22ADA mfc120u.#949
013181E4 >6BF643C4 mfc120u.#13302
013181E8 >6BF8DBC8 mfc120u.#7206
013181EC >6BF9E57E mfc120u.#13771
013181F0 >6BF98A19 mfc120u.#7326
013181F4 >6BFA8A9C mfc120u.#7335
013181F8 >6BFA8A68 mfc120u.#7344
013181FC >6BF9C8DB mfc120u.#12799
01318200 >6C018F9A mfc120u.#12094
01318204 >6C019139 mfc120u.#12126
01318208 >6BF9CE2C mfc120u.#10314
0131820C >6C018DC0 mfc120u.#8099
01318210 >6BF9C869 mfc120u.#4546
01318214 >6BF9CDA5 mfc120u.#12122
01318218 >6C018FFB mfc120u.#12114
0131821C >6C01911E mfc120u.#5821
01318220 >6C018D18 mfc120u.#3809
01318224 >6BF9E762 mfc120u.#6252
01318228 >6BF9EA8B mfc120u.#14527
0131822C >6BF9E7CE mfc120u.#6253
01318230 >6BF9EB17 mfc120u.#14528
01318234 >6BF9E95A mfc120u.#6251
01318238 >6BF9EBB5 mfc120u.#14526
0131823C >6BE4B2AC mfc120u.#14388
01318240 >6BE4EB83 mfc120u.#14431
01318244 >6BF9E0EA mfc120u.#14326
01318248 >6BF9DB78 mfc120u.#11858
0131824C >6BF9DB62 mfc120u.#11857
01318250 >6BF9DB38 mfc120u.#1992
01318254 >6BF9BFA3 mfc120u.#7825
01318258 >6BF9DB28 mfc120u.#12818
0131825C >6BF9DC9D mfc120u.#4047
01318260 >6BF9DAAA mfc120u.#4109
01318264 >6BF9DBD1 mfc120u.#9279
01318268 >6BF9C921 mfc120u.#14454
0131826C >6BF9C964 mfc120u.#7806
01318270 >6BF9C9A7 mfc120u.#14448
01318274 >6BF9CC0C mfc120u.#12413
01318278 >6BF9CA10 mfc120u.#12412
0131827C >6BF9CC86 mfc120u.#2444
01318280 >6BF9CD15 mfc120u.#5262
01318284 >6BE529C1 mfc120u.#4772
01318288 >6BF9C1D8 mfc120u.#12736
0131828C >6BF9C079 mfc120u.#8268
01318290 >6BF9BEAD mfc120u.#8352
01318294 >6C042448 mfc120u.#2173
01318298 >6BF27F18 mfc120u.#2204
0131829C >6C03D1CE mfc120u.#4842
013182A0 >6BE4FB75 mfc120u.#8346
013182A4 >6C029029 mfc120u.#3790
013182A8 >6C03A213 mfc120u.#887
013182AC >6C03A287 mfc120u.#1386
013182B0 >6BFD040B mfc120u.#10919
013182B4 >6BFD1B45 mfc120u.#501
013182B8 >6BFD1E2E mfc120u.#1140
013182BC >6BFD2E82 mfc120u.#4050
013182C0 >6BE4B849 mfc120u.#1518
013182C4 >6BFD3090 mfc120u.#6219
013182C8 >6BE72462 mfc120u.#7004
013182CC >6C045EE9 mfc120u.#1522
013182D0 >6C02C144 mfc120u.#7370
013182D4 >6BFA8A62 mfc120u.#7340
013182D8 >6BE4EB83 mfc120u.#14431
013182DC >6BE4EBE3 mfc120u.#14666
013182E0 >6BE4EBE3 mfc120u.#14666
013182E4 >6BE4EBE3 mfc120u.#14666
013182E8 >6BE4B2AC mfc120u.#14388
013182EC >6C0296DB mfc120u.#3223
013182F0 >6C029597 mfc120u.#3329
013182F4 >6C0295DB mfc120u.#3330
013182F8 >6C02997F mfc120u.#3898
013182FC >6C0296A2 mfc120u.#11999
01318300 >6C02BBAD mfc120u.#2640
01318304 >6C02916B mfc120u.#5838
01318308 >6C02917B mfc120u.#13563
0131830C >6C029A9C mfc120u.#11592
01318310 >6BE4EBE3 mfc120u.#14666
01318314 >6C02A739 mfc120u.#14455
01318318 >6C02A7AB mfc120u.#7807
0131831C >6C02A8A2 mfc120u.#14449
01318320 >6C02D8D6 mfc120u.#3013
01318324 >6C02D8DD mfc120u.#4451
01318328 >6C02D905 mfc120u.#9574
0131832C >6C02CA6E mfc120u.#4459
01318330 >6C02CA8E mfc120u.#4909
01318334 >6C02CAA1 mfc120u.#4874
01318338 >6C02CAB4 mfc120u.#4867
0131833C >6C02CAD7 mfc120u.#4905
01318340 >6C02CAFA mfc120u.#4932
01318344 >6C02CB1D mfc120u.#4883
01318348 >6C02CB40 mfc120u.#4916
0131834C >6C02CB63 mfc120u.#4928
01318350 >6C02CB86 mfc120u.#4891
01318354 >6C02CBA9 mfc120u.#4895
01318358 >6C02CBCF mfc120u.#4899
0131835C >6C02CBF2 mfc120u.#4887
01318360 >6C02CC05 mfc120u.#4920
01318364 >6C02CC18 mfc120u.#4879
01318368 >6C02CC3B mfc120u.#1736
0131836C >6C02CC5E mfc120u.#1727
01318370 >6C02CC8A mfc120u.#1731
01318374 >6C02CCB0 mfc120u.#1723
01318378 >6C02CCC9 mfc120u.#1711
0131837C >6C02CCE9 mfc120u.#12134
01318380 >6C02CCE9 mfc120u.#12134
01318384 >6C02CD0C mfc120u.#13738
01318388 >6C02CD1B mfc120u.#3224
0131838C >6C02B275 mfc120u.#9137
01318390 >6C02B2F9 mfc120u.#10883
01318394 >6C029A24 mfc120u.#6875
01318398 >6C029A28 mfc120u.#12095
0131839C >6C03DFD6 mfc120u.#8846
013183A0 >6C02A953 mfc120u.#14447
013183A4 >6C02A998 mfc120u.#11811
013183A8 >6C0299D9 mfc120u.#3795
013183AC >6BE4B2AC mfc120u.#14388
013183B0 >6C02FDB8 mfc120u.#9018
013183B4 >6C02A2C6 mfc120u.#11601
013183B8 >6BEF8CF5 mfc120u.#11600
013183BC >6BE4BC11 mfc120u.#11559
013183C0 >6BE4DB79 mfc120u.#13447
013183C4 >6BE506E2 mfc120u.#12719
013183C8 >6BE506E2 mfc120u.#12719
013183CC >6BE4EC8A mfc120u.#14676
013183D0 >6BE4DB79 mfc120u.#13447
013183D4 >6BE4EB83 mfc120u.#14431
013183D8 >6BE4EB1A mfc120u.#11810
013183DC >6C02DE35 mfc120u.#3260
013183E0 >6BF9DE22 mfc120u.#2262
013183E4 >6BFD03A4 mfc120u.#1108
013183E8 >6C02FE44 mfc120u.#1177
013183EC >6C028C24 mfc120u.#999
013183F0 >6BE9F78D mfc120u.#7060
013183F4 >6BFA88DE mfc120u.#9090
013183F8 >6C02996E mfc120u.#10136
013183FC >6BE4EC56 mfc120u.#12942
01318400 >6BE4EBE3 mfc120u.#14666
01318404 >6BE4EB1A mfc120u.#11810
01318408 >6C02DE4F mfc120u.#3263
0131840C >6BE4EBE3 mfc120u.#14666
01318410 >6BE4EB1A mfc120u.#11810
01318414 >6BFA8A15 mfc120u.#7609
01318418 >6BE4EB1A mfc120u.#11810
0131841C >6BE4B2A9 mfc120u.#14162
01318420 >6C02FDD9 mfc120u.#7398
01318424 >6BFA8AA2 mfc120u.#7333
01318428 >6BF9ECA3 mfc120u.#8206
0131842C >6BFA8A5C mfc120u.#7337
01318430 >6BE74F58 mfc120u.#462
01318434 >6BE72462 mfc120u.#7004
01318438 >6BFA8A6E mfc120u.#10131
0131843C >6C03BDEF mfc120u.#2367
01318440 >6BEAC86E jmp 到 msvcr120.free
Repairing with Scylla works.
But repairing with ImpREC doesn't work.
Clicking "IAT AutoSearch" still says no valid OEP could be found, and clicking "Get Imports" doesn't work either.
This makes me doubt whether the OEP I found and these functions are correct.
Could the seniors tell me why Import REC can't find the process?
Are the entries obtained above correct?
If the IAT start address found at 8000 is not correct, how should I locate it?
Oh my. I just looked at the PE structure with a PE viewer...
Why is the import table IAT 0? It was clearly repaired...
Attachment:
Link: https://pan.baidu.com/s/1jM0o5lIOuJD-JK5_Xmpdmw Extraction code: wzg7
Archive password: 52pojie
Nice. One is the auto-repaired version at 208 KB, the other is the manually repaired one at 228 KB. Both run fine on my end. Give them a try. Link: https://pan.baidu.com/s/1G1xDJV6RfUQYD21oX_g6CQ Extraction code: 4321