UPolyX v0.5 * PEiD 查壳显示的就是这个壳（晕倒）
00511709 UnP>50 push eax ; OD 载入后停在这里
0051170A 7C 05jl short UnPackMe.00511711
0051170C 52 push edx
0051170D C1C4 80rol esp,80
00511710 5A pop edx
00511711 58 pop eax
00511712 7E 07jle short UnPackMe.0051171B
00511714 72 05jb short UnPackMe.0051171B
00511716 0D 00000000or eax,0
0051171B FC cld
0051171C BE 3C010000mov esi,13C
00511721 87DE xchg esi,ebx
00511723 87D2 xchg edx,edx
00511725 F8 clc
00511726 04 00add al,0
00511728 B9 A0F9FFFFmov ecx,-660
0051172D 56 push esi
0051172E 7F 06jg short UnPackMe.00511736
00511730 57 push edi
00511731 66:83E9 00 sub cx,0
打开内存镜像
在 005119000 处按 F2 下断点，然后 F9 运行
0051126E FF10 call dword ptr ds:[eax]; kernel32.LoadLibraryA 这里按 F7 单步进入
00511270 83C4 10add esp,10
00511273 89C7 mov edi,eax
00511275 6A 00push 0
00511277 68 6C6C6F63push 636F6C6C
0051127C 68 75616C41push 416C6175
00511281 68 56697274push 74726956 ; 这三次 push 在栈上拼出字符串 "VirtualAlloc"
00511286 54 push esp
00511287 50 push eax
00511288 8B45 0Cmov eax,dword ptr ss:[ebp+C]
一路按 F8 单步，遇到向上的跳转就把它打断（不让它回跳）
005114CC ^\EB CDjmp short UnPackMe.0051149B
005114CE 83C3 14add ebx,14
005114D1 ^ EB 99jmp short UnPackMe.0051146C
005114D3 64:8B05 30000000 mov eax,dword ptr fs:[30] ; 读取 PEB。按 F4 运行到这里会出现错误提示，不用理它
005114DA 8B40 0Cmov eax,dword ptr ds:[eax+C]
005114DD 8B58 0Cmov ebx,dword ptr ds:[eax+C]
005114E0 895D 90mov dword ptr ss:[ebp-70],ebx
005114E3 8B53 18mov edx,dword ptr ds:[ebx+18]
00511528 3B45 B8cmp eax,dword ptr ss:[ebp-48]
0051152B 76 05jbe short 00511532
0051152D 83C7 14add edi,14
00511530 ^ EB DEjmp short 00511510 ; 这里要让它向上跳，否则程序就跑飞了；循环 2 次后会跳过这里
00511532 6A 1Cpush 1C
00511534 8D85 64FFFFFFlea eax,dword ptr ss:[ebp-9C]
0051153A 50 push eax
0051153B 56 push esi
0051153C FF55 88call dword ptr ss:[ebp-78]
004070FF 60 pushad
00407100 68 54704000push UnPack_1.00407054 ; ASCII "KERNEL32.DLL"  这里用 ESP 定律：对 ESP 下硬件访问断点后 F9 运行
00407105 B8 48704000mov eax,UnPack_1.00407048
0040710A FF10 call dword ptr ds:[eax]
0040710C 68 B3704000push UnPack_1.004070B3 ; ASCII "GlobalAlloc"
00407111 50 push eax
00407112 B8 44704000mov eax,UnPack_1.00407044
00407117 FF10 call dword ptr ds:[eax]
00407119 68 00100000push 1000
0040711E 6A 40push 40
00407120 FFD0 call eax
00407122 8905 CA704000mov dword ptr ds:[4070CA],eax
00407128 89C7 mov edi,eax
0040712A BE 00104000mov esi,UnPack_1.00401000
0040729A BA 00174000mov edx,UnPack_1.00401700
0040729F FFE2 jmp edx ; 跳向 OEP
004072A1 90 nop
004072A2 C3 retn
004072A3 44 inc esp
004072A4 0000 add byte ptr ds:[eax],al
004072A6 0000 add byte ptr ds:[eax],al
004072A8 0000 add byte ptr ds:[eax],al
004072AA 0000 add byte ptr ds:[eax],al
00401700 55 push ebp ; OEP。LordPE 无法转存（晕），换用 PETools 才可以
00401701 8BEC mov ebp,esp
00401703 6A FFpush -1
00401705 68 00254000push UnPack_1.00402500
0040170A 68 86184000push UnPack_1.00401886 ; jmp to msvcrt._except_handler3
0040170F 64:A1 00000000 mov eax,dword ptr fs:[0]
00401715 50 push eax
00401716 64:8925 00000000 mov dword ptr fs:[0],esp
0040171D 83EC 68sub esp,68
00401720 53 push ebx
00401721 56 push esi
00401722 57 push edi
00401723 8965 E8mov dword ptr ss:[ebp-18],esp
00401726 33DB xor ebx,ebx
00401723 8965 E8mov dword ptr ss:[ebp-18],esp
00401726 33DB xor ebx,ebx
00401728 895D FCmov dword ptr ss:[ebp-4],ebx
0040172B 6A 02push 2
0040172D FF15 90214000call dword ptr ds:[402190] ; msvcrt.__set_app_type
这里是 IAT 表
00401733 59 pop ecx
00401734 830D 2C314000 FF or dword ptr ds:[40312C],FFFFFFFF
0040173B 830D 30314000 FF or dword ptr ds:[403130],FFFFFFFF
手动指定 IAT 起始地址 00402000，大小 = 004022C0 - 00402000 = 2C0
用 ir 修复 IAT
打开加壳程序来修复
无效的指针全部删除，保存成功！！！