niliu
Posted 2008-10-22 10:30
Well.. let's start at the beginning:
00471000  9C               PUSHFD
00471001  60               PUSHAD
00471002  E8 02000000      CALL UnPackMe.00471009          ; F7 through this
00471007  33C0             XOR EAX,EAX
00471009  8BC4             MOV EAX,ESP
0047100B  83C0 04          ADD EAX,4
0047100E  93               XCHG EAX,EBX
0047100F  8BE3             MOV ESP,EBX
00471011  8B5B FC          MOV EBX,DWORD PTR DS:[EBX-4]
00471014  81EB 07204000    SUB EBX,UnPackMe.00402007       ; ASCII "FE"
0047101A  87DD             XCHG EBP,EBX
0047101C  01AD BB2F4000    ADD DWORD PTR SS:[EBP+402FBB],EBP
00471022  01AD E5304000    ADD DWORD PTR SS:[EBP+4030E5],EBP
00471028  01AD 5E304000    ADD DWORD PTR SS:[EBP+40305E],EBP
0047102E  01AD 92314000    ADD DWORD PTR SS:[EBP+403192],EBP
00471034  01AD 42314000    ADD DWORD PTR SS:[EBP+403142],EBP
0047103A  01AD F7314000    ADD DWORD PTR SS:[EBP+4031F7],EBP
00471040  01AD 66324000    ADD DWORD PTR SS:[EBP+403266],EBP
00471046  01AD 2F324000    ADD DWORD PTR SS:[EBP+40322F],EBP
0047104C  01AD FD344000    ADD DWORD PTR SS:[EBP+4034FD],EBP
00471052  01AD 52354000    ADD DWORD PTR SS:[EBP+403552],EBP
00471058  E8 DF0B0000      CALL UnPackMe.00471C3C
0047105D  E8 740E0000      CALL UnPackMe.00471ED6
00471062  85C0             TEST EAX,EAX
00471064  74 15            JE SHORT UnPackMe.0047107B
00471066  FFB5 B2214000    PUSH DWORD PTR SS:[EBP+4021B2]
0047106C  E8 E5140000      CALL UnPackMe.00472556
00471071  8985 01384000    MOV DWORD PTR SS:[EBP+403801],EAX
00471077  85C0             TEST EAX,EAX
00471079  75 0E            JNZ SHORT UnPackMe.00471089
0047107B  8D85 3B234000    LEA EAX,DWORD PTR SS:[EBP+40233B]
00471081  C700 00000000    MOV DWORD PTR DS:[EAX],0
00471087  EB 3E            JMP SHORT UnPackMe.004710C7
00471089  8D85 5D254000    LEA EAX,DWORD PTR SS:[EBP+40255D]
0047108F  8D8D 91254000    LEA ECX,DWORD PTR SS:[EBP+402591]
00471095  FFB5 01384000    PUSH DWORD PTR SS:[EBP+403801]
0047109B  FFB5 B2214000    PUSH DWORD PTR SS:[EBP+4021B2]
004710A1  51               PUSH ECX
004710A2  50               PUSH EAX
004710A3  E8 000A0000      CALL UnPackMe.00471AA8
004710A8  8D85 25264000    LEA EAX,DWORD PTR SS:[EBP+402625]
004710AE  8D8D 89264000    LEA ECX,DWORD PTR SS:[EBP+402689]
004710B4  FFB5 01384000    PUSH DWORD PTR SS:[EBP+403801]
004710BA  FFB5 B2214000    PUSH DWORD PTR SS:[EBP+4021B2]
004710C0  51               PUSH ECX
004710C1  50               PUSH EAX
004710C2  E8 E1090000      CALL UnPackMe.00471AA8
004710C7  8D85 2B234000    LEA EAX,DWORD PTR SS:[EBP+40232B]
004710CD  50               PUSH EAX
004710CE  E8 030B0000      CALL UnPackMe.00471BD6
004710D3  FFB5 B2214000    PUSH DWORD PTR SS:[EBP+4021B2]
004710D9  FFB5 F5224000    PUSH DWORD PTR SS:[EBP+4022F5]
004710DF  E8 C90C0000      CALL UnPackMe.00471DAD          ; candy inside (worth stepping into) //// F8 all the way to here, then F7 in
00471DAD  58               POP EAX                         ; UnPackMe.004710E4
00471DAE  5E               POP ESI
00471DAF  5A               POP EDX
00471DB0  50               PUSH EAX
00471DB1  0BF6             OR ESI,ESI
00471DB3  74 12            JE SHORT UnPackMe.00471DC7
00471DB5  03F2             ADD ESI,EDX
00471DB7  E8 0D000000      CALL UnPackMe.00471DC9          ; more candy inside //// F7 in
00471DBC  72 0A            JB SHORT UnPackMe.00471DC8
00471DBE  83C6 14          ADD ESI,14
00471DC1  837E 0C 00       CMP DWORD PTR DS:[ESI+C],0
00471DC5  75 F0            JNZ SHORT UnPackMe.00471DB7
00471DC7  F8               CLC
00471DC8  C3               RETN
00471DC9  8B0E             MOV ECX,DWORD PTR DS:[ESI]
00471DCB  8B7E 10          MOV EDI,DWORD PTR DS:[ESI+10]
00471DCE  0BC9             OR ECX,ECX
00471DD0  75 02            JNZ SHORT UnPackMe.00471DD4
00471DD2  8BCF             MOV ECX,EDI
00471DD4  03CA             ADD ECX,EDX
00471DD6  03FA             ADD EDI,EDX
00471DD8  8B46 0C          MOV EAX,DWORD PTR DS:[ESI+C]
00471DDB  85C0             TEST EAX,EAX
00471DDD  74 71            JE SHORT UnPackMe.00471E50
00471DDF  03C2             ADD EAX,EDX
00471DE1  51               PUSH ECX
00471DE2  52               PUSH EDX
00471DE3  8985 C6214000    MOV DWORD PTR SS:[EBP+4021C6],EAX
00471DE9  C785 C2214000 00000000  MOV DWORD PTR SS:[EBP+4021C2],0
00471DF3  50               PUSH EAX
00471DF4  E8 51030000      CALL UnPackMe.0047214A
00471DF9  85C0             TEST EAX,EAX
00471DFB  75 0B            JNZ SHORT UnPackMe.00471E08
00471DFD  FFB5 C6214000    PUSH DWORD PTR SS:[EBP+4021C6]
00471E03  E8 6B020000      CALL UnPackMe.00472073
00471E08  5A               POP EDX
00471E09  59               POP ECX
00471E0A  85C0             TEST EAX,EAX
00471E0C  74 44            JE SHORT UnPackMe.00471E52
00471E0E  8985 BA214000    MOV DWORD PTR SS:[EBP+4021BA],EAX
00471E14  8B19             MOV EBX,DWORD PTR DS:[ECX]
00471E16  83C1 04          ADD ECX,4
00471E19  85DB             TEST EBX,EBX
00471E1B  74 33            JE SHORT UnPackMe.00471E50
00471E1D  8BC3             MOV EAX,EBX
00471E1F  F7C3 00000080    TEST EBX,80000000
00471E25  74 08            JE SHORT UnPackMe.00471E2F
00471E27  81E3 FFFF0000    AND EBX,0FFFF
00471E2D  EB 04            JMP SHORT UnPackMe.00471E33
00471E2F  43               INC EBX
00471E30  43               INC EBX
00471E31  03DA             ADD EBX,EDX
00471E33  51               PUSH ECX
00471E34  52               PUSH EDX
00471E35  899D C2214000    MOV DWORD PTR SS:[EBP+4021C2],EBX
00471E3B  53               PUSH EBX
00471E3C  FFB5 BA214000    PUSH DWORD PTR SS:[EBP+4021BA]
00471E42  E8 32010000      CALL UnPackMe.00471F79          ; candy inside this one too.. //// F7 in, same as before..
00471E47  5A               POP EDX
00471E48  59               POP ECX
00471E49  85C0             TEST EAX,EAX
00471E4B  74 05            JE SHORT UnPackMe.00471E52
00471E4D  AB               STOS DWORD PTR ES:[EDI]
00471E4E  EB C4            JMP SHORT UnPackMe.00471E14
00471E50  F8               CLC
00471E51  C3               RETN
00471E52  F9               STC
00471E53  C3               RETN
Now for the main event, the IAT handling.. it's in the code below. Three ways to deal with the IAT:
00471FB1  5E               POP ESI                         ; UnPackMe.00470000
00471FB2  5D               POP EBP
00471FB3  FF75 0C          PUSH DWORD PTR SS:[EBP+C]
00471FB6  FF75 08          PUSH DWORD PTR SS:[EBP+8]
00471FB9  FF15 E9184700    CALL DWORD PTR DS:[<&KERNEL32.GetProcAddress>]  ; kernel32.GetProcAddress
00471FBF  85C0             TEST EAX,EAX
00471FC1  74 25            JE SHORT UnPackMe.00471FE8      ; IAT method 1: change this to JMP
00471FC3  51               PUSH ECX
00471FC4  56               PUSH ESI
00471FC5  50               PUSH EAX
00471FC6  E8 00000000      CALL UnPackMe.00471FCB
00471FCB  5E               POP ESI
00471FCC  81EE CB2F4000    SUB ESI,UnPackMe.00402FCB
00471FD2  8D8E 2B234000    LEA ECX,DWORD PTR DS:[ESI+40232B]
00471FD8  50               PUSH EAX
00471FD9  51               PUSH ECX
00471FDA  E8 97FBFFFF      CALL UnPackMe.00471B76
00471FDF  85C0             TEST EAX,EAX
00471FE1  74 02            JE SHORT UnPackMe.00471FE5      ; IAT method 2: change this to JMP
00471FE3  59               POP ECX                         ; just two instructions, this one and the next. Method 3: NOP out these two
00471FE4  50               PUSH EAX                        ; yep, the main event is these two instructions.. this is what encrypts the IAT; once you get past these two there are no problems at all
00471FE5  58               POP EAX
00471FE6  5E               POP ESI
00471FE7  59               POP ECX
00471FE8  C9               LEAVE
00471FE9  C2 0800          RETN 8                          ; to save time, F8 straight through; don't linger eating candy in the loop, just set an F2 breakpoint and fly out
OK, IAT handled. Now it's time to find the OEP. F8 all the way..
00471179  8D8D E1214000    LEA ECX,DWORD PTR SS:[EBP+4021E1]
0047117F  6A 30            PUSH 30
00471181  51               PUSH ECX
00471182  8D9D D5214000    LEA EBX,DWORD PTR SS:[EBP+4021D5]
00471188  53               PUSH EBX
00471189  FFB5 BE214000    PUSH DWORD PTR SS:[EBP+4021BE]
0047118F  FF95 E9284000    CALL DWORD PTR SS:[EBP+4028E9]
00471195  8D9D 09234000    LEA EBX,DWORD PTR SS:[EBP+402309]
0047119B  53               PUSH EBX
0047119C  6A 00            PUSH 0
0047119E  FFD0             CALL EAX
004711A0  FFA5 CD284000    JMP DWORD PTR SS:[EBP+4028CD]
004711A6  61               POPAD
004711A7  9D               POPFD
004711A8  68 9C154500      PUSH UnPackMe.0045159C
004711AD  C3               RETN                            ; past here is the OEP. Apart from handling the IAT, finding the OEP for this packer is really easy
0045159C  55               PUSH EBP                        ; OEP..
0045159D  8BEC             MOV EBP,ESP
0045159F  83C4 F0          ADD ESP,-10
004515A2  B8 BC134500      MOV EAX,UnPackMe.004513BC
004515A7  E8 8846FBFF      CALL UnPackMe.00405C34
004515AC  A1 E02F4500      MOV EAX,DWORD PTR DS:[452FE0]
004515B1  8B00             MOV EAX,DWORD PTR DS:[EAX]
004515B3  E8 F8E5FFFF      CALL UnPackMe.0044FBB0
004515B8  A1 E02F4500      MOV EAX,DWORD PTR DS:[452FE0]
004515BD  8B00             MOV EAX,DWORD PTR DS:[EAX]
004515BF  BA FC154500      MOV EDX,UnPackMe.004515FC       ; ASCII ".52pojie.cn"
004515C4  E8 F7E1FFFF      CALL UnPackMe.0044F7C0
004515C9  8B0D C0304500    MOV ECX,DWORD PTR DS:[4530C0]   ; UnPackMe.00454BD0
004515CF  A1 E02F4500      MOV EAX,DWORD PTR DS:[452FE0]
004515D4  8B00             MOV EAX,DWORD PTR DS:[EAX]
004515D6  8B15 50114500    MOV EDX,DWORD PTR DS:[451150]   ; UnPackMe.0045119C
004515DC  E8 E7E5FFFF      CALL UnPackMe.0044FBC8
004515E1  A1 E02F4500      MOV EAX,DWORD PTR DS:[452FE0]
004515E6  8B00             MOV EAX,DWORD PTR DS:[EAX]
004515E8  E8 5BE6FFFF      CALL UnPackMe.0044FC48
004515ED  E8 6A27FBFF      CALL UnPackMe.00403D5C
004515F2  0000             ADD BYTE PTR DS:[EAX],AL
OK, dump it and fix the IAT. No invalid functions... done...
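The three IAT fixes in the post are two-byte patches applied in the debugger: JE to JMP at 00471FC1 (method 1), JE to JMP at 00471FE5 (method 2), or NOP over the POP ECX / PUSH EAX pair at 00471FE3 (method 3). As an added example, my code and not from the post, the script below models only the bytes the listing shows for 00471FB1..00471FEB, refuses to write unless the expected bytes are really at the target address (the check you want before poking a live process or a dump), and applies whichever method you pick. The byte array is constructed from the opcode column of the listing, not read from the packed file, and the helper names are my own.

```python
# Bytes constructed from the opcode column the post lists for 00471FB1..00471FEB,
# the tail of the IAT-resolving routine. Only this range is modelled.
CODE_BASE = 0x00471FB1
CODE = bytes.fromhex(
    "5E 5D FF750C FF7508 FF15E9184700 85C0 7425 51 56 50 E800000000 5E"
    " 81EECB2F4000 8D8E2B234000 50 51 E897FBFFFF 85C0 7402 59 50 58 5E 59 C9 C20800"
)

# The three fixes from the post: (address, bytes expected there, replacement).
# Each replacement is the same length as what it overwrites, so nothing after
# it shifts and the short-jump displacements stay valid.
IAT_FIXES = {
    1: (0x00471FC1, bytes.fromhex("7425"), bytes.fromhex("EB25")),  # JE -> JMP SHORT 00471FE8
    2: (0x00471FE1, bytes.fromhex("7402"), bytes.fromhex("EB02")),  # JE -> JMP SHORT 00471FE5
    3: (0x00471FE3, bytes.fromhex("5950"), bytes.fromhex("9090")),  # POP ECX / PUSH EAX -> NOP NOP
}


def short_jump_target(code, base, va):
    """Destination of the 2-byte short Jcc/JMP at va (rel8 counts from the next instruction)."""
    off = va - base
    rel8 = int.from_bytes(code[off + 1:off + 2], "little", signed=True)
    return va + 2 + rel8


def apply_iat_fix(code, base, method):
    """Return a patched copy of code; raise if the bytes at the address are not what we expect."""
    va, expect, replacement = IAT_FIXES[method]
    off = va - base
    if off < 0 or off + len(expect) > len(code):
        raise ValueError("address %08X is outside the modelled range" % va)
    found = code[off:off + len(expect)]
    if found != expect:
        raise ValueError("expected %s at %08X, found %s" % (expect.hex(), va, found.hex()))
    return code[:off] + replacement + code[off + len(replacement):]


if __name__ == "__main__":
    for method, (va, _, _) in IAT_FIXES.items():
        patched = apply_iat_fix(CODE, CODE_BASE, method)
        off = va - CODE_BASE
        print("method %d: %08X  %s -> %s" % (
            method, va, CODE[off:off + 2].hex(), patched[off:off + 2].hex()))
    print("JE at 00471FC1 targets %08X" % short_jump_target(CODE, CODE_BASE, 0x00471FC1))
```

The byte check is what makes this safe to run twice or against the wrong build: applying method 3 to an image that already has the NOPs raises instead of silently "succeeding". These are in-memory patches made while the process is stopped in the debugger, exactly as the post does them; the post says nothing about where these bytes live in the packed file, so writing them back to the executable on disk needs a VA to file-offset mapping that is not covered here.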