欧雨鹏
发表于 2020-10-31 20:46
本帖最后由 欧雨鹏 于 2020-11-1 18:02 编辑
工具:吾爱破解OD
环境:vmware---win7 64位
样本:vs2013编写的MFC程序,经过aspack2.24加壳
加壳后的信息如下:
q13
OD载入后,停在此处
q1
使用ESP定律可以直接走到OEP
q2
单步进去。直到oep处.
q3
地址:00BF68E1 F7单步进去。
q4
可以看到这里面就是入口。切换到E,查看exe的基址是00BF0000
尝试dump,起始地址改为BF0000,oep改为68E1
q5
q6
用Import REC修复IAT,弹出下面错误。
q7
加载了未加壳的程序,可以确定这就是OEP入口。。。但是就是找不到有用的信息。
后面应该还需要解压,但是跟下去跟不明白。。
下面开始跟踪:
在00BF6FB2 地址处右键--断点---硬件执行.重新载入程序
command输入BP GetModuleHandleA 回车,再shift+F9,断下来这里。可以看到kernel32.dll.来到了GetModuleHandleA
q8
单步走出去,到这里
[Asm] 纯文本查看 复制代码 00C1500E E8 01000000 call PEWINDOW.00C15014 ; target is the 5D byte inside the next instruction (= pop ebp): ebp = return address 00C15013
00C15013 EB 5D jmp short PEWINDOW.00C15072 ; never runs as a jmp; its second byte is the pop ebp above
; Delta-offset trick: from here on ebp = 00C15013 and every [ebp+disp] is data inside the stub.
00C15015 BB EDFFFFFF mov ebx,-0x13
00C1501A 03DD add ebx,ebp ; PEWINDOW.00C15013 ; ebx = 00C15013 - 0x13 = 00C15000
00C1501C 81EB 00500200 sub ebx,0x25000 ; ebx = 00BF0000 = actual image base (stub sits 0x25000 above it)
00C15022 83BD 94040000 0>cmp dword ptr ss:[ebp+0x494],0x0 ; [ebp+0x494] caches the image base; nonzero = stub already ran once
00C15029 899D 94040000 mov dword ptr ss:[ebp+0x494],ebx ; PEWINDOW.00BF0000
00C1502F 0F85 D7030000 jnz PEWINDOW.00C1540C ; second entry: skip unpacking, go straight to the OEP hand-off at 00C1540C
00C15035 8D85 A0040000 lea eax,dword ptr ss:[ebp+0x4A0] ; eax -> DLL name string in the stub (kernel32, per the handle returned below)
00C1503B 50 push eax ; kernel32.755D0000 ; lpModuleName
00C1503C FF95 B50F0000 call dword ptr ss:[ebp+0xFB5] ; kernel32.GetModuleHandleA ; [ebp+0xFB5] holds the stub's own GetModuleHandleA pointer
00C15042 8985 98040000 mov dword ptr ss:[ebp+0x498],eax ; kernel32.755D0000 ; [ebp+0x498] = hKernel32 (reused by the import fixer); the BP on GetModuleHandleA returns here
00C15048 8BF0 mov esi,eax ; kernel32.755D0000 ; esi = hKernel32
00C1504A 8D7D 51 lea edi,dword ptr ss:[ebp+0x51] ; edi = 00C15064: table of NUL-terminated API names, starting with "VirtualAlloc" (bytes at 00C15064 below)
00C1504D 57 push edi ; Virtualalloc ; lpProcName
00C1504E 56 push esi ; hModule
00C1504F FF95 B10F0000 call dword ptr ss:[ebp+0xFB1] ; kernel32.GetProcAddress
00C15055 AB stos dword ptr es:[edi] ; overwrite the first 4 bytes of the name with the resolved address (replaced in place, not deleted)
00C15056 B0 00 mov al,0x0
00C15058 AE scas byte ptr es:[edi] ; skip the rest of the name up to its NUL
00C15059 ^ 75 FD jnz short PEWINDOW.00C15058
00C1505B 3807 cmp byte ptr ds:[edi],al ; a second NUL ends the table
00C1505D ^ 75 EE jnz short PEWINDOW.00C1504D ; otherwise resolve the next name
; Result: [ebp+0x51] = VirtualAlloc, [ebp+0x5E] = VirtualFree, [ebp+0x6A] = VirtualProtect (consistent with the later
; call dword ptr [ebp+0x51]/[ebp+0x5E]/[ebp+0x6A] sites and with the string lengths: 00C15064 + 13 = 00C15071, + 12 = 00C1507D).
00C1505F 8D45 7A lea eax,dword ptr ss:[ebp+0x7A] ; eax = 00C1508D, first instruction after the string table
00C15062 - FFE0 jmp eax ; kernel32.755D0000 ; jump over the data below; the lines that follow are strings the debugger disassembles as junk
00C15064 56 push esi ; bytes 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 = "VirtualAlloc\0", not code
00C15065 6972 74 75616C4>imul esi,dword ptr ds:[edx+0x74],0x416C6175
00C1506C 6c ins byte ptr es:[edi],dx
00C1506D 6c ins byte ptr es:[edi],dx
00C1506E 6f outs dx,dword ptr ds:[esi]
00C1506F 6300 arpl word ptr ds:[eax],ax
下面是跳转到的eax
00C1508D 8B9D A1050000 mov ebx,dword ptr ss:[ebp+0x5A1] ; optional: address of one dword to swap with a saved copy; 0 in this sample (the je below is taken). Not the decompressor.
00C15093 0BDB or ebx,ebx ; PEWINDOW.00BF0000
00C15095 74 16 je short PEWINDOW.00C150AD ; taken in this run
00C15097 2B9D 9D050000 sub ebx,dword ptr ss:[ebp+0x59D] ; rebase: subtract [ebp+0x59D] (also used as the relocation reference base at 00C151CC) ...
00C1509D 039D 94040000 add ebx,dword ptr ss:[ebp+0x494] ; PEWINDOW.00BF0000 ; ... and add the actual image base
00C150A3 8B03 mov eax,dword ptr ds:[ebx]
00C150A5 8785 A5050000 xchg dword ptr ss:[ebp+0x5A5],eax ; PEWINDOW.00C1508D ; swap the dword at [ebx] with the copy kept at [ebp+0x5A5]
00C150AB 8903 mov dword ptr ds:[ebx],eax ; PEWINDOW.00C1508D
; Section table walk. Entries at [ebp+0x5D1] are 3 dwords {RVA, packed size, original Characteristics}
; (stride 0xC, see add esi,0xC at 00C15198; RVA 0 terminates). Per entry: alloc, decompress, E8/E9 fix-up, copy back, free.
00C150AD 8DB5 D1050000 lea esi,dword ptr ss:[ebp+0x5D1] ; esi -> first table entry
00C150B3 833E 00 cmp dword ptr ds:[esi],0x0
00C150B6 0F84 0A010000 je PEWINDOW.00C151C6 ; empty table: skip decompression (not taken here)
00C150BC 6A 04 push 0x4 ; flProtect = PAGE_READWRITE
00C150BE 68 00100000 push 0x1000 ; flAllocationType = MEM_COMMIT
00C150C3 68 00180000 push 0x1800 ; dwSize = 0x1800
00C150C8 6A 00 push 0x0 ; lpAddress = NULL (OS picks the address)
00C150CA FF55 51 call dword ptr ss:[ebp+0x51] ; kernel32.VirtualAlloc ; work buffer for the decompressor
00C150CD 8985 54010000 mov dword ptr ss:[ebp+0x154],eax ; PEWINDOW.00C1508D ; [ebp+0x154] = work buffer
00C150D3 8B46 04 mov eax,dword ptr ds:[esi+0x4] ; eax = packed size of this section
00C150D6 05 0E010000 add eax,0x10E ; output buffer size = packed size + 0x10E slack
00C150DB 0F84 B7000000 je PEWINDOW.00C15198 ; zero: nothing to unpack for this entry (not taken here)
; VirtualAlloc(NULL, size, MEM_COMMIT, PAGE_READWRITE): the four pushes are its arguments right-to-left, not IAT base/RVA/size.
00C150E1 6A 04 push 0x4 ; flProtect = PAGE_READWRITE
00C150E3 68 00100000 push 0x1000 ; flAllocationType = MEM_COMMIT
00C150E8 50 push eax ; PEWINDOW.00C1508D ; dwSize = packed size + 0x10E
00C150E9 6A 00 push 0x0 ; lpAddress = NULL
00C150EB FF55 51 call dword ptr ss:[ebp+0x51] ; kernel32.VirtualAlloc
00C150EE 8985 50010000 mov dword ptr ss:[ebp+0x150],eax ; PEWINDOW.00C1508D ; [ebp+0x150] = output buffer for the decompressed data
00C150F4 56 push esi ; kernel32.755D0000 ; save table pointer (popped at 00C15187)
00C150F5 8B1E mov ebx,dword ptr ds:[esi]
00C150F7 039D 94040000 add ebx,dword ptr ss:[ebp+0x494] ; PEWINDOW.00BF0000 ; ebx = section VA = RVA + image base (packed data lives in place)
00C150FD FFB5 54010000 push dword ptr ss:[ebp+0x154] ; arg4: work buffer
00C15103 FF76 04 push dword ptr ds:[esi+0x4] ; arg3: packed size
00C15106 50 push eax ; PEWINDOW.00C1508D ; arg2: output buffer
00C15107 53 push ebx ; PEWINDOW.00BF0000 ; arg1: packed section data
00C15108 E8 C7050000 call PEWINDOW.00C156D4 ; decompressor (body not in this listing); eax on return is used as the byte count copied back at 00C1516B
00C1510D B3 00 mov bl,0x0 ; constant flag: with bl = 0 the jnz below never fires, so the fix-up at 00C15114 always runs
00C1510F 80FB 00 cmp bl,0x0
00C15112 75 4D jnz short PEWINDOW.00C15161
; E8/E9 post-processing over the decompressed buffer: CALL/JMP rel32 operands whose first byte is 01 were stored by the packer
; as byte-swapped absolute offsets (presumably to compress better); this turns them back into relative displacements.
00C15114 FE85 FB000000 inc byte ptr ss:[ebp+0xFB] ; counts sections that went through this pass
00C1511A 50 push eax ; PEWINDOW.00C1508D ; save decompressed length
00C1511B 51 push ecx ; kernel32.755D0000
00C1511C 56 push esi ; kernel32.755D0000 ; save table pointer
00C1511D 53 push ebx ; PEWINDOW.00BF0000
00C1511E 8BC8 mov ecx,eax ; PEWINDOW.00C1508D ; ecx = bytes remaining
00C15120 83E9 05 sub ecx,0x5 ; stop 5 bytes early: an E8/E9 plus rel32 needs 5 bytes
00C15123 8BB5 50010000 mov esi,dword ptr ss:[ebp+0x150] ; esi -> decompressed data
00C15129 33DB xor ebx,ebx ; PEWINDOW.00BF0000 ; ebx = offset of the current byte within the buffer
00C1512B 0BC9 or ecx,ecx ; kernel32.755D0000 ; loop head: this is the byte-scan loop seen while stepping, not the decompressor
00C1512D 74 2E je short PEWINDOW.00C1515D ; done when nothing remains ...
00C1512F 78 2C js short PEWINDOW.00C1515D ; ... or the count went negative
00C15131 AC lods byte ptr ds:[esi] ; al = next byte
00C15132 3C E8 cmp al,0xE8 ; CALL rel32 opcode?
00C15134 74 0A je short PEWINDOW.00C15140
00C15136 EB 00 jmp short PEWINDOW.00C15138 ; jmp +0: filler, no effect
00C15138 3C E9 cmp al,0xE9 ; JMP rel32 opcode?
00C1513A 74 04 je short PEWINDOW.00C15140
00C1513C 43 inc ebx ; PEWINDOW.00BF0000 ; plain byte: advance one
00C1513D 49 dec ecx ; kernel32.755D0000
00C1513E ^ EB EB jmp short PEWINDOW.00C1512B ; one iteration per byte, hence the many loops
00C15140 8B06 mov eax,dword ptr ds:[esi] ; eax = the 4 operand bytes
00C15142 EB 00 jmp short PEWINDOW.00C15144
00C15144 803E 01 cmp byte ptr ds:[esi],0x1 ; marker byte 01: only such operands were transformed
00C15147 ^ 75 F3 jnz short PEWINDOW.00C1513C ; otherwise treat the E8/E9 as an ordinary byte
00C15149 24 00 and al,0x0 ; drop the marker byte
00C1514B C1C0 18 rol eax,0x18 ; rotate 24 (= ror 8): reorders the remaining 3 bytes into a little-endian value
00C1514E 2BC3 sub eax,ebx ; PEWINDOW.00BF0000 ; stored absolute offset - position of this instruction = relative displacement
00C15150 8906 mov dword ptr ds:[esi],eax ; PEWINDOW.00C1508D ; write the restored rel32
00C15152 83C3 05 add ebx,0x5 ; consumed opcode + 4 operand bytes
00C15155 83C6 04 add esi,0x4
00C15158 83E9 05 sub ecx,0x5
00C1515B ^ EB CE jmp short PEWINDOW.00C1512B
00C1515D 5B pop ebx ; PEWINDOW.00BF0000
00C1515E 5E pop esi ; kernel32.755D0000 ; esi -> section table entry again
00C1515F 59 pop ecx ; kernel32.755D0000
00C15160 58 pop eax ; PEWINDOW.00C1508D ; eax = decompressed length again
00C15161 EB 08 jmp short PEWINDOW.00C1516B ; skip the zero padding
00C15163 0000 add byte ptr ds:[eax],al ; 8 bytes of 00 padding, never executed
00C15165 0000 add byte ptr ds:[eax],al
00C15167 0000 add byte ptr ds:[eax],al
00C15169 0000 add byte ptr ds:[eax],al
; Copy the unpacked section back over its packed bytes in the image, free the buffer, advance to the next table entry.
00C1516B 8BC8 mov ecx,eax ; PEWINDOW.00C1508D ; ecx = decompressed length
00C1516D 8B3E mov edi,dword ptr ds:[esi]
00C1516F 03BD 94040000 add edi,dword ptr ss:[ebp+0x494] ; PEWINDOW.00BF0000 ; edi = section VA (destination)
00C15175 8BB5 50010000 mov esi,dword ptr ss:[ebp+0x150] ; esi = decompressed buffer (source)
00C1517B C1F9 02 sar ecx,0x2 ; dword count
00C1517E F3:A5 rep movs dword ptr es:[edi],dword ptr ds:[esi]
00C15180 8BC8 mov ecx,eax ; PEWINDOW.00C1508D
00C15182 83E1 03 and ecx,0x3 ; trailing 0-3 bytes
00C15185 F3:A4 rep movs byte ptr es:[edi],byte ptr ds:[esi]
00C15187 5E pop esi ; kernel32.755D0000 ; esi -> current table entry (pushed at 00C150F4)
00C15188 68 00800000 push 0x8000 ; dwFreeType = MEM_RELEASE (not an RVA)
00C1518D 6A 00 push 0x0 ; dwSize = 0 (required with MEM_RELEASE)
00C1518F FFB5 50010000 push dword ptr ss:[ebp+0x150] ; lpAddress = output buffer
00C15195 FF55 5E call dword ptr ss:[ebp+0x5E] ; kernel32.VirtualFree ; release the per-section output buffer
00C15198 83C6 0C add esi,0xC ; next 12-byte table entry
00C1519B 833E 00 cmp dword ptr ds:[esi],0x0 ; RVA 0 terminates the table
00C1519E ^ 0F85 2FFFFFFF jnz PEWINDOW.00C150D3 ; one VirtualAlloc/VirtualFree pair per section, then fall through
00C151A4 68 00800000 push 0x8000 ; MEM_RELEASE (not an RVA)
00C151A9 6A 00 push 0x0
00C151AB FFB5 54010000 push dword ptr ss:[ebp+0x154] ; the shared work buffer
00C151B1 FF55 5E call dword ptr ss:[ebp+0x5E] ; kernel32.VirtualFree
00C151B4 8B9D A1050000 mov ebx,dword ptr ss:[ebp+0x5A1] ; same optional dword-swap field as at 00C1508D (0 here)
00C151BA 0BDB or ebx,ebx ; PEWINDOW.00BF0000
00C151BC 74 08 je short PEWINDOW.00C151C6
00C151BE 8B03 mov eax,dword ptr ds:[ebx] ; NOTE: ebx is not rebased here, unlike 00C15097; path unused in this sample
00C151C0 8785 A5050000 xchg dword ptr ss:[ebp+0x5A5],eax ; PEWINDOW.00C1508D
; Base relocations. [ebp+0x59D] appears to be the ImageBase the file was linked for; edx = actual - preferred = delta.
00C151C6 8B95 94040000 mov edx,dword ptr ss:[ebp+0x494] ; PEWINDOW.00BF0000 ; edx = actual image base
00C151CC 8B85 9D050000 mov eax,dword ptr ss:[ebp+0x59D]
00C151D2 2BD0 sub edx,eax ; PEWINDOW.00C1508D ; relocation delta
00C151D4 74 79 je short PEWINDOW.00C1524F ; loaded at the preferred base: nothing to relocate
00C151D6 8BC2 mov eax,edx ; kernel32.755D0000
00C151D8 C1E8 10 shr eax,0x10 ; ax = HIWORD(delta); dx = LOWORD(delta)
00C151DB 33DB xor ebx,ebx ; PEWINDOW.00BF0000 ; upper half must be clear: the loop below only writes bx
00C151DD 8BB5 A9050000 mov esi,dword ptr ss:[ebp+0x5A9] ; RVA of the relocation data
00C151E3 03B5 94040000 add esi,dword ptr ss:[ebp+0x494] ; PEWINDOW.00BF0000 ; esi -> first IMAGE_BASE_RELOCATION block
00C151E9 833E 00 cmp dword ptr ds:[esi],0x0 ; block.VirtualAddress == 0 ends the list
00C151EC 74 61 je short PEWINDOW.00C1524F
00C151EE 8B4E 04 mov ecx,dword ptr ds:[esi+0x4] ; block.SizeOfBlock
00C151F1 83E9 08 sub ecx,0x8 ; minus the 8-byte block header
00C151F4 D1E9 shr ecx,1 ; ecx = number of 16-bit entries
00C151F6 8B3E mov edi,dword ptr ds:[esi]
00C151F8 03BD 94040000 add edi,dword ptr ss:[ebp+0x494] ; PEWINDOW.00BF0000 ; edi = VA of the page this block covers
00C151FE 83C6 08 add esi,0x8 ; esi -> first entry
00C15201 66:8B1E mov bx,word ptr ds:[esi] ; entry = type:4 | offset:12
00C15204 C1EB 0C shr ebx,0xC ; ebx = type
00C15207 83FB 01 cmp ebx,0x1 ; IMAGE_REL_BASED_HIGH
00C1520A 74 0C je short PEWINDOW.00C15218
00C1520C 83FB 02 cmp ebx,0x2 ; IMAGE_REL_BASED_LOW
00C1520F 74 16 je short PEWINDOW.00C15227
00C15211 83FB 03 cmp ebx,0x3 ; IMAGE_REL_BASED_HIGHLOW
00C15214 74 20 je short PEWINDOW.00C15236
00C15216 EB 2C jmp short PEWINDOW.00C15244 ; other types (e.g. ABSOLUTE padding): nothing to patch
00C15218 66:8B1E mov bx,word ptr ds:[esi]
00C1521B 81E3 FF0F0000 and ebx,0xFFF ; offset within the page
00C15221 66:01041F add word ptr ds:[edi+ebx],ax ; HIGH: add HIWORD(delta)
00C15225 EB 1D jmp short PEWINDOW.00C15244
00C15227 66:8B1E mov bx,word ptr ds:[esi]
00C1522A 81E3 FF0F0000 and ebx,0xFFF
00C15230 66:01141F add word ptr ds:[edi+ebx],dx ; LOW: add LOWORD(delta)
00C15234 EB 0E jmp short PEWINDOW.00C15244
00C15236 66:8B1E mov bx,word ptr ds:[esi]
00C15239 81E3 FF0F0000 and ebx,0xFFF
00C1523F 01141F add dword ptr ds:[edi+ebx],edx ; kernel32.755D0000 ; HIGHLOW: add the full 32-bit delta (the usual x86 case)
00C15242 EB 00 jmp short PEWINDOW.00C15244
00C15244 66:830E FF or word ptr ds:[esi],0xFFFF ; wipe the processed entry: the in-memory reloc table is destroyed, so a dump keeps no usable relocations
00C15248 83C6 02 add esi,0x2 ; next entry
00C1524B ^ E2 B4 loopd short PEWINDOW.00C15201 ; inner loop: one iteration per relocation entry (ecx)
00C1524D ^ EB 9A jmp short PEWINDOW.00C151E9 ; outer loop: next block
; Optional 16-bit patch list at [ebp+0x5B1]: {dword RVA, word value} pairs, terminated by RVA 0; each value is stored at its RVA.
00C1524F 8B95 94040000 mov edx,dword ptr ss:[ebp+0x494] ; PEWINDOW.00BF0000 ; edx = image base
00C15255 8BB5 B1050000 mov esi,dword ptr ss:[ebp+0x5B1]
00C1525B 0BF6 or esi,esi ; kernel32.755D0000
00C1525D 74 11 je short PEWINDOW.00C15270 ; no list
00C1525F 03F2 add esi,edx ; kernel32.755D0000 ; esi -> first pair
00C15261 AD lods dword ptr ds:[esi] ; eax = RVA
00C15262 0BC0 or eax,eax ; PEWINDOW.00C1508D
00C15264 74 0A je short PEWINDOW.00C15270 ; terminator
00C15266 03C2 add eax,edx ; kernel32.755D0000
00C15268 8BF8 mov edi,eax ; PEWINDOW.00C1508D ; edi = target VA
00C1526A 66:AD lods word ptr ds:[esi] ; ax = value
00C1526C 66:AB stos word ptr es:[edi] ; [target] = value
00C1526E ^ EB F1 jmp short PEWINDOW.00C15261
; Import resolution. 0xB6AC is the RVA of the IMAGE_IMPORT_DESCRIPTOR array (0x14 bytes each; fields used:
; +0 OriginalFirstThunk, +0xC Name, +0x10 FirstThunk). This is the part of the stub that fills the IAT.
00C15270 BE ACB60000 mov esi,0xB6AC
00C15275 8B95 94040000 mov edx,dword ptr ss:[ebp+0x494] ; PEWINDOW.00BF0000 ; edx = image base
00C1527B 03F2 add esi,edx ; kernel32.755D0000 ; esi -> first descriptor
00C1527D 8B46 0C mov eax,dword ptr ds:[esi+0xC] ; eax = Name RVA
00C15280 85C0 test eax,eax ; PEWINDOW.00C1508D
00C15282 0F84 0D010000 je PEWINDOW.00C15395 ; Name == 0: no more DLLs -> section protection pass
00C15288 03C2 add eax,edx ; kernel32.755D0000
00C1528A 8BD8 mov ebx,eax ; PEWINDOW.00C1508D ; ebx = DLL name VA
00C1528C 50 push eax ; PEWINDOW.00C1508D
00C1528D FF95 B50F0000 call dword ptr ss:[ebp+0xFB5] ; kernel32.GetModuleHandleA ; already loaded?
00C15293 85C0 test eax,eax ; PEWINDOW.00C1508D
00C15295 75 07 jnz short PEWINDOW.00C1529E
00C15297 53 push ebx ; PEWINDOW.00BF0000
00C15298 FF95 B90F0000 call dword ptr ss:[ebp+0xFB9] ; kernel32.LoadLibraryA ; otherwise load it
00C1529E 8985 B5050000 mov dword ptr ss:[ebp+0x5B5],eax ; PEWINDOW.00C1508D ; [ebp+0x5B5] = hModule of the current DLL
00C152A4 C785 B9050000 0>mov dword ptr ss:[ebp+0x5B9],0x0 ; [ebp+0x5B9] = byte offset of the current thunk (index * 4)
; Per-thunk loop: one pass per imported function of this DLL (the repeated loop seen while stepping).
00C152AE 8B95 94040000 mov edx,dword ptr ss:[ebp+0x494] ; PEWINDOW.00BF0000
00C152B4 8B06 mov eax,dword ptr ds:[esi] ; OriginalFirstThunk
00C152B6 85C0 test eax,eax ; PEWINDOW.00C1508D
00C152B8 75 03 jnz short PEWINDOW.00C152BD
00C152BA 8B46 10 mov eax,dword ptr ds:[esi+0x10] ; fall back to FirstThunk when OriginalFirstThunk is 0
00C152BD 03C2 add eax,edx ; kernel32.755D0000
00C152BF 0385 B9050000 add eax,dword ptr ss:[ebp+0x5B9] ; eax -> current thunk
00C152C5 8B18 mov ebx,dword ptr ds:[eax] ; ebx = IMAGE_THUNK_DATA (ordinal | flag, or RVA of IMAGE_IMPORT_BY_NAME)
00C152C7 8B7E 10 mov edi,dword ptr ds:[esi+0x10]
00C152CA 03FA add edi,edx ; kernel32.755D0000
00C152CC 03BD B9050000 add edi,dword ptr ss:[ebp+0x5B9] ; edi -> IAT slot to fill
00C152D2 85DB test ebx,ebx ; PEWINDOW.00BF0000
00C152D4 0F84 A5000000 je PEWINDOW.00C1537F ; thunk 0: this DLL is finished
00C152DA F7C3 00000080 test ebx,0x80000000 ; IMAGE_ORDINAL_FLAG32
00C152E0 75 04 jnz short PEWINDOW.00C152E6 ; import by ordinal
00C152E2 03DA add ebx,edx ; kernel32.755D0000
00C152E4 43 inc ebx ; PEWINDOW.00BF0000
00C152E5 43 inc ebx ; PEWINDOW.00BF0000 ; by name: skip the 2-byte Hint -> ebx = &IMAGE_IMPORT_BY_NAME.Name
00C152E6 53 push ebx ; PEWINDOW.00BF0000 ; keep the raw thunk for the failure path
00C152E7 81E3 FFFFFF7F and ebx,0x7FFFFFFF ; strip the ordinal flag (no-op for a name pointer)
00C152ED 53 push ebx ; PEWINDOW.00BF0000 ; lpProcName (name or ordinal)
00C152EE FFB5 B5050000 push dword ptr ss:[ebp+0x5B5] ; hModule
00C152F4 FF95 B10F0000 call dword ptr ss:[ebp+0xFB1] ; kernel32.GetProcAddress
00C152FA 85C0 test eax,eax ; PEWINDOW.00C1508D
00C152FC 5B pop ebx ; PEWINDOW.00BF0000 ; raw thunk back (pop leaves the flags intact)
00C152FD 75 72 jnz short PEWINDOW.00C15371 ; resolved: store into the IAT
00C152FF F7C3 00000080 test ebx,0x80000000
00C15305 75 19 jnz short PEWINDOW.00C15320 ; failed ordinal import: try the manual export walk
00C15307 57 push edi ; PEWINDOW.00C1508C
00C15308 8B46 0C mov eax,dword ptr ds:[esi+0xC]
00C1530B 0385 94040000 add eax,dword ptr ss:[ebp+0x494] ; PEWINDOW.00BF0000 ; DLL name
00C15311 50 push eax ; PEWINDOW.00C1508D
00C15312 53 push ebx ; PEWINDOW.00BF0000 ; function name
00C15313 8D85 E7040000 lea eax,dword ptr ss:[ebp+0x4E7] ; string in the stub (message text, presumably)
00C15319 50 push eax ; PEWINDOW.00C1508D
00C1531A 57 push edi ; PEWINDOW.00C1508C
00C1531B E9 12010000 jmp PEWINDOW.00C15432 ; failed by-name import: error path (outside this listing)
00C15320 81E3 FFFFFF7F and ebx,0x7FFFFFFF ; ebx = ordinal
00C15326 8B85 98040000 mov eax,dword ptr ss:[ebp+0x498] ; kernel32.755D0000 ; hKernel32 saved at 00C15042
00C1532C 3985 B5050000 cmp dword ptr ss:[ebp+0x5B5],eax ; PEWINDOW.00C1508D
00C15332 75 24 jnz short PEWINDOW.00C15358 ; manual lookup only for kernel32
00C15334 57 push edi ; PEWINDOW.00C1508C
00C15335 8BD3 mov edx,ebx ; PEWINDOW.00BF0000
00C15337 4A dec edx ; kernel32.755D0000
00C15338 C1E2 02 shl edx,0x2 ; edx = (ordinal - 1) * 4; assumes export Base == 1
00C1533B 8B9D B5050000 mov ebx,dword ptr ss:[ebp+0x5B5] ; ebx = hModule = DOS header
00C15341 8B7B 3C mov edi,dword ptr ds:[ebx+0x3C] ; e_lfanew
00C15344 8B7C3B 78 mov edi,dword ptr ds:[ebx+edi+0x78] ; DataDirectory[EXPORT].VirtualAddress
00C15348 035C3B 1C add ebx,dword ptr ds:[ebx+edi+0x1C] ; ebx -> IMAGE_EXPORT_DIRECTORY.AddressOfFunctions
00C1534C 8B0413 mov eax,dword ptr ds:[ebx+edx] ; function RVA
00C1534F 0385 B5050000 add eax,dword ptr ss:[ebp+0x5B5] ; -> VA
00C15355 5F pop edi ; PEWINDOW.00C1508C
00C15356 EB 19 jmp short PEWINDOW.00C15371
00C15358 57 push edi ; PEWINDOW.00C1508C
00C15359 8B46 0C mov eax,dword ptr ds:[esi+0xC]
00C1535C 0385 94040000 add eax,dword ptr ss:[ebp+0x494] ; PEWINDOW.00BF0000
00C15362 50 push eax ; PEWINDOW.00C1508D
00C15363 53 push ebx ; PEWINDOW.00BF0000
00C15364 8D85 38050000 lea eax,dword ptr ss:[ebp+0x538]
00C1536A 50 push eax ; PEWINDOW.00C1508D
00C1536B 57 push edi ; PEWINDOW.00C1508C
00C1536C E9 C1000000 jmp PEWINDOW.00C15432 ; failed ordinal import from another DLL: same error path
00C15371 8907 mov dword ptr ds:[edi],eax ; PEWINDOW.00C1508D ; IAT[i] = resolved address
00C15373 8385 B9050000 0>add dword ptr ss:[ebp+0x5B9],0x4 ; next thunk
00C1537A ^ E9 2FFFFFFF jmp PEWINDOW.00C152AE
00C1537F 8906 mov dword ptr ds:[esi],eax ; PEWINDOW.00C1508D ; eax = VA of the terminating thunk here; overwrite OriginalFirstThunk,
00C15381 8946 0C mov dword ptr ds:[esi+0xC],eax ; PEWINDOW.00C1508D ; Name,
00C15384 8946 10 mov dword ptr ds:[esi+0x10],eax ; PEWINDOW.00C1508D ; and FirstThunk: the descriptor is clobbered once consumed, likely why the dumped import directory is unusable
00C15387 83C6 14 add esi,0x14 ; next IMAGE_IMPORT_DESCRIPTOR
00C1538A 8B95 94040000 mov edx,dword ptr ss:[ebp+0x494] ; PEWINDOW.00BF0000
00C15390 ^ E9 E8FEFFFF jmp PEWINDOW.00C1527D
; Restore section header Characteristics and page protections. edi offsets are IMAGE_NT_HEADERS32 fields:
; +0x6 NumberOfSections, +0x14 SizeOfOptionalHeader, +0x54 OptionalHeader.SizeOfHeaders.
00C15395 8BB5 94040000 mov esi,dword ptr ss:[ebp+0x494] ; PEWINDOW.00BF0000 ; esi = image base (DOS header)
00C1539B 8B7E 3C mov edi,dword ptr ds:[esi+0x3C] ; e_lfanew
00C1539E 03FE add edi,esi ; kernel32.755D0000 ; edi -> IMAGE_NT_HEADERS
00C153A0 51 push ecx ; kernel32.755D0000 ; slot A: lpflOldProtect for the restoring call at 00C15408
00C153A1 54 push esp ; &A
00C153A2 51 push ecx ; kernel32.755D0000 ; slot B: lpflOldProtect for the call below
00C153A3 54 push esp ; &B
00C153A4 6A 04 push 0x4 ; flNewProtect = PAGE_READWRITE
00C153A6 FF77 54 push dword ptr ds:[edi+0x54] ; dwSize = SizeOfHeaders
00C153A9 56 push esi ; kernel32.755D0000 ; lpAddress = image base
00C153AA FF55 6A call dword ptr ss:[ebp+0x6A] ; kernel32.VirtualProtect ; make the PE headers writable; B receives the old protection
00C153AD FF77 54 push dword ptr ds:[edi+0x54] ; pre-push for 00C15408: with B and &A still on the stack it becomes (base, SizeOfHeaders, B, &A)
00C153B0 56 push esi ; kernel32.755D0000
00C153B1 0FB74F 06 movzx ecx,word ptr ds:[edi+0x6] ; ecx = NumberOfSections
00C153B5 0FB747 14 movzx eax,word ptr ds:[edi+0x14] ; eax = SizeOfOptionalHeader
00C153B9 8D7C07 F0 lea edi,dword ptr ds:[edi+eax-0x10] ; first section header minus 0x28; the add edi,0x28 below lands on it
00C153BD 8DB5 D1050000 lea esi,dword ptr ss:[ebp+0x5D1] ; esi -> stub section table {RVA, size, Characteristics}
00C153C3 AD lods dword ptr ds:[esi] ; eax = section RVA
00C153C4 85C0 test eax,eax ; PEWINDOW.00C1508D
00C153C6 74 40 je short PEWINDOW.00C15408 ; end of table
00C153C8 83C7 28 add edi,0x28 ; next IMAGE_SECTION_HEADER (0x28 bytes each)
00C153CB 3B47 0C cmp eax,dword ptr ds:[edi+0xC] ; == header.VirtualAddress?
00C153CE ^ E0 F8 loopdne short PEWINDOW.00C153C8 ; scan the headers for the matching section
00C153D0 75 36 jnz short PEWINDOW.00C15408 ; not found: stop
00C153D2 41 inc ecx ; kernel32.755D0000 ; undo the loop decrement
00C153D3 51 push ecx ; kernel32.755D0000 ; saved, restored at 00C15400
00C153D4 56 push esi ; kernel32.755D0000 ; lpflOldProtect -> this entry's size field (no longer needed)
00C153D5 6A 01 push 0x1 ; flNewProtect, built in place starting from PAGE_NOACCESS
00C153D7 F646 07 E0 test byte ptr ds:[esi+0x7],0xE0 ; top byte of the entry's Characteristics: 0x20 EXECUTE, 0x40 READ, 0x80 WRITE
00C153DB 74 03 je short PEWINDOW.00C153E0
00C153DD D12424 shl dword ptr ss:[esp],1 ; any of R/W/X -> 2 = PAGE_READONLY
00C153E0 F646 07 80 test byte ptr ds:[esi+0x7],0x80
00C153E4 74 03 je short PEWINDOW.00C153E9
00C153E6 D12424 shl dword ptr ss:[esp],1 ; WRITE -> 4 = PAGE_READWRITE
00C153E9 F646 07 20 test byte ptr ds:[esi+0x7],0x20
00C153ED 74 04 je short PEWINDOW.00C153F3
00C153EF C12424 04 shl dword ptr ss:[esp],0x4 ; EXECUTE -> 0x20 PAGE_EXECUTE_READ or 0x40 PAGE_EXECUTE_READWRITE
00C153F3 FF77 08 push dword ptr ds:[edi+0x8] ; dwSize = header.VirtualSize
00C153F6 0385 94040000 add eax,dword ptr ss:[ebp+0x494] ; PEWINDOW.00BF0000
00C153FC 50 push eax ; PEWINDOW.00C1508D ; lpAddress = section VA
00C153FD FF55 6A call dword ptr ss:[ebp+0x6A] ; kernel32.VirtualProtect ; apply the section's real protection
00C15400 59 pop ecx ; kernel32.755D0000
00C15401 AD lods dword ptr ds:[esi] ; skip the size field
00C15402 AD lods dword ptr ds:[esi] ; eax = original Characteristics
00C15403 8947 24 mov dword ptr ds:[edi+0x24],eax ; PEWINDOW.00C1508D ; header.Characteristics = original value
00C15406 ^ E2 BB loopd short PEWINDOW.00C153C3 ; remaining sections
00C15408 FF55 6A call dword ptr ss:[ebp+0x6A] ; kernel32.VirtualProtect ; VirtualProtect(base, SizeOfHeaders, B, &A): put the headers' old protection back
00C1540B 59 pop ecx ; kernel32.755D0000 ; discard slot A
; Hand-off to the original entry point. 0x68E1 is the OEP RVA (00BF0000 + 0x68E1 = 00BF68E1, the OEP found via the ESP trick).
00C1540C B8 E1680000 mov eax,0x68E1 ; OEP RVA
00C15411 50 push eax ; PEWINDOW.00C1508D
00C15412 0385 94040000 add eax,dword ptr ss:[ebp+0x494] ; PEWINDOW.00BF0000 ; eax = OEP VA
00C15418 59 pop ecx ; kernel32.755D0000 ; ecx = 0x68E1
00C15419 0BC9 or ecx,ecx ; kernel32.755D0000 ; ZF = (OEP RVA == 0); the flags survive the mov and popad below, neither writes flags
00C1541B 8985 1A040000 mov dword ptr ss:[ebp+0x41A],eax ; PEWINDOW.00C1508D ; ebp+0x41A = 00C1542D: patches the immediate of the push at 00C1542C (self-modifying)
00C15421 61 popad ; restore the registers saved at the stub's start (presumably a pushad, not in this listing)
00C15422 75 08 jnz short PEWINDOW.00C1542C ; non-zero OEP -> push OEP / retn (shown further down in the post)
00C15424 B8 01000000 mov eax,0x1 ; zero OEP: return TRUE with a 3-arg stdcall cleanup (DllMain-style exit)
00C15429 C2 0C00 retn 0xC
不敢确定,这里是不是IAT的基址,RVA和大小等?
; Answer to the question above: these are the four stdcall arguments of VirtualAlloc pushed right-to-left,
; VirtualAlloc(lpAddress = NULL, dwSize = eax, flAllocationType = MEM_COMMIT, flProtect = PAGE_READWRITE). Nothing here is an IAT base, RVA or size.
00C150E1 6A 04 push 0x4 ; flProtect = PAGE_READWRITE
00C150E3 68 00100000 push 0x1000 ; flAllocationType = MEM_COMMIT
00C150E8 50 push eax ; PEWINDOW.00C1508D ; dwSize (packed section size + 0x10E, computed at 00C150D3)
00C150E9 6A 00 push 0x0 ; lpAddress = NULL
00C150EB FF55 51 call dword ptr ss:[ebp+0x51] ; kernel32.VirtualAlloc ; returns the buffer that receives the decompressed section
继续单步,走到这里又开始了一次循环,这里不知道又在做啥。。好像解压IAT就在这里?
[Asm] 纯文本查看 复制代码 00C152AE 8B95 94040000 mov edx,dword ptr ss:[ebp+0x494] ; PEWINDOW.00BF0000 ; import-resolution loop (same code as 00C152AE above); esi -> current IMAGE_IMPORT_DESCRIPTOR
; In this capture the current DLL is mfc120u (hModule 6F0E0000 in [ebp+0x5B5]) and the thunk is ordinal #1110, i.e. an import by ordinal.
00C152B4 8B06 mov eax,dword ptr ds:[esi] ; OriginalFirstThunk
00C152B6 85C0 test eax,eax ; mfc120u.#1110
00C152B8 75 03 jnz short PEWINDOW.00C152BD
00C152BA 8B46 10 mov eax,dword ptr ds:[esi+0x10] ; fall back to FirstThunk
00C152BD 03C2 add eax,edx ; mfc120u.6F0E0000
00C152BF 0385 B9050000 add eax,dword ptr ss:[ebp+0x5B9] ; + current thunk offset
00C152C5 8B18 mov ebx,dword ptr ds:[eax] ; ebx = IMAGE_THUNK_DATA
00C152C7 8B7E 10 mov edi,dword ptr ds:[esi+0x10]
00C152CA 03FA add edi,edx ; mfc120u.6F0E0000
00C152CC 03BD B9050000 add edi,dword ptr ss:[ebp+0x5B9] ; edi -> IAT slot
00C152D2 85DB test ebx,ebx
00C152D4 0F84 A5000000 je PEWINDOW.00C1537F ; thunk 0: DLL done
00C152DA F7C3 00000080 test ebx,0x80000000 ; IMAGE_ORDINAL_FLAG32
00C152E0 75 04 jnz short PEWINDOW.00C152E6 ; by ordinal (taken for mfc120u.#1110)
00C152E2 03DA add ebx,edx ; mfc120u.6F0E0000
00C152E4 43 inc ebx
00C152E5 43 inc ebx ; by name: skip Hint -> &IMAGE_IMPORT_BY_NAME.Name
00C152E6 53 push ebx ; raw thunk, for the failure path
00C152E7 81E3 FFFFFF7F and ebx,0x7FFFFFFF ; ordinal without the flag
00C152ED 53 push ebx ; lpProcName
00C152EE FFB5 B5050000 push dword ptr ss:[ebp+0x5B5] ; mfc120u.6F0E0000 ; hModule
00C152F4 FF95 B10F0000 call dword ptr ss:[ebp+0xFB1] ; kernel32.GetProcAddress
00C152FA 85C0 test eax,eax ; mfc120u.#1110
00C152FC 5B pop ebx ; flags preserved
00C152FD 75 72 jnz short PEWINDOW.00C15371 ; resolved -> store into IAT
00C152FF F7C3 00000080 test ebx,0x80000000
00C15305 75 19 jnz short PEWINDOW.00C15320 ; failed ordinal -> manual export walk
00C15307 57 push edi ; PEWINDOW._imp_??1CDialogImplMAEXZEXPAUtagDRAWITEMSTRUCTZXZray'escriptor'4)'raitMFC_DLL_WV?$ChTraitsCRT_WATLATLZ
00C15308 8B46 0C mov eax,dword ptr ds:[esi+0xC]
00C1530B 0385 94040000 add eax,dword ptr ss:[ebp+0x494] ; PEWINDOW.00BF0000 ; DLL name
00C15311 50 push eax ; mfc120u.#1110
00C15312 53 push ebx ; function name
00C15313 8D85 E7040000 lea eax,dword ptr ss:[ebp+0x4E7]
00C15319 50 push eax ; mfc120u.#1110
00C1531A 57 push edi ; PEWINDOW._imp_??1CDialogImplMAEXZEXPAUtagDRAWITEMSTRUCTZXZray'escriptor'4)'raitMFC_DLL_WV?$ChTraitsCRT_WATLATLZ
00C1531B E9 12010000 jmp PEWINDOW.00C15432 ; failed by-name import: error path (outside this listing)
00C15320 81E3 FFFFFF7F and ebx,0x7FFFFFFF ; ebx = ordinal
00C15326 8B85 98040000 mov eax,dword ptr ss:[ebp+0x498] ; kernel32.755D0000 ; hKernel32
00C1532C 3985 B5050000 cmp dword ptr ss:[ebp+0x5B5],eax ; mfc120u.#1110
00C15332 75 24 jnz short PEWINDOW.00C15358 ; manual lookup only for kernel32
00C15334 57 push edi ; PEWINDOW._imp_??1CDialogImplMAEXZEXPAUtagDRAWITEMSTRUCTZXZray'escriptor'4)'raitMFC_DLL_WV?$ChTraitsCRT_WATLATLZ
00C15335 8BD3 mov edx,ebx
00C15337 4A dec edx ; mfc120u.6F0E0000
00C15338 C1E2 02 shl edx,0x2 ; (ordinal - 1) * 4
00C1533B 8B9D B5050000 mov ebx,dword ptr ss:[ebp+0x5B5] ; mfc120u.6F0E0000 ; hModule
00C15341 8B7B 3C mov edi,dword ptr ds:[ebx+0x3C] ; e_lfanew
00C15344 8B7C3B 78 mov edi,dword ptr ds:[ebx+edi+0x78] ; export directory RVA
00C15348 035C3B 1C add ebx,dword ptr ds:[ebx+edi+0x1C] ; -> AddressOfFunctions
00C1534C 8B0413 mov eax,dword ptr ds:[ebx+edx] ; function RVA
00C1534F 0385 B5050000 add eax,dword ptr ss:[ebp+0x5B5] ; mfc120u.6F0E0000 ; -> VA
00C15355 5F pop edi ; PEWINDOW._imp_??1CDialogImplMAEXZEXPAUtagDRAWITEMSTRUCTZXZray'escriptor'4)'raitMFC_DLL_WV?$ChTraitsCRT_WATLATLZ
00C15356 EB 19 jmp short PEWINDOW.00C15371
00C15358 57 push edi ; PEWINDOW._imp_??1CDialogImplMAEXZEXPAUtagDRAWITEMSTRUCTZXZray'escriptor'4)'raitMFC_DLL_WV?$ChTraitsCRT_WATLATLZ
00C15359 8B46 0C mov eax,dword ptr ds:[esi+0xC]
00C1535C 0385 94040000 add eax,dword ptr ss:[ebp+0x494] ; PEWINDOW.00BF0000
00C15362 50 push eax ; mfc120u.#1110
00C15363 53 push ebx
00C15364 8D85 38050000 lea eax,dword ptr ss:[ebp+0x538]
00C1536A 50 push eax ; mfc120u.#1110
00C1536B 57 push edi ; PEWINDOW._imp_??1CDialogImplMAEXZEXPAUtagDRAWITEMSTRUCTZXZray'escriptor'4)'raitMFC_DLL_WV?$ChTraitsCRT_WATLATLZ
00C1536C E9 C1000000 jmp PEWINDOW.00C15432 ; failed ordinal import from another DLL: error path
00C15371 8907 mov dword ptr ds:[edi],eax ; mfc120u.#1110 ; IAT[i] = resolved address
00C15373 8385 B9050000 0>add dword ptr ss:[ebp+0x5B9],0x4 ; next thunk
00C1537A ^ E9 2FFFFFFF jmp PEWINDOW.00C152AE ; loops once per imported function, hence the many iterations
00C1537F 8906 mov dword ptr ds:[esi],eax ; msvcr120.__dllonexit ; DLL done: clobber OriginalFirstThunk,
00C15381 8946 0C mov dword ptr ds:[esi+0xC],eax ; msvcr120.__dllonexit ; Name,
00C15384 8946 10 mov dword ptr ds:[esi+0x10],eax ; msvcr120.__dllonexit ; and FirstThunk of the consumed descriptor
00C15387 83C6 14 add esi,0x14 ; next IMAGE_IMPORT_DESCRIPTOR
00C1538A 8B95 94040000 mov edx,dword ptr ss:[ebp+0x494] ; PEWINDOW.00BF0000
00C15390 ^ E9 E8FEFFFF jmp PEWINDOW.00C1527D
经过无数次循环,这一段好像是在解section表?
[Asm] 纯文本查看 复制代码 00C153AD FF77 54 push dword ptr ds:[edi+0x54] ; section header/protection restore (same code as 00C153AD above); edi -> IMAGE_NT_HEADERS, +0x54 = SizeOfHeaders
; Not decompression: it walks the real IMAGE_SECTION_HEADERs, restores each Characteristics from the stub table and sets the page protection accordingly.
00C153B0 56 push esi ; PEWINDOW.00C1560C ; (base, SizeOfHeaders) pre-pushed for the final VirtualProtect at 00C15408
00C153B1 0FB74F 06 movzx ecx,word ptr ds:[edi+0x6] ; NumberOfSections
00C153B5 0FB747 14 movzx eax,word ptr ds:[edi+0x14] ; SizeOfOptionalHeader
00C153B9 8D7C07 F0 lea edi,dword ptr ds:[edi+eax-0x10] ; first section header minus 0x28
00C153BD 8DB5 D1050000 lea esi,dword ptr ss:[ebp+0x5D1] ; esi -> stub section table {RVA, size, Characteristics}
00C153C3 AD lods dword ptr ds:[esi] ; eax = section RVA
00C153C4 85C0 test eax,eax ; PEWINDOW.wWinMainCRTStartupER::GetRuntimeClasstcontroltor'ADERlHelper<HINSTANCE__ *> >::RemoveAll
00C153C6 74 40 je short PEWINDOW.00C15408 ; end of table
00C153C8 83C7 28 add edi,0x28 ; next IMAGE_SECTION_HEADER
00C153CB 3B47 0C cmp eax,dword ptr ds:[edi+0xC] ; == VirtualAddress?
00C153CE ^ E0 F8 loopdne short PEWINDOW.00C153C8 ; find the matching header
00C153D0 75 36 jnz short PEWINDOW.00C15408
00C153D2 41 inc ecx
00C153D3 51 push ecx
00C153D4 56 push esi ; PEWINDOW.00C1560C ; lpflOldProtect -> the entry's size field
00C153D5 6A 01 push 0x1 ; flNewProtect built in place from PAGE_NOACCESS
00C153D7 F646 07 E0 test byte ptr ds:[esi+0x7],0xE0 ; top byte of Characteristics: EXECUTE 0x20 / READ 0x40 / WRITE 0x80
00C153DB 74 03 je short PEWINDOW.00C153E0
00C153DD D12424 shl dword ptr ss:[esp],1 ; -> PAGE_READONLY
00C153E0 F646 07 80 test byte ptr ds:[esi+0x7],0x80
00C153E4 74 03 je short PEWINDOW.00C153E9
00C153E6 D12424 shl dword ptr ss:[esp],1 ; -> PAGE_READWRITE
00C153E9 F646 07 20 test byte ptr ds:[esi+0x7],0x20
00C153ED 74 04 je short PEWINDOW.00C153F3
00C153EF C12424 04 shl dword ptr ss:[esp],0x4 ; -> PAGE_EXECUTE_READ / PAGE_EXECUTE_READWRITE
00C153F3 FF77 08 push dword ptr ds:[edi+0x8] ; dwSize = VirtualSize
00C153F6 0385 94040000 add eax,dword ptr ss:[ebp+0x494] ; PEWINDOW.00BF0000
00C153FC 50 push eax ; PEWINDOW.wWinMainCRTStartupER::GetRuntimeClasstcontroltor'ADERlHelper<HINSTANCE__ *> >::RemoveAll
00C153FD FF55 6A call dword ptr ss:[ebp+0x6A] ; kernel32.VirtualProtect ; VirtualProtect(section VA, VirtualSize, prot, &old)
00C15400 59 pop ecx
00C15401 AD lods dword ptr ds:[esi] ; skip size
00C15402 AD lods dword ptr ds:[esi] ; eax = original Characteristics
00C15403 8947 24 mov dword ptr ds:[edi+0x24],eax ; PEWINDOW.wWinMainCRTStartupER::GetRuntimeClasstcontroltor'ADERlHelper<HINSTANCE__ *> >::RemoveAll
00C15406 ^ E2 BB loopd short PEWINDOW.00C153C3 ; one iteration per section
继续F8下去,发现走到这里,已经回来程序入口了。
q9
; Final hand-off: ZF was set by or ecx,ecx (ecx = OEP RVA 0x68E1) at 00C15419; popad does not touch flags, so the jnz is taken.
00C15421 61 popad ; restore the registers saved at stub start
00C15422 75 08 jnz short PEWINDOW.00C1542C ; taken: non-zero OEP
00C15424 B8 01000000 mov eax,0x1 ; only for a zero OEP
00C15429 C2 0C00 retn 0xC
00C1542C 68 E168BF00 push PEWINDOW.wWinMainCRTStartupER::GetRuntimeClasstcontroltor'ADERlHelper> ; operand bytes E1 68 BF 00 = 00BF68E1 = OEP VA, written here by the store at 00C1541B; the label is the debugger's garbled symbol for it
00C15431 C3 retn ; push/retn = jump to the OEP, so execution is now in the original program
尝试dump一下
起始地址为:BF0000,OEP地址填写为:68E1
q10
q11
提示Unknown Packer-Protector , 8 sections / Self Write code ? unknown Protection [ Win Vista ] [ Debug:02 ]
q12
修复IAT还是这样提示。
到这一步不知道怎么修复了。。
请求大佬们赐解!!万分感谢!
附上样本,自己写的MFC一个PE解析程序。
链接:https://pan.baidu.com/s/1jM0o5lIOuJD-JK5_Xmpdmw 提取码:wzg7
解压:52pojie