晕,怎么这么喜欢打包的啊,!好久没玩了, 练手一下呵呵!
脱出打包的DLL
下bp CreateFileA就OK,
0013FF84 004111E5 |FileName = "C:\WINDOWS\system32\EdrLib.dll"
将路径去掉,让他释放到当前目录吧,哈!(其实打包功能很弱的,DLL都没有处理一下,释放出来就OK了)
然后修复加密的几个IAT:
通过对无效的指针下断,找到这里:00410F15 899D 8E274000 mov dword ptr ss:[ebp+40278E],ebx ; EdrTest.00407B22
00410F1B 53 push ebx
00410F1C FFB5 86274000 push dword ptr ss:[ebp+402786]
00410F22 E8 1CF8FFFF call EdrTest.00410743 //关键CALL之一
00410F27 8BD0 mov edx,eax
00410F29 8D8D A1254000 lea ecx,dword ptr ss:[ebp+4025A1]
00410F2F 52 push edx
00410F30 51 push ecx
00410F31 E8 A5F5FFFF call EdrTest.004104DB //关键CALL之二
00410F36 85C0 test eax,eax
00410F38 75 02 jnz short EdrTest.00410F3C ; N
跟进这个CALL:00410F22 E8 1CF8FFFF call EdrTest.0041074300410743 C8 000000 enter 0,0
00410747 56 push esi
00410748 E8 00000000 call EdrTest.0041074D
0041074D 5E pop esi
0041074E 81EE 4D274000 sub esi,EdrTest.0040274D
00410754 FF75 0C push dword ptr ss:[ebp+C]
00410757 FF75 08 push dword ptr ss:[ebp+8]
0041075A FF96 C72C4000 call dword ptr ds:[esi+402CC7] ; 取函数地址
00410760 85C0 test eax,eax
00410762 74 19 je short EdrTest.0041077D
00410764 51 push ecx
00410765 52 push edx
00410766 8BD0 mov edx,eax
00410768 8D8E A1254000 lea ecx,dword ptr ds:[esi+4025A1]
0041076E 52 push edx
0041076F 51 push ecx
00410770 E8 66FDFFFF call EdrTest.004104DB
00410775 85C0 test eax,eax ; 进行比较,不加密,则不跳
00410777 75 02 jnz short EdrTest.0041077B //将这里给NOP掉,就跳过了
00410779 8BC2 mov eax,edx
0041077B 5A pop edx
0041077C 59 pop ecx
0041077D 5E pop esi
0041077E C9 leave
0041077F C2 0800 retn 8
返回后,再跟进00410F31 E8 A5F5FFFF call EdrTest.004104DB004104DB C8 040000 enter 4,0
004104DF 53 push ebx
004104E0 57 push edi
004104E1 56 push esi
004104E2 E8 00000000 call EdrTest.004104E7
004104E7 5B pop ebx
004104E8 81EB E7244000 sub ebx,EdrTest.004024E7 ; ASCII "p@"
004104EE C745 FC 0000000>mov dword ptr ss:[ebp-4],0
004104F5 8B75 08 mov esi,dword ptr ss:[ebp+8]
004104F8 833E 00 cmp dword ptr ds:[esi],0 ; 这里循环比较
004104FB 74 34 je short EdrTest.00410531
004104FD 56 push esi
004104FE 8B7E 08 mov edi,dword ptr ds:[esi+8]
00410501 03FB add edi,ebx
00410503 8B76 0C mov esi,dword ptr ds:[esi+C]
00410506 03F3 add esi,ebx
00410508 8B45 0C mov eax,dword ptr ss:[ebp+C]
0041050B 833F FF cmp dword ptr ds:[edi],-1
0041050E 74 13 je short EdrTest.00410523
00410510 8B0F mov ecx,dword ptr ds:[edi]
00410512 85C9 test ecx,ecx
00410514 74 05 je short EdrTest.0041051B
00410516 390419 cmp dword ptr ds:[ecx+ebx],eax ; 比较是不是要加密的函数
00410519 74 0E je short EdrTest.00410529 ; 是则跳出,进行加密
0041051B 83C7 04 add edi,4
0041051E 83C6 04 add esi,4
00410521 ^ EB E8 jmp short EdrTest.0041050B
00410523 5E pop esi
00410524 83C6 10 add esi,10
00410527 ^ EB CF jmp short EdrTest.004104F8
00410529 8B06 mov eax,dword ptr ds:[esi]
0041052B 03C3 add eax,ebx
0041052D 8945 FC mov dword ptr ss:[ebp-4],eax
00410530 5E pop esi
00410531 5E pop esi
00410532 5F pop edi
00410533 5B pop ebx
00410534 8B45 FC mov eax,dword ptr ss:[ebp-4]
00410537 C9 leave
00410538 C2 0800 retn 8
这里将00410519 74 0E je short EdrTest.00410529 给NOP掉就OK了,哈
然后运行到OEP,Dump下来修复,全部有效,哈!
Game Over!
|