【文章标题】: 不用Import REC 脱壳 之(一)KByS V0.28篇
【文章作者】: qifeon
【使用工具】: OD、LordPE、
【操作平台】: Windows xp sp2
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
壳不难，看签名应该是 shoooo 大牛早期写的壳。我们直接到 IAT 处理的地方，这里没有加密。脱壳本身很简单，略过不谈。
学习下利用数据直接构造IAT
01019F4B 55 push ebp ; KByS_V0_.01000000 - ebp holds the image base here; saved so [esp] can be used as the base below
01019F4C AD lods dword ptr ds:[esi] ; eax = thunk RVA of the next DLL (look at the data ESI points to; on this machine esi=002eeb46)
01019F4D 85C0 test eax,eax ; a zero thunk RVA ends the whole import list
01019F4F 74 37 je short KByS_V0_.01019F88
01019F51 8BF8 mov edi,eax
01019F53 033C24 add edi,dword ptr ss:[esp] ; edi = thunk RVA + value pushed at 01019F4B (01000000) = VA of the thunk slots to fill
01019F56 56 push esi ; esi -> DLL name string that follows the thunk RVA
01019F57 FF13 call dword ptr ds:[ebx] ; [ebx] is called with the DLL name; presumably a LoadLibrary-style routine - confirm
01019F59 8BE8 mov ebp,eax ; ebp = handle returned above, reused for every API of this DLL
01019F5B AC lods byte ptr ds:[esi] ; skip bytes up to and including the 0 terminator of the current name
01019F5C 84C0 test al,al
01019F5E ^ 75 FB jnz short KByS_V0_.01019F5B
01019F60 AD lods dword ptr ds:[esi] ; eax = first dword after the terminator
01019F61 85C0 test eax,eax ; 4 zero bytes = no more APIs for this DLL -> read the next DLL's thunk RVA
01019F63 ^ 74 E7 je short KByS_V0_.01019F4C
01019F65 83EE 04 sub esi,0x4 ; not a separator: step back, the dword is the start of an import entry
01019F68 AD lods dword ptr ds:[esi] ; re-reads the same dword (eax unchanged), esi past it again
01019F69 A9 00000080 test eax,0x80000000 ; bit 31 set -> import by ordinal, otherwise the bytes are an API name
01019F6E 75 0B jnz short KByS_V0_.01019F7B
01019F70 83EE 04 sub esi,0x4 ; esi -> API name string
01019F73 56 push esi
01019F74 55 push ebp
01019F75 FF53 04 call dword ptr ds:[ebx+0x4] ; [ebx+4] is called with (handle, name); presumably a GetProcAddress-style routine - confirm
01019F78 AB stos dword ptr es:[edi] ; store the resolved address into the thunk slot, edi += 4
01019F79 ^ EB E0 jmp short KByS_V0_.01019F5B ; skip the name bytes, then look at the next entry
01019F7B 25 FFFFFF7F and eax,0x7FFFFFFF ; strip the flag bit -> ordinal value
01019F80 50 push eax
01019F81 55 push ebp
01019F82 FF53 04 call dword ptr ds:[ebx+0x4] ; same resolver, ordinal instead of name
01019F85 AB stos dword ptr es:[edi]
01019F86 ^ EB D8 jmp short KByS_V0_.01019F60 ; an ordinal entry has no name to skip; esi is already past it
01019F88 5D pop ebp ; execution lands here when the list is finished
01019F89 5F pop edi
01019F8A C3 retn
01019F4C 处看ESI指向的数据,本机esi=002eeb46
002EEB46 C4 12 00 00 63 6F 6D 64 6C 67 33 32 2E 64 6C 6C ?..comdlg32.dll
002EEB56 00 50 61 67 65 53 65 74 75 70 44 6C 67 57 00 46 .PageSetupDlgW.F
002EEB66 69 6E 64 54 65 78 74 57 00 50 72 69 6E 74 44 6C indTextW.PrintDl
002EEB76 67 45 78 57 00 43 68 6F 6F 73 65 46 6F 6E 74 57 gExW.ChooseFontW
002EEB86 00 47 65 74 46 69 6C 65 54 69 74 6C 65 57 00 47 .GetFileTitleW.G
002EEB96 65 74 4F 70 65 6E 46 69 6C 65 4E 61 6D 65 57 00 etOpenFileNameW.
002EEBA6 52 65 70 6C 61 63 65 54 65 78 74 57 00 43 6F 6D ReplaceTextW.Com
002EEBB6 6D 44 6C 67 45 78 74 65 6E 64 65 64 45 72 72 6F mDlgExtendedErro
002EEBC6 72 00 47 65 74 53 61 76 65 46 69 6C 65 4E 61 6D r.GetSaveFileNam
002EEBD6 65 57 00 00 00 00 00 74 11 00 00 53 48 45 4C 4C eW.....t..SHELL
002EEBE6 33 32 2E 64 6C 6C 00 44 72 61 67 46 69 6E 69 73 32.dll.DragFinis
002EEBF6 68 00 44 72 61 67 51 75 65 72 79 46 69 6C 65 57 h.DragQueryFileW
002EEC06 00 44 72 61 67 41 63 63 65 70 74 46 69 6C 65 73 .DragAcceptFiles
002EEC16 00 53 68 65 6C 6C 41 62 6F 75 74 57 00 00 00 00 .ShellAboutW....
002EEC26 00 B4 12 00 00 57 49 4E 53 50 4F 4F 4C 2E 44 52 .?..WINSPOOL.DR
002EEC36 56 00 47 65 74 50 72 69 6E 74 65 72 44 72 69 76 V.GetPrinterDriv
002EEC46 65 72 57 00 43 6C 6F 73 65 50 72 69 6E 74 65 72 erW.ClosePrinter
002EEC56 00 4F 70 65 6E 50 72 69 6E 74 65 72 57 00 00 00 .OpenPrinterW...
002EEC66 00 00 20 10 00 00 43 4F 4D 43 54 4C 33 32 2E 64 .. ..COMCTL32.d
002EEC76 6C 6C 00 43 72 65 61 74 65 53 74 61 74 75 73 57 ll.CreateStatusW
002EEC86 69 6E 64 6F 77 57 00 00 00 00 00 EC 12 00 00 6D indowW.....?..m
002EEC96 73 76 63 72 74 2E 64 6C 6C 00 5F 58 63 70 74 46 svcrt.dll._XcptF
002EECA6 69 6C 74 65 72 00 5F 65 78 69 74 00 5F 63 5F 65 ilter._exit._c_e
002EECB6 78 69 74 00 74 69 6D 65 00 6C 6F 63 61 6C 74 69 xit.time.localti
002EECC6 6D 65 00 5F 63 65 78 69 74 00 69 73 77 63 74 79 me._cexit.iswcty
002EECD6 70 65 00 5F 65 78 63 65 70 74 5F 68 61 6E 64 6C pe._except_handl
002EECE6 65 72 33 00 5F 77 74 6F 6C 00 77 63 73 6E 63 6D er3._wtol.wcsncm
002EECF6 70 00 5F 73 6E 77 70 72 69 6E 74 66 00 65 78 69 p._snwprintf.exi
002EED06 74 00 5F 61 63 6D 64 6C 6E 00 5F 5F 67 65 74 6D t._acmdln.__getm
002EED16 61 69 6E 61 72 67 73 00 5F 69 6E 69 74 74 65 72 ainargs._initter
002EED26 6D 00 5F 5F 73 65 74 75 73 65 72 6D 61 74 68 65 m.__setusermathe
002EED36 72 72 00 5F 61 64 6A 75 73 74 5F 66 64 69 76 00 rr._adjust_fdiv.
002EED46 5F 5F 70 5F 5F 63 6F 6D 6D 6F 64 65 00 5F 5F 70 __p__commode.__p
002EED56 5F 5F 66 6D 6F 64 65 00 5F 5F 73 65 74 5F 61 70 __fmode.__set_ap
002EED66 70 5F 74 79 70 65 00 5F 63 6F 6E 74 72 6F 6C 66 p_type._controlf
002EED76 70 00 77 63 73 6E 63 70 79 00 00 00 00 00 00 10 p.wcsncpy......
002EED86 00 00 41 44 56 41 50 49 33 32 2E 64 6C 6C 00 52 ..ADVAPI32.dll.R
002EED96 65 67 51 75 65 72 79 56 61 6C 75 65 45 78 57 00 egQueryValueExW.
002EEDA6 52 65 67 43 6C 6F 73 65 4B 65 79 00 52 65 67 43 RegCloseKey.RegC
002EEDB6 72 65 61 74 65 4B 65 79 57 00 49 73 54 65 78 74 reateKeyW.IsText
002EEDC6 55 6E 69 63 6F 64 65 00 52 65 67 51 75 65 72 79 Unicode.RegQuery
002EEDD6 56 61 6C 75 65 45 78 41 00 52 65 67 4F 70 65 6E ValueExA.RegOpen
002EEDE6 4B 65 79 45 78 41 00 52 65 67 53 65 74 56 61 6C KeyExA.RegSetVal
002EEDF6 75 65 45 78 57 00 00 00 00 00 8C 10 00 00 4B 45 ueExW.....?..KE
002EEE06 52 4E 45 4C 33 32 2E 64 6C 6C 00 47 65 74 43 75 RNEL32.dll.GetCu
002EEE16 72 72 65 6E 74 54 68 72 65 61 64 49 64 00 47 65 rrentThreadId.Ge
002EEE26 74 54 69 63 6B 43 6F 75 6E 74 00 51 75 65 72 79 tTickCount.Query
002EEE36 50 65 72 66 6F 72 6D 61 6E 63 65 43 6F 75 6E 74 PerformanceCount
002EEE46 65 72 00 47 65 74 4C 6F 63 61 6C 54 69 6D 65 00 er.GetLocalTime.
002EEE56 47 65 74 55 73 65 72 44 65 66 61 75 6C 74 4C 43 GetUserDefaultLC
002EEE66 49 44 00 47 65 74 44 61 74 65 46 6F 72 6D 61 74 ID.GetDateFormat
002EEE76 57 00 47 65 74 54 69 6D 65 46 6F 72 6D 61 74 57 W.GetTimeFormatW
002EEE86 00 47 6C 6F 62 61 6C 4C 6F 63 6B 00 47 6C 6F 62 .GlobalLock.Glob
002EEE96 61 6C 55 6E 6C 6F 63 6B 00 47 65 74 46 69 6C 65 alUnlock.GetFile
002EEEA6 49 6E 66 6F 72 6D 61 74 69 6F 6E 42 79 48 61 6E InformationByHan
002EEEB6 64 6C 65 00 43 72 65 61 74 65 46 69 6C 65 4D 61 dle.CreateFileMa
002EEEC6 70 70 69 6E 67 57 00 47 65 74 53 79 73 74 65 6D ppingW.GetSystem
002EEED6 54 69 6D 65 41 73 46 69 6C 65 54 69 6D 65 00 54 TimeAsFileTime.T
002EEEE6 65 72 6D 69 6E 61 74 65 50 72 6F 63 65 73 73 00 erminateProcess.
002EEEF6 47 65 74 43 75 72 72 65 6E 74 50 72 6F 63 65 73 GetCurrentProces
002EEF06 73 00 53 65 74 55 6E 68 61 6E 64 6C 65 64 45 78 s.SetUnhandledEx
002EEF16 63 65 70 74 69 6F 6E 46 69 6C 74 65 72 00 4C 6F ceptionFilter.Lo
002EEF26 61 64 4C 69 62 72 61 72 79 41 00 47 65 74 4D 6F adLibraryA.GetMo
002EEF36 64 75 6C 65 48 61 6E 64 6C 65 41 00 47 65 74 53 duleHandleA.GetS
002EEF46 74 61 72 74 75 70 49 6E 66 6F 41 00 47 6C 6F 62 tartupInfoA.Glob
002EEF56 61 6C 46 72 65 65 00 47 65 74 4C 6F 63 61 6C 65 alFree.GetLocale
002EEF66 49 6E 66 6F 57 00 4C 6F 63 61 6C 46 72 65 65 00 InfoW.LocalFree.
002EEF76 4C 6F 63 61 6C 41 6C 6C 6F 63 00 6C 73 74 72 6C LocalAlloc.lstrl
002EEF86 65 6E 57 00 4C 6F 63 61 6C 55 6E 6C 6F 63 6B 00 enW.LocalUnlock.
002EEF96 43 6F 6D 70 61 72 65 53 74 72 69 6E 67 57 00 4C CompareStringW.L
002EEFA6 6F 63 61 6C 4C 6F 63 6B 00 46 6F 6C 64 53 74 72 ocalLock.FoldStr
002EEFB6 69 6E 67 57 00 43 6C 6F 73 65 48 61 6E 64 6C 65 ingW.CloseHandle
002EEFC6 00 6C 73 74 72 63 70 79 57 00 52 65 61 64 46 69 .lstrcpyW.ReadFi
002EEFD6 6C 65 00 43 72 65 61 74 65 46 69 6C 65 57 00 6C le.CreateFileW.l
002EEFE6 73 74 72 63 6D 70 69 57 00 47 65 74 43 75 72 72 strcmpiW.GetCurr
002EEFF6 65 6E 74 50 72 6F 63 65 73 73 49 64 00 47 65 74 entProcessId.Get
002EF006 50 72 6F 63 41 64 64 72 65 73 73 00 47 65 74 43 ProcAddress.GetC
002EF016 6F 6D 6D 61 6E 64 4C 69 6E 65 57 00 6C 73 74 72 ommandLineW.lstr
002EF026 63 61 74 57 00 46 69 6E 64 43 6C 6F 73 65 00 46 catW.FindClose.F
002EF036 69 6E 64 46 69 72 73 74 46 69 6C 65 57 00 47 65 indFirstFileW.Ge
002EF046 74 46 69 6C 65 41 74 74 72 69 62 75 74 65 73 57 tFileAttributesW
002EF056 00 6C 73 74 72 63 6D 70 57 00 4D 75 6C 44 69 76 .lstrcmpW.MulDiv
002EF066 00 6C 73 74 72 63 70 79 6E 57 00 4C 6F 63 61 6C .lstrcpynW.Local
002EF076 53 69 7A 65 00 47 65 74 4C 61 73 74 45 72 72 6F Size.GetLastErro
002EF086 72 00 57 72 69 74 65 46 69 6C 65 00 53 65 74 4C r.WriteFile.SetL
002EF096 61 73 74 45 72 72 6F 72 00 57 69 64 65 43 68 61 astError.WideCha
002EF0A6 72 54 6F 4D 75 6C 74 69 42 79 74 65 00 4C 6F 63 rToMultiByte.Loc
002EF0B6 61 6C 52 65 41 6C 6C 6F 63 00 46 6F 72 6D 61 74 alReAlloc.Format
002EF0C6 4D 65 73 73 61 67 65 57 00 47 65 74 55 73 65 72 MessageW.GetUser
002EF0D6 44 65 66 61 75 6C 74 55 49 4C 61 6E 67 75 61 67 DefaultUILanguag
002EF0E6 65 00 53 65 74 45 6E 64 4F 66 46 69 6C 65 00 44 e.SetEndOfFile.D
002EF0F6 65 6C 65 74 65 46 69 6C 65 57 00 47 65 74 41 43 eleteFileW.GetAC
002EF106 50 00 55 6E 6D 61 70 56 69 65 77 4F 66 46 69 6C P.UnmapViewOfFil
002EF116 65 00 4D 75 6C 74 69 42 79 74 65 54 6F 57 69 64 e.MultiByteToWid
002EF126 65 43 68 61 72 00 4D 61 70 56 69 65 77 4F 66 46 eChar.MapViewOfF
002EF136 69 6C 65 00 55 6E 68 61 6E 64 6C 65 64 45 78 63 ile.UnhandledExc
002EF146 65 70 74 69 6F 6E 46 69 6C 74 65 72 00 00 00 00 eptionFilter....
002EF156 00 28 10 00 00 47 44 49 33 32 2E 64 6C 6C 00 45 .(..GDI32.dll.E
002EF166 6E 64 50 61 67 65 00 41 62 6F 72 74 44 6F 63 00 ndPage.AbortDoc.
002EF176 45 6E 64 44 6F 63 00 44 65 6C 65 74 65 44 43 00 EndDoc.DeleteDC.
002EF186 53 74 61 72 74 50 61 67 65 00 47 65 74 54 65 78 StartPage.GetTex
002EF196 74 45 78 74 65 6E 74 50 6F 69 6E 74 33 32 57 00 tExtentPoint32W.
002EF1A6 43 72 65 61 74 65 44 43 57 00 53 65 74 41 62 6F CreateDCW.SetAbo
002EF1B6 72 74 50 72 6F 63 00 47 65 74 54 65 78 74 46 61 rtProc.GetTextFa
002EF1C6 63 65 57 00 54 65 78 74 4F 75 74 57 00 53 74 61 ceW.TextOutW.Sta
002EF1D6 72 74 44 6F 63 57 00 45 6E 75 6D 46 6F 6E 74 73 rtDocW.EnumFonts
002EF1E6 57 00 47 65 74 53 74 6F 63 6B 4F 62 6A 65 63 74 W.GetStockObject
002EF1F6 00 47 65 74 4F 62 6A 65 63 74 57 00 47 65 74 44 .GetObjectW.GetD
002EF206 65 76 69 63 65 43 61 70 73 00 43 72 65 61 74 65 eviceCaps.Create
002EF216 46 6F 6E 74 49 6E 64 69 72 65 63 74 57 00 44 65 FontIndirectW.De
002EF226 6C 65 74 65 4F 62 6A 65 63 74 00 47 65 74 54 65 leteObject.GetTe
002EF236 78 74 4D 65 74 72 69 63 73 57 00 53 65 74 42 6B xtMetricsW.SetBk
002EF246 4D 6F 64 65 00 4C 50 74 6F 44 50 00 53 65 74 57 Mode.LPtoDP.SetW
002EF256 69 6E 64 6F 77 45 78 74 45 78 00 53 65 74 56 69 indowExtEx.SetVi
002EF266 65 77 70 6F 72 74 45 78 74 45 78 00 53 65 74 4D ewportExtEx.SetM
002EF276 61 70 4D 6F 64 65 00 53 65 6C 65 63 74 4F 62 6A apMode.SelectObj
002EF286 65 63 74 00 00 00 00 00 88 11 00 00 55 53 45 52 ect.....?..USER
002EF296 33 32 2E 64 6C 6C 00 47 65 74 43 6C 69 65 6E 74 32.dll.GetClient
002EF2A6 52 65 63 74 00 53 65 74 43 75 72 73 6F 72 00 52 Rect.SetCursor.R
002EF2B6 65 6C 65 61 73 65 44 43 00 47 65 74 44 43 00 44 eleaseDC.GetDC.D
002EF2C6 69 61 6C 6F 67 42 6F 78 50 61 72 61 6D 57 00 53 ialogBoxParamW.S
002EF2D6 65 74 41 63 74 69 76 65 57 69 6E 64 6F 77 00 47 etActiveWindow.G
002EF2E6 65 74 4B 65 79 62 6F 61 72 64 4C 61 79 6F 75 74 etKeyboardLayout
002EF2F6 00 44 65 66 57 69 6E 64 6F 77 50 72 6F 63 57 00 .DefWindowProcW.
002EF306 44 65 73 74 72 6F 79 57 69 6E 64 6F 77 00 4D 65 DestroyWindow.Me
002EF316 73 73 61 67 65 42 65 65 70 00 53 68 6F 77 57 69 ssageBeep.ShowWi
002EF326 6E 64 6F 77 00 47 65 74 46 6F 72 65 67 72 6F 75 ndow.GetForegrou
002EF336 6E 64 57 69 6E 64 6F 77 00 49 73 49 63 6F 6E 69 ndWindow.IsIconi
002EF346 63 00 47 65 74 57 69 6E 64 6F 77 50 6C 61 63 65 c.GetWindowPlace
002EF356 6D 65 6E 74 00 43 68 61 72 55 70 70 65 72 57 00 ment.CharUpperW.
002EF366 4C 6F 61 64 53 74 72 69 6E 67 57 00 4C 6F 61 64 LoadStringW.Load
002EF376 41 63 63 65 6C 65 72 61 74 6F 72 73 57 00 47 65 AcceleratorsW.Ge
002EF386 74 53 79 73 74 65 6D 4D 65 6E 75 00 52 65 67 69 tSystemMenu.Regi
002EF396 73 74 65 72 43 6C 61 73 73 45 78 57 00 4C 6F 61 sterClassExW.Loa
002EF3A6 64 49 6D 61 67 65 57 00 4C 6F 61 64 43 75 72 73 dImageW.LoadCurs
002EF3B6 6F 72 57 00 53 65 74 57 69 6E 64 6F 77 50 6C 61 orW.SetWindowPla
002EF3C6 63 65 6D 65 6E 74 00 43 72 65 61 74 65 57 69 6E cement.CreateWin
002EF3D6 64 6F 77 45 78 57 00 47 65 74 44 65 73 6B 74 6F dowExW.GetDeskto
002EF3E6 70 57 69 6E 64 6F 77 00 47 65 74 46 6F 63 75 73 pWindow.GetFocus
002EF3F6 00 4C 6F 61 64 49 63 6F 6E 57 00 53 65 74 57 69 .LoadIconW.SetWi
002EF406 6E 64 6F 77 54 65 78 74 57 00 50 6F 73 74 51 75 ndowTextW.PostQu
002EF416 69 74 4D 65 73 73 61 67 65 00 52 65 67 69 73 74 itMessage.Regist
002EF426 65 72 57 69 6E 64 6F 77 4D 65 73 73 61 67 65 57 erWindowMessageW
002EF436 00 55 70 64 61 74 65 57 69 6E 64 6F 77 00 53 65 .UpdateWindow.Se
002EF446 74 53 63 72 6F 6C 6C 50 6F 73 00 43 68 61 72 4C tScrollPos.CharL
002EF456 6F 77 65 72 57 00 50 65 65 6B 4D 65 73 73 61 67 owerW.PeekMessag
002EF466 65 57 00 45 6E 61 62 6C 65 57 69 6E 64 6F 77 00 eW.EnableWindow.
002EF476 44 72 61 77 54 65 78 74 45 78 57 00 43 72 65 61 DrawTextExW.Crea
002EF486 74 65 44 69 61 6C 6F 67 50 61 72 61 6D 57 00 47 teDialogParamW.G
002EF496 65 74 57 69 6E 64 6F 77 54 65 78 74 57 00 47 65 etWindowTextW.Ge
002EF4A6 74 53 79 73 74 65 6D 4D 65 74 72 69 63 73 00 4D tSystemMetrics.M
002EF4B6 6F 76 65 57 69 6E 64 6F 77 00 49 6E 76 61 6C 69 oveWindow.Invali
002EF4C6 64 61 74 65 52 65 63 74 00 57 69 6E 48 65 6C 70 dateRect.WinHelp
002EF4D6 57 00 47 65 74 44 6C 67 43 74 72 6C 49 44 00 43 W.GetDlgCtrlID.C
002EF4E6 68 69 6C 64 57 69 6E 64 6F 77 46 72 6F 6D 50 6F hildWindowFromPo
002EF4F6 69 6E 74 00 53 63 72 65 65 6E 54 6F 43 6C 69 65 int.ScreenToClie
002EF506 6E 74 00 47 65 74 43 75 72 73 6F 72 50 6F 73 00 nt.GetCursorPos.
002EF516 53 65 6E 64 44 6C 67 49 74 65 6D 4D 65 73 73 61 SendDlgItemMessa
002EF526 67 65 57 00 53 65 6E 64 4D 65 73 73 61 67 65 57 geW.SendMessageW
002EF536 00 43 68 61 72 4E 65 78 74 57 00 43 68 65 63 6B .CharNextW.Check
002EF546 4D 65 6E 75 49 74 65 6D 00 43 6C 6F 73 65 43 6C MenuItem.CloseCl
002EF556 69 70 62 6F 61 72 64 00 49 73 43 6C 69 70 62 6F ipboard.IsClipbo
002EF566 61 72 64 46 6F 72 6D 61 74 41 76 61 69 6C 61 62 ardFormatAvailab
002EF576 6C 65 00 4F 70 65 6E 43 6C 69 70 62 6F 61 72 64 le.OpenClipboard
002EF586 00 47 65 74 4D 65 6E 75 53 74 61 74 65 00 45 6E .GetMenuState.En
002EF596 61 62 6C 65 4D 65 6E 75 49 74 65 6D 00 47 65 74 ableMenuItem.Get
002EF5A6 53 75 62 4D 65 6E 75 00 47 65 74 4D 65 6E 75 00 SubMenu.GetMenu.
002EF5B6 4D 65 73 73 61 67 65 42 6F 78 57 00 53 65 74 57 MessageBoxW.SetW
002EF5C6 69 6E 64 6F 77 4C 6F 6E 67 57 00 47 65 74 57 69 indowLongW.GetWi
002EF5D6 6E 64 6F 77 4C 6F 6E 67 57 00 47 65 74 44 6C 67 ndowLongW.GetDlg
002EF5E6 49 74 65 6D 00 53 65 74 46 6F 63 75 73 00 53 65 Item.SetFocus.Se
002EF5F6 74 44 6C 67 49 74 65 6D 54 65 78 74 57 00 77 73 tDlgItemTextW.ws
002EF606 70 72 69 6E 74 66 57 00 47 65 74 44 6C 67 49 74 printfW.GetDlgIt
002EF616 65 6D 54 65 78 74 57 00 45 6E 64 44 69 61 6C 6F emTextW.EndDialo
002EF626 67 00 47 65 74 50 61 72 65 6E 74 00 55 6E 68 6F g.GetParent.Unho
002EF636 6F 6B 57 69 6E 45 76 65 6E 74 00 44 69 73 70 61 okWinEvent.Dispa
002EF646 74 63 68 4D 65 73 73 61 67 65 57 00 54 72 61 6E tchMessageW.Tran
002EF656 73 6C 61 74 65 4D 65 73 73 61 67 65 00 54 72 61 slateMessage.Tra
002EF666 6E 73 6C 61 74 65 41 63 63 65 6C 65 72 61 74 6F nslateAccelerato
002EF676 72 57 00 49 73 44 69 61 6C 6F 67 4D 65 73 73 61 rW.IsDialogMessa
002EF686 67 65 57 00 50 6F 73 74 4D 65 73 73 61 67 65 57 geW.PostMessageW
002EF696 00 47 65 74 4D 65 73 73 61 67 65 57 00 53 65 74 .GetMessageW.Set
002EF6A6 57 69 6E 45 76 65 6E 74 48 6F 6F 6B 00 00 00 00 WinEventHook....
可以看到完整的 DLL 名和 API 名。不过它们只是临时解密后保存在申请的内存里，源程序自身的这部分数据已被清除。
每个 DLL 名前面保存着 API 填充的 thunk 偏移地址，如 comdlg32.dll 的 API 填充 thunk RVA=000012C4（即上面 dump 开头的 C4 12 00 00）。
DLL之间用4个字节0隔开。有了这些我们就可以构造iat了。在程序空间找块大些的空地
存放IID和字符串。我们这里选01007604起始地址保存IID,01007a1c起始地址保存字符串。
简单复习下IID
IID的结构如下:
/* Import descriptor: one entry per imported DLL (the comdlg32.dll entry is built below). */
typedef struct _IMAGE_IMPORT_DESCRIPTOR {
union {
DWORD Characteristics;
DWORD OriginalFirstThunk; /* may be left 0 when rebuilding by hand (see the field list below) */
};
DWORD TimeDateStamp; /* may be 0 */
DWORD ForwarderChain; /* may be 0 */
DWORD Name; /* RVA of the DLL name string */
DWORD FirstThunk; /* RVA of the thunk array that gets filled with API addresses */
} IMAGE_IMPORT_DESCRIPTOR;
typedef IMAGE_IMPORT_DESCRIPTOR UNALIGNED *PIMAGE_IMPORT_DESCRIPTOR;
由5个DWORD组成
1.OriginalFirstThunk //可以为0
2.TimeDateStamp //可以为0
3.ForwarderChain //可以为0
4.Name // 指向DLL名
5.FirstThunk //指向API填充首地址RVA
如我们构造comdlg32.dll所在IID
01007604 00 00 00 00 00 00 00 00 00 00 00 00 1C 7A 00 00 ............z..
01007614 C4 12 00 00 ?...
其中 1C 7A 00 00 是 Name 字段，即我们要把 "comdlg32.dll" 字符串拷贝到的 RVA；紧随其后的 C4 12 00 00 是 FirstThunk。
手动比较麻烦,我们写个脚本处理下。有点没事找事的感觉。主要是学习下自己手动构造IAT。
// Debugger script: rebuild the import directory from the unpacker's plaintext name list.
// Every address below was read from this debugging session (esi=002eeb46 above) and has
// to be re-taken from the debugger before the script is reused on another run:
//   iid   - VA where the IMAGE_IMPORT_DESCRIPTOR array is written (first entry at 01007604)
//   thunk - RVA of the current DLL's FirstThunk slots (the dword stored before each DLL name)
//   src   - VA of the next byte to read in the name list (002eeb4a = "comdlg32.dll")
//   dst   - RVA (image base 01000000) where DLL and API strings are copied, starting at 007a1c
// NOTE(review): string terminators, the 2-byte Hint words and the final all-zero IID are
// never written; the script steps over them (inc dst / add dst,2) and relies on the target
// area already being zero-filled - confirm before running.
// NOTE(review): entries imported by ordinal (bit 31 set, handled at 01019F69 in the unpacker)
// are not recognised here and would be copied as if they were name bytes; this sample
// appears to contain none.
var src
var dst
var tmp
var iid
var thunk
mov iid,01007604 // init: VA of the first IID
mov thunk,000012c4 // FirstThunk RVA of comdlg32.dll (C4 12 00 00 at 002eeb46)
mov src,002eeb4a // start of the name list (first DLL name)
mov dst,007a1c // RVA of the string area
add iid,0c // first IID: the three leading fields stay 0, only Name and FirstThunk are set
mov [iid],dst
add iid,4
mov [iid],thunk
loop:
cmp src,002ef6b2 // end address: terminator of the last API name
je exit
mov tmp, [src],1 // read one byte
cmp tmp,0 // 0 terminates the current string
je nextapi
mov [dst+01000000],tmp,1 // copy one byte of the DLL / API name into the string area
inc src
inc dst
jmp loop
nextapi:
cmp [src],0 // dword of zeros (terminator + 4-byte separator) means the next DLL follows
je nextdll
inc dst // leave the terminator position as the pre-existing 0 byte
mov [thunk+01000000],dst // IAT thunk: RVA of the IMAGE_IMPORT_BY_NAME that the next copied name will occupy
add dst,2 // reserve the Hint word (not written)
inc src
add thunk,4
jmp loop
nextdll:
inc dst // leave the terminator of the last API name
add src,5 // skip terminator + 4 zero bytes
mov thunk,[src] // thunk RVA stored in front of each DLL name
add src,4 // src -> DLL name string
add iid,10 // next IID (20 bytes per entry): iid -> its Name field
mov [iid],dst
add iid,4
mov [iid],thunk
jmp loop
exit:
ret
运行下脚本,到01001000和01007604观察下,很完美。
thunk data
01001000 >8D 7C 00 00 A0 7C 00 00 AE 7C 00 00 BE 7C 00 00 峾..爘..畖..緗..
01001010 CE 7C 00 00 E1 7C 00 00 F1 7C 00 00 00 00 00 00 蝲..醸..駖......
01001020 53 7B 00 00 00 00 00 00 CD 80 00 00 D7 80 00 00 S{......蛝..讇..
01001030 E2 80 00 00 EB 80 00 00 F6 80 00 00 02 81 00 00 鈥..雬..鰛..?.
01001040 1A 81 00 00 26 81 00 00 35 81 00 00 44 81 00 00 ?.&?.5?.D?.
01001050 4F 81 00 00 5B 81 00 00 68 81 00 00 79 81 00 00 O?.[?.h?.y?.
01001060 86 81 00 00 96 81 00 00 AC 81 00 00 BB 81 00 00 唩..杹..瑏..粊..
01001070 CD 81 00 00 D9 81 00 00 E2 81 00 00 F3 81 00 00 蛠..賮..鈦..髞..
01001080 06 82 00 00 13 82 00 00 00 00 00 00 0F 7D 00 00 ?.?.....}..
01001090 24 7D 00 00 33 7D 00 00 4D 7D 00 00 5C 7D 00 00 $}..3}..M}..\}..
010010A0 71 7D 00 00 82 7D 00 00 93 7D 00 00 A0 7D 00 00 q}..倉..搣..爙..
010010B0 AF 7D 00 00 CC 7D 00 00 E1 7D 00 00 FB 7D 00 00 瘆..蘿..醹..鹽..
010010C0 0E 7E 00 00 22 7E 00 00 40 7E 00 00 4F 7E 00 00 ~.."~..@~..O~..
010010D0 62 7E 00 00 74 7E 00 00 81 7E 00 00 92 7E 00 00 b~..t~..亊..拁..
010010E0 9E 7E 00 00 AB 7E 00 00 B6 7E 00 00 C4 7E 00 00 瀪..珇..秪..膥..
010010F0 D5 7E 00 00 E1 7E 00 00 EF 7E 00 00 FD 7E 00 00 諂..醻..飤..齸..
01001100 08 7F 00 00 13 7F 00 00 21 7F 00 00 2D 7F 00 00 ....!..-..
01001110 43 7F 00 00 54 7F 00 00 66 7F 00 00 71 7F 00 00 C..T..f..q..
01001120 7D 7F 00 00 8E 7F 00 00 A3 7F 00 00 AE 7F 00 00 }..?..?..?..
01001130 B7 7F 00 00 C3 7F 00 00 CF 7F 00 00 DE 7F 00 00 ?..?..?..?..
01001140 EA 7F 00 00 F9 7F 00 00 0F 80 00 00 1E 80 00 00 ?..?.. |
脱壳练习.rar