TA的每日心情 | 开心
2016-7-26 14:34 |
|---|
签到天数: 5 天 [LV.2]偶尔看看I
|
发表于 2008-6-25 14:01:41
|
显示全部楼层
下断点,bp GetSystemTime
断下后ALT+F9返回:
009EB900 FF15 1023A400 call dword ptr [A42310] ; kernel32.GetSystemTime
009EB906 0FB74D FA movzx ecx, word ptr [ebp-6] //到这里
009EB90A 51 push ecx
009EB90B 0FB755 F8 movzx edx, word ptr [ebp-8]
009EB90F 52 push edx
009EB910 0FB745 F6 movzx eax, word ptr [ebp-A]
009EB914 50 push eax
009EB915 0FB74D F4 movzx ecx, word ptr [ebp-C]
009EB919 51 push ecx
009EB91A 0FB755 F2 movzx edx, word ptr [ebp-E]
009EB91E 52 push edx
009EB91F 0FB745 EE movzx eax, word ptr [ebp-12]
009EB923 50 push eax
009EB924 0FB74D EC movzx ecx, word ptr [ebp-14]
009EB928 51 push ecx
009EB929 E8 22010000 call 009EBA50 //F7进入
009EB92E 50 push eax
009EB92F 68 2032A400 push 0A43220 ; ASCII "%08X-%04u%02u%02u%02u%02u%02u%04u"
009EB934 8B55 E4 mov edx, dword ptr [ebp-1C]
--------------------------------------------------------------------------------------------------------
009EBA50 55 push ebp
009EBA51 8BEC mov ebp, esp
009EBA53 51 push ecx
009EBA54 6A 00 push 0
009EBA56 B9 E0F4A400 mov ecx, 0A4F4E0
009EBA5B E8 5042FFFF call 009DFCB0 //F7进入
009EBA60 8BE5 mov esp, ebp
009EBA62 5D pop ebp
009EBA63 C3 retn
---------------------------------------------------------------------
009DFCB0 55 push ebp
009DFCB1 8BEC mov ebp, esp
009DFCB3 83EC 0C sub esp, 0C
009DFCB6 894D F8 mov dword ptr [ebp-8], ecx
009DFCB9 8B45 F8 mov eax, dword ptr [ebp-8]
009DFCBC 8B88 5C060000 mov ecx, dword ptr [eax+65C]
009DFCC2 894D FC mov dword ptr [ebp-4], ecx
009DFCC5 BA 01000000 mov edx, 1
009DFCCA 85D2 test edx, edx
009DFCCC 7C 21 jl short 009DFCEF
009DFCCE B8 01000000 mov eax, 1
009DFCD3 83F8 01 cmp eax, 1
009DFCD6 7F 17 jg short 009DFCEF
009DFCD8 B9 01000000 mov ecx, 1
009DFCDD C1E1 02 shl ecx, 2
009DFCE0 8B55 F8 mov edx, dword ptr [ebp-8]
009DFCE3 8B840A 64200000 mov eax, dword ptr [edx+ecx+2064]
009DFCEA 8945 F4 mov dword ptr [ebp-C], eax
009DFCED EB 07 jmp short 009DFCF6
009DFCEF C745 F4 0000000>mov dword ptr [ebp-C], 0
009DFCF6 8B4D 08 mov ecx, dword ptr [ebp+8]
009DFCF9 51 push ecx
009DFCFA 6A 01 push 1
009DFCFC 8B4D FC mov ecx, dword ptr [ebp-4]
009DFCFF E8 BC9C0100 call 009F99C0 //F7进入
009DFD04 3345 F4 xor eax, dword ptr [ebp-C]
009DFD07 8BE5 mov esp, ebp
009DFD09 5D pop ebp
009DFD0A C2 0400 retn 4
------------------------------------------------------------------------
009F99C0 55 push ebp
009F99C1 8BEC mov ebp, esp
009F99C3 83EC 4C sub esp, 4C
009F99C6 56 push esi
009F99C7 894D B4 mov dword ptr [ebp-4C], ecx
009F99CA C745 FC 0000000>mov dword ptr [ebp-4], 0
009F99D1 B8 01000000 mov eax, 1
。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。
向下找到这里:
009F9C44 89048A mov dword ptr [edx+ecx*4], eax
009F9C47 8945 FC mov dword ptr [ebp-4], eax //这里出现硬盘指纹,就改为EAC1AD64。
接下来就是脱壳:
下断点:bp VirtualProtect 断下后返回,ctrl+f 查找“push 100”,将上面的PUSH EBP 改为RET
00A1C3AF 8B8D C8D5FFFF mov ecx, dword ptr [ebp-2A38]
00A1C3B5 51 push ecx
00A1C3B6 8B95 C4D5FFFF mov edx, dword ptr [ebp-2A3C]
00A1C3BC 52 push edx
00A1C3BD 8B85 74D8FFFF mov eax, dword ptr [ebp-278C]
00A1C3C3 0385 C0D5FFFF add eax, dword ptr [ebp-2A40]
00A1C3C9 50 push eax
00A1C3CA E8 11E90000 call 00A2ACE0
00A1C3CF 83C4 0C add esp, 0C
00A1C3D2 8D8D D4D5FFFF lea ecx, dword ptr [ebp-2A2C]
00A1C3D8 51 push ecx
00A1C3D9 8B95 D4D5FFFF mov edx, dword ptr [ebp-2A2C]
---------------------------------------------------------------------------------
009D2760 55 push ebp //改为ret
009D2761 8BEC mov ebp, esp
009D2763 83EC 2C sub esp, 2C
009D2766 833D 20E6A400 0>cmp dword ptr [A4E620], 0
009D276D 75 59 jnz short 009D27C8
009D276F C745 EC 6558132>mov dword ptr [ebp-14], 29135865
009D2776 68 00010000 push 100
----------------------------------------------------------------------------------
接下来下断点bp CreateThread 断下后ALT + F9 返回来到这里:
00A0595C 50 push eax
00A0595D FF15 9022A400 call dword ptr [A42290] ; kernel32.CloseHandle
00A05963 5E pop esi
00A05964 5B pop ebx
00A05965 8BE5 mov esp, ebp
00A05967 5D pop ebp
00A05968 C3 retn
F8单步一直到这里:
00A226C9 8B15 2CFBA400 mov edx, dword ptr [A4FB2C] ; Arm_d32v.0105B368
00A226CF 8B41 74 mov eax, dword ptr [ecx+74]
00A226D2 3342 78 xor eax, dword ptr [edx+78]
00A226D5 8B0D 2CFBA400 mov ecx, dword ptr [A4FB2C] ; Arm_d32v.0105B368
00A226DB 3381 80000000 xor eax, dword ptr [ecx+80]
00A226E1 8945 DC mov dword ptr [ebp-24], eax
00A226E4 8B55 08 mov edx, dword ptr [ebp+8]
00A226E7 8B42 04 mov eax, dword ptr [edx+4]
00A226EA 50 push eax
00A226EB 8B4D 08 mov ecx, dword ptr [ebp+8]
00A226EE 8B51 08 mov edx, dword ptr [ecx+8]
00A226F1 52 push edx
00A226F2 6A 00 push 0
00A226F4 8B45 08 mov eax, dword ptr [ebp+8]
00A226F7 8B48 0C mov ecx, dword ptr [eax+C]
00A226FA 51 push ecx
00A226FB 8B55 F4 mov edx, dword ptr [ebp-C]
00A226FE 2B55 DC sub edx, dword ptr [ebp-24]
00A22701 FFD2 call edx //这里进入就是OEP
00A22703 8945 FC mov dword ptr [ebp-4], eax
-------------------------------------------------------------------------------
0100739D 6A 70 push 70 //OEP dump and fix OK
0100739F 68 98180001 push 01001898
010073A4 E8 BF010000 call 01007568
010073A9 33DB xor ebx, ebx
010073AB 53 push ebx
010073AC 8B3D CC100001 mov edi, dword ptr [10010CC] ; kernel32.GetModuleHandleA
010073B2 FFD7 call edi
010073B4 66:8138 4D5A cmp word ptr [eax], 5A4D
----------------------------------------------------------------- |
|
IP卡
发表于 2008-6-24 23:56:28
提升卡
置顶卡
变色卡
千斤顶
显身卡
楼主