Although the tool reported appended (overlay) data during unpacking, I found that nothing needed repairing after the unpack.
After loading the target in OD, it breaks at the entry point shown below:
```
00401140 >  B8 D0A19900        mov eax,plistEdi.0099A1D0          ; entry point: eax = address of the SE handler
00401145    50                 push eax
00401146    64:FF35 00000000   push dword ptr fs:[0]
0040114D    64:8925 00000000   mov dword ptr fs:[0],esp           ; install an SEH frame whose handler is 0099A1D0
00401154    33C0               xor eax,eax                        ; after single-stepping past this, the SE handler fires
00401156    8908               mov dword ptr ds:[eax],ecx         ; write to address 0 -> access violation
00401158    50                 push eax                           ; these bytes are junk: the handler overwrites them with a jmp
00401159    45                 inc ebp
0040115A    43                 inc ebx
```
With all exceptions set to be ignored (passed to the program), single-step with F8 until the stack window shows the following:
```
0022FFBC   0022FFE0   pointer to next SEH record
0022FFC0   0099A1D0   SE handler
0022FFC4   7C817077   return to kernel32.7C817077
```
In the disassembly window press Ctrl+G, enter the address 0099A1D0 and jump there. The handler looks like this:
```
0099A1D0    B8 558F99F0        mov eax,0xF0998F55                 ; set a breakpoint here, then Shift+F9 to run the program
0099A1D5    8D88 9E120010      lea ecx,dword ptr ds:[eax+0x1000129E] ; wraps mod 2^32 to 0x0099A1F3, the byte right after the retn
0099A1DB    8941 01            mov dword ptr ds:[ecx+0x1],eax     ; stores the constant at 0099A1F4
0099A1DE    8B5424 04          mov edx,dword ptr ss:[esp+0x4]     ; first handler argument: EXCEPTION_RECORD*
0099A1E2    8B52 0C            mov edx,dword ptr ds:[edx+0xC]     ; ->ExceptionAddress, i.e. the faulting instruction
0099A1E5    C602 E9            mov byte ptr ds:[edx],0xE9         ; overwrite it with the opcode of jmp rel32
0099A1E8    83C2 05            add edx,0x5                        ; address of the end of the 5-byte jmp
0099A1EB    2BCA               sub ecx,edx                        ; rel32 = target - (addr + 5)
0099A1ED    894A FC            mov dword ptr ds:[edx-0x4],ecx     ; write the displacement
0099A1F0    33C0               xor eax,eax                        ; return 0 = ExceptionContinueExecution
0099A1F2    C3                 retn                               ; execution resumes on the freshly written jmp
```
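The handler above is the whole trick of this stage: the packed entry deliberately faults, and the SE handler turns the faulting instruction into a `jmp` into the packer stub before resuming execution. The script below is an added example, not code from the post or from the packer; it replays the handler's arithmetic with the constants from the listing. On x86 Windows an SEH handler is called as `handler(EXCEPTION_RECORD *rec, frame, CONTEXT *ctx, dispatcher)`, so `[esp+4]` is `rec` and offset 0xC in it is `ExceptionAddress`. That the faulting instruction is `mov [eax],ecx` at 00401156 is an inference from the listing (eax was just zeroed), not something the post states.

```python
"""Replay of the SEH code-patching done by the handler at 0099A1D0 (added example)."""
import struct

MASK32 = 0xFFFFFFFF


def handler_target(eax=0xF0998F55, disp=0x1000129E):
    """lea ecx,[eax+disp] wraps modulo 2^32; with the listing's constants the
    result is 0x0099A1F3, the byte right after the handler's retn."""
    return (eax + disp) & MASK32


def build_jmp_patch(exception_address, target):
    """mov byte [edx],0xE9 / add edx,5 / sub ecx,edx / mov [edx-4],ecx."""
    edx = (exception_address + 5) & MASK32          # end of the 5-byte jmp
    rel32 = (target - edx) & MASK32                 # two's-complement displacement
    return b"\xe9" + struct.pack("<I", rel32)


def decode_jmp(address, code):
    """Inverse step: where does the E9 rel32 at `address` land?  This is what
    OD shows at the old entry once the handler has run."""
    if len(code) < 5 or code[0] != 0xE9:
        raise ValueError("no jmp rel32 at %#010x" % address)
    rel32, = struct.unpack("<i", code[1:5])
    return (address + 5 + rel32) & MASK32


def apply_handler(memory, base, exception_address, target):
    """Patch a bytearray `memory` that starts at virtual address `base` the way
    the handler patches the packed entry; return where the new jmp lands."""
    off = exception_address - base
    memory[off:off + 5] = build_jmp_patch(exception_address, target)
    return decode_jmp(exception_address, bytes(memory[off:off + 5]))


# Constructed image of the packed entry bytes from the listing, starting at 00401154:
# 33C0 xor eax,eax / 8908 mov [eax],ecx / 50 push eax / 45 inc ebp / 43 inc ebx
PACKED_ENTRY_BASE = 0x00401154
PACKED_ENTRY = bytearray.fromhex("33c08908504543")
FAULT_ADDR = 0x00401156   # assumption: mov [eax],ecx with eax == 0 is the access violation

if __name__ == "__main__":
    target = handler_target()
    landed = apply_handler(PACKED_ENTRY, PACKED_ENTRY_BASE, FAULT_ADDR, target)
    print("handler target : %#010x" % target)
    print("patched bytes  : %s" % PACKED_ENTRY.hex())
    print("jmp lands at   : %#010x" % landed)
```

Because the handler returns 0 (ExceptionContinueExecution) and the CPU restarts at the faulting address, the very next instruction executed is the jmp that was just written, which is why the junk bytes after `mov [eax],ecx` in the entry listing never run as shown. It also explains the comment thread below: the handler is reached no matter where you break, so a breakpoint on `VirtualAlloc` alone is enough to get into the stub.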
Once it breaks there, delete the int3 breakpoint, enter the command `bp VirtualAlloc` and press F9. Execution stops at the following code:
```
7C809AF1 >  8BFF               mov edi,edi                        ; kernel32.VirtualAlloc
7C809AF3    55                 push ebp
7C809AF4    8BEC               mov ebp,esp
7C809AF6    FF75 14            push dword ptr ss:[ebp+0x14]
7C809AF9    FF75 10            push dword ptr ss:[ebp+0x10]
7C809AFC    FF75 0C            push dword ptr ss:[ebp+0xC]
7C809AFF    FF75 08            push dword ptr ss:[ebp+0x8]
7C809B02    6A FF              push -0x1
7C809B04    E8 09000000        call kernel32.VirtualAllocEx
7C809B09    5D                 pop ebp
7C809B0A    C2 1000            retn 0x10
```
Remove that breakpoint and press Alt+F9 (execute till user code) to get back into the packer stub. The code there is:
```
0099A229    5A                 pop edx                            ; plistEdi.00400000 (image base)
0099A22A    8BF8               mov edi,eax                        ; eax = buffer returned by VirtualAlloc
0099A22C    50                 push eax
0099A22D    52                 push edx
0099A22E    8B33               mov esi,dword ptr ds:[ebx]
0099A230    8B43 20            mov eax,dword ptr ds:[ebx+0x20]
0099A233    03C2               add eax,edx
0099A235    8B08               mov ecx,dword ptr ds:[eax]
0099A237    894B 20            mov dword ptr ds:[ebx+0x20],ecx
0099A23A    8B43 1C            mov eax,dword ptr ds:[ebx+0x1C]
0099A23D    03C2               add eax,edx
0099A23F    8B08               mov ecx,dword ptr ds:[eax]
0099A241    894B 1C            mov dword ptr ds:[ebx+0x1C],ecx
0099A244    03F2               add esi,edx
0099A246    8B4B 0C            mov ecx,dword ptr ds:[ebx+0xC]
0099A249    03CA               add ecx,edx
0099A24B    8D43 1C            lea eax,dword ptr ds:[ebx+0x1C]
0099A24E    50                 push eax
0099A24F    57                 push edi
0099A250    56                 push esi
0099A251    FFD1               call ecx                           ; fills the new buffer from the packed data
0099A253    5A                 pop edx
0099A254    58                 pop eax
0099A255    0343 08            add eax,dword ptr ds:[ebx+0x8]
0099A258    8BF8               mov edi,eax                        ; edi = buffer + [ebx+0x8]
0099A25A    52                 push edx
0099A25B    8BF0               mov esi,eax
0099A25D    8B46 FC            mov eax,dword ptr ds:[esi-0x4]
0099A260    83C0 04            add eax,0x4
0099A263    2BF0               sub esi,eax
0099A265    8956 08            mov dword ptr ds:[esi+0x8],edx
0099A268    8B4B 0C            mov ecx,dword ptr ds:[ebx+0xC]
0099A26B    894E 14            mov dword ptr ds:[esi+0x14],ecx
0099A26E    FFD7               call edi                           ; runs the code in the new buffer; returns the OEP in eax
0099A270    8985 3F130010      mov dword ptr ss:[ebp+0x1000133F],eax
0099A276    8BF0               mov esi,eax
0099A278    8B4B 14            mov ecx,dword ptr ds:[ebx+0x14]
0099A27B    5A                 pop edx
0099A27C    EB 0C              jmp XplistEdi.0099A28A             ; skips the release call below
0099A27E    03CA               add ecx,edx
0099A280    68 00800000        push 0x8000                        ; MEM_RELEASE
0099A285    6A 00              push 0x0
0099A287    57                 push edi
0099A288    FF11               call dword ptr ds:[ecx]            ; looks like VirtualFree of the buffer, never reached here
0099A28A    8BC6               mov eax,esi
0099A28C    5A                 pop edx
0099A28D    5E                 pop esi
0099A28E    5F                 pop edi
0099A28F    59                 pop ecx
0099A290    5B                 pop ebx
0099A291    5D                 pop ebp
0099A292    FFE0               jmp eax                            ; lands on the program's original OEP; set an int3 breakpoint here and F9
```
After the jump we arrive at the program's original entry point:
```
00401140 >  55                 push ebp                           ; OEP
00401141    89E5               mov ebp,esp
00401143    83EC 18            sub esp,0x18
00401146    C70424 02000000    mov dword ptr ss:[esp],0x2
0040114D    FF15 B00F9000      call dword ptr ds:[0x900FB0]       ; msvcrt.__set_app_type, typical GCC/MinGW CRT startup
00401153    E8 C8FEFFFF        call plistEdi.00401020
00401158    90                 nop
00401159    8DB426 00000000    lea esi,dword ptr ds:[esi]
00401160    55                 push ebp
00401161    89E5               mov ebp,esp
00401163    83EC 18            sub esp,0x18
00401166    C70424 01000000    mov dword ptr ss:[esp],0x1
0040116D    FF15 B00F9000      call dword ptr ds:[0x900FB0]       ; msvcrt.__set_app_type
00401173    E8 A8FEFFFF        call plistEdi.00401020
00401178    90                 nop
00401179    8DB426 00000000    lea esi,dword ptr ds:[esi]
00401180    55                 push ebp
00401181    89E5               mov ebp,esp
00401183    53                 push ebx
00401184    83EC 14            sub esp,0x14
00401187    8B45 08            mov eax,dword ptr ss:[ebp+0x8]
0040118A    8B00               mov eax,dword ptr ds:[eax]
0040118C    8B00               mov eax,dword ptr ds:[eax]
```
From here on it is the usual routine: dump the process memory and repair the IAT.
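The dump-and-fix step the post leaves to a PE editor consists of two header edits before the import table can be rebuilt: point `AddressOfEntryPoint` at the OEP, and make every section's raw view identical to its virtual view so the dumped bytes sit where the file headers say they do. The script below is an added example, not the post's tooling; it applies those edits to a PE32 image in a `bytearray`. The only values taken from the walk-through are the image base 00400000 and the OEP 00401140; the sample image is constructed in `build_sample_dump()`, and its stale entry RVA of 0x1000 merely stands in for the packer's entry. The import-table rebuild itself is not covered.

```python
"""Header fix-up for a memory dump of the unpacked image (added example, PE32 only)."""
import struct

IMAGE_BASE = 0x00400000          # from the walk-through: pop edx ; plistEdi.00400000
OEP_VA = 0x00401140              # from the walk-through: original entry point
SECTION_HDR = "<8sIIIIIIHHI"     # IMAGE_SECTION_HEADER, 40 bytes


def _headers(image):
    """Return offsets of the COFF header, optional header, section table, and the section count."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsect, = struct.unpack_from("<H", image, coff + 2)      # NumberOfSections
    opt_size, = struct.unpack_from("<H", image, coff + 16)  # SizeOfOptionalHeader
    opt = coff + 20
    magic, = struct.unpack_from("<H", image, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 is handled")
    return coff, opt, opt + opt_size, nsect


def fix_dump(image, oep_va, image_base):
    """Rewrite the dump's headers in place and report what was changed."""
    _, opt, sect, nsect = _headers(image)
    entry_rva = oep_va - image_base
    struct.pack_into("<I", image, opt + 0x10, entry_rva)     # AddressOfEntryPoint
    struct.pack_into("<I", image, opt + 0x1C, image_base)    # ImageBase
    sect_align, = struct.unpack_from("<I", image, opt + 0x20)
    struct.pack_into("<I", image, opt + 0x24, sect_align)    # FileAlignment := SectionAlignment
    fixed = []
    for i in range(nsect):
        off = sect + 40 * i
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va = struct.unpack_from("<II", image, off + 8)
        # SizeOfRawData / PointerToRawData now mirror VirtualSize / VirtualAddress
        struct.pack_into("<II", image, off + 16, vsize, va)
        fixed.append((name, va, vsize))
    return {"entry_rva": entry_rva, "sections": fixed}


def rva_to_file_offset(image, rva):
    """Translate an RVA through the section table the way a file-based tool would."""
    _, _, sect, nsect = _headers(image)
    for i in range(nsect):
        off = sect + 40 * i
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", image, off + 8)
        if va <= rva < va + max(vsize, raw_size):
            return raw_ptr + (rva - va)
    raise ValueError("RVA %#x is outside every section" % rva)


def entry_bytes(image, n=3):
    """First n bytes at the entry point, as seen through the file view."""
    _, opt, _, _ = _headers(image)
    entry_rva, = struct.unpack_from("<I", image, opt + 0x10)
    off = rva_to_file_offset(image, entry_rva)
    return bytes(image[off:off + n])


def build_sample_dump():
    """Constructed stand-in for a dump taken from 00400000: two sections whose raw
    offsets (0x400/0x600) do not match their RVAs, a stale entry RVA of 0x1000,
    and the OEP prologue push ebp / mov ebp,esp (55 89 E5 in the listing) at 0x1140."""
    img = bytearray(0x3000)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                              # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    coff = 0x84
    struct.pack_into("<HHIIIHH", img, coff, 0x14C, 2, 0, 0, 0, 224, 0x0102)
    opt = coff + 20
    struct.pack_into("<H", img, opt, 0x10B)                              # PE32 magic
    struct.pack_into("<I", img, opt + 0x10, 0x1000)                      # stale AddressOfEntryPoint
    struct.pack_into("<I", img, opt + 0x1C, IMAGE_BASE)
    struct.pack_into("<II", img, opt + 0x20, 0x1000, 0x200)              # SectionAlignment, FileAlignment
    struct.pack_into("<II", img, opt + 0x38, 0x3000, 0x400)              # SizeOfImage, SizeOfHeaders
    sect = opt + 224
    struct.pack_into(SECTION_HDR, img, sect, b".text", 0x1000, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    struct.pack_into(SECTION_HDR, img, sect + 40, b".data", 0x1000, 0x2000, 0x200, 0x600, 0, 0, 0, 0, 0xC0000040)
    img[0x1140:0x1143] = b"\x55\x89\xe5"
    return img


if __name__ == "__main__":
    dump = build_sample_dump()
    print("before fix, entry bytes:", entry_bytes(dump).hex())   # zeros: file view points at the wrong place
    print(fix_dump(dump, OEP_VA, IMAGE_BASE))
    print("after fix, entry bytes :", entry_bytes(dump).hex())   # 5589e5
```

Before the fix, a file-based tool resolving the entry RVA through `PointerToRawData` reads the wrong bytes; after it, raw offset equals RVA for every section and the entry resolves to the `push ebp` seen in OD. Making `FileAlignment` equal to `SectionAlignment` keeps the loader's consistency check happy once the raw offsets are page-aligned. An overlay, if there is one, would simply be appended after the last section and is untouched by these edits.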
6 comments
Could you tell me how to trace the registration code in this program after unpacking it? Please advise, many thanks!
This one can simply be patched directly; there is nothing technical about it. The software itself has a bug, though.
The Ctrl+G to 0099A1D0 step is redundant, isn't it?
@hyp Why do you think it is redundant?
@obaby After loading in OD, just do bp VirtualAlloc straight away; there is no need to Ctrl+G to 0099A1D0.
Right, then it is redundant. Heh heh.