Although the unpacker reported appended (overlay) data, I found that nothing needed repairing after the unpack.
After loading the program in OD it breaks at the entry point shown below, which installs an SE handler (push handler address, push fs:[0], mov fs:[0],esp):
00401140 > B8 D0A19900 mov eax,plistEdi.0099A1D0 ; entry point (eax = SE handler address)
00401145 50 push eax
00401146 64:FF35 0000000>push dword ptr fs:[0]
0040114D 64:8925 0000000>mov dword ptr fs:[0],esp
00401154 33C0 xor eax,eax ; eax = 0, so the next instruction writes to address 0; the access violation hands control to the SE handler
00401156 8908 mov dword ptr ds:[eax],ecx
00401158 50 push eax
00401159 45 inc ebp
0040115A 43 inc ebx
With OD set to ignore all exceptions, single-step with F8 until the stack window shows the following:
0022FFBC 0022FFE0 pointer to next SEH record
0022FFC0 0099A1D0 SE handler
0022FFC4 7C817077 return to kernel32.7C817077
In the disassembly window press Ctrl+G, enter the address 0099A1D0 and go there; the code at that address is:
0099A1D0 B8 558F99F0 mov eax,0xF0998F55 ; set a breakpoint here, then run with Shift+F9 (pass the exception to the handler)
0099A1D5 8D88 9E120010 lea ecx,dword ptr ds:[eax+0x1000129E]
0099A1DB 8941 01 mov dword ptr ds:[ecx+0x1],eax
0099A1DE 8B5424 04 mov edx,dword ptr ss:[esp+0x4]
0099A1E2 8B52 0C mov edx,dword ptr ds:[edx+0xC]
0099A1E5 C602 E9 mov byte ptr ds:[edx],0xE9
0099A1E8 83C2 05 add edx,0x5
0099A1EB 2BCA sub ecx,edx
0099A1ED 894A FC mov dword ptr ds:[edx-0x4],ecx
0099A1F0 33C0 xor eax,eax
0099A1F2 C3 retn
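What the handler above actually does is easy to miss in the listing, so here is an added Python model of it (example code written for this page, not part of the original post or of the packer). It transcribes the handler's arithmetic with the exact constants shown at 0099A1D0: the `lea` wraps around 32 bits to 0x0099A1F3 (the byte right after the handler's `retn`), the handler stores eax there (the listing does not show what lives at 0099A1F3, so the model only records the write), takes `ExceptionAddress` (offset 0xC of the EXCEPTION_RECORD passed at [esp+4]), overwrites the faulting instruction at 00401156 with a 5-byte `jmp rel32` to 0x0099A1F3, and returns 0 (ExceptionContinueExecution) so the CPU resumes on the patched bytes. The `Memory` class, the `exception_record` dict and the bytes placed at 00401156 are constructed for the example; the original five bytes are copied from the listing above (`89 08 50 45 43`).

```python
"""
Added example: a Python model of the SE handler at 0099A1D0.

It reproduces the handler's arithmetic with the constants from the
listing and shows its effect on the faulting instruction: the 5 bytes
at EXCEPTION_RECORD.ExceptionAddress become a near jmp (E9 rel32) to
the code right after the handler's own retn, and the handler returns 0
(ExceptionContinueExecution) so execution resumes on the patched jmp.
"""
import struct

MASK32 = 0xFFFFFFFF

# Constants taken from the listing.
HANDLER_EAX = 0xF0998F55          # mov eax,0xF0998F55
HANDLER_DISP = 0x1000129E         # lea ecx,[eax+0x1000129E]
FAULT_ADDR = 0x00401156           # mov [eax],ecx executed with eax == 0
EXCEPTION_CONTINUE_EXECUTION = 0  # handler returns 0 in eax


class Memory:
    """Sparse, byte-addressable stand-in for the debuggee's memory (constructed)."""

    def __init__(self, initial=None):
        self.cells = dict(initial or {})

    def write(self, addr, data):
        for i, b in enumerate(data):
            self.cells[(addr + i) & MASK32] = b

    def read(self, addr, n):
        return bytes(self.cells.get((addr + i) & MASK32, 0) for i in range(n))


def se_handler(mem, exception_record):
    """Transcription of the handler at 0099A1D0, instruction by instruction.

    exception_record mimics the EXCEPTION_RECORD the kernel passes as the
    first argument ([esp+4]); the handler only reads ExceptionAddress
    (the field at offset 0xC).
    """
    eax = HANDLER_EAX
    ecx = (eax + HANDLER_DISP) & MASK32                       # wraps to 0x0099A1F3
    mem.write((ecx + 1) & MASK32, struct.pack("<I", eax))     # mov [ecx+1],eax
    edx = exception_record["ExceptionAddress"]                # mov edx,[edx+0xC]
    mem.write(edx, b"\xE9")                                   # mov byte [edx],0xE9
    edx = (edx + 5) & MASK32                                  # add edx,5
    ecx = (ecx - edx) & MASK32                                # sub ecx,edx -> rel32
    mem.write((edx - 4) & MASK32, struct.pack("<I", ecx))     # mov [edx-4],ecx
    return EXCEPTION_CONTINUE_EXECUTION                       # xor eax,eax ; retn


def decode_jmp_rel32(mem, addr):
    """Decode an E9 rel32 at addr and return its absolute target, or None."""
    code = mem.read(addr, 5)
    if code[0] != 0xE9:
        return None
    rel = struct.unpack("<i", code[1:])[0]
    return (addr + 5 + rel) & MASK32


def run_scenario():
    """Fault at 00401156, run the handler, report (return value, patched bytes, jmp target)."""
    # Original bytes at 00401156 from the listing:
    # 89 08 = mov [eax],ecx ; 50 = push eax ; 45 = inc ebp ; 43 = inc ebx
    original = b"\x89\x08\x50\x45\x43"
    mem = Memory({FAULT_ADDR + i: b for i, b in enumerate(original)})
    # Constructed EXCEPTION_RECORD: STATUS_ACCESS_VIOLATION at the faulting address.
    record = {"ExceptionCode": 0xC0000005, "ExceptionAddress": FAULT_ADDR}
    ret = se_handler(mem, record)
    return ret, mem.read(FAULT_ADDR, 5), decode_jmp_rel32(mem, FAULT_ADDR)


if __name__ == "__main__":
    ret, patched, target = run_scenario()
    print("handler returned", ret)
    print("bytes at 00401156:", patched.hex(" "))
    print("jmp target: 0x%08X" % target)
```

Running it shows the faulting `mov [eax],ecx` replaced by `E9 98 90 59 00`, i.e. `jmp 0099A1F3`. That is why, once the exception has been passed to the handler, execution simply continues in the stub right behind the handler's `retn` and never returns to the original entry-point code until the stub has finished.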
Once it breaks there, delete the INT3 breakpoint, enter the command bp VirtualAlloc to set a breakpoint on VirtualAlloc, and press F9 to run. It will break at the following code:
7C809AF1 > 8BFF mov edi,edi
7C809AF3 55 push ebp
7C809AF4 8BEC mov ebp,esp
7C809AF6 FF75 14 push dword ptr ss:[ebp+0x14]
7C809AF9 FF75 10 push dword ptr ss:[ebp+0x10]
7C809AFC FF75 0C push dword ptr ss:[ebp+0xC]
7C809AFF FF75 08 push dword ptr ss:[ebp+0x8]
7C809B02 6A FF push -0x1
7C809B04 E8 09000000 call kernel32.VirtualAllocEx
7C809B09 5D pop ebp
7C809B0A C2 1000 retn 0x10
Remove that breakpoint and press Alt+F9 (execute till user code) to return from VirtualAlloc into the stub; the code there is:
0099A229 5A pop edx ; plistEdi.00400000
0099A22A 8BF8 mov edi,eax
0099A22C 50 push eax
0099A22D 52 push edx
0099A22E 8B33 mov esi,dword ptr ds:[ebx]
0099A230 8B43 20 mov eax,dword ptr ds:[ebx+0x20]
0099A233 03C2 add eax,edx
0099A235 8B08 mov ecx,dword ptr ds:[eax]
0099A237 894B 20 mov dword ptr ds:[ebx+0x20],ecx
0099A23A 8B43 1C mov eax,dword ptr ds:[ebx+0x1C]
0099A23D 03C2 add eax,edx
0099A23F 8B08 mov ecx,dword ptr ds:[eax]
0099A241 894B 1C mov dword ptr ds:[ebx+0x1C],ecx
0099A244 03F2 add esi,edx
0099A246 8B4B 0C mov ecx,dword ptr ds:[ebx+0xC]
0099A249 03CA add ecx,edx
0099A24B 8D43 1C lea eax,dword ptr ds:[ebx+0x1C]
0099A24E 50 push eax
0099A24F 57 push edi
0099A250 56 push esi
0099A251 FFD1 call ecx
0099A253 5A pop edx
0099A254 58 pop eax
0099A255 0343 08 add eax,dword ptr ds:[ebx+0x8]
0099A258 8BF8 mov edi,eax
0099A25A 52 push edx
0099A25B 8BF0 mov esi,eax
0099A25D 8B46 FC mov eax,dword ptr ds:[esi-0x4]
0099A260 83C0 04 add eax,0x4
0099A263 2BF0 sub esi,eax
0099A265 8956 08 mov dword ptr ds:[esi+0x8],edx
0099A268 8B4B 0C mov ecx,dword ptr ds:[ebx+0xC]
0099A26B 894E 14 mov dword ptr ds:[esi+0x14],ecx
0099A26E FFD7 call edi
0099A270 8985 3F130010 mov dword ptr ss:[ebp+0x1000133F],eax
0099A276 8BF0 mov esi,eax
0099A278 8B4B 14 mov ecx,dword ptr ds:[ebx+0x14]
0099A27B 5A pop edx
0099A27C EB 0C jmp XplistEdi.0099A28A
0099A27E 03CA add ecx,edx
0099A280 68 00800000 push 0x8000
0099A285 6A 00 push 0x0
0099A287 57 push edi
0099A288 FF11 call dword ptr ds:[ecx]
0099A28A 8BC6 mov eax,esi
0099A28C 5A pop edx
0099A28D 5E pop esi
0099A28E 5F pop edi
0099A28F 59 pop ecx
0099A290 5B pop ebx
0099A291 5D pop ebp
0099A292 FFE0 jmp eax ; this jump lands on the program's original OEP: set an INT3 breakpoint here and press F9
After the jump we arrive at the program's original entry point. Note that it is 00401140, the same address the packed entry point occupied: the stub has restored the original code in place.
00401140 > 55 push ebp ; original entry point (OEP)
00401141 89E5 mov ebp,esp
00401143 83EC 18 sub esp,0x18
00401146 C70424 02000000 mov dword ptr ss:[esp],0x2
0040114D FF15 B00F9000 call dword ptr ds:[0x900FB0] ; msvcrt.__set_app_type
00401153 E8 C8FEFFFF call plistEdi.00401020
00401158 90 nop
00401159 8DB426 00000000 lea esi,dword ptr ds:[esi]
00401160 55 push ebp
00401161 89E5 mov ebp,esp
00401163 83EC 18 sub esp,0x18
00401166 C70424 01000000 mov dword ptr ss:[esp],0x1
0040116D FF15 B00F9000 call dword ptr ds:[0x900FB0] ; msvcrt.__set_app_type
00401173 E8 A8FEFFFF call plistEdi.00401020
00401178 90 nop
00401179 8DB426 00000000 lea esi,dword ptr ds:[esi]
00401180 55 push ebp
00401181 89E5 mov ebp,esp
00401183 53 push ebx
00401184 83EC 14 sub esp,0x14
00401187 8B45 08 mov eax,dword ptr ss:[ebp+0x8]
0040118A 8B00 mov eax,dword ptr ds:[eax]
0040118C 8B00 mov eax,dword ptr ds:[eax]
From here on it is the usual routine: dump the memory image and repair the IAT.
6 comments
Could you please tell me how to trace the registration code of this software after unpacking it? Please advise, many thanks!
This thing can simply be patched directly; there is nothing technical about it. The software itself has a bug, though.
The Ctrl+G to 0099A1D0 step is redundant, isn't it?
@hyp Why do you think it is redundant?
@obaby
After loading it in OD you can do bp VirtualAlloc straight away; there is no need to Ctrl+G to 0099A1D0 first.
Yep, then it is redundant. Haha.