|
|
发表于 2009-11-4 11:07:48
|显示全部楼层
一、用PEiD先查一下程序有无加壳,得到有加了壳:FSG 2.0 -> bart/xt
二、用OllySTC载入程序,如下:
00400154 > 8725 74A24100 XCHG DWORD PTR DS:[41A274],ESP -->载入后到这里
F8单步进入,
0040015A 61 POPAD
0040015B 94 XCHG EAX,ESP
0040015C 55 PUSH EBP
0040015D A4 MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
0040015E B6 80 MOV DH,80
00400160 FF13 CALL DWORD PTR DS:[EBX]
00400162 ^ 73 F9 JNB SHORT FSG2_0.0040015D -->没有回跳,按F8
00400164 33C9 XOR ECX,ECX
00400166 FF13 CALL DWORD PTR DS:[EBX]
00400168 73 16 JNB SHORT FSG2_0.00400180 -->没有回跳,按F8
0040016A 33C0 XOR EAX,EAX
0040016C FF13 CALL DWORD PTR DS:[EBX]
0040016E 73 1F JNB SHORT FSG2_0.0040018F -->跳到0040018F
F8来到了0040018F处:
0040018F AC LODS BYTE PTR DS:[ESI]
00400190 D1E8 SHR EAX,1
00400192 74 2D JE SHORT FSG2_0.004001C1 -->没有回跳,按F8
00400194 13C9 ADC ECX,ECX
00400196 EB 18 JMP SHORT FSG2_0.004001B0 -->跳到004001B0处
00400198 91 XCHG EAX,ECX
00400199 48 DEC EAX
0040019A C1E0 08 SHL EAX,8
0040019D AC LODS BYTE PTR DS:[ESI]
0040019E FF53 04 CALL DWORD PTR DS:[EBX+4]
004001A1 3B43 F8 CMP EAX,DWORD PTR DS:[EBX-8]
004001A4 73 0A JNB SHORT FSG2_0.004001B0
004001A6 80FC 05 CMP AH,5
004001A9 73 06 JNB SHORT FSG2_0.004001B1
004001AB 83F8 7F CMP EAX,7F
004001AE 77 02 JA SHORT FSG2_0.004001B2
004001B0 41 INC ECX -->到这里了
004001B1 41 INC ECX
004001B2 95 XCHG EAX,EBP
004001B3 8BC5 MOV EAX,EBP
004001B5 B6 00 MOV DH,0
004001B7 56 PUSH ESI ; FSG2_0.00416393
004001B8 8BF7 MOV ESI,EDI
004001BA 2BF0 SUB ESI,EAX
004001BC F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[>
004001BE 5E POP ESI
004001BF ^ EB 9F JMP SHORT FSG2_0.00400160 -->回跳到00400160处,用F4跳试到下一行
004001C1 5E POP ESI -->F8继续
004001C2 AD LODS DWORD PTR DS:[ESI]
004001C3 97 XCHG EAX,EDI
004001C4 AD LODS DWORD PTR DS:[ESI]
004001C5 50 PUSH EAX
004001C6 FF53 10 CALL DWORD PTR DS:[EBX+10]
004001C9 95 XCHG EAX,EBP
004001CA 8B07 MOV EAX,DWORD PTR DS:[EDI]
004001CC 40 INC EAX
004001CD ^ 78 F3 JS SHORT FSG2_0.004001C2 -->没有回跳,按F8
004001CF 75 03 JNZ SHORT FSG2_0.004001D4 -->这里千万不要再F8了,不信自己试一下。用F4跳试到下一行
004001D1 - FF63 0C JMP DWORD PTR DS:[EBX+C] ; FSG2_0.004010CC这是Win98记事本程序的入口点F8进入
004001D4 50 PUSH EAX
到这里来了:
004010CC 55 DB 55 ; CHAR ’U’
004010CD 8B DB 8B
004010CE EC DB EC
004010CF 83 DB 83
窗口中右击“Analysis”-->“Analysis Code”或者Ctrl+A,分析代码:
004010CC /. 55 PUSH EBP -->就是OEP,好了,转存一下,就OK了
004010CD |. 8BEC MOV EBP,ESP
004010CF |. 83EC 44 SUB ESP,44
004010D2 |. 56 PUSH ESI
004010D3 |. FF15 E4634000 CALL DWORD PTR DS:[4063E4] ; [GetCommandLineA
004010D9 |. 8BF0 MOV ESI,EAX
004010DB |. 8A00 MOV AL,BYTE PTR DS:[EAX]
004010DD |. 3C 22 CMP AL,22
004010DF |. 75 1B JNZ SHORT FSG2_0.004010FC
三、现在不要关闭OD,接着修复一下,因为脱壳后我发现不能运行它:
选中004010D3这一行,右击“Follow in Dump”-->“Memory address”或者Ctrl+A:
004010D3 |. FF15 E4634000 CALL DWORD PTR DS:[4063E4] ; [GetCommandLineA
注意数据窗口中变化:(忘了说了数据窗口中要处于反汇编状态)
004062E4 . 8378DA77 DD ADVAPI32.RegQueryValueExA
004062E8 . F06BDA77 DD ADVAPI32.RegCloseKey
004062EC . E7EBDA77 DD ADVAPI32.RegSetValueExA
004062F0 . 1BC4DC77 DD ADVAPI32.RegOpenKeyA
.
.
.
004064F8 . 27BED177 DD USER32.IsIconic
004064FC . 1112D277 DD USER32.PostQuitMessage
00406500 . 9CFAD277 DD USER32.TranslateAcceleratorA
00406504 FF DB FF
修复时填:
OEP=004010CC
RVA=62E4
SIZE=00406504-004062E4=220
用ImportREC修复函数就可以了。 |
|
狗仔卡
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
显身卡