加密壳之ACProtect之OEP的处理

Date: 2017-5-23  Source: www.sypcwx.cn  Author: Shenyang Computer Repair Network
A rookie plays with packers too: handling the OEP in ACProtect

Attachment download: the packed file and a PDF.

1. Protection: ACProtect v1.41. The analysis covers how the packer steals the code at the OEP (original entry point).

2. Analysis. After loading the file, EIP = 00412000:

    00412000  60             pushad
    00412001  E801000000     call vcmfc库1.00412007
    00412006 -7E83           jle Xvcmfc库1.00411F8B
    00412008  0424           add al,0x24
    0041200A  06             push es
    0041200B  C3             retn
    0041200C  7701           ja Xvcmfc库1.0041200F
    0041200E  43             inc ebx
    0041200F  FC             cld
    00412010  7501           jnz Xvcmfc库1.00412013

The entry point is in the packer's section (address 00412000, size 19000).

Following the packer's usual behaviour, use the ESP trick: at 00412001 set a hardware breakpoint on ESP (HR ESP). That lands here:

    0041254A  56             push esi
    0041254B  8F05A1294100   pop dword ptr ds:[0x4129A1]
    00412551  60             pushad
    00412552  7803           js Xvcmfc库1.00412557
    00412554  7901           jns Xvcmfc库1.00412557
    00412556  7B40           jpo Xvcmfc库1.00412598

Here is another pushad. Clear the earlier hardware breakpoint and set HR ESP again just below this pushad. That lands here:

    00427753  51             push ecx
    00427754  8F0589284100   pop dword ptr ds:[0x412889]      ;[889]=ecx
    0042775A  60             pushad
    0042775B  61             popad
    0042775C  51             push ecx
    0042775D  8F05CD294100   pop dword ptr ds:[0x4129CD]      ;[9cd]=ecx
    00427763  FF35CD294100   push dword ptr ds:[0x4129CD]
    00427769  8915E1284100   mov dword ptr ds:[0x4128E1],edx
    0042776F  FF35E1284100   push dword ptr ds:[0x4128E1]
    00427775  56             push esi
    00427776  BE11294100     mov esi,vcmfc库1.00412911
    0042777B  8BD6           mov edx,esi
    0042777D  5E             pop esi
    0042777E  52             push edx
    0042777F  59             pop ecx                          ;ecx=edx=412911
    00427780  8F053D284100   pop dword ptr ds:[0x41283D]
    00427786  8B153D284100   mov edx,dword ptr ds:[0x41283D]
    0042778C  8929           mov dword ptr ds:[ecx],ebp       ;[412911]=ebp
    0042778E  8F05A12A4100   pop dword ptr ds:[0x412AA1]
    00427794  56             push esi
    00427795  BEA12A4100     mov esi,vcmfc库1.00412AA1
    0042779A  8B0E           mov ecx,dword ptr ds:[esi]
    0042779C  5E             pop esi
    0042779D  FF3511294100   push dword ptr ds:[0x412911]     ;this is the first stolen instruction: push ebp
    004277A3  8925192B4100   mov dword ptr ds:[0x412B19],esp
    004277A9  90             nop
    004277AA  90             nop
    004277AB  60             pushad
    004277AC  E801000000     call vcmfc库1.004277B2
    004277B1 ^7783           ja Xvcmfc库1.00427736

Note the three instructions nop, nop, pushad: this sequence marks the beginning of the stolen code. The nops are arbitrary padding (there may be none, one, two or more of them); the pushad is the key.

Copy all the instructions before the nops, that is, 00427753 (push ecx) through 004277A3 (mov dword ptr ds:[0x412B19],esp), as raw bytes and save them. The bytes of this block are:

    518F05892841006061518F05CD294100FF35CD2941008915E1284100FF35E128410056BE112941008BD65E52598F053D2841008B153D28410089298F05A12A410056BEA12A41008B0E5EFF35112941008925192B4100

Repeat the steps above n times and save the bytes from every round. How do you determine n? In my case, this appeared right after the trial-version nag popped up:

    00429106 /EB01           jmp Xvcmfc库1.00429109
    00429108 |E8FF254B91     call 918DB70C
    0042910D  42             inc edx

00429106 is a near jump; step into it with F7:

    00429109 -FF254B914200   jmp dword ptr ds:[0x42914B]      ;vcmfc库1.00405391
    0042910F  60             pushad
    00429110  E800000000     call vcmfc库1.00429115
    00429115  5E             pop esi
    00429116  83EE06         sub esi,0x6

where ds:[0042914B] = 00405391 (vcmfc库1.00405391).

This is a cross-section long jump. What does cross-section mean? The current instruction is at 00429109 and it jumps to 00405391; the module map shows that this goes from the .perplex section into the .text section. That is the much-discussed cross-section jump, so once execution enters the code section we are at the so-called fake OEP. The fake OEP looks like this (shown as a screenshot in the original).

Now dump the process. Repair the IAT with ImportREC; it reports no problems, so fix the dumped file.

ImportREC adds a .mackt section to the file to hold the import table. The section is 1000 in size and the import table does not need that much room, so the stolen code can be placed in this section.

Open the fixed dump_.exe in OllyDbg and find an empty spot in the section at 0042B000; I picked 0042BBA0. Paste the bytes collected above there and append a JMP 00405391 (to the fake OEP):

    0042BEBF  58             POP EAX
    0042BEC0  8908           MOV DWORD PTR DS:[EAX],ECX
    0042BEC2  A1A4604000     MOV EAX,DWORD PTR DS:[0x4060A4]
    0042BEC7 -E9C594FDFF     JMP dumped_.<ModuleEntryPoint>

Use LordPE to change the entry point to 0042BBA0. Done.

All the saved bytes, from every round, were listed at the end of the original post.
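As an added illustration that is not part of the original post, the following Python script does the static triage an analyst would run on such a file before executing anything: it parses the PE section table and reports which section holds AddressOfEntryPoint, flagging an entry point outside .text, the .perplex packer section described above, and the .mackt section that ImportREC leaves behind. The sample headers it builds are constructed to mirror the post's layout (image base 0x400000, packer section at 00412000 of size 19000, .mackt at 0042B000 of size 1000); the packer-name lookup, the ".text" heuristic and the section characteristics are assumptions made for this example.

```python
import struct

# Section names the post ties to the packer (a small lookup assumed for this example).
PACKER_SECTIONS = {".perplex": "ACProtect"}

def build_sample_pe(entry_rva, sections):
    """Constructed minimal PE32 image: DOS stub, PE headers and section table only."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                 # e_lfanew -> "PE\0\0"
    opt = bytearray(224)                                   # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                  # Magic = PE32
    struct.pack_into("<I", opt, 16, entry_rva)             # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)              # ImageBase, as in the post
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), size, rva,
                                size, 0, 0, 0, 0, 0, 0x60000020)   # CODE|EXECUTE|READ
                    for name, rva, size in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs

def triage_entry_point(data):
    """Find the section holding AddressOfEntryPoint and collect packer indicators."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    entry, _, _, base = struct.unpack_from("<IIII", data, pe + 40)   # AoEP ... ImageBase
    names, entry_sec, notes = [], None, []
    for i in range(nsec):
        raw, vsize, rva = struct.unpack_from("<8sII", data, pe + 24 + opt_size + 40 * i)
        name = raw.rstrip(b"\0").decode("ascii", "replace")
        names.append(name)
        if rva <= entry < rva + vsize:
            entry_sec = name
        if name in PACKER_SECTIONS:
            notes.append(f"{name}: {PACKER_SECTIONS[name]} packer section present")
    if entry_sec != ".text":   # heuristic: compilers normally put the OEP in .text
        notes.append(f"entry point 0x{base + entry:08X} lies in {entry_sec}, not .text")
    if ".mackt" in names:
        notes.append(".mackt present: IAT rebuilt by ImportREC, probably an unpacked dump")
    return {"entry_va": base + entry, "entry_section": entry_sec,
            "sections": names, "notes": notes}

# Constructed layouts mirroring the post: .text, the ACProtect .perplex section
# (VA 00412000, size 19000) and the .mackt section ImportREC adds (VA 0042B000, size 1000).
LAYOUT_PACKED = [(".text", 0x1000, 0x11000), (".perplex", 0x12000, 0x19000)]
LAYOUT_FIXED = LAYOUT_PACKED + [(".mackt", 0x2B000, 0x1000)]
```

Run `triage_entry_point(build_sample_pe(0x12000, LAYOUT_PACKED))` to see the packed case report an entry point at 0x00412000 inside .perplex, and `build_sample_pe(0x2BBA0, LAYOUT_FIXED)` to see the repaired dump's entry point land in .mackt.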