|
一.PEiD Sign
| [SimplePack V1.1X-V1.2X (Method1) -> bagie * Sign.By.fly]
signature = 60 E8 00 00 00 00 5B 8D 5B FA BD ?? ?? ?? ?? 8B 7D 3C 8D 74 3D 00 8D BE F8 00 00 00 0F B7 76 06 4E 8B 47 10 09 C0
ep_only = true
|
| [SimplePack V1.X (Method2) -> bagie * Sign.By.fly]
signature = 4D 5A 90 EB 01 00 52 E9 ?? 01 00 00 50 45 00 00 4C 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00 E0 00 0F 03 0B 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0C 00 00 00 00 ?? ?? ?? 00 10 00 00 00 02 00 00 01 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00
ep_only = false
|
_____________________________________________________________
二.SimplePack Method1压缩方式 脱壳
使用SimplePack.V1.21.build.09.09的Method1压缩方式加壳Win98记事本试炼脱壳
设置OllyDbg忽略所有异常选项,清除以前的所有断点,免得干扰调试
| 0040D000 60 pushad
//进入OllyDbg后暂停在这
0040D001 E8 00000000 call 0040D006
0040D006 5B pop ebx
0040D007 8D5B FA lea ebx,dword ptr ds:[ebx-6]
0040D00A BD 00004000 mov ebp,00400000
0040D00F 8B7D 3C mov edi,dword ptr ss:[ebp+3C]
0040D012 8D743D 00 lea esi,dword ptr ss:[ebp+edi]
0040D016 8DBE F8000000 lea edi,dword ptr ds:[esi+F8]
0040D01C 0FB776 06 movzx esi,word ptr ds:[esi+6]
0040D020 4E dec esi
0040D021 8B47 10 mov eax,dword ptr ds:[edi+10]
0040D024 09C0 or eax,eax
0040D026 74 55 je short 0040D07D
0040D028 0FB747 22 movzx eax,word ptr ds:[edi+22]
0040D02C 09C0 or eax,eax
0040D02E 74 4D je short 0040D07D
0040D030 6A 04 push 4
0040D032 68 00100000 push 1000
0040D037 FF77 10 push dword ptr ds:[edi+10]
0040D03A 6A 00 push 0
0040D03C FF93 63030000 call near dword ptr ds:[ebx+363] ; kernel32.VirtualAlloc
0040D042 50 push eax
0040D043 56 push esi
0040D044 57 push edi
0040D045 89EE mov esi,ebp
0040D047 0377 0C add esi,dword ptr ds:[edi+C]
0040D04A 8B4F 10 mov ecx,dword ptr ds:[edi+10]
0040D04D 89C7 mov edi,eax
0040D04F 89C8 mov eax,ecx
0040D051 C1E9 02 shr ecx,2
0040D054 FC cld
0040D055 F3:A5 rep movs dword ptr es:[edi],dword ptr ds:[esi]
0040D057 89C1 mov ecx,eax
0040D059 83E1 03 and ecx,3
0040D05C F3:A4 rep movs byte ptr es:[edi],byte ptr ds:[esi]
0040D05E 5F pop edi
0040D05F 5E pop esi
0040D060 8B0424 mov eax,dword ptr ss:[esp]
0040D063 89EA mov edx,ebp
0040D065 0357 0C add edx,dword ptr ds:[edi+C]
0040D068 E8 66010000 call 0040D1D3
0040D06D 58 pop eax
0040D06E 68 00400000 push 4000
0040D073 FF77 10 push dword ptr ds:[edi+10]
0040D076 50 push eax
0040D077 FF93 67030000 call near dword ptr ds:[ebx+367] ; kernel32.VirtualFree
0040D07D 83C7 28 add edi,28
0040D080 4E dec esi
0040D081 75 9E jnz short 0040D021
//循环解码
0040D083 BE 00600000 mov esi,6000
//解码完毕
//ESI=6000 Import Table RVA ★
|
现在壳已经把程序解码完毕,而此时输入表还没有填充系统函数地址,正是Dump的最佳时机
运行LordPE完全dump目标进程
| 0040D088 09F6 or esi,esi
0040D08A 0F84 0C010000 je 0040D19C
0040D090 01EE add esi,ebp
0040D092 8B4E 0C mov ecx,dword ptr ds:[esi+C]
0040D095 09C9 or ecx,ecx
0040D097 0F84 FF000000 je 0040D19C
//输入表处理完毕则跳转
0040D09D 01E9 add ecx,ebp
0040D09F 89CF mov edi,ecx
0040D0A1 57 push edi
0040D0A2 FF93 57030000 call near dword ptr ds:[ebx+357] ; kernel32.LoadLibraryA
0040D0A8 09C0 or eax,eax
0040D0AA 75 3D jnz short 0040D0E9
0040D0AC 6A 04 push 4
0040D0AE 68 00100000 push 1000
0040D0B3 68 00100000 push 1000
0040D0B8 6A 00 push 0
0040D0BA FF93 63030000 call near dword ptr ds:[ebx+363]
0040D0C0 89C6 mov esi,eax
0040D0C2 8D83 96020000 lea eax,dword ptr ds:[ebx+296]
0040D0C8 57 push edi
0040D0C9 50 push eax
0040D0CA 56 push esi
0040D0CB FF93 6F030000 call near dword ptr ds:[ebx+36F]
0040D0D1 6A 10 push 10
0040D0D3 6A 00 push 0
0040D0D5 56 push esi
0040D0D6 6A 00 push 0
0040D0D8 FF93 73030000 call near dword ptr ds:[ebx+373]
0040D0DE 89E5 mov ebp,esp
0040D0E0 B8 7E000000 mov eax,7E
0040D0E5 FF6424 2C jmp near dword ptr ss:[esp+2C]
0040D0E9 89C7 mov edi,eax
0040D0EB 8B0E mov ecx,dword ptr ds:[esi]
0040D0ED 09C9 or ecx,ecx
0040D0EF 75 03 jnz short 0040D0F4
0040D0F1 8B4E 10 mov ecx,dword ptr ds:[esi+10]
0040D0F4 09C9 or ecx,ecx
0040D0F6 0F84 CE000000 je 0040D1CA
0040D0FC 01E9 add ecx,ebp
0040D0FE 8B56 10 mov edx,dword ptr ds:[esi+10]
0040D101 01EA add edx,ebp
0040D103 8B01 mov eax,dword ptr ds:[ecx]
0040D105 09C0 or eax,eax
0040D107 75 05 jnz short 0040D10E
0040D109 83C6 14 add esi,14
0040D10C EB 84 jmp short 0040D092
0040D10E A9 00000080 test eax,80000000
0040D113 74 07 je short 0040D11C
0040D115 25 FFFF0000 and eax,0FFFF
0040D11A EB 05 jmp short 0040D121
0040D11C 01E8 add eax,ebp
0040D11E 83C0 02 add eax,2
0040D121 50 push eax
0040D122 51 push ecx
0040D123 52 push edx
0040D124 50 push eax
0040D125 57 push edi
0040D126 FF93 5B030000 call near dword ptr ds:[ebx+35B] ; kernel32.GetProcAddress
0040D12C 5A pop edx
0040D12D 59 pop ecx
0040D12E 09C0 or eax,eax
0040D130 75 52 jnz short 0040D184
0040D132 036E 0C add ebp,dword ptr ds:[esi+C]
0040D135 6A 04 push 4
0040D137 68 00100000 push 1000
0040D13C 68 00100000 push 1000
0040D141 6A 00 push 0
0040D143 FF93 63030000 call near dword ptr ds:[ebx+363]
0040D149 89C6 mov esi,eax
0040D14B 5F pop edi
0040D14C F7C7 0000FFFF test edi,FFFF0000
0040D152 74 08 je short 0040D15C
0040D154 8D83 BD020000 lea eax,dword ptr ds:[ebx+2BD]
0040D15A EB 06 jmp short 0040D162
0040D15C 8D83 ED020000 lea eax,dword ptr ds:[ebx+2ED]
0040D162 55 push ebp
0040D163 57 push edi
0040D164 50 push eax
0040D165 56 push esi
0040D166 FF93 6F030000 call near dword ptr ds:[ebx+36F]
0040D16C 6A 10 push 10
0040D16E 6A 00 push 0
0040D170 56 push esi
0040D171 6A 00 push 0
0040D173 FF93 73030000 call near dword ptr ds:[ebx+373]
0040D179 89E5 mov ebp,esp
0040D17B B8 7F000000 mov eax,7F
0040D180 FF6424 30 jmp near dword ptr ss:[esp+30]
0040D184 83C4 04 add esp,4
0040D187 8902 mov dword ptr ds:[edx],eax
0040D189 83C1 04 add ecx,4
0040D18C 83C2 04 add edx,4
0040D18F E9 6FFFFFFF jmp 0040D103
0040D194 83C6 14 add esi,14
0040D197 E9 F6FEFFFF jmp 0040D092
//循环处理输入表
0040D19C 8D4424 FC lea eax,dword ptr ss:[esp-4]
0040D1A0 50 push eax
0040D1A1 6A 04 push 4
0040D1A3 68 00100000 push 1000
0040D1A8 55 push ebp
0040D1A9 FF93 5F030000 call near dword ptr ds:[ebx+35F] ; kernel32.VirtualProtect
//设置PE头可读可写
0040D1AF BE 08014000 mov esi,00400108
0040D1B4 B8 00700000 mov eax,7000
0040D1B9 B9 B84F0000 mov ecx,4FB8
0040D1BE 8906 mov dword ptr ds:[esi],eax
//写入 Resource Table Address
0040D1C0 894E 04 mov dword ptr ds:[esi+4],ecx
//写入 Resource Table Size
0040D1C3 61 popad
0040D1C4 68 CC104000 push 004010CC
0040D1C9 C3 retn
//飞向光明之巅
004010CC 55 push ebp
//OEP
004010CD 8BEC mov ebp,esp
004010CF 83EC 44 sub esp,44
004010D2 56 push esi
004010D3 FF15 E0634000 call near dword ptr ds:[4063E0] ; kernel32.GetCommandLineA
|
修正Dump文件的OEP RVA=000010CC/Import Table RVA=00006000
还可以修正BaseOfCode=00001000/BaseOfData=00005000
脱壳完毕
是否很简单?是的,比UPX脱壳还简单
_______________________________________________________
三.SimplePack Method2压缩方式 脱壳
Method2加壳后只能在NT系统平台上运行。发现SimplePack V1.2 build 30.09和V1.21.build.09.09不使用INT 2E的Anti了,所以使用SimplePack.V1.11的Method2压缩方式加壳试炼品。
Method2压缩方式的脱壳有点麻烦,新手可以暂不练习此过程。
_____________________________________________
1.EP
设置OllyDBG的事件暂停在系统断点,载入试炼品
| 7C921231 C3 retn
//进入OllyDbg后暂停在系统断点
|
BP ZwSetInformationThread
| 0013FFB4 7C816FD4 返回到 kernel32.7C816FD4 来自 ntdll.ZwSetInformationThread
//Shift+F9 中断取消断点 看看返回地址是7C816FD4处,Alt+F9
|
如果Alt+F9返回有误,可以Ctrl+G:7C816FD4,再设断,Shift+F9中断取消断点
| 7C816FCE FF15 A013807C call near dword ptr ds:[ZwSetInformationThread]
7C816FD4 FF55 08 call near dword ptr ss:[ebp+8] ; 00400000
//返回这里,EXE从这里进入EP
|
注意:如果返回的下面不是call near dword ptr ss:[ebp+8],那就Ctrl+S在kernel32.dll的整个段块搜索命令序列:
| and dword ptr ss:[ebp-4],0
push 4
lea eax,dword ptr ss:[ebp+8]
push eax
push 9
push -2
|
搜索到后在下面的call near dword ptr ss:[ebp+8]设断,中断后就能进入EXE的EP
WinXP SP2和Win2000系统平台上是这个代码,其他系统平台的没有测试
| 00400000 4D dec ebp
//Method2压缩方式竟然以基址地址为EP
00400001 5A pop edx
00400002 90 nop
00400003 EB 01 jmp short 00400006
00400006 52 push edx
00400007 E9 89010000 jmp 00400195
00400195 EB 01 jmp short 00400198
|
_____________________________________________
2.SetInformationThread
| 00400198 64:A1 30000000 mov eax,dword ptr fs:[30]
//PEB
0040019E EB 01 jmp short 004001A1
|
TEB & PEB 资料
http://www.unpack.cn/thread-13382-1-1.html
| 004001A1 8B48 0C mov ecx,dword ptr ds:[eax+C]
//PEB+00C = _PEB_LDR_DATA *Ldr
004001A4 E3 6F jecxz short 00400215
004001A6 EB 01 jmp short 004001A9
004001A9 05 AC000000 add eax,0AC
//PEB+0AC = OSBuildNumber
004001AE EB 01 jmp short 004001B1
004001B1 66:8138 9308 cmp word ptr ds:[eax],893
//Win2000 ?
004001B6 EB 01 jmp short 004001B9
004001B9 75 0A jnz short 004001C5
//SimplePack会调用int2E来Anti,因此如果是WinXP系统就修改这里不跳转
004001BB EB 01 jmp short 004001BE
004001C5 EB 01 jmp short 004001C8
004001C8 66:8138 280A cmp word ptr ds:[eax],0A28
//WinXP ?
004001CD 75 4A jnz short 00400219
004001CF EB 01 jmp short 004001D2
004001D2 B8 1AFFFFFF mov eax,-0E6
//7FFD9000+0AC-0E6=FFFFFF1A
004001D7 EB 00 jmp short 004001D9
004001D9 EB 01 jmp short 004001DC
004001DC 31C9 xor ecx,ecx
004001DE EB 01 jmp short 004001E1
004001E1 51 push ecx
004001E2 EB 01 jmp short 004001E5
004001E5 51 push ecx
004001E6 EB 01 jmp short 004001E9
004001E9 6A 11 push 11
004001EB EB 01 jmp short 004001EE
004001EE 6A FE push -2
004001F0 EB 01 jmp short 004001F3
004001F3 E8 03000000 call 004001FB
//Anti 进入看看
004001FB 830424 18 add dword ptr ss:[esp],18
004001FF EB 01 jmp short 00400202
00400202 F7D0 not eax
//EAX=NOT FFFFFF1A=000000E5
00400204 EB 01 jmp short 00400207
00400207 8D5424 04 lea edx,dword ptr ss:[esp+4]
0040020B EB 01 jmp short 0040020E
0040020E CD 2E int 2E
//调用SetInformationThread来Anti
//可以直接把这里NOP,不影响壳运行
00400210 83C4 14 add esp,14
00400213 EB 04 jmp short 00400219
|
_____________________________________________
3.Resource Table Address
| 00400219 E8 03000000 call 00400221
00400221 5D pop ebp
00400222 EB 01 jmp short 00400225
00400225 8DAD E2FDFFFF lea ebp,dword ptr ss:[ebp-21E]
0040022B EB 01 jmp short 0040022E
0040022E 8B9D 38010000 mov ebx,dword ptr ss:[ebp+138]
00400234 EB 01 jmp short 00400237
00400237 01EB add ebx,ebp
00400239 EB 01 jmp short 0040023C
0040023C 8D4424 FC lea eax,dword ptr ss:[esp-4]
00400240 EB 01 jmp short 00400243
00400243 50 push eax
00400244 EB 01 jmp short 00400247
00400247 6A 04 push 4
00400249 EB 01 jmp short 0040024C
0040024C 68 00100000 push 1000
00400251 EB 01 jmp short 00400254
00400254 55 push ebp
00400255 EB 01 jmp short 00400258
00400258 FF53 30 call near dword ptr ds:[ebx+30] ; kernel32.VirtualProtect
//设置PE头可读可写
0040025B EB 01 jmp short 0040025E
0040025E B8 00700000 mov eax,7000
00400263 EB 01 jmp short 00400266
00400266 8985 94000000 mov dword ptr ss:[ebp+94],eax
//写入 Resource Table Address
0040026C EB 01 jmp short 0040026F
0040026F 8DB3 52050000 lea esi,dword ptr ds:[ebx+552]
00400275 EB 01 jmp short 00400278
00400278 8DBD 00100000 lea edi,dword ptr ss:[ebp+1000]
0040027E EB 01 jmp short 00400281
|
_____________________________________________
4.解码
| 00400281 E8 CF000000 call 00400355
00400355 55 push ebp
00400356 53 push ebx
00400357 FC cld
00400358 B2 80 mov dl,80
0040035A 31DB xor ebx,ebx
0040035C A4 movs byte ptr es:[edi],byte ptr ds:[esi]
0040035D B3 02 mov bl,2
0040035F E8 6D000000 call 004003D1
00400364 73 F6 jnb short 0040035C
00400366 31C9 xor ecx,ecx
00400368 E8 64000000 call 004003D1
0040036D 73 1C jnb short 0040038B
0040036F 31C0 xor eax,eax
00400371 E8 5B000000 call 004003D1
00400376 73 23 jnb short 0040039B
00400378 B3 02 mov bl,2
0040037A 41 inc ecx
0040037B B0 10 mov al,10
0040037D E8 4F000000 call 004003D1
00400382 10C0 adc al,al
00400384 73 F7 jnb short 0040037D
00400386 75 3F jnz short 004003C7
00400388 AA stos byte ptr es:[edi]
00400389 EB D4 jmp short 0040035F
0040038B E8 4D000000 call 004003DD
00400390 29D9 sub ecx,ebx
00400392 75 10 jnz short 004003A4
00400394 E8 42000000 call 004003DB
00400399 EB 28 jmp short 004003C3
0040039B AC lods byte ptr ds:[esi]
0040039C D1E8 shr eax,1
0040039E 74 4D je short 004003ED
004003A0 11C9 adc ecx,ecx
004003A2 EB 1C jmp short 004003C0
004003A4 91 xchg eax,ecx
004003A5 48 dec eax
004003A6 C1E0 08 shl eax,8
004003A9 AC lods byte ptr ds:[esi]
004003AA E8 2C000000 call 004003DB
004003AF 3D 007D0000 cmp eax,7D00
004003B4 73 0A jnb short 004003C0
004003B6 80FC 05 cmp ah,5
004003B9 73 06 jnb short 004003C1
004003BB 83F8 7F cmp eax,7F
004003BE 77 02 ja short 004003C2
004003C0 41 inc ecx
004003C1 41 inc ecx
004003C2 95 xchg eax,ebp
004003C3 89E8 mov eax,ebp
004003C5 B3 01 mov bl,1
004003C7 56 push esi
004003C8 89FE mov esi,edi
004003CA 29C6 sub esi,eax
004003CC F3:A4 rep movs byte ptr es:[edi],byte ptr ds:[esi]
004003CE 5E pop esi
004003CF EB 8E jmp short 0040035F
004003D1 00D2 add dl,dl
004003D3 75 05 jnz short 004003DA
004003D5 8A16 mov dl,byte ptr ds:[esi]
004003D7 46 inc esi
004003D8 10D2 adc dl,dl
004003DA C3 retn
004003DB 31C9 xor ecx,ecx
004003DD 41 inc ecx
004003DE E8 EEFFFFFF call 004003D1
004003E3 11C9 adc ecx,ecx
004003E5 E8 E7FFFFFF call 004003D1
004003EA 72 F2 jb short 004003DE
004003EC C3 retn
004003ED 5B pop ebx
004003EE 5D pop ebp
004003EF C3 retn
//这里设断,中断后解码完毕
|
_____________________________________________
5.Import Table
| 00400286 EB 01 jmp short 00400289
//004003EF解码完毕后返回这里
00400289 BE 00600000 mov esi,6000
//6000是Import Table RVA ★
0040028E EB 01 jmp short 00400291
|
现在壳已经把程序解码完毕,而此时输入表还没有填充系统函数地址,正是Dump的最佳时机
由于SimplePack Method2压缩后的文件修改了资源地址,而壳在第3部分把正确的Resource Table Address写回PE头,所以设置LordPE->Options->Task Viewer->去掉 Full dump:Paste header from disk 选项,也就是不使用物理文件的PE头
运行LordPE完全dump目标进程
| 00400291 09F6 or esi,esi
00400293 0F84 A0000000 je 00400339
00400299 01EE add esi,ebp
0040029B EB 01 jmp short 0040029E
0040029E 8B4E 0C mov ecx,dword ptr ds:[esi+C]
004002A1 EB 01 jmp short 004002A4
004002A4 09C9 or ecx,ecx
004002A6 0F84 8D000000 je 00400339
//输入表处理完毕则跳转
004002AC EB 01 jmp short 004002AF
004002AF 01E9 add ecx,ebp
004002B1 EB 01 jmp short 004002B4
004002B4 89CF mov edi,ecx
004002B6 EB 01 jmp short 004002B9
004002B9 57 push edi
004002BA EB 01 jmp short 004002BD
004002BD FF53 28 call near dword ptr ds:[ebx+28] ; kernel32.LoadLibraryA
004002C0 89C7 mov edi,eax
004002C2 EB 01 jmp short 004002C5
004002C5 8B0E mov ecx,dword ptr ds:[esi]
004002C7 09C9 or ecx,ecx
004002C9 75 03 jnz short 004002CE
004002CB 8B4E 10 mov ecx,dword ptr ds:[esi+10]
004002CE E3 7B jecxz short 0040034B
004002D0 01E9 add ecx,ebp
004002D2 EB 01 jmp short 004002D5
004002D5 8B56 10 mov edx,dword ptr ds:[esi+10]
004002D8 EB 01 jmp short 004002DB
004002DB 01EA add edx,ebp
004002DD EB 01 jmp short 004002E0
004002E0 8B01 mov eax,dword ptr ds:[ecx]
004002E2 EB 01 jmp short 004002E5
004002E5 09C0 or eax,eax
004002E7 74 48 je short 00400331
004002E9 EB 01 jmp short 004002EC
004002EC A9 00000080 test eax,80000000
004002F1 74 0A je short 004002FD
004002F3 EB 01 jmp short 004002F6
004002FD 01E8 add eax,ebp
004002FF EB 01 jmp short 00400302
00400302 83C0 02 add eax,2
00400305 EB 01 jmp short 00400308
00400308 51 push ecx
00400309 52 push edx
0040030A EB 01 jmp short 0040030D
0040030D 50 push eax
0040030E 57 push edi
0040030F EB 01 jmp short 00400312
00400312 FF53 2C call near dword ptr ds:[ebx+2C] ; kernel32.GetProcAddress
00400315 EB 01 jmp short 00400318
00400318 5A pop edx
00400319 59 pop ecx
0040031A EB 01 jmp short 0040031D
0040031D 09C0 or eax,eax
0040031F 74 2A je short 0040034B
00400321 8902 mov dword ptr ds:[edx],eax
00400323 EB 01 jmp short 00400326
00400326 83C1 04 add ecx,4
00400329 EB 01 jmp short 0040032C
0040032C 83C2 04 add edx,4
0040032F EB AC jmp short 004002DD
00400331 83C6 14 add esi,14
00400334 E9 62FFFFFF jmp 0040029B
//循环处理输入表
00400339 EB 01 jmp short 0040033C
|
_____________________________________________
6.OEP
| 0040033C 89E8 mov eax,ebp
0040033E EB 01 jmp short 00400341
00400341 05 CC100000 add eax,10CC
00400346 EB 01 jmp short 00400349
00400349 FFE0 jmp near eax ; SimplePa.004010CC
//飞向光明之巅
004010CC 90 nop
//OEP
//注意这里是NOP,貌似可以正常运行
004010CD 8BEC mov ebp,esp
004010CF 83EC 44 sub esp,44
004010D2 56 push esi
004010D3 FF15 E0634000 call near dword ptr ds:[4063E0] ; kernel32.GetCommandLineA
|
_____________________________________________
7.Game Over
用LordPE修正PE信息:OEP RVA=000010CC / Import Table RVA=00006000
Import Table Size可以看下IID数组的大小,填大点也没关系
SimplePack Method2压缩后文件清0了Resource Table Size,可以使用DT_FixRes把资源dump下来
用WinHex打开rsrc.bin,可以看到大小是0X5000,修正Resource Table Size=5000
简单优化一下,用LordPE删除最后一个区段,用WinHex删除自0X7000至末尾的数据。用LordPE修正第一区段的VSize=00006000,只保留LordPE的Validate PE选项ReBuild处理后的文件。再用LordPE载入DT_FixRes抓取的rsrc.bin区段,ReBuild PE即可。还可以找个正常的PE头修复一下被SimplePack折腾得一塌糊涂的PE头,完美修复PE结构就不做了。
|
|