chap8-5-5-2.htm, from the KanXue document collection 加密与解密 (Encryption and Decryption: Software Protection Techniques and Solutions)
  the thunk option is not required. </span></p>
<p><span class="p9">:dd 446000 l 40<br>
  0030:00446000 00000000 00000000 00000000 0004669C .............f..<br>
  0030:00446010 0004612C 00000000 00000000 00000000 ,a..............</span></p>
<p><span class="p9">Address 4669c is the Name field: it points to the library name (an RVA, so add the image base 400000 to get the address SoftICE uses, 44669c).</span></p>
<p><span class="p9">:db 44669c l 10<br>
  0030:0044669C 4B 45 52 4E 45 4C 33 32-2E 44 4C 4C 00 00 00 00 KERNEL32.DLL....</span></p>
<p><span class="p9">Address 612c is the FirstThunk field, the array of thunks for this library. So the IMAGE_IMPORT_DESCRIPTOR at 446000 reads: OriginalFirstThunk=0, TimeDateStamp=0, ForwarderChain=0, Name=4669C, FirstThunk=4612C; the dwords that follow are zero, i.e. the start of the terminating descriptor.</span></p>
<p><span class="p9">:dd 44612c l 10<br>
  0030:0044612C 000466AA 000466C2 000466DA 000466F2 .f...f...f...f..</span></p>
<p><span class="p9">These are the RVAs of IMAGE_IMPORT_BY_NAME entries: each is a 2-byte hint followed by the NULL-terminated ASCII name of the API. 466aa is the entry for the first API, 466c2 for the second, and so on; the array itself is terminated by a NULL dword.<br>
  </span></p>
<p><span class="p9">:db 4466aa l 20<br>
  0030:004466AA 00 00 44 65 6C 65 74 65-43 72 69 74 69 63 61 6C ..DeleteCritical<br>
  0030:004466BA 53 65 63 74 69 6F 6E 00-00 00 4C 65 61 76 65 43 Section...LeaveC</span></p>
<p><span class="p9">From the analysis above this is the original import table (the thunks still point at name strings inside the image, not at resolved addresses inside KERNEL32), so dump it now, starting at the image_import_descriptors address found earlier:</span></p>
<p><span class="p9">:/dump 446000 2000 c:\aspack.idata.bin<br>
  (if you are using an IceDump version earlier than 6.016, use: pagein d 446000 2000 c:\aspack.idata.bin)<br>
  </span></p>
<p class="p9">For comparison, a correctly dumped <span class="p9">import table</span> is available for <a href="aspack.idata.zip">download</a> here.</p>
<p><span class="p9"><br>
  =part4===part4===part4===part4===part4===part4===part4===part4===part4===part4=<br>
  <b>Dump the whole program and fix the file header</b></span></p>
<p class="p9">1. Now we need to find the program's entry point. Enter the command <span class="p9">:bpx loadlibrarya</span>, press F5 14 times, then step with F10 until you reach the following code:</p>
<table width="100%" align="center" bgcolor="#000000" height="0" bordercolorlight="#FFFFFF" bordercolordark="#FFFFFF">
  <tr> 
    <td class="p9" height="184"><pre><font color="#FFFFFF">0137:00C1150E  8B4508        MOV      EAX,[EBP+08]
0137:00C11511  8B10          MOV      EDX,[EAX]          DS:004664FC=00400000
0137:00C11513  8B4508        MOV      EAX,[EBP+08]
0137:00C11516  035018        ADD      EDX,[EAX+18]
0137:00C11519  8B4508        MOV      EAX,[EBP+08]
0137:00C1151C  8B401C        MOV      EAX,[EAX+1C]
0137:00C1151F  E874F9FFFF    CALL     00C10E98           <font color="#33FF33">←press F8 here to step into the call</font>
0137:00C11524  5F            POP      EDI
0137:00C11525  5E            POP      ESI
0137:00C11526  5B            POP      EBX
0137:00C11527  59            POP      ECX
0137:00C11528  59            POP      ECX
0137:00C11529  5D            POP      EBP
0137:00C1152A  C20400        RET      0004</font></pre></td>
  </tr>
</table>
<p class="p9"><br>
  The code above loads the image base from [EAX] (DS:004664FC=00400000) into EDX, adds the dword at [EAX+18] to it (so that field is the entry point's RVA), and loads [EAX+1C] (the stack pointer to restore) into EAX before the call. After pressing F8 you arrive here:</p>
<table width="100%" cellspacing="0" align="center" bgcolor="#000000">
  <tr> 
    <td class="p9"><pre><font color="#FFFFFF">0137:00C10E96  8BC0          MOV      EAX,EAX
0137:00C10E98  89C4          MOV      ESP,EAX
0137:00C10E9A  89D0          MOV      EAX,EDX
0137:00C10E9C  8B1D6C66C100  MOV      EBX,[00C1666C]
0137:00C10EA2  89041C        MOV      [EBX+ESP],EAX
0137:00C10EA5  61            POPAD
0137:00C10EA6  50            PUSH     EAX        <font color="#33FF33">;pushes 442b98, which is the entry point</font>
0137:00C10EA7  C3            RET                 <font color="#33FF33">;returns into the fully unpacked code, i.e. to the entry point</font>
0137:00C10EA8  C3            RET</font></pre></td>
  </tr>
</table>
<p class="p9">The routine restores the original ESP, writes the entry point (EDX) into the EAX slot of the saved PUSHAD frame at [EBX+ESP] so that POPAD leaves it in EAX, and the PUSH EAX / RET pair then transfers control to the unpacked code. This lands at the entry point:</p>
<table width="100%" cellspacing="0" align="center" bgcolor="#000000">
  <tr> 
    <td class="p9"><pre><font color="#FFFFFF">0167:00442B98  55            PUSH     EBP        <font color="#66FF66">←this is the entry point</font>
0167:00442B99  8BEC          MOV      EBP,ESP
0167:00442B9B  83C4F4        ADD      ESP,-0C</font></pre></td>
  </tr>
</table>
<p class="p9"><font color="#000000">At <span class="p9">0167:00442B98 the whole memory image can be dumped: the program is now fully unpacked and about to run. Note the entry point: 00442B98.<br>
  Before dumping, clear all breakpoints: bc *. </span></font></p>
<p class="p9"><font color="#000000">:/dump <span class="p9">400000 79000 c:\aspack.dumped.exe</span></font> 
  <br>
  <span class="p9">(this dumps the whole loaded image starting at the image base; if you are using an IceDump version earlier than 6.016, use: pagein d 400000 79000 c:\aspack.dumped.exe)</span> 
</p>
<p><span class="p9">2. Replace the import table with the correct one</span></p>
<p><span class="p9">Open aspack.dumped.exe and aspack.idata.bin in Hex Workshop. In the exe, Goto offset 46000 and Select Block with a size of 2000. Copy the block of the same size (2000) from aspack.idata.bin and paste it into the exe, replacing the wrong .idata section, then save. (Note: all values here are hexadecimal. Because the exe is a raw memory dump, file offsets equal RVAs, which is why the import table goes at file offset 46000, the same number as its RVA.)</span></p>
<p class="p9">3. Fix the PE header<br>
  <br>
  Open the newly created <span class="p9">aspack.dumped.exe</span> in ProcDump, <span class="p9">click the PE Editor button</span>, then the SECTIONS button; right-click each section, choose Edit section, and set PSize = VSize and Offset = RVA for every section (again because file offsets equal RVAs in a memory dump).</p>
<p class="p9">For example, CODE has PSize=0001E000; VSize=00042000; Offset=00000400; RVA=00001000;<br>
  change it to PSize = VSize = 00042000; Offset = RVA = 00001000;</p>
<p class="p9">After all sections are changed, press OK and save. Refresh in Explorer and the icon of <span class="p9">aspack.dumped.exe</span> is back, but the file still does not run: the entry point and the <span class="p9">import table</span> still have to be fixed.</p>
<p class="p9">Set the Entry Point to <span class="p9">00042B98</span> (remember: <span class="p9">00442B98</span> - <span class="p9">imagebase</span> = <span class="p9">42B98</span>).</p>
<p class="p9">Then click the Directory button and set the Import Table RVA to <span class="p9">46000; the Size only has to be greater than 0, because the loader walks the descriptors until it reaches the all-zero terminating entry rather than relying on this field.</span></p>
<p><span class="p9">Click OK, exit ProcDump and run <span class="p9">aspack.dumped.exe</span>: it runs sweetly!</span></p>
<p><span class="p9">At this point W32DASM cannot disassemble it; use ProcDump to edit the first <span class="p9">section's characteristics:</span></span></p>
<p><span class="p9">change c0000060 (read/write, code and initialized data, but no execute flag) to 60000040 (execute/read, initialized data) or e0000060 (execute/read/write, code and initialized data). The bit that matters is IMAGE_SCN_MEM_EXECUTE (20000000), which c0000060 lacks.</span></p>
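<p class="p9">Steps 2 and 3 above (paste the saved import table, set PSize = VSize and Offset = RVA on every section, fix the entry point and the import directory) together with the section-characteristics change, applied to the dump file by a script instead of by hand in Hex Workshop and ProcDump. This is an added example, not code from the KanXue text; the PE field offsets follow the PE32 header layout, and the sample headers (e_lfanew 100, the packer's entry point 75001, the .idata section geometry) and the 2000-byte stand-in for aspack.idata.bin are constructed values.</p>

```python
import struct

SIZE_OF_IMAGE = 0x79000             # the page dumps 400000..479000
IMAGE_BASE = 0x400000
IMAGE_SCN_MEM_EXECUTE = 0x20000000  # the flag c0000060 lacks and e0000060 has
SEC_FMT = "<8sIIIIIIHHI"            # IMAGE_SECTION_HEADER, 40 bytes


def _headers(dump):
    """Return (optional header offset, section count, section table offset)."""
    e_lfanew, = struct.unpack_from("<I", dump, 0x3C)
    if dump[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, = struct.unpack_from("<H", dump, e_lfanew + 6)          # NumberOfSections
    opt_size, = struct.unpack_from("<H", dump, e_lfanew + 20)     # SizeOfOptionalHeader
    opt = e_lfanew + 24
    if struct.unpack_from("<H", dump, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    return opt, nsec, opt + opt_size


def pe_summary(dump):
    """The fields ProcDump's PE editor shows: entry point, import directory, sections."""
    opt, nsec, sec = _headers(dump)
    entry, = struct.unpack_from("<I", dump, opt + 16)             # AddressOfEntryPoint
    imp_rva, imp_size = struct.unpack_from("<II", dump, opt + 104)  # DataDirectory[IMPORT]
    sections = []
    for i in range(nsec):
        f = struct.unpack_from(SEC_FMT, dump, sec + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0").decode(), "vsize": f[1], "rva": f[2],
                         "psize": f[3], "offset": f[4], "chars": f[9]})
    return {"entry": entry, "import": (imp_rva, imp_size), "sections": sections}


def fix_dump(dump, oep_va, idata, idata_rva):
    """Rewrite a raw memory dump so the loader accepts it. File offset == RVA in
    such a dump, which is why both the paste offset and PointerToRawData can be
    the RVA itself."""
    dump = bytearray(dump)
    if idata_rva + len(idata) > len(dump):
        raise ValueError("import table blob does not fit in the image")
    dump[idata_rva:idata_rva + len(idata)] = idata                  # step 2: paste aspack.idata.bin
    opt, nsec, sec = _headers(dump)
    image_base, = struct.unpack_from("<I", dump, opt + 28)
    struct.pack_into("<I", dump, opt + 16, oep_va - image_base)     # entry point = OEP - imagebase
    struct.pack_into("<II", dump, opt + 104, idata_rva, len(idata))  # import directory RVA, size > 0
    for i in range(nsec):
        off = sec + 40 * i
        vsize, va = struct.unpack_from("<II", dump, off + 8)
        struct.pack_into("<II", dump, off + 16, vsize, va)          # PSize = VSize, Offset = RVA
        if i == 0:                                                  # make the first section executable
            chars, = struct.unpack_from("<I", dump, off + 36)
            struct.pack_into("<I", dump, off + 36, chars | IMAGE_SCN_MEM_EXECUTE)
    return bytes(dump)


def build_sample_dump():
    """Constructed: headers of a dump in the state the page describes (the section
    table still carries the packed file's PSize/Offset, the entry point still
    points into the packer stub). Everything outside the headers is zero."""
    dump = bytearray(SIZE_OF_IMAGE)
    dump[0:2] = b"MZ"
    struct.pack_into("<I", dump, 0x3C, 0x100)                       # e_lfanew (constructed)
    dump[0x100:0x104] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", dump, 0x104, 0x14C, 2, 0, 0, 0, 0xE0, 0x10F)  # IMAGE_FILE_HEADER
    opt = 0x118
    struct.pack_into("<H", dump, opt, 0x10B)                        # PE32 magic
    struct.pack_into("<I", dump, opt + 16, 0x75001)                 # packer stub EP (constructed)
    struct.pack_into("<I", dump, opt + 28, IMAGE_BASE)
    struct.pack_into("<I", dump, opt + 56, SIZE_OF_IMAGE)
    struct.pack_into("<I", dump, opt + 92, 16)                      # NumberOfRvaAndSizes
    struct.pack_into("<II", dump, opt + 104, 0x75200, 0x40)         # stub's import dir (constructed)
    sec = opt + 0xE0
    # name, VSize, RVA, PSize, Offset, (reloc/line fields), Characteristics: CODE values from the page
    struct.pack_into(SEC_FMT, dump, sec, b"CODE", 0x42000, 0x1000, 0x1E000, 0x400, 0, 0, 0, 0, 0xC0000060)
    struct.pack_into(SEC_FMT, dump, sec + 40, b".idata", 0x2000, 0x46000, 0x200, 0x1E400, 0, 0, 0, 0, 0xC0000040)
    return bytes(dump)


if __name__ == "__main__":
    fixed = fix_dump(build_sample_dump(), 0x442B98, bytes(range(256)) * 32, 0x46000)
    print(pe_summary(fixed))
```

<p class="p9">On the real files: fix_dump(open("c:\\aspack.dumped.exe","rb").read(), 0x442B98, open("c:\\aspack.idata.bin","rb").read(), 0x46000) produces the same result as the Hex Workshop and ProcDump steps, and pe_summary on the output is the quick check that every section now has psize == vsize and offset == rva before you try to run it.</p>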
<p class="p9">Note: screens can be captured in <span class="p9">Icedump 6.016</span> with :/Screendump.<br>
  Without arguments, :/Screendump selects the mode; running it repeatedly cycles through the five modes 0, 1, 2, 3, 4.<br>
  Mode 1 (the default) saves as plain text, mode 2 as an HTML file; see its readme for the others.<br>
  Once the mode is chosen, :/SCREENDUMP [path\]filename captures the whole SoftICE screen.</p>
<p align="center"><a href="../Catalog.htm"><img src="../image/navtoc.gif" width="84" height="23" border="0"></a><a href="Chap8-5-5-1.htm"><img src="../image/Navprev.gif" width="80" height="23" border="0"></a><a href="Chap8-5-5-3.htm"><img src="../image/navnext.gif" width="83" height="23" border="0"></a></p>
<hr width=735>
<div align="center"><span class="p9"><font size="2"><span class="p9"><font size="2"><span class="p9">Copyright 
  &copy; 2000-2001 <a href="http://www.pediy.com/">KanXue Studio</a> All Rights 
  Reserved.</span></font></span></font></span></div>
</body>
</html>
