  OK, at this point the capabilities of your SoftICE have been greatly strengthened.<br>
  Now try running ShowDep: the screen goes blue and presents a menu telling you that ShowDep has detected SoftICE and asking whether to fool it. Press ESC and the program runs normally. (Note: my SoftICE has been patched with icepath.)<br>
  </span></p>
<p><span class="p9">c. Intercepting the LoadLibraryA function<br>
  </span></p>
<p><span class="p9"><span class="p9">Enter the command: <span class="p9">bpx loadlibrarya do 
  &quot;dd esp-&gt;4&quot;</span></span><br>
  (Note: the command that does the same under TRW2000 is: bpx loadlibrarya do "dd *(esp+4)") </span></p>
<p class="p9">This command means: when the <span class="p9">LoadLibraryA</span> call is intercepted, display the value in memory of its entry parameter. For example:</p>
<p class="p9"><font color="#000000" class="p9">0137:00710242 PUSH EAX <br>
  0137:00710243 CALL [<span class="p9">LoadLibraryA</span>] ;when this function is called SoftICE breaks and displays the value of the pushed parameter, which here amounts to: d 
  eax </font></p>
<p>OK<span class="p9">, once the breakpoint is set, run <span class="p9">the ShowDep program; it will break. Press F5 repeatedly until the data window shows the string KERNEL32.DLL. On my win97 system two presses of F5 were enough to see the following:</span></span></p>
<table width="100%" cellspacing="0" align="center" bgcolor="#000000">
  <tr> 
    <td class="p9"><font color="#00AF00">-----SHOWDEP!.rdata+1A8A--------------------------dword-------------PROT---<font color="#00FFFF">(0)<font color="#00AF00">--</font></font></font></td>
  </tr>
  <tr> 
    <td class="p9" height="18"><font color="#AFAFAF">0030:<font color="#FF3366">0042DA8A</font> 
      4E52454B 32334C45 4C4C442E 019A0000 KERNEL32.DLL.... ^</font></td>
  </tr>
  <tr> 
    <td class="p9"><font color="#AFAFAF">0030:0042DA9A 64616F4C 73727543 0041726F 
      6F4C01AB LoadCursorA...Lo v</font></td>
  </tr>
</table>
<div align="center"><span class="p9">(Figure 6)</span> </div>
<p class="p9">Hehe... look at Figure 6 and Figure 3: are they not identical? The address in front, <font color="#AFAFAF"><font color="#FF3366">0042DA8A</font></font>, is the key.<br>
  <font color="#AFAFAF"><font color="#FF3366">0042DA8A</font></font> is the value of the Name field of the <span class="p9">IMAGE_IMPORT_DESCRIPTOR structure</span>, because that structure looks like this:</p>
<p class="p9"><font color="#000000">0030:0042D104 0002D23C 00000000 00000000 <font color="#FF6699">0002DA8A</font> 
  &lt;............... ^<br>
  0030:0042D114 0002C070 0002D43C 00000000 00000000 p...&lt;........... v </font></p>
<p class="p9"><font color="#000000">So now I search backwards in the data window for the byte string <font color="#FF6699">0002DA8A</font> (<font color="#FF6699">0002DA8A</font> = </font><font color="#AFAFAF"><font color="#FF3366">0042DA8A</font></font> - image base):</p>
<p class="p9">Enter the command: S DS:400000 L FFFFFFFF 8A DA 02 00<br>
  <span class="p9">(Note: the command that does the same under TRW2000 is: </span>S 30:0 L FFFFFFFF 8A DA 02 00) (the form above does not seem to work there; hopefully a newer version will improve this) 
  <br>
  The result is as follows: </p>
<table width="100%" cellspacing="0" bgcolor="#000000" align="center">
  <tr> 
    <td class="p9"><font color="#00AF00">-----SHOWDEP!.rdata+1100--------------------------dword-------------PROT---<font color="#00FFFF">(0)<font color="#00AF00">--</font></font></font></td>
  </tr>
  <tr> 
    <td class="p9" height="18"><font color="#AFAFAF">013F:0042D100 0042B385 0002D23C 
      00000000 00000000 ..B.&lt;........... ^</font></td>
  </tr>
  <tr> 
    <td class="p9"><font color="#AFAFAF">013F:0042D110 <font color="#FF3399">0002DA8A</font> 
      0002C070 0002D43C 00000000 ....p...&lt;....... v</font></td>
  </tr>
</table>
<div align="center"><span class="p9">(Figure 7)</span> </div>
<p class="p9">Compare Figure 7 carefully with Figure 1 and you will see that this is the IMAGE_IMPORT_DESCRIPTOR array of the Import table.<br>
  If this view looks unfamiliar, enter the command: D 42D110-C, which displays the same picture as Figure 1.</p>
<p class="p9">This establishes that the address of the Import table is <font color="#000000">2D104=0042D104-400000 (image base)</font></p>
<p class="p9"><font color="#000000">③ Determining the size of the Import table</font></p>
<p class="p9"><font color="#000000">The starting address of the Import table is now fixed: RVA=42D104. Once the end of the Import table is determined, its size can be computed. In memory the Import table is one contiguous block of data, and the region just past its end is normally filled with zeros. In this example, first position yourself at the start of the Import table, then page down with ALT+↓ (or ALT+PageDown) until you see the following:</font></p>
<table width="100%" cellspacing="0" align="center" bgcolor="#000000">
  <tr> 
    <td class="p9"><font color="#AFAFAF">013F:0042E54A 65530262 766E4574 6E6F7269 
      746E656D b.SetEnvironment </font></td>
  </tr>
  <tr> 
    <td class="p9"><font color="#AFAFAF">013F:0042E55A 69726156 656C6261 011D0041 
      4C746547 VariableA...GetL </font></td>
  </tr>
  <tr> 
    <td class="p9"><font color="#AFAFAF">013F:0042E56A 6C61636F 666E4965 <font color="#FF3366">0000576F</font> 
      00000000 ocaleInfo<font color="#FF3399">W</font>...... </font></td>
  </tr>
  <tr> 
    <td class="p9"><font color="#AFAFAF">013F:0042E57A 00000000 00000000 00000000 
      00000000 ................ v</font></td>
  </tr>
  <tr> 
    <td height="23" class="p9"><font color="#AFAFAF">013F:0042E58A 00000000 00000000 
      00000000 00000000 ................ v</font></td>
  </tr>
</table>
<div align="center"><span class="p9">(Figure 8)</span> </div>
<p><span class="p9">The string <font color="#AFAFAF"><font color="#FF3366">0000576F</font></font> is the last item of the Import table; the address of the 000000 that immediately follows it is 42e574 (the boundary is the red W above; if you cannot pin it down in SoftICE, dump first and a hex editor such as <span class="p9">Hexworkshop</span> makes the boundary address easy to find)</span></p>
<p class="p9">Therefore the size of the Import table = 42E574-<font color="#000000">42D104</font>=1470</p>
<p><span class="p9">④. Finding the entry point</span></p>
<p><span class="p9">In SoftICE you arrive at the following:<br>
  0137:00710B35 MOV EDX,[EAX] <br>
  0137:00710B37 MOV EAX,[EBP+08] <br>
  0137:00710B3A ADD EDX,[EAX+18] <br>
  0137:00710B3D MOV EAX,[EBP+08] <br>
  0137:00710B40 MOV EAX,[EAX+1C] <br>
  0137:00710B43 CALL 007104C8 ←press F8 to step into this call<br>
  0137:00710B48 POP EDI <br>
  0137:00710B49 POP ESI <br>
  0137:00710B4A POP EBX <br>
  0137:00710B4B POP ECX</span></p>
<p class="p9">Pressing F8 to step in brings you to:</p>
<table width="100%" cellspacing="0" bordercolor="#000000" align="center">
  <tr bgcolor="#000000"> 
    <td class="p9"><font color="#AFAFAF">0137:007104C6 8BC0 MOV EAX,EAX </font></td>
  </tr>
  <tr bgcolor="#000000"> 
    <td class="p9"><font color="#AFAFAF">0137:007104C8 89C4 MOV ESP,EAX </font></td>
  </tr>
  <tr bgcolor="#000000"> 
    <td class="p9"><font color="#AFAFAF">0137:007104CA 89D0 MOV EAX,EDX </font></td>
  </tr>
  <tr bgcolor="#000000"> 
    <td class="p9"><font color="#AFAFAF">0137:007104CC 8B1D34567100 MOV EBX,[00715634] 
      </font></td>
  </tr>
  <tr bgcolor="#000000"> 
    <td class="p9"><font color="#AFAFAF">0137:007104D2 89041C MOV [EBX+ESP],EAX 
      </font></td>
  </tr>
  <tr bgcolor="#000000"> 
    <td class="p9"><font color="#AFAFAF">0137:007104D5 61 POPAD </font></td>
  </tr>
  <tr bgcolor="#000000"> 
    <td class="p9"><font color="#CCCCCC">0137:007104D6 50 PUSH EAX <font color="#66FF66">←here EAX=422c3a, i.e. the value of the entry point</font></font></td>
  </tr>
  <tr bgcolor="#000000"> 
    <td class="p9"><font color="#AFAFAF">0137:007104D7 C3 RET </font><font color="#66FF66">←returns to the entry point</font></td>
  </tr>
</table>
<div align="center"><span class="p9">(Figure 9)</span> </div>
<p><span class="p9"><font color="#000000"><span class="p9">At this point the program is fully unpacked and ready to run. Write down the program's entry point: 00422c3a 
  Before dumping, clear all breakpoints: bc *. </span></font>Then, in SoftICE, you can use the command:</span></p>
<p class="p9"><span class="p9">:/dump 400000 <span class="p9">A0000</span> c:\temp\dump.exe</span><br>
  <span class="p9">(If you use an Icedump version earlier than 6.016, use this command instead: pagein d 400000 <span class="p9">A0000</span> 
  c:\temp\dump.exe)</span> </p>
<p><span class="p9"><span class="p9">⑤</span> Fixing the PE header</span><br>
  <br>
  <span class="p9">Open the freshly created <span class="p9"><span class="p9">dump.exe</span></span> in Procdump, <span class="p9">click the PE Editor button</span>, then click the SECTIONS button. Right-click each section, choose Edit 
  section, and set every section's PSize == VSize and offset == RVA (that is, make the physical size and address equal to the virtual size and address). If you unpacked with Procdump itself, this step can be skipped.</span></p>
<p class="p9">After editing all the sections, press OK and save. Refresh Explorer and you will see that the icon of <span class="p9"><span class="p9">dumped.exe</span></span> is back, but it still cannot run: you still have to fix the entry point and the <span class="p9"><span class="p9"><span class="p9"><span class="p9">import table</span></span></span></span>.</p>
<p class="p9">Change the entry point (Entry Point) to: <span class="p9"><font color="#000000"><span class="p9">00422c3a</span></font></span> (remember: <span class="p9"><font color="#000000"><span class="p9">00422c3a</span></font></span>-<span class="p9">imagebase</span>=<font color="#000000"><span class="p9"><font color="#000000"><span class="p9">22c3a</span></font></span></font>)</p>
<p class="p9">Then click the Directory button and change the Import Table to<span class="p9"> RVA (2D104); its Size option only needs to be greater than 0. (For this program the import table is not damaged after dumping, so filling in the import 
  RVA/size is enough!) In this example the size of the Import table was not needed, but the method is worth mastering: when you meet a program whose Import table is damaged, you have to replace the Import table, and then you need its size.</span></p>
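<p class="p9">The three Procdump edits above (section PSize/offset, entry point, import directory RVA/Size) are plain writes to fixed offsets in the PE header. The following Python is an added example, not the tutorial's own code and not Procdump's: it constructs a minimal PE32 header in the state a raw dump leaves it (entry point still pointing at the packer stub, import directory zeroed, raw sizes unrelated to the in-memory layout) and applies the same three fixes by field offset. The header values are invented; the entry point 00422c3a, import RVA 2D104 and size 1470 are the tutorial's figures.</p>

```python
import struct

IMAGE_BASE = 0x400000          # tutorial's image base
PE32_MAGIC = 0x10B
SECTION_HEADER_FMT = "<8sIIIIIIHHI"   # 40-byte IMAGE_SECTION_HEADER
IMPORT_DIRECTORY_INDEX = 1            # IMAGE_DIRECTORY_ENTRY_IMPORT


def build_sample_dump():
    """Constructed minimal PE32 header (invented values, not a real dump):
    DOS header, PE signature, file header, optional header, two sections."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)                     # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 16, 0x310000)               # AddressOfEntryPoint: packer stub
    struct.pack_into("<I", opt, 28, IMAGE_BASE)             # ImageBase
    struct.pack_into("<I", opt, 92, 16)                     # NumberOfRvaAndSizes
    # (Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ...)
    sections = b"".join(
        struct.pack(SECTION_HEADER_FMT, name, vsize, va, 0x200, raw, 0, 0, 0, 0, 0xE0000060)
        for name, vsize, va, raw in ((b".text", 0x2C000, 0x1000, 0x400),
                                     (b".rdata", 0x3000, 0x2D000, 0x2C400)))
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + sections


def pe_layout(data):
    """Return (optional header offset, section table offset, section count)."""
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    if struct.unpack_from("<H", data, opt)[0] != PE32_MAGIC:
        raise ValueError("only PE32 is handled here")
    return opt, opt + opt_size, nsec


def fix_dumped_pe(data, entry_va, import_rva, import_size):
    """The tutorial's Procdump steps as direct header writes:
    1. every section: SizeOfRawData = VirtualSize, PointerToRawData = VirtualAddress
    2. AddressOfEntryPoint = OEP - ImageBase
    3. import data directory = (RVA, Size)."""
    out = bytearray(data)
    opt, sec_table, nsec = pe_layout(out)
    image_base = struct.unpack_from("<I", out, opt + 28)[0]
    struct.pack_into("<I", out, opt + 16, entry_va - image_base)
    struct.pack_into("<II", out, opt + 96 + 8 * IMPORT_DIRECTORY_INDEX, import_rva, import_size)
    for i in range(nsec):
        off = sec_table + 40 * i
        vsize, va = struct.unpack_from("<II", out, off + 8)   # VirtualSize, VirtualAddress
        struct.pack_into("<II", out, off + 16, vsize, va)     # SizeOfRawData, PointerToRawData
    return bytes(out)


def describe(data):
    """Read back the fields the fix touches, for checking before/after."""
    opt, sec_table, nsec = pe_layout(data)
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    imp = struct.unpack_from("<II", data, opt + 96 + 8 * IMPORT_DIRECTORY_INDEX)
    secs = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, sec_table + 40 * i)
        secs.append((name.rstrip(b"\0").decode(), vsize, va, rawsize, rawptr))
    return {"entry_rva": entry, "import": imp, "sections": secs}


if __name__ == "__main__":
    raw = build_sample_dump()
    fixed = fix_dumped_pe(raw, 0x422C3A, 0x2D104, 0x1470)
    print("before:", describe(raw))
    print("after: ", describe(fixed))
```

<p class="p9">Setting SizeOfRawData = VirtualSize and PointerToRawData = VirtualAddress is exactly the "PSize == VSize, offset == RVA" rule above: the dump is a memory image, so file offsets must equal RVAs for the loader to map it back correctly. The fields patched are the ones Procdump's Entry Point and Directory dialogs write; a real dump would also be run through a dependency check afterwards to confirm the imports resolve.</p>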
<p><span class="p9">Then click OK, exit Procdump, and run<span class="p9"> dumped.exe: the program runs successfully!</span></span> 
  <br>
</p>
<div align="center">
<p align="left" class="p9"><font color="#6699FF">Method three: use the S command to search for the string KERNEL32.DLL and locate the Import table</font></p>
  <p align="left" class="p9">If the software has no .idata section and method two, <span class="p9"><span class="p9"><span class="p9">bpx 
    loadlibrarya do &quot;dd esp-&gt;4&quot;</span></span></span>, does not reveal KERNEL32.DLL either, the S command has to assist.</p>
  <p align="left" class="p9">First set <span class="p9"><span class="p9"><span class="p9">bpx 
    loadlibrarya <span class="p9"><span class="p9">do &quot;dd esp-&gt;4&quot;</span></span></span></span></span></p>
  <p align="left" class="p9">After the break, judge from experience when the Import table has been completely decompressed; generally by the first or second break (in some cases it takes several) the Import table is essentially fully decompressed. Then enter the command: S 
    DS:400000 l FFFFFFFF 'KERNEL32.DLL'<br>
  </p>
  <p align="left" class="p9">KERNEL32.DLL will be found in the data area, but this is not necessarily the KERNEL32.DLL entry that the <span class="p9"><span class="p9">IMAGE_IMPORT_DESCRIPTOR structure</span></span> refers to; that has to be analyzed case by case. Generally the KERNEL32.DLL we want sits at an address of the form xxx:4xxxxxx.</p>
  <p align="left" class="p9">If you cannot decide which KERNEL32.DLL is the key one, the only option is to dump and analyze with a hex editor, which is more intuitive: open the dump and look for <span class="p9"><span class="p9">a structure resembling IMAGE_IMPORT_DESCRIPTOR</span></span>.</p>
  <p align="left" class="p9">Of course there are many ways to locate the Import table; the ones listed here are the several I use most often, offered for reference. You are also welcome to share your own experience so that we can all improve.</p>
</div>
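<p class="p9">Both method two (search the data window for the little-endian bytes of the Name RVA, back up to the start of the descriptor, then page down to the zero terminator to get the size) and method three (search for the KERNEL32.DLL string and decide whether the hit is really the one an IMAGE_IMPORT_DESCRIPTOR points at) are the same walk over the descriptor array. The Python below is an added example, not part of this tutorial: it builds a constructed in-memory image (all RVAs invented) containing a small descriptor array and its DLL name strings, then reproduces the two SoftICE searches and the plausibility check, walking backwards to the first descriptor (the tutorial's "D 42D110-C" step) and forwards to the all-zero terminator. The Size it reports covers the descriptor array including its terminator, which is the conventional content of the import directory's Size field; the tutorial instead measures to the end of the whole import region, and notes that any value greater than 0 works for Procdump.</p>

```python
import struct

IMAGE_BASE = 0x400000          # the tutorial's image base
DESCRIPTOR_SIZE = 20           # sizeof(IMAGE_IMPORT_DESCRIPTOR): five DWORDs
NAME_OFFSET = 12               # Name is the fourth DWORD of the descriptor


def build_sample_image():
    """Constructed sample image (not a real dump): descriptor array at RVA 0x1000
    followed by an all-zero terminator, DLL name strings at 0x2000/0x2010.
    KERNEL32.DLL is deliberately the second descriptor so the backward walk matters."""
    image = bytearray(0x3000)
    for rva, s in {0x2000: b"USER32.DLL\0", 0x2010: b"KERNEL32.DLL\0"}.items():
        image[rva:rva + len(s)] = s
    # (OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk)
    descriptors = [
        (0x2100, 0, 0, 0x2000, 0x2200),   # USER32.DLL
        (0x2140, 0, 0, 0x2010, 0x2240),   # KERNEL32.DLL
        (0, 0, 0, 0, 0),                  # terminator
    ]
    off = 0x1000
    for d in descriptors:
        image[off:off + DESCRIPTOR_SIZE] = struct.pack("<5I", *d)
        off += DESCRIPTOR_SIZE
    return bytes(image)


def read_descriptor(image, rva):
    return struct.unpack_from("<5I", image, rva)


def read_cstring(image, rva, limit=64):
    end = image.find(b"\0", rva, rva + limit)
    return image[rva:end] if end != -1 else b""


def looks_like_descriptor(image, rva):
    """Plausibility check used for both walks: Name must point at a printable
    '.dll' string inside the image and FirstThunk must be set."""
    if rva < 0 or rva + DESCRIPTOR_SIZE > len(image):
        return False
    _, _, _, name, first_thunk = read_descriptor(image, rva)
    if name == 0 or name >= len(image) or first_thunk == 0:
        return False
    s = read_cstring(image, name)
    return s.isascii() and s.lower().endswith(b".dll")


def locate_import_directory(image, dll_name=b"KERNEL32.DLL"):
    """Step 1: find the DLL name string (method three's S ... 'KERNEL32.DLL').
    Step 2: search for its little-endian RVA (method two's S ... 8A DA 02 00)
    and keep only hits that sit in the Name slot of a plausible descriptor.
    Step 3: walk back to the first descriptor and forward to the terminator."""
    name_rva = image.find(dll_name + b"\0")
    if name_rva == -1:
        return None
    needle = struct.pack("<I", name_rva)
    pos = image.find(needle)
    while pos != -1:
        start = pos - NAME_OFFSET
        if looks_like_descriptor(image, start):
            while looks_like_descriptor(image, start - DESCRIPTOR_SIZE):
                start -= DESCRIPTOR_SIZE
            end = start
            while read_descriptor(image, end) != (0, 0, 0, 0, 0):
                end += DESCRIPTOR_SIZE
            end += DESCRIPTOR_SIZE   # count the terminating zero descriptor
            dlls = [read_cstring(image, read_descriptor(image, r)[3])
                    for r in range(start, end - DESCRIPTOR_SIZE, DESCRIPTOR_SIZE)]
            return {"rva": start, "va": IMAGE_BASE + start, "size": end - start, "dlls": dlls}
        pos = image.find(needle, pos + 1)   # string hit was not a Name slot; try the next
    return None


if __name__ == "__main__":
    result = locate_import_directory(build_sample_image())
    print("import directory RVA %#x (VA %#x), size %#x, dlls %s"
          % (result["rva"], result["va"], result["size"], result["dlls"]))
```

<p class="p9">The loop over needle hits is what the tutorial means by "not necessarily the KERNEL32.DLL the structure refers to": a string hit, or even an RVA hit, only counts when the surrounding 20 bytes read as a descriptor. Against a real dump you would read the file into <code>image</code> with section raw offsets equal to RVAs, as method ⑤ arranges.</p>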
<hr width=735>
<div align="center"><span class="p9"><font size="2"><span class="p9"><font size="2"><span class="p9">Copyright 
  &copy; 2000-2001 <a href="http://www.pediy.com/">KanXue Studio</a> All Rights 
  Reserved.</span></font></span></font></span></div>
</body>
</html>