WEB开发网
开发学院网络安全黑客技术 环宇通汉英翻译系统3.0脱壳 阅读

环宇通汉英翻译系统3.0脱壳

 2007-01-12 20:13:10 来源:WEB开发网   
核心提示: 0167:004E7118 MOV EAX,004300A60167:004E711D ADD EAX,EBP0167:004E711F SUB EAX,[EBP+00433DBB]0167:004E7125 PUSH EAX0167:004E7126 LEA EDI,[EBP+00430
0167:004E7118 MOV EAX,004300A6
0167:004E711D ADD EAX,EBP
0167:004E711F SUB EAX,[EBP+00433DBB]
0167:004E7125 PUSH EAX
0167:004E7126 LEA EDI,[EBP+00430000]
0167:004E712C LEA ECX,[EBP+00433138]
0167:004E7132 SUB ECX,EDI
0167:004E7134 DEC ECX
0167:004E7135 CLD
0167:004E7136 XOR AL,AL
0167:004E7138 REP STOSB
0167:004E713A POP EAX
0167:004E713B PUSH EAX
0167:004E713C LEA EDI,[EBP+004332D3]
0167:004E7142 LEA ECX,[EBP+00434000]
0167:004E7148 SUB ECX,EDI
0167:004E714A DEC ECX
0167:004E714B CLD
0167:004E714C XOR AL,AL
0167:004E714E REP STOSB
0167:004E7150 POP EAX
0167:004E7151 MOV BYTE [EBP+00433DE8],00
0167:004E7158 POP EBP
0167:004E7159 JMP EAX <----到原入口

原入口可能需要密盘数据来还原,没有密盘所以得到的入口是不正确的,再运行会非法操作。可以这样,在最后那句把程序DUMP下来,反汇编。看里面的函数调用,比如:GetCommandLineA、GetVersion这些函数一般都出现在程序入口处,找一下,找到如下:

:0042DED7 55 push ebp
:0042DED8 8BEC mov ebp, esp
:0042DEDA 6AFF push FFFFFFFF
:0042DEDC 68D0754600 push 004675D0
:0042DEE1 6810224300 push 00432210
:0042DEE6 64A100000000 mov eax, dword ptr fs:[00000000]
:0042DEEC 50 push eax
:0042DEED 64892500000000 mov dword ptr fs:[00000000], esp
:0042DEF4 83EC58 sub esp, 00000058
:0042DEF7 53 push ebx
:0042DEF8 56 push esi
:0042DEF9 57 push edi
:0042DEFA 8965E8 mov dword ptr [ebp-18], esp
* Reference To: KERNEL32.GetVersion, Ord:0174h
|
:0042DEFD FF1570034600 Call dword ptr [00460370]
:0042DF03 33D2 xor edx, edx
:0042DF05 8AD4 mov dl, ah
:0042DF07 8915945A4800 mov dword ptr [00485A94], edx
:0042DF0D 8BC8 mov ecx, eax
:0042DF0F 81E1FF000000 and ecx, 000000FF
:0042DF15 890D905A4800 mov dword ptr [00485A90], ecx
:0042DF1B C1E108 shl ecx, 08
:0042DF1E 03CA add ecx, edx
:0042DF20 890D8C5A4800 mov dword ptr [00485A8C], ecx
:0042DF26 C1E810 shr eax, 10
:0042DF29 A3885A4800 mov dword ptr [00485A88], eax
:0042DF2E 6A01 push 00000001
:0042DF30 E862560000 call 00433597
:0042DF35 59 pop ecx
:0042DF36 85C0 test eax, eax
:0042DF38 7508 jne 0042DF42
:0042DF3A 6A1C push 0000001C
:0042DF3C E8C3000000 call 0042E004
:0042DF41 59 pop ecx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042DF38(C)
|
:0042DF42 E8A5330000 call 004312EC
:0042DF47 85C0 test eax, eax
:0042DF49 7508 jne 0042DF53
:0042DF4B 6A10 push 00000010
:0042DF4D E8B2000000 call 0042E004
:0042DF52 59 pop ecx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042DF49(C)
|
:0042DF53 33F6 xor esi, esi
:0042DF55 8975FC mov dword ptr [ebp-04], esi
:0042DF58 E8C13E0000 call 00431E1E
* Reference To: KERNEL32.GetCommandLineA, Ord:00CAh
|
:0042DF5D FF15F8014600 Call dword ptr [004601F8]
:0042DF63 A3C8714800 mov dword ptr [004871C8], eax
:0042DF68 E8F8540000 call 00433465
:0042DF6D A3D05A4800 mov dword ptr [00485AD0], eax
:0042DF72 E8A1520000 call 00433218
:0042DF77 E8E3510000 call 0043315F
:0042DF7C E8E5EEFFFF call 0042CE66
:0042DF81 8975D0 mov dword ptr [ebp-30], esi
:0042DF84 8D45A4 lea eax, dword ptr [ebp-5C]
:0042DF87 50 push eax

所以估计42DED7就是真正的入口,试一下果然正确。

上一页  1 2 

Tags:环宇 汉英 翻译

编辑录入:爽爽 [复制链接] [打 印]
赞助商链接