【Tools used】 OllyDbg, LordPE, ImpREC 1.6F
【Unpacking platform】 Win2K
【Software name】 按键精灵3 V3.11
【Packer】 Armadillo 3.00a - 3.60 -> Silicon Realms Toolworks
【Protection】 Armadillo CopyMem-II + Debug-Blocker
【Original link】 http://bbs.pediy.com/showthread.php?s=&threadid=4579
【Unpacked by】 飞舞的T恤
--------------------------------------------------------------------------------
【Unpacking walkthrough】
My very first manual unpack ran straight into the troublesome Armadillo CopyMem-II + Debug-Blocker, so I have written up the whole two-week process of unpacking it, in the hope that it helps other first-timers facing this protection and spares them a few detours (I took plenty).
Being my first unpack, I had meant to start with a simple packer, but UPX, ASPack and the like all have automatic unpackers, which killed the interest (I only wanted to unpack something to show off in front of friends, and a packer a tool can strip is no challenge). Then I remembered 按键精灵3 v3.11, which had been sitting on my PC for ages (I downloaded it as soon as it came out and never used it). Fine, you will be my first lesson.
PEiD reported an Armadillo shell, and running the program showed two 按键精灵3.exe processes: the standard Armadillo double-process shell. Before starting I read the double-process write-ups by weiyi75, fly, csjwaman and others, and in the end chose to follow weiyi75's 《爱的中体验之Armadillo3.x双进程之Mr.Captor》 step by step, mainly because the method in weiyi75[Dfcg]'s write-up is simple to learn and more intuitive for a newcomer like me.
Load the program in OD with the plugin set to hide OD and all exceptions ignored.
00485000 按> $ 60 pushad //packer entry point
00485001 . E8 00000000 call 按键精灵.00485006
00485006 $ 5D pop ebp
00485007 . 50 push eax
00485008 . 51 push ecx
00485009 . EB 0F jmp short 按键精灵.0048501A
.....................................................................
In the command line set a breakpoint with BP OpenMutexA and press F9 to run.
It breaks at:
77E6C503 K> 55 push ebp
77E6C504 8BEC mov ebp,esp
77E6C506 51 push ecx
77E6C507 51 push ecx
77E6C508 837D 10 00 cmp dword ptr ss:[ebp+10],0
77E6C50C 56 push esi
77E6C50D 0F84 4AB90200 je KERNEL32.77E97E5D
.....................................................................
Stack contents:
0012F574 0045C5F1 /CALL to OpenMutexA
0012F578 001F0001 |Access = 1F0001
0012F57C 00000000 |Inheritable = FALSE
0012F580 0012FBB4 \MutexName = "2A8:AC7B8F140" //note: the address of MutexName differs from machine to machine; use the value you see.
Find an empty area in the program's own address space and write a small stub there to fool Armadillo: it creates the very mutex the protector is about to open, so the OpenMutexA check succeeds and the process takes the path meant for the child instead of spawning a second (debugger) process.
Ctrl+G 401000
00401000 0000 ADD BYTE PTR DS:[EAX],AL //all zero bytes, unused space
00401002 0000 ADD BYTE PTR DS:[EAX],AL
00401004 0000 ADD BYTE PTR DS:[EAX],AL
00401006 0000 ADD BYTE PTR DS:[EAX],AL
00401008 0000 ADD BYTE PTR DS:[EAX],AL
0040100A 0000 ADD BYTE PTR DS:[EAX],AL
0040100C 0000 ADD BYTE PTR DS:[EAX],AL
0040100E 0000 ADD BYTE PTR DS:[EAX],AL
Double-click the lines in OD to edit them and enter the following code:
00401000 60 pushad
00401001 9C pushfd
00401002 68 B4FB1200 push 12FBB4 ; ASCII "2A8:AC7B8F140"
00401007 33C0 xor eax,eax
00401009 50 push eax
0040100A 50 push eax
0040100B E8 6D97A677 call KERNEL32.CreateMutexA
00401010 9D popfd
00401011 61 popad
00401012 - E9 ECB4A677 jmp KERNEL32.OpenMutexA
............................................................
Move the current EIP (77E6C503) to 401000: right-click and choose 'New origin here', and EIP changes to 401000.
Press F9 to run.
It breaks at:
77E6C503 K> 55 push ebp //double-click it or press F2 to clear the breakpoint
77E6C504 8BEC mov ebp,esp
77E6C506 51 push ecx
77E6C507 51 push ecx
77E6C508 837D 10 00 cmp dword ptr ss:[ebp+10],0
77E6C50C 56 push esi
77E6C50D 0F84 4AB90200 je KERNEL32.77E97E5D
............................................................
Now find the magic jmp. In the command line set bp GetModuleHandleA.
77E63DFC K> 55 push ebp //press F2 to remove the software breakpoint and, via right-click, set a hardware breakpoint on execution here instead
77E63DFD 8BEC mov ebp,esp
77E63DFF 837D 08 00 cmp dword ptr ss:[ebp+8],0
77E63E03 74 18 je short KERNEL32.77E63E1D
77E63E05 FF75 08 push dword ptr ss:[ebp+8]
77E63E08 E8 87FFFFFF call KERNEL32.77E63D94
77E63E0D 85C0 test eax,eax
77E63E0F 74 08 je short KERNEL32.77E63E19
77E63E11 FF70 04 push dword ptr ds:[eax+4]
77E63E14 E8 3F240000 call KERNEL32.GetModuleHandleW
77E63E19 5D pop ebp
77E63E1A C2 0400 retn 4
........................................................................
Press F9. The hardware breakpoint is hit many times, so watch the stack values each time.
On the 7th F9 an illegal-instruction error is raised; Shift+F9 to ignore it.
0012BEF8 00B1C807 /CALL to GetModuleHandleA from 00B1C801
0012BEFC 00B2D6C8 \pModule = "kernel32.dll"
0012BF00 00B2E67C ASCII "VirtualAlloc"
0012BEF8 00B1C824 /CALL to GetModuleHandleA from 00B1C81E
0012BEFC 00B2D6C8 \pModule = "kernel32.dll"
0012BF00 00B2E670 ASCII "VirtualFree"
On the 9th F9 another illegal-instruction error; Shift+F9 to ignore it.
Stack contents:
0012BC70 00B0799B /CALL to GetModuleHandleA from 00B07995
0012BC74 0012BDAC \pModule = "kernel32.dll"
µãµ÷ÊԲ˵¥£¬ÀïÃæÇå³ýÓ²¼þ¶Ïµã¡£
Ctrl+F9 ·µ»Ø¡£
00B07995 FF15 C480B200 call dword ptr ds:[B280C4] ; KERNEL32.GetModuleHandleA
00B0799B 8B0D E011B300 mov ecx,dword ptr ds:[B311E0]
00B079A1 89040E mov dword ptr ds:[esi+ecx],eax
00B079A4 A1 E011B300 mov eax,dword ptr ds:[B311E0]
00B079A9 393C06 cmp dword ptr ds:[esi+eax],edi
00B079AC 75 16 jnz short 00B079C4
00B079AE 8D85 B4FEFFFF lea eax,dword ptr ss:[ebp-14C]
00B079B4 50 push eax
00B079B5 FF15 CC80B200 call dword ptr ds:[B280CC] ; KERNEL32.LoadLibraryA
00B079BB 8B0D E011B300 mov ecx,dword ptr ds:[B311E0]
00B079C1 89040E mov dword ptr ds:[esi+ecx],eax
00B079C4 A1 E011B300 mov eax,dword ptr ds:[B311E0]
00B079C9 393C06 cmp dword ptr ds:[esi+eax],edi
00B079CC 0F84 AD000000 je 00B07A7F //this is the magic jmp the other write-ups mention; patch it.
Change it to:
00B07995 FF15 C480B200 call dword ptr ds:[B280C4] ; KERNEL32.GetModuleHandleA
00B0799B 8B0D E011B300 mov ecx,dword ptr ds:[B311E0]
00B079A1 89040E mov dword ptr ds:[esi+ecx],eax
00B079A4 A1 E011B300 mov eax,dword ptr ds:[B311E0]
00B079A9 393C06 cmp dword ptr ds:[esi+eax],edi
00B079AC 75 16 jnz short 00B079C4
00B079AE 8D85 B4FEFFFF lea eax,dword ptr ss:[ebp-14C]
00B079B4 50 push eax
00B079B5 FF15 CC80B200 call dword ptr ds:[B280CC] ; KERNEL32.LoadLibraryA
00B079BB 8B0D E011B300 mov ecx,dword ptr ds:[B311E0]
00B079C1 89040E mov dword ptr ds:[esi+ecx],eax
00B079C4 A1 E011B300 mov eax,dword ptr ds:[B311E0]
00B079C9 393C06 cmp dword ptr ds:[esi+eax],edi
00B079CC E9 AE000000 jmp 00B07A7F //patched (I also tried flipping the Z flag instead)
.........................................................
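The patch above turns the 6-byte conditional jump (0F 84 rel32) into a 5-byte unconditional one (E9 rel32), so the displacement has to be recomputed for the new instruction length, which is why AD becomes AE. The following is an added example, not code from the original post, that redoes that calculation for the bytes in the listing; padding the leftover sixth byte with a NOP is this example's own choice.

```python
import struct

# From the listing in the post: the magic jmp "0F84 AD000000  je 00B07A7F" sits at 00B079CC.
MAGIC_JE_ADDR = 0x00B079CC
MAGIC_JE_BYTES = bytes.fromhex("0F84AD000000")


def jcc_target(addr, insn):
    """Absolute target of a near conditional jump (0F 80..8F rel32) located at addr."""
    if len(insn) != 6 or insn[0] != 0x0F or not 0x80 <= insn[1] <= 0x8F:
        raise ValueError("expected a 6-byte 0F 8x rel32 conditional jump")
    rel = struct.unpack("<i", insn[2:6])[0]      # rel32 is signed
    return (addr + 6 + rel) & 0xFFFFFFFF        # relative to the *next* instruction


def jmp_target(addr, insn):
    """Absolute target of a near unconditional jump (E9 rel32) located at addr."""
    if len(insn) < 5 or insn[0] != 0xE9:
        raise ValueError("expected an E9 rel32 jump")
    rel = struct.unpack("<i", insn[1:5])[0]
    return (addr + 5 + rel) & 0xFFFFFFFF


def jcc_to_jmp(addr, insn):
    """Rewrite the 6-byte jcc as E9 rel32 + NOP, preserving the target.

    The jmp is one byte shorter, so the next-instruction address moves from
    addr+6 to addr+5 and the displacement grows by one (AD -> AE here).
    """
    target = jcc_target(addr, insn)
    rel = (target - (addr + 5)) & 0xFFFFFFFF
    rel = struct.unpack("<i", struct.pack("<I", rel))[0]   # re-sign for packing
    return b"\xE9" + struct.pack("<i", rel) + b"\x90"


if __name__ == "__main__":
    patched = jcc_to_jmp(MAGIC_JE_ADDR, MAGIC_JE_BYTES)
    print(patched.hex().upper(), hex(jmp_target(MAGIC_JE_ADDR, patched)))
```

The same displacement arithmetic explains the backward jump in tDasm's patch later in the post: E9 18FFFFFF at 0046B46D is 0046B472 minus E8, i.e. 0046B38A.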
Çå³ýËùÓжϵ㡣ÔÚ401000¶ÎÏÂÄÚ´æ¶Ïµã,°´F9
00B206B2 8B04B0 mov eax,dword ptr ds:[eax+esi*4] //À´µ½ÕâÀï
00B206B5 3341 54 xor eax,dword ptr ds:[ecx+54]
00B206B8 8B0D 9455B300 mov ecx,dword ptr ds:[B35594] ; °´¼ü¾«Áé.00495260
00B206BE 3341 04 xor eax,dword ptr ds:[ecx+4]
00B206C1 8B0D 9455B300 mov ecx,dword ptr ds:[B35594] ; °´¼ü¾«Áé.00495260
00B206C7 3341 74 xor eax,dword ptr ds:[ecx+74]
00B206CA 8B0D 9455B300 mov ecx,dword ptr ds:[B35594] ; °´¼ü¾«Áé.00495260
00B206D0 3341 30 xor eax,dword ptr ds:[ecx+30]
00B206D3 8B0D 9455B300 mov ecx,dword ptr ds:[B35594] ; °´¼ü¾«Áé.00495260
00B206D9 3341 20 xor eax,dword ptr ds:[ecx+20]
Ìáʾ±»µ÷ÊÔ³ÌÐòÎÞ·¨´¦ÀíÒì³££¬Shift+F9ºöÂÔ£¬game over³ÌÐòÍ˳ö¡£
Heavens, where did I go wrong? Why can I never reach the "push ebp //the spot everyone on earth knows" that the write-ups describe?
Well, it is my first unpack, and it is normal for it not to go smoothly, so let's try the other experts' methods. Over the next three or four days I tried every standard-shell method I could find on it, and not one of them worked. Every evening from 7 pm to 1 am I was studying the various Armadillo standard-shell methods, and I turned up at work exhausted every day, still with nothing to show for it. I couldn't give up halfway, could I? Time to ask the experts on the forum...
Meanwhile loveboom gave me a hint: "it may not be a standard double-process shell, or it may be a newer version, so unpacking it as a double-process shell won't work". To a newcomer like me that was as good as no answer; next time I ask, I hope the experts can give slightly more detailed information... ^_^
Later I also owe a lot to wangli_com's guidance...
First find the OEP. Reload the program in OD, set bp WaitForDebugEvent and press F9.
77E7A6CF K> 55 push ebp //lands here; press F2 to clear the breakpoint
77E7A6D0 8BEC mov ebp,esp
77E7A6D2 81EC 9C000000 sub esp,9C
77E7A6D8 53 push ebx
77E7A6D9 56 push esi
77E7A6DA 57 push edi
Look at the stack window:
0012DA98 0046AD67 /CALL to WaitForDebugEvent from 按键精灵.0046AD61
0012DA9C 0012EB5C |pDebugEvent = 0012EB5C
0012DAA0 000003E8 \Timeout = 1000. ms
Right-click 0012EB5C (the pDebugEvent buffer) and choose 'Follow in Dump'.
Then set bp WriteProcessMemory and press F9.
77E7ADB9 K> 55 push ebp //lands here
77E7ADBA 8BEC mov ebp,esp
77E7ADBC 51 push ecx
77E7ADBD 51 push ecx
77E7ADBE 8B45 0C mov eax,dword ptr ss:[ebp+C]
77E7ADC1 53 push ebx
77E7ADC2 8945 F8 mov dword ptr ss:[ebp-8],eax
Look at the dump window:
0012EB5C 01 00 00 00 68 03 00 00
0012EB64 C4 00 00 00 01 00 00 80
0012EB6C 00 00 00 00 00 00 00 00
0012EB74 00 CC 43 00 02 00 00 00 //see the 43CC00? That is the OEP.
The buffer is the DEBUG_EVENT structure filled in by WaitForDebugEvent: event code 1 (EXCEPTION_DEBUG_EVENT), process id 368, thread id C4, then the exception record with code 80000001 (a guard-page violation) and exception address 0043CC00. The child faulted on the first instruction of the protected code, which is why that address is the OEP.
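To make the dump above readable without counting offsets by hand, here is an added example (not code from the original post) that parses the 32 bytes shown at 0012EB5C as a 32-bit DEBUG_EVENT and pulls out the exception address. The CREATE_PROCESS branch and the sample it is tested with are constructed for illustration; the Win32 field layout itself is the documented one.

```python
import struct

# DEBUG_EVENT on 32-bit Windows: dwDebugEventCode, dwProcessId, dwThreadId, then a union.
EXCEPTION_DEBUG_EVENT = 1
CREATE_PROCESS_DEBUG_EVENT = 3
STATUS_GUARD_PAGE_VIOLATION = 0x80000001

# The 32 bytes from the dump window at 0012EB5C in the post, transcribed here.
DUMP_0012EB5C = bytes.fromhex(
    "0100000068030000"
    "C400000001000080"
    "0000000000000000"
    "00CC430002000000"
)


def parse_debug_event(buf):
    """Decode the header and the union member we care about into a dict."""
    if len(buf) < 12:
        raise ValueError("DEBUG_EVENT needs at least 12 bytes")
    code, pid, tid = struct.unpack_from("<III", buf, 0)
    ev = {"code": code, "pid": pid, "tid": tid}
    if code == EXCEPTION_DEBUG_EVENT:
        # EXCEPTION_DEBUG_INFO starts with an EXCEPTION_RECORD:
        # ExceptionCode, ExceptionFlags, ExceptionRecord*, ExceptionAddress, NumberParameters
        if len(buf) < 32:
            raise ValueError("truncated EXCEPTION_DEBUG_INFO")
        exc_code, flags, _chain, addr, nparams = struct.unpack_from("<IIIII", buf, 12)
        ev.update(exception_code=exc_code, exception_flags=flags,
                  exception_address=addr, number_parameters=nparams)
    elif code == CREATE_PROCESS_DEBUG_EVENT:
        # CREATE_PROCESS_DEBUG_INFO: hFile, hProcess, hThread, lpBaseOfImage,
        # dwDebugInfoFileOffset, nDebugInfoSize, lpThreadLocalBase, lpStartAddress, ...
        if len(buf) < 44:
            raise ValueError("truncated CREATE_PROCESS_DEBUG_INFO")
        fields = struct.unpack_from("<8I", buf, 12)
        ev.update(base_of_image=fields[3], start_address=fields[7])
    return ev


def oep_candidate(ev):
    """Address worth noting from this event, or None.

    A guard-page violation tells the debugging parent which protected page the
    child touched; when it fires at the program's first instruction, as in the
    dump above, the exception address is the OEP.  For a create-process event
    the start address is only the (packed) module entry point.
    """
    if ev["code"] == EXCEPTION_DEBUG_EVENT and ev["exception_code"] == STATUS_GUARD_PAGE_VIOLATION:
        return ev["exception_address"]
    if ev["code"] == CREATE_PROCESS_DEBUG_EVENT:
        return ev["start_address"]
    return None


if __name__ == "__main__":
    ev = parse_debug_event(DUMP_0012EB5C)
    print(ev, hex(oep_candidate(ev)))
```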
Reload the program in OD once more, set a hardware breakpoint with he WaitForDebugEvent and run until it stops. Go back to the shell's code and search for the constant FFFFFFF8; the results are:
0046B3D6 OR EAX, FFFFFFF8
0046B3F1 OR EDX, FFFFFFF8
0046B41A OR ECX, FFFFFFF8
0046B8F0 OR EDX, FFFFFFF8
0046B90B OR ECX, FFFFFFF8
0046B933 OR EAX, FFFFFFF8
Double-click 0046B3D6 to go to that code, then look a few lines up:
0046B38A 83BD D0F5FFFF 00 cmp dword ptr ss:[ebp-A30],0 //this is the key code mentioned in tDasm's article
0046B391 0F8C A9020000 jl 按键精灵.0046B640
0046B397 8B8D D0F5FFFF mov ecx,dword ptr ss:[ebp-A30]
0046B39D 3B0D E4B54900 cmp ecx,dword ptr ds:[49B5E4]
0046B3A3 0F8D 97020000 jge 按键精灵.0046B640
0046B3A9 8B95 44F6FFFF mov edx,dword ptr ss:[ebp-9BC]
0046B3AF 81E2 FF000000 and edx,0FF
0046B3B5 85D2 test edx,edx
0046B3B7 0F84 AD000000 je 按键精灵.0046B46A
0046B3BD 6A 00 push 0
0046B3BF 8BB5 D0F5FFFF mov esi,dword ptr ss:[ebp-A30]
0046B3C5 C1E6 04 shl esi,4
0046B3C8 8B85 D0F5FFFF mov eax,dword ptr ss:[ebp-A30]
0046B3CE 25 07000080 and eax,80000007
0046B3D3 79 05 jns short 按键精灵.0046B3DA
0046B3D5 48 dec eax
0046B3D6 83C8 F8 or eax,FFFFFFF8 //breaks here; look upward
0046B3D9 40 inc eax
0046B3DA 33C9 xor ecx,ecx
0046B3DC 8A88 809A4900 mov cl,byte ptr ds:[eax+499A80]
0046B3E2 8B95 D0F5FFFF mov edx,dword ptr ss:[ebp-A30]
0046B3E8 81E2 07000080 and edx,80000007
0046B3EE 79 05 jns short 按键精灵.0046B3F5
0046B3F0 4A dec edx
0046B3F1 83CA F8 or edx,FFFFFFF8
0046B3F4 42 inc edx
0046B3F5 33C0 xor eax,eax
0046B3F7 8A82 819A4900 mov al,byte ptr ds:[edx+499A81]
0046B3FD 8B3C8D 60524900 mov edi,dword ptr ds:[ecx*4+495260]
0046B404 333C85 60524900 xor edi,dword ptr ds:[eax*4+495260]
0046B40B 8B8D D0F5FFFF mov ecx,dword ptr ss:[ebp-A30]
0046B411 81E1 07000080 and ecx,80000007
0046B417 79 05 jns short 按键精灵.0046B41E
0046B419 49 dec ecx
0046B41A 83C9 F8 or ecx,FFFFFFF8
0046B41D 41 inc ecx
0046B41E 33D2 xor edx,edx
0046B420 8A91 829A4900 mov dl,byte ptr ds:[ecx+499A82]
0046B426 333C95 60524900 xor edi,dword ptr ds:[edx*4+495260]
0046B42D 8B85 D0F5FFFF mov eax,dword ptr ss:[ebp-A30]
0046B433 99 cdq
0046B434 B9 1C000000 mov ecx,1C
0046B439 F7F9 idiv ecx
0046B43B 8BCA mov ecx,edx
0046B43D D3EF shr edi,cl
0046B43F 83E7 0F and edi,0F
0046B442 03F7 add esi,edi
0046B444 8B15 D4B54900 mov edx,dword ptr ds:[49B5D4]
0046B44A 8D04B2 lea eax,dword ptr ds:[edx+esi*4]
0046B44D 50 push eax
0046B44E 8B8D D0F5FFFF mov ecx,dword ptr ss:[ebp-A30]
0046B454 51 push ecx
0046B455 E8 FF1F0000 call 按键精灵.0046D459
0046B45A 83C4 0C add esp,0C
0046B45D 25 FF000000 and eax,0FF <--- patch here
0046B462 85C0 test eax,eax
Set a hardware execution breakpoint at 0046B38A and run until it stops. Following tDasm's method, patch the code to:
0046B45D FF05 48EB1200 inc dword ptr ds:[12EB48]
0046B463 C705 E8B54900 010000>mov dword ptr ds:[49B5E8],1
0046B46D ^ E9 18FFFFFF jmp 按键精灵.0046B38A
Set the dword at 12EB48 to 0, remove all hardware breakpoints, set a breakpoint at 0046B640 and run; it stops there. Now the whole code has been forcibly decrypted.
Run LordPE, select the second process (there are two with the same name) and do a full dump.
The dump still isn't usable; what now? The IAT has to be repaired. wangli_com didn't say how, and the other write-ups mostly get past the magic jmp and then use ImpREC 1.6f: select the process, enter the OEP and auto-search. I tried and tried; why won't it work, why can't it find the IAT data? After N failures I was ready to give in to Armadillo...
What now? If you can't do it yourself, look it up. In the 密界 unpacking collection I found tDasm's original articles 〈Armadillo 3.6主程序脱壳〉 and 〈Armadillo 3.6主程序IAT处理〉, followed them, and unpacked again very smoothly; but when I reached the IAT handling I could not understand tDasm's method at the time, and even following it to the letter the program kept running away from me.
Nothing for it but to keep looking. When I saw jwh51's 《Armadillo COPYMEMEII之DUMP的一个LOADPE小插件》 I followed it and unpacked once more. What a convenient method: the same principle as tDasm's, but with much simpler steps, so a newcomer is less likely to make mistakes. Strongly recommended.
Then 骨灰C's article 《实战Armadillo3.60 Original CopyMem-ll +Debug-Blocker -----UltraEdit》 cleared up the IAT repair problem that had puzzled me for three or four days (I suggest newcomers study it, but preferably not use 骨灰C's unpacking method: the principle is the same as tDasm's and jwh51's, but the process is more involved and error-prone).
Back to the point: let's repair the IAT...
Load the dumped file in OD and single-step with F8.
0043CC00 1> 55 push ebp //program entry point (OEP)
0043CC01 8BEC mov ebp,esp
0043CC03 6A FF push -1
0043CC05 68 189C4400 push 111.00449C18
0043CC0A 68 5ECD4300 push 111.0043CD5E
0043CC0F 64:A1 00000000 mov eax,dword ptr fs:[0]
0043CC15 50 push eax
0043CC16 64:8925 00000000 mov dword ptr fs:[0],esp
0043CC1D 83EC 68 sub esp,68
0043CC20 53 push ebx
0043CC21 56 push esi
0043CC22 57 push edi
0043CC23 8965 E8 mov dword ptr ss:[ebp-18],esp
0043CC26 33DB xor ebx,ebx
0043CC28 895D FC mov dword ptr ss:[ebp-4],ebx
0043CC2B 6A 02 push 2
0043CC2D FF15 5C4B4400 call dword ptr ds:[444B5C] //as soon as this executes the program runs away (the IAT slot is not valid in the dump)
Start over in OD. When execution reaches 43CC2D, Ctrl+G 444B5C in the dump window: do you see lots of values starting with 77? That is where the IAT lives. Scroll up along it to the top of the dump window: 444000 is the start address of the IAT. Write it down.
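What the author does by eye here (and what ImpREC's 'Show Invalid' does later) is check whether each dword slot in the IAT region points into a loaded DLL. The following is an added example, not code from the original post: it classifies the slots of a constructed IAT fragment starting at 444000, using assumed Win2K module ranges that cover the kernel32 addresses seen in the listings. The user32 slot and the slot still pointing into the packer's own memory are made up for illustration.

```python
import struct

# Assumed module ranges (start, end) for this example; the kernel32 range is chosen
# to cover the 77E6xxxx/77E7xxxx addresses that appear in the post's listings.
MODULE_RANGES = {
    "kernel32.dll": (0x77E60000, 0x77F40000),
    "user32.dll":   (0x77D30000, 0x77DA0000),
}

IAT_BASE = 0x00444000   # start of the IAT found in the dump window

# Constructed sample of an IAT region: two kernel32 thunks, a zero terminator,
# one (made-up) user32 thunk, a thunk still pointing into Armadillo's code at
# 00B0xxxx, which a dump cannot use, then terminators / unused space.
SAMPLE_IAT = struct.pack(
    "<8I",
    0x77E63DFC,   # GetModuleHandleA in the listing
    0x77E6C503,   # OpenMutexA in the listing
    0x00000000,
    0x77D40010,   # constructed user32 address
    0x00B07995,   # constructed: inside the packer's memory, not a DLL
    0x00000000,
    0x00000000,
    0x00000000,
)


def module_for(va, ranges=MODULE_RANGES):
    """Name of the module whose range contains va, or None."""
    for name, (lo, hi) in ranges.items():
        if lo <= va < hi:
            return name
    return None


def scan_iat(base_va, data, ranges=MODULE_RANGES):
    """Classify every dword slot as (slot_va, value, kind, module).

    kind is 'valid' (points into a known module), 'terminator' (zero) or
    'invalid' (non-zero but outside every module, e.g. redirected by the packer).
    """
    entries = []
    for off in range(0, len(data) - len(data) % 4, 4):
        (val,) = struct.unpack_from("<I", data, off)
        slot = base_va + off
        if val == 0:
            kind, mod = "terminator", None
        else:
            mod = module_for(val, ranges)
            kind = "valid" if mod else "invalid"
        entries.append((slot, val, kind, mod))
    return entries


def iat_bounds(entries):
    """(first used slot VA, size in bytes up to and including the last used slot)."""
    used = [slot for slot, _, kind, _ in entries if kind != "terminator"]
    if not used:
        return None
    return used[0], used[-1] + 4 - used[0]


def invalid_slots(entries):
    """VAs of the slots ImpREC would list under 'Show Invalid'."""
    return [slot for slot, _, kind, _ in entries if kind == "invalid"]


if __name__ == "__main__":
    ents = scan_iat(IAT_BASE, SAMPLE_IAT)
    for slot, val, kind, mod in ents:
        print(f"{slot:08X} {val:08X} {kind:10s} {mod or ''}")
    print("bounds:", iat_bounds(ents), "invalid:", [hex(s) for s in invalid_slots(ents)])
```

The RVA the author types into ImpREC is the first slot minus the image base (444000 - 400000 = 44000); the size is what iat_bounds returns for the real region.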
Reload 按键精灵3.exe in OD, ignore all exceptions, bp DebugActiveProcess, F9 until it breaks. Look at the stack window:
0012DA9C 0046ABDB /CALL to DebugActiveProcess from 按键精灵.0046ABD5
0012DAA0 000003CC \ProcessId = 3CC ---> the child process (its process id)
Open a second OD and attach to child process 3CC. Then Alt+F9 to return to the program:
00485000 按>- EB FE jmp short 按键精灵.<ModuleEntryPoint> //breaks here
00485002 0000 add byte ptr ds:[eax],al
00485004 0000 add byte ptr ds:[eax],al
00485006 5D pop ebp
00485007 50 push eax
00485008 51 push ecx
»¹Ô´úÂ룬²»È»ÊÇËÀÑ»·£¬»¹Ô¿ªÍ·Á½Ðжþ½øÖÆ£º 60 E8 Ϊ 60 E8
00485000 °´> 60 pushad
00485001 E8 00000000 call °´¼ü¾«Áé.00485006
00485006 5D pop ebp
00485007 50 push eax
00485008 51 push ecx
OK, BP OpenMutexA, F9 until it breaks, and do not clear the breakpoint. Go through the standard-shell method described above once more, and after patching the magic jmp just press F9 until it breaks.
In ImpREC 1.6f select process 3CC, enter OEP address 3CC00 and RVA (which is the IAT address) 44000. Do not press 'IAT AutoSearch'; press 'Get Imports' directly, then 'Show Invalid', cut the invalid entries, and 'Fix Dump'. Done.
That completes the unpack. The unpacked file is 1.5 MB; if that bothers you, see yesky1's 《脱壳后软件减肥大法》, which is very simple; after slimming the file is 728 KB...
If you still have questions about the Armadillo shell, add my QQ: 120471426 and we can learn together... Other packers, forget it, I haven't tried them yet....