Notepad: download here
OS: Windows 2000 (2K)
In OllyDbg (v1.1), set Options -> Exceptions as follows:
Ignore ... Kernel32: checked
Ignore INT3 breaks and single-step break: checked
Under Ignore ... custom ..., add the two entries C0000005 and C0000094 and check them.
Load that NotePad in OD and clear the Debugger flag. Press F9 once and Shift+F9 twice, then Ctrl+G to 844351 and set a breakpoint there; Shift+F9 again and the program breaks at that spot.
00844351 SUB EAX,DWORD PTR SS:[EBP+ECX*4+3B14] ; set the breakpoint here
00844358 ROL EAX,CL
0084435A DEC ECX
0084435B JNZ SHORT 00844351
0084435D JMP SHORT 00844361
Remove the breakpoint, then in the free space at the end of this section (here that is 848001) type in the following code. Its job is to get past PeLock's self-check (the integrity check), by returning the expected subtraction results for the three checked iterations:
00848001 CMP ECX,148
00848007 JE SHORT 0084802D
00848009 CMP ECX,85
0084800F JE SHORT 00848027
00848011 CMP ECX,84
00848017 JE SHORT 00848021
00848019 SUB EAX,DWORD PTR SS:[EBP+ECX*4+3B14]
00848020 RETN
00848021 SUB EAX,148D842B
00848026 RETN
00848027 SUB EAX,D300003B
0084802C RETN
0084802D SUB EAX,3EB1989
00848032 RETN
Then change 844351 into a call instruction, as follows:
00844351 CALL 00848001
00844356 NOP
00844357 NOP
00844358 ROL EAX,CL
0084435A DEC ECX
0084435B JNZ SHORT 00844351
0084435D JMP SHORT 00844361
Change the instruction at 844661 from
00844661 MOV DWORD PTR DS:[ECX],EBX
to
00844661 MOV DWORD PTR DS:[ECX],EAX
(All the work above was only to make this final change possible.)
Set a breakpoint at 4010D3. Why? Because this is the fake OEP! Shift+F9 again and it breaks there; at this point you can see it is just about to call GetCommandLineA. Let's repair the OEP: right before this, type in
push ebp
mov ebp,esp
add esp,-4c
push esi
Why these four? Look at the ESP stack pointer and the state at dump time and you will see it quickly. (And no, I did not look at the original.)
You may be planning to fix the dump now, but take another look first: the line at 4010E2 is obviously a bit weird, and on closer inspection there are many more like it (though fewer than 500)!
004010D3 CALL DWORD PTR DS:[4063E4] ; KERNEL32.GetCommandLineA
004010D9 MOV ESI,EAX
004010DB MOV AL,BYTE PTR DS:[EAX]
004010DD CMP AL,22
004010DF JNZ SHORT NOTEPAD.004010FC
004010E1 PUSH ESI
004010E2 JMP 00890001 ; the weird one
004010E7 ADD BYTE PTR DS:[EBX+84008AF0],CL
004010ED SAL BYTE PTR SS:[ESP+EAX+3C],22
004010F2 JNZ SHORT NOTEPAD.004010E1
004010F4 CMP BYTE PTR DS:[ESI],22
004010F7 JNZ SHORT NOTEPAD.0040110E
004010F9 INC ESI
004010FA JMP SHORT NOTEPAD.0040110E
004010FC CMP AL,20
004010FE JLE SHORT NOTEPAD.0040110E
00401100 PUSH ESI
00401101 JMP 0089000D
00401106 ADD BYTE PTR DS:[EAX+F08B2038],AL
0040110C JG SHORT NOTEPAD.00401100
0040110E CMP BYTE PTR DS:[ESI],0
00401111 JE SHORT NOTEPAD.00401126
00401113 CMP BYTE PTR DS:[ESI],20
00401116 JA SHORT NOTEPAD.00401126
00401118 PUSH ESI
00401119 JMP 00890019
0040111E ADD BYTE PTR DS:[EAX+F08B0038],AL
00401124 JNZ SHORT NOTEPAD.00401113
00401126 MOV DWORD PTR SS:[EBP-18],0
0040112D LEA ECX,DWORD PTR SS:[EBP-44]
00401130 PUSH ECX
00401131 JMP 00890025
00401136 ADD DH,DH
00401138 INC EBP
00401139 CALL EF31FA3F
0040113E DEC EAX
0040113F ADD BYTE PTR SS:[ESP+EAX+F],DH
00401143 MOV BH,45
00401145 IN AL,DX ; I/O command
00401146 PUSH EAX
00401147 PUSH ESI
00401148 PUSH 0
0040114A PUSH 0
0040114C JMP 00890049
00401151 ADD BYTE PTR DS:[EAX-18],DL
00401154 JBE SHORT NOTEPAD.00401165
00401156 ADD BYTE PTR DS:[EAX],AL
00401158 PUSH EAX
00401159 MOV ESI,EAX
0040115B JMP 00890055
00401160 ADD BYTE PTR DS:[EBX+E58B5EC6],CL
00401166 POP EBP
00401167 RETN
Let's fix this quickly. It is manual labor, no way around it; well, I just like "reheating leftovers"! So let's write another piece of code (don't curse me). I found another patch of "empty ground" and slowly typed it in. Reader, this part is a bit long and a bit messy, and I am a newbie, so I hope it does not spoil your appetite:
0084803A PUSHAD
0084803B MOV EDI,401000
00848040 MOV ECX,4000
00848045 MOV AL,0E9
00848047 REPNE SCAS BYTE PTR ES:[EDI]
00848049 TEST ECX,ECX
0084804B JE SHORT 00848099
0084804D MOV EAX,DWORD PTR DS:[EDI]
0084804F AND EAX,FFFF0000
00848054 CMP EAX,480000
00848059 JNZ SHORT 00848045
0084805B PUSH ECX
0084805C PUSH EDI
0084805D MOV ESI,EDI
0084805F LODS DWORD PTR DS:[ESI]
00848060 ADD ESI,EAX
00848062 DEC EDI
00848063 XCHG ESI,EDI
00848065 NOP
00848066 NOP
00848067 CALL 00848124
0084806C NOP
0084806D NOP
0084806E NOT ECX
00848070 SUB EDI,ECX
00848072 DEC ECX
00848073 DEC ECX
00848074 XCHG ESI,EDI
00848076 MOV AX,WORD PTR DS:[ESI]
00848079 CMP AL,8D
0084807B JE SHORT 0084809F
0084807D CMP AX,15FF
00848081 JE SHORT 00848092
00848083 CMP AX,0F881
00848087 JE 0084810E
0084808D NOP
0084808E NOP
0084808F NOP
00848090 NOP
00848091 INC ECX
00848092 NOP
00848093 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[SI]
00848095 POP EDI
00848096 POP ECX
00848097 JMP SHORT 00848045
00848099 POPAD
0084809A JMP NOTEPAD.004010D3
0084809F INC ECX
008480A0 MOV BYTE PTR DS:[ECX+ESI],0C3
008480A4 PUSH EAX
008480A5 PUSH EDX
008480A6 PUSH EBX
008480A7 PUSH EBP
008480A8 PUSH EDI
008480A9 PUSH ECX
008480AA PUSH ESI
008480AB CALL ESI
008480AD CMP DWORD PTR SS:[ESP],ESI
008480B0 JE SHORT 008480B8
008480B2 MOV EAX,ESI
008480B4 MOV DL,0BE
008480B6 JMP SHORT 008480FC
008480B8 CMP DWORD PTR SS:[ESP+4],ECX
008480BC JE SHORT 008480C4
008480BE MOV EAX,ECX
008480C0 MOV DL,0B9
008480C2 JMP SHORT 008480FC
008480C4 CMP DWORD PTR SS:[ESP+8],EDI
008480C8 JE SHORT 008480D0
008480CA MOV EAX,EDI
008480CC MOV DL,0BF
008480CE JMP SHORT 008480FC
008480D0 CMP DWORD PTR SS:[ESP+C],EBP
008480D4 JE SHORT 008480DC
008480D6 MOV EAX,EBP
008480D8 MOV DL,0BD
008480DA JMP SHORT 008480FC
008480DC CMP DWORD PTR SS:[ESP+10],EBX
008480E0 JE SHORT 008480E8
008480E2 MOV EAX,EBX
008480E4 MOV DL,0BB
008480E6 JMP SHORT 008480FC
008480E8 CMP DWORD PTR SS:[ESP+14],EDX
008480EC JE SHORT 008480F4
008480EE MOV EAX,EDX
008480F0 MOV DL,0BC
008480F2 JMP SHORT 008480FC
008480F4 CMP DWORD PTR SS:[ESP+18],EAX
008480F8 JE SHORT 0084810D
008480FA MOV DL,0B8
008480FC POP ESI
008480FD POP ECX
008480FE POP EDI
008480FF POP EBP
00848100 POP EBX
00848101 MOV BYTE PTR DS:[EDI],DL
00848103 INC EDI
00848104 STOS DWORD PTR ES:[EDI]
00848105 MOV BYTE PTR DS:[ECX+ESI],0E9
00848109 POP EDX
0084810A POP EAX
0084810B JMP SHORT 00848095
0084810D NOP
0084810E CMP ECX,5
00848111 JNZ SHORT 00848123
00848113 MOV BYTE PTR DS:[EDI],3D
00848116 MOV EAX,DWORD PTR DS:[ESI+2]
00848119 INC EDI
0084811A STOS DWORD PTR ES:[EDI]
0084811B JMP 00848095
00848120 NOP
00848121 NOP
00848122 NOP
00848123 NOP
00848124 PUSH EDX
00848125 MOV ECX,-1
0084812A MOV AL,0E9
0084812C REPNE SCAS BYTE PTR ES:[EDI]
0084812E NOP
0084812F NOP
00848130 MOV EDX,EDI
00848132 ADD EDX,DWORD PTR DS:[EDI]
00848134 AND EDX,FFFF0000
0084813A CMP EDX,400000 ; ASCII "MZ"
00848140 JNZ SHORT 0084812A
00848142 POP EDX
00848143 RETN
When that is done, set EIP to 0084803A (PUSHAD), set a breakpoint at 848099 (POPAD), and press F9. It breaks! Press F7 once more and look at our program now: nice, isn't it? Dump it with LordPE, then fix the IAT with ImportREC; that part is easy, so I will not go into it. (Sorry.)
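The copy-back step of the routine at 0084803A (find a JMP into the protector's trampoline region, locate the trampoline's JMP back into the image, copy the body over the hole) re-expressed in Python as an added example; this is not code from the original post. CODE_BASE, STUB_BASE and the sample bytes are constructed to mirror the 4010E2 site above, and the LEA/CMP special cases of the original routine are not modelled.

```python
import struct

CODE_BASE = 0x401000   # constructed: where the protected program's code lives
STUB_BASE = 0x890000   # constructed: region holding the protector's trampolines
JMP = 0xE9             # opcode of JMP rel32

def jmp_target(buf, off, base):
    """Absolute target of the 5-byte JMP rel32 that starts at buf[off]."""
    rel = struct.unpack_from("<i", buf, off + 1)[0]
    return base + off + 5 + rel

def enc_jmp(src, dst):
    """Encode JMP rel32 located at absolute address src, jumping to dst."""
    return bytes([JMP]) + struct.pack("<i", dst - (src + 5))

def restore_stolen_code(code, stubs, code_base=CODE_BASE, stub_base=STUB_BASE):
    """Copy each trampoline body back over the JMP that leads to it.
    Returns the number of repaired sites; `code` is patched in place."""
    fixed, off = 0, 0
    while off + 5 <= len(code):
        if code[off] != JMP:
            off += 1
            continue
        tgt = jmp_target(code, off, code_base)
        if not stub_base <= tgt < stub_base + len(stubs):
            off += 1
            continue
        start = end = tgt - stub_base
        while True:  # scan for the JMP back into the image, like the 848124 routine
            if end + 5 > len(stubs):
                raise ValueError("stub at %#x never jumps back" % tgt)
            if stubs[end] == JMP and \
               code_base <= jmp_target(stubs, end, stub_base) < code_base + len(code):
                break
            end += 1
        body = stubs[start:end]
        hole = jmp_target(stubs, end, stub_base) - (code_base + off)
        if hole != len(body):   # stray E9 inside an immediate, or not a trampoline
            off += 1
            continue
        code[off:off + hole] = body
        fixed += 1
        off += hole
    return fixed

def make_sample():
    """Constructed image: PUSH ESI; JMP stub; 3 leftover bytes; MOV AL,[EAX];
    TEST AL,AL; RET. The stub holds CALL [4064F4]; MOV ESI,EAX; JMP back."""
    stubs = bytearray(b"\x90")                         # stub starts at STUB_BASE+1
    stubs += bytes.fromhex("FF15F4644000") + b"\x8b\xf0"
    stubs += enc_jmp(STUB_BASE + len(stubs), CODE_BASE + 9)
    code = bytearray(b"\x56") + enc_jmp(CODE_BASE + 1, STUB_BASE + 1)
    code += bytes.fromhex("008BF0") + bytes.fromhex("8A0084C0C3")
    return code, bytes(stubs)
```

The size check against the return address is what keeps an E9 byte that merely sits inside an immediate from being mistaken for a redirected call.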
004010D3 CALL DWORD PTR DS:[4063E4] ; KERNEL32.GetCommandLineA
004010D9 MOV ESI,EAX
004010DB MOV AL,BYTE PTR DS:[EAX]
004010DD CMP AL,22
004010DF JNZ SHORT NOTEPAD.004010FC
004010E1 PUSH ESI
004010E2 CALL DWORD PTR DS:[4064F4] ; USER32.CharNextA
004010E8 MOV ESI,EAX
004010EA MOV AL,BYTE PTR DS:[EAX]
004010EC TEST AL,AL
004010EE JE SHORT NOTEPAD.004010F4
004010F0 CMP AL,22
004010F2 JNZ SHORT NOTEPAD.004010E1
004010F4 CMP BYTE PTR DS:[ESI],22
004010F7 JNZ SHORT NOTEPAD.0040110E
004010F9 INC ESI
004010FA JMP SHORT NOTEPAD.0040110E
004010FC CMP AL,20
004010FE JLE SHORT NOTEPAD.0040110E
00401100 PUSH ESI
00401101 CALL DWORD PTR DS:[4064F4] ; USER32.CharNextA
00401107 CMP BYTE PTR DS:[EAX],20
0040110A MOV ESI,EAX
0040110C JG SHORT NOTEPAD.00401100
0040110E CMP BYTE PTR DS:[ESI],0
00401111 JE SHORT NOTEPAD.00401126
00401113 CMP BYTE PTR DS:[ESI],20
00401116 JA SHORT NOTEPAD.00401126
00401118 PUSH ESI
00401119 CALL DWORD PTR DS:[4064F4] ; USER32.CharNextA
0040111F CMP BYTE PTR DS:[EAX],0
00401122 MOV ESI,EAX
00401124 JNZ SHORT NOTEPAD.00401113
00401126 MOV DWORD PTR SS:[EBP-18],0
0040112D LEA ECX,DWORD PTR SS:[EBP-44]
00401130 PUSH ECX
00401131 CALL DWORD PTR DS:[406398] ; KERNEL32.GetStartupInfoA
00401137 TEST BYTE PTR SS:[EBP-18],1
0040113B MOV EAX,0A
00401140 JE SHORT NOTEPAD.00401146
00401142 MOVZX EAX,WORD PTR SS:[EBP-14]
00401146 PUSH EAX
00401147 PUSH ESI
00401148 PUSH 0
0040114A PUSH 0
0040114C CALL DWORD PTR DS:[40639C] ; KERNEL32.GetModuleHandleA
00401152 PUSH EAX
00401153 CALL NOTEPAD.004020CE
00401158 PUSH EAX
00401159 MOV ESI,EAX
0040115B CALL DWORD PTR DS:[4063A0] ; KERNEL32.ExitProcess
00401161 MOV EAX,ESI
00401163 POP ESI
00401164 MOV ESP,EBP
00401166 POP EBP
00401167 RETN
Oh, I almost forgot: look at the pop esi; mov esp,ebp; pop ebp just before the retn. That is one more reason for the OEP repair above.
Corrections from the experts are welcome for anything I got wrong above.