Simple but useful: a little trick of Themida's
- Author: softworm
- Date: 2006-04-06 20:42
- Link: http://bbs.pediy.com/showthread.php?threadid=23721
Copy the API's code into newly allocated memory and execute it there; a breakpoint set on the API is then of course useless.
Code:
00A2CCDE 8BFF mov edi, edi
00A2CCE0 55 push ebp
00A2CCE1 8BEC mov ebp, esp
00A2CCE3 833D 1821E777 0>cmp dword ptr [77E72118], 0
00A2CCEA 74 24 je short 00A2CD10
00A2CCEC 64:A1 18000000 mov eax, fs:[18]
00A2CCF2 6A 00 push 0
00A2CCF4 FF70 24 push dword ptr [eax+24]
00A2CCF7 68 442FE777 push 77E72F44
00A2CCFC FF15 D012E177 call [<&KERNEL32.InterlockedCompareEx>; kernel32.InterlockedCompareExchange
00A2CD02 85C0 test eax, eax
00A2CD04 75 0A jnz short 00A2CD10
00A2CD06 C705 402FE777 0>mov dword ptr [77E72F40], 1
00A2CD10 6A 00 push 0
00A2CD12 FF75 14 push dword ptr [ebp+14]
00A2CD15 FF75 10 push dword ptr [ebp+10]
00A2CD18 FF75 0C push dword ptr [ebp+C]
00A2CD1B FF75 08 push dword ptr [ebp+8]
00A2CD1E E8 4D040000 call 00A2D170
00A2CD23 5D pop ebp
00A2CD24 C2 1000 retn 10
Hmm, first grab MessageBoxA's code, then put it at some other memory address and CALL it.
Hmm, my method is:
1. Find the place where it allocates the space, then set a memory-access breakpoint.
2. Copy part of MessageBoxA's code; once it has run to the point where the window appears, search for that code, and you will know where its code was copied to. Then set a hardware execution breakpoint, close and reload, and it will break there.
Question:
So that means user32 should not get relocated, right?
Newbie tutorial:
1. Allocate memory according to the dll's size and read the dll in.
2. Get the API's address; from the dll's section table find the physoffset.
3. Call (allocated address + physoffset).
4. Free the memory.
forgot has finally surfaced.
When Themida looks up function addresses it uses the method described in gzgzlxg's article. I used GetProcAddress only to save effort.
I think this gadget works because it uses bound imports: the data section points to the real user32.dll, so wherever there are absolute addresses they access the real dll. Relative addresses such as jmp/call are all fixed offsets, so there is no relocation problem either.
======================================
to softworm
This trick is really nice; used for IAT encryption of system dlls like krnl/usr/gdi/adv, it can also defeat breakpoints.
Windows dlls definitely all have bound imports.
You could even check the timestamp when writing myGetProcAddr and handle all the bound ones this way; it just wastes a tiny bit of memory :)
Running Themida without a key pops up the following dialog:
[Figure 1]
This dialog is shown by calling the MessageBox function, but a breakpoint on MessageBox will not catch it, because the shell has moved the MessageBox function's code into its own address space and executes it there.
Those interested can look at this example: http://bbs.pediy.com/showthread.php?s=&threadid=23721
Countermeasure:
Here Themida 1.3.3.0 is used as the example.
First load Themida in OD and run it until the dialog of figure 1 appears. In the end it is MessageBoxExW that displays the dialog; view the MessageBoxExW function in OD:
77D50538 USER32.MessageBoxExW 8BFF mov edi, edi
77D5053A 55 push ebp
77D5053B 8BEC mov ebp, esp
77D5053D 6A FF push -1
77D5053F FF75 18 push dword ptr [ebp+18]
77D50542 FF75 14 push dword ptr [ebp+14]
77D50545 FF75 10 push dword ptr [ebp+10]
77D50548 FF75 0C push dword ptr [ebp+C]
77D5054B FF75 08 push dword ptr [ebp+8]
77D5054E E8 EE590100 call MessageBoxTimeoutW
77D50553 5D pop ebp
77D50554 C2 1400 retn 14
Óöþ½øÖƸ´ÖÆ£¬½«MessageBoxExW ¿ªÊ¼Ò»¶ÎµÄ»úÆ÷Âë¸´ÖÆ³öÀ´£º8B FF 55 8B EC 6A FF FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08
ÔÚODÀï°´Alt£«M´ò¿ªÄÚ´æ´°¿Ú£¬²éÕҸղŸ´ÖƳöÀ´µÄ»úÆ÷Â룺
ÕÒµ½µÄÊý¾Ý£º
013FF938 8B FF 55 8B EC 6A FF FF 75 18 FF 75 14 FF 75 10 ?U‹ìjÿÿuÿuÿu
013FF948 FF 75 0C FF 75 08 E8 EE 59 01 00 5D C2 14 00 90 ÿu.ÿuèîY.]?.
È»ºóÔÚ·´»ã±à´°¿ÚÌøµ½013FF938´úÂë´¦£º
013FF938 8BFF mov edi, edi
013FF93A 55 push ebp
013FF93B 8BEC mov ebp, esp
013FF93D 6A FF push -1
013FF93F FF75 18 push dword ptr [ebp+18]
013FF942 FF75 14 push dword ptr [ebp+14]
013FF945 FF75 10 push dword ptr [ebp+10]
013FF948 FF75 0C push dword ptr [ebp+C]
013FF94B FF75 08 push dword ptr [ebp+8]
013FF94E E8 EE590100 call 01415341
013FF953 5D pop ebp
013FF954 C2 1400 retn 14
013FF957 90 nop
013FF958 90 nop
013FF959 90 nop
013FF95A 90 nop
013FF95B 90 nop
013FF95C 8BFF mov edi, edi
013FF95E 55 push ebp
013FF95F 8BEC mov ebp, esp
013FF961 6A FF push -1
013FF963 FF75 18 push dword ptr [ebp+18]
013FF966 FF75 14 push dword ptr [ebp+14]
013FF969 FF75 10 push dword ptr [ebp+10]
013FF96C FF75 0C push dword ptr [ebp+C]
013FF96F FF75 08 push dword ptr [ebp+8]
013FF972 E8 4D5A0100 call 014153C4 //this is where the figure 1 window is displayed
013FF977 5D pop ebp //a breakpoint here will break
013FF978 C2 1400 retn 14
Set a breakpoint at 013FF977; after clicking OK on the figure 1 dialog, it breaks.
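The two analysis steps in the thread, searching memory for the copied MessageBoxExW prologue and reading the relative CALL inside the copy, done over a raw buffer. This is an added example, not code from the original posts: the "memory image" is reconstructed from the listing at 013FF938 shown above (two copied stubs with five NOPs between them) and is a constructed sample, and the function names are my own. It also shows the point forgot makes about relative jmp/call: the same E8 rel32 bytes need no relocation, but they reach a different target once the code sits at a new address (01415341 in the copy instead of MessageBoxTimeoutW in USER32).

```python
"""Locate copies of an API prologue in a memory image and decode the
relative CALLs inside them.  Added example, not code from the thread;
the image below is reconstructed from the listing at 013FF938 in the post."""
import struct

# Bytes the post copies from the start of USER32.MessageBoxExW
# (mov edi,edi / push ebp / mov ebp,esp / push -1 / push [ebp+18] ... push [ebp+8]).
PROLOGUE = bytes.fromhex("8BFF558BEC6AFFFF7518FF7514FF7510FF750CFF7508")

# Constructed memory image: the two copied stubs at 013FF938 and 013FF95C
# from the post, with the five NOPs between them.
IMAGE_BASE = 0x013FF938
IMAGE = bytes.fromhex(
    "8BFF558BEC6AFFFF7518FF7514FF7510FF750CFF7508"  # prologue (copy 1)
    "E8EE590100"                                    # call rel32
    "5DC21400"                                      # pop ebp / retn 14
    "9090909090"                                    # five NOPs
    "8BFF558BEC6AFFFF7518FF7514FF7510FF750CFF7508"  # prologue (copy 2)
    "E84D5A0100"                                    # call rel32
    "5DC21400"                                      # pop ebp / retn 14
)


def find_prologue(image: bytes, base: int, pattern: bytes = PROLOGUE) -> list:
    """Return every address in `image` where `pattern` occurs: the Alt+M
    binary search from the post, done over a raw buffer."""
    hits, pos = [], image.find(pattern)
    while pos != -1:
        hits.append(base + pos)
        pos = image.find(pattern, pos + 1)
    return hits


def rel_target(call_addr: int, rel32: int) -> int:
    """Target of an E8 rel32 CALL: next instruction address + rel32 (32-bit)."""
    return (call_addr + 5 + rel32) & 0xFFFFFFFF


def call_target(image: bytes, base: int, call_addr: int) -> int:
    """Decode the E8 rel32 CALL at `call_addr` inside `image`.  The rel32 is a
    fixed offset, so the same bytes land somewhere else once the code has been
    copied: at 013FF94E they reach 01415341, not MessageBoxTimeoutW."""
    off = call_addr - base
    if image[off] != 0xE8:
        raise ValueError(f"no E8 CALL at {call_addr:08X}")
    rel32 = struct.unpack_from("<i", image, off + 1)[0]
    return rel_target(call_addr, rel32)


def analyse(image: bytes = IMAGE, base: int = IMAGE_BASE) -> list:
    """For each copied prologue found: (stub address, address of its CALL, CALL target)."""
    out = []
    for stub in find_prologue(image, base):
        call_addr = stub + len(PROLOGUE)  # the CALL directly follows the pushes
        out.append((stub, call_addr, call_target(image, base, call_addr)))
    return out


if __name__ == "__main__":
    for stub, call_addr, target in analyse():
        print(f"copied stub at {stub:08X}: call at {call_addr:08X} -> {target:08X}")
    # The same rel32 evaluated at the real USER32 address of the CALL:
    print(f"original call at 77D5054E -> {rel_target(0x77D5054E, 0x159EE):08X}")
```

Run against a real process you would replace `IMAGE` with a dump of the allocated region (OD's memory window, or a debugger API); the search and the CALL decoding are unchanged. The second hit at 013FF95C is the one whose CALL at 013FF972 displays the dialog, which is why the breakpoint goes on the instruction after it.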