-
-
脱Armadillo时遇到问题
-
发表于: 2005-5-24 13:34
-
按照大虾们的文章,还是不行.
之前的步骤如BP OpenMutexA 然后G到401000改成单进程还行,到了用BP GetModuleHandleA后,撤消断点,改为硬件断点,F9运行后在堆栈看不到大虾们提到的什么advapi32什么的.
我用GetModuleHandleA硬件中断断下后堆栈显示
设硬件断点后按一次F9:
0012BB9C 0048C01B /CALL 到 GetModuleHandleA 来自 try_88.0048C015
0012BBA0 00000000 \pModule = NULL
ALT+F9返回后代码是:
0048C01B |. 8945 08 mov dword ptr ss:[ebp+8],eax ; try_88.00400000
0048C01E |> A0 202A4C00 mov al,byte ptr ds:[4C2A20]
0048C023 |. 8885 FCFEFFFF mov byte ptr ss:[ebp-104],al
0048C029 |. B9 40000000 mov ecx,40
0048C02E |. 33C0 xor eax,eax
0048C030 |. 8DBD FDFEFFFF lea edi,dword ptr ss:[ebp-103]
0048C036 |. F3:AB rep stos dword ptr es:[edi]
0048C038 |. 66:AB stos word ptr es:[edi]
0048C03A |. AA stos byte ptr es:[edi]
0048C03B |. 68 04010000 push 104 ; /BufSize = 104 (260.)
0048C040 |. 8D8D FCFEFFFF lea ecx,dword ptr ss:[ebp-104] ; |
0048C046 |. 51 push ecx ; |PathBuffer
0048C047 |. 8B55 08 mov edx,dword ptr ss:[ebp+8] ; |
0048C04A |. 52 push edx ; |hModule
0048C04B |. FF15 C0C14B00 call dword ptr ds:[<&KERNEL32.GetModuleFileNa>; \GetModuleFileNameA
0048C051 |. 6A 5C push 5C
0048C053 |. 8D85 FCFEFFFF lea eax,dword ptr ss:[ebp-104]
0048C059 |. 50 push eax
0048C05A |. E8 31AB0000 call try_88.00496B90
0048C05F |. 83C4 08 add esp,8
0048C062 |. 8985 F8FEFFFF mov dword ptr ss:[ebp-108],eax
0048C068 |. 83BD F8FEFFFF 00 cmp dword ptr ss:[ebp-108],0
0048C06F |. 75 0C jnz short try_88.0048C07D
0048C071 |. 8D8D FCFEFFFF lea ecx,dword ptr ss:[ebp-104]
0048C077 |. 898D F8FEFFFF mov dword ptr ss:[ebp-108],ecx
0048C07D |> 6A 2E push 2E
0048C07F |. 8D95 FCFEFFFF lea edx,dword ptr ss:[ebp-104]
0048C085 |. 52 push edx
0048C086 |. E8 05AB0000 call try_88.00496B90
0048C08B |. 83C4 08 add esp,8
0048C08E |. 8985 F4FEFFFF mov dword ptr ss:[ebp-10C],eax
0048C094 |. 83BD F4FEFFFF 00 cmp dword ptr ss:[ebp-10C],0
0048C09B |. 74 0E je short try_88.0048C0AB
0048C09D |. 8B85 F4FEFFFF mov eax,dword ptr ss:[ebp-10C]
0048C0A3 |. 3B85 F8FEFFFF cmp eax,dword ptr ss:[ebp-108]
0048C0A9 |. 73 17 jnb short try_88.0048C0C2
0048C0AB |> 6A 00 push 0
0048C0AD |. 8D8D FCFEFFFF lea ecx,dword ptr ss:[ebp-104]
0048C0B3 |. 51 push ecx
重头来按二次F9:
0012BCBC 00485EA2 /CALL 到 GetModuleHandleA
0012BCC0 00000000 \pModule = NULL
ALT+F9返回后代码:
00485EA2 . 8B0D 80C34B00 mov ecx,dword ptr ds:[4BC380]
00485EA8 . 330D 90C34B00 xor ecx,dword ptr ds:[4BC390]
00485EAE . 330D C8C34B00 xor ecx,dword ptr ds:[4BC3C8]
00485EB4 . 03C1 add eax,ecx
00485EB6 . A3 342F4C00 mov dword ptr ds:[4C2F34],eax
00485EBB . 51 push ecx
00485EBC . 0FC9 bswap ecx
00485EBE . F7D1 not ecx
00485EC0 . 50 push eax
00485EC1 . F7D0 not eax
00485EC3 . B8 6D69656C mov eax,6C65696D
00485EC8 . 91 xchg eax,ecx
00485EC9 . B9 DEC0ADDE mov ecx,DEADC0DE
00485ECE . 91 xchg eax,ecx
00485ECF . F7D0 not eax
00485ED1 . 58 pop eax
00485ED2 . F7D1 not ecx
00485ED4 . 59 pop ecx
00485ED5 . 9C pushfd
00485ED6 . 60 pushad
00485ED7 . 33DB xor ebx,ebx
00485ED9 . 74 03 je short try_88.00485EDE
00485EDB > EB 22 jmp short try_88.00485EFF
00485EDD EB db EB
00485EDE > 33DB xor ebx,ebx
00485EE0 . 74 00 je short try_88.00485EE2
00485EE2 > EB 0D jmp short try_88.00485EF1
00485EE4 B8 db B8
00485EE5 EB db EB
00485EE6 0F db 0F
00485EE7 > B9 87C9F934 mov ecx,34F9C987
00485EEC . 90 nop
00485EED . F9 stc
00485EEE . 74 05 je short try_88.00485EF5
00485EF0 . EB 33 jmp short try_88.00485F25
00485EF2 ? C074F2 B8 87 sal byte ptr ds:[edx+esi*8-48],87
00485EF7 ? C9 leave
00485EF8 ? 40 inc eax
00485EF9 ? 48 dec eax
00485EFA . 85C0 test eax,eax
00485EFC .^ 75 DD jnz short try_88.00485EDB
00485EFE E9 db E9
00485EFF > 61 popad
00485F00 . 9D popfd
00485F01 . 66:92 xchg ax,dx
00485F03 . 66:92 xchg ax,dx
00485F05 . 8BC0 mov eax,eax
00485F07 . 8B15 A8C34B00 mov edx,dword ptr ds:[4BC3A8]
00485F0D . 3315 E8C34B00 xor edx,dword ptr ds:[4BC3E8]
00485F13 . 3315 84C34B00 xor edx,dword ptr ds:[4BC384]
00485F19 . 81C2 FF0F0000 add edx,0FFF
00485F1F . C1EA 0C shr edx,0C
00485F22 . 8915 482F4C00 mov dword ptr ds:[4C2F48],edx
00485F28 . 70 07 jo short try_88.00485F31
00485F2A . 7C 03 jl short try_88.00485F2F
00485F2C > EB 05 jmp short try_88.00485F33
00485F2E E8 db E8
00485F2F >^ 74 FB je short try_88.00485F2C
00485F31 >^ EB F9 jmp short try_88.00485F2C
00485F33 > C745 CC 00000000 mov dword ptr ss:[ebp-34],0
00485F3A . C785 08FFFFFF FFF>mov dword ptr ss:[ebp-F8],-1
00485F44 . 51 push ecx
00485F45 . 0FC9 bswap ecx
00485F47 . F7D1 not ecx
00485F49 . 50 push eax
00485F4A . F7D0 not eax
00485F4C . B8 6D69656C mov eax,6C65696D
00485F51 . 91 xchg eax,ecx
00485F52 . B9 DEC0ADDE mov ecx,DEADC0DE
00485F57 . 91 xchg eax,ecx
00485F58 . F7D0 not eax
00485F5A . 58 pop eax
00485F5B . F7D1 not ecx
00485F5D . 59 pop ecx
00485F5E . 9C pushfd
00485F5F . 60 pushad
00485F60 . 33DB xor ebx,ebx
00485F62 . 74 03 je short try_88.00485F67
00485F64 > EB 22 jmp short try_88.00485F88
00485F66 EB db EB
00485F67 > 33DB xor ebx,ebx
00485F69 . 74 00 je short try_88.00485F6B
00485F6B > EB 0D jmp short try_88.00485F7A
00485F6D B8 db B8
00485F6E EB db EB
重头来按三次F9:
0012B284 77E4F591 /CALL 到 GetModuleHandleA 来自 kernel32.77E4F58C
0012B288 00000000 \pModule = NULL
0012B28C 0012D248 UNICODE "Kernel32.dll"
ALT+F9返回后代码:
00487243 . 85C0 test eax,eax
00487245 . 75 07 jnz short try_88.0048724E
00487247 . 32C0 xor al,al
00487249 . E9 032A0000 jmp try_88.00489C51
0048724E > 8B85 14FFFFFF mov eax,dword ptr ss:[ebp-EC]
00487254 . 50 push eax ; /Arg1
00487255 . E8 6FABFFFF call try_88.00481DC9 ; \try_88.00481DC9
0048725A . 83C4 04 add esp,4
0048725D > 6A 00 push 0 ; /pModule = NULL
0048725F . FF15 4CC04B00 call dword ptr ds:[<&KERNEL32.GetModuleHandle>; \GetModuleHandleA
00487265 . 8985 1CFFFFFF mov dword ptr ss:[ebp-E4],eax
0048726B . 8B8D 1CFFFFFF mov ecx,dword ptr ss:[ebp-E4]
00487271 . 8B95 1CFFFFFF mov edx,dword ptr ss:[ebp-E4]
00487277 . 0351 3C add edx,dword ptr ds:[ecx+3C]
0048727A . 8995 00FEFFFF mov dword ptr ss:[ebp-200],edx
00487280 . 6A 00 push 0 ; /pModule = NULL
00487282 . FF15 4CC04B00 call dword ptr ds:[<&KERNEL32.GetModuleHandle>; \GetModuleHandleA
00487288 . 8B8D 00FEFFFF mov ecx,dword ptr ss:[ebp-200]
0048728E . 0341 28 add eax,dword ptr ds:[ecx+28]
00487291 . 8945 C4 mov dword ptr ss:[ebp-3C],eax
00487294 . 6A 00 push 0 ; /pModule = NULL
00487296 . FF15 4CC04B00 call dword ptr ds:[<&KERNEL32.GetModuleHandle>; \GetModuleHandleA
0048729C . 8B95 00FEFFFF mov edx,dword ptr ss:[ebp-200]
004872A2 . 2B42 34 sub eax,dword ptr ds:[edx+34]
004872A5 . 8945 C8 mov dword ptr ss:[ebp-38],eax
004872A8 . 51 push ecx
004872A9 . 0FC9 bswap ecx
004872AB . F7D1 not ecx
004872AD . 50 push eax
004872AE . F7D0 not eax
004872B0 . B8 6D69656C mov eax,6C65696D
004872B5 . 91 xchg eax,ecx
004872B6 . B9 DEC0ADDE mov ecx,DEADC0DE
004872BB . 91 xchg eax,ecx
004872BC . F7D0 not eax
004872BE . 58 pop eax
004872BF . F7D1 not ecx
004872C1 . 59 pop ecx
004872C2 . 9C pushfd
004872C3 . 60 pushad
004872C4 . 33DB xor ebx,ebx
004872C6 . 74 03 je short try_88.004872CB
004872C8 > EB 22 jmp short try_88.004872EC
004872CA EB db EB
004872CB > 33DB xor ebx,ebx
004872CD . 74 00 je short try_88.004872CF
004872CF > EB 0D jmp short try_88.004872DE
004872D1 B8 db B8
004872D2 EB db EB
004872D3 0F db 0F
004872D4 > B9 87C9F934 mov ecx,34F9C987
004872D9 . 90 nop
004872DA . F9 stc
004872DB . 74 05 je short try_88.004872E2
004872DD . EB 33 jmp short try_88.00487312
004872DF ? C074F2 B8 87 sal byte ptr ds:[edx+esi*8-48],87
004872E4 ? C9 leave
004872E5 ? 40 inc eax
004872E6 ? 48 dec eax
004872E7 . 85C0 test eax,eax
004872E9 .^ 75 DD jnz short try_88.004872C8
004872EB E9 db E9
004872EC > 61 popad
004872ED . 9D popfd
004872EE . 66:92 xchg ax,dx
004872F0 . 66:92 xchg ax,dx
004872F2 . 8BC0 mov eax,eax
重头来按四次F9:
0012BCBC 00487265 /CALL 到 GetModuleHandleA 来自 try_88.0048725F
0012BCC0 00000000 \pModule = NULL
ALT+F9返回后是:
00487265 . 8985 1CFFFFFF mov dword ptr ss:[ebp-E4],eax ; try_88.00400000
0048726B . 8B8D 1CFFFFFF mov ecx,dword ptr ss:[ebp-E4]
00487271 . 8B95 1CFFFFFF mov edx,dword ptr ss:[ebp-E4]
00487277 . 0351 3C add edx,dword ptr ds:[ecx+3C]
0048727A . 8995 00FEFFFF mov dword ptr ss:[ebp-200],edx
00487280 . 6A 00 push 0 ; /pModule = NULL
00487282 . FF15 4CC04B00 call dword ptr ds:[<&KERNEL32.GetModuleHandle>; \GetModuleHandleA
00487288 . 8B8D 00FEFFFF mov ecx,dword ptr ss:[ebp-200]
0048728E . 0341 28 add eax,dword ptr ds:[ecx+28]
00487291 . 8945 C4 mov dword ptr ss:[ebp-3C],eax
00487294 . 6A 00 push 0 ; /pModule = NULL
00487296 . FF15 4CC04B00 call dword ptr ds:[<&KERNEL32.GetModuleHandle>; \GetModuleHandleA
0048729C . 8B95 00FEFFFF mov edx,dword ptr ss:[ebp-200]
004872A2 . 2B42 34 sub eax,dword ptr ds:[edx+34]
004872A5 . 8945 C8 mov dword ptr ss:[ebp-38],eax
004872A8 . 51 push ecx
004872A9 . 0FC9 bswap ecx
004872AB . F7D1 not ecx
004872AD . 50 push eax
004872AE . F7D0 not eax
004872B0 . B8 6D69656C mov eax,6C65696D
004872B5 . 91 xchg eax,ecx
004872B6 . B9 DEC0ADDE mov ecx,DEADC0DE
004872BB . 91 xchg eax,ecx
004872BC . F7D0 not eax
004872BE . 58 pop eax
004872BF . F7D1 not ecx
004872C1 . 59 pop ecx
004872C2 . 9C pushfd
004872C3 . 60 pushad
004872C4 . 33DB xor ebx,ebx
004872C6 . 74 03 je short try_88.004872CB
004872C8 > EB 22 jmp short try_88.004872EC
004872CA EB db EB
004872CB > 33DB xor ebx,ebx
004872CD . 74 00 je short try_88.004872CF
004872CF > EB 0D jmp short try_88.004872DE
004872D1 B8 db B8
004872D2 EB db EB
004872D3 0F db 0F
004872D4 > B9 87C9F934 mov ecx,34F9C987
004872D9 . 90 nop
004872DA . F9 stc
004872DB . 74 05 je short try_88.004872E2
004872DD . EB 33 jmp short try_88.00487312
004872DF ? C074F2 B8 87 sal byte ptr ds:[edx+esi*8-48],87
004872E4 ? C9 leave
004872E5 ? 40 inc eax
004872E6 ? 48 dec eax
004872E7 . 85C0 test eax,eax
004872E9 .^ 75 DD jnz short try_88.004872C8
004872EB E9 db E9
004872EC > 61 popad
004872ED . 9D popfd
004872EE . 66:92 xchg ax,dx
004872F0 . 66:92 xchg ax,dx
004872F2 . 8BC0 mov eax,eax
004872F4 . 8B45 C4 mov eax,dword ptr ss:[ebp-3C]
004872F7 . 50 push eax
重头来按5次F9:
0012BCBC 00487288 /CALL 到 GetModuleHandleA 来自 try_88.00487282
0012BCC0 00000000 \pModule = NULL
ALT+F9后代码是:
00487288 . 8B8D 00FEFFFF mov ecx,dword ptr ss:[ebp-200] ; try_88.00400100
0048728E . 0341 28 add eax,dword ptr ds:[ecx+28]
00487291 . 8945 C4 mov dword ptr ss:[ebp-3C],eax
00487294 . 6A 00 push 0 ; /pModule = NULL
00487296 . FF15 4CC04B00 call dword ptr ds:[<&KERNEL32.GetModuleHandle>; \GetModuleHandleA
0048729C . 8B95 00FEFFFF mov edx,dword ptr ss:[ebp-200]
004872A2 . 2B42 34 sub eax,dword ptr ds:[edx+34]
004872A5 . 8945 C8 mov dword ptr ss:[ebp-38],eax
004872A8 . 51 push ecx
004872A9 . 0FC9 bswap ecx
004872AB . F7D1 not ecx
004872AD . 50 push eax
004872AE . F7D0 not eax
004872B0 . B8 6D69656C mov eax,6C65696D
004872B5 . 91 xchg eax,ecx
004872B6 . B9 DEC0ADDE mov ecx,DEADC0DE
004872BB . 91 xchg eax,ecx
004872BC . F7D0 not eax
004872BE . 58 pop eax
004872BF . F7D1 not ecx
004872C1 . 59 pop ecx
004872C2 . 9C pushfd
004872C3 . 60 pushad
004872C4 . 33DB xor ebx,ebx
004872C6 . 74 03 je short try_88.004872CB
004872C8 > EB 22 jmp short try_88.004872EC
004872CA EB db EB
004872CB > 33DB xor ebx,ebx
004872CD . 74 00 je short try_88.004872CF
004872CF > EB 0D jmp short try_88.004872DE
004872D1 B8 db B8
004872D2 EB db EB
004872D3 0F db 0F
004872D4 > B9 87C9F934 mov ecx,34F9C987
004872D9 . 90 nop
004872DA . F9 stc
004872DB . 74 05 je short try_88.004872E2
004872DD . EB 33 jmp short try_88.00487312
004872DF ? C074F2 B8 87 sal byte ptr ds:[edx+esi*8-48],87
004872E4 ? C9 leave
004872E5 ? 40 inc eax
004872E6 ? 48 dec eax
004872E7 . 85C0 test eax,eax
004872E9 .^ 75 DD jnz short try_88.004872C8
004872EB E9 db E9
004872EC > 61 popad
004872ED . 9D popfd
004872EE . 66:92 xchg ax,dx
004872F0 . 66:92 xchg ax,dx
004872F2 . 8BC0 mov eax,eax
004872F4 . 8B45 C4 mov eax,dword ptr ss:[ebp-3C]
重头来按六次F9:
0012BCBC 0048729C /CALL 到 GetModuleHandleA 来自 try_88.00487296
0012BCC0 00000000 \pModule = NULL
ALT+F9返回后代码:
0048729C . 8B95 00FEFFFF mov edx,dword ptr ss:[ebp-200] ; try_88.00400100
004872A2 . 2B42 34 sub eax,dword ptr ds:[edx+34]
004872A5 . 8945 C8 mov dword ptr ss:[ebp-38],eax
004872A8 . 51 push ecx
004872A9 . 0FC9 bswap ecx
004872AB . F7D1 not ecx
004872AD . 50 push eax
004872AE . F7D0 not eax
004872B0 . B8 6D69656C mov eax,6C65696D
004872B5 . 91 xchg eax,ecx
004872B6 . B9 DEC0ADDE mov ecx,DEADC0DE
004872BB . 91 xchg eax,ecx
004872BC . F7D0 not eax
004872BE . 58 pop eax
004872BF . F7D1 not ecx
004872C1 . 59 pop ecx
004872C2 . 9C pushfd
004872C3 . 60 pushad
004872C4 . 33DB xor ebx,ebx
004872C6 . 74 03 je short try_88.004872CB
004872C8 > EB 22 jmp short try_88.004872EC
004872CA EB db EB
004872CB > 33DB xor ebx,ebx
004872CD . 74 00 je short try_88.004872CF
004872CF > EB 0D jmp short try_88.004872DE
004872D1 B8 db B8
004872D2 EB db EB
004872D3 0F db 0F
004872D4 > B9 87C9F934 mov ecx,34F9C987
004872D9 . 90 nop
004872DA . F9 stc
004872DB . 74 05 je short try_88.004872E2
004872DD . EB 33 jmp short try_88.00487312
004872DF ? C074F2 B8 87 sal byte ptr ds:[edx+esi*8-48],87
004872E4 ? C9 leave
004872E5 ? 40 inc eax
004872E6 ? 48 dec eax
004872E7 . 85C0 test eax,eax
004872E9 .^ 75 DD jnz short try_88.004872C8
004872EB E9 db E9
004872EC > 61 popad
004872ED . 9D popfd
004872EE . 66:92 xchg ax,dx
004872F0 . 66:92 xchg ax,dx
004872F2 . 8BC0 mov eax,eax
004872F4 . 8B45 C4 mov eax,dword ptr ss:[ebp-3C]
重头来第7次F9:
这次OD左下角就提示:调试字符SSSSSSSSSSSSS之类的,然后就异常了,程序也运行了.怎么回事?
上面这6次中哪个才是MAGIC JUMP的返回时机啊?我怎么找不到,是我做错步骤了还是这个版本用这方法行不通?请赐教.
之前的步骤如BP OpenMutexA 然后G到401000改成单进程还行,到了用BP GetModuleHandleA后,撤消断点,改为硬件断点,F9运行后在堆栈看不到大虾们提到的什么advapi32什么的.
我用GetModuleHandleA硬件中断断下后堆栈显示
设硬件断点后按一次F9:0012BB9C 0048C01B /CALL 到 GetModuleHandleA 来自 try_88.0048C015
0012BBA0 00000000 \pModule = NULL
ALT+F9返回后代码是:
0048C01B |. 8945 08 mov dword ptr ss:[ebp+8],eax ; try_88.00400000
0048C01E |> A0 202A4C00 mov al,byte ptr ds:[4C2A20]
0048C023 |. 8885 FCFEFFFF mov byte ptr ss:[ebp-104],al
0048C029 |. B9 40000000 mov ecx,40
0048C02E |. 33C0 xor eax,eax
0048C030 |. 8DBD FDFEFFFF lea edi,dword ptr ss:[ebp-103]
0048C036 |. F3:AB rep stos dword ptr es:[edi]
0048C038 |. 66:AB stos word ptr es:[edi]
0048C03A |. AA stos byte ptr es:[edi]
0048C03B |. 68 04010000 push 104 ; /BufSize = 104 (260.)
0048C040 |. 8D8D FCFEFFFF lea ecx,dword ptr ss:[ebp-104] ; |
0048C046 |. 51 push ecx ; |PathBuffer
0048C047 |. 8B55 08 mov edx,dword ptr ss:[ebp+8] ; |
0048C04A |. 52 push edx ; |hModule
0048C04B |. FF15 C0C14B00 call dword ptr ds:[<&KERNEL32.GetModuleFileNa>; \GetModuleFileNameA
0048C051 |. 6A 5C push 5C
0048C053 |. 8D85 FCFEFFFF lea eax,dword ptr ss:[ebp-104]
0048C059 |. 50 push eax
0048C05A |. E8 31AB0000 call try_88.00496B90
0048C05F |. 83C4 08 add esp,8
0048C062 |. 8985 F8FEFFFF mov dword ptr ss:[ebp-108],eax
0048C068 |. 83BD F8FEFFFF 00 cmp dword ptr ss:[ebp-108],0
0048C06F |. 75 0C jnz short try_88.0048C07D
0048C071 |. 8D8D FCFEFFFF lea ecx,dword ptr ss:[ebp-104]
0048C077 |. 898D F8FEFFFF mov dword ptr ss:[ebp-108],ecx
0048C07D |> 6A 2E push 2E
0048C07F |. 8D95 FCFEFFFF lea edx,dword ptr ss:[ebp-104]
0048C085 |. 52 push edx
0048C086 |. E8 05AB0000 call try_88.00496B90
0048C08B |. 83C4 08 add esp,8
0048C08E |. 8985 F4FEFFFF mov dword ptr ss:[ebp-10C],eax
0048C094 |. 83BD F4FEFFFF 00 cmp dword ptr ss:[ebp-10C],0
0048C09B |. 74 0E je short try_88.0048C0AB
0048C09D |. 8B85 F4FEFFFF mov eax,dword ptr ss:[ebp-10C]
0048C0A3 |. 3B85 F8FEFFFF cmp eax,dword ptr ss:[ebp-108]
0048C0A9 |. 73 17 jnb short try_88.0048C0C2
0048C0AB |> 6A 00 push 0
0048C0AD |. 8D8D FCFEFFFF lea ecx,dword ptr ss:[ebp-104]
0048C0B3 |. 51 push ecx
重头来按二次F9:0012BCBC 00485EA2 /CALL 到 GetModuleHandleA
0012BCC0 00000000 \pModule = NULL
ALT+F9返回后代码:
00485EA2 . 8B0D 80C34B00 mov ecx,dword ptr ds:[4BC380]
00485EA8 . 330D 90C34B00 xor ecx,dword ptr ds:[4BC390]
00485EAE . 330D C8C34B00 xor ecx,dword ptr ds:[4BC3C8]
00485EB4 . 03C1 add eax,ecx
00485EB6 . A3 342F4C00 mov dword ptr ds:[4C2F34],eax
00485EBB . 51 push ecx
00485EBC . 0FC9 bswap ecx
00485EBE . F7D1 not ecx
00485EC0 . 50 push eax
00485EC1 . F7D0 not eax
00485EC3 . B8 6D69656C mov eax,6C65696D
00485EC8 . 91 xchg eax,ecx
00485EC9 . B9 DEC0ADDE mov ecx,DEADC0DE
00485ECE . 91 xchg eax,ecx
00485ECF . F7D0 not eax
00485ED1 . 58 pop eax
00485ED2 . F7D1 not ecx
00485ED4 . 59 pop ecx
00485ED5 . 9C pushfd
00485ED6 . 60 pushad
00485ED7 . 33DB xor ebx,ebx
00485ED9 . 74 03 je short try_88.00485EDE
00485EDB > EB 22 jmp short try_88.00485EFF
00485EDD EB db EB
00485EDE > 33DB xor ebx,ebx
00485EE0 . 74 00 je short try_88.00485EE2
00485EE2 > EB 0D jmp short try_88.00485EF1
00485EE4 B8 db B8
00485EE5 EB db EB
00485EE6 0F db 0F
00485EE7 > B9 87C9F934 mov ecx,34F9C987
00485EEC . 90 nop
00485EED . F9 stc
00485EEE . 74 05 je short try_88.00485EF5
00485EF0 . EB 33 jmp short try_88.00485F25
00485EF2 ? C074F2 B8 87 sal byte ptr ds:[edx+esi*8-48],87
00485EF7 ? C9 leave
00485EF8 ? 40 inc eax
00485EF9 ? 48 dec eax
00485EFA . 85C0 test eax,eax
00485EFC .^ 75 DD jnz short try_88.00485EDB
00485EFE E9 db E9
00485EFF > 61 popad
00485F00 . 9D popfd
00485F01 . 66:92 xchg ax,dx
00485F03 . 66:92 xchg ax,dx
00485F05 . 8BC0 mov eax,eax
00485F07 . 8B15 A8C34B00 mov edx,dword ptr ds:[4BC3A8]
00485F0D . 3315 E8C34B00 xor edx,dword ptr ds:[4BC3E8]
00485F13 . 3315 84C34B00 xor edx,dword ptr ds:[4BC384]
00485F19 . 81C2 FF0F0000 add edx,0FFF
00485F1F . C1EA 0C shr edx,0C
00485F22 . 8915 482F4C00 mov dword ptr ds:[4C2F48],edx
00485F28 . 70 07 jo short try_88.00485F31
00485F2A . 7C 03 jl short try_88.00485F2F
00485F2C > EB 05 jmp short try_88.00485F33
00485F2E E8 db E8
00485F2F >^ 74 FB je short try_88.00485F2C
00485F31 >^ EB F9 jmp short try_88.00485F2C
00485F33 > C745 CC 00000000 mov dword ptr ss:[ebp-34],0
00485F3A . C785 08FFFFFF FFF>mov dword ptr ss:[ebp-F8],-1
00485F44 . 51 push ecx
00485F45 . 0FC9 bswap ecx
00485F47 . F7D1 not ecx
00485F49 . 50 push eax
00485F4A . F7D0 not eax
00485F4C . B8 6D69656C mov eax,6C65696D
00485F51 . 91 xchg eax,ecx
00485F52 . B9 DEC0ADDE mov ecx,DEADC0DE
00485F57 . 91 xchg eax,ecx
00485F58 . F7D0 not eax
00485F5A . 58 pop eax
00485F5B . F7D1 not ecx
00485F5D . 59 pop ecx
00485F5E . 9C pushfd
00485F5F . 60 pushad
00485F60 . 33DB xor ebx,ebx
00485F62 . 74 03 je short try_88.00485F67
00485F64 > EB 22 jmp short try_88.00485F88
00485F66 EB db EB
00485F67 > 33DB xor ebx,ebx
00485F69 . 74 00 je short try_88.00485F6B
00485F6B > EB 0D jmp short try_88.00485F7A
00485F6D B8 db B8
00485F6E EB db EB
重头来按三次F9:0012B284 77E4F591 /CALL 到 GetModuleHandleA 来自 kernel32.77E4F58C
0012B288 00000000 \pModule = NULL
0012B28C 0012D248 UNICODE "Kernel32.dll"
ALT+F9返回后代码:
00487243 . 85C0 test eax,eax
00487245 . 75 07 jnz short try_88.0048724E
00487247 . 32C0 xor al,al
00487249 . E9 032A0000 jmp try_88.00489C51
0048724E > 8B85 14FFFFFF mov eax,dword ptr ss:[ebp-EC]
00487254 . 50 push eax ; /Arg1
00487255 . E8 6FABFFFF call try_88.00481DC9 ; \try_88.00481DC9
0048725A . 83C4 04 add esp,4
0048725D > 6A 00 push 0 ; /pModule = NULL
0048725F . FF15 4CC04B00 call dword ptr ds:[<&KERNEL32.GetModuleHandle>; \GetModuleHandleA
00487265 . 8985 1CFFFFFF mov dword ptr ss:[ebp-E4],eax
0048726B . 8B8D 1CFFFFFF mov ecx,dword ptr ss:[ebp-E4]
00487271 . 8B95 1CFFFFFF mov edx,dword ptr ss:[ebp-E4]
00487277 . 0351 3C add edx,dword ptr ds:[ecx+3C]
0048727A . 8995 00FEFFFF mov dword ptr ss:[ebp-200],edx
00487280 . 6A 00 push 0 ; /pModule = NULL
00487282 . FF15 4CC04B00 call dword ptr ds:[<&KERNEL32.GetModuleHandle>; \GetModuleHandleA
00487288 . 8B8D 00FEFFFF mov ecx,dword ptr ss:[ebp-200]
0048728E . 0341 28 add eax,dword ptr ds:[ecx+28]
00487291 . 8945 C4 mov dword ptr ss:[ebp-3C],eax
00487294 . 6A 00 push 0 ; /pModule = NULL
00487296 . FF15 4CC04B00 call dword ptr ds:[<&KERNEL32.GetModuleHandle>; \GetModuleHandleA
0048729C . 8B95 00FEFFFF mov edx,dword ptr ss:[ebp-200]
004872A2 . 2B42 34 sub eax,dword ptr ds:[edx+34]
004872A5 . 8945 C8 mov dword ptr ss:[ebp-38],eax
004872A8 . 51 push ecx
004872A9 . 0FC9 bswap ecx
004872AB . F7D1 not ecx
004872AD . 50 push eax
004872AE . F7D0 not eax
004872B0 . B8 6D69656C mov eax,6C65696D
004872B5 . 91 xchg eax,ecx
004872B6 . B9 DEC0ADDE mov ecx,DEADC0DE
004872BB . 91 xchg eax,ecx
004872BC . F7D0 not eax
004872BE . 58 pop eax
004872BF . F7D1 not ecx
004872C1 . 59 pop ecx
004872C2 . 9C pushfd
004872C3 . 60 pushad
004872C4 . 33DB xor ebx,ebx
004872C6 . 74 03 je short try_88.004872CB
004872C8 > EB 22 jmp short try_88.004872EC
004872CA EB db EB
004872CB > 33DB xor ebx,ebx
004872CD . 74 00 je short try_88.004872CF
004872CF > EB 0D jmp short try_88.004872DE
004872D1 B8 db B8
004872D2 EB db EB
004872D3 0F db 0F
004872D4 > B9 87C9F934 mov ecx,34F9C987
004872D9 . 90 nop
004872DA . F9 stc
004872DB . 74 05 je short try_88.004872E2
004872DD . EB 33 jmp short try_88.00487312
004872DF ? C074F2 B8 87 sal byte ptr ds:[edx+esi*8-48],87
004872E4 ? C9 leave
004872E5 ? 40 inc eax
004872E6 ? 48 dec eax
004872E7 . 85C0 test eax,eax
004872E9 .^ 75 DD jnz short try_88.004872C8
004872EB E9 db E9
004872EC > 61 popad
004872ED . 9D popfd
004872EE . 66:92 xchg ax,dx
004872F0 . 66:92 xchg ax,dx
004872F2 . 8BC0 mov eax,eax
重头来按四次F9:0012BCBC 00487265 /CALL 到 GetModuleHandleA 来自 try_88.0048725F
0012BCC0 00000000 \pModule = NULL
ALT+F9返回后是:
00487265 . 8985 1CFFFFFF mov dword ptr ss:[ebp-E4],eax ; try_88.00400000
0048726B . 8B8D 1CFFFFFF mov ecx,dword ptr ss:[ebp-E4]
00487271 . 8B95 1CFFFFFF mov edx,dword ptr ss:[ebp-E4]
00487277 . 0351 3C add edx,dword ptr ds:[ecx+3C]
0048727A . 8995 00FEFFFF mov dword ptr ss:[ebp-200],edx
00487280 . 6A 00 push 0 ; /pModule = NULL
00487282 . FF15 4CC04B00 call dword ptr ds:[<&KERNEL32.GetModuleHandle>; \GetModuleHandleA
00487288 . 8B8D 00FEFFFF mov ecx,dword ptr ss:[ebp-200]
0048728E . 0341 28 add eax,dword ptr ds:[ecx+28]
00487291 . 8945 C4 mov dword ptr ss:[ebp-3C],eax
00487294 . 6A 00 push 0 ; /pModule = NULL
00487296 . FF15 4CC04B00 call dword ptr ds:[<&KERNEL32.GetModuleHandle>; \GetModuleHandleA
0048729C . 8B95 00FEFFFF mov edx,dword ptr ss:[ebp-200]
004872A2 . 2B42 34 sub eax,dword ptr ds:[edx+34]
004872A5 . 8945 C8 mov dword ptr ss:[ebp-38],eax
004872A8 . 51 push ecx
004872A9 . 0FC9 bswap ecx
004872AB . F7D1 not ecx
004872AD . 50 push eax
004872AE . F7D0 not eax
004872B0 . B8 6D69656C mov eax,6C65696D
004872B5 . 91 xchg eax,ecx
004872B6 . B9 DEC0ADDE mov ecx,DEADC0DE
004872BB . 91 xchg eax,ecx
004872BC . F7D0 not eax
004872BE . 58 pop eax
004872BF . F7D1 not ecx
004872C1 . 59 pop ecx
004872C2 . 9C pushfd
004872C3 . 60 pushad
004872C4 . 33DB xor ebx,ebx
004872C6 . 74 03 je short try_88.004872CB
004872C8 > EB 22 jmp short try_88.004872EC
004872CA EB db EB
004872CB > 33DB xor ebx,ebx
004872CD . 74 00 je short try_88.004872CF
004872CF > EB 0D jmp short try_88.004872DE
004872D1 B8 db B8
004872D2 EB db EB
004872D3 0F db 0F
004872D4 > B9 87C9F934 mov ecx,34F9C987
004872D9 . 90 nop
004872DA . F9 stc
004872DB . 74 05 je short try_88.004872E2
004872DD . EB 33 jmp short try_88.00487312
004872DF ? C074F2 B8 87 sal byte ptr ds:[edx+esi*8-48],87
004872E4 ? C9 leave
004872E5 ? 40 inc eax
004872E6 ? 48 dec eax
004872E7 . 85C0 test eax,eax
004872E9 .^ 75 DD jnz short try_88.004872C8
004872EB E9 db E9
004872EC > 61 popad
004872ED . 9D popfd
004872EE . 66:92 xchg ax,dx
004872F0 . 66:92 xchg ax,dx
004872F2 . 8BC0 mov eax,eax
004872F4 . 8B45 C4 mov eax,dword ptr ss:[ebp-3C]
004872F7 . 50 push eax
重头来按5次F9:0012BCBC 00487288 /CALL 到 GetModuleHandleA 来自 try_88.00487282
0012BCC0 00000000 \pModule = NULL
ALT+F9后代码是:
00487288 . 8B8D 00FEFFFF mov ecx,dword ptr ss:[ebp-200] ; try_88.00400100
0048728E . 0341 28 add eax,dword ptr ds:[ecx+28]
00487291 . 8945 C4 mov dword ptr ss:[ebp-3C],eax
00487294 . 6A 00 push 0 ; /pModule = NULL
00487296 . FF15 4CC04B00 call dword ptr ds:[<&KERNEL32.GetModuleHandle>; \GetModuleHandleA
0048729C . 8B95 00FEFFFF mov edx,dword ptr ss:[ebp-200]
004872A2 . 2B42 34 sub eax,dword ptr ds:[edx+34]
004872A5 . 8945 C8 mov dword ptr ss:[ebp-38],eax
004872A8 . 51 push ecx
004872A9 . 0FC9 bswap ecx
004872AB . F7D1 not ecx
004872AD . 50 push eax
004872AE . F7D0 not eax
004872B0 . B8 6D69656C mov eax,6C65696D
004872B5 . 91 xchg eax,ecx
004872B6 . B9 DEC0ADDE mov ecx,DEADC0DE
004872BB . 91 xchg eax,ecx
004872BC . F7D0 not eax
004872BE . 58 pop eax
004872BF . F7D1 not ecx
004872C1 . 59 pop ecx
004872C2 . 9C pushfd
004872C3 . 60 pushad
004872C4 . 33DB xor ebx,ebx
004872C6 . 74 03 je short try_88.004872CB
004872C8 > EB 22 jmp short try_88.004872EC
004872CA EB db EB
004872CB > 33DB xor ebx,ebx
004872CD . 74 00 je short try_88.004872CF
004872CF > EB 0D jmp short try_88.004872DE
004872D1 B8 db B8
004872D2 EB db EB
004872D3 0F db 0F
004872D4 > B9 87C9F934 mov ecx,34F9C987
004872D9 . 90 nop
004872DA . F9 stc
004872DB . 74 05 je short try_88.004872E2
004872DD . EB 33 jmp short try_88.00487312
004872DF ? C074F2 B8 87 sal byte ptr ds:[edx+esi*8-48],87
004872E4 ? C9 leave
004872E5 ? 40 inc eax
004872E6 ? 48 dec eax
004872E7 . 85C0 test eax,eax
004872E9 .^ 75 DD jnz short try_88.004872C8
004872EB E9 db E9
004872EC > 61 popad
004872ED . 9D popfd
004872EE . 66:92 xchg ax,dx
004872F0 . 66:92 xchg ax,dx
004872F2 . 8BC0 mov eax,eax
004872F4 . 8B45 C4 mov eax,dword ptr ss:[ebp-3C]
重头来按六次F9:0012BCBC 0048729C /CALL 到 GetModuleHandleA 来自 try_88.00487296
0012BCC0 00000000 \pModule = NULL
ALT+F9返回后代码:
0048729C . 8B95 00FEFFFF mov edx,dword ptr ss:[ebp-200] ; try_88.00400100
004872A2 . 2B42 34 sub eax,dword ptr ds:[edx+34]
004872A5 . 8945 C8 mov dword ptr ss:[ebp-38],eax
004872A8 . 51 push ecx
004872A9 . 0FC9 bswap ecx
004872AB . F7D1 not ecx
004872AD . 50 push eax
004872AE . F7D0 not eax
004872B0 . B8 6D69656C mov eax,6C65696D
004872B5 . 91 xchg eax,ecx
004872B6 . B9 DEC0ADDE mov ecx,DEADC0DE
004872BB . 91 xchg eax,ecx
004872BC . F7D0 not eax
004872BE . 58 pop eax
004872BF . F7D1 not ecx
004872C1 . 59 pop ecx
004872C2 . 9C pushfd
004872C3 . 60 pushad
004872C4 . 33DB xor ebx,ebx
004872C6 . 74 03 je short try_88.004872CB
004872C8 > EB 22 jmp short try_88.004872EC
004872CA EB db EB
004872CB > 33DB xor ebx,ebx
004872CD . 74 00 je short try_88.004872CF
004872CF > EB 0D jmp short try_88.004872DE
004872D1 B8 db B8
004872D2 EB db EB
004872D3 0F db 0F
004872D4 > B9 87C9F934 mov ecx,34F9C987
004872D9 . 90 nop
004872DA . F9 stc
004872DB . 74 05 je short try_88.004872E2
004872DD . EB 33 jmp short try_88.00487312
004872DF ? C074F2 B8 87 sal byte ptr ds:[edx+esi*8-48],87
004872E4 ? C9 leave
004872E5 ? 40 inc eax
004872E6 ? 48 dec eax
004872E7 . 85C0 test eax,eax
004872E9 .^ 75 DD jnz short try_88.004872C8
004872EB E9 db E9
004872EC > 61 popad
004872ED . 9D popfd
004872EE . 66:92 xchg ax,dx
004872F0 . 66:92 xchg ax,dx
004872F2 . 8BC0 mov eax,eax
004872F4 . 8B45 C4 mov eax,dword ptr ss:[ebp-3C]
重头来第7次F9:这次OD左下角就提示:调试字符SSSSSSSSSSSSS之类的,然后就异常了,程序也运行了.怎么回事?
上面这6次中哪个才是MAGIC JUMP的返回时机啊?我怎么找不到,是我做错步骤了还是这个版本用这方法行不通?请赐教.
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
|
|
|---|---|
|
|
|
|
|
呵.FLY老大的回复如我所料~
 搞这个东东我已经反反复复不下100次了!十多天都一直在试各种方法,所有论坛文章什么精华还有水帖我都看遍了,还没有一个好的结果.只有在这请教各位大大们了  fly老大请问一下,我都不清楚这个壳是ARM的哪个版本,PEID测出是Armadillo 1.xx - 2.xx -> Silicon Realms Toolworks [Overlay] 估计应该是新3.X以上的ARM,只是PEID误报. 我该用哪个版本的ARM去加记事本练习一下才和我要脱的这个程序相近? 当然希望大大们能金手一指~指出我走错哪条路了~就最好不过了 |
|
|
最初由 仙剑太郎 发布 哈哈,ARM真难搞,我搞了几个月一无所获。。。。。。 |
|
|
|
|
|
|
|
|
|
|
|
弄软件上来,可能被ban id了~
没有大大许可不敢弄. 
|
|
|
|
