I've spent a whole day on this and read a lot of material, but I can't make sense of any of it.
I didn't expect that fly had been here before too:
How To Fix The Relocations!
I've already compared the headers before and after unpacking, but I don't know which field I'm supposed to change.
After unpacking:
->DOS Header
e_magic: 0x5A4D
e_cblp: 0x0090
e_cp: 0x0003
e_crlc: 0x0000
e_cparhdr: 0x0004
e_minalloc: 0x0000
e_maxalloc: 0xFFFF
e_ss: 0x0000
e_sp: 0x00B8
e_csum: 0x0000
e_ip: 0x0000
e_cs: 0x0000
e_lfarlc: 0x0040
e_ovno: 0x0000
e_res: 0x8D37F32900000000
e_oemid: 0x0000
e_oeminfo: 0x0000
e_res2: 0x0000000000000000000000000000000000000000
e_lfanew: 0x00000138
->File Header
Machine: 0x014C (I386)
NumberOfSections: 0x0027
TimeDateStamp: 0x47C7946C (GMT: Fri Feb 29 05:13:16 2008)
PointerToSymbolTable: 0x00000000
NumberOfSymbols: 0x00000000
SizeOfOptionalHeader: 0x00E0
Characteristics: 0x010E
(EXECUTABLE_IMAGE)
(LINE_NUMS_STRIPPED)
(LOCAL_SYMS_STRIPPED)
(32BIT_MACHINE)
->Optional Header
Magic: 0x010B (HDR32_MAGIC)
MajorLinkerVersion: 0x06
MinorLinkerVersion: 0x00 -> 6.00
SizeOfCode: 0x0006C000
SizeOfInitializedData: 0x000C8000
SizeOfUninitializedData: 0x00000000
AddressOfEntryPoint: 0x7C412A5C
BaseOfCode: 0x00001000
BaseOfData: 0x0006D000
ImageBase: 0x00400000
SectionAlignment: 0x00001000
FileAlignment: 0x00001000
MajorOperatingSystemVersion: 0x0004
MinorOperatingSystemVersion: 0x0000 -> 4.00
MajorImageVersion: 0x0000
MinorImageVersion: 0x0000 -> 0.00
MajorSubsystemVersion: 0x0004
MinorSubsystemVersion: 0x0000 -> 4.00
Win32VersionValue: 0x00000000
SizeOfImage: 0x0035B000
SizeOfHeaders: 0x00001000
CheckSum: 0x001D277B
Subsystem: 0x0002 (WINDOWS_GUI)
DllCharacteristics: 0x0000
SizeOfStackReserve: 0x00100000
SizeOfStackCommit: 0x00001000
SizeOfHeapReserve: 0x00100000
SizeOfHeapCommit: 0x00001000
LoaderFlags: 0x00000000
NumberOfRvaAndSizes: 0x00000010
DataDirectory (16) RVA Size
------------- ---------- ----------
ExportTable 0x00000000 0x00000000
ImportTable 0x0035A000 0x000001D6 (".idata2")
Resource 0x0008A000 0x000AA320 (".rsrc")
Exception 0x00000000 0x00000000
Security 0x00000000 0x00000000
Relocation 0x00284000 0x00000058 (".icod01")
Debug 0x00000000 0x00000000
Copyright 0x00000000 0x00000000
GlobalPtr 0x00000000 0x00000000
TLSTable 0x00000000 0x00000000
LoadConfig 0x00000000 0x00000000
BoundImport 0x00000000 0x00000000
IAT 0x00000000 0x00000000
DelayImport 0x00000000 0x00000000
COM 0x00000000 0x00000000
Reserved 0x00000000 0x00000000
Before unpacking:
->DOS Header
e_magic: 0x5A4D
e_cblp: 0x0090
e_cp: 0x0003
e_crlc: 0x0000
e_cparhdr: 0x0004
e_minalloc: 0x0000
e_maxalloc: 0xFFFF
e_ss: 0x0000
e_sp: 0x00B8
e_csum: 0x0000
e_ip: 0x0000
e_cs: 0x0000
e_lfarlc: 0x0040
e_ovno: 0x0000
e_res: 0x8D37F32900000000
e_oemid: 0x0000
e_oeminfo: 0x0000
e_res2: 0x0000000000000000000000000000000000000000
e_lfanew: 0x00000138
->File Header
Machine: 0x014C (I386)
NumberOfSections: 0x0027
TimeDateStamp: 0x47C7946C (GMT: Fri Feb 29 05:13:16 2008)
PointerToSymbolTable: 0x00000000
NumberOfSymbols: 0x00000000
SizeOfOptionalHeader: 0x00E0
Characteristics: 0x010E
(EXECUTABLE_IMAGE)
(LINE_NUMS_STRIPPED)
(LOCAL_SYMS_STRIPPED)
(32BIT_MACHINE)
->Optional Header
Magic: 0x010B (HDR32_MAGIC)
MajorLinkerVersion: 0x06
MinorLinkerVersion: 0x00 -> 6.00
SizeOfCode: 0x0006C000
SizeOfInitializedData: 0x000C8000
SizeOfUninitializedData: 0x00000000
AddressOfEntryPoint: 0x00358000
BaseOfCode: 0x00001000
BaseOfData: 0x0006D000
ImageBase: 0x00400000
SectionAlignment: 0x00001000
FileAlignment: 0x00000200
MajorOperatingSystemVersion: 0x0004
MinorOperatingSystemVersion: 0x0000 -> 4.00
MajorImageVersion: 0x0000
MinorImageVersion: 0x0000 -> 0.00
MajorSubsystemVersion: 0x0004
MinorSubsystemVersion: 0x0000 -> 4.00
Win32VersionValue: 0x00000000
SizeOfImage: 0x0035A000
SizeOfHeaders: 0x00000A00
CheckSum: 0x001D277B
Subsystem: 0x0002 (WINDOWS_GUI)
DllCharacteristics: 0x0000
SizeOfStackReserve: 0x00100000
SizeOfStackCommit: 0x00001000
SizeOfHeapReserve: 0x00100000
SizeOfHeapCommit: 0x00001000
LoaderFlags: 0x00000000
NumberOfRvaAndSizes: 0x00000010
DataDirectory (16) RVA Size
------------- ---------- ----------
ExportTable 0x00000000 0x00000000
ImportTable 0x00358C7B 0x000001D6 ("pebundle")
Resource 0x0008A000 0x000AA320 (".rsrc")
Exception 0x00000000 0x00000000
Security 0x00000000 0x00000000
Relocation 0x00284000 0x00000058 (".reloc")
Debug 0x00000000 0x00000000
Copyright 0x00000000 0x00000000
GlobalPtr 0x00000000 0x00000000
TLSTable 0x00000000 0x00000000
LoadConfig 0x00000000 0x00000000
BoundImport 0x00000000 0x00000000
IAT 0x00000000 0x00000000
DelayImport 0x00000000 0x00000000
COM 0x00000000 0x00000000
Reserved 0x00000000 0x00000000
I hope to learn something from this example, so experts, please come and help me.
The program is packed with PEBundle 2.0x - 2.4x. I ran a script on it and got a dump, but it still needs fixing.
I kept assuming there would be a ready-made tool that fixes it in one step, but I was wrong.
This is the unpacking script:
/*
//////////////////////////////////////////////////////////////
// PEBundle 2.0x - 2.4x OEP finder
// Author: hacnho/VCT2k4
// Email : hacnho@hotmail.com
// Website: 0bbK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3&6Z5j5h3&6V1j5h3&6Q4x3X3g2A6L8X3k6G2i4K6u0r3K9r3q4U0L8X3S2G2
// OS : WinXP Pro, OllyDbg 1.10 Final, OllyScript v0.85
/////////////////////////////////////////////////////////
*/
sti                      // step into twice to get past the packer's first instructions
sti
eob Break                // when the breakpoint below fires, continue at the Break label
findop eip, #9D68#       // search from EIP for the byte pattern 9D 68 (POPFD, PUSH imm32)
bphws esp,"r"            // hardware breakpoint on read of [ESP]: fires when the stub returns
run
Break:
sto                      // step over three instructions to land on the OEP
sto
sto
an eip                   // analyse the code at EIP
log eip                  // write the OEP to the log window
cmt eip, "This is the OEP! Found by hacnho/VCT2k4"
MSG "Dumped and fix IAT now! Thanx for using my Script...!"
ret                      // end of script
The PE file format is really hard to understand. Does anyone have some simple, easy-to-follow material they could share? Thanks in advance.
Thanks to everyone following this thread!
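Added example (not from the original post): a small Python parser for the PE32 fields that the two dumps above list, plus the sanity checks a loader makes before it can walk relocations. The sample header is constructed from the post's own values; the 0x1000 entry point used in the test is a placeholder, not the real OEP. It flags the one thing the dumped header visibly gets wrong: AddressOfEntryPoint 0x7C412A5C is larger than SizeOfImage 0x0035B000, so it cannot be an RVA inside this image.

```python
import struct

DIRS = ["Export", "Import", "Resource", "Exception", "Security", "Relocation"]  # dump order

def parse_pe(data):
    """Parse the PE32 fields the post's dumps show (DOS header, File Header, Optional Header)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    machine, nsec = struct.unpack_from("<HH", data, e_lfanew + 4)
    opt = e_lfanew + 24  # Optional Header follows the 4-byte signature and 20-byte File Header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("not a PE32 (HDR32_MAGIC) optional header")
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    image_base, sect_align, file_align = struct.unpack_from("<III", data, opt + 28)
    size_of_image, size_of_headers = struct.unpack_from("<II", data, opt + 56)
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    dirs = {n: struct.unpack_from("<II", data, opt + 96 + 8 * i) for i, n in enumerate(DIRS[:ndirs])}
    return dict(machine=machine, sections=nsec, entry=entry, image_base=image_base,
                sect_align=sect_align, file_align=file_align, dirs=dirs,
                size_of_image=size_of_image, size_of_headers=size_of_headers)

def check_header(pe):
    """Checks the loader makes before it can walk relocations; returns a list of findings."""
    found = []
    if pe["entry"] >= pe["size_of_image"]:
        found.append("AddressOfEntryPoint 0x%08X is not an RVA inside the image" % pe["entry"])
    rva, size = pe["dirs"].get("Relocation", (0, 0))
    if size == 0:
        found.append("no relocation directory: image can only load at ImageBase")
    elif rva + size > pe["size_of_image"]:
        found.append("relocation directory runs past SizeOfImage")
    return found

def build_sample(entry, size_of_image, reloc=(0x284000, 0x58)):
    """Constructed PE32 header (not a real dump) using the sizes and directories from the post."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x138)  # e_lfanew = 0x138 as in the dump
    dos += b"\0" * (0x138 - len(dos))
    fh = struct.pack("<HHIIIHH", 0x14C, 0x27, 0x47C7946C, 0, 0, 0xE0, 0x10E)
    opt = struct.pack("<HBB9I", 0x10B, 6, 0, 0x6C000, 0xC8000, 0, entry, 0x1000, 0x6D000, 0x400000, 0x1000, 0x1000)
    opt += struct.pack("<6H4I2H6I", 4, 0, 0, 0, 4, 0, 0, size_of_image, 0x1000, 0x1D277B, 2, 0,
                       0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[1], dirs[2], dirs[5] = (0x35A000, 0x1D6), (0x8A000, 0xAA320), reloc
    return dos + b"PE\0\0" + fh + opt + b"".join(struct.pack("<II", r, s) for r, s in dirs)

if __name__ == "__main__":
    print(check_header(parse_pe(build_sample(0x7C412A5C, 0x35B000))))
```

To run it against the real files, replace build_sample with the bytes of the dump and of the original executable and compare the two dicts field by field.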