(编辑:jimmy 日期: 2025/1/23 浏览:2)
工具:52下的OD;
研究对象:东财资金;
来源:网络
理由:和谐过程中的一点心得;
软件类型:dc历史邦2号_se.dll;
要达到目的:解决脱壳后R6002- floating point support not loaded问题
写了几篇文章,积分到了99,今年积分目标到200,看来这些和谐文章要到200也不是件容易的事,给自己鼓一下劲:加油。
dc历史邦2号_se.dll原版加壳 Safengine Shielden v2.4.0.0:
1CD53A20 C785 E8FDFFFF A3000000 mov dword ptr ss:[ebp-0x218],0xA31CD53A2A 8B03 mov eax,dword ptr ds:[ebx]1CD53A2C 8B35 58B4ED1C mov esi,dword ptr ds:[0x1CEDB458] ; ntdll.RtlDecodePointer1CD53A32 83C3 08 add ebx,0x81CD53A35 8985 88FDFFFF mov dword ptr ss:[ebp-0x278],eax1CD53A3B 8B43 FC mov eax,dword ptr ds:[ebx-0x4]1CD53A3E 8985 8CFDFFFF mov dword ptr ss:[ebp-0x274],eax1CD53A44 8D85 A4FDFFFF lea eax,dword ptr ss:[ebp-0x25C]1CD53A4A 50 push eax1CD53A4B FFB5 94FDFFFF push dword ptr ss:[ebp-0x26C]1CD53A51 0FBEC2 movsx eax,dl1CD53A54 FFB5 E8FDFFFF push dword ptr ss:[ebp-0x218]1CD53A5A 899D D8FDFFFF mov dword ptr ss:[ebp-0x228],ebx1CD53A60 50 push eax1CD53A61 FFB5 9CFDFFFF push dword ptr ss:[ebp-0x264]1CD53A67 8D85 88FDFFFF lea eax,dword ptr ss:[ebp-0x278]1CD53A6D 57 push edi1CD53A6E 50 push eax1CD53A6F FF35 7881D91C push dword ptr ds:[0x1CD98178]1CD53A75 FFD6 call esi ; ntdll.RtlDecodePointer1CD53A77 FFD0 call eax ;
EAX 1CD58A3F dc历史邦.1CD58A3F
ECX 0011B594
EDX 7C92E514 ntdll.KiFastSystemCallRet
EBX 0011B90C
ESP 0011B5C0
EBP 0011B860
ESI 7C9332FF ntdll.RtlDecodePointer
EDI 0011B654
EIP 1CD53A77 dc历史邦.1CD53A77
C 0 ES 0023 32位 0(FFFFFFFF)
P 1 CS 001B 32位 0(FFFFFFFF)
A 0 SS 0023 32位 0(FFFFFFFF)
Z 0 DS 0023 32位 0(FFFFFFFF)
S 0 FS 003B 32位 7FFDE000(FFF)
T 0 GS 0000 NULL
D 0
O 0 LastErr ERROR_MOD_NOT_FOUND (0000007E)
EFL 00000206 (NO,NB,NE,A,NS,PE,GE,G)
DR0 00000000
DR1 00000000
DR2 00000000
DR3 00000000
DR6 00000000
DR7 00000000
Eax=1CD58A3F,call Eax=call 1CD58A3F
探究一下1CD58A3F是怎么来的,1CD53A20设置为新EIP,F8一路到
1CD53A6F FF35 7881D91C push dword ptr ds:[0x1CD98178]
ds:[1CD98178]=EFF7AF5C
F7进入1CD53A75 FFD6 call esi ; ntdll.RtlDecodePointer7C9332D9 > 8BFF mov edi,edi7C9332DB 55 push ebp7C9332DC 8BEC mov ebp,esp7C9332DE 51 push ecx7C9332DF 6A 00 push 0x07C9332E1 6A 04 push 0x47C9332E3 8D45 FC lea eax,dword ptr ss:[ebp-0x4]7C9332E6 50 push eax7C9332E7 6A 24 push 0x247C9332E9 6A FF push -0x17C9332EB E8 0EA5FFFF call 7C92D7FE ; ntdll.ZwQueryInformationProcess7C9332F0 8B45 FC mov eax,dword ptr ss:[ebp-0x4]7C9332F3 3345 08 xor eax,dword ptr ss:[ebp+0x8]7C9332F6 C9 leave7C9332F7 C2 0400 retn 0x4
到,
7C9332F0 8B45 FC mov eax,dword ptr ss:[ebp-0x4]
堆栈 ss:[0011B5B0]=F3222563
eax=F3222563
7C9332F3 3345 08 xor eax,dword ptr ss:[ebp+0x8]
堆栈 ss:[0011B5BC]=EFF7AF5C
eax=F3222563
dword ptr ss:[ebp+0x8]=EFF7AF5C=ds:[1CD98178]
原来ntdll.RtlDecodePointer函数还有A xor B=C的功能,来看看dword ptr ss:[ebp+0x8]=EFF7AF5C=ds:[1CD98178],ds:[1CD98178]指向的值是怎么回事,
F7 进入1CD53A77 FFD0 call eax ;
1CD58A3F 6A 02 push 0x2
1CD58A41 E8 DD31FFFF call 1CD4BC23 ; dc历史邦.1CD4BC23
1CD58A46 59 pop ecx ; dc历史邦.1CD53A79
1CD58A47 C3 retn
ds:[1CD98178]指向的值是一个固定值,并不是随机填充,因此基本上可以得出结论,程序脱壳后资源修复出现了问题,那好办,把正确的地址找回。加载原版程序,找到1007E176,把1007E176填入000C7578地址,保存文件,OD重新加载,F9,日线看东财资金模块: