Unpacking CoralQQ (珊瑚虫QQ外挂) 3.06
生活随笔
1. CoralQQ.exe
Checking with PEiD reports the packer as PECompact 2.x -> Jeremy Collake.
After loading in OllyDbg it stops at:
00401000   B8 D4A14300        mov eax,CoralQQ.0043A1D4       ; single-step with F8
00401005   50                 push eax
00401006   64:FF35 00000000   push dword ptr fs:[0]
0040100D   64:8925 00000000   mov dword ptr fs:[0],esp
00401014   33C0               xor eax,eax                    ; at this point the stack window shows
————————————————————————————————————————————————
0012FFBC   0012FFE0   Pointer to next SEH record
0012FFC0   0043A1D4   SE handler
0012FFC4   7C816D4F   Return to kernel32.7C816D4F
————————————————————————————————————————————————
Looking back at this: Ctrl+G to 0043A1D4, set a breakpoint there, then F9 to run;
the program breaks.
0043A1D4   B8 7E9043F0        mov eax,F043907E
0043A1D9   8D88 79110010      lea ecx,dword ptr ds:[eax+10001179]
0043A1DF   8941 01            mov dword ptr ds:[ecx+1],eax
0043A1E2   8B5424 04          mov edx,dword ptr ss:[esp+4]
0043A1E6   8B52 0C            mov edx,dword ptr ds:[edx+C]
0043A1E9   C602 E9            mov byte ptr ds:[edx],0E9
0043A1EC   83C2 05            add edx,5
0043A1EF   2BCA               sub ecx,edx
0043A1F1   894A FC            mov dword ptr ds:[edx-4],ecx
Remove the breakpoint, then set one at 0043A1F7.
0043A1F7   B8 78563412        mov eax,12345678
0043A1FC   64:8F05 00000000   pop dword ptr fs:[0]
0043A203   83C4 04            add esp,4
0043A206   55                 push ebp
0043A207   53                 push ebx
0043A208   51                 push ecx
0043A209   57                 push edi
0043A20A   56                 push esi
0043A20B   52                 push edx
Press F9 again and the program breaks once more; remove the breakpoint. Single-step with F8
all the way to 0043A29F:
0043A281   8985 23120010      mov dword ptr ss:[ebp+10001223],eax
0043A287   8BF0               mov esi,eax
0043A289   59                 pop ecx
0043A28A   5A                 pop edx
0043A28B   03CA               add ecx,edx
0043A28D   68 00800000        push 8000
0043A292   6A 00              push 0
0043A294   57                 push edi
0043A295   FF11               call dword ptr ds:[ecx]
0043A297   8BC6               mov eax,esi
0043A299   5A                 pop edx
0043A29A   5E                 pop esi
0043A29B   5F                 pop edi
0043A29C   59                 pop ecx
0043A29D   5B                 pop ebx
0043A29E   5D                 pop ebp
0043A29F   FFE0               jmp eax                        ; F8 here jumps to the OEP
00418E2C   55                 push ebp                       ; arrived at the OEP
00418E2D   8BEC               mov ebp,esp
00418E2F   83C4 F0            add esp,-10
00418E32   B8 648D4100        mov eax,CoralQQ.00418D64
00418E37   E8 A4BAFEFF        call CoralQQ.004048E0
00418E3C   A1 F49D4100        mov eax,dword ptr ds:[419DF4]
00418E41   33D2               xor edx,edx
00418E43   E8 30F4FFFF        call CoralQQ.00418278
2. CoralQQ.dll
After loading in OD:
00B7D911 >  B8 80F5B900      mov eax,CoralQQ.00B9F580       ; stops here
00B7D916    50               push eax
00B7D917    64:FF35 0000000> push dword ptr fs:[0]
00B7D91E    64:8925 0000000> mov dword ptr fs:[0],esp
00B7D925    33C0             xor eax,eax
00B7D927    8908             mov dword ptr ds:[eax],ecx
00B7D929    50               push eax
00B7D92A    45               inc ebp
00B7D92B    43               inc ebx
Use the ESP trick:
dd 0006f8a0
and set a hardware access breakpoint there; F9 runs to
00B9F64A    59               pop ecx
00B9F64B    5B               pop ebx
00B9F64C    5D               pop ebp                        ; 0006F8C4
00B9F64D    FFE0             jmp eax                        ; jumps to the OEP
arriving at
00B7D911 >  55               push ebp
00B7D912    8BEC             mov ebp,esp
00B7D914    53               push ebx
00B7D915    8B5D 08          mov ebx,dword ptr ss:[ebp+8]
00B7D918    56               push esi
Then dump it with LordPE!
Then repair the import table with ImportREC!
I don't understand the relocation table; would an expert please give some pointers!!
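The two stubs above share one PECompact 2.x pattern: `mov eax,<handler>` followed by the SEH setup, and a handler whose `lea ecx,[eax+disp]` names the address execution resumes at, which it reaches by writing a `jmp rel32` over the faulting instruction. The following Python, added here as a triage example and not part of the original post, decodes exactly those bytes from the listings (the entry stubs of CoralQQ.exe and CoralQQ.dll, the exe's handler); the function names are mine, and the fault address 00401016 is an assumption (the instruction after `xor eax,eax`, which the dll listing shows is `mov [eax],ecx`).

```python
import struct

# Constructed input: bytes copied from the post's OllyDbg listings.
# Entry stub of CoralQQ.exe at 00401000 and of CoralQQ.dll at 00B7D911,
# plus the first two instructions of the exe's SE handler at 0043A1D4.
EXE_ENTRY = bytes.fromhex("B8D4A14300" "50" "64FF3500000000" "64892500000000" "33C0")
DLL_ENTRY = bytes.fromhex("B880F5B900" "50" "64FF3500000000" "64892500000000" "33C0")
EXE_HANDLER = bytes.fromhex("B87E9043F0" "8D8879110010")

# push eax / push fs:[0] / mov fs:[0],esp / xor eax,eax: the fixed tail of the stub
STUB_TAIL = bytes.fromhex("50" "64FF3500000000" "64892500000000" "33C0")


def pecompact_seh_handler(entry_code: bytes):
    """Return the SE handler VA a PECompact 2.x stub installs, or None when the
    entry point is not 'mov eax,imm32' followed by the SEH tail. imm32 is the
    address the post jumps to with Ctrl+G before setting its first breakpoint."""
    if len(entry_code) < 22 or entry_code[0] != 0xB8 or entry_code[5:22] != STUB_TAIL:
        return None
    return struct.unpack_from("<I", entry_code, 1)[0]


def pecompact_resume_target(handler_code: bytes):
    """Decode 'mov eax,imm32 ; lea ecx,[eax+disp32]' at the handler and return ecx,
    the address the handler redirects execution to (the post's second breakpoint)."""
    if len(handler_code) < 11 or handler_code[0] != 0xB8 or handler_code[5:7] != b"\x8D\x88":
        return None
    imm = struct.unpack_from("<I", handler_code, 1)[0]
    disp = struct.unpack_from("<I", handler_code, 7)[0]
    return (imm + disp) & 0xFFFFFFFF  # 32-bit wraparound, as the CPU computes it


def jmp_patch(fault_va: int, target_va: int) -> bytes:
    """The 5-byte 'jmp rel32' the handler writes over the faulting instruction
    (mov byte [edx],0E9 ; add edx,5 ; sub ecx,edx ; mov [edx-4],ecx)."""
    rel32 = (target_va - (fault_va + 5)) & 0xFFFFFFFF
    return b"\xE9" + struct.pack("<I", rel32)


if __name__ == "__main__":
    handler = pecompact_seh_handler(EXE_ENTRY)
    target = pecompact_resume_target(EXE_HANDLER)
    print(f"exe SE handler:     {handler:08X}")                          # 0043A1D4
    print(f"dll SE handler:     {pecompact_seh_handler(DLL_ENTRY):08X}")  # 00B9F580
    print(f"handler resumes at: {target:08X}")                           # 0043A1F7
    # Assumed fault address: the instruction after xor eax,eax at 00401014 is
    # at 00401016 (the dll listing shows it as mov [eax],ecx, faulting with eax=0).
    print("patch written:", jmp_patch(0x00401016, target).hex().upper())  # E9DC910300
```

Running the functions over an unpacked entry point (the `push ebp / mov ebp,esp` prologue seen at the OEP) returns None, which is the check a dump-verification script would use.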