这不是什么技术文章，也不会做太多解释。
WonderWall 虽然开源了，但少一个模块；该模块是商业的，不能公开也在情理之中。
作者已经很久没更新了，那么换到新版本的 E（易语言）时，能不能自己动手改一下呢？
这只是自己的备忘录，所以不会打太多文字。
已经找出新版本更新所需的数据。下面是各项在新版 E 中对应的地址（E_pHextoDec、E_AddResourceConfirm 等几项暂时空着；E_pHWID 与 E_OutputDebugString_This 记的是定位用的指令/表达式，而不是直接的地址）：
E_pCode, 0044D46C
E_pValidCode, 0044D49B
E_pBreakPoint, 004096B4
E_MemCrcLen, 0015D747
E_pMemCrcCal, 004E58B8
E_pMemCrcSnow, 0049A5E3
E_pMemCrcValue, 005A737C
E_strCompling, 00411BAB
E_strComplied, 0042DE50
E_strECComplied, 0045FBA7
E_OutputDebugString_This,
RPPM ( 005B1318 + #E_OutputDebugString_This_offest1_511 , { #E_OutputDebugString_This_offest2_511 })
E_pHextoDec,
E_pHWID, INC DWORD PTR DS:[5B1E08]
E_SetBreakPoint, 00461A63
E_ProcCode,004139C0
E_ProcPackCode, 00413A5B
E_ProcPackName,004201C9
E_ExportPackCode, 0042DB8E
E_AddResourcePreview, 0043A213
E_AddResourceConfirm,
因为 WonderWall 加有 UPX，而 E 写出来的东西普遍大得离谱，所以我没打算脱壳；但 UPX 压缩后的文件里空间有限，所以手动给它加了一个区段。注意这个新区段既要可执行（补丁代码放在这里，后面会直接 JMP 过来），也要可写（101B4020 处的指针是在运行时由补丁代码写入的），并且 PE 头中的 SizeOfImage 等字段要随新区段一起更新，否则文件可能无法正常载入。
用 OD 载入，Ctrl+G → 101B4000，跳到刚加上去的区段里写代码。
101B4000 起存放的是提示 E 版本号的文本（所以 OD 把这一段反汇编成了一堆无意义的指令，可以无视）
101B4020 存放的是指向该文本的指针
代码从 101B4030 开始。它先从 [ESP+30] 取出 WonderWall 的模块基址放进 EAX，后面所有补丁位置都以 EAX 加偏移来计算，所以不依赖 WonderWall 实际被载入到哪；但 CMP DWORD PTR DS:[4E58A1],98543643 这个特征检查，以及写进去的 0044xxxx / 005Bxxxx 等值，都是 E 主程序里的绝对地址，前提是 E 主程序按默认基址载入。特征不匹配时 JNE 跳到 101B41C8，跳过前面那一批地址表的写入，但 101B41C8 之后的几处字节补丁仍然会执行。
CPU Disasm
地址 十六进制数据 指令 注释
101B4000 C4FA LES EDI,EDX ; 非法使用寄存器
101B4002 B5 B1 MOV CH,0B1
101B4004 C7 DB C7 ; 未知的命令
101B4005 B0 D5 MOV AL,0D5
101B4007 FD STD
101B4008 D4 DA AAM 0DA
101B400A CA B9D3 RETF 0D3B9 ; 长跳转或调用
101B400D C3 RETN
101B400E D2D7 RCL BH,CL
101B4010 D3EF SHR EDI,CL
101B4012 D1D4 RCL ESP,1 ; 可疑的堆栈指针的使用
101B4014 35 2E3331B0 XOR EAX,B031332E
101B4019 E6 B1 OUT 0B1,AL ; I/O 命令
101B401B BE 21000000 MOV ESI,21
101B4020 0040 1B ADD BYTE PTR DS:[EAX+1B],AL
101B4023 1000 ADC BYTE PTR DS:[EAX],AL
101B4025 0000 ADD BYTE PTR DS:[EAX],AL
101B4027 0000 ADD BYTE PTR DS:[EAX],AL
101B4029 90 NOP
101B402A 90 NOP
101B402B 90 NOP
101B402C 90 NOP
101B402D 90 NOP
101B402E 90 NOP
101B402F 90 NOP
101B4030 8B44E4 30 MOV EAX,DWORD PTR SS:[ESP+30]
101B4034 813D A1584E00 43365498 CMP DWORD PTR DS:[4E58A1],98543643
101B403E 0F85 84010000 JNE 101B41C8
101B4044 36:66:C780 186C0200 8D05 MOV WORD PTR SS:[EAX+26C18],58D
101B404E 8D90 00401B00 LEA EDX,[EAX+1B4000]
101B4054 36:8990 20401B00 MOV DWORD PTR SS:[EAX+1B4020],EDX
101B405B 8D90 20401B00 LEA EDX,[EAX+1B4020]
101B4061 36:8990 1A6C0200 MOV DWORD PTR SS:[EAX+26C1A],EDX
101B4068 36:C780 1E6C0200 90909090 MOV DWORD PTR SS:[EAX+26C1E],90909090
101B4073 36:C780 226C0200 90909090 MOV DWORD PTR SS:[EAX+26C22],90909090
101B407E 36:C780 C1720200 6CD44400 MOV DWORD PTR SS:[EAX+272C1],44D46C
101B4089 36:C780 96CD0200 71D44400 MOV DWORD PTR SS:[EAX+2CD96],44D471
101B4094 36:C780 88CD0200 9BD44400 MOV DWORD PTR SS:[EAX+2CD88],44D49B
101B409F 36:C780 6F720200 B4964000 MOV DWORD PTR SS:[EAX+2726F],4096B4
101B40AA 36:C780 92830200 B9964000 MOV DWORD PTR SS:[EAX+28392],4096B9
101B40B5 36:C780 3D6C0200 47D71500 MOV DWORD PTR SS:[EAX+26C3D],15D747
101B40C0 36:C780 98720200 B8584E00 MOV DWORD PTR SS:[EAX+27298],4E58B8
101B40CB 36:C780 00CC0200 E3A54900 MOV DWORD PTR SS:[EAX+2CC00],49A5E3
101B40D6 36:C780 F3CB0200 7C735A00 MOV DWORD PTR SS:[EAX+2CBF3],5A737C
101B40E1 36:C780 0DCC0200 7C735A00 MOV DWORD PTR SS:[EAX+2CC0D],5A737C
101B40EC 36:C780 3C730200 AB1B4100 MOV DWORD PTR SS:[EAX+2733C],411BAB
101B40F7 36:C780 52ED0200 B01B4100 MOV DWORD PTR SS:[EAX+2ED52],411BB0
101B4102 36:C780 27EE0200 55DE4200 MOV DWORD PTR SS:[EAX+2EE27],42DE55
101B410D 36:C780 65730200 50DE4200 MOV DWORD PTR SS:[EAX+27365],42DE50
101B4118 36:C780 8E730200 A7FB4500 MOV DWORD PTR SS:[EAX+2738E],45FBA7
101B4123 36:C780 E5EF0200 ACFB4500 MOV DWORD PTR SS:[EAX+2EFE5],45FBAC
101B412E 36:C780 0FCF0100 CC1B5B00 MOV DWORD PTR SS:[EAX+1CF0F],5B1BCC
101B4139 36:C780 13730200 725D4B00 MOV DWORD PTR SS:[EAX+27313],4B5D72
101B4144 36:C780 21D80200 775D4B00 MOV DWORD PTR SS:[EAX+2D821],4B5D77
101B414F 36:C780 EA720200 43C14A00 MOV DWORD PTR SS:[EAX+272EA],4AC143
101B415A 36:C780 75D70200 48C14A00 MOV DWORD PTR SS:[EAX+2D775],4AC148
101B4165 36:C780 7AD70200 D0584B00 MOV DWORD PTR SS:[EAX+2D77A],4B58D0
101B4170 36:C780 D3740200 081E5B00 MOV DWORD PTR SS:[EAX+274D3],5B1E08
101B417B 36:C780 B7730200 631A4600 MOV DWORD PTR SS:[EAX+273B7],461A63
101B4186 36:C780 E0730200 C0394100 MOV DWORD PTR SS:[EAX+273E0],4139C0
101B4191 36:C780 09740200 5B3A4100 MOV DWORD PTR SS:[EAX+27409],413A5B
101B419C 36:C780 32740200 C9014200 MOV DWORD PTR SS:[EAX+27432],4201C9
101B41A7 36:C780 5B740200 8EDB4200 MOV DWORD PTR SS:[EAX+2745B],42DB8E
101B41B2 36:C780 84740200 13A24300 MOV DWORD PTR SS:[EAX+27484],43A213
101B41BD 36:C780 AD740200 146E4300 MOV DWORD PTR SS:[EAX+274AD],436E14
101B41C8 36:C780 E0CC0200 10F04C00 MOV DWORD PTR SS:[EAX+2CCE0],4CF010
101B41D3 36:C780 22EE0200 A4E15900 MOV DWORD PTR SS:[EAX+2EE22],59E1A4
101B41DE 36:C780 E0EF0200 A40E5A00 MOV DWORD PTR SS:[EAX+2EFE0],5A0EA4
101B41E9 36:C780 4DED0200 98DE5900 MOV DWORD PTR SS:[EAX+2ED4D],59DE98
101B41F4 36:C680 20CE0200 C4 MOV BYTE PTR SS:[EAX+2CE20],0C4
101B41FC 36:C680 2ACE0200 CC MOV BYTE PTR SS:[EAX+2CE2A],0CC
101B4204 36:C680 5FB30200 C4 MOV BYTE PTR SS:[EAX+2B35F],0C4
101B420C 36:C680 75B30200 CC MOV BYTE PTR SS:[EAX+2B375],0CC
101B4214 36:C680 8CBC0200 C4 MOV BYTE PTR SS:[EAX+2BC8C],0C4
101B421C 36:C680 A7BC0200 CC MOV BYTE PTR SS:[EAX+2BCA7],0CC
101B4224 36:C680 2D9C0200 E9 MOV BYTE PTR SS:[EAX+29C2D],0E9
101B422C 36:C780 2E9C0200 BF0D0000 MOV DWORD PTR SS:[EAX+29C2E],0DBF
101B4237 36:C680 329C0200 90 MOV BYTE PTR SS:[EAX+29C32],90
101B423F 05 4D120400 ADD EAX,4124D
101B4244 50 PUSH EAX
101B4245 813D A1584E00 43365498 CMP DWORD PTR DS:[4E58A1],98543643
101B424F 75 05 JNE SHORT 101B4256
101B4251 B8 FF010000 MOV EAX,1FF
101B4256 C3 RETN
101B4257 0000 ADD BYTE PTR DS:[EAX],AL
写完后保存一下吧（当然不保存也可以，只是习惯）。另外留意一下结尾那段：ADD EAX,4124D 之后再次比对特征值，不匹配时直接 RETN，这时 EAX 里是基址+4124D 而不是原来的 0，也就是说 WonderWall 会拿到一个非零的“版本号”。如果要保持原来“识别不了就返回 0”的语义，应该在不匹配的分支里补一个 XOR EAX,EAX 再 RETN（例如：CMP → MOV EAX,1FF → JE 到 RETN → XOR EAX,EAX → RETN）。
OD 重新载入，停在 UPX 的入口点。
CPU Disasm
地址 十六进制数据 指令 注释
101B2AC0 807C24 08 01 CMP BYTE PTR SS:[ESP+8],1
101B2AC5 0F85 E2010000 JNE 101B2CAD
101B2ACB 60 PUSHAD
101B2ACC BE 00C01110 MOV ESI,1011C000
101B2AD1 8DBE 0050EEFF LEA EDI,[ESI+FFEE5000]
101B2AD7 57 PUSH EDI
101B2AD8 83CD FF OR EBP,FFFFFFFF
101B2ADB EB 0D JMP SHORT 101B2AEA
101B2ADD 90 NOP
101B2ADE 90 NOP
101B2ADF 90 NOP
101B2AE0 8A06 MOV AL,BYTE PTR DS:[ESI]
101B2AE2 46 INC ESI
101B2AE3 8807 MOV BYTE PTR DS:[EDI],AL
101B2AE5 47 INC EDI
101B2AE6 01DB ADD EBX,EBX
101B2AE8 75 07 JNE SHORT 101B2AF1
101B2AEA 8B1E MOV EBX,DWORD PTR DS:[ESI]
101B2AEC 83EE FC SUB ESI,-4
101B2AEF 11DB ADC EBX,EBX
说好了不脱壳，但代码还是要改的。
往下找，找到 UPX 解压完毕的地方。
CPU Disasm
地址 十六进制数据 指令 注释
101B2C9E 58 POP EAX
101B2C9F 61 POPAD
101B2CA0 8D4424 80 LEA EAX,[ESP-80]
101B2CA4 6A 00 PUSH 0
101B2CA6 39C4 CMP ESP,EAX
101B2CA8 ^ 75 FA JNE SHORT 101B2CA4
101B2CAA 83EC 80 SUB ESP,-80
101B2CAD ^ E9 471AF6FF JMP 101146F9
101B2CB2 0000 ADD BYTE PTR DS:[EAX],AL
这个很熟悉的 JMP 就是跳回原 OEP 的那条跳转了，这里我们改一点代码。因为改动放在 UPX 解压完成之后、跳回 OEP 之前执行，所以此时 10041249 处已经是解压后的字节，可以直接写。
CPU Disasm
地址 十六进制数据 指令 注释
101B2CAA 83EC 80 SUB ESP,-80
101B2CAD 8B44E4 04 MOV EAX,DWORD PTR SS:[ESP+4] ; 这里原来是jmp,[esp+4]是基址的指针
101B2CB1 36:C780 49120400 E32D1700 MOV DWORD PTR SS:[EAX+41249],172DE3 ; [EAX+41249]s是WW判断完E版本的jmp
101B2CBC 05 F9461100 ADD EAX,1146F9 ; JMP 101146F9 所以这里是基址+1146F9
101B2CC1 50 PUSH EAX ; push ret 跳 当然jmp也没问题的
101B2CC2 C3 RETN ; 起跳
101B2CC3 0000 ADD BYTE PTR DS:[EAX],AL
101B2CC5 0000 ADD BYTE PTR DS:[EAX],AL
101B2CC7 0000 ADD BYTE PTR DS:[EAX],AL
上面这段代码的目的是：在 WonderWall 判断完 E 版本、并且不是 WonderWall 支持的版本时，跳到刚加的那个区段去（写入的 172DE3 正是从 1004124D 到 101B4030 的相对偏移）。
看看原来的代码，不全贴，只贴关键部分。
MOV DWORD PTR SS:[EAX+41249],172DE3
CPU Dump 执行MOV DWORD PTR SS:[EAX+41249],172DE3 之前
地址 十六进制数据 指令 注释
10041230 3945 F8 CMP DWORD PTR SS:[EBP-8],EAX
10041233 0F85 0A000000 JNE 10041243
10041239 B8 92010000 MOV EAX,192
1004123E E9 0A000000 JMP 1004124D
10041243 B8 00000000 MOV EAX,0 ; WonderWall识别不了的版本返回0
10041248 E9 00000000 JMP 1004124D ;注意这里
1004124D 8BE5 MOV ESP,EBP
1004124F 5D POP EBP
10041250 C3 RETN
CPU Dump 执行MOV DWORD PTR SS:[EAX+41249],172DE3 之后
地址 十六进制数据 指令 注释
10041230 3945 F8 CMP DWORD PTR SS:[EBP-8],EAX
10041233 0F85 0A000000 JNE 10041243
10041239 B8 92010000 MOV EAX,192
1004123E E9 0A000000 JMP 1004124D
10041243 B8 00000000 MOV EAX,0 ; WonderWall识别不了的版本返回0
10041248 E9 E32D1700 JMP 101B4030 ; 注意这里
1004124D 8BE5 MOV ESP,EBP
1004124F 5D POP EBP
10041250 C3 RETN
再次保存，就大功告成了~~ 注意上面这些地址和 98543643 这个特征值只对这一版 E 有效，E 再更新时需要重新定位并重复以上步骤。