1.查壳 2.find OEP 3.dump 4.fix

 

die查壳:

PECompact(3.02.2)脱壳记录_ide


 

 

 

 x32dbg调试脱壳,找OEP:

入口点:

mov eax,idaprohelper.44B51C
push eax
push dword ptr fs:[0]
mov dword ptr fs:[0],esp
xor eax,eax
mov dword ptr ds:[eax],ecx

PECompact(3.02.2)脱壳记录_技术_02

seh异常处理函数

PECompact(3.02.2)脱壳记录_技术_03

 

 

设置忽略异常

PECompact(3.02.2)脱壳记录_ide_04

 

 

异常处理函数下断,运行

 PECompact(3.02.2)脱壳记录_ide_05

 

 SEH异常相关结构

EXCEPTION_DISPOSITION __cdecl _except_handler(
        _In_ struct _EXCEPTION_RECORD* _ExceptionRecord,
        _In_ void*                     _EstablisherFrame,
        _Inout_ struct _CONTEXT*       _ContextRecord,
        _Inout_ void*                  _DispatcherContext
        );

typedef struct _EXCEPTION_RECORD {
    DWORD    ExceptionCode;//+0
    DWORD ExceptionFlags;//+4
    struct _EXCEPTION_RECORD *ExceptionRecord;//+8
    PVOID ExceptionAddress;//+c
    DWORD NumberParameters;
    ULONG_PTR ExceptionInformation[EXCEPTION_MAXIMUM_PARAMETERS];
} EXCEPTION_RECORD;

// Exception disposition return values
typedef enum _EXCEPTION_DISPOSITION
{
    ExceptionContinueExecution,
    ExceptionContinueSearch,
    ExceptionNestedException,
    ExceptionCollidedUnwind
} EXCEPTION_DISPOSITION;

 

mov eax,0xF044A2A1
lea ecx,dword ptr ds:[eax+0x1000129E]
mov dword ptr ds:[ecx+0x1],eax
mov edx,dword ptr ss:[esp+0x4]                     //_ExceptionRecord
mov edx,dword ptr ds:[edx+0xC]                     //ExceptionAddress
mov byte ptr ds:[edx],0xE9                         //0xe9jmp
add edx,0x5                                           //jmp xxxx指令长度 
sub ecx,edx                 //与jmp跳转目标地址的相对偏移(去除当前指令长度)
mov dword ptr ds:[edx-0x4],ecx        //构造jmp指令的目标地址
xor eax,eax                               // ExceptionContinueExecution
ret 

ExceptionAddress patch为jmp跳转

PECompact(3.02.2)脱壳记录_异常处理_06

 

 PECompact(3.02.2)脱壳记录_异常处理_07

 

 

修补jmp指令:

PECompact(3.02.2)脱壳记录_2d_08

 

 

修补jmp指令后:

PECompact(3.02.2)脱壳记录_2d_09

 

 

异常处理函数结束,原异常地址下断,

PECompact(3.02.2)脱壳记录_运行报错_10

 

运行:

PECompact(3.02.2)脱壳记录_运行报错_11

 

 

取消断点,单步

PECompact(3.02.2)脱壳记录_2d_12

一直单步

PECompact(3.02.2)脱壳记录_异常处理_13

 

 

Jmp eax后来到OEP

PECompact(3.02.2)脱壳记录_异常处理_14


 

Dump

PECompact(3.02.2)脱壳记录_ide_15

 

 

脱壳后直接运行报错:

PECompact(3.02.2)脱壳记录_2d_16

 

 

修复:

新开程序:

PECompact(3.02.2)脱壳记录_ide_17

 

 

脱壳后

PECompact(3.02.2)脱壳记录_运行报错_18

 

 PECompact(3.02.2)脱壳记录_技术_19


 

 

 

PECompact简单的压缩壳,脱壳没什么难度。