Hands-on: unpacking and repairing a redirected IAT

Preface: I spent two days on the concept of IAT / IID redirection and it is still a little fuzzy. I started by working through it by hand and slowly got a feel for it; what follows is my own understanding of it.

Target: UnPackMe_YodasCrypter1.3.e.exe

The unpacking process:

1. Load the target in OllyDbg (OD). Execution stops at the entry point shown below, with the PUSHAD marked in red. Use the ESP trick (step over the PUSHAD, then set a hardware breakpoint on access at the address now in ESP; the packer's matching POPAD will read it back) to try to reach the OEP.

2. Press F9 once and we stop at the location shown below. This is not yet the OEP, but it is not far from it. From here, set a memory breakpoint on access on the code section.

3. Press F9 again. The breakpoint fires at the OEP, so at this point the unpacking itself is done.

OEP is 004271B0: 55 PUSH EBP

4. Dump the process (PE Tools is used here). The dump produces an error when opened, so the IAT has to be repaired.

5. Reload the dumped program: it cannot even reach the OEP and errors out. Follow 004271B0 and look at the IAT it references. In a normal program every IAT slot holds the address of an imported API function. After redirection the slot no longer holds the API address but a pointer into memory allocated by the shell; the code at that location belongs to the shell and only from there does control return to the real API. As the figure shows, after redirection the IAT is filled with redirect addresses instead of API addresses.

So the way to deal with these encrypted IAT entries is to find the jump that decides whether an entry gets encrypted (the so-called Magic Jump) and force it into an unconditional JMP, so that the IAT is never encrypted and the dump can be repaired.

For that we need the start and end addresses of the IAT, read from the unpacked program after unpacking has finished:

Start of the table: 00460818 (contents 0014329A)

End of the table: 00460F28 (contents 00000000, the terminator)

The difference is 710h bytes, i.e. 0x710 / 4 = 452 dword slots.

6. Reload the packed program; now we need to locate its IAT. In the data window search for the expression 460818, then set a memory breakpoint on write over 460818 to 460F28. The reason is that right after loading, while the shell is still in control, the table is still encrypted; once the program runs, the IAT slots are overwritten with the redirected addresses, and that overwrite is a write, so a memory write breakpoint catches it. With the breakpoint set, press F9, and as the figure shows we land on the first API address that is about to be modified:

00465730 8902 MOV DWORD PTR DS:[EDX],EAX ; WINMM.PlaySoundA

7. Continue with F8 to the point in the figure below. The instruction marked in red is where the slot in the IAT gets rewritten with the redirected address, so we NOP it, letting the jump below skip over it so that no redirection is performed.

8. Then press F9 to run the program. The program breaks immediately, but the current IAT can still be retrieved, and this time the IAT is correct, so the repair succeeds.
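The repair that steps 5 to 8 perform by hand in OllyDbg (read each IAT slot, decide whether it already holds an API address or a pointer into the shell's memory, and put the real API address back) can also be done offline against the dump. The Python below is an added example written for this page, not code from the original post or from yoda's Crypter: it models a memory image as sparse regions, walks the IAT from the page's 00460818 to the 00000000 terminator, treats any value that lies inside a DLL image as already correct, and follows a few common trampoline shapes (JMP rel32, PUSH imm32 / RET, MOV EAX,imm32 / JMP EAX) until it lands in a DLL, the way an import-reconstruction tracer does. The module bases, the export addresses, the shell region at 00143000, the six-slot table and the stub encodings are all constructed assumptions; the real shell's stubs are not on the page, so any slot the resolver does not understand is reported as UNRESOLVED rather than guessed. It generalises the single PlaySoundA slot shown above to the whole table.

```python
import struct

# Constructed module map (name -> image base, size) and export map. Bases and
# API addresses are hypothetical; the page itself names only WINMM.PlaySoundA.
MODULES = {"WINMM": (0x76B20000, 0x30000), "KERNEL32": (0x7C800000, 0xF6000)}
EXPORTS = {0x76B2A5B0: "WINMM.PlaySoundA", 0x7C801D7B: "KERNEL32.LoadLibraryA",
           0x7C80AE30: "KERNEL32.GetProcAddress"}
IAT_START = 0x00460818  # first IAT slot in the unpacked dump (page value)
IAT_END = 0x00460F28    # slot holding the final 00000000 terminator (page value)


class Memory:
    """Sparse little-endian memory assembled from (base, bytes) regions."""
    def __init__(self, regions):
        self.regions = {base: bytearray(data) for base, data in regions}

    def _locate(self, addr, n):
        for base, buf in self.regions.items():
            if base <= addr and addr + n <= base + len(buf):
                return buf, addr - base
        raise KeyError(f"unmapped address {addr:#010x}")

    def read(self, addr, n):
        buf, off = self._locate(addr, n)
        return bytes(buf[off:off + n])

    def read_u32(self, addr):
        return struct.unpack("<I", self.read(addr, 4))[0]

    def write_u32(self, addr, value):
        buf, off = self._locate(addr, 4)
        buf[off:off + 4] = struct.pack("<I", value)


def in_module(addr):
    """True if addr lies inside a loaded DLL image, i.e. is a plausible API."""
    return any(base <= addr < base + size for base, size in MODULES.values())


def follow_stub(mem, addr, max_hops=8):
    """Follow a redirect stub chain until an address inside a DLL is reached.
    Stub shapes handled are hypothetical, not yoda's Crypter's actual stubs.
    Returns the API address, or None if the chain is not understood."""
    for _ in range(max_hops):
        if in_module(addr):
            return addr
        try:
            code = mem.read(addr, 7)
        except KeyError:
            return None
        if code[0] == 0xE9:                                 # JMP rel32
            addr = (addr + 5 + struct.unpack("<i", code[1:5])[0]) & 0xFFFFFFFF
        elif code[0] == 0x68 and code[5] == 0xC3:           # PUSH imm32 / RET
            addr = struct.unpack("<I", code[1:5])[0]
        elif code[0] == 0xB8 and code[5:7] == b"\xFF\xE0":  # MOV EAX,imm32 / JMP EAX
            addr = struct.unpack("<I", code[1:5])[0]
        else:
            return None
    return None


def repair_iat(mem, start=IAT_START, end=IAT_END):
    """Walk the IAT slot by slot and rewrite redirected slots in place. Zero
    slots separate DLL groups and end the table. Returns one
    (slot, old, new, name) tuple per slot; new is None if unresolved."""
    report = []
    for slot in range(start, end + 4, 4):
        value = mem.read_u32(slot)
        if value == 0:
            report.append((slot, value, value, "<terminator>"))
            continue
        fixed = value if in_module(value) else follow_stub(mem, value)
        if fixed is None:
            report.append((slot, value, None, "UNRESOLVED"))  # left for manual tracing
            continue
        if fixed != value:
            mem.write_u32(slot, fixed)
        report.append((slot, value, fixed, EXPORTS.get(fixed, "?")))
    return report


def build_sample():
    """Constructed image: shell stubs plus a six-slot IAT fragment at IAT_START.
    Returns (memory, address of the terminator slot)."""
    shell_base, shell = 0x00143000, bytearray(0x400)

    def put(addr, data):
        shell[addr - shell_base:addr - shell_base + len(data)] = data

    def jmp_rel32(src, dst):
        return b"\xE9" + struct.pack("<I", (dst - (src + 5)) & 0xFFFFFFFF)
    put(0x0014329A, jmp_rel32(0x0014329A, 0x76B2A5B0))                  # -> PlaySoundA
    put(0x001432A0, b"\x68" + struct.pack("<I", 0x7C801D7B) + b"\xC3")  # PUSH/RET
    put(0x001432A8, b"\xB8" + struct.pack("<I", 0x001432B0) + b"\xFF\xE0")
    put(0x001432B0, jmp_rel32(0x001432B0, 0x7C80AE30))                  # second hop
    put(0x001432C0, b"\xCC" * 7)                                         # unknown stub
    slots = [0x0014329A, 0x001432A0, 0x001432A8, 0x7C801D7B, 0x001432C0, 0]
    mem = Memory([(shell_base, shell),
                  (IAT_START, b"".join(struct.pack("<I", v) for v in slots))])
    return mem, IAT_START + 4 * (len(slots) - 1)


if __name__ == "__main__":
    mem, end = build_sample()
    for slot, old, new, name in repair_iat(mem, IAT_START, end):
        fixed = "--------" if new is None else f"{new:08X}"
        print(f"{slot:08X}  {old:08X} -> {fixed}  {name}")
```

Run it directly to get a slot-by-slot report of what was rewritten. Against a real dump you would feed MODULES from the debugger's module list, build the memory from the dump and the shell's allocated region, and hand the UNRESOLVED slots to manual tracing in the debugger as in step 7; a resolver that guessed at unknown stubs would silently plant wrong addresses in the repaired IAT.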


Origin: www.cnblogs.com/zpchcbd/p/12111435.html