镜像基址的变换
查找重定位-reloc
过程（每个重定位项占 2 字节：高 4 位为类型，3 表示 HIGHLOW，低 12 位为页内偏移；减去 3000 去掉类型，加上该块的页 RVA B000，再加映像基址 400000，即得需要修正的地址）:
第一个
343B-3000=043B+B000=B43B
B43B+400000=40B43B
第二个
3457-3000=0457+B000=B457
B457+400000=40B457
映像基址修改代码
; Relocation fixup stub (variant 1): locate the PE image that contains this
; code, walk the base-relocation data directory and rebase every entry from
; image base 0x00400000 to 0x10000000 via the helper at 004A2390.
; Reviewer notes: the stub writes straight into the target pages, so it
; presumably assumes they are writable; and the exit path below reaches popad
; with five dwords still pushed (see 004A238A) - both worth confirming.
004A2321 60 pushad  ; save all general registers
004A2322 E8 00000000 call 004A2327  ; call the next instruction: pushes EIP
004A2327 58 pop eax  ; eax = current address (position-independent trick)
004A2328 25 00F0FFFF and eax, -0x1000  ; round down to a page boundary
004A232D 66:8138 4D5A cmp word ptr [eax], 0x5A4D  ; "MZ" at the start of this page?
004A2332 74 07 je short 004A233B  ; yes: eax is the image base
004A2334 2D 00100000 sub eax, 0x1000  ; no: step back one page
004A2339 ^ EB F2 jmp short 004A232D  ; and test again (assumes every page down to the header is mapped - TODO confirm)
004A233B 50 push eax  ; [esp] = image base
004A233C 8BD8 mov ebx, eax
004A233E 83C3 3C add ebx, 0x3C  ; &e_lfanew
004A2341 8B1B mov ebx, dword ptr [ebx]  ; ebx = e_lfanew (offset of the PE header)
004A2343 03D8 add ebx, eax  ; ebx = PE header (IMAGE_NT_HEADERS)
004A2345 81C3 A0000000 add ebx, 0xA0  ; +0xA0 = DataDirectory[5] (base relocation) in a 32-bit optional header
004A234B 8B1B mov ebx, dword ptr [ebx]  ; ebx = RVA of the relocation table
004A234D 031C24 add ebx, dword ptr [esp]  ; + image base -> VA of the first relocation block
; block loop: ebx = current block header, [esp] = image base
004A2350 53 push ebx  ; [esp] = block ptr
004A2351 FF33 push dword ptr [ebx]  ; [esp] = block VirtualAddress (page RVA)
004A2353 FF73 04 push dword ptr [ebx+0x4]  ; [esp] = SizeOfBlock
004A2356 8B5424 08 mov edx, dword ptr [esp+0x8]  ; edx = block ptr
004A235A 031424 add edx, dword ptr [esp]  ; edx = block ptr + SizeOfBlock = end of block
004A235D 52 push edx  ; stack is now: end, size, page RVA, block ptr, image base
004A235E 83C3 08 add ebx, 0x8  ; skip the 8-byte block header -> first 16-bit entry
; entry loop: ebx = current entry, edx = end of block
004A2361 33C9 xor ecx, ecx
004A2363 66:8B0B mov cx, word ptr [ebx]  ; cx = entry (type in the top 4 bits, offset in the low 12)
004A2366 81E9 00300000 sub ecx, 0x3000  ; strip type 3 (HIGHLOW); nothing checks that the type really is 3 or that the entry is a zero pad
004A236C 034C24 08 add ecx, dword ptr [esp+0x8]  ; + page RVA
004A2370 034C24 10 add ecx, dword ptr [esp+0x10]  ; + image base -> VA of the dword to patch
004A2374 E8 17000000 call 004A2390  ; rebase the dword at [ecx]
004A2379 83C3 02 add ebx, 0x2  ; next entry
004A237C 3BDA cmp ebx, edx
004A237E ^ 7C E1 jl short 004A2361  ; until the end of the block (ebx then points at the next block header)
004A2380 833A 00 cmp dword ptr [edx], 0x0  ; next block's VirtualAddress == 0 -> end of table
004A2383 74 05 je short 004A238A
004A2385 83C4 10 add esp, 0x10  ; drop end/size/page RVA/block ptr; the image base stays
004A2388 ^ EB C6 jmp short 004A2350  ; process the next block
004A238A 61 popad  ; NOTE(review): reached with 5 extra dwords on the stack (4 loop values + image base), so the values restored here look wrong - confirm
004A238B - E9 81EDC610 jmp 11111111  ; target 11111111 is a placeholder, to be patched to the real continuation
; Helper: rebase one 32-bit pointer at [ecx] from old base 0x00400000 to new
; base 0x10000000 (net delta +0x0FC00000). Both bases are hard-coded; the
; "MZP" annotation is the debugger reading the bytes at 0x00400000, i.e. a DOS
; header currently sits at that address.
004A2390 8129 00004000 sub dword ptr [ecx], 00400000 ; ASCII "MZP"  ; subtract the old base
004A2396 8101 00000010 add dword ptr [ecx], 0x10000000  ; add the new base
004A239C C3 retn
二进制:60 E8 00 00 00 00 58 25 00 F0 FF FF 66 81 38 4D 5A 74 07 2D 00 10 00 00 EB F2 50 8B D8 83 C3 3C 8B 1B 03 D8 81 C3 A0 00 00 00 8B 1B 03 1C 24 53 FF 33 FF 73 04 8B 54 24 08 03 14 24 52 83 C3 08 33 C9 66 8B 0B 81 E9 00 30 00 00 03 4C 24 08 03 4C 24 10 E8 17 00 00 00 83 C3 02 3B DA 7C E1 83 3A 00 74 05 83 C4 10 EB C6 61 E9 81 ED C6 10 81 29 00 00 40 00 81 01 00 00 00 10 C3
; Relocation fixup stub (variant 2, here already running at base 0x10000000):
; same idea as the 004A2321 stub, but with a hand-rolled register save area
; instead of pushad, skipping of zero padding entries, and an idempotency
; guard in the helper at 100A22A8.
100A2209 . 55 push ebp  ; caller's ebp; restored at 100A22EA
100A220A . 89E5 mov ebp, esp
100A220C . 51 push ecx  ; ecx is used as a loop counter below; restored at 100A22FD
100A220D . B9 08000000 mov ecx, 0x8
100A2212 > 6A 00 push 0x0  ; reserve 8 dwords (0x20 bytes) as a pushad-style save area
100A2214 . 49 dec ecx
100A2215 .^ 75 FB jnz short 100A2212
100A2217 . 8B4C24 20 mov ecx, dword ptr [esp+0x20]  ; reload the original ecx (pushed at 100A220C)
100A221B . 8944E4 1C mov dword ptr [esp+0x1C], eax  ; fill the save area in pushad order: eax, ebx, ecx, edx, esp, ebp, esi, edi
100A221F . 895CE4 18 mov dword ptr [esp+0x18], ebx  ; (SIB byte E4 has no index register, so this is plain [esp+disp8])
100A2223 . 894CE4 14 mov dword ptr [esp+0x14], ecx
100A2227 . 8954E4 10 mov dword ptr [esp+0x10], edx
100A222B . 8964E4 0C mov dword ptr [esp+0xC], esp  ; saves the current esp (after the pushes above), not the value at entry
100A222F . 896CE4 08 mov dword ptr [esp+0x8], ebp
100A2233 . 8974E4 04 mov dword ptr [esp+0x4], esi
100A2237 . 893CE4 mov dword ptr [esp], edi
100A223A . E8 00000000 call 100A223F  ; call the next instruction: pushes EIP
100A223F $ 5B pop ebx  ; ebx = current address
100A2240 . 81E3 00F0FFFF and ebx, -0x1000  ; round down to a page boundary
100A2246 > 66:813B 4D5A cmp word ptr [ebx], 0x5A4D  ; scan backwards page by page for "MZ"
100A224B . 74 08 je short 100A2255  ; found: ebx = image base
100A224D . 81EB 00100000 sub ebx, 0x1000
100A2253 .^ EB F1 jmp short 100A2246
100A2255 > 53 push ebx  ; [esp] = image base
100A2256 . 8BC3 mov eax, ebx
100A2258 . 83C0 3C add eax, 0x3C  ; &e_lfanew
100A225B . 8BCB mov ecx, ebx
100A225D . 0308 add ecx, dword ptr [eax]  ; ecx = PE header (IMAGE_NT_HEADERS)
100A225F . 81C1 A0000000 add ecx, 0xA0  ; DataDirectory[5] (base relocation)
100A2265 . 8B09 mov ecx, dword ptr [ecx]  ; RVA of the relocation table
100A2267 . 030C24 add ecx, dword ptr [esp]  ; + image base -> VA of the first block
100A226A . 6A 00 push 0x0  ; dummy slot; the block loop pops it before pushing the page RVA
; block loop: ecx = current block header, [esp] = previous page RVA (or the dummy), [esp+4] = image base
100A226C > 8339 00 cmp dword ptr [ecx], 0x0  ; VirtualAddress == 0 -> end of table
100A226F . 74 2F je short 100A22A0
100A2271 . 58 pop eax  ; discard the previous page RVA slot
100A2272 . 90 nop
100A2273 . 8B41 04 mov eax, dword ptr [ecx+0x4]  ; SizeOfBlock
100A2276 . 03C1 add eax, ecx  ; eax = end of block
100A2278 . FF31 push dword ptr [ecx]  ; [esp] = page RVA
100A227A . 83C1 08 add ecx, 0x8  ; first 16-bit entry
; entry loop: ecx = current entry, eax = end of block
100A227D > 33D2 xor edx, edx
100A227F . 66:8B11 mov dx, word ptr [ecx]
100A2282 . 80EE 30 sub dh, 0x30  ; strip type 3 (HIGHLOW) from the high byte; same effect as sub edx, 0x3000
100A2285 . 031424 add edx, dword ptr [esp]  ; + page RVA
100A2288 . 035424 04 add edx, dword ptr [esp+0x4]  ; + image base -> VA to patch
100A228C . E8 17000000 call 100A22A8  ; guarded rebase of the dword at [edx]
100A2291 . 90 nop
100A2292 > 41 inc ecx  ; ecx += 2 -> next entry
100A2293 . 41 inc ecx
100A2294 . 3BC8 cmp ecx, eax
100A2296 .^ 74 D4 je short 100A226C  ; reached the end of the block (= next block header) -> block loop
100A2298 . 66:8339 00 cmp word ptr [ecx], 0x0  ; zero padding entry: skip it instead of patching a bogus address
100A229C .^ 74 F4 je short 100A2292
100A229E .^ EB DD jmp short 100A227D
100A22A0 > 83C4 08 add esp, 0x8  ; drop the page RVA slot and the image base
100A22A3 . EB 15 jmp short 100A22BA  ; to the register restore at 100A22BA
100A22A5 90 nop  ; padding between the jmp above and the helper
100A22A6 90 nop
100A22A7 90 nop
; Helper: rebase the 32-bit pointer at [edx] by patching only its high word
; (0x0040 -> 0x1000). The high-byte test skips values that do not look like
; 0x00xxxxxx pointers, so an already rebased value (0x10xxxxxx) is not moved
; twice and the stub can run more than once. A value below 0x00400000 would
; still pass the test and wrap - presumably such values never sit at a
; relocation site; TODO confirm.
100A22A8 /$ 807A 03 00 cmp byte ptr [edx+0x3], 0x0  ; top byte non-zero -> already patched or not an old-base pointer
100A22AC |. 75 0B jnz short 100A22B9  ; leave it untouched
100A22AE |. 66:836A 02 40 sub word ptr [edx+0x2], 0x40  ; high word -= 0x0040 (old base 0x00400000)
100A22B3 |. 66:8142 02 00>add word ptr [edx+0x2], 0x1000  ; high word += 0x1000 (new base 0x10000000); low word untouched
100A22B9 \> C3 retn
; Epilogue: restore the registers from the save area, release it, then restore
; the caller's ebp and ecx. The listing and the byte dump both end here; any
; jump back to the original code is not shown.
100A22BA > 8B44E4 1C mov eax, dword ptr [esp+0x1C]
100A22BE . 8B5CE4 18 mov ebx, dword ptr [esp+0x18]
100A22C2 . 8B4CE4 14 mov ecx, dword ptr [esp+0x14]  ; overwritten again at 100A22FD with the same saved value
100A22C6 . 8B54E4 10 mov edx, dword ptr [esp+0x10]
100A22CA . 8B64E4 0C mov esp, dword ptr [esp+0xC]  ; reload esp from the save area; the pushes/pops above are balanced, so this should be the current value - TODO confirm
100A22CE . 8B6CE4 08 mov ebp, dword ptr [esp+0x8]  ; overwritten again at 100A22EA
100A22D2 . 8B74E4 04 mov esi, dword ptr [esp+0x4]
100A22D6 . 8B3CE4 mov edi, dword ptr [esp]
100A22D9 . B9 00020000 mov ecx, 0x200  ; (0x200 << 6) >> 12 == 8: an indirect way of loading the slot count
100A22DE . C1E1 06 shl ecx, 0x6
100A22E1 . C1E9 0C shr ecx, 0xC
100A22E4 > 83EC FC sub esp, -0x4  ; esp += 4, eight times: release the save area without touching other registers
100A22E7 . 49 dec ecx
100A22E8 .^ 75 FA jnz short 100A22E4
100A22EA . 8B6C24 04 mov ebp, dword ptr [esp+0x4]  ; [esp] = saved ecx, [esp+4] = saved ebp -> restore the caller's ebp
100A22EE . B9 00020000 mov ecx, 0x200  ; ecx = 8 again
100A22F3 . C1E1 06 shl ecx, 0x6
100A22F6 . C1E9 0C shr ecx, 0xC
100A22F9 > 44 inc esp  ; esp += 8 in single-byte steps: drop the saved ecx and saved ebp
100A22FA . 49 dec ecx
100A22FB .^ 75 FC jnz short 100A22F9
100A22FD . 8B4C24 F8 mov ecx, dword ptr [esp-0x8]  ; reads the saved ecx from below esp; nothing here writes the stack in between, but asynchronous dispatch could - verify this is acceptable
二进制: 55 89 E5 51 B9 08 00 00 00 6A 00 49 75 FB 8B 4C 24 20 89 44 E4 1C 89 5C E4 18 89 4C E4 14 89 54
E4 10 89 64 E4 0C 89 6C E4 08 89 74 E4 04 89 3C E4 E8 00 00 00 00 5B 81 E3 00 F0 FF FF 66 81 3B 4D 5A 74 08 81 EB 00 10 00 00 EB F1 53 8B C3 83 C0 3C 8B CB 03 08 81 C1 A0 00 00 00 8B 09 03 0C 24 6A 00 83 39 00 74 2F 58 90 8B 41 04 03 C1 FF 31 83 C1 08 33 D2 66 8B 11 80 EE 30 03 14 24 03 54 24 04 E8 17 00 00 00 90 41 41 3B C8 74 D4 66 83 39 00 74 F4 EB DD 83 C4 08 EB 15 90 90 90 80 7A 03 00 75 0B 66 83 6A 02 40 66 81 42 02 00 10 C3 8B 44 E4 1C 8B 5C E4 18 8B 4C E4 14 8B 54 E4 10 8B 64 E4 0C 8B 6C E4 08 8B 74 E4 04 8B 3C E4 B9 00 02 00 00 C1 E1 06 C1 E9 0C 83 EC FC 49 75 FA 8B 6C 24 04 B9 00 02 00 00 C1 E1 06 C1 E9 0C 44 49 75 FC 8B 4C 24 F8
本文出自 “文东会” 博客,转载请与作者联系!