I have an exe application that contains three files. I know how those files were named before packing, and I have about 80% of the packed files and some of the main executable's binary code. I also found that on execution it creates and uses two files in \AppData\Local\Temp\ named MBX@pid@3bytes.### which, I believe, contain the application's entry. When I scan the file header with PEiD I get Nothing found [Overlay] *.
That is my objdump result:
application.exe: file format pei-i386
architecture: i386, flags 0x00000102:
EXEC_P, D_PAGED
start address 0x0083db33
Characteristics 0x30f
relocations stripped
executable
line numbers stripped
symbols stripped
32 bit words
debugging information removed
Time/Date Tue Dec 8 10:45:51 2009
Magic 010b (PE32)
MajorLinkerVersion 6
MinorLinkerVersion 0
SizeOfCode 00000000
SizeOfInitializedData 00150000
SizeOfUninitializedData 00000000
AddressOfEntryPoint 0043db33
BaseOfCode 0043c000
BaseOfData 001b2000
ImageBase 00400000
SectionAlignment 00001000
FileAlignment 00001000
MajorOSystemVersion 4
MinorOSystemVersion 0
MajorImageVersion 0
MinorImageVersion 0
MajorSubsystemVersion 4
MinorSubsystemVersion 0
Win32Version 00000000
SizeOfImage 00457000
SizeOfHeaders 00001000
CheckSum 00000000
Subsystem 00000002 (Windows GUI)
DllCharacteristics 00000000
SizeOfStackReserve 00100000
SizeOfStackCommit 00001000
SizeOfHeapReserve 00100000
SizeOfHeapCommit 00001000
LoaderFlags 00000000
NumberOfRvaAndSizes 00000010
The Data Directory
Entry 0 00000000 00000000 Export Directory [.edata (or where ever we found it)]
Entry 1 0044eb2c 0000003c Import Directory [parts of .idata]
Entry 2 003dc000 0005e81a Resource Directory [.rsrc]
Entry 3 00000000 00000000 Exception Directory [.pdata]
Entry 4 00000000 00000000 Security Directory
Entry 5 00000000 00000000 Base Relocation Directory [.reloc]
Entry 6 00000000 00000000 Debug Directory
Entry 7 00000000 00000000 Description Directory
Entry 8 00000000 00000000 Special Directory
Entry 9 00000000 00000000 Thread Storage Directory [.tls]
Entry a 00000000 00000000 Load Configuration Directory
Entry b 00000000 00000000 Bound Import Directory
Entry c 0044e000 0000005c Import Address Table Directory
Entry d 0022c5f8 00000060 Delay Import Directory
Entry e 00000000 00000000 CLR Runtime Header
Entry f 00000000 00000000 Reserved
There is an import table in 6 at 0x84eb2c
The Import Tables (interpreted 6 section contents)
vma: Hint Time Forward DLL First
Table Stamp Chain Name Thunk
0044eb2c 0044eb68 00000000 00000000 0044ecb8 0044e000
DLL Name: KERNEL32.dll
vma: Hint/Ord Member-Name Bound-To
44ebc4 537 InitializeCriticalSection
44ebe0 408 GetProcAddress
44ebf2 594 LocalFree
44ebfe 667 RaiseException
44ec10 590 LocalAlloc
44ec1e 375 GetModuleHandleA
44ec32 583 LeaveCriticalSection
44ec4a 143 EnterCriticalSection
44ec62 429 GetShortPathNameA
44ec76 709 ResumeThread
44ec86 925 WriteProcessMemory
44ec9c 400 GetPrivateProfileSectionA
44ed52 434 GetStringTypeA
44ed42 571 LCMapStringW
44ed32 570 LCMapStringA
44ecfa 714 RtlUnwind
44ed06 903 WideCharToMultiByte
44ed1c 619 MultiByteToWideChar
44ed64 437 GetStringTypeW
0044eb40 0044ebb8 00000000 00000000 0044ecee 0044e050
DLL Name: USER32.dll
vma: Hint/Ord Member-Name Bound-To
44ecc6 142 DefWindowProcA
44ecd8 2 AdjustWindowRectEx
0044eb54 00000000 00000000 00000000 00000000 00000000
Sections:
Idx Name Size VMA LMA File off Algn
0 0 000b7000 00401000 00401000 00001000 2**2
CONTENTS, ALLOC, LOAD, CODE, DATA
1 1 00029000 005b2000 005b2000 000b8000 2**2
CONTENTS, ALLOC, LOAD, CODE, DATA
2 2 00001000 0062f000 0062f000 000e1000 2**2
CONTENTS, ALLOC, LOAD, CODE, DATA
3 3 0005e81a 007dc000 007dc000 000e2000 2**2
CONTENTS, ALLOC, LOAD, CODE, DATA
4 4 00001000 0083b000 0083b000 00141000 2**2
CONTENTS, ALLOC, LOAD, CODE, DATA
5 5 0000c000 0083c000 0083c000 00142000 2**2
CONTENTS, ALLOC, LOAD, CODE, DATA
6 6 00000d76 0084e000 0084e000 0014e000 2**2
CONTENTS, ALLOC, LOAD, CODE, DATA
7 7 00002000 0084f000 0084f000 0014f000 2**2
CONTENTS, ALLOC, LOAD, CODE, DATA
The result I am hoping for is the files unpacked from the executable.

Update

I used FastScanner 3.0 on this application and found that, like the previous one, it is packed with MoleBox Pro. That is all FastScanner guesses (the same as with the previous application).

So everything seems to be the same as before, but the binary is different and I cannot unpack it in any way, whereas with the previous application it was not a problem at all. MoleBox has long been dead, so I suspect it was packed with a newer version. I also messed around with OllyDbg and found that the application has its entry point in those two files I mentioned earlier.
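As an added illustration (editor's example, not code from the poster or from any unpacking tool), the script below reads the same PE32 header fields that objdump printed above and reports the indicators an analyst looks at when triaging a packed sample: which section the entry point falls in, whether SizeOfCode is zero, non-standard section names, sections mapped writable and executable, and bytes appended after the last section (the "overlay" PEiD mentioned). It builds a small constructed PE image with the same shape as the post's dump (numeric section names, SizeOfCode 0, an overlay); the image, its names and values are made up for the example and are not the poster's binary.

```python
import struct

# Section characteristic flags from the PE specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data: bytes) -> dict:
    """Parse DOS, COFF, optional (PE32) and section headers; compute overlay size."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _ts, _symptr, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("this example only handles PE32 (Magic 010b)")
    size_of_code = struct.unpack_from("<I", data, opt + 4)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    sections, shdr = [], opt + opt_size
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, shdr + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "vaddr": vaddr, "rawsize": rawsize,
                         "rawptr": rawptr, "chars": chars})
    end_of_sections = max((s["rawptr"] + s["rawsize"] for s in sections if s["rawsize"]), default=0)
    return {"entry_rva": entry_rva, "image_base": image_base, "size_of_code": size_of_code,
            "sections": sections, "overlay_size": max(0, len(data) - end_of_sections)}


def triage(data: bytes) -> dict:
    """Return the entry-point section and a list of packer indicators found in the headers."""
    pe = parse_pe(data)
    findings, entry_section = [], None
    for s in pe["sections"]:
        if s["vaddr"] <= pe["entry_rva"] < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            entry_section = s["name"]
    if entry_section is None:
        findings.append("entry point lies outside every section")
    if pe["size_of_code"] == 0:
        findings.append("SizeOfCode is 0")
    for s in pe["sections"]:
        if not s["name"].startswith("."):
            findings.append(f"non-standard section name {s['name']!r}")
        if s["chars"] & (IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE) == (IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE):
            findings.append(f"section {s['name']!r} is writable and executable")
    if pe["overlay_size"]:
        findings.append(f"{pe['overlay_size']} bytes of overlay after the last section")
    return {"entry_section": entry_section,
            "entry_va": pe["image_base"] + pe["entry_rva"], "findings": findings}


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 image shaped like the post's dump; filler bytes, not real code."""
    e_lfanew, headers_size, raw_size = 0x80, 0x400, 0x200
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    layout = [(b"0", 0x1000), (b"1", 0x2000)]          # numeric names, as in the post
    coff = struct.pack("<HHIIIHH", 0x14C, len(layout), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    for off, fmt, val in [(0, "<H", 0x10B), (4, "<I", 0), (16, "<I", 0x2010), (20, "<I", 0x1000),
                          (24, "<I", 0x2000), (28, "<I", 0x400000), (32, "<I", 0x1000),
                          (36, "<I", 0x200), (56, "<I", 0x3000), (60, "<I", headers_size),
                          (68, "<H", 2), (92, "<I", 16)]:
        struct.pack_into(fmt, opt, off, val)            # Magic, SizeOfCode=0, entry, bases, alignments...
    chars = (IMAGE_SCN_CNT_CODE | IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_EXECUTE
             | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)  # CODE+DATA, RWX like the dump
    shdrs, raw = b"", b""
    for i, (name, rva) in enumerate(layout):
        shdrs += struct.pack("<8sIIIIIIHHI", name, raw_size, rva, raw_size,
                             headers_size + i * raw_size, 0, 0, 0, 0, chars)
        raw += b"\xcc" * raw_size                        # constructed filler
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + shdrs).ljust(headers_size, b"\0")
    return headers + raw + b"OVERLAY-PLACEHOLDER".ljust(64, b"\0")  # 64-byte constructed overlay


if __name__ == "__main__":
    result = triage(build_sample_pe())
    print(f"entry point 0x{result['entry_va']:08x} in section {result['entry_section']!r}")
    for f in result["findings"]:
        print(" -", f)
```

Pointing `triage()` at a real file (`open(path, "rb").read()`) gives the same kind of report for a sample like the one in the post; in that dump the entry point RVA 0x43db33 falls in section 5, well away from BaseOfCode, and every section carries both CODE and DATA flags, which is the header shape a packer stub typically leaves behind.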