UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo
It should be UPX, but none of the tools I tried could unpack it. I spent a day unpacking it by hand and still didn't succeed: at every backward jump I press F4 on the next instruction, then look for the next one... Does anyone have a good method or some advice to help me get this packer off?
004437B0 > $ 60 pushad // stub entry: saves all registers; the popad at 0044391B restores them
004437B1 . BE 00004300 mov esi, 00430000
004437B6 . 8DBE 0010FDFF lea edi, dword ptr [esi+FFFD1000] // edi = 00430000 + FFFD1000 = 00401000, the unpack destination
004437BC . 57 push edi
004437BD . 83CD FF or ebp, FFFFFFFF // ebp = -1: last match offset (OR also clears CF)
004437C0 . EB 10 jmp short 004437D2
004437C2 90 nop
004437C3 90 nop
004437C4 90 nop
004437C5 90 nop
004437C6 90 nop
004437C7 90 nop
004437C8 > 8A06 mov al, byte ptr [esi]
004437CA . 46 inc esi
004437CB . 8807 mov byte ptr [edi], al
004437CD . 47 inc edi
004437CE > 01DB add ebx, ebx
004437D0 . 75 07 jnz short 004437D9
004437D2 > 8B1E mov ebx, dword ptr [esi] // bit-buffer reload: next 32 bits of compressed data
004437D4 . 83EE FC sub esi, -4 // esi += 4; subtracting -4 borrows, so CF = 1
004437D7 . 11DB adc ebx, ebx // ebx = word*2 + 1: bit 0 is the sentinel, CF = top bit of the word
004437D9 >^ 72 ED jb short 004437C8 // backward jump: bit 1 = copy one literal byte
004437DB . B8 01000000 mov eax, 1
004437E0 > 01DB add ebx, ebx
004437E2 . 75 07 jnz short 004437EB
004437E4 . 8B1E mov ebx, dword ptr [esi]
004437E6 . 83EE FC sub esi, -4
004437E9 . 11DB adc ebx, ebx
004437EB > 11C0 adc eax, eax
004437ED . 01DB add ebx, ebx
004437EF . 73 0B jnb short 004437FC
004437F1 . 75 19 jnz short 0044380C
004437F3 . 8B1E mov ebx, dword ptr [esi]
004437F5 . 83EE FC sub esi, -4
004437F8 . 11DB adc ebx, ebx
004437FA . 72 10 jb short 0044380C
004437FC > 48 dec eax
004437FD . 01DB add ebx, ebx
004437FF . 75 07 jnz short 00443808
00443801 . 8B1E mov ebx, dword ptr [esi]
00443803 . 83EE FC sub esi, -4
00443806 . 11DB adc ebx, ebx
00443808 > 11C0 adc eax, eax
0044380A .^ EB D4 jmp short 004437E0
0044380C > 31C9 xor ecx, ecx
0044380E . 83E8 03 sub eax, 3
00443811 . 72 11 jb short 00443824
00443813 . C1E0 08 shl eax, 8
00443816 . 8A06 mov al, byte ptr [esi]
00443818 . 46 inc esi
00443819 . 83F0 FF xor eax, FFFFFFFF
0044381C . 74 78 je short 00443896 // raw offset FFFFFFFF = end of compressed data
0044381E . D1F8 sar eax, 1
00443820 . 89C5 mov ebp, eax
00443822 . EB 0B jmp short 0044382F
00443824 > 01DB add ebx, ebx
00443826 . 75 07 jnz short 0044382F
00443828 . 8B1E mov ebx, dword ptr [esi]
0044382A . 83EE FC sub esi, -4
0044382D . 11DB adc ebx, ebx
0044382F > 11C9 adc ecx, ecx
00443831 . 01DB add ebx, ebx
00443833 . 75 07 jnz short 0044383C
00443835 . 8B1E mov ebx, dword ptr [esi]
00443837 . 83EE FC sub esi, -4
0044383A . 11DB adc ebx, ebx
0044383C > 11C9 adc ecx, ecx
0044383E . 75 20 jnz short 00443860
00443840 . 41 inc ecx
00443841 > 01DB add ebx, ebx
00443843 . 75 07 jnz short 0044384C
00443845 . 8B1E mov ebx, dword ptr [esi]
00443847 . 83EE FC sub esi, -4
0044384A . 11DB adc ebx, ebx
0044384C > 11C9 adc ecx, ecx
0044384E . 01DB add ebx, ebx
00443850 .^ 73 EF jnb short 00443841 // backward jump to 00443841
00443852 . 75 09 jnz short 0044385D
00443854 . 8B1E mov ebx, dword ptr [esi]
00443856 . 83EE FC sub esi, -4
00443859 . 11DB adc ebx, ebx
0044385B .^ 73 E4 jnb short 00443841 // backward jump to 00443841
0044385D > 83C1 02 add ecx, 2
00443860 > 81FD 00FBFFFF cmp ebp, -500
00443866 . 83D1 01 adc ecx, 1
00443869 . 8D142F lea edx, dword ptr [edi+ebp]
0044386C . 83FD FC cmp ebp, -4
0044386F . 76 0F jbe short 00443880
00443871 > 8A02 mov al, byte ptr [edx]
00443873 . 42 inc edx
00443874 . 8807 mov byte ptr [edi], al
00443876 . 47 inc edi
00443877 . 49 dec ecx
00443878 .^ 75 F7 jnz short 00443871 // backward jump
0044387A .^ E9 4FFFFFFF jmp 004437CE // backward jump
0044387F 90 nop (strange: pressing F4 here makes the program run) // never executed (filler between the jmp and 00443880), so F4 on it never stops
00443880 > 8B02 mov eax, dword ptr [edx]
00443882 . 83C2 04 add edx, 4
00443885 . 8907 mov dword ptr [edi], eax
00443887 . 83C7 04 add edi, 4
0044388A . 83E9 04 sub ecx, 4
0044388D .^ 77 F1 ja short 00443880
0044388F . 01CF add edi, ecx
00443891 .^ E9 38FFFFFF jmp 004437CE // backward jump
00443896 > 5E pop esi // esi = 00401000, start of the unpacked image (the edi pushed at 004437BC)
00443897 . 89F7 mov edi, esi
00443899 . B9 F1030000 mov ecx, 3F1 // number of E8/E9 (call/jmp) targets to un-filter
0044389E > 8A07 mov al, byte ptr [edi]
004438A0 . 47 inc edi
004438A1 . 2C E8 sub al, 0E8
004438A3 > 3C 01 cmp al, 1
004438A5 .^ 77 F7 ja short 0044389E
004438A7 . 803F 05 cmp byte ptr [edi], 5
004438AA .^ 75 F2 jnz short 0044389E
004438AC . 8B07 mov eax, dword ptr [edi]
004438AE . 8A5F 04 mov bl, byte ptr [edi+4]
004438B1 . 66:C1E8 08 shr ax, 8
004438B5 . C1C0 10 rol eax, 10
004438B8 . 86C4 xchg ah, al
004438BA . 29F8 sub eax, edi
004438BC . 80EB E8 sub bl, 0E8
004438BF . 01F0 add eax, esi
004438C1 . 8907 mov dword ptr [edi], eax
004438C3 . 83C7 05 add edi, 5
004438C6 . 89D8 mov eax, ebx
004438C8 .^ E2 D9 loopd short 004438A3
004438CA . 8DBE 00100400 lea edi, dword ptr [esi+41000]
004438D0 > 8B07 mov eax, dword ptr [edi]
004438D2 . 09C0 or eax, eax
004438D4 . 74 45 je short 0044391B
004438D6 . 8B5F 04 mov ebx, dword ptr [edi+4]
004438D9 . 8D8430 705704>lea eax, dword ptr [eax+esi+45770]
004438E0 . 01F3 add ebx, esi
004438E2 . 50 push eax
004438E3 . 83C7 08 add edi, 8
004438E6 . FF96 AC570400 call dword ptr [esi+457AC] // LoadLibraryA through the stub's own import slot
004438EC . 95 xchg eax, ebp
004438ED > 8A07 mov al, byte ptr [edi]
004438EF . 47 inc edi
004438F0 . 08C0 or al, al
004438F2 .^ 74 DC je short 004438D0
004438F4 . 89F9 mov ecx, edi
004438F6 . 79 07 jns short 004438FF
004438F8 . 0FB707 movzx eax, word ptr [edi]
004438FB . 47 inc edi
004438FC . 50 push eax
004438FD . 47 inc edi
004438FE B9 db B9 // opcode of 'mov ecx, imm32': on the by-ordinal path it swallows the next four bytes (push edi / dec eax / repne scasb)
004438FF . 57 push edi
00443900 . 48 dec eax
00443901 . F2:AE repne scas byte ptr es:[edi]
00443903 . 55 push ebp
00443904 . FF96 B0570400 call dword ptr [esi+457B0] // GetProcAddress
0044390A . 09C0 or eax, eax
0044390C . 74 07 je short 00443915
0044390E . 8903 mov dword ptr [ebx], eax
00443910 . 83C3 04 add ebx, 4
00443913 .^ EB D8 jmp short 004438ED
00443915 > FF96 B4570400 call dword ptr [esi+457B4] // GetProcAddress returned 0: failure exit through the third import slot
0044391B > 61 popad // restore the registers saved by pushad at 004437B0
0044391C .- E9 EFEDFBFF jmp 00402710 // to the original entry point: OEP = 00402710
The file is at http://e.ys168.com/?yzh322, in the folder 等待脱壳文件 (files waiting to be unpacked). If you're interested, help me look into how to unpack it.
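What the post is looking for is already in the listing: the `popad` at 0044391B undoes the `pushad` at the entry, and the `jmp 00402710` right after it is the transfer to the original entry point, so the OEP is 00402710 and it lies inside the region the stub unpacks into (00401000 upward, below the stub itself). The script below is an added example written for this page, not code from the post or from UPX: it decodes the prologue for the packed-source and unpack-destination addresses and scans for `61 E9` followed by a rel32 that lands in that region. The function names are mine; `SAMPLE_STUB` is reconstructed from the listing's prologue and tail bytes with NOP padding so the tail sits at its real address, and the addresses are the listing's.

```python
import struct

def parse_upx_entry(stub: bytes):
    """Decode 'pushad / mov esi,imm32 / lea edi,[esi+imm32] / push edi' (the first
    13 bytes at 004437B0) into (packed_src, unpack_dst); None if not that prologue."""
    if stub[:2] != b"\x60\xBE" or stub[6:8] != b"\x8D\xBE" or stub[12:13] != b"\x57":
        return None
    src = struct.unpack_from("<I", stub, 2)[0]
    disp = struct.unpack_from("<I", stub, 8)[0]
    return src, (src + disp) & 0xFFFFFFFF        # lea wraps: 00430000 + FFFD1000 = 00401000

def find_oep_jumps(stub: bytes, stub_va: int, unpack_dst: int):
    """Every 'popad ; jmp rel32' (61 E9 xx xx xx xx) whose target lies in the region the
    stub unpacked, i.e. at or above unpack_dst and below the stub. Stray 61 E9 pairs
    inside compressed data fail that range check and are dropped."""
    hits = []
    i = stub.find(b"\x61\xE9")
    while i != -1:
        if i + 6 <= len(stub):
            rel = struct.unpack_from("<i", stub, i + 2)[0]
            jmp_va = stub_va + i + 1                  # VA of the E9 byte
            target = (jmp_va + 5 + rel) & 0xFFFFFFFF  # rel32 is relative to the next instruction
            if unpack_dst <= target < stub_va:
                hits.append((jmp_va, target))
        i = stub.find(b"\x61\xE9", i + 1)
    return hits

def locate_oep(stub: bytes, stub_va: int):
    """(packed_src, unpack_dst, oep), or None when the prologue is not UPX's or the
    popad/jmp tail is not unique."""
    entry = parse_upx_entry(stub)
    if entry is None:
        return None
    hits = find_oep_jumps(stub, stub_va, entry[1])
    return (entry[0], entry[1], hits[0][1]) if len(hits) == 1 else None

# Constructed stand-in for the stub: the listing's prologue and tail with NOPs in
# place of the decompressor, padded so the tail sits at its real address 00443915.
STUB_VA = 0x004437B0
_head = bytes.fromhex("60 BE 00 00 43 00 8D BE 00 10 FD FF 57 83 CD FF EB 10")
_tail = bytes.fromhex("FF 96 B4 57 04 00 61 E9 EF ED FB FF")
SAMPLE_STUB = _head + b"\x90" * (0x00443915 - STUB_VA - len(_head)) + _tail

if __name__ == "__main__":
    src, dst, oep = locate_oep(SAMPLE_STUB, STUB_VA)
    print(f"packed data at {src:08X}, unpacks to {dst:08X}, OEP = {oep:08X}")
```

The same thing by hand in the debugger: instead of F4-ing through the loops, put a hardware breakpoint on the dword at ESP right after the `pushad` (it fires at the `popad`), or simply break on the `jmp` at 0044391C, run, step once, and dump at 00402710 before rebuilding the import table.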
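The loop from 004437C8 to 00443891 is the NRV2D decompressor: the `dec eax` at 004437FC between two `adc eax, eax`, the length coding at 0044382F, and the 0x500 threshold at 00443860 are what distinguish it from NRV2B. Below is an added Python model of it, written for this page and not taken from the post or from UPX's sources. `nrv2d_decompress` follows the listing instruction by instruction, including the `sub esi, -4` trick (esi is a normal address below FFFFFFFC, so subtracting -4 borrows and leaves CF = 1 for `adc ebx, ebx` to shift in as the sentinel bit) and a bounds check the stub does not have. `nrv2d_compress` is a small greedy encoder that exists only so the model can be exercised offline; `SAMPLE` and `FAR_SAMPLE` are constructed inputs, not data from the poster's file, and all names are mine.

```python
import struct

def nrv2d_decompress(src: bytes) -> bytes:
    """Model of 004437C8..00443891: esi/edi -> ip/out, ebx -> bb, ebp -> -last_off."""
    out, ip, bb, last_off = bytearray(), 0, 0, 1     # 'or ebp, -1'
    def getbit() -> int:
        nonlocal bb, ip
        bit = bb >> 31                                # add ebx, ebx: CF = old bit 31
        bb = (bb << 1) & 0xFFFFFFFF
        if bb == 0:                                   # jnz not taken: all 32 bits used
            if ip + 4 > len(src): raise ValueError("truncated bit stream")
            word = struct.unpack_from("<I", src, ip)[0]   # mov ebx, [esi]
            ip += 4             # sub esi, -4: advances esi and borrows, so CF = 1 ...
            bit = word >> 31    # adc ebx, ebx: CF becomes the top bit of the word ...
            bb = ((word << 1) | 1) & 0xFFFFFFFF   # ... and the borrowed 1 is the sentinel
        return bit
    while True:
        while getbit():                               # 004437CE: bit 1 = literal byte
            out.append(src[ip]); ip += 1
        m_off = 1                                     # 004437DB..0044380A
        while True:
            m_off = m_off * 2 + getbit()
            if getbit(): break
            m_off = (m_off - 1) * 2 + getbit()        # the 'dec eax' step (NRV2D)
        if m_off < 3:                                 # sub eax, 3 ; jb: reuse ebp
            m_len = getbit()
        else:
            m_off = (((m_off - 3) << 8) | src[ip]) & 0xFFFFFFFF; ip += 1
            if m_off == 0xFFFFFFFF: break             # xor eax, -1 ; je: end marker
            m_len = (~m_off) & 1                      # CF out of 'sar eax, 1'
            last_off = (m_off >> 1) + 1               # ebp = -last_off
        m_len = m_len * 2 + getbit()                  # 0044382F..0044383C
        if m_len == 0:                                # 00443840..0044385D
            m_len = 1
            while True:
                m_len = m_len * 2 + getbit()
                if getbit(): break
            m_len += 2
        m_len += 1 + (last_off > 0x500)               # cmp ebp, -500h ; adc ecx, 1
        if last_off > len(out): raise ValueError("match offset before output start")
        for _ in range(m_len):                        # overlapping copy, byte by byte
            out.append(out[-last_off])
    return bytes(out)

def _put_prefix(bit, v: int) -> None:                # bits the 004437DB loop decodes to v (v >= 2)
    lo, j = 2, 0
    while v >= lo + 2 * 4 ** j:
        lo, j = lo + 2 * 4 ** j, j + 1
    bits = [(v - lo) >> (2 * j - k) & 1 for k in range(2 * j + 1)]
    bit(bits[0])
    for k in range(j):
        bit(0); bit(bits[2 * k + 1]); bit(bits[2 * k + 2])
    bit(1)

def _put_length(bit, n: int) -> None:                # bits the 00443841 loop decodes to n (n >= 2)
    digits = bin(n)[3:]                               # the leading 1 comes from 'inc ecx'
    for k, d in enumerate(digits):
        bit(int(d)); bit(int(k == len(digits) - 1))

def nrv2d_compress(data: bytes) -> bytes:
    """Greedy LZ encoder emitting exactly what nrv2d_decompress() parses."""
    buf, acc, n, pos, i, last_off = bytearray(), 0, 0, 0, 0, 1
    def bit(b: int) -> None:        # inverse of getbit(): reserve the dword at its first bit
        nonlocal acc, n, pos
        if n == 0: pos = len(buf); buf.extend(b"\0\0\0\0")
        acc, n = (acc << 1) | b, n + 1
        if n == 32: flush()
    def flush() -> None:
        nonlocal acc, n
        if n: struct.pack_into("<I", buf, pos, acc << (32 - n)); acc = n = 0
    while i < len(data):
        best_len = best_off = 0
        for off in range(1, min(i, 0x1000) + 1):
            m = 0
            while i + m < len(data) and data[i + m] == data[i - off + m]: m += 1
            if m > best_len: best_len, best_off = m, off
        if best_len < 3:
            bit(1); buf.append(data[i]); i += 1       # literal
            continue
        m_len = best_len - 1 - (best_off > 0x500)     # undo 'adc ecx, 1'
        first = (m_len >> 1) if m_len <= 3 else 0     # first length bit
        bit(0)
        if best_off == last_off:
            _put_prefix(bit, 2); bit(first)
        else:
            raw = (best_off - 1) * 2 + (1 - first)    # low bit feeds 'sar eax, 1'
            _put_prefix(bit, (raw >> 8) + 3); buf.append(raw & 0xFF)
            last_off = best_off
        if m_len <= 3: bit(m_len & 1)
        else: bit(0); _put_length(bit, m_len - 2)
        i += best_len
    bit(0); _put_prefix(bit, 0x1000002); buf.append(0xFF)   # (v-3)*256+FF = FFFFFFFF
    flush()
    return bytes(buf)

SAMPLE = b"The quick brown fox jumps over the lazy dog. " * 6 + b"UPX test"   # constructed
FAR_SAMPLE = bytes((i * i * 2654435761 >> 13) & 0xFF for i in range(0x600))  # constructed
FAR_SAMPLE += FAR_SAMPLE[:32]                          # one 32-byte match at offset 0x600 > 0x500
```

The model copies matches byte by byte; the dword path at 00443880 writes up to three bytes past the match and then rewinds edi with `add edi, ecx`, which gives the same bytes inside the output but is the reason the unpacked section needs slack after it. The end marker is an offset whose raw value is FFFFFFFF, which is why the `je 00443896` at 0044381C is the one place to break if you want the image fully unpacked but not yet un-filtered or import-patched.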