-
-
如何解释 Enigma Protector加壳的Emulated.Windows.APIs
-
发表于: 2010-6-5 22:27 2168
-
像如下用 Enigma Protector 1.9x 加壳的程序,被保护的程序是 Delphi 写的,一般的 API 调用可以像下面这样修改:
mov edx,dword ptr ss:[ebp-4]
mov ecx,dword ptr ss:[ebp-10]
mov dword ptr ds:[edx+eax*4+4],ecx // nop
但像 4083CC 这一行应该是 Emulated.Windows.APIs 保护吧。我不太了解这个壳,不知该怎么处理好:试过把 00C700EF 这行的 330B 标记为 GetModuleHandleA 等等,发现换到其它程序上就不适用了。该如何处理才是上策?有操作过的兄弟能否提点一下小弟?
mov edx,dword ptr ss:[ebp-4]
mov ecx,dword ptr ss:[ebp-10]
mov dword ptr ds:[edx+eax*4+4],ecx // nop
但像 4083CC 这一行应该是 Emulated.Windows.APIs 保护吧。我不太了解这个壳,不知该怎么处理好:试过把 00C700EF 这行的 330B 标记为 GetModuleHandleA 等等,发现换到其它程序上就不适用了。该如何处理才是上策?有操作过的兄弟能否提点一下小弟?
; ---------------------------------------------------------------------------
; Debugger dump (Intel syntax, 32-bit, "address  instruction" per entry) of one
; redirected import in the Enigma Protector 1.9x-packed Delphi program the
; poster is analysing.  Addresses and the "; kernel32.xxx" annotations are the
; debugger's; this is a trace for reading, not assemblable source.
;
; Control flow shown:
;   caller -> 004083CC (Delphi import thunk) -> [8EB33C] (= 00BA9914 per the
;   debugger annotation) -> 00C700EF: push 330B (stub ID) -> 00C65500 (shared
;   dispatcher) -> retn at 00C65605 into the address returned by the call at
;   00C65598, with the caller's stack restored (the stub-ID slot is overwritten).
;
; Dispatcher register roles (taken from the code below):
;   esi = offset of the claimed slot in a table at C677C4 (slot stride 64h)
;   dl  = index of the slot being tried; byte [C677C0] is the last index tried
;   edi = &slot; slot+0 = ownership dword (cmpxchg target), slot+4 = an esp
;         value loaded at 00C6558B, slot+10h = saved register block
;         (+0 eax, +4 ecx, +8 edx, +0Ch ebx, +10h esp, +14h ebp, +18h esi,
;          +1Ch edi, +50h eflags)
;   ecx = scratch; at the end, pointer used to rebuild the caller's stack
;   S   = esp at dispatcher entry (address of the pushed stub ID); S+4 is the
;         caller's return address
; The bodies of the calls at 00C60210, 00C60258, 00C60234 and 00C614D0 are not
; in the dump; anything said about them below is inferred from how their
; inputs and results are used and should be confirmed in the debugger.
; ---------------------------------------------------------------------------
call 4083CC                              ; protected code calls the import thunk
004083CC jmp dword ptr [8EB33C]          ; asv2010-.00BA9914 -- this IAT entry points into the protector's image, not kernel32
004083D2 mov eax, eax                    ; 2-byte padding between thunks (no effect)
004083D4 jmp dword ptr [8EB338]          ; kernel32.LocalAlloc -- neighbouring thunks still resolve straight to kernel32
004083DA mov eax, eax
004083DC jmp dword ptr [8EB334]          ; kernel32.TlsGetValue
004083E2 mov eax, eax
004083E4 jmp dword ptr [8EB330]          ; kernel32.TlsSetValue

00BA9914 jmp 00C700EF                    ; first hop: unconditional jump to the per-API stub
00BA9919 wait                            ; bytes after the jmp are not reached from any path shown here;
00BA991A rol byte ptr [edx+8D657A9A], 1B ;   the debugger decodes them as junk (wait/rol/adc/sti/jmp far)
00BA9921 adc al, 6F
00BA9923 sti
00BA9924 jmp far C0C1:89407D56

00C700EF push 330B                       ; stub for this API: push its numeric ID ...
00C700F4 jmp 00C65500                    ; ... and enter the shared dispatcher
00C700F9 push 3319                       ; adjacent stubs follow the same two-instruction pattern,
00C700FE jmp 00C65500                    ;   each with its own ID (3319, 331C, 3321, 332A)
00C70103 push 331C
00C70108 jmp 00C65500
00C7010D push 3321
00C70112 jmp 00C65500
00C70117 push 332A
00C7011C jmp 00C65500

; --- shared dispatcher: on entry [esp] = stub ID (S), [esp+4] = caller's return address
00C65500 pushad                          ; save eax,ecx,edx,ebx,esp,ebp,esi,edi (saved esp = S)
00C65501 pushfd                          ; save eflags; frame is now [esp]=eflags, [esp+4]=edi ... [esp+20h]=eax
; --- claim a free slot: try slots 1..[C677C0]; start over from slot 1 when all are busy
00C65502 mov dl, 1                       ; dl = slot index being tried
00C65504 mov esi, 0                      ; esi = byte offset of that slot in the table
00C65509 lea edi, dword ptr [esi+C677C4] ; edi = &slot
00C6550F lea edi, dword ptr [edi]        ; no-op lea (edi unchanged)
00C65511 mov ecx, 1                      ; value to store if the slot is free
00C65516 xor eax, eax                    ; expected value: 0 = free
00C65518 lock cmpxchg dword ptr [edi], ecx ; atomically: if [edi]==0 then [edi]=1, ZF=1; else eax=[edi], ZF=0
00C6551C je short 00C6552D               ; slot claimed -> fill it in
00C6551E cmp dl, byte ptr [C677C0]       ; was that the last slot?
00C65524 je short 00C65502               ; yes: spin, retry from slot 1
00C65526 inc dl                          ; no: next slot
00C65528 add esi, 64                     ; slot stride = 64h bytes
00C6552B jmp short 00C65509
; --- copy the pushad/pushfd frame into the slot's register block (slot+10h)
00C6552D lea eax, dword ptr [esi+C677C4] ; eax = &slot
00C65533 lea eax, dword ptr [eax+10]     ; eax = &slot.regs
00C65536 mov ecx, dword ptr [esp]        ; eflags
00C65539 mov dword ptr [eax+50], ecx     ;   -> regs+50h
00C6553C mov ecx, dword ptr [esp+4]      ; edi
00C65540 mov dword ptr [eax+1C], ecx     ;   -> regs+1Ch
00C65543 mov ecx, dword ptr [esp+8]      ; esi
00C65547 mov dword ptr [eax+18], ecx
00C6554A mov ecx, dword ptr [esp+C]      ; ebp
00C6554E mov dword ptr [eax+14], ecx
00C65551 mov ecx, dword ptr [esp+10]     ; esp as saved by pushad (= S, address of the stub ID)
00C65555 mov dword ptr [eax+10], ecx
00C65558 mov ecx, dword ptr [esp+14]     ; ebx
00C6555C mov dword ptr [eax+C], ecx
00C6555F mov ecx, dword ptr [esp+18]     ; edx
00C65563 mov dword ptr [eax+8], ecx
00C65566 mov ecx, dword ptr [esp+1C]     ; ecx
00C6556A mov dword ptr [eax+4], ecx
00C6556D mov ecx, dword ptr [esp+20]     ; eax
00C65571 mov dword ptr [eax], ecx
00C65573 add dword ptr [eax+10], 4       ; saved esp = S+4: skip the stub ID, now the caller's return address
; --- switch to the slot's own stack and resolve the ID
00C65577 lea edi, dword ptr [esi+C677C4] ; edi = &slot (kept live across the calls below)
00C6557D mov eax, edi
00C6557F call 00C60210                   ; in: eax = &slot; body not in dump (NOTE: presumably sets up slot+4 -- confirm)
00C65584 mov eax, edi
00C65586 call 00C60258                   ; in: eax = &slot; body not in dump
00C6558B mov esp, dword ptr [edi+4]      ; switch to the stack pointer stored at slot+4
00C6558E push edi                        ; arg2 = &slot
00C6558F lea ecx, dword ptr [edi+10]     ; ecx = &slot.regs
00C65592 mov ecx, dword ptr [ecx+10]     ; ecx = saved esp (S+4)
00C65595 push dword ptr [ecx-4]          ; arg1 = [S] = the stub ID
00C65598 call 00C614D0                   ; eax = the address retn'd into at 00C65605; presumably the real target for this ID -- confirm
00C6559D push eax                        ; keep the result across the next call
00C6559E mov eax, edi
00C655A0 call 00C60234                   ; in: eax = &slot; body not in dump
00C655A5 pop eax                         ; eax = resolved target again
; --- rebuild a pushad/pushfd-shaped frame directly below the caller's return address
00C655A6 lea edi, dword ptr [edi+10]     ; edi = &slot.regs
00C655A9 mov ecx, dword ptr [edi+10]     ; ecx = S+4
00C655AC sub ecx, 4
00C655AF mov dword ptr [ecx], eax        ; [S]     = resolved target (overwrites the stub ID)
00C655B1 mov eax, dword ptr [edi+50]
00C655B4 sub ecx, 4
00C655B7 mov dword ptr [ecx], eax        ; [S-4]   = eflags
00C655B9 mov eax, dword ptr [edi]
00C655BB sub ecx, 4
00C655BE mov dword ptr [ecx], eax        ; [S-8]   = eax
00C655C0 mov eax, dword ptr [edi+4]
00C655C3 sub ecx, 4
00C655C6 mov dword ptr [ecx], eax        ; [S-0Ch] = ecx
00C655C8 mov eax, dword ptr [edi+8]
00C655CB sub ecx, 4
00C655CE mov dword ptr [ecx], eax        ; [S-10h] = edx
00C655D0 mov eax, dword ptr [edi+C]
00C655D3 sub ecx, 4
00C655D6 mov dword ptr [ecx], eax        ; [S-14h] = ebx
00C655D8 mov eax, dword ptr [edi+10]
00C655DB sub ecx, 4
00C655DE mov dword ptr [ecx], eax        ; [S-18h] = esp (popad skips this entry)
00C655E0 mov eax, dword ptr [edi+14]
00C655E3 sub ecx, 4
00C655E6 mov dword ptr [ecx], eax        ; [S-1Ch] = ebp
00C655E8 mov eax, dword ptr [edi+18]
00C655EB sub ecx, 4
00C655EE mov dword ptr [ecx], eax        ; [S-20h] = esi
00C655F0 mov eax, dword ptr [edi+1C]
00C655F3 sub ecx, 4
00C655F6 mov dword ptr [ecx], eax        ; [S-24h] = edi
00C655F8 lea eax, dword ptr [esi+C677C4] ; eax = &slot
00C655FE mov byte ptr [eax], 0           ; release the slot (ownership flag back to 0)
00C65601 mov esp, ecx                    ; esp = S-24h, top of the rebuilt frame
00C65603 popad                           ; restore edi,esi,ebp,(esp skipped),ebx,edx,ecx,eax -> esp = S-4
00C65604 popfd                           ; restore eflags -> esp = S
00C65605 retn                            ; eip = [S] (resolved target), esp = S+4: the target sees the caller's return address on top, as for a direct call