Windows信使群发器 (Windows Messenger Bulk Sender) is a decent net-send bulk messaging tool, and I want to crack it. Download address: http://www.cnysoft.com/software/down.asp?sid=NetSendMsg
After downloading, I checked it with PEiD: it is packed with ASPack 2.12b, so I unpacked it with AspackDie 1.41. The unpacked file is unpacked.exe; when run, the splash window appears and then disappears. I loaded it into OLLYDBG.EXE, stepped with F8 first, then switched to F7 stepping, and found the following:
:00403E26 8D542410 lea edx, dword ptr [esp+10]
:00403E2A 52 push edx
:00403E2B 8D4C242C lea ecx, dword ptr [esp+2C]
:00403E2F 8BE8 mov ebp, eax
:00403E31 E852E40100 call 00422288
:00403E36 8B442410 mov eax, dword ptr [esp+10]
* Possible StringData Ref from Data Obj ->"netsendmsg.exe"
|
:00403E3A 68E8034600 push 004603E8
:00403E3F 50 push eax
:00403E40 C684249C0F000005 mov byte ptr [esp+00000F9C], 05
:00403E48 E8BF680200 call 0042A70C
:00403E4D 83C408 add esp, 00000008
:00403E50 85C0 test eax, eax
:00403E52 0F84B9000000 je 00403F11
:00403E58 8B4C2410 mov ecx, dword ptr [esp+10]
* Possible StringData Ref from Data Obj ->"nsm.exe"
|
:00403E5C 68E0034600 push 004603E0
:00403E61 51 push ecx
:00403E62 E8A5680200 call 0042A70C
:00403E67 83C408 add esp, 00000008
:00403E6A 85C0 test eax, eax
:00403E6C 0F849F000000 je 00403F11
:00403E72 8B542410 mov edx, dword ptr [esp+10]
* Possible StringData Ref from Data Obj ->"unins000.exe"
|
:00403E76 68D0034600 push 004603D0
:00403E7B 52 push edx
:00403E7C E88B680200 call 0042A70C
I think it compares the name of the main program being launched and exits if it does not match. After renaming the unpacked file to the main program's name, netsendmsg.exe, it launches normally when run directly; after exiting, I loaded it into OLLYDBG again and pressed F9 to run, an error came up, I ignored it, and the main program exited. Same result with the isdebuger hiding plugin. I also disassembled it with W32Dasm, then loaded and ran it, and it errored out and exited as well. Could the veterans point this newbie in a direction? A few dozen lines below the code above may be the protection against OLLYDBG and other debuggers:
Experts, please advise on how to remove its anti-debugging.
:00403E81 83C408 add esp, 00000008
:00403E84 85C0 test eax, eax
:00403E86 0F8485000000 je 00403F11
:00403E8C 8B442410 mov eax, dword ptr [esp+10]
:00403E90 50 push eax
:00403E91 8BCB mov ecx, ebx
:00403E93 E828070000 call 004045C0
:00403E98 83F8FF cmp eax, FFFFFFFF
:00403E9B 741B je 00403EB8
:00403E9D 50 push eax
:00403E9E 6A00 push 00000000
:00403EA0 68FF0F1F00 push 001F0FFF
* Reference To: KERNEL32.OpenProcess, Ord:01EFh
|
:00403EA5 FF1574F34400 Call dword ptr [0044F374]
:00403EAB 85C0 test eax, eax
:00403EAD 7409 je 00403EB8
:00403EAF 6A00 push 00000000
:00403EB1 50 push eax
* Reference To: KERNEL32.TerminateProcess, Ord:029Eh
|
:00403EB2 FF1578F34400 Call dword ptr [0044F378]
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00403E9B(C), :00403EAD(C)
|
:00403EB8 8D4C2420 lea ecx, dword ptr [esp+20]
:00403EBC 51 push ecx
:00403EBD 8D4C242C lea ecx, dword ptr [esp+2C]
:00403EC1 E899E20100 call 0042215F
:00403EC6 8B00 mov eax, dword ptr [eax]
* Possible StringData Ref from Data Obj ->"r+w+b"
|
:00403EC8 68C8034600 push 004603C8
:00403ECD 50 push eax
:00403ECE E826680200 call 0042A6F9
:00403ED3 83C408 add esp, 00000008
:00403ED6 8D4C2420 lea ecx, dword ptr [esp+20]
:00403EDA 8BF0 mov esi, eax
:00403EDC E872E00300 call 00441F53
:00403EE1 85F6 test esi, esi
:00403EE3 742C je 00403F11
:00403EE5 BF32000000 mov edi, 00000032
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403F06(C)
|
:00403EEA E8B7670200 call 0042A6A6
:00403EEF 56 push esi
:00403EF0 6A04 push 00000004
:00403EF2 8D54241C lea edx, dword ptr [esp+1C]
:00403EF6 6A04 push 00000004
:00403EF8 52 push edx
:00403EF9 89442424 mov dword ptr [esp+24], eax
:00403EFD E85E660200 call 0042A560
:00403F02 83C410 add esp, 00000010
:00403F05 4F dec edi
:00403F06 75E2 jne 00403EEA
:00403F08 56 push esi
:00403F09 E8D5650200 call 0042A4E3
:00403F0E 83C404 add esp, 00000004
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00403E52(C), :00403E6C(C), :00403E86(C), :00403EE3(C)
|
:00403F11 8D4C2410 lea ecx, dword ptr [esp+10]
:00403F15 C68424940F000003 mov byte ptr [esp+00000F94], 03
:00403F1D E831E00300 call 00441F53
:00403F22 85ED test ebp, ebp
:00403F24 0F85F3FEFFFF jne 00403E1D
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403E17(C)
|
:00403F2A 8BCB mov ecx, ebx
:00403F2C E89F050000 call 004044D0
* Reference To: USER32.PeekMessageA, Ord:01DCh
|
:00403F31 8B3500F64400 mov esi, dword ptr [0044F600]
* Reference To: USER32.TranslateMessage, Ord:0282h
|
:00403F37 8B2D04F64400 mov ebp, dword ptr [0044F604]
* Reference To: USER32.DispatchMessageA, Ord:0095h
|
:00403F3D 8B3D08F64400 mov edi, dword ptr [0044F608]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403F8A(C)
|
:00403F43 6A01 push 00000001
:00403F45 6A00 push 00000000
:00403F47 6A00 push 00000000
:00403F49 6A00 push 00000000
:00403F4B 8D442454 lea eax, dword ptr [esp+54]
:00403F4F 50 push eax
:00403F50 FFD6 call esi
:00403F52 85C0 test eax, eax
:00403F54 740E je 00403F64
:00403F56 8D4C2444 lea ecx, dword ptr [esp+44]
:00403F5A 51 push ecx
:00403F5B FFD5 call ebp
:00403F5D 8D542444 lea edx, dword ptr [esp+44]
:00403F61 52 push edx
:00403F62 FFD7 call edi
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403F54(C)
|
:00403F64 51 push ecx
:00403F65 8B4C2428 mov ecx, dword ptr [esp+28]
:00403F69 8BC4 mov eax, esp
:00403F6B 89642418 mov dword ptr [esp+18], esp
:00403F6F 8D542424 lea edx, dword ptr [esp+24]
:00403F73 8908 mov dword ptr [eax], ecx
:00403F75 52 push edx
:00403F76 8D442418 lea eax, dword ptr [esp+18]
:00403F7A 50 push eax
:00403F7B E8CF8B0300 call 0043CB4F
:00403F80 8BC8 mov ecx, eax
:00403F82 E8C9060000 call 00404650
:00403F87 833803 cmp dword ptr [eax], 00000003
:00403F8A 7CB7 jl 00403F43
:00403F8C 8B74241C mov esi, dword ptr [esp+1C]
:00403F90 8B16 mov edx, dword ptr [esi]
:00403F92 8BCE mov ecx, esi
:00403F94 FF5258 call [edx+58]
:00403F97 85F6 test esi, esi
:00403F99 7409 je 00403FA4
:00403F9B 8B06 mov eax, dword ptr [esi]
:00403F9D 6A01 push 00000001
:00403F9F 8BCE mov ecx, esi
:00403FA1 FF5004 call [eax+04]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403F99(C)
|
:00403FA4 8B8360010000 mov eax, dword ptr [ebx+00000160]
:00403FAA 85C0 test eax, eax
:00403FAC 743F je 00403FED
:00403FAE E8A8490400 call 0044895B
:00403FB3 8B4008 mov eax, dword ptr [eax+08]
:00403FB6 6A00 push 00000000
:00403FB8 6A00 push 00000000
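Added note, not part of the original post or of the program being analysed: a small Python script that parses the W32Dasm listing quoted above and pulls out the pieces that matter for the question, namely which process names are compared, which kernel32 APIs are called, the access mask pushed for OpenProcess, and which conditional jumps skip to the block at 00403F11 that ends one iteration of the enumeration loop. The listing embedded in the script is an excerpt of the one quoted above (some instructions omitted); all function and variable names are mine, and the assumption that 0042A70C is a string-compare routine rests only on its call pattern (two pointers pushed, `test eax, eax` on return).

```python
"""Parse a W32Dasm listing excerpt and summarise the process-name checks in it.

Added example for this thread, not code from the original post or from the
program under analysis. Helper names are mine; 0x42A70C is *assumed* to be a
string-compare routine purely from its call pattern.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Excerpt of the listing quoted in the thread (some instructions omitted).
LISTING = """\
:00403E36 8B442410 mov eax, dword ptr [esp+10]
* Possible StringData Ref from Data Obj ->"netsendmsg.exe"
|
:00403E3A 68E8034600 push 004603E8
:00403E3F 50 push eax
:00403E48 E8BF680200 call 0042A70C
:00403E50 85C0 test eax, eax
:00403E52 0F84B9000000 je 00403F11
* Possible StringData Ref from Data Obj ->"nsm.exe"
|
:00403E5C 68E0034600 push 004603E0
:00403E61 51 push ecx
:00403E62 E8A5680200 call 0042A70C
:00403E6A 85C0 test eax, eax
:00403E6C 0F849F000000 je 00403F11
* Possible StringData Ref from Data Obj ->"unins000.exe"
|
:00403E76 68D0034600 push 004603D0
:00403E7B 52 push edx
:00403E7C E88B680200 call 0042A70C
:00403E84 85C0 test eax, eax
:00403E86 0F8485000000 je 00403F11
:00403E93 E828070000 call 004045C0
:00403E98 83F8FF cmp eax, FFFFFFFF
:00403E9B 741B je 00403EB8
:00403E9D 50 push eax
:00403E9E 6A00 push 00000000
:00403EA0 68FF0F1F00 push 001F0FFF
* Reference To: KERNEL32.OpenProcess, Ord:01EFh
|
:00403EA5 FF1574F34400 Call dword ptr [0044F374]
:00403EAB 85C0 test eax, eax
:00403EAD 7409 je 00403EB8
:00403EAF 6A00 push 00000000
:00403EB1 50 push eax
* Reference To: KERNEL32.TerminateProcess, Ord:029Eh
|
:00403EB2 FF1578F34400 Call dword ptr [0044F378]
:00403EE3 742C je 00403F11
"""

STRCMP_ADDR = 0x0042A70C         # assumed string-compare routine (see docstring)
PROCESS_ALL_ACCESS = 0x001F0FFF  # value of PROCESS_ALL_ACCESS in pre-Vista winnt.h
INSN_RE = re.compile(r"^:?([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]+)\s+(\S+)(?:\s+(.*))?$")
STRING_RE = re.compile(r'Possible StringData Ref from Data Obj ->"(.*)"')
API_RE = re.compile(r"Reference To:\s*([A-Za-z0-9_]+\.[A-Za-z0-9_]+)")
HEX_RE = re.compile(r"[0-9A-Fa-f]+")
COND_JUMPS = {"je", "jne", "jz", "jnz", "jl", "jge", "jle", "jg", "ja", "jb", "jae", "jbe"}


@dataclass
class Insn:
    addr: int
    opcode: bytes
    mnemonic: str
    operands: str
    string_ref: Optional[str] = None  # W32Dasm "Possible StringData Ref" note
    api_ref: Optional[str] = None     # W32Dasm "Reference To:" note


def parse_listing(text: str) -> List[Insn]:
    """Turn listing lines into Insn records; W32Dasm comment lines annotate the next instruction."""
    insns, pending_string, pending_api = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("|"):
            continue
        if line.startswith("*"):
            m = STRING_RE.search(line)
            if m:
                pending_string = m.group(1)
            m = API_RE.search(line)
            if m:
                pending_api = m.group(1)
            continue
        m = INSN_RE.match(line)
        if not m:
            continue
        addr, hexbytes, mnem, ops = m.groups()
        insns.append(Insn(int(addr, 16), bytes.fromhex(hexbytes), mnem.lower(),
                          (ops or "").strip(), pending_string, pending_api))
        pending_string = pending_api = None
    return insns


def name_comparisons(insns: List[Insn], cmp_target: int) -> List[Tuple[int, Optional[str]]]:
    """Pair each call to the compare routine with the string literal pushed before it."""
    out, last_string = [], None
    for ins in insns:
        if ins.string_ref:
            last_string = ins.string_ref
        if ins.mnemonic == "call" and ins.operands.upper() == f"{cmp_target:08X}":
            out.append((ins.addr, last_string))
            last_string = None
    return out


def api_calls(insns: List[Insn]) -> List[Tuple[int, str]]:
    """Indirect calls that W32Dasm resolved to an imported API."""
    return [(ins.addr, ins.api_ref) for ins in insns if ins.api_ref and ins.mnemonic == "call"]


def branches_to(insns: List[Insn], target: int) -> List[int]:
    """Addresses of conditional jumps landing on `target` (here: the loop-continue block)."""
    return [ins.addr for ins in insns
            if ins.mnemonic in COND_JUMPS and HEX_RE.fullmatch(ins.operands)
            and int(ins.operands, 16) == target]


def open_process_access(insns: List[Insn]) -> Optional[int]:
    """dwDesiredAccess for OpenProcess: stdcall pushes right-to-left, so the push
    immediately before the call is the first argument."""
    for i, ins in enumerate(insns):
        if ins.api_ref != "KERNEL32.OpenProcess":
            continue
        pushes = [p for p in reversed(insns[:i]) if p.mnemonic == "push"]
        if pushes and HEX_RE.fullmatch(pushes[0].operands):
            return int(pushes[0].operands, 16)
    return None


if __name__ == "__main__":
    parsed = parse_listing(LISTING)
    print("names compared:", name_comparisons(parsed, STRCMP_ADDR))
    print("API calls:", api_calls(parsed))
    print("jumps to 00403F11:", [hex(a) for a in branches_to(parsed, 0x403F11)])
    print("OpenProcess access mask:", hex(open_process_access(parsed) or 0))
```

Reading the output against the full listing: a process name that matches none of the three strings falls through to the lookup at 004045C0, then to OpenProcess with 0x1F0FFF (PROCESS_ALL_ACCESS in pre-Vista headers) and TerminateProcess, and then into the `mov edi, 00000032` loop, which calls 0042A560 fifty times with fwrite-shaped arguments (buffer, 4, 4, handle) on a file opened with mode "r+w+b" before the loop resumes at 00403E1D. The four jumps to 00403F11 are the places where that path is skipped; whether any of them is the point the original poster is looking for is not something the listing alone settles, and the script only shows where they are.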