[Old post] Manually unpacking ASProtect 1.23 RC4: can't find the stolen code
Posted: 2010-11-6 18:10  2750

While unpacking ASProtect, I got to the last exception:
00E639E4    31C0            XOR EAX,EAX
00E639E6    64:FF30         PUSH DWORD PTR FS:[EAX]
00E639E9    64:8920         MOV DWORD PTR FS:[EAX],ESP
00E639EC    3100            XOR DWORD PTR DS:[EAX],EAX
00E639EE    64:8F05 0000000>POP DWORD PTR FS:[0]
00E639F5    58              POP EAX
00E639F6    833D B07EE600 0>CMP DWORD PTR DS:[E67EB0],0
00E639FD    74 14           JE SHORT 00E63A13
00E639FF    6A 0C           PUSH 0C
00E63A01    B9 B07EE600     MOV ECX,0E67EB0
00E63A06    8D45 F8         LEA EAX,DWORD PTR SS:[EBP-8]
00E63A09    BA 04000000     MOV EDX,4
00E63A0E    E8 2DD1FFFF     CALL 00E60B40
00E63A13    FF75 FC         PUSH DWORD PTR SS:[EBP-4]
00E63A16    FF75 F8         PUSH DWORD PTR SS:[EBP-8]
00E63A19    8B45 F4         MOV EAX,DWORD PTR SS:[EBP-C]
00E63A1C    8338 00         CMP DWORD PTR DS:[EAX],0
00E63A1F    74 02           JE SHORT 00E63A23
00E63A21    FF30            PUSH DWORD PTR DS:[EAX]
00E63A23    FF75 F0         PUSH DWORD PTR SS:[EBP-10]
00E63A26    FF75 EC         PUSH DWORD PTR SS:[EBP-14]
00E63A29    C3              RETN


I set a breakpoint on the RETN. After it jumps there should be a double JMP, and F7 should lead to the stolen code, but instead I landed here:
7C801F42    8B0D DC53887C   MOV ECX,DWORD PTR DS:[7C8853DC]
7C801F48    8B49 08         MOV ECX,DWORD PTR DS:[ECX+8]
7C801F4B    8948 08         MOV DWORD PTR DS:[EAX+8],ECX
7C801F4E    8B0D DC53887C   MOV ECX,DWORD PTR DS:[7C8853DC]
7C801F54    8B49 0C         MOV ECX,DWORD PTR DS:[ECX+C]
7C801F57    8948 0C         MOV DWORD PTR DS:[EAX+C],ECX
7C801F5A    8B0D DC53887C   MOV ECX,DWORD PTR DS:[7C8853DC]
7C801F60    8B49 10         MOV ECX,DWORD PTR DS:[ECX+10]
7C801F63    8948 10         MOV DWORD PTR DS:[EAX+10],ECX
7C801F66    8B0D DC53887C   MOV ECX,DWORD PTR DS:[7C8853DC]
7C801F6C    8B49 14         MOV ECX,DWORD PTR DS:[ECX+14]
7C801F6F    8948 14         MOV DWORD PTR DS:[EAX+14],ECX
7C801F72    8B0D DC53887C   MOV ECX,DWORD PTR DS:[7C8853DC]
7C801F78    8B49 18         MOV ECX,DWORD PTR DS:[ECX+18]
7C801F7B    8948 18         MOV DWORD PTR DS:[EAX+18],ECX
7C801F7E    8B0D DC53887C   MOV ECX,DWORD PTR DS:[7C8853DC]
7C801F84    8B49 1C         MOV ECX,DWORD PTR DS:[ECX+1C]
7C801F87    8948 1C         MOV DWORD PTR DS:[EAX+1C],ECX
7C801F8A    8B0D DC53887C   MOV ECX,DWORD PTR DS:[7C8853DC]
7C801F90    8B49 20         MOV ECX,DWORD PTR DS:[ECX+20]
7C801F93    8948 20         MOV DWORD PTR DS:[EAX+20],ECX
7C801F96    8B0D DC53887C   MOV ECX,DWORD PTR DS:[7C8853DC]
7C801F9C    8B49 24         MOV ECX,DWORD PTR DS:[ECX+24]
7C801F9F    8948 24         MOV DWORD PTR DS:[EAX+24],ECX
7C801FA2    8B0D DC53887C   MOV ECX,DWORD PTR DS:[7C8853DC]
7C801FA8    8B49 28         MOV ECX,DWORD PTR DS:[ECX+28]
7C801FAB    8948 28         MOV DWORD PTR DS:[EAX+28],ECX
7C801FAE    8B0D DC53887C   MOV ECX,DWORD PTR DS:[7C8853DC]
7C801FB4    8B49 2C         MOV ECX,DWORD PTR DS:[ECX+2C]
7C801FB7    8948 2C         MOV DWORD PTR DS:[EAX+2C],ECX
7C801FBA    8B0D DC53887C   MOV ECX,DWORD PTR DS:[7C8853DC]
7C801FC0    66:8B49 30      MOV CX,WORD PTR DS:[ECX+30]
7C801FC4    66:8948 30      MOV WORD PTR DS:[EAX+30],CX
7C801FC8    8B0D DC53887C   MOV ECX,DWORD PTR DS:[7C8853DC]
7C801FCE    66:8B49 32      MOV CX,WORD PTR DS:[ECX+32]
7C801FD2    66:8948 32      MOV WORD PTR DS:[EAX+32],CX
7C801FD6    8B0D DC53887C   MOV ECX,DWORD PTR DS:[7C8853DC]
7C801FDC    8B49 34         MOV ECX,DWORD PTR DS:[ECX+34]
7C801FDF    8948 34         MOV DWORD PTR DS:[EAX+34],ECX
7C801FE2    F640 2D 07      TEST BYTE PTR DS:[EAX+2D],7
7C801FE6    0F84 CE010000   JE kernel32.7C8021BA
7C801FEC    8B0D DC53887C   MOV ECX,DWORD PTR DS:[7C8853DC]
7C801FF2    8B49 38         MOV ECX,DWORD PTR DS:[ECX+38]
7C801FF5    8948 38         MOV DWORD PTR DS:[EAX+38],ECX
7C801FF8    8B0D DC53887C   MOV ECX,DWORD PTR DS:[7C8853DC]
7C801FFE    8B49 3C         MOV ECX,DWORD PTR DS:[ECX+3C]
7C802001    8948 3C         MOV DWORD PTR DS:[EAX+3C],ECX
7C802004    8B0D DC53887C   MOV ECX,DWORD PTR DS:[7C8853DC]
7C80200A    8B49 40         MOV ECX,DWORD PTR DS:[ECX+40]
7C80200D    8948 40         MOV DWORD PTR DS:[EAX+40],ECX
7C802010    E8 FC040000     CALL kernel32.7C802511
7C802015    C2 0400         RETN 4


After returning I ended up below the OEP:
00436490    0000            ADD BYTE PTR DS:[EAX],AL
00436492    0000            ADD BYTE PTR DS:[EAX],AL // this is the stolen code
00436494    0000            ADD BYTE PTR DS:[EAX],AL
00436496    0000            ADD BYTE PTR DS:[EAX],AL
00436498    0000            ADD BYTE PTR DS:[EAX],AL
0043649A    0000            ADD BYTE PTR DS:[EAX],AL
0043649C    0000            ADD BYTE PTR DS:[EAX],AL
0043649E    0000            ADD BYTE PTR DS:[EAX],AL
004364A0    0000            ADD BYTE PTR DS:[EAX],AL
004364A2    0000            ADD BYTE PTR DS:[EAX],AL
004364A4    0000            ADD BYTE PTR DS:[EAX],AL
004364A6    0000            ADD BYTE PTR DS:[EAX],AL
004364A8    0000            ADD BYTE PTR DS:[EAX],AL
004364AA    0000            ADD BYTE PTR DS:[EAX],AL
004364AC    0000            ADD BYTE PTR DS:[EAX],AL
004364AE    0000            ADD BYTE PTR DS:[EAX],AL
004364B0    0000            ADD BYTE PTR DS:[EAX],AL
004364B2    0000            ADD BYTE PTR DS:[EAX],AL
004364B4    0000            ADD BYTE PTR DS:[EAX],AL
004364B6    FF15 98224900   CALL DWORD PTR DS:[492298]
004364BC    33D2            XOR EDX,EDX
004364BE    8AD4            MOV DL,AH
004364C0    8915 C4CC4D00   MOV DWORD PTR DS:[4DCCC4],EDX
004364C6    8BC8            MOV ECX,EAX
004364C8    81E1 FF000000   AND ECX,0FF
004364CE    890D C0CC4D00   MOV DWORD PTR DS:[4DCCC0],ECX
004364D4    C1E1 08         SHL ECX,8
004364D7    03CA            ADD ECX,EDX
004364D9    890D BCCC4D00   MOV DWORD PTR DS:[4DCCBC],ECX
004364DF    C1E8 10         SHR EAX,10
004364E2    A3 B8CC4D00     MOV DWORD PTR DS:[4DCCB8],EAX
004364E7    6A 01           PUSH 1
004364E9    E8 93370000     CALL crysb.00439C81
004364EE    59              POP ECX
004364EF    85C0            TEST EAX,EAX
004364F1    75 08           JNZ SHORT crysb.004364FB
004364F3    6A 1C           PUSH 1C
004364F5    E8 C3000000     CALL crysb.004365BD
004364FA    59              POP ECX
004364FB    E8 5C350000     CALL crysb.00439A5C
00436500    85C0            TEST EAX,EAX
00436502    75 08           JNZ SHORT crysb.0043650C
00436504    6A 10           PUSH 10
00436506    E8 B2000000     CALL crysb.004365BD
0043650B    59              POP ECX
0043650C    33F6            XOR ESI,ESI
0043650E    8975 FC         MOV DWORD PTR SS:[EBP-4],ESI
00436511    E8 13550000     CALL crysb.0043BA29
00436516    FF15 08224900   CALL DWORD PTR DS:[492208]
0043651C    A3 58D54D00     MOV DWORD PTR DS:[4DD558],EAX
00436521    E8 5B6D0000     CALL crysb.0043D281
00436526    A3 A8CC4D00     MOV DWORD PTR DS:[4DCCA8],EAX
0043652B    E8 046B0000     CALL crysb.0043D034
00436530    E8 466A0000     CALL crysb.0043CF7B
00436535    E8 B7170000     CALL crysb.00437CF1
0043653A    8975 D0         MOV DWORD PTR SS:[EBP-30],ESI
0043653D    8D45 A4         LEA EAX,DWORD PTR SS:[EBP-5C]
00436540    50              PUSH EAX
00436541    FF15 00224900   CALL DWORD PTR DS:[492200]
00436547    E8 D7690000     CALL crysb.0043CF23 // landed here
0043654C    8945 9C         MOV DWORD PTR SS:[EBP-64],EAX
0043654F    F645 D0 01      TEST BYTE PTR SS:[EBP-30],1
00436553    74 06           JE SHORT crysb.0043655B
00436555    0FB745 D4       MOVZX EAX,WORD PTR SS:[EBP-2C]
00436559    EB 03           JMP SHORT crysb.0043655E
0043655B    6A 0A           PUSH 0A
0043655D    58              POP EAX
0043655E    50              PUSH EAX
0043655F    FF75 9C         PUSH DWORD PTR SS:[EBP-64]
00436562    56              PUSH ESI
00436563    56              PUSH ESI
00436564    FF15 24224900   CALL DWORD PTR DS:[492224]
0043656A    50              PUSH EAX


Looking for an explanation; hoping an expert can help.


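Added example (editor's code, not the poster's and not ASProtect's): a small script that measures the zeroed run the post shows at 00436490 and checks it against a candidate for what was stolen. The listing in the post is the only input; the bytes below are constructed from it (0x26 bytes of 00, then the surviving CALL DWORD PTR DS:[492298] / XOR EDX,EDX / MOV DL,AH / MOV [4DCCC4],EDX). The candidate prologue is an assumption: it is the opening of the MSVC6 CRT's WinMainCRTStartup, chosen because the code after the gap looks like that CRT's startup sequence and because that prologue is exactly 0x26 bytes long. The two push-offset immediates (SEH scope table and handler) are image-specific and cannot come from a template; the script marks them as wildcards and only fills them in when you pass the values you recovered by tracing the packer's copy of the code.

```python
# Added example, not code from the original post. Locate the stolen-code gap at
# the OEP of the dumped target and check it against a candidate prologue.
# Everything except the bytes copied from the post's listing is an ASSUMPTION.

OEP = 0x00436490          # first address of the zeroed run in the post's listing

# Constructed from the post's listing: 0x26 bytes of 00 (OllyDbg shows them as
# ADD BYTE PTR [EAX],AL), followed by the first instructions that survived.
DUMP_AT_OEP = bytes(0x26) + bytes.fromhex(
    "FF1598224900"     # CALL DWORD PTR DS:[492298]
    "33D2"             # XOR EDX,EDX
    "8AD4"             # MOV DL,AH
    "8915C4CC4D00"     # MOV DWORD PTR DS:[4DCCC4],EDX
)

# Candidate for the stolen bytes (assumption): the prologue that the MSVC6 CRT's
# WinMainCRTStartup begins with. None marks a byte that holds an image-specific
# address and therefore cannot be supplied by the template.
PROLOGUE_TEMPLATE = (
    [0x55]                                   # push ebp
    + [0x8B, 0xEC]                           # mov ebp,esp
    + [0x6A, 0xFF]                           # push -1
    + [0x68] + [None] * 4                    # push offset <SEH scope table>
    + [0x68] + [None] * 4                    # push offset <exception handler>
    + [0x64, 0xA1, 0, 0, 0, 0]               # mov eax,fs:[0]
    + [0x50]                                 # push eax
    + [0x64, 0x89, 0x25, 0, 0, 0, 0]         # mov fs:[0],esp
    + [0x83, 0xEC, 0x68]                     # sub esp,68h
    + [0x53, 0x56, 0x57]                     # push ebx / push esi / push edi
    + [0x89, 0x65, 0xE8]                     # mov [ebp-18h],esp
)


def zero_gap(region: bytes, base: int, min_len: int = 4):
    """Return (address, length) of the run of 00 bytes starting at base, or None."""
    n = 0
    while n < len(region) and region[n] == 0:
        n += 1
    return (base, n) if n >= min_len else None


def template_fits(gap_len: int, template) -> bool:
    """A stolen block must be exactly as long as the candidate that replaces it."""
    return gap_len == len(template)


def wildcard_offsets(template):
    """Offsets from the OEP of the bytes the template cannot supply."""
    return [i for i, b in enumerate(template) if b is None]


def build_prologue(template, scope_table_va: int, handler_va: int) -> bytes:
    """Fill the two push-offset immediates and return the bytes to write at the OEP.

    Both addresses are placeholders: the analyst has to recover them from the
    packer's own copy of the code. Nothing in the post gives their values.
    """
    fills = list(scope_table_va.to_bytes(4, "little") + handler_va.to_bytes(4, "little"))
    out = bytearray()
    k = 0
    for b in template:
        if b is None:
            out.append(fills[k])
            k += 1
        else:
            out.append(b)
    return bytes(out)


def patched_region(region: bytes, prologue: bytes) -> bytes:
    """Overwrite the zero run with the rebuilt prologue; refuse on a size mismatch."""
    gap = zero_gap(region, OEP)
    if gap is None or gap[1] != len(prologue):
        raise ValueError("gap/prologue size mismatch: refusing to patch")
    return prologue + region[len(prologue):]


if __name__ == "__main__":
    base, length = zero_gap(DUMP_AT_OEP, OEP)
    print(f"zeroed run at {base:08X}, {length:#x} bytes")
    print("same length as candidate prologue:", template_fits(length, PROLOGUE_TEMPLATE))
    print("bytes that need real addresses, at OEP+", wildcard_offsets(PROLOGUE_TEMPLATE))
```

Usage: run it as-is to see the gap size and which offsets still need values; once the two addresses are known, call `build_prologue` and `patched_region` and write the result over the dump at 00436490. The size check is deliberate: if the gap and the candidate differ by even one byte, the candidate is wrong for this binary and should not be patched in.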
Latest replies (1)
Is nobody looking at this? Do I really have to upload the program too? It's huge.
2010-11-13 18:25