Today I wanted to crack a program. Checking it with PEiD shows "Nothing found"; loading it in OD (OllyDbg) gives an exception prompt, and after loading it stops here:
00413961 DI> 9C pushfd <=== it is definitely packed
00413962 60 pushad
00413963 E8 00000000 call DIPCServ.00413968
00413968 5D pop ebp
Then I stepped down with F8, skipping any backward jumps, and arrived here:
004139BB 60 pushad <=== another pushad appears
004139BC 6A 40 push 40
004139BE 68 00100000 push 1000
004139C3 68 00100000 push 1000
004139C8 6A 00 push 0
004139CA FF95 FBFEFFFF call dword ptr ss:[ebp-105]
004139D0 85C0 test eax,eax
004139D2 0F84 06030000 je DIPCServ.00413CDE
004139D8 8985 BBFEFFFF mov dword ptr ss:[ebp-145],eax
004139DE E8 00000000 call DIPCServ.004139E3
004139E3 5B pop ebx
004139E4 B9 2F894000 mov ecx,DIPCServ.0040892F
004139E9 81E9 2C864000 sub ecx,DIPCServ.0040862C
004139EF 03D9 add ebx,ecx
004139F1 50 push eax
004139F2 53 push ebx
004139F3 E8 3D020000 call DIPCServ.00413C35
004139F8 61 popad <=== this pairs with the pushad at 004139BB above
004139F9 03BD 9FFEFFFF add edi,dword ptr ss:[ebp-161]
004139FF 8BDF mov ebx,edi
00413A01 833F 00 cmp dword ptr ds:[edi],0
00413A04 75 0A jnz short DIPCServ.00413A10
00413A06 83C7 04 add edi,4
00413A09 B9 00000000 mov ecx,0
00413A0E EB 16 jmp short DIPCServ.00413A26
Continuing to trace, I arrived here:
00413B84 61 popad <===
00413B85 9D popfd <=== these two pair with the ones at the start
00413B86 - E9 A6FCFEFF jmp DIPCServ.00403831 <=== a big jump
00413B8B 8BB5 A3FEFFFF mov esi,dword ptr ss:[ebp-15D]
00413B91 0BF6 or esi,esi
00413B93 0F84 97000000 je DIPCServ.00413C30
00413B99 8B95 A7FEFFFF mov edx,dword ptr ss:[ebp-159]
The jump at 00413B86 lands here:
00403831 55 db 55 ; CHAR 'U'
00403832 8B db 8B
00403833 EC db EC
00403834 6A db 6A ; CHAR 'j'
00403835 FF db FF
00403836 68 db 68 ; CHAR 'h'
00403837 F0 db F0
00403838 62 db 62 ; CHAR 'b'
00403839 40 db 40 ; CHAR '@'
0040383A 00 db 00
0040383B 68 db 68 ; CHAR 'h'
0040383C A4 db A4
0040383D 4C db 4C ; CHAR 'L'
0040383E 40 db 40 ; CHAR '@'
0040383F 00 db 00
00403840 64 db 64 ; CHAR 'd'
:
:
:
Then the program runs.
After reloading, I first went to that big jump above and set a breakpoint on the instruction below it, i.e. at 00413B8B; pressing F9 the program ran and did not stop at 00413B8B.
I started dumping at 00403831 and used Import to repair the IAT; it showed "真" (valid), but the repaired program does not run. I do not know whether 00403831 is the program entry point or whether I made a mistake while repairing the IAT. Hoping an expert can advise!!!
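As an added illustration (not code from the poster), the tail of the stub shown above follows the classic pattern popad; popfd; jmp rel32: once popfd has executed, ESP is back where it was at the packer entry, and the jmp hands control to the unpacked code. The script below takes the bytes copied from the listing (00413B84 onward and the db dump at 00403831), decodes the relative jump to recover its target, and checks whether the target starts with push ebp; mov ebp,esp; push -1; push imm32, the usual MSVC CRT entry prologue.

```python
import struct

# Bytes copied from the OllyDbg listing in the post: popad, popfd, jmp rel32 at 00413B84
STUB_TAIL = bytes.fromhex("61 9D E9 A6 FC FE FF")
STUB_TAIL_VA = 0x00413B84

# Bytes copied from the db dump in the post at the jump target 00403831
TARGET_BYTES = bytes.fromhex("55 8B EC 6A FF 68 F0 62 40 00 68 A4 4C 40 00 64")

# push ebp; mov ebp,esp; push -1; push imm32 (classic MSVC CRT entry prologue)
MSVC_ENTRY_PROLOGUE = bytes.fromhex("55 8B EC 6A FF 68")


def find_tail_jump(code: bytes, base_va: int):
    """Scan for popad; popfd; jmp rel32 and return (jmp_va, target_va), or None."""
    for off in range(len(code) - 6):
        if code[off] == 0x61 and code[off + 1] == 0x9D and code[off + 2] == 0xE9:
            jmp_va = base_va + off + 2
            # rel32 is signed and relative to the end of the 5-byte jmp
            rel32 = struct.unpack_from("<i", code, off + 3)[0]
            target_va = (jmp_va + 5 + rel32) & 0xFFFFFFFF
            return jmp_va, target_va
    return None


def looks_like_msvc_entry(code: bytes) -> bool:
    """True if the bytes begin with the MSVC CRT entry prologue."""
    return code[: len(MSVC_ENTRY_PROLOGUE)] == MSVC_ENTRY_PROLOGUE


if __name__ == "__main__":
    jmp_va, target_va = find_tail_jump(STUB_TAIL, STUB_TAIL_VA)
    print(f"tail jump at {jmp_va:08X} -> {target_va:08X}")
    print("target looks like MSVC entry:", looks_like_msvc_entry(TARGET_BYTES))
```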