I have a program packed with ASPack 2.12 -> Alexey Solodovnikov [Overlay]. I have already found the jump of the dongle check at startup. If I unpack it, patch the jump and save the file, it runs. If I trace with the packer still on, reach the jump and patch it there, it also runs normally. But if I patch the jump with the packer on and then save it as a file, the program will not start. Could an expert please advise?
0045E8BE |. 6A 01 push 1 ; /RemoveMsg = PM_REMOVE
0045E8C0 |. 6A 00 push 0 ; |MsgFilterMax = WM_NULL
0045E8C2 |. 6A 00 push 0 ; |MsgFilterMin = WM_NULL
0045E8C4 |. 6A 00 push 0 ; |hWnd = NULL
0045E8C6 |. 57 push edi ; |pMsg
0045E8C7 |. E8 94AEFAFF call 00409760 ; \PeekMessageA
0045E8CC |. 85C0 test eax, eax
0045E8CE |. 74 75 je short 0045E945
0045E8D0 |. B3 01 mov bl, 1
0045E8D2 |. 837F 04 12 cmp dword ptr [edi+4], 12
0045E8D6 |. 74 66 je short 0045E93E
0045E8D8 |. C60424 00 mov byte ptr [esp], 0
0045E8DC |. 66:83BE C2000>cmp word ptr [esi+C2], 0
0045E8E4 74 10 je short 0045E8F6
; Patching this jump with the packer on, or unpacking, patching and saving the file, both run normally; but patching this jump with the packer on and then saving it as a file, the program will not start. Error: The instruction at "0x009099a0" referenced memory at "0XD5C3A58". The memory could not be "read". Click OK to terminate the program, or Cancel to debug.
0045E8E6 |. 8BCC mov ecx, esp
0045E8E8 |. 8BD7 mov edx, edi
0045E8EA |. 8B86 C4000000 mov eax, dword ptr [esi+C4]
0045E8F0 |. FF96 C0000000 call dword ptr [esi+C0]
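A check worth running before saving an in-memory patch back to disk, added here as an example (it is not code from the original post and does not analyse the poster's binary). A debugger's "copy to executable" writes the patched byte at the file offset that the section table maps the virtual address to. For a file that is still packed, that offset holds the packer's compressed copy of the section, or no bytes at all when the section's raw size on disk is smaller than its virtual size, so the write either corrupts the compressed data or lands outside the section; the patch can only be written straight to the file when the file already contains the same bytes the debugger shows. The script below parses just enough of the PE headers to do that mapping, compares the on-disk bytes at 0045E8E4 with the `74 10` seen in the listing, and runs the comparison against three constructed sample files (an unpacked image, a compressed section with a short raw size, and a compressed section padded to full size). The image base 0x400000 and the `.text` RVA 0x1000 are assumptions; the post does not state them.

```python
"""Can a patch seen in the debugger be written straight back to the file?

Added example, not code from the original post. Parses the PE section table,
maps a VA to its file offset (the mapping a debugger's "copy to executable"
uses) and checks that the file already holds the bytes the debugger shows
there. If it does not, the section is not stored verbatim on disk (e.g. it is
compressed by a packer), and writing the patch corrupts the packed data.
"""
import struct
import zlib

PATCH_VA = 0x0045E8E4                 # from the post: je short 0045E8F6
BYTES_SEEN_IN_DEBUGGER = b"\x74\x10"  # from the post: encoding of that je
IMAGE_BASE = 0x400000                 # assumption, not stated in the post
TEXT_VA = 0x1000                      # assumption, not stated in the post


def parse_sections(data):
    """Return (image_base, [(name, va, vsize, raw_ptr, raw_size), ...])."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:    # PE32: ImageBase is a DWORD at offset 28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:  # PE32+: ImageBase is a QWORD at offset 24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sections = []
    table = opt + opt_size
    for i in range(num_sections):
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode(errors="replace"), va, vsize, rptr, rsize))
    return image_base, sections


def va_to_file_offset(data, va):
    """File offset backing `va`, or None when the file holds no bytes for it."""
    image_base, sections = parse_sections(data)
    rva = va - image_base
    for _name, sva, vsize, rptr, rsize in sections:
        if sva <= rva < sva + max(vsize, rsize):
            delta = rva - sva
            # Inside the section's virtual span but past its raw data on disk:
            # the bytes only exist once something (the packer stub) creates them.
            return rptr + delta if delta < rsize else None
    return None


def patch_is_safe_to_save(data, va, expected):
    """True only if the file already holds the bytes the debugger shows at va."""
    off = va_to_file_offset(data, va)
    return off is not None and data[off:off + len(expected)] == expected


def build_sample_pe(raw_bytes, virtual_size, text_va=TEXT_VA, image_base=IMAGE_BASE):
    """Construct a minimal PE32 with one .text section (constructed sample, demo only)."""
    raw_ptr = 0x400
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                        # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # i386, 1 section
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                           # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)
    sec = struct.pack("<8sIIIIIIHHI", b".text", virtual_size, text_va,
                      len(raw_bytes), raw_ptr, 0, 0, 0, 0, 0x60000020)
    header = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec).ljust(raw_ptr, b"\0")
    return header + bytes(raw_bytes)


def demo():
    """Run the check against three constructed files; returns name -> safe?"""
    # Code section as it looks in memory at the jump (or in a fully unpacked file).
    text = bytearray(0x60000)
    off = PATCH_VA - IMAGE_BASE - TEXT_VA
    text[off:off + 2] = BYTES_SEEN_IN_DEBUGGER
    unpacked = build_sample_pe(text, len(text))
    # Packed variants: the file holds a compressed blob that a stub expands at
    # runtime, either with a short raw size or padded to the full section size.
    blob = zlib.compress(bytes(text))
    packed_short = build_sample_pe(blob, len(text))
    packed_in_place = build_sample_pe(blob.ljust(len(text), b"\0"), len(text))
    return {
        "unpacked": patch_is_safe_to_save(unpacked, PATCH_VA, BYTES_SEEN_IN_DEBUGGER),
        "packed_short_raw": patch_is_safe_to_save(packed_short, PATCH_VA, BYTES_SEEN_IN_DEBUGGER),
        "packed_in_place": patch_is_safe_to_save(packed_in_place, PATCH_VA, BYTES_SEEN_IN_DEBUGGER),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-17s %s" % (name, "patch can be written to file" if ok
                             else "do NOT write patch to file"))
```

When the check fails, the byte cannot be changed in the file directly: the patch has to be applied at runtime, after the packer stub has restored the code, or to the unpacked file, which the post says already works.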