程序名:休闲麻将3.0 工具:OllyDbg.V1.10(手头工具不多) 系统:XP(由于我执意不重装系统,不太稳定)
开始我以为挺好脱的,可是脱完了就傻了,就是不能运行。请先看看我怎么做的
004BD001 > 60 PUSHAD
004BD002 E8 03000000 CALL Mj.004BD00A //这种东西用F7搞定
004BD007 - E9 EB045D45 JMP 45A8D4F7
004BD00C 55 PUSH EBP
004BD00D C3 RETN
004BD00E E8 01000000 CALL Mj.004BD014 //F7过,等运行到7xxxxxxx的时候就可以用F8了
004BD013 EB 5D JMP SHORT Mj.004BD072
004BD12D 0BC9 OR ECX,ECX //这段可能是在在解压什么的
004BD12F 74 2E JE SHORT Mj.004BD15F //这个跳是离这段最远的了,所以在004BD15F设断,F9走
004BD131 78 2C JS SHORT Mj.004BD15F
004BD133 AC LODS BYTE PTR DS:[ESI]
004BD134 3C E8 CMP AL,0E8
004BD136 74 0A JE SHORT Mj.004BD142
004BD138 EB 00 JMP SHORT Mj.004BD13A
004BD13A 3C E9 CMP AL,0E9
004BD13C 74 04 JE SHORT Mj.004BD142
004BD13E 43 INC EBX
004BD13F 49 DEC ECX
004BD140 ^ EB EB JMP SHORT Mj.004BD12D
004BD376 8907 MOV DWORD PTR DS:[EDI],EAX //这个后面还有很长,但也是循环
004BD378 8385 49050000 0>ADD DWORD PTR SS:[EBP+549],4
004BD37F ^ E9 32FFFFFF JMP Mj.004BD2B6
004BD384 8906 MOV DWORD PTR DS:[ESI],EAX
004BD386 8946 0C MOV DWORD PTR DS:[ESI+C],EAX
004BD389 8946 10 MOV DWORD PTR DS:[ESI+10],EAX
004BD38C 83C6 14 ADD ESI,14
004BD38F 8B95 22040000 MOV EDX,DWORD PTR SS:[EBP+422]
004BD395 ^ E9 EBFEFFFF JMP Mj.004BD285
004BD39A B8 3C130000 MOV EAX,133C //当时我就怀疑它是入口地址
004BD39F 50 PUSH EAX
.
.
.
004BD2B6 8B95 22040000 MOV EDX,DWORD PTR SS:[EBP+422]
004BD2BC 8B06 MOV EAX,DWORD PTR DS:[ESI]
004BD2BE 85C0 TEST EAX,EAX
004BD2C0 75 03 JNZ SHORT Mj.004BD2C5
004BD2C2 8B46 10 MOV EAX,DWORD PTR DS:[ESI+10]
004BD2C5 03C2 ADD EAX,EDX
004BD2C7 0385 49050000 ADD EAX,DWORD PTR SS:[EBP+549]
004BD2CD 8B18 MOV EBX,DWORD PTR DS:[EAX]
004BD2CF 8B7E 10 MOV EDI,DWORD PTR DS:[ESI+10]
004BD2D2 03FA ADD EDI,EDX
004BD2D4 03BD 49050000 ADD EDI,DWORD PTR SS:[EBP+549]
004BD2DA 85DB TEST EBX,EBX
004BD2DC 0F84 A2000000 JE Mj.004BD384 //在004BD384设断,F9过
004BD2E2 F7C3 00000080 TEST EBX,80000000
004BD2E8 75 04 JNZ SHORT Mj.004BD2EE
004BD2EA 03DA ADD EBX,EDX
004BD2EC 43 INC EBX
004BD39A B8 3C130000 MOV EAX,133C //入口地址
004BD39F 50 PUSH EAX
004BD3A0 0385 22040000 ADD EAX,DWORD PTR SS:[EBP+422]
004BD3A6 59 POP ECX
004BD3A7 0BC9 OR ECX,ECX
004BD3A9 8985 A8030000 MOV DWORD PTR SS:[EBP+3A8],EAX
004BD3AF 61 POPAD
004BD3B0 75 08 JNZ SHORT Mj.004BD3BA
004BD3B2 B8 01000000 MOV EAX,1
004BD3B7 C2 0C00 RETN 0C
004BD3BA 68 3C134000 PUSH Mj.0040133C
004BD3BF C3 RETN
0040133C 68 84134000 PUSH Mj.00401384 //程序正式开始 ; ASCII "VB5!6&vb6chs.dll"
00401341 E8 F0FFFFFF CALL Mj.00401336 ; JMP to msvbvm60.ThunRTMain
00401346 0000 ADD BYTE PTR DS:[EAX],AL
到这以后,脱出来的东西点击以后根本没反应,我第一次脱壳,后面真的不知道怎么办了,我到底哪个环节出错了,高手……
本来我想用OD跟跟看是怎么回事,可是跟了半天,也搞不明白,而且VB编的东西CALL来CALL去的(其实
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!