[求助]ASProtect V2.X DLL -> Alexey Solodovnikov脱壳-付费问答-看雪-安全社区|安全招聘|kanxue.com

最新回复 (5)
刘志军雪币： 26 活跃值： (56) 能力值： ( LV2，RANK：10 ) 在线值：发帖 32 回帖 149 粉丝 0 关注私信	刘志军 2 楼很遗憾，我也脱不了。 OD载入程序。 0048A001 > 60 pushad //OD载入后。停在这外壳入口 0048A002 E8 03000000 call L2WCrack.0048A00A //F8到这。因为这个CALL比较近。F7步入 0048A007 - E9 EB045D45 jmp 45A5A4F7 0048A00C 55 push ebp ................................................ 0048A00A 5D pop ebp //直接跳到这里。继续F8 0048A00B 45 inc ebp 0048A00C 55 push ebp 0048A00D C3 retn //跳 0048A00E E8 01000000 call L2WCrack.0048A014 0048A013 EB 5D jmp short L2WCrack.0048A072 .................................................... 0048A008 /EB 04 jmp short L2WCrack.0048A00E //跳到了这里，这里也是一个跳转 0048A00A \|5D pop ebp 0048A00B \|45 inc ebp 0048A00C \|55 push ebp 0048A00D \|C3 retn 0048A00E \E8 01000000 call L2WCrack.0048A014 //跳到这里，这个CALL一定要F7步入，F8会启动程序。OVER 0048A013 EB 5D jmp short L2WCrack.0048A072 0048A015 BB EDFFFFFF mov ebx,-13 0048A01A 03DD add ebx,ebp 0048A01C 81EB 00A00800 sub ebx,8A000 ................................................... 0048A014 5D pop ebp //跳到这里， 0048A015 BB EDFFFFFF mov ebx,-13 0048A01A 03DD add ebx,ebp 0048A01C 81EB 00A00800 sub ebx,8A000 0048A022 83BD 22040000 0>cmp dword ptr ss:[ebp+422],0 ..............省略代码............................ 0048A05E 53 push ebx 0048A05F 57 push edi 0048A060 FF95 490F0000 call dword ptr ss:[ebp+F49] 0048A066 8985 51050000 mov dword ptr ss:[ebp+551],eax 0048A06C 8D45 77 lea eax,dword ptr ss:[ebp+77] 0048A06F FFE0 jmp eax //一直F8来到这，又是一个跳转 0048A071 56 push esi .................................................. 0048A08A 8B9D 31050000 mov ebx,dword ptr ss:[ebp+531] //跳到这里, 0048A090 0BDB or ebx,ebx 0048A092 74 0A je short L2WCrack.0048A09E 0048A094 8B03 mov eax,dword ptr ds:[ebx] .............省略代码N条........... 0048A12B 33DB xor ebx,ebx 0048A12D 0BC9 or ecx,ecx 0048A12F 74 2E je short L2WCrack.0048A15F 0048A131 78 2C js short L2WCrack.0048A15F 0048A133 AC lods byte ptr ds:[esi] 0048A134 3C E8 cmp al,0E8 0048A136 74 0A je short L2WCrack.0048A142 0048A138 EB 00 jmp short L2WCrack.0048A13A 0048A13A 3C E9 cmp al,0E9 0048A13C 74 04 je short L2WCrack.0048A142 0048A13E 43 inc ebx 0048A13F 49 dec ecx 0048A140 ^ EB EB jmp short L2WCrack.0048A12D //这里有个往回跳.手动脱壳一般不要让它往回跳 0048A142 8B06 mov eax,dword ptr ds:[esi] //点这里.按F4运行到这里 0048A144 EB 00 jmp short L2WCrack.0048A146 0048A146 803E 16 cmp byte ptr ds:[esi],16 0048A149 ^ 75 F3 jnz short L2WCrack.0048A13E //又一个往回跳. 0048A14B 24 00 and al,0 //F4到这里 0048A14D C1C0 18 rol eax,18 0048A150 2BC3 sub eax,ebx 0048A152 8906 mov dword ptr ds:[esi],eax 0048A154 83C3 05 add ebx,5 0048A157 83C6 04 add esi,4 0048A15A 83E9 05 sub ecx,5 0048A15D ^ EB CE jmp short L2WCrack.0048A12D //到这里又是一个往回跳. 0048A15F 5B pop ebx //F4到这里 0048A160 5E pop esi 0048A161 59 pop ecx 0048A162 58 pop eax 0048A163 EB 08 jmp short L2WCrack.0048A16D //这里往下跳 0048A165 0000 add byte ptr ds:[eax],al ...................................................... 0048A16D 8BC8 mov ecx,eax //跳到这里 0048A16F 8B3E mov edi,dword ptr ds:[esi] 0048A171 03BD 22040000 add edi,dword ptr ss:[ebp+422] 0048A177 8BB5 52010000 mov esi,dword ptr ss:[ebp+152] 0048A17D C1F9 02 sar ecx,2 0048A180 F3:A5 rep movs dword ptr es:[edi],dword pt> 0048A182 8BC8 mov ecx,eax 0048A184 83E1 03 and ecx,3 0048A187 F3:A4 rep movs byte ptr es:[edi],byte ptr > 0048A189 5E pop esi 0048A18A 68 00800000 push 8000 0048A18F 6A 00 push 0 0048A191 FFB5 52010000 push dword ptr ss:[ebp+152] 0048A197 FF95 51050000 call dword ptr ss:[ebp+551] 0048A19D 83C6 08 add esi,8 0048A1A0 833E 00 cmp dword ptr ds:[esi],0 0048A1A3 ^ 0F85 1EFFFFFF jnz L2WCrack.0048A0C7 //往回跳 0048A1A9 68 00800000 push 8000 //F4到这里 0048A1AE 6A 00 push 0 0048A1B0 FFB5 56010000 push dword ptr ss:[ebp+156] 0048A1B6 FF95 51050000 call dword ptr ss:[ebp+551] 0048A1BC 8B9D 31050000 mov ebx,dword ptr ss:[ebp+531] 0048A1C2 0BDB or ebx,ebx 0048A1C4 74 08 je short L2WCrack.0048A1CE 0048A1C6 8B03 mov eax,dword ptr ds:[ebx] 0048A1C8 8785 35050000 xchg dword ptr ss:[ebp+535],eax 0048A1CE 8B95 22040000 mov edx,dword ptr ss:[ebp+422] 0048A1D4 8B85 2D050000 mov eax,dword ptr ss:[ebp+52D] 0048A1DA 2BD0 sub edx,eax 0048A1DC 74 79 je short L2WCrack.0048A257 //向下跳 0048A1DE 8BC2 mov eax,edx 0048A1E0 C1E8 10 shr eax,10 0048A1E3 33DB xor ebx,ebx ................................................. 0048A257 8B95 22040000 mov edx,dword ptr ss:[ebp+422] //跳到这里 0048A25D 8BB5 41050000 mov esi,dword ptr ss:[ebp+541] 0048A263 0BF6 or esi,esi 0048A265 74 11 je short L2WCrack.0048A278 //又一个向下跳转 0048A267 03F2 add esi,edx 0048A269 AD lods dword ptr ds:[esi] 0048A26A 0BC0 or eax,eax 0048A26C 74 0A je short L2WCrack.0048A278 0048A26E 03C2 add eax,edx 0048A270 8BF8 mov edi,eax 0048A272 66:AD lods word ptr ds:[esi] 0048A274 66:AB stos word ptr es:[edi] 0048A276 ^ EB F1 jmp short L2WCrack.0048A269 0048A278 BE 00400700 mov esi,74000 //跳到这里 0048A27D 8B95 22040000 mov edx,dword ptr ss:[ebp+422] 0048A283 03F2 add esi,edx 0048A285 8B46 0C mov eax,dword ptr ds:[esi+C] 0048A288 85C0 test eax,eax 0048A28A 0F84 0A010000 je L2WCrack.0048A39A 0048A28A /0F84 0A010000 je L2WCrack.0048A39A 0048A290 \|03C2 add eax,edx 0048A292 \|8BD8 mov ebx,eax 0048A294 \|50 push eax 0048A295 \|FF95 4D0F0000 call dword ptr ss:[ebp+F4D] 0048A29B \|85C0 test eax,eax 0048A29D \|75 07 jnz short L2WCrack.0048A2A6 //这里有个向下的小跳转 0048A29F \|53 push ebx 0048A2A0 \|FF95 510F0000 call dword ptr ss:[ebp+F51] 0048A2A6 \|8985 45050000 mov dword ptr ss:[ebp+545],eax //跳到这里 0048A2AC \|C785 49050000 0>mov dword ptr ss:[ebp+549],0 0048A2B6 \|8B95 22040000 mov edx,dword ptr ss:[ebp+422] ..............省略N条代码............................... 0048A302 85C0 test eax,eax 0048A304 5B pop ebx 0048A305 75 6F jnz short L2WCrack.0048A376 //这里来了个大跳转. 0048A307 F7C3 00000080 test ebx,80000000 0048A30D 75 19 jnz short L2WCrack.0048A328 ....................................................... 0048A376 8907 mov dword ptr ds:[edi],eax //跳到这里 0048A378 8385 49050000 0>add dword ptr ss:[ebp+549],4 0048A37F ^ E9 32FFFFFF jmp L2WCrack.0048A2B6 //往回跳 0048A384 8906 mov dword ptr ds:[esi],eax //F4到这 0048A386 8946 0C mov dword ptr ds:[esi+C],eax 0048A389 8946 10 mov dword ptr ds:[esi+10],eax 0048A38C 83C6 14 add esi,14 0048A38F 8B95 22040000 mov edx,dword ptr ss:[ebp+422] 0048A395 ^ E9 EBFEFFFF jmp L2WCrack.0048A285 //又一个往回跳 0048A39A B8 480E0700 mov eax,70E48 //F4到这里 0048A39F 50 push eax 0048A3A0 0385 22040000 add eax,dword ptr ss:[ebp+422] 0048A3A6 59 pop ecx 0048A3A7 0BC9 or ecx,ecx 0048A3A9 8985 A8030000 mov dword ptr ss:[ebp+3A8],eax 0048A3AF 61 popad //popad是出栈 0048A3B0 75 08 jnz short L2WCrack.0048A3BA //这里一个小跳 0048A3B2 B8 01000000 mov eax,1 0048A3B7 C2 0C00 retn 0C 0048A3BA 68 00000000 push 0 //程序运行到这时.显示的是l2wcrack.00470e48 0048A3BF C3 retn //返回入口点 ............................................................ 00470E48 55 push ebp //直接用OD插件脱壳. 当我到 0048A3BF C3 retn //返回入口点这一步时，返回入口点，发现不像OEP。。而是： 0042DF24 B8 FF000000 mov eax,0FF 0042DF29 E8 1F080000 call 1.0042E74D 0042DF2E C3 retn 0042DF2F > E8 27B80000 call 1.0043975B 这个是OEP吗？？？ 0042DF34 ^ E9 16FEFFFF jmp 1.0042DD4F 0042DF39 3B0D F0774500 cmp ecx,dword ptr ds:[4577F0] 0042DF3F 75 02 jnz short 1.0042DF43 0042DF41 F3: prefix rep: 希望高手指点一下这是什么问题!!! 在下感激不尽！！！ 2011-7-9 08:22 0
xiwushgya 雪币： 2820 活跃值： (2681) 能力值： ( LV2，RANK：10 ) 在线值：发帖 14 回帖 94 粉丝 1 关注私信	xiwushgya 3 楼感谢刘志军的热心啊初学这个我脱了很长时间啊，都没有解决 http://u.115.com/file/dnsdq30r 这个是xJJuno脱完以后的壳 2011-7-9 09:58 0
henheng 雪币： 26 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 1 粉丝 0 关注私信	henheng 4 楼用ESP定律法来脱的话，会不会简单一点？ 2011-7-10 14:36 0
刘志军雪币： 26 活跃值： (56) 能力值： ( LV2，RANK：10 ) 在线值：发帖 32 回帖 149 粉丝 0 关注私信	刘志军 5 楼我在研究一下，很有意思的一个壳 2011-7-10 17:48 0
xiwushgya 雪币： 2820 活跃值： (2681) 能力值： ( LV2，RANK：10 ) 在线值：发帖 14 回帖 94 粉丝 1 关注私信	xiwushgya 6 楼谢谢刘兄啊，耽误你时间了 2011-7-10 22:23 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

刘志军

雪币： 26

活跃值： (56)

能力值：

( LV2，RANK：10 )

在线值：

发帖

32

回帖

149

粉丝

0

关注

私信

刘志军: 2 楼

很遗憾，我也脱不了。
OD载入程序。

0048A001 >  60             pushad             //OD载入后。停在这外壳入口
0048A002 E8 03000000    call L2WCrack.0048A00A  //F8到这。因为这个CALL比较近。F7步入
0048A007  - E9 EB045D45    jmp 45A5A4F7
0048A00C 55             push ebp
................................................
0048A00A 5D             pop ebp                //直接跳到这里。继续F8
0048A00B 45             inc ebp
0048A00C 55             push ebp
0048A00D C3             retn                   //跳
0048A00E E8 01000000    call L2WCrack.0048A014
0048A013 EB 5D          jmp short L2WCrack.0048A072
....................................................
0048A008 /EB 04          jmp short L2WCrack.0048A00E  //跳到了这里，这里也是一个跳转
0048A00A |5D             pop ebp
0048A00B |45             inc ebp
0048A00C |55             push ebp
0048A00D |C3             retn
0048A00E \E8 01000000    call L2WCrack.0048A014    //跳到这里，这个CALL一定要F7步入，F8会启动程序。OVER
0048A013 EB 5D          jmp short L2WCrack.0048A072
0048A015 BB EDFFFFFF    mov ebx,-13
0048A01A 03DD          add ebx,ebp
0048A01C 81EB 00A00800 sub ebx,8A000
...................................................
0048A014 5D             pop ebp                //跳到这里，
0048A015 BB EDFFFFFF    mov ebx,-13
0048A01A 03DD          add ebx,ebp
0048A01C 81EB 00A00800 sub ebx,8A000
0048A022 83BD 22040000 0>cmp dword ptr ss:[ebp+422],0
..............省略代码............................
0048A05E 53             push ebx
0048A05F 57             push edi
0048A060 FF95 490F0000 call dword ptr ss:[ebp+F49]
0048A066 8985 51050000 mov dword ptr ss:[ebp+551],eax
0048A06C 8D45 77       lea eax,dword ptr ss:[ebp+77]
0048A06F FFE0          jmp eax                         //一直F8来到这，又是一个跳转
0048A071 56             push esi
..................................................
0048A08A 8B9D 31050000 mov ebx,dword ptr ss:[ebp+531] //跳到这里,
0048A090 0BDB          or ebx,ebx
0048A092 74 0A          je short L2WCrack.0048A09E
0048A094 8B03          mov eax,dword ptr ds:[ebx]
.............省略代码N条...........
0048A12B 33DB          xor ebx,ebx
0048A12D 0BC9          or ecx,ecx
0048A12F 74 2E          je short L2WCrack.0048A15F
0048A131 78 2C          js short L2WCrack.0048A15F
0048A133 AC             lods byte ptr ds:[esi]
0048A134 3C E8          cmp al,0E8
0048A136 74 0A          je short L2WCrack.0048A142
0048A138 EB 00          jmp short L2WCrack.0048A13A
0048A13A 3C E9          cmp al,0E9
0048A13C 74 04          je short L2WCrack.0048A142
0048A13E 43             inc ebx
0048A13F 49             dec ecx
0048A140  ^ EB EB          jmp short L2WCrack.0048A12D //这里有个往回跳.手动脱壳一般不要让它往回跳
0048A142 8B06          mov eax,dword ptr ds:[esi]    //点这里.按F4运行到这里
0048A144 EB 00          jmp short L2WCrack.0048A146
0048A146 803E 16       cmp byte ptr ds:[esi],16
0048A149  ^ 75 F3          jnz short L2WCrack.0048A13E //又一个往回跳.
0048A14B 24 00          and al,0                   //F4到这里
0048A14D C1C0 18       rol eax,18
0048A150 2BC3          sub eax,ebx
0048A152 8906          mov dword ptr ds:[esi],eax
0048A154 83C3 05       add ebx,5
0048A157 83C6 04       add esi,4
0048A15A 83E9 05       sub ecx,5
0048A15D  ^ EB CE          jmp short L2WCrack.0048A12D  //到这里又是一个往回跳.
0048A15F 5B             pop ebx                   //F4到这里
0048A160 5E             pop esi
0048A161 59             pop ecx
0048A162 58             pop eax
0048A163 EB 08          jmp short L2WCrack.0048A16D  //这里往下跳
0048A165 0000          add byte ptr ds:[eax],al
......................................................
0048A16D 8BC8          mov ecx,eax                   //跳到这里
0048A16F 8B3E          mov edi,dword ptr ds:[esi]
0048A171 03BD 22040000 add edi,dword ptr ss:[ebp+422]
0048A177 8BB5 52010000 mov esi,dword ptr ss:[ebp+152]
0048A17D C1F9 02       sar ecx,2
0048A180 F3:A5          rep movs dword ptr es:[edi],dword pt>
0048A182 8BC8          mov ecx,eax
0048A184 83E1 03       and ecx,3
0048A187 F3:A4          rep movs byte ptr es:[edi],byte ptr >
0048A189 5E             pop esi
0048A18A 68 00800000    push 8000
0048A18F 6A 00          push 0
0048A191 FFB5 52010000 push dword ptr ss:[ebp+152]
0048A197 FF95 51050000 call dword ptr ss:[ebp+551]
0048A19D 83C6 08       add esi,8
0048A1A0 833E 00       cmp dword ptr ds:[esi],0
0048A1A3  ^ 0F85 1EFFFFFF jnz L2WCrack.0048A0C7          //往回跳
0048A1A9 68 00800000    push 8000                      //F4到这里
0048A1AE 6A 00          push 0
0048A1B0 FFB5 56010000 push dword ptr ss:[ebp+156]
0048A1B6 FF95 51050000 call dword ptr ss:[ebp+551]
0048A1BC 8B9D 31050000 mov ebx,dword ptr ss:[ebp+531]
0048A1C2 0BDB          or ebx,ebx
0048A1C4 74 08          je short L2WCrack.0048A1CE
0048A1C6 8B03          mov eax,dword ptr ds:[ebx]
0048A1C8 8785 35050000 xchg dword ptr ss:[ebp+535],eax
0048A1CE 8B95 22040000 mov edx,dword ptr ss:[ebp+422]
0048A1D4 8B85 2D050000 mov eax,dword ptr ss:[ebp+52D]
0048A1DA 2BD0          sub edx,eax
0048A1DC 74 79          je short L2WCrack.0048A257    //向下跳
0048A1DE 8BC2          mov eax,edx
0048A1E0 C1E8 10       shr eax,10
0048A1E3 33DB          xor ebx,ebx
.................................................
0048A257 8B95 22040000 mov edx,dword ptr ss:[ebp+422]    //跳到这里
0048A25D 8BB5 41050000 mov esi,dword ptr ss:[ebp+541]
0048A263 0BF6          or esi,esi
0048A265 74 11          je short L2WCrack.0048A278       //又一个向下跳转
0048A267 03F2          add esi,edx
0048A269 AD             lods dword ptr ds:[esi]
0048A26A 0BC0          or eax,eax
0048A26C 74 0A          je short L2WCrack.0048A278
0048A26E 03C2          add eax,edx
0048A270 8BF8          mov edi,eax
0048A272 66:AD          lods word ptr ds:[esi]
0048A274 66:AB          stos word ptr es:[edi]
0048A276  ^ EB F1          jmp short L2WCrack.0048A269
0048A278 BE 00400700    mov esi,74000                      //跳到这里
0048A27D 8B95 22040000 mov edx,dword ptr ss:[ebp+422]
0048A283 03F2          add esi,edx
0048A285 8B46 0C       mov eax,dword ptr ds:[esi+C]
0048A288 85C0          test eax,eax
0048A28A 0F84 0A010000 je L2WCrack.0048A39A
0048A28A /0F84 0A010000 je L2WCrack.0048A39A
0048A290 |03C2          add eax,edx
0048A292 |8BD8          mov ebx,eax
0048A294 |50             push eax
0048A295 |FF95 4D0F0000 call dword ptr ss:[ebp+F4D]
0048A29B |85C0          test eax,eax
0048A29D |75 07          jnz short L2WCrack.0048A2A6    //这里有个向下的小跳转
0048A29F |53             push ebx
0048A2A0 |FF95 510F0000 call dword ptr ss:[ebp+F51]
0048A2A6 |8985 45050000 mov dword ptr ss:[ebp+545],eax //跳到这里
0048A2AC |C785 49050000 0>mov dword ptr ss:[ebp+549],0
0048A2B6 |8B95 22040000 mov edx,dword ptr ss:[ebp+422]
..............省略N条代码...............................
0048A302 85C0          test eax,eax
0048A304 5B             pop ebx
0048A305 75 6F          jnz short L2WCrack.0048A376       //这里来了个大跳转.
0048A307 F7C3 00000080 test ebx,80000000
0048A30D 75 19          jnz short L2WCrack.0048A328
.......................................................
0048A376 8907          mov dword ptr ds:[edi],eax          //跳到这里
0048A378 8385 49050000 0>add dword ptr ss:[ebp+549],4
0048A37F  ^ E9 32FFFFFF    jmp L2WCrack.0048A2B6             //往回跳
0048A384 8906          mov dword ptr ds:[esi],eax       //F4到这
0048A386 8946 0C       mov dword ptr ds:[esi+C],eax
0048A389 8946 10       mov dword ptr ds:[esi+10],eax
0048A38C 83C6 14       add esi,14
0048A38F 8B95 22040000 mov edx,dword ptr ss:[ebp+422]
0048A395  ^ E9 EBFEFFFF    jmp L2WCrack.0048A285             //又一个往回跳
0048A39A B8 480E0700    mov eax,70E48                   //F4到这里
0048A39F 50             push eax
0048A3A0 0385 22040000 add eax,dword ptr ss:[ebp+422]
0048A3A6 59             pop ecx
0048A3A7 0BC9          or ecx,ecx
0048A3A9 8985 A8030000 mov dword ptr ss:[ebp+3A8],eax
0048A3AF 61             popad                            //popad是出栈
0048A3B0 75 08          jnz short L2WCrack.0048A3BA       //这里一个小跳
0048A3B2 B8 01000000    mov eax,1
0048A3B7 C2 0C00       retn 0C
0048A3BA 68 00000000    push 0                         //程序运行到这时.显示的是l2wcrack.00470e48
0048A3BF C3             retn                            //返回入口点
............................................................
00470E48 55             push ebp                      //直接用OD插件脱壳.

当我到 0048A3BF C3             retn                            //返回入口点    这一步时，返回入口点，发现不像OEP。。
而是：  0042DF24 B8 FF000000    mov eax,0FF
         0042DF29 E8 1F080000    call 1.0042E74D
         0042DF2E C3             retn
         0042DF2F >  E8 27B80000    call 1.0043975B    这个是OEP吗？？？
         0042DF34  ^ E9 16FEFFFF    jmp 1.0042DD4F
         0042DF39 3B0D F0774500 cmp ecx,dword ptr ds:[4577F0]
         0042DF3F 75 02          jnz short 1.0042DF43
         0042DF41 F3:          prefix rep:
希望高手指点一下这是什么问题!!!
在下感激不尽！！！

2011-7-9 08:22

0