Post 2
Attached is the code at the OEP:
0041F586  55             push ebp
0041F587  8BEC           mov ebp, esp
0041F589  83EC 10        sub esp, 10
0041F58C  A1 30264400    mov eax, dword ptr [442630]
0041F591  8365 F8 00     and dword ptr [ebp-8], 0
0041F595  8365 FC 00     and dword ptr [ebp-4], 0
0041F599  53             push ebx
0041F59A  57             push edi
0041F59B  BF 4EE640BB    mov edi, BB40E64E
0041F5A0  3BC7           cmp eax, edi
0041F5A2  BB 0000FFFF    mov ebx, FFFF0000
0041F5A7  74 0D          je short 0041F5B6
0041F5A9  85C3           test ebx, eax
0041F5AB  74 09          je short 0041F5B6
0041F5AD  F7D0           not eax
0041F5AF  A3 34264400    mov dword ptr [442634], eax
0041F5B4  EB 60          jmp short 0041F616
0041F5B6  56             push esi
0041F5B7  8D45 F8        lea eax, dword ptr [ebp-8]
0041F5BA  50             push eax
0041F5BB  52             push edx
0041F5BC  E8 B0F20200    call 0044E871
0041F5C1  8B75 FC        mov esi, dword ptr [ebp-4]
0041F5C4  3375 F8        xor esi, dword ptr [ebp-8]
0041F5C7  50             push eax
0041F5C8  E8 06440300    call 004539D3
0041F5CD  33F0           xor esi, eax
0041F5CF  52             push edx
0041F5D0  E8 1AFB0200    call 0044F0EF
0041F5D5  33F0           xor esi, eax
0041F5D7  55             push ebp
0041F5D8  E8 173C0300    call 004531F4
......
Post 3
Looks like it isn't the OEP.
Post 4
Makes sense. Protection ID says the program I thought I had already unpacked was written in Visual C++ 8.0 and is still protected by VMP.
The code at this OEP doesn't look much like the VC++ entry signature either.
This one was found with the fast method; let me try again with the normal method.
......
Doesn't seem to find any new OEP.
Post 5
A complex packer like this can't be handled with a script; that approach isn't reliable.
Post 6
Whether you have reached the OEP or not, just look at the stack and you'll know.
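Posts 3 and 4 question whether the code in post 2 is the OEP and whether it matches the VC++ entry signature. The constants 0xBB40E64E and 0xFFFF0000 in that listing are the default-cookie constants of the MSVC CRT's `__security_init_cookie`, and in a VC8 (Visual C++ 2005) binary that routine is called from the real entry point rather than being the entry point itself. The script below is an added example, not code from the thread or from any of its posters: it matches the bytes at a candidate address against the `__security_init_cookie` prologue taken from the listing above (with the per-image `__security_cookie` address wildcarded) and against the assumed VC8 entry-stub shape `call __security_init_cookie; jmp __tmainCRTStartup`. The entry stub, its addresses, the `__tmainCRTStartup` address and the int3-padded image are constructed for the example.

```python
"""Classify an OEP candidate by its bytes: VC8 CRT entry stub, the body of
__security_init_cookie, or unknown. Added example, not from the thread."""
import struct

# Prologue of __security_init_cookie as it appears in the listing in post 2.
# 0xBB40E64E and 0xFFFF0000 are the CRT's default-cookie constants; "??"
# wildcards the per-image address of __security_cookie.
SECURITY_INIT_COOKIE_SIG = (
    "55 8B EC 83 EC 10 A1 ?? ?? ?? ?? 83 65 F8 00 83 65 FC 00 53 57 "
    "BF 4E E6 40 BB 3B C7 BB 00 00 FF FF 74 0D"
)

# Assumed shape of the VC8 CRT entry point: `call __security_init_cookie`
# followed by `jmp __tmainCRTStartup` (E8 rel32, E9 rel32). The OEP is this
# stub, not the __security_init_cookie body it calls.
ENTRY_STUB_SIG = "E8 ?? ?? ?? ?? E9 ?? ?? ?? ??"


def parse_sig(sig):
    """'55 8B ?? EC' -> [0x55, 0x8B, None, 0xEC]; None matches any byte."""
    return [None if tok == "??" else int(tok, 16) for tok in sig.split()]


def match_at(code, off, sig):
    """True if the wildcard signature `sig` matches `code` at offset `off`."""
    pat = parse_sig(sig)
    if off < 0 or off + len(pat) > len(code):
        return False
    return all(p is None or code[off + i] == p for i, p in enumerate(pat))


def rel32_target(code, off, base):
    """Target VA of the E8/E9 rel32 instruction at `off`; `base` is the VA of code[0]."""
    (rel,) = struct.unpack_from("<i", code, off + 1)
    return base + off + 5 + rel


def classify_oep_candidate(code, base, va):
    """Describe the code at virtual address `va` in the buffer `code` mapped at `base`."""
    off = va - base
    if match_at(code, off, ENTRY_STUB_SIG):
        callee = rel32_target(code, off, base)
        if match_at(code, callee - base, SECURITY_INIT_COOKIE_SIG):
            return "vc8 entry stub: call __security_init_cookie; jmp __tmainCRTStartup"
        return "call/jmp stub, callee not recognised"
    if match_at(code, off, SECURITY_INIT_COOKIE_SIG):
        return "__security_init_cookie body, not the entry stub"
    return "unknown"


# Constructed test image: the bytes from the listing in post 2 placed at their
# listed VA 0x41F586, plus an assumed entry stub at 0x41F500 that calls them.
# The jmp target 0x41F400 stands in for __tmainCRTStartup and is arbitrary.
IMAGE_BASE_VA = 0x41F500
LISTING_VA = 0x41F586
LISTING_BYTES = bytes.fromhex(
    "55 8BEC 83EC10 A130264400 8365F800 8365FC00 53 57 BF4EE640BB 3BC7 "
    "BB0000FFFF 740D 85C3 7409 F7D0 A334264400 EB60"
)


def build_image():
    img = bytearray(b"\xCC" * 0x100)          # int3 padding (constructed)
    call_rel = LISTING_VA - (IMAGE_BASE_VA + 5)
    jmp_rel = 0x41F400 - (IMAGE_BASE_VA + 10)
    img[0:5] = b"\xE8" + struct.pack("<i", call_rel)
    img[5:10] = b"\xE9" + struct.pack("<i", jmp_rel)
    off = LISTING_VA - IMAGE_BASE_VA
    img[off:off + len(LISTING_BYTES)] = LISTING_BYTES
    return bytes(img)


if __name__ == "__main__":
    image = build_image()
    for va in (IMAGE_BASE_VA, LISTING_VA, LISTING_VA + 1):
        print(f"{va:08X}: {classify_oep_candidate(image, IMAGE_BASE_VA, va)}")
```

When checking a real dump, read the bytes at the candidate address from the debugger or from the dumped section and call `classify_oep_candidate` with that section's virtual base; if the candidate matches the cookie-init prologue, walk the stack (as post 6 suggests) back to the return address that pushed it, since that caller is where an entry stub of the assumed shape would be.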