ASPack 2.12的手动脱壳[原创]-加壳脱壳-看雪-安全社区|安全招聘|kanxue.com

ASPack 2.12的手动脱壳[原创]

发表于: 2005-5-29 23:15 12266

ASPack 2.12的手动脱壳[原创]

beach

2005-5-29 23:15

12266

【破解作者】 beach
【作者主页】 http://bbs.chinadev.net/
【使用工具】 PEID、flyODBG修改版
【破解平台】 winXPSP2
【软件名称】某外挂破解程序
【软件简介】因为某外挂要收费了。这个程序是绕过外挂的收费验证。直接进游戏。不错的好软件。佩服作者的能力。
【加壳方式】 ASPack 2.12
【破解声明】我是一只小菜鸟，偶得一点心得，愿与大家分享：）
--------------------------------------------------------------------------------
【破解内容】

一。用PEID查看壳为：ASPack 2.12 -> Alexey Solodovnikov

二。设置flyODBG忽略所有异常选项,OD自动隐藏插件帮你隐藏OD.

OD载入程序。
0048A001 >  60             pushad             //OD载入后。停在这外壳入口
0048A002 E8 03000000    call L2WCrack.0048A00A  //F8到这。因为这个CALL比较近。F7步入
0048A007  - E9 EB045D45    jmp 45A5A4F7
0048A00C 55             push ebp
................................................
0048A00A 5D             pop ebp                //直接跳到这里。继续F8
0048A00B 45             inc ebp
0048A00C 55             push ebp
0048A00D C3             retn                   //跳
0048A00E E8 01000000    call L2WCrack.0048A014
0048A013 EB 5D          jmp short L2WCrack.0048A072
....................................................

0048A008 /EB 04          jmp short L2WCrack.0048A00E  //跳到了这里，这里也是一个跳转
0048A00A |5D             pop ebp
0048A00B |45             inc ebp
0048A00C |55             push ebp
0048A00D |C3             retn
0048A00E \E8 01000000    call L2WCrack.0048A014    //跳到这里，这个CALL一定要F7步入，F8会启动程序。OVER
0048A013 EB 5D          jmp short L2WCrack.0048A072
0048A015 BB EDFFFFFF    mov ebx,-13
0048A01A 03DD          add ebx,ebp
0048A01C 81EB 00A00800 sub ebx,8A000
...................................................
0048A014 5D             pop ebp                //跳到这里，
0048A015 BB EDFFFFFF    mov ebx,-13
0048A01A 03DD          add ebx,ebp
0048A01C 81EB 00A00800 sub ebx,8A000
0048A022 83BD 22040000 0>cmp dword ptr ss:[ebp+422],0
..............省略代码............................
0048A05E 53             push ebx
0048A05F 57             push edi
0048A060 FF95 490F0000 call dword ptr ss:[ebp+F49]
0048A066 8985 51050000 mov dword ptr ss:[ebp+551],eax
0048A06C 8D45 77       lea eax,dword ptr ss:[ebp+77]
0048A06F FFE0          jmp eax                         //一直F8来到这，又是一个跳转
0048A071 56             push esi
..................................................
0048A08A 8B9D 31050000 mov ebx,dword ptr ss:[ebp+531] //跳到这里,
0048A090 0BDB          or ebx,ebx
0048A092 74 0A          je short L2WCrack.0048A09E
0048A094 8B03          mov eax,dword ptr ds:[ebx]
.............省略代码N条...........
0048A12B 33DB          xor ebx,ebx
0048A12D 0BC9          or ecx,ecx
0048A12F 74 2E          je short L2WCrack.0048A15F
0048A131 78 2C          js short L2WCrack.0048A15F
0048A133 AC             lods byte ptr ds:[esi]
0048A134 3C E8          cmp al,0E8
0048A136 74 0A          je short L2WCrack.0048A142
0048A138 EB 00          jmp short L2WCrack.0048A13A
0048A13A 3C E9          cmp al,0E9
0048A13C 74 04          je short L2WCrack.0048A142
0048A13E 43             inc ebx
0048A13F 49             dec ecx
0048A140  ^ EB EB          jmp short L2WCrack.0048A12D //这里有个往回跳.手动脱壳一般不要让它往回跳
0048A142 8B06          mov eax,dword ptr ds:[esi]    //点这里.按F4运行到这里
0048A144 EB 00          jmp short L2WCrack.0048A146
0048A146 803E 16       cmp byte ptr ds:[esi],16
0048A149  ^ 75 F3          jnz short L2WCrack.0048A13E //又一个往回跳.
0048A14B 24 00          and al,0                   //F4到这里
0048A14D C1C0 18       rol eax,18
0048A150 2BC3          sub eax,ebx
0048A152 8906          mov dword ptr ds:[esi],eax
0048A154 83C3 05       add ebx,5
0048A157 83C6 04       add esi,4
0048A15A 83E9 05       sub ecx,5
0048A15D  ^ EB CE          jmp short L2WCrack.0048A12D  //到这里又是一个往回跳.
0048A15F 5B             pop ebx                   //F4到这里
0048A160 5E             pop esi
0048A161 59             pop ecx
0048A162 58             pop eax
0048A163 EB 08          jmp short L2WCrack.0048A16D  //这里往下跳
0048A165 0000          add byte ptr ds:[eax],al
......................................................
0048A16D 8BC8          mov ecx,eax                   //跳到这里
0048A16F 8B3E          mov edi,dword ptr ds:[esi]
0048A171 03BD 22040000 add edi,dword ptr ss:[ebp+422]
0048A177 8BB5 52010000 mov esi,dword ptr ss:[ebp+152]
0048A17D C1F9 02       sar ecx,2
0048A180 F3:A5          rep movs dword ptr es:[edi],dword pt>
0048A182 8BC8          mov ecx,eax
0048A184 83E1 03       and ecx,3
0048A187 F3:A4          rep movs byte ptr es:[edi],byte ptr >
0048A189 5E             pop esi
0048A18A 68 00800000    push 8000
0048A18F 6A 00          push 0
0048A191 FFB5 52010000 push dword ptr ss:[ebp+152]
0048A197 FF95 51050000 call dword ptr ss:[ebp+551]
0048A19D 83C6 08       add esi,8
0048A1A0 833E 00       cmp dword ptr ds:[esi],0
0048A1A3  ^ 0F85 1EFFFFFF jnz L2WCrack.0048A0C7          //往回跳
0048A1A9 68 00800000    push 8000                      //F4到这里
0048A1AE 6A 00          push 0
0048A1B0 FFB5 56010000 push dword ptr ss:[ebp+156]
0048A1B6 FF95 51050000 call dword ptr ss:[ebp+551]
0048A1BC 8B9D 31050000 mov ebx,dword ptr ss:[ebp+531]
0048A1C2 0BDB          or ebx,ebx
0048A1C4 74 08          je short L2WCrack.0048A1CE
0048A1C6 8B03          mov eax,dword ptr ds:[ebx]
0048A1C8 8785 35050000 xchg dword ptr ss:[ebp+535],eax
0048A1CE 8B95 22040000 mov edx,dword ptr ss:[ebp+422]
0048A1D4 8B85 2D050000 mov eax,dword ptr ss:[ebp+52D]
0048A1DA 2BD0          sub edx,eax
0048A1DC 74 79          je short L2WCrack.0048A257    //向下跳
0048A1DE 8BC2          mov eax,edx
0048A1E0 C1E8 10       shr eax,10
0048A1E3 33DB          xor ebx,ebx
.................................................
0048A257 8B95 22040000 mov edx,dword ptr ss:[ebp+422]    //跳到这里
0048A25D 8BB5 41050000 mov esi,dword ptr ss:[ebp+541]
0048A263 0BF6          or esi,esi
0048A265 74 11          je short L2WCrack.0048A278       //又一个向下跳转
0048A267 03F2          add esi,edx
0048A269 AD             lods dword ptr ds:[esi]
0048A26A 0BC0          or eax,eax
0048A26C 74 0A          je short L2WCrack.0048A278
0048A26E 03C2          add eax,edx
0048A270 8BF8          mov edi,eax
0048A272 66:AD          lods word ptr ds:[esi]
0048A274 66:AB          stos word ptr es:[edi]
0048A276  ^ EB F1          jmp short L2WCrack.0048A269
0048A278 BE 00400700    mov esi,74000                      //跳到这里
0048A27D 8B95 22040000 mov edx,dword ptr ss:[ebp+422]
0048A283 03F2          add esi,edx
0048A285 8B46 0C       mov eax,dword ptr ds:[esi+C]
0048A288 85C0          test eax,eax
0048A28A 0F84 0A010000 je L2WCrack.0048A39A
0048A28A /0F84 0A010000 je L2WCrack.0048A39A
0048A290 |03C2          add eax,edx
0048A292 |8BD8          mov ebx,eax
0048A294 |50             push eax
0048A295 |FF95 4D0F0000 call dword ptr ss:[ebp+F4D]
0048A29B |85C0          test eax,eax
0048A29D |75 07          jnz short L2WCrack.0048A2A6    //这里有个向下的小跳转
0048A29F |53             push ebx
0048A2A0 |FF95 510F0000 call dword ptr ss:[ebp+F51]
0048A2A6 |8985 45050000 mov dword ptr ss:[ebp+545],eax //跳到这里
0048A2AC |C785 49050000 0>mov dword ptr ss:[ebp+549],0
0048A2B6 |8B95 22040000 mov edx,dword ptr ss:[ebp+422]
..............省略N条代码...............................
0048A302 85C0          test eax,eax
0048A304 5B             pop ebx
0048A305 75 6F          jnz short L2WCrack.0048A376       //这里来了个大跳转.
0048A307 F7C3 00000080 test ebx,80000000
0048A30D 75 19          jnz short L2WCrack.0048A328
.......................................................
0048A376 8907          mov dword ptr ds:[edi],eax          //跳到这里
0048A378 8385 49050000 0>add dword ptr ss:[ebp+549],4
0048A37F  ^ E9 32FFFFFF    jmp L2WCrack.0048A2B6             //往回跳
0048A384 8906          mov dword ptr ds:[esi],eax       //F4到这
0048A386 8946 0C       mov dword ptr ds:[esi+C],eax
0048A389 8946 10       mov dword ptr ds:[esi+10],eax
0048A38C 83C6 14       add esi,14
0048A38F 8B95 22040000 mov edx,dword ptr ss:[ebp+422]
0048A395  ^ E9 EBFEFFFF    jmp L2WCrack.0048A285             //又一个往回跳
0048A39A B8 480E0700    mov eax,70E48                   //F4到这里
0048A39F 50             push eax
0048A3A0 0385 22040000 add eax,dword ptr ss:[ebp+422]
0048A3A6 59             pop ecx
0048A3A7 0BC9          or ecx,ecx
0048A3A9 8985 A8030000 mov dword ptr ss:[ebp+3A8],eax
0048A3AF 61             popad                            //popad是出栈
0048A3B0 75 08          jnz short L2WCrack.0048A3BA       //这里一个小跳
0048A3B2 B8 01000000    mov eax,1
0048A3B7 C2 0C00       retn 0C
0048A3BA 68 00000000    push 0                         //程序运行到这时.显示的是l2wcrack.00470e48
0048A3BF C3             retn                            //返回入口点
............................................................
00470E48 55             push ebp                      //直接用OD插件脱壳.
00470E49 8BEC          mov ebp,esp
00470E4B 83C4 F0       add esp,-10
00470E4E 53             push ebx
00470E4F B8 080C4700    mov eax,L2WCrack.00470C08
.........................................................

三.脱壳后程序不能运行.打开recimport.系统进程选L2wcrack.exe这个进程.填入OEP:70E48.点自动搜索IAT
再点获取输入表.发现指针全部有效.再点修复抓取文件.修复脱壳的文件.运行OK

--------------------------------------------------------------------------------
【版权声明】本文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!

[培训]内核驱动高级班，冲击BAT一流互联网大厂工作，每周日13:00-18:00直播授课

收藏・1

免费・0

支持

最新回复 (15)
Winter-Night 雪币： 296 活跃值： (250) 能力值： ( LV9，RANK：210 ) 在线值：发帖 31 回帖 726 粉丝 1 关注私信	Winter-Night 5 2 楼嗯，对于压缩壳还可以试试更简单的方法不过外挂加压缩壳倒是不多见~ 2005-5-29 23:22 0
cyclotron 雪币： 392 活跃值： (909) 能力值： ( LV9，RANK：690 ) 在线值：发帖 43 回帖 800 粉丝 9 关注私信	cyclotron 17 3 楼最初由 Winter-Night 发布嗯，对于压缩壳还可以试试更简单的方法不过外挂加压缩壳倒是不多见~ 不是wg，是wg的crack 2005-5-29 23:28 0
Winter-Night 雪币： 296 活跃值： (250) 能力值： ( LV9，RANK：210 ) 在线值：发帖 31 回帖 726 粉丝 1 关注私信	Winter-Night 5 4 楼最初由 cyclotron 发布不是wg，是wg的crack 看走眼了，吓一跳 2005-5-29 23:36 0
Pr0Zel 雪币： 288 活跃值： (415) 能力值： ( LV9，RANK：290 ) 在线值：发帖 37 回帖 384 粉丝 0 关注私信	Pr0Zel 7 5 楼最初由 Winter-Night 发布嗯，对于压缩壳还可以试试更简单的方法不过外挂加压缩壳倒是不多见~ ESP定律可以对付大多数的壳 2005-5-30 00:31 0
fly2sky 雪币： 201 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 21 粉丝 0 关注私信	fly2sky 6 楼我最喜脱UPX和ASPACK的壳，因为太好脱了 2005-6-1 10:32 0
cnnets 雪币： 454 活跃值： (31) 能力值： ( LV2，RANK：10 ) 在线值：发帖 11 回帖 251 粉丝 0 关注私信	cnnets 7 楼最初由 fly2sky 发布我最喜脱UPX和ASPACK的壳，因为太好脱了对于有附加数据的如何? 2005-6-1 11:40 0
hao1geren 雪币： 213 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 13 回帖 88 粉丝 0 关注私信	hao1geren 8 楼如果不是想深入了解这个壳可以来一点简单的： OD载入后，Ctrl+B 输入 61空格75，直接就到了OEP,在55那行上，F2,F9,然后用抓去映像，修复IAT,就OK了 2005-6-1 12:49 0
wynney 雪币： 224 活跃值： (147) 能力值： ( LV9，RANK：970 ) 在线值：发帖 65 回帖 1109 粉丝 7 关注私信	wynney 24 9 楼最初由 cnnets 发布对于有附加数据的如何? 2005-6-1 19:10 0
9571 雪币： 106 活跃值： (271) 能力值： ( LV3，RANK：30 ) 在线值：发帖 33 回帖 201 粉丝 0 关注私信	9571 10 楼我自己根据一个定理脱了这个壳，不用修复到如表，脱壳完成后直接运行，就是文件大了些 2005-6-2 09:22 0
reboot 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 6 回帖 43 粉丝 0 关注私信	reboot 11 楼你说的55那行是指od装入加壳程序之后的的第一个55吗？ 2006-7-7 11:34 0
yjonline 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 7 粉丝 0 关注私信	yjonline 12 楼 00704014 5D pop 为什么我到了这里就走不出去ebp ; Manager.00704013 00704015 BB EDFFFFFF mov ebx, -13 0070401A 03DD add ebx, ebp 0070401C 81EB 00403000 sub ebx, 304000 00704022 807D 4D 01 cmp byte ptr [ebp+4D], 1 00704026 75 0C jnz short 00704034 00704028 8B7424 28 mov esi, [esp+28] 0070402C 83FE 01 cmp esi, 1 0070402F 895D 4E mov [ebp+4E], ebx 00704032 75 31 jnz short 00704065 00704034 8D45 53 lea eax, [ebp+53] 00704037 50 push eax 00704038 53 push ebx 00704039 FFB5 F1090000 push dword ptr [ebp+9F1] 0070403F 8D45 35 lea eax, [ebp+35] 00704042 50 push eax 00704043 E9 82000000 jmp 007040CA 00704048 0000 add [eax], al 0070404A 0000 add [eax], al 0070404C 0000 add [eax], al 0070404E 0000 add [eax], al 00704050 0000 add [eax], al 00704052 0000 add [eax], al 00704054 0000 add [eax], al 00704056 0000 add [eax], al 00704058 0000 add [eax], al 0070405A 0000 add [eax], al 0070405C 0000 add [eax], al 0070405E 0000 add [eax], al 00704060 0000 add [eax], al 00704062 0000 add [eax], al 00704064 00B8 F8C0A523 add [eax+23A5C0F8], bh 0070406A 50 push eax 0070406B 50 push eax 0070406C 0345 4E add eax, [ebp+4E] 0070406F 5B pop ebx 00704070 85C0 test eax, eax 00704072 74 1C je short 00704090 00704074 EB 01 jmp short 00704077 00704076 E8 81FBF8C0 call C1693BFC 0070407B A5 movs dword ptr es:[edi], dword ptr [e> 0070407C 237435 33 and esi, [ebp+esi+33] 00704080 D256 6A rcl byte ptr [esi+6A], cl 00704083 0056 FF add [esi-1], dl 00704086 75 4E jnz short 007040D6 00704088 FFD0 call eax 0070408A 5E pop esi 0070408B 83FE 00 cmp esi, 0 0070408E 75 24 jnz short 007040B4 00704090 33D2 xor edx, edx 00704092 8B45 41 mov eax, [ebp+41] 00704095 85C0 test eax, eax 00704097 74 07 je short 007040A0 00704099 52 push edx 0070409A 52 push edx 0070409B FF75 35 push dword ptr [ebp+35] 0070409E FFD0 call eax 007040A0 8B45 35 mov eax, [ebp+35] 007040A3 85C0 test eax, eax 007040A5 74 0D je short 007040B4 007040A7 68 00800000 push 8000 007040AC 6A 00 push 0 007040AE FF75 35 push dword ptr [ebp+35] 007040B1 FF55 3D call [ebp+3D] 007040B4 5B pop ebx 007040B5 0BDB or ebx, ebx 007040B7 61 popad 007040B8 75 06 jnz short 007040C0 007040BA 6A 01 push 1 007040BC 58 pop eax 007040BD C2 0C00 retn 0C 007040C0 33C0 xor eax, eax 007040C2 F7D8 neg eax 007040C4 1BC0 sbb eax, eax 007040C6 40 inc eax 007040C7 C2 0C00 retn 0C 007040CA E8 05000000 call 007040D4 007040CF A9 2ECF5C65 test eax, 655CCF2E 007040D4 BE E17CFD42 mov esi, 42FD7CE1 007040D9 5F pop edi 007040DA E8 09000000 call 007040E8 007040DF 1D 92636019 sbb eax, 19606392 007040E4 DEBF 8CD580D9 fidivr word ptr [edi+D980D58C] 007040EA B6 59 mov dh, 59 007040EC 81C7 54080000 add edi, 854 007040F2 52 push edx 007040F3 8AFD mov bh, ch 007040F5 5E pop esi 007040F6 68 00000000 push 0 007040FB 5A pop edx 007040FC 66:8BDF mov bx, di 007040FF 8B0417 mov eax, [edi+edx] 00704102 66:B9 6D79 mov cx, 796D 00704106 81F0 8A240804 xor eax, 408248A 0070410C E9 05000000 jmp 00704116 00704111 69EE 8F1C2581 imul ebp, esi, 81251C8F 00704117 E8 FBCA557F call 7FC60C17 0070411C 8BDE mov ebx, esi 0070411E 81C0 18178214 add eax, 14821718 00704124 0F83 03000000 jnb 0070412D 0070412A 0FBFF1 movsx esi, cx 0070412D 50 push eax 0070412E 56 push esi 0070412F 66:81DB 130A sbb bx, 0A13 00704134 5E pop esi 00704135 8F0417 pop dword ptr [edi+edx] 00704138 0F85 15000000 jnz 00704153 0070413E E8 09000000 call 0070414C 00704143 BD B20380B9 mov ebp, B98003B2 00704148 FE ??? ; 未知命令 00704149 5F pop edi 0070414A AC lods byte ptr [esi] 0070414B 75 68 jnz short 007041B5 0070414D 98 cwde 0070414E E0 51 loopdne short 007041A1 00704150 325E 5E xor bl, [esi+5E] 00704153 E9 08000000 jmp 00704160 00704158 B0 29 mov al, 29 0070415A AE scas byte ptr es:[edi] 0070415B 4F dec edi 0070415C DCE5 fsubr st(5), st 0070415E BA 6B83EA04 mov edx, 4EA836B 00704163 66:BB 74F0 mov bx, 0F074 00704167 81FA 90F8FFFF cmp edx, -770 0070416D 0F85 1E000000 jnz 00704191 00704173 66:81E6 5E69 and si, 695E 00704178 E9 3A000000 jmp 007041B7 0070417D 0C 55 or al, 55 0070417F 6A 5B push 5B 00704181 F8 clc 00704182 D136 sal dword ptr [esi], 1 00704184 37 aaa 00704185 A4 movs byte ptr es:[edi], byte ptr [esi> 00704186 0D C2D31009 or eax, 910D3C2 0070418B 0E push cs 0070418C 2F das 0070418D 3C C5 cmp al, 0C5 0070418F 1A4B 68 sbb cl, [ebx+68] 00704192 E6 A8 out 0A8, al 00704194 93 xchg eax, ebx 00704195 7D 0F jge short 007041A6 00704197 8A05 000000BE mov al, [BE000000] 0070419D 35 7CAA185E xor eax, 5E18AA7C 007041A2 ^ E9 58FFFFFF jmp 007040FF 007041A7 58 pop eax 007041A8 B1 96 mov cl, 96 007041AA 17 pop ss 007041AB 04 ED add al, 0ED 007041AD 22B3 70E96E0F and dh, [ebx+F6EE970] 007041B3 9C pushfd 007041B4 A5 movs dword ptr es:[edi], dword ptr [e> 007041B5 7A 2B jpe short 007041E2 007041B7 46 inc esi 007041B8 ^ E3 DB jecxz short 00704195 007041BA 6E outs dx, byte ptr es:[edi] 007041BB 69D6 D7BBC72B imul edx, esi, 2BC7BBD7 007041C1 C438 les edi, [eax] 007041C3 93 xchg eax, ebx 007041C4 CF iretd 007041C5 7F 7C jg short 00704243 007041C7 2F das 007041C8 A3 EC777BC6 mov [C67B77EC], eax 007041CD 07 pop es 007041CE 34 41 xor al, 41 007041D0 E7 DB out 0DB, eax 007041D2 6E outs dx, byte ptr es:[edi] 007041D3 69DA F3AF43FF imul ebx, edx, FF43AFF3 007041D9 AF scas dword ptr es:[edi] 007041DA EC in al, dx 007041DB DF53 1C fist word ptr [ebx+1C] 007041DE E0 2B loopdne short 0070420B 007041E0 F737 div dword ptr [edi] 007041E2 A4 movs byte ptr es:[edi], byte ptr [esi> 007041E3 78 4E js short 00704233 007041E5 96 xchg eax, esi 007041E6 CD C1 int 0C1 007041E8 8520 test [eax], esp 007041EA A0 613D5747 mov al, [47573D61] 007041EF B7 11 mov bh, 11 007041F1 92 xchg eax, edx 007041F2 BD 6097DBD6 mov ebp, D6DB9760 007041F7 04 91 add al, 91 007041F9 DB6E 78 fld tbyte ptr [esi+78] 007041FC 4E dec esi 007041FD 97 xchg eax, edi 007041FE C7 ??? ; 未知命令 007041FF - E9 5AE7F1AB jmp AC62295E 00704204 49 dec ecx 00704205 A9 3CA00D5D test eax, 5D0DA03C 0070420A 36:CE into 0070420C 90 nop 0070420D 37 aaa 0070420E 9B wait 0070420F - E9 82CBE850 jmp 51590D96 00704214 1E push ds 00704215 B3 8E mov bl, 8E 00704217 8310 B1 adc dword ptr [eax], -4F 0070421A 57 push edi 0070421B EE out dx, al 0070421C 5F pop edi 0070421D 1307 adc eax, [edi] 0070421F 2D 9B3121FD sub eax, FD21319B 00704224 E1 22 loopde short 00704248 00704226 D5 E4 aad 0E4 00704228 A9 6B751CCF test eax, CF1C756B 0070422D 5E pop esi 0070422E 5D pop ebp 0070422F 6F outs dx, dword ptr es:[edi] 00704230 19D9 sbb ecx, ebx 00704232 BD BBB9EA6E mov ebp, 6EEAB9BB 00704237 6997 093EB53D 0>imul edx, [edi+3DB53E09], B1A15206 00704241 D235 5DF56DCA sal byte ptr [CA6DF55D], cl 00704247 EC in al, dx 00704248 B8 DD7DE2EE mov eax, EEE27DDD 0070424D DB6E 69 fld tbyte ptr [esi+69] 00704250 1AAC50 8C90DB6E sbb ch, [eax+edx2+6EDB908C] 00704257 34 08 xor al, 8 00704259 2D 2510FC68 sub eax, 68FC1025 0070425E A9 BC6055FD test eax, FD5560BC 00704263 185411 D5 sbb [ecx+edx-2B], dl 00704267 16 push ss 00704268 51 push ecx 00704269 8A50 FC mov dl, [eax-4] 0070426C 97 xchg eax, edi 0070426D DB6E 00 fld tbyte ptr [esi] 00704270 2C D9 sub al, 0D9 00704272 59 pop ecx 00704273 AC lods byte ptr [esi] 00704274 50 push eax 00704275 C5AD 088481FA lds ebp, [ebp+FA818408] 0070427B B5 A7 mov ch, 0A7 0070427D DC77 01 fdiv qword ptr [edi+1] 00704280 8279 4D E8 cmp byte ptr [ecx+4D], -18 00704284 07 pop es 00704285 4C dec esp 00704286 FC cld 00704287 2C C2 sub al, 0C2 00704289 CC int3 0070428A 04 21 add al, 21 0070428C F5 cmc 0070428D 13F8 adc edi, eax 0070428F 3848 E7 cmp [eax-19], cl 00704292 024F 81 add cl, [edi-7F] 00704295 79 4D jns short 007042E4 00704297 00B3 794DE8A4 add [ebx+A4E84D79], dh 0070429D 238B 2D779757 and ecx, [ebx+5797772D] 007042A3 ^ 71 C3 jno short 00704268 007042A5 EE out dx, al 007042A6 ^ E2 D5 loopd short 0070427D 007042A8 58 pop eax 007042A9 1F pop ds 007042AA 2F das 007042AB ^ 78 AB js short 00704258 007042AD D6 salc 007042AE 3A5C17 F5 cmp bl, [edi+edx-B] 007042B2 9F lahf 007042B3 0F21 ??? ; 未知命令 007042B5 0268 EE add ch, [eax-12] 007042B8 A7 cmps dword ptr [esi], dword ptr es:[e> 007042B9 73 4D jnb short 00704308 007042BB E8 4882DF69 call 6A4FC508 007042C0 FB sti 007042C1 46 inc esi 007042C2 A7 cmps dword ptr [esi], dword ptr es:[e> 007042C3 7B 0E jpo short 007042D3 007042C5 E4 D6 in al, 0D6 007042C7 8D05 A67B5649 lea eax, [49567BA6] 007042CD E7 36 out 36, eax 007042CF ^ 7F AC jg short 0070427D 007042D1 7A 50 jpe short 00704323 007042D3 8605 82C22672 xchg [7226C282], al 007042D9 60 pushad 007042DA E5 62 in eax, 62 007042DC 04 3B add al, 3B 007042DE C2 16A5 retn 0A516 007042E1 98 cwde 007042E2 8E87 A7724DE8 mov es, [edi+E84D72A7] 007042E8 48 dec eax 007042E9 F9 stc 007042EA F9 stc 007042EB EE out dx, al 007042EC E8 2DB6F2D5 call D662F91E 007042F1 F2: prefix repne: 007042F2 ^ 70 A3 jo short 00704297 007042F4 2223 and ah, [ebx] 007042F6 30C7 xor bh, al 007042F8 CD 6C int 6C 007042FA 41 inc ecx 007042FB 86CF xchg bh, cl 007042FD 99 cdq 007042FE 15 3DCE7C65 adc eax, 657CCE3D 00704303 E2 48 loopd short 0070434D 00704305 79 5C jns short 00704363 00704307 67:B0 79 mov al, 79 0070430A 4D dec ebp 0070430B E8 A7AE4DE8 call E8BDF1B7 00704310 48 dec eax 00704311 B7 20 mov bh, 20 00704313 1B36 sbb esi, [esi] 00704315 1C 8C sbb al, 8C 00704317 FD std 00704318 F3: prefix rep: 00704319 1F pop ds 0070431A 98 cwde 0070431B E0 7E loopdne short 0070439B 0070431D A4 movs byte ptr es:[edi], byte ptr [esi> 0070431E 8445 BA test [ebp-46], al 00704321 27 daa 00704322 1081 17ADBC13 adc [ecx+13BCAD17], al 00704328 2B7D 4C sub edi, [ebp+4C] 0070432B E8 42C088D0 call D0F90372 00704330 8F ??? ; 未知命令 00704331 93 xchg eax, ebx 00704332 74 35 je short 00704369 00704334 CA D707 retf 7D7 00704337 B8 D73B6C9C mov eax, 9C6C3BD7 0070433C 93 xchg eax, ebx 0070433D CF iretd 0070433E A2 102E9CCF mov [CF9C2E10], al 00704343 FFA7 4F085631 jmp [edi+3156084F] 00704349 E5 6D in eax, 6D 0070434B 9F lahf 0070434C B6 40 mov dh, 40 0070434E 55 push ebp 0070434F DB5B A9 fistp dword ptr [ebx-57] 00704352 E6 77 out 77, al 00704354 BD 8882D0E3 mov ebp, E3D08288 00704359 A0 8817C4BC mov al, [BCC41788] 0070435E 20D5 and ch, dl 00704360 97 xchg eax, edi 00704361 841C56 test [esi+edx2], bl 00704364 56 push esi 00704365 58 pop eax 00704366 16 push ss 00704367 56 push esi 00704368 56 push esi 00704369 4F dec edi 0070436A BD 8313C54E mov ebp, 4EC51383 0070436F BF 97A0AA7B mov edi, 7BAAA097 00704374 B9 8CC6179D mov ecx, 9D17C68C 00704379 E8 E1F3C368 call 6934375F 0070437E CE into 0070437F 6A 56 push 56 00704381 4F dec edi 00704382 EA 8CA6B342 1A4>jmp far 4D1A:42B3A68C 00704389 45 inc ebp 0070438A 0856 56 or [esi+56], dl 0070438D F2: prefix repne: 0070438E 7F 73 jg short 00704403 00704390 4C dec esp 00704391 DD ??? ; 未知命令 00704392 6C ins byte ptr es:[edi], dx 00704393 4B dec ebx 00704394 70 5E jo short 007043F4 00704396 97 xchg eax, edi 00704397 55 push ebp 00704398 56 push esi 00704399 4F dec edi 0070439A 08D5 or ch, dl 0070439C AD lods dword ptr [esi] 0070439D 6B08 9E imul ecx, [eax], -62 007043A0 2BC0 sub eax, eax 007043A2 6F outs dx, dword ptr es:[edi] 007043A3 CD DC int 0DC 007043A5 85CD test ebp, ecx 007043A7 50 push eax 007043A8 C3 retn 007043A9 8588 F9B8A79F test [eax+9FA7B8F9], ecx 007043AF 57 push edi 007043B0 4E dec esi 007043B1 F4 hlt 007043B2 0F5656 91 orps xmm2, [esi-6F] 007043B6 9E sahf 007043B7 0FA50D FA0B0B5D shld [5D0B0BFA], ecx, cl 007043BE 118F 04261C94 adc [edi+941C2604], ecx 007043C4 ^ 78 C0 js short 00704386 007043C6 47 inc edi 007043C7 5A pop edx 007043C8 DBC0 fcmovnb st, st 007043CA F5 cmc 007043CB 61 popad 007043CC 4B dec ebx 007043CD 76 4A jbe short 00704419 007043CF C057 CE BD rcl byte ptr [edi-32], 0BD 007043D3 48 dec eax 007043D4 66:57 push di 007043D6 8BF2 mov esi, edx 007043D8 A2 93F864D6 mov [D664F893], al 007043DD 85DA test edx, ebx 007043DF EA 97406C5A 67A>jmp far A167:5A6C4097 007043E6 8E2A mov gs, [edx] 007043E8 D5 58 aad 58 007043EA 0856 56 or [esi+56], dl 007043ED 4F dec edi 007043EE 1D D9DA8D42 sbb eax, 428DDAD9 007043F3 F0:D7 lock xlat byte ptr [ebx+al] ; 不允许锁定前缀 007043F5 39E8 cmp eax, ebp 007043F7 C1A8 4E8E30FF 4>shr dword ptr [eax+FF308E4E], 4A 007043FE A6 cmps byte ptr [esi], byte ptr es:[edi> 007043FF DC46 79 fadd qword ptr [esi+79] 00704402 42 inc edx 00704403 D246 79 rol byte ptr [esi+79], cl 00704406 42 inc edx 00704407 C6 ??? ; 未知命令 00704408 79 79 jns short 00704483 0070440A 2A02 sub al, [edx] 0070440C 9B wait 0070440D 4A dec edx 0070440E A6 cmps byte ptr [esi], byte ptr es:[edi> 0070440F D5 71 aad 71 00704411 AD lods dword ptr [esi] 00704412 4D dec ebp 00704413 2066 0D and [esi+D], ah 00704416 2E:9A 502CA63D >call far 7D5F:3DA62C50 0070441E 6A 8B push -75 00704420 081F or [edi], bl 00704422 E7 A4 out 0A4, eax 00704424 F2:A7 repne cmps dword ptr es:[edi], dword p> 2006-7-7 21:33 0
iamcrackin 雪币： 235 活跃值： (12) 能力值： ( LV8，RANK：130 ) 在线值：发帖 43 回帖 169 粉丝 0 关注私信	iamcrackin 3 13 楼 OD载入后，Ctrl+B 输入 61空格75，直接就到了OEP,在55那行上，F2,F9,然后抓去映像，修复IAT,就OK了你的方法似乎很奇特，能说详细点吗？我输入61 75怎么到不了那里？？？ 2006-11-9 23:04 0
huainet 雪币： 201 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 6 粉丝 0 关注私信	huainet 14 楼努力学习中希望老鸟们多教教偶 2007-2-4 01:28 0
zhucheng 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 2 粉丝 0 关注私信	zhucheng 15 楼 0048A3BA 68 00000000 push 0 //程序运行到这时.显示的是l2wcrack.00470e48 0048A3BF C3 retn //返回入口点问题可能有点白痴,因为我是新手啊,就是"显示的是12wcrack.00460e48"是在哪个窗口显示的啊,我怎么找不到 2007-2-10 15:53 0
morose 雪币： 233 活跃值： (12) 能力值： ( LV2，RANK：10 ) 在线值：发帖 12 回帖 59 粉丝 0 关注私信	morose 16 楼用esp定律也可以脱呀 2007-2-11 10:48 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

beach

发帖

回帖

RANK

关注

私信

他的文章

关于我们

联系我们

企业服务

看雪公众号

最新回复 (15)
Winter-Night 雪币： 296 活跃值： (250) 能力值： ( LV9，RANK：210 ) 在线值：发帖 31 回帖 726 粉丝 1 关注私信	Winter-Night 5 2 楼嗯，对于压缩壳还可以试试更简单的方法不过外挂加压缩壳倒是不多见~ 2005-5-29 23:22 0
cyclotron 雪币： 392 活跃值： (909) 能力值： ( LV9，RANK：690 ) 在线值：发帖 43 回帖 800 粉丝 9 关注私信	cyclotron 17 3 楼最初由 Winter-Night 发布嗯，对于压缩壳还可以试试更简单的方法不过外挂加压缩壳倒是不多见~ 不是wg，是wg的crack 2005-5-29 23:28 0
Winter-Night 雪币： 296 活跃值： (250) 能力值： ( LV9，RANK：210 ) 在线值：发帖 31 回帖 726 粉丝 1 关注私信	Winter-Night 5 4 楼最初由 cyclotron 发布不是wg，是wg的crack 看走眼了，吓一跳 2005-5-29 23:36 0
Pr0Zel 雪币： 288 活跃值： (415) 能力值： ( LV9，RANK：290 ) 在线值：发帖 37 回帖 384 粉丝 0 关注私信	Pr0Zel 7 5 楼最初由 Winter-Night 发布嗯，对于压缩壳还可以试试更简单的方法不过外挂加压缩壳倒是不多见~ ESP定律可以对付大多数的壳 2005-5-30 00:31 0
fly2sky 雪币： 201 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 21 粉丝 0 关注私信	fly2sky 6 楼我最喜脱UPX和ASPACK的壳，因为太好脱了 2005-6-1 10:32 0
cnnets 雪币： 454 活跃值： (31) 能力值： ( LV2，RANK：10 ) 在线值：发帖 11 回帖 251 粉丝 0 关注私信	cnnets 7 楼最初由 fly2sky 发布我最喜脱UPX和ASPACK的壳，因为太好脱了对于有附加数据的如何? 2005-6-1 11:40 0
hao1geren 雪币： 213 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 13 回帖 88 粉丝 0 关注私信	hao1geren 8 楼如果不是想深入了解这个壳可以来一点简单的： OD载入后，Ctrl+B 输入 61空格75，直接就到了OEP,在55那行上，F2,F9,然后用抓去映像，修复IAT,就OK了 2005-6-1 12:49 0
wynney 雪币： 224 活跃值： (147) 能力值： ( LV9，RANK：970 ) 在线值：发帖 65 回帖 1109 粉丝 7 关注私信	wynney 24 9 楼最初由 cnnets 发布对于有附加数据的如何? 2005-6-1 19:10 0
9571 雪币： 106 活跃值： (271) 能力值： ( LV3，RANK：30 ) 在线值：发帖 33 回帖 201 粉丝 0 关注私信	9571 10 楼我自己根据一个定理脱了这个壳，不用修复到如表，脱壳完成后直接运行，就是文件大了些 2005-6-2 09:22 0
reboot 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 6 回帖 43 粉丝 0 关注私信	reboot 11 楼你说的55那行是指od装入加壳程序之后的的第一个55吗？ 2006-7-7 11:34 0
yjonline 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 7 粉丝 0 关注私信	yjonline 12 楼 00704014 5D pop 为什么我到了这里就走不出去ebp ; Manager.00704013 00704015 BB EDFFFFFF mov ebx, -13 0070401A 03DD add ebx, ebp 0070401C 81EB 00403000 sub ebx, 304000 00704022 807D 4D 01 cmp byte ptr [ebp+4D], 1 00704026 75 0C jnz short 00704034 00704028 8B7424 28 mov esi, [esp+28] 0070402C 83FE 01 cmp esi, 1 0070402F 895D 4E mov [ebp+4E], ebx 00704032 75 31 jnz short 00704065 00704034 8D45 53 lea eax, [ebp+53] 00704037 50 push eax 00704038 53 push ebx 00704039 FFB5 F1090000 push dword ptr [ebp+9F1] 0070403F 8D45 35 lea eax, [ebp+35] 00704042 50 push eax 00704043 E9 82000000 jmp 007040CA 00704048 0000 add [eax], al 0070404A 0000 add [eax], al 0070404C 0000 add [eax], al 0070404E 0000 add [eax], al 00704050 0000 add [eax], al 00704052 0000 add [eax], al 00704054 0000 add [eax], al 00704056 0000 add [eax], al 00704058 0000 add [eax], al 0070405A 0000 add [eax], al 0070405C 0000 add [eax], al 0070405E 0000 add [eax], al 00704060 0000 add [eax], al 00704062 0000 add [eax], al 00704064 00B8 F8C0A523 add [eax+23A5C0F8], bh 0070406A 50 push eax 0070406B 50 push eax 0070406C 0345 4E add eax, [ebp+4E] 0070406F 5B pop ebx 00704070 85C0 test eax, eax 00704072 74 1C je short 00704090 00704074 EB 01 jmp short 00704077 00704076 E8 81FBF8C0 call C1693BFC 0070407B A5 movs dword ptr es:[edi], dword ptr [e> 0070407C 237435 33 and esi, [ebp+esi+33] 00704080 D256 6A rcl byte ptr [esi+6A], cl 00704083 0056 FF add [esi-1], dl 00704086 75 4E jnz short 007040D6 00704088 FFD0 call eax 0070408A 5E pop esi 0070408B 83FE 00 cmp esi, 0 0070408E 75 24 jnz short 007040B4 00704090 33D2 xor edx, edx 00704092 8B45 41 mov eax, [ebp+41] 00704095 85C0 test eax, eax 00704097 74 07 je short 007040A0 00704099 52 push edx 0070409A 52 push edx 0070409B FF75 35 push dword ptr [ebp+35] 0070409E FFD0 call eax 007040A0 8B45 35 mov eax, [ebp+35] 007040A3 85C0 test eax, eax 007040A5 74 0D je short 007040B4 007040A7 68 00800000 push 8000 007040AC 6A 00 push 0 007040AE FF75 35 push dword ptr [ebp+35] 007040B1 FF55 3D call [ebp+3D] 007040B4 5B pop ebx 007040B5 0BDB or ebx, ebx 007040B7 61 popad 007040B8 75 06 jnz short 007040C0 007040BA 6A 01 push 1 007040BC 58 pop eax 007040BD C2 0C00 retn 0C 007040C0 33C0 xor eax, eax 007040C2 F7D8 neg eax 007040C4 1BC0 sbb eax, eax 007040C6 40 inc eax 007040C7 C2 0C00 retn 0C 007040CA E8 05000000 call 007040D4 007040CF A9 2ECF5C65 test eax, 655CCF2E 007040D4 BE E17CFD42 mov esi, 42FD7CE1 007040D9 5F pop edi 007040DA E8 09000000 call 007040E8 007040DF 1D 92636019 sbb eax, 19606392 007040E4 DEBF 8CD580D9 fidivr word ptr [edi+D980D58C] 007040EA B6 59 mov dh, 59 007040EC 81C7 54080000 add edi, 854 007040F2 52 push edx 007040F3 8AFD mov bh, ch 007040F5 5E pop esi 007040F6 68 00000000 push 0 007040FB 5A pop edx 007040FC 66:8BDF mov bx, di 007040FF 8B0417 mov eax, [edi+edx] 00704102 66:B9 6D79 mov cx, 796D 00704106 81F0 8A240804 xor eax, 408248A 0070410C E9 05000000 jmp 00704116 00704111 69EE 8F1C2581 imul ebp, esi, 81251C8F 00704117 E8 FBCA557F call 7FC60C17 0070411C 8BDE mov ebx, esi 0070411E 81C0 18178214 add eax, 14821718 00704124 0F83 03000000 jnb 0070412D 0070412A 0FBFF1 movsx esi, cx 0070412D 50 push eax 0070412E 56 push esi 0070412F 66:81DB 130A sbb bx, 0A13 00704134 5E pop esi 00704135 8F0417 pop dword ptr [edi+edx] 00704138 0F85 15000000 jnz 00704153 0070413E E8 09000000 call 0070414C 00704143 BD B20380B9 mov ebp, B98003B2 00704148 FE ??? ; 未知命令 00704149 5F pop edi 0070414A AC lods byte ptr [esi] 0070414B 75 68 jnz short 007041B5 0070414D 98 cwde 0070414E E0 51 loopdne short 007041A1 00704150 325E 5E xor bl, [esi+5E] 00704153 E9 08000000 jmp 00704160 00704158 B0 29 mov al, 29 0070415A AE scas byte ptr es:[edi] 0070415B 4F dec edi 0070415C DCE5 fsubr st(5), st 0070415E BA 6B83EA04 mov edx, 4EA836B 00704163 66:BB 74F0 mov bx, 0F074 00704167 81FA 90F8FFFF cmp edx, -770 0070416D 0F85 1E000000 jnz 00704191 00704173 66:81E6 5E69 and si, 695E 00704178 E9 3A000000 jmp 007041B7 0070417D 0C 55 or al, 55 0070417F 6A 5B push 5B 00704181 F8 clc 00704182 D136 sal dword ptr [esi], 1 00704184 37 aaa 00704185 A4 movs byte ptr es:[edi], byte ptr [esi> 00704186 0D C2D31009 or eax, 910D3C2 0070418B 0E push cs 0070418C 2F das 0070418D 3C C5 cmp al, 0C5 0070418F 1A4B 68 sbb cl, [ebx+68] 00704192 E6 A8 out 0A8, al 00704194 93 xchg eax, ebx 00704195 7D 0F jge short 007041A6 00704197 8A05 000000BE mov al, [BE000000] 0070419D 35 7CAA185E xor eax, 5E18AA7C 007041A2 ^ E9 58FFFFFF jmp 007040FF 007041A7 58 pop eax 007041A8 B1 96 mov cl, 96 007041AA 17 pop ss 007041AB 04 ED add al, 0ED 007041AD 22B3 70E96E0F and dh, [ebx+F6EE970] 007041B3 9C pushfd 007041B4 A5 movs dword ptr es:[edi], dword ptr [e> 007041B5 7A 2B jpe short 007041E2 007041B7 46 inc esi 007041B8 ^ E3 DB jecxz short 00704195 007041BA 6E outs dx, byte ptr es:[edi] 007041BB 69D6 D7BBC72B imul edx, esi, 2BC7BBD7 007041C1 C438 les edi, [eax] 007041C3 93 xchg eax, ebx 007041C4 CF iretd 007041C5 7F 7C jg short 00704243 007041C7 2F das 007041C8 A3 EC777BC6 mov [C67B77EC], eax 007041CD 07 pop es 007041CE 34 41 xor al, 41 007041D0 E7 DB out 0DB, eax 007041D2 6E outs dx, byte ptr es:[edi] 007041D3 69DA F3AF43FF imul ebx, edx, FF43AFF3 007041D9 AF scas dword ptr es:[edi] 007041DA EC in al, dx 007041DB DF53 1C fist word ptr [ebx+1C] 007041DE E0 2B loopdne short 0070420B 007041E0 F737 div dword ptr [edi] 007041E2 A4 movs byte ptr es:[edi], byte ptr [esi> 007041E3 78 4E js short 00704233 007041E5 96 xchg eax, esi 007041E6 CD C1 int 0C1 007041E8 8520 test [eax], esp 007041EA A0 613D5747 mov al, [47573D61] 007041EF B7 11 mov bh, 11 007041F1 92 xchg eax, edx 007041F2 BD 6097DBD6 mov ebp, D6DB9760 007041F7 04 91 add al, 91 007041F9 DB6E 78 fld tbyte ptr [esi+78] 007041FC 4E dec esi 007041FD 97 xchg eax, edi 007041FE C7 ??? ; 未知命令 007041FF - E9 5AE7F1AB jmp AC62295E 00704204 49 dec ecx 00704205 A9 3CA00D5D test eax, 5D0DA03C 0070420A 36:CE into 0070420C 90 nop 0070420D 37 aaa 0070420E 9B wait 0070420F - E9 82CBE850 jmp 51590D96 00704214 1E push ds 00704215 B3 8E mov bl, 8E 00704217 8310 B1 adc dword ptr [eax], -4F 0070421A 57 push edi 0070421B EE out dx, al 0070421C 5F pop edi 0070421D 1307 adc eax, [edi] 0070421F 2D 9B3121FD sub eax, FD21319B 00704224 E1 22 loopde short 00704248 00704226 D5 E4 aad 0E4 00704228 A9 6B751CCF test eax, CF1C756B 0070422D 5E pop esi 0070422E 5D pop ebp 0070422F 6F outs dx, dword ptr es:[edi] 00704230 19D9 sbb ecx, ebx 00704232 BD BBB9EA6E mov ebp, 6EEAB9BB 00704237 6997 093EB53D 0>imul edx, [edi+3DB53E09], B1A15206 00704241 D235 5DF56DCA sal byte ptr [CA6DF55D], cl 00704247 EC in al, dx 00704248 B8 DD7DE2EE mov eax, EEE27DDD 0070424D DB6E 69 fld tbyte ptr [esi+69] 00704250 1AAC50 8C90DB6E sbb ch, [eax+edx2+6EDB908C] 00704257 34 08 xor al, 8 00704259 2D 2510FC68 sub eax, 68FC1025 0070425E A9 BC6055FD test eax, FD5560BC 00704263 185411 D5 sbb [ecx+edx-2B], dl 00704267 16 push ss 00704268 51 push ecx 00704269 8A50 FC mov dl, [eax-4] 0070426C 97 xchg eax, edi 0070426D DB6E 00 fld tbyte ptr [esi] 00704270 2C D9 sub al, 0D9 00704272 59 pop ecx 00704273 AC lods byte ptr [esi] 00704274 50 push eax 00704275 C5AD 088481FA lds ebp, [ebp+FA818408] 0070427B B5 A7 mov ch, 0A7 0070427D DC77 01 fdiv qword ptr [edi+1] 00704280 8279 4D E8 cmp byte ptr [ecx+4D], -18 00704284 07 pop es 00704285 4C dec esp 00704286 FC cld 00704287 2C C2 sub al, 0C2 00704289 CC int3 0070428A 04 21 add al, 21 0070428C F5 cmc 0070428D 13F8 adc edi, eax 0070428F 3848 E7 cmp [eax-19], cl 00704292 024F 81 add cl, [edi-7F] 00704295 79 4D jns short 007042E4 00704297 00B3 794DE8A4 add [ebx+A4E84D79], dh 0070429D 238B 2D779757 and ecx, [ebx+5797772D] 007042A3 ^ 71 C3 jno short 00704268 007042A5 EE out dx, al 007042A6 ^ E2 D5 loopd short 0070427D 007042A8 58 pop eax 007042A9 1F pop ds 007042AA 2F das 007042AB ^ 78 AB js short 00704258 007042AD D6 salc 007042AE 3A5C17 F5 cmp bl, [edi+edx-B] 007042B2 9F lahf 007042B3 0F21 ??? ; 未知命令 007042B5 0268 EE add ch, [eax-12] 007042B8 A7 cmps dword ptr [esi], dword ptr es:[e> 007042B9 73 4D jnb short 00704308 007042BB E8 4882DF69 call 6A4FC508 007042C0 FB sti 007042C1 46 inc esi 007042C2 A7 cmps dword ptr [esi], dword ptr es:[e> 007042C3 7B 0E jpo short 007042D3 007042C5 E4 D6 in al, 0D6 007042C7 8D05 A67B5649 lea eax, [49567BA6] 007042CD E7 36 out 36, eax 007042CF ^ 7F AC jg short 0070427D 007042D1 7A 50 jpe short 00704323 007042D3 8605 82C22672 xchg [7226C282], al 007042D9 60 pushad 007042DA E5 62 in eax, 62 007042DC 04 3B add al, 3B 007042DE C2 16A5 retn 0A516 007042E1 98 cwde 007042E2 8E87 A7724DE8 mov es, [edi+E84D72A7] 007042E8 48 dec eax 007042E9 F9 stc 007042EA F9 stc 007042EB EE out dx, al 007042EC E8 2DB6F2D5 call D662F91E 007042F1 F2: prefix repne: 007042F2 ^ 70 A3 jo short 00704297 007042F4 2223 and ah, [ebx] 007042F6 30C7 xor bh, al 007042F8 CD 6C int 6C 007042FA 41 inc ecx 007042FB 86CF xchg bh, cl 007042FD 99 cdq 007042FE 15 3DCE7C65 adc eax, 657CCE3D 00704303 E2 48 loopd short 0070434D 00704305 79 5C jns short 00704363 00704307 67:B0 79 mov al, 79 0070430A 4D dec ebp 0070430B E8 A7AE4DE8 call E8BDF1B7 00704310 48 dec eax 00704311 B7 20 mov bh, 20 00704313 1B36 sbb esi, [esi] 00704315 1C 8C sbb al, 8C 00704317 FD std 00704318 F3: prefix rep: 00704319 1F pop ds 0070431A 98 cwde 0070431B E0 7E loopdne short 0070439B 0070431D A4 movs byte ptr es:[edi], byte ptr [esi> 0070431E 8445 BA test [ebp-46], al 00704321 27 daa 00704322 1081 17ADBC13 adc [ecx+13BCAD17], al 00704328 2B7D 4C sub edi, [ebp+4C] 0070432B E8 42C088D0 call D0F90372 00704330 8F ??? ; 未知命令 00704331 93 xchg eax, ebx 00704332 74 35 je short 00704369 00704334 CA D707 retf 7D7 00704337 B8 D73B6C9C mov eax, 9C6C3BD7 0070433C 93 xchg eax, ebx 0070433D CF iretd 0070433E A2 102E9CCF mov [CF9C2E10], al 00704343 FFA7 4F085631 jmp [edi+3156084F] 00704349 E5 6D in eax, 6D 0070434B 9F lahf 0070434C B6 40 mov dh, 40 0070434E 55 push ebp 0070434F DB5B A9 fistp dword ptr [ebx-57] 00704352 E6 77 out 77, al 00704354 BD 8882D0E3 mov ebp, E3D08288 00704359 A0 8817C4BC mov al, [BCC41788] 0070435E 20D5 and ch, dl 00704360 97 xchg eax, edi 00704361 841C56 test [esi+edx2], bl 00704364 56 push esi 00704365 58 pop eax 00704366 16 push ss 00704367 56 push esi 00704368 56 push esi 00704369 4F dec edi 0070436A BD 8313C54E mov ebp, 4EC51383 0070436F BF 97A0AA7B mov edi, 7BAAA097 00704374 B9 8CC6179D mov ecx, 9D17C68C 00704379 E8 E1F3C368 call 6934375F 0070437E CE into 0070437F 6A 56 push 56 00704381 4F dec edi 00704382 EA 8CA6B342 1A4>jmp far 4D1A:42B3A68C 00704389 45 inc ebp 0070438A 0856 56 or [esi+56], dl 0070438D F2: prefix repne: 0070438E 7F 73 jg short 00704403 00704390 4C dec esp 00704391 DD ??? ; 未知命令 00704392 6C ins byte ptr es:[edi], dx 00704393 4B dec ebx 00704394 70 5E jo short 007043F4 00704396 97 xchg eax, edi 00704397 55 push ebp 00704398 56 push esi 00704399 4F dec edi 0070439A 08D5 or ch, dl 0070439C AD lods dword ptr [esi] 0070439D 6B08 9E imul ecx, [eax], -62 007043A0 2BC0 sub eax, eax 007043A2 6F outs dx, dword ptr es:[edi] 007043A3 CD DC int 0DC 007043A5 85CD test ebp, ecx 007043A7 50 push eax 007043A8 C3 retn 007043A9 8588 F9B8A79F test [eax+9FA7B8F9], ecx 007043AF 57 push edi 007043B0 4E dec esi 007043B1 F4 hlt 007043B2 0F5656 91 orps xmm2, [esi-6F] 007043B6 9E sahf 007043B7 0FA50D FA0B0B5D shld [5D0B0BFA], ecx, cl 007043BE 118F 04261C94 adc [edi+941C2604], ecx 007043C4 ^ 78 C0 js short 00704386 007043C6 47 inc edi 007043C7 5A pop edx 007043C8 DBC0 fcmovnb st, st 007043CA F5 cmc 007043CB 61 popad 007043CC 4B dec ebx 007043CD 76 4A jbe short 00704419 007043CF C057 CE BD rcl byte ptr [edi-32], 0BD 007043D3 48 dec eax 007043D4 66:57 push di 007043D6 8BF2 mov esi, edx 007043D8 A2 93F864D6 mov [D664F893], al 007043DD 85DA test edx, ebx 007043DF EA 97406C5A 67A>jmp far A167:5A6C4097 007043E6 8E2A mov gs, [edx] 007043E8 D5 58 aad 58 007043EA 0856 56 or [esi+56], dl 007043ED 4F dec edi 007043EE 1D D9DA8D42 sbb eax, 428DDAD9 007043F3 F0:D7 lock xlat byte ptr [ebx+al] ; 不允许锁定前缀 007043F5 39E8 cmp eax, ebp 007043F7 C1A8 4E8E30FF 4>shr dword ptr [eax+FF308E4E], 4A 007043FE A6 cmps byte ptr [esi], byte ptr es:[edi> 007043FF DC46 79 fadd qword ptr [esi+79] 00704402 42 inc edx 00704403 D246 79 rol byte ptr [esi+79], cl 00704406 42 inc edx 00704407 C6 ??? ; 未知命令 00704408 79 79 jns short 00704483 0070440A 2A02 sub al, [edx] 0070440C 9B wait 0070440D 4A dec edx 0070440E A6 cmps byte ptr [esi], byte ptr es:[edi> 0070440F D5 71 aad 71 00704411 AD lods dword ptr [esi] 00704412 4D dec ebp 00704413 2066 0D and [esi+D], ah 00704416 2E:9A 502CA63D >call far 7D5F:3DA62C50 0070441E 6A 8B push -75 00704420 081F or [edi], bl 00704422 E7 A4 out 0A4, eax 00704424 F2:A7 repne cmps dword ptr es:[edi], dword p> 2006-7-7 21:33 0
iamcrackin 雪币： 235 活跃值： (12) 能力值： ( LV8，RANK：130 ) 在线值：发帖 43 回帖 169 粉丝 0 关注私信	iamcrackin 3 13 楼 OD载入后，Ctrl+B 输入 61空格75，直接就到了OEP,在55那行上，F2,F9,然后抓去映像，修复IAT,就OK了你的方法似乎很奇特，能说详细点吗？我输入61 75怎么到不了那里？？？ 2006-11-9 23:04 0
huainet 雪币： 201 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 6 粉丝 0 关注私信	huainet 14 楼努力学习中希望老鸟们多教教偶 2007-2-4 01:28 0
zhucheng 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 2 粉丝 0 关注私信	zhucheng 15 楼 0048A3BA 68 00000000 push 0 //程序运行到这时.显示的是l2wcrack.00470e48 0048A3BF C3 retn //返回入口点问题可能有点白痴,因为我是新手啊,就是"显示的是12wcrack.00460e48"是在哪个窗口显示的啊,我怎么找不到 2007-2-10 15:53 0
morose 雪币： 233 活跃值： (12) 能力值： ( LV2，RANK：10 ) 在线值：发帖 12 回帖 59 粉丝 0 关注私信	morose 16 楼用esp定律也可以脱呀 2007-2-11 10:48 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复