Trying to unpack a program. Checked it with PEiD and it says nothing was found.
A deep scan gives the following hint: UPX V2.00-V3.00 -> Markus Oberhumer & Laszlo Molnar & John Reiser [Overlay] *
Manual unpacking: loaded it in OD, pressed F8,
Register ESP 0012FFA4
EIP 0110FA21, both sets of numbers light up red. Right-click -> Follow in Dump
Then in the dump, on the first set of numbers at ESP 0012FFA4, set Breakpoint -> Hardware, on access -> Word
F9, then searching line by line; after six presses of F9 I end up here. Could an expert tell me what the next step is? Thanks, gurus!!
00CE0F00 8D85 64FEFFFF LEA EAX,DWORD PTR SS:[EBP-19C]
00CE0F06 E8 A14872FF CALL Easyfatt.004057AC
00CE0F0B 8D85 68FEFFFF LEA EAX,DWORD PTR SS:[EBP-198]
00CE0F11 BA 06000000 MOV EDX,6
00CE0F16 E8 B54872FF CALL Easyfatt.004057D0
00CE0F1B 8D45 80 LEA EAX,DWORD PTR SS:[EBP-80]
00CE0F1E BA 11000000 MOV EDX,11
00CE0F23 E8 A84872FF CALL Easyfatt.004057D0
00CE0F28 8D45 CC LEA EAX,DWORD PTR SS:[EBP-34]
00CE0F2B BA 08000000 MOV EDX,8
00CE0F30 E8 9B4872FF CALL Easyfatt.004057D0
00CE0F35 C3 RETN
00CE0F36 ^E9 8D4172FF JMP Easyfatt.004050C8
00CE0F3B ^EB C3 JMP SHORT Easyfatt.00CE0F00
00CE0F3D 5F POP EDI
00CE0F3E 5E POP ESI
00CE0F3F 5B POP EBX
00CE0F40 E8 CB4672FF CALL Easyfatt.00405610
00CE0F45 0000 ADD BYTE PTR DS:[EAX],AL
00CE0F47 0006 ADD BYTE PTR DS:[ESI],AL
00CE0F49 54 PUSH ESP
00CE0F4A 61 POPAD
00CE0F4B 68 6F6D6100 PUSH Easyfatt.00616D6F
00CE0F50 FFFF ??? ; Unknown command
00CE0F52 FFFF ??? ; Unknown command
00CE0F54 0D 0000003C OR EAX,3C000000
00CE0F59 46 INC ESI
00CE0F5A 75 6C JNZ SHORT Easyfatt.00CE0FC8
00CE0F5C 6C INS BYTE PTR ES:[EDI],DX ; I/O command
00CE0F5D 45 INC EBP
00CE0F5E 78 65 JS SHORT Easyfatt.00CE0FC5
00CE0F60 46 INC ESI
00CE0F61 6C INS BYTE PTR ES:[EDI],DX ; I/O command
00CE0F62 61 POPAD
00CE0F63 67:3E:0000 ADD BYTE PTR DS:[BX+SI],AL
00CE0F67 00FF ADD BH,BH
00CE0F69 FFFF ??? ; Unknown command
00CE0F6B FF0E DEC DWORD PTR DS:[ESI]
00CE0F6D 0000 ADD BYTE PTR DS:[EAX],AL
00CE0F6F 004461 6E ADD BYTE PTR DS:[ECX+6E],AL
00CE0F73 65:61 POPAD ; Superfluous prefix
00CE0F75 2045 61 AND BYTE PTR SS:[EBP+61],AL
00CE0F78 73 79 JNB SHORT Easyfatt.00CE0FF3
00CE0F7A 66:61 POPAW
00CE0F7C 74 74 JE SHORT Easyfatt.00CE0FF2
00CE0F7E 0000 ADD BYTE PTR DS:[EAX],AL
00CE0F80 FFFF ??? ; Unknown command
00CE0F82 FFFF ??? ; Unknown command
00CE0F84 0F0000 SLDT WORD PTR DS:[EAX]
00CE0F87 005C44 61 ADD BYTE PTR SS:[ESP+EAX*2+61],BL
00CE0F8B 6E OUTS DX,BYTE PTR ES:[EDI] ; I/O command
00CE0F8C 65:61 POPAD ; Superfluous prefix
00CE0F8E 5C POP ESP
00CE0F8F 45 INC EBP
00CE0F90 61 POPAD
00CE0F91 73 79 JNB SHORT Easyfatt.00CE100C
00CE0F93 66:61 POPAW
00CE0F95 74 74 JE SHORT Easyfatt.00CE100B
00CE0F97 00FF ADD BH,BH
00CE0F99 FFFF ??? ; Unknown command
00CE0F9B FF35 00000048 PUSH DWORD PTR DS:[48000000]
00CE0FA1 3A5C50 72 CMP BL,BYTE PTR DS:[EAX+EDX*2+72]
00CE0FA5 6F OUTS DX,DWORD PTR ES:[EDI] ; I/O command
00CE0FA6 67:65:74 74 JE SHORT Easyfatt.00CE101E ; Superfluous prefix
00CE0FAA 695C44 61 6E6561>IMUL EBX,DWORD PTR SS:[ESP+EAX*2+61],456>
00CE0FB2 61 POPAD
00CE0FB3 73 79 JNB SHORT Easyfatt.00CE102E
00CE0FB5 66:61 POPAW
00CE0FB7 74 74 JE SHORT Easyfatt.00CE102D
00CE0FB9 3230 XOR DH,BYTE PTR DS:[EAX]
00CE0FBB 3039 XOR BYTE PTR DS:[ECX],BH
00CE0FBD 5C POP ESP
00CE0FBE 41 INC ECX
00CE0FBF 70 70 JO SHORT Easyfatt.00CE1031
00CE0FC1 5F POP EDI
00CE0FC2 4D DEC EBP
00CE0FC3 61 POPAD
00CE0FC4 73 74 JNB SHORT Easyfatt.00CE103A
00CE0FC6 65:72 5C JB SHORT Easyfatt.00CE1025 ; Superfluous prefix
00CE0FC9 45 INC EBP
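The PEiD deep-scan verdict quoted above ("UPX ... [Overlay]") rests on static features of the file that can be checked before any debugger is opened. The following is an added example, not code from the original post or from UPX or PEiD: a small Python parser that reads the PE section table, flags the stock UPX layout (a virtual-only first section, entry point in a later section, "UPX" section names) and measures the trailing overlay. The build_sample_pe helper constructs a synthetic header so the check runs offline; the indicators are heuristics for the unmodified UPX stub and assume nothing about the poster's specific binary.

```python
import struct

def parse_pe(data):
    """Return (sections, entry_rva, overlay_bytes); sections = (name, vaddr, vsize, raw_ptr, raw_size)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]              # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    nsec, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    entry_rva = struct.unpack_from("<I", data, pe + 24 + 16)[0]   # AddressOfEntryPoint
    sec_off = pe + 24 + opt_size                                  # first IMAGE_SECTION_HEADER
    sections, data_end = [], 0
    for i in range(nsec):
        off = sec_off + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append((name, vaddr, vsize, rptr, rsize))
        data_end = max(data_end, rptr + rsize)               # end of the last mapped raw section
    return sections, entry_rva, max(0, len(data) - data_end)  # bytes past the sections = overlay

def upx_indicators(data):
    """Heuristics for the stock UPX layout; a renamed or patched stub will not match all of them."""
    sections, ep, overlay = parse_pe(data)
    hits = []
    if any(s[0].startswith("UPX") for s in sections):
        hits.append("UPX section names")
    if sections and sections[0][4] == 0 and sections[0][2] > 0:
        hits.append("first section is virtual-only (unpack destination)")
    ep_idx = next((i for i, s in enumerate(sections) if s[1] <= ep < s[1] + max(s[2], 1)), None)
    if ep_idx not in (None, 0):
        hits.append("entry point in section %d (%s)" % (ep_idx, sections[ep_idx][0]))
    if overlay:
        hits.append("overlay of %d bytes" % overlay)
    return hits

def build_sample_pe(sections, overlay=b""):
    """Constructed minimal PE32 (headers plus filler, no real code) for offline testing; entry = 2nd section."""
    pe, opt_size = 0x40, 0xE0
    hdr = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe)
    raw_start = pe + 24 + opt_size + 40 * len(sections)
    ep = sections[1][1] if len(sections) > 1 else sections[0][1]
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, ep).ljust(opt_size, b"\0")
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102) + opt
    body, ptr = b"", raw_start
    for name, vaddr, vsize, rsize in sections:         # (name, vaddr, vsize, raw_size)
        hdr += name.encode().ljust(8, b"\0") + struct.pack("<IIII", vsize, vaddr, rsize, ptr if rsize else 0) + b"\0" * 16
        body, ptr = body + b"\xCC" * rsize, ptr + rsize
    return hdr + body + overlay
```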