tElock 1.0 unpacking
Posted: 2005-7-29 12:42

【Author】Winter

【Author's e-mail】spsgeyro@gmail.com

【Group】[CZG][D.4s]

【Group homepage】http://www.5icrack.com

【Personal homepage】http://winternight.blogchina.com/

【Tools used】OD (DIY build), PEiD, ImpREC

【Operating system】Windows 2003

--------------------------------------------------------------------------------

【Software】QQ广告特工钻石版 2.8

【Download】http://www.qqmsg.com/download/qqmsgDMD2.8.exe

【Size】not large

【Difficulty】average

【Protection】tElock 1.0 (private) -> tE!

【Language】Microsoft Visual C++ 7.0 [Debug]

【Description】Ad Agent Diamond Edition 2.8 has been modified to match Tencent's latest restrictions, adding a time delay when adding and deleting friends, so the modified software no longer runs into timeouts. A single thread is not fast, but by increasing the number of QQ accounts logged in at the same time it still reaches more than 1200 mass messages an hour. Diamond Edition 2.8 switches the bundled QQ to the QQ2004 lite version, which uses far fewer system resources. An ordinary P3 700 machine can run 8 processes without trouble: just launch the desktop icon 8 times. On a good enough machine, sending with 10 or more at once is no problem. Existing customers please uninstall the old version completely and reinstall this program...

【Disclaimer】This is just for learning to unpack; please advise, masters.

【Purpose】Learning to unpack

--------------------------------------------------------------------------------

【Process】

Recently I saw a friend looking for a crack of this, so I grabbed it to take a look; a good chance to practice~

Downloaded and installed it, checked with PEiD: tElock 1.0. I had never unpacked this one, so I gave it a try, referring to fly's featured write-up on 看雪:

“tElock 0.9x-1.0x (private) anti-OllyDbg analysis and unpacking ―― BadCopyProV3_71_0727 KeyGen”.

Load it in OD; it stops here:
0048409D Q>^\E9 5EDFFFFF       JMP QQ广告特.00482000      //stops here
004840A2     0000              ADD BYTE PTR DS:[EAX],AL
004840A4     00A6 728626E5     ADD BYTE PTR DS:[ESI+E5268672],AH

Ignore the INT3s, single-step, and after the kernel32 exception press F9 to run; after the sixth time it exits, so there is anti-debugging. Since I wasn't confident about removing the anti-debug, I decided to live with it and carry on unpacking with the anti-debug left in place.

【Finding the import table (through the fog)】
Following the tutorial, arrive at the fourth exception:
00482DD9     F7F3              DIV EBX
00482DDB     85D2              TEST EDX,EDX
00482DDD     0F84 9A010000     JE QQ广告特.00482F7D

Next is finding the part that processes the import table; arrive here:
004835D3     8B95 63374000     MOV EDX,DWORD PTR SS:[EBP+403763]
004835D9     8BB5 53374000     MOV ESI,DWORD PTR SS:[EBP+403753]
004835DF     85F6              TEST ESI,ESI          //ESI points to the import table RVA; use D 004658A8 to view it
004835E1     0F84 2F040000     JE QQ广告特.00483A16

By rights, following fly's method, you would partial-dump with LordPE here and write the result into the unpacked file, but that didn't seem to work for this program. Looking for the reason, I found that the strings had been encrypted:
FgwBljbI}~yeo{{ubS       =>      GetFileAttributesA

Tracing on, find the decryption routine:
0048383F     53                PUSH EBX
00483840     33C0              XOR EAX,EAX
00483842     4B                DEC EBX
00483843     43                INC EBX
00483844     FEC4              INC AH
00483846     8A03              MOV AL,BYTE PTR DS:[EBX]
00483848     3023              XOR BYTE PTR DS:[EBX],AH
0048384A     3C 00             CMP AL,0
0048384C   ^ 75 F5             JNZ SHORT QQ广告特.00483843
0048384E     8803              MOV BYTE PTR DS:[EBX],AL
00483850     5B                POP EBX                     //the decrypted string appears here

Then single-step to here:
00483916     8BF8              MOV EDI,EAX        //this reveals the location of the decrypted string and the API address the program reads after unpacking
00483918     83E0 0F           AND EAX,0F
0048391B     50                PUSH EAX

As someone who had only just heard a little about unpacking, I could only fix it the dumbest way: collect every restored string at 00483850, then after unpacking fix them one by one by hand.
encrypted (seen at 48383F)       decrypted (seen at 483850)
FgwBljbI}~yeo{{ubS       =>      GetFileAttributesA
FgwBljb\`gn                      GetFileTime
RgwAwthzDeoi                     SetErrorMode
DzjpUthklyx                      ExitProcess
SvoQkqnfm                        RtlUnwind
FgwW|usmd^bahO|Vx~v@|{r          GetSystemTimeAsFileTime
FgwPlkbNfxfmyO                   GetTimeFormatA
Fgw@drbNfxfmyO                   GetDateFormatA
IgbtDjkgj                        HeapAlloc
IgbtCtbm                         HeapFree
                                 VirtualProtect
WkqppgkIefdo                     VirtualAlloc
FgwW|usmdCejb                    GetSystemInfo
WkqppgkY|oyu                     VirtualQuery
堆栈 [0012FF9C]=004668F4 (QQ广告特.004668F4), ASCII "GetStartupInfoA"
堆栈 [0012FF9C]=00466906 (QQ广告特.00466906), ASCII "GetCommandLineA"
堆栈 [0012FF9C]=00466918 (QQ广告特.00466918), ASCII "HeapReAlloc"
堆栈 [0012FF9C]=00466926 (QQ广告特.00466926), ASCII "SetStdHandle"
堆栈 [0012FF9C]=00466936 (QQ广告特.00466936), ASCII "GetFileType"
堆栈 [0012FF9C]=00466944 (QQ广告特.00466944), ASCII "ExitThread"
堆栈 [0012FF9C]=00466952 (QQ广告特.00466952), ASCII "CreateThread"
堆栈 [0012FF9C]=00466962 (QQ广告特.00466962), ASCII "HeapSize"
堆栈 [0012FF9C]=00466988 (QQ广告特.00466988), ASCII "GetTimeZoneInformation"
堆栈 [0012FF9C]=004669A2 (QQ广告特.004669A2), ASCII "GetStringTypeA"
堆栈 [0012FF9C]=004669B4 (QQ广告特.004669B4), ASCII "GetStringTypeW"
堆栈 [0012FF9C]=004669C6 (QQ广告特.004669C6), ASCII "HeapDestroy"
堆栈 [0012FF9C]=004669D4 (QQ广告特.004669D4), ASCII "HeapCreate"
堆栈 [0012FF9C]=004669E2 (QQ广告特.004669E2), ASCII "VirtualFree"
堆栈 [0012FF9C]=004669F0 (QQ广告特.004669F0), ASCII "IsBadWritePtr"
堆栈 [0012FF9C]=00466A00 (QQ广告特.00466A00), ASCII "GetStdHandle"
堆栈 [0012FF9C]=00466A10 (QQ广告特.00466A10), ASCII "UnhandledExceptionFilter"
堆栈 [0012FF9C]=00466A2C (QQ广告特.00466A2C), ASCII "FreeEnvironmentStringsA"
堆栈 [0012FF9C]=00466A46 (QQ广告特.00466A46), ASCII "GetEnvironmentStrings"
堆栈 [0012FF9C]=00466A5E (QQ广告特.00466A5E), ASCII "FreeEnvironmentStringsW"
堆栈 [0012FF9C]=00466A78 (QQ广告特.00466A78), ASCII "GetEnvironmentStringsW"
堆栈 [0012FF9C]=00466A92 (QQ广告特.00466A92), ASCII "SetHandleCount"
堆栈 [0012FF9C]=00466AA4 (QQ广告特.00466AA4), ASCII "SetUnhandledExceptionFilter"
堆栈 [0012FF9C]=00466AC2 (QQ广告特.00466AC2), ASCII "GetDriveTypeA"
堆栈 [0012FF9C]=00466AD2 (QQ广告特.00466AD2), ASCII "LCMapStringA"
堆栈 [0012FF9C]=00466AE2 (QQ广告特.00466AE2), ASCII "LCMapStringW"
堆栈 [0012FF9C]=00466AF2 (QQ广告特.00466AF2), ASCII "IsBadReadPtr"
堆栈 [0012FF9C]=00466B02 (QQ广告特.00466B02), ASCII "IsBadCodePtr"
堆栈 [0012FF9C]=00466B12 (QQ广告特.00466B12), ASCII "SetEnvironmentVariableA"
堆栈 [0012FF9C]=00466802 (QQ广告特.00466802), ASCII "GetOEMCP"
堆栈 [0012FF9C]=004667F6 (QQ广告特.004667F6), ASCII "GetCPInfo"
堆栈 [0012FF9C]=004667EC (QQ广告特.004667EC), ASCII "TlsFree"
堆栈 [0012FF9C]=004667DC (QQ广告特.004667DC), ASCII "LocalReAlloc"
堆栈 [0012FF9C]=004667CE (QQ广告特.004667CE), ASCII "TlsSetValue"
堆栈 [0012FF9C]=004667C2 (QQ广告特.004667C2), ASCII "TlsAlloc"
堆栈 [0012FF9C]=004667B4 (QQ广告特.004667B4), ASCII "TlsGetValue"
堆栈 [0012FF9C]=0046679C (QQ广告特.0046679C), ASCII "EnterCriticalSection"
堆栈 [0012FF9C]=0046678C (QQ广告特.0046678C), ASCII "GlobalHandle"
堆栈 [0012FF9C]=0046677C (QQ广告特.0046677C), ASCII "GlobalReAlloc"
堆栈 [0012FF9C]=00466764 (QQ广告特.00466764), ASCII "LeaveCriticalSection"
堆栈 [0012FF9C]=00466756 (QQ广告特.00466756), ASCII "LocalAlloc"
堆栈 [0012FF9C]=00466748 (QQ广告特.00466748), ASCII "GlobalFlags"
堆栈 [0012FF9C]=00466730 (QQ广告特.00466730), ASCII "DeleteCriticalSection"
堆栈 [0012FF9C]=00466714 (QQ广告特.00466714), ASCII "InitializeCriticalSection"
堆栈 [0012FF9C]=00466702 (QQ广告特.00466702), ASCII "RaiseException"
堆栈 [0012FF9C]=004666F2 (QQ广告特.004666F2), ASCII "CreateEventA"
堆栈 [0012FF9C]=004666E2 (QQ广告特.004666E2), ASCII "SuspendThread"
堆栈 [0012FF9C]=004666D6 (QQ广告特.004666D6), ASCII "SetEvent"
堆栈 [0012FF9C]=004666C0 (QQ广告特.004666C0), ASCII "WaitForSingleObject"
堆栈 [0012FF9C]=004666B0 (QQ广告特.004666B0), ASCII "ResumeThread"
堆栈 [0012FF9C]=0046669C (QQ广告特.0046669C), ASCII "SetThreadPriority"
堆栈 [0012FF9C]=00466688 (QQ广告特.00466688), ASCII "GetFullPathNameA"
堆栈 [0012FF9C]=00466674 (QQ广告特.00466674), ASCII "GetCurrentProcess"
堆栈 [0012FF9C]=00466662 (QQ广告特.00466662), ASCII "DuplicateHandle"
堆栈 [0012FF9C]=00466654 (QQ广告特.00466654), ASCII "GetFileSize"
堆栈 [0012FF9C]=00466644 (QQ广告特.00466644), ASCII "SetEndOfFile"
堆栈 [0012FF9C]=00466636 (QQ广告特.00466636), ASCII "UnlockFile"
堆栈 [0012FF9C]=0046662A (QQ广告特.0046662A), ASCII "LockFile"
堆栈 [0012FF9C]=00466616 (QQ广告特.00466616), ASCII "FlushFileBuffers"
堆栈 [0012FF9C]=00466604 (QQ广告特.00466604), ASCII "SetFilePointer"
堆栈 [0012FF9C]=004665F8 (QQ广告特.004665F8), ASCII "WriteFile"
堆栈 [0012FF9C]=004665EC (QQ广告特.004665EC), ASCII "ReadFile"
堆栈 [0012FF9C]=004665D8 (QQ广告特.004665D8), ASCII "GetCurrentThread"
堆栈 [0012FF9C]=004665CC (QQ广告特.004665CC), ASCII "lstrcmpA"
堆栈 [0012FF9C]=004665B4 (QQ广告特.004665B4), ASCII "ConvertDefaultLocale"
堆栈 [0012FF9C]=0046659A (QQ广告特.0046659A), ASCII "EnumResourceLanguagesA"
堆栈 [0012FF9C]=0046658E (QQ广告特.0046658E), ASCII "lstrcpyA"
堆栈 [0012FF9C]=0046657C (QQ广告特.0046657C), ASCII "FindFirstFileA"
堆栈 [0012FF9C]=00466562 (QQ广告特.00466562), ASCII "FileTimeToLocalFileTime"
堆栈 [0012FF9C]=0046654A (QQ广告特.0046654A), ASCII "FileTimeToSystemTime"
堆栈 [0012FF9C]=0046653A (QQ广告特.0046653A), ASCII "FindNextFileA"
堆栈 [0012FF9C]=0046652E (QQ广告特.0046652E), ASCII "FindClose"
堆栈 [0012FF9C]=00466518 (QQ广告特.00466518), ASCII "GetCurrentThreadId"
堆栈 [0012FF9C]=00466502 (QQ广告特.00466502), ASCII "GlobalGetAtomNameA"
堆栈 [0012FF9C]=004664F0 (QQ广告特.004664F0), ASCII "GlobalAddAtomA"
堆栈 [0012FF9C]=004664DE (QQ广告特.004664DE), ASCII "GlobalFindAtomA"
堆栈 [0012FF9C]=004664CA (QQ广告特.004664CA), ASCII "GlobalDeleteAtom"
堆栈 [0012FF9C]=004664BA (QQ广告特.004664BA), ASCII "LoadLibraryA"
堆栈 [0012FF9C]=004664AC (QQ广告特.004664AC), ASCII "FreeLibrary"
堆栈 [0012FF9C]=004664A0 (QQ广告特.004664A0), ASCII "lstrcatA"
堆栈 [0012FF9C]=00466494 (QQ广告特.00466494), ASCII "lstrcmpW"
堆栈 [0012FF9C]=00466480 (QQ广告特.00466480), ASCII "GetModuleHandleA"
堆栈 [0012FF9C]=0046646E (QQ广告特.0046646E), ASCII "GetProcAddress"
堆栈 [0012FF9C]=0046645E (QQ广告特.0046645E), ASCII "SetLastError"
堆栈 [0012FF9C]=00466454 (QQ广告特.00466454), ASCII "MulDiv"
堆栈 [0012FF9C]=00466442 (QQ广告特.00466442), ASCII "FormatMessageA"
堆栈 [0012FF9C]=00466436 (QQ广告特.00466436), ASCII "lstrcpynA"
堆栈 [0012FF9C]=00466428 (QQ广告特.00466428), ASCII "GlobalFree"
堆栈 [0012FF9C]=00466418 (QQ广告特.00466418), ASCII "FreeResource"
堆栈 [0012FF9C]=00466406 (QQ广告特.00466406), ASCII "CompareStringW"
堆栈 [0012FF9C]=004663F4 (QQ广告特.004663F4), ASCII "CompareStringA"
堆栈 [0012FF9C]=004663E8 (QQ广告特.004663E8), ASCII "lstrcmpiA"
堆栈 [0012FF9C]=004663DA (QQ广告特.004663DA), ASCII "GetVersion"
堆栈 [0012FF9C]=004663BC (QQ广告特.004663BC), ASCII "WritePrivateProfileStringA"
堆栈 [0012FF9C]=004663AA (QQ广告特.004663AA), ASCII "VirtualAllocEx"
堆栈 [0012FF9C]=00466394 (QQ广告特.00466394), ASCII "WriteProcessMemory"
堆栈 [0012FF9C]=00466380 (QQ广告特.00466380), ASCII "ReadProcessMemory"
堆栈 [0012FF9C]=00466370 (QQ广告特.00466370), ASCII "VirtualFreeEx"
堆栈 [0012FF9C]=0046635E (QQ广告特.0046635E), ASCII "CreateProcessA"
堆栈 [0012FF9C]=0046634A (QQ广告特.0046634A), ASCII "CreateDirectoryA"
堆栈 [0012FF9C]=0046633E (QQ广告特.0046633E), ASCII "CopyFileA"
堆栈 [0012FF9C]=00466330 (QQ广告特.00466330), ASCII "CreateFileA"
堆栈 [0012FF9C]=0046631E (QQ广告特.0046631E), ASCII "DeviceIoControl"
堆栈 [0012FF9C]=0046630A (QQ广告特.0046630A), ASCII "RemoveDirectoryA"
堆栈 [0012FF9C]=004662FA (QQ广告特.004662FA), ASCII "GetTickCount"
堆栈 [0012FF9C]=004662E2 (QQ广告特.004662E2), ASCII "GetVolumeInformationA"
堆栈 [0012FF9C]=004662CA (QQ广告特.004662CA), ASCII "GetPrivateProfileIntA"
堆栈 [0012FF9C]=004662AE (QQ广告特.004662AE), ASCII "GetPrivateProfileStringA"
堆栈 [0012FF9C]=004662A0 (QQ广告特.004662A0), ASCII "GlobalAlloc"
堆栈 [0012FF9C]=00466292 (QQ广告特.00466292), ASCII "GlobalLock"
堆栈 [0012FF9C]=00466282 (QQ广告特.00466282), ASCII "GlobalUnlock"
堆栈 [0012FF9C]=0046627A (QQ广告特.0046627A), ASCII "Sleep"
堆栈 [0012FF9C]=00466262 (QQ广告特.00466262), ASCII "InterlockedIncrement"
堆栈 [0012FF9C]=0046624C (QQ广告特.0046624C), ASCII "GetExitCodeProcess"
堆栈 [0012FF9C]=0046623A (QQ广告特.0046623A), ASCII "TerminateThread"
堆栈 [0012FF9C]=00466224 (QQ广告特.00466224), ASCII "GetModuleFileNameA"
堆栈 [0012FF9C]=00466208 (QQ广告特.00466208), ASCII "CreateToolhelp32Snapshot"
堆栈 [0012FF9C]=004661F6 (QQ广告特.004661F6), ASCII "Process32First"
堆栈 [0012FF9C]=004661E0 (QQ广告特.004661E0), ASCII "GetCurrentProcessId"
堆栈 [0012FF9C]=004661D2 (QQ广告特.004661D2), ASCII "OpenProcess"
堆栈 [0012FF9C]=004661C2 (QQ广告特.004661C2), ASCII "Process32Next"
堆栈 [0012FF9C]=004661B4 (QQ广告特.004661B4), ASCII "CloseHandle"
堆栈 [0012FF9C]=004661A0 (QQ广告特.004661A0), ASCII "TerminateProcess"
堆栈 [0012FF9C]=00466188 (QQ广告特.00466188), ASCII "GetCurrentDirectoryA"
堆栈 [0012FF9C]=0046617A (QQ广告特.0046617A), ASCII "DeleteFileA"
堆栈 [0012FF9C]=00466162 (QQ广告特.00466162), ASCII "SetCurrentDirectoryA"
堆栈 [0012FF9C]=00466156 (QQ广告特.00466156), ASCII "MoveFileA"
堆栈 [0012FF9C]=0046614A (QQ广告特.0046614A), ASCII "lstrlenA"
堆栈 [0012FF9C]=00466134 (QQ广告特.00466134), ASCII "MultiByteToWideChar"
堆栈 [0012FF9C]=00466124 (QQ广告特.00466124), ASCII "GetLastError"
堆栈 [0012FF9C]=0046610C (QQ广告特.0046610C), ASCII "InterlockedDecrement"
堆栈 [0012FF9C]=004660F6 (QQ广告特.004660F6), ASCII "WideCharToMultiByte"
堆栈 [0012FF9C]=004660EA (QQ广告特.004660EA), ASCII "LocalFree"
堆栈 [0012FF9C]=004660DA (QQ广告特.004660DA), ASCII "FindResourceA"
堆栈 [0012FF9C]=004660CA (QQ广告特.004660CA), ASCII "LoadResource"
堆栈 [0012FF9C]=004660BA (QQ广告特.004660BA), ASCII "LockResource"
堆栈 [0012FF9C]=004660A8 (QQ广告特.004660A8), ASCII "SizeofResource"
堆栈 [0012FF9C]=00466098 (QQ广告特.00466098), ASCII "GetVersionExA"
堆栈 [0012FF9C]=00466086 (QQ广告特.00466086), ASCII "GetThreadLocale"
堆栈 [0012FF9C]=00466074 (QQ广告特.00466074), ASCII "GetLocaleInfoA"
堆栈 [0012FF9C]=0046606A (QQ广告特.0046606A), ASCII "GetACP"
堆栈 [0012FF9C]=0046696E (QQ广告特.0046696E), ASCII "QueryPerformanceCounter"
堆栈 [0012FF9C]=00466054 (QQ广告特.00466054), ASCII "InterlockedExchange"
堆栈 [0012FF9C]=00467442 (QQ广告特.00467442), ASCII "GetNextDlgGroupItem"
堆栈 [0012FF9C]=00467458 (QQ广告特.00467458), ASCII "MessageBeep"
堆栈 [0012FF9C]=00467466 (QQ广告特.00467466), ASCII "GetDCEx"
堆栈 [0012FF9C]=00467470 (QQ广告特.00467470), ASCII "LockWindowUpdate"
堆栈 [0012FF9C]=00467484 (QQ广告特.00467484), ASCII "SetParent"
堆栈 [0012FF9C]=004673CE (QQ广告特.004673CE), ASCII "ReleaseCapture"
堆栈 [0012FF9C]=004673C0 (QQ广告特.004673C0), ASCII "SetCapture"
堆栈 [0012FF9C]=004673B2 (QQ广告特.004673B2), ASCII "LoadCursorA"
堆栈 [0012FF9C]=0046739E (QQ广告特.0046739E), ASCII "GetSysColorBrush"
堆栈 [0012FF9C]=0046738C (QQ广告特.0046738C), ASCII "WindowFromPoint"
堆栈 [0012FF9C]=0046737E (QQ广告特.0046737E), ASCII "DestroyMenu"
堆栈 [0012FF9C]=00467370 (QQ广告特.00467370), ASCII "InflateRect"
堆栈 [0012FF9C]=00467364 (QQ广告特.00467364), ASCII "EndPaint"
堆栈 [0012FF9C]=00467356 (QQ广告特.00467356), ASCII "BeginPaint"
堆栈 [0012FF9C]=00467348 (QQ广告特.00467348), ASCII "GetWindowDC"
堆栈 [0012FF9C]=00467336 (QQ广告特.00467336), ASCII "ClientToScreen"
堆栈 [0012FF9C]=00467328 (QQ广告特.00467328), ASCII "GrayStringA"
堆栈 [0012FF9C]=0046731A (QQ广告特.0046731A), ASCII "DrawTextExA"
堆栈 [0012FF9C]=0046730E (QQ广告特.0046730E), ASCII "DrawTextA"
堆栈 [0012FF9C]=004672FC (QQ广告特.004672FC), ASCII "TabbedTextOutA"
堆栈 [0012FF9C]=004672EE (QQ广告特.004672EE), ASCII "GetMessageA"
堆栈 [0012FF9C]=004672DA (QQ广告特.004672DA), ASCII "TranslateMessage"
堆栈 [0012FF9C]=004672CA (QQ广告特.004672CA), ASCII "ValidateRect"
堆栈 [0012FF9C]=004672BE (QQ广告特.004672BE), ASCII "SetCursor"
堆栈 [0012FF9C]=004672A4 (QQ广告特.004672A4), ASCII "SetWindowContextHelpId"
堆栈 [0012FF9C]=00467294 (QQ广告特.00467294), ASCII "MapDialogRect"
堆栈 [0012FF9C]=00467278 (QQ广告特.00467278), ASCII "RegisterClipboardFormatA"
堆栈 [0012FF9C]=00467268 (QQ广告特.00467268), ASCII "SetRectEmpty"
堆栈 [0012FF9C]=0046725C (QQ广告特.0046725C), ASCII "IsZoomed"
堆栈 [0012FF9C]=0046724A (QQ广告特.0046724A), ASCII "PostQuitMessage"
堆栈 [0012FF9C]=0046723E (QQ广告特.0046723E), ASCII "wsprintfA"
堆栈 [0012FF9C]=00467228 (QQ广告特.00467228), ASCII "SetMenuItemBitmaps"
堆栈 [0012FF9C]=0046721A (QQ广告特.0046721A), ASCII "ModifyMenuA"
堆栈 [0012FF9C]=00467208 (QQ广告特.00467208), ASCII "EnableMenuItem"
堆栈 [0012FF9C]=004671F8 (QQ广告特.004671F8), ASCII "CheckMenuItem"
堆栈 [0012FF9C]=004671DA (QQ广告特.004671DA), ASCII "GetMenuCheckMarkDimensions"
堆栈 [0012FF9C]=004671CE (QQ广告特.004671CE), ASCII "ReleaseDC"
堆栈 [0012FF9C]=004671C6 (QQ广告特.004671C6), ASCII "GetDC"
堆栈 [0012FF9C]=004671AC (QQ广告特.004671AC), ASCII "RegisterWindowMessageA"
堆栈 [0012FF9C]=004671A0 (QQ广告特.004671A0), ASCII "WinHelpA"
堆栈 [0012FF9C]=00467192 (QQ广告特.00467192), ASCII "GetCapture"
堆栈 [0012FF9C]=0046716C (QQ广告特.0046716C), ASCII "SetWindowsHookExA"
堆栈 [0012FF9C]=0046715A (QQ广告特.0046715A), ASCII "CallNextHookEx"
堆栈 [0012FF9C]=0046714A (QQ广告特.0046714A), ASCII "GetClassLongA"
堆栈 [0012FF9C]=00467138 (QQ广告特.00467138), ASCII "GetClassInfoExA"
堆栈 [0012FF9C]=0046712C (QQ广告特.0046712C), ASCII "SetPropA"
堆栈 [0012FF9C]=00467120 (QQ广告特.00467120), ASCII "GetPropA"
堆栈 [0012FF9C]=00467112 (QQ广告特.00467112), ASCII "RemovePropA"
堆栈 [0012FF9C]=00467108 (QQ广告特.00467108), ASCII "IsChild"
堆栈 [0012FF9C]=004670F2 (QQ广告特.004670F2), ASCII "GetForegroundWindow"
堆栈 [0012FF9C]=004670DC (QQ广告特.004670DC), ASCII "GetLastActivePopup"
堆栈 [0012FF9C]=004670C8 (QQ广告特.004670C8), ASCII "DispatchMessageA"
堆栈 [0012FF9C]=004670B2 (QQ广告特.004670B2), ASCII "BeginDeferWindowPos"
堆栈 [0012FF9C]=0046709E (QQ广告特.0046709E), ASCII "EndDeferWindowPos"
堆栈 [0012FF9C]=0046708E (QQ广告特.0046708E), ASCII "GetTopWindow"
堆栈 [0012FF9C]=00467078 (QQ广告特.00467078), ASCII "UnhookWindowsHookEx"
堆栈 [0012FF9C]=00467066 (QQ广告特.00467066), ASCII "GetMessageTime"
堆栈 [0012FF9C]=00467056 (QQ广告特.00467056), ASCII "GetMessagePos"
堆栈 [0012FF9C]=00467432 (QQ广告特.00467432), ASCII "InvalidateRgn"
堆栈 [0012FF9C]=00467034 (QQ广告特.00467034), ASCII "MapWindowPoints"
堆栈 [0012FF9C]=00467026 (QQ广告特.00467026), ASCII "MessageBoxA"
堆栈 [0012FF9C]=00467014 (QQ广告特.00467014), ASCII "TrackPopupMenu"
堆栈 [0012FF9C]=00467006 (QQ广告特.00467006), ASCII "GetKeyState"
堆栈 [0012FF9C]=00466FF6 (QQ广告特.00466FF6), ASCII "UpdateWindow"
堆栈 [0012FF9C]=00466FEC (QQ广告特.00466FEC), ASCII "GetMenu"
堆栈 [0012FF9C]=00466FD6 (QQ广告特.00466FD6), ASCII "AdjustWindowRectEx"
堆栈 [0012FF9C]=00466FC4 (QQ广告特.00466FC4), ASCII "ScreenToClient"
堆栈 [0012FF9C]=00466FB8 (QQ广告特.00466FB8), ASCII "EqualRect"
堆栈 [0012FF9C]=00466FA6 (QQ广告特.00466FA6), ASCII "DeferWindowPos"
堆栈 [0012FF9C]=00466F96 (QQ广告特.00466F96), ASCII "GetClassInfoA"
堆栈 [0012FF9C]=00466F84 (QQ广告特.00466F84), ASCII "RegisterClassA"
堆栈 [0012FF9C]=00466F70 (QQ广告特.00466F70), ASCII "UnregisterClassA"
堆栈 [0012FF9C]=00466F5E (QQ广告特.00466F5E), ASCII "DefWindowProcA"
堆栈 [0012FF9C]=00466F4C (QQ广告特.00466F4C), ASCII "CallWindowProcA"
堆栈 [0012FF9C]=00466F3E (QQ广告特.00466F3E), ASCII "OffsetRect"
堆栈 [0012FF9C]=00466F2E (QQ广告特.00466F2E), ASCII "IntersectRect"
堆栈 [0012FF9C]=00466F16 (QQ广告特.00466F16), ASCII "SystemParametersInfoA"
堆栈 [0012FF9C]=00466F00 (QQ广告特.00466F00), ASCII "GetWindowPlacement"
堆栈 [0012FF9C]=00466EF4 (QQ广告特.00466EF4), ASCII "CopyRect"
堆栈 [0012FF9C]=00466B3A (QQ广告特.00466B3A), ASCII "GetClientRect"
堆栈 [0012FF9C]=00466B4A (QQ广告特.00466B4A), ASCII "EnableWindow"
堆栈 [0012FF9C]=00466B5A (QQ广告特.00466B5A), ASCII "SendMessageA"
堆栈 [0012FF9C]=00466B6A (QQ广告特.00466B6A), ASCII "CharUpperA"
堆栈 [0012FF9C]=00466B78 (QQ广告特.00466B78), ASCII "GetWindowThreadProcessId"
堆栈 [0012FF9C]=00466B94 (QQ广告特.00466B94), ASCII "GetWindow"
堆栈 [0012FF9C]=00466BA0 (QQ广告特.00466BA0), ASCII "LoadBitmapA"
堆栈 [0012FF9C]=00466BAE (QQ广告特.00466BAE), ASCII "DrawIcon"
堆栈 [0012FF9C]=00466BBA (QQ广告特.00466BBA), ASCII "GetSubMenu"
堆栈 [0012FF9C]=00466BC8 (QQ广告特.00466BC8), ASCII "LoadMenuA"
堆栈 [0012FF9C]=00466BD4 (QQ广告特.00466BD4), ASCII "IsIconic"
堆栈 [0012FF9C]=00467180 (QQ广告特.00467180), ASCII "CreateWindowExA"
堆栈 [0012FF9C]=00466BE0 (QQ广告特.00466BE0), ASCII "InvalidateRect"
堆栈 [0012FF9C]=00466BF2 (QQ广告特.00466BF2), ASCII "SetTimer"
堆栈 [0012FF9C]=00466EE8 (QQ广告特.00466EE8), ASCII "PtInRect"
堆栈 [0012FF9C]=00466ED0 (QQ广告特.00466ED0), ASCII "GetWindowTextLengthA"
堆栈 [0012FF9C]=00466EC4 (QQ广告特.00466EC4), ASCII "GetFocus"
堆栈 [0012FF9C]=00466EB4 (QQ广告特.00466EB4), ASCII "SetWindowPos"
堆栈 [0012FF9C]=00466EA8 (QQ广告特.00466EA8), ASCII "SetFocus"
堆栈 [0012FF9C]=00466E96 (QQ广告特.00466E96), ASCII "SetWindowLongA"
堆栈 [0012FF9C]=00466E84 (QQ广告特.00466E84), ASCII "SetWindowTextA"
堆栈 [0012FF9C]=00466E70 (QQ广告特.00466E70), ASCII "IsDialogMessageA"
堆栈 [0012FF9C]=00466E5A (QQ广告特.00466E5A), ASCII "SendDlgItemMessageA"
堆栈 [0012FF9C]=0046741A (QQ广告特.0046741A), ASCII "CopyAcceleratorTableA"
堆栈 [0012FF9C]=0046740C (QQ广告特.0046740C), ASCII "IsRectEmpty"
堆栈 [0012FF9C]=00467400 (QQ广告特.00467400), ASCII "CharNextA"
堆栈 [0012FF9C]=004673EA (QQ广告特.004673EA), ASCII "PostThreadMessageA"
堆栈 [0012FF9C]=004673E0 (QQ广告特.004673E0), ASCII "SetRect"
堆栈 [0012FF9C]=00466E4A (QQ广告特.00466E4A), ASCII "GetMenuState"
堆栈 [0012FF9C]=00466E3A (QQ广告特.00466E3A), ASCII "GetMenuItemID"
堆栈 [0012FF9C]=00466E26 (QQ广告特.00466E26), ASCII "GetMenuItemCount"
堆栈 [0012FF9C]=00466E12 (QQ广告特.00466E12), ASCII "GetDesktopWindow"
堆栈 [0012FF9C]=00466E00 (QQ广告特.00466E00), ASCII "GetActiveWindow"
堆栈 [0012FF9C]=00466DEE (QQ广告特.00466DEE), ASCII "SetActiveWindow"
堆栈 [0012FF9C]=00466DD0 (QQ广告特.00466DD0), ASCII "CreateDialogIndirectParamA"
堆栈 [0012FF9C]=00466DC0 (QQ广告特.00466DC0), ASCII "DestroyWindow"
堆栈 [0012FF9C]=00467046 (QQ广告特.00467046), ASCII "PeekMessageA"
堆栈 [0012FF9C]=00466BFE (QQ广告特.00466BFE), ASCII "KillTimer"
堆栈 [0012FF9C]=00466C0A (QQ广告特.00466C0A), ASCII "SetForegroundWindow"
堆栈 [0012FF9C]=00466C20 (QQ广告特.00466C20), ASCII "LoadIconA"
堆栈 [0012FF9C]=00466C2C (QQ广告特.00466C2C), ASCII "IsWindowVisible"
堆栈 [0012FF9C]=00466C3E (QQ广告特.00466C3E), ASCII "GetDlgCtrlID"
堆栈 [0012FF9C]=00466C4E (QQ广告特.00466C4E), ASCII "GetCursorPos"
堆栈 [0012FF9C]=00466C5E (QQ广告特.00466C5E), ASCII "GetSystemMetrics"
堆栈 [0012FF9C]=00466C72 (QQ广告特.00466C72), ASCII "PostMessageA"
堆栈 [0012FF9C]=00466C82 (QQ广告特.00466C82), ASCII "CloseClipboard"
堆栈 [0012FF9C]=00466C94 (QQ广告特.00466C94), ASCII "SetClipboardData"
堆栈 [0012FF9C]=00466CA8 (QQ广告特.00466CA8), ASCII "EmptyClipboard"
堆栈 [0012FF9C]=00466CBA (QQ广告特.00466CBA), ASCII "OpenClipboard"
堆栈 [0012FF9C]=00466CCA (QQ广告特.00466CCA), ASCII "GetParent"
堆栈 [0012FF9C]=00466CD6 (QQ广告特.00466CD6), ASCII "GetDlgItem"
堆栈 [0012FF9C]=00466CE4 (QQ广告特.00466CE4), ASCII "IsWindowEnabled"
堆栈 [0012FF9C]=00466CF6 (QQ广告特.00466CF6), ASCII "GetWindowTextA"
堆栈 [0012FF9C]=00466D08 (QQ广告特.00466D08), ASCII "ShowWindow"
堆栈 [0012FF9C]=00466D16 (QQ广告特.00466D16), ASCII "EnumChildWindows"
堆栈 [0012FF9C]=00466D2A (QQ广告特.00466D2A), ASCII "GetClassNameA"
堆栈 [0012FF9C]=00466D3A (QQ广告特.00466D3A), ASCII "EnumWindows"
堆栈 [0012FF9C]=00466D48 (QQ广告特.00466D48), ASCII "FindWindowA"
堆栈 [0012FF9C]=00466D56 (QQ广告特.00466D56), ASCII "GetSysColor"
堆栈 [0012FF9C]=00466D64 (QQ广告特.00466D64), ASCII "MoveWindow"
堆栈 [0012FF9C]=00466D72 (QQ广告特.00466D72), ASCII "GetWindowRect"
堆栈 [0012FF9C]=00466D82 (QQ广告特.00466D82), ASCII "EndDialog"
堆栈 [0012FF9C]=00466D8E (QQ广告特.00466D8E), ASCII "GetNextDlgTabItem"
堆栈 [0012FF9C]=00466DA2 (QQ广告特.00466DA2), ASCII "GetWindowLongA"
堆栈 [0012FF9C]=00466DB4 (QQ广告特.00466DB4), ASCII "IsWindow"
堆栈 [0012FF9C]=00467750 (QQ广告特.00467750), ASCII "SetRectRgn"
堆栈 [0012FF9C]=0046775E (QQ广告特.0046775E), ASCII "CombineRgn"
堆栈 [0012FF9C]=0046776C (QQ广告特.0046776C), ASCII "GetMapMode"
堆栈 [0012FF9C]=0046777A (QQ广告特.0046777A), ASCII "GetBkColor"
堆栈 [0012FF9C]=00467788 (QQ广告特.00467788), ASCII "GetTextColor"
堆栈 [0012FF9C]=00467798 (QQ广告特.00467798), ASCII "GetRgnBox"
堆栈 [0012FF9C]=0046773E (QQ广告特.0046773E), ASCII "GetStockObject"
堆栈 [0012FF9C]=00467728 (QQ广告特.00467728), ASCII "CreatePatternBrush"
堆栈 [0012FF9C]=00467714 (QQ广告特.00467714), ASCII "ExtSelectClipRgn"
堆栈 [0012FF9C]=00467700 (QQ广告特.00467700), ASCII "ScaleWindowExtEx"
堆栈 [0012FF9C]=004676EE (QQ广告特.004676EE), ASCII "SetWindowExtEx"
堆栈 [0012FF9C]=004676D8 (QQ广告特.004676D8), ASCII "ScaleViewportExtEx"
堆栈 [0012FF9C]=004676C4 (QQ广告特.004676C4), ASCII "SetViewportExtEx"
堆栈 [0012FF9C]=004676AE (QQ广告特.004676AE), ASCII "OffsetViewportOrgEx"
堆栈 [0012FF9C]=0046769A (QQ广告特.0046769A), ASCII "SetViewportOrgEx"
堆栈 [0012FF9C]=00467690 (QQ广告特.00467690), ASCII "Escape"
堆栈 [0012FF9C]=00467682 (QQ广告特.00467682), ASCII "ExtTextOutA"
堆栈 [0012FF9C]=00467676 (QQ广告特.00467676), ASCII "TextOutA"
堆栈 [0012FF9C]=00467668 (QQ广告特.00467668), ASCII "RectVisible"
堆栈 [0012FF9C]=0046765C (QQ广告特.0046765C), ASCII "PtVisible"
堆栈 [0012FF9C]=0046749C (QQ广告特.0046749C), ASCII "GetDeviceCaps"
堆栈 [0012FF9C]=0046764A (QQ广告特.0046764A), ASCII "GetWindowExtEx"
堆栈 [0012FF9C]=00467636 (QQ广告特.00467636), ASCII "GetViewportExtEx"
堆栈 [0012FF9C]=00467626 (QQ广告特.00467626), ASCII "CreateRectRgn"
堆栈 [0012FF9C]=00467616 (QQ广告特.00467616), ASCII "SelectClipRgn"
堆栈 [0012FF9C]=00467602 (QQ广告特.00467602), ASCII "IntersectClipRect"
堆栈 [0012FF9C]=004675F0 (QQ广告特.004675F0), ASCII "ExcludeClipRect"
堆栈 [0012FF9C]=004675E2 (QQ广告特.004675E2), ASCII "SetMapMode"
堆栈 [0012FF9C]=004675D6 (QQ广告特.004675D6), ASCII "RestoreDC"
堆栈 [0012FF9C]=004675CC (QQ广告特.004675CC), ASCII "SaveDC"
堆栈 [0012FF9C]=004675BE (QQ广告特.004675BE), ASCII "CreateFontA"
堆栈 [0012FF9C]=004675AE (QQ广告特.004675AE), ASCII "GetCharWidthA"
堆栈 [0012FF9C]=0046759E (QQ广告特.0046759E), ASCII "DeleteObject"
堆栈 [0012FF9C]=00467584 (QQ广告特.00467584), ASCII "CreateCompatibleBitmap"
堆栈 [0012FF9C]=0046756E (QQ广告特.0046756E), ASCII "CreateCompatibleDC"
堆栈 [0012FF9C]=0046755E (QQ广告特.0046755E), ASCII "StretchDIBits"
堆栈 [0012FF9C]=00467552 (QQ广告特.00467552), ASCII "DeleteDC"
堆栈 [0012FF9C]=0046753A (QQ广告特.0046753A), ASCII "GetTextExtentPoint32A"
堆栈 [0012FF9C]=00467528 (QQ广告特.00467528), ASCII "GetTextMetricsA"
堆栈 [0012FF9C]=00467518 (QQ广告特.00467518), ASCII "SelectObject"
堆栈 [0012FF9C]=00467508 (QQ广告特.00467508), ASCII "CreateBitmap"
堆栈 [0012FF9C]=004674FE (QQ广告特.004674FE), ASCII "PatBlt"
堆栈 [0012FF9C]=004674E6 (QQ广告特.004674E6), ASCII "CreateRectRgnIndirect"
堆栈 [0012FF9C]=004674D8 (QQ广告特.004674D8), ASCII "GetObjectA"
堆栈 [0012FF9C]=004674CA (QQ广告特.004674CA), ASCII "SetBkColor"
堆栈 [0012FF9C]=004674BA (QQ广告特.004674BA), ASCII "SetTextColor"
堆栈 [0012FF9C]=004674AC (QQ广告特.004674AC), ASCII "GetClipBox"
堆栈 [0012FF9C]=004677D6 (QQ广告特.004677D6), ASCII "GetFileTitleA"
堆栈 [0012FF9C]=004677C2 (QQ广告特.004677C2), ASCII "GetOpenFileNameA"
堆栈 [0012FF9C]=004677AE (QQ广告特.004677AE), ASCII "GetSaveFileNameA"
堆栈 [0012FF9C]=0046781A (QQ广告特.0046781A), ASCII "OpenPrinterA"
堆栈 [0012FF9C]=00467804 (QQ广告特.00467804), ASCII "DocumentPropertiesA"
堆栈 [0012FF9C]=004677F4 (QQ广告特.004677F4), ASCII "ClosePrinter"
堆栈 [0012FF9C]=00467846 (QQ广告特.00467846), ASCII "RegOpenKeyA"
堆栈 [0012FF9C]=00467854 (QQ广告特.00467854), ASCII "RegQueryValueExA"
堆栈 [0012FF9C]=00467868 (QQ广告特.00467868), ASCII "RegOpenKeyExA"
堆栈 [0012FF9C]=00467878 (QQ广告特.00467878), ASCII "RegDeleteKeyA"
堆栈 [0012FF9C]=00467888 (QQ广告特.00467888), ASCII "RegEnumKeyA"
堆栈 [0012FF9C]=00467896 (QQ广告特.00467896), ASCII "RegQueryValueA"
堆栈 [0012FF9C]=004678A8 (QQ广告特.004678A8), ASCII "RegCreateKeyExA"
堆栈 [0012FF9C]=004678BA (QQ广告特.004678BA), ASCII "RegSetValueExA"
堆栈 [0012FF9C]=00467838 (QQ广告特.00467838), ASCII "RegCloseKey"
堆栈 [0012FF9C]=004678EA (QQ广告特.004678EA), ASCII "Shell_NotifyIconA"
堆栈 [0012FF9C]=004678DA (QQ广告特.004678DA), ASCII "ShellExecuteA"
堆栈 [0012FF9C]=0046790A (QQ广告特.0046790A), ASCII "ImageList_AddMasked"
堆栈 [0012FF9C]=00467920 (QQ广告特.00467920), ASCII "ImageList_SetBkColor"
堆栈 [0012FF9C]=00467938 (QQ广告特.00467938), ASCII "ImageList_Destroy"
堆栈 [0012FF9C]=0046794C (QQ广告特.0046794C), ASCII "ImageList_Create"
堆栈 [0012FF9C]=00467984 (QQ广告特.00467984), ASCII "PathStripToRootA"
堆栈 [0012FF9C]=00467998 (QQ广告特.00467998), ASCII "PathIsUNCA"
堆栈 [0012FF9C]=0046796E (QQ广告特.0046796E), ASCII "PathFindExtensionA"
堆栈 [0012FF9C]=004679A6 (QQ广告特.004679A6), ASCII "PathFindFileNameA"
堆栈 [0012FF9C]=00467A36 (QQ广告特.00467A36), ASCII "OleUninitialize"
堆栈 [0012FF9C]=00467A24 (QQ广告特.00467A24), ASCII "CoTaskMemAlloc"
堆栈 [0012FF9C]=00467A48 (QQ广告特.00467A48), ASCII "CoFreeUnusedLibraries"
堆栈 [0012FF9C]=00467A14 (QQ广告特.00467A14), ASCII "CoTaskMemFree"
堆栈 [0012FF9C]=00467A02 (QQ广告特.00467A02), ASCII "CLSIDFromString"
堆栈 [0012FF9C]=004679F0 (QQ广告特.004679F0), ASCII "CLSIDFromProgID"
堆栈 [0012FF9C]=004679DC (QQ广告特.004679DC), ASCII "CoCreateInstance"
堆栈 [0012FF9C]=004679D2 (QQ广告特.004679D2), ASCII "OleRun"
堆栈 [0012FF9C]=00467A60 (QQ广告特.00467A60), ASCII "OleInitialize"
堆栈 [0012FF9C]=00467A70 (QQ广告特.00467A70), ASCII "CoGetClassObject"
堆栈 [0012FF9C]=00467A84 (QQ广告特.00467A84), ASCII "CoRevokeClassObject"
堆栈 [0012FF9C]=00467A9A (QQ广告特.00467A9A), ASCII "OleIsCurrentClipboard"
堆栈 [0012FF9C]=00467AB2 (QQ广告特.00467AB2), ASCII "OleFlushClipboard"
堆栈 [0012FF9C]=00467AC6 (QQ广告特.00467AC6), ASCII "CoRegisterMessageFilter"
堆栈 [0012FF9C]=00467B1E (QQ广告特.00467B1E), ASCII "CreateILockBytesOnHGlobal"
堆栈 [0012FF9C]=00467AFE (QQ广告特.00467AFE), ASCII "StgCreateDocfileOnILockBytes"
堆栈 [0012FF9C]=00467AE0 (QQ广告特.00467AE0), ASCII "StgOpenStorageOnILockBytes"
堆栈 [0012FF9C]=00467B52 (QQ广告特.00467B52), ASCII "GetAdaptersInfo"
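The decryption loop at 0048383F is small enough to reproduce outside the debugger, which makes the table above checkable and saves reading names off the stack one by one. The Python below is an added example (not part of the original post and not tElock's own code): it emulates that loop byte for byte, with the key being the 1-based position of each byte (AH is incremented before every byte and wraps at 0xFF), and it stops at the first byte whose encrypted value is 0, exactly as `CMP AL,0` does on the byte read before the XOR. The function names and the constructed sample block are my own; the encrypted strings used as inputs are the ones listed in the table.

```python
"""Emulate the tElock import-name decryption loop seen at 0048383F-00483850.

Added example for this write-up; the function names are the editor's own.
"""


def telock_decrypt_name(buf: bytes) -> bytes:
    """Decrypt one name, mirroring the loop in the listing:

        XOR EAX,EAX          ; AH = 0 (key), AL = 0
        DEC EBX
    loop:
        INC EBX              ; next byte
        INC AH               ; key = 1-based position (wraps at 0xFF)
        MOV AL,[EBX]         ; AL = the *encrypted* byte
        XOR [EBX],AH         ; decrypt in place
        CMP AL,0             ; stop when the encrypted byte was 0
        JNZ loop
        MOV [EBX],AL         ; write the 0 terminator back

    Returns the decrypted name without its terminator."""
    out = bytearray()
    key = 0
    for b in buf:
        key = (key + 1) & 0xFF       # INC AH wraps at 0xFF
        if b == 0:                   # CMP AL,0 looks at the encrypted byte
            return bytes(out)
        out.append(b ^ key)          # XOR [EBX],AH
    raise ValueError("no 0 terminator in buffer")


def telock_encrypt_name(name: bytes) -> bytes:
    """Inverse transform, included to show the scheme is a plain
    position-keyed XOR: applying the same key again recovers the input.
    The terminator stays a literal 0 byte, which is why a string scanner
    still finds a string end but garbage in front of it.  A name byte equal
    to its own key would encrypt to 0 and truncate the name; that cannot
    happen for the ASCII API names here (keys below 0x20 are control
    characters, and API names contain no spaces or control bytes)."""
    return bytes(b ^ ((i + 1) & 0xFF) for i, b in enumerate(name)) + b"\x00"


def decode_listing_entry(text: str) -> str:
    """Decode an entry as it appears in the write-up's table, where the
    terminator is not shown (e.g. 'FgwBljbI}~yeo{{ubS')."""
    return telock_decrypt_name(text.encode("latin-1") + b"\x00").decode("ascii")


def scan_name_block(block: bytes) -> list:
    """Walk a block of back-to-back encrypted names, the way the packer's
    loop is invoked once per import, and return the decoded names.  Handy
    for carving names out of a memory dump instead of breaking on 00483850
    once per function."""
    names = []
    pos = 0
    while pos < len(block):
        end = block.index(b"\x00", pos)
        names.append(telock_decrypt_name(block[pos:end + 1]).decode("ascii"))
        pos = end + 1
    return names


if __name__ == "__main__":
    # Pairs taken from the table in the write-up
    for enc in ("FgwBljbI}~yeo{{ubS", r"FgwBljb\`gn", "RgwAwthzDeoi"):
        print(f"{enc:28} => {decode_listing_entry(enc)}")
    # Constructed block: two names encrypted with the same scheme
    block = telock_encrypt_name(b"HeapAlloc") + telock_encrypt_name(b"ExitProcess")
    print(scan_name_block(block))
```

Note that the decryption is keyed only on position, so every name in the binary decrypts with the same routine; the `IgbtDjkgj`/`HeapAlloc` and `DzjpUthklyx`/`ExitProcess` rows of the table fall out of `telock_encrypt_name` directly.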

Then this can be set aside for a while as we go looking for the legendary "summit of light" (the OEP)~

【Getting the OEP the easy way】
Shift+F9 to the fifth exception:
00483B71     8DC0              LEA EAX,EAX        //look at the SEH on the stack; in the command line set bp 483b7f
00483B73     EB 01             JMP SHORT QQ广告特.00483B76
00483B75     EB 68             JMP SHORT QQ广告特.00483BDF

Shift+F9, remove the breakpoint, and single-step on.

00483C5C     E8 06000000       CALL QQ广告特.00483C67          //F7 into it
00483C61     8B6424 08         MOV ESP,DWORD PTR SS:[ESP+8]
00483C65     EB 0C             JMP SHORT QQ广告特.00483C73
00483C67     2BFF              SUB EDI,EDI                     //arrive here, pause a moment
00483C69     64:FF37           PUSH DWORD PTR FS:[EDI]
00483C6C     64:8927           MOV DWORD PTR FS:[EDI],ESP
00483C6F     FE07              INC BYTE PTR DS:[EDI]
00483C71   ^ EB E8             JMP SHORT QQ广告特.00483C5B
00483C73     83F8 60           CMP EAX,60
00483C76     E8 0B000000       CALL QQ广告特.00483C86
00483C7B     83E8 A5           SUB EAX,-5B
00483C7E     E9 0A000000       JMP QQ广告特.00483C8D
00483C83     83D8 29           SBB EAX,29
00483C86     C1F8 BB           SAR EAX,0BB
00483C89     C3                RETN                             //set a breakpoint here; after Shift+F9 remove it and single-step to the OEP

00483C38     61                POPAD
00483C39     E8 00000000       CALL QQ广告特.00483C3E
00483C3E     5A                POP EDX
00483C3F     81EA 0E000000     SUB EDX,0E
00483C45     57                PUSH EDI
00483C46     51                PUSH ECX
00483C47     33C0              XOR EAX,EAX
00483C49     8D3A              LEA EDI,DWORD PTR DS:[EDX]
00483C4B     B9 20000000       MOV ECX,20
00483C50     F3:AA             REP STOS BYTE PTR ES:[EDI]
00483C52     66:AB             STOS WORD PTR ES:[EDI]
00483C54     59                POP ECX
00483C55     5F                POP EDI
00483C56     C3                RETN                            //this returns to the OEP

00430E9A     6A 60             PUSH 60                         //dump here
00430E9C     68 40DD4500       PUSH QQ广告特.0045DD40
00430EA1     E8 4E1E0000       CALL QQ广告特.00432CF4
00430EA6     BF 94000000       MOV EDI,94
00430EAB     8BC7              MOV EAX,EDI

【Fixing the IAT】
Load it in ImpREC, enter OEP: 30E9A and auto-search; it finds n invalid pointers. Now go back to 00483916, set a breakpoint there, and fill in the functions one by one at the corresponding slots until all of them are valid. After fixing the dumped file it runs successfully. I hope the masters can show me a better way.

【Removing the anti-debug】
After unpacking, load it again: it still makes OD exit, so it isn't the packer's doing. A quick trace through the program shows it enumerates processes:
00404290    > /8A11            MOV DL,BYTE PTR DS:[ECX]
00404292    . |41              INC ECX
00404293    . |84D2            TEST DL,DL
00404295    .^\75 F9           JNZ SHORT Unpacked.00404290

Only one place needs changing:
0040430B    .^\0F85 5FFFFFFF   JNZ Unpacked.00404270       //NOP it out
--------------------------------------------------------------------------------

【Copyright】When reposting please credit the author and keep the article intact. Thanks.
Attachment: unpacked.fixed.rar

Latest replies (15)

#2
For tElock, if you use ImportREC to fix the import table, you can just patch the Magic Jmp after defeating the packer's checksum to bypass the import-table encryption.
2005-7-29 12:50

#3
Is the import-table encryption at this spot:
004835D3     8B95 63374000     MOV EDX,DWORD PTR SS:[EBP+403763]
004835D9     8BB5 53374000     MOV ESI,DWORD PTR SS:[EBP+403753]
004835DF     85F6              TEST ESI,ESI
004835E1     0F84 2F040000     JE QQ广告特.00483A16 //change this jump?
But with this tElock, after changing it the program seems to no longer run~
2005-7-29 12:53

#4
Use the 0.96 plugin.
2005-7-29 16:44

#5
My method doesn't work; the repair is incomplete.
2005-7-29 18:57

#6
Nice one. My PEiD identifies it as *Neolite 2.0 -> Neoworx Inc.*, so it's disguised.

PS: the attachment seems to be corrupted.
2005-7-29 20:16

#7
Heh, 游侠 is here too. The attachment seems fine on my end; I haven't tested across platforms. Install the original version and overwrite it with this, it should work. I'll go check on XP SP2 in a bit~
2005-7-29 20:24

#8
A problem with the archive?
2005-7-29 21:06

#9
Attachment: unpacked.zip
Try this one; things have been a bit off on my end these last couple of days~
2005-7-29 21:15

#10
Originally posted by Winter-Night
Attachment: unpacked.zip
Try this one; things have been a bit off on my end these last couple of days~

OK, solved.
Sorry for the trouble, bro.
I'll go take a look.
2005-7-29 21:23

#11
Yesterday I followed the tutorial to unpack a 0.98 one but it wouldn't run; unpacking it again with the ESP trick worked. Frustrating.
2005-7-30 13:46

#12
This tELock is a modified version; for the import-table handling see "tElock XXX unpacking".
If you want to use the original IAT, just patch it accordingly.

00483713    3A5408 FF        cmp dl,byte ptr ds:[eax+ecx-1]
00483717    74 E8            je short 00483701
00483719    3A5408 08        cmp dl,byte ptr ds:[eax+ecx+8]
0048371D    74 E2            je short 00483701
0048371F    3A5408 12        cmp dl,byte ptr ds:[eax+ecx+12]
00483723    74 DC            je short 00483701
00483725    3A5408 1D        cmp dl,byte ptr ds:[eax+ecx+1D]
00483729    74 D6            je short 00483701
0048372B    EB D0            jmp short 004836FD
//checks whether this is a DLL whose imports need encrypting
0048372D    0AF6             or dh,dh
0048372F    895424 1C        mov dword ptr ss:[esp+1C],edx
00483733    61               popad
00483734    C685 FD2F4000 00 mov byte ptr ss:[ebp+402FFD],0
0048373B    74 24            je short 00483761
//Magic Jump! change it to JMP ★

004839B0    8385 4F374000 04 add dword ptr ss:[ebp+40374F],4
004839B7    E9 B5FDFFFF      jmp 00483771
004839BC    83C6 14          add esi,14
004839BF    8B95 63374000    mov edx,dword ptr ss:[ebp+403763]
004839C5    E9 1FFCFFFF      jmp 004835E9
//loop processing the import table

00483A16    8BBD 5B374000  mov edi,dword ptr ss:[ebp+40375B]
//break here: import-table processing is complete
00483A1C    85FF           test edi,edi
00483A1E    EB 03          jmp short 00483A23

After patching the Magic Jump you get all the valid functions.

00430E9A    6A 60          push 60
//OEP
00430E9C    68 40DD4500    push 45DD40
00430EA1    E8 4E1E0000    call 00432CF4
00430EA6    BF 94000000    mov edi,94
00430EAB    8BC7           mov eax,edi
00430EAD    E8 6EE9FFFF    call 0042F820

OEP: 00030E9A
IATRVA: 00055000
IATSize: 000006A4
2005-7-30 16:05

#13
So that's it.
Learned something.
2005-7-30 16:27

#15
Originally posted by fly
This tELock is a modified version; for the import-table handling see "tElock XXX unpacking".
If you want to use the original IAT, just patch it accordingly.

00483713 3A5408 FF cmp dl,byte ptr ds:[eax+ecx-1]
00483717 74 E8 je short 00483701
........

Many thanks for the pointer, fly. The manual repair took me a whole afternoon and my eyes were swimming…………
This time I learned a simpler method; much obliged.
2005-7-30 16:36

#16
Nice, learned something..........
2005-7-30 18:38