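PEiD detects yoda's Protector v1.02 (.dll,.ocx) -> Ashkbiz Danehkar (h) [Overlay] *
Using the yoda's Protector v1.02 unpacker, it says the file was not packed with yoda's Protector v1.02
FastScanner v2.1 reports Sorry nothing found **
Loaded in OD, the code at the entry point is as follows: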
00401760 > $ 9C PUSHFD ; (Initial CPU selection)
00401761 . 60 PUSHAD
00401762 . 60 PUSHAD
00401763 . E8 00000000 CALL 公式搜集.00401768
00401768 $ 5E POP ESI
00401769 . 81C6 C3000000 ADD ESI,0C3
0040176F . 56 PUSH ESI
00401770 . 64:67:FF36 00>PUSH DWORD PTR FS:[0]
00401776 . 64:67:8926 00>MOV DWORD PTR FS:[0],ESP
0040177C . EA 00104000 C>JMP FAR E8C3:00401000 ; far jump
After the far jump:
7C92E480 8B1C24 MOV EBX,DWORD PTR SS:[ESP]
7C92E483 51 PUSH ECX
7C92E484 53 PUSH EBX
7C92E485 E8 9AC30100 CALL ntdll.7C94A824
7C92E48A 0AC0 OR AL,AL
7C92E48C 74 0C JE SHORT ntdll.7C92E49A
7C92E48E 5B POP EBX
7C92E48F 59 POP ECX
7C92E490 6A 00 PUSH 0
7C92E492 51 PUSH ECX
7C92E493 E8 C6EBFFFF CALL ntdll.ZwContinue
7C92E498 EB 0B JMP SHORT ntdll.7C92E4A5
7C92E49A 5B POP EBX
7C92E49B 59 POP ECX
7C92E49C 6A 00 PUSH 0
7C92E49E 51 PUSH ECX
7C92E49F 53 PUSH EBX
7C92E4A0 E8 09F5FFFF CALL ntdll.ZwRaiseException
7C92E4A5 83C4 EC ADD ESP,-14
7C92E4A8 890424 MOV DWORD PTR SS:[ESP],EAX
7C92E4AB C74424 04 01000>MOV DWORD PTR SS:[ESP+4],1
7C92E4B3 895C24 08 MOV DWORD PTR SS:[ESP+8],EBX
7C92E4B7 C74424 10 00000>MOV DWORD PTR SS:[ESP+10],0
7C92E4BF 54 PUSH ESP
7C92E4C0 E8 63000000 CALL ntdll.RtlRaiseException
7C92E4C5 C2 0800 RETN 8
7C92E4C8 > 55 PUSH EBP
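The first 5 times I press F8 to 7C92E485 E8 9AC30100 CALL ntdll.7C94A824, it jumps back to
7C92E480 8B1C24 MOV EBX,DWORD PTR SS:[ESP]
On the 6th time entering 7C92E485 E8 9AC30100 CALL ntdll.7C94A824, the program starts running.
Tracing into 7C92E485 E8 9AC30100 CALL ntdll.7C94A824 enters a loop that I cannot get out of. Frustrating. Looking for pointers, and for help unpacking. Thanks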