手上有一款超市收银软件,不知道加的是什么类型的壳,有反调试;用OD调试时会出现NG;直接运行则会提示:找不到指定的加密锁。请朋友帮忙看看,谢谢!OD调试的部分代码如下:
; Program entry stub (OllyDbg listing, 32-bit x86, Intel operand order).
; The jmp at 0040121C skips 0x10 bytes (0040121E-0040122D) that are data, not
; code; the debugger has decoded them as instructions anyway. The first ten of
; those bytes, 66 62 3A 43 2B 2B 48 4F 4F 4B, are the ASCII text "fb:C++HOOK".
; NOTE(review): that marker is commonly associated with Borland C++ runtime
; start-up code, which would make this ordinary compiler start-up rather than
; a packer stub - confirm with a file-identification tool.
0040121C > /EB 10 jmp short Shop.0040122E
0040121E |66:623A bound di,dword ptr ds:[edx]
00401221 |43 inc ebx
00401222 |2B2B sub ebp,dword ptr ds:[ebx]
00401224 |48 dec eax
00401225 |4F dec edi
00401226 |4F dec edi
00401227 |4B dec ebx
00401228 |90 nop
; Still inside the skipped data: byte E9 followed by the dword 0043B0AC.
; Decoding it as a jump gives the out-of-image target 0083C2DA; presumably the
; dword is a data address near 0x43B09F rather than a displacement - confirm.
00401229 -|E9 ACB04300 jmp 0083C2DA
; Real code starts here. [0x43B0A3] = [0x43B09F] * 4; 0x43B09F is used at
; 0040135C as an index into the array at fs:[0x2C], so this is its byte offset.
0040122E \A1 9FB04300 mov eax,dword ptr ds:[0x43B09F]
00401233 C1E0 02 shl eax,0x2
00401236 A3 A3B04300 mov dword ptr ds:[0x43B0A3],eax
; edx is preserved around the next call; GetModuleHandleA(0) returns the
; handle of the executable itself, handed to Shop.0042DE48 in edx.
0040123B 52 push edx
0040123C 6A 00 push 0x0
0040123E E8 B58F0300 call <jmp.&KERNEL32.GetModuleHandleA>
00401243 8BD0 mov edx,eax
00401245 E8 FECB0200 call Shop.0042DE48
0040124A 5A pop edx
; Three more initialisation calls whose bodies are not part of this listing.
0040124B E8 F8C70200 call Shop.0042DA48
00401250 E8 7FD10200 call Shop.0042E3D4
00401255 6A 00 push 0x0
00401257 E8 9CE40200 call Shop.0042F6F8
0040125C 59 pop ecx ; caller removes the single pushed argument
; 0043B048 and (later) 0 are left on the stack for the code at 00437404.
0040125D 68 48B04300 push Shop.0043B048
00401262 6A 00 push 0x0
00401264 E8 8F8F0300 call <jmp.&KERNEL32.GetModuleHandleA>
00401269 A3 A7B04300 mov dword ptr ds:[0x43B0A7],eax ; cache the module handle (read back at 00401282)
0040126E 6A 00 push 0x0
; Transfer by jmp, not call: no return address is pushed for this stub.
00401270 E9 8F610300 jmp Shop.00437404
; Three small stubs.
; 00401275: one-instruction thunk that forwards to Shop.0042F748.
00401275 > E9 CEE40200 jmp Shop.0042F748
; 0040127A: returns the byte at [0x43B091] zero-extended in eax
; (eax is cleared first, then only al is loaded).
0040127A 33C0 xor eax,eax
0040127C A0 91B04300 mov al,byte ptr ds:[0x43B091]
00401281 C3 retn
; 00401282: returns the dword at [0x43B0A7], the module handle stored by the
; entry stub at 00401269.
00401282 A1 A7B04300 mov eax,dword ptr ds:[0x43B0A7]
00401287 C3 retn
; 00401288: error stub. Callers in this listing load eax with 0xFE, 0xFD or
; 0xFC before calling it (004012A7, 004012C8, 00401304).
; It saves all registers, pushes the constant 0xBCB05000 and then 0xBAD, and
; executes retn, which pops 0x00000BAD as the "return address".
; NOTE(review): 0x00000BAD is not expected to be mapped code, so this is
; presumably a deliberate fault used as a fatal-error exit - confirm.
00401288 60 pushad
00401289 BB 0050B0BC mov ebx,0xBCB05000
0040128E 53 push ebx
0040128F 68 AD0B0000 push 0xBAD
00401294 C3 retn
; 00401295: allocates a 0xAC-byte block from the process heap and registers it
; under the index stored at [0x43B09F]. Reached by the jump at 00401302.
; The size test below compares a constant: ecx is always 0xAC, so the je to
; 004012EB is never taken.
00401295 B9 AC000000 mov ecx,0xAC
0040129A 0BC9 or ecx,ecx
0040129C 74 4D je short Shop.004012EB
; cmp against 0 never sets the carry flag, so this jnb is always taken and the
; 0xFE error call below is not reached by fall-through.
; NOTE(review): if a failure value was meant to be rejected here, this
; unsigned test does not do it.
0040129E 833D 9FB04300 0>cmp dword ptr ds:[0x43B09F],0x0
004012A5 73 0A jnb short Shop.004012B1
004012A7 B8 FE000000 mov eax,0xFE
004012AC E8 D7FFFFFF call Shop.00401288
; HeapAlloc(GetProcessHeap(), 8, 0xAC); flag value 8 is HEAP_ZERO_MEMORY.
004012B1 B9 AC000000 mov ecx,0xAC
004012B6 51 push ecx
004012B7 6A 08 push 0x8
004012B9 E8 528F0300 call <jmp.&KERNEL32.GetProcessHeap>
004012BE 50 push eax
004012BF E8 A08F0300 call <jmp.&KERNEL32.HeapAlloc>
; A NULL result is routed to the error stub with code 0xFD.
004012C4 0BC0 or eax,eax
004012C6 75 0A jnz short Shop.004012D2
004012C8 B8 FD000000 mov eax,0xFD
004012CD E8 B6FFFFFF call Shop.00401288
; The new pointer is pushed twice, then the index from [0x43B09F].
; NOTE(review): 00437644 and 00437658 are not shown; taking (index, pointer)
; and (index) they are presumably thunks to per-thread storage APIs - confirm.
004012D2 50 push eax
004012D3 50 push eax
004012D4 FF35 9FB04300 push dword ptr ds:[0x43B09F]
004012DA E8 65630300 call Shop.00437644
004012DF FF35 9FB04300 push dword ptr ds:[0x43B09F]
004012E5 E8 6E630300 call Shop.00437658
; Pops one leftover stack dword into edi; edi is not saved by this routine.
004012EA 5F pop edi
004012EB C3 retn
; 004012EC: obtains a value from Shop.0043761C, stores it in [0x43B09F] (the
; index used throughout this group) and continues at 00401295.
; As at 00401295, ecx is the constant 0xAC, so the je is never taken.
004012EC B9 AC000000 mov ecx,0xAC
004012F1 0BC9 or ecx,ecx
004012F3 74 19 je short Shop.0040130E
; NOTE(review): 0043761C is not shown; presumably it allocates the index -
; confirm.
004012F5 E8 22630300 call Shop.0043761C
004012FA A3 9FB04300 mov dword ptr ds:[0x43B09F],eax
; cmp eax,0 cannot set the carry flag, so jnb is always taken: the 0xFC error
; path below is unreachable by fall-through, whatever 0043761C returned.
004012FF 83F8 00 cmp eax,0x0
00401302 ^ 73 91 jnb short Shop.00401295
00401304 B8 FC000000 mov eax,0xFC
00401309 E8 7AFFFFFF call Shop.00401288
0040130E C3 retn
; 0040130F: releases the heap block registered under the index in [0x43B09F].
; cmp against 0 never sets carry, so the jb below is never taken.
0040130F 833D 9FB04300 0>cmp dword ptr ds:[0x43B09F],0x0
00401316 72 28 jb short Shop.00401340
; Look up the pointer for this index; a zero result skips the free.
; NOTE(review): 00437634 is not shown; presumably the matching "get" thunk.
00401318 FF35 9FB04300 push dword ptr ds:[0x43B09F]
0040131E E8 11630300 call Shop.00437634
00401323 0BC0 or eax,eax
00401325 74 19 je short Shop.00401340
; HeapFree(GetProcessHeap(), 8, ptr) - the same flag value 8 as the allocation.
00401327 50 push eax
00401328 6A 08 push 0x8
0040132A E8 E18E0300 call <jmp.&KERNEL32.GetProcessHeap>
0040132F 50 push eax
00401330 E8 358F0300 call <jmp.&KERNEL32.HeapFree>
; Final call takes the index only; its body (00437660) is not shown.
00401335 FF35 9FB04300 push dword ptr ds:[0x43B09F]
0040133B E8 20630300 call Shop.00437660
00401340 C3 retn
; 00401341: a separate one-instruction routine; no reference to it appears in
; this listing.
00401341 C3 retn
; 00401342: tear-down for the index in [0x43B09F]: frees the block through
; 0040130F, then passes the index to Shop.00437624.
; The jb after a compare with 0 is never taken (carry is always clear).
; NOTE(review): 00437624 is not shown; presumably it releases the index.
00401342 833D 9FB04300 0>cmp dword ptr ds:[0x43B09F],0x0
00401349 72 10 jb short Shop.0040135B
0040134B E8 BFFFFFFF call Shop.0040130F
00401350 FF35 9FB04300 push dword ptr ds:[0x43B09F]
00401356 E8 C9620300 call Shop.00437624
0040135B C3 retn
; 0040135C: returns in eax the dword at index [0x43B09F] of the array whose
; address is read from fs:[0x2C]. On 32-bit Windows fs:[0x2C] is the thread
; environment block's thread-local-storage pointer, so the result is
; per-thread. The 64:67: bytes are the fs-segment and address-size prefixes.
0040135C A1 9FB04300 mov eax,dword ptr ds:[0x43B09F]
00401361 64:67:8B16 2C00 mov edx,dword ptr fs:[0x2C]
00401367 8B0482 mov eax,dword ptr ds:[edx+eax*4]
0040136A C3 retn
0040136B 90 nop ; padding
; 0040136C: calls Shop.0041833C with eax = address 0043B0D0 (argument passed in
; a register). The callee is not part of this listing.
0040136C B8 D0B04300 mov eax,Shop.0043B0D0
00401371 E8 C66F0100 call Shop.0041833C
00401376 C3 retn
00401377 90 nop ; padding
; 00401378: counterpart of 0040136C. Calls Shop.0041834C with eax = 0043B0D0,
; then releases the library handle kept in [0x43B0E0] unless it is zero or
; equal to [0x43B0D4] (the value written at 004013CF from the third argument
; of 0040139C).
00401378 B8 D0B04300 mov eax,Shop.0043B0D0
0040137D E8 CA6F0100 call Shop.0041834C
00401382 A1 E0B04300 mov eax,dword ptr ds:[0x43B0E0]
00401387 3B05 D4B04300 cmp eax,dword ptr ds:[0x43B0D4]
0040138D 74 0A je short Shop.00401399 ; same handle: nothing to free
0040138F 85C0 test eax,eax
00401391 74 06 je short Shop.00401399 ; no handle stored
00401393 50 push eax
00401394 E8 E78D0300 call <jmp.&KERNEL32.FreeLibrary>
00401399 C3 retn
0040139A 90 nop ; padding
0040139B 90 nop ; padding
; 0040139C: records start-up parameters in globals.
; Stack arguments read: [ebp+0x8] (low byte used), [ebp+0xC] (low byte used),
; [ebp+0x10] (dword), [ebp+0x14] (byte). It returns with a plain retn, so the
; arguments are left for the caller to remove. No value is set up in eax for
; return.
0040139C 55 push ebp
0040139D 8BEC mov ebp,esp
0040139F 8B4D 10 mov ecx,dword ptr ss:[ebp+0x10]
004013A2 8B55 0C mov edx,dword ptr ss:[ebp+0xC]
004013A5 8B45 08 mov eax,dword ptr ss:[ebp+0x8]
004013A8 A2 74254400 mov byte ptr ds:[0x442574],al ; flag 1 = first argument
004013AD 8815 75254400 mov byte ptr ds:[0x442575],dl ; flag 2 = second argument
; al = 1 only when the first argument is non-zero and the second is zero;
; every other combination gives 0.
004013B3 84C0 test al,al
004013B5 74 04 je short Shop.004013BB
004013B7 84D2 test dl,dl
004013B9 74 04 je short Shop.004013BF
004013BB 33C0 xor eax,eax
004013BD EB 02 jmp short Shop.004013C1
004013BF B0 01 mov al,0x1
; The result byte is stored through the pointer held at [0x442358].
004013C1 8B15 58234400 mov edx,dword ptr ds:[0x442358] ; Shop.00444EA8
004013C7 8802 mov byte ptr ds:[edx],al
; The third argument is kept in two globals; [0x43B0D4] is the value compared
; against before FreeLibrary at 00401387.
004013C9 890D 78254400 mov dword ptr ds:[0x442578],ecx
004013CF 890D D4B04300 mov dword ptr ds:[0x43B0D4],ecx
; Clear [0x43B0D8] and [0x43B0DC], set the byte at [0x442576] to 1.
004013D5 33C0 xor eax,eax
004013D7 A3 D8B04300 mov dword ptr ds:[0x43B0D8],eax
004013DC 33C0 xor eax,eax
004013DE A3 DCB04300 mov dword ptr ds:[0x43B0DC],eax
004013E3 C605 76254400 0>mov byte ptr ds:[0x442576],0x1
004013EA E8 7DFFFFFF call Shop.0040136C
; The remaining work runs only when flag 1 (first argument) is zero.
004013EF 803D 74254400 0>cmp byte ptr ds:[0x442574],0x0
004013F6 75 39 jnz short Shop.00401431
; Shop.004170B8 is called twice, once with this routine's own address and once
; with the data address 0043B0CC; the results fill the two globals cleared
; above. NOTE(review): 004170B8 is not shown - its meaning is not established
; by this listing.
004013F8 B8 9C134000 mov eax,Shop.0040139C
004013FD E8 B65C0100 call Shop.004170B8
00401402 A3 D8B04300 mov dword ptr ds:[0x43B0D8],eax
00401407 B8 CCB04300 mov eax,Shop.0043B0CC
0040140C E8 A75C0100 call Shop.004170B8
00401411 A3 DCB04300 mov dword ptr ds:[0x43B0DC],eax
; Store the wide-character command-line pointer through [0x44235C].
00401416 E8 7D8D0300 call <jmp.&KERNEL32.GetCommandLineW>
0040141B 8B15 5C234400 mov edx,dword ptr ds:[0x44235C] ; Shop.00444EB0
00401421 8902 mov dword ptr ds:[edx],eax
; Store the fourth argument's byte with bit 0 inverted through [0x442364].
00401423 0FB645 14 movzx eax,byte ptr ss:[ebp+0x14]
00401427 34 01 xor al,0x1
00401429 8B15 64234400 mov edx,dword ptr ds:[0x442364] ; Shop.00444EBC
0040142F 8802 mov byte ptr ds:[edx],al
00401431 5D pop ebp
00401432 C3 retn
00401433 90 nop ; padding
; 00401434: runs the handler(s) registered in a function-pointer slot, then
; calls the clean-up routine 00401378. ebx and esi are saved and restored.
00401434 53 push ebx
00401435 56 push esi
; esi = address of the slot, read from the pointer at [0x442360].
00401436 8B35 60234400 mov esi,dword ptr ds:[0x442360] ; Shop.00444EB8
; The handler loop is skipped when flag 1 ([0x442574], set at 004013A8) is
; non-zero or when the slot is empty.
0040143C 803D 74254400 0>cmp byte ptr ds:[0x442574],0x0
00401443 75 14 jnz short Shop.00401459
00401445 833E 00 cmp dword ptr ds:[esi],0x0
00401448 74 0F je short Shop.00401459
; Loop: take the pointer out of the slot, clear the slot, call the pointer.
; Clearing first means a handler that stores a new pointer gets it called on
; the next pass; the loop ends once the slot stays zero.
; The call target comes from writable data, so whatever last wrote the slot
; decides what executes here.
0040144A 8B06 mov eax,dword ptr ds:[esi]
0040144C 89C3 mov ebx,eax
0040144E 33C0 xor eax,eax
00401450 8906 mov dword ptr ds:[esi],eax
00401452 FFD3 call ebx
00401454 833E 00 cmp dword ptr ds:[esi],0x0
00401457 ^ 75 F1 jnz short Shop.0040144A
00401459 E8 1AFFFFFF call Shop.00401378
0040145E 5E pop esi
0040145F 5B pop ebx
00401460 C3 retn
00401461 90 nop ; padding
00401462 90 nop ; padding
00401463 90 nop ; padding
; 00401464 / 0040146C: paired helpers that add 1 to and subtract 1 from the
; dword counter at [0x442580]. Neither uses a lock prefix, and neither returns
; a value in a register.
00401464 FF05 80254400 inc dword ptr ds:[0x442580]
0040146A C3 retn
0040146B 90 nop ; padding
0040146C 832D 80254400 0>sub dword ptr ds:[0x442580],0x1
00401473 C3 retn
00401474 55 push ebp
00401475 8BEC mov ebp,esp
00401477 83C4 F8 add esp,-0x8
0040147A B8 01000000 mov eax,0x1
0040147F 53 push ebx
00401480 56 push esi
00401481 57 push edi
00401482 E9 2D010000 jmp Shop.004015B4
00401487 8B55 08 mov edx,dword ptr ss:[ebp+0x8]
0040148A 8B8A E0000000 mov ecx,dword ptr ds:[edx+0xE0]
00401490 894D F8 mov dword ptr ss:[ebp-0x8],ecx
00401493 837D F8 00 cmp dword ptr ss:[ebp-0x8],0x0