下面是我的手动脱壳流程。
目标壳（查壳结果）：Armadillo 3.78 - 4.xx -> Silicon Realms Toolworks
OD 载入，停在入口处。
在 GetModuleHandleA+5 下断，然后运行。
Shift+F9（第一次中断，栈窗口如下）：
00128994 |01A3AB2C 返回到 01A3AB2C 来自 kernel32.GetModuleHandleA
00128998 |01AEE058 ASCII "kernel32.dll"
0012899C |01AEFF34 ASCII "VirtualAlloc"
shift + f9
00128994 |01A3AB4A 返回到 01A3AB4A 来自 kernel32.GetModuleHandleA
00128998 |01AEE058 ASCII "kernel32.dll"
0012899C |01AEFF28 ASCII "VirtualFree"
shift + f9
01CFF178 /01CFF7D0
01CFF17C |7C80B7C9 返回到 kernel32.7C80B7C9 来自 kernel32.GetModuleHandleA
01CFF180 |00000000
01CFF184 |7C80B7A4 返回到 kernel32.7C80B7A4 来自 kernel32.7C80B7C2
第三次中断时返回地址已经在 kernel32 内部（见上面的栈），按 Alt+F9 返回到壳的领空，停在：
; OllyDbg listing of the Armadillo import-resolution loop (fragment).
; The loop head at 01A1605C lies before the first line shown, so the code that
; sets eax, [ebp-0x8] and [ebp-0x4] on entry is not visible here.
; Roles observed from the visible code only:
;   [ebp-0x8]               = index i of the current DLL
;   [ebp-0x4]               = pointer to the current DLL record
;                             (+4 = entry table, +8 = flags)
;   [0x1B1AC94]             = array of module handles, indexed by i
;   [0x1B1AC8C],[0x1B1AC90] = arrays of per-DLL pointers to heap tables, indexed by i
;   [0x1B17A9C]             = pointer to a packer context structure ("ctx")
;                             whose fields are XORed together to derive keys
;                             (exact meaning of the fields is not visible)
01A160E4 8B55 F8 mov edx,dword ptr ss:[ebp-0x8]                        ; edx = i
01A160E7 8B0D 94ACB101 mov ecx,dword ptr ds:[0x1B1AC94]                 ; ecx = hmod[]
01A160ED 890491 mov dword ptr ds:[ecx+edx*4],eax                        ; hmod[i] = eax (presumably the GetModuleHandleA result returned just before this fragment - not visible)
01A160F0 8B55 F8 mov edx,dword ptr ss:[ebp-0x8]
01A160F3 A1 94ACB101 mov eax,dword ptr ds:[0x1B1AC94]
01A160F8 833C90 00 cmp dword ptr ds:[eax+edx*4],0x0                     ; already have a handle?
01A160FC 75 5C jnz short 01A1615A                                       ; yes -> skip LoadLibraryA
01A160FE 8B4D FC mov ecx,dword ptr ss:[ebp-0x4]                         ; ecx = DLL record
01A16101 8B51 08 mov edx,dword ptr ds:[ecx+0x8]                         ; edx = record flags
01A16104 83E2 02 and edx,0x2
01A16107 74 38 je short 01A16141                                        ; flag 0x2 clear -> load unconditionally
01A16109 B8 18000000 mov eax,0x18
01A1610E C1E0 02 shl eax,0x2                                            ; eax = 0x60, offset into ctx
01A16111 8B0D 9C7AB101 mov ecx,dword ptr ds:[0x1B17A9C] ; Armadill.01163848 ; ecx = ctx
01A16117 8B15 9C7AB101 mov edx,dword ptr ds:[0x1B17A9C] ; Armadill.01163848 ; edx = ctx
01A1611D 8B35 9C7AB101 mov esi,dword ptr ds:[0x1B17A9C] ; Armadill.01163848 ; esi = ctx
01A16123 8B5E 1C mov ebx,dword ptr ds:[esi+0x1C]
01A16126 335A 18 xor ebx,dword ptr ds:[edx+0x18]
01A16129 331C01 xor ebx,dword ptr ds:[ecx+eax]                          ; ebx = ctx[0x1C] ^ ctx[0x18] ^ ctx[0x60]
01A1612C 83E3 10 and ebx,0x10                                           ; keep bit 4 of that key
01A1612F F7DB neg ebx
01A16131 1BDB sbb ebx,ebx
01A16133 F7DB neg ebx                                                   ; ebx = (bit set) ? 1 : 0
01A16135 0FB6C3 movzx eax,bl
01A16138 85C0 test eax,eax
01A1613A 75 05 jnz short 01A16141                                       ; key bit set -> load the DLL
01A1613C ^ E9 1BFFFFFF jmp 01A1605C                                     ; key bit clear -> back to loop head WITHOUT resolving any of this DLL's entries (loop head is outside this listing)
01A16141 8D8D B0FEFFFF lea ecx,dword ptr ss:[ebp-0x150]                 ; ecx = DLL name buffer (contents not shown here)
01A16147 51 push ecx
01A16148 FF15 30C3AE01 call dword ptr ds:[0x1AEC330] ; kernel32.LoadLibraryA ; eax = LoadLibraryA(name)
01A1614E 8B55 F8 mov edx,dword ptr ss:[ebp-0x8]
01A16151 8B0D 94ACB101 mov ecx,dword ptr ds:[0x1B1AC94]
01A16157 890491 mov dword ptr ds:[ecx+edx*4],eax                        ; hmod[i] = result
01A1615A 8B55 F8 mov edx,dword ptr ss:[ebp-0x8]
01A1615D A1 94ACB101 mov eax,dword ptr ds:[0x1B1AC94]
01A16162 833C90 00 cmp dword ptr ds:[eax+edx*4],0x0
01A16166 75 05 jnz short 01A1616D                                       ; handle valid -> process entries
01A16168 ^ E9 EFFEFFFF jmp 01A1605C                                     ; load failed -> next DLL
01A1616D C785 A4FEFFFF 0>mov dword ptr ss:[ebp-0x15C],0x0               ; j = 0 (entry index, used in the second pass)
01A16177 C785 A8FEFFFF 0>mov dword ptr ss:[ebp-0x158],0x0               ; count = 0
01A16181 8B4D FC mov ecx,dword ptr ss:[ebp-0x4]
01A16184 8B51 04 mov edx,dword ptr ds:[ecx+0x4]
01A16187 8995 ACFEFFFF mov dword ptr ss:[ebp-0x154],edx                 ; p = record->entries
01A1618D EB 0F jmp short 01A1619E
01A1618F 8B85 ACFEFFFF mov eax,dword ptr ss:[ebp-0x154]
01A16195 83C0 0C add eax,0xC                                            ; entries are 0xC bytes apart
01A16198 8985 ACFEFFFF mov dword ptr ss:[ebp-0x154],eax
01A1619E 8B8D ACFEFFFF mov ecx,dword ptr ss:[ebp-0x154]
01A161A4 8339 00 cmp dword ptr ds:[ecx],0x0                             ; table ends at an entry whose first dword is 0
01A161A7 74 11 je short 01A161BA
01A161A9 8B95 A8FEFFFF mov edx,dword ptr ss:[ebp-0x158]
01A161AF 83C2 01 add edx,0x1                                            ; count++
01A161B2 8995 A8FEFFFF mov dword ptr ss:[ebp-0x158],edx
01A161B8 ^ EB D5 jmp short 01A1618F
01A161BA 33C9 xor ecx,ecx
01A161BC 8B85 A8FEFFFF mov eax,dword ptr ss:[ebp-0x158]
01A161C2 BA 04000000 mov edx,0x4
01A161C7 F7E2 mul edx                                                   ; size = count * 4
01A161C9 0F90C1 seto cl
01A161CC F7D9 neg ecx
01A161CE 0BC8 or ecx,eax                                                ; on overflow size becomes 0xFFFFFFFF (saturating multiply idiom)
01A161D0 51 push ecx
01A161D1 E8 0B9F0800 call 01AA00E1                                      ; presumably an allocator taking (size) - body not visible
01A161D6 83C4 04 add esp,0x4
01A161D9 8985 64FDFFFF mov dword ptr ss:[ebp-0x29C],eax
01A161DF 8B45 F8 mov eax,dword ptr ss:[ebp-0x8]
01A161E2 8B0D 8CACB101 mov ecx,dword ptr ds:[0x1B1AC8C]
01A161E8 8B95 64FDFFFF mov edx,dword ptr ss:[ebp-0x29C]
01A161EE 891481 mov dword ptr ds:[ecx+eax*4],edx                        ; tableA[i] = buffer of count dwords
01A161F1 33C9 xor ecx,ecx
01A161F3 8B85 A8FEFFFF mov eax,dword ptr ss:[ebp-0x158]
01A161F9 BA 04000000 mov edx,0x4
01A161FE F7E2 mul edx
01A16200 0F90C1 seto cl
01A16203 F7D9 neg ecx
01A16205 0BC8 or ecx,eax                                                ; same saturating size computation
01A16207 51 push ecx
01A16208 E8 D49E0800 call 01AA00E1
01A1620D 83C4 04 add esp,0x4
01A16210 8985 60FDFFFF mov dword ptr ss:[ebp-0x2A0],eax
01A16216 8B45 F8 mov eax,dword ptr ss:[ebp-0x8]
01A16219 8B0D 90ACB101 mov ecx,dword ptr ds:[0x1B1AC90]
01A1621F 8B95 60FDFFFF mov edx,dword ptr ss:[ebp-0x2A0]
01A16225 891481 mov dword ptr ds:[ecx+eax*4],edx                        ; tableB[i] = second buffer of the same size
01A16228 8B45 FC mov eax,dword ptr ss:[ebp-0x4]
01A1622B 8B48 04 mov ecx,dword ptr ds:[eax+0x4]
01A1622E 898D ACFEFFFF mov dword ptr ss:[ebp-0x154],ecx                 ; second pass: p = record->entries again
01A16234 EB 1E jmp short 01A16254
01A16236 8B95 ACFEFFFF mov edx,dword ptr ss:[ebp-0x154]
01A1623C 83C2 0C add edx,0xC                                            ; p += 0xC
01A1623F 8995 ACFEFFFF mov dword ptr ss:[ebp-0x154],edx
01A16245 8B85 A4FEFFFF mov eax,dword ptr ss:[ebp-0x15C]
01A1624B 83C0 01 add eax,0x1                                            ; j++
01A1624E 8985 A4FEFFFF mov dword ptr ss:[ebp-0x15C],eax
01A16254 8B8D ACFEFFFF mov ecx,dword ptr ss:[ebp-0x154]
01A1625A 8339 00 cmp dword ptr ds:[ecx],0x0
01A1625D 0F84 47010000 je 01A163AA                                      ; end of entries -> post-processing of hmod[i]
01A16263 68 00010000 push 0x100                                         ; arg3 = 0x100 (buffer size)
01A16268 8D95 A0FDFFFF lea edx,dword ptr ss:[ebp-0x260]
01A1626E 52 push edx                                                    ; arg2 = buf (ebp-0x260)
01A1626F 8B85 ACFEFFFF mov eax,dword ptr ss:[ebp-0x154]
01A16275 8B08 mov ecx,dword ptr ds:[eax]
01A16277 51 push ecx                                                    ; arg1 = entry[0]
01A16278 E8 43A60400 call 01A608C0                                      ; presumably writes the import name into buf, since buf is handed to GetProcAddress below - body not visible
01A1627D 83C4 0C add esp,0xC
01A16280 8B15 9C7AB101 mov edx,dword ptr ds:[0x1B17A9C] ; Armadill.01163848
01A16286 A1 9C7AB101 mov eax,dword ptr ds:[0x1B17A9C]
01A1628B 8B4A 28 mov ecx,dword ptr ds:[edx+0x28]
01A1628E 3348 1C xor ecx,dword ptr ds:[eax+0x1C]
01A16291 8B15 9C7AB101 mov edx,dword ptr ds:[0x1B17A9C] ; Armadill.01163848
01A16297 334A 18 xor ecx,dword ptr ds:[edx+0x18]
01A1629A A1 9C7AB101 mov eax,dword ptr ds:[0x1B17A9C]
01A1629F 3348 14 xor ecx,dword ptr ds:[eax+0x14]
01A162A2 898D 54FDFFFF mov dword ptr ss:[ebp-0x2AC],ecx                 ; key = ctx[0x28] ^ ctx[0x1C] ^ ctx[0x18] ^ ctx[0x14]
01A162A8 8D8D A0FDFFFF lea ecx,dword ptr ss:[ebp-0x260]
01A162AE 51 push ecx                                                    ; lpProcName = buf
01A162AF 8B55 F8 mov edx,dword ptr ss:[ebp-0x8]
01A162B2 A1 94ACB101 mov eax,dword ptr ds:[0x1B1AC94]
01A162B7 8B0C90 mov ecx,dword ptr ds:[eax+edx*4]
01A162BA 51 push ecx                                                    ; hModule = hmod[i]
01A162BB FF15 34C3AE01 call dword ptr ds:[0x1AEC334] ; kernel32.GetProcAddress
01A162C1 3385 54FDFFFF xor eax,dword ptr ss:[ebp-0x2AC]                 ; the API address is stored XOR-ed with key, not in the clear
01A162C7 8B55 F8 mov edx,dword ptr ss:[ebp-0x8]
01A162CA 8B0D 8CACB101 mov ecx,dword ptr ds:[0x1B1AC8C]
01A162D0 8B1491 mov edx,dword ptr ds:[ecx+edx*4]
01A162D3 8B8D A4FEFFFF mov ecx,dword ptr ss:[ebp-0x15C]
01A162D9 89048A mov dword ptr ds:[edx+ecx*4],eax                        ; tableA[i][j] = GetProcAddress(...) ^ key
01A162DC 6A 01 push 0x1                                                 ; arg3 = 1
01A162DE 8D95 A0FDFFFF lea edx,dword ptr ss:[ebp-0x260]
01A162E4 52 push edx                                                    ; arg2 = buf
01A162E5 8B45 F8 mov eax,dword ptr ss:[ebp-0x8]
01A162E8 8B0D 94ACB101 mov ecx,dword ptr ds:[0x1B1AC94]
01A162EE 8B1481 mov edx,dword ptr ds:[ecx+eax*4]
01A162F1 52 push edx                                                    ; arg1 = hmod[i]
01A162F2 E8 490C0000 call 01A16F40                                      ; unknown helper (hmod, name, 1) - body not visible
01A162F7 83C4 0C add esp,0xC
01A162FA 8B4D F8 mov ecx,dword ptr ss:[ebp-0x8]
01A162FD 8B15 90ACB101 mov edx,dword ptr ds:[0x1B1AC90]
01A16303 8B0C8A mov ecx,dword ptr ds:[edx+ecx*4]
01A16306 8B95 A4FEFFFF mov edx,dword ptr ss:[ebp-0x15C]
01A1630C 890491 mov dword ptr ds:[ecx+edx*4],eax                        ; tableB[i][j] = result
01A1630F 8B45 F8 mov eax,dword ptr ss:[ebp-0x8]
01A16312 8B0D 90ACB101 mov ecx,dword ptr ds:[0x1B1AC90]
01A16318 8B1481 mov edx,dword ptr ds:[ecx+eax*4]
01A1631B 8B85 A4FEFFFF mov eax,dword ptr ss:[ebp-0x15C]
01A16321 833C82 00 cmp dword ptr ds:[edx+eax*4],0x0
01A16325 75 32 jnz short 01A16359                                       ; non-zero -> keep it
01A16327 6A 00 push 0x0                                                 ; otherwise retry the same helper with arg3 = 0
01A16329 8D8D A0FDFFFF lea ecx,dword ptr ss:[ebp-0x260]
01A1632F 51 push ecx
01A16330 8B55 F8 mov edx,dword ptr ss:[ebp-0x8]
01A16333 A1 94ACB101 mov eax,dword ptr ds:[0x1B1AC94]
01A16338 8B0C90 mov ecx,dword ptr ds:[eax+edx*4]
01A1633B 51 push ecx
01A1633C E8 FF0B0000 call 01A16F40
01A16341 83C4 0C add esp,0xC
01A16344 8B55 F8 mov edx,dword ptr ss:[ebp-0x8]
01A16347 8B0D 90ACB101 mov ecx,dword ptr ds:[0x1B1AC90]
01A1634D 8B1491 mov edx,dword ptr ds:[ecx+edx*4]
01A16350 8B8D A4FEFFFF mov ecx,dword ptr ss:[ebp-0x15C]
01A16356 89048A mov dword ptr ds:[edx+ecx*4],eax                        ; tableB[i][j] = retry result
01A16359 8B55 F8 mov edx,dword ptr ss:[ebp-0x8]
01A1635C A1 90ACB101 mov eax,dword ptr ds:[0x1B1AC90]
01A16361 8B0C90 mov ecx,dword ptr ds:[eax+edx*4]                        ; ecx = tableB[i]
01A16364 8B15 9C7AB101 mov edx,dword ptr ds:[0x1B17A9C] ; Armadill.01163848
01A1636A A1 9C7AB101 mov eax,dword ptr ds:[0x1B17A9C]
01A1636F 8B35 9C7AB101 mov esi,dword ptr ds:[0x1B17A9C] ; Armadill.01163848
01A16375 8B3D 9C7AB101 mov edi,dword ptr ds:[0x1B17A9C] ; Armadill.01163848
01A1637B 8B7F 28 mov edi,dword ptr ds:[edi+0x28]
01A1637E 337E 1C xor edi,dword ptr ds:[esi+0x1C]
01A16381 3378 18 xor edi,dword ptr ds:[eax+0x18]
01A16384 337A 14 xor edi,dword ptr ds:[edx+0x14]                        ; edi = same key as at 01A162A2
01A16387 8B95 A4FEFFFF mov edx,dword ptr ss:[ebp-0x15C]
01A1638D 333C91 xor edi,dword ptr ds:[ecx+edx*4]                        ; edi = key ^ tableB[i][j]
01A16390 8B45 F8 mov eax,dword ptr ss:[ebp-0x8]
01A16393 8B0D 90ACB101 mov ecx,dword ptr ds:[0x1B1AC90]
01A16399 8B1481 mov edx,dword ptr ds:[ecx+eax*4]
01A1639C 8B85 A4FEFFFF mov eax,dword ptr ss:[ebp-0x15C]
01A163A2 893C82 mov dword ptr ds:[edx+eax*4],edi                        ; tableB[i][j] ^= key
01A163A5 ^ E9 8CFEFFFF jmp 01A16236                                     ; next entry
01A163AA 8B0D 9C7AB101 mov ecx,dword ptr ds:[0x1B17A9C] ; Armadill.01163848
01A163B0 8B15 9C7AB101 mov edx,dword ptr ds:[0x1B17A9C] ; Armadill.01163848
01A163B6 A1 9C7AB101 mov eax,dword ptr ds:[0x1B17A9C]
01A163BB 8B35 9C7AB101 mov esi,dword ptr ds:[0x1B17A9C] ; Armadill.01163848
01A163C1 8B76 40 mov esi,dword ptr ds:[esi+0x40]
01A163C4 3370 18 xor esi,dword ptr ds:[eax+0x18]
01A163C7 3372 24 xor esi,dword ptr ds:[edx+0x24]
01A163CA 3371 30 xor esi,dword ptr ds:[ecx+0x30]                        ; esi = ctx[0x40] ^ ctx[0x18] ^ ctx[0x24] ^ ctx[0x30] (a different key)
01A163CD 8B4D F8 mov ecx,dword ptr ss:[ebp-0x8]
01A163D0 8B15 94ACB101 mov edx,dword ptr ds:[0x1B1AC94]
01A163D6 33348A xor esi,dword ptr ds:[edx+ecx*4]
01A163D9 8B45 F8 mov eax,dword ptr ss:[ebp-0x8]
01A163DC 8B0D 94ACB101 mov ecx,dword ptr ds:[0x1B1AC94]
01A163E2 893481 mov dword ptr ds:[ecx+eax*4],esi                        ; hmod[i] ^= that key (the stored handle is obfuscated too)
01A163E5 ^ E9 72FCFFFF jmp 01A1605C                                     ; back to the loop head (outside this listing) for the next DLL
01A163EA EB 03 jmp short 01A163EF                                       ; not reached by fall-through from the loop above
01A163EC D6 salc                                                        ; D6 D6: two bytes skipped by the jmp - looks like filler/anti-disassembly padding, not data the loop uses
01A163ED D6 salc
本人在此处做了 NOP 处理（具体 NOP 掉的是哪条指令，上面没有记录）。
然后在 01A163EA EB 03 jmp short 01A163EF 处下断，运行。
断下后，在内存镜像（程序代码段）上下断，运行；断下后一路 F8 单步，
最后 F7 跟进，到达 OEP。
用 LoadPE 完整保存（dump），再用 ImportREC 修复 IAT，之后问题来了：
用 OD 重新载入脱壳后的程序，提示“无法分析文件”。
谁能帮忙找找问题？谢谢了。
（补充说明：上面的记录里没有写明 dump 时的 OEP 地址、ImportREC 中是否还有无效指针，以及被 NOP 的具体指令——排查这个问题时这三项信息是必需的。）