The VsMenu60 control, checked with PEiD, reports PECompact 1.68 - 1.84 -> Jeremy Collake as the packer.
I followed the article 【原创】PECompact 1.68 -1.84(烂!烂!)脱壳 ("[Original] Unpacking PECompact 1.68 - 1.84").
I just let it jump there: G 004F3414, and landed here:
004F3414 5F pop edi ; Throttle.00401000
004F3415 59 pop ecx
- The section in between is different from mine
- I have put it below
004F3457 3B85 67974000 cmp eax,dword ptr ss:[ebp+409767]
004F345D 74 4D je short Throttle.004F34AC ; this jump is taken!
004F345F ^ E9 4FFEFFFF jmp Throttle.004F32B3
004F3464 54 push esp
004F3465 68 69732065 push 65207369
004F346A 78 65 js short Throttle.004F34D1
004F346C 6375 74 arpl word ptr ss:[ebp+74],si
004F346F 61 popad ; this one is nice to see
Arriving here:
004F3523 80BD 6B9F4000 C3 cmp byte ptr ss:[ebp+409F6B],0C3 ; what is this compare for???
004F352A /74 22 je short Throttle.004F354E
004F352C |8D95 6BA14000 lea edx,dword ptr ss:[ebp+40A16B]
004F3532 |6A 40 push 40
004F3534 |52 push edx
004F3535 |FFB5 3D974000 push dword ptr ss:[ebp+40973D]
004F353B |FFB5 39974000 push dword ptr ss:[ebp+409739]
004F3541 |E8 F40A0000 call Throttle.004F403A
004F3546 |85C0 test eax,eax
004F3548 ^|0F85 9DFDFFFF jnz Throttle.004F32EB
004F354E \61 popad ; good stuff!!!!!!!
004F354F 9D popfd ; good stuff!!!!!!!!
004F3550 50 push eax
004F3551 68 E0DE4700 push Throttle.0047DEE0 ; ASCII "U??"
004F3556 C2 0400 retn 4 ; this should return to the entry point!
The section that differs:
1106C4A9 90 nop
1106C4AA 90 nop
1106C4AB 90 nop
1106C4AC E8 A1010000 call VsMenu60.1106C652
1106C4B1 E8 A3000000 call VsMenu60.1106C559
1106C4B6 73 6B jnb short VsMenu60.1106C523 ; this jump is taken
1106C4B8 E8 56020000 call VsMenu60.1106C713
1106C4BD 8D9D 1B974000 lea ebx,dword ptr ss:[ebp+40971B]
1106C4C3 53 push ebx
1106C4C4 50 push eax
1106C4C5 FF95 3D974000 call dword ptr ss:[ebp+40973D]
1106C4CB 8D9D 6B974000 lea ebx,dword ptr ss:[ebp+40976B]
1106C4D1 53 push ebx
1106C4D2 83BD 2D974000 01 cmp dword ptr ss:[ebp+40972D],1
1106C4D9 74 08 je short VsMenu60.1106C4E3
1106C4DB 8D8D B2964000 lea ecx,dword ptr ss:[ebp+4096B2]
1106C4E1 EB 06 jmp short VsMenu60.1106C4E9
1106C4E3 8D8D 6E964000 lea ecx,dword ptr ss:[ebp+40966E]
1106C4E9 8B95 25974000 mov edx,dword ptr ss:[ebp+409725]
1106C4EF 8BBD 29974000 mov edi,dword ptr ss:[ebp+409729]
1106C4F5 57 push edi
1106C4F6 52 push edx
1106C4F7 51 push ecx
1106C4F8 53 push ebx
1106C4F9 FFD0 call eax
1106C4FB 8D9D 0F974000 lea ebx,dword ptr ss:[ebp+40970F]
1106C501 53 push ebx
1106C502 FFB5 38964000 push dword ptr ss:[ebp+409638]
1106C508 FF95 3D974000 call dword ptr ss:[ebp+40973D]
1106C50E 5B pop ebx
1106C50F 8D8D 58964000 lea ecx,dword ptr ss:[ebp+409658]
1106C515 6A 10 push 10
1106C517 51 push ecx
1106C518 53 push ebx
1106C519 6A 00 push 0
1106C51B FFD0 call eax
1106C51D FFA5 49974000 jmp dword ptr ss:[ebp+409749]
1106C523 80BD 6B9F4000 C3 cmp byte ptr ss:[ebp+409F6B],0C3 ; it jumps to here, and from here on it is the same again
1106C52A 74 22 je short VsMenu60.1106C54E
Is this a fake packer signature or a modified variant of the packer, and how do I unpack it?
Thanks
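The hand-off the post points at (popad / popfd / push eax / push 0047DEE0 / retn 4 at 004F354E) is what makes the original entry point recoverable from the stub: `retn 4` pops the pushed immediate as its return address and then discards the `push eax` slot, so the stack is balanced when execution arrives at the OEP. The following script is an added example, not code from the post or from PECompact; it scans a raw code dump for that instruction tail and decodes the pushed address. The sample bytes are constructed from the five instructions quoted in the post, and the base address, image base and image size used for the sanity check are assumptions. The post states that the VsMenu60 listing matches the Throttle one again after the compare at 1106C523, so the same tail would be the thing to look for there.

```python
import re
import struct

# Constructed sample: the encoding of the five instructions the post quotes
# at 004F354E..004F3556 --
#   61            popad
#   9D            popfd
#   50            push eax
#   68 E0DE4700   push 0047DEE0
#   C2 0400       retn 4
# -- padded with two NOPs in front and two INT3 bytes behind.
SAMPLE = bytes.fromhex("90 90 61 9D 50 68 E0 DE 47 00 C2 04 00 CC CC")
SAMPLE_BASE = 0x004F354C  # assumed address of SAMPLE[0]; puts the stub at 004F354E

# popad ; popfd ; push eax ; push imm32 ; retn 4
# re.DOTALL so the four immediate bytes may contain 0x0A.
STUB_RE = re.compile(rb"\x61\x9d\x50\x68(.{4})\xc2\x04\x00", re.DOTALL)


def find_oep_stubs(code, base, image_base=None, image_size=None):
    """Scan a code dump for the PECompact-style OEP hand-off.

    Returns a list of (stub_address, oep) tuples. The imm32 of the push is
    what `retn 4` jumps to, i.e. the original entry point. When image_base
    and image_size are given, candidates whose imm32 lies outside the loaded
    image are dropped: a push of some unrelated constant is not an OEP.
    """
    hits = []
    for m in STUB_RE.finditer(code):
        oep = struct.unpack("<I", m.group(1))[0]  # little-endian imm32
        if image_base is not None and image_size is not None:
            if not (image_base <= oep < image_base + image_size):
                continue
        hits.append((base + m.start(), oep))
    return hits


if __name__ == "__main__":
    # Assumed image range for the Throttle sample: base 00400000, size 100000.
    for addr, oep in find_oep_stubs(SAMPLE, SAMPLE_BASE, 0x00400000, 0x00100000):
        print(f"stub at {addr:08X}: retn 4 transfers to OEP {oep:08X}")
```

Run it against a dump of the unpacking stub's code section (for example the bytes OllyDbg shows in the region around the final popad) rather than the whole file, and treat the image-range filter as a first pass only: a pushed address inside the image is consistent with an OEP, not proof of one.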