ASProtect 1.23RC4 以壳解壳+暗桩修复+解除自校验+破解――ArtCursors V3.99B3
        
      
        
下载页面：  http://www.onlinedown.net/soft/27328.htm
软件大小：  993KB
软件语言：  英文
软件类别：  国外软件/共享版/图标工具
运行环境：  Win9x/Me/NT/2000/XP
加入时间：  2004-6-10 20:18:29
下载次数：  707
软件评级：  ****
软件介绍：  Aha-soft继ArtIcons后，又一套极佳的鼠标光标编辑工具，支持标准的16x16、32x32..及自订尺寸图示，除可观看、绘制、抓取、收集、和管理等功能外，亦有渐层着色功能及齐全的编辑工具。支持格式包括：ico、ani、cur、wmf、emf、bmp、jpg、jpeg、gif、png，它并从图像ICO、JPG等文件中导入。
      
【作者声明】：只是感兴趣，没有其他目的。失误之处敬请诸位大侠赐教！
      
【调试环境】：WinXP、Ollydbg、PEiD、LordPE、ImportREC
      
―――――――――――――――――――――――――――――――――
【脱壳过程】：
                 
               
      
有兄弟让看看这个东东，抽空看了一下，发现和以前版本的没有太多区别。
还看了一下其同门软件ArtIcons Pro V4.06b，脱壳方法和这个一样。
―――――――――――――――――――――――――――――――――
一、以壳解壳：Stolen Code + OEP
      
      
设置Ollydbg忽略除了“内存访问异常”之外的所有其它异常选项。老规矩：用IsDebug 1.4插件去掉Ollydbg的调试器标志。
      

00401000     68 01C05900         push ARTCUR.0059C001//进入OD后停在这
00401005     E8 01000000         call ARTCUR.0040100B
0040100A     C3                  retn

00B539EC     3100                xor dword ptr ds:[eax],eax//最后1次异常
00B539EE     64:8F05 00000000    pop dword ptr fs:[0]
00B539F5     58                  pop eax
00B539F6     833D B07EB500 00    cmp dword ptr ds:[B57EB0],0
00B539FD     74 14               je short 00B53A13
00B539FF     6A 0C               push 0C
00B53A01     B9 B07EB500         mov ecx,0B57EB0
00B53A06     8D45 F8             lea eax,dword ptr ss:[ebp-8]
00B53A09     BA 04000000         mov edx,4
00B53A0E     E8 2DD1FFFF         call 00B50B40
00B53A13     FF75 FC             push dword ptr ss:[ebp-4]
00B53A16     FF75 F8             push dword ptr ss:[ebp-8]
00B53A19     8B45 F4             mov eax,dword ptr ss:[ebp-C]
00B53A1C     8338 00             cmp dword ptr ds:[eax],0
00B53A1F     74 02               je short 00B53A23
00B53A21     FF30                push dword ptr ds:[eax]
00B53A23     FF75 F0             push dword ptr ss:[ebp-10]
00B53A26     FF75 EC             push dword ptr ss:[ebp-14]
00B53A29     C3                  retn//此处下断，Shift+F9，断在这！

0012FF5C    00B67190
0012FF60    00400000  ASCII "MZP"
0012FF64    32C336F0
0012FF68    0012FFA4 //注意这里 ★

00B672D3     03C3                add eax,ebx
00B672D5     BB AC060000         mov ebx,6AC//注意这个值 ★ 这里就可以按“以壳解壳”的方法来脱壳了
00B672DA     0BDB                or ebx,ebx
00B672DC     75 07               jnz short 00B672E5

00B672E5     E8 00000000         call 00B672EA
00B672EA     5D                  pop ebp
00B672EB     81ED 4DE14B00       sub ebp,4BE14D
00B672F1     8D85 F2E04B00       lea eax,dword ptr ss:[ebp+4BE0F2]
00B672F7     8D8D 94E14B00       lea ecx,dword ptr ss:[ebp+4BE194]
00B672FD     03CB                add ecx,ebx
00B672FF     8941 01             mov dword ptr ds:[ecx+1],eax
00B67302     8D85 36E14B00       lea eax,dword ptr ss:[ebp+4BE136]
00B67308     8D8D FAE04B00       lea ecx,dword ptr ss:[ebp+4BE0FA]
00B6730E     8901                mov dword ptr ds:[ecx],eax
00B67310     B8 5E140000         mov eax,145E
00B67315     8D8D FFE04B00       lea ecx,dword ptr ss:[ebp+4BE0FF]
00B6731B     8901                mov dword ptr ds:[ecx],eax
00B6731D     8D8D 94E14B00       lea ecx,dword ptr ss:[ebp+4BE194]
00B67323     8D85 94F34B00       lea eax,dword ptr ss:[ebp+4BF394]
00B67329     51                  push ecx
00B6732A     50                  push eax
00B6732B     E8 76FFFFFF         call 00B672A6
00B67330     61                  popad
00B67331     F3:                 prefix rep:
00B67332     EB 02               jmp short 00B67336

00B67362     FF53 0E             call dword ptr ds:[ebx+E]//这个CALL里面处理 Stolen Code  ★
       
00B67399     896C24 04           mov dword ptr ss:[esp+4],ebp
00B673A1     8D6424 04           lea esp,dword ptr ss:[esp+4]//push ebp ★
00B673A5     8BEC                mov ebp,esp ★
00B673A7     81EC 0C000000       sub esp,0C//ADD ESP,-0C  ★
       
00B674DE     8BC3                mov eax,ebx  ; ARTCUR.00544CC3
00B674E3     83C0 51             add eax,51//mov eax,00544D14 ★

005451AC     55                  push ebp
005451AD     8BEC                mov ebp,esp
005451AF     83C4 F4             add esp,-0C
005451B2     B8 144D5400         mov eax,00544D14//Stolen Code
005451B7     E8 7018ECFF         call ARTCUR.00406A2C
005451BC     FF15 14BC5400       call dword ptr ds:[54BC14]; ARTCUR.00544BC0
005451C2     E8 4DEAEBFF         call ARTCUR.00403C14

AsprDbgr v1.0beta (:P) Made by me... Manko.
       
  iEP=401000 (E:\试炼场\脱壳学习\ASProtect\ArtCursors 4.02 Beta\ARTCUR.EXE
       
  GST returns to: B42667
    Trick aspr GST... (EAX=12121212h)
  GV returns to: B51A61
    IAT Start: 54E1A4
          End: 54E994
       Length: 7F0
      IATentry 54E1F8 = B517A4 resolved as GetProcAddress
      IATentry 54E1FC = B51C64 resolved as GetModuleHandleA
      IATentry 54E210 = B51CD8 resolved as GetCommandLineA
      IATentry 54E2B0 = B51C64 resolved as GetModuleHandleA
      IATentry 54E340 = B51CC8 resolved as LockResource
      IATentry 54E38C = B51C8C resolved as GetVersion
      IATentry 54E3A8 = B517A4 resolved as GetProcAddress
      IATentry 54E3B0 = B51C64 resolved as GetModuleHandleA
      IATentry 54E3E4 = B51CC0 resolved as GetCurrentProcessId
      IATentry 54E3F0 = B51CF0 resolved as FreeResource
    SymbolInitialize seems to have frozen.
    Any invalid IAT entries was NOT erased...
  Dip-Table at adress: B57AB4
    0 4FEE78 0 0 4FEECC 0 0 544BC0 544CBC 544CDC 0 4FEEF4 4FEEE4 0
  Last SEH passed. Searching for signatures. Singlestepping to OEP!
    Call + OEP-jump-setup at: B68015 ( Code: E8000000 5D81ED )
    Mutated, stolen bytes at: B68060 ( Code: 61F3EB02 CD20EB01 )
    Erase of stolen bytes at: B67FC4 ( Code: 9CFCBF03 80B600B9 )
      Repz ... found. Skipping erase of stolen bytes. ;)
  Dip from pre-OEP: 40692C (Reached from: B67FD5)
  Sugested tempOEP at: 5451B7

00B60000     BB AC060000         mov ebx,6AC
00B60005     E9 DB720000         jmp UnPacked.00B672E5//跳至“以壳解壳”代码段

00B6896B     00A4E1 14006B65     add byte ptr ds:[ecx+656B0014],ah//异常

0012FDFC    00539780  返回到 dumped_.00539780

[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入！