A packer scan identified it as: UltraProtect 1.x -> RISCO Software Inc, so my initial guess was ACProtect.
After loading it in OD, the entry point shows as:
00705000 > $ 60 pushad
00705001 . 50 push eax
00705002 . E8 01000000 call JY007.00705008
00705007 E8 db E8
00705008 $ 83C4 04 add esp,0x4
0070500B . 58 pop eax ; kernel32.7C82F32B
0070500C . F9 stc
0070500D . 70 02 jo short JY007.00705011
0070500F . 85F3 test ebx,esi
00705011 > 7C 03 jl short JY007.00705016
00705013 . 7D 01 jge short JY007.00705016
00705015 76 db 76 ; CHAR 'v'
00705016 . 85F1 test ecx,esi
00705018 . E8 01000000 call JY007.0070501E
0070501D >- 76 83 jbe short JY007.00704FA2
0070501F . 04 24 add al,0x24
00705021 . 06 push es
00705022 . C3 retn
I unpacked it with a script. The scan then showed the original program is a VB program, but .perplex is still there:
Memory map, item 29
Address=00705000
Size=0001E000 (122880.)
Owner=JY007 00400000
Section=.perplex
Contains=SFX,code,imports
Type=Imag 01001002
Access=R
Initial access=RWE
But it won't run, and the IAT repair reports no errors:
Loading the unpacked file in OD, the VB entry address is correct:
00412004 > 68 8C214100 push 已脱壳未.0041218C ; ASCII "VB5!6&vb6chs.dll"
00412009 E8 F0FFFFFF call 已脱壳未.00411FFE
0041200E 0000 add byte ptr ds:[eax],al
00412010 0000 add byte ptr ds:[eax],al
00412012 0000 add byte ptr ds:[eax],al
00412014 3000 xor byte ptr ds:[eax],al
00412016 0000 add byte ptr ds:[eax],al
00412018 40 inc eax
Address 00705000 still holds ACProtect's entry stub:
00705000 60 pushad
00705001 50 push eax
00705002 E8 01000000 call 已脱壳未.00705008
00705007 E8 83C40458 call 5875148F
0070500C F9 stc
0070500D 70 02 jo short 已脱壳未.00705011
0070500F 85F3 test ebx,esi
00705011 7C 03 jl short 已脱壳未.00705016
00705013 7D 01 jge short 已脱壳未.00705016
00705015 - 76 85 jbe short 已脱壳未.00704F9C
00705017 F1 int1
00705018 E8 01000000 call 已脱壳未.0070501E
0070501D - 76 83 jbe short 已脱壳未.00704FA2
0070501F 04 24 add al,0x24
00705021 06 push es
00705022 C3 retn
Could the experts here tell me how to solve this? I'm just a newbie and urgently need some guidance. Many thanks in advance.
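What a practitioner would check next on the dumped file, as an added example that is not part of the original post: parse the PE header of the dump and see whether the entry point, the import directory, and any section still marked RWE fall inside the packer's .perplex section, since the memory map above shows that section still holding code and the import table after unpacking. The script parses only the header and section table with struct, so it runs offline on a constructed PE32 header that mirrors the numbers quoted in the post (image base 00400000, VB entry 00412004, .perplex at 00705000 with size 0001E000 and the import directory inside it). That constructed layout, including the assumption that the real JY007 dump has a section table of this shape, is an assumption rather than a value read from the real file.

```python
"""Header-level triage of a dumped PE: what still depends on the packer section?

Added example, not code from the original post. Only the PE header and section
table are parsed, so it runs offline on a constructed PE32 header (see
build_sample_pe) whose layout is an assumption modelled on the post's numbers.
"""
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
IMAGE_DIRECTORY_ENTRY_IMPORT = 1


def parse_pe32(data):
    """Parse just enough of a PE32 header to locate entry, imports and sections."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    import_rva, import_size = struct.unpack_from(
        "<II", data, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i
        name, vsize, va = struct.unpack_from("<8sII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "va": va, "vsize": vsize, "chars": chars})
    return {"image_base": image_base, "entry_rva": entry_rva,
            "import_rva": import_rva, "import_size": import_size,
            "sections": sections}


def section_of(pe, rva):
    """Name of the section whose virtual range contains rva, or None."""
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + s["vsize"]:
            return s["name"]
    return None


def triage(data, packer_section=".perplex"):
    """Report where the entry and import directory land and which sections are RWE."""
    pe = parse_pe32(data)
    rwe = [s["name"] for s in pe["sections"]
           if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["chars"] & IMAGE_SCN_MEM_WRITE]
    entry_sec = section_of(pe, pe["entry_rva"])
    import_sec = section_of(pe, pe["import_rva"]) if pe["import_size"] else None
    return {
        "entry_va": pe["image_base"] + pe["entry_rva"],
        "entry_section": entry_sec,
        "import_va": pe["image_base"] + pe["import_rva"],
        "import_section": import_sec,
        "rwe_sections": rwe,
        # The OEP may be fixed while imports are still resolved through the
        # packer's section; then the dump is not yet independent of the stub.
        "imports_still_in_packer": import_sec == packer_section,
    }


def build_sample_pe():
    """Constructed PE32 header (assumption) mirroring the post: base 00400000,
    entry 00412004 in .text, .perplex at 00705000/0001E000 holding the imports."""
    def section(name, va, vsize, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, vsize, 0x400, 0, 0, 0, 0, chars)
    sections = (
        section(b".text", 0x1000, 0x2F4000, IMAGE_SCN_MEM_EXECUTE | 0x40000000 | 0x20),
        section(b".perplex", 0x305000, 0x1E000,
                IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE | 0x40000000 | 0x20),
    )
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)              # PE32 magic
    struct.pack_into("<I", opt, 16, 0x12004)           # AddressOfEntryPoint (VB5!6& push)
    struct.pack_into("<I", opt, 28, 0x400000)          # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)    # Section / File alignment
    struct.pack_into("<I", opt, 92, 16)                # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT, 0x305800, 0x100)
    return dos + b"PE\0\0" + coff + bytes(opt) + b"".join(sections)


if __name__ == "__main__":
    for key, val in triage(build_sample_pe()).items():
        print(f"{key:24} {val:#x}" if type(val) is int else f"{key:24} {val}")
```

To run it on the actual dump, replace build_sample_pe() with the bytes of the file (open(path, "rb").read()). If import_section comes back as ".perplex", the repaired import table still lives in the packer's section, so the file still depends on that section being present and intact at load time; an import table that was rebuilt into its own section would report that section instead.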