-
-
[求助]一个与众不同的UltraProtect壳,请高手指点
-
发表于: 2005-12-13 21:31
-
用PEID查壳是UltraProtect 1.x -> RISCO Software Inc.
用OD加载后的代码:OD加载后的代码和论坛上的文章都不一样,真是晕呀
也试了FLY的方法,但那个 BP Process32First+1 断点都断不住
00AD5000 > 60 pushad
00AD5001 E8 01000000 call 1.00AD5007
00AD5006 7A 83 jpe short 1.00AD4F8B
00AD5008 C40443 les eax,fword ptr ds:[ebx+eax*2]
00AD500B FC cld
00AD500C F8 clc
00AD500D F9 stc
00AD500E 8BEA mov ebp,edx
00AD5010 8BF8 mov edi,eax
00AD5012 E8 01000000 call 1.00AD5018
00AD5017 - 77 83 ja short 1.00AD4F9C
00AD5019 04 24 add al,24
00AD501B 06 push es
00AD501C C3 retn
00AD501D 8BD9 mov ebx,ecx
00AD501F 74 03 je short 1.00AD5024
00AD5021 75 01 jnz short 1.00AD5024
00AD5023 9A 4DEB0173 E90C call far 0CE9:7301EB4D
00AD502A 0000 add byte ptr ds:[eax],al
00AD502C 0066 81 add byte ptr ds:[esi-7F],ah
00AD502F C1FD 20 sar ebp,20
00AD5032 0F82 01000000 jb 1.00AD5039
00AD5038 49 dec ecx
00AD5039 BF 4A51AD00 mov edi,1.00AD514A
00AD503E E8 01000000 call 1.00AD5044
00AD5043 - EB 83 jmp short 1.00AD4FC8
00AD5045 C404E9 les eax,fword ptr ds:[ecx+ebp*8]
00AD5048 0300 add eax,dword ptr ds:[eax]
00AD504A 0000 add byte ptr ds:[eax],al
00AD504C 85C2 test edx,eax
00AD504E 40 inc eax
00AD504F BD 1B6C994F mov ebp,4F996C1B
00AD5054 4A dec edx
00AD5055 81C5 9B2B0508 add ebp,8052B9B
00AD505B 7C 03 jl short 1.00AD5060
00AD505D 7D 01 jge short 1.00AD5060
00AD505F ^ 76 E9 jbe short 1.00AD504A
00AD5061 0800 or byte ptr ds:[eax],al
00AD5063 0000 add byte ptr ds:[eax],al
00AD5065 66:8BCD mov cx,bp
00AD5068 73 03 jnb short 1.00AD506D
00AD506A 66:D3FA sar dx,cl
00AD506D BB 9A638AE5 mov ebx,E58A639A
00AD5072 71 01 jno short 1.00AD5075
00AD5074 4A dec edx
00AD5075 81C3 9D9C751A add ebx,1A759C9D
--------------------------------
我忽略了除了内存异常以外的所以的异常
F9运行中断
00AE6B2E CD 01 int 1
00AE6B30 40 inc eax
00AE6B31 40 inc eax
00AE6B32 0BC0 or eax,eax
00AE6B34 75 05 jnz short 1.00AE6B3B
00AE6B36 90 nop
00AE6B37 90 nop
00AE6B38 90 nop
00AE6B39 90 nop
00AE6B3A 61 popad
00AE6B3B 33C0 xor eax,eax
00AE6B3D 64:8F00 pop dword ptr fs:[eax]
00AE6B40 58 pop eax
00AE6B41 60 pushad
00AE6B42 E8 00000000 call 1.00AE6B47
00AE6B47 5E pop esi
00AE6B48 83EE 06 sub esi,6
00AE6B4B B9 57000000 mov ecx,57
00AE6B50 29CE sub esi,ecx
00AE6B52 BA 9F5FD307 mov edx,7D35F9F
00AE6B57 C1E9 02 shr ecx,2
00AE6B5A 83E9 02 sub ecx,2
00AE6B5D 83F9 00 cmp ecx,0
00AE6B60 7C 1A jl short 1.00AE6B7C
00AE6B62 8B048E mov eax,dword ptr ds:[esi+ecx*4]
00AE6B65 8B5C8E 04 mov ebx,dword ptr ds:[esi+ecx*4+4]
00AE6B69 03C3 add eax,ebx
00AE6B6B C1C0 15 rol eax,15
00AE6B6E 33C2 xor eax,edx
00AE6B70 81EA 3CEF6E6A sub edx,6A6EEF3C
00AE6B76 89048E mov dword ptr ds:[esi+ecx*4],eax
00AE6B79 49 dec ecx
00AE6B7A ^ EB E1 jmp short 1.00AE6B5D
00AE6B7C 61 popad
00AE6B7D 61 popad
00AE6B7E C3 retn
----------------------------------------------------------------------
ALT+M打开内存,F2在这下断
00400000 00001000 1 PE 文件头 Imag R RWE
00401000 002AC000 1 CODE --------------在这里下断
006AD000 0001E000 1 DATA 代码,数据 Imag R RWE
006CB000 00004000 1 BSS 代码 Imag R RWE
----------------------------------------------------------------------
SHIFT+F9运行,断在这,晕呀,几论坛上的好多的文章都不同呀,不知怎么办呀,请高手指点
006AC13C 6A 00 push 0
006AC13E 6A 00 push 0
006AC140 49 dec ecx
006AC141 ^ 75 F9 jnz short 1.006AC13C
006AC143 53 push ebx
006AC144 56 push esi
006AC145 B8 2CB76A00 mov eax,1.006AB72C
006AC14A E8 FDB4D5FF call 1.0040764C
006AC14F 33C0 xor eax,eax
006AC151 55 push ebp
006AC152 68 5FC56A00 push 1.006AC55F
006AC157 64:FF30 push dword ptr fs:[eax]
006AC15A 64:8920 mov dword ptr fs:[eax],esp
006AC15D 68 70C56A00 push 1.006AC570 ; ASCII "1"
006AC162 E8 E5B8D5FF call 1.00407A4C ; jmp 到 kernel32.GlobalFindAtomA
006AC167 66:85C0 test ax,ax
006AC16A 0F85 9B030000 jnz 1.006AC50B
006AC170 E8 A7F1FFFF call 1.006AB31C
006AC175 84C0 test al,al
006AC177 0F84 C7030000 je 1.006AC544
006AC17D 68 70C56A00 push 1.006AC570 ; ASCII "1"
006AC182 E8 ADB8D5FF call 1.00407A34 ; jmp 到 kernel32.GlobalAddAtomA
006AC187 8D55 E8 lea edx,dword ptr ss:[ebp-18]
006AC18A A1 6CA76C00 mov eax,dword ptr ds:[6CA76C]
006AC18F 8B00 mov eax,dword ptr ds:[eax]
006AC191 E8 021ADDFF call 1.0047DB98
006AC196 8B45 E8 mov eax,dword ptr ss:[ebp-18]
006AC199 8D55 EC lea edx,dword ptr ss:[ebp-14]
006AC19C E8 A3E5D5FF call 1.0040A744
006AC1A1 8B55 EC mov edx,dword ptr ss:[ebp-14]
006AC1A4 A1 A8A66C00 mov eax,dword ptr ds:[6CA6A8]
006AC1A9 B9 84C56A00 mov ecx,1.006AC584 ; ASCII "Sys\CBIme.INI"
006AC1AE E8 618FD5FF call 1.00405114
006AC1B3 8B0D A8A66C00 mov ecx,dword ptr ds:[6CA6A8] ; 1.006CEBE4
006AC1B9 8B09 mov ecx,dword ptr ds:[ecx]
006AC1BB B2 01 mov dl,1
006AC1BD A1 94EE4700 mov eax,dword ptr ds:[47EE94]
006AC1C2 E8 7D2DDDFF call 1.0047EF44
006AC1C7 8BD8 mov ebx,eax
006AC1C9 6A 00 push 0
006AC1CB B9 9CC56A00 mov ecx,1.006AC59C ; ASCII "Index"
006AC1D0 BA ACC56A00 mov edx,1.006AC5AC ; ASCII "Configuration"
006AC1D5 8BC3 mov eax,ebx
006AC1D7 8B30 mov esi,dword ptr ds:[eax]
006AC1D9 FF56 0C call dword ptr ds:[esi+C]
006AC1DC A1 6CA76C00 mov eax,dword ptr ds:[6CA76C]
用OD加载后的代码:OD加载后的代码和论坛上的文章都不一样,真是晕呀
也试了FLY的方法,但那个 BP Process32First+1 断点都断不住
00AD5000 > 60 pushad
00AD5001 E8 01000000 call 1.00AD5007
00AD5006 7A 83 jpe short 1.00AD4F8B
00AD5008 C40443 les eax,fword ptr ds:[ebx+eax*2]
00AD500B FC cld
00AD500C F8 clc
00AD500D F9 stc
00AD500E 8BEA mov ebp,edx
00AD5010 8BF8 mov edi,eax
00AD5012 E8 01000000 call 1.00AD5018
00AD5017 - 77 83 ja short 1.00AD4F9C
00AD5019 04 24 add al,24
00AD501B 06 push es
00AD501C C3 retn
00AD501D 8BD9 mov ebx,ecx
00AD501F 74 03 je short 1.00AD5024
00AD5021 75 01 jnz short 1.00AD5024
00AD5023 9A 4DEB0173 E90C call far 0CE9:7301EB4D
00AD502A 0000 add byte ptr ds:[eax],al
00AD502C 0066 81 add byte ptr ds:[esi-7F],ah
00AD502F C1FD 20 sar ebp,20
00AD5032 0F82 01000000 jb 1.00AD5039
00AD5038 49 dec ecx
00AD5039 BF 4A51AD00 mov edi,1.00AD514A
00AD503E E8 01000000 call 1.00AD5044
00AD5043 - EB 83 jmp short 1.00AD4FC8
00AD5045 C404E9 les eax,fword ptr ds:[ecx+ebp*8]
00AD5048 0300 add eax,dword ptr ds:[eax]
00AD504A 0000 add byte ptr ds:[eax],al
00AD504C 85C2 test edx,eax
00AD504E 40 inc eax
00AD504F BD 1B6C994F mov ebp,4F996C1B
00AD5054 4A dec edx
00AD5055 81C5 9B2B0508 add ebp,8052B9B
00AD505B 7C 03 jl short 1.00AD5060
00AD505D 7D 01 jge short 1.00AD5060
00AD505F ^ 76 E9 jbe short 1.00AD504A
00AD5061 0800 or byte ptr ds:[eax],al
00AD5063 0000 add byte ptr ds:[eax],al
00AD5065 66:8BCD mov cx,bp
00AD5068 73 03 jnb short 1.00AD506D
00AD506A 66:D3FA sar dx,cl
00AD506D BB 9A638AE5 mov ebx,E58A639A
00AD5072 71 01 jno short 1.00AD5075
00AD5074 4A dec edx
00AD5075 81C3 9D9C751A add ebx,1A759C9D
--------------------------------
我忽略了除了内存异常以外的所以的异常
F9运行中断
00AE6B2E CD 01 int 1
00AE6B30 40 inc eax
00AE6B31 40 inc eax
00AE6B32 0BC0 or eax,eax
00AE6B34 75 05 jnz short 1.00AE6B3B
00AE6B36 90 nop
00AE6B37 90 nop
00AE6B38 90 nop
00AE6B39 90 nop
00AE6B3A 61 popad
00AE6B3B 33C0 xor eax,eax
00AE6B3D 64:8F00 pop dword ptr fs:[eax]
00AE6B40 58 pop eax
00AE6B41 60 pushad
00AE6B42 E8 00000000 call 1.00AE6B47
00AE6B47 5E pop esi
00AE6B48 83EE 06 sub esi,6
00AE6B4B B9 57000000 mov ecx,57
00AE6B50 29CE sub esi,ecx
00AE6B52 BA 9F5FD307 mov edx,7D35F9F
00AE6B57 C1E9 02 shr ecx,2
00AE6B5A 83E9 02 sub ecx,2
00AE6B5D 83F9 00 cmp ecx,0
00AE6B60 7C 1A jl short 1.00AE6B7C
00AE6B62 8B048E mov eax,dword ptr ds:[esi+ecx*4]
00AE6B65 8B5C8E 04 mov ebx,dword ptr ds:[esi+ecx*4+4]
00AE6B69 03C3 add eax,ebx
00AE6B6B C1C0 15 rol eax,15
00AE6B6E 33C2 xor eax,edx
00AE6B70 81EA 3CEF6E6A sub edx,6A6EEF3C
00AE6B76 89048E mov dword ptr ds:[esi+ecx*4],eax
00AE6B79 49 dec ecx
00AE6B7A ^ EB E1 jmp short 1.00AE6B5D
00AE6B7C 61 popad
00AE6B7D 61 popad
00AE6B7E C3 retn
----------------------------------------------------------------------
ALT+M打开内存,F2在这下断
00400000 00001000 1 PE 文件头 Imag R RWE
00401000 002AC000 1 CODE --------------在这里下断
006AD000 0001E000 1 DATA 代码,数据 Imag R RWE
006CB000 00004000 1 BSS 代码 Imag R RWE
----------------------------------------------------------------------
SHIFT+F9运行,断在这,晕呀,几论坛上的好多的文章都不同呀,不知怎么办呀,请高手指点
006AC13C 6A 00 push 0
006AC13E 6A 00 push 0
006AC140 49 dec ecx
006AC141 ^ 75 F9 jnz short 1.006AC13C
006AC143 53 push ebx
006AC144 56 push esi
006AC145 B8 2CB76A00 mov eax,1.006AB72C
006AC14A E8 FDB4D5FF call 1.0040764C
006AC14F 33C0 xor eax,eax
006AC151 55 push ebp
006AC152 68 5FC56A00 push 1.006AC55F
006AC157 64:FF30 push dword ptr fs:[eax]
006AC15A 64:8920 mov dword ptr fs:[eax],esp
006AC15D 68 70C56A00 push 1.006AC570 ; ASCII "1"
006AC162 E8 E5B8D5FF call 1.00407A4C ; jmp 到 kernel32.GlobalFindAtomA
006AC167 66:85C0 test ax,ax
006AC16A 0F85 9B030000 jnz 1.006AC50B
006AC170 E8 A7F1FFFF call 1.006AB31C
006AC175 84C0 test al,al
006AC177 0F84 C7030000 je 1.006AC544
006AC17D 68 70C56A00 push 1.006AC570 ; ASCII "1"
006AC182 E8 ADB8D5FF call 1.00407A34 ; jmp 到 kernel32.GlobalAddAtomA
006AC187 8D55 E8 lea edx,dword ptr ss:[ebp-18]
006AC18A A1 6CA76C00 mov eax,dword ptr ds:[6CA76C]
006AC18F 8B00 mov eax,dword ptr ds:[eax]
006AC191 E8 021ADDFF call 1.0047DB98
006AC196 8B45 E8 mov eax,dword ptr ss:[ebp-18]
006AC199 8D55 EC lea edx,dword ptr ss:[ebp-14]
006AC19C E8 A3E5D5FF call 1.0040A744
006AC1A1 8B55 EC mov edx,dword ptr ss:[ebp-14]
006AC1A4 A1 A8A66C00 mov eax,dword ptr ds:[6CA6A8]
006AC1A9 B9 84C56A00 mov ecx,1.006AC584 ; ASCII "Sys\CBIme.INI"
006AC1AE E8 618FD5FF call 1.00405114
006AC1B3 8B0D A8A66C00 mov ecx,dword ptr ds:[6CA6A8] ; 1.006CEBE4
006AC1B9 8B09 mov ecx,dword ptr ds:[ecx]
006AC1BB B2 01 mov dl,1
006AC1BD A1 94EE4700 mov eax,dword ptr ds:[47EE94]
006AC1C2 E8 7D2DDDFF call 1.0047EF44
006AC1C7 8BD8 mov ebx,eax
006AC1C9 6A 00 push 0
006AC1CB B9 9CC56A00 mov ecx,1.006AC59C ; ASCII "Index"
006AC1D0 BA ACC56A00 mov edx,1.006AC5AC ; ASCII "Configuration"
006AC1D5 8BC3 mov eax,ebx
006AC1D7 8B30 mov esi,dword ptr ds:[eax]
006AC1D9 FF56 0C call dword ptr ds:[esi+C]
006AC1DC A1 6CA76C00 mov eax,dword ptr ds:[6CA76C]
|
|
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
