Packer: Armadillo 3.78 -> Silicon Realms Toolworks
Ignore all exceptions, and additionally add the following ones (set in OD under Debugging options -> Exceptions):
C0000005(ACCESS VIOLATION)
C000001D(ILLEGAL INSTRUCTION)
C000001E(INVALID LOCK SEQUENCE)
C0000096(PRIVILEGED INSTRUCTION)
Load it in OD, first set a breakpoint with BP OpenMutexA, then run with Shift+F9.
7C80EC1B > 8BFF MOV EDI,EDI ; breaks here.
7C80EC1D 55 PUSH EBP
7C80EC1E 8BEC MOV EBP,ESP
7C80EC20 51 PUSH ECX
7C80EC21 51 PUSH ECX
7C80EC22 837D 10 00 CMP DWORD PTR SS:[EBP+10],0
7C80EC26 56 PUSH ESI
7C80EC27 0F84 7A500300 JE kernel32.7C843CA7
7C80EC2D 64:A1 18000000 MOV EAX,DWORD PTR FS:[18]
7C80EC33 FF75 10 PUSH DWORD PTR SS:[EBP+10]
7C80EC36 8DB0 F80B0000 LEA ESI,DWORD PTR DS:[EAX+BF8]
7C80EC3C 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
7C80EC3F 50 PUSH EAX
Looking at the stack:
0012F710 00462F0B /CALL 到 OpenMutexA
0012F714 001F0001 |Access = 1F0001
0012F718 00000000 |Inheritable = FALSE
0012F71C 0012FDA0 \MutexName = "964::DA159E951C"
0012F720 00000004
0012F724 00000000
0012F728 00478323 Yuhon.00478323
0012F72C 003E1BB0
0012F730 003E0000
Press Ctrl+G and enter 401000.
This gives the following code:
00401000 0000 ADD BYTE PTR DS:[EAX],AL
00401002 0000 ADD BYTE PTR DS:[EAX],AL
00401004 0000 ADD BYTE PTR DS:[EAX],AL
00401006 0000 ADD BYTE PTR DS:[EAX],AL
00401008 0000 ADD BYTE PTR DS:[EAX],AL
0040100A 0000 ADD BYTE PTR DS:[EAX],AL
0040100C 0000 ADD BYTE PTR DS:[EAX],AL
0040100E 0000 ADD BYTE PTR DS:[EAX],AL
00401010 0000 ADD BYTE PTR DS:[EAX],AL
00401012 0000 ADD BYTE PTR DS:[EAX],AL
00401014 0000 ADD BYTE PTR DS:[EAX],AL
00401016 0000 ADD BYTE PTR DS:[EAX],AL
Could an expert please advise?