Post #2 (LV2, RANK:10)
But first you have to work out whether it is a compression packer or an encryption packer.
Compression packer: you can use your method.
Encryption packer: there are lots of anti-debug tricks in between; if you don't deal with the anti tricks you won't even get near the OEP.
Post #3 (LV9, RANK:3410)
004013D5 6A 60 push 60
004013D7 68 18524000 push 405218
004013DC E8 830D0000 call 00402164
004013E1 BF 94000000 mov edi,94
004013E6 8BC7 mov eax,edi
004013E8 E8 C30D0000 call 004021B0
004013ED 8965 E8 mov dword ptr ss:[ebp-18],esp
004013F0 8BF4 mov esi,esp
004013F2 893E mov dword ptr ds:[esi],edi
004013F4 56 push esi
004013F5 FF15 5C504000 call dword ptr ds:[40505C] ; kernel32.GetVersionExA
Like this: once you break on GetVersionExA and return from it, if you see code similar to this you can be sure of the OEP.
Some concepts are getting more and more muddled.
What on earth is "broad-sense ESP" and "narrow-sense ESP"?
Post #4 (LV9, RANK:180)
Quote (originally posted by 闪电狼): But first you have to work out whether it is a compression packer or an encryption packer. Compression packer: you can use your method. Encryption packer: there are lots of anti-debug tricks in between; if you don't deal with the anti tricks you won't even get near the OEP.
I didn't see any anti code, so there should be no anti; this is a game from a well-known game company.
Quote (originally posted by fly): 004013D5 6A 60 push 60 004013D7 68 18524000 push 405218 004013DC E8 830D0000 call 00402164 004013E1 BF 94000000 mov edi,94 004013E6 8BC7 mov eax,edi ........
Thanks, I'll give it a try. I have seen this push 60 before; is it in the code just above GetVersionExA? I'll try it.
Thanks, everyone.
Post #5 (LV9, RANK:180)
004BEC77 . 6A 60 PUSH 60
004BEC79 . 68 10044F00 PUSH Chuzzle.004F0410
004BEC7E . E8 CD400000 CALL Chuzzle.004C2D50
004BEC83 . BF 94000000 MOV EDI,94
004BEC88 . 8BC7 MOV EAX,EDI
004BEC8A . E8 F1FCFFFF CALL Chuzzle.004BE980
004BEC8F . 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP
004BEC92 . 8BF4 MOV ESI,ESP
004BEC94 . 893E MOV DWORD PTR DS:[ESI],EDI
004BEC96 . 56 PUSH ESI ; /pVersionInformation
004BEC97 . FF15 0C714D00 CALL DWORD PTR DS:[<&KERNEL32.GetVersion>; \GetVersionExA
004BEC9D . 8B4E 10 MOV ECX,DWORD PTR DS:[ESI+10]
004BECA0 . 890D 008F5000 MOV DWORD PTR DS:[508F00],ECX
004BECA6 . 8B46 04 MOV EAX,DWORD PTR DS:[ESI+4]
004BECA9 . A3 0C8F5000 MOV DWORD PTR DS:[508F0C],EAX
004BECAE . 8B56 08 MOV EDX,DWORD PTR DS:[ESI+8]
004BECB1 . 8915 108F5000 MOV DWORD PTR DS:[508F10],EDX
004BECB7 . 8B76 0C MOV ESI,DWORD PTR DS:[ESI+C]
004BECBA . 81E6 FF7F0000 AND ESI,7FFF
004BECC0 . 8935 048F5000 MOV DWORD PTR DS:[508F04],ESI
004BECC6 . 83F9 02 CMP ECX,2
004BECC9 . 74 0C JE SHORT Chuzzle.004BECD7
004BECCB . 81CE 00800000 OR ESI,8000
004BECD1 . 8935 048F5000 MOV DWORD PTR DS:[508F04],ESI
004BECD7 > C1E0 08 SHL EAX,8
004BECDA . 03C2 ADD EAX,EDX
004BECDC . A3 088F5000 MOV DWORD PTR DS:[508F08],EAX
004BECE1 . 33F6 XOR ESI,ESI
004BECE3 . 56 PUSH ESI ; /pModule => NULL
004BECE4 . 8B3D F4704D00 MOV EDI,DWORD PTR DS:[<&KERNEL32.GetModu>; |kernel32.GetModuleHandleA
004BECEA . FFD7 CALL EDI ; \GetModuleHandleA
004BECEC . 66:8138 4D5A CMP WORD PTR DS:[EAX],5A4D
004BECF1 . 75 1F JNZ SHORT Chuzzle.004BED12
004BECF3 . 8B48 3C MOV ECX,DWORD PTR DS:[EAX+3C]
004BECF6 . 03C8 ADD ECX,EAX
004BECF8 . 8139 50450000 CMP DWORD PTR DS:[ECX],4550
004BECFE . 75 12 JNZ SHORT Chuzzle.004BED12
004BED00 . 0FB741 18 MOVZX EAX,WORD PTR DS:[ECX+18]
004BED04 . 3D 0B010000 CMP EAX,10B
004BED09 . 74 1F JE SHORT Chuzzle.004BED2A
004BED0B . 3D 0B020000 CMP EAX,20B
004BED10 . 74 05 JE SHORT Chuzzle.004BED17
004BED12 > 8975 E4 MOV DWORD PTR SS:[EBP-1C],ESI
004BED15 . EB 27 JMP SHORT Chuzzle.004BED3E
004BED17 > 83B9 84000000>CMP DWORD PTR DS:[ECX+84],0E
004BED1E .^ 76 F2 JBE SHORT Chuzzle.004BED12
004BED20 . 33C0 XOR EAX,EAX
004BED22 . 39B1 F8000000 CMP DWORD PTR DS:[ECX+F8],ESI
004BED28 . EB 0E JMP SHORT Chuzzle.004BED38
004BED2A > 8379 74 0E CMP DWORD PTR DS:[ECX+74],0E
004BED2E .^ 76 E2 JBE SHORT Chuzzle.004BED12
004BED30 . 33C0 XOR EAX,EAX
004BED32 . 39B1 E8000000 CMP DWORD PTR DS:[ECX+E8],ESI
004BED38 > 0F95C0 SETNE AL
004BED3B . 8945 E4 MOV DWORD PTR SS:[EBP-1C],EAX
004BED3E > 6A 01 PUSH 1
004BED40 . E8 20580000 CALL Chuzzle.004C4565
004BED45 . 59 POP ECX
004BED46 . 85C0 TEST EAX,EAX
004BED48 . 75 08 JNZ SHORT Chuzzle.004BED52
004BED4A . 6A 1C PUSH 1C
004BED4C . E8 02FFFFFF CALL Chuzzle.004BEC53
004BED51 . 59 POP ECX
004BED52 > E8 3A3A0000 CALL Chuzzle.004C2791
004BED57 . 85C0 TEST EAX,EAX
004BED59 . 75 08 JNZ SHORT Chuzzle.004BED63
004BED5B . 6A 10 PUSH 10
004BED5D . E8 F1FEFFFF CALL Chuzzle.004BEC53
004BED62 . 59 POP ECX
004BED63 > E8 5B570000 CALL Chuzzle.004C44C3
004BED68 . 8975 FC MOV DWORD PTR SS:[EBP-4],ESI
004BED6B . E8 55550000 CALL Chuzzle.004C42C5
004BED70 . 85C0 TEST EAX,EAX
004BED72 . 7D 08 JGE SHORT Chuzzle.004BED7C
004BED74 . 6A 1B PUSH 1B
004BED76 . E8 B3FEFFFF CALL Chuzzle.004BEC2E
004BED7B . 59 POP ECX
004BED7C > FF15 E8704D00 CALL DWORD PTR DS:[<&KERNEL32.GetCommand>; [GetCommandLineA
004BED82 . A3 34A75000 MOV DWORD PTR DS:[50A734],EAX
004BED87 . E8 17540000 CALL Chuzzle.004C41A3
004BED8C . A3 F08E5000 MOV DWORD PTR DS:[508EF0],EAX
004BED91 . E8 6B530000 CALL Chuzzle.004C4101
004BED96 . 85C0 TEST EAX,EAX
004BED98 . 7D 08 JGE SHORT Chuzzle.004BEDA2
004BED9A . 6A 08 PUSH 8
004BED9C . E8 8DFEFFFF CALL Chuzzle.004BEC2E
004BEDA1 . 59 POP ECX
004BEDA2 > E8 27510000 CALL Chuzzle.004C3ECE
004BEDA7 . 85C0 TEST EAX,EAX
004BEDA9 . 7D 08 JGE SHORT Chuzzle.004BEDB3
004BEDAB . 6A 09 PUSH 9
004BEDAD . E8 7CFEFFFF CALL Chuzzle.004BEC2E
004BEDB2 . 59 POP ECX
004BEDB3 > E8 D3000000 CALL Chuzzle.004BEE8B
004BEDB8 . 8945 E0 MOV DWORD PTR SS:[EBP-20],EAX
004BEDBB . 3BC6 CMP EAX,ESI
004BEDBD . 74 07 JE SHORT Chuzzle.004BEDC6
004BEDBF . 50 PUSH EAX
004BEDC0 . E8 69FEFFFF CALL Chuzzle.004BEC2E
004BEDC5 . 59 POP ECX
004BEDC6 > 8975 C8 MOV DWORD PTR SS:[EBP-38],ESI
004BEDC9 . 8D45 9C LEA EAX,DWORD PTR SS:[EBP-64]
004BEDCC . 50 PUSH EAX ; /pStartupinfo
004BEDCD . FF15 1C714D00 CALL DWORD PTR DS:[<&KERNEL32.GetStartup>; \GetStartupInfoA
004BEDD3 . E8 8D500000 CALL Chuzzle.004C3E65
004BEDD8 . 8945 98 MOV DWORD PTR SS:[EBP-68],EAX
004BEDDB . F645 C8 01 TEST BYTE PTR SS:[EBP-38],1
004BEDDF . 74 06 JE SHORT Chuzzle.004BEDE7
004BEDE1 . 0FB745 CC MOVZX EAX,WORD PTR SS:[EBP-34]
004BEDE5 . EB 03 JMP SHORT Chuzzle.004BEDEA
004BEDE7 > 6A 0A PUSH 0A
004BEDE9 . 58 POP EAX
004BEDEA > 50 PUSH EAX
004BEDEB . FF75 98 PUSH DWORD PTR SS:[EBP-68]
004BEDEE . 56 PUSH ESI
004BEDEF . 56 PUSH ESI
004BEDF0 . FFD7 CALL EDI
004BEDF2 . 50 PUSH EAX ; |Arg1
004BEDF3 . E8 C8C1F8FF CALL Chuzzle.0044AFC0 ; \Chuzzle.0044AFC0
004BEDF8 . 8BF8 MOV EDI,EAX
004BEDFA . 897D 94 MOV DWORD PTR SS:[EBP-6C],EDI
004BEDFD . 3975 E4 CMP DWORD PTR SS:[EBP-1C],ESI
004BEE00 . 75 06 JNZ SHORT Chuzzle.004BEE08
004BEE02 . 57 PUSH EDI
004BEE03 . E8 BB010000 CALL Chuzzle.004BEFC3
004BEE08 > E8 D8010000 CALL Chuzzle.004BEFE5
004BEE0D . EB 2B JMP SHORT Chuzzle.004BEE3A
004BEE0F . 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
004BEE12 . 8B08 MOV ECX,DWORD PTR DS:[EAX]
004BEE14 . 8B09 MOV ECX,DWORD PTR DS:[ECX]
004BEE16 . 894D 90 MOV DWORD PTR SS:[EBP-70],ECX
004BEE19 . 50 PUSH EAX
004BEE1A . 51 PUSH ECX
004BEE1B . E8 E14E0000 CALL Chuzzle.004C3D01
004BEE20 . 59 POP ECX
004BEE21 . 59 POP ECX
004BEE22 . C3 RETN
The program is already running before it ever reaches the RETN, so I still can't get it. Yesterday I picked an OEP at random and dumped with OD; the program grew from 1.05M to 1.07M, and PEiD shows it was written in VC7, but the program exits as soon as its window appears. There may be some kind of checksum, but that doesn't count as unpacked, right?
Post #6 (LV9, RANK:3410)
Dump at 004BEC77.
Fix the import table with ImportREC.
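The two posts above (the VC CRT fingerprint to look for after returning from GetVersionExA, and "dump at 004BEC77, fix the imports with ImportREC") can be automated as a wildcard signature scan over a memory dump. The following is an added example, not code from this thread or from OllyDbg/ImportREC: the byte pattern is copied from the listing at 004BEC77 with the per-binary immediates wildcarded; the dump buffer, its base address and the one-entry IAT name table are constructed here for illustration, and the image base of 0x400000 used to derive the RVA is an assumption.

```python
"""Wildcard scan for the VC7 CRT entry stub (the OEP fingerprint quoted in
this thread) over a constructed memory dump, then decode the stub's operands.

Added example, not code from the thread. Stub bytes come from the listing at
004BEC77; the dump region, its base VA and the IAT table are constructed."""
import struct
from typing import Dict, List, Optional

Sig = List[Optional[int]]  # None = wildcard byte

# push 60 / push imm32 / call __SEH_prolog / mov edi,94 / mov eax,edi /
# call __alloca_probe / mov [ebp-18],esp / mov esi,esp / mov [esi],edi /
# push esi / call dword ptr [GetVersionExA].  Immediates and relative
# displacements differ per binary, so they are wildcarded.
VC7_OEP_SIG: Sig = [
    0x6A, 0x60,                          # push 60
    0x68, None, None, None, None,        # push imm32
    0xE8, None, None, None, None,        # call rel32 (__SEH_prolog)
    0xBF, 0x94, 0x00, 0x00, 0x00,        # mov edi,94
    0x8B, 0xC7,                          # mov eax,edi
    0xE8, None, None, None, None,        # call rel32 (__alloca_probe)
    0x89, 0x65, 0xE8,                    # mov [ebp-18],esp
    0x8B, 0xF4,                          # mov esi,esp
    0x89, 0x3E,                          # mov [esi],edi
    0x56,                                # push esi
    0xFF, 0x15, None, None, None, None,  # call dword ptr [iat_slot]
]


def scan(data: bytes, sig: Sig) -> List[int]:
    """Return every offset in data where sig matches."""
    hits = []
    first, n = sig[0], len(sig)
    for off in range(len(data) - n + 1):
        if data[off] != first:
            continue
        if all(s is None or data[off + i] == s for i, s in enumerate(sig)):
            hits.append(off)
    return hits


def decode_stub(data: bytes, off: int, base_va: int) -> Dict[str, int]:
    """Resolve a matched stub's operands to virtual addresses.

    base_va is the VA of data[0]. E8 rel32 is relative to the next instruction
    (offsets 12 and 24 inside the stub); FF15 carries the absolute IAT slot."""
    va = base_va + off
    seh_prolog = va + 12 + struct.unpack_from("<i", data, off + 8)[0]
    alloca_probe = va + 24 + struct.unpack_from("<i", data, off + 20)[0]
    iat_slot = struct.unpack_from("<I", data, off + 34)[0]
    return {"oep": va, "seh_prolog": seh_prolog,
            "alloca_probe": alloca_probe, "iat_slot": iat_slot}


def find_oep(data: bytes, base_va: int, iat_names: Dict[int, str]) -> Optional[int]:
    """The thread's check: a hit counts as the OEP only if its FF15 operand is
    the IAT slot that resolves to kernel32.GetVersionExA."""
    for off in scan(data, VC7_OEP_SIG):
        info = decode_stub(data, off, base_va)
        if iat_names.get(info["iat_slot"], "").endswith("GetVersionExA"):
            return info["oep"]
    return None


# Constructed dump of a region starting at VA 0x004BEC00: a decoy "push 60; ret"
# at the start, then the 38 stub bytes from the listing at offset 0x77.
SAMPLE_BASE_VA = 0x004BEC00
_STUB = bytes.fromhex(
    "6A60" "6810044F00" "E8CD400000" "BF94000000" "8BC7" "E8F1FCFFFF"
    "8965E8" "8BF4" "893E" "56" "FF150C714D00"
)
_AFTER = bytes.fromhex("8B4E10" "890D008F5000")  # mov ecx,[esi+10] ...
SAMPLE_DUMP = b"\x6A\x60\xC3" + b"\x90" * (0x77 - 3) + _STUB + _AFTER
# Constructed: the slot named in the listing's comment, as ImportREC would list it.
SAMPLE_IAT: Dict[int, str] = {0x004D710C: "kernel32.GetVersionExA"}
ASSUMED_IMAGE_BASE = 0x00400000  # assumption; ImportREC wants the OEP as an RVA


if __name__ == "__main__":
    oep = find_oep(SAMPLE_DUMP, SAMPLE_BASE_VA, SAMPLE_IAT)
    info = decode_stub(SAMPLE_DUMP, oep - SAMPLE_BASE_VA, SAMPLE_BASE_VA)
    print("OEP VA  %08X  RVA %08X" % (oep, oep - ASSUMED_IMAGE_BASE))
    print("__SEH_prolog %08X  __alloca_probe %08X  IAT slot %08X"
          % (info["seh_prolog"], info["alloca_probe"], info["iat_slot"]))
```

On the constructed dump the decoy `push 60; ret` is rejected because the third byte is not `68`, and the real stub at 0x004BEC77 decodes to the same call targets the listing shows (004C2D50 and 004BE980) and the IAT slot 004D710C. The RVA printed (BEC77, if the image base really is 0x400000) is what goes into ImportREC's OEP field before rebuilding the imports.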
Post #7 (LV9, RANK:180)
Thanks, I tried it and got the same result as yesterday: 1.05M unpacks to 1.07M, using OllyDump. If I tick "rebuild import table", then on running the program it first tries to open a web page (it did that originally too), and when the main window appears it crashes and brings up VC (the default debugger). If I don't tick "rebuild import table" it runs normally, and PEiD reports Microsoft Visual C++ 7.0 [Debug].
Loading the file before unpacking, OD warns that Chuzzle and bass have entry points outside their code range.
Loading the unpacked file, OD warns that bass has an entry point outside its code range.
I don't know what's going on here; could it be that only the file header is encrypted?
Post #8 (LV9, RANK:3410)
That warning doesn't matter.
Don't use OllyDump's import-table rebuild option; use ImportREC.
That feature is next to useless.
Post #9 (LV9, RANK:180)
Thanks, I'll look into it some more.
So that means it already counts as unpacked? This program is really strange, there's almost no compression. I'll give it a try, thanks.