Post #2
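NOTEPAD protected with ASProtect.SKE.2.3 build 04.26 Beta, with the stolen code option selected.
After comparing, I did not expect the code stealing to be this aggressive:
The code without stealing: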
004010CC >/$ 55 PUSH EBP
004010CD |. 8BEC MOV EBP,ESP
004010CF |. 83EC 44 SUB ESP,44
004010D2 |. 56 PUSH ESI
004010D3 |. FF15 E4634000 CALL DWORD PTR DS:[<&KERNEL32.GetCommand>; [GetCommandLineA
004010D9 |. 8BF0 MOV ESI,EAX
004010DB |. 8A00 MOV AL,BYTE PTR DS:[EAX]
004010DD |. 3C 22 CMP AL,22
004010DF |. 75 1B JNZ SHORT NOTEPAD1.004010FC
004010E1 |> 56 /PUSH ESI ; /pCurrentChar
004010E2 |. FF15 F4644000 |CALL DWORD PTR DS:[<&USER32.CharNextA>] ; \CharNextA
004010E8 |. 8BF0 |MOV ESI,EAX
004010EA |. 8A00 |MOV AL,BYTE PTR DS:[EAX]
004010EC |. 84C0 |TEST AL,AL
004010EE |. 74 04 |JE SHORT NOTEPAD1.004010F4
004010F0 |. 3C 22 |CMP AL,22
004010F2 |.^ 75 ED \JNZ SHORT NOTEPAD1.004010E1
004010F4 |> 803E 22 CMP BYTE PTR DS:[ESI],22
004010F7 |. 75 15 JNZ SHORT NOTEPAD1.0040110E
004010F9 |. 46 INC ESI
004010FA |. EB 12 JMP SHORT NOTEPAD1.0040110E
004010FC |> 3C 20 CMP AL,20
004010FE |. 7E 0E JLE SHORT NOTEPAD1.0040110E
00401100 |> 56 /PUSH ESI ; /pCurrentChar
00401101 |. FF15 F4644000 |CALL DWORD PTR DS:[<&USER32.CharNextA>] ; \CharNextA
00401107 |. 8038 20 |CMP BYTE PTR DS:[EAX],20
0040110A |. 8BF0 |MOV ESI,EAX
0040110C |.^ 7F F2 \JG SHORT NOTEPAD1.00401100
0040110E |> 803E 00 CMP BYTE PTR DS:[ESI],0
00401111 |. 74 13 JE SHORT NOTEPAD1.00401126
00401113 |> 803E 20 /CMP BYTE PTR DS:[ESI],20
00401116 |. 77 0E |JA SHORT NOTEPAD1.00401126
00401118 |. 56 |PUSH ESI ; /pCurrentChar
00401119 |. FF15 F4644000 |CALL DWORD PTR DS:[<&USER32.CharNextA>] ; \CharNextA
0040111F |. 8038 00 |CMP BYTE PTR DS:[EAX],0
00401122 |. 8BF0 |MOV ESI,EAX
00401124 |.^ 75 ED \JNZ SHORT NOTEPAD1.00401113
00401126 |> C745 E8 00000>MOV DWORD PTR SS:[EBP-18],0
0040112D |. 8D4D BC LEA ECX,DWORD PTR SS:[EBP-44]
00401130 |. 51 PUSH ECX ; /pStartupinfo
00401131 |. FF15 98634000 CALL DWORD PTR DS:[<&KERNEL32.GetStartup>; \GetStartupInfoA
00401137 |. F645 E8 01 TEST BYTE PTR SS:[EBP-18],1
0040113B |. B8 0A000000 MOV EAX,0A
00401140 |. 74 04 JE SHORT NOTEPAD1.00401146
00401142 |. 0FB745 EC MOVZX EAX,WORD PTR SS:[EBP-14]
00401146 |> 50 PUSH EAX ; /Arg4
00401147 |. 56 PUSH ESI ; |Arg3
00401148 |. 6A 00 PUSH 0 ; |Arg2 = 00000000
0040114A |. 6A 00 PUSH 0 ; |/pModule = NULL
0040114C |. FF15 9C634000 CALL DWORD PTR DS:[<&KERNEL32.GetModuleH>; |\GetModuleHandleA
00401152 |. 50 PUSH EAX ; |Arg1
00401153 |. E8 760F0000 CALL NOTEPAD1.004020CE ; \NOTEPAD1.004020CE
00401158 |. 50 PUSH EAX ; /ExitCode
00401159 |. 8BF0 MOV ESI,EAX ; |
0040115B \. FF15 A0634000 CALL DWORD PTR DS:[<&KERNEL32.ExitProces>; \ExitProcess
00401161 . 8BC6 MOV EAX,ESI
00401163 . 5E POP ESI
00401164 . 8BE5 MOV ESP,EBP
00401166 . 5D POP EBP
00401167 . C3 RETN
00401168 /$ 833D B8574000>CMP DWORD PTR DS:[4057B8],0
0040116F |. 74 0C JE SHORT NOTEPAD1.0040117D
00401171 |. A1 B8574000 MOV EAX,DWORD PTR DS:[4057B8]
00401176 |. 50 PUSH EAX ; /hMem => NULL
00401177 |. FF15 D4634000 CALL DWORD PTR DS:[<&KERNEL32.GlobalFree>; \GlobalFree
0040117D |> 833D BC574000>CMP DWORD PTR DS:[4057BC],0
00401184 |. 74 0C JE SHORT NOTEPAD1.00401192
00401186 |. A1 BC574000 MOV EAX,DWORD PTR DS:[4057BC]
0040118B |. 50 PUSH EAX ; /hMem => NULL
0040118C |. FF15 D4634000 CALL DWORD PTR DS:[<&KERNEL32.GlobalFree>; \GlobalFree
00401192 \> C3 RETN
00401193 /$ C705 F4574000>MOV DWORD PTR DS:[4057F4],NOTEPAD1.00404>
0040119D |. 83EC 04 SUB ESP,4
004011A0 |. C705 FC574000>MOV DWORD PTR DS:[4057FC],0E
004011AA |. 8D4424 02 LEA EAX,DWORD PTR SS:[ESP+2]
004011AE |. 6A 02 PUSH 2 ; /BufSize = 2
004011B0 |. 50 PUSH EAX ; |Buffer
004011B1 |. 6A 0D PUSH 0D ; |InfoType = D
004011B3 |. 68 00040000 PUSH 400 ; |LocaleId = 400
004011B8 |. FF15 DC634000 CALL DWORD PTR DS:[<&KERNEL32.GetLocaleI>; \GetLocaleInfoA
004011BE |. 807C24 02 31 CMP BYTE PTR SS:[ESP+2],31
004011C3 |. 75 2A JNZ SHORT NOTEPAD1.004011EF
Below is the code after stealing:
004010CC - E9 BBF24301 JMP 0184038C
004010D1 D36CDC C7 SHR DWORD PTR SS:[ESP+EBX*8-39],CL
004010D5 02FC ADD BH,AH
004010D7 99 CDQ
004010D8 8807 MOV BYTE PTR DS:[EDI],AL
004010DA B7 0D MOV BH,0D
004010DC 1E PUSH DS
004010DD FC CLD
004010DE 90 NOP
004010DF 024F 98 ADD CL,BYTE PTR DS:[EDI-68]
004010E2 1B63 71 SBB ESP,DWORD PTR DS:[EBX+71]
004010E5 1924D0 SBB DWORD PTR DS:[EAX+EDX*8],ESP
004010E8 CE INTO
004010E9 6A 60 PUSH 60
004010EB EC IN AL,DX ; I/O command
004010EC ^ 7E 8C JLE SHORT 1122.0040107A
004010EE 3E:E8 B65BDF47 CALL 481F6CAA ; Superfluous prefix
004010F4 E7 51 OUT 51,EAX ; I/O command
004010F6 C7 ??? ; Unknown command
004010F7 D832 FDIV DWORD PTR DS:[EDX]
004010F9 F3: PREFIX REP: ; Superfluous prefix
004010FA D5 5F AAD 5F
004010FC F2: PREFIX REPNE: ; Superfluous prefix
004010FD D98468 8AA59043 FLD DWORD PTR DS:[EAX+EBP*2+4390A58A]
00401104 91 XCHG EAX,ECX
00401105 4F DEC EDI
00401106 71 2C JNO SHORT 1122.00401134
00401108 1B92 6600C26B SBB EDX,DWORD PTR DS:[EDX+6BC20066]
0040110E - E9 15084401 JMP 01841928
00401113 90 NOP
00401114 3F AAS
00401115 D7 XLAT BYTE PTR DS:[EBX+AL]
00401116 58 POP EAX
00401117 9E SAHF
00401118 A9 D679DE77 TEST EAX,77DE79D6
0040111D 2280 ACC3F3B9 AND AL,BYTE PTR DS:[EAX+B9F3C3AC]
00401123 D2DF RCR BH,CL
00401125 40 INC EAX
00401126 8A4C68 5D MOV CL,BYTE PTR DS:[EAX+EBP*2+5D]
0040112A BD 7090A5A2 MOV EBP,A2A59070
0040112F 26:A8 4D TEST AL,4D ; Superfluous prefix
00401132 1C 09 SBB AL,9
00401134 30E3 XOR BL,AH
00401136 238B F942597B AND ECX,DWORD PTR DS:[EBX+7B5942F9]
0040113C 33DD XOR EBX,EBP
0040113E 94 XCHG EAX,ESP
0040113F 825A BC 9B SBB BYTE PTR DS:[EDX-44],-65
00401143 8069 8D 7A SUB BYTE PTR DS:[ECX-73],7A
00401147 D7 XLAT BYTE PTR DS:[EBX+AL]
00401148 C9 LEAVE
00401149 8E19 MOV DS,WORD PTR DS:[ECX] ; Modification of segment register
0040114B 0D D957FB4C OR EAX,4CFB57D9
00401150 0C AD OR AL,0AD
00401152 6A C0 PUSH -40
00401154 F1 INT1
00401155 EA 51C6BEA9 9F6>JMP FAR 659F:A9BEC651
0040115C 03BB 049FC0A0 ADD EDI,DWORD PTR DS:[EBX+A0C09F04]
00401162 2B7F 0F SUB EDI,DWORD PTR DS:[EDI+F]
00401165 FD STD
00401166 04 F5 ADD AL,0F5
00401168 - E9 9CF34301 JMP 01840509
0040116D 3E:8717 XCHG DWORD PTR DS:[EDI],EDX
00401170 009C1F 8C9086BB ADD BYTE PTR DS:[EDI+EBX+BB86908C],BL
00401177 F9 STC
00401178 2B67 EA SUB ESP,DWORD PTR DS:[EDI-16]
0040117B 15 180D48BF ADC EAX,BF480D18
00401180 ^ 7E 9F JLE SHORT 1122.00401121
00401182 55 PUSH EBP
00401183 C686 7B9C51FB A>MOV BYTE PTR DS:[ESI+FB519C7B],0A0
0040118A DA61 4C FISUB DWORD PTR DS:[ECX+4C]
0040118D BF 1805D50E MOV EDI,0ED50518
00401192 DEC7 FADDP ST(7),ST
00401194 05 F4574000 ADD EAX,1122.004057F4
00401199 EB 45 JMP SHORT 1122.004011E0
0040119B 40 INC EAX
0040119C 0083 EC04C705 ADD BYTE PTR DS:[EBX+5C704EC],AL
004011A2 FC CLD
004011A3 57 PUSH EDI
004011A4 40 INC EAX
004011A5 000E ADD BYTE PTR DS:[ESI],CL
004011A7 0000 ADD BYTE PTR DS:[EAX],AL
004011A9 008D 4424026A ADD BYTE PTR SS:[EBP+6A022444],CL
004011AF 0250 6A ADD DL,BYTE PTR DS:[EAX+6A]
004011B2 0D 68000400 OR EAX,40068
004011B7 00FF ADD BH,BH
004011B9 15 DC634000 ADC EAX,1122.004063DC
004011BE 807C24 02 31 CMP BYTE PTR SS:[ESP+2],31
004011C3 75 2A JNZ SHORT 1122.004011EF
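The comparison in the post above can be reproduced mechanically. The following is an added example, not part of the original post: it scans a code region for `E9 rel32` jumps whose target lies outside the module image and measures how many bytes were overwritten behind each stub. The image bounds and the 0xCC filler are assumptions; the three stub encodings and the region boundaries are taken from the two listings.

```python
import struct

# Assumed bounds of the protected module's image (hypothetical; read the real
# values from the PE header of the file being analysed).
IMAGE_BASE = 0x00400000
IMAGE_SIZE = 0x00010000

# The three JMP stubs exactly as they appear in the post's protected listing.
STUBS = {
    0x004010CC: bytes.fromhex("E9BBF24301"),
    0x0040110E: bytes.fromhex("E915084401"),
    0x00401168: bytes.fromhex("E99CF34301"),
}
REGION_START = 0x004010CC
REGION_END = 0x00401193  # first address where both listings agree again

def build_sample():
    """Constructed sample: the post's stubs, with 0xCC standing in for junk."""
    buf = bytearray(b"\xCC" * (REGION_END - REGION_START))
    for va, raw in STUBS.items():
        off = va - REGION_START
        buf[off:off + len(raw)] = raw
    return bytes(buf)

def find_redirect_stubs(code, va, base=IMAGE_BASE, size=IMAGE_SIZE):
    """Return [(stub_va, target_va)] for each E9 rel32 that leaves the image."""
    # Raw byte scan, not a disassembly: a hit inside junk bytes must still be
    # confirmed in a debugger or disassembler.
    hits = []
    for off in range(len(code) - 4):
        if code[off] != 0xE9:
            continue
        (rel,) = struct.unpack_from("<i", code, off + 1)
        target = (va + off + 5 + rel) & 0xFFFFFFFF
        if not base <= target < base + size:
            hits.append((va + off, target))
    return hits

def overwritten_spans(hits, region_end):
    """Return [(first_junk_va, length)] for the bytes following each stub."""
    ends = [h[0] for h in hits[1:]] + [region_end]
    return [(stub + 5, end - (stub + 5)) for (stub, _), end in zip(hits, ends)]

if __name__ == "__main__":
    found = find_redirect_stubs(build_sample(), REGION_START)
    for (stub, target), (junk, n) in zip(found, overwritten_spans(found, REGION_END)):
        print(f"{stub:08X} -> {target:08X}, {n} overwritten bytes from {junk:08X}")
```

The computed targets match the destinations OllyDbg shows in the listing (0184038C, 01841928, 01840509), and the span lengths give the amount of original code that has to be recovered behind each stub.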
Post #3
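Yes, I also ran into something packed with aspr 2.1 ske. Just like yours, it is all JMPs, and it stole the code of roughly two procedures. It steals so much that I don't know where to start repairing it. So frustrating.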
Post #4
01840413 E8 E8FB0500 CALL 018A0000
It could be 40110C or 401124 or something else; you have to trace it to be sure.
0040110A |. 8BF0 |MOV ESI,EAX
0040110C |.^ 7F F2 \JG SHORT NOTEPAD1.00401100
00401122 |. 8BF0 |MOV ESI,EAX
00401124 |.^ 75 ED \JNZ SHORT NOTEPAD1.00401113