When repairing the stolen code of a target packed with Asprotect 2.3 SKE build 03.19 using the hide OEP option, start from the call xxxxxxxx and step into it layer by layer until the third layer; there you will see code like the following:
00D1F6B0 68 00000000 PUSH 0
00D1F6B5 68 B0F6D100 PUSH 0D1F6B0
00D1F6BA 68 0846DA00 PUSH 0DA4608
00D1F6BF E8 14F90000 CALL 00D2EFD8
It is actually the following code:
00D1F6B0 55 PUSH EBP
00D1F6B1 8BEC MOV EBP,ESP
00D1F6B3 83C4 F0 ADD ESP,-10
00D1F6B6 53 PUSH EBX
00D1F6B7 56 PUSH ESI
00D1F6B8 57 PUSH EDI
00D1F6B9 8BF1 MOV ESI,ECX
00D1F6BB 8955 FC MOV DWORD PTR SS:[EBP-4],EDX
00D1F6BE 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX
00D1F6C1 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
00D1F6C4 8D78 24 LEA EDI,DWORD PTR DS:[EAX+24]
00D1F6C7 33C0 XOR EAX,EAX
00D1F6C9 8A47 01 MOV AL,BYTE PTR DS:[EDI+1]
00D1F6CC 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
00D1F6CF 8B5C82 40 MOV EBX,DWORD PTR DS:[EDX+EAX*4+40]
00D1F6D3 8BC6 MOV EAX,ESI
00D1F6D5 FFD3 CALL EBX
00D1F6D7 8BD8 MOV EBX,EAX
00D1F6D9 33C0 XOR EAX,EAX
00D1F6DB 8A47 02 MOV AL,BYTE PTR DS:[EDI+2]
00D1F6DE 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
00D1F6E1 8B5482 40 MOV EDX,DWORD PTR DS:[EDX+EAX*4+40]
00D1F6E5 8BC6 MOV EAX,ESI
00D1F6E7 FFD2 CALL EDX
00D1F6E9 8945 F4 MOV DWORD PTR SS:[EBP-C],EAX
00D1F6EC 33C0 XOR EAX,EAX
00D1F6EE 8A47 03 MOV AL,BYTE PTR DS:[EDI+3]
00D1F6F1 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
00D1F6F4 8B5482 40 MOV EDX,DWORD PTR DS:[EDX+EAX*4+40]
00D1F6F8 8BC6 MOV EAX,ESI
00D1F6FA FFD2 CALL EDX
00D1F6FC 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX
00D1F6FF 80EB 02 SUB BL,2
00D1F702 0F82 CE000000 JB 00D1F7D6
00D1F708 74 75 JE SHORT 00D1F77F
00D1F70A FECB DEC BL
00D1F70C 0F85 F3000000 JNZ 00D1F805
00D1F712 8BCE MOV ECX,ESI
00D1F714 8B55 0C MOV EDX,DWORD PTR SS:[EBP+C]
00D1F717 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
00D1F71A E8 45FDFFFF CALL 00D1F464 --> press F7 here to step into layer 4
00D1F71F 8945 10 MOV DWORD PTR SS:[EBP+10],EAX
00D1F722 33C0 XOR EAX,EAX
00D1F724 8A47 04 MOV AL,BYTE PTR DS:[EDI+4]
00D1F727 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
00D1F72A 8B5C82 40 MOV EBX,DWORD PTR DS:[EDX+EAX*4+40]
00D1F72E 8BC6 MOV EAX,ESI
00D1F730 FFD3 CALL EBX
00D1F732 8BD8 MOV EBX,EAX
00D1F734 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
00D1F737 3258 70 XOR BL,BYTE PTR DS:[EAX+70]
00D1F73A 8B4D 10 MOV ECX,DWORD PTR SS:[EBP+10]
00D1F73D 8BD3 MOV EDX,EBX
00D1F73F 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
00D1F742 E8 A5030000 CALL 00D1FAEC
00D1F747 84C0 TEST AL,AL
00D1F749 74 1A JE SHORT 00D1F765
00D1F74B 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
00D1F74E 8B40 18 MOV EAX,DWORD PTR DS:[EAX+18]
00D1F751 0345 F0 ADD EAX,DWORD PTR SS:[EBP-10]
00D1F754 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
00D1F757 0342 68 ADD EAX,DWORD PTR DS:[EDX+68]
00D1F75A 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
00D1F75D 0342 70 ADD EAX,DWORD PTR DS:[EDX+70]
00D1F760 E9 A5000000 JMP 00D1F80A
00D1F765 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
00D1F768 8B40 18 MOV EAX,DWORD PTR DS:[EAX+18]
00D1F76B 0345 F4 ADD EAX,DWORD PTR SS:[EBP-C]
00D1F76E 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
00D1F771 0342 68 ADD EAX,DWORD PTR DS:[EDX+68]
00D1F774 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
00D1F777 0342 70 ADD EAX,DWORD PTR DS:[EDX+70]
00D1F77A E9 8B000000 JMP 00D1F80A
00D1F77F 33C0 XOR EAX,EAX
00D1F781 8A47 04 MOV AL,BYTE PTR DS:[EDI+4]
00D1F784 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
00D1F787 8B5C82 40 MOV EBX,DWORD PTR DS:[EDX+EAX*4+40]
00D1F78B 8BC6 MOV EAX,ESI
00D1F78D FFD3 CALL EBX
00D1F78F 8BD8 MOV EBX,EAX
00D1F791 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
00D1F794 3258 70 XOR BL,BYTE PTR DS:[EAX+70]
00D1F797 8B4D 10 MOV ECX,DWORD PTR SS:[EBP+10]
00D1F79A 8BD3 MOV EDX,EBX
00D1F79C 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
00D1F79F E8 48030000 CALL 00D1FAEC
00D1F7A4 84C0 TEST AL,AL
00D1F7A6 74 17 JE SHORT 00D1F7BF
00D1F7A8 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
00D1F7AB 8B40 18 MOV EAX,DWORD PTR DS:[EAX+18]
00D1F7AE 0345 F0 ADD EAX,DWORD PTR SS:[EBP-10]
00D1F7B1 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
00D1F7B4 0342 68 ADD EAX,DWORD PTR DS:[EDX+68]
00D1F7B7 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
00D1F7BA 0342 70 ADD EAX,DWORD PTR DS:[EDX+70]
00D1F7BD EB 4B JMP SHORT 00D1F80A
00D1F7BF 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
00D1F7C2 8B40 18 MOV EAX,DWORD PTR DS:[EAX+18]
00D1F7C5 0345 F4 ADD EAX,DWORD PTR SS:[EBP-C]
00D1F7C8 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
00D1F7CB 0342 68 ADD EAX,DWORD PTR DS:[EDX+68]
00D1F7CE 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
00D1F7D1 0342 70 ADD EAX,DWORD PTR DS:[EDX+70]
00D1F7D4 EB 34 JMP SHORT 00D1F80A
00D1F7D6 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
00D1F7D9 8B50 68 MOV EDX,DWORD PTR DS:[EAX+68]
00D1F7DC 8BC2 MOV EAX,EDX
00D1F7DE 0345 F4 ADD EAX,DWORD PTR SS:[EBP-C]
00D1F7E1 8B4D F8 MOV ECX,DWORD PTR SS:[EBP-8]
00D1F7E4 8B49 70 MOV ECX,DWORD PTR DS:[ECX+70]
00D1F7E7 03C1 ADD EAX,ECX
00D1F7E9 83F8 FF CMP EAX,-1
00D1F7EC 75 0F JNZ SHORT 00D1F7FD
00D1F7EE 8BC2 MOV EAX,EDX
00D1F7F0 0345 F0 ADD EAX,DWORD PTR SS:[EBP-10]
00D1F7F3 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
00D1F7F6 0342 10 ADD EAX,DWORD PTR DS:[EDX+10]
00D1F7F9 03C1 ADD EAX,ECX
00D1F7FB EB 0D JMP SHORT 00D1F80A
00D1F7FD 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
00D1F800 0342 18 ADD EAX,DWORD PTR DS:[EDX+18]
00D1F803 EB 05 JMP SHORT 00D1F80A
00D1F805 B8 5057D300 MOV EAX,0D35750
00D1F80A 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
00D1F80D 83EA 04 SUB EDX,4
00D1F810 8902 MOV DWORD PTR DS:[EDX],EAX
00D1F812 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
00D1F815 E8 76020000 CALL 00D1FA90
00D1F81A FF75 FC PUSH DWORD PTR SS:[EBP-4]
00D1F81D FF75 10 PUSH DWORD PTR SS:[EBP+10]
00D1F820 FF75 0C PUSH DWORD PTR SS:[EBP+C]
00D1F823 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
00D1F826 FF60 20 JMP DWORD PTR DS:[EAX+20]
00D1F829 5F POP EDI
00D1F82A 5E POP ESI
00D1F82B 5B POP EBX
00D1F82C 8BE5 MOV ESP,EBP
00D1F82E 5D POP EBP
00D1F82F C2 1000 RETN 10
Layer 4
00D1F464 68 00000000 PUSH 0
00D1F469 68 64F4D100 PUSH 0D1F464
00D1F46E 68 FC30DA00 PUSH 0DA30FC
00D1F473 E8 60FB0000 CALL 00D2EFD8
The following is the code of layer 4:
00D1F464 53 PUSH EBX
00D1F465 56 PUSH ESI
00D1F466 57 PUSH EDI
00D1F467 55 PUSH EBP
00D1F468 83C4 EC ADD ESP,-14
00D1F46B 8BF9 MOV EDI,ECX
00D1F46D 891424 MOV DWORD PTR SS:[ESP],EDX
00D1F470 8BD8 MOV EBX,EAX
00D1F472 8D73 24 LEA ESI,DWORD PTR DS:[EBX+24]
00D1F475 33ED XOR EBP,EBP
00D1F477 33C0 XOR EAX,EAX
00D1F479 894424 08 MOV DWORD PTR SS:[ESP+8],EAX
00D1F47D 33C0 XOR EAX,EAX
00D1F47F 8A46 08 MOV AL,BYTE PTR DS:[ESI+8]
00D1F482 8B5483 40 MOV EDX,DWORD PTR DS:[EBX+EAX*4+40]
00D1F486 8BC7 MOV EAX,EDI
00D1F488 FFD2 CALL EDX
00D1F48A 2B43 70 SUB EAX,DWORD PTR DS:[EBX+70]
00D1F48D 894424 10 MOV DWORD PTR SS:[ESP+10],EAX
00D1F491 33C0 XOR EAX,EAX
00D1F493 8A46 06 MOV AL,BYTE PTR DS:[ESI+6]
00D1F496 8B5483 40 MOV EDX,DWORD PTR DS:[EBX+EAX*4+40]
00D1F49A 8BC7 MOV EAX,EDI
00D1F49C FFD2 CALL EDX
00D1F49E 8BD0 MOV EDX,EAX
00D1F4A0 80EA 08 SUB DL,8
00D1F4A3 0F92C2 SETB DL
00D1F4A6 80FA 01 CMP DL,1
00D1F4A9 75 10 JNZ SHORT 00D1F4BB
00D1F4AB 8BC8 MOV ECX,EAX
00D1F4AD 8B1424 MOV EDX,DWORD PTR SS:[ESP]
00D1F4B0 8BC3 MOV EAX,EBX
00D1F4B2 E8 DD080000 CALL 00D1FD94
00D1F4B7 894424 08 MOV DWORD PTR SS:[ESP+8],EAX
00D1F4BB 33C0 XOR EAX,EAX
00D1F4BD 8A46 07 MOV AL,BYTE PTR DS:[ESI+7]
00D1F4C0 8B5483 40 MOV EDX,DWORD PTR DS:[EBX+EAX*4+40]
00D1F4C4 8BC7 MOV EAX,EDI
00D1F4C6 FFD2 CALL EDX
00D1F4C8 2B43 70 SUB EAX,DWORD PTR DS:[EBX+70]
00D1F4CB 894424 0C MOV DWORD PTR SS:[ESP+C],EAX
00D1F4CF 33C0 XOR EAX,EAX
00D1F4D1 8A46 05 MOV AL,BYTE PTR DS:[ESI+5]
00D1F4D4 8B5483 40 MOV EDX,DWORD PTR DS:[EBX+EAX*4+40]
00D1F4D8 8BC7 MOV EAX,EDI
00D1F4DA FFD2 CALL EDX
00D1F4DC 8BD0 MOV EDX,EAX
00D1F4DE 80EA 08 SUB DL,8
00D1F4E1 0F92C2 SETB DL
00D1F4E4 80FA 01 CMP DL,1
00D1F4E7 75 0E JNZ SHORT 00D1F4F7
00D1F4E9 8BC8 MOV ECX,EAX
00D1F4EB 8B1424 MOV EDX,DWORD PTR SS:[ESP]
00D1F4EE 8BC3 MOV EAX,EBX
00D1F4F0 E8 9F080000 CALL 00D1FD94
00D1F4F5 8BE8 MOV EBP,EAX
00D1F4F7 036C24 0C ADD EBP,DWORD PTR SS:[ESP+C]
00D1F4FB 8B4424 10 MOV EAX,DWORD PTR SS:[ESP+10]
00D1F4FF 034424 08 ADD EAX,DWORD PTR SS:[ESP+8]
00D1F503 894424 04 MOV DWORD PTR SS:[ESP+4],EAX
00D1F507 33C0 XOR EAX,EAX
00D1F509 8A46 09 MOV AL,BYTE PTR DS:[ESI+9]
00D1F50C 8B5483 40 MOV EDX,DWORD PTR DS:[EBX+EAX*4+40]
00D1F510 8BC7 MOV EAX,EDI
00D1F512 FFD2 CALL EDX
00D1F514 83E0 7F AND EAX,7F
00D1F517 83F8 04 CMP EAX,4
00D1F51A 77 42 JA SHORT 00D1F55E
00D1F51C FF2485 23F5D100 JMP DWORD PTR DS:[EAX*4+D1F523]
00D1F523 4D DEC EBP
00D1F524 F5 CMC
00D1F525 D100 ROL DWORD PTR DS:[EAX],1
00D1F527 52 PUSH EDX
00D1F528 F5 CMC
00D1F529 D100 ROL DWORD PTR DS:[EAX],1
00D1F52B 37 AAA
00D1F52C F5 CMC
00D1F52D D100 ROL DWORD PTR DS:[EAX],1
00D1F52F 40 INC EAX
00D1F530 F5 CMC
00D1F531 D100 ROL DWORD PTR DS:[EAX],1
00D1F533 68 F5D100 PUSH 00D1F5
00D1F537 33C0 XOR EAX,EAX
00D1F539 8A45 00 MOV AL,BYTE PTR SS:[EBP]
00D1F53C 8BE8 MOV EBP,EAX
00D1F53E EB 28 JMP SHORT 00D1F568
00D1F540 8B4424 04 MOV EAX,DWORD PTR SS:[ESP+4]
00D1F544 0FB600 MOVZX EAX,BYTE PTR DS:[EAX]
00D1F547 894424 04 MOV DWORD PTR SS:[ESP+4],EAX
00D1F54B EB 1B JMP SHORT 00D1F568
00D1F54D 8B6D 00 MOV EBP,DWORD PTR SS:[EBP]
00D1F550 EB 16 JMP SHORT 00D1F568
00D1F552 8B4424 04 MOV EAX,DWORD PTR SS:[ESP+4]
00D1F556 8B00 MOV EAX,DWORD PTR DS:[EAX]
00D1F558 894424 04 MOV DWORD PTR SS:[ESP+4],EAX
00D1F55C EB 0A JMP SHORT 00D1F568
00D1F55E 68 84F5D100 PUSH 0D1F584 ; ASCII "113"
00D1F563 E8 9C60FFFF CALL 00D15604
00D1F568 8B5424 04 MOV EDX,DWORD PTR SS:[ESP+4]
00D1F56C 8BC5 MOV EAX,EBP
00D1F56E E8 F5070000 CALL 00D1FD68
00D1F573 83C4 14 ADD ESP,14
00D1F576 5D POP EBP
00D1F577 5F POP EDI
00D1F578 5E POP ESI
00D1F579 5B POP EBX
00D1F57A C3 RETN
00D1F51C FF2485 23F5D100 JMP DWORD PTR DS:[EAX*4+D1F523]
The D1F523 in this instruction must be changed to the actual address in your own debugging session.
00D1F523 4D DEC EBP
00D1F524 F5 CMC
00D1F525 D100 ROL DWORD PTR DS:[EAX],1
00D1F527 52 PUSH EDX
00D1F528 F5 CMC
00D1F529 D100 ROL DWORD PTR DS:[EAX],1
00D1F52B 37 AAA
00D1F52C F5 CMC
00D1F52D D100 ROL DWORD PTR DS:[EAX],1
00D1F52F 40 INC EAX
00D1F530 F5 CMC
00D1F531 D100 ROL DWORD PTR DS:[EAX],1
00D1F533 68 F5D100 PUSH 00D1F5
The bytes from 00D1F523 to 00D1F536 must be changed according to the actual addresses in your own debugging session (they are a jump table of five absolute addresses, which OllyDbg shows as meaningless instructions).
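To make the relocation concrete, here is an added helper (not part of the original post or its attachment) that decodes the five dword entries of the table at 00D1F523 from the hex column of the listing above, checks that each one lands inside the layer-4 routine, and rebases both the table and the disp32 of the FF 24 85 instruction when the block is copied to a different address. The new base address 0x401000 is an assumed example value; in a real session you would substitute the address where you pasted the code.

```python
import struct

# Raw table bytes at 00D1F523..00D1F536, copied from the hex column of the
# listing (4D F5 D1 00 / 52 F5 D1 00 / 37 F5 D1 00 / 40 F5 D1 00 / 68 F5 D1 00).
JUMP_TABLE_BYTES = bytes.fromhex("4DF5D100" "52F5D100" "37F5D100" "40F5D100" "68F5D100")
TABLE_ADDR = 0x00D1F523   # where the table sits in the author's session
TABLE_ENTRIES = 5         # AND EAX,7F / CMP EAX,4 / JA  => cases 0..4
BLOCK_START = 0x00D1F464  # first byte of the layer-4 routine
BLOCK_END = 0x00D1F57B    # one past the RETN at 00D1F57A
# Bytes of "JMP DWORD PTR DS:[EAX*4+D1F523]" at 00D1F51C
INDIRECT_JMP_BYTES = bytes.fromhex("FF2485" "23F5D100")
NEW_BASE = 0x00401000     # assumed destination of the copied block (example only)


def decode_jump_table(table_bytes, entries):
    """Read the table as little-endian dword code pointers."""
    return [struct.unpack_from("<I", table_bytes, 4 * i)[0] for i in range(entries)]


def check_targets_in_block(targets, start, end):
    """Every case target must fall inside the routine that owns the table."""
    return all(start <= t < end for t in targets)


def rebase_jump_table(targets, old_base, new_base):
    """Shift each absolute target by the distance the block was moved."""
    delta = new_base - old_base
    return [(t + delta) & 0xFFFFFFFF for t in targets]


def encode_jump_table(targets):
    """Serialize rebased targets back into the 20 bytes to paste over the table."""
    return b"".join(struct.pack("<I", t) for t in targets)


def rebase_indirect_jmp(instr_bytes, old_base, new_base):
    """Patch the disp32 of FF 24 85 disp32 (JMP DWORD PTR [EAX*4+disp32])."""
    if instr_bytes[:3] != b"\xFF\x24\x85":
        raise ValueError("not a JMP DWORD PTR [EAX*4+disp32] encoding")
    disp = struct.unpack_from("<I", instr_bytes, 3)[0]
    new_disp = (disp + new_base - old_base) & 0xFFFFFFFF
    return instr_bytes[:3] + struct.pack("<I", new_disp)


def relocate_layer4(new_base):
    """Return (patched JMP bytes, patched table bytes, rebased targets) for a copy at new_base."""
    targets = decode_jump_table(JUMP_TABLE_BYTES, TABLE_ENTRIES)
    if not check_targets_in_block(targets, BLOCK_START, BLOCK_END):
        raise ValueError("table entry points outside the layer-4 routine")
    rebased = rebase_jump_table(targets, BLOCK_START, new_base)
    jmp = rebase_indirect_jmp(INDIRECT_JMP_BYTES, BLOCK_START, new_base)
    return jmp, encode_jump_table(rebased), rebased


if __name__ == "__main__":
    jmp, table, rebased = relocate_layer4(NEW_BASE)
    print("original targets:", [hex(t) for t in decode_jump_table(JUMP_TABLE_BYTES, 5)])
    print("rebased targets: ", [hex(t) for t in rebased])
    print("patched JMP bytes:", jmp.hex().upper())
    print("patched table bytes:", table.hex().upper())
```

Decoding the table shows why OllyDbg prints DEC EBP / CMC / ROL there: the entries are 00D1F54D, 00D1F552, 00D1F537, 00D1F540 and 00D1F568, i.e. the five case bodies visible in the listing, so both the table and the disp32 in the JMP must move together with the block or the switch will jump into the old location.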
00D1F55E 68 84F5D100 PUSH 0D1F584 ; ASCII "113"
00D1F563 E8 9C60FFFF CALL 00D15604
You can ignore the two instructions at 00D1F55E and 00D1F563; if execution reaches here, it is already game over.
I couldn't be bothered to add comments; everyone can refer to the tutorial for Asprotect 2.11.
The attachment contains the binary code of the two segments above, which you can copy into the target you are debugging.