Post #3
Using VolX's script "Asprotect 2.XX SKE IAT Fixer", its packer can be stripped in seconds.
OEP=474EF9, IAT:4B5000-4B583F
After repairing with ImpRec, there are 3 places that need to be changed, and then it is fine.
1.)
0041B5E7 . E8 D4C60000 CALL w_.00427CC0
0041B5EC . 8B15 0C304D00 MOV EDX,DWORD PTR DS:[4D300C]
0041B5F2 . 83C9 FF OR ECX,FFFFFFFF
0041B5F5 . 8BFA MOV EDI,EDX
0041B5F7 . 33C0 XOR EAX,EAX
0041B5F9 . F2:AE REPNE SCAS BYTE PTR ES:[EDI] // it errors out here
Tracing the original program with a hardware read breakpoint at 4D300C, [4D300C] = 004FD838
2.) 0041B2F0 should always return 1.
Actually it checks whether the CODE at one location is E8.
After VolX's script was used and the IAT repaired,
that is, a lot of
E8 xxxxxxxx Call XXXXXXXX
were changed back to
FF15 yyyyyyyy Call DWORD PTR DS:[YYYYYYYY]
If it is not E8 xxxxxxxx, the code below returns EAX=0
0041B2F0 $ 52 PUSH EDX
0041B2F1 . 57 PUSH EDI
0041B2F2 . E8 95000000 CALL w_.0041B38C
0041B2F7 . 035424 38 ADD EDX,DWORD PTR SS:[ESP+38]
0041B2FB . BA 66C34100 MOV EDX,w_.0041C366
0041B300 . 8D5424 08 LEA EDX,DWORD PTR SS:[ESP+8]
0041B304 . 8D5402 F4 LEA EDX,DWORD PTR DS:[EDX+EAX-C]
0041B308 . 2BD0 SUB EDX,EAX
0041B30A . FF32 PUSH DWORD PTR DS:[EDX]
0041B30C . 335424 08 XOR EDX,DWORD PTR SS:[ESP+8]
0041B310 . 335424 28 XOR EDX,DWORD PTR SS:[ESP+28]
0041B314 . 5A POP EDX
0041B315 . 8D9422 37D8FEFF LEA EDX,DWORD PTR DS:[EDX+FFFED837]
0041B31C . 8D7C75 4C LEA EDI,DWORD PTR SS:[EBP+ESI*2+4C]
0041B320 . 8D7C07 B4 LEA EDI,DWORD PTR DS:[EDI+EAX-4C]
0041B324 . 2BF8 SUB EDI,EAX
0041B326 . FF32 PUSH DWORD PTR DS:[EDX]
0041B328 . 337C24 08 XOR EDI,DWORD PTR SS:[ESP+8]
0041B32C . BF 3A054200 MOV EDI,w_.0042053A
0041B331 . 5F POP EDI
0041B332 . 81E7 FF000000 AND EDI,0FF
0041B338 . C1DA CF RCR EDX,0CF ; Shift constant out of range 1..31
0041B33B . 83CA 6B OR EDX,6B
0041B33E . 81EA F44D63A3 SUB EDX,A3634DF4
0041B344 . 8D97 A680D7AD LEA EDX,DWORD PTR DS:[EDI+ADD780A6]
0041B34A . 2BD7 SUB EDX,EDI
0041B34C . 8DBC1F 727E2852 LEA EDI,DWORD PTR DS:[EDI+EBX+52287E72]
0041B353 . 2BFB SUB EDI,EBX
0041B355 . 03FA ADD EDI,EDX
0041B357 . 0BFF OR EDI,EDI // EDI should be ==0 here
0041B359 0F85 24000000 JNZ w_.0041B383 // NOP this out ****
0041B35F . 03FF ADD EDI,EDI
0041B361 . 33FF XOR EDI,EDI
0041B363 . C1C8 71 ROR EAX,71 ; Shift constant out of range 1..31
0041B366 . C1D8 ED RCR EAX,0ED ; Shift constant out of range 1..31
0041B369 . C1D8 A5 RCR EAX,0A5 ; Shift constant out of range 1..31
0041B36C . 83D8 E1 SBB EAX,-1F
0041B36F . 33C1 XOR EAX,ECX
0041B371 . 8D442F 44 LEA EAX,DWORD PTR DS:[EDI+EBP+44]
0041B375 . 2BC5 SUB EAX,EBP
0041B377 . 8D4408 BC LEA EAX,DWORD PTR DS:[EAX+ECX-44]
0041B37B . 2BC1 SUB EAX,ECX
0041B37D . 40 INC EAX
0041B37E . E9 11000000 JMP w_.0041B394
0041B383 > 13C1 ADC EAX,ECX
0041B385 . 33C0 XOR EAX,EAX
0041B387 . E9 08000000 JMP w_.0041B394
0041B38C /$ 83CA 1B OR EDX,1B
0041B38F |. 035424 38 ADD EDX,DWORD PTR SS:[ESP+38]
0041B393 \. C3 RETN
0041B394 > 5F POP EDI
0041B395 . 5A POP EDX
0041B396 . EB 68 JMP SHORT w_.0041B400
3.) Same as 2): it checks whether the CODE at one location is E8.
0041B520 . 55 PUSH EBP
0041B521 . 8BEC MOV EBP,ESP
0041B523 . 6A FF PUSH -1
0041B525 . 68 D3144B00 PUSH w_.004B14D3 ; SE handler installation
0041B52A . 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
0041B530 . 50 PUSH EAX
0041B531 . 64:8925 00000000 MOV DWORD PTR FS:[0],ESP
0041B538 . 81EC D8020000 SUB ESP,2D8
0041B53E . 53 PUSH EBX
0041B53F . 56 PUSH ESI
...
0041B6D2 . E8 19FCFFFF CALL w_.0041B2F0 // ***
0041B6D7 . 85C0 TEST EAX,EAX
0041B6D9 . 74 31 JE SHORT w_.0041B70C
0041B6DB . 8D55 AC LEA EDX,DWORD PTR SS:[EBP-54]
0041B6DE . 8BCB MOV ECX,EBX
0041B6E0 . 52 PUSH EDX
0041B6E1 . E8 7E0A0900 CALL w_.004AC164
0041B6E6 . 85C0 TEST EAX,EAX
0041B6E8 . 75 22 JNZ SHORT w_.0041B70C
0041B6EA . 8D4D AC LEA ECX,DWORD PTR SS:[EBP-54]
0041B6ED . C745 FC FFFFFFFF MOV DWORD PTR SS:[EBP-4],-1
0041B6F4 . E8 EB060900 CALL w_.004ABDE4
0041B6F9 . 5F POP EDI
0041B6FA . 5E POP ESI
0041B6FB . 33C0 XOR EAX,EAX
0041B6FD . 5B POP EBX
0041B6FE . 8B4D F4 MOV ECX,DWORD PTR SS:[EBP-C]
0041B701 . 64:890D 00000000 MOV DWORD PTR FS:[0],ECX
0041B708 . 8BE5 MOV ESP,EBP
0041B70A . 5D POP EBP
0041B70B . C3 RETN
0041B70C > 56 PUSH ESI
0041B70D . 53 PUSH EBX
0041B70E . E8 7B000000 CALL w_.0041B78E
0041B713 . C1CE FB ROR ESI,0FB ; Shift constant out of range 1..31
0041B716 . 83DE D7 SBB ESI,-29
0041B719 . 8D7424 20 LEA ESI,DWORD PTR SS:[ESP+20]
0041B71D . 8D7426 DC LEA ESI,DWORD PTR DS:[ESI-24]
0041B721 . 8B36 MOV ESI,DWORD PTR DS:[ESI]
0041B723 . 23DB AND EBX,EBX
0041B725 . 68 9D040000 PUSH 49D
0041B72A . 335C24 08 XOR EBX,DWORD PTR SS:[ESP+8]
0041B72E . BB 8A024B00 MOV EBX,w_.004B028A ; ASCII "wL"
0041B733 . 5B POP EBX
0041B734 . 03F3 ADD ESI,EBX
0041B736 . 0BDF OR EBX,EDI
0041B738 . FF36 PUSH DWORD PTR DS:[ESI]
0041B73A . BB 6A974600 MOV EBX,w_.0046976A
0041B73F . 335C24 08 XOR EBX,DWORD PTR SS:[ESP+8]
0041B743 . 5B POP EBX
0041B744 . 81E3 FF000000 AND EBX,0FF
0041B74A . 83EE C3 SUB ESI,-3D
0041B74D . 037424 38 ADD ESI,DWORD PTR SS:[ESP+38]
0041B751 . 2BF7 SUB ESI,EDI
0041B753 . 8DB3 FAFB0220 LEA ESI,DWORD PTR DS:[EBX+2002FBFA]
0041B759 . 2BF3 SUB ESI,EBX
0041B75B . 8D9C3B 1E03FDDF LEA EBX,DWORD PTR DS:[EBX+EDI+DFFD031E]
0041B762 . 2BDF SUB EBX,EDI
0041B764 . 03DE ADD EBX,ESI
0041B766 . 0BDB OR EBX,EBX // EBX == 0!!!!
0041B768 . 0F84 27000000 JE w_.0041B795 // JMP ****
0041B76E . 8D6C4B 18 LEA EBP,DWORD PTR DS:[EBX+ECX*2+18]
0041B772 . 83ED 18 SUB EBP,18
0041B775 . 2BE9 SUB EBP,ECX
0041B777 . 83CE 8B OR ESI,FFFFFF8B
0041B77A . 83DE 67 SBB ESI,67
0041B77D . 2BFB SUB EDI,EBX
0041B77F . 68 60B6E4DD PUSH DDE4B660
0041B784 . 68 7E7B22B8 PUSH B8227B7E
0041B789 . E9 07000000 JMP w_.0041B795
0041B78E $ 83DE 57 SBB ESI,57
0041B791 . C1C6 73 ROL ESI,73 ; Shift constant out of range 1..31
0041B794 . C3 RETN
0041B795 > 5B POP EBX
0041B796 . 5E POP ESI
0041B797 . E9 80000000 JMP w_.0041B81C
I downloaded it from http://www.exacttrend.com/
Web Log Explorer 3.1 Standard Edition (Build 0318)
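The two self-checks in this post both hinge on one detail: after the IAT fixer rewrites a call site from the packer's 5-byte `E8 rel32` direct call back to the original 6-byte `FF15 disp32` indirect call, a check that probes the first byte for E8 no longer passes. The Python below is an added example (not code from the post, the script or the program) that encodes both forms, decodes them back, resolves their targets, and models the probe the post describes, so an analyst can verify what an IAT reconstruction did to a call site. Assumptions, all labelled in the code: the addresses 0041B5E7, 00427CC0 and the IAT bounds 4B5000-4B583F come from the post, the IAT slot 4B5010 and the one-byte NOP padding after the E8 form are constructed for the sample, and the self-check model is a simplification (the real routine at 0041B2F0 is obfuscated; only its E8-or-not outcome is modelled).

```python
import struct

# IAT bounds quoted in the post (the range ImpRec was pointed at).
IAT_RANGE = (0x4B5000, 0x4B583F)


def encode_direct_call(va, target):
    """E8 rel32: rel32 is relative to the end of the 5-byte instruction."""
    rel = (target - (va + 5)) & 0xFFFFFFFF
    return b"\xE8" + struct.pack("<I", rel)


def encode_indirect_call(slot):
    """FF 15 disp32: call through an absolute pointer, e.g. an IAT slot."""
    return b"\xFF\x15" + struct.pack("<I", slot)


def decode_call(code, off, base_va):
    """Classify the bytes at code[off], where code[0] lives at base_va.
    Returns (kind, target_or_slot, length) or None when it is not a call."""
    if off < len(code) and code[off] == 0xE8 and off + 5 <= len(code):
        rel = struct.unpack_from("<i", code, off + 1)[0]
        return ("direct", (base_va + off + 5 + rel) & 0xFFFFFFFF, 5)
    if code[off:off + 2] == b"\xFF\x15" and off + 6 <= len(code):
        slot = struct.unpack_from("<I", code, off + 2)[0]
        return ("indirect", slot, 6)
    return None


def scan_calls(code, base_va, iat_range=IAT_RANGE):
    """Linear byte walk reporting every call site and whether an indirect
    call goes through the IAT. A real tool would follow a disassembler's
    instruction boundaries; the byte walk is enough for this sample."""
    found, off, (lo, hi) = [], 0, iat_range
    while off < len(code):
        hit = decode_call(code, off, base_va)
        if hit is None:
            off += 1
            continue
        kind, dest, length = hit
        found.append({
            "va": base_va + off,
            "kind": kind,
            "dest": dest,
            "via_iat": kind == "indirect" and lo <= dest <= hi,
        })
        off += length
    return found


def self_check_expects_direct(code, off):
    """Simplified model of the check at 0041B2F0 in the post: returns 1 only
    when the probed byte is E8, 0 otherwise (the obfuscation is not modelled)."""
    return 1 if off < len(code) and code[off] == 0xE8 else 0


def build_sample():
    """Constructed sample: the call site at 0041B5E7 from the listing, first as
    the packer left it (E8 + one NOP pad byte, assumed), then as the IAT fixer
    rewrote it (FF15 through an assumed IAT slot 4B5010), each followed by the
    listing's MOV EDX,DWORD PTR DS:[4D300C]."""
    va = 0x41B5E7
    mov_edx = b"\x8B\x15" + struct.pack("<I", 0x4D300C)
    before = encode_direct_call(va, 0x00427CC0) + b"\x90" + mov_edx
    after = encode_indirect_call(0x4B5010) + mov_edx
    return va, before, after


if __name__ == "__main__":
    va, before, after = build_sample()
    for label, buf in (("before fix", before), ("after fix", after)):
        print(label, [(hex(c["va"]), c["kind"], hex(c["dest"]), c["via_iat"])
                      for c in scan_calls(buf, va)],
              "self-check ->", self_check_expects_direct(buf, 0))
```

Running it shows the same site decoded as a direct call to 00427CC0 before the fix (the encoded bytes match the listing's `E8 D4C60000`) and as an IAT-routed indirect call afterwards, with the modelled self-check returning 1 and then 0, which is exactly the behaviour change the post patches around.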