-
-
[求助]谁知道这是什么壳?伪装壳?
-
发表于: 2006-7-8 23:57
-
某程序扒了壳以后,peid显示Borland C++ 1999
od载入,停在这里
0040169C > /EB 10 JMP SHORT ephmse1_.004016AE
0040169E |66:623A BOUND DI,DWORD PTR DS:[EDX]
004016A1 |43 INC EBX
004016A2 |2B2B SUB EBP,DWORD PTR DS:[EBX]
004016A4 |48 DEC EAX
004016A5 |4F DEC EDI
004016A6 |4F DEC EDI
004016A7 |4B DEC EBX
004016A8 |90 NOP
004016A9 -|E9 98D04E00 JMP 008EE746
004016AE \A1 8BD04E00 MOV EAX,DWORD PTR DS:[4ED08B]
004016B3 C1E0 02 SHL EAX,2
004016B6 A3 8FD04E00 MOV DWORD PTR DS:[4ED08F],EAX
004016BB 52 PUSH EDX
004016BC 6A 00 PUSH 0
004016BE E8 57AA0E00 CALL <JMP.&kernel32.GetModuleHandleA>
004016C3 8BD0 MOV EDX,EAX
004016C5 E8 86B50D00 CALL ephmse1_.004DCC50
004016CA 5A POP EDX
004016CB E8 E4B40D00 CALL ephmse1_.004DCBB4
004016D0 E8 BBB50D00 CALL ephmse1_.004DCC90
004016D5 6A 00 PUSH 0
004016D7 E8 C0CA0D00 CALL ephmse1_.004DE19C
004016DC 59 POP ECX
004016DD 68 34D04E00 PUSH ephmse1_.004ED034
004016E2 6A 00 PUSH 0
004016E4 E8 31AA0E00 CALL <JMP.&kernel32.GetModuleHandleA>
004016E9 A3 93D04E00 MOV DWORD PTR DS:[4ED093],EAX
004016EE 6A 00 PUSH 0
004016F0 E9 235D0E00 JMP ephmse1_.004E7418
004016F5 > E9 EECA0D00 JMP ephmse1_.004DE1E8
004016FA 33C0 XOR EAX,EAX
004016FC A0 7DD04E00 MOV AL,BYTE PTR DS:[4ED07D]
00401701 C3 RETN
004E7418 55 PUSH EBP
004E7419 8BEC MOV EBP,ESP
004E741B 83C4 F4 ADD ESP,-0C
004E741E 53 PUSH EBX
004E741F 56 PUSH ESI
004E7420 57 PUSH EDI
004E7421 8B75 08 MOV ESI,DWORD PTR SS:[EBP+8]
004E7424 8B46 10 MOV EAX,DWORD PTR DS:[ESI+10]
004E7427 83E0 01 AND EAX,1
004E742A A3 7C574F00 MOV DWORD PTR DS:[4F577C],EAX
004E742F E8 10CFFFFF CALL ephmse1_.004E4344
004E7434 8B56 20 MOV EDX,DWORD PTR DS:[ESI+20]
004E7437 52 PUSH EDX
004E7438 8B4E 1C MOV ECX,DWORD PTR DS:[ESI+1C]
004E743B 51 PUSH ECX
004E743C E8 4FD3FFFF CALL ephmse1_.004E4790
004E7441 83C4 08 ADD ESP,8
004E7444 8B46 28 MOV EAX,DWORD PTR DS:[ESI+28]
004E7447 50 PUSH EAX
004E7448 E8 777BFFFF CALL ephmse1_.004DEFC4
004E744D 59 POP ECX
004E744E 8B56 44 MOV EDX,DWORD PTR DS:[ESI+44]
004E7451 52 PUSH EDX
004E7452 E8 7D7BFFFF CALL ephmse1_.004DEFD4
004E7457 59 POP ECX
看样子不像Borland C++ 1999,有点象Delphi,可以用DEDE反编,请问要怎么扒了这层壳?
od载入,停在这里
0040169C > /EB 10 JMP SHORT ephmse1_.004016AE
0040169E |66:623A BOUND DI,DWORD PTR DS:[EDX]
004016A1 |43 INC EBX
004016A2 |2B2B SUB EBP,DWORD PTR DS:[EBX]
004016A4 |48 DEC EAX
004016A5 |4F DEC EDI
004016A6 |4F DEC EDI
004016A7 |4B DEC EBX
004016A8 |90 NOP
004016A9 -|E9 98D04E00 JMP 008EE746
004016AE \A1 8BD04E00 MOV EAX,DWORD PTR DS:[4ED08B]
004016B3 C1E0 02 SHL EAX,2
004016B6 A3 8FD04E00 MOV DWORD PTR DS:[4ED08F],EAX
004016BB 52 PUSH EDX
004016BC 6A 00 PUSH 0
004016BE E8 57AA0E00 CALL <JMP.&kernel32.GetModuleHandleA>
004016C3 8BD0 MOV EDX,EAX
004016C5 E8 86B50D00 CALL ephmse1_.004DCC50
004016CA 5A POP EDX
004016CB E8 E4B40D00 CALL ephmse1_.004DCBB4
004016D0 E8 BBB50D00 CALL ephmse1_.004DCC90
004016D5 6A 00 PUSH 0
004016D7 E8 C0CA0D00 CALL ephmse1_.004DE19C
004016DC 59 POP ECX
004016DD 68 34D04E00 PUSH ephmse1_.004ED034
004016E2 6A 00 PUSH 0
004016E4 E8 31AA0E00 CALL <JMP.&kernel32.GetModuleHandleA>
004016E9 A3 93D04E00 MOV DWORD PTR DS:[4ED093],EAX
004016EE 6A 00 PUSH 0
004016F0 E9 235D0E00 JMP ephmse1_.004E7418
004016F5 > E9 EECA0D00 JMP ephmse1_.004DE1E8
004016FA 33C0 XOR EAX,EAX
004016FC A0 7DD04E00 MOV AL,BYTE PTR DS:[4ED07D]
00401701 C3 RETN
004E7418 55 PUSH EBP
004E7419 8BEC MOV EBP,ESP
004E741B 83C4 F4 ADD ESP,-0C
004E741E 53 PUSH EBX
004E741F 56 PUSH ESI
004E7420 57 PUSH EDI
004E7421 8B75 08 MOV ESI,DWORD PTR SS:[EBP+8]
004E7424 8B46 10 MOV EAX,DWORD PTR DS:[ESI+10]
004E7427 83E0 01 AND EAX,1
004E742A A3 7C574F00 MOV DWORD PTR DS:[4F577C],EAX
004E742F E8 10CFFFFF CALL ephmse1_.004E4344
004E7434 8B56 20 MOV EDX,DWORD PTR DS:[ESI+20]
004E7437 52 PUSH EDX
004E7438 8B4E 1C MOV ECX,DWORD PTR DS:[ESI+1C]
004E743B 51 PUSH ECX
004E743C E8 4FD3FFFF CALL ephmse1_.004E4790
004E7441 83C4 08 ADD ESP,8
004E7444 8B46 28 MOV EAX,DWORD PTR DS:[ESI+28]
004E7447 50 PUSH EAX
004E7448 E8 777BFFFF CALL ephmse1_.004DEFC4
004E744D 59 POP ECX
004E744E 8B56 44 MOV EDX,DWORD PTR DS:[ESI+44]
004E7451 52 PUSH EDX
004E7452 E8 7D7BFFFF CALL ephmse1_.004DEFD4
004E7457 59 POP ECX
看样子不像Borland C++ 1999,有点象Delphi,可以用DEDE反编,请问要怎么扒了这层壳?
|
|
|---|---|
|
|
|
|
|
是BC++?
OD载入老提示入口点超出代码范围,是不是壳没有扒干净的缘故? 
|
|
|
|
|
|
 终于正常了,3ks
|
