Unpacking the target program [啊啦QQ大盗0526]: PEiD 0.94 reports Borland Delphi v3.0 *. Loading it in OD, a few instructions past the OEP there is a big JMP:
004B2000 a> 55 push ebp
004B2001 8BEC mov ebp,esp
004B2003 83C4 F4 add esp,-0C
004B2006 83C4 0C add esp,0C
004B2009 50 push eax
004B200A B8 01E04A00 mov eax,alaqq052.004AE001
004B200F FFE0 jmp eax <--------
004B2011 90 nop
004B2012 0000 add byte ptr ds:[eax],al
004B2014 0000 add byte ptr ds:[eax],al
Following the JMP lands on the ASPack 1.21 entry code:
004AE001 60 pushad
004AE002 E8 03000000 call alaqq052.004AE00A
004AE007 - E9 EB045D45 jmp 45A7E4F7
004AE00C 55 push ebp
004AE00D C3 retn
004AE00E E8 01000000 call alaqq052.004AE014
004AE013 EB 5D jmp short alaqq052.004AE072
004AE015 BB EDFFFFFF mov ebx,-13
004AE01A 03DD add ebx,ebp
004AE01C 81EB 00E00A00 sub ebx,0AE000
004AE022 83BD 22040000 00 cmp dword ptr ss:[ebp+422],0
004AE029 899D 22040000 mov dword ptr ss:[ebp+422],ebx
004AE02F 0F85 65030000 jnz alaqq052.004AE39A
Dumping from 004AE001 gives a file that does not run, and ASPackDie cannot unpack it either.
Unpacking it by hand, I get this entry point:
00473A78 55 push ebp
00473A79 8BEC mov ebp,esp
00473A7B 83C4 F0 add esp,-10
00473A7E B8 48384700 mov eax,alaqq052.00473848
00473A83 E8 0829F9FF call alaqq052.00406390
00473A88 33C0 xor eax,eax
00473A8A 55 push ebp
00473A8B 68 FB3A4700 push alaqq052.00473AFB
00473A90 64:FF30 push dword ptr fs:[eax]
00473A93 64:8920 mov dword ptr fs:[eax],esp
00473A96 B8 646C4700 mov eax,alaqq052.00476C64
00473A9B BA 103B4700 mov edx,alaqq052.00473B10 ; ASCII " "
00473AA0 E8 570BF9FF call alaqq052.004045FC
00473AA5 90 nop
But the dump still does not work, and PEiD v9.4 finds nothing.
Can anyone help? Thanks!!
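An added triage helper (not the poster's code) for checking where a dump's entry really points: it classifies the three candidate entry points from the listings above by their bytes, and replays the ASPack stub's delta-offset arithmetic to recover the image base it computes. The byte strings are transcribed from the post's disassembly; the fixed offsets into the ASPack stub are an assumption taken from this listing only.

```python
import struct

# Constructed sample data: bytes transcribed from the three OllyDbg listings above.
STUB_004B2000 = bytes.fromhex("558BEC83C4F483C40C50B801E04A00FFE090")
ASPACK_004AE001 = bytes.fromhex("60E803000000E9EB045D4555C3E801000000EB5DBBEDFFFFFF03DD81EB00E00A00")
OEP_00473A78 = bytes.fromhex("558BEC83C4F0B848384700E80829F9FF33C05568FB3A470064FF3064892090")

# pushad / call $+8 / (E9 never runs: EB 04 5D 45 = jmp short, pop ebp, inc ebp) / push ebp / retn
ASPACK_12X_SIG = bytes.fromhex("60E803000000E9EB045D4555C3")
DELPHI_PROLOGUE = bytes.fromhex("558BEC83C4")  # push ebp / mov ebp,esp / add esp,imm8

def find_jmp_eax_target(code):
    """Return the imm32 of a 'mov eax,imm32 ; jmp eax' pair, or None if absent."""
    for i in range(len(code) - 6):
        if code[i] == 0xB8 and code[i + 5:i + 7] == b"\xff\xe0":
            return struct.unpack_from("<I", code, i + 1)[0]
    return None

def classify_entry(code):
    """Label the bytes at a candidate entry point.
    A Delphi-looking prologue that ends in 'jmp eax' is a decoy placed in front of
    the packer loader (so PEiD reports Delphi); the real OEP has the prologue
    followed by calls into the runtime, and the packer stub itself starts with pushad.
    """
    if code.startswith(DELPHI_PROLOGUE):
        target = find_jmp_eax_target(code)
        return ("trampoline", target) if target is not None else ("delphi_prologue", None)
    if code.startswith(ASPACK_12X_SIG):
        return ("aspack_stub", None)
    return ("unknown", None)

def aspack_image_base(code, stub_va):
    """Replay the delta-offset arithmetic of the ASPack stub to get the image base.
    The call at stub+0x0D returns to stub+0x12; the 'pop ebp' at stub+0x13 leaves
    that return address in ebp, then mov ebx,imm32 / add ebx,ebp / sub ebx,imm32
    yields the image base in ebx.  Offsets 20 and 27 are assumed from this listing.
    """
    if len(code) < 33 or code[20] != 0xBB or code[27:29] != b"\x81\xeb":
        return None
    ebx_imm = struct.unpack_from("<i", code, 21)[0]  # -0x13 in the listing (signed)
    sub_imm = struct.unpack_from("<I", code, 29)[0]  # 0x0AE000 in the listing
    ebp = stub_va + 0x12
    return (ebp + ebx_imm - sub_imm) & 0xFFFFFFFF

if __name__ == "__main__":
    for name, blob in (("004B2000", STUB_004B2000), ("004AE001", ASPACK_004AE001),
                       ("00473A78", OEP_00473A78)):
        print(name, classify_entry(blob))
    print("ASPack-computed image base: %08X" % aspack_image_base(ASPACK_004AE001, 0x004AE001))
```

For the listing above the trampoline resolves to 004AE001 and the stub's arithmetic lands on 00400000, which is why a dump taken at the packer entry still contains the loader rather than the Delphi program.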