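I'm a newbie learning to unpack, but I hit a wall right away with one program. Please give me some hints so I can keep learning:
I analyzed the program with PEiD. The normal scan found nothing; the hardcore scan gave: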
UPX 0.80 - 1.24 DLL -> Markus & Laszlo
So I tried UPX, but it couldn't unpack it; it said the file was not packed with UPX.
I opened it in OD
and immediately got:
32位可执行文件 xxxx 的格式错误
Then the code shown was as follows:
7C952584 C3 RETN
7C952585 90 NOP
7C952586 8BFF MOV EDI,EDI
7C952588 > CC INT3
7C952589 C3 RETN
7C95258A 8BFF MOV EDI,EDI
7C95258C 8B4424 04 MOV EAX,DWORD PTR SS:[ESP+4]
7C952590 CC INT3
7C952591 C2 0400 RETN 4
7C952594 > 64:A1 18000000 MOV EAX,DWORD PTR FS:[18]
7C95259A C3 RETN
7C95259B > 57 PUSH EDI
7C95259C 8B7C24 0C MOV EDI,DWORD PTR SS:[ESP+C]
7C9525A0 8B5424 08 MOV EDX,DWORD PTR SS:[ESP+8]
7C9525A4 C702 00000000 MOV DWORD PTR DS:[EDX],0
7C9525AA 897A 04 MOV DWORD PTR DS:[EDX+4],EDI
7C9525AD 0BFF OR EDI,EDI
7C9525AF 74 1E JE SHORT ntdll.7C9525CF
7C9525B1 83C9 FF OR ECX,FFFFFFFF
7C9525B4 33C0 XOR EAX,EAX
7C9525B6 F2:AE REPNE SCAS BYTE PTR ES:[EDI]
7C9525B8 F7D1 NOT ECX
7C9525BA 81F9 FFFF0000 CMP ECX,0FFFF
7C9525C0 76 05 JBE SHORT ntdll.7C9525C7
7C9525C2 B9 FFFF0000 MOV ECX,0FFFF
7C9525C7 66:894A 02 MOV WORD PTR DS:[EDX+2],CX
7C9525CB 49 DEC ECX
7C9525CC 66:890A MOV WORD PTR DS:[EDX],CX
7C9525CF 5F POP EDI
7C9525D0 C2 0800 RETN 8
7C9525D3 > 57 PUSH EDI
7C9525D4 8B7C24 0C MOV EDI,DWORD PTR SS:[ESP+C]
7C9525D8 8B5424 08 MOV EDX,DWORD PTR SS:[ESP+8]
7C9525DC C702 00000000 MOV DWORD PTR DS:[EDX],0
7C9525E2 897A 04 MOV DWORD PTR DS:[EDX+4],EDI
7C9525E5 0BFF OR EDI,EDI
7C9525E7 74 1E JE SHORT ntdll.7C952607
7C9525E9 83C9 FF OR ECX,FFFFFFFF
7C9525EC 33C0 XOR EAX,EAX
7C9525EE F2:AE REPNE SCAS BYTE PTR ES:[EDI]
7C9525F0 F7D1 NOT ECX
7C9525F2 81F9 FFFF0000 CMP ECX,0FFFF
7C9525F8 76 05 JBE SHORT ntdll.7C9525FF
7C9525FA B9 FFFF0000 MOV ECX,0FFFF
7C9525FF 66:894A 02 MOV WORD PTR DS:[EDX+2],CX
7C952603 49 DEC ECX
7C952604 66:890A MOV WORD PTR DS:[EDX],CX
7C952607 5F POP EDI
7C952608 C2 0800 RETN 8
7C95260B > 57 PUSH EDI
7C95260C 8B7C24 0C MOV EDI,DWORD PTR SS:[ESP+C]
7C952610 8B5424 08 MOV EDX,DWORD PTR SS:[ESP+8]
7C952614 C702 00000000 MOV DWORD PTR DS:[EDX],0
7C95261A 897A 04 MOV DWORD PTR DS:[EDX+4],EDI
7C95261D 0BFF OR EDI,EDI
7C95261F 74 22 JE SHORT ntdll.7C952643
7C952621 83C9 FF OR ECX,FFFFFFFF
7C952624 33C0 XOR EAX,EAX
7C952626 66:F2:AF REPNE SCAS WORD PTR ES:[EDI]
7C952629 F7D1 NOT ECX
7C95262B D1E1 SHL ECX,1
7C95262D 81F9 FEFF0000 CMP ECX,0FFFE
7C952633 76 05 JBE SHORT ntdll.7C95263A
7C952635 B9 FEFF0000 MOV ECX,0FFFE
7C95263A 66:894A 02 MOV WORD PTR DS:[EDX+2],CX
7C95263E 49 DEC ECX
7C95263F 49 DEC ECX
7C952640 66:890A MOV WORD PTR DS:[EDX],CX
7C952643 5F POP EDI
7C952644 C2 0800 RETN 8
7C952647 > 83EC 0C SUB ESP,0C
7C95264A DD1424 FST QWORD PTR SS:[ESP]
7C95264D E8 851E0000 CALL ntdll.7C9544D7
7C952652 E8 0D000000 CALL ntdll.7C952664
7C952657 83C4 0C ADD ESP,0C
7C95265A C3 RETN
7C95265B > 8D5424 04 LEA EDX,DWORD PTR SS:[ESP+4]
7C95265F E8 301E0000 CALL ntdll.7C954494
7C952664 52 PUSH EDX
7C952665 9B WAIT
7C952666 D93C24 FSTCW WORD PTR SS:[ESP]
7C952669 74 50 JE SHORT ntdll.7C9526BB
7C95266B 66:813C24 7F02 CMP WORD PTR SS:[ESP],27F
7C952671 74 06 JE SHORT ntdll.7C952679
7C952673 D92D A0F1957C FLDCW WORD PTR DS:[7C95F1A0]
7C952679 D9FE FSIN
7C95267B 9B WAIT
7C95267C DFE0 FSTSW AX
7C95267E 9E SAHF
7C95267F 7A 1D JPE SHORT ntdll.7C95269E
7C952681 833D 149D9B7C 0>CMP DWORD PTR DS:[7C9B9D14],0
7C952688 0F85 5F1E0000 JNZ ntdll.7C9544ED
7C95268E BA 1E000000 MOV EDX,1E
7C952693 8D0D A09C9B7C LEA ECX,DWORD PTR DS:[7C9B9CA0]
7C952699 E9 5C1E0000 JMP ntdll.7C9544FA
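No matter how I look at it, I can't make sense of it. Could the experts here please give me some pointers? I'm only doing this to learn the technique, so I won't give the program's name or a download link.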