-
-
[求助]脱壳后能正常运行却不能修改资源?
-
发表于: 2006-8-2 21:25
-
PEID杳的:nSPack 1.3 -> North Star/Liu Xing Ping
脱了以后是
004B2C71 8BEC mov ebp, esp
004B2C73 83C4 F0 add esp, -10
004B2C76 B8 F8294B00 mov eax, 004B29F8
004B2C7B E8 4831F5FF call 00405DC8
004B2C80 A1 84584B00 mov eax, [4B5884]
004B2C85 8B00 mov eax, [eax]
004B2C87 E8 242BFAFF call 004557B0
004B2C8C 8B0D A8574B00 mov ecx, [4B57A8] ; 最新局域.004B7D3C
004B2C92 A1 84584B00 mov eax, [4B5884]
004B2C97 8B00 mov eax, [eax]
004B2C99 8B15 6C214B00 mov edx, [4B216C] ; 最新局域.004B21B8
004B2C9F E8 242BFAFF call 004557C8
004B2CA4 A1 84584B00 mov eax, [4B5884]
004B2CA9 8B00 mov eax, [eax]
004B2CAB E8 982BFAFF call 00455848
004B2CB0 E8 0F12F5FF call 00403EC4
004B2CB5 8D40 00 lea eax, [eax]
004B2CB8 0000 add [eax], al
....................................................
这样是不是没有脱完啊!!
我后来在第五个CALL跟进去看了看
是这些东西
00455848 $ 55 push ebp
00455849 . 8BEC mov ebp, esp
0045584B . 51 push ecx
0045584C . 53 push ebx
0045584D . 56 push esi
0045584E . 57 push edi
0045584F . 8945 FC mov [ebp-4], eax
00455852 . 8B45 FC mov eax, [ebp-4]
00455855 . C680 A5000000>mov byte ptr [eax+A5], 1
0045585C . 33D2 xor edx, edx
0045585E . 55 push ebp
0045585F . 68 26594500 push 00455926
00455864 . 64:FF32 push dword ptr fs:[edx]
00455867 . 64:8922 mov fs:[edx], esp
0045586A . B8 08C74400 mov eax, 0044C708 ; 入口地址
像是真正的OEP
而在这00455848 $ 55 push ebp
直接DUMP程序不能运行!!
后边要怎么做啊~~
脱了以后是
004B2C71 8BEC mov ebp, esp
004B2C73 83C4 F0 add esp, -10
004B2C76 B8 F8294B00 mov eax, 004B29F8
004B2C7B E8 4831F5FF call 00405DC8
004B2C80 A1 84584B00 mov eax, [4B5884]
004B2C85 8B00 mov eax, [eax]
004B2C87 E8 242BFAFF call 004557B0
004B2C8C 8B0D A8574B00 mov ecx, [4B57A8] ; 最新局域.004B7D3C
004B2C92 A1 84584B00 mov eax, [4B5884]
004B2C97 8B00 mov eax, [eax]
004B2C99 8B15 6C214B00 mov edx, [4B216C] ; 最新局域.004B21B8
004B2C9F E8 242BFAFF call 004557C8
004B2CA4 A1 84584B00 mov eax, [4B5884]
004B2CA9 8B00 mov eax, [eax]
004B2CAB E8 982BFAFF call 00455848
004B2CB0 E8 0F12F5FF call 00403EC4
004B2CB5 8D40 00 lea eax, [eax]
004B2CB8 0000 add [eax], al
....................................................
这样是不是没有脱完啊!!
我后来在第五个CALL跟进去看了看
是这些东西
00455848 $ 55 push ebp
00455849 . 8BEC mov ebp, esp
0045584B . 51 push ecx
0045584C . 53 push ebx
0045584D . 56 push esi
0045584E . 57 push edi
0045584F . 8945 FC mov [ebp-4], eax
00455852 . 8B45 FC mov eax, [ebp-4]
00455855 . C680 A5000000>mov byte ptr [eax+A5], 1
0045585C . 33D2 xor edx, edx
0045585E . 55 push ebp
0045585F . 68 26594500 push 00455926
00455864 . 64:FF32 push dword ptr fs:[edx]
00455867 . 64:8922 mov fs:[edx], esp
0045586A . B8 08C74400 mov eax, 0044C708 ; 入口地址
像是真正的OEP
而在这00455848 $ 55 push ebp
直接DUMP程序不能运行!!
后边要怎么做啊~~
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
