It's an enterprise search directory program. I cracked it before, but it has since been upgraded.
Program URL: http://wt.flyhight.com/soft/searchw.rar
PEiD identifies the packer as
Microsoft Visual C++ 6.0
which looks a bit fake; it used to be packed with ASPack and was written in Delphi. Took a look in OD:
00750060 > 55 PUSH EBP //entry point
00750061 8BEC MOV EBP,ESP
00750063 6A FF PUSH -1
00750065 68 3E1E4000 PUSH SearchW.00401E3E
0075006A 68 521E4000 PUSH SearchW.00401E52
0075006F 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
00750075 50 PUSH EAX
00750076 64:8925 0000000>MOV DWORD PTR FS:[0],ESP
0075007D 83EC 44 SUB ESP,44 //stepped with F8 all the way down
00750225 3C 04 CMP AL,4
00750227 74 05 JE SHORT SearchW.0075022E
00750229 EB 01 JMP SHORT SearchW.0075022C
0075022B - E9 61C38DB5 JMP B602C591 //it jumped
00750230 53 PUSH EBX
0075022E 8DB5 532A4000 LEA ESI,DWORD PTR SS:[EBP+402A53] //this is where I dumped it out.
00750234 8D85 DD1F4000 LEA EAX,DWORD PTR SS:[EBP+401FDD]
0075023A 8946 08 MOV DWORD PTR DS:[ESI+8],EAX
0075023D 33DB XOR EBX,EBX
0075023F 8D85 AC284000 LEA EAX,DWORD PTR SS:[EBP+4028AC]
00750245 50 PUSH EAX
Stepping any further just dies. I dumped it out and ran PEiD, which reported the packer below:
yoda's Protector v1.02 (.dll,.ocx) --> Ashkbiz Danehkar *
I've never run into this one before.
I found fly's script for yoda's Protector V1.03.X and hid OD.
#log
dbh
var T0
var T1
var T2
var T3
var T4
MSGYN "Plz Clear All BreakPoints And Set Debugging Option Ignore All Excepions Options. "
cmp $RESULT, 0
je TryAgain
//GetVersion――――――――――――――――――――――――――――――――
/*
00461EBE FF541D 00 call dword ptr ss:[ebp+ebx]; kernel32.GetVersion
00461EC2 A9 00000080 test eax,80000000
00461EC7 74 20 je short 00461EE9
00461EC9 3C 04 cmp al,4
00461ECB 75 0C jnz short 00461ED9
00461ECD C785 48A04200 0>mov dword ptr ss:[ebp+42A048],2
00461ED7 EB 40 jmp short 00461F19
00461ED9 3C 03 cmp al,3
00461EDB 75 3C jnz short 00461F19
00461EDD C785 48A04200 0>mov dword ptr ss:[ebp+42A048],1
00461EE7 EB 30 jmp short 00461F19
00461EE9 3C 03 cmp al,3
//Windows3.X ?
00461EEB 75 0C jnz short 00461EF9
00461EED C785 48A04200 0>mov dword ptr ss:[ebp+42A048],4
00461EF7 EB 20 jmp short 00461F19
00461EF9 3C 04 cmp al,4
//Windows9X、NT4.0 ?
00461EFB 75 0C jnz short 00461F09
00461EFD C785 48A04200 0>mov dword ptr ss:[ebp+42A048],8
*/
gpa "GetVersion", "KERNEL32.dll"
eob GetVersion
bp $RESULT
esto
GoOn0:
esto
GetVersion:
cmp eip,$RESULT
jne GoOn0
bc $RESULT
rtu
mov eax,4
mov [$RESULT], #B804000000C3# //the script only runs up to here, which means
00406DDB E8 98A6FFFF CALL SearchW.00401478 // the script stops at this point in the program.
; JMP to kernel32.GetVersion
00406DE0 25 00000080 AND EAX,80000000
00406DE5 3D 00000080 CMP EAX,80000000
00406DEA 74 2D JE SHORT SearchW.00406E19
00406DEC E8 87A6FFFF CALL SearchW.00401478 ; JMP to kernel32.GetVersion
00406DF1 25 FF000000 AND EAX,0FF
00406DF6 66:83F8 04 CMP AX,4 //F8 to here and OD hangs.
00406DFA 76 0C JBE SHORT SearchW.00406E08
00406DFC C705 C0A56300 0>MOV DWORD PTR DS:[63A5C0],3
00406E06 EB 20 JMP SHORT SearchW.00406E28
Any advice would be appreciated.
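To make the two GetVersion checks in the listings above easier to follow, here is an added Python example (not from the post or from fly's script) that decodes a GetVersion return value using the documented Win32 layout and mirrors the visible branch trees: the packer's table at 00461EC2-00461EFD and the program's own check at 00406DE0-00406E06. The function names, the sample values, and the assumption that the second CALL at 00406DEC returns the same value as the first are mine.

```python
from typing import Optional

# Documented layout of GetVersion()'s DWORD:
#   bit 31   : 1 = Windows 9x / Win32s family, 0 = Windows NT family
#   bits 0-7 : major version, bits 8-15 : minor version
def decode_getversion(eax: int) -> dict:
    return {"win9x_family": bool(eax & 0x80000000),
            "major": eax & 0xFF,
            "minor": (eax >> 8) & 0xFF}

def packer_check(eax: int) -> Optional[int]:
    """Mirror of 00461EC2-00461EFD: the value the packer stores in
    [ebp+42A048], or None when control leaves the quoted listing."""
    al = eax & 0xFF
    if eax & 0x80000000:        # test eax,80000000 -> je 00461EE9 not taken
        if al == 4:             # 00461EC9: cmp al,4
            return 2
        if al == 3:             # 00461ED9: cmp al,3
            return 1
        return None             # jnz 00461F19
    if al == 3:                 # 00461EE9: cmp al,3
        return 4
    if al == 4:                 # 00461EF9: cmp al,4
        return 8
    return None                 # jnz 00461F09 (not in the listing)

def program_check(eax: int) -> str:
    """Mirror of 00406DE0-00406E06 in SearchW: the branch that is taken.
    Assumes both CALLs to GetVersion return the same eax."""
    if (eax & 0x80000000) == 0x80000000:   # and/cmp 80000000 ; je 00406E19
        return "je 00406E19"
    ax = eax & 0xFF                        # and eax,0FF
    if ax <= 4:                            # cmp ax,4 ; jbe 00406E08
        return "jbe 00406E08"
    return "mov [63A5C0],3"                # else store 3, jmp 00406E28

# The bytes fly's script writes over GetVersion: mov eax,4 ; ret
PATCH = bytes.fromhex("B804000000C3")
FORCED_EAX = int.from_bytes(PATCH[1:5], "little")   # imm32 of the mov

if __name__ == "__main__":
    # FORCED_EAX is what the patched stub returns; the other two are
    # constructed sample values for a 9x-style and an NT-style result.
    for v in (FORCED_EAX, 0xC0000004, 0x0A280105):
        print(hex(v), decode_getversion(v), packer_check(v), program_check(v))
```

Running it shows that the forced value 4 takes the packer's al==4 path on the NT side (stores 8) and the program's `jbe 00406E08` path, so the hang at 00406DF6 is not caused by the comparison result itself.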