A DLL file is identified as ASPack 2.12 -> Alexey Solodovnikov
Opened it in OD:
300A4001 > 60 pushad
300A4002 E8 03000000 call 300A400A
300A4007 - E9 EB045D45 jmp 756744F7
300A400C 55 push ebp
300A400D C3 retn
300A400E E8 01000000 call 300A4014
300A4013 EB 5D jmp short 300A4072
300A4015 BB EDFFFFFF mov ebx, -13
300A401A 03DD add ebx, ebp
300A401C 81EB 00400A00 sub ebx, 0A4000
300A4022 807D 4D 01 cmp byte ptr [ebp+4D], 1
300A4026 75 0C jnz short 300A4034
300A4028 8B7424 28 mov esi, [esp+28]
300A402C 83FE 01 cmp esi, 1
300A402F 895D 4E mov [ebp+4E], ebx
300A4032 75 31 jnz short 300A4065
300A4034 8D45 53 lea eax, [ebp+53]
300A4037 50 push eax
300A4038 53 push ebx
300A4039 FFB5 E50B0000 push dword ptr [ebp+BE5]
300A403F 8D45 35 lea eax, [ebp+35]
300A4042 50 push eax
300A4043 E9 82000000 jmp 300A40CA
300A4048 0000 add [eax], al
300A404A 0000 add [eax], al
Stepping down with F7 reaches:
300A40AE FF75 35 push dword ptr [ebp+35]
300A40B1 FF55 3D call [ebp+3D]
300A40B4 5B pop ebx
300A40B5 0BDB or ebx, ebx
300A40B7 61 popad
300A40B8 75 06 jnz short 300A40C0
300A40BA 6A 01 push 1
300A40BC 58 pop eax
300A40BD C2 0C00 retn 0C
300A40C0 33C0 xor eax, eax
300A40C2 F7D8 neg eax
300A40C4 1BC0 sbb eax, eax
300A40C6 40 inc eax
300A40C7 C2 0C00 retn 0C
Ordinarily, going in here should lead to the OEP,
but unexpectedly it landed in system DLL territory instead:
7C9211A7 8BE6 mov esp, esi
7C9211A9 5B pop ebx
7C9211AA 5F pop edi
7C9211AB 5E pop esi
7C9211AC 5D pop ebp
7C9211AD C2 1000 retn 10
7C9211B0 90 nop
7C9211B1 90 nop
7C9211B2 90 nop
7C9211B3 90 nop
7C9211B4 90 nop
7C9211B5 > 8BFF mov edi, edi
7C9211B7 55 push ebp
7C9211B8 8BEC mov ebp, esp
7C9211BA 56 push esi
7C9211BB 57 push edi
7C9211BC 64:A1 18000000 mov eax, fs:[18]
7C9211C2 8BB0 B0010000 mov esi, [eax+1B0]
7C9211C8 85F6 test esi, esi
7C9211CA 8B7D 0C mov edi, [ebp+C]
7C9211CD 0F85 10F20000 jnz 7C9303E3
7C9211D3 85FF test edi, edi
7C9211D5 0F85 11F20000 jnz 7C9303EC
7C9211DB 803D 04C0997C 0>cmp byte ptr [7C99C004], 0
7C9211E2 0F85 04F20000 jnz 7C9303EC
7C9211E8 8B45 08 mov eax, [ebp+8]
I have tried various unpackers and none of them can unpack it. Could everyone take a look and help?
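The opening bytes of the stub above (pushad, call $+8, the E9 EB045D45 jmp, push ebp, retn, ...) are what packer identifiers key on before any unpacking is attempted. As an added example that is not the poster's code, here is a small Python checker that locates the PE entry point through the section table and matches those stub bytes, wildcarding only the image-specific `sub ebx` operand; the minimal PE32 it builds is constructed test input, not the poster's DLL.

```python
import struct

# ASPack 2.12 entry-stub bytes taken from the disassembly quoted above
# (pushad / call $+8 / jmp / push ebp / retn / call $+6 / jmp short /
# mov ebx,-13 / add ebx,ebp / sub ebx,<image-specific> / cmp byte [ebp+4D],1).
# "??" wildcards the operand bytes that differ per packed image.
ASPACK_212_SIG = ("60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D "
                  "BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C")

# Stub bytes transcribed from the OllyDbg listing above (constructed sample input).
PAGE_STUB = bytes.fromhex("60E803000000E9EB045D4555C3E801000000EB5DBBEDFFFFFF03DD"
                          "81EB00400A00807D4D01750C8B74242883FE01895D4E7531")

def sig_matches(code, sig):
    """Match a space-separated hex signature (with ?? wildcards) at code[0]."""
    pat = [None if t == "??" else int(t, 16) for t in sig.split()]
    return len(code) >= len(pat) and all(p is None or p == b for p, b in zip(pat, code))

def entry_point_offset(pe):
    """Map AddressOfEntryPoint (an RVA) to a file offset via the section table."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    ep_rva = struct.unpack_from("<I", pe, e_lfanew + 40)[0]   # optional header + 16
    sec = e_lfanew + 24 + opt_size                            # first IMAGE_SECTION_HEADER
    for _ in range(nsec):
        vsize, va, rawsize, rawptr = struct.unpack_from("<4I", pe, sec + 8)
        if va <= ep_rva < va + max(vsize, rawsize):
            return rawptr + (ep_rva - va)
        sec += 40
    raise ValueError("entry point lies outside every section")

def is_aspack_212(pe):
    """True when the bytes at the PE entry point match the ASPack 2.12 stub."""
    off = entry_point_offset(pe)
    return sig_matches(pe[off:off + 64], ASPACK_212_SIG)

def build_sample(stub):
    """Constructed minimal PE32 DLL with one section whose entry point holds `stub`."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)                  # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 14 + struct.pack("<I", 0x1000) + b"\0" * (0xE0 - 20)
    sec = b".aspack\0" + struct.pack("<IIII", 0x1000, 0x1000, 0x200, 0x200) + b"\0" * 16
    hdr = dos + coff + opt + sec
    return hdr + b"\0" * (0x200 - len(hdr)) + stub.ljust(0x200, b"\0")

if __name__ == "__main__":
    print("ASPack 2.12 stub at entry point:", is_aspack_212(build_sample(PAGE_STUB)))
```

Point `is_aspack_212` at the bytes of a real file to check whether its entry point carries this stub; a packed image that has been rebuilt to its OEP will no longer match.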