A DLL packed with ASProtect SKE V2.3 build 06.26.
Loaded it in OD, ignored all exceptions except int3, ran it, set a memory breakpoint on the code section on the second pass, and F9 landed at the OEP:
300A4001 > 60 pushad
300A4002 E8 03000000 call 300A400A
300A4007 - E9 EB045D45 jmp 756744F7
300A400C 55 push ebp
300A400D C3 retn
300A400E E8 01000000 call 300A4014
300A4013 EB 5D jmp short 300A4072
300A4015 BB EDFFFFFF mov ebx, -13
300A401A 03DD add ebx, ebp
300A401C 81EB 00400A00 sub ebx, 0A4000
300A4022 807D 4D 01 cmp byte ptr [ebp+4D], 1
300A4026 75 0C jnz short 300A4034
300A4028 8B7424 28 mov esi, [esp+28]
300A402C 83FE 01 cmp esi, 1
300A402F 895D 4E mov [ebp+4E], ebx
300A4032 75 31 jnz short 300A4065
300A4034 8D45 53 lea eax, [ebp+53]
300A4037 50 push eax
300A4038 53 push ebx
300A4039 FFB5 E50B0000 push dword ptr [ebp+BE5]
300A403F 8D45 35 lea eax, [ebp+35]
300A4042 50 push eax
300A4043 E9 82000000 jmp 300A40CA
300A4048 0000 add [eax], al
Reloaded, pressed F9 once, and it breaks here:
0091E2BB 90 nop
0091E2BC EB 01 jmp short 0091E2BF
0091E2BE 6966 81 FE47467>imul esp, [esi-7F], 744647FE
Searched all strings and double-clicked the second "85":
0091F457 66:A5 movs word ptr es:[edi], word ptr [esi>
0091F459 EB 0A jmp short 0091F465
0091F45B 68 A4F69100 push 91F6A4 ; ASCII "85",CR,LF
0091F460 E8 6B68FDFF call 008F5CD0
0091F465 A1 0C2B9200 mov eax, [922B0C]
0091F46A 8B00 mov eax, [eax]
0091F46C E8 9F57FFFF call 00914C10 ; step into here
0091F471 84C0 test al, al
0091F473 75 0A jnz short 0091F47F
0091F475 68 A4F69100 push 91F6A4 ; ASCII "85",CR,LF
0091F47A E8 5168FDFF call 008F5CD0
0091F47F 8B15 542C9200 mov edx, [922C54]
Following it down:
00914CFC 85C0 test eax, eax
00914CFE 75 0A jnz short 00914D0A
00914D00 68 584D9100 push 914D58 ; ASCII "180",CR,LF
00914D05 E8 C60FFEFF call 008F5CD0
00914D0A 834424 08 04 add dword ptr [esp+8], 4
00914D0F 47 inc edi
00914D10 EB 1A jmp short 00914D2C
00914D12 83C7 02 add edi, 2
00914D15 8BC7 mov eax, edi
00914D17 50 push eax
00914D18 55 push ebp
00914D19 8D4424 10 lea eax, [esp+10]
00914D1D 50 push eax
00914D1E 56 push esi
00914D1F E8 8CFCFFFF call 009149B0 ; step into here
00914D24 0FB707 movzx eax, word ptr [edi]
00914D27 83C0 02 add eax, 2
00914D2A 03F8 add edi, eax
009149DF 8943 2C mov [ebx+2C], eax
009149E2 EB 01 jmp short 009149E5
009149E4 6933 C08A433B imul esi, [ebx], 3B438AC0
009149EA 3BF0 cmp esi, eax ; this is where the encrypted value is compared
009149EC 75 5E jnz short 00914A4C
009149EE EB 01 jmp short 009149F1
The function table is already solved; what follows is:
3000123C $ E8 BFEDA9D1 call 01AA0000
30001241 ? F6 ??? ; unknown command
30001242 8BC0 mov eax, eax
30001244 $ E8 B7EDA9D1 call 01AA0000
30001249 ? AD lods dword ptr [esi]
3000124A 8BC0 mov eax, eax
3000124C $ E8 AFEDA9D1 call 01AA0000
30001251 ? A6 cmps byte ptr
How do I repair these call 01AA0000 instructions?
01027188 8945 F0 mov dword ptr ss:[ebp-10],eax
0102718B B8 00070000 mov eax,700
01027190 E8 B7B3FDFF call 0100254C // location of the second patch
I can't find a patching spot like the one in the 2.1 version above.
With the section-patching method the partial dump cannot be loaded either; experts, please advise.