7C809A51 > 8BFF MOV EDI,EDI
7C809A53 55 PUSH EBP
7C809A54 8BEC MOV EBP,ESP
7C809A56 FF75 14 PUSH DWORD PTR SS:[EBP+14]
7C809A59 FF75 10 PUSH DWORD PTR SS:[EBP+10]
7C809A5C FF75 0C PUSH DWORD PTR SS:[EBP+C]
7C809A5F FF75 08 PUSH DWORD PTR SS:[EBP+8]
7C809A62 6A FF PUSH -1
7C809A64 E8 09000000 CALL kernel32.VirtualAllocEx
7C809A69 5D POP EBP
7C809A6A C2 1000 RETN 10
7C809A6D 90 NOP
7C809A6E 90 NOP
7C809A6F 90 NOP
7C809A70 90 NOP
7C809A71 90 NOP
7C809A72 > 6A 10 PUSH 10
7C809A74 68 C09A807C PUSH kernel32.7C809AC0
7C809A79 E8 488AFFFF CALL kernel32.7C8024C6
7C809A7E 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C]
7C809A81 85C0 TEST EAX,EAX
7C809A83 75 47 JNZ SHORT kernel32.7C809ACC
7C809A85 8365 FC 00 AND DWORD PTR SS:[EBP-4],0
7C809A89 FF75 18 PUSH DWORD PTR SS:[EBP+18]
7C809A8C FF75 14 PUSH DWORD PTR SS:[EBP+14]
7C809A8F 8D45 10 LEA EAX,DWORD PTR SS:[EBP+10]
7C809A92 50 PUSH EAX
7C809A93 6A 00 PUSH 0
7C809A95 8D45 0C LEA EAX,DWORD PTR SS:[EBP+C]
7C809A98 50 PUSH EAX
7C809A99 FF75 08 PUSH DWORD PTR SS:[EBP+8]
7C809A9C FF15 9011807C CALL DWORD PTR DS:[<&ntdll.NtAllocateVir>; ntdll.ZwAllocateVirtualMemory
7C809AA2 8945 E0 MOV DWORD PTR SS:[EBP-20],EAX
7C809AA5 834D FC FF OR DWORD PTR SS:[EBP-4],FFFFFFFF
7C809AA9 85C0 TEST EAX,EAX
7C809AAB 0F8C 49270000 JL kernel32.7C80C1FA
7C809AB1 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C]
7C809AB4 E8 488AFFFF CALL kernel32.7C802501
7C809AB9 C2 1400 RETN 14
7C809ABC 90 NOP
7C809ABD 90 NOP
7C809ABE 90 NOP
7C809ABF 90 NOP
7C809AC0 FFFF ??? ; 未知命令
7C809AC2 FFFF ??? ; 未知命令
7C809AC4 B7 04 MOV BH,4
7C809AC6 847CCA 04 TEST BYTE PTR DS:[EDX+ECX*8+4],BH
7C809ACA 847C8B 0D TEST BYTE PTR DS:[EBX+ECX*4+D],BH
7C809ACE 3C 30 CMP AL,30
7C809AD0 887C3B 81 MOV BYTE PTR DS:[EBX+EDI-7F],BH
7C809AD4 3C 01 CMP AL,1
7C809AD6 0000 ADD BYTE PTR DS:[EAX],AL
7C809AD8 ^ 73 AB JNB SHORT kernel32.7C809A85
7C809ADA E9 C7690300 JMP kernel32.7C8404A6
7C809ADF 90 NOP
7C809AE0 90 NOP
7C809AE1 90 NOP
7C809AE2 90 NOP
7C809AE3 90 NOP
7C809AE4 > 8BFF MOV EDI,EDI
7C809AE6 55 PUSH EBP
7C809AE7 8BEC MOV EBP,ESP
7C809AE9 FF75 10 PUSH DWORD PTR SS:[EBP+10]
7C809AEC FF75 0C PUSH DWORD PTR SS:[EBP+C]
7C809AEF FF75 08 PUSH DWORD PTR SS:[EBP+8]
7C809AF2 6A FF PUSH -1
7C809AF4 E8 09000000 CALL kernel32.VirtualFreeEx
7C809AF9 5D POP EBP
7C809AFA C2 0C00 RETN 0C
7C809AFD 90 NOP
7C809AFE 90 NOP
7C809AFF 90 NOP
7C809B00 90 NOP
7C809B01 90 NOP
7C809B02 > 8BFF MOV EDI,EDI
7C809B04 55 PUSH EBP
7C809B05 8BEC MOV EBP,ESP
7C809B07 F645 15 80 TEST BYTE PTR SS:[EBP+15],80
7C809B0B 74 0A JE SHORT kernel32.7C809B17
7C809B0D 837D 10 00 CMP DWORD PTR SS:[EBP+10],0
7C809B11 0F85 BE690300 JNZ kernel32.7C8404D5
7C809B17 56 PUSH ESI
7C809B18 8B35 A811807C MOV ESI,DWORD PTR DS:[<&ntdll.NtFreeVirt>; ntdll.ZwFreeVirtualMemory
7C809B1E 57 PUSH EDI
7C809B1F FF75 14 PUSH DWORD PTR SS:[EBP+14]
...................
What packer is this? Frustrating.
The section is DEPACK.
Attaching the packed Notepad.
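The listing above is kernel32's VirtualAlloc / VirtualAllocEx / VirtualFree wrappers (each forwards to its Ex variant with a -1 process handle and then into ntdll's NtAllocateVirtualMemory / NtFreeVirtualMemory), which is where a debugger typically stops when a packer stub allocates room for the original image. Before single-stepping through that, a quick static look at the section table usually narrows down the packer. The script below is an added example, not code from the post or from any packer: it parses a PE section table, computes per-section entropy, and reports the usual packer tells (a non-standard name such as the poster's DEPACK, a section that is writable and executable, a section with no raw data on disk, near-random contents). The two-section PE it analyses is constructed inline so it runs offline; the list of "common" section names is a heuristic of this example, not a specification.

```python
import math
import struct
from dataclasses import dataclass

# IMAGE_SCN_* characteristics bits as defined in the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Heuristic (this example's own list): names stock linkers emit. Anything else (UPX0,
# .aspack, DEPACK, ...) is worth a closer look.
COMMON_SECTIONS = {".text", ".data", ".rdata", ".idata", ".edata", ".rsrc",
                   ".reloc", ".bss", ".tls", ".pdata", "CODE", "DATA", "BSS"}


@dataclass
class Section:
    name: str
    virtual_size: int
    virtual_address: int
    raw_size: int
    raw_offset: int
    characteristics: int
    entropy: float


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 means compressed/encrypted, plain x86 code is usually 5-6.5."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(image: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table (40-byte entries)."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + size_of_optional
    sections = []
    for i in range(num_sections):
        (raw_name, vsize, vaddr, rsize, roff, _reloc, _lines, _nreloc, _nlines,
         chars) = struct.unpack_from("<8sIIIIIIHHI", image, table + 40 * i)
        name = raw_name.rstrip(b"\0").decode("ascii", "replace")
        body = image[roff:roff + rsize] if rsize else b""
        sections.append(Section(name, vsize, vaddr, rsize, roff, chars, shannon_entropy(body)))
    return sections


def triage(sections) -> list:
    """Packer tells: odd names, RWX sections, empty-on-disk sections, near-random contents."""
    findings = []
    for s in sections:
        if s.name not in COMMON_SECTIONS:
            findings.append(f"{s.name}: non-standard section name")
        if s.characteristics & IMAGE_SCN_MEM_WRITE and s.characteristics & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"{s.name}: writable and executable")
        if s.raw_size == 0 and s.virtual_size > 0:
            findings.append(f"{s.name}: no raw data but {s.virtual_size:#x} bytes virtual (filled at run time)")
        if s.entropy > 7.0:
            findings.append(f"{s.name}: entropy {s.entropy:.2f} (compressed or encrypted)")
    return findings


def build_sample_image() -> bytes:
    """Constructed stand-in for the poster's packed Notepad: a two-section PE skeleton, not a real binary."""
    opt_size = 0xE0                      # PE32 optional header size; contents left zeroed, never read here
    table = 0x40 + 4 + 20 + opt_size     # section table follows DOS stub, PE sig, COFF, optional header
    data_off = 0x200
    payload = bytes(range(256)) * 4      # uniform bytes: entropy exactly 8.0, like a compressed blob
    hdr = bytearray(data_off)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)           # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", hdr, 0x44, 0x14C, 2)      # Machine = i386, NumberOfSections = 2
    struct.pack_into("<H", hdr, 0x44 + 16, opt_size)  # SizeOfOptionalHeader

    def entry(name, vsize, vaddr, rsize, roff, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rsize, roff, 0, 0, 0, 0, chars)

    rwx = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
    # .text exists only in memory: the stub unpacks the original code into it at run time
    hdr[table:table + 40] = entry(b".text", 0x1000, 0x1000, 0, 0, IMAGE_SCN_CNT_CODE | rwx)
    # DEPACK carries the stub plus the compressed original image
    hdr[table + 40:table + 80] = entry(b"DEPACK", len(payload), 0x2000, len(payload), data_off,
                                       IMAGE_SCN_CNT_INITIALIZED_DATA | rwx)
    return bytes(hdr) + payload


if __name__ == "__main__":
    secs = parse_sections(build_sample_image())
    for s in secs:
        print(f"{s.name:<8} va={s.virtual_address:#07x} vsize={s.virtual_size:#06x} "
              f"raw={s.raw_size:#06x} chars={s.characteristics:#010x} H={s.entropy:.2f}")
    for line in triage(secs):
        print("  !", line)
```

To run it against a real sample, replace `build_sample_image()` with the bytes of the file. A section that is empty on disk but large in memory, next to a high-entropy RWX section with an unfamiliar name, is the signature of a compressing packer; that is also the moment to expect the stub to call VirtualAlloc (the wrapper chain in the listing), so a breakpoint there lands right before the unpacked image is written.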