经查壳后.为ASProtect 2.1x SKE -> Alexey Solodovnikov [Overlay]
OD载入.跑起Aspr2.XX_unpacker_v1.0脚本.
脱完后,用Import Reconstructor修复删掉无用指针.
用overlay加上附加数据.程序可以运运.
一运行,程序自动关闭.
所以怀疑是自校检.
再次用OD载入.下断bp TerminateProcess 下断F9程序跑起来.
程序序断下来.
7C801E16 > 8BFF mov edi, edi断在这里
7C801E18 55 push ebp
7C801E19 8BEC mov ebp, esp
7C801E1B 837D 08 00 cmp dword ptr [ebp+8], 0
7C801E1F 75 09 jnz short 7C801E2A
7C801E21 6A 06 push 6
7C801E23 E8 98740000 call 7C8092C0
7C801E28 EB 1B jmp short 7C801E45
7C801E2A FF75 0C push dword ptr [ebp+C]
7C801E2D FF75 08 push dword ptr [ebp+8]
7C801E30 FF15 FC13807C call dword ptr [<&ntdll.NtTerminatePr>; ntdll.ZwTerminateProcess
堆栈区的情况如下.
0252FF04 004AC445 /CALL 到 TerminateProcess 来自 de_dlq_.004AC440
0252FF08 00000350 |hProcess = 00000350 (window)
0252FF0C 00000000 \ExitCode = 0
0252FF10 0021E258 ASCII "explorer.exe"
所以直接到达内存地址004AC440
004AC3DC 5F pop edi ; 0021314C
004AC3DD 5B pop ebx
004AC3DE 83C7 04 add edi, 4
004AC3E1 81C3 04010000 add ebx, 104
004AC3E7 E8 D4500200 call 004D14C0
004AC3EC 83C4 04 add esp, 4
004AC3EF 58 pop eax
004AC3F0 8945 E8 mov dword ptr [ebp-18], eax
004AC3F3 ^ E9 15FCFFFF jmp 004AC00D
004AC3F8 8965 D4 mov dword ptr [ebp-2C], esp
004AC3FB FF75 F0 push dword ptr [ebp-10]
004AC3FE B8 09000000 mov eax, 9
004AC403 E8 C4500200 call 004D14CC
004AC408 3965 D4 cmp dword ptr [ebp-2C], esp
004AC40B 74 0D je short 004AC41A
004AC40D 68 06000000 push 6
004AC412 E8 AF500200 call 004D14C6
004AC417 83C4 04 add esp, 4
004AC41A 8B45 D8 mov eax, dword ptr [ebp-28]
004AC41D 3945 E0 cmp dword ptr [ebp-20], eax
004AC420 0F84 40000000 je 004AC466
004AC426 837D 08 01 cmp dword ptr [ebp+8], 1
004AC42A 0F85 27000000 jnz 004AC457
004AC430 8965 D4 mov dword ptr [ebp-2C], esp
004AC433 68 00000000 push 0
004AC438 FF75 DC push dword ptr [ebp-24]
004AC43B B8 1A000000 mov eax, 1A
004AC440 E8 87500200 call 004D14CC /断在这里.
在这里下断004AC3DC 5F pop
F9程序跑起来.断下来.
把 004AC42A 0F85 27000000 jnz 004AC457
改成004AC42A 0F85 27000000 jmp 004AC457
保存去行.程序依然自动关闭.
再次用OD载入.下断bp TerminateProcess 下断F9程序跑起来.
程序断下.可以看到
0252FEF8 004A2CBF /CALL 到 TerminateProcess 来自 2.004A2CBA
0252FEFC 00000000 |hProcess = NULL
0252FF00 00000000 \ExitCode = 0
0252FF04 FFFFFFFF
0252FF08 7C93056D 返回到 ntdll.7C93056D 来自 ntdll.7C92EE02
来到.004A2CBA
004A2C98 /74 0D je short 004A2CA7
004A2C9A |68 06000000 push 6
004A2C9F |E8 22E80200 call 004D14C6
004A2CA4 |83C4 04 add esp, 4
004A2CA7 \8965 EC mov dword ptr [ebp-14], esp
004A2CAA 68 00000000 push 0
004A2CAF FF35 244CC700 push dword ptr [C74C24]
004A2CB5 B8 0C000000 mov eax, 0C
004A2CBA E8 0DE80200 call 004D14CC
之后.不管上面的什么改什么JNZ.JE JMP都跳不过去.请高手们指点一下.
本人也是个人游戏一下而已.
软件下载地址请点经查壳后.为ASProtect 2.1x SKE -> Alexey Solodovnikov [Overlay]
OD载入.跑起Aspr2.XX_unpacker_v1.0脚本.
脱完后,用Import Reconstructor修复删掉无用指针.
用overlay加上附加数据.程序可以运运.
一运行,程序自动关闭.
所以怀疑是自校检.
再次用OD载入.下断bp TerminateProcess 下断F9程序跑起来.
程序序断下来.
7C801E16 > 8BFF mov edi, edi断在这里
7C801E18 55 push ebp
7C801E19 8BEC mov ebp, esp
7C801E1B 837D 08 00 cmp dword ptr [ebp+8], 0
7C801E1F 75 09 jnz short 7C801E2A
7C801E21 6A 06 push 6
7C801E23 E8 98740000 call 7C8092C0
7C801E28 EB 1B jmp short 7C801E45
7C801E2A FF75 0C push dword ptr [ebp+C]
7C801E2D FF75 08 push dword ptr [ebp+8]
7C801E30 FF15 FC13807C call dword ptr [<&ntdll.NtTerminatePr>; ntdll.ZwTerminateProcess
堆栈区的情况如下.
0252FF04 004AC445 /CALL 到 TerminateProcess 来自 de_dlq_.004AC440
0252FF08 00000350 |hProcess = 00000350 (window)
0252FF0C 00000000 \ExitCode = 0
0252FF10 0021E258 ASCII "explorer.exe"
所以直接到达内存地址004AC440
004AC3DC 5F pop edi ; 0021314C
004AC3DD 5B pop ebx
004AC3DE 83C7 04 add edi, 4
004AC3E1 81C3 04010000 add ebx, 104
004AC3E7 E8 D4500200 call 004D14C0
004AC3EC 83C4 04 add esp, 4
004AC3EF 58 pop eax
004AC3F0 8945 E8 mov dword ptr [ebp-18], eax
004AC3F3 ^ E9 15FCFFFF jmp 004AC00D
004AC3F8 8965 D4 mov dword ptr [ebp-2C], esp
004AC3FB FF75 F0 push dword ptr [ebp-10]
004AC3FE B8 09000000 mov eax, 9
004AC403 E8 C4500200 call 004D14CC
004AC408 3965 D4 cmp dword ptr [ebp-2C], esp
004AC40B 74 0D je short 004AC41A
004AC40D 68 06000000 push 6
004AC412 E8 AF500200 call 004D14C6
004AC417 83C4 04 add esp, 4
004AC41A 8B45 D8 mov eax, dword ptr [ebp-28]
004AC41D 3945 E0 cmp dword ptr [ebp-20], eax
004AC420 0F84 40000000 je 004AC466
004AC426 837D 08 01 cmp dword ptr [ebp+8], 1
004AC42A 0F85 27000000 jnz 004AC457
004AC430 8965 D4 mov dword ptr [ebp-2C], esp
004AC433 68 00000000 push 0
004AC438 FF75 DC push dword ptr [ebp-24]
004AC43B B8 1A000000 mov eax, 1A
004AC440 E8 87500200 call 004D14CC /断在这里.
在这里下断004AC3DC 5F pop
F9程序跑起来.断下来.
把 004AC42A 0F85 27000000 jnz 004AC457
改成004AC42A 0F85 27000000 jmp 004AC457
保存去行.程序依然自动关闭.
再次用OD载入.下断bp TerminateProcess 下断F9程序跑起来.
程序断下.可以看到
0252FEF8 004A2CBF /CALL 到 TerminateProcess 来自 2.004A2CBA
0252FEFC 00000000 |hProcess = NULL
0252FF00 00000000 \ExitCode = 0
0252FF04 FFFFFFFF
0252FF08 7C93056D 返回到 ntdll.7C93056D 来自 ntdll.7C92EE02
来到.004A2CBA
004A2C98 /74 0D je short 004A2CA7
004A2C9A |68 06000000 push 6
004A2C9F |E8 22E80200 call 004D14C6
004A2CA4 |83C4 04 add esp, 4
004A2CA7 \8965 EC mov dword ptr [ebp-14], esp
004A2CAA 68 00000000 push 0
004A2CAF FF35 244CC700 push dword ptr [C74C24]
004A2CB5 B8 0C000000 mov eax, 0C
004A2CBA E8 0DE80200 call 004D14CC
之后.不管上面的什么改什么JNZ.JE JMP都跳不过去.请高手们指点一下.
本人也是个人游戏一下而已.
软件下载地址请点击
程序已经脱壳和加了附加数据.可直接调试.
下载地址:http://www.ywzzzz.com/111.exe
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)