[Old post] A very tricky self-check

Posted on: 2007-4-7 17:32
I have cracked a few small programs before, and recently a friend asked me to help crack one. This time I ran into a very tricky program with a self-check, and I am asking the experts for guidance.
The program is packed with ASPack 2.12, which a tool removed easily. But as soon as it runs, it exits, so I guessed it has a self-check and loaded it into OD.
The code right after loading:
00432BB9 >/$ 55 PUSH EBP
00432BBA |. 8BEC MOV EBP,ESP
00432BBC |. 6A FF PUSH -1
00432BBE |. 68 10734700 PUSH 1111111.00477310
00432BC3 |. 68 B48A4300 PUSH 1111111.00438AB4 ; SE handler installation
00432BC8 |. 64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
00432BCE |. 50 PUSH EAX
00432BCF |. 64:8925 00000>MOV DWORD PTR FS:[0],ESP
00432BD6 |. 83EC 58 SUB ESP,58
00432BD9 |. 53 PUSH EBX
00432BDA |. 56 PUSH ESI
00432BDB |. 57 PUSH EDI
00432BDC |. 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP
00432BDF |. FF15 CCD24600 CALL DWORD PTR DS:[<&kernel32.GetVersion>; kernel32.GetVersion
00432BE5 |. 33D2 XOR EDX,EDX
00432BE7 |. 8AD4 MOV DL,AH
00432BE9 |. 8915 CC074900 MOV DWORD PTR DS:[4907CC],EDX
00432BEF |. 8BC8 MOV ECX,EAX
00432BF1 |. 81E1 FF000000 AND ECX,0FF
00432BF7 |. 890D C8074900 MOV DWORD PTR DS:[4907C8],ECX
00432BFD |. C1E1 08 SHL ECX,8
00432C00 |. 03CA ADD ECX,EDX
00432C02 |. 890D C4074900 MOV DWORD PTR DS:[4907C4],ECX
00432C08 |. C1E8 10 SHR EAX,10
00432C0B |. A3 C0074900 MOV DWORD PTR DS:[4907C0],EAX
00432C10 |. 6A 01 PUSH 1
00432C12 |. E8 234C0000 CALL 1111111.0043783A
00432C17 |. 59 POP ECX
00432C18 |. 85C0 TEST EAX,EAX
00432C1A 75 08 JNZ SHORT 1111111.00432C24
00432C1C |. 6A 1C PUSH 1C
00432C1E |. E8 C3000000 CALL 1111111.00432CE6
00432C23 |. 59 POP ECX
00432C24 |> E8 03430000 CALL 1111111.00436F2C
00432C29 |. 85C0 TEST EAX,EAX
00432C2B 75 08 JNZ SHORT 1111111.00432C35
00432C2D |. 6A 10 PUSH 10
00432C2F |. E8 B2000000 CALL 1111111.00432CE6
00432C34 |. 59 POP ECX
00432C35 |> 33F6 XOR ESI,ESI
00432C37 |. 8975 FC MOV DWORD PTR SS:[EBP-4],ESI
00432C3A |. E8 DE7C0000 CALL 1111111.0043A91D
00432C3F |. FF15 E0D14600 CALL DWORD PTR DS:[<&kernel32.GetCommand>; [GetCommandLineA
00432C45 |. A3 F41E4900 MOV DWORD PTR DS:[491EF4],EAX
00432C4A |. E8 9C7B0000 CALL 1111111.0043A7EB
00432C4F |. A3 B0074900 MOV DWORD PTR DS:[4907B0],EAX
00432C54 |. E8 45790000 CALL 1111111.0043A59E
00432C59 |. E8 87780000 CALL 1111111.0043A4E5
00432C5E |. E8 A7000000 CALL 1111111.00432D0A
00432C63 |. 8975 D0 MOV DWORD PTR SS:[EBP-30],ESI
00432C66 |. 8D45 A4 LEA EAX,DWORD PTR SS:[EBP-5C]
00432C69 |. 50 PUSH EAX ; /pStartupinfo
00432C6A |. FF15 E4D14600 CALL DWORD PTR DS:[<&kernel32.GetStartup>; \GetStartupInfoA
00432C70 |. E8 18780000 CALL 1111111.0043A48D
00432C75 |. 8945 9C MOV DWORD PTR SS:[EBP-64],EAX
00432C78 |. F645 D0 01 TEST BYTE PTR SS:[EBP-30],1
00432C7C |. 74 06 JE SHORT 1111111.00432C84
00432C7E |. 0FB745 D4 MOVZX EAX,WORD PTR SS:[EBP-2C]
00432C82 |. EB 03 JMP SHORT 1111111.00432C87
00432C84 |> 6A 0A PUSH 0A
00432C86 |. 58 POP EAX
00432C87 |> 50 PUSH EAX
00432C88 |. FF75 9C PUSH DWORD PTR SS:[EBP-64]
00432C8B |. 56 PUSH ESI
00432C8C |. 56 PUSH ESI ; /pModule
00432C8D |. FF15 E4D24600 CALL DWORD PTR DS:[<&kernel32.GetModuleH>; \GetModuleHandleA
00432C93 |. 50 PUSH EAX
00432C94 |. E8 0E020100 CALL 1111111.00442EA7 ; error here
Stepping with F8, it errors out at 432C94; I suspect there is anti-OD (anti-debugging) code.
Set a breakpoint at 432C94, reload, press F9 to run to the breakpoint, then F7 to step in:
00442EA7 /$ FF7424 10 PUSH DWORD PTR SS:[ESP+10]
00442EAB |. FF7424 10 PUSH DWORD PTR SS:[ESP+10]
00442EAF |. FF7424 10 PUSH DWORD PTR SS:[ESP+10]
00442EB3 |. FF7424 10 PUSH DWORD PTR SS:[ESP+10]
00442EB7 |. E8 E3AD0000 CALL 1111111.0044DC9F ; error here
00442EBC \. C2 1000 RETN 10
00442EBF /$ E8 CBD40100 CALL 1111111.0046038F
00442EC4 |. 8B4C24 04 MOV ECX,DWORD PTR SS:[ESP+4]
00442EC8 |. 85C9 TEST ECX,ECX
00442ECA |. 8848 14 MOV BYTE PTR DS:[EAX+14],CL
00442ECD |. 75 08 JNZ SHORT 1111111.00442ED7
00442ECF |. 6A FD PUSH -3
00442ED1 |. E8 2E24FFFF CALL 1111111.00435304
00442ED6 |. 59 POP ECX
00442ED7 |> 6A 01 PUSH 1
00442ED9 |. 58 POP EAX
00442EDA \. C2 0800 RETN 8
Stepping with F8 again, at 442EB7 it errors out once more. Remove the previous breakpoint and set one here. Reload, F9 to run to the breakpoint,
F7 to step in:
0044DC9F /$ 53 PUSH EBX
0044DCA0 |. 56 PUSH ESI
0044DCA1 |. 57 PUSH EDI
0044DCA2 |. 83CB FF OR EBX,FFFFFFFF
0044DCA5 |. E8 A7CDFFFF CALL 1111111.0044AA51
0044DCAA |. 8BF0 MOV ESI,EAX
0044DCAC |. E8 DE260100 CALL 1111111.0046038F
0044DCB1 |. FF7424 1C PUSH DWORD PTR SS:[ESP+1C]
0044DCB5 |. 8B78 04 MOV EDI,DWORD PTR DS:[EAX+4]
0044DCB8 |. FF7424 1C PUSH DWORD PTR SS:[ESP+1C]
0044DCBC |. FF7424 1C PUSH DWORD PTR SS:[ESP+1C]
0044DCC0 |. FF7424 1C PUSH DWORD PTR SS:[ESP+1C]
0044DCC4 |. E8 404C0100 CALL 1111111.00462909
0044DCC9 |. 85C0 TEST EAX,EAX
0044DCCB |. 74 3B JE SHORT 1111111.0044DD08
0044DCCD |. 85FF TEST EDI,EDI
0044DCCF |. 74 0E JE SHORT 1111111.0044DCDF
0044DCD1 |. 8B07 MOV EAX,DWORD PTR DS:[EDI]
0044DCD3 |. 8BCF MOV ECX,EDI
0044DCD5 |. FF90 84000000 CALL DWORD PTR DS:[EAX+84]
0044DCDB |. 85C0 TEST EAX,EAX
0044DCDD |. 74 29 JE SHORT 1111111.0044DD08
0044DCDF |> 8B06 MOV EAX,DWORD PTR DS:[ESI]
0044DCE1 |. 8BCE MOV ECX,ESI
0044DCE3 |. FF50 50 CALL DWORD PTR DS:[EAX+50] ; error here
0044DCE6 |. 85C0 TEST EAX,EAX
0044DCE8 |. 75 15 JNZ SHORT 1111111.0044DCFF
0044DCEA |. 8B4E 1C MOV ECX,DWORD PTR DS:[ESI+1C]
0044DCED |. 85C9 TEST ECX,ECX
0044DCEF |. 74 05 JE SHORT 1111111.0044DCF6
0044DCF1 |. 8B01 MOV EAX,DWORD PTR DS:[ECX]
0044DCF3 |. FF50 58 CALL DWORD PTR DS:[EAX+58]
0044DCF6 |> 8B06 MOV EAX,DWORD PTR DS:[ESI]
0044DCF8 |. 8BCE MOV ECX,ESI
0044DCFA |. FF50 68 CALL DWORD PTR DS:[EAX+68]
0044DCFD |. EB 07 JMP SHORT 1111111.0044DD06
0044DCFF |> 8B06 MOV EAX,DWORD PTR DS:[ESI]
0044DD01 |. 8BCE MOV ECX,ESI
0044DD03 |. FF50 54 CALL DWORD PTR DS:[EAX+54]
0044DD06 |> 8BD8 MOV EBX,EAX
0044DD08 |> E8 3F820100 CALL 1111111.00465F4C
0044DD0D |. 5F POP EDI
0044DD0E |. 8BC3 MOV EAX,EBX
0044DD10 |. 5E POP ESI
0044DD11 |. 5B POP EBX
0044DD12 \. C2 1000 RETN 10
Stepping to 44DCE3, it errors out again. Repeat the steps above and enter the failing CALL:
00420E30 . 64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
00420E36 . 6A FF PUSH -1
00420E38 . 68 1BA44600 PUSH 1111111.0046A41B
00420E3D . 50 PUSH EAX
00420E3E . 64:8925 00000>MOV DWORD PTR FS:[0],ESP
00420E45 . 81EC B0000000 SUB ESP,0B0
00420E4B . 53 PUSH EBX
00420E4C . 55 PUSH EBP
00420E4D . 56 PUSH ESI
00420E4E . 57 PUSH EDI
00420E4F . 8BE9 MOV EBP,ECX
00420E51 . 6A 00 PUSH 0
00420E53 . E8 E5420400 CALL 1111111.0046513D
00420E58 . 85C0 TEST EAX,EAX
00420E5A 75 11 JNZ SHORT 1111111.00420E6D
00420E5C . 6A FF PUSH -1
00420E5E . 50 PUSH EAX
00420E5F . 6A 68 PUSH 68
00420E61 . E8 C1180300 CALL 1111111.00452727
00420E66 . 33C0 XOR EAX,EAX
00420E68 . E9 E2060000 JMP 1111111.0042154F
00420E6D > 68 F8854800 PUSH 1111111.004885F8 ; /FileName = "BugReport.dll"
00420E72 . FF15 84D34600 CALL DWORD PTR DS:[<&kernel32.LoadLibrar>; \LoadLibraryA
00420E78 . 85C0 TEST EAX,EAX
00420E7A . 75 13 JNZ SHORT 1111111.00420E8F
00420E7C . 50 PUSH EAX ; /Arg3
00420E7D . 50 PUSH EAX ; |Arg2
00420E7E . 68 E0854800 PUSH 1111111.004885E0 ; |Arg1 = 004885E0
00420E83 . E8 67180300 CALL 1111111.004526EF ; \1111111.004526EF
00420E88 . 33C0 XOR EAX,EAX
00420E8A . E9 C0060000 JMP 1111111.0042154F
00420E8F > 68 CC854800 PUSH 1111111.004885CC ; /ProcNameOrOrdinal = "StartMyException"
00420E94 . 50 PUSH EAX ; |hModule
00420E95 . FF15 88D34600 CALL DWORD PTR DS:[<&kernel32.GetProcAdd>; \GetProcAddress
00420E9B . 8BF8 MOV EDI,EAX
00420E9D . A1 80974800 MOV EAX,DWORD PTR DS:[489780]
00420EA2 . 894424 10 MOV DWORD PTR SS:[ESP+10],EAX
00420EA6 . 68 81000000 PUSH 81 ; /Arg1 = 00000081
00420EAB . 8D4C24 14 LEA ECX,DWORD PTR SS:[ESP+14] ; |
00420EAF . C78424 CC0000>MOV DWORD PTR SS:[ESP+CC],0 ; |
00420EBA . E8 41990200 CALL 1111111.0044A800 ; \1111111.0044A800
00420EBF . 8B4C24 10 MOV ECX,DWORD PTR SS:[ESP+10]
00420EC3 . 51 PUSH ECX
00420EC4 . 68 AC764800 PUSH 1111111.004876AC ; ASCII "VolleyMail"
00420EC9 . FFD7 CALL EDI
00420ECB . 83C4 08 ADD ESP,8
00420ECE . 8D9D C8000000 LEA EBX,DWORD PTR SS:[EBP+C8]
00420ED4 . 896C24 30 MOV DWORD PTR SS:[ESP+30],EBP
00420ED8 . 68 04010000 PUSH 104 ; /BufSize = 104 (260.)
00420EDD . 53 PUSH EBX ; |Buffer
00420EDE . E8 29E80100 CALL <JMP.&WS2_32.gethostname> ; \gethostname
00420EE3 . 803B 00 CMP BYTE PTR DS:[EBX],0
00420EE6 75 22 JNZ SHORT 1111111.00420F0A
00420EE8 . BF B8854800 MOV EDI,1111111.004885B8 ; ASCII "mail.volleymail.com"
00420EED . 83C9 FF OR ECX,FFFFFFFF
00420EF0 . 33C0 XOR EAX,EAX
00420EF2 . F2:AE REPNE SCAS BYTE PTR ES:[EDI]
00420EF4 . F7D1 NOT ECX
00420EF6 . 2BF9 SUB EDI,ECX
00420EF8 . 8BD1 MOV EDX,ECX
00420EFA . 8BF7 MOV ESI,EDI
00420EFC . 8BFB MOV EDI,EBX
00420EFE . C1E9 02 SHR ECX,2
00420F01 . F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
00420F03 . 8BCA MOV ECX,EDX
00420F05 . 83E1 03 AND ECX,3
00420F08 . F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[>
00420F0A > 8BCD MOV ECX,EBP
00420F0C . E8 BC0F0400 CALL 1111111.00461ECD
00420F11 . 6A 00 PUSH 0
00420F13 . 68 FFF3EF00 PUSH 0EFF3FF
00420F18 . 8BCD MOV ECX,EBP
00420F1A . E8 370F0400 CALL 1111111.00461E56
00420F1F . 6A 01 PUSH 1 ; /Arg2 = 00000001
00420F21 . 6A 00 PUSH 0 ; |Arg1 = 00000000
00420F23 . E8 386E0000 CALL 1111111.00427D60 ; \1111111.00427D60
00420F28 . 8B45 78 MOV EAX,DWORD PTR SS:[EBP+78]
00420F2B . 50 PUSH EAX ; /MutexName
00420F2C . 6A 01 PUSH 1 ; |InitialOwner = TRUE
00420F2E . 6A 00 PUSH 0 ; |pSecurity = NULL
00420F30 . FF15 F8D24600 CALL DWORD PTR DS:[<&kernel32.CreateMute>; \CreateMutexA
00420F36 . FF15 FCD24600 CALL DWORD PTR DS:[<&kernel32.GetLastErr>; [GetLastError
00420F3C . 3D B7000000 CMP EAX,0B7
00420F41 . 75 19 JNZ SHORT 1111111.00420F5C
00420F43 . 6A 10 PUSH 10 ; /Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
00420F45 . 68 AC854800 PUSH 1111111.004885AC ; |Title = "错误提示"
00420F4A . 68 88854800 PUSH 1111111.00488588 ; |Text = "VolleyMail邮件群发专家已经在运行!"
00420F4F . 6A 00 PUSH 0 ; |hOwner = NULL
00420F51 . FF15 68D64600 CALL DWORD PTR DS:[<&user32.MessageBoxA>>; \MessageBoxA
00420F57 . E9 67050000 JMP 1111111.004214C3
00420F5C > 6A 68 PUSH 68
00420F5E . E8 26540200 CALL 1111111.00446389
00420F63 . 83C4 04 ADD ESP,4
00420F66 . 894424 28 MOV DWORD PTR SS:[ESP+28],EAX
00420F6A . 85C0 TEST EAX,EAX
00420F6C . C68424 C80000>MOV BYTE PTR SS:[ESP+C8],1
00420F74 . 74 0D JE SHORT 1111111.00420F83
00420F76 . 6A 00 PUSH 0
00420F78 . 8BC8 MOV ECX,EAX
00420F7A . E8 D1BAFFFF CALL 1111111.0041CA50
00420F7F . 8BF0 MOV ESI,EAX
00420F81 . EB 02 JMP SHORT 1111111.00420F85
00420F83 > 33F6 XOR ESI,ESI
00420F85 > 6A 00 PUSH 0
00420F87 . 68 DA000000 PUSH 0DA
00420F8C . 8BCE MOV ECX,ESI
00420F8E . C68424 D00000>MOV BYTE PTR SS:[ESP+D0],0
00420F96 . E8 1DB40200 CALL 1111111.0044C3B8
00420F9B . 6A 05 PUSH 5
00420F9D . 8BCE MOV ECX,ESI
00420F9F . E8 AF890200 CALL 1111111.00449953
00420FA4 . 8D4C24 3C LEA ECX,DWORD PTR SS:[ESP+3C]
00420FA8 . E8 A0A30200 CALL 1111111.0044B34D
00420FAD . 68 1C664800 PUSH 1111111.0048661C ; ASCII "Cache.MX"
00420FB2 . 8D4C24 1C LEA ECX,DWORD PTR SS:[ESP+1C]
00420FB6 . 68 50E54800 PUSH 1111111.0048E550
00420FBB . 51 PUSH ECX
00420FBC . C68424 D40000>MOV BYTE PTR SS:[ESP+D4],2
00420FC4 . E8 1B950200 CALL 1111111.0044A4E4
00420FC9 . 8B00 MOV EAX,DWORD PTR DS:[EAX]
00420FCB . 6A 00 PUSH 0 ; /Arg3 = 00000000
00420FCD . 68 40800000 PUSH 8040 ; |Arg2 = 00008040
00420FD2 . 50 PUSH EAX ; |Arg1
00420FD3 . 8D4C24 48 LEA ECX,DWORD PTR SS:[ESP+48] ; |
00420FD7 . C68424 D40000>MOV BYTE PTR SS:[ESP+D4],3 ; |
00420FDF . E8 DEA30200 CALL 1111111.0044B3C2 ; \1111111.0044B3C2
00420FE4 . 8D4C24 18 LEA ECX,DWORD PTR SS:[ESP+18]
00420FE8 . 8BF8 MOV EDI,EAX
00420FEA . C68424 C80000>MOV BYTE PTR SS:[ESP+C8],2
00420FF2 . E8 58920200 CALL 1111111.0044A24F
00420FF7 . 85FF TEST EDI,EDI
00420FF9 . 74 48 JE SHORT 1111111.00421043
00420FFB . 8D4C24 3C LEA ECX,DWORD PTR SS:[ESP+3C]
00420FFF . E8 65AB0200 CALL 1111111.0044BB69
00421004 . 8BF8 MOV EDI,EAX
00421006 . B8 25499224 MOV EAX,24924925
0042100B . F7E7 MUL EDI
0042100D . 8BC7 MOV EAX,EDI
0042100F . 57 PUSH EDI
00421010 . 2BC2 SUB EAX,EDX
00421012 . D1E8 SHR EAX,1
00421014 . 03C2 ADD EAX,EDX
00421016 . C1E8 06 SHR EAX,6
00421019 . 8985 08020000 MOV DWORD PTR SS:[EBP+208],EAX
0042101F . E8 65530200 CALL 1111111.00446389
00421024 . 8B5424 40 MOV EDX,DWORD PTR SS:[ESP+40]
00421028 . 83C4 04 ADD ESP,4
0042102B . 8D4C24 3C LEA ECX,DWORD PTR SS:[ESP+3C]
0042102F . 8985 00020000 MOV DWORD PTR SS:[EBP+200],EAX
00421035 . 57 PUSH EDI
00421036 . 50 PUSH EAX
00421037 . FF52 34 CALL DWORD PTR DS:[EDX+34]
0042103A . 8D4C24 3C LEA ECX,DWORD PTR SS:[ESP+3C]
0042103E . E8 AFA60200 CALL 1111111.0044B6F2
00421043 68 586A4800 PUSH 1111111.00486A58 ; ASCII "InitProg.dll"
00421048 FF15 84D34600 CALL DWORD PTR DS:[<&kernel32.LoadLibrar>; kernel32.LoadLibraryA (after unpacking the DLL, as soon as execution reaches here OD errors out and cannot debug any further; hiding the debugger does not help either)
0042104E . 8BD8 MOV EBX,EAX
00421050 . 85DB TEST EBX,EBX
00421052 75 11 JNZ SHORT 1111111.00421065
00421054 . 50 PUSH EAX ; /Arg3
00421055 . 50 PUSH EAX ; |Arg2
00421056 . 68 70794800 PUSH 1111111.00487970 ; |Arg1 = 00487970
0042105B . E8 8F160300 CALL 1111111.004526EF ; \1111111.004526EF
00421060 . E9 4D040000 JMP 1111111.004214B2
00421065 > 8B3D 88D34600 MOV EDI,DWORD PTR DS:[<&kernel32.GetProc>; kernel32.GetProcAddress
0042106B . 68 7C854800 PUSH 1111111.0048857C ; /ProcNameOrOrdinal = "InitEnvir"
00421070 . 53 PUSH EBX ; |hModule
00421071 . FFD7 CALL EDI ; \GetProcAddress
00421073 . 8D4C24 54 LEA ECX,DWORD PTR SS:[ESP+54]
00421077 . 68 6C854800 PUSH 1111111.0048856C ; ASCII "VolleyMail.exe"
0042107C . 8D5424 34 LEA EDX,DWORD PTR SS:[ESP+34]
00421080 . 51 PUSH ECX
00421081 . 52 PUSH EDX
00421082 . C74424 60 D8D>MOV DWORD PTR SS:[ESP+60],0DDD8
0042108A . FFD0 CALL EAX ; stepping in leads into one of the program's DLLs; the self-check is done in that DLL.
0042108C . 85C0 TEST EAX,EAX
0042108E . 75 11 JNZ SHORT 1111111.004210A1
00421090 . B9 C4090000 MOV ECX,9C4
00421095 . BF 2300FF00 MOV EDI,0FF0023
0042109A . F3:AB REP STOS DWORD PTR ES:[EDI]
0042109C . E9 11040000 JMP 1111111.004214B2
004210A1 > 68 5C854800 PUSH 1111111.0048855C ; ASCII "GetMachineCode"
004210A6 . 53 PUSH EBX
004210A7 . FFD7 CALL EDI
004210A9 . 8BD0 MOV EDX,EAX
Following the CALL at 42108A:
00D22040 > 6A FF PUSH -1
00D22042 68 4D8ED300 PUSH InitProg.00D38E4D
00D22047 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
00D2204D 50 PUSH EAX
00D2204E 64:8925 0000000>MOV DWORD PTR FS:[0],ESP
00D22055 81EC B0000000 SUB ESP,0B0
00D2205B 53 PUSH EBX
00D2205C 55 PUSH EBP
00D2205D 68 8001D400 PUSH InitProg.00D40180 ; ASCII "etide.51.net"
00D22062 E8 E9FDFFFF CALL InitProg.00D21E50
00D22067 8B8424 CC000000 MOV EAX,DWORD PTR SS:[ESP+CC]
00D2206E 8B8C24 C8000000 MOV ECX,DWORD PTR SS:[ESP+C8]
00D22075 68 80000000 PUSH 80
00D2207A 8D5424 3C LEA EDX,DWORD PTR SS:[ESP+3C]
00D2207E 52 PUSH EDX
00D2207F 6A 00 PUSH 0
00D22081 8901 MOV DWORD PTR DS:[ECX],EAX
00D22083 FF15 38A2D300 CALL DWORD PTR DS:[D3A238] ; kernel32.GetModuleFileNameA
00D22089 8D4424 38 LEA EAX,DWORD PTR SS:[ESP+38]
00D2208D 50 PUSH EAX
00D2208E 8D4C24 14 LEA ECX,DWORD PTR SS:[ESP+14]
00D22092 E8 AF180100 CALL InitProg.00D33946
00D22097 6A 5C PUSH 5C
00D22099 8D4C24 14 LEA ECX,DWORD PTR SS:[ESP+14]
00D2209D C78424 C4000000>MOV DWORD PTR SS:[ESP+C4],0
00D220A8 E8 5FD10000 CALL InitProg.00D2F20C
00D220AD 40 INC EAX
00D220AE 50 PUSH EAX
00D220AF 8D4C24 10 LEA ECX,DWORD PTR SS:[ESP+10]
00D220B3 51 PUSH ECX
00D220B4 8D4C24 18 LEA ECX,DWORD PTR SS:[ESP+18]
00D220B8 E8 D7D00000 CALL InitProg.00D2F194
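An added example, not part of the original post or of the program it discusses: a C model of the kind of file self-check the post attributes to InitProg.dll. The directory step mirrors what the listing shows (GetModuleFileNameA, then a search for the last backslash, 0x5C, plus one); the hash (FNV-1a), the trailer layout and the sample path are assumptions, since the DLL's real algorithm is not on the page. It shows why a one-byte patch, or an unpacked image whose bytes no longer match the sealed original, makes such a check fail and the program exit.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample image (not the real VolleyMail.exe): a few x86 bytes of the
 * kind seen in the listing, followed by a 4-byte little-endian trailer holding
 * the expected hash.  A build step fills the trailer (seal_image); at run time
 * the program re-hashes everything before the trailer and compares (self_check). */
#define TRAILER_LEN 4
static const uint8_t k_sample_image[] = {
    0x85, 0xC0,              /* TEST EAX,EAX                       */
    0x75, 0x11,              /* JNZ SHORT +11                      */
    0x6A, 0xFF,              /* PUSH -1                            */
    0x50,                    /* PUSH EAX                           */
    0x33, 0xC0,              /* XOR EAX,EAX                        */
    0x00, 0x00, 0x00, 0x00   /* trailer: expected hash, unset here */
};

/* Length of the directory part of a Windows path, trailing backslash included.
 * This is what the listing does after GetModuleFileNameA: find the last '\'
 * (PUSH 5C), add one (INC EAX) and keep that many leading characters. */
size_t module_dir_len(const char *path)
{
    const char *last = strrchr(path, '\\');
    return last ? (size_t)(last - path) + 1 : 0;
}

/* 32-bit FNV-1a.  Assumed for the example; the DLL's real algorithm is unknown. */
uint32_t fnv1a32(const uint8_t *data, size_t len)
{
    uint32_t h = 0x811C9DC5u;
    for (size_t i = 0; i < len; i++) {
        h ^= data[i];
        h *= 0x01000193u;
    }
    return h;
}

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void write_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Build-time step: hash the body and store the result in the trailer. */
void seal_image(uint8_t *img, size_t len)
{
    if (len < TRAILER_LEN) return;
    write_le32(img + len - TRAILER_LEN, fnv1a32(img, len - TRAILER_LEN));
}

/* Run-time step: 1 if the body still hashes to the stored value, else 0.
 * An image too short to carry a trailer is treated as tampered. */
int self_check(const uint8_t *img, size_t len)
{
    if (len < TRAILER_LEN) return 0;
    size_t body = len - TRAILER_LEN;
    return fnv1a32(img, body) == read_le32(img + body);
}

/* Seal a copy of the sample, confirm it passes, then flip the JNZ (75) to a
 * JE (74), the typical one-byte patch, and report whether the check catches it.
 * Returns 1 when the patch is detected, 0 when it slips through, -1 if the
 * sealed image itself does not pass (which would mean the hashing is broken). */
int demo_patch_is_detected(void)
{
    uint8_t copy[sizeof k_sample_image];
    memcpy(copy, k_sample_image, sizeof copy);
    seal_image(copy, sizeof copy);
    if (!self_check(copy, sizeof copy)) return -1;
    copy[2] = 0x74;                       /* JNZ -> JE */
    return self_check(copy, sizeof copy) == 0;
}

int main(void)
{
    const char *exe = "C:\\VolleyMail\\VolleyMail.exe";   /* constructed path */
    printf("module dir  : %.*s\n", (int)module_dir_len(exe), exe);
    printf("patch caught: %s\n", demo_patch_is_detected() == 1 ? "yes" : "no");
    return 0;
}
```

The same comparison fails for an unpacked copy of a packed executable, because the bytes on disk no longer match what the sealed hash was computed over.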