Post #9 (LV4, RANK:50)
The last time it stopped here:
00C2F3F3 893B mov dword ptr ds:[ebx],edi
00C2F3F5 3085 5798C864 xor byte ptr ss:[ebp+64C89857],al
00C2F3FB 1B3F sbb edi,dword ptr ds:[edi]
00C2F3FD 05 7B462835 add eax,3528467B
00C2F402 67:64:8F06 0000 pop dword ptr fs:[0]
00C2F408 26:EB 02 jmp short 00C2F40D
00C2F40B CD20 83C4048D vxdjump 8D04C483
00C2F411 9B wait
00C2F412 1E push ds
00C2F413 77 44 ja short 00C2F459
00C2F415 005B A1 add byte ptr ds:[ebx-5F],bl
00C2F418 E4 26 in al,26
00C2F41A C3 retn
00C2F41B 008B 008B401C add byte ptr ds:[ebx+1C408B00],cl
00C2F421 8945 F8 mov dword ptr ss:[ebp-8],eax
00C2F424 A1 E426C300 mov eax,dword ptr ds:[C326E4]
00C2F429 8B00 mov eax,dword ptr ds:[eax]
00C2F42B 8B00 mov eax,dword ptr ds:[eax]
00C2F42D 8945 F0 mov dword ptr ss:[ebp-10],eax
Is this right?
If I'm at 00C2F41A and then press Shift+F9, an error window pops up.
So I still can't find where the OEP is.
Post #10 (LV6, RANK:90)
00C2F3F3 893B mov dword ptr ds:[ebx],edi
00C2F3F5 3085 5798C864 xor byte ptr ss:[ebp+64C89857],al
00C2F3FB 1B3F sbb edi,dword ptr ds:[edi]
00C2F3FD 05 7B462835 add eax,3528467B
00C2F402 67:64:8F06 0000 pop dword ptr fs:[0]   <<== set a breakpoint here, press Shift+F9 so it breaks at this spot, then single-step downward.
00C2F408 26:EB 02 jmp short 00C2F40D
00C2F40B CD20 83C4048D vxdjump 8D04C483
00C2F411 9B wait
00C2F412 1E push ds
00C2F413 77 44 ja short 00C2F459
00C2F415 005B A1 add byte ptr ds:[ebx-5F],bl
00C2F418 E4 26 in al,26
00C2F41A C3 retn
00C2F41B 008B 008B401C add byte ptr ds:[ebx+1C408B00],cl
00C2F421 8945 F8 mov dword ptr ss:[ebp-8],eax
00C2F424 A1 E426C300 mov eax,dword ptr ds:[C326E4]
00C2F429 8B00 mov eax,dword ptr ds:[eax]
00C2F42B 8B00 mov eax,dword ptr ds:[eax]
00C2F42D 8945 F0 mov dword ptr ss:[ebp-10],eax
Post #11 (LV4, RANK:50)
Thank you, lipton, for looking after me so much.
I've already tried it, but how do I tell which code was stolen, and where should it be restored to?
00C2F41B 008B 008B401C add byte ptr ds:[ebx+1C408B00],cl
00C2F421 8945 F8 mov dword ptr ss:[ebp-8],eax
00C2F424 A1 E426C300 mov eax,dword ptr ds:[C326E4]
00C2F429 8B00 mov eax,dword ptr ds:[eax]
00C2F42B 8B00 mov eax,dword ptr ds:[eax]
00C2F42D 8945 F0 mov dword ptr ss:[ebp-10],eax
00C2F430 A1 E426C300 mov eax,dword ptr ds:[C326E4]
00C2F435 8B00 mov eax,dword ptr ds:[eax]
00C2F437 83C0 18 add eax,18
00C2F43A 8945 FC mov dword ptr ss:[ebp-4],eax
00C2F43D A1 6C26C300 mov eax,dword ptr ds:[C3266C]
00C2F442 8858 08 mov byte ptr ds:[eax+8],bl
00C2F445 8B45 FC mov eax,dword ptr ss:[ebp-4]
00C2F448 8338 00 cmp dword ptr ds:[eax],0
00C2F44B 75 21 jnz short 00C2F46E
This is what I traced after setting the breakpoint as you instructed.
Post #14 (LV9, RANK:210)
Originally posted by Sen: Thank you, lipton, for looking after me so much ...
lipton is a very warm-hearted person; he once guided me very patiently through unpacking aspr. Looking back, I really owe master lipton a big thank-you!
According to what lipton said, this segment of yours should jmp to 00C2F40D; list the code from there on.
Post #15 (LV4, RANK:50)
00C2F40D 83C4 04 add esp,4
00C2F410 8D9B 1E774400 lea ebx,dword ptr ds:[ebx+44771E]
00C2F416 5B pop ebx
00C2F417 A1 E426C300 mov eax,dword ptr ds:[C326E4]
00C2F41C 8B00 mov eax,dword ptr ds:[eax]
00C2F41E 8B40 1C mov eax,dword ptr ds:[eax+1C]
00C2F421 8945 F8 mov dword ptr ss:[ebp-8],eax
00C2F424 A1 E426C300 mov eax,dword ptr ds:[C326E4]
00C2F429 8B00 mov eax,dword ptr ds:[eax]
00C2F42B 8B00 mov eax,dword ptr ds:[eax]
00C2F42D 8945 F0 mov dword ptr ss:[ebp-10],eax
00C2F430 A1 E426C300 mov eax,dword ptr ds:[C326E4]
00C2F435 8B00 mov eax,dword ptr ds:[eax]
00C2F437 83C0 18 add eax,18
00C2F43A 8945 FC mov dword ptr ss:[ebp-4],eax
00C2F43D A1 6C26C300 mov eax,dword ptr ds:[C3266C]
00C2F442 8858 08 mov byte ptr ds:[eax+8],bl
00C2F445 8B45 FC mov eax,dword ptr ss:[ebp-4]
00C2F448 8338 00 cmp dword ptr ds:[eax],0
00C2F44B 75 21 jnz short 00C2F46E
00C2F44D 8345 F8 20 add dword ptr ss:[ebp-8],20
00C2F451 A1 0826C300 mov eax,dword ptr ds:[C32608]
00C2F456 8B00 mov eax,dword ptr ds:[eax]
00C2F458 8078 2E 00 cmp byte ptr ds:[eax+2E],0
00C2F45C 75 10 jnz short 00C2F46E
00C2F45E B8 1F000000 mov eax,1F
00C2F463 E8 6833FEFF call 00C127D0
00C2F468 C1E0 02 shl eax,2
00C2F46B 2945 F8 sub dword ptr ss:[ebp-8],eax
00C2F46E E8 6DD6FFFF call 00C2CAE0
00C2F473 8BD8 mov ebx,eax
00C2F475 833D 644BC300 00 cmp dword ptr ds:[C34B64],0
00C2F47C /74 14 je short 00C2F492
00C2F47E |6A 04 push 4
00C2F480 |B9 644BC300 mov ecx,0C34B64
00C2F485 |8D45 F4 lea eax,dword ptr ss:[ebp-C]
00C2F488 |BA 04000000 mov edx,4
00C2F48D |E8 A224FFFF call 00C21934
00C2F492 \B8 02000000 mov eax,2
00C2F497 E8 3433FEFF call 00C127D0
00C2F49C 85C0 test eax,eax
00C2F49E 0F85 13010000 jnz 00C2F5B7
00C2F4A4 56 push esi
00C2F4A5 E8 E0000000 call 00C2F58A
00C2F4AA 53 push ebx
00C2F4AB 51 push ecx
00C2F4AC 81DB D2F2500D sbb ebx,0D50F2D2
00C2F4B2 83DB 61 sbb ebx,61
00C2F4B5 BB BA2B4200 mov ebx,422BBA ; ASCII "\X"
00C2F4BA 8D5C24 5D lea ebx,dword ptr ss:[esp+5D]
00C2F4BE 52 push edx
00C2F4BF 51 push ecx
00C2F4C0 03D1 add edx,ecx
00C2F4C2 BA 0B6E4737 mov edx,37476E0B
00C2F4C7 87CA xchg edx,ecx
00C2F4C9 81F1 9B6E4737 xor ecx,37476E9B
00C2F4CF F7D9 neg ecx
00C2F4D1 83F1 D5 xor ecx,FFFFFFD5
00C2F4D4 87D1 xchg ecx,edx
00C2F4D6 83C2 A4 add edx,-5C
00C2F4D9 2BDA sub ebx,edx
00C2F4DB B9 CE924000 mov ecx,4092CE
00C2F4E0 F2: prefix repne:
00C2F4E1 EB 01 jmp short 00C2F4E4
00C2F4E3 9A 334C2408 590B call far 0B59:08244C33
00C2F4EA D35A FF rcr dword ptr ds:[edx-1],cl
00C2F4ED 33F2 xor esi,edx
00C2F4EF EB 01 jmp short 00C2F4F2
00C2F4F1 F3: prefix rep:
00C2F4F2 83DB 55 sbb ebx,55
00C2F4F5 BB 228F4700 mov ebx,478F22
00C2F4FA 5B pop ebx
00C2F4FB 2E:EB 01 jmp short 00C2F4FF
00C2F4FE F3: prefix rep:
00C2F4FF 6BC9 00 imul ecx,ecx,0
00C2F502 51 push ecx
00C2F503 8F43 18 pop dword ptr ds:[ebx+18]
00C2F506 83C3 0F add ebx,0F
00C2F509 52 push edx
00C2F50A 51 push ecx
00C2F50B 335424 08 xor edx,dword ptr ss:[esp+8]
00C2F50F F2: prefix repne:
00C2F510 EB 01 jmp short 00C2F513
00C2F512 69BA 465A4600 26EB>imul edi,dword ptr ds:[edx+465A46],CD02EB26
00C2F51C 20F3 and bl,dh
00C2F51E EB 02 jmp short 00C2F522
00C2F520 CD20 68650080 vxdcall 80006568
00C2F526 25 83EAF703 and eax,3F7EA83
00C2F52B 54 push esp
00C2F52C 24 18 and al,18
00C2F52E 5A pop edx
00C2F52F 52 push edx
00C2F530 81E1 2080CE4B and ecx,4BCE8020
00C2F536 59 pop ecx
00C2F537 83C1 CA add ecx,-36
00C2F53A 83C1 D1 add ecx,-2F
00C2F53D 51 push ecx
00C2F53E F3: prefix rep:
00C2F53F EB 02 jmp short 00C2F543
00C2F541 CD20 8D143A5A vxdcall 5A3A148D
00C2F547 C1C2 C9 rol edx,0C9
00C2F54A 8D5C53 52 lea ebx,dword ptr ds:[ebx+edx*2+52]
00C2F54E EB 02 jmp short 00C2F552
00C2F550 CD20 8D5C2BAE vxdcall AE2B5C8D
00C2F556 2BDD sub ebx,ebp
00C2F558 2BDA sub ebx,edx
00C2F55A EB 01 jmp short 00C2F55D
00C2F55C 9A 034C2438 B9E6 call far E6B9:38244C03
00C2F563 A3 4900592B mov dword ptr ds:[2B590049],eax
00C2F568 D5 5A aad 5A
00C2F56A 8343 5E 09 add dword ptr ds:[ebx+5E],9
00C2F56E F2: prefix repne:
00C2F56F EB 01 jmp short 00C2F572
00C2F571 9A C1D149B9 8A2E call far 2E8A:B949D1C1
00C2F578 49 dec ecx
00C2F579 0059 F2 add byte ptr ds:[ecx-E],bl
00C2F57C EB 01 jmp short 00C2F57F
00C2F57E F0:8D5C51 B7 lock lea ebx,dword ptr ds:[ecx+edx*2-49] ; LOCK prefix is not allowed
00C2F583 5B pop ebx
00C2F584 83C8 FF or eax,FFFFFFFF
00C2F587 F7D0 not eax
00C2F589 C3 retn
Post #16 (LV9, RANK:210)
In my experience, "prefix repne:" is the marker of a mutated Stolen Code section: the Stolen Code has been padded with a lot of redundant code that serves no real purpose, and you have to analyze it slowly to arrive at the real Stolen Code.
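Added example (not part of this thread, and not a tool from any of the posters): a small Python script that does mechanically what moon describes above, for the two junk patterns visible in post #15. Every forward `jmp short` is treated as junk: the bytes it skips (`9A`, `F3`, `CD 20`) are discarded, the ignored `F2:`/`F3:`/`26:`/`2E:` prefixes in front of the jmp are discarded with it, and decoding restarts at the jump target, so the instructions that the linear listing mis-decoded (`call far 0B59:08244C33`, `rcr dword ptr ds:[edx-1],cl`) come out at their real boundaries (`xor ecx,[esp+8]`, `pop ecx`, `or edx,ebx`, `pop edx`, `push [ebx]`). Assumptions: 32-bit code; the sample bytes are copied by hand from the listing at 00C2F4DB..00C2F509 in post #15 (constructed test input, so verify against your own dump); the length decoder knows only the handful of opcodes that appear there and raises on anything else instead of guessing; jcc, call and backward jumps are left alone because they are real control flow, so the result must still be checked in the debugger.

```python
# Added example: linearize ASProtect-style junk jumps in a raw x86 byte stream.
# Assumes 32-bit code and only the opcode subset seen in the post-15 listing.

PREFIXES = {0x26, 0x2E, 0x36, 0x3E, 0x64, 0x65, 0xF0, 0xF2, 0xF3}

# opcode -> (has_modrm, immediate size in bytes); deliberately a small table
OPCODES = {op: (False, 0) for op in range(0x50, 0x60)}          # push/pop r32
OPCODES.update({op: (False, 4) for op in range(0xB8, 0xC0)})    # mov r32, imm32
OPCODES.update({
    0x68: (False, 4), 0x6A: (False, 1), 0x90: (False, 0), 0xC3: (False, 0),
    0xE8: (False, 4), 0xE9: (False, 4), 0xEB: (False, 1),
    0x03: (True, 0), 0x0B: (True, 0), 0x2B: (True, 0), 0x33: (True, 0),
    0x85: (True, 0), 0x87: (True, 0), 0x89: (True, 0), 0x8B: (True, 0),
    0x8D: (True, 0), 0x8F: (True, 0), 0xF7: (True, 0), 0xFF: (True, 0),
    0x81: (True, 4), 0x69: (True, 4),
    0x83: (True, 1), 0x6B: (True, 1), 0xC1: (True, 1),
})


def modrm_len(buf, i):
    """Bytes used by the ModRM byte at buf[i] plus any SIB and displacement."""
    mod, rm = buf[i] >> 6, buf[i] & 7
    if mod == 3:
        return 1
    n = 1
    if rm == 4:                          # SIB byte follows
        n += 1
        if mod == 0 and (buf[i + 1] & 7) == 5:
            n += 4                       # [index*scale + disp32] with no base
    elif mod == 0 and rm == 5:
        n += 4                           # [disp32]
    if mod == 1:
        n += 1
    elif mod == 2:
        n += 4
    return n


def insn_len(buf, i):
    """Return (prefix_count, total_length, opcode) for the instruction at buf[i]."""
    p = 0
    while buf[i + p] in PREFIXES:
        p += 1
    op = buf[i + p]
    if op not in OPCODES:
        raise ValueError("unsupported opcode %02X at offset %d" % (op, i))
    has_modrm, imm = OPCODES[op]
    n = p + 1
    if has_modrm:
        n += modrm_len(buf, i + p + 1)
        if op == 0xF7 and ((buf[i + p + 1] >> 3) & 7) in (0, 1):
            imm = 4                      # F7 /0 and /1 are TEST r/m32, imm32
    return p, n + imm, op


def linearize(image, base, start):
    """Walk from `start`, following forward jmp short and dropping what they skip.

    Returns (real, skipped): real is the ordered list of (address, bytes) that
    actually execute; skipped is the sorted list of addresses never executed.
    Stops at the first RET, at a backward jmp (a loop, kept as-is), or at the
    end of the image.
    """
    i = start - base
    real, skipped = [], set()
    while i < len(image):
        p, n, op = insn_len(image, i)
        if op == 0xEB:
            rel = image[i + p + 1]
            rel -= 0x100 if rel >= 0x80 else 0
            if rel < 0:                  # backward jmp is real control flow
                real.append((base + i, bytes(image[i:i + n])))
                break
            skipped.update(range(i + n, i + n + rel))
            i += n + rel                 # the jmp and its prefixes are dropped too
            continue
        real.append((base + i, bytes(image[i:i + n])))
        if op == 0xC3:
            break
        i += n
    return real, sorted(base + a for a in skipped)


def cleaned_bytes(real):
    """The de-junked stream, ready to feed to a disassembler or paste back."""
    return b"".join(b for _, b in real)


def dump(real, skipped):
    lines = ["%08X  %s" % (addr, b.hex(" ").upper()) for addr, b in real]
    lines.append("skipped junk bytes at: " + ", ".join("%08X" % a for a in skipped))
    return "\n".join(lines)


# Constructed sample: bytes copied by hand from the post-15 listing, 00C2F4DB..00C2F509.
SAMPLE_BASE = 0x00C2F4DB
SAMPLE = bytes.fromhex(
    "B9 CE 92 40 00"        # mov ecx, 4092CE
    "F2 EB 01 9A"           # repne-prefixed jmp short +1, skips the 9A byte
    "33 4C 24 08 59"        # xor ecx,[esp+8] / pop ecx  (hidden inside "call far")
    "0B D3 5A FF 33"        # or edx,ebx / pop edx / push [ebx]
    "F2 EB 01 F3"           # jmp short +1 over an F3 byte
    "83 DB 55 BB 22 8F 47 00 5B"
    "2E EB 01 F3"           # cs-prefixed jmp short +1 over an F3 byte
    "6B C9 00 51 8F 43 18 83 C3 0F 52"
)

if __name__ == "__main__":
    print(dump(*linearize(SAMPLE, SAMPLE_BASE, SAMPLE_BASE)))
```

Run it on a dump of the whole block from 00C2F4AA and the `skipped` list gives the addresses you can ignore, while `cleaned_bytes` gives a contiguous stream to disassemble again; any opcode the table does not know stops the walk with an error, which is the point at which you go back to single-stepping in OllyDbg rather than trusting the script.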
Post #18 (LV2, RANK:10)
Some Stolen Code also contains junk instructions.
It is not easy to master, and there are a great many versions of ASPR!
Some of them I can unpack, with others I have no way at all!
Also, does the OD plugin for removing junk instructions work?
Originally posted by moon: In my experience, "prefix repne:" is the marker of a mutated Stolen Code section: the Stolen Code has been padded with a lot of redundant code that serves no real purpose, and you have to analyze it slowly to arrive at the real Stolen Code.
Post #19 (LV6, RANK:90)
Very sorry.
I traced this packer for a long while with no result. Not only is the entry code hard to make out, but even after finding it there are still encrypted Call EAX instructions, and probably replaced code as well. The previous version, SC4.94-184, failed precisely because the last piece of replaced code was not restored. Looks like it will have to wait for an expert to solve.