各位老大,你们好。偶刚学习脱壳,有很多不懂,望热心的老大们帮助一下,谢谢。
0061CB49 > 9C PUSHFD //OD 载入后停在这里
0061CB4A 60 PUSHAD
0061CB4B E8 00000000 CALL 自动绘制.0061CB50
0061CB50 B8 FFFFFF0F MOV EAX,0FFFFFFF
0061CB55 B9 07000000 MOV ECX,7
0061CB5A 5D POP EBP
0061CB5B 2BE9 SUB EBP,ECX
0061CB5D EB 0B JMP SHORT 自动绘制.0061CB6A //一路 F8 后,在此跳走
0061CB6A 8DB5 EFFEFFFF LEA ESI,DWORD PTR SS:[EBP-111] //跳走后,来到此处
0061CB70 8B0E MOV ECX,DWORD PTR DS:[ESI]
0061CB72 83F9 01 CMP ECX,1
0061CB75 0F84 F1010000 JE 自动绘制.0061CD6C //此处不跳
0061CB7B C706 01000000 MOV DWORD PTR DS:[ESI],1
0061CB81 8BD5 MOV EDX,EBP
0061CB83 8B8D BFFEFFFF MOV ECX,DWORD PTR SS:[EBP-141]
0061CB89 2BD1 SUB EDX,ECX
0061CB8B 8995 BFFEFFFF MOV DWORD PTR SS:[EBP-141],EDX
0061CB91 0195 D7FEFFFF ADD DWORD PTR SS:[EBP-129],EDX
0061CB97 8DB5 F3FEFFFF LEA ESI,DWORD PTR SS:[EBP-10D]
0061CB9D 0116 ADD DWORD PTR DS:[ESI],EDX
0061CB9F 8B36 MOV ESI,DWORD PTR DS:[ESI]
0061CBA1 8BFD MOV EDI,EBP
0061CBA3 ^ EB C0 JMP SHORT 自动绘制.0061CB65 //也是一路 F8 后,在此跳走
0061CB65 60 PUSHAD //跳向这里
0061CB66 6A 40 PUSH 40
0061CB68 EB 3C JMP SHORT 自动绘制.0061CBA6
0061CB6A 8DB5 EFFEFFFF LEA ESI,DWORD PTR SS:[EBP-111]
0061CB70 8B0E MOV ECX,DWORD PTR DS:[ESI]
0061CB72 83F9 01 CMP ECX,1
0061CB75 0F84 F1010000 JE 自动绘制.0061CD6C //此处不跳
0061CB7B C706 01000000 MOV DWORD PTR DS:[ESI],1
0061CB81 8BD5 MOV EDX,EBP
0061CB83 8B8D BFFEFFFF MOV ECX,DWORD PTR SS:[EBP-141]
0061CB89 2BD1 SUB EDX,ECX
0061CB8B 8995 BFFEFFFF MOV DWORD PTR SS:[EBP-141],EDX
0061CB91 0195 D7FEFFFF ADD DWORD PTR SS:[EBP-129],EDX
0061CB97 8DB5 F3FEFFFF LEA ESI,DWORD PTR SS:[EBP-10D]
0061CB9D 0116 ADD DWORD PTR DS:[ESI],EDX
0061CB9F 8B36 MOV ESI,DWORD PTR DS:[ESI]
0061CBA1 8BFD MOV EDI,EBP
0061CBA3 ^ EB C0 JMP SHORT 自动绘制.0061CB65 // still F8 ,又在此跳走,让老大们见笑了~~~
0061CBA6 68 00100000 PUSH 1000
0061CBAB 68 00100000 PUSH 1000
0061CBB0 6A 00 PUSH 0
0061CBB2 FF95 13FFFFFF CALL DWORD PTR SS:[EBP-ED]
0061CBB8 85C0 TEST EAX,EAX
0061CBBA 0F84 06030000 JE 自动绘制.0061CEC6
0061CBC0 8985 D3FEFFFF MOV DWORD PTR SS:[EBP-12D],EAX
0061CBC6 E8 00000000 CALL 自动绘制.0061CBCB
0061CBCB 5B POP EBX
0061CBCC B9 2F894000 MOV ECX,自动绘制.0040892F
0061CBD1 81E9 2C864000 SUB ECX,自动绘制.0040862C
0061CBD7 03D9 ADD EBX,ECX
0061CBD9 50 PUSH EAX
0061CBDA 53 PUSH EBX
0061CBDB E8 3D020000 CALL 自动绘制.0061CE1D
0061CBE0 61 POPAD
0061CBE1 03BD B7FEFFFF ADD EDI,DWORD PTR SS:[EBP-149]
0061CBE7 8BDF MOV EBX,EDI
0061CBE9 833F 00 CMP DWORD PTR DS:[EDI],0
0061CBEC 75 0A JNZ SHORT 自动绘制.0061CBF8
0061CBEE 83C7 04 ADD EDI,4
0061CBF1 B9 00000000 MOV ECX,0
0061CBF6 /EB 16 JMP SHORT 自动绘制.0061CC0E
0061CBF8 |B9 01000000 MOV ECX,1
0061CBFD |033B ADD EDI,DWORD PTR DS:[EBX]
0061CBFF |83C3 04 ADD EBX,4
0061CC02 |833B 00 CMP DWORD PTR DS:[EBX],0
0061CC05 |74 2D JE SHORT 自动绘制.0061CC34
0061CC07 |0113 ADD DWORD PTR DS:[EBX],EDX
0061CC09 |8B33 MOV ESI,DWORD PTR DS:[EBX]
0061CC0B |037B 04 ADD EDI,DWORD PTR DS:[EBX+4]
0061CC0E \57 PUSH EDI
0061CC0F 51 PUSH ECX
0061CC10 52 PUSH EDX
0061CC11 53 PUSH EBX
0061CC12 FFB5 17FFFFFF PUSH DWORD PTR SS:[EBP-E9]
0061CC18 FFB5 13FFFFFF PUSH DWORD PTR SS:[EBP-ED]
0061CC1E 56 PUSH ESI
0061CC1F 57 PUSH EDI
0061CC20 FF95 D3FEFFFF CALL DWORD PTR SS:[EBP-12D]
0061CC26 5B POP EBX
0061CC27 5A POP EDX
0061CC28 59 POP ECX
0061CC29 5F POP EDI
0061CC2A 83F9 00 CMP ECX,0
0061CC2D 74 05 JE SHORT 自动绘制.0061CC34
0061CC2F 83C3 08 ADD EBX,8
0061CC32 ^ EB CE JMP SHORT 自动绘制.0061CC02
0061CC34 68 00800000 PUSH 8000
0061CC39 6A 00 PUSH 0
0061CC3B FFB5 D3FEFFFF PUSH DWORD PTR SS:[EBP-12D]
0061CC41 FF95 17FFFFFF CALL DWORD PTR SS:[EBP-E9]
0061CC47 8DB5 D7FEFFFF LEA ESI,DWORD PTR SS:[EBP-129]
0061CC4D 8B4E 04 MOV ECX,DWORD PTR DS:[ESI+4]
0061CC50 8D56 08 LEA EDX,DWORD PTR DS:[ESI+8]
0061CC53 8B36 MOV ESI,DWORD PTR DS:[ESI]
0061CC55 8BFE MOV EDI,ESI
0061CC57 83F9 00 CMP ECX,0
0061CC5A 74 3F JE SHORT 自动绘制.0061CC9B
0061CC5C 8A07 MOV AL,BYTE PTR DS:[EDI]
0061CC5E 47 INC EDI ; 自动绘制.00401000
0061CC5F 2C E8 SUB AL,0E8
0061CC61 3C 01 CMP AL,1
0061CC63 ^ 77 F7 JA SHORT 自动绘制.0061CC5C
0061CC65 8B07 MOV EAX,DWORD PTR DS:[EDI]
0061CC67 807A 01 00 CMP BYTE PTR DS:[EDX+1],0
0061CC6B 74 14 JE SHORT 自动绘制.0061CC81
0061CC6D 8A1A MOV BL,BYTE PTR DS:[EDX]
0061CC6F 381F CMP BYTE PTR DS:[EDI],BL
0061CC71 ^ 75 E9 JNZ SHORT 自动绘制.0061CC5C
0061CC73 8A5F 04 MOV BL,BYTE PTR DS:[EDI+4]
0061CC76 66:C1E8 08 SHR AX,8
0061CC7A C1C0 10 ROL EAX,10
0061CC7D 86C4 XCHG AH,AL
0061CC7F /EB 0A JMP SHORT 自动绘制.0061CC8B
0061CC81 |8A5F 04 MOV BL,BYTE PTR DS:[EDI+4]
0061CC84 |86C4 XCHG AH,AL
0061CC86 |C1C0 10 ROL EAX,10
0061CC89 |86C4 XCHG AH,AL
0061CC8B \2BC7 SUB EAX,EDI
0061CC8D 03C6 ADD EAX,ESI
0061CC8F 8907 MOV DWORD PTR DS:[EDI],EAX
0061CC91 83C7 05 ADD EDI,5
0061CC94 80EB E8 SUB BL,0E8
0061CC97 8BC3 MOV EAX,EBX
0061CC99 ^ E2 C6 LOOPD SHORT 自动绘制.0061CC61
0061CC9B E8 D3000000 CALL 自动绘制.0061CD73
0061CCA0 8D8D E3FEFFFF LEA ECX,DWORD PTR SS:[EBP-11D]
0061CCA6 8B41 04 MOV EAX,DWORD PTR DS:[ECX+4]
0061CCA9 83F8 00 CMP EAX,0
0061CCAC 0F84 81000000 JE 自动绘制.0061CD33
0061CCB2 8BF2 MOV ESI,EDX
0061CCB4 2B71 08 SUB ESI,DWORD PTR DS:[ECX+8]
0061CCB7 74 7A JE SHORT 自动绘制.0061CD33
0061CCB9 8971 08 MOV DWORD PTR DS:[ECX+8],ESI
0061CCBC 8B01 MOV EAX,DWORD PTR DS:[ECX]
0061CCBE 8DB5 F3FEFFFF LEA ESI,DWORD PTR SS:[EBP-10D]
0061CCC4 8B36 MOV ESI,DWORD PTR DS:[ESI]
0061CCC6 8D5E FC LEA EBX,DWORD PTR DS:[ESI-4]
0061CCC9 83F8 01 CMP EAX,1
0061CCCC 74 0A JE SHORT 自动绘制.0061CCD8
0061CCCE 8BFA MOV EDI,EDX
0061CCD0 0379 04 ADD EDI,DWORD PTR DS:[ECX+4]
0061CCD3 8B49 08 MOV ECX,DWORD PTR DS:[ECX+8]
0061CCD6 EB 08 JMP SHORT 自动绘制.0061CCE0
0061CCD8 8BFE MOV EDI,ESI
0061CCDA 0379 04 ADD EDI,DWORD PTR DS:[ECX+4]
0061CCDD 8B49 08 MOV ECX,DWORD PTR DS:[ECX+8]
0061CCE0 33C0 XOR EAX,EAX
0061CCE2 8A07 MOV AL,BYTE PTR DS:[EDI]
0061CCE4 47 INC EDI
0061CCE5 0BC0 OR EAX,EAX
0061CCE7 74 20 JE SHORT 自动绘制.0061CD09
0061CCE9 3C EF CMP AL,0EF
0061CCEB 77 06 JA SHORT 自动绘制.0061CCF3
0061CCED 03D8 ADD EBX,EAX
0061CCEF 010B ADD DWORD PTR DS:[EBX],ECX
0061CCF1 ^ EB ED JMP SHORT 自动绘制.0061CCE0
0061CCF3 24 0F AND AL,0F
0061CCF5 C1E0 10 SHL EAX,10
0061CCF8 66:8B07 MOV AX,WORD PTR DS:[EDI]
0061CCFB 83C7 02 ADD EDI,2
0061CCFE 0BC0 OR EAX,EAX
0061CD00 ^ 75 EB JNZ SHORT 自动绘制.0061CCED
0061CD02 8B07 MOV EAX,DWORD PTR DS:[EDI]
0061CD04 83C7 04 ADD EDI,4
0061CD07 ^ EB E4 JMP SHORT 自动绘制.0061CCED
0061CD09 33DB XOR EBX,EBX
0061CD0B 87FE XCHG ESI,EDI
0061CD0D 8B06 MOV EAX,DWORD PTR DS:[ESI]
0061CD0F 83F8 00 CMP EAX,0
0061CD12 74 1F JE SHORT 自动绘制.0061CD33
0061CD14 AD LODS DWORD PTR DS:[ESI]
0061CD15 0BC0 OR EAX,EAX
0061CD17 74 08 JE SHORT 自动绘制.0061CD21
0061CD19 03D8 ADD EBX,EAX
0061CD1B 66:010C3B ADD WORD PTR DS:[EBX+EDI],CX
0061CD1F ^ EB F3 JMP SHORT 自动绘制.0061CD14
0061CD21 33DB XOR EBX,EBX
0061CD23 C1E9 10 SHR ECX,10
0061CD26 AD LODS DWORD PTR DS:[ESI]
0061CD27 0BC0 OR EAX,EAX
0061CD29 74 08 JE SHORT 自动绘制.0061CD33
0061CD2B 03D8 ADD EBX,EAX
0061CD2D 66:010C3B ADD WORD PTR DS:[EBX+EDI],CX
0061CD31 ^ EB F3 JMP SHORT 自动绘制.0061CD26
0061CD33 8BDD MOV EBX,EBP
0061CD35 81EB 21000000 SUB EBX,21
0061CD3B 33C9 XOR ECX,ECX
0061CD3D 8A0B MOV CL,BYTE PTR DS:[EBX]
0061CD3F 83F9 00 CMP ECX,0
0061CD42 74 28 JE SHORT 自动绘制.0061CD6C
0061CD44 43 INC EBX ; 自动绘制.0061CB28
0061CD45 8DB5 BFFEFFFF LEA ESI,DWORD PTR SS:[EBP-141]
0061CD4B 8B16 MOV EDX,DWORD PTR DS:[ESI]
0061CD4D 56 PUSH ESI
0061CD4E 51 PUSH ECX
0061CD4F 53 PUSH EBX
0061CD50 52 PUSH EDX
0061CD51 56 PUSH ESI
0061CD52 FF33 PUSH DWORD PTR DS:[EBX]
0061CD54 FF73 04 PUSH DWORD PTR DS:[EBX+4]
0061CD57 8B43 08 MOV EAX,DWORD PTR DS:[EBX+8]
0061CD5A 03C2 ADD EAX,EDX
0061CD5C 50 PUSH EAX
0061CD5D FF95 0FFFFFFF CALL DWORD PTR SS:[EBP-F1]
0061CD63 5A POP EDX
0061CD64 5B POP EBX
0061CD65 59 POP ECX
0061CD66 5E POP ESI
0061CD67 83C3 0C ADD EBX,0C
0061CD6A ^ E2 E1 LOOPD SHORT 自动绘制.0061CD4D
0061CD6C 61 POPAD //跳过无数次循环后,来到这里
0061CD6D 9D POPFD //似乎是看到了光明之巅,但…………
0061CD6E - E9 7DE9DEFF JMP 自动绘制.0040B6F0 //真的是光明之巅吗???
0040B6F0 68 DB 68 ; CHAR 'h' //来到这里了
0040B6F1 F4 DB F4
0040B6F2 B7 DB B7
0040B6F3 40 DB 40 ; CHAR '@'
0040B6F4 00 DB 00
0040B6F5 E8 DB E8
0040B6F6 F0 DB F0
用 OD 的“脱壳在当前的调试进程”脱了一下,现在用 PEid0.94 能看出来是 Visual Basic 编程了,但运行脱壳后的程序,却出现了“无法
定位序数 65464 于动态链接库 Msvbvm60.dll 上。”的错误提示,用 ImportREC 的自动修复功能,说没有 OEP ,至此彻底费解了,望老大帮助一二为盼,谢谢。
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!
