用 PEiD 查壳，显示为北斗程序压缩（USPACK）壳。注意 PEiD 是基于签名识别，结果仅供参考，应以实际脱壳结果为准。
以下是脱壳后程序的分析（OllyDbg 反汇编片段，取自注册验证函数的中段：函数入口以及各分支汇合的公共出口 00406E3D 都不在片段内，子调用 004048A0/004040A0/00404890/00404F20 以及线程函数 00408C10 的代码也未列出）。
4067A6 . /0F84 8A000000 je 00406836 ; author: "taken => program dies". NOTE(review): the fall-through at 004067AC shows the failure box unconditionally, and the target 00406836 only avoids its own failure box via jnz at 00406841 — so reaching 004068D1 requires this jump to be TAKEN; confirm which reading the author intended
004067AC . |53 push ebx ; ebx presumably 0 here (it is also passed as the NULL args to CreateThread below) — confirm
004067AD . |53 push ebx
004067AE . |68 9C254200 push 0042259C ; 注册验证失败! ; ("Registration verification failed!")
004067B3 . |E8 BC160100 call <jmp.&MFC42.#1200_AfxMessageBox> ; failure path #1
004067B8 . |8D4C24 54 lea ecx, dword ptr [esp+54]
004067BC . |E8 EFD1FFFF call 004039B0 ; on the object at [esp+54] (body not in this listing)
004067C1 . |53 push ebx
004067C2 . |8D8C24 800000>lea ecx, dword ptr [esp+80]
004067C9 . |C68424 281903>mov byte ptr [esp+31928], 0B ; the byte at [esp+3192x] is rewritten before each ctor/dtor below: presumably MSVC C++ EH unwind-state bookkeeping for this frame's objects, not part of the check logic — confirm
004067D1 . |E8 1AD00000 call 004137F0
004067D6 . |8D4C24 7C lea ecx, dword ptr [esp+7C]
004067DA . |C68424 241903>mov byte ptr [esp+31924], 0C
004067E2 . |E8 A1140100 call <jmp.&MFC42.#2514_CDialog::DoMod> ; CDialog::DoModal on the dialog at [esp+7C] — a second modal dialog after the failure box
004067E7 . |8D8C24 1C0100>lea ecx, dword ptr [esp+11C]
004067EE . |C68424 241903>mov byte ptr [esp+31924], 0E
004067F6 . |E8 11180100 call <jmp.&MFC42.#656_CEdit::~CEdit> ; teardown of the dialog's members, in reverse construction order
004067FB . |8D8C24 DC0000>lea ecx, dword ptr [esp+DC]
00406802 . |C68424 241903>mov byte ptr [esp+31924], 0D
0040680A . |E8 FD170100 call <jmp.&MFC42.#656_CEdit::~CEdit>
0040680F . |8D4C24 7C lea ecx, dword ptr [esp+7C]
00406813 . |C68424 241903>mov byte ptr [esp+31924], 0B
0040681B . |E8 6A150100 call <jmp.&MFC42.#641_CDialog::~CDial>
00406820 . |8D4C24 54 lea ecx, dword ptr [esp+54]
00406824 . |C68424 241903>mov byte ptr [esp+31924], 9
0040682C . |E8 4FD2FFFF call 00403A80
00406831 . |E9 07060000 jmp 00406E3D ; common exit of every branch; 00406E3D is outside this listing
00406836 > \8D4C24 2C lea ecx, dword ptr [esp+2C] ; the object at [esp+2C] is what every check below is called on
0040683A . E8 61E0FFFF call 004048A0 ; check #2 (body not in this listing)
0040683F . 84C0 test al, al
00406841 . 0F85 8A000000 jnz 004068D1 ; al != 0 is the ONLY way past the failure box below; al == 0 falls into it
00406847 . 53 push ebx ; ebx presumably 0 (NULL) — confirm
00406848 . 53 push ebx
00406849 . 68 9C254200 push 0042259C ; 注册验证失败! ; ("Registration verification failed!") — same string as failure path #1
0040684E . E8 21160100 call <jmp.&MFC42.#1200_AfxMessageBox> ; failure path #2; mirrors 004067AC..00406831 except for the EH state values
00406853 . 8D4C24 54 lea ecx, dword ptr [esp+54]
00406857 . E8 54D1FFFF call 004039B0
0040685C . 53 push ebx
0040685D . 8D8C24 800000>lea ecx, dword ptr [esp+80]
00406864 . C68424 281903>mov byte ptr [esp+31928], 0F ; presumably MSVC C++ EH unwind-state bookkeeping (see the same pattern in path #1) — confirm
0040686C . E8 7FCF0000 call 004137F0
00406871 . 8D4C24 7C lea ecx, dword ptr [esp+7C]
00406875 . C68424 241903>mov byte ptr [esp+31924], 10
0040687D . E8 06140100 call <jmp.&MFC42.#2514_CDialog::DoMod> ; CDialog::DoModal on the dialog at [esp+7C]
00406882 . 8D8C24 1C0100>lea ecx, dword ptr [esp+11C]
00406889 . C68424 241903>mov byte ptr [esp+31924], 12
00406891 . E8 76170100 call <jmp.&MFC42.#656_CEdit::~CEdit>
00406896 . 8D8C24 DC0000>lea ecx, dword ptr [esp+DC]
0040689D . C68424 241903>mov byte ptr [esp+31924], 11
004068A5 . E8 62170100 call <jmp.&MFC42.#656_CEdit::~CEdit>
004068AA . 8D4C24 7C lea ecx, dword ptr [esp+7C]
004068AE . C68424 241903>mov byte ptr [esp+31924], 0F
004068B6 . E8 CF140100 call <jmp.&MFC42.#641_CDialog::~CDial>
004068BB . 8D4C24 54 lea ecx, dword ptr [esp+54]
004068BF . C68424 241903>mov byte ptr [esp+31924], 9
004068C7 . E8 B4D1FFFF call 00403A80
004068CC . E9 6C050000 jmp 00406E3D ; common exit, outside this listing
004068D1 > 8D4C24 2C lea ecx, dword ptr [esp+2C]
004068D5 . E8 C6D7FFFF call 004040A0 ; check #3 on the object at [esp+2C] (body not in this listing)
004068DA . 84C0 test al, al
004068DC . 74 41 je short 0040691F ; author: "taken => program dies". al == 0 -> 0040691F (further checks); al != 0 -> the reboot prompt and CreateThread below
004068DE . 53 push ebx ; nIDHelp (ebx presumably 0)
004068DF . 6A 04 push 4 ; nType = 4 (MB_YESNO), consistent with the yes/no question in the text
004068E1 . 68 68254200 push 00422568 ; 严重错误,即将关闭计算机.\n\n你确定要重新启动计算机吗? ; ("Serious error, the computer is about to shut down.\n\nAre you sure you want to restart the computer?") — reads as an anti-tamper reboot threat; step through this path only in a disposable VM snapshot
004068E6 . 895C24 28 mov dword ptr [esp+28], ebx ; stores ebx (presumably 0) into a local; its consumer is not visible here
004068EA . E8 85150100 call <jmp.&MFC42.#1200_AfxMessageBox>
004068EF . 83F8 06 cmp eax, 6 ; 6 == IDYES
004068F2 . 75 12 jnz short 00406906 ; author: "not taken => program dies". Any answer other than Yes goes straight to CreateThread at 00406906
004068F4 > 53 push ebx
004068F5 . 6A 04 push 4
004068F7 . 68 68254200 push 00422568 ; 严重错误,即将关闭计算机.\n\n你确定要重新启动计算机吗? ; same prompt again
004068FC . E8 73150100 call <jmp.&MFC42.#1200_AfxMessageBox>
00406901 . 83F8 06 cmp eax, 6
00406904 .^ 75 EE jnz short 004068F4 ; re-prompts until Yes, then falls into 00406906. NOTE(review): both answers to the first box therefore end at CreateThread — inverting 004068F2 (as in the patch list) does not avoid the thread
00406906 > 8D4424 1C lea eax, dword ptr [esp+1C]
0040690A . 50 push eax ; /pThreadId
0040690B . 53 push ebx ; |CreationFlags
0040690C . 53 push ebx ; |pThreadParm
0040690D . 68 108C4000 push 00408C10 ; |ThreadFunction = 19.00408C10 ; the thread body at 00408C10 is NOT in this listing; given the prompt text, treat it as possibly shutting down/rebooting the machine — disassemble it (or break on it, and on ExitWindowsEx/InitiateSystemShutdown) before letting this path run outside a VM
00406912 . 53 push ebx ; |StackSize
00406913 . 53 push ebx ; |pSecurity
00406914 . FF15 30C04100 call dword ptr [<&kernel32.CreateThre>; \CreateThread ; CreateThread(NULL, 0, 00408C10, NULL, 0, &tid) assuming ebx == 0 — confirm
0040691A . E9 1E050000 jmp 00406E3D ; common exit, outside this listing; the thread keeps running after it
0040691F > 8D4C24 2C lea ecx, dword ptr [esp+2C]
00406923 . E8 68DFFFFF call 00404890 ; check #4 on the object at [esp+2C] (body not in this listing)
00406928 . 84C0 test al, al
0040692A . 0F84 0D050000 je 00406E3D ; al == 0 -> straight to the common exit (outside this listing)
00406930 . 8D4C24 2C lea ecx, dword ptr [esp+2C]
00406934 . E8 E7E5FFFF call 00404F20 ; check #5 (body not in this listing)
00406939 . 84C0 test al, al
0040693B . 0F85 FC040000 jnz 00406E3D ; author: "not taken => program dies"; al == 0 falls through into code past the end of this listing. NOTE(review): flipping this to je (author's patch) only makes al != 0 the fatal case — an unconditional jmp (E9) would take the 00406E3D path regardless of the result
总结：本人对几个关键跳转做了以下修改。注意：下面只是把条件跳转取反（je↔jnz），并没有改成无条件跳转 jmp，因此只是调换了"哪种返回值会走向失败"，失败分支本身仍然可达；另外 004068F2 不论跳不跳，最终都会汇合到 00406906 的 CreateThread，取反这一处并不能绕过那个线程。
004067A6 /0F85 8A000000 jnz 00406836
004068DC /75 41 jnz short 0040691F
004068F2 /74 12 je short 00406906
0040693B . /0F84 FC040000 je 00406E3D
下bp ExitProcess 断点拦截后就不知道该如何继续返回程序了,请高手们指点