脱壳后,以下应该是自校验的代码,请问如何去除自校验?
0040113A /$ 55 PUSH EBP
0040113B |. 8BEC MOV EBP,ESP
0040113D |. 81EC 98020000 SUB ESP,298
00401143 |. 53 PUSH EBX
00401144 |. 56 PUSH ESI
00401145 |. 57 PUSH EDI
00401146 |. 8D85 6CFEFFFF LEA EAX,DWORD PTR SS:[EBP-194]
0040114C |. 68 04010000 PUSH 104 ; /BufSize = 104 (260.)
00401151 |. 50 PUSH EAX ; |PathBuffer
00401152 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hModule
00401155 |. 33DB XOR EBX,EBX ; |
00401157 |. 895D FC MOV DWORD PTR SS:[EBP-4],EBX ; |
0040115A |. 895D F8 MOV DWORD PTR SS:[EBP-8],EBX ; |
0040115D |. 895D F0 MOV DWORD PTR SS:[EBP-10],EBX ; |
00401160 |. FF15 24604000 CALL DWORD PTR DS:[<&kernel32.GetModuleF>; \GetModuleFileNameA
00401166 |. 53 PUSH EBX ; /hTemplateFile => NULL
00401167 |. 68 80000000 PUSH 80 ; |Attributes = NORMAL
0040116C |. 6A 03 PUSH 3 ; |Mode = OPEN_EXISTING
0040116E |. 53 PUSH EBX ; |pSecurity => NULL
0040116F |. 6A 01 PUSH 1 ; |ShareMode = FILE_SHARE_READ
00401171 |. 8D85 6CFEFFFF LEA EAX,DWORD PTR SS:[EBP-194] ; |
00401177 |. 68 00000080 PUSH 80000000 ; |Access = GENERIC_READ
0040117C |. 50 PUSH EAX ; |FileName
0040117D |. FF15 20604000 CALL DWORD PTR DS:[<&kernel32.CreateFile>; \CreateFileA
00401183 |. 8BF8 MOV EDI,EAX
00401185 |. 83FF FF CMP EDI,-1
00401188 |. 75 0C JNZ SHORT 123.00401196
0040118A |. C745 FC C0714>MOV DWORD PTR SS:[EBP-4],123.004071C0 ; can't open file!
00401191 |. E9 37030000 JMP 123.004014CD
00401196 |> 8B35 1C604000 MOV ESI,DWORD PTR DS:[<&kernel32.SetFile>; kernel32.SetFilePointer
0040119C |. 6A 02 PUSH 2 ; /Origin = FILE_END
0040119E |. 53 PUSH EBX ; |pOffsetHi
0040119F |. 6A F8 PUSH -8 ; |OffsetLo = FFFFFFF8 (-8.)
004011A1 |. 57 PUSH EDI ; |hFile
004011A2 |. FFD6 CALL ESI ; \SetFilePointer
004011A4 |. 3D E8030000 CMP EAX,3E8
004011A9 |. 8945 F4 MOV DWORD PTR SS:[EBP-C],EAX
004011AC 0F82 FD020000 JB 123.004014AF
004011B2 |. 8D45 E4 LEA EAX,DWORD PTR SS:[EBP-1C]
004011B5 |. 53 PUSH EBX ; /pOverlapped
004011B6 |. 50 PUSH EAX ; |pBytesRead
004011B7 |. 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24] ; |
004011BA |. 6A 08 PUSH 8 ; |BytesToRead = 8
004011BC |. 50 PUSH EAX ; |Buffer
004011BD |. 57 PUSH EDI ; |hFile
004011BE |. 895D E4 MOV DWORD PTR SS:[EBP-1C],EBX ; |
004011C1 |. FF15 18604000 CALL DWORD PTR DS:[<&kernel32.ReadFile>] ; \ReadFile
004011C7 |. 85C0 TEST EAX,EAX
004011C9 |. 0F84 E9020000 JE 123.004014B8
004011CF |. 837D E4 08 CMP DWORD PTR SS:[EBP-1C],8
004011D3 |. 0F85 DF020000 JNZ 123.004014B8
004011D9 |. 8B45 DC MOV EAX,DWORD PTR SS:[EBP-24]
004011DC |. 817D E0 A5B79>CMP DWORD PTR SS:[EBP-20],829AB7A5
004011E3 |. 8945 08 MOV DWORD PTR SS:[EBP+8],EAX
004011E6 0F85 C3020000 JNZ 123.004014AF
004011EC |. 83F8 04 CMP EAX,4
004011EF 0F8C BA020000 JL 123.004014AF
004011F5 |. 3B45 F4 CMP EAX,DWORD PTR SS:[EBP-C]
004011F8 0F8D B1020000 JGE 123.004014AF
004011FE |. 50 PUSH EAX
004011FF |. E8 32220000 CALL 123.00403436
00401204 |. 3BC3 CMP EAX,EBX
00401206 |. 59 POP ECX
00401207 |. 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX
0040120A |. 0F84 07010000 JE 123.00401317
00401210 |. 6A 02 PUSH 2
00401212 |. 53 PUSH EBX
00401213 |. 6A F8 PUSH -8
00401215 |. 895D E8 MOV DWORD PTR SS:[EBP-18],EBX
00401218 |. 58 POP EAX
00401219 |. 2B45 08 SUB EAX,DWORD PTR SS:[EBP+8]
0040121C |. 50 PUSH EAX
0040121D |. 57 PUSH EDI
0040121E |. FFD6 CALL ESI
00401220 |. 83F8 FF CMP EAX,-1
00401223 |. 0F84 7D020000 JE 123.004014A6
00401229 |. 8B75 F8 MOV ESI,DWORD PTR SS:[EBP-8]
0040122C |. 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
0040122F |. 53 PUSH EBX ; /pOverlapped
00401230 |. 50 PUSH EAX ; |pBytesRead
00401231 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |BytesToRead
00401234 |. 56 PUSH ESI ; |Buffer
00401235 |. 57 PUSH EDI ; |hFile
00401236 |. FF15 18604000 CALL DWORD PTR DS:[<&kernel32.ReadFile>] ; \ReadFile
0040123C |. 85C0 TEST EAX,EAX
0040123E |. 0F84 62020000 JE 123.004014A6
00401244 |. 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
00401247 |. 3945 E8 CMP DWORD PTR SS:[EBP-18],EAX
0040124A |. 0F85 56020000 JNZ 123.004014A6
00401250 |. 813E A5B79A82 CMP DWORD PTR DS:[ESI],829AB7A5
00401256 0F85 4A020000 JNZ 123.004014A6
0040125C 8D85 6CFEFFFF LEA EAX,DWORD PTR SS:[EBP-194]
00401262 |. 83C6 04 ADD ESI,4
00401265 |. 50 PUSH EAX ; /Buffer
00401266 |. 68 04010000 PUSH 104 ; |BufSize = 104 (260.)
0040126B |. FF15 14604000 CALL DWORD PTR DS:[<&kernel32.GetTempPat>; \GetTempPathA
00401271 |. 85C0 TEST EAX,EAX
00401273 |. 75 0C JNZ SHORT 123.00401281
00401275 |. C745 FC 98714>MOV DWORD PTR SS:[EBP-4],123.00407198 ; can't retrieve the temporary directory!
0040127C |. E9 3E020000 JMP 123.004014BF
00401281 |> 8B06 MOV EAX,DWORD PTR DS:[ESI]
00401283 |. 83C6 04 ADD ESI,4
00401286 |. 50 PUSH EAX ; /<%X>
00401287 |. 8D85 70FFFFFF LEA EAX,DWORD PTR SS:[EBP-90] ; |
0040128D |. 68 90714000 PUSH 123.00407190 ; |e_%x
00401292 |. 50 PUSH EAX ; |s
00401293 |. FF15 B0604000 CALL DWORD PTR DS:[<&USER32.wsprintfA>] ; \wsprintfA
00401299 |. 8D85 70FFFFFF LEA EAX,DWORD PTR SS:[EBP-90]
0040129F |. 50 PUSH EAX
004012A0 |. 8D85 6CFEFFFF LEA EAX,DWORD PTR SS:[EBP-194]
004012A6 |. 50 PUSH EAX
004012A7 |. E8 24200000 CALL 123.004032D0
004012AC |. 83C4 14 ADD ESP,14
004012AF |. 8D85 6CFEFFFF LEA EAX,DWORD PTR SS:[EBP-194]
004012B5 |. 53 PUSH EBX ; /pSecurity
004012B6 |. 50 PUSH EAX ; |Path
004012B7 |. FF15 10604000 CALL DWORD PTR DS:[<&kernel32.CreateDire>; \CreateDirectoryA
004012BD |. 8D85 6CFEFFFF LEA EAX,DWORD PTR SS:[EBP-194]
004012C3 |. 68 8C714000 PUSH 123.0040718C ; \
004012C8 |. 50 PUSH EAX
004012C9 |. E8 02200000 CALL 123.004032D0
004012CE |. FF36 PUSH DWORD PTR DS:[ESI]
004012D0 |. 836D 08 0C SUB DWORD PTR SS:[EBP+8],0C
004012D4 |. 8D7E 04 LEA EDI,DWORD PTR DS:[ESI+4]
004012D7 |. FF75 08 PUSH DWORD PTR SS:[EBP+8]
004012DA |. 57 PUSH EDI
004012DB |. E8 39FEFFFF CALL 123.00401119
004012E0 |. 836D 08 08 SUB DWORD PTR SS:[EBP+8],8
004012E4 |. 8B47 04 MOV EAX,DWORD PTR DS:[EDI+4]
004012E7 |. 83C4 14 ADD ESP,14
004012EA |. 395D 08 CMP DWORD PTR SS:[EBP+8],EBX
004012ED |. 8945 EC MOV DWORD PTR SS:[EBP-14],EAX
004012F0 0F8E A7010000 JLE 123.0040149D
004012F6 |. 813F 0D0F3E03 CMP DWORD PTR DS:[EDI],33E0F0D
004012FC 0F85 9B010000 JNZ 123.0040149D
00401302 |. 3BC3 CMP EAX,EBX
00401304 0F8E 93010000 JLE 123.0040149D
0040130A |. 50 PUSH EAX
0040130B |. E8 26210000 CALL 123.00403436
00401310 |. 8BF0 MOV ESI,EAX
00401312 |. 59 POP ECX
00401313 |. 3BF3 CMP ESI,EBX
00401315 75 0C JNZ SHORT 123.00401323
00401317 |> C745 FC 74714>MOV DWORD PTR SS:[EBP-4],123.00407174 ; insufficient memory!
0040131E E9 9C010000 JMP 123.004014BF
00401323 |> FF75 08 PUSH DWORD PTR SS:[EBP+8]
00401326 |. 83C7 08 ADD EDI,8
00401329 |. 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
0040132C |. 57 PUSH EDI
0040132D |. 50 PUSH EAX
0040132E |. 56 PUSH ESI
0040132F |. E8 E71E0000 CALL 123.0040321B
00401334 |. 83C4 10 ADD ESP,10
00401337 |. 85C0 TEST EAX,EAX
00401339 74 13 JE SHORT 123.0040134E
0040133B |. 56 PUSH ESI
0040133C |. E8 EA200000 CALL 123.0040342B
00401341 |. 59 POP ECX
00401342 |. C745 FC 58714>MOV DWORD PTR SS:[EBP-4],123.00407158 ; failed to decompress data!
00401349 |. E9 71010000 JMP 123.004014BF
0040134E |> FF75 F8 PUSH DWORD PTR SS:[EBP-8]
00401351 |. E8 D5200000 CALL 123.0040342B
00401356 |. 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
00401359 |. 59 POP ECX
0040135A |. 03C6 ADD EAX,ESI
0040135C |. 8975 F8 MOV DWORD PTR SS:[EBP-8],ESI
0040135F |. 3BF0 CMP ESI,EAX
00401361 |. 8945 F4 MOV DWORD PTR SS:[EBP-C],EAX
00401364 |. 885D A4 MOV BYTE PTR SS:[EBP-5C],BL
00401367 |. 0F83 B4000000 JNB 123.00401421
0040136D |> 8BFE /MOV EDI,ESI
0040136F |. 56 |PUSH ESI
00401370 |. 897D 08 |MOV DWORD PTR SS:[EBP+8],EDI
00401373 |. E8 38200000 |CALL 123.004033B0
00401378 |. C70424 4C7140>|MOV DWORD PTR SS:[ESP],123.0040714C ; krnln.fnr
0040137F |. 57 |PUSH EDI
00401380 |. 8D7406 01 |LEA ESI,DWORD PTR DS:[ESI+EAX+1]
00401384 |. E8 47480000 |CALL 123.00405BD0
00401389 |. 59 |POP ECX
0040138A |. 85C0 |TEST EAX,EAX
0040138C |. 59 |POP ECX
0040138D |. 74 11 |JE SHORT 123.004013A0
0040138F |. 68 40714000 |PUSH 123.00407140 ; krnln.fne
00401394 |. 57 |PUSH EDI
00401395 |. E8 36480000 |CALL 123.00405BD0
0040139A |. 59 |POP ECX
0040139B |. 85C0 |TEST EAX,EAX
0040139D |. 59 |POP ECX
0040139E |. 75 0C |JNZ SHORT 123.004013AC
004013A0 |> 8D45 A4 |LEA EAX,DWORD PTR SS:[EBP-5C]
004013A3 |. 57 |PUSH EDI
004013A4 |. 50 |PUSH EAX
004013A5 |. E8 161F0000 |CALL 123.004032C0
004013AA |. 59 |POP ECX
004013AB |. 59 |POP ECX
004013AC |> 8B3E |MOV EDI,DWORD PTR DS:[ESI]
004013AE |. 8D85 6CFEFFFF |LEA EAX,DWORD PTR SS:[EBP-194]
004013B4 |. 50 |PUSH EAX
004013B5 |. 8D85 68FDFFFF |LEA EAX,DWORD PTR SS:[EBP-298]
004013BB |. 50 |PUSH EAX
004013BC |. 83C6 04 |ADD ESI,4
004013BF |. E8 FC1E0000 |CALL 123.004032C0
004013C4 |. FF75 08 |PUSH DWORD PTR SS:[EBP+8]
004013C7 |. 8D85 68FDFFFF |LEA EAX,DWORD PTR SS:[EBP-298]
004013CD |. 50 |PUSH EAX
004013CE |. E8 FD1E0000 |CALL 123.004032D0
004013D3 |. 83C4 10 |ADD ESP,10
004013D6 |. 8D85 68FDFFFF |LEA EAX,DWORD PTR SS:[EBP-298]
004013DC |. 53 |PUSH EBX ; /hTemplateFile
004013DD |. 68 80000000 |PUSH 80 ; |Attributes = NORMAL
004013E2 |. 6A 02 |PUSH 2 ; |Mode = CREATE_ALWAYS
004013E4 |. 53 |PUSH EBX ; |pSecurity
004013E5 |. 53 |PUSH EBX ; |ShareMode
004013E6 |. 68 00000040 |PUSH 40000000 ; |Access = GENERIC_WRITE
004013EB |. 50 |PUSH EAX ; |FileName
004013EC |. FF15 20604000 |CALL DWORD PTR DS:[<&kernel32.CreateFil>; \CreateFileA
004013F2 |. 83F8 FF |CMP EAX,-1
004013F5 |. 8945 08 |MOV DWORD PTR SS:[EBP+8],EAX
004013F8 |. 74 17 |JE SHORT 123.00401411
004013FA |. 8D4D D8 |LEA ECX,DWORD PTR SS:[EBP-28]
004013FD |. 53 |PUSH EBX ; /pOverlapped
004013FE |. 51 |PUSH ECX ; |pBytesWritten
004013FF |. 57 |PUSH EDI ; |nBytesToWrite
00401400 |. 56 |PUSH ESI ; |Buffer
00401401 |. 50 |PUSH EAX ; |hFile
00401402 |. FF15 0C604000 |CALL DWORD PTR DS:[<&kernel32.WriteFile>; \WriteFile
00401408 |. FF75 08 |PUSH DWORD PTR SS:[EBP+8] ; /hObject
0040140B |. FF15 08604000 |CALL DWORD PTR DS:[<&kernel32.CloseHand>; \CloseHandle
00401411 |> 03F7 |ADD ESI,EDI
00401413 |. 3B75 F4 |CMP ESI,DWORD PTR SS:[EBP-C]
00401416 |.^ 0F82 51FFFFFF \JB 123.0040136D
0040141C |. 385D A4 CMP BYTE PTR SS:[EBP-5C],BL
0040141F |. 75 0C JNZ SHORT 123.0040142D
00401421 |> C745 FC 20714>MOV DWORD PTR SS:[EBP-4],123.00407120 ; not found the kernel library!
00401428 |. E9 92000000 JMP 123.004014BF
0040142D |> 8D85 6CFEFFFF LEA EAX,DWORD PTR SS:[EBP-194]
00401433 |. 50 PUSH EAX
00401434 |. 8D85 68FDFFFF LEA EAX,DWORD PTR SS:[EBP-298]
0040143A |. 50 PUSH EAX
0040143B |. E8 801E0000 CALL 123.004032C0
00401440 |. 8D45 A4 LEA EAX,DWORD PTR SS:[EBP-5C]
00401443 |. 50 PUSH EAX
00401444 |. 8D85 68FDFFFF LEA EAX,DWORD PTR SS:[EBP-298]
0040144A |. 50 PUSH EAX
0040144B |. E8 801E0000 CALL 123.004032D0
00401450 |. 83C4 10 ADD ESP,10
00401453 |. 8D85 68FDFFFF LEA EAX,DWORD PTR SS:[EBP-298]
00401459 |. 50 PUSH EAX ; /FileName
0040145A |. FF15 04604000 CALL DWORD PTR DS:[<&kernel32.LoadLibrar>; \LoadLibraryA
00401460 |. 3BC3 CMP EAX,EBX
00401462 |. 75 09 JNZ SHORT 123.0040146D
00401464 |. C745 FC 00714>MOV DWORD PTR SS:[EBP-4],123.00407100 ; failed to load kernel library!
0040146B |. EB 52 JMP SHORT 123.004014BF
0040146D |> 68 F4704000 PUSH 123.004070F4 ; /getnewsock
00401472 |. 50 PUSH EAX ; |hModule
00401473 |. FF15 00604000 CALL DWORD PTR DS:[<&kernel32.GetProcAdd>; \GetProcAddress
00401479 |. 3BC3 CMP EAX,EBX
0040147B |. 75 09 JNZ SHORT 123.00401486
0040147D |. C745 FC D4704>MOV DWORD PTR SS:[EBP-4],123.004070D4 ; the kernel library is invalid!
00401484 |. EB 39 JMP SHORT 123.004014BF
00401486 |> 68 E8030000 PUSH 3E8
0040148B |. FFD0 CALL EAX
0040148D |. 3BC3 CMP EAX,EBX
0040148F |. 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX
00401492 |. 75 2B JNZ SHORT 123.004014BF
00401494 |. C745 FC A8704>MOV DWORD PTR SS:[EBP-4],123.004070A8 ; the interface of kernel library is invalid!
0040149B |. EB 22 JMP SHORT 123.004014BF
0040149D |> C745 FC 8C704>MOV DWORD PTR SS:[EBP-4],123.0040708C ; invalid data in the file!
004014A4 |. EB 19 JMP SHORT 123.004014BF
004014A6 |> C745 FC 5C704>MOV DWORD PTR SS:[EBP-4],123.0040705C ; failed to read file or invalid data in file!
004014AD |. EB 10 JMP SHORT 123.004014BF
004014AF |> C745 FC 8C704>MOV DWORD PTR SS:[EBP-4],123.0040708C ; invalid data in the file!
004014B6 |. EB 15 JMP SHORT 123.004014CD
004014B8 |> C745 FC 38704>MOV DWORD PTR SS:[EBP-4],123.00407038 ; failed to read data from the file!
004014BF |> 395D F8 CMP DWORD PTR SS:[EBP-8],EBX
004014C2 |. 74 09 JE SHORT 123.004014CD
004014C4 |. FF75 F8 PUSH DWORD PTR SS:[EBP-8]
004014C7 |. E8 5F1F0000 CALL 123.0040342B
004014CC |. 59 POP ECX
004014CD |> 395D FC CMP DWORD PTR SS:[EBP-4],EBX ; |
004014D0 |. 75 13 JNZ SHORT 123.004014E5 ; |
004014D2 |. 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10] ; |
004014D5 |. E8 00000000 CALL 123.004014DA ; \123.004014DA
004014DA |$ 810424 267B00>ADD DWORD PTR SS:[ESP],7B26
004014E1 |. FFD0 CALL EAX
004014E3 |. EB 11 JMP SHORT 123.004014F6
004014E5 |> 6A 10 PUSH 10 ; /Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
004014E7 |. 68 30704000 PUSH 123.00407030 ; |error
004014EC |. FF75 FC PUSH DWORD PTR SS:[EBP-4] ; |Text
004014EF |. 53 PUSH EBX ; |hOwner
004014F0 |. FF15 AC604000 CALL DWORD PTR DS:[<&USER32.MessageBoxA>>; \MessageBoxA
004014F6 |> 5F POP EDI
004014F7 |. 5E POP ESI
004014F8 |. 33C0 XOR EAX,EAX
004014FA |. 5B POP EBX
004014FB |. C9 LEAVE
004014FC \. C2 1000 RETN 10
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)