Unpacking a program. PEiD identifies it as ASPack 2.12 -> Alexey Solodovnikov. After unpacking and running it, I can see the process, but no window appears. Where did my unpacking go wrong? Is the IAT wrong?
Is the 0040114C I dumped at the entry point? With ImportREC I get RVA 00067104, size 000000E4. There is one valid msvbvm50.dll. PEiD identifies the unpacked file as Microsoft Visual Basic 5.0 / 6.0.
What is wrong? Is my entry point right? Why does it not display? Please advise, thanks!!!
On entering OllyDbg it stops here.
0046F001 > 60 pushad
0046F002 E8 03000000 call freepp.0046F00A
0046F007 - E9 EB045D45 jmp 45A3F4F7
0046F00C 55 push ebp
0046F00D C3 retn
0046F00E E8 01000000 call freepp.0046F014
0046F013 EB 5D jmp short freepp.0046F072
0046F015 BB EDFFFFFF mov ebx,-13
0046F01A 03DD add ebx,ebp
0046F01C 81EB 00F00600 sub ebx,6F000
0046F022 83BD 22040000 00 cmp dword ptr ss:[ebp+422],0
0046F029 899D 22040000 mov dword ptr ss:[ebp+422],ebx
0046F02F 0F85 65030000 jnz freepp.0046F39A
...........................................
0046F323 /E9 98000000 jmp freepp.0046F3C0
0046F328 |81E3 FFFFFF7F and ebx,7FFFFFFF
0046F32E |8B85 26040000 mov eax,dword ptr ss:[ebp+426]
0046F334 3985 45050000 cmp dword ptr ss:[ebp+545],eax
0046F33A 75 24 jnz short freepp.0046F360
0046F33C 57 push edi
0046F33D 8BD3 mov edx,ebx
0046F33F 4A dec edx
0046F340 C1E2 02 shl edx,2
0046F343 8B9D 45050000 mov ebx,dword ptr ss:[ebp+545]
0046F349 8B7B 3C mov edi,dword ptr ds:[ebx+3C]
0046F34C 8B7C3B 78 mov edi,dword ptr ds:[ebx+edi+78]
0046F350 035C3B 1C add ebx,dword ptr ds:[ebx+edi+1C]
0046F354 8B0413 mov eax,dword ptr ds:[ebx+edx]
0046F357 0385 45050000 add eax,dword ptr ss:[ebp+545]
0046F35D 5F pop edi
0046F35E EB 16 jmp short freepp.0046F376
0046F360 57 push edi
0046F361 8B46 0C mov eax,dword ptr ds:[esi+C]
0046F364 0385 22040000 add eax,dword ptr ss:[ebp+422]
0046F36A 50 push eax
0046F36B 53 push ebx
0046F36C 8D85 C6040000 lea eax,dword ptr ss:[ebp+4C6]
0046F372 50 push eax
0046F373 57 push edi
0046F374 EB 4A jmp short freepp.0046F3C0
0046F376 8907 mov dword ptr ds:[edi],eax
0046F378 8385 49050000 04 add dword ptr ss:[ebp+549],4
0046F37F ^ E9 32FFFFFF jmp freepp.0046F2B6
0046F384 8906 mov dword ptr ds:[esi],eax
0046F386 8946 0C mov dword ptr ds:[esi+C],eax
0046F389 8946 10 mov dword ptr ds:[esi+10],eax
0046F38C 83C6 14 add esi,14
0046F38F 8B95 22040000 mov edx,dword ptr ss:[ebp+422]
0046F395 ^ E9 EBFEFFFF jmp freepp.0046F285
0046F39A B8 4C110000 mov eax,114C
0046F39F 50 push eax
0046F3A0 0385 22040000 add eax,dword ptr ss:[ebp+422]
0046F3A6 59 pop ecx
0046F3A7 0BC9 or ecx,ecx
0046F3A9 8985 A8030000 mov dword ptr ss:[ebp+3A8],eax
0046F3AF 61 popad
0046F3B0 75 08 jnz short freepp.0046F3BA // it jumps from here
0046F3B2 B8 01000000 mov eax,1
0046F3B7 C2 0C00 retn 0C
0046F3BA 68 4C114000 push freepp.0040114C // is this the entry point? I dumped at 40114c
0046F3BF C3 retn
---------------------------------------------------
--------------------------------------------------
0040114C 68 30DA4000 push freepp.0040DA30
00401151 E8 EEFFFFFF call freepp.00401144 ; jmp to msvbvm50.ThunRTMain
00401156 0000 add byte ptr ds:[eax],al
00401158 40 inc eax
00401159 0000 add byte ptr ds:[eax],al
0040115B 0030 add byte ptr ds:[eax],dh
0040115D 0000 add byte ptr ds:[eax],al
0040115F 0038 add byte ptr ds:[eax],bh
00401161 0000 add byte ptr ds:[eax],al
00401163 0000 add byte ptr ds:[eax],al
00401165 0000 add byte ptr ds:[eax],al
00401167 00E7 add bh,ah
00401169 AA stos byte ptr es:[edi]
0040116A 95 xchg eax,ebp
0040116B CA BFDC retf 0DCBF
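The `push freepp.0040114C / retn` pair at the end of the ASPack stub is its jump to the original entry point, and `push 0040DA30 / call ThunRTMain` at that address is the standard OEP shape of a VB5/6 executable, where the pushed address is the VB header structure that begins with the signature "VB5!". The script below is an added example, not something posted in the thread: it parses a dumped PE32 file, checks that its AddressOfEntryPoint is 0x40114C, reads the VB header address out of the `push` at the OEP and verifies the "VB5!" signature there, and reports the import data directory so it can be compared with the ImportREC RVA/size. The file name `freepp_dumped.exe` is an assumption; without an argument it runs against a constructed in-memory PE that mirrors the values in the post.

```python
import struct
import sys

IMAGE_DIRECTORY_ENTRY_IMPORT = 1  # index of the import directory in the data directory array


def parse_pe(data):
    """Extract the PE32 fields a dump check needs: entry RVA, ImageBase,
    the import data directory and the section table."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("PE32 only (VB5/6 binaries are 32-bit)")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    dirs = opt + 96  # start of the data directory array
    imp_rva, imp_size = struct.unpack_from("<II", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vaddr, vsize, rawptr, rawsize))
    return {"entry_rva": entry_rva, "image_base": image_base,
            "import_rva": imp_rva, "import_size": imp_size, "sections": sections}


def rva_to_offset(pe, rva):
    """Map an RVA to a file offset through the section table."""
    for _name, vaddr, vsize, rawptr, rawsize in pe["sections"]:
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            return rawptr + (rva - vaddr)
    raise ValueError("RVA %#x is not inside any section" % rva)


def check_dump(data, expected_oep_va):
    """Report whether the dump's entry point and VB header look right."""
    pe = parse_pe(data)
    entry_va = pe["image_base"] + pe["entry_rva"]
    off = rva_to_offset(pe, pe["entry_rva"])
    report = {"entry_va": entry_va, "entry_ok": entry_va == expected_oep_va,
              "entry_bytes": data[off:off + 10].hex(),
              "import_dir": (pe["import_rva"], pe["import_size"]),
              "vb_header_va": None, "vb_signature": None}
    # VB5/6 OEP shape: 68 <VBHeader> (push imm32) followed by E8 <rel32> (call ThunRTMain stub)
    if data[off] == 0x68 and data[off + 5] == 0xE8:
        vb_va = struct.unpack_from("<I", data, off + 1)[0]
        hoff = rva_to_offset(pe, vb_va - pe["image_base"])
        report["vb_header_va"] = vb_va
        report["vb_signature"] = bytes(data[hoff:hoff + 4])
    report["vb_ok"] = report["vb_signature"] == b"VB5!"
    return report


def build_sample_dump():
    """Constructed stand-in for the dump: ImageBase 0x400000, EP 0x114C with the
    push/call from the post, 'VB5!' at 0x40DA30, import directory 0x67104/0xE4."""
    image_base, hdr_size = 0x400000, 0x200
    text = bytearray(0xE000)                         # .text, RVA 0x1000..0xF000
    text[0x14C:0x156] = bytes.fromhex("6830DA4000E8EEFFFFFF")  # push 0040DA30 / call 00401144
    text[0xCA30:0xCA34] = b"VB5!"                    # VB header signature at RVA 0xDA30
    idata = bytearray(0x1000)                        # section holding the import directory
    secs = [(b".text", 0x1000, text), (b".rdata", 0x67000, idata)]
    sec_hdrs, body, raw = b"", b"", hdr_size
    for name, rva, sdata in secs:
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name, len(sdata), rva, len(sdata), raw, 0, 0, 0, 0, 0x60000020)
        body += bytes(sdata)
        raw += len(sdata)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", opt, 16, 0x114C)          # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)      # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)  # section / file alignment
    struct.pack_into("<II", opt, 56, 0x68000, hdr_size)  # SizeOfImage / SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)              # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT, 0x67104, 0xE4)
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, len(opt), 0x102)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)            # e_lfanew
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec_hdrs).ljust(hdr_size, b"\0")
    return headers + body


if __name__ == "__main__":
    # Hypothetical file name; falls back to the constructed sample when no path is given.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_dump()
    for key, value in check_dump(blob, 0x40114C).items():
        print("%-14s %s" % (key, hex(value) if isinstance(value, int) and not isinstance(value, bool) else value))
```

Compare the `import_dir` line against the RVA and size ImportREC wrote; if the dump's entry bytes are the `push`/`call` pair but `vb_ok` is false, the VB header was not dumped correctly and msvbvm50 will exit before creating a form.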