The latest PEiD 0.94 (database downloaded from 看雪) identifies it as VB6, core: ARJ Archive *
After loading it in OD, it stops here:
004011AC > $ 68 28134000 push 00401328 ; ASCII "VB5!6&vb6chs.dll"
004011B1 . E8 F0FFFFFF call <jmp.&MSVBVM60.#100>
004011B6 . 0000 add byte ptr [eax], al
004011B8 . 0000 add byte ptr [eax], al
004011BA . 0000 add byte ptr [eax], al
004011BC . 3000 xor byte ptr [eax], al
004011BE . 0000 add byte ptr [eax], al
004011C0 . 40 inc eax
004011C1 . 0000 add byte ptr [eax], al
004011C3 . 0000 add byte ptr [eax], al
004011C5 . 0000 add byte ptr [eax], al
004011C7 . 0073 62 add byte ptr [ebx+62], dh
004011CA . D355 85 rcl dword ptr [ebp-7B], cl
004011CD . 43 inc ebx
004011CE . DC11 fcom qword ptr [ecx]
F8 to 004011b1, then with the ESP trick F8 until here:
7339DE69 8935 DC074A73 mov dword ptr [734A07DC], esi ; 汽车修配.00401328
7339DE6F 8365 FC 00 and dword ptr [ebp-4], 0
7339DE73 8D45 A0 lea eax, dword ptr [ebp-60]
7339DE76 50 push eax
7339DE77 FF15 18113973 call dword ptr [<&KERNEL32.GetStartup>; kernel32.GetStartupInfoA
7339DE7D 0FB745 D0 movzx eax, word ptr [ebp-30]
7339DE81 A3 D8074A73 mov dword ptr [734A07D8], eax
7339DE86 FF35 D4064A73 push dword ptr [734A06D4] ; 汽车修配.00400000
7339DE8C 56 push esi
7339DE8D BE 70044A73 mov esi, 734A0470
7339DE92 8BCE mov ecx, esi
7339DE94 E8 60000000 call 7339DEF9
After this point the registers go through a flurry of calculations and then it lands here:
77FB4DB3 |. 8B1C24 mov ebx, dword ptr [esp]
77FB4DB6 |. 51 push ecx
77FB4DB7 |. 53 push ebx
77FB4DB8 |. E8 ACBDFAFF call 77F60B69
77FB4DBD |. 0AC0 or al, al
77FB4DBF |. 74 0C je short 77FB4DCD
77FB4DC1 |. 5B pop ebx
77FB4DC2 |. 59 pop ecx
77FB4DC3 |. 6A 00 push 0
77FB4DC5 |. 51 push ecx
77FB4DC6 |. E8 480BFCFF call ZwContinue
77FB4DCB |. EB 0B jmp short 77FB4DD8
77FB4DCD |> 5B pop ebx
77FB4DCE |. 59 pop ecx
77FB4DCF |. 6A 00 push 0
77FB4DD1 |. 51 push ecx
77FB4DD2 |. 53 push ebx
77FB4DD3 |. E8 F213FCFF call ZwRaiseException
77FB4DD8 |> 83C4 EC add esp, -14
I just hope some big brother can point me in the right direction, thanks. Where on earth is the program's entry point? I'm a beginner.
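An added example, not part of the post above: it decodes the two-instruction VB6 entry stub shown at 004011AC (`push VBHeader; call ThunRTMain`) using the exact bytes from the listing, and checks the `VB5!` magic that the pushed address points to. The VB header sample is constructed here, since the post only shows its ASCII string.

```python
import struct

# Entry-point stub copied from the OllyDbg listing in the post:
#   004011AC  68 28134000    push 00401328              ; VB header "VB5!6&vb6chs.dll"
#   004011B1  E8 F0FFFFFF    call <jmp.&MSVBVM60.#100>  ; ThunRTMain
ENTRY_VA = 0x004011AC
ENTRY_BYTES = bytes.fromhex("6828134000E8F0FFFFFF")

# Constructed sample of the bytes at 0x00401328: only the leading magic and
# string are reproduced; a real VB header is much larger.
VB_HEADER_SAMPLE = b"VB5!6&vb6chs.dll\x00"


def decode_vb6_entry_stub(code: bytes, va: int) -> dict:
    """Decode `push imm32; call rel32` at a VB6 entry point.

    Returns the pushed VB header address and the resolved call target
    (the jmp thunk into MSVBVM60, ordinal #100 = ThunRTMain).
    Raises ValueError if the bytes do not match the stub pattern.
    """
    if len(code) < 10 or code[0] != 0x68 or code[5] != 0xE8:
        raise ValueError("not a push imm32 / call rel32 stub")
    header_va = struct.unpack_from("<I", code, 1)[0]
    rel = struct.unpack_from("<i", code, 6)[0]        # signed rel32
    call_target = (va + 10 + rel) & 0xFFFFFFFF        # relative to next insn
    return {"header_va": header_va, "call_target": call_target}


def is_vb_header(data: bytes) -> bool:
    """The VB runtime header begins with the 'VB5!' magic."""
    return data[:4] == b"VB5!"


if __name__ == "__main__":
    info = decode_vb6_entry_stub(ENTRY_BYTES, ENTRY_VA)
    print(f"VB header at {info['header_va']:08X}, call -> {info['call_target']:08X}")
    print("header magic ok:", is_vb_header(VB_HEADER_SAMPLE))
```

The bytes following the `call` in the listing are not code: the VB runtime never returns there, which is why the disassembler shows nonsense instructions after 004011B6.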