-
-
[旧帖] [求助]请问老大这是什么壳?怎么脱?很急!!! 0.00雪花
-
发表于: 2008-2-13 12:40
-
这个加壳软件用PEiD测“什么也没有发现”。用OD载入时就出错,隐藏了也没有用。下面是我别的方法找到的载入程序时刚开始的代码,看看大家有什么样的办法?不知这是什么壳?怎么脱?
01931014: B800000000 MOV EAX, 00000000 载入时停在这里
01931019: 60 PUSHAD
0193101A: 0BC0 OR EAX, EAX
0193101C: 7468 JZ 1931086
0193101E: E800000000 CALL 01931023
01931023: 58 POP EAX
01931024: 0553000000 ADD EAX, 00000053
01931029: 8038E9 CMP BYTE PTR [EAX], FFFFFFE9
0193102C: 7513 JNZ 1931041
0193102E: 61 POPAD
0193102F: EB45 JMP 1931076
01931031: DB2D37109301 FLD REAL10 PTR [01931037]
01931037: FFFF INVALID
01931039: FFFF INVALID
0193103B: FFFF INVALID
0193103D: FFFF INVALID
0193103F: 3D40E80000 CMP EAX, 0000E840
01931044: 0000 ADD [EAX], AL
01931046: 58 POP EAX
01931047: 2500F0FFFF AND EAX, FFFFF000
0193104C: 33FF XOR EDI, EDI
0193104E: 66BB195A MOV BX, 5A19
01931052: 6683C334 ADD BX, 0034
01931056: 663918 CMP [EAX], BX
01931059: 7512 JNZ 193106D
0193105B: 0FB7503C MOVZX EDX, WORD PTR [EAX+3C]
0193105F: 03D0 ADD EDX, EAX
01931061: BBE9440000 MOV EBX, 000044E9
01931066: 83C367 ADD EBX, 00000067
01931069: 391A CMP [EDX], EBX
0193106B: 7407 JZ 1931074
0193106D: 2D00100000 SUB EAX, 00001000
01931072: EBDA JMP 193104E
01931074: 8BF8 MOV EDI, EAX
01931076: B8E0FE6201 MOV EAX, 0162FEE0
0193107B: 03C7 ADD EAX, EDI
0193107D: B96A125301 MOV ECX, 0153126A
01931082: 03CF ADD ECX, EDI
01931084: EB0A JMP 1931090
01931086: B8E0FEA201 MOV EAX, 01A2FEE0
0193108B: B96A129301 MOV ECX, 0193126A
01931090: 50 PUSH EAX
01931091: 51 PUSH ECX
01931092: E884000000 CALL 0193111B
01931097: E800000000 CALL 0193109C
0193109C: 58 POP EAX
0193109D: 2D26000000 SUB EAX, 00000026
019310A2: B9EF010000 MOV ECX, 000001EF
019310A7: C600E9 MOV BYTE PTR [EAX], E9
下面是用PEiD测的结果,请注意它的EP区段“se5t4”
01931014: B800000000 MOV EAX, 00000000 载入时停在这里
01931019: 60 PUSHAD
0193101A: 0BC0 OR EAX, EAX
0193101C: 7468 JZ 1931086
0193101E: E800000000 CALL 01931023
01931023: 58 POP EAX
01931024: 0553000000 ADD EAX, 00000053
01931029: 8038E9 CMP BYTE PTR [EAX], FFFFFFE9
0193102C: 7513 JNZ 1931041
0193102E: 61 POPAD
0193102F: EB45 JMP 1931076
01931031: DB2D37109301 FLD REAL10 PTR [01931037]
01931037: FFFF INVALID
01931039: FFFF INVALID
0193103B: FFFF INVALID
0193103D: FFFF INVALID
0193103F: 3D40E80000 CMP EAX, 0000E840
01931044: 0000 ADD [EAX], AL
01931046: 58 POP EAX
01931047: 2500F0FFFF AND EAX, FFFFF000
0193104C: 33FF XOR EDI, EDI
0193104E: 66BB195A MOV BX, 5A19
01931052: 6683C334 ADD BX, 0034
01931056: 663918 CMP [EAX], BX
01931059: 7512 JNZ 193106D
0193105B: 0FB7503C MOVZX EDX, WORD PTR [EAX+3C]
0193105F: 03D0 ADD EDX, EAX
01931061: BBE9440000 MOV EBX, 000044E9
01931066: 83C367 ADD EBX, 00000067
01931069: 391A CMP [EDX], EBX
0193106B: 7407 JZ 1931074
0193106D: 2D00100000 SUB EAX, 00001000
01931072: EBDA JMP 193104E
01931074: 8BF8 MOV EDI, EAX
01931076: B8E0FE6201 MOV EAX, 0162FEE0
0193107B: 03C7 ADD EAX, EDI
0193107D: B96A125301 MOV ECX, 0153126A
01931082: 03CF ADD ECX, EDI
01931084: EB0A JMP 1931090
01931086: B8E0FEA201 MOV EAX, 01A2FEE0
0193108B: B96A129301 MOV ECX, 0193126A
01931090: 50 PUSH EAX
01931091: 51 PUSH ECX
01931092: E884000000 CALL 0193111B
01931097: E800000000 CALL 0193109C
0193109C: 58 POP EAX
0193109D: 2D26000000 SUB EAX, 00000026
019310A2: B9EF010000 MOV ECX, 000001EF
019310A7: C600E9 MOV BYTE PTR [EAX], E9
下面是用PEiD测的结果,请注意它的EP区段“se5t4”
|
|
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
原来是这个壳,难啊,新手。。。
 楼主加油
|
|
|
|
|
|
|
