[Old post] [Help] Newbie unpacking an aspr shell for the first time, I'm dizzy!!!
Posted: 2008-3-5 16:57
Newbie unpacking an aspr shell for the first time, I'm dizzy!!!
Failed!!!!!!!!!!!!
==== aspr shell.
==== Inside Virtual PC
==== Win2k SP4.
==== OD.
==== PEiD scan: ASProtect 1.2x - 1.3x [Registered] -> Alexey Solodovnikov [Overlay]
So I looked up the related articles and crammed at the last minute.
Newbie unpacking an aspr shell for the first time, I'm dizzy!!!
Yesterday my USB stick unfortunately got infected,
and my boss gave me a fierce scolding.
I've been reading books day and night,
and only just realised how tough aspr is.
But I'm far too green,
with no clever brain, and I don't know where to dig in.
Hoping the experts can give me a few pointers; I'd be deeply grateful!!

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ The first part is the same as what the experts describe \\\\\\\\\\\\\\\\\\\\\
0041A000 > 68 01204200 push 00422001 ; stops here
0041A005 E8 01000000 call 0041A00B
0041A00A C3 retn ; returns
0041A00B C3 retn
00422001 60 pushad ; comes back here
00422002 E8 03000000 call 0042200A ; step in
00422008 /EB 04 jmp short 0042200E;
0042200A |5D pop ebp ; call lands here ; 0042007
0042200B |45 inc ebp
0042200C |55 push ebp
0042200D |C3 retn ; retn 422008
0042200E \E8 01000000 call 00422014 ; step in
00422013 /EB 5D jmp short 00422072 ; enters here
00422015 |BB EDFFFFFF mov ebx, -13
0042201A |03DD add ebx, ebp ; 00422013+ffffffed
0042201C |81EB 00200200 sub ebx, 22000 ; MZP
00422022 |807D 4D 01 cmp byte ptr ss:[ebp+4D], 1
00422026 |75 0C jnz short 00422034 ; jumps if not 1
00422028 |8B7424 28 mov esi, dword ptr ss:[esp+28]
0042202C |83FE 01 cmp esi, 1
0042202F |895D 4E mov dword ptr ss:[ebp+4E], ebx
00422032 |75 31 jnz short 00422065
00422034 |8D45 53 lea eax, dword ptr ss:[ebp+53] ; 422066
00422037 |50 push eax
00422038 |53 push ebx
00422039 |FFB5 E50B0000 push dword ptr ss:[ebp+BE5]
0042203F |8D45 35 lea eax, dword ptr ss:[ebp+35]
00422042 |50 push eax
00422043 |E9 82000000 jmp 004220CA ; jumps away : up to this point it matches the reference.
From here on it is different: F8 over the call raises an exception, and Shift+F9 past the exception pops up a "debugger detected" message. I have no idea what is going on.
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ This part is different, and I can't follow it any more \\\\\\\\\\\\\\\\\\\\\\\\\\
004220CA E8 13000000 call 004220E2 ; jumps here
004220E2 0FB7F2 movzx esi, dx ; zero-extends dx into esi
004220E5 5F pop edi ; stack [0012FF90]=004220CF (bsxjcgk.004220CF)
004220E6 E8 09000000 call 004220F4 ; step in
004220EB 4D dec ebp
004220EC 0213 add dl, byte ptr ds:[ebx]
004220EE 50 push eax
004220EF 49 dec ecx
004220F0 4E dec esi
004220F1 6F outsd
004220F2 7C 05 jl short 004220F9
004220F4 66:81CF 67F1 or di, 0F167 ; call lands here ; di or 0f167
004220F9 58 pop eax
004220FA 0F89 05000000 jns 00422105
00422100 66:81E7 5FA6 and di, 0A65F
00422105 81C0 BF0A0000 add eax, 0ABF
0042210B B9 F1373E6A mov ecx, 6A3E37F1
00422110 81F1 7C353E6A xor ecx, 6A3E357C
00422116 BE F36CC273 mov esi, 73C26CF3
0042211B 8B10 mov edx, dword ptr ds:[eax]
0042211D BF DCE47567 mov edi, 6775E4DC
00422122 81C2 3172320A add edx, 0A327231
00422128 81F2 16BD2B79 xor edx, 792BBD16
0042212E 0F8A 05000000 jpe 00422139
00422134 BF 12B90A35 mov edi, 350AB912
00422139 81F2 97664040 xor edx, 40406697
0042213F 66:81EF 55D6 sub di, 0D655
00422144 8910 mov dword ptr ds:[eax], edx
00422146 0FBFF0 movsx esi, ax
00422149 83E8 04 sub eax, 4
0042214C 8BF8 mov edi, eax
0042214E 83E9 01 sub ecx, 1
00422151 0F85 15000000 jnz 0042216C ; jumps away
00422157 E9 1E000000 jmp 0042217A
0042215C 2841 E6 sub byte ptr ds:[ecx-1A], al
0042215F 27 daa
00422160 D4 7D aam 7D
00422162 ^ 72 C3 jb short 00422127
00422164 40 inc eax
00422165 ^ 79 BE jns short 00422125
00422167 1F pop ds
00422168 6C insb
00422169 35 CA3BE9AA xor eax, AAE93BCA
0042216E FFFF ??? ; unknown command
00422170 FFED jmp far ebp ; illegal use of register
0042216C ^\E9 AAFFFFFF jmp 0042211B ; this is what it shows when the jump lands here, but as soon as I move the window it turns back into 00422170.
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
Below is my own aimless fumbling; experts, just take it as a joke. ^_^
Here the jmp/jnz just keeps jumping round and round; trying F4 to run past it pops up the "debugger detected" message.
Tried modifying ecx,
and from 00422157 E9 1E000000 jmp 0042217A
0042217A D992 50325069 fst dword ptr ds:[edx+69503250] ; fst lands at 77f91bbc
77F91BB6 8BFF mov edi, edi
77F91BB8 > 8B4C24 04 mov ecx, dword ptr ss:[esp+4]
77F91BBC 8B1C24 mov ebx, dword ptr ss:[esp]
77F91BBF 51 push ecx
77F91BC0 53 push ebx
77F91BC1 E8 ECAF0100 call 77FACBB2
77F91BC6 0AC0 or al, al
77F91BC8 74 0C je short 77F91BD6
77F91BCA 5B pop ebx
77F91BCB 59 pop ecx
77F91BCC 6A 00 push 0
77F91BCE 51 push ecx
77F91BCF E8 6466FFFF call ZwContinue
77F91BD4 EB 0B jmp short 77F91BE1
77F91BD6 5B pop ebx
77F91BD7 59 pop ecx
77F91BD8 6A 00 push 0
77F91BDA 51 push ecx
77F91BDB 53 push ebx
77F91BDC E8 7B6EFFFF call ZwRaiseException
Terminated.
Looks like there is anti-debugging as well.
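Added example, not part of the original post and not ASProtect's own code: a Python re-implementation of the decryption loop visible in the second listing, so its constants and the range it rewrites can be checked statically instead of single-stepping it under OllyDbg. Everything in it is read off the posted lines. ecx = 6A3E37F1 xor 6A3E357C = 28D (653 dwords). The call at 004220E6 pushes 004220EB, which the pop at 004220F9 lands in eax, and add eax,0ABF gives 00422BAA as the first (highest) dword. Each dword is add 0A327231, xor 792BBD16, xor 40406697, written back at 00422144, then eax steps down by 4 and ecx by 1 until the jnz at 00422151 falls through. The mov/movsx/sub di instructions in between only touch esi and edi and never feed back into edx or eax, and the jpe at 0042212E only skips a dead mov edi. So the loop rewrites [0042217A, 00422BAE) from the top down, and the jmp 0042217A at 00422157 then lands on the first decrypted dword. The jnz target 0042216C (jmp 0042211B, the loop back-edge) sits between junk bytes, which is why a linear disassembly from 0042215C shows daa/aam and "FFFF ???" at 0042216E while the real instruction at 0042216C only appears when the jump lands on it. The section base, the section contents and the plaintext below are constructed for the demo; the function names are mine.

```python
"""Static re-implementation of the ASProtect layer-decryption loop from the
post's second listing (added example, not the packer's own code).

Constants come straight from the posted OllyDbg lines:
  0042210B mov ecx,6A3E37F1 / 00422110 xor ecx,6A3E357C  -> dword count
  004220E6 call 004220F4 pushes 004220EB; 004220F9 pop eax
  00422105 add eax,0ABF                                  -> first (highest) dword
  00422122 add edx,0A327231 / 00422128 xor edx,792BBD16
  00422139 xor edx,40406697 / 00422144 mov [eax],edx     -> per-dword transform
  00422149 sub eax,4 / 0042214E sub ecx,1 / 00422151 jnz -> walk downward
"""
import struct

MASK32 = 0xFFFFFFFF
COUNT = 0x6A3E37F1 ^ 0x6A3E357C         # 0x28D = 653 dwords
FIRST = (0x004220EB + 0x0ABF) & MASK32  # 0x00422BAA, highest VA written
ADD_K, XOR_K1, XOR_K2 = 0x0A327231, 0x792BBD16, 0x40406697


def decrypt_dword(v):
    """Exactly what the loop does to the dword held in edx."""
    return (((v + ADD_K) & MASK32) ^ XOR_K1 ^ XOR_K2) & MASK32


def encrypt_dword(v):
    """Inverse: undo the two xors, then the add (used to build test input)."""
    return ((v ^ XOR_K2 ^ XOR_K1) - ADD_K) & MASK32


def covered_range():
    """Half-open VA range [lowest, highest + 4) rewritten by the loop."""
    lowest = FIRST - 4 * (COUNT - 1)
    return lowest, FIRST + 4


def _walk(image, image_base, fn):
    """Apply fn to each dword in the same top-down order as the packer.
    image: bytes/bytearray of the section; image_base: VA of image[0]."""
    out = bytearray(image)
    va = FIRST
    for _ in range(COUNT):
        off = va - image_base
        (v,) = struct.unpack_from("<I", out, off)
        struct.pack_into("<I", out, off, fn(v))
        va -= 4
    return out


def decrypt_region(image, image_base):
    return _walk(image, image_base, decrypt_dword)


def encrypt_region(image, image_base):
    return _walk(image, image_base, encrypt_dword)


def demo():
    """Round trip on a constructed section. Returns True if decrypting the
    encrypted image restores the plaintext and nothing outside the range moved."""
    base = 0x00422000                  # assumed section VA for the demo
    lo, hi = covered_range()
    plain = bytearray(0x1000)
    # constructed plaintext: a recognisable byte ramp over the covered range
    n = hi - lo
    plain[lo - base:hi - base] = (bytes(range(256)) * (n // 256 + 1))[:n]
    packed = encrypt_region(plain, base)
    unpacked = decrypt_region(packed, base)
    untouched = (packed[:lo - base] == plain[:lo - base]
                 and packed[hi - base:] == plain[hi - base:])
    return unpacked == plain and packed != plain and untouched


if __name__ == "__main__":
    lo, hi = covered_range()
    print(f"loop rewrites {COUNT} dwords: {lo:08X}-{hi:08X}")
    print("round trip ok:", demo())
```

To use it on the real target, dump the section containing 00422000 from the process before the loop runs and call decrypt_region on it with the section's VA. One caveat when doing this live: a software breakpoint (INT3, 0xCC) placed anywhere inside [0042217A, 00422BAE) before the loop has finished is itself fed through the transform and corrupts the output, so a hardware breakpoint on the jmp at 00422157 or on 0042217A is the safer way to stop after the layer is decoded.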