Has anyone seen a packer like this?
007511D3 > 68 80A0FE58 push 58FEA080 ; OD stops here on load
007511D8 E8 B97B2300 call 00988D96 ; must step into
00988D96 E8 9C040000 call 00989237 ; arrives here, must step into
00989237 891424 mov dword ptr ss:[esp], edx ; ntdll.KiFastSystemCallRet
0098923A 60 pushad
0098923B 9C pushfd
0098923C 68 027C26A1 push A1267C02
00989241 55 push ebp
00989242 895C24 28 mov dword ptr ss:[esp+28], ebx
00989246 50 push eax
00989247 9C pushfd
00989248 FF3424 push dword ptr ss:[esp]
0098924B 68 B186EFEE push EEEF86B1
00989250 897C24 34 mov dword ptr ss:[esp+34], edi
00989254 FF7424 04 push dword ptr ss:[esp+4]
00989258 9C pushfd
00989259 897424 38 mov dword ptr ss:[esp+38], esi
0098925D 66:0FBEF3 movsx si, bl
00989261 E9 DE0E0000 jmp 0098A144
00989266 FD std
00989267 8D7C08 C0 lea edi, dword ptr ds:[eax+ecx-40]
0098926B 9C pushfd
0098926C 68 55EC5DD1 push D15DEC55
00989271 877C24 0C xchg dword ptr ss:[esp+C], edi
00989275 8DBC24 63B07D3B lea edi, dword ptr ss:[esp+3B7DB063]
0098927C FC cld
0098927D 8D3CDD 379209F2 lea edi, dword ptr ds:[ebx*8+F209923>
00989284 89C7 mov edi, eax
00989286 896C24 04 mov dword ptr ss:[esp+4], ebp
0098928A FD std
0098928B 68 9FD8D3F1 push F1D3D89F
00989290 FD std
00989291 FC cld
00989292 ^ E9 00FFFFFF jmp 00989197
00989297 9C pushfd
00989298 8DB2 CF903BAB lea esi, dword ptr ds:[edx+AB3B90CF]
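After that I have no clue; it just jumps back and forth.
PEiD can't identify it.
If any expert has seen this packer, please give me some pointers, thanks!
The original program is too large to upload.
I can only paste some of the entry-point code to look at.
And the section information: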
00470000 00001000 g PE 文件头 Imag R RWE
00471000 000E1000 g CODE 代码 Imag R RWE
00552000 00004000 g DATA 数据 Imag R RWE
00556000 00002000 g BSS Imag R RWE
00558000 00003000 g .idata Imag R RWE
0055B000 00001000 g .tls Imag R RWE
0055C000 00001000 g .rdata Imag R RWE
0055D000 0000F000 g .asp0 Imag R RWE
0056C000 00021000 g .rsrc 资源 Imag R RWE
0058D000 0019F000 g .asp1 Imag R RWE
0072C000 0025F000 g .asp2 SFX Imag R RWE
0098B000 00001000 g .reloc 重定位 Imag R RWE
0098C000 00001000 g .idata2 输入表 Imag R RWE