PEiD查壳结果是：Themida/WinLicense V1.8.2.0 + -> Oreans Technologies * Sign.By.fly [Overlay] *
OD载入后停在这里：
; Themida entry stub as shown by OllyDbg. From 0055E031 on the linear decode is not meaningful code (see notes).
0055E014 > B8 00000000 mov eax, 0 ; eax = 0, so the je below is always taken as shown (pushad does not alter flags) — NOTE(review): this immediate may be patched at run time, confirm
0055E019 60 pushad
0055E01A 0BC0 or eax, eax ; ZF set from eax
0055E01C 74 68 je short 0055E086
0055E01E E8 00000000 call 0055E023 ; call to the next instruction: pushes its own return address 0055E023
0055E023 58 pop eax ; eax = 0055E023 (get-EIP idiom)
0055E024 05 53000000 add eax, 53 ; eax = 0055E076, the same address the jmp below targets
0055E029 8038 E9 cmp byte ptr [eax], 0E9 ; is the byte at 0055E076 the opcode of a near jmp (E9)?
0055E02C 75 13 jnz short 0055E041 ; 0055E041 lies inside the cmp shown at 0055E03F, so the listing is desynchronised there; the bytes at 0055E041 read E8 00 00 00 00 = call 0055E046, another call/pop pair — verify
0055E02E 61 popad
0055E02F EB 45 jmp short 0055E076
0055E031 DB2D 37E05500 fld tbyte ptr [55E037] ; from here on: data or junk mis-decoded as instructions
0055E037 FFFF ??? ; unknown instruction
0055E039 FFFF ??? ; unknown instruction
0055E03B FFFF ??? ; unknown instruction
0055E03D FFFF ??? ; unknown instruction
0055E03F 3D 40E80000 cmp eax, 0E840
0055E044 0000 add byte ptr [eax], al
0055E046 58 pop eax ; target of the call hidden at 0055E041 (see note above)
用okdodo兄的脱壳脚本，程序运行到这里就没有任何反应了：
; Obfuscated Themida code as shown by OllyDbg; 00653228-00653232 is junk / desynchronised decode.
00653228 0F3F ??? ; unknown instruction
0065322A 07 pop es
0065322B 0B648F 05 or esp, dword ptr [edi+ecx*4+5]
0065322F 0000 add byte ptr [eax], al
00653231 0000 add byte ptr [eax], al
00653233 83C4 04 add esp, 4 ; drop one dword from the stack
00653236 31B5 251CE905 xor dword ptr [ebp+5E91C25], esi ; (initial cpu selection) ; ebp serves as a data base with large displacements here, not as a frame pointer
0065323C 56 push esi
0065323D 31B5 C105E905 xor dword ptr [ebp+5E905C1], esi
00653243 59 pop ecx ; ecx = esi
00653244 83FB FF cmp ebx, -1 ; NOTE(review): -1 is the value the handler-like code at 00653279 stores into CONTEXT offset A4 (Ebx); this looks like the "did our exception handler run" check of an anti-debug probe — confirm
00653247 0F84 21000000 je 0065326E
0065324D 81C9 5876934F or ecx, 4F937658
00653253 E9 E8000000 jmp 00653340
00653258 E9 0D000000 jmp 0065326A ; not reachable by fall-through (the jmp above is unconditional); entered from elsewhere
0065325D C8 39D866 enter 0D839, 66 ; 0065325D-00653269: bytes skipped by the jmp above, decoded as junk
00653261 AB stos dword ptr es:[edi]
00653262 D6 salc
00653263 216473 DA and dword ptr [ebx+esi*2-26], esp
00653267 AF scas dword ptr es:[edi]
00653268 DB3F fstp tbyte ptr [edi]
0065326A 66:B9 C1F0 mov cx, 0F0C1 ; target of the jmp at 00653258
0065326E E9 54000000 jmp 006532C7 ; target of the je at 00653247
00653273 0B8D 7908E905 or ecx, dword ptr [ebp+5E90879] ; follows an unconditional jmp: only reached from elsewhere
00653279 8B4C24 0C mov ecx, dword ptr [esp+C] ; NOTE(review): looks like an SEH handler entry: [esp+C] is the 3rd argument, the CONTEXT* — confirm
0065327D C781 A4000000 F>mov dword ptr [ecx+A4], -1 ; x86 CONTEXT offset A4 = Ebx: the resumed code sees ebx == -1 (cf. cmp ebx,-1 above)
00653287 8381 B8000000 0>add dword ptr [ecx+B8], 4 ; x86 CONTEXT offset B8 = Eip: resume 4 bytes past the faulting instruction
0065328E 33C0 xor eax, eax ; return 0 = ExceptionContinueExecution (if this is indeed the handler)
00653290 C3 retn
第2次运行脱壳脚本时停在这里：
; Exception-based control-flow obfuscation as shown by OllyDbg.
00653A09 CD 01 int 1 ; raises a trap exception; a debugger may swallow it so the program's own handler never runs — presumably the anti-debug probe, confirm against the handler
00653A0B EB 00 jmp short 00653A0D ; jmp to the next instruction (no-op that breaks linear analysis)
00653A0D 6A 00 push 0 ; placeholder slot, overwritten at 00653A19
00653A0F 57 push edi ; save edi
00653A10 E8 03000000 call 00653A18 ; pushes return address 00653A15
00653A15 205F C3 and byte ptr [edi-3D], bl ; desynchronised decode: the bytes 5F C3 at 00653A16 are pop edi / retn, reached via the retn below
00653A18 5F pop edi ; edi = 00653A15 (the return address just pushed)
00653A19 897C24 04 mov dword ptr [esp+4], edi ; overwrite the 'push 0' slot with 00653A15
00653A1D 814424 04 1B000>add dword ptr [esp+4], 1B ; slot = 00653A30, the real continuation address
00653A25 47 inc edi ; edi = 00653A16
00653A26 57 push edi
00653A27 C3 retn ; jumps to 00653A16: pop edi (restores edi), then retn -> 00653A30
第3次运行脱壳脚本时停在这里，此时脚本有提示：
; NOTE(review): the sequence below (SEH frame, __set_app_type, __p__fmode/__p__commode, _initterm, __getmainargs,
; quote/whitespace skipping over the command line, GetStartupInfoA, GetModuleHandleA, a 4-argument call, exit)
; matches the usual MSVC 6 WinMainCRTStartup shape, which supports taking 00418712 as the OEP — confirm against a known-good MSVC 6 binary.
00418712 /. 55 push ebp 这看是OEP我就在这脱壳了.. ; standard frame; [ebp-xx] below are locals of this frame
00418713 |. 8BEC mov ebp, esp
00418715 |. 6A FF push -1 ; initial trylevel of the SEH scope record
00418717 |. 68 083C4600 push 00463C08 ; scope table
0041871C |. 68 76884100 push 00418876 ; jmp to msvcrt._except_handler3; SE handler installation
00418721 |. 64:A1 0000000>mov eax, dword ptr fs:[0] ; previous SEH record
00418727 |. 50 push eax
00418728 |. 64:8925 00000>mov dword ptr fs:[0], esp ; link the new record into the SEH chain
0041872F |. 83EC 68 sub esp, 68 ; locals
00418732 |. 53 push ebx
00418733 |. 56 push esi
00418734 |. 57 push edi ; callee-saved registers
00418735 |. 8965 E8 mov dword ptr [ebp-18], esp ; saved esp for the SEH frame
00418738 |. 33DB xor ebx, ebx ; ebx = 0 for the rest of the function
0041873A |. 895D FC mov dword ptr [ebp-4], ebx ; trylevel = 0
0041873D |. 6A 02 push 2 ; 2 = _GUI_APP, presumably — confirm
0041873F |. FF15 181B4600 call dword ptr [461B18] ; msvcrt.__set_app_type
00418745 |. 59 pop ecx ; cdecl cleanup of one argument
00418746 |. 830D 0CA04700>or dword ptr [47A00C], FFFFFFFF ; two CRT globals set to -1
0041874D |. 830D 10A04700>or dword ptr [47A010], FFFFFFFF
00418754 |. FF15 141B4600 call dword ptr [461B14] ; msvcrt.__p__fmode
0041875A |. 8B0D 2C9C4700 mov ecx, dword ptr [479C2C]
00418760 |. 8908 mov dword ptr [eax], ecx ; *__p__fmode() = [479C2C]
00418762 |. FF15 101B4600 call dword ptr [461B10] ; msvcrt.__p__commode
00418768 |. 8B0D 289C4700 mov ecx, dword ptr [479C28]
0041876E |. 8908 mov dword ptr [eax], ecx ; *__p__commode() = [479C28]
00418770 |. A1 0C1B4600 mov eax, dword ptr [461B0C] ; import pointer not labelled by OllyDbg
00418775 |. 8B00 mov eax, dword ptr [eax]
00418777 |. A3 08A04700 mov dword ptr [47A008], eax ; [47A008] = **[461B0C]
0041877C |. E8 28010000 call 004188A9
00418781 |. 391D D86B4700 cmp dword ptr [476BD8], ebx ; if [476BD8] == 0 ...
00418787 |. 75 0C jnz short 00418795
00418789 |. 68 A6884100 push 004188A6
0041878E |. FF15 081B4600 call dword ptr [461B08] ; msvcrt.__setusermatherr ; ... __setusermatherr(004188A6)
00418794 |. 59 pop ecx
00418795 |> E8 FA000000 call 00418894
0041879A |. 68 9C604700 push 0047609C ; end of an initializer table
0041879F |. 68 98604700 push 00476098 ; start of that table
004187A4 |. E8 E5000000 call 0041888E ; jmp to msvcrt._initterm ; _initterm(00476098, 0047609C)
004187A9 |. A1 249C4700 mov eax, dword ptr [479C24]
004187AE |. 8945 94 mov dword ptr [ebp-6C], eax ; [ebp-6C] = [479C24] (startupinfo.newmode, presumably)
004187B1 |. 8D45 94 lea eax, dword ptr [ebp-6C]
004187B4 |. 50 push eax ; arg5: &startupinfo
004187B5 |. FF35 209C4700 push dword ptr [479C20] ; arg4: dowildcard flag
004187BB |. 8D45 9C lea eax, dword ptr [ebp-64]
004187BE |. 50 push eax ; arg3: &envp
004187BF |. 8D45 90 lea eax, dword ptr [ebp-70]
004187C2 |. 50 push eax ; arg2: &argv
004187C3 |. 8D45 A0 lea eax, dword ptr [ebp-60]
004187C6 |. 50 push eax ; arg1: &argc
004187C7 |. FF15 001B4600 call dword ptr [461B00] ; msvcrt.__getmainargs ; argument roles follow the documented __getmainargs prototype — confirm
004187CD |. 68 94604700 push 00476094
004187D2 |. 68 00604700 push 00476000
004187D7 |. E8 B2000000 call 0041888E ; jmp to msvcrt._initterm ; _initterm(00476000, 00476094)
004187DC |. 83C4 24 add esp, 24 ; pop 9 dwords: the 2 + 5 + 2 arguments of the three cdecl calls above
004187DF |. A1 FC1A4600 mov eax, dword ptr [461AFC] ; import pointer not labelled by OllyDbg; dereferenced as char** below
004187E4 |. 8B30 mov esi, dword ptr [eax] ; esi = command-line string (presumably _acmdln — confirm)
004187E6 |. 8975 8C mov dword ptr [ebp-74], esi
004187E9 |. 803E 22 cmp byte ptr [esi], 22 ; first char == '"' ?
004187EC |. 75 3A jnz short 00418828 ; no: skip an unquoted program name instead
004187EE |> 46 /inc esi ; quoted: advance until NUL or the closing quote
004187EF |. 8975 8C |mov dword ptr [ebp-74], esi
004187F2 |. 8A06 |mov al, byte ptr [esi]
004187F4 |. 3AC3 |cmp al, bl ; al == 0 ?
004187F6 |. 74 04 |je short 004187FC
004187F8 |. 3C 22 |cmp al, 22 ; al == '"' ?
004187FA |.^ 75 F2 \jnz short 004187EE
004187FC |> 803E 22 cmp byte ptr [esi], 22 ; skip the closing quote if present
004187FF |. 75 04 jnz short 00418805
00418801 |> 46 inc esi
00418802 |. 8975 8C mov dword ptr [ebp-74], esi
00418805 |> 8A06 mov al, byte ptr [esi] ; skip whitespace: chars <= 20h (unsigned compare) other than NUL
00418807 |. 3AC3 cmp al, bl
00418809 |. 74 04 je short 0041880F
0041880B |. 3C 20 cmp al, 20
0041880D |.^ 76 F2 jbe short 00418801
0041880F |> 895D D0 mov dword ptr [ebp-30], ebx ; STARTUPINFOA lives at [ebp-5C]; +2C = dwFlags -> [ebp-30] = 0
00418812 |. 8D45 A4 lea eax, dword ptr [ebp-5C]
00418815 |. 50 push eax ; /pStartupinfo
00418816 |. FF15 48124600 call dword ptr [461248] ; \GetStartupInfoA
0041881C |. F645 D0 01 test byte ptr [ebp-30], 1 ; dwFlags & STARTF_USESHOWWINDOW ?
00418820 |. 74 11 je short 00418833
00418822 |. 0FB745 D4 movzx eax, word ptr [ebp-2C] ; yes: nCmdShow = wShowWindow (+30)
00418826 |. EB 0E jmp short 00418836
00418828 |> 803E 20 /cmp byte ptr [esi], 20 ; unquoted program name: advance while char > 20h
0041882B |.^ 76 D8 |jbe short 00418805
0041882D |. 46 |inc esi
0041882E |. 8975 8C |mov dword ptr [ebp-74], esi
00418831 |.^ EB F5 \jmp short 00418828
00418833 |> 6A 0A push 0A ; no: nCmdShow = 0A (SW_SHOWDEFAULT)
00418835 |. 58 pop eax
00418836 |> 50 push eax ; arg4: nCmdShow
00418837 |. 56 push esi ; arg3: lpCmdLine (rest of the command line)
00418838 |. 53 push ebx ; arg2: hPrevInstance = 0
00418839 |. 53 push ebx ; /pModule
0041883A |. FF15 2C114600 call dword ptr [46112C] ; \GetModuleHandleA
00418840 |. 50 push eax ; arg1: hInstance
00418841 |. E8 56240400 call 0045AC9C ; four arguments in WinMain order -> presumably the program's WinMain
00418846 |. 8945 98 mov dword ptr [ebp-68], eax
00418849 |. 50 push eax ; /status
0041884A |. FF15 701A4600 call dword ptr [461A70] ; \exit ; exit(WinMain's return value); does not return
00418850 |. 8B45 EC mov eax, dword ptr [ebp-14] ; exception filter: [ebp-14] holds the EXCEPTION_POINTERS* (per the _except_handler3 frame layout, presumably)
00418853 |. 8B08 mov ecx, dword ptr [eax] ; ->ExceptionRecord
00418855 |. 8B09 mov ecx, dword ptr [ecx] ; ->ExceptionCode
00418857 |. 894D 88 mov dword ptr [ebp-78], ecx
0041885A |. 50 push eax
0041885B |. 51 push ecx
0041885C |. E8 27000000 call 00418888 ; jmp to msvcrt._XcptFilter ; _XcptFilter(code, pointers)
00418861 |. 59 pop ecx
00418862 |. 59 pop ecx
00418863 \. C3 retn
脱壳后用ImpREC修复时发现有一个无效指针：
rva:00061D90 ptr:00401080
我就直接把它剪切掉然后转存。
再用PEiD查壳显示：Microsoft Visual C++ 6.0。
然后打开运行，发现运行不了……哪位大侠帮忙看看哪里错了？谢谢！
由于权限不够就发在临时空间，请大侠帮帮忙，还请贴上脱壳过程让小弟学习学习，万分感谢！
保证无毒...有毒我死全家...........
下载地址:http://www.live-share.com/files/320001/B03_____08___.rar.html
之前不能下载的问题已经修改好了，现在可以下载了。