Unpacked it; it is identified as Microsoft Visual Basic 5.0 / 6.0, but the program won't run. From analysis it should be a self-check. I modified the key spot, but when the program runs it automatically shuts down the computer. How should this be handled? Could an expert give me some pointers?
Loaded in OD as follows:
0040B5BC > $ 68 B4BA4000 PUSH dumped_.0040BAB4 ; ASCII "VB5!6&vb6chs.dll"
0040B5C1 . E8 F0FFFFFF CALL <JMP.&msvbvm60.ThunRTMain>
0040B5C6 . 0000 ADD BYTE PTR DS:[EAX],AL
0040B5C8 . 78 00 JS SHORT dumped_.0040B5CA
0040B5CA > 0000 ADD BYTE PTR DS:[EAX],AL
0040B5CC . 3000 XOR BYTE PTR DS:[EAX],AL
0040B5CE . 0000 ADD BYTE PTR DS:[EAX],AL
0040B5D0 . 50 PUSH EAX
0040B5D1 . 0000 ADD BYTE PTR DS:[EAX],AL
0040B5D3 . 0040 00 ADD BYTE PTR DS:[EAX],AL
0040B5D6 . 0000 ADD BYTE PTR DS:[EAX],AL
0040B5D8 . 50 PUSH EAX
0040B5D9 . E0 2D LOOPDNE SHORT dumped_.0040B608
0040B5DB 8D DB 8D
0040B5DC E0 DB E0
0040B5DD 12 DB 12
0040B5DE 32 DB 32 ; CHAR '2'
0040B5DF 44 DB 44 ; CHAR 'D'
0040B5E0 A0 DB A0
0040B5E1 D1 DB D1
0040B5E2 F9 DB F9
0040B5E3 DE DB DE
0040B5E4 03 DB 03
Set a breakpoint with bp rtcFileLen, press F9 to run, and it breaks here:
7346E967 > 55 PUSH EBP //F8 step over
7346E968 8BEC MOV EBP,ESP
7346E96A 81EC 40010000 SUB ESP,140
7346E970 8D85 C0FEFFFF LEA EAX,DWORD PTR SS:[EBP-140]
7346E976 50 PUSH EAX
7346E977 FF75 08 PUSH DWORD PTR SS:[EBP+8]
7346E97A E8 E9000000 CALL msvbvm60.7346EA68
7346E97F 85C0 TEST EAX,EAX
7346E981 74 06 JE SHORT msvbvm60.7346E989
7346E983 50 PUSH EAX
7346E984 E8 0C6DF4FF CALL msvbvm60.733B5695
7346E989 8B85 E0FEFFFF MOV EAX,DWORD PTR SS:[EBP-120]
7346E98F C9 LEAVE
7346E990 C2 0400 RETN 4
7346E993 > 55 PUSH EBP
7346E994 8BEC MOV EBP,ESP
7346E996 8D45 08 LEA EAX,DWORD PTR SS:[EBP+8]
7346E999 50 PUSH EAX
7346E99A FF75 08 PUSH DWORD PTR SS:[EBP+8]
7346E99D E8 49010000 CALL msvbvm60.7346EAEB
7346E9A2 85C0 TEST EAX,EAX
7346E9A4 74 06 JE SHORT msvbvm60.7346E9AC
7346E9A6 50 PUSH EAX
7346E9A7 E8 E96CF4FF CALL msvbvm60.733B5695
------------------------------------------------------------------------------
005DF67F . 3D 14101000 CMP EAX,101014 //compare the size
005DF684 . 7E 0D JLE SHORT dumped_.005DF693 //patched: jle changed to jmp (unconditional jump)
005DF686 . C745 FC 09000>MOV DWORD PTR SS:[EBP-4],9
005DF68D . FF15 60104000 CALL DWORD PTR DS:[<&msvbvm60.__vba>; msvbvm60.__vbaEnd
005DF693 > C745 FC 0B000>MOV DWORD PTR SS:[EBP-4],0B
005DF69A . C785 68FFFFFF>MOV DWORD PTR SS:[EBP-98],0
005DF6A4 . B8 10000000 MOV EAX,10
005DF6A9 . E8 32B9E2FF CALL <JMP.&msvbvm60.__vbaChkstk>
005DF6AE . 8BD4 MOV EDX,ESP
005DF6B0 . 8B85 68FFFFFF MOV EAX,DWORD PTR SS:[EBP-98]
005DF6B6 . 8902 MOV DWORD PTR DS:[EDX],EAX
005DF6B8 . 8B8D 6CFFFFFF MOV ECX,DWORD PTR SS:[EBP-94]
005DF6BE . 894A 04 MOV DWORD PTR DS:[EDX+4],ECX
005DF6C1 . 8B85 70FFFFFF MOV EAX,DWORD PTR SS:[EBP-90]
005DF6C7 . 8942 08 MOV DWORD PTR DS:[EDX+8],EAX
005DF6CA . 8B8D 74FFFFFF MOV ECX,DWORD PTR SS:[EBP-8C]
005DF6D0 . 894A 0C MOV DWORD PTR DS:[EDX+C],ECX
005DF6D3 . 68 E0954100 PUSH dumped_.004195E0 ; UNICODE "numbers"
005DF6D8 . 68 C8954100 PUSH dumped_.004195C8 ; UNICODE "chefiles"
005DF6DD . 8B15 98017200 MOV EDX,DWORD PTR DS:[720198]
005DF6E3 . 52 PUSH EDX
005DF6E4 . FF15 24134000 CALL DWORD PTR DS:[<&msvbvm60.rtcGe>; msvbvm60.rtcGetSetting
005DF6EA . 8BD0 MOV EDX,EAX
After the patch, running the program automatically shuts down the computer. How should this be handled? Could an expert give me some pointers?
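As an added illustration (this is not code from the original post or from the program being analyzed), the following Python models the file-length self-check visible in the listing at 005DF67F (CMP EAX,101014 / JLE / CALL __vbaEnd) and decodes the 2-byte short jumps so that the targets OllyDbg prints can be recomputed from the raw bytes. The only constants used are those shown in the listing; the file sizes fed to the model are constructed.

```python
# Added example, not code from the original post: a small model of the
# file-length self-check in the listing (CMP EAX,101014 / JLE ... /
# CALL __vbaEnd) and a decoder for 2-byte rel8 jumps, so the jump
# targets OllyDbg shows can be recomputed from the raw bytes.
# All constants below come from the listing; nothing else is assumed.
import os
import struct

# Operand of CMP EAX,101014 at 005DF67F (from the listing).
LENGTH_LIMIT = 0x101014

# Opcodes of the short (rel8) jumps that appear in the listing, plus JMP short.
SHORT_JUMPS = {
    0x74: "JE",
    0x78: "JS",
    0x7E: "JLE",
    0xE0: "LOOPDNE",
    0xEB: "JMP",
}


def length_check_path(file_len: int, limit: int = LENGTH_LIMIT) -> str:
    """Model of the check at 005DF67F..005DF68D.

    CMP EAX,limit / JLE 005DF693 jumps over the __vbaEnd call only when the
    file length in EAX (what rtcFileLen returned) is <= limit.  A dumped,
    unpacked image is normally larger than the packed original, which is
    why the unpacked program exits at this point.
    """
    return "continue" if file_len <= limit else "__vbaEnd"


def file_len_on_disk(path: str) -> int:
    """The same quantity rtcFileLen reports: the size of the file on disk."""
    return os.path.getsize(path)


def decode_short_jump(addr: int, code: bytes) -> tuple:
    """Decode a 2-byte short jump at `addr` and return (mnemonic, target).

    The target of a rel8 jump is the address of the *next* instruction
    (addr + 2) plus the signed 8-bit displacement in the second byte.
    """
    if len(code) < 2:
        raise ValueError("need two bytes for a short jump")
    opcode = code[0]
    mnemonic = SHORT_JUMPS.get(opcode)
    if mnemonic is None:
        raise ValueError("not a short jump opcode: %#x" % opcode)
    (rel,) = struct.unpack("<b", code[1:2])   # signed displacement
    target = (addr + 2 + rel) & 0xFFFFFFFF
    return mnemonic, target


if __name__ == "__main__":
    # Recompute the targets OllyDbg printed for lines in the listing.
    for addr, raw in ((0x005DF684, b"\x7E\x0D"),
                      (0x7346E981, b"\x74\x06"),
                      (0x0040B5D9, b"\xE0\x2D")):
        mnem, tgt = decode_short_jump(addr, raw)
        print("%08X  %s SHORT %08X" % (addr, mnem, tgt))
    # Constructed sizes: exactly at the limit continues, one byte over
    # takes the __vbaEnd path.
    print(length_check_path(LENGTH_LIMIT), length_check_path(LENGTH_LIMIT + 1))
```

Running the block reproduces the three targets from the listing (005DF693, 7346E989, 0040B608), which is a quick way to confirm that the bytes you are looking at in a dump really are the instruction the disassembler labels.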