A 写字本 (notepad) program packed with PESpin V1.0. While repairing it I found that some code had been moved into the PE header. What should I do now? Obviously nothing can be patched back into the PE header itself; is there a way to restore it dynamically, or must I patch the bytes back into the original program one by one? I read LOVEBOOM's article, but it does not cover how to handle this part. Please advise. Thanks.
00400178 -E9 511F0000 JMP YUAN.004020CE /here: the jump still goes into the PE header/
0040017D 5E POP ESI
0040017E 833D B8574000 00 CMP DWORD PTR DS:[4057B8],0
00400185 -E9 E50F0000 JMP YUAN.0040116F
0040018A 833D BC574000 00 CMP DWORD PTR DS:[4057BC],0
00400191 -E9 EE0F0000 JMP YUAN.00401184
00400196 68 00040000 PUSH 400
0040019B -E9 18100000 JMP YUAN.004011B8
004001A0 54 PUSH ESP
004001A1 -E9 26170000 JMP YUAN.004018CC
004001A6 5C POP ESP
004001A7 833D 10504000 00 CMP DWORD PTR DS:[405010],0
004001AE -E9 23110000 JMP YUAN.004012D6
004001B3 68 A0564000 PUSH YUAN.004056A0
004001B8 -E9 27110000 JMP YUAN.004012E4
004001BD C6 ??? ; Unknown command
004001BE -E9 1A300000 JMP YUAN.004031DD
004001C3 A8 83 TEST AL,83
004001C5 3D 10504000 CMP EAX,YUAN.00405010
004001CA 00E9 ADD CL,CH
004001CC 5A POP EDX
004001CD 1100 ADC DWORD PTR DS:[EAX],EAX
004001CF 0068 A0 ADD BYTE PTR DS:[EAX-60],CH
004001D2 56 PUSH ESI
004001D3 40 INC EAX
004001D4 00E9 ADD CL,CH
004001D6 60 PUSHAD
004001D7 1100 ADC DWORD PTR DS:[EAX],EAX
004001D9 0064E9 68 ADD BYTE PTR DS:[ECX+EBP*8+68],AH
004001DD 16 PUSH SS
004001DE 0000 ADD BYTE PTR DS:[EAX],AL
004001E0 60 PUSHAD
004001E1 -E9 27220000 JMP YUAN.0040240D
004001E6 CD E9 INT 0E9
004001E8 DB16 FIST DWORD PTR DS:[ESI]
004001EA 0000 ADD BYTE PTR DS:[EAX],AL
004001EC 0C 68 OR AL,68
004001EE B1 00 MOV CL,0
004001F0 0000 ADD BYTE PTR DS:[EAX],AL
004001F2 -E9 A6110000 JMP YUAN.0040139D
004001F7 CF IRETD
004001F8 68 B7000000 PUSH 0B7
004001FD -E9 AE110000 JMP YUAN.004013B0
00400202 3E:E9 BF160000 JMP YUAN.004018C7 ; Superfluous prefix
00400208 CD 68 INT 68
0040020A 90 NOP
0040020B 55 PUSH EBP
0040020C 40 INC EAX
0040020D 00E9 ADD CL,CH
0040020F C011 00 RCL BYTE PTR DS:[ECX],0 ; Shift constant out of range 1..31
00400212 004CE9 07 ADD BYTE PTR DS:[ECX+EBP*8+7],CL
00400216 36:0000 ADD BYTE PTR SS:[EAX],AL
00400219 05 E9A81600 ADD EAX,16A8E9
0040021E 00AF E9253500 ADD BYTE PTR DS:[EDI+3525E9],CH
00400224 002A ADD BYTE PTR DS:[EDX],CH
00400226 -E9 9C160000 JMP YUAN.004018C7
0040022B 99 CDQ
0040022C -E9 2F180000 JMP YUAN.00401A60
00400231 B9 68015640 MOV ECX,40560168
00400236 00E9 ADD CL,CH
00400238 C8 110000 ENTER 11,0
0040023C 3A68 50 CMP CH,BYTE PTR DS:[EAX+50]
0040023F 56 PUSH ESI
00400240 40 INC EAX
00400241 00E9 ADD CL,CH
00400243 D311 RCL DWORD PTR DS:[ECX],CL
00400245 0000 ADD BYTE PTR DS:[EAX],AL
00400247 D9E9 FLDL2T
00400249 7B 4D JPO SHORT YUAN.00400298
0040024B 0000 ADD BYTE PTR DS:[EAX],AL
0040024D EB 68 JMP SHORT YUAN.004002B7
0040024F 8000 00 ADD BYTE PTR DS:[EAX],0
00400252 00E9 ADD CL,CH
00400254 0112 ADD DWORD PTR DS:[EDX],EDX
00400256 0000 ADD BYTE PTR DS:[EAX],AL
00400258 8368 00 00 SUB DWORD PTR DS:[EAX],0
0040025C 0080 E9001200 ADD BYTE PTR DS:[EAX+1200E9],AL
00400262 0009 ADD BYTE PTR DS:[ECX],CL
00400264 -E9 3B320000 JMP YUAN.004034A4
00400269 AB STOS DWORD PTR ES:[EDI]
0040026A 68 80000000 PUSH 80
0040026F -E9 21120000 JMP YUAN.00401495
00400274 6B68 00 00 IMUL EBP,DWORD PTR DS:[EAX],0
00400278 0080 E9211200 ADD BYTE PTR DS:[EAX+1221E9],AL
0040027E 0019 ADD BYTE PTR DS:[ECX],BL
00400280 68 A0564000 PUSH YUAN.004056A0
00400285 -E9 1B120000 JMP YUAN.004014A5
0040028A B1 E9 MOV CL,0E9
0040028C 37 AAA
0040028D 16 PUSH SS
0040028E 0000 ADD BYTE PTR DS:[EAX],AL
00400290 61 POPAD
00400291 -E9 144D0000 JMP YUAN.00404FAA ; JMP to COMDLG32.CommDlgExtendedError
00400296 ^7F E9 JG SHORT YUAN.00400281
00400298 71 21 JNO SHORT YUAN.004002BB
0040029A 0000 ADD BYTE PTR DS:[EAX],AL
0040029C 5C POP ESP
0040029D -E9 25160000 JMP YUAN.004018C7
004002A2 0068 00 ADD BYTE PTR DS:[EAX],CH
004002A5 1040 00 ADC BYTE PTR DS:[EAX],AL
004002A8 -E9 64120000 JMP YUAN.00401511
004002AD 0AE9 OR CH,CL
004002AF 14 16 ADC AL,16
004002B1 0000 ADD BYTE PTR DS:[EAX],AL
004002B3 5D POP EBP
004002B4 -E9 B1480000 JMP YUAN.00404B6A
004002B9 43 INC EBX
004002BA -E9 08160000 JMP YUAN.004018C7
004002BF A3 E9D53A00 MOV DWORD PTR DS:[3AD5E9],EAX
004002C4 00E0 ADD AL,AH
004002C6 833D 5C534000 00 CMP DWORD PTR DS:[40535C],0
004002CD -E9 7F120000 JMP YUAN.00401551
004002D2 833D 10504000 00 CMP DWORD PTR DS:[405010],0
004002D9 -E9 A0120000 JMP YUAN.0040157E
004002DE -E9 2A210000 JMP YUAN.0040240D
004002E3 C5E9 LDS EBP,ECX ; Illegal use of register
004002E5 DE15 0000D568 FICOM WORD PTR DS:[68D50000]
004002EB C700 0000E9BE MOV DWORD PTR DS:[EAX],BEE90000
004002F1 1200 ADC AL,BYTE PTR DS:[EAX]
004002F3 0048 E9 ADD BYTE PTR DS:[EAX-17],CL
004002F6 CD 15 INT 15
004002F8 0000 ADD BYTE PTR DS:[EAX],AL
004002FA 8283 3D1C5040 00 ADD BYTE PTR DS:[EBX+40501C3D],0
00400301 01E9 ADD ECX,EBP
00400303 BE 120000E9 MOV ESI,E9000012
00400308 F5 CMC
00400309 36:0000 ADD BYTE PTR SS:[EAX],AL
0040030C 3883 3D1C5040 CMP BYTE PTR DS:[EBX+40501C3D],AL
00400312 0001 ADD BYTE PTR DS:[ECX],AL
00400314 -E9 C1120000 JMP YUAN.004015DA
00400319 -E9 0A220000 JMP YUAN.00402528
0040031E 97 XCHG EAX,EDI
0040031F -E9 A3150000 JMP YUAN.004018C7
00400324 7B E9 JPO SHORT YUAN.0040030F
00400326 E3 20 JECXZ SHORT YUAN.00400348
00400328 0000 ADD BYTE PTR DS:[EAX],AL
0040032A 46 INC ESI
0040032B -E9 97150000 JMP YUAN.004018C7
00400330 2C 68 SUB AL,68
00400332 D002 ROL BYTE PTR DS:[EDX],1
00400334 0000 ADD BYTE PTR DS:[EAX],AL
00400336 -E9 F2120000 JMP YUAN.0040162D
0040033B 50 PUSH EAX
0040033C -E9 814C0000 JMP YUAN.00404FC2 ; JMP to COMDLG32.ChooseFontA
00400341 F5 CMC
00400342 -E9 E1210000 JMP YUAN.00402528
00400347 97 XCHG EAX,EDI
00400348 -E9 7A150000 JMP YUAN.004018C7
0040034D A6 CMPS BYTE PTR DS:[ESI],BYTE PTR ES:[EDI]
0040034E 68 B0000000 PUSH 0B0
00400353 -E9 A8130000 JMP YUAN.00401700
00400358 63E9 ARPL CX,BP
0040035A 6915 0000E3E9 63150>IMUL EDX,DWORD PTR DS:[E9E30000],1563
00400364 43 INC EBX
00400365 68 C0554000 PUSH YUAN.004055C0
0040036A -E9 00140000 JMP YUAN.0040176F
0040036F 5E POP ESI
00400370 -E9 474C0000 JMP YUAN.00404FBC ; JMP to COMDLG32.FindTextA
00400375 31E9 XOR ECX,EBP
00400377 4C DEC ESP
00400378 15 00008968 ADC EAX,68890000
0040037D B0 57 MOV AL,57
0040037F 40 INC EAX
00400380 00E9 ADD CL,CH
00400382 FF13 CALL DWORD PTR DS:[EBX]
00400384 0000 ADD BYTE PTR DS:[EAX],AL
00400386 FB STI
00400387 -E9 2A4C0000 JMP YUAN.00404FB6 ; JMP to COMDLG32.PageSetupDlgA
0040038C 18E9 SBB CL,CH
0040038E 184C00 00 SBB BYTE PTR DS:[EAX+EAX],CL
00400392 1F POP DS ; Modification of segment register
00400393 -E9 D00D0000 JMP YUAN.00401168
00400398 15 68A05440 ADC EAX,4054A068
0040039D 00E9 ADD CL,CH
0040039F 1D 140000F0 SBB EAX,F0000014
004003A4 68 F0544000 PUSH YUAN.004054F0
004003A9 -E9 17140000 JMP YUAN.004017C5
004003AE 1E PUSH DS
004003AF 68 C8544000 PUSH YUAN.004054C8
004003B4 -E9 17140000 JMP YUAN.004017D0
004003B9 0368 18 ADD EBP,DWORD PTR DS:[EAX+18]
004003BC 55 PUSH EBP
004003BD 40 INC EAX
004003BE 00E9 ADD CL,CH
004003C0 111400 ADC DWORD PTR DS:[EAX+EAX],EDX
004003C3 00FD ADD CH,BH
004003C5 -E9 5E210000 JMP YUAN.00402528
004003CA ^7E E9 JLE SHORT YUAN.004003B5
004003CC F71400 NOT DWORD PTR DS:[EAX+EAX]
004003CF 00C8 ADD AL,CL
004003D1 -E9 37200000 JMP YUAN.0040240D
004003D6 CB RETF ; Far return
004003D7 -E9 EB140000 JMP YUAN.004018C7
004003DC 77 68 JA SHORT YUAN.00400446
004003DE 50 PUSH EAX
004003DF 56 PUSH ESI
004003E0 40 INC EAX
004003E1 00E9 ADD CL,CH
004003E3 76 14 JBE SHORT YUAN.004003F9
004003E5 0000 ADD BYTE PTR DS:[EAX],AL
004003E7 90 NOP
004003E8 -E9 C34B0000 JMP YUAN.00404FB0 ; JMP to COMDLG32.GetSaveFileNameA
004003ED 14 E9 ADC AL,0E9
004003EF EA 2D0000B6 68A0 JMP FAR A068:B600002D ; Far jump
004003F6 56 PUSH ESI
004003F7 40 INC EAX
004003F8 00E9 ADD CL,CH
004003FA 891400 MOV DWORD PTR DS:[EAX+EAX],EDX
004003FD 00B6 E9A64B00 ADD BYTE PTR DS:[ESI+4BA6E9],DH
00400403 0094E9 03200000 ADD BYTE PTR DS:[ECX+EBP*8+2003],DL
0040040A D4 E9 AAM 0E9
0040040C F9 STC
0040040D 54 PUSH ESP
0040040E 00FD ADD CH,BH
00400410 3E:0000 ADD BYTE PTR DS:[EAX],AL
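An added example, not part of the post and not PESpin's own code: a small Python script that reads an OllyDbg listing in the format above and works out where each header stub came from. It assumes (my assumption, not a documented PESpin layout) that a stub is a run of stolen instructions followed by an E9 JMP back to the byte right after them, so the original site is the JMP target minus the stolen length, and that the packer left a 5-byte JMP to the stub at that site. The function names, the sample listing excerpt (copied from the first four stubs above) and the NOP-filled stand-in for a dumped code section are mine. It patches a dump rather than live memory, which addresses the "one by one" part of the question: the patching can be scripted, and each patch is checked against the JMP the packer left behind before anything is written.

```python
# Turn an OllyDbg-style listing of PE-header stubs into restore patches.
# Assumed stub layout (an assumption, not a documented PESpin format): the
# packer copies a few instructions into the header, overwrites their original
# site with a 5-byte JMP to the stub, and ends the stub with a JMP back to the
# first byte after the stolen bytes, so  site = jmp_target - len(stolen).
import re
from dataclasses import dataclass

# Constructed sample in the listing format of the post (its first four stubs).
SAMPLE_LISTING = """\
0040017D 5E POP ESI
0040017E 833D B8574000 00 CMP DWORD PTR DS:[4057B8],0
00400185 -E9 E50F0000 JMP YUAN.0040116F
0040018A 833D BC574000 00 CMP DWORD PTR DS:[4057BC],0
00400191 -E9 EE0F0000 JMP YUAN.00401184
00400196 68 00040000 PUSH 400
0040019B -E9 18100000 JMP YUAN.004011B8
004001A0 54 PUSH ESP
004001A1 -E9 26170000 JMP YUAN.004018CC
"""
IMAGE_BASE = 0x401000  # constructed: first address of the sample code image

LINE_RE = re.compile(r"^([0-9A-F]{8})\s+(.*)$")
# OllyDbg byte groups: "5E", "833D", "-E9" (jump marker), "^7F", "3E:E9" (prefix).
# Even-length hex only, so 3-letter mnemonics spelled with hex letters
# (ADD, ADC, DEC, AAA) are not mistaken for bytes.
BYTE_TOKEN_RE = re.compile(r"^[-^]?(?:[0-9A-F]{2}:)?(?:[0-9A-F]{2})+$")
JMP_RE = re.compile(r"^JMP\s+\w+\.([0-9A-F]{8})")


@dataclass
class Insn:
    addr: int
    raw: bytes
    text: str


@dataclass
class Patch:
    dest: int    # original site in the code section
    stub: int    # first byte of the stub in the PE header
    data: bytes  # stolen instruction bytes to write back


def parse_listing(listing: str) -> list[Insn]:
    insns = []
    for line in listing.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        tokens = m.group(2).split()
        raw, i = bytearray(), 0
        while i < len(tokens) and BYTE_TOKEN_RE.match(tokens[i]):
            raw += bytes.fromhex(tokens[i].lstrip("-^").replace(":", ""))
            i += 1
        insns.append(Insn(int(m.group(1), 16), bytes(raw), " ".join(tokens[i:])))
    return insns


def find_stub_patches(insns: list[Insn], code_lo: int, code_hi: int) -> list[Patch]:
    """Each run of contiguous instructions ending in an E9 JMP into the code
    section is taken as one stub and yields one patch."""
    patches, pending = [], []
    for insn in insns:
        if pending and insn.addr != pending[-1].addr + len(pending[-1].raw):
            pending = []  # decoding lost sync; start a new run
        m = JMP_RE.match(insn.text)
        if m and insn.raw[:1] == b"\xe9":
            target = int(m.group(1), 16)
            if pending and code_lo <= target < code_hi:
                data = b"".join(p.raw for p in pending)
                patches.append(Patch(target - len(data), pending[0].addr, data))
            pending = []
        else:
            pending.append(insn)
    return patches


def jmp_rel32(src: int, dst: int) -> bytes:
    return b"\xe9" + (dst - (src + 5)).to_bytes(4, "little", signed=True)


def apply_patches(image: bytearray, base: int, patches: list[Patch]) -> list[Patch]:
    """Write a patch only where the image really holds the packer's JMP to that
    stub; anything else (mis-decoded junk, a stolen run too short to have been
    replaced by a 5-byte JMP) is skipped rather than guessed at."""
    applied = []
    for p in patches:
        off = p.dest - base
        if off < 0 or off + max(len(p.data), 5) > len(image):
            continue
        if bytes(image[off:off + 5]) != jmp_rel32(p.dest, p.stub):
            continue
        image[off:off + len(p.data)] = p.data
        applied.append(p)
    return applied


def build_sample_image() -> bytearray:
    """Constructed stand-in for a dumped code section: NOPs plus the packer's
    redirect JMPs at the three sites the sample stubs came from. The PUSH ESP
    site (0x4018CB) is left untouched, so its 1-byte patch must be rejected."""
    img = bytearray(b"\x90" * 0x1000)
    for site, stub in ((0x401167, 0x40017D), (0x40117D, 0x40018A), (0x4011B3, 0x400196)):
        off = site - IMAGE_BASE
        img[off:off + 5] = jmp_rel32(site, stub)
    return img


if __name__ == "__main__":
    patches = find_stub_patches(parse_listing(SAMPLE_LISTING), 0x401000, 0x405000)
    img = build_sample_image()
    done = {p.dest for p in apply_patches(img, IMAGE_BASE, patches)}
    for p in patches:
        state = "restored" if p.dest in done else "REJECTED (no matching JMP at site)"
        print(f"stub {p.stub:08X} -> site {p.dest:08X} {p.data.hex()} {state}")
```

Run as-is, the three stubs of five bytes or more are written back and the one-byte PUSH ESP stub is reported as rejected: a 5-byte JMP cannot have replaced a single byte, so the assumed layout does not hold there and the script refuses to guess. Lines that OllyDbg decoded out of sync (the ADD CL,CH runs further down the listing) fail the same check and are skipped instead of corrupting the dump.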