-
-
[旧帖] [讨论]副加数据处理后运行异常问题 0.00雪花
-
发表于: 2008-8-9 09:31
-
UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo [Overlay]的壳,脱壳很容易,数据处理也容易,但发现处理后出现异常,查看ASC码,有如下异常:
00464A93 push 1.0040C670 ,异常代码是:
00464AD2 push 1.0040C67D 发现异常:
00464BEF mov eax,1.0040C687 非法除以0
00464C0B mov eax,1.0040C691 堆栈溢出
00464C27 mov eax,1.0040C69A 页面错误
00464C43 mov eax,1.0040C6A3 int中断
00464C5F mov eax,1.0040C6AB 非法指令
00464C7B mov eax,1.0040C6B4 读写内存冲突
00464C97 mov eax,1.0040C6C1 处于单步调试状态
00464CB3 mov eax,1.0040C6D2 硬件中断
00464CBD mov eax,1.0040C6DB 未知异常
004655C3 push 1.0040C73C \
00465DE2 mov eax,1.0040C74E
返回程序领空相应位置,修改,剩下这两个异常不知道如何改,请教高手
00464A8A 83C4 10 add esp,10
00464A8D 8945 F0 mov dword ptr ss:[ebp-10],eax
00464A90 FF75 F0 push dword ptr ss:[ebp-10]
00464A93 68 70C64000 push 1.0040C670 ; ,异常代码是:
00464A98 FF75 F8 push dword ptr ss:[ebp-8]
00464A9B B9 03000000 mov ecx,3
00464AA0 E8 CBF1FFFF call 1.00463C70
00464AA5 83C4 0C add esp,0C
00464AA8 8945 EC mov dword ptr ss:[ebp-14],eax
00464AAB 8B5D F8 mov ebx,dword ptr ss:[ebp-8]
00464AAE 85DB test ebx,ebx
00464AB0 74 09 je short 1.00464ABB
00464AB2 53 push ebx
00464AB3 E8 B1180200 call 1.00486369
00464AB8 83C4 04 add esp,4
00464ABB 8B5D F0 mov ebx,dword ptr ss:[ebp-10]
00464ABE 85DB test ebx,ebx
00464AC0 74 09 je short 1.00464ACB
00464AC2 53 push ebx
00464AC3 E8 A1180200 call 1.00486369
00464AC8 83C4 04 add esp,4
00464ACB 68 04000080 push 80000004
00464AD0 6A 00 push 0
00464AD2 68 7DC64000 push 1.0040C67D ; 发现异常:
00464AD7 68 01030080 push 80000301
00464ADC 6A 00 push 0
00464ADE 68 10000000 push 10
00464AE3 68 04000080 push 80000004
00464AE8 6A 00 push 0
00464AEA 8B45 EC mov eax,dword ptr ss:[ebp-14]
00464AED 85C0 test eax,eax
00464AEF 75 05 jnz short 1.00464AF6
00464AF1 B8 67C64000 mov eax,1.0040C667
00464AF6 50 push eax
00464AF7 68 03000000 push 3
00464AFC BB 00030000 mov ebx,300
00464B01 E8 75180200 call 1.0048637B
00464B06 83C4 28 add esp,28
00464B09 8B5D EC mov ebx,dword ptr ss:[ebp-14]
00464B0C 85DB test ebx,ebx
00464B0E 74 09 je short 1.00464B19
00464B10 53 push ebx
00464B11 E8 53180200 call 1.00486369
00464B16 83C4 04 add esp,4
00464B19 68 08000000 push 8
00464B1E E8 40180200 call 1.00486363
00464B23 83C4 04 add esp,4
00464B26 8945 FC mov dword ptr ss:[ebp-4],eax
00464B29 8BF8 mov edi,eax
00464B2B BE 44C64000 mov esi,1.0040C644
00464B30 AD lods dword ptr ds:[esi]
00464B31 AB stos dword ptr es:[edi]
00464B32 AD lods dword ptr ds:[esi]
00464B33 AB stos dword ptr es:[edi]
00464B34 6A 00 push 0
00464B36 8D45 FC lea eax,dword ptr ss:[ebp-4]
00464B39 50 push eax
00464B3A C745 F8 0000000>mov dword ptr ss:[ebp-8],0
00464B41 6A 00 push 0
00464B43 FF75 F8 push dword ptr ss:[ebp-8]
00464B46 FF35 1C22EC00 push dword ptr ds:[EC221C]
00464B4C E8 9C010000 call 1.00464CED
00464B51 8B5D FC mov ebx,dword ptr ss:[ebp-4]
00464B54 53 push ebx
00464B55 E8 0F180200 call 1.00486369
00464B5A 83C4 04 add esp,4
00464B5D 833D 2822EC00 0>cmp dword ptr ds:[EC2228],1
00464B64 0F85 0F000000 jnz 1.00464B79
00464B6A 6A 00 push 0
00464B6C E8 E0170200 call 1.00486351
00464B71 83C4 04 add esp,4
00464B74 E9 00000000 jmp 1.00464B79
00464B79 A1 2822EC00 mov eax,dword ptr ds:[EC2228]
00464B7E E9 00000000 jmp 1.00464B83
00464B83 8BE5 mov esp,ebp
00464B85 5D pop ebp
00464A93 push 1.0040C670 ,异常代码是:
00464AD2 push 1.0040C67D 发现异常:
00464BEF mov eax,1.0040C687 非法除以0
00464C0B mov eax,1.0040C691 堆栈溢出
00464C27 mov eax,1.0040C69A 页面错误
00464C43 mov eax,1.0040C6A3 int中断
00464C5F mov eax,1.0040C6AB 非法指令
00464C7B mov eax,1.0040C6B4 读写内存冲突
00464C97 mov eax,1.0040C6C1 处于单步调试状态
00464CB3 mov eax,1.0040C6D2 硬件中断
00464CBD mov eax,1.0040C6DB 未知异常
004655C3 push 1.0040C73C \
00465DE2 mov eax,1.0040C74E
返回程序领空相应位置,修改,剩下这两个异常不知道如何改,请教高手
00464A8A 83C4 10 add esp,10
00464A8D 8945 F0 mov dword ptr ss:[ebp-10],eax
00464A90 FF75 F0 push dword ptr ss:[ebp-10]
00464A93 68 70C64000 push 1.0040C670 ; ,异常代码是:
00464A98 FF75 F8 push dword ptr ss:[ebp-8]
00464A9B B9 03000000 mov ecx,3
00464AA0 E8 CBF1FFFF call 1.00463C70
00464AA5 83C4 0C add esp,0C
00464AA8 8945 EC mov dword ptr ss:[ebp-14],eax
00464AAB 8B5D F8 mov ebx,dword ptr ss:[ebp-8]
00464AAE 85DB test ebx,ebx
00464AB0 74 09 je short 1.00464ABB
00464AB2 53 push ebx
00464AB3 E8 B1180200 call 1.00486369
00464AB8 83C4 04 add esp,4
00464ABB 8B5D F0 mov ebx,dword ptr ss:[ebp-10]
00464ABE 85DB test ebx,ebx
00464AC0 74 09 je short 1.00464ACB
00464AC2 53 push ebx
00464AC3 E8 A1180200 call 1.00486369
00464AC8 83C4 04 add esp,4
00464ACB 68 04000080 push 80000004
00464AD0 6A 00 push 0
00464AD2 68 7DC64000 push 1.0040C67D ; 发现异常:
00464AD7 68 01030080 push 80000301
00464ADC 6A 00 push 0
00464ADE 68 10000000 push 10
00464AE3 68 04000080 push 80000004
00464AE8 6A 00 push 0
00464AEA 8B45 EC mov eax,dword ptr ss:[ebp-14]
00464AED 85C0 test eax,eax
00464AEF 75 05 jnz short 1.00464AF6
00464AF1 B8 67C64000 mov eax,1.0040C667
00464AF6 50 push eax
00464AF7 68 03000000 push 3
00464AFC BB 00030000 mov ebx,300
00464B01 E8 75180200 call 1.0048637B
00464B06 83C4 28 add esp,28
00464B09 8B5D EC mov ebx,dword ptr ss:[ebp-14]
00464B0C 85DB test ebx,ebx
00464B0E 74 09 je short 1.00464B19
00464B10 53 push ebx
00464B11 E8 53180200 call 1.00486369
00464B16 83C4 04 add esp,4
00464B19 68 08000000 push 8
00464B1E E8 40180200 call 1.00486363
00464B23 83C4 04 add esp,4
00464B26 8945 FC mov dword ptr ss:[ebp-4],eax
00464B29 8BF8 mov edi,eax
00464B2B BE 44C64000 mov esi,1.0040C644
00464B30 AD lods dword ptr ds:[esi]
00464B31 AB stos dword ptr es:[edi]
00464B32 AD lods dword ptr ds:[esi]
00464B33 AB stos dword ptr es:[edi]
00464B34 6A 00 push 0
00464B36 8D45 FC lea eax,dword ptr ss:[ebp-4]
00464B39 50 push eax
00464B3A C745 F8 0000000>mov dword ptr ss:[ebp-8],0
00464B41 6A 00 push 0
00464B43 FF75 F8 push dword ptr ss:[ebp-8]
00464B46 FF35 1C22EC00 push dword ptr ds:[EC221C]
00464B4C E8 9C010000 call 1.00464CED
00464B51 8B5D FC mov ebx,dword ptr ss:[ebp-4]
00464B54 53 push ebx
00464B55 E8 0F180200 call 1.00486369
00464B5A 83C4 04 add esp,4
00464B5D 833D 2822EC00 0>cmp dword ptr ds:[EC2228],1
00464B64 0F85 0F000000 jnz 1.00464B79
00464B6A 6A 00 push 0
00464B6C E8 E0170200 call 1.00486351
00464B71 83C4 04 add esp,4
00464B74 E9 00000000 jmp 1.00464B79
00464B79 A1 2822EC00 mov eax,dword ptr ds:[EC2228]
00464B7E E9 00000000 jmp 1.00464B83
00464B83 8BE5 mov esp,ebp
00464B85 5D pop ebp
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
