[求助][求助]脱PESin 0.3?-1.3?壳遇到死循环-付费问答-看雪-安全社区|安全招聘|kanxue.com

[旧帖] [求助][求助]脱PESin 0.3?-1.3?壳遇到死循环 0.00雪花

发表于: 2008-10-5 16:42 2291

[旧帖] [求助][求助]脱PESin 0.3?-1.3?壳遇到死循环 0.00雪花

hangweapon 活跃值

2008-10-5 16:42

2291

用OD载入加了PESin壳的DLL文件，出现提示后按确定，停在
003DC0D4 > /EB 01          jmp    short dbt3.003DC0D7///停在这里
003DC0D6 |68 60E80000    push 0E860
003DC0DB 0000          add    byte ptr ds:[eax], al
003DC0DD 8B1C24       mov    ebx, dword ptr ss:[esp]
003DC0E0 83C3 12       add    ebx, 12
003DC0E3 812B E8B10600 sub    dword ptr ds:[ebx], 6B1E8
003DC0E9 FE4B FD       dec    byte ptr ds:[ebx-3]
003DC0EC 822C24 17    sub    byte ptr ss:[esp], 17
003DC0F0 E6 46          out    46, al                                  ; I/O 命令
003DC0F2 000B          add    byte ptr ds:[ebx], cl
003DC0F4 E4 74          in    al, 74                                  ; I/O 命令
003DC0F6 9E             sahf
003DC0F7 75 01          jnz    short dbt3.003DC0FA
003DC0F9 C781 7304D77A F>mov    dword ptr ds:[ecx+7AD70473], 73812FF7
003DC103 1977 00       sbb    dword ptr ds:[edi], esi
003DC106 43             inc    ebx
003DC107 B7 F6          mov    bh, 0F6
003DC109 C3             retn
003DC10A 6BB7 0000F9FF E>imul esi, dword ptr ds:[edi+FFF90000], -1D
003DC111 C9             leave
003DC112 C2 0800       retn 8
003DC115 A3 687201FF    mov    dword ptr ds:[FF017268], eax
003DC11A 5D             pop    ebp
003DC11B 33C9          xor    ecx, ecx
003DC11D 41             inc    ecx
003DC11E E2 17          loopd short dbt3.003DC137
003DC120 EB 07          jmp    short dbt3.003DC129
003DC122 EA EB01EBEB 0DF>jmp    far FF0D:EBEB01EB                      ; 远距跳转
003DC129 E8 01000000    call dbt3.003DC12F
003DC12E EA 5A83EA0B FFE>jmp    far E2FF:0BEA835A                      ; 远距跳转
003DC135 EB 04          jmp    short dbt3.003DC13B
003DC137 9A EB0400EB FBF>call far FFFB:EB0004EB                      ; 远距呼叫
003DC13E E8 02000000    call dbt3.003DC145
003DC143 A0 005A81EA    mov    al, byte ptr ds:[EA815A00]
003DC148 45             inc    ebp
003DC149 C10A 00       ror    dword ptr ds:[edx], 0                   ; 移动常数超出 1..31 的范围
003DC14C 83EA FE       sub    edx, -2
003DC14F 8995 A9574000 mov    dword ptr ss:[ebp+4057A9], edx
003DC155 2BC0          sub    eax, eax

一直按F7跟进来到下面这个死循环

//////////////////////////////
0159C340 301C39       xor    byte ptr ds:[ecx+edi], bl
0159C343 FECB          dec    bl
0159C345 49             dec    ecx
0159C346 9C             pushfd
0159C347 EB 04          jmp    short dbt3.0159C34D
0159C349 01EB          add    ebx, ebp
0159C34B 04 CD          add    al, 0CD
0159C34D  ^ EB FB          jmp    short dbt3.0159C34A
0159C34F 2BC1          sub    eax, ecx
0159C351 2C 24          sub    al, 24
0159C353 06             push es
0159C354 F71424       not    dword ptr ss:[esp]
0159C357 832424 01    and    dword ptr ss:[esp], 1
0159C35B 50             push eax
0159C35C 52             push edx
0159C35D B8 79B2DC12    mov    eax, 12DCB279
0159C362 05 444D23ED    add    eax, ED234D44
0159C367 F76424 08    mul    dword ptr ss:[esp+8]
0159C36B 8D8428 D5364000 lea    eax, dword ptr ds:[eax+ebp+4036D5]
0159C372 894424 08    mov    dword ptr ss:[esp+8], eax
0159C376 5A             pop    edx
0159C377 58             pop    eax
0159C378 8D6424 04    lea    esp, dword ptr ss:[esp+4]
0159C37C FF6424 FC    jmp    near dword ptr ss:[esp-4]//这里返回到0159C340 造成死循环

强制nop掉就会退出，
请高手指点
没有权限加附件，请加我QQ4988182

[课程]FART 脱壳王！加量不加价！FART作者讲授！

收藏・0

免费・0

支持