JDPack Version 1.01 外壳完全分析笔记-加壳脱壳-看雪-安全社区|安全招聘|kanxue.com

JDPack Version 1.01 外壳完全分析笔记

2004-5-15 11:41 8264

JDPack Version 1.01 外壳完全分析笔记

cyclotron

2004-5-15 11:41

8264

JDPack Version 1.01 外壳完全分析笔记

【目标程序】 JDPack V1.01加壳的Win98记事本
【作者】 cyclotron[BCG][DFCG][FCG][OCN]

用OllyDBG载入后如下：

0040D000 >[color=#0000FF]PUSHAD[/color]
0040D001  [color=#0000FF]CALL[/color] NOTEPAD.0040D006
0040D006  [color=#0000FF]POP[/color] [color=#808000]EBP[/color]
0040D007  [color=#0000FF]MOV[/color] [color=#808000]EDX[/color],[color=#808000]EBP[/color]
0040D009  [color=#0000FF]SUB[/color] [color=#808000]EBP[/color],NOTEPAD.00402BC6                       [color=#008000]; 取得delta[/color]
0040D00F  [color=#0000FF]SUB[/color] [color=#808000]EDX[/color],[color=#FF0000]DWORD[/color] [color=#FF0000]PTR[/color] [color=#808000]SS[/color]:[[color=#808000]EBP[/color]+403461]
0040D015  [color=#0000FF]SUB[/color] [color=#808000]EDX[/color],6
0040D01B  [color=#0000FF]MOV[/color] [color=#FF0000]DWORD[/color] [color=#FF0000]PTR[/color] [color=#808000]SS[/color]:[[color=#808000]EBP[/color]+403465],[color=#808000]EDX[/color]              [color=#008000]; 取得基地址[/color]
0040D021  [color=#0000FF]CMP[/color] [color=#FF0000]DWORD[/color] [color=#FF0000]PTR[/color] [color=#808000]SS[/color]:[[color=#808000]EBP[/color]+403469],0                [color=#008000]; 某重入标志[/color]
0040D028  [color=#0000FF]JNZ[/color] NOTEPAD.0040D3EA
0040D02E  [color=#0000FF]MOV[/color] [color=#FF0000]DWORD[/color] [color=#FF0000]PTR[/color] [color=#808000]SS[/color]:[[color=#808000]EBP[/color]+403469],1                [color=#008000]; 置重入标志[/color]
0040D038  [color=#0000FF]MOV[/color] [color=#808000]ECX[/color],788                                    [color=#008000]; 解码长度[/color]
0040D03D  [color=#0000FF]LEA[/color] [color=#808000]ESI[/color],[color=#FF0000]DWORD[/color] [color=#FF0000]PTR[/color] [color=#808000]SS[/color]:[[color=#808000]EBP[/color]+402C18]              [color=#008000]; 加密代码的起始地址,我这里是0040D058[/color]
0040D043  [color=#0000FF]MOV[/color] [color=#808000]AL[/color],[color=#FF0000]BYTE[/color] [color=#FF0000]PTR[/color] [color=#808000]SS[/color]:[[color=#808000]EBP[/color]+403460]
0040D049  [color=#0000FF]MOV[/color] [color=#808000]BL[/color],[color=#FF0000]BYTE[/color] [color=#FF0000]PTR[/color] [color=#808000]DS[/color]:[[color=#808000]ESI[/color]]
0040D04B  [color=#0000FF]XOR[/color] [color=#808000]AL[/color],[color=#808000]BL[/color]                                      [color=#008000]; 简单的异或解密运算[/color]
0040D04D  [color=#0000FF]MOV[/color] [color=#FF0000]BYTE[/color] [color=#FF0000]PTR[/color] [color=#808000]DS[/color]:[[color=#808000]ESI[/color]],[color=#808000]AL[/color]
0040D04F  [color=#0000FF]MOV[/color] [color=#FF0000]BYTE[/color] [color=#FF0000]PTR[/color] [color=#808000]SS[/color]:[[color=#808000]EBP[/color]+403460],[color=#808000]BL[/color]                [color=#008000]; 保存解密前的代码[/color]
0040D055  [color=#0000FF]INC[/color] [color=#808000]ESI[/color]
0040D056  LOOPD [color=#FF0000]SHORT[/color] NOTEPAD.0040D043                   [color=#008000]; 随着循环的进行对下面的代码进行解密[/color]
0040D058  [color=#0000FF]PUSHFD[/color]                                         [color=#008000]; 标志位入栈，这里不能单步通过[/color]
0040D059  [color=#0000FF]POP[/color] [color=#808000]EAX[/color]
0040D05A  [color=#0000FF]TEST[/color] [color=#808000]AH[/color],1                                      [color=#008000]; 检测单步标志[/color]
0040D05D  [color=#0000FF]JE[/color] [color=#FF0000]SHORT[/color] NOTEPAD.0040D066
0040D05F  [color=#0000FF]XOR[/color] [color=#FF0000]BYTE[/color] [color=#FF0000]PTR[/color] [color=#808000]SS[/color]:[[color=#808000]EBP[/color]+402FD7],0FF               [color=#008000]; 发现跟踪企图后将下面的一句关键代码破坏[/color]
0040D066  [color=#0000FF]MOV[/color] [color=#808000]ESI[/color],[color=#FF0000]DWORD[/color] [color=#FF0000]PTR[/color] [color=#808000]SS[/color]:[[color=#808000]EBP[/color]+403201]              [color=#008000]; 原文件的区块数目[/color]
0040D06C  [color=#0000FF]MOV[/color] [color=#808000]EAX[/color],[color=#808000]EBP[/color]                                    [color=#008000]; delta[/color]
0040D06E  [color=#0000FF]PUSH[/color] [color=#808000]ESI[/color]
0040D06F  [color=#0000FF]PUSH[/color] [color=#808000]EAX[/color]                                       [color=#008000]; 保存偏移量[/color]
0040D070  [color=#0000FF]MOV[/color] [color=#808000]ECX[/color],[color=#FF0000]DWORD[/color] [color=#FF0000]PTR[/color] [color=#808000]DS[/color]:[[color=#808000]EAX[/color]+403209]              [color=#008000]; 申请空间的大小[/color]
0040D076  [color=#0000FF]PUSH[/color] 4
0040D078  [color=#0000FF]PUSH[/color] 1000
0040D07D  [color=#0000FF]PUSH[/color] [color=#808000]ECX[/color]
0040D07E  [color=#0000FF]PUSH[/color] 0                                         [color=#008000]; 操作系统指定分配空间的地址[/color]
0040D080  [color=#0000FF]CALL[/color] [color=#FF0000]DWORD[/color] [color=#FF0000]PTR[/color] [color=#808000]SS[/color]:[[color=#808000]EBP[/color]+4033EC]                 [color=#008000]; kernel32.VirtualAlloc[/color]
0040D086  [color=#0000FF]MOV[/color] [color=#FF0000]DWORD[/color] [color=#FF0000]PTR[/color] [color=#808000]SS[/color]:[[color=#808000]EBP[/color]+4031E1],[color=#808000]EAX[/color]              [color=#008000]; 保存空间的首地址[/color]
0040D08C  [color=#0000FF]POP[/color] [color=#808000]EAX[/color]
0040D08D  [color=#0000FF]POP[/color] [color=#808000]ESI[/color]
0040D08E  [color=#0000FF]PUSH[/color] [color=#808000]ESI[/color]
0040D08F  [color=#0000FF]PUSH[/color] [color=#808000]EAX[/color]
0040D090  [color=#0000FF]MOV[/color] [color=#808000]ESI[/color],[color=#FF0000]DWORD[/color] [color=#FF0000]PTR[/color] [color=#808000]DS[/color]:[[color=#808000]EAX[/color]+403205]              [color=#008000]; 代码块偏移量[/color]
0040D096  [color=#0000FF]MOV[/color] [color=#808000]EDX[/color],[color=#FF0000]DWORD[/color] [color=#FF0000]PTR[/color] [color=#808000]SS[/color]:[[color=#808000]EBP[/color]+403465]              [color=#008000]; 映象基地址[/color]
0040D09C  [color=#0000FF]MOV[/color] [color=#808000]ECX[/color],[color=#FF0000]DWORD[/color] [color=#FF0000]PTR[/color] [color=#808000]DS[/color]:[[color=#808000]EAX[/color]+403209]              [color=#008000]; 解密块的大小[/color]
0040D0A2  [color=#0000FF]ADD[/color] [color=#808000]ESI[/color],[color=#808000]EDX[/color]
0040D0A4  [color=#0000FF]PUSHAD[/color]
0040D0A5  [color=#0000FF]MOV[/color] [color=#808000]EDI[/color],[color=#808000]ESI[/color]
0040D0A7  [color=#0000FF]XOR[/color] [color=#808000]EAX[/color],[color=#808000]EAX[/color]
0040D0A9  [color=#0000FF]LODS[/color] [color=#FF0000]BYTE[/color] [color=#FF0000]PTR[/color] [color=#808000]DS[/color]:[[color=#808000]ESI[/color]]                         [color=#008000]; 载入代码块数据至al[/color]
0040D0AA  [color=#0000FF]XOR[/color] [color=#808000]AL[/color],[color=#FF0000]BYTE[/color] [color=#FF0000]PTR[/color] [color=#808000]SS[/color]:[[color=#808000]EBP[/color]+402FD7]                [color=#008000]; 加密代码块的数据[/color]
0040D0B0  [color=#0000FF]STOS[/color] [color=#FF0000]BYTE[/color] [color=#FF0000]PTR[/color] [color=#808000]ES[/color]:[[color=#808000]EDI[/color]]                         [color=#008000]; 存回代码块[/color]
0040D0B1  LOOPD [color=#FF0000]SHORT[/color] NOTEPAD.0040D0A9
0040D0B3  [color=#0000FF]POPAD[/color]
0040D0B4  [color=#0000FF]MOV[/color] [color=#808000]EDI[/color],[color=#FF0000]DWORD[/color] [color=#FF0000]PTR[/color] [color=#808000]SS[/color]:[[color=#808000]EBP[/color]+4031E1]              [color=#008000]; 这是前面用VirtualAlloc分配的内存空间[/color]
0040D0BA  [color=#0000FF]REP[/color] [color=#0000FF]MOVS[/color] [color=#FF0000]BYTE[/color] [color=#FF0000]PTR[/color] [color=#808000]ES[/color]:[[color=#808000]EDI[/color]],[color=#FF0000]BYTE[/color] [color=#FF0000]PTR[/color] [color=#808000]DS[/color]:[[color=#808000]ESI[/color]]   [color=#008000]; 保存加密后的数据[/color]
0040D0BC  [color=#0000FF]MOV[/color] [color=#808000]ESI[/color],[color=#FF0000]DWORD[/color] [color=#FF0000]PTR[/color] [color=#808000]SS[/color]:[[color=#808000]EBP[/color]+4031E1]              [color=#008000]; 加密数据的保存位置[/color]
0040D0C2  [color=#0000FF]MOV[/color] [color=#808000]EDI[/color],[color=#FF0000]DWORD[/color] [color=#FF0000]PTR[/color] [color=#808000]DS[/color]:[[color=#808000]EAX[/color]+403205]              [color=#008000]; 代码块偏移量[/color]
0040D0C8  [color=#0000FF]ADD[/color] [color=#808000]EDI[/color],[color=#808000]EDX[/color]
0040D0CA  [color=#0000FF]PUSH[/color] [color=#808000]EDI[/color]
0040D0CB  [color=#0000FF]PUSH[/color] [color=#808000]ESI[/color]
0040D0CC  [color=#0000FF]CALL[/color] NOTEPAD.0040D4BD                          [color=#008000]; 将代码块的数据还原[/color]
0040D0D1  [color=#0000FF]POP[/color] [color=#808000]ESI[/color]
0040D0D2  [color=#0000FF]POP[/color] [color=#808000]EDI[/color]
0040D0D3  [color=#0000FF]POP[/color] [color=#808000]EAX[/color]
0040D0D4  [color=#0000FF]POP[/color] [color=#808000]ESI[/color]
0040D0D5  [color=#0000FF]PUSH[/color] [color=#808000]ESI[/color]
0040D0D6  [color=#0000FF]PUSH[/color] [color=#808000]EAX[/color]
0040D0D7  [color=#0000FF]MOV[/color] [color=#808000]ECX[/color],[color=#FF0000]DWORD[/color] [color=#FF0000]PTR[/color] [color=#808000]DS[/color]:[[color=#808000]EAX[/color]+403209]              [color=#008000]; 申请空间的大小[/color]
0040D0DD  [color=#0000FF]MOV[/color] [color=#808000]ESI[/color],[color=#FF0000]DWORD[/color] [color=#FF0000]PTR[/color] [color=#808000]SS[/color]:[[color=#808000]EBP[/color]+4031E1]              [color=#008000]; 动态申请的内存空间[/color]
0040D0E3  [color=#0000FF]PUSH[/color] 4000
0040D0E8  [color=#0000FF]PUSH[/color] [color=#808000]ECX[/color]
0040D0E9  [color=#0000FF]PUSH[/color] [color=#808000]ESI[/color]
0040D0EA  [color=#0000FF]CALL[/color] [color=#FF0000]DWORD[/color] [color=#FF0000]PTR[/color] [color=#808000]SS[/color]:[[color=#808000]EBP[/color]+4033F0]                 [color=#008000]; kernel32.VirtualFree释放空间[/color]
0040D0F0  [color=#0000FF]POP[/color] [color=#808000]EAX[/color]
0040D0F1  [color=#0000FF]POP[/color] [color=#808000]ESI[/color]
0040D0F2  [color=#0000FF]ADD[/color] [color=#808000]EAX[/color],8                                      [color=#008000]; delta+8[/color]
0040D0F5  [color=#0000FF]DEC[/color] [color=#808000]ESI[/color]                                        [color=#008000]; 区块数递减SI[/color]
0040D0F6  [color=#0000FF]JNZ[/color] NOTEPAD.0040D06E                           [color=#008000]; 上述循环依次对每个section进行解码[/color]
0040D0FC  [color=#0000FF]CMP[/color] [color=#FF0000]DWORD[/color] [color=#FF0000]PTR[/color] [color=#808000]SS[/color]:[[color=#808000]EBP[/color]+4031E9],0                [color=#008000]; 是否有重定位数据?[/color]
0040D103  [color=#0000FF]JE[/color] NOTEPAD.0040D193
0040D109  [color=#0000FF]MOV[/color] [color=#808000]EDX[/color],[color=#FF0000]DWORD[/color] [color=#FF0000]PTR[/color] [color=#808000]SS[/color]:[[color=#808000]EBP[/color]+403465]              [color=#008000]; 当前映象基地址[/color]
0040D10F  [color=#0000FF]MOV[/color] [color=#808000]EAX[/color],[color=#FF0000]DWORD[/color] [color=#FF0000]PTR[/color] [color=#808000]SS[/color]:[[color=#808000]EBP[/color]+4031E5]              [color=#008000]; 理想映象基地址[/color]
0040D115  [color=#0000FF]SUB[/color] [color=#808000]EDX[/color],[color=#808000]EAX[/color]
0040D117  [color=#0000FF]JE[/color] [color=#FF0000]SHORT[/color] NOTEPAD.0040D193                      [color=#008000]; 是否需要重定位?[/color]

        ..........
        ..........
        ..........

0040D191  [color=#0000FF]JMP[/color] [color=#FF0000]SHORT[/color] NOTEPAD.0040D12C
0040D193  [color=#0000FF]LEA[/color] [color=#808000]EBX[/color],[color=#FF0000]DWORD[/color] [color=#FF0000]PTR[/color] [color=#808000]SS[/color]:[[color=#808000]EBP[/color]+403389]              [color=#008000]; "user32.dll"[/color]
0040D199  [color=#0000FF]PUSH[/color] [color=#808000]EBX[/color]
0040D19A  [color=#0000FF]CALL[/color] [color=#FF0000]DWORD[/color] [color=#FF0000]PTR[/color] [color=#808000]SS[/color]:[[color=#808000]EBP[/color]+4033E8]                 [color=#008000]; 调用kernel32.LoadLibraryA 加载动态链接库[/color]
0040D1A0  [color=#0000FF]PUSH[/color] [color=#808000]EAX[/color]                                       [color=#008000]; 保存库的句柄[/color]
0040D1A1  [color=#0000FF]LEA[/color] [color=#808000]EBX[/color],[color=#FF0000]DWORD[/color] [color=#FF0000]PTR[/color] [color=#808000]SS[/color]:[[color=#808000]EBP[/color]+403331]              [color=#008000]; "MessageBoxA"[/color]
0040D1A7  [color=#0000FF]PUSH[/color] [color=#808000]EBX[/color]
0040D1A8  [color=#0000FF]PUSH[/color] [color=#808000]EAX[/color]
0040D1A9  [color=#0000FF]CALL[/color] [color=#FF0000]DWORD[/color] [color=#FF0000]PTR[/color] [color=#808000]SS[/color]:[[color=#808000]EBP[/color]+4033E0]                 [color=#008000]; 调用kernel32.GetProcAddress 取得函数地址[/color]
0040D1AF  [color=#0000FF]MOV[/color] [color=#FF0000]DWORD[/color] [color=#FF0000]PTR[/color] [color=#808000]SS[/color]:[[color=#808000]EBP[/color]+4031D5],[color=#808000]EAX[/color]              [color=#008000]; 保存到全局变量[/color]
0040D1B5  [color=#0000FF]POP[/color] [color=#808000]EAX[/color]
0040D1B6  [color=#0000FF]LEA[/color] [color=#808000]EBX[/color],[color=#FF0000]DWORD[/color] [color=#FF0000]PTR[/color] [color=#808000]SS[/color]:[[color=#808000]EBP[/color]+40333D]              [color=#008000]; "wsprintfA"[/color]
0040D1BC  [color=#0000FF]PUSH[/color] [color=#808000]EBX[/color]
0040D1BD  [color=#0000FF]PUSH[/color] [color=#808000]EAX[/color]
0040D1BE  [color=#0000FF]CALL[/color] [color=#FF0000]DWORD[/color] [color=#FF0000]PTR[/color] [color=#808000]SS[/color]:[[color=#808000]EBP[/color]+4033E0]                 [color=#008000]; kernel32.GetProcAddress[/color]
0040D1C4  [color=#0000FF]MOV[/color] [color=#FF0000]DWORD[/color] [color=#FF0000]PTR[/color] [color=#808000]SS[/color]:[[color=#808000]EBP[/color]+4031D9],[color=#808000]EAX[/color]
0040D1CA  [color=#0000FF]LEA[/color] [color=#808000]EBX[/color],[color=#FF0000]DWORD[/color] [color=#FF0000]PTR[/color] [color=#808000]SS[/color]:[[color=#808000]EBP[/color]+4033F8]              [color=#008000]; "kernel32.dll"[/color]
0040D1D0  [color=#0000FF]PUSH[/color] [color=#808000]EBX[/color]
0040D1D1  [color=#0000FF]CALL[/color] [color=#FF0000]DWORD[/color] [color=#FF0000]PTR[/color] [color=#808000]SS[/color]:[[color=#808000]EBP[/color]+4033E4]                 [color=#008000]; kernel32.GetModuleHandleA[/color]
0040D1D7  [color=#0000FF]PUSH[/color] [color=#808000]EAX[/color]
0040D1D8  [color=#0000FF]LEA[/color] [color=#808000]EBX[/color],[color=#FF0000]DWORD[/color] [color=#FF0000]PTR[/color] [color=#808000]SS[/color]:[[color=#808000]EBP[/color]+403347]              [color=#008000]; "ExitProcess"[/color]
0040D1DE  [color=#0000FF]PUSH[/color] [color=#808000]EBX[/color]
0040D1DF  [color=#0000FF]PUSH[/color] [color=#808000]EAX[/color]
0040D1E0  [color=#0000FF]CALL[/color] [color=#FF0000]DWORD[/color] [color=#FF0000]PTR[/color] [color=#808000]SS[/color]:[[color=#808000]EBP[/color]+4033E0]                 [color=#008000]; kernel32.GetProcAddress[/color]
0040D1E6  [color=#0000FF]MOV[/color] [color=#FF0000]DWORD[/color] [color=#FF0000]PTR[/color] [color=#808000]SS[/color]:[[color=#808000]EBP[/color]+4031C5],[color=#808000]EAX[/color]
0040D1EC  [color=#0000FF]POP[/color] [color=#808000]EAX[/color]
0040D1ED  [color=#0000FF]PUSH[/color] [color=#808000]EAX[/color]
0040D1EE  [color=#0000FF]LEA[/color] [color=#808000]EBX[/color],[color=#FF0000]DWORD[/color] [color=#FF0000]PTR[/color] [color=#808000]SS[/color]:[[color=#808000]EBP[/color]+403361]              [color=#008000]; "CreateFileA"[/color]
0040D1F4  [color=#0000FF]PUSH[/color] [color=#808000]EBX[/color]
0040D1F5  [color=#0000FF]PUSH[/color] [color=#808000]EAX[/color]
0040D1F6  [color=#0000FF]CALL[/color] [color=#FF0000]DWORD[/color] [color=#FF0000]PTR[/color] [color=#808000]SS[/color]:[[color=#808000]EBP[/color]+4033E0]                 [color=#008000]; kernel32.GetProcAddress[/color]
0040D1FC  [color=#0000FF]MOV[/color] [color=#FF0000]DWORD[/color] [color=#FF0000]PTR[/color] [color=#808000]SS[/color]:[[color=#808000]EBP[/color]+4031C1],[color=#808000]EAX[/color]
0040D202  [color=#0000FF]POP[/color] [color=#808000]EAX[/color]
0040D203  [color=#0000FF]PUSH[/color] [color=#808000]EAX[/color]
0040D204  [color=#0000FF]LEA[/color] [color=#808000]EBX[/color],[color=#FF0000]DWORD[/color] [color=#FF0000]PTR[/color] [color=#808000]SS[/color]:[[color=#808000]EBP[/color]+403353]              [color=#008000]; "GetVersionExA"[/color]
0040D20A  [color=#0000FF]PUSH[/color] [color=#808000]EBX[/color]
0040D20B  [color=#0000FF]PUSH[/color] [color=#808000]EAX[/color]
0040D20C  [color=#0000FF]CALL[/color] [color=#FF0000]DWORD[/color] [color=#FF0000]PTR[/color] [color=#808000]SS[/color]:[[color=#808000]EBP[/color]+4033E0]                 [color=#008000]; kernel32.GetProcAddress[/color]
0040D212  [color=#0000FF]MOV[/color] [color=#FF0000]DWORD[/color] [color=#FF0000]PTR[/color] [color=#808000]SS[/color]:[[color=#808000]EBP[/color]+4031C9],[color=#808000]EAX[/color]
0040D218  [color=#0000FF]POP[/color] [color=#808000]EAX[/color]
0040D219  [color=#0000FF]PUSH[/color] [color=#808000]EAX[/color]
0040D21A  [color=#0000FF]LEA[/color] [color=#808000]EBX[/color],[color=#FF0000]DWORD[/color] [color=#FF0000]PTR[/color] [color=#808000]SS[/color]:[[color=#808000]EBP[/color]+40336D]              [color=#008000]; "VirtualProtect"[/color]
0040D220  [color=#0000FF]PUSH[/color] [color=#808000]EBX[/color]
0040D221  [color=#0000FF]PUSH[/color] [color=#808000]EAX[/color]
0040D222  [color=#0000FF]CALL[/color] [color=#FF0000]DWORD[/color] [color=#FF0000]PTR[/color] [color=#808000]SS[/color]:[[color=#808000]EBP[/color]+4033E0]                 [color=#008000]; kernel32.GetProcAddress[/color]
0040D228  [color=#0000FF]MOV[/color] [color=#FF0000]DWORD[/color] [color=#FF0000]PTR[/color] [color=#808000]SS[/color]:[[color=#808000]EBP[/color]+4031CD],[color=#808000]EAX[/color]
0040D22E  [color=#0000FF]POP[/color] [color=#808000]EAX[/color]
0040D22F  [color=#0000FF]LEA[/color] [color=#808000]EBX[/color],[color=#FF0000]DWORD[/color] [color=#FF0000]PTR[/color] [color=#808000]SS[/color]:[[color=#808000]EBP[/color]+40337C]              [color=#008000]; "GetTickCount"[/color]
0040D235  [color=#0000FF]PUSH[/color] [color=#808000]EBX[/color]
0040D236  [color=#0000FF]PUSH[/color] [color=#808000]EAX[/color]
0040D237  [color=#0000FF]CALL[/color] [color=#FF0000]DWORD[/color] [color=#FF0000]PTR[/color] [color=#808000]SS[/color]:[[color=#808000]EBP[/color]+4033E0]                 [color=#008000]; kernel32.GetProcAddress[/color]
0040D23D  [color=#0000FF]MOV[/color] [color=#FF0000]DWORD[/color] [color=#FF0000]PTR[/color] [color=#808000]SS[/color]:[[color=#808000]EBP[/color]+4031D1],[color=#808000]EAX[/color]
0040D243  [color=#0000FF]LEA[/color] [color=#808000]EBX[/color],[color=#FF0000]DWORD[/color] [color=#FF0000]PTR[/color] [color=#808000]SS[/color]:[[color=#808000]EBP[/color]+40346D]              [color=#008000]; OSVERSIONINFO结构体的指针[/color]
0040D249  [color=#0000FF]MOV[/color] [color=#FF0000]DWORD[/color] [color=#FF0000]PTR[/color] [color=#808000]DS[/color]:[[color=#808000]EBX[/color]],94                      [color=#008000]; OSVERSIONINFO结构体的大小[/color]
0040D24F  [color=#0000FF]PUSH[/color] [color=#808000]EBX[/color]
0040D250  [color=#0000FF]CALL[/color] [color=#FF0000]DWORD[/color] [color=#FF0000]PTR[/color] [color=#808000]SS[/color]:[[color=#808000]EBP[/color]+4031C9]                 [color=#008000]; kernel32.GetVersionExA[/color]
0040D256  [color=#0000FF]LEA[/color] [color=#808000]EBX[/color],[color=#FF0000]DWORD[/color] [color=#FF0000]PTR[/color] [color=#808000]SS[/color]:[[color=#808000]EBP[/color]+40346D]
0040D25C  [color=#0000FF]CMP[/color] [color=#FF0000]DWORD[/color] [color=#FF0000]PTR[/color] [color=#808000]DS[/color]:[[color=#808000]EBX[/color]+10],1                    [color=#008000]; Win98?[/color]
0040D260  [color=#0000FF]JE[/color] [color=#FF0000]SHORT[/color] NOTEPAD.0040D276
0040D262  [color=#0000FF]CMP[/color] [color=#FF0000]DWORD[/color] [color=#FF0000]PTR[/color] [color=#808000]DS[/color]:[[color=#808000]EBX[/color]+10],2                    [color=#008000]; WinNT?[/color]
0040D266  [color=#0000FF]JE[/color] [color=#FF0000]SHORT[/color] NOTEPAD.0040D26A
0040D268  [color=#0000FF]JMP[/color] [color=#FF0000]SHORT[/color] NOTEPAD.0040D284
0040D26A  [color=#0000FF]CALL[/color] NOTEPAD.0040D44E                          [color=#008000]; 简单地调用CreateFile检测SoftICE[/color]
{
    0040D44E  [color=#0000FF]PUSH[/color] 0
    0040D450  [color=#0000FF]PUSH[/color] 80
    0040D455  [color=#0000FF]PUSH[/color] 3
    0040D457  [color=#0000FF]PUSH[/color] 0
    0040D459  [color=#0000FF]PUSH[/color] 0
    0040D45B  [color=#0000FF]PUSH[/color] 80000000
    0040D460  [color=#0000FF]LEA[/color] [color=#808000]EBX[/color],[color=#FF0000]DWORD[/color] [color=#FF0000]PTR[/color] [color=#808000]SS[/color]:[[color=#808000]EBP[/color]+403394]
    0040D466  [color=#0000FF]PUSH[/color] [color=#808000]EBX[/color]                            [color=#008000]; "\\.\ntice"[/color]
    0040D467  [color=#0000FF]CALL[/color] [color=#FF0000]DWORD[/color] [color=#FF0000]PTR[/color] [color=#808000]SS[/color]:[[color=#808000]EBP[/color]+4031C1]      [color=#008000]; 调用CreateFileA检测SoftICE[/color]
    0040D46D  [color=#0000FF]CMP[/color] [color=#808000]EAX[/color],-1
    0040D470  [color=#0000FF]JE[/color] [color=#FF0000]SHORT[/color] NOTEPAD.0040D478
    0040D472  [color=#0000FF]CALL[/color] NOTEPAD.0040D47B
    0040D477  [color=#0000FF]RETN[/color]
    0040D478  [color=#0000FF]XOR[/color] [color=#808000]EAX[/color],[color=#808000]EAX[/color]                         [color=#008000]; 未发现调试器[/color]
    0040D47A  [color=#0000FF]RETN[/color]
}
0040D26F  [color=#0000FF]CMP[/color] [color=#808000]EAX[/color],-1
0040D272  [color=#0000FF]JNZ[/color] [color=#FF0000]SHORT[/color] NOTEPAD.0040D284
0040D274  [color=#0000FF]JMP[/color] [color=#FF0000]SHORT[/color] NOTEPAD.0040D280
0040D276  [color=#0000FF]CALL[/color] NOTEPAD.0040D418
0040D27B  [color=#0000FF]CMP[/color] [color=#808000]EAX[/color],-1
0040D27E  [color=#0000FF]JNZ[/color] [color=#FF0000]SHORT[/color] NOTEPAD.0040D284
0040D280  [color=#0000FF]POPAD[/color]
0040D281  [color=#0000FF]XOR[/color] [color=#808000]EAX[/color],[color=#808000]EAX[/color]
0040D283  [color=#0000FF]RETN[/color]
0040D284  [color=#0000FF]MOV[/color] [color=#808000]EDX[/color],[color=#FF0000]DWORD[/color] [color=#FF0000]PTR[/color] [color=#808000]SS[/color]:[[color=#808000]EBP[/color]+403465]              [color=#008000]; 映象基地址[/color]
0040D28A  [color=#0000FF]MOV[/color] [color=#808000]ESI[/color],[color=#FF0000]DWORD[/color] [color=#FF0000]PTR[/color] [color=#808000]SS[/color]:[[color=#808000]EBP[/color]+4031F1]              [color=#008000]; 输入表的偏移量,开始处理输入表[/color]
0040D290  [color=#0000FF]ADD[/color] [color=#808000]ESI[/color],[color=#808000]EDX[/color]
0040D292  [color=#0000FF]MOV[/color] [color=#808000]EAX[/color],[color=#FF0000]DWORD[/color] [color=#FF0000]PTR[/color] [color=#808000]DS[/color]:[[color=#808000]ESI[/color]+C]                   [color=#008000]; DllName指针[/color]
0040D295  [color=#0000FF]OR[/color] [color=#808000]EAX[/color],[color=#808000]EAX[/color]
0040D297  [color=#0000FF]JE[/color] NOTEPAD.0040D3EA
0040D29D  [color=#0000FF]ADD[/color] [color=#808000]EAX[/color],[color=#808000]EDX[/color]
0040D29F  [color=#0000FF]MOV[/color] [color=#FF0000]DWORD[/color] [color=#FF0000]PTR[/color] [color=#808000]SS[/color]:[[color=#808000]EBP[/color]+4031BD],[color=#808000]EAX[/color]              [color=#008000]; 保存DllName地指针[/color]
0040D2A5  [color=#0000FF]MOV[/color] [color=#808000]EBX[/color],[color=#808000]EAX[/color]
0040D2A7  [color=#0000FF]PUSH[/color] [color=#808000]EAX[/color]
0040D2A8  [color=#0000FF]CALL[/color] [color=#FF0000]DWORD[/color] [color=#FF0000]PTR[/color] [color=#808000]SS[/color]:[[color=#808000]EBP[/color]+4033E4]                 [color=#008000]; kernel32.GetModuleHandleA[/color]
0040D2AE  [color=#0000FF]OR[/color] [color=#808000]EAX[/color],[color=#808000]EAX[/color]                                     [color=#008000]; 是否已经加载?[/color]
0040D2B0  [color=#0000FF]JNZ[/color] [color=#FF0000]SHORT[/color] NOTEPAD.0040D307
0040D2B2  [color=#0000FF]PUSH[/color] [color=#808000]EBX[/color]
0040D2B3  [color=#0000FF]CALL[/color] [color=#FF0000]DWORD[/color] [color=#FF0000]PTR[/color] [color=#808000]SS[/color]:[[color=#808000]EBP[/color]+4033E8]                 [color=#008000]; 没有加载就调用kernel32.LoadLibraryA加载[/color]
0040D2B9  [color=#0000FF]OR[/color] [color=#808000]EAX[/color],[color=#808000]EAX[/color]                                     [color=#008000]; 加载成功?[/color]
0040D2BB  [color=#0000FF]JNZ[/color] [color=#FF0000]SHORT[/color] NOTEPAD.0040D307

        ..........
        ..........
        ..........

0040D307  [color=#0000FF]MOV[/color] [color=#FF0000]DWORD[/color] [color=#FF0000]PTR[/color] [color=#808000]SS[/color]:[[color=#808000]EBP[/color]+4031F9],[color=#808000]EAX[/color]              [color=#008000]; 保存Dll的句柄[/color]
0040D30D  [color=#0000FF]MOV[/color] [color=#FF0000]DWORD[/color] [color=#FF0000]PTR[/color] [color=#808000]SS[/color]:[[color=#808000]EBP[/color]+4031FD],0                [color=#008000]; IAT地址表的偏移指针[/color]
0040D317  [color=#0000FF]MOV[/color] [color=#808000]EDX[/color],[color=#FF0000]DWORD[/color] [color=#FF0000]PTR[/color] [color=#808000]SS[/color]:[[color=#808000]EBP[/color]+403465]              [color=#008000]; 映象基地址[/color]
0040D31D  [color=#0000FF]MOV[/color] [color=#808000]EAX[/color],[color=#FF0000]DWORD[/color] [color=#FF0000]PTR[/color] [color=#808000]DS[/color]:[[color=#808000]ESI[/color]]                     [color=#008000]; OriginalFirstThunk[/color]
0040D31F  [color=#0000FF]OR[/color] [color=#808000]EAX[/color],[color=#808000]EAX[/color]
0040D321  [color=#0000FF]JNZ[/color] [color=#FF0000]SHORT[/color] NOTEPAD.0040D326
0040D323  [color=#0000FF]MOV[/color] [color=#808000]EAX[/color],[color=#FF0000]DWORD[/color] [color=#FF0000]PTR[/color] [color=#808000]DS[/color]:[[color=#808000]ESI[/color]+10]                  [color=#008000]; FirstThunk[/color]
0040D326  [color=#0000FF]ADD[/color] [color=#808000]EAX[/color],[color=#808000]EDX[/color]                                    [color=#008000]; 加上映象基地址[/color]
0040D328  [color=#0000FF]ADD[/color] [color=#808000]EAX[/color],[color=#FF0000]DWORD[/color] [color=#FF0000]PTR[/color] [color=#808000]SS[/color]:[[color=#808000]EBP[/color]+4031FD]
0040D32E  [color=#0000FF]MOV[/color] [color=#808000]EBX[/color],[color=#FF0000]DWORD[/color] [color=#FF0000]PTR[/color] [color=#808000]DS[/color]:[[color=#808000]EAX[/color]]                     [color=#008000]; 引入函数名指针的偏移量形式[/color]
0040D330  [color=#0000FF]MOV[/color] [color=#808000]EDI[/color],[color=#FF0000]DWORD[/color] [color=#FF0000]PTR[/color] [color=#808000]DS[/color]:[[color=#808000]ESI[/color]+10]                  [color=#008000]; FirstThunk[/color]
0040D333  [color=#0000FF]ADD[/color] [color=#808000]EDI[/color],[color=#808000]EDX[/color]                                    [color=#008000]; 加上映象基地址[/color]
0040D335  [color=#0000FF]ADD[/color] [color=#808000]EDI[/color],[color=#FF0000]DWORD[/color] [color=#FF0000]PTR[/color] [color=#808000]SS[/color]:[[color=#808000]EBP[/color]+4031FD]
0040D33B  [color=#0000FF]TEST[/color] [color=#808000]EBX[/color],[color=#808000]EBX[/color]
0040D33D  [color=#0000FF]JE[/color] NOTEPAD.0040D3DC                            [color=#008000]; 从这里跳出填充IAT的循环[/color]
0040D343  [color=#0000FF]TEST[/color] [color=#808000]EBX[/color],80000000                              [color=#008000]; 以序数引入?[/color]
0040D349  [color=#0000FF]JNZ[/color] [color=#FF0000]SHORT[/color] NOTEPAD.0040D352
0040D34B  [color=#0000FF]ADD[/color] [color=#808000]EBX[/color],[color=#808000]EDX[/color]                                    [color=#008000]; 加上映象基地址[/color]
0040D34D  [color=#0000FF]ADD[/color] [color=#808000]EBX[/color],2                                      [color=#008000]; 跳过序号(hint)域[/color]
0040D350  [color=#0000FF]JMP[/color] [color=#FF0000]SHORT[/color] NOTEPAD.0040D367
0040D352  [color=#0000FF]AND[/color] [color=#808000]EBX[/color],7FFFFFFF
0040D358  [color=#0000FF]PUSH[/color] [color=#808000]EBX[/color]
0040D359  [color=#0000FF]PUSH[/color] [color=#FF0000]DWORD[/color] [color=#FF0000]PTR[/color] [color=#808000]SS[/color]:[[color=#808000]EBP[/color]+4031F9]
0040D35F  [color=#0000FF]CALL[/color] [color=#FF0000]DWORD[/color] [color=#FF0000]PTR[/color] [color=#808000]SS[/color]:[[color=#808000]EBP[/color]+4033E0]
0040D365  [color=#0000FF]JMP[/color] [color=#FF0000]SHORT[/color] NOTEPAD.0040D37F
0040D367  [color=#0000FF]PUSH[/color] [color=#808000]EBX[/color]                                       [color=#008000]; 引入函数名的指针[/color]
0040D368  [color=#0000FF]PUSH[/color] [color=#FF0000]DWORD[/color] [color=#FF0000]PTR[/color] [color=#808000]SS[/color]:[[color=#808000]EBP[/color]+4031F9]                 [color=#008000]; Dll句柄[/color]
0040D36E  [color=#0000FF]CALL[/color] [color=#FF0000]DWORD[/color] [color=#FF0000]PTR[/color] [color=#808000]SS[/color]:[[color=#808000]EBP[/color]+4033E0]                 [color=#008000]; kernel32.GetProcAddress[/color]
0040D374  [color=#0000FF]JMP[/color] [color=#FF0000]SHORT[/color] NOTEPAD.0040D37A
0040D376  [color=#0000FF]MOV[/color] [color=#FF0000]BYTE[/color] [color=#FF0000]PTR[/color] [color=#808000]DS[/color]:[[color=#808000]EBX[/color]],0                        [color=#008000]; 清空函数名字符串[/color]
0040D379  [color=#0000FF]INC[/color] [color=#808000]EBX[/color]
0040D37A  [color=#0000FF]CMP[/color] [color=#FF0000]BYTE[/color] [color=#FF0000]PTR[/color] [color=#808000]DS[/color]:[[color=#808000]EBX[/color]],0                        [color=#008000]; 函数名是否结束?[/color]
0040D37D  [color=#0000FF]JNZ[/color] [color=#FF0000]SHORT[/color] NOTEPAD.0040D376
0040D37F  [color=#0000FF]OR[/color] [color=#808000]EAX[/color],[color=#808000]EAX[/color]                                     [color=#008000]; 引入函数地址[/color]
0040D381  [color=#0000FF]JNZ[/color] [color=#FF0000]SHORT[/color] NOTEPAD.0040D3CE

        ..........
        ..........
        ..........

0040D3CE  [color=#0000FF]MOV[/color] [color=#FF0000]DWORD[/color] [color=#FF0000]PTR[/color] [color=#808000]DS[/color]:[[color=#808000]EDI[/color]],[color=#808000]EAX[/color]                     [color=#008000]; 将函数地址装入FirstThunk指向的IAT[/color]
0040D3D0  [color=#0000FF]ADD[/color] [color=#FF0000]DWORD[/color] [color=#FF0000]PTR[/color] [color=#808000]SS[/color]:[[color=#808000]EBP[/color]+4031FD],4                [color=#008000]; IAT地址表的指针递增[/color]
0040D3D7  [color=#0000FF]JMP[/color] NOTEPAD.0040D317
0040D3DC  [color=#0000FF]ADD[/color] [color=#808000]ESI[/color],14                                     [color=#008000]; 下一组IID[/color]
0040D3DF  [color=#0000FF]MOV[/color] [color=#808000]EDX[/color],[color=#FF0000]DWORD[/color] [color=#FF0000]PTR[/color] [color=#808000]SS[/color]:[[color=#808000]EBP[/color]+403465]              [color=#008000]; 映象基地址[/color]
0040D3E5  [color=#0000FF]JMP[/color] NOTEPAD.0040D292
0040D3EA  [color=#0000FF]PUSH[/color] 30
0040D3EC  [color=#0000FF]LEA[/color] [color=#808000]EBX[/color],[color=#FF0000]DWORD[/color] [color=#FF0000]PTR[/color] [color=#808000]SS[/color]:[[color=#808000]EBP[/color]+40324D]              [color=#008000]; 字符串"Unregistered JDPack"[/color]
0040D3F2  [color=#0000FF]PUSH[/color] [color=#808000]EBX[/color]
0040D3F3  [color=#0000FF]LEA[/color] [color=#808000]EBX[/color],[color=#FF0000]DWORD[/color] [color=#FF0000]PTR[/color] [color=#808000]SS[/color]:[[color=#808000]EBP[/color]+403261]              [color=#008000]; 字符串"This file PACKED by Unregistered..."[/color]
0040D3F9  [color=#0000FF]PUSH[/color] [color=#808000]EBX[/color]
0040D3FA  [color=#0000FF]PUSH[/color] 0
0040D3FC  [color=#0000FF]CALL[/color] [color=#FF0000]DWORD[/color] [color=#FF0000]PTR[/color] [color=#808000]SS[/color]:[[color=#808000]EBP[/color]+4031D5]                 [color=#008000]; user32.MessageBoxA[/color]
0040D402  [color=#0000FF]MOV[/color] [color=#808000]EDX[/color],[color=#FF0000]DWORD[/color] [color=#FF0000]PTR[/color] [color=#808000]SS[/color]:[[color=#808000]EBP[/color]+403465]              [color=#008000]; 映象基地址[/color]
0040D408  [color=#0000FF]MOV[/color] [color=#808000]EAX[/color],[color=#FF0000]DWORD[/color] [color=#FF0000]PTR[/color] [color=#808000]SS[/color]:[[color=#808000]EBP[/color]+4031ED]              [color=#008000]; OEP偏移量[/color]
0040D40E  [color=#0000FF]ADD[/color] [color=#808000]EAX[/color],[color=#808000]EDX[/color]
0040D410  [color=#0000FF]MOV[/color] [color=#FF0000]DWORD[/color] [color=#FF0000]PTR[/color] [color=#808000]SS[/color]:[[color=#808000]ESP[/color]+1C],[color=#808000]EAX[/color]
0040D414  [color=#0000FF]POPAD[/color]
0040D415  [color=#0000FF]PUSH[/color] [color=#808000]EAX[/color]                                       [color=#008000]; OEP入栈[/color]
0040D416  [color=#0000FF]RETN[/color]                                           [color=#008000]; 进入原始程序代码[/color]

[培训]《安卓高级研修班(网课)》月薪三万计划，掌握调试、分析还原ollvm、vmp的方法，定制art虚拟机自动化脱壳的方法

收藏・2

点赞・10

打赏

最新回复 (6)
forgot 雪币： 6073 活跃值： (2236) 能力值： (RANK：1060 ) 在线值：发帖 155 回帖 3744 粉丝 15 关注私信	forgot 26 2004-5-15 11:57 2 楼 0 呵呵,可以做个JDPack了;)
fly 雪币： 896 活跃值： (4039) 能力值： ( LV9，RANK：3410 ) 在线值：发帖 295 回帖 7672 粉丝 32 关注私信	fly 85 2004-5-15 14:59 3 楼 0 看来更多的兄弟开始研究壳了支持一下 :D
4nil 雪币： 313 活跃值： (440) 能力值： ( LV12，RANK：530 ) 在线值：发帖 45 回帖 631 粉丝 2 关注私信	4nil 13 2005-12-2 14:56 4 楼 0 fly 大哥,我今天也碰到这么一个壳,可是最后RETN回来就变成 0060F402 8B95 65344000 MOV EDX,DWORD PTR SS:[EBP+403465] 0060F408 8B85 ED314000 MOV EAX,DWORD PTR SS:[EBP+4031ED] 0060F40E 03C2 ADD EAX,EDX 0060F410 894424 1C MOV DWORD PTR SS:[ESP+1C],EAX 0060F414 61 POPAD 0060F415 50 PUSH EAX 0060F416 C3 RETN 从这里返回,就变乱码了，请问是OD设置问题吗? 00559B64 55 DB 55 ; CHAR 'U' 00559B65 8B DB 8B 00559B66 EC DB EC 00559B67 83 DB 83 00559B68 C4 DB C4 00559B69 F0 DB F0 00559B6A 53 DB 53 ; CHAR 'S' 00559B6B B8 DB B8 00559B6C 7C DB 7C ; CHAR '\|' 00559B6D 95 DB 95 00559B6E 55 DB 55 ; CHAR 'U' 00559B6F 00 DB 00 00559B70 E8 DB E8 00559B71 17 DB 17 00559B72 D9 DB D9 00559B73 EA DB EA 00559B74 FF DB FF 这个样子,请问怎么解决呢. 这个程序加壳后是从60F000开始的,解压后是从401000开始的
fly 雪币： 896 活跃值： (4039) 能力值： ( LV9，RANK：3410 ) 在线值：发帖 295 回帖 7672 粉丝 32 关注私信	fly 85 2005-12-2 16:00 5 楼 0 Ctrl+A
lnn1123 雪币： 234 活跃值： (370) 能力值： ( LV9，RANK：530 ) 在线值：发帖 39 回帖 765 粉丝 0 关注私信	lnn1123 13 2005-12-2 17:21 6 楼 0 好文章啊,多一点外壳分析可能对脱壳有很大的帮助啊,知其然,知其所以然,)
linhanshi 雪币： 85328 活跃值： (198625) 能力值： (RANK：10 ) 在线值：发帖 8992 回帖 25614 粉丝 423 关注私信	linhanshi 2005-12-2 17:53 7 楼 0 学习
	游客登录 \| 注册方可回帖　回帖　表情雪币赚取及消费高级回复

cyclotron

发帖

800

回帖

690

RANK

关注

私信

他的文章

[更新]PEunLOCK v1.2 PUBLiC by cyclotron

[原创]代码恰似故事书列数病毒七宗罪

[调查]个人联系印刷厂印刷书籍的可行性

[原创]NtkrnlProtector简明脱壳笔记

[原创]VMCrackME----A Preliminary Virtual Machine From Top To Bottom

关于我们

联系我们

企业服务

看雪公众号

最新回复 (6)
forgot 雪币： 6073 活跃值： (2236) 能力值： (RANK：1060 ) 在线值：发帖 155 回帖 3744 粉丝 15 关注私信	forgot 26 2004-5-15 11:57 2 楼 0 呵呵,可以做个JDPack了;)
fly 雪币： 896 活跃值： (4039) 能力值： ( LV9，RANK：3410 ) 在线值：发帖 295 回帖 7672 粉丝 32 关注私信	fly 85 2004-5-15 14:59 3 楼 0 看来更多的兄弟开始研究壳了支持一下 :D
4nil 雪币： 313 活跃值： (440) 能力值： ( LV12，RANK：530 ) 在线值：发帖 45 回帖 631 粉丝 2 关注私信	4nil 13 2005-12-2 14:56 4 楼 0 fly 大哥,我今天也碰到这么一个壳,可是最后RETN回来就变成 0060F402 8B95 65344000 MOV EDX,DWORD PTR SS:[EBP+403465] 0060F408 8B85 ED314000 MOV EAX,DWORD PTR SS:[EBP+4031ED] 0060F40E 03C2 ADD EAX,EDX 0060F410 894424 1C MOV DWORD PTR SS:[ESP+1C],EAX 0060F414 61 POPAD 0060F415 50 PUSH EAX 0060F416 C3 RETN 从这里返回,就变乱码了，请问是OD设置问题吗? 00559B64 55 DB 55 ; CHAR 'U' 00559B65 8B DB 8B 00559B66 EC DB EC 00559B67 83 DB 83 00559B68 C4 DB C4 00559B69 F0 DB F0 00559B6A 53 DB 53 ; CHAR 'S' 00559B6B B8 DB B8 00559B6C 7C DB 7C ; CHAR '\|' 00559B6D 95 DB 95 00559B6E 55 DB 55 ; CHAR 'U' 00559B6F 00 DB 00 00559B70 E8 DB E8 00559B71 17 DB 17 00559B72 D9 DB D9 00559B73 EA DB EA 00559B74 FF DB FF 这个样子,请问怎么解决呢. 这个程序加壳后是从60F000开始的,解压后是从401000开始的
fly 雪币： 896 活跃值： (4039) 能力值： ( LV9，RANK：3410 ) 在线值：发帖 295 回帖 7672 粉丝 32 关注私信	fly 85 2005-12-2 16:00 5 楼 0 Ctrl+A
lnn1123 雪币： 234 活跃值： (370) 能力值： ( LV9，RANK：530 ) 在线值：发帖 39 回帖 765 粉丝 0 关注私信	lnn1123 13 2005-12-2 17:21 6 楼 0 好文章啊,多一点外壳分析可能对脱壳有很大的帮助啊,知其然,知其所以然,)
linhanshi 雪币： 85328 活跃值： (198625) 能力值： (RANK：10 ) 在线值：发帖 8992 回帖 25614 粉丝 423 关注私信	linhanshi 2005-12-2 17:53 7 楼 0 学习
	游客登录 \| 注册方可回帖　回帖　表情雪币赚取及消费高级回复