Post #3
The 黑鹰 (Black Hawk) VIP cracking class may be too hard for a beginner; watch the regular 黑鹰 cracking class first (the VIP class is the advanced one).
This UPX one isn't hard.
// Manual unpacking with the ESP trick (ESP定律)
Load it in PEiD; the packer is identified as UPX 0.89.6 - 1.02 / 1.05 - 2.90 -> Markus & Laszlo // routine packer check
Load it in OD (OllyDbg)
0040EE00 > $ 60 pushad //stops here!
0040EE01 . BE 00D04000 mov esi, 0040D000
0040EE06 . 8DBE 0040FFFF lea edi, dword ptr [esi+FFFF4000]
0040EE0C . 57 push edi
0040EE0D . 83CD FF or ebp, FFFFFFFF
0040EE10 . EB 10 jmp short 0040EE22
Press F8 once and ESP is highlighted (on my machine it is 0012FFA4). Right-click 0012FFA4 and choose "Follow in Dump" from the menu.
In the dump window, select the data at 0012FFA4 (00000000), right-click it and choose Breakpoint -> Hardware, on access -> Word. Press F9 to run, then open the OD menu Debug -> Hardware breakpoints and delete the hardware breakpoint.
At this point the OD disassembly looks like this:
0040EF87 . 8D4424 80 lea eax, dword ptr [esp-80] //stops here
0040EF8B > 6A 00 push 0
0040EF8D . 39C4 cmp esp, eax
0040EF8F .^ 75 FA jnz short 0040EF8B
0040EF91 . 83EC 80 sub esp, -80
0040EF94 .- E9 A34FFFFF jmp 00403F3C //jumps to the OEP
0040EF99 00 db 00
Step down with F8 until 0040EF8F .^ 75 FA jnz short 0040EF8B; select the next line, 0040EF91 . 83EC 80 sub esp, -80, and press F4 (run to this line, which breaks out of the backward jump); then press F8 twice more to reach the OEP.
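Added example, not code from either post: the ESP trick above finds the OEP at run time; the same three facts (where the packed data is, where it is unpacked to, and the OEP) can be read statically from the stub bytes quoted in the listing, which is how a triage tool would flag a UPX 1.x stub and recover its OEP without executing the sample. The function analyze_upx_stub, the buffer SAMPLE_STUB and the constant STUB_BASE are constructed for this illustration; the byte values are copied from the listing (entry at 0040EE00, tail ending in the jmp at 0040EF94).

```python
import struct

STUB_BASE = 0x0040EE00            # address the listing above starts at

# Bytes copied from the listing: the stub head (pushad / mov esi / lea edi / push edi /
# or ebp,-1 / jmp short) and the tail ending in the jmp to the OEP at 0040EF94.
STUB_HEAD = bytes.fromhex("60 BE 00D04000 8DBE 0040FFFF 57 83CDFF EB10".replace(" ", ""))
STUB_TAIL = bytes.fromhex("61 8D442480 6A00 39C4 75FA 83EC80 E9 A34FFFFF".replace(" ", ""))

# Constructed stand-in for the stub region: the decompressor body is replaced by NOPs,
# with the tail at its real offset (0x0040EF86 - 0x0040EE00 = 0x186).
SAMPLE_STUB = STUB_HEAD + b"\x90" * (0x186 - len(STUB_HEAD)) + STUB_TAIL

TAIL_SIG = bytes.fromhex("618D4424806A0039C475FA83EC80E9")   # popad ... jmp rel32


def analyze_upx_stub(image: bytes, base: int):
    """Return src/dst of the unpack copy and the OEP, or None if head/tail do not match."""
    if (len(image) < 18 or image[0:2] != b"\x60\xBE" or image[6:8] != b"\x8D\xBE"
            or image[12:16] != b"\x57\x83\xCD\xFF"):
        return None
    src = struct.unpack_from("<I", image, 2)[0]          # mov esi, imm32
    delta = struct.unpack_from("<I", image, 8)[0]        # lea edi, [esi + imm32]
    pos = image.find(TAIL_SIG)
    if pos < 0 or pos + len(TAIL_SIG) + 4 > len(image):
        return None
    jmp_va = base + pos + len(TAIL_SIG) - 1              # VA of the E9 opcode byte
    rel = struct.unpack_from("<i", image, pos + len(TAIL_SIG))[0]
    return {
        "src": src,
        "dst": (src + delta) & 0xFFFFFFFF,               # 0040D000 + FFFF4000 wraps to 00401000
        "oep": (jmp_va + 5 + rel) & 0xFFFFFFFF,          # rel32 is relative to the next instruction
    }


if __name__ == "__main__":
    print({k: hex(v) for k, v in analyze_upx_stub(SAMPLE_STUB, STUB_BASE).items()})
```

The head pattern is only the generic UPX 1.x prologue, so a match here is a hint, not proof of the packer version PEiD reports; the OEP it returns should be confirmed the way post #3 does, by watching where the final jmp lands.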
Post #4
The main problem is that you haven't sat down and studied calmly. Even just single-stepping with F8 should get you to the destination.
Here is a copy of all the visible code:
0040EE00 > $ 60 PUSHAD
0040EE01 . BE 00D04000 MOV ESI,GetHtml.0040D000
0040EE06 . 8DBE 0040FFFF LEA EDI,DWORD PTR DS:[ESI+FFFF4000]
0040EE0C . 57 PUSH EDI
0040EE0D . 83CD FF OR EBP,FFFFFFFF
0040EE10 . EB 10 JMP SHORT GetHtml.0040EE22
0040EE12 90 NOP
0040EE13 90 NOP
0040EE14 90 NOP
0040EE15 90 NOP
0040EE16 90 NOP
0040EE17 90 NOP
0040EE18 > 8A06 MOV AL,BYTE PTR DS:[ESI]
0040EE1A . 46 INC ESI
0040EE1B . 8807 MOV BYTE PTR DS:[EDI],AL
0040EE1D . 47 INC EDI
0040EE1E > 01DB ADD EBX,EBX
0040EE20 . 75 07 JNZ SHORT GetHtml.0040EE29
0040EE22 > 8B1E MOV EBX,DWORD PTR DS:[ESI]
0040EE24 . 83EE FC SUB ESI,-4
0040EE27 . 11DB ADC EBX,EBX
0040EE29 >^ 72 ED JB SHORT GetHtml.0040EE18
0040EE2B . B8 01000000 MOV EAX,1
0040EE30 > 01DB ADD EBX,EBX
0040EE32 . 75 07 JNZ SHORT GetHtml.0040EE3B
0040EE34 . 8B1E MOV EBX,DWORD PTR DS:[ESI]
0040EE36 . 83EE FC SUB ESI,-4
0040EE39 . 11DB ADC EBX,EBX
0040EE3B > 11C0 ADC EAX,EAX
0040EE3D . 01DB ADD EBX,EBX
0040EE3F .^ 73 EF JNB SHORT GetHtml.0040EE30
0040EE41 . 75 09 JNZ SHORT GetHtml.0040EE4C
0040EE43 . 8B1E MOV EBX,DWORD PTR DS:[ESI]
0040EE45 . 83EE FC SUB ESI,-4
0040EE48 . 11DB ADC EBX,EBX
0040EE4A .^ 73 E4 JNB SHORT GetHtml.0040EE30
0040EE4C > 31C9 XOR ECX,ECX
0040EE4E . 83E8 03 SUB EAX,3
0040EE51 . 72 0D JB SHORT GetHtml.0040EE60
0040EE53 . C1E0 08 SHL EAX,8
0040EE56 . 8A06 MOV AL,BYTE PTR DS:[ESI]
0040EE58 . 46 INC ESI
0040EE59 . 83F0 FF XOR EAX,FFFFFFFF
0040EE5C . 74 74 JE SHORT GetHtml.0040EED2
0040EE5E . 89C5 MOV EBP,EAX
0040EE60 > 01DB ADD EBX,EBX
0040EE62 . 75 07 JNZ SHORT GetHtml.0040EE6B
0040EE64 . 8B1E MOV EBX,DWORD PTR DS:[ESI]
0040EE66 . 83EE FC SUB ESI,-4
0040EE69 . 11DB ADC EBX,EBX
0040EE6B > 11C9 ADC ECX,ECX
0040EE6D . 01DB ADD EBX,EBX
0040EE6F . 75 07 JNZ SHORT GetHtml.0040EE78
0040EE71 . 8B1E MOV EBX,DWORD PTR DS:[ESI]
0040EE73 . 83EE FC SUB ESI,-4
0040EE76 . 11DB ADC EBX,EBX
0040EE78 > 11C9 ADC ECX,ECX
0040EE7A . 75 20 JNZ SHORT GetHtml.0040EE9C
0040EE7C . 41 INC ECX
0040EE7D > 01DB ADD EBX,EBX
0040EE7F . 75 07 JNZ SHORT GetHtml.0040EE88
0040EE81 . 8B1E MOV EBX,DWORD PTR DS:[ESI]
0040EE83 . 83EE FC SUB ESI,-4
0040EE86 . 11DB ADC EBX,EBX
0040EE88 > 11C9 ADC ECX,ECX
0040EE8A . 01DB ADD EBX,EBX
0040EE8C .^ 73 EF JNB SHORT GetHtml.0040EE7D
0040EE8E . 75 09 JNZ SHORT GetHtml.0040EE99
0040EE90 . 8B1E MOV EBX,DWORD PTR DS:[ESI]
0040EE92 . 83EE FC SUB ESI,-4
0040EE95 . 11DB ADC EBX,EBX
0040EE97 .^ 73 E4 JNB SHORT GetHtml.0040EE7D
0040EE99 > 83C1 02 ADD ECX,2
0040EE9C > 81FD 00F3FFFF CMP EBP,-0D00
0040EEA2 . 83D1 01 ADC ECX,1
0040EEA5 . 8D142F LEA EDX,DWORD PTR DS:[EDI+EBP]
0040EEA8 . 83FD FC CMP EBP,-4
0040EEAB . 76 0F JBE SHORT GetHtml.0040EEBC
0040EEAD > 8A02 MOV AL,BYTE PTR DS:[EDX]
0040EEAF . 42 INC EDX
0040EEB0 . 8807 MOV BYTE PTR DS:[EDI],AL
0040EEB2 . 47 INC EDI
0040EEB3 . 49 DEC ECX
0040EEB4 .^ 75 F7 JNZ SHORT GetHtml.0040EEAD
0040EEB6 .^ E9 63FFFFFF JMP GetHtml.0040EE1E
0040EEBB 90 NOP
0040EEBC > 8B02 MOV EAX,DWORD PTR DS:[EDX]
0040EEBE . 83C2 04 ADD EDX,4
0040EEC1 . 8907 MOV DWORD PTR DS:[EDI],EAX
0040EEC3 . 83C7 04 ADD EDI,4
0040EEC6 . 83E9 04 SUB ECX,4
0040EEC9 .^ 77 F1 JA SHORT GetHtml.0040EEBC
0040EECB . 01CF ADD EDI,ECX
0040EECD .^ E9 4CFFFFFF JMP GetHtml.0040EE1E
0040EED2 > 5E POP ESI
0040EED3 . 89F7 MOV EDI,ESI
0040EED5 . B9 1E010000 MOV ECX,11E
0040EEDA > 8A07 MOV AL,BYTE PTR DS:[EDI]
0040EEDC . 47 INC EDI
0040EEDD . 2C E8 SUB AL,0E8
0040EEDF > 3C 01 CMP AL,1
0040EEE1 .^ 77 F7 JA SHORT GetHtml.0040EEDA
0040EEE3 . 803F 01 CMP BYTE PTR DS:[EDI],1
0040EEE6 .^ 75 F2 JNZ SHORT GetHtml.0040EEDA
0040EEE8 . 8B07 MOV EAX,DWORD PTR DS:[EDI]
0040EEEA . 8A5F 04 MOV BL,BYTE PTR DS:[EDI+4]
0040EEED . 66:C1E8 08 SHR AX,8
0040EEF1 . C1C0 10 ROL EAX,10
0040EEF4 . 86C4 XCHG AH,AL
0040EEF6 . 29F8 SUB EAX,EDI
0040EEF8 . 80EB E8 SUB BL,0E8
0040EEFB . 01F0 ADD EAX,ESI
0040EEFD . 8907 MOV DWORD PTR DS:[EDI],EAX
0040EEFF . 83C7 05 ADD EDI,5
0040EF02 . 88D8 MOV AL,BL
0040EF04 .^ E2 D9 LOOPD SHORT GetHtml.0040EEDF
0040EF06 . 8DBE 00C00000 LEA EDI,DWORD PTR DS:[ESI+C000]
0040EF0C > 8B07 MOV EAX,DWORD PTR DS:[EDI]
0040EF0E . 09C0 OR EAX,EAX
0040EF10 . 74 45 JE SHORT GetHtml.0040EF57
0040EF12 . 8B5F 04 MOV EBX,DWORD PTR DS:[EDI+4]
0040EF15 . 8D8430 A4E900>LEA EAX,DWORD PTR DS:[EAX+ESI+E9A4]
0040EF1C . 01F3 ADD EBX,ESI
0040EF1E . 50 PUSH EAX
0040EF1F . 83C7 08 ADD EDI,8
0040EF22 . FF96 44EA0000 CALL DWORD PTR DS:[ESI+EA44]
0040EF28 . 95 XCHG EAX,EBP
0040EF29 > 8A07 MOV AL,BYTE PTR DS:[EDI]
0040EF2B . 47 INC EDI
0040EF2C . 08C0 OR AL,AL
0040EF2E .^ 74 DC JE SHORT GetHtml.0040EF0C
0040EF30 . 89F9 MOV ECX,EDI
0040EF32 . 79 07 JNS SHORT GetHtml.0040EF3B
0040EF34 . 0FB707 MOVZX EAX,WORD PTR DS:[EDI]
0040EF37 . 47 INC EDI
0040EF38 . 50 PUSH EAX
0040EF39 . 47 INC EDI
0040EF3A B9 DB B9
0040EF3B . 57 PUSH EDI
0040EF3C . 48 DEC EAX
0040EF3D . F2:AE REPNE SCAS BYTE PTR ES:[EDI]
0040EF3F . 55 PUSH EBP
0040EF40 . FF96 48EA0000 CALL DWORD PTR DS:[ESI+EA48]
0040EF46 . 09C0 OR EAX,EAX
0040EF48 . 74 07 JE SHORT GetHtml.0040EF51
0040EF4A . 8903 MOV DWORD PTR DS:[EBX],EAX
0040EF4C . 83C3 04 ADD EBX,4
0040EF4F .^ EB D8 JMP SHORT GetHtml.0040EF29
0040EF51 > FF96 58EA0000 CALL DWORD PTR DS:[ESI+EA58]
0040EF57 > 8BAE 4CEA0000 MOV EBP,DWORD PTR DS:[ESI+EA4C]
0040EF5D . 8DBE 00F0FFFF LEA EDI,DWORD PTR DS:[ESI-1000]
0040EF63 . BB 00100000 MOV EBX,1000
0040EF68 . 50 PUSH EAX
0040EF69 . 54 PUSH ESP
0040EF6A . 6A 04 PUSH 4
0040EF6C . 53 PUSH EBX
0040EF6D . 57 PUSH EDI
0040EF6E . FFD5 CALL EBP
0040EF70 . 8D87 1F020000 LEA EAX,DWORD PTR DS:[EDI+21F]
0040EF76 . 8020 7F AND BYTE PTR DS:[EAX],7F
0040EF79 . 8060 28 7F AND BYTE PTR DS:[EAX+28],7F
0040EF7D . 58 POP EAX
0040EF7E . 50 PUSH EAX
0040EF7F . 54 PUSH ESP
0040EF80 . 50 PUSH EAX
0040EF81 . 53 PUSH EBX
0040EF82 . 57 PUSH EDI
0040EF83 . FFD5 CALL EBP
0040EF85 . 58 POP EAX
0040EF86 . 61 POPAD
0040EF87 . 8D4424 80 LEA EAX,DWORD PTR SS:[ESP-80]
0040EF8B > 6A 00 PUSH 0
0040EF8D . 39C4 CMP ESP,EAX
0040EF8F .^ 75 FA JNZ SHORT GetHtml.0040EF8B
0040EF91 . 83EC 80 SUB ESP,-80
0040EF94 .- E9 A34FFFFF JMP GetHtml.00403F3C <----------- this is the jump to the OEP
Below this there is nothing more:
0040EF99 00 DB 00
0040EF9A 00 DB 00
……
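Added example, not the poster's code: the body of the stub in post #4 between 0040EE18 and 0040EED1 is the UPX NRV2B decompressor (a 32-bit little-endian bit buffer in EBX, EBP holding the negated last match offset, EAX the offset code, ECX the length). The Python below reimplements that loop as nrv2b_decompress, following the listing instruction by instruction, with the bounds checks a triage tool needs and the stub itself omits. nrv2b_compress and _BitWriter are a small greedy encoder written only so the decoder has a round-trip input; they are an assumption of this example, not UPX's own encoder. SAMPLE_DATA is constructed input.

```python
SAMPLE_DATA = (b"xyzxyz " + b"The quick brown fox " * 3          # constructed input
               + bytes(range(256)) * 14 + b"The quick brown fox ")


def nrv2b_decompress(src: bytes) -> bytes:
    """Mirror of the stub loop: esi->ip, edi->out, ebx->bb/bc, ebp->-last_off."""
    out, ip, bb, bc, last_off = bytearray(), 0, 0, 0, 1   # or ebp,-1 => last_off = 1

    def getbit() -> int:              # add ebx,ebx / jnz / mov ebx,[esi] / adc ebx,ebx
        nonlocal ip, bb, bc
        if bc == 0:
            if ip + 4 > len(src):
                raise ValueError("truncated bit stream")
            bb, ip, bc = int.from_bytes(src[ip:ip + 4], "little"), ip + 4, 32
        bc -= 1
        return (bb >> bc) & 1

    def getbyte() -> int:             # mov al,[esi] / inc esi, with a bounds check
        nonlocal ip
        if ip >= len(src):
            raise ValueError("truncated byte stream")
        ip += 1
        return src[ip - 1]

    while True:
        while getbit():                            # jb 0040EE18: copy one literal byte
            out.append(getbyte())
        m_off = 1                                  # mov eax,1; then the 0040EE30 loop
        while True:
            m_off = m_off * 2 + getbit()
            if getbit():
                break
        if m_off == 2:                             # sub eax,3 / jb: reuse previous offset
            m_off = last_off
        else:
            m_off = (m_off - 3) * 256 + getbyte()  # shl eax,8 / mov al,[esi]
            if m_off == 0xFFFFFFFF:                # xor eax,-1 / je 0040EED2: end marker
                break
            last_off = m_off = m_off + 1           # mov ebp,eax  (ebp = -m_off)
        m_len = getbit()                           # 0040EE60..0040EE78: adc ecx,ecx twice
        m_len = m_len * 2 + getbit()
        if m_len == 0:                             # inc ecx, prefix loop, add ecx,2
            m_len = 1
            while True:
                m_len = m_len * 2 + getbit()
                if getbit():
                    break
            m_len += 2
        m_len += 2 if m_off > 0xD00 else 1         # cmp ebp,-0D00 / adc ecx,1
        if m_off > len(out):
            raise ValueError("match offset reaches before the start of the output")
        for _ in range(m_len):                     # 0040EEAD / 0040EEBC copy loops
            out.append(out[-m_off])
    return bytes(out)


class _BitWriter:
    """Reserve each 32-bit bit group where the decoder will read it; bytes follow it."""
    def __init__(self):
        self.buf, self.bb, self.bc, self.slot = bytearray(), 0, 0, 0

    def putbit(self, bit: int) -> None:
        if self.bc == 0:
            self.slot = len(self.buf)
            self.buf += b"\0\0\0\0"
        self.bb, self.bc = (self.bb << 1) | bit, self.bc + 1
        if self.bc == 32:
            self.flush()

    def putbyte(self, v: int) -> None:
        self.buf.append(v)

    def flush(self) -> None:
        if self.bc:
            self.buf[self.slot:self.slot + 4] = (self.bb << (32 - self.bc)).to_bytes(4, "little")
            self.bb = self.bc = 0


def _put_prefix(w: _BitWriter, v: int) -> None:
    """Inverse of 'm = 1; do m = m*2 + bit while (!bit)'; needs v >= 2."""
    for i in range(v.bit_length() - 2, -1, -1):
        w.putbit((v >> i) & 1)
        w.putbit(1 if i == 0 else 0)


def nrv2b_compress(data: bytes, window: int = 0x1000, max_len: int = 0x100) -> bytes:
    """Greedy encoder written for this example (not UPX's); enough to round-trip."""
    w, table, pos, last_off = _BitWriter(), {}, 0, 1
    for i in range(len(data) - 2):
        table.setdefault(data[i:i + 3], []).append(i)
    while pos < len(data):
        best_len = best_d = 0
        for cand in table.get(data[pos:pos + 3], ()):
            if cand >= pos:
                break
            if pos - cand > window:
                continue
            n = 0
            while n < max_len and pos + n < len(data) and data[cand + n] == data[pos + n]:
                n += 1
            if n > best_len:
                best_len, best_d = n, pos - cand
        if best_len < 3:                           # literal: bit 1 followed by the raw byte
            w.putbit(1)
            w.putbyte(data[pos])
            pos += 1
            continue
        w.putbit(0)                                # match: offset code, then length code
        if best_d == last_off:
            _put_prefix(w, 2)
        else:
            _put_prefix(w, ((best_d - 1) >> 8) + 3)
            w.putbyte((best_d - 1) & 0xFF)
            last_off = best_d
        m_len = best_len - (2 if best_d > 0xD00 else 1)
        if m_len <= 3:
            w.putbit(m_len >> 1)
            w.putbit(m_len & 1)
        else:
            w.putbit(0)
            w.putbit(0)
            _put_prefix(w, m_len - 2)
        pos += best_len
    w.putbit(0)                                    # end marker: raw offset 0xFFFFFFFF
    _put_prefix(w, 0x1000002)
    w.putbyte(0xFF)
    w.flush()
    return bytes(w.buf)
```

The two ValueError checks are the point of rewriting the loop in a safe language: the stub trusts its own packed data completely (a match offset that reaches before EDI's start, or a bit stream that runs past the section, is simply read), so a decoder used on files from the outside has to add those checks itself.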