ABC1.1控制端...PEID09.4查的壳是:yoda's Protector v1.02 (.dll,.ocx) -> Ashkbiz Danehkar (h) *
0.95查的壳是:Anti007 V1.0-V2.X -> NsPacK Private *
郁闷啊...谁能帮帮忙...
这是程序的开头...
00DD3D05 > 60 pushad
00DD3D06 9C pushfd
00DD3D07 E8 00000000 call RemoteAB.00DD3D0C
00DD3D0C 5D pop ebp
00DD3D0D 83ED 07 sub ebp,7
00DD3D10 8D9D B3FEFFFF lea ebx,dword ptr ss:[ebp-14D]
00DD3D16 8A03 mov al,byte ptr ds:[ebx]
00DD3D18 3C 00 cmp al,0
00DD3D1A 74 10 je short RemoteAB.00DD3D2C
00DD3D1C 8D9D DBFEFFFF lea ebx,dword ptr ss:[ebp-125]
00DD3D22 8A03 mov al,byte ptr ds:[ebx]
00DD3D24 3C 01 cmp al,1
00DD3D26 0F84 42020000 je RemoteAB.00DD3F6E
00DD3D2C C603 01 mov byte ptr ds:[ebx],1
00DD3D2F 8BD5 mov edx,ebp
00DD3D31 2B95 6FFEFFFF sub edx,dword ptr ss:[ebp-191]
00DD3D37 8995 6FFEFFFF mov dword ptr ss:[ebp-191],edx
00DD3D3D 0195 9FFEFFFF add dword ptr ss:[ebp-161],edx
00DD3D43 8DB5 E3FEFFFF lea esi,dword ptr ss:[ebp-11D]
00DD3D49 0116 add dword ptr ds:[esi],edx
00DD3D4B 60 pushad
00DD3D4C 6A 40 push 40
00DD3D4E 68 00100000 push 1000
00DD3D53 68 00100000 push 1000
00DD3D58 6A 00 push 0
00DD3D5A FF95 17FFFFFF call dword ptr ss:[ebp-E9]
00DD3D60 85C0 test eax,eax
00DD3D62 0F84 6A030000 je RemoteAB.00DD40D2
00DD3D68 8985 97FEFFFF mov dword ptr ss:[ebp-169],eax
00DD3D6E E8 00000000 call RemoteAB.00DD3D73
00DD3D73 5B pop ebx
00DD3D74 B9 68030000 mov ecx,368
00DD3D79 03D9 add ebx,ecx
00DD3D7B 50 push eax
00DD3D7C 53 push ebx
00DD3D7D E8 B1020000 call RemoteAB.00DD4033
00DD3D82 61 popad
00DD3D83 8B36 mov esi,dword ptr ds:[esi]
00DD3D85 8BFD mov edi,ebp
00DD3D87 03BD 5FFEFFFF add edi,dword ptr ss:[ebp-1A1]
00DD3D8D 8BDF mov ebx,edi
00DD3D8F 833F 00 cmp dword ptr ds:[edi],0
00DD3D92 75 0A jnz short RemoteAB.00DD3D9E
00DD3D94 83C7 04 add edi,4
00DD3D97 B9 00000000 mov ecx,0
00DD3D9C EB 16 jmp short RemoteAB.00DD3DB4
00DD3D9E B9 01000000 mov ecx,1
00DD3DA3 033B add edi,dword ptr ds:[ebx]
00DD3DA5 83C3 04 add ebx,4
00DD3DA8 833B 00 cmp dword ptr ds:[ebx],0
00DD3DAB 74 36 je short RemoteAB.00DD3DE3
00DD3DAD 0113 add dword ptr ds:[ebx],edx
00DD3DAF 8B33 mov esi,dword ptr ds:[ebx]
00DD3DB1 037B 04 add edi,dword ptr ds:[ebx+4]
00DD3DB4 57 push edi
00DD3DB5 51 push ecx
00DD3DB6 52 push edx
00DD3DB7 53 push ebx
00DD3DB8 FFB5 1BFFFFFF push dword ptr ss:[ebp-E5]
00DD3DBE FFB5 17FFFFFF push dword ptr ss:[ebp-E9]
00DD3DC4 8BD6 mov edx,esi
00DD3DC6 8BCF mov ecx,edi
00DD3DC8 8B85 97FEFFFF mov eax,dword ptr ss:[ebp-169]
00DD3DCE 05 AA050000 add eax,5AA
00DD3DD3 FFD0 call eax
00DD3DD5 5B pop ebx
00DD3DD6 5A pop edx
00DD3DD7 59 pop ecx
00DD3DD8 5F pop edi
00DD3DD9 83F9 00 cmp ecx,0
00DD3DDC 74 05 je short RemoteAB.00DD3DE3
00DD3DDE 83C3 08 add ebx,8
00DD3DE1 ^ EB C5 jmp short RemoteAB.00DD3DA8
00DD3DE3 68 00800000 push 8000
00DD3DE8 6A 00 push 0
00DD3DEA FFB5 97FEFFFF push dword ptr ss:[ebp-169]
00DD3DF0 FF95 1BFFFFFF call dword ptr ss:[ebp-E5]
00DD3DF6 8DB5 9FFEFFFF lea esi,dword ptr ss:[ebp-161]
00DD3DFC 8B4E 08 mov ecx,dword ptr ds:[esi+8]
00DD3DFF 8D56 10 lea edx,dword ptr ds:[esi+10]
00DD3E02 8B36 mov esi,dword ptr ds:[esi]
00DD3E04 8BFE mov edi,esi
00DD3E06 83F9 00 cmp ecx,0
00DD3E09 74 3F je short RemoteAB.00DD3E4A
00DD3E0B 8A07 mov al,byte ptr ds:[edi]
00DD3E0D 47 inc edi
00DD3E0E 2C E8 sub al,0E8
00DD3E10 3C 01 cmp al,1
00DD3E12 ^ 77 F7 ja short RemoteAB.00DD3E0B
00DD3E14 8B07 mov eax,dword ptr ds:[edi]
00DD3E16 807A 01 00 cmp byte ptr ds:[edx+1],0
00DD3E1A 74 14 je short RemoteAB.00DD3E30
[课程]Android-CTF解题方法汇总!
