已经脱壳成功过了,但在运行时,要检测狗,用OD载入后,查ASCII,找到弹出找不到加密狗的地方,双击进入,下面是:
007950A6 . 55 push ebp
007950A7 . 68 CB537900 push UnPacked.007953CB
007950AC . 64:FF30 push dword ptr fs:[eax]
007950AF . 64:8920 mov dword ptr fs:[eax],esp
007950B2 . 8B45 FC mov eax,dword ptr ss:[ebp-4]
007950B5 . 8B80 18030000 mov eax,dword ptr ds:[eax+318]
007950BB . 33D2 xor edx,edx
007950BD . E8 66E0CAFF call UnPacked.00443128
007950C2 8B45 FC mov eax,dword ptr ss:[ebp-4]
007950C5 E8 C61FD1FF call UnPacked.004A7090
007950CA 833D E4807A00 >cmp dword ptr ds:[7A80E4],0
007950D1 77 30 ja short UnPacked.00795103
007950D3 6A 10 push 10
007950D5 B9 2C547900 mov ecx,UnPacked.0079542C
\\系统出错
007950DA BA 38547900 mov edx,UnPacked.00795438
\\读加密锁错误,请检查。
007950DF A1 10567A00 mov eax,dword ptr ds:[7A5610]
007950E4 8B00 mov eax,dword ptr ds:[eax]
007950E6 E8 3D59D1FF call UnPacked.004AAA28
007950EB . 8B45 FC mov eax,dword ptr ss:[ebp-4]
007950EE . E8 FD1DD1FF call UnPacked.004A6EF0
007950F3 . A1 E4807A00 mov eax,dword ptr ds:[7A80E4]
007950F8 . 50 push eax ; /hLibModule => NULL
007950F9 . E8 EA20C7FF call <jmp.&kernel32.FreeLibrary> ; \FreeLibrary
007950FE . E8 F9F2C6FF call UnPacked.004043FC
00795103 833D EC807A00 >cmp dword ptr ds:[7A80EC],0
0079510A 7D 30 jge short UnPacked.0079513C
0079510C . 6A 10 push 10
0079510E B9 2C547900 mov ecx,UnPacked.0079542C
\\系统出错
00795113 BA 38547900 mov edx,UnPacked.00795438
\\读加密锁错误,请检查。
00795118 A1 10567A00 mov eax,dword ptr ds:[7A5610]
0079511D 8B00 mov eax,dword ptr ds:[eax]
0079511F . E8 0459D1FF call UnPacked.004AAA28
00795124 . 8B45 FC mov eax,dword ptr ss:[ebp-4]
00795127 . E8 C41DD1FF call UnPacked.004A6EF0
0079512C . A1 E4807A00 mov eax,dword ptr ds:[7A80E4]
00795131 . 50 push eax ; /hLibModule => NULL
00795132 . E8 B120C7FF call <jmp.&kernel32.FreeLibrary> ; \FreeLibrary
00795137 . E8 C0F2C6FF call UnPacked.004043FC
0079513C > 8D85 F7FDFFFF lea eax,dword ptr ss:[ebp-209]
00795142 . 50 push eax
00795143 . 6A 00 push 0
00795145 . A1 EC807A00 mov eax,dword ptr ds:[7A80EC]
0079514A . 50 push eax
0079514B . A1 D8547A00 mov eax,dword ptr ds:[7A54D8]
00795150 . 8B00 mov eax,dword ptr ds:[eax]
00795152 . FFD0 call eax
00795154 . A3 E8807A00 mov dword ptr ds:[7A80E8],eax
00795159 833D E8807A00 >cmp dword ptr ds:[7A80E8],0
00795160 7D 30 jge short UnPacked.00795192
00795162 . 6A 10 push 10
00795164 B9 2C547900 mov ecx,UnPacked.0079542C
\\系统出错
00795169 BA 38547900 mov edx,UnPacked.00795438
\\读加密锁错误,请检查。
0079516E A1 10567A00 mov eax,dword ptr ds:[7A5610]
00795173 8B00 mov eax,dword ptr ds:[eax]
00795175 . E8 AE58D1FF call UnPacked.004AAA28
0079517A . 8B45 FC mov eax,dword ptr ss:[ebp-4]
0079517D . E8 6E1DD1FF call UnPacked.004A6EF0
00795182 . A1 E4807A00 mov eax,dword ptr ds:[7A80E4]
00795187 . 50 push eax ; /hLibModule => NULL
00795188 . E8 5B20C7FF call <jmp.&kernel32.FreeLibrary> ; \FreeLibrary
0079518D . E8 6AF2C6FF call UnPacked.004043FC
00795192 > 8D9D F7FDFFFF lea ebx,dword ptr ss:[ebp-209]
00795198 . 8D85 F0FDFFFF lea eax,dword ptr ss:[ebp-210]
0079519E . 8BD3 mov edx,ebx
007951A0 . E8 6FF5C6FF call UnPacked.00404714
007951A5 . 8B85 F0FDFFFF mov eax,dword ptr ss:[ebp-210]
007951AB . BA 60547900 mov edx,UnPacked.00795460
007951B0 . E8 73F7C6FF call UnPacked.00404928
007951B5 74 30 je short UnPacked.007951E7
007951B7 . 6A 10 push 10
007951B9 B9 2C547900 mov ecx,UnPacked.0079542C
\\系统出错
007951BE BA 38547900 mov edx,UnPacked.00795438
\\读加密锁错误,请检查。
007951C3 A1 10567A00 mov eax,dword ptr ds:[7A5610]
007951C8 8B00 mov eax,dword ptr ds:[eax]
007951CA . E8 5958D1FF call UnPacked.004AAA28
007951CF . 8B45 FC mov eax,dword ptr ss:[ebp-4]
007951D2 . E8 191DD1FF call UnPacked.004A6EF0
007951D7 . A1 E4807A00 mov eax,dword ptr ds:[7A80E4]
007951DC . 50 push eax ; /hLibModule => NULL
007951DD . E8 0620C7FF call <jmp.&kernel32.FreeLibrary> ; \FreeLibrary
007951E2 . E8 15F2C6FF call UnPacked.004043FC
007951E7 > A1 EC807A00 mov eax,dword ptr ds:[7A80EC]
007951EC . 50 push eax
007951ED . A1 3C567A00 mov eax,dword ptr ds:[7A563C]
007951F2 . 8B00 mov eax,dword ptr ds:[eax]
007951F4 . FFD0 call eax
007951F6 . A1 E4807A00 mov eax,dword ptr ds:[7A80E4]
007951FB . 50 push eax ; /hLibModule => NULL
007951FC . E8 E71FC7FF call <jmp.&kernel32.FreeLibrary> ; \FreeLibrary
00795201 . 8B45 FC mov eax,dword ptr ss:[ebp-4]
00795204 . 8B90 F8020000 mov edx,dword ptr ds:[eax+2F8]
0079520A . 8B45 F8 mov eax,dword ptr ss:[ebp-8]
0079520D . 8B08 mov ecx,dword ptr ds:[eax]
0079520F . FF91 6C020000 call dword ptr ds:[ecx+26C]
00795215 . 8B45 F8 mov eax,dword ptr ss:[ebp-8]
00795218 . E8 CF28D8FF call UnPacked.00517AEC
0079521D . 8B10 mov edx,dword ptr ds:[eax]
0079521F . FF52 44 call dword ptr ds:[edx+44]
00795222 . 8B45 F8 mov eax,dword ptr ss:[ebp-8]
00795225 . E8 C228D8FF call UnPacked.00517AEC
0079522A . BA 78547900 mov edx,UnPacked.00795478
0079522F . 8B08 mov ecx,dword ptr ds:[eax]
00795231 . FF51 38 call dword ptr ds:[ecx+38]
00795234 . 8B45 F8 mov eax,dword ptr ss:[ebp-8]
00795237 . E8 7C2CD3FF call UnPacked.004C7EB8
0079523C . 8B45 FC mov eax,dword ptr ss:[ebp-4]
0079523F . 8B90 FC020000 mov edx,dword ptr ds:[eax+2FC]
00795245 . 8B45 FC mov eax,dword ptr ss:[ebp-4]
00795248 . 8B80 20030000 mov eax,dword ptr ds:[eax+320]
0079524E . E8 519AFBFF call UnPacked.0074ECA4
00795253 . 8B45 F8 mov eax,dword ptr ss:[ebp-8]
00795256 . 8B10 mov edx,dword ptr ds:[eax]
00795258 . FF92 4C010000 call dword ptr ds:[edx+14C]
0079525E . 85C0 test eax,eax
00795260 . 0F8E CE000000 jle UnPacked.00795334
00795266 . 8B45 FC mov eax,dword ptr ss:[ebp-4]
00795269 . 8B80 20030000 mov eax,dword ptr ds:[eax+320]
0079526F . BA 3C557900 mov edx,UnPacked.0079553C
00795274 . 8B08 mov ecx,dword ptr ds:[eax]
00795276 . FF91 B8000000 call dword ptr ds:[ecx+B8]
0079527C . 8B45 FC mov eax,dword ptr ss:[ebp-4]
0079527F . 8B80 20030000 mov eax,dword ptr ds:[eax+320]
00795285 . 8B80 48010000 mov eax,dword ptr ds:[eax+148]
0079528B . 8B10 mov edx,dword ptr ds:[eax]
0079528D . FF52 44 call dword ptr ds:[edx+44]
00795290 . 8B45 F8 mov eax,dword ptr ss:[ebp-8]
00795293 . 8B10 mov edx,dword ptr ds:[eax]
00795295 . FF92 4C010000 call dword ptr ds:[edx+14C]
0079529B . 8BD8 mov ebx,eax
0079529D . 4B dec ebx
0079529E . 85DB test ebx,ebx
007952A0 . 0F8C 8E000000 jl UnPacked.00795334
007952A6 . 43 inc ebx
007952A7 . 33F6 xor esi,esi
007952A9 > BA 4C557900 mov edx,UnPacked.0079554C ; ASCII "FieldNameEn"
007952AE . 8B45 F8 mov eax,dword ptr ss:[ebp-8]
007952B1 . E8 0A3DD3FF call UnPacked.004C8FC0
007952B6 . 8D95 E8FDFFFF lea edx,dword ptr ss:[ebp-218]
007952BC . 8B08 mov ecx,dword ptr ds:[eax]
007952BE . FF51 60 call dword ptr ds:[ecx+60]
007952C1 . FFB5 E8FDFFFF push dword ptr ss:[ebp-218]
007952C7 . 68 60557900 push UnPacked.00795560
007952CC . BA 6C557900 mov edx,UnPacked.0079556C ; ASCII "FieldNameCn"
007952D1 . 8B45 F8 mov eax,dword ptr ss:[ebp-8]
007952D4 . E8 E73CD3FF call UnPacked.004C8FC0
007952D9 . 8D95 E4FDFFFF lea edx,dword ptr ss:[ebp-21C]
007952DF . 8B08 mov ecx,dword ptr ds:[eax]
007952E1 . FF51 60 call dword ptr ds:[ecx+60]
007952E4 . FFB5 E4FDFFFF push dword ptr ss:[ebp-21C]
007952EA . 8D85 ECFDFFFF lea eax,dword ptr ss:[ebp-214]
007952F0 . BA 03000000 mov edx,3
007952F5 . E8 A2F5C6FF call UnPacked.0040489C
007952FA . 8B95 ECFDFFFF mov edx,dword ptr ss:[ebp-214]
00795300 . 8B45 FC mov eax,dword ptr ss:[ebp-4]
00795303 . 8B80 20030000 mov eax,dword ptr ds:[eax+320]
00795309 . 8B80 48010000 mov eax,dword ptr ds:[eax+148]
0079530F . 8B08 mov ecx,dword ptr ds:[eax]
00795311 . FF51 38 call dword ptr ds:[ecx+38]
00795314 . 8B45 F8 mov eax,dword ptr ss:[ebp-8]
00795317 . 8B10 mov edx,dword ptr ds:[eax]
00795319 . FF92 4C010000 call dword ptr ds:[edx+14C]
0079531F . 48 dec eax
00795320 . 3BF0 cmp esi,eax
00795322 . 7D 08 jge short UnPacked.0079532C
00795324 . 8B45 F8 mov eax,dword ptr ss:[ebp-8]
00795327 . E8 D453D3FF call UnPacked.004CA700
0079532C > 46 inc esi
0079532D . 4B dec ebx
0079532E .^ 0F85 75FFFFFF jnz UnPacked.007952A9
00795334 > 8B45 FC mov eax,dword ptr ss:[ebp-4]
00795337 . 8B80 FC020000 mov eax,dword ptr ds:[eax+2FC]
0079533D . E8 822BD3FF call UnPacked.004C7EC4
00795342 . 8B45 FC mov eax,dword ptr ss:[ebp-4]
00795345 . 8B80 FC020000 mov eax,dword ptr ds:[eax+2FC]
0079534B . E8 9C27D8FF call UnPacked.00517AEC
00795350 . 8B10 mov edx,dword ptr ds:[eax]
00795352 . FF52 44 call dword ptr ds:[edx+44]
00795355 . 8B45 FC mov eax,dword ptr ss:[ebp-4]
00795358 . 8B80 FC020000 mov eax,dword ptr ds:[eax+2FC]
0079535E . E8 8927D8FF call UnPacked.00517AEC
00795363 . BA 80557900 mov edx,UnPacked.00795580
00795368 . 8B08 mov ecx,dword ptr ds:[eax]
0079536A . FF51 38 call dword ptr ds:[ecx+38]
0079536D . 8B45 FC mov eax,dword ptr ss:[ebp-4]
00795370 . 8B80 FC020000 mov eax,dword ptr ds:[eax+2FC]
00795376 . E8 3D2BD3FF call UnPacked.004C7EB8
0079537B . 8B45 FC mov eax,dword ptr ss:[ebp-4]
0079537E . 8B90 FC020000 mov edx,dword ptr ds:[eax+2FC]
00795384 . 8B45 FC mov eax,dword ptr ss:[ebp-4]
00795387 . 8B80 20030000 mov eax,dword ptr ds:[eax+320]
0079538D . E8 1299FBFF call UnPacked.0074ECA4
00795392 . 8B45 FC mov eax,dword ptr ss:[ebp-4]
00795395 . 8B90 20030000 mov edx,dword ptr ds:[eax+320]
0079539B . 8B45 FC mov eax,dword ptr ss:[ebp-4]
0079539E . 8B80 1C030000 mov eax,dword ptr ds:[eax+31C]
007953A4 . E8 FBC8FAFF call UnPacked.00741CA4
007953A9 . 8B45 FC mov eax,dword ptr ss:[ebp-4]
007953AC . 8B80 FC020000 mov eax,dword ptr ds:[eax+2FC]
007953B2 . 8B55 FC mov edx,dword ptr ss:[ebp-4]
007953B5 . 8B92 1C030000 mov edx,dword ptr ds:[edx+31C]
007953BB . 8982 20020000 mov dword ptr ds:[edx+220],eax
007953C1 . 33C0 xor eax,eax
007953C3 . 5A pop edx
007953C4 . 59 pop ecx
007953C5 . 59 pop ecx
007953C6 . 64:8910 mov dword ptr fs:[eax],edx
007953C9 . EB 12 jmp short UnPacked.007953DD
007953CB .^ E9 8CE7C6FF jmp UnPacked.00403B5C
007953D0 . 8B45 F8 mov eax,dword ptr ss:[ebp-8]
007953D3 . E8 A4E2C6FF call UnPacked.0040367C
007953D8 . E8 ABEBC6FF call UnPacked.00403F88
007953DD > 6A 00 push 0
007953DF . 6A 01 push 1
007953E1 . 8B45 FC mov eax,dword ptr ss:[ebp-4]
007953E4 . 8B80 1C030000 mov eax,dword ptr ds:[eax+31C]
007953EA . E8 65DAF9FF call UnPacked.00732E54
007953EF . 50 push eax ; |Arg1
007953F0 . E8 5FF2FAFF call UnPacked.00744654 ; \UnPacked.00744654
007953F5 . 8B45 FC mov eax,dword ptr ss:[ebp-4]
007953F8 . E8 F31AD1FF call UnPacked.004A6EF0
007953FD . 33C0 xor eax,eax
007953FF . 5A pop edx
00795400 . 59 pop ecx
00795401 . 59 pop ecx
00795402 . 64:8910 mov dword ptr fs:[eax],edx
00795405 . 68 22547900 push UnPacked.00795422
0079540A > 8D85 E4FDFFFF lea eax,dword ptr ss:[ebp-21C]
00795410 . BA 04000000 mov edx,4
00795415 . E8 16F1C6FF call UnPacked.00404530
0079541A . C3 retn
如果把上面所有JA / JGE / 改为JMP,就可以运行了,但加壳后就不能进入,这是问题一。
如果不改JA 、JGE 为JMP,把提示找不到加密锁的地方RUTN后,加壳后可以运行,但有些功能出错。
请问高手,要怎么改?