一、用 PEiD 查看,壳为:ASPack 2.12 -> Alexey Solodovnikov
二。设置flyODBG忽略所有异常选项,OD自动隐藏插件帮你隐藏OD.
OD载入程序。
0048A001 > 60 pushad //OD载入后停在这里,这是外壳入口(pushad 保存全部通用寄存器)
0048A002 E8 03000000 call L2WCrack.0048A00A //F8到这。因为这个CALL比较近。F7步入
0048A007 - E9 EB045D45 jmp 45A5A4F7
0048A00C 55 push ebp
................................................
0048A00A 5D pop ebp //直接跳到这里。继续F8
0048A00B 45 inc ebp
0048A00C 55 push ebp
0048A00D C3 retn //跳
0048A00E E8 01000000 call L2WCrack.0048A014
0048A013 EB 5D jmp short L2WCrack.0048A072
....................................................
0048A008 /EB 04 jmp short L2WCrack.0048A00E //跳到了这里,这里也是一个跳转
0048A00A |5D pop ebp
0048A00B |45 inc ebp
0048A00C |55 push ebp
0048A00D |C3 retn
0048A00E \E8 01000000 call L2WCrack.0048A014 //跳到这里,这个CALL一定要F7步入,F8会启动程序。OVER
0048A013 EB 5D jmp short L2WCrack.0048A072
0048A015 BB EDFFFFFF mov ebx,-13
0048A01A 03DD add ebx,ebp
0048A01C 81EB 00A00800 sub ebx,8A000
...................................................
0048A014 5D pop ebp //跳到这里,
0048A015 BB EDFFFFFF mov ebx,-13
0048A01A 03DD add ebx,ebp
0048A01C 81EB 00A00800 sub ebx,8A000
0048A022 83BD 22040000 0>cmp dword ptr ss:[ebp+422],0
..............省略代码............................
0048A05E 53 push ebx
0048A05F 57 push edi
0048A060 FF95 490F0000 call dword ptr ss:[ebp+F49]
0048A066 8985 51050000 mov dword ptr ss:[ebp+551],eax
0048A06C 8D45 77 lea eax,dword ptr ss:[ebp+77]
0048A06F FFE0 jmp eax //一直F8来到这,又是一个跳转
0048A071 56 push esi
..................................................
0048A08A 8B9D 31050000 mov ebx,dword ptr ss:[ebp+531] //跳到这里,
0048A090 0BDB or ebx,ebx
0048A092 74 0A je short L2WCrack.0048A09E
0048A094 8B03 mov eax,dword ptr ds:[ebx]
.............省略代码N条...........
0048A12B 33DB xor ebx,ebx
0048A12D 0BC9 or ecx,ecx
0048A12F 74 2E je short L2WCrack.0048A15F
0048A131 78 2C js short L2WCrack.0048A15F
0048A133 AC lods byte ptr ds:[esi]
0048A134 3C E8 cmp al,0E8
0048A136 74 0A je short L2WCrack.0048A142
0048A138 EB 00 jmp short L2WCrack.0048A13A
0048A13A 3C E9 cmp al,0E9
0048A13C 74 04 je short L2WCrack.0048A142
0048A13E 43 inc ebx
0048A13F 49 dec ecx
0048A140 ^ EB EB jmp short L2WCrack.0048A12D //这里有个往回跳.手动脱壳一般不要让它往回跳
0048A142 8B06 mov eax,dword ptr ds:[esi] //点这里.按F4运行到这里
0048A144 EB 00 jmp short L2WCrack.0048A146
0048A146 803E 16 cmp byte ptr ds:[esi],16
0048A149 ^ 75 F3 jnz short L2WCrack.0048A13E //又一个往回跳.
0048A14B 24 00 and al,0 //F4到这里
0048A14D C1C0 18 rol eax,18
0048A150 2BC3 sub eax,ebx
0048A152 8906 mov dword ptr ds:[esi],eax
0048A154 83C3 05 add ebx,5
0048A157 83C6 04 add esi,4
0048A15A 83E9 05 sub ecx,5
0048A15D ^ EB CE jmp short L2WCrack.0048A12D //到这里又是一个往回跳.
0048A15F 5B pop ebx //F4到这里
0048A160 5E pop esi
0048A161 59 pop ecx
0048A162 58 pop eax
0048A163 EB 08 jmp short L2WCrack.0048A16D //这里往下跳
0048A165 0000 add byte ptr ds:[eax],al
......................................................
0048A16D 8BC8 mov ecx,eax //跳到这里
0048A16F 8B3E mov edi,dword ptr ds:[esi]
0048A171 03BD 22040000 add edi,dword ptr ss:[ebp+422]
0048A177 8BB5 52010000 mov esi,dword ptr ss:[ebp+152]
0048A17D C1F9 02 sar ecx,2
0048A180 F3:A5 rep movs dword ptr es:[edi],dword pt>
0048A182 8BC8 mov ecx,eax
0048A184 83E1 03 and ecx,3
0048A187 F3:A4 rep movs byte ptr es:[edi],byte ptr >
0048A189 5E pop esi
0048A18A 68 00800000 push 8000
0048A18F 6A 00 push 0
0048A191 FFB5 52010000 push dword ptr ss:[ebp+152]
0048A197 FF95 51050000 call dword ptr ss:[ebp+551]
0048A19D 83C6 08 add esi,8
0048A1A0 833E 00 cmp dword ptr ds:[esi],0
0048A1A3 ^ 0F85 1EFFFFFF jnz L2WCrack.0048A0C7 //往回跳
0048A1A9 68 00800000 push 8000 //F4到这里
0048A1AE 6A 00 push 0
0048A1B0 FFB5 56010000 push dword ptr ss:[ebp+156]
0048A1B6 FF95 51050000 call dword ptr ss:[ebp+551]
0048A1BC 8B9D 31050000 mov ebx,dword ptr ss:[ebp+531]
0048A1C2 0BDB or ebx,ebx
0048A1C4 74 08 je short L2WCrack.0048A1CE
0048A1C6 8B03 mov eax,dword ptr ds:[ebx]
0048A1C8 8785 35050000 xchg dword ptr ss:[ebp+535],eax
0048A1CE 8B95 22040000 mov edx,dword ptr ss:[ebp+422]
0048A1D4 8B85 2D050000 mov eax,dword ptr ss:[ebp+52D]
0048A1DA 2BD0 sub edx,eax
0048A1DC 74 79 je short L2WCrack.0048A257 //向下跳
0048A1DE 8BC2 mov eax,edx
0048A1E0 C1E8 10 shr eax,10
0048A1E3 33DB xor ebx,ebx
.................................................
0048A257 8B95 22040000 mov edx,dword ptr ss:[ebp+422] //跳到这里
0048A25D 8BB5 41050000 mov esi,dword ptr ss:[ebp+541]
0048A263 0BF6 or esi,esi
0048A265 74 11 je short L2WCrack.0048A278 //又一个向下跳转
0048A267 03F2 add esi,edx
0048A269 AD lods dword ptr ds:[esi]
0048A26A 0BC0 or eax,eax
0048A26C 74 0A je short L2WCrack.0048A278
0048A26E 03C2 add eax,edx
0048A270 8BF8 mov edi,eax
0048A272 66:AD lods word ptr ds:[esi]
0048A274 66:AB stos word ptr es:[edi]
0048A276 ^ EB F1 jmp short L2WCrack.0048A269
0048A278 BE 00400700 mov esi,74000 //跳到这里
0048A27D 8B95 22040000 mov edx,dword ptr ss:[ebp+422]
0048A283 03F2 add esi,edx
0048A285 8B46 0C mov eax,dword ptr ds:[esi+C]
0048A288 85C0 test eax,eax
0048A28A 0F84 0A010000 je L2WCrack.0048A39A
0048A28A /0F84 0A010000 je L2WCrack.0048A39A
0048A290 |03C2 add eax,edx
0048A292 |8BD8 mov ebx,eax
0048A294 |50 push eax
0048A295 |FF95 4D0F0000 call dword ptr ss:[ebp+F4D]
0048A29B |85C0 test eax,eax
0048A29D |75 07 jnz short L2WCrack.0048A2A6 //这里有个向下的小跳转
0048A29F |53 push ebx
0048A2A0 |FF95 510F0000 call dword ptr ss:[ebp+F51]
0048A2A6 |8985 45050000 mov dword ptr ss:[ebp+545],eax //跳到这里
0048A2AC |C785 49050000 0>mov dword ptr ss:[ebp+549],0
0048A2B6 |8B95 22040000 mov edx,dword ptr ss:[ebp+422]
..............省略N条代码...............................
0048A302 85C0 test eax,eax
0048A304 5B pop ebx
0048A305 75 6F jnz short L2WCrack.0048A376 //这里来了个大跳转.
0048A307 F7C3 00000080 test ebx,80000000
0048A30D 75 19 jnz short L2WCrack.0048A328
.......................................................
0048A376 8907 mov dword ptr ds:[edi],eax //跳到这里
0048A378 8385 49050000 0>add dword ptr ss:[ebp+549],4
0048A37F ^ E9 32FFFFFF jmp L2WCrack.0048A2B6 //往回跳
0048A384 8906 mov dword ptr ds:[esi],eax //F4到这
0048A386 8946 0C mov dword ptr ds:[esi+C],eax
0048A389 8946 10 mov dword ptr ds:[esi+10],eax
0048A38C 83C6 14 add esi,14
0048A38F 8B95 22040000 mov edx,dword ptr ss:[ebp+422]
0048A395 ^ E9 EBFEFFFF jmp L2WCrack.0048A285 //又一个往回跳
0048A39A B8 480E0700 mov eax,70E48 //F4到这里
0048A39F 50 push eax
0048A3A0 0385 22040000 add eax,dword ptr ss:[ebp+422]
0048A3A6 59 pop ecx
0048A3A7 0BC9 or ecx,ecx
0048A3A9 8985 A8030000 mov dword ptr ss:[ebp+3A8],eax
0048A3AF 61 popad //popad 出栈,恢复外壳入口处 pushad 保存的全部通用寄存器
0048A3B0 75 08 jnz short L2WCrack.0048A3BA //这里一个小跳
0048A3B2 B8 01000000 mov eax,1
0048A3B7 C2 0C00 retn 0C
0048A3BA 68 00000000 push 0 //程序运行到这里时,push 的立即数已被 0048A3A9 处的 mov 写入改成 l2wcrack.00470e48,即 OEP
0048A3BF C3 retn //retn 弹出上面 push 的地址,跳到程序真正的入口点(OEP)
............................................................
00470E48 55 push ebp //已到达 OEP 00470E48,直接用 OD 的脱壳插件 dump 程序。
00470E49 8BEC mov ebp,esp
00470E4B 83C4 F0 add esp,-10
00470E4E 53 push ebx
00470E4F B8 080C4700 mov eax,L2WCrack.00470C08
.........................................................
三、脱壳后的程序不能运行,需要修复输入表。打开 ImportREC,在系统进程中选择 L2wcrack.exe 这个进程,填入 OEP:70E48,点“自动搜索IAT”,
再点“获取输入表”,发现指针全部有效,再点“修复抓取文件”,修复脱壳后的文件,运行 OK。