工作平台：Windows XP
; ---------------------------------------------------------------------------
; OllyDbg trace of a manual-unpacking session on a packed notepad.exe.
; Format: address, opcode bytes, Intel-syntax instruction, ";" comment.
; The "notepad.xxxxxxxx" / "kernel32.xxxxxxxx" texts are OllyDbg's own
; annotations; the leading ">", "-", "/", "^" are its jump markers, not code.
; The stub runs from the PUSHAD at 01010001 to the POPAD at 010103AF and
; hands control to the original entry point (OEP) at 01006420.
; The original Chinese step notes are translated in place; comments tagged
; [review] are added analysis derived from the listed bytes and addresses.
; ---------------------------------------------------------------------------
01010001 > 60 PUSHAD ; stop here: this PUSHAD is the stub's entry marker (paired with the POPAD at 010103AF)
01010002 E8 03000000 CALL 0101000A ; step in with F7; F8 would run past this and lose the trace
01010007 - E9 EB045D45 JMP 465E04F7 ; [review] decoy: the CALL above lands inside this instruction's operand bytes (5D 45 = POP EBP / INC EBP), so the JMP shown here never executes
0101000C 55 PUSH EBP
0101000D C3 RETN ; returns to the value in EBP (01010008, set by the POP/INC hidden in the bytes above)
01010008 /EB 04 JMP SHORT 0101000E ; the RETN lands here; keep stepping with F8
0101000E E8 01000000 CALL 01010014 ; jump target; F7 to step in. The target is the next instruction, so the CALL only pushes the return address 01010013
01010014 5D POP EBP ; lands here; F8 from now on. EBP = 01010013, the runtime base for every [EBP+xxx] reference below (get-delta idiom)
01010015 BB EDFFFFFF MOV EBX, -13
0101001A 03DD ADD EBX, EBP ; notepad.01010008 (OllyDbg annotation); [review] with EBP = 01010013 this gives EBX = 01010000
0101001C 81EB 00000100 SUB EBX, 10000 ; UNICODE "=::=::\\" (OllyDbg annotation); [review] EBX = 01000000, the image base also held in [EBP+422] below
.........
0101005F 57 PUSH EDI ; kernel32.77E60000: hModule argument (kernel32 base)
01010060 FF95 490F0000 CALL [EBP+F49] ; kernel32.GetProcAddress: the stub resolves imports at run time through a pointer kept in its EBP-relative data
01010066 8985 51050000 MOV [EBP+551], EAX ; kernel32.VirtualFree: resolved address cached in the stub's table; used by the call at 010101B6
0101006C 8D45 77 LEA EAX, [EBP+77]
0101006F - FFE0 JMP EAX ; computed jump; EBP+77 = 0101008A
0101008A 8B9D 31050000 MOV EBX, [EBP+531] ; jump target
01010090 0BDB OR EBX, EBX ; notepad.0101007E
01010092 74 0A JE SHORT 0101009E ; taken (EBX == 0)
0101009E 8DB5 69050000 LEA ESI, [EBP+569] ; jump target
010100A4 833E 00 CMP DWORD PTR [ESI], 0
010100A7 0F84 21010000 JE 010101CE ; not taken here; note the target 010101CE and keep stepping down with F8
010100AD 6A 04 PUSH 4
.........
01010122 83E9 06 SUB ECX, 6
01010125 8BB5 52010000 MOV ESI, [EBP+152]
0101012B 33DB XOR EBX, EBX
0101012D 0BC9 OR ECX, ECX
0101012F 74 2E JE SHORT 0101015F ; press Enter on this jump to follow its target and step past the loop
0101015F 5B POP EBX ; jump target; F4 (run to cursor), then continue with F8
01010160 5E POP ESI ; notepad.01001000
01010161 59 POP ECX ; notepad.01001000
01010162 58 POP EAX ; notepad.01001000
01010163 EB 08 JMP SHORT 0101016D ; taken
0101016D 8BC8 MOV ECX, EAX ; jump target; continue with F8
0101016F 8B3E MOV EDI, [ESI]
01010171 03BD 22040000 ADD EDI, [EBP+422] ; notepad.01000000 (image base): EDI becomes an absolute address
01010177 8BB5 52010000 MOV ESI, [EBP+152]
.........
0101019D 83C6 08 ADD ESI, 8
010101A0 833E 00 CMP DWORD PTR [ESI], 0
010101A3 ^ 0F85 1EFFFFFF JNZ 010100C7 ; backward jump: the loop continues while the 8-byte entry at [ESI] is non-zero
010101A9 68 00800000 PUSH 8000 ; F4 to here; 8000 = MEM_RELEASE
010101AE 6A 00 PUSH 0 ; dwSize = 0 (required with MEM_RELEASE)
010101B0 FFB5 56010000 PUSH DWORD PTR [EBP+156] ; lpAddress
010101B6 FF95 51050000 CALL [EBP+551] ; kernel32.VirtualFree: the stub releases a buffer it no longer needs (function pointer cached at 01010066)
010101BC 8B9D 31050000 MOV EBX, [EBP+531]
010101C2 0BDB OR EBX, EBX ; notepad.01001000
010101C4 74 08 JE SHORT 010101CE ; taken
010101CE 8B95 22040000 MOV EDX, [EBP+422] ; lands here; EDX = image base (01000000)
010101D4 8B85 2D050000 MOV EAX, [EBP+52D] ; notepad.01000000
010101DA 2BD0 SUB EDX, EAX ; [review] looks like a relocation-delta check (actual minus expected base) — unconfirmed
010101DC 74 79 JE SHORT 01010257 ; taken: the difference is zero here
01010257 8B95 22040000 MOV EDX, [EBP+422] ; jump target
0101025D 8BB5 41050000 MOV ESI, [EBP+541]
01010263 0BF6 OR ESI, ESI ; notepad.01010594
01010265 74 11 JE SHORT 01010278 ; taken
01010278 BE 50660000 MOV ESI, 6650 ; jump target
.........
01010285 8B46 0C MOV EAX, [ESI+C]
01010288 85C0 TEST EAX, EAX
0101028A 0F84 0A010000 JE 0101039A ; do not F4 past the backward jump further down (the process runs away); press Enter here to follow this jump directly
0101039A B8 20640000 MOV EAX, 6420 ; lands here; F4, then continue with F8. 6420 is the OEP's RVA
0101039F 50 PUSH EAX
010103A0 0385 22040000 ADD EAX, [EBP+422] ; notepad.01000000: EAX = 01000000 + 6420 = 01006420, the OEP's virtual address
010103A6 59 POP ECX ; 005C0076 (OllyDbg annotation); ECX = 6420, pushed at 0101039F
010103A7 0BC9 OR ECX, ECX ; notepad.01010101; clears ZF (ECX is non-zero); the POPAD and MOV below leave the flags untouched
010103A9 8985 A8030000 MOV [EBP+3A8], EAX ; [review] EBP+3A8 = 010103BB, the imm32 field of the PUSH at 010103BA: the stub patches its own PUSH operand with the OEP address
010103AF 61 POPAD ; exit marker: restores the registers saved at 01010001; the OEP is close
010103B0 75 08 JNZ SHORT 010103BA ; taken (ZF still from the OR at 010103A7)
010103B2 B8 01000000 MOV EAX, 1 ; not-taken path
010103B7 C2 0C00 RETN 0C
010103BA 68 00000000 PUSH 0 ; jump target; the 0 is the static value — at run time this operand holds 01006420 (written at 010103A9)
010103BF C3 RETN ; "return" across the section boundary: pops the patched value and lands on the OEP
01006420 55 PUSH EBP ; OEP: dump the process here to unpack (RVA 6420 with image base 01000000)
01006421 8BEC MOV EBP, ESP
01006423 6A FF PUSH -1
01006425 68 88180001 PUSH 1001888 ; PUSH EBP / MOV EBP,ESP / PUSH -1 / PUSH <addr> is the usual MSVC CRT start-up prologue, consistent with the PEiD result noted after the listing
ImportREC -> 选此进程 -> OEP: 2ccb4 -> 自动搜索 IAT -> 获取输入表 -> 全部有效，OK，保存。
PEiD 识别结果：Microsoft Visual C++ 5.0