[推荐]脱壳PeSpin 1.32(All Protection Options)
发表于: 2009-9-13 18:56 3304
脱壳PeSpin 1.32(All Protection Options)
【文章标题】: 脱壳PeSpin 1.32
【文章作者】: hxqlky
【作者邮箱】: zmunlky@gmail.com
【作者主页】: http://www.x5dj.com/hxqlky
【软件名称】: unpackme
【下载地址】: 自己搜索下载(安全提示:unpackme 和任何带壳样本都应视为不可信二进制,只在与宿主机隔离、带快照的分析虚拟机中运行和调试;下载后先记录并核对文件哈希,分析结束后回滚快照。)
【加壳方式】: PeSpin 1.32
【保护方式】: PeSpin 1.32
【使用工具】: od(OllyDbg),UIF(Universal Import Fixer,用于修复被壳重定向的输入表),ImportREC(ImpREC,在 OEP 处重建 IAT)
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
0046B0D4 > /EB 01 jmp short UnPackMe.0046B0D7 入口 ; 壳入口(EP)。jmp short 跳过 0046B0D6 处的花指令字节,真正执行的第一条指令是 0046B0D7 的 pushad;OD 线性反汇编出的 push 0E860 / add byte ptr [eax],al 并不会被执行
0046B0D6 |68 60E80000 push 0E860
0046B0DB 0000 add byte ptr ds:[eax],al
0046B0DD 8B1C24 mov ebx,dword ptr ss:[esp]
0046B0E0 83C3 12 add ebx,12
0046B0E3 812B E8B10600 sub dword ptr ds:[ebx],6B1E8
0046B0D7 60 pushad
0046B0D8 E8 00000000 call UnPackMe.0046B0DD 1 hr esp ; 步骤 1:在 pushad 之后对 ESP 下硬件断点(hr esp,即“ESP 定律”,等壳 popad 恢复寄存器时断下)。注意 call $+5 之后的 mov ebx,[esp] / add ebx,12 / sub dword ptr [ebx],6B1E8 是在修改 0046B0EF 处的自身代码(SMC),静态看到的反汇编与实际执行的指令不一定一致
2 go CreateMutexA 分离进程 ; 步骤 2:Ctrl+G 定位 kernel32.CreateMutexA,在函数末尾的 retn 0C(7C8293FA)下断,借它回到壳代码。PeSpin 用互斥体区分自身的父/子进程(即作者所说的“分离进程”:壳会把自己再启动一次并互相调试,推测用来阻止外部调试器附加),后面 0046EDF4 的 cmp eax,ebx 就是在比较 GetLastError 的结果
7C8293AB > 8BFF mov edi,edi
7C8293AD 55 push ebp
7C8293AE 8BEC mov ebp,esp
7C8293B0 51 push ecx
7C8293B1 51 push ecx
7C8293B2 56 push esi
7C8293B3 33F6 xor esi,esi
7C8293B5 3975 10 cmp dword ptr ss:[ebp+10],esi
7C8293B8 74 32 je short kernel32.7C8293EC
7C8293BA FF75 10 push dword ptr ss:[ebp+10]
7C8293BD 64:8B35 1800000>mov esi,dword ptr fs:[18]
7C8293C4 8D45 F8 lea eax,dword ptr ss:[ebp-8]
7C8293C7 50 push eax
7C8293C8 81C6 F80B0000 add esi,0BF8
7C8293CE FF15 8C10807C call dword ptr ds:[<&ntdll.RtlInitAnsiSt>; ntdll.RtlInitAnsiString
7C8293D4 6A 00 push 0
7C8293D6 8D45 F8 lea eax,dword ptr ss:[ebp-8]
7C8293D9 50 push eax
7C8293DA 56 push esi
7C8293DB FF15 8810807C call dword ptr ds:[<&ntdll.RtlAnsiString>; ntdll.RtlAnsiStringToUnicodeString
7C8293E1 85C0 test eax,eax
7C8293E3 0F8C E3850100 jl kernel32.7C8419CC
7C8293E9 8B76 04 mov esi,dword ptr ds:[esi+4]
7C8293EC 56 push esi
7C8293ED FF75 0C push dword ptr ss:[ebp+C]
7C8293F0 FF75 08 push dword ptr ss:[ebp+8]
7C8293F3 E8 48FFFFFF call kernel32.CreateMutexW
7C8293F8 5E pop esi
7C8293F9 C9 leave
7C8293FA C2 0C00 retn 0C f2 ; 在这里按 F2 下断,F9 运行到断点后单步 F8 执行 retn,即回到壳代码 0046EDD6 附近
0046EDD6 8985 C66C4000 mov dword ptr ss:[ebp+406CC6],eax
0046EDDC 8D85 3A271F03 lea eax,dword ptr ss:[ebp+31F273A]
0046EDE2 2D FCCEDE02 sub eax,2DECEFC
0046EDE7 FF10 call dword ptr ds:[eax] ; ntdll.RtlGetLastWin32Error ; 壳以 EBP=00067CAE 作为 delta 基址:上面 lea/sub 两条指令算出 ebp+0x40583E = 0046D4EC(见下面寄存器 EAX),这是壳自己的 API 指针表项,而不是程序的 IAT。这类“大常量相加再相减”的混淆在 PeSpin 代码里随处可见,计算目标地址时把两个常量合并即可
EAX 0046D4EC UnPackMe.0046D4EC
ECX 0012FF34
EDX 7C95860C ntdll.KiFastSystemCallRet edx----api
EBX 80000000
ESP 0012FFA0
EBP 00067CAE
ESI 7C800000 kernel32.7C800000
EDI 0046FDC6 UnPackMe.0046FDC6
EIP 0046EDE7 UnPackMe.0046EDE7
0012FFA0 0046B51B 返回到 UnPackMe.0046B51B
0012FFA4 00000000
0012FFA8 00000000
ebx=000000B7 ; = 183 = ERROR_ALREADY_EXISTS
eax=00000000 ; GetLastError 返回 0,说明互斥体是刚创建的。壳接下来把 eax 与 ebx 比较来判断互斥体是否已存在,推测以此区分父进程与子进程——这也是后面手动改 Z 标志的依据
EAX 00000000
ECX 0012FF34
EDX 7C95860C ntdll.KiFastSystemCallRet
EBX 000000B7
ESP 0012FFA0
EBP 00067CAE
ESI 7C800000 kernel32.7C800000
EDI 0046FDC6 UnPackMe.0046FDC6
EIP 0046EDF4 UnPackMe.0046EDF4
0046EDF4 3BC3 cmp eax,ebx
0046EDF6 9C pushfd >>>>>>>>>Z ; 这是用标志位算出的“计算跳转”:pushfd 压栈 EFLAGS,shr 6 / not / and 1 取出 ZF 的反值到 eax(ZF 是 EFLAGS 第 6 位),mul ebx(ebx = 24DE7BA-24DE786 = 0x34)后 eax = (!ZF)*0x34,再加上 ebp+ED910CA6-ED509B17 = ebp+0x40718F = 0046EE3D(EBP=00067CAE)。因此 ZF=1(eax==ebx,即 GetLastError==ERROR_ALREADY_EXISTS)时 jmp eax 去 0046EE3D,ZF=0 时去 0046EE71。作者在 cmp 之后手动把 Z 标志置 1,让壳走“互斥体已存在”的分支,然后在 jmp eax 处按 F2
0046EDF7 C12C24 06 shr dword ptr ss:[esp],6
0046EDFB F71424 not dword ptr ss:[esp]
0046EDFE 832424 01 and dword ptr ss:[esp],1
0046EE02 58 pop eax
0046EE03 2BD2 sub edx,edx
0046EE05 BB BAE74D02 mov ebx,24DE7BA
0046EE0A 81EB 86E74D02 sub ebx,24DE786
0046EE10 F7E3 mul ebx
0046EE12 81CB FE12F40E or ebx,0EF412FE
0046EE18 8D8428 A60C91ED lea eax,dword ptr ds:[eax+ebp+ED910CA6]
0046EE1F 2D 179B50ED sub eax,ED509B17
0046EE24 FFE0 jmp eax >>>>>>>>>>f2
0046EE24 /FFE0 jmp eax ; UnPackMe.0046EE3D
0046EE26 |8BC3 mov eax,ebx
0046EE28 |35 EF4D2306 xor eax,6234DEF
0046EE3D F1 int1 f2 ; F1 是 ICEBP/int1,会触发单步(#DB)异常;被调试时调试器会先截获它,需要在此下断并用 Shift+F9 把异常交回程序(或在 OD 选项里忽略该异常)。推测壳用 SEH 处理器接管这个异常继续执行
0046EE3E E8 1C030000 call UnPackMe.0046F15F
0046EE43 85C0 test eax,eax
0012FFA0 0046B51B 返回到 UnPackMe.0046B51B
0012FFA4 00000000
0012FFA8 00000000
go 0046B51B eip ; 栈顶 0012FFA0 存的返回地址 0046B51B 就是壳代码的下一站:Ctrl+G 到 0046B51B,把 EIP 设到这里(“此处为新 EIP”)
0012FFA0+4 ; 同时把 ESP 从 0012FFA0 调到 0012FFA4,弹掉这个返回地址,保持栈平衡
0046B51B B8 01A38156 mov eax,5681A301 ; 下面用 bt eax,15 测试常量 0x5681A301 的第 0x15 位(该位为 0,CF=0,jnb 成立跳到 0046B5AF)。推测这是壳的保护选项位图,每一位对应一个选项(对应标题的 All Protection Options),待验证
0046B520 2BC9 sub ecx,ecx
0046B522 83C9 15 or ecx,15
0046B525 0FA3C8 bt eax,ecx
0046B528 0F83 81000000 jnb UnPackMe.0046B5AF
f1 87 df ; 作者记下的是从 0046F765 起按字节重新解码得到的指令:F1(int1)、87 DF(xchg ebx,edi),其后是 57(push edi)、C3(retn)
0046F762 /E0 00 loopdne short UnPackMe.0046F764 >>>>>>>>{46f764+1} ; 作者标注的落点是 0046F764+1 = 0046F765,即下一条指令的中间
0046F764 \83F1 87 xor ecx,FFFFFF87 ; 这条 xor 只是 OD 线性反汇编的结果:从 0046F765 按字节解码得到 F1 / 87 DF / 57 / C3,即 int1、xchg ebx,edi、push edi、retn。这很可能是指令重叠型花指令,其中的 int1 又是一次反调试异常;原文没有说明执行流是如何进入 0046F765 的,需在调试器里单步确认
0046F767 DF57 C3 fist word ptr ds:[edi-3D] ; 同上,按 0046F764 起点解码出的伪指令
0046F76A 55 push ebp
0046F762 /E0 00 loopdne short UnPackMe.0046F764 >>>>>>>>{46f764+1}
撤销 ; 撤销 OD 对这一段的错误分析(右键 → 分析 → 从模块中删除分析),再从 0046F765 起查看真实指令
go 46c18a eip f9 ; Ctrl+G 到 0046C18A;按作者前面的用法应是在此下断(或把 EIP 设到这里)后 F9 运行,以原文为准
8907eb ; 指的是特征字节 89 07 EB——即下面 0046C18A 处 mov dword ptr [edi],eax / jmp short 的机器码,可用二进制搜索定位这条写 IAT 的关键指令
0046FC44 8B041A mov eax,dword ptr ds:[edx+ebx]
0046FC47 8907 mov dword ptr ds:[edi],eax
0046FC49 BA B3E40D00 mov edx,0DE4B3
0046FC4E 81F2 1FE40D00 xor edx,0DE41F
0046E991 0000 add byte ptr ds:[eax],al
0046E993 0000 add byte ptr ds:[eax],al
0046E995 0000 add byte ptr ds:[eax],al
0046E997 0000 add byte ptr ds:[eax],al
0046E999 0000 add byte ptr ds:[eax],al
0046E99B 0000 add byte ptr ds:[eax],al
0046E99D 0000 add byte ptr ds:[eax],al
0046E99F 0000 add byte ptr ds:[eax],al
go GetVersion(数据窗口) ; 在数据窗口 Ctrl+G 到 kernel32.GetVersion(7C8297CB),目的是监视壳对这个 API 代码本身的读取
7C8297CB >64 d 硬件访问byte ; 在 GetVersion 的首字节(64,fs: 段前缀)上下“硬件访问, byte”断点
0046BE23 F3:A4 rep movs byte ptr es:[edi], byte ptr> eax -----api ; 断下时壳正在 rep movsb:ESI 已指向 7C8297CC(首字节已被复制)、ECX=5 为剩余字节数,壳把 API 开头的指令复制到自己申请的内存 EDI=003E0A22。这就是 PeSpin 的 API 重定向/“API 偷取”:IAT 里将写入这个副本(或指向它的桩)的地址而不是真正的 API 地址,所以直接 dump 后 ImportREC 识别不出这类导入,需要后面的补丁来修正
0046BE25 8BC6 mov eax, esi
0046BE27 8BF7 mov esi, edi
0046BE29 5F pop edi
0046BE2A EB 01 jmp short 0046BE2D
EAX 7C8297CB kernel32.GetVersion
ECX 00000005
EDX 00000006
EBX 7C8297CB kernel32.GetVersion
ESP 0012FF70
EBP 0012FF94
ESI 7C8297CC kernel32.7C8297CC
EDI 003E0A22
EIP 0046BE23 UnPackMe.0046BE23
0012FF74 004612A1 UnPackMe.004612A1
0012FF78 00460014 UnPackMe.00460014
0012FF7C 0012FF94
0012FF80 0012FF94
0012FF84 0046BD26 UnPackMe.0046BD26
0012FF88 00460ADC UnPackMe.00460ADC
0012FF8C 0046C881 UnPackMe.0046C881
0012FF90 003E0A1E
0012FF94 00067CAE
0012FF98 0046CA47 UnPackMe.0046CA47
0046BD65 /73 7B jnb short UnPackMe.0046BDE2
0046BD67 |8B18 mov ebx,dword ptr ds:[eax]
0046BD69 |EB 07 jmp short UnPackMe.0046BD72
0046BDE2 /EB 01 jmp short 0046BDE5 >>>>>>>>>>>> f2
0046BDE4 |FF83 070BBAEB inc dword ptr [ebx-0x1445F4F9]
0046BDEA 07 pop es
0046BDE5 8307 0B add dword ptr [edi], 0xB
0046BDE8 BA EB07FFE9 mov edx, 0xE9FF07EB
0046BDED 8916 mov dword ptr [esi], edx
0046BDEF 83C6 08 add esi, 0x8
0046C03F 57 push edi ; UnPackMe.004612A1 >>>>>>>>>>
0046C040 EB 01 jmp short 0046C043
0046C042 EA 51EB049A EB0>jmp far 04EB:9A04EB51
0046C049 00EB add bl, ch
0046C079 /0F84 90000000 je UnPackMe.0046C10F >>>>>
0046C07F |47 inc edi
0046C080 |EB 01 jmp short UnPackMe.0046C083
0046C10F /EB 04 jmp short 0046C115 >>>>>>f2
0046C111 |FFEB jmp far ebx ; Illegal use of register
0046C113 |04 25 add al, 0x25
0046C181 /EB 01 jmp short 0046C184
0046C183 |E6 EB out 0xEB, al
0046C185 04 A1 add al, 0xA1
0046C187 ^ EB F8 jmp short 0046C181
0046C189 D7 xlat byte ptr [ebx+al]
0046C18A 8907 mov dword ptr [edi], eax >>>>>>>>>关键 jmp 0046E941 ; 关键指令:壳把解析出的 API 地址 eax 写入 IAT 项 [edi]。对被重定向的 API,此时的 eax 不是真实 API 地址(推测是壳的桩/副本地址)。处理办法:把这条 mov 改成 jmp 0046E941,跳到壳里一块空白区执行下面的补丁,修正 eax 后再跳回 0046C190
0046C18C EB 02 jmp short 0046C190 >>>>>>>>>
89 07 EB 02
二进制搜索00000000000000000000000000000000000000000 ; 在壳的代码段里二进制搜索一长串 00,找一块未被使用的空白区放补丁代码(这里找到 0046E941);补丁必须位于同一模块的可执行页内,只在运行时起作用
0046E941 0000 add byte ptr [eax], al >>>>>>>>>>
0046E943 0000 add byte ptr [eax], al
0046E945 0000 add byte ptr [eax], al
0046E947 0000 add byte ptr [eax], al
0046E949 0000 add byte ptr [eax], al
0046E94B 0000 add byte ptr [eax], al
0046E94D 0000 add byte ptr [eax], al
0046E94F 0000 add byte ptr [eax], al
0046E951 0000 add byte ptr [eax], al
3E 8B 44 24 C4 3E 2B 44 24 C8 89 07 E9 3E D8 FF FF 贴上代码 ; 在 0046E941 处用“二进制粘贴”写入这 17 字节(3E 是 ds: 段前缀,只是填充,无实际作用)。E9 后面的 rel32 = 0046C190 - 0046E952 = FFFFD83E,与字节串一致;如果你找到的空白区地址不同,必须重新计算这个相对偏移
mov eax,dword ptr ds:[esp-3c] ; 补丁逻辑:用栈上壳留下的两个值算出真实 API 地址(推测 [esp-3C] 是 API 地址加偏移、[esp-38] 是偏移,二者相减得到真实地址——需在调试器里对照验证)
sub eax,dword ptr ds:[esp-38]
mov dword ptr ds:[edi],eax ; 把真实地址写入 IAT 项,替代被改掉的 mov [edi],eax
jmp 0046C190 贴上代码 ; 跳回被改掉的 mov 之后继续执行壳的流程
0046CCB5 BA D1957697 mov edx, 0x977695D1 来到这里,f8 ; 补丁生效后 F9 运行到 0046CCB5,接下来改用 F8 单步。从 0046CCF1 开始、被 jmp short 隔开的那些指令(右侧 1/2/3 等标记)就是壳从 OEP 偷走、混淆后搬到这里执行的原程序入口代码(stolen bytes),需要逐条记录以便还原
0046CCBA F7DA neg edx
0046CCBC 81D9 93EC3FAF sbb ecx, 0xAF3FEC93
0046CCC2 F7D9 neg ecx
0046CCC4 FFC9 dec ecx
0046CCC6 F3: prefix rep:
0046CCF1 55 push ebp >>>>>>>>>>>>>1
0046CCF2 EB 01 jmp short 0046CCF5
0046CCF4 868B ECEB01D5 xchg byte ptr [ebx-0x2AFE1414], cl
0046CCF5 8BEC mov ebp, esp >>>>>>>2
0046CCF7 EB 01 jmp short 0046CCFA
0046CCFA 6A FF push -0x1 >>>>>>>>>>3
0046CCFC EB 01 jmp short 0046CCFF
0046CCFF 68 8D8F17EB push 0xEB178F8D ; 混淆后的 push:0xEB178F8D + 0x152D7ED3 = 0x100450E60,截断为 32 位即 push 00450E60
0046CD04 810424 D37E2D15 add dword ptr [esp], 0x152D7ED3
0046CD0B 68 B7E564D7 push 0xD764E5B7 ; 同理 0xD764E5B7 + 0x28DDAD11 = 0x1004292C8,即 push 004292C8。还原时各写成一条 push(对应下面还原字节中的 68 60 0E 45 00 / 68 C8 92 42 00)
0046CD10 810424 11ADDD28 add dword ptr [esp], 0x28DDAD11
0046CD17 64:A1 00000000 mov eax, dword ptr fs:[0] >>>>>>>
0046CD20 50 push eax >>>>>>
0046CD21 EB 01 jmp short 0046CD24
0046CD24 64:8925 0000000>mov dword ptr fs:[0], esp >>>>>>>
0046CD2B EB 01 jmp short 0046CD2E
0046CD2E 83C4 A8 add esp, -0x58 >>>>>>
0046CD31 EB 01 jmp short 0046CD34
0046CD34 53 push ebx >>>>>>>>>>
0046CD35 EB 01 jmp short 0046CD38
0046CD38 56 push esi >>>>>
0046CD39 EB 01 jmp short 0046CD3C
0046CD3C 57 push edi >>>>>
0046CD3D EB 01 jmp short 0046CD40
0046CD40 8965 E8 mov dword ptr [ebp-0x18], esp >>>>>
0046CD43 EB 01 jmp short 0046CD46
0046CD46 FF15 E1FF4600 call dword ptr [0x46FFE1] ; kernel32.GetVersion ; 原程序调用的是自己 IAT 里的项 call dword ptr [00460ADC](FF 15 DC 0A 46 00,见下面还原的字节;栈里也出现过 00460ADC),壳把它改成了指向自己的表项 0046FFE1。还原 OEP 代码时要改回 IAT 地址,否则脱壳后的程序仍依赖壳的区段
0046CD4C EB 01 jmp short 0046CD4F
0046CD4F 33D2 xor edx, edx >>>>>
0046CD51 EB 01 jmp short 0046CD54
0046CD54 8AD4 mov dl, ah >>>>>
0046CD56 EB 01 jmp short 0046CD59
0046CD59 8915 34E64500 mov dword ptr [0x45E634], edx
0046CD5F EB 01 jmp short 0046CD62
0046CD62 8BC8 mov ecx, eax >>>>>
0046CD64 EB 01 jmp short 0046CD67
0046CD67 81E1 FF000000 and ecx, 0xFF >>>>>
0046CD6D EB 01 jmp short 0046CD70
0046CD70 890D 30E64500 mov dword ptr [0x45E630], ecx >>>>>
0046CD76 EB 01 jmp short 0046CD79
0046CD79 C1E1 08 shl ecx, 0x8 >>>>>>>>>>>>>>> end ; 偷取的入口代码到这里为止,壳随后跳到原程序 OEP 之后的续接点
0046CD7C EB 01 jmp short 0046CD7F
004271B0 0000 add byte ptr [eax], al oep ; 真正的 OEP 是 004271B0。这里显示为全 0,是因为壳把 OEP 开头 0x47 字节偷走后清空了原位(stolen bytes 留下的空洞);dump 前要把下面还原出的 71 字节(55 8B EC … C1 E1 08)用二进制粘贴写回 004271B0–004271F6,并以 004271B0 作为 OEP 交给 ImportREC
004271B2 0000 add byte ptr [eax], al
004271B4 0000 add byte ptr [eax], al
004271B6 0000 add byte ptr [eax], al
004271B8 0000 add byte ptr [eax], al
004271BA 0000 add byte ptr [eax], al
004271BC 0000 add byte ptr [eax], al
004271BE 0000 add byte ptr [eax], al
004271C0 0000 add byte ptr [eax], al
004271C2 0000 add byte ptr [eax], al
004271C4 0000 add byte ptr [eax], al
004271C6 0000 add byte ptr [eax], al
004271C8 0000 add byte ptr [eax], al
004271CA 0000 add byte ptr [eax], al
004271CC 0000 add byte ptr [eax], al
004271CE 0000 add byte ptr [eax], al
004271D0 0000 add byte ptr [eax], al
004271D2 0000 add byte ptr [eax], al
004271D4 0000 add byte ptr [eax], al
004271D6 0000 add byte ptr [eax], al
004271D8 0000 add byte ptr [eax], al
004271DA 0000 add byte ptr [eax], al
004271DC 0000 add byte ptr [eax], al
004271DE 0000 add byte ptr [eax], al
004271E0 0000 add byte ptr [eax], al
004271E2 0000 add byte ptr [eax], al
004271E4 0000 add byte ptr [eax], al
004271E6 0000 add byte ptr [eax], al
004271E8 0000 add byte ptr [eax], al
004271EA 0000 add byte ptr [eax], al
004271EC 0000 add byte ptr [eax], al
004271EE 0000 add byte ptr [eax], al
004271F0 0000 add byte ptr [eax], al
004271F2 0000 add byte ptr [eax], al
004271F4 0000 add byte ptr [eax], al
004271F6 008D C0890D2C add byte ptr [ebp+0x2C0D89C0], cl
004271FC E6 45 out 0x45, al
004271FE 00C1 add cl, al
00427200 E8 10A328E6 call E66B1515
00427205 45 inc ebp
00427206 00E8 add al, ch
00427208 6C ins byte ptr es:[edi], dx
00427209 8F ??? ; Unknown command
0042720A FD std
0042720B FF85 C08DC06A inc dword ptr [ebp+0x6AC08DC0]
00427211 1C E8 sbb al, 0xE8
00427213 67:8F ??? ; Unknown command
55 8B EC 6A FF 68 60 0E 45 00 68 C8 92 42 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 C4 A8 ; 还原后的 OEP 字节(第 1 段):push ebp / mov ebp,esp / push -1 / push 450E60 / push 4292C8 / mov eax,fs:[0] / push eax / mov fs:[0],esp / add esp,-58 —— 典型的 MSVC CRT 入口(安装 SEH 帧)
53 56 57 89 65 E8 FF 15 DC 0A 46 00 33 D2 8A D4 89 15 34 E6 45 00 8B C8 81 E1 FF 00 00 00 89 0D ; 第 2 段:push ebx/esi/edi / mov [ebp-18],esp / call dword ptr [460ADC](GetVersion,已改回 IAT 项) / xor edx,edx / mov dl,ah / mov [45E634],edx / mov ecx,eax / and ecx,0FF / mov [45E630],ecx
30 E6 45 00 C1 E1 08 oep ; 第 3 段:… / shl ecx,8。三段共 0x47 字节,写回 004271B0。注意紧接着的 004271F7 以及 00427367、0042720E 处都是 8D C0(OD 显示 lea eax,eax ; Illegal use of register):这是非法编码,执行到会触发 #UD 异常,推测壳正是靠自己的异常处理器在运行时模拟被它替换掉的原始 2 字节指令(按 MSVC CRT 启动代码的常规形态,004271F7 处原本应是 add ecx,edx 之类);脱壳后没有壳的处理器就会在这些位置崩溃,所以不能只写回前 0x47 字节,这些位置也要逐条核对还原
----------------------------------------------------------
00427360 - E9 738EFDFF jmp 004001D8 ; 代码搬移:壳把 00427360 处 7 字节的 cmp dword ptr [45E618],1 搬到了 PE 头所在页(004001D8,位于 0x400000–0x401000),原位改成 jmp + 两个 nop,搬走的指令执行完再 jmp 回 00427367。脱壳时要么把 PE 头页一起 dump 并保持可执行,要么像下面那样把每条指令写回原位;00427369 的 call 004001E4 和 00427445 的 call 00400230 是同一手法,也要处理
00427365 90 nop
00427366 90 nop
00427367 8DC0 lea eax, eax ; Illegal use of register
00427369 E8 768EFDFF call 004001E4
004001D8 833D 18E64500 0>cmp dword ptr [0x45E618], 0x1
004001DF - E9 83710200 jmp 00427367
-------------------------------------------------------------------------------
00427360 833D 18E64500 0>cmp dword ptr [0x45E618], 0x1 ; 还原后:cmp 写回原位,覆盖了 jmp/nop。但下面 00427367 的 8D C0 和 00427369 的 call 004001E4 在这段列表里仍未处理,需要继续按同样方法还原
00427367 8DC0 lea eax, eax ; Illegal use of register
00427369 E8 768EFDFF call 004001E4
0042737B 68 FF000000 push 0xFF
00427380 FF15 E08D4500 call dword ptr [0x458DE0] ; UnPackMe.00427DD0
00427386 83C4 04 add esp, 0x4
00427440 68 80000000 push 0x80
00427445 E8 E68DFDFF call 00400230
file: http://www.plunder.com/UnPackMe-PeSpin-1-32-download-cf289120da.htm ; 第三方网盘链接,有效性不保证;样本按不可信二进制处理,见上面的安全提示
ollydbg Under SEH Team http://www.plunder.com/UST-2bg-rar-download-396f638a7f.htm ; Under SEH Team 的 OllyDbg 修改版,用于躲过壳对调试器的检测。来源不明的修改版调试器本身也是不可信二进制,同样只在分析虚拟机中使用并核对哈希
【文章标题】: 脱壳PeSpin 1.32
【文章作者】: hxqlky
【作者邮箱】: zmunlky@gmail.com
【作者主页】: http://www.x5dj.com/hxqlky
【软件名称】: unpackme
【下载地址】: 自己搜索下载(安全提示:unpackme 和任何带壳样本都应视为不可信二进制,只在与宿主机隔离、带快照的分析虚拟机中运行和调试;下载后先记录并核对文件哈希,分析结束后回滚快照。)
【加壳方式】: PeSpin 1.32
【保护方式】: PeSpin 1.32
【使用工具】: od(OllyDbg),UIF(Universal Import Fixer,用于修复被壳重定向的输入表),ImportREC(ImpREC,在 OEP 处重建 IAT)
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
0046B0D4 > /EB 01 jmp short UnPackMe.0046B0D7 入口 ; 壳入口(EP)。jmp short 跳过 0046B0D6 处的花指令字节,真正执行的第一条指令是 0046B0D7 的 pushad;OD 线性反汇编出的 push 0E860 / add byte ptr [eax],al 并不会被执行
0046B0D6 |68 60E80000 push 0E860
0046B0DB 0000 add byte ptr ds:[eax],al
0046B0DD 8B1C24 mov ebx,dword ptr ss:[esp]
0046B0E0 83C3 12 add ebx,12
0046B0E3 812B E8B10600 sub dword ptr ds:[ebx],6B1E8
0046B0D7 60 pushad
0046B0D8 E8 00000000 call UnPackMe.0046B0DD 1 hr esp ; 步骤 1:在 pushad 之后对 ESP 下硬件断点(hr esp,即“ESP 定律”,等壳 popad 恢复寄存器时断下)。注意 call $+5 之后的 mov ebx,[esp] / add ebx,12 / sub dword ptr [ebx],6B1E8 是在修改 0046B0EF 处的自身代码(SMC),静态看到的反汇编与实际执行的指令不一定一致
2 go CreateMutexA 分离进程 ; 步骤 2:Ctrl+G 定位 kernel32.CreateMutexA,在函数末尾的 retn 0C(7C8293FA)下断,借它回到壳代码。PeSpin 用互斥体区分自身的父/子进程(即作者所说的“分离进程”:壳会把自己再启动一次并互相调试,推测用来阻止外部调试器附加),后面 0046EDF4 的 cmp eax,ebx 就是在比较 GetLastError 的结果
7C8293AB > 8BFF mov edi,edi
7C8293AD 55 push ebp
7C8293AE 8BEC mov ebp,esp
7C8293B0 51 push ecx
7C8293B1 51 push ecx
7C8293B2 56 push esi
7C8293B3 33F6 xor esi,esi
7C8293B5 3975 10 cmp dword ptr ss:[ebp+10],esi
7C8293B8 74 32 je short kernel32.7C8293EC
7C8293BA FF75 10 push dword ptr ss:[ebp+10]
7C8293BD 64:8B35 1800000>mov esi,dword ptr fs:[18]
7C8293C4 8D45 F8 lea eax,dword ptr ss:[ebp-8]
7C8293C7 50 push eax
7C8293C8 81C6 F80B0000 add esi,0BF8
7C8293CE FF15 8C10807C call dword ptr ds:[<&ntdll.RtlInitAnsiSt>; ntdll.RtlInitAnsiString
7C8293D4 6A 00 push 0
7C8293D6 8D45 F8 lea eax,dword ptr ss:[ebp-8]
7C8293D9 50 push eax
7C8293DA 56 push esi
7C8293DB FF15 8810807C call dword ptr ds:[<&ntdll.RtlAnsiString>; ntdll.RtlAnsiStringToUnicodeString
7C8293E1 85C0 test eax,eax
7C8293E3 0F8C E3850100 jl kernel32.7C8419CC
7C8293E9 8B76 04 mov esi,dword ptr ds:[esi+4]
7C8293EC 56 push esi
7C8293ED FF75 0C push dword ptr ss:[ebp+C]
7C8293F0 FF75 08 push dword ptr ss:[ebp+8]
7C8293F3 E8 48FFFFFF call kernel32.CreateMutexW
7C8293F8 5E pop esi
7C8293F9 C9 leave
7C8293FA C2 0C00 retn 0C f2 ; 在这里按 F2 下断,F9 运行到断点后单步 F8 执行 retn,即回到壳代码 0046EDD6 附近
0046EDD6 8985 C66C4000 mov dword ptr ss:[ebp+406CC6],eax
0046EDDC 8D85 3A271F03 lea eax,dword ptr ss:[ebp+31F273A]
0046EDE2 2D FCCEDE02 sub eax,2DECEFC
0046EDE7 FF10 call dword ptr ds:[eax] ; ntdll.RtlGetLastWin32Error ; 壳以 EBP=00067CAE 作为 delta 基址:上面 lea/sub 两条指令算出 ebp+0x40583E = 0046D4EC(见下面寄存器 EAX),这是壳自己的 API 指针表项,而不是程序的 IAT。这类“大常量相加再相减”的混淆在 PeSpin 代码里随处可见,计算目标地址时把两个常量合并即可
EAX 0046D4EC UnPackMe.0046D4EC
ECX 0012FF34
EDX 7C95860C ntdll.KiFastSystemCallRet edx----api
EBX 80000000
ESP 0012FFA0
EBP 00067CAE
ESI 7C800000 kernel32.7C800000
EDI 0046FDC6 UnPackMe.0046FDC6
EIP 0046EDE7 UnPackMe.0046EDE7
0012FFA0 0046B51B 返回到 UnPackMe.0046B51B
0012FFA4 00000000
0012FFA8 00000000
ebx=000000B7 ; = 183 = ERROR_ALREADY_EXISTS
eax=00000000 ; GetLastError 返回 0,说明互斥体是刚创建的。壳接下来把 eax 与 ebx 比较来判断互斥体是否已存在,推测以此区分父进程与子进程——这也是后面手动改 Z 标志的依据
EAX 00000000
ECX 0012FF34
EDX 7C95860C ntdll.KiFastSystemCallRet
EBX 000000B7
ESP 0012FFA0
EBP 00067CAE
ESI 7C800000 kernel32.7C800000
EDI 0046FDC6 UnPackMe.0046FDC6
EIP 0046EDF4 UnPackMe.0046EDF4
0046EDF4 3BC3 cmp eax,ebx
0046EDF6 9C pushfd >>>>>>>>>Z ; 这是用标志位算出的“计算跳转”:pushfd 压栈 EFLAGS,shr 6 / not / and 1 取出 ZF 的反值到 eax(ZF 是 EFLAGS 第 6 位),mul ebx(ebx = 24DE7BA-24DE786 = 0x34)后 eax = (!ZF)*0x34,再加上 ebp+ED910CA6-ED509B17 = ebp+0x40718F = 0046EE3D(EBP=00067CAE)。因此 ZF=1(eax==ebx,即 GetLastError==ERROR_ALREADY_EXISTS)时 jmp eax 去 0046EE3D,ZF=0 时去 0046EE71。作者在 cmp 之后手动把 Z 标志置 1,让壳走“互斥体已存在”的分支,然后在 jmp eax 处按 F2
0046EDF7 C12C24 06 shr dword ptr ss:[esp],6
0046EDFB F71424 not dword ptr ss:[esp]
0046EDFE 832424 01 and dword ptr ss:[esp],1
0046EE02 58 pop eax
0046EE03 2BD2 sub edx,edx
0046EE05 BB BAE74D02 mov ebx,24DE7BA
0046EE0A 81EB 86E74D02 sub ebx,24DE786
0046EE10 F7E3 mul ebx
0046EE12 81CB FE12F40E or ebx,0EF412FE
0046EE18 8D8428 A60C91ED lea eax,dword ptr ds:[eax+ebp+ED910CA6]
0046EE1F 2D 179B50ED sub eax,ED509B17
0046EE24 FFE0 jmp eax >>>>>>>>>>f2
0046EE24 /FFE0 jmp eax ; UnPackMe.0046EE3D
0046EE26 |8BC3 mov eax,ebx
0046EE28 |35 EF4D2306 xor eax,6234DEF
0046EE3D F1 int1 f2 ; F1 是 ICEBP/int1,会触发单步(#DB)异常;被调试时调试器会先截获它,需要在此下断并用 Shift+F9 把异常交回程序(或在 OD 选项里忽略该异常)。推测壳用 SEH 处理器接管这个异常继续执行
0046EE3E E8 1C030000 call UnPackMe.0046F15F
0046EE43 85C0 test eax,eax
0012FFA0 0046B51B 返回到 UnPackMe.0046B51B
0012FFA4 00000000
0012FFA8 00000000
go 0046B51B eip ; 栈顶 0012FFA0 存的返回地址 0046B51B 就是壳代码的下一站:Ctrl+G 到 0046B51B,把 EIP 设到这里(“此处为新 EIP”)
0012FFA0+4 ; 同时把 ESP 从 0012FFA0 调到 0012FFA4,弹掉这个返回地址,保持栈平衡
0046B51B B8 01A38156 mov eax,5681A301 ; 下面用 bt eax,15 测试常量 0x5681A301 的第 0x15 位(该位为 0,CF=0,jnb 成立跳到 0046B5AF)。推测这是壳的保护选项位图,每一位对应一个选项(对应标题的 All Protection Options),待验证
0046B520 2BC9 sub ecx,ecx
0046B522 83C9 15 or ecx,15
0046B525 0FA3C8 bt eax,ecx
0046B528 0F83 81000000 jnb UnPackMe.0046B5AF
f1 87 df ; 作者记下的是从 0046F765 起按字节重新解码得到的指令:F1(int1)、87 DF(xchg ebx,edi),其后是 57(push edi)、C3(retn)
0046F762 /E0 00 loopdne short UnPackMe.0046F764 >>>>>>>>{46f764+1} ; 作者标注的落点是 0046F764+1 = 0046F765,即下一条指令的中间
0046F764 \83F1 87 xor ecx,FFFFFF87 ; 这条 xor 只是 OD 线性反汇编的结果:从 0046F765 按字节解码得到 F1 / 87 DF / 57 / C3,即 int1、xchg ebx,edi、push edi、retn。这很可能是指令重叠型花指令,其中的 int1 又是一次反调试异常;原文没有说明执行流是如何进入 0046F765 的,需在调试器里单步确认
0046F767 DF57 C3 fist word ptr ds:[edi-3D] ; 同上,按 0046F764 起点解码出的伪指令
0046F76A 55 push ebp
0046F762 /E0 00 loopdne short UnPackMe.0046F764 >>>>>>>>{46f764+1}
撤销 ; 撤销 OD 对这一段的错误分析(右键 → 分析 → 从模块中删除分析),再从 0046F765 起查看真实指令
go 46c18a eip f9 ; Ctrl+G 到 0046C18A;按作者前面的用法应是在此下断(或把 EIP 设到这里)后 F9 运行,以原文为准
8907eb ; 指的是特征字节 89 07 EB——即下面 0046C18A 处 mov dword ptr [edi],eax / jmp short 的机器码,可用二进制搜索定位这条写 IAT 的关键指令
0046FC44 8B041A mov eax,dword ptr ds:[edx+ebx]
0046FC47 8907 mov dword ptr ds:[edi],eax
0046FC49 BA B3E40D00 mov edx,0DE4B3
0046FC4E 81F2 1FE40D00 xor edx,0DE41F
0046E991 0000 add byte ptr ds:[eax],al
0046E993 0000 add byte ptr ds:[eax],al
0046E995 0000 add byte ptr ds:[eax],al
0046E997 0000 add byte ptr ds:[eax],al
0046E999 0000 add byte ptr ds:[eax],al
0046E99B 0000 add byte ptr ds:[eax],al
0046E99D 0000 add byte ptr ds:[eax],al
0046E99F 0000 add byte ptr ds:[eax],al
go GetVersion(数据窗口) ; 在数据窗口 Ctrl+G 到 kernel32.GetVersion(7C8297CB),目的是监视壳对这个 API 代码本身的读取
7C8297CB >64 d 硬件访问byte ; 在 GetVersion 的首字节(64,fs: 段前缀)上下“硬件访问, byte”断点
0046BE23 F3:A4 rep movs byte ptr es:[edi], byte ptr> eax -----api ; 断下时壳正在 rep movsb:ESI 已指向 7C8297CC(首字节已被复制)、ECX=5 为剩余字节数,壳把 API 开头的指令复制到自己申请的内存 EDI=003E0A22。这就是 PeSpin 的 API 重定向/“API 偷取”:IAT 里将写入这个副本(或指向它的桩)的地址而不是真正的 API 地址,所以直接 dump 后 ImportREC 识别不出这类导入,需要后面的补丁来修正
0046BE25 8BC6 mov eax, esi
0046BE27 8BF7 mov esi, edi
0046BE29 5F pop edi
0046BE2A EB 01 jmp short 0046BE2D
EAX 7C8297CB kernel32.GetVersion
ECX 00000005
EDX 00000006
EBX 7C8297CB kernel32.GetVersion
ESP 0012FF70
EBP 0012FF94
ESI 7C8297CC kernel32.7C8297CC
EDI 003E0A22
EIP 0046BE23 UnPackMe.0046BE23
0012FF74 004612A1 UnPackMe.004612A1
0012FF78 00460014 UnPackMe.00460014
0012FF7C 0012FF94
0012FF80 0012FF94
0012FF84 0046BD26 UnPackMe.0046BD26
0012FF88 00460ADC UnPackMe.00460ADC
0012FF8C 0046C881 UnPackMe.0046C881
0012FF90 003E0A1E
0012FF94 00067CAE
0012FF98 0046CA47 UnPackMe.0046CA47
0046BD65 /73 7B jnb short UnPackMe.0046BDE2
0046BD67 |8B18 mov ebx,dword ptr ds:[eax]
0046BD69 |EB 07 jmp short UnPackMe.0046BD72
0046BDE2 /EB 01 jmp short 0046BDE5 >>>>>>>>>>>> f2
0046BDE4 |FF83 070BBAEB inc dword ptr [ebx-0x1445F4F9]
0046BDEA 07 pop es
0046BDE5 8307 0B add dword ptr [edi], 0xB
0046BDE8 BA EB07FFE9 mov edx, 0xE9FF07EB
0046BDED 8916 mov dword ptr [esi], edx
0046BDEF 83C6 08 add esi, 0x8
0046C03F 57 push edi ; UnPackMe.004612A1 >>>>>>>>>>
0046C040 EB 01 jmp short 0046C043
0046C042 EA 51EB049A EB0>jmp far 04EB:9A04EB51
0046C049 00EB add bl, ch
0046C079 /0F84 90000000 je UnPackMe.0046C10F >>>>>
0046C07F |47 inc edi
0046C080 |EB 01 jmp short UnPackMe.0046C083
0046C10F /EB 04 jmp short 0046C115 >>>>>>f2
0046C111 |FFEB jmp far ebx ; Illegal use of register
0046C113 |04 25 add al, 0x25
0046C181 /EB 01 jmp short 0046C184
0046C183 |E6 EB out 0xEB, al
0046C185 04 A1 add al, 0xA1
0046C187 ^ EB F8 jmp short 0046C181
0046C189 D7 xlat byte ptr [ebx+al]
0046C18A 8907 mov dword ptr [edi], eax >>>>>>>>>关键 jmp 0046E941 ; 关键指令:壳把解析出的 API 地址 eax 写入 IAT 项 [edi]。对被重定向的 API,此时的 eax 不是真实 API 地址(推测是壳的桩/副本地址)。处理办法:把这条 mov 改成 jmp 0046E941,跳到壳里一块空白区执行下面的补丁,修正 eax 后再跳回 0046C190
0046C18C EB 02 jmp short 0046C190 >>>>>>>>>
89 07 EB 02
二进制搜索00000000000000000000000000000000000000000 ; 在壳的代码段里二进制搜索一长串 00,找一块未被使用的空白区放补丁代码(这里找到 0046E941);补丁必须位于同一模块的可执行页内,只在运行时起作用
0046E941 0000 add byte ptr [eax], al >>>>>>>>>>
0046E943 0000 add byte ptr [eax], al
0046E945 0000 add byte ptr [eax], al
0046E947 0000 add byte ptr [eax], al
0046E949 0000 add byte ptr [eax], al
0046E94B 0000 add byte ptr [eax], al
0046E94D 0000 add byte ptr [eax], al
0046E94F 0000 add byte ptr [eax], al
0046E951 0000 add byte ptr [eax], al
3E 8B 44 24 C4 3E 2B 44 24 C8 89 07 E9 3E D8 FF FF 贴上代码 ; 在 0046E941 处用“二进制粘贴”写入这 17 字节(3E 是 ds: 段前缀,只是填充,无实际作用)。E9 后面的 rel32 = 0046C190 - 0046E952 = FFFFD83E,与字节串一致;如果你找到的空白区地址不同,必须重新计算这个相对偏移
mov eax,dword ptr ds:[esp-3c] ; 补丁逻辑:用栈上壳留下的两个值算出真实 API 地址(推测 [esp-3C] 是 API 地址加偏移、[esp-38] 是偏移,二者相减得到真实地址——需在调试器里对照验证)
sub eax,dword ptr ds:[esp-38]
mov dword ptr ds:[edi],eax ; 把真实地址写入 IAT 项,替代被改掉的 mov [edi],eax
jmp 0046C190 贴上代码 ; 跳回被改掉的 mov 之后继续执行壳的流程
0046CCB5 BA D1957697 mov edx, 0x977695D1 来到这里,f8 ; 补丁生效后 F9 运行到 0046CCB5,接下来改用 F8 单步。从 0046CCF1 开始、被 jmp short 隔开的那些指令(右侧 1/2/3 等标记)就是壳从 OEP 偷走、混淆后搬到这里执行的原程序入口代码(stolen bytes),需要逐条记录以便还原
0046CCBA F7DA neg edx
0046CCBC 81D9 93EC3FAF sbb ecx, 0xAF3FEC93
0046CCC2 F7D9 neg ecx
0046CCC4 FFC9 dec ecx
0046CCC6 F3: prefix rep:
0046CCF1 55 push ebp >>>>>>>>>>>>>1
0046CCF2 EB 01 jmp short 0046CCF5
0046CCF4 868B ECEB01D5 xchg byte ptr [ebx-0x2AFE1414], cl
0046CCF5 8BEC mov ebp, esp >>>>>>>2
0046CCF7 EB 01 jmp short 0046CCFA
0046CCFA 6A FF push -0x1 >>>>>>>>>>3
0046CCFC EB 01 jmp short 0046CCFF
0046CCFF 68 8D8F17EB push 0xEB178F8D ; 混淆后的 push:0xEB178F8D + 0x152D7ED3 = 0x100450E60,截断为 32 位即 push 00450E60
0046CD04 810424 D37E2D15 add dword ptr [esp], 0x152D7ED3
0046CD0B 68 B7E564D7 push 0xD764E5B7 ; 同理 0xD764E5B7 + 0x28DDAD11 = 0x1004292C8,即 push 004292C8。还原时各写成一条 push(对应下面还原字节中的 68 60 0E 45 00 / 68 C8 92 42 00)
0046CD10 810424 11ADDD28 add dword ptr [esp], 0x28DDAD11
0046CD17 64:A1 00000000 mov eax, dword ptr fs:[0] >>>>>>>
0046CD20 50 push eax >>>>>>
0046CD21 EB 01 jmp short 0046CD24
0046CD24 64:8925 0000000>mov dword ptr fs:[0], esp >>>>>>>
0046CD2B EB 01 jmp short 0046CD2E
0046CD2E 83C4 A8 add esp, -0x58 >>>>>>
0046CD31 EB 01 jmp short 0046CD34
0046CD34 53 push ebx >>>>>>>>>>
0046CD35 EB 01 jmp short 0046CD38
0046CD38 56 push esi >>>>>
0046CD39 EB 01 jmp short 0046CD3C
0046CD3C 57 push edi >>>>>
0046CD3D EB 01 jmp short 0046CD40
0046CD40 8965 E8 mov dword ptr [ebp-0x18], esp >>>>>
0046CD43 EB 01 jmp short 0046CD46
0046CD46 FF15 E1FF4600 call dword ptr [0x46FFE1] ; kernel32.GetVersion ; 原程序调用的是自己 IAT 里的项 call dword ptr [00460ADC](FF 15 DC 0A 46 00,见下面还原的字节;栈里也出现过 00460ADC),壳把它改成了指向自己的表项 0046FFE1。还原 OEP 代码时要改回 IAT 地址,否则脱壳后的程序仍依赖壳的区段
0046CD4C EB 01 jmp short 0046CD4F
0046CD4F 33D2 xor edx, edx >>>>>
0046CD51 EB 01 jmp short 0046CD54
0046CD54 8AD4 mov dl, ah >>>>>
0046CD56 EB 01 jmp short 0046CD59
0046CD59 8915 34E64500 mov dword ptr [0x45E634], edx
0046CD5F EB 01 jmp short 0046CD62
0046CD62 8BC8 mov ecx, eax >>>>>
0046CD64 EB 01 jmp short 0046CD67
0046CD67 81E1 FF000000 and ecx, 0xFF >>>>>
0046CD6D EB 01 jmp short 0046CD70
0046CD70 890D 30E64500 mov dword ptr [0x45E630], ecx >>>>>
0046CD76 EB 01 jmp short 0046CD79
0046CD79 C1E1 08 shl ecx, 0x8 >>>>>>>>>>>>>>> end ; 偷取的入口代码到这里为止,壳随后跳到原程序 OEP 之后的续接点
0046CD7C EB 01 jmp short 0046CD7F
004271B0 0000 add byte ptr [eax], al oep ; 真正的 OEP 是 004271B0。这里显示为全 0,是因为壳把 OEP 开头 0x47 字节偷走后清空了原位(stolen bytes 留下的空洞);dump 前要把下面还原出的 71 字节(55 8B EC … C1 E1 08)用二进制粘贴写回 004271B0–004271F6,并以 004271B0 作为 OEP 交给 ImportREC
004271B2 0000 add byte ptr [eax], al
004271B4 0000 add byte ptr [eax], al
004271B6 0000 add byte ptr [eax], al
004271B8 0000 add byte ptr [eax], al
004271BA 0000 add byte ptr [eax], al
004271BC 0000 add byte ptr [eax], al
004271BE 0000 add byte ptr [eax], al
004271C0 0000 add byte ptr [eax], al
004271C2 0000 add byte ptr [eax], al
004271C4 0000 add byte ptr [eax], al
004271C6 0000 add byte ptr [eax], al
004271C8 0000 add byte ptr [eax], al
004271CA 0000 add byte ptr [eax], al
004271CC 0000 add byte ptr [eax], al
004271CE 0000 add byte ptr [eax], al
004271D0 0000 add byte ptr [eax], al
004271D2 0000 add byte ptr [eax], al
004271D4 0000 add byte ptr [eax], al
004271D6 0000 add byte ptr [eax], al
004271D8 0000 add byte ptr [eax], al
004271DA 0000 add byte ptr [eax], al
004271DC 0000 add byte ptr [eax], al
004271DE 0000 add byte ptr [eax], al
004271E0 0000 add byte ptr [eax], al
004271E2 0000 add byte ptr [eax], al
004271E4 0000 add byte ptr [eax], al
004271E6 0000 add byte ptr [eax], al
004271E8 0000 add byte ptr [eax], al
004271EA 0000 add byte ptr [eax], al
004271EC 0000 add byte ptr [eax], al
004271EE 0000 add byte ptr [eax], al
004271F0 0000 add byte ptr [eax], al
004271F2 0000 add byte ptr [eax], al
004271F4 0000 add byte ptr [eax], al
004271F6 008D C0890D2C add byte ptr [ebp+0x2C0D89C0], cl
004271FC E6 45 out 0x45, al
004271FE 00C1 add cl, al
00427200 E8 10A328E6 call E66B1515
00427205 45 inc ebp
00427206 00E8 add al, ch
00427208 6C ins byte ptr es:[edi], dx
00427209 8F ??? ; Unknown command
0042720A FD std
0042720B FF85 C08DC06A inc dword ptr [ebp+0x6AC08DC0]
00427211 1C E8 sbb al, 0xE8
00427213 67:8F ??? ; Unknown command
55 8B EC 6A FF 68 60 0E 45 00 68 C8 92 42 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 C4 A8 ; 还原后的 OEP 字节(第 1 段):push ebp / mov ebp,esp / push -1 / push 450E60 / push 4292C8 / mov eax,fs:[0] / push eax / mov fs:[0],esp / add esp,-58 —— 典型的 MSVC CRT 入口(安装 SEH 帧)
53 56 57 89 65 E8 FF 15 DC 0A 46 00 33 D2 8A D4 89 15 34 E6 45 00 8B C8 81 E1 FF 00 00 00 89 0D ; 第 2 段:push ebx/esi/edi / mov [ebp-18],esp / call dword ptr [460ADC](GetVersion,已改回 IAT 项) / xor edx,edx / mov dl,ah / mov [45E634],edx / mov ecx,eax / and ecx,0FF / mov [45E630],ecx
30 E6 45 00 C1 E1 08 oep ; 第 3 段:… / shl ecx,8。三段共 0x47 字节,写回 004271B0。注意紧接着的 004271F7 以及 00427367、0042720E 处都是 8D C0(OD 显示 lea eax,eax ; Illegal use of register):这是非法编码,执行到会触发 #UD 异常,推测壳正是靠自己的异常处理器在运行时模拟被它替换掉的原始 2 字节指令(按 MSVC CRT 启动代码的常规形态,004271F7 处原本应是 add ecx,edx 之类);脱壳后没有壳的处理器就会在这些位置崩溃,所以不能只写回前 0x47 字节,这些位置也要逐条核对还原
----------------------------------------------------------
00427360 - E9 738EFDFF jmp 004001D8 ; 代码搬移:壳把 00427360 处 7 字节的 cmp dword ptr [45E618],1 搬到了 PE 头所在页(004001D8,位于 0x400000–0x401000),原位改成 jmp + 两个 nop,搬走的指令执行完再 jmp 回 00427367。脱壳时要么把 PE 头页一起 dump 并保持可执行,要么像下面那样把每条指令写回原位;00427369 的 call 004001E4 和 00427445 的 call 00400230 是同一手法,也要处理
00427365 90 nop
00427366 90 nop
00427367 8DC0 lea eax, eax ; Illegal use of register
00427369 E8 768EFDFF call 004001E4
004001D8 833D 18E64500 0>cmp dword ptr [0x45E618], 0x1
004001DF - E9 83710200 jmp 00427367
-------------------------------------------------------------------------------
00427360 833D 18E64500 0>cmp dword ptr [0x45E618], 0x1 ; 还原后:cmp 写回原位,覆盖了 jmp/nop。但下面 00427367 的 8D C0 和 00427369 的 call 004001E4 在这段列表里仍未处理,需要继续按同样方法还原
00427367 8DC0 lea eax, eax ; Illegal use of register
00427369 E8 768EFDFF call 004001E4
0042737B 68 FF000000 push 0xFF
00427380 FF15 E08D4500 call dword ptr [0x458DE0] ; UnPackMe.00427DD0
00427386 83C4 04 add esp, 0x4
00427440 68 80000000 push 0x80
00427445 E8 E68DFDFF call 00400230
file: http://www.plunder.com/UnPackMe-PeSpin-1-32-download-cf289120da.htm ; 第三方网盘链接,有效性不保证;样本按不可信二进制处理,见上面的安全提示
ollydbg Under SEH Team http://www.plunder.com/UST-2bg-rar-download-396f638a7f.htm ; Under SEH Team 的 OllyDbg 修改版,用于躲过壳对调试器的检测。来源不明的修改版调试器本身也是不可信二进制,同样只在分析虚拟机中使用并核对哈希