[分享]脱壳Yodas Crypter 1.3
发表于: 2009-10-22 17:50 3985
脱壳Yodas Crypter 1.3
【文章标题】: 脱壳Yodas Crypter 1.3
【文章作者】: hxqlky
【作者邮箱】: zmunlky@gmail.com
【作者主页】: http://www.x5dj.com/hxqlky
【软件名称】: Yodas Crypter 1.3
【下载地址】: 自己搜索下载
【保护方式】: Yodas Crypter 1.3
【编写语言】: delphi
【使用工具】: od,ImportREC
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
脱壳Yodas Crypter 1.3
0047B060 > 55 push ebp
0047B061 8BEC mov ebp,esp
0047B063 53 push ebx
0047B064 56 push esi
0047B065 57 push edi
0047B066 60 pushad
0047B067 E8 00000000 call free.0047B06C hr esp（硬件断点）步骤 1
0047B06C 5D pop ebp go IsDebuggerPresent（步骤 2；该函数经 fs:[18] 取 TEB、+30 取 PEB，再读 PEB+2 的 BeingDebugged 标志）
7C8130A3 > 64:A1 18000000 mov eax,dword ptr fs:[18]
7C8130A9 8B40 30 mov eax,dword ptr ds:[eax+30]
7C8130AC 0FB640 02 movzx eax,byte ptr ds:[eax+2]
7C8130B0 C3 retn f2
0047B88A 0BC0 or eax,eax f9
0047B88C 74 02 je short free.0047B890
0047B88E 61 popad
0047B88F C3 retn
0047B890 8BD5 mov edx,ebp
0047B892 81C2 13324000 add edx,free.00403213
0047B898 F702 01000000 test dword ptr ds:[edx],1
0047B89E 74 5F je short free.0047B8FF
0047B975 61 popad
0047B976 50 push eax
0047B977 33C0 xor eax,eax
0047B979 64:FF30 push dword ptr fs:[eax]
0047B97C 64:8920 mov dword ptr fs:[eax],esp
0047B97F EB 01 jmp short free.0047B982
0047B981 CC int3
0047B982 0000 add byte ptr ds:[eax],al
0047B976 50 push eax ; free.0047B90B
0047B977 33C0 xor eax,eax
0047B979 64:FF30 push dword ptr fs:[eax]
0047B97C 64:8920 mov dword ptr fs:[eax],esp
0047B97F EB 01 jmp short free.0047B982
0047B981 CC int3
7C92E480 8B1C24 mov ebx,dword ptr ss:[esp] 查看 SEH 链，go 到代码段 0047B90B
7C92E483 51 push ecx
7C92E484 53 push ebx
7C92E485 E8 F1C00100 call ntdll.7C94A57B
7C92E48A 0AC0 or al,al
7C92E48C 74 0C je short ntdll.7C92E49A
7C92E48E 5B pop ebx
0047B90B 55 push ebp F2 下断后来到这里
0047B90C 8BEC mov ebp,esp
0047B90E 57 push edi
0047B90F 36:8B45 10 mov eax,dword ptr ss:[ebp+10]
0047B913 3E:8BB8 C400000>mov edi,dword ptr ds:[eax+C4]
0047B91A 3E:FF37 push dword ptr ds:[edi]
0047B91D 33FF xor edi,edi
0047B91F 64:8F07 pop dword ptr fs:[edi]
0047B922 3E:8380 C400000>add dword ptr ds:[eax+C4],8
0047B92A 3E:8BB8 A400000>mov edi,dword ptr ds:[eax+A4]
0047B931 C1C7 07 rol edi,7
0047B934 3E:89B8 B800000>mov dword ptr ds:[eax+B8],edi
0047B93B B8 00000000 mov eax,0
0047B940 5F pop edi
0047B941 C9 leave
0047B942 C3 retn
7C9232A8 64:8B25 0000000>mov esp,dword ptr fs:[0] Alt+F9（执行到用户代码）到达 OEP
7C9232AF 64:8F05 0000000>pop dword ptr fs:[0]
7C9232B6 8BE5 mov esp,ebp
7C9232B8 5D pop ebp
7C9232B9 C2 1400 retn 14
7C9232BC 8B4C24 04 mov ecx,dword ptr ss:[esp+4]
7C9232C0 F741 04 0600000>test dword ptr ds:[ecx+4],6
00463910 55 db 55 oep ; CHAR 'U'
00463911 8B db 8B
00463912 EC db EC
00463913 83 db 83
00463914 C4 db C4
00463915 F0 db F0
00463916 B8 db B8
00463917 . 10374600 dd free.00463710
0046391B E8 db E8
0046391C . 54 push esp
0046391D . 23FA and edi,edx
0046391F . FFA1 EC584600 jmp dword ptr ds:[ecx+4658EC]
00463925 8B db 8B
00463926 00 db 00
搜索 FF15，跟随内存
00464000 00000000 iat 0
00464004 00000000
00464008 00000000
0046400C 00408D02 free.00408D02
【文章标题】: 脱壳Yodas Crypter 1.3
【文章作者】: hxqlky
【作者邮箱】: zmunlky@gmail.com
【作者主页】: http://www.x5dj.com/hxqlky
【软件名称】: Yodas Crypter 1.3
【下载地址】: 自己搜索下载
【保护方式】: Yodas Crypter 1.3
【编写语言】: delphi
【使用工具】: od,ImportREC
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
脱壳Yodas Crypter 1.3
0047B060 > 55 push ebp
0047B061 8BEC mov ebp,esp
0047B063 53 push ebx
0047B064 56 push esi
0047B065 57 push edi
0047B066 60 pushad
0047B067 E8 00000000 call free.0047B06C hr esp（硬件断点）步骤 1
0047B06C 5D pop ebp go IsDebuggerPresent（步骤 2；该函数经 fs:[18] 取 TEB、+30 取 PEB，再读 PEB+2 的 BeingDebugged 标志）
7C8130A3 > 64:A1 18000000 mov eax,dword ptr fs:[18]
7C8130A9 8B40 30 mov eax,dword ptr ds:[eax+30]
7C8130AC 0FB640 02 movzx eax,byte ptr ds:[eax+2]
7C8130B0 C3 retn f2
0047B88A 0BC0 or eax,eax f9
0047B88C 74 02 je short free.0047B890
0047B88E 61 popad
0047B88F C3 retn
0047B890 8BD5 mov edx,ebp
0047B892 81C2 13324000 add edx,free.00403213
0047B898 F702 01000000 test dword ptr ds:[edx],1
0047B89E 74 5F je short free.0047B8FF
0047B975 61 popad
0047B976 50 push eax
0047B977 33C0 xor eax,eax
0047B979 64:FF30 push dword ptr fs:[eax]
0047B97C 64:8920 mov dword ptr fs:[eax],esp
0047B97F EB 01 jmp short free.0047B982
0047B981 CC int3
0047B982 0000 add byte ptr ds:[eax],al
0047B976 50 push eax ; free.0047B90B
0047B977 33C0 xor eax,eax
0047B979 64:FF30 push dword ptr fs:[eax]
0047B97C 64:8920 mov dword ptr fs:[eax],esp
0047B97F EB 01 jmp short free.0047B982
0047B981 CC int3
7C92E480 8B1C24 mov ebx,dword ptr ss:[esp] 查看 SEH 链，go 到代码段 0047B90B
7C92E483 51 push ecx
7C92E484 53 push ebx
7C92E485 E8 F1C00100 call ntdll.7C94A57B
7C92E48A 0AC0 or al,al
7C92E48C 74 0C je short ntdll.7C92E49A
7C92E48E 5B pop ebx
0047B90B 55 push ebp F2 下断后来到这里
0047B90C 8BEC mov ebp,esp
0047B90E 57 push edi
0047B90F 36:8B45 10 mov eax,dword ptr ss:[ebp+10]
0047B913 3E:8BB8 C400000>mov edi,dword ptr ds:[eax+C4]
0047B91A 3E:FF37 push dword ptr ds:[edi]
0047B91D 33FF xor edi,edi
0047B91F 64:8F07 pop dword ptr fs:[edi]
0047B922 3E:8380 C400000>add dword ptr ds:[eax+C4],8
0047B92A 3E:8BB8 A400000>mov edi,dword ptr ds:[eax+A4]
0047B931 C1C7 07 rol edi,7
0047B934 3E:89B8 B800000>mov dword ptr ds:[eax+B8],edi
0047B93B B8 00000000 mov eax,0
0047B940 5F pop edi
0047B941 C9 leave
0047B942 C3 retn
7C9232A8 64:8B25 0000000>mov esp,dword ptr fs:[0] Alt+F9（执行到用户代码）到达 OEP
7C9232AF 64:8F05 0000000>pop dword ptr fs:[0]
7C9232B6 8BE5 mov esp,ebp
7C9232B8 5D pop ebp
7C9232B9 C2 1400 retn 14
7C9232BC 8B4C24 04 mov ecx,dword ptr ss:[esp+4]
7C9232C0 F741 04 0600000>test dword ptr ds:[ecx+4],6
00463910 55 db 55 oep ; CHAR 'U'
00463911 8B db 8B
00463912 EC db EC
00463913 83 db 83
00463914 C4 db C4
00463915 F0 db F0
00463916 B8 db B8
00463917 . 10374600 dd free.00463710
0046391B E8 db E8
0046391C . 54 push esp
0046391D . 23FA and edi,edx
0046391F . FFA1 EC584600 jmp dword ptr ds:[ecx+4658EC]
00463925 8B db 8B
00463926 00 db 00
搜索 FF15，跟随内存
00464000 00000000 iat 0
00464004 00000000
00464008 00000000
0046400C 00408D02 free.00408D02