Rocky4 SHL 这种加密狗的壳谁脱过,好像很难脱!!!
本帖最后由 djhell 于 2020-7-4 17:03 编辑如题,Rocky4 SHL 这种加密狗的壳谁脱过,好像很难脱!!!网上资料很少基本没有,和R4ND有啥区别呢,给介绍一下吧!大家一起研究研究。。。。,我正在研究这个狗,没进展,也是wangyujie96大神告诉我的这个狗壳,感觉很难的样子
原始程序(需要msde2000或者sql2000)
链接:https://pan.baidu.com/s/1Iun6rMLORtAoV_nOuqO6xA
提取码:07d2
哪位大神能发个破文,不胜感激!
以下是小弟粗浅分析
加的yoda 's Protector壳,试着用yoda 's Protector专用工具脱壳,不成功,参考wangyujie96的话,EP区段里有RY4SHL区段,应该是Rockey4 SHL加密狗的壳
Exeinfo分析没有有用信息
Die分析无壳
启动软件提示有狗,想办法打狗
OD载入提示无法载入,缺少文件,到程序目录下看看
本帖最后由 djhell 于 2020-7-6 16:28 编辑
发现有个bpl文件,咱们把里面文件复制到exe同级目录
正常了,bpl一般就是delphi的文件
现在进行查字符串操作,发现没有有用信息
先F7跟进,然后一路F8,到了查狗的地方,看rockey4的api
0044244D B8 2B2B4400 mov eax,00442B2B ; ASCII "咐.D"
00442452 E8 79BCFEFF call 0042E0D0
00442457 81EC C4020000 sub esp,0x2C4
0044245D 53 push ebx
0044245E 56 push esi
0044245F 57 push edi
00442460 8D8D 30FDFFFF lea ecx,dword ptr ss:
00442466 E8 2FF6FFFF call 00441A9A
0044246B 8B45 08 mov eax,dword ptr ss:
0044246E 33DB xor ebx,ebx
00442470 66:895D 94 mov word ptr ss:,bx
00442474 33FF xor edi,edi
00442476 8B70 3C mov esi,dword ptr ds:
00442479 895D FC mov dword ptr ss:,ebx
0044247C 03F0 add esi,eax
0044247E 895D D4 mov dword ptr ss:,ebx
00442481 8935 EC584200 mov dword ptr ds:,esi
00442487 0FB746 16 movzx eax,word ptr ds:
0044248B 8945 F0 mov dword ptr ss:,eax
0044248E 0FB74E 18 movzx ecx,word ptr ds:
00442492 C1E0 10 shl eax,0x10
00442495 0BC1 or eax,ecx
00442497 8945 F0 mov dword ptr ss:,eax
0044249A 66:8B46 16 mov ax,word ptr ds:
0044249E 66:3146 14 xor word ptr ds:,ax
004424A2 8B4D F0 mov ecx,dword ptr ss:
004424A5 314E 22 xor dword ptr ds:,ecx
004424A8 F7D0 not eax
004424AA 66:8946 16 mov word ptr ds:,ax
004424AE 66:8B46 18 mov ax,word ptr ds:
004424B2 66:F7D0 not ax
004424B5 66:8946 18 mov word ptr ds:,ax
004424B9 66:8B46 16 mov ax,word ptr ds:
004424BD 66:395D D4 cmp word ptr ss:,bx
004424C1 8945 E8 mov dword ptr ss:,eax
004424C4 66:8B46 18 mov ax,word ptr ds:
004424C8 8945 EC mov dword ptr ss:,eax
004424CB 895D E4 mov dword ptr ss:,ebx
004424CE 895D E0 mov dword ptr ss:,ebx
004424D1 75 37 jnz short 0044250A ; 不跳
004424D3 8D45 8C lea eax,dword ptr ss:
004424D6 50 push eax
004424D7 8D45 E0 lea eax,dword ptr ss:
004424DA 50 push eax
004424DB 8D45 E4 lea eax,dword ptr ss:
004424DE 50 push eax
004424DF 8D45 EC lea eax,dword ptr ss:
004424E2 50 push eax
004424E3 8D45 E8 lea eax,dword ptr ss:
004424E6 50 push eax
004424E7 8D45 D8 lea eax,dword ptr ss:
004424EA 50 push eax
004424EB 8D45 F0 lea eax,dword ptr ss:
004424EE 50 push eax
004424EF 8D45 DC lea eax,dword ptr ss:
004424F2 50 push eax
004424F3 6A 01 push 0x1
004424F5 5F pop edi
004424F6 57 push edi
004424F7 E8 A487FEFF call 0042ACA0 ; 打开狗
004424FC 66:3BC3 cmp ax,bx
004424FF 0F85 2A030000 jnz 0044282F ; 不跳
00442505 897D D4 mov dword ptr ss:,edi
00442508 EB 4D jmp short 00442557
0044250A 66:8B46 16 mov ax,word ptr ds:
0044250E 8945 E8 mov dword ptr ss:,eax
00442511 66:8B46 18 mov ax,word ptr ds:
00442515 8945 EC mov dword ptr ss:,eax
00442518 8D45 8C lea eax,dword ptr ss:
0044251B 50 push eax
0044251C 8D45 E0 lea eax,dword ptr ss:
0044251F 50 push eax
00442520 8D45 E4 lea eax,dword ptr ss:
00442523 50 push eax
00442524 8D45 EC lea eax,dword ptr ss:
00442527 50 push eax
00442528 8D45 E8 lea eax,dword ptr ss:
0044252B 50 push eax
0044252C 8D45 D8 lea eax,dword ptr ss:
0044252F 50 push eax
00442530 8D45 F0 lea eax,dword ptr ss:
00442533 50 push eax
00442534 8D45 DC lea eax,dword ptr ss:
00442537 50 push eax
00442538 6A 02 push 0x2
0044253A 895D E4 mov dword ptr ss:,ebx
0044253D 895D E0 mov dword ptr ss:,ebx
00442540 897D F0 mov dword ptr ss:,edi
00442543 895D D8 mov dword ptr ss:,ebx
00442546 895D DC mov dword ptr ss:,ebx
00442549 E8 5287FEFF call 0042ACA0
0044254E 66:3BC3 cmp ax,bx
00442551 0F85 D8020000 jnz 0044282F
00442557 8B4D F0 mov ecx,dword ptr ss:
0044255A 895D 94 mov dword ptr ss:,ebx
0044255D 8B46 22 mov eax,dword ptr ds:
00442560 8BF9 mov edi,ecx
00442562 3BC3 cmp eax,ebx
00442564 74 0B je short 00442571 ; 跳
00442566 3BC8 cmp ecx,eax
00442568 0F85 1E010000 jnz 0044268C
0044256E 894D 94 mov dword ptr ss:,ecx
00442571 8D45 8C lea eax,dword ptr ss:
00442574 50 push eax
00442575 8D45 E0 lea eax,dword ptr ss:
00442578 50 push eax
00442579 8D45 E4 lea eax,dword ptr ss:
0044257C 50 push eax
0044257D 8D45 EC lea eax,dword ptr ss:
00442580 50 push eax
00442581 8D45 E8 lea eax,dword ptr ss:
00442584 50 push eax
00442585 8D45 D8 lea eax,dword ptr ss:
00442588 50 push eax
00442589 8D45 F0 lea eax,dword ptr ss:
0044258C 50 push eax
0044258D 8D45 DC lea eax,dword ptr ss:
00442590 50 push eax
00442591 6A 03 push 0x3
00442593 E8 0887FEFF call 0042ACA0
00442598 66:3BC3 cmp ax,bx
0044259B 0F85 8E020000 jnz 0044282F ; 不跳
004425A1 8B46 0C mov eax,dword ptr ds:
004425A4 3BC3 cmp eax,ebx
004425A6 74 03 je short 004425AB ; 不跳
004425A8 3145 94 xor dword ptr ss:,eax
004425AB 66:8B46 14 mov ax,word ptr ds:
004425AF 66:3D FFFF cmp ax,0xFFFF
004425B3 0F84 89000000 je 00442642 ; 跳
004425B9 8945 E8 mov dword ptr ss:,eax
004425BC 8D45 8C lea eax,dword ptr ss:
004425BF 50 push eax
004425C0 8D45 E0 lea eax,dword ptr ss:
004425C3 50 push eax
004425C4 8D45 E4 lea eax,dword ptr ss:
004425C7 50 push eax
004425C8 8D45 EC lea eax,dword ptr ss:
004425CB 50 push eax
004425CC 8D45 E8 lea eax,dword ptr ss:
004425CF 50 push eax
004425D0 8D45 D8 lea eax,dword ptr ss:
004425D3 50 push eax
004425D4 8D45 F0 lea eax,dword ptr ss:
004425D7 50 push eax
004425D8 8D45 DC lea eax,dword ptr ss:
004425DB 50 push eax
004425DC 6A 0C push 0xC
004425DE E8 BD86FEFF call 0042ACA0
004425E3 66:3BC3 cmp ax,bx
004425E6 0F85 1C020000 jnz 00442808
004425EC 66:837D EC 01 cmp word ptr ss:,0x1
004425F1 0F85 95000000 jnz 0044268C
004425F7 8B46 10 mov eax,dword ptr ds:
004425FA 3BC3 cmp eax,ebx
004425FC 74 3D je short 0044263B
004425FE 66:395D E4 cmp word ptr ss:,bx
00442602 0F84 84000000 je 0044268C
00442608 3145 94 xor dword ptr ss:,eax
0044260B 8D45 8C lea eax,dword ptr ss:
0044260E 50 push eax
0044260F 8D45 E0 lea eax,dword ptr ss:
00442612 50 push eax
00442613 8D45 E4 lea eax,dword ptr ss:
00442616 50 push eax
00442617 8D45 EC lea eax,dword ptr ss:
0044261A 50 push eax
0044261B 8D45 E8 lea eax,dword ptr ss:
0044261E 50 push eax
0044261F 8D45 D8 lea eax,dword ptr ss:
00442622 50 push eax
00442623 8D45 F0 lea eax,dword ptr ss:
00442626 50 push eax
00442627 8D45 DC lea eax,dword ptr ss:
0044262A 50 push eax
0044262B 6A 11 push 0x11
0044262D E8 6E86FEFF call 0042ACA0
00442632 66:3BC3 cmp ax,bx
00442635 0F85 CD010000 jnz 00442808
0044263B 0FB746 14 movzx eax,word ptr ds:
0044263F 3145 94 xor dword ptr ss:,eax
00442642 837E 1A FF cmp dword ptr ds:,-0x1
00442646 74 3D je short 00442685 ; 跳
00442648 8D45 8C lea eax,dword ptr ss:
0044264B 50 push eax
0044264C 8D45 E0 lea eax,dword ptr ss:
0044264F 50 push eax
00442650 8D45 E4 lea eax,dword ptr ss:
00442653 50 push eax
00442654 8D45 EC lea eax,dword ptr ss:
00442657 50 push eax
00442658 8D45 E8 lea eax,dword ptr ss:
0044265B 50 push eax
0044265C 8D45 D8 lea eax,dword ptr ss:
0044265F 50 push eax
00442660 8D45 F0 lea eax,dword ptr ss:
00442663 50 push eax
00442664 8D45 DC lea eax,dword ptr ss:
00442667 50 push eax
00442668 6A 0A push 0xA
0044266A E8 3186FEFF call 0042ACA0
0044266F 66:3BC3 cmp ax,bx
00442672 0F85 90010000 jnz 00442808
00442678 8B45 F0 mov eax,dword ptr ss:
0044267B 3B46 1A cmp eax,dword ptr ds:
0044267E 72 0C jb short 0044268C
00442680 3B46 1E cmp eax,dword ptr ds:
00442683 77 07 ja short 0044268C
00442685 C745 D4 0200000>mov dword ptr ss:,0x2
0044268C 66:837D D4 02 cmp word ptr ss:,0x2
00442691^ 0F85 22FEFFFF jnz 004424B9 ; 不跳
00442697 0FB745 DC movzx eax,word ptr ss:
0044269B A3 30544200 mov dword ptr ds:,eax
004426A0 8B45 08 mov eax,dword ptr ss:
004426A3 897E 22 mov dword ptr ds:,edi
004426A6 8B78 34 mov edi,dword ptr ds:
004426A9 03F8 add edi,eax
004426AB 0FB707 movzx eax,word ptr ds:
004426AE 47 inc edi
004426AF 8945 CC mov dword ptr ss:,eax
004426B2 47 inc edi
004426B3 80BE C8030000 0>cmp byte ptr ds:,0x1
004426BA 0F85 F6000000 jnz 004427B6 ; 不跳
004426C0 3BC3 cmp eax,ebx
004426C2 895D D4 mov dword ptr ss:,ebx
004426C5 0F8E EB000000 jle 004427B6 ; 不跳
004426CB 8B07 mov eax,dword ptr ds:
004426CD 8B5F 04 mov ebx,dword ptr ds:
004426D0 83C7 04 add edi,0x4
004426D3 8945 D0 mov dword ptr ss:,eax
004426D6 8945 D8 mov dword ptr ss:,eax
004426D9 8D45 8C lea eax,dword ptr ss:
004426DC 50 push eax
004426DD 8D45 E0 lea eax,dword ptr ss:
004426E0 50 push eax
004426E1 8D45 E4 lea eax,dword ptr ss:
004426E4 50 push eax
004426E5 8D45 EC lea eax,dword ptr ss:
004426E8 50 push eax
004426E9 8D45 E8 lea eax,dword ptr ss:
004426EC 50 push eax
004426ED 8D45 D8 lea eax,dword ptr ss:
004426F0 50 push eax
004426F1 8D45 F0 lea eax,dword ptr ss:
004426F4 50 push eax
004426F5 8D45 DC lea eax,dword ptr ss:
004426F8 50 push eax
004426F9 6A 08 push 0x8
004426FB 83C7 04 add edi,0x4
004426FE E8 9D85FEFF call 0042ACA0
00442703 66:85C0 test ax,ax
00442706 0F85 FA000000 jnz 00442806 ; 不跳
0044270C 66:8B45 E8 mov ax,word ptr ss:
00442710 66:8945 8C mov word ptr ss:,ax
00442714 66:8B45 EC mov ax,word ptr ss:
00442718 66:8945 8E mov word ptr ss:,ax
0044271C 66:8B45 E4 mov ax,word ptr ss:
00442720 66:8945 90 mov word ptr ss:,ax
00442724 66:8B45 E0 mov ax,word ptr ss:
00442728 66:8945 92 mov word ptr ss:,ax
0044272C 8B45 08 mov eax,dword ptr ss:
0044272F 8B40 04 mov eax,dword ptr ds:
00442732 0345 D0 add eax,dword ptr ss:
00442735 8945 D0 mov dword ptr ss:,eax
00442738 33C0 xor eax,eax
0044273A 8A8C06 BC030000 mov cl,byte ptr ds:
00442741 884C05 98 mov byte ptr ss:,cl
00442745 40 inc eax
00442746 83F8 0C cmp eax,0xC
00442749^ 7C EF jl short 0044273A
0044274B 8D45 8C lea eax,dword ptr ss:
0044274E 8D8D 30FDFFFF lea ecx,dword ptr ss:
00442754 50 push eax
00442755 8B85 30FDFFFF mov eax,dword ptr ss:
0044275B FF10 call dword ptr ds:
0044275D 6A 18 push 0x18
0044275F 8D85 74FFFFFF lea eax,dword ptr ss:
00442765 C1EB 03 shr ebx,0x3
00442768 6A 00 push 0x0
0044276A 50 push eax
0044276B C1E3 03 shl ebx,0x3
0044276E E8 2DB5FEFF call 0042DCA0
00442773 8D45 8C lea eax,dword ptr ss:
00442776 6A 08 push 0x8
00442778 50 push eax
00442779 8D85 74FFFFFF lea eax,dword ptr ss:
0044277F 50 push eax
00442780 E8 DBB1FEFF call 0042D960
00442785 83C4 18 add esp,0x18
00442788 8D85 74FFFFFF lea eax,dword ptr ss:
0044278E 8D8D 30FDFFFF lea ecx,dword ptr ss:
00442794 50 push eax
00442795 8B85 30FDFFFF mov eax,dword ptr ss:
0044279B 53 push ebx
0044279C FF75 D0 push dword ptr ss:
0044279F FF75 D0 push dword ptr ss:
004427A2 FF50 10 call dword ptr ds:
004427A5 FF45 D4 inc dword ptr ss:
004427A8 8B45 D4 mov eax,dword ptr ss:
004427AB 3B45 CC cmp eax,dword ptr ss:
004427AE^ 0F8C 17FFFFFF jl 004426CB ; 不跳
004427B4 33DB xor ebx,ebx
004427B6 8D45 DC lea eax,dword ptr ss:
004427B9 50 push eax
004427BA 56 push esi
004427BB E8 A5F8FFFF call 00442065
004427C0 59 pop ecx
004427C1 84C0 test al,al
004427C3 59 pop ecx
004427C4 0F85 8A000000 jnz 00442854 ; 关键跳
004427CA 8D45 8C lea eax,dword ptr ss:
004427CD 50 push eax
004427CE 8D45 E0 lea eax,dword ptr ss:
004427D1 50 push eax
004427D2 8D45 E4 lea eax,dword ptr ss:
004427D5 50 push eax
004427D6 8D45 EC lea eax,dword ptr ss:
004427D9 50 push eax
004427DA 8D45 E8 lea eax,dword ptr ss:
004427DD 50 push eax
004427DE 8D45 D8 lea eax,dword ptr ss:
004427E1 50 push eax
004427E2 8D45 F0 lea eax,dword ptr ss:
004427E5 50 push eax
004427E6 8D45 DC lea eax,dword ptr ss:
004427E9 50 push eax
004427EA 6A 04 push 0x4
004427EC E8 AF84FEFF call 0042ACA0
004427F1 837E 04 01 cmp dword ptr ds:,0x1
004427F5 0F84 DF000000 je 004428DA
004427FB 53 push ebx
004427FC E8 C4D9FFFF call 004401C5
00442801 E9 D4000000 jmp 004428DA
00442806 33DB xor ebx,ebx
00442808 8D45 8C lea eax,dword ptr ss:
0044280B 50 push eax
0044280C 8D45 E0 lea eax,dword ptr ss:
0044280F 50 push eax
00442810 8D45 E4 lea eax,dword ptr ss:
00442813 50 push eax
00442814 8D45 EC lea eax,dword ptr ss:
00442817 50 push eax
00442818 8D45 E8 lea eax,dword ptr ss:
0044281B 50 push eax
0044281C 8D45 D8 lea eax,dword ptr ss:
0044281F 50 push eax
00442820 8D45 F0 lea eax,dword ptr ss:
00442823 50 push eax
00442824 8D45 DC lea eax,dword ptr ss:
00442827 50 push eax
00442828 6A 04 push 0x4
0044282A E8 7184FEFF call 0042ACA0
0044282F 8D46 26 lea eax,dword ptr ds:
00442832 8DBE A6000000 lea edi,dword ptr ds:
00442838 6A 10 push 0x10
0044283A 50 push eax
0044283B 57 push edi
0044283C 53 push ebx
0044283D FF15 FCF14100 call dword ptr ds: ; user32.MessageBoxA
00442843 3BC3 cmp eax,ebx
00442845^ 75 83 jnz short 004427CA
00442847 57 push edi
00442848 53 push ebx
00442849 FF15 CCF04100 call dword ptr ds:
0044284F^ E9 76FFFFFF jmp 004427CA
00442854 8D45 8C lea eax,dword ptr ss:
00442857 50 push eax
00442858 8D45 E0 lea eax,dword ptr ss:
0044285B 50 push eax
0044285C 8D45 E4 lea eax,dword ptr ss:
0044285F 50 push eax
00442860 8D45 EC lea eax,dword ptr ss:
00442863 50 push eax
00442864 8D45 E8 lea eax,dword ptr ss:
00442867 50 push eax
00442868 8D45 D8 lea eax,dword ptr ss:
0044286B 50 push eax
0044286C 8D45 F0 lea eax,dword ptr ss:
0044286F 50 push eax
00442870 8D45 DC lea eax,dword ptr ss:
00442873 50 push eax
00442874 6A 04 push 0x4
00442876 E8 2584FEFF call 0042ACA0
0044287B E8 C2DEFFFF call 00440742
00442880 8D86 2E030000 lea eax,dword ptr ds:
00442886 50 push eax
00442887 E8 9EDBFFFF call 0044042A
0044288C 395E 0C cmp dword ptr ds:,ebx
0044288F 59 pop ecx
00442890 74 45 je short 004428D7 ; 不跳
00442892 83BE A6020000 0>cmp dword ptr ds:,0x1
00442899 8B3D 68F04100 mov edi,dword ptr ds:
0044289F 75 1B jnz short 004428BC ; 跳
004428A1 68 38544200 push 00425438
004428A6 53 push ebx
004428A7 56 push esi
004428A8 68 82034400 push 00440382
004428AD 53 push ebx
004428AE 53 push ebx
004428AF FF15 C8F04100 call dword ptr ds:
004428B5 A3 34544200 mov dword ptr ds:,eax
004428BA EB 14 jmp short 004428D0
004428BC 56 push esi
004428BD 68 64234400 push 00442364
004428C2 FFD7 call edi
004428C4 50 push eax
004428C5 FF76 0C push dword ptr ds:
004428C8 E8 30E5FFFF call 00440DFD
004428CD 83C4 10 add esp,0x10
004428D0 FFD7 call edi
004428D2 A3 28544200 mov dword ptr ds:,eax
004428D7 6A 01 push 0x1
004428D9 5B pop ebx
004428DA 834D FC FF or dword ptr ss:,0xFFFFFFFF
004428DE 8D8D 30FDFFFF lea ecx,dword ptr ss:
004428E4 E8 D6F1FFFF call 00441ABF
004428E9 8B4D F4 mov ecx,dword ptr ss:
004428EC 5F pop edi
004428ED 8BC3 mov eax,ebx
004428EF 5E pop esi
004428F0 5B pop ebx
004428F1 64:890D 0000000>mov dword ptr fs:,ecx
004428F8 C9 leave
004428F9 C2 0400 retn 0x4
正常返回到0043F67D
0043F67D E8 CB2D0000 call 0044244D ; 加密验证call
0043F682 85C0 test eax,eax
0043F684 75 4E jnz short 0043F6D4 ; 跳
0043F686 EB 0A jmp short 0043F692
0043F688 58 pop eax
0043F689 0AC9 or cl,cl
0043F68B EB 02 jmp short 0043F68F
0043F68D 80CD EB or ch,0xEB
0043F690 06 push es
0043F691 CE into
0043F692^ EB F6 jmp short 0043F68A
0043F694 F3: prefix rep:
0043F695^ E2 A0 loopd short 0043F637
0043F697 EB 0A jmp short 0043F6A3
0043F699 B6 58 mov dh,0x58
0043F69B EB 02 jmp short 0043F69F
0043F69D 51 push ecx
0043F69E DCEB fsub st(3),st
0043F6A0 07 pop es
0043F6A1 43 inc ebx
0043F6A2 25 EBF5108F and eax,0x8F10F5EB
0043F6A7 40 inc eax
0043F6A8 EB 0F jmp short 0043F6B9
0043F6AA DF5CB8 00 fistp word ptr ds:
0043F6AE 0000 add byte ptr ds:,al
0043F6B0 00EB add bl,ch
0043F6B2 02DD add bl,ch
0043F6B4 B0 EB mov al,0xEB
0043F6B6 07 pop es
0043F6B7 FFE4 jmp esp
0043F6B9^ EB F1 jmp short 0043F6AC
0043F6BB^ 73 C1 jnb short 0043F67E
0043F6BD 24 EB and al,0xEB
0043F6BF 0FA483 28C20C00>shld dword ptr ds:,eax,0xEB
0043F6C7 02D7 add dl,bh
0043F6C9 A5 movs dword ptr es:,dword ptr ds:[es>
0043F6CA EB 08 jmp short 0043F6D4
0043F6CC 96 xchg eax,esi
0043F6CD 1E push ds
0043F6CE A6 cmps byte ptr ds:,byte ptr es:
0043F6CF^ EB F2 jmp short 0043F6C3
0043F6D1 831E 06 sbb dword ptr ds:,0x6
0043F6D4 E8 A5230000 call 00441A7E
0043F6D9 6A 00 push 0x0
0043F6DB FF75 F8 push dword ptr ss:
0043F6DE FF75 F4 push dword ptr ss:
0043F6E1 E8 06070000 call 0043FDEC
0043F6E6 8B45 F8 mov eax,dword ptr ss:
0043F6E9 8B40 0C mov eax,dword ptr ds:
0043F6EC 8B4D F8 mov ecx,dword ptr ss:
0043F6EF 0341 04 add eax,dword ptr ds:
0043F6F2 8945 FC mov dword ptr ss:,eax
0043F6F5 B8 C52B4400 mov eax,00442BC5
0043F6FA 2D B0D94300 sub eax,0043D9B0 ; ASCII E8,"瞄"
0043F6FF 8945 D4 mov dword ptr ss:,eax
0043F702 C745 D8 B0D9430>mov dword ptr ss:,0043D9B0 ; ASCII E8,"瞄"
0043F709 8365 E0 00 and dword ptr ss:,0x0
0043F70D 8365 DC 00 and dword ptr ss:,0x0
0043F711 EB 07 jmp short 0043F71A
0043F713 8B45 DC mov eax,dword ptr ss:
0043F716 40 inc eax
0043F717 8945 DC mov dword ptr ss:,eax
0043F71A 8B45 D4 mov eax,dword ptr ss:
0043F71D 99 cdq
0043F71E 6A 04 push 0x4
0043F720 59 pop ecx
0043F721 F7F9 idiv ecx
0043F723 3945 DC cmp dword ptr ss:,eax
0043F726 7D 2F jge short 0043F757
0043F728 8B45 DC mov eax,dword ptr ss:
0043F72B 99 cdq
0043F72C 6A 02 push 0x2
0043F72E 59 pop ecx
0043F72F F7F9 idiv ecx
0043F731 85D2 test edx,edx
0043F733 75 11 jnz short 0043F746
0043F735 8B45 DC mov eax,dword ptr ss:
0043F738 8B4D D8 mov ecx,dword ptr ss:
0043F73B 8B55 E0 mov edx,dword ptr ss:
0043F73E 031481 add edx,dword ptr ds:
0043F741 8955 E0 mov dword ptr ss:,edx
0043F744 EB 0F jmp short 0043F755
0043F746 8B45 DC mov eax,dword ptr ss:
0043F749 8B4D D8 mov ecx,dword ptr ss:
0043F74C 8B55 E0 mov edx,dword ptr ss:
0043F74F 331481 xor edx,dword ptr ds:
0043F752 8955 E0 mov dword ptr ss:,edx
0043F755^ EB BC jmp short 0043F713
0043F757 8B45 E0 mov eax,dword ptr ss:
0043F75A 3B05 A0514200 cmp eax,dword ptr ds:
0043F760 74 20 je short 0043F782 ; 跳
0043F762 6A 00 push 0x0
0043F764 6A 00 push 0x0
0043F766 68 78524200 push 00425278
0043F76B E8 2EFDFFFF call 0043F49E
0043F770 59 pop ecx
0043F771 50 push eax
0043F772 6A 00 push 0x0
0043F774 FF15 FCF14100 call dword ptr ds: ; user32.MessageBoxA
0043F77A 6A 00 push 0x0
0043F77C FF15 E8F04100 call dword ptr ds:
0043F782 833D 34544200 0>cmp dword ptr ds:,0x0
0043F789 74 0C je short 0043F797
0043F78B FF35 34544200 push dword ptr ds:
0043F791 FF15 60F04100 call dword ptr ds:
0043F797 8B45 F8 mov eax,dword ptr ss:
0043F79A 8378 18 FF cmp dword ptr ds:,-0x1
0043F79E 74 31 je short 0043F7D1 ; 未跳
继续就到了
004041AC 55 db 55 ;CHAR 'U'
004041AD 8B db 8B
004041AE EC db EC
004041AF 83 db 83
004041B0 C4 db C4
004041B1 F0 db F0
004041B2 53 db 53 ;CHAR 'S'
004041B3 B8 db B8 ;v
004041B4 F43D4000 dd Xtdl3e.00403DF4 ;UNICODE "v"
004041B8 E8 db E8
004041B9 1F db 1F
004041BA CF db CF
004041BB FF db FF
004041BC .FFA1 60794000 jmp dword ptr ds:
程序领空
004041AC为OEP
dump
修复iat
OEP 000041AC
找RVA
一般方法,载入带壳程序来到OEP,Ctrl+B,搜索ff15或ff25找到call或jmp后,数据窗口,Ctrl+G,跟随call或jmp后的地址,这里就是IAT,此时可以确定IAT起始位
置和大小(上下翻页)
起始位置
00007000
大小
00004B22
fix dump
试运行失败
剩下内容还在研究,研究成功,发破文,如果有大神指点小弟,甚好 现在程序还是不能跑
会退出
iat修复,我按照教程走的
跟了一下,发现iat修复还是有问题,大神给参谋一下
页:
[1]