Newbie stuck on an unknown, unusual packer: can't unpack it and don't know where to start, asking for help
I've tried all the common tools and they definitely can't identify a packer. After some study I judged it to be written in VC++, but the program has been processed:
1: Strings can't be searched for
2: Common API functions can't be located, and string searches fail
3: Manual testing in OD turned up nothing
4: Could it be VMP? (after testing I'm no longer sure)
I hope the experts here can give me some pointers. Because the software is a small commercial tool with network-account licensing, I won't post the program for now (afraid of getting my ID banned).
The detailed code at the program entry is as follows:
0040CD2F: E8E15C0000 CALL 00412A15H
0040CD34: E9A4FEFFFF JMP 0040CBDDH
0040CD39: 8BFF MOV EDI, EDI
0040CD3B: 55 PUSH EBP
0040CD3C: 8BEC MOV EBP, ESP
0040CD3E: 83EC20 SUB ESP, 00000020H
0040CD41: 8B4508 MOV EAX,
0040CD44: 56 PUSH ESI
0040CD45: 57 PUSH EDI
0040CD46: 6A08 PUSH 00000008H
0040CD48: 59 POP ECX
0040CD49: BE58F04100 MOV ESI, 0041F058H
0040CD4E: 8D7DE0 LEA EDI,
0040CD51: F3A5 REP MOVSD
0040CD53: 8945F8 MOV , EAX
0040CD56: 8B450C MOV EAX,
0040CD59: 5F POP EDI
0040CD5A: 8945FC MOV , EAX
0040CD5D: 5E POP ESI
0040CD5E: 85C0 TEST EAX, EAX
0040CD60: 740C JZ 40CD6EH
0040CD62: F60008 TEST BYTE PTR , 08H
0040CD65: 7407 JZ 40CD6EH
0040CD67: C745F400409901 MOV , 01994000H
0040CD6E: 8D45F4 LEA EAX,
0040CD71: 50 PUSH EAX
0040CD72: FF75F0 PUSH
0040CD75: FF75E4 PUSH
0040CD78: FF75E0 PUSH
0040CD7B: FF1500B04100 CALL ; RaiseException
0040CD81: C9 LEAVE
0040CD82: C20800 RETN 0008H
0040CD85: C3 RET
0040CD86: B863354100 MOV EAX, 00413563H
0040CD8B: A3E4284200 MOV , EAX
0040CD90: C705E82842004A2C4100 MOV , 00412C4AH
0040CD9A: C705EC284200FE2B4100 MOV , 00412BFEH
0040CDA4: C705F0284200372C4100 MOV , 00412C37H
0040CDAE: C705F4284200A02B4100 MOV , 00412BA0H
0040CDB8: A3F8284200 MOV , EAX
0040CDBD: C705FC284200DB344100 MOV , 004134DBH
0040CDC7: C70500294200BC2B4100 MOV , 00412BBCH
0040CDD1: C705042942001E2B4100 MOV , 00412B1EH
0040CDDB: C70508294200AB2A4100 MOV , 00412AABH
0040CDE5: C3 RET
0040CDE6: 8BFF MOV EDI, EDI
0040CDE8: 55 PUSH EBP
0040CDE9: 8BEC MOV EBP, ESP
0040CDEB: E896FFFFFF CALL 0040CD86H
0040CDF0: E81B680000 CALL 00413610H
0040CDF5: 837D0800 CMP , 00000000H
0040CDF9: A3A4344200 MOV , EAX
0040CDFE: 7405 JZ 40CE05H
0040CE00: E8A2670000 CALL 004135A7H
0040CE05: DBE2 FCLEX
0040CE07: 5D POP EBP
0040CE08: C3 RET
0040CE09: 3B0D34224200 CMP ECX,
0040CE0F: 7502 JNZ 40CE13H
0040CE11: F3C3 REP RET
0040CE13: E921680000 JMP 00413639H
0040CE18: CC INT 3
0040CE19: CC INT 3
0040CE1A: CC INT 3
0040CE1B: CC INT 3
0040CE1C: CC INT 3
0040CE1D: CC INT 3
0040CE1E: CC INT 3
0040CE1F: CC INT 3
0040CE20: 8BFF MOV EDI, EDI
0040CE22: 55 PUSH EBP
0040CE23: 8BEC MOV EBP, ESP
0040CE25: 83EC18 SUB ESP, 00000018H
0040CE28: 53 PUSH EBX
0040CE29: 8B5D0C MOV EBX,
0040CE2C: 56 PUSH ESI
0040CE2D: 8B7308 MOV ESI,
0040CE30: 333534224200 XOR ESI,
0040CE36: 57 PUSH EDI
0040CE37: 8B06 MOV EAX,
0040CE39: C645FF00 MOV BYTE PTR , 00H
0040CE3D: C745F401000000 MOV , 00000001H
0040CE44: 8D7B10 LEA EDI,
0040CE47: 83F8FE CMP EAX, FFFFFFFEH
0040CE4A: 740D JZ 40CE59H
0040CE4C: 8B4E04 MOV ECX,
0040CE4F: 03CF ADD ECX, EDI
0040CE51: 330C38 XOR ECX,
0040CE54: E8B0FFFFFF CALL 0040CE09H
0040CE59: 8B4E0C MOV ECX,
0040CE5C: 8B4608 MOV EAX,
0040CE5F: 03CF ADD ECX, EDI
0040CE61: 330C38 XOR ECX,
0040CE64: E8A0FFFFFF CALL 0040CE09H
0040CE69: 8B4508 MOV EAX,
0040CE6C: F6400466 TEST BYTE PTR , 66H
It looks like a standard VS build; together with the sections it doesn't look packed. You could try approaching it from another angle.
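The reply above points at the section table as the first thing to check. The following is an added example, not code from either poster: a dependency-free section-table triage in Python that applies a few hypothetical heuristics (non-standard names, high entropy in executable sections, writable+executable, executable sections with no raw data) to two constructed in-memory PE images, one shaped like a plain VC++ build and one shaped like a packed binary.

```python
import math
import struct
STANDARD_NAMES = {b".text", b".rdata", b".data", b".rsrc", b".reloc", b".idata", b".tls", b".bss"}
SCN_EXECUTE, SCN_WRITE = 0x20000000, 0x80000000  # IMAGE_SCN_MEM_EXECUTE / IMAGE_SCN_MEM_WRITE

def shannon_entropy(data):  # bits per byte: native code is ~5-6.5, compressed or encrypted data passes 7
    n = len(data) or 1
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in set(data)))

def pe_sections(image):  # DOS header -> PE signature -> COFF header -> section table, using struct only
    e_lfanew, = struct.unpack_from("<I", image, 0x3C)
    if image[:2] != b"MZ" or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsec, opt_size = struct.unpack_from("<H12xH", image, coff + 2)  # NumberOfSections, SizeOfOptionalHeader
    table, out = coff + 20 + opt_size, []
    for i in range(nsec):
        name, vsize, _, rsize, rptr, _, _, _, _, flags = struct.unpack_from("<8sIIIIIIHHI", image, table + 40 * i)
        out.append({"name": name.rstrip(b"\0"), "vsize": vsize, "rsize": rsize,
                    "flags": flags, "entropy": shannon_entropy(image[rptr:rptr + rsize])})
    return out

def packer_indicators(image):  # (section, reason) pairs; an empty list is consistent with a plain VC++ build
    findings = []
    for s in pe_sections(image):
        name, is_exec = s["name"].decode("latin-1"), bool(s["flags"] & SCN_EXECUTE)
        if s["name"] not in STANDARD_NAMES:
            findings.append((name, "non-standard section name"))
        if is_exec and s["entropy"] > 7.0:
            findings.append((name, "high-entropy executable section"))
        if is_exec and s["flags"] & SCN_WRITE:
            findings.append((name, "writable+executable section"))
        if is_exec and s["rsize"] == 0 and s["vsize"] > 0:
            findings.append((name, "executable section with no raw data (unpack area)"))
    return findings

def build_sample_pe(sections):  # constructed minimal PE image (no optional header); sections = [(name, flags, raw)]
    table, body, off = b"", b"", 0x40 + 4 + 20 + 40 * len(sections)
    for name, flags, raw in sections:
        vsize = len(raw) or 0x10000  # no raw data but a large virtual size, as an unpack area would look
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, 0x1000, len(raw), off, 0, 0, 0, 0, flags)
        body, off = body + raw, off + len(raw)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    return b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + coff + table + body

# Constructed samples: the prologue bytes from the listing above stand in for ordinary VC++ code.
CODE = b"\x8b\xff\x55\x8b\xec\x83\xec\x20\x56\x57" * 100
PLAIN = build_sample_pe([(b".text", 0x60000020, CODE), (b".rdata", 0x40000040, b"Hello\0" * 20)])
SUSPECT = build_sample_pe([(b".text", 0xE0000020, b""), (b".pack0", 0x60000020, bytes(range(256)) * 4)])
```

`packer_indicators(PLAIN)` returns an empty list while `packer_indicators(SUSPECT)` flags both sections; on a real file, read it with `open(path, "rb").read()` and treat the output as a hint to investigate, not a verdict.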