TMD 2.0.5.0 Unpacking Notes
【Packer】: Themida 2.0.5.0 【Protection】: Themida
【Tools used】: OllyDbg (od), UIF, ImportREC
Run the program under the debugger and go to msvbvm60.ThunRTMain:
7344357C >55            push ebp                          ; 注册表随.0051CDBE
7344357D  8BEC          mov ebp,esp
7344357F  6A FF         push -1
73443581  68 C0944573   push msvbvm60.734594C0
73443586  68 26B15273   push msvbvm60.7352B126
7344358B  64:A1 00000000 mov eax,dword ptr fs:[0]
7344357C  6AEC8B55  U嬱j   (data window: the first bytes of ThunRTMain; set a hardware breakpoint on access here)
Break at 401120, then scroll down to find the jmp to msvbvm60.ThunRTMain:
004011BD ?98 cwde
004011BE ?02F0 add dh,al
004011C0 .- E9 B7230473 jmp msvbvm60.ThunRTMain     ; set a hardware breakpoint here
Reload the program.
00553175 /0F85 9D000000 jnz 注册表随.00553218     ; it breaks here; remove the breakpoint at 7344357C
0055317B |0F8A 01000000 jpe 注册表随.00553182
00553181 |F9 stc
00553182 |66:8178 04 4C2E cmp word ptr ds:[eax+4],2E4C
00553188 |0F85 8A000000 jnz 注册表随.00553218
0055318E |60 pushad
0055318F |50 push eax
00553190 |E9 10000000 jmp 注册表随.005531A5
005507E3 3B85 F5207406 cmp eax,dword ptr ss:[ebp+67420F5] ; with msvbvm60.ThunRTMain in eax we arrive here
005507E9 0F84 22000000 je 注册表随.00550811               ; magic jump, patch it
005507EF F8 clc
005507F0 3B85 FD287406 cmp eax,dword ptr ss:[ebp+67428FD]
005507F6 0F85 2C000000 jnz 注册表随.00550828
004011BA .- E9 E8881073 jmp msvbvm60.EVENT_SINK_Release
004011BF AB db AB
004011C0 .- E9 B7230473 jmp msvbvm60.ThunRTMain     ; remove the 00553175 breakpoint, then we arrive here
004011C5 4C db 4C ;CHAR 'L'
Data window (the VB5! header at 00401354, followed by the runtime language DLL name vb6chs.dll):
00401354  21354256  VB5!
00401358  62761FF0  ?vb
0040135C  73686336  6chs
00401360  6C6C642E  .dll
Stack (the header address 00401354 is what gets pushed before ThunRTMain is called):
0012FF90  0054426F  注册表随.0054426F
0012FF94  00401354  注册表随.00401354
0012FF98  004FB701  ASCII "`j"
0012FF9C  0012FFE0
0012FFA0  004EF3C8  注册表随.004EF3C8
004011C0 .- E9 B7230473 jmp msvbvm60.ThunRTMain
004011C5 28 db 28 ;CHAR '('
004011C6 00 db 00
004011C7 68 54134000 push 注册表随.00401354     ; restored OEP: push the VB5! header, then call the ThunRTMain stub
004011CC E8 EFFFFFFF call 注册表随.004011C0
004011D1 14 db 14
004011D2 00 db 00
004011D3 00 db 00
004011D4 00 db 00

Replies:
I don't think I've understood this yet, there's quite a gap!!!
A VB program? Try some other ones.
Didn't understand it :rggrg
Bump bump bump, expert!
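Added example (not code from the original post): a small Python script that automates the last step of the walkthrough, restoring the stolen VB entry point. It finds the VB5! header in a dump, checks the jmp-to-ThunRTMain stub, and encodes the two instructions `push <header>` / `call <stub>` at the chosen OEP, with a decoder to verify a patched stub. The dump it runs on is constructed inline with the addresses from the post; the header field layout (szVbMagic, wRuntimeBuild, szLangDll) is the well-known VBHeader structure, and the image base of 00400000 is assumed.

```python
import struct

# Layout of the first VBHeader fields (assumed from the public VB5/VB6 header structure):
#   char szVbMagic[4]   "VB5!"
#   WORD wRuntimeBuild  runtime build number
#   char szLangDll[14]  language DLL name, e.g. "vb6chs.dll"
VB_MAGIC = b"VB5!"
IMAGE_BASE = 0x400000  # assumed image base of the target


def find_vb_header(image: bytes, image_base: int):
    """Return (va, runtime_build, lang_dll) of the first VB5! header, or None."""
    off = image.find(VB_MAGIC)
    if off < 0:
        return None
    build = struct.unpack_from("<H", image, off + 4)[0]
    lang = image[off + 6:off + 20].split(b"\x00", 1)[0].decode("ascii", "replace")
    return image_base + off, build, lang


def decode_jmp_rel32(image: bytes, image_base: int, va: int) -> int:
    """Resolve the target of an E9 rel32 jmp at va (e.g. the jmp to msvbvm60.ThunRTMain)."""
    off = va - image_base
    if image[off] != 0xE9:
        raise ValueError("no E9 jmp at %08X" % va)
    rel = struct.unpack_from("<i", image, off + 1)[0]
    return (va + 5 + rel) & 0xFFFFFFFF


def build_vb_oep_stub(oep_va: int, header_va: int, call_target_va: int) -> bytes:
    """Encode 'push header_va ; call call_target_va' as it must sit at oep_va."""
    push = b"\x68" + struct.pack("<I", header_va)
    call_va = oep_va + len(push)
    rel32 = call_target_va - (call_va + 5)  # call is relative to the next instruction
    return push + b"\xE8" + struct.pack("<i", rel32)


def decode_vb_oep_stub(stub: bytes, oep_va: int):
    """Inverse of build_vb_oep_stub, to check a restored OEP: (header_va, call_target_va)."""
    if len(stub) < 10 or stub[0] != 0x68 or stub[5] != 0xE8:
        raise ValueError("not a 'push imm32 ; call rel32' VB entry stub")
    header_va = struct.unpack_from("<I", stub, 1)[0]
    rel32 = struct.unpack_from("<i", stub, 6)[0]
    return header_va, oep_va + 10 + rel32


def restore_oep(image: bytes, image_base: int, oep_va: int, thunk_va: int) -> bytes:
    """Write the VB entry stub at oep_va and return the patched image."""
    hdr = find_vb_header(image, image_base)
    if hdr is None:
        raise ValueError("no VB5! header in image")
    stub = build_vb_oep_stub(oep_va, hdr[0], thunk_va)
    patched = bytearray(image)
    off = oep_va - image_base
    patched[off:off + len(stub)] = stub
    return bytes(patched)


def make_sample_image() -> bytes:
    """Constructed dump (not a real file): zero-filled, with the post's addresses laid out."""
    img = bytearray(0x2000)
    hdr_off = 0x401354 - IMAGE_BASE
    img[hdr_off:hdr_off + 4] = VB_MAGIC
    struct.pack_into("<H", img, hdr_off + 4, 0x1FF0)            # bytes F0 1F as in the dump
    img[hdr_off + 6:hdr_off + 20] = b"vb6chs.dll".ljust(14, b"\x00")
    img[0x11C0:0x11C5] = bytes.fromhex("E9B7230473")          # jmp msvbvm60.ThunRTMain stub
    return bytes(img)


if __name__ == "__main__":
    image = make_sample_image()
    va, build, lang = find_vb_header(image, IMAGE_BASE)
    print("VB5! header at %08X, runtime build %d, %s" % (va, build, lang))
    print("jmp at 004011C0 ->  %08X" % decode_jmp_rel32(image, IMAGE_BASE, 0x4011C0))
    fixed = restore_oep(image, IMAGE_BASE, 0x4011C7, 0x4011C0)
    print("OEP stub:", fixed[0x11C7:0x11D1].hex().upper())
```

The decoded jmp target 7344357C matches the ThunRTMain address in the listing, and the generated bytes `68 54134000 E8 EFFFFFFF` are exactly the two instructions shown at 004011C7 above; running the decoder over a dumped file's OEP bytes is a quick check that a hand-patched stub points at the right header and stub.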