好友
阅读权限10
听众
最后登录1970-1-1
|
WinUpack 0.2x - 0.3x
0103B070 > 55 PUSH EBP//壳入口 ctrl+G VirtualAlloc
0103B071 8BEC MOV EBP,ESP
0103B073 6A FF PUSH -1
0103B075 68 FC424000 PUSH 4042FC
0103B07A 68 04214000 PUSH 402104
0103B07F 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
7C809A51 > 8BFF MOV EDI,EDI//跟随到这里
7C809A53 55 PUSH EBP
7C809A54 8BEC MOV EBP,ESP
7C809A56 FF75 14 PUSH DWORD PTR SS:[EBP+14]
7C809A59 FF75 10 PUSH DWORD PTR SS:[EBP+10]
7C809A5C FF75 0C PUSH DWORD PTR SS:[EBP+C]
7C809A5F FF75 08 PUSH DWORD PTR SS:[EBP+8]
7C809A62 6A FF PUSH -1
7C809A64 E8 09000000 CALL VirtualAllocEx
7C809A69 5D POP EBP
7C809A6A C2 1000 RET 10//F2下断点 F9运行程序 (8次程序运行 最后一次异常法)运行7次后F2取消断点 F7进入
01015F2A A3 F8850201 MOV DWORD PTR DS:[10285F8],EAX//停在这里 ctrl+g跟随 LoadLibraryA
01015F2F 8B15 F4850201 MOV EDX,DWORD PTR DS:[10285F4]
01015F35 C702 0D661900 MOV DWORD PTR DS:[EDX],19660D
01015F3B A1 F8850201 MOV EAX,DWORD PTR DS:[10285F8]
01015F40 C700 5FF36E3C MOV DWORD PTR DS:[EAX],3C6EF35F
01015F46 C745 EC 0000000>MOV DWORD PTR SS:[EBP-14],0
01015F4D C745 FC 0000000>MOV DWORD PTR SS:[EBP-4],0
01015F54 68 00002E00 PUSH 2E0000
01015F59 E8 40FCFFFF CALL 01015B9E
7C801D77 > 8BFF MOV EDI,EDI//跟随到这里
7C801D79 55 PUSH EBP
7C801D7A 8BEC MOV EBP,ESP
7C801D7C 837D 08 00 CMP DWORD PTR SS:[EBP+8],0
7C801D80 53 PUSH EBX
7C801D81 56 PUSH ESI
7C801D82 74 14 JE SHORT 7C801D98
7C801D84 68 C0E0807C PUSH 7C80E0C0 ; ASCII "twain_32.dll"
7C801D89 FF75 08 PUSH DWORD PTR SS:[EBP+8]
7C801D8C FF15 9C13807C CALL DWORD PTR DS:[<&ntdll._strcmpi>] ; ntdll._stricmp
7C801D92 85C0 TEST EAX,EAX
7C801D94 59 POP ECX
7C801D95 59 POP ECX
7C801D96 74 12 JE SHORT 7C801DAA
7C801D98 6A 00 PUSH 0
7C801D9A 6A 00 PUSH 0
7C801D9C FF75 08 PUSH DWORD PTR SS:[EBP+8]
7C801D9F E8 ABFFFFFF CALL LoadLibraryExA
7C801DA4 5E POP ESI
7C801DA5 5B POP EBX
7C801DA6 5D POP EBP
7C801DA7 C2 0400 RET 4//F2下断点 F9运行 F2取消断点 F7进入
0102159E 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX//停在这里 向下查找段尾
010215A1 837D F0 00 CMP DWORD PTR SS:[EBP-10],0
010215A5 75 16 JNZ SHORT 010215BD
010215A7 FF35 F0540201 PUSH DWORD PTR DS:[10254F0] ; UnpackMe.01027CF4
010216F1 C3 RET//F2下断点 F9运行 F2取消 F7进入
010216F2 55 PUSH EBP
01021552 83C4 0C ADD ESP,0C//停在这里
01021555 68 F0550201 PUSH 010255F0 ; ASCII "oleaut32.dll"
0102155A 6A 02 PUSH 2
0102155C 68 A8830201 PUSH 010283A8
01021561 E8 13000000 CALL 01021579
01021566 83C4 0C ADD ESP,0C
01021569 68 AC550201 PUSH 010255AC ; ASCII "kernel32.dll"
0102156E FF15 98860201 CALL DWORD PTR DS:[1028698] ; kernel32.GetModuleHandleA
01021574 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
01021577 C9 LEAVE
01021578 C3 RET//F2下断点 shift+F9运行 F2取消 F7进入
0101C797 E8 EA7BFFFF CALL 01014386//停在这里 向下查找段尾
0101C79C A1 04860201 MOV EAX,DWORD PTR DS:[1028604]
0101C7A1 8B48 04 MOV ECX,DWORD PTR DS:[EAX+4]
0101C7A4 894D EC MOV DWORD PTR SS:[EBP-14],ECX
0101C936 C3 RET//F2下断点 F9运行 F2取消 F7进入
0101C937 CC INT3
0101C938 CC INT3
010162CB 8B4D EC MOV ECX,DWORD PTR SS:[EBP-14]/停在这里
010162CE 894D 08 MOV DWORD PTR SS:[EBP+8],ECX
010162D1 833D B4C90201 0>CMP DWORD PTR DS:[102C9B4],0
010162D8 74 13 JE SHORT 010162ED
010162DA 6A 00 PUSH 0
010162DC 6A 00 PUSH 0
010162DE 6A 00 PUSH 0
010162E0 8B15 B4C90201 MOV EDX,DWORD PTR DS:[102C9B4]
010162E6 52 PUSH EDX
010162E7 FF15 B8870201 CALL DWORD PTR DS:[10287B8] ; user32.PostMessageA
010162ED 33C0 XOR EAX,EAX
010162EF 5F POP EDI
010162F0 5E POP ESI
010162F1 5B POP EBX
010162F2 8BE5 MOV ESP,EBP
010162F4 5D POP EBP
010162F5 C3 RET//F2下断点 shift+F9运行 F2取消 F7进入
0101572B 58 POP EAX //停在这里 ; UnpackMe.0100739D
0101572C 894424 24 MOV DWORD PTR SS:[ESP+24],EAX
01015730 61 POPAD
01015731 58 POP EAX
01015732 58 POP EAX
01015733 FFD0 CALL EAX//F7进入就是程序的OEP
0100739D . 6A 70 PUSH 70//OEP
0100739F . 68 98180001 PUSH 01001898
010073A4 . E8 BF010000 CALL 01007568
010073A9 . 33DB XOR EBX,EBX
010073AB . 53 PUSH EBX |
|
发帖前要善用【论坛搜索】功能,那里可能会有你要找的答案或者已经有人发布过相同内容了,请勿重复发帖。 |
|
|
|
|
|
|
发表于 2009-3-6 22:39
