Upack 2.4 - 2.9 beta
Packer check: Upack 2.4 - 2.9 beta -> Dwing. After loading the program into the debugger:
008DB34A >BE 88014000 MOV ESI,牧民远控.00400188 ; it stops here
008DB34F AD LODS DWORD PTR DS:[ESI]
008DB350 8BF8 MOV EDI,EAX
008DB352 95 XCHG EAX,EBP
008DB353 AD LODS DWORD PTR DS:[ESI]
008DB354 91 XCHG EAX,ECX
008DB355 F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
008DB4C0 3B7E 2C CMP EDI,DWORD PTR DS:[ESI+2C]
008DB4C3 73 03 JNB SHORT 牧民远控.008DB4C8 ; Follow, then F4
008DB4C5 FF66 28 JMP DWORD PTR DS:[ESI+28]
008DB4C8 58 POP EAX
008DB4E7 AB STOS DWORD PTR ES:[EDI]
008DB4E8 ^E2 E5 LOOPD SHORT 牧民远控.008DB4CF ; key signature
008DB4EA 8B5E 34 MOV EBX,DWORD PTR DS:[ESI+34]
008DB4ED 8B76 38 MOV ESI,DWORD PTR DS:[ESI+38]
008DB4F0 46 INC ESI
008DB4F1 AD LODS DWORD PTR DS:[ESI]
008DB4F2 85C0 TEST EAX,EAX
008DB4F4 -0F84 D66ED2FF JE 牧民远控.006023D0 ; set a breakpoint here and run, letting the jump be taken
Alternatively, follow the jump and run to selection,
then dump the unpacked program directly.
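An added example, not part of the original post: the opcode bytes in the listing above (the entry stub at 008DB34A and the LOOPD/TEST/JE tail at 008DB4E7) can serve as a wildcarded byte signature for triage. This Python snippet is my own code and assumes nothing beyond the bytes on the page; it scans a constructed buffer for both sequences and resolves the JE's rel32 to its target address, which reproduces 006023D0 from the listing.

```python
import re

# Opcode bytes copied from the listing above. Immediates and displacements that
# change from one packed binary to the next are wildcarded.
SIGNATURES = {
    # Entry stub: MOV ESI,imm32 / LODSD / MOV EDI,EAX / XCHG EAX,EBP / LODSD /
    # XCHG EAX,ECX / REP MOVSD  (BE ?? ?? ?? ?? AD 8B F8 95 AD 91 F3 A5)
    "upack_entry_stub": re.compile(
        rb"\xBE.{4}\xAD\x8B\xF8\x95\xAD\x91\xF3\xA5", re.DOTALL),
    # End of the decompression loop: STOSD / LOOPD rel8 / MOV EBX,[ESI+34] /
    # MOV ESI,[ESI+38] / INC ESI / LODSD / TEST EAX,EAX / JE rel32
    "upack_oep_jump": re.compile(
        rb"\xAB\xE2.\x8B\x5E\x34\x8B\x76\x38\x46\xAD\x85\xC0\x0F\x84.{4}", re.DOTALL),
}
JE_OFFSET = 13  # distance from the start of "upack_oep_jump" to the 0F 84 opcode

def scan(data: bytes) -> dict:
    """Return {signature name: [offsets in data where it matches]}."""
    return {name: [m.start() for m in pat.finditer(data)]
            for name, pat in SIGNATURES.items()}

def oep_from_jump(data: bytes, match_off: int, base_va: int) -> int:
    """Resolve the JE rel32 in a matched "upack_oep_jump" block to its target VA.

    base_va is the virtual address of data[0]; a rel32 is relative to the end
    of the 6-byte JE, and the sum wraps at 32 bits.
    """
    je = match_off + JE_OFFSET
    rel = int.from_bytes(data[je + 2:je + 6], "little", signed=True)
    return (base_va + je + 6 + rel) & 0xFFFFFFFF

# Constructed sample (not bytes from the original binary): NOP padding, the
# entry stub with MOV ESI,00400188, more padding, then the OEP-jump block with
# the same rel32 (D6 6E D2 FF) as the listing.
SAMPLE = (b"\x90" * 0x10
          + b"\xBE\x88\x01\x40\x00\xAD\x8B\xF8\x95\xAD\x91\xF3\xA5"
          + b"\x90" * 3
          + b"\xAB\xE2\xE5\x8B\x5E\x34\x8B\x76\x38\x46\xAD\x85\xC0"
          + b"\x0F\x84\xD6\x6E\xD2\xFF"
          + b"\xC3")
# Chosen so the JE lands at VA 008DB4F4 as in the listing (block starts at 0x20).
SAMPLE_BASE_VA = 0x008DB4E7 - 0x20

if __name__ == "__main__":
    hits = scan(SAMPLE)
    print(hits)
    for off in hits["upack_oep_jump"]:
        print(f"JE at offset 0x{off + JE_OFFSET:x} -> OEP candidate "
              f"{oep_from_jump(SAMPLE, off, SAMPLE_BASE_VA):08X}")
```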
0012FFC0 007CE06B \ProcNameOrOrdinal = "VirtualFree" ; the VirtualFree breakpoint
00401FBE 84C0 TEST AL,AL
00401FC0 75 17 JNZ SHORT 牧民远控.00401FD9
00401FC2 A1 18B66000 MOV EAX,DWORD PTR DS:[60B618]
00401FC7 891D 18B66000 MOV DWORD PTR DS:[60B618],EBX
00401FCD 8B10 MOV EDX,DWORD PTR DS:[EAX]
00401FCF 8943 04 MOV DWORD PTR DS:[EBX+4],EAX
00401FD2 8913 MOV DWORD PTR DS:[EBX],EDX
00401FD4 8918 MOV DWORD PTR DS:[EAX],EBX
00401FD6 895A 04 MOV DWORD PTR DS:[EDX+4],EBX
00401FD9 5F POP EDI
00401FDA 5E POP ESI
00401FDB 5B POP EBX
00401FDC C3 RETN
Tutorial link: http://www.fs2you.com/files/beb1ae1e-bba1-11dc-bfa0-0014221b798a/