Could the experts please take a look at how to unpack this packer? (Solved)
I'm a newbie just starting out with unpacking and cracking. I ran into a hard problem and am posting it here; please, experts, don't hold back your advice! PEiD packer scan: PECompact 1.4x or above -> Jeremy Collake
Loaded in OD, hidden with phantom, as follows:
00401000 > $ /EB 06 jmp short 00401008
00401002 . |68 2EA80000 push 0A82E
00401007 . |C3 retn
00401008 > \9C pushfd
00401009 .60 pushad
0040100A .E8 02000000 call 00401011
0040100F .33C0 xor eax, eax
00401011 $8BC4 mov eax, esp
00401013 .83C0 04 add eax, 4
00401016 .93 xchg eax, ebx
00401017 .8BE3 mov esp, ebx
00401019 .8B5B FC mov ebx, dword ptr [ebx-4]
0040101C .81EB 3F904000 sub ebx, 0040903F
00401022 .61 popad
00401023 .9D popfd
00401024 .- E9 7D2A3600 jmp 00763AA6
ESP trick, reach 00401024, F8 to step in:
00763AA6 60 pushad
00763AA7 E8 00000000 call 00763AAC
00763AAC 83C4 04 add esp, 4
00763AAF 8B6C24 FC mov ebp, dword ptr [esp-4]
00763AB3 E8 80020000 call 00763D38
00763AB8 E8 69240000 call 00765F26
00763ABD 837C24 28 01 cmp dword ptr [esp+28], 1
00763AC2 75 0C jnz short 00763AD0
00763AC4 8B4424 24 mov eax, dword ptr [esp+24]
00763AC8 8985 95450000 mov dword ptr [ebp+4595], eax
00763ACE EB 0C jmp short 00763ADC
00763AD0 8B85 91450000 mov eax, dword ptr [ebp+4591]
00763AD6 8985 95450000 mov dword ptr [ebp+4595], eax
00763ADC E8 0A0D0000 call 007647EB
00763AE1 EB 03 jmp short 00763AE6
00763AE3 24 00 and al, 0
00763AE5 00E8 add al, ch
00763AE7 1923 sbb dword ptr [ebx], esp
00763AE9 0000 add byte ptr [eax], al
00763AEB 8DB5 7E530000 lea esi, dword ptr [ebp+537E]
00763AF1 8D9D 0C030000 lea ebx, dword ptr [ebp+30C]
00763AF7 33FF xor edi, edi
00763AF9 E8 453C0000 call 00767743
00763AFE EB 03 jmp short 00763B03
00763B00 2D 0000EB1B sub eax, 1BEB0000
00763B05 8B85 95450000 mov eax, dword ptr [ebp+4595]
00763B0B FF7437 04 push dword ptr [edi+esi+4]
00763B0F 010424 add dword ptr [esp], eax
00763B12 FF3437 push dword ptr [edi+esi]
00763B15 010424 add dword ptr [esp], eax
00763B18 FFD3 call ebx
00763B1A 83C4 08 add esp, 8
00763B1D 83C7 08 add edi, 8
00763B20 833C37 00 cmp dword ptr [edi+esi], 0
00763B24^ 75 DF jnz short 00763B05
00763B26 83BD 5E530000 0>cmp dword ptr [ebp+535E], 0
00763B2D 74 0E je short 00763B3D
00763B2F 83BD 62530000 0>cmp dword ptr [ebp+5362], 0
00763B36 74 05 je short 00763B3D
00763B38 E8 ED0B0000 call 0076472A
00763B3D 8D7437 04 lea esi, dword ptr [edi+esi+4]
00763B41 E8 600B0000 call 007646A6
00763B46 8B85 E74B0000 mov eax, dword ptr [ebp+4BE7]
00763B4C 0BC0 or eax, eax
00763B4E 74 0B je short 00763B5B
00763B50 0385 95450000 add eax, dword ptr [ebp+4595]
00763B56 E8 BC030000 call 00763F17
00763B5B 83BD E54D0000 0>cmp dword ptr [ebp+4DE5], 1
00763B62 75 13 jnz short 00763B77
00763B64 89B5 E94D0000 mov dword ptr [ebp+4DE9], esi
00763B6A EB 03 jmp short 00763B6F
00763B6C 83C6 04 add esi, 4
00763B6F 837E FC FF cmp dword ptr [esi-4], -1
00763B73^ 75 F7 jnz short 00763B6C
00763B75 EB 03 jmp short 00763B7A
00763B77 83C6 08 add esi, 8
00763B7A 8B06 mov eax, dword ptr [esi]
00763B7C 8985 B1450000 mov dword ptr [ebp+45B1], eax
00763B82 83C6 04 add esi, 4
00763B85 E8 B53E0000 call 00767A3F
00763B8A 83C6 04 add esi, 4
00763B8D 53 push ebx
00763B8E 6A 40 push 40
00763B90 68 00100000 push 1000
00763B95 68 BB090000 push 9BB
00763B9A 6A 00 push 0
00763B9C FF95 F2030000 call dword ptr [ebp+3F2]
00763BA2 8985 7A530000 mov dword ptr [ebp+537A], eax
00763BA8 5B pop ebx
00763BA9 FFB5 7A530000 push dword ptr [ebp+537A]
00763BAF 56 push esi
00763BB0 FFD3 call ebx
00763BB2 83C4 08 add esp, 8
00763BB5 E8 713D0000 call 0076792B
00763BBA E8 1D340000 call 00766FDC
00763BBF 83BD 8E4E0000 0>cmp dword ptr [ebp+4E8E], 0
00763BC6 74 13 je short 00763BDB
00763BC8 83BD AE4C0000 0>cmp dword ptr [ebp+4CAE], 0
00763BCF 74 0A je short 00763BDB
00763BD1 E8 C4320000 call 00766E9A
00763BD6 E8 0C2C0000 call 007667E7
00763BDB 8BB5 7A530000 mov esi, dword ptr [ebp+537A]
00763BE1 8BC6 mov eax, esi
00763BE3 EB 01 jmp short 00763BE6
00763BE5 40 inc eax
00763BE6 8038 01 cmp byte ptr [eax], 1
00763BE9^ 75 FA jnz short 00763BE5
00763BEB 40 inc eax
00763BEC 8B38 mov edi, dword ptr [eax]
00763BEE 8B8D 91450000 mov ecx, dword ptr [ebp+4591]
00763BF4 3B8D 95450000 cmp ecx, dword ptr [ebp+4595]
00763BFA 74 1A je short 00763C16
00763BFC 83BD F34B0000 0>cmp dword ptr [ebp+4BF3], 0
00763C03 76 11 jbe short 00763C16
00763C05 83BD 0B4C0000 0>cmp dword ptr [ebp+4C0B], 0
00763C0C 75 08 jnz short 00763C16
00763C0E 03F9 add edi, ecx
00763C10 2BBD 95450000 sub edi, dword ptr [ebp+4595]
00763C16 03BD 95450000 add edi, dword ptr [ebp+4595]
00763C1C 83C0 04 add eax, 4
00763C1F 8985 76530000 mov dword ptr [ebp+5376], eax
00763C25 E8 1F0C0000 call 00764849
00763C2A E8 150D0000 call 00764944
00763C2F E8 AD100000 call 00764CE1
00763C34 E8 E6380000 call 0076751F
00763C39 E9 AC000000 jmp 00763CEA
00763C3E E8 6B200000 call 00765CAE
00763C43 56 push esi
00763C44 FF95 FE030000 call dword ptr [ebp+3FE]
00763C4A 85C0 test eax, eax
00763C4C 0F84 B9200000 je 00765D0B
00763C52 8985 72530000 mov dword ptr [ebp+5372], eax
00763C58 8BC6 mov eax, esi
00763C5A EB 3E jmp short 00763C9A
00763C5C 8B85 76530000 mov eax, dword ptr [ebp+5376]
00763C62 8B00 mov eax, dword ptr [eax]
00763C64 50 push eax
00763C65 FFB5 72530000 push dword ptr [ebp+5372]
00763C6B E8 4D3F0000 call 00767BBD
00763C70 85C0 test eax, eax
00763C72 0F84 5A200000 je 00765CD2
00763C78 EB 03 jmp short 00763C7D
00763C7A 36:0000 add byte ptr ss:[eax], al
00763C7D E8 C6340000 call 00767148
00763C82 83C7 04 add edi, 4
00763C85 8B85 76530000 mov eax, dword ptr [ebp+5376]
00763C8B 8938 mov dword ptr [eax], edi
00763C8D 8385 76530000 0>add dword ptr [ebp+5376], 4
00763C94 8B85 76530000 mov eax, dword ptr [ebp+5376]
00763C9A 8338 00 cmp dword ptr [eax], 0
00763C9D^ 75 BD jnz short 00763C5C
00763C9F EB 01 jmp short 00763CA2
00763CA1 46 inc esi
00763CA2 803E 00 cmp byte ptr [esi], 0
00763CA5^ 75 FA jnz short 00763CA1
00763CA7 46 inc esi
00763CA8 83C0 04 add eax, 4
00763CAB 8B38 mov edi, dword ptr [eax]
00763CAD 8B8D 91450000 mov ecx, dword ptr [ebp+4591]
00763CB3 3B8D 95450000 cmp ecx, dword ptr [ebp+4595]
00763CB9 74 1A je short 00763CD5
00763CBB 83BD F34B0000 0>cmp dword ptr [ebp+4BF3], 0
00763CC2 76 11 jbe short 00763CD5
00763CC4 83BD 0B4C0000 0>cmp dword ptr [ebp+4C0B], 0
00763CCB 75 08 jnz short 00763CD5
00763CCD 03F9 add edi, ecx
00763CCF 2BBD 95450000 sub edi, dword ptr [ebp+4595]
00763CD5 03BD 95450000 add edi, dword ptr [ebp+4595]
00763CDB C700 FFFFFFFF mov dword ptr [eax], -1
00763CE1 83C0 04 add eax, 4
00763CE4 8985 76530000 mov dword ptr [ebp+5376], eax
00763CEA 803E 01 cmp byte ptr [esi], 1
00763CED^ 0F85 4BFFFFFF jnz 00763C3E
00763CF3 E8 C3340000 call 007671BB
00763CF8 68 00400000 push 4000
00763CFD 68 BB090000 push 9BB
00763D02 FFB5 7A530000 push dword ptr [ebp+537A]
00763D08 FF95 FA030000 call dword ptr [ebp+3FA]
00763D0E E8 CF220000 call 00765FE2
00763D13 E8 0D340000 call 00767125
00763D18 E8 DE0B0000 call 007648FB
00763D1D E8 840A0000 call 007647A6
00763D22 83BD 1F4C0000 0>cmp dword ptr [ebp+4C1F], 0
00763D29 74 07 je short 00763D32
00763D2B E9 0F100000 jmp 00764D3F
00763D30 EB 01 jmp short 00763D33
00763D32 61 popad
00763D33- E9 FB6ACDFF jmp 0043A833
ESP trick again to 00763D33, F8:
0043A833 /E9 D3281C00 jmp 005FD10B ; (initial cpu selection)
0043A838 |CC int3
0043A839 |CC int3
0043A83A |CC int3
0043A83B |CC int3
0043A83C |CC int3
0043A83D |CC int3
0043A83E |CC int3
0043A83F |CC int3
0043A840 |CC int3
0043A841 |CC int3
……
By rights this should be where the ESP trick lands, and the program should be fully decoded, because at this point the referenced strings can already be found. I dumped it, but after fixing the dump it won't run no matter what.
Experts, please advise: is this really a PECompact 1.4x or above -> Jeremy Collake packer, or a disguised packer? I've been busy with it for a week and just can't get it unpacked!
[ This post was last edited by wangjianglou on 2008-7-13 15:21 ]
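Added example (not part of the original post, and not PEiD's signature logic): a small Python checker that tests entry-point bytes against the stub structure visible in the first listing above (jmp short / push / retn / pushfd / pushad / call $+7 / ... / popad / popfd / jmp rel32) and computes where the two jumps in the post land. The byte pattern is transcribed from the hex column of the listing at 00401000-00401028, with the two image-specific immediates (the push operand and the `sub ebx` operand) wildcarded; it is an assumption that other builds keep the same layout, so a match is evidence for the PEiD result, not proof. The sample bytes are constructed from that listing. The second-stage tail jump (00763D33: E9 FB6ACDFF) has a negative displacement, which the helper handles by sign-extending.

```python
"""Check an entry stub against the PECompact-style pattern from the post and
compute rel32 jump targets.  Added example; pattern transcribed from the
OllyDbg listing in the post, not from PEiD's signature database."""
import struct

# Pattern transcribed from the listing's hex column; "??" = wildcard byte.
PECOMPACT_STYLE_ENTRY = (
    "EB 06"               # jmp short +6
    " 68 ?? ?? ?? ??"     # push imm32 (0A82E in the sample, image-specific)
    " C3"                 # retn
    " 9C 60"              # pushfd / pushad
    " E8 02 00 00 00"     # call $+7, pushes the return address
    " 33 C0"              # xor eax, eax (skipped over by the call)
    " 8B C4 83 C0 04 93"  # mov eax, esp / add eax, 4 / xchg eax, ebx
    " 8B E3 8B 5B FC"     # mov esp, ebx / mov ebx, [ebx-4]
    " 81 EB ?? ?? ?? ??"  # sub ebx, imm32 (0040903F in the sample)
    " 61 9D"              # popad / popfd
    " E9 ?? ?? ?? ??"     # jmp rel32 -> second-stage loader
)

# Field offsets inside the stub, derived from the pattern above.
OFF_PUSH_IMM = 0x03
OFF_SUB_IMM = 0x1E
OFF_JMP_REL = 0x25
STUB_LEN = 0x29          # next instruction after the jmp is at stub + 0x29


def parse_pattern(pattern):
    """'EB 06 ?? ..' -> list of int or None (None = wildcard)."""
    return [None if tok == "??" else int(tok, 16) for tok in pattern.split()]


def match_at(data, offset, pattern):
    """True if pattern matches data at offset (wildcards match anything)."""
    toks = parse_pattern(pattern)
    if offset < 0 or offset + len(toks) > len(data):
        return False
    return all(t is None or data[offset + i] == t for i, t in enumerate(toks))


def find_stub(data, pattern=PECOMPACT_STYLE_ENTRY):
    """First offset where the pattern matches, or -1 if it never does."""
    n = len(parse_pattern(pattern))
    for off in range(len(data) - n + 1):
        if match_at(data, off, pattern):
            return off
    return -1


def rel32_target(next_va, rel32_bytes):
    """Target of an E8/E9 rel32: VA of the following instruction plus the
    sign-extended 32-bit displacement, wrapped to 32 bits."""
    (disp,) = struct.unpack("<i", rel32_bytes)
    return (next_va + disp) & 0xFFFFFFFF


def decode_stub(data, stub_va):
    """Extract push imm, sub imm and the jmp target from a matching stub.
    stub_va is the VA of the stub's first byte (00401000 in the post)."""
    if not match_at(data, 0, PECOMPACT_STYLE_ENTRY):
        raise ValueError("entry bytes do not match the PECompact-style stub")
    push_imm = struct.unpack_from("<I", data, OFF_PUSH_IMM)[0]
    sub_imm = struct.unpack_from("<I", data, OFF_SUB_IMM)[0]
    jmp_target = rel32_target(stub_va + STUB_LEN,
                              data[OFF_JMP_REL:OFF_JMP_REL + 4])
    return {"push_imm": push_imm, "sub_imm": sub_imm, "jmp_target": jmp_target}


# Constructed sample: the 0x29 bytes at 00401000 copied from the listing.
SAMPLE_STUB = bytes.fromhex(
    "EB06 682EA80000 C3 9C 60 E802000000 33C0 8BC4 83C004 93 8BE3 8B5BFC"
    " 81EB3F904000 61 9D E97D2A3600"
)

# The second stage's tail jump from the listing: 00763D33  E9 FB6ACDFF.
SECOND_STAGE_TAIL_VA = 0x00763D33
SECOND_STAGE_TAIL_REL = bytes.fromhex("FB6ACDFF")

if __name__ == "__main__":
    info = decode_stub(SAMPLE_STUB, 0x00401000)
    print("push imm       : %08X" % info["push_imm"])
    print("sub ebx imm    : %08X" % info["sub_imm"])
    print("stage 2 entry  : %08X" % info["jmp_target"])
    print("stage 2 tail ->: %08X" % rel32_target(SECOND_STAGE_TAIL_VA + 5,
                                                 SECOND_STAGE_TAIL_REL))
```

To use it on a real file, read the bytes at the PE entry point (AddressOfEntryPoint mapped to its file offset) and pass them to `find_stub`/`decode_stub` with the entry VA; the computed target of the final `jmp` is the address at which the ESP trick's hardware breakpoint fires in the post (00763AA6 for the sample).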