Armadillo 6.04 packer: after the magic jump I don't know how to find the OEP
Software name: Sothink SWF Decompiler
Official download page:
http://www.sothink.com/product/flashdecompiler/index.htm
The attachment is a keygen that can be used to register it.
The detection result is as follows:
<------- 28-08-2008 09:27:36 ------->
C:\Program Files\SourceTec\Sothink SWF Decompiler\SWFDecompiler.exe
!- Protected Armadillo
Protection system (Professional)
!- <Protection Options>
Standard protection or Minimum protection
Enable Import Table Elimination
Enable Strategic Code Splicing
!- <Backup Key Options>
Variable Backup Keys
!- <Compression Options>
Minimal/Fastest Compression
!- <Other Options>
Disable Monitoring Thread
487FDD00 Version 6.04 18-07-2008
!- Elapsed Time 00h 00m 00s 329ms
I found the magic jump; it is as follows:
01769D7C /74 02 je short 01769D80
01769D7E^|EB 82 jmp short 01769D02
01769D80 \8D8D F0FEFFFF lea ecx, dword ptr
01769D86 51 push ecx
01769D87 FF15 C8807A01 call dword ptr ; kernel32.GetModuleHandleA
01769D8D 8B55 F8 mov edx, dword ptr
01769D90 8B0D 0C807B01 mov ecx, dword ptr
01769D96 890491 mov dword ptr , eax
01769D99 8B55 F8 mov edx, dword ptr
01769D9C A1 0C807B01 mov eax, dword ptr
01769DA1 833C90 00 cmp dword ptr , 0
01769DA5 75 5F jnz short 01769E06
01769DA7 8B4D FC mov ecx, dword ptr
01769DAA 8B51 08 mov edx, dword ptr
01769DAD 83E2 02 and edx, 2
01769DB0 74 3B je short 01769DED
01769DB2 B8 21000000 mov eax, 21
01769DB7 C1E0 02 shl eax, 2
01769DBA 8B0D FC5A7B01 mov ecx, dword ptr ; SWFDecom.0091A390
01769DC0 8B15 FC5A7B01 mov edx, dword ptr ; SWFDecom.0091A390
01769DC6 8B35 FC5A7B01 mov esi, dword ptr ; SWFDecom.0091A390
01769DCC 8B5E 0C mov ebx, dword ptr
01769DCF 339A 90000000 xor ebx, dword ptr
01769DD5 331C01 xor ebx, dword ptr
01769DD8 83E3 10 and ebx, 10
01769DDB F7DB neg ebx
01769DDD 1BDB sbb ebx, ebx
01769DDF F7DB neg ebx
01769DE1 0FB6C3 movzx eax, bl
01769DE4 85C0 test eax, eax
01769DE6 75 05 jnz short 01769DED
01769DE8^ E9 15FFFFFF jmp 01769D02
01769DED 8D8D F0FEFFFF lea ecx, dword ptr
01769DF3 51 push ecx
01769DF4 FF15 88807A01 call dword ptr ; kernel32.LoadLibraryA
01769DFA 8B55 F8 mov edx, dword ptr
01769DFD 8B0D 0C807B01 mov ecx, dword ptr
01769E03 890491 mov dword ptr , eax
01769E06 8B55 F8 mov edx, dword ptr
01769E09 A1 0C807B01 mov eax, dword ptr
01769E0E 833C90 00 cmp dword ptr , 0
01769E12 75 05 jnz short 01769E19
01769E14^ E9 E9FEFFFF jmp 01769D02
01769E19 C785 E4FEFFFF 0>mov dword ptr , 0
01769E23 C785 E8FEFFFF 0>mov dword ptr , 0
01769E2D 8B4D FC mov ecx, dword ptr
01769E30 8B51 04 mov edx, dword ptr
01769E33 8995 ECFEFFFF mov dword ptr , edx
01769E39 EB 0F jmp short 01769E4A
01769E3B 8B85 ECFEFFFF mov eax, dword ptr
01769E41 83C0 0C add eax, 0C
01769E44 8985 ECFEFFFF mov dword ptr , eax
01769E4A 8B8D ECFEFFFF mov ecx, dword ptr
01769E50 8339 00 cmp dword ptr , 0
01769E53 74 11 je short 01769E66
01769E55 8B95 E8FEFFFF mov edx, dword ptr
01769E5B 83C2 01 add edx, 1
01769E5E 8995 E8FEFFFF mov dword ptr , edx
01769E64^ EB D5 jmp short 01769E3B
01769E66 33C9 xor ecx, ecx
01769E68 8B85 E8FEFFFF mov eax, dword ptr
01769E6E BA 04000000 mov edx, 4
01769E73 F7E2 mul edx
01769E75 0F90C1 seto cl
01769E78 F7D9 neg ecx
01769E7A 0BC8 or ecx, eax
01769E7C 51 push ecx
01769E7D E8 2D790200 call 017917AF
01769E82 83C4 04 add esp, 4
01769E85 8985 ACFDFFFF mov dword ptr , eax
01769E8B 8B45 F8 mov eax, dword ptr
01769E8E 8B0D 04807B01 mov ecx, dword ptr
01769E94 8B95 ACFDFFFF mov edx, dword ptr
01769E9A 891481 mov dword ptr , edx
01769E9D 33C9 xor ecx, ecx
01769E9F 8B85 E8FEFFFF mov eax, dword ptr
01769EA5 BA 04000000 mov edx, 4
01769EAA F7E2 mul edx
01769EAC 0F90C1 seto cl
01769EAF F7D9 neg ecx
01769EB1 0BC8 or ecx, eax
01769EB3 51 push ecx
01769EB4 E8 F6780200 call 017917AF
01769EB9 83C4 04 add esp, 4
01769EBC 8985 A8FDFFFF mov dword ptr , eax
01769EC2 8B45 F8 mov eax, dword ptr
01769EC5 8B0D 08807B01 mov ecx, dword ptr
01769ECB 8B95 A8FDFFFF mov edx, dword ptr
01769ED1 891481 mov dword ptr , edx
01769ED4 8B45 FC mov eax, dword ptr
01769ED7 8B48 04 mov ecx, dword ptr
01769EDA 898D ECFEFFFF mov dword ptr , ecx
01769EE0 EB 1E jmp short 01769F00
01769EE2 8B95 ECFEFFFF mov edx, dword ptr
01769EE8 83C2 0C add edx, 0C
01769EEB 8995 ECFEFFFF mov dword ptr , edx
01769EF1 8B85 E4FEFFFF mov eax, dword ptr
01769EF7 83C0 01 add eax, 1
01769EFA 8985 E4FEFFFF mov dword ptr , eax
01769F00 8B8D ECFEFFFF mov ecx, dword ptr
01769F06 8339 00 cmp dword ptr , 0
01769F09 0F84 4D010000 je 0176A05C
01769F0F 68 00010000 push 100
01769F14 8D95 E0FDFFFF lea edx, dword ptr
01769F1A 52 push edx
01769F1B 8B85 ECFEFFFF mov eax, dword ptr
01769F21 8B08 mov ecx, dword ptr
01769F23 51 push ecx
01769F24 E8 276E0200 call 01790D50
01769F29 83C4 0C add esp, 0C
01769F2C 8B15 FC5A7B01 mov edx, dword ptr ; SWFDecom.0091A390
01769F32 A1 FC5A7B01 mov eax, dword ptr
01769F37 8B4A 34 mov ecx, dword ptr
01769F3A 3348 0C xor ecx, dword ptr
01769F3D 8B15 FC5A7B01 mov edx, dword ptr ; SWFDecom.0091A390
01769F43 338A 90000000 xor ecx, dword ptr
01769F49 A1 FC5A7B01 mov eax, dword ptr
01769F4E 3348 14 xor ecx, dword ptr
01769F51 898D A4FDFFFF mov dword ptr , ecx
01769F57 8D8D E0FDFFFF lea ecx, dword ptr
01769F5D 51 push ecx
01769F5E 8B55 F8 mov edx, dword ptr
01769F61 A1 0C807B01 mov eax, dword ptr
01769F66 8B0C90 mov ecx, dword ptr
01769F69 51 push ecx
01769F6A FF15 D4817A01 call dword ptr ; kernel32.GetProcAddress
01769F70 3385 A4FDFFFF xor eax, dword ptr
01769F76 8B55 F8 mov edx, dword ptr
01769F79 8B0D 04807B01 mov ecx, dword ptr
01769F7F 8B1491 mov edx, dword ptr
01769F82 8B8D E4FEFFFF mov ecx, dword ptr
01769F88 89048A mov dword ptr , eax
01769F8B 6A 01 push 1
01769F8D 8D95 E0FDFFFF lea edx, dword ptr
01769F93 52 push edx
01769F94 8B45 F8 mov eax, dword ptr
01769F97 8B0D 0C807B01 mov ecx, dword ptr
01769F9D 8B1481 mov edx, dword ptr
01769FA0 52 push edx
01769FA1 E8 2A090000 call 0176A8D0
01769FA6 83C4 0C add esp, 0C
01769FA9 8B4D F8 mov ecx, dword ptr
01769FAC 8B15 08807B01 mov edx, dword ptr
01769FB2 8B0C8A mov ecx, dword ptr
01769FB5 8B95 E4FEFFFF mov edx, dword ptr
01769FBB 890491 mov dword ptr , eax
01769FBE 8B45 F8 mov eax, dword ptr
01769FC1 8B0D 08807B01 mov ecx, dword ptr
01769FC7 8B1481 mov edx, dword ptr
01769FCA 8B85 E4FEFFFF mov eax, dword ptr
01769FD0 833C82 00 cmp dword ptr , 0
01769FD4 75 32 jnz short 0176A008
01769FD6 6A 00 push 0
01769FD8 8D8D E0FDFFFF lea ecx, dword ptr
01769FDE 51 push ecx
01769FDF 8B55 F8 mov edx, dword ptr
01769FE2 A1 0C807B01 mov eax, dword ptr
01769FE7 8B0C90 mov ecx, dword ptr
01769FEA 51 push ecx
01769FEB E8 E0080000 call 0176A8D0
01769FF0 83C4 0C add esp, 0C
01769FF3 8B55 F8 mov edx, dword ptr
01769FF6 8B0D 08807B01 mov ecx, dword ptr
01769FFC 8B1491 mov edx, dword ptr
01769FFF 8B8D E4FEFFFF mov ecx, dword ptr
0176A005 89048A mov dword ptr , eax
0176A008 8B55 F8 mov edx, dword ptr
0176A00B A1 08807B01 mov eax, dword ptr
0176A010 8B0C90 mov ecx, dword ptr
0176A013 8B15 FC5A7B01 mov edx, dword ptr ; SWFDecom.0091A390
0176A019 A1 FC5A7B01 mov eax, dword ptr
0176A01E 8B35 FC5A7B01 mov esi, dword ptr ; SWFDecom.0091A390
0176A024 8B3D FC5A7B01 mov edi, dword ptr ; SWFDecom.0091A390
0176A02A 8B7F 34 mov edi, dword ptr
0176A02D 337E 0C xor edi, dword ptr
0176A030 33B8 90000000 xor edi, dword ptr
0176A036 337A 14 xor edi, dword ptr
0176A039 8B95 E4FEFFFF mov edx, dword ptr
0176A03F 333C91 xor edi, dword ptr
0176A042 8B45 F8 mov eax, dword ptr
0176A045 8B0D 08807B01 mov ecx, dword ptr
0176A04B 8B1481 mov edx, dword ptr
0176A04E 8B85 E4FEFFFF mov eax, dword ptr
0176A054 893C82 mov dword ptr , edi
0176A057^ E9 86FEFFFF jmp 01769EE2
0176A05C 8B0D FC5A7B01 mov ecx, dword ptr ; SWFDecom.0091A390
0176A062 8B15 FC5A7B01 mov edx, dword ptr ; SWFDecom.0091A390
0176A068 A1 FC5A7B01 mov eax, dword ptr
0176A06D 8B35 FC5A7B01 mov esi, dword ptr ; SWFDecom.0091A390
0176A073 8B76 4C mov esi, dword ptr
0176A076 33B0 90000000 xor esi, dword ptr
0176A07C 3372 18 xor esi, dword ptr
0176A07F 3371 68 xor esi, dword ptr
0176A082 8B4D F8 mov ecx, dword ptr
0176A085 8B15 0C807B01 mov edx, dword ptr
0176A08B 33348A xor esi, dword ptr
0176A08E 8B45 F8 mov eax, dword ptr
0176A091 8B0D 0C807B01 mov ecx, dword ptr
0176A097 893481 mov dword ptr , esi
0176A09A^ E9 63FCFFFF jmp 01769D02
0176A09F E9 21010000 jmp 0176A1C5
0176A0A4 0FB615 FC7F7B01 movzx edx, byte ptr
0176A0AB 83FA 01 cmp edx, 1
0176A0AE 75 12 jnz short 0176A0C2
0176A0B0 68 E07F7B01 push 17B7FE0
0176A0B5 FF15 4C827A01 call dword ptr ; ntdll.RtlDeleteCriticalSection
0176A0BB C605 FC7F7B01 0>mov byte ptr , 0
0176A0C2 0FB605 FD7F7B01 movzx eax, byte ptr
0176A0C9 85C0 test eax, eax
0176A0CB 74 05 je short 0176A0D2
0176A0CD E9 F3000000 jmp 0176A1C5
0176A0D2 C785 DCFDFFFF 0>mov dword ptr , 0
0176A0DC C785 DCFDFFFF 0>mov dword ptr , 0
0176A0E6 EB 0F jmp short 0176A0F7
0176A0E8 8B8D DCFDFFFF mov ecx, dword ptr
0176A0EE 83C1 01 add ecx, 1
0176A0F1 898D DCFDFFFF mov dword ptr , ecx
0176A0F7 8B95 DCFDFFFF mov edx, dword ptr
0176A0FD 3B15 10807B01 cmp edx, dword ptr
0176A103 73 42 jnb short 0176A147
0176A105 8B85 DCFDFFFF mov eax, dword ptr
0176A10B 8B0D 18807B01 mov ecx, dword ptr
0176A111 8B1481 mov edx, dword ptr
0176A114 8995 A0FDFFFF mov dword ptr , edx
0176A11A C785 D4FDFFFF 0>mov dword ptr , 0
0176A124 8B85 A0FDFFFF mov eax, dword ptr
0176A12A 8985 D8FDFFFF mov dword ptr , eax
0176A130 8D8D CCFDFFFF lea ecx, dword ptr
0176A136 51 push ecx
0176A137 68 E0A17601 push 176A1E0
0176A13C FF15 68517B01 call dword ptr
0176A142 83C4 08 add esp, 8
0176A145^ EB A1 jmp short 0176A0E8
0176A147 C705 10807B01 0>mov dword ptr , 0
0176A151 C785 DCFDFFFF 0>mov dword ptr , 0
0176A15B EB 0F jmp short 0176A16C
0176A15D 8B85 DCFDFFFF mov eax, dword ptr
0176A163 83C0 01 add eax, 1
0176A166 8985 DCFDFFFF mov dword ptr , eax
0176A16C 8B8D DCFDFFFF mov ecx, dword ptr
0176A172 3B0D 1C807B01 cmp ecx, dword ptr
0176A178 73 41 jnb short 0176A1BB
0176A17A 8B95 DCFDFFFF mov edx, dword ptr
0176A180 A1 24807B01 mov eax, dword ptr
0176A185 8B0C90 mov ecx, dword ptr
0176A188 898D 9CFDFFFF mov dword ptr , ecx
0176A18E C785 C4FDFFFF 0>mov dword ptr , 0
0176A198 8B95 9CFDFFFF mov edx, dword ptr
0176A19E 8995 C8FDFFFF mov dword ptr , edx
0176A1A4 8D85 BCFDFFFF lea eax, dword ptr
0176A1AA 50 push eax
0176A1AB 68 00A27601 push 176A200
0176A1B0 FF15 68517B01 call dword ptr
0176A1B6 83C4 08 add esp, 8
0176A1B9^ EB A2 jmp short 0176A15D
0176A1BB C705 1C807B01 0>mov dword ptr , 0
0176A1C5 5F pop edi
0176A1C6 5E pop esi
0176A1C7 5B pop ebx
0176A1C8 8B4D F0 mov ecx, dword ptr
0176A1CB 33CD xor ecx, ebp
0176A1CD E8 87720200 call 01791459
0176A1D2 8BE5 mov esp, ebp
0176A1D4 5D pop ebp
0176A1D5 C3 retn
0176A1D6 CC int3
I think the line in red above is the magic jump, but after it I can't find the legendary "EB 03 D6 D6". I've tried many approaches over 10-plus days and still can't find the OEP. Could you friends give me some pointers? Thanks!
There is already a Chinese-localized version of this software online, and a keygen too; I'm just learning unpacking on my own and hope you can give me some guidance. Thanks!
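The listing above loops over GetModuleHandleA, LoadLibraryA and GetProcAddress, with the '^' marks showing backward jumps. As an added analysis aid that is not part of the original post, the Python below parses lines in this OllyDbg listing format and reports which API calls each backward-jump loop encloses, so an import-resolution loop can be recognised in a listing at a glance; the excerpt it runs on is constructed in the same format, modelled on the thread rather than copied from it.

```python
# Added example: parse OllyDbg-style listing lines and flag backward jumps that
# enclose dynamic-import API calls (GetModuleHandleA / LoadLibraryA / GetProcAddress).
import re
from collections import namedtuple
# Constructed excerpt in the listing's format (modelled on the thread, not copied from it).
SAMPLE = """\
01769D7E^|EB 82 jmp short 01769D02
01769D87 FF15 C8807A01 call dword ptr ; kernel32.GetModuleHandleA
01769DF4 FF15 88807A01 call dword ptr ; kernel32.LoadLibraryA
01769F6A FF15 D4817A01 call dword ptr ; kernel32.GetProcAddress
0176A057^ E9 86FEFFFF jmp 01769EE2
0176A09A^ E9 63FCFFFF jmp 01769D02
"""
LINE_RE = re.compile(
    r"^(?P<addr>[0-9A-F]{8})\^?\s*[/|\\]?\s*"  # address, optional '^' loop mark, flow bar
    r"(?:[0-9A-F]+\s+)*(?:[0-9A-F]+>)?\s*"    # opcode bytes, possibly truncated with '>'
    r"(?P<mnem>[a-z]+)\s*(?P<ops>[^;]*?)\s*(?:;\s*(?P<comment>.*))?$"
)
Insn = namedtuple("Insn", "addr mnem ops comment")

def parse_listing(text):
    """Keep only lines that look like instructions; post text and edit stamps are skipped."""
    insns = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            insns.append(Insn(int(m["addr"], 16), m["mnem"], m["ops"], m["comment"] or ""))
    return insns

def jump_target(insn):
    m = re.search(r"([0-9A-F]{8})$", insn.ops)
    return int(m.group(1), 16) if insn.mnem.startswith("j") and m else None

def api_name(insn):
    """'call ... ; module.Function' -> 'Function', otherwise None."""
    m = re.fullmatch(r"\w+\.(\w+)", insn.comment.strip())
    return m.group(1) if insn.mnem == "call" and m else None

def import_loops(insns):
    """Map each backward jump (target, source) to the API calls inside its span."""
    loops = {}
    for j in insns:
        t = jump_target(j)
        if t is not None and t < j.addr:
            loops[(t, j.addr)] = [api_name(i) for i in insns
                                  if t <= i.addr <= j.addr and api_name(i)]
    return loops

def looks_like_import_resolver(apis):
    """Resolution-loop signature: GetProcAddress plus a module-handle lookup in the same loop."""
    return "GetProcAddress" in apis and bool({"GetModuleHandleA", "LoadLibraryA"} & set(apis))
```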
[ This post was last edited by 示申言舌 on 2008-8-28 09:35 ]

The original poster's name is quite special.
Originally posted by 天使的锁链 on 2008-8-28 10:55:
The original poster's name is quite special.

I borrowed someone else's ID; I'm waiting for registration to open on 9.1!
Moderator, please help me out with this!

017D9915 /75 43 jnz short 017D995A
017D9917 |8B0D FC5A8001 mov ecx, dword ptr ; SWFDecom.0091A390
017D991D |8B15 FC5A8001 mov edx, dword ptr ; SWFDecom.0091A390
017D9923 |8B41 34 mov eax, dword ptr
017D9926 |3382 90000000 xor eax, dword ptr
017D992C |8B0D FC5A8001 mov ecx, dword ptr ; SWFDecom.0091A390
017D9932 |3341 1C xor eax, dword ptr
017D9935 |8945 DC mov dword ptr , eax
017D9938 |8B55 08 mov edx, dword ptr
017D993B |8B42 04 mov eax, dword ptr
017D993E |50 push eax
017D993F |8B4D 08 mov ecx, dword ptr
017D9942 |8B51 08 mov edx, dword ptr
017D9945 |52 push edx
017D9946 |6A 00 push 0
017D9948 |8B45 08 mov eax, dword ptr
017D994B |8B48 0C mov ecx, dword ptr ; SWFDecom.00400000
017D994E |51 push ecx
017D994F |8B55 F4 mov edx, dword ptr
017D9952 |2B55 DC sub edx, dword ptr
017D9955 |FFD2 call edx //this is the entry to the OEP; press F7 to step into it
017D9957 |8945 FC mov dword ptr , eax
017D995A \8B45 FC mov eax, dword ptr
017D995D 5E pop esi
017D995E 8BE5 mov esp, ebp
017D9960 5D pop ebp
017D9961 C3 retn
[ This post was last edited by lqiulu on 2008-8-28 12:12 ]

Originally posted by lqiulu on 2008-8-28 11:52:
017D9915 /75 43 jnz short 017D995A
017D9917 |8B0D FC5A8001 mov ecx, dword ptr ; SWFDecom.0091A390
017D991D |8B15 FC5A8001 mov edx, dword ptr
How did you get this? Did I find the magic jump correctly?
If it's correct, what should I do next to reach the OEP?

Heh, I don't know Armadillo,
but Armag3ddon_v1.4 unpacks it directly.

Originally posted by wangwei.hebtu on 2008-8-28 15:11:
Heh, I don't know Armadillo,
but Armag3ddon_v1.4 unpacks it directly.

Does it work on higher versions?

Set a memory breakpoint on the .text section, press F9, then single-step~

The experts all show up here!!