脱壳 Themida 2.0.3 之vb
运行程序 搜索到这里 JMP MSVBVM60.ThunRTMain00401123 . C3 RETN
00401124 ? FA CLI
00401125 ? 7B 02 JPO SHORT UnPackMe.00401129
00401127 3F DB 3F ;CHAR '?'
00401128 .-E9 7724F972 JMP MSVBVM60.ThunRTMain 来到这里 下断
0040112D DB DB DB
0040112E 00 DB 00
0040112F 00 DB 00
JMP 733935A4 下断
重来 shift+f9
00566565 0F85 9D000000 JNZ UnPackMe.00566608断下 JMP 733935A4 取消断点单步
0056656B 0F83 0B000000 JNB UnPackMe.0056657C
00566571 60 PUSHAD
00566572 66:81E0 506E AND AX,6E50
00566577 66:B8 9EAF MOV AX,0AF9E
0056657B 61 POPAD
0056657C F5 CMC
0056657D 66:8178 04 4C2ECMP WORD PTR DS:,2E4C
00566583 0F85 7F000000 JNZ UnPackMe.00566608
00566589 60 PUSHAD
0056658A B9 5584D85B MOV ECX,5BD88455
0056658F 66:B9 5118 MOV CX,1851
00566593 61 POPAD
00566608 81EC 04000000 SUB ESP,4
0056660E 892C24 MOV DWORD PTR SS:,EBP
00566611 89C5 MOV EBP,EAX
00566613 89EE MOV ESI,EBP
00566615 5D POP EBP
00566616 F8 CLC
00566617 53 PUSH EBX
00566618 89C3 MOV EBX,EAX
EBP=FA088D2B
Stack SS:=733935A4 (MSVBVM60.ThunRTMain)
00566681 3C 2E CMP AL,2E
00566683 0F84 AD000000 JE UnPackMe.00566736
00566689 F5 CMC
0056668A F9 STC
0056668B 3C 30 CMP AL,30
0056668D 0F82 08060000 JB UnPackMe.00566C9B
00566693 60 PUSHAD
00566694 8BD7 MOV EDX,EDI
00566696 81E1 3FFC5F36 AND ECX,365FFC3F
00566648 AC LODS BYTE PTR DS:
00566649 0F8D 08000000 JGE UnPackMe.00566657
0056664F 0F82 02000000 JB UnPackMe.00566657
00566655 60 PUSHAD
00566656 61 POPAD
00566657 3C 00 CMP AL,0
00566659 0F84 41010000 JE UnPackMe.005667A0
00566681 3C 2E CMP AL,2E
00566683 0F84 AD000000 JE UnPackMe.00566736
00566689 F5 CMC
0056668A F9 STC
0056668B 3C 30 CMP AL,30
0056668D 0F82 08060000 JB UnPackMe.00566C9B
00566693 60 PUSHAD
005666FC 0F82 99050000 JB UnPackMe.00566C9B
00566702 F9 STC
00566703 3C 7A CMP AL,7A
00566705^0F86 3DFFFFFF JBE UnPackMe.00566648
0056670B F5 CMC
0056670C 60 PUSHAD
0056670D 51 PUSH ECX ???????????
0056670E E9 11000000 JMP UnPackMe.00566724
00566713 0C 32 OR AL,32
00566724 5E POP ESI ; MSVBVM60.733935A6
00566725 61 POPAD
00566726 E9 70050000 JMP UnPackMe.00566C9B
0056672B E9 06000000 JMP UnPackMe.00566736
00566730 CC INT3
00566C9B 61 POPAD
00566C9C E9 11000000 JMP UnPackMe.00566CB2
00566CA1 E6 45 OUT 45,AL ; I/O command
00566CA3 3242 13 XOR AL,BYTE PTR DS:
00566CA6 17 POP SS ; Modification of segment register
00566CB2 FC CLD
00566CB3 C3 RETN
00566CB4 0F8E 07000000 JLE UnPackMe.00566CC1
00566CBA 0F82 01000000 JB UnPackMe.00566CC1
00566CC0 FC CLD
00566CC1 60 PUSHAD
0056374C F8 CLC
0056374D 81EC 04000000 SUB ESP,4
00563753 890C24 MOV DWORD PTR SS:,ECX
00563756 89C1 MOV ECX,EAX
00563758 89CF MOV EDI,ECX
0056375A 59 POP ECX
005637E4 60 PUSHAD
005637E5 51 PUSH ECX ; MSVBVM60.#1374
005637E6 E8 11000000 CALL UnPackMe.005637FC
005638AE D38498 33D1B4A0ROL DWORD PTR DS:,CL
005638B5^74 C9 JE SHORT UnPackMe.00563880
005638B7 3B85 992B4206 CMP EAX,DWORD PTR SS: ; kernel32.ExitProcess
00563825 3B85 51294206 CMP EAX,DWORD PTR SS: ; MSVBVM60.ThunRTMain 来到这里
0056382B 0F84 32000000 JE UnPackMe.00563863 mgic jump 修改
00563831 0F86 0A000000 JBE UnPackMe.00563841
00563837 60 PUSHAD
00563838 8BC8 MOV ECX,EAX
0056383A 0F89 00000000 JNS UnPackMe.00563840
00563840 61 POPAD
00563841 3B85 B50D4206 CMP EAX,DWORD PTR SS:
00563847 0F85 1C000000 JNZ UnPackMe.00563869
0056384D 0F8C 10000000 JL UnPackMe.00563863
00563853 60 PUSHAD
00563854 E9 09000000 JMP UnPackMe.00563862
00563859 239B 3BDE35A4 AND EBX,DWORD PTR DS:
0056385F 9E SAHF
00563860 313B XOR DWORD PTR DS:,EDI
00563862 61 POPAD
00563863^E9 C0FEFFFF JMP UnPackMe.00563728
SS:=733935A4 (MSVBVM60.ThunRTMain)
EAX=734891C6 (MSVBVM60._CIcos)
004010FE .-E9 D0820873 JMP MSVBVM60._CIsqrt
00401103 . 39E9 CMP ECX,EBP
00401105 . 7B 83 JPO SHORT UnPackMe.0040108A
00401107 . 0873 73 OR BYTE PTR DS:,DH
0040110A .-E9 1EDC0773 JMP MSVBVM60._allmul
0040110F E2 DB E2
00401110 .-E9 CEAB0573 JMP MSVBVM60.__vbaEnd
00401115 DA DB DA
00401116 .-E9 C5870573 JMP MSVBVM60.EVENT_SINK_QueryInte**ce
0040111B 7E DB 7E ;CHAR '~'
0040111C .-E9 AE880573 JMP MSVBVM60.EVENT_SINK_AddRef
00401121 . 32E9 XOR CH,CL
00401123 . BB 88057300 MOV EBX,730588
00401128 .-E9 7724F972 JMP MSVBVM60.ThunRTMain shift+f9 来到这里
00401130 > $ 68 EC124000 PUSH 复件_unp.004012EC
00401135 . E8 EEFFFFFF CALL 复件_unp.00401128
看堆栈窗口
0012FF90 0055690AUnPackMe.0055690A
0012FF94 004012ECUnPackMe.004012ECoep
0012FF98 FFFFA130
0012FF9C 0012FFE0
0012FFA0 004FA637UnPackMe.004FA637
00563148 3B8D A11F4206 CMP ECX,DWORD PTR SS:
0056314E^0F85 9BFFFFFF JNZ UnPackMe.005630EF
00563154 0F85 0C000000 JNZ UnPackMe.00563166
0056315A 60 PUSHAD
0056315B BF 7F538073 MOV EDI,7380537F
00563160 66:81C0 CB7C ADD AX,7CCB
00563165 61 POPAD
00563166 57 PUSH EDI ; UnPackMe.0040112D
00563167 BF 651F8708 MOV EDI,8871F65
**** Hidden Message *****
工具 odbg110 Sabre-Gold http://filebeam.com/52c4cccd247b4f27ae6f7dd2420508d7 头一个老膜拜 TMD,我的恐惧,瞧瞧先 看看哦,强壳哦 我对TMD已经麻木了........../:10 这个要顶一下
谢谢了 支持下强壳视频。 学习一下。 看看 上次还碰见这个壳了 谢谢楼主的分享学习下思路呵呵