With some free time on my hands, I tried using S-Recorder to record an unpacking animation
It is just using the ESP law to unpack a Notepad packed with nspack 2.40, a very simple process. The main point was to try out S-Recorder, and it turns out to be really handy. Password: 339171218 or 暴:
00403E5B/$B8 E3144100 MOV EAX,ESP定律?004114E3
00403E60|.E8 9B750000 CALL <JMP.&MSVCRT._EH_prolog>
00403E65|.81EC A8000000 SUB ESP,0A8
00403E6B|.A1 18EB4100 MOV EAX,DWORD PTR DS:
00403E70|.56 PUSH ESI
00403E71|.6A 00 PUSH 0
00403E73|.8D8D 4CFFFFFF LEA ECX,DWORD PTR SS:
00403E79|.8BB0 D4000000 MOV ESI,DWORD PTR DS:
00403E7F|.E8 EDDDFFFF CALL ESP定律?00401C71
00403E84|.8365 FC 00 AND DWORD PTR SS:,0
00403E88|.56 PUSH ESI ; /s
00403E89|.E8 C2750000 CALL <JMP.&MSVCRT.strlen> ; \strlen
00403E8E|.85C0 TEST EAX,EAX
00403E90|.59 POP ECX
00403E91 0F85 AD000000 JNZ ESP定律?00403F44
00403E97|.E8 B4750000 CALL <JMP.&MSVCRT.strlen> ; \strlen
00403E9C|.85C0 TEST EAX,EAX
00403E9E|.59 POP ECX
00403E9F|.75 1A JNZ SHORT ESP定律?00403EBB
00403EA1|.8D46 3C LEA EAX,DWORD PTR DS:
00403EA4|.50 PUSH EAX ; /s
00403EA5|.E8 A6750000 CALL <JMP.&MSVCRT.strlen> ; \strlen
00403EAA|.85C0 TEST EAX,EAX
00403EAC|.59 POP ECX
00403EAD|.75 0C JNZ SHORT ESP定律?00403EBB
00403EAF|.3886 78010000 CMP BYTE PTR DS:,AL
00403EB5|.0F84 89000000 JE ESP定律?00403F44
00403EBB|>56 PUSH ESI
00403EBC|.8D4D E8 LEA ECX,DWORD PTR SS:
00403EBF|.E8 9A710000 CALL <JMP.&MFC42.#860_??4CString@@QAEABV0@PBD@Z>
00403EC4|.8D46 78 LEA EAX,DWORD PTR DS:
00403EC7|.8D4D E4 LEA ECX,DWORD PTR SS:
00403ECA|.50 PUSH EAX
00403ECB|.E8 8E710000 CALL <JMP.&MFC42.#860_??4CString@@QAEABV0@PBD@Z>
00403ED0|.8D46 3C LEA EAX,DWORD PTR DS:
00403ED3|.8D4D EC LEA ECX,DWORD PTR SS:
00403ED6|.50 PUSH EAX
00403ED7|.E8 82710000 CALL <JMP.&MFC42.#860_??4CString@@QAEABV0@PBD@Z>
00403EDC|.0FB68E 78010000 MOVZX ECX,BYTE PTR DS:
00403EE3|.8D86 78010000 LEA EAX,DWORD PTR DS:
00403EE9|.894D E0 MOV DWORD PTR SS:,ECX
00403EEC|.8038 00 CMP BYTE PTR DS:,0
00403EEF|.74 12 JE SHORT ESP定律?00403F03
00403EF1|.81C6 79010000 ADD ESI,179
00403EF7|.8D45 AC LEA EAX,DWORD PTR SS:
00403EFA|.56 PUSH ESI ; /src
00403EFB|.50 PUSH EAX ; |dest
00403EFC|.E8 49750000 CALL <JMP.&MSVCRT.strcpy> ; \strcpy
00403F01|.59 POP ECX
00403F02|.59 POP ECX
00403F03|>8D8D 4CFFFFFF LEA ECX,DWORD PTR SS:
00403F09|.E8 B86F0000 CALL <JMP.&MFC42.#2514_?DoModal@CDialog@@UAEHXZ>
00403F0E|.83F8 01 CMP EAX,1 ; the program returns here~
00403F11|.74 31 JE SHORT ESP定律?00403F44 ; jump~
00403F13|.8B0D 18EB4100 MOV ECX,DWORD PTR DS:
00403F19|.E8 F9EBFFFF CALL ESP定律?00402B17
00403F1E|.8B0D 18EB4100 MOV ECX,DWORD PTR DS:
00403F24|.8981 F4000000 MOV DWORD PTR DS:,EAX
00403F2A|.A1 18EB4100 MOV EAX,DWORD PTR DS:
00403F2F|.C780 D8000000 0>MOV DWORD PTR DS:,2
00403F39|.8B0D 18EB4100 MOV ECX,DWORD PTR DS:
00403F3F|.E8 B1E9FFFF CALL ESP定律?004028F5
00403F44|>834D FC FF OR DWORD PTR SS:,FFFFFFFF
00403F48|.8D8D 4CFFFFFF LEA ECX,DWORD PTR SS:
00403F4E|.E8 E6DDFFFF CALL ESP定律?00401D39
00403F53|.8B4D F4 MOV ECX,DWORD PTR SS:
00403F56|.5E POP ESI
00403F57|.64:890D 0000000>MOV DWORD PTR FS:,ECX
00403F5E|.C9 LEAVE
00403F5F\.C3 RETN
[ This post was last edited by 野猫III on 2006-8-1 21:28 ]
Support!!
Interesting, 猫III is really interesting.
Brother 猫, awesome~~ Took a look, it really is a very simple unpacking process~~
Support, thanks.