关于aspr壳的特征码和补区段的问题
最近学习脱 ASProtect 2.1x SKE 壳，遇到不少问题，没办法，本人就是这么愚钝。问题大致如下：用 Volx 的脚本 Aspr2.XX_IATfixer_v1.02.osc 到达 OEP 后，提示 "Stolen code start, press OK button to add comments"，用 LordPE dump 下来；参考 syscom、machenglin 等大侠的文章，采用补区段的方法完成后，用 OD 载入 dumped 文件，试着从伪 OEP 单步搞定 Route Check，但怎么也没发现下面这段特征码：
014D8A66 8B40 34 mov eax,dword ptr ds:[eax+34]
014D8A69 FFD0 call eax
014D8A6B 2945 0C sub dword ptr ss:[ebp+C],eax
014D8A6E 8B45 0C mov eax,dword ptr ss:[ebp+C]
在 dumped 文件的伪 OEP 处用 Ctrl+B 搜索 8B40 34FFD0 2945 0C 8B45 0C，也没有找到。
请问各位大侠，到底怎样找特征码？还有，怎样看 stolen code 和 VM 区段？怎样看壳用到了哪几个区段？
下面是补区段完成、但还没搞定 Route Check 的 dumped 文件伪 OEP 处的代码（其中大量 `EB 01`/`EB 02` 短跳后面紧跟 `CD20` 之类的无效字节，看起来是壳插入的花指令，所以直接反汇编显得混乱）：
016E02AE >55 push ebp
016E02AF E9 C70A0000 jmp 016E0D7B
016E02B4 F2: prefix repne:
016E02B5 EB 01 jmp short 016E02B8
016E02B7 F0:B8 065F4A00lock mov eax, 004A5F06 ; 不允许锁定前缀
016E02BD B8 BE334400 mov eax, 004433BE
016E02C2 26:EB 02 jmp short 016E02C7
016E02C5 CD20 65EB0169 vxdjump 6901EB65
016E02CB B8 88C84A00 mov eax, 004AC888
016E02D0 F3: prefix rep:
016E02D1 EB 02 jmp short 016E02D5
016E02D3 CD20 8D8428D6 vxdjump D628848D
016E02D9 42 inc edx
016E02DA 49 dec ecx
016E02DB 0081 F0F2292B add , al
016E02E1 8A8D 442B4A2B mov cl,
016E02E7 C58D 40B6E969 lds ecx,
016E02ED 0F0000 sldt
016E02F0 6A 80 push -80
016E02F2 F2: prefix repne:
016E02F3 EB 01 jmp short 016E02F6
016E02F5- E9 669C5181 jmp 82BF9F60
016E02FA E1 36 loopdeshort 016E0332
016E02FC 77 64 ja short 016E0362
016E02FE FB sti
016E02FF 81D9 CE3704D2 sbb ecx, D20437CE
016E0305 F2: prefix repne:
016E0306 EB 01 jmp short 016E0309
016E0308 9A 8D4C243A 83E>call far E983:3A244C8D
016E030F 3A65 EB cmp ah,
016E0312 019A 8D4C0106 add , ebx
016E0318 2BC8 sub ecx, eax
016E031A F3: prefix rep:
016E031B EB 02 jmp short 016E031F
016E031D CD20 64FF3500 vxdjump 35FF64
016E0323 0000 add , al
016E0325 0057 8D add , dl
016E0328 7C 4B jl short 016E0375
016E032A 6C ins byte ptr es:, dx
016E032B F2: prefix repne:
016E032C EB 01 jmp short 016E032F
016E032E F3: prefix rep:
016E032F 8D7C07 94 lea edi,
016E0333 2BF8 sub edi, eax
016E0335 2BF9 sub edi, ecx
016E0337 8D3C11 lea edi,
016E033A 8D7C24 7D lea edi,
016E033E 8D7C2F 83 lea edi,
016E0342 2BFD sub edi, ebp
016E0344 EB 02 jmp short 016E0348
016E0346 CD20 83C704C7 vxdjump C704C783
016E034C 07 pop es
016E034D D6 salc
016E034E 5B pop ebx
016E034F 48 dec eax
016E0350 005F 8F add , bl
016E0353 41 inc ecx
016E0354 0059 66 add , bl
016E0357 9D popfd
016E0358 C3 retn
[ 本帖最后由 jjwspj 于 2006-9-16 22:58 编辑 ] 牛壳,有心无力~ 还是自己解决了
00E3F8D0 55 push ebp ; 断在这里
00E3F8D1 8BEC mov ebp,esp
00E3F8D3 83C4 F8 add esp,-8
00E3F8D6 53 push ebx
00E3F8D7 56 push esi
00E3F8D8 57 push edi
00E3F8D9 8B5D 08 mov ebx,dword ptr ss:
00E3F8DC EB 01 jmp short dumped_A.00E3F8DF ; 这里跳到00E3F8DF!
......
由00E3F8DC跳来,到这里.
00E3F8DF 8B45 18 mov eax,dword ptr ss: ; 来到这里
00E3F8E2 83E8 08 sub eax,8
00E3F8E5 8B00 mov eax,dword ptr ds:
00E3F8E7 50 push eax
00E3F8E8 8A8B 96000000 mov cl,byte ptr ds:
00E3F8EE 8B55 14 mov edx,dword ptr ss:
00E3F8F1 8BC3 mov eax,ebx
00E3F8F3 E8 B4FFFFFF call dumped_A.00E3F8AC
00E3F8F8 8B45 18 mov eax,dword ptr ss:
00E3F8FB 50 push eax
00E3F8FC B1 04 mov cl,4
00E3F8FE 8B55 14 mov edx,dword ptr ss:
00E3F901 8BC3 mov eax,ebx
00E3F903 E8 A4FFFFFF call dumped_A.00E3F8AC
00E3F908 EB 01 jmp short dumped_A.00E3F90B
00E3F90A 698B 73308B7B 1>imul ecx,dword ptr ds:,AA4>
00E3F914 E5 00 in eax,0
00E3F916 8B40 34 mov eax,dword ptr ds:[eax+34] ; 从这里开始修改。特征码
00E3F919 FFD0 call eax
00E3F91B 2945 0C sub dword ptr ss:[ebp+C],eax
00E3F91E 8B45 0C mov eax,dword ptr ss:[ebp+C]
00E3F921 2B43 18 sub eax,dword ptr ds:
00E3F924 2B43 68 sub eax,dword ptr ds:
00E3F927 8945 FC mov dword ptr ss:,eax
00E3F92A 8D43 24 lea eax,dword ptr ds:
00E3F92D 8945 F8 mov dword ptr ss:,eax
00E3F930 85FF test edi,edi
00E3F932 76 63 jbe short dumped_A.00E3F997
00E3F934 EB 01 jmp short dumped_A.00E3F937
00E3F936 C7 ??? ; 未知命令
00E3F937 8B45 F8 mov eax,dword ptr ss:
00E3F93A 0FB600 movzx eax,byte ptr ds:
00E3F93D 8B5483 40 mov edx,dword ptr ds:
00E3F941 8BC6 mov eax,esi
00E3F943 FFD2 call edx
00E3F945 3B45 FC cmp eax,dword ptr ss:
00E3F948 75 45 jnz short dumped_A.00E3F98F
00E3F94A EB 01 jmp short dumped_A.00E3F94D
00E3F94C 9A 807B7400 742>call far 2274:00747B80
00E3F953 EB 01 jmp short dumped_A.00E3F956
00E3F955 9A 8B451050 8B4>call far 458B:5010458B
00E3F95C 14 50 adc al,50
00E3F95E E8 69FCFFFF call dumped_A.00E3F5CC
00E3F963 50 push eax
00E3F964 8BCE mov ecx,esi
00E3F966 8B55 18 mov edx,dword ptr ss:
00E3F969 8BC3 mov eax,ebx
00E3F96B E8 70F8FFFF call dumped_A.00E3F1E0
00E3F970 EB 1D jmp short dumped_A.00E3F98F
00E3F972 EB 01 jmp short dumped_A.00E3F975
00E3F974 - E9 8B451050 jmp 50F43F04
00E3F979 8B45 14 mov eax,dword ptr ss:
00E3F97C 50 push eax
00E3F97D E8 4AFCFFFF call dumped_A.00E3F5CC
00E3F982 50 push eax
00E3F983 8BCE mov ecx,esi
00E3F985 8B55 18 mov edx,dword ptr ss:
00E3F988 8BC3 mov eax,ebx
00E3F98A E8 D5F9FFFF call dumped_A.00E3F364
00E3F98F 4F dec edi
00E3F990 0373 6C add esi,dword ptr ds:
00E3F993 85FF test edi,edi
00E3F995 ^ 77 A0 ja short dumped_A.00E3F937
00E3F997 68 B4F9E300 push dumped_A.00E3F9B4 ; ASCII "111"
00E3F99C E8 9357FFFF call dumped_A.00E35134
强烈建议LZ做个视频教程,以兹后人!
全是牛人!!学习中!!!
做个教程吧,很有价值的