- UID
- 36770
注册时间2007-11-3
阅读权限8
最后登录1970-1-1
初入江湖
该用户从未签到
|
脱壳 ASPack 2.12 带IAT
方法一
00BFD001 > 60 PUSHAD
00BFD002 E8 03000000 CALL uc.00BFD00A F7
00BFD007 - E9 EB045D45 JMP 461CD4F7
00BFD00C 55 PUSH EBP
00BFD00D C3 RETN
00BFD00E E8 01000000 CALL uc.00BFD014
00BFD00A 5D POP EBP
00BFD00B 45 INC EBP ; uc.00BFD007
00BFD00C 55 PUSH EBP
00BFD00D C3 RETN
00BFD00E E8 01000000 CALL uc.00BFD014 F4 然后 F7
00BFD014 5D POP EBP ; uc.00BFD013
00BFD015 BB EDFFFFFF MOV EBX,-13
00BFD01A 03DD ADD EBX,EBP
00BFD01C 81EB 00D07F00 SUB EBX,uc.007FD000
00BFD022 83BD 22040000 0>CMP DWORD PTR SS:[EBP+422],0
00BFD029 899D 22040000 MOV DWORD PTR SS:[EBP+422],EBX
00BFD02F /0F85 65030000 JNZ uc.00BFD39A 跳转未实现 让它实现
00BFD035 |8D85 2E040000 LEA EAX,DWORD PTR SS:[EBP+42E]
00BFD03B |50 PUSH EAX
00BFD03C |FF95 4D0F0000 CALL DWORD PTR SS:[EBP+F4D]
00BFD042 |8985 26040000 MOV DWORD PTR SS:[EBP+426],EAX
00BFD39A B8 B41F0000 MOV EAX,1FB4
00BFD39F 50 PUSH EAX
00BFD3A0 0385 22040000 ADD EAX,DWORD PTR SS:[EBP+422]
00BFD3A6 59 POP ECX
00BFD39A B8 B41F0000 MOV EAX,1FB4
00BFD39F 50 PUSH EAX
00BFD3A0 0385 22040000 ADD EAX,DWORD PTR SS:[EBP+422]
00BFD3A6 59 POP ECX
00BFD3A7 0BC9 OR ECX,ECX
00BFD3A9 8985 A8030000 MOV DWORD PTR SS:[EBP+3A8],EAX
00BFD3AF 61 POPAD oep标志
00BFD3B0 75 08 JNZ SHORT uc.00BFD3BA
00BFD3B2 B8 01000000 MOV EAX,1
00BFD3B7 C2 0C00 RETN 0C
00BFD3BA 68 B41F4000 PUSH uc.00401FB4
00BFD3BF C3 RETN
00401FB4 /EB 10 JMP SHORT uc.00401FC6 oep直接脱壳
00401FB6 |66:623A BOUND DI,DWORD PTR DS:[EDX]
00401FB9 |43 INC EBX
00401FBA |2B2B SUB EBP,DWORD PTR DS:[EBX]
00401FBC |48 DEC EAX
00401FBD |4F DEC EDI
00401FBE |4F DEC EDI
00401FBF |4B DEC EBX
方法二 用esp定律直接到达oep
IAT 开始007C2F10 - FF25 18AC9900 JMP DWORD PTR DS:[99AC18] ; vcl60.@Consts@initialization$qqrv
IAT 结束007C6AC2 - FF25 D0FF9900 JMP DWORD PTR DS:[99FFD0] ; wininet.InternetSetOptionA
99AC18-400000=59AC18
99FFD0-400000=59FFD0
59FFD0-59AC18=53B8 大小
教程md5 65167a35f8c8c38604cfa2a1c6bda069
http://www.fs2you.com/zh-cn/file ... -b638-00142218fc6e/ |
|
IP卡
发表于 2008-1-17 23:08:49
提升卡
置顶卡
变色卡
千斤顶
显身卡