- UID
- 28352
注册时间2007-2-21
阅读权限40
最后登录1970-1-1
独步武林
 
TA的每日心情 | 开心
2024-5-1 14:44 |
|---|
签到天数: 2 天 [LV.1]初来乍到
|
发表于 2008-1-6 12:36:45
|
显示全部楼层
打开OD,用ESP定律脱壳
00401000 > B8 30266600 MOV EAX,mydiary.00662630 ; //F8
00401005 50 PUSH EAX
00401006 64:FF35 0000000>PUSH DWORD PTR FS:[0] ; //下断点hr esp,F9
0040100D 64:8925 0000000>MOV DWORD PTR FS:[0],ESP
00401014 33C0 XOR EAX,EAX
00401016 8908 MOV DWORD PTR DS:[EAX],ECX
00401018 50 PUSH EAX
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
7C957826 3B45 F8 CMP EAX,DWORD PTR SS:[EBP-8] ; //删除硬件断点后,ALT+F9
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
00662663 53 PUSH EBX
00662664 51 PUSH ECX
00662665 57 PUSH EDI
00662666 56 PUSH ESI
00662667 52 PUSH EDX
00662668 8D98 57120010 LEA EBX,DWORD PTR DS:[EAX+10001257]
0066266E 8B53 18 MOV EDX,DWORD PTR DS:[EBX+18]
00662671 52 PUSH EDX
00662672 8BE8 MOV EBP,EAX
00662674 6A 40 PUSH 40
00662676 68 00100000 PUSH 1000
0066267B FF73 04 PUSH DWORD PTR DS:[EBX+4]
0066267E 6A 00 PUSH 0
00662680 8B4B 10 MOV ECX,DWORD PTR DS:[EBX+10]
00662683 03CA ADD ECX,EDX
00662685 8B01 MOV EAX,DWORD PTR DS:[ECX]
00662687 FFD0 CALL EAX
00662689 5A POP EDX
0066268A 8BF8 MOV EDI,EAX
0066268C 50 PUSH EAX
0066268D 52 PUSH EDX
0066268E 8B33 MOV ESI,DWORD PTR DS:[EBX]
00662690 8B43 20 MOV EAX,DWORD PTR DS:[EBX+20]
00662693 03C2 ADD EAX,EDX
00662695 8B08 MOV ECX,DWORD PTR DS:[EAX]
00662697 894B 20 MOV DWORD PTR DS:[EBX+20],ECX
0066269A 8B43 1C MOV EAX,DWORD PTR DS:[EBX+1C]
0066269D 03C2 ADD EAX,EDX
0066269F 8B08 MOV ECX,DWORD PTR DS:[EAX]
006626A1 894B 1C MOV DWORD PTR DS:[EBX+1C],ECX
006626A4 03F2 ADD ESI,EDX
006626A6 8B4B 0C MOV ECX,DWORD PTR DS:[EBX+C]
006626A9 03CA ADD ECX,EDX
006626AB 8D43 1C LEA EAX,DWORD PTR DS:[EBX+1C]
006626AE 50 PUSH EAX
006626AF 57 PUSH EDI
006626B0 56 PUSH ESI
006626B1 FFD1 CALL ECX
006626B3 5A POP EDX
006626B4 58 POP EAX
006626B5 0343 08 ADD EAX,DWORD PTR DS:[EBX+8]
006626B8 8BF8 MOV EDI,EAX
006626BA 52 PUSH EDX
006626BB 8BF0 MOV ESI,EAX
006626BD 8B46 FC MOV EAX,DWORD PTR DS:[ESI-4]
006626C0 83C0 04 ADD EAX,4
006626C3 2BF0 SUB ESI,EAX
006626C5 8956 08 MOV DWORD PTR DS:[ESI+8],EDX
006626C8 8B4B 0C MOV ECX,DWORD PTR DS:[EBX+C]
006626CB 894E 14 MOV DWORD PTR DS:[ESI+14],ECX
006626CE FFD7 CALL EDI
006626D0 8985 3F130010 MOV DWORD PTR SS:[EBP+1000133F],EAX
006626D6 8BF0 MOV ESI,EAX
006626D8 8B4B 14 MOV ECX,DWORD PTR DS:[EBX+14]
006626DB 5A POP EDX
006626DC EB 0C JMP SHORT mydiary.006626EA
006626DE 03CA ADD ECX,EDX
006626E0 68 00800000 PUSH 8000
006626E5 6A 00 PUSH 0
006626E7 57 PUSH EDI
006626E8 FF11 CALL DWORD PTR DS:[ECX]
006626EA 8BC6 MOV EAX,ESI
006626EC 5A POP EDX
006626ED 5E POP ESI
006626EE 5F POP EDI
006626EF 59 POP ECX
006626F0 5B POP EBX
006626F1 5D POP EBP
006626F2 - FFE0 JMP EAX ; //下硬件执行断点,F9,删除硬件断点,F8
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
005A2A40 55 PUSH EBP ; //DUMP
005A2A41 8BEC MOV EBP,ESP
005A2A43 83C4 F0 ADD ESP,-10
005A2A46 53 PUSH EBX
005A2A47 B8 D8215A00 MOV EAX,mydiary.005A21D8
005A2A4C E8 FB46E6FF CALL mydiary.0040714C
005A2A51 8B1D 70775A00 MOV EBX,DWORD PTR DS:[5A7770] ; mydiary.005A8BF4
005A2A57 8B03 MOV EAX,DWORD PTR DS:[EBX] |
|
楼主: jacksunblack
IP卡
发表于 2007-12-29 13:03:17
显身卡
发表于 2008-1-8 22:11:46
