【标 题】帮网页特效咖啡豆脱衣服(脱壳)
【下载 地址】PYG的FTP里有
【脱衣服工具】OD,PEiD
【衣服 类型】ASPack 2.1 -> Alexey Solodovnikov
【任 务】把衣服脱掉(找到OEP,然后DUMP,修复输入表!)
【脱衣服作者】crazysky
【脱衣服声明】我只是个小菜鸟,不好之处多多包涵!
【备 注】老手勿看!
【脱衣服过程】
在脱之前先说一下,脱衣服时程序里面会有好多循环,
对付循环时,只能让程序往前运行,基本不能让它往回跳,要想法跳出循环圈。(请记住!)
用OD载入TheEndTx.exe,忽略所有异常(提示是否继续分析,选择"否" )
得到代码如下:
; OllyDbg trace of the ASPack 2.1 loader stub in TheEndTx.exe (32-bit x86, Intel
; syntax). Columns: address, opcode bytes, instruction, notes.
; The original Chinese notes are translated inline: F8 = step over, F4 = run to
; the instruction under the cursor (used here to leave the stub's loops without
; single-stepping every iteration).
; Every data reference is ebp-relative: the stub addresses its own variables as
; ebp+<delta> (delta-offset addressing). NOTE(review): the value of ebp must be
; established by the call at 00622002, whose body is not in this excerpt - confirm.
00622001 T> 60 pushad ; stub entry: save all general registers; press F8
00622002 E8 72050000 call TheEndTx.00622579 ; F8 (callee not shown in this excerpt)
00622007 EB 33 jmp short TheEndTx.0062203C ; taken jump, F8
; 00622009-00622013: bytes that OllyDbg disassembles as junk; skipped by the jmp above
00622009 87DB xchg ebx,ebx
0062200B 90 nop
0062200C 00A0 4A0010A0 add byte ptr ds:[eax+A010004A],ah
00622012 4A dec edx
00622013 000C67 add byte ptr ds:[edi],cl
0062203C BB 3C394400 mov ebx,TheEndTx.0044393C ; jump lands here; keep pressing F8 from here on
00622041 03DD add ebx,ebp ; ebx = ebp + 0x44393C
00622043 2B9D 60394400 sub ebx,dword ptr ss:[ebp+443960] ; ebx -= saved value; presumably the image base the stub was linked for - confirm
00622049 83BD 98474400 00 cmp dword ptr ss:[ebp+444798],0 ; first-run check on the slot written below
00622050 899D 98474400 mov dword ptr ss:[ebp+444798],ebx ; [ebp+444798] = ebx (used as the load base by the loop at 00622211)
00622056 0F85 81040000 jnz TheEndTx.006224DD ; taken only if the slot was already non-zero; not taken in this trace
0062205C 8D85 A0474400 lea eax,dword ptr ss:[ebp+4447A0]
00622062 50 push eax ; one argument: pointer to data at ebp+4447A0
00622063 FF95 AC484400 call dword ptr ss:[ebp+4448AC] ; imported function via the stub's table; presumably a module lookup by name - TODO confirm by inspecting the bytes at ebp+4447A0
00622069 8985 9C474400 mov dword ptr ss:[ebp+44479C],eax ; keep the returned handle
0062206F 8BF8 mov edi,eax ; edi = handle, reused for the second lookup below
00622071 8D9D AD474400 lea ebx,dword ptr ss:[ebp+4447AD]
00622077 53 push ebx ; arg2: pointer to data at ebp+4447AD
00622078 50 push eax ; arg1: handle from above
00622079 FF95 A8484400 call dword ptr ss:[ebp+4448A8] ; two-argument lookup; result is called later with (0, size, 1000, 4) at 00622205 - argument shape matches VirtualAlloc, so presumably GetProcAddress resolving it; confirm
0062207F 8985 F5394400 mov dword ptr ss:[ebp+4439F5],eax ; [ebp+4439F5] = allocator function pointer
00622085 8D9D BA474400 lea ebx,dword ptr ss:[ebp+4447BA]
0062208B 53 push ebx ; arg2: pointer to data at ebp+4447BA
0062208C 57 push edi ; arg1: same handle
0062208D FF95 A8484400 call dword ptr ss:[ebp+4448A8] ; second lookup; result is called later with (buf, 0, 8000) at 006222D9 - shape matches VirtualFree; confirm
00622093 8985 F9394400 mov dword ptr ss:[ebp+4439F9],eax ; [ebp+4439F9] = release function pointer
00622099 8D85 0A3B4400 lea eax,dword ptr ss:[ebp+443B0A] ; eax = target inside the stub (ebp-relative)
0062209F FFE0 jmp eax ; indirect jump; F8
006220A1 0000 add byte ptr ds:[eax],al ; junk bytes after the jump, not executed from here
006221CE 8B9D 6C394400 mov ebx,dword ptr ss:[ebp+44396C] ; jump lands here
006221D4 0BDB or ebx,ebx ; ebx == 0 ?
006221D6 74 0A je short TheEndTx.006221E2 ; taken when the slot is zero (taken in this trace)
; 006221D8-006221E0: swap the dword at [ebx] with the saved value at ebp+443970 (skipped here;
; the same pattern appears again at 00622308)
006221D8 8B03 mov eax,dword ptr ds:[ebx]
006221DA 8785 70394400 xchg dword ptr ss:[ebp+443970],eax
006221E0 8903 mov dword ptr ds:[ebx],eax
; Section loop. esi walks a table at ebp+443A1A whose 8-byte entries are read as
; [esi] (offset, added to the base in [ebp+444798]) and [esi+4] (size); the loop
; advances esi by 8 (006222DF) until [esi] == 0 (006222E2).
006221E2 8DB5 1A3A4400 lea esi,dword ptr ss:[ebp+443A1A] ; jump lands here; keep pressing F8
006221E8 833E 00 cmp dword ptr ds:[esi],0 ; empty table?
006221EB 0F84 1F010000 je TheEndTx.00622310 ; then skip the whole section loop
006221F1 8DB5 1A3A4400 lea esi,dword ptr ss:[ebp+443A1A]
006221F7 6A 04 push 4 ; args pushed right-to-left: (0, 0x1800, 0x1000, 4)
006221F9 68 00100000 push 1000
006221FE 68 00180000 push 1800
00622203 6A 00 push 0
00622205 FF95 F5394400 call dword ptr ss:[ebp+4439F5] ; allocate a 0x1800-byte scratch buffer (presumably VirtualAlloc; see above)
0062220B 8985 F1394400 mov dword ptr ss:[ebp+4439F1],eax ; [ebp+4439F1] = scratch buffer
00622211 8B46 04 mov eax,dword ptr ds:[esi+4] ; loop body start: eax = entry size
00622214 05 0E010000 add eax,10E ; plus 0x10E bytes of slack
00622219 6A 04 push 4 ; (0, size+0x10E, 0x1000, 4)
0062221B 68 00100000 push 1000
00622220 50 push eax
00622221 6A 00 push 0
00622223 FF95 F5394400 call dword ptr ss:[ebp+4439F5] ; allocate a per-entry work buffer
00622229 8985 ED394400 mov dword ptr ss:[ebp+4439ED],eax ; [ebp+4439ED] = work buffer
0062222F 56 push esi ; table cursor survives the call below (restored at 006222CB)
00622230 8B1E mov ebx,dword ptr ds:[esi] ; ebx = entry offset
00622232 039D 98474400 add ebx,dword ptr ss:[ebp+444798] ; ebx = offset + base = destination address in the image
00622238 FFB5 F1394400 push dword ptr ss:[ebp+4439F1] ; arg4: scratch buffer
0062223E FF76 04 push dword ptr ds:[esi+4] ; arg3: entry size
00622241 50 push eax ; arg2: work buffer
00622242 53 push ebx ; arg1: destination address
00622243 E8 3B030000 call TheEndTx.00622583 ; body not in this excerpt; presumably the decompressor filling the work buffer, returning the output length in eax (the copy at 006222C2 uses eax as the byte count) - confirm
00622248 80BD 0D3A4400 00 cmp byte ptr ss:[ebp+443A0D],0 ; one-shot flag
0062224F 75 5E jnz short TheEndTx.006222AF ; already done once: skip to the copy
00622251 FE85 0D3A4400 inc byte ptr ss:[ebp+443A0D] ; mark done
00622257 8B3E mov edi,dword ptr ds:[esi]
00622259 03BD 98474400 add edi,dword ptr ss:[ebp+444798] ; edi = destination address of this entry
0062225F FF37 push dword ptr ds:[edi] ; save the first dword at the destination
00622261 C607 C3 mov byte ptr ds:[edi],0C3 ; write a single RET (0xC3) there...
00622264 FFD7 call edi ; ...call it (returns immediately)...
00622266 8F07 pop dword ptr ds:[edi] ; ...and restore the saved dword. Purpose is not visible from this listing.
00622268 50 push eax ; preserve eax (length), ecx, esi, ebx around the fixup pass
00622269 51 push ecx
0062226A 56 push esi
0062226B 53 push ebx
; Fixup pass over the work buffer: rewrites the operands of E8 (call) / E9 (jmp)
; opcodes that carry a 0x19 tag byte. ecx = bytes remaining, esi = read cursor,
; ebx = offset of the current byte within the buffer.
0062226C 8BC8 mov ecx,eax ; ecx = length
0062226E 83E9 06 sub ecx,6 ; minus 6 so a full opcode+operand always fits
00622271 8BB5 ED394400 mov esi,dword ptr ss:[ebp+4439ED] ; esi = work buffer
00622277 33DB xor ebx,ebx ; ebx = 0 (current offset)
00622279 0BC9 or ecx,ecx ; loop head: remaining <= 0 -> exit
0062227B 74 2E je short TheEndTx.006222AB
0062227D 78 2C js short TheEndTx.006222AB
0062227F AC lods byte ptr ds:[esi] ; al = next byte, esi++
00622280 3C E8 cmp al,0E8 ; call opcode?
00622282 74 0A je short TheEndTx.0062228E
00622284 EB 00 jmp short TheEndTx.00622286 ; 2-byte jump to the next instruction; F8
00622286 3C E9 cmp al,0E9 ; lands here; jmp opcode?
00622288 74 04 je short TheEndTx.0062228E
0062228A 43 inc ebx ; plain byte: advance offset...
0062228B 49 dec ecx ; ...and consume one byte
0062228C ^ EB EB jmp short TheEndTx.00622279 ; backward jump to the loop head - do NOT F8 this; click the next instruction instead
0062228E 8B06 mov eax,dword ptr ds:[esi] ; press F4 here. eax = the 4 operand bytes after the opcode
00622290 EB 00 jmp short TheEndTx.00622292 ; 2-byte jump to the next instruction; F8
00622292 803E 19 cmp byte ptr ds:[esi],19 ; lands here; only operands whose first byte is the 0x19 tag are patched
00622295 ^ 75 F3 jnz short TheEndTx.0062228A ; backward jump; press F4 on the next instruction
00622297 24 00 and al,0 ; i.e. press F4 here. Clear the tag byte
00622299 C1C0 18 rol eax,18 ; rotate by 24: the remaining three bytes (stored high-byte first) become a native 24-bit value
0062229C 2BC3 sub eax,ebx ; stored target is absolute within the buffer; subtract the current offset to get the relative displacement the CPU expects
0062229E 8906 mov dword ptr ds:[esi],eax ; write the fixed operand back
006222A0 83C3 05 add ebx,5 ; opcode + 4-byte operand consumed
006222A3 83C6 04 add esi,4
006222A6 83E9 05 sub ecx,5
006222A9 ^ EB CE jmp short TheEndTx.00622279 ; also jumps back to the loop head
006222AB 5B pop ebx ; press F4 here (loop exit); restore registers
006222AC 5E pop esi
006222AD 59 pop ecx
006222AE 58 pop eax
; Copy eax bytes from the work buffer to the entry's address in the image:
; eax/4 dwords with rep movsd, then the remaining eax&3 bytes with rep movsb.
006222AF 8BC8 mov ecx,eax ; ecx = length
006222B1 8B3E mov edi,dword ptr ds:[esi]
006222B3 03BD 98474400 add edi,dword ptr ss:[ebp+444798] ; edi = destination address
006222B9 8BB5 ED394400 mov esi,dword ptr ss:[ebp+4439ED] ; esi = work buffer
006222BF C1F9 02 sar ecx,2 ; dword count
006222C2 F3:A5 rep movs dword ptr es:[edi],dword ptr> ; (operand text truncated by OllyDbg's column width)
006222C4 8BC8 mov ecx,eax
006222C6 83E1 03 and ecx,3 ; trailing byte count
006222C9 F3:A4 rep movs byte ptr es:[edi],byte ptr d> ; (truncated as above)
006222CB 5E pop esi ; restore the table cursor pushed at 0062222F
006222CC 68 00800000 push 8000 ; (work buffer, 0, 0x8000)
006222D1 6A 00 push 0
006222D3 FFB5 ED394400 push dword ptr ss:[ebp+4439ED]
006222D9 FF95 F9394400 call dword ptr ss:[ebp+4439F9] ; release the work buffer (presumably VirtualFree; see above)
006222DF 83C6 08 add esi,8 ; next 8-byte table entry
006222E2 833E 00 cmp dword ptr ds:[esi],0 ; end of table?
006222E5 ^ 0F85 26FFFFFF jnz TheEndTx.00622211 ; backward jump to the loop body for the next entry
006222EB 68 00800000 push 8000 ; press F4 here (after the last entry). (scratch buffer, 0, 0x8000)
006222F0 6A 00 push 0
006222F2 FFB5 F1394400 push dword ptr ss:[ebp+4439F1]
006222F8 FF95 F9394400 call dword ptr ss:[ebp+4439F9] ; release the scratch buffer
006222FE 8B9D 6C394400 mov ebx,dword ptr ss:[ebp+44396C] ; same check as at 006221CE
00622304 0BDB or ebx,ebx
00622306 74 08 je short TheEndTx.00622310 ; taken when zero; jumps down
00622308 8B03 mov eax,dword ptr ds:[ebx]
0062230A 8785 70394400 xchg dword ptr ss:[ebp+443970],eax ; swap back the dword saved at 006221DA (skipped here)
00622310 8B95 98474400 mov edx,dword ptr ss:[ebp+444798] ; jump lands here; edx = actual base
00622316 8B85 64394400 mov eax,dword ptr ss:[ebp+443964] ; eax = stored base
0062231C 2BD0 sub edx,eax ; edx = delta between them
0062231E 74 79 je short TheEndTx.00622399 ; forward jump when the delta is zero (F8 takes it); presumably skips relocation processing - confirm
00622320 8BC2 mov eax,edx
00622322 C1E8 10 shr eax,10 ; high 16 bits of the delta
(还没完的,在下一楼里!唉!系统不给一次贴出来,限制在10000字节!)