asprotect v2.0 stolen code fix

A repair journey for Asprotect v2.0 stolen code

【Target】: 久久奇迹 v3.6 (MU99)
【Tools】: OllyDbg 1.1 (DIY build), LordPE, ImportREC 1.6F
【Task】: a fairly simple recovery of the code the packer stole
【Platform】: Windows XP SP2
【Author】: loveboom[DFCG][FCG][US]
【Summary】: Many of you probably know that the new version of this packer steals code quite "heavily", so I wanted to "peek" at the stolen code. Since the target is a game cheat (外挂), I won't post the original program; find the target yourselves.

【Details】: Set OD to break on INT3 exceptions and ignore all the others. This write-up mainly covers how to recover the stolen code, so I won't cover fixing the IAT yourself. The push [xxxxxx] / RETN code found after the last memory exception is the original OEP, the point where execution of the original program's code begins. I simplified the process with a script, adapting my earlier ASPR2 script:

/*//////////////////////////////////////////////////
         Script for Asprotect v2.0
         Author: loveboom
         Email : [email protected]
         OS    : WinXP sp2,Ollydbg 1.1,OllyScript v0.92
         Date  : 2004-11-15
         Action: Stop stolen code
         Config: Ignore all exceptions except 'INT 3 breaks'
         Note  : If you have one or more question, email me please,thank  you!
//////////////////////////////////////////////////*/
var addr
lblask:
  ask "Press 1 clear junkcode,press other key run script."
  cmp $RESULT,1
  je lblcCode
lblsetting:
  msgyn "Setting:Ignore all exceptions except 'INT 3 breaks',Continue?"
  cmp $RESULT,1
  je  lblbp1                                    // modified here
  ret
// the changes start here
lblbp1:
  gpa "LoadLibraryA","kernel32.dll"             // get the address of LoadLibraryA
  mov addr,$RESULT
  add addr,B                                    // bp LoadLibraryA+0B
  bp addr
  run
lblbc1:
  bc addr
  rtu                                           // return to user code
  rtr                                           // run until return
  sto
  find eip,#E8#                                 // find the CALL
  go $RESULT
  sti                                           // step into
  find eip,#8B550C8B128902#                     // find the IAT-processing code
  mov addr,$RESULT
  add addr,5
  mov [addr],#891A#
// from here on the original code is called
start:
  dbh
  run
lbl1:
  find eip,#5B5A59C3#                           // Found commands 'pop ebx, pop edx, pop ecx, retn'
  cmp $RESULT,0
  je lblerr
  mov addr,$RESULT
  add addr,3
  bp addr
lbl2:
  esto
lbl3:
  cmp eip,addr
  jne lbl2
  bc addr
lbl4:
  find eip,#FF35????????C3#
  cmp $RESULT,0
  je lblerr
  mov addr,$RESULT
  add addr,2
  mov addr,[addr]                               // Get push address
  mov addr,[addr]                               // Get push value(address)
  bp addr
  run
lbl5:
  cmp eip,addr
  jne lblerr
  bc addr
lbl7:
  cmt eip,"Stolen code."
  msgyn "Clear Junkcode?"                       // CLEAR JUNKCODE?
  cmp $RESULT,0
  je lblend
lblcCode:
//jmp 01
  repl eip,#2EEB01??#,#90909090#,1000
  repl eip,#65EB01??#,#90909090#,1000
  repl eip,#F2EB01??#,#90909090#,1000
  repl eip,#F3EB01??#,#90909090#,1000
  repl eip,#F3EB01??#,#90909090#,1000
  repl eip,#EB01??#,#909090#,1000
//jmp 02
  repl eip,#26EB02????#,#9090909090#,1000
  repl eip,#3EEB02????#,#9090909090#,1000
  repl eip,#F3EB02????#,#9090909090#,1000
  repl eip,#EB02????#,#90909090#,1000
lblend:
  msg "Script by loveboom[DFCG][FCG][US],Thank you for using my Scripts!"
  ret
lblerr:
  msg "Error!Script aborted.Maybe target is not protect by asprotect 2.0 or your forgot Ignore all exceptions except 'INT 3 breaks'."
  ret

After the modifications, just run the script straight to the destination.
Note: from here on you have to look carefully, because the packer has written tons of junk code, and one slip and you lose the trace.

00F802FF    55              PUSH EBP                                 ; ☆☆☆☆☆ Stolen code. This is the first line; note this address, it will be needed later
00F80300    81E5 148A85F7   AND EBP,F7858A14
00F80306    90              NOP
……
00F803F2    90              NOP
00F803F3    90              NOP
00F803F4    90              NOP
00F803F5    2BC3            SUB EAX,EBX
00F803F7    58              POP EAX
00F803F8    0BF7            OR ESI,EDI
00F803FA    5E              POP ESI
00F803FB    90              NOP
00F803FC    90              NOP
00F803FD    90              NOP
00F803FE    90              NOP
00F803FF    2BEE            SUB EBP,ESI                              ; ☆☆☆☆☆ this is the second line: mov ebp,esp
00F80401    6A FF           PUSH -1                                  ; ☆☆☆☆☆ third line: push -1
00F80403    90              NOP
00F80404    90              NOP
……
00F80408    FF7424 0C       PUSH DWORD PTR SS:[ESP+C]
00F8040C    66:9C           PUSHFW
00F8040E    51              PUSH ECX
00F8040F    03CD            ADD ECX,EBP
00F80411    03CD            ADD ECX,EBP
00F80413    034C24 18       ADD ECX,DWORD PTR SS:[ESP+18]
00F80417    B9 3E064200     MOV ECX,42063E
00F8041C    8D4C14 12       LEA ECX,DWORD PTR SS:[ESP+EDX+12]
00F80420    2BCA            SUB ECX,EDX
00F80422    8D4C01 EE       LEA ECX,DWORD PTR DS:[ECX+EAX-12]
00F80426    2BC8            SUB ECX,EAX
00F80428    64:90           NOP                                      ; Superfluous prefix
00F8042A    90              NOP
00F8042B    90              NOP
00F8042C    90              NOP
00F8042D    8D4C39 06       LEA ECX,DWORD PTR DS:[ECX+EDI+6]
00F80431    2BCF            SUB ECX,EDI
00F80433    68 68A74300     PUSH 43A768
00F80438    90              NOP
00F80439    90              NOP
00F8043A    90              NOP
00F8043B    90              NOP
00F8043C    8F01            POP DWORD PTR DS:[ECX]                   ; ☆☆☆☆☆ this is the fourth instruction; look at the value when you get here and it is obvious: push 43A768
-------------------------
0012FFB8   0043A768  99mu.0043A768
-------------------------
00F8043E    59              POP ECX
00F8043F    66:9D           POPFW
……
00F8062E    64:FF35 0000000>PUSH DWORD PTR FS:[0]
00F80635    66:9C           PUSHFW
00F80637    53              PUSH EBX
00F80638    90              NOP
00F80639    90              NOP
00F8063A    90              NOP
00F8063B    90              NOP
00F8063C    90              NOP
00F8063D    81D3 4EFB8179   ADC EBX,7981FB4E
00F80643    8BDC            MOV EBX,ESP
00F80645    90              NOP
00F80646    90              NOP
00F80647    90              NOP
00F80648    90              NOP
00F80649    8D5B 06         LEA EBX,DWORD PTR DS:[EBX+6]
00F8064C    52              PUSH EDX
00F8064D    8D940B AE784500 LEA EDX,DWORD PTR DS:[EBX+ECX+4578AE]
00F80654    8D9427 AA1B4300 LEA EDX,DWORD PTR DS:[EDI+431BAA]
00F8065B    2BD7            SUB EDX,EDI
00F8065D    8913            MOV DWORD PTR DS:[EBX],EDX               ; ☆☆☆☆☆ PUSH 431BAA
00F8065F    5A              POP EDX
00F80660    5B              POP EBX
00F80661    90              NOP
00F80662    90              NOP
00F80663    90              NOP
00F80664    90              NOP
00F80665    66:9D           POPFW
00F80667    64:A1 00000000  MOV EAX,DWORD PTR FS:[0]                 ; ☆☆☆☆☆
00F8066D    50              PUSH EAX                                 ; ☆☆☆☆☆
00F8066E    64:8925 0000000>MOV DWORD PTR FS:[0],ESP                 ; ☆☆☆☆☆
00F80675    36:90           NOP                                      ; Superfluous prefix
00F80677    90              NOP
00F80678    90              NOP
00F80679    83EC 68         SUB ESP,68                               ; ☆☆☆☆☆
00F8067C    53              PUSH EBX                                 ; ☆☆☆☆☆
00F8067D    56              PUSH ESI                                 ; ☆☆☆☆☆
00F8067E    57              PUSH EDI                                 ; ☆☆☆☆☆
00F8067F    8965 E8         MOV DWORD PTR SS:[EBP-18],ESP            ; ☆☆☆☆☆
00F80682    33DB            XOR EBX,EBX                              ; ☆☆☆☆☆
00F80684    895D FC         MOV DWORD PTR SS:[EBP-4],EBX             ; ☆☆☆☆☆
00F80687    6A 02           PUSH 2                                   ; ☆☆☆☆☆
00F80689    FF15 94644300   CALL DWORD PTR DS:[436494]               ; ☆☆☆☆☆
00F8068F    59              POP ECX                                  ; ☆☆☆☆☆
00F80690    830D 10874500 F>OR DWORD PTR DS:[458710],FFFFFFFF        ; ☆☆☆☆☆
00F80697    830D 14874500 F>OR DWORD PTR DS:[458714],FFFFFFFF        ; ☆☆☆☆☆
00F8069E    FF15 BC644300   CALL DWORD PTR DS:[4364BC]               ; ☆☆☆☆☆
00F806A4    90              NOP
00F806A5    90              NOP
00F806A6    90              NOP
00F806A7    90              NOP
00F806A8    334C24 28       XOR ECX,DWORD PTR SS:[ESP+28]            ; all junk code here
00F806AC    83C9 71         OR ECX,71
00F806AF    90              NOP
00F806B0    90              NOP
00F806B1    90              NOP
00F806B2    90              NOP
00F806B3    FF35 04874500   PUSH DWORD PTR DS:[458704]
00F806B9    034C24 38       ADD ECX,DWORD PTR SS:[ESP+38]            ; junk code
00F806BD    034C24 18       ADD ECX,DWORD PTR SS:[ESP+18]
00F806C1    59              POP ECX                                  ; ☆☆☆☆☆ this is just MOV ECX,[458704]
00F806C2    8908            MOV DWORD PTR DS:[EAX],ECX               ; ☆☆☆☆☆
00F806C4    FF15 5C644300   CALL DWORD PTR DS:[43645C]               ; ☆☆☆☆☆ msvcrt.__p__commode
00F806CA    83E9 33         SUB ECX,33
00F806CD    83D9 8F         SBB ECX,-71
00F806D0    90              NOP
00F806D1    90              NOP
00F806D2    90              NOP
00F806D3    90              NOP
00F806D4    90              NOP
00F806D5    FF35 00874500   PUSH DWORD PTR DS:[458700]
00F806DB    334C24 28       XOR ECX,DWORD PTR SS:[ESP+28]
00F806DF    83D9 89         SBB ECX,-77
00F806E2    59              POP ECX                                  ; ☆☆☆☆☆ mov ecx,[458700]
00F806E3    8908            MOV DWORD PTR DS:[EAX],ECX               ; ☆☆☆☆☆
00F806E5    64:90           NOP                                      ; Superfluous prefix
00F806E7    90              NOP
00F806E8    90              NOP
00F806E9    90              NOP
00F806EA    8D440B 36       LEA EAX,DWORD PTR DS:[EBX+ECX+36]
00F806EE    FF35 50644300   PUSH DWORD PTR DS:[436450]               ; msvcrt._adjust_fdiv
00F806F4    81C8 FA2D991F   OR EAX,1F992DFA
00F806FA    58              POP EAX                                  ; ☆☆☆☆☆ MOV EAX,[436450]
00F806FB  ^ E9 88FEFFFF     JMP 00F80588
00F80588    8B00            MOV EAX,DWORD PTR DS:[EAX]               ; ☆☆☆☆☆
00F8058A    A3 0C874500     MOV DWORD PTR DS:[45870C],EAX            ; ☆☆☆☆☆
00F8058F    68 9D08F800     PUSH 0F8089D                             ; this is the code of the first call
00F80594    E8 67FA1000     CALL 01090000                            ; step in and take a look first:

Once inside there is even more junk code, but don't be afraid, it is actually easy to deal with.

01090000    64:90           NOP                                      ; after stepping in we land here
01090002    90              NOP
01090003    90              NOP
01090004    90              NOP
01090005    51              PUSH ECX
01090006    9C              PUSHFD
01090007    90              NOP
01090008    90              NOP
01090009    90              NOP
0109000A    90              NOP
0109000B    81C1 9F3A8AB8   ADD ECX,B88A3A9F
01090011    64:90           NOP                                      ; Superfluous prefix
……

Keep going down until you find a call through a register:

0109010D    0BD1            OR EDX,ECX
0109010F    C1D9 23         RCR ECX,23                               ; Shift constant out of range 1..31
01090112    034C24 38       ADD ECX,DWORD PTR SS:[ESP+38]
01090116    68 A429D600     PUSH 0D629A4
0109011B    81E1 D82E9C40   AND ECX,409C2ED8
01090121    59              POP ECX
01090122    FFD1            CALL ECX                                 ; scan down to here, then step in again
01090124    FF7424 10       PUSH DWORD PTR SS:[ESP+10]
01090128    8D4C0B 06       LEA ECX,DWORD PTR DS:[EBX+ECX+6]

We arrive here once more:

00D629A4    55              PUSH EBP
00D629A5    8BEC            MOV EBP,ESP
00D629A7    83C4 F8         ADD ESP,-8
00D629AA    53              PUSH EBX
00D629AB    56              PUSH ESI
00D629AC    57              PUSH EDI
00D629AD    8B5D 08         MOV EBX,DWORD PTR SS:[EBP+8]

Still lots of junk code here.

……
00D62A12    8B45 14         MOV EAX,DWORD PTR SS:[EBP+14]
00D62A15    50              PUSH EAX
00D62A16    E8 CDF3FFFF     CALL 00D61DE8
00D62A1B    50              PUSH EAX
00D62A1C    8BCE            MOV ECX,ESI
00D62A1E    8B55 18         MOV EDX,DWORD PTR SS:[EBP+18]
00D62A21    8BC3            MOV EAX,EBX
00D62A23    E8 8CFDFFFF     CALL 00D627B4                            ; step in again here
00D62A28    4F              DEC EDI
00D62A29    0373 70         ADD ESI,DWORD PTR DS:[EBX+70]
00D62A2C    85FF            TEST EDI,EDI
00D62A2E  ^ 77 CB           JA SHORT 00D629FB

Step in again and take a look:

00D627B4    55              PUSH EBP                                 ; we land here
00D627B5    8BEC            MOV EBP,ESP
00D627B7    83C4 F0         ADD ESP,-10
00D627BA    53              PUSH EBX
00D627BB    56              PUSH ESI
00D627BC    57              PUSH EDI
……

Once inside, keep going down until you find JMP DWORD PTR DS:[EAX+24]. It is here:

00D62959    FF75 0C         PUSH DWORD PTR SS:[EBP+C]
00D6295C    8B45 F8         MOV EAX,DWORD PTR SS:[EBP-8]
00D6295F    FF60 24         JMP DWORD PTR DS:[EAX+24]                ; once found, F4 straight to here; then one F8 and we finally reach the place we want:
010A0000    64:90           NOP                                      ; once here, go straight to the POPFD
010A0002    90              NOP
010A0003    90              NOP
010A0004    90              NOP
010A0005    90              NOP
010A0006    90              NOP
010A0007    90              NOP
010A0008    C1D9 D7         RCR ECX,0D7                              ; Shift constant out of range 1..31
010A000B    36:90           NOP                                      ; Superfluous prefix
010A000D    90              NOP
010A000E    90              NOP
010A000F    8B4C24 10       MOV ECX,DWORD PTR SS:[ESP+10]
010A0013    59              POP ECX
010A0014    035424 18       ADD EDX,DWORD PTR SS:[ESP+18]

Once here, use CTRL+S to search for the sequence
POPFD
POP ESP
JMP [ESP-4]
which is found here:

010A00BA    59              POP ECX
010A00BB    9D              POPFD
010A00BC    5C              POP ESP
010A00BD  - FF6424 FC       JMP DWORD PTR SS:[ESP-4]                 ; 99mu.00431BDD

Once found, set a breakpoint at 010A00BD so we don't have to repeat the work above next time (of course this address is not necessarily the same each time the program is loaded). When execution reaches 010A00BD, the jump target we see is in the original program, so the code here is:
☆☆☆☆☆ CALL 431BDD

Return to the packer code and keep tracing the code out.

00F8089D    391D 781C4400   CMP DWORD PTR DS:[441C78],EBX            ; ☆☆☆☆☆ back here, continue
00F808A3    0F85 61000000   JNZ 00F8090A                             ; ☆☆☆☆☆ this jump can't be copied as-is; note it down first, it jumps down below
00F808A9    64:FF35 0000000>PUSH DWORD PTR FS:[0]
00F808B0    90              NOP
00F808B1    90              NOP
00F808B2    90              NOP
00F808B3    66:9C           PUSHFW
00F808B5    57              PUSH EDI
00F808B6    1BFB            SBB EDI,EBX
00F808B8    90              NOP
00F808B9    90              NOP
00F808BA    90              NOP
00F808BB    90              NOP
00F808BC    90              NOP
00F808BD    90              NOP
00F808BE    90              NOP
00F808BF    C1C7 8D         ROL EDI,8D                               ; Shift constant out of range 1..31
00F808C2    90              NOP
00F808C3    90              NOP
00F808C4    90              NOP
00F808C5    90              NOP
00F808C6    83E7 40         AND EDI,40
00F808C9    90              NOP
00F808CA    90              NOP
00F808CB    90              NOP
00F808CC    90              NOP
00F808CD    2BFD            SUB EDI,EBP
00F808CF    8D7C0C 36       LEA EDI,DWORD PTR SS:[ESP+ECX+36]
00F808D3    2BF9            SUB EDI,ECX
00F808D5    8D7C2F CA       LEA EDI,DWORD PTR DS:[EDI+EBP-36]
00F808D9    90              NOP
00F808DA    90              NOP
00F808DB    90              NOP
00F808DC    90              NOP
00F808DD    2BFD            SUB EDI,EBP
00F808DF    36:90           NOP                                      ; Superfluous prefix
00F808E1    90              NOP
00F808E2    90              NOP
00F808E3    8D7C27 06       LEA EDI,DWORD PTR DS:[EDI+6]
00F808E7    55              PUSH EBP
00F808E8    C1C5 97         ROL EBP,97                               ; Shift constant out of range 1..31
00F808EB    C1C5 B3         ROL EBP,0B3                              ; Shift constant out of range 1..31
00F808EE    8DAC26 DA1B4300 LEA EBP,DWORD PTR DS:[ESI+431BDA]
00F808F5    90              NOP
00F808F6    90              NOP
00F808F7    90              NOP
00F808F8    90              NOP
00F808F9    90              NOP
00F808FA    2BEE            SUB EBP,ESI
00F808FC    55              PUSH EBP
00F808FD    8F07            POP DWORD PTR DS:[EDI]                   ; ☆☆☆☆☆ PUSH 431BDA
00F808FF    5D              POP EBP
00F80900    5F              POP EDI
00F80901    66:9D           POPFW
00F80903    FF15 54644300   CALL DWORD PTR DS:[436454]               ; ☆☆☆☆☆
00F80909    59              POP ECX                                  ; ☆☆☆☆☆
00F8090A    68 7B04F800     PUSH 0F8047B                             ; when not equal, it jumps here
00F8090F    E8 ECF61000     CALL 01090000                            ; step in again here, this is another call
00F80914    68 B6134800     PUSH 4813B6

OK, the code above is tidied up like this:

CMP [441C78],EBX
JNZ @F
PUSH 431BDA
CALL [436454]
POP ECX
@@:
  CALL @C1

After entering the call above, you'll find you're back at that junk-code-filled place from the first time. Remember the breakpoint we set at 010A00BD? Right, just run and it breaks at the destination.

00F80599    68 72EC4400     PUSH 44EC72                              ; after the break, F8 brings us here
00F8059E    66:9C           PUSHFW
00F805A0    50              PUSH EAX
00F805A1    334424 08       XOR EAX,DWORD PTR SS:[ESP+8]
00F805A5    83E8 ED         SUB EAX,-13
00F805A8    90              NOP
00F805A9    90              NOP
00F805AA    90              NOP
00F805AB    90              NOP
00F805AC    8D8435 584E4300 LEA EAX,DWORD PTR SS:[EBP+ESI+434E58]
00F805B3    90              NOP
00F805B4    90              NOP
00F805B5    90              NOP
00F805B6    90              NOP
00F805B7    8D4424 52       LEA EAX,DWORD PTR SS:[ESP+52]
00F805BB    8D4428 AE       LEA EAX,DWORD PTR DS:[EAX+EBP-52]
00F805BF    90              NOP
00F805C0    90              NOP
00F805C1    90              NOP
00F805C2    90              NOP
00F805C3    90              NOP
00F805C4    2BC5            SUB EAX,EBP
00F805C6    8D40 06         LEA EAX,DWORD PTR DS:[EAX+6]
00F805C9    52              PUSH EDX
00F805CA    81DA 8CB4B73D   SBB EDX,3DB7B48C
00F805D0    8D97 00000300   LEA EDX,DWORD PTR DS:[EDI+30000]
00F805D6    2BD7            SUB EDX,EDI
00F805D8    90              NOP
00F805D9    90              NOP
00F805DA    90              NOP
00F805DB    52              PUSH EDX
00F805DC    90              NOP
00F805DD    90              NOP
00F805DE    90              NOP
00F805DF    90              NOP
00F805E0    8F00            POP DWORD PTR DS:[EAX]                   ; ☆☆☆☆☆ push 30000
00F805E2    5A              POP EDX
00F805E3    58              POP EAX
00F805E4    90              NOP
00F805E5    90              NOP
00F805E6    90              NOP
00F805E7    66:9D           POPFW
……
00F8070E    56              PUSH ESI
00F8070F    66:9C           PUSHFW
00F80711    51              PUSH ECX
00F80712    1BCD            SBB ECX,EBP
00F80714    90              NOP
00F80715    90              NOP
00F80716    90              NOP
00F80717    90              NOP
00F80718    2BCB            SUB ECX,EBX
00F8071A    8D4C24 29       LEA ECX,DWORD PTR SS:[ESP+29]
00F8071E    8D4C29 D7       LEA ECX,DWORD PTR DS:[ECX+EBP-29]
00F80722    90              NOP
00F80723    90              NOP
00F80724    90              NOP
00F80725    90              NOP
00F80726    90              NOP
00F80727    2BCD            SUB ECX,EBP
00F80729    90              NOP
00F8072A    90              NOP
00F8072B    90              NOP
00F8072C    90              NOP
00F8072D    90              NOP
00F8072E    90              NOP
00F8072F    8D4C11 06       LEA ECX,DWORD PTR DS:[ECX+EDX+6]
00F80733    2BCA            SUB ECX,EDX
00F80735    36:90           NOP                                      ; Superfluous prefix
00F80737    90              NOP
00F80738    90              NOP
00F80739    53              PUSH EBX
00F8073A    BB 96594000     MOV EBX,405996
00F8073F    BB 4EED4500     MOV EBX,45ED4E
00F80744    8D9C22 00000100 LEA EBX,DWORD PTR DS:[EDX+10000]
00F8074B    2BDA            SUB EBX,EDX
00F8074D    8919            MOV DWORD PTR DS:[ECX],EBX               ; ☆☆☆☆☆ push 10000
00F8074F    5B              POP EBX
00F80750    59              POP ECX
00F80751    90              NOP
00F80752    90              NOP
00F80753    90              NOP
00F80754    90              NOP
00F80755    90              NOP
00F80756    66:9D           POPFW
00F80758    68 7504F800     PUSH 0F80475                             ; here it comes again
00F8075D    E8 9EF81000     CALL 01090000

Run, break again at jmp [esp-4], then one F8 brings us here:

00431BDE  - FF25 B0644300   JMP DWORD PTR DS:[4364B0]                ; msvcrt._controlfp

Once at the original program code, F8 again enters the API; inside it, ALT+F9 returns to the packer once more:

00F80475    59              POP ECX                                  ; ☆☆☆☆☆
00F80476    E9 04040000     JMP 00F8087F
……
00F8087F    59              POP ECX                                  ; ☆☆☆☆☆
00F80880    C3              RETN                                     ; ☆☆☆☆☆
00F80881  ^ E9 90FFFFFF     JMP 00F80816

So the code of @C1 is:

  PUSH 30000
  PUSH 10000
  CALL 431BDE
  POP ECX
  POP ECX
  RETN

Keep tracing:

00F8047B    52              PUSH EDX                                 ; we return here,
00F8047C    66:9C           PUSHFW                                   ; keep tracing
00F8047E    55              PUSH EBP
00F8047F    81F5 4ACE18D1   XOR EBP,D118CE4A
00F80485    8BEC            MOV EBP,ESP
00F80487    8D6C1D 07       LEA EBP,DWORD PTR SS:[EBP+EBX+7]
00F8048B    50              PUSH EAX
00F8048C    51              PUSH ECX
00F8048D    83D8 1B         SBB EAX,1B
00F80490    034424 38       ADD EAX,DWORD PTR SS:[ESP+38]
00F80494    B8 01FC196F     MOV EAX,6F19FC01
00F80499    C1D9 9D         RCR ECX,9D                               ; Shift constant out of range 1..31
00F8049C    334C24 08       XOR ECX,DWORD PTR SS:[ESP+8]
00F804A0    334C24 08       XOR ECX,DWORD PTR SS:[ESP+8]
00F804A4    B9 1A884800     MOV ECX,48881A
00F804A9    8D48 41         LEA ECX,DWORD PTR DS:[EAX+41]
00F804AC    52              PUSH EDX
00F804AD    035424 18       ADD EDX,DWORD PTR SS:[ESP+18]
00F804B1    035424 38       ADD EDX,DWORD PTR SS:[ESP+38]
00F804B5    90              NOP
00F804B6    90              NOP
00F804B7    90              NOP
00F804B8    90              NOP
00F804B9    90              NOP
00F804BA    BA DA1522A8     MOV EDX,A82215DA
00F804BF    83F2 C3         XOR EDX,FFFFFFC3
00F804C2    F7D2            NOT EDX
00F804C4    83F2 5F         XOR EDX,5F
00F804C7    F7D2            NOT EDX
00F804C9    81F2 5BEADD57   XOR EDX,57DDEA5B
00F804CF    4A              DEC EDX
00F804D0    90              NOP
00F804D1    90              NOP
00F804D2    90              NOP
00F804D3    90              NOP
00F804D4    90              NOP
00F804D5    8D0C11          LEA ECX,DWORD PTR DS:[ECX+EDX]
00F804D8    90              NOP
00F804D9    90              NOP
00F804DA    90              NOP
00F804DB    90              NOP
00F804DC    C1DA 8F         RCR EDX,8F                               ; Shift constant out of range 1..31
00F804DF    90              NOP
00F804E0    90              NOP
00F804E1    90              NOP
00F804E2    83DA 51         SBB EDX,51
00F804E5    5A              POP EDX
00F804E6    83E9 5D         SUB ECX,5D
00F804E9    81C1 7BECB8F7   ADD ECX,F7B8EC7B
00F804EF    F7D9            NEG ECX
00F804F1    81E9 83172D98   SUB ECX,982D1783
00F804F7    49              DEC ECX
00F804F8    87C1            XCHG ECX,EAX
00F804FA    C1C0 48         ROL EAX,48                               ; Shift constant out of range 1..31
00F804FD    2BE8            SUB EBP,EAX
00F804FF    8D8F 9CAF4600   LEA ECX,DWORD PTR DS:[EDI+46AF9C]
00F80505    59              POP ECX
00F80506    334424 08       XOR EAX,DWORD PTR SS:[ESP+8]
00F8050A    B8 CA7C4100     MOV EAX,417CCA
00F8050F    58              POP EAX
00F80510    2BEB            SUB EBP,EBX
00F80512    90              NOP
00F80513    90              NOP
00F80514    90              NOP
00F80515    90              NOP
00F80516    90              NOP
00F80517    56              PUSH ESI
00F80518    1BF7            SBB ESI,EDI
00F8051A    8DB3 20F04300   LEA ESI,DWORD PTR DS:[EBX+43F020]
00F80520    2BF3            SUB ESI,EBX
00F80522    56              PUSH ESI
00F80523    8F45 00         POP DWORD PTR SS:[EBP]                   ; ☆☆☆☆☆ PUSH 43F020
00F80526    5E              POP ESI
00F80527    5D              POP EBP
00F80528    66:9D           POPFW
00F8052A    E9 E5030000     JMP 00F80914
00F80914    68 B6134800     PUSH 4813B6
00F80919    90              NOP
00F8091A    90              NOP
00F8091B    90              NOP
00F8091C    90              NOP
00F8091D    90              NOP
00F8091E    66:9C           PUSHFW
00F80920    57              PUSH EDI
00F80921    23FB            AND EDI,EBX
00F80923    64:90           NOP                                      ; Superfluous prefix
00F80925    90              NOP
00F80926    90              NOP
00F80927    90              NOP
00F80928    03F9            ADD EDI,ECX
00F8092A    2BF9            SUB EDI,ECX
00F8092C    8D7C2C 4F       LEA EDI,DWORD PTR SS:[ESP+EBP+4F]
00F80930    2BFD            SUB EDI,EBP
00F80932    8D7C0F B1       LEA EDI,DWORD PTR DS:[EDI+ECX-4F]
00F80936    2BF9            SUB EDI,ECX
00F80938    8D7C0F 06       LEA EDI,DWORD PTR DS:[EDI+ECX+6]
00F8093C    2BF9            SUB EDI,ECX
00F8093E    90              NOP
00F8093F    90              NOP
00F80940    90              NOP
00F80941    50              PUSH EAX
00F80942    90              NOP
00F80943    90              NOP
00F80944    90              NOP
00F80945    90              NOP
00F80946    90              NOP
00F80947    81F0 00395087   XOR EAX,87503900
00F8094D    8D85 1CF04300   LEA EAX,DWORD PTR SS:[EBP+43F01C]
00F80953    2BC5            SUB EAX,EBP
00F80955    36:90           NOP                                      ; Superfluous prefix
00F80957    90              NOP
00F80958    90              NOP
00F80959    8907            MOV DWORD PTR DS:[EDI],EAX               ; ☆☆☆☆☆ PUSH 43F01C
00F8095B    58              POP EAX
00F8095C    5F              POP EDI
00F8095D    66:9D           POPFW
00F8095F    68 4405F800     PUSH 0F80544
00F80964    E8 97F61000     CALL 01090000                            ; F9 again here to JMP [ESP-4]; after F8 we land here:
00431BC2  - FF25 58644300   JMP DWORD PTR DS:[436458]                ; msvcrt._initterm

So this instruction is: CALL 431BC2

……
00F80544    B8 EA064700     MOV EAX,4706EA                           ; back in the packer code again,
00F80549    90              NOP
00F8054A    90              NOP
00F8054B    90              NOP
00F8054C    90              NOP
00F8054D    034424 38       ADD EAX,DWORD PTR SS:[ESP+38]            ; junk code
00F80551    90              NOP
00F80552    90              NOP
00F80553    90              NOP
00F80554    90              NOP
00F80555    FF35 FC864500   PUSH DWORD PTR DS:[4586FC]
00F8055B    334424 28       XOR EAX,DWORD PTR SS:[ESP+28]
00F8055F    334424 08       XOR EAX,DWORD PTR SS:[ESP+8]
00F80563    58              POP EAX                                  ; ☆☆☆☆☆ MOV EAX,[4586FC]
00F80564    8945 94         MOV DWORD PTR SS:[EBP-6C],EAX            ; ☆☆☆☆☆
00F80567    8D45 94         LEA EAX,DWORD PTR SS:[EBP-6C]            ; ☆☆☆☆☆
00F8056A    50              PUSH EAX                                 ; ☆☆☆☆☆
00F8056B    FF35 F8864500   PUSH DWORD PTR DS:[4586F8]               ; ☆☆☆☆☆
00F80571    8D45 9C         LEA EAX,DWORD PTR SS:[EBP-64]            ; ☆☆☆☆☆
00F80574    50              PUSH EAX                                 ; ☆☆☆☆☆
00F80575    8D45 90         LEA EAX,DWORD PTR SS:[EBP-70]            ; ☆☆☆☆☆
00F80578    50              PUSH EAX                                 ; ☆☆☆☆☆
00F80579    8D45 A0         LEA EAX,DWORD PTR SS:[EBP-60]            ; ☆☆☆☆☆
00F8057C    50              PUSH EAX                                 ; ☆☆☆☆☆
00F8057D    FF15 60644300   CALL DWORD PTR DS:[436460]               ; ☆☆☆☆☆
00F80583    E9 49020000     JMP 00F807D1
……
00F807D1    68 DA08370C     PUSH 0C3708DA
00F807D6    66:9C           PUSHFW
00F807D8    55              PUSH EBP
00F807D9    2BE9            SUB EBP,ECX
00F807DB    90              NOP
00F807DC    90              NOP
00F807DD    90              NOP
00F807DE    90              NOP
00F807DF    90              NOP
00F807E0    81E5 18EBDD3E   AND EBP,3EDDEB18
00F807E6    8D6C24 38       LEA EBP,DWORD PTR SS:[ESP+38]
00F807EA    8D6D C8         LEA EBP,DWORD PTR SS:[EBP-38]
00F807ED    8D6D 06         LEA EBP,DWORD PTR SS:[EBP+6]
00F807F0    52              PUSH EDX
00F807F1    81DA 5463F448   SBB EDX,48F46354
00F807F7    36:90           NOP                                      ; Superfluous prefix
00F807F9    90              NOP
00F807FA    90              NOP
00F807FB    8D9427 18F04300 LEA EDX,DWORD PTR DS:[EDI+43F018]
00F80802    2BD7            SUB EDX,EDI
00F80804    90              NOP
00F80805    90              NOP
00F80806    90              NOP
00F80807    90              NOP
00F80808    90              NOP
00F80809    52              PUSH EDX
00F8080A    8F45 00         POP DWORD PTR SS:[EBP]                   ; ☆☆☆☆☆ PUSH 43F018
00F8080D    5A              POP EDX
00F8080E    5D              POP EBP
00F8080F    66:9D           POPFW
00F80811  ^ E9 4CFFFFFF     JMP 00F80762
00F80763    90              NOP
00F80764    90              NOP
00F80765    90              NOP
00F80766    FF7424 10       PUSH DWORD PTR SS:[ESP+10]
00F8076A    66:9C           PUSHFW
00F8076C    55              PUSH EBP
00F8076D    0BE9            OR EBP,ECX
00F8076F    90              NOP
00F80770    90              NOP
00F80771    90              NOP
00F80772    90              NOP
00F80773    8D6C11 F7       LEA EBP,DWORD PTR DS:[ECX+EDX-9]
00F80777    2BEA            SUB EBP,EDX
00F80779    8D6C24 7B       LEA EBP,DWORD PTR SS:[ESP+7B]
00F8077D    8D6C35 85       LEA EBP,DWORD PTR SS:[EBP+ESI-7B]
00F80781    90              NOP
00F80782    90              NOP
00F80783    90              NOP
00F80784    2BEE            SUB EBP,ESI
00F80786    8D6C1D 06       LEA EBP,DWORD PTR SS:[EBP+EBX+6]
00F8078A    90              NOP
00F8078B    90              NOP
00F8078C    90              NOP
00F8078D    90              NOP
00F8078E    90              NOP
00F8078F    2BEB            SUB EBP,EBX
00F80791    51              PUSH ECX
00F80792    83E9 EB         SUB ECX,-15
00F80795    034C24 38       ADD ECX,DWORD PTR SS:[ESP+38]
00F80799    8D8C22 00F04300 LEA ECX,DWORD PTR DS:[EDX+43F000]
00F807A0    2BCA            SUB ECX,EDX
00F807A2    90              NOP
00F807A3    90              NOP
00F807A4    90              NOP
00F807A5    90              NOP
00F807A6    51              PUSH ECX
00F807A7    64:90           NOP                                      ; Superfluous prefix
00F807A9    90              NOP
00F807AA    90              NOP
00F807AB    90              NOP
00F807AC    8F45 00         POP DWORD PTR SS:[EBP]                   ; ☆☆☆☆☆ PUSH 43F000
00F807AF    59              POP ECX
00F807B0    5D              POP EBP
00F807B1    66:9D           POPFW

F9 again to jmp [esp-4], then one F8, landing here:

00431BC2  - FF25 58644300   JMP DWORD PTR DS:[436458]                ; msvcrt._initterm

So this is: ☆☆☆☆☆ CALL 431BC2

Back in the packer:

00F80703    90              NOP
00F80704    90              NOP
00F80705    90              NOP
00F80706    83C4 24         ADD ESP,24                               ; ☆☆☆☆☆
00F80709    E9 49010000     JMP 00F80857
……
00F80857    0BC5            OR EAX,EBP
00F80859    90              NOP
00F8085A    90              NOP
00F8085B    90              NOP
00F8085C    81D8 D4487ABE   SBB EAX,BE7A48D4
00F80862    8D87 64644300   LEA EAX,DWORD PTR DS:[EDI+436464]
00F80868    2BC7            SUB EAX,EDI
00F8086A    90              NOP                                      ; watch out here, it is slightly different.
00F8086B    90              NOP
00F8086C    90              NOP
00F8086D    90              NOP
00F8086E    FF30            PUSH DWORD PTR DS:[EAX]                  ; note the value of EAX
00F80870    034424 18       ADD EAX,DWORD PTR SS:[ESP+18]            ; junk code
00F80874    B8 1EA84600     MOV EAX,46A81E
00F80879    58              POP EAX                                  ; ☆☆☆☆☆ restored, this is MOV EAX,[436464]
00F8087A  ^ E9 C4FFFFFF     JMP 00F80843
00F80843    90              NOP
00F80844    90              NOP
00F80845    90              NOP
00F80846    BE 0E3F4000     MOV ESI,403F0E                           ; junk code
00F8084B    BE 46A74100     MOV ESI,41A746
00F80850    8B30            MOV ESI,DWORD PTR DS:[EAX]               ; ☆☆☆☆☆
00F80852    E9 34010000     JMP 00F8098B
00F8098B    8975 8C         MOV DWORD PTR SS:[EBP-74],ESI            ; ☆☆☆☆☆
00F8098E    E8 6DF61000     CALL 01090000
00F80836    46              INC ESI                                  ; ☆☆☆☆☆
00F80837    8975 8C         MOV DWORD PTR SS:[EBP-74],ESI            ; ☆☆☆☆☆
00F8083A    8A06            MOV AL,BYTE PTR DS:[ESI]                 ; ☆☆☆☆☆
00F8083C    3AC3            CMP AL,BL                                ; ☆☆☆☆☆
00F8083E    E8 BDF71000     CALL 01090000

From here on, every call 01090000 you see is passed with the same F9 → F8 method.

00F807C4 >  3C 22           CMP AL,22                                ; ☆☆☆☆☆
00F807C6    0F85 6A000000   JNZ 00F80836

With a little care here you can work out the approximate code:

@@:
  INC ESI
  MOV DWORD PTR SS:[EBP-74],ESI
  MOV AL,BYTE PTR DS:[ESI]
  CMP AL,BL
  JE @F
  CMP AL,22
  JNZ @B
@@:

The code at this point can't be made out yet; I'm not sure whether the packer has processed it.

@@:

Since this loops several times, I set a conditional breakpoint: Break if AL==22.

00F807C4    3C 22           CMP AL,22                                ; ☆☆☆☆☆
……
00F80999    46              INC ESI                                  ; ☆☆☆☆☆
00F8099A    8975 8C         MOV DWORD PTR SS:[EBP-74],ESI            ; ☆☆☆☆☆
00F8099D    8A06            MOV AL,BYTE PTR DS:[ESI]                 ; ☆☆☆☆☆
00F8099F    3AC3            CMP AL,BL                                ; ☆☆☆☆☆
00F809A1  ^ 0F84 47FCFFFF   JE 00F805EE                              ; ☆☆☆☆☆ this jump's target can't be copied as-is; note it first
00F809A7    3C 20           CMP AL,20                                ; ☆☆☆☆☆
00F809A9    E8 52F61000     CALL 01090000
……
00F805EE    895D D0         MOV DWORD PTR SS:[EBP-30],EBX            ; ☆☆☆☆☆
00F805F1    8D45 A4         LEA EAX,DWORD PTR SS:[EBP-5C]            ; ☆☆☆☆☆
00F805F4    50              PUSH EAX                                 ; ☆☆☆☆☆
00F805F5    FF15 68604300   CALL DWORD PTR DS:[436068]               ; ☆☆☆☆☆
00F805FB    F645 D0 01      TEST BYTE PTR SS:[EBP-30],1              ; ☆☆☆☆☆
00F805FF    0F84 8D020000   JE 00F80892                              ; ☆☆☆☆☆
00F80605    0FB745 D4       MOVZX EAX,WORD PTR SS:[EBP-2C]           ; ☆☆☆☆☆
00F80609    E9 87020000     JMP 00F80895
……
00F80892    6A 0A           PUSH 0A                                  ; ☆☆☆☆☆
00F80894    58              POP EAX                                  ; ☆☆☆☆☆
00F80895    50              PUSH EAX                                 ; ☆☆☆☆☆
00F80896    56              PUSH ESI                                 ; ☆☆☆☆☆
00F80897    53              PUSH EBX                                 ; ☆☆☆☆☆
00F80898  ^ E9 E9FFFFFF     JMP 00F80886
00F80886    53              PUSH EBX                                 ; ☆☆☆☆☆
00F80887    FF15 6C604300   CALL DWORD PTR DS:[43606C]               ; ☆☆☆☆☆ GetModuleHandleA
00F8088D  ^ E9 D8FBFFFF     JMP 00F8046A

Once here, let's tidy up:

@@:
  INC ESI
  MOV DWORD PTR SS:[EBP-74],ESI
  MOV AL,BYTE PTR DS:[ESI]
  CMP AL,BL
  JE @F
  CMP AL,20
  JNE @B
@@:
  MOV DWORD PTR SS:[EBP-30],EBX
  LEA EAX,DWORD PTR SS:[EBP-5C]
  PUSH EAX
  CALL DWORD PTR DS:[436068]
  TEST BYTE PTR SS:[EBP-30],1
  JE
  MOVZX EAX,WORD PTR SS:[EBP-2C]
  JMP p1
  PUSH 0A
  POP EAX
p1:
  PUSH EAX
  PUSH ESI
  PUSH EBX
  PUSH EBX
  CALL [43606C]                             ;GetModuleHandleA

00F8046A    50
        PUSH EAX                                 ; ☆☆☆☆☆00F8046B    68 6204F800     PUSH 0F80462                                                          ;这里又是 CALL ……00F80470    E8 8BFB1000     CALL 01090000                                                ;继续到JMP [esp-4]处00F80816    FF7424 10       PUSH DWORD PTR SS:[ESP+10]               ; ☆☆☆☆☆00F8081A    E9 4A010000     JMP 00F8096900F80969    FF7424 10       PUSH DWORD PTR SS:[ESP+10]               ; ☆☆☆☆☆00F8096D  ^ E9 E3FAFFFF     JMP 00F8045500F80455    FF7424 10       PUSH DWORD PTR SS:[ESP+10]               ; ☆☆☆☆☆00F80459    FF7424 10       PUSH DWORD PTR SS:[ESP+10]               ; ☆☆☆☆☆00F8045D    E9 B1010000     JMP 00F8061300F80613    68 0007F800     PUSH 0F80700                             ; 又call地址00F80618    E8 E3F91000     CALL 01090000F9->f8后到这里:00431C6C  - FF25 48644300   JMP DWORD PTR DS:[436448]                ; mfc42.#1576_?AfxWinMain@@YGHPAUHINSTANCE__@@0PADH@Z所以这里就是 CALL 431C6C在这里看一下ESP的值,然后在[ESP]处下断,因为这里再按一下程序就运行了,不要再按ALT+F9之类的,那样容易程序没响应。00F80700    C2 1000         RETN 10                                  ; ☆☆☆☆☆00F80703    90              NOP00F80704    90              NOP总结@C2就是:@C2:  PUSH [ESP+10]  PUSH [ESP+10]  PUSH [ESP+10]  PUSH [ESP+10]  CALL 431C6C  RETN 10返回后,继续找回代码,到这里把被抽的代码找的差不多了:00F80462    8945 98         MOV DWORD PTR SS:[EBP-68],EAX            ; ☆☆☆☆☆00F80465    E9 B3010000     JMP 00F8061D00F8061D    50              PUSH EAX                                 ; ☆☆☆☆☆00F8061E    FF15 B8644300   CALL DWORD PTR DS:[4364B8]               ; ☆☆☆☆☆,这里过了程序就退出去了00F80624    E9 F6010000     JMP 00F8081F到了exit处程序就结束了,所在这里先不要按F8,我们直接看代码(当然你也可以完全在这里就不找了,因为后面的代码好像不会执行到):00F8081F    8B45 EC         MOV EAX,DWORD PTR SS:[EBP-14]            ; ☆☆☆☆☆00F80822    81D1 6C64A1C4   ADC ECX,C4A1646C00F80828    FF30            PUSH DWORD PTR DS:[EAX]00F8082A    83C9 59         OR ECX,5900F8082D    83E9 55         SUB ECX,5500F80830    59              POP ECX                                  ; ☆☆☆☆☆ MOV 
ECX,[EAX]00F80972    FF31            PUSH DWORD PTR DS:[ECX]00F80974    B9 C66E4900     MOV ECX,496EC600F80979    90              NOP00F8097A    90              NOP00F8097B    90              NOP00F8097C    90              NOP00F8097D    B9 8AE34800     MOV ECX,48E38A00F80982    59              POP ECX                                  ; ☆☆☆☆☆MOV ECX,[ECX]00F80983    894D 88         MOV DWORD PTR SS:[EBP-78],ECX            ; ☆☆☆☆☆00F80986  ^ E9 32FEFFFF     JMP 00F807BD00F807BD    50              PUSH EAX                                 ; ☆☆☆☆☆00F807BE    51              PUSH ECX                                 ; ☆☆☆☆☆00F807BF  ^ E9 82FCFFFF     JMP 00F80446到这里跟不进去了.后面几句代码是根据别的程序而抄来的.现在已经找回代码了,那代码放什么地方呢,另外找一个空地方?,不用的,在前面开始处,我们不是记下了那个地址吗?对了,在code段里找: JMP 00F802FF,找到这里:00431A46  - E9 B4E8B400     JMP 00F802FF为什么这找这里,我上一篇关于aspr的文章里已经说过了,我也不再多说.也就是说原程序的OEP就是431A46.全部整理一下出来这么个“样子”:PUSH EBPMOV EBP,ESPPUSH -1push 43a768PUSH 431BAAMOV EAX,FS:[0]PUSH EAXMOV FS:[0],ESPSUB ESP,68PUSH EBXPUSH ESIPUSH EDIMOV DWORD PTR SS:[EBP-18],ESPXOR EBX,EBXMOV DWORD PTR SS:[EBP-4],EBXPUSH 2CALL DWORD PTR DS:[436494]               ; msvcrt.__set_app_typePOP ECXOR DWORD PTR DS:[458710],FFFFFFFFOR DWORD PTR DS:[458714],FFFFFFFFCALL DWORD PTR DS:[4364BC]              MOV ECX,[458704]MOV [EAX],ECXCALL [43645C]MOV ECX,[458700]MOV [EAX],ECXMOV EAX,[436450]MOV EAX,[EAX]MOV [45870C],EAXCALL 431BDDCMP [441C78],EBXJNZ @FPUSH 431BDACALL [436454]POP ECX@@:  CALL @C1PUSH 43F020PUSH 43F01CCALL 431BC2MOV EAX,[4586FC]MOV DWORD PTR SS:[EBP-6C],EAXLEA EAX,DWORD PTR SS:[EBP-6C]PUSH EAXPUSH DWORD PTR DS:[4586F8]LEA EAX,DWORD PTR SS:[EBP-64]PUSH EAXLEA EAX,DWORD PTR SS:[EBP-70]PUSH EAXLEA EAX,DWORD PTR SS:[EBP-60]PUSH EAXCALL DWORD PTR DS:[436460]               ; msvcrt.__getmainargsPUSH 43F018PUSH 43F000CALL 431BC2ADD ESP,24MOV EAX,[436464]MOV ESI,[EAX]MOV DWORD PTR SS:[EBP-74],ESI @@:  INC ESIMOV DWORD PTR SS:[EBP-74],ESIMOV AL,BYTE PTR DS:[ESI]CMP AL,BLJE @FCMP AL,22JNZ  @B@@:  @@:INC ESIMOV DWORD PTR 
SS:[EBP-74],ESIMOV AL,BYTE PTR DS:[ESI]CMP AL,BLJE @FCMP AL,20JNE @B @@:  MOV DWORD PTR SS:[EBP-30],EBXLEA EAX,DWORD PTR SS:[EBP-5C]PUSH EAXCALL DWORD PTR DS:[436068]TEST BYTE PTR SS:[EBP-30],1JE MOVZX EAX,WORD PTR SS:[EBP-2C]JMP p1  PUSH 0APOP EAXp1:  PUSH EAXPUSH ESIPUSH EBXPUSH EBXCALL [43606C]                             ;GetModuleHandleAPUSH EAXCALL @C2MOV [EBP-68],EAXPUSH EAXCALL DWORD PTR DS:[4364B8]               ; msvcrt.exitMOV EAX,[EBP-14]MOV ECX,[EAX]MOV ECX,[ECX]MOV DWORD PTR SS:[EBP-78],ECXPUSH EAXPUSH ECXCALL 431BBCPOP ECXPOP ECXRETN那几个不明的地方对照别的程序就可以轻松搞定.最后可用结果:00431A46  /.  55            PUSH EBP00431A47  |.  8BEC          MOV EBP,ESP00431A49  |.  6A FF         PUSH -100431A4B  |.  68 68A74300   PUSH 0043A76800431A50  |.  68 AA1B4300   PUSH 00431BAA                            ;  JMP to msvcrt._except_handler3; SE handler installation00431A55  |.  64:A1 0000000>MOV EAX,DWORD PTR FS:[0]00431A5B  |.  50            PUSH EAX00431A5C  |.  64:8925 00000>MOV DWORD PTR FS:[0],ESP00431A63  |.  83EC 68       SUB ESP,6800431A66  |.  53            PUSH EBX00431A67  |.  56            PUSH ESI00431A68  |.  57            PUSH EDI00431A69  |.  8965 E8       MOV DWORD PTR SS:[EBP-18],ESP00431A6C  |.  33DB          XOR EBX,EBX00431A6E  |.  895D FC       MOV DWORD PTR SS:[EBP-4],EBX00431A71  |.  6A 02         PUSH 200431A73  |.  FF15 94644300 CALL DWORD PTR DS:[436494]               ;  msvcrt.__set_app_type00431A79  |.  59            POP ECX00431A7A  |.  830D 10874500>OR DWORD PTR DS:[458710],FFFFFFFF00431A81  |.  830D 14874500>OR DWORD PTR DS:[458714],FFFFFFFF00431A88  |.  FF15 BC644300 CALL DWORD PTR DS:[4364BC]               ;  msvcrt.__p__fmode00431A8E  |.  8B0D 04874500 MOV ECX,DWORD PTR DS:[458704]00431A94  |.  8908          MOV DWORD PTR DS:[EAX],ECX00431A96  |.  FF15 5C644300 CALL DWORD PTR DS:[43645C]               ;  msvcrt.__p__commode00431A9C  |.  8B0D 00874500 MOV ECX,DWORD PTR DS:[458700]00431AA2  |.  8908          MOV DWORD PTR DS:[EAX],ECX00431AA4  |.  
A1 50644300   MOV EAX,DWORD PTR DS:[436450]00431AA9  |.  8B00          MOV EAX,DWORD PTR DS:[EAX]00431AAB  |.  A3 0C874500   MOV DWORD PTR DS:[45870C],EAX00431AB0  |.  E8 28010000   CALL 00431BDD00431AB5  |.  391D 781C4400 CMP DWORD PTR DS:[441C78],EBX00431ABB  |.  75 0C         JNZ SHORT 00431AC900431ABD  |.  68 DA1B4300   PUSH 00431BDA00431AC2  |.  FF15 54644300 CALL DWORD PTR DS:[436454]               ;  msvcrt.__setusermatherr00431AC8  |.  59            POP ECX00431AC9  |>  E8 9E380000   CALL 0043536C00431ACE  |.  68 20F04300   PUSH 0043F02000431AD3  |.  68 1CF04300   PUSH 0043F01C00431AD8  |.  E8 E5000000   CALL 00431BC2                            ;  JMP to msvcrt._initterm00431ADD  |.  A1 FC864500   MOV EAX,DWORD PTR DS:[4586FC]00431AE2  |.  8945 94       MOV DWORD PTR SS:[EBP-6C],EAX00431AE5  |.  8D45 94       LEA EAX,DWORD PTR SS:[EBP-6C]00431AE8  |.  50            PUSH EAX00431AE9  |.  FF35 F8864500 PUSH DWORD PTR DS:[4586F8]00431AEF  |.  8D45 9C       LEA EAX,DWORD PTR SS:[EBP-64]00431AF2  |.  50            PUSH EAX00431AF3  |.  8D45 90       LEA EAX,DWORD PTR SS:[EBP-70]00431AF6  |.  50            PUSH EAX00431AF7  |.  8D45 A0       LEA EAX,DWORD PTR SS:[EBP-60]00431AFA  |.  50            PUSH EAX00431AFB  |.  FF15 60644300 CALL DWORD PTR DS:[436460]               ;  msvcrt.__getmainargs00431B01  |.  68 18F04300   PUSH 0043F01800431B06  |.  68 00F04300   PUSH 0043F00000431B0B  |.  E8 B2000000   CALL 00431BC2                            ;  JMP to msvcrt._initterm00431B10  |.  83C4 24       ADD ESP,2400431B13  |.  A1 64644300   MOV EAX,DWORD PTR DS:[436464]00431B18  |.  8B30          MOV ESI,DWORD PTR DS:[EAX]00431B1A  |.  8975 8C       MOV DWORD PTR SS:[EBP-74],ESI00431B1D  |.  803E 22       CMP BYTE PTR DS:[ESI],2200431B20  |.  75 3A         JNZ SHORT 00431B5C00431B22  |>  46            /INC ESI00431B23  |.  8975 8C       |MOV DWORD PTR SS:[EBP-74],ESI00431B26  |.  8A06          |MOV AL,BYTE PTR DS:[ESI]00431B28  |.  3AC3          |CMP AL,BL00431B2A  |.  
74 04         |JE SHORT 00431B3000431B2C  |.  3C 22         |CMP AL,2200431B2E  |.^ 75 F2         \JNZ SHORT 00431B2200431B30  |>  803E 22       CMP BYTE PTR DS:[ESI],2200431B33  |.  75 04         JNZ SHORT 00431B3900431B35  |>  46            INC ESI00431B36  |.  8975 8C       MOV DWORD PTR SS:[EBP-74],ESI00431B39  |>  8A06          MOV AL,BYTE PTR DS:[ESI]00431B3B  |.  3AC3          CMP AL,BL00431B3D  |.  74 04         JE SHORT 00431B4300431B3F  |.  3C 20         CMP AL,2000431B41  |.^ 76 F2         JBE SHORT 00431B3500431B43  |>  895D D0       MOV DWORD PTR SS:[EBP-30],EBX00431B46  |.  8D45 A4       LEA EAX,DWORD PTR SS:[EBP-5C]00431B49  |.  50            PUSH EAX                                 ; /pStartupinfo00431B4A  |.  FF15 68604300 CALL DWORD PTR DS:[436068]               ; \GetStartupInfoA00431B50  |.  F645 D0 01    TEST BYTE PTR SS:[EBP-30],100431B54  |.  74 11         JE SHORT 00431B6700431B56  |.  0FB745 D4     MOVZX EAX,WORD PTR SS:[EBP-2C]00431B5A  |.  EB 0E         JMP SHORT 00431B6A00431B5C  |>  803E 20       /CMP BYTE PTR DS:[ESI],2000431B5F  |.^ 76 D8         |JBE SHORT 00431B3900431B61  |.  46            |INC ESI00431B62  |.  8975 8C       |MOV DWORD PTR SS:[EBP-74],ESI00431B65  |.^ EB F5         \JMP SHORT 00431B5C00431B67  |>  6A 0A         PUSH 0A00431B69  |.  58            POP EAX00431B6A  |>  50            PUSH EAX00431B6B  |.  56            PUSH ESI00431B6C  |.  53            PUSH EBX00431B6D  |.  53            PUSH EBX                                 ; /pModule00431B6E  |.  FF15 6C604300 CALL DWORD PTR DS:[43606C]               ; \GetModuleHandleA00431B74  |.  50            PUSH EAX00431B75  |.  E8 07380000   CALL 0043538100431B7A  |.  8945 98       MOV DWORD PTR SS:[EBP-68],EAX00431B7D  |.  50            PUSH EAX                                 ; /status00431B7E  |.  FF15 B8644300 CALL DWORD PTR DS:[4364B8]               ; \exit00431B84  |.  8B45 EC       MOV EAX,DWORD PTR SS:[EBP-14]00431B87  |.  
8B08          MOV ECX,DWORD PTR DS:[EAX]00431B89  |.  8B09          MOV ECX,DWORD PTR DS:[ECX]00431B8B  |.  894D 88       MOV DWORD PTR SS:[EBP-78],ECX00431B8E  |.  50            PUSH EAX00431B8F  |.  51            PUSH ECX00431B90  |.  E8 27000000   CALL 00431BBC                            ;  JMP to msvcrt._XcptFilter00431B95  |.  59            POP ECX00431B96  |.  59            POP ECX00431B97  \.  C3            RETN那两个CALL也可以在程序的相关位置找到,我就偷一下懒,在空地上补上去:0043536C   ?  68 00000300   PUSH 3000000435371   ?  68 00000100   PUSH 10000                               ;  UNICODE "ALLUSERSPROFILE=D:\Documents and Settings\All Users"00435376   .  E8 63C8FFFF   CALL <JMP.&msvcrt._controlfp>            ; \_controlfp0043537B   .  59            POP ECX0043537C   .  59            POP ECX0043537D   .  C3            RETN0043537E      00            DB 000043537F      00            DB 0000435380      00            DB 0000435381  /$  FF7424 10     PUSH DWORD PTR SS:[ESP+10]00435385  |.  FF7424 10     PUSH DWORD PTR SS:[ESP+10]00435389  |.  FF7424 10     PUSH DWORD PTR SS:[ESP+10]0043538D  |.  FF7424 10     PUSH DWORD PTR SS:[ESP+10]00435391  |.  E8 D6C8FFFF   CALL <JMP.&mfc42.#1576_?AfxWinMain@@YGHP>00435396  \.  C2 1000       RETN 10刚好抽了一个段的代码,修复完代码就dump+fixdump一下.这次旅程也就算结束了.谢谢你能坚持到底:-)Greetz: Fly.Jingulong,yock,tDasm.David.ahao.UFO(brother).alan(sister).all of my friends and you! By loveboom[DFCG][FCG][US]Email:[email protected] 
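The reduction done by hand above (drop the NOPs, ignore junk writes that are overwritten before they are read, fold LEA/SUB and PUSH/POP idioms back into the MOV they stand for) can be automated for the simple cases. The following Python script is an added example, not code from the original article, from OllyDbg or from ASProtect: it parses OllyDbg listing lines, applies those three peephole rules to a fixpoint, and prints the recovered instructions. The embedded sample is constructed from the 00F80857 to 00F80850 trace quoted above; the function names (parse_listing, simplify, recover) are my own. Like the manual reconstruction, it assumes that flags and ESP are not live across the junk, and it stops at any jump, call or other instruction it does not model rather than guess.

```python
"""Peephole cleanup of an OllyDbg trace of junk-padded (ASProtect-style) code.

Added example, not from the original article.  Assumption shared with the
manual reconstruction: flags and ESP are not live across the junk sequences.
"""
import re

# OllyDbg line: address, optional flag glyphs (^ - > / | \ . $), opcode bytes,
# instruction, optional ';' comment.  Lines that do not match are skipped.
LINE_RE = re.compile(
    r"^(?P<addr>[0-9A-F]{8})\s+(?:[\\^>/|.$-]+\s+)?"
    r"(?P<bytes>[0-9A-F][0-9A-F: ]*?)\s{2,}(?P<insn>[^;]+?)\s*(?:;.*)?$"
)
REGS = {"EAX", "EBX", "ECX", "EDX", "ESI", "EDI", "EBP", "ESP"}
ALIAS = {"AL": "EAX", "AX": "EAX", "BL": "EBX", "CL": "ECX", "DL": "EDX"}  # reads only
RMW = {"ADD", "SUB", "OR", "AND", "XOR", "ADC", "SBB", "INC", "DEC"}
PURE = RMW | {"MOV", "LEA", "MOVZX"}   # only effect is the destination (and flags)
KNOWN = PURE | {"PUSH", "POP"}         # anything else is treated as a barrier

LEA_RE = re.compile(r"^LEA (\w+),DWORD PTR [DS]S:\[(\w+)\+([0-9A-F]+)\]$")
MOVIMM_RE = re.compile(r"^MOV (\w+),([0-9A-F]+)$")


def parse_listing(text):
    """Return the instruction column of every parseable line, NOPs dropped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m["insn"] != "NOP":
            out.append(" ".join(m["insn"].split()))
    return out


def split(insn):
    mnem, _, rest = insn.partition(" ")
    return mnem, [o.strip() for o in rest.split(",")] if rest else []


def regs_in(text):
    return {ALIAS.get(t, t) for t in re.findall(r"[A-Z]+", text) if ALIAS.get(t, t) in REGS}


def reads(insn):
    """Registers an instruction reads (register dest of MOV/LEA/POP excluded)."""
    mnem, ops = split(insn)
    src = ops
    if mnem in ("MOV", "LEA", "MOVZX") and "[" not in ops[0]:
        src = ops[1:]
    elif mnem == "POP":
        src = [o for o in ops if "[" in o]
    return set().union(*(regs_in(o) for o in src)) if src else set()


def writes(insn):
    """Full 32-bit register an instruction overwrites (partial writes ignored)."""
    mnem, ops = split(insn)
    return {ops[0]} if mnem in KNOWN - {"PUSH"} and ops and ops[0] in REGS else set()


def is_dead(code, i):
    """True if the register code[i] writes is overwritten before being read."""
    if split(code[i])[0] not in PURE or len(writes(code[i])) != 1:
        return False
    (r,) = writes(code[i])
    for later in code[i + 1:]:
        if split(later)[0] not in KNOWN or r in reads(later):
            return False           # barrier, or the value is actually used
        if r in writes(later):
            return True
    return False


def fold_pair(a, b):
    """Single instruction equivalent to 'a; b', or None if no idiom matches."""
    m = LEA_RE.match(a)
    if m and b == f"SUB {m[1]},{m[2]}":              # LEA R,[S+imm]; SUB R,S
        return f"MOV {m[1]},{m[3]}"
    if a.startswith("PUSH ") and b.startswith("POP "):
        src, dst = a[5:], b[4:]
        if "[" not in src or "[" not in dst:          # PUSH X; POP Y -> MOV Y,X
            return f"MOV {dst},{src}"
    m = MOVIMM_RE.match(a)
    if m and b == f"MOV {m[1]},DWORD PTR DS:[{m[1]}]":  # MOV R,imm; MOV R,[R]
        return f"MOV {m[1]},DWORD PTR DS:[{m[2]}]"
    return None


def simplify(code):
    """Remove dead writes and fold idioms until nothing changes."""
    code = list(code)
    while True:
        for i in reversed(range(len(code))):
            if is_dead(code, i):
                del code[i]
                break
        else:
            for i in range(len(code) - 1):
                folded = fold_pair(code[i], code[i + 1])
                if folded:
                    code[i:i + 2] = [folded]
                    break
            else:
                return code


# Constructed sample: the packer trace from 00F80857 to 00F80850 quoted in the article.
SAMPLE = """\
00F80857    0BC5            OR EAX,EBP
00F80859    90              NOP
00F8085C    81D8 D4487ABE   SBB EAX,BE7A48D4
00F80862    8D87 64644300   LEA EAX,DWORD PTR DS:[EDI+436464]
00F80868    2BC7            SUB EAX,EDI
00F8086A    90              NOP                                      ; slightly different here
00F8086E    FF30            PUSH DWORD PTR DS:[EAX]                  ; note the value of EAX
00F80870    034424 18       ADD EAX,DWORD PTR SS:[ESP+18]            ; junk code
00F80874    B8 1EA84600     MOV EAX,46A81E
00F80879    58              POP EAX
00F8087A  ^ E9 C4FFFFFF     JMP 00F80843
00F80846    BE 0E3F4000     MOV ESI,403F0E                           ; junk code
00F8084B    BE 46A74100     MOV ESI,41A746
00F80850    8B30            MOV ESI,DWORD PTR DS:[EAX]
"""


def recover(text=SAMPLE):
    return simplify(parse_listing(text))


if __name__ == "__main__":
    for insn in recover():
        print(insn)
```

Run on the sample it prints MOV EAX,DWORD PTR DS:[436464], the JMP, and MOV ESI,DWORD PTR DS:[EAX], which is exactly what the starred lines above say. The dead-write rule is deliberately conservative: it gives up at the first instruction it does not model, so the packer's CALL 01090000 hops and the CMP/Jcc loops are left for the analyst, as in the article.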

Original URL: http://com.8s8s.com/it/it22395.htm