Below is the beginning of the program as opened in OD:
00D87001 > 60 PUSHAD
00D87002 E8 03000000 CALL RealLink.00D8700A
00D87007 -E9 EB045D45 JMP 463574F7
00D8700C 55 PUSH EBP
00D8700D C3 RETN
00D8700E E8 01000000 CALL RealLink.00D87014
00D87013 EB 5D JMP SHORT RealLink.00D87072
00D87015 BB EDFFFFFF MOV EBX,-13
00D8701A 03DD ADD EBX,EBP
00D8701C 81EB 00709800 SUB EBX,RealLink.00987000
00D87022 83BD 22040000 00 CMP DWORD PTR SS:[EBP+422],0
00D87029 899D 22040000 MOV DWORD PTR SS:[EBP+422],EBX
00D8702F 0F85 65030000 JNZ RealLink.00D8739A
00D87035 8D85 2E040000 LEA EAX,DWORD PTR SS:[EBP+42E]
00D8703B 50 PUSH EAX
00D8703C FF95 4D0F0000 CALL DWORD PTR SS:[EBP+F4D]
00D87042 8985 26040000 MOV DWORD PTR SS:[EBP+426],EAX
00D87048 8BF8 MOV EDI,EAX
00D8704A 8D5D 5E LEA EBX,DWORD PTR SS:[EBP+5E]
00D8704D 53 PUSH EBX
00D8704E 50 PUSH EAX
00D8704F FF95 490F0000 CALL DWORD PTR SS:[EBP+F49]
00D87055 8985 4D050000 MOV DWORD PTR SS:[EBP+54D],EAX
00D8705B 8D5D 6B LEA EBX,DWORD PTR SS:[EBP+6B]
00D8705E 53 PUSH EBX
00D8705F 57 PUSH EDI
00D87060 FF95 490F0000 CALL DWORD PTR SS:[EBP+F49]
00D87066 8985 51050000 MOV DWORD PTR SS:[EBP+551],EAX
00D8706C 8D45 77 LEA EAX,DWORD PTR SS:[EBP+77]
00D8706F FFE0 JMP EAX
00D87071 56 PUSH ESI
00D87072 6972 74 75616C41 IMUL ESI,DWORD PTR DS:[EDX+74],416C6175
00D87079 6C INS BYTE PTR ES:[EDI],DX ; I/O command
00D8707A 6C INS BYTE PTR ES:[EDI],DX ; I/O command
00D8707B 6F OUTS DX,DWORD PTR ES:[EDI] ; I/O command
00D8707C 6300 ARPL DWORD PTR DS:[EAX],EAX
00D8707E 56 PUSH ESI
00D8707F 6972 74 75616C46 IMUL ESI,DWORD PTR DS:[EDX+74],466C6175
00D87086 72 65 JB SHORT RealLink.00D870ED
00D87088 65:008B 9D310500 ADD BYTE PTR GS:[EBX+5319D],CL
00D8708F 000B ADD BYTE PTR DS:[EBX],CL
00D87091 DB ??? ; Unknown command
00D87092 74 0A JE SHORT RealLink.00D8709E
00D87094 8B03 MOV EAX,DWORD PTR DS:[EBX]
00D87096 8785 35050000 XCHG DWORD PTR SS:[EBP+535],EAX
00D8709C 8903 MOV DWORD PTR DS:[EBX],EAX
00D8709E 8DB5 69050000 LEA ESI,DWORD PTR SS:[EBP+569]
00D870A4 833E 00 CMP DWORD PTR DS:[ESI],0
00D870A7 0F84 21010000 JE RealLink.00D871CE
00D870AD 6A 04 PUSH 4
00D870AF 68 00100000 PUSH 1000
00D870B4 68 00180000 PUSH 1800
00D870B9 6A 00 PUSH 0
00D870BB FF95 4D050000 CALL DWORD PTR SS:[EBP+54D]
00D870C1 8985 56010000 MOV DWORD PTR SS:[EBP+156],EAX
00D870C7 8B46 04 MOV EAX,DWORD PTR DS:[ESI+4]
00D870CA 05 0E010000 ADD EAX,10E
00D870CF 6A 04 PUSH 4
00D870D1 68 00100000 PUSH 1000
00D870D6 50 PUSH EAX
00D870D7 6A 00 PUSH 0
00D870D9 FF95 4D050000 CALL DWORD PTR SS:[EBP+54D]
00D870DF 8985 52010000 MOV DWORD PTR SS:[EBP+152],EAX
00D870E5 56 PUSH ESI
00D870E6 8B1E MOV EBX,DWORD PTR DS:[ESI]
00D870E8 039D 22040000 ADD EBX,DWORD PTR SS:[EBP+422]
00D870EE FFB5 56010000 PUSH DWORD PTR SS:[EBP+156]
00D870F4 FF76 04 PUSH DWORD PTR DS:[ESI+4]
00D870F7 50 PUSH EAX
00D870F8 53 PUSH EBX
00D870F9 E8 6E050000 CALL RealLink.00D8766C
00D870FE B3 00 MOV BL,0
00D87100 80FB 00 CMP BL,0
00D87103 75 5E JNZ SHORT RealLink.00D87163
00D87105 FE85 EC000000 INC BYTE PTR SS:[EBP+EC]
00D8710B 8B3E MOV EDI,DWORD PTR DS:[ESI]
00D8710D 03BD 22040000 ADD EDI,DWORD PTR SS:[EBP+422]
00D87113 FF37 PUSH DWORD PTR DS:[EDI]
00D87115 C607 C3 MOV BYTE PTR DS:[EDI],0C3
00D87118 FFD7 CALL EDI
00D8711A 8F07 POP DWORD PTR DS:[EDI]
00D8711C 50 PUSH EAX
00D8711D 51 PUSH ECX
00D8711E 56 PUSH ESI
00D8711F 53 PUSH EBX
00D87120 8BC8 MOV ECX,EAX
00D87122 83E9 06 SUB ECX,6
The CALL RealLink.00D8700A in there should be followed into, but that address does not appear anywhere further down. So it is probably junk instructions, right?
Is this program packed with more than just ASPack 2.12 -> Alexey Solodovnikov? Is there something else as well?
PEiD reports it as the ASPack 2.12 -> Alexey Solodovnikov packer.
I tried unpacking it manually, but what I see when unpacking by hand seems to differ from the unpacking procedure other people describe.
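Added example (not code from the original post): a small Python script that takes the bytes from the OD (OllyDbg) listing above and follows the control flow instead of disassembling linearly, to show why CALL RealLink.00D8700A has no matching line. 00D8700A lies inside the 5-byte JMP 463574F7; the bytes there (5D 45 55 C3) are really POP EBP / INC EBP / PUSH EBP / RETN, the RETN lands back at 00D87008 where EB 04 is a JMP SHORT to 00D8700E, and the second CALL 00D87014 repeats the trick so that EBP ends up holding 00D87013. The script also reads the two C strings that OD displays as IMUL/INS/OUTS at 00D87071 and 00D8707E. The mini-decoder knows only the opcodes this prologue actually executes and stops at the first one it does not (the CMP at 00D87022); that limited opcode table and my transcription of the hex column are the only assumptions, everything else comes from the listing.

```python
import struct

# Address of the first byte in the OllyDbg listing quoted in the post.
BASE = 0x00D87001

# Bytes transcribed from the hex column of that listing, 00D87001..00D87093,
# laid out contiguously (OD's instruction boundaries are deliberately dropped).
HEXDUMP = (
    "60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D"
    " BB ED FF FF FF 03 DD 81 EB 00 70 98 00 83 BD 22 04 00 00 00"
    " 89 9D 22 04 00 00 0F 85 65 03 00 00 8D 85 2E 04 00 00 50"
    " FF 95 4D 0F 00 00 89 85 26 04 00 00 8B F8 8D 5D 5E 53 50"
    " FF 95 49 0F 00 00 89 85 4D 05 00 00 8D 5D 6B 53 57"
    " FF 95 49 0F 00 00 89 85 51 05 00 00 8D 45 77 FF E0"
    " 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00"           # 00D87071, shown by OD as PUSH ESI / IMUL ...
    " 56 69 72 74 75 61 6C 46 72 65 65 00"              # 00D8707E, shown by OD as PUSH ESI / IMUL ...
    " 8B 9D 31 05 00 00 0B DB 74 0A"                    # 00D8708A, real code resumes here
)
CODE = bytes.fromhex(HEXDUMP)

# Instruction start addresses exactly as OD's linear sweep lists them for
# 00D87001..00D8701C. Anything executed that is not in this set never appeared
# in the listing at all.
OD_LISTED = {0x00D87001, 0x00D87002, 0x00D87007, 0x00D8700C, 0x00D8700D,
             0x00D8700E, 0x00D87013, 0x00D87015, 0x00D8701A, 0x00D8701C}


def byte_at(addr):
    return CODE[addr - BASE]


def imm32(addr, signed=False):
    return struct.unpack_from("<i" if signed else "<I", CODE, addr - BASE)[0]


def rel8(addr):
    return struct.unpack_from("<b", CODE, addr - BASE)[0]


def trace(entry=BASE):
    """Follow control flow from the entry point with a deliberately tiny x86
    decoder (only the opcodes this prologue executes). Returns the executed
    instructions, the final EBP and EBX, and the address where decoding stopped."""
    eip, ebp, ebx, stack, executed = entry, 0, 0, [], []
    while True:
        op = byte_at(eip)
        if op == 0x60:                                   # PUSHAD: 8 dwords, values irrelevant here
            stack.extend([0] * 8); text, nxt = "PUSHAD", eip + 1
        elif op == 0xE8:                                 # CALL rel32: pushes return address
            target = eip + 5 + imm32(eip + 1, signed=True)
            stack.append(eip + 5); text, nxt = f"CALL {target:08X}", target
        elif op == 0xE9:                                 # JMP rel32
            nxt = eip + 5 + imm32(eip + 1, signed=True); text = f"JMP {nxt:08X}"
        elif op == 0xEB:                                 # JMP SHORT rel8
            nxt = eip + 2 + rel8(eip + 1); text = f"JMP SHORT {nxt:08X}"
        elif op == 0x5D:                                 # POP EBP: grabs the return address
            ebp = stack.pop(); text, nxt = "POP EBP", eip + 1
        elif op == 0x45:                                 # INC EBP
            ebp = (ebp + 1) & 0xFFFFFFFF; text, nxt = "INC EBP", eip + 1
        elif op == 0x55:                                 # PUSH EBP
            stack.append(ebp); text, nxt = "PUSH EBP", eip + 1
        elif op == 0xC3:                                 # RETN: jumps to whatever was pushed
            nxt = stack.pop(); text = "RETN"
        elif op == 0xBB:                                 # MOV EBX, imm32
            ebx = imm32(eip + 1); text, nxt = f"MOV EBX,{ebx:08X}", eip + 5
        elif op == 0x03 and byte_at(eip + 1) == 0xDD:    # ADD EBX, EBP
            ebx = (ebx + ebp) & 0xFFFFFFFF; text, nxt = "ADD EBX,EBP", eip + 2
        elif op == 0x81 and byte_at(eip + 1) == 0xEB:    # SUB EBX, imm32
            imm = imm32(eip + 2); ebx = (ebx - imm) & 0xFFFFFFFF
            text, nxt = f"SUB EBX,{imm:08X}", eip + 6
        else:
            break                                        # first opcode the mini-decoder does not know
        executed.append((eip, text))
        eip = nxt
    return executed, ebp, ebx, eip


def hidden_instructions():
    """Addresses that execute but never appear as a line in OD's listing."""
    executed, *_ = trace()
    return [addr for addr, _ in executed if addr not in OD_LISTED]


def cstring_at(addr):
    start = addr - BASE
    return CODE[start:CODE.index(b"\x00", start)].decode("ascii")


def api_names(ebp):
    # The two LEA EBX,[EBP+5E] / LEA EBX,[EBP+6B] operands pushed before CALL [EBP+F49].
    return cstring_at(ebp + 0x5E), cstring_at(ebp + 0x6B)


def resume_address(ebp):
    # LEA EAX,[EBP+77]; JMP EAX at 00D8706C jumps over the two strings.
    return ebp + 0x77


if __name__ == "__main__":
    executed, ebp, ebx, stop = trace()
    for addr, text in executed:
        flag = "" if addr in OD_LISTED else "   <- never shown in OD's listing"
        print(f"{addr:08X}  {text}{flag}")
    print(f"stopped at {stop:08X} (first opcode outside the mini-decoder)")
    print(f"EBP = {ebp:08X}, EBX = load address - 00987000 = {ebx:08X}")
    print("strings at EBP+5E / EBP+6B:", api_names(ebp))
    print(f"JMP EAX lands at {resume_address(ebp):08X}; OD's sweep is out of step until 00D87092")
```

Running it prints the instructions the CPU really executes, with the four that OD never displayed flagged (00D8700A, 00D8700B, 00D87008 and 00D87014), and ends with EBP = 00D87013 and EBX = 00400000. That EBX is the load address of the stub minus 00987000, i.e. the relocation delta the stub stores at [EBP+422] and later adds to section offsets (see ADD EBX,DWORD PTR SS:[EBP+422] at 00D870E8). The strings recovered at EBP+5E and EBP+6B are "VirtualAlloc" and "VirtualFree", so the IMUL/INS/OUTS lines in the listing are data, not code, and the real code picks up again at 00D8708A (MOV EBX,[EBP+531]; OR EBX,EBX; JE ...), which is why OD only shows a sensible instruction again at 00D87092.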