Ran into a program today packed with ASPack 2.12 -> Alexey Solodovnikov. This is normally an easy unpack, but the author added anti-debugging checks to the program.
1. Debugging with a modified OD:
0053E001 > 60 PUSHAD
0053E002 E8 03000000 CALL QQ伴侣.0053E00A //ESP trick: hr 0012ffa4
0053E007 - E9 EB045D45 JMP 45B0E4F7
0053E00C 55 PUSH EBP
0053E00D C3 RETN
0053E00E E8 01000000 CALL QQ伴侣.0053E014
0053E013 EB 5D JMP SHORT QQ伴侣.0053E072
0053E015 BB EDFFFFFF MOV EBX,-13
0053E01A 03DD ADD EBX,EBP
0053E01C 81EB 00E01300 SUB EBX,13E000
0053E022 83BD 22040000 0>CMP DWORD PTR SS:[EBP+422],0
0053E029 899D 22040000 MOV DWORD PTR SS:[EBP+422],EBX
0053E02F 0F85 65030000 JNZ QQ伴侣.0053E39A
============================================
Breaks here
0053E3B0 /75 08 JNZ SHORT QQ伴侣.0053E3BA
0053E3B2 |B8 01000000 MOV EAX,1
0053E3B7 |C2 0C00 RETN 0C
0053E3BA \68 15635300 PUSH QQ伴侣.00536315
0053E3BF C3 RETN //This should be where ASPack 2.12 transfers to the OEP, but instead it goes somewhere else; following it I found a lot of CALLs, possibly checking for OD......... beyond my ability to trace
0053E3C0 8B85 26040000 MOV EAX,DWORD PTR SS:[EBP+426]
0053E3C6 8D8D 3B040000 LEA ECX,DWORD PTR SS:[EBP+43B]
0053E3CC 51 PUSH ECX
0053E3CD 50 PUSH EAX
0053E3CE FF95 490F0000 CALL DWORD PTR SS:[EBP+F49]
0053E3D4 8985 55050000 MOV DWORD PTR SS:[EBP+555],EAX
0053E3DA 8D85 47040000 LEA EAX,DWORD PTR SS:[EBP+447]
0053E3E0 50 PUSH EAX
0053E3E1 FF95 510F0000 CALL DWORD PTR SS:[EBP+F51]
0053E3E7 8985 2A040000 MOV DWORD PTR SS:[EBP+42A],EAX
===================================
2. Used a plugin to hide the debugger, but the program will not run: A debugger has been found running in your system.......
3. Because of the anti-debugging, I also tried the latest StrongOD v0.3.3 by 海风月影, hoping to hide the debugger. But then the program errors out the moment it is loaded; it cannot be loaded at all.
4. Then I tried attaching. As soon as OD attaches, both the program and OD exit! I have no idea how to approach this; nothing gets past the anti-debugging checks... Could some expert please take a look?
Program download:
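Static triage of the bytes in the listing above, as an added example that is not part of the original post: a Python script that recognizes the ASPack 2.12 entry stub from its opcode bytes, derives the loaded image base the same way the stub's MOV EBX,-13 / ADD EBX,EBP / SUB EBX,13E000 arithmetic does, decodes every PUSH imm32 / RETN pair (the ASPack tail that normally hands control to the OEP, here PUSH 00536315 / RETN), and lists embedded strings that mention a debugger. The sample buffer is constructed from the opcode bytes in the listing plus the quoted error message; the helper names, the padding bytes, and the message wording are assumptions.

```python
"""Offline triage of an ASPack 2.12 stub from raw bytes (added example)."""
import re
import struct
from typing import List, Tuple

# Opcode bytes copied from the listing at 0053E001..0053E01C:
#   PUSHAD / CALL $+3 / JMP (overlapping POP EBP, INC EBP) / PUSH EBP / RETN /
#   CALL $+1 / JMP SHORT (overlapping POP EBP) / MOV EBX,-13 / ADD EBX,EBP / SUB EBX,
# The imm32 of the final SUB is image specific, so it is left out of the signature.
ASPACK_212_ENTRY = bytes.fromhex(
    "60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB"
)

# PUSH imm32 ; RETN is how the stub tail transfers to the unpacked entry point.
PUSH_RET = re.compile(rb"\x68(.{4})\xc3", re.DOTALL)


def find_aspack_entry(data: bytes) -> int:
    """Offset of the ASPack 2.12 entry stub inside data, or -1 if not present."""
    return data.find(ASPACK_212_ENTRY)


def image_base_from_stub(data: bytes, entry_off: int, entry_va: int) -> int:
    """Reproduce the stub's own arithmetic.

    After the second CALL/POP pair EBP holds the address just past JMP SHORT,
    MOV EBX,-13 / ADD EBX,EBP yields the byte before PUSHAD, and SUB EBX,imm32
    subtracts the stub's RVA. The result (stored at [EBP+422] in the listing)
    is the image base the program was actually loaded at.
    """
    imm_off = entry_off + len(ASPACK_212_ENTRY)
    stub_rva = struct.unpack("<I", data[imm_off:imm_off + 4])[0]
    return (entry_va - 1) - stub_rva


def find_push_ret_targets(data: bytes) -> List[Tuple[int, int]]:
    """(offset, pushed address) for every PUSH imm32 ; RETN pair in data."""
    return [(m.start(), struct.unpack("<I", m.group(1))[0])
            for m in PUSH_RET.finditer(data)]


def find_debugger_strings(data: bytes, min_len: int = 8) -> List[str]:
    """Printable ASCII runs of at least min_len bytes that mention a debugger."""
    found = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        text = m.group(0).decode("ascii")
        if "debugger" in text.lower():
            found.append(text)
    return found


# Constructed sample: the entry stub, the imm32 of SUB EBX,13E000, filler,
# the tail bytes from 0053E3B0..0053E3BF, and the error message quoted in the post.
SUB_IMM = struct.pack("<I", 0x0013E000)
TAIL = bytes.fromhex("75 08 B8 01 00 00 00 C2 0C 00 68 15 63 53 00 C3")
MESSAGE = b"A debugger has been found running in your system.\x00"  # assumed wording
SAMPLE = b"\x90" * 16 + ASPACK_212_ENTRY + SUB_IMM + b"\xcc" * 32 + TAIL + b"\x00" * 8 + MESSAGE

if __name__ == "__main__":
    off = find_aspack_entry(SAMPLE)
    print("ASPack 2.12 stub at offset", off)
    print("image base: %#x" % image_base_from_stub(SAMPLE, off, 0x0053E001))
    for o, target in find_push_ret_targets(SAMPLE):
        print("PUSH/RETN at offset %d -> %#010x" % (o, target))
    print("debugger strings:", find_debugger_strings(SAMPLE))
```

Locating the error string statically gives a concrete place to start instead of trying to hide the debugger: set a breakpoint on the code that references it (or on the message-box API it ends up in) and walk back to the check that decided a debugger was present.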