Aston Shell (read from the end: the later part is the first trace, the earlier part is the cleaned-up version; zzhzihui@tom.com)
a-master.exe v1.9, ASPR 1.24 RC4 packer
Traced again, cleaned up:
=======
Trace with an OllyScript (OllyDbg) that specifically locates ASPR stolen bytes, or trace by hand; note that the memory-access exception must be unchecked (not ignored) in the debugging options.
0042CA5B 0000 ADD BYTE PTR DS:[EAX],AL
0042CA5D 0000 ADD BYTE PTR DS:[EAX],AL
0042CA5F E8 AC46FDFF CALL A-MAST~2.00401110 >>>
0042CA64 E8 EB18FEFF CALL A-MAST~2.0040E354 ; returns here, fake OEP
0042CA69 E8 9E45FDFF CALL A-MAST~2.0040100C
========
00401110 31C0 XOR EAX,EAX <<< // OD can trace to here,
/// in fact this is a CALL kernel32.GetModuleHandleA near the OEP that ASPR has altered, so this is where to dump.
00401112 50 PUSH EAX
00401113 E8 E8FFFFFF CALL A-MAST~2.00401100 >>>
00401118 8905 08004300 MOV DWORD PTR DS:[430008],EAX
0040111E C3 RETN
00401100 - FF25 08114400 JMP DWORD PTR DS:[441108] <<<..>>>
00401106 8BC0 MOV EAX,EAX
00401108 - FF25 04114400 JMP DWORD PTR DS:[441104]
0040110E 8BC0 MOV EAX,EAX
00401110 31C0 XOR EAX,EAX
009B1C64 55 PUSH EBP <<<<
009B1C65 8BEC MOV EBP,ESP
009B1C67 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
009B1C6A 85C0 TEST EAX,EAX
009B1C6C 75 13 JNZ SHORT 009B1C81
009B1C6E 813D A47A9B00 0>CMP DWORD PTR DS:[9B7AA4],400000 ; ASCII "MZP"
009B1C78 75 07 JNZ SHORT 009B1C81
009B1C7A A1 A47A9B00 MOV EAX,DWORD PTR DS:[9B7AA4]
009B1C7F EB 06 JMP SHORT 009B1C87
009B1C81 50 PUSH EAX
009B1C82 E8 3135FFFF CALL 009A51B8 ; JMP to kernel32.GetModuleHandleA
009B1C87 5D POP EBP
009B1C88 C2 0400 RETN 4
===
009C6C92 55 PUSH EBP ; looks like the stolen bytes, i.e. the code at the OEP; working it out, the OEP should be 42CA54
009C6C93 8BEC MOV EBP,ESP
009C6C95 53 PUSH EBX
009C6C96 56 PUSH ESI
009C6C97 8B75 0C MOV ESI,DWORD PTR SS:[EBP+C]
009C6C9A 8B5D 08 MOV EBX,DWORD PTR SS:[EBP+8] ; // up to here
009C6C9D EB 11 JMP SHORT 009C6CB0
=====
===
0042C6D0 . B8 ACE84200 MOV EAX,ADUMP-~3.0042E8AC ; the 13 bytes starting at 42E8AC are encrypted.
Ciphertext: 0042E8AC 5A 5A 88 44 07 8D 07 F7 39 85 0B F3 EE
Decrypted: 0042E8AC 5B 58 8B 40 02 8B 00 FF 30 8F 00 FF E3
// decrypted by 0042C6D5 3018 XOR BYTE PTR DS:[EAX],BL, with BL incremented by 1 each round.
0042C6D5 EB 07 JMP SHORT ADUMP-~3.0042C6DE ; patched instruction: the decryption code below is skipped, and the ciphertext can be replaced by the plaintext directly, since the decrypted code itself also has to be patched.
0042C6D7 . 43 INC EBX
0042C6D8 . 40 INC EAX
0042C6D9 . 83FB 0E CMP EBX,0E
0042C6DC .^ 75 F7 JNZ SHORT ADUMP-~3.0042C6D5
0042C6DE . 33C0 XOR EAX,EAX ; jump lands here
0042C6E0 . 55 PUSH EBP
0042C6E1 . 68 07C74200 PUSH ADUMP-~3.0042C707
0042C6E6 . 64:FF30 PUSH DWORD PTR FS:[EAX]
---
Another encrypted segment
0042C727 E8 8C49FDFF CALL A-MAST~2.004010B8
0042C72C BB 01000000 MOV EBX,1
0042C731 B8 ACE84200 MOV EAX,A-MAST~2.0042E8AC ; 42E8AC here
0042C736 3018 XOR BYTE PTR DS:[EAX],BL
0042C738 43 INC EBX
0042C739 40 INC EAX
0042C73A 83FB 0E CMP EBX,0E
0042C73D ^ 75 F7 JNZ SHORT A-MAST~2.0042C736
---
0042E8B3 FF30 PUSH DWORD PTR DS:[EAX] ; EAX is the address of GetSystemTime... note this code is decrypted at run time at 42C6D0
0042E8B5 8F00 POP DWORD PTR DS:[EAX] ; once unpacked, the POP to the GetSystemTime function address raises an exception here; this is probably a check for whether the program has been unpacked.
0042E8B7 FFE3 JMP EBX
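The decryption loop above (MOV EBX,1 / XOR BYTE PTR [EAX],BL / INC EBX / INC EAX / CMP EBX,0E / JNZ) and the ciphertext/plaintext pair listed at 0042E8AC are reproduced here in Python as an added example; this is not code from the original notes. It is useful for checking a dump offline: XOR is its own inverse, so the same loop run over the plaintext gives the ciphertext back, and writing the decrypted bytes into the dump while bypassing the loop (as the notes do) leaves the run-time bytes unchanged. The instruction split of the 13 decrypted bytes is my own decoding; the page lists only the instructions from 0042E8B1 on.

```python
# Added example, not from the original notes: emulates the ASPR byte-decryption
# loop at 0042C72C..0042C73D and checks it against the bytes listed on the page.

# 13 bytes at 0042E8AC as listed on the page (ciphertext and expected plaintext)
CIPHERTEXT = bytes.fromhex("5A5A8844078D07F739850BF3EE")
EXPECTED_PLAINTEXT = bytes.fromhex("5B588B40028B00FF308F00FFE3")
STUB_BASE = 0x0042E8AC

# My decoding of the plaintext into instructions (lengths and mnemonics);
# the page itself only lists the last four, from 0042E8B1 onwards.
INSTRUCTION_LENGTHS = [1, 1, 3, 2, 2, 2, 2]
MNEMONICS = [
    "POP EBX", "POP EAX", "MOV EAX,DWORD PTR [EAX+2]", "MOV EAX,DWORD PTR [EAX]",
    "PUSH DWORD PTR [EAX]", "POP DWORD PTR [EAX]", "JMP EBX",
]


def xor_incrementing_key(data: bytes, first_key: int = 1) -> bytes:
    """Emulate: MOV EBX,first_key / XOR [EAX],BL / INC EBX / INC EAX ... one byte per round.

    Only BL (the low byte of EBX) is used as the key, hence the & 0xFF.
    """
    out = bytearray()
    key = first_key
    for b in data:
        out.append(b ^ (key & 0xFF))
        key += 1
    return bytes(out)


def loop_byte_count(cmp_immediate: int = 0x0E, first_key: int = 1) -> int:
    """How many bytes the loop touches: EBX runs from first_key until it equals cmp_immediate."""
    return cmp_immediate - first_key


def decrypt_stub(ciphertext: bytes = CIPHERTEXT) -> bytes:
    """Decrypt the stub exactly as the loop does (key starts at 1, see MOV EBX,1)."""
    return xor_incrementing_key(ciphertext, 1)


def stub_instructions(plaintext: bytes = None, base: int = STUB_BASE):
    """Split the decrypted bytes into (address, hex bytes, mnemonic) using my decoding above."""
    if plaintext is None:
        plaintext = decrypt_stub()
    result, offset = [], 0
    for length, mnemonic in zip(INSTRUCTION_LENGTHS, MNEMONICS):
        result.append((base + offset, plaintext[offset:offset + length].hex().upper(), mnemonic))
        offset += length
    if offset != len(plaintext):
        raise ValueError("instruction lengths do not cover the stub")
    return result


if __name__ == "__main__":
    for addr, hexbytes, mnemonic in stub_instructions():
        print(f"{addr:08X} {hexbytes:<8} {mnemonic}")
```

The CMP EBX,0E bound minus the starting key 1 gives 13 rounds, which matches the length of the ciphertext line on the page, and the addresses the split produces (MOV EAX,[EAX] at 0042E8B1, JMP EBX at 0042E8B7) line up with the disassembly above.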
----
0042C48C |. 8B00 MOV EAX,DWORD PTR DS:[EAX] ; |
0042C48E |. 50 PUSH EAX ; |hModule
0042C48F |. E8 844DFDFF CALL <JMP.&kernel32.GetProcAddress> ; \GetProcAddress
0042C494 |. FFD0 CALL EAX /// exception; in the packed program EAX returns 1B, ha, it is actually the number of days remaining.
/// it can be patched like this: 0042C494 B0 FF MOV AL,0FF
0042C496 |. 8B15 C0EE4200 MOV EDX,DWORD PTR DS:[42EEC0] ; A-MAST~4.00440E7C
0042C49C |. 8902 MOV DWORD PTR DS:[EDX],EAX
0042C49E |. A1 C0EE4200 MOV EAX,DWORD PTR DS:[42EEC0]
0042C4A3 |. 8338 00 CMP DWORD PTR DS:[EAX],0
0042C4A6 |. 74 02 JE SHORT A-MAST~4.0042C4AA
0042C4A8 |. B3 01 MOV BL,1
After fixing the IAT this way the About window no longer flickers. But under 9x it will certainly break, because the IAT is different.
Fixed the IAT under 98; runs normally. The IAT is attached below; from past experience, an IAT fixed under 98 also runs under 2K and XP.
*******************************************************************
===
First trace::>>
AsprDbgr debug output:
AsprDbgr v1.0beta (:P) Made by me... Manko.
iEP=401000 (C:\temp\1\1\A-master19.exe)
GST returns to: 992667
Trick aspr GST... (EAX=12121212h)
GV returns to: 9A1A61
IAT Start: 441104 // where the IAT begins
End: 4414FC
Length: 3F8 // size of the IAT; the IAT can now be rebuilt with ImportREC.
IATentry 441108 = 9A1C64 resolved as GetModuleHandleA
IATentry 441178 = 9A17A4 resolved as GetProcAddress
IATentry 44117C = 9A1C64 resolved as GetModuleHandleA
IATentry 441194 = 9A1CD8 resolved as GetCommandLineA
IATentry 44133C = 9A1D14 resolved as DialogBoxParamA
11 invalid entries erased.
Dip-Table at adress: 9A7AB4
0 412F20 0 0 0 0 0 42C514 40E2F4 40E344 0 0 0 0
Last SEH passed. Searching for signatures. Singlestepping to OEP!
Call + OEP-jump-setup at: 9B73D9 ( Code: E8000000 5D81ED )
Mutated, stolen bytes at: 9B7424 ( Code: 61F2EB01 9A2EEB01 )
Erase of stolen bytes at: 9B7388 ( Code: 9CFCBFC7 739B00B9 )
Repz ... found. Skipping erase of stolen bytes. ;)
Dip from pre-OEP: 401100 (Reached from: 9B7399)
Sugested tempOEP at: 7FFDEFFB
DebugProcess ended. (??)
====
009A1C64 55 PUSH EBP ; this may be the original code at the OEP.
009A1C65 8BEC MOV EBP,ESP
009A1C67 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
009A1C6A 85C0 TEST EAX,EAX
009A1C6C 75 13 JNZ SHORT 009A1C81
009A1C6E 813D A47A9A00 0>CMP DWORD PTR DS:[9A7AA4],400000 ; ASCII "MZP"
009A1C78 75 07 JNZ SHORT 009A1C81
009A1C7A A1 A47A9A00 MOV EAX,DWORD PTR DS:[9A7AA4] ; shortly after this it returns to the real OEP
---
Guessed OEP code (Delphi)
push ebp
mov ebp,esp
add esp,-0c
mov eax,4203f8
---
Code at the OEP after patching:
0042CA53 > $ 55 PUSH EBP
0042CA54 . 8BEC MOV EBP,ESP
0042CA56 . 83C4 F4 ADD ESP,-0C
0042CA59 . B8 44C94200 MOV EAX,ADUMP-~4.0042C944
0042CA5E . 90 NOP ; // actually the OEP should be at 42CA54, since there is one extra byte here, but this works too
0042CA5F . E8 AC46FDFF CALL ADUMP-~4.00401110
0042CA64 . E8 EB18FEFF CALL ADUMP-~4.0040E354 // the packed program returns here
0042CA69 . E8 9E45FDFF CALL ADUMP-~4.0040100C
0042CA6E . 8BC0 MOV EAX,EAX
0042CA70 . 0000 ADD BYTE PTR DS:[EAX],AL
0042CA72 . 0000 ADD BYTE PTR DS:[EAX],AL
====
0042C6D0 . B8 ACE84200 MOV EAX,ADUMP-~3.0042E8AC ; the 13 bytes starting at 42E8AC are encrypted.
Ciphertext: 0042E8AC 5A 5A 88 44 07 8D 07 F7 39 85 0B F3 EE
Decrypted: 0042E8AC 5B 58 8B 40 02 8B 00 FF 30 8F 00 FF E3
// decrypted by 0042C6D5 3018 XOR BYTE PTR DS:[EAX],BL, with BL incremented by 1 each round.
0042C6D5 EB 07 JMP SHORT ADUMP-~3.0042C6DE ; patched instruction: the decryption code below is skipped, and the ciphertext can be replaced by the plaintext directly, since the decrypted code itself also has to be patched.
0042C6D7 . 43 INC EBX
0042C6D8 . 40 INC EAX
0042C6D9 . 83FB 0E CMP EBX,0E
0042C6DC .^ 75 F7 JNZ SHORT ADUMP-~3.0042C6D5
0042C6DE . 33C0 XOR EAX,EAX ; jump lands here
0042C6E0 . 55 PUSH EBP
0042C6E1 . 68 07C74200 PUSH ADUMP-~3.0042C707
0042C6E6 . 64:FF30 PUSH DWORD PTR FS:[EAX]
====
0042E8B1 8B00 MOV EAX,DWORD PTR DS:[EAX] ; this is the encrypted code
0042E8B3 EB 02 JMP SHORT ADUMP-~4.0042E8B7 ; this is the patched instruction, because an invalid-instruction exception would occur here
0042E8B5 8F00 POP DWORD PTR DS:[EAX]
0042E8B7 FFE3 JMP EBX
0042E8B9 8D40 00 LEA EAX,DWORD PTR DS:[EAX]
/// that exception
===
0042C744 . E8 17CCFEFF CALL ADUMP-~4.00419360
0042C749 . EB 03 JMP SHORT ADUMP-~4.0042C74E ; exception here, just skip over it.
0042C74B 90 NOP
0042C74C 90 NOP
0042C74D 90 NOP
0042C74E > 84C0 TEST AL,AL
0042C750 . 0F84 8C010000 JE ADUMP-~4.0042C8E2
0042C756 . A1 44EE4200 MOV EAX,DWORD PTR DS:[42EE44]
0042C75B . 8B00 MOV EAX,DWORD PTR DS:[EAX]
The dumped program now runs, but whether it is safe is unknown; this is only under XP.
But clicking About makes the screen flicker.
***********
IAT table under Win98:
; Syntax for each function in a thunk (the separator is a TAB)
; ------------------------------------------------------------
; Flag RVA ModuleName Ordinal name
;
; Details for <Valid> parameter:
; ------------------------------
; Flag: 0 = valid: no -> - Name contains the address of the redirected API (you can set
; it to zero if you edit it).
; - Ordinal is not considered but you should let '0000' as value.
; - ModuleName is not considered but you should let '?' as value.
;
; 1 = valid: yes -> All next parameters on the line will be considered.
; Function imported by ordinal must have no name (the 4th TAB must
; be there though).
;
; 2 = Equivalent to 0 but it is for the loader.
;
; 3 = Equivalent to 1 but it is for the loader.
;
; 4 = Equivalent to 0 with (R) tag.
;
; 5 = Equivalent to 1 with (R) tag.
;
; And finally, edit this file as your own risk! :-)
Target: C:\ASTON\A-MASTER.EXE
OEP: 0002CA54 IATRVA: 00041104 IATSize: 000003F8
FThunk: 00041104 NbFunc: 00000002
1 00041104 kernel32.dll 0291 RtlUnwind
1 00041108 kernel32.dll 018D GetModuleHandleA
FThunk: 00041110 NbFunc: 00000006
1 00041110 advapi32.dll 0103 RegSetValueExA
1 00041114 advapi32.dll 00F7 RegQueryValueExA
1 00041118 advapi32.dll 00EE RegOpenKeyA
1 0004111C advapi32.dll 00DB RegCreateKeyA
1 00041120 advapi32.dll 00D8 RegCloseKey
1 00041124 advapi32.dll 0099 GetUserNameA
FThunk: 0004112C NbFunc: 00000026
1 0004112C kernel32.dll 035F lstrlen
1 00041130 kernel32.dll 0359 lstrcpy
1 00041134 kernel32.dll 0356 lstrcmpi
1 00041138 kernel32.dll 0353 lstrcmp
1 0004113C kernel32.dll 0350 lstrcat
1 00041140 kernel32.dll 0348 _hwrite
1 00041144 kernel32.dll 034A _lcreat
1 00041148 kernel32.dll 0349 _lclose
1 0004114C kernel32.dll 0327 WaitForSingleObject
1 00041150 kernel32.dll 02F6 Sleep
1 00041154 kernel32.dll 02D4 SetLastError
1 00041158 kernel32.dll 02C9 SetErrorMode
1 0004115C kernel32.dll 028E ResumeThread
1 00041160 kernel32.dll 027E ReadFile
1 00041164 kernel32.dll 0251 MulDiv
1 00041168 kernel32.dll 0229 LoadLibraryA
1 0004116C kernel32.dll 01DD GetVersionExA
1 00041170 kernel32.dll 01D6 GetTickCount
1 00041174 kernel32.dll 01B7 GetShortPathNameA
1 00041178 kernel32.dll 01A3 GetProcAddress
1 0004117C kernel32.dll 018D GetModuleHandleA
1 00041180 kernel32.dll 018B GetModuleFileNameA
1 00041184 kernel32.dll 0182 GetLocalTime
1 00041188 kernel32.dll 0181 GetLastError
1 0004118C kernel32.dll 0177 GetFileSize
1 00041190 kernel32.dll 015D GetCurrentThreadId
1 00041194 kernel32.dll 0149 GetCommandLineA
1 00041198 kernel32.dll 0133 FreeLibrary
1 0004119C kernel32.dll 0121 FindNextFileA
1 000411A0 kernel32.dll 011C FindFirstFileA
1 000411A4 kernel32.dll 0118 FindClose
1 000411A8 kernel32.dll 00F8 ExitProcess
1 000411AC kernel32.dll 00CD CreateThread
1 000411B0 kernel32.dll 00C1 CreateMutexA
1 000411B4 kernel32.dll 00B9 CreateFileA
1 000411B8 kernel32.dll 00B2 CreateDirectoryA
1 000411BC kernel32.dll 00AD CopyFileA
1 000411C0 kernel32.dll 00A0 CloseHandle
FThunk: 000411C8 NbFunc: 00000014
1 000411C8 gdi32.dll 01A7 StretchBlt
1 000411CC gdi32.dll 019C SetTextColor
1 000411D0 gdi32.dll 0198 SetStretchBltMode
1 000411D4 gdi32.dll 0181 SetDIBitsToDevice
1 000411D8 gdi32.dll 017A SetBkMode
1 000411DC gdi32.dll 0179 SetBkColor
1 000411E0 gdi32.dll 0173 SelectObject
1 000411E4 gdi32.dll 0129 GetStockObject
1 000411E8 gdi32.dll 00FA GetDeviceCaps
1 000411EC gdi32.dll 00F9 GetDIBits
1 000411F0 gdi32.dll 00CE ExtTextOutA
1 000411F4 gdi32.dll 00BC EnumFontFamiliesA
1 000411F8 gdi32.dll 00B0 DeleteObject
1 000411FC gdi32.dll 00AD DeleteDC
1 00041200 gdi32.dll 0095 CreateFontA
1 00041204 gdi32.dll 0089 CreateCompatibleDC
1 00041208 gdi32.dll 0088 CreateCompatibleBitmap
1 0004120C gdi32.dll 0083 CreateBitmap
1 00041210 gdi32.dll 0072 BitBlt
1 00041214 gdi32.dll 006B AddFontResourceA
FThunk: 0004121C NbFunc: 00000059
1 0004121C user32.dll 02A1 wvsprintfA
1 00041220 user32.dll 0296 WinHelpA
1 00041224 user32.dll 0274 UpdateWindow
1 00041228 user32.dll 0270 UnregisterClassA
1 0004122C user32.dll 026B UnhookWindowsHookEx
1 00041230 user32.dll 0263 TrackPopupMenuEx
1 00041234 user32.dll 0257 SystemParametersInfoA
1 00041238 user32.dll 0250 ShowWindow
1 0004123C user32.dll 024F ShowScrollBar
1 00041240 user32.dll 024D ShowCursor
1 00041244 user32.dll 024C ShowCaret
1 00041248 user32.dll 0249 SetWindowsHookExA
1 0004124C user32.dll 0245 SetWindowTextA
1 00041250 user32.dll 0243 SetWindowPos
1 00041254 user32.dll 0240 SetWindowLongA
1 00041258 user32.dll 0239 SetTimer
1 0004125C user32.dll 0231 SetScrollInfo
1 00041260 user32.dll 0230 SetRectEmpty
1 00041264 user32.dll 022F SetRect
1 00041268 user32.dll 021B SetFocus
1 0004126C user32.dll 0212 SetCursor
1 00041270 user32.dll 020C SetCaretPos
1 00041274 user32.dll 020A SetCapture
1 00041278 user32.dll 0201 SendMessageA
1 0004127C user32.dll 01FC SendDlgItemMessageA
1 00041280 user32.dll 01FB ScrollWindowEx
1 00041284 user32.dll 01F8 ScreenToClient
1 00041288 user32.dll 01F2 ReleaseDC
1 0004128C user32.dll 01F1 ReleaseCapture
1 00041290 user32.dll 01E2 RegisterClassA
1 00041294 user32.dll 01DE PtInRect
1 00041298 user32.dll 01D9 PostMessageA
1 0004129C user32.dll 01CC OffsetRect
1 000412A0 user32.dll 01C3 MoveWindow
1 000412A4 user32.dll 01B7 MessageBoxA
1 000412A8 user32.dll 01AF MapDialogRect
1 000412AC user32.dll 01A1 LoadImageA
1 000412B0 user32.dll 019F LoadIconA
1 000412B4 user32.dll 019B LoadCursorA
1 000412B8 user32.dll 0196 KillTimer
1 000412BC user32.dll 0191 IsWindow
1 000412C0 user32.dll 018C IsDlgButtonChecked
1 000412C4 user32.dll 017C InvalidateRect
1 000412C8 user32.dll 017B IntersectRect
1 000412CC user32.dll 0173 InflateRect
1 000412D0 user32.dll 0160 HideCaret
1 000412D4 user32.dll 0155 GetWindowRect
1 000412D8 user32.dll 0150 GetWindowLongA
1 000412DC user32.dll 0141 GetSystemMetrics
1 000412E0 user32.dll 013F GetSysColorBrush
1 000412E4 user32.dll 013E GetSysColor
1 000412E8 user32.dll 0131 GetParent
1 000412EC user32.dll 0115 GetLastActivePopup
1 000412F0 user32.dll 0100 GetDlgItemTextA
1 000412F4 user32.dll 00FE GetDlgItem
1 000412F8 user32.dll 00FD GetDlgCtrlID
1 000412FC user32.dll 00F9 GetDC
1 00041300 user32.dll 00F8 GetCursorPos
1 00041304 user32.dll 00ED GetClientRect
1 00041308 user32.dll 00EA GetClassNameA
1 0004130C user32.dll 00E0 GetAsyncKeyState
1 00041310 user32.dll 00D5 FindWindowA
1 00041314 user32.dll 00D4 FillRect
1 00041318 user32.dll 00BD EnumChildWindows
1 0004131C user32.dll 00BB EndPaint
1 00041320 user32.dll 00B9 EndDialog
1 00041324 user32.dll 00B7 EnableWindow
1 00041328 user32.dll 00AF DrawTextA
1 0004132C user32.dll 00AA DrawIconEx
1 00041330 user32.dll 00A9 DrawIcon
1 00041334 user32.dll 00A8 DrawFrameControl
1 00041338 user32.dll 00A5 DrawEdge
1 0004133C user32.dll 0093 DialogBoxParamA
1 00041340 user32.dll 0090 DestroyWindow
1 00041344 user32.dll 008F DestroyMenu
1 00041348 user32.dll 008D DestroyCursor
1 0004134C user32.dll 008C DestroyCaret
1 00041350 user32.dll 0087 DefWindowProcA
1 00041354 user32.dll 005D CreateWindowExA
1 00041358 user32.dll 005C CreatePopupMenu
1 0004135C user32.dll 0053 CreateDialogParamA
1 00041360 user32.dll 004D CreateCaret
1 00041364 user32.dll 0049 CopyRect
1 00041368 user32.dll 003E ClipCursor
1 0004136C user32.dll 003D ClientToScreen
1 00041370 user32.dll 0017 CallWindowProcA
1 00041374 user32.dll 0016 CallNextHookEx
1 00041378 user32.dll 000C BeginPaint
1 0004137C user32.dll 0007 AppendMenuA
FThunk: 00041384 NbFunc: 00000001
1 00041384 shell32.dll 010F SHFileOperation
FThunk: 0004138C NbFunc: 0000003A
1 0004138C starter.dll 0006 LayeredStyle
1 00041390 starter.dll 001A SetForeWndFix
1 00041394 starter.dll 0056 SHFree
1 00041398 starter.dll 000F FileExists
1 0004139C starter.dll 0011 DoneExtractor
1 000413A0 starter.dll 0012 IconMCount
1 000413A4 starter.dll 0013 MakeHIcon
1 000413A8 starter.dll 0014 FreeExIcon
1 000413AC starter.dll 0015 AdjustIcon
1 000413B0 starter.dll 0016 ReadIconFromModule
1 000413B4 starter.dll 0017 InitExtractor
1 000413B8 starter.dll 001C NotifyTip
1 000413BC starter.dll 001E DeleteKey
1 000413C0 starter.dll 0020 NewNode
1 000413C4 starter.dll 0021 FindNextNode
1 000413C8 starter.dll 0022 FindFirstNode
1 000413CC starter.dll 0023 FreeNodeList
1 000413D0 starter.dll 0024 GetNodeList
1 000413D4 starter.dll 0025 SetCFGFont
1 000413D8 starter.dll 0026 SetCFGPic
1 000413DC starter.dll 0027 SetCFGHex
1 000413E0 starter.dll 0028 SetCFGInt
1 000413E4 starter.dll 0029 SetCFGString
1 000413E8 starter.dll 0033 InsertString
1 000413EC starter.dll 0034 Scan
1 000413F0 starter.dll 0031 GetCFGFont
1 000413F4 starter.dll 002C GetCFGBool
1 000413F8 starter.dll 002D GetCFGHex
1 000413FC starter.dll 002E GetCFGInt
1 00041400 starter.dll 002F GetCFGString
1 00041404 starter.dll 0036 FindSection
1 00041408 starter.dll 0037 CloseCFGr
1 0004140C starter.dll 0038 OpenCFGr
1 00041410 starter.dll 002A CloseCFGw
1 00041414 starter.dll 002B OpenCFGw
1 00041418 starter.dll 003D GetFontHandle
1 0004141C starter.dll 0039 CheckInt
1 00041420 starter.dll 0042 GetParamStr
1 00041424 starter.dll 0044 Unquote
1 00041428 starter.dll 0045 Quote
1 0004142C starter.dll 0041 Run
1 00041430 starter.dll 0047 FreePicture
1 00041434 starter.dll 001F FreeNode
1 00041438 starter.dll 0049 DrawSkin
1 0004143C starter.dll 004A DrawPicture
1 00041440 starter.dll 0043 GetRegInt
1 00041444 starter.dll 004F LoadImageEx
1 00041448 starter.dll 003E ResetFontCache
1 0004144C starter.dll 0052 IsPSTREmpty
1 00041450 starter.dll 0053 strmoven
1 00041454 starter.dll 0054 strecopy
1 00041458 starter.dll 0055 strcopy
1 0004145C starter.dll 005A realloc
1 00041460 starter.dll 005B free
1 00041464 starter.dll 005C malloc
1 00041468 starter.dll 001B DoneAstonAPI
1 0004146C starter.dll 005D InitAstonAPI
1 00041470 starter.dll 0050 ResetPictureCache
FThunk: 00041478 NbFunc: 00000003
1 00041478 kernel32.dll 0290 RtlMoveMemory
1 0004147C kernel32.dll 028F RtlFillMemory
1 00041480 kernel32.dll 0292 RtlZeroMemory
FThunk: 00041488 NbFunc: 00000003
1 00041488 shell32.dll 0109 SHBrowseForFolder
1 0004148C shell32.dll 0123 SHGetSpecialFolderLocation
1 00041490 shell32.dll 011F SHGetPathFromIDList
FThunk: 00041498 NbFunc: 00000011
1 00041498 comctl32.dll 0032 ImageList_DragShowNolock
1 0004149C comctl32.dll 0031 ImageList_DragMove
1 000414A0 comctl32.dll 0030 ImageList_DragLeave
1 000414A4 comctl32.dll 002F ImageList_DragEnter
1 000414A8 comctl32.dll 0037 ImageList_EndDrag
1 000414AC comctl32.dll 002B ImageList_BeginDrag
1 000414B0 comctl32.dll 003A ImageList_GetIcon
1 000414B4 comctl32.dll 0044 ImageList_Remove
1 000414B8 comctl32.dll 0034 ImageList_DrawEx
1 000414BC comctl32.dll 002A ImageList_AddMasked
1 000414C0 comctl32.dll 0045 ImageList_Replace
1 000414C4 comctl32.dll 0051 ImageList_SetOverlayImage
1 000414C8 comctl32.dll 0046 ImageList_ReplaceIcon
1 000414CC comctl32.dll 0028 ImageList_Add
1 000414D0 comctl32.dll 002E ImageList_Destroy
1 000414D4 comctl32.dll 002D ImageList_Create
1 000414D8 comctl32.dll 0011 InitCommonControls
FThunk: 000414E0 NbFunc: 00000001
1 000414E0 drawpng.dll 0001 AlphaBlt
FThunk: 000414E8 NbFunc: 00000005
1 000414E8 comdlg32.dll 0075 PrintDlgA
1 000414EC comdlg32.dll 0067 ChooseFontA
1 000414F0 comdlg32.dll 0065 ChooseColorA
1 000414F4 comdlg32.dll 0070 GetSaveFileNameA
1 000414F8 comdlg32.dll 006E GetOpenFileNameA
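The ImportREC text layout described in the header above (one TAB-separated entry per slot under each FThunk line) can be checked mechanically before the tree is used to rebuild the IAT. The parser and consistency check below are an added example, not part of the notes or of ImportREC itself. The first sample tree is constructed from the page's header and its first two thunks; the second is a deliberately broken sample showing the kinds of problems the check reports: NbFunc not matching the listed entries, an unresolved flag-0 slot whose name field still holds the redirected address (the 9A1C64 value AsprDbgr printed for slot 441108), and a thunk that starts without the 4-byte null terminator after the previous one. The ordinal column is parsed as hex like the other fields (an assumption on my part).

```python
# Added example, not from the original notes or from ImportREC: parse and sanity-check
# an ImportREC-style tree file (Flag<TAB>RVA<TAB>Module<TAB>Ordinal<TAB>Name per slot).
import re
from dataclasses import dataclass, field


@dataclass
class Entry:
    flag: int       # 0/2/4 = unresolved, 1/3/5 = valid (see the ImportREC header)
    rva: int        # RVA of the IAT slot
    module: str
    ordinal: int    # parsed as hex (assumption, consistent with the other columns)
    name: str       # unresolved slots keep the redirected address here


@dataclass
class Thunk:
    rva: int        # FThunk: first slot of this import descriptor
    nb_func: int    # NbFunc: number of slots ImportREC claims for it
    entries: list = field(default_factory=list)


@dataclass
class Tree:
    target: str = ""
    oep: int = 0
    iat_rva: int = 0
    iat_size: int = 0
    thunks: list = field(default_factory=list)


_HDR = re.compile(r"OEP:\s*([0-9A-Fa-f]+)\s+IATRVA:\s*([0-9A-Fa-f]+)\s+IATSize:\s*([0-9A-Fa-f]+)")
_THUNK = re.compile(r"FThunk:\s*([0-9A-Fa-f]+)\s+NbFunc:\s*([0-9A-Fa-f]+)")


def parse_tree(text: str) -> Tree:
    """Parse the tree; ';' lines are comments, slot lines are TAB-separated."""
    tree = Tree()
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue
        if line.startswith("Target:"):
            tree.target = line[len("Target:"):].strip()
            continue
        m = _HDR.search(line)
        if m:
            tree.oep, tree.iat_rva, tree.iat_size = (int(x, 16) for x in m.groups())
            continue
        m = _THUNK.search(line)
        if m:
            tree.thunks.append(Thunk(int(m.group(1), 16), int(m.group(2), 16)))
            continue
        parts = line.split("\t")
        if len(parts) < 4 or not tree.thunks:
            raise ValueError(f"unparseable line: {line!r}")
        flag, rva, module, ordinal = parts[:4]
        name = parts[4] if len(parts) > 4 else ""   # ordinal-only imports have an empty name
        tree.thunks[-1].entries.append(Entry(int(flag), int(rva, 16), module, int(ordinal, 16), name))
    return tree


def check_tree(tree: Tree) -> list:
    """Return a list of consistency problems (empty when the tree looks sane)."""
    problems, iat_end, prev_end = [], tree.iat_rva + tree.iat_size, None
    for t in tree.thunks:
        if len(t.entries) != t.nb_func:
            problems.append(f"FThunk {t.rva:08X}: NbFunc {t.nb_func:X} but {len(t.entries)} entries listed")
        # each descriptor's slot array ends with a 4-byte null, so the next FThunk must sit past it
        if prev_end is not None and t.rva < prev_end + 4:
            problems.append(f"FThunk {t.rva:08X}: starts inside the previous thunk's null terminator")
        for i, e in enumerate(t.entries):
            if e.rva != t.rva + 4 * i:
                problems.append(f"entry {e.rva:08X}: expected slot {t.rva + 4 * i:08X}")
            if not (tree.iat_rva <= e.rva < iat_end):
                problems.append(f"entry {e.rva:08X}: outside IAT [{tree.iat_rva:08X}, {iat_end:08X})")
            if e.flag in (0, 2, 4):
                problems.append(f"entry {e.rva:08X}: unresolved (flag {e.flag}), name field {e.name!r}")
        prev_end = t.rva + 4 * len(t.entries)
    return problems


def module_summary(tree: Tree) -> dict:
    """Count resolved slots per module, a quick plausibility check against the packed binary."""
    counts: dict = {}
    for t in tree.thunks:
        for e in t.entries:
            counts[e.module] = counts.get(e.module, 0) + 1
    return counts


# Constructed sample: header and the first two thunks exactly as listed on the page.
GOOD_TREE = "\n".join([
    "; constructed sample, copied from the page's Win98 IAT",
    "Target: C:\\ASTON\\A-MASTER.EXE",
    "OEP: 0002CA54 IATRVA: 00041104 IATSize: 000003F8",
    "FThunk: 00041104 NbFunc: 00000002",
    "1\t00041104\tkernel32.dll\t0291\tRtlUnwind",
    "1\t00041108\tkernel32.dll\t018D\tGetModuleHandleA",
    "FThunk: 00041110 NbFunc: 00000006",
    "1\t00041110\tadvapi32.dll\t0103\tRegSetValueExA",
    "1\t00041114\tadvapi32.dll\t00F7\tRegQueryValueExA",
    "1\t00041118\tadvapi32.dll\t00EE\tRegOpenKeyA",
    "1\t0004111C\tadvapi32.dll\t00DB\tRegCreateKeyA",
    "1\t00041120\tadvapi32.dll\t00D8\tRegCloseKey",
    "1\t00041124\tadvapi32.dll\t0099\tGetUserNameA",
])

# Constructed sample with three deliberate faults.
BAD_TREE = "\n".join([
    "Target: C:\\ASTON\\A-MASTER.EXE",
    "OEP: 0002CA54 IATRVA: 00041104 IATSize: 000003F8",
    "FThunk: 00041104 NbFunc: 00000003",           # claims 3 slots, lists 2
    "1\t00041104\tkernel32.dll\t0291\tRtlUnwind",
    "0\t00041108\t?\t0000\t009A1C64",               # unresolved: still points into the ASPR stub
    "FThunk: 0004110C NbFunc: 00000001",            # no null terminator after the previous thunk
    "1\t0004110C\tadvapi32.dll\t0103\tRegSetValueExA",
])
```

Running `check_tree(parse_tree(GOOD_TREE))` returns an empty list, while the broken sample yields three findings; the IAT end computed from the header (41104 + 3F8 = 414FC) agrees with the End value AsprDbgr printed earlier in the notes.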