-
-
[旧帖] [原创]手动脱壳入门Aspack2.12+爆破 0.00雪花
-
发表于: 2007-3-8 19:40
-
手动脱壳入门Aspack2.12+爆破
【脱文标题】 手动脱壳入门Aspack2.12
【脱文作者】 //phantom//[ghoster]
【作者邮箱】webmast9492@163.com
【使用工具】 Peid、Ollydbg 、ImportREC
【脱壳平台】 Win98/XP
【软件名称】 私人磁盘管理
【软件简介】 Aspack 2.12加壳的
【软件大小】 418K
【加壳方式】 ASPack 2.12 -> Alexey Solodovnikov
【脱壳声明】 为了技术而破解,别无所求。
好,我们这次脱Aspack2.12的壳看看它的特性。
首先必须的工具要准备好,
附件中壳为PEiD查壳为ASPack 2.12 -> Alexey Solodovnikov
手动脱壳建议大家用Ollydbg,工作平台,Win98系统,哎电脑破么^_^
手动脱壳时,用Olldbg载入程序,脱壳程序里面会有有好多循环。对付循环时,只能让程序往前运行,基本不
能让它往回跳,要想法跳出循环圈。不要用Peid查入口,单步跟踪,提高手动找入口能力。
用OD载入程序后。
确定一个入口警告,OD提示软件可能有自解压或自修改功能,当然,因为它加了壳。
停在这里
00588001 > 60 PUSHAD ;asppack 的特点与popad相对应,F8单步跟踪
00588002 E8 03000000 CALL SRCP395P.0058800A ;
00588007 - E9 EB045D45 JMP 45B584F7
0058800C 55 PUSH EBP
0058800D C3 RETN
0058800E E8 01000000 CALL SRCP395P.00588014
00588013 EB 5D JMP SHORT SRCP395P.00588072
00588015 BB EDFFFFFF MOV EBX,-13
0058801A 03DD ADD EBX,EBP
0058801C 81EB 00801800 SUB EBX,188000
00588022 83BD 22040000 00 CMP DWORD PTR SS:[EBP+422],0
00588029 899D 22040000 MOV DWORD PTR SS:[EBP+422],EBX
0058802F 0F85 65030000 JNZ SRCP395P.0058839A
00588035 8D85 2E040000 LEA EAX,DWORD PTR SS:[EBP+42E]
0058803B 50 PUSH EAX
0058803C FF95 4D0F0000 CALL DWORD PTR SS:[EBP+F4D]
00588042 8985 26040000 MOV DWORD PTR SS:[EBP+426],EAX
00588048 8BF8 MOV EDI,EAX
0058804A 8D5D 5E LEA EBX,DWORD PTR SS:[EBP+5E]
0058804D 53 PUSH EBX
0058804E 50 PUSH EAX
0058804F FF95 490F0000 CALL DWORD PTR SS:[EBP+F49]
00588055 8985 4D050000 MOV DWORD PTR SS:[EBP+54D],EAX
0058805B 8D5D 6B LEA EBX,DWORD PTR SS:[EBP+6B]
0058805E 53 PUSH EBX
0058805F 57 PUSH EDI
00588060 FF95 490F0000 CALL DWORD PTR SS:[EBP+F49]
00588066 8985 51050000 MOV DWORD PTR SS:[EBP+551],EAX
0058806C 8D45 77 LEA EAX,DWORD PTR SS:[EBP+77]
0058806F FFE0 JMP EAX
00588071 56 PUSH ESI
00588072 6972 74 75616C41 IMUL ESI,DWORD PTR DS:[EDX+74],4>
00588079 6C INS BYTE PTR ES:[EDI],DX ; I/O 命令
0058807A 6C INS BYTE PTR ES:[EDI],DX ; I/O 命令
0058807B 6F OUTS DX,DWORD PTR ES:[EDI] ; I/O 命令
0058807C 6300 ARPL WORD PTR DS:[EAX],AX
0058807E 56 PUSH ESI
0058807F 6972 74 75616C46 IMUL ESI,DWORD PTR DS:[EDX+74],4>
00588086 72 65 JB SHORT SRCP395P.005880ED
00588088 65:008B 9D310500 ADD BYTE PTR GS:[EBX+5319D],CL
0058808F 000B ADD BYTE PTR DS:[EBX],CL
00588091 DB ??? ; 未知命令
00588092 74 0A JE SHORT SRCP395P.0058809E
00588094 8B03 MOV EAX,DWORD PTR DS:[EBX]
00588096 8785 35050000 XCHG DWORD PTR SS:[EBP+535],EAX
0058809C 8903 MOV DWORD PTR DS:[EBX],EAX
0058809E 8DB5 69050000 LEA ESI,DWORD PTR SS:[EBP+569]
005880A4 833E 00 CMP DWORD PTR DS:[ESI],0
005880A7 0F84 21010000 JE SRCP395P.005881CE
005880AD 6A 04 PUSH 4
005880AF 68 00100000 PUSH 1000
005880B4 68 00180000 PUSH 1800
005880B9 6A 00 PUSH 0
005880BB FF95 4D050000 CALL DWORD PTR SS:[EBP+54D]
005880C1 8985 56010000 MOV DWORD PTR SS:[EBP+156],EAX
005880C7 8B46 04 MOV EAX,DWORD PTR DS:[ESI+4]
005880CA 05 0E010000 ADD EAX,10E
005880CF 6A 04 PUSH 4
005880D1 68 00100000 PUSH 1000
005880D6 50 PUSH EAX
005880D7 6A 00 PUSH 0
005880D9 FF95 4D050000 CALL DWORD PTR SS:[EBP+54D]
005880DF 8985 52010000 MOV DWORD PTR SS:[EBP+152],EAX
005880E5 56 PUSH ESI
005880E6 8B1E MOV EBX,DWORD PTR DS:[ESI]
005880E8 039D 22040000 ADD EBX,DWORD PTR SS:[EBP+422]
005880EE FFB5 56010000 PUSH DWORD PTR SS:[EBP+156]
005880F4 FF76 04 PUSH DWORD PTR DS:[ESI+4]
005880F7 50 PUSH EAX
005880F8 53 PUSH EBX
005880F9 E8 6E050000 CALL SRCP395P.0058866C
005880FE B3 01 MOV BL,1
00588100 80FB 00 CMP BL,0
00588103 75 5E JNZ SHORT SRCP395P.00588163
00588105 FE85 EC000000 INC BYTE PTR SS:[EBP+EC]
0058810B 8B3E MOV EDI,DWORD PTR DS:[ESI]
0058810D 03BD 22040000 ADD EDI,DWORD PTR SS:[EBP+422]
00588113 FF37 PUSH DWORD PTR DS:[EDI]
00588115 C607 C3 MOV BYTE PTR DS:[EDI],0C3
00588118 FFD7 CALL EDI
0058811A 8F07 POP DWORD PTR DS:[EDI]
0058811C 50 PUSH EAX
0058811D 51 PUSH ECX
0058811E 56 PUSH ESI
0058811F 53 PUSH EBX
00588120 8BC8 MOV ECX,EAX
00588122 83E9 06 SUB ECX,6
00588125 8BB5 52010000 MOV ESI,DWORD PTR SS:[EBP+152]
0058812B 33DB XOR EBX,EBX
0058812D 0BC9 OR ECX,ECX
0058812F 74 2E JE SHORT SRCP395P.0058815F
00588131 78 2C JS SHORT SRCP395P.0058815F
00588133 AC LODS BYTE PTR DS:[ESI]
00588134 3C E8 CMP AL,0E8
00588136 74 0A JE SHORT SRCP395P.00588142
00588138 EB 00 JMP SHORT SRCP395P.0058813A
0058813A 3C E9 CMP AL,0E9
0058813C 74 04 JE SHORT SRCP395P.00588142
0058813E 43 INC EBX
0058813F 49 DEC ECX
00588140 ^ EB EB JMP SHORT SRCP395P.0058812D
00588142 8B06 MOV EAX,DWORD PTR DS:[ESI]
00588144 EB 00 JMP SHORT SRCP395P.00588146
00588146 803E 19 CMP BYTE PTR DS:[ESI],19
00588149 ^ 75 F3 JNZ SHORT SRCP395P.0058813E
0058814B 24 00 AND AL,0
0058814D C1C0 18 ROL EAX,18
00588150 2BC3 SUB EAX,EBX
00588152 8906 MOV DWORD PTR DS:[ESI],EAX
00588154 83C3 05 ADD EBX,5
00588157 83C6 04 ADD ESI,4
0058815A 83E9 05 SUB ECX,5
0058815D ^ EB CE JMP SHORT SRCP395P.0058812D
0058815F 5B POP EBX
00588160 5E POP ESI
00588161 59 POP ECX
00588162 58 POP EAX
00588163 EB 08 JMP SHORT SRCP395P.0058816D
00588165 0000 ADD BYTE PTR DS:[EAX],AL
00588167 CF IRETD
00588168 0000 ADD BYTE PTR DS:[EAX],AL
0058816A 00CE ADD DH,CL
0058816C 008B C88B3E03 ADD BYTE PTR DS:[EBX+33E8BC8],CL
00588172 BD 22040000 MOV EBP,422
00588177 8BB5 52010000 MOV ESI,DWORD PTR SS:[EBP+152]
0058817D C1F9 02 SAR ECX,2
00588180 F3:A5 REP MOVS DWORD PTR ES:[EDI],DWOR>
00588182 8BC8 MOV ECX,EAX
00588184 83E1 03 AND ECX,3
00588187 F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE >
00588189 5E POP ESI
0058818A 68 00800000 PUSH 8000
0058818F 6A 00 PUSH 0
00588191 FFB5 52010000 PUSH DWORD PTR SS:[EBP+152]
00588197 FF95 51050000 CALL DWORD PTR SS:[EBP+551]
0058819D 83C6 08 ADD ESI,8
005881A0 833E 00 CMP DWORD PTR DS:[ESI],0
005881A3 ^ 0F85 1EFFFFFF JNZ SRCP395P.005880C7
005881A9 68 00800000 PUSH 8000
005881AE 6A 00 PUSH 0
005881B0 FFB5 56010000 PUSH DWORD PTR SS:[EBP+156]
005881B6 FF95 51050000 CALL DWORD PTR SS:[EBP+551]
005881BC 8B9D 31050000 MOV EBX,DWORD PTR SS:[EBP+531]
005881C2 0BDB OR EBX,EBX
005881C4 74 08 JE SHORT SRCP395P.005881CE
005881C6 8B03 MOV EAX,DWORD PTR DS:[EBX]
005881C8 8785 35050000 XCHG DWORD PTR SS:[EBP+535],EAX
005881CE 8B95 22040000 MOV EDX,DWORD PTR SS:[EBP+422]
005881D4 8B85 2D050000 MOV EAX,DWORD PTR SS:[EBP+52D]
005881DA 2BD0 SUB EDX,EAX
005881DC 74 79 JE SHORT SRCP395P.00588257
005881DE 8BC2 MOV EAX,EDX
005881E0 C1E8 10 SHR EAX,10
005881E3 33DB XOR EBX,EBX
005881E5 8BB5 39050000 MOV ESI,DWORD PTR SS:[EBP+539]
005881EB 03B5 22040000 ADD ESI,DWORD PTR SS:[EBP+422]
005881F1 833E 00 CMP DWORD PTR DS:[ESI],0
005881F4 74 61 JE SHORT SRCP395P.00588257
005881F6 8B4E 04 MOV ECX,DWORD PTR DS:[ESI+4]
005881F9 83E9 08 SUB ECX,8
005881FC D1E9 SHR ECX,1
005881FE 8B3E MOV EDI,DWORD PTR DS:[ESI]
00588200 03BD 22040000 ADD EDI,DWORD PTR SS:[EBP+422]
00588206 83C6 08 ADD ESI,8
00588209 66:8B1E MOV BX,WORD PTR DS:[ESI]
0058820C C1EB 0C SHR EBX,0C
0058820F 83FB 01 CMP EBX,1
00588212 74 0C JE SHORT SRCP395P.00588220
00588214 83FB 02 CMP EBX,2
00588217 74 16 JE SHORT SRCP395P.0058822F
00588219 83FB 03 CMP EBX,3
0058821C 74 20 JE SHORT SRCP395P.0058823E
0058821E EB 2C JMP SHORT SRCP395P.0058824C
00588220 66:8B1E MOV BX,WORD PTR DS:[ESI]
00588223 81E3 FF0F0000 AND EBX,0FFF
00588229 66:01041F ADD WORD PTR DS:[EDI+EBX],AX
0058822D EB 1D JMP SHORT SRCP395P.0058824C
0058822F 66:8B1E MOV BX,WORD PTR DS:[ESI]
00588232 81E3 FF0F0000 AND EBX,0FFF
00588238 66:01141F ADD WORD PTR DS:[EDI+EBX],DX
0058823C EB 0E JMP SHORT SRCP395P.0058824C
0058823E 66:8B1E MOV BX,WORD PTR DS:[ESI]
00588241 81E3 FF0F0000 AND EBX,0FFF
00588247 01141F ADD DWORD PTR DS:[EDI+EBX],EDX
0058824A EB 00 JMP SHORT SRCP395P.0058824C
0058824C 66:830E FF OR WORD PTR DS:[ESI],0FFFF
00588250 83C6 02 ADD ESI,2
00588253 ^ E2 B4 LOOPD SHORT SRCP395P.00588209
00588255 ^ EB 9A JMP SHORT SRCP395P.005881F1
00588257 8B95 22040000 MOV EDX,DWORD PTR SS:[EBP+422]
0058825D 8BB5 41050000 MOV ESI,DWORD PTR SS:[EBP+541]
00588263 0BF6 OR ESI,ESI
00588265 74 11 JE SHORT SRCP395P.00588278
00588267 03F2 ADD ESI,EDX
00588269 AD LODS DWORD PTR DS:[ESI]
0058826A 0BC0 OR EAX,EAX
0058826C 74 0A JE SHORT SRCP395P.00588278
0058826E 03C2 ADD EAX,EDX
00588270 8BF8 MOV EDI,EAX
00588272 66:AD LODS WORD PTR DS:[ESI]
00588274 66:AB STOS WORD PTR ES:[EDI]
00588276 ^ EB F1 JMP SHORT SRCP395P.00588269
00588278 BE 00800C00 MOV ESI,0C8000
0058827D 8B95 22040000 MOV EDX,DWORD PTR SS:[EBP+422]
00588283 03F2 ADD ESI,EDX
00588285 8B46 0C MOV EAX,DWORD PTR DS:[ESI+C]
00588288 85C0 TEST EAX,EAX
0058828A 0F84 0A010000 JE SRCP395P.0058839A
00588290 03C2 ADD EAX,EDX
00588292 8BD8 MOV EBX,EAX
00588294 50 PUSH EAX
00588295 FF95 4D0F0000 CALL DWORD PTR SS:[EBP+F4D]
0058829B 85C0 TEST EAX,EAX
0058829D 75 07 JNZ SHORT SRCP395P.005882A6
0058829F 53 PUSH EBX
005882A0 FF95 510F0000 CALL DWORD PTR SS:[EBP+F51]
005882A6 8985 45050000 MOV DWORD PTR SS:[EBP+545],EAX
005882AC C785 49050000 00000000 MOV DWORD PTR SS:[EBP+549],0
005882B6 8B95 22040000 MOV EDX,DWORD PTR SS:[EBP+422]
005882BC 8B06 MOV EAX,DWORD PTR DS:[ESI]
005882BE 85C0 TEST EAX,EAX
005882C0 75 03 JNZ SHORT SRCP395P.005882C5
005882C2 8B46 10 MOV EAX,DWORD PTR DS:[ESI+10]
005882C5 03C2 ADD EAX,EDX
005882C7 0385 49050000 ADD EAX,DWORD PTR SS:[EBP+549]
005882CD 8B18 MOV EBX,DWORD PTR DS:[EAX]
005882CF 8B7E 10 MOV EDI,DWORD PTR DS:[ESI+10]
005882D2 03FA ADD EDI,EDX
005882D4 03BD 49050000 ADD EDI,DWORD PTR SS:[EBP+549]
005882DA 85DB TEST EBX,EBX
005882DC 0F84 A2000000 JE SRCP395P.00588384
005882E2 F7C3 00000080 TEST EBX,80000000
005882E8 75 04 JNZ SHORT SRCP395P.005882EE
005882EA 03DA ADD EBX,EDX
005882EC 43 INC EBX
005882ED 43 INC EBX
005882EE 53 PUSH EBX
005882EF 81E3 FFFFFF7F AND EBX,7FFFFFFF
005882F5 53 PUSH EBX
005882F6 FFB5 45050000 PUSH DWORD PTR SS:[EBP+545]
005882FC FF95 490F0000 CALL DWORD PTR SS:[EBP+F49]
00588302 85C0 TEST EAX,EAX
00588304 5B POP EBX
00588305 75 6F JNZ SHORT SRCP395P.00588376
00588307 F7C3 00000080 TEST EBX,80000000
0058830D 75 19 JNZ SHORT SRCP395P.00588328
0058830F 57 PUSH EDI
00588310 8B46 0C MOV EAX,DWORD PTR DS:[ESI+C]
00588313 0385 22040000 ADD EAX,DWORD PTR SS:[EBP+422]
00588319 50 PUSH EAX
0058831A 53 PUSH EBX
0058831B 8D85 75040000 LEA EAX,DWORD PTR SS:[EBP+475]
00588321 50 PUSH EAX
00588322 57 PUSH EDI
00588323 E9 98000000 JMP SRCP395P.005883C0
00588328 81E3 FFFFFF7F AND EBX,7FFFFFFF
0058832E 8B85 26040000 MOV EAX,DWORD PTR SS:[EBP+426]
00588334 3985 45050000 CMP DWORD PTR SS:[EBP+545],EAX
0058833A 75 24 JNZ SHORT SRCP395P.00588360
0058833C 57 PUSH EDI
0058833D 8BD3 MOV EDX,EBX
0058833F 4A DEC EDX
00588340 C1E2 02 SHL EDX,2
00588343 8B9D 45050000 MOV EBX,DWORD PTR SS:[EBP+545]
00588349 8B7B 3C MOV EDI,DWORD PTR DS:[EBX+3C]
0058834C 8B7C3B 78 MOV EDI,DWORD PTR DS:[EBX+EDI+78>
00588350 035C3B 1C ADD EBX,DWORD PTR DS:[EBX+EDI+1C>
00588354 8B0413 MOV EAX,DWORD PTR DS:[EBX+EDX]
00588357 0385 45050000 ADD EAX,DWORD PTR SS:[EBP+545]
0058835D 5F POP EDI
0058835E EB 16 JMP SHORT SRCP395P.00588376
00588360 57 PUSH EDI
00588361 8B46 0C MOV EAX,DWORD PTR DS:[ESI+C]
00588364 0385 22040000 ADD EAX,DWORD PTR SS:[EBP+422]
0058836A 50 PUSH EAX
0058836B 53 PUSH EBX
0058836C 8D85 C6040000 LEA EAX,DWORD PTR SS:[EBP+4C6]
00588372 50 PUSH EAX
00588373 57 PUSH EDI
00588374 EB 4A JMP SHORT SRCP395P.005883C0
00588376 8907 MOV DWORD PTR DS:[EDI],EAX
00588378 8385 49050000 04 ADD DWORD PTR SS:[EBP+549],4
0058837F ^ E9 32FFFFFF JMP SRCP395P.005882B6
00588384 8906 MOV DWORD PTR DS:[ESI],EAX
00588386 8946 0C MOV DWORD PTR DS:[ESI+C],EAX
00588389 8946 10 MOV DWORD PTR DS:[ESI+10],EAX
0058838C 83C6 14 ADD ESI,14
0058838F 8B95 22040000 MOV EDX,DWORD PTR SS:[EBP+422]
00588395 ^ E9 EBFEFFFF JMP SRCP395P.00588285
0058839A B8 AC3F0C00 MOV EAX,0C3FAC
0058839F 50 PUSH EAX
005883A0 0385 22040000 ADD EAX,DWORD PTR SS:[EBP+422]
005883A6 59 POP ECX
005883A7 0BC9 OR ECX,ECX
005883A9 8985 A8030000 MOV DWORD PTR SS:[EBP+3A8],EAX
005883AF 61 POPAD
005883B0 75 08 JNZ SHORT SRCP395P.005883BA ;f8执行到005883BA
005883B2 B8 01000000 MOV EAX,1
005883B7 C2 0C00 RETN 0C
005883BA 68 AC3F4C00 PUSH SRCP395P.004C3FAC ; F8大的转移,4c3fac即为程序真争的入口点
005883BF C3 RETN ; F8前往程序的入口点的
04C3FAB 0055 8B ADD BYTE PTR SS:[EBP-75],DL ; 此处为RETN的返回地址,程序的入口点,但是其显示的是4C3FAB.
004C3FAE EC IN AL,DX ; I/O 命令
004C3FAF 83C4 F0 ADD ESP,-10
004C3FB2 53 PUSH EBX
004C3FB3 56 PUSH ESI
004C3FB4 B8 643C4C00 MOV EAX,SRCP395P.004C3C64
004C3FB9 E8 2E2FF4FF CALL SRCP395P.00406EEC
004C3FBE 8B35 C86B4C00 MOV ESI,DWORD PTR DS:[4C6BC8] ; SRCP395P.004C7C30
004C3FC4 8B06 MOV EAX,DWORD PTR DS:[ESI]
004C3FC6 E8 BD0FFAFF CALL SRCP395P.00464F88
004C3FCB 8B06 MOV EAX,DWORD PTR DS:[ESI]
004C3FCD BA E0404C00 MOV EDX,SRCP395P.004C40E0
004C3FD2 E8 BD0BFAFF CALL SRCP395P.00464B94
004C3FD7 68 EC404C00 PUSH SRCP395P.004C40EC
004C3FDC 6A 00 PUSH 0
004C3FDE 6A 00 PUSH 0
004C3FE0 E8 BF30F4FF CALL SRCP395P.004070A4
004C3FE5 8BD8 MOV EBX,EAX
004C3FE7 E8 8831F4FF CALL SRCP395P.00407174
004C3FEC 3D B7000000 CMP EAX,0B7
004C3FF1 0F84 BB000000 JE SRCP395P.004C40B2
004C3FF7 8B06 MOV EAX,DWORD PTR DS:[ESI]
用ollyDBG的ollyDBGDUMP抓取内存文件,在抓取时取掉rebuild import这项。
不要关闭ollyDBG,打开imprec找到scr395pro,在OEP中输入004C3FAC(程序的真正入口点),执行“自动查找IAT”――获取输入表,修复转存文件即可。
以下是次软件的爆破过程。
脱壳后用PEID 载入文件,显示为此软件用Borland Delphi6.0-7.0编写
04C3440 /$ 55 PUSH EBP ; 4C3440到4C3883为启动检验是否注册的大循环
004C3441 |. 8BEC MOV EBP,ESP
004C3443 |. 81C4 0CFEFFFF ADD ESP,-1F4
004C3449 |. 53 PUSH EBX
004C344A |. 56 PUSH ESI
004C344B |. 57 PUSH EDI
004C344C |. 33D2 XOR EDX,EDX ;将EDX置零
004C344E |. 8995 0CFEFFFF MOV DWORD PTR SS:[EBP-1F4],EDX
004C3454 |. 8995 10FEFFFF MOV DWORD PTR SS:[EBP-1F0],EDX
004C345A |. 8995 14FEFFFF MOV DWORD PTR SS:[EBP-1EC],EDX
004C3460 |. 8995 18FEFFFF MOV DWORD PTR SS:[EBP-1E8],EDX
004C3466 |. 8995 1CFEFFFF MOV DWORD PTR SS:[EBP-1E4],EDX
004C346C |. 8995 24FEFFFF MOV DWORD PTR SS:[EBP-1DC],EDX
004C3472 |. 8995 20FEFFFF MOV DWORD PTR SS:[EBP-1E0],EDX
004C3478 |. 8995 28FEFFFF MOV DWORD PTR SS:[EBP-1D8],EDX
004C347E |. 8995 2CFEFFFF MOV DWORD PTR SS:[EBP-1D4],EDX
004C3484 |. 8955 FC MOV DWORD PTR SS:[EBP-4],EDX
004C3487 |. 8BF0 MOV ESI,EAX
004C3489 |. 33C0 XOR EAX,EAX ;将EAX置零
004C348B |. 55 PUSH EBP
004C348C |. 68 84384C00 PUSH UPACKPRT.004C3884
004C3491 |. 64:FF30 PUSH DWORD PTR FS:[EAX]
004C3494 |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
004C3497 |. B2 01 MOV DL,1
004C3499 |. A1 A09B4600 MOV EAX,DWORD PTR DS:[469BA0]
004C349E |. E8 FD67FAFF CALL UPACKPRT.00469CA0
004C34A3 |. 8BD8 MOV EBX,EAX
004C34A5 |. BA 02000080 MOV EDX,80000002
004C34AA |. 8BC3 MOV EAX,EBX
004C34AC |. E8 8F68FAFF CALL UPACKPRT.00469D40
004C34B1 |. B1 01 MOV CL,1
004C34B3 |. BA 9C384C00 MOV EDX,UPACKPRT.004C389C ; software\udver
004C34B8 |. 8BC3 MOV EAX,EBX
004C34BA |. E8 C569FAFF CALL UPACKPRT.00469E84
004C34BF |. BA B4384C00 MOV EDX,UPACKPRT.004C38B4 ; spl
004C34C4 |. 8BC3 MOV EAX,EBX
004C34C6 |. E8 196FFAFF CALL UPACKPRT.0046A3E4
004C34CB |. 84C0 TEST AL,AL ; 测试AL是不是为空
004C34CD 0F85 24030000 JNZ UPACKPRT.004C37F7 ; 改为:JMP 004C37F5跳过下面两个注册窗口
004C34D3 |. 8D85 2CFEFFFF LEA EAX,DWORD PTR SS:[EBP-1D4]
004C34D9 |. E8 CEBDFFFF CALL UPACKPRT.004BF2AC
004C34DE |. 8D85 2CFEFFFF LEA EAX,DWORD PTR SS:[EBP-1D4]
004C34E4 |. BA C0384C00 MOV EDX,UPACKPRT.004C38C0 ; \msudspl.dll
004C34E9 |. E8 A618F4FF CALL UPACKPRT.00404D94
004C34EE |. 8B85 2CFEFFFF MOV EAX,DWORD PTR SS:[EBP-1D4]
004C34F4 |. E8 3360F4FF CALL UPACKPRT.0040952C
004C34F9 |. 84C0 TEST AL,AL
004C34FB |. 0F84 8E020000 JE UPACKPRT.004C378F
004C3501 |. 8D85 28FEFFFF LEA EAX,DWORD PTR SS:[EBP-1D8]
004C3507 |. E8 A0BDFFFF CALL UPACKPRT.004BF2AC
004C350C |. 8D85 28FEFFFF LEA EAX,DWORD PTR SS:[EBP-1D8]
004C3512 |. BA C0384C00 MOV EDX,UPACKPRT.004C38C0 ; \msudspl.dll
004C3517 |. E8 7818F4FF CALL UPACKPRT.00404D94
004C351C |. 8B95 28FEFFFF MOV EDX,DWORD PTR SS:[EBP-1D8]
004C3522 |. 8D85 30FEFFFF LEA EAX,DWORD PTR SS:[EBP-1D0]
004C3528 |. E8 C7F9F3FF CALL UPACKPRT.00402EF4
004C352D |. 8D85 30FEFFFF LEA EAX,DWORD PTR SS:[EBP-1D0]
004C3533 |. E8 4CF7F3FF CALL UPACKPRT.00402C84
004C3538 |. E8 6FF3F3FF CALL UPACKPRT.004028AC
004C353D |. 8D55 FC LEA EDX,DWORD PTR SS:[EBP-4]
004C3540 |. 8D85 30FEFFFF LEA EAX,DWORD PTR SS:[EBP-1D0]
004C3546 |. E8 95FEF3FF CALL UPACKPRT.004033E0
004C354B |. 8D85 30FEFFFF LEA EAX,DWORD PTR SS:[EBP-1D0]
004C3551 |. E8 F6FEF3FF CALL UPACKPRT.0040344C
004C3556 |. E8 51F3F3FF CALL UPACKPRT.004028AC
004C355B |. 8D85 30FEFFFF LEA EAX,DWORD PTR SS:[EBP-1D0]
004C3561 |. E8 0AFBF3FF CALL UPACKPRT.00403070
004C3566 |. E8 41F3F3FF CALL UPACKPRT.004028AC
004C356B |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004C356E |. E8 815DF4FF CALL UPACKPRT.004092F4
004C3573 |. 8BF8 MOV EDI,EAX
004C3575 |. 85FF TEST EDI,EDI
004C3577 |. 7E 05 JLE SHORT UPACKPRT.004C357E
004C3579 |. 83FF 0F CMP EDI,0F
004C357C 7E 73 JLE SHORT UPACKPRT.004C35F1
004C357E |> 33C9 XOR ECX,ECX
004C3580 |. BA B4384C00 MOV EDX,UPACKPRT.004C38B4 ; spl
004C3585 |. 8BC3 MOV EAX,EBX
004C3587 |. E8 946CFAFF CALL UPACKPRT.0046A220
004C358C |. 33D2 XOR EDX,EDX
004C358E |. 8B86 B0030000 MOV EAX,DWORD PTR DS:[ESI+3B0]
004C3594 |. 8B08 MOV ECX,DWORD PTR DS:[EAX]
004C3596 |. FF51 64 CALL DWORD PTR DS:[ECX+64]
004C3599 |. B2 01 MOV DL,1
004C359B |. 8B86 F4030000 MOV EAX,DWORD PTR DS:[ESI+3F4]
004C35A1 |. E8 8E1AF8FF CALL UPACKPRT.00445034
004C35A6 |. BA D8384C00 MOV EDX,UPACKPRT.004C38D8 ; 注册
004C35AB |. 8B86 00040000 MOV EAX,DWORD PTR DS:[ESI+400]
004C35B1 |. E8 8A5DFCFF CALL UPACKPRT.00489340
004C35B6 |. BA E8384C00 MOV EDX,UPACKPRT.004C38E8 ; 软件试用期已到,如要继续使用请注册,谢谢!
004C35BB |. 8B86 FC030000 MOV EAX,DWORD PTR DS:[ESI+3FC]
004C35C1 |. E8 7E1BF8FF CALL UPACKPRT.00445144
004C35C6 |. 6A 01 PUSH 1
004C35C8 |. 68 14394C00 PUSH UPACKPRT.004C3914
004C35CD |. 68 14394C00 PUSH UPACKPRT.004C3914
004C35D2 |. 68 18394C00 PUSH UPACKPRT.004C3918 ; 2acK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4Z5j5i4u0W2j5X3q4F1K9#2)9J5k6h3y4G2L8g2)9J5k6h3y4F1i4K6u0r3M7$3!0X3N6q4)9J5c8Y4y4G2k6Y4c8T1N6i4W2Q4x3X3g2H3K9s2m8Q4x3@1k6K6L8$3W2V1i4K6y4p5x3e0l9^5x3e0f1`.
004C35D7 |. 68 50394C00 PUSH UPACKPRT.004C3950 ; open
004C35DC |. A1 C87D4C00 MOV EAX,DWORD PTR DS:[4C7DC8]
004C35E1 |. E8 B681F8FF CALL UPACKPRT.0044B79C
004C35E6 |. 50 PUSH EAX ; |hWnd
004C35E7 |. E8 A849F7FF CALL <JMP.&shell32.ShellExecuteA> ; \ShellExecuteA
004C35EC |. E9 6D020000 JMP UPACKPRT.004C385E
004C35F1 83FF 04 CMP EDI,4
004C35F4 0F8F 0A010000 JG UPACKPRT.004C3704
004C35FA |. 33D2 XOR EDX,EDX
004C35FC |. 8B86 B0030000 MOV EAX,DWORD PTR DS:[ESI+3B0]
004C3602 |. 8B08 MOV ECX,DWORD PTR DS:[EAX]
004C3604 |. FF51 64 CALL DWORD PTR DS:[ECX+64]
004C3607 |. B2 01 MOV DL,1
004C3609 |. 8B86 F4030000 MOV EAX,DWORD PTR DS:[ESI+3F4]
004C360F |. E8 201AF8FF CALL UPACKPRT.00445034
004C3614 |. 68 60394C00 PUSH UPACKPRT.004C3960 ; 您还能再使用
004C3619 |. 8D95 20FEFFFF LEA EDX,DWORD PTR SS:[EBP-1E0]
004C361F |. 8BC7 MOV EAX,EDI
004C3621 |. 48 DEC EAX
004C3622 |. E8 2D5CF4FF CALL UPACKPRT.00409254
004C3627 |. FFB5 20FEFFFF PUSH DWORD PTR SS:[EBP-1E0]
004C362D |. 68 78394C00 PUSH UPACKPRT.004C3978 ; 次,请注册后再继续使用私人磁盘,或者及时将存放在私人磁盘中的文件取出,谢谢!
004C3632 |. 8D85 24FEFFFF LEA EAX,DWORD PTR SS:[EBP-1DC]
004C3638 |. BA 03000000 MOV EDX,3
004C363D |. E8 0A18F4FF CALL UPACKPRT.00404E4C
004C3642 |. 8B95 24FEFFFF MOV EDX,DWORD PTR SS:[EBP-1DC]
004C3648 |. 8B86 FC030000 MOV EAX,DWORD PTR DS:[ESI+3FC]
004C364E |. E8 F11AF8FF CALL UPACKPRT.00445144
004C3653 |. 6A 01 PUSH 1
004C3655 |. 68 14394C00 PUSH UPACKPRT.004C3914
004C365A |. 68 14394C00 PUSH UPACKPRT.004C3914
004C365F |. 68 18394C00 PUSH UPACKPRT.004C3918 ; cdaK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4Z5j5i4u0W2j5X3q4F1K9#2)9J5k6h3y4G2L8g2)9J5k6h3y4F1i4K6u0r3M7$3!0X3N6q4)9J5c8Y4y4G2k6Y4c8T1N6i4W2Q4x3X3g2H3K9s2m8Q4x3@1k6K6L8$3W2V1i4K6y4p5x3e0l9^5x3e0f1`.
004C3664 |. 68 50394C00 PUSH UPACKPRT.004C3950 ; open
004C3669 |. A1 C87D4C00 MOV EAX,DWORD PTR DS:[4C7DC8]
004C366E |. E8 2981F8FF CALL UPACKPRT.0044B79C
004C3673 |. 50 PUSH EAX ; |hWnd
004C3674 |. E8 1B49F7FF CALL <JMP.&shell32.ShellExecuteA> ; \ShellExecuteA
004C3679 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004C367C |. E8 735CF4FF CALL UPACKPRT.004092F4
004C3681 |. 48 DEC EAX
004C3682 |. 8D95 1CFEFFFF LEA EDX,DWORD PTR SS:[EBP-1E4]
004C3688 |. E8 C75BF4FF CALL UPACKPRT.00409254
004C368D |. 8B95 1CFEFFFF MOV EDX,DWORD PTR SS:[EBP-1E4]
004C3693 |. 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
004C3696 |. E8 D114F4FF CALL UPACKPRT.00404B6C
004C369B |. 8D85 18FEFFFF LEA EAX,DWORD PTR SS:[EBP-1E8]
004C36A1 |. E8 06BCFFFF CALL UPACKPRT.004BF2AC
004C36A6 |. 8D85 18FEFFFF LEA EAX,DWORD PTR SS:[EBP-1E8]
004C36AC |. BA C0384C00 MOV EDX,UPACKPRT.004C38C0 ; \msudspl.dll
004C36B1 |. E8 DE16F4FF CALL UPACKPRT.00404D94
004C36B6 |. 8B95 18FEFFFF MOV EDX,DWORD PTR SS:[EBP-1E8]
004C36BC |. 8D85 30FEFFFF LEA EAX,DWORD PTR SS:[EBP-1D0]
004C36C2 |. E8 2DF8F3FF CALL UPACKPRT.00402EF4
004C36C7 |. 8D85 30FEFFFF LEA EAX,DWORD PTR SS:[EBP-1D0]
004C36CD |. E8 BEF5F3FF CALL UPACKPRT.00402C90
004C36D2 |. E8 D5F1F3FF CALL UPACKPRT.004028AC
004C36D7 |. 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
004C36DA |. 8D85 30FEFFFF LEA EAX,DWORD PTR SS:[EBP-1D0]
004C36E0 |. E8 BB1AF4FF CALL UPACKPRT.004051A0
004C36E5 |. E8 CA00F4FF CALL UPACKPRT.004037B4
004C36EA |. E8 BDF1F3FF CALL UPACKPRT.004028AC
004C36EF |. 8D85 30FEFFFF LEA EAX,DWORD PTR SS:[EBP-1D0]
004C36F5 |. E8 76F9F3FF CALL UPACKPRT.00403070
004C36FA |. E8 ADF1F3FF CALL UPACKPRT.004028AC
004C36FF |. E9 5A010000 JMP UPACKPRT.004C385E
004C3704 |> 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004C3707 |. E8 E85BF4FF CALL UPACKPRT.004092F4
004C370C |. 48 DEC EAX
004C370D |. 8D95 14FEFFFF LEA EDX,DWORD PTR SS:[EBP-1EC]
004C3713 |. E8 3C5BF4FF CALL UPACKPRT.00409254
004C3718 |. 8B95 14FEFFFF MOV EDX,DWORD PTR SS:[EBP-1EC]
004C371E |. 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
004C3721 |. E8 4614F4FF CALL UPACKPRT.00404B6C
004C3726 |. 8D85 10FEFFFF LEA EAX,DWORD PTR SS:[EBP-1F0]
004C372C |. E8 7BBBFFFF CALL UPACKPRT.004BF2AC
004C3731 |. 8D85 10FEFFFF LEA EAX,DWORD PTR SS:[EBP-1F0]
004C3737 |. BA C0384C00 MOV EDX,UPACKPRT.004C38C0 ; \msudspl.dll
004C373C |. E8 5316F4FF CALL UPACKPRT.00404D94
004C3741 |. 8B95 10FEFFFF MOV EDX,DWORD PTR SS:[EBP-1F0]
004C3747 |. 8D85 30FEFFFF LEA EAX,DWORD PTR SS:[EBP-1D0]
004C374D |. E8 A2F7F3FF CALL UPACKPRT.00402EF4
004C3752 |. 8D85 30FEFFFF LEA EAX,DWORD PTR SS:[EBP-1D0]
004C3758 |. E8 33F5F3FF CALL UPACKPRT.00402C90
004C375D |. E8 4AF1F3FF CALL UPACKPRT.004028AC
004C3762 |. 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
004C3765 |. 8D85 30FEFFFF LEA EAX,DWORD PTR SS:[EBP-1D0]
004C376B |. E8 301AF4FF CALL UPACKPRT.004051A0
004C3770 |. E8 3F00F4FF CALL UPACKPRT.004037B4
004C3775 |. E8 32F1F3FF CALL UPACKPRT.004028AC
004C377A |. 8D85 30FEFFFF LEA EAX,DWORD PTR SS:[EBP-1D0]
004C3780 |. E8 EBF8F3FF CALL UPACKPRT.00403070
004C3785 |. E8 22F1F3FF CALL UPACKPRT.004028AC
004C378A |. E9 C8000000 JMP UPACKPRT.004C3857
004C378F |> 8D85 0CFEFFFF LEA EAX,DWORD PTR SS:[EBP-1F4]
004C3795 |. E8 12BBFFFF CALL UPACKPRT.004BF2AC
004C379A |. 8D85 0CFEFFFF LEA EAX,DWORD PTR SS:[EBP-1F4]
004C37A0 |. BA C0384C00 MOV EDX,UPACKPRT.004C38C0 ; \msudspl.dll
004C37A5 |. E8 EA15F4FF CALL UPACKPRT.00404D94
004C37AA |. 8B95 0CFEFFFF MOV EDX,DWORD PTR SS:[EBP-1F4]
004C37B0 |. 8D85 30FEFFFF LEA EAX,DWORD PTR SS:[EBP-1D0]
004C37B6 |. E8 39F7F3FF CALL UPACKPRT.00402EF4
004C37BB |. 8D85 30FEFFFF LEA EAX,DWORD PTR SS:[EBP-1D0]
004C37C1 |. E8 CAF4F3FF CALL UPACKPRT.00402C90
004C37C6 |. E8 E1F0F3FF CALL UPACKPRT.004028AC
004C37CB |. BA D0394C00 MOV EDX,UPACKPRT.004C39D0 ; 15
004C37D0 |. 8D85 30FEFFFF LEA EAX,DWORD PTR SS:[EBP-1D0]
004C37D6 |. E8 C519F4FF CALL UPACKPRT.004051A0
004C37DB |. E8 D4FFF3FF CALL UPACKPRT.004037B4
004C37E0 |. E8 C7F0F3FF CALL UPACKPRT.004028AC
004C37E5 |. 8D85 30FEFFFF LEA EAX,DWORD PTR SS:[EBP-1D0]
004C37EB |. E8 80F8F3FF CALL UPACKPRT.00403070
004C37F0 |. E8 B7F0F3FF CALL UPACKPRT.004028AC
004C37F5 |. EB 60 JMP SHORT UPACKPRT.004C3857
004C37F7 |> 33D2 XOR EDX,EDX
004C37F9 |. 8B86 B0030000 MOV EAX,DWORD PTR DS:[ESI+3B0]
004C37FF |. 8B08 MOV ECX,DWORD PTR DS:[EAX]
004C3801 |. FF51 64 CALL DWORD PTR DS:[ECX+64]
004C3804 |. B2 01 MOV DL,1
004C3806 |. 8B86 F4030000 MOV EAX,DWORD PTR DS:[ESI+3F4]
004C380C |. E8 2318F8FF CALL UPACKPRT.00445034
004C3811 |. BA E8384C00 MOV EDX,UPACKPRT.004C38E8 ; 软件试用期已到,如要继续使用请注册,谢谢!
004C3816 |. 8B86 FC030000 MOV EAX,DWORD PTR DS:[ESI+3FC]
004C381C |. E8 2319F8FF CALL UPACKPRT.00445144
004C3821 |. BA D8384C00 MOV EDX,UPACKPRT.004C38D8 ; 注册
004C3826 |. 8B86 00040000 MOV EAX,DWORD PTR DS:[ESI+400]
004C382C |. E8 0F5BFCFF CALL UPACKPRT.00489340 ; 关键call
004C3831 |. 6A 01 PUSH 1
004C3833 |. 68 14394C00 PUSH UPACKPRT.004C3914
004C3838 |. 68 14394C00 PUSH UPACKPRT.004C3914
004C383D |. 68 18394C00 PUSH UPACKPRT.004C3918 ; 11cK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4Z5j5i4u0W2j5X3q4F1K9#2)9J5k6h3y4G2L8g2)9J5k6h3y4F1i4K6u0r3M7$3!0X3N6q4)9J5c8Y4y4G2k6Y4c8T1N6i4W2Q4x3X3g2H3K9s2m8Q4x3@1k6K6L8$3W2V1i4K6y4p5x3e0l9^5x3e0f1`.
004C3842 |. 68 50394C00 PUSH UPACKPRT.004C3950 ; open
004C3847 |. A1 C87D4C00 MOV EAX,DWORD PTR DS:[4C7DC8]
004C384C |. E8 4B7FF8FF CALL UPACKPRT.0044B79C
004C3851 |. 50 PUSH EAX ; |hWnd
004C3852 |. E8 3D47F7FF CALL <JMP.&shell32.ShellExecuteA> ; \ShellExecuteA
004C3857 |> 8BC3 MOV EAX,EBX
004C3859 |. E8 EA04F4FF CALL UPACKPRT.00403D48
004C385E |> 33C0 XOR EAX,EAX
004C3860 |. 5A POP EDX
004C3861 |. 59 POP ECX
004C3862 |. 59 POP ECX
004C3863 |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
004C3866 |. 68 8B384C00 PUSH UPACKPRT.004C388B
004C386B |> 8D85 0CFEFFFF LEA EAX,DWORD PTR SS:[EBP-1F4]
004C3871 |. BA 09000000 MOV EDX,9
004C3876 |. E8 7D12F4FF CALL UPACKPRT.00404AF8
004C387B |. 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
004C387E |. E8 5112F4FF CALL UPACKPRT.00404AD4
004C3883 \. C3 RETN
【脱文标题】 手动脱壳入门Aspack2.12
【脱文作者】 //phantom//[ghoster]
【作者邮箱】webmast9492@163.com
【使用工具】 Peid、Ollydbg 、ImportREC
【脱壳平台】 Win98/XP
【软件名称】 私人磁盘管理
【软件简介】 Aspack 2.12加壳的
【软件大小】 418K
【加壳方式】 ASPack 2.12 -> Alexey Solodovnikov
【脱壳声明】 为了技术而破解,别无所求。
好,我们这次脱Aspack2.12的壳看看它的特性。
首先必须的工具要准备好,
附件中壳为PEiD查壳为ASPack 2.12 -> Alexey Solodovnikov
手动脱壳建议大家用Ollydbg,工作平台,Win98系统,哎电脑破么^_^
手动脱壳时,用Olldbg载入程序,脱壳程序里面会有有好多循环。对付循环时,只能让程序往前运行,基本不
能让它往回跳,要想法跳出循环圈。不要用Peid查入口,单步跟踪,提高手动找入口能力。
用OD载入程序后。
确定一个入口警告,OD提示软件可能有自解压或自修改功能,当然,因为它加了壳。
停在这里
00588001 > 60 PUSHAD ;asppack 的特点与popad相对应,F8单步跟踪
00588002 E8 03000000 CALL SRCP395P.0058800A ;
00588007 - E9 EB045D45 JMP 45B584F7
0058800C 55 PUSH EBP
0058800D C3 RETN
0058800E E8 01000000 CALL SRCP395P.00588014
00588013 EB 5D JMP SHORT SRCP395P.00588072
00588015 BB EDFFFFFF MOV EBX,-13
0058801A 03DD ADD EBX,EBP
0058801C 81EB 00801800 SUB EBX,188000
00588022 83BD 22040000 00 CMP DWORD PTR SS:[EBP+422],0
00588029 899D 22040000 MOV DWORD PTR SS:[EBP+422],EBX
0058802F 0F85 65030000 JNZ SRCP395P.0058839A
00588035 8D85 2E040000 LEA EAX,DWORD PTR SS:[EBP+42E]
0058803B 50 PUSH EAX
0058803C FF95 4D0F0000 CALL DWORD PTR SS:[EBP+F4D]
00588042 8985 26040000 MOV DWORD PTR SS:[EBP+426],EAX
00588048 8BF8 MOV EDI,EAX
0058804A 8D5D 5E LEA EBX,DWORD PTR SS:[EBP+5E]
0058804D 53 PUSH EBX
0058804E 50 PUSH EAX
0058804F FF95 490F0000 CALL DWORD PTR SS:[EBP+F49]
00588055 8985 4D050000 MOV DWORD PTR SS:[EBP+54D],EAX
0058805B 8D5D 6B LEA EBX,DWORD PTR SS:[EBP+6B]
0058805E 53 PUSH EBX
0058805F 57 PUSH EDI
00588060 FF95 490F0000 CALL DWORD PTR SS:[EBP+F49]
00588066 8985 51050000 MOV DWORD PTR SS:[EBP+551],EAX
0058806C 8D45 77 LEA EAX,DWORD PTR SS:[EBP+77]
0058806F FFE0 JMP EAX
00588071 56 PUSH ESI
00588072 6972 74 75616C41 IMUL ESI,DWORD PTR DS:[EDX+74],4>
00588079 6C INS BYTE PTR ES:[EDI],DX ; I/O 命令
0058807A 6C INS BYTE PTR ES:[EDI],DX ; I/O 命令
0058807B 6F OUTS DX,DWORD PTR ES:[EDI] ; I/O 命令
0058807C 6300 ARPL WORD PTR DS:[EAX],AX
0058807E 56 PUSH ESI
0058807F 6972 74 75616C46 IMUL ESI,DWORD PTR DS:[EDX+74],4>
00588086 72 65 JB SHORT SRCP395P.005880ED
00588088 65:008B 9D310500 ADD BYTE PTR GS:[EBX+5319D],CL
0058808F 000B ADD BYTE PTR DS:[EBX],CL
00588091 DB ??? ; 未知命令
00588092 74 0A JE SHORT SRCP395P.0058809E
00588094 8B03 MOV EAX,DWORD PTR DS:[EBX]
00588096 8785 35050000 XCHG DWORD PTR SS:[EBP+535],EAX
0058809C 8903 MOV DWORD PTR DS:[EBX],EAX
0058809E 8DB5 69050000 LEA ESI,DWORD PTR SS:[EBP+569]
005880A4 833E 00 CMP DWORD PTR DS:[ESI],0
005880A7 0F84 21010000 JE SRCP395P.005881CE
005880AD 6A 04 PUSH 4
005880AF 68 00100000 PUSH 1000
005880B4 68 00180000 PUSH 1800
005880B9 6A 00 PUSH 0
005880BB FF95 4D050000 CALL DWORD PTR SS:[EBP+54D]
005880C1 8985 56010000 MOV DWORD PTR SS:[EBP+156],EAX
005880C7 8B46 04 MOV EAX,DWORD PTR DS:[ESI+4]
005880CA 05 0E010000 ADD EAX,10E
005880CF 6A 04 PUSH 4
005880D1 68 00100000 PUSH 1000
005880D6 50 PUSH EAX
005880D7 6A 00 PUSH 0
005880D9 FF95 4D050000 CALL DWORD PTR SS:[EBP+54D]
005880DF 8985 52010000 MOV DWORD PTR SS:[EBP+152],EAX
005880E5 56 PUSH ESI
005880E6 8B1E MOV EBX,DWORD PTR DS:[ESI]
005880E8 039D 22040000 ADD EBX,DWORD PTR SS:[EBP+422]
005880EE FFB5 56010000 PUSH DWORD PTR SS:[EBP+156]
005880F4 FF76 04 PUSH DWORD PTR DS:[ESI+4]
005880F7 50 PUSH EAX
005880F8 53 PUSH EBX
005880F9 E8 6E050000 CALL SRCP395P.0058866C
005880FE B3 01 MOV BL,1
00588100 80FB 00 CMP BL,0
00588103 75 5E JNZ SHORT SRCP395P.00588163
00588105 FE85 EC000000 INC BYTE PTR SS:[EBP+EC]
0058810B 8B3E MOV EDI,DWORD PTR DS:[ESI]
0058810D 03BD 22040000 ADD EDI,DWORD PTR SS:[EBP+422]
00588113 FF37 PUSH DWORD PTR DS:[EDI]
00588115 C607 C3 MOV BYTE PTR DS:[EDI],0C3
00588118 FFD7 CALL EDI
0058811A 8F07 POP DWORD PTR DS:[EDI]
0058811C 50 PUSH EAX
0058811D 51 PUSH ECX
0058811E 56 PUSH ESI
0058811F 53 PUSH EBX
00588120 8BC8 MOV ECX,EAX
00588122 83E9 06 SUB ECX,6
00588125 8BB5 52010000 MOV ESI,DWORD PTR SS:[EBP+152]
0058812B 33DB XOR EBX,EBX
0058812D 0BC9 OR ECX,ECX
0058812F 74 2E JE SHORT SRCP395P.0058815F
00588131 78 2C JS SHORT SRCP395P.0058815F
00588133 AC LODS BYTE PTR DS:[ESI]
00588134 3C E8 CMP AL,0E8
00588136 74 0A JE SHORT SRCP395P.00588142
00588138 EB 00 JMP SHORT SRCP395P.0058813A
0058813A 3C E9 CMP AL,0E9
0058813C 74 04 JE SHORT SRCP395P.00588142
0058813E 43 INC EBX
0058813F 49 DEC ECX
00588140 ^ EB EB JMP SHORT SRCP395P.0058812D
00588142 8B06 MOV EAX,DWORD PTR DS:[ESI]
00588144 EB 00 JMP SHORT SRCP395P.00588146
00588146 803E 19 CMP BYTE PTR DS:[ESI],19
00588149 ^ 75 F3 JNZ SHORT SRCP395P.0058813E
0058814B 24 00 AND AL,0
0058814D C1C0 18 ROL EAX,18
00588150 2BC3 SUB EAX,EBX
00588152 8906 MOV DWORD PTR DS:[ESI],EAX
00588154 83C3 05 ADD EBX,5
00588157 83C6 04 ADD ESI,4
0058815A 83E9 05 SUB ECX,5
0058815D ^ EB CE JMP SHORT SRCP395P.0058812D
0058815F 5B POP EBX
00588160 5E POP ESI
00588161 59 POP ECX
00588162 58 POP EAX
00588163 EB 08 JMP SHORT SRCP395P.0058816D
00588165 0000 ADD BYTE PTR DS:[EAX],AL
00588167 CF IRETD
00588168 0000 ADD BYTE PTR DS:[EAX],AL
0058816A 00CE ADD DH,CL
0058816C 008B C88B3E03 ADD BYTE PTR DS:[EBX+33E8BC8],CL
00588172 BD 22040000 MOV EBP,422
00588177 8BB5 52010000 MOV ESI,DWORD PTR SS:[EBP+152]
0058817D C1F9 02 SAR ECX,2
00588180 F3:A5 REP MOVS DWORD PTR ES:[EDI],DWOR>
00588182 8BC8 MOV ECX,EAX
00588184 83E1 03 AND ECX,3
00588187 F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE >
00588189 5E POP ESI
0058818A 68 00800000 PUSH 8000
0058818F 6A 00 PUSH 0
00588191 FFB5 52010000 PUSH DWORD PTR SS:[EBP+152]
00588197 FF95 51050000 CALL DWORD PTR SS:[EBP+551]
0058819D 83C6 08 ADD ESI,8
005881A0 833E 00 CMP DWORD PTR DS:[ESI],0
005881A3 ^ 0F85 1EFFFFFF JNZ SRCP395P.005880C7
005881A9 68 00800000 PUSH 8000
005881AE 6A 00 PUSH 0
005881B0 FFB5 56010000 PUSH DWORD PTR SS:[EBP+156]
005881B6 FF95 51050000 CALL DWORD PTR SS:[EBP+551]
005881BC 8B9D 31050000 MOV EBX,DWORD PTR SS:[EBP+531]
005881C2 0BDB OR EBX,EBX
005881C4 74 08 JE SHORT SRCP395P.005881CE
005881C6 8B03 MOV EAX,DWORD PTR DS:[EBX]
005881C8 8785 35050000 XCHG DWORD PTR SS:[EBP+535],EAX
005881CE 8B95 22040000 MOV EDX,DWORD PTR SS:[EBP+422]
005881D4 8B85 2D050000 MOV EAX,DWORD PTR SS:[EBP+52D]
005881DA 2BD0 SUB EDX,EAX
005881DC 74 79 JE SHORT SRCP395P.00588257
005881DE 8BC2 MOV EAX,EDX
005881E0 C1E8 10 SHR EAX,10
005881E3 33DB XOR EBX,EBX
005881E5 8BB5 39050000 MOV ESI,DWORD PTR SS:[EBP+539]
005881EB 03B5 22040000 ADD ESI,DWORD PTR SS:[EBP+422]
005881F1 833E 00 CMP DWORD PTR DS:[ESI],0
005881F4 74 61 JE SHORT SRCP395P.00588257
005881F6 8B4E 04 MOV ECX,DWORD PTR DS:[ESI+4]
005881F9 83E9 08 SUB ECX,8
005881FC D1E9 SHR ECX,1
005881FE 8B3E MOV EDI,DWORD PTR DS:[ESI]
00588200 03BD 22040000 ADD EDI,DWORD PTR SS:[EBP+422]
00588206 83C6 08 ADD ESI,8
00588209 66:8B1E MOV BX,WORD PTR DS:[ESI]
0058820C C1EB 0C SHR EBX,0C
0058820F 83FB 01 CMP EBX,1
00588212 74 0C JE SHORT SRCP395P.00588220
00588214 83FB 02 CMP EBX,2
00588217 74 16 JE SHORT SRCP395P.0058822F
00588219 83FB 03 CMP EBX,3
0058821C 74 20 JE SHORT SRCP395P.0058823E
0058821E EB 2C JMP SHORT SRCP395P.0058824C
00588220 66:8B1E MOV BX,WORD PTR DS:[ESI]
00588223 81E3 FF0F0000 AND EBX,0FFF
00588229 66:01041F ADD WORD PTR DS:[EDI+EBX],AX
0058822D EB 1D JMP SHORT SRCP395P.0058824C
0058822F 66:8B1E MOV BX,WORD PTR DS:[ESI]
00588232 81E3 FF0F0000 AND EBX,0FFF
00588238 66:01141F ADD WORD PTR DS:[EDI+EBX],DX
0058823C EB 0E JMP SHORT SRCP395P.0058824C
0058823E 66:8B1E MOV BX,WORD PTR DS:[ESI]
00588241 81E3 FF0F0000 AND EBX,0FFF
00588247 01141F ADD DWORD PTR DS:[EDI+EBX],EDX
0058824A EB 00 JMP SHORT SRCP395P.0058824C
0058824C 66:830E FF OR WORD PTR DS:[ESI],0FFFF
00588250 83C6 02 ADD ESI,2
00588253 ^ E2 B4 LOOPD SHORT SRCP395P.00588209
00588255 ^ EB 9A JMP SHORT SRCP395P.005881F1
00588257 8B95 22040000 MOV EDX,DWORD PTR SS:[EBP+422]
0058825D 8BB5 41050000 MOV ESI,DWORD PTR SS:[EBP+541]
00588263 0BF6 OR ESI,ESI
00588265 74 11 JE SHORT SRCP395P.00588278
00588267 03F2 ADD ESI,EDX
00588269 AD LODS DWORD PTR DS:[ESI]
0058826A 0BC0 OR EAX,EAX
0058826C 74 0A JE SHORT SRCP395P.00588278
0058826E 03C2 ADD EAX,EDX
00588270 8BF8 MOV EDI,EAX
00588272 66:AD LODS WORD PTR DS:[ESI]
00588274 66:AB STOS WORD PTR ES:[EDI]
00588276 ^ EB F1 JMP SHORT SRCP395P.00588269
00588278 BE 00800C00 MOV ESI,0C8000
0058827D 8B95 22040000 MOV EDX,DWORD PTR SS:[EBP+422]
00588283 03F2 ADD ESI,EDX
00588285 8B46 0C MOV EAX,DWORD PTR DS:[ESI+C]
00588288 85C0 TEST EAX,EAX
0058828A 0F84 0A010000 JE SRCP395P.0058839A
00588290 03C2 ADD EAX,EDX
00588292 8BD8 MOV EBX,EAX
00588294 50 PUSH EAX
00588295 FF95 4D0F0000 CALL DWORD PTR SS:[EBP+F4D]
0058829B 85C0 TEST EAX,EAX
0058829D 75 07 JNZ SHORT SRCP395P.005882A6
0058829F 53 PUSH EBX
005882A0 FF95 510F0000 CALL DWORD PTR SS:[EBP+F51]
005882A6 8985 45050000 MOV DWORD PTR SS:[EBP+545],EAX
005882AC C785 49050000 00000000 MOV DWORD PTR SS:[EBP+549],0
005882B6 8B95 22040000 MOV EDX,DWORD PTR SS:[EBP+422]
005882BC 8B06 MOV EAX,DWORD PTR DS:[ESI]
005882BE 85C0 TEST EAX,EAX
005882C0 75 03 JNZ SHORT SRCP395P.005882C5
005882C2 8B46 10 MOV EAX,DWORD PTR DS:[ESI+10]
005882C5 03C2 ADD EAX,EDX
005882C7 0385 49050000 ADD EAX,DWORD PTR SS:[EBP+549]
005882CD 8B18 MOV EBX,DWORD PTR DS:[EAX]
005882CF 8B7E 10 MOV EDI,DWORD PTR DS:[ESI+10]
005882D2 03FA ADD EDI,EDX
005882D4 03BD 49050000 ADD EDI,DWORD PTR SS:[EBP+549]
005882DA 85DB TEST EBX,EBX
005882DC 0F84 A2000000 JE SRCP395P.00588384
005882E2 F7C3 00000080 TEST EBX,80000000
005882E8 75 04 JNZ SHORT SRCP395P.005882EE
005882EA 03DA ADD EBX,EDX
005882EC 43 INC EBX
005882ED 43 INC EBX
005882EE 53 PUSH EBX
005882EF 81E3 FFFFFF7F AND EBX,7FFFFFFF
005882F5 53 PUSH EBX
005882F6 FFB5 45050000 PUSH DWORD PTR SS:[EBP+545]
005882FC FF95 490F0000 CALL DWORD PTR SS:[EBP+F49]
00588302 85C0 TEST EAX,EAX
00588304 5B POP EBX
00588305 75 6F JNZ SHORT SRCP395P.00588376
00588307 F7C3 00000080 TEST EBX,80000000
0058830D 75 19 JNZ SHORT SRCP395P.00588328
0058830F 57 PUSH EDI
00588310 8B46 0C MOV EAX,DWORD PTR DS:[ESI+C]
00588313 0385 22040000 ADD EAX,DWORD PTR SS:[EBP+422]
00588319 50 PUSH EAX
0058831A 53 PUSH EBX
0058831B 8D85 75040000 LEA EAX,DWORD PTR SS:[EBP+475]
00588321 50 PUSH EAX
00588322 57 PUSH EDI
00588323 E9 98000000 JMP SRCP395P.005883C0
00588328 81E3 FFFFFF7F AND EBX,7FFFFFFF
0058832E 8B85 26040000 MOV EAX,DWORD PTR SS:[EBP+426]
00588334 3985 45050000 CMP DWORD PTR SS:[EBP+545],EAX
0058833A 75 24 JNZ SHORT SRCP395P.00588360
0058833C 57 PUSH EDI
0058833D 8BD3 MOV EDX,EBX
0058833F 4A DEC EDX
00588340 C1E2 02 SHL EDX,2
00588343 8B9D 45050000 MOV EBX,DWORD PTR SS:[EBP+545]
00588349 8B7B 3C MOV EDI,DWORD PTR DS:[EBX+3C]
0058834C 8B7C3B 78 MOV EDI,DWORD PTR DS:[EBX+EDI+78>
00588350 035C3B 1C ADD EBX,DWORD PTR DS:[EBX+EDI+1C>
00588354 8B0413 MOV EAX,DWORD PTR DS:[EBX+EDX]
00588357 0385 45050000 ADD EAX,DWORD PTR SS:[EBP+545]
0058835D 5F POP EDI
0058835E EB 16 JMP SHORT SRCP395P.00588376
00588360 57 PUSH EDI
00588361 8B46 0C MOV EAX,DWORD PTR DS:[ESI+C]
00588364 0385 22040000 ADD EAX,DWORD PTR SS:[EBP+422]
0058836A 50 PUSH EAX
0058836B 53 PUSH EBX
0058836C 8D85 C6040000 LEA EAX,DWORD PTR SS:[EBP+4C6]
00588372 50 PUSH EAX
00588373 57 PUSH EDI
00588374 EB 4A JMP SHORT SRCP395P.005883C0
00588376 8907 MOV DWORD PTR DS:[EDI],EAX
00588378 8385 49050000 04 ADD DWORD PTR SS:[EBP+549],4
0058837F ^ E9 32FFFFFF JMP SRCP395P.005882B6
00588384 8906 MOV DWORD PTR DS:[ESI],EAX
00588386 8946 0C MOV DWORD PTR DS:[ESI+C],EAX
00588389 8946 10 MOV DWORD PTR DS:[ESI+10],EAX
0058838C 83C6 14 ADD ESI,14
0058838F 8B95 22040000 MOV EDX,DWORD PTR SS:[EBP+422]
00588395 ^ E9 EBFEFFFF JMP SRCP395P.00588285
0058839A B8 AC3F0C00 MOV EAX,0C3FAC
0058839F 50 PUSH EAX
005883A0 0385 22040000 ADD EAX,DWORD PTR SS:[EBP+422]
005883A6 59 POP ECX
005883A7 0BC9 OR ECX,ECX
005883A9 8985 A8030000 MOV DWORD PTR SS:[EBP+3A8],EAX
005883AF 61 POPAD
005883B0 75 08 JNZ SHORT SRCP395P.005883BA ;f8执行到005883BA
005883B2 B8 01000000 MOV EAX,1
005883B7 C2 0C00 RETN 0C
005883BA 68 AC3F4C00 PUSH SRCP395P.004C3FAC ; F8大的转移,4c3fac即为程序真争的入口点
005883BF C3 RETN ; F8前往程序的入口点的
04C3FAB 0055 8B ADD BYTE PTR SS:[EBP-75],DL ; 此处为RETN的返回地址,程序的入口点,但是其显示的是4C3FAB.
004C3FAE EC IN AL,DX ; I/O 命令
004C3FAF 83C4 F0 ADD ESP,-10
004C3FB2 53 PUSH EBX
004C3FB3 56 PUSH ESI
004C3FB4 B8 643C4C00 MOV EAX,SRCP395P.004C3C64
004C3FB9 E8 2E2FF4FF CALL SRCP395P.00406EEC
004C3FBE 8B35 C86B4C00 MOV ESI,DWORD PTR DS:[4C6BC8] ; SRCP395P.004C7C30
004C3FC4 8B06 MOV EAX,DWORD PTR DS:[ESI]
004C3FC6 E8 BD0FFAFF CALL SRCP395P.00464F88
004C3FCB 8B06 MOV EAX,DWORD PTR DS:[ESI]
004C3FCD BA E0404C00 MOV EDX,SRCP395P.004C40E0
004C3FD2 E8 BD0BFAFF CALL SRCP395P.00464B94
004C3FD7 68 EC404C00 PUSH SRCP395P.004C40EC
004C3FDC 6A 00 PUSH 0
004C3FDE 6A 00 PUSH 0
004C3FE0 E8 BF30F4FF CALL SRCP395P.004070A4
004C3FE5 8BD8 MOV EBX,EAX
004C3FE7 E8 8831F4FF CALL SRCP395P.00407174
004C3FEC 3D B7000000 CMP EAX,0B7
004C3FF1 0F84 BB000000 JE SRCP395P.004C40B2
004C3FF7 8B06 MOV EAX,DWORD PTR DS:[ESI]
用ollyDBG的ollyDBGDUMP抓取内存文件,在抓取时取掉rebuild import这项。
不要关闭ollyDBG,打开imprec找到scr395pro,在OEP中输入004C3FAC(程序的真正入口点),执行“自动查找IAT”――获取输入表,修复转存文件即可。
以下是次软件的爆破过程。
脱壳后用PEID 载入文件,显示为此软件用Borland Delphi6.0-7.0编写
04C3440 /$ 55 PUSH EBP ; 4C3440到4C3883为启动检验是否注册的大循环
004C3441 |. 8BEC MOV EBP,ESP
004C3443 |. 81C4 0CFEFFFF ADD ESP,-1F4
004C3449 |. 53 PUSH EBX
004C344A |. 56 PUSH ESI
004C344B |. 57 PUSH EDI
004C344C |. 33D2 XOR EDX,EDX ;将EDX置零
004C344E |. 8995 0CFEFFFF MOV DWORD PTR SS:[EBP-1F4],EDX
004C3454 |. 8995 10FEFFFF MOV DWORD PTR SS:[EBP-1F0],EDX
004C345A |. 8995 14FEFFFF MOV DWORD PTR SS:[EBP-1EC],EDX
004C3460 |. 8995 18FEFFFF MOV DWORD PTR SS:[EBP-1E8],EDX
004C3466 |. 8995 1CFEFFFF MOV DWORD PTR SS:[EBP-1E4],EDX
004C346C |. 8995 24FEFFFF MOV DWORD PTR SS:[EBP-1DC],EDX
004C3472 |. 8995 20FEFFFF MOV DWORD PTR SS:[EBP-1E0],EDX
004C3478 |. 8995 28FEFFFF MOV DWORD PTR SS:[EBP-1D8],EDX
004C347E |. 8995 2CFEFFFF MOV DWORD PTR SS:[EBP-1D4],EDX
004C3484 |. 8955 FC MOV DWORD PTR SS:[EBP-4],EDX
004C3487 |. 8BF0 MOV ESI,EAX
004C3489 |. 33C0 XOR EAX,EAX ;将EAX置零
004C348B |. 55 PUSH EBP
004C348C |. 68 84384C00 PUSH UPACKPRT.004C3884
004C3491 |. 64:FF30 PUSH DWORD PTR FS:[EAX]
004C3494 |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
004C3497 |. B2 01 MOV DL,1
004C3499 |. A1 A09B4600 MOV EAX,DWORD PTR DS:[469BA0]
004C349E |. E8 FD67FAFF CALL UPACKPRT.00469CA0
004C34A3 |. 8BD8 MOV EBX,EAX
004C34A5 |. BA 02000080 MOV EDX,80000002
004C34AA |. 8BC3 MOV EAX,EBX
004C34AC |. E8 8F68FAFF CALL UPACKPRT.00469D40
004C34B1 |. B1 01 MOV CL,1
004C34B3 |. BA 9C384C00 MOV EDX,UPACKPRT.004C389C ; software\udver
004C34B8 |. 8BC3 MOV EAX,EBX
004C34BA |. E8 C569FAFF CALL UPACKPRT.00469E84
004C34BF |. BA B4384C00 MOV EDX,UPACKPRT.004C38B4 ; spl
004C34C4 |. 8BC3 MOV EAX,EBX
004C34C6 |. E8 196FFAFF CALL UPACKPRT.0046A3E4
004C34CB |. 84C0 TEST AL,AL ; 测试AL是不是为空
004C34CD 0F85 24030000 JNZ UPACKPRT.004C37F7 ; 改为:JMP 004C37F5跳过下面两个注册窗口
004C34D3 |. 8D85 2CFEFFFF LEA EAX,DWORD PTR SS:[EBP-1D4]
004C34D9 |. E8 CEBDFFFF CALL UPACKPRT.004BF2AC
004C34DE |. 8D85 2CFEFFFF LEA EAX,DWORD PTR SS:[EBP-1D4]
004C34E4 |. BA C0384C00 MOV EDX,UPACKPRT.004C38C0 ; \msudspl.dll
004C34E9 |. E8 A618F4FF CALL UPACKPRT.00404D94
004C34EE |. 8B85 2CFEFFFF MOV EAX,DWORD PTR SS:[EBP-1D4]
004C34F4 |. E8 3360F4FF CALL UPACKPRT.0040952C
004C34F9 |. 84C0 TEST AL,AL
004C34FB |. 0F84 8E020000 JE UPACKPRT.004C378F
004C3501 |. 8D85 28FEFFFF LEA EAX,DWORD PTR SS:[EBP-1D8]
004C3507 |. E8 A0BDFFFF CALL UPACKPRT.004BF2AC
004C350C |. 8D85 28FEFFFF LEA EAX,DWORD PTR SS:[EBP-1D8]
004C3512 |. BA C0384C00 MOV EDX,UPACKPRT.004C38C0 ; \msudspl.dll
004C3517 |. E8 7818F4FF CALL UPACKPRT.00404D94
004C351C |. 8B95 28FEFFFF MOV EDX,DWORD PTR SS:[EBP-1D8]
004C3522 |. 8D85 30FEFFFF LEA EAX,DWORD PTR SS:[EBP-1D0]
004C3528 |. E8 C7F9F3FF CALL UPACKPRT.00402EF4
004C352D |. 8D85 30FEFFFF LEA EAX,DWORD PTR SS:[EBP-1D0]
004C3533 |. E8 4CF7F3FF CALL UPACKPRT.00402C84
004C3538 |. E8 6FF3F3FF CALL UPACKPRT.004028AC
004C353D |. 8D55 FC LEA EDX,DWORD PTR SS:[EBP-4]
004C3540 |. 8D85 30FEFFFF LEA EAX,DWORD PTR SS:[EBP-1D0]
004C3546 |. E8 95FEF3FF CALL UPACKPRT.004033E0
004C354B |. 8D85 30FEFFFF LEA EAX,DWORD PTR SS:[EBP-1D0]
004C3551 |. E8 F6FEF3FF CALL UPACKPRT.0040344C
004C3556 |. E8 51F3F3FF CALL UPACKPRT.004028AC
004C355B |. 8D85 30FEFFFF LEA EAX,DWORD PTR SS:[EBP-1D0]
004C3561 |. E8 0AFBF3FF CALL UPACKPRT.00403070
004C3566 |. E8 41F3F3FF CALL UPACKPRT.004028AC
004C356B |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004C356E |. E8 815DF4FF CALL UPACKPRT.004092F4
004C3573 |. 8BF8 MOV EDI,EAX
004C3575 |. 85FF TEST EDI,EDI
004C3577 |. 7E 05 JLE SHORT UPACKPRT.004C357E
004C3579 |. 83FF 0F CMP EDI,0F
004C357C 7E 73 JLE SHORT UPACKPRT.004C35F1
004C357E |> 33C9 XOR ECX,ECX
004C3580 |. BA B4384C00 MOV EDX,UPACKPRT.004C38B4 ; spl
004C3585 |. 8BC3 MOV EAX,EBX
004C3587 |. E8 946CFAFF CALL UPACKPRT.0046A220
004C358C |. 33D2 XOR EDX,EDX
004C358E |. 8B86 B0030000 MOV EAX,DWORD PTR DS:[ESI+3B0]
004C3594 |. 8B08 MOV ECX,DWORD PTR DS:[EAX]
004C3596 |. FF51 64 CALL DWORD PTR DS:[ECX+64]
004C3599 |. B2 01 MOV DL,1
004C359B |. 8B86 F4030000 MOV EAX,DWORD PTR DS:[ESI+3F4]
004C35A1 |. E8 8E1AF8FF CALL UPACKPRT.00445034
004C35A6 |. BA D8384C00 MOV EDX,UPACKPRT.004C38D8 ; 注册
004C35AB |. 8B86 00040000 MOV EAX,DWORD PTR DS:[ESI+400]
004C35B1 |. E8 8A5DFCFF CALL UPACKPRT.00489340
004C35B6 |. BA E8384C00 MOV EDX,UPACKPRT.004C38E8 ; 软件试用期已到,如要继续使用请注册,谢谢!
004C35BB |. 8B86 FC030000 MOV EAX,DWORD PTR DS:[ESI+3FC]
004C35C1 |. E8 7E1BF8FF CALL UPACKPRT.00445144
004C35C6 |. 6A 01 PUSH 1
004C35C8 |. 68 14394C00 PUSH UPACKPRT.004C3914
004C35CD |. 68 14394C00 PUSH UPACKPRT.004C3914
004C35D2 |. 68 18394C00 PUSH UPACKPRT.004C3918 ; 2acK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4Z5j5i4u0W2j5X3q4F1K9#2)9J5k6h3y4G2L8g2)9J5k6h3y4F1i4K6u0r3M7$3!0X3N6q4)9J5c8Y4y4G2k6Y4c8T1N6i4W2Q4x3X3g2H3K9s2m8Q4x3@1k6K6L8$3W2V1i4K6y4p5x3e0l9^5x3e0f1`.
004C35D7 |. 68 50394C00 PUSH UPACKPRT.004C3950 ; open
004C35DC |. A1 C87D4C00 MOV EAX,DWORD PTR DS:[4C7DC8]
004C35E1 |. E8 B681F8FF CALL UPACKPRT.0044B79C
004C35E6 |. 50 PUSH EAX ; |hWnd
004C35E7 |. E8 A849F7FF CALL <JMP.&shell32.ShellExecuteA> ; \ShellExecuteA
004C35EC |. E9 6D020000 JMP UPACKPRT.004C385E
004C35F1 83FF 04 CMP EDI,4
004C35F4 0F8F 0A010000 JG UPACKPRT.004C3704
004C35FA |. 33D2 XOR EDX,EDX
004C35FC |. 8B86 B0030000 MOV EAX,DWORD PTR DS:[ESI+3B0]
004C3602 |. 8B08 MOV ECX,DWORD PTR DS:[EAX]
004C3604 |. FF51 64 CALL DWORD PTR DS:[ECX+64]
004C3607 |. B2 01 MOV DL,1
004C3609 |. 8B86 F4030000 MOV EAX,DWORD PTR DS:[ESI+3F4]
004C360F |. E8 201AF8FF CALL UPACKPRT.00445034
004C3614 |. 68 60394C00 PUSH UPACKPRT.004C3960 ; 您还能再使用
004C3619 |. 8D95 20FEFFFF LEA EDX,DWORD PTR SS:[EBP-1E0]
004C361F |. 8BC7 MOV EAX,EDI
004C3621 |. 48 DEC EAX
004C3622 |. E8 2D5CF4FF CALL UPACKPRT.00409254
004C3627 |. FFB5 20FEFFFF PUSH DWORD PTR SS:[EBP-1E0]
004C362D |. 68 78394C00 PUSH UPACKPRT.004C3978 ; 次,请注册后再继续使用私人磁盘,或者及时将存放在私人磁盘中的文件取出,谢谢!
004C3632 |. 8D85 24FEFFFF LEA EAX,DWORD PTR SS:[EBP-1DC]
004C3638 |. BA 03000000 MOV EDX,3
004C363D |. E8 0A18F4FF CALL UPACKPRT.00404E4C
004C3642 |. 8B95 24FEFFFF MOV EDX,DWORD PTR SS:[EBP-1DC]
004C3648 |. 8B86 FC030000 MOV EAX,DWORD PTR DS:[ESI+3FC]
004C364E |. E8 F11AF8FF CALL UPACKPRT.00445144
004C3653 |. 6A 01 PUSH 1
004C3655 |. 68 14394C00 PUSH UPACKPRT.004C3914
004C365A |. 68 14394C00 PUSH UPACKPRT.004C3914
004C365F |. 68 18394C00 PUSH UPACKPRT.004C3918 ; cdaK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4Z5j5i4u0W2j5X3q4F1K9#2)9J5k6h3y4G2L8g2)9J5k6h3y4F1i4K6u0r3M7$3!0X3N6q4)9J5c8Y4y4G2k6Y4c8T1N6i4W2Q4x3X3g2H3K9s2m8Q4x3@1k6K6L8$3W2V1i4K6y4p5x3e0l9^5x3e0f1`.
004C3664 |. 68 50394C00 PUSH UPACKPRT.004C3950 ; open
004C3669 |. A1 C87D4C00 MOV EAX,DWORD PTR DS:[4C7DC8]
004C366E |. E8 2981F8FF CALL UPACKPRT.0044B79C
004C3673 |. 50 PUSH EAX ; |hWnd
004C3674 |. E8 1B49F7FF CALL <JMP.&shell32.ShellExecuteA> ; \ShellExecuteA
004C3679 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004C367C |. E8 735CF4FF CALL UPACKPRT.004092F4
004C3681 |. 48 DEC EAX
004C3682 |. 8D95 1CFEFFFF LEA EDX,DWORD PTR SS:[EBP-1E4]
004C3688 |. E8 C75BF4FF CALL UPACKPRT.00409254
004C368D |. 8B95 1CFEFFFF MOV EDX,DWORD PTR SS:[EBP-1E4]
004C3693 |. 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
004C3696 |. E8 D114F4FF CALL UPACKPRT.00404B6C
004C369B |. 8D85 18FEFFFF LEA EAX,DWORD PTR SS:[EBP-1E8]
004C36A1 |. E8 06BCFFFF CALL UPACKPRT.004BF2AC
004C36A6 |. 8D85 18FEFFFF LEA EAX,DWORD PTR SS:[EBP-1E8]
004C36AC |. BA C0384C00 MOV EDX,UPACKPRT.004C38C0 ; \msudspl.dll
004C36B1 |. E8 DE16F4FF CALL UPACKPRT.00404D94
004C36B6 |. 8B95 18FEFFFF MOV EDX,DWORD PTR SS:[EBP-1E8]
004C36BC |. 8D85 30FEFFFF LEA EAX,DWORD PTR SS:[EBP-1D0]
004C36C2 |. E8 2DF8F3FF CALL UPACKPRT.00402EF4
004C36C7 |. 8D85 30FEFFFF LEA EAX,DWORD PTR SS:[EBP-1D0]
004C36CD |. E8 BEF5F3FF CALL UPACKPRT.00402C90
004C36D2 |. E8 D5F1F3FF CALL UPACKPRT.004028AC
004C36D7 |. 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
004C36DA |. 8D85 30FEFFFF LEA EAX,DWORD PTR SS:[EBP-1D0]
004C36E0 |. E8 BB1AF4FF CALL UPACKPRT.004051A0
004C36E5 |. E8 CA00F4FF CALL UPACKPRT.004037B4
004C36EA |. E8 BDF1F3FF CALL UPACKPRT.004028AC
004C36EF |. 8D85 30FEFFFF LEA EAX,DWORD PTR SS:[EBP-1D0]
004C36F5 |. E8 76F9F3FF CALL UPACKPRT.00403070
004C36FA |. E8 ADF1F3FF CALL UPACKPRT.004028AC
004C36FF |. E9 5A010000 JMP UPACKPRT.004C385E
004C3704 |> 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004C3707 |. E8 E85BF4FF CALL UPACKPRT.004092F4
004C370C |. 48 DEC EAX
004C370D |. 8D95 14FEFFFF LEA EDX,DWORD PTR SS:[EBP-1EC]
004C3713 |. E8 3C5BF4FF CALL UPACKPRT.00409254
004C3718 |. 8B95 14FEFFFF MOV EDX,DWORD PTR SS:[EBP-1EC]
004C371E |. 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
004C3721 |. E8 4614F4FF CALL UPACKPRT.00404B6C
004C3726 |. 8D85 10FEFFFF LEA EAX,DWORD PTR SS:[EBP-1F0]
004C372C |. E8 7BBBFFFF CALL UPACKPRT.004BF2AC
004C3731 |. 8D85 10FEFFFF LEA EAX,DWORD PTR SS:[EBP-1F0]
004C3737 |. BA C0384C00 MOV EDX,UPACKPRT.004C38C0 ; \msudspl.dll
004C373C |. E8 5316F4FF CALL UPACKPRT.00404D94
004C3741 |. 8B95 10FEFFFF MOV EDX,DWORD PTR SS:[EBP-1F0]
004C3747 |. 8D85 30FEFFFF LEA EAX,DWORD PTR SS:[EBP-1D0]
004C374D |. E8 A2F7F3FF CALL UPACKPRT.00402EF4
004C3752 |. 8D85 30FEFFFF LEA EAX,DWORD PTR SS:[EBP-1D0]
004C3758 |. E8 33F5F3FF CALL UPACKPRT.00402C90
004C375D |. E8 4AF1F3FF CALL UPACKPRT.004028AC
004C3762 |. 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
004C3765 |. 8D85 30FEFFFF LEA EAX,DWORD PTR SS:[EBP-1D0]
004C376B |. E8 301AF4FF CALL UPACKPRT.004051A0
004C3770 |. E8 3F00F4FF CALL UPACKPRT.004037B4
004C3775 |. E8 32F1F3FF CALL UPACKPRT.004028AC
004C377A |. 8D85 30FEFFFF LEA EAX,DWORD PTR SS:[EBP-1D0]
004C3780 |. E8 EBF8F3FF CALL UPACKPRT.00403070
004C3785 |. E8 22F1F3FF CALL UPACKPRT.004028AC
004C378A |. E9 C8000000 JMP UPACKPRT.004C3857
004C378F |> 8D85 0CFEFFFF LEA EAX,DWORD PTR SS:[EBP-1F4]
004C3795 |. E8 12BBFFFF CALL UPACKPRT.004BF2AC
004C379A |. 8D85 0CFEFFFF LEA EAX,DWORD PTR SS:[EBP-1F4]
004C37A0 |. BA C0384C00 MOV EDX,UPACKPRT.004C38C0 ; \msudspl.dll
004C37A5 |. E8 EA15F4FF CALL UPACKPRT.00404D94
004C37AA |. 8B95 0CFEFFFF MOV EDX,DWORD PTR SS:[EBP-1F4]
004C37B0 |. 8D85 30FEFFFF LEA EAX,DWORD PTR SS:[EBP-1D0]
004C37B6 |. E8 39F7F3FF CALL UPACKPRT.00402EF4
004C37BB |. 8D85 30FEFFFF LEA EAX,DWORD PTR SS:[EBP-1D0]
004C37C1 |. E8 CAF4F3FF CALL UPACKPRT.00402C90
004C37C6 |. E8 E1F0F3FF CALL UPACKPRT.004028AC
004C37CB |. BA D0394C00 MOV EDX,UPACKPRT.004C39D0 ; 15
004C37D0 |. 8D85 30FEFFFF LEA EAX,DWORD PTR SS:[EBP-1D0]
004C37D6 |. E8 C519F4FF CALL UPACKPRT.004051A0
004C37DB |. E8 D4FFF3FF CALL UPACKPRT.004037B4
004C37E0 |. E8 C7F0F3FF CALL UPACKPRT.004028AC
004C37E5 |. 8D85 30FEFFFF LEA EAX,DWORD PTR SS:[EBP-1D0]
004C37EB |. E8 80F8F3FF CALL UPACKPRT.00403070
004C37F0 |. E8 B7F0F3FF CALL UPACKPRT.004028AC
004C37F5 |. EB 60 JMP SHORT UPACKPRT.004C3857
004C37F7 |> 33D2 XOR EDX,EDX
004C37F9 |. 8B86 B0030000 MOV EAX,DWORD PTR DS:[ESI+3B0]
004C37FF |. 8B08 MOV ECX,DWORD PTR DS:[EAX]
004C3801 |. FF51 64 CALL DWORD PTR DS:[ECX+64]
004C3804 |. B2 01 MOV DL,1
004C3806 |. 8B86 F4030000 MOV EAX,DWORD PTR DS:[ESI+3F4]
004C380C |. E8 2318F8FF CALL UPACKPRT.00445034
004C3811 |. BA E8384C00 MOV EDX,UPACKPRT.004C38E8 ; 软件试用期已到,如要继续使用请注册,谢谢!
004C3816 |. 8B86 FC030000 MOV EAX,DWORD PTR DS:[ESI+3FC]
004C381C |. E8 2319F8FF CALL UPACKPRT.00445144
004C3821 |. BA D8384C00 MOV EDX,UPACKPRT.004C38D8 ; 注册
004C3826 |. 8B86 00040000 MOV EAX,DWORD PTR DS:[ESI+400]
004C382C |. E8 0F5BFCFF CALL UPACKPRT.00489340 ; 关键call
004C3831 |. 6A 01 PUSH 1
004C3833 |. 68 14394C00 PUSH UPACKPRT.004C3914
004C3838 |. 68 14394C00 PUSH UPACKPRT.004C3914
004C383D |. 68 18394C00 PUSH UPACKPRT.004C3918 ; 11cK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4Z5j5i4u0W2j5X3q4F1K9#2)9J5k6h3y4G2L8g2)9J5k6h3y4F1i4K6u0r3M7$3!0X3N6q4)9J5c8Y4y4G2k6Y4c8T1N6i4W2Q4x3X3g2H3K9s2m8Q4x3@1k6K6L8$3W2V1i4K6y4p5x3e0l9^5x3e0f1`.
004C3842 |. 68 50394C00 PUSH UPACKPRT.004C3950 ; open
004C3847 |. A1 C87D4C00 MOV EAX,DWORD PTR DS:[4C7DC8]
004C384C |. E8 4B7FF8FF CALL UPACKPRT.0044B79C
004C3851 |. 50 PUSH EAX ; |hWnd
004C3852 |. E8 3D47F7FF CALL <JMP.&shell32.ShellExecuteA> ; \ShellExecuteA
004C3857 |> 8BC3 MOV EAX,EBX
004C3859 |. E8 EA04F4FF CALL UPACKPRT.00403D48
004C385E |> 33C0 XOR EAX,EAX
004C3860 |. 5A POP EDX
004C3861 |. 59 POP ECX
004C3862 |. 59 POP ECX
004C3863 |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
004C3866 |. 68 8B384C00 PUSH UPACKPRT.004C388B
004C386B |> 8D85 0CFEFFFF LEA EAX,DWORD PTR SS:[EBP-1F4]
004C3871 |. BA 09000000 MOV EDX,9
004C3876 |. E8 7D12F4FF CALL UPACKPRT.00404AF8
004C387B |. 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
004C387E |. E8 5112F4FF CALL UPACKPRT.00404AD4
004C3883 \. C3 RETN
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
