[Old post] [Help] Stuck cracking a UPX-packed cheat, asking for expert help! 0.00 雪花

Posted: 2008-2-1 14:47 2160
PEiD identifies it as UPX 0.89.6 - 1.02 / 1.05 - 1.24 (Delphi) stub -> Markus & Laszlo.
After unpacking it with an unpacker, the program shows as written in Borland C++ 1999, and it also runs, which suggests the packer has been removed.
But when I load it into OD again, it shows:
00401000 > /EB 10 jmp short 00401012
00401002 |66:623A bound di, dword ptr [edx]
00401005 |43 inc ebx
00401006 |2B2B sub ebp, dword ptr [ebx]
00401008 |48 dec eax
00401009 |4F dec edi
0040100A |4F dec edi
0040100B |4B dec ebx
0040100C |90 nop
0040100D -|E9 F8F64B00 jmp 008C070A
00401012 \A1 EBF64B00 mov eax, dword ptr [4BF6EB]
00401017 C1E0 02 shl eax, 2
0040101A A3 EFF64B00 mov dword ptr [4BF6EF], eax
0040101F 52 push edx
00401020 6A 00 push 0
00401022 E8 63CE0B00 call <jmp.&KERNEL32.GetModuleHandleA>
00401027 8BD0 mov edx, eax
00401029 E8 1AE00A00 call 004AF048
0040102E 5A pop edx
0040102F E8 78DF0A00 call 004AEFAC
00401034 E8 4FE00A00 call 004AF088
00401039 6A 00 push 0
0040103B E8 4CF30A00 call 004B038C
00401040 59 pop ecx
00401041 68 94F64B00 push 004BF694
00401046 6A 00 push 0
00401048 E8 3DCE0B00 call <jmp.&KERNEL32.GetModuleHandleA>
0040104D A3 F3F64B00 mov dword ptr [4BF6F3], eax
00401052 6A 00 push 0
00401054 - E9 177F0B00 jmp 004B8F70
00401059 > E9 7AF30A00 jmp 004B03D8
0040105E 33C0 xor eax, eax
00401060 A0 DDF64B00 mov al, byte ptr [4BF6DD]
00401065 C3 retn
00401066 A1 F3F64B00 mov eax, dword ptr [4BF6F3]
0040106B C3 retn
0040106C 60 pushad
0040106D BB 0050B0BC mov ebx, BCB05000
00401072 53 push ebx
00401073 68 AD0B0000 push 0BAD
00401078 C3 retn
When I run the program with F9, the code section never moves, and setting breakpoints doesn't work either.
Could an expert tell me whether the packer was not removed, or whether there is still some detection routine in the program?
I'm in a hurry to use it, so please help (I'm a newbie; I need this cheat and am trying to learn to crack it, but my skills are too poor).
The program is at badK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6e0p5$3x3$3c8A6M7$3E0Q4x3X3g2U0L8$3#2Q4x3V1k6H3K9h3y4C8i4K6u0W2j5i4y4H3P5q4)9K6c8X3y4G2k6r3g2Q4x3@1b7I4y4K6R3I4x3K6x3I4x3o6p5#2
It contains both the original program and the unpacked one.
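The question above is really "is this file still packed?". The following is an added example, not code from the post or from any tool it mentions: a small PE header parser that applies the same header-level cues a triage tool such as PEiD uses to flag a UPX-packed executable (section names beginning with UPX, a first section with no raw data, an entry point that is not in the first section). The two sample headers it examines are constructed in the script itself, so it runs offline; the section layouts, RVAs and the helper names are assumptions for illustration, not values taken from the file in the post.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

# Section table entry fields that matter for packer triage.
@dataclass
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    raw_size: int
    raw_pointer: int

    def contains_rva(self, rva: int) -> bool:
        span = max(self.virtual_size, self.raw_size)
        return self.virtual_address <= rva < self.virtual_address + span


def parse_pe(data: bytes) -> Tuple[int, List[Section]]:
    """Return (AddressOfEntryPoint, sections) from a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                    # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    table = opt + opt_size                             # section table
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("latin-1")
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append(Section(name, vaddr, vsize, rsize, rptr))
    return entry_rva, sections


def packer_indicators(data: bytes) -> List[str]:
    """Header-only heuristics; each string names one cue that fired."""
    entry_rva, sections = parse_pe(data)
    findings = []
    if any(s.name.upper().startswith("UPX") for s in sections):
        findings.append("upx-section-names")
    if sections and sections[0].raw_size == 0 and sections[0].virtual_size > 0:
        # UPX leaves the first section empty on disk; it is filled at run time.
        findings.append("first-section-no-raw-data")
    ep_section = next((s for s in sections if s.contains_rva(entry_rva)), None)
    if ep_section is None:
        findings.append("entry-point-outside-sections")
    elif ep_section is not sections[0]:
        # A compiler-linked binary normally starts in its first (code) section;
        # a packer stub usually lives in a later one.
        findings.append("entry-point-not-in-first-section")
    return findings


def is_probably_packed(data: bytes) -> bool:
    return bool(packer_indicators(data))


def build_pe(entry_rva: int, sections) -> bytes:
    """Constructed minimal PE32 header (no section bodies) for the demo."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)              # e_lfanew
    opt = bytearray(224)                               # standard PE32 size
    struct.pack_into("<H", opt, 0, 0x10B)              # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<I", opt, 28, 0x400000)          # ImageBase
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode(), vsize, vaddr, rsize, rptr, 0, 0, 0, 0, 0)
        for name, vaddr, vsize, rsize, rptr in sections)
    return bytes(dos) + b"PE\0\0" + coff + opt + table


# Constructed samples: a UPX-style layout and a plain compiler layout.
PACKED_SAMPLE = build_pe(0x9B00, [
    ("UPX0", 0x1000, 0x6000, 0x0000, 0x400),
    ("UPX1", 0x7000, 0x3000, 0x2800, 0x400),
    (".rsrc", 0xA000, 0x1000, 0x0800, 0x2C00),
])
UNPACKED_SAMPLE = build_pe(0x1000, [
    ("CODE", 0x1000, 0x40000, 0x40000, 0x400),
    ("DATA", 0x41000, 0x8000, 0x8000, 0x40400),
    (".rsrc", 0x49000, 0x1000, 0x1000, 0x48400),
])

if __name__ == "__main__":
    for label, sample in (("packed", PACKED_SAMPLE), ("unpacked", UNPACKED_SAMPLE)):
        print(label, packer_indicators(sample))
```

Run the script as-is to see the two verdicts, or replace the constructed samples with `open(path, "rb").read()` on a real file. An empty result only says the header looks like a normal linker output; it does not prove the code is clean, and a non-empty result on the "unpacked" file is the simplest evidence that the unpacker did not finish its job.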