Title: Have a look at the code that needs patching back for this packer: Themida 1.8.x.x - 1.9.x.x
Author: 2000gaobo
Time: 2009-1-23 19:12
First, PEiD identifies the packer as: Themida 1.8.x.x - 1.9.x.x -> Oreans Technologies
1. Hide OD
2. Ignore all exceptions
OD loads and stops at:
005E0014 > B8 00000000 MOV EAX,0
005E0019 60 PUSHAD
005E001A 0BC0 OR EAX,EAX
005E001C 74 68 JE SHORT 丝路飞人.005E0086
005E001E E8 00000000 CALL 丝路飞人.005E0023
005E0023 58 POP EAX
005E0024 05 53000000 ADD EAX,53
005E0029 8038 E9 CMP BYTE PTR DS:[EAX],0E9
005E002C 75 13 JNZ SHORT 丝路飞人.005E0041
005E002E 61 POPAD
005E002F EB 45 JMP SHORT 丝路飞人.005E0076
005E0031 DB2D 37005E00 FLD TBYTE PTR DS:[5E0037]
005E0037 FFFF ??? ; unknown command
005E0039 FFFF ??? ; unknown command
005E003B FFFF ??? ; unknown command
005E003D FFFF ??? ; unknown command
005E003F 3D 40E80000 CMP EAX,0E840
005E0044 0000 ADD BYTE PTR DS:[EAX],AL
005E0046 58 POP EAX
005E0047 25 00F0FFFF AND EAX,FFFFF000
005E004C 33FF XOR EDI,EDI
005E004E 66:BB 195A MOV BX,5A19
Then run this script and it goes straight to the fake OEP:
0046F85B E8 D0ABFFFF CALL 丝路飞人.0046A430
0046F860 8965 84 MOV DWORD PTR SS:[EBP-7C],ESP
0046F863 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP
0046F866 8B45 84 MOV EAX,DWORD PTR SS:[EBP-7C]
0046F869 8945 90 MOV DWORD PTR SS:[EBP-70],EAX
0046F86C 8B4D 90 MOV ECX,DWORD PTR SS:[EBP-70]
0046F86F C701 94000000 MOV DWORD PTR DS:[ECX],94
0046F875 8B55 90 MOV EDX,DWORD PTR SS:[EBP-70]
0046F878 52 PUSH EDX
0046F879 FF15 20045500 CALL DWORD PTR DS:[550420] ; kernel32.GetVersionExA
0046F87F 8B45 90 MOV EAX,DWORD PTR SS:[EBP-70]
0046F882 8B48 10 MOV ECX,DWORD PTR DS:[EAX+10]
0046F885 890D 34035B00 MOV DWORD PTR DS:[5B0334],ECX
0046F88B 8B55 90 MOV EDX,DWORD PTR SS:[EBP-70]
0046F88E 8B42 04 MOV EAX,DWORD PTR DS:[EDX+4]
0046F891 A3 40035B00 MOV DWORD PTR DS:[5B0340],EAX
0046F896 8B4D 90 MOV ECX,DWORD PTR SS:[EBP-70]
0046F899 8B51 08 MOV EDX,DWORD PTR DS:[ECX+8]
0046F89C 8915 44035B00 MOV DWORD PTR DS:[5B0344],EDX
0046F8A2 8B45 90 MOV EAX,DWORD PTR SS:[EBP-70]
0046F8A5 8B48 0C MOV ECX,DWORD PTR DS:[EAX+C]
0046F8A8 81E1 FF7F0000 AND ECX,7FFF
0046F8AE 890D 38035B00 MOV DWORD PTR DS:[5B0338],ECX
0046F8B4 833D 34035B00 0>CMP DWORD PTR DS:[5B0334],2
At a glance it was written in VC++ 7.0; the code has just been stolen.
Could some expert help me find the stolen code, ideally with a tutorial? Thanks.
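Added example, not from the original post and not a tool from Oreans or OllyDbg: a small Python script that parses OllyDbg listing lines like the ones pasted above and applies the check that tells a fake OEP from a real one. A VC++ 6/7 CRT entry point opens with PUSH EBP / MOV EBP,ESP, registers an SEH frame and saves ESP into [EBP-18]; a listing that already reads and writes [EBP-xx] slots without ever having built that frame has lost its first instructions to the packer. The function names are mine, and the sample strings are copied from the two dumps above as constructed input. The script only confirms that the prologue is missing and which stack slots it touches; it does not recover the stolen bytes, which still have to be traced through the Themida code that executes them.

```python
"""Added example: check an OllyDbg dump taken at a suspected OEP for a stolen prologue.
MSVC CRT startup opens with PUSH EBP / MOV EBP,ESP and later does MOV [EBP-18],ESP; a
listing that touches [EBP-xx] without ever building that frame lost its first bytes."""
from __future__ import annotations
import re
from dataclasses import dataclass

BYTES_RE = re.compile(r"^(?:[0-9A-F]{2}:)?(?:[0-9A-F]{2})+$")   # "8965", "84", "66:BB"
HEXLIKE_MNEMONICS = {"FADD", "FABS"}        # all-hex words that are mnemonics, not bytes
EBP_REF_RE = re.compile(r"\[EBP(?:([+-])([0-9A-F]+))?\]")


@dataclass
class Insn:
    addr: int
    opcode: bytes
    mnemonic: str
    operands: str
    comment: str


def parse_olly_listing(text: str) -> list[Insn]:
    """Parse OllyDbg's 'ADDR [>] BYTES... MNEMONIC OPERANDS ; COMMENT' lines."""
    insns = []
    for raw in text.splitlines():
        body, _, comment = raw.partition(";")
        tokens = body.split()
        if not tokens:
            continue
        opcode, i = bytearray(), 1
        while i < len(tokens):
            tok = tokens[i]
            if tok == ">":                       # OllyDbg marks the current EIP with '>'
                i += 1
            elif ">" in tok:                     # clipped byte column, e.g. "0>CMP"
                tokens[i] = tok.split(">", 1)[1]
                break
            elif BYTES_RE.match(tok) and tok not in HEXLIKE_MNEMONICS:
                opcode += bytes.fromhex(tok.replace(":", ""))
                i += 1
            else:
                break                            # first non-byte token is the mnemonic
        mnemonic = tokens[i] if i < len(tokens) else ""
        insns.append(Insn(int(tokens[0], 16), bytes(opcode), mnemonic,
                          " ".join(tokens[i + 1:]), comment.strip()))
    return insns


def analyse_oep_candidate(insns: list[Insn]) -> dict:
    """Flag EBP-relative accesses made before any PUSH EBP / MOV EBP,ESP, plus CRT hints."""
    frame_set_at = first_ebp_ref = None
    slots, hints, prev = set(), [], None
    for ins in insns:
        ops = ins.operands.replace(" ", "").upper()
        if (frame_set_at is None and prev is not None and prev.mnemonic == "PUSH"
                and prev.operands.upper() == "EBP" and ins.mnemonic == "MOV" and ops == "EBP,ESP"):
            frame_set_at = prev.addr
        for sign, off in EBP_REF_RE.findall(ops):
            slots.add(-int(off, 16) if sign == "-" else int(off or "0", 16))
            if first_ebp_ref is None and frame_set_at is None:
                first_ebp_ref = ins.addr          # frame used before it was ever built
        if "GETVERSIONEXA" in ins.comment.upper():
            hints.append(f"{ins.addr:08X}: kernel32.GetVersionExA call, typical of MSVC CRT startup")
        if ins.mnemonic == "MOV" and ops == "DWORDPTRSS:[EBP-18],ESP":
            hints.append(f"{ins.addr:08X}: MOV [EBP-18],ESP, CRT startup saving ESP in its SEH frame")
        prev = ins
    return {"frame_set_at": frame_set_at, "first_ebp_ref": first_ebp_ref,
            "ebp_slots": sorted(slots), "hints": hints,
            "stolen_prologue_suspected": first_ebp_ref is not None and frame_set_at is None}


# Constructed sample input: a few lines of the Themida entry stub dump from the post.
ENTRY_STUB_LISTING = """\
005E0014 > B8 00000000 MOV EAX,0
005E0019 60 PUSHAD
005E0037 FFFF ??? ; unknown command
005E004E 66:BB 195A MOV BX,5A19
"""
# Constructed sample input: the first lines of the fake-OEP dump from the post.
FAKE_OEP_LISTING = """\
0046F85B E8 D0ABFFFF CALL 丝路飞人.0046A430
0046F860 8965 84 MOV DWORD PTR SS:[EBP-7C],ESP
0046F863 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP
0046F866 8B45 84 MOV EAX,DWORD PTR SS:[EBP-7C]
0046F869 8945 90 MOV DWORD PTR SS:[EBP-70],EAX
0046F86C 8B4D 90 MOV ECX,DWORD PTR SS:[EBP-70]
0046F86F C701 94000000 MOV DWORD PTR DS:[ECX],94
0046F875 8B55 90 MOV EDX,DWORD PTR SS:[EBP-70]
0046F878 52 PUSH EDX
0046F879 FF15 20045500 CALL DWORD PTR DS:[550420] ; kernel32.GetVersionExA
0046F87F 8B45 90 MOV EAX,DWORD PTR SS:[EBP-70]
0046F882 8B48 10 MOV ECX,DWORD PTR DS:[EAX+10]
0046F885 890D 34035B00 MOV DWORD PTR DS:[5B0334],ECX
"""

if __name__ == "__main__":
    for name, text in (("entry stub", ENTRY_STUB_LISTING), ("fake OEP", FAKE_OEP_LISTING)):
        print(name, analyse_oep_candidate(parse_olly_listing(text)))
```

Run it on a fresh dump by pasting the listing into a string; the report lists the [EBP-xx] slots the stolen prologue was supposed to set up (here -7C, -70 and -18), which is the frame layout you have to reproduce when you patch the code back.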
Welcome to [3.A.S.T] Network Security Enthusiasts (http://3ast.com/)