PEiD v0.94 gives the following result:
Armadillo 3.78 - 4.xx -> Silicon Realms Toolworks
When opened in OD it says the entry point is outside the code range, possibly a self-extracting or self-modifying file.
Inside there is a lot of disassembly showing ???.
There are also comments saying "LOCK prefix not allowed" and "superfluous prefix".
Could someone tell me how to get started unpacking this?
Here is part of the code:
004E3000 > 60 PUSHAD
004E3001 E8 00000000 CALL Load_wy1.004E3006
004E3006 5D POP EBP
004E3007 50 PUSH EAX
004E3008 51 PUSH ECX
004E3009 0FCA BSWAP EDX
004E300B F7D2 NOT EDX
004E300D 9C PUSHFD
004E300E F7D2 NOT EDX
004E3010 0FCA BSWAP EDX
004E3012 EB 0F JMP SHORT Load_wy1.004E3023
004E3014 B9 EB0FB8EB MOV ECX,EBB80FEB
004E3019 07 POP ES ; Segment register modification
004E301A B9 EB0F90EB MOV ECX,EB900FEB
004E301F 08FD OR CH,BH
004E3021 EB 0B JMP SHORT Load_wy1.004E302E
004E3023 F2: PREFIX REPNE: ; Superfluous prefix; don't know what this is or what it does
004E3024 ^ EB F5 JMP SHORT Load_wy1.004E301B
004E3026 ^ EB F6 JMP SHORT Load_wy1.004E301E
004E3028 F2: PREFIX REPNE: ; Superfluous prefix
004E3029 EB 08 JMP SHORT Load_wy1.004E3033
004E302B FD STD
004E302C ^ EB E9 JMP SHORT Load_wy1.004E3017
004E302E F3: PREFIX REP: ; Superfluous prefix
004E302F ^ EB E4 JMP SHORT Load_wy1.004E3015
004E3031 FC CLD
004E3032 - E9 9D0FC98B JMP 8C173FD4
004E3037 CA F7D1 RETF 0D1F7 ; Far return
004E303A 59 POP ECX
004E303B 58 POP EAX
004E303C 50 PUSH EAX
004E303D 51 PUSH ECX
004E303E 0FCA BSWAP EDX
004E3040 F7D2 NOT EDX
004E3042 9C PUSHFD
004E3043 F7D2 NOT EDX
004E3045 0FCA BSWAP EDX
004E3047 EB 0F JMP SHORT Load_wy1.004E3058
004E3049 B9 EB0FB8EB MOV ECX,EBB80FEB
004E304E 07 POP ES ; Segment register modification
004E304F B9 EB0F90EB MOV ECX,EB900FEB
004E3054 08FD OR CH,BH
004E3056 EB 0B JMP SHORT Load_wy1.004E3063
004E3058 F2: PREFIX REPNE: ; Superfluous prefix
004E3059 ^ EB F5 JMP SHORT Load_wy1.004E3050
004E305B ^ EB F6 JMP SHORT Load_wy1.004E3053
004E305D F2: PREFIX REPNE: ; Superfluous prefix
004E305E EB 08 JMP SHORT Load_wy1.004E3068
004E3060 FD STD
004E3061 ^ EB E9 JMP SHORT Load_wy1.004E304C
004E3063 F3: PREFIX REP: ; Superfluous prefix
004E3064 ^ EB E4 JMP SHORT Load_wy1.004E304A
004E3066 FC CLD
004E3067 - E9 9D0FC98B JMP 8C174009
004E306C CA F7D1 RETF 0D1F7 ; Far return
004E306F 59 POP ECX
004E3070 58 POP EAX
004E3071 50 PUSH EAX
004E3072 51 PUSH ECX
004E3073 0FCA BSWAP EDX
004E3075 F7D2 NOT EDX
004E3077 9C PUSHFD
004E3078 F7D2 NOT EDX
004E307A 0FCA BSWAP EDX
004E307C EB 0F JMP SHORT Load_wy1.004E308D
004E307E B9 EB0FB8EB MOV ECX,EBB80FEB
004E3083 07 POP ES ; Segment register modification
004E3084 B9 EB0F90EB MOV ECX,EB900FEB
004E3089 08FD OR CH,BH
004E308B EB 0B JMP SHORT Load_wy1.004E3098
004E308D F2: PREFIX REPNE: ; Superfluous prefix
004E308E ^ EB F5 JMP SHORT Load_wy1.004E3085
004E3090 ^ EB F6 JMP SHORT Load_wy1.004E3088
004E3092 F2: PREFIX REPNE: ; Superfluous prefix
004E3093 EB 08 JMP SHORT Load_wy1.004E309D
004E3095 FD STD
004E3096 ^ EB E9 JMP SHORT Load_wy1.004E3081
004E3098 F3: PREFIX REP: ; Superfluous prefix
004E3099 ^ EB E4 JMP SHORT Load_wy1.004E307F
004E309B FC CLD
004E309C - E9 9D0FC98B JMP 8C17403E
004E30A1 CA F7D1 RETF 0D1F7 ; Far return
004E30A4 59 POP ECX
004E30A5 58 POP EAX
004E30A6 60 PUSHAD
004E30A7 33C9 XOR ECX,ECX
004E30A9 75 02 JNZ SHORT Load_wy1.004E30AD
004E30AB EB 15 JMP SHORT Load_wy1.004E30C2
004E30AD EB 33 JMP SHORT Load_wy1.004E30E2
004E30AF C9 LEAVE
004E30B0 75 18 JNZ SHORT Load_wy1.004E30CA
004E30B2 7A 0C JPE SHORT Load_wy1.004E30C0
004E30B4 70 0E JO SHORT Load_wy1.004E30C4
004E30B6 EB 0D JMP SHORT Load_wy1.004E30C5
004E30B8 E8 720E79F1 CALL F1C73F2F
004E30BD FF15 00790974 CALL DWORD PTR DS:[74097900]
004E30C3 F0:EB 87 LOCK JMP SHORT Load_wy1.004E304D ; LOCK prefix is not allowed; don't know what this is
004E30C6 DB7A F0 FSTP TBYTE PTR DS:[EDX-10]
004E30C9 A0 33615051 MOV AL,BYTE PTR DS:[51506133]
004E30CE 0FCA BSWAP EDX
004E30D0 F7D2 NOT EDX
004E30D2 9C PUSHFD
004E30D3 F7D2 NOT EDX
004E30D5 0FCA BSWAP EDX
004E30D7 EB 0F JMP SHORT Load_wy1.004E30E8
004E30D9 B9 EB0FB8EB MOV ECX,EBB80FEB
004E30DE 07 POP ES ; Segment register modification
004E30DF B9 EB0F90EB MOV ECX,EB900FEB
004E30E4 08FD OR CH,BH
004E30E6 EB 0B JMP SHORT Load_wy1.004E30F3
004E30E8 F2: PREFIX REPNE: ; Superfluous prefix
004E30E9 ^ EB F5 JMP SHORT Load_wy1.004E30E0
004E30EB ^ EB F6 JMP SHORT Load_wy1.004E30E3
004E30ED F2: PREFIX REPNE: ; Superfluous prefix
004E30EE EB 08 JMP SHORT Load_wy1.004E30F8
004E30F0 FD STD
004E30F1 ^ EB E9 JMP SHORT Load_wy1.004E30DC
004E30F3 F3: PREFIX REP: ; Superfluous prefix
004E30F4 ^ EB E4 JMP SHORT Load_wy1.004E30DA
004E30F6 FC CLD
004E30F7 - E9 9D0FC98B JMP 8C174099
004E30FC CA F7D1 RETF 0D1F7 ; Far return
004E30FF 59 POP ECX
004E3100 58 POP EAX
004E3101 60 PUSHAD
004E3102 9C PUSHFD
004E3103 33C0 XOR EAX,EAX
004E3105 E8 09000000 CALL Load_wy1.004E3113
004E310A E8 E8230000 CALL Load_wy1.004E54F7
004E310F 007A 23 ADD BYTE PTR DS:[EDX+23],BH
004E3112 A0 8B0424EB MOV AL,BYTE PTR DS:[EB24048B]
004E3117 037A 29 ADD EDI,DWORD PTR DS:[EDX+29]
004E311A - E9 C60090C3 JMP C3DE31E5
004E311F E8 70F087D2 CALL D2D62194
004E3124 71 07 JNO SHORT Load_wy1.004E312D
004E3126 - E9 00408BDB JMP DBD9712B
004E312B 7A 11 JPE SHORT Load_wy1.004E313E
004E312D EB 08 JMP SHORT Load_wy1.004E3137
004E312F - E9 EBF7EBC3 JMP C43A291F
004E3134 E8 7AE970DA CALL DABF1AB3
004E3139 7B D1 JPO SHORT Load_wy1.004E310C
004E313B ^ 71 F3 JNO SHORT Load_wy1.004E3130
004E313D - E9 7BF371D6 JMP D6C024BD
004E3142 - E9 9D6183ED JMP EDD192E4
004E3147 06 PUSH ES
004E3148 B8 7B010000 MOV EAX,17B
004E314D 03C5 ADD EAX,EBP
004E314F 33DB XOR EBX,EBX
004E3151 81C3 01010101 ADD EBX,1010101
004E3157 3118 XOR DWORD PTR DS:[EAX],EBX
004E3159 8138 78540000 CMP DWORD PTR DS:[EAX],5478
004E315F 74 04 JE SHORT Load_wy1.004E3165
004E3161 3118 XOR DWORD PTR DS:[EAX],EBX
004E3163 ^ EB EC JMP SHORT Load_wy1.004E3151
004E3165 B9 4F9B0000 MOV ECX,9B4F
004E316A 81E3 FF000000 AND EBX,0FF
004E3170 83C0 03 ADD EAX,3
004E3173 40 INC EAX
004E3174 3018 XOR BYTE PTR DS:[EAX],BL
004E3176 49 DEC ECX
004E3177 ^ 75 FA JNZ SHORT Load_wy1.004E3173
004E3179 EB 04 JMP SHORT Load_wy1.004E317F
004E317B D7 XLAT BYTE PTR DS:[EBX+AL]
004E317C FB STI
004E317D AF SCAS DWORD PTR ES:[EDI]
004E317E AF SCAS DWORD PTR ES:[EDI]
004E317F FF47 8B INC DWORD PTR DS:[EDI-75]
004E3182 AF SCAS DWORD PTR ES:[EDI]
004E3183 AF SCAS DWORD PTR ES:[EDI]
004E3184 AF SCAS DWORD PTR ES:[EDI]
004E3185 24 E3 AND AL,0E3
004E3187 8BA3 2C2E17AF MOV ESP,DWORD PTR DS:[EBX+AF172E2C]
004E318D AF SCAS DWORD PTR ES:[EDI]
004E318E AF SCAS DWORD PTR ES:[EDI]
004E318F AD LODS DWORD PTR DS:[ESI]
004E3190 9C PUSHFD
004E3191 6F OUTS DX,DWORD PTR ES:[EDI] ; I/O command
004E3192 26:EE OUT DX,AL ; I/O command
004E3194 AB STOS DWORD PTR ES:[EDI]
004E3195 26:EE OUT DX,AL ; I/O command
004E3197 A7 CMPS DWORD PTR DS:[ESI],DWORD PTR ES:[ED>
004E3198 26:EE OUT DX,AL ; I/O command
004E319A A3 26EEBF26 MOV DWORD PTR DS:[26BFEE26],EAX
004E319F EE OUT DX,AL ; I/O command
004E31A0 BB 68EEB7FA MOV EBX,FAB7EE68
004E31A5 AE SCAS BYTE PTR ES:[EDI]
004E31A6 AF SCAS DWORD PTR ES:[EDI]
004E31A7 AF SCAS DWORD PTR ES:[EDI]
004E31A8 6C INS BYTE PTR ES:[EDI],DX ; I/O command
004E31A9 9C PUSHFD
004E31AA 6F OUTS DX,DWORD PTR ES:[EDI] ; I/O command
004E31AB CB RETF ; Far return
004E31AC 50 PUSH EAX
004E31AD 9F LAHF
004E31AE CB RETF ; Far return
004E31AF 26:8F ??? ; Unknown command; and what is this one for?
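The OD message quoted above ("entry point is outside the code range") comes from a header-level check, not from anything in the disassembly: the loader's AddressOfEntryPoint is compared with the section table, and a packer stub that lives in its own appended section (as at 004E3000 here) fails that check. The script below is an added triage example, not code from the original post or from any debugger; it approximates that heuristic on a PE32 header and also flags sections that are both writable and executable, a second signal of a stub that rewrites itself in place. The two images it parses are constructed inside the script, and the section name `.pack0` and the layout are invented for illustration, not taken from the poster's file.

```python
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

FILE_HEADER_FMT = "<HHIIIHH"    # IMAGE_FILE_HEADER, 20 bytes
SECTION_FMT = "<8sIIIIIIHHI"    # IMAGE_SECTION_HEADER, 40 bytes


def parse_pe(data: bytes) -> dict:
    """Read only the PE32 fields needed to locate the entry point."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    fh = e_lfanew + 4
    _machine, nsec, _, _, _, opt_size, _ = struct.unpack_from(FILE_HEADER_FMT, data, fh)
    opt = fh + struct.calcsize(FILE_HEADER_FMT)
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 optional headers handled here")
    entry, base_of_code = struct.unpack_from("<II", data, opt + 16)  # AddressOfEntryPoint, BaseOfCode
    sections = []
    for i in range(nsec):
        off = opt + opt_size + i * struct.calcsize(SECTION_FMT)
        name, vsize, va, rawsize, *_rest, chars = struct.unpack_from(SECTION_FMT, data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii"), "va": va,
                         "size": max(vsize, rawsize), "chars": chars})
    return {"entry": entry, "base_of_code": base_of_code, "sections": sections}


def classify_entry(pe: dict) -> tuple:
    """Approximate the debugger heuristic: does AddressOfEntryPoint fall in the code section?"""
    ep = pe["entry"]
    sec = next((s for s in pe["sections"] if s["va"] <= ep < s["va"] + s["size"]), None)
    if sec is None:
        return ("no-section", None)
    if sec["va"] == pe["base_of_code"] and sec["chars"] & IMAGE_SCN_CNT_CODE:
        return ("in-code-section", sec["name"])
    return ("outside-code-section", sec["name"])


def rwx_sections(pe: dict) -> list:
    """Names of sections that are both writable and executable (self-modifying stub territory)."""
    rwx = IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
    return [s["name"] for s in pe["sections"] if s["chars"] & rwx == rwx]


def build_pe(entry_rva: int, sections: list) -> bytes:
    """Constructed sample: a header-only PE32 image, not runnable, just enough for parse_pe()."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)        # e_lfanew
    opt = bytearray(0xE0)                          # standard PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)          # Magic = PE32
    struct.pack_into("<I", opt, 16, entry_rva)     # AddressOfEntryPoint
    code_va = next(va for _, va, _, ch in sections if ch & IMAGE_SCN_CNT_CODE)
    struct.pack_into("<I", opt, 20, code_va)       # BaseOfCode = first code section
    struct.pack_into("<I", opt, 28, 0x00400000)    # ImageBase
    file_hdr = struct.pack(FILE_HEADER_FMT, 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    table = b"".join(struct.pack(SECTION_FMT, name, size, va, size, 0, 0, 0, 0, 0, ch)
                     for name, va, size, ch in sections)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + table


CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

# Constructed: an ordinary layout, entry point a few bytes into .text.
NORMAL_IMAGE = build_pe(0x1010, [(b".text", 0x1000, 0x1000, CODE),
                                 (b".data", 0x2000, 0x1000, DATA)])

# Constructed: a packer-style layout with the entry point in a trailing RWX section.
# ".pack0" is an invented name, not the section name in the poster's file.
PACKED_IMAGE = build_pe(0x3000, [(b".text", 0x1000, 0x1000, CODE),
                                 (b".data", 0x2000, 0x1000, DATA),
                                 (b".pack0", 0x3000, 0x5000, CODE | IMAGE_SCN_MEM_WRITE)])

if __name__ == "__main__":
    for label, img in (("normal", NORMAL_IMAGE), ("packed-style", PACKED_IMAGE)):
        pe = parse_pe(img)
        print(label, classify_entry(pe), "rwx:", rwx_sections(pe))
```

Run on a real file with `parse_pe(open(path, "rb").read())`; a verdict of `outside-code-section` together with a non-empty `rwx_sections` list is the header-level equivalent of the PEiD result and the OD warning combined, and is a cheap first filter before spending analyst time on the stub.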