• Title: Answering FLY's call - unpacking ASProtect 1.23 RC4
  • Author: 辉仔Yock
  • Date: 17 December 2003, 11:45
  • Link: http://bbs.pediy.com

【Preface】: Haha, my second brother asked me to help unpack this, and I nearly forgot about it while watching 幻影! Only getting to it now, sorry!

Unpacking ASProtect 1.23 RC4 - 1.3.08.24 -> Alexey Solodovnikov

【Software name】: Christmas 3D Screensaver

【Download page】: http://www.3planesoft.com

【Software size】: A bit big!

【Platform】: WIN9X/WINNT/WIN2K/WINXP

【Software description】: Seems to be something Christmas-related; if anyone cracks it, post a keygen so I can download it and take it home for Christmas! Thanks

【Software protection】: ASProtect 1.23 RC4 - 1.3.08.24 -> Alexey Solodovnikov

【Article author】: 辉仔Yock

【Author's statement】: I am publishing this article purely for study and research!!! Please do not use it for commercial purposes or freely distribute keygens or patches made with the method in this article; whatever readers do after reading it has nothing to do with me and I take no responsibility, so please think twice before acting! Finally, I hope everyone will support shareware once they are financially able! (And here I bow to the author of this software with my deepest apologies...)

【Tools】: OD (OllyDbg), LordPE, ImportREC



————————————————————————————————— 
【Process】:

Before reading, keep firmly in mind that ASProtect's addresses are different every time. In the final short section below I copied the code in two separate passes, so do not go by the code addresses; you need to learn to understand what I did!

Load the target in OD, then hide OD! Ignore all exceptions (except memory access exceptions).

Press F9 to run; an exception fires. Pass through exceptions with Shift+F9 25 times until you reach the following location:

00AE39EC    3100            XOR     [EAX],EAX
//The exception fires here!

00AE39EE    64:8F05 0000000>POP     DWORD PTR FS:[0]                 ; 0012FFE0
00AE39F5    58              POP     EAX                              ; 0012FFE0
00AE39F6    833D B07EAE00 0>CMP     DWORD PTR [AE7EB0],0
00AE39FD    74 14           JE      SHORT 00AE3A13
00AE39FF    6A 0C           PUSH    0C
00AE3A01    B9 B07EAE00     MOV     ECX,0AE7EB0
00AE3A06    8D45 F8         LEA     EAX,[EBP-8]
00AE3A09    BA 04000000     MOV     EDX,4
00AE3A0E    E8 2DD1FFFF     CALL    00AE0B40
00AE3A13    FF75 FC         PUSH    DWORD PTR [EBP-4]
00AE3A16    FF75 F8         PUSH    DWORD PTR [EBP-8]
00AE3A19    8B45 F4         MOV     EAX,[EBP-C]                      ; Christma.004707D2
00AE3A1C    8338 00         CMP     DWORD PTR [EAX],0
00AE3A1F    74 02           JE      SHORT 00AE3A23
00AE3A21    FF30            PUSH    DWORD PTR [EAX]
00AE3A23    FF75 F0         PUSH    DWORD PTR [EBP-10]               ; Christma.00400000
00AE3A26    FF75 EC         PUSH    DWORD PTR [EBP-14]
00AE3A29    C3              RETN
//Set a breakpoint here with F2, then press Shift+F9 and it stops here!
//Remove the breakpoint and press F7 to return

00AF4F28    8AF3            MOV     DH,BL
//Returns to here!
//From here on, trace slowly with F7!

00AF4F2A    66:81C0 A665    ADD     AX,65A6
00AF4F2F    66:81C9 3236    OR      CX,3632
00AF4F34    E8 08000000     CALL    00AF4F41
00AF4F39    0039            ADD     [ECX],BH
00AF4F3B  ^ 7E DF           JLE     SHORT 00AF4F1C
00AF4F3D    2C F5           SUB     AL,0F5
00AF4F3F    8AFB            MOV     BH,BL
00AF4F41    0F84 02000000   JE      00AF4F49
00AF4F47    8BC3            MOV     EAX,EBX
00AF4F49    5F              POP     EDI                              ; Christma.00400000
00AF4F4A    0FBFD0          MOVSX   EDX,AX
00AF4F4D    81C7 15160000   ADD     EDI,1615
00AF4F53    B9 1D4FD976     MOV     ECX,76D94F1D
00AF4F58    66:B8 19C0      MOV     AX,0C019
00AF4F5C    66:BA 8C55      MOV     DX,558C
00AF4F60    2BDB            SUB     EBX,EBX
00AF4F62    E9 0D000000     JMP     00AF4F74
00AF4F67    51              PUSH    ECX
00AF4F68    B6 B7           MOV     DH,0B7
00AF4F6A    24 8D           AND     AL,8D
00AF4F6C    42              INC     EDX
00AF4F6D    53              PUSH    EBX
00AF4F6E    90              NOP
00AF4F6F    898E AFBC45B9   MOV     [ESI+B945BCAF],ECX
00AF4F75    C138 5A         SAR     DWORD PTR [EAX],5A               ; 移动常数超出 1..31 的范围
00AF4F78    67:0F87 0600000>JA      00AF4F85                         ; 多余的前缀
00AF4F7F    66:8BD6         MOV     DX,SI
00AF4F82    80F1 EC         XOR     CL,0EC
00AF4F85    FF343B          PUSH    DWORD PTR [EBX+EDI]
00AF4F88    81E0 842A501B   AND     EAX,1B502A84
00AF4F8E    0FB7CF          MOVZX   ECX,DI
00AF4F91    5E              POP     ESI                              ; Christma.00400000
00AF4F92    0F83 05000000   JNB     00AF4F9D
00AF4F98    80C9 C6         OR      CL,0C6
00AF4F9B    B1 43           MOV     CL,43
00AF4F9D    81C6 2A7E6325   ADD     ESI,25637E2A
00AF4FA3    E8 06000000     CALL    00AF4FAE
00AF4FA8    76 77           JBE     SHORT 00AF5021
00AF4FAA    E4 4D           IN      AL,4D                            ; I/O 命令
00AF4FAC    0213            ADD     DL,[EBX]
00AF4FAE    66:B8 0507      MOV     AX,705
00AF4FB2    B4 0E           MOV     AH,0E
00AF4FB4    5A              POP     EDX                              ; Christma.00400000
00AF4FB5    53              PUSH    EBX
00AF4FB6    B9 B90CD669     MOV     ECX,69D60CB9
00AF4FBB    0FBFC1          MOVSX   EAX,CX
00AF4FBE    5A              POP     EDX                              ; Christma.00400000
00AF4FBF    66:81E2 5734    AND     DX,3457
00AF4FC4    81F6 1BB4497A   XOR     ESI,7A49B41B
00AF4FCA    80E5 B0         AND     CH,0B0
00AF4FCD    8AF4            MOV     DH,AH
00AF4FCF    81EE B819242E   SUB     ESI,2E2419B8
00AF4FD5    81DA 47E12F2A   SBB     EDX,2A2FE147
00AF4FDB    E8 12000000     CALL    00AF4FF2
00AF4FE0    12E3            ADC     AH,BL
00AF4FE2  ^ E0 99           LOOPDNE SHORT 00AF4F7D
00AF4FE4    5E              POP     ESI                              ; Christma.00400000
00AF4FE5    3F              AAS
00AF4FE6    0C 55           OR      AL,55
00AF4FE8    6A 5B           PUSH    5B
00AF4FEA    F8              CLC
00AF4FEB    D136            SAL     DWORD PTR [ESI],1
00AF4FED    37              AAA
00AF4FEE    A4              MOVS    BYTE PTR ES:[EDI],BYTE PTR [ESI]
00AF4FEF    0D C2D3E913     OR      EAX,13E9D3C2
00AF4FF4    0000            ADD     [EAX],AL
00AF4FF6    002F            ADD     [EDI],CH
00AF4FF8    3C C5           CMP     AL,0C5
00AF4FFA    1A4B 28         SBB     CL,[EBX+28]
00AF4FFD    41              INC     ECX
00AF4FFE    E6 27           OUT     27,AL                            ; I/O 命令
00AF5000    D4 7D           AAM     7D
00AF5002  ^ 72 C3           JB      SHORT 00AF4FC7
00AF5004    40              INC     EAX                              ; Christma.004707D2
00AF5005  ^ 79 BE           JNS     SHORT 00AF4FC5
00AF5007    1F              POP     DS                               ; 修正的段位寄存器
00AF5008    6C              INS     BYTE PTR ES:[EDI],DX             ; I/O 命令
00AF5009    35 B2A25856     XOR     EAX,5658A2B2
00AF500E    81DA E9138344   SBB     EDX,448313E9
00AF5014    0F8B 08000000   JPO     00AF5022
00AF501A    66:8BD0         MOV     DX,AX
00AF501D    BA 4657B770     MOV     EDX,70B75746
00AF5022    E8 09000000     CALL    00AF5030
00AF5027    5D              POP     EBP                              ; Christma.00400000
00AF5028    D2A3 A0591EFF   SHL     BYTE PTR [EBX+FF1E59A0],CL
00AF502E    CC              INT3
00AF502F    15 66B8914A     ADC     EAX,4A91B866
00AF5034    B9 CDFE696D     MOV     ECX,6D69FECD
00AF5039    80D9 FC         SBB     CL,0FC
00AF503C    58              POP     EAX                              ; Christma.00400000
00AF503D    8F041F          POP     DWORD PTR [EDI+EBX]              ; Christma.00400000
00AF5040    8BCA            MOV     ECX,EDX
00AF5042    66:8BD3         MOV     DX,BX
00AF5045    66:BA 2C34      MOV     DX,342C
00AF5049    0FB7C3          MOVZX   EAX,BX
00AF504C    83EB 04         SUB     EBX,4
00AF504F    8AD1            MOV     DL,CL
00AF5051    8BD6            MOV     EDX,ESI
00AF5053    E8 14000000     CALL    00AF506C
00AF5058    5C              POP     ESP                              ; Christma.00400000
00AF5059    65:3AEB         CMP     CH,BL                            ; 多余的前缀
00AF505C    48              DEC     EAX                              ; Christma.004707D2
00AF505D    E1 06           LOOPDE  SHORT 00AF5065
00AF505F    C7              ???                                      ; 未知命令
00AF5060    F4              HLT                                      ; 特权级命令
00AF5061    1D 92636019     SBB     EAX,19606392
00AF5066    DEBF 8CD5EADB   FIDIVR  WORD PTR [EDI+DBEAD58C]
00AF506C    B0 C0           MOV     AL,0C0
00AF506E    56              PUSH    ESI
00AF506F    BA BCDCF462     MOV     EDX,62F4DCBC
00AF5074    0FB7CB          MOVZX   ECX,BX
00AF5077    59              POP     ECX                              ; Christma.00400000
00AF5078    5A              POP     EDX                              ; Christma.00400000
00AF5079    81FB 54EBFFFF   CMP     EBX,-14AC
00AF507F  ^ 0F85 00FFFFFF   JNZ     00AF4F85
//Note that this jumps back to loop! Set a breakpoint further down, then run to it!

00AF5085    E9 0E000000     JMP     00AF5098
//Set a breakpoint here! After it breaks, clear it and press F7
===============================================
00AF5098   /0F8F 04000000   JG      00AF50A2
//We arrive here!
//What follows is a new kind of junk code (花指令); it is quite interesting, so be patient and trace it slowly!

00AF509E   |66:B9 2579      MOV     CX,7925
00AF50A2   66:B8 A182      MOV     AX,82A1
00AF50A6    5B              POP     EBX                              ; Christma.00400000
00AF50A7    58              POP     EAX                              ; Christma.00400000
00AF50A8    05 1E9EDFB8     ADD     EAX,B8DF9E1E
00AF50AD    5C              POP     ESP                              ; Christma.00400000
00AF50AE    EB 44           JMP     SHORT 00AF50F4
00AF50B0    EB 01           JMP     SHORT 00AF50B3
00AF50B2    9A 51579CFC BF0>CALL    FAR 00BF:FC9C5751                ; 远距呼叫
00AF50B9    0000            ADD     [EAX],AL
00AF50BB    00B9 00000000   ADD     [ECX],BH
00AF50C1    F3:AA           REP     STOS BYTE PTR ES:[EDI]
00AF50C3    9D              POPFD
00AF50C4    5F              POP     EDI                              ; Christma.00400000
00AF50C5    59              POP     ECX                              ; Christma.00400000
00AF50C6    C3              RETN
00AF50C7    55              PUSH    EBP
00AF50C8    8BEC            MOV     EBP,ESP
00AF50CA    53              PUSH    EBX
00AF50CB    56              PUSH    ESI
00AF50CC    8B75 0C         MOV     ESI,[EBP+C]
00AF50CF    8B5D 08         MOV     EBX,[EBP+8]                      ; Christma.004703C2
00AF50D2    EB 11           JMP     SHORT 00AF50E5
00AF50D4    0FB703          MOVZX   EAX,WORD PTR [EBX]
00AF50D7    03C6            ADD     EAX,ESI
00AF50D9    83C3 02         ADD     EBX,2
00AF50DC    8BD0            MOV     EDX,EAX
00AF50DE    8BC6            MOV     EAX,ESI
00AF50E0    E8 0C000000     CALL    00AF50F1
00AF50E5    66:833B 00      CMP     WORD PTR [EBX],0
00AF50E9  ^ 75 E9           JNZ     SHORT 00AF50D4
00AF50EB    5E              POP     ESI                              ; Christma.00400000
00AF50EC    5B              POP     EBX                              ; Christma.00400000
00AF50ED    5D              POP     EBP                              ; Christma.00400000
00AF50EE    C2 0800         RETN    8
00AF50F1    0102            ADD     [EDX],EAX
00AF50F3    C3              RETN
00AF50F4    03C3            ADD     EAX,EBX
00AF50F6    BB 36030000     MOV     EBX,336
00AF50FB    0BDB            OR      EBX,EBX
00AF50FD    75 07           JNZ     SHORT 00AF5106
00AF50FF    894424 1C       MOV     [ESP+1C],EAX
00AF5103    61              POPAD
00AF5104    50              PUSH    EAX
00AF5105    C3              RETN
00AF5106    E8 00000000     CALL    00AF510B
00AF510B    5D              POP     EBP                              ; Christma.00400000
00AF510C    81ED 4DE14B00   SUB     EBP,4BE14D
00AF5112    8D85 F2E04B00   LEA     EAX,[EBP+4BE0F2]
00AF5118    8D8D 94E14B00   LEA     ECX,[EBP+4BE194]
00AF511E    03CB            ADD     ECX,EBX
00AF5120    8941 01         MOV     [ECX+1],EAX
00AF5123    8D85 36E14B00   LEA     EAX,[EBP+4BE136]
00AF5129    8D8D FAE04B00   LEA     ECX,[EBP+4BE0FA]
00AF512F    8901            MOV     [ECX],EAX
00AF5131    B8 5E140000     MOV     EAX,145E
00AF5136    8D8D FFE04B00   LEA     ECX,[EBP+4BE0FF]
00AF513C    8901            MOV     [ECX],EAX
00AF513E    8D8D 94E14B00   LEA     ECX,[EBP+4BE194]
00AF5144    8D85 94F34B00   LEA     EAX,[EBP+4BF394]
00AF514A    51              PUSH    ECX
00AF514B    50              PUSH    EAX
00AF514C    E8 76FFFFFF     CALL    00AF50C7
00AF5151    61              POPAD
00AF5152    F2:             PREFIX REPNE:                            ; 多余的前缀
//See this? Heh heh! You are in for it!

00AF5153    EB 01           JMP     SHORT 00AF5156
00AF5155    9A F3EB02CD 205>CALL    FAR 5320:CD02EBF3                ; 远距呼叫
00AF515C    36:EB 02        JMP     SHORT 00AF5161                   ; 多余的前缀
00AF515F    CD20 0BDFEB02   VxDCall 2EBDF0B
00AF5165    CD20 C1C308EB   VxDCall EB08C3C1
00AF516B    02CD            ADD     CL,CH
00AF516D    20F2            AND     DL,DH
00AF516F    EB 01           JMP     SHORT 00AF5172
00AF5171    698D 1CADFD4D F>IMUL    ECX,[EBP+4DFDAD1C],EBF2B1F4
00AF517B    010F            ADD     [EDI],ECX
00AF517D    65:EB 02        JMP     SHORT 00AF5182                   ; 多余的前缀
00AF5180    CD20 55F3EB02   VxDCall 2EBF355
00AF5186    CD20 C7442400   VxDCall 2444C7
00AF518C    2C 00           SUB     AL,0
00AF518E    0000            ADD     [EAX],AL
00AF5190    5B              POP     EBX                              ; Christma.00400000
00AF5191    FF53 1B         CALL    [EBX+1B]
00AF5194    699A 0F9A0F4E 0>IMUL    EBX,[EDX+4E0F9A0F],E8000000
00AF519E    F3:             PREFIX REP:                              ; 多余的前缀
00AF519F    9A 5B26EB01 9A8>CALL    FAR 819A:01EB265B                ; 远距呼叫
00AF51A6    D3EF            SHR     EDI,CL
00AF51A8    FA              CLI
00AF51A9    96              XCHG    EAX,ESI
00AF51AA    42              INC     EDX
00AF51AB    F2:             PREFIX REPNE:                            ; 多余的前缀
00AF51AC    EB 01           JMP     SHORT 00AF51AF
00AF51AE    C7              ???                                      ; 未知命令
00AF51AF    F3:             PREFIX REP:                              ; 多余的前缀
00AF51B0    EB 02           JMP     SHORT 00AF51B4
00AF51B2    CD20 0FA3CBF2   VxDCall F2CBA30F
00AF51B8    EB 01           JMP     SHORT 00AF51BB
00AF51BA    E8 2BDF5B6A     CALL    6B0B30EA
00AF51BF    60              PUSHAD
00AF51C0    68 A0444300     PUSH    4344A0
00AF51C5    F3:             PREFIX REP:                              ; 多余的前缀
00AF51C6    EB 02           JMP     SHORT 00AF51CA
00AF51C8    CD20 66812D82   VxDCall 822D8166
00AF51CE    0000            ADD     [EAX],AL
00AF51D0    0085 47F3704A   ADD     [EBP+4A70F347],AL
00AF51D6    CD20 53EB087F   VxDCall 7F08EB53
00AF51DC  ^ 7D F4           JGE     SHORT 00AF51D2
00AF51DE    FC              CLD
00AF51DF    7F 7D           JG      SHORT 00AF525E
00AF51E1    F4              HLT                                      ; 特权级命令
00AF51E2    FC              CLD
00AF51E3    F3:             PREFIX REP:                              ; 多余的前缀
00AF51E4    EB 02           JMP     SHORT 00AF51E8
00AF51E6    CD20 8D9E8900   VxDCall 899E8D
00AF51EC    0000            ADD     [EAX],AL
00AF51EE    2BDE            SUB     EBX,ESI
00AF51F0    F2:             PREFIX REPNE:                            ; 多余的前缀
00AF51F1    EB 01           JMP     SHORT 00AF51F4
00AF51F3    F0:83EC 08      LOCK SUB ESP,8                           ; 锁定前缀是不允许的
00AF51F7    EB 02           JMP     SHORT 00AF51FB
00AF51F9    CD20 8D640404   VxDCall 404648D
00AF51FF    2BE0            SUB     ESP,EAX
00AF5201    F3:             PREFIX REP:                              ; 多余的前缀
00AF5202    EB 02           JMP     SHORT 00AF5206
00AF5204    CD20 50EB02CD   VxDCall CD02EB50
00AF520A    208F 442400F3   AND     [EDI+F3002444],CL
00AF5210    EB 02           JMP     SHORT 00AF5214
00AF5212    CD20 8B430026   VxDCall 2600438B
00AF5218    EB 01           JMP     SHORT 00AF521B
00AF521A    0F57EB          XORPS   XMM5,XMM3
00AF521D    02CD            ADD     CL,CH
00AF521F    208D 6424F583   AND     [EBP+83F52464],CL
00AF5225    C458 8D         LES     EBX,[EAX-73]                     ; 修正的段位寄存器
00AF5228    64:24 AF        AND     AL,0AF                           ; 多余的前缀
00AF522B    EB 01           JMP     SHORT 00AF522E
00AF522D    9A 53F3EB02 CD2>CALL    FAR 20CD:02EBF353                ; 远距呼叫
00AF5234    8F4424 00       POP     DWORD PTR [ESP]                  ; Christma.00400000
00AF5238    F3:             PREFIX REP:                              ; 多余的前缀
00AF5239    EB 02           JMP     SHORT 00AF523D
00AF523B    CD20 55F3EB02   VxDCall 2EBF355
00AF5241    CD20 8D6424CE   VxDCall CE24648D
00AF5247    F2:             PREFIX REPNE:                            ; 多余的前缀
00AF5248    EB 01           JMP     SHORT 00AF524B
00AF524A    E8 8D643C63     CALL    63EBB6DC
00AF524F    2BE7            SUB     ESP,EDI
00AF5251    2E:EB 02        JMP     SHORT 00AF5256                   ; 多余的前缀
00AF5254    CD20 8D6434CB   VxDCall CB34648D
00AF525A    2BE6            SUB     ESP,ESI
00AF525C    26:EB 02        JMP     SHORT 00AF5261                   ; 多余的前缀
00AF525F    CD20 89542400   VxDCall 245489
00AF5265    EB 02           JMP     SHORT 00AF5269
00AF5267    CD20 83EC0F36   VxDCall 360FEC83
00AF526D    EB 02           JMP     SHORT 00AF5271
00AF526F    CD20 8D642467   VxDCall 6724648D
00AF5275    EB 01           JMP     SHORT 00AF5278
00AF5277    698D 6424A4F2 E>IMUL    ECX,[EBP+F2A42464],51F001EB
00AF5281    2E:EB 01        JMP     SHORT 00AF5285                   ; 多余的前缀
00AF5284    F3:             PREFIX REP:                              ; 多余的前缀
00AF5285    8F4424 00       POP     DWORD PTR [ESP]                  ; Christma.00400000
00AF5289    F3:             PREFIX REP:                              ; 多余的前缀
00AF528A    EB 02           JMP     SHORT 00AF528E
00AF528C    CD20 F2EB019A   VxDCall 9A01EBF2
00AF5292    68 3704FF07     PUSH    7FF0437
00AF5297    51              PUSH    ECX
00AF5298    897424 04       MOV     [ESP+4],ESI
00AF529C    EB 02           JMP     SHORT 00AF52A0
00AF529E    CD20 8F4424FC   VxDCall FC24448F
00AF52A4    F3:             PREFIX REP:                              ; 多余的前缀
00AF52A5    EB 02           JMP     SHORT 00AF52A9
00AF52A7    CD20 C1C066EB   VxDCall EB66C0C1
00AF52AD    01F3            ADD     EBX,ESI
00AF52AF    48              DEC     EAX
00AF52B0    8BE8            MOV     EBP,EAX
00AF52B2    EB 02           JMP     SHORT 00AF52B6
00AF52B4    CD20 83F5EB87   VxDCall 87EBF583
00AF52BA    FD              STD
00AF52BB    F3:             PREFIX REP:                              ; 多余的前缀
00AF52BC    EB 02           JMP     SHORT 00AF52C0
00AF52BE    CD20 C1CF232E   VxDCall 2E23CFC1
00AF52C4    EB 02           JMP     SHORT 00AF52C8
00AF52C6    CD20 F7D7575E   VxDCall 5E57D7F7
00AF52CC    EB 02           JMP     SHORT 00AF52D0
00AF52CE    CD20 81EE2EDD   VxDCall DD2EEE81
00AF52D4    06              PUSH    ES
00AF52D5    3E:8BC6         MOV     EAX,ESI                          ; 多余的前缀
00AF52D8    2E:EB 02        JMP     SHORT 00AF52DD                   ; 多余的前缀
00AF52DB    CD20 81F00749   VxDCall 4907F081
00AF52E1    DF              ???                                      ; 未知命令
00AF52E2    09F3            OR      EBX,ESI
00AF52E4    EB 02           JMP     SHORT 00AF52E8
00AF52E6    CD20 4036EB02   VxDCall 2EB3640
00AF52EC    CD20 5EEB01C7   VxDCall C701EB5E
00AF52F2    59              POP     ECX                              ; Christma.00400000
00AF52F3    F3:             PREFIX REP:                              ; 多余的前缀
00AF52F4    EB 02           JMP     SHORT 00AF52F8
00AF52F6    CD20 5A2EEB02   VxDCall 2EB2E5A
00AF52FC    CD20 5DF2EB01   VxDCall 1EBF25D
00AF5302    E8 5BEB01F0     CALL    F0B13E62
00AF5307    5F              POP     EDI                              ; Christma.00400000
00AF5308    EB 01           JMP     SHORT 00AF530B
00AF530A    69BB 8D000000 F>IMUL    EDI,[EBX+8D],0F01EBF2
00AF5314    8943 00         MOV     [EBX],EAX
00AF5317    58              POP     EAX                              ; Christma.00400000
00AF5318    5B              POP     EBX                              ; Christma.00400000
00AF5319    EB 02           JMP     SHORT 00AF531D
00AF531B    CD20 FF358D00   VxDCall 8D35FF
00AF5321    0000            ADD     [EAX],AL
00AF5323    68 BC3D4200     PUSH    423DBC
00AF5328    64:A1 00000000  MOV     EAX,FS:[0]
00AF532E    F3:             PREFIX REP:                              ; 多余的前缀
00AF532F    EB 02           JMP     SHORT 00AF5333
00AF5331    CD20 F3EB02CD   VxDCall CD02EBF3
00AF5337    20FF            AND     BH,BH
00AF5339    74 24           JE      SHORT 00AF535F
00AF533B    05 66812DF4     ADD     EAX,F42D8166
00AF5340    0100            ADD     [EAX],EAX
00AF5342    00BCDA EBBEA720 ADD     [EDX+EBX*8+20A7BEEB],BH
00AF5349    64:FF35 0000000>PUSH    DWORD PTR FS:[0]
00AF5350    894424 04       MOV     [ESP+4],EAX
00AF5354    66:8105 0C02000>ADD     WORD PTR [20C],0C008
00AF535D    3E:E3 42        JECXZ   SHORT 00AF53A2                   ; 多余的前缀
00AF5360    CD20 83EC2583   VxDCall 8325EC83
00AF5366    C429            LES     EBP,[ECX]                        ; 修正的段位寄存器
00AF5368    8B4424 10       MOV     EAX,[ESP+10]
00AF536C    896C24 10       MOV     [ESP+10],EBP
00AF5370    8D6C24 10       LEA     EBP,[ESP+10]
00AF5374    2BE0            SUB     ESP,EAX
00AF5376    F3:             PREFIX REP:                              ; 多余的前缀
00AF5377    EB 02           JMP     SHORT 00AF537B
00AF5379    CD20 F3EB02CD   VxDCall CD02EBF3
00AF537F    20FF            AND     BH,BH
00AF5381    74 24           JE      SHORT 00AF53A7
00AF5383    05 66812D3C     ADD     EAX,3C2D8166
00AF5388    0200            ADD     AL,[EAX]
00AF538A    00BCDA EBBEA720 ADD     [EDX+EBX*8+20A7BEEB],BH
00AF5391    64:FF35 0000000>PUSH    DWORD PTR FS:[0]
00AF5398    895C24 04       MOV     [ESP+4],EBX
00AF539C    66:8105 5402000>ADD     WORD PTR [254],0C008
00AF53A5    3E:E3 42        JECXZ   SHORT 00AF53EA                   ; 多余的前缀
00AF53A8    CD20 83EC2583   VxDCall 8325EC83
00AF53AE    C429            LES     EBP,[ECX]                        ; 修正的段位寄存器
00AF53B0    F3:             PREFIX REP:                              ; 多余的前缀
00AF53B1    EB 02           JMP     SHORT 00AF53B5
00AF53B3    CD20 F3EB02CD   VxDCall CD02EBF3
00AF53B9    20FF            AND     BH,BH
00AF53BB    74 24           JE      SHORT 00AF53E1
00AF53BD    05 66812D76     ADD     EAX,762D8166
00AF53C2    0200            ADD     AL,[EAX]
00AF53C4    00BCDA EBBEA720 ADD     [EDX+EBX*8+20A7BEEB],BH
00AF53CB    64:FF35 0000000>PUSH    DWORD PTR FS:[0]
00AF53D2    897424 04       MOV     [ESP+4],ESI
00AF53D6    66:8105 8E02000>ADD     WORD PTR [28E],0C008
00AF53DF    3E:E3 42        JECXZ   SHORT 00AF5424                   ; 多余的前缀
00AF53E2    CD20 83EC2583   VxDCall 8325EC83
00AF53E8    C429            LES     EBP,[ECX]                        ; 修正的段位寄存器
00AF53EA    F3:             PREFIX REP:                              ; 多余的前缀
00AF53EB    EB 02           JMP     SHORT 00AF53EF
00AF53ED    CD20 F3EB02CD   VxDCall CD02EBF3
00AF53F3    20FF            AND     BH,BH
00AF53F5    74 24           JE      SHORT 00AF541B
00AF53F7    05 66812DB0     ADD     EAX,B02D8166
00AF53FC    0200            ADD     AL,[EAX]
00AF53FE    00BCDA EBBEA720 ADD     [EDX+EBX*8+20A7BEEB],BH
00AF5405    64:FF35 0000000>PUSH    DWORD PTR FS:[0]
00AF540C    897C24 04       MOV     [ESP+4],EDI
00AF5410    66:8105 C802000>ADD     WORD PTR [2C8],0C008
00AF5419    3E:E3 42        JECXZ   SHORT 00AF545E                   ; 多余的前缀
00AF541C    CD20 83EC2583   VxDCall 8325EC83
00AF5422    C429            LES     EBP,[ECX]                        ; 修正的段位寄存器
00AF5424    8B45 F8         MOV     EAX,[EBP-8]
00AF5427    8965 E8         MOV     [EBP-18],ESP
00AF542A    F3:             PREFIX REP:                              ; 多余的前缀
00AF542B    EB 02           JMP     SHORT 00AF542F
00AF542D    CD20 F3EB02CD   VxDCall CD02EBF3
00AF5433    20FF            AND     BH,BH
00AF5435    74 24           JE      SHORT 00AF545B
00AF5437    05 66812DF0     ADD     EAX,F02D8166
00AF543C    0200            ADD     AL,[EAX]
00AF543E    00BCDA EBBEA720 ADD     [EDX+EBX*8+20A7BEEB],BH
00AF5445    64:FF35 0000000>PUSH    DWORD PTR FS:[0]
00AF544C    894424 04       MOV     [ESP+4],EAX
00AF5450    66:8105 0803000>ADD     WORD PTR [308],0C008
00AF5459    3E:E3 42        JECXZ   SHORT 00AF549E                   ; 多余的前缀
00AF545C    CD20 83EC2583   VxDCall 8325EC83
00AF5462    C429            LES     EBP,[ECX]                        ; 修正的段位寄存器
00AF5464    8B45 FC         MOV     EAX,[EBP-4]
00AF5467    C745 FC FFFFFFF>MOV     DWORD PTR [EBP-4],-1
00AF546E    8945 F8         MOV     [EBP-8],EAX
00AF5471    8D45 F0         LEA     EAX,[EBP-10]
00AF5474    64:A3 00000000  MOV     FS:[0],EAX
00AF547A    F2:             PREFIX REPNE:                            ; 多余的前缀
00AF547B    EB 01           JMP     SHORT 00AF547E
00AF547D    9A 36EB02CD 206>CALL    FAR 6820:CD02EB36                ; 远距呼叫
00AF5484    A6              CMPS    BYTE PTR [ESI],BYTE PTR ES:[EDI]
00AF5485    73 42           JNB     SHORT 00AF54C9
//So much junk code here! Inside the pile of junk there is one jump that lands all the way down here:
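As an added analysis aid (not part of the original post and not from any tool it names), the following Python strips the ASProtect-style opaque short jumps seen above: `EB 01` over one garbage byte (often `9A`), `EB 02` over two garbage bytes (typically `CD 20`), optionally behind a redundant segment or REP prefix, so the real instruction stream becomes visible for triage. It is a byte-level heuristic rather than a disassembler, so a genuine one- or two-byte `JMP SHORT` inside real code would be stripped too; the sample bytes are transcribed from the listing at 00AF5153 and terminated with a constructed `C3`.

```python
from typing import Tuple

# Segment-override and REP/REPNE prefixes the packer glues in front of the
# short jumps (flagged as "superfluous prefix" in the OllyDbg listing).
JUNK_PREFIXES = {0x26, 0x2E, 0x36, 0x3E, 0x64, 0x65, 0xF2, 0xF3}
JMP_SHORT = 0xEB


def strip_junk_jumps(code: bytes) -> Tuple[bytes, int]:
    """Return (cleaned bytes, number of opaque jumps removed).

    Patterns handled:  [prefix]* EB 01 <1 garbage byte>
                       [prefix]* EB 02 <2 garbage bytes, typically CD 20>
    The prefixes, the JMP SHORT and the bytes it skips are all dropped;
    every other byte is copied through unchanged (no length decoding).
    """
    out = bytearray()
    removed = 0
    i = 0
    while i < len(code):
        j = i
        while j < len(code) and code[j] in JUNK_PREFIXES:
            j += 1                       # step over any prefix bytes
        if j + 1 < len(code) and code[j] == JMP_SHORT and code[j + 1] in (1, 2):
            i = j + 2 + code[j + 1]      # continue where the jump lands
            removed += 1
            continue
        out.append(code[i])
        i += 1
    return bytes(out), removed


def looks_junk_padded(code: bytes, min_jumps: int = 4) -> bool:
    """Triage helper: True when a code run holds at least min_jumps opaque
    jumps, a cheap hint that it is ASProtect-style junk-padded code."""
    return strip_junk_jumps(code)[1] >= min_jumps


# Constructed sample: bytes transcribed from the listing at 00AF5153,
# followed by a constructed C3 (RETN) so the run ends cleanly.
SAMPLE = bytes.fromhex(
    "EB019A"        # JMP SHORT +1 over a 9A (far-call opcode)
    "F3EB02CD20"    # REP-prefixed JMP SHORT +2 over CD 20
    "53"            # real: PUSH EBX
    "36EB02CD20"    # SS-prefixed JMP SHORT +2 over CD 20
    "0BDF"          # real: OR EBX,EDI
    "EB02CD20"      # JMP SHORT +2 over CD 20
    "C1C308"        # real: ROL EBX,8
    "EB02CD20"      # JMP SHORT +2 over CD 20
    "F2EB0169"      # REPNE-prefixed JMP SHORT +1 over 69
    "C3"            # constructed terminator: RETN
)

if __name__ == "__main__":
    clean, n = strip_junk_jumps(SAMPLE)
    print(f"removed {n} opaque jumps; real bytes: {clean.hex(' ')}")
```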

00AF79AF    68 A6734200     PUSH    4273A6
//The pile of junk code above jumps to here!

00AF79B4    68 DC75AF00     PUSH    0AF75DC
00AF79B9    C3              RETN
//This is where it returns!!!!!
==================================================
00AF50B0   /EB 01           JMP     SHORT 00AF50B3
//Returns to here!
//Pay attention now!

00AF75DF    51              PUSH    ECX
00AF75E0    57              PUSH    EDI
00AF75E1    9C              PUSHFD
00AF75E2    FC              CLD
00AF75E3    BF 2076AF00     MOV     EDI,0AF7620
00AF75E8    B9 5E140000     MOV     ECX,145E
00AF75ED    F3:AA           REP     STOS BYTE PTR ES:[EDI]
00AF75EF    9D              POPFD
00AF75F0    5F              POP     EDI                              ; Christma.004273A6
00AF75F1    59              POP     ECX                              ; Christma.004273A6
00AF75F2    C3              RETN
//Returning!
---------------------------------------
00AF75F3    55              PUSH    EBP
00AF75F4    8BEC            MOV     EBP,ESP
00AF75F6    53              PUSH    EBX
00AF75F7    56              PUSH    ESI
00AF75F8    8B75 0C         MOV     ESI,[EBP+C]
00AF75FB    8B5D 08         MOV     EBX,[EBP+8]
---------------------------------------
//Note this! This is actually the entry-point code; we will need to copy it back later, so save it now!

===========================================================

004273A6    C3              RETN
//00AF75F2 returns to here! Keep returning until 4247C9! (This is not the OEP!) The OEP was already executed above, and by now who knows where it went!


004247BD    0000            ADD     [EAX],AL
004247BF    0000            ADD     [EAX],AL
004247C1    0000            ADD     [EAX],AL
004247C3    00E8            ADD     AL,CH
004247C5    90              NOP
004247C6    90              NOP
004247C7    90              NOP
004247C8    90              NOP
//Note here: the entry code above has been wiped out! So we copy the code from 00AF75F3 over here and we are done!
//As a junior-high student I find this hard to put into words; I hope readers can follow it and digest it!

004247C9    BF 94000000     MOV     EDI,94
004247CE    8BC7            MOV     EAX,EDI
004247D0    E8 1BF2FFFF     CALL    004239F0
004247D5    8965 E8         MOV     [EBP-18],ESP
004247D8    8BF4            MOV     ESI,ESP
004247DA    893E            MOV     [ESI],EDI
004247DC    56              PUSH    ESI
004247DD    FF15 D0204300   CALL    [4320D0]

========================================================

Once the code has all been copied over, dump it with LordPE!

Then run ImportREC 1.6 to fix the imports; one of the pointers takes several tries to find (with the plugin, all of the pointers were found on my machine!)

As for how to use ImportREC 1.6, I will not explain it here; read more of FLY's articles and you will know how it is used!

After unpacking, inspection shows it was written in Microsoft Visual C++ 6.0!

197K -> 532K (I do not know how to optimize it, ashamed....)

Honestly, I think this shell is really easy to unpack; it only took half an hour, including writing this article!

Off to bed~~~~~ Merry Christmas everyone; algorithm experts, crack this quickly and make a keygen so the crackers can celebrate Christmas together..........