【Preface】: Haha, 二哥 asked me to help unpack this, and I nearly forgot about it while watching 幻影! Only getting to it now, sorry!
Unpacking ASProtect 1.23 RC4 - 1.3.08.24 -> Alexey Solodovnikov
【Software name】: Christmas 3D Screensaver
【Download page】: http://www.3planesoft.com
【Software size】: Rather big!
【Platform】: WIN9X/WINNT/WIN2K/WINXP
【Description】: Seems to be something Christmas-related; whoever cracks it, please post a keygen so I can download it and take it home for Christmas! Thanks.
【Protection】: ASProtect 1.23 RC4 - 1.3.08.24 -> Alexey Solodovnikov
【Author】: 辉仔Yock
【Author's statement】: I am publishing this article only for learning and research!!! Please do not use it commercially or freely distribute keygens or patches made with the method in this article; whatever readers do after reading it has nothing to do with me and I take no responsibility, so please think twice before acting! Finally, I hope everyone supports shareware once their finances allow! (Here I bow with the deepest apologies to the author of this software...)
【Tools】: OD, LordPE, ImportREC
—————————————————————————————————
【Process】:
Before reading, keep firmly in mind that ASProtect's addresses are different on every run; the last short stretch of the code below was copied in two separate passes, so don't go by the addresses in the listing, you need to understand what I did!
After loading in OD, hide OD! Ignore all exceptions (except memory access).
F9 to run; an exception occurs. Pass through the exceptions with Shift+F9 25 times to get here:
00AE39EC 3100 XOR [EAX],EAX
//Exception here!
00AE39EE 64:8F05 0000000>POP DWORD PTR FS:[0] ; 0012FFE0
00AE39F5 58 POP EAX ; 0012FFE0
00AE39F6 833D B07EAE00 0>CMP DWORD PTR [AE7EB0],0
00AE39FD 74 14 JE SHORT 00AE3A13
00AE39FF 6A 0C PUSH 0C
00AE3A01 B9 B07EAE00 MOV ECX,0AE7EB0
00AE3A06 8D45 F8 LEA EAX,[EBP-8]
00AE3A09 BA 04000000 MOV EDX,4
00AE3A0E E8 2DD1FFFF CALL 00AE0B40
00AE3A13 FF75 FC PUSH DWORD PTR [EBP-4]
00AE3A16 FF75 F8 PUSH DWORD PTR [EBP-8]
00AE3A19 8B45 F4 MOV EAX,[EBP-C] ; Christma.004707D2
00AE3A1C 8338 00 CMP DWORD PTR [EAX],0
00AE3A1F 74 02 JE SHORT 00AE3A23
00AE3A21 FF30 PUSH DWORD PTR [EAX]
00AE3A23 FF75 F0 PUSH DWORD PTR [EBP-10] ; Christma.00400000
00AE3A26 FF75 EC PUSH DWORD PTR [EBP-14]
00AE3A29 C3 RETN
//Set a breakpoint here with F2, then press Shift+F9 and it stops here!
//Remove the breakpoint, then press F7 to return
00AF4F28 8AF3 MOV DH,BL
//Returns to here!
//From here on, trace slowly with F7!
00AF4F2A 66:81C0 A665 ADD AX,65A6
00AF4F2F 66:81C9 3236 OR CX,3632
00AF4F34 E8 08000000 CALL 00AF4F41
00AF4F39 0039 ADD [ECX],BH
00AF4F3B ^ 7E DF JLE SHORT 00AF4F1C
00AF4F3D 2C F5 SUB AL,0F5
00AF4F3F 8AFB MOV BH,BL
00AF4F41 0F84 02000000 JE 00AF4F49
00AF4F47 8BC3 MOV EAX,EBX
00AF4F49 5F POP EDI ; Christma.00400000
00AF4F4A 0FBFD0 MOVSX EDX,AX
00AF4F4D 81C7 15160000 ADD EDI,1615
00AF4F53 B9 1D4FD976 MOV ECX,76D94F1D
00AF4F58 66:B8 19C0 MOV AX,0C019
00AF4F5C 66:BA 8C55 MOV DX,558C
00AF4F60 2BDB SUB EBX,EBX
00AF4F62 E9 0D000000 JMP 00AF4F74
00AF4F67 51 PUSH ECX
00AF4F68 B6 B7 MOV DH,0B7
00AF4F6A 24 8D AND AL,8D
00AF4F6C 42 INC EDX
00AF4F6D 53 PUSH EBX
00AF4F6E 90 NOP
00AF4F6F 898E AFBC45B9 MOV [ESI+B945BCAF],ECX
00AF4F75 C138 5A SAR DWORD PTR [EAX],5A ; 移动常数超出 1..31 的范围
00AF4F78 67:0F87 0600000>JA 00AF4F85 ; 多余的前缀
00AF4F7F 66:8BD6 MOV DX,SI
00AF4F82 80F1 EC XOR CL,0EC
00AF4F85 FF343B PUSH DWORD PTR [EBX+EDI]
00AF4F88 81E0 842A501B AND EAX,1B502A84
00AF4F8E 0FB7CF MOVZX ECX,DI
00AF4F91 5E POP ESI ; Christma.00400000
00AF4F92 0F83 05000000 JNB 00AF4F9D
00AF4F98 80C9 C6 OR CL,0C6
00AF4F9B B1 43 MOV CL,43
00AF4F9D 81C6 2A7E6325 ADD ESI,25637E2A
00AF4FA3 E8 06000000 CALL 00AF4FAE
00AF4FA8 76 77 JBE SHORT 00AF5021
00AF4FAA E4 4D IN AL,4D ; I/O 命令
00AF4FAC 0213 ADD DL,[EBX]
00AF4FAE 66:B8 0507 MOV AX,705
00AF4FB2 B4 0E MOV AH,0E
00AF4FB4 5A POP EDX ; Christma.00400000
00AF4FB5 53 PUSH EBX
00AF4FB6 B9 B90CD669 MOV ECX,69D60CB9
00AF4FBB 0FBFC1 MOVSX EAX,CX
00AF4FBE 5A POP EDX ; Christma.00400000
00AF4FBF 66:81E2 5734 AND DX,3457
00AF4FC4 81F6 1BB4497A XOR ESI,7A49B41B
00AF4FCA 80E5 B0 AND CH,0B0
00AF4FCD 8AF4 MOV DH,AH
00AF4FCF 81EE B819242E SUB ESI,2E2419B8
00AF4FD5 81DA 47E12F2A SBB EDX,2A2FE147
00AF4FDB E8 12000000 CALL 00AF4FF2
00AF4FE0 12E3 ADC AH,BL
00AF4FE2 ^ E0 99 LOOPDNE SHORT 00AF4F7D
00AF4FE4 5E POP ESI ; Christma.00400000
00AF4FE5 3F AAS
00AF4FE6 0C 55 OR AL,55
00AF4FE8 6A 5B PUSH 5B
00AF4FEA F8 CLC
00AF4FEB D136 SAL DWORD PTR [ESI],1
00AF4FED 37 AAA
00AF4FEE A4 MOVS BYTE PTR ES:[EDI],BYTE PTR [ESI]
00AF4FEF 0D C2D3E913 OR EAX,13E9D3C2
00AF4FF4 0000 ADD [EAX],AL
00AF4FF6 002F ADD [EDI],CH
00AF4FF8 3C C5 CMP AL,0C5
00AF4FFA 1A4B 28 SBB CL,[EBX+28]
00AF4FFD 41 INC ECX
00AF4FFE E6 27 OUT 27,AL ; I/O 命令
00AF5000 D4 7D AAM 7D
00AF5002 ^ 72 C3 JB SHORT 00AF4FC7
00AF5004 40 INC EAX ; Christma.004707D2
00AF5005 ^ 79 BE JNS SHORT 00AF4FC5
00AF5007 1F POP DS ; 修正的段位寄存器
00AF5008 6C INS BYTE PTR ES:[EDI],DX ; I/O 命令
00AF5009 35 B2A25856 XOR EAX,5658A2B2
00AF500E 81DA E9138344 SBB EDX,448313E9
00AF5014 0F8B 08000000 JPO 00AF5022
00AF501A 66:8BD0 MOV DX,AX
00AF501D BA 4657B770 MOV EDX,70B75746
00AF5022 E8 09000000 CALL 00AF5030
00AF5027 5D POP EBP ; Christma.00400000
00AF5028 D2A3 A0591EFF SHL BYTE PTR [EBX+FF1E59A0],CL
00AF502E CC INT3
00AF502F 15 66B8914A ADC EAX,4A91B866
00AF5034 B9 CDFE696D MOV ECX,6D69FECD
00AF5039 80D9 FC SBB CL,0FC
00AF503C 58 POP EAX ; Christma.00400000
00AF503D 8F041F POP DWORD PTR [EDI+EBX] ; Christma.00400000
00AF5040 8BCA MOV ECX,EDX
00AF5042 66:8BD3 MOV DX,BX
00AF5045 66:BA 2C34 MOV DX,342C
00AF5049 0FB7C3 MOVZX EAX,BX
00AF504C 83EB 04 SUB EBX,4
00AF504F 8AD1 MOV DL,CL
00AF5051 8BD6 MOV EDX,ESI
00AF5053 E8 14000000 CALL 00AF506C
00AF5058 5C POP ESP ; Christma.00400000
00AF5059 65:3AEB CMP CH,BL ; 多余的前缀
00AF505C 48 DEC EAX ; Christma.004707D2
00AF505D E1 06 LOOPDE SHORT 00AF5065
00AF505F C7 ??? ; 未知命令
00AF5060 F4 HLT ; 特权级命令
00AF5061 1D 92636019 SBB EAX,19606392
00AF5066 DEBF 8CD5EADB FIDIVR WORD PTR [EDI+DBEAD58C]
00AF506C B0 C0 MOV AL,0C0
00AF506E 56 PUSH ESI
00AF506F BA BCDCF462 MOV EDX,62F4DCBC
00AF5074 0FB7CB MOVZX ECX,BX
00AF5077 59 POP ECX ; Christma.00400000
00AF5078 5A POP EDX ; Christma.00400000
00AF5079 81FB 54EBFFFF CMP EBX,-14AC
00AF507F ^ 0F85 00FFFFFF JNZ 00AF4F85
//Note that this jumps back into the loop! Set a breakpoint further down, then run to it!
00AF5085 E9 0E000000 JMP 00AF5098
//Set the breakpoint here! Once it breaks, clear it and press F7
===============================================
00AF5098 /0F8F 04000000 JG 00AF50A2
//Arrive here!
//Below is a new kind of junk code; quite interesting, so be patient and trace slowly!
00AF509E |66:B9 2579 MOV CX,7925
00AF50A2 66:B8 A182 MOV AX,82A1
00AF50A6 5B POP EBX ; Christma.00400000
00AF50A7 58 POP EAX ; Christma.00400000
00AF50A8 05 1E9EDFB8 ADD EAX,B8DF9E1E
00AF50AD 5C POP ESP ; Christma.00400000
00AF50AE EB 44 JMP SHORT 00AF50F4
00AF50B0 EB 01 JMP SHORT 00AF50B3
00AF50B2 9A 51579CFC BF0>CALL FAR 00BF:FC9C5751 ; 远距呼叫
00AF50B9 0000 ADD [EAX],AL
00AF50BB 00B9 00000000 ADD [ECX],BH
00AF50C1 F3:AA REP STOS BYTE PTR ES:[EDI]
00AF50C3 9D POPFD
00AF50C4 5F POP EDI ; Christma.00400000
00AF50C5 59 POP ECX ; Christma.00400000
00AF50C6 C3 RETN
00AF50C7 55 PUSH EBP
00AF50C8 8BEC MOV EBP,ESP
00AF50CA 53 PUSH EBX
00AF50CB 56 PUSH ESI
00AF50CC 8B75 0C MOV ESI,[EBP+C]
00AF50CF 8B5D 08 MOV EBX,[EBP+8] ; Christma.004703C2
00AF50D2 EB 11 JMP SHORT 00AF50E5
00AF50D4 0FB703 MOVZX EAX,WORD PTR [EBX]
00AF50D7 03C6 ADD EAX,ESI
00AF50D9 83C3 02 ADD EBX,2
00AF50DC 8BD0 MOV EDX,EAX
00AF50DE 8BC6 MOV EAX,ESI
00AF50E0 E8 0C000000 CALL 00AF50F1
00AF50E5 66:833B 00 CMP WORD PTR [EBX],0
00AF50E9 ^ 75 E9 JNZ SHORT 00AF50D4
00AF50EB 5E POP ESI ; Christma.00400000
00AF50EC 5B POP EBX ; Christma.00400000
00AF50ED 5D POP EBP ; Christma.00400000
00AF50EE C2 0800 RETN 8
00AF50F1 0102 ADD [EDX],EAX
00AF50F3 C3 RETN
00AF50F4 03C3 ADD EAX,EBX
00AF50F6 BB 36030000 MOV EBX,336
00AF50FB 0BDB OR EBX,EBX
00AF50FD 75 07 JNZ SHORT 00AF5106
00AF50FF 894424 1C MOV [ESP+1C],EAX
00AF5103 61 POPAD
00AF5104 50 PUSH EAX
00AF5105 C3 RETN
00AF5106 E8 00000000 CALL 00AF510B
00AF510B 5D POP EBP ; Christma.00400000
00AF510C 81ED 4DE14B00 SUB EBP,4BE14D
00AF5112 8D85 F2E04B00 LEA EAX,[EBP+4BE0F2]
00AF5118 8D8D 94E14B00 LEA ECX,[EBP+4BE194]
00AF511E 03CB ADD ECX,EBX
00AF5120 8941 01 MOV [ECX+1],EAX
00AF5123 8D85 36E14B00 LEA EAX,[EBP+4BE136]
00AF5129 8D8D FAE04B00 LEA ECX,[EBP+4BE0FA]
00AF512F 8901 MOV [ECX],EAX
00AF5131 B8 5E140000 MOV EAX,145E
00AF5136 8D8D FFE04B00 LEA ECX,[EBP+4BE0FF]
00AF513C 8901 MOV [ECX],EAX
00AF513E 8D8D 94E14B00 LEA ECX,[EBP+4BE194]
00AF5144 8D85 94F34B00 LEA EAX,[EBP+4BF394]
00AF514A 51 PUSH ECX
00AF514B 50 PUSH EAX
00AF514C E8 76FFFFFF CALL 00AF50C7
00AF5151 61 POPAD
00AF5152 F2: PREFIX REPNE: ; 多余的前缀
//See this? Heh heh! You're in for it!
00AF5153 EB 01 JMP SHORT 00AF5156
00AF5155 9A F3EB02CD 205>CALL FAR 5320:CD02EBF3 ; 远距呼叫
00AF515C 36:EB 02 JMP SHORT 00AF5161 ; 多余的前缀
00AF515F CD20 0BDFEB02 VxDCall 2EBDF0B
00AF5165 CD20 C1C308EB VxDCall EB08C3C1
00AF516B 02CD ADD CL,CH
00AF516D 20F2 AND DL,DH
00AF516F EB 01 JMP SHORT 00AF5172
00AF5171 698D 1CADFD4D F>IMUL ECX,[EBP+4DFDAD1C],EBF2B1F4
00AF517B 010F ADD [EDI],ECX
00AF517D 65:EB 02 JMP SHORT 00AF5182 ; 多余的前缀
00AF5180 CD20 55F3EB02 VxDCall 2EBF355
00AF5186 CD20 C7442400 VxDCall 2444C7
00AF518C 2C 00 SUB AL,0
00AF518E 0000 ADD [EAX],AL
00AF5190 5B POP EBX ; Christma.00400000
00AF5191 FF53 1B CALL [EBX+1B]
00AF5194 699A 0F9A0F4E 0>IMUL EBX,[EDX+4E0F9A0F],E8000000
00AF519E F3: PREFIX REP: ; 多余的前缀
00AF519F 9A 5B26EB01 9A8>CALL FAR 819A:01EB265B ; 远距呼叫
00AF51A6 D3EF SHR EDI,CL
00AF51A8 FA CLI
00AF51A9 96 XCHG EAX,ESI
00AF51AA 42 INC EDX
00AF51AB F2: PREFIX REPNE: ; 多余的前缀
00AF51AC EB 01 JMP SHORT 00AF51AF
00AF51AE C7 ??? ; 未知命令
00AF51AF F3: PREFIX REP: ; 多余的前缀
00AF51B0 EB 02 JMP SHORT 00AF51B4
00AF51B2 CD20 0FA3CBF2 VxDCall F2CBA30F
00AF51B8 EB 01 JMP SHORT 00AF51BB
00AF51BA E8 2BDF5B6A CALL 6B0B30EA
00AF51BF 60 PUSHAD
00AF51C0 68 A0444300 PUSH 4344A0
00AF51C5 F3: PREFIX REP: ; 多余的前缀
00AF51C6 EB 02 JMP SHORT 00AF51CA
00AF51C8 CD20 66812D82 VxDCall 822D8166
00AF51CE 0000 ADD [EAX],AL
00AF51D0 0085 47F3704A ADD [EBP+4A70F347],AL
00AF51D6 CD20 53EB087F VxDCall 7F08EB53
00AF51DC ^ 7D F4 JGE SHORT 00AF51D2
00AF51DE FC CLD
00AF51DF 7F 7D JG SHORT 00AF525E
00AF51E1 F4 HLT ; 特权级命令
00AF51E2 FC CLD
00AF51E3 F3: PREFIX REP: ; 多余的前缀
00AF51E4 EB 02 JMP SHORT 00AF51E8
00AF51E6 CD20 8D9E8900 VxDCall 899E8D
00AF51EC 0000 ADD [EAX],AL
00AF51EE 2BDE SUB EBX,ESI
00AF51F0 F2: PREFIX REPNE: ; 多余的前缀
00AF51F1 EB 01 JMP SHORT 00AF51F4
00AF51F3 F0:83EC 08 LOCK SUB ESP,8 ; 锁定前缀是不允许的
00AF51F7 EB 02 JMP SHORT 00AF51FB
00AF51F9 CD20 8D640404 VxDCall 404648D
00AF51FF 2BE0 SUB ESP,EAX
00AF5201 F3: PREFIX REP: ; 多余的前缀
00AF5202 EB 02 JMP SHORT 00AF5206
00AF5204 CD20 50EB02CD VxDCall CD02EB50
00AF520A 208F 442400F3 AND [EDI+F3002444],CL
00AF5210 EB 02 JMP SHORT 00AF5214
00AF5212 CD20 8B430026 VxDCall 2600438B
00AF5218 EB 01 JMP SHORT 00AF521B
00AF521A 0F57EB XORPS XMM5,XMM3
00AF521D 02CD ADD CL,CH
00AF521F 208D 6424F583 AND [EBP+83F52464],CL
00AF5225 C458 8D LES EBX,[EAX-73] ; 修正的段位寄存器
00AF5228 64:24 AF AND AL,0AF ; 多余的前缀
00AF522B EB 01 JMP SHORT 00AF522E
00AF522D 9A 53F3EB02 CD2>CALL FAR 20CD:02EBF353 ; 远距呼叫
00AF5234 8F4424 00 POP DWORD PTR [ESP] ; Christma.00400000
00AF5238 F3: PREFIX REP: ; 多余的前缀
00AF5239 EB 02 JMP SHORT 00AF523D
00AF523B CD20 55F3EB02 VxDCall 2EBF355
00AF5241 CD20 8D6424CE VxDCall CE24648D
00AF5247 F2: PREFIX REPNE: ; 多余的前缀
00AF5248 EB 01 JMP SHORT 00AF524B
00AF524A E8 8D643C63 CALL 63EBB6DC
00AF524F 2BE7 SUB ESP,EDI
00AF5251 2E:EB 02 JMP SHORT 00AF5256 ; 多余的前缀
00AF5254 CD20 8D6434CB VxDCall CB34648D
00AF525A 2BE6 SUB ESP,ESI
00AF525C 26:EB 02 JMP SHORT 00AF5261 ; 多余的前缀
00AF525F CD20 89542400 VxDCall 245489
00AF5265 EB 02 JMP SHORT 00AF5269
00AF5267 CD20 83EC0F36 VxDCall 360FEC83
00AF526D EB 02 JMP SHORT 00AF5271
00AF526F CD20 8D642467 VxDCall 6724648D
00AF5275 EB 01 JMP SHORT 00AF5278
00AF5277 698D 6424A4F2 E>IMUL ECX,[EBP+F2A42464],51F001EB
00AF5281 2E:EB 01 JMP SHORT 00AF5285 ; 多余的前缀
00AF5284 F3: PREFIX REP: ; 多余的前缀
00AF5285 8F4424 00 POP DWORD PTR [ESP] ; Christma.00400000
00AF5289 F3: PREFIX REP: ; 多余的前缀
00AF528A EB 02 JMP SHORT 00AF528E
00AF528C CD20 F2EB019A VxDCall 9A01EBF2
00AF5292 68 3704FF07 PUSH 7FF0437
00AF5297 51 PUSH ECX
00AF5298 897424 04 MOV [ESP+4],ESI
00AF529C EB 02 JMP SHORT 00AF52A0
00AF529E CD20 8F4424FC VxDCall FC24448F
00AF52A4 F3: PREFIX REP: ; 多余的前缀
00AF52A5 EB 02 JMP SHORT 00AF52A9
00AF52A7 CD20 C1C066EB VxDCall EB66C0C1
00AF52AD 01F3 ADD EBX,ESI
00AF52AF 48 DEC EAX
00AF52B0 8BE8 MOV EBP,EAX
00AF52B2 EB 02 JMP SHORT 00AF52B6
00AF52B4 CD20 83F5EB87 VxDCall 87EBF583
00AF52BA FD STD
00AF52BB F3: PREFIX REP: ; 多余的前缀
00AF52BC EB 02 JMP SHORT 00AF52C0
00AF52BE CD20 C1CF232E VxDCall 2E23CFC1
00AF52C4 EB 02 JMP SHORT 00AF52C8
00AF52C6 CD20 F7D7575E VxDCall 5E57D7F7
00AF52CC EB 02 JMP SHORT 00AF52D0
00AF52CE CD20 81EE2EDD VxDCall DD2EEE81
00AF52D4 06 PUSH ES
00AF52D5 3E:8BC6 MOV EAX,ESI ; 多余的前缀
00AF52D8 2E:EB 02 JMP SHORT 00AF52DD ; 多余的前缀
00AF52DB CD20 81F00749 VxDCall 4907F081
00AF52E1 DF ??? ; 未知命令
00AF52E2 09F3 OR EBX,ESI
00AF52E4 EB 02 JMP SHORT 00AF52E8
00AF52E6 CD20 4036EB02 VxDCall 2EB3640
00AF52EC CD20 5EEB01C7 VxDCall C701EB5E
00AF52F2 59 POP ECX ; Christma.00400000
00AF52F3 F3: PREFIX REP: ; 多余的前缀
00AF52F4 EB 02 JMP SHORT 00AF52F8
00AF52F6 CD20 5A2EEB02 VxDCall 2EB2E5A
00AF52FC CD20 5DF2EB01 VxDCall 1EBF25D
00AF5302 E8 5BEB01F0 CALL F0B13E62
00AF5307 5F POP EDI ; Christma.00400000
00AF5308 EB 01 JMP SHORT 00AF530B
00AF530A 69BB 8D000000 F>IMUL EDI,[EBX+8D],0F01EBF2
00AF5314 8943 00 MOV [EBX],EAX
00AF5317 58 POP EAX ; Christma.00400000
00AF5318 5B POP EBX ; Christma.00400000
00AF5319 EB 02 JMP SHORT 00AF531D
00AF531B CD20 FF358D00 VxDCall 8D35FF
00AF5321 0000 ADD [EAX],AL
00AF5323 68 BC3D4200 PUSH 423DBC
00AF5328 64:A1 00000000 MOV EAX,FS:[0]
00AF532E F3: PREFIX REP: ; 多余的前缀
00AF532F EB 02 JMP SHORT 00AF5333
00AF5331 CD20 F3EB02CD VxDCall CD02EBF3
00AF5337 20FF AND BH,BH
00AF5339 74 24 JE SHORT 00AF535F
00AF533B 05 66812DF4 ADD EAX,F42D8166
00AF5340 0100 ADD [EAX],EAX
00AF5342 00BCDA EBBEA720 ADD [EDX+EBX*8+20A7BEEB],BH
00AF5349 64:FF35 0000000>PUSH DWORD PTR FS:[0]
00AF5350 894424 04 MOV [ESP+4],EAX
00AF5354 66:8105 0C02000>ADD WORD PTR [20C],0C008
00AF535D 3E:E3 42 JECXZ SHORT 00AF53A2 ; 多余的前缀
00AF5360 CD20 83EC2583 VxDCall 8325EC83
00AF5366 C429 LES EBP,[ECX] ; 修正的段位寄存器
00AF5368 8B4424 10 MOV EAX,[ESP+10]
00AF536C 896C24 10 MOV [ESP+10],EBP
00AF5370 8D6C24 10 LEA EBP,[ESP+10]
00AF5374 2BE0 SUB ESP,EAX
00AF5376 F3: PREFIX REP: ; 多余的前缀
00AF5377 EB 02 JMP SHORT 00AF537B
00AF5379 CD20 F3EB02CD VxDCall CD02EBF3
00AF537F 20FF AND BH,BH
00AF5381 74 24 JE SHORT 00AF53A7
00AF5383 05 66812D3C ADD EAX,3C2D8166
00AF5388 0200 ADD AL,[EAX]
00AF538A 00BCDA EBBEA720 ADD [EDX+EBX*8+20A7BEEB],BH
00AF5391 64:FF35 0000000>PUSH DWORD PTR FS:[0]
00AF5398 895C24 04 MOV [ESP+4],EBX
00AF539C 66:8105 5402000>ADD WORD PTR [254],0C008
00AF53A5 3E:E3 42 JECXZ SHORT 00AF53EA ; 多余的前缀
00AF53A8 CD20 83EC2583 VxDCall 8325EC83
00AF53AE C429 LES EBP,[ECX] ; 修正的段位寄存器
00AF53B0 F3: PREFIX REP: ; 多余的前缀
00AF53B1 EB 02 JMP SHORT 00AF53B5
00AF53B3 CD20 F3EB02CD VxDCall CD02EBF3
00AF53B9 20FF AND BH,BH
00AF53BB 74 24 JE SHORT 00AF53E1
00AF53BD 05 66812D76 ADD EAX,762D8166
00AF53C2 0200 ADD AL,[EAX]
00AF53C4 00BCDA EBBEA720 ADD [EDX+EBX*8+20A7BEEB],BH
00AF53CB 64:FF35 0000000>PUSH DWORD PTR FS:[0]
00AF53D2 897424 04 MOV [ESP+4],ESI
00AF53D6 66:8105 8E02000>ADD WORD PTR [28E],0C008
00AF53DF 3E:E3 42 JECXZ SHORT 00AF5424 ; 多余的前缀
00AF53E2 CD20 83EC2583 VxDCall 8325EC83
00AF53E8 C429 LES EBP,[ECX] ; 修正的段位寄存器
00AF53EA F3: PREFIX REP: ; 多余的前缀
00AF53EB EB 02 JMP SHORT 00AF53EF
00AF53ED CD20 F3EB02CD VxDCall CD02EBF3
00AF53F3 20FF AND BH,BH
00AF53F5 74 24 JE SHORT 00AF541B
00AF53F7 05 66812DB0 ADD EAX,B02D8166
00AF53FC 0200 ADD AL,[EAX]
00AF53FE 00BCDA EBBEA720 ADD [EDX+EBX*8+20A7BEEB],BH
00AF5405 64:FF35 0000000>PUSH DWORD PTR FS:[0]
00AF540C 897C24 04 MOV [ESP+4],EDI
00AF5410 66:8105 C802000>ADD WORD PTR [2C8],0C008
00AF5419 3E:E3 42 JECXZ SHORT 00AF545E ; 多余的前缀
00AF541C CD20 83EC2583 VxDCall 8325EC83
00AF5422 C429 LES EBP,[ECX] ; 修正的段位寄存器
00AF5424 8B45 F8 MOV EAX,[EBP-8]
00AF5427 8965 E8 MOV [EBP-18],ESP
00AF542A F3: PREFIX REP: ; 多余的前缀
00AF542B EB 02 JMP SHORT 00AF542F
00AF542D CD20 F3EB02CD VxDCall CD02EBF3
00AF5433 20FF AND BH,BH
00AF5435 74 24 JE SHORT 00AF545B
00AF5437 05 66812DF0 ADD EAX,F02D8166
00AF543C 0200 ADD AL,[EAX]
00AF543E 00BCDA EBBEA720 ADD [EDX+EBX*8+20A7BEEB],BH
00AF5445 64:FF35 0000000>PUSH DWORD PTR FS:[0]
00AF544C 894424 04 MOV [ESP+4],EAX
00AF5450 66:8105 0803000>ADD WORD PTR [308],0C008
00AF5459 3E:E3 42 JECXZ SHORT 00AF549E ; 多余的前缀
00AF545C CD20 83EC2583 VxDCall 8325EC83
00AF5462 C429 LES EBP,[ECX] ; 修正的段位寄存器
00AF5464 8B45 FC MOV EAX,[EBP-4]
00AF5467 C745 FC FFFFFFF>MOV DWORD PTR [EBP-4],-1
00AF546E 8945 F8 MOV [EBP-8],EAX
00AF5471 8D45 F0 LEA EAX,[EBP-10]
00AF5474 64:A3 00000000 MOV FS:[0],EAX
00AF547A F2: PREFIX REPNE: ; 多余的前缀
00AF547B EB 01 JMP SHORT 00AF547E
00AF547D 9A 36EB02CD 206>CALL FAR 6820:CD02EB36 ; 远距呼叫
00AF5484 A6 CMPS BYTE PTR [ESI],BYTE PTR ES:[EDI]
00AF5485 73 42 JNB SHORT 00AF54C9
//Lots of junk code here! Inside the pile of junk there is a jump that suddenly takes you down to here:
00AF79AF 68 A6734200 PUSH 4273A6
//The junk-code pile above jumps to here!
00AF79B4 68 DC75AF00 PUSH 0AF75DC
00AF79B9 C3 RETN
//This is where it returns!!!!!
==================================================
00AF50B0 /EB 01 JMP SHORT 00AF50B3
//Returns to here!
//Pay attention now!
00AF75DF 51 PUSH ECX
00AF75E0 57 PUSH EDI
00AF75E1 9C PUSHFD
00AF75E2 FC CLD
00AF75E3 BF 2076AF00 MOV EDI,0AF7620
00AF75E8 B9 5E140000 MOV ECX,145E
00AF75ED F3:AA REP STOS BYTE PTR ES:[EDI]
00AF75EF 9D POPFD
00AF75F0 5F POP EDI ; Christma.004273A6
00AF75F1 59 POP ECX ; Christma.004273A6
00AF75F2 C3 RETN
//Returned!
---------------------------------------
00AF75F3 55 PUSH EBP
00AF75F4 8BEC MOV EBP,ESP
00AF75F6 53 PUSH EBX
00AF75F7 56 PUSH ESI
00AF75F8 8B75 0C MOV ESI,[EBP+C]
00AF75FB 8B5D 08 MOV EBX,[EBP+8]
---------------------------------------
//Note this! This is actually the entry code; we will have to copy it back later, so save it now!
===========================================================
004273A6 C3 RETN
//00AF75F2 returns to here! Keep returning until 4247C9! (This is not the OEP!) The OEP was already passed above, and now who knows where it has gone!
004247BD 0000 ADD [EAX],AL
004247BF 0000 ADD [EAX],AL
004247C1 0000 ADD [EAX],AL
004247C3 00E8 ADD AL,CH
004247C5 90 NOP
004247C6 90 NOP
004247C7 90 NOP
004247C8 90 NOP
//Note here: the entry code above has been wiped out! So we just copy the code from 00AF75F3 over and we're done!
//As a junior-high student I find this hard to put into words; I hope readers can understand and digest it!
004247C9 BF 94000000 MOV EDI,94
004247CE 8BC7 MOV EAX,EDI
004247D0 E8 1BF2FFFF CALL 004239F0
004247D5 8965 E8 MOV [EBP-18],ESP
004247D8 8BF4 MOV ESI,ESP
004247DA 893E MOV [ESI],EDI
004247DC 56 PUSH ESI
004247DD FF15 D0204300 CALL [4320D0]
========================================================
Once the code is all copied in, use LordPE to dump it!
Then run ImportREC 1.6 to repair it; one pointer takes a few tries to find (with the plugin, my machine found every pointer!)
I won't explain how to use ImportREC 1.6; read FLY's articles and you'll know how.
After unpacking, it turns out to be written in Microsoft Visual C++ 6.0!
197K->532K (I don't know how to optimize it, ashamed....)
Honestly, this shell felt pretty easy to unpack: half an hour, article included!
Off to bed~~~~~ Merry Christmas everyone; algorithm experts, crack this quickly and make a keygen for the Crackers to celebrate Christmas together..........
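The stolen-bytes repair described above (save the entry code at 00AF75F3, write it back into the wiped region at 004247BD, then dump) can also be done as a reproducible fix-up on the dumped file instead of by hand in OllyDbg, which is how an analyst would want to record it. This is an added example, not code from the original post: it builds a constructed miniature PE with a zeroed entry region (not the real screensaver), writes the 11 recovered bytes back at the OEP, sets AddressOfEntryPoint, and refuses to overwrite anything that does not look like a filler hole. The image base 00400000, the OEP 004247BD and the bytes 55 8B EC 53 56 8B 75 0C 8B 5D 08 are taken from the listing above; the section layout of the sample, the exact position of the bytes inside the hole, and the rule that treats 00/90/CC as filler are my assumptions.

```python
import struct

# Values taken from the listing in the post above.
IMAGE_BASE = 0x00400000                              # Christma.00400000
OEP_VA = 0x004247BD                                  # start of the wiped entry region
STOLEN = bytes.fromhex("558BEC53568B750C8B5D08")    # PUSH EBP / MOV EBP,ESP / PUSH EBX / PUSH ESI
                                                     # MOV ESI,[EBP+C] / MOV EBX,[EBP+8]  (from 00AF75F3)

# Layout of the constructed sample PE (assumption; not the real binary).
SECTION_RVA = 0x24000
SECTION_RAW = 0x200
FILLER = {0x00, 0x90, 0xCC}                          # bytes accepted as "hole" content (assumption)


def build_sample_pe():
    """Constructed 32-bit PE with one section whose entry bytes were wiped, like the dump."""
    sec = bytearray(0x1000)
    hole = OEP_VA - IMAGE_BASE - SECTION_RVA                     # 0x7BD inside the section
    sec[hole:hole + 12] = b"\x00" * 7 + b"\x90" * 5              # zeros and NOPs where the entry code was
    sec[hole + 12:hole + 19] = bytes.fromhex("BF940000008BC7")  # 004247C9: MOV EDI,94 / MOV EAX,EDI
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 16, 0)                           # AddressOfEntryPoint: not yet fixed in the dump
    struct.pack_into("<I", opt, 28, IMAGE_BASE)
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)              # SectionAlignment, FileAlignment
    sec_hdr = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, SECTION_RVA, 0x1000,
                          SECTION_RAW, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + sec_hdr).ljust(SECTION_RAW, b"\0")
    return headers + bytes(sec)


def _nt_header(pe):
    return struct.unpack_from("<I", pe, 0x3C)[0]


def rva_to_offset(pe, rva):
    """Map an RVA to a file offset through the section table."""
    nt = _nt_header(pe)
    nsec = struct.unpack_from("<H", pe, nt + 6)[0]
    opt_size = struct.unpack_from("<H", pe, nt + 20)[0]
    table = nt + 24 + opt_size
    for i in range(nsec):
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", pe, table + 40 * i + 8)
        if va <= rva < va + max(vsize, rawsize):
            return rawptr + (rva - va)
    raise ValueError("RVA %#x is not inside any section" % rva)


def entry_point_rva(pe):
    return struct.unpack_from("<I", pe, _nt_header(pe) + 24 + 16)[0]


def looks_like_hole(data):
    """True when the region holds only filler (00 / NOP / INT3), i.e. it is safe to overwrite."""
    return len(data) > 0 and all(b in FILLER for b in data)


def restore_stolen_bytes(pe, image_base, oep_va, stolen, force=False):
    """Write the recovered entry bytes at the OEP and point AddressOfEntryPoint at them.

    Returns (patched_pe, bytes_that_were_there_before). Refuses to overwrite
    anything that does not look like a wiped hole unless force=True.
    """
    pe = bytearray(pe)
    rva = oep_va - image_base
    off = rva_to_offset(pe, rva)
    previous = bytes(pe[off:off + len(stolen)])
    if not force and not looks_like_hole(previous):
        raise ValueError("region at %#x holds %s, not filler; pass force=True to overwrite"
                         % (oep_va, previous.hex()))
    pe[off:off + len(stolen)] = stolen
    struct.pack_into("<I", pe, _nt_header(pe) + 24 + 16, rva)    # AddressOfEntryPoint
    return bytes(pe), previous


if __name__ == "__main__":
    dump = build_sample_pe()
    fixed, before = restore_stolen_bytes(dump, IMAGE_BASE, OEP_VA, STOLEN)
    print("hole held: %s" % before.hex())
    ep = entry_point_rva(fixed)
    print("entry point now RVA %#x at file offset %#x" % (ep, rva_to_offset(fixed, ep)))
```

On a real dump you would read the file with `open(path, "rb")`, pass the image base and OEP you noted in the debugger, and write the returned bytes out before handing the file to ImportREC. The filler check is the part worth keeping: if the region at the supposed OEP already holds code, the address noted during tracing is probably wrong, and silently overwriting it would produce a dump that looks repaired but crashes at start.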