The software was downloaded from 华军软件园 (Huajun Software Park).
Yesterday I saw a related post on the forum; somehow it has disappeared today.
My thanks here to fly for that post.
I also saw an article on this in Encryption and Decryption (《加密与解密》), 2nd edition.
PEiD reports the packer as "Delphi heuristic" (I don't understand that).
FI identifies it as SoftSentry :idea:
Step through it in OllyDbg (OD).
510F4270 > 55 PUSH EBP
510F4271 8BEC MOV EBP,ESP
510F4273 83EC 78 SUB ESP,78
510F4276 53 PUSH EBX
510F4277 56 PUSH ESI
510F4278 57 PUSH EDI
510F4279 E9 C4060000 JMP FLASHDS_.510F4942 ***** standard SoftSentry ***** :)
510F427E 0000 ADD BYTE PTR DS:[EAX],AL
510F4280 70 42 JO SHORT FLASHDS_.510F42C4
Follow the jumps one by one:
510F4940 EB 05 JMP SHORT FLASHDS_.510F4947
510F4942 ^E9 27FAFFFF JMP FLASHDS_.510F436E <= lands here, keep jumping
510F4947 5F POP EDI
510F4948 5E POP ESI
510F436E C745 E4 00000000 MOV DWORD PTR SS:[EBP-1C],0
510F4375 8D45 B8 LEA EAX,DWORD PTR SS:[EBP-48]
510F4378 50 PUSH EAX
510F4379 FF15 30F10F51 CALL DWORD PTR DS:[<&KERNEL32.GetStartup>
510F437F 8B4D E4 MOV ECX,DWORD PTR SS:[EBP-1C]
510F4382 83E1 01 AND ECX,1
510F4385 85C9 TEST ECX,ECX
510F4387 74 0E JE SHORT FLASHDS_.510F4397
510F4389 8B55 E8 MOV EDX,DWORD PTR SS:[EBP-18]
510F438C 81E2 FFFF0000 AND EDX,0FFFF
510F4392 8955 88 MOV DWORD PTR SS:[EBP-78],EDX
510F4395 EB 07 JMP SHORT FLASHDS_.510F439E <== jumps
510F439E 8B45 88 MOV EAX,DWORD PTR SS:[EBP-78]
510F43A1 8945 14 MOV DWORD PTR SS:[EBP+14],EAX
510F43A4 6A 00 PUSH 0
510F43A6 FF15 40F10F51 CALL DWORD PTR DS:[<&KERNEL32.GetModuleH>
510F43AC 8945 08 MOV DWORD PTR SS:[EBP+8],EAX
510F43AF C745 0C 00000000 MOV DWORD PTR SS:[EBP+C],0
510F43B6 FF15 1CF10F51 CALL DWORD PTR DS:[<&KERNEL32.GetCommand>
510F43BC 8945 10 MOV DWORD PTR SS:[EBP+10],EAX
510F43BF 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
510F43C2 894D AC MOV DWORD PTR SS:[EBP-54],ECX
510F43C5 66:C705 00EF0F51>MOV WORD PTR DS:[510FEF00],0
510F43CE 66:C705 F8EB0F51>MOV WORD PTR DS:[510FEBF8],0
510F43D7 837D 0C 00 CMP DWORD PTR SS:[EBP+C],0
510F43DB 75 13 JNZ SHORT FLASHDS_.510F43F0
510F43DD 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
510F43E0 E8 FB100000 CALL FLASHDS_.510F54E0
510F43E5 85C0 TEST EAX,EAX
510F43E7 75 07 JNZ SHORT FLASHDS_.510F43F0 <== jumps
510F43F0 68 04010000 PUSH 104
510F43F5 68 6CED0F51 PUSH FLASHDS_.510FED6C
510F43FA 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8]
510F43FD 52 PUSH EDX
510F43FE FF15 20F10F51 CALL DWORD PTR DS:[<&KERNEL32.GetModuleF>
510F4404 85C0 TEST EAX,EAX
510F4406 75 07 JNZ SHORT FLASHDS_.510F440F <== jumps
510F440F 8B55 14 MOV EDX,DWORD PTR SS:[EBP+14]
510F4412 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
510F4415 E8 26110000 CALL FLASHDS_.510F5540
510F441A 85C0 TEST EAX,EAX
510F441C 75 1B JNZ SHORT FLASHDS_.510F4439 <== jumps
510F4439 C745 B4 01000000 MOV DWORD PTR SS:[EBP-4C],1
510F4440 8B45 10 MOV EAX,DWORD PTR SS:[EBP+10]
510F4443 A3 0CED0F51 MOV DWORD PTR DS:[510FED0C],EAX
510F4448 E8 D32E0000 CALL FLASHDS_.510F7320
510F444D 85C0 TEST EAX,EAX
510F444F 0F84 28010000 JE FLASHDS_.510F457D <==== stop here and change this instruction to NOP, otherwise... :shock:
510F4455 66:C705 00EF0F51>MOV WORD PTR DS:[510FEF00],1
510F445E C705 E8EE0F51 01>MOV DWORD PTR DS:[510FEEE8],1
510F4468 8B0D 04EF0F51 MOV ECX,DWORD PTR DS:[510FEF04]
510F446E 83E1 03 AND ECX,3
510F4471 85C9 TEST ECX,ECX
510F4473 75 1C JNZ SHORT FLASHDS_.510F4491
510F4475 8B15 04EF0F51 MOV EDX,DWORD PTR DS:[510FEF04]
510F447B 83CA 03 OR EDX,3
510F447E 8915 04EF0F51 MOV DWORD PTR DS:[510FEF04],EDX
510F4484 A1 70EE0F51 MOV EAX,DWORD PTR DS:[510FEE70]
510F4489 83F0 03 XOR EAX,3
510F448C A3 70EE0F51 MOV DWORD PTR DS:[510FEE70],EAX
510F4491 8B0D 04EF0F51 MOV ECX,DWORD PTR DS:[510FEF04]
510F4497 83E1 70 AND ECX,70
510F449A 85C9 TEST ECX,ECX
510F449C 75 1C JNZ SHORT FLASHDS_.510F44BA
510F449E 8B15 04EF0F51 MOV EDX,DWORD PTR DS:[510FEF04]
510F44A4 83CA 70 OR EDX,70
510F44A7 8915 04EF0F51 MOV DWORD PTR DS:[510FEF04],EDX
510F44AD A1 70EE0F51 MOV EAX,DWORD PTR DS:[510FEE70]
510F44B2 83F0 70 XOR EAX,70
510F44B5 A3 70EE0F51 MOV DWORD PTR DS:[510FEE70],EAX
510F44BA 8B0D 04EF0F51 MOV ECX,DWORD PTR DS:[510FEF04]
510F44C0 81E1 000A0000 AND ECX,0A00
510F44C6 85C9 TEST ECX,ECX
510F44C8 75 1E JNZ SHORT FLASHDS_.510F44E8
510F44CA 8B15 04EF0F51 MOV EDX,DWORD PTR DS:[510FEF04]
510F44D0 80CE 0A OR DH,0A
510F44D3 8915 04EF0F51 MOV DWORD PTR DS:[510FEF04],EDX
510F44D9 A1 70EE0F51 MOV EAX,DWORD PTR DS:[510FEE70]
510F44DE 35 000A0000 XOR EAX,0A00
510F44E3 A3 70EE0F51 MOV DWORD PTR DS:[510FEE70],EAX
510F44E8 8B0D 04EF0F51 MOV ECX,DWORD PTR DS:[510FEF04]
510F44EE 81E1 00E00000 AND ECX,0E000
510F44F4 85C9 TEST ECX,ECX
510F44F6 75 1E JNZ SHORT FLASHDS_.510F4516 <== jumps
510F4516 8B0D 04EF0F51 MOV ECX,DWORD PTR DS:[510FEF04]
510F451C 81E1 00000600 AND ECX,60000
510F4522 85C9 TEST ECX,ECX
510F4524 75 21 JNZ SHORT FLASHDS_.510F4547 <== jumps
510F4547 8B0D 04EF0F51 MOV ECX,DWORD PTR DS:[510FEF04]
510F454D 81E1 00002000 AND ECX,200000
510F4553 85C9 TEST ECX,ECX
510F4555 75 21 JNZ SHORT FLASHDS_.510F4578
510F4557 8B15 04EF0F51 MOV EDX,DWORD PTR DS:[510FEF04]
510F455D 81CA 00002000 OR EDX,200000
510F4563 8915 04EF0F51 MOV DWORD PTR DS:[510FEF04],EDX
510F4569 A1 70EE0F51 MOV EAX,DWORD PTR DS:[510FEE70]
510F456E 35 00002000 XOR EAX,200000
510F4573 A3 70EE0F51 MOV DWORD PTR DS:[510FEE70],EAX
510F4578 E9 30030000 JMP FLASHDS_.510F48AD <== jumps
510F48AD 8D55 AC LEA EDX,DWORD PTR SS:[EBP-54]
510F48B0 8D4D B0 LEA ECX,DWORD PTR SS:[EBP-50]
510F48B3 E8 18010000 CALL FLASHDS_.510F49D0
510F48B8 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
510F48BB 6A 00 PUSH 0
510F48BD 6A 00 PUSH 0
510F48BF 6A 10 PUSH 10
510F48C1 A1 28ED0F51 MOV EAX,DWORD PTR DS:[510FED28]
510F48C6 50 PUSH EAX
510F48C7 FF15 08F20F51 CALL DWORD PTR DS:[<&USER32.SendMessageA>
510F48CD 833D FCEE0F51 02 CMP DWORD PTR DS:[510FEEFC],2
510F48D4 74 4F JE SHORT FLASHDS_.510F4925
510F48D6 837D B4 01 CMP DWORD PTR SS:[EBP-4C],1
510F48DA 75 49 JNZ SHORT FLASHDS_.510F4925
510F48DC 33C9 XOR ECX,ECX
510F48DE 66:8B0D 00EF0F51 MOV CX,WORD PTR DS:[510FEF00]
510F48E5 85C9 TEST ECX,ECX
510F48E7 74 3C JE SHORT FLASHDS_.510F4925
510F48E9 33D2 XOR EDX,EDX
510F48EB 66:8B15 64ED0F51 MOV DX,WORD PTR DS:[510FED64]
510F48F2 81FA 05800000 CMP EDX,8005
510F48F8 74 2B JE SHORT FLASHDS_.510F4925
510F48FA 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
510F48FD 50 PUSH EAX
510F48FE 68 88B20F51 PUSH FLASHDS_.510FB288 ; ASCII "sSENTRYWndClass"
510F4903 FF15 98F10F51 CALL DWORD PTR DS:[<&USER32.UnregisterCl>
510F4909 33C9 XOR ECX,ECX
510F490B 66:8B0D 98B20F51 MOV CX,WORD PTR DS:[510FB298]
510F4912 85C9 TEST ECX,ECX
510F4914 74 0F JE SHORT FLASHDS_.510F4925
510F4916 8B55 AC MOV EDX,DWORD PTR SS:[EBP-54]
510F4919 52 PUSH EDX
510F491A 8D55 B0 LEA EDX,DWORD PTR SS:[EBP-50]
510F491D 8B4D FC MOV ECX,DWORD PTR SS:[EBP-4]
510F4920 E8 2B000000 CALL FLASHDS_.510F4950 <==== this is the key part, step into it
510F4925 837D B0 00 CMP DWORD PTR SS:[EBP-50],0
510F4929 74 08 JE SHORT FLASHDS_.510F4933
510F492B 8B4D B0 MOV ECX,DWORD PTR SS:[EBP-50]
510F492E E8 1D3B0000 CALL FLASHDS_.510F8450
510F4933 8B45 B4 MOV EAX,DWORD PTR SS:[EBP-4C]
510F4936 50 PUSH EAX
510F4937 FF15 24F10F51 CALL DWORD PTR DS:[<&KERNEL32.ExitProces> <== exits
************** CALL FLASHDS_.510F4950 *********
510F4950 A1 70EE0F51 MOV EAX,DWORD PTR DS:[510FEE70]
510F4955 53 PUSH EBX
510F4956 55 PUSH EBP
510F4957 56 PUSH ESI
510F4958 8B71 06 MOV ESI,DWORD PTR DS:[ECX+6]
510F495B 57 PUSH EDI
510F495C 8BFA MOV EDI,EDX
510F495E 8B51 02 MOV EDX,DWORD PTR DS:[ECX+2]
510F4961 33D0 XOR EDX,EAX
510F4963 8BC2 MOV EAX,EDX
510F4965 8951 02 MOV DWORD PTR DS:[ECX+2],EDX ; can't get past this?
510F4968 8B51 0A MOV EDX,DWORD PTR DS:[ECX+A]
510F496B 33F0 XOR ESI,EAX
510F496D 8B4424 14 MOV EAX,DWORD PTR SS:[ESP+14]
510F4971 33F2 XOR ESI,EDX
510F4973 03F0 ADD ESI,EAX ; the legendary OEP (510761ac), FLASHDS_.51000000
510F4975 33D2 XOR EDX,EDX
510F4977 8BC6 MOV EAX,ESI
510F4979 8B59 06 MOV EBX,DWORD PTR DS:[ECX+6]
510F497C 8B28 MOV EBP,DWORD PTR DS:[EAX]
510F497E 33EB XOR EBP,EBX
510F4980 42 INC EDX
510F4981 8928 MOV DWORD PTR DS:[EAX],EBP
510F4983 8B59 0A MOV EBX,DWORD PTR DS:[ECX+A]
510F4986 8B68 04 MOV EBP,DWORD PTR DS:[EAX+4]
510F4989 83C0 04 ADD EAX,4
510F498C 33EB XOR EBP,EBX
510F498E 42 INC EDX
510F498F 8928 MOV DWORD PTR DS:[EAX],EBP
510F4991 83C0 04 ADD EAX,4
510F4994 83FA 14 CMP EDX,14
510F4997 ^7C E0 JL SHORT FLASHDS_.510F4979
510F4999 8B0F MOV ECX,DWORD PTR DS:[EDI]
510F499B E8 B03A0000 CALL FLASHDS_.510F8450
510F49A0 C707 00000000 MOV DWORD PTR DS:[EDI],0
510F49A6 66:833D 00EF0F51>CMP WORD PTR DS:[510FEF00],0
510F49AE 74 0C JE SHORT FLASHDS_.510F49BC
510F49B0 66:833D 9AB20F51>CMP WORD PTR DS:[510FB29A],0
510F49B8 74 02 JE SHORT FLASHDS_.510F49BC
510F49BA FFD6 CALL ESI <== dear passengers, we have arrived at the summit (光明顶); step into it 8)
510F49BC 5F POP EDI
510F49BD 5E POP ESI
510F49BE 5D POP EBP
510F49BF 5B POP EBX
510F49C0 C2 0400 RETN 4
**************call esi*************
510761AC 55 DB 55 ; CHAR 'U' stop here and use LordPE (full dump of the process)
510761AD 8B DB 8B
510761AE EC DB EC
510761AF 83 DB 83
510761B0 C4 DB C4
510761B1 F0 DB F0
510761B2 53 DB 53 ; CHAR 'S'
...
*************************************
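To make the stub's arithmetic concrete, here is an added Python model (my own, not code from the post or from SoftSentry) of the flag/key block at 510F4468 and the decrypt routine at 510F4950, run on a constructed image whose OEP holds the Delphi prologue 55 8B EC 83 C4 F0 53 dumped above. The 14-byte header layout behind ECX, the sample keys and the starting flag value are assumptions.

```python
import struct

IMAGE_BASE = 0x51000000   # FLASHDS_.51000000: the hModule pushed as the stub's argument
OEP_RVA = 0x761AC         # 510761AC minus the image base, where the author lands

def adjust_key(flags, key):
    """Models 510F4468..510F4573: for each mask, if none of its bits are set in the
    flag dword at 510FEF04, set them and XOR the same mask into the key at 510FEE70.
    The 0E000 and 60000 checks were already satisfied in the trace, so their
    set-path is not on the page and is not modelled."""
    for mask in (0x3, 0x70, 0xA00, 0x200000):
        if flags & mask == 0:
            flags |= mask
            key ^= mask
    return flags, key

def stub_decrypt(hdr, key, mem, image_base=IMAGE_BASE):
    """Models CALL FLASHDS_.510F4950. hdr is the 14-byte block ECX points at and
    mem is a bytearray of the mapped image indexed by RVA. Decrypts 20 dwords at
    the OEP in place (the loop at 510F4979) and returns the OEP as a VA."""
    k2 = struct.unpack_from('<I', hdr, 2)[0] ^ key   # MOV EDX,[ECX+2]; XOR EDX,EAX
    k6 = struct.unpack_from('<I', hdr, 6)[0]         # [ECX+6]: key for even dwords
    k10 = struct.unpack_from('<I', hdr, 10)[0]       # [ECX+A]: key for odd dwords
    oep = ((k6 ^ k2 ^ k10) + image_base) & 0xFFFFFFFF  # XOR ESI,EAX; XOR ESI,EDX; ADD ESI,EAX
    off = oep - image_base
    for i in range(20):                               # EDX counts to 14h, two dwords per pass
        word = struct.unpack_from('<I', mem, off + 4 * i)[0] ^ (k6 if i % 2 == 0 else k10)
        struct.pack_into('<I', mem, off + 4 * i, word)
    return oep

def make_sample(key, k6=0x11223344, k10=0xA5A5A5A5):
    """Constructed image: the Delphi prologue 55 8B EC 83 C4 F0 53 seen at 510761AC,
    padded to 80 bytes and stored XOR-encrypted the way the stub expects."""
    plain = bytes.fromhex('558bec83c4f053').ljust(80, b'\x90')
    mem = bytearray(0x80000)
    for i in range(20):
        word = struct.unpack_from('<I', plain, 4 * i)[0] ^ (k6 if i % 2 == 0 else k10)
        struct.pack_into('<I', mem, OEP_RVA + 4 * i, word)
    k2 = OEP_RVA ^ k6 ^ k10 ^ key            # chosen so [ECX+2]^key yields the RVA term
    hdr = b'\x00\x00' + struct.pack('<III', k2, k6, k10)
    return hdr, mem

if __name__ == '__main__':
    flags, key = adjust_key(0, 0xDEADBEEF)   # constructed starting flag/key values
    hdr, mem = make_sample(key)
    oep = stub_decrypt(hdr, key, mem)
    print(hex(oep), mem[OEP_RVA:OEP_RVA + 7].hex())   # 0x510761ac 558bec83c4f053
```

The point for an analyst is that only 80 bytes at the OEP are encrypted and the key is a simple XOR accumulated from the flag bits, which is why patching the JE at 510F444F and dumping at CALL ESI is enough.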
Press F9, then run ImportREC and select the process.
Change the OEP to 761ac, click IAT AutoSearch, click Get Imports, click Fix Dump. It runs normally. But why does it only run from a shortcut :?:
That's about it.
---------------------------------------------------------------------------------------------------------
This is the first packer I have unpacked by hand, and it feels great. Thanks to fly and to Encryption and Decryption, 2nd edition.
At the same time, I have to say this packer really is too fragile: too many signature instructions, far too obvious.