• Title: I unpacked Asprotect 1.23RC4 too, hahaha, so exciting!!
  • Author: DonQuixote
  • Date: 004-10-18, 12:50
  • Link: http://bbs.pediy.com

Original post: http://bbs.pediy.com/showthread.php?s=&threadid=5876

Yesterday I finally unpacked a Notepad protected with Asprotect 1.23RC4. So exciting! This is the first time I've unpacked something entirely on my own!
I had unpacked this protector before, but back then all I knew was "trace N times, dump, open AsprDbgr, fix the IAT"... I had no idea why any of that was done. Now I know not just HOW but also WHY!
Below is the unpacking process; consider it my first unpacking write-up.

It took me 8 hours to unpack it (internet cafe time is expensive...), with N detours along the way. I won't write up the detours, only how I found the right method.

Target: Notepad protected with Asprotect 1.23RC4 (the original post linked a download).
Operating system: Win98

I already knew a few things about this protector: Asprotect triggers SEH 20-odd times, moves some of the code at the program entry point elsewhere (stolen code), and the IAT does not point at the real APIs but at the protector's API-hooking code.

My plan: find the entry point, dump, then fix the IAT; deal with the stolen code when I get there.

First, load Notepady.exe in OD (OllyDbg).
In Options->Debugging options, clear all 6 checkboxes under "Ignore (pass to program) following exceptions".
That makes the debugger break whenever one of these exceptions occurs, so we can trace to the places where the protector triggers its SEH.

The reason: a bug-free program never triggers SEH, and let's assume Notepad is such a program.
So SEH will normally only be triggered inside the protector's code, and reaching the last SEH means we are close to the program's entry point.
(I've seen many unpacking write-ups that only catch memory access exceptions rather than all exceptions, and I never figured out why. Can anyone give a hint?)

Then press F9 to run; it breaks because the protector raises exceptions to trigger SEH. Press Shift+F9 to pass the exception to the program and continue.
At the 14th SEH, pressing Shift+F9 once more pops up a dialog saying a debugger was detected (I now know that IsDebug's Hide has no effect on Win98), so the detection has to be bypassed by hand.

Press F8 a few times to single-step and arrive at the following code:

010C3EFE     74 09               je short 010C3F09
010C3F00     E8 4BD7FFFF         call 010C1650
010C3F05     8BD8                mov ebx,eax
010C3F07     EB 07               jmp short 010C3F10
010C3F09     E8 B6D6FFFF         call 010C15C4
010C3F0E     8BD8                mov ebx,eax
010C3F10     84DB                test bl,bl
010C3F12     75 09               jnz short 010C3F1D
010C3F14     E8 3BD7FFFF         call 010C1654         // probably the detection function
010C3F19     84C0                test al,al         // if it returns 0, call 010C2678 is skipped
010C3F1B     74 10               je short 010C3F2D
010C3F1D     A1 A47E0C01         mov eax,dword ptr ds:[10C7EA4]
010C3F22     50                  push eax         // when execution gets here, eax -> "Debugger detected...."
010C3F23     68 6C3F0C01         push 10C3F6C                      ; ASCII "Protection Error"
010C3F28     E8 4BE7FFFF         call 010C2678         // judging by the strings above, this CALL shows the dialog and terminates the program
010C3F2D     E8 7EE6FFFF         call 010C25B0
010C3F32     33C0                xor eax,eax

Looking at this, call 010C1654 is probably the detection function; when it returns 0 the "Protection Error" dialog is skipped.
To verify the guess: restart, set eax to 0 at test al,al, then hammer Shift+F9, and Notepad runs correctly.
That bypasses the detection. From now on, every run of Notepady.exe needs a break here to change eax; I won't repeat this below.

ÔٴμÓÔسÌÐò,°´Shift+F9,·¢ÏÖ°´ÁË29´Î¾Í´ò¿ª¼Çʱ¾ÁË(ËùÒÔµÚ28´ÎʱÊÇ×îºóÒ»¸öSEH)
È»ºó°´F12ÔÝÍ£³ÌÐò,ÕâʱִÐеĴúÂë¾ÍÊdzÌÐòµÄ´úÂëÁË,¸ú×ÙһϷ¢ÏÖÊÇÔÚ

MSG msg;
while (GetMessage(&msg, NULL, 0, 0))
{
    TranslateMessage(&msg);
    DispatchMessage(&msg);
}

this loop; the code is as follows:

0040213F     50                  push eax
00402140     FF15 98644000       call dword ptr ds:[406498] //TranslateMessage
00402146     8D45 E4             lea eax,dword ptr ss:[ebp-1C]
00402149     50                  push eax
0040214A     FF15 9C644000       call dword ptr ds:[40649C] //DispatchMessage
00402150     56                  push esi
00402151     8D45 E4             lea eax,dword ptr ss:[ebp-1C]
00402154     56                  push esi
00402155     56                  push esi
00402156     50                  push eax
00402157     FF15 A0644000       call dword ptr ds:[4064A0] //GetMessage
0040215D     85C0                test eax,eax
0040215F   ^ 75 A5               jnz short NOTEPADY.00402106

TranslateMessage, DispatchMessage and GetMessage are all recognized by OD, which means the protector did not encrypt these 3 functions.
From this we can also see that the program's code section is around 402000 (probably the .text section VC generates, starting at 401000).
Also, the IAT should be near 406400.

ÖØмÓÔسÌÐò,ÔÚ×îºóÒ»¸öSEHʱ°´F7¸ú×Ù
Èç¹ûEIP´Ó010*****Ìøµ½0040****¾Í˵Ã÷¿ÇÒѾ­°Ñ¿ØÖÆȨ½»¸øÁ˳ÌÐòµÄ´úÂë

010C39EC     3100                xor dword ptr ds:[eax],eax // last exception; press Shift+F8 to single-step
010C39EE     64:8F05 00000000    pop dword ptr fs:[0]
010C39F5     58                  pop eax
010C39F6     833D B07E0C01 00    cmp dword ptr ds:[10C7EB0],0
010C39FD     74 14               je short 010C3A13
010C39FF     6A 0C               push 0C
010C3A01     B9 B07E0C01         mov ecx,10C7EB0
010C3A06     8D45 F8             lea eax,dword ptr ss:[ebp-8]
010C3A09     BA 04000000         mov edx,4
010C3A0E     E8 2DD1FFFF         call 010C0B40 // step over this with F8; stepping over this CALL does not bring up the Notepad window, so the entry point is still further down
010C3A13     FF75 FC             push dword ptr ss:[ebp-4] // from here on, single-step with F7
010C3A16     FF75 F8             push dword ptr ss:[ebp-8]
010C3A19     8B45 F4             mov eax,dword ptr ss:[ebp-C]
010C3A1C     8338 00             cmp dword ptr ds:[eax],0
010C3A1F     74 02               je short 010C3A23
010C3A21     FF30                push dword ptr ds:[eax]
010C3A23     FF75 F0             push dword ptr ss:[ebp-10]
010C3A26     FF75 EC             push dword ptr ss:[ebp-14]
010C3A29     C3                  retn


Hold down F7; after a while it seems to be stuck in a complicated loop, several CALLs calling each other round and round.

Since we already know the program's code is around 402000,
we can use Debug->Trace into and let OD do the tracing automatically.
Concretely:
Click Debug->Set condition, check "EIP is in range", enter 00400000, 00403000 (so it breaks as soon as EIP lands in that range), click OK.
Click Debug->Open or clear run trace, then Debug->Trace into (how did I know to do this? Found it after N attempts...)
 

Wait a few seconds and OD breaks:
004010C5     0000                add byte ptr ds:[eax],al
004010C7     000D 0A000000       add byte ptr ds:[A],cl
004010CD     0000                add byte ptr ds:[eax],al
004010CF     0000                add byte ptr ds:[eax],al
004010D1     0000                add byte ptr ds:[eax],al
004010D3     FF15 E4634000       call dword ptr ds:[4063E4] // OD breaks here; the code above is obviously meaningless
004010D9     8BF0                mov esi,eax
004010DB     8A00                mov al,byte ptr ds:[eax]
004010DD     3C 22               cmp al,22
004010DF     75 1B               jnz short NOTEPADY.004010FC
004010E1     56                  push esi
004010E2     FF15 F4644000       call dword ptr ds:[4064F4]
004010E8     8BF0                mov esi,eax
004010EA     8A00                mov al,byte ptr ds:[eax]
004010EC     84C0                test al,al
004010EE     74 04               je short NOTEPADY.004010F4
004010F0     3C 22               cmp al,22

Click View->Run trace to see everything OD just recorded; scroll to the bottom and you see the protector jumping to the code above (004010D3) from the retn at 010D3A88.


Click Debug->Close run trace.

So now we have found the program's entry point, OEP=004010D3.
But the real entry point should be at 0x401000 (the entry point VC generates by default),
and it should begin with push ebp; mov ebp,esp.
So some code ahead of OEP=004010D3 has definitely been moved elsewhere by the protector and is executed there.
That moved code can be seen in the run trace (if you followed the steps above the run trace is already closed; no matter, trace once more...)

(screenshot of OD's run trace in the original post)

So the real OEP should be 010D3A75 (the yellow line in the screenshot), because below it there are lots of rep stos; if you trace a VC6 program you find that VC always puts a rep stos at the start of every function to initialize the stack frame, so I guess 010D3A75 is the original OEP.

At this point it should be enough to move the code at 010D3A75 to 0401000, but that is not what I did.

Since Notepad is written in VC, there should be a VC-generated startup stub that calls WinMain.
My idea was not to patch the startup code but to write my own code to call WinMain, like this:
WinMain(GetModuleHandle(NULL), NULL, GetCommandLine(), SW_SHOWNORMAL);
In assembly:
push 0A
call GetCommandLineA
push eax
push 0
push 0
call GetModuleHandle
push eax
call WinMain

So all I have to do is find WinMain below (though in the end I found this was actually a detour).

Starting from the OEP 004010D3, trace with F8:

004010D3     FF15 E4634000       call dword ptr ds:[4063E4]
004010D9     8BF0                mov esi,eax

The address of the CALL at 0x4010D3 should be in the IAT (think of the GetMessage address we saw earlier),
but OD does not recognize it; it is probably an API encrypted by the protector. Don't trace into it for now; study it when fixing the IAT.
However, this call returns eax=81D6DB44 (ASCII ""E:\Crack\NOTEPADy.EXE""),
so I guess this API may be GetCommandLineA; check that when fixing the IAT.

A few F8 steps later we enter a loop; from the register window it looks as if this loop processes the command-line arguments.
After the loop we arrive here:

00401146     50                  push eax
00401147     56                  push esi
00401148     6A 00               push 0
0040114A     6A 00               push 0
0040114C     FF15 9C634000       call dword ptr ds:[40639C] // judging by 40639C, this should be an API
00401152     50                  push eax
00401153     E8 760F0000         call NOTEPADY.004020CE // possibly WinMain
00401158     50                  push eax
00401159     8BF0                mov esi,eax
0040115B     FF15 A0634000       call dword ptr ds:[4063A0] //KERNEL32.ExitProcess
00401161     8BC6                mov eax,esi
00401163     5E                  pop esi
00401164     8BE5                mov esp,ebp
00401166     5D                  pop ebp
00401167     C3                  retn

Stepping over the call dword ptr ds:[4063A0], the Notepad window popped up! WinMain may well be right here!

ÖØиú×Ùµ½ÕâÀï,×¢Òâcall NOTEPADY.004020CEµÄ²ÎÊý,×îºóÒ»¸öÊÇ40000,¾ÍÊǵ±Ç°µÄÄ£¿é!
¶øÏÂÃæcall dword ptr ds:[4063A0]Ö¸ÏòKERNEL32.ExitProcess
˵Ã÷¹ýÁËcall NOTEPADY.004020CE³ÌÐò¾Í½áÊøÁË!
ÏÖÔÚÍêÈ«ÓÐÀíÓɲ²âÕâÀï¾ÍÊÇWinMain(×îºó·¢Ïֲ´íÁË....)

Now, at EIP=00401153, use LordPE to do a full dump of notepady.exe and save it as dumped.exe.
(Strange: clicking OllyDump says "no process to dump". Anyone know what's going on? Does OllyDump not work under Win98?)

The dump is done. Next, fix the IAT, and also write a piece of code to jmp to

Fix the IAT first; fixing the IAT feels like a relatively independent step.

Close OD, copy notepady.exe and rename the copy to notepady_bak.exe.
Run notepady_bak.exe (note: double-click it directly in Explorer, don't load it in OD).
Then load notepady.exe in OD and trace into the program's code
(because notepady.exe cannot be copied while OD is debugging it).

Open RecImport (ImportREC) and select notepady_bak.exe
(if you select the process being debugged, it cannot read the data).

The GetMessage address found earlier was ds:[4064A0].
Switch to OD and look at memory at 4064A0 (screenshot in the original post):

Scrolling up, there is data all the way to 406000; above that we are no longer in this module.
So the IAT start address certainly cannot be before 406000.
In RecImport enter 006000 as the IAT start address RAV (for now).
(Looks like RecImport misspelled it here; it should be RVA, right?)
Scrolling down, the data ends at 406E00, so enter E00 (=406E00-406000) as the IAT size.
Click Get Imports; the resulting IAT data is as follows (data from the saved tree file):

0  00006000  ?  0000  ECEDF09B // the very start
0  00006004  ?  0000  DCCFDDBC
0  00006008  ?  0000  6FFA3DDF // keep scrolling down
.....
0  000062D4  ?  0000  F8F71C33
0  000062D8  ?  0000  CAD26836
0  000062DC  ?  0000  A0569B26
0  000062E0  ?  0000  CDDA23E0 // everything up to here is obviously invalid
1  000062E4  advapi32.dll  00F7  RegQueryValueExA
1  000062E8  advapi32.dll  00D8  RegCloseKey
1  000062EC  advapi32.dll  0103  RegSetValueExA
.....
1  00006518  comdlg32.dll  0070  GetSaveFileNameA
1  0000651C  comdlg32.dll  0069  CommDlgExtendedError
1  00006520  comdlg32.dll  006C  GetFileTitleA
0  00006524  ?  0000  5188AEDE // the entries below are meaningless too
0  00006528  ?  0000  D10692B9
0  0000652C  ?  0000  21413DDA
.....


Analyzing this data: everything up to and including the pointer at 000062E0 (an RVA) is meaningless (not valid memory addresses),
so the IAT start address should be 000062E4.
The data from 00006524 onwards is meaningless too, so 00006524 is the end of the IAT.
Size = 00006524-000062E4 = 240.

Click Clear Imports, then enter RAV=000062E4 size=240 and click Get Imports again.
Many functions are still unresolved.

Also, between two DLLs there is always one invalid pointer:
1  000062F0  advapi32.dll  00EE  RegOpenKeyA
1  000062F4  advapi32.dll  00DB  RegCreateKeyA
0  000062F8  ?  0000  A32F18E7 // clearly not a valid memory address
1  000062FC  gdi32.dll  011A  GetObjectA
1  00006300  gdi32.dll  00FA  GetDeviceCaps

ÎҲ²â¿ÉÄÜÿÁ½¸öDLLµÄIAT±íÖ®¼äÓÐ4¸ö×ֽڵĿÕ϶°É

Find the first unresolved pointer:

1  0000634C  gdi32.dll  012F  GetTextCharset
1  00006350  gdi32.dll  00B0  DeleteObject
1  00006354  gdi32.dll  0129  GetStockObject
0  00006358  ?  0000  C6AFBA7C // gap
0  0000635C  ?  0000  010D0334 // first unresolved pointer
0  00006360  ?  0000  010D04F0
0  00006364  ?  0000  010D6F3C

There is a problem here that I don't understand either:

In OD, Alt+G to 010D0334; the code there is completely meaningless:
010D0334     3003                xor byte ptr ds:[ebx],al
010D0336     0D 01240000         or eax,2401
010D033B     0010                add byte ptr ds:[eax],dl
010D033D     0000                add byte ptr ds:[eax],al
010D033F     0017                add byte ptr ds:[edi],dl

But looking at 0040635C in OD (0000635C + image base 00400000), the value is 010D6F3C, not 010D0334!
(At this point the notepady loaded in OD is also running, with Notepad already open.)
I can't work out why. Did RecImport get it wrong?

Ignore it for now; since 010D0334 is wrong anyway, go with OD's value.

In OD, Alt+G to 010D6F3C:
010D6F3C     68 3B0CFABF         push KERNEL32._lwrite
010D6F41     68 DD4F158E         push 8E154FDD
010D6F46     C3                  retn // a disguised CALL to 8E154FDD

In OD, Alt+G to 8E154FDD:
8E154FDD   - E9 250BE431         jmp KERNEL32.BFF95B07

Press Enter on that line to follow the jump to BFF95B07:

BFF95B07     9C                  pushfd // push flags
BFF95B08     FC                  cld
BFF95B09     50                  push eax
BFF95B0A     53                  push ebx
BFF95B0B     52                  push edx // 3 pushes
BFF95B0C     64:8B15 20000000    mov edx,dword ptr fs:[20] // debugger check
BFF95B13     0BD2                or edx,edx
BFF95B15     74 09               je short KERNEL32.BFF95B20
BFF95B17     8B42 04             mov eax,dword ptr ds:[edx+4]
BFF95B1A     0BC0                or eax,eax
BFF95B1C     74 07               je short KERNEL32.BFF95B25
BFF95B1E     EB 42               jmp short KERNEL32.BFF95B62
BFF95B20     5A                  pop edx
BFF95B21     5B                  pop ebx
BFF95B22     58                  pop eax // 3 pops
BFF95B23     9D                  popfd // pop flags
BFF95B24     C3                  retn

As the above shows, the stack ends up unchanged, so
push XXXXXXXX
push 8E154FDD
retn
ends up executing XXXXXXXX anyway.

8E154FDD is in system address space; Asprotect probably planted that code in a code cave in KERNEL32 to check for a debugger.
(Oddly, why doesn't Asprotect's debugger check notice OD?)

OK, now we know that ds:[40635C] is KERNEL32._lwrite.

In RecImport, double-click RVA:0000635C ptr:010D0334, choose kernel32.dll as the DLL and _lwrite as the function.

OK, the first function is fixed; on to the next one:
0  00006360  ?  0000  010D04F0

Look at 010D04F0:
010D04F0     68 591EFABF         push KERNEL32.DeleteFileA
010D04F5   - E9 F34A088D         jmp 8E154FED
Jump to 8E154FED:
8E154FED   - E9 150BE431         jmp KERNEL32.BFF95B07

KERNEL32.BFF95B07 again, analyzed above, so 00006360 is KERNEL32.DeleteFileA; fix it.

Then the next one... hang in there! Victory is ours!

0  00006364  ?  0000  010D6F3C

010D6F3C     68 3B0CFABF         push KERNEL32._lwrite
010D6F41     68 DD4F158E         push 8E154FDD
010D6F46     C3                  retn

8E154FDD   - E9 250BE431         jmp KERNEL32.BFF95B07

Exactly the same approach: fix 00006364=KERNEL32._lwrite, then the next one.....
(Almost all of the functions RecImport cannot resolve are redirected through BFF95B07.)

After a long, long repair session.................... all the functions protected via BFF95B07 are finally fixed.
(I fixed every one of them by hand; does anyone know a simpler way???)

But there are two functions that are exceptions:

0  0000639C  ?  0000  010C1C64

Look at 010C1C64:

010C1C64     55                  push ebp
010C1C65     8BEC                mov ebp,esp
010C1C67     8B45 08             mov eax,dword ptr ss:[ebp+8] // first argument
010C1C6A     85C0                test eax,eax
010C1C6C     75 13               jnz short 010C1C81  // nonzero: push the argument and call 010B51B8
010C1C6E     813D A47A0C01 00004>cmp dword ptr ds:[10C7AA4],400000 // zero: check whether ds:[10C7AA4] is 400000
010C1C78     75 07               jnz short 010C1C81 // if so, return 400000; otherwise call 010B51B8
010C1C7A     A1 A47A0C01         mov eax,dword ptr ds:[10C7AA4]
010C1C7F     EB 06               jmp short 010C1C87
010C1C81     50                  push eax
010C1C82     E8 3135FFFF         call 010B51B8
010C1C87     5D                  pop ebp
010C1C88     C2 0400             retn 4 // so there is only one argument

Look at 010B51B8:
010B51B8   - FF25 08820C01       jmp dword ptr ds:[10C8208]
ds:[10C8208] = 8E154E68
Look at 8E154E68:
8E154E68     68 9677F7BF         push KERNEL32.GetModuleHandleA
8E154E6D   - E9 950CE431         jmp KERNEL32.BFF95B07 // this one again

Clearly, 0000639C is KERNEL32.GetModuleHandleA.
If the argument is NULL (meaning the current module), it checks ds:[10C7AA4] and returns 40000;
if it is not NULL, it dutifully calls GetModuleHandleA.

OK, fix it.

The other function is:
0  000063E4  ?  0000  010C1CD8

Wait! Remember the OEP that was left after the code was stolen?
004010D3     FF15 E4634000       call dword ptr ds:[4063E4]
While debugging earlier, we already found that this returns the command line.

Look at 010C1CD8:
010C1CD8     6A 00               push 0
010C1CDA     E8 D934FFFF         call 010B51B8
010C1CDF     FF35 147E0C01       push dword ptr ds:[10C7E14]
010C1CE5     58                  pop eax
010C1CE6     8B05 247E0C01       mov eax,dword ptr ds:[10C7E24] 
010C1CEC     C3                  retn
The final return value is ds:[10C7E24], together with call 010B51B8; the following confirms this:

Look at 010B51B8:
010B51B8   - FF25 08820C01       jmp dword ptr ds:[10C8208]

ds:[010C8208] = 8E154E68 (thunk to KERNEL32.GetModuleHandleA)

¿ÇÓбØÒªµ÷ÓÃGetModuleHandleA(NULL)Âð?

Looking again at the functions already fixed, GetCommandLineA is not among them,
so for now the only conclusion is that 010C1CD8 is the command line.
(Entering a command line when loading in OD also confirms this.)
In RecImport, fix 010C1CD8 = kernel32.GetCommandLineA.

Finally, the gaps between DLLs are still invalid; right-click them and choose Cut thunk(s), and then everything is valid.
Open LordPE, go to the rebuilder options, check "Status window", "Dumpfix", "Realign file" and "Validate PE", then rebuild dumped.exe.
(I'm not sure this is right, but all of the above are default options; "Rebuild ImportTable" is also on by default, and I figured that since I rebuilt it by hand it could be unchecked.)
Then in RecImport click Fix Dump, and the IAT is fixed. At last...


Now to build the entry point by hand.

First use LordPE to change the entry point to 1000; since there is no meaningful code at 0x401000, that is where the patched entry goes.

Now look again at the code around 00401153 call NOTEPADY.004020CE:

0040113B     B8 0A000000         mov eax,0A
00401140     74 04               je short NOTEPADY.00401146
00401142     0FB745 EC           movzx eax,word ptr ss:[ebp-14]
00401146     50                  push eax  //eax=0A
00401147     56                  push esi
00401148     6A 00               push 0
0040114A     6A 00               push 0
0040114C     FF15 9C634000       call dword ptr ds:[40639C]
00401152     50                  push eax
00401153     E8 760F0000         call NOTEPADY.004020CE

The first argument is 0A, the second is esi, the third is 0, and the fourth is GetModuleHandle(0).

To determine whether esi is GetCommandLineA, open the packed program in OD with a.txt as the argument.

ÔËÐе½00401147 push esiÕâÒ»ÐÐ,½á¹û·¢ÏÖesi->"a.txt"!

So esi cannot simply be replaced by GetCommandLineA!

Look at the earlier code again:

004010D3     FF15 E4634000       call dword ptr ds:[4063E4] // this is the OEP after the stolen code; = GetCommandLineA
004010D9     8BF0                mov esi,eax // esi = char *ptr;
004010DB     8A00                mov al,byte ptr ds:[eax]
004010DD     3C 22               cmp al,22 // is the first character a double quote (ASCII 22)?
004010DF     75 1B               jnz short NOTEPADY.004010FC
004010E1     56                  push esi
004010E2     FF15 F4644000       call dword ptr ds:[4064F4] // CharNext, advance to the next character
004010E8     8BF0                mov esi,eax
004010EA     8A00                mov al,byte ptr ds:[eax]
004010EC     84C0                test al,al // is the next character \0?
004010EE     74 04               je short NOTEPADY.004010F4
004010F0     3C 22               cmp al,22 // is the next character a double quote?
004010F2   ^ 75 ED               jnz short NOTEPADY.004010E1 // if not, loop back and check the one after
004010F4     803E 22             cmp byte ptr ds:[esi],22
004010F7     75 15               jnz short NOTEPADY.0040110E // until the closing quote is found
004010F9     46                  inc esi // +1, point past the quote
004010FA     EB 12               jmp short NOTEPADY.0040110E
004010FC     3C 20               cmp al,20
004010FE     7E 0E               jle short NOTEPADY.0040110E
00401100     56                  push esi
00401101     FF15 F4644000       call dword ptr ds:[4064F4]
00401107     8038 20             cmp byte ptr ds:[eax],20
0040110A     8BF0                mov esi,eax
0040110C   ^ 7F F2               jg short NOTEPADY.00401100
0040110E     803E 00             cmp byte ptr ds:[esi],0 // is it \0? if so, jump to the next part of the program
00401111     74 13               je short NOTEPADY.00401126
00401113     803E 20             cmp byte ptr ds:[esi],20 // check for a space
00401116     77 0E               ja short NOTEPADY.00401126
00401118     56                  push esi
00401119     FF15 F4644000       call dword ptr ds:[4064F4]
0040111F     8038 00             cmp byte ptr ds:[eax],0
00401122     8BF0                mov esi,eax
00401124   ^ 75 ED               jnz short NOTEPADY.00401113
After this code, eax points to the command-line argument.
For example, if GetCommandLineA returns "E:\Crack\Notepady.exe" a.txt,
then at this point esi -> a.txt, so this code also has to be added at the entry point.
It consists entirely of short (relative) jumps, so the bytes can simply be copied over unchanged.
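To make explicit what the stolen start-up code computes, here is a Python re-implementation (an added example, not code from the original post) that mirrors the listing above instruction by instruction, including the signed jle/jg comparisons versus the unsigned ja, so that bytes >= 0x80 behave exactly as in the disassembly; CharNextA is simplified to a one-byte step, which is an assumption.

```python
def first_argument(cmdline: bytes) -> bytes:
    """Re-implementation of the stolen start-up code at 004010D3..00401124.

    Returns what esi points to at 00401126: the command line with the
    program name (quoted or not) and the blanks after it stripped off.
    CharNextA is modelled as 'advance one byte' (DBCS lead bytes ignored,
    a simplification of the real API).
    """
    def at(i):                      # byte at esi; NUL past the end of the buffer
        return cmdline[i] if i < len(cmdline) else 0

    def signed(b):                  # cmp al,20 / jle and cmp ..,20 / jg are signed
        return b - 256 if b >= 0x80 else b

    esi = 0
    al = at(esi)
    if al == 0x22:                                  # 004010DD: starts with '"'
        while True:                                 # 004010E1..004010F2
            esi += 1                                #   CharNext
            al = at(esi)
            if al == 0 or al == 0x22:               #   stop at NUL or closing quote
                break
        if at(esi) == 0x22:                         # 004010F4..004010F9
            esi += 1                                #   step past the closing quote
    elif signed(al) > 0x20:                         # 004010FC: jle is signed, so a
        while True:                                 # byte >= 0x80 skips this loop
            esi += 1                                # 00401100..0040110C: CharNext
            if signed(at(esi)) <= 0x20:             #   until a blank/control byte
                break
    # 0040110E..00401124: skip blanks; here cmp ..,20 / ja is unsigned
    while at(esi) != 0 and at(esi) <= 0x20:
        esi += 1
    return cmdline[esi:]


if __name__ == "__main__":
    # Constructed sample matching the example in the write-up.
    print(first_argument(b'"E:\\Crack\\Notepady.exe" a.txt'))   # b'a.txt'
```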

In HIEW, go to 400 (the file offset of 401000) and enter the following code:
push 0A
call d,[4063E4]          // this calls GetCommandLineA

Then in OD, hold Shift to select the code from 004010D9 to 00401124, right-click, and choose Follow in Dump->Selection.
The dump window now shows the bytes of that code:
8B F0 8A 00 3C 22 75 1B 56 FF 15 F4 64 40 00 8B F0 8A 00 84 C0 74 04 3C 22 75 ED 80 3E 22 75 15
46 EB 12 3C 20 7E 0E 56 FF 15 F4 64 40 00 80 38 20 8B F0 7F F2 80 3E 00 74 13 80 3E 20 77 0E 56
FF 15 F4 64 40 00 80 38 00 8B F0 75 ED

Now these bytes have to be moved into the program whose IAT was fixed, but it turns out LordPE's hex editor cannot paste!
In the end I typed them in by hand (think of it as typing practice; our computer-lab classes practise exactly that every day...)
Does anyone know a better way? (Though I suspect anyone patient enough to read this far is already close to a breakdown...)

 

Note that push 0A; call d,[4063E4] already take up 8 bytes, so the bytes have to be entered starting at 401008.

OK, now open HIEW, go to 401055, and add:
push esi
push 0
push 0
call d,[0040639C]  // KERNEL32.GetModuleHandleA
push eax
jmp 553
This pushes the arguments and then jumps to WinMain (553 = 00401153-401000+400; HIEW wants the file offset).

Finally patched. Run the modified dumped_.exe.......

No Notepad window!!! Damn!!!

Load dumped_.exe in OD again, open a second OD with the packed notepady.exe, run them side by side and look for where they diverge.

The very first CALL after entering WinMain already differs:
004020CE   /$  55                push ebp
004020CF   |.  8BEC              mov ebp,esp
004020D1   |.  83EC 1C           sub esp,1C
004020D4   |.  56                push esi
004020D5   |.  FF75 14           push dword ptr ss:[ebp+14]        ; /Arg4
004020D8   |.  FF75 10           push dword ptr ss:[ebp+10]        ; |Arg3 = 81D60F0E
004020DB   |.  FF75 0C           push dword ptr ss:[ebp+C]         ; |Arg2
004020DE   |.  FF75 08           push dword ptr ss:[ebp+8]         ; |Arg1
004020E1   |.  E8 BB0B0000       call DUMPED_.00402CA1             ; \DUMPED_.00402CA1
004020E6   |.  85C0              test eax,eax           // in dumped_.exe eax=0 here, in notepady.exe it is 1

Stepping into 00402CA1, Notepad loads a lot of resources and then calls CreateWindowExA; up to here both programs behave the same.
Further down there is another CreateWindowExA:
00402DC3   |.  50                push eax                          ; |Style
00402DC4   |.  68 00104000       push DUMPED_.<ModuleEntryPoint>   ; |WindowName = "j..." (garbage bytes)
00402DC9   |.  68 54104000       push DUMPED_.00401054             ; |Class = "íVj"
00402DCE   |.  68 00020000       push 200                          ; |ExtStyle = WS_EX_CLIENTEDGE
00402DD3   |.  FF15 3C644000     call dword ptr ds:[<&user32.Creat>; \CreateWindowExA

But in the packed notepady.exe, at this point push DUMPED_.00401054 -> "Edit"!!!!
So the protector kept "Edit\0" at 00401054, and patching the entry point just now overwrote 00401054,
so the Class is wrong and this CreateWindowExA fails!
WindowName is wrong too; in the packed version WindowName points to "\0".

Reopen dumped_.exe in HIEW, go to 401070 (F5 470), switch to hex editing,
at 401070 enter 00 00 (this is WindowName = "\0"),
at 401080 enter 45 64 69 74 00 (this is Class = "Edit\0").

F5 to 21C4 (21C4 = 00402DC4-401000+400) and change the code to
push 401070
push 401080
F9 to save.

Run dumped_.exe, and Notepad comes up correctly!!! Unpacking succeeded!!!!


The whole unpacking process is tedious, but the idea is clear: hide OD, find the OEP, fix the IAT, dump at a suitable point, fix the entry point, and finally check for errors.

This version of Asprotect is very old, and there are already unpackers and N write-ups for it, so mine isn't worth much; consider it a memento of my first real unpacking success!