以壳解壳之SVKP

标题：以壳解壳之SVKP
作者：wynney
时间：2007-11-24 12:14
链接：http://bbs.pediy.com/showthread.php?t=55410

【文章标题】: 以壳解壳SVKP
【文章作者】: wynney
【软件名称】: 硬盘里找的
【下载地址】: 自己搜索下载
【作者声明】: 工作不怎么忙了，出来冒冒泡
--------------------------------------------------------------------------------
【详细过程】
  一、到OEP去溜达，SFX

  忽略所有异常，看图，Ctrl+F2,不一会就到FOEP了[如果中间有异常，Shift+F9过]



引用:
  00405DC8   .  53              push ebx                                ;  SFX 代码真实入口点
  00405DC9   .  8BD8            mov ebx,eax                             ;  很典型的Delphi特征
  00405DCB   .  33C0            xor eax,eax
  00405DCD   .  A3 9C304800     mov dword ptr ds:[48309C],eax
  00405DD2   .  6A 00           push 0
  00405DD4   .  E8 2BFFFFFF     call SVKP.00405D04
  00405DD9   .  A3 64664800     mov dword ptr ds:[486664],eax
  00405DDE   .  A1 64664800     mov eax,dword ptr ds:[486664]
  00405DE3   .  A3 A8304800     mov dword ptr ds:[4830A8],eax
  00405DE8   .  33C0            xor eax,eax
  00405DEA   .  A3 AC304800     mov dword ptr ds:[4830AC],eax
  00405DEF   .  33C0            xor eax,eax
  00405DF1   .  A3 B0304800     mov dword ptr ds:[4830B0],eax
  00405DF6   .  E8 C1FFFFFF     call SVKP.00405DBC
  00405DFB   .  BA A4304800     mov edx,SVKP.004830A4
  00405E00   .  8BC3            mov eax,ebx
  00405E02   .  E8 9DDDFFFF     call SVKP.00403BA4
  00405E07   .  5B              pop ebx
  00405E08   .  C3              retn                                    ;  返回到FOEP




引用:
??  004823B7    E8 0C3AF8FF       call SVKP.00405DC8                      ; FOEP,上面的代码被抽，今天不讲如何修复Stolen
  004823BC    A1 2C5C4800       mov eax,dword ptr ds:[485C2C]           ; retn到这


  二、以壳解壳点

  忽略除了内存异常和指定异常外的所有异常，Ctrl+F2



引用:
  005B8000 >  60                pushad                                  ; 入口
  005B8001    E8 00000000       call SVKP.005B8006                      ; F8到这，hr ESP
  005B8006    5D                pop ebp
  005B8007    81ED 06000000     sub ebp,6


  4次Shift+F9，到最后一次内存异常



引用:
  00FBDC09    CD 01             int 1                                   ; 最后一次内存异常
  00FBDC0B    E8 01000000       call 00FBDC11
  00FBDC10  - E9 83C4047C       jmp 7D00A098
  00FBDC15    03EB              add ebp,ebx
  00FBDC17    039A 74FB648F     add ebx,dword ptr ds:[edx+8F64FB74]
  00FBDC1D    05 00000000       add eax,0
  00FBDC22    E8 02000000       call 00FBDC29
  00FBDC27    CD20 83042408     vxdcall 8240483
  00FBDC2D    C3                retn


  硬件断点不要删，到Code断下断，Shift+F9



引用:
  00FDE8D3    8A06              mov al,byte ptr ds:[esi]                ; 中断在这，删除内存断点
  00FDE8D5    46                inc esi
  00FDE8D6    47                inc edi
  00FDE8D7    8843 0F           mov byte ptr ds:[ebx+F],al
  00FDE8DA    8A46 FF           mov al,byte ptr ds:[esi-1]
  00FDE8DD    55                push ebp


  Shift+F9，硬件中断在SVKP的典型代码了



引用:
0012FC40    60                pushad                                  ; 中断
  0012FC41    E8 03000000       call 0012FC49
  0012FC46    D2EB              shr bl,cl
  0012FC48    0A58 EB           or bl,byte ptr ds:[eax-15]
  0012FC4B    0148 40           add dword ptr ds:[eax+40],ecx
  0012FC4E    EB 01             jmp short 0012FC51
  0012FC50    35 FFE061E8       xor eax,E861E0FF
  0012FC55    0100              add dword ptr ds:[eax],eax


  删除硬件断点，Ctrl+G:004823B7,F2,Ctrl+F11,中断在004823B7，点“运行跟踪”，看跟踪窗口



引用:

地址=0012FC53
   命令=popad
   修改后的寄存器=EAX=0105E159，ESP=0012FFC4


  看EAX，0105E159就是Stolen开始的位置了

  取消004823B7处的断点，开始LordPE,Dump了，并且补上两个取段

  打开 ImportREC,OEP输入000823B7[004823B7 - 00400000]，获取IAT，全部无效，先用等级1修复，有很大一部分被修复了，
  剩下10个没有修复的[这几个指针就是SVKP会特殊处理的几个指针了，大家应该比较熟悉，这里我们不需要修复她们]
  ，可以看看，没有被修复的指针所指向的地址全部在需要补的两个区段里

引用:
Target: D:\Downloads\以壳解壳SVKP\SVKP.exe
OEP: 000823B7  IATRVA: 0019113C  IATSize: 000006EC

FThunk: 00191140  NbFunc: 00000022
1  00191140  kernel32.dll  0080  DeleteCriticalSection
1  00191144  kernel32.dll  0241  LeaveCriticalSection
1  00191148  kernel32.dll  0097  EnterCriticalSection
1  0019114C  kernel32.dll  0216  InitializeCriticalSection
1  00191150  kernel32.dll  036E  VirtualFree
1  00191154  kernel32.dll  036B  VirtualAlloc
1  00191158  kernel32.dll  024C  LocalFree
1  0019115C  kernel32.dll  0248  LocalAlloc
0  00191160  ?  0000  01057FB8
1  00191164  kernel32.dll  013F  GetCurrentThreadId
1  00191168  kernel32.dll  021A  InterlockedDecrement
1  0019116C  kernel32.dll  021E  InterlockedIncrement
1  00191170  kernel32.dll  0373  VirtualQuery
1  00191174  kernel32.dll  037F  WideCharToMultiByte
1  00191178  kernel32.dll  0265  MultiByteToWideChar
1  0019117C  kernel32.dll  03B3  lstrlen
1  00191180  kernel32.dll  03B0  lstrcpyn
1  00191184  kernel32.dll  0243  LoadLibraryExA
1  00191188  kernel32.dll  01CD  GetThreadLocale
1  0019118C  kernel32.dll  01AD  GetStartupInfoA
1  00191190  kernel32.dll  0198  GetProcAddress
0  00191194  ?  0000  0103D19C
1  00191198  kernel32.dll  0174  GetModuleFileNameA
1  0019119C  kernel32.dll  016C  GetLocaleInfoA
0  001911A0  ?  0000  0103A15A
1  001911A4  kernel32.dll  00F1  FreeLibrary
1  001911A8  kernel32.dll  00D1  FindFirstFileA
1  001911AC  kernel32.dll  00CD  FindClose
0  001911B0  ?  0000  010376A9
1  001911B4  kernel32.dll  038C  WriteFile
1  001911B8  kernel32.dll  0358  UnhandledExceptionFilter
1  001911BC  kernel32.dll  02C5  RtlUnwind
1  001911C0  kernel32.dll  0297  RaiseException
1  001911C4  kernel32.dll  01AF  GetStdHandle

FThunk: 001911CC  NbFunc: 00000004
1  001911CC  user32.dll  0128  GetKeyboardType
1  001911D0  user32.dll  01C9  LoadStringA
0  001911D4  ?  0000  0105A078
1  001911D8  user32.dll  002B  CharNextA

FThunk: 001911E0  NbFunc: 00000003
1  001911E0  advapi32.dll  01EE  RegQueryValueExA
1  001911E4  advapi32.dll  01E4  RegOpenKeyExA
1  001911E8  advapi32.dll  01CB  RegCloseKey

FThunk: 001911F0  NbFunc: 00000003
1  001911F0  oleaut32.dll  0006  SysFreeString
1  001911F4  oleaut32.dll  0005  SysReAllocStringLen
1  001911F8  oleaut32.dll  0004  SysAllocStringLen

FThunk: 00191200  NbFunc: 00000004
1  00191200  kernel32.dll  034F  TlsSetValue
1  00191204  kernel32.dll  034E  TlsGetValue
1  00191208  kernel32.dll  0248  LocalAlloc
0  0019120C  ?  0000  0103D19C

FThunk: 00191214  NbFunc: 00000003
1  00191214  advapi32.dll  01EE  RegQueryValueExA
1  00191218  advapi32.dll  01E4  RegOpenKeyExA
1  0019121C  advapi32.dll  01CB  RegCloseKey

FThunk: 00191224  NbFunc: 00000045
1  00191224  kernel32.dll  03AD  lstrcpy
1  00191228  kernel32.dll  038C  WriteFile
1  0019122C  kernel32.dll  037B  WaitForSingleObject
1  00191230  kernel32.dll  0373  VirtualQuery
1  00191234  kernel32.dll  036B  VirtualAlloc
1  00191238  kernel32.dll  033F  Sleep
1  0019123C  kernel32.dll  033E  SizeofResource
1  00191240  kernel32.dll  032D  SetThreadLocale
1  00191244  kernel32.dll  0307  SetFilePointer
1  00191248  kernel32.dll  0302  SetEvent
1  0019124C  kernel32.dll  0301  SetErrorMode
1  00191250  kernel32.dll  02FE  SetEndOfFile
1  00191254  kernel32.dll  02BD  ResetEvent
1  00191258  kernel32.dll  02A4  ReadFile
1  0019125C  kernel32.dll  0265  MultiByteToWideChar
1  00191260  kernel32.dll  0264  MulDiv
1  00191264  kernel32.dll  0255  LockResource
1  00191268  kernel32.dll  0247  LoadResource
1  0019126C  kernel32.dll  0242  LoadLibraryA
1  00191270  kernel32.dll  0241  LeaveCriticalSection
1  00191274  kernel32.dll  0225  IsBadReadPtr
1  00191278  kernel32.dll  0216  InitializeCriticalSection
1  0019127C  kernel32.dll  01FD  GlobalUnlock
1  00191280  kernel32.dll  01F9  GlobalReAlloc
1  00191284  kernel32.dll  01F5  GlobalHandle
1  00191288  kernel32.dll  01F6  GlobalLock
1  0019128C  kernel32.dll  01F2  GlobalFree
1  00191290  kernel32.dll  01EE  GlobalFindAtomA
1  00191294  kernel32.dll  01ED  GlobalDeleteAtom
1  00191298  kernel32.dll  01EB  GlobalAlloc
1  0019129C  kernel32.dll  01E9  GlobalAddAtomA
0  001912A0  ?  0000  01058FCE
0  001912A4  ?  0000  01057FB8
1  001912A8  kernel32.dll  01D2  GetTickCount
1  001912AC  kernel32.dll  01CD  GetThreadLocale
1  001912B0  kernel32.dll  01C9  GetTempPathA
1  001912B4  kernel32.dll  01B9  GetSystemInfo
1  001912B8  kernel32.dll  01B1  GetStringTypeExA
1  001912BC  kernel32.dll  01AF  GetStdHandle
1  001912C0  kernel32.dll  0198  GetProcAddress
0  001912C4  ?  0000  0103D19C
1  001912C8  kernel32.dll  0174  GetModuleFileNameA
1  001912CC  kernel32.dll  016C  GetLocaleInfoA
1  001912D0  kernel32.dll  016B  GetLocalTime
1  001912D4  kernel32.dll  0169  GetLastError
1  001912D8  kernel32.dll  0162  GetFullPathNameA
1  001912DC  kernel32.dll  0146  GetDiskFreeSpaceA
1  001912E0  kernel32.dll  0140  GetDateFormatA
1  001912E4  kernel32.dll  013F  GetCurrentThreadId
1  001912E8  kernel32.dll  013D  GetCurrentProcessId
1  001912EC  kernel32.dll  00FE  GetCPInfo
1  001912F0  kernel32.dll  00F7  GetACP
1  001912F4  kernel32.dll  00F3  FreeResource
1  001912F8  kernel32.dll  021B  InterlockedExchange
1  001912FC  kernel32.dll  00F1  FreeLibrary
1  00191300  kernel32.dll  00EC  FormatMessageA
1  00191304  kernel32.dll  00E0  FindResourceA
1  00191308  kernel32.dll  00D1  FindFirstFileA
1  0019130C  kernel32.dll  00CD  FindClose
1  00191310  kernel32.dll  00C3  FileTimeToLocalFileTime
1  00191314  kernel32.dll  00C2  FileTimeToDosDateTime
1  00191318  kernel32.dll  0098  EnumCalendarInfoA
1  0019131C  kernel32.dll  0097  EnterCriticalSection
1  00191320  kernel32.dll  0080  DeleteCriticalSection
1  00191324  kernel32.dll  006D  CreateThread
1  00191328  kernel32.dll  0050  CreateFileA
1  0019132C  kernel32.dll  004C  CreateEventA
1  00191330  kernel32.dll  0038  CompareStringA
1  00191334  kernel32.dll  0032  CloseHandle

FThunk: 0019133C  NbFunc: 00000003
1  0019133C  version.dll  000B  VerQueryValueA
1  00191340  version.dll  0002  GetFileVersionInfoSizeA
1  00191344  version.dll  0001  GetFileVersionInfoA

FThunk: 0019134C  NbFunc: 0000004C
1  0019134C  gdi32.dll  0253  UnrealizeObject
1  00191350  gdi32.dll  024A  StretchBlt
1  00191354  gdi32.dll  0244  SetWindowOrgEx
1  00191358  gdi32.dll  0242  SetWinMetaFileBits
1  0019135C  gdi32.dll  0240  SetViewportOrgEx
1  00191360  gdi32.dll  023D  SetTextColor
1  00191364  gdi32.dll  0239  SetStretchBltMode
1  00191368  gdi32.dll  0236  SetROP2
1  0019136C  gdi32.dll  0232  SetPixel
1  00191370  gdi32.dll  0223  SetEnhMetaFileBits
1  00191374  gdi32.dll  021F  SetDIBColorTable
1  00191378  gdi32.dll  021A  SetBrushOrgEx
1  0019137C  gdi32.dll  0217  SetBkMode
1  00191380  gdi32.dll  0216  SetBkColor
1  00191384  gdi32.dll  0210  SelectPalette
1  00191388  gdi32.dll  020F  SelectObject
1  0019138C  gdi32.dll  020D  SelectClipRgn
1  00191390  gdi32.dll  0208  SaveDC
1  00191394  gdi32.dll  0202  RoundRect
1  00191398  gdi32.dll  0201  RestoreDC
1  0019139C  gdi32.dll  01F7  Rectangle
1  001913A0  gdi32.dll  01F6  RectVisible
1  001913A4  gdi32.dll  01F4  RealizePalette
1  001913A8  gdi32.dll  01EF  Polyline
1  001913AC  gdi32.dll  01EE  Polygon
1  001913B0  gdi32.dll  01E1  PlayEnhMetaFile
1  001913B4  gdi32.dll  01DE  PatBlt
1  001913B8  gdi32.dll  01D2  MoveToEx
1  001913BC  gdi32.dll  01CF  MaskBlt
1  001913C0  gdi32.dll  01CE  LineTo
1  001913C4  gdi32.dll  01C8  IntersectClipRect
1  001913C8  gdi32.dll  01C4  GetWindowOrgEx
1  001913CC  gdi32.dll  01C2  GetWinMetaFileBits
1  001913D0  gdi32.dll  01C1  GetViewportOrgEx
1  001913D4  gdi32.dll  01BD  GetTextMetricsA
1  001913D8  gdi32.dll  01B7  GetTextExtentPointA
1  001913DC  gdi32.dll  01B5  GetTextExtentPoint32A
1  001913E0  gdi32.dll  01AA  GetSystemPaletteEntries
1  001913E4  gdi32.dll  01A6  GetStockObject
1  001913E8  gdi32.dll  019D  GetPixel
1  001913EC  gdi32.dll  019B  GetPaletteEntries
1  001913F0  gdi32.dll  0196  GetObjectA
1  001913F4  gdi32.dll  0176  GetEnhMetaFilePaletteEntries
1  001913F8  gdi32.dll  0175  GetEnhMetaFileHeader
1  001913FC  gdi32.dll  0172  GetEnhMetaFileBits
1  00191400  gdi32.dll  016C  GetDeviceCaps
1  00191404  gdi32.dll  016B  GetDIBits
1  00191408  gdi32.dll  016A  GetDIBColorTable
1  0019140C  gdi32.dll  0168  GetDCOrgEx
1  00191410  gdi32.dll  0166  GetCurrentPositionEx
1  00191414  gdi32.dll  0165  GetCurrentObject
1  00191418  gdi32.dll  0161  GetClipBox
1  0019141C  gdi32.dll  0151  GetBrushOrgEx
1  00191420  gdi32.dll  014B  GetBitmapBits
1  00191424  gdi32.dll  011C  GdiFlush
1  00191428  gdi32.dll  00DA  ExtCreateRegion
1  0019142C  gdi32.dll  00D8  ExcludeClipRect
1  00191430  gdi32.dll  0090  DeleteObject
1  00191434  gdi32.dll  008E  DeleteEnhMetaFile
1  00191438  gdi32.dll  008D  DeleteDC
1  0019143C  gdi32.dll  0051  CreateSolidBrush
1  00191440  gdi32.dll  004C  CreateRectRgn
1  00191444  gdi32.dll  0049  CreatePenIndirect
1  00191448  gdi32.dll  0048  CreatePen
1  0019144C  gdi32.dll  0046  CreatePalette
1  00191450  gdi32.dll  0040  CreateHalftonePalette
1  00191454  gdi32.dll  003B  CreateFontIndirectA
1  00191458  gdi32.dll  0034  CreateDIBitmap
1  0019145C  gdi32.dll  0033  CreateDIBSection
1  00191460  gdi32.dll  002E  CreateCompatibleDC
1  00191464  gdi32.dll  002D  CreateCompatibleBitmap
1  00191468  gdi32.dll  002A  CreateBrushIndirect
1  0019146C  gdi32.dll  0028  CreateBitmap
1  00191470  gdi32.dll  0024  CopyEnhMetaFileA
1  00191474  gdi32.dll  0022  CombineRgn
1  00191478  gdi32.dll  0013  BitBlt

FThunk: 00191480  NbFunc: 000000B0
1  00191480  user32.dll  0061  CreateWindowExA
1  00191484  user32.dll  02D6  WindowFromPoint
1  00191488  user32.dll  02D3  WinHelpA
1  0019148C  user32.dll  02D1  WaitMessage
1  00191490  user32.dll  02BC  UpdateWindow
1  00191494  user32.dll  02B4  UnregisterClassA
1  00191498  user32.dll  02AF  UnhookWindowsHookEx
1  0019149C  user32.dll  02AB  TranslateMessage
1  001914A0  user32.dll  02AA  TranslateMDISysAccel
1  001914A4  user32.dll  02A5  TrackPopupMenu
1  001914A8  user32.dll  029A  SystemParametersInfoA
1  001914AC  user32.dll  0293  ShowWindow
1  001914B0  user32.dll  0291  ShowScrollBar
1  001914B4  user32.dll  0290  ShowOwnedPopups
1  001914B8  user32.dll  028F  ShowCursor
1  001914BC  user32.dll  0285  SetWindowRgn
1  001914C0  user32.dll  028B  SetWindowsHookExA
1  001914C4  user32.dll  0287  SetWindowTextA
1  001914C8  user32.dll  0284  SetWindowPos
1  001914CC  user32.dll  0283  SetWindowPlacement
1  001914D0  user32.dll  0282  SetWindowLongW
1  001914D4  user32.dll  0281  SetWindowLongA
1  001914D8  user32.dll  027B  SetTimer
1  001914DC  user32.dll  0271  SetScrollRange
1  001914E0  user32.dll  0270  SetScrollPos
1  001914E4  user32.dll  026F  SetScrollInfo
1  001914E8  user32.dll  026D  SetRect
1  001914EC  user32.dll  026B  SetPropA
1  001914F0  user32.dll  0267  SetParent
1  001914F4  user32.dll  0263  SetMenuItemInfoA
1  001914F8  user32.dll  025E  SetMenu
1  001914FC  user32.dll  0258  SetForegroundWindow
1  00191500  user32.dll  0257  SetFocus
1  00191504  user32.dll  024E  SetCursor
1  00191508  user32.dll  024B  SetClipboardData
1  0019150C  user32.dll  0248  SetClassLongA
1  00191510  user32.dll  0245  SetCapture
1  00191514  user32.dll  0244  SetActiveWindow
1  00191518  user32.dll  023C  SendMessageA
1  0019151C  user32.dll  0235  ScrollWindow
1  00191520  user32.dll  0232  ScreenToClient
1  00191524  user32.dll  022D  RemovePropA
1  00191528  user32.dll  022C  RemoveMenu
1  0019152C  user32.dll  022B  ReleaseDC
1  00191530  user32.dll  022A  ReleaseCapture
1  00191534  user32.dll  021B  RegisterClipboardFormatA
1  00191538  user32.dll  021B  RegisterClipboardFormatA
1  0019153C  user32.dll  0217  RegisterClassA
1  00191540  user32.dll  0216  RedrawWindow
1  00191544  user32.dll  020C  PtInRect
1  00191548  user32.dll  0202  PostQuitMessage
1  0019154C  user32.dll  0200  PostMessageA
1  00191550  user32.dll  01FE  PeekMessageA
1  00191554  user32.dll  01F4  OpenClipboard
1  00191558  user32.dll  01F3  OffsetRect
1  0019155C  user32.dll  01EF  OemToCharA
1  00191560  user32.dll  01EA  MoveWindow
0  00191564  ?  0000  0105A078
1  00191568  user32.dll  01DC  MessageBeep
1  0019156C  user32.dll  01D8  MapWindowPoints
1  00191570  user32.dll  01D4  MapVirtualKeyA
1  00191574  user32.dll  01C9  LoadStringA
1  00191578  user32.dll  01C0  LoadKeyboardLayoutA
1  0019157C  user32.dll  01BC  LoadIconA
1  00191580  user32.dll  01B8  LoadCursorA
1  00191584  user32.dll  01B6  LoadBitmapA
1  00191588  user32.dll  01B3  KillTimer
1  0019158C  user32.dll  01B1  IsZoomed
1  00191590  user32.dll  01B0  IsWindowVisible
1  00191594  user32.dll  01AF  IsWindowUnicode
1  00191598  user32.dll  01AD  IsWindowEnabled
1  0019159C  user32.dll  01AC  IsWindow
1  001915A0  user32.dll  01A9  IsRectEmpty
1  001915A4  user32.dll  01A7  IsIconic
1  001915A8  user32.dll  01A1  IsDialogMessage
1  001915AC  user32.dll  019F  IsChild
1  001915B0  user32.dll  0194  InvalidateRect
1  001915B4  user32.dll  0193  IntersectRect
1  001915B8  user32.dll  018F  InsertMenuItemA
1  001915BC  user32.dll  018E  InsertMenuA
1  001915C0  user32.dll  018B  InflateRect
1  001915C4  user32.dll  017C  GetWindowThreadProcessId
1  001915C8  user32.dll  017A  GetWindowTextLengthW
1  001915CC  user32.dll  017B  GetWindowTextW
1  001915D0  user32.dll  0178  GetWindowTextA
1  001915D4  user32.dll  0175  GetWindowRect
1  001915D8  user32.dll  0174  GetWindowPlacement
1  001915DC  user32.dll  0170  GetWindowLongW
1  001915E0  user32.dll  016F  GetWindowLongA
1  001915E4  user32.dll  016D  GetWindowDC
1  001915E8  user32.dll  0164  GetTopWindow
1  001915EC  user32.dll  015E  GetSystemMetrics
1  001915F0  user32.dll  015D  GetSystemMenu
1  001915F4  user32.dll  015C  GetSysColorBrush
1  001915F8  user32.dll  015B  GetSysColor
1  001915FC  user32.dll  015A  GetSubMenu
1  00191600  user32.dll  0158  GetScrollRange
1  00191604  user32.dll  0157  GetScrollPos
1  00191608  user32.dll  0156  GetScrollInfo
1  0019160C  user32.dll  014B  GetPropA
1  00191610  user32.dll  0146  GetParent
1  00191614  user32.dll  016B  GetWindow
1  00191618  user32.dll  0139  GetMenuStringA
1  0019161C  user32.dll  0138  GetMenuState
1  00191620  user32.dll  0135  GetMenuItemInfoA
1  00191624  user32.dll  0134  GetMenuItemID
1  00191628  user32.dll  0133  GetMenuItemCount
1  0019162C  user32.dll  012D  GetMenu
1  00191630  user32.dll  0129  GetLastActivePopup
1  00191634  user32.dll  0127  GetKeyboardState
1  00191638  user32.dll  0124  GetKeyboardLayoutList
1  0019163C  user32.dll  0123  GetKeyboardLayout
1  00191640  user32.dll  0122  GetKeyState
1  00191644  user32.dll  0120  GetKeyNameTextA
1  00191648  user32.dll  011B  GetIconInfo
1  0019164C  user32.dll  0118  GetForegroundWindow
1  00191650  user32.dll  0117  GetFocus
1  00191654  user32.dll  0116  GetDoubleClickTime
1  00191658  user32.dll  0111  GetDlgCtrlID
1  0019165C  user32.dll  010F  GetDesktopWindow
1  00191660  user32.dll  010E  GetDCEx
1  00191664  user32.dll  010D  GetDC
1  00191668  user32.dll  010C  GetCursorPos
1  0019166C  user32.dll  0109  GetCursor
1  00191670  user32.dll  0102  GetClipboardData
1  00191674  user32.dll  0100  GetClientRect
1  00191678  user32.dll  00FD  GetClassNameA
1  0019167C  user32.dll  00F7  GetClassInfoA
1  00191680  user32.dll  00F4  GetCapture
1  00191684  user32.dll  00EC  GetActiveWindow
1  00191688  user32.dll  00EA  FrameRect
1  0019168C  user32.dll  00E5  FindWindowExA
1  00191690  user32.dll  00E4  FindWindowA
1  00191694  user32.dll  00E3  FillRect
1  00191698  user32.dll  00E0  EqualRect
1  0019169C  user32.dll  00DF  EnumWindows
1  001916A0  user32.dll  00DC  EnumThreadWindows
1  001916A4  user32.dll  00C9  EndPaint
1  001916A8  user32.dll  00C5  EnableWindow
1  001916AC  user32.dll  00C4  EnableScrollBar
1  001916B0  user32.dll  00C3  EnableMenuItem
1  001916B4  user32.dll  00C2  EmptyClipboard
1  001916B8  user32.dll  00C0  DrawTextW
1  001916BC  user32.dll  00BD  DrawTextA
1  001916C0  user32.dll  00B9  DrawMenuBar
1  001916C4  user32.dll  00B8  DrawIconEx
1  001916C8  user32.dll  00B7  DrawIcon
1  001916CC  user32.dll  00B6  DrawFrameControl
1  001916D0  user32.dll  00B4  DrawFocusRect
1  001916D4  user32.dll  00B3  DrawEdge
1  001916D8  user32.dll  00A2  DispatchMessageA
1  001916DC  user32.dll  009A  DestroyWindow
1  001916E0  user32.dll  0098  DestroyMenu
1  001916E4  user32.dll  0096  DestroyCursor
1  001916E8  user32.dll  0096  DestroyCursor
1  001916EC  user32.dll  0092  DeleteMenu
1  001916F0  user32.dll  008F  DefWindowProcA
1  001916F4  user32.dll  008C  DefMDIChildProcA
1  001916F8  user32.dll  008A  DefFrameProcA
1  001916FC  user32.dll  005F  CreatePopupMenu
1  00191700  user32.dll  005E  CreateMenu
1  00191704  user32.dll  0058  CreateIcon
1  00191708  user32.dll  004A  CopyImage
1  0019170C  user32.dll  0043  CloseClipboard
1  00191710  user32.dll  0041  ClientToScreen
1  00191714  user32.dll  003A  CheckMenuItem
1  00191718  user32.dll  001C  CallWindowProcA
1  0019171C  user32.dll  001B  CallNextHookEx
1  00191720  user32.dll  000E  BeginPaint
1  00191724  user32.dll  002B  CharNextA
1  00191728  user32.dll  0028  CharLowerBuffA
1  0019172C  user32.dll  0027  CharLowerA
1  00191730  user32.dll  0036  CharUpperBuffA
1  00191734  user32.dll  0031  CharToOemA
1  00191738  user32.dll  0003  AdjustWindowRectEx
1  0019173C  user32.dll  0001  ActivateKeyboardLayout

FThunk: 00191744  NbFunc: 00000001
1  00191744  kernel32.dll  033F  Sleep

FThunk: 0019174C  NbFunc: 00000008
1  0019174C  oleaut32.dll  0094  SafeArrayPtrOfIndex
1  00191750  oleaut32.dll  0013  SafeArrayGetUBound
1  00191754  oleaut32.dll  0014  SafeArrayGetLBound
1  00191758  oleaut32.dll  000F  SafeArrayCreate
1  0019175C  oleaut32.dll  000C  VariantChangeType
1  00191760  oleaut32.dll  000A  VariantCopy
1  00191764  oleaut32.dll  0009  VariantClear
1  00191768  oleaut32.dll  0008  VariantInit

FThunk: 00191770  NbFunc: 00000017
1  00191770  comctl32.dll  004F  ImageList_SetIconSize
1  00191774  comctl32.dll  003B  ImageList_GetIconSize
1  00191778  comctl32.dll  0052  ImageList_Write
1  0019177C  comctl32.dll  0043  ImageList_Read
1  00191780  comctl32.dll  0038  ImageList_GetDragImage
1  00191784  comctl32.dll  0031  ImageList_DragShowNolock
1  00191788  comctl32.dll  004C  ImageList_SetDragCursorImage
1  0019178C  comctl32.dll  0030  ImageList_DragMove
1  00191790  comctl32.dll  002F  ImageList_DragLeave
1  00191794  comctl32.dll  002E  ImageList_DragEnter
1  00191798  comctl32.dll  0036  ImageList_EndDrag
1  0019179C  comctl32.dll  002A  ImageList_BeginDrag
1  001917A0  comctl32.dll  003F  ImageList_LoadImage
1  001917A4  comctl32.dll  0044  ImageList_Remove
1  001917A8  comctl32.dll  0033  ImageList_DrawEx
1  001917AC  comctl32.dll  0032  ImageList_Draw
1  001917B0  comctl32.dll  0037  ImageList_GetBkColor
1  001917B4  comctl32.dll  004B  ImageList_SetBkColor
1  001917B8  comctl32.dll  0046  ImageList_ReplaceIcon
1  001917BC  comctl32.dll  0027  ImageList_Add
1  001917C0  comctl32.dll  003C  ImageList_GetImageCount
1  001917C4  comctl32.dll  002D  ImageList_Destroy
1  001917C8  comctl32.dll  002C  ImageList_Create

FThunk: 001917D0  NbFunc: 0000000D
1  001917D0  kernel32.dll  03A0  _llseek
1  001917D4  kernel32.dll  039C  _hread
1  001917D8  kernel32.dll  039E  _lclose
1  001917DC  kernel32.dll  03A1  _lopen
1  001917E0  kernel32.dll  033E  SizeofResource
1  001917E4  kernel32.dll  0247  LoadResource
1  001917E8  kernel32.dll  00E0  FindResourceA
1  001917EC  kernel32.dll  033F  Sleep
1  001917F0  kernel32.dll  024C  LocalFree
1  001917F4  kernel32.dll  0248  LocalAlloc
1  001917F8  kernel32.dll  032E  SetThreadPriority
1  001917FC  kernel32.dll  006D  CreateThread
1  00191800  kernel32.dll  0032  CloseHandle

FThunk: 00191808  NbFunc: 00000007
1  00191808  winmm.dll  00CF  waveOutWrite
1  0019180C  winmm.dll  00CE  waveOutUnprepareHeader
1  00191810  winmm.dll  00C9  waveOutReset
1  00191814  winmm.dll  00C8  waveOutPrepareHeader
1  00191818  winmm.dll  00C6  waveOutOpen
1  0019181C  winmm.dll  00C3  waveOutGetPosition
1  00191820  winmm.dll  00BA  waveOutClose

??  把OEP改成00C5E159[0105E159 - 00400000]，FixDump 。。。。。

  可以正常运行....



引用:
??  0105E159 >  81C5 21AA9095     add ebp,9590AA21    ；以壳解壳OEP
  0105E15F    50                push eax
  0105E160    89E4              mov esp,esp
  0105E162    E9 1C0F0000       jmp Unpack_.0105F083
  0105E167    E7 47             out 47,eax
  0105E169    11A5 BDB4A83F     adc dword ptr ss:[ebp+3FA8B4BD],esp
  0105E16F    E8 FA4E6D58       call 5973306E


??

--------------------------------------------------------------------------------
【经验总结】
  本文介绍的东西没什么适用价值，只是一种技术探讨，希望大家能举一反三....

--------------------------------------------------------------------------------
【版权声明】: 本文原创于看雪技术论坛, 转载请注明作者并保持文章的完整, 谢谢!

                                                       2007年11月23日下午 04:26:14