Removing the self-check from QQ伴侣 (QQ Companion)
Author: admin  Date: 2009-11-16
From version 2.41 on, the packer the author added is simple: ASPack 2.12 -> Alexey Solodovnikov, handled easily with the ESP rule.
After unpacking, a scan reports Microsoft Visual Basic 5.0 / 6.0, so it is a VB program, but it refuses to run, which clearly means there is a self-check.
Load it in OD (OllyDbg), set a breakpoint with BP rtcFileLen, and it breaks here:
73466045 > 55 PUSH EBP
73466046 8BEC MOV EBP,ESP
73466048 81EC 40010000 SUB ESP,140
7346604E 8D85 C0FEFFFF LEA EAX,DWORD PTR SS:[EBP-140]
73466054 50 PUSH EAX
73466055 FF75 08 PUSH DWORD PTR SS:[EBP+8]
73466058 E8 E9000000 CALL msvbvm60.73466146
7346605D 85C0 TEST EAX,EAX
7346605F 74 06 JE SHORT msvbvm60.73466067 ; flipping the flag so this does not jump lets the program run
73466061 50 PUSH EAX
73466062 E8 1F80FFFF CALL msvbvm60.7345E086
73466067 8B85 E0FEFFFF MOV EAX,DWORD PTR SS:[EBP-120]
7346606D C9 LEAVE
Flipping the flag does make it run, but this is not the program's own code (we are inside msvbvm60), so it cannot be patched here. However much I trace, I never land in the program's own code. - -!
From earlier analysis by others, it is known to be VB P-code:
http://bbs.pediy.com/showthread.php?t=99289
Load the unpacked program in VBExplorer, analyze the Main form's code, and notice this section:
******Possible String Ref To->".exe"
|
:0045EEB0 1B1200 LitStr ;Push ptr_0041E7EC
:0045EEB3 2A ConcatStr ;vbaStrCat
:0045EEB4 2324FF FStStrNoPop ;SysFreeString [LOCAL_00DC]; [LOCAL_00DC]=[stack]
**********Reference To->msvbvm60.rtcFileLen
|
:0045EEB7 5E13000400 ImpAdCallI2 ;Call ptr_00401232; check stack 0004; Push EAX
:0045EEBC 7158FF FStR4 ;Pop DWORD [LOCAL_00A8]
:0045EEBF 2804FF0200 LitVarI2 ;PushVarInteger 0002
:0045EEC4 F502000000 LitI4 ;Push 00000002
:0045EEC9 6C58FF ILdRf ;Push DWORD [LOCAL_00A8]
:0045EECC FD6938FF CVarI4 ;
:0045EED0 04F4FE FLdRfVar ;Push LOCAL_010C
**********Reference To->msvbvm60.rtcMidCharVar
|
:0045EED3 0A14001000 ImpAdCallFPR4 ;Call ptr_004011E4; check stack 0010; Push EAX
:0045EED8 04F4FE FLdRfVar ;Push LOCAL_010C
:0045EEDB 55 CI2Var ;vbaI2Var
:0045EEDC 7070FF FStI2 ;Pop WORD [LOCAL_0090]
:0045EEDF 320A0060FF2CFF5C FFreeStr ;Do SysFreeString [arg_n]; [arg_n]=0 000A/2 times ~ arg
:0045EEEC 29040034FF30FF FFreeAd ;
:0045EEF3 36060038FF04FFF4 FFreeVar ;Free 0006/2 variants
:0045EEFC 001A LargeBos ;IDE beginning of line with 1A byte codes
:0045EEFE 750B00 ImpAdLdI2 ;Pop [STACK_000B]
:0045EF01 F4FF LitI2_Byte ;Push FF
:0045EF03 C6 EqI2 ;
:0045EF04 6B70FF FLdI2 ;Push WORD [LOCAL_0090]
:0045EF07 F400 LitI2_Byte ;Push 00
:0045EF09 DA GtI2 ;Push (Pop1 > Pop2)
:0045EF0A C4 AndI4 ;
:0045EF0B 6B70FF FLdI2 ;Push WORD [LOCAL_0090]
:0045EF0E 6B72FF FLdI2 ;Push WORD [LOCAL_008E]
:0045EF11 CB NeI2 ;
:0045EF12 C4 AndI4 ;
:0045EF13 1C3A01 BranchF ;If Pop=0 then ESI=0045EF1A
:0045EF16 0004 LargeBos ;IDE beginning of line with 04 byte codes
:0045EF18 FCC800 End ;
:0045EF1B C7 EqI4 ;Push (Pop1 == Pop2)
:0045EF1C F500000000 LitI4 ;Push 00000000
:0045EF21 0460FF FLdRfVar ;Push LOCAL_00A0
:0045EF24 0434FF FLdRfVar ;Push LOCAL_00CC
:0045EF27 050D00 ImpAdLdRf ;Push ptr
:0045EF2A 240E00 NewIfNullPr ;[Pop] [SR]
Load it in OD again, go to 0045EF13, change 1C to 1D, save, and it runs.
There are a lot of ads, but I am not removing them, and the program updates frequently. This article is only a study memo.
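The check traced above boils down to comparing the result of rtcFileLen on the program's own .exe against a constant, and a single-byte change to the BranchF opcode decides its outcome. The Python below is an added example, not code from the original post or from QQ伴侣, written from the defender's side: it models a binary image as constructed bytes, implements a length-only self-check next to a content-digest check, and shows that a same-length edit (like the one-byte opcode change in the post) passes the length check yet is caught by the digest, while a length-changing edit (an unpacked image) fails both. The image bytes, the patch offset and the digest storage are all assumptions of the demo.

```python
import hashlib

# Constructed stand-in for a small executable image (not QQ伴侣's bytes).
# Byte offset 0x10 plays the role of the conditional-branch opcode in the check.
ORIGINAL = bytes(range(0x20)) + b"SELF-CHECK DEMO" + bytes(0x20)


def length_check(image: bytes, expected_len: int) -> bool:
    """Length-only self-check: the analogue of comparing rtcFileLen to a constant."""
    return len(image) == expected_len


def content_digest(image: bytes) -> str:
    """SHA-256 over the whole image; the build stores this outside the hashed region."""
    return hashlib.sha256(image).hexdigest()


def digest_check(image: bytes, expected_digest: str) -> bool:
    """Content check: any changed byte alters the digest, whatever the file size."""
    return content_digest(image) == expected_digest


def patch_byte(image: bytes, offset: int, new_value: int) -> bytes:
    """Same-length modification: one byte replaced, file size unchanged."""
    return image[:offset] + bytes([new_value]) + image[offset + 1:]


def append_section(image: bytes, extra: bytes) -> bytes:
    """Length-changing modification, e.g. an unpacker writing out a larger image."""
    return image + extra


def evaluate(image: bytes, expected_len: int, expected_digest: str) -> dict:
    """Run both checks and report which ones the image passes."""
    return {
        "length_ok": length_check(image, expected_len),
        "digest_ok": digest_check(image, expected_digest),
    }


# Values the "build" would record once and ship with the program.
EXPECTED_LEN = len(ORIGINAL)
EXPECTED_DIGEST = content_digest(ORIGINAL)

if __name__ == "__main__":
    print("original     ", evaluate(ORIGINAL, EXPECTED_LEN, EXPECTED_DIGEST))
    # Same-length edit: the length check cannot see it, the digest can.
    print("1-byte patch ", evaluate(patch_byte(ORIGINAL, 0x10, 0x1D), EXPECTED_LEN, EXPECTED_DIGEST))
    # Unpacked/grown image: both checks fail, which is what the post ran into.
    print("appended data", evaluate(append_section(ORIGINAL, b"\0" * 64), EXPECTED_LEN, EXPECTED_DIGEST))
```

The lesson for anyone shipping such a check is that a size comparison is only tamper evidence against the crudest modifications, and that any check evaluated by a single conditional branch inside the protected program can itself be altered; a content digest raises detection coverage, but integrity decisions that must hold against a local attacker belong outside the binary (signed code verified by the loader, or server-side validation), not in a self-check.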
Comments: 1 | Trackbacks: 0 | Views: 469
Could you please update it?