; Program code again here
00423ac9 e8 96f10800      call 004b2c64                         ; jmp to mfc42.#5943
00423ace 60               pushad
00423acf 6a 05            push 5
00423ad1 6a 00            push 0
00423ad3 6a 00            push 0
00423ad5 6a ff            push -1
00423ad7 ff15 c8784b00    call dword ptr ds:[4b78c8]            ; <maincon.sub_sdk_disposal> step into here to see the core of the SDK handling, sub_embeddprotect
00423add 61               popad
00423ade 90               nop
......
00423fa9 /e9 08000000     jmp 00423fb6
00423fae |66:81d3 a6af    adc bx,0afa6
00423fb3 |66:03d9         add bx,cx
00423fb6 \e9 e91d0000     jmp 00425da4                          ; heh, another far jump, there must be something going on
00423fbb 0000             add byte ptr ds:[eax],al
......
00426066 /79 01           jns short 00426069
00426068 |90              nop
00426069 \e8 68f8ffff     call <anti_fake_unpack_check_import>
0042606e 0f83 02000000    jnb 00426076
00426074 d3de             rcr esi,cl
00426076 8bcd             mov ecx,ebp
......
00426242 ^\71 83          jno short 004261c7
00426244 c40458           les eax,fword ptr ds:[eax+ebx*2]      ; modification of segment register
00426247 e8 5fe1ffff      call <sub_fuck_ring0'debugger>
0042624c 87c7             xchg edi,eax                          ; maincon.004262f6
0042624e 4f               dec edi
......
004266ab 830424 06        add dword ptr ss:[esp],6
004266af c3               retn
004266b0 e8 3de7ffff      call <sub_check_ring3_debug>
004266b5 e9 10000000      jmp 004266ca
004266ba 0f84 02000000    je 004266c2
004266c0 87d1             xchg ecx,edx
......
0042670c e8 01000000      call 00426712
00426711 - e9 83c40458    jmp 58472b99
00426716 e8 dedfffff      call <sub_crc>
0042671b 0bcf             or ecx,edi
0042671d 87d9             xchg ecx,ebx
0042671f e8 00000000      call 00426724
......
00426b78 4f               dec edi
00426b79 e9 82010000      jmp 00426d00                          ; jumps off to execute program code
00426b7e e8 01000000      call 00426b84
......
00426d00 61               popad                                 ; program code starts again
00426d01 e8 58bf0800      call 004b2c5e                         ; jmp to mfc42.#1168
00426d06 8b40 08          mov eax,dword ptr ds:[eax+8]
00426d09 6a 00            push 0
00426d0b 6a 00            push 0
00426d0d 68 8c164c00      push 004c168c                         ; ascii "demo"
00426d12 50               push eax
00426d13 e8 940f0600      call 00487cac
00426d18 60               pushad
00426d19 6a 04            push 4                                ; a value of 4 means encrypt
00426d1b 6a 00            push 0
00426d1d 6a 00            push 0
00426d1f 6a ff            push -1
00426d21 ff15 c8784b00    call dword ptr ds:[4b78c8]            ; <maincon.sub_sdk_disposal>
00426d27 eb 1e            jmp short 00426d47
00426d29 7d 66            jge short 00426d91
00426d2b 99               cdq
00426d2c - e9 6e3956cb    jmp cb98a69f
00426d31 67:a8 69         test al,69                            ; superfluous prefix
00426d34 df59 e5          fistp