100HB
This post was last edited by puagin on 2014-12-24 00:01
The main program can't be found (I only looked at it remotely; I don't have it either)....
There is only the patch and one DLL.
I've been studying EY lately; when I saw this one I wanted to look into it, and I could spend half a day on it.
I didn't find any code in it, so how does it do it? I'd like to know the general principle, especially how its code got swapped out.
Packer: Aspack v2.24-2.32 ( 07.2013 )
This should be where the real stuff is:
00401372 |. |6A 00 push 0x0 ; /ExitCode = 0x0
00401374 |. |FF15 B4214100 call dword ptr ds:[<&kernel32.ExitProces>; \ExitProcess
0040137A |> \8B4424 40 mov eax,dword ptr ss:[esp+0x40]
0040137E |. 50 push eax ; /ProcessId
0040137F |. 6A 00 push 0x0 ; |Inheritable = FALSE
00401381 |. 68 FF0F1F00 push 0x1F0FFF ; |Access = PROCESS_ALL_ACCESS
00401386 |. FF15 B8214100 call dword ptr ds:[<&kernel32.OpenProces>; \OpenProcess
0040138C |. 8B3D BC214100 mov edi,dword ptr ds:[<&kernel32.ReadPro>; kernel32.ReadProcessMemory
00401392 |. 6A 00 push 0x0 ; /pBytesRead = NULL
00401394 |. 8D8C24 800000>lea ecx,dword ptr ss:[esp+0x80] ; |
0040139B |. 6A 02 push 0x2 ; |BytesToRead = 0x2
0040139D |. 8BF0 mov esi,eax ; |
0040139F |. 51 push ecx ; |Buffer
004013A0 |. 55 push ebp ; |pBaseAddress
004013A1 |. 56 push esi ; |hProcess
004013A2 |. C64424 2A EB mov byte ptr ss:[esp+0x2A],0xEB ; |
004013A7 |. C64424 2B FE mov byte ptr ss:[esp+0x2B],0xFE ; |
004013AC |. FFD7 call edi ; \ReadProcessMemory
004013AE |. 8B1D C0214100 mov ebx,dword ptr ds:[<&kernel32.WritePr>; kernel32.WriteProcessMemory
004013B4 |. 6A 00 push 0x0 ; /pBytesWritten = NULL
004013B6 |. 8D5424 1A lea edx,dword ptr ss:[esp+0x1A] ; |
004013BA |. 6A 02 push 0x2 ; |BytesToWrite = 0x2
004013BC |. 52 push edx ; |Buffer
004013BD |. 55 push ebp ; |Address
004013BE |. 56 push esi ; |hProcess
004013BF |. FFD3 call ebx ; \WriteProcessMemory
004013C1 |. 8B4424 3C mov eax,dword ptr ss:[esp+0x3C]
004013C5 |. 50 push eax ; /hThread
004013C6 |. FF15 C4214100 call dword ptr ds:[<&kernel32.ResumeThre>; \ResumeThread
004013CC |. C78424 000300>mov dword ptr ss:[esp+0x300],0x10007
004013D7 |> 8B5424 3C /mov edx,dword ptr ss:[esp+0x3C]
004013DB |. 8D8C24 000300>|lea ecx,dword ptr ss:[esp+0x300]
004013E2 |. 51 |push ecx ; /pContext
004013E3 |. 52 |push edx ; |hThread
004013E4 |. FF15 C8214100 |call dword ptr ds:[<&kernel32.GetThread>; \GetThreadContext
004013EA |. 39AC24 B80300>|cmp dword ptr ss:[esp+0x3B8],ebp
004013F1 |.^ 75 E4 \jnz Xunpacked.004013D7
004013F3 |. 8B4424 3C mov eax,dword ptr ss:[esp+0x3C]
004013F7 |. 50 push eax ; /hThread
004013F8 |. FF15 CC214100 call dword ptr ds:[<&kernel32.SuspendThr>; \SuspendThread
004013FE |. 8B4C24 28 mov ecx,dword ptr ss:[esp+0x28]
00401402 |. 51 push ecx ; /pModule
00401403 |. FF15 D0214100 call dword ptr ds:[<&kernel32.GetModuleH>; \GetModuleHandleA
00401409 |. 8B5424 30 mov edx,dword ptr ss:[esp+0x30]
0040140D |. 52 push edx ; /ProcNameOrOrdinal
0040140E |. 50 push eax ; |hModule
0040140F |. FF15 D4214100 call dword ptr ds:[<&kernel32.GetProcAdd>; \GetProcAddress
Address:
Link: http://pan.baidu.com/s/1bn5yYrP Password: 04tb
Er, @520Kelly, I wonder if this is acceptable? If it still isn't, you take a shot at it, just go easy.........
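Added example (not part of puagin's post and not code from the patch itself): a small Python script that parses an OllyDbg listing in the format shown above and pulls out what the listing already tells us. It extracts the resolved import behind each `call`, the immediate bytes stored into the stack buffer, and the access mask pushed to OpenProcess, then matches the loader pattern visible in the listing: write a two-byte `EB FE` (`jmp $`, jump to self) over the target address held in ebp, ResumeThread, poll GetThreadContext until EIP equals that address, SuspendThread, and only then resolve an export with GetModuleHandleA/GetProcAddress. The embedded listing is a constructed copy of the relevant lines above; the regular expressions, function names and the verdict string are this example's own assumptions, written as a triage aid for recognising the pattern in a listing rather than as a reimplementation of the patch.

```python
import re

# Constructed sample in OllyDbg's listing format, copied from the call
# sequence shown in the post above (only the lines the parser needs).
LISTING = r"""
00401381 |. 68 FF0F1F00 push 0x1F0FFF ; |Access = PROCESS_ALL_ACCESS
00401386 |. FF15 B8214100 call dword ptr ds:[<&kernel32.OpenProces>; \OpenProcess
004013A2 |. C64424 2A EB mov byte ptr ss:[esp+0x2A],0xEB ; |
004013A7 |. C64424 2B FE mov byte ptr ss:[esp+0x2B],0xFE ; |
004013AC |. FFD7 call edi ; \ReadProcessMemory
004013BF |. FFD3 call ebx ; \WriteProcessMemory
004013C6 |. FF15 C4214100 call dword ptr ds:[<&kernel32.ResumeThre>; \ResumeThread
004013E4 |. FF15 C8214100 |call dword ptr ds:[<&kernel32.GetThread>; \GetThreadContext
004013F8 |. FF15 CC214100 call dword ptr ds:[<&kernel32.SuspendThr>; \SuspendThread
00401403 |. FF15 D0214100 call dword ptr ds:[<&kernel32.GetModuleH>; \GetModuleHandleA
0040140F |. FF15 D4214100 call dword ptr ds:[<&kernel32.GetProcAdd>; \GetProcAddress
"""

# OllyDbg writes the resolved import after "; \" on the call line.
CALL_RE = re.compile(r'\bcall\b.*;\s*\\(\w+)\s*$')
# Immediate byte stores into the stack buffer, e.g. "mov byte ptr ss:[esp+0x2A],0xEB".
BYTE_RE = re.compile(r'mov byte ptr ss:\[esp\+0x([0-9A-Fa-f]+)\],0x([0-9A-Fa-f]{2})')
ALL_ACCESS_RE = re.compile(r'PROCESS_ALL_ACCESS')

# Call order that characterises this loader (assumed heuristic): patch the
# target address, let the thread run until it spins there, then freeze it.
HIJACK_ORDER = ["OpenProcess", "ReadProcessMemory", "WriteProcessMemory",
                "ResumeThread", "GetThreadContext", "SuspendThread"]


def api_sequence(listing):
    """Return the imported APIs called, in listing order."""
    seq = []
    for line in listing.splitlines():
        m = CALL_RE.search(line)
        if m:
            seq.append(m.group(1))
    return seq


def stack_bytes(listing):
    """Return {stack offset: byte value} for immediate byte stores into [esp+N]."""
    out = {}
    for line in listing.splitlines():
        m = BYTE_RE.search(line)
        if m:
            out[int(m.group(1), 16)] = int(m.group(2), 16)
    return out


def has_jmp_self_stub(listing):
    """True if two adjacent stack bytes are EB FE, the encoding of 'jmp $'."""
    b = stack_bytes(listing)
    return any(b.get(off) == 0xEB and b.get(off + 1) == 0xFE for off in b)


def is_subsequence(pattern, seq):
    """True if every name in pattern appears in seq in that order (gaps allowed)."""
    it = iter(seq)
    return all(any(x == p for x in it) for p in pattern)


def analyze(listing):
    """Summarise the loader pattern recoverable from an OllyDbg listing."""
    seq = api_sequence(listing)
    findings = {
        "all_access_handle": bool(ALL_ACCESS_RE.search(listing)),
        "jmp_self_stub": has_jmp_self_stub(listing),
        "hijack_call_order": is_subsequence(HIJACK_ORDER, seq),
        "resolves_export_after_freeze": seq[-2:] == ["GetModuleHandleA", "GetProcAddress"],
    }
    core = ("jmp_self_stub", "hijack_call_order")
    findings["verdict"] = ("entry-point hijack (EB FE stub + GetThreadContext polling)"
                           if all(findings[k] for k in core)
                           else "no loader pattern found")
    return findings


if __name__ == "__main__":
    for key, value in analyze(LISTING).items():
        print(f"{key}: {value}")
```

The two bytes matter more than the API names: `EB FE` is a relative jump of -2, so the patched instruction jumps to itself, and the GetThreadContext loop (`cmp [esp+0x3B8],ebp` against the saved EIP) is just waiting for the thread to arrive at that address with the target fully mapped. That is also why the original two bytes are read first with ReadProcessMemory: they have to be put back once the loader has done its work.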