Asking for help with unpacking ASProtect
I have recently been learning how to unpack ASProtect. The target program is ilink.
The packer detected is ASProtect 1.2x - 1.3x [Registered] -> Alexey Solodovnikov
This packer seems somewhat different from the earlier ASProtect ones; it may be the latest version. Also, new versions of ASProtect are no longer offered as a free download.
I first opened it in OD, hid the debugger flag, then pressed SHIFT+F9 until the last exception. The code is as follows:
0105FAA5 C700 EFCA5C85 MOV DWORD PTR DS:[EAX],855CCAEF
0105FAAB 67:64:8F06 0000 POP DWORD PTR FS:[0]
0105FAB1 83C4 04 ADD ESP,4
0105FAB4 83E8 AF SUB EAX,-51
0105FAB7 83C8 4B OR EAX,4B
0105FABA 58 POP EAX
0105FABB A1 0C380601 MOV EAX,DWORD PTR DS:[106380C]
0105FAC0 8B00 MOV EAX,DWORD PTR DS:[EAX]
0105FAC2 8B68 1C MOV EBP,DWORD PTR DS:[EAX+1C]
0105FAC5 A1 0C380601 MOV EAX,DWORD PTR DS:[106380C]
0105FACA 8B00 MOV EAX,DWORD PTR DS:[EAX]
0105FACC 8B00 MOV EAX,DWORD PTR DS:[EAX]
0105FACE 894424 04 MOV DWORD PTR SS:[ESP+4],EAX
0105FAD2 A1 0C380601 MOV EAX,DWORD PTR DS:[106380C]
0105FAD7 8B00 MOV EAX,DWORD PTR DS:[EAX]
0105FAD9 8D78 18 LEA EDI,DWORD PTR DS:[EAX+18]
0105FADC A1 8C370601 MOV EAX,DWORD PTR DS:[106378C]
0105FAE1 8858 08 MOV BYTE PTR DS:[EAX+8],BL
0105FAE4 833F 00 CMP DWORD PTR DS:[EDI],0
0105FAE7 75 1D JNZ SHORT 0105FB06
0105FAE9 83C5 20 ADD EBP,20
0105FAEC A1 84360601 MOV EAX,DWORD PTR DS:[1063684]
0105FAF1 8078 0A 00 CMP BYTE PTR DS:[EAX+A],0
0105FAF5 75 0F JNZ SHORT 0105FB06
0105FAF7 B8 1F000000 MOV EAX,1F
0105FAFC E8 C32DFDFF CALL 010328C4
0105FB01 C1E0 02 SHL EAX,2
0105FB04 2BE8 SUB EBP,EAX
0105FB06 E8 A9D0FFFF CALL 0105CBB4
0105FB0B 8BD8 MOV EBX,EAX
0105FB0D 833D E4B50601 00 CMP DWORD PTR DS:[106B5E4],0
0105FB14 74 15 JE SHORT 0105FB2B
0105FB16 6A 04 PUSH 4
0105FB18 B9 E4B50601 MOV ECX,106B5E4
0105FB1D 8D4424 04 LEA EAX,DWORD PTR SS:[ESP+4]
0105FB21 BA 04000000 MOV EDX,4
0105FB26 E8 3944FEFF CALL 01043F64
0105FB2B 833D 14B60601 00 CMP DWORD PTR DS:[106B614],0
0105FB32 74 15 JE SHORT 0105FB49
0105FB34 6A 0C PUSH 0C
0105FB36 B9 14B60601 MOV ECX,106B614
0105FB3B 8D4424 04 LEA EAX,DWORD PTR SS:[ESP+4]
0105FB3F BA 04000000 MOV EDX,4
0105FB44 E8 1B44FEFF CALL 01043F64
0105FB49 833F 00 CMP DWORD PTR DS:[EDI],0
0105FB4C 74 08 JE SHORT 0105FB56
0105FB4E 8B0424 MOV EAX,DWORD PTR SS:[ESP]
0105FB51 A3 24B60601 MOV DWORD PTR DS:[106B624],EAX
0105FB56 8B07 MOV EAX,DWORD PTR DS:[EDI]
0105FB58 894424 08 MOV DWORD PTR SS:[ESP+8],EAX
0105FB5C 896C24 10 MOV DWORD PTR SS:[ESP+10],EBP
0105FB60 8B0424 MOV EAX,DWORD PTR SS:[ESP]
0105FB63 894424 14 MOV DWORD PTR SS:[ESP+14],EAX
0105FB67 A1 8C370601 MOV EAX,DWORD PTR DS:[106378C]
0105FB6C 8818 MOV BYTE PTR DS:[EAX],BL
0105FB6E A1 B8370601 MOV EAX,DWORD PTR DS:[10637B8]
0105FB73 C600 E1 MOV BYTE PTR DS:[EAX],0E1
0105FB76 E8 65ECFEFF CALL 0104E7E0
0105FB7B 8B15 78370601 MOV EDX,DWORD PTR DS:[1063778]
0105FB81 8802 MOV BYTE PTR DS:[EDX],AL
0105FB83 A1 0CB60601 MOV EAX,DWORD PTR DS:[106B60C]
0105FB88 E8 7B81FFFF CALL 01057D08
0105FB8D A1 78370601 MOV EAX,DWORD PTR DS:[1063778]
0105FB92 8038 00 CMP BYTE PTR DS:[EAX],0
0105FB95 74 26 JE SHORT 0105FBBD
0105FB97 A1 58370601 MOV EAX,DWORD PTR DS:[1063758]
0105FB9C C600 EA MOV BYTE PTR DS:[EAX],0EA
0105FB9F B8 32000000 MOV EAX,32
0105FBA4 E8 1B2DFDFF CALL 010328C4
0105FBA9 2905 20B60601 SUB DWORD PTR DS:[106B620],EAX
0105FBAF B8 64000000 MOV EAX,64
0105FBB4 E8 0B2DFDFF CALL 010328C4
0105FBB9 014424 04 ADD DWORD PTR SS:[ESP+4],EAX
0105FBBD A1 20B60601 MOV EAX,DWORD PTR DS:[106B620]
0105FBC2 894424 0C MOV DWORD PTR SS:[ESP+C],EAX
0105FBC6 8B4424 04 MOV EAX,DWORD PTR SS:[ESP+4]
0105FBCA 894424 18 MOV DWORD PTR SS:[ESP+18],EAX
0105FBCE A1 0CB60601 MOV EAX,DWORD PTR DS:[106B60C]
0105FBD3 E8 3C30FDFF CALL 01032C14
0105FBD8 A1 B8370601 MOV EAX,DWORD PTR DS:[10637B8]
0105FBDD C600 E3 MOV BYTE PTR DS:[EAX],0E3
0105FBE0 8D5424 08 LEA EDX,DWORD PTR SS:[ESP+8]
0105FBE4 A1 2CB60601 MOV EAX,DWORD PTR DS:[106B62C]
0105FBE9 E8 7695FFFF CALL 01059164
0105FBEE E8 3160FFFF CALL 01055C24
0105FBF3 8BC6 MOV EAX,ESI
0105FBF5 E8 1A30FDFF CALL 01032C14
0105FBFA E8 B5D0FFFF CALL 0105CCB4
0105FBFF 83C4 2C ADD ESP,2C
0105FC02 5D POP EBP
0105FC03 5F POP EDI
0105FC04 5E POP ESI
0105FC05 5B POP EBX
0105FC06 C3 RETN
After this I don't know what to do next. Does anyone know?