yoda’s Protector 1.3 -> Ashkbiz Danehkar 手脱笔记

2023-02-28 09:14:39 浏览数 (1)

目标:Agama Web Buttons2.52

用od载入后忽略所有异常,对code段下F2断点,F9运行,注意观察堆栈窗口,直到出现Se handle 跟入处理的数据,ctrl g转到61390B

代码语言:javascript复制
0061390B     55                   push ebp  ;F2断点
0061390C     8BEC                 mov ebp,esp
0061390E     57                   push edi
0061390F     36:8B45 10           mov eax,dword ptr ss:[ebp 10]
00613913     3E:8BB8 C4000000     mov edi,dword ptr ds:[eax C4]
0061391A     3E:FF37              push dword ptr ds:[edi]
0061391D     33FF                 xor edi,edi
0061391F     64:8F07              pop dword ptr fs:[edi]
00613922     3E:8380 C4000000 08  add dword ptr ds:[eax C4],8
0061392A     3E:8BB8 A4000000     mov edi,dword ptr ds:[eax A4]
00613931     C1C7 07              rol edi,7
00613934     3E:89B8 B8000000     mov dword ptr ds:[eax B8],edi                 ; edi就是程序入口点
0061393B     B8 00000000          mov eax,0
00613940     5F                   pop edi
00613941     C9                   leave
00613942     C3                   retn

下F2断点,shift F9运行,中断后开始单步运行,注意寄存器窗口,标注的edi就是程序入口点,直接转到edi数值。F2下断。shift F9运行,中断后即可用LordPe脱壳。

代码语言:javascript复制
0052F814     55                   push ebp ;F2断点
0052F815     8BEC                 mov ebp,esp
0052F817     83C4 E4              add esp,-1C
0052F81A     33C0                 xor eax,eax
0052F81C     8945 E4              mov dword ptr ss:[ebp-1C],eax
0052F81F     8945 E8              mov dword ptr ss:[ebp-18],eax
0052F822     8945 EC              mov dword ptr ss:[ebp-14],eax
0052F825     B8 FCF35200          mov eax,Agama.0052F3FC
0052F82A     E8 E975EDFF          call Agama.00406E18
0052F82F     33C0                 xor eax,eax
0052F831     55                   push ebp
0052F832     68 31FB5200          push Agama.0052FB31
0052F837     64:FF30              push dword ptr fs:[eax]
0052F83A     64:8920              mov dword ptr fs:[eax],esp
0052F83D     B9 34655300          mov ecx,Agama.00536534
0052F842     BA 30655300          mov edx,Agama.00536530
0052F847     B8 2C655300          mov eax,Agama.0053652C
0052F84C     E8 EFEDFFFF          call Agama.0052E640
0052F851     833D 2C655300 10     cmp dword ptr ds:[53652C],10
0052F858     7C 0C                jl short Agama.0052F866
0052F85A     813D 30655300 240300>cmp dword ptr ds:[536530],324
0052F864     7D 0F                jge short Agama.0052F875
0052F866     B8 48FB5200          mov eax,Agama.0052FB48                        ; ASCII "This software requires 16 bit colors adapter and 800x640 resolution as the minimu!"

0 人点赞