手脱ACProtect V1.4X(有Stolen Code)之补区段
首先需要說的是,這個殼是ximo大神視頻教程里的
0041F000 > 60 pushad ; //程序入口點 0041F001 E8 01000000 call NgaMy.0041F007 0041F006 E8 83042406 call 0665F48E 0041F00B C3 retn 0041F00C 43 inc ebx 0041F00D D3DA rcr edx,cl 0041F00F BE 75FC1F8F mov esi,8F1FFC75?
3.打開內存界面,在“.rdata”處下斷點,然后shift+F9運行,有些程序可能沒有“.rdata”,那么就找“.idata”,之所以會有不同,應該是因為程序的編程語言不同導致。
Memory map, 項目 19 地址=0040A000 大小=00002000 (8192.) 屬主=NgaMy 00400000 區段=.rdata 包含=代碼,數據 類型=映像 01001002 訪問=R 初始訪問=RWE
4.落腳點應該是這個位置,首先看下這段代碼,據說這段代碼fly大神曾經解讀過,可惜我沒有找到,如果有朋友找到了可以分享一下,感激不盡。在這里我們需要做的是看我寫的注釋位置,有兩行代碼要nop掉(右鍵單擊需要nop掉的那一行—二進制—使用nop填充),還有一行代碼改成jmp跳(je改為jmp)。
0043383D 8B46 0C mov eax,dword ptr ds:[esi+C] ; //落腳點 00433840 0BC0 or eax,eax 00433842 0F84 25020000 je NgaMy.00433A6D 00433848 8366 0C 00 and dword ptr ds:[esi+C],0 0043384C 03C2 add eax,edx 0043384E 8BD8 mov ebx,eax 00433850 56 push esi 00433851 57 push edi 00433852 50 push eax 00433853 8BF3 mov esi,ebx 00433855 8BFB mov edi,ebx 00433857 AC lods byte ptr ds:[esi] 00433858 C0C0 03 rol al,3 0043385B AA stos byte ptr es:[edi] 0043385C 803F 00 cmp byte ptr ds:[edi],0 0043385F ^ 75 F6 jnz short NgaMy.00433857 00433861 58 pop eax 00433862 5F pop edi 00433863 5E pop esi 00433864 50 push eax 00433865 FF95 90E24100 call dword ptr ss:[ebp+41E290] 0043386B 0BC0 or eax,eax 0043386D 75 43 jnz short NgaMy.004338B2 0043386F 90 nop 00433870 90 nop 00433871 90 nop 00433872 90 nop 00433873 53 push ebx 00433874 FF95 94E24100 call dword ptr ss:[ebp+41E294] 0043387A 0BC0 or eax,eax 0043387C 75 34 jnz short NgaMy.004338B2 0043387E 90 nop 0043387F 90 nop 00433880 90 nop 00433881 90 nop 00433882 8B95 1FFC4000 mov edx,dword ptr ss:[ebp+40FC1F] 00433888 0195 1D1F4000 add dword ptr ss:[ebp+401F1D],edx 0043388E 0195 211F4000 add dword ptr ss:[ebp+401F21],edx 00433894 6A 00 push 0 00433896 FFB5 1D1F4000 push dword ptr ss:[ebp+401F1D] 0043389C FFB5 211F4000 push dword ptr ss:[ebp+401F21] 004338A2 6A 00 push 0 004338A4 FF95 9CE24100 call dword ptr ss:[ebp+41E29C] 004338AA 6A 00 push 0 004338AC FF95 98E24100 call dword ptr ss:[ebp+41E298] 004338B2 60 pushad 004338B3 2BC0 sub eax,eax 004338B5 8803 mov byte ptr ds:[ebx],al 004338B7 43 inc ebx 004338B8 3803 cmp byte ptr ds:[ebx],al 004338BA ^ 75 F9 jnz short NgaMy.004338B5 004338BC 61 popad 004338BD 8985 17FC4000 mov dword ptr ss:[ebp+40FC17],eax 004338C3 C785 1BFC4000 0>mov dword ptr ss:[ebp+40FC1B],0 004338CD 8B95 1FFC4000 mov edx,dword ptr ss:[ebp+40FC1F] 004338D3 8B06 mov eax,dword ptr ds:[esi] 004338D5 0BC0 or eax,eax 004338D7 75 07 jnz short NgaMy.004338E0 004338D9 90 nop 004338DA 90 nop 004338DB 90 nop 004338DC 90 nop 004338DD 8B46 10 mov 
eax,dword ptr ds:[esi+10] 004338E0 03C2 add eax,edx 004338E2 0385 1BFC4000 add eax,dword ptr ss:[ebp+40FC1B] 004338E8 8B18 mov ebx,dword ptr ds:[eax] 004338EA 8B7E 10 mov edi,dword ptr ds:[esi+10] 004338ED 03FA add edi,edx 004338EF 03BD 1BFC4000 add edi,dword ptr ss:[ebp+40FC1B] 004338F5 85DB test ebx,ebx 004338F7 0F84 62010000 je NgaMy.00433A5F 004338FD F7C3 00000080 test ebx,80000000 00433903 75 1D jnz short NgaMy.00433922 00433905 90 nop 00433906 90 nop 00433907 90 nop 00433908 90 nop 00433909 03DA add ebx,edx 0043390B 83C3 02 add ebx,2 0043390E 56 push esi 0043390F 57 push edi 00433910 50 push eax 00433911 8BF3 mov esi,ebx 00433913 8BFB mov edi,ebx 00433915 AC lods byte ptr ds:[esi] 00433916 C0C0 03 rol al,3 00433919 AA stos byte ptr es:[edi] 0043391A 803F 00 cmp byte ptr ds:[edi],0 0043391D ^ 75 F6 jnz short NgaMy.00433915 0043391F 58 pop eax 00433920 5F pop edi 00433921 5E pop esi 00433922 3B9D 1FFC4000 cmp ebx,dword ptr ss:[ebp+40FC1F] 00433928 7C 11 jl short NgaMy.0043393B 0043392A 90 nop 0043392B 90 nop 0043392C 90 nop 0043392D 90 nop 0043392E 83BD 02244000 0>cmp dword ptr ss:[ebp+402402],0 00433935 75 0A jnz short NgaMy.00433941 00433937 90 nop 00433938 90 nop 00433939 90 nop 0043393A 90 nop 0043393B 81E3 FFFFFF0F and ebx,0FFFFFFF 00433941 53 push ebx 00433942 FFB5 17FC4000 push dword ptr ss:[ebp+40FC17] 00433948 FF95 8CE24100 call dword ptr ss:[ebp+41E28C] 0043394E 3B9D 1FFC4000 cmp ebx,dword ptr ss:[ebp+40FC1F] 00433954 7C 0F jl short NgaMy.00433965 00433956 90 nop 00433957 90 nop 00433958 90 nop 00433959 90 nop 0043395A 60 pushad 0043395B 2BC0 sub eax,eax 0043395D 8803 mov byte ptr ds:[ebx],al 0043395F 43 inc ebx 00433960 3803 cmp byte ptr ds:[ebx],al 00433962 ^ 75 F9 jnz short NgaMy.0043395D 00433964 61 popad 00433965 0BC0 or eax,eax 00433967 ^ 0F84 15FFFFFF je NgaMy.00433882 0043396D 3B85 9CE24100 cmp eax,dword ptr ss:[ebp+41E29C] ; //比較是否是MessageBoxA 00433973 74 20 je short NgaMy.00433995 ; //這里要nop掉 00433975 90 nop 00433976 90 nop 00433977 90 nop 
00433978 90 nop 00433979 3B85 9D014100 cmp eax,dword ptr ss:[ebp+41019D] ; //比較是否是RegisterHotKey 0043397F 74 09 je short NgaMy.0043398A ; //這里要nop掉 00433981 90 nop 00433982 90 nop 00433983 90 nop 00433984 90 nop 00433985 EB 14 jmp short NgaMy.0043399B 00433987 90 nop 00433988 90 nop 00433989 90 nop 0043398A 8D85 0A024100 lea eax,dword ptr ss:[ebp+41020A] 00433990 EB 09 jmp short NgaMy.0043399B 00433992 90 nop 00433993 90 nop 00433994 90 nop 00433995 8D85 24024100 lea eax,dword ptr ss:[ebp+410224] 0043399B 56 push esi 0043399C FFB5 17FC4000 push dword ptr ss:[ebp+40FC17] 004339A2 5E pop esi 004339A3 39B5 FA234000 cmp dword ptr ss:[ebp+4023FA],esi 004339A9 74 15 je short NgaMy.004339C0 004339AB 90 nop 004339AC 90 nop 004339AD 90 nop 004339AE 90 nop 004339AF 39B5 FE234000 cmp dword ptr ss:[ebp+4023FE],esi 004339B5 74 09 je short NgaMy.004339C0 004339B7 90 nop 004339B8 90 nop 004339B9 90 nop 004339BA 90 nop 004339BB EB 63 jmp short NgaMy.00433A20 004339BD 90 nop 004339BE 90 nop 004339BF 90 nop 004339C0 80BD D2594100 0>cmp byte ptr ss:[ebp+4159D2],0 004339C7 74 57 je short NgaMy.00433A20 ; //magic跳,je改jmp 004339C9 90 nop 004339CA 90 nop 004339CB 90 nop 004339CC 90 nop 004339CD EB 07 jmp short NgaMy.004339D6 004339CF 90 nop 004339D0 90 nop 004339D1 90 nop 004339D2 0100 add dword ptr ds:[eax],eax 004339D4 0000 add byte ptr ds:[eax],al 004339D6 8BB5 E4FC4000 mov esi,dword ptr ss:[ebp+40FCE4] 004339DC 83C6 0D add esi,0D 004339DF 81EE EA1B4000 sub esi,NgaMy.00401BEA 004339E5 2BF5 sub esi,ebp 004339E7 83FE 00 cmp esi,0 004339EA 7F 34 jg short NgaMy.00433A20 004339EC 90 nop 004339ED 90 nop 004339EE 90 nop 004339EF 90 nop?
5.步驟4執行完畢后再次打開內存界面,在00401000處下內存訪問斷點,SHIFT+F9一次,下面是它的落腳點,落腳后先清除內存訪問斷點,然后在下面最近的retn處F4,然后F8一次
00405560 3D 00100000 cmp eax,1000 //落腳點 00405565 73 0E jnb short NgaMy.00405575 00405567 F7D8 neg eax 00405569 03C4 add eax,esp 0040556B 83C0 04 add eax,4 0040556E 8500 test dword ptr ds:[eax],eax 00405570 94 xchg eax,esp 00405571 8B00 mov eax,dword ptr ds:[eax] 00405573 50 push eax 00405574 C3 retn //F4,然后F8?
6.然后再次來到內存界面,在00401000處下內存訪問斷點,shift+F9運行一次,下面是落腳點,落腳后先清除內存訪問斷點,然后在retn處F4,F8一次
00405560 3D 00100000 cmp eax,1000 //落腳點 00405565 73 0E jnb short NgaMy.00405575 00405567 F7D8 neg eax 00405569 03C4 add eax,esp 0040556B 83C0 04 add eax,4 0040556E 8500 test dword ptr ds:[eax],eax 00405570 94 xchg eax,esp 00405571 8B00 mov eax,dword ptr ds:[eax] 00405573 50 push eax 00405574 C3 retn //F4,然后F8?
7.然后再次來到內存界面,在00401000處下內存訪問斷點,shift+F9運行一次,來到假的OEP
0040305C 83F9 02 cmp ecx,2 //這里就是假OEP 0040305F 74 0C je short NgaMy.0040306D 00403061 81CE 00800000 or esi,8000 00403067 8935 B0DE4000 mov dword ptr ds:[40DEB0],esi 0040306D C1E0 08 shl eax,8 00403070 03C2 add eax,edx 00403072 A3 B4DE4000 mov dword ptr ds:[40DEB4],eax 00403077 33F6 xor esi,esi 00403079 56 push esi 0040307A 8B3D B0A04000 mov edi,dword ptr ds:[40A0B0] 00403080 FFD7 call edi 00403082 66:8138 4D5A cmp word ptr ds:[eax],5A4D?
8.至此可以先脫殼了,脫殼的時候需要手動查找IAT,這個比較簡單,起始位置是A000,結尾位置是A171
9.重新載入原程序(Ctrl+F2),程序的入口點是一個pushad,F8到下一行使用ESP定律,下硬件訪問斷點然后shift+F9運行到最后一次異常
0041F000 > 60 pushad ; //入口點 0041F001 E8 01000000 call NgaMy.0041F007 ; //ESP 0041F006 E8 83042406 call 0665F48E 0041F00B C3 retn 0041F00C 43 inc ebx 0041F00D D3DA rcr edx,cl 0041F00F BE 75FC1F8F mov esi,0x8F1FFC75?
10.最后一次異常法的落腳點,pushad 上面的就是Stolen Code(NOP可以不復制),二進制復制一下,然后F4運行到注釋中的位置(記得清除硬件斷點),也就是pushad下一行再次使用ESP定律,下硬件斷點然后shift+F9一次
004365F4 8915 F5FD4100 mov dword ptr ds:[41FDF5],edx ; //落腳點 004365FA FF35 F5FD4100 push dword ptr ds:[41FDF5] 00436600 8F05 2DFE4100 pop dword ptr ds:[41FE2D] 00436606 FF35 2DFE4100 push dword ptr ds:[41FE2D] 0043660C C70424 60000000 mov dword ptr ss:[esp],60 00436613 56 push esi 00436614 890C24 mov dword ptr ss:[esp],ecx 00436617 68 8DFD4100 push NgaMy.0041FD8D 0043661C 59 pop ecx 0043661D 8919 mov dword ptr ds:[ecx],ebx 0043661F 8B0C24 mov ecx,dword ptr ss:[esp] 00436622 8F05 ADFE4100 pop dword ptr ds:[41FEAD] 00436628 FF35 8DFD4100 push dword ptr ds:[41FD8D] 0043662E C70424 48A24000 mov dword ptr ss:[esp],NgaMy.0040A248 00436635 8905 B9FD4100 mov dword ptr ds:[41FDB9],eax 0043663B FF35 B9FD4100 push dword ptr ds:[41FDB9] 00436641 90 nop 00436642 90 nop 00436643 60 pushad 00436644 E8 01000000 call NgaMy.0043664A //F4到這里,然后用ESP?
89 15 F5 FD 41 00 FF 35 F5 FD 41 00 8F 05 2D FE 41 00 FF 35 2D FE 41 00 C7 04 24 60 00 00 00 56 89 0C 24 68 8D FD 41 00 59 89 19 8B 0C 24 8F 05 AD FE 41 00 FF 35 8D FD 41 00 C7 04 24 48 A2 40 00 89 05 B9 FD 41 00 FF 35 B9 FD 41 00
11.落腳點到這個位置,還是一樣二進制復制pushad上面的代碼(記得清除硬件斷點),然后F4運行到pushad下面一行使用ESP定律,下硬件訪問斷點,shift+F9一次
00436F16 68 1DFD4100 push NgaMy.0041FD1D ;//落腳點 00436F1B 58 pop eax 00436F1C 8930 mov dword ptr ds:[eax],esi 00436F1E 8F05 79FC4100 pop dword ptr ds:[41FC79] 00436F24 8B05 79FC4100 mov eax,dword ptr ds:[41FC79] 00436F2A FF35 1DFD4100 push dword ptr ds:[41FD1D] 00436F30 56 push esi 00436F31 891C24 mov dword ptr ss:[esp],ebx 00436F34 C70424 383D4000 mov dword ptr ss:[esp],NgaMy.00403D38 00436F3B 8B3424 mov esi,dword ptr ss:[esp] 00436F3E 8F05 A5FE4100 pop dword ptr ds:[41FEA5] 00436F44 8905 01FF4100 mov dword ptr ds:[41FF01],eax 00436F4A FF35 01FF4100 push dword ptr ds:[41FF01] 00436F50 891C24 mov dword ptr ss:[esp],ebx 00436F53 56 push esi 00436F54 C70424 45FE4100 mov dword ptr ss:[esp],NgaMy.0041FE45 00436F5B 8F05 31FE4100 pop dword ptr ds:[41FE31] 00436F61 90 nop 00436F62 90 nop 00436F63 60 pushad 00436F64 E8 01000000 call NgaMy.00436F6A ;//F4到這里,然后ESP?
68 1D FD 41 00 58 89 30 8F 05 79 FC 41 00 8B 05 79 FC 41 00 FF 35 1D FD 41 00 56 89 1C 24 C7 04 24 38 3D 40 00 8B 34 24 8F 05 A5 FE 41 00 89 05 01 FF 41 00 FF 35 01 FF 41 00 89 1C 24 56 C7 04 24 45 FE 41 00 8F 05 31 FE 41 00
12.同步驟10和步驟11一樣的操作,再來一次ESP,shift+F9運行一次
0043783F 8B1D 31FE4100 mov ebx,dword ptr ds:[41FE31] ; //落腳點 00437845 8933 mov dword ptr ds:[ebx],esi 00437847 8F05 39FC4100 pop dword ptr ds:[41FC39] 0043784D FF35 39FC4100 push dword ptr ds:[41FC39] 00437853 5B pop ebx 00437854 8F05 09FE4100 pop dword ptr ds:[41FE09] 0043785A 891D 21FC4100 mov dword ptr ds:[41FC21],ebx 00437860 FF35 21FC4100 push dword ptr ds:[41FC21] 00437866 C705 19FC4100 09FE4>mov dword ptr ds:[41FC19],NgaMy.0041FE09 00437870 8B1D 19FC4100 mov ebx,dword ptr ds:[41FC19] 00437876 8B33 mov esi,dword ptr ds:[ebx] 00437878 8F05 FDFB4100 pop dword ptr ds:[41FBFD] 0043787E 8B1D FDFB4100 mov ebx,dword ptr ds:[41FBFD] 00437884 FF15 45FE4100 call dword ptr ds:[41FE45] 0043788A 90 nop 0043788B 90 nop 0043788C 60 pushad 0043788D E8 01000000 call NgaMy.00437893 ;//F4到這里,然后ESP?
8B 1D 31 FE 41 00 89 33 8F 05 39 FC 41 00 FF 35 39 FC 41 00 5B 8F 05 09 FE 41 00 89 1D 21 FC 41 00 FF 35 21 FC 41 00 C7 05 19 FC 41 00 09 FE 41 00 8B 1D 19 FC 41 00 8B 33 8F 05 FD FB 41 00 8B 1D FD FB 41 00 FF 15 45 FE 41 00
13.落腳后,還是二進制復制pushad上面的代碼(記得清除硬件斷點),然后F4運行到pushad下一行,然后shift+F9,不過這次要多運行幾次,找到和我們需要的代碼長得差不多的。
0043813D 890D B1FD4100 mov dword ptr ds:[41FDB1],ecx ;//落腳點 00438143 FF35 B1FD4100 push dword ptr ds:[41FDB1] 00438149 8F05 B5FC4100 pop dword ptr ds:[41FCB5] 0043814F FF35 B5FC4100 push dword ptr ds:[41FCB5] 00438155 56 push esi 00438156 BE FDFC4100 mov esi,NgaMy.0041FCFD 0043815B 893E mov dword ptr ds:[esi],edi 0043815D 5E pop esi 0043815E FF35 FDFC4100 push dword ptr ds:[41FCFD] 00438164 68 94000000 push 94 00438169 8F05 E5FC4100 pop dword ptr ds:[41FCE5] 0043816F FF35 E5FC4100 push dword ptr ds:[41FCE5] 00438175 5F pop edi 00438176 893D 3DFE4100 mov dword ptr ds:[41FE3D],edi 0043817C FF35 3DFE4100 push dword ptr ds:[41FE3D] 00438182 8B0C24 mov ecx,dword ptr ss:[esp] 00438185 8F05 7DFE4100 pop dword ptr ds:[41FE7D] 0043818B 90 nop 0043818C 90 nop 0043818D 60 pushad 0043818E 50 push eax ;//F4到這里,然后ESP?
89 0D B1 FD 41 00 FF 35 B1 FD 41 00 8F 05 B5 FC 41 00 FF 35 B5 FC 41 00 56 BE FD FC 41 00 89 3E 5E FF 35 FD FC 41 00 68 94 00 00 00 8F 05 E5 FC 41 00 FF 35 E5 FC 41 00 5F 89 3D 3D FE 41 00 FF 35 3D FE 41 00 8B 0C 24 8F 05 7D FE 41 00
14.同樣復制pushad上面的代碼,清除硬件斷點,F4運行到pushad下面一行使用ESP定律,還是多運行幾次
00438ACD 8B3C24 mov edi,dword ptr ss:[esp] ; //落腳點 00438AD0 8F05 79FD4100 pop dword ptr ds:[41FD79] 00438AD6 8935 25FC4100 mov dword ptr ds:[41FC25],esi 00438ADC FF35 25FC4100 push dword ptr ds:[41FC25] 00438AE2 890C24 mov dword ptr ss:[esp],ecx 00438AE5 8B3C24 mov edi,dword ptr ss:[esp] 00438AE8 8F05 B9FC4100 pop dword ptr ds:[41FCB9] 00438AEE 8F05 19FE4100 pop dword ptr ds:[41FE19] 00438AF4 8905 89FD4100 mov dword ptr ds:[41FD89],eax 00438AFA FF35 89FD4100 push dword ptr ds:[41FD89] 00438B00 57 push edi 00438B01 BF 19FE4100 mov edi,NgaMy.0041FE19 00438B06 8BC7 mov eax,edi 00438B08 5F pop edi 00438B09 8B08 mov ecx,dword ptr ds:[eax] 00438B0B 8F05 95FC4100 pop dword ptr ds:[41FC95] 00438B11 8B05 95FC4100 mov eax,dword ptr ds:[41FC95] 00438B17 53 push ebx 00438B18 90 nop 00438B19 90 nop 00438B1A 60 pushad 00438B1B 50 push eax ;//F4到這里,然后ESP?
8B 3C 24 8F 05 79 FD 41 00 89 35 25 FC 41 00 FF 35 25 FC 41 00 89 0C 24 8B 3C 24 8F 05 B9 FC 41 00 8F 05 19 FE 41 00 89 05 89 FD 41 00 FF 35 89 FD 41 00 57 BF 19 FE 41 00 8B C7 5F 8B 08 8F 05 95 FC 41 00 8B 05 95 FC 41 00 53
15.同樣復制pushad上面的代碼,清除硬件斷點,F4運行到pushad下面一行使用ESP定律,還是多運行幾次
004393FF 8F05 5DFE4100 pop dword ptr ds:[41FE5D] ; //落腳點 00439405 FF35 5DFE4100 push dword ptr ds:[41FE5D] 0043940B 890C24 mov dword ptr ss:[esp],ecx 0043940E 893D 91FE4100 mov dword ptr ds:[41FE91],edi 00439414 FF35 91FE4100 push dword ptr ds:[41FE91] 0043941A 8F05 81FC4100 pop dword ptr ds:[41FC81] 00439420 891D 89FE4100 mov dword ptr ds:[41FE89],ebx 00439426 FF35 89FE4100 push dword ptr ds:[41FE89] 0043942C 68 81FC4100 push NgaMy.0041FC81 00439431 5B pop ebx 00439432 8B0B mov ecx,dword ptr ds:[ebx] 00439434 8F05 C9FC4100 pop dword ptr ds:[41FCC9] 0043943A 8B1D C9FC4100 mov ebx,dword ptr ds:[41FCC9] 00439440 57 push edi 00439441 890424 mov dword ptr ss:[esp],eax 00439444 890C24 mov dword ptr ss:[esp],ecx 00439447 8B0424 mov eax,dword ptr ss:[esp] 0043944A 90 nop 0043944B 90 nop 0043944C 60 pushad 0043944D 76 03 jbe short NgaMy.00439452 ;//F4到這里,然后ESP ? 8F 05 5D FE 41 00 FF 35 5D FE 41 00 89 0C 24 89 3D 91 FE 41 00 FF 35 91 FE 41 00 8F 05 81 FC 41 00 89 1D 89 FE 41 00 FF 35 89 FE 41 00 68 81 FC 41 00 5B 8B 0B 8F 05 C9 FC 41 00 8B 1D C9 FC 41 00 57 89 04 24 89 0C 24 8B 04 2416.同樣復制pushad上面的代碼,清除硬件斷點,F4運行到pushad下一面一行ESP定律,還是多運行幾次
00439D39 8F05 D5FD4100 pop dword ptr ds:[41FDD5] ; //落腳點 00439D3F 8B0C24 mov ecx,dword ptr ss:[esp] 00439D42 8F05 4DFC4100 pop dword ptr ds:[41FC4D] 00439D48 50 push eax 00439D49 891424 mov dword ptr ss:[esp],edx 00439D4C 8F05 BDFE4100 pop dword ptr ds:[41FEBD] 00439D52 FF35 BDFE4100 push dword ptr ds:[41FEBD] 00439D58 51 push ecx 00439D59 B9 DDFD4100 mov ecx,NgaMy.0041FDDD 00439D5E 8939 mov dword ptr ds:[ecx],edi 00439D60 59 pop ecx 00439D61 FF35 DDFD4100 push dword ptr ds:[41FDDD] 00439D67 C705 A9FE4100 60554>mov dword ptr ds:[41FEA9],NgaMy.00405560 00439D71 FF35 A9FE4100 push dword ptr ds:[41FEA9] 00439D77 8B3C24 mov edi,dword ptr ss:[esp] 00439D7A 8F05 95FD4100 pop dword ptr ds:[41FD95] 00439D80 891D 29FD4100 mov dword ptr ds:[41FD29],ebx 00439D86 90 nop 00439D87 90 nop 00439D88 60 pushad 00439D89 E8 01000000 call NgaMy.00439D8F ;//F4到這里,然后ESP ? 8F 05 D5 FD 41 00 8B 0C 24 8F 05 4D FC 41 00 50 89 14 24 8F 05 BD FE 41 00 FF 35 BD FE 41 00 51 B9 DD FD 41 00 89 39 59 FF 35 DD FD 41 00 C7 05 A9 FE 41 00 60 55 40 00 FF 35 A9 FE 41 00 8B 3C 24 8F 05 95 FD 41 00 89 1D 29 FD 41 0017.我已經想吐了,同樣復制pushad上面的代碼,清除硬件斷點,F4運行到pushad下一面一行ESP定律,還是多運行幾次
0043A6FB FF35 29FD4100 push dword ptr ds:[41FD29] ; //落腳點 0043A701 8BDF mov ebx,edi 0043A703 8BD3 mov edx,ebx 0043A705 5B pop ebx 0043A706 8F05 E9FE4100 pop dword ptr ds:[41FEE9] 0043A70C 8B3D E9FE4100 mov edi,dword ptr ds:[41FEE9] 0043A712 52 push edx 0043A713 891C24 mov dword ptr ss:[esp],ebx 0043A716 68 9DFE4100 push NgaMy.0041FE9D 0043A71B 5B pop ebx 0043A71C 8913 mov dword ptr ds:[ebx],edx 0043A71E 8B1C24 mov ebx,dword ptr ss:[esp] 0043A721 8F05 49FE4100 pop dword ptr ds:[41FE49] 0043A727 8B1424 mov edx,dword ptr ss:[esp] 0043A72A 8F05 69FD4100 pop dword ptr ds:[41FD69] 0043A730 FF15 9DFE4100 call dword ptr ds:[41FE9D] 0043A736 8965 E8 mov dword ptr ss:[ebp-18],esp 0043A739 8925 C5FD4100 mov dword ptr ds:[41FDC5],esp 0043A73F 891D 21FD4100 mov dword ptr ds:[41FD21],ebx 0043A745 FF35 21FD4100 push dword ptr ds:[41FD21] 0043A74B 60 pushad 0043A74C 74 03 je short NgaMy.0043A751 ;//F4到這里,然后ESP?
FF 35 29 FD 41 00 8B DF 8B D3 5B 8F 05 E9 FE 41 00 8B 3D E9 FE 41 00 52 89 1C 24 68 9D FE 41 00 5B 89 13 8B 1C 24 8F 05 49 FE 41 00 8B 14 24 8F 05 69 FD 41 00 FF 15 9D FE 41 00 89 65 E8 89 25 C5 FD 41 00 89 1D 21 FD 41 00 FF 35 21 FD 41 00
18.同樣復制pushad上面的代碼,清除硬件斷點,F4運行到pushad下面一行使用ESP定律,還是多運行幾次
0043B097 68 C5FD4100 push NgaMy.0041FDC5 ; //落腳點 0043B09C 5B pop ebx 0043B09D 8B33 mov esi,dword ptr ds:[ebx] 0043B09F 8B1C24 mov ebx,dword ptr ss:[esp] 0043B0A2 8F05 A9FC4100 pop dword ptr ds:[41FCA9] 0043B0A8 893E mov dword ptr ds:[esi],edi 0043B0AA 57 push edi 0043B0AB 8F05 F5FE4100 pop dword ptr ds:[41FEF5] 0043B0B1 FF35 F5FE4100 push dword ptr ds:[41FEF5] 0043B0B7 893424 mov dword ptr ss:[esp],esi 0043B0BA FF15 BCA04000 call dword ptr ds:[40A0BC] 0043B0C0 8B4E 10 mov ecx,dword ptr ds:[esi+10] 0043B0C3 50 push eax 0043B0C4 B8 F9FB4100 mov eax,NgaMy.0041FBF9 0043B0C9 8910 mov dword ptr ds:[eax],edx 0043B0CB 58 pop eax 0043B0CC FF35 F9FB4100 push dword ptr ds:[41FBF9] 0043B0D2 56 push esi 0043B0D3 C70424 ACDE4000 mov dword ptr ss:[esp],NgaMy.0040DEAC 0043B0DA 8B1424 mov edx,dword ptr ss:[esp] 0043B0DD 8F05 ADFD4100 pop dword ptr ds:[41FDAD] 0043B0E3 890A mov dword ptr ds:[edx],ecx 0043B0E5 90 nop 0043B0E6 90 nop 0043B0E7 60 pushad 0043B0E8 E8 01000000 call NgaMy.0043B0EE ;//F4到這里,然后ESP?
68 C5 FD 41 00 5B 8B 33 8B 1C 24 8F 05 A9 FC 41 00 89 3E 57 8F 05 F5 FE 41 00 FF 35 F5 FE 41 00 89 34 24 FF 15 BC A0 40 00 8B 4E 10 50 B8 F9 FB 41 00 89 10 58 FF 35 F9 FB 41 00 56 C7 04 24 AC DE 40 00 8B 14 24 8F 05 AD FD 41 00 89 0A
19.同樣復制pushad上面的代碼,清除硬件斷點,F4運行到pushad下面一行使用ESP定律,這次只要運行一次就好了
0043B9DA 8F05 29FE4100 pop dword ptr ds:[41FE29] ; //落腳點 0043B9E0 FF35 29FE4100 push dword ptr ds:[41FE29] 0043B9E6 5A pop edx 0043B9E7 8B46 04 mov eax,dword ptr ds:[esi+4] 0043B9EA A3 B8DE4000 mov dword ptr ds:[40DEB8],eax 0043B9EF 8B56 08 mov edx,dword ptr ds:[esi+8] 0043B9F2 52 push edx 0043B9F3 8F05 3DFD4100 pop dword ptr ds:[41FD3D] 0043B9F9 FF35 3DFD4100 push dword ptr ds:[41FD3D] 0043B9FF 8F05 BCDE4000 pop dword ptr ds:[40DEBC] 0043BA05 8B76 0C mov esi,dword ptr ds:[esi+C] 0043BA08 81E6 FF7F0000 and esi,7FFF 0043BA0E 53 push ebx 0043BA0F BB 35FE4100 mov ebx,NgaMy.0041FE35 0043BA14 8933 mov dword ptr ds:[ebx],esi 0043BA16 5B pop ebx 0043BA17 FF35 35FE4100 push dword ptr ds:[41FE35] 0043BA1D 8F05 B0DE4000 pop dword ptr ds:[40DEB0] 0043BA23 90 nop 0043BA24 90 nop 0043BA25 60 pushad 0043BA26 E8 01000000 call NgaMy.0043BA2C ;//F4到這里,然后ESP?
8F 05 29 FE 41 00 FF 35 29 FE 41 00 5A 8B 46 04 A3 B8 DE 40 00 8B 56 08 52 8F 05 3D FD 41 00 FF 35 3D FD 41 00 8F 05 BC DE 40 00 8B 76 0C 81 E6 FF 7F 00 00 53 BB 35 FE 41 00 89 33 5B FF 35 35 FE 41 00 8F 05 B0 DE 40 00
20.落腳點是一個大跳轉,F8單步跟一次
0043BE77 /EB 01 jmp short NgaMy.0043BE7A ;//落腳點 0043BE79 |E8 FF25BCBE call BEFFE47D 0043BE7E 43 inc ebx 0043BE7F 0060 E8 add byte ptr ds:[eax-18],ah 0043BE82 0000 add byte ptr ds:[eax],al 0043BE84 0000 add byte ptr ds:[eax],al 0043BE86 5E pop esi 0043BE87 83EE 06 sub esi,6 0043BE8A B9 66000000 mov ecx,66 0043BE8F 29CE sub esi,ecx 0043BE91 BA 8A261D6A mov edx,6A1D268A 0043BE96 C1E9 02 shr ecx,2 0043BE99 83E9 02 sub ecx,2 0043BE9C 83F9 00 cmp ecx,0?
21.程序來到這里,這就是跳向假的OEP的地方了
0043BE7A - FF25 BCBE4300 jmp dword ptr ds:[43BEBC] ; //跳到假的OEP?
22.把被抽取的代碼整合一下
89 15 F5 FD 41 00 FF 35 F5 FD 41 00 8F 05 2D FE 41 00 FF 35 2D FE 41 00 C7 04 24 60 00 00 00 56 89 0C 24 68 8D FD 41 00 59 89 19 8B 0C 24 8F 05 AD FE 41 00 FF 35 8D FD 41 00 C7 04 24 48 A2 40 00 89 05 B9 FD 41 00 FF 35 B9 FD 41 00 68 1D FD 41 00 58 89 30 8F 05 79 FC 41 00 8B 05 79 FC 41 00 FF 35 1D FD 41 00 56 89 1C 24 C7 04 24 38 3D 40 00 8B 34 24 8F 05 A5 FE 41 00 89 05 01 FF 41 00 FF 35 01 FF 41 00 89 1C 24 56 C7 04 24 45 FE 41 00 8F 05 31 FE 41 00 8B 1D 31 FE 41 00 89 33 8F 05 39 FC 41 00 FF 35 39 FC 41 00 5B 8F 05 09 FE 41 00 89 1D 21 FC 41 00 FF 35 21 FC 41 00 C7 05 19 FC 41 00 09 FE 41 00 8B 1D 19 FC 41 00 8B 33 8F 05 FD FB 41 00 8B 1D FD FB 41 00 FF 15 45 FE 41 00 89 0D B1 FD 41 00 FF 35 B1 FD 41 00 8F 05 B5 FC 41 00 FF 35 B5 FC 41 00 56 BE FD FC 41 00 89 3E 5E FF 35 FD FC 41 00 68 94 00 00 00 8F 05 E5 FC 41 00 FF 35 E5 FC 41 00 5F 89 3D 3D FE 41 00 FF 35 3D FE 41 00 8B 0C 24 8F 05 7D FE 41 00 8B 3C 24 8F 05 79 FD 41 00 89 35 25 FC 41 00 FF 35 25 FC 41 00 89 0C 24 8B 3C 24 8F 05 B9 FC 41 00 8F 05 19 FE 41 00 89 05 89 FD 41 00 FF 35 89 FD 41 00 57 BF 19 FE 41 00 8B C7 5F 8B 08 8F 05 95 FC 41 00 8B 05 95 FC 41 00 53 8F 05 5D FE 41 00 FF 35 5D FE 41 00 89 0C 24 89 3D 91 FE 41 00 FF 35 91 FE 41 00 8F 05 81 FC 41 00 89 1D 89 FE 41 00 FF 35 89 FE 41 00 68 81 FC 41 00 5B 8B 0B 8F 05 C9 FC 41 00 8B 1D C9 FC 41 00 57 89 04 24 89 0C 24 8B 04 24 8F 05 D5 FD 41 00 8B 0C 24 8F 05 4D FC 41 00 50 89 14 24 8F 05 BD FE 41 00 FF 35 BD FE 41 00 51 B9 DD FD 41 00 89 39 59 FF 35 DD FD 41 00 C7 05 A9 FE 41 00 60 55 40 00 FF 35 A9 FE 41 00 8B 3C 24 8F 05 95 FD 41 00 89 1D 29 FD 41 00 FF 35 29 FD 41 00 8B DF 8B D3 5B 8F 05 E9 FE 41 00 8B 3D E9 FE 41 00 52 89 1C 24 68 9D FE 41 00 5B 89 13 8B 1C 24 8F 05 49 FE 41 00 8B 14 24 8F 05 69 FD 41 00 FF 15 9D FE 41 00 89 65 E8 89 25 C5 FD 41 00 89 1D 21 FD 41 00 FF 35 21 FD 41 00 68 C5 FD 41 00 5B 8B 33 8B 1C 24 8F 05 A9 FC 41 00 89 3E 57 8F 05 F5 FE 41 00 FF 35 F5 FE 41 00 89 34 24 FF 15 BC A0 40 00 8B 4E 10 50 B8 F9 FB 41 00 89 10 58 FF 
35 F9 FB 41 00 56 C7 04 24 AC DE 40 00 8B 14 24 8F 05 AD FD 41 00 89 0A 8F 05 29 FE 41 00 FF 35 29 FE 41 00 5A 8B 46 04 A3 B8 DE 40 00 8B 56 08 52 8F 05 3D FD 41 00 FF 35 3D FD 41 00 8F 05 BC DE 40 00 8B 76 0C 81 E6 FF 7F 00 00 53 BB 35 FE 41 00 89 33 5B FF 35 35 FE 41 00 8F 05 B0 DE 40 00
23.使用工具新建一個區段,ximo教程中使用的是topo.exe,打開該工具,瀏覽選中剛剛脫殼后的程序,然后數一下整合好的字節數,將字節數填入工具中(最好自己估摸著輸入一個大于整合好代碼字節數的數字),單擊執行,執行完之后記錄下工具中顯示的內存地址,這個地址就是新增區段的起始地址
記錄下的地址:0043E000
24.OD載入經topo處理過的新程序,載入后跟隨表達式,地址填寫記錄下的地址,也就是“0043E000”。跟隨過去之后將整合好的代碼粘貼到OD中nop的位置上去。
25.然后在粘貼好的代碼下面一行輸入匯編命令“jmp 0040305C”,這個地址也就是假的OEP地址。這些操作都做完之后保存文件(選中這些新增代碼—右鍵—復制到可執行文件—選擇部分—右鍵—保存文件)
26.文件保存好后還需要進行最后一步,就是用loadPE打開保存好的文件,把入口點改為0043E000-00400000也就是3E000(要減去00400000,是因為PE頭中的入口點字段存放的是相對映像基址00400000的RVA,而不是OD里看到的虛擬地址),改完后記得保存一下。至此這個殼就算脫掉了。雖然使用peid查殼查不出來,但是確確實實是脫掉了。
轉載于:https://www.cnblogs.com/JianXu/p/5158367.html