Shenyang on-site computer repair service 13889116605
delphi:
55             PUSH EBP
8BEC           MOV EBP,ESP
83C4F0         ADD ESP,-10
B8A86F4B00     MOV EAX,PE.004B6FA8
vc++:
55             PUSH EBP
8BEC           MOV EBP,ESP
83EC44         SUB ESP,44
56             PUSH ESI
vc6.0:
55             push ebp
8BEC           mov ebp,esp
6AFF           push -1
vc7.0:
6A70           push 70
6850110001     push hh.01001150
E81D020000     call hh.010017B0
33DB           xor ebx,ebx
vb:
00401166  -  FF256C104000   JMP DWORD PTR DS:[<&MSVBVM60.#100>]    ; MSVBVM60.ThunRTMain
0040116C  >  68147C4000     PUSH PACKME.00407C14
00401171     E8F0FFFFFF     CALL <JMP.&MSVBVM60.#100>
00401176     0000           ADD BYTE PTR DS:[EAX],AL
00401178     0000           ADD BYTE PTR DS:[EAX],AL
0040117A     0000           ADD BYTE PTR DS:[EAX],AL
0040117C     3000           XOR BYTE PTR DS:[EAX],AL
bc++:
0040163C >$  EB10           JMP SHORT BCLOCK.0040164E
0040163E  |  66             DB 66                                  ; CHAR 'f'
0040163F  |  62             DB 62                                  ; CHAR 'b'
00401640  |  3A             DB 3A                                  ; CHAR ':'
00401641  |  43             DB 43                                  ; CHAR 'C'
00401642  |  2B             DB 2B                                  ; CHAR '+'
00401643  |  2B             DB 2B                                  ; CHAR '+'
00401644  |  48             DB 48                                  ; CHAR 'H'
00401645  |  4F             DB 4F                                  ; CHAR 'O'
00401646  |  4F             DB 4F                                  ; CHAR 'O'
00401647  |  4B             DB 4B                                  ; CHAR 'K'
00401648  |  90             NOP
00401649  |  E9             DB E9
0040164A .|  98E04E00       DD OFFSET BCLOCK.___CPPdebugHook
0040164E >\  A18BE04E00     MOV EAX,DWORD PTR DS:[4EE08B]
00401653  .  C1E002         SHL EAX,2
00401656  .  A38FE04E00     MOV DWORD PTR DS:[4EE08F],EAX
0040165B  .  52             PUSH EDX
0040165C  .  6A00           PUSH 0                                 ; /pModule = NULL
0040165E  .  E8DFBC0E00     CALL <JMP.&KERNEL32.GetModuleHandleA>  ; \GetModuleHandleA
00401663  .  8BD0           MOV EDX,EAX
dasm:
00401000 >/$ 6A00           PUSH 0                                 ; /pModule = NULL
00401002 |.  E8C50A0000     CALL <JMP.&KERNEL32.GetModuleHandleA>  ; \GetModuleHandleA
00401007 |.  A30C354000     MOV DWORD PTR DS:[40350C],EAX
0040100C |.  E8B50A0000     CALL <JMP.&KERNEL32.GetCommandLineA>   ; [GetCommandLineA
00401011 |.  A310354000     MOV DWORD PTR DS:[403510],EAX
00401016 |.  6A0A           PUSH 0A                                ; /Arg4 = 0000000A
00401018 |.  FF3510354000   PUSH DWORD PTR DS:[403510]             ; |Arg3 = 00000000
0040101E |.  6A00           PUSH 0                                 ; |Arg2 = 00000000
00401020 |.  FF350C354000   PUSH DWORD PTR DS:[40350C]             ; |Arg1 = 00000000
++++++++++++++++++++++++++++++++
Having read this far, you will be asking: so how do we forge one of these? A brief walkthrough:
1. Use ToPo to add roughly 128 bytes of space to the file [note: the exact size is personal preference].
2. Open Target.exe in LordPE's PE Editor,
and rename the added .topo0 section to .text so the disguise looks more convincing [note: you can also personalise it with your own name; it does not affect the result].
Note the section's VOffset, 13000, and set the entry point to that value. Load Target.exe in OllyDbg: bang, we land on an exception, because the new section holds no real code yet.
Scroll up to 413000 (image base 400000 plus RVA 13000) and write the following code there:
++++++++++++++++++++++++++++++++
Forging the VC++ entry-point code signature
++++++++++++++++++++++++++++++++
push ebp                 ; same opening bytes as the vc6.0 entry above: 55 8B EC 6A FF
mov ebp,esp
push -1
push 666666              ; filler immediates; the real VC6 CRT pushes its scope table and __except_handler3 here
push 888888
mov eax,fs:[0]           ; imitate the SEH frame registration the VC6 CRT startup performs
push eax
mov fs:[0],esp
+++++++++++++++ now undo all of it +++++++++++++++
pop eax                  ; the old fs:[0]
mov fs:[0],eax           ; put the original SEH chain head back
pop eax                  ; discard 888888
pop eax                  ; discard 666666
pop eax                  ; discard -1
pop eax                  ; the ebp saved by the first push
mov ebp,eax              ; ebp and esp are now exactly as they were on entry
Don't forget the final jmp 405000, which is the packer's (shell's) own entry point, so the stub changes nothing about how the program runs. Select the modified code, right-click, and save it as newTarget.exe.
Check it with PEiD: Microsoft Visual C++, and the program still runs normally. Mission accomplished.
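As an added example that is not part of the original post, the Python below does in code what the walkthrough does by hand in OllyDbg: it hand-assembles the stub above (the same instructions, with the E9 rel32 jump computed for a stub at 413000 and a packer entry at 405000) and then runs an entry-point-only signature match of the kind PEiD performs, first over a constructed packed-file entry and then over the stub. The signature patterns are written from the entry-point listings on this page and from the VC6 CRT prologue; they are this example's own approximations, not copied from PEiD's userdb, and the UPX-like "packed" entry bytes are constructed for the demo.

```python
import struct

# ---- 1. Entry-point-only signatures of the kind shown in the listings above ----
# Written PEiD-style: "??" is a wildcard byte. Derived from this page's listings
# and the VC6 CRT prologue, not from any scanner's database (an assumption of
# this example), so treat them as illustrative.
def parse_sig(text):
    """'55 8B EC ??' -> [0x55, 0x8B, 0xEC, None]"""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]

EP_SIGS = {
    "Microsoft Visual C++ 6.0":
        parse_sig("55 8B EC 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? "
                  "64 A1 00 00 00 00 50 64 89 25 00 00 00 00"),
    "Borland Delphi":
        parse_sig("55 8B EC 83 C4 F0 B8 ?? ?? ?? ??"),
    "Microsoft Visual Basic 6.0":
        parse_sig("68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 00 00 00 00 00 00 30 00"),
    "MASM32":
        parse_sig("6A 00 E8 ?? ?? ?? ?? A3 ?? ?? ?? ?? E8"),
    "UPX-style pushad stub":   # constructed approximation of a pushad/mov esi/lea edi opener
        parse_sig("60 BE ?? ?? ?? ?? 8D BE"),
}

def match_sig(ep_bytes, sig):
    """ep_only match: every non-wildcard signature byte must equal the byte at the EP."""
    if len(ep_bytes) < len(sig):
        return False
    return all(s is None or s == b for s, b in zip(sig, ep_bytes))

def identify(ep_bytes):
    """First signature that matches the bytes at the entry point, or 'unknown'."""
    for name, sig in EP_SIGS.items():
        if match_sig(ep_bytes, sig):
            return name
    return "unknown"

# ---- 2. The fake VC++ prologue from the walkthrough, hand-assembled ----
FAKE_VC_PROLOGUE = bytes.fromhex(
    "55"                # push ebp
    "8BEC"              # mov ebp,esp
    "6AFF"              # push -1
    "6866666600"        # push 666666   (filler immediate from the walkthrough)
    "6888888800"        # push 888888   (filler immediate from the walkthrough)
    "64A100000000"      # mov eax,fs:[0]
    "50"                # push eax
    "64892500000000"    # mov fs:[0],esp
)
UNDO = bytes.fromhex(
    "58"                # pop eax          ; old fs:[0]
    "64A300000000"      # mov fs:[0],eax   ; restore the SEH chain head
    "58585858"          # pop eax x4       ; 888888, 666666, -1, then the saved ebp
    "8BE8"              # mov ebp,eax      ; ebp back to its entry value
)

def assemble_stub(stub_va, packer_ep_va):
    """Bytes to write at stub_va; ends with 'jmp packer_ep_va' encoded as E9 rel32."""
    body = FAKE_VC_PROLOGUE + UNDO
    jmp_va = stub_va + len(body)
    rel32 = packer_ep_va - (jmp_va + 5)          # relative to the end of the 5-byte jmp
    return body + b"\xE9" + struct.pack("<i", rel32)

# Constructed stand-in for the packer's entry code at 00405000 in Target.exe
# (UPX-like pushad opener). Not taken from any real file.
PACKED_EP_BYTES = bytes.fromhex("60BE00B040008DBE0060FFFF5783CDFF")

STUB_VA, PACKER_EP_VA = 0x00413000, 0x00405000   # values from the walkthrough

def demo():
    """What an EP-only scan reports before and after the stub is installed."""
    stub = assemble_stub(STUB_VA, PACKER_EP_VA)
    return {
        "before": identify(PACKED_EP_BYTES),
        "after": identify(stub),
        "stub_len": len(stub),
        "jmp": stub[-5:].hex(),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The stub bytes are what gets typed at 413000; ToPo and LordPE still supply the executable section and the entry-point change. The trick only defeats scanners that look at the first bytes of the entry point (PEiD's default scan); a deep scan of the whole file, the packer's section layout and entropy, and a nearly empty import table still give the packer away.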