ASProtect SKE 2.4 0226 on Notepad (with figures)
Author:
Source: Hits: 150 Updated: 3/16/2009 9:27:23 AM
/* Options selected when protecting: Resources Protection, Preserve Extra Data, Anti-Debugger Protection, CheckSum Protection */

// Entry point:
00401000 > 68 01D04000      push 0040D001
00401005   E8 01000000      call 0040100B
0040100A   C3               retn
0040100B   C3               retn

// With every PhantOm option checked, press Ctrl+G and go to GetSystemTime, set a breakpoint with F2, then run the program with F9; after it has broken twice, clear the breakpoint and return to the caller.
7C80176F   8BFF             mov edi, edi                  // kernel32.GetSystemTime, F2 here
7C801771   55               push ebp
7C801772   8BEC             mov ebp, esp
7C801774   83EC 18          sub esp, 18
7C801777   A1 1800FE7F      mov eax, dword ptr [7FFE0018]

// Returns here
00AC2777   0FB745 F0        movzx eax, word ptr [ebp-10]
00AC277B   6BC0 3C          imul eax, eax, 3C
00AC277E   66:0345 F2       add ax, word ptr [ebp-E]
00AC2782   6BC0 3C          imul eax, eax, 3C
00AC2785   31D2             xor edx, edx
00AC2787   66:8B55 F4       mov dx, word ptr [ebp-C]
00AC278B   01D0             add eax, edx
00AC278D   69C0 E8030000    imul eax, eax, 3E8
00AC2793   66:8B55 F6       mov dx, word ptr [ebp-A]
00AC2797   01D0             add eax, edx
00AC2799   8905 3C30B000    mov dword ptr [B0303C], eax
00AC279F   8BE5             mov esp, ebp
00AC27A1   5D               pop ebp
00AC27A2   C3               retn                          // F2 here, F9 to run to it, then F8 to step back to the caller

// Returns here
00AE15D0   8BC7             mov eax, edi
00AE15D2   E8 39FAFFFF      call 00AE1010
00AE15D7   C747 18 FFFFFFF> mov dword ptr [edi+18], -1
00AE15DE   A1 482BB000      mov eax, dword ptr [B02B48]
00AE15E3   83C0 0D          add eax, 0D
00AE15E6   8947 0C          mov dword ptr [edi+C], eax
00AE15E9   33D2             xor edx, edx
.......
.......
00AE1683   83C4 0C          add esp, 0C
00AE1686   8BC7             mov eax, edi
00AE1688   5F               pop edi
00AE1689   5E               pop esi
00AE168A   5B               pop ebx
00AE168B   C3               retn                          // F2 on the retn at the end of the block, then F9, F8

// Returns here
00B00226   8B15 982BB000    mov edx, dword ptr [B02B98]
00B0022C   8902             mov dword ptr [edx], eax
00B0022E   A1 982BB000      mov eax, dword ptr [B02B98]
00B00233   8B00             mov eax, dword ptr [eax]
00B00235   E8 462BFEFF      call 00AE2D80
.......
.......
00B002C5   59               pop ecx
00B002C6   5A               pop edx
00B002C7   5B               pop ebx
00B002C8   C3               retn                          // F2 on the retn at the end of the block, then F9, F8

// Returns here...
00ACED60   68 A75915E2      push E21559A7
00ACED65   68 F0290000      push 29F0
00ACED6A   68 B4150200      push 215B4
00ACED6F   68 C0200000      push 20C0
00ACED74   68 9CCC0000      push 0CC9C
00ACED79   68 00500500      push 55000
00ACED7E   FF35 D434B000    push dword ptr [B034D4]
00ACED84   E8 23D1FFFF      call 00ACBEAC
00ACED89   310424           xor dword ptr [esp], eax
00ACED8C   8B05 D434B000    mov eax, dword ptr [B034D4]
00ACED92   010424           add dword ptr [esp], eax
00ACED95   C3               retn                          // F2 on the retn at the end of the block, then F9, F8

// Returns here...
00B002E0   68 9B311C0B      push 0B1C319B
00B002E5   68 E0020000      push 2E0
00B002EA   68 6C590100      push 1596C
00B002EF   68 5C140000      push 145C
00B002F4   68 80EE0300      push 3EE80
00B002F9   68 00500500      push 55000
00B002FE   FF35 D434B000    push dword ptr [B034D4]
00B00304   E8 01000000      call 00B0030A
00B00309   8183 C404E89A B> add dword ptr [ebx+9AE804C4], E8FFFC>
00B00313   0100             add dword ptr [eax], eax
00B00315   0000             add byte ptr [eax], al
00B00317   8183 C4043104 2> add dword ptr [ebx+43104C4], 1E824
00B00321   0000             add byte ptr [eax], al
00B00323   68 83C4048B      push 8B04C483
00B00328   05 D434B000      add eax, 0B034D4
00B0032D   E8 02000000      call 00B00334
00B00332   E8 6883C404      call 0574869F
00B00337   010424           add dword ptr [esp], eax
00B0033A   C3               retn                          // F2 on the retn at the end of the block, then F9, F8

00AFFC8A   E8 61F1FFFF      call 00AFEDF0                 // F2 on the call closest to the return point, then F9, F7
00AFFC8F   83C4 24          add esp, 24
00AFFC92   5F               pop edi
00AFFC93   5E               pop esi
00AFFC94   5B               pop ebx
00AFFC95   C3               retn
00AFFC96   8BC0             mov eax, eax
00AFFC98   E8 E7FEFFFF      call 00AFFB84                 // Returns here
00AFFC9D   C3               retn

00AFEDF0   BF 02DB4A00      mov edi, 4ADB02               // Arrive here, then single-step down to the return
00AFEDF5   337C24 28        xor edi, dword ptr [esp+28]
......
......
00AFEF17   037C24 18        add edi, dword ptr [esp+18]
00AFEF1B   C3               retn                          // Return point

01B70000   80F2 23          xor [
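The block that the GetSystemTime breakpoint returns to (00AC2777 to 00AC2799) is worth reading rather than just stepping over, because it tells you what the protector's timing check is built on. The words at ebp-10, ebp-E, ebp-C and ebp-A are read at the offsets of wHour, wMinute, wSecond and wMilliseconds of a SYSTEMTIME structure placed at ebp-18 (that placement is an inference from the offsets, not stated on the page), and the result stored at [B0303C] is therefore the number of milliseconds since midnight. The C below is an added reconstruction of that routine for analysis, not code from the original article or from ASProtect; the SYSTEMTIME layout is copied from the Win32 definition so it compiles without windows.h, and the sample time is constructed.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Win32 SYSTEMTIME: eight 16-bit words, 16 bytes. Offsets on the right show
 * where each field lands when the structure sits at ebp-18 (our assumption). */
typedef struct {
    uint16_t wYear;         /* +0            */
    uint16_t wMonth;        /* +2            */
    uint16_t wDayOfWeek;    /* +4            */
    uint16_t wDay;          /* +6            */
    uint16_t wHour;         /* +8  -> ebp-10 */
    uint16_t wMinute;       /* +A  -> ebp-E  */
    uint16_t wSecond;       /* +C  -> ebp-C  */
    uint16_t wMilliseconds; /* +E  -> ebp-A  */
} systemtime_t;

/* Literal translation of 00AC2777..00AC2799 (the value written to [B0303C]):
 *   eax = hour; eax *= 60; ax += minute; eax *= 60; eax += second;
 *   eax *= 1000; eax += milliseconds                                        */
uint32_t ms_since_midnight(const systemtime_t *st)
{
    uint32_t eax = st->wHour;               /* movzx eax, word ptr [ebp-10] */
    eax *= 0x3C;                            /* imul eax, eax, 3C            */
    /* 'add ax, word ptr [ebp-E]' is a 16-bit add: keep the upper half of
     * eax and let the low half wrap, exactly as the instruction does.      */
    uint16_t ax = (uint16_t)((uint16_t)eax + st->wMinute);
    eax = (eax & 0xFFFF0000u) | ax;
    eax *= 0x3C;                            /* imul eax, eax, 3C            */
    eax += st->wSecond;                     /* add eax, edx (dx = second)   */
    eax *= 0x3E8;                           /* imul eax, eax, 3E8           */
    eax += st->wMilliseconds;               /* add eax, edx (dx = ms)       */
    return eax;
}

/* Convenience wrapper: build the structure from the four fields the routine
 * actually reads and return the same value.                               */
uint32_t ms_hms(uint16_t hour, uint16_t minute, uint16_t second, uint16_t ms)
{
    systemtime_t st = {0, 0, 0, 0, hour, minute, second, ms};
    return ms_since_midnight(&st);
}

/* The same computation fed from raw stack bytes as a debugger dump shows
 * them (little-endian words), so the ebp-relative offsets become concrete.
 * The 16 bytes are a constructed sample encoding 2009-03-16, 13:45:30.250. */
uint32_t sample_stack_ms(void)
{
    const uint8_t raw[16] = {
        0xD9, 0x07,  /* wYear   = 2009 */
        0x03, 0x00,  /* wMonth  = 3    */
        0x01, 0x00,  /* wDayOfWeek     */
        0x10, 0x00,  /* wDay    = 16   */
        0x0D, 0x00,  /* wHour   = 13   */
        0x2D, 0x00,  /* wMinute = 45   */
        0x1E, 0x00,  /* wSecond = 30   */
        0xFA, 0x00   /* wMilliseconds = 250 */
    };
    systemtime_t st;
    memcpy(&st, raw, sizeof st);
    return ms_since_midnight(&st);
}

int main(void)
{
    /* Print the value the routine would store at [B0303C] for the sample. */
    printf("[B0303C] = %08X (%u ms since midnight)\n",
           sample_stack_ms(), sample_stack_ms());
    return 0;
}
```

Knowing that [B0303C] holds a millisecond-of-day counter explains why a breakpoint left set for a long time changes the protector's behaviour: any later comparison against this value sees the time spent stopped in the debugger, which is exactly what the PhantOm settings and the quick "break twice, then clear" instruction above are working around.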