</span>
<p> <span class="p9"><font face="Times New Roman" color="#000000">0137:0043D110 JMP 0043D122 </font>
<font face="Times New Roman" color="#000000">jumps into the decompression routine</font> </span></p>
<p> <span class="p9"><font face="Times New Roman" color="#000000">So we write down its machine code straight away:</font> </span></p>
<p> <span class="p9"><font face="Times New Roman" color="#000000">EB,10</font>
</span></p>
<p> <span class="p9"><font face="Times New Roman" color="#000000">The second one is:</font> </span></p>
<p> <span class="p9"><font face="Times New Roman" color="#000000">0137:0043D255 E9D6A1FDFF JMP 00417430 </font>
<font face="Times New Roman" color="#000000">this is the program's real entry point</font> </span></p>
<p> <span class="p9"><font face="Times New Roman" color="#000000">Its machine code is:</font> </span></p>
<p> <span class="p9"><font face="Times New Roman" color="#000000">E9,D6,A1,FD,FF</font>
</span></p>
<p> </p>
<p> <span class="p9"><font face="Times New Roman" color="#000000">OK, we have now found everything we need to find, so let's start writing the unpacking extension for UPX0.82.</font>
</span></p>
<p> <span class="p9"><font face="Times New Roman" color="#000000">Specifically, what I wrote is the following:</font> </span></p>
<p> <span class="p9"><font face="Times New Roman" color="#000000">[UPX0.7X-0.8X]</font>
</span></p>
<p> <span class="p9"><font face="Times New Roman" color="#000000">L1=OBJR ;</font>
<font face="Times New Roman" color="#000000">set the initial memory address at the start of the scan</font> </span></p>
<p> <span class="p9"><font face="Times New Roman" color="#000000">L2=LOOK EB,10 ;</font>
<font face="Times New Roman" color="#000000">find the first occurrence of the code bytes EB,10 (the short JMP into the decompressor)</font> </span></p>
<p> <span class="p9"><font face="Times New Roman" color="#000000">L3=BP ;</font>
<font face="Times New Roman" color="#000000">set a breakpoint at the current memory location</font> </span></p>
<p> <span class="p9"><font face="Times New Roman" color="#000000">L4=WALK ;</font>
<font face="Times New Roman" color="#000000">hand control back to Procdump and execute the next instruction</font> </span></p>
<p> <span class="p9"><font face="Times New Roman" color="#000000">L5=OBJR ;</font>
<font face="Times New Roman" color="#000000">reset the initial memory address at the start of the scan</font> </span></p>
<p> <span class="p9"><font face="Times New Roman" color="#000000">L6=LOOK 61,E9 ;</font>
<font face="Times New Roman" color="#000000">find the first occurrence of the code bytes 61,E9 (POPAD followed by the JMP to the real entry point)</font> </span></p>
<p> <span class="p9"><font face="Times New Roman" color="#000000">L7=BP ;</font>
<font face="Times New Roman" color="#000000">set a breakpoint at the current memory location</font> </span></p>
<p> <span class="p9"><font face="Times New Roman" color="#000000">L8=STEP ;</font>
<font face="Times New Roman" color="#000000">trace and analyse the program step by step from here</font> </span></p>
<p> </p>
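<p> <span class="p9"><font face="Times New Roman" color="#000000">As an added illustration, not code from the original article or from Procdump itself, the following Python decodes the two jumps quoted above and replays the script's two LOOK scans over a constructed stand-in for the stub's memory image. The filler bytes between the two instructions, the names look / jmp_target / find_oep, and the assumption that LOOK returns the first forward match are the example's own; only the two instructions and their addresses come from the listing above.</font> </span></p>

```python
# Added example (not from the original KanXue article, not Procdump's code).
# Shows why the script can recover the original entry point (OEP) from the
# byte patterns EB 10 and 61 E9, and how an x86 JMP displacement resolves.
import struct

def jmp_target(addr, code):
    """Destination of a JMP encoded at virtual address `addr`.

    EB rel8  : short jump, target = addr + 2 + sign-extended rel8
    E9 rel32 : near jump,  target = addr + 5 + sign-extended rel32
    The displacement is relative to the END of the instruction, which is why
    the backward jump E9 D6 A1 FD FF to the OEP carries a negative rel32.
    """
    opcode = code[0]
    if opcode == 0xEB:
        rel = struct.unpack_from("<b", code, 1)[0]
        return (addr + 2 + rel) & 0xFFFFFFFF
    if opcode == 0xE9:
        rel = struct.unpack_from("<i", code, 1)[0]
        return (addr + 5 + rel) & 0xFFFFFFFF
    raise ValueError("not a JMP rel8/rel32 opcode: %02X" % opcode)

def look(image, base, pattern, start=0):
    """Emulate the script's LOOK command (assumed semantics: forward scan,
    first match). Returns the virtual address of `pattern` or None."""
    off = image.find(bytes(pattern), start)
    return None if off < 0 else base + off

def find_oep(image, base):
    """Follow the script's logic on a static image: locate EB 10 (the jump
    into the decompressor), then the POPAD;JMP pair 61 E9 after it, and
    resolve that JMP to get the real entry point."""
    first = look(image, base, [0xEB, 0x10])
    if first is None:
        raise LookupError("no EB 10 in stub")
    # resume the second scan past the first jump, as the script's second OBJR/LOOK does
    popad_jmp = look(image, base, [0x61, 0xE9], first - base + 2)
    if popad_jmp is None:
        raise LookupError("no 61 E9 after the first jump")
    jmp_va = popad_jmp + 1            # skip POPAD (61); E9 sits at the next byte
    off = jmp_va - base
    return jmp_target(jmp_va, image[off:off + 5])

# Constructed stand-in for the stub region starting at 0137:0043D110.
# Everything except the two quoted instructions is NOP filler (assumption).
STUB_BASE = 0x0043D110
_buf = bytearray(b"\x90" * 0x14A)
_buf[0x000:0x002] = b"\xEB\x10"                   # 0043D110: JMP 0043D122
_buf[0x144:0x14A] = b"\x61\xE9\xD6\xA1\xFD\xFF"   # 0043D254: POPAD ; 0043D255: JMP 00417430
STUB = bytes(_buf)

if __name__ == "__main__":
    print("first jump  -> %08X" % jmp_target(0x0043D110, b"\xEB\x10"))
    print("second jump -> %08X" % jmp_target(0x0043D255, b"\xE9\xD6\xA1\xFD\xFF"))
    print("OEP via LOOK scan -> %08X" % find_oep(STUB, STUB_BASE))
```

<p> <span class="p9"><font face="Times New Roman" color="#000000">In the real run the scan happens inside the live process, which is why the script sets a breakpoint on each match and lets the program continue (BP, WALK) instead of dumping at once: the sections have to be decompressed in memory before the dump is taken, and the POPAD;JMP is the last stub instruction before the original code executes.</font> </span></p>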
<span class="p9"><font face="Times New Roman" color="#000000">OK, the explanation above is clear enough and nothing should be left in doubt. Save the file and run Procdump1.50 again: under Choose Unpacker there is now an extra UPX0.7X-0.8X entry. Select it and unpack the program we packed. Ha, it asks us to save. Don't celebrate too early, though: try running the dumped program. Oh, it will not run: illegal operation. No need to panic, it seems there is still something we have to add, namely the optional parameters for the dump. Procdump1.50 gives us five groups of optional parameters; if you do not specify them, the defaults are used. So let's add them and try!</font>
</span>
<p> </p>
<p> <span class="p9"><font face="Times New Roman" color="#000000">OPTL1=00000000</font>
</span></p>
<p> <span class="p9"><font face="Times New Roman" color="#000000">OPTL2=01010001</font>
</span></p>
<p> <span class="p9"><font face="Times New Roman" color="#000000">OPTL3=01010001</font>
</span></p>
<p> <span class="p9"><font face="Times New Roman" color="#000000">OPTL4=00030000</font>
</span></p>
<p> <span class="p9"><font face="Times New Roman" color="#000000">OPTL5=00000000</font>
</span></p>
<p> </p>
<span class="p9"><font face="Times New Roman" color="#000000"> These five parameters are the most commonly used ones. Test a parameter before relying on it; it may simply work once added. So let's add them and try.</font></span>
<p> <span class="p9"><font face="Times New Roman" color="#000000">What follows may give different results on some machines; adjust it yourself as needed:</font>
</span></p>
<p> <span class="p9"><font face="Times New Roman" color="#000000">The author's machine is:</font> </span></p>
<p> <span class="p9"><font face="Times New Roman" color="#000000">Celeron 300A (overclocked to 450)</font> </span></p>
<p> <span class="p9"><font face="Times New Roman" color="#000000">64MB PC100 RAM</font> </span></p>
<span class="p9"><font face="Times New Roman" color="#000000">When I ran Procdump1.50 again to unpack the program, it simply ran straight through, not at all like last time when it prompted me to save the unpacked file. So I suspected that some of these parameters did not suit my machine, and after carefully working out what each parameter really means I changed them as follows:</font>
</span>
<p> </p>
<p> <span class="p9"><font face="Times New Roman" color="#000000">OPTL1=00000001 </font>
<font face="Times New Roman" color="#000000">this is the delay time; I set it to 1ms </font>
</span></p>
<p> <span class="p9"><font face="Times New Roman" color="#000000">OPTL2=01010101 </font>
<font face="Times New Roman" color="#000000">this selects the fast dump mode</font> </span></p>
<p> <span class="p9"><font face="Times New Roman" color="#000000">OPTL3=01010001</font>
</span></p>
<p> <span class="p9"><font face="Times New Roman" color="#000000">OPTL4=00030000</font>
</span></p>
<p> <span class="p9"><font face="Times New Roman" color="#000000">OPTL5=00000000</font>
</span></p>
<p> </p>
<span class="p9"><font face="Times New Roman" color="#000000">Running Procdump1.50 to unpack this time: ha!!! It unpacks. Double-click the unpacked file and, hey, it runs. Disassembling the file with Wdasm8.93 shows it is essentially the same as the original, only the file size differs a little (it is slightly larger). I tried the software's various functions and everything works normally, so the unpacking should be counted a success. The article could end here, but one thing seems to have been left out: using MakePe1.27 to further optimise the unpacked file. I will not describe that step by step; read its help and do it yourself!</font>
</span> <span class="p9"><font face="Times New Roman" color="#000000">OK, finally let's summarise!</font> </span>
<p> <span class="p9"><font face="Times New Roman" color="#000000">The complete entry to add:</font> </span></p>
<p> <span class="p9"><font face="Times New Roman" color="#000000">[UPX0.7X-0.8X]</font>
</span></p>
<p> <span class="p9"><font face="Times New Roman" color="#000000">L1=OBJR</font>
</span></p>
<p> <span class="p9"><font face="Times New Roman" color="#000000">L2=LOOK EB,10</font>
</span></p>
<p> <span class="p9"><font face="Times New Roman" color="#000000">L3=BP</font>
</span></p>
<p> <span class="p9"><font face="Times New Roman" color="#000000">L4=WALK</font>
</span></p>
<p> <span class="p9"><font face="Times New Roman" color="#000000">L5=OBJR</font>
</span></p>
<p> <span class="p9"><font face="Times New Roman" color="#000000">L6=LOOK 61,E9</font>
</span></p>
<p> <span class="p9"><font face="Times New Roman" color="#000000">L7=BP</font>
</span></p>
<p> <span class="p9"><font face="Times New Roman" color="#000000">L8=STEP</font>
</span></p>
<p> <span class="p9"><font face="Times New Roman" color="#000000">OPTL1=00000001</font>
</span></p>
<p> <span class="p9"><font face="Times New Roman" color="#000000">OPTL2=01010101</font>
</span></p>
<p> <span class="p9"><font face="Times New Roman" color="#000000">OPTL3=01010001</font>
</span></p>
<p> <span class="p9"><font face="Times New Roman" color="#000000">OPTL4=00030000</font>
</span></p>
<p> <span class="p9"><font face="Times New Roman" color="#000000">OPTL5=00000000</font>
</span></p>
<p> </p>
<p> <span class="p9"><font face="Times New Roman" color="#000000">By The Way</font>
<font face="宋体" color="#000000">!</font> </span></p>
<p> <span class="p9"><font face="Times New Roman" color="#000000">I have found that software packed with UPX0.7x through UPX0.8x can all be unpacked successfully with my method.</font> </span></p>
<p> </p>
<p> <span class="p9"><font face="Times New Roman" color="#000000">Author: Ru Feng</font>
</span></p>
<p> <span class="p9"><font face="Times New Roman" color="#000000">Email: ocq@163.net (do not email any software to this mailbox without the author's permission)</font> </span></p>
<p> <span class="p9"><font face="Times New Roman" color="#000000">Homepage (1): http://ocq.163.net (枫林居)</font> </span></p>
<p> <span class="p9"><font face="Times New Roman" color="#000000">Homepage (2): http://ocq.yeah.net (the coolest VB controls paradise)</font> </span></p>
<p> <span class="p9"><font face="Times New Roman" color="#000000">Homepage (3): http://ocqpat.163.net (my own work, mainly introducing the "Electronic Database" software)</font></span></p>
<p align="center"><a href="../Catalog.htm"><img src="../image/navtoc.gif" width="84" height="23" border="0"></a><a href="Chap8-3-2.htm"><img src="../image/Navprev.gif" width="80" height="23" border="0"></a><a href="Chap8-3-4.htm"><img src="../image/navnext.gif" width="83" height="23" border="0"></a></p>
<hr width=735>
<div align="center"><span class="p9"><font size="2"><span class="p9"><font size="2"><span class="p9">Copyright
© 2000-2001 <a href="http://www.pediy.com/">KanXue Studio</a> All Rights
Reserved.</span></font></span></font></span></div>
</body>
</html>