首先用PEID檢測一下 
有殼wwPack32 經典殼,現在接觸的帶殼程序不多,上次直接脫殼軟件搞定,這次跟著教程手動搞了一下 首先單步調試找到跨段跳轉 
跳入之后下斷點(一般跳入之后就是程序開始的地方),但里面的沒有反匯編代碼,看著比較難受。 
首先脫殼 
脫殼之后打不開,我看有的題解上脫殼后可以打開···· 利用PEID查看什么程序編寫 
利用dede反編譯沒有什么成果,直接利用IDR分析Delphi
分析算法
0044A30C |. E8 FBA0FDFF CALL 3.0042440C ; name string0044A311 |. 8B45 FC MOV EAX,[LOCAL.1]0044A314 |. E8 EFD6FBFF CALL 3.00407A08 ; strtoint0044A319 |. 8BF0 MOV ESI,EAX0044A31B |. 8B45 FC MOV EAX,[LOCAL.1]0044A31E |. E8 5DD7FBFF CALL 3.00407A800044A323 |. 52 PUSH EDX0044A324 |. 50 PUSH EAX0044A325 |. 8BC6 MOV EAX,ESI0044A327 |. 99 CDQ0044A328 |. 030424 ADD EAX,DWORD PTR SS:[ESP] ; 0x7b + 0x7b0044A32B |. 135424 04 ADC EDX,DWORD PTR SS:[ESP+4]0044A32F |. 83C4 08 ADD ESP,80044A332 |. 52 PUSH EDX0044A333 |. 50 PUSH EAX0044A334 |. 8BC6 MOV EAX,ESI0044A336 |. 99 CDQ0044A337 |. 030424 ADD EAX,DWORD PTR SS:[ESP] ; 0x7b + 0xf60044A33A |. 135424 04 ADC EDX,DWORD PTR SS:[ESP+4]0044A33E |. 83C4 08 ADD ESP,80044A341 |. 52 PUSH EDX ; /Arg20044A342 |. 50 PUSH EAX ; |Arg10044A343 |. 8D55 F8 LEA EDX,[LOCAL.2] ; |0044A346 |. B8 06000000 MOV EAX,6 ; |0044A34B |. E8 78D6FBFF CALL 3.004079C8 ; /int to hex0044A350 |. 8B55 F8 MOV EDX,[LOCAL.2]0044A353 |. 8B83 CC020000 MOV EAX,DWORD PTR DS:[EBX+2CC]0044A359 |. E8 DEA0FDFF CALL 3.0042443C0044A35E |. 8D55 F4 LEA EDX,[LOCAL.3]0044A361 |. 8B83 CC020000 MOV EAX,DWORD PTR DS:[EBX+2CC]0044A367 |. E8 A0A0FDFF CALL 3.0042440C0044A36C |. 8B45 F4 MOV EAX,[LOCAL.3]0044A36F |. 50 PUSH EAX0044A370 |. 8D55 F0 LEA EDX,[LOCAL.4]0044A373 |. 8B83 F0020000 MOV EAX,DWORD PTR DS:[EBX+2F0]0044A379 |. E8 8EA0FDFF CALL 3.0042440C0044A37E |. 8B55 F0 MOV EDX,[LOCAL.4]0044A381 |. 58 POP EAX0044A382 >|. E8 6198FBFF CALL 3.00403BE8 ; strcmp寫出注冊機
s = '0x3e74984b'PRint int(s,16)/3
新聞熱點
疑難解答
