双进程脱壳分析(国外英语资料).docVIP

双进程脱壳分析(国外英语资料) Armadillo 3.78-4. Xx - Silicon Toolworks double process unshell analysis [quick!] Armadillo 3.78-4. Xx - Silicon Toolworks double process unshell analysis [quick!] PEID detection is Armadillo 3.78-4. Xx - Silicon Toolworks The OD loader comes in here: 0050F000 Ea 60 pushad 0050F001 E8call easydvdc.0050f006 0050F006 5D pop ebp 0050F007. 50 push eax 0050F008 51 push ecx 0050F009 0FCA bswap edx 0050F00B F7D2 not edx 0050F00D 9C pushfd 0050F00E F7D2 not edx 0050F010, 0FCA bswap edx 050f012 EB 0050F014, B9, B9, EBB80FEB 0050f0197 pop es 0050F01A B9 eb0eb mov ecx, EB900FEB 0050f08fd or ch, bh 050f021 EB 0050F023 F2: prefix repne: 0050 f024 ^ EB F5 JMP short EasyDVDC. 0050 f01b 0050 f026 ^ EB F6 JMP short EasyDVDC. 0050 f01e 0050F028 F2: prefix repne: ex.0050f029 0050F02B FD STD 0050 f02c ^ EB E9 JMP short EasyDVDC. 0050 f017 0050F02E F3: prefix rep: 0050 f02f ^ EB E4 JMP short EasyDVDC. 0050 f015 0050F031 FC CLD 0050f032-e9d0fc98b JMP 8C19FFD4 050f037 CA F7D1 retf 0D1F7 Alt + E Find EasyDVDConverter - right-click - view the name, and then find WriteProcessMemory - right-click - follow the import function in the disassembly window. 7C80220F ke BBBFF mov edi, edi 7C802211 55 push ebp 7C802212 8BEC mov ebp, esp / / here is the break point 7C802214 51 push ecx 7C802215 51 push ecx 7C802216 8B45 0C mov eax, dword PTR ss: [ebp + C] 7C802219 53 push ebx 7C80221A 8B5D 14 mov ebx, dword PTR ss: [ebp + 14] 7C80221D 56 push esi 7C80221E 8B35 B812807C mov esi, dword PTR ds: [ ntddll 7C802224 57 push edi 7C802225 8B7D 2008 mov edi, dword PTR ss: [ebp + 8] 7C802228 8945 F8 mov dword PTR ss: [ebp-8], eax 7C80222B 8d4514 lea eax, dword PTR ss: [ebp + 14] 7C80222E 50 push eax 7C80222F 6A 40 push 40 Shift + f9 runs after 7C802211 F2. Then Alt + f9 returns Back here: 004ee8a5/707-jo short easydvddc.004ee8ae Its 004EE8A7 004EE8A9，jmp，短时间，0。004 EE8B0 004EE8AB E8 74FBEBF9调用FA3AE424 004EE8B0 EB 5F jmp短EasyDVDC。004 EE911 004EE8B2 8D55，dword ptr ss:ebp-4 004 ee8b5 52