我一直在努力扭转一个可以执行 delphi 的应用程序。所以我相信 PEiD 会告诉我有关该应用程序的真相,但不幸的是我发现了这些
Nothing found[overlay]*
然后我切换了 Kanal 插件,它检测到了加密签名
ADLER32
BASE64
BZIP2
CCITT-CRC16[word]
CRC(rev)
CRC32
CRC32b
CSS [table0]
FORK-256 [mixing]
MD5
SHA1[compress]
SHA-224[init]
SHA-256[mixing]
ZLIB deflate[word]
{big number}
所以就我而言,除了 Base64 之外,我从未拥有过这些
我所需要的只是在 PEiD 中显示其平台的应用程序,我该如何处理这种类型的压缩?-------------------------------------------------- ----------------------------------这就是我试图实现的这是我的两个按钮的 onclick 事件. 我希望在调用 @005A6DBD 之前 ESI 为 00000011,所以我试图更改 JNZ @005A6F44,但 ESI 变为 00000018,这是另一个按钮的事件。因此,当我单击 ESI 时,它现在是按钮(我的目标)变为 00000000,它只是执行调用 @005A6DBD 内的 Case switch Table 的默认值
005A6EC4 . 55 PUSH EBP ; programform buttonclick event
005A6EC5 . 8BEC MOV EBP,ESP
005A6EC7 . 83C4 F0 ADD ESP,-10
005A6ECA . 53 PUSH EBX
005A6ECB . 56 PUSH ESI ; AcroByte.<ModuleEntryPoint>
005A6ECC . 57 PUSH EDI ; AcroByte.<ModuleEntryPoint>
005A6ECD . 33C9 XOR ECX,ECX
005A6ECF . 894D FC MOV DWORD PTR SS:[EBP-4],ECX
005A6ED2 . 8BDA MOV EBX,EDX ; ntdll.KiFastSystemCallRet
005A6ED4 . 33C0 XOR EAX,EAX
005A6ED6 . 55 PUSH EBP
005A6ED7 . 68 9C6F5A00 PUSH AcroByte.005A6F9C
005A6EDC . 64:FF30 PUSH DWORD PTR FS:[EAX]
005A6EDF . 64:8920 MOV DWORD PTR FS:[EAX],ESP
005A6EE2 . 33C0 XOR EAX,EAX
005A6EE4 . 55 PUSH EBP
005A6EE5 . 68 7C6F5A00 PUSH AcroByte.005A6F7C
005A6EEA . 64:FF30 PUSH DWORD PTR FS:[EAX]
005A6EED . 64:8920 MOV DWORD PTR FS:[EAX],ESP
005A6EF0 . C745 F4 0C000000 MOV DWORD PTR SS:[EBP-C],0C
005A6EF7 . 8BC3 MOV EAX,EBX
005A6EF9 . 8B15 30D24600 MOV EDX,DWORD PTR DS:[46D230] ; AcroByte.0046D288
005A6EFF . E8 A8F1E5FF CALL AcroByte.004060AC
005A6F04 . 8B50 08 MOV EDX,DWORD PTR DS:[EAX+8]
005A6F07 . 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
005A6F0A . E8 D50DE6FF CALL AcroByte.00407CE4
005A6F0F . 6945 F4 7C1B0900 IMUL EAX,DWORD PTR SS:[EBP-C],91B7C
005A6F16 . 8B04C5 08D25F00 MOV EAX,DWORD PTR DS:[EAX*8+5FD208]
005A6F1D . 85C0 TEST EAX,EAX
005A6F1F . 7C 51 JL SHORT AcroByte.005A6F72
005A6F21 . 40 INC EAX
005A6F22 . 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX
005A6F25 . C745 F8 00000000 MOV DWORD PTR SS:[EBP-8],0
005A6F2C . BB 08D25F00 MOV EBX,AcroByte.005FD208
005A6F31 > 6975 F4 7C1B0900 IMUL ESI,DWORD PTR SS:[EBP-C],91B7C
005A6F38 . 8B44F3 04 MOV EAX,DWORD PTR DS:[EBX+ESI*8+4]
005A6F3C . 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
005A6F3F . E8 6C17E6FF CALL AcroByte.004086B0 ;call @UStrEqual( cmp eax,edx inside the call)
005A6F44 . 75 1E JNZ SHORT AcroByte.005A6F64 ; this jump
005A6F46 . 8B44F3 08 MOV EAX,DWORD PTR DS:[EBX+ESI*8+8]
005A6F4A . 85C0 TEST EAX,EAX
005A6F4C . 7C 16 JL SHORT AcroByte.005A6F64
005A6F4E . 40 INC EAX
005A6F4F . 89C6 MOV ESI,EAX
005A6F51 . 33FF XOR EDI,EDI ; AcroByte.<ModuleEntryPoint>
005A6F53 > 8BCF MOV ECX,EDI ; AcroByte.<ModuleEntryPoint>
005A6F55 . 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8] ; sets the value to EDX(important)
005A6F58 . 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
005A6F5B . E8 E8EFFFFF CALL AcroByte.005A5F48
005A6F60 . 47 INC EDI ; AcroByte.<ModuleEntryPoint>
005A6F61 . 4E DEC ESI ; AcroByte.<ModuleEntryPoint>
005A6F62 .^ 75 EF JNZ SHORT AcroByte.005A6F53
005A6F64 > FF45 F8 INC DWORD PTR SS:[EBP-8] ; AcroByte.015C2BD4
005A6F67 . 81C3 ACB80000 ADD EBX,0B8AC
005A6F6D . FF4D F0 DEC DWORD PTR SS:[EBP-10]
005A6F70 .^ 75 BF JNZ SHORT AcroByte.005A6F31
005A6F72 > 33C0 XOR EAX,EAX
005A6F74 . 5A POP EDX ; user32.7500925A
005A6F75 . 59 POP ECX ; user32.7500925A
005A6F76 . 59 POP ECX ; user32.7500925A
005A6F77 . 64:8910 MOV DWORD PTR FS:[EAX],EDX ; ntdll.KiFastSystemCallRet
005A6F7A . EB 0A JMP SHORT AcroByte.005A6F86
005A6F7C .^ E9 CBFCE5FF JMP AcroByte.00406C4C
005A6F81 . E8 1E01E6FF CALL AcroByte.004070A4
005A6F86 > 33C0 XOR EAX,EAX
005A6F88 . 5A POP EDX ; user32.7500925A
005A6F89 . 59 POP ECX ; user32.7500925A
005A6F8A . 59 POP ECX ; user32.7500925A
005A6F8B . 64:8910 MOV DWORD PTR FS:[EAX],EDX ; ntdll.KiFastSystemCallRet
005A6F8E . 68 A36F5A00 PUSH AcroByte.005A6FA3
005A6F93 > 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
005A6F96 . E8 4109E6FF CALL AcroByte.004078DC
005A6F9B . C3 RETN
===========================================================================================================================================================================the folowing is just piece only to show whats happening before the call cause the Whole repeat the same thing
005A6D6D . 53 PUSH EBX ; AcroByte.03CA2088
005A6D6E . 69DA 2B2E0000 IMUL EBX,EDX,2E2B
005A6D74 . 69F8 7C1B0900 IMUL EDI,EAX,91B7C
005A6D7A . 8D3CFD 08D25F00 LEA EDI,DWORD PTR DS:[EDI*8+5FD208]
005A6D81 . FF749F 04 PUSH DWORD PTR DS:[EDI+EBX*4+4]
005A6D85 . 69DA 2B2E0000 IMUL EBX,EDX,2E2B
005A6D8B . 69F8 7C1B0900 IMUL EDI,EAX,91B7C
005A6D91 . 8D3CFD 08D25F00 LEA EDI,DWORD PTR DS:[EDI*8+5FD208]
005A6D98 . 8D1C9F LEA EBX,DWORD PTR DS:[EDI+EBX*4]
005A6D9B . 53 PUSH EBX ; AcroByte.03CA2088
005A6D9C . 5B POP EBX ; AcroByte.03CA2088
005A6D9D . FF74B3 0C PUSH DWORD PTR DS:[EBX+ESI*4+C]
005A6DA1 . 69D2 2B2E0000 IMUL EDX,EDX,2E2B
005A6DA7 . 69C0 7C1B0900 IMUL EAX,EAX,91B7C
005A6DAD . 8D04C5 08D25F00 LEA EAX,DWORD PTR DS:[EAX*8+5FD208]
005A6DB4 . 8D0490 LEA EAX,DWORD PTR DS:[EAX+EDX*4]
005A6DB7 . 8B4CB0 10 MOV ECX,DWORD PTR DS:[EAX+ESI*4+10]
005A6DBB . 5A POP EDX
005A6DBC . 58 POP EAX
005A6DBD . E8 E6D1FFFF CALL AcroByte.005A3FA8 ; call the function that does the job
005A6DC2 . 33C0 XOR EAX,EAX
为了更好地理解呼叫@005A6F3F 转到
Cmp,eax.edx; Eax=1E37BEE4 Unicode _27, Edx=1E37B68C Unicode _27
JE 004086E4;Jumps to retn
Test eax,edx
JE 004086DA; jumps to another bitwise AND
这就是我好奇的地方!!!