应用olldbg脱telock加壳之菜鸟篇

Target software: http://count.skycn.com/softdown.php?id=9987&;url=http://hndown.skycn.com/down/cookbookxchy.exe (go and look up the name yourself)
Size: 1380 KB
Platform: Win95/98/NT/2000/XP
Tools: OllyDbg 1.09 (Chinese localized build), peid8cn, Hex Workshop 4.0, PEditor, LordPE. Working platform: WinXP (on 98 it dies a miserable death)
Method: learning how to unpack
Disclaimer: this article is for study only; credit the source when reposting. The author bears no responsibility for what readers do after reading it.

Unpacking procedure:

1. Identify the packer and find the entry point

Open the main program in peid8cn. The result is tElock 0.98, entry point 5A172C (the key entry point is found with the OEP finder in the drop-down menu at PEiD's lower right).

2. Load the main program in OllyDbg

Click OK on the first dialog and No on the second. You arrive here:

  0064FBD6 >^E9 25E4FFFF      JMP cookbook.0064E000
  0064FBDB  0000            ADD BYTE PTR DS:[EAX],AL
  0064FBDD  003E            ADD BYTE PTR DS:[ESI],BH
  0064FBDF  4F              DEC EDI
  0064FBE0  BB B71EFC24      MOV EBX,24FC1EB7
  0064FBE5  0000            ADD BYTE PTR DS:[EAX],AL
  0064FBE7  0000            ADD BYTE PTR DS:[EAX],AL
  0064FBE9  0000            ADD BYTE PTR DS:[EAX],AL
  0064FBEB  0000            ADD BYTE PTR DS:[EAX],AL
  0064FBED  003E            ADD BYTE PTR DS:[ESI],BH
  0064FBEF  FC              CLD
  0064FBF0  24 00            AND AL,0
  0064FBF2  2E:FC            CLD                                      ; Superfluous prefix
  0064FBF4  24 00            AND AL,0
  0064FBF6  26:FC            CLD                                      ; Superfluous prefix
  0064FBF8  24 00            AND AL,0
  0064FBFA  0000            ADD BYTE PTR DS:[EAX],AL
  0064FBFC  0000            ADD BYTE PTR DS:[EAX],AL
  0064FBFE  0000            ADD BYTE PTR DS:[EAX],AL
  0064FC00  0000            ADD BYTE PTR DS:[EAX],AL
  0064FC02  4B              DEC EBX
  0064FC03  FC              CLD
  0064FC04  24 00            AND AL,0
  0064FC06  36:FC            CLD                                      ; Superfluous prefix
  0064FC08  24 00            AND AL,0
  0064FC0A  0000            ADD BYTE PTR DS:[EAX],AL
  0064FC0C  0000            ADD BYTE PTR DS:[EAX],AL

Press F9 to run, then Shift+F9 until execution stops here:

  0064EBA6  CD 68            INT 68                   // remember: do not step past this point, or things get unpleasant
  0064EBA8  66:05 7B0C      ADD AX,0C7B
  0064EBAC  66:48            DEC AX
  0064EBAE  74 55            JE SHORT cookbook.0064EC05
  0064EBB0  8D85 450B0000    LEA EAX,DWORD PTR SS:[EBP+B45]
  0064EBB6  894424 04        MOV DWORD PTR SS:[ESP+4],EAX
  0064EBBA  64:67:8926 0000  MOV DWORD PTR FS:[0],ESP
  0064EBC0  EB 1F            JMP SHORT cookbook.0064EBE1
  0064EBC2  CD20 8B642408    VxDCall 824648B
  0064EBC8  8B6C24 08        MOV EBP,DWORD PTR SS:[ESP+8]
  0064EBCC  8D85 7A0B0000    LEA EAX,DWORD PTR SS:[EBP+B7A]
  0064EBD2  50              PUSH EAX
  0064EBD3  EB 01            JMP SHORT cookbook.0064EBD6
  0064EBD5  E8 81AD591C      CALL 1CBE995B
  0064EBDA  0000            ADD BYTE PTR DS:[EAX],AL
  0064EBDC  88B465 CCC3EB01  MOV BYTE PTR SS:[EBP+1EBC3CC],DH
  0064EBE3  EB 33            JMP SHORT cookbook.0064EC18
  0064EBE5  DB              ???                                      ; Unknown command
  0064EBE6  8BC3            MOV EAX,EBX
  0064EBE8  66:BE 4746      MOV SI,4647
  0064EBEC  66:BF 4D4A      MOV DI,4A4D
  0064EBF0  CC              INT3
  0064EBF1  90              NOP
  0064EBF2  66:81FE 4746    CMP SI,4647
  0064EBF7  75 0C            JNZ SHORT cookbook.0064EC05
  0064EBF9  64:67:8F06 0000  POP DWORD PTR FS:[0]
  0064EBFF  83C4 04          ADD ESP,4

Press Ctrl+F and search for TEST ESI,ESI. You land here (this is not the one we are looking for):

  0064F17D  85F6            TEST ESI,ESI
  0064F17F  0F84 8B000000    JE cookbook.0064F210
  0064F185  8B95 62D34000    MOV EDX,DWORD PTR SS:[EBP+40D362]
  0064F18B  03F2            ADD ESI,EDX
  0064F18D  2B95 66D34000    SUB EDX,DWORD PTR SS:[EBP+40D366]
  0064F193  74 7B            JE SHORT cookbook.0064F210
  0064F195  8BDA            MOV EBX,EDX
  0064F197  C1EB 10          SHR EBX,10
  0064F19A  8B06            MOV EAX,DWORD PTR DS:[ESI]
  0064F19C  85C0            TEST EAX,EAX
  0064F19E  74 70            JE SHORT cookbook.0064F210
  0064F1A0  8B4E 04          MOV ECX,DWORD PTR DS:[ESI+4]
  0064F1A3  83E9 08          SUB ECX,8
  0064F1A6  D1E9            SHR ECX,1
  0064F1A8  8BBD 62D34000    MOV EDI,DWORD PTR SS:[EBP+40D362]
  0064F1AE  03F8            ADD EDI,EAX
  0064F1B0  83C6 08          ADD ESI,8
  0064F1B3  0FB706          MOVZX EAX,WORD PTR DS:[ESI]
  0064F1B6  C1C8 0C          ROR EAX,0C
  0064F1B9  FEC8            DEC AL
  0064F1BB  78 4C            JS SHORT cookbook.0064F209
  0064F1BD  74 0E            JE SHORT cookbook.0064F1CD
  0064F1BF  FEC8            DEC AL
  0064F1C1  74 13            JE SHORT cookbook.0064F1D6
  0064F1C3  FEC8            DEC AL
  0064F1C5  74 3C            JE SHORT cookbook.0064F203
  0064F1C7  FEC8            DEC AL

Press Ctrl+L once more (search again) to reach this:

  0064F21C  85F6            TEST ESI,ESI             // the critical spot: be sure to set a breakpoint here with F2; the goal is to dump an intact import table
  0064F21E  0F84 06040000    JE cookbook.0064F62A
  0064F224  03F2            ADD ESI,EDX
  0064F226  83A5 52D44000 00 AND DWORD PTR SS:[EBP+40D452],0
  0064F22D  8B46 0C          MOV EAX,DWORD PTR DS:[ESI+C]
  0064F230  8366 0C 00      AND DWORD PTR DS:[ESI+C],0   // tElock's weak spot; you can also search for this key point
  0064F234  85C0            TEST EAX,EAX
  0064F236  0F84 EE030000    JE cookbook.0064F62A
  0064F23C  03C2            ADD EAX,EDX
  0064F23E  8BD8            MOV EBX,EAX
  0064F240  50              PUSH EAX
  0064F241  FF95 D0D24000    CALL DWORD PTR SS:[EBP+40D2D0]
  0064F247  85C0            TEST EAX,EAX
  0064F249  0F85 BA000000    JNZ cookbook.0064F309
  0064F24F  53              PUSH EBX
  0064F250  FF95 E4BA4000    CALL DWORD PTR SS:[EBP+40BAE4]
  0064F256  85C0            TEST EAX,EAX
  0064F258  0F85 AB000000    JNZ cookbook.0064F309
  0064F25E  8B95 62D34000    MOV EDX,DWORD PTR SS:[EBP+40D362]
  0064F264  0195 2AD34000    ADD DWORD PTR SS:[EBP+40D32A],EDX
  0064F26A  0195 36D34000    ADD DWORD PTR SS:[EBP+40D336],EDX
  0064F270  6A 30            PUSH 30
  0064F272  53              PUSH EBX
  0064F273  FFB5 36D34000    PUSH DWORD PTR SS:[EBP+40D336]
  0064F279  EB 53            JMP SHORT cookbook.0064F2CE
  0064F27B  8B95 62D34000    MOV EDX,DWORD PTR SS:[EBP+40D362]
  0064F281  0195 2AD34000    ADD DWORD PTR SS:[EBP+40D32A],EDX

Press Shift+F9 to run to this point and check ESI: its value is 001AA000. Then, in the command box at OllyDbg's bottom left, enter D 005AA000 (001AA000 + 400000) and scroll down until everything that follows is 00; that is at 5AD0F0. Using the Windows calculator, 5AD0F0 - 5AA000 = 30F0. Why stop here and not somewhere else? Going too far down causes errors, and so does stopping too early: it must be neither too much nor too little.

Start LordPE and select the main program's process. Right-click, choose partial dump, enter 005AA000 as the address and 000030F0 as the size, and dump the import table as 30F0.DMP for later use. Exit LordPE, switch back to OllyDbg, press F2 to remove the breakpoint, and press Shift+F9 to continue to here:

  0064F6F1  8DC0            LEA EAX,EAX                              ; Illegal use of register
  0064F6F3  EB 01            JMP SHORT cookbook.0064F6F6
  0064F6F5  EB 68            JMP SHORT cookbook.0064F75F
  0064F6F7  33C0            XOR EAX,EAX
  0064F6F9  -EB FE            JMP SHORT cookbook.0064F6F9
  0064F6FB  FFE4            JMP ESP
  0064F6FD  CD20 8B642408    VxDCall 824648B
  0064F703  33C0            XOR EAX,EAX
  0064F705  FF6424 08        JMP DWORD PTR SS:[ESP+8]
  0064F709  -E9 58508304      JMP 04E84766
  0064F70E  24 37            AND AL,37
  0064F710  FFE0            JMP EAX
  0064F712  CD20 648F0058    VxDCall 58008F64
  0064F718  EB 02            JMP SHORT cookbook.0064F71C
  0064F71A  -E9 01585DEB      JMP EBC24F20
  0064F71F  01B8 E8780000    ADD DWORD PTR DS:[EAX+78E8],EDI
  0064F725  008F 5C55DB03    ADD BYTE PTR DS:[EDI+3DB555C],CL
  0064F72B  9E              SAHF
  0064F72C  79 22            JNS SHORT cookbook.0064F750
  0064F72E  9A 26E92B6E 913F CALL FAR 3F91:6E2BE926                  ; Far call
  0064F735  26:A0 1342047E  MOV AL,BYTE PTR ES:[7E044213]
  0064F73B  40              INC EAX
  0064F73C  0B03            OR EAX,DWORD PTR DS:[EBX]
  0064F73E  2208            AND CL,BYTE PTR DS:[EAX]
  0064F740  BC 923FBB1B      MOV ESP,1BBB3F92
  0064F745  D223            SHL BYTE PTR DS:[EBX],CL
  0064F747  5C              POP ESP

In the bottom-left command box enter BP 5A172C (the entry point) and press Shift+F9 to run to the entry point. Start LordPE again, select the main program, right-click, choose full dump, and dump the file as UNPACKED.EXE. Exit OllyDbg.

3. Insert the import table

Start Hex Workshop and open the two files just dumped. In the 30F0 file press Ctrl+A and copy. Then switch to the open UNPACKED file, press Ctrl+G and enter 001AA000; in Hex Workshop's Edit menu choose Select Block and enter 1AD0F0 as the end, then paste, save and exit.

4. Fix the entry point and the import table location

Start PEditor, load UNPACKED.EXE, change the entry point to 001A172C and the import table location to 001AA000, and click Rebuild Import Table.

5. Test-run the file

Everything works normally. OK, that's a wrap; whatever else you want to do with it is up to you. Bye (886).
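Steps 3 and 4 above (splicing 30F0.DMP into UNPACKED.EXE, then fixing the entry point and import directory) as an added Python example; it is not part of the original write-up. It writes the partial dump at its RVA and patches the PE32 optional header directly, assuming a LordPE-style full dump in which file offsets equal RVAs; the field offsets come from the PE/COFF specification and the test image is constructed inline.

```python
import struct

# Field offsets inside a PE32 optional header (PE/COFF specification).
OPT_ENTRY_POINT = 16     # AddressOfEntryPoint
OPT_NUM_DIRS = 92        # NumberOfRvaAndSizes
OPT_DATA_DIRS = 96       # first IMAGE_DATA_DIRECTORY (RVA, Size)
IMPORT_DIR = 1           # IMAGE_DIRECTORY_ENTRY_IMPORT

def optional_header_offset(image):
    """Locate the optional header, checking MZ/PE signatures and the PE32 magic."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                     # skip signature and COFF header
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("only PE32 images are handled")
    return opt

def restore_imports(image, dump, dump_rva, entry_rva):
    """Splice the import-table dump into the full dump at its RVA, then set
    AddressOfEntryPoint and the import data directory (RVA and size).
    Assumes the full dump is laid out like memory, so RVA == file offset."""
    image = bytearray(image)
    if dump_rva + len(dump) > len(image):
        raise ValueError("dump does not fit inside the image")
    image[dump_rva:dump_rva + len(dump)] = dump
    opt = optional_header_offset(image)
    if struct.unpack_from("<I", image, opt + OPT_NUM_DIRS)[0] <= IMPORT_DIR:
        raise ValueError("optional header has no import directory slot")
    struct.pack_into("<I", image, opt + OPT_ENTRY_POINT, entry_rva)
    struct.pack_into("<II", image, opt + OPT_DATA_DIRS + 8 * IMPORT_DIR, dump_rva, len(dump))
    return bytes(image)

def header_fields(image):
    # Returns (entry point, import RVA, import size) so the fix-up can be checked.
    opt = optional_header_offset(image)
    entry = struct.unpack_from("<I", image, opt + OPT_ENTRY_POINT)[0]
    rva, size = struct.unpack_from("<II", image, opt + OPT_DATA_DIRS + 8 * IMPORT_DIR)
    return entry, rva, size

def make_test_image(size):
    # Constructed stand-in for UNPACKED.EXE: valid MZ/PE32 headers over a zeroed body.
    image = bytearray(size)
    image[:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, 0x80)              # e_lfanew
    image[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", image, 0x98, 0x10B)             # PE32 magic (0x80 + 4 + 20)
    struct.pack_into("<I", image, 0x98 + OPT_NUM_DIRS, 16) # all 16 directories present
    return bytes(image)
```

With the real pair of dumps the call is restore_imports(unpacked_bytes, dump_bytes, 0x1AA000, 0x1A172C) using the values from the write-up, and the result is written back out; PEditor's rebuild step is not reproduced here.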

Article URL: https://www.sdruilu.cn/news/tpart-21567.html