Unpacking PeCompact 2.79
PeCompact 2.79 API locating. The OEP of this packer is easy to find.
004271B0 > $55 PUSH EBP
004271B1 .8BEC MOV EBP,ESP
004271B3 .6A FF PUSH -1
004271B5 .68 600E4500 PUSH unpackme.00450E60
004271BA .68 C8924200 PUSH unpackme.004292C8 ; SE handler installation
004271BF .64:A1 0000000>MOV EAX,DWORD PTR FS:
004271C5 .50 PUSH EAX
004271C6 .64:8925 00000>MOV DWORD PTR FS:,ESP
004271CD .83C4 A8 ADD ESP,-58
004271D0 .53 PUSH EBX
004271D1 .56 PUSH ESI
004271D2 .57 PUSH EDI
004271D3 .8965 E8 MOV DWORD PTR SS:,ESP
004271D6 .FF15 DC0A4600 CALL DWORD PTR DS:[<&kernel32.GetVersion> ; kernel32.GetVersion
004271DC .33D2 XOR EDX,EDX
Goal: find GetProcAddress
00060428+400000 LoadlibraryA
00460418 00061112
0046041C 000610FE
00460420 000610EA
00460424 000610D0
00460428 000610C0
00E2154F F3:A5 REP MOVS DWORD PTR ES:,DWORD PTR DS>
00E21551 03C8 ADD ECX,EAX
00E21553 83E1 03 AND ECX,3
00E21556 F3:A4 REP MOVS BYTE PTR ES:,BYTE PTR DS:[>
00E21558 59 POP ECX
00E21559 83C3 1C ADD EBX,1C
00E2155C 49 DEC ECX
00E2155D^ 75 A2 JNZ SHORT 00E21501
00E21924 83C2 04 ADD EDX,4 ; breaks here; above, at PUSH DWORD PTR SS:, hardware breakpoint
00E21927 83C6 04 ADD ESI,4
00E2192A^ EB AC JMP SHORT 00E218D8
00E2192C 33C0 XOR EAX,EAX
00E2192E 5E POP ESI
00E2190E FF75 FC PUSH DWORD PTR SS: ; kernel32.7C800000
00E21911 FF93 1F1F3C00 CALL DWORD PTR DS:
00E21917 5A POP EDX
00E21918 85C0 TEST EAX,EAX
00E2191A^ 0F84 6FFFFFFF JE 00E2188F
00E21920 8906 MOV DWORD PTR DS:,EAX
00E21922 8902 MOV DWORD PTR DS:,EAX
00E21924 83C2 04 ADD EDX,4
00E21927 83C6 04 ADD ESI,4
0012FF30 004610B0 ASCII "GetProcAddress" ; reads the API function
0012FF34 00000116
0012FF38 0046042C UnPackMe.0046042C
0012FF3C 00460014 UnPackMe.00460014
0012FF40 00460974 UnPackMe.00460974
0012FF44 00E20F68
271B0
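脱壳PeCompact 2.79 .rar
:) At my current level I can't follow this; marking it so I can study it closely once my skills improve :)
Taking a look to learn.........
Learning the API locating method
Thanks for sharing :)
:time: Still learning
:lol Thanks to the OP, bookmarked!!!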