tElock quick unpacking 2
Heh, this is the same program as in http://www.52pojie.cn/thread-19979-1-1.html. Checking the packer with PEiD: tElock 0.98b1 -> tE!
Ignore all exceptions
0040DBD6 >^\E9 25E4FFFF jmp tElock.0040C000 // packer entry point, heh
0040DBDB 0000 add byte ptr ds:[eax],al
0040DBDD 0038 add byte ptr ds:[eax],bh
0040DBDF A4 movs byte ptr es:[edi],byte ptr ds:[esi]
0040DBE0 54 push esp
0040DBE1 47 inc edi
0040DBE2 1E push ds
HideOD plugin, hide options (use the English version)
Open the memory map and set an F2 breakpoint on .rsrc
Memory map, item 26
Address=00407000
Size=00005000 (20480.)
Owner=tElock 00400000
Section=.rsrc // set the F2 breakpoint here, F9 to run, Shift+F9 to ignore the exception and keep running
Contains=code,resources
Type=Imag 01001002
Access=R
Initial access=RWE
0040D0A9 F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI] // stops here
0040D0AB 8BCB MOV ECX,EBX
0040D0AD F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
0040D0AF 8BF2 MOV ESI,EDX
0040D0B1 8B7C24 28 MOV EDI,DWORD PTR SS:[ESP+28]
Ctrl+G, enter 0A F6 89 55 in HEX+04
0040D346 0AF6 OR DH,DH // follow to here
0040D348 895424 1C MOV DWORD PTR SS:[ESP+1C],EDX
0040D34C 61 POPAD
0040D34D C685 D7CC4000 00 MOV BYTE PTR SS:[EBP+40CCD7],0
0040D354 74 24 JE SHORT 0040D37A // change this one: JZ becomes JMP
0040D356 80EC 08 SUB AH,8
0040D359 B0 01 MOV AL,1
0040D35B FECC DEC AH
0040D35D 74 04 JE SHORT 0040D363
0040D35F D0E0 SHL AL,1
0040D361^ EB F8 JMP SHORT 0040D35B
Open the memory map and set an F2 breakpoint on .text
Memory map, item 23
Address=00401000
Size=00004000 (16384.)
Owner=tElock 00400000
Section= // F2, F9 to run, F2 to remove the breakpoint, go back to the memory map, Shift+F9 to ignore the exception and run
Contains=code
Type=Imag 01001002
Access=R
Initial access=RWE
004010CC 55 PUSH EBP // program OEP
004010CD 8BEC MOV EBP,ESP
004010CF 83EC 44 SUB ESP,44
004010D2 56 PUSH ESI
004010D3 FF15 E4634000 CALL DWORD PTR DS:[4063E4]
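As an added example (not part of the original post), the arithmetic behind the steps above done statically in Python: decoding the packer's entry-point JMP, checking whether the entry point and the OEP lie inside .text, and locating the JE at 0040D354 and patching it to JMP the way it is done in OllyDbg. The sample buffers are constructed from the bytes shown in the listings, and the 14-byte signature preceding the JE is an assumption chosen for this example.

```python
import struct
# Addresses taken from the OllyDbg listing and memory map in the post above.
TEXT_START, TEXT_SIZE = 0x00401000, 0x4000   # memory map item 23, .text
ENTRY_VA = 0x0040DBD6    # packer entry point (jmp tElock.0040C000)
OEP_VA = 0x004010CC      # original entry point reached at the end of the walkthrough
STUB_VA = 0x0040D346     # start of the OR DH,DH ... JE SHORT 0040D37A sequence

# Constructed sample buffers: the raw bytes shown in the two listings.
ENTRY_BYTES = bytes.fromhex("E925E4FFFF")
STUB_BYTES = bytes.fromhex("0AF68954241C61C685D7CC4000007424"
                           "80EC08B001FECC7404D0E0EBF8")
# Assumed signature: the four instructions 0040D346..0040D353 preceding the JE.
SIGNATURE = bytes.fromhex("0AF68954241C61C685D7CC400000")

def jmp_rel32_target(va, code):
    """Decode an E9 rel32 JMP located at `va` and return its absolute target."""
    if code[0] != 0xE9:
        raise ValueError("not an E9 rel32 jmp")
    rel = struct.unpack_from("<i", code, 1)[0]
    return (va + 5 + rel) & 0xFFFFFFFF

def in_section(va, start, size):
    """True when `va` lies inside the section [start, start + size)."""
    return start <= va < start + size

def patch_je_to_jmp(buf, base_va, signature):
    """Find `signature`, check the next instruction is JE rel8 (74 xx), patch to JMP rel8 (EB xx)."""
    idx = buf.find(signature)
    if idx < 0:
        raise ValueError("signature not found")
    je = idx + len(signature)
    if buf[je] != 0x74:
        raise ValueError("byte after signature is not JE rel8")
    disp = struct.unpack_from("<b", buf, je + 1)[0]
    patched = bytearray(buf)
    patched[je] = 0xEB      # same rel8 displacement, now taken unconditionally
    return bytes(patched), base_va + je, base_va + je + 2 + disp   # (buf, je_va, target)

def analyse():
    """Reproduce the post's steps statically and return the findings."""
    patched, je_va, target = patch_je_to_jmp(STUB_BYTES, STUB_VA, SIGNATURE)
    return {
        "stub_entry": jmp_rel32_target(ENTRY_VA, ENTRY_BYTES),     # 0x0040C000
        "ep_in_text": in_section(ENTRY_VA, TEXT_START, TEXT_SIZE),  # False: EP is in the stub
        "oep_in_text": in_section(OEP_VA, TEXT_START, TEXT_SIZE),   # True
        "je_va": je_va,                                            # 0x0040D354
        "jmp_target": target,                                      # 0x0040D37A
        "patched_opcode": patched[je_va - STUB_VA],                # 0xEB
    }
```

An entry point outside the code section while the final OEP lands inside .text is the usual sign of a packer stub, which is what the memory-map breakpoints in the post exploit to find the OEP.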