手脱PE Pack v1.0
声明:1.只为纪录自己成长历程,高手勿喷
2.您的热心是新手持续发帖的动力
1.PEID查壳
PE Pack v1.0
2.载入OD,一上来就这架势,先F8走着
00403235 > /74 00 je short Pepack_1.00403237 ; //入口点
00403237-\E9 C49D0000 jmp Pepack_1.0040D000
0040323C 0000 add byte ptr ds:,al
0040323E 0000 add byte ptr ds:,al
00403240 0000 add byte ptr ds:,al
00403242 0000 add byte ptr ds:,al
00403244 0000 add byte ptr ds:,al
3.走到这里,一个pushad,又是我最喜欢的ESP定律,硬件访问断点,shift+F9一次
0040D000 60 pushad
0040D001 E8 00000000 call Pepack_1.0040D006 ; //ESP
0040D006 5D pop ebp
0040D007 83ED 06 sub ebp,0x6
0040D00A 80BD 3E050000 0>cmp byte ptr ss:,0x1
0040D011 0F84 48020000 je Pepack_1.0040D25F
0040D017 C685 3E050000 0>mov byte ptr ss:,0x1
4.ESP落脚点,这个落脚点是一个大跳转,也是指向OEP的关键跳,之前有朋友问过怎么确定它是关键跳,我只想说因为他跳过去就是OEP,所以他是关键跳
0040D270- FFE0 jmp eax ; //ESP落脚点
0040D272 8D85 CE050000 lea eax,dword ptr ss:
0040D278 50 push eax
0040D279 8DBD D1040000 lea edi,dword ptr ss:
0040D27F 53 push ebx
0040D280 57 push edi
0040D281 50 push eax
5.来到OEP,脱壳把
004010CC 55 push ebp ;//OEP
004010CD 8BEC mov ebp,esp
004010CF 83EC 44 sub esp,0x44
004010D2 56 push esi
004010D3 FF15 E4634000 call dword ptr ds:
004010D9 8BF0 mov esi,eax
004010DB 8A00 mov al,byte ptr ds:
004010DD 3C 22 cmp al,0x22
004010DF 75 1B jnz short Pepack_1.004010FC
6.运行,查壳
运行OK,查壳:Microsoft Visual C++ v6.0 SPx
谢谢分享
页:
[1]