
The Bat! 1.39 Unpacking Notes (tags: unpacking, unpacking techniques)

2010-1-30 18:22 | Posted by: admin | Views: 82 | Comments: 0 | Original author: 小可爱


Monday, 23 June 2008, 05:39 PM

1. Unpacking the main program

014F:00990B35 8B10 MOV EDX,[EAX]
014F:00990B37 8B4508 MOV EAX,[EBP+08]
014F:00990B3A 035018 ADD EDX,[EAX+18]
014F:00990B3D 8B4508 MOV EAX,[EBP+08]
014F:00990B40 8B401C MOV EAX,[EAX+1C]
014F:00990B43 E880F9FFFF CALL 009904C8 <- here! Press F8 to step into the call

014F:009904C8 89C4 MOV ESP,EAX
014F:009904CA 89D0 MOV EAX,EDX
014F:009904CC 8B1D34569900 MOV EBX,[00995634]
014F:009904D2 89041C MOV [EBX+ESP],EAX
014F:009904D5 61 POPAD
014F:009904D6 50 PUSH EAX <- note the value of EAX (61C528)
014F:009904D7 C3 RET <- dump the process here with ProcDump



2. Obtaining the complete .idata section



The dumped program obtained above still does not run even after you have corrected its entry point (EIP). There is more work to do, and for it you need Icedump.



014F:009909FF 8B4508 MOV EAX,[EBP+08]
014F:00990A02 8D4824 LEA ECX,[EAX+24]
014F:00990A05 8B4508 MOV EAX,[EBP+08]
014F:00990A08 8B500C MOV EDX,[EAX+0C]
014F:00990A0B 8B4508 MOV EAX,[EBP+08]
014F:00990A0E 8B4008 MOV EAX,[EAX+08]
014F:00990A11 E8FAF6FFFF CALL 00990110
014F:00990A16 33C0 XOR EAX,EAX <- here!
014F:00990A18 5A POP EDX
014F:00990A19 59 POP ECX
014F:00990A1A 59 POP ECX
014F:00990A1B 648910 MOV FS:[EAX],EDX
014F:00990A1E EB13 JMP 00990A33



Stopped at 00990A16, dump the section with Icedump: Pagein D 62e000 3000 c:\thebat.bin



3. Open the dumped main program in a hex editor and replace its .idata section with the complete .idata dumped in step 2. Job done.
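The same replacement done with a script instead of a hex editor, as an added example that is not part of the original post: it parses the section table of the ProcDump-style dump, locates the section named .idata, and writes the bytes dumped in step 2 (the output of the PAGEIN command above) over that section's raw data. It refuses to truncate a dump that is larger than the section, since a cut-off import table is exactly the kind of defect that leaves the file unable to start. The PE image and the dump used in the demo are constructed here; the section name .idata, the 0x200 file alignment and the command-line usage are assumptions, not details from the page.

```python
"""Replace the .idata section of a dumped PE with separately dumped bytes.

Added example, not code from the original post. The toy PE built by
build_toy_pe() and the fake dump in demo() are constructed for demonstration.
"""
import struct
import sys

SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes
COFF_HDR = "<HHIIIHH"         # IMAGE_FILE_HEADER, 20 bytes
FILE_ALIGN = 0x200            # assumption: a typical PE file alignment


def parse_sections(pe: bytes):
    """Return [(name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)]."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsec, _ts, _symptr, _nsym, opt_size, _chars = struct.unpack_from(COFF_HDR, pe, coff)
    table = coff + struct.calcsize(COFF_HDR) + opt_size
    out = []
    for i in range(nsec):
        fields = struct.unpack_from(SECTION_HDR, pe, table + 40 * i)
        name = fields[0].rstrip(b"\0").decode("ascii", "replace")
        out.append((name, fields[1], fields[2], fields[3], fields[4]))
    return out


def replace_section(pe: bytes, name: str, blob: bytes) -> bytes:
    """Overwrite the raw data of section `name` with `blob`.

    A blob longer than SizeOfRawData is refused rather than silently cut;
    a shorter blob is zero-padded to the section's raw size.
    """
    for sname, _vsize, _va, raw_size, raw_ptr in parse_sections(pe):
        if sname != name:
            continue
        if len(blob) > raw_size:
            raise ValueError(f"dump is {len(blob):#x} bytes but {name} holds only {raw_size:#x}")
        data = blob.ljust(raw_size, b"\0")
        return pe[:raw_ptr] + data + pe[raw_ptr + raw_size:]
    raise KeyError(f"no section named {name!r}")


def build_toy_pe(sections):
    """Construct a minimal, non-runnable PE from (name, VirtualAddress, bytes) tuples."""
    opt_size = 0xE0  # PE32 optional header; its contents do not matter for the section table
    hdr_len = 0x40 + 4 + struct.calcsize(COFF_HDR) + opt_size + 40 * len(sections)
    first_raw = (hdr_len + FILE_ALIGN - 1) & ~(FILE_ALIGN - 1)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> PE signature right after the DOS header
    coff = struct.pack(COFF_HDR, 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    headers, body, ptr = b"", b"", first_raw
    for name, va, raw in sections:
        raw_size = (len(raw) + FILE_ALIGN - 1) & ~(FILE_ALIGN - 1)
        headers += struct.pack(SECTION_HDR, name.encode().ljust(8, b"\0"),
                               len(raw), va, raw_size, ptr, 0, 0, 0, 0, 0xC0000040)
        body += raw.ljust(raw_size, b"\0")
        ptr += raw_size
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt_size) + headers
    return image.ljust(first_raw, b"\0") + body


def demo():
    """Patch a constructed dump into a constructed PE; returns (patched_pe, dump)."""
    pe = build_toy_pe([(".text", 0x1000, b"\xCC" * 16), (".idata", 0x2000, b"\0" * 0x20)])
    dump = bytes(range(256)) * 2  # 0x200 constructed bytes standing in for thebat.bin
    return replace_section(pe, ".idata", dump), dump


if __name__ == "__main__":
    if len(sys.argv) == 4:  # assumed usage: script.py dumped.exe thebat.bin fixed.exe
        pe, blob = open(sys.argv[1], "rb").read(), open(sys.argv[2], "rb").read()
        open(sys.argv[3], "wb").write(replace_section(pe, ".idata", blob))
    else:
        patched, _ = demo()
        for section in parse_sections(patched):
            print(section)
```

Run it without arguments to see the toy section table after the replacement, or with three paths to patch a real dump. The script uses PointerToRawData from the section header rather than assuming the dump is laid out at virtual addresses, so it works whether or not the dumper rewrote the section headers to match memory layout; before trusting the result, compare the dump's length (0x3000 in the PAGEIN command above) against the section's SizeOfRawData and VirtualSize, as the size check in replace_section does.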

