PECompact 2.x -> Jeremy Collake unpacking notes
Tags: PECompact, Jeremy Collake, unpacking, unpacking techniques
2008-06-23 (Monday) 19:01

Checking the file with PEiD shows it is packed with PECompact 2.x -> Jeremy Collake. After loading it in OllyDbg, execution stops at:

00401000 B8 D4A14300 mov eax,CoralQQ.0043A1D4

Single-step with F8:

00401005 50 push eax
00401006 64:FF35 00000000 push dword ptr fs:[0]
0040100D 64:8925 00000000 mov dword ptr fs:[0],esp
00401014 33C0 xor eax,eax

At this point the stack window shows:

0012FFBC 0012FFE0 pointer to next SEH record
0012FFC0 0043A1D4 SE handler
0012FFC4 7C816D4F return to kernel32.7C816D4F

So the stub has just installed an SEH handler at 0043A1D4 (the address loaded into eax by the first instruction). Press Ctrl+G, go to 0043A1D4, set a breakpoint there, then F9 to run; the program breaks in the handler:

0043A1D4 B8 7E9043F0 mov eax,F043907E
0043A1D9 8D88 79110010 lea ecx,dword ptr ds:[eax+10001179]
0043A1DF 8941 01 mov dword ptr ds:[ecx+1],eax
0043A1E2 8B5424 04 mov edx,dword ptr ss:[esp+4]
0043A1E6 8B52 0C mov edx,dword ptr ds:[edx+C]
0043A1E9 C602 E9 mov byte ptr ds:[edx],0E9
0043A1EC 83C2 05 add edx,5
0043A1EF 2BCA sub ecx,edx
0043A1F1 894A FC mov dword ptr ds:[edx-4],ecx

Remove that breakpoint and set a new one at 0043A1F7:

0043A1F7 B8 78563412 mov eax,12345678
0043A1FC 64:8F05 00000000 pop dword ptr fs:[0]
0043A203 83C4 04 add esp,4
0043A206 55 push ebp
0043A207 53 push ebx
0043A208 51 push ecx
0043A209 57 push edi
0043A20A 56 push esi
0043A20B 52 push edx

Press F9 again; the program breaks once more. Remove the breakpoint and single-step with F8 all the way to 0043A29F:

0043A281 8985 23120010 mov dword ptr ss:[ebp+10001223],eax
0043A287 8BF0 mov esi,eax
0043A289 59 pop ecx
0043A28A 5A pop edx
0043A28B 03CA add ecx,edx
0043A28D 68 00800000 push 8000
0043A292 6A 00 push 0
0043A294 57 push edi
0043A295 FF11 call dword ptr ds:[ecx]
0043A297 8BC6 mov eax,esi
0043A299 5A pop edx
0043A29A 5E pop esi
0043A29B 5F pop edi
0043A29C 59 pop ecx
0043A29D 5B pop ebx
0043A29E 5D pop ebp
0043A29F FFE0 jmp eax

One more F8 here takes the jump to the OEP:

00418E2C 55 push ebp

We have reached the OEP.
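As an added illustration (not part of the original post), the following Python reproduces the two facts the walkthrough relies on: the stub's first instruction carries the SEH handler address (breakpoint 1), and the handler's lea arithmetic wraps around 32 bits to 0043A1F7 (breakpoint 2) before the handler rewrites the faulting instruction into a jmp to that address. The exception address 00401016 is a constructed placeholder; the post does not show where the fault occurs.

```python
import struct

MASK32 = 0xFFFFFFFF

# Constructed from the entry-point listing in the post (bytes at 00401000).
ENTRY_STUB = bytes.fromhex(
    "B8 D4A14300"          # mov eax, 0043A1D4   ; SEH handler address
    "50"                   # push eax
    "64FF35 00000000"      # push dword ptr fs:[0]
    "648925 00000000"      # mov dword ptr fs:[0], esp
    "33C0"                 # xor eax, eax
)

# Fixed part of the stub after the imm32: push eax / push fs:[0] / mov fs:[0],esp
_SEH_INSTALL = bytes.fromhex("50 64FF3500000000 64892500000000")


def find_seh_handler(stub: bytes):
    """Return the handler VA if `stub` starts with the PECompact 2.x entry
    sequence (mov eax,imm32 followed by the SEH install), else None.
    This is where the walkthrough places its first breakpoint."""
    if len(stub) < 20 or stub[0] != 0xB8 or stub[5:20] != _SEH_INSTALL:
        return None
    return struct.unpack_from("<I", stub, 1)[0]


def handler_continuation(mov_imm: int, lea_disp: int) -> int:
    """ecx = eax + disp with 32-bit wraparound, i.e. the effect of
    `mov eax,F043907E` / `lea ecx,[eax+10001179]` in the handler."""
    return (mov_imm + lea_disp) & MASK32


def jmp_patch(exception_addr: int, target: int) -> bytes:
    """The 5-byte `jmp rel32` the handler writes at the faulting address:
    `mov byte [edx],E9` / `add edx,5` / `sub ecx,edx` / `mov [edx-4],ecx`."""
    rel32 = (target - (exception_addr + 5)) & MASK32
    return b"\xE9" + struct.pack("<I", rel32)


if __name__ == "__main__":
    handler = find_seh_handler(ENTRY_STUB)
    # Operands taken from the handler listing in the post.
    cont = handler_continuation(0xF043907E, 0x10001179)
    fault = 0x00401016   # constructed placeholder, not shown in the post
    print(f"SEH handler (breakpoint 1): {handler:08X}")
    print(f"handler redirects to (breakpoint 2): {cont:08X}")
    print(f"jmp patch written at {fault:08X}: {jmp_patch(fault, cont).hex(' ').upper()}")
```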