A simple example
Manual unpacking walkthrough. [Target] 中华老黄历2007 V1.0 (a Chinese almanac program)
[Tools] PEiD, OllyICE V1.10
1. Scan the file with PEiD: ASPack 2.12 -> Alexey Solodovnikov (see figure).
[Figure 0011.jpg, attached 2007-10-21 11:34: PEiD reporting ASPack 2.12 -> Alexey Solodovnikov]
2. Load the program in OD and answer "No" to the "analyze code?" prompt.
It stops at the packer's entry point, shown below. (Start: step over the first instruction with F8; unless a line says otherwise, every step below is F8.)
00408001 >  60              pushad                        ; (initial cpu selection)  saves all registers; ASPack restores them with popad just before the OEP
00408002    E8 03000000     call 0040800A                 ; press F7 here
(Note: this call sits right at the packer entry and must be stepped INTO with F7. F8 would plant OD's temporary breakpoint on the return address 00408007, but the stub never comes back there (see the retn below), so the program simply runs to completion: that is the "trap".)
After F7 you arrive here:
0040800A    5D              pop ebp                       ; Zhlhl.00408007: the return address pushed by the call above
0040800B    45              inc ebp                       ; ebp = 00408008
0040800C    55              push ebp
0040800D    C3              retn                          ; returns to 00408008, one byte past the real return address; execution ends up at 0040800E
0040800E    E8 01000000     call 00408014                 ; lands here from the retn above; press F7 again
(Note: this call is also right next to the entry and must be followed with F7 for the same reason, otherwise you fall into the same trap.)
After F7 you arrive here:
00408014    5D              pop ebp                       ; Zhlhl.00408013: from here on ebp is the base the stub uses for all its [ebp+xxx] references
00408015    BB EDFFFFFF     mov ebx, -13
~~~~~~~~~~~~~~~~~~ (intermediate instructions omitted; all F8)
00408060    FF95 490F0000   call dword ptr [ebp+F49]
00408066    8985 51050000   mov dword ptr [ebp+551], eax  ; stores the returned API address; it is called later with MEM_RELEASE arguments, i.e. VirtualFree
0040806C    8D45 77         lea eax, dword ptr [ebp+77]   ; ebp+77 = 0040808A
0040806F    FFE0            jmp eax                       ; jumps
0040808A    8B9D 31050000   mov ebx, dword ptr [ebp+531]  ; lands here
00408090    0BDB            or ebx, ebx
00408092    74 0A           je short 0040809E
~~~~~~~~~~~~~~~~~~ (intermediate instructions omitted; all F8)
00408136    74 0A           je short 00408142
00408138    EB 00           jmp short 0040813A            ; jumps
0040813A    3C E9           cmp al, 0E9                   ; lands here. This is ASPack's E8/E9 (call/jmp) address filter, which turns the absolute targets the packer stored back into relative displacements
0040813C    74 04           je short 00408142
0040813E    43              inc ebx
0040813F    49              dec ecx
00408140   ^EB EB           jmp short 0040812D            ; loops back
00408142    8B06            mov eax, dword ptr [esi]      ; click this line, then F4 (run to cursor) to get past the loop
00408144    EB 00           jmp short 00408146            ; jumps
00408146    803E 06         cmp byte ptr [esi], 6         ; lands here
00408149   ^75 F3           jnz short 0040813E            ; loops back
0040814B    24 00           and al, 0                     ; click this line, then F4
0040814D    C1C0 18         rol eax, 18
00408150    2BC3            sub eax, ebx                  ; target minus current offset = relative displacement
00408152    8906            mov dword ptr [esi], eax
00408154    83C3 05         add ebx, 5
00408157    83C6 04         add esi, 4
0040815A    83E9 05         sub ecx, 5
0040815D   ^EB CE           jmp short 0040812D            ; loops back
0040815F    5B              pop ebx                       ; click this line, then F4
00408160    5E              pop esi
00408161    59              pop ecx
00408162    58              pop eax
00408163    EB 08           jmp short 0040816D            ; jumps
0040816D    8BC8            mov ecx, eax                  ; lands here; eax = number of decompressed bytes
0040816F    8B3E            mov edi, dword ptr [esi]      ; section RVA
00408171    03BD 22040000   add edi, dword ptr [ebp+422]  ; [ebp+422] holds the image base (00400000), so edi = the section's VA
00408177    8BB5 52010000   mov esi, dword ptr [ebp+152]  ; decompression buffer
0040817D    C1F9 02         sar ecx, 2
00408180    F3:A5           rep movs dword ptr es:[edi], dword ptr [esi]  ; copy the decompressed data into the section
00408182    8BC8            mov ecx, eax
00408184    83E1 03         and ecx, 3
00408187    F3:A4           rep movs byte ptr es:[edi], byte ptr [esi]    ; the remaining 0..3 bytes
00408189    5E              pop esi
0040818A    68 00800000     push 8000                     ; MEM_RELEASE
0040818F    6A 00           push 0
00408191    FFB5 52010000   push dword ptr [ebp+152]
00408197    FF95 51050000   call dword ptr [ebp+551]      ; VirtualFree(buffer, 0, MEM_RELEASE)
0040819D    83C6 08         add esi, 8                    ; next entry of the packer's section table
004081A0    833E 00         cmp dword ptr [esi], 0        ; end of table?
004081A3   ^0F85 1EFFFFFF   jnz 004080C7                  ; loops back: one pass per packed section
004081A9    68 00800000     push 8000                     ; click this line, then F4
004081AE    6A 00           push 0
004081B0    FFB5 56010000   push dword ptr [ebp+156]
004081B6    FF95 51050000   call dword ptr [ebp+551]
004081BC    8B9D 31050000   mov ebx, dword ptr [ebp+531]
004081C2    0BDB            or ebx, ebx
004081C4    74 08           je short 004081CE             ; jumps
004081CE    8B95 22040000   mov edx, dword ptr [ebp+422]  ; lands here; image base
004081D4    8B85 2D050000   mov eax, dword ptr [ebp+52D]
004081DA    2BD0            sub edx, eax                  ; delta between the current and the stored image base; zero in this run, so the code in between is skipped
004081DC    74 79           je short 00408257             ; jumps
00408257    8B95 22040000   mov edx, dword ptr [ebp+422]  ; lands here
0040825D    8BB5 41050000   mov esi, dword ptr [ebp+541]
00408263    0BF6            or esi, esi
00408265    74 11           je short 00408278             ; jumps
00408278    BE 00700000     mov esi, 7000                 ; lands here; RVA of the packer's import table
0040827D    8B95 22040000   mov edx, dword ptr [ebp+422]
00408283    03F2            add esi, edx                  ; esi = 00407000
~~~~~~~~~~~~~~~~~~ (intermediate instructions omitted; all F8)
004082B6    8B95 22040000   mov edx, dword ptr [ebp+422]
004082BC    8B06            mov eax, dword ptr [esi]
004082BE    85C0            test eax, eax
004082C0    75 03           jnz short 004082C5            ; jumps
004082C5    03C2            add eax, edx                  ; lands here
004082C7    0385 49050000   add eax, dword ptr [ebp+549]
004082CD    8B18            mov ebx, dword ptr [eax]
~~~~~~~~~~~~~~~~~~ (intermediate instructions omitted; all F8)
004082FC    FF95 490F0000   call dword ptr [ebp+F49]      ; same API slot as at 00408060; resolves one import, address returned in eax
00408302    85C0            test eax, eax
00408304    5B              pop ebx
00408305    75 6F           jnz short 00408376            ; jumps
00408376    8907            mov dword ptr [edi], eax      ; lands here; writes the resolved address into the IAT
00408378    8385 49050000 04 add dword ptr [ebp+549], 4   ; next thunk
0040837F   ^E9 32FFFFFF     jmp 004082B6                  ; loops back: one pass per imported function
00408384    8906            mov dword ptr [esi], eax      ; click this line, then F4
00408386    8946 0C         mov dword ptr [esi+C], eax
00408389    8946 10         mov dword ptr [esi+10], eax
0040838C    83C6 14         add esi, 14                   ; next IMAGE_IMPORT_DESCRIPTOR (0x14 bytes each)
0040838F    8B95 22040000   mov edx, dword ptr [ebp+422]
00408395   ^E9 EBFEFFFF     jmp 00408285                  ; loops back: one pass per imported DLL
0040839A    B8 943C0000     mov eax, 3C94                 ; click this line, then F4. 3C94 is the RVA of the OEP
0040839F    50              push eax
004083A0    0385 22040000   add eax, dword ptr [ebp+422]  ; plus the image base = 00403C94, the OEP's VA
004083A6    59              pop ecx
004083A7    0BC9            or ecx, ecx                   ; ecx = 3C94, so ZF = 0; popad does not touch EFLAGS, so this is what decides the jnz below
004083A9    8985 A8030000   mov dword ptr [ebp+3A8], eax  ; ebp+3A8 = 004083BB, the operand of the "push 0" below: the stub patches it with the OEP
004083AF    61              popad                         ; restores the registers saved by pushad at the entry (the OEP is close now)
004083B0    75 08           jnz short 004083BA            ; jumps
004083BA    68 00000000     push 0                        ; lands here. OD still shows the old operand; at run time this pushes 00403C94
004083BF    C3              retn                          ; the stub ends here: the retn pops the OEP and transfers control to it (a jump across sections)
00403C94    55              push ebp                      ; lands here: this is the OEP. Dump right now with OD's dump plugin and save the file (see figure).
[Figure 001.jpg, attached 2007-10-20 22:31: the dump plugin dialog at EIP 00403C94]
3. Done (see figure). Simple, just those few keys; you can't say you don't know how. Scan the dumped file with PEiD again: the packer is gone, and the entry point it shows should now be 00403C94 (RVA 3C94), which the dump plugin sets from the current EIP (see figure).
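The three file-level checks around this workflow (is the entry point really an ASPack stub, where does the OEP sit, and was the dump's entry point rewritten) can be scripted. The Python below is an added example, not code from the original post, from PEiD or from the dump plugin. It parses a PE32 header, matches the entry-point bytes against the stub bytes visible in the listing above (with wildcards for the bytes the listing skips over), and rewrites AddressOfEntryPoint to the OEP's RVA the way the dump plugin does. The sample image is constructed inline: its section names, layout and the 0x90 filler in the wildcard positions are assumptions; only the addresses (image base 00400000, stub at 00408001, OEP 00403C94) mirror the listing.

```python
import struct

SECTION_HEADER_SIZE = 40  # sizeof(IMAGE_SECTION_HEADER)

# Entry-point bytes of the ASPack 2.12 stub as shown in the listing above.
# None marks a byte the listing does not show (the two calls jump past them).
ASPACK_EP_PATTERN = [
    0x60,                          # pushad
    0xE8, 0x03, 0x00, 0x00, 0x00,  # call $+8
    None, None, None,              # 00408007..00408009: skipped by that call
    0x5D, 0x45, 0x55, 0xC3,        # pop ebp / inc ebp / push ebp / retn
    0xE8, 0x01, 0x00, 0x00, 0x00,  # call $+6
    None,                          # 00408013: skipped by that call
    0x5D,                          # pop ebp
    0xBB, 0xED, 0xFF, 0xFF, 0xFF,  # mov ebx, -13
]


def parse_pe32(data):
    """Return (optional-header offset, ImageBase, AddressOfEntryPoint, sections);
    each section is (name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    nsections, = struct.unpack_from("<H", data, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)
    opt = e_lfanew + 24
    magic, = struct.unpack_from("<H", data, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 (magic 0x10B) is handled")
    entry_rva, = struct.unpack_from("<I", data, opt + 16)
    image_base, = struct.unpack_from("<I", data, opt + 28)
    sections = []
    for i in range(nsections):
        off = opt + opt_size + i * SECTION_HEADER_SIZE
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append((name, va, vsize, rawptr, rawsize))
    return opt, image_base, entry_rva, sections


def section_for_rva(sections, rva):
    for sec in sections:
        _, va, vsize, _, rawsize = sec
        if va <= rva < va + max(vsize, rawsize):
            return sec
    return None


def rva_to_offset(data, rva):
    """Map an RVA to a file offset through the section table."""
    sec = section_for_rva(parse_pe32(data)[3], rva)
    if sec is None:
        raise ValueError("RVA %#x is outside every section" % rva)
    name, va, _, rawptr, rawsize = sec
    if rva - va >= rawsize:
        raise ValueError("RVA %#x has no raw data in section %s" % (rva, name))
    return rawptr + (rva - va)


def entry_point_va(data):
    _, image_base, entry_rva, _ = parse_pe32(data)
    return image_base + entry_rva


def entry_section(data):
    """Name of the section holding the entry point (a packer stub usually sits in the last one)."""
    _, _, entry_rva, sections = parse_pe32(data)
    sec = section_for_rva(sections, entry_rva)
    return sec[0] if sec else None


def looks_like_aspack(data):
    """PEiD-style check: do the bytes at the entry point match the stub pattern?"""
    _, _, entry_rva, _ = parse_pe32(data)
    try:
        off = rva_to_offset(data, entry_rva)
    except ValueError:
        return False
    chunk = data[off:off + len(ASPACK_EP_PATTERN)]
    if len(chunk) < len(ASPACK_EP_PATTERN):
        return False
    return all(want is None or got == want for want, got in zip(ASPACK_EP_PATTERN, chunk))


def set_entry_point(data, oep_va):
    """What the dump plugin does for you: point AddressOfEntryPoint at the OEP.
    Refuses an OEP that does not fall inside any section of the image."""
    opt, image_base, _, sections = parse_pe32(data)
    rva = oep_va - image_base
    if rva < 0 or section_for_rva(sections, rva) is None:
        raise ValueError("OEP %#x is not inside the image" % oep_va)
    out = bytearray(data)
    struct.pack_into("<I", out, opt + 16, rva)
    return bytes(out)


def build_sample():
    """Constructed sample, not a real file: a minimal PE32 with ImageBase 00400000, a .text
    section covering the OEP RVA 3C94 and a last section whose bytes at RVA 8001 form an
    ASPack-style stub. Section names and the 0x90 filler in wildcard positions are assumed."""
    img = bytearray(0x800)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    # IMAGE_FILE_HEADER: i386, 2 sections, SizeOfOptionalHeader 0xE0, EXECUTABLE_IMAGE|32BIT_MACHINE
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)
    opt = 0x58
    struct.pack_into("<H", img, opt, 0x10B)                # PE32 magic
    struct.pack_into("<I", img, opt + 16, 0x8001)          # AddressOfEntryPoint: the packer stub
    struct.pack_into("<I", img, opt + 28, 0x400000)        # ImageBase
    struct.pack_into("<II", img, opt + 32, 0x1000, 0x200)  # SectionAlignment, FileAlignment
    struct.pack_into("<II", img, opt + 56, 0x9000, 0x400)  # SizeOfImage, SizeOfHeaders
    table = opt + 0xE0
    layout = [(b".text", 0x7000, 0x1000, 0x200, 0x400),    # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
              (b".aspack", 0x1000, 0x8000, 0x200, 0x600)]
    for i, (name, vsize, va, rawsize, rawptr) in enumerate(layout):
        off = table + i * SECTION_HEADER_SIZE
        img[off:off + 8] = name.ljust(8, b"\0")
        struct.pack_into("<IIII", img, off + 8, vsize, va, rawsize, rawptr)
    stub = bytes(0x90 if b is None else b for b in ASPACK_EP_PATTERN)
    img[0x601:0x601 + len(stub)] = stub                    # RVA 8001 -> .aspack raw offset 0x600 + 1
    return bytes(img)


if __name__ == "__main__":
    packed = build_sample()
    print("EP %#010x in %s, ASPack stub: %s" % (entry_point_va(packed), entry_section(packed), looks_like_aspack(packed)))
    dumped = set_entry_point(packed, 0x00403C94)
    print("dump EP %#010x in %s" % (entry_point_va(dumped), entry_section(dumped)))
```

Run it on a real dump by replacing build_sample() with the bytes of the file. set_entry_point refuses an OEP outside every section, which catches the common mistake of dumping with EIP still inside the stub or typing the RVA where the VA belongs.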
[Figure 002.jpg, attached 2007-10-21 11:34: PEiD on the dumped file, no packer detected]