After loading the program into OD (OllyDbg):
00401000 > B8 90A85A00 mov eax,UnicornV.005AA890
00401005 50 push eax
00401006 64:FF35 0000000>push dword ptr fs:[0]
0040100D 64:8925 0000000>mov dword ptr fs:[0],esp
00401014 33C0 xor eax,eax
00401016 8908 mov dword ptr ds:[eax],ecx
00401018 50 push eax
00401019 45 inc ebp
0040101A 43 inc ebx
0040101B 6F outs dx,dword ptr es:[edi]
0040101C 6D ins dword ptr es:[edi],dx
0040101D 70 61 jo short UnicornV.00401080
0040101F 637432 00 arpl word ptr ds:[edx+esi],si
00401023 B7 BC mov bh,0BC
Single-step with F8; after reaching 00401018 it jumps to the following:
7C92E460 |. 8B1C24 mov ebx,dword ptr ss:[esp]
7C92E463 |. 51 push ecx
7C92E464 |. 53 push ebx
7C92E465 |. E8 E6C40100 call ntdll.7C94A950
7C92E46A |. 0AC0 or al,al
7C92E46C |. 74 0C je short ntdll.7C92E47A
7C92E46E |. 5B pop ebx
7C92E46F |. 59 pop ecx
7C92E470 |. 6A 00 push 0
7C92E472 |. 51 push ecx
7C92E473 |. E8 C8EBFFFF call ntdll.ZwContinue
7C92E478 |. EB 0B jmp short ntdll.7C92E485
7C92E47A |> 5B pop ebx
When you get to 7C92E473, step into it with F7, and you see the following:
7C92D040 >/$ B8 20000000 mov eax,20
7C92D045 |. BA 0003FE7F mov edx,7FFE0300
7C92D04A |. FF12 call dword ptr ds:[edx]
7C92D04C \. C2 0800 retn 8
7C92D04F 90 nop
7C92D050 >/$ B8 21000000 mov eax,21
7C92D055 |. BA 0003FE7F mov edx,7FFE0300
7C92D05A |. FF12 call dword ptr ds:[edx]
7C92D05C \. C2 1000 retn 10
7C92D05F 90 nop
7C92D060 >/$ B8 22000000 mov eax,22
7C92D065 |. BA 0003FE7F mov edx,7FFE0300
7C92D06A |. FF12 call dword ptr ds:[edx]
7C92D06C \. C2 0C00 retn 0C
7C92D06F 90 nop
7C92D070 >/$ B8 23000000 mov eax,23
7C92D075 |. BA 0003FE7F mov edx,7FFE0300
7C92D07A |. FF12 call dword ptr ds:[edx]
7C92D07C \. C2 1400 retn 14
At 7C92D04A press F7 again, as shown below:
7C92E4F0 >/$ 8BD4 mov edx,esp
7C92E4F2 |. 0F34 sysenter
7C92E4F4 > C3 retn
7C92E4F5 . 8DA424 000000>lea esp,dword ptr ss:[esp]
7C92E4FC . 8D6424 00 lea esp,dword ptr ss:[esp]
7C92E500 >/$ 8D5424 08 lea edx,dword ptr ss:[esp+8]
7C92E504 |. CD 2E int 2E
7C92E506 \. C3 retn
7C92E507 90 nop
7C92E508 >/$ 55 push ebp
7C92E509 |. 8BEC mov ebp,esp
7C92E50B |. 9C pushfd
7C92E50C |. 81EC D0020000 sub esp,2D0
7C92E512 |. 8985 DCFDFFFF mov dword ptr ss:[ebp-224],eax
7C92E518 |. 898D D8FDFFFF mov dword ptr ss:[ebp-228],ecx
7C92E51E |. 8B45 08 mov eax,dword ptr ss:[ebp+8]
7C92E521 |. 8B4D 04 mov ecx,dword ptr ss:[ebp+4]
7C92E524 |. 8948 0C mov dword ptr ds:[eax+C],ecx
7C92E527 |. 8D85 2CFDFFFF lea eax,dword ptr ss:[ebp-2D4]
After that keep single-stepping with F8, and you will soon arrive at the following:
005AA952 - FFE0 jmp eax ; UnicornV.004FA799
005AA954 99 cdq
005AA955 A7 cmps dword ptr ds:[esi],dword ptr es:[e>
005AA956 4F dec edi
005AA957 0000 add byte ptr ds:[eax],al
005AA959 0000 add byte ptr ds:[eax],al
005AA95B 0000 add byte ptr ds:[eax],al
005AA95D 0000 add byte ptr ds:[eax],al
005AA95F 0000 add byte ptr ds:[eax],al
005AA961 0000 add byte ptr ds:[eax],al
005AA963 0000 add byte ptr ds:[eax],al
005AA965 0000 add byte ptr ds:[eax],al
005AA967 0000 add byte ptr ds:[eax],al
In the register window, EAX is 004FA799.
Jumping from 005AA952 to 004FA799 should count as a fairly big jump, right?
Let's go in and take a look:
004FA799 55 push ebp
004FA79A 8BEC mov ebp,esp
004FA79C 6A FF push -1
004FA79E 68 506E5600 push UnicornV.00566E50
004FA7A3 68 68ED4F00 push UnicornV.004FED68
004FA7A8 64:A1 00000000 mov eax,dword ptr fs:[0]
004FA7AE 50 push eax
004FA7AF 64:8925 0000000>mov dword ptr fs:[0],esp
004FA7B6 83EC 58 sub esp,58
004FA7B9 53 push ebx
004FA7BA 56 push esi
004FA7BB 57 push edi
004FA7BC 8965 E8 mov dword ptr ss:[ebp-18],esp
004FA7BF FF15 68B35300 call dword ptr ds:[53B368] ; kernel32.GetVersion
004FA7C5 33D2 xor edx,edx
004FA7C7 8AD4 mov dl,ah
004FA7C9 8915 18B95900 mov dword ptr ds:[59B918],edx
Heh. We've reached the OEP; no need to explain this one.
For dumping I used OllyDump, the plugin that ships with OD, and tried both Method 1 and Method 2. Method 1 gives a cleaner dump and does not need fixing. If you use Method 2 or LordPE you may need to fix the dump; in any case mine only ran after I fixed it.
Hoping the moderator will give me an invite code.
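The walkthrough above is really two recognizable byte patterns. The stub at 00401000 installs an exception handler (mov eax,handler; push eax; push fs:[0]; mov fs:[0],esp) and then writes through a null pointer on purpose (xor eax,eax; mov [eax],ecx); the resulting access violation is what carries execution through ntdll's dispatcher, ZwContinue (the mov eax,20 / call [7FFE0300] / sysenter stub) and finally the jmp eax into the real code. The bytes OllyDbg disassembled as garbage right after the fault (50 45 43 6F 6D 70 61 63 74 32 00) are simply the ASCII string "PECompact2". The prologue at 004FA799 (push ebp / mov ebp,esp / push -1 / push / push / mov eax,fs:[0] / ... / call GetVersion) is the standard MSVC C-runtime start-up. The Python scanner below is an added example, not code from the post or any unpacking tool: it builds a constructed 1 MiB image at base 0x00400000 containing the bytes transcribed from the two listings, locates the SEH-trap stub, reports the handler address (the place to set a breakpoint instead of stepping through ntdll) and the faulting instruction, and then looks for MSVC CRT start-up prologues as OEP candidates. The image base, the buffer size, the pattern names and the function names are all assumptions of the example.

```python
import re
import struct

# Constructed sample image: a 1 MiB buffer assumed to be mapped at 0x00400000,
# into which the bytes transcribed from the post's OllyDbg listings are copied
# at the addresses the listings show.
IMAGE_BASE = 0x00400000
IMAGE_SIZE = 0x100000

PACKER_STUB_VA = 0x00401000
PACKER_STUB = bytes.fromhex(
    "B8 90A85A00"         # mov eax, 005AA890        ; handler that will be installed
    "50"                  # push eax
    "64FF35 00000000"     # push dword ptr fs:[0]
    "648925 00000000"     # mov dword ptr fs:[0], esp
    "33C0"                # xor eax, eax
    "8908"                # mov dword ptr [eax], ecx ; deliberate write to address 0
    "5045436F6D70616374"  # "PECompact" ...
    "3200 B7BC"           # ... "2", NUL, then the bytes shown as 'mov bh,0BC'
)

REAL_ENTRY_VA = 0x004FA799
REAL_ENTRY = bytes.fromhex(
    "55 8BEC 6AFF"                      # push ebp; mov ebp,esp; push -1
    "68 506E5600 68 68ED4F00"           # push 00566E50; push 004FED68
    "64A1 00000000 50 648925 00000000"  # mov eax,fs:[0]; push eax; mov fs:[0],esp
    "83EC58 53 56 57 8965E8"            # sub esp,58; push ebx/esi/edi; mov [ebp-18],esp
    "FF15 68B35300 33D2 8AD4"           # call [53B368] (GetVersion); xor edx,edx; mov dl,ah
    "8915 18B95900"                     # mov [59B918],edx
)

# SEH trap: handler registration immediately followed by a null-pointer write.
SEH_TRAP = re.compile(
    rb"\xB8(?P<handler>.{4})"          # mov eax, imm32
    rb"\x50"                           # push eax
    rb"\x64\xFF\x35\x00\x00\x00\x00"   # push dword ptr fs:[0]
    rb"\x64\x89\x25\x00\x00\x00\x00"   # mov dword ptr fs:[0], esp
    rb"\x33\xC0"                       # xor eax, eax
    rb"\x89\x08",                      # mov dword ptr [eax], ecx -> access violation
    re.DOTALL,
)
FAULT_OFFSET = 0x16  # offset of the faulting mov inside the matched stub

# MSVC C-runtime start-up prologue, a good OEP heuristic once the packer is done.
MSVC_CRT_ENTRY = re.compile(
    rb"\x55\x8B\xEC"                   # push ebp; mov ebp, esp
    rb"\x6A\xFF"                       # push -1
    rb"\x68.{4}"                       # push <scope table>
    rb"\x68.{4}"                       # push <exception handler>
    rb"\x64\xA1\x00\x00\x00\x00"       # mov eax, dword ptr fs:[0]
    rb"\x50"                           # push eax
    rb"\x64\x89\x25\x00\x00\x00\x00"   # mov dword ptr fs:[0], esp
    rb"\x83\xEC."                      # sub esp, imm8
    rb"\x53\x56\x57"                   # push ebx; push esi; push edi
    rb"\x89\x65\xE8",                  # mov dword ptr [ebp-18], esp
    re.DOTALL,
)


def build_sample_image():
    """Assemble the constructed image from the two transcribed byte runs."""
    img = bytearray(IMAGE_SIZE)
    for va, blob in ((PACKER_STUB_VA, PACKER_STUB), (REAL_ENTRY_VA, REAL_ENTRY)):
        off = va - IMAGE_BASE
        img[off:off + len(blob)] = blob
    return bytes(img)


def find_seh_traps(image, base_va):
    """Report every SEH-trap stub: where it is, where it faults, and which handler it installs."""
    hits = []
    for m in SEH_TRAP.finditer(image):
        handler_va = struct.unpack("<I", m.group("handler"))[0]
        # Printable run right after the stub (PECompact leaves its name there).
        tail = image[m.end():m.end() + 32].split(b"\x00", 1)[0]
        text = tail.decode("ascii") if all(0x20 <= b < 0x7F for b in tail) else ""
        hits.append({
            "stub_va": base_va + m.start(),
            "fault_va": base_va + m.start() + FAULT_OFFSET,
            "handler_va": handler_va,
            "trailing_text": text,
        })
    return hits


def find_oep_candidates(image, base_va):
    """Return the VA of every MSVC CRT start-up prologue found in the image."""
    return [base_va + m.start() for m in MSVC_CRT_ENTRY.finditer(image)]


def triage(image=None, base_va=IMAGE_BASE):
    """Run both scans; defaults to the constructed sample image."""
    if image is None:
        image = build_sample_image()
    return {
        "seh_traps": find_seh_traps(image, base_va),
        "oep_candidates": find_oep_candidates(image, base_va),
    }


if __name__ == "__main__":
    result = triage()
    for trap in result["seh_traps"]:
        print("SEH trap at %08X, faults at %08X, handler %08X, text %r"
              % (trap["stub_va"], trap["fault_va"], trap["handler_va"], trap["trailing_text"]))
    print("OEP candidates:", [("%08X" % va) for va in result["oep_candidates"]])
```

On the sample image the scan reports the stub at 00401000 faulting at 00401016 with handler 005AA890, the trailing text "PECompact2", and a single OEP candidate at 004FA799, which matches what the post reached by single-stepping. Against a real dump, run the same two scans over each section with that section's virtual address as base_va.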