oep:
com:
If CS=DS=ES=SS and SP=FFFE, then we have reached the OEP of a .COM
exe:
If DS=ES and the word at DS:0000 == CD 20 (the INT 20h at the start of the PSP), we may have reached the OEP of an .EXE
com
Usually just g 100
exe unpacking
Test the shell:
GOKNL CRUNSH.TXT
goreg cs ax=0 bx=0
Commonly used DOS commands:
TR mem.exe
exe1
reload
g 1e0e
wexe1
exe2
reload
g 1e0e
wexe2
q
mkexe
-----------------------------------
TR exel666.exe
exe1
reload
g 6c2
r ip 6d5
goknl
wexe1
exe2
reload
g 6c2
r ip 6d5
goknl
wexe2
q
MKEXE
-------------------------------------
TR kinst.exe
exe1
reload
g 71 ;nothing of interest before this; you can trace a few steps from here
;to see what it does.
gg cs:41f ;skips the whole fancy show!
g ip<100 ;now we are at the new program start
wexe1 ;save it
exe2
reload
g 71 ;same as above
gg cs:41f
g ip<100
wexe2 ;save it again
q
MKEXE ;make new exe file
mem.exe ;you can try and pray!
------------------------------------------------------------
EXE1
RELOAD
PRET
PRET
T
R IP IP+6
PRET
PRET
T
WEXE1
EXE2
RELOAD
PRET
PRET
R IP IP+6
PRET
PRET
T
WEXE2
-------------------------------------------------------
EXE1
RELOAD
GOINT 10 AX=0F0F
GOREG CS
WEXE1
EXE2
RELOAD
GOINT 10 AX=0F0F
GOREG CS
WEXE2
----------------------------------------------------------
GETKNL [count]
where count is the number of shell layers to strip; the default is 1
TR cs.exe
getknl 2 ;means strip 2 layers of shell
mkexe
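Added example, not from these notes and not TR's own code: the exe1/exe2 -> wexe1/wexe2 -> mkexe sequence above rests on the two-load relocation method, where the same unpacked program is dumped at the OEP twice, loaded at two different segments, so that every 16-bit word which shifted by exactly the segment difference is a segment reference and goes into the rebuilt MZ relocation table. That TR works this way is an assumption here; the functions, the toy program and the segments 0x1000/0x2000 are constructed for the example.

```python
import struct

def word_at(data, off):
    """Little-endian 16-bit word at byte offset off."""
    return struct.unpack_from("<H", data, off)[0]

def find_relocations(dump_a, dump_b, seg_a, seg_b):
    """Compare two dumps of the same program loaded at seg_a and seg_b.
    Words that differ by exactly (seg_b - seg_a) are segment references; any
    other difference means the dumps were not taken at the same program state.
    Returns (relocation byte offsets, image rebased to load segment 0)."""
    if len(dump_a) != len(dump_b):
        raise ValueError("dumps must be the same length")
    delta = (seg_b - seg_a) & 0xFFFF
    image, relocs, i, n = bytearray(dump_a), [], 0, len(dump_a)
    while i < n:
        if dump_a[i] == dump_b[i]:
            i += 1
            continue
        # First differing byte: the shifted word starts here (low byte moved)
        # or one byte earlier (only the high byte moved, e.g. delta 0x1000).
        for start in (i, i - 1):
            if 0 <= start <= n - 2 and \
               (word_at(dump_b, start) - word_at(dump_a, start)) & 0xFFFF == delta:
                relocs.append(start)
                struct.pack_into("<H", image, start, (word_at(dump_a, start) - seg_a) & 0xFFFF)
                i = start + 2
                break
        else:
            raise ValueError(f"dumps differ at {i:#06x} by something other than the load delta")
    return relocs, bytes(image)

def build_mz(image, relocs, cs=0, ip=0, ss=0, sp=0xFFFE):
    """Wrap the rebased image in a minimal MZ header carrying the recovered
    relocation table (offset:segment pairs, 4 bytes each); cs:ip is the OEP."""
    table = b"".join(struct.pack("<HH", off & 0xF, off >> 4) for off in relocs)
    hdr_len = (28 + len(table) + 15) & ~15          # header is paragraph-aligned
    total = hdr_len + len(image)
    hdr = struct.pack("<2s13H", b"MZ", total % 512, (total + 511) // 512,
                      len(relocs), hdr_len // 16, 0, 0xFFFF, ss, sp, 0, ip, cs, 28, 0)
    return hdr + table + b"\0" * (hdr_len - 28 - len(table)) + image

def sample_dump(load_seg):
    """Constructed toy program as dumped after loading at load_seg:
    mov ax, <seg+1>; mov ds, ax; jmp far <seg+2>:0010; six NOPs."""
    return (b"\xB8" + struct.pack("<H", (load_seg + 1) & 0xFFFF) + b"\x8E\xD8" +
            b"\xEA" + struct.pack("<HH", 0x0010, (load_seg + 2) & 0xFFFF) + b"\x90" * 6)

if __name__ == "__main__":
    relocs, image = find_relocations(sample_dump(0x1000), sample_dump(0x2000), 0x1000, 0x2000)
    print([hex(r) for r in relocs], len(build_mz(image, relocs)))   # ['0x1', '0x8'] 64
```

A data word that happens to differ by the load delta would be misread as a relocation, so in practice the two dumps must really be stopped at the same OEP with identical register and memory state.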