PEiD identifies the packer as: UPX 0.89.6 - 1.02 / 1.05 - 1.24 (Delphi) stub -> Markus & Laszlo [Overlay]
My unpacking procedure is as follows:
Load the program in OllyDbg; you get:
005743B0 > $ 60 pushad
005743B1 . BE 00F04F00 mov esi, 004FF000 ; ASCII "卷稃"
005743B6 . 8DBE 0020F0FF lea edi, [esi+FFF02000]
005743BC . C787 F0201000>mov dword ptr [edi+1020F0], 004829FD
005743C6 . 57 push edi
005743C7 . 83CD FF or ebp, FFFFFFFF
005743CA . EB 0E jmp short 005743DA
Press Ctrl+F, enter "popad" and start the search. You arrive at:
00574508 . 48 dec eax
00574509 . F2:AE repne scas byte ptr es:[edi]
0057450B . 55 push ebp
0057450C . FF96 EC691700 call [esi+1769EC]
00574512 . 09C0 or eax, eax
00574514 . 74 07 je short 0057451D
00574516 . 8903 mov [ebx], eax
00574518 . 83C3 04 add ebx, 4
0057451B .^ EB D8 jmp short 005744F5
0057451D > FF96 F0691700 call [esi+1769F0]
00574523 > 61 popad
00574524 .- E9 43D0E8FF jmp 0040156C
Press F4 to run to 00574524, then single-step with F8 and you arrive at:
0040156C /EB 10 jmp short 0040157E
0040156E |66:623A bound di, [edx]
00401571 |43 inc ebx
00401572 |2B2B sub ebp, [ebx]
00401574 |48 dec eax
00401575 |4F dec edi
00401576 |4F dec edi
00401577 |4B dec ebx
00401578 |90 nop
00401579 -|E9 98104F00 jmp 008F2616
0040157E \A1 8B104F00 mov eax, [4F108B]
00401583 C1E0 02 shl eax, 2
00401586 A3 8F104F00 mov [4F108F], eax
0040158B 52 push edx
0040158C 6A 00 push 0
0040158E E8 83E60E00 call 004EFC16 ; jmp 到 KERNEL32.GetModuleHandleA
00401593 8BD0 mov edx, eax
00401595 E8 E2EF0C00 call 004D057C
0040159A 5A pop edx
0040159B E8 40EF0C00 call 004D04E0
004015A0 E8 17F00C00 call 004D05BC
004015A5 6A 00 push 0
004015A7 E8 FC040D00 call 004D1AA8
004015AC 59 pop ecx
004015AD 68 34104F00 push 004F1034
004015B2 6A 00 push 0
004015B4 E8 5DE60E00 call 004EFC16 ; jmp 到 KERNEL32.GetModuleHandleA
Single-step to: 0040157E A1 8B104F00 mov eax, [4F108B]
Dump it! Unpacking succeeded!
Why does it fail with an automatic unpacker???
There is nothing special about this one, is there??!
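The trace above applies the standard UPX reasoning by hand: the stub opens with pushad, ends with popad followed by a long jmp, and the target of that jmp is the original entry point (OEP), which is where you dump. The following Python script is an added example written for this page (it is not from the original post or from the UPX project): it encodes that reasoning so a triage tool can compute the OEP from the stub bytes instead of single-stepping to it. The sample byte strings are the bytes from the listings above (the stub entry at 005743B0 and the tail at 00574508); the function names are my own.

```python
# Added example, not from the original post: locate the UPX tail jump
# "popad; jmp rel32" in a decompressor-stub byte string and compute the
# original entry point (OEP) exactly as the manual OllyDbg trace does.
import struct

PUSHAD = 0x60      # first byte of a UPX stub: save all registers
POPAD = 0x61       # last stub instruction before the tail jump
JMP_REL32 = 0xE9   # near jmp with a signed 32-bit displacement

# Bytes copied from the listing at 005743B0 in the post (stub entry).
STUB_ENTRY = bytes.fromhex("60 BE 00F04F00 8DBE 0020F0FF")

# Bytes copied from the listing at 00574508 in the post (stub tail):
#   ... FF96 F0691700   call [esi+1769F0]
#   61                  popad
#   E9 43D0E8FF         jmp 0040156C
STUB_TAIL_BASE = 0x00574508
STUB_TAIL = bytes.fromhex(
    "48 F2AE 55 FF96EC691700 09C0 7407 8903 83C304 EBD8 FF96F0691700 61 E943D0E8FF"
)


def looks_like_upx_entry(code: bytes) -> bool:
    """A UPX stub starts with PUSHAD so POPAD can restore every register
    right before control is handed to the unpacked program."""
    return len(code) > 0 and code[0] == PUSHAD


def find_upx_tail_jump(code: bytes, base: int):
    """Scan `code`, loaded at virtual address `base`, for the `popad; jmp rel32`
    pair that ends a UPX stub and return (jmp_va, oep), or None if absent.

    Only a jmp whose target lies *below* the stub is accepted: UPX places the
    stub in the last section and the OEP in the first, so the tail jump is
    always a long backward jump. That filters out stray 61 E9 byte pairs that
    happen to occur inside compressed data.
    """
    # The pair needs 6 bytes: 61, E9 and the 4-byte displacement.
    for i in range(len(code) - 5):
        if code[i] != POPAD or code[i + 1] != JMP_REL32:
            continue
        rel = struct.unpack_from("<i", code, i + 2)[0]   # signed rel32
        jmp_va = base + i + 1                           # address of the E9
        target = (jmp_va + 5 + rel) & 0xFFFFFFFF        # rel32 is relative to next insn
        if target < base:
            return jmp_va, target
    return None


if __name__ == "__main__":
    print("entry looks like UPX:", looks_like_upx_entry(STUB_ENTRY))
    hit = find_upx_tail_jump(STUB_TAIL, STUB_TAIL_BASE)
    if hit:
        jmp_va, oep = hit
        # For the bytes above this prints jmp at 00574524 -> OEP 0040156C,
        # the address the post single-steps to before dumping.
        print(f"tail jmp at {jmp_va:08X} -> OEP {oep:08X}")
    else:
        print("no UPX tail jump found")
```

The displacement in the post's jmp is E9 43 D0 E8 FF, i.e. 0xFFE8D043 = -0x172FBD; adding it to the address of the next instruction (00574529) gives 0040156C, which matches the OEP reached by F8 in the trace. If a packed sample is a UPX variant whose tail jump has been replaced or obfuscated, the backward-target filter makes the function return None rather than a bogus OEP, which is the right signal to fall back to the manual trace.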