今天帮朋友脱个FSG的壳。但脱了就是不能运行怀疑入口点没有找对。高手指点下可以吗?
004001BF ^\EB 9F JMP SHORT 盗Q黑侠B.00400160
004001C1 5E POP ESI
004001C2 AD LODS DWORD PTR DS:[ESI]
004001C3 97 XCHG EAX,EDI
004001C4 AD LODS DWORD PTR DS:[ESI]
004001C5 50 PUSH EAX
004001C6 FF53 10 CALL DWORD PTR DS:[EBX+10]
004001C9 95 XCHG EAX,EBP
004001CA 8B07 MOV EAX,DWORD PTR DS:[EDI]
004001CC 40 INC EAX
004001CD ^ 78 F3 JS SHORT 盗Q黑侠B.004001C2
004001CF 75 03 JNZ SHORT 盗Q黑侠B.004001D4//向下004001d4
004001D1 FF63 0C JMP DWORD PTR DS:[EBX+C] ////这断点进去
004001D4 50 PUSH EAX
004001D5 55 PUSH EBP
004001D6 FF53 14 CALL DWORD PTR DS:[EBX+14]
004001D9 AB STOS DWORD PTR ES:[EDI]
004001DA >^ EB EE JMP SHORT 盗Q黑侠B.004001CA
004001DC 33C9 XOR ECX,ECX ////////////////////F4运行
004001DE 41 INC ECX
004001DF FF13 CALL DWORD PTR DS:[EBX]
004001E1 13C9 ADC ECX,ECX
004001E3 FF13 CALL DWORD PTR DS:[EBX]
004001E5 ^ 72 F8 JB SHORT 盗Q黑侠B.004001DF
************************************************************
进入004001D1 FF63 0C JMP DWORD PTR DS:[EBX+C]
0045B1A8 55 PUSH 这里脱壳EBP ; shell32.#598
0045B1A9 8BEC MOV EBP,ESP
0045B1AB 83C4 F0 ADD ESP,-10
0045B1AE B8 30B04500 MOV EAX,盗Q黑侠B.0045B030
0045B1B3 E8 8CB6FAFF CALL 盗Q黑侠B.00406844
0045B1B8 A1 30CF4500 MOV EAX,DWORD PTR DS:[45CF30]
0045B1BD 8B00 MOV EAX,DWORD PTR DS:[EAX]
0045B1BF E8 90A2FFFF CALL 盗Q黑侠B.00455454
0045B1C4 A1 30CF4500 MOV EAX,DWORD PTR DS:[45CF30]
0045B1C9 8B00 MOV EAX,DWORD PTR DS:[EAX]
0045B1CB 33D2 XOR EDX,EDX
0045B1CD E8 A69EFFFF CALL 盗Q黑侠B.00455078
0045B1D2 8B0D 04D04500 MOV ECX,DWORD PTR DS:[45D004] ; 盗Q黑侠B.0045EC50
0045B1D8 A1 30CF4500 MOV EAX,DWORD PTR DS:[45CF30]
0045B1DD 8B00 MOV EAX,DWORD PTR DS:[EAX]
0045B1DF 8B15 648D4500 MOV EDX,DWORD PTR DS:[458D64] ; 盗Q黑侠B.00458DB0
0045B1E5 E8 82A2FFFF CALL 盗Q黑侠B.0045546C
0045B1EA A1 30CF4500 MOV EAX,DWORD PTR DS:[45CF30]
0045B1EF 8B00 MOV EAX,DWORD PTR DS:[EAX]
0045B1F1 E8 F6A2FFFF CALL 盗Q黑侠B.004554EC
0045B1F6 E8 ED91FAFF CALL 盗Q黑侠B.004043E8
脱后怎么修都不能运行。我有个疑问。0045B1A8 55 PUSH 是入口点吗?
004001D1 FF63 0C JMP DWORD PTR DS:[EBX+C]这里断点进去对不对
[课程]Linux pwn 探索篇!
