近日遇到一DDOS服务端很怪,用PEiD查出来是Microsoft Visual C++ 6.0,表示没加壳,但用OD载入时提示加了壳,我知道是因为程序可能穿了Microsoft Visual C++ 6.0的花,被改动过了,请问这样的PE文件要怎么样跟出他的OEP?
开始段的代码如下:
004A7060 > 55 push ebp
004A7061 8BEC mov ebp, esp
004A7063 6A FF push -1
004A7065 68 3E1E4000 push 00401E3E
004A706A 68 521E4000 push 00401E52
004A706F 64:A1 00000000 mov eax, fs:[0]
004A7075 50 push eax
004A7076 64:8925 0000000>mov fs:[0], esp
004A707D 83EC 44 sub esp, 44
004A7080 53 push ebx
004A7081 56 push esi
004A7082 57 push edi
004A7083 66:9C pushfw
004A7085 6A 10 push 10
004A7087 73 0B jnb short 004A7094
004A7089 EB 02 jmp short 004A708D
004A708B C151 E8 06 rcl dword ptr [ecx-18], 6
004A708F 0000 add [eax], al
004A7091 00CA add dl, cl
004A7093 1173 F7 adc [ebx-9], esi
004A7096 5B pop ebx
004A7097 CD 83 int 83
004A7099 C404EB les eax, [ebx+ebp*8]
004A709C 0299 EBFF0C24 add bl, [ecx+240CFFEB]
004A70A2 71 01 jno short 004A70A5
004A70A4 E8 79E07A01 call 01C55122
004A70A9 ^ 75 83 jnz short 004A702E
004A70AB C40466 les eax, [esi]
004A70AE 9D popfd
004A70AF 71 03 jno short 004A70B4
004A70B1 70 01 jo short 004A70B4
004A70B3 75 5F jnz short 004A7114
004A70B5 5E pop esi
004A70B6 5B pop ebx
004A70B7 83C4 44 add esp, 44
004A70BA 64:8B25 0000000>mov esp, fs:[0]
004A70C1 83C4 0C add esp, 0C
004A70C4 8BE5 mov esp, ebp
004A70C6 5D pop ebp
004A70C7 33C0 xor eax, eax
004A70C9 66:9C pushfw
004A70CB 72 08 jb short 004A70D5
004A70CD EB 01 jmp short 004A70D0
004A70CF 63E8 arpl ax, bp
004A70D1 0300 add eax, [eax]
004A70D3 0000 add [eax], al
004A70D5 ^ 72 F6 jb short 004A70CD
004A70D7 8383 C404669D E>add dword ptr [ebx+9D6604C4], -15
004A70DE 0175 60 add [ebp+60], esi
004A70E1 70 12 jo short 004A70F5
004A70E3 71 10 jno short 004A70F5
004A70E5 B1 F0 mov cl, 0F0
004A70E7 CE into
004A70E8 CA C8CB retf 0CBC8
004A70EB C9 leave
004A70EC FA cli
004A70ED D3D0 rcl eax, cl
阿里云助力开发者!2核2G 3M带宽不限流量!6.18限时价,开
发者可享99元/年,续费同价!
