Post #2
You can find the OEP from the characteristics of the compiler language.
Open an unpacked Delphi program and take a look:
Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F
000507A0 E4 03 45 00 88 03 45 00 F0 0F 45 00 C0 0F 45 00 ?E ?E ?E ?E
000507B0 A8 11 45 00 78 11 45 00 00 00 00 00 B0 11 45 00 ?E x E ?E
000507C0 55 8B EC 83 C4 F0 B8 D8 11 45 00 E8 F8 47 FB FF U??鸶?E 桫G?
000507D0 A1 28 30 45 00 8B 00 E8 AC DA FF FF 8B 0D 08 31 ?0E ?璎?? 1
000507E0 45 00 A1 28 30 45 00 8B 00 8B 15 28 04 45 00 E8 E ?0E ??( E ?
000507F0 AC DA FF FF 8B 0D 40 31 45 00 A1 28 30 45 00 8B ???@1E ?0E ?
00050800 00 8B 15 F8 0F 45 00 E8 94 DA FF FF A1 28 30 45 ??E ???0E
00050810 00 8B 00 E8 08 DB FF FF E8 03 29 FB FF 8D 40 00 ????)??
00050820 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00050830 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00050840 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00050850 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00050860 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00050870 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00050880 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00050890 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000508A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000508B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000508C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000508D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000508E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000508F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00050900 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00050910 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00050920 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00050930 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00050940 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00050950 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00050960 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00050970 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00050980 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00050990 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000509A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000509B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000509C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000509D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000509E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000509F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00050A00 00 00 00 00 00 00 00 00 02 8D 40 00 00 00 00 00 ?
00050A10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00050A20 32 13 8B C0 02 00 8B C0 00 8D 40 00 00 8D 40 00 2 ? ? ? ?
00050A30 00 8D 40 00 00 00 00 00 00 00 00 00 E8 20 40 00 ? ?@
00050A40 78 22 40 00 F8 25 40 00 00 CB CC C8 C9 D7 CF C8 x"@ ?@ 颂壬紫?
00050A50 CD CE DB D8 DA D9 CA DC DD DE DF E0 E1 E3 00 E4 臀圬谫受蒉哙徙 ?
00050A60 E5 8D 40 00 45 72 72 6F 72 00 8B C0 52 75 6E 74 ?@ Error ?Runt
00050A70 69 6D 65 20 65 72 72 6F 72 20 20 20 20 20 61 74 ime error at
00050A80 20 30 30 30 30 30 30 30 30 00 8B C0 30 31 32 33 00000000 ?0123
00050A90 34 35 36 37 38 39 41 42 43 44 45 46 FF FF FF FF 456789ABCDEF??
00050AA0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00050AB0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
The second section starts at 00050A00.
Look upward:
Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F
000507B0 A8 11 45 00 78 11 45 00 00 00 00 00 B0 11 45 00 ?E x E ?E
000507C0 55 8B EC 83 C4 F0 B8 D8 11 45 00 E8 F8 47 FB FF U??鸶?E 桫G?
Offset 507C0 is the OEP.
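The trick in this post is that a Delphi program's entry point always starts with the same prologue (push ebp / mov ebp,esp / add esp,-10 / mov eax,imm32 / call rel32), so once the packer has finished its work the OEP can be recognised by signature in a memory dump. The following scanner is an added example, not code from the thread; it searches a dumped region for that signature, reports each match at the offset the hex editor would show, and sanity-checks the mov-eax operand against the module's load address (0x400000 and a 0x60000 image size are assumptions here, not values from the post). The sample bytes are the four rows 000507A0-000507DF copied from the dump above. Note that the scan has to run over a runtime dump: in the packed file on disk the prologue is still encrypted and will not match.

```python
"""Locate Delphi-style OEP candidates in a raw memory image by compiler signature.

Added example (not from the thread). The signature is the Delphi prologue
shown in post #2:
    55 8B EC        push ebp / mov ebp, esp
    83 C4 F0        add esp, -0x10
    B8 xx xx xx xx  mov eax, <pointer into the module's own data>
    E8 xx xx xx xx  call <rel32 into the System unit>
"""
import re
import struct

DELPHI_PROLOGUE = re.compile(
    rb"\x55\x8B\xEC\x83\xC4\xF0\xB8(.{4})\xE8(.{4})", re.DOTALL)


def find_delphi_oep_candidates(image, base, image_base=0x400000, image_size=None):
    """Return one dict per prologue match found in `image`.

    image      : bytes of the dumped region
    base       : offset (file offset or VA) of image[0], so reported offsets
                 line up with what the hex editor shows
    image_base : assumed load address used to sanity-check the mov-eax operand;
                 a genuine Delphi prologue loads a pointer into the module itself
    image_size : if given, operands outside [image_base, image_base + image_size)
                 mark the candidate as implausible (a junk match in data)
    """
    results = []
    for m in DELPHI_PROLOGUE.finditer(image):
        init_ptr = struct.unpack("<I", m.group(1))[0]   # mov eax, imm32
        call_delta = struct.unpack("<i", m.group(2))[0]  # call rel32 (signed)
        plausible = init_ptr >= image_base
        if image_size is not None:
            plausible = plausible and init_ptr < image_base + image_size
        results.append({
            "offset": base + m.start(),
            "init_ptr": init_ptr,
            "call_delta": call_delta,
            "plausible": plausible,
        })
    return results


# Constructed sample: rows 000507A0-000507DF of the hex dump in post #2,
# i.e. the table of pointers just before the prologue and the prologue itself.
SAMPLE_BASE = 0x507A0
SAMPLE = bytes.fromhex(
    "E4034500 88034500 F00F4500 C00F4500"
    "A8114500 78114500 00000000 B0114500"
    "558BEC83 C4F0B8D8 114500E8 F847FBFF"
    "A1283045 008B00E8 ACDAFFFF 8B0D0831"
)


def locate_sample_oep():
    """Run the scanner over the constructed sample (0x60000 image size is assumed)."""
    return find_delphi_oep_candidates(SAMPLE, SAMPLE_BASE, image_size=0x60000)


if __name__ == "__main__":
    for c in locate_sample_oep():
        print("OEP candidate at %08X  mov eax,%08X  call delta %+d  plausible=%s"
              % (c["offset"], c["init_ptr"], c["call_delta"], c["plausible"]))
```

On the sample this reports a single candidate at 000507C0 loading 004511D8 into eax, which is exactly the OEP the post identifies. The call delta is only relative, so its target can only be resolved once you know the VA of the section the dump came from; the "plausible" flag is just a cheap filter to discard matches that happen to fall inside data rather than code.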
Post #3
Actually it doesn't necessarily have to be the OEP; as long as you can do a Full dump somewhere near it, that's enough.
Then it's fine as long as IDA can parse it~
Thanks anyway, fly.
Post #4
Once you know the OEP you can use a memory breakpoint or a hardware breakpoint.
After it breaks you can dump.
Post #5
But later I found that the software's packer was ASProtect disguised as yoda's.
Heh, I just used an unpacker directly.