Post #2 (poster rank: LV9, RANK:3410)
First follow the unpacking method for yoda's Crypter V1.2
to get into the second layer of the packer,
then unpack PECompact.
Post #3 (poster rank: LV2, RANK:10)
It doesn't work, I can't even get the first layer off.
Post #4 (poster rank: RANK:1060)
Ignore all exceptions except Memory access violation
Hide OD with the IsDebug plugin
f9
shift+f9 until
00411769 0000 ADD [EAX], AL
0041176B 0000 ADD [EAX], AL
0041176D 0000 ADD [EAX], AL
ctrl+g
[esp+4]
f2
shift+f9
breaks at
0041172D C1C7 07 ROL EDI, 7 // f4
f8
ctrl+g
edi
f2
f9
breaks
In the command line plugin enter
hr esp-4
f9 until
004010CD 8BEC MOV EBP, ESP
004010CF 83EC 44 SUB ESP, 44
Adjust with ctrl+V (down) and you can see the OEP
004010CC 55 PUSH EBP
004010CD 8BEC MOV EBP, ESP
004010CF 83EC 44 SUB ESP, 44
004010D2 56 PUSH ESI
004010D3 FF15 E4634000 CALL [4063E4] ; kernel32.GetCommandLineA
OD dump plugin, OEP=10CC, do not tick rebuild IT -> dumped.exe
ImpRec, IAT Auto Search. 000062E0/00000248
Fix dump -> dumped.exe -> dumped_.exe
LordPE, Rebuild PE.
All done.
Post #5 (poster rank: LV2, RANK:10)
Hello moderator:
At the step
ctrl+g
[esp+4]
f2
shift+f9
break
0041172D C1C7 07 ROL EDI, 7 // f4
it does not break at 0041172d, but at
004117CC 0000 ADD BYTE PTR DS:[EAX],AL
004117CE 0000 ADD BYTE PTR DS:[EAX],AL
004117D0 0000 ADD BYTE PTR DS:[EAX],AL
esp=12ffbc+4=12ffc0
Post #6 (poster rank: LV9, RANK:3410)
What system are you on?
Post #7 (poster rank: LV2, RANK:10)
WinXP
Post #8 (poster rank: LV2, RANK:10)
Hello moderators:
I used the method you taught:
Ignore all exceptions except Memory access violation
BP IsDebuggerPresent
f9
shift+f9 until
00411769 0000 ADD [EAX], AL
0041176B 0000 ADD [EAX], AL
0041176D 0000 ADD [EAX], AL
ctrl+g
41170c
F2
shift+f9
breaks at
0041170C 55 push ebp
F8 all the way to
0041173D C3 retn
ctrl+g
40C000
f2
f9
breaks at
0040C000 /EB 06 jmp short note_aPl.0040C008
In the command line plugin enter
G 4010CC
004010CC 55 push ebp
dump
Thank you for your help!!!
Post #9 (poster rank: LV2, RANK:10)
or u can use this method to unpack this exe
00411060 > 60 PUSHAD
00411061 E8 00000000 CALL NOTEPAD.00411066 <-- f8 to this code
now right click ESP register and follow in dump
highlight the 4 bytes and set hardware breakpoint at access
0012FFA4 40 00 80 7C @.? <--may be different at ur computer...
press F9 3 times.. until u reach this code..
0040D54F 9D POPFD
0040D550 50 PUSH EAX
0040D551 68 CC104000 PUSH NOTEPAD.004010CC
0040D556 C2 0400 RETN 4 <--F8 until here
F8 until the RETN4 and u r at OEP... dump and fix IAT...
004010CC 55 PUSH EBP <--OEP
004010CD 8BEC MOV EBP,ESP
004010CF 83EC 44 SUB ESP,44
004010D2 56 PUSH ESI
004010D3 FF15 E4634000 CALL DWORD PTR DS:[4063E4] ; kernel32.GetCommandLineA
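Added example, not code from any poster in this thread: once the dump plugin and ImpRec have produced dumped_.exe, the check below verifies that the file's AddressOfEntryPoint really points at the OEP the thread settles on (0x4010CC, RVA 0x10CC) and that the bytes there are the prologue seen in the debugger (55 8B EC 83 EC 44 56 FF 15). It uses only the standard library, so it constructs a minimal PE32 image in memory to run against; the image base 0x400000, the single .text section, and the helper names (build_sample_pe, parse_pe, rva_to_offset, check_oep) are all my assumptions for the example, not anything from the posters or from notepad.exe itself. Against a real dump you would pass the file's bytes instead of the constructed image.

```python
import struct

# OEP prologue quoted in the thread: PUSH EBP; MOV EBP,ESP; SUB ESP,44; PUSH ESI; CALL DWORD PTR [..]
OEP_PROLOGUE = bytes.fromhex("558BEC83EC4456FF15")
IMAGE_BASE = 0x400000       # assumed image base (0x4010CC - 0x10CC)
EXPECTED_OEP_RVA = 0x10CC   # OEP named by the thread, as an RVA


def build_sample_pe(entry_rva, prologue_at=0x10CC):
    """Construct a minimal PE32 image in memory (a stand-in for dumped_.exe).
    One .text section at RVA 0x1000, raw offset 0x400; the prologue bytes are
    written at RVA `prologue_at` so a 'good' and a 'bad' dump can be simulated."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew -> PE signature
    size_opt = 0xE0                                          # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, size_opt, 0x0102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x10B)                    # Magic: PE32
    struct.pack_into("<I", opt, 16, entry_rva)               # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, IMAGE_BASE)              # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)                  # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)                   # FileAlignment
    struct.pack_into("<I", opt, 56, 0x3000)                  # SizeOfImage
    struct.pack_into("<I", opt, 60, 0x400)                   # SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                      # NumberOfRvaAndSizes
    # Section header: VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ..., Characteristics
    sec = struct.pack("<8sIIIIIIHHI", b".text\0\0\0", 0x1000, 0x1000, 0x1000, 0x400,
                      0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec).ljust(0x400, b"\0")
    text = bytearray(0x1000)
    off = prologue_at - 0x1000
    text[off:off + len(OEP_PROLOGUE)] = OEP_PROLOGUE
    return headers + bytes(text)


def parse_pe(data):
    """Read just the fields needed to judge a dump: entry RVA, image base, section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    sections = []
    for i in range(nsec):
        sh = opt + size_opt + 40 * i
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, sh)
        sections.append((name.rstrip(b"\0").decode(), va, vsize, rawptr, rawsize))
    return {"entry_rva": entry_rva, "image_base": image_base, "sections": sections}


def rva_to_offset(sections, rva):
    """Map an RVA to a file offset via the section table; None if it lies in no section."""
    for _, va, vsize, rawptr, rawsize in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rawptr + (rva - va)
    return None


def check_oep(data, expected_oep_rva, prologue):
    """Return (ok, reason): ok only if the dump's entry point is the expected OEP,
    lies inside a section, and the bytes there match the prologue seen in OllyDbg."""
    pe = parse_pe(data)
    if pe["entry_rva"] != expected_oep_rva:
        return False, f"entry point RVA is {pe['entry_rva']:#x}, expected {expected_oep_rva:#x}"
    off = rva_to_offset(pe["sections"], pe["entry_rva"])
    if off is None:
        return False, "entry point RVA is not inside any section"
    found = data[off:off + len(prologue)]
    if found != prologue:
        return False, f"bytes at OEP are {found.hex()}, expected {prologue.hex()}"
    return True, f"OEP {pe['image_base'] + pe['entry_rva']:#010x} matches the expected prologue"


if __name__ == "__main__":
    # Good dump: entry set to the OEP. Bad dump: entry still at the packer stub (0x411060).
    print(check_oep(build_sample_pe(0x10CC), EXPECTED_OEP_RVA, OEP_PROLOGUE))
    print(check_oep(build_sample_pe(0x11060), EXPECTED_OEP_RVA, OEP_PROLOGUE))
```

The second case mirrors the most common mistake in the thread: dumping while the entry point still points at the packer's PUSHAD stub rather than at the OEP. Checking the prologue bytes, and not just the entry RVA, also catches a dump taken before the second layer finished unpacking the real code.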