Unpacking ASPack 2.12 with OllyDbg
Unpacking ASPack 2.12 with OllyDbg. The basics: step over with F8 most of the way; when F8 lets the program run away (the debuggee "gets sacrificed"), note the address of that CALL and step into it with F7 the next time.
Have OD display jump paths; for every backward (upward) jump, park the cursor on the line after it and press F4 (run to cursor) to skip past it. It is done quickly.
004B4001 > 60 PUSHAD
004B4002 E8 03000000 CALL LZDDZ.004B400A //F8 runs away here; step into it with F7
004B4007 - E9 EB045D45 JMP 45A844F7
004B400C 55 PUSH EBP
004B400D C3 RETN
004B400E E8 01000000 CALL LZDDZ.004B4014 //F8 runs away here; step into it with F7
The following section loops repeatedly:
004B412F /74 2E JE SHORT LZDDZ.004B415F
004B4131 |78 2C JS SHORT LZDDZ.004B415F
004B4133 |AC LODS BYTE PTR DS:[ESI]
004B4134 |3C E8 CMP AL,0E8
004B4136 |74 0A JE SHORT LZDDZ.004B4142
004B4138 |EB 00 JMP SHORT LZDDZ.004B413A
004B413A |3C E9 CMP AL,0E9
004B413C |74 04 JE SHORT LZDDZ.004B4142
004B413E |43 INC EBX
004B413F |49 DEC ECX
004B4140 ^|EB EB JMP SHORT LZDDZ.004B412D
004B4142 8B06 MOV EAX,DWORD PTR DS:[ESI] //park the cursor here and press F4 to run to it
004B4144 EB 00 JMP SHORT LZDDZ.004B4146
004B4146 803E 0D CMP BYTE PTR DS:[ESI],0D
004B4149 ^ 75 F3 JNZ SHORT LZDDZ.004B413E
The same section loops again:
004B412D 0BC9 OR ECX,ECX
004B412F 74 2E JE SHORT LZDDZ.004B415F
004B4131 78 2C JS SHORT LZDDZ.004B415F
004B4133 AC LODS BYTE PTR DS:[ESI]
004B4134 3C E8 CMP AL,0E8
004B4136 74 0A JE SHORT LZDDZ.004B4142
004B4138 EB 00 JMP SHORT LZDDZ.004B413A
004B413A 3C E9 CMP AL,0E9
004B413C 74 04 JE SHORT LZDDZ.004B4142
004B413E 43 INC EBX
004B413F 49 DEC ECX
004B4140 ^ EB EB JMP SHORT LZDDZ.004B412D
004B4142 8B06 MOV EAX,DWORD PTR DS:[ESI] //park the cursor here and press F4 to run to it
This jumps back up into the loop above; change it to JZ:
004B4149 ^\75 F3 JNZ SHORT LZDDZ.004B413E
This jumps back into the loop above yet again (how annoying); park the cursor on the next line and F4 past it:
004B415D ^\EB CE JMP SHORT LZDDZ.004B412D
Jumps back into the loop above again; cursor on the next line, F4 past it:
004B41A3 ^\0F85 1EFFFFFF JNZ LZDDZ.004B40C7
Cursor on the next line, F4 past it:
004B437F ^\E9 32FFFFFF JMP LZDDZ.004B42B6
Cursor on the next line, F4 past it:
004B4395 ^\E9 EBFEFFFF JMP LZDDZ.004B4285
004B439A B8 9CB10500 MOV EAX,5B19C
004B439F 50 PUSH EAX
004B43A0 0385 22040000 ADD EAX,DWORD PTR SS:[EBP+422]
004B43A6 59 POP ECX
004B43A7 0BC9 OR ECX,ECX
004B43A9 8985 A8030000 MOV DWORD PTR SS:[EBP+3A8],EAX
004B43AF 61 POPAD //////////////////////////////////
004B43B0 75 08 JNZ SHORT LZDDZ.004B43BA
004B43B2 B8 01000000 MOV EAX,1
004B43B7 C2 0C00 RETN 0C
004B43BA 68 9CB14500 PUSH LZDDZ.0045B19C
004B43BF C3 RETN
The RETN lands at the entry point:
0045B19C 55 PUSH EBP //stop here
Open OllyDump -> Dump debugged process.
Enter OEP: 0045B19C, click Dump, and enter a file name (test.exe). Do not close OllyDbg at this point; start Import REConstructor.
Select the process we are unpacking, enter the OEP as an RVA, here 0045B19C - 00400000 = 5B19C, then click
IAT AutoSearch, confirm, choose Fix Dump, pick the test.exe saved a moment ago, and it is done.
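An added example, not code from the original post, showing in Python what the "OEP" box in OllyDump and the RVA box in ImpREC actually touch. It builds a constructed PE32 image (with small RVAs; it is not LZDDZ.exe), finds the entry point through the section table, checks whether the first byte there is the stub's PUSHAD (60) seen at 004B4001 in the listing, and rewrites AddressOfEntryPoint to the OEP RVA, which is what the dump step does. The function names, the .text/.stub section names and the layout are this example's own assumptions; only the image base 00400000, the OEP 0045B19C and the stub bytes are taken from the post.

```python
"""Constructed example (not from the post): header fields that the OEP/RVA boxes change."""
import struct

IMAGE_BASE = 0x00400000   # image base quoted in the post
PUSHAD = 0x60             # 004B4001  60  PUSHAD   (first stub instruction in the post)
PUSH_EBP = 0x55           # 0045B19C  55  PUSH EBP (first instruction at the OEP)
# Stub bytes from the post's listing starting at 004B4000; leading 00 so the entry is at +1.
STUB = bytes.fromhex("00 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00")


def va_to_rva(va, image_base=IMAGE_BASE):
    """OllyDump and ImpREC take an RVA; the post computes 0045B19C - 00400000 = 5B19C."""
    return va - image_base


def build_pe(sections, entry_rva, image_base=IMAGE_BASE):
    """Constructed minimal PE32 file. sections: list of (name, rva, raw bytes).
    Headers fill the first 0x200 bytes; each section's raw data follows, 0x200-aligned."""
    file_align, sect_align = 0x200, 0x1000
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x0102)
    hdrs, blobs, raw_ptr = b"", b"", 0x200
    for name, rva, data in sections:
        raw_size = -(-len(data) // file_align) * file_align
        hdrs += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                            len(data), rva, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        blobs += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
    last_rva, last_len = sections[-1][1], len(sections[-1][2])
    size_of_image = -(-(last_rva + last_len) // sect_align) * sect_align
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII",
                      0x10B, 0, 0, 0, 0, 0, entry_rva, 0, 0, image_base,
                      sect_align, file_align, 4, 0, 0, 0, 4, 0, 0, size_of_image,
                      0x200, 0, 2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"\0" * 128                                             # 16 empty data directories
    return (dos + b"PE\0\0" + coff + opt + hdrs).ljust(0x200, b"\0") + blobs


def parse(data):
    """Read the few header fields the unpacking steps depend on."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsect = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24                                            # optional header start
    sections = []
    for i in range(nsect):
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), vaddr, max(vsize, rsize), rptr, rsize))
    return {"entry_field": opt + 16,                               # AddressOfEntryPoint offset
            "entry_rva": struct.unpack_from("<I", data, opt + 16)[0],
            "image_base": struct.unpack_from("<I", data, opt + 28)[0],
            "sections": sections}


def _section_for(pe, rva):
    for sect in pe["sections"]:
        if sect[1] <= rva < sect[1] + sect[2]:
            return sect
    return None


def rva_to_offset(pe, rva):
    """Map an RVA to a file offset via the section table (None if it has no raw bytes)."""
    sect = _section_for(pe, rva)
    if sect is None or rva - sect[1] >= sect[4]:
        return None
    return sect[3] + (rva - sect[1])


def entry_section(pe):
    """Name of the section holding the entry point; in a packed file that is the stub section."""
    sect = _section_for(pe, pe["entry_rva"])
    return sect[0] if sect else None


def entry_starts_with_pushad(data):
    """True when the first byte at the entry point is PUSHAD (60), the stub pattern in the post."""
    pe = parse(data)
    off = rva_to_offset(pe, pe["entry_rva"])
    return off is not None and data[off] == PUSHAD


def set_entry_point(data, new_rva):
    """What typing the OEP into OllyDump does: rewrite AddressOfEntryPoint in the header."""
    out = bytearray(data)
    struct.pack_into("<I", out, parse(data)["entry_field"], new_rva)
    return bytes(out)


def build_sample():
    """Constructed packed-looking image: OEP code (PUSH EBP / MOV EBP,ESP) at RVA 0x119C,
    stub at RVA 0x2000 with the entry point at 0x2001, mirroring the post's 004B4001."""
    text = b"\0" * 0x19C + bytes([PUSH_EBP, 0x8B, 0xEC])
    return build_pe([(".text", 0x1000, text), (".stub", 0x2000, STUB)], entry_rva=0x2001)
```

Running build_sample() and then set_entry_point(packed, 0x119C) reproduces the two states of the walkthrough: before the fix the entry point sits in the stub section and starts with PUSHAD; after it, the entry point is the PUSH EBP at the OEP. ImpREC still has to rebuild the import table separately, as the post's IAT AutoSearch / Fix Dump steps do; this example only touches the entry point field.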