[Original] Compression Packers: An Analysis of the dePACK Packer
Posted: 2009-3-10 23:17
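There have already been a few articles on compression packers; what follows is some more of my own analysis of a compression packer.
Part of the code at the start of the packer: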
loc_46B003:                             ; CODE XREF: startj
.depack:0046B003 pusha
.depack:0046B004 push offset dword_401000 ; .text
.depack:0046B009 push 0A181h
.depack:0046B00E call DePack
.depack:0046B013 push offset unk_44B000 ; .rdata
.depack:0046B018 push 0C81h
.depack:0046B01D call DePack
.depack:0046B022 push offset unk_457000 ; .data
.depack:0046B027 push 581h
.depack:0046B02C call DePack
.depack:0046B031 nop
.depack:0046B032 jmp short loc_46B035

push ebp
mov ebp, esp
pusha
push ebp
mov esi, [ebp+arg_0]
mov edi, [ebp+arg_4] ; 401000
call sub_46B04F
jmp short loc_46B053
DePack endp
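
To make the calling pattern in the stub above explicit, here is an added example (not part of the original post) that parses the listing and recovers, for each `call DePack`, the two pushed arguments and the section they belong to. It assumes IDA's address-suffixed auto-names (`dword_401000`, `unk_44B000`) encode the target address; the `arg_0`/`arg_4` mapping follows the listing, where `edi` is loaded from `arg_4` and annotated `401000`.

```python
import re

# Stub lines copied from the listing in the post (colour markup removed).
LISTING = """\
.depack:0046B003 pusha
.depack:0046B004 push offset dword_401000 ; .text
.depack:0046B009 push 0A181h
.depack:0046B00E call DePack
.depack:0046B013 push offset unk_44B000 ; .rdata
.depack:0046B018 push 0C81h
.depack:0046B01D call DePack
.depack:0046B022 push offset unk_457000 ; .data
.depack:0046B027 push 581h
.depack:0046B02C call DePack
.depack:0046B031 nop
.depack:0046B032 jmp short loc_46B035
"""

# segment:address, mnemonic, operands, optional "; comment"
LINE = re.compile(r"^\S+:(?P<ea>[0-9A-Fa-f]{8})\s+(?P<mnem>\w+)\s*"
                  r"(?P<ops>[^;]*?)\s*(?:;\s*(?P<cmt>.*))?$")

def parse_operand(op):
    """Return an int for 'offset name_HEX' or an IDA immediate, else None."""
    m = re.fullmatch(r"offset\s+\w+?_([0-9A-Fa-f]+)", op)  # assumed IDA auto-name
    if m:
        return int(m.group(1), 16)
    m = re.fullmatch(r"([0-9][0-9A-Fa-f]*)h", op)          # IDA hex such as 0A181h
    if m:
        return int(m.group(1), 16)
    return int(op) if op.isdigit() else None

def depack_calls(listing, target="DePack"):
    """Return one record per call to `target`, paired with the two preceding pushes."""
    pushes, out = [], []
    for raw in listing.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        if m["mnem"] == "push":
            pushes.append((parse_operand(m["ops"]), m["cmt"]))
            continue
        if m["mnem"] == "call" and m["ops"] == target and len(pushes) >= 2:
            # The last push lands nearest the return address, so it is arg_0.
            (arg_4, section), (arg_0, _) = pushes[-2:]
            out.append({"call_ea": int(m["ea"], 16), "section": section,
                        "arg_0": arg_0, "arg_4": arg_4})
        pushes.clear()  # any non-push instruction ends the current argument run
    return out
```
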