1. Check the packer with PEiD:
PECompact 2.5 Retail -> Jeremy Collake
2. Load the program in OD (OllyDbg); it breaks at the code below (the line highlighted in blue in the original):
01001000 B8 90BA0101 mov eax,PECompac.0101BA90
01001005 50 push eax
01001006 64:FF35 0000000>push dword ptr fs:[0]
0100100D 64:8925 0000000>mov dword ptr fs:[0],esp
Now, in the command line, type BP VirtualFree, press Enter, then Shift+F9; the program breaks. Press Alt+F9 to return to the program's own code:
002F0CF5 8BC8 mov ecx,eax
002F0CF7 40 inc eax
002F0CF8 74 74 je short 002F0D6E
002F0CFA 33C0 xor eax,eax
002F0CFC 0345 F4 add eax,dword ptr ss:[ebp-C]
002F0CFF 74 12 je short 002F0D13
(remaining code omitted)
Single-step with F8. The tracing rule is: jumps may only be taken downward, never backward! While single-stepping you will pass through code similar to the following:
0101BB3D 8985 C8120010 mov dword ptr ss:[ebp+100012C8],eax ; PECompac.0100739D
0101BB43 8BF0 mov esi,eax
0101BB45 59 pop ecx
0101BB46 5A pop edx
0101BB47 EB 0C jmp short PECompac.0101BB55
0101BB49 03CA add ecx,edx
0101BB4B 68 00800000 push 8000
0101BB50 6A 00 push 0
0101BB52 57 push edi
0101BB53 FF11 call dword ptr ds:[ecx]
0101BB55 8BC6 mov eax,esi
0101BB57 5A pop edx
0101BB58 5E pop esi
0101BB59 5F pop edi
0101BB5A 59 pop ecx
0101BB5B 5B pop ebx
0101BB5C 5D pop ebp
0101BB5D FFE0 jmp eax
0101BB5F 0000 add byte ptr ds:[eax],al
0101BB61 0000 add byte ptr ds:[eax],al
Note the jmp eax line at 0101BB5D above (highlighted in red in the original): this is the jump to the real OEP. Everything from here on is the usual dump-and-rebuild unpacking, which is not repeated here!
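As an added illustration (not part of the original tutorial), a small Python script that applies the two tracing rules above to an OllyDbg listing: it flags any jump whose target lies above its own address (a backward jump the tracer must not take) and picks out the register jump that follows the chain of pops as the candidate hand-off to the OEP. The sample listing reuses lines from this page plus one constructed backward jump; the parse_line/analyze names are my own.

```python
import re

# OllyDbg listing line: "ADDRESS OPCODE-BYTES mnemonic operands ; comment".
# Opcode bytes are uppercase hex; the mnemonic is the first lowercase token.
LINE_RE = re.compile(r"^([0-9A-F]{8})\s+(.*?)([a-z].*)$")

def parse_line(line):
    """Return (address, mnemonic, operands) or None for non-code lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    addr = int(m.group(1), 16)
    text = m.group(3).split(";")[0].strip()      # drop OllyDbg's trailing comment
    mnemonic, _, operands = text.partition(" ")
    return addr, mnemonic, operands.strip()

def analyze(listing):
    """Classify each jump as forward or backward; report the register jump
    that directly follows a run of pops (the stub's jump to the real OEP)."""
    result = {"forward": [], "backward": [], "oep_jump": None}
    pops_in_a_row = 0
    for raw in listing.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        addr, mnemonic, operands = parsed
        if mnemonic == "pop":
            pops_in_a_row += 1
            continue
        if mnemonic.startswith("j"):
            target = re.search(r"([0-9A-F]{8})$", operands)
            if target:                           # direct jump with a known target
                kind = "forward" if int(target.group(1), 16) > addr else "backward"
                result[kind].append(addr)
            elif pops_in_a_row >= 3:             # jmp reg after restoring registers
                result["oep_jump"] = addr
        pops_in_a_row = 0
    return result

# Lines taken from the listings above, plus one constructed backward jump
# (002F0D00, jl back to 002F0CF5) to show the rule being violated.
SAMPLE = """\
002F0CF8 74 74 je short 002F0D6E
002F0CFC 0345 F4 add eax,dword ptr ss:[ebp-C]
002F0CFF 74 12 je short 002F0D13
002F0D00 7C F3 jl short 002F0CF5
0101BB47 EB 0C jmp short PECompac.0101BB55
0101BB55 8BC6 mov eax,esi
0101BB57 5A pop edx
0101BB58 5E pop esi
0101BB59 5F pop edi
0101BB5A 59 pop ecx
0101BB5B 5B pop ebx
0101BB5C 5D pop ebp
0101BB5D FFE0 jmp eax
"""

if __name__ == "__main__":
    print(analyze(SAMPLE))
```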
