1、PEiD查壳:
PECompact 2.5 Retail -> Jeremy Collake
2、OD载入程序,程序断到蓝色代码处:
01001000 B8 90BA0101 mov eax,PECompac.0101BA90
01001005 50 push eax
01001006 64:FF35 0000000>push dword ptr fs:[0]
0100100D 64:8925 0000000>mov dword ptr fs:[0],esp
此时,在命令行处,输入:BP VirtualFree,回车,Shift+F9,程序断下,并按ALT+F9,来到程序领空:
002F0CF5 8BC8 mov ecx,eax
002F0CF7 40 inc eax
002F0CF8 74 74 je short 002F0D6E
002F0CFA 33C0 xor eax,eax
002F0CFC 0345 F4 add eax,dword ptr ss:[ebp-C]
002F0CFF 74 12 je short 002F0D13
(以下代码省略)
F8单步跟踪,其跟踪的宗旨,跳转只能向下跳转,不能回跳!单步跟踪时,会经过类似于如下的代码处:
0101BB3D 8985 C8120010 mov dword ptr ss:[ebp+100012C8],eax ; PECompac.0100739D
0101BB43 8BF0 mov esi,eax
0101BB45 59 pop ecx
0101BB46 5A pop edx
0101BB47 EB 0C jmp short PECompac.0101BB55
0101BB49 03CA add ecx,edx
0101BB4B 68 00800000 push 8000
0101BB50 6A 00 push 0
0101BB52 57 push edi
0101BB53 FF11 call dword ptr ds:[ecx]
0101BB55 8BC6 mov eax,esi
0101BB57 5A pop edx
0101BB58 5E pop esi
0101BB59 5F pop edi
0101BB5A 59 pop ecx
0101BB5B 5B pop ebx
0101BB5C 5D pop ebp
0101BB5D FFE0 jmp eax
0101BB5F 0000 add byte ptr ds:[eax],al
0101BB61 0000 add byte ptr ds:[eax],al
注意如上的红色代码行,此处就是跳转到真正的OEP。向下,就是脱壳了,此处不再赘述!
