0057161D 8B1B           mov ebx,dword ptr ds:[ebx]                // ebx = [ebx]; chase the pointer, looping back to 00571575
0057161F 3B5D 90        cmp ebx,dword ptr ss:[ebp-70]             //   until it equals the value saved at [ebp-70]
00571622 0F85 4DFFFFFF  jnz 00571575
00571628 8B85 30FEFFFF  mov eax,dword ptr ss:[ebp-1D0]            // [ebp-1D0]=000271B0 OEP RVA
0057162E 0345 F4        add eax,dword ptr ss:[ebp-C]              // EAX=000271B0+00400000=004271B0 ([ebp-C]=00400000, the image base); eax = OEP VA
00571631 8B4D F4        mov ecx,dword ptr ss:[ebp-C]              // ecx = image base, handed back to the caller at 00571217
00571634 5E             pop esi
00571635 5F             pop edi
00571636 5B             pop ebx
00571637 C9             leave
00571638 C2 0C00        retn 0C                                   // returns to 00571217
00571217 5F             pop edi                                   // back in the caller: unwind the stub's saved registers and slots
00571218 5E             pop esi
00571219 5D             pop ebp
0057121A 83C4 04        add esp,4
0057121D 5B             pop ebx
0057121E 5A             pop edx
0057121F 83C4 08        add esp,8
00571222 894C24 04      mov dword ptr ss:[esp+4],ecx              // store ecx (image base returned by the callee) at [esp+4] before the transfer
00571226 FFE0           jmp near eax                              // jump to the OEP (eax = 004271B0) -- "off to the summit of light"
004271B0 55             push ebp                                  // OEP: looks like an MSVC CRT entry (SEH frame setup, then GetVersion) -- confirm beyond this stretch
004271B1 8BEC           mov ebp,esp
004271B3 6A FF          push -1                                   // SEH registration record: -1 plus two addresses (presumably scope table and handler; verify)
004271B5 68 600E4500    push 00450E60
004271BA 68 C8924200    push 004292C8
004271BF 64:A1 00000000 mov eax,dword ptr fs:[0]                  // link the new record into the fs:[0] SEH chain
004271C5 50             push eax
004271C6 64:8925 00000000 mov dword ptr fs:[0],esp
004271CD 83C4 A8        add esp,-58                               // reserve 0x58 bytes of locals
004271D0 53             push ebx
004271D1 56             push esi
004271D2 57             push edi
004271D3 8965 E8        mov dword ptr ss:[ebp-18],esp             // save esp at [ebp-18] (CRT code typically uses this for SEH unwinding; confirm)
004271D6 FF15 DC0A4600  call near dword ptr ds:[460ADC]; kernel32.GetVersion
_____________________________________________________________ 六.简化脱壳流程
OllyDBG载入CI Crypt V0.1加壳文件暂停在EP BP VirtualAlloc Shift+F9,中断后取消断点,Alt+F9返回 Ctrl+F向下搜索命令: mov ebx,dword ptr ss:[ebp-178] 找到在005714EF处后F4过去,或者设断后Shift+F9中断 此时就可以使用LordPE抓取进程了,注意LordPE的Task Viewer选项设置 在这里脱壳可以说是完美脱壳,dump的文件基本就是加壳前的原始文件了 Game Over