1. Load the file in PEiD
FSG v1.33 (Eng) -> dulek/xt
2. Load it in OD and single-step with F8 for a while
004103E3 > BE A4014000   mov esi,fsg1_33.004001A4    ; // program entry point
004103E8   AD            lods dword ptr ds:[esi]
004103E9   93            xchg eax,ebx
004103EA   AD            lods dword ptr ds:[esi]
004103EB   97            xchg eax,edi
004103EC   AD            lods dword ptr ds:[esi]
3. When we reach this position we see a push onto the stack, so we can use the ESP trick: set a hardware breakpoint on ESP, then press Shift+F9 to run
004103EC   AD            lods dword ptr ds:[esi]
004103ED   56            push esi
004103EE   96            xchg eax,esi                ; // ESP
004103EF   B2 80         mov dl,0x80
004103F1   A4            movs byte ptr es:[edi],byte ptr d>
004103F2   B6 80         mov dh,0x80
4. This is where the ESP breakpoint lands; keep stepping with F8. Remember that for a backward jump you press F4 on the line after it. Nothing more to say about this part
0041045A   AD            lods dword ptr ds:[esi]     ; // ESP landing point
0041045B   48            dec eax
0041045C   74 0A         je short fsg1_33.00410468
0041045E   79 02         jns short fsg1_33.00410462
00410460   AD            lods dword ptr ds:[esi]
00410461   50            push eax
00410462   56            push esi
5. OK, we have found the key jump, but it is not taken. We need to make it taken, so we set a conditional breakpoint. First analyze the instruction on the line above the jump: it is a decrement. For a detailed explanation of that assembly see http://www.52pojie.cn/thread-420306-1-1.html and study it yourself. Right-click – Breakpoint – Conditional breakpoint – enter "[esi]==0" – F9. OK, now the jump is taken; one more F8 and we are at the OEP
00410482   FE0E          dec byte ptr ds:[esi]
00410484 - 0F84 420CFFFF je fsg1_33.004010CC         ; // key jump
0041048A   56            push esi
0041048B   55            push ebp
0041048C   FF53 04       call dword ptr ds:[ebx+0x4]
0041048F   AB            stos dword ptr es:[edi]
6. We have arrived at the OEP and can dump the program now
004010CC   55            push ebp                    ; // arrived at OEP
004010CD   8BEC          mov ebp,esp
004010CF   83EC 44       sub esp,0x44
004010D2   56            push esi
004010D3   FF15 E0634000 call dword ptr ds:[0x4063E0]
004010D9   8BF0          mov esi,eax
004010DB   8A00          mov al,byte ptr ds:[eax]
004010DD   3C 22         cmp al,0x22
7. Run it and check the packer again
It runs OK; packer check now reports: Microsoft Visual C++ v6.0 SPx
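The PEiD match in step 1 and the entry stub stepped through in steps 2 and 3 are the same fact seen from two sides: the bytes at the packed file's entry point (BE xx xx xx xx AD 93 AD 97 AD 56 96 B2 80 A4 B6 80, with the imm32 of mov esi varying per file) identify the FSG 1.33 loader. The Python below is an added example, not code from the original post: it maps AddressOfEntryPoint to a file offset through the section table and tests that signature there, so a batch of samples can be triaged before opening any of them in OD. The PE builder only produces a constructed minimal sample to exercise the check and is not a real packed file.

```python
import struct

# FSG 1.33 entry stub as in the OllyDbg listing above: mov esi,imm32 / lods / xchg eax,ebx /
# lods / xchg eax,edi / lods / push esi / xchg eax,esi / mov dl,0x80 / movsb / mov dh,0x80.
# None = wildcard byte (the imm32 operand of mov esi differs from file to file).
FSG_133_EP_SIG = [0xBE, None, None, None, None, 0xAD, 0x93, 0xAD, 0x97, 0xAD,
                  0x56, 0x96, 0xB2, 0x80, 0xA4, 0xB6, 0x80]

def match_at(data, offset, sig):
    """True if sig (None = wildcard byte) matches data at offset."""
    if offset < 0 or offset + len(sig) > len(data):
        return False
    return all(s is None or data[offset + i] == s for i, s in enumerate(sig))

def entry_point_file_offset(data):
    """Walk the PE headers and map AddressOfEntryPoint (an RVA) to a file offset."""
    if data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]          # NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]     # SizeOfOptionalHeader
    ep_rva = struct.unpack_from("<I", data, e_lfanew + 24 + 16)[0]  # AddressOfEntryPoint
    sec_table = e_lfanew + 24 + opt_size
    for i in range(nsec):
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, sec_table + i * 40 + 8)
        if vaddr <= ep_rva < vaddr + max(vsize, rawsize):
            return rawptr + (ep_rva - vaddr)
    return None

def is_fsg133_packed(data):
    off = entry_point_file_offset(data)
    return off is not None and match_at(data, off, FSG_133_EP_SIG)

def build_sample_pe(stub):
    """Constructed minimal PE32 (not a real sample): one section at RVA 0x10000 backed by
    file offset 0x200, entry RVA 0x103E3 (like 004103E3 above with image base 0x400000)."""
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 16, 0x103E3)                    # AddressOfEntryPoint
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    sec = b".text".ljust(8, b"\0") + struct.pack("<IIII", 0x1000, 0x10000, 0x1000, 0x200) + bytes(16)
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                     # e_lfanew
    hdr[0x40:0x40 + 4 + len(coff) + len(opt) + len(sec)] = b"PE\0\0" + coff + bytes(opt) + sec
    body = bytearray(0x1000)
    body[0x3E3:0x3E3 + len(stub)] = stub                        # place the stub at the entry point
    return bytes(hdr + body)
```

Anchoring the signature at the entry point rather than scanning the whole file avoids false positives from the same bytes appearing as data elsewhere in the image.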