1.载入PEID
PEtite v2.1
2.载入OD,先F8跟一下
0042C10F > B8 00C04200      mov eax,跑跑排行.0042C000 ; //程序入口点
0042C114   6A 00            push 0x0
0042C116   68 E5E84000      push 跑跑排行.0040E8E5
0042C11B   64:FF35 0000000> push dword ptr fs:[0]
0042C122   64:8925 0000000> mov dword ptr fs:[0],esp
3.一直单步到这里,看到一个pushad入栈,在下一行(push eax)使用一次ESP定律:对ESP指向的地址下硬件访问断点,然后Shift+F9运行一次
0042C122   64:8925 0000000> mov dword ptr fs:[0],esp
0042C129   66:9C            pushfw
0042C12B   60               pushad
0042C12C   50               push eax ; //这里ESP定律
0042C12D   8BD8             mov ebx,eax
0042C12F   0300             add eax,dword ptr ds:[eax]
0042C131   68 10D80000      push 0xD810
4.断下后来到ESP的落脚点(popfw),然后继续单步就可以到OEP了。注意此时0042C10F处的指令已被壳改写为跳转(与第2步的mov eax对比),这就是指向OEP的关键跳
0042C10A   66:9D            popfw ; //ESP落脚点
0042C10C   83C4 0C          add esp,0xC
0042C10F >- E9 0AE3FDFF     jmp 跑跑排行.0040A41E ; //指向OEP的关键跳
0042C114 - E9 57163E77      jmp msvcrt._except_handler3
0042C119 - E9 B0663C77      jmp msvcrt.__p__fmode
0042C11E - E9 72733D77      jmp msvcrt.__CxxFrameHandler3
5.来到OEP,可以脱壳了
0040A41E   55               push ebp ; //来到OEP
0040A41F   8BEC             mov ebp,esp
0040A421   6A FF            push -0x1
0040A423   68 C8CB4000      push 跑跑排行.0040CBC8
0040A428   68 A4A54000      push 跑跑排行.0040A5A4
0040A42D   64:A1 00000000   mov eax,dword ptr fs:[0]
0040A433   50               push eax
0040A434   64:8925 0000000> mov dword ptr fs:[0],esp
0040A43B   83EC 68          sub esp,0x68
6.运行,查壳
运行OK,查壳:Microsoft Visual C++ v6.0