1.用 PEiD 查壳
EXE32Pack v1.39
2.用 OD 载入程序，先按 F8 单步跟踪
; Packer stub entry (EXE32Pack). Pattern: an always-true compare followed by a
; conditional jump whose target sits INSIDE the next decoded instruction, so the
; instructions OllyDbg shows after each "je" are not what actually executes
; (anti-disassembly). Follow the jump targets, not the listing order.
0040A00C > 3BC0            cmp eax,eax                          ; // program entry point; cmp reg,reg always sets ZF=1
0040A00E   74 02           je short sticker.0040A012            ; always taken; 0040A012 is 2 bytes into the "add" below
0040A010   8183 553BC074 0>add dword ptr ds:[ebx+0x74C03B55]>   ; never executed: decoded from the wrong offset (real code at 0040A012 is push ebp, see step 3)
0040A01A   3BC9            cmp ecx,ecx                          ; same always-true compare
0040A01C   74 01           je short sticker.0040A01F            ; always taken; skips the BC opcode of the next line
0040A01E   BC 563BD274     mov esp,0x74D23B56                   ; junk decode; esp is not really overwritten on the executed path
3.单步到这里，看到一条 push ebp 入栈；在数据窗口中跟随 ESP，对该地址下硬件访问断点，然后按 Shift+F9 运行
; Real instruction stream resumes at 0040A012 (the je target from 0040A00E).
; The push here is what the "ESP trick" hooks: a hardware access breakpoint on
; the dword at [esp] fires when the stub later reads it back - presumably when
; it restores ebp just before transferring to the OEP (step 4 lands at 0040EE6F).
0040A012   55              push ebp                             ; saved ebp -> [esp]; set the hardware access breakpoint on this slot
0040A013   3BC0            cmp eax,eax                          ; // ESP trick; cmp reg,reg always sets ZF=1
0040A015   74 02           je short sticker.0040A019            ; always taken; target is inside the "add" below
0040A017   8183 533BC974 0>add dword ptr ds:[ebx+0x74C93B53]>   ; never executed: bytes decoded out of sync (same trick as at 0040A010)
0040A021   D27402 81       sal byte ptr ds:[edx+eax-0x7F],cl    ; junk decode, not on the executed path
0040A025   8557 E8         test dword ptr ds:[edi-0x18],edx     ; junk decode, not on the executed path
0040A028   0000            add byte ptr ds:[eax],al             ; junk decode (00 00 bytes), not on the executed path
4.断在 ESP 落脚点，继续按 F8 单步跟踪
; Where the hardware breakpoint from step 3 stops. Same opaque-jump trick as at
; the entry: the je target 0040EE74 is the immediate field of the "mov edi"
; line, whose bytes FF E0 decode as "jmp eax" (shown in step 5).
0040EE6F   3BE4            cmp esp,esp                          ; // ESP breakpoint landing point; always sets ZF=1
0040EE71   74 01           je short sticker.0040EE74            ; always taken; skips the BF opcode of the next line
0040EE73   BF FFE0B801     mov edi,0x1B8E0FF                    ; junk decode; the executed bytes start at 0040EE74 (FF E0 = jmp eax)
0040EE78   0000            add byte ptr ds:[eax],al             ; junk decode, not on the executed path
0040EE7A   003B            add byte ptr ds:[ebx],bh             ; junk decode, not on the executed path
0040EE7C   C9              leave                                ; junk decode, not on the executed path
0040EE7D   74 02           je short sticker.0040EE81            ; another jump into the middle of the following "add"
0040EE7F   81845F 3BD27401>add dword ptr ds:[edi+ebx*2+0x174>   ; junk decode, not on the executed path
5.找到指向 OEP 的关键跳转（jmp eax）
; Listing re-synchronised at 0040EE74: this is the transfer to the unpacked
; program. eax holds the OEP (0040535F in step 6); single-step over the jmp to
; land there. Everything after the jmp is not executed on this path.
0040EE74 - FFE0            jmp eax                              ; // key jump to the OEP; eax = original entry point
0040EE76   B8 01000000     mov eax,0x1                          ; not reached via the jmp above
0040EE7B   3BC9            cmp ecx,ecx                          ; same always-true compare pattern as the stub entry
0040EE7D   74 02           je short sticker.0040EE81            ; jump into the middle of the following "add"
0040EE7F   81845F 3BD27401>add dword ptr ds:[edi+ebx*2+0x174>   ; junk decode
0040EE8A   74 02           je short sticker.0040EE8E            ; jump into the middle of the following "add"
0040EE8C   8186 5B3BDB74 0>add dword ptr ds:[esi+0x74DB3B5B]>   ; junk decode
6.来到 OEP
; Original entry point of the unpacked program. The sequence below installs an
; SEH frame (links a new record at fs:[0]) and reserves locals - the shape of
; a Visual C++ 6.0 CRT startup, consistent with the PEiD result in step 7.
; This address is the OEP to give the dumper/import fixer.
0040535F   55              push ebp                             ; // OEP: standard frame setup
00405360   8BEC            mov ebp,esp
00405362   6A FF           push -0x1                            ; presumably the initial try-level of the CRT SEH record - verify
00405364   68 D0124000     push sticker.004012D0                ; address pushed into the SEH record (likely scope table - verify)
00405369   68 20534000     push sticker.00405320                ; address pushed into the SEH record (likely the CRT exception handler - verify)
0040536E   64:A1 00000000  mov eax,dword ptr fs:[0]             ; eax = current head of the SEH chain
00405374   50              push eax                             ; save previous handler link
00405375   64:8925 0000000>mov dword ptr fs:[0],esp             ; new SEH record becomes the chain head
0040537C   83EC 68         sub esp,0x68                         ; reserve 0x68 bytes of locals
7.用 LordPE dump，再用 ImportREC 修复输入表，完成脱壳；运行脱壳后的程序并重新查壳
脱壳后的程序可以正常运行，查壳结果：Microsoft Visual C++ v6.0 (16 ms)