  • Manually unpacking nSPack 1.3

    1. Identify the packer with PEiD

    nSPack 1.3 -> North Star/Liu Xing Ping
    

    2. Load the file in OD. Step over pushfd and pushad to the call right below them and apply the ESP trick there: follow ESP in the dump, set a hardware breakpoint on access (dword) at that address, then Shift+F9 to run.

    00432356 >  9C              pushfd                            ; // program entry point (packer stub)
    00432357    60              pushad                            ; // saves all registers; ESP now points at them
    00432358    E8 00000000     call QQ个性网.0043235D            ; // call $+5: apply the ESP trick here
    0043235D    5D              pop ebp                           ; // delta-offset trick: EBP = 0043235D
    0043235E    B8 B3854000     mov eax,QQ个性网.004085B3
    00432363    2D AC854000     sub eax,QQ个性网.004085AC         ; // EAX = 7
    00432368    2BE8            sub ebp,eax                       ; // EBP = 00432356, the stub's own base
    0043236A    8DB5 D6FEFFFF   lea esi,dword ptr ss:[ebp-0x12A]
     

    3. The breakpoint fires at the ESP landing point (the popfd that restores what pushfd saved). The line right after it is a big jump to the OEP; step with F8 and follow the jump.

    0043257A    9D              popfd                             ; // ESP landing point
    0043257B  - E9 54EDFCFF     jmp QQ个性网.004012D4             ; // big jump to the OEP
    00432580    8BB5 AEFEFFFF   mov esi,dword ptr ss:[ebp-0x152]
    00432586    0BF6            or esi,esi
    00432588    0F84 97000000   je QQ个性网.00432625
     

    4. At the OEP; dump the process now (and set the dump's entry point to this address).

    004012D4    68 54474000     push QQ个性网.00404754               ; // OEP: push VB header, call ThunRTMain (typical VB5/6 entry)
    004012D9    E8 F0FFFFFF     call QQ个性网.004012CE               
    004012DE    0000            add byte ptr ds:[eax],al            ; // bytes after the call are data, not code
    004012E0    0000            add byte ptr ds:[eax],al
    004012E2    0000            add byte ptr ds:[eax],al
    004012E4    3000            xor byte ptr ds:[eax],al
    004012E6    0000            add byte ptr ds:[eax],al
    004012E8    48              dec eax    

    5. Run the dump and re-check it

    The dump runs OK; PEiD now reports: Microsoft Visual Basic v5.0/v6.0
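    The steps above, reduced to the bookkeeping repeated after every dump, as an added Python example that is not part of the original post: it resolves the E9 jump at the ESP landing point to the OEP, checks the delta-offset arithmetic in the stub prologue, and patches AddressOfEntryPoint in a constructed minimal PE32 header the way a dump tool does when you enter the OEP. The byte strings are copied from the listings above; the ImageBase of 0x00400000, the constructed header and all function names are assumptions, not the real binary.

```python
"""nSPack 1.3 unpack bookkeeping (added example, not from the original post).

Assumed: bytes are copied from the OllyDbg listing in the post (stub at
0x00432356, landing point 0x0043257A, OEP 0x004012D4); the PE header below
is a constructed minimal PE32 header, not the real QQ个性网 binary.
"""
import struct
from typing import Optional

IMAGE_BASE = 0x00400000  # assumed: default ImageBase of a VB6 exe

# Stub prologue from the post: pushfd / pushad / call $+5 / pop ebp
STUB_PROLOGUE = bytes.fromhex("9C 60 E8 00 00 00 00 5D")

# Bytes at the ESP landing point from the post: popfd / jmp OEP
LANDING = bytes.fromhex("9D E9 54 ED FC FF")
LANDING_VA = 0x0043257A


def find_stub_entry(image: bytes, image_base: int) -> Optional[int]:
    """VA of the first pushfd/pushad/call $+5/pop ebp sequence, or None."""
    off = image.find(STUB_PROLOGUE)
    return None if off < 0 else image_base + off


def delta_base(call_va: int, mov_imm: int, sub_imm: int) -> int:
    """What the stub leaves in EBP: 'call $+5; pop ebp' yields the address of
    the pop; 'mov eax,A; sub eax,B; sub ebp,eax' then subtracts A-B (7 here)
    so EBP points at the stub entry whatever the load address."""
    pop_va = call_va + 5
    return pop_va - ((mov_imm - sub_imm) & 0xFFFFFFFF)


def decode_jmp_rel32(jmp_va: int, code: bytes) -> int:
    """Resolve a 5-byte E9 near jump to its absolute 32-bit target."""
    if len(code) < 5 or code[0] != 0xE9:
        raise ValueError("not an E9 rel32 jump")
    rel = struct.unpack_from("<i", code, 1)[0]  # signed displacement
    return (jmp_va + 5 + rel) & 0xFFFFFFFF


def oep_from_landing(landing_va: int, code: bytes) -> int:
    """popfd (1 byte) is followed by the big jump; return the OEP it hits."""
    if code[0] != 0x9D:
        raise ValueError("landing point should start with popfd")
    return decode_jmp_rel32(landing_va + 1, code[1:])


def build_minimal_pe(entry_rva: int, image_base: int) -> bytearray:
    """Constructed minimal PE32 header (DOS header, PE signature, COFF header,
    optional header) so the OEP patch can be shown without the real file."""
    pe = bytearray(0x100)
    pe[0:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x40)             # e_lfanew
    pe[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", pe, 0x44, 0x14C, 0)        # Machine i386, 0 sections
    struct.pack_into("<H", pe, 0x54, 0xE0)             # SizeOfOptionalHeader
    struct.pack_into("<H", pe, 0x58, 0x10B)            # PE32 magic
    struct.pack_into("<I", pe, 0x58 + 16, entry_rva)   # AddressOfEntryPoint
    struct.pack_into("<I", pe, 0x58 + 28, image_base)  # ImageBase
    return pe


def _opt_header_off(pe: bytes) -> int:
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    return e_lfanew + 4 + 20  # skip signature and COFF file header


def get_entry_rva(pe: bytes) -> int:
    return struct.unpack_from("<I", pe, _opt_header_off(pe) + 16)[0]


def get_image_base(pe: bytes) -> int:
    return struct.unpack_from("<I", pe, _opt_header_off(pe) + 28)[0]


def set_oep(pe: bytearray, oep_va: int) -> int:
    """Point AddressOfEntryPoint at the real OEP, as the dump tool does when
    you type the OEP in after dumping. Returns the new entry RVA."""
    rva = oep_va - get_image_base(pe)
    if rva < 0:
        raise ValueError("OEP below ImageBase")
    struct.pack_into("<I", pe, _opt_header_off(pe) + 16, rva)
    return rva


if __name__ == "__main__":
    oep = oep_from_landing(LANDING_VA, LANDING)
    print(f"OEP = {oep:#010x}")
    pe = build_minimal_pe(0x00432356 - IMAGE_BASE, IMAGE_BASE)
    before = get_entry_rva(pe)
    print(f"entry RVA {before:#x} -> {set_oep(pe, oep):#x}")
```

    The same arithmetic is what you check by hand when the dump refuses to run: a jump whose decoded target does not equal the OEP you stepped to means you dumped at the wrong place, and an entry RVA that still equals the packer stub means the OEP was never written into the header.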
    
  • Original post: https://www.cnblogs.com/JianXu/p/5158386.html