1.PEID查壳
深度扫描下:nSPack 2.2 -> North Star/Liu Xing Ping
3.载入OD,入口处(0040101B)就是一个大跳转,F8单步跟下去。跳转下方反汇编出来的 mov ah,0x9 / int 0x21 / jo 等指令并不是真正的代码,那些字节(70 61 63 6B 65 64 20 62 79 即 "packed by")看起来是被当成指令显示的数据,不要F7跟进去。
0040101B >- E9 82130300      jmp QQ个性网.004323A2          ; //程序入口
00401020    B4 09            mov ah,0x9
00401022    BA 0B01CD21      mov edx,0x21CD010B
00401027    B4 4C            mov ah,0x4C
00401029    CD 21            int 0x21
0040102B    70 61            jo short QQ个性网.0040108E
0040102D    636B 65          arpl word ptr ds:[ebx+0x65],bp
00401030    64:2062 79       and byte ptr fs:[edx+0x79],ah
3.大跳转的落脚点是 pushfd/pushad,单步执行到 pushad 下面的 call 处使用ESP定律:对当前ESP下硬件访问断点(dword),然后shift+F9运行,壳恢复寄存器(popad/popfd)时会断下来
004323A2    9C               pushfd                          ; //大跳转落脚点
004323A3    60               pushad
004323A4    E8 00000000      call QQ个性网.004323A9          ; //ESP定律
004323A9    5D               pop ebp
004323AA    B8 07000000      mov eax,0x7
004323AF    2BE8             sub ebp,eax
4.ESP定律的落脚点是 popfd,可以看到落脚点下面一行就是一个大跳转(jmp 004012D4),这个跳转的目标就是OEP,我们继续F8跟过去
0043261B    9D               popfd                           ; //ESP落脚点
0043261C  - E9 B3ECFCFF      jmp QQ个性网.004012D4            ; //这里就是OEP
00432621    8BB5 62FEFFFF    mov esi,dword ptr ss:[ebp-0x19E]
00432627    0BF6             or esi,esi
00432629    0F84 97000000    je QQ个性网.004326C6
0043262F    8B95 6AFEFFFF    mov edx,dword ptr ss:[ebp-0x196]
00432635    03F2             add esi,edx
;
5.来到OEP(004012D4),可以脱壳了。push 一个地址后紧跟 call 是VB5/6程序的典型入口形式,call 后面反汇编出来的一串 add byte ptr ds:[eax],al 其实是数据(全零字节),不是代码,这也和后面查壳得到的结果一致
004012D4    68 54474000      push QQ个性网.00404754          ; //来到OEP
004012D9    E8 F0FFFFFF      call QQ个性网.004012CE
004012DE    0000             add byte ptr ds:[eax],al
004012E0    0000             add byte ptr ds:[eax],al
004012E2    0000             add byte ptr ds:[eax],al
004012E4    3000             xor byte ptr ds:[eax],al
004012E6    0000             add byte ptr ds:[eax],al
004012E8    48               dec eax
004012E9    0000             add byte ptr ds:[eax],al
004012EB    0000             add byte ptr ds:[eax],al
6.运行脱壳后的程序并再次查壳
运行OK,查壳显示:Microsoft Visual Basic v5.0/v6.0,说明壳已经去掉