1.PEID查壳提示为:
ASPack 2.12 -> Alexey Solodovnikov
2.载入OD,程序入口点是一个pushad,在他的下一行就可以进行ESP定律,下硬件访问断点然后shift+F9
00430001 > 60 pushad ; //入口位置 00430002 E8 03000000 call QQ个性网.0043000A; //用ESP定律 00430007 - E9 EB045D45 jmp 45A004F7 0043000C 55 push ebp 0043000D C3 retn 0043000E E8 01000000 call QQ个性网.00430014 00430013 EB 5D jmp short QQ个性网.00430072
3.ESP的落脚点,是一个向下跳转,单步F8跟下去,再F8一下就是一个retn,这里就是跳向OEP的地方了
004303B0 /75 08 jnz short QQ个性网.004303BA; //落脚点 004303B2 |B8 01000000 mov eax,0x1 004303B7 |C2 0C00 retn 0xC 004303BA 68 D4124000 push QQ个性网.004012D4 004303BF C3 retn ; //这里跳向OEP 004303C0 8B85 26040000 mov eax,dword ptr ss:[ebp+0x426] 004303C6 8D8D 3B040000 lea ecx,dword ptr ss:[ebp+0x43B] 004303CC 51 push ecx 004303CD 50 push eax
4.来到OEP进行脱壳
004012D4 68 54474000 push QQ个性网.00404754; //来到OEP 004012D9 E8 F0FFFFFF call QQ个性网.004012CE 004012DE 0000 add byte ptr ds:[eax],al 004012E0 0000 add byte ptr ds:[eax],al 004012E2 0000 add byte ptr ds:[eax],al 004012E4 3000 xor byte ptr ds:[eax],al 004012E6 0000 add byte ptr ds:[eax],al 004012E8 48 dec eax
5.查壳运行
OK,已经脱掉了
Microsoft Visual Basic v5.0/v6.0