关于脱壳的一些笔记

方法1：单步跟踪

遇到循环直接跳出

方法2：ESP定律法

注意在入栈时候esp的变化

方法3：2次内存镜像法

吾爱破解的OD可能存在无法使用这类方法，必须使用原版的OD

方法6：SFX

设置OD调试设置总的SFX设置 直接到oep

方法7：最后一次异常法；

1.取消所有忽略异常    OD调试器设置、异常全部不勾

2.F9 直到跑飞后，计算F9的次数  

3.F9次数 – 1  找SE句柄，设置硬件断点为SE句柄的值，然后F9

4.在停下来的地方设置断点，然后F9

5.基本上离OEP很近了

常见语言的入口点：

VB：

004012D4 >  68 54474000     push QQ个性网.00404754

004012D9    E8 F0FFFFFF     call <jmp.&MSVBVM60.#100>

004012DE    0000            add byte ptr ds:[eax],al

004012E0    0000            add byte ptr ds:[eax],al

004012E2    0000            add byte ptr ds:[eax],al

004012E4    3000            xor byte ptr ds:[eax],al

004012E6    0000            add byte ptr ds:[eax],al

004012E8    48              dec eax

delphi:

004A5C54 >  55              push ebp

004A5C55    8BEC            mov ebp,esp

004A5C57    83C4 F0         add esp,-10

004A5C5A    B8 EC594A00     mov eax,openpro.004A59EC

BC++:

00401678 > /EB 10           jmp short btengine.0040168A

0040167A   |66:623A         bound di,dword ptr ds:[edx]

0040167D   |43              inc ebx

0040167E   |2B2B            sub ebp,dword ptr ds:[ebx]

00401680   |48              dec eax

00401681   |4F              dec edi

00401682   |4F              dec edi

00401683   |4B              dec ebx

00401684   |90              nop

00401685  -|E9 98005400     jmp 00941722

0040168A   A1 8B005400     mov eax,dword ptr ds:[54008B]

0040168F    C1E0 02         shl eax,2

00401692    A3 8F005400     mov dword ptr ds:[54008F],eax

00401697    52              push edx

00401698    6A 00           push 0

0040169A    E8 99D01300     call <jmp.&KERNEL32.GetModuleHandleA>

0040169F    8BD0            mov edx,eax

VC++:

0040A41E >  55              push ebp

0040A41F    8BEC            mov ebp,esp

0040A421    6A FF           push -1

0040A423    68 C8CB4000     push 跑跑排行.0040CBC8

0040A428    68 A4A54000     push <jmp.&MSVCRT._except_handler3>

0040A42D    64:A1 00000000  mov eax,dword ptr fs:[0]

0040A433    50              push eax

0040A434    64:8925 0000000>mov dword ptr fs:[0],esp

0040A43B    83EC 68         sub esp,68

0040A43E    53              push ebx

0040A43F    56              push esi

0040A440    57              push edi

MASM(汇编):

004035C9 >  6A 00           push 0

004035CB    E8 A20A0000     call <jmp.&kernel32.GetModuleHandleA>

004035D0    A3 5B704000     mov dword ptr ds:[40705B],eax

004035D5    68 80000000     push 80

004035DA    68 2C754000     push 11.0040752C

004035DF    FF35 5B704000   push dword ptr ds:[40705B]

004035E5    E8 820A0000     call <jmp.&kernel32.GetModuleFileNameA>

004035EA    E8 87070000     call 11.00403D76

004035EF    6A 00           push 0

004035F1    68 0B364000     push 11.0040360B

004035F6    6A 00           push 0

004035F8    6A 64           push 64

004035FA    FF35 5B704000   push dword ptr ds:[40705B]

附加数据overlay 

  WIN HEX或HEX WORKSHOP