脱壳基本的思路及小结
脱壳的基本方法:1.单步2.ESP定律
3.内存镜像
4.模拟跟踪(2类)1)SFX跟踪
2)tc eip<XXXX5.最后一次异常
6.特殊常见语言的入口点:VB:004012D4 >68 54474000 push QQ个性网.00404754
004012D9 E8 F0FFFFFF call
004012DE 0000 add byte ptr ds:,al
004012E0 0000 add byte ptr ds:,al
004012E2 0000 add byte ptr ds:,al
004012E4 3000 xor byte ptr ds:,al
004012E6 0000 add byte ptr ds:,al
004012E8 48 dec eax
delphi:004A5C54 >55 push ebp
004A5C55 8BEC mov ebp,esp
004A5C57 83C4 F0 add esp,-10
004A5C5A B8 EC594A00 mov eax,openpro.004A59EC
BC++:00401678 > /EB 10 jmp short btengine.0040168A
0040167A |66:623A bound di,dword ptr ds:
0040167D |43 inc ebx
0040167E |2B2B sub ebp,dword ptr ds:
00401680 |48 dec eax
00401681 |4F dec edi
00401682 |4F dec edi
00401683 |4B dec ebx
00401684 |90 nop
00401685-|E9 98005400 jmp 00941722
0040168A \A1 8B005400 mov eax,dword ptr ds:
0040168F C1E0 02 shl eax,2
00401692 A3 8F005400 mov dword ptr ds:,eax
00401697 52 push edx
00401698 6A 00 push 0
0040169A E8 99D01300 call
0040169F 8BD0 mov edx,eax
VC++:0040A41E >55 push ebp
0040A41F 8BEC mov ebp,esp
0040A421 6A FF push -1
0040A423 68 C8CB4000 push 跑跑排行.0040CBC8
0040A428 68 A4A54000 push
0040A42D 64:A1 00000000mov eax,dword ptr fs:
0040A433 50 push eax
0040A434 64:8925 0000000>mov dword ptr fs:,esp
0040A43B 83EC 68 sub esp,68
0040A43E 53 push ebx
0040A43F 56 push esi
0040A440 57 push edi
MASM(汇编):004035C9 >6A 00 push 0
004035CB E8 A20A0000 call
004035D0 A3 5B704000 mov dword ptr ds:,eax
004035D5 68 80000000 push 80
004035DA 68 2C754000 push 11.0040752C
004035DF FF35 5B704000 push dword ptr ds:
004035E5 E8 820A0000 call
004035EA E8 87070000 call 11.00403D76
004035EF 6A 00 push 0
004035F1 68 0B364000 push 11.0040360B
004035F6 6A 00 push 0
004035F8 6A 64 push 64
004035FA FF35 5B704000 push dword ptr ds:
页:
[1]