Manually unpacking EXE32Pack v1.39

Time: 2023-02-13 14:26:56

1. Identify the packer with PEiD

EXE32Pack v1.39

2. Load the file in OllyDbg and start by single-stepping with F8

0040A00C >  3BC0            cmp eax,eax                       ; // program entry point
0040A00E je short sticker.0040A012
0040A010 553BC074 >add dword ptr ds:[ebx+0x74C03B55]>
0040A01A 3BC9 cmp ecx,ecx
0040A01C je short sticker.0040A01F
0040A01E BC 563BD274 mov esp,0x74D23B56
 

3. Step until here, where we see a push onto the stack. Follow ESP in the dump window, set a hardware access breakpoint on it, then press Shift+F9

0040A012                  push ebp
0040A013 3BC0 cmp eax,eax ; // ESP trick
0040A015 je short sticker.0040A019
0040A017 533BC974 >add dword ptr ds:[ebx+0x74C93B53]>
0040A021 D27402 sal byte ptr ds:[edx+eax-0x7F],cl
0040A025 E8 test dword ptr ds:[edi-0x18],edx
0040A028 add byte ptr ds:[eax],al
 

4. The breakpoint lands here (ESP landing point); continue single-stepping with F8

0040EE6F    3BE4            cmp esp,esp                       ; // ESP landing point
0040EE71 je short sticker.0040EE74
0040EE73 BF FFE0B801 mov edi,0x1B8E0FF
0040EE78 add byte ptr ds:[eax],al
0040EE7A 003B add byte ptr ds:[ebx],bh
0040EE7C C9 leave
0040EE7D je short sticker.0040EE81
0040EE7F 81845F 3BD27401>add dword ptr ds:[edi+ebx*+0x174>
 

5. OK, we have found the key jump that leads to the OEP

0040EE74  - FFE0            jmp eax                           ; // key jump to the OEP
0040EE76 B8 mov eax,0x1
0040EE7B 3BC9 cmp ecx,ecx
0040EE7D je short sticker.0040EE81
0040EE7F 81845F 3BD27401>add dword ptr ds:[edi+ebx*+0x174>
0040EE8A je short sticker.0040EE8E
0040EE8C 5B3BDB74 >add dword ptr ds:[esi+0x74DB3B5B]>
 

6. Arriving at the OEP

0040535F                  push ebp                          ; // arrived at the OEP
8BEC mov ebp,esp
6A FF push -0x1
D0124000 push sticker.004012D0
push sticker.
0040536E :A1 mov eax,dword ptr fs:[]
push eax
: >mov dword ptr fs:[],esp
0040537C 83EC sub esp,0x68
 

7. Dump with LordPE, fix the imports with ImportREC, run the result and check the packer again

OK, the dumped file runs; checking it again reports: Microsoft Visual C++ v6.0 (16 ms)
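One check worth doing after step 7, added here as an example and not part of the original post: parse the dump's PE header, map AddressOfEntryPoint to its file offset, and confirm that the bytes there are the MSVC 6 CRT prologue seen at the OEP in step 6 (`push ebp; mov ebp,esp; push -1; push imm32`). The `build_test_image` helper only constructs a minimal PE32 for testing; it is not a real dump.

```python
import struct

# MSVC 6 CRT entry prologue seen at the OEP: push ebp; mov ebp,esp; push -1; push imm32
VC6_PROLOGUE = bytes.fromhex("558BEC6AFF68")


def entry_point_bytes(data: bytes, count: int = 6):
    """Parse a PE32 file image; return (entry VA, first `count` bytes at the entry point)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]             # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsections, = struct.unpack_from("<H", data, pe + 6)
    opt_size, = struct.unpack_from("<H", data, pe + 20)
    aoep, = struct.unpack_from("<I", data, pe + 0x28)        # AddressOfEntryPoint (RVA)
    image_base, = struct.unpack_from("<I", data, pe + 0x34)  # ImageBase (PE32 layout)
    table = pe + 24 + opt_size                               # first IMAGE_SECTION_HEADER
    for i in range(nsections):
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, table + 40 * i + 8)
        if va <= aoep < va + max(vsize, rawsize):
            fofs = rawptr + (aoep - va)                      # RVA -> file offset
            return image_base + aoep, data[fofs:fofs + count]
    raise ValueError("entry point is outside every section")


def looks_like_vc6_oep(data: bytes):
    """Return (entry VA, True if the entry point starts with the VC6 prologue)."""
    va, code = entry_point_bytes(data)
    return va, code.startswith(VC6_PROLOGUE)


def build_test_image(entry_code: bytes, aoep: int = 0x535F, image_base: int = 0x400000) -> bytes:
    """Constructed minimal PE32 with one section at RVA 0x1000 (test input, not a real dump)."""
    sec_va, sec_raw = 0x1000, 0x200
    body = bytearray(aoep - sec_va + len(entry_code))
    body[aoep - sec_va:] = entry_code                        # place the entry bytes at the RVA
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, 16, aoep)                    # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)              # ImageBase
    sect = struct.pack("<8sIIII", b".text", len(body), sec_va, len(body), sec_raw) + bytes(16)
    hdr = dos + b"PE\0\0" + file_hdr + bytes(opt) + sect
    return hdr.ljust(sec_raw, b"\0") + bytes(body)
```

A dump whose entry point still lands on the packer stub (`cmp eax,eax / je ...`) fails the check, which is the usual sign that the OEP was dumped one step too early.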