Basic Techniques for Manual Unpacking (2)

2006-07-03 20:26:31 Source: WEB开发网
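When you reach this CALL again, press F8 to trace into it. You will see the following code. But remember to set a breakpoint first with BPX 004145D7.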

004145E2 64A100000000 MOV EAX,FS:[00000000]
004145E8 55 PUSH EBP
004145E9 8BEC MOV EBP,ESP
004145EB 6AFF PUSH FF
004145ED 6810E04000 PUSH 0040E010
004145F2 68EC5D4100 PUSH 00415DEC
004145F7 50 PUSH EAX
004145F8 64892500000000 MOV FS:[00000000],ESP
004145FF 83EC14 SUB ESP,14
00414602 C745E401000000 MOV DWORD PTR [EBP-1C],00000001
00414609 53 PUSH EBX
0041460A 56 PUSH ESI
0041460B 57 PUSH EDI
0041460C 8965E8 MOV [EBP-18],ESP
0041460F C745FC00000000 MOV DWORD PTR [EBP-04],00000000
00414616 8B450C MOV EAX,[EBP+0C]
00414619 83F801 CMP EAX,01
0041461C 7510 JNZ 0041462E (NO JUMP)
0041461E E886030000 CALL 004149A9
00414623 FF05C0F14000 INC DWORD PTR [0040F1C0]
00414629 E882F6FFFF CALL 00413CB0
0041462E 8B35C0F14000 MOV ESI,[0040F1C0]
00414634 85F6 TEST ESI,ESI
00414636 0F848D000000 JZ 004146C9 (NO JUMP)
0041463C 833DC4F1400000 CMP DWORD PTR [0040F1C4],00
00414643 7526 JNZ 0041466B (NO JUMP)
00414645 833D6417410000 CMP DWORD PTR [00411764],00
0041464C 741D JZ 0041466B (NO JUMP)
0041464E A164174100 MOV EAX,[00411764]

** EAX now holds 000010CC

00414653 030588184100 ADD EAX,[00411888]

** EAX now holds 004010CC

00414659 8945DC MOV [EBP-24],EAX

** [EBP-24] now contains 004010CC
