
Unpacking Windows设置大师 (Windows Settings Master) with OllyDbg

2007-01-13 20:14:20 Source: WEB开发网

Unpacking Windows设置大师 2003 V2.0 Build 0420

Platform: Win9x/NT/2000/XP

1. Dumping the program:

00601DD5 97 XCHG EAX,EDI
00601DD6 ^ EB 87 JMP SHORT Windows?00601D5F
00601DD8 AD LODS DWORD PTR DS:[ESI]
00601DD9 93 XCHG EAX,EBX
00601DDA 5E POP ESI
00601DDB 46 INC ESI
00601DDC AD LODS DWORD PTR DS:[ESI]
00601DDD 97 XCHG EAX,EDI
00601DDE 56 PUSH ESI
00601DDF FF13 CALL DWORD PTR DS:[EBX]
00601DE1 95 XCHG EAX,EBP
00601DE2 AC LODS BYTE PTR DS:[ESI]
00601DE3 84C0 TEST AL,AL
00601DE5 ^ 75 FB JNZ SHORT Windows?00601DE2
00601DE7 FE0E DEC BYTE PTR DS:[ESI]
00601DE9 ^ 74 F0 JE SHORT Windows?00601DDB
00601DEB 79 05 JNS SHORT Windows?00601DF2
00601DED 46 INC ESI
00601DEE AD LODS DWORD PTR DS:[ESI]
00601DEF 50 PUSH EAX
00601DF0 EB 09 JMP SHORT Windows?00601DFB
00601DF2 FE0E DEC BYTE PTR DS:[ESI]
00601DF4 - 0F84 06F2DFFF JE Windows?00401000
    ===> Set a breakpoint here. Once the program has broken here, type bp 401000 in the command bar, press Enter, then press F9 to run; the program stops at 00601DF4. Clear the breakpoint here and press F9 again; the program now breaks at 401000. Dump the program there.
00601DFA 56 PUSH ESI
00601DFB 55 PUSH EBP
00601DFC FF53 04 CALL DWORD PTR DS:[EBX+4]
00601DFF AB STOS DWORD PTR ES:[EDI]
00601E00 ^ EB E0 JMP SHORT Windows?00601DE2
00601E02 33C9 XOR ECX,ECX
00601E04 41 INC ECX

2. Repairing the import table

After the program has been dumped, repair the import table with ImportREC and it is done. The program runs normally, but no strings are visible after disassembly.
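To see why the JE at 00601DF4 is the transfer to the original entry point, here is an added Python example (not part of the original article) that decodes the branch targets in the listing above from their raw opcode bytes and flags the one branch that leaves the unpacker stub's address range. The stub range 00601000-00700000 is an assumption made for this sample.

```python
# Constructed sample: the branch and call lines copied from the OllyDbg listing above.
LISTING = """\
00601DD6 ^ EB 87 JMP SHORT Windows?00601D5F
00601DE5 ^ 75 FB JNZ SHORT Windows?00601DE2
00601DE9 ^ 74 F0 JE SHORT Windows?00601DDB
00601DEB 79 05 JNS SHORT Windows?00601DF2
00601DF0 EB 09 JMP SHORT Windows?00601DFB
00601DF4 - 0F84 06F2DFFF JE Windows?00401000
00601DFC FF53 04 CALL DWORD PTR DS:[EBX+4]
00601E00 ^ EB E0 JMP SHORT Windows?00601DE2
"""

def is_opcode_token(tok):
    """OllyDbg prints opcode bytes as even-length hex groups; mnemonics (JE, DEC) never match."""
    return len(tok) % 2 == 0 and all(c in "0123456789ABCDEF" for c in tok)

def parse_listing(listing):
    """Yield (address, opcode bytes, disassembly text) for each listing line."""
    for line in listing.splitlines():
        toks = [t for t in line.split() if t not in ("^", "v", "-")]  # drop the direction marks
        if not toks:
            continue
        addr, rest, raw = int(toks[0], 16), toks[1:], ""
        while rest and is_opcode_token(rest[0]):
            raw += rest.pop(0)
        yield addr, bytes.fromhex(raw), " ".join(rest)

def branch_target(addr, opcode):
    """Decode the target of a relative JMP/Jcc/CALL; None for any other instruction."""
    n = len(opcode)
    if n == 2 and (opcode[0] == 0xEB or 0x70 <= opcode[0] <= 0x7F):   # JMP SHORT / Jcc rel8
        rel = int.from_bytes(opcode[1:2], "little", signed=True)
    elif n == 5 and opcode[0] in (0xE8, 0xE9):                         # CALL / JMP rel32
        rel = int.from_bytes(opcode[1:5], "little", signed=True)
    elif n == 6 and opcode[0] == 0x0F and 0x80 <= opcode[1] <= 0x8F:   # Jcc rel32 (0F 84 = JE)
        rel = int.from_bytes(opcode[2:6], "little", signed=True)
    else:
        return None
    return (addr + n + rel) & 0xFFFFFFFF  # displacement is relative to the next instruction

def find_oep_candidates(listing, stub_lo, stub_hi):
    """Branches whose target leaves the unpacking stub's address range are OEP candidates."""
    found = []
    for addr, opcode, text in parse_listing(listing):
        target = branch_target(addr, opcode)
        if target is not None and not stub_lo <= target < stub_hi:
            found.append((addr, target, text.split()[0]))
    return found
```

`find_oep_candidates(LISTING, 0x00601000, 0x00700000)` returns `[(0x601DF4, 0x401000, "JE")]`: the rel32 06F2DFFF is -0x200DFA relative to the next instruction at 00601DFA, which lands at 00401000, while every short jump stays inside the stub.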

Editor: 爽爽