WEB开发网
开发学院网络安全黑客技术 压缩与脱壳-手动脱壳 阅读

压缩与脱壳-手动脱壳

 2007-01-12 20:11:56 来源:WEB开发网   
核心提示: **Softice中断时,你会在这儿. 一直按F10走过这部分代码0041454FFFFFINVALID0041455655PUSHEBP004145578BECMOVEBP,ESP0041455956PUSHESI0041455A57PUSHEDI0041455B756BJNZ00414

**Softice中断时,你会在这儿. 一直按F10走过这部分代码

0041454F FFFF        INVALID
00414556 55         PUSH   EBP
00414557 8BEC        MOV   EBP,ESP
00414559 56         PUSH   ESI
0041455A 57         PUSH   EDI
0041455B 756B        JNZ   004145C8        (NO JUMP)
0041455D 6800010000     PUSH   00000100
00414562 E8D60B0000     CALL   0041513D
00414567 83C404       ADD   ESP,04
0041456A 8B7508       MOV   ESI,[EBP+08]
0041456D A3B4F14000     MOV   [0040F1B4],EAX
00414572 85F6        TEST   ESI,ESI
00414574 7423        JZ    00414599        (JUMP)
00414599 33FF        XOR   EDI,EDI
0041459B 57         PUSH   EDI
0041459C 893D8C184100    MOV   [0041188C],EDI
004145A2 FF1510224100    CALL   [KERNEL32!GetModuleHandleA]
004145A8 8BF0        MOV   ESI,EAX
004145AA 68FF000000     PUSH   000000FF
004145AF A1B4F14000     MOV   EAX,[0040F1B4]
004145B4 897D10       MOV   [EBP+10],EDI
004145B7 C7450C01000000   MOV   DWORD PTR [EBP+0C],00000001
004145BE 50         PUSH   EAX
004145BF 56         PUSH   ESI
004145C0 FF15F4214100    CALL   [KERNEL32!GetModuleFileNameA]
004145C6 EB03        JMP   004145CB        (JUMP)
004145CB E830EAFFFF     CALL   00413000
004145D0 FF7510       PUSH   DWORD PTR [EBP+10]
004145D3 FF750C       PUSH   DWORD PTR [EBP+0C]
004145D6 56         PUSH   ESI
004145D7 E806000000     CALL   004145E2

**当你走过这个位于004145D7的CALL, 压缩过的notepad.exe就自由运行了. 再次用symbol loader装入. 再次来到这个CALL时, 按F8追进去. 你将看到以下代码. 不过记着先BPX 004145D7.

上一页  2 3 4 5 6 7 8 9 10  下一页

Tags:压缩 脱壳 手动

编辑录入:爽爽 [复制链接] [打 印]
赞助商链接