1. Unpacking the main program
014F:00990B35 8B10          MOV EDX,[EAX]
014F:00990B37 8B4508        MOV EAX,[EBP+08]
014F:00990B3A 035018        ADD EDX,[EAX+18]
014F:00990B3D 8B4508        MOV EAX,[EBP+08]
014F:00990B40 8B401C        MOV EAX,[EAX+1C]
014F:00990B43 E880F9FFFF    CALL 009904C8 <- here! press F8 to step into it
014F:009904C8 89C4          MOV ESP,EAX
014F:009904CA 89D0          MOV EAX,EDX
014F:009904CC 8B1D34569900  MOV EBX,[00995634]
014F:009904D2 89041C        MOV [EBX+ESP],EAX
014F:009904D5 61            POPAD
014F:009904D6 50            PUSH EAX <- note down the value of EAX (61C528)
014F:009904D7 C3            RET <- dump here with Procdump
2. Getting the complete .idata section
The unpacked program obtained above still will not run, even after you have corrected the EIP. There is more work to do: you need Icedump.
014F:009909FF 8B4508        MOV EAX,[EBP+08]
014F:00990A02 8D4824        LEA ECX,[EAX+24]
014F:00990A05 8B4508        MOV EAX,[EBP+08]
014F:00990A08 8B500C        MOV EDX,[EAX+0C]
014F:00990A0B 8B4508        MOV EAX,[EBP+08]
014F:00990A0E 8B4008        MOV EAX,[EAX+08]
014F:00990A11 E8FAF6FFFF    CALL 00990110
014F:00990A16 33C0          XOR EAX,EAX <- here!
014F:00990A18 5A            POP EDX
014F:00990A19 59            POP ECX
014F:00990A1A 59            POP ECX
014F:00990A1B 648910        MOV FS:[EAX],EDX
014F:00990A1E EB13          JMP 00990A33
At line 00990A16, run: Pagein D 62e000 3000 c:\thebat.bin
3. Open a hex editor and replace the .idata section of the unpacked main program with the complete .idata you just dumped. Job done.
- Title: The Bat! 1.39 unpacking notes (1,000 characters)
- Author: 冰毒
- Date: 2000-3-12 9:04:01
- Link: http://bbs.pediy.com
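Step 3 above, splicing the complete .idata dump into the Procdump output, can be scripted instead of done by hand in a hex editor. The Python below is an added example and is not code from the original post or from any of the tools it names: it walks the PE section table, locates .idata by name, checks that the dump (0x3000 bytes in the PAGEIN command above) is exactly the section's SizeOfRawData so later sections keep their file offsets, and writes it over the old bytes. The two-section PE it builds as sample input is constructed for the demonstration and is not The Bat!.

```python
import struct

# IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics (40 bytes)
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")

def section_headers(pe):
    """Yield (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
    for each entry in the section table of a PE image held in memory."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsect = struct.unpack_from("<H", pe, e_lfanew + 6)[0]      # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]  # SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                            # first section header
    for i in range(nsect):
        f = SECTION_HDR.unpack_from(pe, table + i * SECTION_HDR.size)
        yield f[0].rstrip(b"\0").decode("ascii", "replace"), f[1], f[2], f[3], f[4]

def replace_section(pe, name, new_raw):
    """Return a copy of pe with the raw file bytes of section `name` replaced by
    new_raw. The dump must match SizeOfRawData exactly, otherwise every later
    section's PointerToRawData would no longer point at its data."""
    for sname, _vsize, _va, rsize, rptr in section_headers(pe):
        if sname == name:
            if len(new_raw) != rsize:
                raise ValueError(f"{name}: dump is {len(new_raw):#x} bytes but "
                                 f"SizeOfRawData is {rsize:#x}")
            return pe[:rptr] + bytes(new_raw) + pe[rptr + rsize:]
    raise KeyError(f"section {name!r} not found")

def build_sample_pe():
    """Constructed two-section i386 PE skeleton (not The Bat!): headers in the
    first 0x200 bytes, .text at file offset 0x200, .idata at offset 0x400."""
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)                 # e_lfanew
    hdr[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", hdr, 0x84, 0x14C, 2)            # Machine, NumberOfSections
    struct.pack_into("<H", hdr, 0x80 + 20, 0xE0)            # SizeOfOptionalHeader
    table = 0x80 + 24 + 0xE0
    SECTION_HDR.pack_into(hdr, table, b".text", 0x200, 0x1000, 0x200, 0x200,
                          0, 0, 0, 0, 0x60000020)
    SECTION_HDR.pack_into(hdr, table + 40, b".idata", 0x200, 0x2000, 0x200, 0x400,
                          0, 0, 0, 0, 0xC0000040)
    return bytes(hdr) + b"\x90" * 0x200 + b"\0" * 0x200
```

On a real dump, read the Procdump output and c:\thebat.bin with open(..., "rb") and pass them to replace_section(pe, ".idata", dump); the size check fires if the PAGEIN length does not match the section.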