软件脱壳教程(如何给软件脱壳)
一、用PEiD先查一下程序有无加壳,得到有加了壳:FSG 2.0 -> bart/xt二、用OllySTC载入程序,如下:
00400154 > 8725 74A24100 XCHG DWORD PTR DS:,ESP -->载入后到这里
F8单步进入,
0040015A 61 POPAD
0040015B 94 XCHG EAX,ESP
0040015C 55 PUSH EBP
0040015D A4 MOVS BYTE PTR ES:,BYTE PTR DS:
0040015E B6 80 MOV DH,80
00400160 FF13 CALL DWORD PTR DS:
00400162 ^ 73 F9 JNB SHORT FSG2_0.0040015D -->没有回跳,按F8
00400164 33C9 XOR ECX,ECX
00400166 FF13 CALL DWORD PTR DS:
00400168 73 16 JNB SHORT FSG2_0.00400180 -->没有回跳,按F8
0040016A 33C0 XOR EAX,EAX
0040016C FF13 CALL DWORD PTR DS:
0040016E 73 1F JNB SHORT FSG2_0.0040018F -->跳到0040018F
F8来到了0040018F处:
0040018F AC LODS BYTE PTR DS:
00400190 D1E8 SHR EAX,1
00400192 74 2D JE SHORT FSG2_0.004001C1 -->没有回跳,按F8
00400194 13C9 ADC ECX,ECX
00400196 EB 18 JMP SHORT FSG2_0.004001B0 -->跳到004001B0处
00400198 91 XCHG EAX,ECX
00400199 48 DEC EAX
0040019A C1E0 08 SHL EAX,8
0040019D AC LODS BYTE PTR DS:
0040019E FF53 04 CALL DWORD PTR DS:
004001A1 3B43 F8 CMP EAX,DWORD PTR DS:
004001A4 73 0A JNB SHORT FSG2_0.004001B0
004001A6 80FC 05 CMP AH,5
004001A9 73 06 JNB SHORT FSG2_0.004001B1
004001AB 83F8 7F CMP EAX,7F
004001AE 77 02 JA SHORT FSG2_0.004001B2
004001B0 41 INC ECX -->到这里了
004001B1 41 INC ECX
004001B2 95 XCHG EAX,EBP
004001B3 8BC5 MOV EAX,EBP
004001B5 B6 00 MOV DH,0
004001B7 56 PUSH ESI ; FSG2_0.00416393
004001B8 8BF7 MOV ESI,EDI
004001BA 2BF0 SUB ESI,EAX
004001BC F3:A4 REP MOVS BYTE PTR ES:,BYTE PTR DS:[>
004001BE 5E POP ESI
004001BF ^ EB 9F JMP SHORT FSG2_0.00400160 -->回跳到00400160处,用F4跳试到下一行
004001C1 5E POP ESI -->F8继续
004001C2 AD LODS DWORD PTR DS:
004001C3 97 XCHG EAX,EDI
004001C4 AD LODS DWORD PTR DS:
004001C5 50 PUSH EAX
004001C6 FF53 10 CALL DWORD PTR DS:
004001C9 95 XCHG EAX,EBP
004001CA 8B07 MOV EAX,DWORD PTR DS:
004001CC 40 INC EAX
004001CD ^ 78 F3 JS SHORT FSG2_0.004001C2 -->没有回跳,按F8
004001CF 75 03 JNZ SHORT FSG2_0.004001D4 -->这里千万不要再F8了,不信自己试一下。用F4跳试到下一行
004001D1 - FF63 0C JMP DWORD PTR DS: ; FSG2_0.004010CC这是Win98记事本程序的入口点F8进入
004001D4 50 PUSH EAX
页:
[1]