Unpacking Windows设置大师 with OllyDbg

Unpacking Windows设置大师 2003 V2.0 Build 0420

Platform: Win9x/NT/2000/XP

I. Dumping the program:

00601DD5   97              XCHG EAX,EDI
00601DD6 ^ EB 87           JMP SHORT Windows?00601D5F
00601DD8   AD              LODS DWORD PTR DS:[ESI]
00601DD9   93              XCHG EAX,EBX
00601DDA   5E              POP ESI
00601DDB   46              INC ESI
00601DDC   AD              LODS DWORD PTR DS:[ESI]
00601DDD   97              XCHG EAX,EDI
00601DDE   56              PUSH ESI
00601DDF   FF13            CALL DWORD PTR DS:[EBX]
00601DE1   95              XCHG EAX,EBP
00601DE2   AC              LODS BYTE PTR DS:[ESI]
00601DE3   84C0            TEST AL,AL
00601DE5 ^ 75 FB           JNZ SHORT Windows?00601DE2
00601DE7   FE0E            DEC BYTE PTR DS:[ESI]
00601DE9 ^ 74 F0           JE SHORT Windows?00601DDB
00601DEB   79 05           JNS SHORT Windows?00601DF2
00601DED   46              INC ESI
00601DEE   AD              LODS DWORD PTR DS:[ESI]
00601DEF   50              PUSH EAX
00601DF0   EB 09           JMP SHORT Windows?00601DFB
00601DF2   FE0E            DEC BYTE PTR DS:[ESI]
00601DF4 - 0F84 06F2DFFF   JE Windows?00401000        ===> set the breakpoint here (the jump to the OEP)
00601DFA   56              PUSH ESI
00601DFB   55              PUSH EBP
00601DFC   FF53 04         CALL DWORD PTR DS:[EBX+4]
00601DFF   AB              STOS DWORD PTR ES:[EDI]
00601E00 ^ EB E0           JMP SHORT Windows?00601DE2
00601E02   33C9            XOR ECX,ECX
00601E04   41              INC ECX

Set a breakpoint on the JE at 00601DF4. Once the program has broken, type bp 401000 in the command line and press Enter, then press F9; the program stops at 00601DF4. Clear the breakpoint there and press F9 once more; the program now breaks at 401000, the original entry point. Dump the program at that point.

The order matters: 00401000 lies in a section the unpacker is still writing to, and a software breakpoint (INT3) placed there too early is simply overwritten by the decompressed code. Stopping on the JE first guarantees the unpacking loop has finished before execution reaches the OEP. The loop above also explains why the dump will need its import table rebuilt afterwards: its structure is consistent with run-time import resolution, where CALL DWORD PTR DS:[EBX] is given a string in ESI and its result is kept in EBP, and each CALL DWORD PTR DS:[EBX+4] is given that value plus a name, with the returned address written to the table at EDI by STOS. The dump therefore contains an IAT filled with absolute DLL addresses rather than import descriptors.

II. Repairing the import table

After the program has been dumped, repair the import table with ImportREC, and that's it: the program runs normally, but after disassembling it no strings are visible.
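The two steps above (dump at the OEP in section I, import repair in section II) are done by hand in OllyDbg and ImportREC. The Python below is an added example, not code from the original tutorial or from either tool, showing the header fix-up that such a dump needs and a check on the IAT that ImportREC is then asked to rebuild. It assumes the usual image base 0x00400000, so that OEP 00401000 is RVA 1000 (the value ImportREC expects in its OEP field); the page itself does not state the image base. The section layout, the IAT location (RVA 0x2000) and the DLL addresses in `build_sample_dump` are all constructed for the example.

```python
import struct


def pe_header_offset(data: bytes) -> int:
    """Return the file offset of the PE signature after checking MZ and PE\\0\\0."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return pe


def parse_pe32(data: bytes) -> dict:
    """Pull the header fields this fix-up needs from a PE32 (not PE32+) image."""
    pe = pe_header_offset(data)
    nsec, opt_size = struct.unpack_from("<H12xH", data, pe + 6)   # NumberOfSections, SizeOfOptionalHeader
    opt = pe + 24                                                  # optional header follows the COFF header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 images are handled")
    entry = struct.unpack_from("<I", data, opt + 16)[0]            # AddressOfEntryPoint (an RVA)
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    sections = []
    for i in range(nsec):
        s = opt + opt_size + i * 40                                # 40-byte IMAGE_SECTION_HEADER
        name = bytes(data[s:s + 8]).rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rawsize, rawptr = struct.unpack_from("<4I", data, s + 8)
        sections.append({"name": name, "offset": s, "vsize": vsize, "va": va,
                         "rawsize": rawsize, "rawptr": rawptr})
    return {"opt": opt, "entry": entry, "image_base": image_base,
            "size_of_image": size_of_image, "sections": sections}


def fix_dump(data: bytes, oep_va: int) -> bytes:
    """Point AddressOfEntryPoint at the OEP and make each section's raw size/offset
    equal its virtual size/address: a memory dump is laid out by RVA, so the file
    offset of every section has to be its VirtualAddress."""
    buf = bytearray(data)
    hdr = parse_pe32(buf)
    struct.pack_into("<I", buf, hdr["opt"] + 16, oep_va - hdr["image_base"])
    for s in hdr["sections"]:
        struct.pack_into("<II", buf, s["offset"] + 16, s["vsize"], s["va"])
    return bytes(buf)


def rva_to_offset(data: bytes, rva: int) -> int:
    """Map an RVA to a file offset through the section table (ValueError if unmapped)."""
    for s in parse_pe32(data)["sections"]:
        if s["va"] <= rva < s["va"] + s["rawsize"]:
            return rva - s["va"] + s["rawptr"]
    raise ValueError(f"RVA {rva:#x} is not backed by file data")


def classify_iat(data: bytes, iat_rva: int, count: int) -> dict:
    """Sort `count` IAT slots of a dump: addresses outside the image (resolved DLL
    exports, which ImportREC turns back into named imports), zero slots (never
    filled), and pointers back into the image (packer redirection; needs tracing)."""
    hdr = parse_pe32(data)
    lo, hi = hdr["image_base"], hdr["image_base"] + hdr["size_of_image"]
    off = rva_to_offset(data, iat_rva)
    buckets = {"external": [], "zero": [], "internal": []}
    for v in struct.unpack_from(f"<{count}I", data, off):
        buckets["zero" if v == 0 else "internal" if lo <= v < hi else "external"].append(v)
    return buckets


def build_sample_dump() -> bytes:
    """Constructed stand-in for a dump taken at the OEP (not the real program): headers,
    a code section that existed only in memory (raw size 0 on disk) and a second
    section holding the unpacker stub and the IAT the stub filled at run time."""
    image_base, size_of_image = 0x400000, 0x3000
    img = bytearray(size_of_image)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)
    pe = 0x80
    img[pe:pe + 4] = b"PE\0\0"
    # Machine=i386, 2 sections, timestamp, symtab ptr, nsyms, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", img, pe + 4, 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = pe + 24
    struct.pack_into("<H", img, opt, 0x10B)
    struct.pack_into("<I", img, opt + 16, 0x2F00)                       # entry still points at the stub
    struct.pack_into("<III", img, opt + 28, image_base, 0x1000, 0x200)  # ImageBase, SectionAlign, FileAlign
    struct.pack_into("<II", img, opt + 56, size_of_image, 0x400)        # SizeOfImage, SizeOfHeaders
    sec = opt + 0xE0
    for i, (name, vsize, va, rawsize, rawptr) in enumerate(
            [(b".text", 0x1000, 0x1000, 0, 0), (b".pack", 0x1000, 0x2000, 0x1000, 0x400)]):
        struct.pack_into("<8s4I", img, sec + i * 40, name, vsize, va, rawsize, rawptr)
        struct.pack_into("<I", img, sec + i * 40 + 36, 0xE0000020)      # code|exec|read|write
    img[0x1000:0x1003] = b"\x55\x8b\xec"                                # push ebp / mov ebp,esp at the OEP
    # IAT at RVA 0x2000: two made-up DLL addresses written by the stub, one unfilled slot
    struct.pack_into("<3I", img, 0x2000, 0x7C801234, 0x77D45678, 0)
    return bytes(img)


if __name__ == "__main__":
    dump = build_sample_dump()
    fixed = fix_dump(dump, 0x401000)
    print(f"entry {parse_pe32(dump)['entry']:#x} -> {parse_pe32(fixed)['entry']:#x}")
    print("IAT:", classify_iat(fixed, 0x2000, 3))
```

On a real dump, read the file bytes instead of calling `build_sample_dump`, pass the OEP in VA form as in the tutorial (fix_dump converts it to the RVA the header stores), and use the IAT RVA that ImportREC's IAT AutoSearch reports. Entries classed as "external" are the ones ImportREC can map back to DLL exports; "zero" slots are imports the stub never reached before the OEP, and any "internal" pointers mean the packer redirected imports through its own code, which ImportREC alone will not resolve.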
