Target: Agama Web Buttons 2.52
Load the target in OllyDbg with all exceptions set to be ignored, put an F2 breakpoint on the code section and run with F9. Keep watching the stack window until an "SE handler" entry appears.
Follow that handler address: Ctrl+G to 61390B.
0061390B 55                   push ebp                          ; F2 breakpoint here
0061390C 8BEC                 mov ebp,esp
0061390E 57                   push edi
0061390F 36:8B45 10           mov eax,dword ptr ss:[ebp+10]     ; eax = 3rd argument = CONTEXT record of the exception
00613913 3E:8BB8 C4000000     mov edi,dword ptr ds:[eax+C4]     ; CONTEXT.Esp, points at the SEH registration record
0061391A 3E:FF37              push dword ptr ds:[edi]           ; its prev pointer ...
0061391D 33FF                 xor edi,edi
0061391F 64:8F07              pop dword ptr fs:[edi]            ; ... becomes fs:[0] again (handler unlinks itself)
00613922 3E:8380 C4000000 08  add dword ptr ds:[eax+C4],8       ; pop the 8-byte registration record off the saved stack
0061392A 3E:8BB8 A4000000     mov edi,dword ptr ds:[eax+A4]     ; CONTEXT.Ebx
00613931 C1C7 07              rol edi,7
00613934 3E:89B8 B8000000     mov dword ptr ds:[eax+B8],edi     ; CONTEXT.Eip; edi is the program entry point
0061393B B8 00000000          mov eax,0                         ; ExceptionContinueExecution: resume at the new Eip
00613940 5F                   pop edi
00613941 C9                   leave
00613942 C3                   retn
Set an F2 breakpoint on the push ebp at 0061390B and run with Shift+F9. When it breaks, single-step and watch the register window: at the annotated mov dword ptr ds:[eax+B8],edi the value of edi is the program's real entry point. Ctrl+G to that edi value, set an F2 breakpoint there, and run with Shift+F9 again. Once it breaks at the entry point, dump the process with LordPE.
0052F814 55                   push ebp                          ; F2 breakpoint here
0052F815 8BEC                 mov ebp,esp
0052F817 83C4 E4              add esp,-1C
0052F81A 33C0                 xor eax,eax
0052F81C 8945 E4              mov dword ptr ss:[ebp-1C],eax
0052F81F 8945 E8              mov dword ptr ss:[ebp-18],eax
0052F822 8945 EC              mov dword ptr ss:[ebp-14],eax
0052F825 B8 FCF35200          mov eax,Agama.0052F3FC
0052F82A E8 E975EDFF          call Agama.00406E18
0052F82F 33C0                 xor eax,eax
0052F831 55                   push ebp
0052F832 68 31FB5200          push Agama.0052FB31
0052F837 64:FF30              push dword ptr fs:[eax]
0052F83A 64:8920              mov dword ptr fs:[eax],esp
0052F83D B9 34655300          mov ecx,Agama.00536534
0052F842 BA 30655300          mov edx,Agama.00536530
0052F847 B8 2C655300          mov eax,Agama.0053652C
0052F84C E8 EFEDFFFF          call Agama.0052E640
0052F851 833D 2C655300 10     cmp dword ptr ds:[53652C],10
0052F858 7C 0C                jl short Agama.0052F866
0052F85A 813D 30655300 240300>cmp dword ptr ds:[536530],324
0052F864 7D 0F                jge short Agama.0052F875
0052F866 B8 48FB5200          mov eax,Agama.0052FB48            ; ASCII "This software requires 16 bit colors adapter and 800x640 resolution as the minimu!"
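To make clear what the handler at 0061390B does before you trust the edi value, here is an added C model of it (written for this note, not code from the protector or from the article). It models the three memory effects of the listing on a Win32 x86 CONTEXT record: unlinking the SEH frame through fs:[0], popping the registration record from CONTEXT.Esp, and writing rol(Ebx,7) into CONTEXT.Eip so that returning 0 (ExceptionContinueExecution) resumes execution at the unpacked entry point. The CONTEXT field offsets are the real ones; the stack addresses, the previous-handler pointer and the faulting Eip are constructed, and the Ebx value is obtained by rotating the OEP the article reaches (0052F814) right by 7, i.e. by inverting the handler's own rotation.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Field offsets in the Win32 x86 CONTEXT record used by the handler:
 * [eax+A4] = Ebx, [eax+B8] = Eip, [eax+C4] = Esp. */
#define CTX_EBX  0xA4
#define CTX_EIP  0xB8
#define CTX_ESP  0xC4
#define CTX_SIZE 0x2CC

/* Everything the handler reads or writes, modelled as plain memory.
 * stack_base and the stack contents are constructed for this example. */
struct machine {
    uint8_t  ctx[CTX_SIZE];   /* CONTEXT, the handler's 3rd argument ([ebp+10]) */
    uint32_t fs0;             /* fs:[0], head of the SEH chain */
    uint32_t stack_base;      /* virtual address of stack[0] */
    uint32_t stack[4];        /* words at stack_base: EXCEPTION_REGISTRATION first */
};

static uint32_t rol32(uint32_t v, unsigned n) { n &= 31; return n ? (v << n) | (v >> (32 - n)) : v; }
static uint32_t ror32(uint32_t v, unsigned n) { n &= 31; return n ? (v >> n) | (v << (32 - n)) : v; }

static uint32_t ctx_get(const uint8_t *ctx, size_t off) { uint32_t v; memcpy(&v, ctx + off, 4); return v; }
static void     ctx_set(uint8_t *ctx, size_t off, uint32_t v) { memcpy(ctx + off, &v, 4); }

/* The handler's effects, in the order the listing performs them. */
static void yoda_seh_handler(struct machine *m)
{
    uint32_t esp = ctx_get(m->ctx, CTX_ESP);
    /* mov edi,[eax+C4]; push [edi]; pop fs:[0]: the word at CONTEXT.Esp is the
     * registration record's prev pointer; storing it in fs:[0] unlinks this
     * handler so a later exception is not routed back here. */
    m->fs0 = m->stack[(esp - m->stack_base) / 4];
    /* add [eax+C4],8: discard the 8-byte EXCEPTION_REGISTRATION record. */
    ctx_set(m->ctx, CTX_ESP, esp + 8);
    /* mov edi,[eax+A4]; rol edi,7; mov [eax+B8],edi: the entry point travels
     * in Ebx rotated right by 7; un-rotate it into Eip. Returning 0 afterwards
     * makes the kernel resume the thread at this new Eip. */
    ctx_set(m->ctx, CTX_EIP, rol32(ctx_get(m->ctx, CTX_EBX), 7));
}

/* State at the moment the handler runs. Ebx is derived from the OEP the
 * article reaches (0052F814); addresses and the prev pointer are made up. */
static void setup_example(struct machine *m)
{
    memset(m, 0, sizeof *m);
    m->stack_base = 0x0012FF80;
    m->stack[0]   = 0x0012FFE0;            /* prev: next EXCEPTION_REGISTRATION (constructed) */
    m->stack[1]   = 0x0061390B;            /* handler: the routine modelled above */
    m->fs0        = m->stack_base;
    ctx_set(m->ctx, CTX_ESP, m->stack_base);
    ctx_set(m->ctx, CTX_EIP, 0x00613800);  /* faulting Eip inside the stub (constructed) */
    ctx_set(m->ctx, CTX_EBX, ror32(0x0052F814, 7));
}

/* Run the handler once and return the Eip it installs. */
static uint32_t example_oep(void)
{
    struct machine m;
    setup_example(&m);
    yoda_seh_handler(&m);
    return ctx_get(m.ctx, CTX_EIP);
}

int main(void)
{
    struct machine m;
    setup_example(&m);
    printf("Ebx at exception : %08X\n", ctx_get(m.ctx, CTX_EBX));
    yoda_seh_handler(&m);
    printf("Eip after handler: %08X (OEP)\n", ctx_get(m.ctx, CTX_EIP));
    printf("Esp after handler: %08X, fs:[0] = %08X\n", ctx_get(m.ctx, CTX_ESP), m.fs0);
    return 0;
}
```

The practical consequence is the one the note relies on: the edi you read at 00613934 is already the unrotated value, so it can be used directly as the address for the second breakpoint; the Ebx value before the rol is only the rotated form and not an address you can jump to.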
Original article; when reposting please credit: reposted from obaby@mars
Title: "yoda's Protector 1.3 -> Ashkbiz Danehkar manual unpacking notes"
Link: http://h4ck.org.cn/2009/08/yodas-protector-1-3-ashkbiz-danehkar-unpack/