目标:Agama Web Buttons2.52
用od载入后忽略所有异常,对code段下F2断点,F9运行,注意观察堆栈窗口,直到出现Se handle
跟入处理的数据,ctrl+g转到61390B
0061390B 55 push ebp ;F2断点
0061390C 8BEC mov ebp,esp
0061390E 57 push edi
0061390F 36:8B45 10 mov eax,dword ptr ss:[ebp+10]
00613913 3E:8BB8 C4000000 mov edi,dword ptr ds:[eax+C4]
0061391A 3E:FF37 push dword ptr ds:[edi]
0061391D 33FF xor edi,edi
0061391F 64:8F07 pop dword ptr fs:[edi]
00613922 3E:8380 C4000000 08 add dword ptr ds:[eax+C4],8
0061392A 3E:8BB8 A4000000 mov edi,dword ptr ds:[eax+A4]
00613931 C1C7 07 rol edi,7
00613934 3E:89B8 B8000000 mov dword ptr ds:[eax+B8],edi ; edi就是程序入口点
0061393B B8 00000000 mov eax,0
00613940 5F pop edi
00613941 C9 leave
00613942 C3 retn
下F2断点,shift+F9运行,中断后开始单步运行,注意寄存器窗口,标注的edi就是程序入口点,直接转到edi数值。F2下断。shift+F9运行,中断后即可用LordPe脱壳。
0052F814 55 push ebp ;F2断点
0052F815 8BEC mov ebp,esp
0052F817 83C4 E4 add esp,-1C
0052F81A 33C0 xor eax,eax
0052F81C 8945 E4 mov dword ptr ss:[ebp-1C],eax
0052F81F 8945 E8 mov dword ptr ss:[ebp-18],eax
0052F822 8945 EC mov dword ptr ss:[ebp-14],eax
0052F825 B8 FCF35200 mov eax,Agama.0052F3FC
0052F82A E8 E975EDFF call Agama.00406E18
0052F82F 33C0 xor eax,eax
0052F831 55 push ebp
0052F832 68 31FB5200 push Agama.0052FB31
0052F837 64:FF30 push dword ptr fs:[eax]
0052F83A 64:8920 mov dword ptr fs:[eax],esp
0052F83D B9 34655300 mov ecx,Agama.00536534
0052F842 BA 30655300 mov edx,Agama.00536530
0052F847 B8 2C655300 mov eax,Agama.0053652C
0052F84C E8 EFEDFFFF call Agama.0052E640
0052F851 833D 2C655300 10 cmp dword ptr ds:[53652C],10
0052F858 7C 0C jl short Agama.0052F866
0052F85A 813D 30655300 240300>cmp dword ptr ds:[536530],324
0052F864 7D 0F jge short Agama.0052F875
0052F866 B8 48FB5200 mov eax,Agama.0052FB48 ; ASCII "This software requires 16 bit colors adapter and 800x640 resolution as the minimu!"
原创文章,转载请注明: 转载自 obaby@mars
本文标题: 《yoda’s Protector 1.3 -> Ashkbiz Danehkar 手脱笔记》
本文链接地址: http://h4ck.org.cn/2009/08/yodas-protector-1-3-ashkbiz-danehkar-unpack/