  000000FF <br>
  004145AF  A1B4F14000          MOV      EAX,[0040F1B4] <br>
  004145B4  897D10              MOV      [EBP+10],EDI <br>
  004145B7  C7450C01000000      MOV      DWORD PTR [EBP+0C],00000001 <br>
  004145BE  50                  PUSH     EAX <br>
  004145BF  56                  PUSH     ESI <br>
  004145C0  FF15F4214100        CALL     [KERNEL32!GetModuleFileNameA] <br>
  004145C6  EB03                JMP      004145CB        (JUMP) <br>
  004145CB  E830EAFFFF          CALL     00413000 <br>
  004145D0  FF7510              PUSH     DWORD PTR [EBP+10] <br>
  004145D3  FF750C              PUSH     DWORD PTR [EBP+0C] <br>
  004145D6  56                  PUSH     ESI <br>
  004145D7  E806000000          CALL     004145E2 <br>
  <br>
  ** Once you step over this CALL at 004145D7, the packed notepad.exe runs normally, so the original <br>
    entry point is reached somewhere inside it. Load the program again with Symbol Loader; when you <br>
    reach this CALL again, trace into it with F8 and you will see the code below. Set a breakpoint on <br>
    it first with BPX 004145D7 so that you can return to the same spot on later runs. <br>
  <br>
  004145E2  64A100000000        MOV      EAX,FS:[00000000] <br>
  004145E8  55                  PUSH     EBP <br>
  004145E9  8BEC                MOV      EBP,ESP <br>
  004145EB  6AFF                PUSH     FF <br>
  004145ED  6810E04000          PUSH     0040E010 <br>
  004145F2  68EC5D4100          PUSH     00415DEC <br>
  004145F7  50                  PUSH     EAX <br>
  004145F8  64892500000000      MOV      FS:[00000000],ESP <br>
  004145FF  83EC14              SUB      ESP,14 <br>
  00414602  C745E401000000      MOV      DWORD PTR [EBP-1C],00000001 <br>
  00414609  53                  PUSH     EBX <br>
  0041460A  56                  PUSH     ESI <br>
  0041460B  57                  PUSH     EDI <br>
  0041460C  8965E8              MOV      [EBP-18],ESP <br>
  0041460F  C745FC00000000      MOV      DWORD PTR [EBP-04],00000000 <br>
  00414616  8B450C              MOV      EAX,[EBP+0C] <br>
  00414619  83F801              CMP      EAX,01 <br>
  0041461C  7510                JNZ      0041462E        (NO JUMP) <br>
  0041461E  E886030000          CALL     004149A9 <br>
  00414623  FF05C0F14000        INC      DWORD PTR [0040F1C0] <br>
  00414629  E882F6FFFF          CALL     00413CB0 <br>
  0041462E  8B35C0F14000        MOV      ESI,[0040F1C0] <br>
  00414634  85F6                TEST     ESI,ESI <br>
  00414636  0F848D000000        JZ       004146C9        (NO JUMP) <br>
  0041463C  833DC4F1400000      CMP      DWORD PTR [0040F1C4],00 <br>
  00414643  7526                JNZ      0041466B        (NO JUMP) <br>
  00414645  833D6417410000      CMP      DWORD PTR [00411764],00 <br>
  0041464C  741D                JZ       0041466B        (NO JUMP) <br>
  0041464E  A164174100          MOV      EAX,[00411764] <br>
  <br>
  ** EAX now holds 000010CC: the RVA of the original entry point, which Shrinker keeps at 00411764. <br>
  <br>
  00414653  030588184100        ADD      EAX,[00411888] <br>
  <br>
  ** EAX now holds 004010CC, so the dword at 00411888 is the ImageBase, 00400000. <br>
  <br>
  00414659  8945DC              MOV      [EBP-24],EAX <br>
  <br>
  ** [EBP-24] now contains 004010CC. <br>
  <br>
  0041465C  FF7510              PUSH     DWORD PTR [EBP+10] <br>
  0041465F  FF750C              PUSH     DWORD PTR [EBP+0C] <br>
  00414662  FF7508              PUSH     DWORD PTR [EBP+08] <br>
  00414665  FF55DC              CALL     [EBP-24] <br>
  <br>
  ** If you step over this last CALL, notepad.exe runs normally again. <br>
    Since [EBP-24] = 004010CC, this instruction means the packed program is CALLing 004010CC, <br>
    passing the three arguments it received itself ([EBP+08], [EBP+0C] and [EBP+10]) straight <br>
    through to it. If you trace into this CALL, notepad.exe starts up almost immediately. <br>
  <br>
  If you trace more programs packed with Shrinker v3.4 you will always meet this "CALL [EBP-24]": <br>
  it is the point where the loader transfers control to the real entry point of the unpacked program. <br>
  <br>
  Load the packed notepad.exe again. When SoftICE breaks, press F5 and you will stop at 004145D7 (where <br>
  you set the breakpoint earlier). Trace into it until you reach 00414665, where the program is about to <br>
  enter the real entry point of the unpacked program. <br>
  <br>
  Now type the following commands: <br>
  a eip (then press Enter) <br>
  jmp eip (then press Enter) <br>
  Press F5 <br>
  <br>
  This changes the code at 00414665. After typing "jmp eip" and pressing Enter you will notice that the <br>
  instruction at 00414665 is now a jmp to itself, which effectively "pauses" the program: it spins on that <br>
  one instruction while the original program sits fully unpacked in memory. Pressing F5 returns you to <br>
  Windows, and you can now dump the unpacked program to your hard disk. <br>
  <br>
  Now use ProcDump again. Right-click in the first list under "Task" and choose "Refresh list". Find <br>
  notepad.exe in the Task list and right-click it. <br>
  Then choose "Dump (Full)" and save the unpacked program under a name of your choice. <br>
  Right-click notepad.exe again and choose "Kill Task". <br>
  <br>
  _________________________________________________________________________ <br>
  <br>
          Changing the entry point value <br>
  <br>
  As you will remember, the entry point of the unpacked notepad.exe is 004010CC. <br>
  Open the unpacked notepad.exe again with ProcDump's PE Editor. <br>
  <br>
  Under "Header Infos" you will see that the entry point is 0001454F, which is of course wrong: it still <br>
  points into the Shrinker loader code rather than at the original program. If you run the unpacked <br>
  notepad.exe without changing it, the program will not start. <br>
  <br>
  The PE header stores the entry point as an RVA, so set Entry Point = 004010CC - ImageBase. With the <br>
  ImageBase of 00400000 found above, that is 000010CC. Click "OK". <br>
  <br>
  Now run the unpacked notepad.exe: it should work normally. 8) <br>
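  <br>
  The two edits this chapter makes by hand, freezing the process with "a eip" / "jmp eip" and then correcting the entry point in ProcDump's PE Editor, both come down to writing a few bytes at known places in a PE image. The script below is an added example, not code from this tutorial, from ProcDump or from Shrinker: it parses the PE header and section table of a dumped image, converts a virtual address to a file offset, rewrites AddressOfEntryPoint as OEP - ImageBase (the same subtraction the text asks for), and writes the two bytes EB FE, a short JMP to itself, which is what "jmp eip" assembles to. The image it operates on is a constructed stand-in for the ProcDump output (ImageBase 00400000, one .text section, stale entry point 0001454F); the function names and the sample layout are my own assumptions. <br>

```python
import struct

# Field offsets inside IMAGE_OPTIONAL_HEADER32 (PE32 only).
OPT_MAGIC = 0
OPT_ADDRESS_OF_ENTRY_POINT = 16
OPT_IMAGE_BASE = 28
PE32_MAGIC = 0x10B
SECTION_HEADER_SIZE = 40


def parse_pe(image):
    """Return (optional_header_offset, image_base, entry_rva, sections).

    sections is a list of (name, virtual_address, virtual_size,
    pointer_to_raw_data, size_of_raw_data) tuples.
    """
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    size_of_opt = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", image, opt + OPT_MAGIC)[0] != PE32_MAGIC:
        raise ValueError("only PE32 images are handled here")
    entry_rva = struct.unpack_from("<I", image, opt + OPT_ADDRESS_OF_ENTRY_POINT)[0]
    image_base = struct.unpack_from("<I", image, opt + OPT_IMAGE_BASE)[0]
    sections = []
    hdr = opt + size_of_opt
    for _ in range(num_sections):
        name = bytes(image[hdr:hdr + 8]).rstrip(b"\0").decode("ascii", "replace")
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", image, hdr + 8)
        sections.append((name, va, vsize, raw_ptr, raw_size))
        hdr += SECTION_HEADER_SIZE
    return opt, image_base, entry_rva, sections


def va_to_file_offset(image, va):
    """Map a virtual address to the file offset holding it, via the section table."""
    _, image_base, _, sections = parse_pe(image)
    rva = va - image_base
    for name, sec_va, vsize, raw_ptr, raw_size in sections:
        # Some packers leave VirtualSize at 0, so take the larger of the two sizes.
        if sec_va <= rva < sec_va + max(vsize, raw_size):
            delta = rva - sec_va
            if delta >= raw_size:
                raise ValueError(f"{va:08X} lies in {name} but beyond its raw data")
            return raw_ptr + delta
    raise ValueError(f"{va:08X} (RVA {rva:08X}) is not inside any section")


def fix_entry_point(image, oep_va):
    """Set AddressOfEntryPoint to the RVA of oep_va; returns (old_rva, new_rva)."""
    opt, image_base, old_rva, _ = parse_pe(image)
    if oep_va < image_base:
        raise ValueError("OEP is below ImageBase")
    va_to_file_offset(image, oep_va)        # raises if the OEP is not inside a section
    new_rva = oep_va - image_base           # the "004010CC - ImageBase" of the text
    struct.pack_into("<I", image, opt + OPT_ADDRESS_OF_ENTRY_POINT, new_rva)
    return old_rva, new_rva


def patch_jmp_self(image, va):
    """Write EB FE (JMP to itself) at va: the on-disk twin of 'a eip' / 'jmp eip'.

    Only the first two bytes of the original instruction are overwritten; whatever
    follows is never reached because the jump loops forever.
    """
    off = va_to_file_offset(image, va)
    image[off:off + 2] = b"\xEB\xFE"
    return off


def build_sample_image():
    """Constructed stand-in for the ProcDump full dump (not a real notepad.exe):
    ImageBase 00400000, one .text section, entry point still 0001454F."""
    img = bytearray(0x400 + 0x14000)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                       # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    coff = 0x44
    # Machine i386, 1 section, timestamp, symtab ptr, nsyms, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", img, coff, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = coff + 20
    struct.pack_into("<H", img, opt + OPT_MAGIC, PE32_MAGIC)
    struct.pack_into("<I", img, opt + OPT_ADDRESS_OF_ENTRY_POINT, 0x1454F)
    struct.pack_into("<I", img, opt + OPT_IMAGE_BASE, 0x00400000)
    sec = opt + 0xE0
    img[sec:sec + 8] = b".text\0\0\0"
    # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    struct.pack_into("<IIII", img, sec + 8, 0x14000, 0x1000, 0x14000, 0x400)
    # Plant the CALL [EBP-24] (FF 55 DC) at 00414665, as in the listing above.
    off = 0x400 + (0x14665 - 0x1000)
    img[off:off + 3] = b"\xFF\x55\xDC"
    return img


if __name__ == "__main__":
    img = build_sample_image()
    old, new = fix_entry_point(img, 0x004010CC)
    print(f"AddressOfEntryPoint {old:08X} -> {new:08X}")     # 0001454F -> 000010CC
    off = patch_jmp_self(img, 0x00414665)
    print(f"EB FE written at file offset {off:X}")
```

  To use it on a real dump, replace build_sample_image() with bytearray(open(path, "rb").read()) and write the bytearray back afterwards. fix_entry_point refuses an OEP that does not fall inside any section of the dump, which is the usual sign that the wrong address was noted down or that the dump is incomplete. <br>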
  <br>
  __________________________________________________________________________ <br>
  <br>
  <br>
                Final notes <br>
  <br>
  This tutorial was written for all newbies like me. <br>
  <br>
  My thanks and gratitude go to: <br>
  <br>
  MiZ, from whom I learned the basic techniques of unpacking. <br>
  <br>
  The authors of all the cracking tutorials and CrackMes, and all the Crackers who keep supporting my website and forum.</p>
<hr width=735>
<div align="center"><span class="p9"><font size="2"><span class="p9"><font size="2"><span class="p9">Copyright 
  &copy; 2000-2001 <a href="http://www.pediy.com/">KanXue Studio</a> All Rights 
  Reserved.</span></font></span></font></span></div>
</body>
</html>
