手脱EXE32Pack v1.39

1.PEID查壳

EXE32Packv1.39

2.载入OD，先F8跟一下

0040A00C>3BC0cmpeax,eax;//程序入口点
0040A00E7402jeshortsticker.0040A012
0040A0108183553BC0740>adddwordptrds:[ebx+0x74C03B55]>
0040A01A3BC9cmpecx,ecx
0040A01C7401jeshortsticker.0040A01F
0040A01EBC563BD274movesp,0x74D23B56

3.直到这里，我们看到一个push入栈，ESP跟一下，下硬件访问断点，然后shift+F9

0040A01255pushebp
0040A0133BC0cmpeax,eax;//ESP定律
0040A0157402jeshortsticker.0040A019
0040A0178183533BC9740>adddwordptrds:[ebx+0x74C93B53]>
0040A021D2740281salbyteptrds:[edx+eax-0x7F],cl
0040A0258557E8testdwordptrds:[edi-0x18],edx
0040A0280000addbyteptrds:[eax],al

4.ESP落脚点，然后继续F8单步跟一下

0040EE6F3BE4cmpesp,esp;//ESP落脚点
0040EE717401jeshortsticker.0040EE74
0040EE73BFFFE0B801movedi,0x1B8E0FF
0040EE780000addbyteptrds:[eax],al
0040EE7A003Baddbyteptrds:[ebx],bh
0040EE7CC9leave
0040EE7D7402jeshortsticker.0040EE81
0040EE7F81845F3BD27401>adddwordptrds:[edi+ebx*2+0x174>

5.OK，找到指向OEP的关键跳

0040EE74-FFE0jmpeax;//指向OEP的关键跳
0040EE76B801000000moveax,0x1
0040EE7B3BC9cmpecx,ecx
0040EE7D7402jeshortsticker.0040EE81
0040EE7F81845F3BD27401>adddwordptrds:[edi+ebx*2+0x174>
0040EE8A7402jeshortsticker.0040EE8E
0040EE8C81865B3BDB740>adddwordptrds:[esi+0x74DB3B5B]>

6.来到OEP

0040535F55pushebp;//来到OEP
004053608BECmovebp,esp
004053626AFFpush-0x1
0040536468D0124000pushsticker.004012D0
004053696820534000pushsticker.00405320
0040536E64:A100000000moveax,dwordptrfs:[0]
0040537450pusheax
0040537564:89250000000>movdwordptrfs:[0],esp
0040537C83EC68subesp,0x68

7.loadPE+ImportREC脱壳，运行，查壳

OK，可以运行，查壳：MicrosoftVisualC++v6.0(16ms)