新手入门脱壳简单介绍

壳的分类：压缩壳、加密壳 脱壳的基本方法： 1。单步 2。ESP定律 3。内存镜像 4。模拟跟踪（2类） 5。最后一次异常 1）SFX跟踪 2）tc eip<XXXX 6。特殊 常见语言的入口点：

 VB：

004012D4 > 68 54474000 push QQ个性网.00404754
004012D9 E8 F0FFFFFF call <jmp.&MSVBVM60.#100>
004012DE 0000 add byte ptr ds:\[eax\],al
004012E0 0000 add byte ptr ds:\[eax\],al
004012E2 0000 add byte ptr ds:\[eax\],al
004012E4 3000 xor byte ptr ds:\[eax\],al
004012E6 0000 add byte ptr ds:\[eax\],al
004012E8 48 dec eax

delphi:

004A5C54 > 55 push ebp
004A5C55 8BEC mov ebp,esp
004A5C57 83C4 F0 add esp,-10
004A5C5A B8 EC594A00 mov eax,openpro.004A59EC

BC++:

00401678 > /EB 10 jmp short btengine.0040168A
0040167A |66:623A bound di,dword ptr ds:\[edx\]
0040167D |43 inc ebx
0040167E |2B2B sub ebp,dword ptr ds:\[ebx\]
00401680 |48 dec eax
00401681 |4F dec edi
00401682 |4F dec edi
00401683 |4B dec ebx
00401684 |90 nop
00401685 -|E9 98005400 jmp 00941722
0040168A \\A1 8B005400 mov eax,dword ptr ds:\[54008B\]
0040168F C1E0 02 shl eax,2
00401692 A3 8F005400 mov dword ptr ds:\[54008F\],eax
00401697 52 push edx
00401698 6A 00 push 0
0040169A E8 99D01300 call <jmp.&KERNEL32.GetModuleHandleA>
0040169F 8BD0 mov edx,eax

VC++:

0040A41E > 55 push ebp
0040A41F 8BEC mov ebp,esp
0040A421 6A FF push -1
0040A423 68 C8CB4000 push 跑跑排行.0040CBC8
0040A428 68 A4A54000 push <jmp.&MSVCRT.\_except\_handler3>
0040A42D 64:A1 00000000 mov eax,dword ptr fs:\[0\]
0040A433 50 push eax
0040A434 64:8925 0000000>mov dword ptr fs:\[0\],esp
0040A43B 83EC 68 sub esp,68
0040A43E 53 push ebx
0040A43F 56 push esi
0040A440 57 push edi

MASM(汇编):

004035C9 > 6A 00 push 0
004035CB E8 A20A0000 call <jmp.&kernel32.GetModuleHandleA>
004035D0 A3 5B704000 mov dword ptr ds:\[40705B\],eax
004035D5 68 80000000 push 80
004035DA 68 2C754000 push 11.0040752C
004035DF FF35 5B704000 push dword ptr ds:\[40705B\]
004035E5 E8 820A0000 call <jmp.&kernel32.GetModuleFileNameA>
004035EA E8 87070000 call 11.00403D76
004035EF 6A 00 push 0
004035F1 68 0B364000 push 11.0040360B
004035F6 6A 00 push 0
004035F8 6A 64 push 64
004035FA FF35 5B704000 push dword ptr ds:\[40705B\]