1. Identify the packer with PEiD
nSPack 1.3 -> North Star/Liu Xing Ping
2. Load the file in OllyDbg. At the call right below pushad, apply the ESP trick: set a hardware access breakpoint on the dword at ESP, then press Shift+F9 to run
00432356 > 9C             pushfd                          ; // program entry point
00432357   60             pushad
00432358   E8 00000000    call QQ个性网.0043235D           ; // apply the ESP trick here
0043235D   5D             pop ebp
0043235E   B8 B3854000    mov eax,QQ个性网.004085B3
00432363   2D AC854000    sub eax,QQ个性网.004085AC
00432368   2BE8           sub ebp,eax
0043236A   8DB5 D6FEFFFF  lea esi,dword ptr ss:[ebp-0x12A]
3. The ESP landing point. The line right after it is a long jump, and that jump goes to the OEP; step with F8 and follow it
0043257A   9D             popfd                           ; // ESP landing point
0043257B - E9 54EDFCFF    jmp QQ个性网.004012D4            ; // long jump to the OEP
00432580   8BB5 AEFEFFFF  mov esi,dword ptr ss:[ebp-0x152]
00432586   0BF6           or esi,esi
00432588   0F84 97000000  je QQ个性网.00432625
4. At the OEP; the process can now be dumped
004012D4   68 54474000    push QQ个性网.00404754           ; // OEP
004012D9   E8 F0FFFFFF    call QQ个性网.004012CE
004012DE   0000           add byte ptr ds:[eax],al
004012E0   0000           add byte ptr ds:[eax],al
004012E2   0000           add byte ptr ds:[eax],al
004012E4   3000           xor byte ptr ds:[eax],al
004012E6   0000           add byte ptr ds:[eax],al
004012E8   48             dec eax
5. Run the dump and check it with the packer scanner
The dump runs fine. Packer scan result: Microsoft Visual Basic v5.0/v6.0
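Added example, not part of the original walkthrough: a small Python script that replays the two pieces of reasoning used in steps 2 and 3 on the OllyDbg listing above. It decodes the "call $+5 / pop ebp / mov eax,A / sub eax,B / sub ebp,eax" sequence at the stub entry to show what the stub computes in ebp (its own load address, which is why the later [ebp-0x...] references work wherever the stub is mapped), and it locates the ESP-trick landing point (the popfd after the entry pushad) and decodes the rel32 of the jmp that follows it to recover the OEP. The input lines are constructed from the dump above in OllyDbg's "address bytes instruction" text layout with the ';' annotations removed; the parsing rules and function names are this example's own assumptions, not anything from the packer or from OllyDbg.

```python
import re
import struct

# Constructed input: the nSPack stub lines from the walkthrough, in OllyDbg's
# "address bytes instruction" text layout with the ';' annotations removed.
STUB_LINES = [
    "00432356 9C pushfd",
    "00432357 60 pushad",
    "00432358 E8 00000000 call QQ个性网.0043235D",
    "0043235D 5D pop ebp",
    "0043235E B8 B3854000 mov eax,QQ个性网.004085B3",
    "00432363 2D AC854000 sub eax,QQ个性网.004085AC",
    "00432368 2BE8 sub ebp,eax",
    "0043257A 9D popfd",
    "0043257B - E9 54EDFCFF jmp QQ个性网.004012D4",
    "00432580 8BB5 AEFEFFFF mov esi,dword ptr ss:[ebp-0x152]",
]

HEX_TOKEN = re.compile(r"[0-9A-F]+")


def parse_listing(lines):
    """Split each OllyDbg line into (address, opcode bytes, instruction text).
    Assumption: byte tokens are upper-case hex and the mnemonic is the first
    token that is not hex; OllyDbg's '-' / '>' jump markers are skipped."""
    insns = []
    for line in lines:
        toks = [t for t in line.split() if t not in ("-", ">")]
        addr = int(toks[0], 16)
        raw = bytearray()
        i = 1
        while i < len(toks) and HEX_TOKEN.fullmatch(toks[i]):
            raw += bytes.fromhex(toks[i])
            i += 1
        insns.append((addr, bytes(raw), " ".join(toks[i:])))
    return insns


def rel32_target(addr, raw):
    """Decode an E8 (call rel32) / E9 (jmp rel32): target = next EIP + signed disp."""
    if len(raw) != 5 or raw[0] not in (0xE8, 0xE9):
        raise ValueError("not a rel32 call/jmp")
    disp = struct.unpack("<i", raw[1:5])[0]
    return (addr + 5 + disp) & 0xFFFFFFFF


def stub_base(insns):
    """Replay the get-EIP sequence at the stub entry:
         call $+5 / pop ebp / mov eax,A / sub eax,B / sub ebp,eax
    and return the ebp value the stub ends up with (its own first byte)."""
    for i in range(len(insns) - 4):
        addr, raw, text = insns[i]
        if raw[:1] != b"\xE8" or rel32_target(addr, raw) != addr + 5:
            continue
        if insns[i + 1][2] != "pop ebp":
            continue
        mov_raw, sub_raw, sub_ebp_raw = insns[i + 2][1], insns[i + 3][1], insns[i + 4][1]
        if mov_raw[0] != 0xB8 or sub_raw[0] != 0x2D or sub_ebp_raw != b"\x2B\xE8":
            continue
        ebp = addr + 5  # pop ebp receives the return address pushed by the call
        a = struct.unpack("<I", mov_raw[1:5])[0]
        b = struct.unpack("<I", sub_raw[1:5])[0]
        return (ebp - ((a - b) & 0xFFFFFFFF)) & 0xFFFFFFFF
    return None


def find_oep_jump(insns):
    """ESP-trick landing point: the first popad/popfd after the entry pushad
    whose next instruction is a jmp. Returns (landing_addr, jmp_addr, target)."""
    seen_pushad = False
    for i, (addr, raw, text) in enumerate(insns[:-1]):
        mnem = text.split()[0]
        if mnem == "pushad":
            seen_pushad = True
        elif seen_pushad and mnem in ("popad", "popfd"):
            nxt_addr, nxt_raw, nxt_text = insns[i + 1]
            if nxt_text.startswith("jmp"):
                return addr, nxt_addr, rel32_target(nxt_addr, nxt_raw)
    return None


if __name__ == "__main__":
    insns = parse_listing(STUB_LINES)
    print("stub base (ebp) = %08X" % stub_base(insns))
    landing, jmp_at, oep = find_oep_jump(insns)
    print("landing %08X, jmp at %08X -> OEP %08X" % (landing, jmp_at, oep))
```

The decoded jmp target matches the address the walkthrough lands on in step 4, and ebp resolves to 00432356, the pushfd at the packed entry point, so every [ebp-0x...] operand in the stub is an offset from the stub's own start.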