广陵散's Blog


PECompact 2.x -> Jeremy Collake: unpacking notes

PEiD identifies the packer as PECompact 2.x -> Jeremy Collake.
Loaded into OllyDbg, the program stops at the entry point:
00401000      B8 D4A14300          mov eax,CoralQQ.0043A1D4

Press F8 to single-step through the next instructions:
00401005      50                   push eax
00401006      64:FF35 00000000     push dword ptr fs:[0]
0040100D      64:8925 00000000     mov dword ptr fs:[0],esp
00401014      33C0                 xor eax,eax                  
At this point the stack window shows the SEH frame the stub has just registered:
————————————————————————————————————————————————
0012FFBC       0012FFE0      Pointer to next SEH record
0012FFC0       0043A1D4      SE handler
0012FFC4       7C816D4F      RETURN to kernel32.7C816D4F
————————————————————————————————————————————————
So the stub installs a handler at 0043A1D4 (the value it loaded into eax) and then deliberately raises an exception so that this handler runs. Follow it: Ctrl+G to 0043A1D4, set a breakpoint there and press F9;
the program breaks inside the handler:
0043A1D4      B8 7E9043F0          mov eax,F043907E
0043A1D9      8D88 79110010        lea ecx,dword ptr ds:[eax+10001179]
0043A1DF      8941 01              mov dword ptr ds:[ecx+1],eax
0043A1E2      8B5424 04            mov edx,dword ptr ss:[esp+4]
0043A1E6      8B52 0C              mov edx,dword ptr ds:[edx+C]
0043A1E9      C602 E9              mov byte ptr ds:[edx],0E9
0043A1EC      83C2 05              add edx,5
0043A1EF      2BCA                 sub ecx,edx
0043A1F1      894A FC              mov dword ptr ds:[edx-4],ecx
What the handler does: ecx = F043907E + 10001179 = 0043A1F7 (truncated to 32 bits), so mov [ecx+1],eax overwrites the imm32 of the mov eax,12345678 at 0043A1F7 with the key F043907E. [esp+4] is the EXCEPTION_RECORD pointer and offset C in it is ExceptionAddress, so the remaining lines write an E9 opcode followed by the rel32 (ecx - (edx+5)) at the faulting instruction, turning it into jmp 0043A1F7; when the handler returns with ExceptionContinueExecution, execution resumes on that jump. Remove the breakpoint and set a new one at 0043A1F7:
0043A1F7      B8 78563412          mov eax,12345678
0043A1FC      64:8F05 00000000     pop dword ptr fs:[0]
0043A203      83C4 04              add esp,4
0043A206      55                   push ebp
0043A207      53                   push ebx
0043A208      51                   push ecx
0043A209      57                   push edi
0043A20A      56                   push esi
0043A20B      52                   push edx
Press F9 again and the program breaks at 0043A1F7 (by now the immediate of the mov eax has been patched to F043907E). Remove the breakpoint and single-step with F8
all the way to 0043A29F:
0043A281      8985 23120010        mov dword ptr ss:[ebp+10001223],eax
0043A287      8BF0                 mov esi,eax
0043A289      59                   pop ecx
0043A28A      5A                   pop edx
0043A28B      03CA                 add ecx,edx
0043A28D      68 00800000          push 8000
0043A292      6A 00                push 0
0043A294      57                   push edi
0043A295      FF11                 call dword ptr ds:[ecx]
0043A297      8BC6                 mov eax,esi
0043A299      5A                   pop edx
0043A29A      5E                   pop esi
0043A29B      5F                   pop edi
0043A29C      59                   pop ecx
0043A29D      5B                   pop ebx
0043A29E      5D                   pop ebp
0043A29F      FFE0                 jmp eax

The call [ecx] just before it receives the arguments (edi, 0, 8000), the pattern of VirtualFree(edi, 0, MEM_RELEASE): the stub releases its work buffer, restores the registers it pushed at 0043A206, and reloads eax from esi, the value it stored at 0043A287. F8 over the jmp eax lands on the OEP:
00418E2C      55                   push ebp      OEP reached

This only locates the OEP; dumping the process and rebuilding the import table are separate steps.
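To check the handler's arithmetic rather than take it on trust, here is a small Python model that replays 0043A1D4..0043A1F1 against a fake memory image. It is an example added to this write-up, not code from the page or from PECompact. The constants F043907E and 10001179 and the bytes B8 78563412 at 0043A1F7 come from the listings above; the faulting address 0x00401016 and the EXCEPTION_RECORD contents are constructed assumptions, since the page does not show the instruction that faults.

```python
"""
Replay of the PECompact 2.x SEH handler at 0043A1D4 on a model memory.

Added example (not code from the page or from PECompact). Constants and
the original bytes at 0043A1F7 are from the OllyDbg listing; FAULT_ADDR
and the EXCEPTION_RECORD are constructed assumptions.
"""
import struct

MASK32 = 0xFFFFFFFF

# Immediates from the handler listing.
HANDLER_KEY = 0xF043907E   # 0043A1D4  mov eax, F043907E
LEA_DISP = 0x10001179      # 0043A1D9  lea ecx, [eax+10001179]

# x86 EXCEPTION_RECORD: +0 ExceptionCode, +4 ExceptionFlags,
# +8 ExceptionRecord (nested), +C ExceptionAddress. The handler reads [edx+C].
EXC_ADDR_OFF = 0xC

# Assumed address of the instruction that faults after 'xor eax,eax' at
# 00401014; the listing on the page stops before it.
FAULT_ADDR = 0x00401016
STATUS_ACCESS_VIOLATION = 0xC0000005


class Memory:
    """Sparse byte-addressed memory, little-endian, 32-bit addresses."""

    def __init__(self):
        self.cells = {}

    def write(self, addr, data):
        for i, b in enumerate(data):
            self.cells[(addr + i) & MASK32] = b

    def read(self, addr, n):
        return bytes(self.cells.get((addr + i) & MASK32, 0) for i in range(n))

    def read_u32(self, addr):
        return struct.unpack("<I", self.read(addr, 4))[0]


def handler_target():
    """ecx = eax + 10001179 with eax = F043907E, truncated to 32 bits."""
    return (HANDLER_KEY + LEA_DISP) & MASK32


def build_exception_record(code, address):
    """Constructed EXCEPTION_RECORD header as the dispatcher passes it."""
    return struct.pack("<IIII", code, 0, 0, address)


def seh_handler(exception_record, mem):
    """Replay of 0043A1D4..0043A1F1; [esp+4] is the EXCEPTION_RECORD pointer."""
    eax = HANDLER_KEY
    ecx = (eax + LEA_DISP) & MASK32                 # lea ecx,[eax+10001179]
    mem.write(ecx + 1, struct.pack("<I", eax))      # mov [ecx+1],eax: imm32 of mov eax,12345678
    edx = struct.unpack_from("<I", exception_record, EXC_ADDR_OFF)[0]  # mov edx,[edx+C]
    mem.write(edx, b"\xE9")                         # mov byte [edx],E9 (jmp rel32 opcode)
    edx = (edx + 5) & MASK32                        # add edx,5 (end of the 5-byte jmp)
    rel = (ecx - edx) & MASK32                      # sub ecx,edx
    mem.write(edx - 4, struct.pack("<I", rel))      # mov [edx-4],ecx
    return 0                                        # ExceptionContinueExecution


def jmp_rel32_target(mem, addr):
    """Decode an E9 rel32 jump at addr; None if there is no jmp there."""
    if mem.read(addr, 1) != b"\xE9":
        return None
    rel = struct.unpack("<i", mem.read(addr + 1, 4))[0]
    return (addr + 5 + rel) & MASK32


def mov_eax_imm32(mem, addr):
    """Decode 'B8 imm32' (mov eax, imm32) at addr."""
    if mem.read(addr, 1) != b"\xB8":
        raise ValueError("no mov eax,imm32 at %#010x" % addr)
    return mem.read_u32(addr + 1)


def replay():
    """Lay out the image as seen before the fault, run the handler, report."""
    mem = Memory()
    mem.write(0x0043A1F7, bytes.fromhex("B878563412"))   # mov eax,12345678 (listing)
    record = build_exception_record(STATUS_ACCESS_VIOLATION, FAULT_ADDR)
    disposition = seh_handler(record, mem)
    return {
        "disposition": disposition,
        "resume_jmp_target": jmp_rel32_target(mem, FAULT_ADDR),
        "patched_imm32": mov_eax_imm32(mem, 0x0043A1F7),
        "jmp_bytes": mem.read(FAULT_ADDR, 5).hex().upper(),
    }


if __name__ == "__main__":
    for name, value in replay().items():
        print(name, "%#010x" % value if isinstance(value, int) else value)
```

Run stand-alone it shows the faulting instruction rewritten to jmp 0043A1F7 (E9 followed by the rel32) and the immediate at 0043A1F7 changed to F043907E, which is why the breakpoint in the walkthrough goes on 0043A1F7 and why the mov eax there is no longer 12345678 once it is hit. Change FAULT_ADDR to any other address and the rel32 adjusts so the target stays 0043A1F7.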


Powered By Z-Blog 1.8 Arwen Build 81206 Auto Publisher Copyright 2008-2009 苏ICP备08000947号
