After unpacking, I arrive at the fake OEP (FOEP). The code is as follows:
004077B0 >/$ 53 push ebx
004077B1 |. 8BD8 mov ebx, eax
004077B3 |. 33C0 xor eax, eax
004077B5 |. A3 C4205200 mov dword ptr [5220C4], eax
004077BA |. 6A 00 push 0 ; /pModule = NULL
004077BC |. E8 2BFFFFFF call <jmp.&kernel32.GetModuleHandleA> ; \GetModuleHandleA
004077C1 |. A3 68C65200 mov dword ptr [52C668], eax
004077C6 |. A1 68C65200 mov eax, dword ptr [52C668]
004077CB |. A3 D0205200 mov dword ptr [5220D0], eax
004077D0 |. 33C0 xor eax, eax
004077D2 |. A3 D4205200 mov dword ptr [5220D4], eax
004077D7 |. 33C0 xor eax, eax
004077D9 |. A3 D8205200 mov dword ptr [5220D8], eax
004077DE |. E8 C1FFFFFF call 004077A4
004077E3 |. BA CC205200 mov edx, 005220CC
004077E8 |. 8BC3 mov eax, ebx
004077EA |. E8 99D5FFFF call 00404D88
004077EF |. 5B pop ebx
004077F0 \. C3 retn
004077F1 8D40 00 lea eax, dword ptr [eax]
004077F4 . 55 push ebp
004077F5 . 8BEC mov ebp, esp
004077F7 . 33C0 xor eax, eax
004077F9 . 55 push ebp
004077FA . 68 19784000 push 00407819
004077FF . 64:FF30 push dword ptr fs:[eax]
00407802 . 64:8920 mov dword ptr fs:[eax], esp
00407805 . FF05 6CC65200 inc dword ptr [52C66C]
0040780B . 33C0 xor eax, eax
0040780D . 5A pop edx
0040780E . 59 pop ecx
0040780F . 59 pop ecx
00407810 . 64:8910 mov dword ptr fs:[eax], edx
00407813 . 68 20784000 push 00407820
00407818 > C3 retn ; RET used as a jump to 00407820
I found an older version of this software and, after unpacking it, obtained the original Delphi program entry point. The code is as follows:
004F6190 > $ 55 push ebp
004F6191 . 8BEC mov ebp, esp
004F6193 . 83C4 F0 add esp, -10
004F6196 . 53 push ebx
004F6197 . B8 F85C4F00 mov eax, 004F5CF8
004F619C . E8 B30FF1FF call 00407154 ; note: stepping into this call, the code is identical to the fake OEP code above
004F61A1 . 8B1D 90AE4F00 mov ebx, dword ptr [4FAE90] ; dm.004FCBE8
004F61A7 . 8B03 mov eax, dword ptr [ebx]
004F61A9 . E8 BEFEF7FF call 0047606C
004F61AE . 8B03 mov eax, dword ptr [ebx]
004F61B0 . BA 1C624F00 mov edx, 004F621C
004F61B5 . E8 9AFAF7FF call 00475C54
004F61BA . 8B0D 90AB4F00 mov ecx, dword ptr [4FAB90] ; dm.004FDF9C
004F61C0 . 8B03 mov eax, dword ptr [ebx]
004F61C2 . 8B15 107B4E00 mov edx, dword ptr [4E7B10] ; dm.004E7B5C
004F61C8 . E8 B7FEF7FF call 00476084
004F61CD . 8B0D 3CB04F00 mov ecx, dword ptr [4FB03C] ; dm.004FDF38
004F61D3 . 8B03 mov eax, dword ptr [ebx]
004F61D5 . 8B15 E0034D00 mov edx, dword ptr [4D03E0] ; dm.004D042C
004F61DB . E8 A4FEF7FF call 00476084
004F61E0 . 8B0D F0AA4F00 mov ecx, dword ptr [4FAAF0] ; dm.004FDF40
004F61E6 . 8B03 mov eax, dword ptr [ebx]
004F61E8 . 8B15 34404D00 mov edx, dword ptr [4D4034] ; dm.004D4080
004F61EE . E8 91FEF7FF call 00476084
004F61F3 . 8B0D 14AB4F00 mov ecx, dword ptr [4FAB14] ; dm.004FDF2C
004F61F9 . 8B03 mov eax, dword ptr [ebx]
004F61FB . 8B15 ECE24C00 mov edx, dword ptr [4CE2EC] ; dm.004CE338
004F6201 . E8 7EFEF7FF call 00476084
004F6206 . 8B03 mov eax, dword ptr [ebx]
004F6208 . E8 F7FEF7FF call 00476104
004F620D . 5B pop ebx
004F620E . E8 CDE8F0FF call 00404AE0
004F6213 . 00FF add bh, bh
004F6215 FF db FF
At first I wanted to use the add-a-section approach, but this software has a self-check: after modifying the SizeOfStackReserve value, running it directly shows "file corrupted....". So could an expert please advise on how to patch the CODE back in, and post a detailed tutorial? Many thanks in advance.
The software's download address is attached:
235K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4W2^5j5%4q4Q4x3X3g2U0L8$3#2Q4x3V1k6^5P5W2)9J5k6i4u0S2M7R3`.`.
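Added here as an illustration, not part of the original post: the "file corrupted" message after changing SizeOfStackReserve is the behaviour of a self-integrity check that hashes the PE headers at run time and compares the result with a stored value. The Python below builds a constructed, minimal PE32 header (sample data, not this software or its protector), locates SizeOfStackReserve at offset 72 of IMAGE_OPTIONAL_HEADER32, and shows that rewriting the field changes the header digest such a check would compare. How the software's real check works, which bytes it covers and which algorithm it uses are unknown; the SHA-256 over the SizeOfHeaders region is an assumption used to model the detection.

```python
import hashlib
import struct

# PE32 layout constants (PE/COFF specification).
IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
IMAGE_FILE_MACHINE_I386 = 0x14C
PE32_MAGIC = 0x10B
FILE_HEADER_SIZE = 20
OPTIONAL_HEADER_SIZE = 224           # IMAGE_OPTIONAL_HEADER32 with 16 data directories
OFF_SIZE_OF_HEADERS = 60             # offsets inside IMAGE_OPTIONAL_HEADER32
OFF_SIZE_OF_STACK_RESERVE = 72
OFF_NUMBER_OF_RVA_AND_SIZES = 92


def build_minimal_pe32(stack_reserve: int = 0x100000) -> bytes:
    """Build a constructed, minimal PE32 header image (sample data, not a
    runnable program): DOS header, PE signature, file header and an optional
    header whose SizeOfStackReserve is `stack_reserve`."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[0:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", dos, 0x3C, e_lfanew)

    total = e_lfanew + len(IMAGE_NT_SIGNATURE) + FILE_HEADER_SIZE + OPTIONAL_HEADER_SIZE
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_hdr = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 0, 0, 0, 0,
                           OPTIONAL_HEADER_SIZE, 0x0102)

    opt = bytearray(OPTIONAL_HEADER_SIZE)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, OFF_SIZE_OF_HEADERS, total)
    struct.pack_into("<I", opt, OFF_SIZE_OF_STACK_RESERVE, stack_reserve)
    struct.pack_into("<I", opt, OFF_NUMBER_OF_RVA_AND_SIZES, 16)
    return bytes(dos) + IMAGE_NT_SIGNATURE + file_hdr + bytes(opt)


def optional_header_offset(image: bytes) -> int:
    """Locate IMAGE_OPTIONAL_HEADER32 via e_lfanew and validate the signatures."""
    if image[:2] != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + FILE_HEADER_SIZE
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic != PE32_MAGIC:
        raise ValueError("not a PE32 optional header")
    return opt


def get_size_of_stack_reserve(image: bytes) -> int:
    """Read SizeOfStackReserve from the optional header."""
    opt = optional_header_offset(image)
    (value,) = struct.unpack_from("<I", image, opt + OFF_SIZE_OF_STACK_RESERVE)
    return value


def set_size_of_stack_reserve(image: bytes, value: int) -> bytes:
    """Return a copy of the image with SizeOfStackReserve rewritten, the header
    edit the post describes."""
    buf = bytearray(image)
    opt = optional_header_offset(buf)
    struct.pack_into("<I", buf, opt + OFF_SIZE_OF_STACK_RESERVE, value)
    return bytes(buf)


def header_digest(image: bytes) -> str:
    """SHA-256 over the header region (SizeOfHeaders bytes). Assumption: this
    models a self-integrity check; the real protector's algorithm and coverage
    are not known from the post."""
    opt = optional_header_offset(image)
    (size_of_headers,) = struct.unpack_from("<I", image, opt + OFF_SIZE_OF_HEADERS)
    return hashlib.sha256(image[:size_of_headers]).hexdigest()


def verify_header_integrity(image: bytes, expected_digest: str) -> bool:
    """What a "file corrupted" check amounts to: recompute and compare."""
    return header_digest(image) == expected_digest


if __name__ == "__main__":
    original = build_minimal_pe32(0x100000)
    reference = header_digest(original)      # digest recorded at build time
    print("SizeOfStackReserve:", hex(get_size_of_stack_reserve(original)))
    print("integrity ok:", verify_header_integrity(original, reference))

    edited = set_size_of_stack_reserve(original, 0x200000)
    print("SizeOfStackReserve:", hex(get_size_of_stack_reserve(edited)))
    print("integrity ok:", verify_header_integrity(edited, reference))
```

If the check covers the header region as modelled here, every header field lands in it, so a changed SizeOfStackReserve and a changed NumberOfSections (which adding a section requires) are detected the same way; that is why an integrity check of this kind is a common anti-tamper measure, and why the same check would also flag a trojanised or corrupted binary before it runs.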