Load it in OD. The simplest way to unpack it is the ESP trick, but that requires that your OD can get past IsDebuggerPresent and that the window title does not show Ollydbg.
0043A000 > 60 pushad
0043A001 E8 00000000 call suchost_.0043A006 ; apply the ESP trick here
0043A006 5D pop ebp
0043A007 81ED CA474000 sub ebp,suchost_.004047CA
0043A00D FF7424 20 push dword ptr ss:[esp+20]
0043A011 E8 D3030000 call suchost_.0043A3E9
0043A016 0BC0 or eax,eax
0043A018 0F84 13030000 je suchost_.0043A331
0043A01E 8985 B84E4000 mov dword ptr ss:[ebp+404EB8],eax
0043A024 66:8CD8 mov ax,ds
0043A027 A8 04 test al,4
0043A029 74 0C je short suchost_.0043A037
0043A02B C785 8C4E4000 01000000 mov dword ptr ss:[ebp+404E8C],1
0043A035 EB 12 jmp short suchost_.0043A049
0043A037 64:A1 30000000 mov eax,dword ptr fs:[30]
0043A03D 0FB640 02 movzx eax,byte ptr ds:[eax+2]
Checks IsDebuggerPresent
0043A0D7 FFB5 B84E4000 push dword ptr ss:[ebp+404EB8]
0043A0DD E8 75030000 call suchost_.0043A457
0043A0E2 0BC0 or eax,eax
0043A0E4 0F84 50020000 je suchost_.0043A33A
0043A0EA FFD0 call eax ; kernel32.IsDebuggerPresent
0043A0EC 0BC0 or eax,eax
0043A0EE 0F85 3D020000 jnz suchost_.0043A331
0043A0F4 8D85 5B4D4000 lea eax,dword ptr ss:[ebp+404D5>
0043A0FA 50 push eax
0043A0FB FFB5 B84E4000 push dword ptr ss:[ebp+404EB8]
FindWindow
0043A161 /0F84 CA010000 je suchost_.0043A331
0043A167 |8985 A44E4000 mov dword ptr ss:[ebp+404EA4],e>
0043A16D |8DB5 864D4000 lea esi,dword ptr ss:[ebp+404D8>
0043A173 |56 push esi
0043A174 |6A 00 push 0
0043A176 |FFD0 call eax ; USER32.FindWindowA
0043A178 |0BC0 or eax,eax
0043A17A |0F85 B1010000 jnz suchost_.0043A331
0043A180 |8D85 644D4000 lea eax,dword ptr ss:[ebp+404D6>
0043A186 |50 push eax
0043A187 |FFB5 BC4E4000 push dword ptr ss:[ebp+404EBC]
0043A18D |E8 C5020000 call suchost_.0043A457
0043A192 |0BC0 or eax,eax
0043A194 |0F84 97010000 je suchost_.0043A331
Searches for a window whose title contains any of the following strings:
TrainerSpy XP + NT / 2000 / XP + Coded By BofeN.
OLLYDBG.
\\.\TRAS
PY.VXD.
API-Log v1.2 by M.o.D. [F2F].
VxDMonClass.
TRW2000 for Windows 9x.
Cool Debugger for Win32.
The Customiser Configuration Screen.
The Customiser.Hacked Spy.
If one is found, it exits ~
0043A2F2 6A 00 push 0
0043A2F4 68 80000000 push 80
0043A2F9 6A 03 push 3
0043A2FB 6A 00 push 0
0043A2FD 6A 03 push 3
0043A2FF 68 000000C0 push C0000000
0043A304 8DB5 754E4000 lea esi,dword ptr ss:[ebp+404E7>
0043A30A 56 push esi ; creates an object
0043A30B FFD0 call eax ; CreateFileA
0043A30D 40 inc eax
0043A30E 74 02 je short suchost_.0043A312
0043A310 EB 1F jmp short suchost_.0043A331
0043A312 8D85 484D4000 lea eax,dword ptr ss:[ebp+404D4>
0043A318 50 push eax
0043A319 FFB5 B84E4000 push dword ptr ss:[ebp+404EB8]
0043A31F E8 33010000 call suchost_.0043A457
0043A324 8038 CC cmp byte ptr ds:[eax],0CC
0043A327 74 08 je short suchost_.0043A331
0043A329 8D85 FE4A4000 lea eax,dword ptr ss:[ebp+404AF>
0043A32F FFE0 jmp eax
0043A331 8D85 0F4B4000 lea eax,dword ptr ss:[ebp+404B0>
0043A337 50 push eax
0043A338 FFE0 jmp eax
0043A33A 8B85 C04E4000 mov eax,dword ptr ss:[ebp+404EC>
0043A340 0BC0 or eax,eax
0043A342 74 07 je short suchost_.0043A34B
0043A344 894424 1C mov dword ptr ss:[esp+1C],eax
0043A348 61 popad
0043A349 - FFE0 jmp eax ; jump to OEP
This doesn't feel like a packer so much as a mere protection layer; its main function is anti-debugging ~
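As an added example (not part of the original post), here is a small triage script that walks an OllyDbg-style listing and flags the anti-debug checks this stub uses: the PEB BeingDebugged read via fs:[30], the IsDebuggerPresent and FindWindowA calls, the CreateFileA driver probe, the 0xCC breakpoint scan, and the popad/jmp eax transfer to the OEP. The sample listing and the tag names are constructed for the example.

```python
import re

# Constructed sample in OllyDbg listing format (address, opcode bytes,
# instruction, optional ';' comment), modelled on the dump in the post above.
SAMPLE_LISTING = """\
0043A037 64:A1 30000000 mov eax,dword ptr fs:[30]
0043A03D 0FB640 02 movzx eax,byte ptr ds:[eax+2]
0043A0EA FFD0 call eax ; kernel32.IsDebuggerPresent
0043A176 |FFD0 call eax ; USER32.FindWindowA
0043A30B FFD0 call eax ; CreateFileA
0043A324 8038 CC cmp byte ptr ds:[eax],0CC
0043A348 61 popad
0043A349 - FFE0 jmp eax ; jump to OEP
"""

ADDR_RE = re.compile(r"^\s*([0-9A-Fa-f]{8})\b")   # disassembly lines start with an address

# (tag, pattern tried against the whole line, note for the analyst)
INDICATORS = [
    ("peb_read", re.compile(r"fs:\[30\]", re.I),
     "loads the PEB from TEB+0x30; inspect the next instruction"),
    ("isdebuggerpresent", re.compile(r"\bIsDebuggerPresent\b", re.I),
     "calls kernel32.IsDebuggerPresent"),
    ("findwindow", re.compile(r"\bFindWindow[AW]?\b", re.I),
     "looks for a debugger/monitor window by title or class"),
    ("createfile", re.compile(r"\bCreateFile[AW]?\b", re.I),
     "opens a handle; protectors use this to probe for a debugger driver device"),
    ("int3_scan", re.compile(r"\bcmp\s+byte\s+ptr\s+[^,]+,\s*0?CC\b", re.I),
     "compares a byte against 0xCC (INT3): software-breakpoint scan"),
]

def scan_listing(text):
    """Return [(address, tag, note)] for every anti-debug indicator in the listing."""
    lines = [l for l in text.splitlines() if l.strip()]
    hits = []
    for i, line in enumerate(lines):
        m = ADDR_RE.match(line)
        if not m:
            continue  # annotation/prose line, not disassembly
        addr = m.group(1).upper()
        for tag, pat, note in INDICATORS:
            if pat.search(line):
                # fs:[30] followed by a byte read at [eax+2] is PEB.BeingDebugged, no API needed
                if tag == "peb_read" and i + 1 < len(lines) and \
                        re.search(r"byte\s+ptr\s+\S*\[eax\+2\]", lines[i + 1], re.I):
                    tag, note = "peb_being_debugged", "reads PEB.BeingDebugged (PEB+2) directly"
                hits.append((addr, tag, note))
        # popad immediately followed by jmp eax is the classic stub-to-OEP transfer
        if re.search(r"\bjmp\s+eax\b", line, re.I) and i > 0 and \
                re.search(r"\bpopad\b", lines[i - 1], re.I):
            hits.append((addr, "popad_jmp", "popad then jmp eax: likely transfer to the OEP"))
    return hits

if __name__ == "__main__":
    for addr, tag, note in scan_listing(SAMPLE_LISTING):
        print(f"{addr}  {tag:20s} {note}")
```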