This is a simple bundling/packing tool!
PEiD identifies the packer as: PEBundle 2.0x – 2.4x -> Jeremy Collake
Although it bundles the DLL in, it does not do any processing on the DLL; it is essentially just packaged in, like an archive!
You only need to find the address and copy it out, and that takes care of the bundled part. The other thing is that some IAT pointers are encrypted, and that is mainly what the video covers, heh!
The video and the target program are packaged together; download them if you need them!
Below is some of the data I recorded while tracing:
[code]
PEBundle 2.0x - 2.4x-> Jeremy Collake
00407078 0041063E EdrTest.0041063E
EAX 7C800000 kernel32.7C800000
ECX 00407620 ASCII " {"
EDX 00400000 EdrTest.00400000
EBX 004111E5 ASCII "C:\WINDOWS\system32\EdrLib.dll"
00410CA3 >7C809BD7 kernel32.CloseHandle
00410CA7 >7C821794 kernel32.CreateDirectoryA
00410CAB >7C801A28 kernel32.CreateFileA
00410CAF >7C831EC5 kernel32.DeleteFileA
00410CB3 >7C81CAFA kernel32.ExitProcess
00410CB7 >7C80AC6E kernel32.FreeLibrary
00410CBB >7C812FAD kernel32.GetCommandLineA
00410CBF >7C831C35 kernel32.GetFileTime
00410CC3 >7C80B731 kernel32.GetModuleHandleA
00410CC7 >7C80AE30 kernel32.GetProcAddress
00410CCB >7C814F7A kernel32.GetSystemDirectoryA
00410CCF >7C835DE2 kernel32.GetTempPathA
00410CD3 >7C82134B kernel32.GetWindowsDirectoryA
00410CD7 >7C801D7B kernel32.LoadLibraryA
00410CDB >7C834D59 kernel32.lstrcatA
00410CDF >7C80BB31 kernel32.lstrcmpiA
00410CE3 >7C85C121 kernel32.RemoveDirectoryA
00410CE7 >7C831CA8 kernel32.SetFileTime
00410CEB >7C809AE1 kernel32.VirtualAlloc
00410CEF >7C809B74 kernel32.VirtualFree
00410CF3 >7C810E17 kernel32.WriteFile
[/code]
[url=http://down.huacolor.com/down/blog/PEBundle 2.0x的脱壳视频.rar][color=#FF0000]Click to download[/color][/url]
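As an added example (not part of the original post and not PEBundle's or the author's code), the Python below does what the post describes for the bundled DLL: it scans a carrier image for embedded PE headers, validates each MZ/PE pair, sizes the image from its section table, and carves it out as a separate file. All inputs are constructed: the `build_fake_pe` helper, the `EdrLib.dll` stand-in bytes and the carrier are synthetic, not the real EdrTest.exe.

```python
import struct

def pe_image_size(blob: bytes, base: int) -> int:
    """On-disk size of the PE image at `base`, or 0 if it is only a loose 'MZ' match."""
    if blob[base:base + 2] != b"MZ" or base + 0x40 > len(blob):
        return 0
    e_lfanew = struct.unpack_from("<I", blob, base + 0x3C)[0]
    pe = base + e_lfanew
    if not 0x40 <= e_lfanew <= 0x1000 or pe + 24 > len(blob) or blob[pe:pe + 4] != b"PE\0\0":
        return 0
    nsect, opt_size = struct.unpack_from("<H", blob, pe + 6)[0], struct.unpack_from("<H", blob, pe + 20)[0]
    # PE32 optional header stores SizeOfHeaders at offset 60; section headers follow the optional header
    end = struct.unpack_from("<I", blob, pe + 84)[0] if opt_size >= 64 else 0
    for i in range(nsect):
        hdr = pe + 24 + opt_size + i * 40
        if hdr + 40 > len(blob):
            return 0
        raw_size, raw_ptr = struct.unpack_from("<II", blob, hdr + 16)  # SizeOfRawData, PointerToRawData
        end = max(end, raw_ptr + raw_size)
    # An image that runs past the end of the carrier is truncated, not a usable DLL
    return end if 0 < end <= len(blob) - base else 0

def find_embedded_pes(blob: bytes) -> list:
    """Every (offset, size) of a valid PE image inside blob, the carrier itself included."""
    hits, pos = [], blob.find(b"MZ")
    while pos != -1:
        size = pe_image_size(blob, pos)
        if size:
            hits.append((pos, size))
        pos = blob.find(b"MZ", pos + 1)
    return hits

def carve_bundled(blob: bytes) -> list:
    """Raw bytes of every PE image found inside blob other than the carrier at offset 0."""
    return [blob[o:o + s] for o, s in find_embedded_pes(blob) if o != 0]

def build_fake_pe(payload: bytes) -> bytes:
    """Constructed minimal PE32: headers padded to 0x200, one section holding payload."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                          # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)  # 1 section, 224-byte opt hdr
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)   # PE32 magic
    struct.pack_into("<I", opt, 60, 0x200)  # SizeOfHeaders
    sect = struct.pack("<8sIIII", b".text", len(payload), 0x1000, len(payload), 0x200) + b"\0" * 16
    headers = dos + coff + bytes(opt) + sect
    return headers + b"\0" * (0x200 - len(headers)) + payload
# Constructed carrier: a stub image whose single section holds a bundled DLL image in the clear
INNER_DLL = build_fake_pe(b"EdrLib.dll body (constructed)")
CARRIER = build_fake_pe(b"stub code " + INNER_DLL + b" trailer")
```

On a real sample, run `carve_bundled` over the packed EXE's bytes and write each result to disk; a carved image whose section table points past the file end is reported as invalid rather than silently truncated.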
Heh, learned something from the master.