yygx posted on 2005-4-18 09:59:53

[Help]: How do I determine where an overlay starts?

Some packers use an overlay. How do you determine the start offset of the overlay? Some unpacking write-ups say to scan upward from the end of the file until you see an obvious break between 00 bytes and data, and that everything from that data to the end of the file is the overlay. But sometimes the break isn't obvious and I don't know how to decide, like this: a run of 00 bytes
followed by data, then after the data another run of 00 bytes with a few data bytes scattered in between. Which position should be the start?

(everything after this is data)..

yygx posted on 2005-4-19 13:28:01

Sigh, nobody helped, so I had to work it out myself. Got it sorted.

jjwspj posted on 2006-9-10 19:02:12

Brother yygx, could you explain how you determined it?

ljq897 posted on 2007-12-18 11:07:55

Learned something. BPX is a code breakpoint, BP is a function breakpoint.

rxzcums posted on 2007-12-24 23:14:27

Use PEiD to look at the last section and find the position where that section's last byte sits; whatever you see after that is the appended data.

swlilike posted on 2007-12-30 17:26:16

Learned something, but I still don't understand what the brother in the post above meant.