Reverse Engineering Core Principles: the final example

  1. Run the DebugMe4 sample program and leave it running
  2. Run PETools, find the child process and dump it
  3. Open the dump in OllyDbg (OD):

    00401000 $ 68 C0994000 push Dumped.004099C0 ; /MutexName = "ReverseCore:DebugMe4"
    00401005 . 6A 00 push 0x0 ; |InitialOwner = FALSE
    00401007 . 6A 00 push 0x0 ; |pSecurity = NULL
    00401009 . FF15 04804000 call dword ptr ds:[<&KERNEL32.CreateMute>; \CreateMutexW
    0040100F . 85C0 test eax,eax
    00401011 . 75 17 jnz XDumped.0040102A
    00401013 . FF15 1C804000 call dword ptr ds:[<&KERNEL32.GetLastErr>; [GetLastError
    00401019 . 50 push eax
    0040101A . 68 EC994000 push Dumped.004099EC ; ASCII "CreateMutex() failed! [%d]\n"
    0040101F . E8 21030000 call Dumped.00401345
    00401024 . 83C4 08 add esp,0x8
    00401027 . 33C0 xor eax,eax
    00401029 . C3 retn
    0040102A > FF15 1C804000 call dword ptr ds:[<&KERNEL32.GetLastErr>; [GetLastError
    00401030 . 3D B7000000 cmp eax,0xB7 ; ERROR_ALREADY_EXISTS
    00401035 74 08 je XDumped.0040103F
    00401037 E8 24000000 call Dumped.00401060
    0040103C 33C0 xor eax,eax
    0040103E C3 retn
    0040103F 8DC0 lea eax,eax ; illegal register operand (invalid encoding)
    00401041 . 6A 00 push 0x0 ; /Style = MB_OK|MB_APPLMODAL
    00401043 . 68 089A4000 push Dumped.00409A08 ; |Title = "DebugMe4"
    00401048 . 68 1C9A4000 push Dumped.00409A1C ; |Text = "Child Process"
    0040104D . 6A 00 push 0x0 ; |hOwner = NULL
    0040104F . FF15 1C814000 call dword ptr ds:[<&USER32.MessageBoxW>>; \MessageBoxW
    00401055 . C3 retn
  4. Because the child was dumped while it was running, the part that is encrypted on disk is already decrypted in the dump. Handle the Mutex check (the cmp eax,0xB7 / je at 00401030-00401035: 0xB7 is ERROR_ALREADY_EXISTS, so the "Child Process" path at 0040103F is only taken when the mutex "ReverseCore:DebugMe4" already exists) and the invalid instruction lea eax,eax at 0040103F, and the child program can be extracted.
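One way to carry out step 4 on the dump, as an added example that is not part of the original notes or of the book's material. The byte string is constructed from the opcode column of the listing above (00401000-00401055); the two fixes chosen here (turning the je at 00401035 into an unconditional jmp, and replacing the invalid lea eax,eax with two NOPs) are this example's own choice, since the notes only say to "handle" both spots. Translating the virtual address to a file offset in the dumped PE is left out; the patcher works on the code bytes once they have been located.

```python
"""Patch the dumped DebugMe4 child so it runs without its parent.

Added example (not from the original notes): the two fixes step 4 asks
for, applied with a before-patch byte check so a wrong offset or a
different build is refused instead of silently corrupted.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample: the opcode column of the OllyDbg listing at
# 00401000-00401055, typed in by hand.  With a real dump you would load
# the .text section of the file PETools wrote instead.
CODE_BASE = 0x00401000
CODE = bytes.fromhex(
    "68C0994000"    # push 4099C0            ; MutexName
    "6A00"          # push 0                 ; InitialOwner
    "6A00"          # push 0                 ; pSecurity
    "FF1504804000"  # call [CreateMutexW]
    "85C0"          # test eax,eax
    "7517"          # jnz 0040102A
    "FF151C804000"  # call [GetLastError]
    "50"            # push eax
    "68EC994000"    # push 4099EC            ; "CreateMutex() failed! [%d]\n"
    "E821030000"    # call 00401345
    "83C408"        # add esp,8
    "33C0"          # xor eax,eax
    "C3"            # retn
    "FF151C804000"  # call [GetLastError]
    "3DB7000000"    # cmp eax,0B7            ; ERROR_ALREADY_EXISTS
    "7408"          # je 0040103F            ; mutex already there -> child path
    "E824000000"    # call 00401060          ; otherwise parent path
    "33C0"          # xor eax,eax
    "C3"            # retn
    "8DC0"          # lea eax,eax            ; invalid encoding (register source), #UD
    "6A00"          # push 0                 ; Style
    "68089A4000"    # push 409A08            ; "DebugMe4"
    "681C9A4000"    # push 409A1C            ; "Child Process"
    "6A00"          # push 0                 ; hOwner
    "FF151C814000"  # call [MessageBoxW]
    "C3"            # retn
)


@dataclass(frozen=True)
class Patch:
    va: int          # virtual address in the dumped image
    expect: bytes    # bytes that must be there before patching
    new: bytes       # replacement, same length so nothing shifts
    why: str


# Our own choice of fixes (the notes only say "handle" both spots):
# force the child branch and neutralise the invalid opcode.
PATCHES = (
    Patch(0x00401035, b"\x74\x08", b"\xEB\x08", "je -> jmp, ignore the mutex result"),
    Patch(0x0040103F, b"\x8D\xC0", b"\x90\x90", "lea eax,eax -> nop nop"),
)


def apply_patches(code: bytes, base: int, patches=PATCHES) -> bytes:
    """Return a patched copy; refuse to touch bytes that are not as expected."""
    buf = bytearray(code)
    for p in patches:
        if len(p.new) != len(p.expect):
            raise ValueError(f"{p.va:08X}: patch must keep the instruction length")
        off = p.va - base
        if off < 0 or off + len(p.expect) > len(buf):
            raise ValueError(f"{p.va:08X}: outside the code buffer")
        found = bytes(buf[off:off + len(p.expect)])
        if found != p.expect:
            raise ValueError(
                f"{p.va:08X}: found {found.hex()}, expected {p.expect.hex()} ({p.why})")
        buf[off:off + len(p.new)] = p.new
    return bytes(buf)


def short_jump_target(code: bytes, base: int, va: int) -> int:
    """Decode a 2-byte short jump (EB rel8 or 7x rel8) and return its target."""
    off = va - base
    opcode, rel8 = code[off], code[off + 1]
    if opcode != 0xEB and not 0x70 <= opcode <= 0x7F:
        raise ValueError(f"{va:08X}: {opcode:02X} is not a short jump")
    rel = rel8 - 0x100 if rel8 >= 0x80 else rel8   # sign-extend rel8
    return va + 2 + rel                            # relative to the next instruction


def find_invalid_lea(code: bytes, base: int) -> list[int]:
    """Heuristic scan for LEA with a register source (8D followed by ModRM >= C0).

    A plain byte scan, not a disassembler: it can also flag an 8D that sits
    inside an immediate, so treat hits as places to inspect in OllyDbg.
    """
    return [base + i for i in range(len(code) - 1)
            if code[i] == 0x8D and code[i + 1] >= 0xC0]


if __name__ == "__main__":
    patched = apply_patches(CODE, CODE_BASE)
    for p in PATCHES:
        print(f"{p.va:08X}: {p.expect.hex()} -> {p.new.hex()}  {p.why}")
    print(f"jump at 00401035 lands at {short_jump_target(patched, CODE_BASE, 0x401035):08X}")
    print(f"invalid LEA left after patching: {find_invalid_lea(patched, CODE_BASE)}")
```

The expected-bytes check is the part worth keeping when you adapt this to a real dump: if PETools wrote the sections at different raw offsets than you assumed, or you are looking at a different build, the patcher stops with the bytes it actually found instead of writing NOPs into the wrong place. Running it twice on the same buffer is refused for the same reason.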


Principle: unpack by dumping at exactly the right moment (this presupposes a thorough understanding of the program's flow). The dump still contains the mutex check and the invalid instruction, so both are patched out before the extracted program is run on its own.