[求助]水晶情缘的xp星号查看器不能用模拟跟踪法了!!
现在调试到此了。
00406ABF FF13 CALL DWORD PTR DS:[EBX]
00406AC1 95 XCHG EAX,EBP
00406AC2 AC LODS BYTE PTR DS:[ESI]
00406AC3 84C0 TEST AL,AL
00406AC5 ^ 75 FB JNZ SHORT passxp0.00406AC2
00406AC7 FE0E DEC BYTE PTR DS:[ESI]
00406AC9 ^ 74 F0 JE SHORT passxp0.00406ABB
00406ACB 79 05 JNS SHORT passxp0.00406AD2
00406ACD 46 INC ESI
00406ACE AD LODS DWORD PTR DS:[ESI]
00406ACF 50 PUSH EAX
00406AD0 EB 09 JMP SHORT passxp0.00406ADB
00406AD2 FE0E DEC BYTE PTR DS:[ESI]
00406AD4 - 0F84 6EA5FFFF JE passxp0.00401048
看到那个00401048应该就是oep的了,enter进入。得到
00401048 68 DB 68 ; CHAR 'h'
00401049 28 DB 28 ; CHAR '('
0040104A 13 DB 13
0040104B 40 DB 40 ; CHAR '@'
0040104C 00 DB 00
0040104D E8 DB E8
0040104E F0 DB F0
0040104F FF DB FF
00401050 FF DB FF
00401051 FF DB FF
00401052 00 DB 00
00401053 00 DB 00
00401054 00 DB 00
00401055 00 DB 00
00401056 00 DB 00
00401057 00 DB 00
对00401048F2设断,F9运行,F2取消下端。然后分析”--“从模块中删除分析得到。脱之。得到的程序却不能运行!不知道我的方法是不是有问题的。用PE查是Microsoft Visual Basic 5.0 / 6.0。看来是壳脱了,,要修复?