Post #2
Yes, anti-debug.
Post #3
Is there any way to avoid it? I'm using OllyDbg.
Post #4
It only started exiting under the debugger after I unpacked it.
Post #5
004341DC >/$ 55 PUSH EBP
004341DD |. 8BEC MOV EBP,ESP
004341DF |. 6A FF PUSH -1
004341E1 |. 68 80E35400 PUSH _Mir2NoS.0054E380
004341E6 |. 68 04414300 PUSH _Mir2NoS.00434104 ; SE handler installation
004341EB |. 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
004341F1 |. 50 PUSH EAX
004341F2 |. 64:8925 000000>MOV DWORD PTR FS:[0],ESP
004341F9 |. 83EC 58 SUB ESP,58
004341FC |. 53 PUSH EBX
004341FD |. 56 PUSH ESI
004341FE |. 57 PUSH EDI
004341FF |. 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP
00434202 |. FF15 48445400 CALL DWORD PTR DS:[<&kernel32.GetVersion>; KERNEL32.GetVersion
00434208 |. 33D2 XOR EDX,EDX
0043420A |. 8AD4 MOV DL,AH
0043420C |. 8915 0C175900 MOV DWORD PTR DS:[59170C],EDX
00434212 |. 8BC8 MOV ECX,EAX
00434214 |. 81E1 FF000000 AND ECX,0FF
0043421A |. 890D 08175900 MOV DWORD PTR DS:[591708],ECX
00434220 |. C1E1 08 SHL ECX,8
00434223 |. 03CA ADD ECX,EDX
00434225 |. 890D 04175900 MOV DWORD PTR DS:[591704],ECX
0043422B |. C1E8 10 SHR EAX,10
0043422E |. A3 00175900 MOV DWORD PTR DS:[591700],EAX
00434233 |. 6A 01 PUSH 1
00434235 |. E8 C86B0000 CALL _Mir2NoS.0043AE02
0043423A |. 59 POP ECX
0043423B |. 85C0 TEST EAX,EAX
0043423D |. 75 08 JNZ SHORT _Mir2NoS.00434247
0043423F |. 6A 1C PUSH 1C
00434241 |. E8 C3000000 CALL _Mir2NoS.00434309
00434246 |. 59 POP ECX
00434247 |> E8 B0350000 CALL _Mir2NoS.004377FC
0043424C |. 85C0 TEST EAX,EAX
0043424E |. 75 08 JNZ SHORT _Mir2NoS.00434258
00434250 |. 6A 10 PUSH 10
00434252 |. E8 B2000000 CALL _Mir2NoS.00434309
00434257 |. 59 POP ECX
00434258 |> 33F6 XOR ESI,ESI
0043425A |. 8975 FC MOV DWORD PTR SS:[EBP-4],ESI
0043425D |. E8 E4690000 CALL _Mir2NoS.0043AC46
00434262 |. FF15 DC425400 CALL DWORD PTR DS:[<&kernel32.GetCommand>; [GetCommandLineA
00434268 |. A3 40445900 MOV DWORD PTR DS:[594440],EAX
0043426D |. E8 A2680000 CALL _Mir2NoS.0043AB14
00434272 |. A3 F0165900 MOV DWORD PTR DS:[5916F0],EAX
00434277 |. E8 4B660000 CALL _Mir2NoS.0043A8C7
0043427C |. E8 8D650000 CALL _Mir2NoS.0043A80E
00434281 |. E8 A30E0000 CALL _Mir2NoS.00435129
00434286 |. 8975 D0 MOV DWORD PTR SS:[EBP-30],ESI
00434289 |. 8D45 A4 LEA EAX,DWORD PTR SS:[EBP-5C]
0043428C |. 50 PUSH EAX ; /pStartupinfo
0043428D |. FF15 E0425400 CALL DWORD PTR DS:[<&kernel32.GetStartup>; \GetStartupInfoA
00434293 |. E8 1E650000 CALL _Mir2NoS.0043A7B6
00434298 |. 8945 9C MOV DWORD PTR SS:[EBP-64],EAX
0043429B |. F645 D0 01 TEST BYTE PTR SS:[EBP-30],1
0043429F |. 74 06 JE SHORT _Mir2NoS.004342A7
004342A1 |. 0FB745 D4 MOVZX EAX,WORD PTR SS:[EBP-2C]
004342A5 |. EB 03 JMP SHORT _Mir2NoS.004342AA
004342A7 |> 6A 0A PUSH 0A
004342A9 |. 58 POP EAX
004342AA |> 50 PUSH EAX
004342AB |. FF75 9C PUSH DWORD PTR SS:[EBP-64]
004342AE |. 56 PUSH ESI
004342AF |. 56 PUSH ESI ; /pModule
004342B0 |. FF15 10445400 CALL DWORD PTR DS:[<&kernel32.GetModuleH>; \GetModuleHandleA
004342B6 |. 50 PUSH EAX
004342B7 |. E8 BB930C00 CALL _Mir2NoS.004FD677
004342BC |. 8945 A0 MOV DWORD PTR SS:[EBP-60],EAX
004342BF |. 50 PUSH EAX
004342C0 |. E8 910E0000 CALL _Mir2NoS.00435156
004342C5 |. 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
004342C8 |. 8B08 MOV ECX,DWORD PTR DS:[EAX]
004342CA |. 8B09 MOV ECX,DWORD PTR DS:[ECX]
004342CC |. 894D 98 MOV DWORD PTR SS:[EBP-68],ECX
004342CF |. 50 PUSH EAX
004342D0 |. 51 PUSH ECX
004342D1 |. E8 68630000 CALL _Mir2NoS.0043A63E
004342D6 |. 59 POP ECX
004342D7 |. 59 POP ECX
004342D8 \. C3 RETN
This is the start of the program. Can you take a look at where the code that checks whether I'm using a debugger is?
Post #6
Try the CALLs one by one.