The Netcom client Dr.com V3.72 always pops up a web page after login, and opens it with IE. I use the Maxthon browser, and seeing IE jump out every time and ask whether to make it the default browser is annoying, so I wanted to jmp over the code that calls IE...
Checking with PEiD gives UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo
A UPX packer, so I unpacked it by hand. Checking again with PEiD gives Microsoft Visual C++ 6.0, which looks normal, so I loaded it in OD and looked for ShellExecuteA
--------------------------------------------------------------------------------------------------
Address  Section  Type            Name
0041D460 CODE     Import (known)  shell32.ShellExecuteA
--------------------------------------------------------------------------------------------------
But when I go to 0x0041D460 I get this:
---------------------------------------------------------------------------------
0041D455 90 nop
0041D456 EB 76 jmp short 0041D4CE
0041D458 > FB sti
0041D459 68 EB760000 push 76EB
0041D45E 0000 add byte ptr [eax], al
0041D460 > F0:0E lock push cs ; LOCK prefix not allowed
0041D462 61 popad
0041D463 ^ 7D B1 jge short 0041D416
0041D465 0C 5F or al, 5F
0041D467 7D 00 jge short 0041D469
0041D469 0000 add byte ptr [eax], al
0041D46B 0050 13 add byte ptr [eax+13], dl
0041D46E 24 72 and al, 72
0041D470 0000 add byte ptr [eax], al
0041D472 0000 add byte ptr [eax], al
0041D474 > EE out dx, al
0041D475 50 push eax
0041D476 D6 salc
0041D477 ^ 77 EE ja short 0041D467
0041D479 EF out dx, eax
0041D47A D4 77 aam 77
----------------------------------------------------------------------------------------------
0041D460 > F0:0E lock push cs ; LOCK prefix not allowed
How did it end up like this? Please advise!
Where should I look for the code that calls ShellExecuteA?
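The entry the import list points at is an IAT slot: four bytes of data that the loader overwrites with the resolved address of the function, so disassembling from there produces nonsense. Callers never contain ShellExecuteA's code; they reach it through `call dword ptr [0041D460]` (FF 15 + disp32) or, for a compiler thunk, `jmp dword ptr [0041D460]` (FF 25 + disp32). The following is an added Python example, not part of the original post, that reads the slot and scans a code buffer for those references. The slot address 0041D460 and the bytes at it are taken from the listing above; the code bytes, their base 0x401000 and the string addresses 0x402000/0x402010 are constructed for the example and are not from Dr.com.

```python
import struct

# IAT slot for shell32.ShellExecuteA, from the OllyDbg import listing in the post.
IAT_SLOT_VA = 0x0041D460

# Bytes OllyDbg showed starting at 0041D460 (the first two IAT entries in the listing).
IAT_BYTES = bytes.fromhex("F00E617DB10C5F7D")

# Constructed code section (assumed base 0x401000; not taken from the real client):
#   push 0 / push 0 / push 1 / push 0x402010 / push 0x402000 / push 0
#   call dword ptr [0041D460]      ; a real caller of the import
#   push 0041D460                  ; decoy: the slot address as a plain immediate
#   ret
#   jmp dword ptr [0041D460]       ; import thunk, also references the slot
SAMPLE_CODE_VA = 0x00401000
SAMPLE_CODE = bytes.fromhex(
    "6A00" "6A00" "6A01" "6810204000" "6800204000" "6A00"
    "FF1560D44100"
    "6860D44100" "C3"
    "FF2560D44100"
)


def read_iat_slot(data: bytes, data_va: int, slot_va: int) -> int:
    """Return the 32-bit little-endian pointer stored in the IAT slot at slot_va."""
    off = slot_va - data_va
    return struct.unpack_from("<I", data, off)[0]


def find_import_references(code: bytes, code_va: int, slot_va: int):
    """Find x86 'call/jmp dword ptr [slot_va]' (FF 15 / FF 25 + disp32) in code.

    Returns a list of (va, mnemonic). A bare occurrence of the 4-byte slot
    address (e.g. as a push immediate) is not an indirect call and is skipped.
    """
    needle = struct.pack("<I", slot_va)
    hits = []
    i = code.find(needle)
    while i != -1:
        if i >= 2 and code[i - 2] == 0xFF and code[i - 1] in (0x15, 0x25):
            mnemonic = "call" if code[i - 1] == 0x15 else "jmp"
            hits.append((code_va + i - 2, mnemonic))
        i = code.find(needle, i + 1)
    return hits


if __name__ == "__main__":
    ptr = read_iat_slot(IAT_BYTES, IAT_SLOT_VA, IAT_SLOT_VA)
    print(f"[{IAT_SLOT_VA:08X}] = {ptr:08X}  (pointer written by the loader, not code)")
    for va, mn in find_import_references(SAMPLE_CODE, SAMPLE_CODE_VA, IAT_SLOT_VA):
        print(f"{va:08X}  {mn} dword ptr [{IAT_SLOT_VA:08X}]")
```

Reading the slot gives 0x7D610EF0, which is the loader-resolved pointer (the "F0 0E 61 7D" that OllyDbg tried to decode as `lock push cs`), and the scan reports only the FF 15 / FF 25 sites, not the decoy immediate. Inside OllyDbg the equivalent is right-click in the CPU window, Search for -> All intermodular calls, and look for the ShellExecuteA entry; alternatively set a breakpoint on ShellExecuteA in shell32, let the client trigger it, and read the caller's return address from the top of the stack.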