[旧帖] OEP被偷，请教如何处理?
发表于: 2009-12-26 10:30 2464
PC-Guard 4.03 - 4.15 -> Blagoje Ceklic，OEP被偷，请教如何处理?
00401000 > FC cld -->EP
00401001 55 push ebp
00401002 50 push eax
00401003 E8 00000000 call 11.00401008
00401008 5D pop ebp
00401009 EB 01 jmp short 11.0040100C
0040100B E3 60 jecxz short 11.0040106D
0040100D E8 03000000 call 11.00401015
00401012 D2EB shr bl,cl
00401014 0B58 EB or ebx,dword ptr ds:[eax-15]
00401017 0148 40 add dword ptr ds:[eax+40],ecx
0040101A EB 01 jmp short 11.0040101D
0040101C 35 FFE0E761 xor eax,61E7E0FF
00401021 58 pop eax
00401022 5D pop ebp
00401023 - E9 35412D00 jmp 11.006D515D
00401028 0000 add byte ptr ds:[eax],al
0040102A 0000 add byte ptr ds:[eax],al
0040102C 0000 add byte ptr ds:[eax],al
0040102E 0000 add byte ptr ds:[eax],al
.......
-----------------
bp GetModuleFileNameA ,F9
7C80B56F > 8BFF mov edi,edi 断在这里 ALT+F9返回
7C80B571 55 push ebp
7C80B572 8BEC mov ebp,esp
7C80B574 83EC 10 sub esp,10
7C80B577 57 push edi
7C80B578 64:A1 18000000 mov eax,dword ptr fs:[18]
7C80B57E 8B7D 10 mov edi,dword ptr ss:[ebp+10]
7C80B581 8B40 30 mov eax,dword ptr ds:[eax+30]
7C80B584 8D0C3F lea ecx,dword ptr ds:[edi+edi]
.........
-----------------
006D8E9C 0BC0 or eax,eax 取消断点 F8单步 ; comctl32.5D170000
006D8E9E 0F85 BC000000 jnz 11.006D8F60
006D8EA4 60 pushad
006D8EA5 68 04010000 push 104
006D8EAA FFB5 86530000 push dword ptr ss:[ebp+5386]
006D8EB0 83BD AC4E0000 0>cmp dword ptr ss:[ebp+4EAC],0
006D8EB7 74 08 je short 11.006D8EC1
006D8EB9 FFB5 AC4E0000 push dword ptr ss:[ebp+4EAC]
006D8EBF EB 06 jmp short 11.006D8EC7
006D8EC1 FFB5 A84E0000 push dword ptr ss:[ebp+4EA8]
006D8EC7 FFD7 call edi
006D8EC9 8B85 86530000 mov eax,dword ptr ss:[ebp+5386]
006D8ECF EB 01 jmp short 11.006D8ED2
006D8ED1 40 inc eax
006D8ED2 8038 00 cmp byte ptr ds:[eax],0
006D8ED5 ^ 75 FA jnz short 11.006D8ED1
006D8ED7 EB 04 jmp short 11.006D8EDD
006D8ED9 C600 00 mov byte ptr ds:[eax],0
.........
------------------------------------
数步后到达这里:
006D5413 E8 DC120000 call 11.006D66F4
006D5418 E8 7C110000 call 11.006D6599
006D541D 83BD C2530000 0>cmp dword ptr ss:[ebp+53C2],0
006D5424 74 07 je short 11.006D542D JMp
006D5426 E9 01170000 jmp 11.006D6B2C
006D542B EB 01 jmp short 11.006D542E
006D542D 61 popad
006D542E - E9 2144ECFF jmp 11.00599854 JMp OEP?
-----------------------------------
00599854 处:
00599854 90 nop
00599855 90 nop
00599856 90 nop
00599857 90 nop
00599858 90 nop
00599859 90 nop
0059985A 90 nop
0059985B 90 nop
0059985C 90 nop
0059985D 90 nop
0059985E 90 nop
0059985F 90 nop
00599860 90 nop
00599861 90 nop
00599862 90 nop
00599863 90 nop
00599864 90 nop
00599865 90 nop
00599866 90 nop
00599867 - FF25 2E04E400 jmp dword ptr ds:[E4042E]
0059986D E8 D2F2FFFF call 11.00598B44
00599872 84C0 test al,al
00599874 74 65 je short 11.005998DB
00599876 BB FFC99A3B mov ebx,3B9AC9FF
0059987B 6A 00 push 0
0059987D 6A 00 push 0
0059987F - E9 B36B8A00 jmp 00E40437
00599884 - E9 DC6B8A00 jmp 00E40465
00599889 6A 00 push 0
0059988B 8B06 mov eax,dword ptr ds:[esi]
0059988D 8B40 30 mov eax,dword ptr ds:[eax+30]
00599890 50 push eax
00599891 E8 9A47EAFF call 11.0043E030 ; jmp to shell32.ShellExecuteA
00599896 6A 00 push 0
00599898 6A 00 push 0
0059989A - E9 F46B8A00 jmp 00E40493
0059989F - E9 1D6C8A00 jmp 00E404C1
005998A4 6A 00 push 0
005998A6 8B06 mov eax,dword ptr ds:[esi]
005998A8 8B40 30 mov eax,dword ptr ds:[eax+30]
005998AB 50 push eax
005998AC E8 7F47EAFF call 11.0043E030 ; jmp to shell32.ShellExecuteA
005998B1 6A 00 push 0
005998B3 6A 00 push 0
005998B5 - E9 356C8A00 jmp 00E404EF
005998BA - E9 5E6C8A00 jmp 00E4051D
005998BF 6A 00 push 0
005998C1 8B06 mov eax,dword ptr ds:[esi]
005998C3 8B40 30 mov eax,dword ptr ds:[eax+30]
005998C6 50 push eax
请问各位大侠我如何修复它?
11.rar
00401000 > FC cld -->EP
00401001 55 push ebp
00401002 50 push eax
00401003 E8 00000000 call 11.00401008
00401008 5D pop ebp
00401009 EB 01 jmp short 11.0040100C
0040100B E3 60 jecxz short 11.0040106D
0040100D E8 03000000 call 11.00401015
00401012 D2EB shr bl,cl
00401014 0B58 EB or ebx,dword ptr ds:[eax-15]
00401017 0148 40 add dword ptr ds:[eax+40],ecx
0040101A EB 01 jmp short 11.0040101D
0040101C 35 FFE0E761 xor eax,61E7E0FF
00401021 58 pop eax
00401022 5D pop ebp
00401023 - E9 35412D00 jmp 11.006D515D
00401028 0000 add byte ptr ds:[eax],al
0040102A 0000 add byte ptr ds:[eax],al
0040102C 0000 add byte ptr ds:[eax],al
0040102E 0000 add byte ptr ds:[eax],al
.......
-----------------
bp GetModuleFileNameA ,F9
7C80B56F > 8BFF mov edi,edi 断在这里 ALT+F9返回
7C80B571 55 push ebp
7C80B572 8BEC mov ebp,esp
7C80B574 83EC 10 sub esp,10
7C80B577 57 push edi
7C80B578 64:A1 18000000 mov eax,dword ptr fs:[18]
7C80B57E 8B7D 10 mov edi,dword ptr ss:[ebp+10]
7C80B581 8B40 30 mov eax,dword ptr ds:[eax+30]
7C80B584 8D0C3F lea ecx,dword ptr ds:[edi+edi]
.........
-----------------
006D8E9C 0BC0 or eax,eax 取消断点 F8单步 ; comctl32.5D170000
006D8E9E 0F85 BC000000 jnz 11.006D8F60
006D8EA4 60 pushad
006D8EA5 68 04010000 push 104
006D8EAA FFB5 86530000 push dword ptr ss:[ebp+5386]
006D8EB0 83BD AC4E0000 0>cmp dword ptr ss:[ebp+4EAC],0
006D8EB7 74 08 je short 11.006D8EC1
006D8EB9 FFB5 AC4E0000 push dword ptr ss:[ebp+4EAC]
006D8EBF EB 06 jmp short 11.006D8EC7
006D8EC1 FFB5 A84E0000 push dword ptr ss:[ebp+4EA8]
006D8EC7 FFD7 call edi
006D8EC9 8B85 86530000 mov eax,dword ptr ss:[ebp+5386]
006D8ECF EB 01 jmp short 11.006D8ED2
006D8ED1 40 inc eax
006D8ED2 8038 00 cmp byte ptr ds:[eax],0
006D8ED5 ^ 75 FA jnz short 11.006D8ED1
006D8ED7 EB 04 jmp short 11.006D8EDD
006D8ED9 C600 00 mov byte ptr ds:[eax],0
.........
------------------------------------
数步后到达这里:
006D5413 E8 DC120000 call 11.006D66F4
006D5418 E8 7C110000 call 11.006D6599
006D541D 83BD C2530000 0>cmp dword ptr ss:[ebp+53C2],0
006D5424 74 07 je short 11.006D542D JMp
006D5426 E9 01170000 jmp 11.006D6B2C
006D542B EB 01 jmp short 11.006D542E
006D542D 61 popad
006D542E - E9 2144ECFF jmp 11.00599854 JMp OEP?
-----------------------------------
00599854 处:
00599854 90 nop
00599855 90 nop
00599856 90 nop
00599857 90 nop
00599858 90 nop
00599859 90 nop
0059985A 90 nop
0059985B 90 nop
0059985C 90 nop
0059985D 90 nop
0059985E 90 nop
0059985F 90 nop
00599860 90 nop
00599861 90 nop
00599862 90 nop
00599863 90 nop
00599864 90 nop
00599865 90 nop
00599866 90 nop
00599867 - FF25 2E04E400 jmp dword ptr ds:[E4042E]
0059986D E8 D2F2FFFF call 11.00598B44
00599872 84C0 test al,al
00599874 74 65 je short 11.005998DB
00599876 BB FFC99A3B mov ebx,3B9AC9FF
0059987B 6A 00 push 0
0059987D 6A 00 push 0
0059987F - E9 B36B8A00 jmp 00E40437
00599884 - E9 DC6B8A00 jmp 00E40465
00599889 6A 00 push 0
0059988B 8B06 mov eax,dword ptr ds:[esi]
0059988D 8B40 30 mov eax,dword ptr ds:[eax+30]
00599890 50 push eax
00599891 E8 9A47EAFF call 11.0043E030 ; jmp to shell32.ShellExecuteA
00599896 6A 00 push 0
00599898 6A 00 push 0
0059989A - E9 F46B8A00 jmp 00E40493
0059989F - E9 1D6C8A00 jmp 00E404C1
005998A4 6A 00 push 0
005998A6 8B06 mov eax,dword ptr ds:[esi]
005998A8 8B40 30 mov eax,dword ptr ds:[eax+30]
005998AB 50 push eax
005998AC E8 7F47EAFF call 11.0043E030 ; jmp to shell32.ShellExecuteA
005998B1 6A 00 push 0
005998B3 6A 00 push 0
005998B5 - E9 356C8A00 jmp 00E404EF
005998BA - E9 5E6C8A00 jmp 00E4051D
005998BF 6A 00 push 0
005998C1 8B06 mov eax,dword ptr ds:[esi]
005998C3 8B40 30 mov eax,dword ptr ds:[eax+30]
005998C6 50 push eax
请问各位大侠我如何修复它?