像如下l加壳的 Enigma Protector 1.9x,被保护是Delphi,一般的API可以修改像
mov edx,dword ptr ss:[ebp-4]
mov ecx,dword ptr ss:[ebp-10]
mov dword ptr ds:[edx+eax*4+4],ecx // nop
但如同: 4083CC 的这行应该是Emulated.Windows.APIs保护吧,我不太了解这壳,不知该怎么处理好,试过将 00C700EF 这行的 330B 标记为 GetModuleHandleA等等,发现其它程序就不适应了,该如何处理如何是上策?有操作过的兄弟能否提点一下小弟 》》
call 4083CC
004083CC jmp dword ptr [8EB33C] ; asv2010-.00BA9914
004083D2 mov eax, eax
004083D4 jmp dword ptr [8EB338] ; kernel32.LocalAlloc
004083DA mov eax, eax
004083DC jmp dword ptr [8EB334] ; kernel32.TlsGetValue
004083E2 mov eax, eax
004083E4 jmp dword ptr [8EB330] ; kernel32.TlsSetValue
00BA9914 jmp 00C700EF
00BA9919 wait
00BA991A rol byte ptr [edx+8D657A9A], 1B
00BA9921 adc al, 6F
00BA9923 sti
00BA9924 jmp far C0C1:89407D56
00C700EF push 330B
00C700F4 jmp 00C65500
00C700F9 push 3319
00C700FE jmp 00C65500
00C70103 push 331C
00C70108 jmp 00C65500
00C7010D push 3321
00C70112 jmp 00C65500
00C70117 push 332A
00C7011C jmp 00C65500
00C65500 pushad
00C65501 pushfd
00C65502 mov dl, 1
00C65504 mov esi, 0
00C65509 lea edi, dword ptr [esi+C677C4]
00C6550F lea edi, dword ptr [edi]
00C65511 mov ecx, 1
00C65516 xor eax, eax
00C65518 lock cmpxchg dword ptr [edi], ecx
00C6551C je short 00C6552D
00C6551E cmp dl, byte ptr [C677C0]
00C65524 je short 00C65502
00C65526 inc dl
00C65528 add esi, 64
00C6552B jmp short 00C65509
00C6552D lea eax, dword ptr [esi+C677C4]
00C65533 lea eax, dword ptr [eax+10]
00C65536 mov ecx, dword ptr [esp]
00C65539 mov dword ptr [eax+50], ecx
00C6553C mov ecx, dword ptr [esp+4]
00C65540 mov dword ptr [eax+1C], ecx
00C65543 mov ecx, dword ptr [esp+8]
00C65547 mov dword ptr [eax+18], ecx
00C6554A mov ecx, dword ptr [esp+C]
00C6554E mov dword ptr [eax+14], ecx
00C65551 mov ecx, dword ptr [esp+10]
00C65555 mov dword ptr [eax+10], ecx
00C65558 mov ecx, dword ptr [esp+14]
00C6555C mov dword ptr [eax+C], ecx
00C6555F mov ecx, dword ptr [esp+18]
00C65563 mov dword ptr [eax+8], ecx
00C65566 mov ecx, dword ptr [esp+1C]
00C6556A mov dword ptr [eax+4], ecx
00C6556D mov ecx, dword ptr [esp+20]
00C65571 mov dword ptr [eax], ecx
00C65573 add dword ptr [eax+10], 4
00C65577 lea edi, dword ptr [esi+C677C4]
00C6557D mov eax, edi
00C6557F call 00C60210
00C65584 mov eax, edi
00C65586 call 00C60258
00C6558B mov esp, dword ptr [edi+4]
00C6558E push edi
00C6558F lea ecx, dword ptr [edi+10]
00C65592 mov ecx, dword ptr [ecx+10]
00C65595 push dword ptr [ecx-4]
00C65598 call 00C614D0
00C6559D push eax
00C6559E mov eax, edi
00C655A0 call 00C60234
00C655A5 pop eax
00C655A6 lea edi, dword ptr [edi+10]
00C655A9 mov ecx, dword ptr [edi+10]
00C655AC sub ecx, 4
00C655AF mov dword ptr [ecx], eax
00C655B1 mov eax, dword ptr [edi+50]
00C655B4 sub ecx, 4
00C655B7 mov dword ptr [ecx], eax
00C655B9 mov eax, dword ptr [edi]
00C655BB sub ecx, 4
00C655BE mov dword ptr [ecx], eax
00C655C0 mov eax, dword ptr [edi+4]
00C655C3 sub ecx, 4
00C655C6 mov dword ptr [ecx], eax
00C655C8 mov eax, dword ptr [edi+8]
00C655CB sub ecx, 4
00C655CE mov dword ptr [ecx], eax
00C655D0 mov eax, dword ptr [edi+C]
00C655D3 sub ecx, 4
00C655D6 mov dword ptr [ecx], eax
00C655D8 mov eax, dword ptr [edi+10]
00C655DB sub ecx, 4
00C655DE mov dword ptr [ecx], eax
00C655E0 mov eax, dword ptr [edi+14]
00C655E3 sub ecx, 4
00C655E6 mov dword ptr [ecx], eax
00C655E8 mov eax, dword ptr [edi+18]
00C655EB sub ecx, 4
00C655EE mov dword ptr [ecx], eax
00C655F0 mov eax, dword ptr [edi+1C]
00C655F3 sub ecx, 4
00C655F6 mov dword ptr [ecx], eax
00C655F8 lea eax, dword ptr [esi+C677C4]
00C655FE mov byte ptr [eax], 0
00C65601 mov esp, ecx
00C65603 popad
00C65604 popfd
00C65605 retn
[培训]内核驱动高级班,冲击BAT一流互联网大厂工
作,每周日13:00-18:00直播授课
