00406964 /$ 55 PUSH EBP
00406965 |. 8BEC MOV EBP,ESP
00406967 |. 83EC 10 SUB ESP,10
0040696A |. A1 1CD04000 MOV EAX,DWORD PTR DS:[40D01C] ; EAX= BB40E64E
0040696F |. 8365 F8 00 AND DWORD PTR SS:[EBP-8],0
00406973 |. 8365 FC 00 AND DWORD PTR SS:[EBP-4],0
00406977 |. 53 PUSH EBX
00406978 |. 57 PUSH EDI
00406979 |. BF 4EE640BB MOV EDI,BB40E64E ;问题就在此处,此处如何恰巧知道eax中存储的就是BB40E64E呢??如果对这段进行还原,那么C代码应该是什么样的呢??
——————————————————————————————
0040697E |. 3BC7 CMP EAX,EDI ; 相等 跳
00406980 |. BB 0000FFFF MOV EBX,FFFF0000
00406985 |. 74 0D JE SHORT ST.00406994
00406987 |. 85C3 TEST EBX,EAX
00406989 |. 74 09 JE SHORT ST.00406994
0040698B |. F7D0 NOT EAX
0040698D |. A3 20D04000 MOV DWORD PTR DS:[40D020],EAX
00406992 |. EB 60 JMP SHORT ST.004069F4
00406994 |> 56 PUSH ESI
00406995 |. 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
00406998 |. 50 PUSH EAX ; /pFileTime
00406999 |. FF15 F0814000 CALL DWORD PTR DS:[<&KERNEL32.GetSystemTimeAsFileTime>] ; \GetSystemTimeAsFileTime
0040699F |. 8B75 FC MOV ESI,DWORD PTR SS:[EBP-4]
004069A2 |. 3375 F8 XOR ESI,DWORD PTR SS:[EBP-8]
004069A5 |. FF15 C4814000 CALL DWORD PTR DS:[<&KERNEL32.GetCurrentProcessId>] ; [GetCurrentProcessId
004069AB |. 33F0 XOR ESI,EAX ;问题:为什么每次都要将esi与返回值进行异或 ,这是为什么?这句的C源码是什么??
004069AD |. FF15 80814000 CALL DWORD PTR DS:[<&KERNEL32.GetCurrentThreadId>] ; [GetCurrentThreadId
004069B3 |. 33F0 XOR ESI,EAX
004069B5 |. FF15 E8814000 CALL DWORD PTR DS:[<&KERNEL32.GetTickCount>] ; [GetTickCount
004069BB |. 33F0 XOR ESI,EAX
.......
[课程]FART 脱壳王!加量不加价!FART作者讲授!
