0187:00423CE0 E804000000 CALL 00423CE9
0187:00423CE5 0400 ADD AL,00
0187:00423CE7 0000 ADD [EAX],AL
0187:00423CE9 5A POP EDX
0187:00423CEA 8B442404 MOV EAX,[ESP+04]
0187:00423CEE 8B00 MOV EAX,[EAX]
0187:00423CF0 8B4C240C MOV ECX,[ESP+0C]
0187:00423CF4 FF81B8000000 INC DWORD [ECX+B8]
0187:00423CFA 3D03000080 CMP EAX,80000003 ;breakpoint exception?
0187:00423CFF 754D JNZ 00423D4E
0187:00423D01 8D8202114000 LEA EAX,[EDX+00401102]
0187:00423D07 2D0E104000 SUB EAX,0040100E
0187:00423D0C 894104 MOV [ECX+04],EAX
0187:00423D0F 8D8204114000 LEA EAX,[EDX+00401104]
0187:00423D15 2D0E104000 SUB EAX,0040100E
0187:00423D1A 894108 MOV [ECX+08],EAX
0187:00423D1D 8D8206114000 LEA EAX,[EDX+00401106]
0187:00423D23 2D0E104000 SUB EAX,0040100E
0187:00423D28 89410C MOV [ECX+0C],EAX
0187:00423D2B 8D8208114000 LEA EAX,[EDX+00401108]
0187:00423D31 2D0E104000 SUB EAX,0040100E
0187:00423D36 894110 MOV [ECX+10],EAX
0187:00423D39 33C0 XOR EAX,EAX
0187:00423D3B 816114F00FFFFF AND DWORD [ECX+14],FFFF0FF0
0187:00423D42 C7411855010000 MOV DWORD [ECX+18],0155
0187:00423D49 E980000000 JMP 00423DCE
0187:00423D4E 3D940000C0 CMP EAX,C0000094 ;divide-by-zero exception?
0187:00423D53 752A JNZ 00423D7F
0187:00423D55 C70200000000 MOV DWORD [EDX],00
0187:00423D5B FF81B8000000 INC DWORD [ECX+B8]
0187:00423D61 33C0 XOR EAX,EAX
0187:00423D63 214104 AND [ECX+04],EAX
0187:00423D66 214108 AND [ECX+08],EAX
0187:00423D69 21410C AND [ECX+0C],EAX
0187:00423D6C 214110 AND [ECX+10],EAX
0187:00423D6F 816114F00FFFFF AND DWORD [ECX+14],FFFF0FF0
0187:00423D76 81611800DC0000 AND DWORD [ECX+18],DC00
0187:00423D7D EB4F JMP SHORT 00423DCE
0187:00423D7F 3D04000080 CMP EAX,80000004 ;single-step exception?
0187:00423D84 7545 JNZ 00423DCB
0187:00423D86 FF02 INC DWORD [EDX]
0187:00423D88 8B02 MOV EAX,[EDX]
0187:00423D8A 83F801 CMP EAX,BYTE +01
0187:00423D8D 750C JNZ 00423D9B
0187:00423D8F C781A8000000B83E+MOV DWORD [ECX+A8],00423EB8
0187:00423D99 EB2C JMP SHORT 00423DC7
0187:00423D9B 83F802 CMP EAX,BYTE +02
0187:00423D9E 750C JNZ 00423DAC
0187:00423DA0 C781B0000000A2A0+MOV DWORD [ECX+B0],D1E6A0A2
0187:00423DAA EB1B JMP SHORT 00423DC7
0187:00423DAC 83F803 CMP EAX,BYTE +03
0187:00423DAF 750C JNZ 00423DBD
0187:00423DB1 81A9B000000005BC+SUB DWORD [ECX+B0],728CBC05
0187:00423DBB EB0A JMP SHORT 00423DC7
0187:00423DBD C781A0000000A400+MOV DWORD [ECX+A0],A4
0187:00423DC7 33C0 XOR EAX,EAX
0187:00423DC9 EB03 JMP SHORT 00423DCE
0187:00423DCB 33C0 XOR EAX,EAX
0187:00423DCD 40 INC EAX
0187:00423DCE C3 RET
This is a section of the exception-handling code in Acprotect V1.41. Look familiar? Not afraid that tElock will sue for infringement?
Technology apparently knows no borders.
From here, one can go straight for the OEP. Personally, I feel the anti-tracing is of little significance; the real trouble is the code-splicing technique (榫码, i.e. embedding the original program's code inside the shell), which takes real skill. Where technique ends, brute force begins; however deep your skill, there is no shortcut!
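As an added example (not part of the original post and not ACProtect's or tElock's code), here is a Python script that annotates a handler listing like the one above: it names the CONTEXT field behind each `[ECX+off]` access (ECX holds the CONTEXT pointer passed to the SEH handler as its third argument, loaded from `[ESP+0C]`), maps the `CMP EAX,imm` checks to exception-code names, and decodes the immediate written to Dr7 so the analyst can read off which hardware breakpoints the packer arms. The sample listing is a constructed subset of the lines quoted above; the CONTEXT offsets are the 32-bit winnt.h layout.

```python
"""Annotate a packer SEH handler listing with CONTEXT field names and decode DR7."""
import re

# x86 CONTEXT offsets from winnt.h (32-bit). ECX = CONTEXT* in this handler.
CONTEXT_FIELDS = {
    0x00: "ContextFlags", 0x04: "Dr0", 0x08: "Dr1", 0x0C: "Dr2", 0x10: "Dr3",
    0x14: "Dr6", 0x18: "Dr7", 0x9C: "Edi", 0xA0: "Esi", 0xA4: "Ebx",
    0xA8: "Edx", 0xAC: "Ecx", 0xB0: "Eax", 0xB4: "Ebp", 0xB8: "Eip",
    0xBC: "SegCs", 0xC0: "EFlags", 0xC4: "Esp", 0xC8: "SegSs",
}

# Exception codes the handler compares against (ntstatus.h values).
EXCEPTION_CODES = {
    0x80000003: "EXCEPTION_BREAKPOINT",
    0x80000004: "EXCEPTION_SINGLE_STEP",
    0xC0000094: "EXCEPTION_INT_DIVIDE_BY_ZERO",
}

# Constructed sample: a subset of the handler lines quoted in the post above.
SAMPLE_LISTING = """\
0187:00423CF4 FF81B8000000 INC DWORD [ECX+B8]
0187:00423CFA 3D03000080 CMP EAX,80000003 ;breakpoint exception?
0187:00423D0C 894104 MOV [ECX+04],EAX
0187:00423D3B 816114F00FFFFF AND DWORD [ECX+14],FFFF0FF0
0187:00423D42 C7411855010000 MOV DWORD [ECX+18],0155
0187:00423D4E 3D940000C0 CMP EAX,C0000094
0187:00423D76 81611800DC0000 AND DWORD [ECX+18],DC00
0187:00423D7F 3D04000080 CMP EAX,80000004
0187:00423D8F C781A8000000B83E+MOV DWORD [ECX+A8],00423EB8
0187:00423DBD C781A0000000A400+MOV DWORD [ECX+A0],A4
"""

# seg:addr, opcode bytes (sometimes glued to the mnemonic with '+'), instruction, optional ;comment
LINE_RE = re.compile(r"^(\w+:[0-9A-F]{8})\s+[0-9A-F]+\+?\s*(.*?)\s*(?:;.*)?$")
CTX_RE = re.compile(r"\[ECX\+([0-9A-F]+)\]")
CMP_RE = re.compile(r"CMP EAX,([0-9A-F]{8})")
IMM_RE = re.compile(r",([0-9A-F]+)$")


def parse_line(line):
    """Return (address, instruction text without comment), or None for non-listing lines."""
    m = LINE_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def context_field(insn):
    """Name the CONTEXT field touched by an [ECX+off] operand, or None."""
    m = CTX_RE.search(insn)
    if not m:
        return None
    off = int(m.group(1), 16)
    return CONTEXT_FIELDS.get(off, f"unknown+0x{off:X}")


def exception_check(insn):
    """Name the exception code a CMP EAX,imm32 tests for, or None."""
    m = CMP_RE.search(insn)
    return EXCEPTION_CODES.get(int(m.group(1), 16), "unknown") if m else None


def decode_dr7(value):
    """Decode DR7 into the four debug-address slots: enable bit, access kind, length."""
    slots = []
    for i in range(4):
        local = (value >> (2 * i)) & 1            # L0..L3 at bits 0,2,4,6
        glob = (value >> (2 * i + 1)) & 1         # G0..G3 at bits 1,3,5,7
        rw = (value >> (16 + 4 * i)) & 3          # R/W field per slot
        ln = (value >> (18 + 4 * i)) & 3          # LEN field per slot
        slots.append({"slot": i, "enabled": bool(local or glob),
                      "kind": ("execute", "write", "io", "read/write")[rw],
                      "length": (1, 2, 8, 4)[ln]})
    return slots


def annotate(listing):
    """Annotate every listing line with the CONTEXT field / exception code it involves."""
    out = []
    for raw in listing.splitlines():
        parsed = parse_line(raw)
        if not parsed:
            continue
        addr, insn = parsed
        entry = {"addr": addr, "insn": insn,
                 "field": context_field(insn), "exception": exception_check(insn)}
        # A MOV of an immediate into Dr7 arms hardware breakpoints: decode it.
        if entry["field"] == "Dr7" and insn.startswith("MOV"):
            entry["dr7"] = decode_dr7(int(IMM_RE.search(insn).group(1), 16))
        out.append(entry)
    return out


if __name__ == "__main__":
    for e in annotate(SAMPLE_LISTING):
        tag = e["field"] or e["exception"] or ""
        print(f"{e['addr']}  {e['insn']:<40} {tag}")
        for s in e.get("dr7", []):
            print(f"    DR{s['slot']}: enabled={s['enabled']} {s['kind']} len={s['length']}")
```

Running it on the sample shows the three branches of the handler at a glance: the breakpoint branch loads Dr0-Dr3 and writes 0x155 to Dr7 (all four local enables set, execute breakpoints of length 1), the divide-by-zero branch masks Dr7 with 0xDC00 (which clears every enable bit), and the single-step branch patches Edx and Esi in the saved context before returning. The `INC DWORD [ECX+B8]` lines are the handler advancing Eip past the faulting one-byte instruction.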