[Old post] [Help] Software debugging method 0.00 snowflakes
Posted: 2011-5-4 17:08 2169
Checking this game cheat tool with PEiD for a packer shows Microsoft Visual Basic 5.0 / 6.0 [Overlay]
Then I loaded it in OD:
00401960 > $ 68 201B4000 PUSH PokerToo.00401B20 ; vb5!6&vb6chs.dll
00401965 . E8 EEFFFFFF CALL <JMP.&MSVBVM60.#100>
0040196A . 0000 ADD BYTE PTR DS:[EAX],AL
0040196C . 0000 ADD BYTE PTR DS:[EAX],AL
0040196E . 0000 ADD BYTE PTR DS:[EAX],AL
00401970 . 3000 XOR BYTE PTR DS:[EAX],AL
00401972 . 0000 ADD BYTE PTR DS:[EAX],AL
00401974 . 40 INC EAX
00401975 . 0000 ADD BYTE PTR DS:[EAX],AL
00401977 . 0000 ADD BYTE PTR DS:[EAX],AL
00401979 . 0000 ADD BYTE PTR DS:[EAX],AL
0040197B . 0020 ADD BYTE PTR DS:[EAX],AH
0040197D . 2AD4 SUB DL,AH
0040197F . D7 XLAT BYTE PTR DS:[EBX+AL]
00401980 A1 DB A1
00401981 99 DB 99
00401982 36 DB 36 ; CHAR '6'
00401983 4D DB 4D ; CHAR 'M'
00401984 BF DB BF
00401985 3A DB 3A ; CHAR ':'
00401986 3D DB 3D ; CHAR '='
It stops here.
I set a breakpoint with bp rtcMsgBox:
7346CF7E > 55 PUSH EBP
7346CF7F 8BEC MOV EBP,ESP
7346CF81 83EC 4C SUB ESP,4C
7346CF84 8B4D 14 MOV ECX,DWORD PTR SS:[EBP+14]
7346CF87 53 PUSH EBX
7346CF88 56 PUSH ESI
7346CF89 57 PUSH EDI
7346CF8A 66:8339 0A CMP WORD PTR DS:[ECX],0A
7346CF8E B8 04000280 MOV EAX,80020004
7346CF93 0F85 FC000000 JNZ MSVBVM60.7346D095
7346CF99 3941 08 CMP DWORD PTR DS:[ECX+8],EAX
7346CF9C 0F85 F3000000 JNZ MSVBVM60.7346D095
7346CFA2 834D FC FF OR DWORD PTR SS:[EBP-4],FFFFFFFF
7346CFA6 33F6 XOR ESI,ESI
7346CFA8 8B4D 18 MOV ECX,DWORD PTR SS:[EBP+18]
7346CFAB 66:8339 0A CMP WORD PTR DS:[ECX],0A
7346CFAF 0F85 EA000000 JNZ MSVBVM60.7346D09F
7346CFB5 3941 08 CMP DWORD PTR DS:[ECX+8],EAX
7346CFB8 0F85 E1000000 JNZ MSVBVM60.7346D09F
7346CFBE 834D F8 FF OR DWORD PTR SS:[EBP-8],FFFFFFFF
7346CFC2 8B7D 10 MOV EDI,DWORD PTR SS:[EBP+10]
7346CFC5 66:833F 0A CMP WORD PTR DS:[EDI],0A
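It stops here, and I click "Execute till user code".
The program shows the prompt
"你的记牌器未开通" ("Your card counter has not been activated"),
and after I click OK the program exits, so the crack has hit a dead end. I hope someone who understands this can help analyze it, thanks.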