The program is packed with ASProtect 2.1x SKE. After unpacking it turns out to be written in Microsoft Visual C++ 6.0, and the unpacked file runs fine. But after loading it in OD (OllyDbg) and pressing F9 to run, Windows reports that the program has encountered a problem and needs to close, so it cannot be debugged. Could the experts here tell me how to solve this? The key faulting code segment is:

7C92E470 FF1490 call dword ptr ds:[eax+edx*4]
7C92E473 33C9 xor ecx,ecx
7C92E475 33D2 xor edx,edx
7C92E477 CD 2B int 2B
7C92E479 CC int3
7C92E47A 8BFF mov edi,edi
7C92E47C > 8B4C24 04 mov ecx,dword ptr ss:[esp+4]
7C92E480 8B1C24 mov ebx,dword ptr ss:[esp]
7C92E483 51 push ecx
7C92E484 53 push ebx
7C92E485 E8 9AC30100 call ntdll.7C94A824
When that last CALL is executed the program runs, but then it crashes.
The code of this CALL:

7C94A824 8BFF mov edi,edi
7C94A826 55 push ebp
7C94A827 8BEC mov ebp,esp
7C94A829 83EC 64 sub esp,64
7C94A82C 56 push esi
7C94A82D FF75 0C push dword ptr ss:[ebp+C]
7C94A830 8B75 08 mov esi,dword ptr ss:[ebp+8]
7C94A833 56 push esi
7C94A834 C645 FF 00 mov byte ptr ss:[ebp-1],0
7C94A838 E8 ABFFFFFF call ntdll.7C94A7E8
7C94A83D 84C0 test al,al
7C94A83F 0F85 C5590200 jnz ntdll.7C97020A
7C94A845 53 push ebx
7C94A846 8D45 F4 lea eax,dword ptr ss:[ebp-C]
7C94A849 50 push eax
7C94A84A 8D45 F8 lea eax,dword ptr ss:[ebp-8]
7C94A84D 50 push eax
7C94A84E E8 898BFDFF call ntdll.7C9233DC
7C94A853 E8 A08BFDFF call ntdll.7C9233F8
7C94A858 8365 08 00 and dword ptr ss:[ebp+8],0
7C94A85C 8BD8 mov ebx,eax
7C94A85E 83FB FF cmp ebx,-1
7C94A861 0F84 8F000000 je ntdll.7C94A8F6
7C94A867 57 push edi
7C94A868 3B5D F8 cmp ebx,dword ptr ss:[ebp-8]
7C94A86B ^ 0F82 DDE0FFFF jb ntdll.7C94894E
7C94A871 8D43 08 lea eax,dword ptr ds:[ebx+8]
7C94A874 3B45 F4 cmp eax,dword ptr ss:[ebp-C]
7C94A877 ^ 0F87 D1E0FFFF ja ntdll.7C94894E
7C94A87D F6C3 03 test bl,3
7C94A880 ^ 0F85 C8E0FFFF jnz ntdll.7C94894E
7C94A886 8B43 04 mov eax,dword ptr ds:[ebx+4]
7C94A889 3B45 F8 cmp eax,dword ptr ss:[ebp-8]
7C94A88C 72 09 jb short ntdll.7C94A897
7C94A88E 3B45 F4 cmp eax,dword ptr ss:[ebp-C]
7C94A891 ^ 0F82 B7E0FFFF jb ntdll.7C94894E
7C94A897 50 push eax
7C94A898 E8 67000000 call ntdll.7C94A904
7C94A89D 84C0 test al,al
7C94A89F ^ 0F84 A9E0FFFF je ntdll.7C94894E
7C94A8A5 F605 1AE4997C 8>test byte ptr ds:[7C99E41A],80
7C94A8AC 0F85 61590200 jnz ntdll.7C970213
7C94A8B2 FF73 04 push dword ptr ds:[ebx+4]
7C94A8B5 8D45 EC lea eax,dword ptr ss:[ebp-14]
7C94A8B8 50 push eax
7C94A8B9 FF75 0C push dword ptr ss:[ebp+C]
7C94A8BC 53 push ebx
7C94A8BD 56 push esi
7C94A8BE E8 8489FDFF call ntdll.7C923247
7C94A8C3 F605 1AE4997C 8>test byte ptr ds:[7C99E41A],80
7C94A8CA 8BF8 mov edi,eax
7C94A8CC 0F85 57590200 jnz ntdll.7C970229
7C94A8D2 395D 08 cmp dword ptr ss:[ebp+8],ebx
7C94A8D5 0F84 5C590200 je ntdll.7C970237
7C94A8DB 8BC7 mov eax,edi
7C94A8DD 33C9 xor ecx,ecx
7C94A8DF 2BC1 sub eax,ecx
7C94A8E1 ^ 0F85 46E0FFFF jnz ntdll.7C94892D
7C94A8E7 F646 04 01 test byte ptr ds:[esi+4],1
7C94A8EB 0F85 90590200 jnz ntdll.7C970281
7C94A8F1 C645 FF 01 mov byte ptr ss:[ebp-1],1
7C94A8F5 5F pop edi
7C94A8F6 5B pop ebx
7C94A8F7 8A45 FF mov al,byte ptr ss:[ebp-1]
7C94A8FA 5E pop esi
7C94A8FB C9 leave
7C94A8FC C2 0800 retn 8
The return address is the line just above that last CALL.