PEiD identifies the packer as Armadillo 1.xx - 2.xx -> Silicon Realms Toolworks
Load it in OD, hide OD, ignore all exceptions
he GetModuleHandleA, Shift+F9, the program breaks at the following place
7C80B731 > 8BFF mov edi, edi ; ntdll.7C930208
7C80B733 55 push ebp
7C80B734 8BEC mov ebp, esp
7C80B736 837D 08 00 cmp dword ptr [ebp+8], 0
7C80B73A 74 18 je short 7C80B754 // set a breakpoint here with F2
7C80B73C FF75 08 push dword ptr [ebp+8]
7C80B73F E8 C0290000 call 7C80E104
7C80B744 85C0 test eax, eax
7C80B746 74 08 je short 7C80B750
7C80B748 FF70 04 push dword ptr [eax+4]
7C80B74B E8 7D2D0000 call GetModuleHandleW
7C80B750 5D pop ebp
7C80B751 C2 0400 retn 4
7C80B754 64:A1 18000000 mov eax, dword ptr fs:[18]
7C80B75A 8B40 30 mov eax, dword ptr [eax+30]
7C80B75D 8B40 08 mov eax, dword ptr [eax+8]
7C80B760 ^ EB EE jmp short 7C80B750
Remove the hardware breakpoint, set a breakpoint at 7C80B73A with F2, Shift+F9, run to this point
Stack window
0012FF34 /0012FFC0
0012FF38 |004A3D0B 返回到 DX游戏通.<模块入口点>+0C8 来自 kernel32.GetModuleHandleA
0012FF3C |00000000
0012FF40 |00000000
0012FF44 |00161F41
0012FF48 |0000000A
0012FF4C |7C930208 ntdll.7C930208
Shift+F9 again
Stack window
0012EE78 /0012EEB0
0012EE7C |77C079B2 返回到 msvcrt.77C079B2 来自 kernel32.GetModuleHandleA
0012EE80 |77BE31BC ASCII "kernel32.dll"
0012EE84 |77C31A70 msvcrt.77C31A70
0012EE88 |00000000
0012EE8C |77BEF2A1 msvcrt.<模块入口点>
0012EE90 |001637B8
0012EE94 |0012EEBC
0012EE98 |0012EE84
0012EE9C |C0000100
0012EEA0 |0012F088 指向下一个 SEH 记录的指针
0012EEA4 |77C05C94 SE处理程序
Shift+F9 again
Stack window
0012EF20 /0012EF3C
0012EF24 |77F45CD0 返回到 77F45CD0 来自 kernel32.GetModuleHandleA
0012EF28 |77F4501C ASCII "KERNEL32.DLL"
0012EF2C |00000001
0012EF30 |77F40000
0012EF34 |00000000
0012EF38 |0000380B
Shift+F9 again
Stack window
0012F738 /0012F7A0
0012F73C |0048E8F3 返回到 DX游戏通.0048E8F3 来自 kernel32.GetModuleHandleA
0012F740 |00000000
0012F744 |0000FFFF
Shift+F9 again
Stack window
00129524 /0012EC6C
00129528 |00B47105 返回到 00B47105 来自 kernel32.GetModuleHandleA
0012952C |00B5BC1C ASCII "kernel32.dll"
00129530 |00B5CEC4 ASCII "VirtualAlloc"
00129534 |00B5FA98
00129538 |7C9210E0 ntdll.RtlLeaveCriticalSection
Shift+F9 again
Stack window
00129524 /0012EC6C
00129528 |00B47122 返回到 00B47122 来自 kernel32.GetModuleHandleA
0012952C |00B5BC1C ASCII "kernel32.dll"
00129530 |00B5CEB8 ASCII "VirtualFree"
00129534 |00B5FA98
00129538 |7C9210E0 ntdll.RtlLeaveCriticalSection
Shift+F9 again
Stack window
00129288 /00129528
0012928C |00B35FC9 返回到 00B35FC9 来自 kernel32.GetModuleHandleA
00129290 |001293DC ASCII "kernel32.dll"
Remove the breakpoint, Alt+F9 to return
00B35FC9 8B0D AC40B600 mov ecx, dword ptr [B640AC]
00B35FCF 89040E mov dword ptr [esi+ecx], eax
00B35FD2 A1 AC40B600 mov eax, dword ptr [B640AC]
00B35FD7 391C06 cmp dword ptr [esi+eax], ebx
00B35FDA 75 16 jnz short 00B35FF2
00B35FDC 8D85 B4FEFFFF lea eax, dword ptr [ebp-14C]
00B35FE2 50 push eax
00B35FE3 FF15 BC62B500 call dword ptr [B562BC] ; kernel32.LoadLibraryA
00B35FE9 8B0D AC40B600 mov ecx, dword ptr [B640AC]
00B35FEF 89040E mov dword ptr [esi+ecx], eax
00B35FF2 A1 AC40B600 mov eax, dword ptr [B640AC]
00B35FF7 391C06 cmp dword ptr [esi+eax], ebx
00B35FFA 0F84 2F010000 je 00B3612F // Magic jump, change it to jmp
00B36000 33C9 xor ecx, ecx
00B36002 8B07 mov eax, dword ptr [edi]
00B36004 3918 cmp dword ptr [eax], ebx
00B36006 74 06 je short 00B3600E
00B36008 41 inc ecx
00B36009 83C0 0C add eax, 0C
00B3600C ^ EB F6 jmp short 00B36004
00B35FFA is the Magic jump; change it to jmp, open the memory map, set a breakpoint at 00401000, Shift+F9, but the program does not reach the OEP and instead stops at the following place:
0044C0AD AA stos byte ptr es:[edi] ; (initial cpu selection)
0044C0AE 60 pushad
0044C0AF FF3424 push dword ptr [esp]
0044C0B2 9C pushfd
0044C0B3 B3 02 mov bl, 2
0044C0B5 53 push ebx
0044C0B6 E9 94660100 jmp 0046274F
0044C0BB 41 inc ecx
0044C0BC 44 inc esp
0044C0BD 56 push esi
0044C0BE 41 inc ecx
0044C0BF 50 push eax
0044C0C0 49 dec ecx
0044C0C1 3332 xor esi, dword ptr [edx]
0044C0C3 2E: prefix cs:
0044C0C4 64:6C ins byte ptr es:[edi], dx
0044C0C6 6C ins byte ptr es:[edi], dx
0044C0C7 000A add byte ptr [edx], cl
0044C0C9 0AD2 or dl, dl
0044C0CB 875B 2A xchg dword ptr [ebx+2A], ebx
0044C0CE C687 F6AB5EFE D>mov byte ptr [edi+FE5EABF6], 0D3
0044C0D5 - E9 24185400 jmp 0098D8FE
0044C0DA EC in al, dx
0044C0DB 6B33 83 imul esi, dword ptr [ebx], -7D
0044C0DE 0B74C4 B2 or esi, dword ptr [esp+eax*8-4E]
0044C0E2 6E outs dx, byte ptr es:[edi]
0044C0E3 37 aaa
0044C0E4 A0 68851034 mov al, byte ptr [34108568]
0044C0E9 C9 leave
0044C0EA BF F54323D5 mov edi, D52343F5
0044C0EF EF out dx, eax
0044C0F0 C9 leave
0044C0F1 234A 98 and ecx, dword ptr [edx-68]
0044C0F4 ED in eax, dx
0044C0F5 B2 52 mov dl, 52
0044C0F7 A9 FC0F640E test eax, 0E640FFC
0044C0FC 95 xchg eax, ebp
0044C0FD F695 6A85FF84 not byte ptr [ebp+84FF856A]
0044C103 50 push eax
0044C104 93 xchg eax, ebx
0044C105 0C BB or al, 0BB
0044C107 3E:889B 34056E2>mov byte ptr [ebx+2E6E0534], bl
0044C10E 27 daa
0044C10F A3 1F01E398 mov dword ptr [98E3011F], eax
0044C114 ^ E3 FD jecxz short 0044C113
0044C116 ^ 72 E9 jb short 0044C101
0044C118 CB retf
0044C119 44 inc esp
0044C11A 5E pop esi
0044C11B D9 ??? ; 未知命令
My skills are rather weak and I don't know what this situation is or how to deal with it. I hope everyone can help, or at least point out what kind of problem this is. Thank you all! The attachments are below, thanks everyone!
DX游戏通用窗口化工具.part1.rar
DX游戏通用窗口化工具.part2.rar
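As an added example (not part of the original post), a small Python check of the addresses in the listings above: it decodes relative branch targets from the opcode bytes OllyDbg shows, confirms they match the listed targets, and produces the same-length patch bytes that turn the je at 00B35FFA into an unconditional jump, the "change it to jmp" step above. The sample lines are copied from this post; the function names are assumptions of this example.

```python
import re
import struct

# Constructed sample: jump lines copied from the OllyDbg listings above (addr, bytes, mnemonic, target).
SAMPLE_LINES = [
    "00B35FDA 75 16 jnz short 00B35FF2",
    "00B35FFA 0F84 2F010000 je 00B3612F",
    "00B3600C ^ EB F6 jmp short 00B36004",
    "0044C0B6 E9 94660100 jmp 0046274F",
]

# address, optional "^" back-jump marker, opcode bytes, jcc/jmp mnemonic, optional "short", target
LINE_RE = re.compile(
    r"^([0-9A-F]{8})\s+(?:\^\s+)?([0-9A-F]+(?:\s[0-9A-F]+)*)\s+(j\w+)\s+(?:short\s+)?([0-9A-F]{8})"
)

def parse_olly_jump(line):
    """Split an OllyDbg jump line into (address, opcode bytes, mnemonic, listed target)."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("not a recognised jump line: %r" % line)
    return int(m.group(1), 16), bytes.fromhex(m.group(2).replace(" ", "")), m.group(3), int(m.group(4), 16)

def branch_target(addr, opcode):
    """Destination of a relative x86 branch: address of the next instruction plus the displacement.
    Handles jcc rel8 (70-7F), jmp rel8 (EB), jmp rel32 (E9) and jcc rel32 (0F 80-8F)."""
    if len(opcode) == 2 and (0x70 <= opcode[0] <= 0x7F or opcode[0] == 0xEB):
        disp = struct.unpack("<b", opcode[1:2])[0]
    elif len(opcode) == 5 and opcode[0] == 0xE9:
        disp = struct.unpack("<i", opcode[1:5])[0]
    elif len(opcode) == 6 and opcode[0] == 0x0F and 0x80 <= opcode[1] <= 0x8F:
        disp = struct.unpack("<i", opcode[2:6])[0]
    else:
        raise ValueError("unsupported branch encoding: %s" % opcode.hex())
    return (addr + len(opcode) + disp) & 0xFFFFFFFF

def check_listing(lines):
    """True if every listed branch target matches what the opcode bytes actually encode."""
    return all(branch_target(a, op) == tgt for a, op, _, tgt in map(parse_olly_jump, lines))

def force_jump_patch(addr, opcode):
    """Bytes that replace a 6-byte 'je rel32' with 'jmp rel32' followed by one nop.
    Same length as the original so nothing after it shifts; the displacement is recomputed
    because jmp rel32 is one byte shorter and therefore ends one byte earlier than the je did."""
    if len(opcode) != 6 or opcode[:2] != b"\x0f\x84":
        raise ValueError("expected a near je (0F 84 rel32)")
    new_disp = branch_target(addr, opcode) - (addr + 5)
    return b"\xe9" + struct.pack("<i", new_disp) + b"\x90"
```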