在跟踪一个 Armadillo 加壳的程序时，发现它的 Magic Jump 的位置与通常情况下不大一样（如下，不知道找的位置是否正确？）。恳请大虾指点：下面的代码是否有 Magic Jump，以及如何修改才能避开 IAT 加密。先谢了。
00D2210B FF15 08B1D200 call dword ptr ds:[D2B108] ; kernel32.VirtualProtect
00D22111 6A 01 push 1
00D22113 58 pop eax
00D22114 85C0 test eax,eax
00D22116 0F84 7D010000 je 00D22299
00D2211C 83A5 6CFCFFFF 00 and dword ptr ss:[ebp-394],0
00D22123 8B85 9CFEFFFF mov eax,dword ptr ss:[ebp-164]
00D22129 0FBE00 movsx eax,byte ptr ds:[eax]
00D2212C 85C0 test eax,eax
00D2212E 75 12 jnz short 00D22142
00D22130 8B85 9CFEFFFF mov eax,dword ptr ss:[ebp-164]
00D22136 40 inc eax
00D22137 8985 9CFEFFFF mov dword ptr ss:[ebp-164],eax
00D2213D E9 57010000 jmp 00D22299
00D22142 8B85 9CFEFFFF mov eax,dword ptr ss:[ebp-164]
00D22148 0FB600 movzx eax,byte ptr ds:[eax]
00D2214B 3D FF000000 cmp eax,0FF
00D22150 0F85 A7000000 jnz 00D221FD
00D22156 8B85 9CFEFFFF mov eax,dword ptr ss:[ebp-164]
00D2215C 40 inc eax
00D2215D 8985 9CFEFFFF mov dword ptr ss:[ebp-164],eax
00D22163 8B85 9CFEFFFF mov eax,dword ptr ss:[ebp-164]
00D22169 66:8B00 mov ax,word ptr ds:[eax]
00D2216C 66:8985 68FCFFFF mov word ptr ss:[ebp-398],ax
00D22173 8B85 9CFEFFFF mov eax,dword ptr ss:[ebp-164]
00D22179 40 inc eax
00D2217A 40 inc eax
00D2217B 8985 9CFEFFFF mov dword ptr ss:[ebp-164],eax
00D22181 0FB785 68FCFFFF movzx eax,word ptr ss:[ebp-398]
00D22188 50 push eax
00D22189 FFB5 88FCFFFF push dword ptr ss:[ebp-378]
00D2218F E8 D229FFFF call 00D14B66
00D22194 8985 6CFCFFFF mov dword ptr ss:[ebp-394],eax
00D2219A 83BD 6CFCFFFF 00 cmp dword ptr ss:[ebp-394],0
00D221A1 75 58 jnz short 00D221FB
00D221A3 FF15 C4B0D200 call dword ptr ds:[D2B0C4] ; ntdll.RtlGetLastWin32Error
00D221A9 83F8 32 cmp eax,32
00D221AC 75 0A jnz short 00D221B8
00D221AE C785 6CFCFFFF 5B4BD10>mov dword ptr ss:[ebp-394],0D14B5B
00D221B8 83BD 6CFCFFFF 00 cmp dword ptr ss:[ebp-394],0
00D221BF 75 3A jnz short 00D221FB
00D221C1 8B45 08 mov eax,dword ptr ss:[ebp+8]
00D221C4 8B00 mov eax,dword ptr ds:[eax]
00D221C6 C700 03000000 mov dword ptr ds:[eax],3
00D221CC FF15 C4B0D200 call dword ptr ds:[D2B0C4] ; ntdll.RtlGetLastWin32Error
00D221D2 50 push eax
00D221D3 0FB785 68FCFFFF movzx eax,word ptr ss:[ebp-398]
00D221DA 50 push eax
00D221DB FFB5 70FCFFFF push dword ptr ss:[ebp-390]
00D221E1 68 A4E5D200 push 0D2E5A4 ; ASCII "File "%s", ordinal %d (error %d)"
00D221E6 8B45 08 mov eax,dword ptr ss:[ebp+8]
00D221E9 FF70 04 push dword ptr ds:[eax+4]
00D221EC E8 CB2C0000 call 00D24EBC
00D221F1 83C4 14 add esp,14
00D221F4 33C0 xor eax,eax
00D221F6 E9 57050000 jmp 00D22752
00D221FB EB 7A jmp short 00D22277
00D221FD 8B85 9CFEFFFF mov eax,dword ptr ss:[ebp-164]
00D22203 8985 64FCFFFF mov dword ptr ss:[ebp-39C],eax
00D22209 6A 00 push 0
00D2220B FFB5 9CFEFFFF push dword ptr ss:[ebp-164]
00D22211 E8 EA2B0000 call 00D24E00
00D22216 59 pop ecx
00D22217 59 pop ecx
00D22218 40 inc eax
00D22219 8985 9CFEFFFF mov dword ptr ss:[ebp-164],eax
00D2221F FFB5 64FCFFFF push dword ptr ss:[ebp-39C]
00D22225 FFB5 88FCFFFF push dword ptr ss:[ebp-378]
00D2222B E8 3629FFFF call 00D14B66
00D22230 8985 6CFCFFFF mov dword ptr ss:[ebp-394],eax
00D22236 83BD 6CFCFFFF 00 cmp dword ptr ss:[ebp-394],0
00D2223D 75 38 jnz short 00D22277
00D2223F 8B45 08 mov eax,dword ptr ss:[ebp+8]
00D22242 8B00 mov eax,dword ptr ds:[eax]
00D22244 C700 03000000 mov dword ptr ds:[eax],3
00D2224A FF15 C4B0D200 call dword ptr ds:[D2B0C4] ; ntdll.RtlGetLastWin32Error
00D22250 50 push eax
00D22251 FFB5 64FCFFFF push dword ptr ss:[ebp-39C]
00D22257 FFB5 70FCFFFF push dword ptr ss:[ebp-390]
00D2225D 68 80E5D200 push 0D2E580 ; ASCII "File "%s", function "%s" (error %d)"
00D22262 8B45 08 mov eax,dword ptr ss:[ebp+8]
00D22265 FF70 04 push dword ptr ds:[eax+4]
00D22268 E8 4F2C0000 call 00D24EBC
00D2226D 83C4 14 add esp,14
00D22270 33C0 xor eax,eax
00D22272 E9 DB040000 jmp 00D22752
00D22277 8B85 74FCFFFF mov eax,dword ptr ss:[ebp-38C]
00D2227D 8B8D 6CFCFFFF mov ecx,dword ptr ss:[ebp-394]
00D22283 8908 mov dword ptr ds:[eax],ecx
00D22285 8B85 74FCFFFF mov eax,dword ptr ss:[ebp-38C]
00D2228B 83C0 04 add eax,4
00D2228E 8985 74FCFFFF mov dword ptr ss:[ebp-38C],eax
00D22294 ^ E9 78FEFFFF jmp 00D22111
00D22299 0FB685 80FCFFFF movzx eax,byte ptr ss:[ebp-380]
00D222A0 85C0 test eax,eax
00D222A2 74 7F je short 00D22323
00D222A4 6A 00 push 0
00D222A6 8B85 84FCFFFF mov eax,dword ptr ss:[ebp-37C]
00D222AC C1E0 02 shl eax,2
00D222AF 50 push eax
00D222B0 8B85 64FDFFFF mov eax,dword ptr ss:[ebp-29C]
00D222B6 0385 7CFCFFFF add eax,dword ptr ss:[ebp-384]
00D222BC 50 push eax
00D222BD E8 5D0C0000 call 00D22F1F
00D222C2 83C4 0C add esp,0C
00D222C5 8B85 84FCFFFF mov eax,dword ptr ss:[ebp-37C]
00D222CB C1E0 02 shl eax,2
00D222CE 50 push eax
00D222CF FFB5 8CFCFFFF push dword ptr ss:[ebp-374]
00D222D5 8B85 64FDFFFF mov eax,dword ptr ss:[ebp-29C]
00D222DB 0385 7CFCFFFF add eax,dword ptr ss:[ebp-384]
00D222E1 50 push eax
00D222E2 E8 39220000 call 00D24520
00D222E7 83C4 0C add esp,0C
00D222EA 6A 01 push 1
00D222EC 8B85 84FCFFFF mov eax,dword ptr ss:[ebp-37C]
00D222F2 C1E0 02 shl eax,2
00D222F5 50 push eax
00D222F6 8B85 64FDFFFF mov eax,dword ptr ss:[ebp-29C]
00D222FC 0385 7CFCFFFF add eax,dword ptr ss:[ebp-384]
00D22302 50 push eax
00D22303 E8 170C0000 call 00D22F1F
00D22308 83C4 0C add esp,0C
00D2230B 8B85 8CFCFFFF mov eax,dword ptr ss:[ebp-374]
00D22311 8985 90EBFFFF mov dword ptr ss:[ebp-1470],eax
00D22317 FFB5 90EBFFFF push dword ptr ss:[ebp-1470]
00D2231D E8 F0210000 call 00D24512
00D22322 59 pop ecx
00D22323 8D85 78FCFFFF lea eax,dword ptr ss:[ebp-388]
00D22329 50 push eax
00D2232A FFB5 78FCFFFF push dword ptr ss:[ebp-388]
00D22330 8B85 84FCFFFF mov eax,dword ptr ss:[ebp-37C]
00D22336 C1E0 02 shl eax,2
00D22339 50 push eax
00D2233A 8B85 64FDFFFF mov eax,dword ptr ss:[ebp-29C]
00D22340 0385 7CFCFFFF add eax,dword ptr ss:[ebp-384]
00D22346 50 push eax
00D22347 FF15 08B1D200 call dword ptr ds:[D2B108] ; kernel32.VirtualProtect