I recently read FLY's tutorial on Armadillo V4.X CopyMem-II, so I packed the Windows 98 Notepad with Armadillo V4.0 myself to practice.
Following FLY's steps, I reached:
00428E43 83BD CCF5FFFF 0>cmp dword ptr ss:[ebp-A34],0 // was 0 originally, I did not change it
00428E4A 0F8C A8020000 jl ARM4_0双.004290F8
00428E50 8B8D CCF5FFFF mov ecx,dword ptr ss:[ebp-A34]
00428E56 3B0D 483F4600 cmp ecx,dword ptr ds:[463F48]
00428E5C 0F8D 96020000 jge ARM4_0双.004290F8 * set a breakpoint at 004290F8
00428E62 8B95 40F6FFFF mov edx,dword ptr ss:[ebp-9C0]
00428E68 81E2 FF000000 and edx,0FF
00428E6E 85D2 test edx,edx
00428E70 0F84 AD000000 je ARM4_0双.00428F23
00428E76 6A 00 push 0
00428E78 8BB5 CCF5FFFF mov esi,dword ptr ss:[ebp-A34]
00428E7E C1E6 04 shl esi,4
00428E81 8B85 CCF5FFFF mov eax,dword ptr ss:[ebp-A34]
00428E87 25 07000080 and eax,80000007
00428E8C 79 05 jns short ARM4_0双.00428E93
00428E8E 48 dec eax
00428E8F 83C8 F8 or eax,FFFFFFF8
00428E92 40 inc eax
00428E93 33C9 xor ecx,ecx
00428E95 8A88 1C194600 mov cl,byte ptr ds:[eax+46191C]
00428E9B 8B95 CCF5FFFF mov edx,dword ptr ss:[ebp-A34]
00428EA1 81E2 07000080 and edx,80000007
00428EA7 79 05 jns short ARM4_0双.00428EAE
00428EA9 4A dec edx
00428EAA 83CA F8 or edx,FFFFFFF8
00428EAD 42 inc edx
00428EAE 33C0 xor eax,eax
00428EB0 8A82 1D194600 mov al,byte ptr ds:[edx+46191D]
00428EB6 8B3C8D 70D34500 mov edi,dword ptr ds:[ecx*4+45D370>
00428EBD 333C85 70D34500 xor edi,dword ptr ds:[eax*4+45D370>
00428EC4 8B8D CCF5FFFF mov ecx,dword ptr ss:[ebp-A34]
00428ECA 81E1 07000080 and ecx,80000007
00428ED0 79 05 jns short ARM4_0双.00428ED7
00428ED2 49 dec ecx
00428ED3 83C9 F8 or ecx,FFFFFFF8
00428ED6 41 inc ecx
00428ED7 33D2 xor edx,edx
00428ED9 8A91 1E194600 mov dl,byte ptr ds:[ecx+46191E]
00428EDF 333C95 70D34500 xor edi,dword ptr ds:[edx*4+45D370>
00428EE6 8B85 CCF5FFFF mov eax,dword ptr ss:[ebp-A34]
00428EEC 99 cdq
00428EED B9 1C000000 mov ecx,1C
00428EF2 F7F9 idiv ecx
00428EF4 8BCA mov ecx,edx
00428EF6 D3EF shr edi,cl
00428EF8 83E7 0F and edi,0F
00428EFB 03F7 add esi,edi
00428EFD 8B15 2C3F4600 mov edx,dword ptr ds:[463F2C]
00428F03 8D04B2 lea eax,dword ptr ds:[edx+esi*4]
00428F06 50 push eax
00428F07 8B8D CCF5FFFF mov ecx,dword ptr ss:[ebp-A34]
00428F0D 51 push ecx
00428F0E E8 2F210000 call ARM4_0双.0042B042
00428F13 83C4 0C add esp,0C
00428F16 25 FF000000 and eax,0FF // patch here
00428F1B 85C0 test eax,eax
00428F1D 0F84 D5010000 je ARM4_0双.004290F8
This is the patch code I wrote; I am not sure whether it is correct:
0060FF16 FF85 CCF5FFFF inc dword ptr ss:[ebp-0A34]
0060FF1C C705 4CAF6400 0>mov dword ptr ds:[463f48+4],1
0060FF26 E9 18FFFFFF jmp 00428E43
Then at the WriteProcessMemory breakpoint I can already see the OEP, but according to FLY, once it breaks at 004290F8 you can run LordPE and dump the child process completely. That failed for me. Where did I go wrong? I am a real newbie, so I am asking the experts here for help. Attached: the packed Notepad. Please teach me, thank you.
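As an added reading aid (editor's example, not the poster's code and not Armadillo's source), here is a C transcription of the index computation in the listing between 00428E78 and 00428EFB: the `and eax,80000007 / jns / dec / or / inc` sequence is the compiler idiom for a signed `x % 8`, and `cdq; idiv 1C` is `x % 28`. The table contents at 46191C and 45D370 are not in the post, so the arrays below are constructed placeholders, and the function names are mine.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for the selector bytes at 46191C.. and the dword
   table at 45D370; the real contents are not shown in the post. */
static const uint8_t  sel[10] = {0, 1, 2, 3, 4, 5, 6, 7, 0, 1};
static const uint32_t tbl[8]  = {0x11111111, 0x22222222, 0x44444444, 0x88888888,
                                 0x0F0F0F0F, 0xF0F0F0F0, 0x12345678, 0x9ABCDEF0};

/* "and eax,80000007 / jns / dec eax / or eax,FFFFFFF8 / inc eax":
   the compiler's idiom for a signed x % 8, reproduced instruction by instruction. */
int32_t signed_mod8(int32_t x)
{
    uint32_t eax = (uint32_t)x & 0x80000007u;
    if ((int32_t)eax < 0) {           /* jns not taken: negative dividend */
        eax -= 1;
        eax |= 0xFFFFFFF8u;
        eax += 1;
    }
    return (int32_t)eax;
}

/* esi as built from the loop counter i ([ebp-A34]) before the call at 0042B042.
   The jl at 00428E4A keeps i >= 0 in the real loop, so r is 0..7 here. */
uint32_t slot_index(int32_t i)
{
    uint32_t esi = (uint32_t)i << 4;                       /* shl esi,4 */
    int32_t  r   = signed_mod8(i);                         /* computed three times in the listing */
    uint32_t edi = tbl[sel[r]] ^ tbl[sel[r + 1]] ^ tbl[sel[r + 2]];  /* 46191C/1D/1E lookups */
    int32_t  cl  = i % 28;                                 /* cdq; idiv ecx (1C); mov ecx,edx */
    edi >>= ((uint32_t)cl & 31u);                          /* shr edi,cl (count masked to 5 bits) */
    edi &= 0xF;                                            /* and edi,0F */
    return esi + edi;                                      /* add esi,edi -> dword index into [463F2C] */
}

int main(void)
{
    for (int32_t i = 0; i < 8; i++)
        printf("i=%d  i%%8=%d  index=%u\n", i, signed_mod8(i), slot_index(i));
    return 0;
}
```

Note that the loop bound the code itself checks is the dword at 463F48 (00428E56), while the patch at 0060FF1C writes to 463f48+4.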