将od2.01载入od1.1,并在advapi32.IsTextUnicode处下断点
然后在od2.01里载入测试的程序,在2.01里查找所有的字符串,程序会断在下面:
00487CFE |. 56 push esi
00487CFF |. 8D8D E0FEFFFF lea ecx, dword ptr [ebp-0x120]
00487D05 |. 51 push ecx
00487D06 |. FF15 64E75700 call dword ptr [0x57E764] ; advapi32.IsTextUnicode
00487D0C |. 85C0 test eax, eax
00487D0E |. 74 5A je short 00487D6A
00487D10 |. 68 02525400 push 00545202 ; /Arg3 = 00545202
00487D15 |. 8B45 14 mov eax, dword ptr [ebp+0x14] ; |
在寄存器窗口可以看到所有字符串,而且中文字符串也显示正常:
EAX 0012C184
ECX 0012C06C UNICODE "正在下载第"
但就是不能在字符串窗口里正确显示,可能是中文的处理出问题了。
下面是找字符串的代码:
004A2F60 |> /8B4D F8 /mov ecx, dword ptr [ebp-0x8]
004A2F63 |. |51 |push ecx ; /Arg2
004A2F64 |. |68 285E5D00 |push 005D5E28 ; |p
004A2F69 |. |E8 4A59F7FF |call _Getsortedbyindex ; \_Getsortedbyindex
004A2F6E |. |83C4 08 |add esp, 0x8
004A2F71 |. |8945 CC |mov dword ptr [ebp-0x34], eax
004A2F74 |. |837D CC 00 |cmp dword ptr [ebp-0x34], 0x0
004A2F78 |. |0F84 4D050000 |je 004A34CB
004A2F7E |. |8B45 CC |mov eax, dword ptr [ebp-0x34]
004A2F81 |. |F640 0B 08 |test byte ptr [eax+0xB], 0x8
004A2F85 |. |0F85 40050000 |jnz 004A34CB
004A2F8B |. |8B55 08 |mov edx, dword ptr [ebp+0x8]
004A2F8E |. |8B45 CC |mov eax, dword ptr [ebp-0x34]
004A2F91 |. |8B00 |mov eax, dword ptr [eax]
004A2F93 |. |8B12 |mov edx, dword ptr [edx]
004A2F95 |. |3BD0 |cmp edx, eax
004A2F97 |. |0F87 2E050000 |ja 004A34CB
004A2F9D |. |8B4D 08 |mov ecx, dword ptr [ebp+0x8]
004A2FA0 |. |0351 04 |add edx, dword ptr [ecx+0x4]
004A2FA3 |. |3BC2 |cmp eax, edx
004A2FA5 |. |0F83 20050000 |jnb 004A34CB
004A2FAB |. |8B55 CC |mov edx, dword ptr [ebp-0x34]
004A2FAE |. |F742 08 00500>|test dword ptr [edx+0x8], 0x200>
004A2FB5 |. |0F84 10050000 |je 004A34CB
004A2FBB |. |8B55 CC |mov edx, dword ptr [ebp-0x34]
004A2FBE |. |8B52 04 |mov edx, dword ptr [edx+0x4]
004A2FC1 |. |0155 D4 |add dword ptr [ebp-0x2C], edx
004A2FC4 |. |8BF0 |mov esi, eax
004A2FC6 |. |8955 E4 |mov dword ptr [ebp-0x1C], edx
004A2FC9 |. |6A 00 |push 0x0 ; /Arg2 = 00000000
004A2FCB |. |8B45 E4 |mov eax, dword ptr [ebp-0x1C] ; |
004A2FCE |. |50 |push eax ; |Arg1
004A2FCF |. |E8 9C0CF6FF |call _Memalloc ; \_Memalloc
004A2FD4 |. |83C4 08 |add esp, 0x8
004A2FD7 |. |8945 D0 |mov dword ptr [ebp-0x30], eax
004A2FDA |. |837D D0 00 |cmp dword ptr [ebp-0x30], 0x0
004A2FDE |. |0F84 E7040000 |je 004A34CB
004A2FE4 |. |E8 DBC3FAFF |call _Suspendallthreads
004A2FE9 |. |6A 00 |push 0x0 ; /Arg4 = 00000000
004A2FEB |. |8B55 E4 |mov edx, dword ptr [ebp-0x1C] ; |
004A2FEE |. |52 |push edx ; |Arg3
004A2FEF |. |56 |push esi ; |Arg2
004A2FF0 |. |8B4D D0 |mov ecx, dword ptr [ebp-0x30] ; |
004A2FF3 |. |51 |push ecx ; |Arg1
004A2FF4 |. |E8 9B56FBFF |call _Readmemory ; \_Readmemory
004A2FF9 |. |83C4 10 |add esp, 0x10
004A2FFC |. |8BD8 |mov ebx, eax
004A2FFE |. |E8 41C4FAFF |call _Resumeallthreads
004A3003 |. |3B5D E4 |cmp ebx, dword ptr [ebp-0x1C]
004A3006 |. |74 0F |je short 004A3017
004A3008 |. |8B45 D0 |mov eax, dword ptr [ebp-0x30]
004A300B |. |50 |push eax ; /Arg1
004A300C |. |E8 6B0DF6FF |call _Memfree ; \_Memfree
004A3011 |. |59 |pop ecx
004A3012 |. |E9 B4040000 |jmp 004A34CB
004A3017 |> |8B55 CC |mov edx, dword ptr [ebp-0x34]
004A301A |. |8B7A 64 |mov edi, dword ptr [edx+0x64]
004A301D |. |8975 E0 |mov dword ptr [ebp-0x20], esi
004A3020 |. |8BDE |mov ebx, esi
004A3022 |. |8B45 CC |mov eax, dword ptr [ebp-0x34]
004A3025 |. |8B40 04 |mov eax, dword ptr [eax+0x4]
004A3028 |. |B9 F4010000 |mov ecx, 0x1F4
004A302D |. |33D2 |xor edx, edx
004A302F |. |F7F1 |div ecx
004A3031 |. |8945 BC |mov dword ptr [ebp-0x44], eax
004A3034 |. |C745 B8 00200>|mov dword ptr [ebp-0x48], 0x20>
004A303B |. |8B45 B8 |mov eax, dword ptr [ebp-0x48]
004A303E |. |3B45 BC |cmp eax, dword ptr [ebp-0x44]
004A3041 |. |76 05 |jbe short 004A3048
004A3043 |. |8D55 B8 |lea edx, dword ptr [ebp-0x48]
004A3046 |. |EB 03 |jmp short 004A304B
004A3048 |> |8D55 BC |lea edx, dword ptr [ebp-0x44]
004A304B |> |8B02 |mov eax, dword ptr [edx]
004A304D |. |8945 DC |mov dword ptr [ebp-0x24], eax
004A3050 |. |E9 5F040000 |jmp 004A34B4
004A3055 |> |3B5D E0 |/cmp ebx, dword ptr [ebp-0x20]
004A3058 |. |0F82 88000000 ||jb 004A30E6
004A305E |. |68 DCF45400 ||push 0054F4DC ; /Searching -
004A3063 |. |E8 5CB70300 ||call _T ; \_T
004A3068 |. |59 ||pop ecx
004A3069 |. |50 ||push eax ; /Arg2
004A306A |. |8B4D D8 ||mov ecx, dword ptr [ebp-0x28] ; |
004A306D |. |51 ||push ecx ; |/Divisor
004A306E |. |68 E8030000 ||push 0x3E8 ; ||Multiplier = 3E8 (1000.)
004A3073 |. |8B45 D4 ||mov eax, dword ptr [ebp-0x2C] ; ||
004A3076 |. |03C3 ||add eax, ebx ; ||
004A3078 |. |2BC6 ||sub eax, esi ; ||
004A307A |. |2B45 E4 ||sub eax, dword ptr [ebp-0x1C] ; ||
004A307D |. |50 ||push eax ; ||Multiplicand
004A307E |. |E8 4D260500 ||call <jmp.&KERNEL32.MulDiv> ; |\MulDiv
004A3083 |. |50 ||push eax ; |Arg1
004A3084 |. |E8 336DF6FF ||call _Progress ; \_Progress
004A3089 |. |8B55 DC ||mov edx, dword ptr [ebp-0x24]
004A308C |. |83C4 08 ||add esp, 0x8
004A308F |. |03D3 ||add edx, ebx
004A3091 |. |8B0D 38FE5700 ||mov ecx, dword ptr [hwollymai>
004A3097 |. |8955 E0 ||mov dword ptr [ebp-0x20], edx
004A309A |. |6A 01 ||push 0x1 ; /RemoveMsg = PM_REMOVE
004A309C |. |68 00010000 ||push 0x100 ; |MsgFilterMax = WM_KEYDOWN
004A30A1 |. |68 00010000 ||push 0x100 ; |MsgFilterMin = WM_KEYDOWN
004A30A6 |. |51 ||push ecx ; |hWnd => 002805DE ('ollydbg_Fix_02 - 图库下载.exe',class='ollydbg_Fix_02')
004A30A7 |. |8D85 88DAFFFF ||lea eax, dword ptr [ebp-0x257>; |
004A30AD |. |50 ||push eax ; |pMsg
004A30AE |. |E8 832A0500 ||call <jmp.&USER32.PeekMessageW>; \PeekMessageW
004A30B3 |. |85C0 ||test eax, eax
004A30B5 |. |74 2F ||je short 004A30E6
004A30B7 |. |8B85 90DAFFFF ||mov eax, dword ptr [ebp-0x257>
004A30BD |. |83F8 20 ||cmp eax, 0x20
004A30C0 |. |74 05 ||je short 004A30C7
004A30C2 |. |83F8 1B ||cmp eax, 0x1B
004A30C5 |. |75 1F ||jnz short 004A30E6
004A30C7 |> |68 F6F45400 ||push 0054F4F6 ; /Search interrupted
004A30CC |. |E8 F3B60300 ||call _T ; \_T
004A30D1 |. |59 ||pop ecx
004A30D2 |. |50 ||push eax ; /Arg1
004A30D3 |. |E8 706CF6FF ||call _Flash ; \_Flash
004A30D8 |. |59 ||pop ecx
004A30D9 |. |C745 F0 01000>||mov dword ptr [ebp-0x10], 0x1
004A30E0 |. |E9 DC030000 ||jmp 004A34C1
004A30E5 |> |43 ||/inc ebx
004A30E6 |> |85FF || test edi, edi
004A30E8 |. |0F84 E6000000 |||je 004A31D4
004A30EE |. |8B55 E4 |||mov edx, dword ptr [ebp-0x1C>
004A30F1 |. |03D6 |||add edx, esi
004A30F3 |. |3BDA |||cmp ebx, edx
004A30F5 |. |0F83 D9000000 |||jnb 004A31D4
004A30FB |. |8BCB |||mov ecx, ebx
004A30FD |. |2BCE |||sub ecx, esi
004A30FF |. |F6040F 1F |||test byte ptr [edi+ecx], 0x1F
004A3103 |. |0F84 CB000000 |||je 004A31D4
004A3109 |. |8BC3 |||mov eax, ebx
004A310B |. |2BC6 |||sub eax, esi
004A310D |. |33D2 |||xor edx, edx
004A310F |. |8A1407 |||mov dl, byte ptr [edi+eax]
004A3112 |. |83E2 1F |||and edx, 0x1F
004A3115 |. |83FA 04 |||cmp edx, 0x4
004A3118 |. |0F84 B6000000 |||je 004A31D4
004A311E |. |8BCB |||mov ecx, ebx
004A3120 |. |2BCE |||sub ecx, esi
004A3122 |. |33C0 |||xor eax, eax
004A3124 |. |8A040F |||mov al, byte ptr [edi+ecx]
004A3127 |. |83E0 1F |||and eax, 0x1F
004A312A |. |83F8 07 |||cmp eax, 0x7
004A312D |. |0F84 A1000000 |||je 004A31D4
004A3133 |. |8BD3 |||mov edx, ebx
004A3135 |. |2BD6 |||sub edx, esi
004A3137 |. |33C9 |||xor ecx, ecx
004A3139 |. |8A0C17 |||mov cl, byte ptr [edi+edx]
004A313C |. |83E1 1F |||and ecx, 0x1F
004A313F |. |83F9 08 |||cmp ecx, 0x8
004A3142 |. |0F84 8C000000 |||je 004A31D4
004A3148 |. |8BC3 |||mov eax, ebx
004A314A |. |2BC6 |||sub eax, esi
004A314C |. |33D2 |||xor edx, edx
004A314E |. |8A1407 |||mov dl, byte ptr [edi+eax]
004A3151 |. |83E2 1F |||and edx, 0x1F
004A3154 |. |83FA 09 |||cmp edx, 0x9
004A3157 |. |74 7B |||je short 004A31D4
004A3159 |. |8BCB |||mov ecx, ebx
004A315B |. |2BCE |||sub ecx, esi
004A315D |. |33C0 |||xor eax, eax
004A315F |. |8A040F |||mov al, byte ptr [edi+ecx]
004A3162 |. |83E0 1F |||and eax, 0x1F
004A3165 |. |83F8 0B |||cmp eax, 0xB
004A3168 |. |74 6A |||je short 004A31D4
004A316A |. |8BD3 |||mov edx, ebx
004A316C |. |2BD6 |||sub edx, esi
004A316E |. |33C9 |||xor ecx, ecx
004A3170 |. |8A0C17 |||mov cl, byte ptr [edi+edx]
004A3173 |. |83E1 1F |||and ecx, 0x1F
004A3176 |. |83F9 18 |||cmp ecx, 0x18
004A3179 |. |74 59 |||je short 004A31D4
004A317B |. |8BC3 |||mov eax, ebx
004A317D |. |2BC6 |||sub eax, esi
004A317F |. |33D2 |||xor edx, edx
004A3181 |. |8A1407 |||mov dl, byte ptr [edi+eax]
004A3184 |. |83E2 1F |||and edx, 0x1F
004A3187 |. |83FA 19 |||cmp edx, 0x19
004A318A |. |74 48 |||je short 004A31D4
004A318C |. |8BCB |||mov ecx, ebx
004A318E |. |2BCE |||sub ecx, esi
004A3190 |. |33C0 |||xor eax, eax
004A3192 |. |8A040F |||mov al, byte ptr [edi+ecx]
004A3195 |. |83E0 1F |||and eax, 0x1F
004A3198 |. |83F8 1A |||cmp eax, 0x1A
004A319B |. |74 37 |||je short 004A31D4
004A319D |. |8BD3 |||mov edx, ebx
004A319F |. |2BD6 |||sub edx, esi
004A31A1 |. |33C9 |||xor ecx, ecx
004A31A3 |. |8A0C17 |||mov cl, byte ptr [edi+edx]
004A31A6 |. |83E1 1F |||and ecx, 0x1F
004A31A9 |. |83F9 1C |||cmp ecx, 0x1C
004A31AC |. |74 26 |||je short 004A31D4
004A31AE |. |8BC3 |||mov eax, ebx
004A31B0 |. |2BC6 |||sub eax, esi
004A31B2 |. |33D2 |||xor edx, edx
004A31B4 |. |8A1407 |||mov dl, byte ptr [edi+eax]
004A31B7 |. |83E2 1F |||and edx, 0x1F
004A31BA |. |83FA 1D |||cmp edx, 0x1D
004A31BD |. |74 15 |||je short 004A31D4
004A31BF |. |8BCB |||mov ecx, ebx
004A31C1 |. |2BCE |||sub ecx, esi
004A31C3 |. |33C0 |||xor eax, eax
004A31C5 |. |8A040F |||mov al, byte ptr [edi+ecx]
004A31C8 |. |83E0 1F |||and eax, 0x1F
004A31CB |. |83F8 1E |||cmp eax, 0x1E
004A31CE |.^|0F85 11FFFFFF ||\jnz 004A30E5
004A31D4 |> |8B55 E4 ||mov edx, dword ptr [ebp-0x1C]
004A31D7 |. |03D6 ||add edx, esi
004A31D9 |. |3BDA ||cmp ebx, edx
004A31DB |. |0F83 E0020000 ||jnb 004A34C1
004A31E1 |. |895D E8 ||mov dword ptr [ebp-0x18], ebx
004A31E4 |. |85FF ||test edi, edi
004A31E6 |. |74 22 ||je short 004A320A
004A31E8 |. |8BCB ||mov ecx, ebx
004A31EA |. |2BCE ||sub ecx, esi
004A31EC |. |33C0 ||xor eax, eax
004A31EE |. |8A040F ||mov al, byte ptr [edi+ecx]
004A31F1 |. |83E0 1F ||and eax, 0x1F
004A31F4 |. |83F8 09 ||cmp eax, 0x9
004A31F7 |. |75 11 ||jnz short 004A320A
004A31F9 |. |B8 00000201 ||mov eax, 0x1020000
004A31FE |. |8B55 E8 ||mov edx, dword ptr [ebp-0x18]
004A3201 |. |8955 EC ||mov dword ptr [ebp-0x14], edx
004A3204 |. |43 ||inc ebx
004A3205 |. |E9 4A020000 ||jmp 004A3454
004A320A |> |85FF ||test edi, edi
004A320C |. |74 22 ||je short 004A3230
004A320E |. |8BCB ||mov ecx, ebx
004A3210 |. |2BCE ||sub ecx, esi
004A3212 |. |33C0 ||xor eax, eax
004A3214 |. |8A040F ||mov al, byte ptr [edi+ecx]
004A3217 |. |83E0 1F ||and eax, 0x1F
004A321A |. |83F8 0B ||cmp eax, 0xB
004A321D |. |75 11 ||jnz short 004A3230
004A321F |. |B8 00000201 ||mov eax, 0x1020000
004A3224 |. |8B55 E8 ||mov edx, dword ptr [ebp-0x18]
004A3227 |. |8955 EC ||mov dword ptr [ebp-0x14], edx
004A322A |. |43 ||inc ebx
004A322B |. |E9 24020000 ||jmp 004A3454
004A3230 |> |85FF ||test edi, edi
004A3232 |. |0F84 93000000 ||je 004A32CB
004A3238 |. |8BCB ||mov ecx, ebx
004A323A |. |2BCE ||sub ecx, esi
004A323C |. |33C0 ||xor eax, eax
004A323E |. |8A040F ||mov al, byte ptr [edi+ecx]
004A3241 |. |83E0 1F ||and eax, 0x1F
004A3244 |. |83F8 18 ||cmp eax, 0x18
004A3247 |. |74 12 ||je short 004A325B
004A3249 |. |8BD3 ||mov edx, ebx
004A324B |. |2BD6 ||sub edx, esi
004A324D |. |83F8 19 ||cmp eax, 0x19
004A3250 |. |74 09 ||je short 004A325B
004A3252 |. |8BCB ||mov ecx, ebx
004A3254 |. |2BCE ||sub ecx, esi
004A3256 |. |83F8 1A ||cmp eax, 0x1A
004A3259 |. |75 70 ||jnz short 004A32CB
004A325B |> |8B45 08 ||mov eax, dword ptr [ebp+0x8]
004A325E |. |8D95 A4DAFFFF ||lea edx, dword ptr [ebp-0x255>
004A3264 |. |50 ||push eax
004A3265 |. |6A 00 ||push 0x0
004A3267 |. |52 ||push edx
004A3268 |. |53 ||push ebx
004A3269 |. |8BCB ||mov ecx, ebx
004A326B |. |8B45 E4 ||mov eax, dword ptr [ebp-0x1C]
004A326E |. |2BCE ||sub ecx, esi
004A3270 |. |2BC1 ||sub eax, ecx
004A3272 |. |50 ||push eax
004A3273 |. |8B55 D0 ||mov edx, dword ptr [ebp-0x30]
004A3276 |. |03D3 ||add edx, ebx
004A3278 |. |2BD6 ||sub edx, esi
004A327A |. |52 ||push edx
004A327B |. |E8 60E70200 ||call _Ndisasm
004A3280 |. |83C4 18 ||add esp, 0x18
004A3283 |. |43 ||inc ebx
004A3284 |. |83BD C8DAFFFF>||cmp dword ptr [ebp-0x2538], 0>
004A328B |. |0F85 23020000 ||jnz 004A34B4
004A3291 |. |8B8D CCDAFFFF ||mov ecx, dword ptr [ebp-0x253>
004A3297 |. |81E1 FF000000 ||and ecx, 0xFF
004A329D |. |83F9 07 ||cmp ecx, 0x7
004A32A0 |. |0F85 0E020000 ||jnz 004A34B4
004A32A6 |. |8B85 C0DAFFFF ||mov eax, dword ptr [ebp-0x254>
004A32AC |. |25 000000FF ||and eax, 0xFF000000
004A32B1 |. |3D 00000070 ||cmp eax, 0x70000000
004A32B6 |. |0F85 F8010000 ||jnz 004A34B4
004A32BC |. |33D2 ||xor edx, edx
004A32BE |. |B8 00000200 ||mov eax, 0x20000
004A32C3 |. |8955 EC ||mov dword ptr [ebp-0x14], edx
004A32C6 |. |E9 89010000 ||jmp 004A3454
004A32CB |> |6A 00 ||push 0x0
004A32CD |. |6A 00 ||push 0x0
004A32CF |. |6A 00 ||push 0x0
004A32D1 |. |8D95 D0E2FFFF ||lea edx, dword ptr [ebp-0x1D3>
004A32D7 |. |52 ||push edx
004A32D8 |. |85FF ||test edi, edi
004A32DA |. |75 04 ||jnz short 004A32E0
004A32DC |. |33C9 ||xor ecx, ecx
004A32DE |. |EB 06 ||jmp short 004A32E6
004A32E0 |> |8BCB ||mov ecx, ebx
004A32E2 |. |03CF ||add ecx, edi
004A32E4 |. |2BCE ||sub ecx, esi
004A32E6 |> |51 ||push ecx ; |Arg4
004A32E7 |. |53 ||push ebx ; |Arg3
004A32E8 |. |8BC3 ||mov eax, ebx ; |
004A32EA |. |2BC6 ||sub eax, esi ; |
004A32EC |. |8B55 E4 ||mov edx, dword ptr [ebp-0x1C] ; |
004A32EF |. |2BD0 ||sub edx, eax ; |
004A32F1 |. |52 ||push edx ; |Arg2
004A32F2 |. |8B45 D0 ||mov eax, dword ptr [ebp-0x30] ; |
004A32F5 |. |03C3 ||add eax, ebx ; |
004A32F7 |. |2BC6 ||sub eax, esi ; |
004A32F9 |. |50 ||push eax ; |Arg1
004A32FA |. |E8 75E2F9FF ||call _Disasm ; \_Disasm
004A32FF |. |83C4 20 ||add esp, 0x20
004A3302 |. |43 ||inc ebx
004A3303 |. |83BD FCE2FFFF>||cmp dword ptr [ebp-0x1D04], 0>
004A330A |. |0F85 A4010000 ||jnz 004A34B4
004A3310 |. |8B85 E4E2FFFF ||mov eax, dword ptr [ebp-0x1D1>
004A3316 |. |83E0 1F ||and eax, 0x1F
004A3319 |. |83F8 06 ||cmp eax, 0x6
004A331C |. |0F84 92010000 ||je 004A34B4
004A3322 |. |83F8 07 ||cmp eax, 0x7
004A3325 |. |0F84 89010000 ||je 004A34B4
004A332B |. |83F8 08 ||cmp eax, 0x8
004A332E |. |0F84 80010000 ||je 004A34B4
004A3334 |. |83F8 09 ||cmp eax, 0x9
004A3337 |. |0F84 77010000 ||je 004A34B4
004A333D |. |83F8 0C ||cmp eax, 0xC
004A3340 |. |0F84 6E010000 ||je 004A34B4
004A3346 |. |83F8 0D ||cmp eax, 0xD
004A3349 |. |0F84 65010000 ||je 004A34B4
004A334F |. |33D2 ||xor edx, edx
004A3351 |. |8D8D 1CE3FFFF ||lea ecx, dword ptr [ebp-0x1CE>
004A3357 |. |8955 FC ||mov dword ptr [ebp-0x4], edx
004A335A |. |894D C8 ||mov dword ptr [ebp-0x38], ecx
004A335D |> |8B45 C8 ||/mov eax, dword ptr [ebp-0x38>
004A3360 |. |F640 01 02 |||test byte ptr [eax+0x1], 0x2
004A3364 |. |74 54 |||je short 004A33BA
004A3366 |. |8B55 C8 |||mov edx, dword ptr [ebp-0x38>
004A3369 |. |8B42 04 |||mov eax, dword ptr [edx+0x4]
004A336C |. |25 00000F00 |||and eax, 0xF0000
004A3371 |. |3D 00000300 |||cmp eax, 0x30000
004A3376 |. |74 42 |||je short 004A33BA
004A3378 |. |3D 00000700 |||cmp eax, 0x70000
004A337D |. |74 3B |||je short 004A33BA
004A337F |. |8B55 C8 |||mov edx, dword ptr [ebp-0x38>
004A3382 |. |8B4A 30 |||mov ecx, dword ptr [edx+0x30>
004A3385 |. |894D EC |||mov dword ptr [ebp-0x14], ec>
004A3388 |. |817D EC 00000>|||cmp dword ptr [ebp-0x14], 0x>
004A338F |. |72 29 |||jb short 004A33BA
004A3391 |. |817D EC 0000F>|||cmp dword ptr [ebp-0x14], 0x>
004A3398 |. |73 20 |||jnb short 004A33BA
004A339A |. |68 00010000 |||push 0x100 ; /Arg4 = 00000100
004A339F |. |8D85 B8FDFFFF |||lea eax, dword ptr [ebp-0x24>; |
004A33A5 |. |50 |||push eax ; |Arg3
004A33A6 |. |6A 01 |||push 0x1 ; |Arg2 = 00000001
004A33A8 |. |8B55 EC |||mov edx, dword ptr [ebp-0x14>; |
004A33AB |. |52 |||push edx ; |Arg1
004A33AC |. |E8 CF40FEFF |||call _Isstring ; \_Isstring
004A33B1 |. |83C4 10 |||add esp, 0x10
004A33B4 |. |85C0 |||test eax, eax
004A33B6 |. |74 02 |||je short 004A33BA
004A33B8 |. |EB 10 |||jmp short 004A33CA
004A33BA |> |FF45 FC |||inc dword ptr [ebp-0x4]
004A33BD |. |8145 C8 60040>|||add dword ptr [ebp-0x38], 0x>
004A33C4 |. |837D FC 04 |||cmp dword ptr [ebp-0x4], 0x4
004A33C8 |.^|7C 93 ||\jl short 004A335D
004A33CA |> |837D FC 04 ||cmp dword ptr [ebp-0x4], 0x4
004A33CE |. |7C 7F ||jl short 004A344F
004A33D0 |. |833D D0E65B00>||cmp dword ptr [0x5BE6D0], 0x0
004A33D7 |. |0F84 D7000000 ||je 004A34B4
004A33DD |. |8B8D E4E2FFFF ||mov ecx, dword ptr [ebp-0x1D1>
004A33E3 |. |83E1 1F ||and ecx, 0x1F
004A33E6 |. |83F9 0A ||cmp ecx, 0xA
004A33E9 |. |0F85 C5000000 ||jnz 004A34B4
004A33EF |. |8B45 E8 ||mov eax, dword ptr [ebp-0x18]
004A33F2 |. |50 ||push eax ; /Arg2
004A33F3 |. |8B55 08 ||mov edx, dword ptr [ebp+0x8] ; |
004A33F6 |. |81C2 50090000 ||add edx, 0x950 ; |
004A33FC |. |52 ||push edx ; |Arg1
004A33FD |. |E8 A67AF9FF ||call _Findsimpledata ; \_Findsimpledata
004A3402 |. |83C4 08 ||add esp, 0x8
004A3405 |. |8945 C4 ||mov dword ptr [ebp-0x3C], eax
004A3408 |. |837D C4 00 ||cmp dword ptr [ebp-0x3C], 0x0
004A340C |. |0F84 A2000000 ||je 004A34B4
004A3412 |. |8B4D C4 ||mov ecx, dword ptr [ebp-0x3C]
004A3415 |. |0FB741 04 ||movzx eax, word ptr [ecx+0x4]
004A3419 |. |83E0 3F ||and eax, 0x3F
004A341C |. |83F8 20 ||cmp eax, 0x20
004A341F |. |0F85 8F000000 ||jnz 004A34B4
004A3425 |. |68 00010000 ||push 0x100 ; /Arg4 = 00000100
004A342A |. |8D95 B8FDFFFF ||lea edx, dword ptr [ebp-0x248>; |
004A3430 |. |52 ||push edx ; |Arg3
004A3431 |. |6A 01 ||push 0x1 ; |Arg2 = 00000001
004A3433 |. |8B4D C4 ||mov ecx, dword ptr [ebp-0x3C] ; |
004A3436 |. |8B41 0E ||mov eax, dword ptr [ecx+0xE] ; |
004A3439 |. |50 ||push eax ; |Arg1
004A343A |. |E8 4140FEFF ||call _Isstring ; \_Isstring
004A343F |. |83C4 10 ||add esp, 0x10
004A3442 |. |85C0 ||test eax, eax
004A3444 |. |74 6E ||je short 004A34B4
004A3446 |. |8B55 C4 ||mov edx, dword ptr [ebp-0x3C]
004A3449 |. |8B4A 0E ||mov ecx, dword ptr [edx+0xE]
004A344C |. |894D EC ||mov dword ptr [ebp-0x14], ecx
004A344F |> |B8 00000200 ||mov eax, 0x20000
004A3454 |> |8B55 E8 ||mov edx, dword ptr [ebp-0x18]
004A3457 |. |8995 A0FBFFFF ||mov dword ptr [ebp-0x460], ed>
004A345D |. |C785 A4FBFFFF>||mov dword ptr [ebp-0x45C], 0x>
004A3467 |. |8985 A8FBFFFF ||mov dword ptr [ebp-0x458], ea>
004A346D |. |8B8D A0FBFFFF ||mov ecx, dword ptr [ebp-0x460>
004A3473 |. |3B4D 0C ||cmp ecx, dword ptr [ebp+0xC]
004A3476 |. |75 0F ||jnz short 004A3487
004A3478 |. |818D A8FBFFFF>||or dword ptr [ebp-0x458], 0x>
004A3482 |. |33C0 ||xor eax, eax
004A3484 |. |8945 0C ||mov dword ptr [ebp+0xC], eax
004A3487 |> |8B55 EC ||mov edx, dword ptr [ebp-0x14]
004A348A |. |33C9 ||xor ecx, ecx
004A348C |. |8995 ACFBFFFF ||mov dword ptr [ebp-0x454], ed>
004A3492 |. |898D B0FBFFFF ||mov dword ptr [ebp-0x450], ec>
004A3498 |. |33C0 ||xor eax, eax
004A349A |. |8D95 A0FBFFFF ||lea edx, dword ptr [ebp-0x460>
004A34A0 |. |8985 B4FBFFFF ||mov dword ptr [ebp-0x44C], ea>
004A34A6 |. |52 ||push edx ; /Arg2
004A34A7 |. |68 D4A85F00 ||push 005FA8D4 ; |Arg1 = 005FA8D4
004A34AC |. |E8 CF44F7FF ||call _Addsorteddata ; \_Addsorteddata
004A34B1 |. |83C4 08 ||add esp, 0x8
004A34B4 |> |8B4D E4 | mov ecx, dword ptr [ebp-0x1C]
004A34B7 |. |03CE ||add ecx, esi
004A34B9 |. |3BD9 ||cmp ebx, ecx
004A34BB |.^|0F82 94FBFFFF |\jb 004A3055
看得有点晕
004A34C1 |> \8B45 D0 |mov eax, dword ptr [ebp-0x30]
004A34C4 |. 50 |push eax
004A34C5 |. E8 B208F6FF |call _Memfree
004A34CA |. 59 |pop ecx
004A34CB |> FF45 F8 |inc dword ptr [ebp-0x8]
004A34CE |> 8B55 F8 mov edx, dword ptr [ebp-0x8]
004A34D1 |. 3B15 285E5D00 |cmp edx, dword ptr [0x5D5E28]
004A34D7 |. 7D 0A |jge short 004A34E3
004A34D9 |. 837D F0 00 |cmp dword ptr [ebp-0x10], 0x0
004A34DD |.^ 0F84 7DFAFFFF \je 004A2F60
004A34E3 |> 833D D8E65B00>cmp dword ptr [0x5BE6D8], 0x0
[0x5BE6D8]保存的是已找到的字符串条数!
要看程序在哪里改写[0x5BE6D8],对该地址下内存写入断点即可,程序断在下面:
00417DC1 |. E8 2EF70C00 call 004E74F4 ; \程序断在下面
00417DC6 |. FF03 inc dword ptr [ebx] ; 字符串条数+1
按几次F8来到下面:
004A34AC |. E8 CF44F7FF ||call _Addsorteddata ; \_Addsorteddata
004A34B1 |. 83C4 08 ||add esp, 0x8 ; f8返回到这里
这段代码就在上面那段很长的代码里面。
我们往上看:
004A343A |. E8 4140FEFF ||call _Isstring ; \_Isstring
004A343F |. 83C4 10 ||add esp, 0x10 ; 可以看出上面的call是判断是否为字符串
004A3442 |. 85C0 ||test eax, eax
004A3444 |. 74 6E ||je short 004A34B4
004A3446 |. 8B55 C4 ||mov edx, dword ptr [ebp-0x3C]
004A3449 |. 8B4A 0E ||mov ecx, dword ptr [edx+0xE]
004A344C |. 894D EC ||mov dword ptr [ebp-0x14], ecx
004A344F |> B8 00000200 ||mov eax, 0x20000
004A3454 |> 8B55 E8 ||mov edx, dword ptr [ebp-0x18]
004A3457 |. 8995 A0FBFFFF ||mov dword ptr [ebp-0x460], ed>
004A345D |. C785 A4FBFFFF>||mov dword ptr [ebp-0x45C], 0x>
004A3467 |. 8985 A8FBFFFF ||mov dword ptr [ebp-0x458], ea>
004A346D |. 8B8D A0FBFFFF ||mov ecx, dword ptr [ebp-0x460>
004A3473 |. 3B4D 0C ||cmp ecx, dword ptr [ebp+0xC]
004A3476 |. 75 0F ||jnz short 004A3487
004A3478 |. 818D A8FBFFFF>||or dword ptr [ebp-0x458], 0x>
004A3482 |. 33C0 ||xor eax, eax
004A3484 |. 8945 0C ||mov dword ptr [ebp+0xC], eax
004A3487 |> 8B55 EC ||mov edx, dword ptr [ebp-0x14]
004A348A |. 33C9 ||xor ecx, ecx
004A348C |. 8995 ACFBFFFF ||mov dword ptr [ebp-0x454], ed>
004A3492 |. 898D B0FBFFFF ||mov dword ptr [ebp-0x450], ec>
004A3498 |. 33C0 ||xor eax, eax
004A349A |. 8D95 A0FBFFFF ||lea edx, dword ptr [ebp-0x460>
004A34A0 |. 8985 B4FBFFFF ||mov dword ptr [ebp-0x44C], ea>
004A34A6 |. 52 ||push edx ; /Arg2
004A34A7 |. 68 D4A85F00 ||push 005FA8D4 ; |Arg1 = 005FA8D4
004A34AC |. E8 CF44F7FF ||call _Addsorteddata ; \_Addsorteddata
004A34B1 |. 83C4 08 ||add esp, 0x8 ; f8带到这里
004A34B4 |> 8B4D E4 | mov ecx, dword ptr [ebp-0x1C]
004A34B7 |. 03CE ||add ecx, esi
004A34B9 |. 3BD9 ||cmp ebx, ecx
004A34BB |.^ 0F82 94FBFFFF |\jb 004A3055
可以看到一些关键的判断。
跟了一下,好像在这段代码之前程序就已经确定了哪些东西可能是字符串,所以那些中文字符串在这里还是看不到。