[讨论]od2.01有关字符串的猜想-资源下载-看雪-安全社区|安全招聘|kanxue.com

[讨论]od2.01有关字符串的猜想

发表于: 2013-10-23 14:29 1990

[讨论]od2.01有关字符串的猜想

menglv

2013-10-23 14:29

1990

将od2.01载入od1.1，并下断点advapi32.IsTextUnicode
然后再od2.01载入测试的程序，在2.01里查找所有的字符串，程序会断在下面：
00487CFE  |.  56          push esi
00487CFF  |.  8D8D E0FEFFFF lea    ecx, dword ptr [ebp-0x120]
00487D05  |.  51          push ecx
00487D06  |.  FF15 64E75700 call dword ptr [0x57E764]    ;  advapi32.IsTextUnicode
00487D0C  |.  85C0       test eax, eax
00487D0E  |.  74 5A       je    short 00487D6A
00487D10  |.  68 02525400 push 00545202                ; /Arg3 = 00545202
00487D15  |.  8B45 14    mov    eax, dword ptr [ebp+0x14]  ; |

在寄存器窗口可以看到所有字符串，而且中文字符串也显示正常：

EAX 0012C184
ECX 0012C06C UNICODE "正在下载第"

但就是不能正确显示在字符串的窗口，可能是中文的处理出问题了。

下面是找字符串的代码：
004A2F60  |> /8B4D F8    /mov    ecx, dword ptr [ebp-0x8]
004A2F63  |. |51          |push ecx                      ; /Arg2
004A2F64  |. |68 285E5D00 |push 005D5E28                ; |p
004A2F69  |. |E8 4A59F7FF |call _Getsortedbyindex       ; \_Getsortedbyindex
004A2F6E  |. |83C4 08    |add    esp, 0x8
004A2F71  |. |8945 CC    |mov    dword ptr [ebp-0x34], eax
004A2F74  |. |837D CC 00 |cmp    dword ptr [ebp-0x34], 0x0
004A2F78  |. |0F84 4D050000 |je    004A34CB
004A2F7E  |. |8B45 CC    |mov    eax, dword ptr [ebp-0x34]
004A2F81  |. |F640 0B 08 |test byte ptr [eax+0xB], 0x8
004A2F85  |. |0F85 40050000 |jnz    004A34CB
004A2F8B  |. |8B55 08    |mov    edx, dword ptr [ebp+0x8]
004A2F8E  |. |8B45 CC    |mov    eax, dword ptr [ebp-0x34]
004A2F91  |. |8B00       |mov    eax, dword ptr [eax]
004A2F93  |. |8B12       |mov    edx, dword ptr [edx]
004A2F95  |. |3BD0       |cmp    edx, eax
004A2F97  |. |0F87 2E050000 |ja    004A34CB
004A2F9D  |. |8B4D 08    |mov    ecx, dword ptr [ebp+0x8]
004A2FA0  |. |0351 04    |add    edx, dword ptr [ecx+0x4]
004A2FA3  |. |3BC2       |cmp    eax, edx
004A2FA5  |. |0F83 20050000 |jnb    004A34CB
004A2FAB  |. |8B55 CC    |mov    edx, dword ptr [ebp-0x34]
004A2FAE  |. |F742 08 00500>|test dword ptr [edx+0x8], 0x200>
004A2FB5  |. |0F84 10050000 |je    004A34CB
004A2FBB  |. |8B55 CC    |mov    edx, dword ptr [ebp-0x34]
004A2FBE  |. |8B52 04    |mov    edx, dword ptr [edx+0x4]
004A2FC1  |. |0155 D4    |add    dword ptr [ebp-0x2C], edx
004A2FC4  |. |8BF0       |mov    esi, eax
004A2FC6  |. |8955 E4    |mov    dword ptr [ebp-0x1C], edx
004A2FC9  |. |6A 00       |push 0x0                      ; /Arg2 = 00000000
004A2FCB  |. |8B45 E4    |mov    eax, dword ptr [ebp-0x1C]  ; |
004A2FCE  |. |50          |push eax                      ; |Arg1
004A2FCF  |. |E8 9C0CF6FF |call _Memalloc                ; \_Memalloc
004A2FD4  |. |83C4 08    |add    esp, 0x8
004A2FD7  |. |8945 D0    |mov    dword ptr [ebp-0x30], eax
004A2FDA  |. |837D D0 00 |cmp    dword ptr [ebp-0x30], 0x0
004A2FDE  |. |0F84 E7040000 |je    004A34CB
004A2FE4  |. |E8 DBC3FAFF |call _Suspendallthreads
004A2FE9  |. |6A 00       |push 0x0                      ; /Arg4 = 00000000
004A2FEB  |. |8B55 E4    |mov    edx, dword ptr [ebp-0x1C]  ; |
004A2FEE  |. |52          |push edx                      ; |Arg3
004A2FEF  |. |56          |push esi                      ; |Arg2
004A2FF0  |. |8B4D D0    |mov    ecx, dword ptr [ebp-0x30]  ; |
004A2FF3  |. |51          |push ecx                      ; |Arg1
004A2FF4  |. |E8 9B56FBFF |call _Readmemory             ; \_Readmemory
004A2FF9  |. |83C4 10    |add    esp, 0x10
004A2FFC  |. |8BD8       |mov    ebx, eax
004A2FFE  |. |E8 41C4FAFF |call _Resumeallthreads
004A3003  |. |3B5D E4    |cmp    ebx, dword ptr [ebp-0x1C]
004A3006  |. |74 0F       |je    short 004A3017
004A3008  |. |8B45 D0    |mov    eax, dword ptr [ebp-0x30]
004A300B  |. |50          |push eax                      ; /Arg1
004A300C  |. |E8 6B0DF6FF |call _Memfree                ; \_Memfree
004A3011  |. |59          |pop    ecx
004A3012  |. |E9 B4040000 |jmp    004A34CB
004A3017  |> |8B55 CC    |mov    edx, dword ptr [ebp-0x34]
004A301A  |. |8B7A 64    |mov    edi, dword ptr [edx+0x64]
004A301D  |. |8975 E0    |mov    dword ptr [ebp-0x20], esi
004A3020  |. |8BDE       |mov    ebx, esi
004A3022  |. |8B45 CC    |mov    eax, dword ptr [ebp-0x34]
004A3025  |. |8B40 04    |mov    eax, dword ptr [eax+0x4]
004A3028  |. |B9 F4010000 |mov    ecx, 0x1F4
004A302D  |. |33D2       |xor    edx, edx
004A302F  |. |F7F1       |div    ecx
004A3031  |. |8945 BC    |mov    dword ptr [ebp-0x44], eax
004A3034  |. |C745 B8 00200>|mov    dword ptr [ebp-0x48], 0x20>
004A303B  |. |8B45 B8    |mov    eax, dword ptr [ebp-0x48]
004A303E  |. |3B45 BC    |cmp    eax, dword ptr [ebp-0x44]
004A3041  |. |76 05       |jbe    short 004A3048
004A3043  |. |8D55 B8    |lea    edx, dword ptr [ebp-0x48]
004A3046  |. |EB 03       |jmp    short 004A304B
004A3048  |> |8D55 BC    |lea    edx, dword ptr [ebp-0x44]
004A304B  |> |8B02       |mov    eax, dword ptr [edx]
004A304D  |. |8945 DC    |mov    dword ptr [ebp-0x24], eax
004A3050  |. |E9 5F040000 |jmp    004A34B4
004A3055  |> |3B5D E0    |/cmp    ebx, dword ptr [ebp-0x20]
004A3058  |. |0F82 88000000 ||jb    004A30E6
004A305E  |. |68 DCF45400 ||push 0054F4DC                ; /Searching -
004A3063  |. |E8 5CB70300 ||call _T                      ; \_T
004A3068  |. |59          ||pop    ecx
004A3069  |. |50          ||push eax                      ; /Arg2
004A306A  |. |8B4D D8    ||mov    ecx, dword ptr [ebp-0x28] ; |
004A306D  |. |51          ||push ecx                      ; |/Divisor
004A306E  |. |68 E8030000 ||push 0x3E8                   ; ||Multiplier = 3E8 (1000.)
004A3073  |. |8B45 D4    ||mov    eax, dword ptr [ebp-0x2C] ; ||
004A3076  |. |03C3       ||add    eax, ebx                ; ||
004A3078  |. |2BC6       ||sub    eax, esi                ; ||
004A307A  |. |2B45 E4    ||sub    eax, dword ptr [ebp-0x1C] ; ||
004A307D  |. |50          ||push eax                      ; ||Multiplicand
004A307E  |. |E8 4D260500 ||call <jmp.&KERNEL32.MulDiv> ; |\MulDiv
004A3083  |. |50          ||push eax                      ; |Arg1
004A3084  |. |E8 336DF6FF ||call _Progress                ; \_Progress
004A3089  |. |8B55 DC    ||mov    edx, dword ptr [ebp-0x24]
004A308C  |. |83C4 08    ||add    esp, 0x8
004A308F  |. |03D3       ||add    edx, ebx
004A3091  |. |8B0D 38FE5700 ||mov    ecx, dword ptr [hwollymai>
004A3097  |. |8955 E0    ||mov    dword ptr [ebp-0x20], edx
004A309A  |. |6A 01       ||push 0x1                      ; /RemoveMsg = PM_REMOVE
004A309C  |. |68 00010000 ||push 0x100                   ; |MsgFilterMax = WM_KEYDOWN
004A30A1  |. |68 00010000 ||push 0x100                   ; |MsgFilterMin = WM_KEYDOWN
004A30A6  |. |51          ||push ecx                      ; |hWnd => 002805DE ('ollydbg_Fix_02 - 图库下载.exe',class='ollydbg_Fix_02')
004A30A7  |. |8D85 88DAFFFF ||lea    eax, dword ptr [ebp-0x257>; |
004A30AD  |. |50          ||push eax                      ; |pMsg
004A30AE  |. |E8 832A0500 ||call <jmp.&USER32.PeekMessageW>; \PeekMessageW
004A30B3  |. |85C0       ||test eax, eax
004A30B5  |. |74 2F       ||je    short 004A30E6
004A30B7  |. |8B85 90DAFFFF ||mov    eax, dword ptr [ebp-0x257>
004A30BD  |. |83F8 20    ||cmp    eax, 0x20
004A30C0  |. |74 05       ||je    short 004A30C7
004A30C2  |. |83F8 1B    ||cmp    eax, 0x1B
004A30C5  |. |75 1F       ||jnz    short 004A30E6
004A30C7  |> |68 F6F45400 ||push 0054F4F6                ; /Search interrupted
004A30CC  |. |E8 F3B60300 ||call _T                      ; \_T
004A30D1  |. |59          ||pop    ecx
004A30D2  |. |50          ||push eax                      ; /Arg1
004A30D3  |. |E8 706CF6FF ||call _Flash                   ; \_Flash
004A30D8  |. |59          ||pop    ecx
004A30D9  |. |C745 F0 01000>||mov    dword ptr [ebp-0x10], 0x1
004A30E0  |. |E9 DC030000 ||jmp    004A34C1
004A30E5  |> |43          ||/inc    ebx
004A30E6  |> |85FF       || test edi, edi
004A30E8  |. |0F84 E6000000 |||je    004A31D4
004A30EE  |. |8B55 E4    |||mov    edx, dword ptr [ebp-0x1C>
004A30F1  |. |03D6       |||add    edx, esi
004A30F3  |. |3BDA       |||cmp    ebx, edx
004A30F5  |. |0F83 D9000000 |||jnb    004A31D4
004A30FB  |. |8BCB       |||mov    ecx, ebx
004A30FD  |. |2BCE       |||sub    ecx, esi
004A30FF  |. |F6040F 1F    |||test byte ptr [edi+ecx], 0x1F
004A3103  |. |0F84 CB000000 |||je    004A31D4
004A3109  |. |8BC3       |||mov    eax, ebx
004A310B  |. |2BC6       |||sub    eax, esi
004A310D  |. |33D2       |||xor    edx, edx
004A310F  |. |8A1407       |||mov    dl, byte ptr [edi+eax]
004A3112  |. |83E2 1F    |||and    edx, 0x1F
004A3115  |. |83FA 04    |||cmp    edx, 0x4
004A3118  |. |0F84 B6000000 |||je    004A31D4
004A311E  |. |8BCB       |||mov    ecx, ebx
004A3120  |. |2BCE       |||sub    ecx, esi
004A3122  |. |33C0       |||xor    eax, eax
004A3124  |. |8A040F       |||mov    al, byte ptr [edi+ecx]
004A3127  |. |83E0 1F    |||and    eax, 0x1F
004A312A  |. |83F8 07    |||cmp    eax, 0x7
004A312D  |. |0F84 A1000000 |||je    004A31D4
004A3133  |. |8BD3       |||mov    edx, ebx
004A3135  |. |2BD6       |||sub    edx, esi
004A3137  |. |33C9       |||xor    ecx, ecx
004A3139  |. |8A0C17       |||mov    cl, byte ptr [edi+edx]
004A313C  |. |83E1 1F    |||and    ecx, 0x1F
004A313F  |. |83F9 08    |||cmp    ecx, 0x8
004A3142  |. |0F84 8C000000 |||je    004A31D4
004A3148  |. |8BC3       |||mov    eax, ebx
004A314A  |. |2BC6       |||sub    eax, esi
004A314C  |. |33D2       |||xor    edx, edx
004A314E  |. |8A1407       |||mov    dl, byte ptr [edi+eax]
004A3151  |. |83E2 1F    |||and    edx, 0x1F
004A3154  |. |83FA 09    |||cmp    edx, 0x9
004A3157  |. |74 7B       |||je    short 004A31D4
004A3159  |. |8BCB       |||mov    ecx, ebx
004A315B  |. |2BCE       |||sub    ecx, esi
004A315D  |. |33C0       |||xor    eax, eax
004A315F  |. |8A040F       |||mov    al, byte ptr [edi+ecx]
004A3162  |. |83E0 1F    |||and    eax, 0x1F
004A3165  |. |83F8 0B    |||cmp    eax, 0xB
004A3168  |. |74 6A       |||je    short 004A31D4
004A316A  |. |8BD3       |||mov    edx, ebx
004A316C  |. |2BD6       |||sub    edx, esi
004A316E  |. |33C9       |||xor    ecx, ecx
004A3170  |. |8A0C17       |||mov    cl, byte ptr [edi+edx]
004A3173  |. |83E1 1F    |||and    ecx, 0x1F
004A3176  |. |83F9 18    |||cmp    ecx, 0x18
004A3179  |. |74 59       |||je    short 004A31D4
004A317B  |. |8BC3       |||mov    eax, ebx
004A317D  |. |2BC6       |||sub    eax, esi
004A317F  |. |33D2       |||xor    edx, edx
004A3181  |. |8A1407       |||mov    dl, byte ptr [edi+eax]
004A3184  |. |83E2 1F    |||and    edx, 0x1F
004A3187  |. |83FA 19    |||cmp    edx, 0x19
004A318A  |. |74 48       |||je    short 004A31D4
004A318C  |. |8BCB       |||mov    ecx, ebx
004A318E  |. |2BCE       |||sub    ecx, esi
004A3190  |. |33C0       |||xor    eax, eax
004A3192  |. |8A040F       |||mov    al, byte ptr [edi+ecx]
004A3195  |. |83E0 1F    |||and    eax, 0x1F
004A3198  |. |83F8 1A    |||cmp    eax, 0x1A
004A319B  |. |74 37       |||je    short 004A31D4
004A319D  |. |8BD3       |||mov    edx, ebx
004A319F  |. |2BD6       |||sub    edx, esi
004A31A1  |. |33C9       |||xor    ecx, ecx
004A31A3  |. |8A0C17       |||mov    cl, byte ptr [edi+edx]
004A31A6  |. |83E1 1F    |||and    ecx, 0x1F
004A31A9  |. |83F9 1C    |||cmp    ecx, 0x1C
004A31AC  |. |74 26       |||je    short 004A31D4
004A31AE  |. |8BC3       |||mov    eax, ebx
004A31B0  |. |2BC6       |||sub    eax, esi
004A31B2  |. |33D2       |||xor    edx, edx
004A31B4  |. |8A1407       |||mov    dl, byte ptr [edi+eax]
004A31B7  |. |83E2 1F    |||and    edx, 0x1F
004A31BA  |. |83FA 1D    |||cmp    edx, 0x1D
004A31BD  |. |74 15       |||je    short 004A31D4
004A31BF  |. |8BCB       |||mov    ecx, ebx
004A31C1  |. |2BCE       |||sub    ecx, esi
004A31C3  |. |33C0       |||xor    eax, eax
004A31C5  |. |8A040F       |||mov    al, byte ptr [edi+ecx]
004A31C8  |. |83E0 1F    |||and    eax, 0x1F
004A31CB  |. |83F8 1E    |||cmp    eax, 0x1E
004A31CE  |.^|0F85 11FFFFFF ||\jnz    004A30E5
004A31D4  |> |8B55 E4    ||mov    edx, dword ptr [ebp-0x1C]
004A31D7  |. |03D6       ||add    edx, esi
004A31D9  |. |3BDA       ||cmp    ebx, edx
004A31DB  |. |0F83 E0020000 ||jnb    004A34C1
004A31E1  |. |895D E8    ||mov    dword ptr [ebp-0x18], ebx
004A31E4  |. |85FF       ||test edi, edi
004A31E6  |. |74 22       ||je    short 004A320A
004A31E8  |. |8BCB       ||mov    ecx, ebx
004A31EA  |. |2BCE       ||sub    ecx, esi
004A31EC  |. |33C0       ||xor    eax, eax
004A31EE  |. |8A040F       ||mov    al, byte ptr [edi+ecx]
004A31F1  |. |83E0 1F    ||and    eax, 0x1F
004A31F4  |. |83F8 09    ||cmp    eax, 0x9
004A31F7  |. |75 11       ||jnz    short 004A320A
004A31F9  |. |B8 00000201 ||mov    eax, 0x1020000
004A31FE  |. |8B55 E8    ||mov    edx, dword ptr [ebp-0x18]
004A3201  |. |8955 EC    ||mov    dword ptr [ebp-0x14], edx
004A3204  |. |43          ||inc    ebx
004A3205  |. |E9 4A020000 ||jmp    004A3454
004A320A  |> |85FF       ||test edi, edi
004A320C  |. |74 22       ||je    short 004A3230
004A320E  |. |8BCB       ||mov    ecx, ebx
004A3210  |. |2BCE       ||sub    ecx, esi
004A3212  |. |33C0       ||xor    eax, eax
004A3214  |. |8A040F       ||mov    al, byte ptr [edi+ecx]
004A3217  |. |83E0 1F    ||and    eax, 0x1F
004A321A  |. |83F8 0B    ||cmp    eax, 0xB
004A321D  |. |75 11       ||jnz    short 004A3230
004A321F  |. |B8 00000201 ||mov    eax, 0x1020000
004A3224  |. |8B55 E8    ||mov    edx, dword ptr [ebp-0x18]
004A3227  |. |8955 EC    ||mov    dword ptr [ebp-0x14], edx
004A322A  |. |43          ||inc    ebx
004A322B  |. |E9 24020000 ||jmp    004A3454
004A3230  |> |85FF       ||test edi, edi
004A3232  |. |0F84 93000000 ||je    004A32CB
004A3238  |. |8BCB       ||mov    ecx, ebx
004A323A  |. |2BCE       ||sub    ecx, esi
004A323C  |. |33C0       ||xor    eax, eax
004A323E  |. |8A040F       ||mov    al, byte ptr [edi+ecx]
004A3241  |. |83E0 1F    ||and    eax, 0x1F
004A3244  |. |83F8 18    ||cmp    eax, 0x18
004A3247  |. |74 12       ||je    short 004A325B
004A3249  |. |8BD3       ||mov    edx, ebx
004A324B  |. |2BD6       ||sub    edx, esi
004A324D  |. |83F8 19    ||cmp    eax, 0x19
004A3250  |. |74 09       ||je    short 004A325B
004A3252  |. |8BCB       ||mov    ecx, ebx
004A3254  |. |2BCE       ||sub    ecx, esi
004A3256  |. |83F8 1A    ||cmp    eax, 0x1A
004A3259  |. |75 70       ||jnz    short 004A32CB
004A325B  |> |8B45 08    ||mov    eax, dword ptr [ebp+0x8]
004A325E  |. |8D95 A4DAFFFF ||lea    edx, dword ptr [ebp-0x255>
004A3264  |. |50          ||push eax
004A3265  |. |6A 00       ||push 0x0
004A3267  |. |52          ||push edx
004A3268  |. |53          ||push ebx
004A3269  |. |8BCB       ||mov    ecx, ebx
004A326B  |. |8B45 E4    ||mov    eax, dword ptr [ebp-0x1C]
004A326E  |. |2BCE       ||sub    ecx, esi
004A3270  |. |2BC1       ||sub    eax, ecx
004A3272  |. |50          ||push eax
004A3273  |. |8B55 D0    ||mov    edx, dword ptr [ebp-0x30]
004A3276  |. |03D3       ||add    edx, ebx
004A3278  |. |2BD6       ||sub    edx, esi
004A327A  |. |52          ||push edx
004A327B  |. |E8 60E70200 ||call _Ndisasm
004A3280  |. |83C4 18    ||add    esp, 0x18
004A3283  |. |43          ||inc    ebx
004A3284  |. |83BD C8DAFFFF>||cmp    dword ptr [ebp-0x2538], 0>
004A328B  |. |0F85 23020000 ||jnz    004A34B4
004A3291  |. |8B8D CCDAFFFF ||mov    ecx, dword ptr [ebp-0x253>
004A3297  |. |81E1 FF000000 ||and    ecx, 0xFF
004A329D  |. |83F9 07    ||cmp    ecx, 0x7
004A32A0  |. |0F85 0E020000 ||jnz    004A34B4
004A32A6  |. |8B85 C0DAFFFF ||mov    eax, dword ptr [ebp-0x254>
004A32AC  |. |25 000000FF ||and    eax, 0xFF000000
004A32B1  |. |3D 00000070 ||cmp    eax, 0x70000000
004A32B6  |. |0F85 F8010000 ||jnz    004A34B4
004A32BC  |. |33D2       ||xor    edx, edx
004A32BE  |. |B8 00000200 ||mov    eax, 0x20000
004A32C3  |. |8955 EC    ||mov    dword ptr [ebp-0x14], edx
004A32C6  |. |E9 89010000 ||jmp    004A3454
004A32CB  |> |6A 00       ||push 0x0
004A32CD  |. |6A 00       ||push 0x0
004A32CF  |. |6A 00       ||push 0x0
004A32D1  |. |8D95 D0E2FFFF ||lea    edx, dword ptr [ebp-0x1D3>
004A32D7  |. |52          ||push edx
004A32D8  |. |85FF       ||test edi, edi
004A32DA  |. |75 04       ||jnz    short 004A32E0
004A32DC  |. |33C9       ||xor    ecx, ecx
004A32DE  |. |EB 06       ||jmp    short 004A32E6
004A32E0  |> |8BCB       ||mov    ecx, ebx
004A32E2  |. |03CF       ||add    ecx, edi
004A32E4  |. |2BCE       ||sub    ecx, esi
004A32E6  |> |51          ||push ecx                      ; |Arg4
004A32E7  |. |53          ||push ebx                      ; |Arg3
004A32E8  |. |8BC3       ||mov    eax, ebx                ; |
004A32EA  |. |2BC6       ||sub    eax, esi                ; |
004A32EC  |. |8B55 E4    ||mov    edx, dword ptr [ebp-0x1C] ; |
004A32EF  |. |2BD0       ||sub    edx, eax                ; |
004A32F1  |. |52          ||push edx                      ; |Arg2
004A32F2  |. |8B45 D0    ||mov    eax, dword ptr [ebp-0x30] ; |
004A32F5  |. |03C3       ||add    eax, ebx                ; |
004A32F7  |. |2BC6       ||sub    eax, esi                ; |
004A32F9  |. |50          ||push eax                      ; |Arg1
004A32FA  |. |E8 75E2F9FF ||call _Disasm                ; \_Disasm
004A32FF  |. |83C4 20    ||add    esp, 0x20
004A3302  |. |43          ||inc    ebx
004A3303  |. |83BD FCE2FFFF>||cmp    dword ptr [ebp-0x1D04], 0>
004A330A  |. |0F85 A4010000 ||jnz    004A34B4
004A3310  |. |8B85 E4E2FFFF ||mov    eax, dword ptr [ebp-0x1D1>
004A3316  |. |83E0 1F    ||and    eax, 0x1F
004A3319  |. |83F8 06    ||cmp    eax, 0x6
004A331C  |. |0F84 92010000 ||je    004A34B4
004A3322  |. |83F8 07    ||cmp    eax, 0x7
004A3325  |. |0F84 89010000 ||je    004A34B4
004A332B  |. |83F8 08    ||cmp    eax, 0x8
004A332E  |. |0F84 80010000 ||je    004A34B4
004A3334  |. |83F8 09    ||cmp    eax, 0x9
004A3337  |. |0F84 77010000 ||je    004A34B4
004A333D  |. |83F8 0C    ||cmp    eax, 0xC
004A3340  |. |0F84 6E010000 ||je    004A34B4
004A3346  |. |83F8 0D    ||cmp    eax, 0xD
004A3349  |. |0F84 65010000 ||je    004A34B4
004A334F  |. |33D2       ||xor    edx, edx
004A3351  |. |8D8D 1CE3FFFF ||lea    ecx, dword ptr [ebp-0x1CE>
004A3357  |. |8955 FC    ||mov    dword ptr [ebp-0x4], edx
004A335A  |. |894D C8    ||mov    dword ptr [ebp-0x38], ecx
004A335D  |> |8B45 C8    ||/mov    eax, dword ptr [ebp-0x38>
004A3360  |. |F640 01 02 |||test byte ptr [eax+0x1], 0x2
004A3364  |. |74 54       |||je    short 004A33BA
004A3366  |. |8B55 C8    |||mov    edx, dword ptr [ebp-0x38>
004A3369  |. |8B42 04    |||mov    eax, dword ptr [edx+0x4]
004A336C  |. |25 00000F00 |||and    eax, 0xF0000
004A3371  |. |3D 00000300 |||cmp    eax, 0x30000
004A3376  |. |74 42       |||je    short 004A33BA
004A3378  |. |3D 00000700 |||cmp    eax, 0x70000
004A337D  |. |74 3B       |||je    short 004A33BA
004A337F  |. |8B55 C8    |||mov    edx, dword ptr [ebp-0x38>
004A3382  |. |8B4A 30    |||mov    ecx, dword ptr [edx+0x30>
004A3385  |. |894D EC    |||mov    dword ptr [ebp-0x14], ec>
004A3388  |. |817D EC 00000>|||cmp    dword ptr [ebp-0x14], 0x>
004A338F  |. |72 29       |||jb    short 004A33BA
004A3391  |. |817D EC 0000F>|||cmp    dword ptr [ebp-0x14], 0x>
004A3398  |. |73 20       |||jnb    short 004A33BA
004A339A  |. |68 00010000 |||push 0x100                   ; /Arg4 = 00000100
004A339F  |. |8D85 B8FDFFFF |||lea    eax, dword ptr [ebp-0x24>; |
004A33A5  |. |50          |||push eax                   ; |Arg3
004A33A6  |. |6A 01       |||push 0x1                   ; |Arg2 = 00000001
004A33A8  |. |8B55 EC    |||mov    edx, dword ptr [ebp-0x14>; |
004A33AB  |. |52          |||push edx                   ; |Arg1
004A33AC  |. |E8 CF40FEFF |||call _Isstring             ; \_Isstring
004A33B1  |. |83C4 10    |||add    esp, 0x10
004A33B4  |. |85C0       |||test eax, eax
004A33B6  |. |74 02       |||je    short 004A33BA
004A33B8  |. |EB 10       |||jmp    short 004A33CA
004A33BA  |> |FF45 FC    |||inc    dword ptr [ebp-0x4]
004A33BD  |. |8145 C8 60040>|||add    dword ptr [ebp-0x38], 0x>
004A33C4  |. |837D FC 04 |||cmp    dword ptr [ebp-0x4], 0x4
004A33C8  |.^|7C 93       ||\jl    short 004A335D
004A33CA  |> |837D FC 04 ||cmp    dword ptr [ebp-0x4], 0x4
004A33CE  |. |7C 7F       ||jl    short 004A344F
004A33D0  |. |833D D0E65B00>||cmp    dword ptr [0x5BE6D0], 0x0
004A33D7  |. |0F84 D7000000 ||je    004A34B4
004A33DD  |. |8B8D E4E2FFFF ||mov    ecx, dword ptr [ebp-0x1D1>
004A33E3  |. |83E1 1F    ||and    ecx, 0x1F
004A33E6  |. |83F9 0A    ||cmp    ecx, 0xA
004A33E9  |. |0F85 C5000000 ||jnz    004A34B4
004A33EF  |. |8B45 E8    ||mov    eax, dword ptr [ebp-0x18]
004A33F2  |. |50          ||push eax                      ; /Arg2
004A33F3  |. |8B55 08    ||mov    edx, dword ptr [ebp+0x8]  ; |
004A33F6  |. |81C2 50090000 ||add    edx, 0x950             ; |
004A33FC  |. |52          ||push edx                      ; |Arg1
004A33FD  |. |E8 A67AF9FF ||call _Findsimpledata          ; \_Findsimpledata
004A3402  |. |83C4 08    ||add    esp, 0x8
004A3405  |. |8945 C4    ||mov    dword ptr [ebp-0x3C], eax
004A3408  |. |837D C4 00 ||cmp    dword ptr [ebp-0x3C], 0x0
004A340C  |. |0F84 A2000000 ||je    004A34B4
004A3412  |. |8B4D C4    ||mov    ecx, dword ptr [ebp-0x3C]
004A3415  |. |0FB741 04    ||movzx eax, word ptr [ecx+0x4]
004A3419  |. |83E0 3F    ||and    eax, 0x3F
004A341C  |. |83F8 20    ||cmp    eax, 0x20
004A341F  |. |0F85 8F000000 ||jnz    004A34B4
004A3425  |. |68 00010000 ||push 0x100                   ; /Arg4 = 00000100
004A342A  |. |8D95 B8FDFFFF ||lea    edx, dword ptr [ebp-0x248>; |
004A3430  |. |52          ||push edx                      ; |Arg3
004A3431  |. |6A 01       ||push 0x1                      ; |Arg2 = 00000001
004A3433  |. |8B4D C4    ||mov    ecx, dword ptr [ebp-0x3C] ; |
004A3436  |. |8B41 0E    ||mov    eax, dword ptr [ecx+0xE]  ; |
004A3439  |. |50          ||push eax                      ; |Arg1
004A343A  |. |E8 4140FEFF ||call _Isstring                ; \_Isstring
004A343F  |. |83C4 10    ||add    esp, 0x10
004A3442  |. |85C0       ||test eax, eax
004A3444  |. |74 6E       ||je    short 004A34B4
004A3446  |. |8B55 C4    ||mov    edx, dword ptr [ebp-0x3C]
004A3449  |. |8B4A 0E    ||mov    ecx, dword ptr [edx+0xE]
004A344C  |. |894D EC    ||mov    dword ptr [ebp-0x14], ecx
004A344F  |> |B8 00000200 ||mov    eax, 0x20000
004A3454  |> |8B55 E8    ||mov    edx, dword ptr [ebp-0x18]
004A3457  |. |8995 A0FBFFFF ||mov    dword ptr [ebp-0x460], ed>
004A345D  |. |C785 A4FBFFFF>||mov    dword ptr [ebp-0x45C], 0x>
004A3467  |. |8985 A8FBFFFF ||mov    dword ptr [ebp-0x458], ea>
004A346D  |. |8B8D A0FBFFFF ||mov    ecx, dword ptr [ebp-0x460>
004A3473  |. |3B4D 0C    ||cmp    ecx, dword ptr [ebp+0xC]
004A3476  |. |75 0F       ||jnz    short 004A3487
004A3478  |. |818D A8FBFFFF>||or    dword ptr [ebp-0x458], 0x>
004A3482  |. |33C0       ||xor    eax, eax
004A3484  |. |8945 0C    ||mov    dword ptr [ebp+0xC], eax
004A3487  |> |8B55 EC    ||mov    edx, dword ptr [ebp-0x14]
004A348A  |. |33C9       ||xor    ecx, ecx
004A348C  |. |8995 ACFBFFFF ||mov    dword ptr [ebp-0x454], ed>
004A3492  |. |898D B0FBFFFF ||mov    dword ptr [ebp-0x450], ec>
004A3498  |. |33C0       ||xor    eax, eax
004A349A  |. |8D95 A0FBFFFF ||lea    edx, dword ptr [ebp-0x460>
004A34A0  |. |8985 B4FBFFFF ||mov    dword ptr [ebp-0x44C], ea>
004A34A6  |. |52          ||push edx                      ; /Arg2
004A34A7  |. |68 D4A85F00 ||push 005FA8D4                ; |Arg1 = 005FA8D4
004A34AC  |. |E8 CF44F7FF ||call _Addsorteddata          ; \_Addsorteddata
004A34B1  |. |83C4 08    ||add    esp, 0x8
004A34B4  |> |8B4D E4    | mov    ecx, dword ptr [ebp-0x1C]
004A34B7  |. |03CE       ||add    ecx, esi
004A34B9  |. |3BD9       ||cmp    ebx, ecx
004A34BB  |.^|0F82 94FBFFFF |\jb    004A3055

看得有点晕

004A34C1  |> \8B45 D0    |mov    eax, dword ptr [ebp-0x30]
004A34C4  |.  50          |push eax
004A34C5  |.  E8 B208F6FF |call _Memfree
004A34CA  |.  59          |pop    ecx
004A34CB  |>  FF45 F8    |inc    dword ptr [ebp-0x8]
004A34CE  |>  8B55 F8       mov    edx, dword ptr [ebp-0x8]
004A34D1  |.  3B15 285E5D00 |cmp    edx, dword ptr [0x5D5E28]
004A34D7  |.  7D 0A       |jge    short 004A34E3
004A34D9  |.  837D F0 00 |cmp    dword ptr [ebp-0x10], 0x0
004A34DD  |.^ 0F84 7DFAFFFF \je    004A2F60
004A34E3  |>  833D D8E65B00>cmp    dword ptr [0x5BE6D8], 0x0

[0x5BE6D8]保存找到字符的条数!

我们看程序在哪里改写[0x5BE6D8]，对程序下内存写入断点即可，程序断在下面：

00417DC1  |.  E8 2EF70C00 call 004E74F4                   ; \程序断在下面
00417DC6  |.  FF03       inc    dword ptr [ebx]          ;  字符串条数+1

几个F8来到下面：

004A34AC  |.  E8 CF44F7FF ||call _Addsorteddata          ; \_Addsorteddata
004A34B1  |.  83C4 08    ||add    esp, 0x8                ;  f8返回到这里

这个代码在上面那段很长的代码里面。

我们往上看：

004A343A  |.  E8 4140FEFF ||call _Isstring                ; \_Isstring
004A343F  |.  83C4 10    ||add    esp, 0x10                ;  可以看出上面的call是判断是否为字符串
004A3442  |.  85C0       ||test eax, eax
004A3444  |.  74 6E       ||je    short 004A34B4
004A3446  |.  8B55 C4    ||mov    edx, dword ptr [ebp-0x3C]
004A3449  |.  8B4A 0E    ||mov    ecx, dword ptr [edx+0xE]
004A344C  |.  894D EC    ||mov    dword ptr [ebp-0x14], ecx
004A344F  |>  B8 00000200 ||mov    eax, 0x20000
004A3454  |>  8B55 E8    ||mov    edx, dword ptr [ebp-0x18]
004A3457  |.  8995 A0FBFFFF ||mov    dword ptr [ebp-0x460], ed>
004A345D  |.  C785 A4FBFFFF>||mov    dword ptr [ebp-0x45C], 0x>
004A3467  |.  8985 A8FBFFFF ||mov    dword ptr [ebp-0x458], ea>
004A346D  |.  8B8D A0FBFFFF ||mov    ecx, dword ptr [ebp-0x460>
004A3473  |.  3B4D 0C    ||cmp    ecx, dword ptr [ebp+0xC]
004A3476  |.  75 0F       ||jnz    short 004A3487
004A3478  |.  818D A8FBFFFF>||or    dword ptr [ebp-0x458], 0x>
004A3482  |.  33C0       ||xor    eax, eax
004A3484  |.  8945 0C    ||mov    dword ptr [ebp+0xC], eax
004A3487  |>  8B55 EC    ||mov    edx, dword ptr [ebp-0x14]
004A348A  |.  33C9       ||xor    ecx, ecx
004A348C  |.  8995 ACFBFFFF ||mov    dword ptr [ebp-0x454], ed>
004A3492  |.  898D B0FBFFFF ||mov    dword ptr [ebp-0x450], ec>
004A3498  |.  33C0       ||xor    eax, eax
004A349A  |.  8D95 A0FBFFFF ||lea    edx, dword ptr [ebp-0x460>
004A34A0  |.  8985 B4FBFFFF ||mov    dword ptr [ebp-0x44C], ea>
004A34A6  |.  52          ||push edx                      ; /Arg2
004A34A7  |.  68 D4A85F00 ||push 005FA8D4                ; |Arg1 = 005FA8D4
004A34AC  |.  E8 CF44F7FF ||call _Addsorteddata          ; \_Addsorteddata
004A34B1  |.  83C4 08    ||add    esp, 0x8                ;  f8带到这里
004A34B4  |>  8B4D E4    | mov    ecx, dword ptr [ebp-0x1C]
004A34B7  |.  03CE       ||add    ecx, esi
004A34B9  |.  3BD9       ||cmp    ebx, ecx
004A34BB  |.^ 0F82 94FBFFFF |\jb    004A3055

可以看到一些关键的判断。

跟了一下，好像在这段代码之前程序就已经确认那些可能是字符的东西，所以那些中文字符还是不能在这里看到。

[培训]《安卓高级研修班(网课)》月薪三万计划，掌握调试、分析还原ollvm、vmp的方法，定制art虚拟机自动化脱壳的方法

收藏・2

免费・0

支持

最新回复 (3)
学雄雪币： 371 活跃值： (72) 能力值： ( LV5，RANK：60 ) 在线值：发帖 19 回帖 426 粉丝 0 关注私信	学雄 1 2 楼不明觉厉,好长... 2013-10-23 15:29 0
LOCKLOSE 雪币： 13597 活跃值： (4393) 能力值： ( LV7，RANK：100 ) 在线值：发帖 32 回帖 1038 粉丝 20 关注私信	LOCKLOSE 2 3 楼就是SBCS和DBCS的问题. 2013-10-23 17:13 0
chixiaojie 雪币： 3202 活跃值： (1917) 能力值： ( LV2，RANK：10 ) 在线值：发帖 91 回帖 1357 粉丝 2 关注私信	chixiaojie 4 楼大牛出修正版本了没有？ 2013-10-23 17:56 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

menglv

发帖

770

回帖

RANK

关注

私信

他的文章

关于我们

联系我们

企业服务

看雪公众号

最新回复 (3)
学雄雪币： 371 活跃值： (72) 能力值： ( LV5，RANK：60 ) 在线值：发帖 19 回帖 426 粉丝 0 关注私信	学雄 1 2 楼不明觉厉,好长... 2013-10-23 15:29 0
LOCKLOSE 雪币： 13597 活跃值： (4393) 能力值： ( LV7，RANK：100 ) 在线值：发帖 32 回帖 1038 粉丝 20 关注私信	LOCKLOSE 2 3 楼就是SBCS和DBCS的问题. 2013-10-23 17:13 0
chixiaojie 雪币： 3202 活跃值： (1917) 能力值： ( LV2，RANK：10 ) 在线值：发帖 91 回帖 1357 粉丝 2 关注私信	chixiaojie 4 楼大牛出修正版本了没有？ 2013-10-23 17:56 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复