前几天我D盘被GHOST还原了 东西都不在了 想找回来 用了好几个软件找不回来 后来找到个数据恢复软件DataExplore,但是有功能限制,我试着想把限制解除,可是软件有 自校验 发现程序被改动一运行就退出.
我费了好大劲找到个关键 但这个关键点可能没找对 修改后进程序不自动退出了,可是一点 开始搜索文件 就程序出错.看来是我没找对地方,大家帮帮忙,看看应该怎么修改,先谢谢了!!!
程序下载地址:
下载地址一 下载地址二PEID查壳显示Microsoft Visual C++ 7.0 [Debug] [Overlay]
部分代码
0053709B > /51 push ecx
0053709C . |51 push ecx ; DataExpl.005CCDE8
0053709D . |53 push ebx
0053709E . |55 push ebp
0053709F . |56 push esi
005370A0 . |57 push edi
005370A1 . |8BF1 mov esi,ecx
005370A3 . |E8 48A70100 call DataExpl.005517F0
005370A8 . |33DB xor ebx,ebx
005370AA . |43 inc ebx
005370AB . |33ED xor ebp,ebp
005370AD . |894424 14 mov dword ptr ss:[esp+14],eax
005370B1 . |896C24 10 mov dword ptr ss:[esp+10],ebp
005370B5 > |3BDD cmp ebx,ebp
005370B7 . |74 2F je short DataExpl.005370E8
005370B9 . |8B7C24 14 mov edi,dword ptr ss:[esp+14]
005370BD . |83C7 30 add edi,30
005370C0 > |55 push ebp ; /RemoveMsg
005370C1 . |55 push ebp ; |MsgFilterMax
005370C2 . |55 push ebp ; |MsgFilterMin
005370C3 . |55 push ebp ; |hWnd
005370C4 . |57 push edi ; |pMsg
005370C5 . |FF15 18075800 call dword ptr ds:[<&USER32.Pe>; \PeekMessageA
005370CB . |85C0 test eax,eax
005370CD . |75 19 jnz short DataExpl.005370E8
005370CF . |FF7424 10 push dword ptr ss:[esp+10]
005370D3 . |8B06 mov eax,dword ptr ds:[esi]
005370D5 . |8BCE mov ecx,esi
005370D7 . |FF50 60 call dword ptr ds:[eax+60]
005370DA . |FF4424 10 inc dword ptr ss:[esp+10]
005370DE . |85C0 test eax,eax
005370E0 . |75 02 jnz short DataExpl.005370E4
005370E2 . |33DB xor ebx,ebx
005370E4 > |3BDD cmp ebx,ebp
005370E6 .^|75 D8 jnz short DataExpl.005370C0
005370E8 > |8B06 mov eax,dword ptr ds:[esi]
005370EA . |8BCE mov ecx,esi
005370EC . |FF50 5C call dword ptr ds:[eax+5C]
005370EF . |85C0 test eax,eax
005370F1 . |8B06 mov eax,dword ptr ds:[esi]
005370F3 . |8BCE mov ecx,esi
005370F5 . |74 27 je short DataExpl.0053711E///////把这里NOP,再运行程序就不退出了 但是用的时候会出错
005370F7 . |8B7C24 14 mov edi,dword ptr ss:[esp+14]
005370FB . |83C7 30 add edi,30
005370FE . |57 push edi
005370FF . |FF50 64 call dword ptr ds:[eax+64]
00537102 . |85C0 test eax,eax
00537104 . |74 07 je short DataExpl.0053710D
00537106 . |33DB xor ebx,ebx
00537108 . |43 inc ebx
00537109 . |896C24 10 mov dword ptr ss:[esp+10],ebp
0053710D > |55 push ebp ; /RemoveMsg
0053710E . |55 push ebp ; |MsgFilterMax
0053710F . |55 push ebp ; |MsgFilterMin
00537110 . |55 push ebp ; |hWnd
00537111 . |57 push edi ; |pMsg
00537112 . |FF15 18075800 call dword ptr ds:[<&USER32.Pe>; \PeekMessageA
00537118 . |85C0 test eax,eax
0053711A .^|75 CC jnz short DataExpl.005370E8
0053711C .^|EB 97 jmp short DataExpl.005370B5
0053711E > |5F pop edi ////原程序运行不到这
0053711F . |5E pop esi
00537120 . |5D pop ebp
00537121 . |5B pop ebx
00537122 . |83C4 08 add esp,8
00537125 . |FF60 68 jmp dword ptr ds:[eax+68]
00537128 . |E8 C3A60100 call DataExpl.005517F0
0053712D . |8B40 38 mov eax,dword ptr ds:[eax+38]
00537130 . |C3 retn
[培训]科锐软件逆向54期预科班、正式班开始火爆招生报名啦!!!
