Can the notepad_2 I uploaded be fixed?
It doesn't work on my end.
I renamed it to abc.exe, and the debugger gets stuck here:
Eip==0100739D
GetLastError:::7C930331
未知壳
0100739D B8E05C0101 MOV EAX,1015CE0
010073A2 50 PUSH EAX
010073A3 64FF3500000000 PUSH DWORD PTR FS:[0]
010073AA 64892500000000 MOV DWORD PTR FS:[0],ESP
010073B1 33C0 XOR EAX,EAX
010073B3 8908 MOV DWORD PTR [EAX],ECX
发生异常!
FS:[0]==0006FFBC
异常处理程序地址:01015CE0
这个异常被成功捕获!
01015CE0 B8D74A01F1 MOV EAX,F1014AD7
01015CE5 8D882C120010 LEA ECX,DWORD PTR [EAX+01000122Ch]
01015CEB 894101 MOV DWORD PTR [ECX+01h],EAX
01015CEE 8B542404 MOV EDX,DWORD PTR [ESP+04h]
01015CF2 8B520C MOV EDX,DWORD PTR [EDX+0Ch]
01015CF5 C602E9 MOV BYTE PTR [EDX],E9
01015CF8 83C205 ADD EDX,5
01015CFB 2BCA SUB ECX,EDX
01015CFD 894AFC MOV DWORD PTR [EDX-04h],ECX
01015D00 33C0 XOR EAX,EAX
01015D02 C3 RET
异常处理代码结束!
010073B3 E94BE90000 JMP 01015D03
01015D03 B8D74A01F1 MOV EAX,F1014AD7
01015D08 648F0500000000 POP DWORD PTR FS:[0]
01015D0F 83C404 ADD ESP,4
01015D12 55 PUSH EBP
01015D13 53 PUSH EBX
01015D14 51 PUSH ECX
01015D15 57 PUSH EDI
01015D16 56 PUSH ESI
01015D17 52 PUSH EDX
01015D18 8D98E5110010 LEA EBX,DWORD PTR [EAX+0100011E5h]
01015D1E 8B5318 MOV EDX,DWORD PTR [EBX+018h]
01015D21 52 PUSH EDX
01015D22 8BE8 MOV EBP,EAX
01015D24 6A40 PUSH 40
01015D26 6800100000 PUSH 1000
01015D2B FF7304 PUSH DWORD PTR [EBX+04h]
01015D2E 6A00 PUSH 0
01015D30 8B4B10 MOV ECX,DWORD PTR [EBX+010h]
01015D33 03CA ADD ECX,EDX
01015D35 8B01 MOV EAX,DWORD PTR [ECX]
01015D37 FFD0 CALL EAX
01015D37 ***API: KERNEL32.DLL!VirtualAlloc
7C809A81 8BFF MOV EDI,EDI
7C809A83 55 PUSH EBP
7C809A84 8BEC MOV EBP,ESP
7C809A86 FF7514 PUSH DWORD PTR [EBP+014h]
7C809A89 FF7510 PUSH DWORD PTR [EBP+010h]
7C809A8C FF750C PUSH DWORD PTR [EBP+0Ch]
7C809A8F FF7508 PUSH DWORD PTR [EBP+08h]
7C809A92 6AFF PUSH FF
7C809A94 E809000000 CALL 7C809AA2
7C809A99 5D POP EBP
7C809A9A C21000 RET 10
01015D39 5A POP EDX
01015D3A 8BF8 MOV EDI,EAX
01015D3C 50 PUSH EAX
01015D3D 52 PUSH EDX
01015D3E 8B33 MOV ESI,DWORD PTR [EBX]
01015D40 8B4320 MOV EAX,DWORD PTR [EBX+020h]
01015D43 03C2 ADD EAX,EDX
01015D45 8B08 MOV ECX,DWORD PTR [EAX]
01015D47 894B20 MOV DWORD PTR [EBX+020h],ECX
01015D4A 8B431C MOV EAX,DWORD PTR [EBX+01Ch]
01015D4D 03C2 ADD EAX,EDX
01015D4F 8B08 MOV ECX,DWORD PTR [EAX]
01015D51 894B1C MOV DWORD PTR [EBX+01Ch],ECX
002C79F2 ***API: KERNEL32.DLL!LoadLibraryA
002C79F2 ***API: KERNEL32.DLL!GetProcAddress
002C79F2 ***API: KERNEL32.DLL!GetProcAddress
002C79F2 ***API: KERNEL32.DLL!GetProcAddress
002C79F2 ***API: KERNEL32.DLL!GetProcAddress
002C79F2 ***API: KERNEL32.DLL!GetProcAddress
002C79F2 ***API: KERNEL32.DLL!GetProcAddress
002C79F2 ***API: KERNEL32.DLL!LoadLibraryA
002C79F2 ***API: KERNEL32.DLL!GetProcAddress
002C79F2 ***API: KERNEL32.DLL!GetProcAddress
002C79F2 ***API: KERNEL32.DLL!LoadLibraryA
002C79F2 ***API: KERNEL32.DLL!GetProcAddress
002C79F2 ***API: KERNEL32.DLL!GetProcAddress
002C79F2 ***API: KERNEL32.DLL!GetProcAddress
00F500E9 ***API: KERNEL32.DLL!GetCurrentProcess
002C79EF ***API: KERNEL32.DLL!IsWow64Process
002C79F2 ***API: KERNEL32.DLL!LoadLibraryA
002C79F2 ***API: KERNEL32.DLL!LoadLibraryA
00F50EFB ***API: KERNEL32.DLL!IsDebuggerPresent
002C79F2 ***API: KERNEL32.DLL!VirtualAlloc
002C79EE ***API: KERNEL32.DLL!LoadLibraryA
002C79EF ***API: KERNEL32.DLL!GetProcAddress
002C79EF ***API: KERNEL32.DLL!GetProcAddress
00F50696 ***API: KERNEL32.DLL!VirtualAlloc
00F506D6 ***API: KERNEL32.DLL!VirtualFree
00F51620 ***API: KERNEL32.DLL!GetModuleHandleA
002C79F2 ***API: KERNEL32.DLL!LoadLibraryA
00F51620 ***API: KERNEL32.DLL!GetModuleHandleA
00F51620 ***API: KERNEL32.DLL!GetModuleHandleA
002C79F2 ***API: KERNEL32.DLL!LoadLibraryA
00F51620 ***API: KERNEL32.DLL!GetModuleHandleA
00F51620 ***API: KERNEL32.DLL!GetModuleHandleA
00F51620 ***API: KERNEL32.DLL!GetModuleHandleA
00F51620 ***API: KERNEL32.DLL!GetModuleHandleA
002C79F2 ***API: KERNEL32.DLL!VirtualAlloc
002C79F2 ***API: KERNEL32.DLL!GetModuleHandleA
002C79F2 ***API: KERNEL32.DLL!LoadLibraryA
002C79F2 ***API: KERNEL32.DLL!GetModuleHandleA
002C79F2 ***API: KERNEL32.DLL!LoadLibraryA
00F51620 ***API: KERNEL32.DLL!GetModuleHandleA
00F51620 ***API: KERNEL32.DLL!GetModuleHandleA
002C79F2 ***API: KERNEL32.DLL!VirtualProtect
002C79F2 ***API: KERNEL32.DLL!VirtualProtect
002C79F2 ***API: KERNEL32.DLL!VirtualProtect
002C79F2 ***API: KERNEL32.DLL!VirtualProtect
002C79F2 ***API: KERNEL32.DLL!VirtualProtect
002C79F2 ***API: KERNEL32.DLL!VirtualFree
可能到OEP了,如果不完全正确,请再单步走几下!
01015DA2 FFE0 JMP EAX
可能到OEP了,如果不完全正确,请再单步走几下!
0100739D 6A70 PUSH 70
002C79F1 ***API: MSVCRT.DLL!__set_app_type
0100740B FF1538130001 CALL DWORD PTR [+01001338h]
Make PE now
Start:7C920000 End:7C9B4000
GetLastError:::7C930331
Start:7C800000 End:7C91C000
Start:10000000 End:100A2000
Start:77BE0000 End:77C38000
Start:73D30000 End:73E2E000
Start:77EF0000 End:77F37000
Start:77D10000 End:77D9F000
Start:76300000 End:7631D000
Start:77DA0000 End:77E49000
Start:77E50000 End:77EE1000
Start:62C20000 End:62C29000
Start:73FA0000 End:7400B000
Start:61BE0000 End:61BED000
Start:77BD0000 End:77BD8000
Start:7D590000 End:7DD82000
Start:77F40000 End:77FB6000
Start:77180000 End:77282000
Start:770F0000 End:7717C000
Start:76990000 End:76ACD000
Start:71A20000 End:71A37000
Start:71A10000 End:71A18000
Start:76320000 End:76367000
Start:72F70000 End:72F96000
HODULE=010000E0
nSec=2
VirtualSize RVA PhysicalSize PhysicalOffset
p=010001D8
13000 1000 7000 400
p=01000200
2000 14000 1e00 7400
pStart=01001000
pEnd=01001344