我在原帖跟了回帖,有一些疑问没能解开,怕看的人少了没人回复我,所以新开这个主题,希望看到的人能帮我看看。
引用------------------------
下断:BP GetTickCount 中断后取消断点返回
00E88D57 FF15 AC22E900 call dword ptr ds:[E922AC] ; kernel32.GetTickCount
00E88D5D 8985 8CC3FFFF mov dword ptr ss:[ebp-3C74],eax
//返回这里
00E88D63 6A 01 push 1
00E88D65 58 pop eax
00E88D66 85C0 test eax,eax
00E88D68 0F84 A8030000 je 00E89116
下面还有一处GetTickCount取时间
00E89100 8908 mov dword ptr ds:[eax],ecx
//函数写入。在这里可以看见输入表函数开始地址005D7208,输入表处理结束后可以计算出大小=8B4
00E89102 8B85 FCC7FFFF mov eax,dword ptr ss:[ebp-3804]
00E89108 83C0 04 add eax,4
00E8910B 8985 FCC7FFFF mov dword ptr ss:[ebp-3804],eax
00E89111 E9 4DFCFFFF jmp 00E88D63
00E89116 FF15 AC22E900 call dword ptr ds:[E922AC] ; kernel32.GetTickCount
00E8911C 2B85 8CC3FFFF sub eax,dword ptr ss:[ebp-3C74]
00E89122 8B8D 90C3FFFF mov ecx,dword ptr ss:[ebp-3C70]
00E89128 6BC9 32 imul ecx,ecx,32
00E8912B 81C1 D0070000 add ecx,7D0
00E89131 3BC1 cmp eax,ecx
//时间校验
00E89133 76 07 jbe short 00E8913C
//修改为:JMP 00E8913C ★
00E89135 C685 20C8FFFF 0>mov byte ptr ss:[ebp-37E0],1
00E8913C 83BD D0C6FFFF 0>cmp dword ptr ss:[ebp-3930],0
00E89143 0F85 8A000000 jnz 00E891D3
00E891B8 83C4 0C add esp,0C
00E891BB 8B85 58C8FFFF mov eax,dword ptr ss:[ebp-37A8]
00E891C1 8985 A49EFFFF mov dword ptr ss:[ebp+FFFF9EA4],eax
00E891C7 FFB5 A49EFFFF push dword ptr ss:[ebp+FFFF9EA4]
00E891CD E8 64820000 call 00E91436 ; jmp to msvcrt.operator delete
00E891D2 59 pop ecx
00E891D3 E9 05F7FFFF jmp 00E888DD
00E891D8 8B85 DCC6FFFF mov eax,dword ptr ss:[ebp-3924]
//这里下断,中断后输入表处理完毕
---------------------------
我按照教程 unpack 一个程序时,情况如下:
00AE6FFD 8908 mov dword ptr ds:[eax],ecx
//函数写入。在这里可以看见输入表函数开始地址[eax];
00AE6FFF 8B85 04C8FFFF mov eax,dword ptr ss:[ebp-37FC]
00AE7005 83C0 04 add eax,4
00AE7008 8985 04C8FFFF mov dword ptr ss:[ebp-37FC],eax
00AE700E ^ E9 CEFCFFFF jmp 00AE6CE1
00AE7013 FF15 9C02AF00 call dword ptr ds:[AF029C] ; kernel32.GetTickCount
00AE7019 2B85 94C4FFFF sub eax,dword ptr ss:[ebp-3B6C]
00AE701F 8B8D 98C4FFFF mov ecx,dword ptr ss:[ebp-3B68]
00AE7025 6BC9 32 imul ecx,ecx,32
00AE7028 81C1 D0070000 add ecx,7D0
00AE702E 3BC1 cmp eax,ecx
00AE7030 EB 07 jbe short 00AE7039
//修改为JMP;
00AE7032 C685 28C8FFFF 0>mov byte ptr ss:[ebp-37D8],1
00AE7039 83BD D8C6FFFF 0>cmp dword ptr ss:[ebp-3928],0
00AE7040 0F85 8A000000 jnz 00AE70D0
00AE7046 0FB685 84C4FFFF movzx eax,byte ptr ss:[ebp-3B7C]
00AE704D 85C0 test eax,eax
00AE704F 74 7F je short 00AE70D0
00AE7051 6A 00 push 0
...
...
...
00AE708E 50 push eax
00AE708F E8 EC7D0000 call 00AEEE80 ; jmp to msvcrt.memcpy
00AE7094 83C4 0C add esp,0C
00AE7097 6A 01 push 1
00AE7099 8B85 88C4FFFF mov eax,dword ptr ss:[ebp-3B78]
00AE709F C1E0 02 shl eax,2
00AE70A2 50 push eax
00AE70A3 8B85 00C7FFFF mov eax,dword ptr ss:[ebp-3900]
00AE70A9 0385 80C4FFFF add eax,dword ptr ss:[ebp-3B80]
00AE70AF 50 push eax
00AE70B0 E8 341B0000 call 00AE8BE9
00AE70B5 83C4 0C add esp,0C
00AE70B8 8B85 60C8FFFF mov eax,dword ptr ss:[ebp-37A0]
00AE70BE 8985 C8AFFFFF mov dword ptr ss:[ebp+FFFFAFC8],eax
00AE70C4 FFB5 C8AFFFFF push dword ptr ss:[ebp+FFFFAFC8]
00AE70CA E8 AB7D0000 call 00AEEE7A ; jmp to msvcrt.operator delete
00AE70CF 59 pop ecx
00AE70D0 83BD D8C6FFFF 0>cmp dword ptr ss:[ebp-3928],0
00AE70D7 75 2A jnz short 00AE7103
00AE70D9 8D85 7CC4FFFF lea eax,dword ptr ss:[ebp-3B84]
00AE70DF 50 push eax
00AE70E0 FFB5 7CC4FFFF push dword ptr ss:[ebp-3B84]
00AE70E6 8B85 88C4FFFF mov eax,dword ptr ss:[ebp-3B78]
00AE70EC C1E0 02 shl eax,2
00AE70EF 50 push eax
00AE70F0 8B85 00C7FFFF mov eax,dword ptr ss:[ebp-3900]
00AE70F6 0385 80C4FFFF add eax,dword ptr ss:[ebp-3B80]
00AE70FC 50 push eax
00AE70FD FF15 4801AF00 call dword ptr ds:[AF0148] ; kernel32.VirtualProtect
00AE7103 ^ E9 E3F7FFFF jmp 00AE68EB
00AE7108 8B85 E4C6FFFF mov eax,dword ptr ss:[ebp-391C]
00AE710E 8985 C4AFFFFF mov dword ptr ss:[ebp+FFFFAFC4],eax
00AE7114 FFB5 C4AFFFFF push dword ptr ss:[ebp+FFFFAFC4]
00AE711A E8 5B7D0000 call 00AEEE7A ; jmp to msvcrt.operator delete
00AE711F 59 pop ecx
00AE7120 83BD D8C6FFFF 0>cmp dword ptr ss:[ebp-3928],0
00AE7127 0F84 59010000 je 00AE7286
00AE712D A1 2800B000 mov eax,dword ptr ds:[B00028]
00AE7132 8B40 58 mov eax,dword ptr ds:[eax+58]
00AE7135 8985 D4ADFFFF mov dword ptr ss:[ebp+FFFFADD4],eax
00AE713B 8B85 D4ADFFFF mov eax,dword ptr ss:[ebp+FFFFADD4]
00AE7141 8985 44C1FFFF mov dword ptr ss:[ebp-3EBC],eax
00AE7147 E8 8D360000 call 00AEA7D9
00AE714C F7D8 neg eax
00AE714E 1BC0 sbb eax,eax
00AE7150 25 00010000 and eax,100
00AE7155 05 00010000 add eax,100
00AE715A 8985 C0ADFFFF mov dword ptr ss:[ebp+FFFFADC0],eax
00AE7160 68 0D5EDF01 push 1DF5E0D
00AE7165 FFB5 44C1FFFF push dword ptr ss:[ebp-3EBC]
00AE716B 8D8D 44C1FFFF lea ecx,dword ptr ss:[ebp-3EBC]
00AE7171 E8 FB9EFDFF call 00AC1071
00AE7176 40 inc eax
请教前辈最后一次下断在哪里合适,另:如何查看函数输入表的结束位置,以便于计算 Size。还请赐教,希望能解说得详细一些。比如 Fly 说的最后看函数表是否结束,在数据窗口往下拉,能否直接把 Data 贴出来给我看看,这样比较形象。