// 33次异常后，往上找到 OEP 后 dump，修复 IAT 成功。
0063DC44 2> 55 push ebp
;-----------------------------------------------------------------------
; Function starting at 0063DC44 (OllyDbg listing, x86-32, Intel syntax).
; What the visible code shows: an SEH frame is installed with
; msvcrt._except_handler3 as handler, several msvcrt CRT globals are
; initialised, __getmainargs is called, the command line is walked past
; the program name, a 4-argument call is made to 2_.00612AD4 and its
; result is passed to msvcrt.exit.  The overall shape is that of a CRT
; startup routine (inferred from the imports used, not named in the dump).
; Three calls in this range go to 00FF0000 instead of an import-table
; slot (marked ★★★★ by the poster).  In each case the 5-byte E8 call is
; followed by one byte that OllyDbg merges into a bogus instruction
; before the real instruction stream resumes; a 6-byte
; `call dword ptr [imm32]` (FF15) would leave exactly that one byte over.
; Frame slots used below: [ebp-4] try-level and [ebp-14] exception
; pointers (both per the _except_handler3 frame layout), [ebp-18] saved
; esp, [ebp-5C] a 0x44-byte buffer whose fields at +0x2C and +0x30 are
; used like STARTUPINFO.dwFlags / wShowWindow (inferred from offsets),
; [ebp-60]/[ebp-70]/[ebp-64] the argc/argv/envp out-params of
; __getmainargs, [ebp-74] a cursor into the command line.
;-----------------------------------------------------------------------
0063DC45 8BEC mov ebp,esp
0063DC47 6A FF push -1                      ; initial try-level (-1 = no active __try)
0063DC49 68 807E6700 push 2_.00677E80       ; scope table for _except_handler3
0063DC4E 68 CCDD6300 push <jmp.&msvcrt._except_handler3>
0063DC53 64:A1 00000000 mov eax,dword ptr fs:[0]   ; current head of the SEH chain
0063DC59 50 push eax                        ; link: prev = old head
0063DC5A 64:8925 00000000 mov dword ptr fs:[0],esp  ; install this frame as the new head
0063DC61 83EC 68 sub esp,68                 ; 0x68 bytes of locals
0063DC64 53 push ebx
0063DC65 56 push esi
0063DC66 57 push edi                        ; preserve callee-saved regs
0063DC67 8965 E8 mov dword ptr ss:[ebp-18],esp   ; saved esp for the handler to restore
0063DC6A 33DB xor ebx,ebx                   ; ebx = 0 for the rest of the function
0063DC6C 895D FC mov dword ptr ss:[ebp-4],ebx    ; try-level = 0
0063DC6F 6A 02 push 2
0063DC71 E8 8A239B00 call 00FF0000 ★★★★被挪动的部分
; Redirected call #1 (poster's note: "the moved part").  The byte after
; the 5-byte call is 95, shown merged into a bogus `xchg eax,ebp`; the
; real stream resumes at 59 `pop ecx`.  `push 2` + one-arg call +
; `pop ecx` is the shape of the CRT's __set_app_type(2) call — inferred
; from the shape, not visible here.  Whether the stub returns past the
; 95 byte or executes it cannot be seen in this listing.
0063DC76 95 xchg eax,ebp                    ; leftover byte, see above
0063DC77 59 pop ecx                         ; discard the pushed argument
0063DC78 830D 5C446C00 FF or dword ptr ds:[6C445C],FFFFFFFF   ; global = -1
0063DC7F 830D 60446C00 FF or dword ptr ds:[6C4460],FFFFFFFF   ; global = -1
0063DC86 FF15 D8106700 call dword ptr ds:[<&msvcrt.__p__fmo>; msvcrt.__p__fmode
0063DC8C 8B0D 04406C00 mov ecx,dword ptr ds:[6C4004]
0063DC92 8908 mov dword ptr ds:[eax],ecx            ; *__p__fmode() = [6C4004]
0063DC94 FF15 DC106700 call dword ptr ds:[<&msvcrt.__p__com>; msvcrt.__p__commode
0063DC9A 8B0D 00406C00 mov ecx,dword ptr ds:[6C4000]
0063DCA0 8908 mov dword ptr ds:[eax],ecx            ; *__p__commode() = [6C4000]
0063DCA2 A1 E0106700 mov eax,dword ptr ds:[<&msvcrt._adju>    ; import name truncated in the dump (_adju…)
0063DCA7 8B00 mov eax,dword ptr ds:[eax]
0063DCA9 A3 58446C00 mov dword ptr ds:[6C4458],eax   ; [6C4458] = value of that imported variable
0063DCAE E8 58010000 call 2_.0063DE0B               ; local helper, body not in this listing
0063DCB3 391D 50B26B00 cmp dword ptr ds:[6BB250],ebx   ; ebx == 0 here
0063DCB9 75 0C jnz short 2_.0063DCC7
0063DCBB 68 08DE6300 push 2_.0063DE08
0063DCC0 FF15 E4106700 call dword ptr ds:[<&msvcrt.__setuse>; msvcrt.__setusermatherr
; only if [6BB250] == 0: __setusermatherr(0063DE08)
0063DCC6 59 pop ecx
0063DCC7 E8 24010000 call 2_.0063DDF0               ; local helper, body not in this listing
0063DCCC 68 9C566B00 push 2_.006B569C
0063DCD1 68 98566B00 push 2_.006B5698
0063DCD6 E8 0F010000 call <jmp.&msvcrt._initterm>   ; _initterm(006B5698, 006B569C): run an initialiser table
0063DCDB A1 FC3F6C00 mov eax,dword ptr ds:[6C3FFC]
0063DCE0 8945 94 mov dword ptr ss:[ebp-6C],eax        ; [ebp-6C] = [6C3FFC]
0063DCE3 8D45 94 lea eax,dword ptr ss:[ebp-6C]
0063DCE6 50 push eax                                 ; arg5: &[ebp-6C]
0063DCE7 FF35 F83F6C00 push dword ptr ds:[6C3FF8]    ; arg4: [6C3FF8]
0063DCED 8D45 9C lea eax,dword ptr ss:[ebp-64]
0063DCF0 50 push eax                                 ; arg3: &envp
0063DCF1 8D45 90 lea eax,dword ptr ss:[ebp-70]
0063DCF4 50 push eax                                 ; arg2: &argv
0063DCF5 8D45 A0 lea eax,dword ptr ss:[ebp-60]
0063DCF8 50 push eax                                 ; arg1: &argc
0063DCF9 FF15 EC106700 call dword ptr ds:[<&msvcrt.__getmai>; msvcrt.__getmainargs
; __getmainargs(&argc, &argv, &envp, dowildcard, startinfo); roles per its documented signature
0063DCFF 68 94566B00 push 2_.006B5694
0063DD04 68 00506B00 push 2_.006B5000
0063DD09 E8 DC000000 call <jmp.&msvcrt._initterm>   ; _initterm(006B5000, 006B5694)
0063DD0E 83C4 24 add esp,24                         ; pop 9 dwords: the 2 + 5 + 2 cdecl args pushed above
0063DD11 A1 F0106700 mov eax,dword ptr ds:[<&msvcrt._acmd>   ; import name truncated (_acmd…)
0063DD16 8B30 mov esi,dword ptr ds:[eax]             ; esi = command-line string
0063DD18 8975 8C mov dword ptr ss:[ebp-74],esi
; --- skip the program name: esi walks the string; cmp against bl (== 0) is the NUL test ---
0063DD1B 803E 22 cmp byte ptr ds:[esi],22            ; first char is '"'?
0063DD1E 75 3A jnz short 2_.0063DD5A                 ; no: unquoted name, handled at 0063DD5A
0063DD20 46 inc esi
0063DD21 8975 8C mov dword ptr ss:[ebp-74],esi
0063DD24 8A06 mov al,byte ptr ds:[esi]
0063DD26 3AC3 cmp al,bl                              ; NUL?
0063DD28 74 04 je short 2_.0063DD2E
0063DD2A 3C 22 cmp al,22                             ; closing '"'?
0063DD2C ^ 75 F2 jnz short 2_.0063DD20               ; loop until NUL or '"'
0063DD2E 803E 22 cmp byte ptr ds:[esi],22
0063DD31 75 04 jnz short 2_.0063DD37
0063DD33 46 inc esi                                  ; step past the closing quote
0063DD34 8975 8C mov dword ptr ss:[ebp-74],esi
0063DD37 8A06 mov al,byte ptr ds:[esi]
0063DD39 3AC3 cmp al,bl                              ; NUL?
0063DD3B 74 04 je short 2_.0063DD41
0063DD3D 3C 20 cmp al,20
0063DD3F ^ 76 F2 jbe short 2_.0063DD33               ; skip bytes <= 0x20 (whitespace), unsigned compare
0063DD41 895D D0 mov dword ptr ss:[ebp-30],ebx        ; zero the dword at +0x2C of the buffer at ebp-5C
0063DD44 8D45 A4 lea eax,dword ptr ss:[ebp-5C]
0063DD47 50 push eax                                 ; arg: &buffer (0x44 bytes, ebp-5C..ebp-19)
0063DD48 E8 B3229B00 call 00FF0000 ★★★★
; Redirected call #2.  The byte after the 5-byte call is 32.  The bytes
; that follow, F6 45 D0 01 74 11, decode on their own as
; `test byte ptr [ebp-30],1` / `je 0063DD65`, which is consistent with
; the movzx of the word at [ebp-2C] and the `push 0A / pop eax`
; fallback below.  OllyDbg instead merged 32 F6 / 45 / D0 01 into the
; three bogus lines shown next.
0063DD4D 32F6 xor dh,dh                              ; misdecoded, see above
0063DD4F 45 inc ebp                                  ; misdecoded
0063DD50 D001 rol byte ptr ds:[ecx],1                ; misdecoded
0063DD52 74 11 je short 2_.0063DD65                  ; bit 0 of the flag byte clear -> use the default
0063DD54 0FB745 D4 movzx eax,word ptr ss:[ebp-2C]    ; eax = word at +0x30 of the buffer
0063DD58 EB 0E jmp short 2_.0063DD68
0063DD5A 803E 20 cmp byte ptr ds:[esi],20            ; unquoted name: advance while byte > 0x20
0063DD5D ^ 76 D8 jbe short 2_.0063DD37
0063DD5F 46 inc esi
0063DD60 8975 8C mov dword ptr ss:[ebp-74],esi
0063DD63 ^ EB F5 jmp short 2_.0063DD5A
0063DD65 6A 0A push 0A
0063DD67 58 pop eax                                  ; eax = 10 (the value of SW_SHOWDEFAULT)
0063DD68 50 push eax                                 ; arg4: show-command value
0063DD69 56 push esi                                 ; arg3: command line after the program name
0063DD6A 53 push ebx                                 ; arg2: 0
0063DD6B 53 push ebx                                 ; 0: argument of the redirected call below
0063DD6C E8 8F229B00 call 00FF0000 ★★★★
; Redirected call #3.  Leftover byte 0C; the real stream resumes at
; 50 `push eax` (the call's result becomes arg1), which OllyDbg merged
; into `or al,50`.  A one-arg call taking 0 whose result is passed as
; the first of four args is the WinMain(hInstance, 0, lpCmdLine, nShow)
; shape, i.e. GetModuleHandleA(0) — inferred from the shape only.
0063DD71 0C 50 or al,50                              ; misdecoded: 0C is the leftover byte, 50 = push eax
0063DD73 E8 5C4DFDFF call 2_.00612AD4                ; 4-arg call; body not in this listing
0063DD78 8945 98 mov dword ptr ss:[ebp-68],eax        ; save its return value
0063DD7B 50 push eax
0063DD7C FF15 C0116700 call dword ptr ds:[<&msvcrt.exit>] ; msvcrt.exit
; exit(return value) — does not return
; --- SEH filter body (reached through the handler, not by fall-through) ---
0063DD82 8B45 EC mov eax,dword ptr ss:[ebp-14]        ; EXCEPTION_POINTERS* stored in the _except_handler3 frame
0063DD85 8B08 mov ecx,dword ptr ds:[eax]              ; ecx = ExceptionRecord
0063DD87 8B09 mov ecx,dword ptr ds:[ecx]              ; ecx = ExceptionCode (first field)
0063DD89 894D 88 mov dword ptr ss:[ebp-78],ecx
0063DD8C 50 push eax
0063DD8D 51 push ecx
0063DD8E E8 4B000000 call <jmp.&msvcrt._XcptFilter>  ; _XcptFilter(code, pointers)
0063DD93 59 pop ecx
0063DD94 59 pop ecx                                  ; drop the two args
0063DD95 C3 retn                                     ; filter result in eax
F7 步进，打开跟踪记录：
;-----------------------------------------------------------------------
; Single-step trace of the stub at 00FF0000 that the three redirected
; calls land on.  Only recorded instructions are shown; the poster
; elided two stretches ("....."), and three lines show a lone
; repne/rep prefix followed by a gap of 4-5 bytes, so the exact byte
; stream at those points is uncertain.
; Reading of what is visible: after `push edx / pushfd / sub esp,20`,
; edx is pointed at the new esp and the caller's registers are stored
; into that 0x20-byte area at [edx + 4*reg], with reg the register's
; encoding number (eax=0, ecx=1, ebx=3, ebp=5, esi=6, edi=7; the edx/esp
; slots at +8/+10 are not written in the visible trace).  Every register
; is stored BEFORE the arithmetic that follows it mangles it, and many
; loads are overwritten before they are read, so those lines are dead
; code that only obstructs reading.  At the end two constants are pushed
; and popped into edi and edx and control leaves via `call edx`
; (target 0DF9EE0).  Whether the saved registers are restored and what
; 0DF9EE0 does is outside this trace.
;-----------------------------------------------------------------------
00FF0000 jmp short 00FF0003                 ; 2-byte jmp: the byte at 00FF0002 is skipped, so a linear disassembly desyncs here
00FF0003 push edx
00FF0004 pushfd                             ; save edx and EFLAGS (both are written below)
00FF0005 mov edx,44849E                     ; dead: edx is overwritten at 00FF0013 and 00FF0017
00FF000A add edx,dword ptr ss:[esp+18]      ; dead
00FF000E sub esp,20                         ; 0x20-byte scratch area
00FF0011 add edx,ebp                        ; dead
00FF0013 lea edx,dword ptr ss:[ebp+esi+25]  ; dead: overwritten by the next lea
00FF0017 lea edx,dword ptr ss:[esp+29]
00FF001B sub edx,29                         ; net effect: edx = esp (base of the scratch area)
00FF001E prefix repne:                      ; lone prefix; 4-byte gap before 00FF0022
00FF0022 mov dword ptr ds:[edx+1C],edi      ; save edi (slot 7)
00FF0025 xor edi,dword ptr ss:[esp+8]       ; dead: edi overwritten next
00FF0029 mov edi,4352DA                     ; dead: edi reloaded at 00FF0068
00FF002E jmp short 00FF0032                 ; skips the 2 bytes at 00FF0030..00FF0031
00FF0032 push eax
00FF0033 pop dword ptr ds:[edx]             ; save eax (slot 0) via push/pop instead of a plain mov
00FF0037 sub eax,61                         ; eax mangled after the save
00FF003A prefix repne:                      ; lone prefix; 4-byte gap before 00FF003E
00FF003E mov eax,479566                     ; eax mangled
00FF0043 push ebp
00FF0044 pop dword ptr ds:[edx+14]          ; save ebp (slot 5)
00FF0047 adc ebp,ecx                        ; ebp mangled after the save
00FF0049 mov dword ptr ds:[edx+18],esi      ; save esi (slot 6)
00FF004C sub esi,9
00FF004F rol esi,5                          ; esi mangled after the save
00FF0052 push ebx
00FF0053 pop dword ptr ds:[edx+C]           ; save ebx (slot 3)
00FF0056 sub ebx,6C1986E4                   ; ebx mangled after the save
00FF005C mov dword ptr ds:[edx+4],ecx       ; save ecx (slot 1)
00FF005F mov ecx,477F16                     ; ecx mangled after the save
00FF0064 add ecx,dword ptr ss:[esp+38]
00FF0068 mov edi,47F7D2
...............
00FF00F1 mov edi,40EED2                     ; dead: overwritten by the pop at 00FF010B
00FF00F6 xor edi,dword ptr ss:[esp+28]      ; dead
00FF00FA push 0E3085C
00FF00FF jmp short 00FF0104                 ; skips the 3 bytes at 00FF0101..00FF0103
00FF0104 lea edi,dword ptr ds:[ebx+ecx+43429E]   ; dead: overwritten by the next pop
00FF010B pop edi                            ; edi = 0E3085C
00FF010C push edi                           ; ...and pushed back, so 0E3085C stays on the stack
00FF010D or edi,edi                         ; flags only; edi unchanged
00FF010F sbb edx,49                         ; dead: edx overwritten at 00FF0120 / 00FF0128
00FF0112 xor edx,dword ptr ss:[esp+28]      ; dead
00FF0116 prefix rep:                        ; lone prefix; 5-byte gap before 00FF011B
00FF011B push 0DF9EE0
00FF0120 mov edx,408FA6                     ; dead
00FF0125 sub edx,2F                         ; dead
00FF0128 pop edx                            ; edx = 0DF9EE0
00FF0129 call edx                           ; dispatch to 0DF9EE0; 0E3085C sits just below the return address
.....
.....
如何解决呢？有什么办法可以绕过 API 加密，还原成原代码？
帮忙看看，谢谢。