[Help] Could someone take a look at how software of this kind should be traced? Thanks.

Posted on: 2015-1-31 01:25 3945
10001B30 > $ 55 PUSH EBP ; (initial CPU selection)
10001B31 . 8BEC MOV EBP,ESP
10001B33 . 6A FF PUSH -1
10001B35 . 68 A0500010 PUSH drug.100050A0
10001B3A . 68 28300010 PUSH drug.10003028 ; SE handler installation
10001B3F . 64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
10001B45 . 50 PUSH EAX
10001B46 . 64:8925 00000>MOV DWORD PTR FS:[0],ESP
10001B4D . 83C4 A8 ADD ESP,-58
10001B50 . 53 PUSH EBX
10001B51 . 56 PUSH ESI
10001B52 . 57 PUSH EDI
10001B53 . 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP
10001B56 . FF15 1C500010 CALL DWORD PTR DS:[<&KERNEL32.GetVersion>; kernel32.GetVersion
10001B5C . 33D2 XOR EDX,EDX
10001B5E . 8AD4 MOV DL,AH
10001B60 . 8915 24870010 MOV DWORD PTR DS:[10008724],EDX
10001B66 . 8BC8 MOV ECX,EAX
10001B68 . 81E1 FF000000 AND ECX,0FF
10001B6E . 890D 20870010 MOV DWORD PTR DS:[10008720],ECX
10001B74 . C1E1 08 SHL ECX,8
10001B77 . 03CA ADD ECX,EDX
10001B79 . 890D 1C870010 MOV DWORD PTR DS:[1000871C],ECX
10001B7F . C1E8 10 SHR EAX,10
10001B82 . A3 18870010 MOV DWORD PTR DS:[10008718],EAX
10001B87 . E8 64130000 CALL drug.10002EF0
10001B8C . 85C0 TEST EAX,EAX
10001B8E . 75 0A JNZ SHORT drug.10001B9A
10001B90 . 6A 1C PUSH 1C
10001B92 . E8 69010000 CALL drug.10001D00
10001B97 . 83C4 04 ADD ESP,4
10001B9A > C745 FC 00000>MOV DWORD PTR SS:[EBP-4],0
10001BA1 . E8 4A110000 CALL drug.10002CF0
10001BA6 . E8 65060000 CALL drug.10002210
10001BAB . FF15 08500010 CALL DWORD PTR DS:[<&KERNEL32.GetCommand>; [GetCommandLineA
10001BB1 . A3 B4890010 MOV DWORD PTR DS:[100089B4],EAX
10001BB6 . E8 D50F0000 CALL drug.10002B90
10001BBB . A3 BC840010 MOV DWORD PTR DS:[100084BC],EAX
10001BC0 . 85C0 TEST EAX,EAX
10001BC2 . 74 09 JE SHORT drug.10001BCD
10001BC4 . A1 B4890010 MOV EAX,DWORD PTR DS:[100089B4]
10001BC9 . 85C0 TEST EAX,EAX
10001BCB . 75 0A JNZ SHORT drug.10001BD7
10001BCD > 6A FF PUSH -1
10001BCF . E8 7C090000 CALL drug.10002550
10001BD4 . 83C4 04 ADD ESP,4
10001BD7 > E8 040D0000 CALL drug.100028E0
10001BDC . E8 0F0C0000 CALL drug.100027F0
10001BE1 . E8 3A090000 CALL drug.10002520
10001BE6 . 8B35 B4890010 MOV ESI,DWORD PTR DS:[100089B4]
10001BEC . 8975 9C MOV DWORD PTR SS:[EBP-64],ESI
10001BEF . 803E 22 CMP BYTE PTR DS:[ESI],22
10001BF2 . 0F85 BE000000 JNZ drug.10001CB6
10001BF8 > 46 INC ESI
10001BF9 . 8975 9C MOV DWORD PTR SS:[EBP-64],ESI
10001BFC . 8A06 MOV AL,BYTE PTR DS:[ESI]
10001BFE . 3C 22 CMP AL,22
10001C00 . 74 1C JE SHORT drug.10001C1E
10001C02 . 84C0 TEST AL,AL
10001C04 . 74 18 JE SHORT drug.10001C1E
10001C06 . 25 FF000000 AND EAX,0FF
10001C0B . 50 PUSH EAX
10001C0C . E8 9FFEFFFF CALL drug.10001AB0
10001C11 . 83C4 04 ADD ESP,4
10001C14 . 85C0 TEST EAX,EAX
10001C16 .^ 74 E0 JE SHORT drug.10001BF8
10001C18 . 46 INC ESI
10001C19 . 8975 9C MOV DWORD PTR SS:[EBP-64],ESI
10001C1C .^ EB DA JMP SHORT drug.10001BF8
10001C1E > 803E 22 CMP BYTE PTR DS:[ESI],22
10001C21 . 75 04 JNZ SHORT drug.10001C27
10001C23 . 46 INC ESI
10001C24 . 8975 9C MOV DWORD PTR SS:[EBP-64],ESI
10001C27 > 8A06 MOV AL,BYTE PTR DS:[ESI]
10001C29 . 84C0 TEST AL,AL
10001C2B . 74 0A JE SHORT drug.10001C37
10001C2D . 3C 20 CMP AL,20
10001C2F . 77 06 JA SHORT drug.10001C37
10001C31 . 46 INC ESI
10001C32 . 8975 9C MOV DWORD PTR SS:[EBP-64],ESI
10001C35 .^ EB F0 JMP SHORT drug.10001C27
10001C37 > C745 D0 00000>MOV DWORD PTR SS:[EBP-30],0
10001C3E . 8D45 A4 LEA EAX,DWORD PTR SS:[EBP-5C]
10001C41 . 50 PUSH EAX ; /pStartupinfo
10001C42 . FF15 18500010 CALL DWORD PTR DS:[<&KERNEL32.GetStartup>; \GetStartupInfoA
10001C48 . F645 D0 01 TEST BYTE PTR SS:[EBP-30],1
10001C4C . 74 0A JE SHORT drug.10001C58
10001C4E . 8B45 D4 MOV EAX,DWORD PTR SS:[EBP-2C]
10001C51 . 25 FFFF0000 AND EAX,0FFFF
10001C56 . EB 05 JMP SHORT drug.10001C5D
10001C58 > B8 0A000000 MOV EAX,0A
10001C5D > 50 PUSH EAX
10001C5E . 56 PUSH ESI
10001C5F . 6A 00 PUSH 0
10001C61 . 6A 00 PUSH 0 ; /pModule = NULL
10001C63 . FF15 14500010 CALL DWORD PTR DS:[<&KERNEL32.GetModuleH>; \GetModuleHandleA
10001C69 . 50 PUSH EAX
10001C6A . E8 91F3FFFF CALL drug.10001000
Stepped into here,
10001000 /$ 56 PUSH ESI
10001001 |. 57 PUSH EDI
10001002 |. FF15 08500010 CALL DWORD PTR DS:[<&KERNEL32.GetCommand>; [GetCommandLineA
10001008 |. 8BF0 MOV ESI,EAX
1000100A |. 8A06 MOV AL,BYTE PTR DS:[ESI]
1000100C |. 46 INC ESI
1000100D |. 3C 22 CMP AL,22
1000100F |. 75 3E JNZ SHORT drug.1000104F
10001011 |. E8 DA000000 CALL drug.100010F0
10001016 |. 85C0 TEST EAX,EAX
10001018 |. 6A 22 PUSH 22
1000101A |. 56 PUSH ESI
1000101B |. 74 07 JE SHORT drug.10001024
1000101D |. E8 7E070000 CALL drug.100017A0
10001022 |. EB 05 JMP SHORT drug.10001029
10001024 |> E8 B7060000 CALL drug.100016E0
10001029 |> 8BD0 MOV EDX,EAX
1000102B |. 83C4 08 ADD ESP,8
1000102E |. 85D2 TEST EDX,EDX
10001030 |. 74 44 JE SHORT drug.10001076
10001032 |. 8BFA MOV EDI,EDX
10001034 |. 83C9 FF OR ECX,FFFFFFFF
10001037 |. 33C0 XOR EAX,EAX
10001039 |. F2:AE REPNE SCAS BYTE PTR ES:[EDI]
1000103B |. F7D1 NOT ECX
1000103D |. 49 DEC ECX
1000103E |. 83F9 02 CMP ECX,2
10001041 |. 77 07 JA SHORT drug.1000104A
10001043 |. BE B0840010 MOV ESI,drug.100084B0
10001048 |. EB 2C JMP SHORT drug.10001076
1000104A |> 8D72 02 LEA ESI,DWORD PTR DS:[EDX+2]
1000104D |. EB 27 JMP SHORT drug.10001076
1000104F |> E8 9C000000 CALL drug.100010F0
10001054 |. 85C0 TEST EAX,EAX
10001056 |. 6A 20 PUSH 20
10001058 |. 56 PUSH ESI
10001059 |. 74 07 JE SHORT drug.10001062
1000105B |. E8 40070000 CALL drug.100017A0
10001060 |. EB 05 JMP SHORT drug.10001067
10001062 |> E8 79060000 CALL drug.100016E0
10001067 |> 83C4 08 ADD ESP,8
1000106A |. BE B4840010 MOV ESI,drug.100084B4
1000106F |. 85C0 TEST EAX,EAX
10001071 |. 74 03 JE SHORT drug.10001076
10001073 |. 8D70 01 LEA ESI,DWORD PTR DS:[EAX+1]
10001076 |> 8B4C24 18 MOV ECX,DWORD PTR SS:[ESP+18]
1000107A |. 8B5424 10 MOV EDX,DWORD PTR SS:[ESP+10]
1000107E |. 8B4424 0C MOV EAX,DWORD PTR SS:[ESP+C]
10001082 |. 6A 00 PUSH 0
10001084 |. 68 E8030000 PUSH 3E8
10001089 |. 51 PUSH ECX
1000108A |. 56 PUSH ESI
1000108B |. 52 PUSH EDX
1000108C |. 50 PUSH EAX
1000108D |. E8 2E060000 CALL <JMP.&PBVM90.#137>
Here it jumps straight into PBVM90.dll's address space; single-stepping into it returns to drug's address space, but after passing through the code below it goes back again,
100016C0 $- FF25 94500010 JMP DWORD PTR DS:[<&PBVM90.#137>] ; PBVM90.FN_RunExecutable
10BEEFB0 > 56 PUSH ESI
10BEEFB1 8B7424 08 MOV ESI,DWORD PTR SS:[ESP+8]
10BEEFB5 56 PUSH ESI
10BEEFB6 E8 E53D0F00 CALL PBVM90.rt_stop_run
10BEEFBB 56 PUSH ESI
10BEEFBC E8 6F690800 CALL PBVM90.ob_unshare_typedef_group
10BEEFC1 56 PUSH ESI
10BEEFC2 E8 B92D0600 CALL PBVM90.ob_mgr_terminate
10BEEFC7 B8 01000000 MOV EAX,1
10BEEFCC 5E POP ESI
10BEEFCD C2 0400 RETN 4
10BEEFD0 > 83EC 18 SUB ESP,18
10BEEFD3 56 PUSH ESI
10BEEFD4 8B7424 20 MOV ESI,DWORD PTR SS:[ESP+20]
10BEEFD8 56 PUSH ESI
10BEEFD9 E8 0232FEFF CALL PBVM90.FN_MinimumVersion
10BEEFDE 85C0 TEST EAX,EAX
10BEEFE0 75 07 JNZ SHORT PBVM90.10BEEFE9
10BEEFE2 5E POP ESI
10BEEFE3 83C4 18 ADD ESP,18
10BEEFE6 C2 1800 RETN 18
10BEEFE9 8B4424 24 MOV EAX,DWORD PTR SS:[ESP+24]
10BEEFED 8B4C24 28 MOV ECX,DWORD PTR SS:[ESP+28]
10BEEFF1 8B5424 2C MOV EDX,DWORD PTR SS:[ESP+2C]
10BEEFF5 894424 08 MOV DWORD PTR SS:[ESP+8],EAX
10BEEFF9 8B4424 30 MOV EAX,DWORD PTR SS:[ESP+30]
10BEEFFD 897424 04 MOV DWORD PTR SS:[ESP+4],ESI
10BEF001 894424 14 MOV DWORD PTR SS:[ESP+14],EAX
10BEF005 8B4424 34 MOV EAX,DWORD PTR SS:[ESP+34]
10BEF009 85C0 TEST EAX,EAX
10BEF00B 894C24 0C MOV DWORD PTR SS:[ESP+C],ECX
10BEF00F 895424 10 MOV DWORD PTR SS:[ESP+10],EDX
10BEF013 894424 18 MOV DWORD PTR SS:[ESP+18],EAX
10BEF017 74 11 JE SHORT PBVM90.10BEF02A
10BEF019 8D4C24 04 LEA ECX,DWORD PTR SS:[ESP+4]
10BEF01D 51 PUSH ECX
10BEF01E E8 1D000000 CALL PBVM90.FN_RunExecutableEx
10BEF023 5E POP ESI
10BEF024 83C4 18 ADD ESP,18
10BEF027 C2 1800 RETN 18
10BEF02A 8D5424 04 LEA EDX,DWORD PTR SS:[ESP+4]
10BEF02E 52 PUSH EDX
10BEF02F E8 0C000000 CALL PBVM90.FN_RunExecutableEx
This CALL skips the code below and goes straight to 10BEF040.
10BEF034 5E POP ESI
10BEF035 83C4 18 ADD ESP,18
10BEF038 C2 1800 RETN 18
10BEF03B 90 NOP
10BEF03C 90 NOP
10BEF03D 90 NOP
10BEF03E 90 NOP
10BEF03F 90 NOP
10BEF040 > 83EC 28 SUB ESP,28
10BEF043 8B4424 2C MOV EAX,DWORD PTR SS:[ESP+2C]
10BEF047 53 PUSH EBX
10BEF048 55 PUSH EBP
10BEF049 56 PUSH ESI
10BEF04A 8B48 04 MOV ECX,DWORD PTR DS:[EAX+4]
10BEF04D 8B50 0C MOV EDX,DWORD PTR DS:[EAX+C]
10BEF050 8B30 MOV ESI,DWORD PTR DS:[EAX]
10BEF052 8B68 08 MOV EBP,DWORD PTR DS:[EAX+8]
10BEF055 894C24 28 MOV DWORD PTR SS:[ESP+28],ECX
10BEF059 8B48 10 MOV ECX,DWORD PTR DS:[EAX+10]
10BEF05C 895424 2C MOV DWORD PTR SS:[ESP+2C],EDX
10BEF060 8B50 14 MOV EDX,DWORD PTR DS:[EAX+14]
10BEF063 57 PUSH EDI
10BEF064 6A 00 PUSH 0
10BEF066 897424 20 MOV DWORD PTR SS:[ESP+20],ESI
10BEF06A 896C24 28 MOV DWORD PTR SS:[ESP+28],EBP
10BEF06E 894C24 24 MOV DWORD PTR SS:[ESP+24],ECX
10BEF072 895424 2C MOV DWORD PTR SS:[ESP+2C],EDX
10BEF076 E8 554BF6FF CALL PBVM90.pbstg_begin
10BEF07B 8BD8 MOV EBX,EAX
10BEF07D 85DB TEST EBX,EBX
10BEF07F 895C24 34 MOV DWORD PTR SS:[ESP+34],EBX
10BEF083 74 07 JE SHORT PBVM90.10BEF08C
10BEF085 C743 0C D457DF1>MOV DWORD PTR DS:[EBX+C],PBVM90.10DF57D4 ; ASCII "Executable RTE/RTF"
10BEF08C 53 PUSH EBX
10BEF08D E8 2E3AFBFF CALL PBVM90.sh_dbg_init
10BEF092 6A 00 PUSH 0
10BEF094 8BF8 MOV EDI,EAX
10BEF096 68 04010000 PUSH 104
10BEF09B 53 PUSH EBX
10BEF09C 897C24 20 MOV DWORD PTR SS:[ESP+20],EDI
10BEF0A0 E8 CB50F6FF CALL PBVM90.pbstg_alc
10BEF0A5 68 04010000 PUSH 104
10BEF0AA 50 PUSH EAX
10BEF0AB 56 PUSH ESI
10BEF0AC 894424 24 MOV DWORD PTR SS:[ESP+24],EAX
10BEF0B0 FF15 A8D2DB10 CALL DWORD PTR DS:[<&KERNEL32.GetModuleF>; kernel32.GetModuleFileNameA
10BEF0B6 6A 00 PUSH 0
10BEF0B8 55 PUSH EBP
10BEF0B9 53 PUSH EBX
10BEF0BA E8 61C3FBFF CALL PBVM90.pbstg_strdup
10BEF0BF 8BF0 MOV ESI,EAX
10BEF0C1 897424 3C MOV DWORD PTR SS:[ESP+3C],ESI
10BEF0C5 E8 2629FEFF CALL PBVM90.10BD19F0
10BEF0CA 85C0 TEST EAX,EAX
10BEF0CC 56 PUSH ESI
10BEF0CD 74 08 JE SHORT PBVM90.10BEF0D7
10BEF0CF FF15 94D5DB10 CALL DWORD PTR DS:[<&MSVCRT._mbsupr>] ; msvcrt._mbsupr
10BEF0D5 EB 06 JMP SHORT PBVM90.10BEF0DD
10BEF0D7 FF15 C8D4DB10 CALL DWORD PTR DS:[<&MSVCRT._strupr>] ; msvcrt._strupr
10BEF0DD 8A0E MOV CL,BYTE PTR DS:[ESI]
10BEF0DF 83C4 04 ADD ESP,4
10BEF0E2 33ED XOR EBP,EBP
10BEF0E4 8BC6 MOV EAX,ESI
10BEF0E6 84C9 TEST CL,CL
10BEF0E8 896C24 10 MOV DWORD PTR SS:[ESP+10],EBP
10BEF0EC 0F84 CD000000 JE PBVM90.10BEF1BF
10BEF0F2 B9 08000000 MOV ECX,8
10BEF0F7 BF E857DF10 MOV EDI,PBVM90.10DF57E8 ; ASCII "/PBDEBUG"
10BEF0FC 8BF0 MOV ESI,EAX
10BEF0FE 33D2 XOR EDX,EDX
10BEF100 F3:A6 REPE CMPS BYTE PTR ES:[EDI],BYTE PTR DS:>
10BEF102 0F84 96000000 JE PBVM90.10BEF19E
10BEF108 B9 08000000 MOV ECX,8
10BEF10D BF F457DF10 MOV EDI,PBVM90.10DF57F4 ; ASCII "-PBDEBUG"
10BEF112 8BF0 MOV ESI,EAX
10BEF114 33D2 XOR EDX,EDX
10BEF116 F3:A6 REPE CMPS BYTE PTR ES:[EDI],BYTE PTR DS:>
10BEF118 0F84 80000000 JE PBVM90.10BEF19E
10BEF11E B9 07000000 MOV ECX,7
10BEF123 BF 0C58DF10 MOV EDI,PBVM90.10DF580C ; ASCII "/DEBUG="
10BEF128 8BF0 MOV ESI,EAX
10BEF12A 33D2 XOR EDX,EDX
10BEF12C F3:A6 REPE CMPS BYTE PTR ES:[EDI],BYTE PTR DS:>
10BEF12E 74 12 JE SHORT PBVM90.10BEF142
10BEF130 B9 07000000 MOV ECX,7
10BEF135 BF 1458DF10 MOV EDI,PBVM90.10DF5814 ; ASCII "-DEBUG="
10BEF13A 8BF0 MOV ESI,EAX
10BEF13C 33D2 XOR EDX,EDX
10BEF13E F3:A6 REPE CMPS BYTE PTR ES:[EDI],BYTE PTR DS:>
10BEF140 75 4E JNZ SHORT PBVM90.10BEF190
10BEF142 8B15 1C58DF10 MOV EDX,DWORD PTR DS:[10DF581C]
10BEF148 8BC8 MOV ECX,EAX
10BEF14A 83C0 07 ADD EAX,7
10BEF14D C74424 10 01000>MOV DWORD PTR SS:[ESP+10],1
10BEF155 8911 MOV DWORD PTR DS:[ECX],EDX
10BEF157 66:8B15 2058DF1>MOV DX,WORD PTR DS:[10DF5820]
10BEF15E 66:8951 04 MOV WORD PTR DS:[ECX+4],DX
10BEF162 8A15 2258DF10 MOV DL,BYTE PTR DS:[10DF5822]
10BEF168 8851 06 MOV BYTE PTR DS:[ECX+6],DL
10BEF16B 8A08 MOV CL,BYTE PTR DS:[EAX]
10BEF16D 80F9 30 CMP CL,30
10BEF170 72 1E JB SHORT PBVM90.10BEF190
10BEF172 80F9 39 CMP CL,39
10BEF175 77 19 JA SHORT PBVM90.10BEF190
10BEF177 8D54AD 00 LEA EDX,DWORD PTR SS:[EBP+EBP*4]
10BEF17B 81E1 FF000000 AND ECX,0FF
10BEF181 C600 20 MOV BYTE PTR DS:[EAX],20
10BEF184 40 INC EAX
10BEF185 8D6C51 D0 LEA EBP,DWORD PTR DS:[ECX+EDX*2-30]
10BEF189 8A08 MOV CL,BYTE PTR DS:[EAX]
10BEF18B 80F9 30 CMP CL,30
10BEF18E ^ 73 E2 JNB SHORT PBVM90.10BEF172
10BEF190 8A48 01 MOV CL,BYTE PTR DS:[EAX+1]
10BEF193 40 INC EAX
10BEF194 84C9 TEST CL,CL
10BEF196 ^ 0F85 56FFFFFF JNZ PBVM90.10BEF0F2
This jump is taken.
10BEF19C EB 19 JMP SHORT PBVM90.10BEF1B7
10BEF19E 8B0D 0058DF10 MOV ECX,DWORD PTR DS:[10DF5800]
10BEF1A4 C74424 10 01000>MOV DWORD PTR SS:[ESP+10],1
10BEF1AC 8908 MOV DWORD PTR DS:[EAX],ECX
10BEF1AE 8B15 0458DF10 MOV EDX,DWORD PTR DS:[10DF5804]
10BEF1B4 8950 04 MOV DWORD PTR DS:[EAX+4],EDX
10BEF1B7 8B7C24 14 MOV EDI,DWORD PTR SS:[ESP+14]
10BEF1BB 8B7424 3C MOV ESI,DWORD PTR SS:[ESP+3C]
10BEF1BF 8B4424 10 MOV EAX,DWORD PTR SS:[ESP+10]
10BEF1C3 85C0 TEST EAX,EAX
10BEF1C5 74 51 JE SHORT PBVM90.10BEF218
10BEF1C7 8B4424 18 MOV EAX,DWORD PTR SS:[ESP+18]
10BEF1CB 50 PUSH EAX
10BEF1CC 6A 00 PUSH 0
10BEF1CE 53 PUSH EBX
10BEF1CF E8 2C96FBFF CALL PBVM90.osPathCreate
10BEF1D4 8BF0 MOV ESI,EAX
10BEF1D6 68 2458DF10 PUSH PBVM90.10DF5824 ; ASCII "dbg"
10BEF1DB 56 PUSH ESI
10BEF1DC E8 5F98FBFF CALL PBVM90.osPathAddExtension
10BEF1E1 8D4E 08 LEA ECX,DWORD PTR DS:[ESI+8]
10BEF1E4 51 PUSH ECX
10BEF1E5 57 PUSH EDI
10BEF1E6 E8 753AFBFF CALL PBVM90.sh_dbg_outfile
10BEF1EB 56 PUSH ESI
10BEF1EC E8 6F9BFBFF CALL PBVM90.osPathDestroy
10BEF1F1 85ED TEST EBP,EBP
10BEF1F3 7E 0D JLE SHORT PBVM90.10BEF202
10BEF1F5 55 PUSH EBP
10BEF1F6 57 PUSH EDI
10BEF1F7 E8 743BFBFF CALL PBVM90.sh_dbg_set
10BEF1FC 8B7424 3C MOV ESI,DWORD PTR SS:[ESP+3C]
10BEF200 EB 21 JMP SHORT PBVM90.10BEF223
10BEF202 6A 1E PUSH 1E
10BEF204 57 PUSH EDI
10BEF205 E8 663BFBFF CALL PBVM90.sh_dbg_set
10BEF20A 6A 1F PUSH 1F
10BEF20C 57 PUSH EDI
10BEF20D E8 5E3BFBFF CALL PBVM90.sh_dbg_set
10BEF212 8B7424 3C MOV ESI,DWORD PTR SS:[ESP+3C]
10BEF216 EB 0B JMP SHORT PBVM90.10BEF223
10BEF218 68 2858DF10 PUSH PBVM90.10DF5828 ; ASCII "nul"
10BEF21D 57 PUSH EDI
10BEF21E E8 3D3AFBFF CALL PBVM90.sh_dbg_outfile
10BEF223 57 PUSH EDI
10BEF224 E8 D746FBFF CALL PBVM90.sh_dbg_on
10BEF229 8B4424 10 MOV EAX,DWORD PTR SS:[ESP+10]
10BEF22D 85C0 TEST EAX,EAX
10BEF22F 74 08 JE SHORT PBVM90.10BEF239
10BEF231 6A 00 PUSH 0
10BEF233 57 PUSH EDI
10BEF234 E8 173EFBFF CALL PBVM90.sh_dbg_header
10BEF239 56 PUSH ESI
10BEF23A 53 PUSH EBX
10BEF23B E8 204BF6FF CALL PBVM90.pbstg_fee
10BEF240 6A 00 PUSH 0
10BEF242 8B5424 28 MOV EDX,DWORD PTR SS:[ESP+28]
10BEF246 52 PUSH EDX
10BEF247 53 PUSH EBX
10BEF248 E8 D3C1FBFF CALL PBVM90.pbstg_strdup
10BEF24D 53 PUSH EBX
10BEF24E 57 PUSH EDI
10BEF24F 894424 44 MOV DWORD PTR SS:[ESP+44],EAX
10BEF253 E8 F8220600 CALL PBVM90.ob_mgr_init
10BEF258 8BE8 MOV EBP,EAX
10BEF25A 6A 02 PUSH 2
10BEF25C 55 PUSH EBP
10BEF25D E8 1E2C0600 CALL PBVM90.ob_set_mode
10BEF262 B8 01000000 MOV EAX,1
10BEF267 394424 28 CMP DWORD PTR SS:[ESP+28],EAX
10BEF26B 75 08 JNZ SHORT PBVM90.10BEF275
10BEF26D 8985 4C010000 MOV DWORD PTR SS:[EBP+14C],EAX
10BEF273 EB 0A JMP SHORT PBVM90.10BEF27F
10BEF275 C785 4C010000 0>MOV DWORD PTR SS:[EBP+14C],0
10BEF27F 8B85 48010000 MOV EAX,DWORD PTR SS:[EBP+148]
10BEF285 53 PUSH EBX
10BEF286 0C 03 OR AL,3
10BEF288 55 PUSH EBP
10BEF289 8985 48010000 MOV DWORD PTR SS:[EBP+148],EAX
10BEF28F E8 0C3D0F00 CALL PBVM90.rt_init
10BEF294 8BF0 MOV ESI,EAX
10BEF296 6A 00 PUSH 0
10BEF298 8B4424 20 MOV EAX,DWORD PTR SS:[ESP+20]
10BEF29C 50 PUSH EAX
10BEF29D 53 PUSH EBX
10BEF29E 56 PUSH ESI
10BEF29F C746 5E 0000000>MOV DWORD PTR DS:[ESI+5E],0
10BEF2A6 E8 452DFEFF CALL PBVM90.FN_Init
10BEF2AB 8BF8 MOV EDI,EAX
10BEF2AD 8B5C24 18 MOV EBX,DWORD PTR SS:[ESP+18]
10BEF2B1 53 PUSH EBX
10BEF2B2 55 PUSH EBP
10BEF2B3 E8 58BF0800 CALL PBVM90.ob_init_executable
10BEF2B8 8B4E 10 MOV ECX,DWORD PTR DS:[ESI+10]
10BEF2BB 53 PUSH EBX
10BEF2BC 51 PUSH ECX
10BEF2BD 894424 20 MOV DWORD PTR SS:[ESP+20],EAX
10BEF2C1 E8 9A4AF6FF CALL PBVM90.pbstg_fee
10BEF2C6 33DB XOR EBX,EBX
10BEF2C8 66:817C24 1A 00>CMP WORD PTR SS:[ESP+1A],0C000
10BEF2CF 0F84 D5000000 JE PBVM90.10BEF3AA
10BEF2D5 55 PUSH EBP
10BEF2D6 E8 C5E40900 CALL PBVM90.10C8D7A0
10BEF2DB 56 PUSH ESI
10BEF2DC E8 7F3A0F00 CALL PBVM90.rt_start_run
10BEF2E1 8B4F 70 MOV ECX,DWORD PTR DS:[EDI+70]
10BEF2E4 8B5424 2C MOV EDX,DWORD PTR SS:[ESP+2C]
10BEF2E8 8B5C24 1C MOV EBX,DWORD PTR SS:[ESP+1C]
10BEF2EC 8B4424 3C MOV EAX,DWORD PTR SS:[ESP+3C]
10BEF2F0 83C9 02 OR ECX,2
10BEF2F3 8997 A8000000 MOV DWORD PTR DS:[EDI+A8],EDX
10BEF2F9 8B5424 20 MOV EDX,DWORD PTR SS:[ESP+20]
10BEF2FD 894F 70 MOV DWORD PTR DS:[EDI+70],ECX
10BEF300 8B4C24 30 MOV ECX,DWORD PTR SS:[ESP+30]
10BEF304 52 PUSH EDX
10BEF305 53 PUSH EBX
10BEF306 899F A4000000 MOV DWORD PTR DS:[EDI+A4],EBX
10BEF30C 8947 7C MOV DWORD PTR DS:[EDI+7C],EAX
10BEF30F 890F MOV DWORD PTR DS:[EDI],ECX
10BEF311 FF15 D4D7DB10 CALL DWORD PTR DS:[<&USER32.LoadIconA>] ; USER32.LoadIconA
10BEF317 8947 74 MOV DWORD PTR DS:[EDI+74],EAX
10BEF31A A1 ECCEE210 MOV EAX,DWORD PTR DS:[10E2CEEC]
10BEF31F 85C0 TEST EAX,EAX
10BEF321 74 25 JE SHORT PBVM90.10BEF348
10BEF323 6A 00 PUSH 0
10BEF325 6A 32 PUSH 32
10BEF327 FF15 9CD8DB10 CALL DWORD PTR DS:[<&USER32.GetSystemMet>; USER32.GetSystemMetrics
10BEF32D 50 PUSH EAX
10BEF32E 6A 31 PUSH 31
10BEF330 FF15 9CD8DB10 CALL DWORD PTR DS:[<&USER32.GetSystemMet>; USER32.GetSystemMetrics
10BEF336 50 PUSH EAX
10BEF337 6A 01 PUSH 1
10BEF339 8B4424 30 MOV EAX,DWORD PTR SS:[ESP+30]
10BEF33D 50 PUSH EAX
10BEF33E 53 PUSH EBX
10BEF33F FF15 98D9DB10 CALL DWORD PTR DS:[<&USER32.LoadImageA>] ; USER32.LoadImageA
10BEF345 8947 78 MOV DWORD PTR DS:[EDI+78],EAX
10BEF348 8B4C24 18 MOV ECX,DWORD PTR SS:[ESP+18]
10BEF34C 51 PUSH ECX
10BEF34D 56 PUSH ESI
10BEF34E E8 1D0A0000 CALL PBVM90.10BEFD70
I kept going until here and stepped in.
10BEFD70 8B4424 08 MOV EAX,DWORD PTR SS:[ESP+8]
10BEFD74 83EC 10 SUB ESP,10
10BEFD77 55 PUSH EBP
10BEFD78 56 PUSH ESI
10BEFD79 8B7424 1C MOV ESI,DWORD PTR SS:[ESP+1C]
10BEFD7D 50 PUSH EAX
10BEFD7E 56 PUSH ESI
10BEFD7F 8B6E 52 MOV EBP,DWORD PTR DS:[ESI+52]
10BEFD82 E8 F9FDFFFF CALL PBVM90.10BEFB80
10BEFD87 83C4 08 ADD ESP,8
10BEFD8A 85C0 TEST EAX,EAX
10BEFD8C 75 06 JNZ SHORT PBVM90.10BEFD94
10BEFD8E 5E POP ESI
10BEFD8F 5D POP EBP
10BEFD90 83C4 10 ADD ESP,10
10BEFD93 C3 RETN
10BEFD94 8B4E 04 MOV ECX,DWORD PTR DS:[ESI+4]
10BEFD97 8B45 7C MOV EAX,DWORD PTR SS:[EBP+7C]
10BEFD9A 57 PUSH EDI
10BEFD9B 33FF XOR EDI,EDI
10BEFD9D 8B91 1E010000 MOV EDX,DWORD PTR DS:[ECX+11E]
10BEFDA3 53 PUSH EBX
10BEFDA4 3BC7 CMP EAX,EDI
10BEFDA6 52 PUSH EDX
10BEFDA7 74 03 JE SHORT PBVM90.10BEFDAC
10BEFDA9 50 PUSH EAX
10BEFDAA EB 05 JMP SHORT PBVM90.10BEFDB1
10BEFDAC 68 ECD1E210 PUSH PBVM90.10E2D1EC
10BEFDB1 8B46 10 MOV EAX,DWORD PTR DS:[ESI+10]
10BEFDB4 50 PUSH EAX
10BEFDB5 E8 66B6FBFF CALL PBVM90.pbstg_strdup
10BEFDBA 6A 0C PUSH 0C
10BEFDBC 894424 14 MOV DWORD PTR SS:[ESP+14],EAX
10BEFDC0 66:C74424 18 00>MOV WORD PTR SS:[ESP+18],0D00
10BEFDC7 66:C74424 1A 06>MOV WORD PTR SS:[ESP+1A],6
10BEFDCE E8 7DCC1A00 CALL <JMP.&libjsybheap.#13_Syb_Heap_mall>
10BEFDD3 83C4 04 ADD ESP,4
10BEFDD6 3BC7 CMP EAX,EDI
10BEFDD8 74 0B JE SHORT PBVM90.10BEFDE5
10BEFDDA 8978 08 MOV DWORD PTR DS:[EAX+8],EDI
10BEFDDD C700 F0FADB10 MOV DWORD PTR DS:[EAX],PBVM90.10DBFAF0
10BEFDE3 8BF8 MOV EDI,EAX
10BEFDE5 8B4E 04 MOV ECX,DWORD PTR DS:[ESI+4]
10BEFDE8 57 PUSH EDI
10BEFDE9 51 PUSH ECX
10BEFDEA E8 61130700 CALL PBVM90.ob_set_windows_dispatch_hand>
10BEFDEF 33C9 XOR ECX,ECX
10BEFDF1 8D5424 10 LEA EDX,DWORD PTR SS:[ESP+10]
10BEFDF5 51 PUSH ECX
10BEFDF6 6A 01 PUSH 1
10BEFDF8 6A 15 PUSH 15
10BEFDFA 6A 01 PUSH 1
10BEFDFC 52 PUSH EDX
10BEFDFD 8BD8 MOV EBX,EAX
10BEFDFF 8B85 D4000000 MOV EAX,DWORD PTR SS:[EBP+D4]
10BEFE05 8B6C24 24 MOV EBP,DWORD PTR SS:[ESP+24]
10BEFE09 83EC 10 SUB ESP,10
10BEFE0C 8BD4 MOV EDX,ESP
10BEFE0E 56 PUSH ESI
10BEFE0F 892A MOV DWORD PTR DS:[EDX],EBP
10BEFE11 8942 04 MOV DWORD PTR DS:[EDX+4],EAX
10BEFE14 33C0 XOR EAX,EAX
10BEFE16 894A 08 MOV DWORD PTR DS:[EDX+8],ECX
10BEFE19 8942 0C MOV DWORD PTR DS:[EDX+C],EAX
10BEFE1C E8 0FDD0E00 CALL PBVM90.rtRoutineExec
Arrived here and stepped in.
10CDDB30 > 83EC 28 SUB ESP,28
10CDDB33 8B4424 38 MOV EAX,DWORD PTR SS:[ESP+38]
10CDDB37 53 PUSH EBX
10CDDB38 55 PUSH EBP
10CDDB39 33ED XOR EBP,EBP
10CDDB3B 56 PUSH ESI
10CDDB3C 8B7424 38 MOV ESI,DWORD PTR SS:[ESP+38]
10CDDB40 3BC5 CMP EAX,EBP
10CDDB42 57 PUSH EDI
10CDDB43 896C24 14 MOV DWORD PTR SS:[ESP+14],EBP
10CDDB47 896C24 28 MOV DWORD PTR SS:[ESP+28],EBP
10CDDB4B 896C24 20 MOV DWORD PTR SS:[ESP+20],EBP
10CDDB4F 896C24 24 MOV DWORD PTR SS:[ESP+24],EBP
10CDDB53 75 32 JNZ SHORT PBVM90.10CDDB87
10CDDB55 8B4424 44 MOV EAX,DWORD PTR SS:[ESP+44]
10CDDB59 8D4C24 3C LEA ECX,DWORD PTR SS:[ESP+3C]
10CDDB5D 51 PUSH ECX
10CDDB5E 50 PUSH EAX
10CDDB5F 56 PUSH ESI
10CDDB60 894424 28 MOV DWORD PTR SS:[ESP+28],EAX
10CDDB64 E8 27FEFAFF CALL PBVM90.10C8D990
10CDDB69 8B5424 48 MOV EDX,DWORD PTR SS:[ESP+48]
10CDDB6D 894424 1C MOV DWORD PTR SS:[ESP+1C],EAX
10CDDB71 83C4 0C ADD ESP,0C
10CDDB74 66:894424 1A MOV WORD PTR SS:[ESP+1A],AX
10CDDB79 66:8B4A 10 MOV CX,WORD PTR DS:[EDX+10]
10CDDB7D 66:894C24 18 MOV WORD PTR SS:[ESP+18],CX
10CDDB82 /E9 E5000000 JMP PBVM90.10CDDC6C
10CDDB87 |BA 01000000 MOV EDX,1
10CDDB8C |3BC2 CMP EAX,EDX
10CDDB8E |75 72 JNZ SHORT PBVM90.10CDDC02
10CDDB90 |8B4C24 40 MOV ECX,DWORD PTR SS:[ESP+40]
10CDDB94 |89AE 32010000 MOV DWORD PTR DS:[ESI+132],EBP
10CDDB9A |66:81F9 FFFF CMP CX,0FFFF
10CDDB9F |894C24 18 MOV DWORD PTR SS:[ESP+18],ECX
10CDDBA3 |75 15 JNZ SHORT PBVM90.10CDDBBA
10CDDBA5 |8B4C24 42 MOV ECX,DWORD PTR SS:[ESP+42]
10CDDBA9 |896C24 3C MOV DWORD PTR SS:[ESP+3C],EBP
10CDDBAD |894C24 10 MOV DWORD PTR SS:[ESP+10],ECX
10CDDBB1 |896C24 1C MOV DWORD PTR SS:[ESP+1C],EBP
10CDDBB5 |E9 B2000000 JMP PBVM90.10CDDC6C
10CDDBBA |8BBE AE000000 MOV EDI,DWORD PTR DS:[ESI+AE]
10CDDBC0 |8BC1 MOV EAX,ECX
10CDDBC2 |25 FFFF0000 AND EAX,0FFFF
10CDDBC7 |3BF8 CMP EDI,EAX
10CDDBC9 |76 1E JBE SHORT PBVM90.10CDDBE9
10CDDBCB |8BBE 9A000000 MOV EDI,DWORD PTR DS:[ESI+9A]
10CDDBD1 |8D0480 LEA EAX,DWORD PTR DS:[EAX+EAX*4]
10CDDBD4 |C1E0 04 SHL EAX,4
10CDDBD7 |8B4407 04 MOV EAX,DWORD PTR DS:[EDI+EAX+4]
10CDDBDB |3BC5 CMP EAX,EBP
10CDDBDD |74 0A JE SHORT PBVM90.10CDDBE9
10CDDBDF |3950 12 CMP DWORD PTR DS:[EAX+12],EDX
10CDDBE2 |74 05 JE SHORT PBVM90.10CDDBE9
10CDDBE4 |8B40 0E MOV EAX,DWORD PTR DS:[EAX+E]
10CDDBE7 |EB 07 JMP SHORT PBVM90.10CDDBF0
10CDDBE9 |51 PUSH ECX
10CDDBEA |56 PUSH ESI
10CDDBEB |E8 8073F9FF CALL PBVM90.ob_group_data_srch
10CDDBF0 |8B4C24 42 MOV ECX,DWORD PTR SS:[ESP+42]
10CDDBF4 |894424 3C MOV DWORD PTR SS:[ESP+3C],EAX
10CDDBF8 |894C24 10 MOV DWORD PTR SS:[ESP+10],ECX
10CDDBFC |896C24 1C MOV DWORD PTR SS:[ESP+1C],EBP
10CDDC00 |EB 6A JMP SHORT PBVM90.10CDDC6C
10CDDC02 |83F8 02 CMP EAX,2
10CDDC05 |75 65 JNZ SHORT PBVM90.10CDDC6C
10CDDC07 |8B4C24 40 MOV ECX,DWORD PTR SS:[ESP+40]
10CDDC0B |89AE 32010000 MOV DWORD PTR DS:[ESI+132],EBP
10CDDC11 |66:81F9 FFFF CMP CX,0FFFF
10CDDC16 |894C24 18 MOV DWORD PTR SS:[ESP+18],ECX
10CDDC1A |75 06 JNZ SHORT PBVM90.10CDDC22
10CDDC1C |896C24 3C MOV DWORD PTR SS:[ESP+3C],EBP
10CDDC20 |EB 3A JMP SHORT PBVM90.10CDDC5C
10CDDC22 |8BBE AE000000 MOV EDI,DWORD PTR DS:[ESI+AE]
10CDDC28 |8BC1 MOV EAX,ECX
10CDDC2A |25 FFFF0000 AND EAX,0FFFF
10CDDC2F |3BF8 CMP EDI,EAX
10CDDC31 |76 1E JBE SHORT PBVM90.10CDDC51
10CDDC33 |8BBE 9A000000 MOV EDI,DWORD PTR DS:[ESI+9A]
10CDDC39 |8D0480 LEA EAX,DWORD PTR DS:[EAX+EAX*4]
10CDDC3C |C1E0 04 SHL EAX,4
10CDDC3F |8B4407 04 MOV EAX,DWORD PTR DS:[EDI+EAX+4]
10CDDC43 |3BC5 CMP EAX,EBP
10CDDC45 |74 0A JE SHORT PBVM90.10CDDC51
10CDDC47 |3950 12 CMP DWORD PTR DS:[EAX+12],EDX
10CDDC4A |74 05 JE SHORT PBVM90.10CDDC51
10CDDC4C |8B40 0E MOV EAX,DWORD PTR DS:[EAX+E]
10CDDC4F |EB 07 JMP SHORT PBVM90.10CDDC58
10CDDC51 |51 PUSH ECX
10CDDC52 |56 PUSH ESI
10CDDC53 |E8 1873F9FF CALL PBVM90.ob_group_data_srch
10CDDC58 |894424 3C MOV DWORD PTR SS:[ESP+3C],EAX
10CDDC5C |8B4C24 42 MOV ECX,DWORD PTR SS:[ESP+42]
10CDDC60 |8B5424 44 MOV EDX,DWORD PTR SS:[ESP+44]
10CDDC64 |894C24 10 MOV DWORD PTR SS:[ESP+10],ECX
10CDDC68 |895424 1C MOV DWORD PTR SS:[ESP+1C],EDX
10CDDC6C \8B46 72 MOV EAX,DWORD PTR DS:[ESI+72]
10CDDC6F 8B4C24 4C MOV ECX,DWORD PTR SS:[ESP+4C]
10CDDC73 8B56 38 MOV EDX,DWORD PTR DS:[ESI+38]
10CDDC76 894424 2C MOV DWORD PTR SS:[ESP+2C],EAX
10CDDC7A 8B46 08 MOV EAX,DWORD PTR DS:[ESI+8]
10CDDC7D 894E 72 MOV DWORD PTR DS:[ESI+72],ECX
10CDDC80 50 PUSH EAX
10CDDC81 895424 38 MOV DWORD PTR SS:[ESP+38],EDX
10CDDC85 896E 38 MOV DWORD PTR DS:[ESI+38],EBP
10CDDC88 E8 A302F1FF CALL PBVM90.FN_RtSuspended
10CDDC8D 8B4E 08 MOV ECX,DWORD PTR DS:[ESI+8]
10CDDC90 55 PUSH EBP
10CDDC91 51 PUSH ECX
10CDDC92 894424 38 MOV DWORD PTR SS:[ESP+38],EAX
10CDDC96 E8 7502F1FF CALL PBVM90.FN_RtSuspend
10CDDC9B 8B5C24 54 MOV EBX,DWORD PTR SS:[ESP+54]
10CDDC9F 8B7C24 58 MOV EDI,DWORD PTR SS:[ESP+58]
10CDDCA3 3BDD CMP EBX,EBP
10CDDCA5 0F86 D0000000 JBE PBVM90.10CDDD7B
10CDDCAB 8B5424 60 MOV EDX,DWORD PTR SS:[ESP+60]
10CDDCAF 8D4424 24 LEA EAX,DWORD PTR SS:[ESP+24]
10CDDCB3 52 PUSH EDX
10CDDCB4 8B5424 1C MOV EDX,DWORD PTR SS:[ESP+1C]
10CDDCB8 8D4C24 24 LEA ECX,DWORD PTR SS:[ESP+24]
10CDDCBC 50 PUSH EAX
10CDDCBD 51 PUSH ECX
10CDDCBE 57 PUSH EDI
10CDDCBF 52 PUSH EDX
10CDDCC0 8B5424 64 MOV EDX,DWORD PTR SS:[ESP+64]
10CDDCC4 8D4424 3C LEA EAX,DWORD PTR SS:[ESP+3C]
10CDDCC8 53 PUSH EBX
10CDDCC9 8D4C24 2C LEA ECX,DWORD PTR SS:[ESP+2C]
10CDDCCD 50 PUSH EAX
10CDDCCE 51 PUSH ECX
10CDDCCF 52 PUSH EDX
10CDDCD0 56 PUSH ESI
10CDDCD1 E8 CA020000 CALL PBVM90.10CDDFA0
10CDDCD6 83C4 28 ADD ESP,28
10CDDCD9 3BC5 CMP EAX,EBP
10CDDCDB 0F85 94000000 JNZ PBVM90.10CDDD75
10CDDCE1 837C24 5C 01 CMP DWORD PTR SS:[ESP+5C],1
10CDDCE6 75 11 JNZ SHORT PBVM90.10CDDCF9
10CDDCE8 8B6C24 58 MOV EBP,DWORD PTR SS:[ESP+58]
10CDDCEC C74424 5C 04000>MOV DWORD PTR SS:[ESP+5C],4
10CDDCF4 E9 B9010000 JMP PBVM90.10CDDEB2
10CDDCF9 8D4424 10 LEA EAX,DWORD PTR SS:[ESP+10]
10CDDCFD 57 PUSH EDI
10CDDCFE 8D4C24 40 LEA ECX,DWORD PTR SS:[ESP+40]
10CDDD02 50 PUSH EAX
10CDDD03 51 PUSH ECX
10CDDD04 56 PUSH ESI
10CDDD05 E8 B6BDFAFF CALL PBVM90.ob_type_vtable_module_srch
10CDDD0A 25 FFFF0000 AND EAX,0FFFF
10CDDD0F 8B5424 3C MOV EDX,DWORD PTR SS:[ESP+3C]
10CDDD13 8B4C24 10 MOV ECX,DWORD PTR SS:[ESP+10]
10CDDD17 81E1 FF3F0000 AND ECX,3FFF
10CDDD1D C74424 5C 04000>MOV DWORD PTR SS:[ESP+5C],4
10CDDD25 8B52 2A MOV EDX,DWORD PTR DS:[EDX+2A]
10CDDD28 8D3C89 LEA EDI,DWORD PTR DS:[ECX+ECX*4]
10CDDD2B 8B4A 08 MOV ECX,DWORD PTR DS:[EDX+8]
10CDDD2E 8B69 02 MOV EBP,DWORD PTR DS:[ECX+2]
10CDDD31 33C9 XOR ECX,ECX
10CDDD33 66:8B4CBD 0C MOV CX,WORD PTR SS:[EBP+EDI*4+C]
10CDDD38 8D3C89 LEA EDI,DWORD PTR DS:[ECX+ECX*4]
10CDDD3B C1E7 04 SHL EDI,4
10CDDD3E 2BF9 SUB EDI,ECX
10CDDD40 8B4A 2C MOV ECX,DWORD PTR DS:[EDX+2C]
10CDDD43 8B52 28 MOV EDX,DWORD PTR DS:[EDX+28]
10CDDD46 8B49 08 MOV ECX,DWORD PTR DS:[ECX+8]
10CDDD49 8B6A 08 MOV EBP,DWORD PTR DS:[EDX+8]
10CDDD4C 8B4C79 28 MOV ECX,DWORD PTR DS:[ECX+EDI*2+28]
10CDDD50 8B04C1 MOV EAX,DWORD PTR DS:[ECX+EAX*8]
10CDDD53 8B08 MOV ECX,DWORD PTR DS:[EAX]
10CDDD55 81E1 FFFFFF7F AND ECX,7FFFFFFF
10CDDD5B 03CD ADD ECX,EBP
10CDDD5D 51 PUSH ECX
10CDDD5E 68 47500000 PUSH 5047
10CDDD63 56 PUSH ESI
10CDDD64 E8 57F5FFFF CALL PBVM90._rt_formatted_error
10CDDD69 8B6C24 64 MOV EBP,DWORD PTR SS:[ESP+64]
10CDDD6D 83C4 0C ADD ESP,0C
10CDDD70 E9 3D010000 JMP PBVM90.10CDDEB2
10CDDD75 896C24 58 MOV DWORD PTR SS:[ESP+58],EBP
10CDDD79 /EB 04 JMP SHORT PBVM90.10CDDD7F
10CDDD7B |8B6C24 58 MOV EBP,DWORD PTR SS:[ESP+58]
10CDDD7F \83BE 4C010000 0>CMP DWORD PTR DS:[ESI+14C],1
10CDDD86 75 3B JNZ SHORT PBVM90.10CDDDC3
10CDDD88 8B4424 5C MOV EAX,DWORD PTR SS:[ESP+5C]
10CDDD8C 8B4C24 1C MOV ECX,DWORD PTR SS:[ESP+1C]
10CDDD90 8B5424 48 MOV EDX,DWORD PTR SS:[ESP+48]
10CDDD94 50 PUSH EAX
10CDDD95 8B4424 18 MOV EAX,DWORD PTR SS:[ESP+18]
10CDDD99 51 PUSH ECX
10CDDD9A 8B4C24 18 MOV ECX,DWORD PTR SS:[ESP+18]
10CDDD9E 57 PUSH EDI
10CDDD9F 52 PUSH EDX
10CDDDA0 8B5424 4C MOV EDX,DWORD PTR SS:[ESP+4C]
10CDDDA4 53 PUSH EBX
10CDDDA5 50 PUSH EAX
10CDDDA6 51 PUSH ECX
10CDDDA7 52 PUSH EDX
10CDDDA8 56 PUSH ESI
10CDDDA9 E8 C20D0000 CALL PBVM90.10CDEB70
10CDDDAE 83C4 24 ADD ESP,24
10CDDDB1 83F8 01 CMP EAX,1
10CDDDB4 894424 5C MOV DWORD PTR SS:[ESP+5C],EAX
10CDDDB8 0F84 F4000000 JE PBVM90.10CDDEB2
10CDDDBE E9 EA000000 JMP PBVM90.10CDDEAD
10CDDDC3 8D4424 10 LEA EAX,DWORD PTR SS:[ESP+10]
10CDDDC7 57 PUSH EDI
10CDDDC8 8D4C24 40 LEA ECX,DWORD PTR SS:[ESP+40]
10CDDDCC 50 PUSH EAX
10CDDDCD 51 PUSH ECX
10CDDDCE 56 PUSH ESI
10CDDDCF E8 ECBCFAFF CALL PBVM90.ob_type_vtable_module_srch
10CDDDD4 25 FFFF0000 AND EAX,0FFFF
10CDDDD9 8B5424 3C MOV EDX,DWORD PTR SS:[ESP+3C]
10CDDDDD 8B4C24 10 MOV ECX,DWORD PTR SS:[ESP+10]
10CDDDE1 81E1 FF3F0000 AND ECX,3FFF
10CDDDE7 8B52 2A MOV EDX,DWORD PTR DS:[EDX+2A]
10CDDDEA 8D1C89 LEA EBX,DWORD PTR DS:[ECX+ECX*4]
10CDDDED 8B4A 08 MOV ECX,DWORD PTR DS:[EDX+8]
10CDDDF0 8B52 2C MOV EDX,DWORD PTR DS:[EDX+2C]
10CDDDF3 8B69 02 MOV EBP,DWORD PTR DS:[ECX+2]
10CDDDF6 33C9 XOR ECX,ECX
10CDDDF8 66:8B4C9D 0C MOV CX,WORD PTR SS:[EBP+EBX*4+C]
10CDDDFD 8D1C89 LEA EBX,DWORD PTR DS:[ECX+ECX*4]
10CDDE00 C1E3 04 SHL EBX,4
10CDDE03 2BD9 SUB EBX,ECX
10CDDE05 8B4A 08 MOV ECX,DWORD PTR DS:[EDX+8]
10CDDE08 8B5459 28 MOV EDX,DWORD PTR DS:[ECX+EBX*2+28]
10CDDE0C 8D2C59 LEA EBP,DWORD PTR DS:[ECX+EBX*2]
10CDDE0F 8D1CC2 LEA EBX,DWORD PTR DS:[EDX+EAX*8]
10CDDE12 8B04C2 MOV EAX,DWORD PTR DS:[EDX+EAX*8]
10CDDE15 66:8B50 16 MOV DX,WORD PTR DS:[EAX+16]
10CDDE19 66:8B48 18 MOV CX,WORD PTR DS:[EAX+18]
10CDDE1D 66:8B40 1E MOV AX,WORD PTR DS:[EAX+1E]
10CDDE21 C1E8 09 SHR EAX,9
10CDDE24 83E0 07 AND EAX,7
10CDDE27 74 05 JE SHORT PBVM90.10CDDE2E
10CDDE29 83F8 01 CMP EAX,1
10CDDE2C 75 47 JNZ SHORT PBVM90.10CDDE75
10CDDE2E 66:81F9 FFFF CMP CX,0FFFF
10CDDE33 75 40 JNZ SHORT PBVM90.10CDDE75
10CDDE35 837C24 5C 01 CMP DWORD PTR SS:[ESP+5C],1
10CDDE3A 75 27 JNZ SHORT PBVM90.10CDDE63
10CDDE3C 6A 00 PUSH 0
10CDDE3E 56 PUSH ESI
10CDDE3F E8 DC25FCFF CALL PBVM90.ob_set_curr_rtinst_and_return
10CDDE44 8B03 MOV EAX,DWORD PTR DS:[EBX]
10CDDE46 66:8B40 1C MOV AX,WORD PTR DS:[EAX+1C]
10CDDE4A 66:85C0 TEST AX,AX
10CDDE4D 75 04 JNZ SHORT PBVM90.10CDDE53
10CDDE4F 6A 08 PUSH 8
10CDDE51 EB 01 JMP SHORT PBVM90.10CDDE54
10CDDE53 50 PUSH EAX
10CDDE54 56 PUSH ESI
10CDDE55 E8 46FBFEFF CALL PBVM90.10CCD9A0
10CDDE5A 83C4 08 ADD ESP,8
10CDDE5D 56 PUSH ESI
10CDDE5E E8 6D26FCFF CALL PBVM90.ob_unset_curr_rtinst_and_return
10CDDE63 8B5C24 54 MOV EBX,DWORD PTR SS:[ESP+54]
10CDDE67 8B6C24 58 MOV EBP,DWORD PTR SS:[ESP+58]
10CDDE6B C74424 5C 01000>MOV DWORD PTR SS:[ESP+5C],1
10CDDE73 EB 3D JMP SHORT PBVM90.10CDDEB2
10CDDE75 33C9 XOR ECX,ECX
10CDDE77 6A 00 PUSH 0
10CDDE79 394C24 60 CMP DWORD PTR SS:[ESP+60],ECX
10CDDE7D 57 PUSH EDI
10CDDE7E 53 PUSH EBX
10CDDE7F 8B5C24 60 MOV EBX,DWORD PTR SS:[ESP+60]
10CDDE83 0F95C1 SETNE CL
10CDDE86 41 INC ECX
10CDDE87 51 PUSH ECX
10CDDE88 8B4C24 2C MOV ECX,DWORD PTR SS:[ESP+2C]
10CDDE8C 55 PUSH EBP
10CDDE8D 52 PUSH EDX
10CDDE8E 8B5424 40 MOV EDX,DWORD PTR SS:[ESP+40]
10CDDE92 50 PUSH EAX
10CDDE93 8B4424 30 MOV EAX,DWORD PTR SS:[ESP+30]
10CDDE97 51 PUSH ECX
10CDDE98 8B4C24 5C MOV ECX,DWORD PTR SS:[ESP+5C]
10CDDE9C 52 PUSH EDX
10CDDE9D 50 PUSH EAX
10CDDE9E 53 PUSH EBX
10CDDE9F 51 PUSH ECX
10CDDEA0 56 PUSH ESI
10CDDEA1 E8 4A0E0000 CALL PBVM90.10CDECF0
Stepped into this CALL.
......
I followed it for a long time; most recently it jumped into a CPU thread,
went back into the MScorwks module, a few steps later reached the NTDLL module, and then stopped moving.
Single-stepping over, I got into kernel32, and a few steps later was back in the MScorwks module:
79F97065 C745 FC FEFFFFF>MOV DWORD PTR SS:[EBP-4],-2
79F9706C 6A 00 PUSH 0
79F9706E 6A 00 PUSH 0
79F97070 E8 79F4FFFF CALL mscorwks.79F964EE
79F97075 50 PUSH EAX
79F97076 68 06151380 PUSH 80131506
79F9707B E8 29310C00 CALL mscorwks.7A05A1A9
After going around in there for a bit it returned to NTDLL again, and as before it just stopped moving.
At this point the software itself should be asking for the server address and account set, and after clicking Login it goes in and checks
the dongle and the trial period. But under OD this cannot be shown.
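As an added example that is not part of the original post: a small Python helper for the OllyDbg listing format pasted throughout this thread. It pulls every CALL operand out of a listing and classifies it by module (an import through the IAT slot `DS:[<&MODULE.Symbol>]`, a thunk through a `<JMP.&MODULE.Symbol>` stub, a named symbol, or a bare address inside a module), and it collects the `; ASCII "..."` annotations OllyDbg attaches to PUSH/MOV operands. Run over a trace like the one above, it shows at a glance which module spaces the execution crosses (drug, PBVM90, KERNEL32/USER32, libjsybheap, mscorwks) and which strings the code compares against. The sample listing is a handful of lines taken from the dumps in this thread; the function names and the regular expressions are my own and not part of OllyDbg or PBVM90.

```python
import re
from collections import defaultdict

# Sample input: a few listing lines copied from the dumps in this thread.
SAMPLE_LISTING = """\
10001B56 . FF15 1C500010 CALL DWORD PTR DS:[<&KERNEL32.GetVersion>; kernel32.GetVersion
10001B87 . E8 64130000 CALL drug.10002EF0
1000108D |. E8 2E060000 CALL <JMP.&PBVM90.#137>
10BEF0A0 E8 CB50F6FF CALL PBVM90.pbstg_alc
10BEF0F7 BF E857DF10 MOV EDI,PBVM90.10DF57E8 ; ASCII "/PBDEBUG"
10BEF1CF E8 2C96FBFF CALL PBVM90.osPathCreate
10BEF1D6 68 2458DF10 PUSH PBVM90.10DF5824 ; ASCII "dbg"
10BEFDCE E8 7DCC1A00 CALL <JMP.&libjsybheap.#13_Syb_Heap_mall>
79F97070 E8 79F4FFFF CALL mscorwks.79F964EE
10BEF311 FF15 D4D7DB10 CALL DWORD PTR DS:[<&USER32.LoadIconA>] ; USER32.LoadIconA
"""

# CALL operand, up to the optional "; comment" that OllyDbg appends.
CALL_RE = re.compile(r"\bCALL\s+(?P<target>[^;]+?)\s*(?:;|$)")
# Import-table slot: DWORD PTR DS:[<&MODULE.Symbol>]  (the "]" is often cut off in pasted dumps).
IMPORT_RE = re.compile(r"<&(?P<mod>[A-Za-z0-9_]+)\.(?P<sym>[^>]+)>")
# Thunk through a JMP stub: <JMP.&MODULE.Symbol> or <JMP.&MODULE.#ordinal>.
THUNK_RE = re.compile(r"<JMP\.&(?P<mod>[A-Za-z0-9_]+)\.(?P<sym>[^>]+)>")
# Direct target inside a module: MODULE.symbol or MODULE.10002EF0 (a trailing ">" marks a truncated name).
DIRECT_RE = re.compile(r"^(?P<mod>[A-Za-z0-9_]+)\.(?P<sym>[A-Za-z0-9_#]+)>?$")
# OllyDbg's string annotation on PUSH/MOV lines.
STRING_RE = re.compile(r';\s*ASCII\s+"(?P<s>[^"]*)"')


def classify_call(target: str):
    """Return (kind, module, symbol) for one CALL operand (helper name is mine)."""
    m = THUNK_RE.search(target)
    if m:
        return "thunk", m.group("mod"), m.group("sym")
    m = IMPORT_RE.search(target)
    if m:
        return "import", m.group("mod"), m.group("sym")
    m = DIRECT_RE.match(target)
    if m:
        sym = m.group("sym")
        kind = "address" if re.fullmatch(r"[0-9A-F]{8}", sym) else "symbol"
        return kind, m.group("mod"), sym
    # Register- or memory-indirect call whose destination the listing does not name.
    return "indirect", None, target


def call_targets(listing: str):
    """Map module name -> sorted list of (kind, symbol) for every CALL in the listing."""
    targets = defaultdict(set)
    for line in listing.splitlines():
        m = CALL_RE.search(line)
        if not m:
            continue
        kind, mod, sym = classify_call(m.group("target").strip())
        targets[mod or "?"].add((kind, sym))
    return {mod: sorted(syms) for mod, syms in targets.items()}


def modules_called(listing: str):
    """Sorted list of modules the listing calls into: the module spaces a trace crosses."""
    return sorted(call_targets(listing))


def string_refs(listing: str):
    """ASCII strings OllyDbg annotated next to PUSH/MOV operands, in listing order."""
    return [m.group("s") for m in (STRING_RE.search(l) for l in listing.splitlines()) if m]


if __name__ == "__main__":
    for mod, syms in sorted(call_targets(SAMPLE_LISTING).items()):
        print(f"{mod}:")
        for kind, sym in syms:
            print(f"    {kind:8} {sym}")
    print("strings:", string_refs(SAMPLE_LISTING))
```

Feed it the whole pasted listing instead of the sample and the per-module table makes the narrative above concrete: calls into `drug` are bare addresses (no symbols), calls into PBVM90 are mostly named runtime routines, and the only Win32 APIs touched are the IAT imports from KERNEL32 and USER32.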
10CDDDFD 8D1C89 LEA EBX,DWORD PTR DS:[ECX+ECX*4]
10CDDE00 C1E3 04 SHL EBX,4
10CDDE03 2BD9 SUB EBX,ECX
10CDDE05 8B4A 08 MOV ECX,DWORD PTR DS:[EDX+8]
10CDDE08 8B5459 28 MOV EDX,DWORD PTR DS:[ECX+EBX*2+28]
10CDDE0C 8D2C59 LEA EBP,DWORD PTR DS:[ECX+EBX*2]
10CDDE0F 8D1CC2 LEA EBX,DWORD PTR DS:[EDX+EAX*8]
10CDDE12 8B04C2 MOV EAX,DWORD PTR DS:[EDX+EAX*8]
10CDDE15 66:8B50 16 MOV DX,WORD PTR DS:[EAX+16]
10CDDE19 66:8B48 18 MOV CX,WORD PTR DS:[EAX+18]
10CDDE1D 66:8B40 1E MOV AX,WORD PTR DS:[EAX+1E]
10CDDE21 C1E8 09 SHR EAX,9
10CDDE24 83E0 07 AND EAX,7
10CDDE27 74 05 JE SHORT PBVM90.10CDDE2E
10CDDE29 83F8 01 CMP EAX,1
10CDDE2C 75 47 JNZ SHORT PBVM90.10CDDE75
10CDDE2E 66:81F9 FFFF CMP CX,0FFFF
10CDDE33 75 40 JNZ SHORT PBVM90.10CDDE75
10CDDE35 837C24 5C 01 CMP DWORD PTR SS:[ESP+5C],1
10CDDE3A 75 27 JNZ SHORT PBVM90.10CDDE63
10CDDE3C 6A 00 PUSH 0
10CDDE3E 56 PUSH ESI
10CDDE3F E8 DC25FCFF CALL PBVM90.ob_set_curr_rtinst_and_return
10CDDE44 8B03 MOV EAX,DWORD PTR DS:[EBX]
10CDDE46 66:8B40 1C MOV AX,WORD PTR DS:[EAX+1C]
10CDDE4A 66:85C0 TEST AX,AX
10CDDE4D 75 04 JNZ SHORT PBVM90.10CDDE53
10CDDE4F 6A 08 PUSH 8
10CDDE51 EB 01 JMP SHORT PBVM90.10CDDE54
10CDDE53 50 PUSH EAX
10CDDE54 56 PUSH ESI
10CDDE55 E8 46FBFEFF CALL PBVM90.10CCD9A0
10CDDE5A 83C4 08 ADD ESP,8
10CDDE5D 56 PUSH ESI
10CDDE5E E8 6D26FCFF CALL PBVM90.ob_unset_curr_rtinst_and_return
10CDDE63 8B5C24 54 MOV EBX,DWORD PTR SS:[ESP+54]
10CDDE67 8B6C24 58 MOV EBP,DWORD PTR SS:[ESP+58]
10CDDE6B C74424 5C 01000>MOV DWORD PTR SS:[ESP+5C],1
10CDDE73 EB 3D JMP SHORT PBVM90.10CDDEB2
10CDDE75 33C9 XOR ECX,ECX
10CDDE77 6A 00 PUSH 0
10CDDE79 394C24 60 CMP DWORD PTR SS:[ESP+60],ECX
10CDDE7D 57 PUSH EDI
10CDDE7E 53 PUSH EBX
10CDDE7F 8B5C24 60 MOV EBX,DWORD PTR SS:[ESP+60]
10CDDE83 0F95C1 SETNE CL
10CDDE86 41 INC ECX
10CDDE87 51 PUSH ECX
10CDDE88 8B4C24 2C MOV ECX,DWORD PTR SS:[ESP+2C]
10CDDE8C 55 PUSH EBP
10CDDE8D 52 PUSH EDX
10CDDE8E 8B5424 40 MOV EDX,DWORD PTR SS:[ESP+40]
10CDDE92 50 PUSH EAX
10CDDE93 8B4424 30 MOV EAX,DWORD PTR SS:[ESP+30]
10CDDE97 51 PUSH ECX
10CDDE98 8B4C24 5C MOV ECX,DWORD PTR SS:[ESP+5C]
10CDDE9C 52 PUSH EDX
10CDDE9D 50 PUSH EAX
10CDDE9E 53 PUSH EBX
10CDDE9F 51 PUSH ECX
10CDDEA0 56 PUSH ESI
10CDDEA1 E8 4A0E0000 CALL PBVM90.10CDECF0
I stepped into this CALL.
......
I traced it for a long time; eventually it jumped into a CPU thread,
returned to the MScorwks module, and a few steps later reached the NTDLL module, where it just stopped.
Stepping over, it got into kernel32, and a few steps later came back to the MScorwks module:
79F97065 C745 FC FEFFFFF>MOV DWORD PTR SS:[EBP-4],-2
79F9706C 6A 00 PUSH 0
79F9706E 6A 00 PUSH 0
79F97070 E8 79F4FFFF CALL mscorwks.79F964EE
79F97075 50 PUSH EAX
79F97076 68 06151380 PUSH 80131506
79F9707B E8 29310C00 CALL mscorwks.7A05A1A9
It spun around in there for a bit and then went back to NTDLL, where it stopped again just like before.
At this point the software itself asks for the server address and account set; after you click Login it goes in and checks
the dongle and the trial period. But under OD this cannot be displayed.