LordPE stamps a TradeMark into a dumped or fixed file; 《加密与解密》 (Encryption and Decryption) describes passing the /NOTRADEMARK command-line parameter to suppress it. I found that inconvenient in practice, so I threw LordPE into IDA and located the relevant code.
1. 00404367 call CMDLineHandler
2. The command-line comparison that sets the NoTM flag
.text:004045B6 lea eax, [esp+140h+NoTM]
.text:004045BA push edi
.text:004045BB mov edi, ds:strstr
.text:004045C1 push eax
.text:004045C2 push ecx
.text:004045C3 mov [esp+14Ch+var_134], 1
.text:004045CB call edi ; strstr
.text:004045CD add esp, 8
.text:004045D0 test eax, eax
.text:004045D2 jz short loc_4045DE
.text:004045D4 mov NoTM, 1
3. Patch options
(1) Direct modification
.data:0041D994 NoTM dd 0
Change the 0 to 1
(2) Completely NOP out the following sites
.text:0040307A mov eax, NoTM
.text:0040307F test eax, eax
.text:00403081 jz short loc_40308C
.text:00403083 push ebp ; Base
.text:00403084 call PastTM
.text:00403089 add esp, 4
.text:00406E7B mov eax, NoTM
.text:00406E80 test eax, eax
.text:00406E82 jz short loc_406E8D
.text:00406E84 push esi ; Base
.text:00406E85 call PastTM
.text:00406E8A add esp, 4
.text:004071E1 mov eax, NoTM
.text:004071E6 add esp, 4
.text:004071E9 test eax, eax
.text:004071EB jz short loc_4071F6
.text:004071ED push esi ; Base
.text:004071EE call PastTM
.text:004071F3 add esp, 4
.text:0040E9A6 mov eax, NoTM
.text:0040E9AB test eax, eax
.text:0040E9AD jz short loc_40E9BE
.text:0040E9AF mov edx, Base
.text:0040E9B5 push edx ; Base
.text:0040E9B6 call PastTM
.text:0040E9BB add esp, 4
.text:00417ED1 mov eax, NoTM
.text:00417ED6 test eax, eax
.text:00417ED8 jz short loc_417EE7
.text:00417EDA mov ecx, [esp+154h+lpBuffer]
.text:00417EDE push ecx ; Base
.text:00417EDF call PastTM
.text:00417EE4 add esp, 4
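Both patch options above can be applied with a small script instead of a hex editor. The following is an added example, not code from the post or from LordPE: it maps the virtual addresses in the IDA listing to file offsets through the PE section table (ImageBase is read from the optional header rather than assumed), then either sets the NoTM dword to 1 or NOPs the five conditional PastTM bodies. The NOP ranges run from the byte after each jz short to the jz target, as read off the listing; that keeps the unrelated add esp, 4 at 004071E6 intact, and each site is first checked for a jz short (opcode 0x74) whose rel8 lands exactly past the body, so a different LordPE build is refused rather than corrupted. The addresses apply only to the build analysed in the post; build_sample_image() constructs a stand-in PE32 with the same layout for offline testing.

```python
import struct

# Addresses come from the IDA listing above; ImageBase is read from the header
# rather than hard-coded, so the mapping stays honest if the base differs.
NOTM_VA = 0x41D994  # .data:0041D994 NoTM dd 0
# Each conditional "push ...; call PastTM; add esp, 4" body, as
# (address of the jz short, first byte of the body, jz target = byte after the body).
PASTTM_SITES = [
    (0x403081, 0x403083, 0x40308C),
    (0x406E82, 0x406E84, 0x406E8D),
    (0x4071EB, 0x4071ED, 0x4071F6),  # leaves the unrelated add esp,4 at 4071E6 alone
    (0x40E9AD, 0x40E9AF, 0x40E9BE),
    (0x417ED8, 0x417EDA, 0x417EE7),
]

def pe_layout(data):
    """Return (image_base, [(va, vsize, raw_ptr, raw_size), ...]) of a PE32 file."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 images are handled")
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    secs = []
    for i in range(nsec):
        hdr = opt + opt_size + i * 40
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        secs.append((va, vsize, raw_ptr, raw_size))
    return image_base, secs

def va_to_offset(data, va):
    """Map a virtual address to the file offset that backs it."""
    image_base, secs = pe_layout(data)
    rva = va - image_base
    for sva, vsize, raw_ptr, raw_size in secs:
        if sva <= rva < sva + max(vsize, raw_size):
            if rva - sva >= raw_size:
                raise ValueError("VA 0x%X has no bytes in the file" % va)
            return raw_ptr + (rva - sva)
    raise ValueError("VA 0x%X lies outside every section" % va)

def patch_flag(data):
    """Option (1): change 'NoTM dd 0' to 1, refusing if the dword is not 0."""
    buf = bytearray(data)
    off = va_to_offset(buf, NOTM_VA)
    if buf[off:off + 4] != b"\0\0\0\0":
        raise ValueError("NoTM is not 0 here; wrong binary or version?")
    buf[off:off + 4] = struct.pack("<I", 1)
    return bytes(buf)

def patch_calls(data):
    """Option (2): NOP each conditional PastTM body, after checking that a
    'jz short' (0x74 rel8) really sits there and lands just past the body."""
    buf = bytearray(data)
    for jz_va, body_va, end_va in PASTTM_SITES:
        jz_off = va_to_offset(buf, jz_va)
        rel8 = struct.unpack_from("<b", buf, jz_off + 1)[0]
        if buf[jz_off] != 0x74 or jz_va + 2 + rel8 != end_va:
            raise ValueError("no matching jz short at 0x%X; refusing to patch" % jz_va)
        start = va_to_offset(buf, body_va)
        buf[start:start + end_va - body_va] = b"\x90" * (end_va - body_va)
    return bytes(buf)

def build_sample_image():
    """Constructed stand-in for LordPE.exe (not the real file): a minimal PE32 with
    .text/.data placed so the addresses above resolve, a jz short planted at each
    site and the bodies filled with 0xCC so the patch is visible."""
    text_va, text_raw, text_size = 0x1000, 0x400, 0x18000
    data_va, data_raw, data_size = 0x1D000, text_raw + text_size, 0x1000
    img = bytearray(data_raw + data_size)
    img[:2] = b"MZ"
    pe = 0x80
    struct.pack_into("<I", img, 0x3C, pe)            # e_lfanew
    img[pe:pe + 4] = b"PE\0\0"
    struct.pack_into("<HH", img, pe + 4, 0x14C, 2)   # Machine i386, 2 sections
    struct.pack_into("<H", img, pe + 20, 224)        # SizeOfOptionalHeader (PE32)
    opt = pe + 24
    struct.pack_into("<H", img, opt, 0x10B)          # PE32 magic
    struct.pack_into("<I", img, opt + 28, 0x400000)  # ImageBase
    for i, (name, va, raw, size) in enumerate(
            [(b".text", text_va, text_raw, text_size), (b".data", data_va, data_raw, data_size)]):
        hdr = opt + 224 + i * 40
        img[hdr:hdr + 8] = name.ljust(8, b"\0")
        struct.pack_into("<IIII", img, hdr + 8, size, va, size, raw)  # VSize, VA, RawSize, RawPtr
    for jz_va, body_va, end_va in PASTTM_SITES:
        o = text_raw + (jz_va - 0x400000 - text_va)
        img[o:o + 2] = bytes([0x74, end_va - (jz_va + 2)])
        img[o + 2:o + 2 + end_va - body_va] = b"\xCC" * (end_va - body_va)
    return bytes(img)
```

On a real copy, read LordPE.exe into bytes, pass it to patch_flag or patch_calls, and write the result to a new file; the jz check turns any mismatch between the listing and the binary into an error instead of a silently broken executable. Only one of the two options is needed: setting NoTM alone already makes every site skip PastTM.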