While learning to unpack UltraProtect 1.x, I set a memory breakpoint and found the fake OEP as follows:
004603EC 55 PUSH EBP ; fake OEP
004603ED 8BEC MOV EBP,ESP
004603EF 6A 00 PUSH 0
004603F1 53 PUSH EBX
004603F2 56 PUSH ESI
004603F3 8BF2 MOV ESI,EDX
004603F5 8BD8 MOV EBX,EAX
004603F7 33C0 XOR EAX,EAX
004603F9 55 PUSH EBP
004603FA 68 6E044600 PUSH Mir31.0046046E
004603FF 64:FF30 PUSH DWORD PTR FS:[EAX]
00460402 64:8920 MOV DWORD PTR FS:[EAX],ESP
00460405 80BB A4000000 00 CMP BYTE PTR DS:[EBX+A4],0
0046040C 74 3D JE SHORT Mir31.0046044B
0046040E 8D55 FC LEA EDX,DWORD PTR SS:[EBP-4]
00460411 8BC3 MOV EAX,EBX
00460413 E8 88FFFFFF CALL Mir31.004603A0
00460418 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0046041B 8BD6 MOV EDX,ESI
0046041D E8 6E3FFAFF CALL Mir31.00404390
In ImportREC I selected this process, changed the OEP to 603EC, clicked "IAT AutoSearch", then "Get Imports"; the functions show as invalid, and even with "Trace Level 3" they cannot be fixed. Why is this?