想了几天也没弄明白,关键call、转移不知道是哪个,请侠虾闷帮偶看看,指点一二撒。
; ---------------------------------------------------------------------
; AAA_.0043060B  (listing is interrupted by the note on the next line; the
;                 body resumes at 00430634 and ends with "retn 0C" at 0043073B)
; Shape and API usage (EnableWindow / SendMessageA 376h / GetModuleFileNameA /
; MessageBoxA, then restore and re-enable) match MFC's
; CWinApp::DoMessageBox / ShowAppMessageBox. NOTE(review): this looks like
; framework library code, not application logic - confirm against the caller.
; In:   ecx      = object pointer, NULL allowed (every use is guarded by test esi,esi)
;       [ebp+A0] = arg1, passed on unchanged as lpText to MessageBoxA
;       [ebp+A4] = arg2, passed on as uType to MessageBoxA (MB_* flags, may get 30h OR'ed in)
;       [ebp+A8] = arg3, added to 30000h and stored through a pointer (help/prompt id, presumably)
; Out:  eax      = MessageBoxA result; retn 0C pops the 3 stack args
; Frame: "lea ebp,[esp-98]" after "push ebp" puts ebp at entry_esp-9C, i.e.
;        BELOW the locals, so args are at ebp+A0.. and locals run ebp-80..ebp+94:
;   [ebp-80] window handle returned by 0043056D (hWnd for MessageBoxA)
;   [ebp-7C] saved ecx (object pointer)
;   [ebp-78] saved old dword that edi points at (restored after the box closes)
;   [ebp-74] second handle filled in by 0043056D (re-enabled at the end)
;   [ebp-70] 104h-byte buffer filled by GetModuleFileNameA
;   [ebp+94] copy of global 4488FC, re-checked at 0043072F before return
;            (presumably the /GS stack cookie: it sits directly above the buffer)
; ---------------------------------------------------------------------
0043060B 55 push ebp
0043060C 8DAC24 68FFFFFF lea ebp,dword ptr ss:[esp-98]  ; ebp = entry_esp - 9C (see frame note above)
00430613 81EC 18010000 sub esp,118                      ; 118h bytes of locals (lowest slot = [ebp-80])
00430619 A1 FC884400 mov eax,dword ptr ds:[4488FC]      ; eax = global 4488FC (presumably __security_cookie)
0043061E 53 push ebx                                    ; save callee-saved regs
0043061F 56 push esi
00430620 57 push edi
00430621 8BF1 mov esi,ecx                               ; esi = object pointer (may be NULL)
00430623 33FF xor edi,edi                               ; edi = 0
00430625 57 push edi                                    ; argument 0 for the call below
00430626 8985 94000000 mov dword ptr ss:[ebp+94],eax    ; stash cookie copy right above the 104h-byte buffer
0043062C 8975 84 mov dword ptr ss:[ebp-7C],esi          ; keep object pointer (esi is reused later)
0043062F E8 0CFFFFFF call AAA_.00430540                 ; AAA_.00430540(0); paired with the call with 1 at 0043071F (enable/disable-modeless shape, presumably)
(F2断下F7跟进)
; ---------------------------------------------------------------------
; USER32!MessageBoxA - system library thunk, not program code.
; The only "comparison" here is a global flag test; it then forwards the
; four stdcall args to MessageBoxExA with wLanguageId = 0.
; In:  [esp+4]=hWnd [esp+8]=lpText [esp+C]=lpCaption [esp+10]=uType
; Out: eax = MessageBoxExA result; retn 10 pops the 4 args
; ---------------------------------------------------------------------
77D36476 U> 833D D0C3D677 0>cmp dword ptr ds:[77D6C3D0],0 ; USER32 global flag (purpose not visible here)
77D3647D 0F85 885B0100 jnz USER32.77D4C00B                ; nonzero -> out-of-line path
77D36483 6A 00 push 0                                     ; wLanguageId = 0
77D36485 FF7424 14 push dword ptr ss:[esp+14]             ; each push moves esp by 4, so the same [esp+14] ...
77D36489 FF7424 14 push dword ptr ss:[esp+14]             ; ... picks up uType, lpCaption, lpText, hWnd in turn
77D3648D FF7424 14 push dword ptr ss:[esp+14]
77D36491 FF7424 14 push dword ptr ss:[esp+14]
77D36495 E8 03000000 call USER32.MessageBoxExA            ; MessageBoxExA(hWnd, lpText, lpCaption, uType, 0)
77D3649A C2 1000 retn 10                                  ; stdcall: pop 4 dword args
77D3649D U> 55 push ebp
77D3649E 8BEC mov ebp,esp
77D364A0 6A FF push -1
这里是比较?
---------------------------------
; ---------------------------------------------------------------------
; Continuation of AAA_.0043060B (entry at 0043060B, above the inserted note).
; ebp was set to entry_esp-9C there, so args are [ebp+A0]=lpText-to-be,
; [ebp+A4]=uType-to-be, [ebp+A8]=id; locals are [ebp-80]..[ebp+94].
; esi = object pointer (may be NULL), edi = 0 on arrival.
; The flow (owner lookup, EnableWindow, SendMessageA 376h, +30000h context
; store, default-icon selection, GetModuleFileNameA caption, MessageBoxA,
; restore, re-enable) matches MFC CWinApp::DoMessageBox - presumably
; framework code, confirm against the caller.
; ---------------------------------------------------------------------
00430634 8D45 8C lea eax,dword ptr ss:[ebp-74]          ; &hWndTop (out-param of the next call)
00430637 50 push eax
00430638 57 push edi                                    ; 0 (edi zeroed at 00430623)
00430639 E8 2FFFFFFF call AAA_.0043056D                 ; eax = owner hWnd, [ebp-74] = top-level hWnd (CWnd::GetSafeOwner_ shape, presumably)
0043063E 8BD8 mov ebx,eax                               ; ebx = hWnd
00430640 3B5D 8C cmp ebx,dword ptr ss:[ebp-74]
00430643 895D 80 mov dword ptr ss:[ebp-80],ebx          ; keep hWnd for MessageBoxA (mov keeps flags)
00430646 74 09 je short AAA_.00430651                   ; hWnd == hWndTop -> no re-enable needed
00430648 6A 01 push 1                                   ; bEnable = TRUE
0043064A 53 push ebx
0043064B FF15 54954300 call dword ptr ds:[<&user32.EnableWindow>>; USER32.EnableWindow ; EnableWindow(hWnd, TRUE)
00430651 85DB test ebx,ebx
00430653 74 18 je short AAA_.0043066D                   ; no owner window -> try the object's own field
00430655 6A 00 push 0                                   ; lParam
00430657 6A 00 push 0                                   ; wParam
00430659 68 76030000 push 376                           ; Msg = 376h (MFC WM_HELPPROMPTADDR)
0043065E 53 push ebx
0043065F FF15 64954300 call dword ptr ds:[<&user32.SendMessageA>>; USER32.SendMessageA ; eax = address of a DWORD context, or 0
00430665 85C0 test eax,eax
00430667 74 04 je short AAA_.0043066D
00430669 8BF8 mov edi,eax                               ; edi = context pointer supplied by the window
0043066B EB 07 jmp short AAA_.00430674
0043066D 85F6 test esi,esi                              ; object pointer present?
0043066F 74 03 je short AAA_.00430674                   ; NULL -> edi stays 0, no context handling
00430671 8D7E 74 lea edi,dword ptr ds:[esi+74]          ; edi = &obj->field_74 (MFC m_dwPromptContext, presumably)
00430674 8365 88 00 and dword ptr ss:[ebp-78],0         ; saved old context = 0
00430678 85FF test edi,edi
0043067A 74 16 je short AAA_.00430692                   ; no context pointer -> skip
0043067C 8B07 mov eax,dword ptr ds:[edi]
0043067E 8945 88 mov dword ptr ss:[ebp-78],eax          ; remember *pdwContext for restoration at 00430705
00430681 8B85 A8000000 mov eax,dword ptr ss:[ebp+A8]    ; arg3 (prompt id)
00430687 85C0 test eax,eax
00430689 74 07 je short AAA_.00430692                   ; id 0 -> leave context untouched
0043068B 05 00000300 add eax,30000                      ; + 30000h (MFC HID_BASE_PROMPT)
00430690 8907 mov dword ptr ds:[edi],eax                ; *pdwContext = 30000h + id
00430692 F685 A4000000 F>test byte ptr ss:[ebp+A4],0F0  ; any icon bits (MB_ICONMASK = F0h) already set?
00430699 75 1F jnz short AAA_.004306BA                  ; yes -> keep caller's uType
0043069B 8B85 A4000000 mov eax,dword ptr ss:[ebp+A4]
004306A1 83E0 0F and eax,0F                             ; button type (MB_TYPEMASK = 0Fh)
004306A4 83F8 01 cmp eax,1
004306A7 76 0A jbe short AAA_.004306B3                  ; 0,1 (MB_OK, MB_OKCANCEL) -> add default icon
004306A9 83F8 02 cmp eax,2
004306AC 76 0C jbe short AAA_.004306BA                  ; 2 (MB_ABORTRETRYIGNORE) -> no default icon
004306AE 83F8 04 cmp eax,4
004306B1 77 07 ja short AAA_.004306BA                   ; >4 (MB_RETRYCANCEL, ...) -> no default icon
004306B3 838D A4000000 3>or dword ptr ss:[ebp+A4],30    ; 3,4 (MB_YESNOCANCEL, MB_YESNO) as well: uType |= 30h (MB_ICONEXCLAMATION)
004306BA 85F6 test esi,esi
004306BC C645 90 00 mov byte ptr ss:[ebp-70],0          ; szAppName[0] = 0 (mov keeps the flags from test)
004306C0 74 05 je short AAA_.004306C7                   ; no object -> caption comes from the module path
004306C2 8B5E 4C mov ebx,dword ptr ds:[esi+4C]          ; ebx = obj->field_4C, used as lpCaption (MFC m_pszAppName, presumably)
004306C5 EB 22 jmp short AAA_.004306E9
004306C7 8D5D 90 lea ebx,dword ptr ss:[ebp-70]          ; ebx = szAppName (104h bytes, ends right at the cookie copy)
004306CA BE 04010000 mov esi,104                        ; nSize = 104h (MAX_PATH)
004306CF 56 push esi
004306D0 8BC3 mov eax,ebx
004306D2 50 push eax                                    ; lpFilename
004306D3 6A 00 push 0                                   ; hModule = NULL (this process's .exe)
004306D5 FF15 AC924300 call dword ptr ds:[<&kernel32.GetModuleFi>; kernel32.GetModuleFileNameA ; GetModuleFileNameA(NULL, szAppName, 104h)
004306DB 3BC6 cmp eax,esi                               ; returned exactly nSize -> path was truncated
004306DD 8B75 84 mov esi,dword ptr ss:[ebp-7C]          ; esi = object pointer again (mov keeps flags)
004306E0 75 07 jnz short AAA_.004306E9
004306E2 C685 93000000 0>mov byte ptr ss:[ebp+93],0     ; truncated: force szAppName[103h] = 0 (API is not guaranteed to NUL-terminate a truncated path on older Windows)
004306E9 FFB5 A4000000 push dword ptr ss:[ebp+A4]       ; uType
004306EF 53 push ebx                                    ; lpCaption
004306F0 FFB5 A0000000 push dword ptr ss:[ebp+A0]       ; lpText (arg1, unchanged)
004306F6 FF75 80 push dword ptr ss:[ebp-80]             ; hWnd
004306F9 FF15 68954300 call dword ptr ds:[<&user32.MessageBoxA>] ; USER32.MessageBoxA ; eax = button id chosen by the user
004306FF 85FF test edi,edi                              ; context pointer was set?
00430701 8BD8 mov ebx,eax                               ; ebx = result (mov keeps flags)
00430703 74 05 je short AAA_.0043070A
00430705 8B45 88 mov eax,dword ptr ss:[ebp-78]
00430708 8907 mov dword ptr ds:[edi],eax                ; restore *pdwContext
0043070A 837D 8C 00 cmp dword ptr ss:[ebp-74],0         ; hWndTop present?
0043070E 74 0B je short AAA_.0043071B
00430710 6A 01 push 1                                   ; bEnable = TRUE
00430712 FF75 8C push dword ptr ss:[ebp-74]
00430715 FF15 54954300 call dword ptr ds:[<&user32.EnableWindow>>; USER32.EnableWindow ; EnableWindow(hWndTop, TRUE)
0043071B 6A 01 push 1
0043071D 8BCE mov ecx,esi
0043071F E8 1CFEFFFF call AAA_.00430540                 ; counterpart of the call at 0043062F, now with 1
00430724 8B8D 94000000 mov ecx,dword ptr ss:[ebp+94]    ; ecx = cookie copy saved in the prologue
0043072A 5F pop edi                                     ; 3 pops for 4 pushes: 00430540 must pop its own argument
0043072B 5E pop esi
0043072C 8BC3 mov eax,ebx                               ; return value
0043072E 5B pop ebx
0043072F E8 6564FEFF call AAA_.00416B99                 ; cookie check (presumably __security_check_cookie; eax untouched if so)
00430734 81C5 98000000 add ebp,98                       ; undo the lea at 0043060C so leave finds the saved ebp
0043073A C9 leave
0043073B C2 0C00 retn 0C                                ; pop the 3 stack args
; ---------------------------------------------------------------------
; AAA_.0043073E - dispatcher with the shape of MFC AfxMessageBox(LPCTSTR,UINT,UINT):
; fetch a state block, take the object pointer at +4; if non-NULL tail-call
; its virtual slot 98h, otherwise tail-jump to AAA_.0043060B with ecx = NULL.
; In:  3 stack args ([ebp+8],[ebp+C],[ebp+10]) - never touched here, handed
;      on to whichever target runs (AAA_.0043060B ends with retn 0C)
; Out: whatever the target returns in eax
; ---------------------------------------------------------------------
0043073E 55 push ebp
0043073F 8BEC mov ebp,esp
00430741 E8 5F180000 call AAA_.00431FA5                 ; eax = state block (no args; AfxGetModuleState/AfxGetApp shape, presumably)
00430746 8B40 04 mov eax,dword ptr ds:[eax+4]           ; eax = state->field_4 (object pointer or NULL)
00430749 85C0 test eax,eax
0043074B 74 0B je short AAA_.00430758
0043074D 8B10 mov edx,dword ptr ds:[eax]                ; edx = vtable
0043074F 8BC8 mov ecx,eax                               ; ecx = this
00430751 5D pop ebp
00430752 FFA2 98000000 jmp dword ptr ds:[edx+98]        ; tail-call virtual slot 98h; the 3 args stay on the stack for it
00430758 33C9 xor ecx,ecx                               ; ecx = NULL (no object)
0043075A 5D pop ebp
0043075B ^ E9 ABFEFFFF jmp AAA_.0043060B                ; tail-call the non-virtual path; its retn 0C pops the args
; ---------------------------------------------------------------------
; AAA_.00430760 - builds a string object from arg1 and forwards to
; AAA_.0043073E (shape of MFC AfxMessageBox(UINT nIDPrompt, UINT nType,
; UINT nIDHelp): help id -1 means "use the prompt id").
; In:  [ebp+8]=arg1 (string id, presumably) [ebp+C]=arg2 (type) [ebp+10]=arg3 (help id or -1)
; Out: eax = result of AAA_.0043073E; retn 0C pops the 3 args
; Frame: set up by the helper at 00418A54; [ebp-4] and [ebp-C] are used as an
;        SEH record (unlinked via fs:[0] at 004307B7), [ebp-10] holds the string pointer.
; ---------------------------------------------------------------------
00430760 B8 557B4300 mov eax,AAA_.00437B55              ; eax = address handed to the prolog helper (presumably the handler/func-info, __EH_prolog style)
00430765 E8 EA82FEFF call AAA_.00418A54                 ; frame + SEH registration (ebp is valid from here on)
0043076A 51 push ecx
0043076B E8 D08EFFFF call AAA_.00429640                 ; eax = some object (not visible what)
00430770 8B10 mov edx,dword ptr ds:[eax]
00430772 8BC8 mov ecx,eax
00430774 FF52 0C call dword ptr ds:[edx+C]              ; virtual slot 0Ch on that object
00430777 83C0 10 add eax,10
0043077A 8945 F0 mov dword ptr ss:[ebp-10],eax          ; [ebp-10] = result+10h; becomes the string pointer used below
0043077D FF75 08 push dword ptr ss:[ebp+8]              ; arg1
00430780 8365 FC 00 and dword ptr ss:[ebp-4],0          ; SEH state = 0 (string object now live)
00430784 8D4D F0 lea ecx,dword ptr ss:[ebp-10]          ; this = &local string object
00430787 E8 1411FDFF call AAA_.004018A0                 ; string.method(arg1) - presumably loads the string by id (LoadString shape)
0043078C 8B45 10 mov eax,dword ptr ss:[ebp+10]          ; arg3
0043078F 83F8 FF cmp eax,-1
00430792 75 03 jnz short AAA_.00430797
00430794 8B45 08 mov eax,dword ptr ss:[ebp+8]           ; arg3 == -1 -> substitute arg1
00430797 56 push esi                                    ; save callee-saved
00430798 8B75 F0 mov esi,dword ptr ss:[ebp-10]          ; esi = string pointer
0043079B 57 push edi                                    ; save callee-saved
0043079C 50 push eax                                    ; 3rd arg (help id)
0043079D FF75 0C push dword ptr ss:[ebp+C]              ; 2nd arg (type)
004307A0 56 push esi                                    ; 1st arg (string)
004307A1 E8 98FFFFFF call AAA_.0043073E                 ; dispatch; retn 0C there cleans the 3 args
004307A6 8D4E F0 lea ecx,dword ptr ds:[esi-10]          ; this = string pointer - 10h (header block in front of the characters, presumably)
004307A9 8BF8 mov edi,eax                               ; keep the result across the cleanup call
004307AB E8 100AFDFF call AAA_.004011C0                 ; release/destroy the string (presumably)
004307B0 8B4D F4 mov ecx,dword ptr ss:[ebp-C]           ; previous SEH record
004307B3 8BC7 mov eax,edi                               ; return value
004307B5 5F pop edi
004307B6 5E pop esi
004307B7 64:890D 0000000>mov dword ptr fs:[0],ecx       ; unlink this frame's SEH record
004307BE C9 leave
004307BF C2 0C00 retn 0C                                ; pop the 3 stack args
; ---------------------------------------------------------------------
; AAA_.004307C2 - thiscall forwarder: if this->field_54 is NULL return 0,
; otherwise tail-call virtual slot 10h of the object at this->field_54.
; In:  ecx = this (no stack args consumed here; the target's args, if any, are not visible)
; Out: eax = 0, or whatever the forwarded virtual call returns
; ---------------------------------------------------------------------
004307C2 8379 54 00 cmp dword ptr ds:[ecx+54],0         ; member object at +54h present?
004307C6 75 03 jnz short AAA_.004307CB
004307C8 33C0 xor eax,eax                               ; no -> return 0
004307CA C3 retn
004307CB 8B49 54 mov ecx,dword ptr ds:[ecx+54]          ; ecx = member object (new this)
004307CE 8B01 mov eax,dword ptr ds:[ecx]                ; its vtable
004307D0 FF60 10 jmp dword ptr ds:[eax+10]              ; tail-call virtual slot 10h; caller's return address is reused
004307D3 51 push ecx
004307D4 53 push ebx
004307D5 55 push ebp
004307D6 56 push esi
004307D7 57 push edi
004307D8 894C24 10 mov dword ptr ss:[esp+10],ecx
004307DC FF15 00944300 call dword ptr ds:[<&user32.GetCapture>] ; USER32.GetCapture
004307E2 8B35 64954300 mov esi,dword ptr ds:[<&user32.SendMessag>; USER32.SendMessageA
004307E8 BB 65030000 mov ebx,365
004307ED 33ED xor ebp,ebp
004307EF EB 10 jmp short AAA_.00430801
004307F1 55 push ebp
004307F2 55 push ebp
004307F3 53 push ebx
004307F4 57 push edi
004307F5 FFD6 call esi
004307F7 85C0 test eax,eax
004307F9 75 70 jnz short AAA_.0043086B
004307FB 57 push edi
004307FC E8 5BBAFFFF call AAA_.0042C25C
00430801 8BF8 mov edi,eax
00430803 3BFD cmp edi,ebp
00430805 ^ 75 EA jnz short AAA_.004307F1
00430807 FF15 B8944300 call dword ptr ds:[<&user32.GetFocus>] ; USER32.GetFocus
0043080D EB 10 jmp short AAA_.0043081F
0043080F 55 push ebp
00430810 55 push ebp
00430811 53 push ebx
00430812 57 push edi
00430813 FFD6 call esi
00430815 85C0 test eax,eax
00430817 75 52 jnz short AAA_.0043086B
00430819 57 push edi
0043081A E8 3DBAFFFF call AAA_.0042C25C
0043081F 8BF8 mov edi,eax
00430821 3BFD cmp edi,ebp
00430823 ^ 75 EA jnz short AAA_.0043080F
00430825 8B4C24 10 mov ecx,dword ptr ss:[esp+10]
00430829 E8 73BAFFFF call AAA_.0042C2A1
0043082E 3BC5 cmp eax,ebp
00430830 75 04 jnz short AAA_.00430836
00430832 33C0 xor eax,eax
00430834 EB 03 jmp short AAA_.00430839
00430836 8B40 1C mov eax,dword ptr ds:[eax+1C]
00430839 50 push eax