Checking with PEiD shows Armadillo 1.xx - 2.xx -> Silicon Realms Toolworks
Checking with Fi shows Armadillo 3.01
Load it in OD (OllyDbg)
004D2049 >/$ 55 PUSH EBP
004D204A |. 8BEC MOV EBP,ESP
004D204C |. 6A FF PUSH -1
004D204E |. 68 48724F00 PUSH kernet.004F7248
004D2053 |. 68 901A4D00 PUSH kernet.004D1A90 ; SE 处理程序安装
004D2058 |. 64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
004D205E |. 50 PUSH EAX
004D205F |. 64:8925 00000>MOV DWORD PTR FS:[0],ESP
004D2066 |. 83EC 58 SUB ESP,58
004D2069 |. 53 PUSH EBX
004D206A |. 56 PUSH ESI
004D206B |. 57 PUSH EDI
bp OpenMutexA, F9
7C80EC1B > 8BFF MOV EDI,EDI
7C80EC1D 55 PUSH EBP
7C80EC1E 8BEC MOV EBP,ESP
7C80EC20 51 PUSH ECX
7C80EC21 51 PUSH ECX
7C80EC22 837D 10 00 CMP DWORD PTR SS:[EBP+10],0
7C80EC26 56 PUSH ESI
7C80EC27 0F84 7A500300 JE kernel32.7C843CA7
7C80EC2D 64:A1 18000000 MOV EAX,DWORD PTR FS:[18]
7C80EC33 FF75 10 PUSH DWORD PTR SS:[EBP+10]
7C80EC36 8DB0 F80B0000 LEA ESI,DWORD PTR DS:[EAX+BF8]
7C80EC3C 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
7C80EC3F 50 PUSH EAX
The stack data is as follows:
0012F5B4 004C8D8C /CALL 到 OpenMutexA 来自 kernet.004C8D86
0012F5B8 001F0001 |Access = 1F0001
0012F5BC 00000000 |Inheritable = FALSE
0012F5C0 0012FBF4 \MutexName = "470::DA2E9BADAD"
Ctrl+G 401000
Paste the following binary data:
60 9C 68 F4 FB 12 00 33 C0 50 50 E8 2F DB 40 7C 9D 61 E9 04 DC 40 7C
Set a new origin here at 00401000
F9
It breaks again at:
7C80EC1B > 8BFF MOV EDI,EDI
7C80EC1D 55 PUSH EBP
7C80EC1E 8BEC MOV EBP,ESP
7C80EC20 51 PUSH ECX
7C80EC21 51 PUSH ECX
7C80EC22 837D 10 00 CMP DWORD PTR SS:[EBP+10],0
7C80EC26 56 PUSH ESI
7C80EC27 0F84 7A500300 JE kernel32.7C843CA7
7C80EC2D 64:A1 18000000 MOV EAX,DWORD PTR FS:[18]
7C80EC33 FF75 10 PUSH DWORD PTR SS:[EBP+10]
7C80EC36 8DB0 F80B0000 LEA ESI,DWORD PTR DS:[EAX+BF8]
7C80EC3C 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
7C80EC3F 50 PUSH EAX
Ctrl+G 401000
Undo the modification
BP GetModuleHandleA
F9
7C80B529 > 8BFF MOV EDI,EDI
7C80B52B 55 PUSH EBP
7C80B52C 8BEC MOV EBP,ESP
7C80B52E 837D 08 00 CMP DWORD PTR SS:[EBP+8],0
7C80B532 74 18 JE SHORT kernel32.7C80B54C
7C80B534 FF75 08 PUSH DWORD PTR SS:[EBP+8]
7C80B537 E8 682D0000 CALL kernel32.7C80E2A4
7C80B53C 85C0 TEST EAX,EAX
7C80B53E 74 08 JE SHORT kernel32.7C80B548
7C80B540 FF70 04 PUSH DWORD PTR DS:[EAX+4]
7C80B543 E8 F4300000 CALL kernel32.GetModuleHandleW
7C80B548 5D POP EBP
7C80B549 C2 0400 RETN 4
The stack data is as follows:
0012E858 77F45BD8 /CALL 到 GetModuleHandleA 来自 77F45BD2
0012E85C 77F4501C \pModule = "KERNEL32.DLL"
0012E860 00000001
*************************************************************
Remove the breakpoint and set a new breakpoint at 7C80B52E
*************************************************************
00C5EE74 /00C5EF90
00C5EE78 |74683BEE 返回到 74683BEE 来自 kernel32.GetModuleHandleA
00C5EE7C |00C5EE80 ASCII "C:\WINDOWS\system32\ntdll.dll"
*****************************************************************
00C5EE7C /00C5EF98
00C5EE80 |74683BEE 返回到 74683BEE 来自 kernel32.GetModuleHandleA
00C5EE84 |00C5EE88 ASCII "C:\WINDOWS\system32\imm32.dll"
*****************************************************************
00C5EDC8 /00C5EEE4
00C5EDCC |74683BEE 返回到 74683BEE 来自 kernel32.GetModuleHandleA
00C5EDD0 |00C5EDD4 ASCII "C:\WINDOWS\system32\KERNEL32"
*****************************************************************
00C5F554 /00C5F670
00C5F558 |7365D4A4 返回到 msctfime.7365D4A4 来自 kernel32.GetModuleHandleA
00C5F55C |00C5F560 ASCII "C:\WINDOWS\system32\ntdll.dll"
*****************************************************************
0012ED48 /0012ED64
0012ED4C |77F45BD8 返回到 77F45BD8 来自 kernel32.GetModuleHandleA
0012ED50 |77F4501C ASCII "KERNEL32.DLL"
******************************************************************
0012E53C /0012E574
0012E540 |5D175394 返回到 5D175394 来自 kernel32.GetModuleHandleA
0012E544 |5D1753E0 ASCII "kernel32.dll"
******************************************************************
0012F55C /0012F5BC
0012F560 |004C8073 返回到 kernet.004C8073 来自 kernel32.GetModuleHandleA
0012F564 |00000000
0012F568 |7C939BA0 返回到 ntdll.7C939BA0 来自 ntdll.7C9399B5
*******************************************************************
0012D288 /0012D514
0012D28C |00D0519B 返回到 00D0519B 来自 kernel32.GetModuleHandleA
0012D290 |0012D3C8 ASCII "kernel32.dll"
Remove the breakpoint, Alt+F9
00D0519B 8B0D 80D7D200 MOV ECX,DWORD PTR DS:[D2D780]
00D051A1 89040E MOV DWORD PTR DS:[ESI+ECX],EAX
00D051A4 A1 80D7D200 MOV EAX,DWORD PTR DS:[D2D780]
00D051A9 393C06 CMP DWORD PTR DS:[ESI+EAX],EDI
00D051AC 75 16 JNZ SHORT 00D051C4
00D051AE 8D85 B4FEFFFF LEA EAX,DWORD PTR SS:[EBP-14C]
00D051B4 50 PUSH EAX
00D051B5 FF15 B850D200 CALL DWORD PTR DS:[D250B8] ; kernel32.LoadLibraryA
00D051BB 8B0D 80D7D200 MOV ECX,DWORD PTR DS:[D2D780]
00D051C1 89040E MOV DWORD PTR DS:[ESI+ECX],EAX
00D051C4 A1 80D7D200 MOV EAX,DWORD PTR DS:[D2D780]
00D051C9 393C06 CMP DWORD PTR DS:[ESI+EAX],EDI
00D051CC 0F84 AD000000 JE 00D0527F ; change JE to JMP
00D051D2 33C9 XOR ECX,ECX
00D051D4 8B03 MOV EAX,DWORD PTR DS:[EBX]
00D051D6 3938 CMP DWORD PTR DS:[EAX],EDI
BP GetCurrentThreadId, F9
7C809737 > 64:A1 18000000 MOV EAX,DWORD PTR FS:[18]
7C80973D 8B40 24 MOV EAX,DWORD PTR DS:[EAX+24]
7C809740 C3 RETN
7C809741 90 NOP
The stack data is as follows:
0012CB4C 73391E36 /CALL 到 GetCurrentThreadId 来自 73391E30
0012CB50 00000001
0012CB54 73391C1A 返回到 73391C1A 来自 73391DE2
0012CB58 73391B60 返回到 73391B60 来自 73391B8C
******************************************************************
0012CB2C 7339353F /CALL 到 GetCurrentThreadId 来自 73393539
0012CB30 00000000
0012CB34 734A0470
******************************************************************
An "entry point out of range" message pops up; click OK
0012CD84 6BC4B003 /CALL 到 GetCurrentThreadId 来自 6BC4AFFD
0012CD88 00000000
0012CD8C 6BD13738
******************************************************************
0012CD90 76DB3705 /CALL 到 GetCurrentThreadId 来自 76DB36FF
0012CD94 76DBF014
0012CD98 FFFFFFFF
********************************************************************
0012CDA0 76685212 /CALL 到 GetCurrentThreadId 来自 WININET.7668520C
0012CDA4 00000000
0012CDA8 76680000 WININET.76680000
********************************************************************
0012F5AC 00D1CF47 /CALL 到 GetCurrentThreadId 来自 00D1CF41
0012F5B0 0012FF2C
0012F5B4 00000000
Remove the breakpoint, Alt+F9
00D1CF47 A3 8C16D300 MOV DWORD PTR DS:[D3168C],EAX
00D1CF4C E8 5F85FEFF CALL 00D054B0
00D1CF51 6A 00 PUSH 0
00D1CF53 E8 51E0FEFF CALL 00D0AFA9
00D1CF58 59 POP ECX
00D1CF59 E8 074CFFFF CALL 00D11B65
00D1CF5E 8BF8 MOV EDI,EAX
00D1CF60 A1 8016D300 MOV EAX,DWORD PTR DS:[D31680]
00D1CF65 8B48 60 MOV ECX,DWORD PTR DS:[EAX+60]
00D1CF68 3348 28 XOR ECX,DWORD PTR DS:[EAX+28]
00D1CF6B 3348 04 XOR ECX,DWORD PTR DS:[EAX+4]
00D1CF6E 03F9 ADD EDI,ECX
00D1CF70 8B0E MOV ECX,DWORD PTR DS:[ESI]
00D1CF72 85C9 TEST ECX,ECX
00D1CF74 75 2F JNZ SHORT 00D1CFA5
00D1CF76 8B78 60 MOV EDI,DWORD PTR DS:[EAX+60]
00D1CF79 E8 E74BFFFF CALL 00D11B65
00D1CF7E 8B0D 8016D300 MOV ECX,DWORD PTR DS:[D31680] ; kernet.004F4238
00D1CF84 FF76 14 PUSH DWORD PTR DS:[ESI+14]
00D1CF87 8B51 28 MOV EDX,DWORD PTR DS:[ECX+28]
00D1CF8A FF76 10 PUSH DWORD PTR DS:[ESI+10]
00D1CF8D 3351 04 XOR EDX,DWORD PTR DS:[ECX+4]
00D1CF90 FF76 0C PUSH DWORD PTR DS:[ESI+C]
00D1CF93 33D7 XOR EDX,EDI
00D1CF95 03C2 ADD EAX,EDX
00D1CF97 8B51 58 MOV EDX,DWORD PTR DS:[ECX+58]
00D1CF9A 3351 34 XOR EDX,DWORD PTR DS:[ECX+34]
00D1CF9D 33D7 XOR EDX,EDI
00D1CF9F 2BC2 SUB EAX,EDX
00D1CFA1 FFD0 CALL EAX
00D1CFA3 EB 25 JMP SHORT 00D1CFCA
00D1CFA5 83F9 01 CMP ECX,1
00D1CFA8 75 22 JNZ SHORT 00D1CFCC
00D1CFAA FF76 04 PUSH DWORD PTR DS:[ESI+4]
00D1CFAD FF76 08 PUSH DWORD PTR DS:[ESI+8]
00D1CFB0 6A 00 PUSH 0
00D1CFB2 E8 AE4BFFFF CALL 00D11B65
00D1CFB7 50 PUSH EAX
00D1CFB8 A1 8016D300 MOV EAX,DWORD PTR DS:[D31680]
00D1CFBD 8B48 60 MOV ECX,DWORD PTR DS:[EAX+60]
00D1CFC0 3348 58 XOR ECX,DWORD PTR DS:[EAX+58]
00D1CFC3 3348 34 XOR ECX,DWORD PTR DS:[EAX+34]
00D1CFC6 2BF9 SUB EDI,ECX
00D1CFC8 FFD7 CALL EDI
F8 step to CALL EDI, then F7 to step into
0045728E 55 PUSH EBP
0045728F 8BEC MOV EBP,ESP
00457291 6A FF PUSH -1
00457293 68 086A4600 PUSH kernet.00466A08
00457298 68 7C714500 PUSH kernet.0045717C ; JMP 到 msvcrt._except_handler3
0045729D 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
004572A3 50 PUSH EAX
004572A4 64:8925 0000000>MOV DWORD PTR FS:[0],ESP
004572AB 83EC 68 SUB ESP,68
004572AE 53 PUSH EBX
004572AF 56 PUSH ESI
004572B0 57 PUSH EDI
004572B1 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP
004572B4 33DB XOR EBX,EBX
004572B6 895D FC MOV DWORD PTR SS:[EBP-4],EBX
004572B9 6A 02 PUSH 2
004572BB FF15 F8FB4500 CALL DWORD PTR DS:[45FBF8] ; msvcrt.__set_app_type
004572C1 59 POP ECX
004572C2 830D 708E4800 F>OR DWORD PTR DS:[488E70],FFFFFFFF
004572C9 830D 748E4800 F>OR DWORD PTR DS:[488E74],FFFFFFFF
004572D0 FF15 F4FB4500 CALL DWORD PTR DS:[45FBF4] ; msvcrt.__p__fmode
004572D6 8B0D 648E4800 MOV ECX,DWORD PTR DS:[488E64]
004572DC 8908 MOV DWORD PTR DS:[EAX],ECX
004572DE FF15 F0FB4500 CALL DWORD PTR DS:[45FBF0] ; msvcrt.__p__commode
004572E4 8B0D 608E4800 MOV ECX,DWORD PTR DS:[488E60]
004572EA 8908 MOV DWORD PTR DS:[EAX],ECX
004572EC A1 ECFB4500 MOV EAX,DWORD PTR DS:[45FBEC]
004572F1 8B00 MOV EAX,DWORD PTR DS:[EAX]
004572F3 A3 6C8E4800 MOV DWORD PTR DS:[488E6C],EAX
004572F8 E8 3C010000 CALL kernet.00457439
004572FD 391D D8834700 CMP DWORD PTR DS:[4783D8],EBX
00457303 75 0C JNZ SHORT kernet.00457311
00457305 68 36744500 PUSH kernet.00457436
0045730A FF15 6CFB4500 CALL DWORD PTR DS:[45FB6C] ; msvcrt.__setusermatherr
00457310 59 POP ECX
00457311 E8 0E010000 CALL kernet.00457424
00457316 68 84304700 PUSH kernet.00473084
0045731B 68 80304700 PUSH kernet.00473080
00457320 E8 F9000000 CALL kernet.0045741E ; JMP 到 msvcrt._initterm
00457325 A1 5C8E4800 MOV EAX,DWORD PTR DS:[488E5C]
0045732A 8945 94 MOV DWORD PTR SS:[EBP-6C],EAX
0045732D 8D45 94 LEA EAX,DWORD PTR SS:[EBP-6C]
00457330 50 PUSH EAX
00457331 FF35 588E4800 PUSH DWORD PTR DS:[488E58]
00457337 8D45 9C LEA EAX,DWORD PTR SS:[EBP-64]
0045733A 50 PUSH EAX
0045733B 8D45 90 LEA EAX,DWORD PTR SS:[EBP-70]
0045733E 50 PUSH EAX
0045733F 8D45 A0 LEA EAX,DWORD PTR SS:[EBP-60]
00457342 50 PUSH EAX
00457343 FF15 E4FB4500 CALL DWORD PTR DS:[45FBE4] ; msvcrt.__getmainargs
00457349 68 7C304700 PUSH kernet.0047307C
0045734E 68 00304700 PUSH kernet.00473000
00457353 E8 C6000000 CALL kernet.0045741E ; JMP 到 msvcrt._initterm
00457358 83C4 24 ADD ESP,24
0045735B A1 E0FB4500 MOV EAX,DWORD PTR DS:[45FBE0]
00457360 8B30 MOV ESI,DWORD PTR DS:[EAX]
00457362 8975 8C MOV DWORD PTR SS:[EBP-74],ESI
00457365 803E 22 CMP BYTE PTR DS:[ESI],22
00457368 75 3A JNZ SHORT kernet.004573A4
0045736A 46 INC ESI
0045736B 8975 8C MOV DWORD PTR SS:[EBP-74],ESI
0045736E 8A06 MOV AL,BYTE PTR DS:[ESI]
00457370 3AC3 CMP AL,BL
00457372 74 04 JE SHORT kernet.00457378
00457374 3C 22 CMP AL,22
00457376 ^ 75 F2 JNZ SHORT kernet.0045736A
00457378 803E 22 CMP BYTE PTR DS:[ESI],22
0045737B 75 04 JNZ SHORT kernet.00457381
0045737D 46 INC ESI
0045737E 8975 8C MOV DWORD PTR SS:[EBP-74],ESI
00457381 8A06 MOV AL,BYTE PTR DS:[ESI]
00457383 3AC3 CMP AL,BL
00457385 74 04 JE SHORT kernet.0045738B
00457387 3C 20 CMP AL,20
00457389 ^ 76 F2 JBE SHORT kernet.0045737D
0045738B 895D D0 MOV DWORD PTR SS:[EBP-30],EBX
0045738E 8D45 A4 LEA EAX,DWORD PTR SS:[EBP-5C]
00457391 50 PUSH EAX
00457392 FF15 58F34500 CALL DWORD PTR DS:[45F358] ; kernel32.GetStartupInfoA
00457398 F645 D0 01 TEST BYTE PTR SS:[EBP-30],1
0045739C 74 11 JE SHORT kernet.004573AF
0045739E 0FB745 D4 MOVZX EAX,WORD PTR SS:[EBP-2C]
004573A2 EB 0E JMP SHORT kernet.004573B2
004573A4 803E 20 CMP BYTE PTR DS:[ESI],20
004573A7 ^ 76 D8 JBE SHORT kernet.00457381
004573A9 46 INC ESI
004573AA 8975 8C MOV DWORD PTR SS:[EBP-74],ESI
004573AD ^ EB F5 JMP SHORT kernet.004573A4
004573AF 6A 0A PUSH 0A
004573B1 58 POP EAX
004573B2 50 PUSH EAX
004573B3 56 PUSH ESI
004573B4 53 PUSH EBX
004573B5 53 PUSH EBX
004573B6 FF15 78F24500 CALL DWORD PTR DS:[45F278] ; kernel32.GetModuleHandleA
004573BC 50 PUSH EAX
004573BD E8 9E010000 CALL kernet.00457560
At this point, checking the process with ImpREC 1.6F shows that all functions are invalid.
Could an expert please advise where my problem lies?
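To make the byte string pasted at 00401000 readable, here is an added decoder (not from the post or from OllyDbg) for just the opcodes that patch uses; it resolves each E8/E9 relative target so you can check that the final JMP lands on OpenMutexA (7C80EC1B, taken from the session above) and that the PUSH immediate is the MutexName pointer seen in the stack dump (0012FBF4). The CALL target is not named on the page; the symbol table below therefore holds only addresses the post itself shows, and anything else is printed as a raw address.

```python
import struct

# Bytes exactly as the author pastes them at 00401000 (copied from the post).
PATCH_HEX = "60 9C 68 F4 FB 12 00 33 C0 50 50 E8 2F DB 40 7C 9D 61 E9 04 DC 40 7C"
PATCH_BASE = 0x00401000

# Only symbols visible in the post's own OllyDbg session; other targets stay raw hex.
KNOWN = {
    0x7C80EC1B: "kernel32.OpenMutexA",          # bp OpenMutexA broke here
    0x0012FBF4: "MutexName (stack dump 0012F5C0)",  # pointer to "470::DA2E9BADAD"
}

ONE_BYTE = {0x60: "PUSHAD", 0x9C: "PUSHFD", 0x9D: "POPFD", 0x61: "POPAD", 0x50: "PUSH EAX"}


def decode(data, base):
    """Decode the tiny opcode subset used by the patch.

    Returns a list of (address, mnemonic, operand) where operand is the
    immediate for PUSH imm32, the resolved absolute target for CALL/JMP rel32,
    and None otherwise.
    """
    out, i = [], 0
    while i < len(data):
        addr, op = base + i, data[i]
        if op in ONE_BYTE:
            out.append((addr, ONE_BYTE[op], None)); i += 1
        elif op == 0x68:  # PUSH imm32
            imm = struct.unpack_from("<I", data, i + 1)[0]
            out.append((addr, "PUSH 0x%08X" % imm, imm)); i += 5
        elif op == 0x33 and data[i + 1] == 0xC0:  # XOR EAX,EAX
            out.append((addr, "XOR EAX,EAX", None)); i += 2
        elif op in (0xE8, 0xE9):  # CALL/JMP rel32: target = next_ip + rel
            rel = struct.unpack_from("<i", data, i + 1)[0]
            target = (addr + 5 + rel) & 0xFFFFFFFF
            mnem = "CALL" if op == 0xE8 else "JMP"
            out.append((addr, "%s 0x%08X" % (mnem, target), target)); i += 5
        else:
            raise ValueError("unsupported opcode 0x%02X at 0x%08X" % (op, addr))
    return out


def describe(patch_hex=PATCH_HEX, base=PATCH_BASE):
    """Return printable lines, annotating operands that match a known symbol."""
    lines = []
    for addr, mnem, operand in decode(bytes.fromhex(patch_hex), base):
        note = KNOWN.get(operand, "") if operand is not None else ""
        lines.append("%08X  %-20s %s" % (addr, mnem, note))
    return lines


if __name__ == "__main__":
    print("\n".join(describe()))
```

The output shows the patch saves all registers and flags, pushes the mutex name pointer with two NULL arguments, calls the pasted address, restores state, and jumps back to OpenMutexA, which is why the breakpoint there fires a second time.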