请教各位大神,如何跳过附件DLL中的Activated/Deactivated判断结果啊?
或者直接修改判断逻辑一直为真呢?
付费求助,谢谢!
; Disassembly excerpt (IDA-style listing, x86-64). It opens at a function entry
; and stops at a conditional branch; the rest of the function, the branch target
; and both callees (sub_18001A210, sub_1800022F0) are outside this excerpt.
; arg_0 / var_* are the disassembler's names for stack-frame offsets.
;
; Visible register roles:
;   rcx = first argument on entry, used below as a pointer to an object
;         (passing it in rcx is consistent with the Microsoft x64 convention)
;   rdi = saved on entry, then used as the destination pointer for the fills

; Store the incoming rcx in its stack home slot so it can be reloaded later.
mov [rsp+arg_0], rcx
push rdi
sub rsp, 460h
; Fill the whole new frame with 0CCCCCCCCh: 118h dwords * 4 = 460h bytes.
; This pattern is consistent with a compiler-inserted uninitialized-stack fill
; (debug / runtime-check build); confirm against the build settings.
mov rdi, rsp
mov ecx, 118h
mov eax, 0CCCCCCCCh
rep stosd
; rep stosd consumed rcx as its counter, so the argument is reloaded.
mov rcx, [rsp+468h+arg_0]
; Stack-cookie setup: __security_cookie XOR rsp is saved in var_18.
; The matching check before return is not part of this excerpt.
mov rax, cs:__security_cookie
xor rax, rsp
mov [rsp+468h+var_18], rax
; var_434 = 30h; what this local is used for is not visible here.
mov [rsp+468h+var_434], 30h ; '0'
; Zero the 10h bytes starting at var_420.
lea rax, [rsp+468h+var_420]
mov rdi, rax
xor eax, eax
mov ecx, 10h
rep stosb
; Fill four fields spaced 4 bytes apart inside the region just zeroed.
; The first value (10h) equals the region's size, so it is presumably a
; size field; the meaning of 2 / 1 / 3 cannot be told from here (TODO confirm).
mov [rsp+468h+var_420], 10h
mov [rsp+468h+var_41C], 2
mov [rsp+468h+var_418], 1
mov [rsp+468h+var_414], 3
; Five calls to sub_18001A210 with rcx = arg_0 + 210h and edx = 0..4.
; Each 64-bit result goes into consecutive 8-byte locals var_400 .. var_3E0.
; Presumably an indexed lookup on a sub-object at offset 210h; verify in the callee.
mov rax, [rsp+468h+arg_0]
add rax, 210h
xor edx, edx
mov rcx, rax
call sub_18001A210
mov [rsp+468h+var_400], rax
; index 1
mov rax, [rsp+468h+arg_0]
add rax, 210h
mov edx, 1
mov rcx, rax
call sub_18001A210
mov [rsp+468h+var_3F8], rax
; index 2
mov rax, [rsp+468h+arg_0]
add rax, 210h
mov edx, 2
mov rcx, rax
call sub_18001A210
mov [rsp+468h+var_3F0], rax
; index 3
mov rax, [rsp+468h+arg_0]
add rax, 210h
mov edx, 3
mov rcx, rax
call sub_18001A210
mov [rsp+468h+var_3E8], rax
; index 4
mov rax, [rsp+468h+arg_0]
add rax, 210h
mov edx, 4
mov rcx, rax
call sub_18001A210
mov [rsp+468h+var_3E0], rax
; Two calls to sub_1800022F0(rcx = address of a local, rdx = string literal).
; Both strings are prepared unconditionally, before the comparison below.
; Presumably the callee initializes a string object in the local; verify in the callee.
lea rdx, aDeactivated ; "Deactivated"
lea rcx, [rsp+468h+var_3D0]
call sub_1800022F0
lea rdx, aActivated ; "Activated"
lea rcx, [rsp+468h+var_3B8]
call sub_1800022F0
; Compare the 32-bit field at offset 0ACh of the object with zero and branch
; when it is zero. The target loc_180004B88 and the fall-through code are not
; shown, so which string each outcome uses cannot be determined from this excerpt.
mov rax, [rsp+468h+arg_0]
cmp dword ptr [rax+0ACh], 0
jz loc_180004B88