Double-process Armadillo 3.00a - 3.61 -> Silicon Realms Toolworks
Loaded in OD:
004AE000 > 60 PUSHAD
004AE001 E8 00000000 CALL 南平红二.004AE006
004AE006 5D POP EBP
004AE007 50 PUSH EAX
004AE008 51 PUSH ECX
004AE009 EB 0F JMP SHORT 南平红二.004AE01A
004AE00B B9 EB0FB8EB MOV ECX,EBB80FEB
004AE010 07 POP ES ; 段寄存器更改
I won't go into the details of separating the two processes here.
HE GetModuleHandleA
0012ECE0 77F45BD8 /CALL 到 GetModuleHandleA 来自 SHLWAPI.77F45BD2
0012ECE4 77F4501C \pModule = "KERNEL32.DLL"
0012EC20 5D175394 /CALL 到 GetModuleHandleA 来自 COMCTL32.5D17538E
0012EC24 5D1753E0 \pModule = "kernel32.dll"
0012EC28 5D1E2B38 COMCTL32.5D1E2B38
0012F534 00492073 /CALL 到 GetModuleHandleA 来自 南平红二.0049206D
0012F538 00000000 \pModule = NULL
0012C258 00D65331 /CALL 到 GetModuleHandleA 来自 00D6532B
0012C25C 0012C394 \pModule = "kernel32.dll"
0012C260 00000002
0012C264 003F1BA8
0012C268 00000000
Remove the breakpoint and return:
00D65331 8B0D 60D8D800 MOV ECX,DWORD PTR DS:[D8D860]
00D65337 89040E MOV DWORD PTR DS:[ESI+ECX],EAX
00D6533A A1 60D8D800 MOV EAX,DWORD PTR DS:[D8D860]
00D6533F 393C06 CMP DWORD PTR DS:[ESI+EAX],EDI
00D65342 75 16 JNZ SHORT 00D6535A
00D65344 8D85 B4FEFFFF LEA EAX,DWORD PTR SS:[EBP-14C]
00D6534A 50 PUSH EAX
00D6534B FF15 B850D800 CALL DWORD PTR DS:[D850B8] ; kernel32.LoadLibraryA
00D65351 8B0D 60D8D800 MOV ECX,DWORD PTR DS:[D8D860]
00D65357 89040E MOV DWORD PTR DS:[ESI+ECX],EAX
00D6535A A1 60D8D800 MOV EAX,DWORD PTR DS:[D8D860]
00D6535F 393C06 CMP DWORD PTR DS:[ESI+EAX],EDI
00D65362 0F84 AD000000 JE 00D65415   <- change this to JMP
00D65368 33C9 XOR ECX,ECX
00D6536A 8B03 MOV EAX,DWORD PTR DS:[EBX]
00D6536C 3938 CMP DWORD PTR DS:[EAX],EDI
00D6536E 74 06 JE SHORT 00D65376
00D65370 41 INC ECX
00D65371 83C0 0C ADD EAX,0C
Breakpoint: bp GetCurrentThreadId
0012BAD8 66001E3A /CALL 到 GetCurrentThreadId 来自 66001E34
0012BADC 00000001
0012BAE0 66001C1E 返回到 66001C1E 来自 66001DE6
0012BAE4 66001B64 返回到 66001B64 来自 66001B90
0012BAB8 66003505 /CALL 到 GetCurrentThreadId 来自 660034FF
0012F580 00D7CF2D /CALL 到 GetCurrentThreadId 来自 00D7CF27
0012F584 0012FF04
0012F588 00000000
Remove the breakpoint and return:
00D7CF27 FF15 FC50D800 CALL DWORD PTR DS:[D850FC] ; kernel32.GetCurrentThreadId
00D7CF2D A3 F018D900 MOV DWORD PTR DS:[D918F0],EAX   <- stops here
00D7CF32 E8 2487FEFF CALL 00D6565B
00D7CF37 6A 00 PUSH 0
00D7CF39 E8 4BD9FEFF CALL 00D6A889
00D7CF3E 59 POP ECX
00D7CF3F E8 7D39FFFF CALL 00D708C1
00D7CF44 8BF8 MOV EDI,EAX
00D7CF46 A1 E018D900 MOV EAX,DWORD PTR DS:[D918E0]
00D7CF4B 8B48 74 MOV ECX,DWORD PTR DS:[EAX+74]
00D7CF4E 3348 5C XOR ECX,DWORD PTR DS:[EAX+5C]
00D7CF51 3308 XOR ECX,DWORD PTR DS:[EAX]
00D7CF53 03F9 ADD EDI,ECX
00D7CF55 8B0E MOV ECX,DWORD PTR DS:[ESI]
00D7CF57 85C9 TEST ECX,ECX
00D7CF59 75 2E JNZ SHORT 00D7CF89
00D7CF5B 8B78 5C MOV EDI,DWORD PTR DS:[EAX+5C]
00D7CF5E E8 5E39FFFF CALL 00D708C1
00D7CF63 8B0D E018D900 MOV ECX,DWORD PTR DS:[D918E0] ; 南平红二.004BE258
00D7CF69 FF76 14 PUSH DWORD PTR DS:[ESI+14]
00D7CF6C 8B51 74 MOV EDX,DWORD PTR DS:[ECX+74]
00D7CF6F FF76 10 PUSH DWORD PTR DS:[ESI+10]
00D7CF72 33D7 XOR EDX,EDI
00D7CF74 3311 XOR EDX,DWORD PTR DS:[ECX]
00D7CF76 FF76 0C PUSH DWORD PTR DS:[ESI+C]
00D7CF79 03C2 ADD EAX,EDX
00D7CF7B 8B51 78 MOV EDX,DWORD PTR DS:[ECX+78]
00D7CF7E 3351 14 XOR EDX,DWORD PTR DS:[ECX+14]
00D7CF81 33D7 XOR EDX,EDI
00D7CF83 2BC2 SUB EAX,EDX
00D7CF85 FFD0 CALL EAX
00D7CF87 EB 25 JMP SHORT 00D7CFAE
00D7CF89 83F9 01 CMP ECX,1
00D7CF8C 75 22 JNZ SHORT 00D7CFB0
00D7CF8E FF76 04 PUSH DWORD PTR DS:[ESI+4]
00D7CF91 FF76 08 PUSH DWORD PTR DS:[ESI+8]
00D7CF94 6A 00 PUSH 0
00D7CF96 E8 2639FFFF CALL 00D708C1
00D7CF9B 50 PUSH EAX
00D7CF9C A1 E018D900 MOV EAX,DWORD PTR DS:[D918E0]
00D7CFA1 8B48 78 MOV ECX,DWORD PTR DS:[EAX+78]
00D7CFA4 3348 5C XOR ECX,DWORD PTR DS:[EAX+5C]
00D7CFA7 3348 14 XOR ECX,DWORD PTR DS:[EAX+14]
00D7CFAA 2BF9 SUB EDI,ECX
00D7CFAC FFD7 CALL EDI   <- F7 into it
00D7CFAE 8BD8 MOV EBX,EAX
00D7CFB0 5F POP EDI
00D7CFB1 8BC3 MOV EAX,EBX
00D7CFB3 5E POP ESI
00D7CFB4 5B POP EBX
00D7CFB5 C3 RETN
After stepping in we arrive here:
0048C000 E8 AA000000 CALL 南平红二.0048C0AF   <- doesn't look like the OEP everyone describes; F7
0048C005 0000 ADD BYTE PTR DS:[EAX],AL
0048C007 0000 ADD BYTE PTR DS:[EAX],AL
0048C009 0000 ADD BYTE PTR DS:[EAX],AL
0048C00B 0000 ADD BYTE PTR DS:[EAX],AL
0048C00D 0000 ADD BYTE PTR DS:[EAX],AL
0048C00F 0000 ADD BYTE PTR DS:[EAX],AL
0048C011 3D C0080000 CMP EAX,8C0
0048C016 0000 ADD BYTE PTR DS:[EAX],AL
0048C018 0000 ADD BYTE PTR DS:[EAX],AL
0048C01A 0000 ADD BYTE PTR DS:[EAX],AL
0048C01C 0000 ADD BYTE PTR DS:[EAX],AL
0048C01E 0000 ADD BYTE PTR DS:[EAX],AL
0048C020 0000 ADD BYTE PTR DS:[EAX],AL
0048C022 0000 ADD BYTE PTR DS:[EAX],AL
0048C024 0000 ADD BYTE PTR DS:[EAX],AL
0048C026 0000 ADD BYTE PTR DS:[EAX],AL
0048C028 0000 ADD BYTE PTR DS:[EAX],AL
0048C02A 0000 ADD BYTE PTR DS:[EAX],AL
0048C02C 0028 ADD BYTE PTR DS:[EAX],CH
0048C02E AC LODS BYTE PTR DS:[ESI]
0048C02F 807C29 B5 80 CMP BYTE PTR DS:[ECX+EBP-4B],80
0048C034 7C 77 JL SHORT 南平红二.0048C0AD
0048C036 1D 807C9A63 SBB EAX,639A7C80
0048C03B D6 SALC
0048C03C 004B 45 ADD BYTE PTR DS:[EBX+45],CL
0048C03F 52 PUSH EDX
0048C040 4E DEC ESI
0048C041 45 INC EBP
0048C042 4C DEC ESP
0048C043 3332 XOR ESI,DWORD PTR DS:[EDX]
0048C045 2E: PREFIX CS: ; 多余的前缀
0048C046 64:6C INS BYTE PTR ES:[EDI],DX ; I/O 命令
Stepping in brings us here:
0048C0AF 5D POP EBP ; 南平红二.0048C005
0048C0B0 81ED 05000000 SUB EBP,5
0048C0B6 8D75 3D LEA ESI,DWORD PTR SS:[EBP+3D]
0048C0B9 56 PUSH ESI
0048C0BA FF55 31 CALL DWORD PTR SS:[EBP+31]
0048C0BD 8DB5 86000000 LEA ESI,DWORD PTR SS:[EBP+86]
0048C0C3 56 PUSH ESI
0048C0C4 50 PUSH EAX
0048C0C5 FF55 2D CALL DWORD PTR SS:[EBP+2D]
0048C0C8 8985 93000000 MOV DWORD PTR SS:[EBP+93],EAX
0048C0CE 6A 04 PUSH 4
0048C0D0 68 00100000 PUSH 1000
0048C0D5 FFB5 82000000 PUSH DWORD PTR SS:[EBP+82]
0048C0DB 6A 00 PUSH 0
0048C0DD FF95 93000000 CALL DWORD PTR SS:[EBP+93]
0048C0E3 50 PUSH EAX
0048C0E4 8B9D 7E000000 MOV EBX,DWORD PTR SS:[EBP+7E]
0048C0EA 03DD ADD EBX,EBP
0048C0EC 50 PUSH EAX
0048C0ED 53 PUSH EBX
0048C0EE E8 04000000 CALL 南平红二.0048C0F7
0048C0F3 5A POP EDX
0048C0F4 55 PUSH EBP
0048C0F5 FFE2 JMP EDX   <- stepping in here, the program terminates after a few steps
0048C0F7 60 PUSHAD
0048C0F8 8B7424 24 MOV ESI,DWORD PTR SS:[ESP+24]
0048C0FC 8B7C24 28 MOV EDI,DWORD PTR SS:[ESP+28]
0048C100 FC CLD
0048C101 B2 80 MOV DL,80
0048C103 33DB XOR EBX,EBX
0048C105 A4 MOVS BYTE PTR ES:[EDI],BYTE PTR >
0048C106 B3 02 MOV BL,2
0048C108 E8 6D000000 CALL 南平红二.0048C17A
0048C10D ^ 73 F6 JNB SHORT 南平红二.0048C105
0048C10F 33C9 XOR ECX,ECX
0048C111 E8 64000000 CALL 南平红二.0048C17A
0048C116 73 1C JNB SHORT 南平红二.0048C134
0048C118 33C0 XOR EAX,EAX
0048C11A E8 5B000000 CALL 南平红二.0048C17A
0048C11F 73 23 JNB SHORT 南平红二.0048C144
0048C121 B3 02 MOV BL,2
0048C123 41 INC ECX
0048C124 B0 10 MOV AL,10
0048C126 E8 4F000000 CALL 南平红二.0048C17A
0048C12B 12C0 ADC AL,AL
0048C12D ^ 73 F7 JNB SHORT 南平红二.0048C126
0048C12F 75 3F JNZ SHORT 南平红二.0048C170
0048C131 AA STOS BYTE PTR ES:[EDI]
0048C132 ^ EB D4 JMP SHORT 南平红二.0048C108
0048C134 E8 4D000000 CALL 南平红二.0048C186
0048C139 2BCB SUB ECX,EBX
0048C13B 75 10 JNZ SHORT 南平红二.0048C14D
0048C13D E8 42000000 CALL 南平红二.0048C184
0048C142 EB 28 JMP SHORT 南平红二.0048C16C
0048C144 AC LODS BYTE PTR DS:[ESI]
0048C145 D1E8 SHR EAX,1
0048C147 74 4D JE SHORT 南平红二.0048C196
0048C149 13C9 ADC ECX,ECX
0048C14B EB 1C JMP SHORT 南平红二.0048C169
0048C14D 91 XCHG EAX,ECX
0048C14E 48 DEC EAX
0048C14F C1E0 08 SHL EAX,8
0048C152 AC LODS BYTE PTR DS:[ESI]
0048C153 E8 2C000000 CALL 南平红二.0048C184
0048C158 3D 007D0000 CMP EAX,7D00
0048C15D 73 0A JNB SHORT 南平红二.0048C169
0048C15F 80FC 05 CMP AH,5
0048C162 73 06 JNB SHORT 南平红二.0048C16A
0048C164 83F8 7F CMP EAX,7F
0048C167 77 02 JA SHORT 南平红二.0048C16B
0048C169 41 INC ECX
0048C16A 41 INC ECX
0048C16B 95 XCHG EAX,EBP
0048C16C 8BC5 MOV EAX,EBP
0048C16E B3 01 MOV BL,1
0048C170 56 PUSH ESI
0048C171 8BF7 MOV ESI,EDI
0048C173 2BF0 SUB ESI,EAX
0048C175 F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE >
0048C177 5E POP ESI
0048C178 ^ EB 8E JMP SHORT 南平红二.0048C108
0048C17A 02D2 ADD DL,DL
0048C17C 75 05 JNZ SHORT 南平红二.0048C183
0048C17E 8A16 MOV DL,BYTE PTR DS:[ESI]
0048C180 46 INC ESI
0048C181 12D2 ADC DL,DL
0048C183 C3 RETN
0048C184 33C9 XOR ECX,ECX
0048C186 41 INC ECX
0048C187 E8 EEFFFFFF CALL 南平红二.0048C17A
0048C18C 13C9 ADC ECX,ECX
0048C18E E8 E7FFFFFF CALL 南平红二.0048C17A
0048C193 ^ 72 F2 JB SHORT 南平红二.0048C187
0048C195 C3 RETN
0048C196 2B7C24 28 SUB EDI,DWORD PTR SS:[ESP+28]
0048C19A 897C24 1C MOV DWORD PTR SS:[ESP+1C],EDI
0048C19E 61 POPAD   <- run directly to here
0048C19F C2 0800 RETN 8   <- F8
Arrive at:
0048C0F3 5A POP EDX ; 01450000
0048C0F4 55 PUSH EBP
0048C0F5 FFE2 JMP EDX
0048C19E 61 POPAD   <- run to here
0048C19F C2 0800 RETN 8
Arrive at:
01451D30 8B0C2B MOV ECX,DWORD PTR DS:[EBX+EBP]
01451D33 56 PUSH ESI
01451D34 F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE >
01451D36 5E POP ESI
01451D37 53 PUSH EBX
01451D38 68 00800000 PUSH 8000
01451D3D 6A 00 PUSH 0
01451D3F 56 PUSH ESI
01451D40 FF95 E9020000 CALL DWORD PTR SS:[EBP+2E9]
01451D46 5B POP EBX
01451D47 83C3 0C ADD EBX,0C
01451D4A ^ EB B3 JMP SHORT 01451CFF
01451D4C 8B85 B8020000 MOV EAX,DWORD PTR SS:[EBP+2B8]
01451D52 0BC0 OR EAX,EAX
01451D54 0F85 81000000 JNZ 01451DDB
01451D5A 8BBD C0020000 MOV EDI,DWORD PTR SS:[EBP+2C0]
01451D60 03BD B4020000 ADD EDI,DWORD PTR SS:[EBP+2B4]
01451D66 8B77 0C MOV ESI,DWORD PTR DS:[EDI+C]
01451D69 0BF6 OR ESI,ESI
01451D6B 75 02 JNZ SHORT 01451D6F
01451D6D EB 6A JMP SHORT 01451DD9
01451D6F 03B5 B4020000 ADD ESI,DWORD PTR SS:[EBP+2B4]
01451D75 56 PUSH ESI
01451D76 FF95 A8020000 CALL DWORD PTR SS:[EBP+2A8]
01451D7C 0BC0 OR EAX,EAX
01451D7E 75 07 JNZ SHORT 01451D87
01451D80 56 PUSH ESI
01451D81 FF95 AC020000 CALL DWORD PTR SS:[EBP+2AC]
01451D87 8BF0 MOV ESI,EAX
01451D89 8B17 MOV EDX,DWORD PTR DS:[EDI]
01451D8B 0BD2 OR EDX,EDX
01451D8D 75 03 JNZ SHORT 01451D92
01451D8F 8B57 10 MOV EDX,DWORD PTR DS:[EDI+10]
01451D92 0395 B4020000 ADD EDX,DWORD PTR SS:[EBP+2B4]
01451D98 8B5F 10 MOV EBX,DWORD PTR DS:[EDI+10]
01451D9B 039D B4020000 ADD EBX,DWORD PTR SS:[EBP+2B4]
01451DA1 8B02 MOV EAX,DWORD PTR DS:[EDX]
01451DA3 0BC0 OR EAX,EAX
01451DA5 75 02 JNZ SHORT 01451DA9
01451DA7 EB 2B JMP SHORT 01451DD4
01451DA9 53 PUSH EBX
01451DAA 52 PUSH EDX
01451DAB 99 CDQ
01451DAC 0BD2 OR EDX,EDX
01451DAE 75 0B JNZ SHORT 01451DBB
01451DB0 83C0 02 ADD EAX,2
01451DB3 0385 B4020000 ADD EAX,DWORD PTR SS:[EBP+2B4]
01451DB9 EB 05 JMP SHORT 01451DC0
01451DBB 25 FFFFFF7F AND EAX,7FFFFFFF
01451DC0 50 PUSH EAX
01451DC1 56 PUSH ESI
01451DC2 FF95 A4020000 CALL DWORD PTR SS:[EBP+2A4]
01451DC8 8903 MOV DWORD PTR DS:[EBX],EAX
01451DCA 5A POP EDX
01451DCB 5B POP EBX
01451DCC 83C2 04 ADD EDX,4
01451DCF 83C3 04 ADD EBX,4
01451DD2 ^ EB CD JMP SHORT 01451DA1
01451DD4 83C7 14 ADD EDI,14
01451DD7 ^ EB 8D JMP SHORT 01451D66
01451DD9 EB 75 JMP SHORT 01451E50
01451DDB 8B95 C0020000 MOV EDX,DWORD PTR SS:[EBP+2C0]
01451DE1 03D5 ADD EDX,EBP
01451DE3 8B3A MOV EDI,DWORD PTR DS:[EDX]
01451DE5 0BFF OR EDI,EDI
01451DE7 75 02 JNZ SHORT 01451DEB
01451DE9 EB 65 JMP SHORT 01451E50
01451DEB 03BD B4020000 ADD EDI,DWORD PTR SS:[EBP+2B4]
01451DF1 83C2 05 ADD EDX,5
01451DF4 8BF2 MOV ESI,EDX
01451DF6 56 PUSH ESI
01451DF7 FF95 A8020000 CALL DWORD PTR SS:[EBP+2A8]
01451DFD 0BC0 OR EAX,EAX
01451DFF 75 07 JNZ SHORT 01451E08
01451E01 56 PUSH ESI
01451E02 FF95 AC020000 CALL DWORD PTR SS:[EBP+2AC]
01451E08 0FB64E FF MOVZX ECX,BYTE PTR DS:[ESI-1]
01451E0C 03F1 ADD ESI,ECX
01451E0E 8BD6 MOV EDX,ESI
01451E10 8BF0 MOV ESI,EAX
01451E12 42 INC EDX
01451E13 8B0A MOV ECX,DWORD PTR DS:[EDX]
01451E15 83C2 04 ADD EDX,4
01451E18 51 PUSH ECX
01451E19 0FB602 MOVZX EAX,BYTE PTR DS:[EDX]
01451E1C 0BC0 OR EAX,EAX
01451E1E 75 14 JNZ SHORT 01451E34
01451E20 42 INC EDX
01451E21 52 PUSH EDX
01451E22 8B02 MOV EAX,DWORD PTR DS:[EDX]
01451E24 50 PUSH EAX
01451E25 56 PUSH ESI
01451E26 FF95 A4020000 CALL DWORD PTR SS:[EBP+2A4]
01451E2C 8907 MOV DWORD PTR DS:[EDI],EAX
01451E2E 5A POP EDX
01451E2F 83C2 04 ADD EDX,4
01451E32 EB 13 JMP SHORT 01451E47
01451E34 42 INC EDX
01451E35 52 PUSH EDX
01451E36 52 PUSH EDX
01451E37 56 PUSH ESI
01451E38 FF95 A4020000 CALL DWORD PTR SS:[EBP+2A4]
01451E3E 8907 MOV DWORD PTR DS:[EDI],EAX
01451E40 5A POP EDX
01451E41 0FB642 FF MOVZX EAX,BYTE PTR DS:[EDX-1]
01451E45 03D0 ADD EDX,EAX
01451E47 42 INC EDX
01451E48 83C7 04 ADD EDI,4
01451E4B 59 POP ECX
01451E4C ^ E2 CA LOOPD SHORT 01451E18
01451E4E ^ EB 93 JMP SHORT 01451DE3
01451E50 8B85 BC020000 MOV EAX,DWORD PTR SS:[EBP+2BC]
01451E56 83F8 01 CMP EAX,1
01451E59 75 27 JNZ SHORT 01451E82
01451E5B 8BBD C4020000 MOV EDI,DWORD PTR SS:[EBP+2C4]
01451E61 03FD ADD EDI,EBP
01451E63 8DB5 4D020000 LEA ESI,DWORD PTR SS:[EBP+24D]
01451E69 8B07 MOV EAX,DWORD PTR DS:[EDI]
01451E6B 0BC0 OR EAX,EAX
01451E6D 75 02 JNZ SHORT 01451E71
01451E6F EB 11 JMP SHORT 01451E82
01451E71 25 FFFFFF7F AND EAX,7FFFFFFF
01451E76 8BDE MOV EBX,ESI
01451E78 2BD8 SUB EBX,EAX
01451E7A 8958 FC MOV DWORD PTR DS:[EAX-4],EBX
01451E7D 83C7 08 ADD EDI,8
01451E80 ^ EB E7 JMP SHORT 01451E69
01451E82 64:FF35 3000000>PUSH DWORD PTR FS:[30]
01451E89 58 POP EAX
01451E8A 85C0 TEST EAX,EAX
01451E8C 78 0F JS SHORT 01451E9D
01451E8E 8B40 0C MOV EAX,DWORD PTR DS:[EAX+C]
01451E91 8B40 0C MOV EAX,DWORD PTR DS:[EAX+C]
01451E94 C740 20 0010000>MOV DWORD PTR DS:[EAX+20],1000
01451E9B EB 1C JMP SHORT 01451EB9
01451E9D 6A 00 PUSH 0
01451E9F FF95 A8020000 CALL DWORD PTR SS:[EBP+2A8]
01451EA5 85D2 TEST EDX,EDX
01451EA7 79 10 JNS SHORT 01451EB9
01451EA9 837A 08 FF CMP DWORD PTR DS:[EDX+8],-1
01451EAD 75 0A JNZ SHORT 01451EB9
01451EAF 8B52 04 MOV EDX,DWORD PTR DS:[EDX+4]
01451EB2 C742 50 0010000>MOV DWORD PTR DS:[EDX+50],1000
01451EB9 89AD 58020000 MOV DWORD PTR SS:[EBP+258],EBP
01451EBF 8B85 C8020000 MOV EAX,DWORD PTR SS:[EBP+2C8]
01451EC5 0385 B4020000 ADD EAX,DWORD PTR SS:[EBP+2B4]
01451ECB FFE0 JMP EAX   <- run to here and step in
01451ECD 50 PUSH EAX
01451ECE 8BC4 MOV EAX,ESP
01451ED0 60 PUSHAD
01451ED1 8BD8 MOV EBX,EAX
01451ED3 E8 04000000 CALL 01451EDC
01451ED8 801C45 015D8B6D>SBB BYTE PTR DS:[EAX*2+6D8B5D01]>
01451EE0 8B7B 04 MOV EDI,DWORD PTR DS:[EBX+4]
01451EE3 8BB5 C4020000 MOV ESI,DWORD PTR SS:[EBP+2C4]
01451EE9 03F5 ADD ESI,EBP
01451EEB 8B06 MOV EAX,DWORD PTR DS:[ESI]
01451EED 33D2 XOR EDX,EDX
01451EEF B9 02000000 MOV ECX,2
01451EF4 F7E1 MUL ECX
01451EF6 D1E8 SHR EAX,1
01451EF8 3BF8 CMP EDI,EAX
01451EFA 75 0A JNZ SHORT 01451F06
01451EFC 0AD2 OR DL,DL
01451EFE 75 04 JNZ SHORT 01451F04
01451F00 EB 09 JMP SHORT 01451F0B
01451F02 EB 02 JMP SHORT 01451F06
01451F04 EB 10 JMP SHORT 01451F16
01451F06 83C6 08 ADD ESI,8
01451F09 ^ EB E0 JMP SHORT 01451EEB
01451F0B 8B46 04 MOV EAX,DWORD PTR DS:[ESI+4]
01451F0E 8903 MOV DWORD PTR DS:[EBX],EAX
01451F10 61 POPAD
01451F11 58 POP EAX
01451F12 8B00 MOV EAX,DWORD PTR DS:[EAX]
01451F14 FFE0 JMP EAX
01451F16 8B46 04 MOV EAX,DWORD PTR DS:[ESI+4]
01451F19 8903 MOV DWORD PTR DS:[EBX],EAX
01451F1B 61 POPAD
01451F1C 58 POP EAX
01451F1D 83C4 04 ADD ESP,4
01451F20 8B00 MOV EAX,DWORD PTR DS:[EAX]
01451F22 FFE0 JMP EAX
01451F24 28AC80 7C29B580 SUB BYTE PTR DS:[EAX+EAX*4+80B52>
01451F2B 7C 77 JL SHORT 01451FA4
01451F2D 1D 807C819A SBB EAX,9A817C80
01451F32 807C00 00 40 CMP BYTE PTR DS:[EAX+EAX],40
01451F37 0001 ADD BYTE PTR DS:[ECX],AL
01451F39 0000 ADD BYTE PTR DS:[EAX],AL
01451F3B 0001 ADD BYTE PTR DS:[ECX],AL
01451F3D 0000 ADD BYTE PTR DS:[EAX],AL
01451F3F 008D 03000020 ADD BYTE PTR SS:[EBP+20000003],C>
01451F45 14 00 ADC AL,0
01451F47 00BE B70000F7 ADD BYTE PTR DS:[ESI+F70000B7],B>
01451F4D C048 00 4B ROR BYTE PTR DS:[EAX],4B ; 移位常量超出 1..31 的范围
01451F51 45 INC EBP
01451F52 52 PUSH EDX
01451F53 4E DEC ESI
01451F54 45 INC EBP
01451F55 4C DEC ESP
01451F56 3332 XOR ESI,DWORD PTR DS:[EDX]
01451F58 2E: PREFIX CS: ; 多余的前缀
01451F59 64:6C INS BYTE PTR ES:[EDI],DX ; I/O 命令
01451F5B 6C INS BYTE PTR ES:[EDI],DX ; I/O 命令
01451F5C 0056 69 ADD BYTE PTR DS:[ESI+69],DL
01451F5F 72 74 JB SHORT 01451FD5
01451F61 75 61 JNZ SHORT 01451FC4
01451F63 6C INS BYTE PTR ES:[EDI],DX ; I/O 命令
01451F64 46 INC ESI
01451F65 72 65 JB SHORT 01451FCC
Arrive at:
0040B7BE 55 PUSH EBP   <- all the code shows in red, this should be the OEP
0040B7BF 8BEC MOV EBP,ESP
0040B7C1 6A FF PUSH -1
0040B7C3 68 28224200 PUSH 南平红二.00422228
0040B7C8 68 ACE84000 PUSH 南平红二.0040E8AC
0040B7CD 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
0040B7D3 50 PUSH EAX
0040B7D4 64:8925 0000000>MOV DWORD PTR FS:[0],ESP
0040B7DB 83EC 58 SUB ESP,58
0040B7DE 53 PUSH EBX
0040B7DF 56 PUSH ESI
0040B7E0 57 PUSH EDI
0040B7E1 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP
0040B7E4 90 NOP
0040B7E5 E8 E3660401 CALL 01451ECD   <- Code Splicing; there are many more like this further down
0040B7EA 33D2 XOR EDX,EDX
0040B7EC 8AD4 MOV DL,AH
0040B7EE 8915 A0DA4200 MOV DWORD PTR DS:[42DAA0],EDX
0040B7F4 8BC8 MOV ECX,EAX
0040B7F6 81E1 FF000000 AND ECX,0FF
0040B7FC 890D 9CDA4200 MOV DWORD PTR DS:[42DA9C],ECX
0040B802 C1E1 08 SHL ECX,8
Used LordPE to fix the image size, dumped everything, and repaired the imports with ImportREC.
When run, it errors: the instruction at 01451ECD referenced memory at 01451ECD; the memory could not be read.
According to what the experts say, this is Code Splicing.
Tried to repair it with ArmInline. ALT+M to look at the Memory map, entry 49:
Address=01450000
Size=00005000 (20480.)
Owner= 01450000 (self)
Section=
Type=Priv 00021004
Access=RW
Initial access=RW
Selected the process, entered 01450000 with size 5000, clicked "remove splices", and it reported that no splices were found.
Could the experts tell me whether there is another way to repair this, or did I do something wrong somewhere?
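Added example (my own code, not from this post or from Armadillo): a Python re-implementation of the depacker at 0048C0F7 - 0048C19F in the listing above, so that what runs between JMP EDX and the RETN 8 can be studied offline instead of only stepped through. Its tag-bit reader, gamma-coded lengths, the 7D00/500/7F length adjustments and the 1-1-0 plus 00 end marker match the aPLib decompressor; that identification is my reading of the listing, not something the post states, and it assumes the stub's two arguments ([ESP+24]/[ESP+28]) are the packed source and the output buffer. The packed streams in the test are constructed by hand.

```python
class BitReader:
    """Mirrors 0048C17A: DL holds the tag byte; the 1 that ADC DL,DL leaves in bit 0 is a sentinel."""
    def __init__(self, data: bytes):
        self.data, self.pos, self.tag = data, 0, 0x80   # MOV DL,80: empty tag, refilled on first use
    def byte(self) -> int:                              # LODS BYTE PTR DS:[ESI]
        b, self.pos = self.data[self.pos], self.pos + 1
        return b
    def bit(self) -> int:
        carry = self.tag >> 7                           # ADD DL,DL: CF = old bit 7
        self.tag = (self.tag << 1) & 0xFF
        if self.tag == 0:                               # JNZ not taken: sentinel shifted out
            b = self.byte()                             # MOV DL,[ESI]; INC ESI
            carry, self.tag = b >> 7, ((b << 1) | 1) & 0xFF   # ADC DL,DL (CF is always 1 here)
        return carry
    def gamma(self) -> int:                             # 0048C184/0048C186: gamma-coded integer
        n = 1                                           # ECX = 1
        while True:
            n = (n << 1) | self.bit()                   # ADC ECX,ECX
            if not self.bit():                          # JB 0048C187 keeps looping while bit is 1
                return n

def depack(src: bytes) -> bytes:
    r, out = BitReader(src), bytearray()
    out.append(r.byte())                 # 0048C105: the first byte is always a literal
    last_offset, bl = 0, 2               # EBP (last offset) and BL (2 after a literal)
    while True:
        if not r.bit():                  # 0048C108, bit 0: literal byte
            out.append(r.byte()); bl = 2; continue
        if not r.bit():                  # 0048C134: gamma-coded offset/length match
            ecx = r.gamma() - bl         # SUB ECX,EBX
            if ecx:                      # 0048C14D: explicit offset, high part from gamma, low byte from stream
                offset, length = ((ecx - 1) << 8) | r.byte(), r.gamma()
                if offset >= 0x7D00: length += 2     # CMP EAX,7D00 / JNB 0048C169
                elif offset >= 0x500: length += 1    # CMP AH,5 / JNB 0048C16A
                elif offset <= 0x7F: length += 2     # CMP EAX,7F / JA 0048C16B skips both INCs
                last_offset = offset
            else:                        # 0048C13D: reuse the previous offset
                offset, length = last_offset, r.gamma()
            bl = 1                       # MOV BL,1 at 0048C16E
        elif not r.bit():                # 0048C144: short match, 7-bit offset + 1-bit length
            b = r.byte()
            if b >> 1 == 0:              # SHR EAX,1 leaves 0: end-of-stream marker
                return bytes(out)
            offset, length = b >> 1, (b & 1) + 2
            last_offset, bl = offset, 1
        else:                            # 0048C121: one byte copied from a 4-bit offset
            offset = sum(r.bit() << (3 - i) for i in range(4))   # ADC AL,AL loop seeded with AL=10
            if offset == 0:              # 0048C131: STOS a zero byte instead
                out.append(0); bl = 2; continue
            length, bl = 1, 2            # EBP is not updated on this path
        if not 0 < offset <= len(out):   # a back-reference outside the output means a corrupt stream
            raise ValueError("corrupt stream: offset %d at output %d" % (offset, len(out)))
        for _ in range(length):          # 0048C170: REP MOVS with ESI = EDI - offset (overlap allowed)
            out.append(out[-offset])
```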