The program starts out like this:
00465000 > 68 F5561800 PUSH 1856F5 ; (initial cpu selection)
00465005 59 POP ECX
00465006 68 18504600 PUSH jxsdfox.00465018
0046500B 5F POP EDI
0046500C BE C4060000 MOV ESI,6C4
00465011 310C3E XOR DWORD PTR DS:[ESI+EDI],ECX
00465014 4E DEC ESI
00465015 83EE 03 SUB ESI,3
00465018 ^ 75 F7 JNZ SHORT jxsdfox.00465011
; esi starts at 0x6c4; the loop here is a self-unpacking routine
......
After the loop above finishes, the program arrives here:
0046501A 90 NOP
0046501B 90 NOP
0046501C E8 7D010000 CALL jxsdfox.0046519E
Stepping into this call:
0046519E 55 PUSH EBP
0046519F 8BEC MOV EBP,ESP
004651A1 81C4 B4FEFFFF ADD ESP,-14C
004651A7 C645 F7 00 MOV BYTE PTR SS:[EBP-9],0
004651AB 8BC5 MOV EAX,EBP
004651AD 83C0 04 ADD EAX,4
004651B0 8B10 MOV EDX,DWORD PTR DS:[EAX]
004651B2 83EA 05 SUB EDX,5
004651B5 8955 FC MOV DWORD PTR SS:[EBP-4],EDX
004651B8 8B4D FC MOV ECX,DWORD PTR SS:[EBP-4] ; (initial cpu selection)
004651BB 81C1 84000000 ADD ECX,84
004651C1 894D F8 MOV DWORD PTR SS:[EBP-8],ECX
004651C4 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004651C7 8B50 0C MOV EDX,DWORD PTR DS:[EAX+C]
004651CA 8B4D FC MOV ECX,DWORD PTR SS:[EBP-4]
004651CD 0351 08 ADD EDX,DWORD PTR DS:[ECX+8]
004651D0 8BC5 MOV EAX,EBP
004651D2 83C0 04 ADD EAX,4
004651D5 8910 MOV DWORD PTR DS:[EAX],EDX
004651D7 FF75 F8 PUSH DWORD PTR SS:[EBP-8]
004651DA FF75 FC PUSH DWORD PTR SS:[EBP-4]
004651DD 8D55 BC LEA EDX,DWORD PTR SS:[EBP-44]
004651E0 52 PUSH EDX
004651E1 E8 78000000 CALL jxsdfox.0046525E
004651E6 84C0 TEST AL,AL
004651E8 74 6D JE SHORT jxsdfox.00465257
004651EA FF75 F8 PUSH DWORD PTR SS:[EBP-8]
004651ED 8D4D BC LEA ECX,DWORD PTR SS:[EBP-44]
004651F0 51 PUSH ECX
004651F1 8D85 B4FEFFFF LEA EAX,DWORD PTR SS:[EBP-14C]
004651F7 50 PUSH EAX
004651F8 E8 05020000 CALL jxsdfox.00465402
004651FD 84C0 TEST AL,AL
004651FF 74 23 JE SHORT jxsdfox.00465224
00465201 66:83BD B4FEFFF>CMP WORD PTR SS:[EBP-14C],6
00465209 72 19 JB SHORT jxsdfox.00465224
0046520B FF75 F8 PUSH DWORD PTR SS:[EBP-8]
0046520E FF75 FC PUSH DWORD PTR SS:[EBP-4]
00465211 8D55 BC LEA EDX,DWORD PTR SS:[EBP-44]
00465214 52 PUSH EDX
00465215 8D8D B6FEFFFF LEA ECX,DWORD PTR SS:[EBP-14A]
0046521B 51 PUSH ECX
0046521C E8 51020000 CALL jxsdfox.00465472
00465221 8845 F7 MOV BYTE PTR SS:[EBP-9],AL
00465224 807D F7 00 CMP BYTE PTR SS:[EBP-9],0
00465228 75 2D JNZ SHORT jxsdfox.00465257
0046522A FF75 FC PUSH DWORD PTR SS:[EBP-4]
0046522D 8D45 BC LEA EAX,DWORD PTR SS:[EBP-44]
00465230 50 PUSH EAX
00465231 8D95 B6FEFFFF LEA EDX,DWORD PTR SS:[EBP-14A]
00465237 52 PUSH EDX
00465238 E8 81020000 CALL jxsdfox.004654BE
0046523D 84C0 TEST AL,AL
0046523F 74 16 JE SHORT jxsdfox.00465257
00465241 FF75 F8 PUSH DWORD PTR SS:[EBP-8]
00465244 FF75 FC PUSH DWORD PTR SS:[EBP-4]
00465247 8D4D BC LEA ECX,DWORD PTR SS:[EBP-44]
0046524A 51 PUSH ECX
0046524B 8D85 B6FEFFFF LEA EAX,DWORD PTR SS:[EBP-14A]
00465251 50 PUSH EAX
00465252 E8 1B020000 CALL jxsdfox.00465472
00465257 8BE5 MOV ESP,EBP
00465259 5D POP EBP
Then it returns, and after the return it ends up here:
00450224 55 DB 55 ; CHAR 'U'
00450225 8B DB 8B
00450226 EC DB EC
00450227 83 DB 83
00450228 C4 DB C4
00450229 F0 DB F0
0045022A 53 DB 53 ; CHAR 'S'
0045022B B8 DB B8
0045022C . 44004500 DD jxsdfox.00450044
00450230 E8 DB E8
00450231 93 DB 93
00450232 59 DB 59 ; CHAR 'Y'
00450233 FB DB FB
00450234 FF DB FF
00450235 68 DB 68 ; CHAR 'h'
00450236 . E4024500 DD jxsdfox.004502E4 ; ASCII "App_Choice_netman"
0045023A 6A DB 6A ; CHAR 'j'
0045023B 00 DB 00
0045023C 6A DB 6A ; CHAR 'j'
0045023D 00 DB 00
0045023E E8 DB E8
0045023F 85 DB 85
00450240 5B DB 5B ; CHAR '['
00450241 FB DB FB
00450242 FF DB FF
...
I really don't get it; this is all data here -_-
While tracing, OD keeps popping up a "breakpoint possible" dialog every now and then, asking whether I want to set a breakpoint on data.
Hoping an expert can clear up my confusion.
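Added example (editor's, not from the original post or the jxsdfox binary): a Python model of what the two pieces of posted disassembly do, so the loop and the return-address trick can be checked outside the debugger. The loop at 00465011 XORs the dwords from 0046501C up to 004656DF with 0x1856F5: ESI runs from 0x6C4 down to 4 in steps of 4 (DEC ESI then SUB ESI,3), and the JNZ tests the result of the SUB, so offset 0 (the JNZ at 00465018) is never touched and the first decrypted dword is the CALL at 0046501C. The routine at 0046519E reads its own return address from [EBP+4], subtracts 5 to get the address of the CALL, keeps call+0x84 in [EBP-8], and overwrites [EBP+4] with dword[call+0xC] + dword[call+8], which is why the RET lands somewhere other than 00465021. The image contents in the block are constructed; in particular the two dwords placed at 00465024 and 00465028 are an assumed split of 00450224, the address the post says the RET reaches. For what it's worth, the bytes listed at 00450224 (55 8B EC 83 C4 F0 53 B8 44004500 E8 ...) decode as an ordinary function prologue (PUSH EBP / MOV EBP,ESP / ADD ESP,-10 / PUSH EBX / MOV EAX,450044 / CALL ...); OllyDbg prints DB lines when its analysis data does not mark the region as code, and re-running the analysis (Ctrl+A) is the usual fix.

```python
"""Static model of the two mechanisms in the listing above (added example).

Everything operates on a bytearray standing in for the process image at
0x465000; the image contents are constructed for the demo, not dumped from
jxsdfox.  Only the constants (key, table base, ESI start, the +0x84 and the
[call+8]/[call+0xC] accesses) come from the posted disassembly.
"""
import struct

IMAGE_BASE = 0x465000      # first address in the listing; the model starts here
XOR_KEY = 0x1856F5         # PUSH 1856F5 / POP ECX
TABLE_BASE = 0x465018      # PUSH 465018 / POP EDI
INITIAL_ESI = 0x6C4        # MOV ESI,6C4


def u32(mem, base, addr):
    """Read a little-endian dword at virtual address addr."""
    return struct.unpack_from("<I", mem, addr - base)[0]


def w32(mem, base, addr, value):
    """Write a little-endian dword at virtual address addr."""
    struct.pack_into("<I", mem, addr - base, value & 0xFFFFFFFF)


def xor_loop_addresses(table_base=TABLE_BASE, initial_esi=INITIAL_ESI):
    """Addresses the loop at 00465011 XORs, in execution order (high to low).

    DEC ESI followed by SUB ESI,3 steps ESI down by 4, and JNZ tests the
    result of the SUB, so the XOR runs for ESI = 0x6C4, 0x6C0, ..., 4 and
    never for ESI = 0: the JNZ at 00465018 and the two NOPs are left alone,
    and the first decrypted dword is the CALL at 0046501C.
    """
    addrs = []
    esi = initial_esi
    while esi != 0:
        addrs.append(table_base + esi)
        esi = (esi - 4) & 0xFFFFFFFF
    return addrs


def run_xor_loop(mem, base=IMAGE_BASE, key=XOR_KEY):
    """Apply 'XOR DWORD PTR [ESI+EDI],ECX' over the whole range, in place.

    XOR with a fixed key is its own inverse, so the same call both packs
    and unpacks.
    """
    for addr in xor_loop_addresses():
        w32(mem, base, addr, u32(mem, base, addr) ^ key)
    return mem


def redirect_return(mem, return_addr, base=IMAGE_BASE):
    """Model of the prologue of the routine at 0046519E.

    [EBP+4] is the return address pushed by CALL.  The routine takes
    call_site = retaddr - 5 (the E8 instruction itself), keeps
    call_site + 0x84 in [EBP-8], and overwrites [EBP+4] with
    dword[call_site+0xC] + dword[call_site+8], so the final RET does not
    go back to the instruction after the CALL but to that computed address.
    Returns (call_site, value left in [EBP-8], new return address).
    """
    call_site = return_addr - 5
    ebp_minus_8 = call_site + 0x84
    new_return = (u32(mem, base, call_site + 0xC)
                  + u32(mem, base, call_site + 8)) & 0xFFFFFFFF
    return call_site, ebp_minus_8, new_return


def build_constructed_image():
    """A constructed stand-in for 0x465000..0x4656FF (not real file bytes)."""
    mem = bytearray(0x700)
    for off in range(0, len(mem), 4):
        struct.pack_into("<I", mem, off, (0x11111111 * (off // 4 + 1)) & 0xFFFFFFFF)
    # The two dwords the callee adds.  Only their sum, 00450224 (where the
    # post says the RET lands), comes from the listing; this split is assumed.
    w32(mem, IMAGE_BASE, 0x465024, 0x00450000)
    w32(mem, IMAGE_BASE, 0x465028, 0x00000224)
    return mem


def demo():
    """Pack, unpack, then compute where the callee's RET would land."""
    addrs = xor_loop_addresses()
    plain = build_constructed_image()
    packed = run_xor_loop(bytearray(plain))        # what would sit in the file
    unpacked = run_xor_loop(bytearray(packed))     # what the loop leaves in memory
    # The CALL at 0046501C is 5 bytes, so the pushed return address is 00465021.
    call_site, ebp_minus_8, target = redirect_return(unpacked, 0x465021)
    return {
        "first_addr": min(addrs),
        "last_addr": max(addrs),
        "dword_count": len(addrs),
        "jnz_untouched": packed[0x18] == plain[0x18],
        "changed": packed != plain,
        "roundtrip_ok": unpacked == plain,
        "call_site": call_site,
        "ebp_minus_8": ebp_minus_8,
        "new_return": target,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, hex(value) if type(value) is int else value)
```

Running it prints the decrypted address range, that pack/unpack round-trips, and the computed RET target; to unpack the real binary statically, replace build_constructed_image with the bytes read from the file at the raw offset that maps to 0x465000 and call run_xor_loop on them once.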