0040209E - FF25 F0114000 JMP DWORD PTR DS:[4011F0] ; msvbvm60.__vbaLateMemCallLd
004020A4 - FF25 54114000 JMP DWORD PTR DS:[401154] ; msvbvm60.rtcCreateObject2
004020AA - FF25 DC104000 JMP DWORD PTR DS:[4010DC] ; msvbvm60.__vbaObjVar
004020B0 - FF25 14114000 JMP DWORD PTR DS:[401114] ; msvbvm60.rtcShell
004020B6 - FF25 24104000 JMP DWORD PTR DS:[401024] ; msvbvm60.rtcRgb
004020BC - FF25 24114000 JMP DWORD PTR DS:[401124] ; msvbvm60.EVENT_SINK_QueryInterface
004020C2 - FF25 C4104000 JMP DWORD PTR DS:[4010C4] ; msvbvm60.EVENT_SINK_AddRef
004020C8 - FF25 10114000 JMP DWORD PTR DS:[401110] ; msvbvm60.EVENT_SINK_Release
004020CE - FF25 C8114000 JMP DWORD PTR DS:[4011C8] ; msvbvm60.ThunRTMain
004020D4 - E9 CAE1D101 JMP 021202A3
004020D9 C146 A5 06 ROL DWORD PTR DS:[ESI-5B],6
004020DD 9F LAHF
004020DE 27 DAA
004020DF 0000 ADD BYTE PTR DS:[EAX],AL
004020E1 0000 ADD BYTE PTR DS:[EAX],AL
004020E3 0030 ADD BYTE PTR DS:[EAX],DH
004020E5 0000 ADD BYTE PTR DS:[EAX],AL
004020E7 0040 00 ADD BYTE PTR DS:[EAX],AL
004020EA 0000 ADD BYTE PTR DS:[EAX],AL
004020EC 0000 ADD BYTE PTR DS:[EAX],AL
004020EE 0000 ADD BYTE PTR DS:[EAX],AL
004020F0 56 PUSH ESI
004020F1 4B DEC EBX
Is 20CE the OEP? After unpacking, PEiD can't identify it. Were bytes stolen?
0012FFBC 021202F2 返回到 021202F2 来自 08070000
0012FFC0 0040695C ASCII "VB5!6&vb6chs.dll"
0012FFC4 7C816FD7 返回到 kernel32.7C816FD7
0012FFC8 7C930738 ntdll.7C930738
0012FFCC FFFFFFFF
0012FFD0 7FFDA000
0012FFD4 8054B938
0012FFD8 0012FFC8
0012FFDC FF31C020
0012FFE0 FFFFFFFF SEH 链尾部
0012FFE4 7C839AA8 SE处理程序
0012FFE8 7C816FE0 kernel32.7C816FE0
0012FFEC 00000000
0012FFF0 00000000
0012FFF4 00000000
0012FFF8 00401000 test.<模块入口点>
I added these lines of code: push 40695C
CALL 4020CE
PEiD identifies it as VB.
I repaired both unpacked dumps with ImportREC, but they still can't be used.
First of all, let me ask: did I find the right OEP?