不浪费资源了 大家去unpack.cn 下吧
http://www.unpack.cn/viewthread.php?tid=17497&page=1&extra=page%3D1
Visual.Assist.X.V10.3.1561.0
va_x.dll
od加载 va_x.dll
按F9
提示内存错不理 点确定
下断he VirtualAlloc 按Shift+F9
然后hd VirtualAlloc取消断点 按Alt+F9返回
00CF8983 25 0000FF03 and eax, 3FF0000
00CF8988 A3 DC50D300 mov dword ptr ds:[D350DC], eax
00CF898D EB 13 jmp short 00CF89A2
00CF898F 83BD 50D6FFFF 00 cmp dword ptr ss:[ebp-29B0], 0
00CF8996 75 0A jnz short 00CF89A2
00CF8998 C705 DC50D300 000000>mov dword ptr ds:[D350DC], 0
00CF89A2 6A 40 push 40
00CF89A4 68 00200000 push 2000
00CF89A9 8B8D 4CD6FFFF mov ecx, dword ptr ss:[ebp-29B4]
00CF89AF 51 push ecx
00CF89B0 8B15 DC50D300 mov edx, dword ptr ds:[D350DC] ; 下断he 这个地址
00CF89B6 52 push edx
00CF89B7 FF15 94E1D100 call dword ptr ds:[D1E194] ; kernel32.VirtualAlloc
00CF89BD 8985 70D7FFFF mov dword ptr ss:[ebp-2890], eax ; 返回到这里
00CF89C3 83BD 70D7FFFF 00 cmp dword ptr ss:[ebp-2890], 0
00CF89CA 74 67 je short 00CF8A33
00CF89CC 6A 40 push 40
00CF89CE 68 00100000 push 1000
00CF89D3 8B85 4CD6FFFF mov eax, dword ptr ss:[ebp-29B4]
00CF89D9 50 push eax
00CF89DA 8B0D DC50D300 mov ecx, dword ptr ds:[D350DC]
00CF89E0 51 push ecx
00CF89E1 FF15 94E1D100 call dword ptr ds:[D1E194] ; kernel32.VirtualAlloc
00CF89E7 8985 70D7FFFF mov dword ptr ss:[ebp-2890], eax ; 注意eax的值应不为0
先记下这个地址 00CF89B0
现在来找magic jmp Ctrl+F2重来
按F9 提示内存错不理
下命令 bp GetModuleHandleA+5
点确定 按Shift+F9
留意堆栈
001299EC /0012F100
001299F0 |00CF5845 返回到 00CF5845 来自 kernel32.GetModuleHandleA
001299F4 |00D20C0C ASCII "kernel32.dll"
001299F8 |00D21AD8 ASCII "VirtualAlloc"
001299FC |001696D8
00129A00 |1F05D398 va_x.1F05D398
001299EC /0012F100
001299F0 |00CF5863 返回到 00CF5863 来自 kernel32.GetModuleHandleA
001299F4 |00D20C0C ASCII "kernel32.dll"
001299F8 |00D21ACC ASCII "VirtualFree"
001299FC |001696D8
00129A00 |1F05D398 va_x.1F05D398
00129738 /001299F0
0012973C |00CD8354 返回到 00CD8354 来自 kernel32.GetModuleHandleA
00129740 |001298B8 ASCII "kernel32.dll"
00129744 |00000000
00129748 |1F05D398 va_x.1F05D398
嗯 是这了 取消断点Alt+F9 返回
上下看看 找magic jmp 的特征
00CD82BC C745 F4 00000000 mov dword ptr ss:[ebp-C], 0
00CD82C3 C745 F8 3C72D200 mov dword ptr ss:[ebp-8], 0D2723C
00CD82CA EB 12 jmp short 00CD82DE
00CD82CC 8B4D F8 mov ecx, dword ptr ss:[ebp-8]
00CD82CF 83C1 0C add ecx, 0C
00CD82D2 894D F8 mov dword ptr ss:[ebp-8], ecx
00CD82D5 8B55 F4 mov edx, dword ptr ss:[ebp-C]
00CD82D8 83C2 01 add edx, 1
00CD82DB 8955 F4 mov dword ptr ss:[ebp-C], edx
00CD82DE 8B45 F8 mov eax, dword ptr ss:[ebp-8]
00CD82E1 8338 00 cmp dword ptr ds:[eax], 0 ; 记下这个地址 00CD82E1
00CD82E4 0F84 70030000 je 00CD865A ; 这就是magic jmp了
00CD82EA 68 00010000 push 100
00CD82EF 8D8D C8FEFFFF lea ecx, dword ptr ss:[ebp-138]
00CD82F5 51 push ecx
00CD82F6 8B55 F8 mov edx, dword ptr ss:[ebp-8]
00CD82F9 8B02 mov eax, dword ptr ds:[edx]
00CD82FB 50 push eax
00CD82FC E8 0FA7FDFF call 00CB2A10
00CD8301 83C4 0C add esp, 0C
00CD8304 8B4D F8 mov ecx, dword ptr ss:[ebp-8]
00CD8307 8B51 08 mov edx, dword ptr ds:[ecx+8]
00CD830A 83E2 01 and edx, 1
00CD830D 74 38 je short 00CD8347
00CD830F B8 15000000 mov eax, 15
00CD8314 C1E0 02 shl eax, 2
00CD8317 8B0D 04BBD200 mov ecx, dword ptr ds:[D2BB04] ; va_x.1F05D398
00CD831D 8B15 04BBD200 mov edx, dword ptr ds:[D2BB04] ; va_x.1F05D398
00CD8323 8B35 04BBD200 mov esi, dword ptr ds:[D2BB04] ; va_x.1F05D398
00CD8329 8B5E 74 mov ebx, dword ptr ds:[esi+74]
00CD832C 335A 50 xor ebx, dword ptr ds:[edx+50]
00CD832F 331C01 xor ebx, dword ptr ds:[ecx+eax]
00CD8332 81E3 80000000 and ebx, 80
00CD8338 F7DB neg ebx
00CD833A 1BDB sbb ebx, ebx
00CD833C F7DB neg ebx
00CD833E 0FB6C3 movzx eax, bl
00CD8341 85C0 test eax, eax
00CD8343 74 02 je short 00CD8347
00CD8345 ^ EB 85 jmp short 00CD82CC
00CD8347 8D8D C8FEFFFF lea ecx, dword ptr ss:[ebp-138]
00CD834D 51 push ecx
00CD834E FF15 C0E0D100 call dword ptr ds:[D1E0C0] ; kernel32.GetModuleHandleA
00CD8354 8B55 F4 mov edx, dword ptr ss:[ebp-C] ; 返回到这里
00CD8357 8B0D 7CDFD200 mov ecx, dword ptr ds:[D2DF7C]
00CD835D 890491 mov dword ptr ds:[ecx+edx*4], eax
00CD8360 8B55 F4 mov edx, dword ptr ss:[ebp-C]
00CD8363 A1 7CDFD200 mov eax, dword ptr ds:[D2DF7C]
00CD8368 833C90 00 cmp dword ptr ds:[eax+edx*4], 0
00CD836C 75 5C jnz short 00CD83CA
00CD836E 8B4D F8 mov ecx, dword ptr ss:[ebp-8]
00CD8371 8B51 08 mov edx, dword ptr ds:[ecx+8]
00CD8374 83E2 02 and edx, 2
00CD8377 74 38 je short 00CD83B1
00CD8379 B8 05000000 mov eax, 5
00CD837E C1E0 02 shl eax, 2
00CD8381 8B0D 04BBD200 mov ecx, dword ptr ds:[D2BB04] ; va_x.1F05D398
00CD8387 8B15 04BBD200 mov edx, dword ptr ds:[D2BB04] ; va_x.1F05D398
00CD838D 8B35 04BBD200 mov esi, dword ptr ds:[D2BB04] ; va_x.1F05D398
00CD8393 8B5E 74 mov ebx, dword ptr ds:[esi+74]
00CD8396 335A 50 xor ebx, dword ptr ds:[edx+50]
00CD8399 331C01 xor ebx, dword ptr ds:[ecx+eax]
00CD839C 83E3 10 and ebx, 10
00CD839F F7DB neg ebx
00CD83A1 1BDB sbb ebx, ebx
00CD83A3 F7DB neg ebx
00CD83A5 0FB6C3 movzx eax, bl
00CD83A8 85C0 test eax, eax
00CD83AA 75 05 jnz short 00CD83B1
00CD83AC ^ E9 1BFFFFFF jmp 00CD82CC
00CD83B1 8D8D C8FEFFFF lea ecx, dword ptr ss:[ebp-138]
00CD83B7 51 push ecx
00CD83B8 FF15 D8E1D100 call dword ptr ds:[D1E1D8] ; kernel32.LoadLibraryA
00CD83BE 8B55 F4 mov edx, dword ptr ss:[ebp-C]
00CD83C1 8B0D 7CDFD200 mov ecx, dword ptr ds:[D2DF7C]
00CD83C7 890491 mov dword ptr ds:[ecx+edx*4], eax
00CD83CA 8B55 F4 mov edx, dword ptr ss:[ebp-C]
00CD83CD A1 7CDFD200 mov eax, dword ptr ds:[D2DF7C]
00CD83D2 833C90 00 cmp dword ptr ds:[eax+edx*4], 0
00CD83D6 75 05 jnz short 00CD83DD
00CD83D8 ^ E9 EFFEFFFF jmp 00CD82CC
00CD83DD C785 BCFEFFFF 000000>mov dword ptr ss:[ebp-144], 0
00CD83E7 C785 C0FEFFFF 000000>mov dword ptr ss:[ebp-140], 0
00CD83F1 8B4D F8 mov ecx, dword ptr ss:[ebp-8]
00CD83F4 8B51 04 mov edx, dword ptr ds:[ecx+4]
00CD83F7 8995 C4FEFFFF mov dword ptr ss:[ebp-13C], edx
00CD83FD EB 0F jmp short 00CD840E
00CD83FF 8B85 C4FEFFFF mov eax, dword ptr ss:[ebp-13C]
00CD8405 83C0 0C add eax, 0C
00CD8408 8985 C4FEFFFF mov dword ptr ss:[ebp-13C], eax
00CD840E 8B8D C4FEFFFF mov ecx, dword ptr ss:[ebp-13C]
00CD8414 8339 00 cmp dword ptr ds:[ecx], 0
00CD8417 74 11 je short 00CD842A
00CD8419 8B95 C0FEFFFF mov edx, dword ptr ss:[ebp-140]
00CD841F 83C2 01 add edx, 1
00CD8422 8995 C0FEFFFF mov dword ptr ss:[ebp-140], edx
00CD8428 ^ EB D5 jmp short 00CD83FF
00CD842A 33C9 xor ecx, ecx
00CD842C 8B85 C0FEFFFF mov eax, dword ptr ss:[ebp-140]
00CD8432 BA 04000000 mov edx, 4
00CD8437 F7E2 mul edx
00CD8439 0F90C1 seto cl
00CD843C F7D9 neg ecx
00CD843E 0BC8 or ecx, eax
00CD8440 51 push ecx
00CD8441 E8 19FE0200 call 00D0825F
00CD8446 83C4 04 add esp, 4
00CD8449 8985 7CFDFFFF mov dword ptr ss:[ebp-284], eax
00CD844F 8B45 F4 mov eax, dword ptr ss:[ebp-C]
00CD8452 8B0D 74DFD200 mov ecx, dword ptr ds:[D2DF74]
00CD8458 8B95 7CFDFFFF mov edx, dword ptr ss:[ebp-284]
00CD845E 891481 mov dword ptr ds:[ecx+eax*4], edx
00CD8461 33C9 xor ecx, ecx
00CD8463 8B85 C0FEFFFF mov eax, dword ptr ss:[ebp-140]
00CD8469 BA 04000000 mov edx, 4
00CD846E F7E2 mul edx
00CD8470 0F90C1 seto cl
00CD8473 F7D9 neg ecx
00CD8475 0BC8 or ecx, eax
00CD8477 51 push ecx
00CD8478 E8 E2FD0200 call 00D0825F
00CD847D 83C4 04 add esp, 4
00CD8480 8985 78FDFFFF mov dword ptr ss:[ebp-288], eax
00CD8486 8B45 F4 mov eax, dword ptr ss:[ebp-C]
00CD8489 8B0D 78DFD200 mov ecx, dword ptr ds:[D2DF78]
00CD848F 8B95 78FDFFFF mov edx, dword ptr ss:[ebp-288]
00CD8495 891481 mov dword ptr ds:[ecx+eax*4], edx
00CD8498 8B45 F8 mov eax, dword ptr ss:[ebp-8]
00CD849B 8B48 04 mov ecx, dword ptr ds:[eax+4]
00CD849E 898D C4FEFFFF mov dword ptr ss:[ebp-13C], ecx
00CD84A4 EB 1E jmp short 00CD84C4
00CD84A6 8B95 C4FEFFFF mov edx, dword ptr ss:[ebp-13C]
00CD84AC 83C2 0C add edx, 0C
00CD84AF 8995 C4FEFFFF mov dword ptr ss:[ebp-13C], edx
00CD84B5 8B85 BCFEFFFF mov eax, dword ptr ss:[ebp-144]
00CD84BB 83C0 01 add eax, 1
00CD84BE 8985 BCFEFFFF mov dword ptr ss:[ebp-144], eax
00CD84C4 8B8D C4FEFFFF mov ecx, dword ptr ss:[ebp-13C]
00CD84CA 8339 00 cmp dword ptr ds:[ecx], 0
00CD84CD 0F84 47010000 je 00CD861A
00CD84D3 68 00010000 push 100
00CD84D8 8D95 B8FDFFFF lea edx, dword ptr ss:[ebp-248]
00CD84DE 52 push edx
00CD84DF 8B85 C4FEFFFF mov eax, dword ptr ss:[ebp-13C]
00CD84E5 8B08 mov ecx, dword ptr ds:[eax]
00CD84E7 51 push ecx
00CD84E8 E8 23A5FDFF call 00CB2A10
00CD84ED 83C4 0C add esp, 0C
00CD84F0 8B15 04BBD200 mov edx, dword ptr ds:[D2BB04] ; va_x.1F05D398
00CD84F6 A1 04BBD200 mov eax, dword ptr ds:[D2BB04]
00CD84FB 8B4A 10 mov ecx, dword ptr ds:[edx+10]
00CD84FE 3348 74 xor ecx, dword ptr ds:[eax+74]
00CD8501 8B15 04BBD200 mov edx, dword ptr ds:[D2BB04] ; va_x.1F05D398
00CD8507 334A 50 xor ecx, dword ptr ds:[edx+50]
00CD850A A1 04BBD200 mov eax, dword ptr ds:[D2BB04]
00CD850F 3348 5C xor ecx, dword ptr ds:[eax+5C]
00CD8512 898D 6CFDFFFF mov dword ptr ss:[ebp-294], ecx
00CD8518 8D8D B8FDFFFF lea ecx, dword ptr ss:[ebp-248]
00CD851E 51 push ecx
00CD851F 8B55 F4 mov edx, dword ptr ss:[ebp-C]
00CD8522 A1 7CDFD200 mov eax, dword ptr ds:[D2DF7C]
00CD8527 8B0C90 mov ecx, dword ptr ds:[eax+edx*4]
00CD852A 51 push ecx
00CD852B FF15 04E3D100 call dword ptr ds:[D1E304] ; kernel32.GetProcAddress
00CD8531 3385 6CFDFFFF xor eax, dword ptr ss:[ebp-294]
00CD8537 8B55 F4 mov edx, dword ptr ss:[ebp-C]
00CD853A 8B0D 74DFD200 mov ecx, dword ptr ds:[D2DF74]
00CD8540 8B1491 mov edx, dword ptr ds:[ecx+edx*4]
00CD8543 8B8D BCFEFFFF mov ecx, dword ptr ss:[ebp-144]
00CD8549 89048A mov dword ptr ds:[edx+ecx*4], eax
00CD854C 6A 01 push 1
00CD854E 8D95 B8FDFFFF lea edx, dword ptr ss:[ebp-248]
00CD8554 52 push edx
00CD8555 8B45 F4 mov eax, dword ptr ss:[ebp-C]
00CD8558 8B0D 7CDFD200 mov ecx, dword ptr ds:[D2DF7C]
00CD855E 8B1481 mov edx, dword ptr ds:[ecx+eax*4]
00CD8561 52 push edx
00CD8562 E8 D9090000 call 00CD8F40
00CD8567 83C4 0C add esp, 0C
00CD856A 8B4D F4 mov ecx, dword ptr ss:[ebp-C]
00CD856D 8B15 78DFD200 mov edx, dword ptr ds:[D2DF78]
00CD8573 8B0C8A mov ecx, dword ptr ds:[edx+ecx*4]
00CD8576 8B95 BCFEFFFF mov edx, dword ptr ss:[ebp-144]
00CD857C 890491 mov dword ptr ds:[ecx+edx*4], eax
00CD857F 8B45 F4 mov eax, dword ptr ss:[ebp-C]
00CD8582 8B0D 78DFD200 mov ecx, dword ptr ds:[D2DF78]
00CD8588 8B1481 mov edx, dword ptr ds:[ecx+eax*4]
00CD858B 8B85 BCFEFFFF mov eax, dword ptr ss:[ebp-144]
00CD8591 833C82 00 cmp dword ptr ds:[edx+eax*4], 0
00CD8595 75 32 jnz short 00CD85C9
00CD8597 6A 00 push 0
00CD8599 8D8D B8FDFFFF lea ecx, dword ptr ss:[ebp-248]
00CD859F 51 push ecx
00CD85A0 8B55 F4 mov edx, dword ptr ss:[ebp-C]
00CD85A3 A1 7CDFD200 mov eax, dword ptr ds:[D2DF7C]
00CD85A8 8B0C90 mov ecx, dword ptr ds:[eax+edx*4]
00CD85AB 51 push ecx
00CD85AC E8 8F090000 call 00CD8F40
00CD85B1 83C4 0C add esp, 0C
00CD85B4 8B55 F4 mov edx, dword ptr ss:[ebp-C]
00CD85B7 8B0D 78DFD200 mov ecx, dword ptr ds:[D2DF78]
00CD85BD 8B1491 mov edx, dword ptr ds:[ecx+edx*4]
00CD85C0 8B8D BCFEFFFF mov ecx, dword ptr ss:[ebp-144]
00CD85C6 89048A mov dword ptr ds:[edx+ecx*4], eax
00CD85C9 8B55 F4 mov edx, dword ptr ss:[ebp-C]
00CD85CC A1 78DFD200 mov eax, dword ptr ds:[D2DF78]
00CD85D1 8B0C90 mov ecx, dword ptr ds:[eax+edx*4]
00CD85D4 8B15 04BBD200 mov edx, dword ptr ds:[D2BB04] ; va_x.1F05D398
00CD85DA A1 04BBD200 mov eax, dword ptr ds:[D2BB04]
00CD85DF 8B35 04BBD200 mov esi, dword ptr ds:[D2BB04] ; va_x.1F05D398
00CD85E5 8B3D 04BBD200 mov edi, dword ptr ds:[D2BB04] ; va_x.1F05D398
00CD85EB 8B7F 10 mov edi, dword ptr ds:[edi+10]
00CD85EE 337E 74 xor edi, dword ptr ds:[esi+74]
00CD85F1 3378 50 xor edi, dword ptr ds:[eax+50]
00CD85F4 337A 5C xor edi, dword ptr ds:[edx+5C]
00CD85F7 8B95 BCFEFFFF mov edx, dword ptr ss:[ebp-144]
00CD85FD 333C91 xor edi, dword ptr ds:[ecx+edx*4]
00CD8600 8B45 F4 mov eax, dword ptr ss:[ebp-C]
00CD8603 8B0D 78DFD200 mov ecx, dword ptr ds:[D2DF78]
00CD8609 8B1481 mov edx, dword ptr ds:[ecx+eax*4]
00CD860C 8B85 BCFEFFFF mov eax, dword ptr ss:[ebp-144]
00CD8612 893C82 mov dword ptr ds:[edx+eax*4], edi
00CD8615 ^ E9 8CFEFFFF jmp 00CD84A6
00CD861A 8B0D 04BBD200 mov ecx, dword ptr ds:[D2BB04] ; va_x.1F05D398
00CD8620 8B15 04BBD200 mov edx, dword ptr ds:[D2BB04] ; va_x.1F05D398
00CD8626 A1 04BBD200 mov eax, dword ptr ds:[D2BB04]
00CD862B 8B35 04BBD200 mov esi, dword ptr ds:[D2BB04] ; va_x.1F05D398
00CD8631 8B76 70 mov esi, dword ptr ds:[esi+70]
00CD8634 3370 50 xor esi, dword ptr ds:[eax+50]
00CD8637 3372 78 xor esi, dword ptr ds:[edx+78]
00CD863A 3371 08 xor esi, dword ptr ds:[ecx+8]
00CD863D 8B4D F4 mov ecx, dword ptr ss:[ebp-C]
00CD8640 8B15 7CDFD200 mov edx, dword ptr ds:[D2DF7C]
00CD8646 33348A xor esi, dword ptr ds:[edx+ecx*4]
00CD8649 8B45 F4 mov eax, dword ptr ss:[ebp-C]
00CD864C 8B0D 7CDFD200 mov ecx, dword ptr ds:[D2DF7C]
00CD8652 893481 mov dword ptr ds:[ecx+eax*4], esi
00CD8655 ^ E9 72FCFFFF jmp 00CD82CC
00CD865A EB 03 jmp short 00CD865F
00CD865C D6 salc
00CD865D D6 salc
00CD865E 8F ??? ; 未知命令
00CD865F 8B15 8C4CD300 mov edx, dword ptr ds:[D34C8C] ; 在这里下F2 中断后还原magic jmp的代码
00CD8665 8995 B4FDFFFF mov dword ptr ss:[ebp-24C], edx
00CD866B 83BD B4FDFFFF 00 cmp dword ptr ss:[ebp-24C], 0
00CD8672 74 36 je short 00CD86AA
记下 00CD82E1 这个地址
好了 需要的东东找齐了现在来一次过脱
Ctrl+F2 重来
下断he 00CF89B0
下断he 00CD82E1
按Shift+F9
断在了 magic jmp 上一点的 00CD82E1 处
修改
00CD82E4 /0F84 70030000 je 00CD865A ; 这就是magic jmp了
为
00CD82E4 /E9 71030000 jmp 00CD865A ; 这就是magic jmp了
00CD82E9 |90 nop
再到下面的 00CD8665 下F2 00CF89B0的硬件断点可取消或多按几下F9了
继续F9
中断在00CD8665后还原上面magic的代码
取消00CD8665断点 继续F9
00CF8998 C705 DC50D300 000000>mov dword ptr ds:[D350DC], 0
00CF89A2 6A 40 push 40
00CF89A4 68 00200000 push 2000
00CF89A9 8B8D 4CD6FFFF mov ecx, dword ptr ss:[ebp-29B4]
00CF89AF 51 push ecx
00CF89B0 8B15 DC50D300 mov edx, dword ptr ds:[D350DC] ; 下断he 这个地址
00CF89B6 52 push edx
00CF89B7 FF15 94E1D100 call dword ptr ds:[D1E194] ; kernel32.VirtualAlloc
00CF89BD 8985 70D7FFFF mov dword ptr ss:[ebp-2890], eax ; 返回到这里
00CF89C3 83BD 70D7FFFF 00 cmp dword ptr ss:[ebp-2890], 0
00CF89CA 74 67 je short 00CF8A33
00CF89CC 6A 40 push 40
00CF89CE 68 00100000 push 1000
00CF89D3 8B85 4CD6FFFF mov eax, dword ptr ss:[ebp-29B4]
00CF89D9 50 push eax
00CF89DA 8B0D DC50D300 mov ecx, dword ptr ds:[D350DC]
00CF89E0 51 push ecx
00CF89E1 FF15 94E1D100 call dword ptr ds:[D1E194] ; kernel32.VirtualAlloc
00CF89E7 8985 70D7FFFF mov dword ptr ss:[ebp-2890], eax ; 注意eax的值应不为0
断在 00CF89B0 了
这时 d [[D350DC] = 03A50000
这是申请出来放va_x.dll初始化时用到的数据的内存段了
嗯 成改成 1F200000吧
改好后壳会自动帮你调整调用到 jmp 1F30xxxx 的地址为 jmp 1F30xxxx的了 方便一会补区段
好了Alt+M 在第二个段下内存读断点吧(直接F2也行,不用一会取消哦 :)~)
然后按F9~
中断在OEP了
LordPE 上场了 先完全Dump吧
再来部分Deump 地址:1F300000 大小:20000 就是上面我改成1F300000的段哦
接着就用ImportREC 来修复IAT了
由于此DLL加载后没有进行重定位,所以保留 Use PE Header From Disk 选项
oep:17A17C 点IAT AutoSearch 自动找到
RVA:001F2000 Size: 00000B28
获取输入表
CUT掉无效的函数
修复
重定位表修复
Armadillo对于DLL比较友好,没有加密重定位表,因此就没有再调试时跟踪此重定位处理了
LordPE察看区段,“.reloc”段RVA即是重定位表RVA,Size看看其结尾的00就知道了
RVA: 002C8000 Size: 002EDBc4 - 002C8000 = 25BC4
LordPE导入Dumped.dmp的数据也就是刚才1F200000的数据了
修正区段的RVA: 1F300000 - 1ED00000 = 600000
LorePE只选验证PE 重建一下文件
(注意一下原来Win2003对导入表所在区段的属性有限制 C0000040即可)
1ED9B450 >/$ 83EC 0C sub esp, 0C ; 导出函数 COMSETUP
1ED9B453 |. 68 5004F01E push va_x.1EF00450 ; ASCII "VAX:IDE Main Thread"
1ED9B458 |. E8 A3D6F7FF call va_x.1ED18B00
1ED9B45D |. 83C4 04 add esp, 4
1ED9B460 |. E8 7BF5F7FF call va_x.1ED1A9E0
1ED9B465 |. 50 push eax
1ED9B466 |. 8D4C24 04 lea ecx, dword ptr ss:[esp+4]
1ED9B46A |. E8 11F30500 call va_x.1EDFA780
1ED9B46F |. E8 ECAAFAFF call va_x.1ED45F60 ; 进去看看
1ED9B474 |. 85C0 test eax, eax
1ED9B476 |. 0F84 CA010000 je va_x.1ED9B646
1ED9B47C |. 8B0424 mov eax, dword ptr ss:[esp]
1ED9B47F |. 8B48 F8 mov ecx, dword ptr ds:[eax-8]
1ED9B482 |. 85C9 test ecx, ecx
1ED9B484 |. 0F84 BC010000 je va_x.1ED9B646
1ED9B48A |. F605 F09DF61E 01 test byte ptr ds:[1EF69DF0], 1
1ED9B491 |. 74 0D je short va_x.1ED9B4A0
1ED9B493 |. 68 4404F01E push va_x.1EF00444 ; ASCII "ComSetup"
1ED9B498 |. E8 1338FEFF call va_x.1ED7ECB0
1ED9B49D |. 83C4 04 add esp, 4
1ED9B4A0 |> E8 92BE0D00 call va_x.1EE77337
1ED45F60 /$ 64:A1 00000000 mov eax, dword ptr fs:[0]
1ED45F66 |. 6A FF push -1
1ED45F68 |. 68 80EBEB1E push va_x.1EEBEB80
1ED45F6D |. 50 push eax
1ED45F6E |. 64:8925 00000000 mov dword ptr fs:[0], esp
1ED45F75 |. 83EC 38 sub esp, 38
1ED45F78 |. 6A 00 push 0
1ED45F7A |. 68 9D000000 push 9D
1ED45F7F |. 68 7885EF1E push va_x.1EEF8578 ; ASCII "EDL:"
1ED45F84 |. E8 77960300 call va_x.1ED7F600
1ED45F89 |. 83C4 0C add esp, 0C
1ED45F8C |. E8 9FFCFFFF call va_x.1ED45C30
1ED45F91 |. A1 F09DF61E mov eax, dword ptr ds:[1EF69DF0]
1ED45F96 |. 85C0 test eax, eax
1ED45F98 |. 74 20 je short va_x.1ED45FBA
1ED45F9A |. 6A 00 push 0
1ED45F9C |. E8 2F8F0300 call va_x.1ED7EED0
1ED45FA1 |. A1 F09DF61E mov eax, dword ptr ds:[1EF69DF0]
1ED45FA6 |. 83C4 04 add esp, 4
1ED45FA9 |. 85C0 test eax, eax
1ED45FAB |. 74 0D je short va_x.1ED45FBA
1ED45FAD |. 68 348AEF1E push va_x.1EEF8A34 ; ASCII "InitInstance EdDll loading"
1ED45FB2 |. E8 F98C0300 call va_x.1ED7ECB0
1ED45FB7 |. 83C4 04 add esp, 4
1ED45FBA |> A1 7CE5F51E mov eax, dword ptr ds:[1EF5E57C]
1ED45FBF |. 8B40 04 mov eax, dword ptr ds:[eax+4]
1ED45FC2 |. 83F8 02 cmp eax, 2
1ED45FC5 |. 74 05 je short va_x.1ED45FCC
1ED45FC7 |. 83F8 03 cmp eax, 3
1ED45FCA |. 75 39 jnz short va_x.1ED46005
1ED45FCC |> 68 288AEF1E push va_x.1EEF8A28 ; /pModule = "cwvsnet.dll"
1ED45FD1 |. FF15 8093231F call dword ptr ds:[<&kernel32.GetModuleHandleA>] ; \GetModuleHandleA
1ED45FD7 |. 85C0 test eax, eax
1ED45FD9 |. 74 2A je short va_x.1ED46005
1ED45FDB |. 6A 00 push 0 ; /Style = MB_OK|MB_APPLMODAL
1ED45FDD |. 68 188AEF1E push va_x.1EEF8A18 ; |Title = "Visual Assist"
1ED45FE2 |. 68 F088EF1E push va_x.1EEF88F0 ; |Text = "Unfortunately, Visual Assist X is not compatible with CodeWright for
Microsoft Visual Studio .NET. You must remove CodeWright using the
Add/Remove Programs before running Visual Assist X.
Please contact support@wholetomato.com or cwne"...
1ED45FE7 |. FF15 8899231F call dword ptr ds:[<&user32.GetFocus>] ; |[GetFocus
1ED45FED |. 50 push eax ; |hOwner
1ED45FEE |. FF15 AC99231F call dword ptr ds:[<&user32.MessageBoxA>] ; \MessageBoxA
1ED45FF4 |. 33C0 xor eax, eax
1ED45FF6 |. 8B4C24 38 mov ecx, dword ptr ss:[esp+38]
1ED45FFA |. 64:890D 00000000 mov dword ptr fs:[0], ecx
1ED46001 |. 83C4 44 add esp, 44
1ED46004 |. C3 retn
1ED46005 |> 56 push esi
1ED46006 |. E8 66521400 call va_x.1EE8B271
1ED4600B |. 8B10 mov edx, dword ptr ds:[eax]
1ED4600D |. 8BC8 mov ecx, eax
1ED4600F |. FF52 0C call dword ptr ds:[edx+C]
1ED46012 |. 83C0 10 add eax, 10
1ED46015 |. 894424 04 mov dword ptr ss:[esp+4], eax
1ED46019 |. 8D4424 10 lea eax, dword ptr ss:[esp+10]
1ED4601D |. 68 E488EF1E push va_x.1EEF88E4 ; ASCII "DAYSLEFT"
1ED46022 |. 50 push eax
1ED46023 |. C74424 4C 00000000 mov dword ptr ss:[esp+4C], 0
1ED4602B |. E8 A0FDFFFF call va_x.1ED45DD0
1ED46030 |. 8BF0 mov esi, eax
1ED46032 |. 8D4C24 14 lea ecx, dword ptr ss:[esp+14]
1ED46036 |. 68 D488EF1E push va_x.1EEF88D4 ; ASCII "DAYSINSTALLED"
1ED4603B |. 51 push ecx
1ED4603C |. C64424 54 01 mov byte ptr ss:[esp+54], 1
1ED46041 |. E8 8AFDFFFF call va_x.1ED45DD0
1ED46046 |. 8B16 mov edx, dword ptr ds:[esi]
1ED46048 |. 8B00 mov eax, dword ptr ds:[eax]
1ED4604A |. 52 push edx
1ED4604B |. 50 push eax
1ED4604C |. 8D4C24 1C lea ecx, dword ptr ss:[esp+1C]
1ED46050 |. 68 C888EF1E push va_x.1EEF88C8 ; ASCII "TI: %s-%s"
1ED46055 |. 51 push ecx
1ED46056 |. C64424 64 02 mov byte ptr ss:[esp+64], 2
1ED4605B |. E8 90BDFBFF call va_x.1ED01DF0
1ED46060 |. 8B4424 2C mov eax, dword ptr ss:[esp+2C]
1ED46064 |. 83C0 F0 add eax, -10
1ED46067 |. 83C4 20 add esp, 20
1ED4606A |. C64424 44 01 mov byte ptr ss:[esp+44], 1
1ED4606F |. 8D50 0C lea edx, dword ptr ds:[eax+C]
1ED46072 |. 83C9 FF or ecx, FFFFFFFF
1ED46075 |. F0:0FC10A lock xadd dword ptr ds:[edx], ecx
1ED46079 |. 49 dec ecx
1ED4607A |. 85C9 test ecx, ecx
1ED4607C |. 7F 08 jg short va_x.1ED46086
1ED4607E |. 8B08 mov ecx, dword ptr ds:[eax]
1ED46080 |. 8B11 mov edx, dword ptr ds:[ecx]
1ED46082 |. 50 push eax
1ED46083 |. FF52 04 call dword ptr ds:[edx+4]
1ED46086 |> 8B4424 10 mov eax, dword ptr ss:[esp+10]
1ED4608A |. 83C0 F0 add eax, -10
1ED4608D |. C64424 44 00 mov byte ptr ss:[esp+44], 0
1ED46092 |. 8D48 0C lea ecx, dword ptr ds:[eax+C]
1ED46095 |. 83CA FF or edx, FFFFFFFF
1ED46098 |. F0:0FC111 lock xadd dword ptr ds:[ecx], edx
1ED4609C |. 4A dec edx
1ED4609D |. 85D2 test edx, edx
1ED4609F |. 7F 08 jg short va_x.1ED460A9
1ED460A1 |. 8B08 mov ecx, dword ptr ds:[eax]
1ED460A3 |. 8B11 mov edx, dword ptr ds:[ecx]
1ED460A5 |. 50 push eax
1ED460A6 |. FF52 04 call dword ptr ds:[edx+4]
1ED460A9 |> 8B7424 04 mov esi, dword ptr ss:[esp+4]
1ED460AD |. 53 push ebx
1ED460AE |. 57 push edi
1ED460AF |. 6A 00 push 0
1ED460B1 |. 68 B9000000 push 0B9
1ED460B6 |. 56 push esi
1ED460B7 |. E8 44950300 call va_x.1ED7F600
1ED460BC |. 8D4424 24 lea eax, dword ptr ss:[esp+24]
1ED460C0 |. 68 D488EF1E push va_x.1EEF88D4 ; ASCII "DAYSINSTALLED"
1ED460C5 |. 50 push eax
1ED460C6 |. E8 05FDFFFF call va_x.1ED45DD0
1ED460CB |. 8B08 mov ecx, dword ptr ds:[eax]
1ED460CD |. 8B79 F4 mov edi, dword ptr ds:[ecx-C]
1ED460D0 |. 8B4424 2C mov eax, dword ptr ss:[esp+2C]
1ED460D4 |. 83C4 14 add esp, 14
1ED460D7 |. 85FF test edi, edi
1ED460D9 |. 0F94C3 sete bl
1ED460DC |. 83C0 F0 add eax, -10
1ED460DF |. 8D50 0C lea edx, dword ptr ds:[eax+C]
1ED460E2 |. 83C9 FF or ecx, FFFFFFFF
1ED460E5 |. F0:0FC10A lock xadd dword ptr ds:[edx], ecx
1ED460E9 |. 49 dec ecx
1ED460EA |. 85C9 test ecx, ecx
1ED460EC |. 7F 08 jg short va_x.1ED460F6
1ED460EE |. 8B08 mov ecx, dword ptr ds:[eax]
1ED460F0 |. 8B11 mov edx, dword ptr ds:[ecx]
1ED460F2 |. 50 push eax
1ED460F3 |. FF52 04 call dword ptr ds:[edx+4]
1ED460F6 |> 84DB test bl, bl ; License是否正确,正确就跳向1Ed46148,否则返回0
1ED460F8 |. 74 4E je short va_x.1ED46148 ; 修改为 jmp 1ED46148
1ED460FA |. A1 78ACF61E mov eax, dword ptr ds:[1EF6AC78]
1ED460FF |. 6A 00 push 0 ; /Style = MB_OK|MB_APPLMODAL
1ED46101 |. 68 C088EF1E push va_x.1EEF88C0 ; |Title = "License"
1ED46106 |. 68 B888EF1E push va_x.1EEF88B8 ; |Text = "Error"
1ED4610B |. 50 push eax ; |hOwner => NULL
1ED4610C |. FF15 AC99231F call dword ptr ds:[<&user32.MessageBoxA>] ; \MessageBoxA
1ED46112 |. 8D46 F0 lea eax, dword ptr ds:[esi-10]
1ED46115 |> C74424 4C FFFFFFFF mov dword ptr ss:[esp+4C], -1
1ED4611D |. 8D48 0C lea ecx, dword ptr ds:[eax+C]
1ED46120 |. 83CA FF or edx, FFFFFFFF
1ED46123 |. F0:0FC111 lock xadd dword ptr ds:[ecx], edx
1ED46127 |. 4A dec edx
1ED46128 |. 85D2 test edx, edx
1ED4612A |. 7F 08 jg short va_x.1ED46134
1ED4612C |. 8B08 mov ecx, dword ptr ds:[eax]
1ED4612E |. 8B11 mov edx, dword ptr ds:[ecx]
1ED46130 |. 50 push eax
1ED46131 |. FF52 04 call dword ptr ds:[edx+4]
1ED46134 |> 5F pop edi
1ED46135 |. 5B pop ebx
1ED46136 |. 33C0 xor eax, eax
1ED46138 |. 5E pop esi
1ED46139 |. 8B4C24 38 mov ecx, dword ptr ss:[esp+38]
1ED4613D |. 64:890D 00000000 mov dword ptr fs:[0], ecx
1ED46144 |. 83C4 44 add esp, 44
1ED46147 |. C3 retn
1ED46148 |> 55 push ebp ; License 正确定到这进一步验证
1ED46149 |. 8D4424 34 lea eax, dword ptr ss:[esp+34]
1ED4614D |. 68 B088EF1E push va_x.1EEF88B0 ; ASCII "EXPIRED"
1ED46152 |. 50 push eax
1ED46153 |. E8 18F9FFFF call va_x.1ED45A70
1ED46158 |. 8BF0 mov esi, eax
1ED4615A |. 8D4C24 38 lea ecx, dword ptr ss:[esp+38]
1ED4615E |. 68 D488EF1E push va_x.1EEF88D4 ; ASCII "DAYSINSTALLED"
1ED46163 |. 51 push ecx
1ED46164 |. C64424 60 03 mov byte ptr ss:[esp+60], 3
1ED46169 |. E8 02F9FFFF call va_x.1ED45A70
1ED4616E |. 8BF8 mov edi, eax
1ED46170 |. 8D5424 3C lea edx, dword ptr ss:[esp+3C]
1ED46174 |. 68 E488EF1E push va_x.1EEF88E4 ; ASCII "DAYSLEFT"
1ED46179 |. 52 push edx
1ED4617A |. C64424 68 04 mov byte ptr ss:[esp+68], 4
1ED4617F |. E8 ECF8FFFF call va_x.1ED45A70
1ED46184 |. 83C4 18 add esp, 18
1ED46187 |. 8BE8 mov ebp, eax
1ED46189 |. C64424 50 05 mov byte ptr ss:[esp+50], 5
1ED4618E |. E8 4D320B00 call va_x.1EDF93E0
1ED46193 |. 8B00 mov eax, dword ptr ds:[eax]
1ED46195 |. 68 A888EF1E push va_x.1EEF88A8 ; ASCII "EDL: "
1ED4619A |. 8D4C24 1C lea ecx, dword ptr ss:[esp+1C]
1ED4619E |. 894424 1C mov dword ptr ss:[esp+1C], eax
1ED461A2 |. E8 493A0B00 call va_x.1EDF9BF0
1ED461A7 |. 55 push ebp
1ED461A8 |. 8D4C24 1C lea ecx, dword ptr ss:[esp+1C]
1ED461AC |. 51 push ecx
1ED461AD |. 8D5424 30 lea edx, dword ptr ss:[esp+30]
1ED461B1 |. 52 push edx
1ED461B2 |. C64424 5C 06 mov byte ptr ss:[esp+5C], 6
1ED461B7 |. E8 34470B00 call va_x.1EDFA8F0
1ED461BC |. 68 A488EF1E push va_x.1EEF88A4 ; ASCII ", "
1ED461C1 |. 50 push eax
1ED461C2 |. 8D4424 2C lea eax, dword ptr ss:[esp+2C]
1ED461C6 |. 50 push eax
1ED461C7 |. C64424 5C 07 mov byte ptr ss:[esp+5C], 7
1ED461CC |. E8 CF470B00 call va_x.1EDFA9A0
1ED461D1 |. 57 push edi
1ED461D2 |. 50 push eax
1ED461D3 |. 8D4C24 28 lea ecx, dword ptr ss:[esp+28]
1ED461D7 |. 51 push ecx
1ED461D8 |. C64424 5C 08 mov byte ptr ss:[esp+5C], 8
1ED461DD |. E8 0E470B00 call va_x.1EDFA8F0
1ED461E2 |. 68 A488EF1E push va_x.1EEF88A4 ; ASCII ", "
1ED461E7 |. 50 push eax
1ED461E8 |. 8D5424 24 lea edx, dword ptr ss:[esp+24]
1ED461EC |. 52 push edx
1ED461ED |. C64424 5C 09 mov byte ptr ss:[esp+5C], 9
1ED461F2 |. E8 A9470B00 call va_x.1EDFA9A0
1ED461F7 |. 56 push esi
1ED461F8 |. 50 push eax
1ED461F9 |. 8D4424 1C lea eax, dword ptr ss:[esp+1C]
1ED461FD |. 50 push eax
1ED461FE |. C64424 5C 0A mov byte ptr ss:[esp+5C], 0A
1ED46203 |. E8 E8460B00 call va_x.1EDFA8F0
1ED46208 |. 8D4C24 1C lea ecx, dword ptr ss:[esp+1C]
1ED4620C |. C64424 50 13 mov byte ptr ss:[esp+50], 13
1ED46211 |. E8 DA310B00 call va_x.1EDF93F0
1ED46216 |. 8D4C24 20 lea ecx, dword ptr ss:[esp+20]
1ED4621A |. C64424 50 12 mov byte ptr ss:[esp+50], 12
1ED4621F |. E8 CC310B00 call va_x.1EDF93F0
1ED46224 |. C64424 50 11 mov byte ptr ss:[esp+50], 11
1ED46229 |. 8D4C24 24 lea ecx, dword ptr ss:[esp+24]
1ED4622D |. E8 BE310B00 call va_x.1EDF93F0
1ED46232 |. 8D4C24 28 lea ecx, dword ptr ss:[esp+28]
1ED46236 |. C64424 50 10 mov byte ptr ss:[esp+50], 10
1ED4623B |. E8 B0310B00 call va_x.1EDF93F0
1ED46240 |. 8D4C24 18 lea ecx, dword ptr ss:[esp+18]
1ED46244 |. C64424 50 0F mov byte ptr ss:[esp+50], 0F
1ED46249 |. E8 A2310B00 call va_x.1EDF93F0
1ED4624E |. 8D4C24 2C lea ecx, dword ptr ss:[esp+2C]
1ED46252 |. C64424 50 0E mov byte ptr ss:[esp+50], 0E
1ED46257 |. E8 94310B00 call va_x.1EDF93F0
1ED4625C |. 8D4C24 30 lea ecx, dword ptr ss:[esp+30]
1ED46260 |. C64424 50 0D mov byte ptr ss:[esp+50], 0D
1ED46265 |. E8 86310B00 call va_x.1EDF93F0
1ED4626A |. 8D4C24 34 lea ecx, dword ptr ss:[esp+34]
1ED4626E |. C64424 50 0C mov byte ptr ss:[esp+50], 0C
1ED46273 |. E8 78310B00 call va_x.1EDF93F0
1ED46278 |. 8B4C24 14 mov ecx, dword ptr ss:[esp+14]
1ED4627C |. 6A 00 push 0
1ED4627E |. 68 C7000000 push 0C7
1ED46283 |. 51 push ecx
1ED46284 |. E8 77930300 call va_x.1ED7F600
1ED46289 |. 83C4 0C add esp, 0C
1ED4628C |. E8 F4B21600 call va_x.1EEB1585
1ED46291 |. 8B40 08 mov eax, dword ptr ds:[eax+8]
1ED46294 |. 50 push eax
1ED46295 |. E8 F6610C00 call va_x.1EE0C490
1ED4629A |. 8D5424 3C lea edx, dword ptr ss:[esp+3C]
1ED4629E |. 52 push edx
1ED4629F |. 8D4424 44 lea eax, dword ptr ss:[esp+44]
1ED462A3 |. 50 push eax
1ED462A4 |. 8D4C24 4C lea ecx, dword ptr ss:[esp+4C]
1ED462A8 |. 51 push ecx
1ED462A9 |. E8 9204FDFF call va_x.1ED16740
1ED462AE |. 8B5424 48 mov edx, dword ptr ss:[esp+48]
1ED462B2 |. 8B4424 4C mov eax, dword ptr ss:[esp+4C]
1ED462B6 |. 8B4C24 50 mov ecx, dword ptr ss:[esp+50]
1ED462BA |. 52 push edx
1ED462BB |. 50 push eax
1ED462BC |. 51 push ecx
1ED462BD |. E8 DE610C00 call va_x.1EE0C4A0
1ED462C2 |. 83C4 1C add esp, 1C
1ED462C5 |. E8 36660C00 call va_x.1EE0C900
1ED462CA |. 85C0 test eax, eax
1ED462CC |. 5D pop ebp
1ED462CD |. 0F84 1E010000 je va_x.1ED463F1 ; 看看注册码正确跳到返回真,否则看是否过期了 一定要jmp
1ED462D3 |. 83F8 02 cmp eax, 2
1ED462D6 |. 0F94C2 sete dl
1ED462D9 |. 52 push edx
1ED462DA |. E8 D1970B00 call va_x.1EDFFAB0 ; 弹出Licenes信息窗口
1ED462DF |. 83C4 04 add esp, 4
1ED462E2 |. 85C0 test eax, eax
1ED462E4 |. 75 31 jnz short va_x.1ED46317
1ED462E6 |. 50 push eax ; /Style
1ED462E7 |. A1 78ACF61E mov eax, dword ptr ds:[1EF6AC78] ; |
1ED462EC |. 68 F437EF1E push va_x.1EEF37F4 ; |Title = "Visual Assist X"
1ED462F1 |. 68 2888EF1E push va_x.1EEF8828 ; |Text = "Visual Assist X is loaded but dormant. You should uninstall the
software or purchase a license if your trial has expired."
1ED462F6 |. 50 push eax ; |hOwner => NULL
1ED462F7 |. FF15 AC99231F call dword ptr ds:[<&user32.MessageBoxA>] ; \MessageBoxA
1ED462FD |. 8D4C24 10 lea ecx, dword ptr ss:[esp+10]
1ED46301 |. C64424 4C 00 mov byte ptr ss:[esp+4C], 0
1ED46306 |. E8 E5300B00 call va_x.1EDF93F0
1ED4630B |. 8B4424 0C mov eax, dword ptr ss:[esp+C]
1ED4630F |. 83C0 F0 add eax, -10
1ED46312 |.^ E9 FEFDFFFF jmp va_x.1ED46115
1ED46317 |> E8 E4650C00 call va_x.1EE0C900
1ED4631C |. 85C0 test eax, eax
1ED4631E |. 0F84 CD000000 je va_x.1ED463F1
1ED46324 |. 8D4424 40 lea eax, dword ptr ss:[esp+40]
1ED46328 |. 68 1C88EF1E push va_x.1EEF881C ; ASCII "CLOCKBACK"
1ED4632D |. 50 push eax
1ED4632E |. E8 9DFAFFFF call va_x.1ED45DD0
1ED46333 |. 8B08 mov ecx, dword ptr ds:[eax]
1ED46335 |. 8B71 F4 mov esi, dword ptr ds:[ecx-C]
1ED46338 |. 83C4 08 add esp, 8
1ED4633B |. 8D4C24 40 lea ecx, dword ptr ss:[esp+40]
1ED4633F |. E8 ACB3FBFF call va_x.1ED016F0
1ED46344 |. 85F6 test esi, esi
1ED46346 |. 74 10 je short va_x.1ED46358
1ED46348 |. 8B15 78ACF61E mov edx, dword ptr ds:[1EF6AC78]
1ED4634E |. 52 push edx
1ED4634F |. 6A 00 push 0
1ED46351 |. 68 7087EF1E push va_x.1EEF8770 ; ASCII "Visual Assist X is unable to start your trial. You may need to reboot your system. If the problem persists, contact support@wholetomato.com for assistance.
Error: CBX-3"
1ED46356 |. EB 66 jmp short va_x.1ED463BE
1ED46358 |> 8D4424 40 lea eax, dword ptr ss:[esp+40]
1ED4635C |. 68 5C87EF1E push va_x.1EEF875C ; ASCII "CLOCKFORWARD"
1ED46361 |. 50 push eax
1ED46362 |. E8 69FAFFFF call va_x.1ED45DD0
1ED46367 |. 8B08 mov ecx, dword ptr ds:[eax]
1ED46369 |. 8B71 F4 mov esi, dword ptr ds:[ecx-C]
1ED4636C |. 83C4 08 add esp, 8
1ED4636F |. 8D4C24 40 lea ecx, dword ptr ss:[esp+40]
1ED46373 |. E8 78B3FBFF call va_x.1ED016F0
1ED46378 |. 85F6 test esi, esi
1ED4637A |. 74 10 je short va_x.1ED4638C
1ED4637C |. 8B15 78ACF61E mov edx, dword ptr ds:[1EF6AC78]
1ED46382 |. 52 push edx
1ED46383 |. 6A 00 push 0
1ED46385 |. 68 B086EF1E push va_x.1EEF86B0 ; ASCII "Visual Assist X is unable to start your trial. You may need to reboot your system. If the problem persists, contact support@wholetomato.com for assistance.
Error: CFX-3"
1ED4638A |. EB 32 jmp short va_x.1ED463BE
1ED4638C |> 8D4424 40 lea eax, dword ptr ss:[esp+40]
1ED46390 |. 68 B088EF1E push va_x.1EEF88B0 ; ASCII "EXPIRED"
1ED46395 |. 50 push eax
1ED46396 |. E8 35FAFFFF call va_x.1ED45DD0
1ED4639B |. 8B08 mov ecx, dword ptr ds:[eax]
1ED4639D |. 8B71 F4 mov esi, dword ptr ds:[ecx-C]
1ED463A0 |. 83C4 08 add esp, 8
1ED463A3 |. 8D4C24 40 lea ecx, dword ptr ss:[esp+40]
1ED463A7 |. E8 44B3FBFF call va_x.1ED016F0
1ED463AC |. 85F6 test esi, esi
1ED463AE |. 74 46 je short va_x.1ED463F6
1ED463B0 |. 8B15 78ACF61E mov edx, dword ptr ds:[1EF6AC78]
1ED463B6 |. 52 push edx
1ED463B7 |. 6A 00 push 0
1ED463B9 |. 68 3086EF1E push va_x.1EEF8630 ; ASCII "There is a problem with your license for Visual Assist X. Please contact support@wholetomato.com for assistance.
Error: CEX-3"
1ED463BE |> E8 2D8A0300 call va_x.1ED7EDF0
1ED463C3 |. 83C4 0C add esp, 0C
1ED463C6 |. 8D4C24 10 lea ecx, dword ptr ss:[esp+10]
1ED463CA |. C64424 4C 00 mov byte ptr ss:[esp+4C], 0
1ED463CF |. E8 1C300B00 call va_x.1EDF93F0
1ED463D4 |. 8D4C24 0C lea ecx, dword ptr ss:[esp+C]
1ED463D8 |. E8 13B3FBFF call va_x.1ED016F0
1ED463DD |. 5F pop edi
1ED463DE |. 5B pop ebx
1ED463DF |. 33C0 xor eax, eax
1ED463E1 |. 5E pop esi
1ED463E2 |. 8B4C24 38 mov ecx, dword ptr ss:[esp+38]
1ED463E6 |. 64:890D 00000000 mov dword ptr fs:[0], ecx
1ED463ED |. 83C4 44 add esp, 44
1ED463F0 |. C3 retn
1ED463F1 |> E8 3A310300 call va_x.1ED79530
1ED463F6 |> A1 F09DF61E mov eax, dword ptr ds:[1EF69DF0]
1ED463FB |. 85C0 test eax, eax
1ED463FD |. 74 0D je short va_x.1ED4640C
1ED463FF |. 68 1086EF1E push va_x.1EEF8610 ; ASCII "InitInstance EdDll loaded"
1ED46404 |. E8 A7880300 call va_x.1ED7ECB0
1ED46409 |. 83C4 04 add esp, 4
1ED4640C |> 6A 00 push 0
1ED4640E |. 68 F6000000 push 0F6
1ED46413 |. 68 7885EF1E push va_x.1EEF8578 ; ASCII "EDL:"
1ED46418 |. E8 E3910300 call va_x.1ED7F600
1ED4641D |. 83C4 0C add esp, 0C
1ED46420 |. 8D4C24 10 lea ecx, dword ptr ss:[esp+10]
1ED46424 |. C64424 4C 00 mov byte ptr ss:[esp+4C], 0
1ED46429 |. E8 C22F0B00 call va_x.1EDF93F0
1ED4642E |. 8B4424 0C mov eax, dword ptr ss:[esp+C]
1ED46432 |. 83C0 F0 add eax, -10
1ED46435 |. C74424 4C FFFFFFFF mov dword ptr ss:[esp+4C], -1
1ED4643D |. 8D48 0C lea ecx, dword ptr ds:[eax+C]
1ED46440 |. 83CA FF or edx, FFFFFFFF
1ED46443 |. F0:0FC111 lock xadd dword ptr ds:[ecx], edx
1ED46447 |. 4A dec edx
1ED46448 |. 85D2 test edx, edx
1ED4644A |. 7F 08 jg short va_x.1ED46454
1ED4644C |. 8B08 mov ecx, dword ptr ds:[eax]
1ED4644E |. 8B11 mov edx, dword ptr ds:[ecx]
1ED46450 |. 50 push eax
1ED46451 |. FF52 04 call dword ptr ds:[edx+4]
1ED46454 |> 8B4C24 44 mov ecx, dword ptr ss:[esp+44]
1ED46458 |. 5F pop edi
1ED46459 |. 5B pop ebx
1ED4645A |. B8 01000000 mov eax, 1
1ED4645F |. 5E pop esi
1ED46460 |. 64:890D 00000000 mov dword ptr fs:[0], ecx
1ED46467 |. 83C4 44 add esp, 44
1ED4646A \. C3 retn
1ED4646B CC int3
1ED4646C CC int3
1ED4646D CC int3
1ED4646E CC int3
1ED4646F CC int3
1ED46470 /$ 6A FF push -1
1ED46472 |. 68 C0EBEB1E push va_x.1EEBEBC0 ; SE 处理程序安装
1ED46477 |. 64:A1 00000000 mov eax, dword ptr fs:[0]
1ED4647D |. 50 push eax
1ED4647E |. 64:8925 00000000 mov dword ptr fs:[0], esp
1ED46485 |. 83EC 18 sub esp, 18
1ED46488 |. 56 push esi
1ED46489 |. 8BF1 mov esi, ecx
1ED4648B |. 57 push edi
1ED4648C |. 56 push esi
1ED4648D |. 8D4C24 10 lea ecx, dword ptr ss:[esp+10]
1ED46491 |. E8 FABEFBFF call va_x.1ED02390
1ED46496 |. 68 4C8BEF1E push va_x.1EEF8B4C ; ASCII "\AddIns\"
1ED4649B |. 50 push eax
1ED4649C |. 8D4424 10 lea eax, dword ptr ss:[esp+10]
1ED464A0 |. 50 push eax
1ED464A1 |. C74424 34 00000000 mov dword ptr ss:[esp+34], 0
1ED464A9 |. E8 F20DFCFF call va_x.1ED072A0
1ED464AE |. 68 348BEF1E push va_x.1EEF8B34 ; ASCII "VisualAssist.DSAddin.1"
1ED464B3 |. 50 push eax
1ED464B4 |. 8D4C24 2C lea ecx, dword ptr ss:[esp+2C]
1ED464B8 |. 51 push ecx
1ED464B9 |. C64424 40 01 mov byte ptr ss:[esp+40], 1
1ED464BE |. E8 DD0DFCFF call va_x.1ED072A0
1ED464C3 |. 83C4 18 add esp, 18
1ED464C6 |. 8B4424 08 mov eax, dword ptr ss:[esp+8]
1ED464CA |. 83C0 F0 add eax, -10
1ED464CD |. C64424 28 04 mov byte ptr ss:[esp+28], 4
1ED464D2 |. 8D50 0C lea edx, dword ptr ds:[eax+C]
1ED464D5 |. 83C9 FF or ecx, FFFFFFFF
1ED464D8 |. F0:0FC10A lock xadd dword ptr ds:[edx], ecx
1ED464DC |. 49 dec ecx
1ED464DD |. 85C9 test ecx, ecx
1ED464DF |. 7F 08 jg short va_x.1ED464E9
1ED464E1 |. 8B08 mov ecx, dword ptr ds:[eax]
1ED464E3 |. 8B11 mov edx, dword ptr ds:[ecx]
1ED464E5 |. 50 push eax
1ED464E6 |. FF52 04 call dword ptr ds:[edx+4]
1ED464E9 |> 8B4424 0C mov eax, dword ptr ss:[esp+C]
1ED464ED |. 83C0 F0 add eax, -10
1ED464F0 |. C64424 28 03 mov byte ptr ss:[esp+28], 3
1ED464F5 |. 8D48 0C lea ecx, dword ptr ds:[eax+C]
1ED464F8 |. 83CA FF or edx, FFFFFFFF
1ED464FB |. F0:0FC111 lock xadd dword ptr ds:[ecx], edx
1ED464FF |. 4A dec edx
1ED46500 |. 85D2 test edx, edx
1ED46502 |. 7F 08 jg short va_x.1ED4650C
1ED46504 |. 8B08 mov ecx, dword ptr ds:[eax]
1ED46506 |. 8B11 mov edx, dword ptr ds:[ecx]
1ED46508 |. 50 push eax
1ED46509 |. FF52 04 call dword ptr ds:[edx+4]
1ED4650C |> 56 push esi
1ED4650D |. 8D4C24 14 lea ecx, dword ptr ss:[esp+14]
1ED46511 |. E8 7ABEFBFF call va_x.1ED02390
1ED46516 |. 68 248BEF1E push va_x.1EEF8B24 ; ASCII "\Text Editor"
1ED4651B |. 50 push eax
1ED4651C |. 8D4424 1C lea eax, dword ptr ss:[esp+1C]
1ED46520 |. 50 push eax
1ED46521 |. C64424 34 05 mov byte ptr ss:[esp+34], 5
1ED46526 |. E8 750DFCFF call va_x.1ED072A0
1ED4652B |. 83C4 0C add esp, 0C
1ED4652E |. 8B4424 10 mov eax, dword ptr ss:[esp+10]
1ED46532 |. 83C0 F0 add eax, -10
1ED46535 |. C64424 28 07 mov byte ptr ss:[esp+28], 7
1ED4653A |. 8D48 0C lea ecx, dword ptr ds:[eax+C]
1ED4653D |. 83CA FF or edx, FFFFFFFF
1ED46540 |. F0:0FC111 lock xadd dword ptr ds:[ecx], edx
1ED46544 |. 4A dec edx
1ED46545 |. 85D2 test edx, edx
1ED46547 |. 7F 08 jg short va_x.1ED46551
1ED46549 |. 8B08 mov ecx, dword ptr ds:[eax]
1ED4654B |. 8B11 mov edx, dword ptr ds:[ecx]
1ED4654D |. 50 push eax
1ED4654E |. FF52 04 call dword ptr ds:[edx+4]
1ED46551 |> 8B7424 14 mov esi, dword ptr ss:[esp+14]
1ED46555 |. 6A 00 push 0
1ED46557 |. 68 108BEF1E push va_x.1EEF8B10 ; ASCII "EnableAutoComments"
1ED4655C |. 56 push esi
1ED4655D |. 68 01000080 push 80000001
1ED46562 |. E8 69AC0300 call va_x.1ED811D0
1ED46567 |. 6A 00 push 0
1ED46569 |. 68 FC8AEF1E push va_x.1EEF8AFC ; ASCII "EnableParameterHelp"
1ED4656E |. 56 push esi
1ED4656F |. 68 01000080 push 80000001
1ED46574 |. E8 57AC0300 call va_x.1ED811D0
1ED46579 |. 6A 00 push 0
1ED4657B |. 68 E88AEF1E push va_x.1EEF8AE8 ; ASCII "EnableAutoComplete"
1ED46580 |. 56 push esi
1ED46581 |. 68 01000080 push 80000001
1ED46586 |. E8 45AC0300 call va_x.1ED811D0
1ED4658B |. 6A 00 push 0
1ED4658D |. 68 D88AEF1E push va_x.1EEF8AD8 ; ASCII "EnableQuickInfo"
1ED46592 |. 56 push esi
1ED46593 |. 68 01000080 push 80000001
1ED46598 |. E8 33AC0300 call va_x.1ED811D0
1ED4659D |. 8B7C24 58 mov edi, dword ptr ss:[esp+58]
1ED465A1 |. 83C4 40 add esp, 40
1ED465A4 |. 68 D48AEF1E push va_x.1EEF8AD4
1ED465A9 |. 6A 00 push 0
1ED465AB |. 57 push edi
1ED465AC |. 68 01000080 push 80000001
1ED465B1 |. E8 1AB40300 call va_x.1ED819D0
1ED465B6 |. 68 988AEF1E push va_x.1EEF8A98 ; ASCII "Visual Assist X adds new functionality to the VC++ editor."
1ED465BB |. 68 8C8AEF1E push va_x.1EEF8A8C ; ASCII "Description"
1ED465C0 |. 57 push edi
1ED465C1 |. 68 01000080 push 80000001
1ED465C6 |. E8 05B40300 call va_x.1ED819D0
1ED465CB |. 68 748AEF1E push va_x.1EEF8A74 ; ASCII "Visual Assist X Add-in"
1ED465D0 |. 68 688AEF1E push va_x.1EEF8A68 ; ASCII "DisplayName"
1ED465D5 |. 57 push edi
1ED465D6 |. 68 01000080 push 80000001
1ED465DB |. E8 F0B30300 call va_x.1ED819D0
1ED465E0 |. 83C4 30 add esp, 30
1ED465E3 |. 68 5C8AEF1E push va_x.1EEF8A5C ; ASCII "VAssist.dll"
1ED465E8 |. E8 A32FFDFF call va_x.1ED19590
1ED465ED |. 50 push eax
1ED465EE |. 8D4424 24 lea eax, dword ptr ss:[esp+24]
1ED465F2 |. 50 push eax
1ED465F3 |. E8 A8430B00 call va_x.1EDFA9A0
1ED465F8 |. 8B00 mov eax, dword ptr ds:[eax]
1ED465FA |. 50 push eax
1ED465FB |. 68 508AEF1E push va_x.1EEF8A50 ; ASCII "FileName"
1ED46600 |. 57 push edi
1ED46601 |. 68 01000080 push 80000001
1ED46606 |. C64424 38 08 mov byte ptr ss:[esp+38], 8
1ED4660B |. E8 C0B30300 call va_x.1ED819D0
1ED46610 |. 83C4 10 add esp, 10
1ED46613 |. 8D4C24 1C lea ecx, dword ptr ss:[esp+1C]
1ED46617 |. C64424 28 07 mov byte ptr ss:[esp+28], 7
1ED4661C |. E8 CF2D0B00 call va_x.1EDF93F0
1ED46621 |. 8D46 F0 lea eax, dword ptr ds:[esi-10]
1ED46624 |. C64424 28 03 mov byte ptr ss:[esp+28], 3
1ED46629 |. 8D48 0C lea ecx, dword ptr ds:[eax+C]
1ED4662C |. 83CA FF or edx, FFFFFFFF
1ED4662F |. F0:0FC111 lock xadd dword ptr ds:[ecx], edx
1ED46633 |. 4A dec edx
1ED46634 |. 85D2 test edx, edx
1ED46636 |. 7F 08 jg short va_x.1ED46640
1ED46638 |. 8B08 mov ecx, dword ptr ds:[eax]
1ED4663A |. 8B11 mov edx, dword ptr ds:[ecx]
1ED4663C |. 50 push eax
1ED4663D |. FF52 04 call dword ptr ds:[edx+4]
1ED46640 |> 8D47 F0 lea eax, dword ptr ds:[edi-10]
1ED46643 |. C74424 28 FFFFFFFF mov dword ptr ss:[esp+28], -1
1ED4664B |. 8D48 0C lea ecx, dword ptr ds:[eax+C]
1ED4664E |. 83CA FF or edx, FFFFFFFF
1ED46651 |. F0:0FC111 lock xadd dword ptr ds:[ecx], edx
1ED46655 |. 4A dec edx
1ED46656 |. 85D2 test edx, edx
1ED46658 |. 5F pop edi
1ED46659 |. 5E pop esi
1ED4665A |. 7F 08 jg short va_x.1ED46664
1ED4665C |. 8B08 mov ecx, dword ptr ds:[eax]
1ED4665E |. 8B11 mov edx, dword ptr ds:[ecx]
1ED46660 |. 50 push eax
1ED46661 |. FF52 04 call dword ptr ds:[edx+4]
1ED46664 |> 8B4C24 18 mov ecx, dword ptr ss:[esp+18]
1ED46668 |. 64:890D 00000000 mov dword ptr fs:[0], ecx
1ED4666F |. 83C4 24 add esp, 24
1ED46672 \. C3 retn
对于同一局域网不能同时用的问题
查找字串
All instances of the license ."%s".are in use. Visual Assist X will be disabled. You must unlo
查 the license 就行了
找到反在下面的返回处下断
或 Ctrl+B查找 74 0E FF 71 44
找到一处这里
1EE1DDF4 /$ B8 F708ED1E mov eax, va_x.1EED08F7
1EE1DDF9 |. E8 86C90500 call va_x.1EE7A784
1EE1DDFE |. 51 push ecx
1EE1DDFF |. 8B41 50 mov eax, dword ptr ds:[ecx+50]
1EE1DE02 |. 85C0 test eax, eax
1EE1DE04 |. 53 push ebx
1EE1DE05 |. 56 push esi
1EE1DE06 |. 57 push edi
1EE1DE07 |. 8965 F0 mov [local.4], esp
1EE1DE0A |. 74 0E je short va_x.1EE1DE1A ; 这里好明显了jmp吧
1EE1DE0C |. FF71 44 push dword ptr ds:[ecx+44]
1EE1DE0F |. 8365 FC 00 and [local.1], 0
1EE1DE13 |. FF71 58 push dword ptr ds:[ecx+58]
1EE1DE16 |. FFD0 call eax
1EE1DE18 |. 59 pop ecx
1EE1DE19 |. 59 pop ecx
1EE1DE1A |> 8B4D F4 mov ecx, [local.3]
1EE1DE1D |. 5F pop edi
1EE1DE1E |. 5E pop esi
1EE1DE1F |. 64:890D 00000000 mov dword ptr fs:[0], ecx
1EE1DE26 |. 5B pop ebx
1EE1DE27 |. C9 leave
1EE1DE28 \. C3 retn
到此基本ok,收工 文件优化就不做了~懒~~~.
方便大家传一份上来