Debugger: OD
Packer version: double-process
====================================
Armadillo 3.78 - 4.xx -> Silicon Realms Toolworks
====================================
Found the OEP:
004B79A6 6A 60 push 60 <================ here
004B79A8 68 00235D00 push 005D2300
004B79AD E8 26070000 call 004B80D8
004B79B2 BF 94000000 mov edi, 94
004B79B7 8BC7 mov eax, edi
004B79B9 E8 E2D1FFFF call 004B4BA0
004B79BE 8965 E8 mov dword ptr [ebp-18], esp
004B79C1 8BF4 mov esi, esp
004B79C3 893E mov dword ptr [esi], edi
004B79C5 56 push esi
004B79C6 FF15 A4445B00 call dword ptr [5B44A4] ; kernel32.GetVersionExA
004B79CC 8B4E 10 mov ecx, dword ptr [esi+10]
004B79CF 890D A4367C00 mov dword ptr [7C36A4], ecx
004B79D5 8B46 04 mov eax, dword ptr [esi+4]
004B79D8 A3 B0367C00 mov dword ptr [7C36B0], eax
004B79DD 8B56 08 mov edx, dword ptr [esi+8]
004B79E0 8915 B4367C00 mov dword ptr [7C36B4], edx
004B79E6 8B76 0C mov esi, dword ptr [esi+C]
004B79E9 81E6 FF7F0000 and esi, 7FFF
Memory dump: LordPE
Import fixing: ImportREC (version v1.4.2)
It simply won't fix it; it says "can not find anything good at this oep".
Is my version too old??
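Added example, not part of the original post and not code from OD, LordPE or ImportREC: when ImportREC's IAT AutoSearch answers "can not find anything good at this OEP", the usual fallback is to find the IAT by hand and type its RVA and size into ImportREC yourself. The only two numbers taken from the post are the OEP 004B79A6 and the thunk slot 005B44A4 referenced by `call dword ptr [5B44A4]` right after the OEP; the image base, the module address ranges, and the dump bytes below are constructed assumptions for illustration. The script converts VAs to the RVAs ImportREC expects, checks that the OEP bytes are the classic VC6 `push 60h / push offset / call` prologue, and grows outwards from the known thunk slot to delimit the table.

```python
"""
Added example, not part of the original post or of any tool it names: hand-locate
the IAT in a memory dump, which is the fallback when ImportREC's IAT AutoSearch
answers "can not find anything good at this OEP".

Everything below except OEP 0x004B79A6 and the IAT slot 0x005B44A4 (from
"call dword ptr [5B44A4]" at the OEP) is an assumption for illustration:
the image base, the module address ranges and the dump bytes are constructed.
"""
import struct

IMAGE_BASE = 0x00400000            # assumed; read the real one from LordPE
OEP_VA = 0x004B79A6                # from the post
IAT_SLOT_VA = 0x005B44A4           # from the post: call dword ptr [5B44A4]

# Address ranges of loaded DLLs that a valid IAT entry points into (assumed).
MODULE_RANGES = {
    "kernel32": (0x7C800000, 0x7C900000),
    "user32":   (0x77D40000, 0x77DD0000),
}

# Constructed 48-byte "dump" of the region around the slot (not a real dump).
DUMP_BASE_VA = 0x005B4490
DUMP = struct.pack("<12I",
    0xDEADBEEF, 0x00000000, 0x00000000,       # junk before the table
    0x7C801D7B, 0x7C809AE4, 0x7C80B731,       # kernel32 thunks (slot is index 5)
    0x00000000,                               # zero separating two DLL groups
    0x77D5E3F6, 0x77D507EA,                   # user32 thunks
    0x00000000, 0x00000000, 0xCAFEBABE)       # table terminator, then junk


def va_to_rva(va, base=IMAGE_BASE):
    """ImportREC's OEP and IAT fields take RVAs, not VAs."""
    return va - base


def is_msvc_seh_prolog(code):
    """6A 60 / 68 imm32 / E8 rel32: the classic VC6 entry the post lands on."""
    return len(code) >= 8 and code[0:3] == b"\x6A\x60\x68" and code[7] == 0xE8


def module_of(value):
    for name, (lo, hi) in MODULE_RANGES.items():
        if lo <= value < hi:
            return name
    return None


def find_iat(dump, dump_base_va, slot_va):
    """Grow outwards from a known thunk slot while neighbours are API pointers.
    A single zero DWORD is tolerated as the separator between DLL groups;
    two zeros (or a non-pointer) end the table.
    Returns the values ImportREC wants typed in by hand."""
    off = slot_va - dump_base_va
    if off % 4 or not 0 <= off < len(dump):
        raise ValueError("slot outside dump or unaligned")
    n = len(dump) // 4
    words = struct.unpack("<%dI" % n, dump[: n * 4])
    i = off // 4
    if module_of(words[i]) is None:
        # Typical when ImportREC is attached to the wrong Armadillo process:
        # the parent's memory holds no resolved thunks at this address.
        raise ValueError("slot holds no API pointer: wrong process or bad dump")

    def is_ptr(k):
        return 0 <= k < n and module_of(words[k]) is not None

    lo = hi = i
    while True:                      # walk towards lower addresses
        if is_ptr(lo - 1):
            lo -= 1
        elif lo - 2 >= 0 and words[lo - 1] == 0 and is_ptr(lo - 2):
            lo -= 2
        else:
            break
    while True:                      # walk towards higher addresses
        if is_ptr(hi + 1):
            hi += 1
        elif hi + 2 < n and words[hi + 1] == 0 and is_ptr(hi + 2):
            hi += 2
        else:
            break

    entries = [(dump_base_va + 4 * k, words[k], module_of(words[k]))
               for k in range(lo, hi + 1)]
    start_va = dump_base_va + 4 * lo
    return {
        "oep_rva": va_to_rva(OEP_VA),
        "iat_rva": va_to_rva(start_va),
        "size": 4 * (hi - lo + 1),
        "apis": sum(1 for _, v, _ in entries if v),
        "entries": entries,
    }


if __name__ == "__main__":
    r = find_iat(DUMP, DUMP_BASE_VA, IAT_SLOT_VA)
    print("OEP RVA %08X  IAT RVA %08X  size %X  (%d API pointers)"
          % (r["oep_rva"], r["iat_rva"], r["size"], r["apis"]))
    for va, val, mod in r["entries"]:
        print("  %08X -> %08X %s" % (va, val, mod or ""))
```

Two checks worth doing before blaming the ImportREC version: the OEP and IAT fields in ImportREC are RVAs (here B79A6, not 4B79A6), and with a double-process Armadillo target ImportREC has to be attached to the child process that actually runs the unpacked code; the parent of the same name has no resolved thunks at 5B44A4, which is the case the `ValueError` above models.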