A function looks completely different when viewed statically in OD (OD has not started the debugged process) than when viewed dynamically in OD (OD is running the debugged process)... IDA cannot display it at all; it only shows a stretch of garbage.
The two code sections below are reached through the same CALL (but they differ between the static and the dynamic view).
As analysed by OD (debugged process not running):
00509900 $ 55 push ebp
00509901 . 8BEC mov ebp, esp
00509903 . 8B45 08 mov eax, dword ptr [ebp+8]
00509906 . 56 push esi
00509907 . 85C0 test eax, eax
00509909 . 57 push edi
0050990A . 75 33 jnz short 0050993F
0050990C . 8B75 0C mov esi, dword ptr [ebp+C]
0050990F . 8B7D 14 mov edi, dword ptr [ebp+14]
00509912 . 57 push edi
00509913 . 56 push esi
00509914 . 8D46 08 lea eax, dword ptr [esi+8]
00509917 . 50 push eax
00509918 . E8 23900000 call 00512940
0050991D . 8BD6 mov edx, esi
0050991F . 33C9 xor ecx, ecx
00509921 . 8D47 08 lea eax, dword ptr [edi+8]
00509924 . 83C4 0C add esp, 0C
00509927 . 890A mov dword ptr [edx], ecx
00509929 . 83C7 08 add edi, 8
0050992C . 894A 04 mov dword ptr [edx+4], ecx
0050992F . 8B4D 10 mov ecx, dword ptr [ebp+10]
00509932 . 66:8906 mov word ptr [esi], ax
00509935 . 33C0 xor eax, eax
00509937 . 8939 mov dword ptr [ecx], edi
00509939 . 5F pop edi
0050993A . 5E pop esi
0050993B . 5D pop ebp
0050993C . C2 1400 retn 14
As analysed by OD (debugged process running):
00509900 $ 55 push ebp
00509901 . 8BEC mov ebp, esp
00509903 . 53 push ebx
00509904 ? 57 push edi
00509905 ? 56 push esi
00509906 . E8 00000000 call 0050990B
0050990B ? 5B pop ebx
0050990C . 81EB 17104000 sub ebx, 00401017
00509912 . 0FB683 A2324000 movzx eax, byte ptr [ebx+4032A2]
00509919 ? 0BC0 or eax, eax
0050991B ? 75 07 jnz short 00509924
0050991D . B8 F8FFFFFF mov eax, -8
00509922 ? EB 7F jmp short 005099A3
00509924 . 837D 0C 00 cmp dword ptr [ebp+C], 0
00509928 ? 74 06 je short 00509930
0050992A ? 837D 10 00 cmp dword ptr [ebp+10], 0
0050992E ? 75 07 jnz short 00509937
00509930 ? B8 F7FFFFFF mov eax, -9
00509935 . EB 6C jmp short 005099A3
00509937 . 8B45 10 mov eax, dword ptr [ebp+10]
0050993A . 8B00 mov eax, dword ptr [eax]
0050993C . 837D 08 00 cmp dword ptr [ebp+8], 0
00509940 ? 75 22 jnz short 00509964
00509942 . 83F8 28 cmp eax, 28
00509945 ? 73 07 jnb short 0050994E
00509947 . B8 F6FFFFFF mov eax, -0A
0050994C . EB 55 jmp short 005099A3
0050994E ? 8D93 8B144000 lea edx, dword ptr [ebx+40148B]
00509954 . FF75 18 push dword ptr [ebp+18]
00509957 ? FF75 14 push dword ptr [ebp+14]
0050995A . FF75 10 push dword ptr [ebp+10]
0050995D . FF75 0C push dword ptr [ebp+C]
00509960 ? FFD2 call edx
00509962 . EB 3F jmp short 005099A3
00509964 . 837D 08 01 cmp dword ptr [ebp+8], 1
00509968 ? 75 1C jnz short 00509986
0050996A ? 83F8 08 cmp eax, 8
0050996D 73 07 jnb short 00509976
0050996F B8 F5FFFFFF mov eax, -0B
00509974 EB 2D jmp short 005099A3
00509976 8D93 C81A4000 lea edx, dword ptr [ebx+401AC8]
0050997C FF75 10 push dword ptr [ebp+10]
0050997F FF75 0C push dword ptr [ebp+C]
00509982 FFD2 call edx
00509984 EB 1D jmp short 005099A3
00509986 837D 08 02 cmp dword ptr [ebp+8], 2
0050998A 75 10 jnz short 0050999C
0050998C 8D93 511D4000 lea edx, dword ptr [ebx+401D51]
00509992 FF75 10 push dword ptr [ebp+10]
00509995 FF75 0C push dword ptr [ebp+C]
00509998 FFD2 call edx
0050999A EB 07 jmp short 005099A3
0050999C B8 F4FFFFFF mov eax, -0C
005099A1 EB 00 jmp short 005099A3
005099A3 5E pop esi
005099A4 5F pop edi
005099A5 5B pop ebx
005099A6 C9 leave
005099A7 C2 1400 retn 14
Also, in OD, when I move the mouse up and down over the second code section, the code changes... and occasionally the comment column shows the words "Illegal use of register"...
What causes this? And how should I go about analysing this code (since this section contains the encryption algorithm)...?
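As an added example (not code from the original post), a small Python helper for triaging exactly this situation: it parses the two OllyDbg listings quoted above, diffs them byte by byte to show which part of the function is rewritten once the process is running, and flags the `call $+5` / `pop ebx` delta-offset idiom that appears in the running view. The listing excerpts are constructed from the post's own disassembly; the regex assumes OD's default layout of address, optional marker, hex bytes, mnemonic.

```python
from __future__ import annotations
import re

# Constructed excerpts of the two OllyDbg listings quoted in the post (static view first, then with the debuggee running).
STATIC_LISTING = """\
00509900 $ 55 push ebp
00509901 . 8BEC mov ebp, esp
00509903 . 8B45 08 mov eax, dword ptr [ebp+8]
00509906 . 56 push esi
00509907 . 85C0 test eax, eax
"""
DYNAMIC_LISTING = """\
00509900 $ 55 push ebp
00509901 . 8BEC mov ebp, esp
00509903 . 53 push ebx
00509904 ? 57 push edi
00509905 ? 56 push esi
00509906 . E8 00000000 call 0050990B
0050990B ? 5B pop ebx
"""
# address, optional OD marker ($ . ? >), uppercase hex byte tokens (66:8906 keeps its prefix colon), mnemonic
LINE_RE = re.compile(r"^([0-9A-F]{8})\s+(?:[$.?>]\s+)?((?:[0-9A-F:]+\s+)+)(\S.*)$")


def parse_listing(text: str) -> dict[int, int]:
    """Map each address to the byte OD shows there (prefix separators ':' are dropped)."""
    mem: dict[int, int] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            raw = bytes.fromhex(m.group(2).replace(":", "").replace(" ", ""))
            mem.update({int(m.group(1), 16) + i: b for i, b in enumerate(raw)})
    return mem


def changed_ranges(static: dict[int, int], dynamic: dict[int, int]) -> list[tuple[int, int]]:
    """Contiguous [start, end] address ranges whose bytes differ between the two views."""
    ranges: list[tuple[int, int]] = []
    for addr in sorted(set(static) & set(dynamic)):
        if static[addr] == dynamic[addr]:
            continue
        if ranges and ranges[-1][1] == addr - 1:
            ranges[-1] = (ranges[-1][0], addr)   # extend the current run of changed bytes
        else:
            ranges.append((addr, addr))          # start a new run
    return ranges


def find_get_pc_thunks(mem: dict[int, int]) -> list[int]:
    """'call $+5' (E8 00000000) followed by 'pop r32' (58..5F): code locating itself at runtime."""
    return [a for a in sorted(mem)
            if [mem.get(a + i) for i in range(5)] == [0xE8, 0, 0, 0, 0]
            and 0x58 <= (mem.get(a + 5) or 0) <= 0x5F]
```

On the excerpt above only the three prologue bytes at 00509900 survive unchanged; everything that follows is different in the running process, which is the signature of code decrypted or written in place at runtime rather than of a disassembler error.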