[旧帖] [求助]VC++ 去校验 0.00雪花
发表于: 2008-1-1 12:08 2444
原来程序
0040119C . 6A 02 push 2 ; /Origin = FILE_END
0040119E . 53 push ebx ; |pOffsetHi
0040119F . 6A F8 push -8 ; |OffsetLo = FFFFFFF8 (-8.)
004011A1 . 57 push edi ; |hFile
004011A2 . FFD6 call esi ; \
004011A4 . 3D E8030000 cmp eax,3E8
004011A9 . 8945 F4 mov dword ptr ss:[ebp-C],eax
004011AC . 0F82 FD0200>jb 高峰旺旺.004014AF
004011B2 . 8D45 E4 lea eax,dword ptr ss:[ebp-1C]
004011B5 . 53 push ebx ;
004011B6 . 50 push eax ;
004011B7 . 8D45 DC lea eax,dword ptr ss:[ebp-24] ; |
004011BA . 6A 08 push 8 ;
004011BC . 50 push eax ;
004011BD . 57 push edi ;
004011BE . 895D E4 mov dword ptr ss:[ebp-1C],ebx ;
004011C1 . FF15 187040>call dword ptr ds:[407018] ;
004011C7 . 85C0 test eax,eax
004011C9 . 0F84 E90200>je 高峰旺旺.004014B8
004011CF . 837D E4 08 cmp dword ptr ss:[ebp-1C],8
004011D3 . 0F85 DF0200>jnz 高峰旺旺.004014B8
004011D9 . 8B45 DC mov eax,dword ptr ss:[ebp-24] ; -----------
004011DC . 817D E0 A5B>cmp dword ptr ss:[ebp-20],829AB>
004011E3 . 8945 08 mov dword ptr ss:[ebp+8],eax
004011E6 . 0F85 C30200>jnz 高峰旺旺.004014AF ; \\原 此处不跳
004011EC . 83F8 04 cmp eax,4
004011EF . 0F8C BA0200>jl 高峰旺旺.004014AF ; \\原 此处不跳
004011F5 . 3B45 F4 cmp eax,dword ptr ss:[ebp-C]
004011F8 . 0F8D B10200>jge 高峰旺旺.004014AF
004011FE . 50 push eax
004011FF . E8 32220000 call 高峰旺旺.00403436
00401204 . 3BC3 cmp eax,ebx
00401206 . 59 pop ecx
00401207 . 8945 F8 mov dword ptr ss:[ebp-8],eax
0040120A . 0F84 070100>je 高峰旺旺.00401317
00401210 . 6A 02 push 2 ; /Origin = FILE_END
00401212 . 53 push ebx ; |pOffsetHi
00401213 . 6A F8 push -8 ; |
00401215 . 895D E8 mov dword ptr ss:[ebp-18],ebx ; |
00401218 . 58 pop eax ; |
00401219 . 2B45 08 sub eax,dword ptr ss:[ebp+8] ; |
0040121C . 50 push eax ; |OffsetLo
0040121D . 57 push edi ; |hFile
0040121E . FFD6 call esi ; \SetFilePointer
00401220 . 83F8 FF cmp eax,-1
00401223 . 0F84 7D0200>je 高峰旺旺.004014A6
00401229 . 8B75 F8 mov esi,dword ptr ss:[ebp-8]
---------------------------------------------------------------------------------------------------
脱壳后的程序
0040119C 6A 02 push 2
0040119E 53 push ebx
0040119F 6A F8 push -8
004011A1 57 push edi
004011A2 FFD6 call esi
004011A4 3D E8030000 cmp eax,3E8
004011A9 8945 F4 mov dword ptr ss:[ebp-C],eax
004011AC 0F82 FD020000 jb 1.004014AF
004011B2 8D45 E4 lea eax,dword ptr ss:[ebp-1C]
004011B5 53 push ebx
004011B6 50 push eax
004011B7 8D45 DC lea eax,dword ptr ss:[ebp-24]
004011BA 6A 08 push 8
004011BC 50 push eax
004011BD 57 push edi
004011BE 895D E4 mov dword ptr ss:[ebp-1C],ebx
004011C1 FF15 18704000 call dword ptr ds:[<&kernel32.R>; kernel32.ReadFile
004011C7 85C0 test eax,eax
004011C9 0F84 E9020000 je 1.004014B8
004011CF 837D E4 08 cmp dword ptr ss:[ebp-1C],8
004011D3 0F85 DF020000 jnz 1.004014B8
004011D9 8B45 DC mov eax,dword ptr ss:[ebp-24] ; -------------
004011DC 817D E0 A5B79>cmp dword ptr ss:[ebp-20],829AB>
004011E3 8945 08 mov dword ptr ss:[ebp+8],eax
004011E6 0F85 C3020000 jnz 1.004014AF ; \\ 脱壳后 此处跳。。
004011EC 83F8 04 cmp eax,4
004011EF 0F8C BA020000 jl 1.004014AF ; \\ 脱壳后 此处跳。。
004011F5 3B45 F4 cmp eax,dword ptr ss:[ebp-C]
004011F8 0F8D B1020000 jge 1.004014AF
004011FE 50 push eax
004011FF E8 32220000 call 1.00403436
00401204 3BC3 cmp eax,ebx
后面还有很多跳转都不一样……其中有一个跳转改了之后程序就直接跳死了……可不可以不改这些跳转？？
0040119C . 6A 02 push 2 ; /Origin = FILE_END
0040119E . 53 push ebx ; |pOffsetHi
0040119F . 6A F8 push -8 ; |OffsetLo = FFFFFFF8 (-8.)
004011A1 . 57 push edi ; |hFile
004011A2 . FFD6 call esi ; \
004011A4 . 3D E8030000 cmp eax,3E8
004011A9 . 8945 F4 mov dword ptr ss:[ebp-C],eax
004011AC . 0F82 FD0200>jb 高峰旺旺.004014AF
004011B2 . 8D45 E4 lea eax,dword ptr ss:[ebp-1C]
004011B5 . 53 push ebx ;
004011B6 . 50 push eax ;
004011B7 . 8D45 DC lea eax,dword ptr ss:[ebp-24] ; |
004011BA . 6A 08 push 8 ;
004011BC . 50 push eax ;
004011BD . 57 push edi ;
004011BE . 895D E4 mov dword ptr ss:[ebp-1C],ebx ;
004011C1 . FF15 187040>call dword ptr ds:[407018] ;
004011C7 . 85C0 test eax,eax
004011C9 . 0F84 E90200>je 高峰旺旺.004014B8
004011CF . 837D E4 08 cmp dword ptr ss:[ebp-1C],8
004011D3 . 0F85 DF0200>jnz 高峰旺旺.004014B8
004011D9 . 8B45 DC mov eax,dword ptr ss:[ebp-24] ; -----------
004011DC . 817D E0 A5B>cmp dword ptr ss:[ebp-20],829AB>
004011E3 . 8945 08 mov dword ptr ss:[ebp+8],eax
004011E6 . 0F85 C30200>jnz 高峰旺旺.004014AF ; \\原 此处不跳
004011EC . 83F8 04 cmp eax,4
004011EF . 0F8C BA0200>jl 高峰旺旺.004014AF ; \\原 此处不跳
004011F5 . 3B45 F4 cmp eax,dword ptr ss:[ebp-C]
004011F8 . 0F8D B10200>jge 高峰旺旺.004014AF
004011FE . 50 push eax
004011FF . E8 32220000 call 高峰旺旺.00403436
00401204 . 3BC3 cmp eax,ebx
00401206 . 59 pop ecx
00401207 . 8945 F8 mov dword ptr ss:[ebp-8],eax
0040120A . 0F84 070100>je 高峰旺旺.00401317
00401210 . 6A 02 push 2 ; /Origin = FILE_END
00401212 . 53 push ebx ; |pOffsetHi
00401213 . 6A F8 push -8 ; |
00401215 . 895D E8 mov dword ptr ss:[ebp-18],ebx ; |
00401218 . 58 pop eax ; |
00401219 . 2B45 08 sub eax,dword ptr ss:[ebp+8] ; |
0040121C . 50 push eax ; |OffsetLo
0040121D . 57 push edi ; |hFile
0040121E . FFD6 call esi ; \SetFilePointer
00401220 . 83F8 FF cmp eax,-1
00401223 . 0F84 7D0200>je 高峰旺旺.004014A6
00401229 . 8B75 F8 mov esi,dword ptr ss:[ebp-8]
---------------------------------------------------------------------------------------------------
脱壳后的程序
0040119C 6A 02 push 2
0040119E 53 push ebx
0040119F 6A F8 push -8
004011A1 57 push edi
004011A2 FFD6 call esi
004011A4 3D E8030000 cmp eax,3E8
004011A9 8945 F4 mov dword ptr ss:[ebp-C],eax
004011AC 0F82 FD020000 jb 1.004014AF
004011B2 8D45 E4 lea eax,dword ptr ss:[ebp-1C]
004011B5 53 push ebx
004011B6 50 push eax
004011B7 8D45 DC lea eax,dword ptr ss:[ebp-24]
004011BA 6A 08 push 8
004011BC 50 push eax
004011BD 57 push edi
004011BE 895D E4 mov dword ptr ss:[ebp-1C],ebx
004011C1 FF15 18704000 call dword ptr ds:[<&kernel32.R>; kernel32.ReadFile
004011C7 85C0 test eax,eax
004011C9 0F84 E9020000 je 1.004014B8
004011CF 837D E4 08 cmp dword ptr ss:[ebp-1C],8
004011D3 0F85 DF020000 jnz 1.004014B8
004011D9 8B45 DC mov eax,dword ptr ss:[ebp-24] ; -------------
004011DC 817D E0 A5B79>cmp dword ptr ss:[ebp-20],829AB>
004011E3 8945 08 mov dword ptr ss:[ebp+8],eax
004011E6 0F85 C3020000 jnz 1.004014AF ; \\ 脱壳后 此处跳。。
004011EC 83F8 04 cmp eax,4
004011EF 0F8C BA020000 jl 1.004014AF ; \\ 脱壳后 此处跳。。
004011F5 3B45 F4 cmp eax,dword ptr ss:[ebp-C]
004011F8 0F8D B1020000 jge 1.004014AF
004011FE 50 push eax
004011FF E8 32220000 call 1.00403436
00401204 3BC3 cmp eax,ebx
后面还有很多跳转都不一样……其中有一个跳转改了之后程序就直接跳死了……可不可以不改这些跳转？？