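I have a piece of software where clicking the close button in the upper-right corner does nothing. Using "Exit" under "Document" closes the window, but it does not end the program's process, which can only be terminated in Task Manager. Below are the key parts of the disassembly, but I don't know how to change them. Any pointers would be appreciated, thanks!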
004618F8 $ 55 PUSH EBP
004618F9 . 8BEC MOV EBP,ESP
004618FB . 51 PUSH ECX
004618FC . 53 PUSH EBX
004618FD . 56 PUSH ESI
004618FE . 57 PUSH EDI
004618FF . 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
00461902 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00461905 . C680 A5000000>MOV BYTE PTR DS:[EAX+A5],1
0046190C . 33D2 XOR EDX,EDX
0046190E . 55 PUSH EBP
0046190F . 68 D6194600 PUSH 织物仿真.004619D6
00461914 . 64:FF32 PUSH DWORD PTR FS:[EDX]
00461917 . 64:8922 MOV DWORD PTR FS:[EDX],ESP
0046191A . B8 18884500 MOV EAX,织物仿真.00458818 ; entry address
0046191F . E8 B870FAFF CALL 织物仿真.004089DC
00461924 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00461927 . 8B40 44 MOV EAX,DWORD PTR DS:[EAX+44]
0046192A . 85C0 TEST EAX,EAX
0046192C . 0F84 8C000000 JE 织物仿真.004619BE
00461932 . 8B15 DCF74C00 MOV EDX,DWORD PTR DS:[4CF7DC] ; 织物仿真.004D0038
00461938 . 8B12 MOV EDX,DWORD PTR DS:[EDX]
0046193A . 83EA 03 SUB EDX,3 ; Switch (cases 3..7)
0046193D . 74 0E JE SHORT 织物仿真.0046194D
0046193F . 83EA 04 SUB EDX,4
00461942 . 75 10 JNZ SHORT 织物仿真.00461954
00461944 . C680 2B020000>MOV BYTE PTR DS:[EAX+22B],1 ; Case 7 of switch 0046193A
0046194B . EB 07 JMP SHORT 织物仿真.00461954
0046194D > B2 02 MOV DL,2 ; Case 3 of switch 0046193A
0046194F . E8 C8A6FFFF CALL 织物仿真.0045C01C
00461954 > 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] ; Default case of switch 0046193A
00461957 . 8078 5B 00 CMP BYTE PTR DS:[EAX+5B],0
0046195B 74 20 JE SHORT 织物仿真.0046197D
0046195D . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00461960 . 8B40 44 MOV EAX,DWORD PTR DS:[EAX+44]
00461963 . 80B8 2B020000>CMP BYTE PTR DS:[EAX+22B],1
0046196A . 75 0A JNZ SHORT 织物仿真.00461976
0046196C . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0046196F . E8 50F9FFFF CALL 织物仿真.004612C4
00461974 . EB 07 JMP SHORT 织物仿真.0046197D
00461976 > B2 01 MOV DL,1
00461978 . E8 6F96FFFF CALL 织物仿真.0045AFEC
0046197D > 33C0 XOR EAX,EAX
0046197F . 55 PUSH EBP
00461980 . 68 9D194600 PUSH 织物仿真.0046199D
00461985 . 64:FF30 PUSH DWORD PTR FS:[EAX]
00461988 . 64:8920 MOV DWORD PTR FS:[EAX],ESP
0046198B . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0046198E . E8 D1FDFFFF CALL 织物仿真.00461764
00461993 . 33C0 XOR EAX,EAX
00461995 . 5A POP EDX
00461996 . 59 POP ECX
00461997 . 59 POP ECX
00461998 . 64:8910 MOV DWORD PTR FS:[EAX],EDX
0046199B EB 15 JMP SHORT 织物仿真.004619B2
0046199D ^ E9 6A26FAFF JMP 织物仿真.0040400C
004619A2 . 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
004619A5 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004619A8 . E8 4B000000 CALL 织物仿真.004619F8
004619AD . E8 C229FAFF CALL 织物仿真.00404374
004619B2 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004619B5 80B8 9C000000>CMP BYTE PTR DS:[EAX+9C],0
004619BC .^ 74 BF JE SHORT 织物仿真.0046197D ; This is an infinite loop. If it is changed to not jump, the program can terminate.
004619BE > 33C0 XOR EAX,EAX
004619C0 . 5A POP EDX
004619C1 . 59 POP ECX
004619C2 . 59 POP ECX
004619C3 . 64:8910 MOV DWORD PTR FS:[EAX],EDX
004619C6 . 68 DD194600 PUSH 织物仿真.004619DD
004619CB > 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004619CE . C680 A5000000>MOV BYTE PTR DS:[EAX+A5],0
004619D5 . C3 RETN ; RET used as a jump to 004619DD
.
.
.
.
.
.
.
7C81CDC5 E8 FEFF5353 CALL CFD5CDC8
7C81CDCA 53 PUSH EBX
7C81CDCB E8 E1640100 CALL kernel32.WriteProfileStringW
7C81CDD0 ^ E9 61E8FEFF JMP kernel32.7C80B636
7C81CDD5 90 NOP
7C81CDD6 90 NOP
7C81CDD7 90 NOP
7C81CDD8 90 NOP
7C81CDD9 90 NOP
7C81CDDA > 8BFF MOV EDI,EDI
7C81CDDC 55 PUSH EBP
7C81CDDD 8BEC MOV EBP,ESP
7C81CDDF 6A FF PUSH -1
7C81CDE1 68 B0F3E877 PUSH 77E8F3B0
7C81CDE6 FF75 08 PUSH DWORD PTR SS:[EBP+8]
7C81CDE9 E8 46FFFFFF CALL kernel32.7C81CD34 ; This is where the process is terminated
7C81CDEE E9 A2CC0100 JMP kernel32.7C839A95
7C81CDF3 90 NOP
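
The branch targets in the listing above, such as the JE at 004619BC that goes back to 0046197D, can be checked from the opcode bytes with the relative-displacement arithmetic below. This is an added example in C, not part of the original post; the function names are hypothetical, and only the addresses and bytes are taken from the listing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Compute the target of an x86-32 relative branch.
 * addr = address of the first instruction byte, code = its bytes.
 * Returns 1 and stores the target, or 0 if the bytes are not a
 * rel8/rel32 branch form handled here. */
int branch_target(uint32_t addr, const uint8_t *code, size_t len, uint32_t *target)
{
    size_t op, dl;
    uint32_t disp;

    if (len >= 2 && ((code[0] & 0xF0) == 0x70 || code[0] == 0xEB)) {
        op = 1; dl = 1;                      /* Jcc rel8, JMP rel8 */
    } else if (len >= 5 && (code[0] == 0xE8 || code[0] == 0xE9)) {
        op = 1; dl = 4;                      /* CALL rel32, JMP rel32 */
    } else if (len >= 6 && code[0] == 0x0F && (code[1] & 0xF0) == 0x80) {
        op = 2; dl = 4;                      /* Jcc rel32 */
    } else {
        return 0;
    }
    if (dl == 1) {
        disp = code[op];
        if (disp & 0x80u) disp -= 0x100u;    /* sign-extend rel8 modulo 2^32 */
    } else {
        disp = (uint32_t)code[op] | (uint32_t)code[op + 1] << 8 |
               (uint32_t)code[op + 2] << 16 | (uint32_t)code[op + 3] << 24;
    }
    *target = addr + (uint32_t)(op + dl) + disp;  /* relative to next instruction */
    return 1;
}

/* A branch whose target is at or before its own address jumps backward,
 * which is how the closing edge of a loop appears in a listing. */
int is_back_edge(uint32_t addr, uint32_t target) { return target <= addr; }

int main(void)
{
    const uint8_t je[] = { 0x74, 0xBF };     /* bytes at 004619BC in the listing */
    uint32_t t;
    if (branch_target(0x004619BCu, je, sizeof je, &t))
        printf("%08X -> %08X%s\n", 0x004619BCu, (unsigned)t,
               is_back_edge(0x004619BCu, t) ? " (back-edge)" : "");
    return 0;
}
```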