OD载入 直接到这里
00401000 >/$ E8 06000000 call QQWAIGUA.0040100B
00401005 |. 50 push eax ; /ExitCode
00401006 \. E8 BB010000 call <jmp.&KERNEL32.ExitProcess> ; \ExitProcess
0040100B /$ 55 push ebp
0040100C |. 8BEC mov ebp,esp
0040100E |. 81C4 F0FEFFFF add esp,-110
00401014 |. E9 83000000 jmp QQWAIGUA.0040109C
00401019 |. 6B 72 6E 6C 6E >ascii "krnln.fnr",0
00401023 |. 6B 72 6E 6C 6E >ascii "krnln.fne",0
0040102D |. 47 65 74 4E 65 >ascii "GetNewSock",0
00401038 |. 53 6F 66 74 77 >ascii "Software\FlySky\"
00401048 |. 45 5C 49 6E 73 >ascii "E\Install",0
00401052 |. 50 61 74 68 00 ascii "Path",0
00401057 |. 4E 6F 74 20 66 >ascii "Not found the ke"
00401067 |. 72 6E 65 6C 20 >ascii "rnel library or "
00401077 |. 74 68 65 20 6B >ascii "the kernel libra"
00401087 |. 72 79 20 69 73 >ascii "ry is invalid!",0
00401096 |. 45 72 72 6F 72 >ascii "Error",0
0040109C |> 8D85 FCFEFFFF lea eax,dword ptr ss:[ebp-104]
004010A2 |. 50 push eax
004010A3 |. E8 44010000 call QQWAIGUA.004011EC
004010A8 |. 68 19104000 push QQWAIGUA.00401019 ; /StringToAdd = "krnln.fnr"
004010AD |. 8D85 FCFEFFFF lea eax,dword ptr ss:[ebp-104] ; |
004010B3 |. 50 push eax ; |ConcatString
004010B4 |. E8 25010000 call <jmp.&KERNEL32.lstrcatA> ; \lstrcatA
问了几个人 说以前的E语言就是这样的 但是伪壳 也现实E 没见过E语言的开头函数
帮忙看下
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课