This is an example from Alcohol 120%; please share your views, as "the benevolent see benevolence, the wise see wisdom".
004016EC > /EB 10 jmp short 1.004016FE //entry point
004016EE |66:623A bound di,dword ptr ds:[edx]
004016F1 |43 inc ebx
004016F2 |2B2B sub ebp,dword ptr ds:[ebx]
004016F4 |48 dec eax
004016F5 |4F dec edi
004016F6 |4F dec edi
004016F7 |4B dec ebx
004016F8 |90 nop
004016F9 -|E9 98906700 jmp 00A7A796
004016FE \A1 8B906700 mov eax,dword ptr ds:[67908B]
00401703 C1E0 02 shl eax,2
00401706 A3 8F906700 mov dword ptr ds:[67908F],eax
0040170B 52 push edx
0040170C 6A 00 push 0
0040170E E8 C55F2700 call <jmp.&kernel32.GetModuleHandle>
Set a breakpoint with bp MessageBoxA
77D504EA > 8BFF mov edi,edi //the program breaks here
77D504EC 55 push ebp
77D504ED 8BEC mov ebp,esp
77D504EF 833D BC04D777 0>cmp dword ptr ds:[77D704BC],0
77D504F6 74 24 je short USER32.77D5051C
77D504F8 64:A1 18000000 mov eax,dword ptr fs:[18]
77D504FE 6A 00 push 0
77D50500 FF70 24 push dword ptr ds:[eax+24]
77D50503 68 240BD777 push USER32.77D70B24
77D50508 FF15 C812D177 call dword ptr ds:[<&KERNEL32.Inter>; kernel32.InterlockedCompareExchange
77D5050E 85C0 test eax,eax
77D50510 75 0A jnz short USER32.77D5051C
77D50512 C705 200BD777 0>mov dword ptr ds:[77D70B20],1
77D5051C 6A 00 push 0
77D5051E FF75 14 push dword ptr ss:[ebp+14]
77D50521 FF75 10 push dword ptr ss:[ebp+10]
77D50524 FF75 0C push dword ptr ss:[ebp+C]
77D50527 FF75 08 push dword ptr ss:[ebp+8]
77D5052A E8 2D000000 call USER32.MessageBoxExA
77D5052F 5D pop ebp
77D50530 C2 1000 retn 10
Stack display
0012E5A8 00424FD7 /CALL 到 MessageBoxA 来自 1.00424FD2
0012E5AC 000602A4 |hOwner = 000602A4 ('注册',class='TForm',parent=00210294)
0012E5B0 00FCBFA8 |Text = "序列号无效! 注册失败!"
0012E5B4 00FBAC0C |Title = "注册"
0012E5B8 00000000 \Style = MB_OK|MB_APPLMODAL
I still don't know how to find the key CALL.