Hello kongfoo! I've been digging into IAT problems a lot lately. I'm really sorry to keep bothering you, but after fiddling with this for ages I still have no clue, so I have to ask once more.
This is Notepad packed with Asprotect 1.23. After repairing with ImportREC at level 1, two functions cannot be fixed (they are actually easy to fix with a script), so I am trying to repair them by hand.
004010D3 FF15 E4634000 CALL DWORD PTR DS:[4063E4] ---------- step into; see the green section
004010D9 8BF0 MOV ESI,EAX
004010DB 8A00 MOV AL,BYTE PTR DS:[EAX]
004010DD 3C 22 CMP AL,22
004010DF 75 1B JNZ SHORT 1NOTEPAD.004010FC
-----------------------------------------------------------------------
00941CD8 6A 00 PUSH 0
00941CDA E8 D934FFFF CALL 009351B8 ; JMP to kernel32.GetModuleHandleA -----------API
00941CDF FF35 147E9400 PUSH DWORD PTR DS:[947E14]
00941CE5 58 POP EAX
00941CE6 8B05 247E9400 MOV EAX,DWORD PTR DS:[947E24]
Tracing lands on a call to <kernel32.GetModuleHandleA>, but it should actually be <KERNEL32.GetCommandLineA>. Why??? (sob)
------------------------------------------------------------------------
0040114C FF15 9C634000 CALL DWORD PTR DS:[40639C] ---------- step into; see the green section
00401152 50 PUSH EAX
00401153 E8 760F0000 CALL 1NOTEPAD.004020CE
00401158 50 PUSH EAX
00401159 8BF0 MOV ESI,EAX
0040115B FF15 A0634000 CALL DWORD PTR DS:[4063A0]
------------------------------------------------------------------------
00941C64 55 PUSH EBP
00941C65 8BEC MOV EBP,ESP
00941C67 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
00941C6A 85C0 TEST EAX,EAX
00941C6C 75 13 JNZ SHORT 00941C81
00941C6E 813D A47A9400 0>CMP DWORD PTR DS:[947AA4],400000
00941C78 75 07 JNZ SHORT 00941C81
00941C7A A1 A47A9400 MOV EAX,DWORD PTR DS:[947AA4]
00941C7F EB 06 JMP SHORT 00941C87
00941C81 50 PUSH EAX
00941C82 E8 3135FFFF CALL 009351B8 ; JMP to kernel32.GetModuleHandleA--------------API
00941C87 5D POP EBP
00941C88 C2 0400 RETN 4
Tracing lands on a call to <kernel32.GetModuleHandleA>, and it really is <kernel32.GetModuleHandleA>. I like this one!!!!!
-----------------------------------------------------------------------
Question:
Tracing lands on a call to <kernel32.GetModuleHandleA>, but it should actually be <KERNEL32.GetCommandLineA>.
How can I trace out this KERNEL32.GetCommandLineA??
Please advise. Many thanks.
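Added example (written for this page; it is not code from the post, from kongfoo or from ImportREC): the reasoning a manual IAT repair pass applies to the two listings above, as Python. It does two things. First it classifies an IAT slot by where the value the packer left in it lands: inside a loaded DLL's export table is a direct import, inside the image itself is not an import, and outside every module is a packer stub that needs tracing. Second, for a stub, it decides whether the API the trace ends on can be trusted: in the second listing the stub returns straight after its GetModuleHandleA call, so EAX reaches the caller untouched and the traced name is the import; in the first listing the stub goes on to overwrite EAX from [947E14] and [947E24], so GetModuleHandleA is only a helper and the slot's real import is something else (the post says GetCommandLineA). The module map, the kernel32 export addresses and the image size are constructed placeholders; the slot and stub addresses and the instruction text are copied from the listings.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Module:
    name: str
    base: int
    size: int
    exports: Dict[str, int] = field(default_factory=dict)  # export name -> absolute address


# Constructed module map: base, size and export addresses are placeholders,
# NOT real kernel32 values.
MODULES: List[Module] = [
    Module("kernel32", 0x7C800000, 0x100000, {
        "GetModuleHandleA": 0x7C80B741,
        "GetCommandLineA": 0x7C812C8D,
    }),
]
IMAGE_BASE = 0x00400000   # the Notepad image base, as in the stub's CMP ...,400000
IMAGE_SIZE = 0x00010000   # constructed


def module_for(addr: int) -> Optional[Module]:
    for m in MODULES:
        if m.base <= addr < m.base + m.size:
            return m
    return None


def classify_slot(slot: int, target: int) -> Tuple[str, Optional[str]]:
    """Classify one IAT dword by the value the packer left in it.
    'direct'     : target is inside a loaded module (an ordinary import)
    'in-image'   : target points into the unpacked image itself
    'redirected' : target is in packer-allocated memory; the slot must be traced"""
    m = module_for(target)
    if m is not None:
        for name, addr in m.exports.items():
            if addr == target:
                return ("direct", f"{m.name}.{name}")
        return ("direct", f"{m.name}.<unnamed export at {target:08X}>")
    if IMAGE_BASE <= target < IMAGE_BASE + IMAGE_SIZE:
        return ("in-image", None)
    return ("redirected", None)


# Instructions that leave a new value in EAX (a POP EAX counts too).
_EAX_WRITE = re.compile(
    r"^(MOV|LEA|POP|XOR|ADD|SUB|OR|AND|SHL|SHR|NEG|NOT|INC|DEC)\s+EAX\b", re.I)


def stub_kind(after_api_call: List[str]) -> str:
    """Given the instructions that follow the real API call inside a stub:
    'pass-through' : EAX reaches the caller untouched, the traced API IS the import
    'emulation'    : the stub overwrites EAX afterwards, so it computes its own
                     result and the traced API is only a helper, not the import"""
    for ins in after_api_call:
        if _EAX_WRITE.match(ins.strip()):
            return "emulation"
    return "pass-through"


# Worked input, copied from the two listings in the post.
STUB_4063E4 = [  # after CALL 009351B8 (GetModuleHandleA) at 00941CDA
    "PUSH DWORD PTR DS:[947E14]",
    "POP EAX",
    "MOV EAX,DWORD PTR DS:[947E24]",
]
STUB_40639C = [  # after CALL 009351B8 (GetModuleHandleA) at 00941C82
    "POP EBP",
    "RETN 4",
]


def analyse(slot: int, target: int, traced_api: str, after_call: List[str]) -> str:
    kind, name = classify_slot(slot, target)
    if kind == "direct":
        return f"[{slot:08X}] direct import {name}"
    if kind == "in-image":
        return f"[{slot:08X}] points into the image; not an import"
    if stub_kind(after_call) == "pass-through":
        return f"[{slot:08X}] stub -> {traced_api} (pass-through: trust the trace)"
    return (f"[{slot:08X}] stub calls {traced_api} but rewrites EAX afterwards: "
            f"emulated API, the traced name is NOT the import")


if __name__ == "__main__":
    print(analyse(0x4063E4, 0x00941CD8, "kernel32.GetModuleHandleA", STUB_4063E4))
    print(analyse(0x40639C, 0x00941C64, "kernel32.GetModuleHandleA", STUB_40639C))
    print(analyse(0x406400, 0x7C812C8D, "", []))  # a slot ImportREC already resolved
```

The rule of thumb the code encodes: when a redirected slot's stub does anything to EAX after the API it calls, the API name OllyDbg shows at the CALL is the wrong answer, and the slot has to be matched by what the stub actually returns (here the stored command-line pointer) rather than by the helper it happened to call.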