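While cracking CALLERIP, I found that FI identifies it as C++, and it seems to have no packer. After loading it in OD, I found the file header a bit suspicious. But I am a beginner and lack experience. If it is a disguised packer, the program runs immediately as soon as I press Shift+F9, so I can't unpack it. I don't know whether it really is a disguised packer. If I single-step manually, the program also starts running before long. Below is part of the code I am posting. Could the experts please give me some pointers?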
004026C8 > 55 PUSH EBP
004026C9 8BEC MOV EBP,ESP
004026CB 6A FF PUSH -1
004026CD 68 00314000 PUSH CallerIP.00403100
004026D2 68 50284000 PUSH <JMP.&MSVCRT._except_handler3> ; SE handler installation
004026D7 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
004026DD 50 PUSH EAX
004026DE 64:8925 0000000>MOV DWORD PTR FS:[0],ESP
004026E5 83EC 68 SUB ESP,68
004026E8 53 PUSH EBX
004026E9 56 PUSH ESI
004026EA 57 PUSH EDI
004026EB 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP
004026EE 33DB XOR EBX,EBX
004026F0 895D FC MOV DWORD PTR SS:[EBP-4],EBX
004026F3 6A 02 PUSH 2
004026F5 FF15 E0304000 CALL DWORD PTR DS:[<&MSVCRT.__set_app_ty>; msvcrt.__set_app_type
004026FB 59 POP ECX
004026FC 830D 98454000 F>OR DWORD PTR DS:[404598],FFFFFFFF
00402703 830D 9C454000 F>OR DWORD PTR DS:[40459C],FFFFFFFF
0040270A FF15 DC304000 CALL DWORD PTR DS:[<&MSVCRT.__p__fmode>] ; msvcrt.__p__fmode
00402710 8B0D 94454000 MOV ECX,DWORD PTR DS:[404594]
00402716 8908 MOV DWORD PTR DS:[EAX],ECX
00402718 FF15 D8304000 CALL DWORD PTR DS:[<&MSVCRT.__p__commode>; msvcrt.__p__commode
0040271E 8B0D 90454000 MOV ECX,DWORD PTR DS:[404590]
00402724 8908 MOV DWORD PTR DS:[EAX],ECX
00402726 A1 D4304000 MOV EAX,DWORD PTR DS:[<&MSVCRT._adjust_f>
0040272B 8B00 MOV EAX,DWORD PTR DS:[EAX]
0040272D A3 A0454000 MOV DWORD PTR DS:[4045A0],EAX
00402732 E8 10010000 CALL CallerIP.00402847
00402737 391D 50454000 CMP DWORD PTR DS:[404550],EBX
0040273D 75 0C JNZ SHORT CallerIP.0040274B
0040273F 68 44284000 PUSH CallerIP.00402844
00402744 FF15 D0304000 CALL DWORD PTR DS:[<&MSVCRT.__setusermat>; msvcrt.__setusermatherr
0040274A 59 POP ECX
0040274B E8 E2000000 CALL CallerIP.00402832