-
-
[旧帖]
[求助]我CreateThread追踪到这里》》。
0.00雪花
-
发表于:
2008-11-23 15:09
2760
-
[旧帖] [求助]我CreateThread追踪到这里》》。
0.00雪花
我CreateThread后取消断点追踪到Call edx F7进入这里,然后用PE完整转存2AEFA的代码,用Imprec修复,但是修复后的文件不能运行。
0042AEFA E8 15680000 call 00431714
0042AEFF ^ E9 79FEFFFF jmp 0042AD7D
0042AF04 8BFF mov edi, edi
0042AF06 55 push ebp
0042AF07 8BEC mov ebp, esp
0042AF09 56 push esi
0042AF0A 8B75 14 mov esi, dword ptr [ebp+14]
0042AF0D 57 push edi
0042AF0E 33FF xor edi, edi
0042AF10 3BF7 cmp esi, edi
0042AF12 75 04 jnz short 0042AF18
0042AF14 33C0 xor eax, eax
0042AF16 EB 65 jmp short 0042AF7D
后来发现
0042AEFF ^ E9 79FEFFFF jmp 0042AD7D这里有个JMP
0042AD7D 6A 58 push 58
0042AD7F 68 E8184500 push 004518E8
0042AD84 E8 8F1D0000 call 0042CB18
0042AD89 33F6 xor esi, esi
0042AD8B 8975 FC mov dword ptr [ebp-4], esi
0042AD8E 8D45 98 lea eax, dword ptr [ebp-68]
0042AD91 50 push eax
0042AD92 FF15 C4404400 call dword ptr [4440C4] ; kernel32.GetStartupInfoW
0042AD98 6A FE push -2
0042AD9A 5F pop edi
0042AD9B 897D FC mov dword ptr [ebp-4], edi
0042AD9E B8 4D5A0000 mov eax, 5A4D
0042ADA3 66:3905 0000400>cmp word ptr [400000], ax
0042ADAA 75 38 jnz short 0042ADE4
0042ADAC A1 3C004000 mov eax, dword ptr [40003C]
0042ADB1 81B8 00004000 5>cmp dword ptr [eax+400000], 4550
0042ADBB 75 27 jnz short 0042ADE4
0042ADBD B9 0B010000 mov ecx, 10B
我好像记得曾经有人说过存在拼接代码的问题,我是新手,请高人指教一二好吗?
[课程]FART 脱壳王!加量不加价!FART作者讲授!
