某一游戏,无壳,无反调试、使用VC++编写的。但是只能双开,限制多开。
之前是使用如下方法限制多开的:
00433DD2 |. 50 push eax ; /MutexName
00433DD3 |. F3:A4 rep movs byte ptr es:[edi], byte ptr>; |
00433DD5 |. 33F6 xor esi, esi ; |
00433DD7 |. 56 push esi ; |InitialOwner => FALSE
00433DD8 |. 56 push esi ; |pSecurity => NULL
00433DD9 |. FF15 CCF07800 call dword ptr [<&KERNEL32.CreateMute>; \CreateMutexA
00433DDF |. 8943 14 mov dword ptr [ebx+14], eax
00433DE2 |. 8B8424 140100>mov eax, dword ptr [esp+114]
00433DE9 |. 55 push ebp ; /MapName
00433DEA |. 50 push eax ; |MaximumSizeLow
00433DEB |. 56 push esi ; |MaximumSizeHigh => 0
00433DEC |. 6A 04 push 4 ; |Protection = PAGE_READWRITE
00433DEE |. 56 push esi ; |pSecurity => NULL
00433DEF |. 6A FF push -1 ; |hFile = FFFFFFFF
00433DF1 |. 8943 08 mov dword ptr [ebx+8], eax ; |保存申请的内存映像的大小
00433DF4 |. FF15 C8F07800 call dword ptr [<&KERNEL32.CreateFile>; \CreateFileMappingA
00433DFA |. 3BC6 cmp eax, esi ; 判断是否创建文件映像成功,
00433DFC |. 8903 mov dword ptr [ebx], eax ; 将文件映像的句柄保存到全局变量中,这是个申请的变量空间
00433DFE |. 75 15 jnz short 00433E15 ; 如果创建成功则跳转
00433E00 |. 8973 10 mov dword ptr [ebx+10], esi
00433E03 |. 8973 0C mov dword ptr [ebx+C], esi
00433E06 |. 5F pop edi
00433E07 |. 5E pop esi
00433E08 |. 5D pop ebp
00433E09 |. 33C0 xor eax, eax ; 创建失败,返回0
00433E0B |. 5B pop ebx
00433E0C |. 81C4 00010000 add esp, 100
00433E12 |. C2 0400 retn 4
00433E15 |> FF15 88F27800 call dword ptr [<&KERNEL32.GetLastErr>; [GetLastError
00433E1B |. 3D B7000000 cmp eax, 0B7 ; 判断是否是之前已经创建一个实例
00433E20 |. B9 01000000 mov ecx, 1
00433E25 75 03 jnz short 00433E2A
00433E27 |. 894B 10 mov dword ptr [ebx+10], ecx ; 之前已经创建了实例,则将[1AAB538+10]置1,否则为0
00433E2A |> 8973 04 mov dword ptr [ebx+4], esi ; [1AAB538+4]=0
00433E2D |. 5F pop edi
00433E2E |. 5E pop esi
00433E2F |. 894B 0C mov dword ptr [ebx+C], ecx ; [1AAB538+C]=1
00433E32 |. 5D pop ebp
00433E33 |. 8BC1 mov eax, ecx
00433E35 |. 5B pop ebx
00433E36 |. 81C4 00010000 add esp, 100
00433E3C \. C2 0400 retn 4
将00433E25 75 03 jnz short 00433E2A 改为jmp short 00433E2A
就可以无限多开了。此时,还可以用多用户,沙盘等工具多开,
但是最近游戏又进行了更新,在选择服务器后登录游戏的时候,又增加了一个检测, 一直显示“登陆重试”,大概1分钟以后,弹出一个对话框“登陆客户端过多”。然后就关闭游戏了。
这样采用多用户、沙盘都不能多开了。
各位大大们能给提供个思路吗,后面它采取的是哪种方法判断多开的,感觉不是根据 mutex、FindWindow,我用 hidetoolz 将游戏隐藏也是不可以的。
我现在的思路是,用OD断到了“登陆客户端过多!”对话框,然后根据堆栈,一步步往前推,看是在哪个父函数中进行多开判断的:结果到下面的这个函数就彻底晕了,没看明白意思:
;-----------------------------------------------------------------------
; sub_0044CAC0  (OllyDbg listing; 32-bit MSVC code, Intel syntax)
; Apparent C-ish shape: int __cdecl sub_0044CAC0(void *obj, int flag)
;   obj  -> edi (used as `this` for the thiscall helpers below)
;   flag -> ebx (only bl is tested)
; Frame: MSVC SEH frame (push -1 / push handler 0074CD98 / push old fs:[0]),
;        0x14 bytes of locals, callee-saved ebx/ebp/esi/edi.
; Stack layout once the prologue is complete (offsets from esp):
;   +00..+0F saved edi,esi,ebp,ebx   +10..+23 locals
;   +24 previous fs:[0]   +28 handler   +2C SEH state   +30 return address
;   +34 arg1 (obj)        +38 arg2 (flag)
; Every epilogue restores fs:[0] from the +24 slot (read as [esp+14] after
; the four pops, or [esp+24] before them) and drops 0x20 = 0x14 + 0xC bytes.
; Return value (eax): 0, 1, 0xA, 0xB, or whatever 004E6700 returns (case 10).
; The strings this function references (gobjscript.cpp, "语句错误:...",
; "未知语句:%s", "code run too match. over 3sec break;") read like a script
; statement-execution loop with a run-time watchdog.  The real name and
; purpose are not on the page, so that reading is an inference.
; Register roles inside the main loop:
;   edi = obj, esi = current item (statement node), ebp = iteration counter,
;   ebx / local +14 = 64-bit value from 0041DD80 taken at loop start.
;-----------------------------------------------------------------------
0044CAC0 /$ 64:A1 0000000>mov eax, dword ptr fs:[0] ; eax = current SEH chain head (the author's "EAC" is a typo for eax)
0044CAC6 |. 6A FF push -1 ; SEH state index = -1 (no tracked object live yet)
0044CAC8 |. 68 98CD7400 push 0074CD98 ; exception handler for this frame (OllyDbg showed garbage text here)
0044CACD |. 50 push eax ; link to the previous fs:[0] record (not "FS" itself)
0044CACE |. 64:8925 00000>mov dword ptr fs:[0], esp ; install this frame as the SEH chain head
0044CAD5 |. 83EC 14 sub esp, 14 ; 0x14 bytes of locals
0044CAD8 |. 53 push ebx ; save ebx (the original comment said EBP; the instruction pushes ebx)
0044CAD9 |. 8B5C24 2C mov ebx, dword ptr [esp+2C] ; ebx = arg2 (flag); only bl is examined
0044CADD |. 55 push ebp ; save ebp, esi, edi
0044CADE |. 56 push esi
0044CADF |. 57 push edi
0044CAE0 |. 8B7C24 34 mov edi, dword ptr [esp+34] ; edi = arg1 (obj)
0044CAE4 |. 8B6F 30 mov ebp, dword ptr [edi+30] ; ebp = [obj+0x30]
0044CAE7 |. 83C5 08 add ebp, 8 ; ebp = [obj+0x30] + 8  (address of the field read at 0044CB6D)
0044CAEA |. 84DB test bl, bl ; flag == 0 ?
0044CAEC |. 74 6E je short 0044CB5C ; yes: skip the pre-step and go straight to the item walk
0044CAEE |. 8BCF mov ecx, edi ; this = obj
0044CAF0 |. E8 EBE7FFFF call 0044B2E0 ; author's note: updates [this+0xC] from [this+0x10] — not verifiable here
0044CAF5 |. 8BF0 mov esi, eax ; esi = result (treated as a pointer below)
0044CAF7 |. 85F6 test esi, esi ; NULL ?
0044CAF9 |. 74 56 je short 0044CB51 ; author observed this branch is usually taken
0044CAFB |. 53 push ebx
0044CAFC |. 56 push esi
0044CAFD |. E8 BEFFFFFF call 0044CAC0 ; recursive call: sub_0044CAC0(esi, flag)
0044CB02 |. 8BD8 mov ebx, eax ; ebx = recursive result
0044CB04 |. 83C4 08 add esp, 8 ; cdecl: caller removes the 2 arguments
0044CB07 |. 83FB 0A cmp ebx, 0A ; result 0xA propagates immediately
0044CB0A |. 75 18 jnz short 0044CB24
0044CB0C |> 5F pop edi ; --- epilogue: return 0xA (also reached from 0044CD27) ---
0044CB0D |. 5E pop esi
0044CB0E |. 5D pop ebp
0044CB0F |. B8 0A000000 mov eax, 0A
0044CB14 |. 5B pop ebx
0044CB15 |. 8B4C24 14 mov ecx, dword ptr [esp+14] ; previous fs:[0] (slot +24 before the pops)
0044CB19 |. 64:890D 00000>mov dword ptr fs:[0], ecx ; unlink the SEH frame
0044CB20 |. 83C4 20 add esp, 20 ; locals (0x14) + SEH record (0xC)
0044CB23 |. C3 retn
0044CB24 |> 8B06 mov eax, dword ptr [esi] ; eax = [esi+0]
0044CB26 |. 50 push eax
0044CB27 |. 56 push esi
0044CB28 |. E8 E3E6FFFF call 0044B210 ; 0044B210(esi, [esi])
0044CB2D |. 83C4 08 add esp, 8
0044CB30 |. 8BCF mov ecx, edi ; this = obj
0044CB32 |. E8 D9D00800 call 004D9C10
0044CB37 |. 83FB 0B cmp ebx, 0B ; recursive result 0xB also propagates
0044CB3A |. 75 15 jnz short 0044CB51
0044CB3C |. 5F pop edi ; --- epilogue: return ebx (== 0xB here) ---
0044CB3D |. 5E pop esi
0044CB3E |. 8BC3 mov eax, ebx
0044CB40 |. 5D pop ebp
0044CB41 |. 5B pop ebx
0044CB42 |. 8B4C24 14 mov ecx, dword ptr [esp+14] ; previous fs:[0]
0044CB46 |. 64:890D 00000>mov dword ptr fs:[0], ecx
0044CB4D |. 83C4 20 add esp, 20
0044CB50 |. C3 retn
0044CB51 |> 8B47 44 mov eax, dword ptr [edi+44] ; eax = [obj+0x44] ("current node" slot, see the walk below)
0044CB54 |. 85C0 test eax, eax ; NULL ?
0044CB56 |. 0F84 00020000 je 0044CD5C ; yes => return 0
0044CB5C |> 8B47 44 mov eax, dword ptr [edi+44] ; entry for flag == 0 (from 0044CAEC); re-reads the same slot
0044CB5F |. 85C0 test eax, eax
0044CB61 |. 74 0A je short 0044CB6D ; NULL => start from the list at [ebp]
0044CB63 |. 8B30 mov esi, dword ptr [eax] ; esi = node->[0]   (the item)
0044CB65 |. 8B40 0C mov eax, dword ptr [eax+C] ; eax = node->[0xC] (looks like a next pointer)
0044CB68 |. 8947 44 mov dword ptr [edi+44], eax ; [obj+0x44] = next
0044CB6B |. EB 19 jmp short 0044CB86 ; the +0 / +0xC pattern is consistent with popping a singly linked list
0044CB6D |> 8B45 00 mov eax, dword ptr [ebp] ; eax = [[obj+0x30]+8]  (list head?)
0044CB70 |. 85C0 test eax, eax ; empty ?
0044CB72 |. 75 07 jnz short 0044CB7B
0044CB74 |. 8947 44 mov dword ptr [edi+44], eax ; empty: [obj+0x44] = 0
0044CB77 |. 33F6 xor esi, esi ; esi = NULL
0044CB79 |. EB 0B jmp short 0044CB86
0044CB7B |> 8B48 0C mov ecx, dword ptr [eax+C] ; ecx = head->[0xC] (next)
0044CB7E |. 894F 44 mov dword ptr [edi+44], ecx ; [obj+0x44] = next
0044CB81 |. 8B55 00 mov edx, dword ptr [ebp] ; edx = head
0044CB84 |. 8B32 mov esi, dword ptr [edx] ; esi = head->[0] (first item)
0044CB86 |> 33ED xor ebp, ebp ; ebp is reused from here on as an iteration counter (0)
0044CB88 |. E8 F311FDFF call 0041DD80 ; returns a 64-bit value in edx:eax; compared below against 0x493E0, so plausibly a time/tick stamp (author says time-derived — unverified)
0044CB8D |. 85F6 test esi, esi ; no item at all ?
0044CB8F |. 8BD8 mov ebx, eax ; ebx = low dword of the start stamp
0044CB91 |. 895424 14 mov dword ptr [esp+14], edx ; local +14 = high dword of the start stamp
0044CB95 |. 0F84 C1010000 je 0044CD5C ; no item => return 0
0044CB9B |> 45 /inc ebp ; ===== loop top: ++counter =====
0044CB9C |. 81FD E8030000 |cmp ebp, 3E8 ; only every 1000 (0x3E8) iterations...
0044CBA2 |. 7E 24 |jle short 0044CBC8 ; ...otherwise skip the time check
0044CBA4 |. E8 D711FDFF |call 0041DD80 ; ...re-read the stamp
0044CBA9 |. 8B6C24 14 |mov ebp, dword ptr [esp+14] ; ebp = saved high dword of the start stamp
0044CBAD |. 2BC3 |sub eax, ebx ; edx:eax = now - start (64-bit subtract)
0044CBAF |. 1BD5 |sbb edx, ebp
0044CBB1 |. 85D2 |test edx, edx
0044CBB3 |. 0F8F B8010000 |jg 0044CD71 ; high dword > 0 => budget exceeded => watchdog exit
0044CBB9 |. 7C 0B |jl short 0044CBC6 ; negative delta => treated as within budget
0044CBBB |. 3D E0930400 |cmp eax, 493E0 ; 0x493E0 = 300000 units (the message at 0044CD83 calls this "3sec")
0044CBC0 |. 0F87 AB010000 |ja 0044CD71 ; over budget => watchdog exit
0044CBC6 |> 33ED |xor ebp, ebp ; reset the counter
0044CBC8 |> 8B46 04 |mov eax, dword ptr [esi+4] ; eax = item->[4]  (presumably the statement type/opcode)
0044CBCB |. 83F8 19 |cmp eax, 19 ; Switch (cases 0..19) — first dispatch on item->[4]
0044CBCE |. 0F87 80000000 |ja 0044CC54 ; > 0x19 => default case
0044CBD4 |. 33C9 |xor ecx, ecx ; zero ecx so the byte load below is zero-extended
0044CBD6 |. 8A88 6CCE4400 |mov cl, byte ptr [eax+44CE6C] ; cl = index-table[item->[4]]  (byte table at 0044CE6C)
0044CBDC |. FF248D 54CE44>|jmp dword ptr [ecx*4+44CE54] ; dispatch through the 6-entry table at 0044CE54
0044CBE3 |> 68 99040000 |push 499 ; Case E of switch 0044CBCB — 0x499 with the file name below looks like (line, file) for an error reporter (inferred)
0044CBE8 |. 68 A04D8100 |push 00814DA0 ; e:\gbox\public\script\gobjscript.cpp
0044CBED |. E8 1E13FCFF |call 0040DF10
0044CBF2 |. 83C4 08 |add esp, 8
0044CBF5 |. 68 54528100 |push 00815254 ; 语句错误:sentence_continue  ("statement error: sentence_continue")
0044CBFA |. E8 6114FCFF |call 0040E060
0044CBFF |. 83C4 04 |add esp, 4
0044CC02 |. E9 3E010000 |jmp 0044CD45 ; advance to the next item
0044CC07 |> 68 9C040000 |push 49C ; Case F of switch 0044CBCB — same report pattern as case E
0044CC0C |. 68 A04D8100 |push 00814DA0 ; e:\gbox\public\script\gobjscript.cpp
0044CC11 |. E8 FA12FCFF |call 0040DF10
0044CC16 |. 83C4 08 |add esp, 8
0044CC19 |. 68 3C528100 |push 0081523C ; 语句错误:sentence_break  ("statement error: sentence_break")
0044CC1E |. E8 3D14FCFF |call 0040E060
0044CC23 |. 83C4 04 |add esp, 4
0044CC26 |. E9 1A010000 |jmp 0044CD45 ; advance to the next item
0044CC2B |> 8B4E 08 |mov ecx, dword ptr [esi+8] ; Case C of switch 0044CBCB — ecx = item->[8]
0044CC2E |. B8 04000000 |mov eax, 4
0044CC33 |. 3BC8 |cmp ecx, eax ; item->[8] must be 4
0044CC35 |. 0F85 6A010000 |jnz 0044CDA5 ; otherwise "goto格式不匹配" => return 1
0044CC3B |. 3BC8 |cmp ecx, eax ; always equal here (compiler leftover)...
0044CC3D |. 74 0A |je short 0044CC49 ; ...so this is always taken
0044CC3F |. 33F6 |xor esi, esi ; unreachable given the two checks above
0044CC41 |. 8977 44 |mov dword ptr [edi+44], esi
0044CC44 |. E9 FC000000 |jmp 0044CD45
0044CC49 |> 8B76 10 |mov esi, dword ptr [esi+10] ; esi = item->[0x10]
0044CC4C |. 8977 44 |mov dword ptr [edi+44], esi ; [obj+0x44] = item->[0x10]  (redirects the walk, goto-like)
0044CC4F |. E9 F1000000 |jmp 0044CD45
0044CC54 |> 8A47 4E |mov al, byte ptr [edi+4E] ; Default case of switch 0044CBCB — al = byte [obj+0x4E] (not [edi+44] as the original comment said)
0044CC57 |. 84C0 |test al, al
0044CC59 |. 75 08 |jnz short 0044CC63 ; non-zero => skip the pre-check
0044CC5B |. 8B46 14 |mov eax, dword ptr [esi+14] ; eax = item->[0x14]
0044CC5E |. F6C4 40 |test ah, 40 ; bit 14 (0x4000) of item->[0x14] set?  (a bit test, not an equality test)
0044CC61 |. 74 37 |je short 0044CC9A ; clear => skip straight to the second dispatch
0044CC63 |> 8B46 14 |mov eax, dword ptr [esi+14]
0044CC66 |. F6C4 40 |test ah, 40 ; same bit again
0044CC69 |. 75 20 |jnz short 0044CC8B ; set => call 004E82D0 without the copy below
0044CC6B |. 8D56 18 |lea edx, dword ptr [esi+18] ; edx = &item->[0x18]
0044CC6E |. 8B46 18 |mov eax, dword ptr [esi+18] ; eax = item->[0x18]
0044CC71 |. 85C0 |test eax, eax
0044CC73 |. 8B4A 04 |mov ecx, dword ptr [edx+4] ; local +1C = item->[0x1C]
0044CC76 |. 894C24 1C |mov dword ptr [esp+1C], ecx
0044CC7A |. 8B52 08 |mov edx, dword ptr [edx+8] ; local +20 = item->[0x20]
0044CC7D |. 895424 20 |mov dword ptr [esp+20], edx
0044CC81 |. 74 17 |je short 0044CC9A ; item->[0x18] == 0 => skip
0044CC83 |. 8B4424 38 |mov eax, dword ptr [esp+38] ; eax = arg2 (flag)
0044CC87 |. 56 |push esi
0044CC88 |. 50 |push eax
0044CC89 |. EB 06 |jmp short 0044CC91
0044CC8B |> 8B4C24 38 |mov ecx, dword ptr [esp+38] ; ecx = arg2 (flag)
0044CC8F |. 56 |push esi
0044CC90 |. 51 |push ecx
0044CC91 |> 57 |push edi
0044CC92 |. E8 39B60900 |call 004E82D0 ; 004E82D0(obj, flag, item)  — both paths end up here
0044CC97 |. 83C4 0C |add esp, 0C ; cdecl, 3 args
0044CC9A |> 8B46 04 |mov eax, dword ptr [esi+4] ; eax = item->[4] again (not [[[parm1+30]+8]])
0044CC9D |. 48 |dec eax ; Switch (cases 1..14) — second dispatch, index = item->[4] - 1
0044CC9E |. 83F8 13 |cmp eax, 13
0044CCA1 |. 0F87 50010000 |ja 0044CDF7 ; item->[4] outside 1..0x14 => default ("未知语句")
0044CCA7 |. FF2485 88CE44>|jmp dword ptr [eax*4+44CE88] ; dispatch through the 20-entry table at 0044CE88
0044CCAE |> 57 |push edi ; Case 1 of switch 0044CC9D — every case below is item->method(obj) with this = esi
0044CCAF |. 8BCE |mov ecx, esi
0044CCB1 |. E8 1A8C0900 |call 004E58D0
0044CCB6 |. EB 6C |jmp short 0044CD24
0044CCB8 |> 57 |push edi ; Case 2 of switch 0044CC9D
0044CCB9 |. 8BCE |mov ecx, esi
0044CCBB |. E8 108D0900 |call 004E59D0
0044CCC0 |. EB 62 |jmp short 0044CD24
0044CCC2 |> 57 |push edi ; Case 4 of switch 0044CC9D
0044CCC3 |. 8BCE |mov ecx, esi
0044CCC5 |. E8 D68D0900 |call 004E5AA0
0044CCCA |. EB 58 |jmp short 0044CD24
0044CCCC |> 57 |push edi ; Case 13 of switch 0044CC9D
0044CCCD >|. 8BCE |mov ecx, esi
0044CCCF |. E8 9C8E0900 |call 004E5B70
0044CCD4 |. EB 4E |jmp short 0044CD24 ; (OllyDbg's "initial cpu selection" note here was just the debugger's cursor mark)
0044CCD6 |> 57 |push edi ; Case 14 of switch 0044CC9D
0044CCD7 |. 8BCE |mov ecx, esi
0044CCD9 |. E8 42910900 |call 004E5E20
0044CCDE |. EB 44 |jmp short 0044CD24
0044CCE0 |> 57 |push edi ; Cases 7,8,9 of switch 0044CC9D
0044CCE1 |. 8BCE |mov ecx, esi
0044CCE3 |. E8 B8950900 |call 004E62A0
0044CCE8 |. EB 3A |jmp short 0044CD24
0044CCEA |> 57 |push edi ; Case B of switch 0044CC9D
0044CCEB |. 8BCE |mov ecx, esi
0044CCED |. E8 8E970900 |call 004E6480
0044CCF2 |. EB 30 |jmp short 0044CD24
0044CCF4 |> 57 |push edi ; Case 3 of switch 0044CC9D
0044CCF5 |. 8BCE |mov ecx, esi
0044CCF7 |. E8 D49A0900 |call 004E67D0
0044CCFC |. EB 26 |jmp short 0044CD24
0044CCFE |> 57 |push edi ; Cases A,11,12 of switch 0044CC9D
0044CCFF |. 8BCE |mov ecx, esi
0044CD01 |. E8 6A9F0900 |call 004E6C70
0044CD06 |. EB 1C |jmp short 0044CD24
0044CD08 |> 57 |push edi ; Case D of switch 0044CC9D
0044CD09 |. 8BCE |mov ecx, esi
0044CD0B |. E8 F0A00900 |call 004E6E00
0044CD10 |. EB 12 |jmp short 0044CD24
0044CD12 |> 57 |push edi ; Case 5 of switch 0044CC9D
0044CD13 |. 8BCE |mov ecx, esi
0044CD15 |. E8 A6A20900 |call 004E6FC0
0044CD1A |. EB 08 |jmp short 0044CD24
0044CD1C |> 57 |push edi ; Case 6 of switch 0044CC9D
0044CD1D |. 8BCE |mov ecx, esi
0044CD1F |. E8 1CA40900 |call 004E7140
0044CD24 |> 83F8 0A |cmp eax, 0A ; common post-check on the handler's result
0044CD27 |.^ 0F84 DFFDFFFF |je 0044CB0C ; 0xA => return 0xA
0044CD2D |. 8A4F 4D |mov cl, byte ptr [edi+4D] ; cl = byte [obj+0x4D]
0044CD30 |. 84C9 |test cl, cl
0044CD32 |. 74 08 |je short 0044CD3C
0044CD34 |. 85C0 |test eax, eax ; [obj+0x4D] != 0 and result != 0 => return 0xB
0044CD36 |. 0F85 FF000000 |jnz 0044CE3B
0044CD3C |> 83F8 0B |cmp eax, 0B ; result 0xB => return 0xB
0044CD3F |. 0F84 F6000000 |je 0044CE3B
0044CD45 |> 8B47 44 |mov eax, dword ptr [edi+44] ; Cases 0,16,17,18 of switch 0044CBCB — advance: eax = [obj+0x44]
0044CD48 |. 85C0 |test eax, eax
0044CD4A |. 74 10 |je short 0044CD5C ; no next node => return 0
0044CD4C |. 8B30 |mov esi, dword ptr [eax] ; esi = node->[0] (next item)
0044CD4E |. 8B50 0C |mov edx, dword ptr [eax+C] ; edx = node->[0xC]
0044CD51 |. 85F6 |test esi, esi
0044CD53 |. 8957 44 |mov dword ptr [edi+44], edx ; [obj+0x44] = next
0044CD56 |.^ 0F85 3FFEFFFF \jnz 0044CB9B ; item present => loop; NULL falls into return 0
0044CD5C |> 5F pop edi ; Case 19 of switch 0044CBCB — epilogue: return 0
0044CD5D |. 5E pop esi
0044CD5E |. 5D pop ebp
0044CD5F |. 33C0 xor eax, eax
0044CD61 |. 5B pop ebx
0044CD62 |. 8B4C24 14 mov ecx, dword ptr [esp+14] ; previous fs:[0]
0044CD66 |. 64:890D 00000>mov dword ptr fs:[0], ecx
0044CD6D |. 83C4 20 add esp, 20
0044CD70 |. C3 retn
0044CD71 |> 68 8E040000 push 48E ; watchdog exit (from 0044CBB3 / 0044CBC0): report (0x48E, file)...
0044CD76 |. 68 A04D8100 push 00814DA0 ; e:\gbox\public\script\gobjscript.cpp
0044CD7B |. E8 9011FCFF call 0040DF10
0044CD80 |. 83C4 08 add esp, 8
0044CD83 |. 68 14528100 push 00815214 ; code run too match. over 3sec break;  (string as stored in the binary)
0044CD88 |. E8 D312FCFF call 0040E060
0044CD8D |. 83C4 04 add esp, 4
0044CD90 |. 33C0 xor eax, eax ; ...then return 0
0044CD92 |. 5F pop edi
0044CD93 |. 5E pop esi
0044CD94 |. 5D pop ebp
0044CD95 |. 5B pop ebx
0044CD96 |. 8B4C24 14 mov ecx, dword ptr [esp+14] ; previous fs:[0]
0044CD9A |. 64:890D 00000>mov dword ptr fs:[0], ecx
0044CDA1 |. 83C4 20 add esp, 20
0044CDA4 |. C3 retn
0044CDA5 |> 68 A5040000 push 4A5 ; case C with item->[8] != 4: report (0x4A5, file)...
0044CDAA |. 68 A04D8100 push 00814DA0 ; e:\gbox\public\script\gobjscript.cpp
0044CDAF |. E8 5C11FCFF call 0040DF10
0044CDB4 |. 83C4 08 add esp, 8
0044CDB7 |. 68 04528100 push 00815204 ; goto格式不匹配  ("goto format mismatch")
0044CDBC |. E8 9F12FCFF call 0040E060
0044CDC1 |. 83C4 04 add esp, 4
0044CDC4 |. B8 01000000 mov eax, 1 ; ...then return 1
0044CDC9 |. 5F pop edi
0044CDCA |. 5E pop esi
0044CDCB |. 5D pop ebp
0044CDCC |. 5B pop ebx
0044CDCD |. 8B4C24 14 mov ecx, dword ptr [esp+14] ; previous fs:[0]
0044CDD1 |. 64:890D 00000>mov dword ptr fs:[0], ecx
0044CDD8 |. 83C4 20 add esp, 20
0044CDDB |. C3 retn
0044CDDC |> 57 push edi ; Case 10 of switch 0044CC9D — item->004E6700(obj) and return its result unchanged (no 0xA/0xB post-check)
0044CDDD |. 8BCE mov ecx, esi
0044CDDF |. E8 1C990900 call 004E6700
0044CDE4 |. 5F pop edi
0044CDE5 |. 5E pop esi
0044CDE6 |. 5D pop ebp
0044CDE7 |. 5B pop ebx
0044CDE8 |. 8B4C24 14 mov ecx, dword ptr [esp+14] ; previous fs:[0]
0044CDEC |. 64:890D 00000>mov dword ptr fs:[0], ecx
0044CDF3 |. 83C4 20 add esp, 20
0044CDF6 |. C3 retn
0044CDF7 |> 8D4424 34 lea eax, dword ptr [esp+34] ; Default case of switch 0044CC9D — eax = &slot +34 (arg1's slot, reused for a temporary object)
0044CDFB |. 8BCE mov ecx, esi ; this = item
0044CDFD |. 50 push eax
0044CDFE |. E8 2D840900 call 004E5230 ; item->004E5230(&tmp)  (stack math below implies the callee removes this argument — inferred)
0044CE03 |. 8B00 mov eax, dword ptr [eax] ; eax = first dword of tmp
0044CE05 |. 8BCE mov ecx, esi
0044CE07 |. 50 push eax
0044CE08 |. 68 F8518100 push 008151F8 ; 未知语句:%s  ("unknown statement: %s")
0044CE0D |. C74424 34 000>mov dword ptr [esp+34], 0 ; with two pushes outstanding this is the SEH state slot (+2C): state 0 = tmp is live and must be destroyed
0044CE15 |. E8 768A0900 call 004E5890 ; item->004E5890("未知语句:%s", tmp0)  — formats the message (inferred from the %s)
0044CE1A |. 50 push eax
0044CE1B |. 68 2900DF00 push 0DF0029 ; constant of unknown meaning
0044CE20 |. 6A 07 push 7
0044CE22 |. E8 F912FCFF call 0040E120 ; 0040E120(7, 0xDF0029, msg, ...)
0044CE27 |. 83C4 14 add esp, 14 ; removes 5 dwords, which brings esp back to the frame base
0044CE2A |. 8D4C24 34 lea ecx, dword ptr [esp+34] ; this = &tmp
0044CE2E |. C74424 2C FFF>mov dword ptr [esp+2C], -1 ; SEH state back to -1 before the destructor
0044CE36 |. E8 7562FBFF call 004030B0 ; tmp destructor (looks like a string object; not verifiable here)
0044CE3B |> 8B4C24 24 mov ecx, dword ptr [esp+24] ; --- epilogue: return 0xB --- previous fs:[0], read before the pops this time
0044CE3F |. 5F pop edi
0044CE40 |. 5E pop esi
0044CE41 |. 5D pop ebp
0044CE42 |. B8 0B000000 mov eax, 0B
0044CE47 |. 5B pop ebx
0044CE48 |. 64:890D 00000>mov dword ptr fs:[0], ecx
0044CE4F |. 83C4 20 add esp, 20
0044CE52 \. C3 retn
0044CE53 90 nop ; 1-byte filler between the function's last retn and the tables
; Jump table for the first switch (0044CBDC).  Indexed by cl, which is
; looked up in the byte table at 0044CE6C using item->[4] as the index.
0044CE54 . 45CD4400 dd rc3.0044CD45 ; entry 0: advance to the next item
0044CE58 . 2BCC4400 dd rc3.0044CC2B ; entry 1: case C (goto-like redirect)
0044CE5C . E3CB4400 dd rc3.0044CBE3 ; entry 2: case E ("语句错误:sentence_continue")
0044CE60 . 07CC4400 dd rc3.0044CC07 ; entry 3: case F ("语句错误:sentence_break")
0044CE64 . 5CCD4400 dd rc3.0044CD5C ; entry 4: return 0
0044CE68 . 54CC4400 dd rc3.0044CC54 ; entry 5: default (second dispatch)
; Byte index table used at 0044CBD6: position = item->[4] (0..0x19), value = entry above.
; (The original "ECX=n" labels were the positions, i.e. the eax index; ecx receives the value.)
0044CE6C . 00 db 00 ; item->[4]=0  -> entry 0 (advance)
0044CE6D . 05 db 05 ; item->[4]=1  -> entry 5 (default)
0044CE6E . 05 db 05 ; item->[4]=2  -> entry 5
0044CE6F . 05 db 05 ; item->[4]=3  -> entry 5
0044CE70 . 05 db 05 ; item->[4]=4  -> entry 5
0044CE71 . 05 db 05 ; item->[4]=5  -> entry 5
0044CE72 . 05 db 05 ; item->[4]=6  -> entry 5
0044CE73 . 05 db 05 ; item->[4]=7  -> entry 5
0044CE74 . 05 db 05 ; item->[4]=8  -> entry 5
0044CE75 . 05 db 05 ; item->[4]=9  -> entry 5
0044CE76 . 05 db 05 ; item->[4]=A  -> entry 5
0044CE77 . 05 db 05 ; item->[4]=B  -> entry 5
0044CE78 . 01 db 01 ; item->[4]=C  -> entry 1 (goto-like redirect)
0044CE79 . 05 db 05 ; item->[4]=D  -> entry 5
0044CE7A . 02 db 02 ; item->[4]=E  -> entry 2 (sentence_continue error)
0044CE7B . 03 db 03 ; item->[4]=F  -> entry 3 (sentence_break error)
0044CE7C . 05 db 05 ; item->[4]=10 -> entry 5
0044CE7D . 05 db 05 ; item->[4]=11 -> entry 5
0044CE7E . 05 db 05 ; item->[4]=12 -> entry 5
0044CE7F . 05 db 05 ; item->[4]=13 -> entry 5
0044CE80 . 05 db 05 ; item->[4]=14 -> entry 5
0044CE81 . 05 db 05 ; item->[4]=15 -> entry 5
0044CE82 . 00 db 00 ; item->[4]=16 -> entry 0 (advance)
0044CE83 . 00 db 00 ; item->[4]=17 -> entry 0
0044CE84 . 00 db 00 ; item->[4]=18 -> entry 0
0044CE85 . 04 db 04 ; item->[4]=19 -> entry 4 (return 0)
0044CE86 8BFF mov edi, edi ; two filler bytes (8B FF) that OllyDbg decoded as an instruction; they sit between the tables and nothing visible jumps here
; Jump table for the second switch (0044CCA7).  Indexed by item->[4] - 1 (0..0x13).
0044CE88 . AECC4400 dd rc3.0044CCAE ; item->[4]=1  -> case 1  (004E58D0)
0044CE8C . B8CC4400 dd rc3.0044CCB8 ; item->[4]=2  -> case 2  (004E59D0)
0044CE90 . F4CC4400 dd rc3.0044CCF4 ; item->[4]=3  -> case 3  (004E67D0)
0044CE94 . C2CC4400 dd rc3.0044CCC2 ; item->[4]=4  -> case 4  (004E5AA0)
0044CE98 . 12CD4400 dd rc3.0044CD12 ; item->[4]=5  -> case 5  (004E6FC0)
0044CE9C . 1CCD4400 dd rc3.0044CD1C ; item->[4]=6  -> case 6  (004E7140)
0044CEA0 . E0CC4400 dd rc3.0044CCE0 ; item->[4]=7  -> cases 7,8,9 (004E62A0)
0044CEA4 . E0CC4400 dd rc3.0044CCE0 ; item->[4]=8
0044CEA8 . E0CC4400 dd rc3.0044CCE0 ; item->[4]=9
0044CEAC . FECC4400 dd rc3.0044CCFE ; item->[4]=A  -> cases A,11,12 (004E6C70)
0044CEB0 . EACC4400 dd rc3.0044CCEA ; item->[4]=B  -> case B  (004E6480)
0044CEB4 . F7CD4400 dd rc3.0044CDF7 ; item->[4]=C  -> default ("未知语句:%s")
0044CEB8 . 08CD4400 dd rc3.0044CD08 ; item->[4]=D  -> case D  (004E6E00)
0044CEBC . F7CD4400 dd rc3.0044CDF7 ; item->[4]=E  -> default
0044CEC0 . F7CD4400 dd rc3.0044CDF7 ; item->[4]=F  -> default
0044CEC4 . DCCD4400 dd rc3.0044CDDC ; item->[4]=10 -> case 10 (004E6700, result returned directly)
0044CEC8 . FECC4400 dd rc3.0044CCFE ; item->[4]=11 -> cases A,11,12
0044CECC . FECC4400 dd rc3.0044CCFE ; item->[4]=12
0044CED0 . CCCC4400 dd rc3.0044CCCC ; item->[4]=13 -> case 13 (004E5B70)
0044CED4 . D6CC4400 dd rc3.0044CCD6 ; item->[4]=14 -> case 14 (004E5E20)