[Old post] [Help] TMD 2.04 STOLEN CODE repair, asking for help
Posted on: 2009-3-7 14:15
A Delphi program packed with TMD 2.04. After the script finished I was in the VM, then I set an F2 breakpoint on the code section and pressed F9,
and landed here:
00405DDC 53 push ebx ; USER32.77D2028D
00405DDD 8BD8 mov ebx, eax
00405DDF 33C0 xor eax, eax
00405DE1 A3 9C504600 mov dword ptr [46509C], eax
00405DE6 6A 00 push 0
00405DE8 E8 2BFFFFFF call 00405D18 ; jmp to KERNEL32.GetModuleHandleA
00405DED A3 64764600 mov dword ptr [467664], eax
00405DF2 A1 64764600 mov eax, dword ptr [467664]
00405DF7 A3 A8504600 mov dword ptr [4650A8], eax
00405DFC 33C0 xor eax, eax
00405DFE A3 AC504600 mov dword ptr [4650AC], eax
00405E03 33C0 xor eax, eax
00405E05 A3 B0504600 mov dword ptr [4650B0], eax
00405E0A E8 C1FFFFFF call 00405DD0
00405E0F BA A4504600 mov edx, 004650A4
00405E14 8BC3 mov eax, ebx
00405E16 E8 C5DEFFFF call 00403CE0
00405E1B 5B pop ebx
00405E1C C3 retn
After the retn it goes back into the VM:
0082F4F8 68 F0E47D0D push 0D7DE4F0
0082F4FD ^ E9 1D1BE6FF jmp 0069101F
0082F502 CC int3
0082F503 68 C5E57D0D push 0D7DE5C5
0082F508 ^ E9 121BE6FF jmp 0069101F
0082F50D CC int3
0082F50E 68 FFE57D0D push 0D7DE5FF
0082F513 ^ E9 071BE6FF jmp 0069101F
0082F518 CC int3
0082F519 68 39E67D0D push 0D7DE639
0082F51E ^ E9 FC1AE6FF jmp 0069101F
Then I set another F2 breakpoint on the code section and pressed F9, but it ended up here, and I don't know what to do now:
0046E94C 00E8 add al, ch
0046E94E EE out dx, al
0046E94F FFFF ??? ; unknown command
0046E951 83C5 02 add ebp, 2
0046E954 68 2BB175D5 push D575B12B
0046E959 60 pushad
0046E95A 9C pushfd
0046E95B C60424 CA mov byte ptr [esp], 0CA
0046E95F 46 inc esi
0046E960 57 push edi
0046E961 66:895C24 04 mov word ptr [esp+4], bx
0046E966 FF7424 04 push dword ptr [esp+4]
0046E96A 66:891407 mov word ptr [edi+eax], dx
0046E96E 9C pushfd
0046E96F 8D6424 3C lea esp, dword ptr [esp+3C]
0046E973 ^ E9 C0F5FFFF jmp 0046DF38
0046E978 F9 stc
0046E979 F6D8 neg al
0046E97B E8 4DFFFFFF call 0046E8CD
0046E980 60 pushad
0046E981 9C pushfd
0046E982 60 pushad
0046E983 897424 40 mov dword ptr [esp+40], esi
0046E987 9C pushfd
0046E988 9C pushfd
0046E989 8D6424 48 lea esp, dword ptr [esp+48]
0046E98D ^ E9 37EDFFFF jmp 0046D6C9
0046E992 E8 B2FAFFFF call 0046E449
0046E997 ^ E9 64E6FFFF jmp 0046D000
0046E99C 68 33B07FEA push EA7FB033
0046E9A1 83C5 06 add ebp, 6
0046E9A4 66:893424 mov word ptr [esp], si
0046E9A8 51 push ecx
0046E9A9 68 F7DCB28A push 8AB2DCF7
0046E9AE 8810 mov byte ptr [eax], dl
0046E9B0 68 F9A7DAFA push FADAA7F9
0046E9B5 60 pushad
0046E9B6 884C24 04 mov byte ptr [esp+4], cl
0046E9BA 8D6424 30 lea esp, dword ptr [esp+30]
0046E9BE ^ E9 75F5FFFF jmp 0046DF38
0046E9C3 9C pushfd
0046E9C4 9C pushfd
0046E9C5 8F4424 40 pop dword ptr [esp+40]
0046E9C9 E8 DBFDFFFF call 0046E7A9
0046E9CE C70424 DF68C5A2 mov dword ptr [esp], A2C568DF
0046E9D5 66:892C24 mov word ptr [esp], bp
0046E9D9 66:2145 04 and word ptr [ebp+4], ax
0046E9DD C70424 AECD4FB1 mov dword ptr [esp], B14FCDAE
0046E9E4 ^ E9 60E9FFFF jmp 0046D349
0046E9E9 66:897424 04 mov word ptr [esp+4], si
0046E9EE 68 222D9C53 push 539C2D22
0046E9F3 86E0 xchg al, ah
0046E9F5 66:39CB cmp bx, cx
0046E9F8 881424 mov byte ptr [esp], dl
0046E9FB 66:0FBAE4 01 bt sp, 1
0046EA00 66:2D A5DF sub ax, 0DFA5
0046EA04 66:0FA3EE bt si, bp
0046EA08 86E0 xchg al, ah
0046EA0A 39E0 cmp eax, esp
0046EA0C 66:895C24 04 mov word ptr [esp+4], bx
0046EA11 66:31C3 xor bx, ax
0046EA14 C64424 04 12 mov byte ptr [esp+4], 12
0046EA19 F8 clc
0046EA1A C70424 42CC8256 mov dword ptr [esp], 5682CC42
0046EA21 98 cwde
0046EA22 9C pushfd
0046EA23 FF3424 push dword ptr [esp]
0046EA26 66:F7C2 DB15 test dx, 15DB
0046EA2B 83ED 04 sub ebp, 4
0046EA2E E8 55EDFFFF call 0046D788
0046EA33 66:8945 00 mov word ptr [ebp], ax
0046EA37 66:C70424 A2D0 mov word ptr [esp], 0D0A2
0046EA3D 66:895C24 0C mov word ptr [esp+C], bx
0046EA42 8D6424 10 lea esp, dword ptr [esp+10]
0046EA46 ^ E9 31E7FFFF jmp 0046D17C
0046EA4B ^ E9 BBFEFFFF jmp 0046E90B
0046EA50 66:0FABC0 bts ax, ax
0046EA54 D2E0 shl al, cl
0046EA56 D5 7D aad 7D
0046EA58 80FE FB cmp dh, 0FB
0046EA5B 8B06 mov eax, dword ptr [esi]
0046EA5D ^ E9 4AF3FFFF jmp 0046DDAC
0046EA62 9C pushfd
Could an expert please give me some pointers? Thanks.
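As an added example (not part of the original post, and not a Themida unpacking script), here is a small Python helper that parses the OllyDbg listings pasted above. It groups the `push imm32 / jmp` trampolines by their common jump target, which shows that the four stubs after the `retn` are all entries into one VM dispatcher at 0069101F with different keys; it flags the listing reached by the second breakpoint as disassembled from a non-instruction boundary, because it opens with `add al, ch`, a privileged `out` and an undecodable `???` (this rule is my own heuristic, not something the post states); and it pulls the API names out of OllyDbg's comments. The listing strings are copied from the post (the first one abridged).

```python
import re
from collections import defaultdict

# The three listings are copied from the post above (OllyDbg format:
# address, opcode bytes, mnemonic, operands, optional "; comment").
INIT_LISTING = """\
00405DDC 53 push ebx ; USER32.77D2028D
00405DDD 8BD8 mov ebx, eax
00405DDF 33C0 xor eax, eax
00405DE1 A3 9C504600 mov dword ptr [46509C], eax
00405DE6 6A 00 push 0
00405DE8 E8 2BFFFFFF call 00405D18 ; jmp to KERNEL32.GetModuleHandleA
00405DED A3 64764600 mov dword ptr [467664], eax
00405E0A E8 C1FFFFFF call 00405DD0
00405E0F BA A4504600 mov edx, 004650A4
00405E14 8BC3 mov eax, ebx
00405E16 E8 C5DEFFFF call 00403CE0
00405E1B 5B pop ebx
00405E1C C3 retn
"""

VM_LISTING = """\
0082F4F8 68 F0E47D0D push 0D7DE4F0
0082F4FD ^ E9 1D1BE6FF jmp 0069101F
0082F502 CC int3
0082F503 68 C5E57D0D push 0D7DE5C5
0082F508 ^ E9 121BE6FF jmp 0069101F
0082F50D CC int3
0082F50E 68 FFE57D0D push 0D7DE5FF
0082F513 ^ E9 071BE6FF jmp 0069101F
0082F518 CC int3
0082F519 68 39E67D0D push 0D7DE639
0082F51E ^ E9 FC1AE6FF jmp 0069101F
"""

# First lines of the listing reached by the second breakpoint.
SECOND_BREAK_LISTING = """\
0046E94C 00E8 add al, ch
0046E94E EE out dx, al
0046E94F FFFF ??? ; unknown command
0046E951 83C5 02 add ebp, 2
0046E954 68 2BB175D5 push D575B12B
0046E959 60 pushad
0046E95A 9C pushfd
0046E95B C60424 CA mov byte ptr [esp], 0CA
"""

HEX_TOKEN = re.compile(r"^[0-9A-F:]+$")          # opcode bytes, e.g. 66:895C24
API_REF = re.compile(r"\b([A-Z0-9]+\.[A-Za-z_]\w*)\b")  # MODULE.Function


def parse_listing(text):
    """Return [(address, mnemonic, operands)] from an OllyDbg listing."""
    insns = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop the trailing comment
        if not line:
            continue
        tokens = line.split()
        addr = int(tokens[0], 16)
        i = 1
        # Skip the opcode-byte tokens and OllyDbg's "^" backward-jump marker;
        # mnemonics are lowercase, so they never match HEX_TOKEN.
        while i < len(tokens) and (tokens[i] == "^" or HEX_TOKEN.match(tokens[i])):
            i += 1
        insns.append((addr, tokens[i], " ".join(tokens[i + 1:])))
    return insns


def vm_entry_stubs(insns):
    """Find 'push imm32' immediately followed by 'jmp imm32' and group the
    pushed keys by jump target: {dispatcher: [(stub_addr, key), ...]}."""
    groups = defaultdict(list)
    for (addr, m1, ops1), (_, m2, ops2) in zip(insns, insns[1:]):
        if (m1 == "push" and m2 == "jmp"
                and re.fullmatch(r"[0-9A-F]{1,8}", ops1)
                and re.fullmatch(r"[0-9A-F]{8}", ops2)):
            groups[int(ops2, 16)].append((addr, int(ops1, 16)))
    return dict(groups)


def looks_misaligned(insns, window=4):
    """Heuristic (my assumption, not from the post): a listing whose first few
    lines contain an undecodable opcode or a privileged I/O instruction was
    most likely disassembled from a non-instruction boundary or from VM data,
    so the instructions shown there should not be read as real code."""
    return any(m in ("???", "in", "out") for _, m, _ in insns[:window])


def api_refs(text):
    """Collect MODULE.Function names that OllyDbg wrote into the comments."""
    found = []
    for raw in text.splitlines():
        if ";" in raw:
            for name in API_REF.findall(raw.split(";", 1)[1]):
                if name not in found:
                    found.append(name)
    return found


if __name__ == "__main__":
    for target, keys in vm_entry_stubs(parse_listing(VM_LISTING)).items():
        print(f"VM dispatcher {target:08X} reached from {len(keys)} stubs:")
        for stub, key in keys:
            print(f"  {stub:08X}: key {key:08X}")
    print("second breakpoint listing misaligned:",
          looks_misaligned(parse_listing(SECOND_BREAK_LISTING)))
    print("API references in the first listing:", api_refs(INIT_LISTING))
```

The point of the grouping is that every `push key / jmp 0069101F / int3` triple is the same trampoline with a different key, so the `retn` at 00405E1C is returning into VM-protected code rather than into plain Delphi code; the misalignment check is a reminder that a listing starting with `add al, ch` and `???` tells you nothing about where execution really is until the disassembler is resynchronised at a real instruction boundary.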