-
-
[求助]OllyDBG 出现怪问题
-
发表于: 2009-3-27 16:26
-
麻烦各位朋友帮我看看 
不知道怎么回事.我现在用OllyDBG不管打开什么程序.多小的程序.F9一运行都会出错.显示
不知道如何回避位于地址00c6E71的命令,请尝试更改 EIP 或忽略程序异常.
我看EIP出错都是因为中壳了.后他们才会出错的.为什么我也出错呢.
OllyDBG我都重新安装了.一运行还是出错.还不止安了一个版本
EIP是指令指针.
EIP错误是怎么回事.谁帮帮忙给讲解一下.也好让小弟我有个了解.
出错我截图了.我上传到临时空间了
http://www.live-share.com/files/385329/hello.jpg.html
http://www.live-share.com/files/385330/HelloMsg.exe.html
对了.能不能是我系统中毒了?总是出现内存不能读.
程序代码:
CPU Disasm
Address Hex dump Command Comments
00401000 /$ 6A 00 PUSH 0 ; /Type = MB_OK|MB_DEFBUTTON1|MB_APPLMODAL
00401002 |. 68 44504000 PUSH OFFSET HelloMsg.00405044 ; |Caption = "HelloMsg"
00401007 |. 68 30504000 PUSH OFFSET HelloMsg.00405030 ; |Text = "Hello, Windows 98!"
0040100C |. 6A 00 PUSH 0 ; |hOwner = NULL
0040100E |. FF15 94404000 CALL DWORD PTR DS:[<&USER32.MessageBoxA> ; \USER32.MessageBoxA
00401014 |. 33C0 XOR EAX,EAX
00401016 \. C2 1000 RETN 10
00401019 90 NOP
0040101A 90 NOP
0040101B 90 NOP
0040101C 90 NOP
0040101D 90 NOP
0040101E 90 NOP
0040101F 90 NOP
00401020 /. 55 PUSH EBP
00401021 |. 8BEC MOV EBP,ESP
00401023 |. 6A FF PUSH -1
00401025 |. 68 A0404000 PUSH OFFSET HelloMsg.004040A0
0040102A |. 68 541B4000 PUSH HelloMsg.00401B54
0040102F |. 64:A1 0000000 MOV EAX,DWORD PTR FS:[0]
00401035 |. 50 PUSH EAX
00401036 |. 64:8925 00000 MOV DWORD PTR FS:[0],ESP ; Installs SE handler 401B54
0040103D |. 83EC 58 SUB ESP,58
00401040 |. 53 PUSH EBX
00401041 |. 56 PUSH ESI
00401042 |. 57 PUSH EDI
00401043 |. 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP
00401046 |. FF15 14404000 CALL DWORD PTR DS:[<&KERNEL32.GetVersion ; [KERNEL32.GetVersion
0040104C |. 33D2 XOR EDX,EDX
0040104E |. 8AD4 MOV DL,AH
00401050 |. 8915 D4544000 MOV DWORD PTR DS:[4054D4],EDX
00401056 |. 8BC8 MOV ECX,EAX
00401058 |. 81E1 FF000000 AND ECX,000000FF
0040105E |. 890D D0544000 MOV DWORD PTR DS:[4054D0],ECX
00401064 |. C1E1 08 SHL ECX,8
00401067 |. 03CA ADD ECX,EDX
00401069 |. 890D CC544000 MOV DWORD PTR DS:[4054CC],ECX
0040106F |. C1E8 10 SHR EAX,10
00401072 |. A3 C8544000 MOV DWORD PTR DS:[4054C8],EAX
00401077 |. 33F6 XOR ESI,ESI
00401079 |. 56 PUSH ESI ; /Arg1 => 0
0040107A |. E8 A1090000 CALL 00401A20 ; \HelloMsg.00401A20
0040107F |. 59 POP ECX
00401080 |. 85C0 TEST EAX,EAX
00401082 |. 75 08 JNE SHORT 0040108C
00401084 |. 6A 1C PUSH 1C ; /Arg1 = 1C
00401086 |. E8 B0000000 CALL 0040113B ; \HelloMsg.0040113B
0040108B |. 59 POP ECX
0040108C |> 8975 FC MOV DWORD PTR SS:[EBP-4],ESI
0040108F |. E8 E1070000 CALL 00401875 ; [HelloMsg.00401875
00401094 |. FF15 10404000 CALL DWORD PTR DS:[<&KERNEL32.GetCommand ; [KERNEL32.GetCommandLineA
0040109A |. A3 D8594000 MOV DWORD PTR DS:[4059D8],EAX
0040109F |. E8 9F060000 CALL 00401743 ; [HelloMsg.00401743
004010A4 |. A3 B0544000 MOV DWORD PTR DS:[4054B0],EAX
004010A9 |. E8 48040000 CALL 004014F6 ; [HelloMsg.004014F6
004010AE |. E8 8A030000 CALL 0040143D ; [HelloMsg.0040143D
004010B3 |. E8 A7000000 CALL 0040115F ; [HelloMsg.0040115F
004010B8 |. 8975 D0 MOV DWORD PTR SS:[EBP-30],ESI
004010BB |. 8D45 A4 LEA EAX,[EBP-5C]
004010BE |. 50 PUSH EAX ; /pStartupinfo
004010BF |. FF15 0C404000 CALL DWORD PTR DS:[<&KERNEL32.GetStartup ; \KERNEL32.GetStartupInfoA
004010C5 |. E8 1B030000 CALL 004013E5 ; [HelloMsg.004013E5
004010CA |. 8945 9C MOV DWORD PTR SS:[EBP-64],EAX
004010CD |. F645 D0 01 TEST BYTE PTR SS:[EBP-30],01
004010D1 |. 74 06 JE SHORT 004010D9
004010D3 |. 0FB745 D4 MOVZX EAX,WORD PTR SS:[EBP-2C]
004010D7 |. EB 03 JMP SHORT 004010DC
004010D9 |> 6A 0A PUSH 0A
004010DB |. 58 POP EAX
004010DC |> 50 PUSH EAX ; /Arg4
004010DD |. FF75 9C PUSH DWORD PTR SS:[EBP-64] ; |Arg3
004010E0 |. 56 PUSH ESI ; |Arg2
004010E1 |. 56 PUSH ESI ; |/ModuleName
004010E2 |. FF15 08404000 CALL DWORD PTR DS:[<&KERNEL32.GetModuleH ; |\KERNEL32.GetModuleHandleA
004010E8 |. 50 PUSH EAX ; |Arg1
004010E9 |. E8 12FFFFFF CALL 00401000 ; \HelloMsg.00401000
004010EE |. 8945 A0 MOV DWORD PTR SS:[EBP-60],EAX
004010F1 |. 50 PUSH EAX
004010F2 |. E8 95000000 CALL 0040118C
004010F7 |. 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
004010FA |. 8B08 MOV ECX,DWORD PTR DS:[EAX]
004010FC |. 8B09 MOV ECX,DWORD PTR DS:[ECX]
004010FE |. 894D 98 MOV DWORD PTR SS:[EBP-68],ECX
00401101 |. 50 PUSH EAX
00401102 |. 51 PUSH ECX
00401103 |. E8 59010000 CALL 00401261
00401108 |. 59 POP ECX
00401109 |. 59 POP ECX
0040110A \. C3 RETN
不知道怎么回事.我现在用OllyDBG不管打开什么程序.多小的程序.F9一运行都会出错.显示
不知道如何回避位于地址00c6E71的命令,请尝试更改 EIP 或忽略程序异常.
我看EIP出错都是因为中壳了.后他们才会出错的.为什么我也出错呢.
OllyDBG我都重新安装了.一运行还是出错.还不止安了一个版本
EIP是指令指针.
EIP错误是怎么回事.谁帮帮忙给讲解一下.也好让小弟我有个了解.
出错我截图了.我上传到临时空间了
http://www.live-share.com/files/385329/hello.jpg.html
http://www.live-share.com/files/385330/HelloMsg.exe.html
对了.能不能是我系统中毒了?总是出现内存不能读.
程序代码:
CPU Disasm
Address Hex dump Command Comments
00401000 /$ 6A 00 PUSH 0 ; /Type = MB_OK|MB_DEFBUTTON1|MB_APPLMODAL
00401002 |. 68 44504000 PUSH OFFSET HelloMsg.00405044 ; |Caption = "HelloMsg"
00401007 |. 68 30504000 PUSH OFFSET HelloMsg.00405030 ; |Text = "Hello, Windows 98!"
0040100C |. 6A 00 PUSH 0 ; |hOwner = NULL
0040100E |. FF15 94404000 CALL DWORD PTR DS:[<&USER32.MessageBoxA> ; \USER32.MessageBoxA
00401014 |. 33C0 XOR EAX,EAX
00401016 \. C2 1000 RETN 10
00401019 90 NOP
0040101A 90 NOP
0040101B 90 NOP
0040101C 90 NOP
0040101D 90 NOP
0040101E 90 NOP
0040101F 90 NOP
00401020 /. 55 PUSH EBP
00401021 |. 8BEC MOV EBP,ESP
00401023 |. 6A FF PUSH -1
00401025 |. 68 A0404000 PUSH OFFSET HelloMsg.004040A0
0040102A |. 68 541B4000 PUSH HelloMsg.00401B54
0040102F |. 64:A1 0000000 MOV EAX,DWORD PTR FS:[0]
00401035 |. 50 PUSH EAX
00401036 |. 64:8925 00000 MOV DWORD PTR FS:[0],ESP ; Installs SE handler 401B54
0040103D |. 83EC 58 SUB ESP,58
00401040 |. 53 PUSH EBX
00401041 |. 56 PUSH ESI
00401042 |. 57 PUSH EDI
00401043 |. 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP
00401046 |. FF15 14404000 CALL DWORD PTR DS:[<&KERNEL32.GetVersion ; [KERNEL32.GetVersion
0040104C |. 33D2 XOR EDX,EDX
0040104E |. 8AD4 MOV DL,AH
00401050 |. 8915 D4544000 MOV DWORD PTR DS:[4054D4],EDX
00401056 |. 8BC8 MOV ECX,EAX
00401058 |. 81E1 FF000000 AND ECX,000000FF
0040105E |. 890D D0544000 MOV DWORD PTR DS:[4054D0],ECX
00401064 |. C1E1 08 SHL ECX,8
00401067 |. 03CA ADD ECX,EDX
00401069 |. 890D CC544000 MOV DWORD PTR DS:[4054CC],ECX
0040106F |. C1E8 10 SHR EAX,10
00401072 |. A3 C8544000 MOV DWORD PTR DS:[4054C8],EAX
00401077 |. 33F6 XOR ESI,ESI
00401079 |. 56 PUSH ESI ; /Arg1 => 0
0040107A |. E8 A1090000 CALL 00401A20 ; \HelloMsg.00401A20
0040107F |. 59 POP ECX
00401080 |. 85C0 TEST EAX,EAX
00401082 |. 75 08 JNE SHORT 0040108C
00401084 |. 6A 1C PUSH 1C ; /Arg1 = 1C
00401086 |. E8 B0000000 CALL 0040113B ; \HelloMsg.0040113B
0040108B |. 59 POP ECX
0040108C |> 8975 FC MOV DWORD PTR SS:[EBP-4],ESI
0040108F |. E8 E1070000 CALL 00401875 ; [HelloMsg.00401875
00401094 |. FF15 10404000 CALL DWORD PTR DS:[<&KERNEL32.GetCommand ; [KERNEL32.GetCommandLineA
0040109A |. A3 D8594000 MOV DWORD PTR DS:[4059D8],EAX
0040109F |. E8 9F060000 CALL 00401743 ; [HelloMsg.00401743
004010A4 |. A3 B0544000 MOV DWORD PTR DS:[4054B0],EAX
004010A9 |. E8 48040000 CALL 004014F6 ; [HelloMsg.004014F6
004010AE |. E8 8A030000 CALL 0040143D ; [HelloMsg.0040143D
004010B3 |. E8 A7000000 CALL 0040115F ; [HelloMsg.0040115F
004010B8 |. 8975 D0 MOV DWORD PTR SS:[EBP-30],ESI
004010BB |. 8D45 A4 LEA EAX,[EBP-5C]
004010BE |. 50 PUSH EAX ; /pStartupinfo
004010BF |. FF15 0C404000 CALL DWORD PTR DS:[<&KERNEL32.GetStartup ; \KERNEL32.GetStartupInfoA
004010C5 |. E8 1B030000 CALL 004013E5 ; [HelloMsg.004013E5
004010CA |. 8945 9C MOV DWORD PTR SS:[EBP-64],EAX
004010CD |. F645 D0 01 TEST BYTE PTR SS:[EBP-30],01
004010D1 |. 74 06 JE SHORT 004010D9
004010D3 |. 0FB745 D4 MOVZX EAX,WORD PTR SS:[EBP-2C]
004010D7 |. EB 03 JMP SHORT 004010DC
004010D9 |> 6A 0A PUSH 0A
004010DB |. 58 POP EAX
004010DC |> 50 PUSH EAX ; /Arg4
004010DD |. FF75 9C PUSH DWORD PTR SS:[EBP-64] ; |Arg3
004010E0 |. 56 PUSH ESI ; |Arg2
004010E1 |. 56 PUSH ESI ; |/ModuleName
004010E2 |. FF15 08404000 CALL DWORD PTR DS:[<&KERNEL32.GetModuleH ; |\KERNEL32.GetModuleHandleA
004010E8 |. 50 PUSH EAX ; |Arg1
004010E9 |. E8 12FFFFFF CALL 00401000 ; \HelloMsg.00401000
004010EE |. 8945 A0 MOV DWORD PTR SS:[EBP-60],EAX
004010F1 |. 50 PUSH EAX
004010F2 |. E8 95000000 CALL 0040118C
004010F7 |. 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
004010FA |. 8B08 MOV ECX,DWORD PTR DS:[EAX]
004010FC |. 8B09 MOV ECX,DWORD PTR DS:[ECX]
004010FE |. 894D 98 MOV DWORD PTR SS:[EBP-68],ECX
00401101 |. 50 PUSH EAX
00401102 |. 51 PUSH ECX
00401103 |. E8 59010000 CALL 00401261
00401108 |. 59 POP ECX
00401109 |. 59 POP ECX
0040110A \. C3 RETN
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
|
|
|---|---|
|
|
|
|
|
谢谢回答.我大概明白了.
|
|
|
|
