As the title says.
After OD loads the program, this is where it stops:
00401400 >/$ 55 push ebp
00401401 |. 8BEC mov ebp, esp
00401403 |. 6A FF push -1
00401405 |. 68 B8214200 push 004221B8
0040140A |. 68 04564000 push 00405604 ; SE handler installation
0040140F |. 64:A1 0000000>mov eax, dword ptr fs:[0]
00401415 |. 50 push eax
00401416 |. 64:8925 00000>mov dword ptr fs:[0], esp
0040141D |. 83C4 F0 add esp, -10
00401420 |. 53 push ebx
00401421 |. 56 push esi
00401422 |. 57 push edi
00401423 |. 8965 E8 mov dword ptr [ebp-18], esp
00401426 |. FF15 40714200 call dword ptr [<&KERNEL32.GetVersion>] ; kernel32.GetVersion
0040142C |. A3 08564200 mov dword ptr [425608], eax
00401431 |. A1 08564200 mov eax, dword ptr [425608]
00401436 |. C1E8 08 shr eax, 8
00401439 |. 25 FF000000 and eax, 0FF
0040143E |. A3 14564200 mov dword ptr [425614], eax
00401443 |. 8B0D 08564200 mov ecx, dword ptr [425608]
00401449 |. 81E1 FF000000 and ecx, 0FF
0040144F |. 890D 10564200 mov dword ptr [425610], ecx
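I don't know what this code is for; it isn't from my own program. How can I locate the program's real starting point? For example, how do I get to main(), or where should I start analyzing from?
Please advise!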