英语口语对话王 2004 B0402
www.coolboo.com
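Packed with UPX, with anti-debugging
Unpacked with ProDump, using its unpack function
Written in Delphi
First, remove the anti-tracing protection
Initial tracing shows that the program exits at 005359F5 CALL 0044EC70
Stepping into that call and tracing further, the program exits at the following location: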
00447E1E /74 0F JE SHORT DUMP.00447E2F
00447E20 |E8 03B6FBFF CALL DUMP.00403428------------->stepping over this call exits the program
Step into ----------->
0040342B FF52 E4 CALL DWORD PTR DS:[EDX-1C] DUMP.00447E38--->stepping over this call exits the program
Step into ----------->
00447E43 /75 0A JNZ SHORT DUMP.00447E4F
00447E45 |8BC6 MOV EAX,ESI
00447E47 |8B10 MOV EDX,DWORD PTR DS:[EAX]
00447E49 |FF92 C0000000 CALL DWORD PTR DS:[EDX+C0] DUMP.0044811C--->stepping over this call exits the program
00447E4F \F686 CC020000 2>TEST BYTE PTR DS:[ESI+2CC],20
00447E56 74 12 JE SHORT DUMP.00447E6A
00447E58 8BC6 MOV EAX,ESI
00447E5A 66:BB B6FF MOV BX,0FFB6
00447E5E E8 09B4FBFF CALL DUMP.0040326C
00447E63 80A6 CC020000 D>AND BYTE PTR DS:[ESI+2CC],0DF
00447E6A 5E POP ESI
00447E6B 5B POP EBX
00447E6C C3 RETN
Step into ---------->
00448131 /74 41 JE SHORT DUMP.00448174
00448133 |33C0 XOR EAX,EAX
00448135 |55 PUSH EBP
00448136 |68 5D814400 PUSH DUMP.0044815D
0044813B |64:FF30 PUSH DWORD PTR FS:[EAX]
0044813E |64:8920 MOV DWORD PTR FS:[EAX],ESP
00448141 |8B5D FC MOV EBX,DWORD PTR SS:[EBP-4]
00448144 |8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
00448147 |8B83 BC020000 MOV EAX,DWORD PTR DS:[EBX+2BC]
0044814D |FF93 B8020000 CALL DWORD PTR DS:[EBX+2B8] DUMP.0051D880------->stepping over this call exits the program
00448153 |33C0 XOR EAX,EAX
00448155 |5A POP EDX
00448156 |59 POP ECX
00448157 |59 POP ECX
00448158 |64:8910 MOV DWORD PTR FS:[EAX],EDX
0044815B |EB 17 JMP SHORT DUMP.00448174
0044815D ^|E9 DAB3FBFF JMP DUMP.0040353C
00448162 |8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
00448165 |A1 D4B75300 MOV EAX,DWORD PTR DS:[53B7D4]
0044816A |E8 496C0000 CALL DUMP.0044EDB8
0044816F |E8 24B7FBFF CALL DUMP.00403898
00448174 \8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00448177 F680 CC020000 0>TEST BYTE PTR DS:[EAX+2CC],2
0044817E 74 0A JE SHORT DUMP.0044818A
00448180 B2 01 MOV DL,1
00448182 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00448185 E8 EA080000 CALL DUMP.00448A74
0044818A 5F POP EDI
0044818B 5E POP ESI
0044818C 5B POP EBX
0044818D 59 POP ECX
0044818E 5D POP EBP
0044818F C3 RETN
Step into --------------->
0051D880 /. 55 PUSH EBP
0051D881 |. 8BEC MOV EBP,ESP
0051D883 |. 6A 00 PUSH 0
0051D885 |. 6A 00 PUSH 0
0051D887 |. 6A 00 PUSH 0
0051D889 |. 53 PUSH EBX
0051D88A |. 56 PUSH ESI
0051D88B |. 57 PUSH EDI
0051D88C |. 8BD8 MOV EBX,EAX
0051D88E |. BF 00EB5300 MOV EDI,DUMP.0053EB00
0051D893 |. 33C0 XOR EAX,EAX
0051D895 |. 55 PUSH EBP
0051D896 |. 68 20DD5100 PUSH DUMP.0051DD20
0051D89B |. 64:FF30 PUSH DWORD PTR FS:[EAX]
0051D89E |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
0051D8A1 |. 6A 00 PUSH 0 ; /lParam = 0---------------->this call is the culprit [0x11CEA1]
0051D8A3 |. 68 A8BC5100 PUSH DUMP.0051BCA8 ; |Callback = DUMP.0051BCA8
0051D8A8 |. E8 179BEEFF CALL <JMP.&USER32.EnumWindows> ; \EnumWindows
0051D8AD |. 8D55 F8 LEA EDX,DWORD PTR SS:[EBP-8]
0051D8B0 |. A1 9C9F5300 MOV EAX,DWORD PTR DS:[539F9C]
0051D8B5 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
0051D8B7 |. E8 FC18F3FF CALL DUMP.0044F1B8
0051D8BC |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
0051D8BF |. 8D55 FC LEA EDX,DWORD PTR SS:[EBP-4]
0051D8C2 |. E8 FDB8EEFF CALL DUMP.004091C4
0051D8C7 |. 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
0051D8CA |. 8D83 F8020000 LEA EAX,DWORD PTR DS:[EBX+2F8]
0051D8D0 |. E8 D764EEFF CALL DUMP.00403DAC
0051D8D5 |. C683 1C030000>MOV BYTE PTR DS:[EBX+31C],1
0051D8DC |. 8BCB MOV ECX,EBX
0051D8DE |. B2 01 MOV DL,1
0051D8E0 |. A1 E0534200 MOV EAX,DWORD PTR DS:[4253E0]
0051D8E5 |. E8 9EABF0FF CALL DUMP.00428488
0051D8EA |. 8BF0 MOV ESI,EAX
0051D8EC |. 89B3 10030000 MOV DWORD PTR DS:[EBX+310],ESI
0051D8F2 |. 8B17 MOV EDX,DWORD PTR DS:[EDI]
0051D8F4 |. 8BC6 MOV EAX,ESI
0051D8F6 |. 8B08 MOV ECX,DWORD PTR DS:[EAX]
0051D8F8 |. FF51 60 CALL DWORD PTR DS:[ECX+60]
0051D8FB |. 8B83 D0020000 MOV EAX,DWORD PTR DS:[EBX+2D0]
0051D901 |. 8B50 30 MOV EDX,DWORD PTR DS:[EAX+30]
0051D904 |. 8BC6 MOV EAX,ESI
0051D906 |. E8 9927F1FF CALL DUMP.004300A4
0051D90B |. 8B83 D0020000 MOV EAX,DWORD PTR DS:[EBX+2D0]
0051D911 |. 8B50 34 MOV EDX,DWORD PTR DS:[EAX+34]
0051D914 |. 8BC6 MOV EAX,ESI
0051D916 |. E8 A927F1FF CALL DUMP.004300C4
0051D91B |. B2 01 MOV DL,1
0051D91D |. 8BC6 MOV EAX,ESI
0051D91F |. E8 782EF1FF CALL DUMP.0043079C
0051D924 |. 8B15 E4A05300 MOV EDX,DWORD PTR DS:[53A0E4]
0051D92A |. 8B92 6C020000 MOV EDX,DWORD PTR DS:[EDX+26C]
0051D930 |. 8BC6 MOV EAX,ESI
0051D932 |. E8 7D2FF1FF CALL DUMP.004308B4
0051D937 |. 33C0 XOR EAX,EAX
0051D939 |. 8946 0C MOV DWORD PTR DS:[ESI+C],EAX
0051D93C |. B2 01 MOV DL,1
0051D93E |. 8BC6 MOV EAX,ESI
0051D940 |. E8 7FAFF0FF CALL DUMP.004288C4
0051D945 |. 8BCB MOV ECX,EBX
0051D947 |. B2 01 MOV DL,1
0051D949 |. A1 E0534200 MOV EAX,DWORD PTR DS:[4253E0]
0051D94E |. E8 35ABF0FF CALL DUMP.00428488
0051D953 |. 8BF0 MOV ESI,EAX
0051D955 |. 89B3 14030000 MOV DWORD PTR DS:[EBX+314],ESI
0051D95B |. 8B17 MOV EDX,DWORD PTR DS:[EDI]
0051D95D |. 8BC6 MOV EAX,ESI
0051D95F |. 8B08 MOV ECX,DWORD PTR DS:[EAX]
0051D961 |. FF51 60 CALL DWORD PTR DS:[ECX+60]
0051D964 |. 8B83 D4020000 MOV EAX,DWORD PTR DS:[EBX+2D4]
0051D96A |. 8B50 30 MOV EDX,DWORD PTR DS:[EAX+30]
0051D96D |. 8BC6 MOV EAX,ESI
0051D96F |. E8 3027F1FF CALL DUMP.004300A4
0051D974 |. 8B83 D4020000 MOV EAX,DWORD PTR DS:[EBX+2D4]
0051D97A |. 8B50 34 MOV EDX,DWORD PTR DS:[EAX+34]
0051D97D |. 8BC6 MOV EAX,ESI
0051D97F |. E8 4027F1FF CALL DUMP.004300C4
0051D984 |. 8B46 58 MOV EAX,DWORD PTR DS:[ESI+58]
0051D987 |. BA 0000A000 MOV EDX,0A00000
0051D98C |. E8 FBD3EFFF CALL DUMP.0041AD8C
0051D991 |. B2 01 MOV DL,1
0051D993 |. 8BC6 MOV EAX,ESI
0051D995 |. E8 022EF1FF CALL DUMP.0043079C
0051D99A |. 8B15 E4A05300 MOV EDX,DWORD PTR DS:[53A0E4]
0051D9A0 |. 8B92 70020000 MOV EDX,DWORD PTR DS:[EDX+270]
0051D9A6 |. 8BC6 MOV EAX,ESI
0051D9A8 |. E8 072FF1FF CALL DUMP.004308B4
0051D9AD |. 33C0 XOR EAX,EAX
0051D9AF |. 8946 0C MOV DWORD PTR DS:[ESI+C],EAX
0051D9B2 |. B2 01 MOV DL,1
0051D9B4 |. 8BC6 MOV EAX,ESI
0051D9B6 |. E8 09AFF0FF CALL DUMP.004288C4
0051D9BB |. 8BCB MOV ECX,EBX
0051D9BD |. B2 01 MOV DL,1
0051D9BF |. A1 28825100 MOV EAX,DWORD PTR DS:[518228]
0051D9C4 |. E8 FBABFFFF CALL DUMP.005185C4
0051D9C9 |. 8BF0 MOV ESI,EAX
0051D9CB |. 89B3 0C030000 MOV DWORD PTR DS:[EBX+30C],ESI
0051D9D1 |. 8B17 MOV EDX,DWORD PTR DS:[EDI]
0051D9D3 |. 8BC6 MOV EAX,ESI
0051D9D5 |. 8B08 MOV ECX,DWORD PTR DS:[EAX]
0051D9D7 |. FF51 60 CALL DWORD PTR DS:[ECX+60]
0051D9DA |. 8B83 D8020000 MOV EAX,DWORD PTR DS:[EBX+2D8]
0051D9E0 |. 8B50 30 MOV EDX,DWORD PTR DS:[EAX+30]
0051D9E3 |. 8BC6 MOV EAX,ESI
0051D9E5 |. E8 BA26F1FF CALL DUMP.004300A4
0051D9EA |. 8B83 D8020000 MOV EAX,DWORD PTR DS:[EBX+2D8]
0051D9F0 |. 8B50 34 MOV EDX,DWORD PTR DS:[EAX+34]
0051D9F3 |. 8BC6 MOV EAX,ESI
0051D9F5 |. E8 CA26F1FF CALL DUMP.004300C4
0051D9FA |. 8B83 D8020000 MOV EAX,DWORD PTR DS:[EBX+2D8]
0051DA00 |. 8B50 3C MOV EDX,DWORD PTR DS:[EAX+3C]
0051DA03 |. 8BC6 MOV EAX,ESI
0051DA05 |. E8 FE26F1FF CALL DUMP.00430108
0051DA0A |. 8B83 D8020000 MOV EAX,DWORD PTR DS:[EBX+2D8]
0051DA10 |. 8B50 38 MOV EDX,DWORD PTR DS:[EAX+38]
0051DA13 |. 8BC6 MOV EAX,ESI
0051DA15 |. E8 CE26F1FF CALL DUMP.004300E8
0051DA1A |. B2 01 MOV DL,1
0051DA1C |. 8BC6 MOV EAX,ESI
0051DA1E |. E8 792DF1FF CALL DUMP.0043079C
0051DA23 |. B2 01 MOV DL,1
0051DA25 |. 8BC6 MOV EAX,ESI
0051DA27 |. E8 8CB2FFFF CALL DUMP.00518CB8
0051DA2C |. BA FFFFFF00 MOV EDX,0FFFFFF
0051DA31 |. 8BC6 MOV EAX,ESI
0051DA33 |. E8 60B0FFFF CALL DUMP.00518A98
0051DA38 |. BA FF800000 MOV EDX,80FF
0051DA3D |. 8BC6 MOV EAX,ESI
0051DA3F |. E8 68B0FFFF CALL DUMP.00518AAC
0051DA44 |. BA FFFF0000 MOV EDX,0FFFF
0051DA49 |. 8BC6 MOV EAX,ESI
0051DA4B |. E8 90B0FFFF CALL DUMP.00518AE0
0051DA50 |. BA 14000000 MOV EDX,14
0051DA55 |. 8BC6 MOV EAX,ESI
0051DA57 |. E8 50B1FFFF CALL DUMP.00518BAC
0051DA5C |. BA 01000000 MOV EDX,1
0051DA61 |. 8BC6 MOV EAX,ESI
0051DA63 |. E8 18B1FFFF CALL DUMP.00518B80
0051DA68 |. B2 01 MOV DL,1
0051DA6A |. 8BC6 MOV EAX,ESI
0051DA6C |. E8 2B2DF1FF CALL DUMP.0043079C
0051DA71 |. 8BCB MOV ECX,EBX
0051DA73 |. B2 01 MOV DL,1
0051DA75 |. A1 4C024A00 MOV EAX,DWORD PTR DS:[4A024C]
0051DA7A |. E8 95B5F8FF CALL DUMP.004A9014
0051DA7F |. 8BF0 MOV ESI,EAX
0051DA81 |. 89B3 FC020000 MOV DWORD PTR DS:[EBX+2FC],ESI
0051DA87 |. 8B17 MOV EDX,DWORD PTR DS:[EDI]
0051DA89 |. 8BC6 MOV EAX,ESI
0051DA8B |. 8B08 MOV ECX,DWORD PTR DS:[EAX]
0051DA8D |. FF51 60 CALL DWORD PTR DS:[ECX+60]
0051DA90 |. 8B83 DC020000 MOV EAX,DWORD PTR DS:[EBX+2DC]
0051DA96 |. 8B50 30 MOV EDX,DWORD PTR DS:[EAX+30]
0051DA99 |. 8BC6 MOV EAX,ESI
0051DA9B |. E8 0426F1FF CALL DUMP.004300A4
0051DAA0 |. 8B83 DC020000 MOV EAX,DWORD PTR DS:[EBX+2DC]
0051DAA6 |. 8B50 34 MOV EDX,DWORD PTR DS:[EAX+34]
0051DAA9 |. 8BC6 MOV EAX,ESI
0051DAAB |. E8 1426F1FF CALL DUMP.004300C4
0051DAB0 |. 8B83 DC020000 MOV EAX,DWORD PTR DS:[EBX+2DC]
0051DAB6 |. 8B50 3C MOV EDX,DWORD PTR DS:[EAX+3C]
0051DAB9 |. 8BC6 MOV EAX,ESI
0051DABB |. E8 4826F1FF CALL DUMP.00430108
0051DAC0 |. 8B83 DC020000 MOV EAX,DWORD PTR DS:[EBX+2DC]
0051DAC6 |. 8B50 38 MOV EDX,DWORD PTR DS:[EAX+38]
0051DAC9 |. 8BC6 MOV EAX,ESI
0051DACB |. E8 1826F1FF CALL DUMP.004300E8
0051DAD0 |. 8B15 E4A05300 MOV EDX,DWORD PTR DS:[53A0E4]
0051DAD6 |. 8B92 74020000 MOV EDX,DWORD PTR DS:[EDX+274]
0051DADC |. 8BC6 MOV EAX,ESI
0051DADE |. E8 D12DF1FF CALL DUMP.004308B4
0051DAE3 |. B2 01 MOV DL,1
0051DAE5 |. 8BC6 MOV EAX,ESI
0051DAE7 |. E8 B02CF1FF CALL DUMP.0043079C
0051DAEC |. B2 01 MOV DL,1
0051DAEE |. 8BC6 MOV EAX,ESI
0051DAF0 |. 8B08 MOV ECX,DWORD PTR DS:[EAX]
0051DAF2 |. FF51 5C CALL DWORD PTR DS:[ECX+5C]
0051DAF5 |. 33C0 XOR EAX,EAX
0051DAF7 |. 8986 E8020000 MOV DWORD PTR DS:[ESI+2E8],EAX
0051DAFD |. 8986 EC020000 MOV DWORD PTR DS:[ESI+2EC],EAX
0051DB03 |. 8B93 EC020000 MOV EDX,DWORD PTR DS:[EBX+2EC]
0051DB09 |. 8BC6 MOV EAX,ESI
0051DB0B |. 8B08 MOV ECX,DWORD PTR DS:[EAX] ; DUMP.0051B954
0051DB0D |. FF91 C0000000 CALL DWORD PTR DS:[ECX+C0]
0051DB13 |. 6A 00 PUSH 0 ; /lParam = 0---------------->this call is the culprit [0x11D113]
0051DB15 |. 68 A8BC5100 PUSH DUMP.0051BCA8 ; |Callback = DUMP.0051BCA8
0051DB1A |. E8 A598EEFF CALL <JMP.&USER32.EnumWindows> ; \EnumWindows
0051DB1F |. 8BCB MOV ECX,EBX
0051DB21 |. B2 01 MOV DL,1
0051DB23 |. A1 4C024A00 MOV EAX,DWORD PTR DS:[4A024C]
0051DB28 |. E8 E7B4F8FF CALL DUMP.004A9014
0051DB2D |. 8BF0 MOV ESI,EAX
0051DB2F |. 89B3 00030000 MOV DWORD PTR DS:[EBX+300],ESI
0051DB35 |. 8B17 MOV EDX,DWORD PTR DS:[EDI]
0051DB37 |. 8BC6 MOV EAX,ESI
0051DB39 |. 8B08 MOV ECX,DWORD PTR DS:[EAX]
0051DB3B |. FF51 60 CALL DWORD PTR DS:[ECX+60]
0051DB3E |. 8B83 E0020000 MOV EAX,DWORD PTR DS:[EBX+2E0]
0051DB44 |. 8B50 30 MOV EDX,DWORD PTR DS:[EAX+30]
0051DB47 |. 8BC6 MOV EAX,ESI
0051DB49 |. E8 5625F1FF CALL DUMP.004300A4
0051DB4E |. 8B83 E0020000 MOV EAX,DWORD PTR DS:[EBX+2E0]
0051DB54 |. 8B50 34 MOV EDX,DWORD PTR DS:[EAX+34]
0051DB57 |. 8BC6 MOV EAX,ESI
0051DB59 |. E8 6625F1FF CALL DUMP.004300C4
0051DB5E |. 8B83 E0020000 MOV EAX,DWORD PTR DS:[EBX+2E0]
0051DB64 |. 8B50 3C MOV EDX,DWORD PTR DS:[EAX+3C]
0051DB67 |. 8BC6 MOV EAX,ESI
0051DB69 |. E8 9A25F1FF CALL DUMP.00430108
0051DB6E |. 8B83 E0020000 MOV EAX,DWORD PTR DS:[EBX+2E0]
0051DB74 |. 8B50 38 MOV EDX,DWORD PTR DS:[EAX+38]
0051DB77 |. 8BC6 MOV EAX,ESI
0051DB79 |. E8 6A25F1FF CALL DUMP.004300E8
0051DB7E |. 8B15 E4A05300 MOV EDX,DWORD PTR DS:[53A0E4]
0051DB84 |. 8B92 78020000 MOV EDX,DWORD PTR DS:[EDX+278]
0051DB8A |. 8BC6 MOV EAX,ESI
0051DB8C |. E8 232DF1FF CALL DUMP.004308B4
0051DB91 |. 33D2 XOR EDX,EDX
0051DB93 |. 8BC6 MOV EAX,ESI
0051DB95 |. E8 022CF1FF CALL DUMP.0043079C
0051DB9A |. 33D2 XOR EDX,EDX
0051DB9C |. 8BC6 MOV EAX,ESI
0051DB9E |. 8B08 MOV ECX,DWORD PTR DS:[EAX]
0051DBA0 |. FF51 5C CALL DWORD PTR DS:[ECX+5C]
0051DBA3 |. 33C0 XOR EAX,EAX
0051DBA5 |. 8986 E8020000 MOV DWORD PTR DS:[ESI+2E8],EAX
0051DBAB |. 8986 EC020000 MOV DWORD PTR DS:[ESI+2EC],EAX
0051DBB1 |. 8B93 EC020000 MOV EDX,DWORD PTR DS:[EBX+2EC]
0051DBB7 |. 8BC6 MOV EAX,ESI
0051DBB9 |. 8B08 MOV ECX,DWORD PTR DS:[EAX]
0051DBBB |. FF91 C0000000 CALL DWORD PTR DS:[ECX+C0]
0051DBC1 |. B2 01 MOV DL,1
0051DBC3 |. 8BC6 MOV EAX,ESI
0051DBC5 |. E8 2A90F1FF CALL DUMP.00436BF4
0051DBCA |. 33D2 XOR EDX,EDX
0051DBCC |. 8BC6 MOV EAX,ESI
0051DBCE |. E8 0990F1FF CALL DUMP.00436BDC
0051DBD3 |. 8BCB MOV ECX,EBX
0051DBD5 |. B2 01 MOV DL,1
0051DBD7 |. A1 4C024A00 MOV EAX,DWORD PTR DS:[4A024C]
0051DBDC |. E8 33B4F8FF CALL DUMP.004A9014
0051DBE1 |. 8BF0 MOV ESI,EAX
0051DBE3 |. 89B3 04030000 MOV DWORD PTR DS:[EBX+304],ESI
0051DBE9 |. 8B17 MOV EDX,DWORD PTR DS:[EDI]
0051DBEB |. 8BC6 MOV EAX,ESI
0051DBED |. 8B08 MOV ECX,DWORD PTR DS:[EAX]
0051DBEF |. FF51 60 CALL DWORD PTR DS:[ECX+60]
0051DBF2 |. 8B83 E4020000 MOV EAX,DWORD PTR DS:[EBX+2E4]
0051DBF8 |. 8B50 30 MOV EDX,DWORD PTR DS:[EAX+30]
0051DBFB |. 8BC6 MOV EAX,ESI
0051DBFD |. E8 A224F1FF CALL DUMP.004300A4
0051DC02 |. 8B83 E4020000 MOV EAX,DWORD PTR DS:[EBX+2E4]
0051DC08 |. 8B50 34 MOV EDX,DWORD PTR DS:[EAX+34]
0051DC0B |. 8BC6 MOV EAX,ESI
0051DC0D |. E8 B224F1FF CALL DUMP.004300C4
0051DC12 |. 8B83 E4020000 MOV EAX,DWORD PTR DS:[EBX+2E4]
0051DC18 |. 8B50 3C MOV EDX,DWORD PTR DS:[EAX+3C]
0051DC1B |. 8BC6 MOV EAX,ESI
0051DC1D |. E8 E624F1FF CALL DUMP.00430108
0051DC22 |. 8B83 E4020000 MOV EAX,DWORD PTR DS:[EBX+2E4]
0051DC28 |. 8B50 38 MOV EDX,DWORD PTR DS:[EAX+38]
0051DC2B |. 8BC6 MOV EAX,ESI
0051DC2D |. E8 B624F1FF CALL DUMP.004300E8
0051DC32 |. 8B15 E4A05300 MOV EDX,DWORD PTR DS:[53A0E4]
0051DC38 |. 8B92 7C020000 MOV EDX,DWORD PTR DS:[EDX+27C]
0051DC3E |. 8BC6 MOV EAX,ESI
0051DC40 |. E8 6F2CF1FF CALL DUMP.004308B4
0051DC45 |. B2 01 MOV DL,1
0051DC47 |. 8BC6 MOV EAX,ESI
0051DC49 |. E8 4E2BF1FF CALL DUMP.0043079C
0051DC4E |. B2 01 MOV DL,1
0051DC50 |. 8BC6 MOV EAX,ESI
0051DC52 |. 8B08 MOV ECX,DWORD PTR DS:[EAX]
0051DC54 |. FF51 5C CALL DWORD PTR DS:[ECX+5C]
0051DC57 |. 899E EC020000 MOV DWORD PTR DS:[ESI+2EC],EBX
0051DC5D |. C786 E8020000>MOV DWORD PTR DS:[ESI+2E8],DUMP.0051CFA8
0051DC67 |. 8B93 EC020000 MOV EDX,DWORD PTR DS:[EBX+2EC]
0051DC6D |. 8BC6 MOV EAX,ESI
0051DC6F |. 8B08 MOV ECX,DWORD PTR DS:[EAX]
0051DC71 |. FF91 C0000000 CALL DWORD PTR DS:[ECX+C0]
0051DC77 |. B2 01 MOV DL,1
0051DC79 |. 8BC6 MOV EAX,ESI
0051DC7B |. E8 748FF1FF CALL DUMP.00436BF4
0051DC80 |. 66:BA 0100 MOV DX,1
0051DC84 |. 8BC6 MOV EAX,ESI
0051DC86 |. E8 518FF1FF CALL DUMP.00436BDC
0051DC8B |. 8B93 08030000 MOV EDX,DWORD PTR DS:[EBX+308]
0051DC91 |. 8B83 0C030000 MOV EAX,DWORD PTR DS:[EBX+30C]
0051DC97 |. E8 60AFFFFF CALL DUMP.00518BFC
0051DC9C |. 8B07 MOV EAX,DWORD PTR DS:[EDI]
0051DC9E |. 8998 7C020000 MOV DWORD PTR DS:[EAX+27C],EBX
0051DCA4 |. C780 78020000>MOV DWORD PTR DS:[EAX+278],DUMP.0051D5E4
0051DCAE |. 33D2 XOR EDX,EDX
0051DCB0 |. 8B07 MOV EAX,DWORD PTR DS:[EDI]
0051DCB2 |. E8 4999F2FF CALL DUMP.00447600
0051DCB7 |. 33D2 XOR EDX,EDX
0051DCB9 |. 8B07 MOV EAX,DWORD PTR DS:[EDI]
0051DCBB |. E8 8429F1FF CALL DUMP.00430644
0051DCC0 |. 33D2 XOR EDX,EDX
0051DCC2 |. 8B07 MOV EAX,DWORD PTR DS:[EDI]
0051DCC4 |. E8 FF2CF1FF CALL DUMP.004309C8
0051DCC9 |. 8B15 64A05300 MOV EDX,DWORD PTR DS:[53A064]
0051DCCF |. 8B12 MOV EDX,DWORD PTR DS:[EDX]
0051DCD1 |. 8B07 MOV EAX,DWORD PTR DS:[EDI]
0051DCD3 |. E8 DC2BF1FF CALL DUMP.004308B4
0051DCD8 |. 8D55 F4 LEA EDX,DWORD PTR SS:[EBP-C]
0051DCDB |. 8B07 MOV EAX,DWORD PTR DS:[EDI]
0051DCDD |. E8 A22BF1FF CALL DUMP.00430884
0051DCE2 |. 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C]
0051DCE5 |. A1 9C9F5300 MOV EAX,DWORD PTR DS:[539F9C]
0051DCEA |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
0051DCEC |. E8 6B0BF3FF CALL DUMP.0044E85C
0051DCF1 |. 6A 00 PUSH 0 ; /lParam = 0---------------->this call is the culprit [0x11D2F1]
0051DCF3 |. 68 A8BC5100 PUSH DUMP.0051BCA8 ; |Callback = DUMP.0051BCA8
0051DCF8 |. E8 C796EEFF CALL <JMP.&USER32.EnumWindows> ; \EnumWindows
0051DCFD |. 33C0 XOR EAX,EAX
0051DCFF |. 5A POP EDX
0051DD00 |. 59 POP ECX
0051DD01 |. 59 POP ECX
0051DD02 |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
0051DD05 |. 68 27DD5100 PUSH DUMP.0051DD27
0051DD0A |> 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
0051DD0D |. E8 4660EEFF CALL DUMP.00403D58
0051DD12 |. 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
0051DD15 |. BA 02000000 MOV EDX,2
0051DD1A |. E8 5D60EEFF CALL DUMP.00403D7C
0051DD1F \. C3 RETN
0051DD20 .- E9 CB5AEEFF JMP DUMP.004037F0
0051DD25 .^ EB E3 JMP SHORT DUMP.0051DD0A
0051DD27 . 5F POP EDI
0051DD28 . 5E POP ESI
0051DD29 . 5B POP EBX
0051DD2A . 8BE5 MOV ESP,EBP
0051DD2C . 5D POP EBP
0051DD2D . C3 RETN
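So the way to get this program to behave and let us debug it under OllyDbg (OD) is to NOP out all three of the identical function calls above.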
==================================================================================================================
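To sum up: finding anti-tracing code this way is really inefficient, and one careless step can mean starting the search all over again. If any of the experts here have a better method, please do share it.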
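One static alternative to single-stepping, as an added example that is not part of the original note: decode the `E8 rel32` and `68 imm32` bytes in the listing, group call sites by resolved target, and read off the callback pushed before each call. The function names are hypothetical and the sample rows are copied from the listing above with the comments trimmed.

```python
import re
from collections import defaultdict

# Constructed sample: rows copied from the listing above, comments trimmed.
LISTING = r"""
0051D8A3 |. 68 A8BC5100 PUSH DUMP.0051BCA8
0051D8A8 |. E8 179BEEFF CALL <JMP.&USER32.EnumWindows>
0051D8B7 |. E8 FC18F3FF CALL DUMP.0044F1B8
0051DB15 |. 68 A8BC5100 PUSH DUMP.0051BCA8
0051DB1A |. E8 A598EEFF CALL <JMP.&USER32.EnumWindows>
0051DCF3 |. 68 A8BC5100 PUSH DUMP.0051BCA8
0051DCF8 |. E8 C796EEFF CALL <JMP.&USER32.EnumWindows>
"""

# address, optional OllyDbg flow markers, then "E8 rel32" or "68 imm32"
ROW = re.compile(r"^([0-9A-F]{8})\s+[|/\\.>^\s-]*(E8|68)\s([0-9A-F]{8})"
                 r"\s+(?:CALL|PUSH)\s+(\S+)")

def le32(hex_bytes):
    """Operand bytes are shown in memory order, i.e. little-endian."""
    return int.from_bytes(bytes.fromhex(hex_bytes), "little")

def decode(listing):
    """Yield (address, kind, value, operand_text) for near calls and imm32 pushes."""
    for line in listing.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        addr, operand = int(m.group(1), 16), le32(m.group(3))
        if m.group(2) == "E8":   # target = address of next instruction + rel32
            yield addr, "call", (addr + 5 + operand) & 0xFFFFFFFF, m.group(4)
        else:
            yield addr, "push", operand, m.group(4)

def api_call_sites(listing, api="EnumWindows"):
    """Map each import thunk for `api` to [(call_site, last_pushed_imm32), ...]."""
    rows = list(decode(listing))
    thunks = {value for _, kind, value, text in rows if kind == "call" and api in text}
    sites, last_push = defaultdict(list), None
    for addr, kind, value, _ in rows:
        if kind == "push":
            last_push = value        # stdcall: first argument is pushed last
            continue
        if value in thunks:
            sites[value].append((addr, last_push))
        last_push = None             # a call consumes the pending arguments
    return dict(sites)
```

On these rows all three calls resolve to one import thunk and share the callback DUMP.0051BCA8, so a cross-reference search on that import locates every check site in a single pass.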