|
CRTL+F12重新载入程序,F9,确定,SHIFT+F9,程序来到:
780109B3 F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]=====>程序停在此处。删除硬件断点。
780109B5 FF2495 C80A0178 JMP DWORD PTR DS:[EDX*4+78010AC8]
780109BC 8BC7 MOV EAX,EDI
780109BE BA 03000000 MOV EDX,3
780109C3 83E9 04 SUB ECX,4
780109C6 72 0C JB SHORT MSVCRT.780109D4
780109C8 83E0 03 AND EAX,3
780109CB 03C8 ADD ECX,EAX
780109CD FF2485 E0090178 JMP DWORD PTR DS:[EAX*4+780109E0]
780109D4 FF248D D80A0178 JMP DWORD PTR DS:[ECX*4+78010AD8]
780109DB FF248D 580A0178 JMP DWORD PTR DS:[ECX*4+78010A58]
780109E2 0000 ADD BYTE PTR DS:[EAX],AL
780109E4 F0:0901 LOCK OR DWORD PTR DS:[ECX],EAX ; LOCK prefix
780109E7 78 19 JS SHORT MSVCRT.78010A02
780109E9 0A01 OR AL,BYTE PTR DS:[ECX]
780109EB 78 3C JS SHORT MSVCRT.78010A29
780109ED 0A01 OR AL,BYTE PTR DS:[ECX]
780109EF 78 23 JS SHORT MSVCRT.78010A14
780109F1 D18A 0688078A ROR DWORD PTR DS:[EDX+8A078806],1
780109F7 46 INC ESI
780109F8 0188 47018A46 ADD DWORD PTR DS:[EAX+468A0147],ECX
780109FE 02C1 ADD AL,CL
78010A00 - E9 02884702 JMP 7A489207
78010A05 83C6 03 ADD ESI,3
78010A08 83C7 03 ADD EDI,3
78010A0B 83F9 08 CMP ECX,8
78010A0E ^ 72 CB JB SHORT MSVCRT.780109DB
78010A10 F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
78010A12 FF2495 C80A0178 JMP DWORD PTR DS:[EDX*4+78010AC8]
78010A19 23D1 AND EDX,ECX
78010A1B 8A06 MOV AL,BYTE PTR DS:[ESI]
78010A1D 8807 MOV BYTE PTR DS:[EDI],AL
78010A1F 8A46 01 MOV AL,BYTE PTR DS:[ESI+1]
CTRL+F9执行到返回,再F7,来到:
00A5079A 83C4 0C ADD ESP,0C=====>返回到这里。用F8走。
00A5079D 8D85 D4E9FFFF LEA EAX,DWORD PTR SS:[EBP-162C]
00A507A3 50 PUSH EAX
00A507A4 FFB5 D4E9FFFF PUSH DWORD PTR SS:[EBP-162C]
00A507AA FFB5 DCE9FFFF PUSH DWORD PTR SS:[EBP-1624]
00A507B0 8B85 1CEBFFFF MOV EAX,DWORD PTR SS:[EBP-14E4]
00A507B6 0385 D8E9FFFF ADD EAX,DWORD PTR SS:[EBP-1628]
00A507BC 50 PUSH EAX
00A507BD FF15 3481A500 CALL DWORD PTR DS:[A58134] ; KERNEL32.VirtualProtect
00A507C3 8B85 E0E9FFFF MOV EAX,DWORD PTR SS:[EBP-1620]
00A507C9 8985 0CD4FFFF MOV DWORD PTR SS:[EBP-2BF4],EAX
00A507CF FFB5 0CD4FFFF PUSH DWORD PTR SS:[EBP-2BF4]
00A507D5 E8 146F0000 CALL 00A576EE ; JMP to MSVCRT.??3@YAXPAX@Z
00A507DA 59 POP ECX
00A507DB ^ E9 A5FAFFFF JMP 00A50285
00A507E0 8325 A055A600 0>AND DWORD PTR DS:[A655A0],0
00A507E7 83BD 78ECFFFF 0>CMP DWORD PTR SS:[EBP-1388],0
00A507EE 74 33 JE SHORT 00A50823
00A507F0 8D85 B0E9FFFF LEA EAX,DWORD PTR SS:[EBP-1650]
00A507F6 50 PUSH EAX
00A507F7 6A 20 PUSH 20
00A507F9 FFB5 78ECFFFF PUSH DWORD PTR SS:[EBP-1388]
00A507FF FF35 3C57A600 PUSH DWORD PTR DS:[A6573C]
00A50805 FF15 3481A500 CALL DWORD PTR DS:[A58134] ; KERNEL32.VirtualProtect
00A5080B 8B85 10EBFFFF MOV EAX,DWORD PTR SS:[EBP-14F0]
00A50811 8985 08D4FFFF MOV DWORD PTR SS:[EBP-2BF8],EAX
00A50817 FFB5 08D4FFFF PUSH DWORD PTR SS:[EBP-2BF8]
00A5081D E8 CC6E0000 CALL 00A576EE ; JMP to MSVCRT.??3@YAXPAX@Z
00A50822 59 POP ECX
00A50823 66:C785 FCEAFFF>MOV WORD PTR SS:[EBP-1504],4675
00A5082C 66:C785 64ECFFF>MOV WORD PTR SS:[EBP-139C],0B5F3
00A50835 C745 FC 0100000>MOV DWORD PTR SS:[EBP-4],1
00A5083C B9 00000000 MOV ECX,0
00A50841 66:8CC9 MOV CX,CS
00A50844 32C9 XOR CL,CL
00A50846 E3 64 JECXZ SHORT 00A508AC
00A50848 B4 43 MOV AH,43
00A5084A CD 68 INT 68
然后用F8走,一直来到:
00A512D3 83BD BCE8FFFF 0>CMP DWORD PTR SS:[EBP-1744],0
00A512DA 75 58 JNZ SHORT 00A51334
00A512DC 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
00A512DF 8B00 MOV EAX,DWORD PTR DS:[EAX]
00A512E1 C700 03000000 MOV DWORD PTR DS:[EAX],3
00A512E7 0FBE85 A4E7FFFF MOVSX EAX,BYTE PTR SS:[EBP-185C]
00A512EE 85C0 TEST EAX,EAX
00A512F0 74 0E JE SHORT 00A51300
00A512F2 8D85 A4E7FFFF LEA EAX,DWORD PTR SS:[EBP-185C]
00A512F8 8985 CCD1FFFF MOV DWORD PTR SS:[EBP-2E34],EAX
00A512FE EB 0C JMP SHORT 00A5130C
00A51300 8B85 A0E7FFFF MOV EAX,DWORD PTR SS:[EBP-1860]
00A51306 8985 CCD1FFFF MOV DWORD PTR SS:[EBP-2E34],EAX
00A5130C FF15 D480A500 CALL DWORD PTR DS:[A580D4] ; KERNEL32.GetLastError
00A51312 50 PUSH EAX
00A51313 FFB5 CCD1FFFF PUSH DWORD PTR SS:[EBP-2E34]
00A51319 68 34E5A500 PUSH 0A5E534 ; ASCII "File "%s", error %d"
00A5131E 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
00A51321 FF70 04 PUSH DWORD PTR DS:[EAX+4]
00A51324 FF15 C482A500 CALL DWORD PTR DS:[A582C4] ; MSVCRT.sprintf
00A5132A 83C4 10 ADD ESP,10
00A5132D 33C0 XOR EAX,EAX
00A5132F E9 74140000 JMP 00A527A8
00A51334 FFB5 BCE8FFFF PUSH DWORD PTR SS:[EBP-1744]
00A5133A E8 0664FEFF CALL 00A37745
00A5133F 59 POP ECX
00A51340 83A5 B8E8FFFF 0>AND DWORD PTR SS:[EBP-1748],0
00A51347 6A 00 PUSH 0
00A51349 FF15 C480A500 CALL DWORD PTR DS:[A580C4] ; KERNEL32.GetModuleHandleA
00A5134F 3985 BCE8FFFF CMP DWORD PTR SS:[EBP-1744],EAX
00A51355 75 0F JNZ SHORT 00A51366
00A51357 C785 B8E8FFFF 3>MOV DWORD PTR SS:[EBP-1748],0A5C530
00A51361 E9 C4000000 JMP 00A5142A
00A51366 83A5 94E6FFFF 0>AND DWORD PTR SS:[EBP-196C],0
00A5136D C785 90E6FFFF 4>MOV DWORD PTR SS:[EBP-1970],0A5CB48
00A51377 EB 1C JMP SHORT 00A51395
00A51379 8B85 90E6FFFF MOV EAX,DWORD PTR SS:[EBP-1970]
00A5137F 83C0 0C ADD EAX,0C
00A51382 8985 90E6FFFF MOV DWORD PTR SS:[EBP-1970],EAX
00A51388 8B85 94E6FFFF MOV EAX,DWORD PTR SS:[EBP-196C]
00A5138E 40 INC EAX
00A5138F 8985 94E6FFFF MOV DWORD PTR SS:[EBP-196C],EAX
00A51395 8B85 90E6FFFF MOV EAX,DWORD PTR SS:[EBP-1970]
00A5139B 8338 00 CMP DWORD PTR DS:[EAX],0
00A5139E 0F84 86000000 JE 00A5142A=====>在此下内存访问断点!
00A513A4 8B85 90E6FFFF MOV EAX,DWORD PTR SS:[EBP-1970]
00A513AA 8B40 08 MOV EAX,DWORD PTR DS:[EAX+8]
00A513AD 83E0 01 AND EAX,1
00A513B0 85C0 TEST EAX,EAX
00A513B2 74 25 JE SHORT 00A513D9
00A513B4 A1 9455A600 MOV EAX,DWORD PTR DS:[A65594]
00A513B9 8B0D 9455A600 MOV ECX,DWORD PTR DS:[A65594] ; NOTEPAD.0044D260
00A513BF 8B40 58 MOV EAX,DWORD PTR DS:[EAX+58]
00A513C2 3341 6C XOR EAX,DWORD PTR DS:[ECX+6C]
00A513C5 8B0D 9455A600 MOV ECX,DWORD PTR DS:[A65594] ; NOTEPAD.0044D260
00A513CB 3341 70 XOR EAX,DWORD PTR DS:[ECX+70]
00A513CE 25 80000000 AND EAX,80
00A513D3 85C0 TEST EAX,EAX
00A513D5 74 02 JE SHORT 00A513D9
00A513D7 ^ EB A0 JMP SHORT 00A51379
00A513D9 8B85 94E6FFFF MOV EAX,DWORD PTR SS:[EBP-196C]
00A513DF 8B0D E011A600 MOV ECX,DWORD PTR DS:[A611E0]
00A513E5 8B15 9455A600 MOV EDX,DWORD PTR DS:[A65594] ; NOTEPAD.0044D260
00A513EB 8B0481 MOV EAX,DWORD PTR DS:[ECX+EAX*4]
00A513EE 3342 54 XOR EAX,DWORD PTR DS:[EDX+54]
00A513F1 8B0D 9455A600 MOV ECX,DWORD PTR DS:[A65594] ; NOTEPAD.0044D260
00A513F7 3341 70 XOR EAX,DWORD PTR DS:[ECX+70]
00A513FA 8B0D 9455A600 MOV ECX,DWORD PTR DS:[A65594] ; NOTEPAD.0044D260
00A51400 3341 24 XOR EAX,DWORD PTR DS:[ECX+24]
F9运行,每次程序停在00A5139E时修改寄存器跳转标志Z为1,让其跳转。当程序停在别处时,再ALT+M打开内存镜像,在00401000行下内存访问断点,然后F9,程序直接停在入口处:
004010CC 55 PUSH EBP=====>断在此处!
004010CD 8BEC MOV EBP,ESP
004010CF 83EC 44 SUB ESP,44
004010D2 56 PUSH ESI
004010D3 FF15 E4634000 CALL DWORD PTR DS:[4063E4] ; KERNEL32.GetCommandLineA
004010D9 8BF0 MOV ESI,EAX
004010DB 8A00 MOV AL,BYTE PTR DS:[EAX]
004010DD 3C 22 CMP AL,22
004010DF 75 1B JNZ SHORT NOTEPAD.004010FC
004010E1 56 PUSH ESI
004010E2 FF15 F4644000 CALL DWORD PTR DS:[4064F4] ; USER32.CharNextA
004010E8 8BF0 MOV ESI,EAX
004010EA 8A00 MOV AL,BYTE PTR DS:[EAX]
004010EC 84C0 TEST AL,AL
004010EE 74 04 JE SHORT NOTEPAD.004010F4
004010F0 3C 22 CMP AL,22
004010F2 ^ 75 ED JNZ SHORT NOTEPAD.004010E1
004010F4 803E 22 CMP BYTE PTR DS:[ESI],22
004010F7 75 15 JNZ SHORT NOTEPAD.0040110E
004010F9 46 INC ESI
004010FA EB 12 JMP SHORT NOTEPAD.0040110E
004010FC 3C 20 CMP AL,20
运行ImprotREC修复,填入入口10CC,自动搜索,再把无效指针剪去,最后修复,OK!
csjwaman[DFCG]上一页 [1] [2] |
