Take the embird [bcg] posted on the forum
Tools: trw2000, ImportREC v1.3
It's very simple
2. Set a breakpoint at 426F67
3. Issue the command "suspend" to suspend the process
Enter the OEP (4526f67-40000 = 26f67)
"IAT AutoSearch"
After "fix dump", dump_.exe is generated
```
017F:0044DCF4 33DB XOR EBX,EBX
017F:0044DCF6 385814 CMP [EAX+14],BL
017F:0044DCF9 7409 JZ 0044DD04
017F:0044DCFB 838E14010000FF OR DWORD [ESI+0114],BYTE -01
017F:0044DD02 EB63 JMP SHORT 0044DD67
017F:0044DD04 53 PUSH EBX
017F:0044DD05 FF15FC364500 CALL [4536FC] <---- this is where the illegal operation happens
017F:0044DD0B 3BC3 CMP EAX,EBX
017F:0044DD0D 7D0A JNL 0044DD19
017F:0044DD0F 53 PUSH EBX
017F:0044DD10 E863000000 CALL 0044DD78
```
Look at [4536FC]
Enter the OEP
But 00052FFC+00000394=53390 is smaller than 4536FC! It turns out petite
So we enter it manually
(00000709 is an empirical value
Now dump_.exe runs.
```
017F:00417CE6 C6470165 MOV BYTE [EDI+01],65
017F:00417CEA FF75F0 PUSH DWORD [EBP-10]
017F:00417CED FF75D8 PUSH DWORD [EBP-28]
017F:00417CF0 FF75E8 PUSH DWORD [EBP-18]
017F:00417CF3 E8BB060000 CALL 004183B3 <----- this call is the hidden trap, F8 to step into it
017F:00417CF8 83C40C ADD ESP,BYTE +0C
017F:00417CFB 85C0 TEST EAX,EAX
017F:00417CFD 0F8516010000 JNZ NEAR 00417E19
017F:00417D03 53 PUSH EBX
017F:00417D04 53 PUSH EBX
```
```
017F:004183B3 FF742408 PUSH DWORD [ESP+08]
017F:004183B7 FF742408 PUSH DWORD [ESP+08]
017F:004183BB E80CF1FFFF CALL 004174CC <----- F8 to step into it
017F:004183C0 2B442414 SUB EAX,[ESP+14]
017F:004183C4 59 POP ECX
017F:004183C5 59 POP ECX
017F:004183C6 F7D8 NEG EAX
017F:004183C8 1BC0 SBB EAX,EAX
017F:004183CA 40 INC EAX
017F:004183CB C3 RET
```
```
017F:004174CC 8B4C2408 MOV ECX,[ESP+08] ----------+
017F:004174D0 83C8FF OR EAX,BYTE -01 |
017F:004174D3 8BD1 MOV EDX,ECX |
017F:004174D5 49 DEC ECX |
017F:004174D6 85D2 TEST EDX,EDX |
017F:004174D8 7423 JZ 004174FD |
017F:004174DA 56 PUSH ESI |
017F:004174DB 8D5101 LEA EDX,[ECX+01] | typical crc32
017F:004174DE 8B4C2408 MOV ECX,[ESP+08] |
017F:004174E2 57 PUSH EDI |
017F:004174E3 0FB631 MOVZX ESI,BYTE [ECX] |
017F:004174E6 0FB6F8 MOVZX EDI,AL |
017F:004174E9 33F7 XOR ESI,EDI |
017F:004174EB C1E808 SHR EAX,08 |
017F:004174EE 8B34B590594600 MOV ESI,[ESI*4+00465990] |
017F:004174F5 33C6 XOR EAX,ESI |
017F:004174F7 41 INC ECX |
017F:004174F8 4A DEC EDX |
017F:004174F9 75E8 JNZ 004174E3 ---------------|
017F:004174FB 5F POP EDI
017F:004174FC 5E POP ESI
```
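The CRC32 loop at 004174CC and the compare wrapper at 004183B3 written out in C, as an added example that is not code from the original post; that the table at 00465990 is the standard 0xEDB88320 table and that no final NOT follows the loop are assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumption: the 256-entry table at 00465990 is the standard reflected
 * CRC-32 table for polynomial 0xEDB88320; rebuilt here so this runs alone. */
static uint32_t crc_table[256];
static int table_ready;

static void build_table(void)
{
    for (uint32_t i = 0; i < 256; i++) {
        uint32_t c = i;
        for (int k = 0; k < 8; k++)
            c = (c & 1) ? (c >> 1) ^ 0xEDB88320u : (c >> 1);
        crc_table[i] = c;
    }
    table_ready = 1;
}

/* The loop at 004174CC: EAX = -1, ECX = len (JZ 004174FD when zero), then per
 * byte  ESI = table[(EAX ^ byte) & 0xFF];  EAX = (EAX >> 8) ^ ESI.
 * The listing stops at the POPs, so whether a final NOT follows is not
 * visible; this version returns the register value as the loop leaves it. */
uint32_t crc32_raw(const uint8_t *buf, size_t len)
{
    uint32_t crc = 0xFFFFFFFFu;          /* OR EAX,BYTE -01 */
    if (!table_ready)
        build_table();
    for (size_t i = 0; i < len; i++)     /* INC ECX / DEC EDX / JNZ */
        crc = crc_table[(crc ^ buf[i]) & 0xFF] ^ (crc >> 8);
    return crc;
}

/* The wrapper at 004183B3: SUB EAX,[ESP+14] / NEG / SBB EAX,EAX / INC
 * turns "computed == stored" into 1 and anything else into 0. The caller
 * at 00417CF3 then does TEST EAX,EAX / JNZ 00417E19, so a dump whose
 * bytes (or stored value) no longer match falls through into the trap path. */
int integrity_check(const uint8_t *buf, size_t len, uint32_t stored)
{
    uint32_t diff = crc32_raw(buf, len) - stored;   /* SUB EAX,[ESP+14] */
    return diff == 0 ? 1 : 0;                       /* NEG; SBB; INC     */
}
```

Inverting the returned value gives the familiar CRC-32 (for "123456789" that is 0xCBF43926), which is how to confirm the table guess against a known check value.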