Self-check that exits the program automatically after unpacking
I have recently been debugging a program; after unpacking, it has a self-check and exits automatically! After setting bp ExitProcess I landed in the code below and could not analyze any further. After changing the JNZ at 0040425E to JMP, the program will not run: it reports that the instruction at 0x0040283 referenced 0x0000000 and that the memory could not be "read". Could an expert shed some light on this?
004041B8  /$  53                 PUSH EBX
004041B9  |.  56                 PUSH ESI
004041BA  |.  57                 PUSH EDI
004041BB  |.  55                 PUSH EBP
004041BC  |.  BB 38265500        MOV EBX,14A388.00552638
004041C1  |.  BE 00B05400        MOV ESI,14A388.0054B000
004041C6  |.  BF 48205500        MOV EDI,14A388.00552048
004041CB  |.  807B 28 00         CMP BYTE PTR DS:[EBX+28],0
004041CF      75 16              JNZ SHORT 14A388.004041E7
004041D1  |.  833F 00            CMP DWORD PTR DS:[EDI],0
004041D4      74 11              JE SHORT 14A388.004041E7
004041D6  |>  8B17               /MOV EDX,DWORD PTR DS:[EDI]
004041D8  |.  89D0               |MOV EAX,EDX
004041DA  |.  33D2               |XOR EDX,EDX
004041DC  |.  8917               |MOV DWORD PTR DS:[EDI],EDX
004041DE  |.  8BE8               |MOV EBP,EAX
004041E0  |.  FFD5               |CALL EBP
004041E2  |.  833F 00            |CMP DWORD PTR DS:[EDI],0
004041E5     ^75 EF              \JNZ SHORT 14A388.004041D6
004041E7  |>  833D 04B05400>     CMP DWORD PTR DS:[54B004],0
004041EE      74 11              JE SHORT 14A388.00404201
004041F0  |.  E8 ABFEFFFF        CALL 14A388.004040A0
004041F5  |.  E8 32FFFFFF        CALL 14A388.0040412C
004041FA  |.  33C0               XOR EAX,EAX
004041FC  |.  A3 04B05400        MOV DWORD PTR DS:[54B004],EAX
00404201  |>  807B 28 02         /CMP BYTE PTR DS:[EBX+28],2
00404205  |.  75 0A              |JNZ SHORT 14A388.00404211
00404207  |.  833E 00            |CMP DWORD PTR DS:[ESI],0
0040420A  |.  75 05              |JNZ SHORT 14A388.00404211
0040420C  |.  33C0               |XOR EAX,EAX
0040420E  |.  8943 0C            |MOV DWORD PTR DS:[EBX+C],EAX
00404211  |>  E8 1AFDFFFF        |CALL 14A388.00403F30
00404216  |.  807B 28 01         |CMP BYTE PTR DS:[EBX+28],1
0040421A  |.  76 05              |JBE SHORT 14A388.00404221
0040421C  |.  833E 00            |CMP DWORD PTR DS:[ESI],0
0040421F  |.  74 21              |JE SHORT 14A388.00404242
00404221  |>  8B43 10            |MOV EAX,DWORD PTR DS:[EBX+10]
00404224  |.  85C0               |TEST EAX,EAX
00404226  |.  74 1A              |JE SHORT 14A388.00404242
00404228  |.  E8 6F1E0000        |CALL 14A388.0040609C
0040422D  |.  8B53 10            |MOV EDX,DWORD PTR DS:[EBX+10]
00404230  |.  8B42 10            |MOV EAX,DWORD PTR DS:[EDX+10]
00404233  |.  3B42 04            |CMP EAX,DWORD PTR DS:[EDX+4]
00404236  |.  74 0A              |JE SHORT 14A388.00404242
00404238  |.  85C0               |TEST EAX,EAX
0040423A  |.  74 06              |JE SHORT 14A388.00404242
0040423C  |.  50                 |PUSH EAX                             ; /hLibModule
0040423D  |.  E8 0ED1FFFF        |CALL <JMP.&kernel32.FreeLibrary>     ; \FreeLibrary
00404242  |>  E8 C1FCFFFF        |CALL 14A388.00403F08
00404247  |.  807B 28 01         |CMP BYTE PTR DS:[EBX+28],1
0040424B      75 03              |JNZ SHORT 14A388.00404250
0040424D  |.  FF53 24            |CALL DWORD PTR DS:[EBX+24]
00404250  |>  807B 28 00         |CMP BYTE PTR DS:[EBX+28],0
00404254      74 05              |JE SHORT 14A388.0040425B
00404256  |.  E8 A1FEFFFF        |CALL 14A388.004040FC
0040425B  |>  833B 00            |CMP DWORD PTR DS:[EBX],0
0040425E      75 17              |JNZ SHORT 14A388.00404277            <---- error after changing this to JMP!!!
00404260  |.  833D 28205500>     |CMP DWORD PTR DS:[552028],0
00404267      74 06              |JE SHORT 14A388.0040426F
00404269  |.  FF15 28205500      |CALL DWORD PTR DS:[552028]
0040426F  |>  8B06               |MOV EAX,DWORD PTR DS:[ESI]
00404271  |.  50                 |PUSH EAX                             ; /ExitCode
00404272  |.  E8 B9D0FFFF        |CALL <JMP.&kernel32.ExitProcess>     ; \ExitProcess
00404277  |>  8B03               |MOV EAX,DWORD PTR DS:[EBX]
00404279  |.  56                 |PUSH ESI
0040427A  |.  8BF0               |MOV ESI,EAX
0040427C  |.  8BFB               |MOV EDI,EBX
0040427E  |.  B9 0B000000        |MOV ECX,0B
00404283  |.  F3:A5              |REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
00404285  |.  5E                 |POP ESI
00404286  \.^ E9 76FFFFFF        \JMP 14A388.00404201
[ This post was last edited by xuewuzhijing on 2008-4-2 10:38 ]

Reply: Breaking on bp ExitProcess is not a cure-all.

Reply: You didn't patch the right place.. Set file breakpoints and observe again..

Reply: OK, I'll take another look! Thanks for the guidance!

Reply: Run two copies of OD side by side and compare as they run, and you'll find it.

Reply: I tried that; my eyes went blurry from looking.

Reply: Compare at the key places; there is often more than one check.

Reply: Thanks everyone. It's OK now.

Reply: Hey, tell us how you solved it... so everyone can learn.

Reply: Yes, share the solution and let us learn from it.

Reply: You've got it working, so why not describe the method?
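To show why forcing the jump at 0040425E ends in a read from address 0, here is an added C model of the loop at 00404277..00404286 in the opening post's listing. It is not the program's own code: the record layout (eleven dwords, whose first dword points to the enclosing record) is read off MOV ECX,0B and CMP DWORD PTR DS:[EBX],0, the three-record chain is constructed for the demo, and the assumption that the reported crash address 0x0040283 is 00404283 (the REP MOVSD) with a digit dropped is mine.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the cleanup loop at 00404277..00404286 (not the
 * program's code).  The loop copies ECX = 0B dwords from the record that
 * [EBX] points to over the record at EBX, then jumps back to 00404201.
 * The test at 0040425B (CMP DWORD PTR DS:[EBX],0 / JNZ 00404277) ends
 * the walk when that first dword is zero; only then is ExitProcess reached. */
#define RECORD_DWORDS 11                     /* MOV ECX,0B */

typedef struct Record {
    struct Record *outer;                    /* dword 0: the pointer tested at 0040425B */
    uint32_t       rest[RECORD_DWORDS - 1];  /* the other ten dwords; contents irrelevant here */
} Record;

/* Walks the chain the way the loop does and returns how many records were
 * copied before the walk stopped.
 *   force_jump == 0 models the original JNZ: with outer == NULL the routine
 *                   falls through to ExitProcess.
 *   force_jump != 0 models the JNZ->JMP patch: the copy is attempted with
 *                   ESI = 0, so REP MOVSD would read from address 0 at
 *                   00404283 (the access violation the thread reports).
 *                   The model returns -1 there instead of dereferencing NULL. */
int walk_exit_chain(Record *cur, int force_jump)
{
    int copied = 0;
    for (;;) {
        Record *src = cur->outer;            /* MOV EAX,DWORD PTR DS:[EBX] */
        if (src == NULL) {
            if (!force_jump)
                return copied;               /* JNZ not taken: on to ExitProcess */
            return -1;                       /* JMP taken anyway: REP MOVSD from 0 */
        }
        memcpy(cur, src, sizeof(Record));    /* EDI=EBX, ESI=[EBX], REP MOVSD x 0B */
        copied++;                            /* JMP 00404201: cleanup runs again */
    }
}

/* Builds a constructed chain of three records and runs the walk over it. */
int demo(int force_jump)
{
    Record inner, middle, outermost;
    memset(&outermost, 0, sizeof outermost); /* end of chain: first dword is 0 */
    memset(&middle, 0, sizeof middle);
    memset(&inner, 0, sizeof inner);
    middle.outer = &outermost;
    inner.outer  = &middle;
    return walk_exit_chain(&inner, force_jump);
}

int main(void)
{
    printf("original JNZ : %d records copied, then ExitProcess\n", demo(0));
    printf("patched JMP  : %d (read from address 0 at 00404283)\n", demo(1));
    return 0;
}
```

With the original JNZ the walk copies two records and stops at the zero pointer; with the branch forced it reaches the same zero pointer and then tries to copy from it, which is exactly the "memory could not be read" at 0x0000000. This is what the reply "you didn't patch the right place" means: the branch at 0040425E is the end-of-chain test inside the shutdown routine, not the check that decided to exit.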