Confused while using OD
This is a program for checking an instrument. Loaded into OD, it stops at:
005256B0 > 55 PUSH EBP
005256B1|.8BEC MOV EBP,ESP
005256B3|.83C4 F4 ADD ESP,-0C
005256B6|.E8 15E1EDFF CALL TMS22.004037D0
005256BB|.E8 340AEEFF CALL TMS22.004060F4
005256C0|.E8 2F56EEFF CALL TMS22.0040ACF4
005256C5|.E8 9AC5EEFF CALL TMS22.00411C64
005256CA|.E8 6DD5EEFF CALL TMS22.00412C3C
005256CF|.E8 C4F4EEFF CALL TMS22.00414B98
005256D4|.E8 076DEFFF CALL TMS22.0041C3E0
005256D9|.E8 924DF0FF CALL TMS22.0042A470
005256DE|.E8 CD28F1FF CALL TMS22.00437FB0
005256E3|.E8 68A7F1FF CALL TMS22.0043FE50
005256E8|.E8 0333F3FF CALL TMS22.004589F0
005256ED|.E8 B635F3FF CALL TMS22.00458CA8
005256F2|.E8 6DA0F5FF CALL TMS22.0047F764
005256F7|.E8 D4F4F6FF CALL TMS22.00494BD0
005256FC|.E8 5B4BF9FF CALL TMS22.004BA25C
00525701|.E8 9657FBFF CALL TMS22.004DAE9C
00525706|.E8 3D6BFDFF CALL TMS22.004FC248
0052570B|.66:BA F5FF MOV DX,0FFF5
Run with F9; it stops at:
7C81EB33 5E POP ESI
7C81EB34 C9 LEAVE
7C81EB35 C2 1000 RETN 10
7C81EB38 85FF TEST EDI,EDI
7C81EB3A^ 0F8E E6D0FEFF JLE kernel32.7C80BC26
7C81EB40 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
7C81EB43 8955 0C MOV DWORD PTR SS:[EBP+C],EDX
7C81EB46 0FB716 MOVZX EDX,WORD PTR DS:[ESI]
7C81EB49 8B7D F8 MOV EDI,DWORD PTR SS:[EBP-8]
7C81EB4C 8A143A MOV DL,BYTE PTR DS:[EDX+EDI]
7C81EB4F 8811 MOV BYTE PTR DS:[ECX],DL
7C81EB51 8B78 0C MOV EDI,DWORD PTR DS:[EAX+C]
7C81EB54 0FB6D2 MOVZX EDX,DL
7C81EB57 66:8B1457 MOV DX,WORD PTR DS:[EDI+EDX*2]
7C81EB5B 66:3B16 CMP DX,WORD PTR DS:[ESI]
7C81EB5E 0F85 2FC70200 JNZ kernel32.7C84B293
Below it says: Stack = FFFFFFFF
ESI = 0012FD8C
The registers at this point:
EAX 0012FD08
ECX 00000000
EDX 0044E150 TMS22.0044E150
EBX 00122208
ESP 0012FD04
EBP 0012FD58
ESI 0012FD8C
EDI 7C930738 ntdll.7C930738
EIP 7C81EB33 kernel32.7C81EB33
C 0  ES 0023 32bit 0(FFFFFFFF)
P 0  CS 001B 32bit 0(FFFFFFFF)
A 0  SS 0023 32bit 0(FFFFFFFF)
Z 0  DS 0023 32bit 0(FFFFFFFF)
S 0  FS 003B 32bit 7FFDD000(FFF)
T 0  GS 0000 NULL
D 0
O 0  LastErr ERROR_SUCCESS (00000000)
EFL 00000202 (NO,NB,NE,A,NS,PO,GE,G)
ST0 empty -UNORM BBB0 01050104 00000000
ST1 empty 0.0
ST2 empty 0.0
ST3 empty 0.0
ST4 empty 0.0
ST5 empty 1.0000000000000000000
ST6 empty 1.0000000000000000000
ST7 empty 1.0000000000000000000
              3 2 1 0      E S P U O Z D I
FST 4020  Cond 1 0 0 0  Err 0 0 1 0 0 0 0 0  (EQ)
FCW 1272  Prec NEAR,53  Mask 1 1 0 0 1 0
The stack:
0012FD04 FFFFFFFF
0012FD08 0EEDFACE
0012FD0C 00000001
0012FD10 00000000
0012FD14 7C81EB33 RETURN to kernel32.7C81EB33 from ntdll.RtlRaiseException
0012FD18 00000007
0012FD1C 0044E150 RETURN to TMS22.0044E150 from TMS22.004035A8
0012FD20 00FAE370
0012FD24 00122208
0012FD28 FFFFFFFF
0012FD2C 7C930738 ntdll.7C930738
Shift+F9:
A dialog appears:
The last time this program was used, it was shut down incorrectly.
Click "Start" to check the database integrity
Pressed "Start".
A dialog appears:
Database recovery procedure completed.
No errors found
Click 'Continue' to proceed with the topography program
Pressed "Continue" and another dialog appears:
Privileged instruction
After pressing "OK" the program's interface appears, but it shows "space full". The program cannot be used.
Ctrl+F2 to restart.
Right-clicked, "Search for all referenced text strings"; "Privileged instruction" was not found, so I had to search by hand and came to this:
0040A23C /$ 8B00 MOV EAX,DWORD PTR DS:[EAX]
0040A23E|.3D 920000C0 CMP EAX,C0000092 ;Switch (cases C0000005..C000013A)
0040A243|.7F 2C JG SHORT TMS22.0040A271
0040A245|.74 59 JE SHORT TMS22.0040A2A0
0040A247|.3D 8E0000C0 CMP EAX,C000008E
0040A24C|.7F 15 JG SHORT TMS22.0040A263
0040A24E|.74 53 JE SHORT TMS22.0040A2A3
0040A250|.2D 050000C0 SUB EAX,C0000005
0040A255|.74 55 JE SHORT TMS22.0040A2AC
0040A257|.2D 87000000 SUB EAX,87
0040A25C|.74 3C JE SHORT TMS22.0040A29A
0040A25E|.48 DEC EAX
0040A25F|.74 48 JE SHORT TMS22.0040A2A9
0040A261|.EB 55 JMP SHORT TMS22.0040A2B8
0040A263|>05 71FFFF3F ADD EAX,3FFFFF71
0040A268|.83E8 02 SUB EAX,2
0040A26B|.72 33 JB SHORT TMS22.0040A2A0
0040A26D|.74 37 JE SHORT TMS22.0040A2A6
0040A26F|.EB 47 JMP SHORT TMS22.0040A2B8
0040A271|>3D 960000C0 CMP EAX,C0000096
0040A276|.7F 11 JG SHORT TMS22.0040A289
0040A278|.74 35 JE SHORT TMS22.0040A2AF
0040A27A|.2D 930000C0 SUB EAX,C0000093
0040A27F|.74 28 JE SHORT TMS22.0040A2A9
0040A281|.48 DEC EAX
0040A282|.74 13 JE SHORT TMS22.0040A297
0040A284|.48 DEC EAX
0040A285|.74 16 JE SHORT TMS22.0040A29D
0040A287|.EB 2F JMP SHORT TMS22.0040A2B8
0040A289|>2D FD0000C0 SUB EAX,C00000FD
0040A28E|.74 25 JE SHORT TMS22.0040A2B5
0040A290|.83E8 3D SUB EAX,3D
0040A293|.74 1D JE SHORT TMS22.0040A2B2
0040A295|.EB 21 JMP SHORT TMS22.0040A2B8
0040A297|>B0 03 MOV AL,3 ;Case C0000094 (INTEGER DIVIDE BY ZERO) of switch 0040A23E
0040A299|.C3 RETN
0040A29A|>B0 04 MOV AL,4 ;Case C000008C (ARRAY BOUNDS EXCEEDED) of switch 0040A23E
0040A29C|.C3 RETN
0040A29D|>B0 05 MOV AL,5 ;Case C0000095 (INTEGER OVERFLOW) of switch 0040A23E
0040A29F|.C3 RETN
0040A2A0|>B0 06 MOV AL,6 ;Cases C000008F (FLOAT INEXACT RESULT),C0000090 (FLOAT INVALID OPERATION),C0000092 (FLOAT STACK CHECK) of switch 0040A23E
0040A2A2|.C3 RETN
0040A2A3|>B0 07 MOV AL,7 ;Case C000008E (FLOAT DIVIDE BY ZERO) of switch 0040A23E
0040A2A5|.C3 RETN
0040A2A6|>B0 08 MOV AL,8 ;Case C0000091 (FLOAT OVERFLOW) of switch 0040A23E
0040A2A8|.C3 RETN
0040A2A9|>B0 09 MOV AL,9 ;Cases C000008D (FLOAT DENORMAL OPERAND),C0000093 (FLOAT UNDERFLOW) of switch 0040A23E
0040A2AB|.C3 RETN
0040A2AC|>B0 0B MOV AL,0B ;Case C0000005 (ACCESS VIOLATION) of switch 0040A23E
0040A2AE|.C3 RETN
0040A2AF|>B0 0C MOV AL,0C ;Case C0000096 (PRIVILEGED INSTRUCTION) of switch 0040A23E
0040A2B1|.C3 RETN
0040A2B2|>B0 0D MOV AL,0D ;Case C000013A (CONTROL C EXIT) of switch 0040A23E
0040A2B4|.C3 RETN
0040A2B5|>B0 0E MOV AL,0E ;Case C00000FD (STACK OVERFLOW) of switch 0040A23E
0040A2B7|.C3 RETN
0040A2B8|>B0 15 MOV AL,15 ;Default case of switch 0040A23E
0040A2BA\.C3 RETN
Look at 0040A2AF; it says the jump comes from 0040A278.
0040A278|.74 35 JE SHORT TMS22.0040A2AF
I changed JE SHORT TMS22.0040A2AF to NOP.
Ran it again, and everything was the same as at the start, except that after pressing "Continue" the dialog changed to "External exception"; after pressing OK it still said "space full". Still unusable. Could the experts please take a look at where else the problem might be?
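An added worked example for the session in the first post (written for this edit; it is not code from the post or from the TMS22 program). Two things in the dump are worth decoding. First, at the initial stop EAX = 0012FD08 points into the stack pane, and the eleven DWORDs there have the layout of a 32-bit EXCEPTION_RECORD that kernel32.RaiseException fills in before calling ntdll.RtlRaiseException: code 0EEDFACE, flags 1 (EXCEPTION_NONCONTINUABLE), no chained record, an address inside kernel32, and 7 parameters. 0EEDFACE is the Delphi RTL's own exception code, so this first stop is the program raising a Delphi exception, not a crash; the script below unpacks the seven parameters on the assumption that they follow the argument order of Delphi's System._RaiseExcept (raise address, exception object, then EBX/ESI/EDI/EBP/ESP), which fits the pane: parameter 0 is 0044E150 (the same value still in EDX), parameter 2 matches EBX and parameter 4 matches EDI in the register pane. Second, the script re-implements the compare/subtract ladder at 0040A23C..0040A2BA so the effect of the patch can be checked without re-running the program: with the JE at 0040A278 removed, C0000096 falls through to the default case and AL becomes 15, which is the "External exception" dialog seen on the second run, so the NOP only renamed the error. The NTSTATUS names are the ones OllyDbg annotated in the listing; the two dialog texts for 0C and 15 are the ones reported in the post; the stack contents are copied from the post.

```python
"""Decode the OllyDbg stack pane from the post as an EXCEPTION_RECORD and
replay the NTSTATUS -> Delphi runtime-error switch at 0040A23C.
Added example; stack contents are copied from the post, not generated here."""

# Stack pane as posted (ESP = 0012FD04, EAX = 0012FD08 at the break).
STACK_PANE = """
0012FD04 FFFFFFFF
0012FD08 0EEDFACE
0012FD0C 00000001
0012FD10 00000000
0012FD14 7C81EB33
0012FD18 00000007
0012FD1C 0044E150
0012FD20 00FAE370
0012FD24 00122208
0012FD28 FFFFFFFF
0012FD2C 7C930738
"""

DELPHI_EXCEPTION = 0x0EEDFACE          # cDelphiException in the Delphi RTL
EXCEPTION_NONCONTINUABLE = 0x1
# Argument order of Delphi's System._RaiseExcept (assumption: Delphi 5-7 RTL source).
DELPHI_ARG_NAMES = ("ExceptAddr", "ExceptObject", "EBX", "ESI", "EDI", "EBP", "ESP")

# Case names as OllyDbg annotated them in the listing; dialog texts as seen in the post.
STATUS_NAMES = {
    0xC0000005: "ACCESS VIOLATION", 0xC000008C: "ARRAY BOUNDS EXCEEDED",
    0xC000008D: "FLOAT DENORMAL OPERAND", 0xC000008E: "FLOAT DIVIDE BY ZERO",
    0xC000008F: "FLOAT INEXACT RESULT", 0xC0000090: "FLOAT INVALID OPERATION",
    0xC0000091: "FLOAT OVERFLOW", 0xC0000092: "FLOAT STACK CHECK",
    0xC0000093: "FLOAT UNDERFLOW", 0xC0000094: "INTEGER DIVIDE BY ZERO",
    0xC0000095: "INTEGER OVERFLOW", 0xC0000096: "PRIVILEGED INSTRUCTION",
    0xC00000FD: "STACK OVERFLOW", 0xC000013A: "CONTROL C EXIT",
}
DIALOG_TEXT = {0x0C: "Privileged instruction", 0x15: "External exception"}


def parse_stack_pane(text):
    """'ADDR VALUE' lines as OllyDbg prints them -> {address: dword}."""
    mem = {}
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) >= 2:
            mem[int(parts[0], 16)] = int(parts[1], 16)
    return mem


def read_exception_record(mem, base):
    """Interpret memory at base as a 32-bit EXCEPTION_RECORD (WinNT.h layout).
    Stops early if the pane is truncated instead of inventing parameters."""
    rec = {
        "ExceptionCode": mem[base],
        "ExceptionFlags": mem[base + 4],
        "ExceptionRecord": mem[base + 8],
        "ExceptionAddress": mem[base + 12],
        "NumberParameters": mem[base + 16],
    }
    info = []
    for i in range(min(rec["NumberParameters"], 15)):
        addr = base + 20 + 4 * i
        if addr not in mem:
            break                      # the posted pane ends after five parameters
        info.append(mem[addr])
    rec["ExceptionInformation"] = info
    rec["Truncated"] = len(info) < rec["NumberParameters"]
    if rec["ExceptionCode"] == DELPHI_EXCEPTION and rec["NumberParameters"] == 7:
        rec["Delphi"] = dict(zip(DELPHI_ARG_NAMES, info))   # only the params present
    return rec


def decode_first_stop():
    """The record EAX pointed at when OD first stopped (EAX = 0012FD08)."""
    return read_exception_record(parse_stack_pane(STACK_PANE), 0x0012FD08)


def u32(x):
    return x & 0xFFFFFFFF


def s32(x):
    x = u32(x)
    return x - 0x100000000 if x & 0x80000000 else x


def map_status_to_runerror(status, nop_je_at_0040a278=False):
    """Replay the ladder at 0040A23C..0040A2BA and return the byte left in AL.
    JG is a signed compare, so statuses are compared as signed 32-bit ints.
    nop_je_at_0040a278=True reproduces the JE -> NOP patch from the post."""
    eax = u32(status)
    if s32(eax) > s32(0xC0000092):                        # 0040A243 JG 0040A271
        if s32(eax) > s32(0xC0000096):                    # 0040A276 JG 0040A289
            eax = u32(eax - 0xC00000FD)                   # 0040A289
            if eax == 0:
                return 0x0E                               # STACK OVERFLOW
            return 0x0D if u32(eax - 0x3D) == 0 else 0x15 # CONTROL C EXIT / default
        if eax == 0xC0000096 and not nop_je_at_0040a278:  # 0040A278 JE 0040A2AF
            return 0x0C                                   # PRIVILEGED INSTRUCTION
        eax = u32(eax - 0xC0000093)                       # 0040A27A
        if eax == 0:
            return 0x09                                   # FLOAT UNDERFLOW
        if eax == 1:
            return 0x03                                   # INTEGER DIVIDE BY ZERO
        return 0x05 if eax == 2 else 0x15                 # INTEGER OVERFLOW / default
    if eax == 0xC0000092:                                 # 0040A245 JE 0040A2A0
        return 0x06                                       # FLOAT STACK CHECK
    if s32(eax) > s32(0xC000008E):                        # 0040A24C JG 0040A263
        eax = u32(eax + 0x3FFFFF71)                       # C000008F..C0000091 -> 0..2
        if eax < 2:                                       # 0040A26B JB after SUB EAX,2
            return 0x06                                   # FLOAT INEXACT / INVALID OP
        return 0x08 if eax == 2 else 0x15                 # FLOAT OVERFLOW / default
    if eax == 0xC000008E:                                 # 0040A24E JE 0040A2A3
        return 0x07                                       # FLOAT DIVIDE BY ZERO
    eax = u32(eax - 0xC0000005)                           # 0040A250
    if eax == 0:
        return 0x0B                                       # ACCESS VIOLATION
    eax = u32(eax - 0x87)                                 # 0040A257
    if eax == 0:
        return 0x04                                       # ARRAY BOUNDS EXCEEDED
    return 0x09 if eax == 1 else 0x15                     # FLOAT DENORMAL / default


if __name__ == "__main__":
    rec = decode_first_stop()
    print("code %08X flags %X params %d truncated=%s" % (
        rec["ExceptionCode"], rec["ExceptionFlags"], rec["NumberParameters"], rec["Truncated"]))
    for k, v in rec.get("Delphi", {}).items():
        print("  %-12s %08X" % (k, v))
    for patched in (False, True):
        al = map_status_to_runerror(0xC0000096, patched)
        print("C0000096 (%s) -> AL=%02X %s" % (STATUS_NAMES[0xC0000096], al, DIALOG_TEXT.get(al, "")))
```

The record's ExceptionAddress slot holds 7C81EB33, an address inside kernel32, which is whatever RaiseException wrote there; the address in the program that actually raised is parameter 0, 0044E150. The switch only decides which Delphi error class gets instantiated for a hardware exception the OS has already delivered, so changing the JE cannot stop the privileged instruction from faulting; the listing does not show which instruction that is, and the script does not guess.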
Reply by 飘云 (2006-4-3 22:37):
What happens if you open it without OD?
If it runs normally that way, then it's the program's own anti-debugging trick~~

Reply by 月之精灵:
Originally posted by 飘云 on 2006-4-3 22:37:
> What happens if you open it without OD?
> If it runs normally that way, then it's the program's own anti-debugging trick~~
Thanks. Do you mean I should try another debugging tool? I'm a newbie and don't know what other good debuggers there are. Please advise.

Reply:
Originally posted by 月之精灵 on 2006-4-4 12:31:
> Thanks. Do you mean I should try another debugging tool? I'm a newbie and don't know what other good debuggers there are. Please advise.
Ugh, I don't understand it either!
Reply:
:L :L The experts also got there one step at a time; all three of you in this thread are big names today!

Reply (this post was last edited by whdl on 2010-8-4 00:49):
So there was a thread like this!!!
The newbie back then is a moderator now.
How should I study so that I can make progress too?