Posted on 2008-10-3 17:16:21
00401000 E8 85250000 call Ped.0040358A ; jmp to COMCTL32.InitCommonControls (this is the OEP)
00401005 6A 00 push 0
00401007 E8 D6240000 call Ped.004034E2 ; jmp to kernel32.GetModuleHandleA
0040100C A3 1C654000 mov dword ptr ds:[40651C],eax
00401011 6A 00 push 0
00401013 68 29104000 push Ped.00401029
00401018 6A 00 push 0
0040101A 6A 65 push 65
0040101C 50 push eax
0040101D E8 1A250000 call Ped.0040353C ; jmp to USER32.DialogBoxParamA
00401022 6A 00 push 0
00401024 E8 A1240000 call Ped.004034CA ; jmp to kernel32.ExitProcess
It just looks strange, nothing more~
0041707F 8B85 95334000 mov eax,dword ptr ss:[ebp+403395]
00417085 8B9D 9A334000 mov ebx,dword ptr ss:[ebp+40339A]
0041708B 03C3 add eax,ebx
0041708D 5D pop ebp
0041708E 5F pop edi
0041708F 5E pop esi
00417090 5A pop edx
00417091 59 pop ecx
00417092 5B pop ebx
00417093 - FFE0 jmp eax ; Ped.00401000 (look here: this is where it finally jumps to the OEP, and nothing before it steals code, so the one above should be the real OEP~!)
00417095 8B95 9A334000 mov edx,dword ptr ss:[ebp+40339A]
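As an added illustration (example code, not the poster's), a small Python check of the reasoning in this post: parse the two OllyDbg fragments, follow the stub's register-restoring `jmp eax` to the address Olly annotates, and confirm the landing site is a contiguous block whose calls already go through import thunks, i.e. no stolen bytes before the entry. The listing fragments used as input and the "jmp to" thunk-comment heuristic are assumptions of this example.

```python
import re
from collections import namedtuple

Insn = namedtuple('Insn', 'addr size mnemonic operands comment')
HEXBYTES = re.compile(r'^[0-9A-F]+$')  # OllyDbg prints opcode bytes in upper case, mnemonics in lower case
# Constructed sample input: fragments of the two OllyDbg listings quoted in the post.
OEP_LISTING = """
00401000 E8 85250000 call Ped.0040358A ; jmp to COMCTL32.InitCommonControls
00401005 6A 00 push 0
00401007 E8 D6240000 call Ped.004034E2 ; jmp to kernel32.GetModuleHandleA
0040100C A3 1C654000 mov dword ptr ds:[40651C],eax
"""
STUB_LISTING = """
0041708B 03C3 add eax,ebx
0041708D 5D pop ebp
00417092 5B pop ebx
00417093 - FFE0 jmp eax ; Ped.00401000
"""

def parse_listing(text):
    """Parse 'ADDR BYTES... MNEMONIC OPERANDS ; COMMENT' lines into Insn tuples."""
    out = []
    for raw in text.strip().splitlines():
        code, _, comment = raw.partition(';')
        words = code.split()
        i, digits = 1, 0
        while i < len(words) and (HEXBYTES.match(words[i]) or words[i] == '-'):
            digits += 0 if words[i] == '-' else len(words[i])  # '-' is Olly's jump marker
            i += 1
        out.append(Insn(int(words[0], 16), digits // 2, words[i].lower(),
                        ' '.join(words[i + 1:]), comment.strip()))
    return out

def find_tail_jump(stub):
    """Target of the stub's final 'jmp <reg>' (from Olly's '; Module.ADDR' note), only if registers were popped first."""
    for idx, ins in enumerate(stub):
        if ins.mnemonic == 'jmp' and re.fullmatch(r'e[a-d]x|e[sd]i|e[bs]p', ins.operands):
            if any(p.mnemonic == 'pop' for p in stub[:idx]):
                m = re.search(r'\.([0-9A-F]{8})', ins.comment)
                return int(m.group(1), 16) if m else None
    return None

def looks_like_real_oep(code, target):
    """True when the landing site starts the listing, instructions are contiguous (no hole where code could have been stolen) and every call already resolves to an import thunk ('jmp to ...')."""
    if not code or code[0].addr != target:
        return False
    contiguous = all(a.addr + a.size == b.addr for a, b in zip(code, code[1:]))
    calls = [c for c in code if c.mnemonic == 'call']
    return contiguous and bool(calls) and all('jmp to' in c.comment for c in calls)
```

Running `looks_like_real_oep(parse_listing(OEP_LISTING), find_tail_jump(parse_listing(STUB_LISTING)))` returns True for the post's fragments; a landing site that is not the first listed instruction, or a gap between instructions, makes it return False.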