前天的帖子得到轩辕小聪老兄的指教，深深感谢。我知道自己基础不够，一定努力；现将今天的努力再贴出来，望指教。
OD载入后停在入口点，来到这里：
0040389F >/$ 55 PUSH EBP ; (Initial CPU selection) 从这里开始用F8一路单步走
004038A0 |. 8BEC MOV EBP, ESP
004038A2 |. 6A FF PUSH -1
004038A4 |. 68 F8724000 PUSH 004072F8
004038A9 |. 68 04554000 PUSH 00405504 ; SE 处理程序安装
004038AE |. 64:A1 0000000>MOV EAX, DWORD PTR FS:[0]
004038B4 |. 50 PUSH EAX
来到这里
00403968 |. E8 CDD7FFFF CALL 0040113A ; \(Initial CPU selection) 这里要用F7进入，否则用F8步过的话整个程序会直接跑起来
004014E1 |. FFD0 CALL EAX ; (Initial CPU selection)
0040396D |. 8945 A0 MOV DWORD PTR SS:[EBP-60], EAX ; 00400000
00403970 |. 50 PUSH EAX ; 00400000
00403971 |. E8 01120000 CALL 00404B77
00403976 |. 8B45 EC MOV EAX, DWORD PTR SS:[EBP-14]
00403979 |. 8B08 MOV ECX, DWORD PTR DS:[EAX]
0040397B |. 8B09 MOV ECX, DWORD PTR DS:[ECX]
0040397D |. 894D 98 MOV DWORD PTR SS:[EBP-68], ECX
00403980 |. 50 PUSH EAX ; 00400000
00403981 |. 51 PUSH ECX
00403982 |. E8 C5120000 CALL 00404C4C
00403987 |. 59 POP ECX ; 00400000
00403988 |. 59 POP ECX ; 00400000
00403989 \. C3 RETN
F7进入后来到这里：
0040113A /$ 55 PUSH EBP ; F8走下去
0040113B |. 8BEC MOV EBP, ESP
0040113D |. 81EC 98020000 SUB ESP, 298
00401143 |. 53 PUSH EBX
00401144 |. 56 PUSH ESI
00401145 |. 57 PUSH EDI
00401146 |. 8D85 6CFEFFFF LEA EAX, DWORD PTR SS:[EBP-194]
0040114C |. 68 04010000 PUSH 104 ; /BufSize = 104 (260.)
00401151 |. 50 PUSH EAX ; |PathBuffer = 00400000
00401152 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hModule = 020800A4
00401155 |. 33DB XOR EBX, EBX ; |
00401157 |. 895D FC MOV DWORD PTR SS:[EBP-4], EBX ; |
0040115A |. 895D F8 MOV DWORD PTR SS:[EBP-8], EBX ; |
0040115D |. 895D F0 MOV DWORD PTR SS:[EBP-10], EBX ; |
00401160 |. FF15 24704000 CALL DWORD PTR DS:[<&KERNEL32.GetModuleF>; \GetModuleFileNameA
00401166 |. 53 PUSH EBX ; /hTemplateFile = 7FFDF000
00401167 |. 68 80000000 PUSH 80 ; |Attributes = NORMAL
0040116C |. 6A 03 PUSH 3 ; |Mode = OPEN_EXISTING
0040116E |. 53 PUSH EBX ; |pSecurity = 7FFDF000
0040116F |. 6A 01 PUSH 1 ; |ShareMode = FILE_SHARE_READ
00401171 |. 8D85 6CFEFFFF LEA EAX, DWORD PTR SS:[EBP-194] ; |
00401177 |. 68 00000080 PUSH 80000000 ; |Access = GENERIC_READ
0040117C |. 50 PUSH EAX ; |FileName = "MZ?
0040117D |. FF15 20704000 CALL DWORD PTR DS:[<&KERNEL32.CreateFile>; \CreateFileA
00401183 |. 8BF8 MOV EDI, EAX ; 00400000
00401185 |. 83FF FF CMP EDI, -1
00401188 |. 75 0C JNZ SHORT 00401196
0040118A |. C745 FC C0814>MOV DWORD PTR SS:[EBP-4], 004081C0 ; Can't open file!
00401191 |. E9 37030000 JMP 004014CD
00401196 |> 8B35 1C704000 MOV ESI, DWORD PTR DS:[<&KERNEL32.SetFil>; kernel32.SetFilePointer
0040119C |. 6A 02 PUSH 2 ; /Origin = FILE_END
0040119E |. 53 PUSH EBX ; |pOffsetHi = 7FFDF000
0040119F |. 6A F8 PUSH -8 ; |OffsetLo = FFFFFFF8 (-8.)
004011A1 |. 57 PUSH EDI ; |hFile = 020800A4
004011A2 |. FFD6 CALL ESI ; \SetFilePointer
004011A4 |. 3D E8030000 CMP EAX, 3E8
004011A9 |. 8945 F4 MOV DWORD PTR SS:[EBP-C], EAX ; 00400000
004011AC |. 0F82 FD020000 JB 004014AF
继续往下走，来到这里：
004014E1 |. FFD0 CALL EAX ; (Initial CPU selection) 这里用F7进入（不进入的话程序会跑起来；实际调用的是下面的 krnln.1002979A），进入后再F8向下走
004014E3 |. EB 11 JMP SHORT 004014F6
004014E5 |> 6A 10 PUSH 10 ; /Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
004014E7 |. 68 30804000 PUSH 00408030 ; |Error
004014EC |. FF75 FC PUSH DWORD PTR SS:[EBP-4] ; |Text = NULL
004014EF |. 53 PUSH EBX ; |hOwner = NULL
004014F0 |. FF15 B4704000 CALL DWORD PTR DS:[<&USER32.MessageBoxA>>; \MessageBoxA
004014F6 |> 5F POP EDI ; 0040C000
004014F7 |. 5E POP ESI ; 0040C000
004014F8 |. 33C0 XOR EAX, EAX ; krnln.1002979A
004014FA |. 5B POP EBX ; 0040C000
004014FB |. C9 LEAVE
004014FC \. C2 1000 RETN 10
004014FF /$ 8B4424 0C MOV EAX, DWORD PTR SS:[ESP+C]
00401503 |. 53 PUSH EBX
00401504 |. 33DB XOR EBX, EBX
00401506 |. 56 PUSH ESI
00401507 |. 8B7424 0C MOV ESI, DWORD PTR SS:[ESP+C]
0040150B |. 3BC3 CMP EAX, EBX
0040150D |. 57 PUSH EDI
0040150E |. 74 05 JE SHORT 00401515
00401510 |. 8B4E 3C MOV ECX, DWORD PTR DS:[ESI+3C]
00401513 |. 8908 MOV DWORD PTR DS:[EAX], ECX
00401515 |> 8B06 MOV EAX, DWORD PTR DS:[ESI]
00401517 |. 8B7C24 14 MOV EDI, DWORD PTR SS:[ESP+14]
0040151B |. 83F8 04 CMP EAX, 4
0040151E |. 74 05 JE SHORT 00401525
00401520 |. 83F8 05 CMP EAX, 5
00401523 |. 75 0B JNZ SHORT 00401530
00401525 |> FF76 0C PUSH DWORD PTR DS:[ESI+C]
00401528 |. FF77 28 PUSH DWORD PTR DS:[EDI+28]
0040152B |. FF57 24 CALL DWORD PTR DS:[EDI+24]
0040152E |. 59 POP ECX ; 0040C000
0040152F |. 59 POP ECX ; 0040C000
00401530 |> 833E 06 CMP DWORD PTR DS:[ESI], 6
00401533 |. 75 0B JNZ SHORT 00401540
00401535 |. 57 PUSH EDI
00401536 |. FF76 04 PUSH DWORD PTR DS:[ESI+4]
00401539 |. E8 F40E0000 CALL 00402432
0040153E |. 59 POP ECX ; 0040C000
0040153F |. 59 POP ECX ; 0040C000
00401540 |> 8B46 28 MOV EAX, DWORD PTR DS:[ESI+28]
F7进入后来到这里：
1002979A 55 PUSH EBP ; 从这里F8向下单步
1002979B 8BEC MOV EBP, ESP
1002979D 8B45 08 MOV EAX, DWORD PTR SS:[EBP+8]
100297A0 50 PUSH EAX ; krnln.1002979A
100297A1 B9 88BB0E10 MOV ECX, krnln.100EBB88
100297A6 E8 04F5FFFF CALL krnln.10028CAF ; 这里用F7进入，不然程序会跑起来；进入后再F8向下
100297AB 5D POP EBP ; 004014E3
100297AC C2 0400 RETN 4
100297AF CC INT3
100297B0 55 PUSH EBP
100297B1 8BEC MOV EBP, ESP
100297B3 51 PUSH ECX
100297B4 894D FC MOV DWORD PTR SS:[EBP-4], ECX
100297B7 8B45 FC MOV EAX, DWORD PTR SS:[EBP-4]
100297BA 33C9 XOR ECX, ECX
100297BC 8378 10 00 CMP DWORD PTR DS:[EAX+10], 0
100297C0 0F94C1 SETE CL
100297C3 8BC1 MOV EAX, ECX
100297C5 8BE5 MOV ESP, EBP
100297C7 5D POP EBP ; 004014E3
100297C8 C3 RETN
100297C9 CC INT3
100297CA CC INT3
来到这里，继续F8向下：
10028CAF 55 PUSH EBP
10028CB0 8BEC MOV EBP, ESP
10028CB2 83EC 08 SUB ESP, 8
10028CB5 53 PUSH EBX
10028CB6 56 PUSH ESI
10028CB7 57 PUSH EDI
10028CB8 894D F8 MOV DWORD PTR SS:[EBP-8], ECX ; krnln.100EBB88
10028CBB FF15 E4230C10 CALL DWORD PTR DS:[<&KERNEL32.GetProcess>; kernel32.GetProcessHeap
10028CC1 8B4D F8 MOV ECX, DWORD PTR SS:[EBP-8] ; krnln.100297AB
10028CC4 8981 78040000 MOV DWORD PTR DS:[ECX+478], EAX ; 0040C000
10028CCA 8B55 08 MOV EDX, DWORD PTR SS:[EBP+8] ; 0040C000
10028CCD 8B42 30 MOV EAX, DWORD PTR DS:[EDX+30]
10028CD0 83E0 01 AND EAX, 1
10028CD3 85C0 TEST EAX, EAX ; 0040C000
10028CD5 75 10 JNZ SHORT krnln.10028CE7
10028CD7 8B4D 08 MOV ECX, DWORD PTR SS:[EBP+8] ; 0040C000
10028CDA 51 PUSH ECX ; krnln.100EBB88
10028CDB 8B4D F8 MOV ECX, DWORD PTR SS:[EBP-8] ; krnln.100297AB
10028CDE E8 1D010300 CALL krnln.10058E00
10028CE3 - FFE0 JMP EAX ; 0040C000
10028CE5 EB 0E JMP SHORT krnln.10028CF5
10028CE7 8B55 08 MOV EDX, DWORD PTR SS:[EBP+8] ; .0040C000
004187DA 5D POP EBP
004187DB C3 RETN
004187DC 55 PUSH EBP
004187DD 8BEC MOV EBP, ESP
004187DF 68 01000100 PUSH 10001
004187E4 68 5C000106 PUSH 601005C
004187E9 68 5D000152 PUSH 5201005D
004187EE 68 01000000 PUSH 1
004187F3 BB 60030000 MOV EBX, 360
004187F8 E8 57000000 CALL .00418854
004187FD 83C4 10 ADD ESP, 10
00418800 8BE5 MOV ESP, EBP
00418802 5D POP EBP
00418803 C3 RETN
00418804 C3 RETN
00418805 C3 RETN
最后来到这里：
00418806 FC CLD
00418807 DBE3 FINIT
00418809 E8 F6FFFFFF CALL .00418804
0041880E 68 05884100 PUSH .00418805
00418813 B8 03000000 MOV EAX, 3
00418818 E8 31000000 CALL .0041884E
0041881D 83C4 04 ADD ESP, 4
00418820 68 01000152 PUSH 52010001
00418825 E8 1E000000 CALL .00418848
0041882A 83C4 04 ADD ESP, 4
0041882D 6A 00 PUSH 0
0041882F E8 0E000000 CALL .00418842 ; (Initial CPU selection)
00418834 E8 03000000 CALL .0041883C
00418839 83C4 04 ADD ESP, 4
0041883C - FF25 C9814100 JMP DWORD PTR DS:[4181C9] ; krnln.100296A2
00418842 - FF25 CD814100 JMP DWORD PTR DS:[4181CD] ; krnln.1002960D
00418848 - FF25 D1814100 JMP DWORD PTR DS:[4181D1] ; krnln.10029637
0041884E - FF25 D5814100 JMP DWORD PTR DS:[4181D5] ; krnln.10028DA5
00418854 - FF25 B1814100 JMP DWORD PTR DS:[4181B1] ; krnln.10028E21
0041885A - FF25 C5814100 JMP DWORD PTR DS:[4181C5] ; krnln.1002976A
00418860 - FF25 AD814100 JMP DWORD PTR DS:[4181AD] ; krnln.10028DCA
00418866 - FF25 B5814100 JMP DWORD PTR DS:[4181B5] ; krnln.100295C7
0041886C - FF25 BD814100 JMP DWORD PTR DS:[4181BD] ; krnln.10029662
00418872 3800 CMP BYTE PTR DS:[EAX], AL
00418874 0000 ADD BYTE PTR DS:[EAX], AL
00418876 AA STOS BYTE PTR ES:[EDI]
00418877 C8 000013 ENTER 0, 13
0041887B 0000 ADD BYTE PTR DS:[EAX], AL
0041887D 0076 61 ADD BYTE PTR DS:[ESI+61], DH
00418880 72 00 JB SHORT .00418882
00418882 0000 ADD BYTE PTR DS:[EAX], AL
00418884 0000 ADD BYTE PTR DS:[EAX], AL
00418886 0000 ADD BYTE PTR DS:[EAX], AL
00418888 0000 ADD BYTE PTR DS:[EAX], AL
0041888A 0000 ADD BYTE PTR DS:[EAX], AL
0041888C 0000 ADD BYTE PTR DS:[EAX], AL
0041888E 0000 ADD BYTE PTR DS:[EAX], AL
00418890 0000 ADD BYTE PTR DS:[EAX], AL
哪位老兄再帮我看看？不知道再往下该怎么做，也不知道前面这些步骤做得对不对。