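Why doesn't unpacking at the OEP work? Only 5 APIs were found, and they are invalid.
Since 00601000 is the code section, why are there still statements such as CALL QHGXS.00405548?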
00400000 00001000 QHGXS PE 文件头 Imag R
00401000 00200000 QHGXS Imag R
00601000 00106000 QHGXS 代码 Imag R
00707000 00004000 QHGXS .rsrc 数据,输入表, Imag R
// The OEP follows
00670200 55 PUSH EBP
00670201 8BEC MOV EBP,ESP
00670203 B9 07000000 MOV ECX,7
00670208 6A 00 PUSH 0
0067020A 6A 00 PUSH 0
0067020C 49 DEC ECX
0067020D ^ 75 F9 JNZ SHORT QHGXS.00670208
0067020F B8 80BE6600 MOV EAX,QHGXS.0066BE80
00670214 E8 9B7CD9FF CALL QHGXS.00407EB4
00670219 33C0 XOR EAX,EAX
0067021B 55 PUSH EBP
0067021C 68 62046700 PUSH QHGXS.00670462
00670221 64:FF30 PUSH DWORD PTR FS:[EAX]
00670224 64:8920 MOV DWORD PTR FS:[EAX],ESP
00670227 A1 782C6800 MOV EAX,DWORD PTR DS:[682C78]
0067022C C600 00 MOV BYTE PTR DS:[EAX],0
0067022F A1 E02B6800 MOV EAX,DWORD PTR DS:[682BE0]
00670234 C600 00 MOV BYTE PTR DS:[EAX],0
00670237 A1 88266800 MOV EAX,DWORD PTR DS:[682688]
0067023C BA 78046700 MOV EDX,QHGXS.00670478
00670241 E8 0253D9FF CALL QHGXS.00405548
00670246 A1 5C286800 MOV EAX,DWORD PTR DS:[68285C]
0067024B C700 64000000 MOV DWORD PTR DS:[EAX],64
00670251 C740 04 0000000>MOV DWORD PTR DS:[EAX+4],0
00670258 A1 002D6800 MOV EAX,DWORD PTR DS:[682D00]
0067025D 8B00 MOV EAX,DWORD PTR DS:[EAX]
0067025F E8 A8D1E0FF CALL QHGXS.0047D40C
00670264 A1 88266800 MOV EAX,DWORD PTR DS:[682688]
00670269 BA 78046700 MOV EDX,QHGXS.00670478
0067026E E8 D552D9FF CALL QHGXS.00405548
00670273 A1 5C286800 MOV EAX,DWORD PTR DS:[68285C]
00670278 C700 64000000 MOV DWORD PTR DS:[EAX],64
0067027E C740 04 0000000>MOV DWORD PTR DS:[EAX+4],0
00670285 A1 D8266800 MOV EAX,DWORD PTR DS:[6826D8]
0067028A C600 2D MOV BYTE PTR DS:[EAX],2D