用内存镜像设置内存访问断点，运行后来到这里
003CAA77 8B68 1C mov ebp,dword ptr ds:[eax+1C]
003CAA7A A1 04983D00 mov eax,dword ptr ds:[3D9804]
003CAA7F 8B00 mov eax,dword ptr ds:[eax]
003CAA81 8B00 mov eax,dword ptr ds:[eax]
003CAA83 894424 04 mov dword ptr ss:[esp+4],eax
003CAA87 A1 04983D00 mov eax,dword ptr ds:[3D9804]
003CAA8C 8B00 mov eax,dword ptr ds:[eax]
003CAA8E 8D78 18 lea edi,dword ptr ds:[eax+18]
003CAA91 A1 84973D00 mov eax,dword ptr ds:[3D9784]
003CAA96 8858 08 mov byte ptr ds:[eax+8],bl
003CAA99 833F 00 cmp dword ptr ds:[edi],0
003CAA9C 75 1D jnz short 003CAABB
003CAA9E 83C5 20 add ebp,20
003CAAA1 A1 70963D00 mov eax,dword ptr ds:[3D9670]
003CAAA6 8078 09 00 cmp byte ptr ds:[eax+9],0
003CAAAA 75 0F jnz short 003CAABB
003CAAAC B8 1F000000 mov eax,1F
003CAAB1 E8 1A7DFEFF call 003B27D0
003CAAB6 C1E0 02 shl eax,2
003CAAB9 2BE8 sub ebp,eax
003CAABB E8 B4CFFFFF call 003C7A74
003CAAC0 8BD8 mov ebx,eax
003CAAC2 833D F8B33D00 0>cmp dword ptr ds:[3DB3F8],0
003CAAC9 74 15 je short 003CAAE0
003CAACB 6A 04 push 4
003CAACD B9 F8B33D00 mov ecx,3DB3F8
003CAAD2 8D4424 04 lea eax,dword ptr ss:[esp+4]
003CAAD6 BA 04000000 mov edx,4
003CAADB E8 6C64FFFF call 003C0F4C
003CAAE0 833D 28B43D00 0>cmp dword ptr ds:[3DB428],0
003CAAE7 74 15 je short 003CAAFE
003CAAE9 6A 0C push 0C
003CAAEB B9 28B43D00 mov ecx,3DB428
003CAAF0 8D4424 04 lea eax,dword ptr ss:[esp+4]
003CAAF4 BA 04000000 mov edx,4
003CAAF9 E8 4E64FFFF call 003C0F4C
003CAAFE 833F 00 cmp dword ptr ds:[edi],0
003CAB01 74 08 je short 003CAB0B
003CAB03 8B0424 mov eax,dword ptr ss:[esp]
003CAB06 A3 38B43D00 mov dword ptr ds:[3DB438],eax
003CAB0B 8B07 mov eax,dword ptr ds:[edi]
003CAB0D 894424 08 mov dword ptr ss:[esp+8],eax
003CAB11 896C24 10 mov dword ptr ss:[esp+10],ebp
003CAB15 8B0424 mov eax,dword ptr ss:[esp]
003CAB18 894424 14 mov dword ptr ss:[esp+14],eax
003CAB1C A1 84973D00 mov eax,dword ptr ds:[3D9784]
003CAB21 8818 mov byte ptr ds:[eax],bl
003CAB23 A1 B0973D00 mov eax,dword ptr ds:[3D97B0]
003CAB28 C600 E1 mov byte ptr ds:[eax],0E1
003CAB2B E8 242E0000 call 003CD954
003CAB30 8B15 74973D00 mov edx,dword ptr ds:[3D9774]
003CAB36 8802 mov byte ptr ds:[edx],al
003CAB38 A1 20B43D00 mov eax,dword ptr ds:[3DB420]
003CAB3D E8 3AB0FFFF call 003C5B7C
003CAB42 A1 74973D00 mov eax,dword ptr ds:[3D9774]
003CAB47 8038 00 cmp byte ptr ds:[eax],0
003CAB4A 74 26 je short 003CAB72
003CAB4C A1 54973D00 mov eax,dword ptr ds:[3D9754]
003CAB51 C600 EA mov byte ptr ds:[eax],0EA
003CAB54 B8 32000000 mov eax,32
003CAB59 E8 727CFEFF call 003B27D0
003CAB5E 2905 34B43D00 sub dword ptr ds:[3DB434],eax
003CAB64 B8 64000000 mov eax,64
003CAB69 E8 627CFEFF call 003B27D0
003CAB6E 014424 04 add dword ptr ss:[esp+4],eax
003CAB72 A1 34B43D00 mov eax,dword ptr ds:[3DB434]
003CAB77 894424 0C mov dword ptr ss:[esp+C],eax
003CAB7B 8B4424 04 mov eax,dword ptr ss:[esp+4]
003CAB7F 894424 18 mov dword ptr ss:[esp+18],eax
003CAB83 A1 20B43D00 mov eax,dword ptr ds:[3DB420]
003CAB88 E8 937FFEFF call 003B2B20
003CAB8D A1 B0973D00 mov eax,dword ptr ds:[3D97B0]
003CAB92 C600 E3 mov byte ptr ds:[eax],0E3
003CAB95 A1 74963D00 mov eax,dword ptr ds:[3D9674]
003CAB9A 8B00 mov eax,dword ptr ds:[eax]
003CAB9C 8D5424 08 lea edx,dword ptr ss:[esp+8]
003CABA0 E8 3B880000 call 003D33E0
003CABA5 E8 E6820000 call 003D2E90
003CABAA 8BC6 mov eax,esi
003CABAC E8 6F7FFEFF call 003B2B20
003CABB1 E8 92D0FFFF call 003C7C48
003CABB6 83C4 2C add esp,2C
003CABB9 5D pop ebp
003CABBA 5F pop edi
003CABBB 5E pop esi
003CABBC 5B pop ebx
003CABBD C3 retn
003CABBE 8BC0 mov eax,eax                ; 2-byte no-op; sits between the retn above and the 16-byte-aligned address 003CABC0, so it looks like alignment padding, not reachable code
003CABC0 E8 13FDFFFF call 003CA8D8       ; small stub: call 003CA8D8 and return straight away; eax on return is whatever 003CA8D8 leaves in it (target is not in this listing)
003CABC5 C3 retn
这里不知道如何找到正确的 OEP
好像是 ASProtect 2.X
ASProtect 2.X 的文章也比较少，看了一些，不太明白