能力值:
( LV4,RANK:50 )
|
-
-
2 楼
BOOL __stdcall DllEntryPoint(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
{
DWORD v3; // esi@1
bool v4; // zf@2
BOOL v6; // eax@10
BOOL fdwReasona; // [sp+18h] [bp+Ch]@10
v3 = fdwReason;
if ( fdwReason )
{
if ( fdwReason != 1 && fdwReason != 2 )
goto LABEL_10;
if ( dword_10006D4C && !dword_10006D4C(hinstDLL, fdwReason, lpReserved) )
return 0;
v4 = _CRT_INIT(hinstDLL, fdwReason, lpReserved) == 0;
}
else
{
v4 = dword_100067C0 == 0;
}
if ( v4 )
return 0;
LABEL_10:
v6 = DllMain(hinstDLL, fdwReason, lpReserved);
fdwReasona = v6;
if ( v3 != 1 )
{
LABEL_13:
if ( !v3 || v3 == 3 )
{
if ( !_CRT_INIT(hinstDLL, v3, lpReserved) )
fdwReasona = 0;
if ( fdwReasona )
{
if ( dword_10006D4C )
fdwReasona = dword_10006D4C(hinstDLL, v3, lpReserved);
}
}
return fdwReasona;
}
if ( !v6 )
{
_CRT_INIT(hinstDLL, 0, lpReserved);
goto LABEL_13;
}
return fdwReasona;
}
|
能力值:
( LV2,RANK:10 )
|
-
-
3 楼
谢谢朋友,里面有很多函数,不仅是这一个。
后面的函数,都出现了错误了。就是什么sp 分析错误。
|
能力值:
( LV7,RANK:100 )
|
-
-
4 楼
IDA官方给了方法解决
b1aK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6%4N6%4N6Q4x3X3g2Z5k6i4S2Q4x3X3c8J5j5i4W2K6i4K6u0W2j5$3!0E0i4K6u0r3M7s2u0G2k6s2g2U0N6s2y4Q4x3V1k6V1k6h3y4G2L8i4m8A6L8r3g2J5i4K6u0r3L8h3q4F1N6h3q4D9i4K6u0r3k6X3q4A6L8s2g2J5k6i4y4Q4x3X3g2K6K9s2c8E0L8l9`.`.
ALT+K调整吧.
|
能力值:
( LV2,RANK:10 )
|
-
-
5 楼
谢谢,我看看啊
|
能力值:
( LV2,RANK:10 )
|
-
-
6 楼
不会,哎。可否高手帮我贴出来?
|
能力值:
( LV5,RANK:70 )
|
-
-
7 楼
BOOL __stdcall DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
signed int v3; // esi@2
HMODULE v4; // eax@4
int v5; // eax@4
BOOL result; // eax@8
DWORD *v7; // esi@10
CHAR LibFileName; // [sp+8h] [bp-30Ch]@4
CHAR Text; // [sp+10Ch] [bp-208h]@7
if ( fdwReason == 1 )
{
DisableThreadLibraryCalls(hinstDLL);
v3 = (signed int)&dwTlsIndex;
do
{
*(_DWORD *)v3 = TlsAlloc();
v3 += 4;
}
while ( v3 < (signed int)&dword_100067C0 );
v4 = GetModuleHandleA("PipJet.dll");
GetModuleFileNameA(v4, &LibFileName, 0x104u);
v5 = _mbsrchr(&LibFileName, 92);
if ( v5 )
*(_BYTE *)(v5 + 1) = 0;
lstrcatA(&LibFileName, "PipJet.dat");
hModule = LoadLibraryA(&LibFileName);
dword_100065B0 = (int)hModule;
if ( !hModule )
{
wsprintfA(&Text, "无法加载 %s,程?, &LibFileName);
MessageBoxA(0, &Text, "AheadLib", 0x10u);
}
sub_10001140();
result = hModule != 0;
}
else
{
if ( !fdwReason )
{
v7 = &dwTlsIndex;
do
{
TlsFree(*v7);
++v7;
}
while ( (signed int)v7 < (signed int)&dword_100067C0 );
if ( hModule )
FreeLibrary(hModule);
}
result = 1;
}
return result;
}
/////////////////////////////////////////////////
BOOL WINAPI TlsSetValue(
_In_ DWORD dwTlsIndex,
_In_opt_ LPVOID lpTlsValue
);
/////////////////////////////////////////////////
LPVOID WINAPI TlsGetValue(
_In_ DWORD dwTlsIndex
);
/////////////////////////////////////////////////
我一下子就看出堆栈不平衡的问题了。
public Activate
.text:100014A0 Activate proc near ; DATA XREF: .rdata:off_10005908o
.text:100014A0 push dwTlsIndex ; dwTlsIndex {esp+4}
.text:100014A6 call ds:TlsSetValue ; this function only has one parameter? NO
.text:100014AC push offset aActivate_0 ; {esp+4}
.text:100014B1 call sub_100012E0
.text:100014B6 call eax
.text:100014B8 push eax ; {esp+4}
.text:100014B9 push dwTlsIndex ; dwTlsIndex {esp+4}
.text:100014BF call ds:TlsGetValue ; only one parameter!
.text:100014C5 xchg eax, [esp+0]
.text:100014C8 retn
.text:100014C8 Activate endp ; sp-analysis failed
.text:100014C8
.text:100014C8 ; ---------------------------------------------------------------------------
.text:100014C9 align 10h
应该是TlsGetValue与TlsSetValue函数用反了,造成栈无法平衡。
这个跟你的相似: 533K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4y4@1j5h3y4C8L8%4k6W2M7X3k6D9L8%4N6Q4x3X3g2U0L8$3#2Q4x3V1k6I4N6h3g2K6N6r3W2G2L8Y4y4Q4x3V1j5I4x3o6p5$3y4e0f1I4x3g2)9J5c8X3W2V1j5g2)9J5k6s2m8G2M7$3W2@1K9i4k6W2i4K6u0V1M7%4m8Q4x3X3c8$3j5h3I4#2k6g2)9J5k6r3S2S2M7#2)9J5k6r3u0W2k6h3&6Q4x3X3c8X3L8%4g2F1k6q4)9J5k6r3g2J5M7X3!0J5
|
|
|
|
