我已经直接用OD载入了exe安装时释放出来的dll,经查询,该dll是VB编写的。Excel打开时就会调用释放出来的dll,无法通过调试安装文件exe进行跟踪。
此dll的注册应该是通过注册表进行的,所以我虽然找到了程序的关键位置,但无从跟进下手,求指点。
1107955C . C785 D4FEFFFF>mov dword ptr ss:[ebp-0x12C],1.110061CC ; 机器码:
11079566 . C785 CCFEFFFF>mov dword ptr ss:[ebp-0x134],0x8
11079570 . C785 B4FEFFFF>mov dword ptr ss:[ebp-0x14C],1.110061B8 ; 待破程序
1107957A . C785 ACFEFFFF>mov dword ptr ss:[ebp-0x154],0x8
11079584 . 8D95 ACFEFFFF lea edx,dword ptr ss:[ebp-0x154]
1107958A . 8D8D 3CFFFFFF lea ecx,dword ptr ss:[ebp-0xC4]
11079590 . FF15 94110011 call dword ptr ds:[<&MSVBVM60.__vbaVarDu>; msvbvm60.__vbaVarDup
11079596 . C785 C4FEFFFF>mov dword ptr ss:[ebp-0x13C],1.110061A4 ; 请输入注册码
110795A0 . C785 BCFEFFFF>mov dword ptr ss:[ebp-0x144],0x8
110795AA . 8D95 BCFEFFFF lea edx,dword ptr ss:[ebp-0x144]
110795B0 . 8D8D 4CFFFFFF lea ecx,dword ptr ss:[ebp-0xB4]
110795B6 . FF15 94110011 call dword ptr ds:[<&MSVBVM60.__vbaVarDu>; msvbvm60.__vbaVarDup
110795BC . 8D8D FCFEFFFF lea ecx,dword ptr ss:[ebp-0x104]
110795C2 . 51 push ecx
110795C3 . 8D95 0CFFFFFF lea edx,dword ptr ss:[ebp-0xF4]
110795C9 . 52 push edx
110795CA . 8D85 1CFFFFFF lea eax,dword ptr ss:[ebp-0xE4]
110795D0 . 50 push eax ; 1.11000000
110795D1 . 8D8D 2CFFFFFF lea ecx,dword ptr ss:[ebp-0xD4]
110795D7 . 51 push ecx
110795D8 . 8D95 CCFEFFFF lea edx,dword ptr ss:[ebp-0x134]
110795DE . 52 push edx
110795DF . 8D85 6CFFFFFF lea eax,dword ptr ss:[ebp-0x94]
110795E5 . 50 push eax ; 1.11000000
110795E6 . 8D8D 5CFFFFFF lea ecx,dword ptr ss:[ebp-0xA4]
110795EC . 51 push ecx
110795ED . FF15 24110011 call dword ptr ds:[<&MSVBVM60.__vbaVarCa>; msvbvm60.__vbaVarCat
110795F3 . 50 push eax ; 1.11000000
110795F4 . 8D95 3CFFFFFF lea edx,dword ptr ss:[ebp-0xC4]
110795FA . 52 push edx
110795FB . 8D85 4CFFFFFF lea eax,dword ptr ss:[ebp-0xB4]
11079601 . 50 push eax ; 1.11000000
11079602 . FF15 8C100011 call dword ptr ds:[<&MSVBVM60.#596>] ; msvbvm60.rtcInputBox
11079608 . 8985 F4FEFFFF mov dword ptr ss:[ebp-0x10C],eax ; 1.11000000
1107960E . C785 ECFEFFFF>mov dword ptr ss:[ebp-0x114],0x8
11079618 . 8D95 ECFEFFFF lea edx,dword ptr ss:[ebp-0x114]
1107961E . 8D4D 88 lea ecx,dword ptr ss:[ebp-0x78]
11079621 . FF15 18100011 call dword ptr ds:[<&MSVBVM60.__vbaVarMo>; msvbvm60.__vbaVarMove
11079627 . 8D8D FCFEFFFF lea ecx,dword ptr ss:[ebp-0x104]
1107962D . 51 push ecx
1107962E . 8D95 0CFFFFFF lea edx,dword ptr ss:[ebp-0xF4]
11079634 . 52 push edx
11079635 . 8D85 1CFFFFFF lea eax,dword ptr ss:[ebp-0xE4]
1107963B . 50 push eax ; 1.11000000
1107963C . 8D8D 2CFFFFFF lea ecx,dword ptr ss:[ebp-0xD4]
11079642 . 51 push ecx
11079643 . 8D95 5CFFFFFF lea edx,dword ptr ss:[ebp-0xA4]
11079649 . 52 push edx
1107964A . 8D85 3CFFFFFF lea eax,dword ptr ss:[ebp-0xC4]
11079650 . 50 push eax ; 1.11000000
11079651 . 8D8D 4CFFFFFF lea ecx,dword ptr ss:[ebp-0xB4]
11079657 . 51 push ecx
11079658 . 8D95 6CFFFFFF lea edx,dword ptr ss:[ebp-0x94]
1107965E . 52 push edx
1107965F . 6A 08 push 0x8
11079661 . FF15 30100011 call dword ptr ds:[<&MSVBVM60.__vbaFreeV>; msvbvm60.__vbaFreeVarList
11079667 . 83C4 24 add esp,0x24
1107966A . C745 FC 18000>mov dword ptr ss:[ebp-0x4],0x18
11079671 . 8D45 88 lea eax,dword ptr ss:[ebp-0x78]
11079674 . 50 push eax ; /var18 = 1.11000000
11079675 . 8B4D 08 mov ecx,dword ptr ss:[ebp+0x8] ; |LoadDl_1.60000000
11079678 . 8B91 98000000 mov edx,dword ptr ds:[ecx+0x98] ; |
1107967E . 52 push edx ; |var28 = NULL
1107967F . FF15 C8100011 call dword ptr ds:[<&MSVBVM60.__vbaVarTs>; \__vbaVarTstEq
11079685 . 0FBFC0 movsx eax,ax
11079688 . 85C0 test eax,eax ; 1.11000000
1107968A . 0F84 9C010000 je 1.1107982C
11079690 . C745 FC 19000>mov dword ptr ss:[ebp-0x4],0x19
11079697 . C785 E4FEFFFF>mov dword ptr ss:[ebp-0x11C],1.11006158 ; HKCU\Software\oldghost\test
110796A1 . C785 DCFEFFFF>mov dword ptr ss:[ebp-0x124],0x8
110796AB . 8D4D 88 lea ecx,dword ptr ss:[ebp-0x78]
110796AE . 898D C4FEFFFF mov dword ptr ss:[ebp-0x13C],ecx
110796B4 . C785 BCFEFFFF>mov dword ptr ss:[ebp-0x144],0x400C
110796BE . C785 B4FEFFFF>mov dword ptr ss:[ebp-0x14C],1.110061DC ; REG_SZ
110796C8 . C785 ACFEFFFF>mov dword ptr ss:[ebp-0x154],0x8
110796D2 . B8 10000000 mov eax,0x10
110796D7 . E8 E47EF8FF call <jmp.&MSVBVM60.__vbaChkstk>
110796DC . 8BD4 mov edx,esp
110796DE . 8B85 DCFEFFFF mov eax,dword ptr ss:[ebp-0x124]
110796E4 . 8902 mov dword ptr ds:[edx],eax ; 1.11000000
110796E6 . 8B8D E0FEFFFF mov ecx,dword ptr ss:[ebp-0x120] ; ntdll.7C937DBA
110796EC . 894A 04 mov dword ptr ds:[edx+0x4],ecx
110796EF . 8B85 E4FEFFFF mov eax,dword ptr ss:[ebp-0x11C] ; Loaddll.00400000
110796F5 . 8942 08 mov dword ptr ds:[edx+0x8],eax ; 1.11000000
110796F8 . 8B8D E8FEFFFF mov ecx,dword ptr ss:[ebp-0x118]
110796FE . 894A 0C mov dword ptr ds:[edx+0xC],ecx
11079701 . B8 10000000 mov eax,0x10
11079706 . E8 B57EF8FF call <jmp.&MSVBVM60.__vbaChkstk>
1107970B . 8BD4 mov edx,esp
1107970D . 8B85 BCFEFFFF mov eax,dword ptr ss:[ebp-0x144] ; Loaddll.00400000
11079713 . 8902 mov dword ptr ds:[edx],eax ; 1.11000000
11079715 . 8B8D C0FEFFFF mov ecx,dword ptr ss:[ebp-0x140] ; Loaddll.004000D0
1107971B . 894A 04 mov dword ptr ds:[edx+0x4],ecx
1107971E . 8B85 C4FEFFFF mov eax,dword ptr ss:[ebp-0x13C]
11079724 . 8942 08 mov dword ptr ds:[edx+0x8],eax ; 1.11000000
11079727 . 8B8D C8FEFFFF mov ecx,dword ptr ss:[ebp-0x138]
1107972D . 894A 0C mov dword ptr ds:[edx+0xC],ecx
11079730 . B8 10000000 mov eax,0x10
11079735 . E8 867EF8FF call <jmp.&MSVBVM60.__vbaChkstk>
1107973A . 8BD4 mov edx,esp
1107973C . 8B85 ACFEFFFF mov eax,dword ptr ss:[ebp-0x154]
11079742 . 8902 mov dword ptr ds:[edx],eax ; 1.11000000
11079744 . 8B8D B0FEFFFF mov ecx,dword ptr ss:[ebp-0x150]
1107974A . 894A 04 mov dword ptr ds:[edx+0x4],ecx
1107974D . 8B85 B4FEFFFF mov eax,dword ptr ss:[ebp-0x14C]
11079753 . 8942 08 mov dword ptr ds:[edx+0x8],eax ; 1.11000000
11079756 . 8B8D B8FEFFFF mov ecx,dword ptr ss:[ebp-0x148]
1107975C . 894A 0C mov dword ptr ds:[edx+0xC],ecx
1107975F . 6A 03 push 0x3
11079761 . 68 EC610011 push 1.110061EC ; RegWrite
11079766 . 8B55 84 mov edx,dword ptr ss:[ebp-0x7C] ; LoadDl_1.60002042
11079769 . 52 push edx
1107976A . FF15 88110011 call dword ptr ds:[<&MSVBVM60.__vbaLateM>; msvbvm60.__vbaLateMemCall
11079770 . 83C4 3C add esp,0x3C
11079773 . C745 FC 1A000>mov dword ptr ss:[ebp-0x4],0x1A
1107977A . C785 44FFFFFF>mov dword ptr ss:[ebp-0xBC],0x80020004
11079784 . C785 3CFFFFFF>mov dword ptr ss:[ebp-0xC4],0xA
1107978E . C785 54FFFFFF>mov dword ptr ss:[ebp-0xAC],0x80020004
11079798 . C785 4CFFFFFF>mov dword ptr ss:[ebp-0xB4],0xA
110797A2 . C785 64FFFFFF>mov dword ptr ss:[ebp-0x9C],0x80020004
110797AC . C785 5CFFFFFF>mov dword ptr ss:[ebp-0xA4],0xA
110797B6 . C785 E4FEFFFF>mov dword ptr ss:[ebp-0x11C],1.11006204 ; OK
110797C0 . C785 DCFEFFFF>mov dword ptr ss:[ebp-0x124],0x8
110797CA . 8D95 DCFEFFFF lea edx,dword ptr ss:[ebp-0x124]
110797D0 . 8D8D 6CFFFFFF lea ecx,dword ptr ss:[ebp-0x94]
110797D6 . FF15 94110011 call dword ptr ds:[<&MSVBVM60.__vbaVarDu>; msvbvm60.__vbaVarDup
110797DC . 8D85 3CFFFFFF lea eax,dword ptr ss:[ebp-0xC4]
110797E2 . 50 push eax ; 1.11000000
110797E3 . 8D8D 4CFFFFFF lea ecx,dword ptr ss:[ebp-0xB4]
110797E9 . 51 push ecx
110797EA . 8D95 5CFFFFFF lea edx,dword ptr ss:[ebp-0xA4]
110797F0 . 52 push edx
110797F1 . 6A 00 push 0x0
110797F3 . 8D85 6CFFFFFF lea eax,dword ptr ss:[ebp-0x94]
110797F9 . 50 push eax ; 1.11000000
110797FA . FF15 88100011 call dword ptr ds:[<&MSVBVM60.#595>] ; msvbvm60.rtcMsgBox
11079800 . 8D8D 3CFFFFFF lea ecx,dword ptr ss:[ebp-0xC4]
11079806 . 51 push ecx
11079807 . 8D95 4CFFFFFF lea edx,dword ptr ss:[ebp-0xB4]
1107980D . 52 push edx
1107980E . 8D85 5CFFFFFF lea eax,dword ptr ss:[ebp-0xA4]
11079814 . 50 push eax ; 1.11000000
11079815 . 8D8D 6CFFFFFF lea ecx,dword ptr ss:[ebp-0x94]
1107981B . 51 push ecx
1107981C . 6A 04 push 0x4
1107981E . FF15 30100011 call dword ptr ds:[<&MSVBVM60.__vbaFreeV>; msvbvm60.__vbaFreeVarList
11079824 . 83C4 14 add esp,0x14
11079827 . E9 09010000 jmp 1.11079935
1107982C > C745 FC 1C000>mov dword ptr ss:[ebp-0x4],0x1C
11079833 . 833D 00F50711>cmp dword ptr ds:[0x1107F500],0x0
1107983A . 75 1C jnz short 1.11079858
1107983C . 68 00F50711 push 1.1107F500
11079841 . 68 2C620011 push 1.1100622C
11079846 . FF15 40110011 call dword ptr ds:[<&MSVBVM60.__vbaNew2>>; msvbvm60.__vbaNew2
1107984C . C785 38FEFFFF>mov dword ptr ss:[ebp-0x1C8],1.1107F500
11079856 . EB 0A jmp short 1.11079862
11079858 > C785 38FEFFFF>mov dword ptr ss:[ebp-0x1C8],1.1107F500
11079862 > 8B95 38FEFFFF mov edx,dword ptr ss:[ebp-0x1C8] ; ntdll.7C92E920
11079868 . 8B02 mov eax,dword ptr ds:[edx]
1107986A . 8985 68FEFFFF mov dword ptr ss:[ebp-0x198],eax ; 1.11000000
11079870 . 8D8D 7CFFFFFF lea ecx,dword ptr ss:[ebp-0x84]
11079876 . 51 push ecx
11079877 . 8B95 68FEFFFF mov edx,dword ptr ss:[ebp-0x198]
1107987D . 8B02 mov eax,dword ptr ds:[edx]
1107987F . 8B8D 68FEFFFF mov ecx,dword ptr ss:[ebp-0x198]
11079885 . 51 push ecx
11079886 . FF50 1C call dword ptr ds:[eax+0x1C]
11079889 . DBE2 fclex
1107988B . 8985 64FEFFFF mov dword ptr ss:[ebp-0x19C],eax ; 1.11000000
11079891 . 83BD 64FEFFFF>cmp dword ptr ss:[ebp-0x19C],0x0
11079898 . 7D 23 jge short 1.110798BD
1107989A . 6A 1C push 0x1C
1107989C . 68 1C620011 push 1.1100621C
110798A1 . 8B95 68FEFFFF mov edx,dword ptr ss:[ebp-0x198]
110798A7 . 52 push edx
110798A8 . 8B85 64FEFFFF mov eax,dword ptr ss:[ebp-0x19C]
110798AE . 50 push eax ; 1.11000000
110798AF . FF15 60100011 call dword ptr ds:[<&MSVBVM60.__vbaHresu>; msvbvm60.__vbaHresultCheckObj
110798B5 . 8985 34FEFFFF mov dword ptr ss:[ebp-0x1CC],eax ; 1.11000000
110798BB . EB 0A jmp short 1.110798C7
110798BD > C785 34FEFFFF>mov dword ptr ss:[ebp-0x1CC],0x0
110798C7 > 8B8D 7CFFFFFF mov ecx,dword ptr ss:[ebp-0x84]
110798CD . 898D 60FEFFFF mov dword ptr ss:[ebp-0x1A0],ecx
110798D3 . 8B95 60FEFFFF mov edx,dword ptr ss:[ebp-0x1A0]
110798D9 . 8B02 mov eax,dword ptr ds:[edx]
110798DB . 8B8D 60FEFFFF mov ecx,dword ptr ss:[ebp-0x1A0]
110798E1 . 51 push ecx
110798E2 . FF90 98030000 call dword ptr ds:[eax+0x398]
110798E8 . DBE2 fclex
110798EA . 8985 5CFEFFFF mov dword ptr ss:[ebp-0x1A4],eax ; 1.11000000
110798F0 . 83BD 5CFEFFFF>cmp dword ptr ss:[ebp-0x1A4],0x0
110798F7 . 7D 26 jge short 1.1107991F
110798F9 . 68 98030000 push 0x398
110798FE . 68 A8520011 push 1.110052A8
11079903 . 8B95 60FEFFFF mov edx,dword ptr ss:[ebp-0x1A0]
11079909 . 52 push edx
1107990A . 8B85 5CFEFFFF mov eax,dword ptr ss:[ebp-0x1A4]
11079910 . 50 push eax ; 1.11000000
11079911 . FF15 60100011 call dword ptr ds:[<&MSVBVM60.__vbaHresu>; msvbvm60.__vbaHresultCheckObj
11079917 . 8985 30FEFFFF mov dword ptr ss:[ebp-0x1D0],eax ; 1.11000000
1107991D . EB 0A jmp short 1.11079929
1107991F > C785 30FEFFFF>mov dword ptr ss:[ebp-0x1D0],0x0
11079929 > 8D8D 7CFFFFFF lea ecx,dword ptr ss:[ebp-0x84]
1107992F . FF15 E0110011 call dword ptr ds:[<&MSVBVM60.__vbaFreeO>; msvbvm60.__vbaFreeObj
11079935 > 68 199A0711 push 1.11079A19
1107993A . EB 57 jmp short 1.11079993
1107993C . 8D8D 7CFFFFFF lea ecx,dword ptr ss:[ebp-0x84]
11079942 . FF15 E0110011 call dword ptr ds:[<&MSVBVM60.__vbaFreeO>; msvbvm60.__vbaFreeObj
11079948 . 8D8D ECFEFFFF lea ecx,dword ptr ss:[ebp-0x114]
1107994E . 51 push ecx
1107994F . 8D95 FCFEFFFF lea edx,dword ptr ss:[ebp-0x104]
11079955 . 52 push edx
11079956 . 8D85 0CFFFFFF lea eax,dword ptr ss:[ebp-0xF4]
1107995C . 50 push eax ; 1.11000000
1107995D . 8D8D 1CFFFFFF lea ecx,dword ptr ss:[ebp-0xE4]
11079963 . 51 push ecx
11079964 . 8D95 2CFFFFFF lea edx,dword ptr ss:[ebp-0xD4]
1107996A . 52 push edx
1107996B . 8D85 3CFFFFFF lea eax,dword ptr ss:[ebp-0xC4]
11079971 . 50 push eax ; 1.11000000
11079972 . 8D8D 4CFFFFFF lea ecx,dword ptr ss:[ebp-0xB4]
11079978 . 51 push ecx
11079979 . 8D95 5CFFFFFF lea edx,dword ptr ss:[ebp-0xA4]
1107997F . 52 push edx
11079980 . 8D85 6CFFFFFF lea eax,dword ptr ss:[ebp-0x94]
11079986 . 50 push eax ; 1.11000000
11079987 . 6A 09 push 0x9
11079989 . FF15 30100011 call dword ptr ds:[<&MSVBVM60.__vbaFreeV>; msvbvm60.__vbaFreeVarList
1107998F . 83C4 28 add esp,0x28
11079992 . C3 retn
11079993 > 8D8D 54FEFFFF lea ecx,dword ptr ss:[ebp-0x1AC]
11079999 . 51 push ecx
1107999A . 8D95 58FEFFFF lea edx,dword ptr ss:[ebp-0x1A8]
110799A0 . 52 push edx
110799A1 . 6A 02 push 0x2
110799A3 . FF15 40100011 call dword ptr ds:[<&MSVBVM60.__vbaFreeO>; msvbvm60.__vbaFreeObjList
110799A9 . 83C4 0C add esp,0xC
110799AC . 8D4D DC lea ecx,dword ptr ss:[ebp-0x24]
110799AF . FF15 E0110011 call dword ptr ds:[<&MSVBVM60.__vbaFreeO>; msvbvm60.__vbaFreeObj
110799B5 . 8D4D CC lea ecx,dword ptr ss:[ebp-0x34]
110799B8 . FF15 1C100011 call dword ptr ds:[<&MSVBVM60.__vbaFreeV>; msvbvm60.__vbaFreeVar
110799BE . 8D4D C8 lea ecx,dword ptr ss:[ebp-0x38]
110799C1 . FF15 E0110011 call dword ptr ds:[<&MSVBVM60.__vbaFreeO>; msvbvm60.__vbaFreeObj
110799C7 . 8D4D C4 lea ecx,dword ptr ss:[ebp-0x3C]
110799CA . FF15 DC110011 call dword ptr ds:[<&MSVBVM60.__vbaFreeS>; msvbvm60.__vbaFreeStr
110799D0 . 8D4D C0 lea ecx,dword ptr ss:[ebp-0x40]
110799D3 . FF15 DC110011 call dword ptr ds:[<&MSVBVM60.__vbaFreeS>; msvbvm60.__vbaFreeStr
110799D9 . 8D4D BC lea ecx,dword ptr ss:[ebp-0x44]
110799DC . FF15 DC110011 call dword ptr ds:[<&MSVBVM60.__vbaFreeS>; msvbvm60.__vbaFreeStr
110799E2 . 8D4D B8 lea ecx,dword ptr ss:[ebp-0x48]
110799E5 . FF15 DC110011 call dword ptr ds:[<&MSVBVM60.__vbaFreeS>; msvbvm60.__vbaFreeStr
110799EB . 8D4D A8 lea ecx,dword ptr ss:[ebp-0x58]
110799EE . FF15 1C100011 call dword ptr ds:[<&MSVBVM60.__vbaFreeV>; msvbvm60.__vbaFreeVar
110799F4 . 8D4D 9C lea ecx,dword ptr ss:[ebp-0x64]
110799F7 . FF15 DC110011 call dword ptr ds:[<&MSVBVM60.__vbaFreeS>; msvbvm60.__vbaFreeStr
110799FD . 8D4D 88 lea ecx,dword ptr ss:[ebp-0x78]
11079A00 . FF15 1C100011 call dword ptr ds:[<&MSVBVM60.__vbaFreeV>; msvbvm60.__vbaFreeVar
11079A06 . 8D4D 84 lea ecx,dword ptr ss:[ebp-0x7C]
11079A09 . FF15 E0110011 call dword ptr ds:[<&MSVBVM60.__vbaFreeO>; msvbvm60.__vbaFreeObj
11079A0F . 8D4D 80 lea ecx,dword ptr ss:[ebp-0x80]
11079A12 . FF15 E0110011 call dword ptr ds:[<&MSVBVM60.__vbaFreeO>; msvbvm60.__vbaFreeObj
11079A18 . C3 retn
11079A19 . 8B45 08 mov eax,dword ptr ss:[ebp+0x8] ; LoadDl_1.60000000
11079A1C . 8B08 mov ecx,dword ptr ds:[eax]
11079A1E . 8B55 08 mov edx,dword ptr ss:[ebp+0x8] ; LoadDl_1.60000000
11079A21 . 52 push edx
11079A22 . FF51 08 call dword ptr ds:[ecx+0x8]
11079A25 . 8B45 F0 mov eax,dword ptr ss:[ebp-0x10] ; 1.11000000
11079A28 . 8B4D E0 mov ecx,dword ptr ss:[ebp-0x20] ; LoadDl_1.<ModuleEntryPoint>
11079A2B . 64:890D 00000>mov dword ptr fs:[0],ecx
11079A32 . 5F pop edi ; LoadDl_1.60001057
11079A33 . 5E pop esi ; LoadDl_1.60001057
11079A34 . 5B pop ebx ; LoadDl_1.60001057
11079A35 . 8BE5 mov esp,ebp
11079A37 . 5D pop ebp ; LoadDl_1.60001057
11079A38 . C2 0400 retn 0x4