Detect It Easy 显示用了MPRESS packer. (302K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3#2S2N6r3y4G2k6r3g2Q4x3X3g2U0L8$3#2Q4x3V1k6E0M7s2u0W2M7%4y4Q4x3X3g2Z5N6r3#2Q4x3U0V1`.

根据ESP定律,下硬件访问断点后到达入口点，

用Scylla 插件Dump, Fix Dump 得到脱壳后的文件svchost_dump_SCY.exe

查看一下字符串，发现Error: invalid command-line:

新建c:\mclick.txt，打开 DebugView 就能看到调试信息了

处在 OnInitDialog 函数里

这个程序需要参数才能运行，随便给个参数 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

命令行参数经过了编码，解码后得到 m_dwUserId

v6 为零会跳过正常的流程，在调试器直接修改 eax 的值为1即可

 <MCLICK> Open url: fb5K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6A6L8X3k6G2i4K6u0W2L8r3#2Q4x3X3g2@1N6W2)9J5k6i4y4G2K9s2g2Q4x3X3g2U0L8$3#2Q4x3V1k6U0M7$3I4Q4x3V1j5H3x3o6l9H3x3o6l9H3j5h3x3%4j5e0c8T1j5K6M7#2x3U0m8X3x3r3q4S2j5K6W2T1k6e0N6X3x3U0f1#2y4o6m8S2z5e0f1J5k6h3g2T1P5r3c8D9i4K6u0r3x3K6p5#2x3K6m8Q4x3X3g2V1L8H3`.`.

[培训]科锐逆向工程师培训第53期2025年7月8日开班！