我在反编译某软件的程序时,发现里面有如下代码,

/*403D30*/ cmp byte ptr [4F3028], 1
/*403D37*/ jbe short 00403D4A
/*403D39*/ push 0
/*403D3B*/ push 0
/*403D3D*/ push 0
/*403D3F*/ push 0EEDFADF
/*403D44*/ call dword ptr [4F8014]
/*403D4A*/ retn
...
/*403D4C*/ cmp byte ptr [4F3028], 0
/*403D53*/ je short 00403D6C
/*403D55*/ push eax
/*403D56*/ push eax
/*403D57*/ push edx
/*403D58*/ push esp
/*403D59*/ push 2
/*403D5B*/ push 0
/*403D5D*/ push 0EEDFAE4
/*403D62*/ call dword ptr [4F8014]
/*403D68*/ add esp, 8
/*403D6B*/ pop eax
/*403D6C*/ retn
...
/*403D6D*/ lea eax, dword ptr [eax]
/*403D70*/ push esp
/*403D71*/ push 1
/*403D73*/ push 0
/*403D75*/ push 0EEDFAE0
/*403D7A*/ call dword ptr [4F8014]
/*403D80*/ add esp, 4
/*403D83*/ pop eax
/*403D84*/ retn
...
/*403DD0*/ cmp byte ptr [4F3028], 1
/*403DD7*/ jbe short 00403DF6
/*403DD9*/ push eax
/*403DDA*/ push edx
/*403DDB*/ push ecx
/*403DDC*/ call 00403DB0
/*403DE1*/ push ecx
/*403DE2*/ push esp
/*403DE3*/ push 1
/*403DE5*/ push 0
/*403DE7*/ push 0EEDFAE1
/*403DEC*/ call dword ptr [4F8014]
/*403DF2*/ pop ecx
/*403DF3*/ pop ecx
/*403DF4*/ pop edx
/*403DF5*/ pop eax
/*403DF6*/ retn
...
/*403DF8*/ cmp byte ptr [4F3028], 1
/*403DFF*/ jbe short 00403E13
/*403E01*/ push edx
/*403E02*/ push esp
/*403E03*/ push 1
/*403E05*/ push 0
/*403E07*/ push 0EEDFAE2
/*403E0C*/ call dword ptr [4F8014]
/*403E12*/ pop edx
/*403E13*/ retn
...
/*403E14*/ push eax
/*403E15*/ push edx
/*403E16*/ cmp byte ptr [4F3028], 1
/*403E1D*/ jbe short 00403E2F
/*403E1F*/ push esp
/*403E20*/ push 2
/*403E22*/ push 0
/*403E24*/ push 0EEDFAE3
/*403E29*/ call dword ptr [4F8014]
/*403E2F*/ pop edx
/*403E30*/ pop eax
/*403E31*/ retn
...
/*4041E6*/ jnz short 004041F2
/*4041E8*/ mov eax, 0D8
/*4041ED*/ call 004047B8
/*4041F2*/ pop edx
/*4041F3*/ push esp
/*4041F4*/ push ebp
/*4041F5*/ push edi
/*4041F6*/ push esi
/*4041F7*/ push ebx
/*4041F8*/ push eax
/*4041F9*/ push edx
/*4041FA*/ push esp
/*4041FB*/ push 7
/*4041FD*/ push 1
/*4041FF*/ push 0EEDFADE
/*404204*/ push edx
/*404205*/ jmp dword ptr [4F8014]
/*40420B*/ retn
...
/*4044F0*/ mov dword ptr [4F8014], <jmp.&kernel32.RaiseException>

我查了这个函数的解释
VOID RaiseException(
DWORD dwExceptionCode, // exception code
DWORD dwExceptionFlags, // continuable exception flag
DWORD nNumberOfArguments, // number of arguments
CONST ULONG_PTR *lpArguments // array of arguments
);
Parameters
dwExceptionCode
[in] Specifies the application-defined exception code of the exception being raised. The filter expression and exception-handler block of an exception handler can use the GetExceptionCode function to retrieve this value.
Note that the system will clear bit 28 of dwExceptionCode before displaying a message This bit is a reserved exception bit, used by the system for its own purposes.

dwExceptionFlags
[in] Specifies the exception flags. This can be either zero to indicate a continuable exception, or EXCEPTION_NONCONTINUABLE to indicate a noncontinuable exception. Any attempt to continue execution after a noncontinuable exception causes the EXCEPTION_NONCONTINUABLE_EXCEPTION exception.
nNumberOfArguments
[in] Specifies the number of arguments in the lpArguments array. This value must not exceed EXCEPTION_MAXIMUM_PARAMETERS. This parameter is ignored if lpArguments is NULL.
lpArguments
[in] Pointer to an array of arguments. This parameter can be NULL. These arguments can contain any application-defined data that needs to be passed to the filter expression of the exception handler.
Return Values
This function does not return a value.

但是我不知道dwExceptionFlags不为0的时候,这个函数是如何工作的,
还有他会影响我用OD跟踪程序么?如何应对这种手段?

[培训]内核驱动高级班，冲击BAT一流互联网大厂工作，每周日13:00-18:00直播授课