我用脚本脱,提示找到伪OEP,确定运行到提示OEP处。
停在下面
00A2A26B E8 5D960500 call 00A838CD ; OEP == 58BB4A
00A2A270 883A mov byte ptr ds:[edx],bh
00A2A272 6D ins dword ptr es:[edi],dx
00A2A273 A2 CA0AD0F7 mov byte ptr ds:[F7D00ACA],al
00A2A278 E8 DF200A00 call 00ACC35C ; ScenesSe.00ACC35C
00A2A27D 0321 add esp,dword ptr ds:[ecx]
00A2A27F B8 6FC60A40 mov eax,400AC66F
00A2A284 ^ E1 E9 loopde short 00A2A26F ; ScenesSe.00A2A26F
00A2A286 B2 AA mov dl,0AA
00A2A288 04 00 add al,0
00A2A28A 81C2 65080101 add edx,1010865
00A2A290 871424 xchg dword ptr ss:[esp],edx ; ScenesSe.00A2A26B
Execryptor_2.xx_IAT_Fixer_v2.0SC,OEP:58BB4A IAT起始:6E6018 大小:3E0
我转到58BB4A
发现这不是程序的入口,请问是怎么回事?谢谢了先
0058BB4A - E9 1CE74900 jmp 00A2A26B ; ScenesSe.00A2A26B
0058BB4F 54 push esp
0058BB50 49 dec ecx ; ScenesSe.00A2A26B
0058BB51 C3 retn
0058BB52 2965 C4 sub dword ptr ss:[ebp-3C],esp
0058BB55 98 cwde
0058BB56 AA stos byte ptr es:[edi]
0058BB57 99 cdq
0058BB58 C8 0249BC enter 4902,0BC
0058BB5C 1C D3 sbb al,0D3
0058BB5E D7 xlat byte ptr ds:[ebx+al]
0058BB5F 30A3 CA9A7324 xor byte ptr ds:[ebx+24739ACA],ah
0058BB65 ^ 75 DF jnz short 0058BB46 ; ScenesSe.0058BB46
0058BB67 17 pop ss
0058BB68 E4 1D in al,1D
听其他大侠讲是OEP被VM的现象?但是我不知如何下手修复?望大侠们帮忙
软件地址:
950K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3&6S2L8h3W2H3j5h3&6Q4x3X3g2U0L8$3#2Q4x3V1k6V1i4K6u0r3f1@1y4Q4x3U0g2W2y4W2)9J5y4e0W2U0i4K6t1#2z5o6W2Q4x3U0g2W2z5g2)9J5y4e0V1&6i4K6t1#2z5e0m8Q4x3U0g2W2y4g2)9J5y4e0R3^5i4K6t1#2j5U0k6Q4x3X3g2*7K9i4m8Q4x3V1j5%4y4X3q4V1k6r3k6W2y4h3j5%4y4h3k6S2x3h3k6S2j5X3j5%4y4$3k6X3x3h3p5H3y4$3c8T1z5e0g2W2y4K6q4V1x3e0m8X3j5K6M7%4k6X3b7J5k6o6x3H3x3o6l9`.
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
