您的位置:首页精文荟萃破解文章 → Magic Utilities 2003 V2.2.0 Pecompact 脱壳手记

Magic Utilities 2003 V2.2.0 Pecompact 脱壳手记

时间:2004/10/15 0:58:00来源:本站整理作者:蓝点我要评论(0)

  Fi3.01查得Pecompact v1.68-84加的壳。
  首先用Peditor查看mgutil.exe的区块信息:


Section   Virtual Size  Virtual Offset  Raw Size   Raw Offset  Characteristics


pec1       000A1000      00001000       0003EA00    00000400      E0000020
.rsrc      000C8000      000A2000       00054A00    0003EE00      C0000040
.pec       00004000      0016A000       00000600    00093800      E0000020
.rsrc      00001000      0016E000       00000600    00093E00      C0000040


   发现程序加壳后入口点所在的pec块的Characteristics为E0000020,说明该块可执行,于是直接用Softice载入,但是没有中断。于是在Softice中下断点bpint3,单击break'n'enter->Run,使程序强行中断在入口点处。
   Softice中断在下面的地方:
001B:0056A000  CC                  INT       3
/* 这里是用Peditor插入的int3断点 */
001B:0056A001  06                  PUSH      ES
001B:0056A002  689C120500          PUSH      0005129C
____________________________________________________________
   由于插入的int3断点改变了原来的入口指令,为使程序继续运行,必须将指令改回来。用Peditor的FLC查到56A000处的指令码为EB 06 68 9C 12 05 00 C3 9C ,于是再次中断在入口处,在Softice中下命令:eb eip eb (enter)
   纠正指令码如下:
001B:0056A000  EB06                JMP       0056A008             (JUMP )
001B:0056A002  689C120500          PUSH      0005129C
/* 其实这个就是OEP,这意味着OEP并没有被加密,不脱壳也可以方便地用SMC补丁主程序 */
001B:0056A007  C3                  RET
001B:0056A007  C3                  RET
001B:0056A008  9C                  PUSHFD
001B:0056A009  60                  PUSHAD
001B:0056A00A  E802000000          CALL      0056A011
/* 这个call是变形的jmp,因为调用地点就在下面第二行,用F8走入 */
001B:0056A00F  33C0                XOR       EAX,EAX
001B:0056A011  8BC4                MOV       EAX,ESP
001B:0056A013  83C004              ADD       EAX,04
001B:0056A016  93                  XCHG      EAX,EBX
001B:0056A017  8BE3                MOV       ESP,EBX
001B:0056A019  8B5BFC              MOV       EBX,[EBX-04]
001B:0056A01C  81EB3F904000        SUB       EBX,0040903F
001B:0056A022  87DD                XCHG      EBX,EBP
001B:0056A024  8B85E6904000        MOV       EAX,[EBP+004090E6]
001B:0056A02A  018533904000        ADD       [EBP+00409033],EAX
001B:0056A030  66C785309040009090  MOV       WORD PTR [EBP+00409030],9090
001B:0056A039  0185DA904000        ADD       [EBP+004090DA],EAX
001B:0056A03F  0185DE904000        ADD       [EBP+004090DE],EAX
001B:0056A045  0185E2904000        ADD       [EBP+004090E2],EAX
001B:0056A04B  BB7B110000          MOV       EBX,0000117B
001B:0056A050  039DEA904000        ADD       EBX,[EBP+004090EA]
001B:0056A056  039DE6904000        ADD       EBX,[EBP+004090E6]
001B:0056A05C  53                  PUSH      EBX
001B:0056A05D  8BC3                MOV       EAX,EBX
001B:0056A05F  8BFB                MOV       EDI,EBX
001B:0056A061  2DAC904000          SUB       EAX,004090AC
001B:0056A066  8985AD904000        MOV       [EBP+004090AD],EAX
001B:0056A06C  8DB5AC904000        LEA       ESI,[EBP+004090AC]
001B:0056A072  B940040000          MOV       ECX,00000440
001B:0056A077  F3A5                REPZ MOVSD
001B:0056A079  8BFB                MOV       EDI,EBX
001B:0056A07B  C3                  RET
/* 走过这个ret后来到下面的地方 */
001B:0056B17B  BDCF201600          MOV       EBP,001620CF
001B:0056B180  8BF7                MOV       ESI,EDI
001B:0056B182  83C654              ADD       ESI,54
001B:0056B185  81C7FF100000        ADD       EDI,000010FF
001B:0056B18B  56                  PUSH      ESI
001B:0056B18C  57                  PUSH      EDI
001B:0056B18D  57                  PUSH      EDI
001B:0056B18E  56                  PUSH      ESI
001B:0056B18F  FF95DA904000        CALL      [EBP+004090DA]
001B:0056B195  8BC8                MOV       ECX,EAX
001B:0056B197  5E                  POP       ESI
001B:0056B198  5F                  POP       EDI
001B:0056B199  8BC1                MOV       EAX,ECX
001B:0056B19B  C1F902              SAR       ECX,02
001B:0056B19E  F3A5                REPZ MOVSD
001B:0056B1A0  03C8                ADD       ECX,EAX
001B:0056B1A2  83E103              AND       ECX,03
001B:0056B1A5  F3A4                REPZ MOVSB
001B:0056B1A7  EB26                JMP       0056B1CF             (JUMP )
/* 注意这个jmp的目的地 */
001B:0056B1A9  B0E3                MOV       AL,E3
001B:0056B1AB  56                  PUSH      ESI
001B:0056B1AC  0098E3560074        ADD       [EAX+740056E3],BL
001B:0056B1B2  E356                JECXZ     0056B20A
001B:0056B1B4  0000                ADD       [EAX],AL
001B:0056B1B6  004000              ADD       [EAX+00],AL
001B:0056B1B9  00A0160000E0        ADD       [EAX+E0000016],AH ; STATUS_MORE_PRO
001B:0056B1BF  16                  PUSH      SS
001B:0056B1C0  0087DB87DB87        ADD       [EDI+87DB87DB],AL
001B:0056B1C6  DB87DB87DB87        FILD      DWORD PTR [EDI+87DB87DB]
001B:0056B1CC  DB87DB8BB5E6        FILD      DWORD PTR [EDI+E6B58BDB]
_____________________________________________________________


   这里有花指令,下命令
   :a 56b1cc
   001B:0056B1CC nop
   001B:0056B1CD
   :
   得到:
001B:0056B1CC  90                  NOP
001B:0056B1CD  87DB                XCHG      EBX,EBX
001B:0056B1CF  8BB5E6904000        MOV       ESI,[EBP+004090E6]
/* 这才是上面那个jmp的目的地 */
001B:0056B1D5  56                  PUSH      ESI
001B:0056B1D6  03B5EE904000        ADD       ESI,[EBP+004090EE]
001B:0056B1DC  83C614              ADD       ESI,14
001B:0056B1DF  03B535974000        ADD       ESI,[EBP+00409735]
001B:0056B1E5  8DBD39974000        LEA       EDI,[EBP+00409739]
001B:0056B1EB  B906000000          MOV       ECX,00000006
001B:0056B1F0  F3A5                REPZ MOVSD
001B:0056B1F2  6A04                PUSH      04
001B:0056B1F4  6800100000          PUSH      00001000
001B:0056B1F9  FFB551974000        PUSH      DWORD PTR [EBP+00409751]
001B:0056B1FF  6A00                PUSH      00
001B:0056B201  FF9541974000        CALL      [EBP+00409741]
001B:0056B207  8BF8                MOV       EDI,EAX
001B:0056B209  5B                  POP       EBX
001B:0056B20A  019D83944000        ADD       [EBP+00409483],EBX
001B:0056B210  8BB5DE904000        MOV       ESI,[EBP+004090DE]
001B:0056B216  80BD6B9D4000C3      CMP       BYTE PTR [EBP+00409D6B],C3
001B:0056B21D  742E                JZ        0056B24D
001B:0056B21F  60                  PUSHAD
001B:0056B220  8B9D39974000        MOV       EBX,[EBP+00409739]
001B:0056B226  8B8D3D974000        MOV       ECX,[EBP+0040973D]
001B:0056B22C  8B95E6904000        MOV       EDX,[EBP+004090E6]
001B:0056B232  8DBD6BA14000        LEA       EDI,[EBP+0040A16B]
001B:0056B238  56                  PUSH      ESI
001B:0056B239  52                  PUSH      EDX
001B:0056B23A  6A40                PUSH      40
001B:0056B23C  57                  PUSH      EDI
001B:0056B23D  51                  PUSH      ECX
001B:0056B23E  53                  PUSH      EBX
001B:0056B23F  E8F60B0000          CALL      0056BE3A
001B:0056B244  85C0                TEST      EAX,EAX
001B:0056B246  0F859F000000        JNZ       0056B2EB
001B:0056B24C  61                  POPAD
001B:0056B24D  57                  PUSH      EDI
001B:0056B24E  AD                  LODSD
001B:0056B24F  85C0                TEST      EAX,EAX
001B:0056B251  0F849B000000        JZ        0056B2F2
/* 注意这里jz的目的地 */
001B:0056B257  8BD0                MOV       EDX,EAX
001B:0056B259  0395E6904000        ADD       EDX,[EBP+004090E6]
001B:0056B25F  AD                  LODSD
001B:0056B260  56                  PUSH      ESI
001B:0056B261  8BC8                MOV       ECX,EAX
001B:0056B263  57                  PUSH      EDI
001B:0056B264  52                  PUSH      EDX
001B:0056B265  8DB56BA14000        LEA       ESI,[EBP+0040A16B]
001B:0056B26B  57                  PUSH      EDI
001B:0056B26C  51                  PUSH      ECX
001B:0056B26D  52                  PUSH      EDX
001B:0056B26E  6A40                PUSH      40
001B:0056B270  56                  PUSH      ESI
001B:0056B271  FFB53D974000        PUSH      DWORD PTR [EBP+0040973D]
001B:0056B277  FFB539974000        PUSH      DWORD PTR [EBP+00409739]
001B:0056B27D  E8B8090000          CALL      0056BC3A
001B:0056B282  5A                  POP       EDX
001B:0056B283  5F                  POP       EDI
001B:0056B284  8D85E4914000        LEA       EAX,[EBP+004091E4]
001B:0056B28A  50                  PUSH      EAX
001B:0056B28B  6467FF360000        PUSH      DWORD PTR FS:[0000]
001B:0056B291  646789260000        MOV       FS:[0000],ESP
001B:0056B297  52                  PUSH      EDX
001B:0056B298  57                  PUSH      EDI
001B:0056B299  FF95DA904000        CALL      [EBP+004090DA]
001B:0056B29F  64678F060000        POP       DWORD PTR FS:[0000]
001B:0056B2A5  83C404              ADD       ESP,04
001B:0056B2A8  85C0                TEST      EAX,EAX
001B:0056B2AA  7407                JZ        0056B2B3
001B:0056B2AC  8BC8                MOV       ECX,EAX
001B:0056B2AE  5E                  POP       ESI
001B:0056B2AF  5F                  POP       EDI
001B:0056B2B0  EB9B                JMP       0056B24D             (JUMP )
001B:0056B2B2  B9E8000000          MOV       ECX,000000E8
001B:0056B2B7  005D81              ADD       [EBP-7F],BL
001B:0056B2BA  ED                  IN        EAX,DX
001B:0056B2BB  E9914000E8          JMP       E856F351
_____________________________________________________________
   001B:0056B2F1处被花了:
001B:0056B2EB  FFA549974000        JMP       [EBP+00409749]
001B:0056B2F1  245F                AND       AL,5F
001B:0056B2F3  8BB5E2904000        MOV       ESI,[EBP+004090E2]
001B:0056B2F9  AD                  LODSD
001B:0056B2FA  83F8FF              CMP       EAX,-01
001B:0056B2FD  7474                JZ        0056B373    
   下命令:
   :a 56b2f1
   001B:0056B2F1 nop
   001B:0056B2F2
   纠正后指令如下:
001B:0056B2EB  FFA549974000        JMP       [EBP+00409749]
001B:0056B2F1  90                  NOP
001B:0056B2F2  5F                  POP       EDI
/* 这才是001B:0056B251处jz的目的地 */
001B:0056B2F3  8BB5E2904000        MOV       ESI,[EBP+004090E2]
001B:0056B2F9  AD                  LODSD
001B:0056B2FA  83F8FF              CMP       EAX,-01
001B:0056B2FD  7474                JZ        0056B373             (JUMP )
/* 注意这个jz的目的地 */
001B:0056B2FF  0385E6904000        ADD       EAX,[EBP+004090E6]
001B:0056B305  8BD8                MOV       EBX,EAX
001B:0056B307  AD                  LODSD
001B:0056B308  0385E6904000        ADD       EAX,[EBP+004090E6]
001B:0056B30E  8BD0                MOV       EDX,EAX
001B:0056B310  AD                  LODSD
001B:0056B311  8BC8                MOV       ECX,EAX
001B:0056B313  57                  PUSH      EDI
001B:0056B314  56                  PUSH      ESI
001B:0056B315  8BF3                MOV       ESI,EBX
001B:0056B317  57                  PUSH      EDI
001B:0056B318  51                  PUSH      ECX
001B:0056B319  8BC1                MOV       EAX,ECX
001B:0056B31B  C1F902              SAR       ECX,02
001B:0056B31E  F3A5                REPZ MOVSD
001B:0056B320  03C8                ADD       ECX,EAX
001B:0056B322  83E103              AND       ECX,03
001B:0056B325  F3A4                REPZ MOVSB
001B:0056B327  59                  POP       ECX
001B:0056B328  5E                  POP       ESI
001B:0056B329  8BFA                MOV       EDI,EDX
001B:0056B32B  8BC1                MOV       EAX,ECX
001B:0056B32D  C1F902              SAR       ECX,02
001B:0056B330  F3A5                REPZ MOVSD
001B:0056B332  03C8                ADD       ECX,EAX
001B:0056B334  83E103              AND       ECX,03
001B:0056B337  F3A4                REPZ MOVSB
001B:0056B339  5E                  POP       ESI
001B:0056B33A  AD                  LODSD
001B:0056B33B  8BC8                MOV       ECX,EAX
001B:0056B33D  8BD0                MOV       EDX,EAX
001B:0056B33F  33C0                XOR       EAX,EAX
001B:0056B341  C1F902              SAR       ECX,02
001B:0056B344  F3AB                REPZ STOSD
001B:0056B346  03CA                ADD       ECX,EDX
001B:0056B348  83E103              AND       ECX,03
001B:0056B34B  F3AA                REPZ STOSB
001B:0056B34D  8B7EF0              MOV       EDI,[ESI-10]
001B:0056B350  03BDE6904000        ADD       EDI,[EBP+004090E6]
001B:0056B356  8B4EF4              MOV       ECX,[ESI-0C]
001B:0056B359  038DE6904000        ADD       ECX,[EBP+004090E6]
001B:0056B35F  2BCF                SUB       ECX,EDI
001B:0056B361  8BD1                MOV       EDX,ECX
001B:0056B363  C1F902              SAR       ECX,02
001B:0056B366  F3AB                REPZ STOSD
001B:0056B368  03CA                ADD       ECX,EDX
001B:0056B36A  83E103              AND       ECX,03
001B:0056B36D  F3AA                REPZ STOSB
001B:0056B36F  5F                  POP       EDI
001B:0056B370  EB87                JMP       0056B2F9
001B:0056B372  0F6800              PUNPCKHBW MM0,[EAX]
001B:0056B375  40                  INC       EAX
001B:0056B376  0000                ADD       [EAX],AL
001B:0056B378  6A00                PUSH      00
001B:0056B37A  57                  PUSH      EDI
____________________________________________________
   上面001B:0056B372处又被花,纠正一下:
   :a 56b372
   001B:0056B372 nop
   001B:0056B373
   :
   得到:
001B:0056B372  90                  NOP
001B:0056B373  6800400000          PUSH      00004000
/* 这才是001B:0056B2FD处jz的目的地 */
001B:0056B378  6A00                PUSH      00
001B:0056B37A  57                  PUSH      EDI
001B:0056B37B  FF9545974000        CALL      [EBP+00409745]
001B:0056B381  8BBD3C964000        MOV       EDI,[EBP+0040963C]
001B:0056B387  03BDE6904000        ADD       EDI,[EBP+004090E6]
001B:0056B38D  8B8D40964000        MOV       ECX,[EBP+00409640]
001B:0056B393  51                  PUSH      ECX
001B:0056B394  57                  PUSH      EDI
001B:0056B395  33D2                XOR       EDX,EDX
001B:0056B397  33DB                XOR       EBX,EBX
001B:0056B399  33F6                XOR       ESI,ESI
001B:0056B39B  03FE                ADD       EDI,ESI
001B:0056B39D  03DE                ADD       EBX,ESI
001B:0056B39F  49                  DEC       ECX
001B:0056B3A0  7472                JZ        0056B414
001B:0056B3A2  7870                JS        0056B414
001B:0056B3A4  668B07              MOV       AX,[EDI]
001B:0056B3A7  2CE8                SUB       AL,E8
001B:0056B3A9  3C01                CMP       AL,01
001B:0056B3AB  7638                JBE       0056B3E5
001B:0056B3AD  663D1725            CMP       AX,2517
001B:0056B3B1  7451                JZ        0056B404
001B:0056B3B3  3C27                CMP       AL,27
001B:0056B3B5  750A                JNZ       0056B3C1
001B:0056B3B7  80FC80              CMP       AH,80
001B:0056B3BA  7205                JB        0056B3C1
001B:0056B3BC  80FC8F              CMP       AH,8F
001B:0056B3BF  7605                JBE       0056B3C6
001B:0056B3C1  47                  INC       EDI
001B:0056B3C2  43                  INC       EBX
001B:0056B3C3  EBDA                JMP       0056B39F
001B:0056B3C5  B88B470290          MOV       EAX,9002478B
001B:0056B3CA  90                  NOP
001B:0056B3CB  90                  NOP
001B:0056B3CC  90                  NOP
001B:0056B3CD  90                  NOP
001B:0056B3CE  90                  NOP
001B:0056B3CF  90                  NOP
001B:0056B3D0  90                  NOP
001B:0056B3D1  90                  NOP
001B:0056B3D2  90                  NOP
001B:0056B3D3  90                  NOP
001B:0056B3D4  90                  NOP
001B:0056B3D5  90                  NOP
001B:0056B3D6  2BC3                SUB       EAX,EBX
001B:0056B3D8  894702              MOV       [EDI+02],EAX
001B:0056B3DB  BE06000000          MOV       ESI,00000006
001B:0056B3E0  83E905              SUB       ECX,05
001B:0056B3E3  EBB6                JMP       0056B39B
001B:0056B3E5  8B4701              MOV       EAX,[EDI+01]
001B:0056B3E8  90                  NOP
001B:0056B3E9  90                  NOP
001B:0056B3EA  90                  NOP
001B:0056B3EB  90                  NOP
001B:0056B3EC  90                  NOP
001B:0056B3ED  90                  NOP
001B:0056B3EE  90                  NOP
001B:0056B3EF  90                  NOP
001B:0056B3F0  90                  NOP
001B:0056B3F1  90                  NOP
001B:0056B3F2  90                  NOP
001B:0056B3F3  90                  NOP
001B:0056B3F4  90                  NOP
001B:0056B3F5  2BC3                SUB       EAX,EBX
001B:0056B3F7  894701              MOV       [EDI+01],EAX
001B:0056B3FA  BE05000000          MOV       ESI,00000005
001B:0056B3FF  83E904              SUB       ECX,04
001B:0056B402  EB97                JMP       0056B39B
001B:0056B404  295702              SUB       [EDI+02],EDX
001B:0056B407  BE08000000          MOV       ESI,00000008
001B:0056B40C  83EA04              SUB       EDX,04
001B:0056B40F  2BCE                SUB       ECX,ESI
001B:0056B411  41                  INC       ECX
001B:0056B412  EB87                JMP       0056B39B
001B:0056B414  5F                  POP       EDI
/* 这里用g 56b414直接跳过来 */
001B:0056B415  59                  POP       ECX
001B:0056B416  33C0                XOR       EAX,EAX
001B:0056B418  85C9                TEST      ECX,ECX
001B:0056B41A  743B                JZ        0056B457
001B:0056B41C  8BF7                MOV       ESI,EDI
001B:0056B41E  33C0                XOR       EAX,EAX
001B:0056B420  83F904              CMP       ECX,04
001B:0056B423  7232                JB        0056B457
001B:0056B425  87DB                XCHG      EBX,EBX
001B:0056B427  87DB                XCHG      EBX,EBX
001B:0056B429  87DB                XCHG      EBX,EBX
001B:0056B42B  87DB                XCHG      EBX,EBX
001B:0056B42D  87DB                XCHG      EBX,EBX
001B:0056B42F  8B1E                MOV       EBX,[ESI]
001B:0056B431  03C3                ADD       EAX,EBX
001B:0056B433  D1E3                SHL       EBX,1
001B:0056B435  83D301              ADC       EBX,01
001B:0056B438  33C3                XOR       EAX,EBX
001B:0056B43A  83C604              ADD       ESI,04
001B:0056B43D  83E904              SUB       ECX,04
001B:0056B440  7415                JZ        0056B457
001B:0056B442  83F904              CMP       ECX,04
001B:0056B445  73E8                JAE       0056B42F
001B:0056B447  BA04000000          MOV       EDX,00000004
001B:0056B44C  2BD1                SUB       EDX,ECX
001B:0056B44E  2BF2                SUB       ESI,EDX
001B:0056B450  B904000000          MOV       ECX,00000004
001B:0056B455  EBD8                JMP       0056B42F
001B:0056B457  3B8567974000        CMP       EAX,[EBP+00409767]
/* 这里用g 56b457直接跳过来 */
001B:0056B45D  744D                JZ        0056B4AC
/* 注意这个jz的目的地 */
001B:0056B45F  E94FFEFFFF          JMP       0056B2B3
001B:0056B464  54                  PUSH      ESP
001B:0056B465  6869732065          PUSH      65207369
001B:0056B46A  7865                JS        0056B4D1
001B:0056B46C  637574              ARPL      [EBP+74],SI
001B:0056B46F  61                  POPAD
001B:0056B470  626C6520            BOUND     EBP,[EBP+20]
001B:0056B474  697320636F7272      IMUL      ESI,[EBX+20],72726F63
001B:0056B47B  7570                JNZ       0056B4ED
001B:0056B47D  7421                JZ        0056B4A0
001B:0056B47F  20506C              AND       [EAX+6C],DL
001B:0056B482  6561                POPAD
001B:0056B484  7365                JAE       0056B4EB
001B:0056B486  206F62              AND       [EDI+62],CH
001B:0056B489  7461                JZ        0056B4EC
001B:0056B48B  696E2061206E65      IMUL      EBP,[ESI+20],656E2061
001B:0056B492  7720                JA        0056B4B4
001B:0056B494  636F70              ARPL      [EDI+70],BP
001B:0056B497  792E                JNS       0056B4C7
001B:0056B499  004368              ADD       [EBX+68],AL
001B:0056B49C  65636B73            ARPL      GS:[EBX+73],BP
001B:0056B4A0  756D                JNZ       0056B50F
001B:0056B4A2  204661              AND       [ESI+61],AL
001B:0056B4A5  696C7572652100E8    IMUL      EBP,[ESI*2+EBP+72],E8002165
______________________________________________________________________
   001B:0056B4a5的指令又被花了,改正它:
   :a 56b4a5
   001B:0056B4A5 nop
   001B:0056B4A6
   :
   得到:
001B:0056B4A5  90                  NOP
001B:0056B4A6  6C                  INSB
001B:0056B4A7  7572                JNZ       0056B51B
001B:0056B4A9  652100              AND       GS:[EAX],EAX
001B:0056B4AC  E8A1010000          CALL      0056B652
001B:0056B4B1  E8A3000000          CALL      0056B559
001B:0056B4B6  736B                JAE       0056B523
001B:0056B4B8  E856020000          CALL      0056B713
001B:0056B4BD  8D9D1B974000        LEA       EBX,[EBP+0040971B]
001B:0056B4C3  53                  PUSH      EBX
001B:0056B4C4  50                  PUSH      EAX
001B:0056B4C5  FF953D974000        CALL      [EBP+0040973D]
001B:0056B4CB  8D9D6B974000        LEA       EBX,[EBP+0040976B]
001B:0056B4D1  53                  PUSH      EBX
001B:0056B4D2  83BD2D97400001      CMP       DWORD PTR [EBP+0040972D],01
001B:0056B4D9  7408                JZ        0056B4E3
001B:0056B4DB  8D8DB2964000        LEA       ECX,[EBP+004096B2]
001B:0056B4E1  EB06                JMP       0056B4E9
001B:0056B4E3  8D8D6E964000        LEA       ECX,[EBP+0040966E]
001B:0056B4E9  8B9525974000        MOV       EDX,[EBP+00409725]
001B:0056B4EF  8BBD29974000        MOV       EDI,[EBP+00409729]
001B:0056B4F5  57                  PUSH      EDI
001B:0056B4F6  52                  PUSH      EDX
001B:0056B4F7  51                  PUSH      ECX
001B:0056B4F8  53                  PUSH      EBX
001B:0056B4F9  FFD0                CALL      EAX
001B:0056B4FB  8D9D0F974000        LEA       EBX,[EBP+0040970F]
001B:0056B501  53                  PUSH      EBX
001B:0056B502  FFB538964000        PUSH      DWORD PTR [EBP+00409638]
001B:0056B508  FF953D974000        CALL      [EBP+0040973D]
001B:0056B50E  5B                  POP       EBX
001B:0056B50F  8D8D58964000        LEA       ECX,[EBP+00409658]
001B:0056B515  6A10                PUSH      10
001B:0056B517  51                  PUSH      ECX
001B:0056B518  53                  PUSH      EBX
001B:0056B519  6A00                PUSH      00
001B:0056B51B  FFD0                CALL      EAX
001B:0056B51D  FFA549974000        JMP       [EBP+00409749]

相关阅读 Windows错误代码大全 Windows错误代码查询激活windows有什么用Mac QQ和Windows QQ聊天记录怎么合并 Mac QQ和Windows QQ聊天记录Windows 10自动更新怎么关闭 如何关闭Windows 10自动更新windows 10 rs4快速预览版17017下载错误问题Win10秋季创意者更新16291更新了什么 win10 16291更新内容windows10秋季创意者更新时间 windows10秋季创意者更新内容kb3150513补丁更新了什么 Windows 10补丁kb3150513是什么

文章评论
发表评论

热门文章 去除winrar注册框方法

最新文章 比特币病毒怎么破解 比去除winrar注册框方法 华为无线路由器HG522-C破解教程(附超级密码JEB格式文件京东电子书下载和阅读限制破解教UltraISO注册码全集(最新)通过Access破解MSSQL获得数据

人气排行 华为无线路由器HG522-C破解教程(附超级密码JEB格式文件京东电子书下载和阅读限制破解教UltraISO注册码全集(最新)qq相册密码破解方法去除winrar注册框方法(适应任何版本)怎么用手机破解收费游戏华为无线猫HG522破解如何给软件脱壳基础教程