mov dword ptr ds:[esi],2EF46698 数据传输指令的地址被修改了
本帖最后由 冥界3大法王 于 2023-4-6 08:58 编辑
不太理解为什么要改成这个地址。
2EE0E4E3 | 56 | push esi |
2EE0E4E4 | 6A 38 | push 38 |
2EE0E4E6 | C74424 08 00000000 | mov dword ptr ss:,0 |
2EE0E4EE | FF15 249FF12E | call dword ptr ds:[<&?doAlloc@FObj@@YAPAXI@Z>] |
2EE0E4F4 | 8BF0 | mov esi,eax |
2EE0E4F6 | 83C4 04 | add esp,4 |
2EE0E4F9 | 897424 08 | mov dword ptr ss:,esi |
2EE0E4FD | 85F6 | test esi,esi |
2EE0E4FF | 74 56 | je productlicensing.2EE0E557 |
2EE0E501 | C746 04 AC66F42E | mov dword ptr ds:,productlicensing.2EF466AC |
2EE0E508 | 8BCE | mov ecx,esi |
2EE0E50A | C746 30 E4D4F12E | mov dword ptr ds:,productlicensing.2EF1D4E4 |
2EE0E511 | 6A 00 | push 0 |
2EE0E513 | C746 34 00000000 | mov dword ptr ds:,0 |
2EE0E51A | E8 1178FFFF | call productlicensing.2EE05D30 |
2EE0E51F | 8B46 04 | mov eax,dword ptr ds: |
2EE0E522 | 8D4E 04 | lea ecx,dword ptr ds: |
2EE0E525 | C706 9866 F42E | mov dword ptr ds:,2EF46698 =====》(第1处)
2EE0E525 | C706 3C63 F42E | mov dword ptr ds:,2EF4633C
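各位老朋友,重点是上面这一句(同一地址 2EE0E525 上的两种写法,只有立即数不同)。我动态调试了下,唯独这里没整明白。
补充一点推理:机器码 C706 对应 mov dword ptr ds:[esi],imm32,而 esi 在前面由 mov esi,eax 取得 doAlloc 的返回值,所以这条指令是在向新分配对象的偏移 0 处写入一个 4 字节常量。MSVC 生成的 C++ 构造代码通常把虚表指针放在这个位置,因此两个立即数很可能指向两张不同的虚表;这只是根据指令形态作出的推断,需要查看这两个地址处的数据才能确认。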
2EE0E52B | 8B40 04 | mov eax,dword ptr ds: |
2EE0E52E | C74430 04 8C66F42E | mov dword ptr ds:,productlicensing.2EF4668C |
2EE0E536 | 8B46 04 | mov eax,dword ptr ds: |
2EE0E539 | 8B7424 10 | mov esi,dword ptr ss: |
2EE0E53D | 8B40 04 | mov eax,dword ptr ds: |
2EE0E540 | 03C8 | add ecx,eax |
2EE0E542 | 890E | mov dword ptr ds:,ecx |
2EE0E544 | 74 0A | je productlicensing.2EE0E550 |
2EE0E546 | 83C1 04 | add ecx,4 |
2EE0E549 | 51 | push ecx |
2EE0E54A | FF15 C89FF12E | call dword ptr ds:[<&InterlockedIncrement>] |
2EE0E550 | 8BC6 | mov eax,esi |
2EE0E552 | 5E | pop esi |
2EE0E553 | 83C4 08 | add esp,8 |
2EE0E556 | C3 | ret |
2EE0E557 | 8B4424 10 | mov eax,dword ptr ss: |
2EE0E55B | 5E | pop esi |
2EE0E55C | C700 00000000 | mov dword ptr ds:,0 |
2EE0E562 | 83C4 08 | add esp,8 |
2EE0E565 | C3 | ret |
2EE0E566 | CC | int3 |
2EE0E567 | CC | int3 |
2EE0E568 | CC | int3 |
2EE0E569 | CC | int3 |
2EE0E56A | CC | int3 |
2EE0E56B | CC | int3 |
2EE0E56C | CC | int3 |
2EE0E56D | CC | int3 |
2EE0E56E | CC | int3 |
2EE0E56F | CC | int3 |
; ---------------------------------------------------------------------------
; productlicensing.2EE0E570  (32-bit x86, Intel syntax, debugger listing)
; Columns: address | opcode bytes | disassembly | comment
;
; The bracketed part of most memory operands is missing from the disassembly
; column in this copy; the comments below restore each operand from the
; opcode bytes, which are intact.
;
; Flow: call FObj::doAlloc(0x44); on a non-null result call 2EDD7630 with
; ecx = the new block and one stack argument (1); on a non-zero return,
; compute an adjusted pointer, store it through the caller-supplied first
; stack argument, atomically increment the dword at adjusted+4, and return
; the address of that output slot in eax. On either failure the output slot
; is set to 0 and its address is returned in the same way.
;
; NOTE(review): the [eax+4] -> [..+4] -> add sequence resembles MSVC
; virtual-base pointer adjustment and the InterlockedIncrement looks like a
; reference-count bump; both are inferred from instruction shape, confirm
; against the callee at 2EDD7630.
; ---------------------------------------------------------------------------
2EE0E570 | 83EC 08 | sub esp,8 | ; reserve two dword locals
2EE0E573 | 6A 44 | push 44 | ; doAlloc argument = 0x44 (presumably a size in bytes; confirm)
2EE0E575 | C74424 04 00000000 | mov dword ptr ss:,0 | ; bytes decode to mov dword ptr [esp+4],0: zero the first local
2EE0E57D | FF15 249FF12E | call dword ptr ds:[<&?doAlloc@FObj@@YAPAXI@Z>] | ; import demangles to void* __cdecl FObj::doAlloc(unsigned int)
2EE0E583 | 83C4 04 | add esp,4 | ; cdecl: caller removes the single argument
2EE0E586 | 894424 04 | mov dword ptr ss:,eax | ; mov [esp+4],eax: keep the returned pointer in the second local
2EE0E58A | 85C0 | test eax,eax |
2EE0E58C | 74 32 | je productlicensing.2EE0E5C0 | ; null allocation -> failure path
2EE0E58E | 6A 01 | push 1 | ; stack argument for the call below
2EE0E590 | 8BC8 | mov ecx,eax | ; new block passed in ecx (looks like a thiscall 'this'; confirm)
2EE0E592 | E8 9990FCFF | call productlicensing.2EDD7630 | ; callee not shown; no caller-side cleanup follows, so it pops its own argument
2EE0E597 | 85C0 | test eax,eax |
2EE0E599 | 74 25 | je productlicensing.2EE0E5C0 | ; zero return -> same failure path
2EE0E59B | 8B48 04 | mov ecx,dword ptr ds: | ; mov ecx,[eax+4]
2EE0E59E | 56 | push esi | ; save esi, restored at 2EE0E5BB
2EE0E59F | 8B7424 10 | mov esi,dword ptr ss: | ; mov esi,[esp+10h]: first stack argument, used as the output slot
2EE0E5A3 | 8B49 04 | mov ecx,dword ptr ds: | ; mov ecx,[ecx+4]
2EE0E5A6 | 83C1 04 | add ecx,4 |
2EE0E5A9 | 03C8 | add ecx,eax | ; ecx = eax + 4 + [[eax+4]+4]; ZF from this add feeds the je below
2EE0E5AB | 890E | mov dword ptr ds:,ecx | ; mov [esi],ecx: store the adjusted pointer (mov leaves the flags intact)
2EE0E5AD | 74 0A | je productlicensing.2EE0E5B9 | ; adjusted pointer is 0 -> skip the increment
2EE0E5AF | 83C1 04 | add ecx,4 |
2EE0E5B2 | 51 | push ecx | ; argument: address of the dword at adjusted+4
2EE0E5B3 | FF15 C89FF12E | call dword ptr ds:[<&InterlockedIncrement>] | ; atomic increment of that dword; stdcall, callee pops the argument
2EE0E5B9 | 8BC6 | mov eax,esi | ; return the output-slot address
2EE0E5BB | 5E | pop esi |
2EE0E5BC | 83C4 08 | add esp,8 | ; release the two locals
2EE0E5BF | C3 | ret | ; plain ret: the stack argument is left for the caller
2EE0E5C0 | 8B4424 0C | mov eax,dword ptr ss: | ; failure path: mov eax,[esp+0Ch], the same first stack argument (esi was never pushed here)
2EE0E5C4 | C700 00000000 | mov dword ptr ds:,0 | ; mov dword ptr [eax],0: write null into the output slot
2EE0E5CA | 83C4 08 | add esp,8 |
2EE0E5CD | C3 | ret |
2EE0E5CE | CC | int3 |
2EE0E5CF | CC | int3 |
2EE0E5D0 | 55 | push ebp |
2EE0E5D1 | 8BEC | mov ebp,esp |
2EE0E5D3 | 6A FF | push FFFFFFFF |
2EE0E5D5 | 68 78A4EF2E | push productlicensing.2EEFA478 |
2EE0E5DA | 64:A1 00000000 | mov eax,dword ptr fs: |
2EE0E5E0 | 50 | push eax |
2EE0E5E1 | 83EC 08 | sub esp,8 |
2EE0E5E4 | 53 | push ebx |
2EE0E5E5 | 56 | push esi |
2EE0E5E6 | 57 | push edi |
2EE0E5E7 | A1 0860FA2E | mov eax,dword ptr ds: |
2EE0E5EC | 33C5 | xor eax,ebp |
2EE0E5EE | 50 | push eax |
2EE0E5EF | 8D45 F4 | lea eax,dword ptr ss: |
2EE0E5F2 | 64:A3 00000000 | mov dword ptr fs:,eax |
2EE0E5F8 | 894D EC | mov dword ptr ss:,ecx |
2EE0E5FB | 8D4D F0 | lea ecx,dword ptr ss: |
2EE0E5FE | E8 ED130500 | call productlicensing.2EE5F9F0 |
2EE0E603 | C745 FC 00000000 | mov dword ptr ss:,0 |
2EE0E60A | 8B75 F0 | mov esi,dword ptr ss: |
2EE0E60D | 8B3D B89EF12E | mov edi,dword ptr ds:[<&?GenerateInternalError@FObj@@YA_NW4TIn |
2EE0E613 | 85F6 | test esi,esi |
2EE0E615 | 75 1D | jne productlicensing.2EE0E634 |
2EE0E617 | 6A 00 | push 0 |
2EE0E619 | 68 5B010000 | push 15B |
2EE0E61E | 68 88D4F12E | push productlicensing.2EF1D488 | 2EF1D488:L"E:\\Licensing4.3\\0\\FineObjects\\Inc\\Object.h"
2EE0E623 | 68 280EF32E | push productlicensing.2EF30E28 |
2EE0E628 | 68 280EF32E | push productlicensing.2EF30E28 |
2EE0E62D | 6A 00 | push 0 |
我琢磨了一下,这个模块大致干了三件坏事:
1. Service 服务进程检测
2. *.dll 文件自校验问题(“文件被破坏、需要重新安装”的内容在此)(反调试)
3. 返回注册标志