Author: fxyang. Prerequisites: a dump file whose code and IAT have already been repaired. Tools: a modified OD, etc. Target: Easy CD-DA Extractor, download: http://www.hanzify.org/?Go=Show::List&ID=7377; the experiment uses the dump file provided by machenglin.
Let's begin:
1. Obtaining the environment for repairing the CCs
We already know that the main program ezcddax.exe is packed with Armadillo and uses the CC protection. Load ezcddax.exe in OD, type bp GetThreadContext in the Command window, and run.
After the first break, press F9 to continue; the next break lands inside GetThreadContext:
7C838EEB > 8BFF MOV EDI, EDI
7C838EED 55 PUSH EBP
7C838EEE 8BEC MOV EBP, ESP
7C838EF0 FF75 0C PUSH DWORD PTR SS:[EBP+C]
7C838EF3 FF75 08 PUSH DWORD PTR SS:[EBP+8]
7C838EF6 FF15 F814807C CALL DWORD PTR DS:[<&ntdll.NtGetConte>; ntdll.ZwGetContextThread
7C838EFC 85C0 TEST EAX, EAX
7C838EFE 0F8C 57B60000 JL kernel32.7C84455B
7C838F04 33C0 XOR EAX, EAX
7C838F06 40 INC EAX
7C838F07 5D POP EBP
7C838F08 C2 0800 RETN 8
Alt+F9 brings us back to:
00805E47 . 50 PUSH EAX
00805E48 . F7D0 NOT EAX
00805E4A . 0FC8 BSWAP EAX
00805E4C . 58 POP EAX
00805E4D . 73 00 JNB SHORT ezcddax.00805E4F
00805E4F > 9C PUSHFD
00805E50 . 60 PUSHAD
00805E51 . EB 2B JMP SHORT ezcddax.00805E7E
In OD, remove the analysis so that the shell's code is shown as it is, and analyse this CC-handling code.
See: http://bbs.pediy.com//showthread ... 0&threadid=6991
It is not analysed again here:
00805E26 83C4 0C ADD ESP, 0C
00805E29 C785 7CEBFFFF 0>MOV DWORD PTR SS:[EBP-1484], 10001
00805E33 8D85 7CEBFFFF LEA EAX, DWORD PTR SS:[EBP-1484]
00805E39 50 PUSH EAX
00805E3A 8B8D 50EEFFFF MOV ECX, DWORD PTR SS:[EBP-11B0]
00805E40 51 PUSH ECX
00805E41 FF15 E0808300 CALL DWORD PTR DS:[<&KERNEL32.GetThre>; kernel32.GetThreadContext
00805E47 50 PUSH EAX
00805E48 F7D0 NOT EAX
00805E4A 0FC8 BSWAP EAX
{handling code}
00806201 66:92 XCHG AX, DX
00806203 8BC0 MOV EAX, EAX
00806205 8D95 7CEBFFFF LEA EDX, DWORD PTR SS:[EBP-1484]
0080620B 52 PUSH EDX
0080620C 8B85 50EEFFFF MOV EAX, DWORD PTR SS:[EBP-11B0]
00806212 50 PUSH EAX
00806213 FF15 DC808300 CALL DWORD PTR DS:[<&KERNEL32.SetThre>; kernel32.SetThreadContext
00806219 60 PUSHAD
0080621A 33C0 XOR EAX, EAX
0080621C 75 02 JNZ SHORT ezcddax.00806220
0080621E EB 15 JMP SHORT ezcddax.00806235
00806220 EB 33 JMP SHORT ezcddax.00806255
2. Using this code to find the approximate range of the CCs
From the analysis we know that in this fragment:
00805EC3 8B95 34ECFFFF MOV EDX, DWORD PTR SS:[EBP-13CC]
00805EC9 52 PUSH EDX
00805ECA 8B85 48EEFFFF MOV EAX, DWORD PTR SS:[EBP-11B8]
the instruction
00805EC3 8B95 34ECFFFF MOV EDX, DWORD PTR SS:[EBP-13CC]
moves, from the Context, the address of the byte following the CC at the time of the trap into EDX. At
00805E9F 52 PUSH EDX
set a [conditional log breakpoint]:
Expression: [EDX]
Pause program: never
Log expression value: always
Set [log] to file, enter a file name to save, and remove the GetThreadContext breakpoint.
Once set, run the program and exercise as many of its functions as possible; close OD and the log gives a table of CC addresses:
00805E9F COND: 00439891
7C838EEB 断点位于 kernel32.GetThreadContext
00805E9F COND: 0043989E
00805E9F COND: 00439962
00805E9F COND: 00439989
00805E9F COND: 004399A3
00805E9F COND: 004399AD
00805E9F COND: 00439B5A
00805E9F COND: 00439B84
00805E9F COND: 00439B92
00805E9F COND: 00439C2D
00805E9F COND: 00439B9C
00805E9F COND: 00439BA4
00805E9F COND: 00439BE2
00805E9F COND: 00439C2D
00805E9F COND: 00439B9C
00805E9F COND: 00439BA4
00805E9F COND: 00439BE2
00805E9F COND: 00439C2D
00805E9F COND: 00439C52
00805E9F COND: 0046C5D4
00805E9F COND: 0046C604
00805E9F COND: 0046C786
00805E9F COND: 0046C82B
00805E9F COND: 004E3251
00805E9F COND: 004E3262
00805E9F COND: 004E3280
00805E9F COND: 004E32B1
00805E9F COND: 004E33D1
00805E9F COND: 004E34F1
00805E9F COND: 004E35A7
00805E9F COND: 0046DB82
00805E9F COND: 0046DBC7
00805E9F COND: 0046DC19
00400000 卸载 C:\Program Files\Easy CD-DA Extractor 9\ezcddax.exe
操作完成
Because this is only a demonstration of the method, this table may be incomplete.
The log above shows the approximate range of the CCs. Open the dumped file in OD, go to the memory window, and save the binary code of the text section to a file code.txt for later use.
3. Finding the CC addresses
Reload the main program in OD, bp GetThreadContext, run; the second break again arrives at:
00805E26 83C4 0C ADD ESP, 0C
00805E29 C785 7CEBFFFF 0>MOV DWORD PTR SS:[EBP-1484], 10001
00805E33 8D85 7CEBFFFF LEA EAX, DWORD PTR SS:[EBP-1484]
00805E39 50 PUSH EAX
00805E3A 8B8D 50EEFFFF MOV ECX, DWORD PTR SS:[EBP-11B0]
00805E40 51 PUSH ECX
00805E41 FF15 E0808300 CALL DWORD PTR DS:[<&KERNEL32.GetThre>; kernel32.GetThreadContext
00805E47 50 PUSH EAX // stopped here
In OD's memory window, select the text section and double-click to open it:
00401000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00401010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Open the saved code.txt and copy its binary code into the text section's memory. Then pick a region of the shell's section that is not in use for now to hold the CC addresses we will collect, for example:
00828000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Record the current registers:
EAX 00000001
ECX 0012DC78
EDX 7C92EB94 ntdll.KiFastSystemCallRet
EBX 7FFDE000
ESP 0012DC98
EBP 0012F79C
ESI 00000017
EDI 0012E2EC
EIP 00805E47 ezcddax.00805E47
C 0 ES 0023 32位 0(FFFFFFFF)
P 0 CS 001B 32位 0(FFFFFFFF)
A 0 SS 0023 32位 0(FFFFFFFF)
Z 0 DS 0023 32位 0(FFFFFFFF)
S 0 FS 003B 32位 7FFDD000(FFF)
T 0 GS 0000 NULL
D 0
O 0 LastErr ERROR_SEM_TIMEOUT (00000079)
EFL 00000202 (NO,NB,NE,A,NS,PO,GE,G)
ST0 empty -UNORM D1D8 01050104 00000000
ST1 empty 0.0
ST2 empty 0.0
ST3 empty 0.0
ST4 empty 0.0
ST5 empty 0.0
ST6 empty 0.0
ST7 empty 0.0
3 2 1 0 E S P U O Z D I
FST 0000 Cond 0 0 0 0 Err 0 0 0 0 0 0 0 0 (GT)
FCW 027F Prec NEAR,53 掩码 1 1 1 1 1 1
Write a small routine to search for the CC addresses:
007D8000 9C PUSHFD
007D8001 60 PUSHAD
007D8002 B8 00984300 MOV EAX, ezcddax.00439800
007D8007 BB 00808200 MOV EBX, ezcddax.00828000
007D800C 8038 CC CMP BYTE PTR DS:[EAX], 0CC
007D800F 74 0C JE SHORT ezcddax.007D801D
007D8011 83C0 01 ADD EAX, 1
007D8014 3D 00004700 CMP EAX, ezcddax.00470000
007D8019 74 11 JE SHORT ezcddax.007D802C
007D801B ^ EB EF JMP SHORT ezcddax.007D800C
007D801D 8D40 01 LEA EAX, DWORD PTR DS:[EAX+1]
007D8020 8903 MOV DWORD PTR DS:[EBX], EAX
007D8022 83C0 01 ADD EAX, 1
007D8025 83C3 04 ADD EBX, 4
007D8028 ^ EB E5 JMP SHORT ezcddax.007D800F
007D802A 90 NOP
007D802B 90 NOP
007D802C 61 POPAD
007D802D 9D POPFD
007D802E 90 NOP
Binary code:
9C 60 B8 00 98 43 00 BB 00 80 82 00 80 38 CC 74 0C 83 C0 01 3D 00 00 47 00 74 11 EB EF 8D 40 01
89 03 83 C0 01 83 C3 04 EB E5 90 90 61 9D 90
Set a new EIP at 007D8000, place a breakpoint at 007D802E, and run this code; at address 00828000 you obtain a table of CC addresses:
00828000 91 98 43 00 9E 98 43 00 62 99 43 00 73 99 43 00
00828010 89 99 43 00 A3 99 43 00 A7 99 43 00 AD 99 43 00
00828020 5A 9B 43 00 84 9B 43 00 92 9B 43 00 9C 9B 43 00
00828030 A4 9B 43 00 E2 9B 43 00 F7 9B 43 00 FB 9B 43 00
00828040 2D 9C 43 00 52 9C 43 00 BC 9D 43 00 87 9F 43 00
00828050 F2 A0 43 00 14 A1 43 00 A6 A3 43 00 D2 A4 43 00
00828060 E3 A4 43 00 11 A5 43 00 D9 A5 43 00 CC A9 43 00
00828070 37 AA 43 00 74 AA 43 00 87 AA 43 00 8F AA 43 00
00828080 27 B4 43 00 45 B5 43 00 C5 B6 43 00 DA B6 43 00
00828090 5A B7 43 00 C3 B7 43 00 CC B7 43 00 60 B8 43 00
008280A0 81 B8 43 00 EC B8 43 00 29 B9 43 00 3C B9 43 00
008280B0 44 B9 43 00 B5 BD 43 00 8F C1 43 00 95 C1 43 00
008280C0 AF C1 43 00 3E C2 43 00 C6 CC 43 00 5F CD 43 00
008280D0 65 CD 43 00 77 CD 43 00 86 CD 43 00 F9 CF 43 00
008280E0 FC CF 43 00 03 D0 43 00 B6 D2 43 00 BC D2 43 00
008280F0 56 D4 43 00 91 D4 43 00 97 D4 43 00 AA D4 43 00
00828100 BD D4 43 00 D0 D4 43 00 E3 D4 43 00 F6 D4 43 00
00828110 09 D5 43 00 1C D5 43 00 2F D5 43 00 42 D5 43 00
00828120 55 D5 43 00 6D D5 43 00 A3 D6 43 00 05 DD 43 00
00828130 BD E1 43 00 2A E6 43 00 45 E6 43 00 71 E8 43 00
00828140 3C EE 43 00 6B EF 43 00 96 F8 43 00 19 F9 43 00
00828150 37 FA 43 00 6D FA 43 00 A3 FA 43 00 D9 FA 43 00
00828160 0F FB 43 00 53 FB 43 00 DD FB 43 00 2E FC 43 00
00828170 AE 00 44 00 46 01 44 00 72 01 44 00 86 01 44 00
00828180 14 02 44 00 D0 02 44 00 FD 02 44 00 4F 03 44 00
00828190 89 03 44 00 B5 03 44 00 98 08 44 00 C0 08 44 00
008281A0 2A 09 44 00 9F 09 44 00 BC 0D 44 00 BF 0D 44 00
008281B0 D9 0D 44 00 46 0E 44 00 3B 11 44 00 7D 12 44 00
008281C0 1F 13 44 00 63 13 44 00 B5 16 44 00 AD 19 44 00
008281D0 D4 19 44 00 E5 19 44 00 04 1A 44 00 5E 20 44 00
008281E0 72 20 44 00 8C 20 44 00 9A 20 44 00 F8 20 44 00
008281F0 FD 20 44 00 61 22 44 00 7D 22 44 00 95 22 44 00
00828200 AC 22 44 00 75 23 44 00 F9 23 44 00 FF 23 44 00
00828210 8F 28 44 00 A5 28 44 00 BB 28 44 00 D1 28 44 00
00828220 37 2A 44 00 3D 2A 44 00 54 2A 44 00 B5 2A 44 00
00828230 D7 2A 44 00 0A 2D 44 00 D4 2D 44 00 23 2E 44 00
00828240 0A 31 44 00 1C 31 44 00 BB 31 44 00 CB 31 44 00
00828250 DD 31 44 00 7C 32 44 00 E1 33 44 00 B5 34 44 00
00828260 EC 36 44 00 61 37 44 00 54 39 44 00 15 3B 44 00
00828270 14 3E 44 00 4D 3E 44 00 CD 3E 44 00 D6 3F 44 00
00828280 62 41 44 00 9F 43 44 00 F5 43 44 00 6E 44 44 00
00828290 EF 44 44 00 F2 44 44 00 57 45 44 00 5D 45 44 00
008282A0 73 45 44 00 87 45 44 00 AB 45 44 00 93 46 44 00
008282B0 AD 47 44 00 72 48 44 00 75 48 44 00 5B 4F 44 00
008282C0 5E 4F 44 00 9A 4F 44 00 3B 51 44 00 3E 51 44 00
008282D0 7A 51 44 00 3E 53 44 00 71 53 44 00 74 53 44 00
008282E0 00 54 44 00 2A 54 44 00 3E 54 44 00 76 54 44 00
008282F0 A9 54 44 00 AC 54 44 00 D1 54 44 00 3E 55 44 00
00828300 68 55 44 00 7C 55 44 00 15 59 44 00 AF 59 44 00
00828310 BA 59 44 00 47 5A 44 00 0C 67 44 00 0F 67 44 00
00828320 32 67 44 00 5E 67 44 00 39 6A 44 00 C9 6A 44 00
00828330 D9 6A 44 00 1E 6B 44 00 33 6C 44 00 5B 6C 44 00
00828340 69 6C 44 00 89 6D 44 00 8E 6D 44 00 AA 6D 44 00
00828350 29 71 44 00 4A 71 44 00 0A 7C 44 00 15 7C 44 00
00828360 23 7C 44 00 36 7F 44 00 5E 7F 44 00 61 7F 44 00
00828370 CE 7F 44 00 F3 7F 44 00 07 80 44 00 40 81 44 00
00828380 43 81 44 00 53 81 44 00 1B 82 44 00 39 82 44 00
00828390 33 83 44 00 47 83 44 00 D5 85 44 00 E5 85 44 00
008283A0 1E 8B 44 00 29 8B 44 00 6A 8B 44 00 E8 91 44 00
008283B0 77 95 44 00 85 95 44 00 97 95 44 00 B5 A1 44 00
008283C0 85 BA 44 00 D6 BA 44 00 12 BB 44 00 33 BB 44 00
008283D0 DF BD 44 00 0D C3 44 00 F2 C4 44 00 FB C4 44 00
008283E0 06 C5 44 00 17 C5 44 00 28 C5 44 00 39 C5 44 00
008283F0 4A C5 44 00 5B C5 44 00 64 C5 44 00 6C C5 44 00
00828400 7D C5 44 00 8E C5 44 00 9F C5 44 00 B0 C5 44 00
00828410 C1 C5 44 00 CD C5 44 00 D9 C5 44 00 E5 C5 44 00
00828420 F1 C5 44 00 FD C5 44 00 09 C6 44 00 3D C9 44 00
00828430 B5 CA 44 00 08 CD 44 00 0E CD 44 00 1F CD 44 00
00828440 3B CD 44 00 D8 D7 44 00 DF D7 44 00 D5 DF 44 00
00828450 50 E6 44 00 05 EB 44 00 65 EB 44 00 7E EC 44 00
00828460 78 EF 44 00 CD F5 44 00 68 F6 44 00 40 FC 44 00
00828470 43 FC 44 00 4E FC 44 00 5A FC 44 00 66 FC 44 00
00828480 DF 04 45 00 05 05 45 00 2D 05 45 00 42 05 45 00
00828490 8B 05 45 00 C2 05 45 00 80 0A 45 00 DF 0A 45 00
008284A0 FB 15 45 00 FE 15 45 00 07 16 45 00 7E 16 45 00
008284B0 91 16 45 00 C0 16 45 00 CA 16 45 00 F3 16 45 00
008284C0 40 17 45 00 6A 17 45 00 D8 17 45 00 E1 17 45 00
008284D0 EA 17 45 00 F4 17 45 00 FC 17 45 00 B3 18 45 00
008284E0 58 1A 45 00 AE 1A 45 00 64 1F 45 00 C3 1F 45 00
008284F0 BA 20 45 00 E1 22 45 00 AE 24 45 00 BB 24 45 00
00828500 C1 24 45 00 D7 24 45 00 DF 25 45 00 F5 25 45 00
00828510 55 26 45 00 69 26 45 00 72 26 45 00 76 26 45 00
00828520 81 26 45 00 8B 26 45 00 93 26 45 00 55 27 45 00
00828530 99 28 45 00 2F 29 45 00 97 2B 45 00 C7 2B 45 00
00828540 28 2C 45 00 84 30 45 00 DE 30 45 00 57 32 45 00
00828550 5B 33 45 00 D8 33 45 00 DD 33 45 00 2A 34 45 00
00828560 5C 37 45 00 BA 37 45 00 94 42 45 00 B0 42 45 00
00828570 D0 42 45 00 00 43 45 00 93 45 45 00 EC 45 45 00
00828580 FA 45 45 00 24 54 45 00 32 54 45 00 90 54 45 00
00828590 FB 56 45 00 0D 57 45 00 27 5D 45 00 ED 62 45 00
008285A0 51 70 45 00 C9 71 45 00 0D 77 45 00 22 78 45 00
008285B0 33 78 45 00 9A 78 45 00 FD 7C 45 00 19 82 45 00
008285C0 1F 82 45 00 AA 84 45 00 3A 85 45 00 C3 87 45 00
008285D0 4C 8D 45 00 68 8D 45 00 1D 92 45 00 71 93 45 00
008285E0 8C 93 45 00 B9 93 45 00 CA 93 45 00 05 94 45 00
008285F0 0D 94 45 00 13 94 45 00 1A 94 45 00 22 94 45 00
00828600 58 94 45 00 C4 94 45 00 53 95 45 00 76 95 45 00
00828610 96 95 45 00 B9 95 45 00 D9 95 45 00 DF 95 45 00
00828620 FB 95 45 00 14 96 45 00 31 96 45 00 4A 96 45 00
00828630 67 96 45 00 7C 96 45 00 8F 96 45 00 95 96 45 00
00828640 B1 96 45 00 C6 96 45 00 D9 96 45 00 DF 96 45 00
00828650 FB 96 45 00 10 97 45 00 23 97 45 00 FD 97 45 00
00828660 19 98 45 00 65 98 45 00 75 98 45 00 87 98 45 00
00828670 95 98 45 00 A3 98 45 00 B1 98 45 00 BF 98 45 00
00828680 CD 98 45 00 DB 98 45 00 E9 98 45 00 F7 98 45 00
00828690 31 9A 45 00 3D 9A 45 00 4C 9A 45 00 56 9A 45 00
008286A0 67 9A 45 00 73 9A 45 00 84 9A 45 00 90 9A 45 00
008286B0 A1 9A 45 00 AD 9A 45 00 BE 9A 45 00 CA 9A 45 00
008286C0 DB 9A 45 00 E7 9A 45 00 F5 9A 45 00 01 9B 45 00
008286D0 0F 9B 45 00 1B 9B 45 00 29 9B 45 00 35 9B 45 00
008286E0 43 9B 45 00 14 9D 45 00 84 9D 45 00 A5 9E 45 00
008286F0 B2 9E 45 00 F4 9E 45 00 FE 9E 45 00 94 9F 45 00
00828700 09 A0 45 00 B5 A0 45 00 D3 A0 45 00 EE A0 45 00
00828710 30 A2 45 00 3D A2 45 00 17 A3 45 00 1D A3 45 00
00828720 6A A3 45 00 72 A3 45 00 8D A3 45 00 95 A3 45 00
00828730 9F A3 45 00 A5 A3 45 00 A9 A3 45 00 AD A3 45 00
00828740 52 A4 45 00 AB A4 45 00 45 A5 45 00 48 A5 45 00
00828750 50 A5 45 00 65 A5 45 00 E3 A7 45 00 6D A9 45 00
00828760 7E A9 45 00 9E A9 45 00 C8 A9 45 00 23 AA 45 00
00828770 43 AA 45 00 65 AB 45 00 D2 AB 45 00 E5 AB 45 00
00828780 83 AC 45 00 E1 AC 45 00 5E AD 45 00 8F AD 45 00
00828790 AC AD 45 00 B6 AD 45 00 CA AD 45 00 D6 AD 45 00
008287A0 E2 AD 45 00 EE AD 45 00 02 AE 45 00 16 AE 45 00
008287B0 69 AF 45 00 75 AF 45 00 81 AF 45 00 57 B2 45 00
008287C0 98 B4 45 00 77 B6 45 00 DA B7 45 00 DB BC 45 00
008287D0 ED BC 45 00 00 BF 45 00 03 BF 45 00 0F BF 45 00
008287E0 A1 BF 45 00 FD BF 45 00 C3 C0 45 00 DC C0 45 00
008287F0 EE C0 45 00 13 C1 45 00 25 C1 45 00 4A C1 45 00
00828800 5C C1 45 00 81 C1 45 00 93 C1 45 00 A5 C1 45 00
00828810 B8 C2 45 00 D1 C2 45 00 F3 C2 45 00 28 C3 45 00
00828820 4A C3 45 00 7F C3 45 00 A1 C3 45 00 D6 C3 45 00
00828830 F8 C3 45 00 1A C4 45 00 D8 C6 45 00 F6 C6 45 00
00828840 8D C7 45 00 D7 C7 45 00 18 C8 45 00 26 C8 45 00
00828850 70 C8 45 00 9E C8 45 00 A1 C8 45 00 A4 C8 45 00
00828860 B1 C8 45 00 B7 C8 45 00 A5 C9 45 00 B5 C9 45 00
00828870 0C CB 45 00 3D CB 45 00 75 CB 45 00 0B CD 45 00
00828880 31 CD 45 00 39 D8 45 00 0A DD 45 00 0D DD 45 00
00828890 C5 DD 45 00 5E DE 45 00 A3 DE 45 00 F1 DE 45 00
008288A0 F5 DE 45 00 06 E1 45 00 2C E1 45 00 0E E9 45 00
008288B0 7F F5 45 00 C6 F5 45 00 87 F6 45 00 A2 F6 45 00
008288C0 00 FB 45 00 9E FB 45 00 A1 FB 45 00 CC FB 45 00
008288D0 4F FC 45 00 C3 FC 45 00 12 FD 45 00 D5 FF 45 00
008288E0 3E 00 46 00 FA 01 46 00 15 02 46 00 31 02 46 00
008288F0 4D 02 46 00 14 04 46 00 52 04 46 00 FE 04 46 00
00828900 20 0F 46 00 ED 12 46 00 8E 14 46 00 2D 18 46 00
00828910 61 1C 46 00 3E 23 46 00 7F 23 46 00 09 24 46 00
00828920 13 24 46 00 1D 24 46 00 4F 24 46 00 59 24 46 00
00828930 7D 24 46 00 8D 24 46 00 99 24 46 00 A3 24 46 00
00828940 AD 24 46 00 DF 24 46 00 E9 24 46 00 10 25 46 00
00828950 20 25 46 00 2C 25 46 00 36 25 46 00 40 25 46 00
00828960 72 25 46 00 7C 25 46 00 A3 25 46 00 B3 25 46 00
00828970 BF 25 46 00 C9 25 46 00 D3 25 46 00 05 26 46 00
00828980 0F 26 46 00 36 26 46 00 46 26 46 00 52 26 46 00
00828990 5C 26 46 00 66 26 46 00 98 26 46 00 A2 26 46 00
008289A0 C9 26 46 00 D9 26 46 00 EB 26 46 00 F5 26 46 00
008289B0 03 27 46 00 38 27 46 00 42 27 46 00 6F 27 46 00
008289C0 7F 27 46 00 91 27 46 00 9B 27 46 00 A9 27 46 00
008289D0 DE 27 46 00 E8 27 46 00 15 28 46 00 25 28 46 00
008289E0 37 28 46 00 41 28 46 00 4F 28 46 00 84 28 46 00
008289F0 8E 28 46 00 BB 28 46 00 CB 28 46 00 DD 28 46 00
00828A00 E7 28 46 00 F5 28 46 00 2A 29 46 00 34 29 46 00
00828A10 61 29 46 00 71 29 46 00 83 29 46 00 8D 29 46 00
00828A20 9B 29 46 00 D0 29 46 00 DA 29 46 00 07 2A 46 00
00828A30 17 2A 46 00 29 2A 46 00 33 2A 46 00 41 2A 46 00
00828A40 76 2A 46 00 80 2A 46 00 AD 2A 46 00 BD 2A 46 00
00828A50 CF 2A 46 00 D9 2A 46 00 E7 2A 46 00 1C 2B 46 00
00828A60 26 2B 46 00 53 2B 46 00 63 2B 46 00 75 2B 46 00
00828A70 7F 2B 46 00 8D 2B 46 00 C2 2B 46 00 CC 2B 46 00
00828A80 F9 2B 46 00 09 2C 46 00 F2 2C 46 00 F8 2C 46 00
00828A90 11 2D 46 00 9A 33 46 00 AD 33 46 00 39 41 46 00
00828AA0 6B 41 46 00 8C 41 46 00 B0 41 46 00 FD 41 46 00
00828AB0 87 42 46 00 A2 42 46 00 98 43 46 00 BA 43 46 00
00828AC0 E9 43 46 00 48 44 46 00 E5 44 46 00 07 46 46 00
00828AD0 2D 46 46 00 50 46 46 00 74 46 46 00 0A 47 46 00
00828AE0 15 47 46 00 1B 47 46 00 3A 47 46 00 3D 47 46 00
00828AF0 68 47 46 00 FD 51 46 00 F1 67 46 00 D2 76 46 00
00828B00 9D 78 46 00 D8 79 46 00 EA 7B 46 00 4F 7D 46 00
00828B10 52 7D 46 00 5D 7D 46 00 66 7D 46 00 8F 7D 46 00
00828B20 A3 7D 46 00 B4 7D 46 00 65 7E 46 00 A5 7E 46 00
00828B30 B5 7E 46 00 FE 7E 46 00 0D 80 46 00 0D 81 46 00
00828B40 7D 81 46 00 51 82 46 00 1D 83 46 00 4B 83 46 00
00828B50 74 84 46 00 9A 84 46 00 86 85 46 00 C1 85 46 00
00828B60 54 86 46 00 82 86 46 00 D2 87 46 00 F5 87 46 00
00828B70 DD 88 46 00 A1 89 46 00 D1 89 46 00 D6 89 46 00
00828B80 9A 8A 46 00 BE 8A 46 00 E2 8B 46 00 BE 8C 46 00
00828B90 EE 8C 46 00 E2 8D 46 00 CF 91 46 00 E4 91 46 00
00828BA0 14 92 46 00 1E 92 46 00 27 92 46 00 38 92 46 00
00828BB0 41 92 46 00 26 93 46 00 29 93 46 00 F6 93 46 00
00828BC0 F9 93 46 00 C4 97 46 00 44 98 46 00 5F 98 46 00
00828BD0 68 98 46 00 8E 98 46 00 EA 98 46 00 00 99 46 00
00828BE0 19 9C 46 00 27 9C 46 00 3F 9C 46 00 6B 9D 46 00
00828BF0 77 9D 46 00 99 9D 46 00 A5 9D 46 00 04 9E 46 00
00828C00 0E 9E 46 00 14 9E 46 00 C8 9E 46 00 10 9F 46 00
00828C10 3C 9F 46 00 5D 9F 46 00 0A A4 46 00 A4 A4 46 00
00828C20 03 A5 46 00 E7 AB 46 00 03 AC 46 00 CC AC 46 00
00828C30 94 AD 46 00 AF AD 46 00 78 AE 46 00 03 B0 46 00
00828C40 D3 B0 46 00 12 B1 46 00 18 B1 46 00 29 B1 46 00
00828C50 77 B1 46 00 3A B3 46 00 2A B8 46 00 4A B8 46 00
00828C60 90 B8 46 00 9E B8 46 00 0B B9 46 00 3A B9 46 00
00828C70 44 B9 46 00 6D B9 46 00 8F B9 46 00 3C BA 46 00
00828C80 4A BA 46 00 A4 BA 46 00 12 BC 46 00 15 BC 46 00
00828C90 18 BC 46 00 AE BC 46 00 B1 BC 46 00 B4 BC 46 00
00828CA0 07 BD 46 00 29 BD 46 00 C6 BD 46 00 97 C3 46 00
00828CB0 B5 C3 46 00 C6 C5 46 00 D4 C5 46 00 04 C6 46 00
00828CC0 11 C6 46 00 23 C6 46 00 A5 C6 46 00 86 C7 46 00
00828CD0 C8 C7 46 00 2B C8 46 00 32 CB 46 00 80 CC 46 00
00828CE0 DE CC 46 00 85 D7 46 00 8B D7 46 00 B2 D7 46 00
00828CF0 CE D7 46 00 9A D9 46 00 2E DB 46 00 82 DB 46 00
00828D00 C7 DB 46 00 15 DC 46 00 19 DC 46 00 2D DC 46 00
00828D10 7D DC 46 00 B1 DC 46 00 08 DF 46 00 40 E0 46 00
00828D20 90 E1 46 00 EC E2 46 00 24 E4 46 00 74 E5 46 00
00828D30 86 E7 46 00 89 E7 46 00 D2 E7 46 00 AD E8 46 00
00828D40 D0 E8 46 00 D8 E8 46 00 EE E8 46 00 03 E9 46 00
00828D50 20 E9 46 00 1D EA 46 00 40 EA 46 00 48 EA 46 00
00828D60 5E EA 46 00 73 EA 46 00 90 EA 46 00 DC EA 46 00
00828D70 FA EA 46 00 91 EB 46 00 DB EB 46 00 1C EC 46 00
00828D80 2A EC 46 00 74 EC 46 00 A2 EC 46 00 A5 EC 46 00
00828D90 A8 EC 46 00 B8 EC 46 00 D6 EC 46 00 6D ED 46 00
00828DA0 B7 ED 46 00 F8 ED 46 00 06 EE 46 00 50 EE 46 00
00828DB0 7E EE 46 00 81 EE 46 00 84 EE 46 00 DC EE 46 00
00828DC0 EA EE 46 00 1D EF 46 00 4D EF 46 00 7F F1 46 00
00828DD0 89 F1 46 00 B7 F1 46 00 D8 F1 46 00 CC F2 46 00
00828DE0 DD F2 46 00 15 F3 46 00 45 F6 46 00 48 F6 46 00
00828DF0 6B F6 46 00 AC F6 46 00 84 F7 46 00 A5 F7 46 00
00828E00 B3 F7 46 00 0B F8 46 00 3F F8 46 00 7A F8 46 00
00828E10 C4 FD 46 00 A1 FF 46 00 00 00 00 00 00 00 00 00
Restore the modified code, return to the original EIP, and check that every register still holds the same value as before.
4. Modify the handler code to complete the CC repair
To use the handler code to repair the CCs, several conditions must be met:
1.> The CC address, which we obtained by the method above.
2.> The jump length; analysis shows that the handler code supplies this to us, and it is used directly below.
3.> The jump type (the condition). This is the key point and also the hard part; we will use the shell's code that emulates the EFLAGS register value to test the flag bits.
Let us modify the handler code one piece at a time:
Supply the CC addresses we obtained to the handler code, using this code --
Modify this code to:
00805E51 8B15 00808200 MOV EDX, DWORD PTR DS:[828000] ; ezcddax.00439891
00805E57 8915 008F8200 MOV DWORD PTR DS:[828F00], EDX ; pass the parameter
00805E5D C705 108F8200 0>MOV DWORD PTR DS:[828F10], ezcddax.00828000
00805E67 90 NOP
00805E68 90 NOP
00805E69 90 NOP
00805E6A 90 NOP
00805E6B 90 NOP
00805E6C 90 NOP
00805E6D 90 NOP
00805E6E 90 NOP
00805E6F 90 NOP
00805E70 90 NOP
00805E71 90 NOP
00805E72 90 NOP
00805E73 90 NOP
00805E74 90 NOP
00805E75 90 NOP
00805E76 90 NOP
00805E77 90 NOP
00805E78 90 NOP
00805E79 90 NOP
00805E7A 90 NOP
00805E7B 90 NOP
00805E7C EB 03 JMP SHORT ezcddax.00805E81
Look at the original address fetch:
00805EC3 8B95 34ECFFFF MOV EDX, DWORD PTR SS:[EBP-13CC] // fetch the field from the CONTEXT
00805EC9 52 PUSH EDX
The modification writes the first entry of the CC address table, 00439891, to address 00828F00, and the patch above then hands it to the handler code.
The following code checks whether the CC address is in the table:
00805ECA 8B85 48EEFFFF MOV EAX, DWORD PTR SS:[EBP-11B8]
00805ED0 FF1485 98CD8300 CALL DWORD PTR DS:[EAX*4+83CD98]
00805ED7 83C4 04 ADD ESP, 4
00805EDA 8985 78EBFFFF MOV DWORD PTR SS:[EBP-1488], EAX
00805EE0 C785 74EBFFFF 0>MOV DWORD PTR SS:[EBP-148C], 0
00805EEA 8B8D 48EEFFFF MOV ECX, DWORD PTR SS:[EBP-11B8]
00805EF0 8B148D 00F38300 MOV EDX, DWORD PTR DS:[ECX*4+83F300]
00805EF7 8995 54EEFFFF MOV DWORD PTR SS:[EBP-11AC], EDX
00805EFD 8B85 74EBFFFF MOV EAX, DWORD PTR SS:[EBP-148C]
00805F03 3B85 54EEFFFF CMP EAX, DWORD PTR SS:[EBP-11AC]
00805F09 7D 5C JGE SHORT ezcddax.00805F67
00805F0B 8B85 54EEFFFF MOV EAX, DWORD PTR SS:[EBP-11AC]
00805F11 2B85 74EBFFFF SUB EAX, DWORD PTR SS:[EBP-148C]
00805F17 99 CDQ
00805F18 2BC2 SUB EAX, EDX
00805F1A D1F8 SAR EAX, 1
00805F1C 8B8D 74EBFFFF MOV ECX, DWORD PTR SS:[EBP-148C]
00805F22 03C8 ADD ECX, EAX
00805F24 898D 70EBFFFF MOV DWORD PTR SS:[EBP-1490], ECX
00805F2A 8B95 48EEFFFF MOV EDX, DWORD PTR SS:[EBP-11B8]
00805F30 8B0495 7CF28300 MOV EAX, DWORD PTR DS:[EDX*4+83F27C]
00805F37 8B8D 70EBFFFF MOV ECX, DWORD PTR SS:[EBP-1490]
00805F3D 8B95 78EBFFFF MOV EDX, DWORD PTR SS:[EBP-1488]
00805F43 3B1488 CMP EDX, DWORD PTR DS:[EAX+ECX*4]
00805F46 76 11 JBE SHORT ezcddax.00805F59
00805F48 8B85 70EBFFFF MOV EAX, DWORD PTR SS:[EBP-1490]
00805F4E 83C0 01 ADD EAX, 1
00805F51 8985 74EBFFFF MOV DWORD PTR SS:[EBP-148C], EAX
00805F57 EB 0C JMP SHORT ezcddax.00805F65
00805F59 8B8D 70EBFFFF MOV ECX, DWORD PTR SS:[EBP-1490]
00805F5F 898D 54EEFFFF MOV DWORD PTR SS:[EBP-11AC], ECX
00805F65 ^ EB 96 JMP SHORT ezcddax.00805EFD
00805F67 60 PUSHAD
00805F68 33C0 XOR EAX, EAX
00805F6A 75 02 JNZ SHORT ezcddax.00805F6E
00805F6C EB 15 JMP SHORT ezcddax.00805F83
00805F6E EB 33 JMP SHORT ezcddax.00805FA3
00805F70 C075 18 7A SAL BYTE PTR SS:[EBP+18], 7A
00805F74 0C 70 OR AL, 70
00805F76 0E PUSH CS
00805F77 EB 0D JMP SHORT ezcddax.00805F86
00805F79 E8 720E79F1 CALL F1F96DF0
00805F7E FF15 00790974 CALL DWORD PTR DS:[74097900]
00805F84 F0:EB 87 LOCK JMP SHORT ezcddax.00805F0E ; lock prefix not allowed
00805F87 DB7A F0 FSTP TBYTE PTR DS:[EDX-10]
00805F8A A0 33618B95 MOV AL, BYTE PTR DS:[958B6133]
00805F8F 48 DEC EAX
00805F90 EE OUT DX, AL
00805F91 FFFF ??? ; unknown command
00805F93 8B0495 7CF28300 MOV EAX, DWORD PTR DS:[EDX*4+83F27C]
00805F9A 8B8D 74EBFFFF MOV ECX, DWORD PTR SS:[EBP-148C]
00805FA0 8B1488 MOV EDX, DWORD PTR DS:[EAX+ECX*4]
00805FA3 3B95 78EBFFFF CMP EDX, DWORD PTR SS:[EBP-1488] // compare the table value with the value computed from the CC address, to test whether the CC address is valid
00805FA9 0F85 90020000 JNZ ezcddax.0080623F
Next we reach the entry of the shell's function that emulates the EFLAGS register value to test the flag bits; this entry is a variable that depends on the CC address.
00806006 8B85 48EEFFFF MOV EAX, DWORD PTR SS:[EBP-11B8]
0080600C 8B0C85 64F38300 MOV ECX, DWORD PTR DS:[EAX*4+83F364]
00806013 8B95 74EBFFFF MOV EDX, DWORD PTR SS:[EBP-148C]
00806019 8B0491 MOV EAX, DWORD PTR DS:[ECX+EDX*4]
0080601C 8985 5CEBFFFF MOV DWORD PTR SS:[EBP-14A4], EAX
00806022 8B8D 3CECFFFF MOV ECX, DWORD PTR SS:[EBP-13C4]
00806028 81E1 D70F0000 AND ECX, 0FD7
0080602E 898D 6CEBFFFF MOV DWORD PTR SS:[EBP-1494], ECX
00806034 8B95 5CEBFFFF MOV EDX, DWORD PTR SS:[EBP-14A4]
0080603A 81E2 000000FF AND EDX, FF000000
00806040 C1EA 18 SHR EDX, 18
00806043 8995 60EBFFFF MOV DWORD PTR SS:[EBP-14A0], EDX
00806049 8B85 5CEBFFFF MOV EAX, DWORD PTR SS:[EBP-14A4]
0080604F 25 FFFFFF00 AND EAX, 0FFFFFF
00806054 8985 64EBFFFF MOV DWORD PTR SS:[EBP-149C], EAX
0080605A 8B8D 28ECFFFF MOV ECX, DWORD PTR SS:[EBP-13D8]
00806060 51 PUSH ECX
00806061 8B95 6CEBFFFF MOV EDX, DWORD PTR SS:[EBP-1494]
00806067 52 PUSH EDX
00806068 8B85 64EBFFFF MOV EAX, DWORD PTR SS:[EBP-149C]
0080606E 50 PUSH EAX
0080606F 8B8D 60EBFFFF MOV ECX, DWORD PTR SS:[EBP-14A0]
00806075 FF148D 0C888300 CALL DWORD PTR DS:[ECX*4+83880C] // entry of the function that emulates the EFLAGS register value to test the flag bits
0080607C 83C4 0C ADD ESP, 0C
0080607F 8985 68EBFFFF MOV DWORD PTR SS:[EBP-1498], EAX
00806085 8B95 68EBFFFF MOV EDX, DWORD PTR SS:[EBP-1498] // fetch the flag
0080608B 83E2 01 AND EDX, 1
0080608E 85D2 TEST EDX, EDX
00806090 0F84 AE000000 JE ezcddax.00806144 // decide whether the jump is taken
Set a breakpoint at 00806075 FF148D 0C888300 CALL DWORD PTR DS:[ECX*4+83880C]. This is where the trouble with manual repair lies: you have to trace into it every time.
Precisely because this method involves no real technique, I never felt it was worth writing up, for fear of misleading people.
Break at the address above and look at the function entry:
00806075 FF148D 0C888300 CALL DWORD PTR DS:[ECX*4+83880C] ; ezcddax.007FCAE9
DS:[00838BBC]=007FCAE9 (ezcddax.007FCAE9)
Press F7 to step in and look at this handler:
007FCAE9 55 PUSH EBP
007FCAEA 8BEC MOV EBP, ESP
007FCAEC 83EC 40 SUB ESP, 40
007FCAEF C745 D0 6400000>MOV DWORD PTR SS:[EBP-30], 64
007FCAF6 C745 D4 5900000>MOV DWORD PTR SS:[EBP-2C], 59
007FCAFD C745 D8 8400000>MOV DWORD PTR SS:[EBP-28], 84
007FCB04 C745 DC 9C00000>MOV DWORD PTR SS:[EBP-24], 9C
007FCB0B C745 E0 C500000>MOV DWORD PTR SS:[EBP-20], 0C5
007FCB12 C745 E4 7800000>MOV DWORD PTR SS:[EBP-1C], 78
007FCB19 C745 E8 9D00000>MOV DWORD PTR SS:[EBP-18], 9D
007FCB20 C745 EC 4700000>MOV DWORD PTR SS:[EBP-14], 47
007FCB27 C745 F0 0400000>MOV DWORD PTR SS:[EBP-10], 4
007FCB2E C745 C0 0700000>MOV DWORD PTR SS:[EBP-40], 7
007FCB35 8B45 08 MOV EAX, DWORD PTR SS:[EBP+8]
007FCB38 C1E8 04 SHR EAX, 4
007FCB3B 83E0 07 AND EAX, 7
007FCB3E 8B4C85 D0 MOV ECX, DWORD PTR SS:[EBP+EAX*4-30]
007FCB42 894D C4 MOV DWORD PTR SS:[EBP-3C], ECX
007FCB45 8B45 C4 MOV EAX, DWORD PTR SS:[EBP-3C]
007FCB48 99 CDQ
007FCB49 B9 19000000 MOV ECX, 19
007FCB4E F7F9 IDIV ECX
007FCB50 8945 CC MOV DWORD PTR SS:[EBP-34], EAX
007FCB53 8B45 C4 MOV EAX, DWORD PTR SS:[EBP-3C]
007FCB56 99 CDQ
007FCB57 B9 19000000 MOV ECX, 19
007FCB5C F7F9 IDIV ECX
007FCB5E 8955 C8 MOV DWORD PTR SS:[EBP-38], EDX
007FCB61 8B55 CC MOV EDX, DWORD PTR SS:[EBP-34]
007FCB64 3B55 C8 CMP EDX, DWORD PTR SS:[EBP-38]
007FCB67 75 11 JNZ SHORT ezcddax.007FCB7A
007FCB69 8B45 C8 MOV EAX, DWORD PTR SS:[EBP-38]
007FCB6C 83C0 01 ADD EAX, 1
007FCB6F 99 CDQ
007FCB70 B9 19000000 MOV ECX, 19
007FCB75 F7F9 IDIV ECX
007FCB77 8955 C8 MOV DWORD PTR SS:[EBP-38], EDX
007FCB7A 8B55 C4 MOV EDX, DWORD PTR SS:[EBP-3C]
007FCB7D 8B45 CC MOV EAX, DWORD PTR SS:[EBP-34]
007FCB80 8B0C95 48E48300 MOV ECX, DWORD PTR DS:[EDX*4+83E448]
007FCB87 330C85 CC828300 XOR ECX, DWORD PTR DS:[EAX*4+8382CC]
007FCB8E 8B55 C8 MOV EDX, DWORD PTR SS:[EBP-38]
007FCB91 330C95 CC828300 XOR ECX, DWORD PTR DS:[EDX*4+8382CC]
007FCB98 894D F8 MOV DWORD PTR SS:[EBP-8], ECX
007FCB9B 8B45 0C MOV EAX, DWORD PTR SS:[EBP+C]
007FCB9E 50 PUSH EAX
007FCB9F 8B4D C4 MOV ECX, DWORD PTR SS:[EBP-3C]
007FCBA2 0FBE91 88CC8300 MOVSX EDX, BYTE PTR DS:[ECX+83CC88]
007FCBA9 FF1495 C0CB8300 CALL DWORD PTR DS:[EDX*4+83CBC0]
007FCBB0 83C4 04 ADD ESP, 4
007FCBB3 8945 FC MOV DWORD PTR SS:[EBP-4], EAX
007FCBB6 8B45 10 MOV EAX, DWORD PTR SS:[EBP+10]
007FCBB9 50 PUSH EAX
007FCBBA 8B4D FC MOV ECX, DWORD PTR SS:[EBP-4]
007FCBBD 51 PUSH ECX
007FCBBE FF55 F8 CALL DWORD PTR SS:[EBP-8] // the real entry of the function that emulates the EFLAGS register value to test the flag bits
007FCBC1 83C4 08 ADD ESP, 8
007FCBC4 50 PUSH EAX
007FCBC5 8B55 C4 MOV EDX, DWORD PTR SS:[EBP-3C]
007FCBC8 0FBE82 88CC8300 MOVSX EAX, BYTE PTR DS:[EDX+83CC88]
007FCBCF FF1485 24CC8300 CALL DWORD PTR DS:[EAX*4+83CC24]
007FCBD6 83C4 04 ADD ESP, 4
007FCBD9 8945 F4 MOV DWORD PTR SS:[EBP-C], EAX
007FCBDC 8B45 F4 MOV EAX, DWORD PTR SS:[EBP-C]
007FCBDF 83E0 01 AND EAX, 1
007FCBE2 8BE5 MOV ESP, EBP
007FCBE4 5D POP EBP
007FCBE5 C3 RETN
Press F7 to step into 007FCBBE (the function that emulates the EFLAGS register value to test the flag bits)
Analyze this function:
007E8FE9 55 PUSH EBP
007E8FEA 8BEC MOV EBP, ESP
007E8FEC 83EC 0C SUB ESP, 0C
007E8FEF 53 PUSH EBX
007E8FF0 56 PUSH ESI
007E8FF1 57 PUSH EDI
007E8FF2 8B45 08 MOV EAX, DWORD PTR SS:[EBP+8]
007E8FF5 50 PUSH EAX
007E8FF6 FF15 5CCC8300 CALL DWORD PTR DS:[83CC5C] ; ezcddax.007DDF8E
007E8FFC 83C4 04 ADD ESP, 4
007E8FFF 8945 FC MOV DWORD PTR SS:[EBP-4], EAX
007E9002 8B45 FC MOV EAX, DWORD PTR SS:[EBP-4] // fetch the EFLAGS register value from the context field
Stack SS:[0012DC30]=00000246 <-- EFLAGS register value when the CC fired
EAX=00000246
007E9005 70 07 JO SHORT ezcddax.007E900E
007E9007 7C 03 JL SHORT ezcddax.007E900C
007E9009 EB 05 JMP SHORT ezcddax.007E9010
007E900B - E9 74FBEBF9 JMP FA6A8B84
007E9010 53 PUSH EBX
007E9011 8B5D 0C MOV EBX, DWORD PTR SS:[EBP+C]
007E9014 BB FFFF0000 MOV EBX, 0FFFF
007E9019 23C3 AND EAX, EBX // keep the low 2 bytes; note how EAX is handled
007E901B 51 PUSH ECX
007E901C B5 2C MOV CH, 2C
007E901E 80ED 01 SUB CH, 1
007E9021 80ED 20 SUB CH, 20
007E9024 FECD DEC CH
007E9026 FECD DEC CH
007E9028 80ED 04 SUB CH, 4
007E902B FECD DEC CH
007E902D 80ED 03 SUB CH, 3
007E9030 FECD DEC CH
007E9032 22E5 AND AH, CH
007E9034 B1 70 MOV CL, 70
007E9036 80E9 02 SUB CL, 2
007E9039 FEC9 DEC CL
007E903B FEC9 DEC CL
007E903D FEC9 DEC CL
007E903F 80E9 06 SUB CL, 6
007E9042 F6D0 NOT AL
007E9044 0FC9 BSWAP ECX
007E9046 F6D0 NOT AL
007E9048 83E0 00 AND EAX, 0 //EAX and 0 *
007E904B 0FC9 BSWAP ECX
007E904D FEC9 DEC CL
007E904F FEC9 DEC CL
007E9051 80E9 12 SUB CL, 12
007E9054 80C1 0B ADD CL, 0B
007E9057 FEC9 DEC CL
007E9059 FEC9 DEC CL
007E905B 70 07 JO SHORT ezcddax.007E9064
007E905D 7C 03 JL SHORT ezcddax.007E9062
007E905F EB 05 JMP SHORT ezcddax.007E9066
007E9061 C7 ???
007E9062 ^ 74 FB JE SHORT ezcddax.007E905F
007E9064 ^ EB F9 JMP SHORT ezcddax.007E905F
007E9066 FEC9 DEC CL
007E9068 FEC9 DEC CL
007E906A FEC9 DEC CL
007E906C FEC9 DEC CL
007E906E 80E9 40 SUB CL, 40
007E9071 80E9 01 SUB CL, 1
007E9074 FEC9 DEC CL
007E9076 FEC9 DEC CL
007E9078 FEC9 DEC CL
007E907A FEC9 DEC CL
007E907C FEC9 DEC CL
007E907E FEC9 DEC CL
007E9080 FEC9 DEC CL
007E9082 40 INC EAX // EAX +1 **
007E9083 FEC9 DEC CL
007E9085 F7D1 NOT ECX
007E9087 0FC8 BSWAP EAX
007E9089 F7D1 NOT ECX
007E908B 0FC8 BSWAP EAX
007E908D FEC1 INC CL
007E908F 80C1 02 ADD CL, 2
007E9092 59 POP ECX
007E9093 5B POP EBX
007E9094 8945 F4 MOV DWORD PTR SS:[EBP-C], EAX // the result obtained: EAX=1 ***
007E9097 8B0D CC838300 MOV ECX, DWORD PTR DS:[8383CC]
007E909D 330D D0838300 XOR ECX, DWORD PTR DS:[8383D0]
007E90A3 D1E1 SHL ECX, 1
007E90A5 894D F8 MOV DWORD PTR SS:[EBP-8], ECX
007E90A8 837D F4 00 CMP DWORD PTR SS:[EBP-C], 0
007E90AC 74 09 JE SHORT ezcddax.007E90B7 // will it jump? never
007E90AE 8B55 F8 MOV EDX, DWORD PTR SS:[EBP-8]
007E90B1 83CA 01 OR EDX, 1
007E90B4 8955 F8 MOV DWORD PTR SS:[EBP-8], EDX
007E90B7 8B45 F8 MOV EAX, DWORD PTR SS:[EBP-8]
007E90BA 50 PUSH EAX
007E90BB FF15 F8CB8300 CALL DWORD PTR DS:[83CBF8] ; ezcddax.007DDE09
007E90C1 83C4 04 ADD ESP, 4
007E90C4 5F POP EDI
007E90C5 5E POP ESI
007E90C6 5B POP EBX
007E90C7 8BE5 MOV ESP, EBP
007E90C9 5D POP EBP
007E90CA C3 RETN
Continue to the code that computes the offset when the jump is taken:
008060BB 61 POPAD
008060BC 8B85 48EEFFFF MOV EAX, DWORD PTR SS:[EBP-11B8]
008060C2 8B0C85 18F28300 MOV ECX, DWORD PTR DS:[EAX*4+83F218]
008060C9 8B85 74EBFFFF MOV EAX, DWORD PTR SS:[EBP-148C]
008060CF 33D2 XOR EDX, EDX
008060D1 BE 17000000 MOV ESI, 17
008060D6 F7F6 DIV ESI
008060D8 8B85 74EBFFFF MOV EAX, DWORD PTR SS:[EBP-148C]
008060DE 8B0C81 MOV ECX, DWORD PTR DS:[ECX+EAX*4]
008060E1 338C95 70EEFFFF XOR ECX, DWORD PTR SS:[EBP+EDX*4-1190] ; compute the offset
008060E8 8B95 34ECFFFF MOV EDX, DWORD PTR SS:[EBP-13CC] ; address where the CC fired
008060EE 03D1 ADD EDX, ECX
ECX=00000004 computed offset
EDX=00439891 (ezcddax.00439891) address where the CC fired
008060F0 8995 34ECFFFF MOV DWORD PTR SS:[EBP-13CC], EDX
If the jump is not taken, we reach the code that computes the jump instruction length:
0080614F 8B85 48EEFFFF MOV EAX, DWORD PTR SS:[EBP-11B8]
00806155 8B0C85 D0F38300 MOV ECX, DWORD PTR DS:[EAX*4+83F3D0]
0080615C 8B95 74EBFFFF MOV EDX, DWORD PTR SS:[EBP-148C]
00806162 33C0 XOR EAX, EAX
00806164 8A0411 MOV AL, BYTE PTR DS:[ECX+EDX]
///////////////////////////////////////////////////////////////
Points to a table of jump instruction lengths; the values in this table are the instruction length minus 1 byte (because the CC occupies one byte)
01E8DC70 01 05 01 01 04 01 01 01 01 01 01 05 05 01 01 01
01E8DC80 01 05 04 01 05 01 01 01 01 04 01 01 01 01 05 04
01E8DC90 01 05 05 01 01 01 01 01 01 01 01 01 01 05 01 01
01E8DCA0 01 01 01 05 05 01 01 05 01 01 01 01 01 05 01 04
01E8DCB0 01 01 05 05 04 01 01 01 05 01 05 01 01 05 05 01
01E8DCC0 01 01 01 01 05 01 04 BA 0D F0 AD BA 0D F0 AD BA
01E8DCD0 AB AB AB AB AB AB AB AB 00 00 00 00 00 00 00 00
Anyone who has analyzed ordinary program code knows that jump lengths fall into 3 cases:
I short conditional jump, 2 bytes long
II long conditional jump, 6 bytes long
III long jmp, 5 bytes long
From the length in this table we can tell whether a jump is short or long, because short and long jumps have different binary encodings.
//////////////////////////////////////////////////////////////////
00806167 8B8D 34ECFFFF MOV ECX, DWORD PTR SS:[EBP-13CC]
0080616D 03C8 ADD ECX, EAX
0080616F 898D 34ECFFFF MOV DWORD PTR SS:[EBP-13CC], ECX
0080613A 61 POPAD
0080613B 9D POPFD
0080613C 66:92 XCHG AX, DX
0080613E 66:92 XCHG AX, DX
00806140 8BC0 MOV EAX, EAX
00806142 EB 75 JMP SHORT ezcddax.008061B9
Pass in the next parameter and repair the next CC
008061B9 8305 108F8200 0>ADD DWORD PTR DS:[828F10], 4 ; parameter + 1
008061C0 8B15 108F8200 MOV EDX, DWORD PTR DS:[828F10]
008061C6 8B12 MOV EDX, DWORD PTR DS:[EDX]
008061C8 8915 008F8200 MOV DWORD PTR DS:[828F00], EDX
008061CE 83FA 00 CMP EDX, 0
008061D1 ^ 74 E6 JE SHORT ezcddax.008061B9 ; if 00000000 appears, this address is not a CC
008061D3 83FA FF CMP EDX, -1
008061D6 74 08 JE SHORT ezcddax.008061E0 ; if ffffffff, the repair is finished.
008061D8 ^ E9 A6FCFFFF JMP ezcddax.00805E83
008061DD 90 NOP
008061DE 90 NOP
008061DF 90 NOP
008061E0 90 NOP
008061E1 90 NOP
008061E2 90 NOP
83 05 10 8F 82 00 04 8B 15 10 8F 82 00 8B 12 89 15 00 8F 82 00 83 FA 00 74 E6 83 FA FF 74 08 E9
A6 FC FF FF 90 90 90 90 90 90
After debugging, the handler code was modified as shown below, and the intended functionality is essentially complete.
Before running the modified code you must:
<1>. Copy the binary of the dumped file's .text section into the .text section of the process now being debugged.
<2>. Press Alt+M and, in the memory window, change the [access] attribute of the .text section to [full access].
<3>. Copy the binary values of the collected CC addresses into the designated memory.
I put them at [00828000]; whenever debugging shows that a CC is not an int3, change its binary value to 00000000, and keep debugging and keep patching.
<4>. Put FFFFFFFF after the last CC address to mark the end of the CC repair.
<5>. While debugging, take care to copy the modified program's binary data to guard against errors; when finished, copy the binary data in .text into the dump file and save it.
00805E39 . 50 PUSH EAX ; /pContext
00805E3A . 8B8D 50EEFFFF MOV ECX, DWORD PTR SS:[EBP-11B0] ; |
00805E40 . 51 PUSH ECX ; |hThread
00805E41 . FF15 E0808300 CALL DWORD PTR DS:[<&KERNEL32.GetThreadCo>; \GetThreadContext
00805E47 . 90 NOP
00805E48 . 90 NOP
00805E49 . 52 PUSH EDX
00805E4A . 8B15 00808200 MOV EDX, DWORD PTR DS:[828000] ; ezcddax.00439891
00805E50 . 8915 008F8200 MOV DWORD PTR DS:[828F00], EDX
00805E56 . C705 108F8200 0080>MOV DWORD PTR DS:[828F10], ezcddax.00828>
00805E60 . 5A POP EDX
00805E61 . 90 NOP
00805E62 . 90 NOP
00805E63 . 90 NOP
00805E64 . 90 NOP
00805E65 . 90 NOP
00805E66 . 90 NOP
00805E67 . 90 NOP
00805E68 . 90 NOP
00805E69 . 90 NOP
00805E6A . 90 NOP
00805E6B . 90 NOP
00805E6C . 90 NOP
00805E6D . 90 NOP
00805E6E . 90 NOP
00805E6F . 90 NOP
00805E70 . 90 NOP
00805E71 . 90 NOP
00805E72 . 90 NOP
00805E73 . 90 NOP
00805E74 . 90 NOP
00805E75 . 90 NOP
00805E76 . 90 NOP
00805E77 . 90 NOP
00805E78 . 90 NOP
00805E79 . 90 NOP
00805E7A . 90 NOP
00805E7B . 90 NOP
00805E7C . 90 NOP
00805E7D . 90 NOP
00805E7E . 90 NOP
00805E7F . 90 NOP
00805E80 . 90 NOP
00805E81 . 90 NOP
00805E82 . 90 NOP
00805E83 > 90 NOP
00805E84 . 90 NOP
00805E85 . 90 NOP
00805E86 . 90 NOP
00805E87 . 90 NOP
00805E88 . 90 NOP
00805E89 . 90 NOP
00805E8A . 60 PUSHAD
00805E8B . C785 78EBFFFF 0000>MOV DWORD PTR SS:[EBP-1488], 0
00805E95 . 6A FF PUSH -1 ; /Arg3 = FFFFFFFF
00805E97 . 6A 04 PUSH 4 ; |Arg2 = 00000004
00805E99 . 8D95 34ECFFFF LEA EDX, DWORD PTR SS:[EBP-13CC] ; |stack address=0012E3D0
00805E9F . 52 PUSH EDX ; |Arg1
00805EA0 . E8 EB60FDFF CALL ezcddax.007DBF90 ; \ezcddax.007DBF90
00805EA5 . 83C4 0C ADD ESP, 0C
00805EA8 . 8985 4CEEFFFF MOV DWORD PTR SS:[EBP-11B4], EAX
00805EAE . 8B85 4CEEFFFF MOV EAX, DWORD PTR SS:[EBP-11B4]
00805EB4 . 33D2 XOR EDX, EDX
00805EB6 . B9 19000000 MOV ECX, 19
00805EBB . F7F1 DIV ECX
00805EBD . 8995 48EEFFFF MOV DWORD PTR SS:[EBP-11B8], EDX
00805EC3 . 8B95 34ECFFFF MOV EDX, DWORD PTR SS:[EBP-13CC]
00805EC9 . 52 PUSH EDX
00805ECA . 8B85 48EEFFFF MOV EAX, DWORD PTR SS:[EBP-11B8]
00805ED0 . FF1485 98CD8300 CALL DWORD PTR DS:[EAX*4+83CD98]
00805ED7 . 83C4 04 ADD ESP, 4
00805EDA . 8985 78EBFFFF MOV DWORD PTR SS:[EBP-1488], EAX
00805EE0 . C785 74EBFFFF 0000>MOV DWORD PTR SS:[EBP-148C], 0
00805EEA . 8B8D 48EEFFFF MOV ECX, DWORD PTR SS:[EBP-11B8]
00805EF0 . 8B148D 00F38300 MOV EDX, DWORD PTR DS:[ECX*4+83F300]
00805EF7 . 8995 54EEFFFF MOV DWORD PTR SS:[EBP-11AC], EDX
00805EFD > 8B85 74EBFFFF MOV EAX, DWORD PTR SS:[EBP-148C]
00805F03 . 3B85 54EEFFFF CMP EAX, DWORD PTR SS:[EBP-11AC]
00805F09 . 7D 5C JGE SHORT ezcddax.00805F67
00805F0B . 8B85 54EEFFFF MOV EAX, DWORD PTR SS:[EBP-11AC]
00805F11 . 2B85 74EBFFFF SUB EAX, DWORD PTR SS:[EBP-148C]
00805F17 . 99 CDQ
00805F18 . 2BC2 SUB EAX, EDX
00805F1A . D1F8 SAR EAX, 1
00805F1C . 8B8D 74EBFFFF MOV ECX, DWORD PTR SS:[EBP-148C]
00805F22 . 03C8 ADD ECX, EAX
00805F24 . 898D 70EBFFFF MOV DWORD PTR SS:[EBP-1490], ECX
00805F2A . 8B95 48EEFFFF MOV EDX, DWORD PTR SS:[EBP-11B8]
00805F30 . 8B0495 7CF28300 MOV EAX, DWORD PTR DS:[EDX*4+83F27C]
00805F37 . 8B8D 70EBFFFF MOV ECX, DWORD PTR SS:[EBP-1490]
00805F3D . 8B95 78EBFFFF MOV EDX, DWORD PTR SS:[EBP-1488]
00805F43 . 3B1488 CMP EDX, DWORD PTR DS:[EAX+ECX*4]
00805F46 . 76 11 JBE SHORT ezcddax.00805F59
00805F48 . 8B85 70EBFFFF MOV EAX, DWORD PTR SS:[EBP-1490]
00805F4E . 83C0 01 ADD EAX, 1
00805F51 . 8985 74EBFFFF MOV DWORD PTR SS:[EBP-148C], EAX
00805F57 . EB 0C JMP SHORT ezcddax.00805F65
00805F59 > 8B8D 70EBFFFF MOV ECX, DWORD PTR SS:[EBP-1490]
00805F5F . 898D 54EEFFFF MOV DWORD PTR SS:[EBP-11AC], ECX
00805F65 >^ EB 96 JMP SHORT ezcddax.00805EFD
00805F67 > 90 NOP
00805F68 . 90 NOP
00805F69 . 90 NOP
00805F6A . 90 NOP
00805F6B . 90 NOP
00805F6C . 90 NOP
00805F6D . 90 NOP
00805F6E . 90 NOP
00805F6F . 90 NOP
00805F70 . 90 NOP
00805F71 . 90 NOP
00805F72 . 90 NOP
00805F73 . 90 NOP
00805F74 . 90 NOP
00805F75 . 90 NOP
00805F76 . 90 NOP
00805F77 . 90 NOP
00805F78 . 90 NOP
00805F79 . 90 NOP
00805F7A . 90 NOP
00805F7B . 90 NOP
00805F7C . 90 NOP
00805F7D . 90 NOP
00805F7E . 90 NOP
00805F7F . 90 NOP
00805F80 . 90 NOP
00805F81 . 90 NOP
00805F82 . 90 NOP
00805F83 . 90 NOP
00805F84 . 90 NOP
00805F85 . 90 NOP
00805F86 . 90 NOP
00805F87 . 90 NOP
00805F88 . 90 NOP
00805F89 . 90 NOP
00805F8A . 90 NOP
00805F8B . 90 NOP
00805F8C . 90 NOP
00805F8D . 8B95 48EEFFFF MOV EDX, DWORD PTR SS:[EBP-11B8]
00805F93 . 8B0495 7CF28300 MOV EAX, DWORD PTR DS:[EDX*4+83F27C]
00805F9A . 8B8D 74EBFFFF MOV ECX, DWORD PTR SS:[EBP-148C]
00805FA0 . 8B1488 MOV EDX, DWORD PTR DS:[EAX+ECX*4]
00805FA3 . 3B95 78EBFFFF CMP EDX, DWORD PTR SS:[EBP-1488] ; check whether the CC address is in the table
00805FA9 . 0F85 0A020000 JNZ ezcddax.008061B9
00805FAF . 90 NOP
00805FB0 . 90 NOP
00805FB1 . 90 NOP ; the modified code begins below:
00805FB2 . 90 NOP ; first obtain the instruction length from the shell's jump-length code, to distinguish short from long jumps.
00805FB3 . E8 97010000 CALL ezcddax.0080614F ; the shell's jump-length code, turned into a function
00805FB8 . 90 NOP
00805FB9 . 90 NOP
00805FBA . 90 NOP
00805FBB . 90 NOP
00805FBC . 90 NOP
00805FBD . 90 NOP
00805FBE . E8 F9000000 CALL ezcddax.008060BC ; compute the jump offset
00805FC3 . 803D 208F8200 04 CMP BYTE PTR DS:[828F20], 4 ; decide short or long jump from the instruction length
00805FCA 7F 30 JG SHORT ezcddax.00805FFC
00805FCC 7C 38 JL SHORT ezcddax.00806006 ; short jumps are handled directly
00805FCE 66:833D 308F8200 0>CMP WORD PTR DS:[828F30], 4 ; another jmp type: Armadillo also treats a jump to the next instruction as a jmp, with offset 4
00805FD6 74 0F JE SHORT ezcddax.00805FE7
00805FD8 8B85 34ECFFFF MOV EAX, DWORD PTR SS:[EBP-13CC] ; what remains is the long jmp type
00805FDE C640 FF E9 MOV BYTE PTR DS:[EAX-1], 0E9 ; write the long jmp opcode
00805FE2 E9 08010000 JMP ezcddax.008060EF ; go straight to the code that decides forward or backward jumps
00805FE7 8B85 34ECFFFF MOV EAX, DWORD PTR SS:[EBP-13CC] ; the jmp type with offset 4 is filled with nops
00805FED C640 FF 90 MOV BYTE PTR DS:[EAX-1], 90
00805FF1 C700 90909090 MOV DWORD PTR DS:[EAX], 90909090
00805FF7 E9 BD010000 JMP ezcddax.008061B9 ; this repair is done; go straight to the next iteration.
00805FFC 8B85 34ECFFFF MOV EAX, DWORD PTR SS:[EBP-13CC] ; if it is a long conditional jump, write the long-jump prefix opcode
00806002 C640 FF 0F MOV BYTE PTR DS:[EAX-1], 0F ; note it is a single byte, written at the CC address
00806006 > 8B85 48EEFFFF MOV EAX, DWORD PTR SS:[EBP-11B8]
0080600C . 8B0C85 64F38300 MOV ECX, DWORD PTR DS:[EAX*4+83F364]
00806013 . 8B95 74EBFFFF MOV EDX, DWORD PTR SS:[EBP-148C]
00806019 . 8B0491 MOV EAX, DWORD PTR DS:[ECX+EDX*4]
0080601C . 8985 5CEBFFFF MOV DWORD PTR SS:[EBP-14A4], EAX
00806022 . 8B8D 3CECFFFF MOV ECX, DWORD PTR SS:[EBP-13C4]
00806028 . 81E1 D70F0000 AND ECX, 0FD7
0080602E . 898D 6CEBFFFF MOV DWORD PTR SS:[EBP-1494], ECX
00806034 . 8B95 5CEBFFFF MOV EDX, DWORD PTR SS:[EBP-14A4]
0080603A . 81E2 000000FF AND EDX, FF000000
00806040 . C1EA 18 SHR EDX, 18
00806043 . 8995 60EBFFFF MOV DWORD PTR SS:[EBP-14A0], EDX
00806049 . 8B85 5CEBFFFF MOV EAX, DWORD PTR SS:[EBP-14A4]
0080604F . 25 FFFFFF00 AND EAX, 0FFFFFF
00806054 . 8985 64EBFFFF MOV DWORD PTR SS:[EBP-149C], EAX
0080605A . 8B8D 28ECFFFF MOV ECX, DWORD PTR SS:[EBP-13D8]
00806060 . 51 PUSH ECX
00806061 . 8B95 6CEBFFFF MOV EDX, DWORD PTR SS:[EBP-1494]
00806067 . 52 PUSH EDX
00806068 . 8B85 64EBFFFF MOV EAX, DWORD PTR SS:[EBP-149C]
0080606E . 50 PUSH EAX
0080606F . 8B8D 60EBFFFF MOV ECX, DWORD PTR SS:[EBP-14A0]
00806075 . FF148D 0C888300 CALL DWORD PTR DS:[ECX*4+83880C] ; entry of the function that emulates the EFLAGS register value to test the flag bits
0080607C . 83C4 0C ADD ESP, 0C
0080607F . 8985 68EBFFFF MOV DWORD PTR SS:[EBP-1498], EAX
00806085 . 8B95 68EBFFFF MOV EDX, DWORD PTR SS:[EBP-1498]
0080608B . 33D2 XOR EDX, EDX
0080608D . 803D 208F8200 04 CMP BYTE PTR DS:[828F20], 4 ; below, branch to the offset-writing code for each instruction length
00806094 . 0F8C D3000000 JL ezcddax.0080616D ; <4 is a short jump
0080609A . 7F 7D JG SHORT ezcddax.00806119 ; >4 is a long conditional jump
0080609C . 74 51 JE SHORT ezcddax.008060EF ; =4 is the jmp type
0080609E . 90 NOP
0080609F . 90 NOP
008060A0 . 90 NOP
008060A1 . 90 NOP
008060A2 . 90 NOP
008060A3 . 90 NOP
008060A4 . 90 NOP
008060A5 . 90 NOP
008060A6 . 90 NOP
008060A7 . 90 NOP
008060A8 . 90 NOP
008060A9 . 90 NOP
008060AA . 90 NOP
008060AB . 90 NOP
008060AC . 90 NOP
008060AD . 90 NOP
008060AE . 90 NOP
008060AF . 90 NOP
008060B0 . 90 NOP
008060B1 . 90 NOP
008060B2 . 90 NOP
008060B3 . 90 NOP
008060B4 . 90 NOP
008060B5 . 90 NOP
008060B6 . 90 NOP
008060B7 90 NOP
008060B8 90 NOP
008060B9 90 NOP
008060BA 90 NOP
008060BB 90 NOP
008060BC /$ 8B85 48EEFFFF MOV EAX, DWORD PTR SS:[EBP-11B8] ; turned into a function that computes the jump offset
008060C2 |. 8B0C85 18F28300 MOV ECX, DWORD PTR DS:[EAX*4+83F218]
008060C9 |. 8B85 74EBFFFF MOV EAX, DWORD PTR SS:[EBP-148C]
008060CF |. 33D2 XOR EDX, EDX
008060D1 |. BE 17000000 MOV ESI, 17
008060D6 |. F7F6 DIV ESI
008060D8 |. 8B85 74EBFFFF MOV EAX, DWORD PTR SS:[EBP-148C]
008060DE |. 8B0C81 MOV ECX, DWORD PTR DS:[ECX+EAX*4]
008060E1 |. 338C95 70EEFFFF XOR ECX, DWORD PTR SS:[EBP+EDX*4-1190] ; compute the offset
008060E8 |. 890D 308F8200 MOV DWORD PTR DS:[828F30], ECX ; store it for later use.
008060EE \. C3 RETN
008060EF > 66:813D 308F8200 8>CMP WORD PTR DS:[828F30], 0FF80 ; for the long jmp type, decides the forward or backward direction
008060F8 . 0F8C 87000000 JL ezcddax.00806185
008060FE . 66:833D 308F8200 7>CMP WORD PTR DS:[828F30], 7F
00806106 . 7E 2B JLE SHORT ezcddax.00806133
00806108 . EB 7B JMP SHORT ezcddax.00806185
0080610A 90 NOP
0080610B 90 NOP
0080610C 90 NOP
0080610D 90 NOP
0080610E 90 NOP
0080610F 90 NOP
00806110 90 NOP
00806111 90 NOP
00806112 90 NOP
00806113 90 NOP
00806114 90 NOP
00806115 90 NOP
00806116 90 NOP
00806117 90 NOP
00806118 90 NOP
00806119 > 8B15 308F8200 MOV EDX, DWORD PTR DS:[828F30] ; long conditional jump type
0080611F . 2B15 208F8200 SUB EDX, DWORD PTR DS:[828F20]
00806125 . 8B85 34ECFFFF MOV EAX, DWORD PTR SS:[EBP-13CC]
0080612B . 8950 01 MOV DWORD PTR DS:[EAX+1], EDX ; the offset is written at CC address+1, because a long jump uses a two-byte opcode
0080612E . E9 86000000 JMP ezcddax.008061B9
00806133 > 8B15 308F8200 MOV EDX, DWORD PTR DS:[828F30] ; repair code for a backward (upward) long jmp
00806139 . 2B15 208F8200 SUB EDX, DWORD PTR DS:[828F20]
0080613F . 8B85 34ECFFFF MOV EAX, DWORD PTR SS:[EBP-13CC]
00806145 . 4A DEC EDX
00806146 . 8910 MOV DWORD PTR DS:[EAX], EDX
00806148 . EB 6F JMP SHORT ezcddax.008061B9
0080614A 90 NOP
0080614B 90 NOP
0080614C 90 NOP
0080614D 90 NOP
0080614E 90 NOP
0080614F /$ 8B85 48EEFFFF MOV EAX, DWORD PTR SS:[EBP-11B8] ; the shell's jump-length code, turned into a function
00806155 |. 8B0C85 D0F38300 MOV ECX, DWORD PTR DS:[EAX*4+83F3D0]
0080615C |. 8B95 74EBFFFF MOV EDX, DWORD PTR SS:[EBP-148C]
00806162 |. 33C0 XOR EAX, EAX
00806164 |. 8A0411 MOV AL, BYTE PTR DS:[ECX+EDX]
00806167 |. A2 208F8200 MOV BYTE PTR DS:[828F20], AL ; store the value obtained, for later use
0080616C \. C3 RETN
0080616D > 90 NOP
0080616E . 8B15 308F8200 MOV EDX, DWORD PTR DS:[828F30] ; fetch the offset; it is measured from the byte after the CC
00806174 . 2B15 208F8200 SUB EDX, DWORD PTR DS:[828F20] ; offset - jump instruction length = actual offset
0080617A . 8B85 34ECFFFF MOV EAX, DWORD PTR SS:[EBP-13CC] ; fetch the address of the byte after the CC
00806180 . 8810 MOV BYTE PTR DS:[EAX], DL ; write the actual offset; note it is a single byte
00806182 . EB 35 JMP SHORT ezcddax.008061B9
00806184 90 NOP
00806185 > 8B15 308F8200 MOV EDX, DWORD PTR DS:[828F30] ; repair code for a forward (downward) long jmp
0080618B . 2B15 208F8200 SUB EDX, DWORD PTR DS:[828F20]
00806191 . 8B85 34ECFFFF MOV EAX, DWORD PTR SS:[EBP-13CC]
00806197 . 90 NOP
00806198 . 8910 MOV DWORD PTR DS:[EAX], EDX ; note the value written is a dword
0080619A . 90 NOP
0080619B . 90 NOP
0080619C . 90 NOP
0080619D . 90 NOP
0080619E . 90 NOP
0080619F . 90 NOP
008061A0 . 90 NOP
008061A1 . 90 NOP
008061A2 . 90 NOP
008061A3 . 90 NOP
008061A4 . 90 NOP
008061A5 . 90 NOP
008061A6 . 90 NOP
008061A7 . 90 NOP
008061A8 . 90 NOP
008061A9 . 90 NOP
008061AA . 90 NOP
008061AB . 90 NOP
008061AC . 90 NOP
008061AD . 90 NOP
008061AE . 90 NOP
008061AF . 90 NOP
008061B0 . 90 NOP
008061B1 . 90 NOP
008061B2 . 90 NOP
008061B3 . 90 NOP
008061B4 . 90 NOP
008061B5 . 90 NOP
008061B6 . 90 NOP
008061B7 . 90 NOP
008061B8 . 90 NOP
008061B9 > 8305 108F8200 04 ADD DWORD PTR DS:[828F10], 4 ; parameter + 1
008061C0 > 8B15 108F8200 MOV EDX, DWORD PTR DS:[828F10] ; ezcddax.00828000
008061C6 . 8B12 MOV EDX, DWORD PTR DS:[EDX]
008061C8 . 8995 34ECFFFF MOV DWORD PTR SS:[EBP-13CC], EDX
008061CE . 83FA 00 CMP EDX, 0
008061D1 .^ 74 E6 JE SHORT ezcddax.008061B9 ; if 00000000 appears, this address is not a CC
008061D3 . 83FA FF CMP EDX, -1
008061D6 . 74 08 JE SHORT ezcddax.008061E0 ; if ffffffff, the repair is finished.
008061D8 . 61 POPAD
008061D9 .^ E9 A5FCFFFF JMP ezcddax.00805E83
008061DE 90 NOP
008061DF 90 NOP
008061E0 > 90 NOP
008061E1 . 90 NOP
008061E2 . 90 NOP
008061E3 . 90 NOP
008061E4 . 90 NOP
008061E5 . 90 NOP
008061E6 . 90 NOP
008061E7 . 90 NOP
008061E8 . 90 NOP
008061E9 . 90 NOP
008061EA . 90 NOP
008061EB . 90 NOP
008061EC . 90 NOP
008061ED . 90 NOP
008061EE . 90 NOP
008061EF . 90 NOP
008061F0 . 90 NOP
008061F1 . 90 NOP
008061F2 . 90 NOP
008061F3 . 90 NOP
008061F4 . 90 NOP
008061F5 . 90 NOP
008061F6 . 90 NOP
008061F7 . 90 NOP
008061F8 . 90 NOP
008061F9 . 90 NOP
008061FA . 90 NOP
008061FB . 90 NOP
008061FC . 90 NOP
008061FD . 90 NOP
008061FE . 90 NOP
008061FF . 90 NOP
00806200 . 90 NOP
00806201 . 90 NOP
00806202 . 90 NOP
00806203 . 90 NOP
00806204 . 90 NOP
00806205 . 90 NOP
00806206 . 90 NOP
00806207 . 90 NOP
00806208 . 90 NOP
00806209 . 90 NOP
0080620A . 90 NOP
0080620B . 52 PUSH EDX ; /pContext
0080620C . 8B85 50EEFFFF MOV EAX, DWORD PTR SS:[EBP-11B0] ; |
00806212 . 50 PUSH EAX ; |hThread
00806213 . FF15 DC808300 CALL DWORD PTR DS:[<&KERNEL32.SetThreadCo>; \SetThreadContext
Those following along can copy the binary code above and see the effect. All that remains is to determine the jump type and write it into the code.
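The offset arithmetic the patched handler performs, re-expressed as an added Python example (not the write-up's or Armadillo's code) so it can be checked offline on a constructed image: it rebuilds each of the three jump encodings from the CC-table entry, the shell's offset and the length-table value, walks the table's 0/FFFFFFFF conventions from the loop at 008061B9, and evaluates the standard Jcc condition table that the shell's obfuscated EFLAGS routine ultimately answers. Function names, the image base 00439800 and all sample entries are assumptions.

```python
import struct

TABLE_END = 0xFFFFFFFF   # terminator the patched loop at 008061B9 tests for

def jcc_taken(cc, eflags):
    """True if a Jcc with condition nibble `cc` (low nibble of 7x / 0F 8x)
    is taken under `eflags`: the standard Intel table, which is the answer
    the shell's obfuscated EFLAGS routine ultimately returns in EAX."""
    cf = eflags & 1
    pf = (eflags >> 2) & 1
    zf = (eflags >> 6) & 1
    sf = (eflags >> 7) & 1
    of = (eflags >> 11) & 1
    base = {0x0: of, 0x2: cf, 0x4: zf, 0x6: cf | zf,
            0x8: sf, 0xA: pf, 0xC: sf ^ of, 0xE: zf | (sf ^ of)}[cc & 0xE]
    return bool(base ^ (cc & 1))            # odd nibble negates the condition

def walk_cc_table(blob):
    """Yield CC entries from the table at [828000] as the patched loop reads
    them: 4-byte little-endian, 0 = not a CC (skip), FFFFFFFF = end."""
    for (entry,) in struct.iter_unpack("<I", blob[:len(blob) & ~3]):
        if entry == TABLE_END:
            return
        if entry:
            yield entry

def rebuild_jump(image, base, cc_next, shell_off, len_minus_1, cc=None):
    """Rewrite the jump whose first byte was replaced by CC.

    image        bytearray of the dumped section, mapped at `base` (assumed)
    cc_next      table entry: address of the byte after the CC ([EBP-13CC])
    shell_off    offset from the shell, relative to cc_next (ECX at 008060E1)
    len_minus_1  value from the shell's length table ([828F20]): 1, 4 or 5
    cc           condition nibble for Jcc, None for an unconditional JMP
    Returns the branch target so the caller can verify the encoding.
    """
    cc_addr = cc_next - 1
    target = cc_next + shell_off            # ADD EDX, ECX at 008060EE
    rel = shell_off - len_minus_1           # "offset - jump length = actual offset"
    pos = cc_addr - base
    if len_minus_1 == 1:                    # 2-byte form: 7x rel8 / EB rel8
        if not -128 <= rel <= 127:
            raise ValueError("rel8 out of range: %d" % rel)
        opcode = 0xEB if cc is None else 0x70 | cc
        image[pos:pos + 2] = bytes([opcode]) + struct.pack("<b", rel)
    elif len_minus_1 == 4:                  # 5-byte form: E9 rel32
        if shell_off == 4:                  # jump to the next instruction
            image[pos:pos + 5] = b"\x90" * 5
        else:
            image[pos:pos + 5] = b"\xE9" + struct.pack("<i", rel)
    elif len_minus_1 == 5:                  # 6-byte form: 0F 8x rel32
        if cc is None:
            raise ValueError("6-byte form needs a condition code")
        image[pos:pos + 6] = bytes([0x0F, 0x80 | cc]) + struct.pack("<i", rel)
    else:
        raise ValueError("unexpected length table value %d" % len_minus_1)
    return target

def decode_jump(image, base, addr):
    """Decode the jump at `addr` and return (length, target) as the CPU would."""
    pos = addr - base
    op = image[pos]
    if op == 0xEB or 0x70 <= op <= 0x7F:
        return 2, addr + 2 + struct.unpack_from("<b", image, pos + 1)[0]
    if op == 0xE9:
        return 5, addr + 5 + struct.unpack_from("<i", image, pos + 1)[0]
    if op == 0x0F and 0x80 <= image[pos + 1] <= 0x8F:
        return 6, addr + 6 + struct.unpack_from("<i", image, pos + 2)[0]
    if image[pos:pos + 5] == b"\x90" * 5:
        return 5, addr + 5
    raise ValueError("no jump at %08X" % addr)

def demo():
    """Constructed image and table (not taken from the real dump): repair
    four CCs and confirm each decodes back to the shell-reported target."""
    base = 0x00439800                       # assumed mapping of the sample
    image = bytearray(0x100)
    # (cc_next, shell offset, length-1, condition nibble or None)
    cases = [(0x00439891, 0x04, 1, 0x4),    # short JE, rel8 = 3
             (0x004398A0, -0x20, 5, 0x5),   # long JNE, rel32 = -0x25
             (0x004398C0, 0x30, 4, None),   # JMP rel32, rel32 = 0x2C
             (0x004398E0, 0x04, 4, None)]   # JMP to next instruction -> NOPs
    results = []
    for cc_next, off, ln, cc in cases:
        image[cc_next - 1 - base] = 0xCC    # the shell's damage
        target = rebuild_jump(image, base, cc_next, off, ln, cc)
        length, decoded = decode_jump(image, base, cc_next - 1)
        results.append((target, decoded, length))
    return results

if __name__ == "__main__":
    for target, decoded, length in demo():
        print("target %08X decoded %08X len %d" % (target, decoded, length))
```

The condition nibble is the one piece the handler cannot recover from the shell's tables, which is why the write-up's next section still traces the EFLAGS routine by hand for each CC.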
What remains to repair is the jump type. This is the most tedious and least technical part of the whole repair; the following examples show how to fix it.
With the code above adjusted, set a breakpoint at the address where the repair completes, remove all other breakpoints, set a breakpoint at the function entry below, and run.
Example 1 ---- address where the CC fired: 0043989E
DS:[00828004]=0043989E (ezcddax.0043989E)
EAX=00828004 (ezcddax.00828004)
007F2BEF 55 PUSH EBP
007F2BF0 8BEC MOV EBP, ESP
007F2BF2 83EC 40 SUB ESP, 40
007F2BF5 C745 D0 D800000>MOV DWORD PTR SS:[EBP-30], 0D8
007F2BFC C745 D4 2400000>MOV DWORD PTR SS:[EBP-2C], 24
007F2C03 C745 D8 E400000>MOV DWORD PTR SS:[EBP-28], 0E4
007F2C0A C745 DC A600000>MOV DWORD PTR SS:[EBP-24], 0A6
007F2C11 C745 E0 9400000>MOV DWORD PTR SS:[EBP-20], 94
007F2C18 C745 E4 2900000>MOV DWORD PTR SS:[EBP-1C], 29
007F2C1F C745 E8 2A00000>MOV DWORD PTR SS:[EBP-18], 2A
007F2C26 C745 EC F300000>MOV DWORD PTR SS:[EBP-14], 0F3
007F2C2D C745 F0 0700000>MOV DWORD PTR SS:[EBP-10], 7
007F2C34 C745 C0 0700000>MOV DWORD PTR SS:[EBP-40], 7
007F2C3B 8B45 08 MOV EAX, DWORD PTR SS:[EBP+8]
007F2C3E C1E8 07 SHR EAX, 7
007F2C41 83E0 07 AND EAX, 7
007F2C44 8B4C85 D0 MOV ECX, DWORD PTR SS:[EBP+EAX*4-30]
007F2C48 894D C4 MOV DWORD PTR SS:[EBP-3C], ECX
007F2C4B 8B45 C4 MOV EAX, DWORD PTR SS:[EBP-3C]
007F2C4E 99 CDQ
007F2C4F B9 19000000 MOV ECX, 19
007F2C54 F7F9 IDIV ECX
007F2C56 8945 CC MOV DWORD PTR SS:[EBP-34], EAX
007F2C59 8B45 C4 MOV EAX, DWORD PTR SS:[EBP-3C]
007F2C5C 99 CDQ
007F2C5D B9 19000000 MOV ECX, 19
007F2C62 F7F9 IDIV ECX
007F2C64 8955 C8 MOV DWORD PTR SS:[EBP-38], EDX
007F2C67 8B55 CC MOV EDX, DWORD PTR SS:[EBP-34]
007F2C6A 3B55 C8 CMP EDX, DWORD PTR SS:[EBP-38]
007F2C6D 75 11 JNZ SHORT ezcddax.007F2C80
007F2C6F 8B45 C8 MOV EAX, DWORD PTR SS:[EBP-38]
007F2C72 83C0 01 ADD EAX, 1
007F2C75 99 CDQ
007F2C76 B9 19000000 MOV ECX, 19
007F2C7B F7F9 IDIV ECX
007F2C7D 8955 C8 MOV DWORD PTR SS:[EBP-38], EDX
007F2C80 8B55 C4 MOV EDX, DWORD PTR SS:[EBP-3C]
007F2C83 8B45 CC MOV EAX, DWORD PTR SS:[EBP-34]
007F2C86 8B0C95 48E48300 MOV ECX, DWORD PTR DS:[EDX*4+83E448]
007F2C8D 330C85 CC828300 XOR ECX, DWORD PTR DS:[EAX*4+8382CC]
007F2C94 8B55 C8 MOV EDX, DWORD PTR SS:[EBP-38]
007F2C97 330C95 CC828300 XOR ECX, DWORD PTR DS:[EDX*4+8382CC]
007F2C9E 894D F8 MOV DWORD PTR SS:[EBP-8], ECX
007F2CA1 8B45 0C MOV EAX, DWORD PTR SS:[EBP+C]
007F2CA4 50 PUSH EAX
007F2CA5 8B4D C4 MOV ECX, DWORD PTR SS:[EBP-3C]
007F2CA8 0FBE91 88CC8300 MOVSX EDX, BYTE PTR DS:[ECX+83CC88]
007F2CAF FF1495 C0CB8300 CALL DWORD PTR DS:[EDX*4+83CBC0]
007F2CB6 83C4 04 ADD ESP, 4
007F2CB9 8945 FC MOV DWORD PTR SS:[EBP-4], EAX
007F2CBC 8B45 10 MOV EAX, DWORD PTR SS:[EBP+10]
007F2CBF 50 PUSH EAX
007F2CC0 8B4D FC MOV ECX, DWORD PTR SS:[EBP-4]
007F2CC3 51 PUSH ECX
007F2CC4 FF55 F8 CALL DWORD PTR SS:[EBP-8] ; ezcddax.007EB7A0
Stack SS:[0012DC5C]=007EB7A0 (ezcddax.007EB7A0)
007F2CC7 83C4 08 ADD ESP, 8
007F2CCA 50 PUSH EAX
007F2CCB 8B55 C4 MOV EDX, DWORD PTR SS:[EBP-3C]
007F2CCE 0FBE82 88CC8300 MOVSX EAX, BYTE PTR DS:[EDX+83CC88]
007F2CD5 FF1485 24CC8300 CALL DWORD PTR DS:[EAX*4+83CC24]
007F2CDC 83C4 04 ADD ESP, 4
007F2CDF 8945 F4 MOV DWORD PTR SS:[EBP-C], EAX
007F2CE2 8B45 F4 MOV EAX, DWORD PTR SS:[EBP-C]
007F2CE5 83E0 01 AND EAX, 1
007F2CE8 8BE5 MOV ESP, EBP
007F2CEA 5D POP EBP
007F2CEB C3 RETN
007EB7A0 55 PUSH EBP
007EB7A1 8BEC MOV EBP, ESP
007EB7A3 83EC 0C SUB ESP, 0C
007EB7A6 53 PUSH EBX
007EB7A7 56 PUSH ESI
007EB7A8 57 PUSH EDI
007EB7A9 8B45 08 MOV EAX, DWORD PTR SS:[EBP+8]
007EB7AC 50 PUSH EAX
007EB7AD FF15 24CC8300 CALL DWORD PTR DS:[83CC24] ; ezcddax.007DC062
007EB7B3 83C4 04 ADD ESP, 4
007EB7B6 8945 FC MOV DWORD PTR SS:[EBP-4], EAX
007EB7B9 8B45 FC MOV EAX, DWORD PTR SS:[EBP-4]
007EB7BC 51 PUSH ECX
007EB7BD B9 00080000 MOV ECX, 800
007EB7C2 B9 0A000000 MOV ECX, 0A
007EB7C7 F7D1 NOT ECX
007EB7C9 0FC8 BSWAP EAX
007EB7CB F7D1 NOT ECX
007EB7CD 41 INC ECX
007EB7CE 41 INC ECX
007EB7CF 41 INC ECX
007EB7D0 41 INC ECX
007EB7D1 41 INC ECX
007EB7D2 41 INC ECX
007EB7D3 41 INC ECX
007EB7D4 41 INC ECX
007EB7D5 41 INC ECX
007EB7D6 41 INC ECX
007EB7D7 41 INC ECX
007EB7D8 41 INC ECX
007EB7D9 41 INC ECX
007EB7DA 41 INC ECX
007EB7DB 41 INC ECX
007EB7DC 41 INC ECX
007EB7DD 41 INC ECX
007EB7DE 41 INC ECX
007EB7DF 41 INC ECX
007EB7E0 49 DEC ECX
007EB7E1 41 INC ECX
007EB7E2 FEC1 INC CL
007EB7E4 FEC1 INC CL
007EB7E6 FEC1 INC CL
007EB7E8 83C1 0D ADD ECX, 0D
007EB7EB FEC1 INC CL
007EB7ED FEC1 INC CL
007EB7EF FEC1 INC CL
007EB7F1 FEC1 INC CL
007EB7F3 FEC1 INC CL
007EB7F5 83C1 0A ADD ECX, 0A
007EB7F8 49 DEC ECX
007EB7F9 52 PUSH EDX
007EB7FA BA 04000000 MOV EDX, 4
007EB7FF 03CA ADD ECX, EDX
007EB801 41 INC ECX
007EB802 5A POP EDX
007EB803 0FC8 BSWAP EAX
007EB805 23C1 AND EAX, ECX
/////////////////////////////////////////////////
EBX=00000040
EAX=00000246
This is the key instruction: the EFLAGS value AND 40.
Look at it: hex 40 is binary 01000000, so the bit involved is bit 6 (the seventh bit), ZF, and the test condition is ZF=1.
For background see: http://www.pediy.com/tutorial/chap2/Chap2-3.htm
So this jump type can be identified as jz/je. If it is a short jump, write the opcode 74 at the CC address; for a long jump, write 84 at the address where the CC occurred.
/////////////////////////////////////////////////
007EB807 59 POP ECX
007EB808 F7D8 NEG EAX
007EB80A 1BC0 SBB EAX, EAX
007EB80C F7D8 NEG EAX
/////////////////////////////////////////////////
Tests whether ZF is 1
////////////////////////////////////////////////
007EB80E 5A POP EDX
007EB80F 8945 F4 MOV DWORD PTR SS:[EBP-C], EAX
007EB812 8B0D 94838300 MOV ECX, DWORD PTR DS:[838394]
007EB818 330D 98838300 XOR ECX, DWORD PTR DS:[838398]
007EB81E D1E1 SHL ECX, 1
007EB820 894D F8 MOV DWORD PTR SS:[EBP-8], ECX
007EB823 837D F4 00 CMP DWORD PTR SS:[EBP-C], 0
007EB827 74 09 JE SHORT ezcddax.007EB832
007EB829 8B55 F8 MOV EDX, DWORD PTR SS:[EBP-8]
007EB82C 83CA 01 OR EDX, 1
007EB82F 8955 F8 MOV DWORD PTR SS:[EBP-8], EDX
007EB832 8B45 F8 MOV EAX, DWORD PTR SS:[EBP-8]
007EB835 50 PUSH EAX
007EB836 FF15 C0CB8300 CALL DWORD PTR DS:[83CBC0] ; ezcddax.007DBFB0
007EB83C 83C4 04 ADD ESP, 4
007EB83F 5F POP EDI
007EB840 5E POP ESI
007EB841 5B POP EBX
007EB842 8BE5 MOV ESP, EBP
007EB844 5D POP EBP
007EB845 C3 RETN
Modify to:
007EB7A0 55 PUSH EBP
007EB7A1 8BEC MOV EBP, ESP
007EB7A3 83EC 0C SUB ESP, 0C
007EB7A6 53 PUSH EBX
007EB7A7 56 PUSH ESI
007EB7A8 57 PUSH EDI
007EB7A9 8B45 08 MOV EAX, DWORD PTR SS:[EBP+8]
007EB7AC 50 PUSH EAX
007EB7AD FF15 24CC8300 CALL DWORD PTR DS:[83CC24] ; ezcddax.007DC062
007EB7B3 83C4 04 ADD ESP, 4
007EB7B6 8945 FC MOV DWORD PTR SS:[EBP-4], EAX
007EB7B9 8B45 FC MOV EAX, DWORD PTR SS:[EBP-4]
*******************************************************************************
{The modified code is}
007EB7BC 90 NOP ; the modified code follows
007EB7BD 90 NOP
007EB7BE 36:A1 108F8200 MOV EAX, DWORD PTR SS:[828F10] ; fetch the address where the CC occurred
007EB7C4 8B00 MOV EAX, DWORD PTR DS:[EAX]
007EB7C6 8078 FF 0F CMP BYTE PTR DS:[EAX-1], 0F ; check whether this is the long-jump marker
007EB7CA 74 06 JE SHORT ezcddax.007EB7D2 ; short jump: write here
007EB7CC C640 FF 74 MOV BYTE PTR DS:[EAX-1], 74
007EB7D0 EB 20 JMP SHORT ezcddax.007EB7F2 ; long jump: written at the address where the CC occurred, not at the CC address
007EB7D2 C600 84 MOV BYTE PTR DS:[EAX], 84
007EB7D5 90 NOP
007EB7D6 33C0 XOR EAX, EAX
********************************************************************************
007EB7D8 90 NOP
007EB7D9 90 NOP
007EB7DA 90 NOP
007EB7DB 90 NOP
007EB7DC 90 NOP
007EB7DD 90 NOP
007EB7DE 90 NOP
007EB7DF 90 NOP
007EB7E0 90 NOP
007EB7E1 90 NOP
007EB7E2 90 NOP
007EB7E3 90 NOP
007EB7E4 90 NOP
007EB7E5 90 NOP
007EB7E6 90 NOP
007EB7E7 90 NOP
007EB7E8 90 NOP
007EB7E9 90 NOP
007EB7EA 90 NOP
007EB7EB 90 NOP
007EB7EC 90 NOP
007EB7ED 90 NOP
007EB7EE 90 NOP
007EB7EF 90 NOP
007EB7F0 90 NOP
007EB7F1 90 NOP
007EB7F2 90 NOP
007EB7F3 90 NOP
007EB7F4 90 NOP
007EB7F5 90 NOP
007EB7F6 90 NOP
007EB7F7 90 NOP
007EB7F8 90 NOP
007EB7F9 90 NOP
007EB7FA 90 NOP
007EB7FB 90 NOP
007EB7FC 90 NOP
007EB7FD 90 NOP
007EB7FE 90 NOP
007EB7FF 90 NOP
007EB800 90 NOP
007EB801 90 NOP
007EB802 90 NOP
007EB803 90 NOP
007EB804 90 NOP
007EB805 90 NOP
007EB806 90 NOP
007EB807 90 NOP
007EB808 90 NOP
007EB809 90 NOP
007EB80A 90 NOP
007EB80B 90 NOP
007EB80C 90 NOP
007EB80D 90 NOP
007EB80E 90 NOP
007EB80F 8945 F4 MOV DWORD PTR SS:[EBP-C], EAX
007EB812 8B0D 94838300 MOV ECX, DWORD PTR DS:[838394]
007EB818 330D 98838300 XOR ECX, DWORD PTR DS:[838398]
007EB81E D1E1 SHL ECX, 1
007EB820 894D F8 MOV DWORD PTR SS:[EBP-8], ECX
007EB823 837D F4 00 CMP DWORD PTR SS:[EBP-C], 0
007EB827 74 09 JE SHORT ezcddax.007EB832
007EB829 8B55 F8 MOV EDX, DWORD PTR SS:[EBP-8]
007EB82C 83CA 01 OR EDX, 1
007EB82F 8955 F8 MOV DWORD PTR SS:[EBP-8], EDX
007EB832 8B45 F8 MOV EAX, DWORD PTR SS:[EBP-8]
007EB835 50 PUSH EAX
007EB836 FF15 C0CB8300 CALL DWORD PTR DS:[83CBC0] ; ezcddax.007DBFB0
007EB83C 83C4 04 ADD ESP, 4
007EB83F 5F POP EDI
007EB840 5E POP ESI
007EB841 5B POP EBX
007EB842 8BE5 MOV ESP, EBP
007EB844 5D POP EBP
007EB845 C3 RETN
55 8B EC 83 EC 0C 53 56 57 8B 45 08 50 FF 15 24 CC 83 00 83 C4 04 89 45 FC 8B 45 FC 90 90 36 A1
10 8F 82 00 8B 00 80 78 FF 0F 74 06 C6 40 FF 74 EB 20 C6 00 84 90 33 C0 90 90 90 90 90 90 90 90
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 89 45 F4 8B 0D 94 83 83 00 33 0D 98 83 83 00 D1 E1
89 4D F8 83 7D F4 00 74 09 8B 55 F8 83 CA 01 89 55 F8 8B 45 F8 50 FF 15 C0 CB 83 00 83 C4 04 5F
5E 5B 8B E5 5D C3
00439895 8B15 ECEB6C00 MOV EDX, DWORD PTR DS:[6CEBEC]
0043989B 85D2 TEST EDX, EDX
0043989D 0F84 AE030000 JE ezcddax.00439C51 // repaired code: a long je
004398A3 66:C785 1CFDFFF>MOV WORD PTR SS:[EBP-2E4], 218
================================================================================================
Example 2: 00439989
00806075 FF148D 0C888300 CALL DWORD PTR DS:[ECX*4+83880C] ; entry of the function that emulates the EFLAGS value to decide the flag bit
Entry: DS:[00838A54]=007F720B (ezcddax.007F720B); press F7 to step in:
007F72E0 FF55 F8 CALL DWORD PTR SS:[EBP-8] ; real entry of the function that emulates the EFLAGS value to decide the flag bit
Stack SS:[0012DC5C]=007E6809 (ezcddax.007E6809)
The entry is 007E6809; press F7 to step in again:
007E6809 55 PUSH EBP
007E680A 8BEC MOV EBP, ESP
007E680C 83EC 0C SUB ESP, 0C
007E680F 53 PUSH EBX
007E6810 56 PUSH ESI
007E6811 57 PUSH EDI
007E6812 8B45 08 MOV EAX, DWORD PTR SS:[EBP+8]
007E6815 50 PUSH EAX
007E6816 FF15 28CC8300 CALL DWORD PTR DS:[83CC28] ; ezcddax.007DC1BD
007E681C 83C4 04 ADD ESP, 4
007E681F 8945 FC MOV DWORD PTR SS:[EBP-4], EAX
007E6822 8B45 FC MOV EAX, DWORD PTR SS:[EBP-4] ; fetch the EFLAGS value from the CONTEXT; watch how the shell uses it (keep an eye on EAX)
007E6825 53 PUSH EBX ; fetch the address where the CC occurred; note this address is the byte after the CC
007E6826 BB 80000000 MOV EBX, 80
007E682B EB 05 JMP SHORT ezcddax.007E6832
007E682D BB 04000000 MOV EBX, 4 ; written to the CC address, hence the -1
007E6832 BB 32000000 MOV EBX, 32
007E6837 F7D3 NOT EBX
007E6839 0FC8 BSWAP EAX
007E683B F7D3 NOT EBX
007E683D 43 INC EBX
007E683E 43 INC EBX
007E683F 83C3 08 ADD EBX, 8
007E6842 4B DEC EBX
007E6843 51 PUSH ECX
007E6844 B9 04000000 MOV ECX, 4
007E6849 03D9 ADD EBX, ECX
007E684B 43 INC EBX
007E684C 59 POP ECX
007E684D 0FC8 BSWAP EAX
007E684F 23C3 AND EAX, EBX
//////////////////////////////////////////////////////////////////////
EBX=00000040
EAX=00000246
This is the key instruction: the EFLAGS value AND 40.
Look at it: hex 40 is binary 01000000, so the bit involved is bit 6 (the seventh bit), ZF, and the test condition is ZF=1.
For background see: http://www.pediy.com/tutorial/chap2/Chap2-3.htm
So this jump type can be identified as jz/je. If it is a short jump, write the opcode 74 at the CC address; for a long jump, write 84 at the address where the CC occurred.
//////////////////////////////////////////////////////////////////////
007E6851 5B POP EBX
007E6852 F7D8 NEG EAX
007E6854 1BC0 SBB EAX, EAX
007E6856 F7D8 NEG EAX
/////////////////////////////////////////////////
Tests whether ZF is 1
/////////////////////////////////////////////////
007E6858 5A POP EDX
007E6859 8945 F4 MOV DWORD PTR SS:[EBP-C], EAX
007E685C 8B0D 98838300 MOV ECX, DWORD PTR DS:[838398]
007E6862 330D 9C838300 XOR ECX, DWORD PTR DS:[83839C]
007E6868 D1E1 SHL ECX, 1
007E686A 894D F8 MOV DWORD PTR SS:[EBP-8], ECX
007E686D 837D F4 00 CMP DWORD PTR SS:[EBP-C], 0
007E6871 74 09 JE SHORT ezcddax.007E687C
007E6873 8B55 F8 MOV EDX, DWORD PTR SS:[EBP-8]
007E6876 83CA 01 OR EDX, 1
007E6879 8955 F8 MOV DWORD PTR SS:[EBP-8], EDX
007E687C 8B45 F8 MOV EAX, DWORD PTR SS:[EBP-8]
007E687F 50 PUSH EAX
007E6880 FF15 C4CB8300 CALL DWORD PTR DS:[83CBC4] ; ezcddax.007DC114
007E6886 83C4 04 ADD ESP, 4
007E6889 5F POP EDI
007E688A 5E POP ESI
007E688B 5B POP EBX
007E688C 8BE5 MOV ESP, EBP
007E688E 5D POP EBP
007E688F C3 RETN
This is the same type as example 1, so the code is modified directly to:
007E6809 55 PUSH EBP
007E680A 8BEC MOV EBP, ESP
007E680C 83EC 0C SUB ESP, 0C
007E680F 53 PUSH EBX
007E6810 56 PUSH ESI
007E6811 57 PUSH EDI
007E6812 8B45 08 MOV EAX, DWORD PTR SS:[EBP+8]
007E6815 50 PUSH EAX
007E6816 FF15 28CC8300 CALL DWORD PTR DS:[83CC28] ; ezcddax.007DC1BD
007E681C 83C4 04 ADD ESP, 4
007E681F 8945 FC MOV DWORD PTR SS:[EBP-4], EAX
007E6822 8B45 FC MOV EAX, DWORD PTR SS:[EBP-4] ; fetch the EFLAGS value from the CONTEXT; watch how the shell uses it (keep an eye on EAX)
007E6825 90 NOP ; fetch the address where the CC occurred; note this address is the byte after the CC
007E6826 E9 914F0000 JMP ezcddax.007EB7BC // jump to the previously modified code to handle it
007E682B 90 NOP
007E682C 90 NOP
007E682D 90 NOP
007E682E 90 NOP
007E682F 90 NOP
007E6830 90 NOP
007E6831 90 NOP
007E6832 90 NOP
007E6833 90 NOP
007E6834 90 NOP
007E6835 90 NOP
007E6836 90 NOP
007E6837 90 NOP
007E6838 90 NOP
007E6839 90 NOP
007E683A 90 NOP
007E683B 90 NOP
007E683C 90 NOP
007E683D 90 NOP
007E683E 90 NOP
007E683F 90 NOP
007E6840 90 NOP
007E6841 90 NOP
007E6842 90 NOP
007E6843 90 NOP
007E6844 90 NOP
007E6845 90 NOP
007E6846 90 NOP
007E6847 90 NOP
007E6848 90 NOP
007E6849 90 NOP
007E684A 90 NOP
007E684B 90 NOP
007E684C 90 NOP
007E684D 90 NOP
007E684E 90 NOP
007E684F 90 NOP
007E6850 90 NOP
007E6851 90 NOP
007E6852 90 NOP
007E6853 90 NOP
007E6854 90 NOP
007E6855 90 NOP
007E6856 90 NOP
007E6857 90 NOP
007E6858 90 NOP
007E6859 8945 F4 MOV DWORD PTR SS:[EBP-C], EAX
007E685C 8B0D 98838300 MOV ECX, DWORD PTR DS:[838398]
007E6862 330D 9C838300 XOR ECX, DWORD PTR DS:[83839C]
007E6868 D1E1 SHL ECX, 1
007E686A 894D F8 MOV DWORD PTR SS:[EBP-8], ECX
007E686D 837D F4 00 CMP DWORD PTR SS:[EBP-C], 0
007E6871 74 09 JE SHORT ezcddax.007E687C
007E6873 8B55 F8 MOV EDX, DWORD PTR SS:[EBP-8]
007E6876 83CA 01 OR EDX, 1
007E6879 8955 F8 MOV DWORD PTR SS:[EBP-8], EDX
007E687C 8B45 F8 MOV EAX, DWORD PTR SS:[EBP-8]
007E687F 50 PUSH EAX
007E6880 FF15 C4CB8300 CALL DWORD PTR DS:[83CBC4] ; ezcddax.007DC114
007E6886 83C4 04 ADD ESP, 4
007E6889 5F POP EDI
007E688A 5E POP ESI
007E688B 5B POP EBX
007E688C 8BE5 MOV ESP, EBP
007E688E 5D POP EBP
007E688F C3 RETN
The repaired code is:
0043995F 85C0 TEST EAX, EAX
00439961 74 13 JE SHORT ezcddax.00439976 // repaired code: a short je
00439963 8B4D FC MOV ECX, DWORD PTR SS:[EBP-4]
00439966 8B81 E8070000 MOV EAX, DWORD PTR DS:[ECX+7E8]
0043996C 33D2 XOR EDX, EDX
0043996E 8B08 MOV ECX, DWORD PTR DS:[EAX]
Example 3:
00806075 FF148D 0C888300 CALL DWORD PTR DS:[ECX*4+83880C] ; entry of the function that emulates the EFLAGS value to decide the flag bit
Entry: DS:[00838B24]=007FA56D (ezcddax.007FA56D); press F7 to step in:
007FA63F FF55 F8 CALL DWORD PTR SS:[EBP-8] ; ezcddax.007E381A
Real entry: SS:[0012DC5C]=007E381A (ezcddax.007E381A); press F7 to step in:
007E381A /. 55 PUSH EBP
007E381B |. 8BEC MOV EBP, ESP
007E381D |. 83EC 0C SUB ESP, 0C
007E3820 |. 53 PUSH EBX
007E3821 |. 56 PUSH ESI
007E3822 |. 57 PUSH EDI
007E3823 |. 8B45 08 MOV EAX, DWORD PTR SS:[EBP+8]
007E3826 |. 50 PUSH EAX ; /Arg1
007E3827 |. FF15 64CC8300 CALL DWORD PTR DS:[83CC64] ; \ezcddax.007DE435
007E382D |. 83C4 04 ADD ESP, 4
007E3830 |. 8945 FC MOV DWORD PTR SS:[EBP-4], EAX
007E3833 |. 8B45 FC MOV EAX, DWORD PTR SS:[EBP-4] ; fetch the EFLAGS value from the CONTEXT
007E3836 |. 52 PUSH EDX
007E3837 |. BA FFFF0000 MOV EDX, 0FFFF
007E383C |. 23C2 AND EAX, EDX ; mask bits
007E383E |. 53 PUSH EBX
007E383F |. 50 PUSH EAX ; push
007E3840 |. B7 07 MOV BH, 7
007E3842 |. FECF DEC BH
007E3844 |. FECF DEC BH
007E3846 |. FECF DEC BH
007E3848 |. FECF DEC BH
007E384A |. FECF DEC BH
007E384C |. FECF DEC BH
007E384E |. FECF DEC BH
007E3850 |. 25 00080000 AND EAX, 800 ; decoy
007E3855 |. 0FC9 BSWAP ECX
007E3857 |. 58 POP EAX ; pop
007E3858 |. 0FC9 BSWAP ECX
007E385A |. 22E7 AND AH, BH ; mask bits
007E385C |. B3 86 MOV BL, 86
007E385E |. 80EB 05 SUB BL, 5
007E3861 |. FECB DEC BL
007E3863 |. FECB DEC BL
007E3865 |. FECB DEC BL
007E3867 |. FECB DEC BL
007E3869 |. FECB DEC BL
007E386B |. FECB DEC BL
007E386D |. FECB DEC BL
007E386F |. 80EB 1A SUB BL, 1A
007E3872 |. FECB DEC BL
007E3874 |. 80EB 1F SUB BL, 1F
007E3877 |. 66:F7D3 NOT BX
007E387A |. 0FC8 BSWAP EAX
007E387C |. 66:F7D3 NOT BX
007E387F |. 0FC8 BSWAP EAX
007E3881 |. 22C3 AND AL, BL
//////////////////////////////////////////////////
; BL=40 ('@') AL=46 ('F')
This is the key instruction: the EFLAGS value AND 40.
Look at it: hex 40 is binary 01000000, so the bit involved is bit 6 (the seventh bit), ZF, and the test condition is ZF=0.
For background see: http://www.pediy.com/tutorial/chap2/Chap2-3.htm
So this jump type can be identified as JNE/JNZ. For a short jump, write the opcode 75 at the CC address; for a long jump, write 85 at the address where the CC occurred.
///////////////////////////////////////////////////
007E3883 |. 8BC0 MOV EAX, EAX
007E3885 |. 5B POP EBX
007E3886 |. F7D8 NEG EAX
007E3888 |. 1BC0 SBB EAX, EAX
007E388A |. 40 INC EAX
/////////////////////////////////////////////////
Tests whether ZF is 0
/////////////////////////////////////////////////
007E388B |. 5A POP EDX
007E388C |. 8945 F4 MOV DWORD PTR SS:[EBP-C], EAX
007E388F |. 8B0D D4838300 MOV ECX, DWORD PTR DS:[8383D4]
007E3895 |. 330D D8838300 XOR ECX, DWORD PTR DS:[8383D8]
007E389B |. D1E1 SHL ECX, 1
007E389D |. 894D F8 MOV DWORD PTR SS:[EBP-8], ECX
007E38A0 |. 837D F4 00 CMP DWORD PTR SS:[EBP-C], 0
007E38A4 |. 74 09 JE SHORT ezcddax.007E38AF
007E38A6 |. 8B55 F8 MOV EDX, DWORD PTR SS:[EBP-8]
007E38A9 |. 83CA 01 OR EDX, 1
007E38AC |. 8955 F8 MOV DWORD PTR SS:[EBP-8], EDX
007E38AF |> 8B45 F8 MOV EAX, DWORD PTR SS:[EBP-8]
007E38B2 |. 50 PUSH EAX ; /Arg1
007E38B3 |. FF15 00CC8300 CALL DWORD PTR DS:[83CC00] ; \ezcddax.007DE2C9
007E38B9 |. 83C4 04 ADD ESP, 4
007E38BC |. 5F POP EDI
007E38BD |. 5E POP ESI
007E38BE |. 5B POP EBX
007E38BF |. 8BE5 MOV ESP, EBP
007E38C1 |. 5D POP EBP
007E38C2 \. C3 RETN
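The mask-building sequences in examples 1 and 3 (INC/DEC chains, NOT/BSWAP pairs, a decoy AND) can be evaluated mechanically instead of by hand. The following is an added example, not code from the original post or from the shell: a small interpreter for just the instructions those sequences use, fed copies of the two listings above. The EFLAGS value 0x246 is the one seen in the session above; running the same sequence with EAX set to all ones yields the mask directly, because every step applied to EAX is either a reversible shuffle (BSWAP, PUSH/POP) or an AND. Runs of identical lines are generated rather than copied, so those lines carry no address; the interpreter does not model flags, since the sequences never read them.

```python
"""Evaluate the shell's obfuscated flag-mask construction from an OllyDbg listing.
Added example, not code from the original post: a tiny interpreter for the handful of
instructions the mask-building sequences use (MOV/NOT/INC/DEC/ADD/SUB/AND/BSWAP/PUSH/POP
on EAX..EDX and their 16/8-bit parts)."""

REG32 = ("EAX", "EBX", "ECX", "EDX")
MNEMONICS = {"MOV", "NOT", "INC", "DEC", "ADD", "SUB", "AND", "BSWAP", "PUSH", "POP"}
EFLAGS_BITS = {0x001: "CF", 0x004: "PF", 0x010: "AF", 0x040: "ZF", 0x080: "SF", 0x800: "OF"}

# Register name -> (parent 32-bit register, bit offset, width), e.g. BH -> ("EBX", 8, 8).
SUBREG = {}
for _r in REG32:
    SUBREG.update({_r: (_r, 0, 32), _r[1] + "X": (_r, 0, 16),
                   _r[1] + "L": (_r, 0, 8), _r[1] + "H": (_r, 8, 8)})


class Cpu:
    """Four general registers plus a stack; flags are not modelled (the sequences never read them)."""

    def __init__(self, eax=0):
        self.regs = {r: 0 for r in REG32}
        self.regs["EAX"] = eax
        self.stack = []

    def get(self, name):
        parent, shift, width = SUBREG[name]
        return (self.regs[parent] >> shift) & ((1 << width) - 1)

    def set(self, name, value):
        parent, shift, width = SUBREG[name]
        field = ((1 << width) - 1) << shift
        # Mask after every write so NOT/DEC wrap like the real 8/16/32-bit registers do.
        self.regs[parent] = (self.regs[parent] & ~field | (value << shift) & field) & 0xFFFFFFFF

    def value(self, operand):
        # OllyDbg prints immediates as unprefixed hex (800, 0A, 0FFFF).
        return self.get(operand) if operand in SUBREG else int(operand, 16)

    def step(self, mnemonic, ops):
        d = ops[0]
        if mnemonic == "MOV":
            self.set(d, self.value(ops[1]))
        elif mnemonic == "NOT":
            self.set(d, ~self.get(d))
        elif mnemonic in ("INC", "DEC"):
            self.set(d, self.get(d) + (1 if mnemonic == "INC" else -1))
        elif mnemonic in ("ADD", "SUB"):
            self.set(d, self.get(d) + self.value(ops[1]) * (1 if mnemonic == "ADD" else -1))
        elif mnemonic == "AND":
            self.set(d, self.get(d) & self.value(ops[1]))
        elif mnemonic == "BSWAP":
            self.set(d, int.from_bytes(self.get(d).to_bytes(4, "little"), "big"))
        elif mnemonic == "PUSH":
            self.stack.append(self.value(d))
        elif mnemonic == "POP":
            self.set(d, self.stack.pop())


def parse_listing(text):
    """Yield (mnemonic, operands) from OD lines 'ADDR BYTES MNEMONIC OPS ; comment'.  The byte
    column has a variable number of tokens (e.g. 'B9 00080000'), so the mnemonic is found by
    name; an instruction outside MNEMONICS is an error rather than being skipped silently."""
    for raw in text.splitlines():
        tokens = raw.split(";")[0].split()
        if not tokens:
            continue
        idx = next((i for i, t in enumerate(tokens) if t in MNEMONICS), None)
        if idx is None:
            raise ValueError("instruction not modelled: " + raw)
        yield tokens[idx], [o.strip() for o in " ".join(tokens[idx + 1:]).split(",")]


def replay(listing, eflags):
    """Run the sequence with EAX = eflags and return EAX afterwards, the value the shell's
    NEG/SBB tail turns into 0 or 1.  With eflags = 0xFFFFFFFF the result is the mask itself."""
    cpu = Cpu(eflags)
    for mnemonic, ops in parse_listing(listing):
        cpu.step(mnemonic, ops)
    return cpu.regs["EAX"]


def flag_names(mask):
    return [name for bit, name in EFLAGS_BITS.items() if mask & bit]


# Sample input copied from the example 1 listing above (007EB7BC..007EB805); repeated lines are
# generated, not copied, and therefore carry no address.
EXAMPLE1 = "\n".join(
    ["007EB7BC 51 PUSH ECX", "007EB7BD B9 00080000 MOV ECX, 800", "007EB7C2 B9 0A000000 MOV ECX, 0A",
     "007EB7C7 F7D1 NOT ECX", "007EB7C9 0FC8 BSWAP EAX", "007EB7CB F7D1 NOT ECX"]
    + ["41 INC ECX"] * 19 + ["007EB7E0 49 DEC ECX", "007EB7E1 41 INC ECX"]
    + ["FEC1 INC CL"] * 3 + ["007EB7E8 83C1 0D ADD ECX, 0D"] + ["FEC1 INC CL"] * 5
    + ["007EB7F5 83C1 0A ADD ECX, 0A", "007EB7F8 49 DEC ECX", "007EB7F9 52 PUSH EDX",
       "007EB7FA BA 04000000 MOV EDX, 4", "007EB7FF 03CA ADD ECX, EDX", "007EB801 41 INC ECX",
       "007EB802 5A POP EDX", "007EB803 0FC8 BSWAP EAX", "007EB805 23C1 AND EAX, ECX"])

# Sample input copied from the example 3 listing above (007E3836..007E3881), same convention.
EXAMPLE3 = "\n".join(
    ["007E3836 52 PUSH EDX", "007E3837 BA FFFF0000 MOV EDX, 0FFFF", "007E383C 23C2 AND EAX, EDX",
     "007E383E 53 PUSH EBX", "007E383F 50 PUSH EAX", "007E3840 B7 07 MOV BH, 7"]
    + ["FECF DEC BH"] * 7
    + ["007E3850 25 00080000 AND EAX, 800", "007E3855 0FC9 BSWAP ECX", "007E3857 58 POP EAX",
       "007E3858 0FC9 BSWAP ECX", "007E385A 22E7 AND AH, BH", "007E385C B3 86 MOV BL, 86",
       "007E385E 80EB 05 SUB BL, 5"] + ["FECB DEC BL"] * 7
    + ["007E386F 80EB 1A SUB BL, 1A", "007E3872 FECB DEC BL", "007E3874 80EB 1F SUB BL, 1F",
       "007E3877 66:F7D3 NOT BX", "007E387A 0FC8 BSWAP EAX", "007E387C 66:F7D3 NOT BX",
       "007E387F 0FC8 BSWAP EAX", "007E3881 22C3 AND AL, BL"])

if __name__ == "__main__":
    for name, seq in (("example 1", EXAMPLE1), ("example 3", EXAMPLE3)):
        mask = replay(seq, 0xFFFFFFFF)
        print(name, hex(mask), flag_names(mask), "EFLAGS=0x246 ->", hex(replay(seq, 0x246)))
```

Both sequences reduce to mask 0x40 (ZF), matching the ECX=40 and BL=40 values recorded above; what distinguishes example 1 (je) from example 3 (jne) is not the mask but the NEG/SBB/NEG versus NEG/SBB/INC tail that follows the AND. Any instruction the interpreter does not model raises an error, so a sequence that uses something new is noticed rather than silently mis-evaluated.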
Modify to:
007E381A 55 PUSH EBP
007E381B 8BEC MOV EBP, ESP
007E381D 83EC 0C SUB ESP, 0C
007E3820 53 PUSH EBX
007E3821 56 PUSH ESI
007E3822 57 PUSH EDI
007E3823 8B45 08 MOV EAX, DWORD PTR SS:[EBP+8]
007E3826 50 PUSH EAX
007E3827 FF15 64CC8300 CALL DWORD PTR DS:[83CC64] ; ezcddax.007DE435
007E382D 83C4 04 ADD ESP, 4
007E3830 8945 FC MOV DWORD PTR SS:[EBP-4], EAX
007E3833 8B45 FC MOV EAX, DWORD PTR SS:[EBP-4] ; fetch the EFLAGS value from the CONTEXT
007E3836 90 NOP ; fetch the CC address
007E3837 90 NOP
007E3838 36:A1 108F8200 MOV EAX, DWORD PTR SS:[828F10]
007E383E 8B00 MOV EAX, DWORD PTR DS:[EAX] ; fetch the CC address
007E3840 8078 FF 0F CMP BYTE PTR DS:[EAX-1], 0F ; check whether this is the long-jump marker
007E3844 74 06 JE SHORT ezcddax.007E384C
007E3846 C640 FF 75 MOV BYTE PTR DS:[EAX-1], 75 ; short jump: written at the CC address
007E384A EB 20 JMP SHORT ezcddax.007E386C
007E384C C600 85 MOV BYTE PTR DS:[EAX], 85 ; long jump: written at the address where the CC occurred, not at the CC address
007E384F 90 NOP
007E3850 33C0 XOR EAX, EAX
007E3852 90 NOP
007E3853 90 NOP
007E3854 90 NOP
007E3855 90 NOP
007E3856 90 NOP
007E3857 90 NOP
007E3858 90 NOP
007E3859 90 NOP
007E385A 90 NOP
007E385B 90 NOP
007E385C 90 NOP
007E385D 90 NOP
007E385E 90 NOP
007E385F 90 NOP
007E3860 90 NOP
007E3861 90 NOP
007E3862 90 NOP
007E3863 90 NOP
007E3864 90 NOP
007E3865 90 NOP
007E3866 90 NOP
007E3867 90 NOP
007E3868 90 NOP
007E3869 90 NOP
007E386A 90 NOP
007E386B 90 NOP
007E386C 90 NOP
007E386D 90 NOP
007E386E 90 NOP
007E386F 90 NOP
007E3870 90 NOP
007E3871 90 NOP
007E3872 90 NOP
007E3873 90 NOP
007E3874 90 NOP
007E3875 90 NOP
007E3876 90 NOP
007E3877 90 NOP
007E3878 90 NOP
007E3879 90 NOP
007E387A 90 NOP
007E387B 90 NOP
007E387C 90 NOP
007E387D 90 NOP
007E387E 90 NOP
007E387F 90 NOP
007E3880 90 NOP
007E3881 90 NOP
007E3882 90 NOP
007E3883 90 NOP
007E3884 90 NOP
007E3885 90 NOP
007E3886 90 NOP
007E3887 90 NOP
007E3888 90 NOP
007E3889 90 NOP
007E388A 90 NOP
007E388B 90 NOP
007E388C 8945 F4 MOV DWORD PTR SS:[EBP-C], EAX
007E388F 8B0D D4838300 MOV ECX, DWORD PTR DS:[8383D4]
007E3895 330D D8838300 XOR ECX, DWORD PTR DS:[8383D8]
007E389B D1E1 SHL ECX, 1
007E389D 894D F8 MOV DWORD PTR SS:[EBP-8], ECX
007E38A0 837D F4 00 CMP DWORD PTR SS:[EBP-C], 0
007E38A4 74 09 JE SHORT ezcddax.007E38AF
007E38A6 8B55 F8 MOV EDX, DWORD PTR SS:[EBP-8]
007E38A9 83CA 01 OR EDX, 1
007E38AC 8955 F8 MOV DWORD PTR SS:[EBP-8], EDX
007E38AF 8B45 F8 MOV EAX, DWORD PTR SS:[EBP-8]
007E38B2 50 PUSH EAX
007E38B3 FF15 00CC8300 CALL DWORD PTR DS:[83CC00] ; ezcddax.007DE2C9
007E38B9 83C4 04 ADD ESP, 4
007E38BC 5F POP EDI
007E38BD 5E POP ESI
007E38BE 5B POP EBX
007E38BF 8BE5 MOV ESP, EBP
007E38C1 5D POP EBP
007E38C2 C3 RETN
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
JMP short-jump type: typically EAX and 0 followed by inc EAX; opcode: EB
007EB5BE 55 PUSH EBP
007EB5BF 8BEC MOV EBP, ESP
007EB5C1 83EC 0C SUB ESP, 0C
007EB5C4 53 PUSH EBX
007EB5C5 56 PUSH ESI
007EB5C6 57 PUSH EDI
007EB5C7 8B45 08 MOV EAX, DWORD PTR SS:[EBP+8]
007EB5CA 50 PUSH EAX
007EB5CB FF15 74CC8300 CALL DWORD PTR DS:[83CC74] ; ezcddax.007DEEA0
007EB5D1 83C4 04 ADD ESP, 4
007EB5D4 8945 FC MOV DWORD PTR SS:[EBP-4], EAX
007EB5D7 8B45 FC MOV EAX, DWORD PTR SS:[EBP-4]
007EB5DA 90 NOP ; jmp type
007EB5DB 90 NOP
007EB5DC 36:A1 108F8200 MOV EAX, DWORD PTR SS:[828F10]
007EB5E2 8B00 MOV EAX, DWORD PTR DS:[EAX]
007EB5E4 C640 FF EB MOV BYTE PTR DS:[EAX-1], 0EB ; short jump: written at the CC address; note the leading 0 (0EB)
007EB5E8 90 NOP
007EB5E9 90 NOP
007EB5EA 90 NOP
007EB5EB 90 NOP
007EB5EC 90 NOP
007EB5ED 90 NOP
007EB5EE 90 NOP
007EB5EF 90 NOP
007EB5F0 90 NOP
007EB5F1 90 NOP
007EB5F2 90 NOP
007EB5F3 90 NOP
007EB5F4 90 NOP
007EB5F5 90 NOP
007EB5F6 90 NOP
007EB5F7 90 NOP
007EB5F8 90 NOP
007EB5F9 90 NOP
007EB5FA 90 NOP
007EB5FB 90 NOP
007EB5FC 90 NOP
007EB5FD 90 NOP
007EB5FE 90 NOP
007EB5FF 90 NOP
007EB600 90 NOP
007EB601 90 NOP
007EB602 90 NOP
007EB603 90 NOP
007EB604 90 NOP
007EB605 90 NOP
007EB606 90 NOP
007EB607 90 NOP
007EB608 90 NOP
007EB609 90 NOP
007EB60A 90 NOP
007EB60B 90 NOP
007EB60C 90 NOP
007EB60D 90 NOP
007EB60E 90 NOP
007EB60F 90 NOP
007EB610 90 NOP
007EB611 90 NOP
007EB612 90 NOP
007EB613 90 NOP
007EB614 90 NOP
007EB615 90 NOP
007EB616 90 NOP
007EB617 90 NOP
007EB618 90 NOP
007EB619 90 NOP
007EB61A 90 NOP
007EB61B 90 NOP
007EB61C 90 NOP
007EB61D 90 NOP
007EB61E 90 NOP
007EB61F 90 NOP
007EB620 90 NOP
007EB621 90 NOP
007EB622 90 NOP
007EB623 90 NOP
007EB624 90 NOP
007EB625 90 NOP
007EB626 90 NOP
007EB627 90 NOP
007EB628 90 NOP
007EB629 90 NOP
007EB62A 90 NOP
007EB62B 90 NOP
007EB62C 90 NOP
007EB62D 90 NOP
007EB62E 90 NOP
007EB62F 90 NOP
007EB630 90 NOP
007EB631 90 NOP
007EB632 90 NOP
007EB633 90 NOP
007EB634 90 NOP
007EB635 90 NOP
007EB636 90 NOP
007EB637 90 NOP
007EB638 8945 F4 MOV DWORD PTR SS:[EBP-C], EAX
007EB63B 8B0D E4838300 MOV ECX, DWORD PTR DS:[8383E4]
007EB641 330D E8838300 XOR ECX, DWORD PTR DS:[8383E8]
007EB647 D1E1 SHL ECX, 1
007EB649 894D F8 MOV DWORD PTR SS:[EBP-8], ECX
007EB64C 837D F4 00 CMP DWORD PTR SS:[EBP-C], 0
007EB650 74 09 JE SHORT ezcddax.007EB65B
007EB652 8B55 F8 MOV EDX, DWORD PTR SS:[EBP-8]
007EB655 83CA 01 OR EDX, 1
007EB658 8955 F8 MOV DWORD PTR SS:[EBP-8], EDX
007EB65B 8B45 F8 MOV EAX, DWORD PTR SS:[EBP-8]
007EB65E 50 PUSH EAX
007EB65F FF15 10CC8300 CALL DWORD PTR DS:[83CC10] ; ezcddax.007DED83
007EB665 83C4 04 ADD ESP, 4
007EB668 5F POP EDI
007EB669 5E POP ESI
007EB66A 5B POP EBX
007EB66B 8BE5 MOV ESP, EBP
007EB66D 5D POP EBP
007EB66E C3 RETN
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
jnp type: tests PF=0; opcode: 7B
007E989C 55 PUSH EBP
007E989D 8BEC MOV EBP, ESP
007E989F 83EC 0C SUB ESP, 0C
007E98A2 53 PUSH EBX
007E98A3 56 PUSH ESI
007E98A4 57 PUSH EDI
007E98A5 8B45 08 MOV EAX, DWORD PTR SS:[EBP+8]
007E98A8 50 PUSH EAX
007E98A9 FF15 70CC8300 CALL DWORD PTR DS:[83CC70] ; ezcddax.007DEC1F
007E98AF 83C4 04 ADD ESP, 4
007E98B2 8945 FC MOV DWORD PTR SS:[EBP-4], EAX
007E98B5 8B45 FC MOV EAX, DWORD PTR SS:[EBP-4]
007E98B8 52 PUSH EDX
007E98B9 BA FFFF0000 MOV EDX, 0FFFF
007E98BE 23C2 AND EAX, EDX
007E98C0 53 PUSH EBX
007E98C1 68 10040000 PUSH 410
007E98C6 5B POP EBX
007E98C7 FECF DEC BH
007E98C9 FECF DEC BH
007E98CB 80EF FF SUB BH, 0FF
007E98CE 80EF 02 SUB BH, 2
007E98D1 FECF DEC BH
007E98D3 22E7 AND AH, BH
007E98D5 B3 0E MOV BL, 0E
007E98D7 80EB 04 SUB BL, 4
007E98DA FECB DEC BL
007E98DC 80EB 01 SUB BL, 1
007E98DF 80EB 01 SUB BL, 1
007E98E2 80EB 01 SUB BL, 1
007E98E5 80EB 01 SUB BL, 1
007E98E8 80EB 01 SUB BL, 1
007E98EB 22C3 AND AL, BL ; BL=04 AL=46
007E98ED 5B POP EBX
007E98EE 5A POP EDX
007E98EF 85C0 TEST EAX, EAX ; tests PF=0: jnp
007E98F1 74 08 JE SHORT ezcddax.007E98FB
007E98F3 F7D0 NOT EAX
007E98F5 83C0 01 ADD EAX, 1
007E98F8 F9 STC
007E98F9 EB 06 JMP SHORT ezcddax.007E9901
007E98FB F7D0 NOT EAX
007E98FD 83C0 01 ADD EAX, 1
007E9900 F8 CLC
007E9901 1BC0 SBB EAX, EAX
007E9903 40 INC EAX
007E9904 48 DEC EAX
007E9905 70 09 JO SHORT ezcddax.007E9910
007E9907 7C 05 JL SHORT ezcddax.007E990E
007E9909 EB 07 JMP SHORT ezcddax.007E9912
007E990B 0F1226 MOVLPS XMM4, QWORD PTR DS:[ESI]
007E990E ^ 74 F9 JE SHORT ezcddax.007E9909
007E9910 ^ EB F7 JMP SHORT ezcddax.007E9909
007E9912 40 INC EAX
007E9913 48 DEC EAX
007E9914 70 09 JO SHORT ezcddax.007E991F
007E9916 7C 05 JL SHORT ezcddax.007E991D
007E9918 EB 07 JMP SHORT ezcddax.007E9921
007E991A 0F1226 MOVLPS XMM4, QWORD PTR DS:[ESI]
007E991D ^ 74 F9 JE SHORT ezcddax.007E9918
007E991F ^ EB F7 JMP SHORT ezcddax.007E9918
007E9921 40 INC EAX
007E9922 48 DEC EAX
007E9923 40 INC EAX
007E9924 48 DEC EAX
007E9925 70 07 JO SHORT ezcddax.007E992E
007E9927 7C 03 JL SHORT ezcddax.007E992C
007E9929 EB 05 JMP SHORT ezcddax.007E9930
007E992B C7 ??? ; unknown command
007E992C ^ 74 FB JE SHORT ezcddax.007E9929
007E992E ^ EB F9 JMP SHORT ezcddax.007E9929
007E9930 40 INC EAX
007E9931 8945 F4 MOV DWORD PTR SS:[EBP-C], EAX
007E9934 8B0D E0838300 MOV ECX, DWORD PTR DS:[8383E0]
007E993A 330D E4838300 XOR ECX, DWORD PTR DS:[8383E4]
007E9940 D1E1 SHL ECX, 1
007E9942 894D F8 MOV DWORD PTR SS:[EBP-8], ECX
007E9945 837D F4 00 CMP DWORD PTR SS:[EBP-C], 0
007E9949 74 09 JE SHORT ezcddax.007E9954
007E994B 8B55 F8 MOV EDX, DWORD PTR SS:[EBP-8]
007E994E 83CA 01 OR EDX, 1
007E9951 8955 F8 MOV DWORD PTR SS:[EBP-8], EDX
007E9954 8B45 F8 MOV EAX, DWORD PTR SS:[EBP-8]
007E9957 50 PUSH EAX
007E9958 FF15 0CCC8300 CALL DWORD PTR DS:[83CC0C] ; ezcddax.007DEABB
007E995E 83C4 04 ADD ESP, 4
007E9961 5F POP EDI
007E9962 5E POP ESI
007E9963 5B POP EBX
007E9964 8BE5 MOV ESP, EBP
007E9966 5D POP EBP
007E9967 C3 RETN
Modify to:
007E989C 55 PUSH EBP
007E989D 8BEC MOV EBP, ESP
007E989F 83EC 0C SUB ESP, 0C
007E98A2 53 PUSH EBX
007E98A3 56 PUSH ESI
007E98A4 57 PUSH EDI
007E98A5 8B45 08 MOV EAX, DWORD PTR SS:[EBP+8]
007E98A8 50 PUSH EAX
007E98A9 FF15 70CC8300 CALL DWORD PTR DS:[83CC70] ; ezcddax.007DEC1F
007E98AF 83C4 04 ADD ESP, 4
007E98B2 8945 FC MOV DWORD PTR SS:[EBP-4], EAX
007E98B5 8B45 FC MOV EAX, DWORD PTR SS:[EBP-4]
007E98B8 90 NOP
007E98B9 90 NOP
007E98BA 90 NOP
007E98BB 90 NOP
007E98BC 36:A1 108F8200 MOV EAX, DWORD PTR SS:[828F10] ; tests PF=0: jnp type
007E98C2 8B00 MOV EAX, DWORD PTR DS:[EAX]
007E98C4 8078 FF 0F CMP BYTE PTR DS:[EAX-1], 0F
007E98C8 74 06 JE SHORT ezcddax.007E98D0
007E98CA C640 FF 7B MOV BYTE PTR DS:[EAX-1], 7B
007E98CE EB 20 JMP SHORT ezcddax.007E98F0
007E98D0 C600 8B MOV BYTE PTR DS:[EAX], 8B
007E98D3 90 NOP
007E98D4 33C0 XOR EAX, EAX
007E98D6 90 NOP
007E98D7 90 NOP
007E98D8 90 NOP
007E98D9 90 NOP
007E98DA 90 NOP
007E98DB 90 NOP
007E98DC 90 NOP
007E98DD 90 NOP
007E98DE 90 NOP
007E98DF 90 NOP
007E98E0 90 NOP
007E98E1 90 NOP
007E98E2 90 NOP
007E98E3 90 NOP
007E98E4 90 NOP
007E98E5 90 NOP
007E98E6 90 NOP
007E98E7 90 NOP
007E98E8 90 NOP
007E98E9 90 NOP
007E98EA 90 NOP
007E98EB 90 NOP ; BL=04 AL=46
007E98EC 90 NOP
007E98ED 90 NOP
007E98EE 90 NOP
007E98EF 90 NOP ; tests PF=0: jnp
007E98F0 90 NOP
007E98F1 90 NOP
007E98F2 90 NOP
007E98F3 90 NOP
007E98F4 90 NOP
007E98F5 90 NOP
007E98F6 90 NOP
007E98F7 90 NOP
007E98F8 90 NOP
007E98F9 90 NOP
007E98FA 90 NOP
007E98FB 90 NOP
007E98FC 90 NOP
007E98FD 90 NOP
007E98FE 90 NOP
007E98FF 90 NOP
007E9900 90 NOP
007E9901 90 NOP
007E9902 90 NOP
007E9903 90 NOP
007E9904 90 NOP
007E9905 90 NOP
007E9906 90 NOP
007E9907 90 NOP
007E9908 90 NOP
007E9909 90 NOP
007E990A 90 NOP
007E990B 90 NOP
007E990C 90 NOP
007E990D 90 NOP
007E990E 90 NOP
007E990F 90 NOP
007E9910 90 NOP
007E9911 90 NOP
007E9912 90 NOP
007E9913 90 NOP
007E9914 90 NOP
007E9915 90 NOP
007E9916 90 NOP
007E9917 90 NOP
007E9918 90 NOP
007E9919 90 NOP
007E991A 90 NOP
007E991B 90 NOP
007E991C 90 NOP
007E991D 90 NOP
007E991E 90 NOP
007E991F 90 NOP
007E9920 90 NOP
007E9921 90 NOP
007E9922 90 NOP
007E9923 90 NOP
007E9924 90 NOP
007E9925 90 NOP
007E9926 90 NOP
007E9927 90 NOP
007E9928 90 NOP
007E9929 90 NOP
007E992A 90 NOP
007E992B 90 NOP
007E992C 90 NOP
007E992D 90 NOP
007E992E 90 NOP
007E992F 90 NOP
007E9930 90 NOP
007E9931 8945 F4 MOV DWORD PTR SS:[EBP-C], EAX
007E9934 8B0D E0838300 MOV ECX, DWORD PTR DS:[8383E0]
007E993A 330D E4838300 XOR ECX, DWORD PTR DS:[8383E4]
007E9940 D1E1 SHL ECX, 1
007E9942 894D F8 MOV DWORD PTR SS:[EBP-8], ECX
007E9945 837D F4 00 CMP DWORD PTR SS:[EBP-C], 0
007E9949 74 09 JE SHORT ezcddax.007E9954
007E994B 8B55 F8 MOV EDX, DWORD PTR SS:[EBP-8]
007E994E 83CA 01 OR EDX, 1
007E9951 8955 F8 MOV DWORD PTR SS:[EBP-8], EDX
007E9954 8B45 F8 MOV EAX, DWORD PTR SS:[EBP-8]
007E9957 50 PUSH EAX
007E9958 FF15 0CCC8300 CALL DWORD PTR DS:[83CC0C] ; ezcddax.007DEABB
007E995E 83C4 04 ADD ESP, 4
007E9961 5F POP EDI
007E9962 5E POP ESI
007E9963 5B POP EBX
007E9964 8BE5 MOV ESP, EBP
007E9966 5D POP EBP
007E9967 C3 RETN
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
JA/JNBE (unsigned compare): tests CF=0 and ZF=0; opcode: 77
007E7E91 55 PUSH EBP
007E7E92 8BEC MOV EBP, ESP
007E7E94 83EC 0C SUB ESP, 0C
007E7E97 53 PUSH EBX
007E7E98 56 PUSH ESI
007E7E99 57 PUSH EDI
007E7E9A 8B45 08 MOV EAX, DWORD PTR SS:[EBP+8]
007E7E9D 50 PUSH EAX
007E7E9E FF15 44CC8300 CALL DWORD PTR DS:[83CC44] ; ezcddax.007DD15A
007E7EA4 83C4 04 ADD ESP, 4
007E7EA7 8945 FC MOV DWORD PTR SS:[EBP-4], EAX
007E7EAA 8B45 FC MOV EAX, DWORD PTR SS:[EBP-4]
007E7EAD 52 PUSH EDX
007E7EAE BA FFFF0000 MOV EDX, 0FFFF
007E7EB3 23C2 AND EAX, EDX
007E7EB5 53 PUSH EBX
007E7EB6 50 PUSH EAX
007E7EB7 B7 03 MOV BH, 3
007E7EB9 70 07 JO SHORT ezcddax.007E7EC2
007E7EBB 7C 03 JL SHORT ezcddax.007E7EC0
007E7EBD EB 05 JMP SHORT ezcddax.007E7EC4
007E7EBF - E9 74FBEBF9 JMP FA6A7A38
007E7EC4 FECF DEC BH
007E7EC6 FECF DEC BH
007E7EC8 FECF DEC BH
007E7ECA 25 00080000 AND EAX, 800
007E7ECF 0FC9 BSWAP ECX
007E7ED1 58 POP EAX
007E7ED2 0FC9 BSWAP ECX
007E7ED4 22E7 AND AH, BH
007E7ED6 B3 87 MOV BL, 87
007E7ED8 80EB 05 SUB BL, 5
007E7EDB FECB DEC BL
007E7EDD FECB DEC BL
007E7EDF FECB DEC BL
007E7EE1 FECB DEC BL
007E7EE3 FECB DEC BL
007E7EE5 FECB DEC BL
007E7EE7 FECB DEC BL
007E7EE9 FECB DEC BL
007E7EEB FECB DEC BL
007E7EED 80EB 1A SUB BL, 1A
007E7EF0 80EB 1E SUB BL, 1E
007E7EF3 66:F7D3 NOT BX
007E7EF6 0FC8 BSWAP EAX
007E7EF8 66:F7D3 NOT BX
007E7EFB 0FC8 BSWAP EAX
007E7EFD 70 07 JO SHORT ezcddax.007E7F06
007E7EFF 7C 03 JL SHORT ezcddax.007E7F04
007E7F01 EB 05 JMP SHORT ezcddax.007E7F08
007E7F03 - E9 74FBEBF9 JMP FA6A7A7C
007E7F08 22C3 AND AL, BL ; BL=41 ('A') AL=46
007E7F0A 8BC0 MOV EAX, EAX ; tests CF=0 and ZF=0: JA/JNBE (unsigned compare) type
007E7F0C 5B POP EBX
007E7F0D F7D8 NEG EAX
007E7F0F 1BC0 SBB EAX, EAX
007E7F11 40 INC EAX
007E7F12 5A POP EDX
007E7F13 8945 F4 MOV DWORD PTR SS:[EBP-C], EAX
007E7F16 8B0D B4838300 MOV ECX, DWORD PTR DS:[8383B4]
007E7F1C 330D B8838300 XOR ECX, DWORD PTR DS:[8383B8]
007E7F22 D1E1 SHL ECX, 1
007E7F24 894D F8 MOV DWORD PTR SS:[EBP-8], ECX
007E7F27 837D F4 00 CMP DWORD PTR SS:[EBP-C], 0
007E7F2B 74 09 JE SHORT ezcddax.007E7F36
007E7F2D 8B55 F8 MOV EDX, DWORD PTR SS:[EBP-8]
007E7F30 83CA 01 OR EDX, 1
007E7F33 8955 F8 MOV DWORD PTR SS:[EBP-8], EDX
007E7F36 8B45 F8 MOV EAX, DWORD PTR SS:[EBP-8]
007E7F39 50 PUSH EAX
007E7F3A FF15 E0CB8300 CALL DWORD PTR DS:[83CBE0] ; ezcddax.007DD0A5
007E7F40 83C4 04 ADD ESP, 4
007E7F43 5F POP EDI
007E7F44 5E POP ESI
007E7F45 5B POP EBX
007E7F46 8BE5 MOV ESP, EBP
007E7F48 5D POP EBP
007E7F49 C3 RETN
Modify to:
007E7E91 55 PUSH EBP
007E7E92 8BEC MOV EBP, ESP
007E7E94 83EC 0C SUB ESP, 0C
007E7E97 53 PUSH EBX
007E7E98 56 PUSH ESI
007E7E99 57 PUSH EDI
007E7E9A 8B45 08 MOV EAX, DWORD PTR SS:[EBP+8]
007E7E9D 50 PUSH EAX
007E7E9E FF15 44CC8300 CALL DWORD PTR DS:[83CC44] ; ezcddax.007DD15A
007E7EA4 83C4 04 ADD ESP, 4
007E7EA7 8945 FC MOV DWORD PTR SS:[EBP-4], EAX
007E7EAA 8B45 FC MOV EAX, DWORD PTR SS:[EBP-4]
007E7EAD 90 NOP
007E7EAE 90 NOP
007E7EAF 36:A1 108F8200 MOV EAX, DWORD PTR SS:[828F10] ; tests CF=0 and ZF=0: JA/JNBE (unsigned compare) type
007E7EB5 8B00 MOV EAX, DWORD PTR DS:[EAX]
007E7EB7 8078 FF 0F CMP BYTE PTR DS:[EAX-1], 0F
007E7EBB 74 06 JE SHORT ezcddax.007E7EC3
007E7EBD C640 FF 77 MOV BYTE PTR DS:[EAX-1], 77
007E7EC1 EB 20 JMP SHORT ezcddax.007E7EE3
007E7EC3 C600 87 MOV BYTE PTR DS:[EAX], 87
007E7EC6 90 NOP
007E7EC7 33C0 XOR EAX, EAX
007E7EC9 90 NOP
007E7ECA 90 NOP
007E7ECB 90 NOP
007E7ECC 90 NOP
007E7ECD 90 NOP
007E7ECE 90 NOP
007E7ECF 90 NOP
007E7ED0 90 NOP
007E7ED1 90 NOP
007E7ED2 90 NOP
007E7ED3 90 NOP
007E7ED4 90 NOP
007E7ED5 90 NOP
007E7ED6 90 NOP
007E7ED7 90 NOP
007E7ED8 90 NOP
007E7ED9 90 NOP
007E7EDA 90 NOP
007E7EDB 90 NOP
007E7EDC 90 NOP
007E7EDD 90 NOP
007E7EDE 90 NOP
007E7EDF 90 NOP
007E7EE0 90 NOP
007E7EE1 90 NOP
007E7EE2 90 NOP
007E7EE3 90 NOP
007E7EE4 90 NOP
007E7EE5 90 NOP
007E7EE6 90 NOP
007E7EE7 90 NOP
007E7EE8 90 NOP
007E7EE9 90 NOP
007E7EEA 90 NOP
007E7EEB 90 NOP
007E7EEC 90 NOP
007E7EED 90 NOP
007E7EEE 90 NOP
007E7EEF 90 NOP
007E7EF0 90 NOP
007E7EF1 90 NOP
007E7EF2 90 NOP
007E7EF3 90 NOP
007E7EF4 90 NOP
007E7EF5 90 NOP
007E7EF6 90 NOP
007E7EF7 90 NOP
007E7EF8 90 NOP
007E7EF9 90 NOP
007E7EFA 90 NOP
007E7EFB 90 NOP
007E7EFC 90 NOP
007E7EFD 90 NOP
007E7EFE 90 NOP
007E7EFF 90 NOP
007E7F00 90 NOP
007E7F01 90 NOP
007E7F02 90 NOP
007E7F03 90 NOP
007E7F04 90 NOP
007E7F05 90 NOP
007E7F06 90 NOP
007E7F07 90 NOP
007E7F08 90 NOP ; BL=41 ('A') AL=46
007E7F09 90 NOP
007E7F0A 90 NOP ; tests CF=0 and ZF=0: JA/JNBE (unsigned compare) type
007E7F0B 90 NOP
007E7F0C 90 NOP
007E7F0D 90 NOP
007E7F0E 90 NOP
007E7F0F 90 NOP
007E7F10 90 NOP
007E7F11 90 NOP
007E7F12 90 NOP
007E7F13 8945 F4 MOV DWORD PTR SS:[EBP-C], EAX
007E7F16 8B0D B4838300 MOV ECX, DWORD PTR DS:[8383B4]
007E7F1C 330D B8838300 XOR ECX, DWORD PTR DS:[8383B8]
007E7F22 D1E1 SHL ECX, 1
007E7F24 894D F8 MOV DWORD PTR SS:[EBP-8], ECX
007E7F27 837D F4 00 CMP DWORD PTR SS:[EBP-C], 0
007E7F2B 74 09 JE SHORT ezcddax.007E7F36
007E7F2D 8B55 F8 MOV EDX, DWORD PTR SS:[EBP-8]
007E7F30 83CA 01 OR EDX, 1
007E7F33 8955 F8 MOV DWORD PTR SS:[EBP-8], EDX
007E7F36 8B45 F8 MOV EAX, DWORD PTR SS:[EBP-8]
007E7F39 50 PUSH EAX
007E7F3A FF15 E0CB8300 CALL DWORD PTR DS:[83CBE0] ; ezcddax.007DD0A5
007E7F40 83C4 04 ADD ESP, 4
007E7F43 5F POP EDI
007E7F44 5E POP ESI
007E7F45 5B POP EBX
007E7F46 8BE5 MOV ESP, EBP
007E7F48 5D POP EBP
007E7F49 C3 RETN
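Putting the examples so far together: each type is identified by which EFLAGS bits the shell masks and whether the NEG/SBB tail yields 1 for "all masked bits clear" (jne, jnp, ja) or for "any masked bit set" (je); the patch then writes the short opcode at the CC address, or the second byte of the 0F-prefixed near form at the address where the CC occurred. The following added example (not code from the original post) encodes that as a truth-table lookup over the standard x86 Jcc opcodes plus a byte-patching helper that follows the same rule as the hand-written patch code above. Identification takes a predicate rather than a bare mask so that types like JL, which test SF xor OF, fit too. The sample buffers are constructed from the two repaired sites shown earlier (addresses from the page); the pre-repair CC byte at those positions is assumed.

```python
"""Name the Jcc from the flag test the shell performs, then write the opcode back the way the
patch code above does.  Added example, not code from the original post; the opcode table is
the standard x86 one and the patch rule is the one the hand-written patch code above applies."""

CF, PF, ZF, SF, OF = 0x001, 0x004, 0x040, 0x080, 0x800

# Mnemonic -> (short opcode, condition on EFLAGS).  The near form is 0F followed by short + 0x10.
JCC = {
    "JO":      (0x70, lambda f: bool(f & OF)),
    "JNO":     (0x71, lambda f: not f & OF),
    "JB/JC":   (0x72, lambda f: bool(f & CF)),
    "JAE/JNB": (0x73, lambda f: not f & CF),
    "JE/JZ":   (0x74, lambda f: bool(f & ZF)),
    "JNE/JNZ": (0x75, lambda f: not f & ZF),
    "JBE/JNA": (0x76, lambda f: bool(f & (CF | ZF))),
    "JA/JNBE": (0x77, lambda f: not f & (CF | ZF)),
    "JS":      (0x78, lambda f: bool(f & SF)),
    "JNS":     (0x79, lambda f: not f & SF),
    "JP/JPE":  (0x7A, lambda f: bool(f & PF)),
    "JNP/JPO": (0x7B, lambda f: not f & PF),
    "JL/JNGE": (0x7C, lambda f: bool(f & SF) != bool(f & OF)),
    "JGE/JNL": (0x7D, lambda f: bool(f & SF) == bool(f & OF)),
    "JLE/JNG": (0x7E, lambda f: bool(f & ZF) or bool(f & SF) != bool(f & OF)),
    "JG/JNLE": (0x7F, lambda f: not f & ZF and bool(f & SF) == bool(f & OF)),
    "JMP":     (0xEB, lambda f: True),   # unconditional; its near form is E9 rel32, not 0F xx
}

# Every combination of the five flags the Jcc family can look at.
ALL_FLAG_COMBOS = [sum(b for i, b in enumerate((CF, PF, ZF, SF, OF)) if n >> i & 1)
                   for n in range(32)]


def mask_test(mask, taken_when_clear):
    """The test shape seen in the listings: EFLAGS AND mask, then NEG/SBB/INC (yields 1 when the
    masked bits are all clear) or NEG/SBB/NEG (yields 1 when any masked bit is set)."""
    return lambda f: (f & mask == 0) if taken_when_clear else (f & mask != 0)


def identify(test):
    """The unique Jcc whose truth table over ALL_FLAG_COMBOS equals the observed test, else None."""
    hits = [name for name, (_, cond) in JCC.items()
            if all(bool(cond(f)) == bool(test(f)) for f in ALL_FLAG_COMBOS)]
    return hits[0] if len(hits) == 1 else None


def would_jump(name, eflags):
    """Replay the decision on a CONTEXT EFlags value (0x246 in the session above)."""
    return bool(JCC[name][1](eflags))


def patch_jcc(code, base, fault_addr, name):
    """code: bytearray of the dump around the nanomite; base: its load address; fault_addr: the
    address stored at [828F10], the page's 'address where the CC occurred'.  Same rule as the
    patch code above: 0F just before fault_addr means a near jump, whose second opcode byte goes
    at fault_addr; otherwise the short opcode replaces the byte at fault_addr - 1."""
    i = fault_addr - base
    if not 1 <= i < len(code):
        raise IndexError("fault address outside the buffer")
    short = JCC[name][0]
    if code[i - 1] == 0x0F:
        if name == "JMP":
            raise ValueError("near JMP is E9 rel32; this rule cannot repair it")
        code[i] = short + 0x10
    else:
        code[i - 1] = short
    return code


if __name__ == "__main__":
    # Constructed samples at the two repaired sites shown above (addresses from the page, the
    # pre-repair CC byte assumed): the near JE at 0043989D and the short JE at 00439961.
    kind = identify(mask_test(ZF, False))          # "JE/JZ", as in examples 1 and 2
    near = patch_jcc(bytearray.fromhex("0FCCAE030000"), 0x0043989D, 0x0043989E, kind)
    short = patch_jcc(bytearray.fromhex("85C0CC13"), 0x0043995F, 0x00439962, kind)
    print(kind, near.hex(), short.hex(), would_jump(kind, 0x246))
```

With the session's EFLAGS of 0x246, would_jump reports the je taken and jnp/ja not taken, which is the answer the shell computes before writing Eip back with SetThreadContext; the patched buffers reproduce the 0F 84 AE 03 00 00 and 74 13 shown in the repaired listings above.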
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
JL/JNGE (signed compare) type: tests SF xor OF = 1; opcode: 7C
007E7311 55 PUSH EBP
007E7312 8BEC MOV EBP, ESP
007E7314 83EC 0C SUB ESP, 0C
007E7317 53 PUSH EBX
007E7318 56 PUSH ESI
007E7319 57 PUSH EDI
007E731A 8B45 08 MOV EAX, DWORD PTR SS:[EBP+8]
007E731D 50 PUSH EAX
007E731E FF15 70CC8300 CALL DWORD PTR DS:[83CC70] ; ezcddax.007DEC1F
007E7324 83C4 04 ADD ESP, 4
007E7327 8945 FC MOV DWORD PTR SS:[EBP-4], EAX
007E732A 8B45 FC MOV EAX, DWORD PTR SS:[EBP-4]
007E732D 51 PUSH ECX
007E732E B9 00080000 MOV ECX, 800
007E7333 B9 40000000 MOV ECX, 40
007E7338 F7D1 NOT ECX
007E733A 0FC8 BSWAP EAX
007E733C F7D1 NOT ECX
007E733E 41 INC ECX
007E733F 41 INC ECX
007E7340 41 INC ECX
007E7341 41 INC ECX
007E7342 41 INC ECX
007E7343 83C1 0B ADD ECX, 0B
007E7346 41 INC ECX
007E7347 41 INC ECX
007E7348 41 INC ECX
007E7349 41 INC ECX
007E734A 41 INC ECX
007E734B 41 INC ECX
007E734C 41 INC ECX
007E734D 41 INC ECX
007E734E 41 INC ECX
007E734F 41 INC ECX
007E7350 49 DEC ECX
007E7351 41 INC ECX
007E7352 FEC1 INC CL
007E7354 FEC1 INC CL
007E7356 FEC1 INC CL
007E7358 83C1 0D ADD ECX, 0D
007E735B FEC1 INC CL
007E735D FEC1 INC CL
007E735F FEC1 INC CL
007E7361 FEC1 INC CL
007E7363 FEC1 INC CL
007E7365 83C1 0A ADD ECX, 0A
007E7368 49 DEC ECX
007E7369 52 PUSH EDX
007E736A BA 04000000 MOV EDX, 4
007E736F 03CA ADD ECX, EDX
007E7371 41 INC ECX
007E7372 5A POP EDX
007E7373 0FC8 BSWAP EAX
007E7375 83C1 03 ADD ECX, 3
007E7378 23C1 AND EAX, ECX ; ECX=00000080 EAX=00000246, tests SF bit = 0
007E737A 59 POP ECX
007E737B F7D8 NEG EAX
007E737D 1BC0 SBB EAX, EAX
007E737F 40 INC EAX
007E7380 5A POP EDX
007E7381 50 PUSH EAX
007E7382 8B45 FC MOV EAX, DWORD PTR SS:[EBP-4]
007E7385 BA 000F0000 MOV EDX, 0F00
007E738A 80EE 01 SUB DH, 1
007E738D FECE DEC DH
007E738F FECE DEC DH
007E7391 FECE DEC DH
007E7393 FECE DEC DH
007E7395 FECE DEC DH
007E7397 FECE DEC DH
007E7399 23C2 AND EAX, EDX ; EDX=00000800, tests OF bit = 1
007E739B F7D8 NEG EAX
007E739D 1BC0 SBB EAX, EAX
007E739F 40 INC EAX
007E73A0 8BD0 MOV EDX, EAX
007E73A2 58 POP EAX
007E73A3 33C9 XOR ECX, ECX
007E73A5 70 07 JO SHORT ezcddax.007E73AE
007E73A7 7C 03 JL SHORT ezcddax.007E73AC
007E73A9 EB 05 JMP SHORT ezcddax.007E73B0
007E73AB C7 ??? ; unknown command
007E73AC ^ 74 FB JE SHORT ezcddax.007E73A9
007E73AE ^ EB F9 JMP SHORT ezcddax.007E73A9
007E73B0 3BC2 CMP EAX, EDX ; SF xor OF = 1, JL/JNGE (signed compare) type
007E73B2 70 07 JO SHORT ezcddax.007E73BB
007E73B4 7C 03 JL SHORT ezcddax.007E73B9
007E73B6 EB 05 JMP SHORT ezcddax.007E73BD
007E73B8 C7 ??? ; unknown command
007E73B9 ^ 74 FB JE SHORT ezcddax.007E73B6
007E73BB ^ EB F9 JMP SHORT ezcddax.007E73B6
007E73BD 74 11 JE SHORT ezcddax.007E73D0
007E73BF 83E0 00 AND EAX, 0
007E73C2 70 07 JO SHORT ezcddax.007E73CB
007E73C4 7C 03 JL SHORT ezcddax.007E73C9
007E73C6 EB 05 JMP SHORT ezcddax.007E73CD
007E73C8 C7 ??? ; unknown command
007E73C9 ^ 74 FB JE SHORT ezcddax.007E73C6
007E73CB ^ EB F9 JMP SHORT ezcddax.007E73C6
007E73CD 40 INC EAX
007E73CE EB 03 JMP SHORT ezcddax.007E73D3
007E73D0 83E0 00 AND EAX, 0
007E73D3 8945 F4 MOV DWORD PTR SS:[EBP-C], EAX
007E73D6 8B0D E0838300 MOV ECX, DWORD PTR DS:[8383E0]
007E73DC 330D E4838300 XOR ECX, DWORD PTR DS:[8383E4]
007E73E2 D1E1 SHL ECX, 1
007E73E4 894D F8 MOV DWORD PTR SS:[EBP-8], ECX
007E73E7 837D F4 00 CMP DWORD PTR SS:[EBP-C], 0
007E73EB 74 09 JE SHORT ezcddax.007E73F6
007E73ED 8B55 F8 MOV EDX, DWORD PTR SS:[EBP-8]
007E73F0 83CA 01 OR EDX, 1
007E73F3 8955 F8 MOV DWORD PTR SS:[EBP-8], EDX
007E73F6 8B45 F8 MOV EAX, DWORD PTR SS:[EBP-8]
007E73F9 50 PUSH EAX
007E73FA FF15 0CCC8300 CALL DWORD PTR DS:[83CC0C] ; ezcddax.007DEABB
007E7400 83C4 04 ADD ESP, 4
007E7403 5F POP EDI
007E7404 5E POP ESI
007E7405 5B POP EBX
007E7406 8BE5 MOV ESP, EBP
007E7408 5D POP EBP
007E7409 C3 RETN
Modified to:
007E7311 55 PUSH EBP
007E7312 8BEC MOV EBP, ESP
007E7314 83EC 0C SUB ESP, 0C
007E7317 53 PUSH EBX
007E7318 56 PUSH ESI
007E7319 57 PUSH EDI
007E731A 8B45 08 MOV EAX, DWORD PTR SS:[EBP+8]
007E731D 50 PUSH EAX
007E731E FF15 70CC8300 CALL DWORD PTR DS:[83CC70] ; ezcddax.007DEC1F
007E7324 83C4 04 ADD ESP, 4
007E7327 8945 FC MOV DWORD PTR SS:[EBP-4], EAX
007E732A 8B45 FC MOV EAX, DWORD PTR SS:[EBP-4]
007E732D 90 NOP
007E732E 90 NOP
007E732F 36:A1 108F8200 MOV EAX, DWORD PTR SS:[828F10] ; SF xor OF = 1, JL/JNGE (signed compare) type
007E7335 8B00 MOV EAX, DWORD PTR DS:[EAX]
007E7337 8078 FF 0F CMP BYTE PTR DS:[EAX-1], 0F
007E733B 74 06 JE SHORT ezcddax.007E7343
007E733D C640 FF 7C MOV BYTE PTR DS:[EAX-1], 7C
007E7341 EB 20 JMP SHORT ezcddax.007E7363
007E7343 C600 8C MOV BYTE PTR DS:[EAX], 8C
007E7346 90 NOP
007E7347 33C0 XOR EAX, EAX
007E7349 90 NOP
007E734A 90 NOP
007E734B 90 NOP
007E734C 90 NOP
007E734D 90 NOP
007E734E 90 NOP
007E734F 90 NOP
007E7350 90 NOP
007E7351 90 NOP
007E7352 90 NOP
007E7353 90 NOP
007E7354 90 NOP
007E7355 90 NOP
007E7356 90 NOP
007E7357 90 NOP
007E7358 90 NOP
007E7359 90 NOP
007E735A 90 NOP
007E735B 90 NOP
007E735C 90 NOP
007E735D 90 NOP
007E735E 90 NOP
007E735F 90 NOP
007E7360 90 NOP
007E7361 90 NOP
007E7362 90 NOP
007E7363 90 NOP
007E7364 90 NOP
007E7365 90 NOP
007E7366 90 NOP
007E7367 90 NOP
007E7368 90 NOP
007E7369 90 NOP
007E736A 90 NOP
007E736B 90 NOP
007E736C 90 NOP
007E736D 90 NOP
007E736E 90 NOP
007E736F 90 NOP
007E7370 90 NOP
007E7371 90 NOP
007E7372 90 NOP
007E7373 90 NOP
007E7374 90 NOP
007E7375 90 NOP
007E7376 90 NOP
007E7377 90 NOP
007E7378 90 NOP ; ECX=00000080 EAX=00000246, tests SF bit = 0
007E7379 90 NOP
007E737A 90 NOP
007E737B 90 NOP
007E737C 90 NOP
007E737D 90 NOP
007E737E 90 NOP
007E737F 90 NOP
007E7380 90 NOP
007E7381 90 NOP
007E7382 90 NOP
007E7383 90 NOP
007E7384 90 NOP
007E7385 90 NOP
007E7386 90 NOP
007E7387 90 NOP
007E7388 90 NOP
007E7389 90 NOP
007E738A 90 NOP
007E738B 90 NOP
007E738C 90 NOP
007E738D 90 NOP
007E738E 90 NOP
007E738F 90 NOP
007E7390 90 NOP
007E7391 90 NOP
007E7392 90 NOP
007E7393 90 NOP
007E7394 90 NOP
007E7395 90 NOP
007E7396 90 NOP
007E7397 90 NOP
007E7398 90 NOP
007E7399 90 NOP ; EDX=00000800, tests OF bit = 1
007E739A 90 NOP
007E739B 90 NOP
007E739C 90 NOP
007E739D 90 NOP
007E739E 90 NOP
007E739F 90 NOP
007E73A0 90 NOP
007E73A1 90 NOP
007E73A2 90 NOP
007E73A3 90 NOP
007E73A4 90 NOP
007E73A5 90 NOP
007E73A6 90 NOP
007E73A7 90 NOP
007E73A8 90 NOP
007E73A9 90 NOP
007E73AA 90 NOP
007E73AB 90 NOP
007E73AC 90 NOP
007E73AD 90 NOP
007E73AE 90 NOP
007E73AF 90 NOP
007E73B0 90 NOP ; SF xor OF = 1, JL/JNGE (signed compare) type
007E73B1 90 NOP
007E73B2 90 NOP
007E73B3 90 NOP
007E73B4 90 NOP
007E73B5 90 NOP
007E73B6 90 NOP
007E73B7 90 NOP
007E73B8 90 NOP
007E73B9 90 NOP
007E73BA 90 NOP
007E73BB 90 NOP
007E73BC 90 NOP
007E73BD 90 NOP
007E73BE 90 NOP
007E73BF 90 NOP
007E73C0 90 NOP
007E73C1 90 NOP
007E73C2 90 NOP
007E73C3 90 NOP
007E73C4 90 NOP
007E73C5 90 NOP
007E73C6 90 NOP
007E73C7 90 NOP
007E73C8 90 NOP
007E73C9 90 NOP
007E73CA 90 NOP
007E73CB 90 NOP
007E73CC 90 NOP
007E73CD 90 NOP
007E73CE 90 NOP
007E73CF 90 NOP
007E73D0 90 NOP
007E73D1 90 NOP
007E73D2 90 NOP
007E73D3 8945 F4 MOV DWORD PTR SS:[EBP-C], EAX
007E73D6 8B0D E0838300 MOV ECX, DWORD PTR DS:[8383E0]
007E73DC 330D E4838300 XOR ECX, DWORD PTR DS:[8383E4]
007E73E2 D1E1 SHL ECX, 1
007E73E4 894D F8 MOV DWORD PTR SS:[EBP-8], ECX
007E73E7 837D F4 00 CMP DWORD PTR SS:[EBP-C], 0
007E73EB 74 09 JE SHORT ezcddax.007E73F6
007E73ED 8B55 F8 MOV EDX, DWORD PTR SS:[EBP-8]
007E73F0 83CA 01 OR EDX, 1
007E73F3 8955 F8 MOV DWORD PTR SS:[EBP-8], EDX
007E73F6 8B45 F8 MOV EAX, DWORD PTR SS:[EBP-8]
007E73F9 50 PUSH EAX
007E73FA FF15 0CCC8300 CALL DWORD PTR DS:[83CC0C] ; ezcddax.007DEABB
007E7400 83C4 04 ADD ESP, 4
007E7403 5F POP EDI
007E7404 5E POP ESI
007E7405 5B POP EBX
007E7406 8BE5 MOV ESP, EBP
007E7408 5D POP EBP
007E7409 C3 RETN
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
JLE/JNG (signed compare): tests (SF xor OF) or ZF = 1; opcode byte: 7E
007E55E0 55 PUSH EBP
007E55E1 8BEC MOV EBP, ESP
007E55E3 83EC 0C SUB ESP, 0C
007E55E6 53 PUSH EBX
007E55E7 56 PUSH ESI
007E55E8 57 PUSH EDI
007E55E9 8B45 08 MOV EAX, DWORD PTR SS:[EBP+8]
007E55EC 50 PUSH EAX
007E55ED FF15 6CCC8300 CALL DWORD PTR DS:[83CC6C] ; ezcddax.007DE959
007E55F3 83C4 04 ADD ESP, 4
007E55F6 8945 FC MOV DWORD PTR SS:[EBP-4], EAX
007E55F9 8B45 FC MOV EAX, DWORD PTR SS:[EBP-4]
007E55FC 53 PUSH EBX
007E55FD 8B5D 0C MOV EBX, DWORD PTR SS:[EBP+C]
007E5600 BB FFFF0000 MOV EBX, 0FFFF
007E5605 23C3 AND EAX, EBX
007E5607 51 PUSH ECX
007E5608 B5 2C MOV CH, 2C
007E560A 80ED 01 SUB CH, 1
007E560D 80ED 20 SUB CH, 20
007E5610 FECD DEC CH
007E5612 FECD DEC CH
007E5614 80ED 04 SUB CH, 4
007E5617 FECD DEC CH
007E5619 80ED 03 SUB CH, 3
007E561C FECD DEC CH
007E561E 22E5 AND AH, CH
007E5620 B1 70 MOV CL, 70
007E5622 80E9 02 SUB CL, 2
007E5625 FEC9 DEC CL
007E5627 FEC9 DEC CL
007E5629 FEC9 DEC CL
007E562B 80E9 06 SUB CL, 6
007E562E F6D0 NOT AL
007E5630 0FC9 BSWAP ECX
007E5632 F6D0 NOT AL
007E5634 0FC9 BSWAP ECX
007E5636 FEC9 DEC CL
007E5638 FEC9 DEC CL
007E563A 80E9 10 SUB CL, 10
007E563D FEC9 DEC CL
007E563F FEC9 DEC CL
007E5641 80C1 0C ADD CL, 0C
007E5644 FEC9 DEC CL
007E5646 FEC9 DEC CL
007E5648 FEC9 DEC CL
007E564A 70 07 JO SHORT ezcddax.007E5653
007E564C 7C 03 JL SHORT ezcddax.007E5651
007E564E EB 05 JMP SHORT ezcddax.007E5655
007E5650 C7 ??? ; unknown command
007E5651 ^ 74 FB JE SHORT ezcddax.007E564E
007E5653 ^ EB F9 JMP SHORT ezcddax.007E564E
007E5655 FEC9 DEC CL
007E5657 FEC9 DEC CL
007E5659 FEC9 DEC CL
007E565B FEC9 DEC CL
007E565D 80E9 10 SUB CL, 10
007E5660 80E9 01 SUB CL, 1
007E5663 FEC9 DEC CL
007E5665 FEC9 DEC CL
007E5667 FEC9 DEC CL
007E5669 FEC9 DEC CL
007E566B FEC9 DEC CL
007E566D FEC9 DEC CL
007E566F FEC9 DEC CL
007E5671 FEC9 DEC CL
007E5673 F7D1 NOT ECX
007E5675 0FC8 BSWAP EAX
007E5677 F7D1 NOT ECX
007E5679 0FC8 BSWAP EAX
007E567B FEC1 INC CL
007E567D 80C1 02 ADD CL, 2
007E5680 22C1 AND AL, CL ; CL=40 ('@')
007E5682 8BC0 MOV EAX, EAX
007E5684 59 POP ECX
007E5685 5B POP EBX
007E5686 85C0 TEST EAX, EAX ; tests ZF = 1
007E5688 0F85 D6000000 JNZ ezcddax.007E5764
007E568E 8B45 FC MOV EAX, DWORD PTR SS:[EBP-4]
007E5691 70 07 JO SHORT ezcddax.007E569A
007E5693 7C 03 JL SHORT ezcddax.007E5698
007E5695 EB 05 JMP SHORT ezcddax.007E569C
007E5697 C7 ??? ; unknown command
007E5698 ^ 74 FB JE SHORT ezcddax.007E5695
007E569A ^ EB F9 JMP SHORT ezcddax.007E5695
007E569C 52 PUSH EDX
007E569D BA FFFF0000 MOV EDX, 0FFFF
007E56A2 23C2 AND EAX, EDX
007E56A4 53 PUSH EBX
007E56A5 50 PUSH EAX
007E56A6 B7 07 MOV BH, 7
007E56A8 FECF DEC BH
007E56AA FECF DEC BH
007E56AC FECF DEC BH
007E56AE FECF DEC BH
007E56B0 FECF DEC BH
007E56B2 FECF DEC BH
007E56B4 FECF DEC BH
007E56B6 25 00080000 AND EAX, 800
007E56BB 0FC9 BSWAP ECX
007E56BD 58 POP EAX
007E56BE 0FC9 BSWAP ECX
007E56C0 22E7 AND AH, BH
007E56C2 B3 C6 MOV BL, 0C6
007E56C4 80EB 05 SUB BL, 5
007E56C7 FECB DEC BL
007E56C9 FECB DEC BL
007E56CB FECB DEC BL
007E56CD 80EB 04 SUB BL, 4
007E56D0 80EB 1A SUB BL, 1A
007E56D3 FECB DEC BL
007E56D5 80EB 1F SUB BL, 1F
007E56D8 66:F7D3 NOT BX
007E56DB 0FC8 BSWAP EAX
007E56DD 66:F7D3 NOT BX
007E56E0 0FC8 BSWAP EAX
007E56E2 22C3 AND AL, BL ; BL=80, tests SF = 1
007E56E4 8BC0 MOV EAX, EAX
007E56E6 5B POP EBX
007E56E7 F7D8 NEG EAX
007E56E9 1BC0 SBB EAX, EAX
007E56EB 40 INC EAX
007E56EC 5A POP EDX
007E56ED 8BC8 MOV ECX, EAX
007E56EF 51 PUSH ECX
007E56F0 8B45 FC MOV EAX, DWORD PTR SS:[EBP-4]
007E56F3 52 PUSH EDX
007E56F4 BA FFFF0000 MOV EDX, 0FFFF
007E56F9 23C2 AND EAX, EDX
007E56FB 53 PUSH EBX
007E56FC 6A 1F PUSH 1F
007E56FE 5B POP EBX
007E56FF 80EB 05 SUB BL, 5
007E5702 FECB DEC BL
007E5704 50 PUSH EAX
007E5705 FECB DEC BL
007E5707 FECB DEC BL
007E5709 83E0 40 AND EAX, 40
007E570C FECB DEC BL
007E570E 80EB 12 SUB BL, 12
007E5711 80EB 03 SUB BL, 3
007E5714 58 POP EAX
007E5715 FECB DEC BL
007E5717 22C3 AND AL, BL
007E5719 BA 00120000 MOV EDX, 1200
007E571E FECE DEC DH
007E5720 80EE 01 SUB DH, 1
007E5723 FECE DEC DH
007E5725 80EE 07 SUB DH, 7
007E5728 22E6 AND AH, DH ; DH=08 (Backspace), tests OF=
007E572A 5B POP EBX
007E572B 5A POP EDX
007E572C F7D8 NEG EAX
007E572E 1BC0 SBB EAX, EAX
007E5730 40 INC EAX
007E5731 48 DEC EAX
007E5732 70 07 JO SHORT ezcddax.007E573B
007E5734 7C 03 JL SHORT ezcddax.007E5739
007E5736 EB 05 JMP SHORT ezcddax.007E573D
007E5738 C7 ??? ; unknown command
007E5739 ^ 74 FB JE SHORT ezcddax.007E5736
007E573B ^ EB F9 JMP SHORT ezcddax.007E5736
007E573D 40 INC EAX
007E573E 48 DEC EAX
007E573F 70 07 JO SHORT ezcddax.007E5748
007E5741 7C 03 JL SHORT ezcddax.007E5746
007E5743 EB 05 JMP SHORT ezcddax.007E574A
007E5745 C7 ??? ; unknown command
007E5746 ^ 74 FB JE SHORT ezcddax.007E5743
007E5748 ^ EB F9 JMP SHORT ezcddax.007E5743
007E574A 40 INC EAX
007E574B 48 DEC EAX
007E574C 40 INC EAX
007E574D 48 DEC EAX
007E574E 70 07 JO SHORT ezcddax.007E5757
007E5750 7C 03 JL SHORT ezcddax.007E5755
007E5752 EB 05 JMP SHORT ezcddax.007E5759
007E5754 C7 ??? ; unknown command
007E5755 ^ 74 FB JE SHORT ezcddax.007E5752
007E5757 ^ EB F9 JMP SHORT ezcddax.007E5752
007E5759 40 INC EAX
007E575A 59 POP ECX
007E575B 3BC8 CMP ECX, EAX ; tests OF = 1 SF = 1
007E575D 75 05 JNZ SHORT ezcddax.007E5764
007E575F 83E0 00 AND EAX, 0
007E5762 EB 04 JMP SHORT ezcddax.007E5768
007E5764 83E0 00 AND EAX, 0
007E5767 40 INC EAX ; (SF xor OF) or ZF = 1, JLE/JNG (signed compare) type
007E5768 8945 F4 MOV DWORD PTR SS:[EBP-C], EAX
007E576B 8B0D DC838300 MOV ECX, DWORD PTR DS:[8383DC]
007E5771 330D E0838300 XOR ECX, DWORD PTR DS:[8383E0]
007E5777 D1E1 SHL ECX, 1
007E5779 894D F8 MOV DWORD PTR SS:[EBP-8], ECX
007E577C 837D F4 00 CMP DWORD PTR SS:[EBP-C], 0
007E5780 74 09 JE SHORT ezcddax.007E578B
007E5782 8B55 F8 MOV EDX, DWORD PTR SS:[EBP-8]
007E5785 83CA 01 OR EDX, 1
007E5788 8955 F8 MOV DWORD PTR SS:[EBP-8], EDX
007E578B 8B45 F8 MOV EAX, DWORD PTR SS:[EBP-8]
007E578E 50 PUSH EAX
007E578F FF15 08CC8300 CALL DWORD PTR DS:[83CC08] ; ezcddax.007DE7F5
007E5795 83C4 04 ADD ESP, 4
007E5798 5F POP EDI
007E5799 5E POP ESI
007E579A 5B POP EBX
007E579B 8BE5 MOV ESP, EBP
007E579D 5D POP EBP
007E579E C3 RETN
Modified to:
007E55E0 55 PUSH EBP
007E55E1 8BEC MOV EBP, ESP
007E55E3 83EC 0C SUB ESP, 0C
007E55E6 53 PUSH EBX
007E55E7 56 PUSH ESI
007E55E8 57 PUSH EDI
007E55E9 8B45 08 MOV EAX, DWORD PTR SS:[EBP+8]
007E55EC 50 PUSH EAX
007E55ED FF15 6CCC8300 CALL DWORD PTR DS:[83CC6C] ; ezcddax.007DE959
007E55F3 83C4 04 ADD ESP, 4
007E55F6 8945 FC MOV DWORD PTR SS:[EBP-4], EAX
007E55F9 8B45 FC MOV EAX, DWORD PTR SS:[EBP-4]
007E55FC 90 NOP
007E55FD 90 NOP
007E55FE 36:A1 108F8200 MOV EAX, DWORD PTR SS:[828F10]
007E5604 8B00 MOV EAX, DWORD PTR DS:[EAX]
007E5606 8078 FF 0F CMP BYTE PTR DS:[EAX-1], 0F
007E560A 74 06 JE SHORT ezcddax.007E5612
007E560C C640 FF 7E MOV BYTE PTR DS:[EAX-1], 7E
007E5610 EB 20 JMP SHORT ezcddax.007E5632
007E5612 C600 8E MOV BYTE PTR DS:[EAX], 8E
007E5615 90 NOP
007E5616 33C0 XOR EAX, EAX
007E5618 90 NOP
007E5619 90 NOP
007E561A 90 NOP
007E561B 90 NOP
007E561C 90 NOP
007E561D 90 NOP
007E561E 90 NOP
007E561F 90 NOP
007E5620 90 NOP
007E5621 90 NOP
007E5622 90 NOP
007E5623 90 NOP
007E5624 90 NOP
007E5625 90 NOP
007E5626 90 NOP
007E5627 90 NOP
007E5628 90 NOP
007E5629 90 NOP
007E562A 90 NOP
007E562B 90 NOP
007E562C 90 NOP
007E562D 90 NOP
007E562E 90 NOP
007E562F 90 NOP
007E5630 90 NOP
007E5631 90 NOP
007E5632 90 NOP
007E5633 90 NOP
007E5634 90 NOP
007E5635 90 NOP
007E5636 90 NOP
007E5637 90 NOP
007E5638 90 NOP
007E5639 90 NOP
007E563A 90 NOP
007E563B 90 NOP
007E563C 90 NOP
007E563D 90 NOP
007E563E 90 NOP
007E563F 90 NOP
007E5640 90 NOP
007E5641 90 NOP
007E5642 90 NOP
007E5643 90 NOP
007E5644 90 NOP
007E5645 90 NOP
007E5646 90 NOP
007E5647 90 NOP
007E5648 90 NOP
007E5649 90 NOP
007E564A 90 NOP
007E564B 90 NOP
007E564C 90 NOP
007E564D 90 NOP
007E564E 90 NOP
007E564F 90 NOP
007E5650 90 NOP
007E5651 90 NOP
007E5652 90 NOP
007E5653 90 NOP
007E5654 90 NOP
007E5655 90 NOP
007E5656 90 NOP
007E5657 90 NOP
007E5658 90 NOP
007E5659 90 NOP
007E565A 90 NOP
007E565B 90 NOP
007E565C 90 NOP
007E565D 90 NOP
007E565E 90 NOP
007E565F 90 NOP
007E5660 90 NOP
007E5661 90 NOP
007E5662 90 NOP
007E5663 90 NOP
007E5664 90 NOP
007E5665 90 NOP
007E5666 90 NOP
007E5667 90 NOP
007E5668 90 NOP
007E5669 90 NOP
007E566A 90 NOP
007E566B 90 NOP
007E566C 90 NOP
007E566D 90 NOP
007E566E 90 NOP
007E566F 90 NOP
007E5670 90 NOP
007E5671 90 NOP
007E5672 90 NOP
007E5673 90 NOP
007E5674 90 NOP
007E5675 90 NOP
007E5676 90 NOP
007E5677 90 NOP
007E5678 90 NOP
007E5679 90 NOP
007E567A 90 NOP
007E567B 90 NOP
007E567C 90 NOP
007E567D 90 NOP
007E567E 90 NOP
007E567F 90 NOP
007E5680 90 NOP ; CL=40 ('@')
007E5681 90 NOP
007E5682 90 NOP
007E5683 90 NOP
007E5684 90 NOP
007E5685 90 NOP
007E5686 90 NOP ; tests ZF = 1
007E5687 90 NOP
007E5688 90 NOP
007E5689 90 NOP
007E568A 90 NOP
007E568B 90 NOP
007E568C 90 NOP
007E568D 90 NOP
007E568E 90 NOP
007E568F 90 NOP
007E5690 90 NOP
007E5691 90 NOP
007E5692 90 NOP
007E5693 90 NOP
007E5694 90 NOP
007E5695 90 NOP
007E5696 90 NOP
007E5697 90 NOP
007E5698 90 NOP
007E5699 90 NOP
007E569A 90 NOP
007E569B 90 NOP
007E569C 90 NOP
007E569D 90 NOP
007E569E 90 NOP
007E569F 90 NOP
007E56A0 90 NOP
007E56A1 90 NOP
007E56A2 90 NOP
007E56A3 90 NOP
007E56A4 90 NOP
007E56A5 90 NOP
007E56A6 90 NOP
007E56A7 90 NOP
007E56A8 90 NOP
007E56A9 90 NOP
007E56AA 90 NOP
007E56AB 90 NOP
007E56AC 90 NOP
007E56AD 90 NOP
007E56AE 90 NOP
007E56AF 90 NOP
007E56B0 90 NOP
007E56B1 90 NOP
007E56B2 90 NOP
007E56B3 90 NOP
007E56B4 90 NOP
007E56B5 90 NOP
007E56B6 90 NOP
007E56B7 90 NOP
007E56B8 90 NOP
007E56B9 90 NOP
007E56BA 90 NOP
007E56BB 90 NOP
007E56BC 90 NOP
007E56BD 90 NOP
007E56BE 90 NOP
007E56BF 90 NOP
007E56C0 90 NOP
007E56C1 90 NOP
007E56C2 90 NOP
007E56C3 90 NOP
007E56C4 90 NOP
007E56C5 90 NOP
007E56C6 90 NOP
007E56C7 90 NOP
007E56C8 90 NOP
007E56C9 90 NOP
007E56CA 90 NOP
007E56CB 90 NOP
007E56CC 90 NOP
007E56CD 90 NOP
007E56CE 90 NOP
007E56CF 90 NOP
007E56D0 90 NOP
007E56D1 90 NOP
007E56D2 90 NOP
007E56D3 90 NOP
007E56D4 90 NOP
007E56D5 90 NOP
007E56D6 90 NOP
007E56D7 90 NOP
007E56D8 90 NOP
007E56D9 90 NOP
007E56DA 90 NOP
007E56DB 90 NOP
007E56DC 90 NOP
007E56DD 90 NOP
007E56DE 90 NOP
007E56DF 90 NOP
007E56E0 90 NOP
007E56E1 90 NOP
007E56E2 90 NOP ; BL=80, tests SF = 1
007E56E3 90 NOP
007E56E4 90 NOP
007E56E5 90 NOP
007E56E6 90 NOP
007E56E7 90 NOP
007E56E8 90 NOP
007E56E9 90 NOP
007E56EA 90 NOP
007E56EB 90 NOP
007E56EC 90 NOP
007E56ED 90 NOP
007E56EE 90 NOP
007E56EF 90 NOP
007E56F0 90 NOP
007E56F1 90 NOP
007E56F2 90 NOP
007E56F3 90 NOP
007E56F4 90 NOP
007E56F5 90 NOP
007E56F6 90 NOP
007E56F7 90 NOP
007E56F8 90 NOP
007E56F9 90 NOP
007E56FA 90 NOP
007E56FB 90 NOP
007E56FC 90 NOP
007E56FD 90 NOP
007E56FE 90 NOP
007E56FF 90 NOP
007E5700 90 NOP
007E5701 90 NOP
007E5702 90 NOP
007E5703 90 NOP
007E5704 90 NOP
007E5705 90 NOP
007E5706 90 NOP
007E5707 90 NOP
007E5708 90 NOP
007E5709 90 NOP
007E570A 90 NOP
007E570B 90 NOP
007E570C 90 NOP
007E570D 90 NOP
007E570E 90 NOP
007E570F 90 NOP
007E5710 90 NOP
007E5711 90 NOP
007E5712 90 NOP
007E5713 90 NOP
007E5714 90 NOP
007E5715 90 NOP
007E5716 90 NOP
007E5717 90 NOP
007E5718 90 NOP
007E5719 90 NOP
007E571A 90 NOP
007E571B 90 NOP
007E571C 90 NOP
007E571D 90 NOP
007E571E 90 NOP
007E571F 90 NOP
007E5720 90 NOP
007E5721 90 NOP
007E5722 90 NOP
007E5723 90 NOP
007E5724 90 NOP
007E5725 90 NOP
007E5726 90 NOP
007E5727 90 NOP
007E5728 90 NOP ; DH=08 (Backspace), tests OF=
007E5729 90 NOP
007E572A 90 NOP
007E572B 90 NOP
007E572C 90 NOP
007E572D 90 NOP
007E572E 90 NOP
007E572F 90 NOP
007E5730 90 NOP
007E5731 90 NOP
007E5732 90 NOP
007E5733 90 NOP
007E5734 90 NOP
007E5735 90 NOP
007E5736 90 NOP
007E5737 90 NOP
007E5738 90 NOP
007E5739 90 NOP
007E573A 90 NOP
007E573B 90 NOP
007E573C 90 NOP
007E573D 90 NOP
007E573E 90 NOP
007E573F 90 NOP
007E5740 90 NOP
007E5741 90 NOP
007E5742 90 NOP
007E5743 90 NOP
007E5744 90 NOP
007E5745 90 NOP
007E5746 90 NOP
007E5747 90 NOP
007E5748 90 NOP
007E5749 90 NOP
007E574A 90 NOP
007E574B 90 NOP
007E574C 90 NOP
007E574D 90 NOP
007E574E 90 NOP
007E574F 90 NOP
007E5750 90 NOP
007E5751 90 NOP
007E5752 90 NOP
007E5753 90 NOP
007E5754 90 NOP
007E5755 90 NOP
007E5756 90 NOP
007E5757 90 NOP
007E5758 90 NOP
007E5759 90 NOP
007E575A 90 NOP
007E575B 90 NOP ; tests OF = 1 SF = 1
007E575C 90 NOP
007E575D 90 NOP
007E575E 90 NOP
007E575F 90 NOP
007E5760 90 NOP
007E5761 90 NOP
007E5762 90 NOP
007E5763 90 NOP
007E5764 90 NOP
007E5765 90 NOP
007E5766 90 NOP
007E5767 90 NOP ; (SF xor OF) or ZF = 1, JLE/JNG (signed compare) type
007E5768 8945 F4 MOV DWORD PTR SS:[EBP-C], EAX
007E576B 8B0D DC838300 MOV ECX, DWORD PTR DS:[8383DC]
007E5771 330D E0838300 XOR ECX, DWORD PTR DS:[8383E0]
007E5777 D1E1 SHL ECX, 1
007E5779 894D F8 MOV DWORD PTR SS:[EBP-8], ECX
007E577C 837D F4 00 CMP DWORD PTR SS:[EBP-C], 0
007E5780 74 09 JE SHORT ezcddax.007E578B
007E5782 8B55 F8 MOV EDX, DWORD PTR SS:[EBP-8]
007E5785 83CA 01 OR EDX, 1
007E5788 8955 F8 MOV DWORD PTR SS:[EBP-8], EDX
007E578B 8B45 F8 MOV EAX, DWORD PTR SS:[EBP-8]
007E578E 50 PUSH EAX
007E578F FF15 08CC8300 CALL DWORD PTR DS:[83CC08] ; ezcddax.007DE7F5
007E5795 83C4 04 ADD ESP, 4
007E5798 5F POP EDI
007E5799 5E POP ESI
007E579A 5B POP EBX
007E579B 8BE5 MOV ESP, EBP
007E579D 5D POP EBP
007E579E C3 RETN
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
JBE/JNA (unsigned compare): tests CF and ZF = 1; opcode byte: 76
007E4561 55 PUSH EBP
007E4562 8BEC MOV EBP, ESP
007E4564 83EC 0C SUB ESP, 0C
007E4567 53 PUSH EBX
007E4568 56 PUSH ESI
007E4569 57 PUSH EDI
007E456A 8B45 08 MOV EAX, DWORD PTR SS:[EBP+8]
007E456D 50 PUSH EAX
007E456E FF15 3CCC8300 CALL DWORD PTR DS:[83CC3C] ; ezcddax.007DCE03
007E4574 83C4 04 ADD ESP, 4
007E4577 8945 FC MOV DWORD PTR SS:[EBP-4], EAX
007E457A 8B45 FC MOV EAX, DWORD PTR SS:[EBP-4]
007E457D 53 PUSH EBX
007E457E BB FFFF0000 MOV EBX, 0FFFF
007E4583 23C3 AND EAX, EBX
007E4585 51 PUSH ECX
007E4586 B5 2C MOV CH, 2C
007E4588 80ED 01 SUB CH, 1
007E458B 80ED 20 SUB CH, 20
007E458E FECD DEC CH
007E4590 FECD DEC CH
007E4592 80ED 04 SUB CH, 4
007E4595 FECD DEC CH
007E4597 80ED 03 SUB CH, 3
007E459A FECD DEC CH
007E459C 22E5 AND AH, CH
007E459E B1 72 MOV CL, 72
007E45A0 80E9 02 SUB CL, 2
007E45A3 FEC9 DEC CL
007E45A5 FEC9 DEC CL
007E45A7 FEC9 DEC CL
007E45A9 80E9 06 SUB CL, 6
007E45AC F6D0 NOT AL
007E45AE 0FC9 BSWAP ECX
007E45B0 F6D0 NOT AL
007E45B2 0FC9 BSWAP ECX
007E45B4 FEC9 DEC CL
007E45B6 FEC9 DEC CL
007E45B8 80E9 10 SUB CL, 10
007E45BB FEC9 DEC CL
007E45BD FEC9 DEC CL
007E45BF 80C1 0C ADD CL, 0C
007E45C2 FEC9 DEC CL
007E45C4 FEC9 DEC CL
007E45C6 FEC9 DEC CL
007E45C8 FEC9 DEC CL
007E45CA FEC9 DEC CL
007E45CC FEC9 DEC CL
007E45CE FEC9 DEC CL
007E45D0 FEC9 DEC CL
007E45D2 80E9 10 SUB CL, 10
007E45D5 80E9 01 SUB CL, 1
007E45D8 FEC9 DEC CL
007E45DA FEC9 DEC CL
007E45DC FEC9 DEC CL
007E45DE FEC9 DEC CL
007E45E0 FEC9 DEC CL
007E45E2 FEC9 DEC CL
007E45E4 FEC9 DEC CL
007E45E6 FEC9 DEC CL
007E45E8 F7D1 NOT ECX
007E45EA 0FC8 BSWAP EAX
007E45EC F7D1 NOT ECX
007E45EE 0FC8 BSWAP EAX
007E45F0 FEC1 INC CL
007E45F2 80C1 02 ADD CL, 2
007E45F5 22C1 AND AL, CL ; CL=41 ('A')
007E45F7 8BC0 MOV EAX, EAX
007E45F9 59 POP ECX
007E45FA F7D8 NEG EAX
007E45FC 1BC0 SBB EAX, EAX
007E45FE F7D8 NEG EAX
007E4600 5B POP EBX ; tests CF and ZF = 1, JBE/JNA (unsigned compare) type, 76
007E4601 8945 F4 MOV DWORD PTR SS:[EBP-C], EAX
007E4604 8B0D AC838300 MOV ECX, DWORD PTR DS:[8383AC]
007E460A 330D B0838300 XOR ECX, DWORD PTR DS:[8383B0]
007E4610 D1E1 SHL ECX, 1
007E4612 894D F8 MOV DWORD PTR SS:[EBP-8], ECX
007E4615 837D F4 00 CMP DWORD PTR SS:[EBP-C], 0
007E4619 74 09 JE SHORT ezcddax.007E4624
007E461B 8B55 F8 MOV EDX, DWORD PTR SS:[EBP-8]
007E461E 83CA 01 OR EDX, 1
007E4621 8955 F8 MOV DWORD PTR SS:[EBP-8], EDX
007E4624 8B45 F8 MOV EAX, DWORD PTR SS:[EBP-8]
007E4627 50 PUSH EAX
007E4628 FF15 D8CB8300 CALL DWORD PTR DS:[83CBD8] ; ezcddax.007DCCAB
007E462E 83C4 04 ADD ESP, 4
007E4631 5F POP EDI
007E4632 5E POP ESI
007E4633 5B POP EBX
007E4634 8BE5 MOV ESP, EBP
007E4636 5D POP EBP
007E4637 C3 RETN
Modified to:
007E4561 55 PUSH EBP
007E4562 8BEC MOV EBP, ESP
007E4564 83EC 0C SUB ESP, 0C
007E4567 53 PUSH EBX
007E4568 56 PUSH ESI
007E4569 57 PUSH EDI
007E456A 8B45 08 MOV EAX, DWORD PTR SS:[EBP+8]
007E456D 50 PUSH EAX
007E456E FF15 3CCC8300 CALL DWORD PTR DS:[83CC3C] ; ezcddax.007DCE03
007E4574 83C4 04 ADD ESP, 4
007E4577 8945 FC MOV DWORD PTR SS:[EBP-4], EAX
007E457A 8B45 FC MOV EAX, DWORD PTR SS:[EBP-4]
007E457D 90 NOP
007E457E 90 NOP
007E457F 36:A1 108F8200 MOV EAX, DWORD PTR SS:[828F10]
007E4585 8B00 MOV EAX, DWORD PTR DS:[EAX]
007E4587 8078 FF 0F CMP BYTE PTR DS:[EAX-1], 0F
007E458B 74 06 JE SHORT ezcddax.007E4593
007E458D C640 FF 76 MOV BYTE PTR DS:[EAX-1], 76
007E4591 EB 20 JMP SHORT ezcddax.007E45B3
007E4593 C600 86 MOV BYTE PTR DS:[EAX], 86
007E4596 90 NOP
007E4597 33C0 XOR EAX, EAX
007E4599 90 NOP
007E459A 90 NOP
007E459B 90 NOP
007E459C 90 NOP
007E459D 90 NOP
007E459E 90 NOP
007E459F 90 NOP
007E45A0 90 NOP
007E45A1 90 NOP
007E45A2 90 NOP
007E45A3 90 NOP
007E45A4 90 NOP
007E45A5 90 NOP
007E45A6 90 NOP
007E45A7 90 NOP
007E45A8 90 NOP
007E45A9 90 NOP
007E45AA 90 NOP
007E45AB 90 NOP
007E45AC 90 NOP
007E45AD 90 NOP
007E45AE 90 NOP
007E45AF 90 NOP
007E45B0 90 NOP
007E45B1 90 NOP
007E45B2 90 NOP
007E45B3 90 NOP
007E45B4 90 NOP
007E45B5 90 NOP
007E45B6 90 NOP
007E45B7 90 NOP
007E45B8 90 NOP
007E45B9 90 NOP
007E45BA 90 NOP
007E45BB 90 NOP
007E45BC 90 NOP
007E45BD 90 NOP
007E45BE 90 NOP
007E45BF 90 NOP
007E45C0 90 NOP
007E45C1 90 NOP
007E45C2 90 NOP
007E45C3 90 NOP
007E45C4 90 NOP
007E45C5 90 NOP
007E45C6 90 NOP
007E45C7 90 NOP
007E45C8 90 NOP
007E45C9 90 NOP
007E45CA 90 NOP
007E45CB 90 NOP
007E45CC 90 NOP
007E45CD 90 NOP
007E45CE 90 NOP
007E45CF 90 NOP
007E45D0 90 NOP
007E45D1 90 NOP
007E45D2 90 NOP
007E45D3 90 NOP
007E45D4 90 NOP
007E45D5 90 NOP
007E45D6 90 NOP
007E45D7 90 NOP
007E45D8 90 NOP
007E45D9 90 NOP
007E45DA 90 NOP
007E45DB 90 NOP
007E45DC 90 NOP
007E45DD 90 NOP
007E45DE 90 NOP
007E45DF 90 NOP
007E45E0 90 NOP
007E45E1 90 NOP
007E45E2 90 NOP
007E45E3 90 NOP
007E45E4 90 NOP
007E45E5 90 NOP
007E45E6 90 NOP
007E45E7 90 NOP
007E45E8 90 NOP
007E45E9 90 NOP
007E45EA 90 NOP
007E45EB 90 NOP
007E45EC 90 NOP
007E45ED 90 NOP
007E45EE 90 NOP
007E45EF 90 NOP
007E45F0 90 NOP
007E45F1 90 NOP
007E45F2 90 NOP
007E45F3 90 NOP
007E45F4 90 NOP
007E45F5 90 NOP ; CL=41 ('A')
007E45F6 90 NOP
007E45F7 90 NOP
007E45F8 90 NOP
007E45F9 90 NOP
007E45FA 90 NOP
007E45FB 90 NOP
007E45FC 90 NOP
007E45FD 90 NOP
007E45FE 90 NOP
007E45FF 90 NOP
007E4600 90 NOP ; tests CF and ZF = 1, JBE/JNA (unsigned compare) type, 76
007E4601 8945 F4 MOV DWORD PTR SS:[EBP-C], EAX
007E4604 8B0D AC838300 MOV ECX, DWORD PTR DS:[8383AC]
007E460A 330D B0838300 XOR ECX, DWORD PTR DS:[8383B0]
007E4610 D1E1 SHL ECX, 1
007E4612 894D F8 MOV DWORD PTR SS:[EBP-8], ECX
007E4615 837D F4 00 CMP DWORD PTR SS:[EBP-C], 0
007E4619 74 09 JE SHORT ezcddax.007E4624
007E461B 8B55 F8 MOV EDX, DWORD PTR SS:[EBP-8]
007E461E 83CA 01 OR EDX, 1
007E4621 8955 F8 MOV DWORD PTR SS:[EBP-8], EDX
007E4624 8B45 F8 MOV EAX, DWORD PTR SS:[EBP-8]
007E4627 50 PUSH EAX
007E4628 FF15 D8CB8300 CALL DWORD PTR DS:[83CBD8] ; ezcddax.007DCCAB
007E462E 83C4 04 ADD ESP, 4
007E4631 5F POP EDI
007E4632 5E POP ESI
007E4633 5B POP EBX
007E4634 8BE5 MOV ESP, EBP
007E4636 5D POP EBP
007E4637 C3 RETN
55 8B EC 83 EC 0C 53 56 57 8B 45 08 50 FF 15 3C CC 83 00 83 C4 04 89 45 FC 8B 45 FC 90 90 36 A1
10 8F 82 00 8B 00 80 78 FF 0F 74 06 C6 40 FF 76 EB 20 C6 00 86 90 33 C0 90 90 90 90 90 90 90 90
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
89 45 F4 8B 0D AC 83 83 00 33 0D B0 83 83 00 D1 E1 89 4D F8 83 7D F4 00 74 09 8B 55 F8 83 CA 01
89 55 F8 8B 45 F8 50 FF 15 D8 CB 83 00 83 C4 04 5F 5E 5B 8B E5 5D C3
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
JNS: tests SF = 0; opcode byte: 79
007EE14E 55 PUSH EBP
007EE14F 8BEC MOV EBP, ESP
007EE151 83EC 0C SUB ESP, 0C
007EE154 53 PUSH EBX
007EE155 56 PUSH ESI
007EE156 57 PUSH EDI
007EE157 8B45 08 MOV EAX, DWORD PTR SS:[EBP+8]
007EE15A 50 PUSH EAX
007EE15B FF15 78CC8300 CALL DWORD PTR DS:[83CC78] ; ezcddax.007DF082
007EE161 83C4 04 ADD ESP, 4
007EE164 8945 FC MOV DWORD PTR SS:[EBP-4], EAX
007EE167 8B45 FC MOV EAX, DWORD PTR SS:[EBP-4]
007EE16A 53 PUSH EBX
007EE16B 8B5D 0C MOV EBX, DWORD PTR SS:[EBP+C]
007EE16E BB 00080000 MOV EBX, 800
007EE173 EB 05 JMP SHORT ezcddax.007EE17A
007EE175 BB 80000000 MOV EBX, 80
007EE17A BB 70000000 MOV EBX, 70
007EE17F F7D3 NOT EBX
007EE181 0FC8 BSWAP EAX
007EE183 F7D3 NOT EBX
007EE185 43 INC EBX
007EE186 43 INC EBX
007EE187 43 INC EBX
007EE188 43 INC EBX
007EE189 83C3 04 ADD EBX, 4
007EE18C 43 INC EBX
007EE18D 43 INC EBX
007EE18E 43 INC EBX
007EE18F 43 INC EBX
007EE190 4B DEC EBX
007EE191 51 PUSH ECX
007EE192 B9 04000000 MOV ECX, 4
007EE197 03D9 ADD EBX, ECX
007EE199 43 INC EBX
007EE19A 59 POP ECX
007EE19B 0FC8 BSWAP EAX
007EE19D 23C3 AND EAX, EBX ; EBX=00000080 SF=0
007EE19F 5B POP EBX
007EE1A0 F7D8 NEG EAX
007EE1A2 1BC0 SBB EAX, EAX
007EE1A4 40 INC EAX ; JNS type, 79
007EE1A5 5A POP EDX
007EE1A6 8945 F4 MOV DWORD PTR SS:[EBP-C], EAX
007EE1A9 8B0D E8838300 MOV ECX, DWORD PTR DS:[8383E8]
007EE1AF 330D EC838300 XOR ECX, DWORD PTR DS:[8383EC]
007EE1B5 D1E1 SHL ECX, 1
007EE1B7 894D F8 MOV DWORD PTR SS:[EBP-8], ECX
007EE1BA 837D F4 00 CMP DWORD PTR SS:[EBP-C], 0
007EE1BE 74 09 JE SHORT ezcddax.007EE1C9
007EE1C0 8B55 F8 MOV EDX, DWORD PTR SS:[EBP-8]
007EE1C3 83CA 01 OR EDX, 1
007EE1C6 8955 F8 MOV DWORD PTR SS:[EBP-8], EDX
007EE1C9 8B45 F8 MOV EAX, DWORD PTR SS:[EBP-8]
007EE1CC 50 PUSH EAX
007EE1CD FF15 14CC8300 CALL DWORD PTR DS:[83CC14] ; ezcddax.007DEFBD
007EE1D3 83C4 04 ADD ESP, 4
007EE1D6 5F POP EDI
007EE1D7 5E POP ESI
007EE1D8 5B POP EBX
007EE1D9 8BE5 MOV ESP, EBP
007EE1DB 5D POP EBP
007EE1DC C3 RETN
Modified:
007EE14E /. 55 PUSH EBP
007EE14F |. 8BEC MOV EBP, ESP
007EE151 |. 83EC 0C SUB ESP, 0C
007EE154 |. 53 PUSH EBX
007EE155 |. 56 PUSH ESI
007EE156 |. 57 PUSH EDI
007EE157 |. 8B45 08 MOV EAX, DWORD PTR SS:[EBP+8]
007EE15A |. 50 PUSH EAX ; /Arg1
007EE15B |. FF15 78CC8300 CALL DWORD PTR DS:[83CC78] ; \ezcddax.007DF082
007EE161 |. 83C4 04 ADD ESP, 4
007EE164 |. 8945 FC MOV DWORD PTR SS:[EBP-4], EAX
007EE167 |. 8B45 FC MOV EAX, DWORD PTR SS:[EBP-4]
007EE16A |> 90 NOP
007EE16B |. 90 NOP
007EE16C |. 36:A1 108F820>MOV EAX, DWORD PTR SS:[828F10]
007EE172 |. 8B00 MOV EAX, DWORD PTR DS:[EAX]
007EE174 |. 8078 FF 0F CMP BYTE PTR DS:[EAX-1], 0F
007EE178 |. 74 06 JE SHORT ezcddax.007EE180
007EE17A |. C640 FF 79 MOV BYTE PTR DS:[EAX-1], 79
007EE17E |. EB 20 JMP SHORT ezcddax.007EE1A0
007EE180 |> C600 89 MOV BYTE PTR DS:[EAX], 89
007EE183 |. 90 NOP
007EE184 |. 33C0 XOR EAX, EAX
007EE186 |. 90 NOP
007EE187 |. 90 NOP
007EE188 |. 90 NOP
007EE189 |. 90 NOP
007EE18A |. 90 NOP
007EE18B |. 90 NOP
007EE18C |. 90 NOP
007EE18D |. 90 NOP
007EE18E |. 90 NOP
007EE18F |. 90 NOP
007EE190 |. 90 NOP
007EE191 |. 90 NOP
007EE192 |. 90 NOP
007EE193 |. 90 NOP
007EE194 |. 90 NOP
007EE195 |. 90 NOP
007EE196 |. 90 NOP
007EE197 |. 90 NOP
007EE198 |. 90 NOP
007EE199 |. 90 NOP
007EE19A |. 90 NOP
007EE19B |. 90 NOP
007EE19C |. 90 NOP
007EE19D |. 90 NOP ; EBX=00000080 SF=0
007EE19E |. 90 NOP
007EE19F |. 90 NOP
007EE1A0 |> 90 NOP
007EE1A1 |. 90 NOP
007EE1A2 |. 90 NOP
007EE1A3 |. 90 NOP
007EE1A4 |. 90 NOP ; JNS type, 79
007EE1A5 |. 90 NOP
007EE1A6 |. 8945 F4 MOV DWORD PTR SS:[EBP-C], EAX
007EE1A9 |. 8B0D E8838300 MOV ECX, DWORD PTR DS:[8383E8]
007EE1AF |. 330D EC838300 XOR ECX, DWORD PTR DS:[8383EC]
007EE1B5 |. D1E1 SHL ECX, 1
007EE1B7 |. 894D F8 MOV DWORD PTR SS:[EBP-8], ECX
007EE1BA |. 837D F4 00 CMP DWORD PTR SS:[EBP-C], 0
007EE1BE |. 74 09 JE SHORT ezcddax.007EE1C9
007EE1C0 |. 8B55 F8 MOV EDX, DWORD PTR SS:[EBP-8]
007EE1C3 |. 83CA 01 OR EDX, 1
007EE1C6 |. 8955 F8 MOV DWORD PTR SS:[EBP-8], EDX
007EE1C9 |> 8B45 F8 MOV EAX, DWORD PTR SS:[EBP-8]
007EE1CC |. 50 PUSH EAX ; /Arg1
007EE1CD |. FF15 14CC8300 CALL DWORD PTR DS:[83CC14] ; \ezcddax.007DEFBD
007EE1D3 |. 83C4 04 ADD ESP, 4
007EE1D6 |. 5F POP EDI
007EE1D7 |. 5E POP ESI
007EE1D8 |. 5B POP EBX
007EE1D9 |. 8BE5 MOV ESP, EBP
007EE1DB |. 5D POP EBP
007EE1DC \. C3 RETN
55 8B EC 83 EC 0C 53 56 57 8B 45 08 50 FF 15 78 CC 83 00 83 C4 04 89 45 FC 8B 45 FC 90 90 36 A1
10 8F 82 00 8B 00 80 78 FF 0F 74 06 C6 40 FF 79 EB 20 C6 00 89 90 33 C0 90 90 90 90 90 90 90 90
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 89 45 F4 8B 0D E8 83 83
00 33 0D EC 83 83 00 D1 E1 89 4D F8 83 7D F4 00 74 09 8B 55 F8 83 CA 01 89 55 F8 8B 45 F8 50 FF
15 14 CC 83 00 83 C4 04 5F 5E 5B 8B E5 5D C3
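As an added example (not code from the original write-up and not Armadillo's own code), the Python script below collects what the handlers for 7C, 7E, 76, 79 and the 7D handler that follows actually compute, and what the patched stubs write back. `jcc_taken` evaluates, from an EFLAGS value such as the 00000246 recorded in the JL handler, the same flag tests those handlers perform (the other members of the Jcc family are included because they share the same 4-bit condition encoding); `near_opcode` gives the 0F 8x near form paired with each 7x short opcode (7C/8C, 7E/8E, 76/86, 79/89); and `restore_jcc` applies the byte-placement rule every patched stub uses (compare the byte before the pointer with 0F, then write 8x at the pointer or 7x one byte before it). The pointer convention, the sample bytes and all function names are assumptions of mine, modelled on the stubs rather than taken from any documentation.

```python
# Added example: EFLAGS condition tests and the short/near Jcc opcode pairing
# behind the handlers and patched stubs listed above. Not code from the
# original post or from Armadillo; the pointer convention and sample bytes
# are assumptions modelled on the stubs.

# EFLAGS bit masks; the listings test 0x40 (ZF), 0x80 (SF) and 0x800 (OF).
CF = 1 << 0
PF = 1 << 2
ZF = 1 << 6
SF = 1 << 7
OF = 1 << 11


def flag_bits(eflags):
    """Split an EFLAGS value into the flags the Jcc family looks at."""
    return {
        "cf": bool(eflags & CF),
        "pf": bool(eflags & PF),
        "zf": bool(eflags & ZF),
        "sf": bool(eflags & SF),
        "of": bool(eflags & OF),
    }


# Condition nibble (low 4 bits of 7x short / 8x near) -> mnemonic, predicate.
# The handlers in the listings are 0x6, 0x9, 0xC, 0xD and 0xE.
CONDITIONS = {
    0x0: ("JO", lambda f: f["of"]),
    0x1: ("JNO", lambda f: not f["of"]),
    0x2: ("JB", lambda f: f["cf"]),
    0x3: ("JNB", lambda f: not f["cf"]),
    0x4: ("JE", lambda f: f["zf"]),
    0x5: ("JNE", lambda f: not f["zf"]),
    0x6: ("JBE", lambda f: f["cf"] or f["zf"]),                 # 76: CF or ZF
    0x7: ("JA", lambda f: not f["cf"] and not f["zf"]),         # 77: CF=0 and ZF=0
    0x8: ("JS", lambda f: f["sf"]),
    0x9: ("JNS", lambda f: not f["sf"]),                        # 79: SF=0
    0xA: ("JP", lambda f: f["pf"]),
    0xB: ("JNP", lambda f: not f["pf"]),
    0xC: ("JL", lambda f: f["sf"] != f["of"]),                  # 7C: SF xor OF
    0xD: ("JGE", lambda f: f["sf"] == f["of"]),                 # 7D: SF xor OF = 0
    0xE: ("JLE", lambda f: f["zf"] or f["sf"] != f["of"]),      # 7E: (SF xor OF) or ZF
    0xF: ("JG", lambda f: not f["zf"] and f["sf"] == f["of"]),
}


def condition_code(opcode):
    """Condition nibble of a short (7x) or near (8x, the byte after 0F) Jcc."""
    if opcode & 0xF0 not in (0x70, 0x80):
        raise ValueError("not a Jcc opcode byte: %#04x" % opcode)
    return opcode & 0x0F


def jcc_taken(opcode, eflags):
    """True if the jump with this opcode byte would be taken under EFLAGS.
    This is the decision each original handler stores as 0/1 in [EBP-C]."""
    _, predicate = CONDITIONS[condition_code(opcode)]
    return bool(predicate(flag_bits(eflags)))


def near_opcode(short_opcode):
    """0F 8x near form of a 7x short jump: same nibble, 0x10 higher."""
    return 0x80 | condition_code(short_opcode)


def restore_jcc(code, ptr, short_opcode):
    """Apply the byte-placement rule of the patched stubs.

    Every stub does: if the byte before the pointer is 0F, the original jump
    was the near form, so the 8x byte is written at the pointer; otherwise
    the 7x byte is written one byte before the pointer. `ptr` stands for the
    value the stubs load from [828F10]; that it means the same thing in both
    cases is an assumption taken from the stubs themselves. Returns the
    offset that was written.
    """
    if code[ptr - 1] == 0x0F:
        code[ptr] = near_opcode(short_opcode)
        return ptr
    code[ptr - 1] = short_opcode
    return ptr - 1


def taken_table(eflags):
    """Mnemonic -> taken, for every condition, under one EFLAGS value."""
    return {name: jcc_taken(0x70 | cc, eflags) for cc, (name, _) in CONDITIONS.items()}


if __name__ == "__main__":
    # 0x246 is the EFLAGS value recorded in the JL handler (IF, ZF, PF set).
    for name, taken in taken_table(0x246).items():
        print("%-4s %s" % (name, "taken" if taken else "not taken"))

    # Constructed sample bytes (not from the dump): CMP EAX,EDX followed by a
    # CC where 7C (short case) or 0F 8C (near case) originally stood.
    short_case = bytearray.fromhex("3BC2CC05")
    near_case = bytearray.fromhex("3BC20FCC05000000")
    restore_jcc(short_case, 3, 0x7C)   # writes 7C at offset 2
    restore_jcc(near_case, 3, 0x7C)    # writes 8C at offset 3
    print(short_case.hex(), near_case.hex())
```

Running the script prints, for each condition, whether the jump would be taken with EFLAGS = 00000246 (the value at 007E7378: ZF and PF set, SF and OF clear), so JL is not taken while JLE, JBE, JNS and JGE are; it then shows the two constructed byte strings after `restore_jcc` has put the short or near opcode back, which is exactly the effect of the `CMP BYTE PTR [EAX-1], 0F` / `MOV BYTE PTR` sequence in each patched stub.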
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
JGE/JNL (signed compare): tests SF xor OF = 0, opcode byte: 7D
007EC235 55 PUSH EBP
007EC236 8BEC MOV EBP, ESP
007EC238 83EC 0C SUB ESP, 0C
007EC23B 53 PUSH EBX
007EC23C 56 PUSH ESI
007EC23D 57 PUSH EDI
007EC23E 8B45 08 MOV EAX, DWORD PTR SS:[EBP+8]
007EC241 50 PUSH EAX
007EC242 FF15 50CC8300 CALL DWORD PTR DS:[83CC50] ; ezcddax.007DD791
007EC248 83C4 04 ADD ESP, 4
007EC24B 8945 FC MOV DWORD PTR SS:[EBP-4], EAX
007EC24E 8B45 FC MOV EAX, DWORD PTR SS:[EBP-4]
007EC251 51 PUSH ECX
007EC252 B9 00080000 MOV ECX, 800
007EC257 B9 4B000000 MOV ECX, 4B
007EC25C F7D1 NOT ECX
007EC25E 0FC8 BSWAP EAX
007EC260 F7D1 NOT ECX
007EC262 83F1 19 XOR ECX, 19
007EC265 41 INC ECX
007EC266 41 INC ECX
007EC267 41 INC ECX
007EC268 41 INC ECX
007EC269 41 INC ECX
007EC26A 41 INC ECX
007EC26B 41 INC ECX
007EC26C 41 INC ECX
007EC26D 49 DEC ECX
007EC26E 41 INC ECX
007EC26F FEC1 INC CL
007EC271 FEC1 INC CL
007EC273 FEC1 INC CL
007EC275 83C1 12 ADD ECX, 12
007EC278 83C1 0A ADD ECX, 0A
007EC27B 49 DEC ECX
007EC27C 52 PUSH EDX
007EC27D BA 04000000 MOV EDX, 4
007EC282 03CA ADD ECX, EDX
007EC284 41 INC ECX
007EC285 5A POP EDX
007EC286 0FC8 BSWAP EAX
007EC288 83C1 03 ADD ECX, 3
007EC28B 23C1 AND EAX, ECX ; CL=80 sf=1
007EC28D 59 POP ECX
007EC28E F7D8 NEG EAX
007EC290 1BC0 SBB EAX, EAX
007EC292 40 INC EAX
007EC293 5A POP EDX
007EC294 50 PUSH EAX
007EC295 8B45 FC MOV EAX, DWORD PTR SS:[EBP-4]
007EC298 BA 000E0000 MOV EDX, 0E00
007EC29D 80EE 01 SUB DH, 1
007EC2A0 FECE DEC DH
007EC2A2 FECE DEC DH
007EC2A4 FECE DEC DH
007EC2A6 FECE DEC DH
007EC2A8 FECE DEC DH
007EC2AA 23C2 AND EAX, EDX
007EC2AC F7D8 NEG EAX
007EC2AE 1BC0 SBB EAX, EAX
007EC2B0 40 INC EAX
007EC2B1 8BD0 MOV EDX, EAX
007EC2B3 58 POP EAX
007EC2B4 33C9 XOR ECX, ECX
007EC2B6 3BC2 CMP EAX, EDX
007EC2B8 0F94C1 SETE CL
007EC2BB 8AC1 MOV AL, CL ; JGE/JNL (signed compare) SF xor OF=0
007EC2BD 8945 F4 MOV DWORD PTR SS:[EBP-C], EAX
007EC2C0 8B0D C0838300 MOV ECX, DWORD PTR DS:[8383C0]
007EC2C6 330D C4838300 XOR ECX, DWORD PTR DS:[8383C4]
007EC2CC D1E1 SHL ECX, 1
007EC2CE 894D F8 MOV DWORD PTR SS:[EBP-8], ECX
007EC2D1 837D F4 00 CMP DWORD PTR SS:[EBP-C], 0
007EC2D5 74 09 JE SHORT ezcddax.007EC2E0
007EC2D7 8B55 F8 MOV EDX, DWORD PTR SS:[EBP-8]
007EC2DA 83CA 01 OR EDX, 1
007EC2DD 8955 F8 MOV DWORD PTR SS:[EBP-8], EDX
007EC2E0 8B45 F8 MOV EAX, DWORD PTR SS:[EBP-8]
007EC2E3 50 PUSH EAX
007EC2E4 FF15 ECCB8300 CALL DWORD PTR DS:[83CBEC] ; ezcddax.007DD707
007EC2EA 83C4 04 ADD ESP, 4
007EC2ED 5F POP EDI
007EC2EE 5E POP ESI
007EC2EF 5B POP EBX
007EC2F0 8BE5 MOV ESP, EBP
007EC2F2 5D POP EBP
007EC2F3 C3 RETN
Modified to:
007EC235 55 PUSH EBP
007EC236 8BEC MOV EBP, ESP
007EC238 83EC 0C SUB ESP, 0C
007EC23B 53 PUSH EBX
007EC23C 56 PUSH ESI
007EC23D 57 PUSH EDI
007EC23E 8B45 08 MOV EAX, DWORD PTR SS:[EBP+8]
007EC241 50 PUSH EAX
007EC242 FF15 50CC8300 CALL DWORD PTR DS:[83CC50] ; ezcddax.007DD791
007EC248 83C4 04 ADD ESP, 4
007EC24B 8945 FC MOV DWORD PTR SS:[EBP-4], EAX
007EC24E 8B45 FC MOV EAX, DWORD PTR SS:[EBP-4]
007EC251 90 NOP
007EC252 90 NOP
007EC253 36:A1 108F8200 MOV EAX, DWORD PTR SS:[828F10]
007EC259 8B00 MOV EAX, DWORD PTR DS:[EAX]
007EC25B 8078 FF 0F CMP BYTE PTR DS:[EAX-1], 0F
007EC25F 74 06 JE SHORT ezcddax.007EC267
007EC261 C640 FF 7D MOV BYTE PTR DS:[EAX-1], 7D
007EC265 EB 20 JMP SHORT ezcddax.007EC287
007EC267 C600 8D MOV BYTE PTR DS:[EAX], 8D
007EC26A 90 NOP
007EC26B 33C0 XOR EAX, EAX
007EC26D 90 NOP
007EC26E 90 NOP
007EC26F 90 NOP
007EC270 90 NOP
007EC271 90 NOP
007EC272 90 NOP
007EC273 90 NOP
007EC274 90 NOP
007EC275 90 NOP
007EC276 90 NOP
007EC277 90 NOP
007EC278 90 NOP
007EC279 90 NOP
007EC27A 90 NOP
007EC27B 90 NOP
007EC27C 90 NOP
007EC27D 90 NOP
007EC27E 90 NOP
007EC27F 90 NOP
007EC280 90 NOP
007EC281 90 NOP
007EC282 90 NOP
007EC283 90 NOP
007EC284 90 NOP
007EC285 90 NOP
007EC286 90 NOP
007EC287 90 NOP
007EC288 90 NOP
007EC289 90 NOP
007EC28A 90 NOP
007EC28B 90 NOP ; CL=80 sf=1
007EC28C 90 NOP
007EC28D 90 NOP
007EC28E 90 NOP
007EC28F 90 NOP
007EC290 90 NOP
007EC291 90 NOP
007EC292 90 NOP
007EC293 90 NOP
007EC294 90 NOP
007EC295 90 NOP
007EC296 90 NOP
007EC297 90 NOP
007EC298 90 NOP
007EC299 90 NOP
007EC29A 90 NOP
007EC29B 90 NOP
007EC29C 90 NOP
007EC29D 90 NOP
007EC29E 90 NOP
007EC29F 90 NOP
007EC2A0 90 NOP
007EC2A1 90 NOP
007EC2A2 90 NOP
007EC2A3 90 NOP
007EC2A4 90 NOP
007EC2A5 90 NOP
007EC2A6 90 NOP
007EC2A7 90 NOP
007EC2A8 90 NOP
007EC2A9 90 NOP
007EC2AA 90 NOP
007EC2AB 90 NOP
007EC2AC 90 NOP
007EC2AD 90 NOP
007EC2AE 90 NOP
007EC2AF 90 NOP
007EC2B0 90 NOP
007EC2B1 90 NOP
007EC2B2 90 NOP
007EC2B3 90 NOP
007EC2B4 90 NOP
007EC2B5 90 NOP
007EC2B6 90 NOP
007EC2B7 90 NOP
007EC2B8 90 NOP
007EC2B9 90 NOP
007EC2BA 90 NOP
007EC2BB 90 NOP ; JGE/JNL (signed compare) SF xor OF=0
007EC2BC 90 NOP
007EC2BD 8945 F4 MOV DWORD PTR SS:[EBP-C], EAX
007EC2C0 8B0D C0838300 MOV ECX, DWORD PTR DS:[8383C0]
007EC2C6 330D C4838300 XOR ECX, DWORD PTR DS:[8383C4]
007EC2CC D1E1 SHL ECX, 1
007EC2CE 894D F8 MOV DWORD PTR SS:[EBP-8], ECX
007EC2D1 837D F4 00 CMP DWORD PTR SS:[EBP-C], 0
007EC2D5 74 09 JE SHORT ezcddax.007EC2E0
007EC2D7 8B55 F8 MOV EDX, DWORD PTR SS:[EBP-8]
007EC2DA 83CA 01 OR EDX, 1
007EC2DD 8955 F8 MOV DWORD PTR SS:[EBP-8], EDX
007EC2E0 8B45 F8 MOV EAX, DWORD PTR SS:[EBP-8]
007EC2E3 50 PUSH EAX
007EC2E4 FF15 ECCB8300 CALL DWORD PTR DS:[83CBEC] ; ezcddax.007DD707
007EC2EA 83C4 04 ADD ESP, 4
007EC2ED 5F POP EDI
007EC2EE 5E POP ESI
007EC2EF 5B POP EBX
007EC2F0 8BE5 MOV ESP, EBP
007EC2F2 5D POP EBP
007EC2F3 C3 RETN
55 8B EC 83 EC 0C 53 56 57 8B 45 08 50 FF 15 50 CC 83 00 83 C4 04 89 45 FC 8B 45 FC 90 90 36 A1
10 8F 82 00 8B 00 80 78 FF 0F 74 06 C6 40 FF 7D EB 20 C6 00 8D 90 33 C0 90 90 90 90 90 90 90 90
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
90 90 90 90 90 90 90 90 89 45 F4 8B 0D C0 83 83 00 33 0D C4 83 83 00 D1 E1 89 4D F8 83 7D F4 00
74 09 8B 55 F8 83 CA 01 89 55 F8 8B 45 F8 50 FF 15 EC CB 83 00 83 C4 04 5F 5E 5B 8B E5 5D C3
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
JC type: AND 1 tests CF=1, opcode byte: 72
007E4AF7 55 PUSH EBP
007E4AF8 8BEC MOV EBP, ESP
007E4AFA 83EC 0C SUB ESP, 0C
007E4AFD 53 PUSH EBX
007E4AFE 56 PUSH ESI
007E4AFF 57 PUSH EDI
007E4B00 8B45 08 MOV EAX, DWORD PTR SS:[EBP+8]
007E4B03 50 PUSH EAX
007E4B04 FF15 5CCC8300 CALL DWORD PTR DS:[83CC5C] ; ezcddax.007DDF8E
007E4B0A 83C4 04 ADD ESP, 4
007E4B0D 8945 FC MOV DWORD PTR SS:[EBP-4], EAX
007E4B10 8B45 FC MOV EAX, DWORD PTR SS:[EBP-4]
007E4B13 52 PUSH EDX
007E4B14 B6 02 MOV DH, 2
007E4B16 FECE DEC DH
007E4B18 FECE DEC DH
007E4B1A 22E6 AND AH, DH
007E4B1C B2 0E MOV DL, 0E
007E4B1E 80EA FF SUB DL, 0FF
007E4B21 70 07 JO SHORT ezcddax.007E4B2A
007E4B23 7C 03 JL SHORT ezcddax.007E4B28
007E4B25 EB 05 JMP SHORT ezcddax.007E4B2C
007E4B27 - E9 74FBEBF9 JMP FA6A46A0
007E4B2C 80EA FF SUB DL, 0FF
007E4B2F 80EA FF SUB DL, 0FF
007E4B32 80EA 0A SUB DL, 0A
007E4B35 80EA FF SUB DL, 0FF
007E4B38 80EA FF SUB DL, 0FF
007E4B3B 80EA 05 SUB DL, 5
007E4B3E FECA DEC DL
007E4B40 FECA DEC DL
007E4B42 FECA DEC DL
007E4B44 80EA 03 SUB DL, 3
007E4B47 80EA FF SUB DL, 0FF
007E4B4A FECA DEC DL
007E4B4C FEC2 INC DL
007E4B4E FEC2 INC DL
007E4B50 FEC2 INC DL
007E4B52 22C2 AND AL, DL ; DL=01 CF=1 JC type 72
007E4B54 5A POP EDX
007E4B55 8945 F4 MOV DWORD PTR SS:[EBP-C], EAX
007E4B58 8B0D CC838300 MOV ECX, DWORD PTR DS:[8383CC]
007E4B5E 330D D0838300 XOR ECX, DWORD PTR DS:[8383D0]
007E4B64 D1E1 SHL ECX, 1
007E4B66 894D F8 MOV DWORD PTR SS:[EBP-8], ECX
007E4B69 837D F4 00 CMP DWORD PTR SS:[EBP-C], 0
007E4B6D 74 09 JE SHORT ezcddax.007E4B78
007E4B6F 8B55 F8 MOV EDX, DWORD PTR SS:[EBP-8]
007E4B72 83CA 01 OR EDX, 1
007E4B75 8955 F8 MOV DWORD PTR SS:[EBP-8], EDX
007E4B78 8B45 F8 MOV EAX, DWORD PTR SS:[EBP-8]
007E4B7B 50 PUSH EAX
007E4B7C FF15 F8CB8300 CALL DWORD PTR DS:[83CBF8] ; ezcddax.007DDE09
007E4B82 83C4 04 ADD ESP, 4
007E4B85 5F POP EDI
007E4B86 5E POP ESI
007E4B87 5B POP EBX
007E4B88 8BE5 MOV ESP, EBP
007E4B8A 5D POP EBP
007E4B8B C3 RETN
Modified to:
007E4AF7 /. 55 PUSH EBP
007E4AF8 |. 8BEC MOV EBP, ESP
007E4AFA |. 83EC 0C SUB ESP, 0C
007E4AFD |. 53 PUSH EBX
007E4AFE |. 56 PUSH ESI
007E4AFF |. 57 PUSH EDI
007E4B00 |. 8B45 08 MOV EAX, DWORD PTR SS:[EBP+8]
007E4B03 |. 50 PUSH EAX ; /Arg1
007E4B04 |. FF15 5CCC8300 CALL DWORD PTR DS:[83CC5C] ; \ezcddax.007DDF8E
007E4B0A |. 83C4 04 ADD ESP, 4
007E4B0D |. 8945 FC MOV DWORD PTR SS:[EBP-4], EAX
007E4B10 |. 8B45 FC MOV EAX, DWORD PTR SS:[EBP-4]
007E4B13 |. 90 NOP
007E4B14 |. 90 NOP
007E4B15 |. 36:A1 108F820>MOV EAX, DWORD PTR SS:[828F10]
007E4B1B |. 8B00 MOV EAX, DWORD PTR DS:[EAX]
007E4B1D |. 8078 FF 0F CMP BYTE PTR DS:[EAX-1], 0F
007E4B21 |. 74 06 JE SHORT ezcddax.007E4B29
007E4B23 |. C640 FF 72 MOV BYTE PTR DS:[EAX-1], 72
007E4B27 |. EB 20 JMP SHORT ezcddax.007E4B49
007E4B29 |> C600 82 MOV BYTE PTR DS:[EAX], 82
007E4B2C |. 90 NOP
007E4B2D |. 33C0 XOR EAX, EAX
007E4B2F |. 90 NOP
007E4B30 |. 90 NOP
007E4B31 |. 90 NOP
007E4B32 |. 90 NOP
007E4B33 |. 90 NOP
007E4B34 |. 90 NOP
007E4B35 |. 90 NOP
007E4B36 |. 90 NOP
007E4B37 |. 90 NOP
007E4B38 |. 90 NOP
007E4B39 |. 90 NOP
007E4B3A |. 90 NOP
007E4B3B |. 90 NOP
007E4B3C |. 90 NOP
007E4B3D |. 90 NOP
007E4B3E |. 90 NOP
007E4B3F |. 90 NOP
007E4B40 |. 90 NOP
007E4B41 |. 90 NOP
007E4B42 |. 90 NOP
007E4B43 |. 90 NOP
007E4B44 |. 90 NOP
007E4B45 |. 90 NOP
007E4B46 |. 90 NOP
007E4B47 |. 90 NOP
007E4B48 |. 90 NOP
007E4B49 |> 90 NOP
007E4B4A |. 90 NOP
007E4B4B |. 90 NOP
007E4B4C |. 90 NOP
007E4B4D |. 90 NOP
007E4B4E |. 90 NOP
007E4B4F |. 90 NOP
007E4B50 |. 90 NOP
007E4B51 |. 90 NOP
007E4B52 |. 90 NOP ; DL=01 CF=1 JC type 72
007E4B53 |. 90 NOP
007E4B54 |. 90 NOP
007E4B55 |. 8945 F4 MOV DWORD PTR SS:[EBP-C], EAX
007E4B58 |. 8B0D CC838300 MOV ECX, DWORD PTR DS:[8383CC]
007E4B5E |. 330D D0838300 XOR ECX, DWORD PTR DS:[8383D0]
007E4B64 |. D1E1 SHL ECX, 1
007E4B66 |. 894D F8 MOV DWORD PTR SS:[EBP-8], ECX
007E4B69 |. 837D F4 00 CMP DWORD PTR SS:[EBP-C], 0
007E4B6D |. 74 09 JE SHORT ezcddax.007E4B78
007E4B6F |. 8B55 F8 MOV EDX, DWORD PTR SS:[EBP-8]
007E4B72 |. 83CA 01 OR EDX, 1
007E4B75 |. 8955 F8 MOV DWORD PTR SS:[EBP-8], EDX
007E4B78 |> 8B45 F8 MOV EAX, DWORD PTR SS:[EBP-8]
007E4B7B |. 50 PUSH EAX ; /Arg1
007E4B7C |. FF15 F8CB8300 CALL DWORD PTR DS:[83CBF8] ; \ezcddax.007DDE09
007E4B82 |. 83C4 04 ADD ESP, 4
007E4B85 |. 5F POP EDI
007E4B86 |. 5E POP ESI
007E4B87 |. 5B POP EBX
007E4B88 |. 8BE5 MOV ESP, EBP
007E4B8A |. 5D POP EBP
007E4B8B \. C3 RETN
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
JBE/JNA (unsigned compare): AND with EBX=41 (CF|ZF), taken when CF or ZF=1, opcode byte: 76
007E4561 /. 55 PUSH EBP
007E4562 |. 8BEC MOV EBP, ESP
007E4564 |. 83EC 0C SUB ESP, 0C
007E4567 |. 53 PUSH EBX
007E4568 |. 56 PUSH ESI
007E4569 |. 57 PUSH EDI
007E456A |. 8B45 08 MOV EAX, DWORD PTR SS:[EBP+8]
007E456D |. 50 PUSH EAX ; /Arg1
007E456E |. FF15 3CCC8300 CALL DWORD PTR DS:[83CC3C] ; \ezcddax.007DCE03
007E4574 |. 83C4 04 ADD ESP, 4
007E4577 |. 8945 FC MOV DWORD PTR SS:[EBP-4], EAX
007E457A |. 8B45 FC MOV EAX, DWORD PTR SS:[EBP-4]
007E457D |> 90 NOP
007E457E |. 90 NOP
007E457F |. 36:A1 108F820>MOV EAX, DWORD PTR SS:[828F10]
007E4585 |. 8B00 MOV EAX, DWORD PTR DS:[EAX]
007E4587 |. 8078 FF 0F CMP BYTE PTR DS:[EAX-1], 0F
007E458B |. 74 06 JE SHORT ezcddax.007E4593
007E458D |. C640 FF 76 MOV BYTE PTR DS:[EAX-1], 76
007E4591 |. EB 20 JMP SHORT ezcddax.007E45B3
007E4593 |> C600 86 MOV BYTE PTR DS:[EAX], 86
007E4596 |. 90 NOP
007E4597 |. 33C0 XOR EAX, EAX
007E4599 |. 90 NOP
007E459A |. 90 NOP
007E459B |. 90 NOP
007E459C |. 90 NOP
007E459D |. 90 NOP
007E459E |. 90 NOP
007E459F |. 90 NOP
007E45A0 |. 90 NOP
007E45A1 |. 90 NOP
007E45A2 |. 90 NOP
007E45A3 |. 90 NOP
007E45A4 |. 90 NOP
007E45A5 |. 90 NOP
007E45A6 |. 90 NOP
007E45A7 |. 90 NOP
007E45A8 |. 90 NOP
007E45A9 |. 90 NOP
007E45AA |. 90 NOP
007E45AB |. 90 NOP
007E45AC |. 90 NOP
007E45AD |. 90 NOP
007E45AE |. 90 NOP
007E45AF |. 90 NOP
007E45B0 |. 90 NOP
007E45B1 |. 90 NOP
007E45B2 |. 90 NOP
007E45B3 |> 90 NOP
007E45B4 |. 90 NOP
007E45B5 |. 90 NOP
007E45B6 |. 90 NOP
007E45B7 |. 90 NOP
007E45B8 |. 90 NOP
007E45B9 |. 90 NOP
007E45BA |. 90 NOP
007E45BB |. 90 NOP
007E45BC |. 90 NOP
007E45BD |. 90 NOP
007E45BE |. 90 NOP
007E45BF |. 90 NOP
007E45C0 |. 90 NOP
007E45C1 |. 90 NOP
007E45C2 |. 90 NOP
007E45C3 |. 90 NOP
007E45C4 |. 90 NOP
007E45C5 |. 90 NOP
007E45C6 |. 90 NOP
007E45C7 |. 90 NOP
007E45C8 |. 90 NOP
007E45C9 |. 90 NOP
007E45CA |. 90 NOP
007E45CB |. 90 NOP
007E45CC |. 90 NOP
007E45CD |. 90 NOP
007E45CE |. 90 NOP
007E45CF |. 90 NOP
007E45D0 |. 90 NOP
007E45D1 |. 90 NOP
007E45D2 |. 90 NOP
007E45D3 |. 90 NOP
007E45D4 |. 90 NOP
007E45D5 |. 90 NOP
007E45D6 |. 90 NOP
007E45D7 |. 90 NOP
007E45D8 |. 90 NOP
007E45D9 |. 90 NOP
007E45DA |. 90 NOP
007E45DB |. 90 NOP
007E45DC |. 90 NOP
007E45DD |. 90 NOP
007E45DE |. 90 NOP
007E45DF |. 90 NOP
007E45E0 |. 90 NOP
007E45E1 |. 90 NOP
007E45E2 |. 90 NOP
007E45E3 |. 90 NOP
007E45E4 |. 90 NOP
007E45E5 |. 90 NOP
007E45E6 |. 90 NOP
007E45E7 |. 90 NOP
007E45E8 |. 90 NOP
007E45E9 |. 90 NOP
007E45EA |. 90 NOP
007E45EB |. 90 NOP
007E45EC |. 90 NOP
007E45ED |. 90 NOP
007E45EE |. 90 NOP
007E45EF |. 90 NOP
007E45F0 |. 90 NOP
007E45F1 |. 90 NOP
007E45F2 |. 90 NOP
007E45F3 |. 90 NOP
007E45F4 |. 90 NOP
007E45F5 |. 90 NOP ; CL=41 ('A')
007E45F6 |. 90 NOP
007E45F7 |. 90 NOP
007E45F8 |. 90 NOP
007E45F9 |. 90 NOP
007E45FA |. 90 NOP
007E45FB |. 90 NOP
007E45FC |. 90 NOP
007E45FD |. 90 NOP
007E45FE |. 90 NOP
007E45FF |. 90 NOP
007E4600 |. 90 NOP ; tests CF or ZF=1, JBE/JNA (unsigned compare) type 76
007E4601 |. 8945 F4 MOV DWORD PTR SS:[EBP-C], EAX
007E4604 |. 8B0D AC838300 MOV ECX, DWORD PTR DS:[8383AC]
007E460A |. 330D B0838300 XOR ECX, DWORD PTR DS:[8383B0]
007E4610 |. D1E1 SHL ECX, 1
007E4612 |. 894D F8 MOV DWORD PTR SS:[EBP-8], ECX
007E4615 |. 837D F4 00 CMP DWORD PTR SS:[EBP-C], 0
007E4619 |. 74 09 JE SHORT ezcddax.007E4624
007E461B |. 8B55 F8 MOV EDX, DWORD PTR SS:[EBP-8]
007E461E |. 83CA 01 OR EDX, 1
007E4621 |. 8955 F8 MOV DWORD PTR SS:[EBP-8], EDX
007E4624 |> 8B45 F8 MOV EAX, DWORD PTR SS:[EBP-8]
007E4627 |. 50 PUSH EAX ; /Arg1
007E4628 |. FF15 D8CB8300 CALL DWORD PTR DS:[83CBD8] ; \ezcddax.007DCCAB
007E462E |. 83C4 04 ADD ESP, 4
007E4631 |. 5F POP EDI
007E4632 |. 5E POP ESI
007E4633 |. 5B POP EBX
007E4634 |. 8BE5 MOV ESP, EBP
007E4636 |. 5D POP EBP
007E4637 \. C3 RETN
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
JAE/JNB (unsigned compare) type: tests CF=0, opcode byte: 73
007E74F3 |. 56 PUSH ESI
007E74F4 |. 57 PUSH EDI
007E74F5 |. 8B45 08 MOV EAX, DWORD PTR SS:[EBP+8]
007E74F8 |. 50 PUSH EAX ; /Arg1
007E74F9 |. FF15 3CCC8300 CALL DWORD PTR DS:[83CC3C] ; \ezcddax.007DCE03
007E74FF |. 83C4 04 ADD ESP, 4
007E7502 |. 8945 FC MOV DWORD PTR SS:[EBP-4], EAX
007E7505 |. 8B45 FC MOV EAX, DWORD PTR SS:[EBP-4]
007E7508 |. 90 NOP
007E7509 |. 90 NOP
007E750A |. 36:A1 108F820>MOV EAX, DWORD PTR SS:[828F10]
007E7510 |. 8B00 MOV EAX, DWORD PTR DS:[EAX]
007E7512 |. 8078 FF 0F CMP BYTE PTR DS:[EAX-1], 0F
007E7516 |. 74 06 JE SHORT ezcddax.007E751E
007E7518 |. C640 FF 73 MOV BYTE PTR DS:[EAX-1], 73
007E751C |. EB 20 JMP SHORT ezcddax.007E753E
007E751E |> C600 83 MOV BYTE PTR DS:[EAX], 83
007E7521 |. 90 NOP
007E7522 |. 33C0 XOR EAX, EAX
007E7524 |. 90 NOP
007E7525 |. 90 NOP
007E7526 |. 90 NOP
007E7527 |. 90 NOP
007E7528 |. 90 NOP
007E7529 |. 90 NOP
007E752A |. 90 NOP
007E752B |. 90 NOP
007E752C |. 90 NOP
007E752D |. 90 NOP
007E752E |. 90 NOP
007E752F |. 90 NOP
007E7530 |. 90 NOP
007E7531 |. 90 NOP
007E7532 |. 90 NOP
007E7533 |. 90 NOP
007E7534 |. 90 NOP
007E7535 |. 90 NOP
007E7536 |. 90 NOP
007E7537 |. 90 NOP
007E7538 |. 90 NOP
007E7539 |. 90 NOP
007E753A |. 90 NOP
007E753B |. 90 NOP
007E753C |. 90 NOP
007E753D |. 90 NOP
007E753E |> 90 NOP
007E753F |. 90 NOP
007E7540 |. 90 NOP
007E7541 |. 90 NOP
007E7542 |. 90 NOP
007E7543 |. 90 NOP
007E7544 |. 90 NOP
007E7545 |. 90 NOP
007E7546 |. 90 NOP
007E7547 |. 90 NOP
007E7548 |. 90 NOP
007E7549 |. 90 NOP
007E754A |. 90 NOP
007E754B |. 90 NOP
007E754C |. 90 NOP
007E754D |. 8945 F4 MOV DWORD PTR SS:[EBP-C], EAX
007E7550 |. 8B0D AC838300 MOV ECX, DWORD PTR DS:[8383AC]
007E7556 |. 330D B0838300 XOR ECX, DWORD PTR DS:[8383B0]
007E755C |. D1E1 SHL ECX, 1
007E755E |. 894D F8 MOV DWORD PTR SS:[EBP-8], ECX
007E7561 |. 837D F4 00 CMP DWORD PTR SS:[EBP-C], 0
007E7565 |. 74 09 JE SHORT ezcddax.007E7570
007E7567 |. 8B55 F8 MOV EDX, DWORD PTR SS:[EBP-8]
007E756A |. 83CA 01 OR EDX, 1
007E756D |. 8955 F8 MOV DWORD PTR SS:[EBP-8], EDX
007E7570 |> 8B45 F8 MOV EAX, DWORD PTR SS:[EBP-8]
007E7573 |. 50 PUSH EAX ; /Arg1
007E7574 |. FF15 D8CB8300 CALL DWORD PTR DS:[83CBD8] ; \ezcddax.007DCCAB
007E757A |. 83C4 04 ADD ESP, 4
007E757D |. 5F POP EDI
007E757E |. 5E POP ESI
007E757F |. 5B POP EBX
007E7580 |. 8BE5 MOV ESP, EBP
007E7582 |. 5D POP EBP
007E7583 \. C3 RETN
All jump types are now patched; the remaining handlers are repeats of these and can simply JMP to the addresses above to do the repair. Determining the jump type is not actually hard (the mask a handler ANDs against EFLAGS and the value it compares the result with give it away: 01 is CF, 41 is CF|ZF, 80 is SF, and a SF xor OF test is JL/JGE); the shell just scatters the code, so the amount of patching is large, which is why this is not a great method. One check worth doing before copying the byte dumps in: the opcode each patched handler writes back must match the jump type that handler evaluates (7x for the 2-byte form, 0F 8x for the 6-byte form), because a wrong byte silently inverts that branch in the repaired program and nothing will flag it. With that, everything is done. This only gives the basic method; use it as a reference and do not feel bound to it. The complete CC-repair code, as binary, is copied into the 007D8000 section, and the complete CC address table into the 00828000 section. Attachment download: http://www.unpack.cn/viewthread.php?tid=3490
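An added example, not code from the original post or from any Armadillo-unpacking tool it references, that does offline what the patched handlers above do at run time. It encodes the Intel Jcc condition codes so the jump type can be identified from the mask a handler tests (80 with taken-on-zero is JNS, 41 with taken-on-non-zero is JBE, and so on) and mirrors the write-back logic of the patch (0F in the byte before the slot value: write 8x at the slot, otherwise write 7x one byte before it). The buffer, offsets and table below are constructed for the demonstration; the table value `p` is used exactly as the patched handler uses the value it reads from [828F10], and a real tool would map the dump's virtual addresses to file offsets through the section table.

```python
# Offline equivalent of the patched Armadillo nanomite (0xCC) handlers.
# Constants follow the Intel SDM; everything else is assumption for the demo.

# EFLAGS bits.
CF, PF, ZF, SF, OF = 1 << 0, 1 << 2, 1 << 6, 1 << 7, 1 << 11


def _sf_ne_of(f: int) -> bool:
    return bool(f & SF) != bool(f & OF)


# Condition code (low nibble of the opcode) -> mnemonic, taken-predicate.
# Short form is 0x70|cc disp8; long form is 0F 0x80|cc disp32.
JCC = {
    0x0: ("JO",      lambda f: bool(f & OF)),
    0x1: ("JNO",     lambda f: not f & OF),
    0x2: ("JB/JC",   lambda f: bool(f & CF)),
    0x3: ("JAE/JNB", lambda f: not f & CF),
    0x4: ("JE/JZ",   lambda f: bool(f & ZF)),
    0x5: ("JNE/JNZ", lambda f: not f & ZF),
    0x6: ("JBE/JNA", lambda f: bool(f & (CF | ZF))),
    0x7: ("JA/JNBE", lambda f: not f & (CF | ZF)),
    0x8: ("JS",      lambda f: bool(f & SF)),
    0x9: ("JNS",     lambda f: not f & SF),
    0xA: ("JP/JPE",  lambda f: bool(f & PF)),
    0xB: ("JNP/JPO", lambda f: not f & PF),
    0xC: ("JL/JNGE", _sf_ne_of),
    0xD: ("JGE/JNL", lambda f: not _sf_ne_of(f)),
    0xE: ("JLE/JNG", lambda f: bool(f & ZF) or _sf_ne_of(f)),
    0xF: ("JG/JNLE", lambda f: not f & ZF and not _sf_ne_of(f)),
}


def short_opcode(cc: int) -> int:
    return 0x70 | cc


def long_opcode(cc: int) -> int:
    return 0x80 | cc  # second byte; the first byte is 0x0F


def jump_taken(cc: int, eflags: int) -> bool:
    """What the original obfuscated handler computes: True if the Jcc is taken."""
    return JCC[cc][1](eflags)


def cc_from_mask(mask: int, taken_when_set: bool) -> list:
    """Identify the jump type from what a handler tests: it ANDs EFLAGS with
    `mask` and treats the jump as taken when the result is non-zero
    (taken_when_set=True) or zero (False). Checked over every flag combination."""
    names = []
    for cc, (name, pred) in JCC.items():
        if all(pred(f) == (bool(f & mask) == taken_when_set) for f in range(1 << 12)):
            names.append(name)
    return names


def restore_site(image: bytearray, p: int, cc: int) -> int:
    """The write-back the patched handler performs. `p` is the value read from
    the table slot: if the byte before it is 0F the site is the 6-byte form and
    the second opcode byte goes at p; otherwise the 2-byte opcode goes at p-1.
    Returns the offset that was written."""
    if image[p - 1] == 0x0F:
        image[p] = long_opcode(cc)
        return p
    image[p - 1] = short_opcode(cc)
    return p - 1


def restore_all(image: bytearray, table) -> list:
    """table: iterable of (p, cc) pairs, one per CC site. Returns written offsets."""
    return [restore_site(image, p, cc) for p, cc in table]


# Constructed sample region (not from the dump): a 2-byte site whose 7D was
# replaced by CC at offset 0x10, and a 6-byte site whose 82 was replaced by CC
# at offset 0x21 (0F at 0x20). Table values follow the handler's convention.
SAMPLE = bytearray(0x30)
SAMPLE[0x10:0x12] = b"\xCC\x05"
SAMPLE[0x20:0x26] = b"\x0F\xCC\x00\x01\x00\x00"
SAMPLE_TABLE = [(0x11, 0xD), (0x21, 0x2)]  # JGE short site, JC long site


def demo() -> bytes:
    img = bytearray(SAMPLE)
    restore_all(img, SAMPLE_TABLE)
    return bytes(img)


if __name__ == "__main__":
    out = demo()
    print(out[0x10:0x12].hex(), out[0x20:0x26].hex())
    print(cc_from_mask(0x41, True), cc_from_mask(0x80, False))
```

`cc_from_mask` returns an empty list for handlers that test SF xor OF (JL/JGE), since no single AND mask expresses that condition; those are the handlers where the BSWAP/NOT chains on the page have to be read by hand.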