- UID
- 69642
注册时间2010-7-29
阅读权限40
最后登录1970-1-1
独步武林
 
TA的每日心情 | 开心
昨天 16:03 |
|---|
签到天数: 355 天 [LV.8]以坛为家I
|
OD调试时关键代码如下:
006CDB8C /$ 55 PUSH EBP ; 机器码
006CDB8D |. 8BEC MOV EBP,ESP ==>ESP中值送入EBP
006CDB8F |. 51 PUSH ECX
006CDB90 |. B9 04000000 MOV ECX,4 ==>4中值送入Ecx
006CDB95 |> 6A 00 /PUSH 0
006CDB97 |. 6A 00 |PUSH 0
006CDB99 |. 49 |DEC ECX ==>ECX减1
006CDB9A |.^ 75 F9 \JNZ SHORT JXCRM.006CDB95
//运算完ecx中值0
006CDB9C |. 51 PUSH ECX ==>ECX值为0
006CDB9D |. 874D FC XCHG DWORD PTR SS:[EBP-4],ECX ==>数据交换指令 XCHG
006CDBA0 |. 53 PUSH EBX
006CDBA1 |. 56 PUSH ESI
006CDBA2 |. 57 PUSH EDI
006CDBA3 |. 8BF9 MOV EDI,ECX
006CDBA5 |. 8955 FC MOV DWORD PTR SS:[EBP-4],EDX
006CDBA8 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
006CDBAB |. E8 CC74D3FF CALL JXCRM.0040507C
006CDBB0 |. 33C0 XOR EAX,EAX ==>逻辑异或运算指令 XOR 相异为真,相同为假
006CDBB2 |. 55 PUSH EBP
006CDBB3 |. 68 4DDD6C00 PUSH JXCRM.006CDD4D
006CDBB8 |. 64:FF30 PUSH DWORD PTR FS:[EAX]
006CDBBB |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
006CDBBE |. 8BC7 MOV EAX,EDI
006CDBC0 |. E8 F76FD3FF CALL JXCRM.00404BBC
006CDBC5 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] ; 机器码
006CDBC8 |. E8 BF72D3FF CALL JXCRM.00404E8C
006CDBCD |. 8BF0 MOV ESI,EAX
006CDBCF |. 85F6 TEST ESI,ESI ==>对两个操作数进行按位的'与'运算唯一不同之处是不将'与'的结 ---- 果送目的操作数,即本指令对两个操作数 的内容均不进行修改,仅是在逻辑与操作后,对标志位重新置位.
006CDBD1 |. 7E 26 JLE SHORT JXCRM.006CDBF9 ==>条件转移指令JLE/JNG 小于等于/不大于时转移
006CDBD3 |. BB 01000000 MOV EBX,1
006CDBD8 |> 8D4D EC /LEA ECX,DWORD PTR SS:[EBP-14] ; 循环 ==>有效地址传送指令 LEA
006CDBDB |. 8B45 FC |MOV EAX,DWORD PTR SS:[EBP-4]
006CDBDE |. 0FB64418 FF |MOVZX EAX,BYTE PTR DS:[EAX+EBX-1]
006CDBE3 |. 33D2 |XOR EDX,EDX
006CDBE5 |. E8 9AC8D3FF |CALL JXCRM.0040A484
006CDBEA |. 8B55 EC |MOV EDX,DWORD PTR SS:[EBP-14]
006CDBED |. 8D45 F8 |LEA EAX,DWORD PTR SS:[EBP-8]
006CDBF0 |. E8 9F72D3FF |CALL JXCRM.00404E94
006CDBF5 |. 43 |INC EBX ==> 加1指令 INC
006CDBF6 |. 4E |DEC ESI ==>减一指令 DEC
006CDBF7 |.^ 75 DF \JNZ SHORT JXCRM.006CDBD8
006CDBF9 |> 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8] ; 出现一串数字354A565753564750
006CDBFC |. E8 8B72D3FF CALL JXCRM.00404E8C
006CDC01 |. 8BF0 MOV ESI,EAX
006CDC03 |. 85F6 TEST ESI,ESI
006CDC05 |. 7E 2C JLE SHORT JXCRM.006CDC33
006CDC07 |. BB 01000000 MOV EBX,1
006CDC0C |> 8B45 F8 /MOV EAX,DWORD PTR SS:[EBP-8] ; 出现一串数字354A565753564750
006CDC0F |. E8 7872D3FF |CALL JXCRM.00404E8C
006CDC14 |. 2BC3 |SUB EAX,EBX
006CDC16 |. 8B55 F8 |MOV EDX,DWORD PTR SS:[EBP-8]
006CDC19 |. 8A1402 |MOV DL,BYTE PTR DS:[EDX+EAX]
006CDC1C |. 8D45 E8 |LEA EAX,DWORD PTR SS:[EBP-18]
006CDC1F |. E8 8071D3FF |CALL JXCRM.00404DA4
006CDC24 |. 8B55 E8 |MOV EDX,DWORD PTR SS:[EBP-18]
006CDC27 |. 8D45 F4 |LEA EAX,DWORD PTR SS:[EBP-C]
006CDC2A |. E8 6572D3FF |CALL JXCRM.00404E94
006CDC2F |. 43 |INC EBX
006CDC30 |. 4E |DEC ESI
006CDC31 |.^ 75 D9 \JNZ SHORT JXCRM.006CDC0C
006CDC33 |> 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
006CDC36 |. 50 PUSH EAX
006CDC37 |. B9 04000000 MOV ECX,4
006CDC3C |. BA 01000000 MOV EDX,1
006CDC41 |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C] ; 出现一串数字057465357565A453
006CDC44 |. E8 A374D3FF CALL JXCRM.004050EC
006CDC49 |. 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
006CDC4C |. 50 PUSH EAX
006CDC4D |. B9 04000000 MOV ECX,4
006CDC52 |. BA 05000000 MOV EDX,5
006CDC57 |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C] ; 出现一串数字057465357565A453
006CDC5A |. E8 8D74D3FF CALL JXCRM.004050EC
006CDC5F |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8] ; 出现0574
006CDC62 |. E8 2572D3FF CALL JXCRM.00404E8C
006CDC67 |. 83F8 04 CMP EAX,4
006CDC6A |. 7D 2F JGE SHORT JXCRM.006CDC9B
006CDC6C |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
006CDC6F |. E8 1872D3FF CALL JXCRM.00404E8C
006CDC74 |. 8BD8 MOV EBX,EAX
006CDC76 |. 83FB 03 CMP EBX,3
006CDC79 |. 7F 20 JG SHORT JXCRM.006CDC9B
006CDC7B |> 8D4D E4 /LEA ECX,DWORD PTR SS:[EBP-1C]
006CDC7E |. 8BC3 |MOV EAX,EBX
006CDC80 |. C1E0 02 |SHL EAX,2
006CDC83 |. 33D2 |XOR EDX,EDX
006CDC85 |. E8 FAC7D3FF |CALL JXCRM.0040A484
006CDC8A |. 8B55 E4 |MOV EDX,DWORD PTR SS:[EBP-1C]
006CDC8D |. 8D45 F8 |LEA EAX,DWORD PTR SS:[EBP-8]
006CDC90 |. E8 FF71D3FF |CALL JXCRM.00404E94
006CDC95 |. 43 |INC EBX
006CDC96 |. 83FB 04 |CMP EBX,4
006CDC99 |.^ 75 E0 \JNZ SHORT JXCRM.006CDC7B
006CDC9B |> 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
006CDC9E |. E8 E971D3FF CALL JXCRM.00404E8C ; EAX中出现6535
006CDCA3 |. 83F8 04 CMP EAX,4
006CDCA6 |. 7D 2F JGE SHORT JXCRM.006CDCD7
006CDCA8 |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
006CDCAB |. E8 DC71D3FF CALL JXCRM.00404E8C
006CDCB0 |. 8BD8 MOV EBX,EAX
006CDCB2 |. 83FB 03 CMP EBX,3
006CDCB5 |. 7F 20 JG SHORT JXCRM.006CDCD7
006CDCB7 |> 8D4D E0 /LEA ECX,DWORD PTR SS:[EBP-20]
006CDCBA |. 8BC3 |MOV EAX,EBX
006CDCBC |. C1E0 02 |SHL EAX,2
006CDCBF |. 33D2 |XOR EDX,EDX
006CDCC1 |. E8 BEC7D3FF |CALL JXCRM.0040A484
006CDCC6 |. 8B55 E0 |MOV EDX,DWORD PTR SS:[EBP-20]
006CDCC9 |. 8D45 F4 |LEA EAX,DWORD PTR SS:[EBP-C]
006CDCCC |. E8 C371D3FF |CALL JXCRM.00404E94
006CDCD1 |. 43 |INC EBX
006CDCD2 |. 83FB 04 |CMP EBX,4
006CDCD5 |.^ 75 E0 \JNZ SHORT JXCRM.006CDCB7
006CDCD7 |> 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
006CDCDA |. BA 64DD6C00 MOV EDX,JXCRM.006CDD64 ; jxcrm123xm566
006CDCDF |. E8 706FD3FF CALL JXCRM.00404C54 ; EDX中出现jxcrm123xm566
006CDCE4 |. 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24]
006CDCE7 |. 50 PUSH EAX
006CDCE8 |. B9 04000000 MOV ECX,4
006CDCED |. BA 01000000 MOV EDX,1
006CDCF2 |. 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
006CDCF5 |. E8 F273D3FF CALL JXCRM.004050EC
006CDCFA |. FF75 DC PUSH DWORD PTR SS:[EBP-24] ; 出现jxcr
006CDCFD |. 68 7CDD6C00 PUSH JXCRM.006CDD7C ; -
006CDD02 |. FF75 F8 PUSH DWORD PTR SS:[EBP-8] ; 出现 堆栈 SS:[0012FD70]=030C08F0, (ASCII "0574")
006CDD05 |. 8D45 D8 LEA EAX,DWORD PTR SS:[EBP-28]
006CDD08 |. 50 PUSH EAX
006CDD09 |. B9 05000000 MOV ECX,5
006CDD0E |. BA 05000000 MOV EDX,5
006CDD13 |. 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10] ; JXCRM.006CDD64 堆栈 SS:[0012FD68]=006CDD64 (JXCRM.006CDD64), ASCII "jxcrm123xm566"
006CDD16 |. E8 D173D3FF CALL JXCRM.004050EC
006CDD1B |. FF75 D8 PUSH DWORD PTR SS:[EBP-28] ; 出现m123x
006CDD1E |. 68 7CDD6C00 PUSH JXCRM.006CDD7C ; -
006CDD23 |. FF75 F4 PUSH DWORD PTR SS:[EBP-C] ; 出现6535 堆栈 SS:[0012FD6C]=030C0904, (ASCII "6535")
006CDD26 |. 8BC7 MOV EAX,EDI
006CDD28 |. BA 06000000 MOV EDX,6
006CDD2D |. E8 1A72D3FF CALL JXCRM.00404F4C
F7进入看看
//////////////////////////////////////////////////
00404F4C $ 53 PUSH EBX
00404F4D . 56 PUSH ESI
00404F4E . 57 PUSH EDI
00404F4F . 52 PUSH EDX
00404F50 . 50 PUSH EAX
00404F51 . 89D3 MOV EBX,EDX
00404F53 . 31FF XOR EDI,EDI
00404F55 . 8B4C94 14 MOV ECX,DWORD PTR SS:[ESP+EDX*4+14] ; 出现jxcr
00404F59 . 85C9 TEST ECX,ECX
00404F5B . 74 0C JE SHORT JXCRM.00404F69
00404F5D . 3908 CMP DWORD PTR DS:[EAX],ECX
00404F5F . 75 08 JNZ SHORT JXCRM.00404F69
00404F61 . 89CF MOV EDI,ECX
00404F63 . 8B41 FC MOV EAX,DWORD PTR DS:[ECX-4]
00404F66 . 4A DEC EDX
00404F67 . EB 02 JMP SHORT JXCRM.00404F6B
00404F69 > 31C0 XOR EAX,EAX
00404F6B > 8B4C94 14 MOV ECX,DWORD PTR SS:[ESP+EDX*4+14] ; 出现0574
00404F6F . 85C9 TEST ECX,ECX
00404F71 . 74 09 JE SHORT JXCRM.00404F7C
00404F73 . 0341 FC ADD EAX,DWORD PTR DS:[ECX-4]
00404F76 . 39CF CMP EDI,ECX
00404F78 . 75 02 JNZ SHORT JXCRM.00404F7C
00404F7A . 31FF XOR EDI,EDI
00404F7C > 4A DEC EDX
00404F7D .^ 75 EC JNZ SHORT JXCRM.00404F6B
00404F7F . 85FF TEST EDI,EDI
00404F81 . 74 17 JE SHORT JXCRM.00404F9A
00404F83 . 89C2 MOV EDX,EAX
00404F85 . 8B0424 MOV EAX,DWORD PTR SS:[ESP]
00404F88 . 8B77 FC MOV ESI,DWORD PTR DS:[EDI-4]
00404F8B . E8 88020000 CALL JXCRM.00405218
00404F90 . 8B3C24 MOV EDI,DWORD PTR SS:[ESP]
00404F93 . FF37 PUSH DWORD PTR DS:[EDI]
00404F95 . 0337 ADD ESI,DWORD PTR DS:[EDI]
00404F97 . 4B DEC EBX
00404F98 . EB 08 JMP SHORT JXCRM.00404FA2
00404F9A > E8 E1FCFFFF CALL JXCRM.00404C80
00404F9F . 50 PUSH EAX
00404FA0 . 89C6 MOV ESI,EAX
00404FA2 > 8B449C 18 MOV EAX,DWORD PTR SS:[ESP+EBX*4+18] ; jxcr 0574 6535
00404FA6 . 89F2 MOV EDX,ESI
00404FA8 . 85C0 TEST EAX,EAX
00404FAA . 74 0A JE SHORT JXCRM.00404FB6
00404FAC . 8B48 FC MOV ECX,DWORD PTR DS:[EAX-4]
00404FAF . 01CE ADD ESI,ECX
00404FB1 . E8 A6DBFFFF CALL JXCRM.00402B5C
00404FB6 > 4B DEC EBX
00404FB7 .^ 75 E9 JNZ SHORT JXCRM.00404FA2
00404FB9 . 5A POP EDX ; 堆栈 [0012FD04]=030C0940 (030C0940), ASCII "jxcr-0574m123x-6535"
00404FBA . 58 POP EAX
00404FBB . 85FF TEST EDI,EDI
00404FBD . 75 0C JNZ SHORT JXCRM.00404FCB
00404FBF . 85D2 TEST EDX,EDX ; 出现EDX=030C0940, (ASCII "jxcr-0574m123x-6535")
00404FC1 . 74 03 JE SHORT JXCRM.00404FC6
00404FC3 . FF4A F8 DEC DWORD PTR DS:[EDX-8]
00404FC6 > E8 45FCFFFF CALL JXCRM.00404C10
00404FCB > 5A POP EDX
00404FCC . 5F POP EDI
00404FCD . 5E POP ESI
00404FCE . 5B POP EBX
00404FCF . 58 POP EAX
00404FD0 . 8D2494 LEA ESP,DWORD PTR SS:[ESP+EDX*4]
00404FD3 . FFE0 JMP EAX
00404FD3 . /FFE0 JMP EAX ; 返回到JXCRM.006CDD32
/////////////////////////////////////////////////////////
006CDD32 |. 33C0 XOR EAX,EAX
006CDD34 |. 5A POP EDX
006CDD35 |. 59 POP ECX
006CDD36 |. 59 POP ECX
006CDD37 |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
006CDD3A |. 68 54DD6C00 PUSH JXCRM.006CDD54
006CDD3F |> 8D45 D8 LEA EAX,DWORD PTR SS:[EBP-28]
006CDD42 |. BA 0A000000 MOV EDX,0A
006CDD47 |. E8 946ED3FF CALL JXCRM.00404BE0
006CDD4C \. C3 RETN
006CDD4D .^ E9 6E67D3FF JMP JXCRM.004044C0
006CDD52 .^ EB EB JMP SHORT JXCRM.006CDD3F
006CDD54 . 5F POP EDI
006CDD55 . 5E POP ESI
006CDD56 . 5B POP EBX
006CDD57 . 8BE5 MOV ESP,EBP
006CDD59 . 5D POP EBP
006CDD5A . C3 RETN ; 返回到 006E71C6 (JXCRM.006E71C6)
006E71C6 . 8B55 A8 MOV EDX,DWORD PTR SS:[EBP-58] ; EDX中出现机器码5JVWSVGP
006E71C9 . A1 909F7000 MOV EAX,DWORD PTR DS:[709F90] ; EDX中出现"jxcr-0574m123x-6535"
006E71CE . 8B00 MOV EAX,DWORD PTR DS:[EAX]
006E71D0 . 8B80 D8040000 MOV EAX,DWORD PTR DS:[EAX+4D8]
006E71D6 . E8 FDDDD1FF CALL JXCRM.00404FD8
在这个006E71D6 . E8 FDDDD1FF CALL JXCRM.00404FD8时寄存器中
EAX 030C06F8 ASCII "www.chinapyg.com"
ECX 00000002
EDX 030C0940 ASCII "jxcr-0574m123x-6535"
EBX 00000001
ESP 0012FD80
EBP 0012FE18
ESI 017017CC
EDI 006E61E0 JXCRM.006E61E0
EIP 006E71D6 JXCRM.006E71D6 |
|
[复制链接]
IP卡
发表于 2010-8-12 09:41:03
提升卡
置顶卡
变色卡
千斤顶
显身卡
发表于 2010-8-12 09:51:32
发表于 2011-5-28 21:45:07
