两个ANTIW32dasm的程序的解决办法 -电脑资料

两个ANTI－W32dasm的程序的解决办法

作者：小牧童[CCG]

版权：CCG所有，转载请保持完整，

两个ANTIW32dasm的程序的解决办法

难度：易

程序1：http://www.my169.com/~zxhxmz/porciins.exe

程序2：就是上面这位大哥所想要解决的轻松试卷。http://www.shijun.com/easypaper/cn/download/eps404.zip

现象：这两个程序用W32dasm打开后陷入没有反应之中，只有用Ctrl+alt+del才能使其退出。

思路：W32dasm陷入无应之中估计进入某处死循环。呵呵，小牧童就是会钻死牛角尖^_^！有了思路ANTI功能自然就解了。

方法：

程序1：

运行W32dasm 并打开animal.exe文件进行编译，W32dasm进入死循环。

下Ctrl+D 进入softice按2次F12到下面：

:0046149F E8DCDB0400 call 004AF080

:004614A4 83C408 add esp, 00000008

* Referenced by a (U)nconditional or (C)onditional Jump at Address:

|:00461494(C)

|

:004614A7 8A9C35E9FDFFFF mov bl, byte ptr [ebp+esi-00000217]

:004614AE 80FB2F cmp bl, 2F

:004614B1 7615 jbe 004614C8

:004614B3 80FB3A cmp bl, 3A

:004614B6 7310 jnb 004614C8

:004614B8 889D0CF6FFFF mov byte ptr [ebp+FFFFF60C], bl

:004614BE C6850DF6FFFF00 mov byte ptr [ebp+FFFFF60D], 00

:004614C5 83C602 add esi, 00000002

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:

|:004614B1(C), :004614B6(C)

|

:004614C8 8D850CF6FFFF lea eax, dword ptr [ebp+FFFFF60C]

:004614CE 50 push eax

:004614CF E8EC9D0400 call 004AB2C0

:004614D4 59 pop ecx

:004614D5 8945F4 mov dword ptr [ebp-0C], eax

:004614D8 33D2 xor edx, edx

:004614DA 8955F8 mov dword ptr [ebp-08], edx

:004614DD 8B4DF8 mov ecx, dword ptr [ebp-08]

:004614E0 8B45F4 mov eax, dword ptr [ebp-0C]

:004614E3 3BC8 cmp ecx, eax

:004614E5 0F83B6FDFFFF jae 004612a1 //这里改为909090909090跳出死循环，

电脑资料

:004614E6 90 nop

:004614E7 90 nop

:004614E8 90 nop

:004614E9 90 nop

:004614EA 90 nop

程序2：

运行W32dasm 并打开easypaper.exe文件进行编译，W32dasm进入死循环。

下Ctrl+D 进入softice按2次F12到下面：

:0046151B E8BCD60400 call KERNEL32!lstrcat //按2次F12后到这里

:00461520 FF45F8 inc [ebp-08]

:00461523 8B4DF8 mov ecx, dword ptr [ebp-08]

:00461526 8B45F4 mov eax, dword ptr [ebp-0C]

:00461529 3BC8 cmp ecx, eax

:004615

:0046152D E96FFDFFFF jmp 004612A1

* Referenced by a (U)nconditional or (C)onditional Jump at Address:

|:0046121D(C)

|

:00461532 8B957CFFFFFF mov edx, dword ptr [ebp+FFFFFF7C]

:00461538 85D2 test edx, edx

:0046153A 7411 je 0046154D

将0046152b的比较取消，顺着0046152d的jmp 来到下面：

* Referenced by a (U)nconditional or (C)onditional Jump at Address:

|:0046152D(U)

|

:004612A1 C7857CFFFFFF01000000 mov dword ptr [ebp+FFFFFF7C], 00000001

:004612AB 8B8D78FFFFFF mov ecx, dword ptr [ebp+FFFFFF78]

:004612B1 85C9 test ecx, ecx

:004612B3 7410 je 004612C5

:004612B5 33C0 xor eax, eax

:004612B7 89857CFFFFFF mov dword ptr [ebp+FFFFFF7C], eax

:004612BD 33D2 xor edx, edx

:004612BF 899578FFFFFF mov dword ptr [ebp+FFFFFF78], edx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:

|:004612B3(C)

|

:004612C5 84DB test bl, bl

:004612C7 0F85D9FEFFFF jne 004611A6 ／／这里改为9090909090跳出死循环。

:004612CD 6A01 push 00000001