分析微信（WeChat）时在一个函数处断下，按 Ctrl+F9（执行到返回）后直接跳到了另一个 DLL 里。仅凭这一点是否就能说明该函数是一个导出函数？如果想自己构造调用，应该怎么做？（调用方的代码被 VM 保护了，所以完全不清楚传给它的是什么参数。）下面是该函数开头的反汇编，函数从 6A813B00 的 push ebp 开始，前面是 int3 填充：
6A813AFD | CC | int3 |
6A813AFE | CC | int3 |
6A813AFF | CC | int3 |
6A813B00 | 55 | push ebp | [[esp+0x8-0x4]+0x4]
6A813B01 | 8BEC | mov ebp,esp |
6A813B03 | 6A FF | push FFFFFFFF |
6A813B05 | 68 8885926B | push wechatwin.6B928588 |
6A813B0A | 64:A1 00000000 | mov eax,dword ptr fs:[0] | [00000000]:&"(鹖\v|:恔\x01"
6A813B10 | 50 | push eax |
6A813B11 | 83EC 54 | sub esp,54 |
6A813B14 | 53 | push ebx |
6A813B15 | 56 | push esi |
6A813B16 | 57 | push edi |
6A813B17 | A1 A09BF66B | mov eax,dword ptr ds:[6BF69BA0] | 6BF69BA0:"~<R\x1B"
6A813B1C | 33C5 | xor eax,ebp |
6A813B1E | 50 | push eax |
6A813B1F | 8D45 F4 | lea eax,dword ptr ss:[ebp-C] |
6A813B22 | 64:A3 00000000 | mov dword ptr fs:[0],eax |
6A813B28 | 8B75 08 | mov esi,dword ptr ss:[ebp+8] |
6A813B2B | 8D4D A0 | lea ecx,dword ptr ss:[ebp-60] |
6A813B2E | 6A 00 | push 0 |
6A813B30 | 8D46 04 | lea eax,dword ptr ds:[esi+4] |
|