00A0B5AF E8 FC000000 call 00A0B6B0 ; 寻找镜像地址并验证EP标识
00A0B5B4 8945 FC mov dword ptr ss:[ebp-0x4], eax ; 镜像地址
00A0B5B7 C745 F8 6C860100 mov dword ptr ss:[ebp-0x8], 0x1866C ; 原OEP
00A0B5BE C745 F4 00000000 mov dword ptr ss:[ebp-0xC], 0x0
00A0B5C5 C745 F0 00000000 mov dword ptr ss:[ebp-0x10], 0x0
00A0B5CC C745 EC 4C990200 mov dword ptr ss:[ebp-0x14], 0x2994C ; 导入表地址
00A0B5D3 C745 E8 54010000 mov dword ptr ss:[ebp-0x18], 0x154 ; 导入表大小
00A0B5DA C745 E4 00100000 mov dword ptr ss:[ebp-0x1C], 0x1000 ; 加密Rva
00A0B5E1 C745 E0 00180200 mov dword ptr ss:[ebp-0x20], 0x21800 ; 加密Rva大小
00A0B5E8 C745 DC 4F7E1523 mov dword ptr ss:[ebp-0x24], 0x23157E4F ; XorKey
00A0B5EF C745 D8 00004000 mov dword ptr ss:[ebp-0x28], 0x400000 ; Old_ImageBase
00A0B5F6 C745 D4 00500F00 mov dword ptr ss:[ebp-0x2C], 0xF5000 ; 重定位地址
00A0B5FD C745 D0 28260000 mov dword ptr ss:[ebp-0x30], 0x2628 ; 重定位大小
00A0B604 C745 CC 00000000 mov dword ptr ss:[ebp-0x34], 0x0 ; IsDLL
00A0B60B FF75 FC push dword ptr ss:[ebp-0x4]
00A0B60E FF75 DC push dword ptr ss:[ebp-0x24]
00A0B611 FF75 E0 push dword ptr ss:[ebp-0x20]
00A0B614 FF75 E4 push dword ptr ss:[ebp-0x1C]
00A0B617 E8 47FEFFFF call 00A0B463 ; 解密数据
00A0B61C FF75 FC push dword ptr ss:[ebp-0x4]
00A0B61F FF75 E8 push dword ptr ss:[ebp-0x18]
00A0B622 FF75 EC push dword ptr ss:[ebp-0x14]
00A0B625 E8 D9010000 call 00A0B803 ; 加载导入表
00A0B62A FF75 D0 push dword ptr ss:[ebp-0x30]
00A0B62D FF75 D4 push dword ptr ss:[ebp-0x2C]
00A0B630 FF75 D8 push dword ptr ss:[ebp-0x28]
00A0B633 FF75 FC push dword ptr ss:[ebp-0x4]
00A0B636 E8 05FBFFFF call 00A0B140 ; EP_修正重定位 |