首先用W32dasm载入TRW2000.EXE,但将告诉你“W32dasm执行了非法程序”,它崩溃了。 在Procdump中选择 PEeditor\指定文件 TRW2000.EXE\SECTIONS, 你会发现 .data 的 characteristics值为C0000040,将之改为60000020,保存后再用W32dasm载入,OK! 反汇编后选 refs/string data references,找到"The vention is too old, please",双击后见到如下: * Possible StringData Ref from Data Obj ->"This version is too old , please " ->"visit http://trw2000.yeah.net " ->"to get update."
:004018CD 682CF14100 push 0041F12C
* Referenced by a (U)nconditional or (C)onditional Jump at Address: :004016CA(U)
:004018D2 53 push ebx
向上找见 * Referenced by a (U)nconditional or (C)onditional Jump at Addresses: :0040164D(C), :00401675(C) ~~~~~~~~ ~~~~~~~~
精品推荐