Junk-instruction (花指令) patterns collected from one sample

Pattern 1

pushfw
xor ebx, 0CC11F4E5h
xor ebx, 0CC11F4E5h
popfw

Net effect: none. The two xors with the same immediate cancel out, and pushfw/popfw (66 9C / 66 9D, the 16-bit forms) save and restore the flags that xor would otherwise clobber. The whole sequence can be replaced with NOPs.

Pattern 2

.sune:004037E9 55                      push ebp
.sune:004037EA E8 00 00 00 00          call $+5
.sune:004037EF 66 9C                   pushfw
.sune:004037F1 81 24 24 25 B5 D6 D8    and dword ptr [esp], 0D8D6B525h
.sune:004037F8 8B 2C 24                mov ebp, [esp]
.sune:004037FB 66 9D                   popfw
.sune:004037FD 5D                      pop ebp
.sune:004037FE 5D                      pop ebp

call $+5 only pushes the address of the next instruction (004037EF); pushfw then pushes the 16-bit flags on top of it. The and therefore masks the flag word together with the low two bytes of that pushed address, mov ebp,[esp] loads that mixture, popfw reloads the masked flags, the first pop ebp discards the mangled address and the second pop ebp restores the real ebp. esp and ebp end up unchanged. The only lasting effect is on the flags: every flag bit that is 0 in the low 16 bits of the mask (0B525h) is cleared by popfw, so before NOPing the block check that nothing after it still depends on flags computed before it.

Pattern 3

pushfw
and dword ptr [esp], 26A8BF0Eh
mov ebx, [esp]
popfw

The same construction without the call. ebx receives the masked flag word plus whatever two bytes happened to sit above it on the stack, i.e. garbage, so ebx must be dead at this point. The flag-masking caveat from pattern 2 applies here as well.

Pattern 4

jmp $+2    (EB 00)
jmp $+5    (E9 00 00 00 00)

EB is the short jump with an 8-bit displacement, E9 the near jump with a 32-bit one. With a displacement of 0 both land on the instruction immediately following them, so they are two- and five-byte NOPs.

Pattern 6: PUSH equivalent

lea esp, [esp-4]
mov dword ptr [esp], offset dword_4035C6

is equivalent to

push offset dword_4035C6

lea is used instead of sub esp, 4 because it does not modify the flags.

Pattern 7: POP equivalent

.sune:004029E6 8B 2C 24                mov ebp, [esp]
.sune:004029E9 8D 64 24 04             lea esp, [esp+4]

is equivalent to

pop ebp

Pattern 8: CALL equivalent (OllyDbg listing)

00403666   C70424 6F364000   mov dword ptr ss:[esp], 0040366F
0040366D   56                push esi                          ; msvcrt.malloc
0040366E   C3                retn

The mov writes the address of the instruction after retn (0040366F) into the top-of-stack slot, which an earlier instruction has to have reserved; push esi then puts the real target on top (esi holds msvcrt.malloc here), and retn pops it into eip. Control arrives at malloc with 0040366F as the return address, i.e. this is call esi.

Pattern 9: PUSH equivalent 2

.sune:004028B9 8D 64 24 FC             lea esp, [esp-4]
.sune:004028BD 53                      push ebx
.sune:004028BE 8D 1D CE 28 40 00       lea ebx, word_4028CE
.sune:004028C4 89 5C 24 04             mov [esp+4], ebx
.sune:004028C8 5B                      pop ebx

== push offset word_4028CE

The reserved slot is filled through ebx, which is saved and restored around it, so ebx is preserved and the sequence is exactly a push of the constant.

Pattern 10

.sune:00402DE3 EB 3C                   jmp short loc_402E21
.sune:00402DE3 ; ---------------------------------------------------------------------------
.sune:00402DE5 FB                      unk_402DE5 db 0FBh ; DATA XREF: sub_402DC3+15o
.sune:00402DE6 52                      db 52h ; R
.sune:00402DE7 E1                      db 0E1h
.sune:00402DE8 91                      db 91h
.sune:00402DE9 7C                      db 7Ch ; |

A short jump over a block of junk bytes (here 3Ch = 60 bytes, from 00402DE5 up to loc_402E21) that is never executed but derails the disassembler. This kind is identified by hand and then patched automatically: the bytes to patch are exactly those the EB instruction skips, i.e. the displacement's worth of bytes following it, which are overwritten with NOPs.

Pattern 11

.sune:00402F51 E8 40 00 00 00          call loc_402F96
.sune:00402F51 ; ---------------------------------------------------------------------------
.sune:00402F56 63 40 35 CB 82 33 0D+   db 63h, 40h, 35h, 0CBh, 82h, 33h, 0Dh, 91h, 35h, 8Bh, 72h
.sune:00402F56 91 35 8B 72 F8 97 37+   db 0F8h, 97h, 37h, 8Eh, 33h, 8Ah, 0C8h, 0B7h, 9Ch, 14h
.sune:00402F56 8E 33 8A C8 B7 9C 14+   db 6Dh, 0DDh, 1Dh, 22h, 3Eh, 1Bh, 0D6h, 63h, 0FEh, 2Bh
.sune:00402F56 6D DD 1D 22 3E 1B D6+   db 0FCh, 71h, 0A1h, 0A5h, 4Eh, 1Ah, 88h, 0AFh, 4Ch, 8Fh
.sune:00402F56 63 FE 2B FC 71 A1 A5+   db 9Bh, 47h, 6Eh, 4Ch, 8Dh, 0C9h, 0E6h, 66h, 9Ch, 81h
.sune:00402F56 4E 1A 88 AF 4C 8F 9B+   db 0F6h, 73h, 6Eh, 60h, 0C2h, 81h, 0F6h, 73h, 6Eh, 60h
.sune:00402F56 47 6E 4C 8D C9 E6 66+   db 0C2h, 66h, 9Dh
.sune:00402F96 ; ---------------------------------------------------------------------------
.sune:00402F96
.sune:00402F96 loc_402F96:

The same idea with a call instead of a jump: 40h = 64 bytes of junk lie between the call and loc_402F96. Unlike the jmp, the call also pushes a return address (00402F56) that points into the junk, so the code at loc_402F96 has to account for that extra dword on the stack. Again: identify by hand, patch automatically. The bytes to patch are the displacement's worth following the E8 instruction; the E8 itself stays in place so the stack layout the target expects is unchanged.

Pattern 12

.sune:00419ED8 8D 35 E5 9E 41 00       lea esi, loc_419EE5
.sune:00419EDE 89 74 24 04             mov [esp+4], esi
.sune:00419EE2 5E                      pop esi

This is the tail of pattern 9 done with esi. pop esi reloads esi from [esp], so esi does not hold loc_419EE5 afterwards; what remains is that the slot which becomes the new top of stack now holds loc_419EE5. On its own it is equivalent to

pop esi
mov dword ptr [esp], offset loc_419EE5

and when it is preceded by lea esp, [esp-4] / push esi (as in pattern 13) the whole thing is push offset loc_419EE5.

Pattern 13

.sune:0041E1CF 8D 64 24 FC             lea esp, [esp-4]
.sune:0041E1D3 ; loc_41E1D3
.sune:0041E1E3 56                      push esi
.sune:0041E1E4 ; loc_41E1E4
.sune:0041E1EA 8D 35 6C E2 41 00       lea esi, loc_41E26C
.sune:0041E1F0 89 74 24 04             mov [esp+4], esi
.sune:0041E1F4 ; loc_41E1F4
.sune:0041E204 5E                      pop esi

Pattern 9 again, this time with esi and with the five instructions spread over several chunks (the listing omits what lies between 41E1D3 and 41E1E3, between 41E1E4 and 41E1EA, and between 41E1F4 and 41E204). Once the filler is removed the sequence is equivalent to

push offset loc_41E26C

esi is saved by the push and restored by the pop, so unlike lea esi, loc_41E26C / push esi it leaves esi intact.

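The rewrites above are mechanical once the byte encodings are known, so here is an added example (not from the original post) of doing them in Python: a table of byte-pattern rules for patterns 1, 4, 6, 7, 8 and 9/13, generalised to any register eax..edi except esp since the encodings differ only in the ModRM register field, plus the NOP-the-skipped-bytes step for patterns 10 and 11. It assumes 32-bit x86 and, for pattern 8, that the slot the mov writes into was reserved by lea esp,[esp-4] immediately before it (the sample listing does not show that instruction). The sample bytes used to exercise it are constructed.

```python
"""Rewriter for the junk-instruction patterns listed above (added example; 32-bit x86 only)."""
import re
from typing import Callable, List, NamedTuple, Optional, Tuple

NOP = b"\x90"
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]   # index = x86 register number


class Rule(NamedTuple):
    name: str
    pattern: re.Pattern
    rewrite: Callable[[re.Match, int], Optional[bytes]]   # (match, va of match) -> bytes or None


def pad(code: bytes, length: int) -> bytes:
    """NOP-pad the simplified instruction to the junk's length so no other offset moves."""
    assert len(code) <= length, "replacement must not be longer than the junk it replaces"
    return code + NOP * (length - len(code))


def esc(b: int) -> bytes:
    """One opcode/ModRM byte, escaped for use inside a bytes regex."""
    return re.escape(bytes([b]))


def build_rules() -> List[Rule]:
    rules: List[Rule] = []
    # Register-specific, longer sequences first so the shorter prefix rule (pattern 6) cannot eat them.
    for reg, name in enumerate(REGS):
        if name == "esp":
            continue                       # esp-relative forms are not equivalent; leave them alone

        def call_reg(m, va, reg=reg):      # pattern 8: only if RET is the byte right after retn
            ret = int.from_bytes(m.group(1), "little")
            if ret != va + len(m.group(0)):
                return None                # a real retn to somewhere else: do not touch
            return pad(bytes([0xFF, 0xD0 | reg]), len(m.group(0)))   # FF /2 = call r/m32

        # Pattern 8 (assumed slot reservation): lea esp,[esp-4] / mov [esp],RET / push reg / retn
        rules.append(Rule(f"mov [esp],RET; push {name}; retn -> call {name}",
                          re.compile(rb"\x8d\x64\x24\xfc\xc7\x04\x24(.{4})" + esc(0x50 + reg) + rb"\xc3",
                                     re.DOTALL), call_reg))
        # Patterns 9/13: lea esp,[esp-4] / push reg / lea reg,[X] / mov [esp+4],reg / pop reg -> push X
        rules.append(Rule(f"lea esp,[esp-4]; push {name}; lea {name},X; mov [esp+4],{name}; pop {name} -> push X",
                          re.compile(rb"\x8d\x64\x24\xfc" + esc(0x50 + reg) + rb"\x8d" + esc(0x05 | (reg << 3))
                                     + rb"(.{4})\x89" + esc(0x44 | (reg << 3)) + rb"\x24\x04" + esc(0x58 + reg),
                                     re.DOTALL),
                          lambda m, va: pad(b"\x68" + m.group(1), len(m.group(0)))))   # 68 = push imm32
        # Pattern 7: mov reg,[esp] / lea esp,[esp+4] -> pop reg
        rules.append(Rule(f"mov {name},[esp]; lea esp,[esp+4] -> pop {name}",
                          re.compile(rb"\x8b" + esc(0x04 | (reg << 3)) + rb"\x24\x8d\x64\x24\x04"),
                          lambda m, va, reg=reg: pad(bytes([0x58 + reg]), len(m.group(0)))))
    rules += [
        # Pattern 1: pushfw / xor ebx,X / xor ebx,X / popfw; the \1 backreference insists both immediates are equal
        Rule("pushfw; xor ebx,X; xor ebx,X; popfw -> (nothing)",
             re.compile(rb"\x66\x9c\x81\xf3(.{4})\x81\xf3\1\x66\x9d", re.DOTALL),
             lambda m, va: pad(b"", len(m.group(0)))),
        # Pattern 4: jmp $+2 (EB 00) and jmp $+5 (E9 00 00 00 00) simply fall through
        Rule("jmp $+2 -> (nothing)", re.compile(rb"\xeb\x00"), lambda m, va: pad(b"", 2)),
        Rule("jmp $+5 -> (nothing)", re.compile(rb"\xe9\x00\x00\x00\x00"), lambda m, va: pad(b"", 5)),
        # Pattern 6: lea esp,[esp-4] / mov dword [esp],imm32 -> push imm32
        Rule("lea esp,[esp-4]; mov [esp],imm32 -> push imm32",
             re.compile(rb"\x8d\x64\x24\xfc\xc7\x04\x24(.{4})", re.DOTALL),
             lambda m, va: pad(b"\x68" + m.group(1), len(m.group(0)))),
    ]
    return rules


def simplify(code: bytes, base_va: int) -> Tuple[bytes, List[Tuple[int, str]]]:
    """Apply each rule once, in table order; returns the patched bytes and a (va, rule name) log."""
    buf = bytearray(code)
    log: List[Tuple[int, str]] = []
    for rule in build_rules():
        for m in rule.pattern.finditer(bytes(buf)):          # size-preserving, so indices stay valid
            new = rule.rewrite(m, base_va + m.start())
            if new is not None:
                buf[m.start():m.end()] = new
                log.append((base_va + m.start(), rule.name))
    return bytes(buf), log


def nop_skipped_bytes(code: bytes, base_va: int, at_va: int) -> bytes:
    """Patterns 10/11: once a jmp/call at at_va is known (by hand) to only hop over junk,
    overwrite exactly the bytes between it and its forward target with NOPs. The branch
    itself is kept, so a call still pushes the return address its target expects."""
    buf = bytearray(code)
    off = at_va - base_va
    if buf[off] == 0xEB:                                    # jmp rel8
        disp, ilen = int.from_bytes(buf[off + 1:off + 2], "little", signed=True), 2
    elif buf[off] in (0xE9, 0xE8):                          # jmp rel32 / call rel32
        disp, ilen = int.from_bytes(buf[off + 1:off + 5], "little", signed=True), 5
    else:
        raise ValueError(f"no jmp/call at {at_va:#x} (opcode {buf[off]:#04x})")
    if disp > 0:                                            # backward or zero: nothing is skipped
        buf[off + ilen:off + ilen + disp] = NOP * disp
    return bytes(buf)
```

Every replacement is padded with NOPs to the original length, so no other offset in the image moves. The matcher works on raw bytes and does not know where instructions start, so a rule could in principle fire inside the immediate or displacement of a legitimate instruction; in practice drive it from a disassembler's instruction stream (IDA, capstone) or restrict it to ranges already confirmed to be instruction-aligned. Patterns 2 and 3 are deliberately not in the table because of the flag side effect noted above.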