Coral QQ plug-in 3.06 shell

xiaoxiao2021-03-05  29

1. coralqq.exe. PEiD reports PECompact 2.x -> Jeremy Collake. Load it in OllyDbg; it stops at the entry point:

00401000  B8 D4A14300        mov eax, CoralQQ.0043A1D4
00401005  50                 push eax
00401006  64:FF35 00000000   push dword ptr fs:[0]
0040100D  64:8925 00000000   mov dword ptr fs:[0], esp
00401014  33C0               xor eax, eax

F8 single-step to here, and in the stack window we see:

0012FFBC  0012FFE0  pointer to next SEH record
0012FFC0  0043A1D4  SE handler
0012FFC4  7C816D4F  RETURN to kernel32.7C816D4F

Looking back at the stack, Ctrl+G to 0043A1D4 (the SE handler), set a breakpoint there, then F9; the program breaks:

0043A1D4  B8 7E9043F0        mov eax, F043907E
0043A1D9  8D88 79110010      lea ecx, dword ptr ds:[eax+10001179]
0043A1DF  8941 01            mov dword ptr ds:[ecx+1], eax
0043A1E2  8B5424 04          mov edx, dword ptr ss:[esp+4]
0043A1E6  8B52 0C            mov edx, dword ptr ds:[edx+C]
0043A1    PTD DS:[EDX], 0E9
0043A1EC  83C2 05            add edx, 5
0043A1EF  2BCA               sub ecx, edx
0043A1F1  894A FC            mov dword ptr ds:[edx-4], ecx

Remove that breakpoint, then set a breakpoint at 0043A1F7 on the mov eax:

0043A1F7  B8 78563412        mov eax, 12345678
0043A1FC  64:8F05 00000000   pop dword ptr fs:[0]
0043A203  83C4 04            add esp, 4
0043A206  55                 push ebp
0043A207  53                 push ebx
0043A208  51                 push ecx
0043A209  57                 push edi
0043A20A  56                 push esi
0043A20B  52                 push edx

Press F9; the program breaks here. Remove the breakpoint.

F8 single-step until 0043A29F:

0043A281  8985 23120010      mov dword ptr ss:[ebp+10001223], eax
0043A287  8BF0               mov esi, eax
0043A289  59                 pop ecx
0043A28A  5A                 pop edx
0043A28B  03CA               add ecx, edx
0043A28D  68 00800000        push 8000
0043A292  6A 00              push 0
0043A294  57                 push edi
0043A295  FF11               call dword ptr ds:[ecx]
0043A297  8BC6               mov eax, esi
0043A299  5A                 pop edx
0043A29A  5E                 pop esi
0043A29B  5F                 pop edi
0043A29C  59                 pop ecx
0043A29D  5B                 pop ebx
0043A29E  5D                 pop ebp
0043A29F  FFE0               jmp eax

F8 here jumps to the OEP:

00418E2C  55                 push ebp                          ; OEP
00418E2D  8BEC               mov ebp, esp
00418E2F  83C4 F0            add esp, -10
00418E32  B8 648D4100        mov eax, CoralQQ.00418D64
00418E37  E8 A4BAFEFF        call CoralQQ.004048E0
00418E3C  A1 F49D4100        mov eax, dword ptr ds:[419DF4]
00418E41  33D2               xor edx, edx
00418E43  E8 30F4FFFF        call CoralQQ.00418278

2. CoralQQ.dll. Load it in OD; it stops here:

00B7D911 > B8 80F5B900       mov eax, CoralQQ.00B9F580         ; stops here
00B7D916   50                push eax
00B7D917   64:FF35 00000000  push dword ptr fs:[0]
00B7D91E   64:8925 00000000  mov dword ptr fs:[0], esp
00B7D925   33C0              xor eax, eax
00B7D927   8908              mov dword ptr ds:[eax], ecx
00B7D929   50                push eax
00B7D92A   45                inc ebp
00B7D92B   43                inc ebx

Then use the ESP trick: dd 0006F8A0 and set a hardware access breakpoint.
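The SE handler at 0043A1D4 is what carries the stub from the deliberate fault after xor eax,eax to 0043A1F7. The script below is an added example (not from the original post) that replays the handler's arithmetic with the constants from the listing, and also decodes the two E8 calls at the OEP. It assumes the garbled line at 0043A1E9 is "mov byte ptr ds:[edx], 0E9" and that the faulting instruction sits at 00401016 (by analogy with the DLL's mov dword ptr ds:[eax], ecx following xor eax,eax).

```python
import struct

MASK = 0xFFFFFFFF
HANDLER_EAX = 0xF043907E   # 0043A1D4  mov eax, F043907E
LEA_DISP    = 0x10001179   # 0043A1D9  lea ecx, [eax+10001179]
FAULT_ADDR  = 0x00401016   # assumption: the mov [eax],ecx after xor eax,eax at 00401014

def seh_handler_patches(eax=HANDLER_EAX, disp=LEA_DISP, fault_addr=FAULT_ADDR):
    """Replay the handler: returns (continue_addr, imm32_patch_addr, jmp_bytes)."""
    ecx = (eax + disp) & MASK            # lea ecx,[eax+disp]  -> 0043A1F7 (32-bit wrap)
    imm_patch_addr = (ecx + 1) & MASK    # mov [ecx+1],eax : overwrites the imm32 of
                                         #   'mov eax,12345678' at 0043A1F7 with F043907E
    edx = fault_addr                     # [esp+4] = ExceptionRecord, [edx+C] = ExceptionAddress
    opcode = 0xE9                        # assumed: mov byte ptr [edx],0E9 (jmp rel32 opcode)
    edx = (edx + 5) & MASK               # add edx,5 : end of the 5-byte jmp being built
    rel = (ecx - edx) & MASK             # sub ecx,edx : rel32 from end of jmp to 0043A1F7
    jmp_bytes = bytes([opcode]) + struct.pack("<I", rel)  # mov [edx-4],ecx
    return ecx, imm_patch_addr, jmp_bytes

def decode_jmp(addr, jmp_bytes):
    """Decode an E9 rel32 located at addr into its absolute target."""
    if jmp_bytes[0] != 0xE9:
        raise ValueError("not a jmp rel32")
    rel = struct.unpack("<i", jmp_bytes[1:5])[0]
    return (addr + 5 + rel) & MASK

def call_target(insn_addr, rel32_le_hex):
    """E8 rel32 -> absolute target, e.g. 00418E37 E8 A4BAFEFF -> CoralQQ.004048E0."""
    rel = struct.unpack("<i", bytes.fromhex(rel32_le_hex))[0]
    return (insn_addr + 5 + rel) & MASK

if __name__ == "__main__":
    cont, imm_addr, jb = seh_handler_patches()
    print(f"handler continues at {cont:08X}, patches imm32 at {imm_addr:08X}, writes {jb.hex()}")
    print(f"patched jmp at {FAULT_ADDR:08X} lands at {decode_jmp(FAULT_ADDR, jb):08X}")
    print(f"OEP calls: {call_target(0x00418E37, 'A4BAFEFF'):08X}, {call_target(0x00418E43, '30F4FFFF'):08X}")
```

The wrap-around sum 0xF043907E + 0x10001179 is exactly why the breakpoint goes on 0043A1F7 and why eax is no longer 12345678 when execution reaches it.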

Please credit the original source when reposting: https://www.9cbs.com/read-33805.html
