DBPE counts as a fairly good packer. For people who know this stuff it is nothing much, but for me it was really hard; it took a huge effort to get even this little bit out of it.
I do not know how it behaves under Win NT; several times my modifications failed to hit the crucial point, so I can only describe the situation under Win 9x.
It is divided into four parts in total:
Part 1
Analysis of the INT3 interrupt setup and of the jump into ring 0 of the system, where the INT3 interrupt gate is installed
Part 2
Analysis of the INT3 subroutine, where the INT1 interrupt gate is installed and the breakpoints set through the debug registers are cleared
Part 3
Analysis of the INT1 subroutine, which merely performs a simple decoding step
Part 4
A few other things, concerning how the operating system flag is obtained
Part 1: analysis of the INT3 interrupt and of the jump into ring 0 of the system
The program first modifies the INT3 interrupt gate, so you cannot set BPX breakpoints at all; at this point you can still set BPM breakpoints and single-step breakpoints. Look at this code in detail:
004F671C 90 NOP ==========> modified
004F671D 0F010E SIDT FWORD PTR DS:[ESI] ======******> read the interrupt descriptor table register (IDTR) and store it at [ESI]
004F6720 9C PUSHFD
004F6721 6A 10 PUSH 10
004F6723 73 0B JNB SHORT N4F671D.004F6730
004F6725 EB 02 JMP SHORT 4F69F6-.004F6729
004F6727 90 NOP ==========> modified
004F6728 90 NOP ==========> modified
004F6729 E8 06000000 CALL 4F69F6-.004F6734
004F672E 90 NOP ==========> modified
004F672F 90 NOP ==========> modified
004F6730 73 F7 JNB SHORT 4F69F6-.004F6729
004F6732 5B POP EBX
004F6733 90 NOP ==========> modified
004F6734 83C4 04 ADD ESP,4
004F6737 EB 02 JMP SHORT 4F69F6-.004F673B
004F6739 99 CDQ
004F673A 90 NOP ==========> modified
004F673B FF0C24 DEC DWORD PTR SS:[ESP]
004F673E 71 01 JNO SHORT 4F69F6-.004F6741
004F6740 90 NOP ==========> modified
004F6741 79 E0 JNS SHORT 4F69F6-.004F6723
004F6743 7A 01 JPE SHORT 4F69F6-.004F6746
004F6745 90 NOP ==========> modified
004F6746 83C4 04 ADD ESP,4
004F6749 9D POPFD
004F674A EB 01 JMP SHORT 4F69F6-.004F674D
004F674C 90 NOP ==========> modified
004F674D 8B76 02 MOV ESI,DWORD PTR DS:[ESI+2] ======******> fetch the IDT base address
004F6750 9C PUSHFD
004F6751 72 0A JB SHORT 4F69F6-.004F675D
004F6753 EB 01 JMP SHORT 4F69F6-.004F6756
004F6755 90 NOP ==========> modified
004F6756 E8 05000000 CALL 4F69F6-.004F6760
004F675B EB 77 JMP SHORT 4F69F6-.004F67D4
004F675D 72 F4 JB SHORT 4F69F6-.004F6753
004F675F 90 NOP ==========> modified
004F6760 83C4 04 ADD ESP,4
004F6763 9D POPFD
004F6764 EB 01 JMP SHORT 4F69F6-.004F6767
004F6766 90 NOP ==========> modified
004F6767 66:8B46 18 MOV AX,WORD PTR DS:[ESI+18] ==========******> read the interrupt gate (low word of the INT3 handler offset)
004F676B 9C PUSHFD
004F676C 6A 10 PUSH 10
004F676E 73 0B JNB SHORT 4F69F6-.004F677B
004F6770 EB 02 JMP SHORT 4F69F6-.004F6774
004F6772 90 NOP ==========> modified
004F6773 90 NOP ==========> modified
004F6774 E8 06000000 CALL 4F69F6-.004F677F
004F6779 90 NOP ==========> modified
004F677A 90 NOP ==========> modified
004F677B 73 F7 JNB SHORT 4F69F6-.004F6774
004F677D 5B POP EBX
004F677E 90 NOP ==========> modified
004F677F 83C4 04 ADD ESP,4
004F6782 EB 02 JMP SHORT 4F69F6-.004F6786
004F6784 99 CDQ
004F6785 90 NOP ==========> modified
004F6786 FF0C24 DEC DWORD PTR SS:[ESP]
004F6789 71 01 JNO SHORT 4F69F6-.004F678C
004F678B 90 NOP ==========> modified
004F678C 79 E0 JNS SHORT 4F69F6-.004F676E
004F678E 7A 01 JPE SHORT 4F69F6-.004F6791
004F6790 90 NOP ==========> modified
004F6791 83C4 04 ADD ESP,4
004F6794 9D POPFD
004F6795 EB 01 JMP SHORT 4F69F6-.004F6798
004F6797 90 NOP ==========> modified
004F6798 66:8B5E 1E MOV BX,WORD PTR DS:[ESI+1E] ==========******> read the interrupt gate (high word of the INT3 handler offset)
004F679C 72 03 JB SHORT 4F69F6-.004F67A1
004F679E 73 01 JNB SHORT 4F69F6-.004F67A1
004F67A0 90 NOP ==========> modified
004F67A1 66:8985 C3164600 MOV WORD PTR SS:[EBP+4616C3],AX ======******> save the interrupt gate
004F67A8 72 03 JB SHORT 4F69F6-.004F67AD
004F67AA 73 01 JNB SHORT 4F69F6-.004F67AD
004F67AC 90 NOP ==========> modified
004F67AD 66:899D C5164600 MOV WORD PTR SS:[EBP+4616C5],BX ======******> save the interrupt gate
004F67B4 74 03 JE SHORT 4F69F6-.004F67B9
004F67B6 75 01 JNZ SHORT 4F69F6-.004F67B9
004F67B8 90 NOP ==========> modified
004F67B9 B8 77244600 MOV EAX,4F69F6-.00462477 =============******> related to the new interrupt gate address
004F67BE 9C PUSHFD
004F67BF 6A 10 PUSH 10
004F67C1 73 0B JNB SHORT 4F69F6-.004F67CE
004F67C3 EB 02 JMP SHORT 4F69F6-.004F67C7
004F67C5 90 NOP ==========> modified
004F67C6 90 NOP ==========> modified
004F67C7 E8 06000000 CALL 4F69F6-.004F67D2
004F67CC 90 NOP ==========> modified
004F67CD 90 NOP ==========> modified
004F67CE 73 F7 JNB SHORT 4F69F6-.004F67C7
004F67D0 5B POP EBX
004F67D1 90 NOP ==========> modified
004F67D2 83C4 04 ADD ESP,4
004F67D5 EB 02 JMP SHORT 4F69F6-.004F67D9
004F67D7 99 CDQ
004F67D8 90 NOP ==========> modified
004F67D9 FF0C24 DEC DWORD PTR SS:[ESP]
004F67DC 71 01 JNO SHORT 4F69F6-.004F67DF
004F67DE 90 NOP ==========> modified
004F67DF 79 E0 JNS SHORT 4F69F6-.004F67C1
004F67E1 7A 01 JPE SHORT 4F69F6-.004F67E4
004F67E3 90 NOP ==========> modified
004F67E4 83C4 04 ADD ESP,4
004F67E7 9D POPFD
004F67E8 EB 01 JMP SHORT 4F69F6-.004F67EB
004F67EA 90 NOP ==========> modified
004F67EB 03C5 ADD EAX,EBP ======================******> address of the new INT3 handler = 0x0054F1CC
004F67ED 7A 03 JPE SHORT 4F69F6-.004F67F2
004F67EF 7B 01 JPO SHORT 4F69F6-.004F67F2
004F67F1 90 NOP ==========> modified
004F67F2 66:8946 18 MOV WORD PTR DS:[ESI+18],AX ======******> new INT3 handler address; from now on bpx breakpoints cannot be used
                                                 ======> 0x18 == 24 = 8*3
                                                 ======> each interrupt gate is 8 bytes
                                                 ======> xx xx ?? ?? ?? ?? xx xx (xx = low/high word of the handler offset, ?? = selector and attributes)
004F67F6 9C PUSHFD
004F67F7 6A 10 PUSH 10
004F67F9 73 0B JNB SHORT 4F69F6-.004F6806
004F67FB EB 02 JMP SHORT 4F69F6-.004F67FF
004F67FD 90 NOP ==========> modified
004F67FE 90 NOP ==========> modified
004F67FF E8 06000000 CALL 4F69F6-.004F680A
004F6804 90 NOP ==========> modified
004F6805 90 NOP ==========> modified
004F6806 73 F7 JNB SHORT 4F69F6-.004F67FF
004F6808 5B POP EBX
004F6809 90 NOP ==========> modified
004F680A 83C4 04 ADD ESP,4
004F680D EB 02 JMP SHORT 4F69F6-.004F6811
004F680F 99 CDQ
004F6810 90 NOP ==========> modified
004F6811 FF0C24 DEC DWORD PTR SS:[ESP]
004F6814 71 01 JNO SHORT 4F69F6-.004F6817
004F6816 90 NOP ==========> modified
004F6817 79 E0 JNS SHORT 4F69F6-.004F67F9
004F6819 7A 01 JPE SHORT 4F69F6-.004F681C
004F681B 90 NOP ==========> modified
004F681C 83C4 04 ADD ESP,4
004F681F 9D POPFD
004F6820 EB 01 JMP SHORT 4F69F6-.004F6823
004F6822 90 NOP ==========> modified
004F6823 C1E8 10 SHR EAX,10 =======================******> new INT3 handler address (high word)
004F6826 72 03 JB SHORT 4F69F6-.004F682B
004F6828 73 01 JNB SHORT 4F69F6-.004F682B
004F682A 90 NOP ==========> modified
004F682B 66:8946 1E MOV WORD PTR DS:[ESI+1E],AX ======******> new INT3 handler address
                                                 ======> with this, the new interrupt gate is in place
                                                 ======> this process can now invoke INT3
                                                 ======> without raising an exception anymore
                                                 ======> in effect it is just a subroutine
OK, the interrupt gate is set up and you can no longer set breakpoints with bpx. Next comes a decoding routine, and after that a section of code that checks whether the program code is correct.
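As an added illustration (not code from this post or from DBPE), the following C model shows the 8-byte IDT gate layout that the offsets 0x18/0x1E and 0x08/0x0E above depend on, the two-word store the packer performs, and a defender's snapshot comparison that flags a retargeted gate. The IDT buffer and the 0x0054F1CC handler value are constructed from the listing; the helper names are my own.

```c
#include <stdint.h>

/* Added model of a 32-bit IDT gate (not DBPE's code). Each gate is 8 bytes:
 * the handler offset is split into a low word at +0 and a high word at +6,
 * with the code selector and type/DPL/P attributes in bytes +2..+5, which
 * the packer leaves untouched and this model does not interpret. */
#define IDT_GATE_SIZE 8
#define GATE_OFF_LO   0   /* offset bits 0..15  */
#define GATE_OFF_HI   6   /* offset bits 16..31 */

/* Byte offset of gate `vector` from the IDT base: 8*3 = 0x18 for INT3,
 * 8*1 = 0x08 for INT1; adding 6 gives the 0x1E / 0x0E seen in the listing. */
unsigned idt_gate_offset(unsigned vector) { return vector * IDT_GATE_SIZE; }

/* Reassemble the handler address from the two halves of gate `vector`. */
uint32_t idt_gate_handler(const uint8_t *idt, unsigned vector) {
    const uint8_t *g = idt + idt_gate_offset(vector);
    uint32_t lo = (uint32_t)g[GATE_OFF_LO] | ((uint32_t)g[GATE_OFF_LO + 1] << 8);
    uint32_t hi = (uint32_t)g[GATE_OFF_HI] | ((uint32_t)g[GATE_OFF_HI + 1] << 8);
    return lo | (hi << 16);
}

/* The same two-step store the packer performs: low word, then EAX >> 16. */
void idt_gate_set_handler(uint8_t *idt, unsigned vector, uint32_t handler) {
    uint8_t *g = idt + idt_gate_offset(vector);
    g[GATE_OFF_LO]     = (uint8_t)handler;
    g[GATE_OFF_LO + 1] = (uint8_t)(handler >> 8);
    g[GATE_OFF_HI]     = (uint8_t)(handler >> 16);
    g[GATE_OFF_HI + 1] = (uint8_t)(handler >> 24);
}

/* Defender's check: compare a saved IDT image with the live one and return
 * the first vector whose handler offset differs, or -1 if none does. A
 * retargeted INT1 or INT3 gate is exactly what this catches. */
int idt_first_rehooked_vector(const uint8_t *saved, const uint8_t *live,
                              unsigned count) {
    for (unsigned v = 0; v < count; v++)
        if (idt_gate_handler(saved, v) != idt_gate_handler(live, v))
            return (int)v;
    return -1;
}

/* Constructed demo: a zeroed 32-gate IDT is snapshotted, then INT3 is
 * pointed at the address the listing computes (0x0054F1CC). Returns 3. */
int demo_detect_int3_hook(void) {
    uint8_t saved[32 * IDT_GATE_SIZE] = {0}, live[32 * IDT_GATE_SIZE] = {0};
    idt_gate_set_handler(live, 3, 0x0054F1CCu);
    return idt_first_rehooked_vector(saved, live, 32);
}
```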
....
Once these are done comes the INT3 instruction, which transfers control to the INT3 procedure designed by the author at 0x0054F1CC
004F69F6 CC INT3 ===============================> here the program takes over the INT3 interrupt itself
                 ===============================> that is, the 0x0054F1CC above
Part 2: analysis of the INT3 subroutine
It first modifies the INT1 interrupt gate, and then:
0054F2A5 90 NOP
0054F2A6 0F010E SIDT FWORD PTR DS:[ESI] ==================******> store the IDTR
0054F2A9 7A 03 JPE SHORT 4F69F6.0054F2AE
0054F2AB 7B 01 JPO SHORT 4F69F6.0054F2AE
0054F2AD 90 NOP
0054F2AE 8B76 02 MOV ESI,DWORD PTR DS:[ESI+2] =============******> get the IDT base
0054F2B1 72 03 JB SHORT 4F69F6.0054F2B6
0054F2B3 73 01 JNB SHORT 4F69F6.0054F2B6
0054F2B5 90 NOP
0054F2B6 BB 7C274600 MOV EBX,4F69F6.0046277C
0054F2BB 74 03 JE SHORT 4F69F6.0054F2C0
0054F2BD 75 01 JNZ SHORT 4F69F6.0054F2C0
0054F2BF 90 NOP
0054F2C0 03DD ADD EBX,EBP =============******> EBX = the new INT1 handler address (same constant as below)
0054F2C2 9C PUSHFD
0054F2C3 72 0A JB SHORT 4F69F6.0054F2CF
0054F2C5 EB 01 JMP SHORT 4F69F6.0054F2C8
0054F2C7 90 NOP
0054F2C8 E8 05000000 CALL 4F69F6.0054F2D2
0054F2CD EB 77 JMP SHORT 4F69F6.0054F346
0054F2CF 72 F4 JB SHORT 4F69F6.0054F2C5
0054F2D1 90 NOP
0054F2D2 83C4 04 ADD ESP,4
0054F2D5 9D POPFD
0054F2D6 EB 01 JMP SHORT 4F69F6.0054F2D9
0054F2D8 90 NOP
0054F2D9 66:8B46 08 MOV AX,WORD PTR DS:[ESI+8] =============******> low word of the current INT1 gate (0x08 = 8*1)
0054F2DD 9C PUSHFD
0054F2DE 72 0A JB SHORT 4F69F6.0054F2EA
0054F2E0 EB 01 JMP SHORT 4F69F6.0054F2E3
0054F2E2 90 NOP
0054F2E3 E8 05000000 CALL 4F69F6.0054F2ED
0054F2E8 EB 77 JMP SHORT 4F69F6.0054F361
0054F2EA 72 F4 JB SHORT 4F69F6.0054F2E0
0054F2EC 90 NOP
0054F2ED 83C4 04 ADD ESP,4
0054F2F0 9D POPFD
0054F2F1 EB 01 JMP SHORT 4F69F6.0054F2F4
0054F2F3 90 NOP
0054F2F4 66:3BD8 CMP BX,AX =============******> if the gate already holds the new handler's low word, skip saving it
0054F2F7 74 53 JE SHORT 4F69F6.0054F34C
0054F2F9 7A 03 JPE SHORT 4F69F6.0054F2FE
0054F2FB 7B 01 JPO SHORT 4F69F6.0054F2FE
0054F2FD 90 NOP
0054F2FE 66:8B46 08 MOV AX,WORD PTR DS:[ESI+8] =============******> low word of the original INT1 gate
0054F302 7A 03 JPE SHORT 4F69F6.0054F307
0054F304 7B 01 JPO SHORT 4F69F6.0054F307
0054F306 90 NOP
0054F307 66:8B5E 0E MOV BX,WORD PTR DS:[ESI+E] =============******> high word of the original INT1 gate (0x0E = 8*1 + 6)
0054F30B 72 03 JB SHORT 4F69F6.0054F310
0054F30D 73 01 JNB SHORT 4F69F6.0054F310
0054F30F 90 NOP
0054F310 66:8985 C7164600 MOV WORD PTR SS:[EBP+4616C7],AX =============******> save the original INT1 gate (low word)
0054F317 9C PUSHFD
0054F318 72 0A JB SHORT 4F69F6.0054F324
0054F31A EB 01 JMP SHORT 4F69F6.0054F31D
0054F31C 90 NOP
0054F31D E8 05000000 CALL 4F69F6.0054F327
0054F322 EB 77 JMP SHORT 4F69F6.0054F39B
0054F324 72 F4 JB SHORT 4F69F6.0054F31A
0054F326 90 NOP
0054F327 83C4 04 ADD ESP,4
0054F32A 9D POPFD
0054F32B EB 01 JMP SHORT 4F69F6.0054F32E
0054F32D 90 NOP
0054F32E 66:899D C9164600 MOV WORD PTR SS:[EBP+4616C9],BX =============******> save the original INT1 gate (high word)
0054F335 9C PUSHFD
0054F336 72 0A JB SHORT 4F69F6.0054F342
0054F338 EB 01 JMP SHORT 4F69F6.0054F33B
0054F33A 90 NOP
0054F33B E8 05000000 CALL 4F69F6.0054F345
0054F340 EB 77 JMP SHORT 4F69F6.0054F3B9
0054F342 72 F4 JB SHORT 4F69F6.0054F338
0054F344 90 NOP
0054F345 83C4 04 ADD ESP,4
0054F348 9D POPFD
0054F349 EB 01 JMP SHORT 4F69F6.0054F34C
0054F34B 90 NOP
0054F34C 7A 03 JPE SHORT 4F69F6.0054F351
0054F34E 7B 01 JPO SHORT 4F69F6.0054F351
0054F350 90 NOP
0054F351 B8 7C274600 MOV EAX,4F69F6.0046277C
0054F356 9C PUSHFD
0054F357 72 0A JB SHORT 4F69F6.0054F363
0054F359 EB 01 JMP SHORT 4F69F6.0054F35C
0054F35B 90 NOP
0054F35C E8 05000000 CALL 4F69F6.0054F366
0054F361 EB 77 JMP SHORT 4F69F6.0054F3DA
0054F363 72 F4 JB SHORT 4F69F6.0054F359
0054F365 90 NOP
0054F366 83C4 04 ADD ESP,4
0054F369 9D POPFD
0054F36A EB 01 JMP SHORT 4F69F6.0054F36D
0054F36C 90 NOP
0054F36D 03C5 ADD EAX,EBP ============================******> new INT1 handler, 0x0054F4D1
0054F36F 74 03 JE SHORT 4F69F6.0054F374
0054F371 75 01 JNZ SHORT 4F69F6.0054F374
0054F373 90 NOP
0054F374 66:8946 08 MOV WORD PTR DS:[ESI+8],AX =============******> modify the INT1 gate
                                               ======> from now on the INT1 interrupt cannot be used
0054F378 9C PUSHFD
0054F379 72 0A JB SHORT 4F69F6.0054F385
0054F37B EB 01 JMP SHORT 4F69F6.0054F37E
0054F37D 90 NOP
0054F37E E8 05000000 CALL 4F69F6.0054F388
0054F383 EB 77 JMP SHORT 4F69F6.0054F3FC
0054F385 72 F4 JB SHORT 4F69F6.0054F37B
0054F387 90 NOP
0054F388 83C4 04 ADD ESP,4
0054F38B 9D POPFD
0054F38C EB 01 JMP SHORT 4F69F6.0054F38F
0054F38E 90 NOP
0054F38F C1E8 10 SHR EAX,10 ============================******> new INT1 handler (high word)
0054F392 9C PUSHFD
0054F393 6A 10 PUSH 10
0054F395 73 0B JNB SHORT 4F69F6.0054F3A2
0054F397 EB 02 JMP SHORT 4F69F6.0054F39B
0054F399 90 NOP
0054F39A 90 NOP
0054F39B E8 06000000 CALL 4F69F6.0054F3A6
0054F3A0 C411 LES EDX,FWORD PTR DS:[ECX]
0054F3A2 73 F7 JNB SHORT 4F69F6.0054F39B
0054F3A4 5B POP EBX
0054F3A5 90 NOP
0054F3A6 83C4 04 ADD ESP,4
0054F3A9 EB 02 JMP SHORT 4F69F6.0054F3AD
0054F3AB 99 CDQ
0054F3AC 90 NOP
0054F3AD FF0C24 DEC DWORD PTR SS:[ESP]
0054F3B0 71 01 JNO SHORT 4F69F6.0054F3B3
0054F3B2 90 NOP
0054F3B3 79 E0 JNS SHORT 4F69F6.0054F395
0054F3B5 7A 01 JPE SHORT 4F69F6.0054F3B8
0054F3B7 90 NOP
0054F3B8 83C4 04 ADD ESP,4
0054F3BB 9D POPFD
0054F3BC EB 01 JMP SHORT 4F69F6.0054F3BF
0054F3BE 90 NOP
0054F3BF 66:8946 0E MOV WORD PTR DS:[ESI+E],AX =============******> modify the INT1 gate (high word)
With this the modification of the INT1 interrupt gate is complete.
Execution then reaches this point and invokes the INT1 interrupt, 0x0054F4D1:
0054F3FD 90 NOP
0054F3FE CD 01 INT 1 ==============================> here the program takes over the INT1 interrupt itself
Next it clears the breakpoints you set using the debug registers DR0-DR3 and DR7; see the analysis below:
0054F44F 33C0 XOR EAX,EAX ===============================> clear to 0
0054F451 7A 03 JPE SHORT 4F69F6.0054F456
0054F453 7B 01 JPO SHORT 4F69F6.0054F456
0054F455 90 NOP
0054F456 0F23C0 MOV DR0,EAX ===============================> breakpoint register DR0 cleared to 0, defeating debug-register tracing
0054F459 74 03 JE SHORT 4F69F6.0054F45E
0054F45B 75 01 JNZ SHORT 4F69F6.0054F45E
0054F45D 90 NOP
0054F45E 0F23C8 MOV DR1,EAX ===============================> breakpoint register DR1 cleared to 0, defeating debug-register tracing
0054F461 9C PUSHFD
0054F462 72 0A JB SHORT 4F69F6.0054F46E
0054F464 EB 01 JMP SHORT 4F69F6.0054F467
0054F466 90 NOP
0054F467 E8 05000000 CALL 4F69F6.0054F471
0054F46C EB 77 JMP SHORT 4F69F6.0054F4E5
0054F46E 72 F4 JB SHORT 4F69F6.0054F464
0054F470 90 NOP
0054F471 83C4 04 ADD ESP,4
0054F474 9D POPFD
0054F475 EB 01 JMP SHORT 4F69F6.0054F478
0054F477 90 NOP
0054F478 0F23D0 MOV DR2,EAX ===============================> breakpoint register DR2 cleared to 0, defeating debug-register tracing
0054F47B 74 03 JE SHORT 4F69F6.0054F480
0054F47D 75 01 JNZ SHORT 4F69F6.0054F480
0054F47F 90 NOP
0054F480 0F23D8 MOV DR3,EAX ===============================> breakpoint register DR3 cleared to 0, defeating debug-register tracing
0054F483 9C PUSHFD
0054F484 72 0A JB SHORT 4F69F6.0054F490
0054F486 EB 01 JMP SHORT 4F69F6.0054F489
0054F488 90 NOP
0054F489 E8 05000000 CALL 4F69F6.0054F493
0054F48E EB 77 JMP SHORT 4F69F6.0054F507
0054F490 72 F4 JB SHORT 4F69F6.0054F486
0054F492 90 NOP
0054F493 83C4 04 ADD ESP,4
0054F496 9D POPFD
0054F497 EB 01 JMP SHORT 4F69F6.0054F49A
0054F499 90 NOP
0054F49A B8 55010000 MOV EAX,155
0054F49F 7A 03 JPE SHORT 4F69F6.0054F4A4
0054F4A1 7B 01 JPO SHORT 4F69F6.0054F4A4
0054F4A3 90 NOP
0054F4A4 0F23F8 MOV DR7,EAX ===============================> breakpoint control register DR7; this register controls the others and keeps your breakpoints from taking effect
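As an added example (not the post's or DBPE's code), this C decoder of the DR7 bit layout shows what the MOV DR7,155 above means: 0x155 sets L0-L3 and LE with every R/W and LEN field zero, so all four slots become enabled 1-byte execute breakpoints on address 0 and any hardware breakpoint a debugger had placed is gone. The register snapshots are constructed and the function names are my own.

```c
#include <stdint.h>
#include <stdbool.h>

/* Added decoder of the DR7 layout (not DBPE's code). Bits 2i and 2i+1 are
 * the local/global enables of slot i (DR0..DR3), bits 8/9 are LE/GE, bit 13
 * is GD, and bits 16+4i..19+4i hold slot i's R/W condition and LEN fields. */
#define DR7_L(i) (1u << (2 * (i)))
#define DR7_G(i) (1u << (2 * (i) + 1))
#define DR7_LE   (1u << 8)

bool dr7_local_enabled(uint32_t dr7, unsigned i)  { return (dr7 & DR7_L(i)) != 0; }
bool dr7_global_enabled(uint32_t dr7, unsigned i) { return (dr7 & DR7_G(i)) != 0; }
unsigned dr7_rw(uint32_t dr7, unsigned i)  { return (dr7 >> (16 + 4 * i)) & 3; } /* 0 = execute */
unsigned dr7_len(uint32_t dr7, unsigned i) { return (dr7 >> (18 + 4 * i)) & 3; } /* 0 = 1 byte   */

/* Snapshot of DR0..DR3 and DR7 (constructed values, not read from hardware). */
struct debug_regs { uint32_t dr[4]; uint32_t dr7; };

/* Number of slots that are enabled and point at a real (non-zero) address.
 * After the packer's sequence every enabled slot points at 0, so this
 * returns 0: any hardware breakpoint a debugger had placed has been wiped. */
unsigned live_hw_breakpoints(const struct debug_regs *r) {
    unsigned n = 0;
    for (unsigned i = 0; i < 4; i++)
        if ((dr7_local_enabled(r->dr7, i) || dr7_global_enabled(r->dr7, i)) && r->dr[i] != 0)
            n++;
    return n;
}

/* True when all four slots are locally enabled as 1-byte execute breaks and
 * LE is set: exactly the shape of 0x155 (bits 0, 2, 4, 6 and 8 set). */
bool dr7_matches_packer_value(uint32_t dr7) {
    for (unsigned i = 0; i < 4; i++)
        if (!dr7_local_enabled(dr7, i) || dr7_rw(dr7, i) != 0 || dr7_len(dr7, i) != 0)
            return false;
    return (dr7 & DR7_LE) != 0;
}

/* Constructed demo of the state the listing leaves behind: DR0..DR3 = 0 and
 * DR7 = 0x155. Returns 0, i.e. no usable hardware breakpoint remains. */
unsigned demo_breakpoints_left_after_packer(void) {
    struct debug_regs after = { { 0, 0, 0, 0 }, 0x155u };
    return live_hw_breakpoints(&after);
}
```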
Part 3: analysis of the INT1 interrupt gate
The code section is not long; it merely decodes a block of code
======== new INT1 interrupt gate 0x0054F4D1 =============================== completes the decoding of a program segment ======
0054F4D1 74 03 JE SHORT 4F69F6.0054F4D6
0054F4D3 75 01 JNZ SHORT 4F69F6.0054F4D6
0054F4D5 90 NOP
0054F4D6 8A26 MOV AH,BYTE PTR DS:[ESI] ===> fetch the next encoded byte
0054F4D8 7A 03 JPE SHORT 4F69F6.0054F4DD
0054F4DA 7B 01 JPO SHORT 4F69F6.0054F4DD
0054F4DC 90 NOP
0054F4DD 32E0 XOR AH,AL ===> XOR with the key byte in AL
0054F4DF 9C PUSHFD
0054F4E0 72 0A JB SHORT 4F69F6.0054F4EC
0054F4E2 EB 01 JMP SHORT 4F69F6.0054F4E5
0054F4E4 90 NOP
0054F4E5 E8 05000000 CALL 4F69F6.0054F4EF
0054F4EA EB 77 JMP SHORT 4F69F6.0054F563
0054F4EC 72 F4 JB SHORT 4F69F6.0054F4E2
0054F4EE 90 NOP
0054F4EF 83C4 04 ADD ESP,4
0054F4F2 9D POPFD
0054F4F3 EB 01 JMP SHORT 4F69F6.0054F4F6
0054F4F5 90 NOP
0054F4F6 F6D4 NOT AH ===> then invert
0054F4F8 9C PUSHFD
0054F4F9 72 0A JB SHORT 4F69F6.0054F505
0054F4FB EB 01 JMP SHORT 4F69F6.0054F4FE
0054F4FD 90 NOP
0054F4FE E8 05000000 CALL 4F69F6.0054F508
0054F503 EB 77 JMP SHORT 4F69F6.0054F57C
0054F505 72 F4 JB SHORT 4F69F6.0054F4FB
0054F507 90 NOP
0054F508 83C4 04 ADD ESP,4
0054F50B 9D POPFD
0054F50C EB 01 JMP SHORT 4F69F6.0054F50F
0054F50E 90 NOP
0054F50F 8826 MOV BYTE PTR DS:[ESI],AH ===> write the decoded byte back
0054F511 7A 03 JPE SHORT 4F69F6.0054F516
0054F513 7B 01 JPO SHORT 4F69F6.0054F516
0054F515 90 NOP
0054F516 46 INC ESI
0054F517 9C PUSHFD
0054F518 72 0A JB SHORT 4F69F6.0054F524
0054F51A EB 01 JMP SHORT 4F69F6.0054F51D
0054F51C 90 NOP
0054F51D E8 05000000 CALL 4F69F6.0054F527
0054F522 EB 77 JMP SHORT 4F69F6.0054F59B
0054F524 72 F4 JB SHORT 4F69F6.0054F51A
0054F526 90 NOP
0054F527 83C4 04 ADD ESP,4
0054F52A 9D POPFD
0054F52B EB 01 JMP SHORT 4F69F6.0054F52E
0054F52D 90 NOP
0054F52E 49 DEC ECX ===> one byte per INT1; ECX counts the bytes left
0054F52F 7A 03 JPE SHORT 4F69F6.0054F534
0054F531 7B 01 JPO SHORT 4F69F6.0054F534
0054F533 90 NOP
0054F534 CF IRETD ===========================> interrupt return
Part 4: other things
004F2090 56 PUSH ESI
004F2091 FF95 1A284600 CALL DWORD PTR SS:[EBP+46281A] // GetVersionEx
004F2097 7A 03 JPE SHORT N4F671D.004F209C
004F2099 7B 01 JPO SHORT N4F671D.004F209C
004F209B 90 NOP ==========> modified
004F209C 837E 10 02 CMP DWORD PTR DS:[ESI+10],2 // dwPlatformId
                                                 // 0 = WIN32s
                                                 // 1 = WIN32_WINDOWS
                                                 // 2 = WIN32_NT
On a Win NT system the flag is set to 1:
004F20A7 C685 5F174600 01 MOV BYTE PTR SS:[EBP+46175F],1 =========== local_46175f
On a Win 9x system the flag is set to 0:
004F20E2 C685 5F174600 00 MOV BYTE PTR SS:[EBP+46175F],0 =========== local_46175f