借鉴于https://www.cnblogs.com/harmonica11/p/13417084.html
这个混淆不清楚叫什么 但是xn 和yn都没有变 所以某些分支永远成立,某些分支永远成立
写脚本去混淆
addr= while(addr<): next_addr = NextHead(addr) if "eax, ds:" in GetDisasm(addr): PatchByte(addr,0xb8) PatchByte(addr+1,0x00) PatchByte(addr+2,0x00) PatchByte(addr+3,0x00) PatchByte(addr+4,0x00) PatchByte(addr+5,0x90) PatchByte(addr+6,0x90) if "ecx, ds:" in GetDisasm(addr): PatchByte(addr,0xb9) PatchByte(addr+1,0x00) PatchByte(addr+2,0x00) PatchByte(addr+3,0x00) PatchByte(addr+4,0x00) PatchByte(addr+5,0x90) PatchByte(addr+6,0x90) if "edx, ds:" in GetDisasm(addr): PatchByte(addr,0xba) PatchByte(addr+1,0x00) PatchByte(addr+2,0x00) PatchByte(addr+3,0x00) PatchByte(addr+4,0x00) PatchByte(addr+5,0x90) PatchByte(addr+6,0x90) if "esi, ds:" in GetDisasm(addr): PatchByte(addr,0xbe) PatchByte(addr+1,0x00) PatchByte(addr+2,0x00) PatchByte(addr+3,0x00) PatchByte(addr+4,0x00) PatchByte(addr+5,0x90) PatchByte(addr+6,0x90) if "edi, ds:" in GetDisasm(addr): PatchByte(addr,0xbf) PatchByte(addr+1,0x00) PatchByte(addr+2,0x00) PatchByte(addr+3,0x00) PatchByte(addr+4,0x00) PatchByte(addr+5,0x90) PatchByte(addr+6,0x90) addr = next_addr
然后他的逻辑就很清晰了 是一个flag的前缀和