OllyDbg + ASProtect 2.0x fast ?? (example)
After 3 hrs of tracing .... RVA=1EAA8, or binary search for "3131320D0A" (without the ""):

0041EAA8 sub_41EAA8 proc near            ; CODE XREF: sub_41F108+AFp
0041EAA8                                 ; sub_41F108+10Fp
0041EAA8                 push    ebx
0041EAA9                 push    esi
0041EAAA                 mov     esi, ecx
0041EAAC                 xor     ebx, ebx
0041EAAE                 jmp     short loc_41EAB1
0041EAAE ; ----------------------------------------------------------------
0041EAB0                 db 0E9h
0041EAB1 ; ----------------------------------------------------------------
0041EAB1
0041EAB1 loc_41EAB1:                     ; CODE XREF: sub_41EAA8+6j
0041EAB1                 xor     eax, eax
0041EAB3                 mov     al, dl
0041EAB5                 cmp     eax, 0Fh                ; switch 16 cases
0041EAB8                 ja      loc_41ED03              ; default
0041EABE                 jmp     off_41EAC5[eax*4]       ; switch jump
0041EABE ; ----------------------------------------------------------------
0041EAC5 off_41EAC5      dd offset loc_41EB08            ; DATA XREF: sub_41EAA8+16r
0041EAC5                 dd offset loc_41EB1E            ; jump table for switch statement
0041EAC5                 dd offset loc_41EB37
0041EAC5                 dd offset loc_41EB4A
0041EAC5                 dd offset loc_41EB60
0041EAC5                 dd offset loc_41EB76
0041EAC5                 dd offset loc_41EB8F
0041EAC5                 dd offset loc_41EBA5
0041EAC5                 dd offset loc_41EBBE
0041EAC5                 dd offset loc_41EBD4
0041EAC5                 dd offset loc_41EBED
0041EAC5                 dd offset loc_41EC1B
0041EAC5                 dd offset loc_41EC49
0041EAC5                 dd offset loc_41EC70
0041EAC5                 dd offset loc_41EC94
0041EAC5                 dd offset loc_41ECCD
0041EB05 ; ----------------------------------------------------------------
0041EB05                 jmp     short loc_41EB08        ; case 0x0
0041EB05 ; ----------------------------------------------------------------
0041EB07                 db 9Ah
0041EB08 ; ----------------------------------------------------------------
0041EB08
0041EB08 loc_41EB08:                     ; CODE XREF: sub_41EAA8+16j
0041EB08                                 ; sub_41EAA8+5Dj
0041EB08                                 ; DATA XREF: ...
0041EB08                 mov     edx, 0Bh                ; case 0x0
0041EB0D                 mov     eax, esi
0041EB0F                 call    sub_41E2F0
0041EB14                 mov     ebx, eax
0041EB16                 jmp     loc_41ED0D
0041EB1B ; ----------------------------------------------------------------
0041EB1B                 jmp     short loc_41EB1E        ; case 0x1
0041EB1B ; ----------------------------------------------------------------
0041EB1D                 db 69h
0041EB1E ; ----------------------------------------------------------------
0041EB1E
0041EB1E loc_41EB1E:                     ; CODE XREF: sub_41EAA8+16j
0041EB1E                                 ; sub_41EAA8+73j
0041EB1E                                 ; DATA XREF: ...
0041EB1E                 mov     edx, 0Bh                ; case 0x1
0041EB23                 mov     eax, esi
0041EB25                 call    sub_41E2F0
0041EB2A                 mov     ebx, eax
0041EB2C                 xor     bl, 1
0041EB2F                 jmp     loc_41ED0D
0041EB34 ; ----------------------------------------------------------------
0041EB34                 jmp     short loc_41EB37        ; case 0x2
0041EB34 ; ----------------------------------------------------------------
0041EB36                 db 0C7h
0041EB37 ; ----------------------------------------------------------------
0041EB37
0041EB37 loc_41EB37:                     ; CODE XREF: sub_41EAA8+16j
0041EB37                                 ; sub_41EAA8+8Cj
0041EB37                                 ; DATA XREF: ...
0041EB37                 xor     edx, edx                ; case 0x2
0041EB39                 mov     eax, esi
0041EB3B                 call    sub_41E2F0
0041EB40                 mov     ebx, eax
0041EB42                 jmp     loc_41ED0D
0041EB47 ; ----------------------------------------------------------------
0041EB47                 jmp     short loc_41EB4A        ; case 0x3
0041EB47 ; ----------------------------------------------------------------
0041EB49                 db 0E8h
0041EB4A ; ----------------------------------------------------------------
0041EB4A
0041EB4A loc_41EB4A:                     ; CODE XREF: sub_41EAA8+16j
0041EB4A                                 ; sub_41EAA8+9Fj
0041EB4A                                 ; DATA XREF: ...
0041EB4A                 xor     edx, edx                ; case 0x3
0041EB4C                 mov     eax, esi
0041EB4E                 call    sub_41E2F0
0041EB53                 mov     ebx, eax
0041EB55                 xor     bl, 1
0041EB58                 jmp     loc_41ED0D
0041EB5D ; ----------------------------------------------------------------
0041EB5D                 jmp     short loc_41EB60        ; case 0x4
0041EB5D ; ----------------------------------------------------------------
0041EB5F                 db 0E9h
0041EB60 ; ----------------------------------------------------------------
0041EB60
0041EB60 loc_41EB60:                     ; CODE XREF: sub_41EAA8+16j
0041EB60                                 ; sub_41EAA8+B5j
0041EB60                                 ; DATA XREF: ...
0041EB60                 mov     edx, 6                  ; case 0x4
0041EB65                 mov     eax, esi
0041EB67                 call    sub_41E2F0
0041EB6C                 mov     ebx, eax
0041EB6E                 jmp     loc_41ED0D
0041EB73 ; ----------------------------------------------------------------
0041EB73                 jmp     short loc_41EB76        ; case 0x5
0041EB73 ; ----------------------------------------------------------------
0041EB75                 db 9Ah
0041EB76 ; ----------------------------------------------------------------
0041EB76
0041EB76 loc_41EB76:                     ; CODE XREF: sub_41EAA8+16j
0041EB76                                 ; sub_41EAA8+CBj
0041EB76                                 ; DATA XREF: ...
0041EB76                 mov     edx, 6                  ; case 0x5
0041EB7B                 mov     eax, esi
0041EB7D                 call    sub_41E2F0
0041EB82                 mov     ebx, eax
0041EB84                 xor     bl, 1
0041EB87                 jmp     loc_41ED0D
0041EB8C ; ----------------------------------------------------------------
0041EB8C                 jmp     short loc_41EB8F        ; case 0x6
0041EB8C ; ----------------------------------------------------------------
0041EB8E                 db 9Ah
0041EB8F ; ----------------------------------------------------------------
0041EB8F
0041EB8F loc_41EB8F:                     ; CODE XREF: sub_41EAA8+16j
0041EB8F                                 ; sub_41EAA8+E4j
0041EB8F                                 ; DATA XREF: ...
0041EB8F                 mov     edx, 2                  ; case 0x6
0041EB94                 mov     eax, esi
0041EB96                 call    sub_41E2F0
0041EB9B                 mov     ebx, eax
0041EB9D                 jmp     loc_41ED0D
0041EBA2 ; ----------------------------------------------------------------
0041EBA2                 jmp     short loc_41EBA5        ; case 0x7
0041EBA2 ; ----------------------------------------------------------------
0041EBA4                 db 9Ah
0041EBA5 ; ----------------------------------------------------------------
0041EBA5
0041EBA5 loc_41EBA5:                     ; CODE XREF: sub_41EAA8+16j
0041EBA5                                 ; sub_41EAA8+FAj
0041EBA5                                 ; DATA XREF: ...
0041EBA5                 mov     edx, 2                  ; case 0x7
0041EBAA                 mov     eax, esi
0041EBAC                 call    sub_41E2F0
0041EBB1                 mov     ebx, eax
0041EBB3                 xor     bl, 1
0041EBB6                 jmp     loc_41ED0D
0041EBBB ; ----------------------------------------------------------------
0041EBBB                 jmp     short loc_41EBBE        ; case 0x8
0041EBBB ; ----------------------------------------------------------------
0041EBBD                 db 69h
0041EBBE ; ----------------------------------------------------------------
0041EBBE
0041EBBE loc_41EBBE:                     ; CODE XREF: sub_41EAA8+16j
0041EBBE                                 ; sub_41EAA8+113j
0041EBBE                                 ; DATA XREF: ...
0041EBBE                 mov     edx, 7                  ; case 0x8
0041EBC3                 mov     eax, esi
0041EBC5                 call    sub_41E2F0
0041EBCA                 mov     ebx, eax
0041EBCC                 jmp     loc_41ED0D
0041EBD1 ; ----------------------------------------------------------------
0041EBD1                 jmp     short loc_41EBD4        ; case 0x9
0041EBD1 ; ----------------------------------------------------------------
0041EBD3                 db 0C7h
0041EBD4 ; ----------------------------------------------------------------
0041EBD4
0041EBD4 loc_41EBD4:                     ; CODE XREF: sub_41EAA8+16j
0041EBD4                                 ; sub_41EAA8+129j
0041EBD4                                 ; DATA XREF: ...
0041EBD4                 mov     edx, 7                  ; case 0x9
0041EBD9                 mov     eax, esi
0041EBDB                 call    sub_41E2F0
0041EBE0                 mov     ebx, eax
0041EBE2                 xor     bl, 1
0041EBE5                 jmp     loc_41ED0D
0041EBEA ; ----------------------------------------------------------------
0041EBEA                 jmp     short loc_41EBED        ; case 0xA
0041EBEA ; ----------------------------------------------------------------
0041EBEC                 db 0E8h
0041EBED ; ----------------------------------------------------------------
0041EBED
0041EBED loc_41EBED:                     ; CODE XREF: sub_41EAA8+16j
0041EBED                                 ; sub_41EAA8+142j
0041EBED                                 ; DATA XREF: ...
0041EBED                 xor     edx, edx                ; case 0xA
0041EBEF                 mov     eax, esi
0041EBF1                 call    sub_41E2F0
0041EBF6                 test    al, al
0041EBF8                 jnz     short loc_41EC11
0041EBFA                 mov     edx, 6
0041EBFF                 mov     eax, esi
0041EC01                 call    sub_41E2F0
0041EC06                 test    al, al
0041EC08                 jnz     short loc_41EC11
0041EC0A                 xor     ebx, ebx
0041EC0C                 jmp     loc_41ED0D
0041EC11 ; ----------------------------------------------------------------
0041EC11
0041EC11 loc_41EC11:                     ; CODE XREF: sub_41EAA8+150j
0041EC11                                 ; sub_41EAA8+160j
0041EC11                 mov     bl, 1
0041EC13                 jmp     loc_41ED0D
0041EC18 ; ----------------------------------------------------------------
0041EC18                 jmp     short loc_41EC1B        ; case 0xB
0041EC18 ; ----------------------------------------------------------------
0041EC1A                 db 0E9h
0041EC1B ; ----------------------------------------------------------------
0041EC1B
0041EC1B loc_41EC1B:                     ; CODE XREF: sub_41EAA8+16j
0041EC1B                                 ; sub_41EAA8+170j
0041EC1B                                 ; DATA XREF: ...
0041EC1B                 xor     edx, edx                ; case 0xB
0041EC1D                 mov     eax, esi
0041EC1F                 call    sub_41E2F0
0041EC24                 test    al, al
0041EC26                 jnz     short loc_41EC38
0041EC28                 mov     edx, 6
0041EC2D                 mov     eax, esi
0041EC2F                 call    sub_41E2F0
0041EC34                 test    al, al
0041EC36                 jz      short loc_41EC3F
0041EC38
0041EC38 loc_41EC38:                     ; CODE XREF: sub_41EAA8+17Ej
0041EC38                 xor     ebx, ebx
0041EC3A                 jmp     loc_41ED0D
0041EC3F ; ----------------------------------------------------------------
0041EC3F
0041EC3F loc_41EC3F:                     ; CODE XREF: sub_41EAA8+18Ej
0041EC3F                 mov     bl, 1
0041EC41                 jmp     loc_41ED0D
0041EC46 ; ----------------------------------------------------------------
0041EC46                 jmp     short loc_41EC49        ; case 0xC
0041EC46 ; ----------------------------------------------------------------
0041EC48                 db 9Ah
0041EC49 ; ----------------------------------------------------------------
0041EC49
0041EC49 loc_41EC49:                     ; CODE XREF: sub_41EAA8+16j
0041EC49                                 ; sub_41EAA8+19Ej
0041EC49                                 ; DATA XREF: ...
0041EC49                 mov     edx, 7                  ; case 0xC
0041EC4E                 mov     eax, esi
0041EC50                 call    sub_41E2F0
0041EC55                 mov     ebx, eax
0041EC57                 mov     edx, 0Bh
0041EC5C                 mov     eax, esi
0041EC5E                 call    sub_41E2F0
0041EC63                 cmp     bl, al
0041EC65                 setnz   bl
0041EC68                 jmp     loc_41ED0D
0041EC6D ; ----------------------------------------------------------------
0041EC6D                 jmp     short loc_41EC70        ; case 0xD
0041EC6D ; ----------------------------------------------------------------
0041EC6F                 db 9Ah
0041EC70 ; ----------------------------------------------------------------
0041EC70
0041EC70 loc_41EC70:                     ; CODE XREF: sub_41EAA8+16j
0041EC70                                 ; sub_41EAA8+1C5j
0041EC70                                 ; DATA XREF: ...
0041EC70                 mov     edx, 7                  ; case 0xD
0041EC75                 mov     eax, esi
0041EC77                 call    sub_41E2F0
0041EC7C                 mov     ebx, eax
0041EC7E                 mov     edx, 0Bh
0041EC83                 mov     eax, esi
0041EC85                 call    sub_41E2F0
0041EC8A                 cmp     bl, al
0041EC8C                 setz    bl
0041EC8F                 jmp     short loc_41ED0D
0041EC91 ; ----------------------------------------------------------------
0041EC91                 jmp     short loc_41EC94        ; case 0xE
0041EC91 ; ----------------------------------------------------------------
0041EC93                 db 9Ah
0041EC94 ; ----------------------------------------------------------------
0041EC94
0041EC94 loc_41EC94:                     ; CODE XREF: sub_41EAA8+16j
0041EC94                                 ; sub_41EAA8+1E9j
0041EC94                                 ; DATA XREF: ...
0041EC94                 mov     edx, 6                  ; case 0xE
0041EC99                 mov     eax, esi
0041EC9B                 call    sub_41E2F0
0041ECA0                 test    al, al
0041ECA2                 jnz     short loc_41ECC6
0041ECA4                 mov     edx, 7
0041ECA9                 mov     eax, esi
0041ECAB                 call    sub_41E2F0
0041ECB0                 mov     ebx, eax
0041ECB2                 mov     edx, 0Bh
0041ECB7                 mov     eax, esi
0041ECB9                 call    sub_41E2F0
0041ECBE                 cmp     bl, al
0041ECC0                 jnz     short loc_41ECC6
0041ECC2                 xor     ebx, ebx
0041ECC4                 jmp     short loc_41ED0D
0041ECC6 ; ----------------------------------------------------------------
0041ECC6
0041ECC6 loc_41ECC6:                     ; CODE XREF: sub_41EAA8+1FAj
0041ECC6                                 ; sub_41EAA8+218j
0041ECC6                 mov     bl, 1
0041ECC8                 jmp     short loc_41ED0D
0041ECCA ; ----------------------------------------------------------------
0041ECCA                 jmp     short loc_41ECCD        ; case 0xF
0041ECCA ; ----------------------------------------------------------------
0041ECCC                 db 9Ah
0041ECCD ; ----------------------------------------------------------------
0041ECCD
0041ECCD loc_41ECCD:                     ; CODE XREF: sub_41EAA8+16j
0041ECCD                                 ; sub_41EAA8+222j
0041ECCD                                 ; DATA XREF: ...
0041ECCD                 mov     edx, 6                  ; case 0xF
0041ECD2                 mov     eax, esi
0041ECD4                 call    sub_41E2F0
0041ECD9                 test    al, al
0041ECDB                 jnz     short loc_41ECFB
0041ECDD                 mov     edx, 7
0041ECE2                 mov     eax, esi
0041ECE4                 call    sub_41E2F0
0041ECE9                 mov     ebx, eax
0041ECEB                 mov     edx, 0Bh
0041ECF0                 mov     eax, esi
0041ECF2                 call    sub_41E2F0
0041ECF7                 cmp     bl, al
0041ECF9                 jz      short loc_41ECFF
0041ECFB
0041ECFB loc_41ECFB:                     ; CODE XREF: sub_41EAA8+233j
0041ECFB                 xor     ebx, ebx
0041ECFD                 jmp     short loc_41ED0D
0041ECFF ; ----------------------------------------------------------------
0041ECFF
0041ECFF loc_41ECFF:                     ; CODE XREF: sub_41EAA8+251j
0041ECFF                 mov     bl, 1
0041ED01                 jmp     short loc_41ED0D
0041ED03 ; ----------------------------------------------------------------
0041ED03
0041ED03 loc_41ED03:                     ; CODE XREF: sub_41EAA8+10j
0041ED03                 push    offset _str_112__.Text  ; default
0041ED08                 call    sub_4150A8
0041ED0D
0041ED0D loc_41ED0D:                     ; CODE XREF: sub_41EAA8+6Ej
0041ED0D                                 ; sub_41EAA8+87j ...
0041ED0D                 mov     eax, ebx
0041ED0F                 pop     esi
0041ED10                 pop     ebx
0041ED11                 retn
0041ED11 sub_41EAA8 endp                 ; sp = -4
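The listing above is a 16-way switch in which every case calls sub_41E2F0 with a small selector in edx (0, 2, 6, 7 or 0Bh) and then negates (xor bl, 1), ORs, or compares the results; each case is also preceded by a `jmp short` over one junk byte (db 0E9h, 9Ah, ...) that pads the dispatcher. The byte pattern searched for, 31 31 32 0D 0A, is the ASCII text "112\r\n", which matches the `_str_112__` string pushed on the default path. The C below is an added reconstruction of that control flow written for this page, not code from the original post or from the protected program; the names `flag_fn`, `eval_check`, `stub_flags` and `g_flags` are assumptions, and sub_41E2F0 is modelled as returning a 0/1 byte because the listing only ever tests its result with `test al,al` or `cmp bl,al`.

```c
/* Added reconstruction of sub_41EAA8 (RVA 1EAA8) from the IDA listing.
 * Not the original program's source: names and the 0/1 return model
 * of sub_41E2F0 are assumptions made for this illustration. */
#include <stdint.h>
#include <stdio.h>

/* Model of sub_41E2F0: eax = object (esi), edx = flag selector, al = 0/1. */
typedef uint8_t (*flag_fn)(void *obj, uint32_t which);

/* Number of times the default branch (push offset _str_112__.Text;
 * call sub_4150A8) was reached. */
int g_bad_opcode_hits = 0;

/* sub_41EAA8: ecx = object, dl = opcode, result returned in al (via ebx). */
uint8_t eval_check(void *obj, uint8_t op, flag_fn f)
{
    uint8_t a, b;
    switch (op) {
    case 0x0: return f(obj, 0x0B);          /* mov edx,0Bh ; mov ebx,eax      */
    case 0x1: return f(obj, 0x0B) ^ 1;      /* same, then xor bl,1            */
    case 0x2: return f(obj, 0x00);          /* xor edx,edx                    */
    case 0x3: return f(obj, 0x00) ^ 1;
    case 0x4: return f(obj, 0x06);
    case 0x5: return f(obj, 0x06) ^ 1;
    case 0x6: return f(obj, 0x02);
    case 0x7: return f(obj, 0x02) ^ 1;
    case 0x8: return f(obj, 0x07);
    case 0x9: return f(obj, 0x07) ^ 1;
    case 0xA:                               /* f(0) || f(6)                   */
        if (f(obj, 0x00)) return 1;
        return f(obj, 0x06) ? 1 : 0;
    case 0xB:                               /* !f(0) && !f(6)                 */
        if (f(obj, 0x00)) return 0;
        return f(obj, 0x06) ? 0 : 1;
    case 0xC:                               /* cmp bl,al ; setnz bl           */
        a = f(obj, 0x07); b = f(obj, 0x0B);
        return a != b;
    case 0xD:                               /* cmp bl,al ; setz bl            */
        a = f(obj, 0x07); b = f(obj, 0x0B);
        return a == b;
    case 0xE:                               /* f(6) || f(7) != f(0Bh)         */
        if (f(obj, 0x06)) return 1;
        a = f(obj, 0x07); b = f(obj, 0x0B);
        return a != b;
    case 0xF:                               /* !f(6) && f(7) == f(0Bh)        */
        if (f(obj, 0x06)) return 0;
        a = f(obj, 0x07); b = f(obj, 0x0B);
        return a == b;
    default:                                /* ja loc_41ED03                  */
        g_bad_opcode_hits++;                /* sub_4150A8(_str_112__.Text)    */
        return 0;                           /* ebx still 0 from xor ebx,ebx   */
    }
}

/* Constructed stand-in for sub_41E2F0: a flag table indexed by selector.
 * The real function reads state from the object; this one is test data. */
uint8_t g_flags[16];
uint8_t stub_flags(void *obj, uint32_t which) { (void)obj; return g_flags[which & 15]; }

/* Helper: evaluate one opcode against a given set of flag values. */
uint8_t eval_with(uint8_t op, uint8_t f0, uint8_t f2, uint8_t f6, uint8_t f7, uint8_t fb)
{
    g_flags[0x0] = f0; g_flags[0x2] = f2; g_flags[0x6] = f6;
    g_flags[0x7] = f7; g_flags[0xB] = fb;
    return eval_check(NULL, op, stub_flags);
}

int main(void)
{
    /* Walk every opcode with only flag 6 set; 0x10 exercises the default path. */
    for (uint8_t op = 0; op <= 0x10; op++)
        printf("op %X -> %u\n", op, eval_with(op, 0, 0, 1, 0, 0));
    return 0;
}
```

Cases 0xA/0xB and 0xE/0xF are each other's negation, as are the even/odd pairs 0..9, which is why a patch that flips one `xor bl,1` or one `setz`/`setnz` changes the verdict of exactly one opcode; the junk bytes after each `jmp short` only matter to a linear disassembler, not to the control flow.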
OllyDbg + ASProtect 2.0x fast ?? (example)
Originally posted by stephenteh: Do you have the name of your target? Maybe I will have a look.
[Help] Error during ASProtect 1.2x - 1.3x unpacking...
Try setting the breakpoint with he only when execution is about to reach that code; if you set it at the start of debugging it won't trigger.
[Help] Error during ASProtect 1.2x - 1.3x unpacking...
What kind of breakpoint did you set? A hardware breakpoint? And when did you set it: at the very beginning, or just before reaching that code?
|
The OEP of the dual-process shells added in some newer ARM 4.0 versions is hard to find.
Some Arm4.0 builds are not using sub edi, ecx / call edi but call register (register = eax, ebx, ...). Why not try using the DuplicateHandle API?
OllyMachine Q&A and tips collection
Find an Asprotect-packed program and try this script:

HideOD
eoe lab1
run
lab1:
invoke msg "press resume!"
pause
invoke search, eip, "ABBAABBA"
mov reg02, reg00
invoke LogLong, reg02
halt

The result with find is the same.
|
ASProtect V2.0 unpacking――Registry Clean Expert V3.52 UnPacked + removing the self-check
The latest DVDIdle 5.56 uses the same Asprotect version as Alfaclock 1.71 and Audio Tag Editor 1.6.0.1 ----- a new version!!!! :(
ASProtect V1.3X unpacking――Magic NetTrace V2.5.4
Originally posted by fly: It's best to dump at that jump. Also, is the place where the exception occurs still in that EnterCriticalSection code?
Magic NetTrace V2.1.3 was packed with Asprotect 1.3 beta, I think, and it also used the FindResourceA trick; that version I unpacked a long time ago. For V2.5.4 I do have the unpacked program (file size only 1.xMB); V2.1.3 has already been wiped.
ASProtect V1.3X unpacking――Magic NetTrace V2.5.4
00B3099E 8B07      MOV EAX,DWORD PTR DS:[EDI]
00B309A0 85C0      TEST EAX,EAX
00B309A2 74 20     JE SHORT 00B309C4
If the jump above is not taken, first dump the file and repair the IAT, then look at the other pre-dips and fill in the data they need. BTW, still working hard in the middle of the night instead of sleeping?
ASProtect V1.3X unpacking――Magic NetTrace V2.5.4
Looking at my notes, the exception you hit is still caused by the pre-dip.
00B3099E 8B07          MOV EAX,DWORD PTR DS:[EDI]
00B309A0 85C0          TEST EAX,EAX
00B309A2 74 20         JE SHORT 00B309C4
00B309A4 E8 B7FCFFFF   CALL 00B30660
00B309A9 8B1F          MOV EBX,DWORD PTR DS:[EDI]
00B309AB FFD3          CALL EBX            <- pre-dip
00B309AD 8D55 CC       LEA EDX,DWORD PTR SS:[EBP-34]
00B309B0 E8 4760FEFF   CALL 00B169FC
I call this pre-dip the criticalsection pre-dip: once entered it calls InitializeCriticalSection, VirtualAlloc (or was it GlobalAlloc? I forget), and then marks things along the way. The unpacked program is missing this criticalsection, so it raises an exception.
ASProtect V1.3X unpacking――Magic NetTrace V2.5.4
This thing doesn't have much stolen code; just repairing the jump table and the standard functions is enough.
ASProtect V1.3X unpacking――Magic NetTrace V2.5.4
1.
00B85B68 84C0      test al,al
00B85B6A 75 20     jnz short 00B85B8C
When al=0 it is import by ordinal.
2. Here:
00B99A5F 3E:8B5424 C0    mov edx,dword ptr ds:[esp-40]   // using brother VolX's method, heh
00B99A64 3E:035424 C4    add edx,dword ptr ds:[esp-3C]   // [esp-40] and [esp-3C] must be determined from the code on your own machine ★
00B99A69 81C2 00004000   add edx,400000
You might as well change it to:
mov edx, dword ptr [esp-0C]
add edx, ebp
add edx, 400000
明月几时有――ASProtect V1.31 build 06.14 main program unpacking
Originally posted by fly: I haven't looked at it; no idea how nasty (BT) this thing is?
The ASProtect V1.31 build 06.14 main program packed with Arm3.75 (2)
Excellent job!
明月几时有――ASProtect V1.31 build 06.14 main program unpacking
I haven't yet seen a program packed with Asprotect 1.31 that uses the FindResourceA trick; I guess the author figured the stolen code alone would keep you busy repairing for a good while?
明月几时有――ASProtect V1.31 build 06.14 main program unpacking
To 鸡蛋壳: not everyone needs to read a tutorial before they can unpack. To Fly: Excellent!
A question about the Armadillo shell?
Because the armadillo version you ran into is fairly new.
Memory breakpoints won't trigger on Aspr1.31
What is the target? Where did you set the breakpoint?