|
[Original] SoftSnoop2009
I tried running a VB program. It used to show the specific functions, but now they all show up like this:
Object地址:0x42DD04 (地址来于: ObjectTable +0x30)
[+0x18]第[01]对象名称:MDIMain
[+0x00]dwObjectInfo地址:0x426300
[+0x30]事件列表地址:0x428634
[+0x28]事件数量:271 |
|
[Original] SoftSnoop2009
The functions defined in the two files ignoreapi.txt and LoadIgnoreApi.txt indeed have no effect |
|
[Original] SoftSnoop2009
The program breaks; break address: 0x7C92120E, code: 0x80000003 |
|
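[Original] SoftSnoop2009
A question: during debugging, “RaiseException返回值: 0x00000010” appears and the program stops and does not move. How can I make the program ignore this and continue running? |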
|
[Original] SoftSnoop2009
Just ran it under SP3; it works well, thank you very much |
|
[Original] SoftSnoop 1.3.2 + Source (added a Chinese version and documentation)
Just ran it under SP3; it works well, thank you very much |
|
[Repost] Fingerprint_Information by LCF-AT
Here is the script from the file |
|
[Help] Does anyone have 《破解计算工具V1.00》?
It is available on www.unpack.cn |
|
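[Help] Looking for vb.idc
Bumping this for you. I need this too; I saw it on debugman but could not download it, because registration requires an invitation |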
|
[Download] VBLoclize 1.1
Personally I feel it is not as capable as GetVbRes |
|
[Help] How do I unpack UPolyX v0.5?
Reposting a worked example with notepad.exe

*UPolyX v0.5*
written by Delikon/www.delikon.de

ENTRYPOINT: 15360
FILEENTRYPOINT: 4760
[+] Checking for UPX
[+] Yes this is packed with UPX!
[+] Replace the section name UPX with irnY
[+] the second UPX section starts at 0x400
[+] the second UPX section is 0x4600 big
[+] Found a 0x128 big space for the decryptor
[+] using the xor/xor 4 byte decryptor
[+] Using for Register1 EBX
[+] Using for Register2 EAX
[+] use 0x1b0f74 as manipulationBytes
[+] encrypt 160 bytes from address 0x1015360 till address 0x1015400
[+] Generated 0x38 byte decryptor
[+] Generated 0xe1 bytes of trash
PRESS A KEY
D:\Documents and Settings\Administrator\Desktop>
--------------------------------------------------------------------------------
now load the notepad.exe with olly .
olly should warn u about the compressed code. just say YES
the code should now look like this :
--------------------------------------------------------------------------------
010154B8 > $ 8AD0 MOV DL,AL
010154BA . C7C1 F4E70E99 MOV ECX,990EE7F4
010154C0 . 0FADD8 SHRD EAX,EBX,CL
010154C3 . 64:0FBAE5 23 BT EBP,23 ; Superfluous prefix
010154C8 . 0FBDD5 BSR EDX,EBP
010154CB . 8D0D 7C4FD641 LEA ECX,DWORD PTR DS:[41D64F7C]
010154D1 . 0FACD8 9F SHRD EAX,EBX,9F ; Shift constant out of range 1..31
010154D5 . 84C3 TEST BL,AL
010154D7 . D2DC RCR AH,CL
010154D9 . 0FC1DA XADD EDX,EBX
010154DC . C1E1 04 SHL ECX,4
010154DF . 0FC1F1 XADD ECX,ESI
010154E2 . 8AE2 MOV AH,DL
010154E4 . D1F3 SAL EBX,1
010154E6 . F7D1 NOT ECX
010154E8 . BE BD8C1F66 MOV ESI,661F8CBD
010154ED . 89F9 MOV ECX,EDI ; ntdll.7C910738
010154EF . C7C6 5DACBF86 MOV ESI,86BFAC5D
010154F5 . F2: PREFIX REPNE: ; Superfluous prefix
010154F6 . 0FA4F7 FD SHLD EDI,ESI,0FD ; Shift constant out of range 1..31
010154FA . 15 CD5CAFB6 ADC EAX,B6AF5CCD
010154FF . 0FBAE9 EC BTS ECX,0EC
01015503 . 0FA4F7 6D SHLD EDI,ESI,6D ; Shift constant out of range 1..31
01015507 . 3E:F6DC NEG AH ; Superfluous prefix
0101550A . 31CB XOR EBX,ECX
0101550C . C7C1 74678E19 MOV ECX,198E6774
01015512 . C0F8 B7 SAR AL,0B7 ; Shift constant out of range 1..31
01015515 . 0FC0F1 XADD CL,DH
01015518 . D2DC RCR AH,CL
0101551A . 0FAFDA IMUL EBX,EDX ; ntdll.KiFastSystemCallRet
0101551D . 0FC1C8 XADD EAX,ECX
01015520 . 89EE MOV ESI,EBP
01015522 . 8AE2 MOV AH,DL
01015524 . 3E:0FAFC8 IMUL ECX,EAX ; Superfluous prefix
01015528 . 0FCF BSWAP EDI ; ntdll.7C910738
0101552A . 8D2D D34AE514 LEA EBP,DWORD PTR DS:[14E54AD3]
01015530 . BE B5A4D73E MOV ESI,3ED7A4B5
01015535 . 81E1 34274ED9 AND ECX,D94E2734
0101553B . 84D5 TEST CH,DL
0101553D . 0FBBF7 BTC EDI,ESI
01015540 . 0FBAE5 63 BT EBP,63
01015544 . 0FACEA B1 SHRD EDX,EBP,0B1 ; Shift constant out of range 1..31
01015548 . F6C2 8F TEST DL,8F
0101554B . 2C 7D SUB AL,7D
0101554D . 89EE MOV ESI,EBP
0101554F . F6C6 4B TEST DH,4B
01015552 . 08C2 OR DL,AL
01015554 . C7C1 44F7DE29 MOV ECX,29DEF744
0101555A . 8AC6 MOV AL,DH
0101555C . 64:0FADFD SHRD EBP,EDI,CL ; Superfluous prefix
01015560 . EB 01 JMP SHORT notepad.01015563
01015562 01 DB 01
01015563 > F6D8 NEG AL
01015565 . F2: PREFIX REPNE: ; Superfluous prefix
01015566 . FECC DEC AH
01015568 . 0FBCDA BSF EBX,EDX ; ntdll.KiFastSystemCallRet
0101556B . 81E1 C4775EA9 AND ECX,A95E77C4
01015571 . 48 DEC EAX
01015572 . C1D6 F5 RCL ESI,0F5 ; Shift constant out of range 1..31
01015575 . 81D6 C574678E ADC ESI,8E6774C5
0101557B . 0FBCC8 BSF ECX,EAX
0101557E . 0FBBF7 BTC EDI,ESI
01015581 . 1AE2 SBB AH,DL
01015583 . 8D1D F1F0F3EA LEA EBX,DWORD PTR DS:[EAF3F0F1]
01015589 . 86E7 XCHG BH,AH
0101558B . 81F3 9110930A XOR EBX,0A931091
01015591 . 0FACFD E3 SHRD EBP,EDI,0E3 ; Shift constant out of range 1..31
01015595 . 0FBED0 MOVSX EDX,AL
01015598 . 85DA TEST EDX,EBX
0101559A . F7C0 FDCC5FA6 TEST EAX,A65FCCFD
010155A0 . 25 5CAFB6A1 AND EAX,A1B6AF5C
010155A5 . 88F0 MOV AL,DH
010155A7 . 0FCF BSWAP EDI ; ntdll.7C910738
010155A9 . 18D4 SBB AH,DL
010155AB . 0FBCDA BSF EBX,EDX ; ntdll.KiFastSystemCallRet
010155AE . 8BCF MOV ECX,EDI ; ntdll.7C910738
010155B0 . 15 C574678E ADC EAX,8E6774C5
010155B5 . F7C3 04B79EE9 TEST EBX,E99EB704
010155BB . 88F0 MOV AL,DH
010155BD . 13F5 ADC ESI,EBP
010155BF . E8 00000000 CALL notepad.010155C4
010155C4 /$ 59 POP ECX ; kernel32.7C816D4F
010155C5 |. 83C1 07 ADD ECX,7
010155C8 |. 51 PUSH ECX
010155C9 \. C3 RETN
010155CA > C3 RETN
010155CB . B8 40530101 MOV EAX,notepad.01015340
010155D0 . 50 PUSH EAX
010155D1 . B9 B8000000 MOV ECX,0B8
010155D6 > 8130 F8012700 XOR DWORD PTR DS:[EAX],2701F8
010155DC . 51 PUSH ECX
010155DD . 2BC9 SUB ECX,ECX
010155DF . B9 04000000 MOV ECX,4
010155E4 > 83C0 01 ADD EAX,1
010155E7 .^ E2 FB LOOPD SHORT notepad.010155E4
010155E9 . 59 POP ECX ; kernel32.7C816D4F
010155EA . 83E9 03 SUB ECX,3
010155ED .^ E2 E7 LOOPD SHORT notepad.010155D6
010155EF .^ EB D9 JMP SHORT notepad.010155CA
--------------------------------------------------------------------------------
set a breakpoint on the JMP
before jump the 2 LOOPD actually unpacks the code.
when it breaks on JMP, press F8 once
it should take u to :
010155CA > / C3 RETN
010155CB . | B8 40530101 MOV EAX,notepad.01015340
010155D0 . | 50 PUSH EAX ; notepad.
010155D1 . | B9 B8000000 MOV ECX,0B8
010155D6 >| 8130 F8012700 XOR DWORD PTR DS:[EAX],2701F8
010155DC . | 51 PUSH ECX
010155DD . | 2BC9 SUB ECX,ECX
010155DF . | B9 04000000 MOV ECX,4
010155E4 > | 83C0 01 ADD EAX,1
010155E7 .^| E2 FB LOOPD SHORT notepad.010155E4
010155E9 . | 59 POP ECX ; kernel32.7C816D4F
010155EA . | 83E9 03 SUB ECX,3
010155ED .^| E2 E7 LOOPD SHORT notepad.010155D6
010155EF .^\ EB D9 JMP SHORT notepad.010155CA
now press F8 once again
u'll come to somewhere like :
--------------------------------------------------------------------------------
01015341 BE DB BE
01015342 00 DB 00
01015343 10 DB 10
01015344 01 DB 01
01015345 01 DB 01
01015346 8D DB 8D
01015347 BE DB BE
01015348 00 DB 00
01015349 00 DB 00
0101534A FF DB FF
0101534B FF DB FF
0101534C 57 DB 57 ; CHAR 'W'
0101534D 83 DB 83
0101534E CD DB CD
0101534F FF DB FF
01015350 EB DB EB
01015351 10 DB 10
01015352 90 DB 90
01015353 90 NOP
01015354 90 DB 90
01015355 90 DB 90
01015356 90 DB 90
01015357 90 NOP
01015358 8A DB 8A
01015359 06 DB 06
0101535A 46 DB 46 ; CHAR 'F'
0101535B 8807 MOV BYTE PTR DS:[EDI],AL
right click. Analysis > Remove Analysis from this module
the code will become like this :
--------------------------------------------------------------------------------
01015340 60 PUSHAD
01015341 BE 00100101 MOV ESI,notepad.01011000
01015346 8DBE 0000FFFF LEA EDI,DWORD PTR DS:[ESI+FFFF0000]
0101534C 57 PUSH EDI
0101534D 83CD FF OR EBP,FFFFFFFF
01015350 EB 10 JMP SHORT notepad.01015362
01015352 90 NOP
01015353 90 NOP
01015354 90 NOP
--------------------------------------------------------------------------------
execute the PUSHD with a F8
now on the right hand-pane, right-click on ESP > Follow in dump
in the dump window below u should find something like this :
--------------------------------------------------------------------------------
0007FFA4 D3 50 B1 FE AF 8D F2 C4 95 CA 29 DC C4 FF 07 00
0007FFB4 06 00 00 00 40 00 00 00 00 00 00 00 F8 53 01 01
0007FFC4 4F 6D 81 7C 38 07 91 7C FF FF FF FF 00 F0 FD 7F
0007FFD4 FA 22 55 80 C8 FF 07 00 D8 C6 40 FE FF FF FF FF
0007FFE4 F3 99 83 7C 58 6D 81 7C 00 00 00 00 00 00 00 00
0007FFF4 00 00 00 00 B8 54 01 01 00 00 00 00
--------------------------------------------------------------------------------
now right click on D3 ( at address 0007FFA4 )
Breakpoint > Hardware, On Access > Word
now press F9 once
it should break on a jump like the following :
--------------------------------------------------------------------------------
0101548F - E9 091FFFFF JMP notepad.0100739D
01015494 0000 ADD BYTE PTR DS:[EAX],AL
01015496 0000 ADD BYTE PTR DS:[EAX],AL
01015498 0000 ADD BYTE PTR DS:[EAX],AL
0101549A 0000 ADD BYTE PTR DS:[EAX],AL
0101549C 0000 ADD BYTE PTR DS:[EAX],AL
0101549E 0000 ADD BYTE PTR DS:[EAX],AL
010154A0 0000 ADD BYTE PTR DS:[EAX],AL
010154A2 0000 ADD BYTE PTR DS:[EAX],AL
--------------------------------------------------------------------------------
take the jump with a F9, and u r at the entrypoint of the notepad.exe
now keep the olly window like this and open LORDPE
select the notepad.exe process, right click > dump full ...
save it as dumped.exe
now open ImpRec
attach to active process - notepad.exe, many things will scroll down in log window
now in "IAT infos needed" window put : 739D
OEP = (RVA from olly) - (original OEP) = 0100739D - 01000000 = 739D
press IAT autosearch, it should come up with a window "FOUND SOMETHING", press OK
now press GET IMPORTS
many things should come up in "Imported Functions Found" window
now press FIX DUMP & choose ur previously DUMPED.EXE by lordPE
the log window should say C:\DUMPED_.EXE save successfully
and voila u r DONE |
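Added example, not part of the reposted walkthrough: a Python emulation of the decryptor stub at 010155CB-010155EF in the listing, which lets an analyst decode the XOR layer statically and see exactly which bytes it touches. BASE, COUNT and KEY are read from the listing; the sample buffer is constructed from the first 18 bytes of the decoded UPX stub shown in the post plus NOP padding, and the function names are hypothetical.

```python
import struct

# Constants read from the listing (stub at 010155CB-010155EF).
BASE = 0x01015340   # MOV EAX,notepad.01015340
COUNT = 0xB8        # MOV ECX,0B8
KEY = 0x002701F8    # XOR DWORD PTR DS:[EAX],2701F8


def run_stub(image, base=BASE, count=COUNT, key=KEY):
    """Emulate the stub's nested LOOPD loops on `image` (mapped at `base`).

    Returns (outer_passes, final_eax). LOOPD decrements ECX and jumps while
    ECX != 0, so each outer pass costs 4 (SUB ECX,3 plus the LOOPD itself).
    """
    if count == 0 or count % 4:
        # The real loop would step past zero and wrap ECX; refuse instead.
        raise ValueError("count must be a non-zero multiple of 4")
    if len(image) < count:
        raise ValueError("image shorter than the encoded region")
    eax, ecx, passes = base, count, 0
    while True:
        off = eax - base
        (dword,) = struct.unpack_from("<I", image, off)
        struct.pack_into("<I", image, off, dword ^ key)  # XOR DWORD PTR [EAX]
        passes += 1
        saved = ecx                  # PUSH ECX
        ecx = 4                      # SUB ECX,ECX / MOV ECX,4
        while ecx:                   # ADD EAX,1 / LOOPD inner
            eax += 1
            ecx -= 1
        ecx = saved - 3 - 1          # POP ECX / SUB ECX,3 / LOOPD outer
        if ecx == 0:
            return passes, eax


# Constructed sample: first 18 bytes of the decoded UPX stub from the post
# (PUSHAD ... JMP SHORT), padded with NOPs to COUNT bytes.
PLAIN = bytes.fromhex("60BE001001018DBE0000FFFF5783CDFFEB10").ljust(COUNT, b"\x90")


def roundtrip():
    """Encode PLAIN with the stub (XOR is its own inverse), then decode it."""
    buf = bytearray(PLAIN)
    run_stub(buf)                    # plain -> encoded, as stored in the file
    encoded = bytes(buf)
    passes, end = run_stub(buf)      # encoded -> plain, as at run time
    return encoded, bytes(buf), passes, end


if __name__ == "__main__":
    enc, dec, passes, end = roundtrip()
    print(passes, hex(end), enc[:4].hex(), dec == PLAIN)
```

Only the low three bytes of each DWORD change, because the key's top byte is zero; every fourth byte of the encoded region is therefore identical to the plain UPX stub.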
|
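3D定胆杀码霸主 (Professional Edition) crack. Obfuscated code
I referred to jingulong's method in "Locating the Button handler code in several typical programs". After clicking "Load Formula" a dialog box pops up, but after clicking the "OK" button I cannot find the key call. Could the expert 鸡蛋壳 give me some pointers? |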
|
Armadillo Script v2 Standard+Strategic Code Splicing
I have seen it on the OllyDbg forum |
|
hacnho,please come in!!!
The latest 5.0 Chinese-localized version is on "汉化新世纪" |
|
Semi VB Decompiler Release 0.04
Isn't there an official shareware release on exetools? |
|
Releasing the newly developed debugger DisShellDbg, which now supports debugging under Win2000 and XP
On my 2k system, it exits as soon as it loads a program.