Unpacking a VB program packed with Obsidium V1.25 - 超级自动注册申请王
Got it; I shouldn't go looking for trouble for myself.

Unpacking a VB program packed with Obsidium V1.25 - 超级自动注册申请王
I am using version 1.9 as well, and I see the same thing on the XP Professional machine at my workplace, and there is no CheckRemoteDebuggerPresent function either. Could you give the usual method for intercepting the SYSENTER function? Thanks.

Unpacking a VB program packed with Obsidium V1.25 - 超级自动注册申请王
Thanks, boss. I traced it again and ran into the following problem; I would appreciate some help. Under Windows 2003 there is a CheckRemoteDebuggerPresent function; I set breakpoints there and at IsProcessorFeaturePresent. After coming out of UnhandledExceptionFilter it returns to the following code:
77F35275 0AC0 or al,al
77F35277 74 0C je short ntdll.77F35285 (the jump is not taken here)
77F35279 5B pop ebx
77F3527A 59 pop ecx
77F3527B 6A 00 push 0
77F3527D 51 push ecx
77F3527E E8 D0FFFFFF call ntdll.ZwContinue
Entering from here, the code is:
77F35253 > B8 22000000 mov eax,22
77F35258 BA 0003FE7F mov edx,7FFE0300
77F3525D FFD2 call edx
77F3525F C2 0800 retn 8
Entering from the CALL, the code is:
7FFE0300 8BD4 mov edx,esp
7FFE0302 0F34 sysenter
7FFE0304 C3 retn
At the SYSENTER instruction I do not know how to keep tracing; if I press F8 or F9 the program just exits and never reaches the breakpoint.

Unpacking a VB program packed with Obsidium V1.25 - 超级自动注册申请王
Following boss FLY's steps, why is mine different? If I patch it, changing only the JNZ at 77E461A2 0F85 15040000 jnz kernel32.77E465BD to NOP, it still exits immediately when run. I want to change it by hand, but I do not know which jump to change. My system is WIN2003. Also, my PEiD 0.92 cannot detect what packer it is; it only shows "没有找到什么[重叠]". Could some boss take a look?
77E46157 > 68 F4040000 push 4F4
77E4615C 68 484EE577 push kernel32.77E54E48
77E46161 E8 90B5FCFF call kernel32.77E116F6
77E46166 6A 04 push 4
77E46168 5B pop ebx
77E46169 895D E0 mov dword ptr ss:[ebp-20],ebx
77E4616C 8B75 08 mov esi,dword ptr ss:[ebp+8]
77E4616F 8B06 mov eax,dword ptr ds:[esi]
77E46171 33FF xor edi,edi
77E46173 8138 050000C0 cmp dword ptr ds:[eax],C0000005
77E46179 75 09 jnz short kernel32.77E46184
77E4617B 3978 14 cmp dword ptr ds:[eax+14],edi
77E4617E ^ 0F85 A7FEFFFF jnz kernel32.77E4602B
77E46184 897D DC mov dword ptr ss:[ebp-24],edi
77E46187 57 push edi
77E46188 53 push ebx
77E46189 8D45 DC lea eax,dword ptr ss:[ebp-24]
77E4618C 50 push eax
77E4618D 6A 07 push 7
77E4618F E8 86BBFCFF call kernel32.GetCurrentProcess
77E46194 50 push eax
77E46195 FF15 B810E177 call dword ptr ds:[<&ntdll.NtQueryInform>; ntdll.ZwQueryInformationProcess
77E4619B 85C0 test eax,eax
77E4619D 7C 09 jl short kernel32.77E461A8
77E4619F 397D DC cmp dword ptr ss:[ebp-24],edi
77E461A2 0F85 15040000 jnz kernel32.77E465BD
77E461A8 A1 10E2E877 mov eax,dword ptr ds:[77E8E210]
77E461AD 3BC7 cmp eax,edi
77E461AF 74 15 je short kernel32.77E461C6
77E461B1 56 push esi
77E461B2 FFD0 call eax
77E461B4 83F8 01 cmp eax,1
77E461B7 0F84 02040000 je kernel32.77E465BF
77E461BD 83F8 FF cmp eax,-1
77E461C0 0F84 F9030000 je kernel32.77E465BF
77E461C6 E8 42C5FCFF call kernel32.77E1270D
77E461CB A8 02 test al,2
77E461CD 0F85 28040000 jnz kernel32.77E465FB
77E461D3 E8 77110000 call <jmp.&ntdll.RtlGetThreadErrorMode>
77E461D8 A8 20 test al,20
77E461DA 0F85 1B040000 jnz kernel32.77E465FB
77E461E0 57 push edi
77E461E1 6A 30 push 30
77E461E3 8D85 04FFFFFF lea eax,dword ptr ss:[ebp-FC]
77E461E9 50 push eax
77E461EA 6A 02 push 2
77E461EC 57 push edi
77E461ED FF15 7C15E177 call dword ptr ds:[<&ntdll.NtQueryInform>; ntdll.ZwQueryInformationJobObject
77E461F3 85C0 test eax,eax
77E461F5 0F8D F3030000 jge kernel32.77E465EE
77E461FB 8B06 mov eax,dword ptr ds:[esi]
77E461FD 8B08 mov ecx,dword ptr ds:[eax]
77E461FF 894D 9C mov dword ptr ss:[ebp-64],ecx
77E46202 8B48 0C mov ecx,dword ptr ds:[eax+C]
77E46205 894D A0 mov dword ptr ss:[ebp-60],ecx
77E46208 8138 060000C0 cmp dword ptr ds:[eax],C0000006
77E4620E ^ 0F84 2FFEFFFF je kernel32.77E46043

aspack2.12: the unpacked program exits as soon as it runs
Once the original reaches the entry point, it is all DB ** code, so no comparison can be made.

aspack2.12: the unpacked program exits as soon as it runs
Unpacked it by hand; after repairing it, the same symptom as with automatic unpacking.

Does anyone have Armadillo version 2.5x?
Thanks, saved.

About intercepting the registration code
No need to unpack; I can trace to the registration code comparison, but I cannot understand it, and patching it causes errors. I will write down where I traced; please check whether it is correct. Load it in OD. 004e7809: transfer from the RSA module to the main module. Then F9 to run and enter the registration code. 00cb9464: fetch the registration code. 00cb94e8: compare the registration code.

The registration code comparison, cannot understand it
Thanks, downloaded it, but it did not work.

The registration code comparison, cannot understand it
Where can I find DT's Armadillo keygen? I searched the forum but did not find it.

The registration code comparison, cannot understand it
Below is the code up to the return:
00CB4713 8D9D E0FDFFFF lea ebx,dword ptr ss:[ebp-220]
00CB4719 8DB5 E0FEFFFF lea esi,dword ptr ss:[ebp-120]
00CB471F 6A 00 push 0
00CB4721 8D4D E8 lea ecx,dword ptr ss:[ebp-18]
00CB4724 E8 EED9FEFF call 00CA2117
00CB4729 8D45 E8 lea eax,dword ptr ss:[ebp-18]
00CB472C 6A 00 push 0
00CB472E 50 push eax
00CB472F 8D45 F0 lea eax,dword ptr ss:[ebp-10]
00CB4732 50 push eax
00CB4733 E8 5FDDFEFF call 00CA2497
00CB4738 83C4 0C add esp,0C
00CB473B 8D4D E8 lea ecx,dword ptr ss:[ebp-18]
00CB473E 85C0 test eax,eax
00CB4740 0F9545 0F setne byte ptr ss:[ebp+F]
00CB4744 E8 91DAFEFF call 00CA21DA
00CB4749 807D 0F 00 cmp byte ptr ss:[ebp+F],0
00CB474D 74 42 je short 00CB4791
00CB474F 51 push ecx
00CB4750 51 push ecx
00CB4751 8BCC mov ecx,esp
00CB4753 6A 10 push 10
00CB4755 E8 BDD9FEFF call 00CA2117
00CB475A 51 push ecx
00CB475B 51 push ecx
00CB475C 8D45 F0 lea eax,dword ptr ss:[ebp-10]
00CB475F 8BCC mov ecx,esp
00CB4761 50 push eax
00CB4762 E8 20DBFEFF call 00CA2287
00CB4767 8D45 E0 lea eax,dword ptr ss:[ebp-20]
00CB476A 50 push eax
00CB476B E8 E2EBFEFF call 00CA3352
00CB4770 83C4 14 add esp,14
00CB4773 8BC8 mov ecx,eax
00CB4775 E8 7EDAFEFF call 00CA21F8
00CB477A 8803 mov byte ptr ds:[ebx],al
00CB477C 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
00CB477F 43 inc ebx
00CB4780 E8 55DAFEFF call 00CA21DA
00CB4785 6A FC push -4
00CB4787 8D4D F0 lea ecx,dword ptr ss:[ebp-10]
00CB478A E8 D2EDFEFF call 00CA3561
00CB478F ^ EB 8E jmp short 00CB471F
00CB4791 8D85 E0FDFFFF lea eax,dword ptr ss:[ebp-220]
00CB4797 3BD8 cmp ebx,eax
00CB4799 76 09 jbe short 00CB47A4
00CB479B 8A43 FF mov al,byte ptr ds:[ebx-1]
00CB479E 4B dec ebx
00CB479F 8806 mov byte ptr ds:[esi],al
00CB47A1 46 inc esi
00CB47A2 ^ EB ED jmp short 00CB4791
00CB47A4 8D85 E0FEFFFF lea eax,dword ptr ss:[ebp-120]
00CB47AA 2BF0 sub esi,eax
00CB47AC 8BDE mov ebx,esi
00CB47AE 81FB 00010000 cmp ebx,100
00CB47B4 0F8F B5000000 jg 00CB486F
00CB47BA 83FB 10 cmp ebx,10
00CB47BD 0F8C AC000000 jl 00CB486F
00CB47C3 8D4D F0 lea ecx,dword ptr ss:[ebp-10]
00CB47C6 E8 0FDAFEFF call 00CA21DA
00CB47CB 6A 01 push 1
00CB47CD 8BCF mov ecx,edi
00CB47CF E8 99D8FFFF call 00CB206D
00CB47D4 83FB 10 cmp ebx,10
00CB47D7 0F9FC0 setg al
00CB47DA 807D FF 00 cmp byte ptr ss:[ebp-1],0
00CB47DE 8887 3C1A0000 mov byte ptr ds:[edi+1A3C],al
00CB47E4 74 07 je short 00CB47ED
00CB47E6 838F 1C190000 04 or dword ptr ds:[edi+191C],4
00CB47ED 8B75 08 mov esi,dword ptr ss:[ebp+8]
00CB47F0 838F 401A0000 FF or dword ptr ds:[edi+1A40],FFFFFFFF
00CB47F7 85F6 test esi,esi
00CB47F9 75 05 jnz short 00CB4800
00CB47FB BE B8F3CC00 mov esi,0CCF3B8
00CB4800 56 push esi
00CB4801 E8 3A2F0100 call 00CC7740 ; jmp to msvcrt.strlen
00CB4806 40 inc eax
00CB4807 50 push eax
00CB4808 E8 ED2E0100 call 00CC76FA ; jmp to msvcrt.operator new
00CB480D 56 push esi
00CB480E 50 push eax
00CB480F 8907 mov dword ptr ds:[edi],eax
00CB4811 E8 362F0100 call 00CC774C ; jmp to msvcrt.strcpy
00CB4816 8D43 01 lea eax,dword ptr ds:[ebx+1]
00CB4819 99 cdq
00CB481A 2BC2 sub eax,edx
00CB481C D1F8 sar eax,1
00CB481E 8987 14180000 mov dword ptr ds:[edi+1814],eax
00CB4824 83C0 04 add eax,4
00CB4827 50 push eax
00CB4828 E8 CD2E0100 call 00CC76FA ; jmp to msvcrt.operator new
00CB482D 83C4 14 add esp,14
00CB4830 8987 10180000 mov dword ptr ds:[edi+1810],eax
00CB4836 F6C3 01 test bl,1
00CB4839 8D8D E0FEFFFF lea ecx,dword ptr ss:[ebp-120]
00CB483F 8DB41D E0FEFFFF lea esi,dword ptr ss:[ebp+ebx-120]
00CB4846 74 0F je short 00CB4857
00CB4848 8A8D E0FEFFFF mov cl,byte ptr ss:[ebp-120]
00CB484E 8808 mov byte ptr ds:[eax],cl
00CB4850 40 inc eax
00CB4851 8D8D E1FEFFFF lea ecx,dword ptr ss:[ebp-11F]
00CB4857 3BCE cmp ecx,esi
00CB4859 0F83 A3000000 jnb 00CB4902
00CB485F 8A11 mov dl,byte ptr ds:[ecx]
00CB4861 C0E2 04 shl dl,4
00CB4864 41 inc ecx
00CB4865 8810 mov byte ptr ds:[eax],dl
00CB4867 8A11 mov dl,byte ptr ds:[ecx]
00CB4869 0810 or byte ptr ds:[eax],dl
00CB486B 41 inc ecx
00CB486C 40 inc eax
00CB486D ^ EB E8 jmp short 00CB4857
00CB486F 8D4D F0 lea ecx,dword ptr ss:[ebp-10]
00CB4872 E8 63D9FEFF call 00CA21DA
00CB4877 E9 82000000 jmp 00CB48FE
00CB487C 8B4D 0C mov ecx,dword ptr ss:[ebp+C]
00CB487F 8A01 mov al,byte ptr ds:[ecx]
00CB4881 84C0 test al,al
00CB4883 74 79 je short 00CB48FE
00CB4885 3C 30 cmp al,30
00CB4887 7C 08 jl short 00CB4891
00CB4889 3C 39 cmp al,39
00CB488B 7F 04 jg short 00CB4891
00CB488D 2C 30 sub al,30
00CB488F EB 16 jmp short 00CB48A7
00CB4891 3C 61 cmp al,61
00CB4893 7C 08 jl short 00CB489D
00CB4895 3C 66 cmp al,66
00CB4897 7F 04 jg short 00CB489D
00CB4899 2C 57 sub al,57
00CB489B EB 0A jmp short 00CB48A7
00CB489D 3C 41 cmp al,41
00CB489F 7C 0F jl short 00CB48B0
00CB48A1 3C 46 cmp al,46
00CB48A3 7F 0B jg short 00CB48B0
00CB48A5 2C 37 sub al,37
00CB48A7 88841D E0FEFFFF mov byte ptr ss:[ebp+ebx-120],al
00CB48AE EB 3C jmp short 00CB48EC
00CB48B0 3C 69 cmp al,69
00CB48B2 74 30 je short 00CB48E4
00CB48B4 3C 49 cmp al,49
00CB48B6 74 2C je short 00CB48E4
00CB48B8 3C 6C cmp al,6C
00CB48BA 74 28 je short 00CB48E4
00CB48BC 3C 4C cmp al,4C
00CB48BE 74 24 je short 00CB48E4
00CB48C0 3C 6F cmp al,6F
00CB48C2 74 16 je short 00CB48DA
00CB48C4 3C 4F cmp al,4F
00CB48C6 74 12 je short 00CB48DA
00CB48C8 3C 73 cmp al,73
00CB48CA 74 04 je short 00CB48D0
00CB48CC 3C 53 cmp al,53
00CB48CE 75 1D jnz short 00CB48ED
00CB48D0 C6841D E0FEFFFF 05 mov byte ptr ss:[ebp+ebx-120],5
00CB48D8 EB 12 jmp short 00CB48EC
00CB48DA 80A41D E0FEFFFF 00 and byte ptr ss:[ebp+ebx-120],0
00CB48E2 EB 08 jmp short 00CB48EC
00CB48E4 C6841D E0FEFFFF 01 mov byte ptr ss:[ebp+ebx-120],1
00CB48EC 43 inc ebx
00CB48ED 8A41 01 mov al,byte ptr ds:[ecx+1]
00CB48F0 41 inc ecx
00CB48F1 84C0 test al,al
00CB48F3 ^ 75 90 jnz short 00CB4885
00CB48F5 83FB 10 cmp ebx,10
00CB48F8 ^ 0F8D CDFEFFFF jge 00CB47CB
00CB48FE 32C0 xor al,al
00CB4900 EB 50 jmp short 00CB4952
00CB4902 8BCF mov ecx,edi
00CB4904 E8 FEE2FFFF call 00CB2C07
00CB4909 8BCF mov ecx,edi
00CB490B E8 EBE0FFFF call 00CB29FB
00CB4910 8BCF mov ecx,edi
00CB4912 66:8987 781A0000 mov word ptr ds:[edi+1A78],ax
00CB4919 E8 DDE0FFFF call 00CB29FB
00CB491E 80BF 3C1A0000 00 cmp byte ptr ds:[edi+1A3C],0
00CB4925 66:8987 7A1A0000 mov word ptr ds:[edi+1A7A],ax
00CB492C 74 0C je short 00CB493A
00CB492E FF75 10 push dword ptr ss:[ebp+10]
00CB4931 8BCF mov ecx,edi
00CB4933 E8 D9020000 call 00CB4C11
00CB4938 EB 07 jmp short 00CB4941
00CB493A 8BCF mov ecx,edi
00CB493C E8 B3070000 call 00CB50F4
00CB4941 84C0 test al,al
00CB4943 8887 0C180000 mov byte ptr ds:[edi+180C],al
00CB4949 74 07 je short 00CB4952
00CB494B 80A7 0E180000 00 and byte ptr ds:[edi+180E],0
00CB4952 5F pop edi
00CB4953 5E pop esi
00CB4954 5B pop ebx
00CB4955 C9 leave
00CB4956 C2 0C00 retn 0C

Armadillo packed with a key: where is the key compared?
Intercepting with a memory access breakpoint only catches it when the window is displayed; after clicking OK it no longer catches anything.