[Original] IDA Pro v4.9.0.863-Lz0 Chinese localization preview, corrections welcome!
Supported! I'll give it a test.

tELock v0.99 exclusive release
It won't start whether DEP is turned off or on.

-> 南蛮妈妈's TEST.EXE ~!!!
Load it in OD without ignoring memory access exceptions; at the last exception set BP on the CALL XXXXXXX, press F9, it breaks there; remove the breakpoint right away.

Armadillo V4.X CopyMem-II unpacking: 魔法转换 (Magic Converter) V4.0 release
Thanks Fly, heh. I had also just worked it out starting from 54C, but the repaired file won't run (nothing happens when launched); it's detected as VC, still looking for the cause.

Armadillo V4.X CopyMem-II unpacking: 魔法转换 (Magic Converter) V4.0 release
Thanks Fly, understood.

00AE70FC 50 push eax
00AE70FD FF15 4801AF00 call dword ptr ds:[AF0148] ; kernel32.VirtualProtect
00AE7103 ^ E9 E3F7FFFF jmp 00AE68EB //loop
00AE7108 8B85 E4C6FFFF mov eax,dword ptr ss:[ebp-391C] //set the breakpoint here
00AE710E 8985 C4AFFFFF mov dword ptr ss:[ebp+FFFFAFC4],eax

00422000 77DA6BF0 ADVAPI32.RegCloseKey
00422004 77DAEBE7 ADVAPI32.RegSetValueExA
00422008 77DA761B ADVAPI32.RegOpenKeyExA
0042200C 77DAEAF4 ADVAPI32.RegCreateKeyExA
00422010 00ACACCF
00422014 5C8415DD COMCTL32.InitCommonControls
00422018 00ACAD98
0042201C 77EF5D0B GDI32.SetBkMode
00422020 77EFA8F7 GDI32.SetMapMode
00422024 77EF7988 GDI32.SetViewportOrgEx
00422028 77F0F27C GDI32.OffsetViewportOrgEx
0042202C 77F0E45F GDI32.SetViewportExtEx
00422030 77F1C352 GDI32.ScaleViewportExtEx
00422034 77F0E3B6 GDI32.SetWindowExtEx
00422038 77F1C433 GDI32.ScaleWindowExtEx
0042203C 77EF6899 GDI32.IntersectClipRect
00422040 77EF6A3B GDI32.DeleteObject
00422044 77EF59A0 GDI32.SelectObject
00422048 77EF7B2D GDI32.GetViewportExtEx
0042204C 77EF7AB5 GDI32.GetWindowExtEx
00422050 77EF5FD5 GDI32.CreateSolidBrush
00422054 77F24F47 GDI32.PtVisible
00422058 77EF8070 GDI32.RectVisible
0042205C 77EFC449 GDI32.TextOutA
00422060 77EF9012 GDI32.ExtTextOutA
00422064 77F07FBB GDI32.Escape
00422068 77EFBFE7 GDI32.DPtoLP
0042206C 77EF8195 GDI32.LPtoDP
00422070 77EFAB59 GDI32.GetMapMode
00422074 77EF86B0 GDI32.PatBlt
00422078 77EF97BE GDI32.RestoreDC
0042207C 77EF9884 GDI32.SaveDC
00422080 77EF6CA6 GDI32.DeleteDC
00422084 77EF5FF1 GDI32.GetStockObject
00422088 77EF58A2 GDI32.GetDeviceCaps
0042208C 77EF84D4 GDI32.GetBkColor
00422090 77EF8528 GDI32.GetTextColor
00422094 77EF9A82 GDI32.GetObjectA
00422098 77EF5C59 GDI32.SetBkColor
0042209C 77EF5BA7 GDI32.SetTextColor
004220A0 77EF68E4 GDI32.GetClipBox
004220A4 77EFB52C GDI32.CreateDIBitmap
004220A8 77EFC333 GDI32.GetTextExtentPointA
004220AC 77EF6DC0 GDI32.BitBlt
004220B0 77EF5E10 GDI32.CreateCompatibleDC
004220B4 77EF601F GDI32.CreateBitmap
004220B8 00ACACAC
004220BC 7C825F62 kernel32.FormatMessageA
004220C0 7C957A40 ntdll.RtlUnwind
004220C4 7C801EEE kernel32.GetStartupInfoA
004220C8 7C812C8D kernel32.GetCommandLineA
004220CC 7C81CAA2 kernel32.ExitProcess
004220D0 7C801E16 kernel32.TerminateProcess
004220D4 7C93043D ntdll.RtlFreeHeap
004220D8 7C81082F kernel32.CreateThread
004220DC 7C80CCA9 kernel32.ExitThread
004220E0 7C9305D4 ntdll.RtlAllocateHeap
004220E4 7C81EAE1 kernel32.RaiseException
004220E8 7C9379FD ntdll.RtlReAllocateHeap
004220EC 7C9309ED ntdll.RtlSizeHeap
004220F0 7C809943 kernel32.GetACP
004220F4 7C8394AE kernel32.GetTimeZoneInformation
004220F8 7C862B8A kernel32.UnhandledExceptionFilter
004220FC 7C81DC3F kernel32.FreeEnvironmentStringsA
00422100 7C81485F kernel32.FreeEnvironmentStringsW
00422104 7C81CC23 kernel32.GetEnvironmentStringsA
00422108 7C812C78 kernel32.GetEnvironmentStringsW
0042210C 7C80C6CF kernel32.SetHandleCount
00422110 7C812CA9 kernel32.GetStdHandle
00422114 7C811110 kernel32.HeapDestroy
00422118 7C812929 kernel32.HeapCreate
0042211C 7C809B14 kernel32.VirtualFree
00422120 7C809A81 kernel32.VirtualAlloc
00422124 7C809F29 kernel32.IsBadWritePtr
00422128 7C810386 kernel32.SetUnhandledExceptionFilter
0042212C 7C838CB9 kernel32.GetStringTypeA
00422130 7C80A480 kernel32.GetStringTypeW
00422134 7C832E2B kernel32.LCMapStringA
00422138 7C80CEC4 kernel32.LCMapStringW
0042213C 7C809EB3 kernel32.IsBadReadPtr
00422140 7C80BB57 kernel32.IsBadCodePtr
00422144 7C81D8CB kernel32.SetStdHandle
00422148 7C80D293 kernel32.CompareStringA
0042214C 7C80A34E kernel32.CompareStringW
00422150 7C8226A9 kernel32.SetEnvironmentVariableA
00422154 7C81F8E2 kernel32.GetFileTime
00422158 7C822D47 kernel32.GetProfileStringA
0042215C 7C810C8F kernel32.GetFileSize
00422160 7C81174C kernel32.GetFileAttributesA
00422164 7C8092AC kernel32.GetTickCount
00422168 7C80EA66 kernel32.FileTimeToLocalFileTime
0042216C 7C80E9EC kernel32.FileTimeToSystemTime
00422170 7C81367C kernel32.GetFullPathNameA
00422174 7C827052 kernel32.GetVolumeInformationA
00422178 7C813559 kernel32.FindFirstFileA
0042217C 7C80EFD7 kernel32.FindClose
00422180 7C81F850 kernel32.SetEndOfFile
00422184 7C81FDDD kernel32.UnlockFile
00422188 7C81FE92 kernel32.LockFile
0042218C 7C80CD58 kernel32.FlushFileBuffers
00422190 7C810DA6 kernel32.SetFilePointer
00422194 7C810F9F kernel32.WriteFile
00422198 7C80180E kernel32.ReadFile
0042219C 7C801A24 kernel32.CreateFileA
004221A0 7C80E00D kernel32.GetCurrentProcess
004221A4 7C80E016 kernel32.DuplicateHandle
004221A8 7C80AA97 kernel32.SetErrorMode
004221AC 7C81E82A kernel32.GetOEMCP
004221B0 7C812BE6 kernel32.GetCPInfo
004221B4 7C80BAF1 kernel32.SizeofResource
004221B8 7C812996 ASCII "jPh"
004221BC 7C930331 ntdll.RtlGetLastWin32Error
004221C0 7C822BB7 kernel32.WritePrivateProfileStringA
004221C4 7C8278F0 kernel32.GlobalFlags
004221C8 7C810311 kernel32.lstrcpynA
004221CC 7C809750 kernel32.TlsGetValue
004221D0 7C81E2B1 kernel32.LocalReAlloc
004221D4 7C809BF5 kernel32.TlsSetValue
004221D8 7C921005 ntdll.RtlEnterCriticalSection
004221DC 7C8125C9 kernel32.GlobalReAlloc
004221E0 7C9210ED ntdll.RtlLeaveCriticalSection
004221E4 7C813453 kernel32.TlsFree
004221E8 7C838F36 kernel32.GlobalHandle
004221EC 7C93188A ntdll.RtlDeleteCriticalSection
004221F0 7C812B0F kernel32.TlsAlloc
004221F4 7C809FA1 kernel32.InitializeCriticalSection
004221F8 7C80995D kernel32.LocalFree
004221FC 7C8099BD kernel32.LocalAlloc
00422200 7C80A0C7 kernel32.WideCharToMultiByte
00422204 7C8097F4 kernel32.MulDiv
00422208 7C930340 ntdll.RtlSetLastWin32Error
0042220C 7C80977B kernel32.InterlockedIncrement
00422210 7C80C6E0 kernel32.lstrlenA
00422214 7C809CAD kernel32.MultiByteToWideChar
00422218 7C80A405 kernel32.GetThreadLocale
0042221C 7C809794 kernel32.InterlockedDecrement
00422220 7C801D77 kernel32.LoadLibraryA
00422224 7C80AA66 kernel32.FreeLibrary
00422228 7C8114AB kernel32.GetVersion
0042222C 7C838FB9 kernel32.lstrcatA
00422230 7C85B073 kernel32.GlobalGetAtomNameA
00422234 7C823039 kernel32.GlobalAddAtomA
00422238 7C823094 kernel32.GlobalFindAtomA
0042223C 7C80C729 kernel32.lstrcpyA
00422240 7C80B529 kernel32.GetModuleHandleA
00422244 7C80AC28 kernel32.GetProcAddress
00422248 7C810082 kernel32.GlobalUnlock
0042224C 7C80FE2F kernel32.GlobalFree
00422250 7C80C6CF kernel32.SetHandleCount
00422254 7C80C7B1 kernel32.FindResourceA
00422258 7C80A065 kernel32.LoadResource
0042225C 7C81E4BD kernel32.CreateEventA
00422260 7C838F10 kernel32.SuspendThread
00422264 7C80CC67 kernel32.SetThreadPriority
00422268 7C81E92A kernel32.ResumeThread
0042226C 7C809C28 kernel32.SetEvent
00422270 7C802530 kernel32.WaitForSingleObject
00422274 7C80B357 kernel32.GetModuleFileNameA
00422278 7C810119 kernel32.GlobalLock
0042227C 7C80FF2D kernel32.GlobalAlloc
00422280 7C81E19A kernel32.GlobalDeleteAtom
00422284 7C81EE79 kernel32.lstrcmpA
00422288 7C80B929 kernel32.lstrcmpiA
0042228C 7C809919 kernel32.GetCurrentThread
00422290 7C809737 kernel32.GetCurrentThreadId
00422294 7C8647B7 kernel32.CreateToolhelp32Snapshot
00422298 7C863A8D kernel32.Process32First
0042229C 7C80220F kernel32.WriteProcessMemory
004222A0 7C81E079 kernel32.OpenProcess
004222A4 7C8021CC kernel32.ReadProcessMemory
004222A8 7C863C00 kernel32.Process32Next
004222AC 7C809B77 kernel32.CloseHandle
004222B0 7C859F0B kernel32.DebugActiveProcess
004222B4 7C85A268 kernel32.WaitForDebugEvent
004222B8 7C811069 kernel32.GetFileType
004222BC 7C85A34D kernel32.ContinueDebugEvent
004222C0 00ACADB5
004222C4 7711D1ED OLEAUT32.VariantTimeToSystemTime
004222C8 770F4B59 OLEAUT32.SysAllocStringLen
004222CC 770F4850 OLEAUT32.SysFreeString
004222D0 770F66D9 OLEAUT32.VariantChangeType
004222D4 770F4BC2 OLEAUT32.SysAllocString
004222D8 7711D295 OLEAUT32.VariantCopy
004222DC 770F4C55 OLEAUT32.SysAllocStringByteLen
004222E0 770F4C3B OLEAUT32.SysStringLen
004222E4 770F48C0 OLEAUT32.VariantClear
004222E8 00ACAD1C
004222EC 5E5C1FC7
004222F0 00ACADB5
004222F4 77D1B46E USER32.SetRect
004222F8 77D5BB21 USER32.GetNextDlgGroupItem
004222FC 77D402D3 USER32.MessageBeep
00422300 77D1B49D USER32.InvalidateRect
00422304 77D18D03 USER32.CharUpperA
00422308 77D1C64D USER32.InflateRect
0042230C 77D18E00 USER32.RegisterWindowMessageA
00422310 77D3EBB0 USER32.PostThreadMessageA
00422314 77D3152F USER32.SendDlgItemMessageA
00422318 77D1B9D7 USER32.MapWindowPoints
0042231C 77D18E50 USER32.GetSysColor
00422320 77D1E5DC USER32.SetFocus
00422324 77D220A2 USER32.AdjustWindowRectEx
00422328 77D1C5B8 USER32.ScreenToClient
0042232C 77D1C03D USER32.CopyRect
00422330 77D1D16F USER32.GetTopWindow
00422334 77D1BEF3 USER32.IsChild
00422338 77D194FF USER32.GetCapture
0042233C 77D350CF USER32.WinHelpA
00422340 77D1A2DE USER32.wsprintfA
00422344 77D34D4A USER32.GetClassInfoA
00422348 77D22316 USER32.RegisterClassA
0042234C 77D3EABE USER32.GetMenu
00422350 77D2375B USER32.GetMenuItemCount
00422354 77D2355A USER32.GetSubMenu
00422358 77D4EEE8 USER32.GetMenuItemID
0042235C 77D4EEAB USER32.GetWindowTextLengthA
00422360 77D3F82E USER32.GetWindowTextA
00422364 77D1C35C USER32.GetDlgCtrlID
00422368 77D1DF6B USER32.DefWindowProcA
0042236C 77D2190B USER32.CreateWindowExA
00422370 77D1E49A USER32.GetClassLongA
00422374 77D1EDFA USER32.SetPropA
00422378 77D3F29F USER32.UnhookWindowsHookEx
0042237C 77D56969 USER32.CopyAcceleratorTableA
00422380 77D1E34B USER32.CallWindowProcA
00422384 77D1EEA2 USER32.RemovePropA
00422388 77D1C531 USER32.PtInRect
0042238C 77D1C6E4 USER32.GetMessagePos
00422390 77D1C4AE USER32.GetForegroundWindow
00422394 77D266A7 USER32.SetForegroundWindow
00422398 77D1C298 USER32.GetWindow
0042239C 77D1DED3 USER32.SetWindowLongA
004223A0 77D1C78E USER32.SetWindowPos
004223A4 77D18E00 USER32.RegisterWindowMessageA
004223A8 77D1B4D9 USER32.OffsetRect
004223AC 77D1B3E7 USER32.IntersectRect
004223B0 77D20554 USER32.SystemParametersInfoA
004223B4 77D1EB14 USER32.GetWindowPlacement
004223B8 77D1B57C USER32.GetWindowRect
004223BC 77D26CC9 USER32.EndDialog
004223C0 77D25380 USER32.SetActiveWindow
004223C4 77D1B7DB USER32.IsWindow
004223C8 77D1E666 USER32.DestroyWindow
004223CC 77D252A4 USER32.GetDlgItem
004223D0 77D50019 USER32.GetMenuCheckMarkDimensions
004223D4 77D267A8 USER32.LoadBitmapA
004223D8 77D3749F USER32.GetMenuState
004223DC 77D4EF2B USER32.ModifyMenuA
004223E0 77D4F7D2 USER32.SetMenuItemBitmaps
004223E4 77D2711B USER32.CheckMenuItem
004223E8 77D1FC3C USER32.EnableMenuItem
004223EC 77D1C640 USER32.GetFocus
004223F0 77D363D3 USER32.GetNextDlgTabItem
004223F4 77D3EA45 USER32.GetMessageA
004223F8 77D18BCE USER32.TranslateMessage
004223FC 77D1BCBD USER32.DispatchMessageA
00422400 77D1DF1E USER32.GetActiveWindow
00422404 77D1C379 USER32.GetKeyState
00422408 77D1ED6E USER32.CallNextHookEx
0042240C 77D3EC29 USER32.ValidateRect
00422410 77D1BD8E USER32.IsWindowVisible
00422414 77D1CEFD USER32.PeekMessageA
00422418 77D1C566 USER32.GetCursorPos
0042241C 77D221AE USER32.LoadIconA
00422420 77D18C06 USER32.SetTimer
00422424 77D1E2AE USER32.SendMessageA
00422428 77D3E438 USER32.UnregisterClassA
0042242C 77D1CB4B USER32.HideCaret
00422430 77D1CB5F USER32.ShowCaret
00422434 77D1CE27 USER32.ExcludeUpdateRgn
00422438 77D1F623 USER32.DrawFocusRect
0042243C 77D402B2 USER32.SetWindowsHookExA
00422440 77D1B5D7 USER32.GetParent
00422444 77D34E3E USER32.GetLastActivePopup
00422448 77D1C592 USER32.IsWindowEnabled
0042244C 77D1947C USER32.GetWindowLongA
00422450 77D5050B USER32.MessageBoxA
00422454 77D1C6A8 USER32.SetCursor
00422458 77D3EDEB USER32.PostQuitMessage
0042245C 77D1DB62 USER32.PostMessageA
00422460 77D1C4D4 USER32.EnableWindow
00422464 77D18C1A USER32.KillTimer
00422468 77D1C48A USER32.IsIconic
0042246C 77D1E3A1 USER32.DestroyMenu
00422470 77D3EC98 USER32.LoadStringA
00422474 77D18E83 USER32.GetSysColorBrush
00422478 77D1EE3C USER32.GetPropA
0042247C 77D18F75 USER32.GetSystemMetrics
00422480 77D1B556 USER32.GetClientRect
00422484 77D2759D USER32.DefDlgProcA
00422488 77D1C416 USER32.IsWindowUnicode
0042248C 77D301EF USER32.DrawIcon
00422490 77D1E032 USER32.GetClassNameA
00422494 77D1D7BB USER32.GetDesktopWindow
00422498 77D1E8FA USER32.LoadCursorA
0042249C 77D557DD USER32.GrayStringA
004224A0 77D35D61 USER32.DrawTextA
004224A4 77D5A1DD USER32.TabbedTextOutA
004224A8 77D1B4C5 USER32.EndPaint
004224AC 77D1B4B1 USER32.BeginPaint
004224B0 77D18FF9 USER32.GetWindowDC
004224B4 77D1866D USER32.ReleaseDC
004224B8 77D18697 USER32.GetDC
004224BC 77D1BF2C USER32.ClientToScreen
004224C0 77D1A041 USER32.wvsprintfA
004224C4 77D3EC40 USER32.CharNextA
004224C8 77D1D4DE USER32.ShowWindow
004224CC 77D1D515 USER32.MoveWindow
004224D0 77D1DC5A USER32.SetWindowTextA
004224D4 77D35C98 USER32.IsDialogMessageA
004224D8 77D2FD41 USER32.CreateDialogIndirectParamA
004224DC 77D1C064 USER32.UpdateWindow
004224E0 77D1C210 USER32.GetMessageTime
004224E4 77D3563B USER32.SetWindowContextHelpId
004224E8 77D5BA46 USER32.MapDialogRect
004224EC 00ACADAB
004224F0 72F75390 WINSPOOL.ClosePrinter
004224F4 72F86673 WINSPOOL.DocumentPropertiesA
004224F8 72F83767 WINSPOOL.OpenPrinterA
004224FC 00ACAD6A
00422500 76322533 comdlg32.GetFileTitleA
00422504 00ACAD6A
00422508 769DD1E0 ole32.CoFreeUnusedLibraries
0042250C 769D949B ole32.OleInitialize
00422510 769A2068 ole32.CoTaskMemAlloc
00422514 769A204C ole32.CoTaskMemFree
00422518 769CEA61 ole32.CreateILockBytesOnHGlobal
0042251C 769CEB91 ole32.StgCreateDocfileOnILockBytes
00422520 76A8B375 ole32.StgOpenStorageOnILockBytes
00422524 769EF356 ole32.CoGetClassObject
00422528 76A048A4 ole32.CLSIDFromString
0042252C 769F29DD ole32.CLSIDFromProgID
00422530 76A02DA0 ole32.CoRegisterMessageFilter
00422534 769D431A ole32.CoRevokeClassObject
00422538 76A2A529 ole32.OleFlushClipboard
0042253C 76A2A379 ole32.OleIsCurrentClipboard
00422540 769D9539 ole32.OleUninitialize
00422544 00ACACAC
00422548 74C9F0F3 oledlg.OleUIBusyA
0042254C 00ACACCF

Function import table: start [eax]=004220BC, end 0042254C, Size=490. Right? Heh, if there's a mistake please point it out :)

Armadillo V4.X CopyMem-II unpacking: 魔法转换 (Magic Converter) V4.0 release
Thanks for Fly's prompt reply. By "the last breakpoint" I meant this line: "00E891D8 8B85 DCC6FFFF mov eax,dword ptr ss:[ebp-3924] //set the breakpoint here; after it breaks, import table processing is finished". The program I'm debugging differs somewhat from yours, and since this is my first time debugging it I don't know where to set the breakpoint. Maybe it's a rather newbie question, apologies for the embarrassment, heh.

About the Armadillo 4.X Copymem II unpacking problem posted by Fly
Also: I opened a new thread because I was afraid nobody would reply otherwise; sorry for the inconvenience.

About the Armadillo 4.X Copymem II unpacking problem posted by Fly
Heh, it's not that I don't know where that post is; it's right there at #2... What I want to know is how to judge. What I quoted is the original post's content, and what I attached is my own debugging output, and they differ somewhat. So with these questions I'm starting this thread, hoping someone can take a look for me; thanks in advance :)

Armadillo V4.X CopyMem-II unpacking: 魔法转换 (Magic Converter) V4.0 release
Quote ------------------------
Set breakpoint: BP GetTickCount. After it breaks, remove the breakpoint and return:
00E88D57 FF15 AC22E900 call dword ptr ds:[E922AC] ; kernel32.GetTickCount
00E88D5D 8985 8CC3FFFF mov dword ptr ss:[ebp-3C74],eax //returns here
00E88D63 6A 01 push 1
00E88D65 58 pop eax
00E88D66 85C0 test eax,eax
00E88D68 0F84 A8030000 je 00E89116
There is another GetTickCount below that reads the time:
00E89100 8908 mov dword ptr ds:[eax],ecx //function written. Here you can see the import table function start address 005D7208; once import table processing ends, the size can be computed = 8B4
00E89102 8B85 FCC7FFFF mov eax,dword ptr ss:[ebp-3804]
00E89108 83C0 04 add eax,4
00E8910B 8985 FCC7FFFF mov dword ptr ss:[ebp-3804],eax
00E89111 E9 4DFCFFFF jmp 00E88D63
00E89116 FF15 AC22E900 call dword ptr ds:[E922AC] ; kernel32.GetTickCount
00E8911C 2B85 8CC3FFFF sub eax,dword ptr ss:[ebp-3C74]
00E89122 8B8D 90C3FFFF mov ecx,dword ptr ss:[ebp-3C70]
00E89128 6BC9 32 imul ecx,ecx,32
00E8912B 81C1 D0070000 add ecx,7D0
00E89131 3BC1 cmp eax,ecx //time check
00E89133 76 07 jbe short 00E8913C //change to: JMP 00E8913C ★
00E89135 C685 20C8FFFF 0>mov byte ptr ss:[ebp-37E0],1
00E8913C 83BD D0C6FFFF 0>cmp dword ptr ss:[ebp-3930],0
00E89143 0F85 8A000000 jnz 00E891D3
00E891B8 83C4 0C add esp,0C
00E891BB 8B85 58C8FFFF mov eax,dword ptr ss:[ebp-37A8]
00E891C1 8985 A49EFFFF mov dword ptr ss:[ebp+FFFF9EA4],eax
00E891C7 FFB5 A49EFFFF push dword ptr ss:[ebp+FFFF9EA4]
00E891CD E8 64820000 call 00E91436 ; jmp to msvcrt.operator delete
00E891D2 59 pop ecx
00E891D3 E9 05F7FFFF jmp 00E888DD
00E891D8 8B85 DCC6FFFF mov eax,dword ptr ss:[ebp-3924] //set the breakpoint here; after it breaks, import table processing is finished
---------------------------
When I unpacked a program following the tutorial, I got this:
00AE6FFD 8908 mov dword ptr ds:[eax],ecx //function written. Here you can see the import table function start address [eax];
00AE6FFF 8B85 04C8FFFF mov eax,dword ptr ss:[ebp-37FC]
00AE7005 83C0 04 add eax,4
00AE7008 8985 04C8FFFF mov dword ptr ss:[ebp-37FC],eax
00AE700E ^ E9 CEFCFFFF jmp 00AE6CE1
00AE7013 FF15 9C02AF00 call dword ptr ds:[AF029C] ; kernel32.GetTickCount
00AE7019 2B85 94C4FFFF sub eax,dword ptr ss:[ebp-3B6C]
00AE701F 8B8D 98C4FFFF mov ecx,dword ptr ss:[ebp-3B68]
00AE7025 6BC9 32 imul ecx,ecx,32
00AE7028 81C1 D0070000 add ecx,7D0
00AE702E 3BC1 cmp eax,ecx
00AE7030 EB 07 jbe short 00AE7039 //changed to JMP
00AE7032 C685 28C8FFFF 0>mov byte ptr ss:[ebp-37D8],1
00AE7039 83BD D8C6FFFF 0>cmp dword ptr ss:[ebp-3928],0
00AE7040 0F85 8A000000 jnz 00AE70D0
00AE7046 0FB685 84C4FFFF movzx eax,byte ptr ss:[ebp-3B7C]
00AE704D 85C0 test eax,eax
00AE704F 74 7F je short 00AE70D0
00AE7051 6A 00 push 0
...
...
...
00AE708E 50 push eax
00AE708F E8 EC7D0000 call 00AEEE80 ; jmp to msvcrt.memcpy
00AE7094 83C4 0C add esp,0C
00AE7097 6A 01 push 1
00AE7099 8B85 88C4FFFF mov eax,dword ptr ss:[ebp-3B78]
00AE709F C1E0 02 shl eax,2
00AE70A2 50 push eax
00AE70A3 8B85 00C7FFFF mov eax,dword ptr ss:[ebp-3900]
00AE70A9 0385 80C4FFFF add eax,dword ptr ss:[ebp-3B80]
00AE70AF 50 push eax
00AE70B0 E8 341B0000 call 00AE8BE9
00AE70B5 83C4 0C add esp,0C
00AE70B8 8B85 60C8FFFF mov eax,dword ptr ss:[ebp-37A0]
00AE70BE 8985 C8AFFFFF mov dword ptr ss:[ebp+FFFFAFC8],eax
00AE70C4 FFB5 C8AFFFFF push dword ptr ss:[ebp+FFFFAFC8]
00AE70CA E8 AB7D0000 call 00AEEE7A ; jmp to msvcrt.operator delete
00AE70CF 59 pop ecx
00AE70D0 83BD D8C6FFFF 0>cmp dword ptr ss:[ebp-3928],0
00AE70D7 75 2A jnz short 00AE7103
00AE70D9 8D85 7CC4FFFF lea eax,dword ptr ss:[ebp-3B84]
00AE70DF 50 push eax
00AE70E0 FFB5 7CC4FFFF push dword ptr ss:[ebp-3B84]
00AE70E6 8B85 88C4FFFF mov eax,dword ptr ss:[ebp-3B78]
00AE70EC C1E0 02 shl eax,2
00AE70EF 50 push eax
00AE70F0 8B85 00C7FFFF mov eax,dword ptr ss:[ebp-3900]
00AE70F6 0385 80C4FFFF add eax,dword ptr ss:[ebp-3B80]
00AE70FC 50 push eax
00AE70FD FF15 4801AF00 call dword ptr ds:[AF0148] ; kernel32.VirtualProtect
00AE7103 ^ E9 E3F7FFFF jmp 00AE68EB
00AE7108 8B85 E4C6FFFF mov eax,dword ptr ss:[ebp-391C]
00AE710E 8985 C4AFFFFF mov dword ptr ss:[ebp+FFFFAFC4],eax
00AE7114 FFB5 C4AFFFFF push dword ptr ss:[ebp+FFFFAFC4]
00AE711A E8 5B7D0000 call 00AEEE7A ; jmp to msvcrt.operator delete
00AE711F 59 pop ecx
00AE7120 83BD D8C6FFFF 0>cmp dword ptr ss:[ebp-3928],0
00AE7127 0F84 59010000 je 00AE7286
00AE712D A1 2800B000 mov eax,dword ptr ds:[B00028]
00AE7132 8B40 58 mov eax,dword ptr ds:[eax+58]
00AE7135 8985 D4ADFFFF mov dword ptr ss:[ebp+FFFFADD4],eax
00AE713B 8B85 D4ADFFFF mov eax,dword ptr ss:[ebp+FFFFADD4]
00AE7141 8985 44C1FFFF mov dword ptr ss:[ebp-3EBC],eax
00AE7147 E8 8D360000 call 00AEA7D9
00AE714C F7D8 neg eax
00AE714E 1BC0 sbb eax,eax
00AE7150 25 00010000 and eax,100
00AE7155 05 00010000 add eax,100
00AE715A 8985 C0ADFFFF mov dword ptr ss:[ebp+FFFFADC0],eax
00AE7160 68 0D5EDF01 push 1DF5E0D
00AE7165 FFB5 44C1FFFF push dword ptr ss:[ebp-3EBC]
00AE716B 8D8D 44C1FFFF lea ecx,dword ptr ss:[ebp-3EBC]
00AE7171 E8 FB9EFDFF call 00AC1071
00AE7176 40 inc eax
Could the seniors advise where the last breakpoint is best placed? Also, how do I find the end of the function import table so I can compute the Size? Please explain in detail. For example, Fly said that at the end you check whether the function table has finished by scrolling down in the data window; could you paste the Data directly so I can see it? That would be more concrete.

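Both the question above (how to find where the import table ends and compute the Size) and the data-window dump posted earlier in the thread come down to the same bookkeeping: read the slots OllyDbg shows, find the first and last one, and separate the slots that resolve to a DLL export from the ones the stub leaves pointing back into itself. The following script is an added example, not code from the thread or from any of the tools named in it. DUMP is a constructed, non-contiguous excerpt of the dump above; the 00AC0000..00B00000 range used to recognise pointers into the Armadillo stub is an assumption drawn from the addresses the stub code runs at in the disassembly (00AC..., 00AE...), and ImportREC's handling of invalid pointers is described only in general terms.

```python
# Added example: derive ImportREC's IAT start/size from an OllyDbg data-window
# dump. Not code from the thread. DUMP is a constructed excerpt of the posted
# dump; PROTECTOR_RANGE is an assumption (see lead-in).
import re

DUMP = """\
00422000 77DA6BF0 ADVAPI32.RegCloseKey
00422004 77DAEBE7 ADVAPI32.RegSetValueExA
00422008 77DA761B ADVAPI32.RegOpenKeyExA
0042200C 77DAEAF4 ADVAPI32.RegCreateKeyExA
00422010 00ACACCF
00422014 5C8415DD COMCTL32.InitCommonControls
00422018 00ACAD98
0042201C 77EF5D0B GDI32.SetBkMode
004220B8 00ACACAC
004220BC 7C825F62 kernel32.FormatMessageA
004220C0 7C957A40 ntdll.RtlUnwind
004221B8 7C812996 ASCII "jPh"
00422540 769D9539 ole32.OleUninitialize
00422544 00ACACAC
00422548 74C9F0F3 oledlg.OleUIBusyA
0042254C 00ACACCF
"""

PROTECTOR_RANGE = (0x00AC0000, 0x00B00000)   # assumption: where the stub lives

LINE_RE = re.compile(r"^([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]{8})\s*(.*)$")


def parse_dump(text):
    """Return [(slot_address, dword, comment)] for each 'addr value comment' line."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            addr, value, comment = m.groups()
            entries.append((int(addr, 16), int(value, 16), comment.strip()))
    return entries


def is_resolved(comment):
    """OllyDbg labels a pointer to a DLL export as MODULE.Export. A bare number,
    or a guess such as ASCII "jPh", means the slot does not hold a usable thunk."""
    return "." in comment and not comment.startswith("ASCII")


def classify(entries):
    """Split slots into resolved thunks, pointers into the protector (the slots
    that sit where a DLL boundary would normally hold a zero terminator), and
    slots that point into a DLL but not at an export start."""
    lo, hi = PROTECTOR_RANGE
    resolved, protector, broken = [], [], []
    for addr, value, comment in entries:
        if is_resolved(comment):
            resolved.append((addr, comment))
        elif lo <= value < hi:
            protector.append((addr, value))
        else:
            broken.append((addr, value, comment))
    return resolved, protector, broken


def iat_size(entries, start=None):
    """(first, last, size_exclusive, size_inclusive). The thread computes Size as
    last_slot - first_slot (004220BC..0042254C gives 490); last + 4 - first also
    covers the final dword. 'start' lets you begin at a later slot, as the post
    does with [eax]=004220BC instead of the first ADVAPI32 slot at 00422000."""
    addrs = sorted(a for a, _, _ in entries)
    first = addrs[0] if start is None else start
    last = addrs[-1]
    return first, last, last - first, last + 4 - first


def module_counts(entries):
    """How many resolved thunks each DLL contributes, in dump order."""
    counts = {}
    for _, _, comment in entries:
        if is_resolved(comment):
            mod = comment.split(".", 1)[0]
            counts[mod] = counts.get(mod, 0) + 1
    return counts


if __name__ == "__main__":
    ents = parse_dump(DUMP)
    first, last, size_excl, size_incl = iat_size(ents)
    print("IAT %08X..%08X  Size=%X (inclusive %X)" % (first, last, size_excl, size_incl))
    first, last, size_excl, _ = iat_size(ents, start=0x004220BC)
    print("Starting at 004220BC as in the post: Size=%X" % size_excl)
    resolved, protector, broken = classify(ents)
    print("%d resolved thunks: %s" % (len(resolved), module_counts(ents)))
    for addr, value in protector:
        print("  %08X -> %08X  pointer into the protector, not a DLL export" % (addr, value))
    for addr, value, comment in broken:
        print("  %08X -> %08X  %s  inside a DLL but not at an export" % (addr, value, comment))
```

Run on the full dump instead of the excerpt, the first ADVAPI32 slot at 00422000 gives Size=54C, which is the figure the earlier reply mentions trying, and starting at 004220BC as the later post does gives 490. The slots that fall into the protector range and the one OllyDbg could only label as ASCII are the entries ImportREC will not resolve on its own.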
Armadillo 3.78 - 4.xx + CopyMem2
Heh, I've already run it through a translation tool from Portuguese to English, but I don't have permission to upload.

fly, there's new stuff
Paste it here so we can have a look?

RORDbg usage notes
Originally posted by 林海雪原: Hmm, this packer signature library probably isn't complete yet; I'm tracing themida and PE-ARMor, no results so far.

RORDbg usage notes
Eip==00401000 GetLastError:::77E68265
Unknown packer
00401000 B81C164800 MOV EAX,48161C
00401005 50 PUSH EAX
00401006 64FF3500000000 PUSH DWORD PTR FS:[0]
0040100D 64892500000000 MOV DWORD PTR FS:[0],ESP
00401014 33C0 XOR EAX,EAX
00401016 8908 MOV DWORD PTR [EAX],ECX
Exception raised! FS:[0]==0012FFBC Exception handler address: 0048161C
This exception was caught successfully!
0048161C B86904B9FF MOV EAX,FFB90469
00481621 8D88D6118F00 LEA ECX,DWORD PTR [EAX+08F11D6h]
00481627 894101 MOV DWORD PTR [ECX+01h],EAX
0048162A 8B542404 MOV EDX,DWORD PTR [ESP+04h]
0048162E 8B520C MOV EDX,DWORD PTR [EDX+0Ch]
00481631 C602E9 MOV BYTE PTR [EDX],E9
00481634 83C205 ADD EDX,5
00481637 2BCA SUB ECX,EDX
00481639 894AFC MOV DWORD PTR [EDX-04h],ECX
0048163C 33C0 XOR EAX,EAX
0048163E C3 RET
End of exception handler code!
00401016 E924060800 JMP 0048163F
0048163F B86904B9FF MOV EAX,FFB90469
00481644 648F0500000000 POP DWORD PTR FS:[0]
0048164B 83C404 ADD ESP,4
0048164E 55 PUSH EBP
0048164F 53 PUSH EBX
00481650 51 PUSH ECX
00481651 57 PUSH EDI
00481652 56 PUSH ESI
00481653 52 PUSH EDX
. . .
00347F42 ***API: KERNEL32.DLL!VirtualProtect
00347F42 ***API: KERNEL32.DLL!VirtualProtect
00347F3E ***API: KERNEL32.DLL!VirtualFree
Possibly at the OEP; if not exactly right, single-step a few more times!
004816E9 FFE0 JMP EAX
Possibly at the OEP; if not exactly right, single-step a few more times!
004629EC 6A60 PUSH 60
004629EE 68384A4300 PUSH 434A38
004629F3 E8B4180000 CALL 004642AC
004642AC 686C254600 PUSH 46256C
004642B1 64A100000000 MOV EAX,DWORD PTR FS:[00h]
00347F41 ***API: KERNEL32.DLL!GetVersionExA
00462A0C FF1590114000 CALL DWORD PTR [+0401190h]
Make PE now
Start:77F80000 End:77FFC000
GetLastError:::77E68265
Start:77E60000 End:77F33000
Start:10000000 End:100A2000
Start:78000000 End:78045000
Start:6C170000 End:6C26B000
Start:77F40000 End:77F7C000
Start:77DF0000 End:77E59000
Start:75E00000 End:75E1A000
Start:796D0000 End:79735000
Start:786F0000 End:78768000
Start:6C140000 End:6C149000
Start:777E0000 End:777E7000
Start:75950000 End:75956000
Start:78F90000 End:791D5000
Start:772A0000 End:77306000
Start:71710000 End:71794000
Start:77990000 End:77A2B000
Start:7CF00000 End:7CFEF000
Start:74FB0000 End:74FC4000
Start:74FA0000 End:74FA8000
Start:76AF0000 End:76B2E000
HODULE=00400108 nSec=2
VirtualSize RVA PhysicalSize PhysicalOffset
p=00400200 7f000 1000 25400 400
p=00400228 2000 80000 1800 25800
pStart=00401000 pEnd=00401390
16ba 82000 16ba 82000
1f0 -> 1000
write object at 401000 len 7f000
Writing 401000 len 7f000
80000 -> 80000
write object at 480000 len 2000
Writing 480000 len 2000
82000 -> 82000
Writing 349ff0 len 16ba
File saved to: D:\unpack\PEiD0.94\PEiD\ROR_Unpacked.exe
Heh, not bad, it runs fine.

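The trace above shows the classic SEH entry trick: the stub installs a handler through FS:[0], faults on purpose with MOV [EAX],ECX while EAX is zero, and the handler rewrites the faulting instruction into a five-byte JMP to the rest of the stub, whose address is hidden behind a 32-bit wrap-around in LEA ECX,[EAX+08F11D6h]. The script below is an added example, not code from the thread or from RORDbg; it models just enough of the handler to reproduce the numbers the trace prints. The entry bytes are copied from the trace into a constructed bytearray, the EXCEPTION_RECORD offset 0Ch is ExceptionAddress (that is what [ESP+4] then [EDX+0Ch] reads in the handler), and the write to [ECX+1] is only described in a comment because it lands outside the bytes modelled here.

```python
# Added example: model of the SEH trick in the RORDbg trace. Not code from the
# thread. ENTRY_BYTES is constructed from the listed opcodes at 00401000.
import struct

MASK32 = 0xFFFFFFFF
IMAGE_BASE = 0x00401000          # address of ENTRY_BYTES[0]
FAULT_ADDR = 0x00401016          # MOV DWORD PTR [EAX],ECX with EAX == 0

ENTRY_BYTES = bytes.fromhex(
    "B81C164800"        # 00401000 MOV EAX,48161C          handler address
    "50"                # 00401005 PUSH EAX
    "64FF3500000000"    # 00401006 PUSH DWORD PTR FS:[0]   link to old handler
    "64892500000000"    # 0040100D MOV DWORD PTR FS:[0],ESP  install handler
    "33C0"              # 00401014 XOR EAX,EAX
    "8908"              # 00401016 MOV DWORD PTR [EAX],ECX  deliberate fault
)


def handler_target(eax, disp):
    """LEA ECX,[EAX+disp] in the handler. The continuation address only appears
    after the 32-bit wrap: FFB90469 + 8F11D6 = 1_0048163F -> 0048163F."""
    return (eax + disp) & MASK32


def encode_jmp_rel32(at, target):
    """The five bytes the handler writes over the faulting instruction:
    E9 at [EDX], then rel32 at [EDX+5-4], measured from the end of the JMP."""
    rel = (target - (at + 5)) & MASK32
    return b"\xE9" + struct.pack("<I", rel)


def decode_jmp_rel32(at, code):
    """Inverse of encode_jmp_rel32: the target a JMP rel32 at 'at' lands on."""
    if len(code) < 5 or code[0] != 0xE9:
        raise ValueError("not a JMP rel32")
    rel = struct.unpack("<i", code[1:5])[0]
    return (at + 5 + rel) & MASK32


def run_handler(memory, base, exception_address, eax=0xFFB90469, disp=0x08F11D6):
    """Emulate the handler at 0048161C on 'memory', a bytearray mapped at 'base'.
    exception_address is EXCEPTION_RECORD.ExceptionAddress ([ESP+4] -> [EDX+0Ch]).
    Returns ECX, the address execution continues at after the RET."""
    ecx = handler_target(eax, disp)
    # MOV DWORD PTR [ECX+1],EAX rewrites the immediate of the MOV EAX at ECX
    # with the value it already holds; that address is outside this buffer.
    off = exception_address - base
    memory[off:off + 5] = encode_jmp_rel32(exception_address, ecx)
    return ecx


def main():
    memory = bytearray(ENTRY_BYTES + b"\x00" * 8)   # room for the 5-byte JMP
    target = run_handler(memory, IMAGE_BASE, FAULT_ADDR)
    off = FAULT_ADDR - IMAGE_BASE
    patched = bytes(memory[off:off + 5])
    print("handler continues at %08X" % target)
    print("bytes at %08X after the handler: %s" % (FAULT_ADDR, patched.hex().upper()))
    print("decoded: JMP %08X" % decode_jmp_rel32(FAULT_ADDR, patched))


if __name__ == "__main__":
    main()
```

The patched bytes come out as E924060800, matching the line "00401016 E924060800 JMP 0048163F" that the tool logs after the handler returns; a debugger that swallows the access violation instead of passing it to the program never runs the handler, so the JMP is never written and the stub cannot continue, which is why such tools have to forward this exception.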
Releasing the second test build of the OllyDBG Chinese localization, please help test
Originally posted by CCDebuger: Heh, tracing the DLL loading with another OD, the error occurs while windowjuggler is loading; but if you remove either hidedebugger or windowjuggler, OD runs normally. Could an expert take a look?