Confused about the XOR!
It goes like this: the author assumes the entered registration code is "0123456789ABCDEF". After some computation, at a certain point the 8 BYTEs starting at SS:[sp+4] will be 0x10, 0x32, 0x54, 0x76, 0x98, 0xBA, 0xDC, 0xFE; these 8 BYTEs are then XORed in pairs to get the final 4 BYTEs, and the final 4 BYTEs must be 0x55, 0x6E, 0x4E, 0x98 for the registration code to count as valid. That is, 10 xor 76 == 55, 32 xor FE == 6E, 54 xor BA == 4E, 98 xor DC == 98 must all hold. The four equations above obviously do not hold, which only shows that "0123456789ABCDEF" is not a valid registration code.
Experts, please help me find what is wrong with the code below, it is making my head spin!
Both OnOK and OnClose should look like this:
...
DWORD dwp, dwoldflag;
HANDLE ghd = OpenProcess(PROCESS_ALL_ACCESS, FALSE, hProcId);
if (ghd) {
    dwp = 0x004A7541 - 0x0044A250 - 0x5;   // E8 rel32 displacement: target - address of the call - 5
    VirtualProtectEx(ghd, (void*)0x0044A251, 4, PAGE_EXECUTE_READWRITE, &dwoldflag);
    WriteProcessMemory(ghd, (void*)0x0044A251, &dwp, 4, NULL);
    VirtualProtectEx(ghd, (void*)0x0044A251, 4, dwoldflag, &dwoldflag);
    CloseHandle(ghd);   // only close a handle that was actually opened
}
Your problems:
1. In ::OnOK(), `*((DWORD*)0x0044A251)=(DWORD)dwp;` modifies your own program's memory, not the memory of the process you opened; and CloseHandle() is never called.
2. In ::OnClose(), modifying another process requires VirtualProtectEx/WriteProcessMemory, not VirtualProtect; `*(DW*)xxx=yyy` again modifies your own process. Of course you also need h = OpenProcess(), unless the handle returned by the earlier OpenProcess() was never passed to CloseHandle() and was saved.
Can someone help analyze this program? It looks like DES, but I don't know the key
What DES? It should be memcpy().
[Help] Acprotect packer (already solved)
0046F5B1 3B85 2C854100 CMP EAX,DWORD PTR SS:[EBP+41852C]
0046F5B7 74 20 JE SHORT gameupda.0046F5D9 // NO JMP ***
0046F5B9 90 NOP
0046F5BA 90 NOP
0046F5BB 90 NOP
0046F5BC 90 NOP
0046F5BD 3B85 C4FD4000 CMP EAX,DWORD PTR SS:[EBP+40FDC4]
0046F5C3 74 09 JE SHORT gameupda.0046F5CE // NO JMP ***
0046F5C5 90 NOP
0046F5C6 90 NOP
0046F5C7 90 NOP
0046F5C8 90 NOP
0046F5C9 EB 14 JMP SHORT gameupda.0046F5DF
0046F5CB 90 NOP
0046F5CC 90 NOP
0046F5CD 90 NOP
0046F5CE 8D85 31FE4000 LEA EAX,DWORD PTR SS:[EBP+40FE31]
0046F5D4 EB 09 JMP SHORT gameupda.0046F5DF
0046F5D6 90 NOP
0046F5D7 90 NOP
0046F5D8 90 NOP
0046F5D9 8D85 4BFE4000 LEA EAX,DWORD PTR SS:[EBP+40FE4B]
0046F5DF 56 PUSH ESI
0046F5E0 FFB5 3EF84000 PUSH DWORD PTR SS:[EBP+40F83E]
0046F5E6 5E POP ESI
0046F5E7 39B5 12204000 CMP DWORD PTR SS:[EBP+402012],ESI
0046F5ED 74 15 JE SHORT gameupda.0046F604 // NO JMP ***
0046F5EF 90 NOP
0046F5F0 90 NOP
0046F5F1 90 NOP
0046F5F2 90 NOP
0046F5F3 39B5 16204000 CMP DWORD PTR SS:[EBP+402016],ESI
0046F5F9 74 09 JE SHORT gameupda.0046F604 // NO JMP ***
0046F5FB 90 NOP
0046F5FC 90 NOP
0046F5FD 90 NOP
0046F5FE 90 NOP
0046F5FF EB 63 JMP SHORT gameupda.0046F664 // YES !!!
[Help] Aspr2.0x unpacking problem (extremely frustrating)
With VolX's script "Asprotect 2.XX SKE IAT Fixer" the packer comes off in seconds. OEP=474EF9, IAT: 4B5000-4B583F. After fixing with ImpRec, there are 3 places that need to be changed and then it works:
1.)
0041B5E7 . E8 D4C60000 CALL w_.00427CC0
0041B5EC . 8B15 0C304D00 MOV EDX,DWORD PTR DS:[4D300C]
0041B5F2 . 83C9 FF OR ECX,FFFFFFFF
0041B5F5 . 8BFA MOV EDI,EDX
0041B5F7 . 33C0 XOR EAX,EAX
0041B5F9 . F2:AE REPNE SCAS BYTE PTR ES:[EDI] // this is where it faults
Trace the original program and set a hardware read breakpoint at 4D300C: [4D300C] = 004FD838
2.) 0041B2F0 should always return 1. What it actually does is check whether the code at a certain location is E8. With VolX's script the IAT was fixed, i.e. many E8 xxxxxxxx Call XXXXXXXX were changed back into FF15 yyyyyyyy Call DWORD PTR DS:[YYYYYYYY]. If it is not E8 xxxxxxxx, the code below returns EAX=0.
0041B2F0 $ 52 PUSH EDX
0041B2F1 . 57 PUSH EDI
0041B2F2 . E8 95000000 CALL w_.0041B38C
0041B2F7 . 035424 38 ADD EDX,DWORD PTR SS:[ESP+38]
0041B2FB . BA 66C34100 MOV EDX,w_.0041C366
0041B300 . 8D5424 08 LEA EDX,DWORD PTR SS:[ESP+8]
0041B304 . 8D5402 F4 LEA EDX,DWORD PTR DS:[EDX+EAX-C]
0041B308 . 2BD0 SUB EDX,EAX
0041B30A . FF32 PUSH DWORD PTR DS:[EDX]
0041B30C . 335424 08 XOR EDX,DWORD PTR SS:[ESP+8]
0041B310 . 335424 28 XOR EDX,DWORD PTR SS:[ESP+28]
0041B314 . 5A POP EDX
0041B315 . 8D9422 37D8FEFF LEA EDX,DWORD PTR DS:[EDX+FFFED837]
0041B31C . 8D7C75 4C LEA EDI,DWORD PTR SS:[EBP+ESI*2+4C]
0041B320 . 8D7C07 B4 LEA EDI,DWORD PTR DS:[EDI+EAX-4C]
0041B324 . 2BF8 SUB EDI,EAX
0041B326 . FF32 PUSH DWORD PTR DS:[EDX]
0041B328 . 337C24 08 XOR EDI,DWORD PTR SS:[ESP+8]
0041B32C . BF 3A054200 MOV EDI,w_.0042053A
0041B331 . 5F POP EDI
0041B332 . 81E7 FF000000 AND EDI,0FF
0041B338 . C1DA CF RCR EDX,0CF ; Shift constant out of range 1..31
0041B33B . 83CA 6B OR EDX,6B
0041B33E . 81EA F44D63A3 SUB EDX,A3634DF4
0041B344 . 8D97 A680D7AD LEA EDX,DWORD PTR DS:[EDI+ADD780A6]
0041B34A . 2BD7 SUB EDX,EDI
0041B34C . 8DBC1F 727E2852 LEA EDI,DWORD PTR DS:[EDI+EBX+52287E72]
0041B353 . 2BFB SUB EDI,EBX
0041B355 . 03FA ADD EDI,EDX
0041B357 . 0BFF OR EDI,EDI // EDI should be ==0 here
0041B359 0F85 24000000 JNZ w_.0041B383 // NOP it out ****
0041B35F . 03FF ADD EDI,EDI
0041B361 . 33FF XOR EDI,EDI
0041B363 . C1C8 71 ROR EAX,71 ; Shift constant out of range 1..31
0041B366 . C1D8 ED RCR EAX,0ED ; Shift constant out of range 1..31
0041B369 . C1D8 A5 RCR EAX,0A5 ; Shift constant out of range 1..31
0041B36C . 83D8 E1 SBB EAX,-1F
0041B36F . 33C1 XOR EAX,ECX
0041B371 . 8D442F 44 LEA EAX,DWORD PTR DS:[EDI+EBP+44]
0041B375 . 2BC5 SUB EAX,EBP
0041B377 . 8D4408 BC LEA EAX,DWORD PTR DS:[EAX+ECX-44]
0041B37B . 2BC1 SUB EAX,ECX
0041B37D . 40 INC EAX
0041B37E . E9 11000000 JMP w_.0041B394
0041B383 > 13C1 ADC EAX,ECX
0041B385 . 33C0 XOR EAX,EAX
0041B387 . E9 08000000 JMP w_.0041B394
0041B38C /$ 83CA 1B OR EDX,1B
0041B38F |. 035424 38 ADD EDX,DWORD PTR SS:[ESP+38]
0041B393 \. C3 RETN
0041B394 > 5F POP EDI
0041B395 . 5A POP EDX
0041B396 . EB 68 JMP SHORT w_.0041B400
3.) Same as 2): it checks whether the code at a certain location is E8.
0041B520 . 55 PUSH EBP
0041B521 . 8BEC MOV EBP,ESP
0041B523 . 6A FF PUSH -1
0041B525 . 68 D3144B00 PUSH w_.004B14D3 ; SE handler installation
0041B52A . 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
0041B530 . 50 PUSH EAX
0041B531 . 64:8925 00000000 MOV DWORD PTR FS:[0],ESP
0041B538 . 81EC D8020000 SUB ESP,2D8
0041B53E . 53 PUSH EBX
0041B53F . 56 PUSH ESI
...
0041B6D2 . E8 19FCFFFF CALL w_.0041B2F0 // ***
0041B6D7 . 85C0 TEST EAX,EAX
0041B6D9 . 74 31 JE SHORT w_.0041B70C
0041B6DB . 8D55 AC LEA EDX,DWORD PTR SS:[EBP-54]
0041B6DE . 8BCB MOV ECX,EBX
0041B6E0 . 52 PUSH EDX
0041B6E1 . E8 7E0A0900 CALL w_.004AC164
0041B6E6 . 85C0 TEST EAX,EAX
0041B6E8 . 75 22 JNZ SHORT w_.0041B70C
0041B6EA . 8D4D AC LEA ECX,DWORD PTR SS:[EBP-54]
0041B6ED . C745 FC FFFFFFFF MOV DWORD PTR SS:[EBP-4],-1
0041B6F4 . E8 EB060900 CALL w_.004ABDE4
0041B6F9 . 5F POP EDI
0041B6FA . 5E POP ESI
0041B6FB . 33C0 XOR EAX,EAX
0041B6FD . 5B POP EBX
0041B6FE . 8B4D F4 MOV ECX,DWORD PTR SS:[EBP-C]
0041B701 . 64:890D 00000000 MOV DWORD PTR FS:[0],ECX
0041B708 . 8BE5 MOV ESP,EBP
0041B70A . 5D POP EBP
0041B70B . C3 RETN
0041B70C > 56 PUSH ESI
0041B70D . 53 PUSH EBX
0041B70E . E8 7B000000 CALL w_.0041B78E
0041B713 . C1CE FB ROR ESI,0FB ; Shift constant out of range 1..31
0041B716 . 83DE D7 SBB ESI,-29
0041B719 . 8D7424 20 LEA ESI,DWORD PTR SS:[ESP+20]
0041B71D . 8D7426 DC LEA ESI,DWORD PTR DS:[ESI-24]
0041B721 . 8B36 MOV ESI,DWORD PTR DS:[ESI]
0041B723 . 23DB AND EBX,EBX
0041B725 . 68 9D040000 PUSH 49D
0041B72A . 335C24 08 XOR EBX,DWORD PTR SS:[ESP+8]
0041B72E . BB 8A024B00 MOV EBX,w_.004B028A ; ASCII "wL"
0041B733 . 5B POP EBX
0041B734 . 03F3 ADD ESI,EBX
0041B736 . 0BDF OR EBX,EDI
0041B738 . FF36 PUSH DWORD PTR DS:[ESI]
0041B73A . BB 6A974600 MOV EBX,w_.0046976A
0041B73F . 335C24 08 XOR EBX,DWORD PTR SS:[ESP+8]
0041B743 . 5B POP EBX
0041B744 . 81E3 FF000000 AND EBX,0FF
0041B74A . 83EE C3 SUB ESI,-3D
0041B74D . 037424 38 ADD ESI,DWORD PTR SS:[ESP+38]
0041B751 . 2BF7 SUB ESI,EDI
0041B753 . 8DB3 FAFB0220 LEA ESI,DWORD PTR DS:[EBX+2002FBFA]
0041B759 . 2BF3 SUB ESI,EBX
0041B75B . 8D9C3B 1E03FDDF LEA EBX,DWORD PTR DS:[EBX+EDI+DFFD031E]
0041B762 . 2BDF SUB EBX,EDI
0041B764 . 03DE ADD EBX,ESI
0041B766 . 0BDB OR EBX,EBX // EBX == 0!!!!
0041B768 . 0F84 27000000 JE w_.0041B795 // JMP ****
0041B76E . 8D6C4B 18 LEA EBP,DWORD PTR DS:[EBX+ECX*2+18]
0041B772 . 83ED 18 SUB EBP,18
0041B775 . 2BE9 SUB EBP,ECX
0041B777 . 83CE 8B OR ESI,FFFFFF8B
0041B77A . 83DE 67 SBB ESI,67
0041B77D . 2BFB SUB EDI,EBX
0041B77F . 68 60B6E4DD PUSH DDE4B660
0041B784 . 68 7E7B22B8 PUSH B8227B7E
0041B789 . E9 07000000 JMP w_.0041B795
0041B78E $ 83DE 57 SBB ESI,57
0041B791 . C1C6 73 ROL ESI,73 ; Shift constant out of range 1..31
0041B794 . C3 RETN
0041B795 > 5B POP EBX
0041B796 . 5E POP ESI
0041B797 . E9 80000000 JMP w_.0041B81C
I downloaded Web Log Explorer 3.1 Standard Edition (Build 0318) from http://www.exacttrend.com/
[Help] Beidou NsPacK V3.4-V3.5 -> LiuXingPing [Overlay] * unpacking
Load in OD, bp GetVersion, F9 Run, Ctrl+F9, dump, fix with ImpRec: OEP 3831 (403831), IAT: 406000-4060B4. Overlay data: with HexEdit, copy 26000-fc407 from the original file into the newly fixed file. OK
Detailed explanation of "The puzzling problem after unpacking a UPX-packed program" (experts need not enter)
The last 0C bytes of sw.exe: 20 11 A8 AA-AA 0C A8 AA-2F EF C7 5B. After decryption (XOR AA) they are: 8A BB 02 00-00 A6 02 00-85 45 6D F1, i.e. size=0002BB8A, offset=0002A600, crc=F16D4585. Since the unpacked file new.exe grew by 50A00, size = 0007C58A, offset= 0007B000, CRC = ..... After encryption (XOR AA) that is: 20 6F AD AA-AA 1A AD AA-xx xx xx xx