[Repost] ACProtect_2.0_by_CR_CKLAB.RU
Even though it says the registration succeeded, the packed file still reports trial-version protection, so it is about the same as a plain compression packer.

ARJ Archive * What packer is this and how do I unpack it?
There is no such packer; it is a false positive.

[Update] The handy FlexHEX Editor 2.4 (quietly asking the gurus whether there is a Christmas present, haha)
Gurus don't celebrate Christmas, only New Year's Day.

[Help] Brothers, does anyone have 崛北 0.28 BETA?
I have both versions on my hard drive; for fear that the antivirus would simply delete them, I keep both inside archives.

[Help] Is there any packer written in a language other than assembly?
I write unpackers in VC.

[Original] Extra, extra: a little helper for patching ASProtect sections is out
Supporting this; actually, implementing it programmatically might be better.

HeapMagic
This piece of code is in plaintext inside Themida; I noticed it long ago, but I had not seen ap0x's example, so it did not occur to me that this is the legendary HeapMagic. I kept poring over the HeapAlloc/HeapSize area, thinking the problem was in the debug heap, and never made any progress.......

01244152 8BC0 mov eax, eax
01244154 83BD D92A3509 0>cmp dword ptr [ebp+9352AD9], 1
0124415B 0F85 C3000000 jnz 01244224
01244161 83BD 7D193509 0>cmp dword ptr [ebp+935197D], 0
01244168 0F85 B6000000 jnz 01244224
0124416E 83BD B9233509 0>cmp dword ptr [ebp+93523B9], 0
01244175 0F85 A9000000 jnz 01244224
0124417B 8D85 D4BF4409 lea eax, dword ptr [ebp+944BFD4]
01244181 50 push eax
01244182 890424 mov dword ptr [esp], eax
01244185 64:FF35 0000000>push dword ptr fs:[0]
0124418C 64:8925 0000000>mov dword ptr fs:[0], esp
01244193 64:A1 30000000 mov eax, dword ptr fs:[30]
01244199 8B40 0C mov eax, dword ptr [eax+C]
0124419C B9 30000000 mov ecx, 30
012441A1 40 inc eax
012441A2 8138 EEFEEEFE cmp dword ptr [eax], FEEEFEEE
012441A8 ^ 0F85 F3FFFFFF jnz 012441A1
012441AE 49 dec ecx
012441AF ^ 0F85 ECFFFFFF jnz 012441A1
012441B5 8BC0 mov eax, eax
012441B7 83BD 85273509 0>cmp dword ptr [ebp+9352785], 0
012441BE 75 09 jnz short 012441C9
012441C0 83BD 0D103509 0>cmp dword ptr [ebp+935100D], 0
012441C7 74 13 je short 012441DC
012441C9 50 push eax
012441CA 53 push ebx
012441CB 8BC0 mov eax, eax
012441CD B8 D1040000 mov eax, 4D1
012441D2 8D9D A2734109 lea ebx, dword ptr [ebp+94173A2]
012441D8 FFD3 call ebx
012441DA 5B pop ebx
012441DB 58 pop eax
012441DC 8BC0 mov eax, eax
012441DE C785 4D1D3509 0>mov dword ptr [ebp+9351D4D], 1
012441E8 E9 2D000000 jmp 0124421A
012441ED 8B5C24 0C mov ebx, dword ptr [esp+C]
012441F1 50 push eax
012441F2 892C24 mov dword ptr [esp], ebp
012441F5 E8 00000000 call 012441FA
012441FA 5D pop ebp
012441FB 81ED E1BF4409 sub ebp, 944BFE1
01244201 8B83 B8000000 mov eax, dword ptr [ebx+B8]
01244207 8D85 01C04409 lea eax, dword ptr [ebp+944C001]
0124420D 8983 B8000000 mov dword ptr [ebx+B8], eax
01244213 5D pop ebp
01244214 B8 00000000 mov eax, 0
01244219 C3 retn
0124421A 64:8F05 0000000>pop dword ptr fs:[0]
01244221 83C4 04 add esp, 4
01244224 8BC0 mov eax, eax
01244226 83BD 85273509 0>cmp dword ptr [ebp+9352785], 0
0124422D 75 09 jnz short 01244238
0124422F 83BD 0D103509 0>cmp dword ptr [ebp+935100D], 0
01244236 74 19 je short 01244251
01244238 50 push eax
01244239 53 push ebx
0124423A 8BC0 mov eax, eax
0124423C B8 D1040000 mov eax, 4D1
01244241 8985 95283509 mov dword ptr [ebp+9352895], eax
01244247 8D9D 9C764109 lea ebx, dword ptr [ebp+941769C]
0124424D FFD3 call ebx
0124424F 5B pop ebx
01244250 58 pop eax
01244251 83BD 0D103509 0>cmp dword ptr [ebp+935100D], 0
01244258 74 17 je short 01244271
0124425A 50 push eax
0124425B 53 push ebx
0124425C B8 D1040000 mov eax, 4D1
01244261 8985 95283509 mov dword ptr [ebp+9352895], eax
01244267 8D9D 3D734109 lea ebx, dword ptr [ebp+941733D]
0124426D FFD3 call ebx
0124426F 5B pop ebx
01244270 58 pop eax
01244271 8BC0 mov eax, eax
01244273 E9 54010000 jmp 012443CC

HeapMagic
Originally posted by kanxue: Yes, the name ap0x gave it is Ring3 Debugger Detection via LDR_MODULE. The code is as follows:

Description:

; #########################################################################
.586
.model flat, stdcall
option casemap :none ; case sensitive
; #########################################################################
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
include \masm32\include\comdlg32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\comdlg32.lib
; #########################################################################
.data
DbgFoundTitle db "Debugger found:",0h
DbgFoundText db "Debugger has been found!",0h
DbgNotFoundTitle db "Debugger not found:",0h
DbgNotFoundText db "Debugger not found!",0h
Tries db 30
Alloc dd ?
.code
start:
; MASM32 antiRing3Debugger example
; coded by ap0x
; Reversing Labs: http://ap0x.headcoders.net
ASSUME FS:NOTHING
; install a SEH frame: an access fault while walking memory ends up in _SehExit
PUSH offset _SehExit
PUSH DWORD PTR FS:[0]
MOV FS:[0],ESP
; FS:[30h] = PEB pointer (the original comment calls this NtGlobalFlag;
; that flag actually lives inside the PEB at offset 68h)
MOV EAX,DWORD PTR FS:[30h]
; PEB+0Ch = PEB->Ldr, the PEB_LDR_DATA block holding the LDR_MODULE list
MOV EAX,DWORD PTR[EAX+12]
; The trick is here ;) If ring3 debugger is present memory will be allocated
; and it will contain 0xFEEEFEEE bytes at the end of alloc. This will only
; happen if ring3 debugger is present!
; If there is no debugger SEH will fire and take control.
; Note: This code works only on NT systems!
_loop:
INC EAX
CMP DWORD PTR[EAX],0FEEEFEEEh
JNE _loop
DEC [Tries]
JNE _loop
PUSH 30h
PUSH offset DbgFoundTitle
PUSH offset DbgFoundText
PUSH 0
CALL MessageBox
PUSH 0
CALL ExitProcess
RET
_Exit:
PUSH 40h
PUSH offset DbgNotFoundTitle
PUSH offset DbgNotFoundText
PUSH 0
CALL MessageBox
PUSH 0
CALL ExitProcess
RET
_SehExit:
POP FS:[0]
ADD ESP,4
JMP _Exit
end start

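Both HeapMagic replies above (the Themida listing and ap0x's MASM source) hinge on one instruction, cmp dword ptr [reg], 0FEEEFEEEh inside a tight backward-jumping loop, 0xFEEEFEEE being the fill value the NT debug heap writes into freed heap memory. For an analyst triaging a packed sample, the defender-side counterpart is a static scan that flags that compare. The scanner below is an added example written for this page, not code from the thread, from Themida or from ap0x. Its sample buffer is constructed from the opcode bytes of the listing above (the 0124419C to 012441AF run), followed by a hypothetical nop / mov eax, 0FEEEFEEEh / ret so that the looser "constant present but not in compare form" match is exercised as well.

```python
"""Static scan for the 0xFEEEFEEE "HeapMagic" anti-debug check.

Added example for this page; not code from the thread, Themida or ap0x.
The NT debug heap fills freed heap memory with 0xFEEEFEEE, and the check
in the thread walks from PEB->Ldr until it has seen that value a number
of times.  A static scanner can flag the comparison instruction itself.
"""
import struct

HEAP_MAGIC = 0xFEEEFEEE
IMM = struct.pack("<I", HEAP_MAGIC)          # little-endian: EE FE EE FE
REG_NAMES = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def _backward_jnz(data, pos):
    """Return the relative target if a backward JNZ (75 rel8 or 0F 85 rel32)
    starts at pos, else None.  A backward JNZ right after the compare is the
    polling loop seen in both listings."""
    if data[pos:pos + 1] == b"\x75" and len(data) >= pos + 2:
        rel = struct.unpack("<b", data[pos + 1:pos + 2])[0]
        return rel if rel < 0 else None
    if data[pos:pos + 2] == b"\x0f\x85" and len(data) >= pos + 6:
        rel = struct.unpack("<i", data[pos + 2:pos + 6])[0]
        return rel if rel < 0 else None
    return None


def find_heap_magic_checks(data, base=0):
    """Return one dict per occurrence of the 0xFEEEFEEE immediate.

    kind is "cmp [reg], 0FEEEFEEEh" when the two bytes before the immediate
    are 81 /7 with a plain register operand (mod=00, no SIB and no disp32),
    i.e. the exact encoding 81 38 EE FE EE FE from the Themida listing;
    otherwise "immediate" (constant present, but not in the compare form).
    loop is True when that compare is immediately followed by a backward JNZ.
    """
    hits = []
    i = data.find(IMM)
    while i >= 0:
        hit = {"offset": base + i, "kind": "immediate", "loop": False}
        if i >= 2 and data[i - 2] == 0x81:
            modrm = data[i - 1]
            mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
            if mod == 0 and reg == 7 and rm not in (4, 5):
                hit["offset"] = base + i - 2
                hit["kind"] = "cmp [%s], 0FEEEFEEEh" % REG_NAMES[rm]
                hit["loop"] = _backward_jnz(data, i + 4) is not None
        hits.append(hit)
        i = data.find(IMM, i + 4)
    return hits


# Constructed sample: opcode bytes copied from the Themida listing in the
# thread (0124419C..012441AF), then a hypothetical nop / mov eax, imm32 / ret
# so that the looser "immediate" match is exercised too.
SAMPLE_BASE = 0x0124419C
SAMPLE = bytes.fromhex(
    "B930000000"    # mov ecx, 30
    "40"            # inc eax
    "8138EEFEEEFE"  # cmp dword ptr [eax], 0FEEEFEEEh
    "0F85F3FFFFFF"  # jnz 012441A1 (backward)
    "49"            # dec ecx
    "0F85ECFFFFFF"  # jnz 012441A1 (backward)
    "90"            # nop                   (hypothetical)
    "B8EEFEEEFE"    # mov eax, 0FEEEFEEEh   (hypothetical)
    "C3"            # ret                   (hypothetical)
)

if __name__ == "__main__":
    for h in find_heap_magic_checks(SAMPLE, SAMPLE_BASE):
        print("%08X  %-26s loop=%s" % (h["offset"], h["kind"], h["loop"]))
```

Run over a dumped code section, the first hit kind (a compare against the constant followed by a backward jump) is the strong indicator; a bare immediate is worth a look but is also how an innocent program that itself asserts on heap fill patterns would appear.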
[Game] A strange packed crackme
Originally posted by nbw: I don't have any documentation either; I never save what I've read, I just remember what I can. In this EXE's TLS table, AddressOfCallBacks is 409060, which means the address of the TLS entry is stored at 409060, and 409060 holds 409040, so the TLS entry is 409040. I only know the basics of TLS; the first time I came across it was the program ooo wrote that used TLS to pull off some tricks. Reference: http://www.pediy.com/bbshtml/bbs7/pediy7-660.htm

EncryptPE V2.2004.8.10-V2.2005.3.14 -> WFS *
Never heard of it; he's fooling you.