[Original] RORDbg V0.25 (download this post's attachment)
I ran a few hundred million instructions under Win98 and it took more than ten minutes; I'm on a 900 MHz machine, not sure how it goes for the rest of you. Impatient people like me are about to pass out.

On developing a new kind of debugger
Building on the existing source, the moderator could hand out a flowchart for everyone to complete, and everyone can pitch in for fun. Either way, after a few years even junk software turns into a polished product.

Brief analysis and repair of the IAT of netsowell's packer [Original]
FLY, how do you know the OP is studying in Japan?

What packer is on this software? The packer detector says C++ 7.0 [Overlay]
Experts, please share some advice.

What packer is on this software? The packer detector says C++ 7.0 [Overlay]
I noticed calls into pbvm100.dll and many calls to code whose names start with pb, so I think it is a PB program. I traced it a bit and got the code below; pbkiller cannot decompile it. I'm now going to look for PB tutorials here. If you have good suggestions or tutorials, please point me to them.

11227600 PBV> 55 push ebp
11227601 8BEC mov ebp,esp
11227603 83EC 1C sub esp,1C
11227606 8B45 08 mov eax,dword ptr ss:[ebp+8]
11227609 50 push eax
1122760A E8 2170FCFF call PBVM100.FN_MinimumVersion
1122760F 85C0 test eax,eax
11227611 75 04 jnz short PBVM100.11227617
11227613 33C0 xor eax,eax
11227615 EB 43 jmp short PBVM100.1122765A
11227617 C745 FC 607>mov dword ptr ss:[ebp-4],PBVM100.FN_RunEx>
1122761E 8B4D 08 mov ecx,dword ptr ss:[ebp+8]
11227621 894D E4 mov dword ptr ss:[ebp-1C],ecx
11227624 8B55 0C mov edx,dword ptr ss:[ebp+C]
11227627 8955 E8 mov dword ptr ss:[ebp-18],edx
1122762A 8B45 10 mov eax,dword ptr ss:[ebp+10]
1122762D 8945 EC mov dword ptr ss:[ebp-14],eax
11227630 8B4D 14 mov ecx,dword ptr ss:[ebp+14]
11227633 894D F0 mov dword ptr ss:[ebp-10],ecx
11227636 8B55 18 mov edx,dword ptr ss:[ebp+18]
11227639 8955 F4 mov dword ptr ss:[ebp-C],edx
1122763C 8B45 1C mov eax,dword ptr ss:[ebp+1C]
1122763F 8945 F8 mov dword ptr ss:[ebp-8],eax
11227642 837D 1C 00 cmp dword ptr ss:[ebp+1C],0
11227646 74 0B je short PBVM100.11227653
11227648 8D4D E4 lea ecx,dword ptr ss:[ebp-1C]
1122764B 51 push ecx
1122764C E8 0F000000 call PBVM100.FN_RunExecutableEx
11227651 EB 07 jmp short PBVM100.1122765A
11227653 8D55 E4 lea edx,dword ptr ss:[ebp-1C]
11227656 52 push edx
11227657 FF55 FC call dword ptr ss:[ebp-4]
1122765A 8BE5 mov esp,ebp
1122765C 5D pop ebp
1122765D C2 1800 retn 18
11227660 PBV> 55 push ebp
11227661 8BEC mov ebp,esp
11227663 83EC 58 sub esp,58
11227666 56 push esi
11227667 57 push edi
11227668 8B45 08 mov eax,dword ptr ss:[ebp+8]
1122766B 8B08 mov ecx,dword ptr ds:[eax]
1122766D 894D E8 mov dword ptr ss:[ebp-18],ecx
11227670 8B55 08 mov edx,dword ptr ss:[ebp+8]
11227673 8B42 04 mov eax,dword ptr ds:[edx+4]
11227676 8945 DC mov dword ptr ss:[ebp-24],eax
11227679 8B4D 08 mov ecx,dword ptr ss:[ebp+8]
1122767C 8B51 08 mov edx,dword ptr ds:[ecx+8]
1122767F 8955 C0 mov dword ptr ss:[ebp-40],edx
11227682 8B45 08 mov eax,dword ptr ss:[ebp+8]
11227685 8B48 0C mov ecx,dword ptr ds:[eax+C]
11227688 894D EC mov dword ptr ss:[ebp-14],ecx
1122768B 8B55 08 mov edx,dword ptr ss:[ebp+8]
1122768E 8B42 10 mov eax,dword ptr ds:[edx+10]
11227691 8945 F4 mov dword ptr ss:[ebp-C],eax
11227694 8B4D 08 mov ecx,dword ptr ss:[ebp+8]
11227697 8B51 14 mov edx,dword ptr ds:[ecx+14]
1122769A 8955 CC mov dword ptr ss:[ebp-34],edx
1122769D C745 D0 600>mov dword ptr ss:[ebp-30],60
112276A4 6A 00 push 0
112276A6 E8 355B1A00 call <jmp.&PBSHR100.#3_pbstg_begin>
112276AB 8945 D4 mov dword ptr ss:[ebp-2C],eax
112276AE 837D D4 00 cmp dword ptr ss:[ebp-2C],0
112276B2 74 15 je short PBVM100.112276C9
112276B4 8B45 D4 mov eax,dword ptr ss:[ebp-2C]
112276B7 C740 0C 641>mov dword ptr ds:[eax+C],PBVM100.113F1E64 ; UNICODE "Executable RTE/RTF"
112276BE 8B4D D4 mov ecx,dword ptr ss:[ebp-2C]
112276C1 8B51 0C mov edx,dword ptr ds:[ecx+C]
112276C4 8955 A8 mov dword ptr ss:[ebp-58],edx
112276C7 EB 07 jmp short PBVM100.112276D0
112276C9 C745 A8 000>mov dword ptr ss:[ebp-58],0
112276D0 8B45 D4 mov eax,dword ptr ss:[ebp-2C]
112276D3 50 push eax
112276D4 E8 D75A1A00 call <jmp.&PBSHR100.#179_sh_dbg_init>
112276D9 8945 F8 mov dword ptr ss:[ebp-8],eax
112276DC 6A 00 push 0
112276DE 68 04010000 push 104
112276E3 8B4D D4 mov ecx,dword ptr ss:[ebp-2C]
112276E6 51 push ecx
112276E7 E8 30551A00 call <jmp.&PBSHR100.#5_pbstg_alc>
112276EC 8945 B4 mov dword ptr ss:[ebp-4C],eax
112276EF 68 04010000 push 104
112276F4 8B55 B4 mov edx,dword ptr ss:[ebp-4C]
112276F7 52 push edx
112276F8 8B45 E8 mov eax,dword ptr ss:[ebp-18]
112276FB 50 push eax
112276FC FF15 F4913E>call dword ptr ds:[<&KERNEL32.GetModuleFi>; kernel32.GetModuleFileNameW
11227702 6A 00 push 0
11227704 8B4D C0 mov ecx,dword ptr ss:[ebp-40]
11227707 51 push ecx
11227708 8B55 D4 mov edx,dword ptr ss:[ebp-2C]
1122770B 52 push edx
1122770C E8 8F551A00 call <jmp.&PBSHR100.#37_pbstg_strdup>
11227711 8945 F0 mov dword ptr ss:[ebp-10],eax
11227714 8B45 F0 mov eax,dword ptr ss:[ebp-10]
11227717 50 push eax
11227718 FF15 C4933E>call dword ptr ds:[<&MSVCR71._wcsupr>] ; MSVCR71._wcsupr
1122771E 83C4 04 add esp,4
11227721 C745 C8 000>mov dword ptr ss:[ebp-38],0
11227728 C745 BC 000>mov dword ptr ss:[ebp-44],0
1122772F 8B4D F0 mov ecx,dword ptr ss:[ebp-10]
11227732 894D B0 mov dword ptr ss:[ebp-50],ecx
11227735 EB 09 jmp short PBVM100.11227740
11227737 8B55 B0 mov edx,dword ptr ss:[ebp-50]
1122773A 83C2 02 add edx,2
1122773D 8955 B0 mov dword ptr ss:[ebp-50],edx
11227740 8B45 B0 mov eax,dword ptr ss:[ebp-50]
11227743 0FB708 movzx ecx,word ptr ds:[eax]
11227746 85C9 test ecx,ecx
11227748 0F84 DA0000>je PBVM100.11227828
1122774E B9 02000000 mov ecx,2
11227753 BF 8C1E3F11 mov edi,PBVM100.113F1E8C ; UNICODE "/PBDEBUG"
11227758 8B75 B0 mov esi,dword ptr ss:[ebp-50]
1122775B 33D2 xor edx,edx
1122775D F3:A7 repe cmps dword ptr es:[edi],dword ptr ds>
1122775F 74 13 je short PBVM100.11227774
11227761 B9 02000000 mov ecx,2
11227766 BF A01E3F11 mov edi,PBVM100.113F1EA0 ; UNICODE "-PBDEBUG"
1122776B 8B75 B0 mov esi,dword ptr ss:[ebp-50]
1122776E 33C0 xor eax,eax
11227770 F3:A7 repe cmps dword ptr es:[edi],dword ptr ds>
11227772 75 1F jnz short PBVM100.11227793
11227774 8B4D B0 mov ecx,dword ptr ss:[ebp-50]
11227777 8B15 B41E3F>mov edx,dword ptr ds:[113F1EB4]
1122777D 8911 mov dword ptr ds:[ecx],edx
1122777F A1 B81E3F11 mov eax,dword ptr ds:[113F1EB8]
11227784 8941 04 mov dword ptr ds:[ecx+4],eax
11227787 C745 C8 010>mov dword ptr ss:[ebp-38],1
1122778E E9 95000000 jmp PBVM100.11227828
11227793 B9 07000000 mov ecx,7
11227798 BF C81E3F11 mov edi,PBVM100.113F1EC8 ; UNICODE "/DEBUG="
1122779D 8B75 B0 mov esi,dword ptr ss:[ebp-50]
112277A0 33D2 xor edx,edx
112277A2 F3:A6 repe cmps byte ptr es:[edi],byte ptr ds:[>
112277A4 74 13 je short PBVM100.112277B9
112277A6 B9 07000000 mov ecx,7
112277AB BF D81E3F11 mov edi,PBVM100.113F1ED8 ; UNICODE "-DEBUG="
112277B0 8B75 B0 mov esi,dword ptr ss:[ebp-50]
112277B3 33C0 xor eax,eax
112277B5 F3:A6 repe cmps byte ptr es:[edi],byte ptr ds:[>
112277B7 75 6A jnz short PBVM100.11227823
112277B9 8B4D B0 mov ecx,dword ptr ss:[ebp-50]
112277BC 8B15 E81E3F>mov edx,dword ptr ds:[113F1EE8]
112277C2 8911 mov dword ptr ds:[ecx],edx
112277C4 66:A1 EC1E3>mov ax,word ptr ds:[113F1EEC]
112277CA 66:8941 04 mov word ptr ds:[ecx+4],ax
112277CE 8A15 EE1E3F>mov dl,byte ptr ds:[113F1EEE]
112277D4 8851 06 mov byte ptr ds:[ecx+6],dl
112277D7 8B45 B0 mov eax,dword ptr ss:[ebp-50]
112277DA 83C0 0E add eax,0E
112277DD 8945 B0 mov dword ptr ss:[ebp-50],eax
112277E0 C745 C8 010>mov dword ptr ss:[ebp-38],1
112277E7 8B4D B0 mov ecx,dword ptr ss:[ebp-50]
112277EA 0FB711 movzx edx,word ptr ds:[ecx]
112277ED 83FA 30 cmp edx,30
112277F0 7C 31 jl short PBVM100.11227823
112277F2 8B45 B0 mov eax,dword ptr ss:[ebp-50]
112277F5 0FB708 movzx ecx,word ptr ds:[eax]
112277F8 83F9 39 cmp ecx,39
112277FB 7F 26 jg short PBVM100.11227823
112277FD 8B55 BC mov edx,dword ptr ss:[ebp-44]
11227800 6BD2 0A imul edx,edx,0A
11227803 8B45 B0 mov eax,dword ptr ss:[ebp-50]
11227806 0FB708 movzx ecx,word ptr ds:[eax]
11227809 8D540A D0 lea edx,dword ptr ds:[edx+ecx-30]
1122780D 8955 BC mov dword ptr ss:[ebp-44],edx
11227810 8B45 B0 mov eax,dword ptr ss:[ebp-50]
11227813 66:C700 200>mov word ptr ds:[eax],20
11227818 8B4D B0 mov ecx,dword ptr ss:[ebp-50]
1122781B 83C1 02 add ecx,2
1122781E 894D B0 mov dword ptr ss:[ebp-50],ecx
11227821 ^ EB C4 jmp short PBVM100.112277E7
11227823 ^ E9 0FFFFFFF jmp PBVM100.11227737
11227828 837D C8 00 cmp dword ptr ss:[ebp-38],0
1122782C 74 66 je short PBVM100.11227894
1122782E 8B55 B4 mov edx,dword ptr ss:[ebp-4C]
11227831 52 push edx
11227832 6A 00 push 0
11227834 8B45 D4 mov eax,dword ptr ss:[ebp-2C]
11227837 50 push eax
11227838 E8 9D591A00 call <jmp.&PBSHR100.#120_osPathCreate>
1122783D 8945 E4 mov dword ptr ss:[ebp-1C],eax
11227840 68 F81E3F11 push PBVM100.113F1EF8 ; UNICODE "dbg"

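A C reading of the scan loop in that listing (11227721 through 11227828), added here as an editor's example and not code from the post or from the PB runtime: it walks the uppercased command line looking for /PBDEBUG, -PBDEBUG, /DEBUG=N and -DEBUG=N, blanks the switch it finds, and accumulates N. The compare lengths follow the listing's repe cmps counts (8 bytes and 7 bytes, so only the first four UTF-16 code units are actually checked), the constants at 113F1EB4 and 113F1EE8 are not in the dump and are assumed to be spaces, and the bounds guards are additions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
typedef uint16_t wc16;   /* UTF-16 code unit: the routine works on wide strings (_wcsupr, GetModuleFileNameW) */
static const wc16 SW_PBDEBUG_SLASH[] = {'/','P','B','D','E','B','U','G',0};
static const wc16 SW_PBDEBUG_DASH[]  = {'-','P','B','D','E','B','U','G',0};
static const wc16 SW_DEBUG_SLASH[]   = {'/','D','E','B','U','G','=',0};
static const wc16 SW_DEBUG_DASH[]    = {'-','D','E','B','U','G','=',0};
/* Assumption: the 8 bytes copied from 113F1EB4 and the 7 bytes from 113F1EE8 are blanks. */
static const wc16 BLANKS[] = {' ',' ',' ',' ',0};

/* Widen an ASCII string (already uppercase, as after _wcsupr) into a UTF-16 buffer. */
size_t ascii_to_wc16(const char *s, wc16 *out, size_t cap)
{
    size_t n = 0;
    while (s[n] && n + 1 < cap) { out[n] = (wc16)(unsigned char)s[n]; n++; }
    out[n] = 0;
    return n;
}

/* Scan loop 11227721..11227828: returns the debug flag ([ebp-38]); *level gets the number ([ebp-44]). */
int pb_scan_debug_switches(wc16 *cmd, int *level)
{
    int debug = 0, num = 0;
    wc16 *p = cmd, *end = cmd;                      /* p is [ebp-50] */
    while (*end) end++;                             /* added guard: bounds for the byte compares */
    while (*p != 0) {
        size_t left = (size_t)(end - p);            /* code units before the terminator */
        /* ecx=2, repe cmpsd: 8 bytes, i.e. only "/PBD" or "-PBD" is compared */
        if (left >= 4 && (!memcmp(p, SW_PBDEBUG_SLASH, 8) || !memcmp(p, SW_PBDEBUG_DASH, 8))) {
            memcpy(p, BLANKS, 8);                   /* dword stores at 1122777D / 11227784 */
            debug = 1;
            break;                                  /* jmp 11227828 */
        }
        /* ecx=7, repe cmpsb: 7 bytes, i.e. "/DEB" with the high byte of 'B' unchecked */
        if (left >= 4 && (!memcmp(p, SW_DEBUG_SLASH, 7) || !memcmp(p, SW_DEBUG_DASH, 7))) {
            memcpy(p, BLANKS, 7);                   /* dword + word + byte stores at 112277C2..112277D4 */
            p = left >= 7 ? p + 7 : end;            /* add eax,0E (14 bytes); clamped here */
            debug = 1;
            while (*p >= '0' && *p <= '9') {        /* 112277E7..11227821: decimal accumulate */
                num = num * 10 + (*p - '0');
                *p = ' ';                           /* mov word ptr [eax],20 */
                p++;
            }
            if (*p == 0) break;                     /* added guard: the listing steps past the NUL here */
        }
        p++;                                        /* 11227737: add edx,2 */
    }
    *level = num;
    return debug;
}
```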
Detailed analysis of the PESpin 1.3 main program
Great, 66666666666666666

Pespin0.3 dump problem
Bumping this; it would be great if some expert on summer break could lend a hand.

Pespin0.3 dump problem
Originally posted by fly: I looked for a lot of PESpin tutorials, from setting up exceptions in OllyDbg, to scripts, to removing junk instructions, to reading tutorials and fumbling my way through. Because I'm too much of a newbie I never unpacked it manually step by step and only used the experts' scripts, but I can't follow many of the tutorials on the Stolen Code dump problem, so I'm posting here. Experts, please give me some pointers.

Pespin0.3 dump problem
Originally posted by jskew: The biggest jump is none other than 0068C923 - E9 F0A6D>jmp supmail.00407018. Dumping with LordPE gives "couldn't grab process memory". My system is Win2003; is it a system problem or what? Stepping to 5c6ecc, the dump succeeds, but it runs without any prompt; I'm still working on it. There is a problem: stepping to 5c6ecc, dumping with LordPE gives "couldn't grab process memory", yet why does dumping with ImportREC.exe succeed, but it still runs without any prompt?