[Original] ASProtect ver 2.1 / 2.73 unpacking notes
Since 64-bit, unpacking has become more and more of a hassle.

[Help] Help cracking a fairly old program, written in VFP
A tool actually unpacked it easily.

[Recommended] ReFox XII Full + KeyMaker [DimitarSerg & SReg]
The system flags that set file as a trojan that tries to inject into QQ; use with discretion.

[Help] How to pack a self-extracting file
Isn't the order backwards? Encrypting the key files and then packing them would come to the same thing, wouldn't it?

[Original] VBDP 5.0 keygen (new version, now works under any language environment)
Registration incorrect. Please help.

[Help] Lao Wu's VFP&EXENC packer is too hard to unpack
How do you hard-break? Can you explain it in detail?

[Help] PEiD reports PowerBASIC/Win 8.00, how to handle it
Software written in vfp9

[Recommended] vfp&exeNc 9.0 DEMO unpacked to the third layer
Wow, several layers peeled off; it runs but can't encrypt. Looks like there's still a gap; it still needs fixing.

[Help] Lao Wu's VFP&EXENC packer is too hard to unpack
After stripping the ASPack layer, the code during unpacking differs between my home computer and the office one; what I unpacked at home won't run at the office, so I have to redo it. Office code:

004CF920 > 60               PUSHAD
004CF921   E8 01000000      CALL vfpenc9.004CF927
004CF926   6358 E8          ARPL WORD PTR DS:[EAX-18],BX
004CF929   0100             ADD DWORD PTR DS:[EAX],EAX
004CF92B   0000             ADD BYTE PTR DS:[EAX],AL
004CF92D   7A 58            JPE SHORT vfpenc9.004CF987
004CF92F   2D 0D104000      SUB EAX,vfpenc9.0040100D
004CF934   8D90 C1104000    LEA EDX,DWORD PTR DS:[EAX+4010C1]
004CF93A   52               PUSH EDX
004CF93B   50               PUSH EAX
004CF93C   8D80 49104000    LEA EAX,DWORD PTR DS:[EAX+401049]
004CF942   5D               POP EBP
004CF943   50               PUSH EAX
004CF944   8D85 65104000    LEA EAX,DWORD PTR SS:[EBP+401065]
004CF94A   50               PUSH EAX
004CF94B   64:FF35 0000000> PUSH DWORD PTR FS:[0]
004CF952   64:8925 0000000> MOV DWORD PTR FS:[0],ESP
004CF959   CC               INT3
004CF95A   90               NOP
004CF95B   64:8F05 0000000> POP DWORD PTR FS:[0]
004CF962   83C4 04          ADD ESP,4
004CF965   C3               RETN
004CF966   EB 11            JMP SHORT vfpenc9.004CF979
004CF968   59               POP ECX
004CF969   8D9D 00104000    LEA EBX,DWORD PTR SS:[EBP+401000]
004CF96F   53               PUSH EBX
004CF970   5F               POP EDI
004CF971   2BFA             SUB EDI,EDX
004CF973   57               PUSH EDI
; F2 break with EDI = 004CD001. Note down EDI: this is the JMP EAX address. On my machine OD's load address is 426001. I hadn't expected Lao Wu to XOR all the code after JMP EAX; you can only single-step the loop, and must not set a breakpoint at any of the following addresses, or things go wrong.
004CF974   8A03             MOV AL,BYTE PTR DS:[EBX]
004CF976   3007             XOR BYTE PTR DS:[EDI],AL
004CF978   43               INC EBX
004CF979   47               INC EDI
004CF97A ^ E2 F8            LOOPD SHORT vfpenc9.004CF974
; Single-step a few iterations of the loop here, then set a breakpoint at the EDI address noted above.
004CF97C   58               POP EAX
004CF97D   894424 1C        MOV DWORD PTR SS:[ESP+1C],EAX
004CF981   61               POPAD
004CF982   FFE0             JMP EAX
004CF984   C3               RETN
004CD001   60               PUSHAD  ; JMP EAX lands here. Break here, F9; the instruction sequence below changes..... It can be dumped now; strip it with the ASPack script and it runs.
004CD002   E8 03000000      CALL vfpenc9.004CD00A
004CD007 - E9 EB045D45      JMP 45A9D4F7
004CD00C   55               PUSH EBP
004CD00D   C3               RETN
004CD00E   E8 01000000      CALL vfpenc9.004CD014
004CD013   EB 5D            JMP SHORT vfpenc9.004CD072
004CD015   BB EDFFFFFF      MOV EBX,-13
004CD01A   03DD             ADD EBX,EBP
004CD01C   81EB 00D00C00    SUB EBX,0CD000
004CD022   83BD 22040000 0> CMP DWORD PTR SS:[EBP+422],0
004CD029   899D 22040000    MOV DWORD PTR SS:[EBP+422],EBX
004CD02F   0F85 65030000    JNZ vfpenc9.004CD39A
004CD035   8D85 2E040000    LEA EAX,DWORD PTR SS:[EBP+42E]
004CD03B   50               PUSH EAX
004CD03C   FF95 4D0F0000    CALL DWORD PTR SS:[EBP+F4D]
004CD042   8985 26040000    MOV DWORD PTR SS:[EBP+426],EAX
004CD048   8BF8             MOV EDI,EAX
004CD04A   8D5D 5E          LEA EBX,DWORD PTR SS:[EBP+5E]
004CD04D   53               PUSH EBX
004CD04E   50               PUSH EAX
004CD04F   FF95 490F0000    CALL DWORD PTR SS:[EBP+F49]
004CD055   8985 4D050000    MOV DWORD PTR SS:[EBP+54D],EAX
004CD05B   8D5D 6B          LEA EBX,DWORD PTR SS:[EBP+6B]
004CD05E   53               PUSH EBX
004CD05F   57               PUSH EDI
004CD060   FF95 490F0000    CALL DWORD PTR SS:[EBP+F49]
004CD066   8985 51050000    MOV DWORD PTR SS:[EBP+551],EAX
004CD06C   8D45 77          LEA EAX,DWORD PTR SS:[EBP+77]
004CD06F   FFE0             JMP EAX
004CD071   56               PUSH ESI
004CD072   6972 74 75616C4> IMUL ESI,DWORD PTR DS:[EDX+74],416C6175
004CD079   6C               INS BYTE PTR ES:[EDI],DX
004CD07A   6C               INS BYTE PTR ES:[EDI],DX
004CD07B   6F               OUTS DX,DWORD PTR ES:[EDI]
004CD07C   6300             ARPL WORD PTR DS:[EAX],AX
004CD07E   56               PUSH ESI
004CD07F   6972 74 75616C4> IMUL ESI,DWORD PTR DS:[EDX+74],466C6175
004CD086   72 65            JB SHORT vfpenc9.004CD0ED

0048D543 > $ 60             PUSHAD
0048D544 . E8 00000000      CALL UN_1.0048D549
0048D549 $ 5D               POP EBP
0048D54A . 81ED 06104000    SUB EBP,UN_1.00401006
0048D550 . 8D85 56104000    LEA EAX,DWORD PTR SS:[EBP+401056]
0048D556 . 50               PUSH EAX
0048D557 . 64:FF35 00000>   PUSH DWORD PTR FS:[0]
0048D55E . 64:8925 00000>   MOV DWORD PTR FS:[0],ESP
0048D565 . CC               INT3  ; jumps to 7C92E480
7C92E480   8B1C24           MOV EBX,DWORD PTR SS:[ESP]
7C92E483   51               PUSH ECX
7C92E484   53               PUSH EBX
7C92E485   E8 B35A0200      CALL ntdll.7C953F3D
7C92E48A   0AC0             OR AL,AL
7C92E48C   74 0C            JE SHORT ntdll.7C92E49A
7C92E48E   5B               POP EBX
7C92E48F   59               POP ECX
7C92E490   6A 00            PUSH 0
7C92E492   51               PUSH ECX
7C92E493   E8 C6EBFFFF      CALL ntdll.ZwContinue  ; step in
7C92D05E > B8 20000000      MOV EAX,20
7C92D063   BA 0003FE7F      MOV EDX,7FFE0300
7C92D068   FF12             CALL DWORD PTR DS:[EDX]  ; step in
7C92D06A   C2 0800          RETN 8
7C92E510 > 8BD4             MOV EDX,ESP
7C92E512   0F34             SYSENTER  ; jumps
7C92E514 > C3               RETN
0048D567 . 64:8F05 00000>   POP DWORD PTR FS:[0]  ; 0012FFE0
0048D56E . 83C4 04          ADD ESP,4
0048D571 . 74 05            JE SHORT UN_1.0048D578
0048D573 . 75 03            JNZ SHORT UN_1.0048D578
0048D575 . EB 07            JMP SHORT UN_1.0048D57E
0048D577 . 59               POP ECX
0048D578 > 8D9D 00104000    LEA EBX,DWORD PTR SS:[EBP+401000]
0048D57E > 53               PUSH EBX
0048D57F . 5F               POP EDI
0048D580 . 2BFA             SUB EDI,EDX
0048D582 . 57               PUSH EDI
0048D583 > 8A03             MOV AL,BYTE PTR DS:[EBX]  ; single-step the loop
0048D585 . 3007             XOR BYTE PTR DS:[EDI],AL
0048D587 . 43               INC EBX
0048D588 . 47               INC EDI
0048D589 .^ E2 F8           LOOPD SHORT UN_1.0048D583
0048D58B . 58               POP EAX
0048D58C . 894424 1C        MOV DWORD PTR SS:[ESP+1C],EAX
0048D590 . 61               POPAD
0048D591 . FFE0             JMP EAX

0048D4AC   55               DB 55  ; CHAR 'U'  ; dump to 测试3.exe
0048D4AD   8B               DB 8B
0048D4AE   EC               DB EC
0048D4AF   83               DB 83
0048D4B0   C4               DB C4
0048D4B1   F0               DB F0
0048D4B2   B8               DB B8
0048D4B3   74               DB 74  ; CHAR 't'
0048D4B4   D2               DB D2
0048D4B5   48               DB 48  ; CHAR 'H'
0048D4B6   00               DB 00
0048D4B7   E8               DB E8
0048D4B8   50               DB 50  ; CHAR 'P'
0048D4B9   8A               DB 8A
0048D4BA   F7               DB F7
0048D4BB   FFE80000         DD 0000E8FF
0048D4BF   00               DB 00

Open 测试3.exe; PEiD: BobSoft Mini Delphi -> BoB / BobSoft *. Still haven't found a lead; keep at it.

0048D4AC > $ 55             PUSH EBP
0048D4AD . 8BEC             MOV EBP,ESP
0048D4AF . 83C4 F0          ADD ESP,-10
0048D4B2 . B8 74D24800      MOV EAX,测试3.0048D274
0048D4B7 . E8 508AF7FF      CALL 测试3.00405F0C
0048D4BC . E8 00000000      CALL 测试3.0048D4C1
0048D4C1 $ 58               POP EAX
0048D4C2 . 83E8 15          SUB EAX,15
0048D4C5 . B9 14000000      MOV ECX,14
0048D4CA > 8908             MOV DWORD PTR DS:[EAX],ECX
0048D4CC . 40               INC EAX
0048D4CD .^ E2 FB           LOOPD SHORT 测试3.0048D4CA
0048D4CF . A1 80024900      MOV EAX,DWORD PTR DS:[490280]
0048D4D4 . 8B00             MOV EAX,DWORD PTR DS:[EAX]
0048D4D6 . E8 E969FDFF      CALL 测试3.00463EC4
0048D4DB . 8B0D 84034900    MOV ECX,DWORD PTR DS:[490384]  ; 测试3.00493598
0048D4E1 . A1 80024900      MOV EAX,DWORD PTR DS:[490280]
0048D4E6 . 8B00             MOV EAX,DWORD PTR DS:[EAX]
0048D4E8 . 8B15 845C4800    MOV EDX,DWORD PTR DS:[485C84]  ; 测试3.00485CD0
0048D4EE . E8 E969FDFF      CALL 测试3.00463EDC
0048D4F3 . A1 80024900      MOV EAX,DWORD PTR DS:[490280]
0048D4F8 . 8B00             MOV EAX,DWORD PTR DS:[EAX]
0048D4FA . E8 5D6AFDFF      CALL 测试3.00463F5C  ; step in
0048D4FF . E8 006BF7FF      CALL 测试3.00404004
0048D504 . 0000             ADD BYTE PTR DS:[EAX],AL
0048D506 . 0000             ADD BYTE PTR DS:[EAX],AL
0048D508 . 55               PUSH EBP

00463F5C $ 55               PUSH EBP
00463F5D . 8BEC             MOV EBP,ESP
00463F5F . 51               PUSH ECX
00463F60 . 53               PUSH EBX
00463F61 . 56               PUSH ESI
00463F62 . 57               PUSH EDI
00463F63 . 8945 FC          MOV DWORD PTR SS:[EBP-4],EAX
00463F66 . 8B45 FC          MOV EAX,DWORD PTR SS:[EBP-4]
00463F69 . C680 A5000000>   MOV BYTE PTR DS:[EAX+A5],1
00463F70 . 33D2             XOR EDX,EDX
00463F72 . 55               PUSH EBP
00463F73 . 68 3A404600      PUSH 测试3.0046403A
00463F78 . 64:FF32          PUSH DWORD PTR FS:[EDX]
00463F7B . 64:8922          MOV DWORD PTR FS:[EDX],ESP
00463F7E . B8 54AE4500      MOV EAX,测试3.0045AE54  ; entry address
00463F83 . E8 0C3EFAFF      CALL 测试3.00407D94
00463F88 . 8B45 FC          MOV EAX,DWORD PTR SS:[EBP-4]
00463F8B . 8B40 44          MOV EAX,DWORD PTR DS:[EAX+44]
00463F8E . 85C0             TEST EAX,EAX
00463F90 . 0F84 8C000000    JE 测试3.00464022
00463F96 . 8B15 34024900    MOV EDX,DWORD PTR DS:[490234]  ; 测试3.00491038
00463F9C . 8B12             MOV EDX,DWORD PTR DS:[EDX]
00463F9E . 83EA 03          SUB EDX,3  ; Switch (cases 3..7)
00463FA1 . 74 0E            JE SHORT 测试3.00463FB1
00463FA3 . 83EA 04          SUB EDX,4
00463FA6 . 75 10            JNZ SHORT 测试3.00463FB8
00463FA8 . C680 2B020000>   MOV BYTE PTR DS:[EAX+22B],1  ; Case 7 of switch 00463F9E
00463FAF . EB 07            JMP SHORT 测试3.00463FB8
00463FB1 > B2 02            MOV DL,2  ; Case 3 of switch 00463F9E
00463FB3 . E8 80A6FFFF      CALL 测试3.0045E638
00463FB8 > 8B45 FC          MOV EAX,DWORD PTR SS:[EBP-4]  ; Default case of switch 00463F9E
00463FBB . 8078 5B 00       CMP BYTE PTR DS:[EAX+5B],0
00463FBF . 74 20            JE SHORT 测试3.00463FE1
00463FC1 . 8B45 FC          MOV EAX,DWORD PTR SS:[EBP-4]
00463FC4 . 8B40 44          MOV EAX,DWORD PTR DS:[EAX+44]
00463FC7 . 80B8 2B020000>   CMP BYTE PTR DS:[EAX+22B],1
00463FCE . 75 0A            JNZ SHORT 测试3.00463FDA
00463FD0 . 8B45 FC          MOV EAX,DWORD PTR SS:[EBP-4]
00463FD3 . E8 3CF9FFFF      CALL 测试3.00463914
00463FD8 . EB 07            JMP SHORT 测试3.00463FE1
00463FDA > B2 01            MOV DL,1
00463FDC . E8 5F95FFFF      CALL 测试3.0045D540
00463FE1 > 33C0             XOR EAX,EAX
00463FE3 . 55               PUSH EBP
00463FE4 . 68 01404600      PUSH 测试3.00464001
00463FE9 . 64:FF30          PUSH DWORD PTR FS:[EAX]
00463FEC . 64:8920          MOV DWORD PTR FS:[EAX],ESP
00463FEF . 8B45 FC          MOV EAX,DWORD PTR SS:[EBP-4]
00463FF2 . E8 D1FDFFFF      CALL 测试3.00463DC8
00463FF7 . 33C0             XOR EAX,EAX
00463FF9 . 5A               POP EDX
00463FFA . 59               POP ECX
00463FFB . 59               POP ECX
00463FFC . 64:8910          MOV DWORD PTR FS:[EAX],EDX
00463FFF . EB 15            JMP SHORT 测试3.00464016  ; jumps
00464001 .^ E9 3EF8F9FF     JMP 测试3.00403844
00464006 . 8B55 FC          MOV EDX,DWORD PTR SS:[EBP-4]
00464009 . 8B45 FC          MOV EAX,DWORD PTR SS:[EBP-4]
0046400C . E8 4B000000      CALL 测试3.0046405C
00464011 . E8 96FBF9FF      CALL 测试3.00403BAC
00464016 > 8B45 FC          MOV EAX,DWORD PTR SS:[EBP-4]
00464019 . 80B8 9C000000>   CMP BYTE PTR DS:[EAX+9C],0
00464020 .^ 74 BF           JE SHORT 测试3.00463FE1
00464022 > 33C0             XOR EAX,EAX
00464024 . 5A               POP EDX
00464025 . 59               POP ECX
00464026 . 59               POP ECX
00464027 . 64:8910          MOV DWORD PTR FS:[EAX],EDX
0046402A . 68 41404600      PUSH 测试3.00464041
0046402F > 8B45 FC          MOV EAX,DWORD PTR SS:[EBP-4]
00464032 . C680 A5000000>   MOV BYTE PTR DS:[EAX+A5],0
00464039 . C3               RETN  ; RET used as a jump to 00464041
0046403A .^ E9 B9FAF9FF     JMP 测试3.00403AF8
0046403F .^ EB EE           JMP SHORT 测试3.0046402F
00464041 > 5F               POP EDI
00464042 . 5E               POP ESI
00464043 . 5B               POP EBX
00464044 . 59               POP ECX
00464045 . 5D               POP EBP
00464046 . C3               RETN

7C92E480   8B1C24           MOV EBX,DWORD PTR SS:[ESP]
7C92E483   51               PUSH ECX
7C92E484   53               PUSH EBX
7C92E485 - E9 B21BAA83      JMP 003D003C
003D003C   60               PUSHAD
003D003D   83C1 04          ADD ECX,4
003D0040   8BF1             MOV ESI,ECX
003D0042   8BD1             MOV EDX,ECX
003D0044   BF 00003D00      MOV EDI,3D0000
003D0049   B9 18000000      MOV ECX,18
003D004E   FC               CLD
003D004F   F3:A4            REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[>
003D0051   BE 18003D00      MOV ESI,3D0018
003D0056   8BFA             MOV EDI,EDX
003D0058   B9 18000000      MOV ECX,18
003D005D   F3:A4            REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[>
003D005F   90               NOP
003D0060   90               NOP
003D0061   61               POPAD
003D0062   E8 D63E587C      CALL ntdll.7C953F3D
003D0067 - E9 1EE4557C      JMP ntdll.7C92E48A
7C92E48A   0AC0             OR AL,AL  ; al=1
7C92E48C   74 0C            JE SHORT ntdll.7C92E49A
7C92E48E   5B               POP EBX
7C92E48F   59               POP ECX
7C92E490   6A 00            PUSH 0
7C92E492   51               PUSH ECX
7C92E493   E8 C6EBFFFF      CALL ntdll.ZwContinue  ; it runs once it gets here; looks like I need to step inside.
7C92E498   EB 0B            JMP SHORT ntdll.7C92E4A5
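An added example (my own, not code from the post above or from vfp&exeNc): the loop that the poster has to single-step, MOV AL,[EBX] / XOR [EDI],AL / INC EBX / INC EDI / LOOPD, is a plain byte-wise XOR of one region with another, so once you have a dump you can replay it statically instead of stepping it under OD and risking the breakpoint-in-the-decrypted-range problem mentioned in the post. The script below scans a raw dump for the exact opcode bytes of that loop and of the PUSH FS:[0] / MOV FS:[0],ESP / INT3 prologue that precedes it in both listings, and then applies the loop to a buffer given the EBX (key), EDI (target) and ECX (count) values you read off in the debugger. The sample buffer, offsets and key bytes are constructed here for illustration; they are not from the poster's binary.

```python
"""Static replay of the vfp&exeNc stub's byte-XOR loop over a dump.

Added example; assumed inputs (buffer layout, key bytes, offsets) are
constructed below and are not taken from the forum post's binary.
"""

# Opcode bytes copied from the listing above:
#   8A 03  MOV AL,BYTE PTR DS:[EBX]
#   30 07  XOR BYTE PTR DS:[EDI],AL
#   43     INC EBX
#   47     INC EDI
#   E2 F8  LOOPD SHORT -8
XOR_LOOP = bytes.fromhex("8A0330074347E2F8")

# 64 FF 35 00000000  PUSH DWORD PTR FS:[0]
# 64 89 25 00000000  MOV DWORD PTR FS:[0],ESP
# CC                 INT3  (handled by the SEH frame when no debugger is attached)
SEH_INT3 = bytes.fromhex("64FF350000000064892500000000CC")


def find_all(buf: bytes, pattern: bytes) -> list[int]:
    """Return every offset at which `pattern` occurs in `buf`."""
    hits, start = [], 0
    while (i := buf.find(pattern, start)) != -1:
        hits.append(i)
        start = i + 1
    return hits


def replay_xor_loop(buf: bytearray, ebx: int, edi: int, ecx: int) -> bytearray:
    """Apply the stub's loop to `buf` in place and return it.

    `ebx` is the key-stream offset, `edi` the target offset, `ecx` the
    iteration count, all as read from the registers at the loop top.
    Bytes are processed one at a time in order, exactly like the stub,
    so the result is right even when the key and target regions overlap
    (the stub computes EDI = EBX - EDX, so they can).  LOOPD decrements
    ECX before testing it, so ECX == 0 would mean 2**32 iterations; that
    is treated as a caller error here rather than reproduced.
    """
    if ecx == 0:
        raise ValueError("ECX == 0 would run 2**32 iterations")
    if ebx + ecx > len(buf) or edi + ecx > len(buf):
        raise ValueError("loop would run past the end of the dump")
    for _ in range(ecx):
        al = buf[ebx]          # MOV AL,[EBX]
        buf[edi] ^= al         # XOR [EDI],AL
        ebx += 1               # INC EBX
        edi += 1               # INC EDI
    return buf


# Constructed sample: a Delphi-style prologue (PUSH EBP; MOV EBP,ESP;
# ADD ESP,-10, as in the dumped 测试3.exe entry) stored XORed with a
# made-up key stream, plus stub fragments so the scanner has something
# to find.  Offsets are arbitrary.
PAYLOAD = bytes.fromhex("558BEC83C4F0")
KEY = bytes.fromhex("A1B2C3D4E5F6")
STUB = SEH_INT3 + bytes.fromhex("90648F050000000083C404C3") + XOR_LOOP


def build_sample() -> tuple[bytearray, int, int, int]:
    """Return (dump, ebx, edi, ecx) for the constructed layout."""
    stub_off, key_off, dst_off = 0x00, 0x40, 0x60
    buf = bytearray(0x80)
    buf[stub_off:stub_off + len(STUB)] = STUB
    buf[key_off:key_off + len(KEY)] = KEY
    buf[dst_off:dst_off + len(PAYLOAD)] = bytes(p ^ k for p, k in zip(PAYLOAD, KEY))
    return buf, key_off, dst_off, len(PAYLOAD)


if __name__ == "__main__":
    dump, ebx, edi, ecx = build_sample()
    print("SEH/INT3 prologue at", [hex(o) for o in find_all(bytes(dump), SEH_INT3)])
    print("XOR loop at        ", [hex(o) for o in find_all(bytes(dump), XOR_LOOP)])
    replay_xor_loop(dump, ebx, edi, ecx)
    print("decrypted:", dump[edi:edi + ecx].hex())
```

In practice you feed `replay_xor_loop` the section dumped at the PUSHAD before the loop, with EBX, EDI and ECX copied from the register window at 004CF974 (or 0048D583 in the second listing); the decrypted bytes at EDI are what JMP EAX lands on, which is the address the post says to note down before dumping.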

[Recommended] vfp&exeNc 9.0 DEMO unpacked to the third layer
[QUOTE=sachengbao;651113]Ugh, where did you unpack that from? Was it from the [3] I posted? How is it vfp&exeNc V5.00 -> Wang JianGuo * again????[/QUOTE] Not yours, keheng's.

[Recommended] vfp&exeNc 9.0 DEMO unpacked to the third layer
It runs on my machine.

[Recommended] vfp&exeNc 9.0 DEMO unpacked to the third layer
PEiD 0.95 shows an nc5.0 packer; I guess it's not fully unpacked yet.

[Help] Lao Wu's VFP&EXENC packer is too hard to unpack
First say what software it is and where to download it, then people can tell you.

[Original] Screenshot of my newly made vfp unpacker
Impressive, it can even tell which computer you're on.

[Help] Source code of a vfp form
COMPILE FORM *.*