Thread: This one really is packed.
Reply: Not packed.

Thread: Where did I go wrong?
Reply: It is a WinRAR self-extracting archive; extract it with the password.

Thread: [Help] After unpacking the UPX shell it won't run; repairing it with IR succeeded, but it still won't run! Please advise!
Reply:
004B2AED E8 BABBFAFF call 0045E6AC
004B2AF2 3D 20A10700 cmp eax,7A120
004B2AF7 7E 0C jle short 004B2B05 //JMP 004B2B05

Thread: [Help] A question about when Armadillo returns!
Reply: It is not a feeling, it is certain patterns. With Armadillo V3.X-V4.X, after it returns there you can modify the Magic JMP; of course it can also be modified elsewhere. Once you have unpacked a few dozen Armadillo-protected programs you will naturally develop this "feeling".

Thread: Beginner question about a Notepad packed with ASPack 2.12
Reply: http://www.pediy.com/tutorial/chap8/Chap8-1.htm

Thread: [Help] Sincerely asking for advice on a very tricky file! Masters, please give me some pointers.. [Help]
Reply: SDProtector

Thread: Several questions about Armadillo 3.78 -> Silicon Realms Toolworks~~~
Reply: DriverStudio V3.2 + IceExt V0.67

Thread: Unpacking Armadillo V4.X CopyMem-II: Magic Converter V4.0 release
Reply: It only says that in [EAX] you can see the start address of the import table functions, not that [EAX] holds the start address at the moment you break. Start address = 00422000, end address = 0042254C.

Thread: Unpacking Armadillo V4.X CopyMem-II: Magic Converter V4.0 release
Reply: Look at this piece of code:
00E89131 3BC1 cmp eax,ecx //time check
00E89133 76 07 jbe short 00E8913C //change to: JMP 00E8913C ★
00E89135 C685 20C8FFFF 0>mov byte ptr ss:[ebp-37E0],1
00E8913C 83BD D0C6FFFF 0>cmp dword ptr ss:[ebp-3930],0
00E89143 0F85 8A000000 jnz 00E891D3 //00E891D3
00E891D3 E9 05F7FFFF jmp 00E888DD //loop
00E891D8 8B85 DCC6FFFF mov eax,dword ptr ss:[ebp-3924] //set a breakpoint here; when it breaks, import table processing is finished
00E891D8 is outside the loop.

Thread: Unpacking Armadillo V4.X CopyMem-II: Magic Converter V4.0 release
Reply: The last breakpoint? Let me use Notepad as an example to explain how to see where the import function table ends. Pick any function call in the code:
004010D3 FF15 E0634000 call dword ptr ds:[4063E0]; kernel32.GetCommandLineA
Follow 4063E0 in the data window, then right-click -> Long -> Address. Scrolling up and down in the data window, it is easier to read this way:
004062DC 00000000
004062E0 77DAEBE7 ADVAPI32.RegSetValueExA
004062E4 77DA7883 ADVAPI32.RegQueryValueExA
004062E8 77DA6BF0 ADVAPI32.RegCloseKey
004062EC 77DCC41B ADVAPI32.RegOpenKeyA
004062F0 77DCD5BB ADVAPI32.RegCreateKeyA
004062F4 00000000
004062F8 77EF61E1 GDI32.GetStockObject
004062FC 77EF8C33 GDI32.GetObjectA
00406300 77EF5A8A GDI32.GetDeviceCaps
00406304 77EF5B90 GDI32.SelectObject
00406308 77EF6C2D GDI32.DeleteObject
0040630C 77F23822 GDI32.AbortDoc
00406310 77F0E051 GDI32.EndDoc
00406314 77EF6E98 GDI32.DeleteDC
00406318 77F0F126 GDI32.StartPage
0040631C 77F249C9 GDI32.StartDocA
00406320 77F0DDC9 GDI32.EndPage
00406324 77EFE670 GDI32.GetTextExtentPointA
00406328 77F1B260 GDI32.CreateFontA
0040632C 77F23942 GDI32.SetAbortProc
00406330 77EF5EFB GDI32.SetBkMode
00406334 77EF9A1A GDI32.SetMapMode
00406338 77EFE068 GDI32.GetTextMetricsA
0040633C 77F06C8F GDI32.SetWindowExtEx
00406340 77F06D38 GDI32.SetViewportExtEx
00406344 77EFD526 GDI32.LPtoDP
00406348 77EFB251 GDI32.CreateDCA
0040634C 77EFA0B9 GDI32.GetTextCharset
00406350 77EFE8D6 GDI32.CreateFontIndirectA
00406354 00000000
00406358 7C81E85C kernel32.DeleteFileA
0040635C 7C827778 kernel32._lcreat
00406360 7C85E610 kernel32._lopen
00406364 7C838D93 kernel32._lwrite
00406368 7C822E21 kernel32.LocalUnlock
0040636C 7C839450 kernel32._llseek
00406370 7C80995D kernel32.LocalFree
00406374 7C8099BD kernel32.LocalAlloc
00406378 7C839308 kernel32._lclose
0040637C 7C80FF2D kernel32.GlobalAlloc
00406380 7C80C9C1 kernel32.GetLocalTime
00406384 7C826F4B kernel32.GetTimeFormatA
00406388 7C826E0C kernel32.GetDateFormatA
0040638C 7C80B929 kernel32.lstrcmpiA
00406390 7C801EEE kernel32.GetStartupInfoA
00406394 7C80B529 kernel32.GetModuleHandleA
00406398 7C81CAA2 kernel32.ExitProcess
0040639C 7C810311 kernel32.lstrcpynA
004063A0 7C822D88 kernel32.LocalLock
004063A4 7C81E2B1 kernel32.LocalReAlloc
004063A8 7C822D47 kernel32.GetProfileStringA
004063AC 7C923151 ntdll.RtlMoveMemory
004063B0 7C80C6E0 kernel32.lstrlenA
004063B4 7C80EFD7 kernel32.FindClose
004063B8 7C81EE79 kernel32.lstrcmpA
004063BC 7C813559 kernel32.FindFirstFileA
004063C0 7C801A24 kernel32.CreateFileA
004063C4 7C838FB9 kernel32.lstrcatA
004063C8 7C930331 ntdll.RtlGetLastWin32Error
004063CC 7C80D47E kernel32.GetLocaleInfoA
004063D0 7C8097F4 kernel32.MulDiv
004063D4 7C80C729 kernel32.lstrcpyA
004063D8 7C810082 kernel32.GlobalUnlock
004063DC 7C80FE2F kernel32.GlobalFree
004063E0 7C812C8D kernel32.GetCommandLineA
004063E4 7C839418 kernel32._lread
004063E8 7C810119 kernel32.GlobalLock
004063EC 00000000
004063F0 7D610E80 SHELL32.ShellExecuteA
004063F4 7D5FAF0C SHELL32.DragAcceptFiles
004063F8 7D632362 SHELL32.ShellAboutA
004063FC 7D6882B2 SHELL32.SHGetSpecialFolderPathA
00406400 7D6469FE SHELL32.DragQueryFileA
00406404 7D6469ED SHELL32.DragFinish
00406408 00000000
0040640C 77D1A8AD USER32.wsprintfA
00406410 77D3023D USER32.CloseClipboard
00406414 77D2F13E USER32.IsClipboardFormatAvailable
00406418 77D3024F USER32.OpenClipboard
0040641C 77D3148B USER32.GetMenu
00406420 77D20FE8 USER32.LoadStringA
00406424 77D31524 USER32.LoadAcceleratorsA
00406428 77D1DB70 USER32.GetSystemMenu
0040642C 77D18E28 USER32.RegisterWindowMessageA
00406430 77D1D60D USER32.SetWindowLongA
00406434 77D2025E USER32.CreateWindowExA
00406438 77D20B3E USER32.LoadCursorA
0040643C 77D237E6 USER32.RegisterClassExA
00406440 77D18F9D USER32.GetSystemMetrics
00406444 77D1D7F9 USER32.UpdateWindow
00406448 77D20FBA USER32.CharPrevA
0040644C 77D1B6AE USER32.GetClientRect
00406450 77D1C96C USER32.PeekMessageA
00406454 77D3C94A USER32.SetDlgItemTextA
00406458 77D5A19D USER32.TabbedTextOutA
0040645C 77D3C7B3 USER32.CreateDialogParamA
00406460 77D1BE71 USER32.EnableWindow
00406464 77D3213C USER32.GetWindowTextA
00406468 77D3C2BF USER32.SendDlgItemMessageA
0040646C 77D1D869 USER32.GetDlgCtrlID
00406470 77D2BAAF USER32.ChildWindowFromPoint
00406474 77D1BDC8 USER32.ScreenToClient
00406478 77D1BD76 USER32.GetCursorPos
0040647C 77D6AC1E USER32.GetDlgItemTextA
00406480 77D216E2 USER32.GetSubMenu
00406484 77D31A8E USER32.CheckMenuItem
00406488 77D20F90 USER32.CharNextA
0040648C 77D3C661 USER32.IsDialogMessageA
00406490 77D2FA9C USER32.TranslateAcceleratorA
00406494 77D18BF6 USER32.TranslateMessage
00406498 77D21211 USER32.PostQuitMessage
0040649C 77D1BE27 USER32.IsIconic
004064A0 77D1DAEA USER32.DestroyWindow
004064A4 77D31F4C USER32.MessageBeep
004064A8 77D504EA USER32.MessageBoxA
004064AC 77D1D4EE USER32.DefWindowProcA
004064B0 77D1EA2F USER32.EnableMenuItem
004064B4 77D3154B USER32.GetLastActivePopup
004064B8 77D1D8A4 USER32.ShowWindow
004064BC 77D26250 USER32.EndDialog
004064C0 77D24795 USER32.SetForegroundWindow
004064C4 77D3EE35 USER32.WinHelpA
004064C8 77D21324 USER32.LoadIconA
004064CC 77D186C7 USER32.GetDC
004064D0 77D1869D USER32.ReleaseDC
004064D4 77D1BF58 USER32.SetCursor
004064D8 77D2F39A USER32.SendMessageA
004064DC 77D1BEF0 USER32.GetFocus
004064E0 77D1CB85 USER32.PostMessageA
004064E4 77D1DA60 USER32.SetFocus
004064E8 77D1B5F5 USER32.InvalidateRect
004064EC 77D1DBEC USER32.MoveWindow
004064F0 77D196B8 USER32.DispatchMessageA
004064F4 77D21042 USER32.GetMessageA
004064F8 77D2F543 USER32.SetWindowTextA
004064FC 00000000
00406500 7632311E comdlg32.GetOpenFileNameA
00406504 7633C289 comdlg32.ChooseFontA
00406508 7633867C comdlg32.FindTextA
0040650C 763447B1 comdlg32.PageSetupDlgA
00406510 76337CD8 comdlg32.GetSaveFileNameA
00406514 763300CE comdlg32.CommDlgExtendedError
00406518 76322533 comdlg32.GetFileTitleA
0040651C 00000000
Now you know how to find the start and end addresses of the import table functions, right?

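As an added illustration (not part of the original post and not code from any tool it mentions), the Python script below automates what the reply above does by eye: it parses a data-window dump in the "address value module.Function" layout shown, walks out from one IAT slot (the one a `call dword ptr ds:[X]` reads) to the first and last cell of the table, splits the table into the zero-separated per-DLL groups, and flags entries whose module differs from the rest of their group. The embedded dump is a constructed, abridged excerpt with re-assigned addresses; the anchor slot, the function names and the convention that the end address is the trailing 00000000 are this example's own choices.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One OllyDbg data-window line: "address value [module.Function]"
LINE_RE = re.compile(r"^\s*([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]{8})(?:\s+(\S+))?\s*$")

# Constructed excerpt in the layout of the Notepad dump above (abridged, addresses re-assigned).
SAMPLE_DUMP = """\
004062D8 0040E2A0
004062DC 00000000
004062E0 77DAEBE7 ADVAPI32.RegSetValueExA
004062E4 77DA7883 ADVAPI32.RegQueryValueExA
004062E8 77DA6BF0 ADVAPI32.RegCloseKey
004062EC 00000000
004062F0 77EF61E1 GDI32.GetStockObject
004062F4 77EF8C33 GDI32.GetObjectA
004062F8 00000000
004062FC 7C80B529 kernel32.GetModuleHandleA
00406300 7C923151 ntdll.RtlMoveMemory
00406304 7C812C8D kernel32.GetCommandLineA
00406308 00000000
0040630C 00000001
"""


@dataclass
class Slot:
    addr: int
    value: int
    name: Optional[str]  # "module.Function" when OllyDbg resolved the pointer, else None

    @property
    def module(self) -> Optional[str]:
        return self.name.split(".", 1)[0].lower() if self.name else None


def parse_dump(text: str) -> Dict[int, Slot]:
    """Parse dump lines into an address -> Slot map; lines that do not match are skipped."""
    slots: Dict[int, Slot] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            addr = int(m.group(1), 16)
            slots[addr] = Slot(addr, int(m.group(2), 16), m.group(3))
    return slots


def find_iat_bounds(slots: Dict[int, Slot], anchor: int) -> Tuple[int, int]:
    """Walk out from one resolved IAT slot to the table's first and last cell.

    Backwards: resolved imports, and a single 00000000 sitting between two imports,
    belong to the table; a zero not preceded by an import is the leading boundary.
    Forwards: the table ends at the first 00000000 not followed by another import,
    and that terminating dword is included in the end address.
    """
    if anchor not in slots or slots[anchor].name is None:
        raise ValueError("anchor must be a resolved import slot")
    lo = anchor
    while True:
        prev = slots.get(lo - 4)
        if prev is None:
            break
        before = slots.get(lo - 8)
        if prev.name is not None or (prev.value == 0 and before is not None and before.name is not None):
            lo -= 4
        else:
            break
    hi = anchor
    while True:
        nxt = slots.get(hi + 4)
        if nxt is None:
            break
        if nxt.name is not None:
            hi += 4
        elif nxt.value == 0:
            hi += 4  # separator or terminator; keep going only if another import follows
            after = slots.get(hi + 4)
            if after is None or after.name is None:
                break
        else:
            break
    return lo, hi


def dll_groups(slots: Dict[int, Slot], lo: int, hi: int) -> List[List[Slot]]:
    """Split the table into its zero-separated per-DLL groups."""
    groups, cur = [], []
    for addr in range(lo, hi + 1, 4):
        s = slots[addr]
        if s.value == 0:
            if cur:
                groups.append(cur)
                cur = []
        else:
            cur.append(s)
    if cur:
        groups.append(cur)
    return groups


def audit_groups(groups: List[List[Slot]]):
    """Per group: (first slot, dominant module, entry count, entries resolved to another module)."""
    report = []
    for g in groups:
        dominant = Counter(s.module for s in g).most_common(1)[0][0]
        foreign = [s.name for s in g if s.module != dominant]
        report.append((g[0].addr, dominant, len(g), foreign))
    return report


def analyze(text: str, anchor: int) -> dict:
    slots = parse_dump(text)
    lo, hi = find_iat_bounds(slots, anchor)
    return {"start": lo, "end": hi, "size": hi - lo + 4,
            "groups": audit_groups(dll_groups(slots, lo, hi))}


if __name__ == "__main__":
    r = analyze(SAMPLE_DUMP, 0x00406304)  # slot read by the GetCommandLineA call
    print(f"IAT start={r['start']:08X} end={r['end']:08X} size={r['size']:X}h")
    for first, mod, n, foreign in r["groups"]:
        print(f"  {first:08X} {mod:<9} {n} entries" + (f"  foreign: {foreign}" if foreign else ""))
```

An entry resolved to a different module than the rest of its group, such as the ntdll.RtlMoveMemory inside the kernel32 group in both the real dump and this excerpt, typically means OllyDbg followed a forwarded export to its target; that is worth knowing before an import rebuild, because the thunk still belongs to the kernel32 descriptor.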
Thread: Manually unpacking an Armadillo-packed DLL with OllyDbg: Visual.Assist.X.V10.2.1437.0
Reply: Armadillo V4.0-V4.4.DLL UnPacK Script

/////////////////////////////////////////////////////////////
// FileName : Armadillo V4.0-V4.4.DLL.osc
// Comment : Armadillo V4.0-V4.4.DLL UnPacK Script
// Environment : WinXP SP2,OllyDbg V1.10,OllyScript V0.92
// Author : fly
// WebSite : http://www.unpack.cn
// Date : 2005-12-12 16:00
/////////////////////////////////////////////////////////////
/*
★ Note: ★
If OllyDbg does not pause at the target DLL's EP when loading it and runs straight through,
first set OllyDbg to ignore all exception options except "Memory access violation" and the exception range,
wait for OllyDbg to pause at the first memory exception, then ignore all exception options and run this script.

Attention: if OllyDBG fails to pause at the EP when loading a DLL, please do not check "Memory access violation" & "Ignore also following ...";
after it pauses at the first exception, check all those exception options and run the script.
*/

#log
dbh
var T0
var T1
var temp
var bpcnt
var MagicJMP
var JmpAddress
var fiXedOver
var OpenMutexA
var GetModuleHandleA
var set_new_handler
var FindOEP

MSGYN "Plz Clear All BreakPoints And Set Debugging Option Ignore All Excepions Options And Add C000001D..C000001E in custom exceptions !"
cmp $RESULT, 0
je TryAgain

//OutputDebugStringA――――――――――――――――――――――――――――――――
gpa "OutputDebugStringA", "KERNEL32.dll"
mov [$RESULT], #C20400#

//OpenMutexA――――――――――――――――――――――――――――――――
gpa "OpenMutexA", "KERNEL32.dll"
mov OpenMutexA,$RESULT
mov [OpenMutexA], #33C0C20C00#

//GetModuleHandleA――――――――――――――――――――――――――――――――
gpa "GetModuleHandleA", "KERNEL32.dll"
find $RESULT,#C20400#
mov GetModuleHandleA,$RESULT
bp GetModuleHandleA
eob GetModuleHandleA

GoOn0:
esto

GetModuleHandleA:
cmp eip,GetModuleHandleA
jne GoOn0
cmp bpcnt,1
je VirtualFree
cmp bpcnt,2
je Third

/*
00129528 00BE6DF3 RETURN to 00BE6DF3 from kernel32.GetModuleHandleA
0012952C 00BFBC1C ASCII "kernel32.dll"
00129530 00BFCEC4 ASCII "VirtualAlloc"
*/
VirtualAlloc:
mov temp,esp
add temp,4
log temp
mov T0,[temp]
cmp [T0],6E72656B
log [T0]
jne GoOn0
add temp,4
mov T1,[temp]
cmp [T1],74726956
jne GoOn0
bc OpenMutexA
inc bpcnt
jmp GoOn0

/*
00129528 00BE6E10 RETURN to 00BE6E10 from kernel32.GetModuleHandleA
0012952C 00BFBC1C ASCII "kernel32.dll"
00129530 00BFCEB8 ASCII "VirtualFree"
*/
VirtualFree:
mov temp,esp
add temp,4
mov T1,[temp]
cmp [T1],6E72656B
jne GoOn0
add temp,4
mov T1,[temp]
add T1,7
cmp [T1],65657246
log [T1]
jne GoOn0
inc bpcnt
jmp GoOn0

/*
0012928C 00BD5CE1 RETURN to 00BD5CE1 from kernel32.GetModuleHandleA
00129290 001293DC ASCII "kernel32.dll"
*/
Third:
mov temp,esp
add temp,4
mov T1,[temp]
cmp [T1],6E72656B
jne GoOn0
bc GetModuleHandleA
sti

//MagicJMP――――――――――――――――――――――――――――――――
/*
00BD5CDB FF15 B860BF00 call dword ptr ds:[BF60B8] ; kernel32.GetModuleHandleA
00BD5CE1 8B0D AC40C000 mov ecx,dword ptr ds:[C040AC]
00BD5CE7 89040E mov dword ptr ds:[esi+ecx],eax
00BD5CEA A1 AC40C000 mov eax,dword ptr ds:[C040AC]
00BD5CEF 391C06 cmp dword ptr ds:[esi+eax],ebx
00BD5CF2 75 16 jnz short 00BD5D0A
00BD5CF4 8D85 B4FEFFFF lea eax,dword ptr ss:[ebp-14C]
00BD5CFA 50 push eax
00BD5CFB FF15 BC62BF00 call dword ptr ds:[BF62BC] ; kernel32.LoadLibraryA
00BD5D01 8B0D AC40C000 mov ecx,dword ptr ds:[C040AC]
00BD5D07 89040E mov dword ptr ds:[esi+ecx],eax
00BD5D0A A1 AC40C000 mov eax,dword ptr ds:[C040AC]
00BD5D0F 391C06 cmp dword ptr ds:[esi+eax],ebx
00BD5D12 0F84 2F010000 je 00BD5E47
*/
find eip,#39????0F84#
cmp $RESULT,0
je NoFind
add $RESULT,3
mov MagicJMP,$RESULT
log MagicJMP
mov T0,$RESULT
add T0,2
mov T1, [T0]
add T1,4
add T1,T0
mov JmpAddress,T1
log JmpAddress
eval "jmp {JmpAddress}"
asm MagicJMP,$RESULT

/*
00BD5C8C 391D F0B0BF00 cmp dword ptr ds:[BFB0F0],ebx
00BD5C92 0F84 C4010000 je 00BD5E5C
*/
mov temp,MagicJMP
sub temp,100
find temp,#39??????????0F84#
cmp $RESULT,0
je NoFind
add $RESULT,6
mov T0,$RESULT
add T0,2
mov T1, [T0]
add T1,4
add T1,T0
mov fiXedOver,T1
log fiXedOver
eob fiXedOver
bp fiXedOver
esto

GoOn1:
esto

fiXedOver:
cmp eip,fiXedOver
jne GoOn1
bc fiXedOver
eval "je {JmpAddress}"
asm MagicJMP,$RESULT

//_set_new_handler――――――――――――――――――――――――――――――――
gpa "?_set_new_handler@@YAP6AHI@ZP6AHI@Z@Z", "msvcrt.dll"
mov set_new_handler,$RESULT
eob set_new_handler
bp set_new_handler
esto

GoOn2:
esto

set_new_handler:
cmp eip,set_new_handler
jne GoOn2
bc set_new_handler
rtu
rtr

//FindOEP――――――――――――――――――――――――――――――――
/*
10320DE6 8B0D 90D63410 mov ecx,dword ptr ds:[1034D690]
10320DEC 51 push ecx
10320DED FF15 C4D63410 call dword ptr ds:[1034D6C4]
*/
find eip,#8B??????????51FF15#
cmp $RESULT,0
je NoFind
add $RESULT,7
mov FindOEP,$RESULT
log FindOEP
eob FindOEP
bp FindOEP
esto

FindOEP:
bc FindOEP
sti

//GameOver――――――――――――――――――――――――――――――――
log eip
cmt eip, "This is the OEP! Found By: fly "
MSG "Just : OEP ! Dump and Fix IAT/Relocation/Code Splicing. Good Luck "
ret

NoFind:
MSG "Error! Don't find. "
ret

TryAgain:
MSG " Plz Try Again ! "
ret

Click to download: Armadillo.V4.0-V4.4.DLL.osc.rar

Thread: Packer test: if you are bored, come in and play with this Notepad
Reply: NsPacK+DelphiUpx+MoleBox+VMProtect

Thread: [Help] Asking again: the "couldn't grab process memory" problem
Reply: In OllyDbg press Alt+M and set all sections of the target program to full access.