[求助]高手帮忙看一下是什么客
Themida/WinLicense V1.8.2.0 + -> Oreans Technologies * Sign.By.fly * |
|
[求助]请问谁那里有冷门的壳..
冷门的壳要么没啥用要么找不到 |
|
Armadillo V5.0X 标准加壳保护方式脱壳
1. 此脚本只支持 Armadillo.V5.0X.Standard.Protection 脱壳,不支持 Armadillo V5.X 以前的版本,也不支持 CopyMem-II 保护方式
2. 只支持 EXE,DLL 脱壳脚本准备以后编写
3. 此脚本已测试系统平台:WinXP SP2 + Win2000 SP4
4. 使用了 ODbgScrip.V1.65.Chinese.dll 脚本插件,帮 hnhuqiong 推广一下,虽然用的新版指令不多
5. 如果有异常,请详细描述情况并粘贴运行 Log,同时附上目标程序的保护方式和下载地址 |
|
Armadillo V5.0X 标准加壳保护方式脱壳
///////////////////////////////////////////////////////////////
// FileName : Armadillo.V5.X.Standard.Protection.oSc
// Comment : Standard Only + Standard plus Debug Blocker
// Environment : WinXP SP2,OllyDbg V1.10,OllyScript V1.65
// Author : fly[CUG]
// WebSite : http://unpack.cn
// Date : 2007-09-16 24:00
///////////////////////////////////////////////////////////////
/*
 Overview (review notes; the header above is the author's)

 ODbgScript script run from inside OllyDbg.  It drives the Armadillo-wrapped
 debuggee to its original entry point (OEP) by breaking on the `ret` of a few
 kernel32 exports, inspecting the caller's stack, and temporarily patching two
 byte sequences in the protector's own code.  Every write below goes through the
 debugger into the debuggee process only; nothing on disk is modified.

 Conventions visible in this file:
   - Numeric literals are hexadecimal (`sub Temp,400`, `cmp bpcnt,10`, `add $RESULT,15`).
   - `gpa "Name","Module"` resolves an export into $RESULT.
   - `find addr,#bytes#` searches forward for a byte pattern (?? = wildcard) and
     leaves the match in $RESULT, or 0 when nothing matches.
   - `bp`/`bc` set and clear a software breakpoint; `eob label` names the label
     control jumps to on the next breakpoint hit; `esto` runs until a breakpoint;
     `esti` steps one instruction (used here to execute the `ret` a breakpoint sits
     on, so eip lands in the caller).
   - API breakpoints are placed on the `ret` (located by pattern), not on the entry,
     so [esp] is the return address and [esp+4] the first argument when the stack is
     inspected.  The exception is OpenMutexA, which is broken on entry.
   - T0 and T1 are used below without a `var` declaration; presumably ODbgScript
     1.65 declares them implicitly -- verify against the plugin version in use.
   - JmpAddress is declared but never referenced.
*/
// #log: echo each executed script line to the log window (ODbgScript directive; verify).
#log
// dbh: ODbgScript "debugger hide" -- clears the debuggee's debugger-present flag (verify).
dbh
// Scratch: stack walker / pattern address.
var Temp
// Counts qualifying GetModuleHandleA hits; later reused as a GetTickCount retry counter.
var bpcnt
// Address of the `mov dword ptr [eax],ecx` that is temporarily NOP'ed.
var Clear
// Address of the `je short` that is temporarily turned into `jmp short`.
var MagicJMP
// Declared but not used anywhere in this script.
var JmpAddress
// Address at which the two patches above are reverted.
var fiXedOver
// kernel32!OpenMutexA entry point.
var OpenMutexA
// Address of the `ret 4` inside kernel32!GetModuleHandleA.
var GetModuleHandleA
// Address of the `ret 10` inside kernel32!VirtualProtect.
var VirtualProtect
// Address of the `leave ; ret 18` epilogue inside kernel32!CreateFileMappingA.
var CreateFileMappingA
// Address of the `ret` inside kernel32!GetTickCount.
var GetTickCount
// Address of the `ret 18` inside kernel32!CreateThread.
var CreateThread
// Address of the `call ecx` that transfers control to the OEP.
var FindOEP
// Operator preconditions: no stale breakpoints, all exceptions ignored, and the
// codes C000001D..C000001E added as custom exceptions so they are passed to the
// debuggee instead of pausing the run.  Answering "No" aborts at TryAgain.
MSGYN "Plz Clear All BreakPoints And Set Debugging Option Ignore All Excepions Options And Add C000001D..C000001E in custom exceptions !"
cmp $RESULT, 0
je TryAgain
// The script uses 1.65 commands; refuse older plugin versions.
cmp $VERSION, "1.65"
jb CheckODbgScripVersion
// Clear all hardware, then all software breakpoints.
BPHWC
BC
//OutputDebugStringA______________________________________
// Overwrite the first bytes of kernel32!OutputDebugStringA in the debuggee with
// `ret 4` (C2 04 00): the call becomes a no-op with the stdcall stack cleanup for
// its single argument.
gpa "OutputDebugStringA", "KERNEL32.dll"
mov [$RESULT], #C20400#
//OpenMutexA______________________________________
// Locate VirtualProtect's `pop ebp ; ret 10` epilogue (5D C2 10 00) and break on the
// ret (+1).  Label VirtualProtect is the shared breakpoint handler and also
// dispatches the OpenMutexA hit (see its `cmp eip,OpenMutexA`).
gpa "VirtualProtect", "KERNEL32.dll"
find $RESULT,#5DC21000#
add $RESULT,1
mov VirtualProtect,$RESULT
eob VirtualProtect
bp VirtualProtect
// OpenMutexA is broken on entry, so at the hit [ESP+0C] is its 3rd argument (lpName).
gpa "OpenMutexA", "KERNEL32.dll"
mov OpenMutexA,$RESULT
bp OpenMutexA
esto
OpenMutexA:
// Reached from the dispatch at label VirtualProtect when eip == OpenMutexA.
// Inject code into the debuggee: CreateMutexA(NULL, FALSE, lpName) with lpName
// taken from [ESP+0C], registers preserved by pushad/popad, then `jmp OpenMutexA`
// to resume at the API entry.  Presumably this makes the protector's own
// OpenMutexA succeed (Debug Blocker handling per the header) -- verify.
// Control returns to KillOpenMutexA via the eob set here.
eob KillOpenMutexA
exec
mov eax,[ESP+0C]
pushad
push eax
push 0
push 0
CALL CreateMutexA
popad
jmp OpenMutexA
ende
KillOpenMutexA:
// One-shot: the breakpoint is removed so the mutex is only created once.
bc OpenMutexA
esti
//VirtualProtect______________________________________
// Run until the VirtualProtect ret breakpoint fires.  Any other breakpoint
// (including OpenMutexA) also lands here and is either forwarded or ignored.
eob VirtualProtect
GoOn0:
esto
VirtualProtect:
cmp eip,OpenMutexA
je OpenMutexA
cmp eip,VirtualProtect
jne GoOn0
bc VirtualProtect
//CreateFileMappingA______________________________________
// Break on CreateFileMappingA's `leave ; ret 18` epilogue (C9 C2 18 00) and run to it.
gpa "CreateFileMappingA", "KERNEL32.dll"
find $RESULT,#C9C21800#
mov CreateFileMappingA,$RESULT
bp CreateFileMappingA
eob CreateFileMappingA
esto
GoOn1:
esto
CreateFileMappingA:
cmp eip,CreateFileMappingA
jne GoOn1
bc CreateFileMappingA
//GetModuleHandleA______________________________________
// Break on GetModuleHandleA's `ret 4` (C2 04 00) and inspect the caller's stack to
// pick out three specific calls, counted in bpcnt:
//   hit 1 (VirtualAlloc): lpModuleName starts with "kern" and the stack slot after
//                         the argument points at "VirtualAlloc" (see dump)
//   hit 2 (VirtualFree):  same, with "VirtualFree"
//   hit 3 (Third):        lpModuleName starts with "kern", no second check
// The dword constants are the ASCII strings read little-endian:
//   6E72656B = "kern", 74726956 = "Virt", 65657246 = "Free".
gpa "GetModuleHandleA", "KERNEL32.dll"
find $RESULT,#C20400#
mov GetModuleHandleA,$RESULT
bp GetModuleHandleA
eob GetModuleHandleA
esto
GoOn2:
esto
GetModuleHandleA:
cmp eip,GetModuleHandleA
jne GoOn2
cmp bpcnt,1
je VirtualFree
cmp bpcnt,2
je Third
/*
00139478 00E05325 RETURN to 00E05325 from kernel32.GetModuleHandleA
0013947C 00E30C04 ASCII "kernel32.dll"
00139480 00E31AD0 ASCII "VirtualAlloc"
*/
VirtualAlloc:
// [esp] is the return address (we sit on the ret), so [esp+4] = lpModuleName.
mov Temp,esp
add Temp,4
log Temp
mov T0,[Temp]
cmp [T0],6E72656B
log [T0]
jne GoOn2
// [esp+8] lies past GetModuleHandleA's single argument; per the dump above the
// caller keeps a pointer to "VirtualAlloc" there.
add Temp,4
mov T1,[Temp]
cmp [T1],74726956
jne GoOn2
// Clears the OpenMutexA breakpoint if it is still set (normally already removed
// at KillOpenMutexA).
bc OpenMutexA
inc bpcnt
jmp GoOn2
/*
00139478 00E05343 RETURN to 00E05343 from kernel32.GetModuleHandleA
0013947C 00E30C04 ASCII "kernel32.dll"
00139480 00E31AC4 ASCII "VirtualFree"
*/
VirtualFree:
mov Temp,esp
add Temp,4
mov T1,[Temp]
cmp [T1],6E72656B
jne GoOn2
add Temp,4
mov T1,[Temp]
// Skip the 7 characters of "Virtual" and compare the tail with "Free".
add T1,7
cmp [T1],65657246
log [T1]
jne GoOn2
inc bpcnt
jmp GoOn2
/*
001391C4 00DE7F54 RETURN to 00DE7F54 from kernel32.GetModuleHandleA
001391C8 00139340 ASCII "kernel32.dll"
*/
Third:
mov Temp,esp
add Temp,4
mov T1,[Temp]
cmp [T1],6E72656B
jne GoOn2
bc GetModuleHandleA
// Execute the ret: eip is now the return address inside the protector.
esti
//VirtualProtect2______________________________________
// Re-arm the VirtualProtect ret breakpoint, step back into its caller and search
// forward from there for the protector sequence
//   83C404                  add esp,4
//   E9 ????????             jmp rel32
//   C705 ???????? ????????  mov dword ptr [imm32],imm32
//   83BD ???????? ??        cmp dword ptr [ebp+disp32],imm8
//   7437                    je short +37
// No match is reported as "not this protector version".  Otherwise a breakpoint is
// set on the `mov` (3 + 5 = 8 bytes into the match) and the debuggee run up to it.
bp VirtualProtect
eob VirtualProtect2
esto
GoOn3:
esto
VirtualProtect2:
cmp eip,VirtualProtect
jne GoOn3
bc VirtualProtect
esti
find eip,#83C404E9????????C705????????????????83BD??????????7437#
cmp $RESULT,0
je Armadillo.V5.X.Standard.Protection
add $RESULT,8
mov Temp,$RESULT
bp Temp
eob Temp
esto
GoOn4:
esto
Temp:
cmp eip,Temp
jne GoOn4
bc Temp
//GetTickCount______________________________________
// Break on GetTickCount's ret, step into the caller and search from eip for the
// sequence shown in the MagicJMP dump below.  bpcnt is reused as a retry counter:
// at most 10h (16) GetTickCount returns are examined before giving up.
mov bpcnt,0
gpa "GetTickCount", "KERNEL32.dll"
// 0F AC D0 18 = shrd eax,edx,18 ; C3 = ret.  +4 selects the ret.
find $RESULT,#0FACD018C3#
cmp $RESULT,0
je NoFind
add $RESULT,4
mov GetTickCount,$RESULT
bp GetTickCount
eob GetTickCount
esto
GoOn5:
esto
GetTickCount:
cmp eip,GetTickCount
jne GoOn5
// Return into the caller, then look for `cmp dword ptr [eax+8],0 / je short / push 100 / ...`.
esti
find eip,#83780800744A68000100008D8D????FFFF518B95????FFFF#
inc bpcnt
log bpcnt
cmp bpcnt,10
ja NoFind
// Not this caller: keep the breakpoint and run to the next GetTickCount return.
cmp $RESULT,0
je GoOn5
bc GetTickCount
esti
//MagicJMP______________________________________
/*
00E5AA7B 8B85 40C2FFFF mov eax,dword ptr ss:[ebp-3DC0]
00E5AA81 8378 08 00 cmp dword ptr ds:[eax+8],0
00E5AA85 74 4A je short 00E5AAD1 //MagiJmp
00E5AA87 68 00010000 push 100
00E5AA8C 8D8D 40C1FFFF lea ecx,dword ptr ss:[ebp-3EC0]
00E5AA92 51 push ecx
00E5AA93 8B95 40C2FFFF mov edx,dword ptr ss:[ebp-3DC0]
00E5AA99 8B02 mov eax,dword ptr ds:[edx]
00E5AA9B 50 push eax
00E5AA9C E8 2F7CFBFF call 00E126D0
00E5AAA1 83C4 0C add esp,0C
00E5AAA4 8D8D 40C1FFFF lea ecx,dword ptr ss:[ebp-3EC0]
00E5AAAA 51 push ecx
00E5AAAB 8D95 50C2FFFF lea edx,dword ptr ss:[ebp-3DB0]
00E5AAB1 52 push edx
00E5AAB2 E8 25080100 call 00E6B2DC
00E5AAB7 83C4 08 add esp,8
00E5AABA 85C0 test eax,eax
00E5AABC 75 11 jnz short 00E5AACF
*/
// $RESULT points at `cmp dword ptr [eax+8],0` (83 78 08 00); +4 is the `je short`
// (74 4A, 00E5AA85 in the dump).  Its opcode is changed to EB (`jmp short`) so the
// branch is always taken.  The original 74 is written back at fiXedOver below.
add $RESULT,4
mov MagicJMP,$RESULT
log MagicJMP
mov [MagicJMP],#EB#
/*
00E5AAED E8 BE7CFBFF call 00E127B0
00E5AAF2 0FB6C0 movzx eax,al
00E5AAF5 99 cdq
00E5AAF6 B9 14000000 mov ecx,14
00E5AAFB F7F9 idiv ecx
00E5AAFD 8B85 4CD8FFFF mov eax,dword ptr ss:[ebp-27B4]
00E5AB03 8B8C95 E8D7FFFF mov ecx,dword ptr ss:[ebp+edx*4-2818>
00E5AB0A 8908 mov dword ptr ds:[eax],ecx
00E5AB0C 8B95 4CD8FFFF mov edx,dword ptr ss:[ebp-27B4]
00E5AB12 83C2 04 add edx,4
00E5AB15 8995 4CD8FFFF mov dword ptr ss:[ebp-27B4],edx
00E5AB1B E9 72010000 jmp 00E5AC92
*/
// Locate the `mov dword ptr [eax],ecx` (89 08) in the sequence above.  The pattern
// starts at `cdq` (99) and the store sits 15h = 21 bytes in (1 + 5 + 2 + 6 + 7).
// It is replaced by two NOPs (90 90); the original bytes are restored at fiXedOver.
find MagicJMP,#99B914000000F7F98B85????FFFF8B8C95????FFFF8908#
cmp $RESULT,0
je NoFind
add $RESULT,15
mov Clear,$RESULT
mov [Clear],#9090#
/*
00DFAE77 8B85 50D8FFFF mov eax,dword ptr ss:[ebp-27B0]
00DFAE7D 50 push eax
00DFAE7E E8 2DC30000 call 00E071B0
00DFAE83 83C4 04 add esp,4
00DFAE86 EB 03 jmp short 00DFAE8B
00DFAE88 D6 salc
00DFAE89 D6 salc
00D62407 8B95 A0AEFFFF mov edx,dword ptr ss:[ebp+FFFFAEA0]
00D6240D 52 push edx
00D6240E E8 11B30000 call 00D6D724
00D62413 83C4 04 add esp,4
00D62416 E9 92F6FFFF jmp 00D61AAD
*/
// From Clear, find the next `mov reg,[ebp-xxxx] / push reg / call rel32 / add esp,4`
// (a 15-byte match) and set fiXedOver 14h = 20 bytes past its start; in the first
// dump above that is 00DFAE8B, the target of `jmp short 00DFAE8B`.  A breakpoint
// there reverts both patches once the protector has run past them.
find Clear,#8B??????FFFF??E8????000083C404#
cmp $RESULT,0
je NoFind
add $RESULT,14
mov fiXedOver,$RESULT
log fiXedOver
eob fiXedOver
bp fiXedOver
esto
GoOn6:
esto
fiXedOver:
cmp eip,fiXedOver
jne GoOn6
bc fiXedOver
// Restore `je short` (74) and `mov [eax],ecx` (89 08).
mov [MagicJMP],#74#
mov [Clear],#8908#
//CreateThread______________________________________
// Break on CreateThread's `ret 18` (C2 18 00, six stdcall arguments), run to it and
// step into the caller.
gpa "CreateThread", "KERNEL32.dll"
find $RESULT,#C21800#
mov CreateThread,$RESULT
eob CreateThread
bp CreateThread
esto
GoOn7:
esto
CreateThread:
cmp eip,CreateThread
jne GoOn7
bc CreateThread
esti
//FindOEP______________________________________
/*
00DBF2F1 2B4D DC sub ecx,dword ptr ss:[ebp-24]
00DBF2F4 FFD1 call ecx ; Armadill.004010CC
00DBF2F6 8945 FC mov dword ptr ss:[ebp-4],eax
00DBF2F9 8B45 FC mov eax,dword ptr ss:[ebp-4]
00DBF2FC 5E pop esi
00DBF2FD 8BE5 mov esp,ebp
00DBF2FF 5D pop ebp
00DBF300 C3 retn
*/
// Search forward from eip-400h for
//   FFD1    call ecx        (ecx = the original entry point, per the dump)
//   8945FC  mov [ebp-4],eax
//   8B45FC  mov eax,[ebp-4]
// Break on the `call ecx`; one `esti` then leaves eip on the OEP.
mov Temp,eip
sub Temp,400
find Temp,#FFD18945FC8B45FC#
cmp $RESULT,0
je NoFind
mov FindOEP,$RESULT
log FindOEP
eob FindOEP
bp FindOEP
esto
GoOn8:
esto
FindOEP:
cmp eip,FindOEP
jne GoOn8
bc FindOEP
esti
//GameOver______________________________________
// Report elapsed time, annotate the OEP in the disassembly and hand back to the
// operator; dumping and IAT repair are done manually, outside this script.
tick time
eval "Time since script startup : {time}"
log $RESULT
log eip
cmt eip, "This is the OEP! Found By: fly[CUG] "
MSG "Just : OEP ! Dump and Fix IAT. Good Luck "
ret
// --- error exits ---------------------------------------------------------------
// A byte pattern above was not found, or the GetTickCount retries were exhausted.
NoFind:
MSG "Error! Don't find. "
ret
CheckODbgScripVersion:
msg "ODBGScript Version Need 1.65 or Higher!"
ret
// The VirtualProtect2 signature did not match.
Armadillo.V5.X.Standard.Protection:
msg "Sorry,Maybe it's not Armadillo.V5.X.Standard.Protection."
ret
// The operator declined the preconditions prompt.
TryAgain:
MSG " Plz Try Again ! "
ret
, _/ /| _.-~/ \_ , 青春都一晌 ( /~ / \~-._ |\ `\\ _/ \ ~\ ) 忍把浮名 _-~~~-.) )__/;;,. \_ //' /'_,\ --~ \ ~~~- ,;;\___( (.-~~~-. 换了破解轻狂 `~ _( ,_..--\ ( ,;'' / ~-- /._`\ /~~//' /' `~\ ) /--.._, )_ `~ " `~" " `" /~'`\ `\\~~\ " " "~' "" fly[CUG] http://unpack.cn http://www.unpack.cn 2007.09.16 24:00 |
|
[求助]WinLicense可以加密主程序和其他的文件吗?
EncryptPE 貌似可以在加壳主程序时选择保护一个数据文件 真要用WinLicense加密主程序,那就在加密后再用Thinstall或MoleBox捆绑数据文件了,兼容性需要测试 |
|
|
|
|
|
[转帖]花生脱壳机的正确使用
硬件脱壳机啊 |
|
|
|
[求助]Armadillo 2.51 - 3.xx DLL Stub -> Silicon Realms Toolworks脱壳
试试 Armadillo V4.0-V4.4.DLL.oSc |
|
|
|
|
|
[求助]yoda's Protector 1.03.3 求助。
再找找其他yp教程 |
|
|
|
[求助]arvid's tdr file 这个是什么壳
用winrar看看能否打开 |
|
|