|
I remember there used to be a post on the Pediy forum with source code for several packers available for download; I can't find it now. Could someone give me the URL?
Originally posted by Nnewell: Mr. N's "kind-hearted" warning. Arucuied :o |
|
UltraProtect 1.x -> RISCO Software Inc.: running into trouble unpacking it, please advise!
The problem of ACProtect-packed programs not running across system platforms after unpacking should be due to the nested packer (a "shell within a shell") |
|
How do you unpack a malicious virus?
Go find CoDe_Inject |
|
Unpacking ASProtect 1.23 RC4 with the packer itself ("using a shell to unpack a shell"): I can't get it to work, and whatever I do manage to unpack never runs!
Originally posted by hmimys: tell us which aspects this modified version improves |
|
OllyDbg plugin release - Ultra String Reference
Small suggestions: 1. Could a search function be added? 2. For sorting, could sort modes such as Text String be added? BTW: when selecting Copy to clipboard -> Whole table, OllyDbg dies a glorious death |
|
Here's an example packed with FSG 2.0 for everyone to play with.
Unpacking FSG under Win98 shouldn't be difficult either |
|
How to unpack pklite for DOS?
Is the packed program a DOS program? |
|
ASProtect v.2.0 packed example: unpacking tutorial!
Originally posted by 鸡蛋壳: judging by its content, with the new ASPR versions it is rarely possible to fix the import table directly with ImpREC |
|
ASProtect v.2.0 packed example: unpacking tutorial!
Russian translated to English: Ivan [NUKE]
Tools: OLLYDBG v 110, Imprec16f, LordPE by yoda
Unpacking: We load the program in OLLYDBG.
00401000 >/$ 68 01504000 PUSH blaadmeA.00405001 <---- We are here
00401005 |. E8 01000000 CALL blaadmeA.0040100B
0040100A \. C3 RETN
0040100B $ C3 RETN
0040100C 70 DB 70 ; CHAR 'p'
0040100D 60 DB 60 ; CHAR '`'
0040100E 18 DB 18
0040100F 78 DB 78 ; CHAR 'x'
00401010 93 DB 93
00401011 BE DB BE
00401012 DC DB DC
00401013 12 DB 12
00401014 13 DB 13
00401015 BC DB BC
00401016 09 DB 09
00401017 4E DB 4E ; CHAR 'N'
00401018 6A DB 6A ; CHAR 'j'
00401019 28 DB 28 ; CHAR '('
0040101A 06 DB 06
0040101B 42 DB 42 ; CHAR 'B'
0040101C EE DB EE
0040101D B2 DB B2
0040101E E7 DB E7
0040101F 91 DB 91
00401020 59 DB 59 ; CHAR 'Y'
00401021 CB DB CB
We press F9. We press Shift+F9 2 times (if we press it 28 times, the program will neglect us; this is not necessary). And we find ourselves in this place:
008D6807 C700 7F0677B9 MOV DWORD PTR DS:[EAX],B977067F <---- We are here
008D680D FB STI
008D680E 2D F8868BEF SUB EAX,EF8B86F8
008D6813 B7 FA MOV BH,0FA
008D6815 EB 01 JMP SHORT 008D6818
008D6817 6967 64 8F060000 IMUL ESP,DWORD PTR DS:[EDI+64],68F
008D681E 83C4 04 ADD ESP,4
008D6821 1BC1 SBB EAX,ECX
008D6823 58 POP EAX
008D6824 A1 D8A68D00 MOV EAX,DWORD PTR DS:[8DA6D8]
008D6829 8B00 MOV EAX,DWORD PTR DS:[EAX]
008D682B 8B40 1C MOV EAX,DWORD PTR DS:[EAX+1C]
008D682E 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX
008D6831 A1 D8A68D00 MOV EAX,DWORD PTR DS:[8DA6D8]
008D6836 8B00 MOV EAX,DWORD PTR DS:[EAX]
008D6838 8B00 MOV EAX,DWORD PTR DS:[EAX]
008D683A 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX
008D683D A1 D8A68D00 MOV EAX,DWORD PTR DS:[8DA6D8]
008D6842 8B00 MOV EAX,DWORD PTR DS:[EAX]
008D6844 83C0 18 ADD EAX,18
008D6847 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
008D684A A1 64A68D00 MOV EAX,DWORD PTR DS:[8DA664]
008D684F 8858 08 MOV BYTE PTR DS:[EAX+8],BL
008D6852 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
008D6855 8338 00 CMP DWORD PTR DS:[EAX],0
008D6858 75 21 JNZ SHORT 008D687B
Further we go to line 008D6815 and press F2 in order to place a breakpoint. Then we press Shift+F9. Did it break??? We remove the breakpoint. Now we press Alt+M. The sense is this: it is necessary to place a breakpoint on the first section after the PE header (in this case 00401000). So we right-click the section 00401000 and select Set memory breakpoint on access. Did it get placed??? Now we press F9 and we break on the OEP:
00401000 >/$ 6A 00 PUSH 0
00401002 |. E8 AD020000 CALL blaadmeA.004012B4
00401007 |. A3 6C354000 MOV DWORD PTR DS:[40356C],EAX
0040100C |. E8 9D020000 CALL blaadmeA.004012AE
00401011 |. 6A 0A PUSH 0A
00401013 |. FF35 70354000 PUSH DWORD PTR DS:[403570]
00401019 |. 6A 00 PUSH 0
0040101B |. FF35 6C354000 PUSH DWORD PTR DS:[40356C]
00401021 |. E8 06000000 CALL blaadmeA.0040102C
00401026 |. 50 PUSH EAX ; /ExitCode
00401027 \. E8 7C020000 CALL blaadmeA.004012A8 ; \ExitProcess
0040102C /$ 55 PUSH EBP
0040102D |. 8BEC MOV EBP,ESP
0040102F |. B8 4A104000 MOV EAX,blaadmeA.0040104A
00401034 |. 6A 00 PUSH 0 ; /lParam = NULL
00401036 |. 50 PUSH EAX ; |DlgProc => blaadmeA.0040104A
00401037 |. 6A 00 PUSH 0 ; |hOwner = NULL
00401039 |. 68 00304000 PUSH blaadmeA.00403000 ; |pTemplate = "MyDialog"
0040103E |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hInst
00401041 |. E8 2C020000 CALL blaadmeA.00401272 ; \DialogBoxParamA
00401046 |. C9 LEAVE
00401047 \. C2 1000 RETN 10
0040104A /. 55 PUSH EBP
0040104B |. 8BEC MOV EBP,ESP
0040104D |. 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C]
00401050 |. 3D 10010000 CMP EAX,110
Removal of the dump: Remember that we are now standing at address 00401000. We start LordPE by yoda, select our program in the process list, right-click it and select dump full, then save; the dump is ready. Now OLLYDBG can be closed.
Restoration of the import: We start Imprec16f and our packed program. In Imprec16f we select our program in the process list. We press the button IAT AutoSearch. Then we press the button Get Imports and we see that two functions were not determined. Now we press the button Show Invalid, right-click the chosen functions and select Plugin Tracers -> ASProtect1.22 and Trace level1. We then see that all functions are now restored (YES is written everywhere). Is it the same for you??? Now press Fix Dump and select the file you saved when we removed the dump (mine is dumped.exe). The whole unpacked program is now called dumped_.exe (yours can be something else). That is everything. :D |
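The memory-breakpoint step in the tutorial above depends on knowing where the first section after the PE header lies (00401000 in that example) and whether the entry point already sits inside it. As an added illustration that is not part of the original post or of the tools it names, the Python below parses a PE32 section table to compute that range and to report which section holds the entry point; the header-only images, the section names .text and .pack1, and all sizes are constructed here.

```python
import struct

# Constructed, headers-only PE32 images standing in for a packed sample; not the page's file.
def build_pe(entry_rva, image_base, sections):
    """Assemble a minimal PE32 header: DOS stub, PE signature, COFF, optional header, section table."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIIIIIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva,
                      0, 0, image_base, 0x1000, 0x200).ljust(224, b"\0")
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, 0, 0, 0, 0, 0, 0, fl)
                     for n, vs, va, fl in sections)
    return dos + b"PE\0\0" + coff + opt + table

SECTIONS = [(b".text", 0x2000, 0x1000, 0x60000020), (b".pack1", 0x3000, 0x3000, 0xC0000040)]
STUB_AT_OEP = build_pe(0x1000, 0x400000, SECTIONS)   # entry point inside the first section, as on the page
STUB_IN_LAST = build_pe(0x3000, 0x400000, SECTIONS)  # entry point inside the packer's own section

def parse_pe(data):
    """Return (entry VA, [(name, start VA, end VA, characteristics), ...]) from a PE32 header."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsect = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    base = struct.unpack_from("<I", data, opt + 28)[0]
    sections = []
    for i in range(nsect):
        hdr = opt + opt_size + 40 * i
        name, vsize, va = struct.unpack_from("<8sII", data, hdr)
        flags = struct.unpack_from("<I", data, hdr + 36)[0]
        sections.append((name.rstrip(b"\0").decode(), base + va, base + va + vsize, flags))
    return base + entry_rva, sections

def first_section_range(data):
    """Address range of the first section: what to watch with a memory-on-access breakpoint."""
    _, sections = parse_pe(data)
    return sections[0][1], sections[0][2]

def entry_section(data):
    """Name of the section containing the PE entry point, or None if it lies outside every section."""
    entry, sections = parse_pe(data)
    return next((n for n, lo, hi, _ in sections if lo <= entry < hi), None)

if __name__ == "__main__":
    for label, img in (("stub at OEP", STUB_AT_OEP), ("stub in last section", STUB_IN_LAST)):
        lo, hi = first_section_range(img)
        print(f"{label}: watch {lo:08X}-{hi:08X}, entry point is in {entry_section(img)}")
```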
|
fly, could you re-post "Finding the OEP of the 幻影 V2.33 packer in 1 minute"
Originally posted by 李美欣: heh, if it helps you make some progress, so much the better. You can read: 《幻影之旅》 (A journey into 幻影), 《幻影 V2.33 脱壳+修复――dbpe.exe主程序》 (幻影 V2.33 unpacking + repair: the dbpe.exe main program), 《用Ollydbg手脱 幻影 V2.33 加壳的DLL》 (Manually unpacking a 幻影 V2.33 packed DLL with OllyDbg) |
|
Here's an example packed with FSG 2.0 for everyone to play with.
It should be an import table problem |
|
ASProtect v.2.0 packed example: unpacking tutorial!
Ivan, if you have time, could you take a look and do a quick translation? |
|