[Help] Fixing ASPR 1.2X, IMRE stuck at 100%! Why? It has been hours!
Originally posted by kanxue
Many thanks, kanxue, for guiding me! I printed out what you wrote above and have been studying it over and over at home.
For the first step you suggested, taking a VB6 file and analysing its entry point, I have done exactly that.
//---------------------------------------
After loading it in OD, the entry point information is as follows:
0040132C <module entry point> $ 68 C0244000 PUSH GetProxy.004024C0 //entry point
00401331 . E8 EEFFFFFF CALL <JMP.&MSVBVM60.#100>
..............
//004024C0 viewed in hex:
004024C0 56 42 35 21 1C 23 76 62 36 63 68 73 2E 64 6C 6C VB5!#vb6chs.dll
//the above is the entry point of an unpacked vb6 program
Just as you said, the entry point of a VB6 program is:
PUSH GetProxy.004024C0 //entry point
CALL <JMP.&MSVBVM60.#100>
and the hex value at 004024C0 is
56 42 35 21 1C 23 76 62 36 63 68 73 2E 64 6C 6C VB5!#vb6chs.dll
That is the entry point information of a normal, unpacked vb6 program.
//---------------------------------------
Then I ran the packed program in OD. After reaching the OEP, CTRL+A displayed a large pile of msvbvm60 functions. After these PUTMEM/GETMEM functions there is a JMP to ThunRTMain. This does not match the entry of a normal VB6 program! A normal VB6 program should have a PUSH instruction as its entry point, and this one does not have that entry point, so we should put it back, right?
So I searched for VB5 as you said but could not find it; searching for vb6chs.dll did find it, at 00404E38 as you said.... That should be the content of the PUSH instruction at the entry of a normal VB6 program, right? Then at the address after 00403570, that is 00403576, I wrote the instruction push 00404E38; and at 0040357B: Call 00403570. That completes our manual construction of the entry point, right? Then I used OLLYDBG's DUMP function to dump the data out of memory... right?
At this point, is the OEP 00403570, or the new OEP, that is, the PUSH we constructed at 00403576 as the entry?? When we dump, what do we fill in as the OEP?
I found that after dumping, when using Import REC, both of the above addresses used as the OEP can find the IAT... Then when using Trace Level1, it displays: Congratulations! There is no more invalid pointer, now the question is: Will it work? :-) How should this sentence be understood? It seems every fix shows this sentence, saying the program won't work....
After fixing the dump, I ran it again and it errored, as you said; but the error message was: the instruction at 0x7344df18 referenced memory at 0x0000003c, which could not be read... Why didn't I see the line you mentioned: 00415DF5 E8 06A2D600 Call 01180000?
I sincerely ask the experts to guide me!
==========================================================
I will definitely grow up!
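An added example (not the poster's code, and not part of OllyDbg or ImportREC) that turns the entry-point check described in this post into a script: it parses a PE32 image, reads the bytes at AddressOfEntryPoint, and reports whether they have the VB6 shape PUSH <header>; CALL <ThunRTMain thunk> and whether the pushed address lands on a 'VB5!' header. The PE that build_sample_pe() produces is constructed for the example (one .text section, image base 0x400000, entry RVA 0x132C, header at RVA 0x24C0); only the entry bytes and the 16 header bytes are taken from the post. The check looks at the opcode shape only and does not verify that the CALL really targets ThunRTMain; a dump whose entry is the bare JMP from this thread fails the first check, which is exactly the situation the poster describes.

```python
"""Check whether a PE32 file's entry point has the VB6 'PUSH vb_header; CALL ThunRTMain'
shape and whether the pushed address points at a 'VB5!' header.

Added example for the thread above; not code from the poster, OllyDbg or ImportREC.
build_sample_pe() constructs a minimal PE in memory; it is not the poster's binary.
"""
import struct

VB_HEADER_SIGNATURE = b"VB5!"   # first bytes of the VB5/VB6 runtime header
OP_PUSH_IMM32 = 0x68
OP_CALL_REL32 = 0xE8


def parse_headers(pe: bytes):
    """Return (image_base, entry_rva, sections) for a PE32 image in file layout.
    sections: list of (virtual_address, virtual_size, raw_pointer, raw_size)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    # NumberOfSections, skip 12 bytes (timestamp, symtab ptr, symcount), SizeOfOptionalHeader
    num_sections, size_opt = struct.unpack_from("<H12xH", pe, coff + 2)
    opt = coff + 20
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 images are handled here")
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]
    image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    sections = []
    for i in range(num_sections):
        hdr = opt + size_opt + 40 * i
        _name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, hdr)
        sections.append((va, vsize, raw_ptr, raw_size))
    return image_base, entry_rva, sections


def rva_to_offset(rva: int, sections) -> int:
    """Map an RVA to a file offset through the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return raw_ptr + (rva - va)
    raise ValueError(f"RVA {rva:#x} is not inside any section")


def check_vb6_entry(pe: bytes) -> dict:
    """A normal VB6 image starts with PUSH <vb_header>; CALL <ThunRTMain thunk>, and
    <vb_header> begins with 'VB5!'.  A dump whose entry is a bare JMP fails the first check."""
    image_base, entry_rva, sections = parse_headers(pe)
    off = rva_to_offset(entry_rva, sections)
    result = {"entry_va": image_base + entry_rva, "push_call_shape": False,
              "header_va": None, "vb5_signature": False}
    if pe[off] == OP_PUSH_IMM32 and pe[off + 5] == OP_CALL_REL32:
        result["push_call_shape"] = True
        header_va = struct.unpack_from("<I", pe, off + 1)[0]
        result["header_va"] = header_va
        try:
            hoff = rva_to_offset(header_va - image_base, sections)
            result["vb5_signature"] = pe[hoff:hoff + 4] == VB_HEADER_SIGNATURE
        except ValueError:
            pass  # pushed address is outside the image: not a VB header
    return result


def build_sample_pe(entry_code: bytes) -> bytes:
    """Constructed PE32: one .text section (RVA 0x1000, raw 0x400, size 0x2000),
    entry point at RVA 0x132C, VB header at RVA 0x24C0, image base 0x400000."""
    img = bytearray(0x2400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                 # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    # COFF: i386, 1 section, SizeOfOptionalHeader 0xE0, characteristics
    struct.pack_into("<HHIIIHH", img, 0x84, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = 0x98
    struct.pack_into("<H", img, opt, 0x10B)                 # PE32 magic
    struct.pack_into("<I", img, opt + 16, 0x132C)           # AddressOfEntryPoint
    struct.pack_into("<I", img, opt + 28, 0x400000)         # ImageBase
    struct.pack_into("<8sIIII", img, opt + 0xE0, b".text", 0x2000, 0x1000, 0x2000, 0x400)
    text = 0x400
    img[text + 0x32C:text + 0x32C + len(entry_code)] = entry_code
    # the 16 header bytes the post shows at 004024C0: 'VB5!' + '#vb6chs.dll'
    img[text + 0x14C0:text + 0x14C0 + 16] = bytes.fromhex("564235211C237662366368732E646C6C")
    return bytes(img)


# Constructed entry bytes: the normal VB6 entry from the post's GetProxy example, and
# the bare 'JMP DWORD PTR [401268]' the poster found at 00403570.
VB6_ENTRY = bytes.fromhex("68C0244000E8EEFFFFFF")
BARE_JMP_ENTRY = bytes.fromhex("FF2568124000")

if __name__ == "__main__":
    for label, code in (("normal VB6", VB6_ENTRY), ("bare JMP", BARE_JMP_ENTRY)):
        print(label, check_vb6_entry(build_sample_pe(code)))
```

On a real dump the same function runs over the file bytes; if push_call_shape is False the entry still needs to be reconstructed before the PE can be expected to start through ThunRTMain.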
[Help] Fixing ASPR 1.2X, IMRE stuck at 100%! Why? It has been hours!
The following is the IAT that I found with Import REC. The result is that there is only one DLL, msvbvm60.dll. In it only one entry was not recognised, and that can be fixed with Trace Level1 (Disasm).. But running still errors.... Please give some guidance: do I need to trace the still-packed software again, against the error address in the software that has already been FIXed, and repair it? If so, how?
My whole process is like this; if there is a mistake somewhere, please point it out, many thanks!
Below is the IAT that I found:
; Syntax for each function in a thunk (the separator is a TAB)
; ------------------------------------------------------------
; Flag RVA ModuleName Ordinal Name
;
; Details for <Valid> parameter:
; ------------------------------
; Flag: 0 = valid: no -> - Name contains the address of the redirected API (you can set
; it to zero if you edit it).
; - Ordinal is not considered but you should let '0000' as value.
; - ModuleName is not considered but you should let '?' as value.
;
; 1 = valid: yes -> All next parameters on the line will be considered.
; Function imported by ordinal must have no name (the 4th TAB must
; be there though).
;
; 2 = Equivalent to 0 but it is for the loader.
;
; 3 = Equivalent to 1 but it is for the loader.
;
; 4 = Equivalent to 0 with (R) tag.
;
; 5 = Equivalent to 1 with (R) tag.
;
; And finally, edit this file as your own risk!
:-) Target: F:\TempU\esoft_0.exe OEP: 00003570 IATRVA: 00001000 IATSize: 00000308 FThunk: 00001000 NbFunc: 000000C1 1 00001000 msvbvm60.dll 01E8 __vbaVarSub 1 00001004 msvbvm60.dll 01F9 __vbaVarTstGt 1 00001008 msvbvm60.dll 009D _CIcos 1 0000100C msvbvm60.dll 02D7 _adj_fptan 1 00001010 msvbvm60.dll 0091 __vbaVarMove 1 00001014 msvbvm60.dll 01A2 __vbaStrI4 1 00001018 msvbvm60.dll 0092 __vbaVarVargNofree 1 0000101C msvbvm60.dll 00A8 __vbaAryMove 1 00001020 msvbvm60.dll 0083 __vbaFreeVar 1 00001024 msvbvm60.dll 01B5 __vbaStrVarMove 1 00001028 msvbvm60.dll 011A __vbaLateIdCall 1 0000102C msvbvm60.dll 0147 __vbaLenBstr 1 00001030 msvbvm60.dll 00F5 __vbaFreeVarList 1 00001034 msvbvm60.dll 01D2 __vbaVarIdiv 1 00001038 msvbvm60.dll 00D4 __vbaEnd 1 0000103C msvbvm60.dll 02CE _adj_fdiv_m64 1 00001040 msvbvm60.dll 017B __vbaRaiseEvent 1 00001044 msvbvm60.dll 026D rtcInputCharCountVar 1 00001048 msvbvm60.dll 015A __vbaNextEachVar 1 0000104C msvbvm60.dll 00F3 __vbaFreeObjList 1 00001050 msvbvm60.dll 0204 rtcAnsiValueBstr 1 00001054 msvbvm60.dll 006F __vbaStrErrVarCopy 1 00001058 msvbvm60.dll 02D6 _adj_fprem1 1 0000105C msvbvm60.dll 0206 rtcLowerCaseVar 1 00001060 msvbvm60.dll 0085 __vbaI2Abs 1 00001064 msvbvm60.dll 0187 __vbaResume 1 00001068 msvbvm60.dll 0195 __vbaStrCat 1 0000106C msvbvm60.dll 01CA __vbaVarCmpNe 1 00001070 msvbvm60.dll 00D8 __vbaError 1 00001074 msvbvm60.dll 014D __vbaLsetFixstr 1 00001078 msvbvm60.dll 0229 rtcGetYear 1 0000107C msvbvm60.dll 018A __vbaSetSystemError 1 00001080 msvbvm60.dll 0148 __vbaLenBstrB 1 00001084 msvbvm60.dll 0102 __vbaHresultCheckObj 1 00001088 msvbvm60.dll 0296 rtcDateDiff 1 0000108C msvbvm60.dll 022C rtcIsArray 1 00001090 msvbvm60.dll 022D rtcIsDate 1 00001094 msvbvm60.dll 0149 __vbaLenVar 1 00001098 msvbvm60.dll 02B0 _adj_fdiv_m32 1 0000109C msvbvm60.dll 00AD __vbaAryVar 1 000010A0 msvbvm60.dll 01FA __vbaVarTstLe 1 000010A4 msvbvm60.dll 00A7 __vbaAryDestruct 1 000010A8 msvbvm60.dll 01C6 __vbaVarCmpGe 1 000010AC msvbvm60.dll 01D6 
__vbaVarIndexLoadRefLock 1 000010B0 msvbvm60.dll 00DF __vbaExitProc 1 000010B4 msvbvm60.dll 01D0 __vbaVarForInit 1 000010B8 msvbvm60.dll 012C GetMem2 1 000010BC msvbvm60.dll 012D GetMem4 1 000010C0 msvbvm60.dll 015D __vbaObjSet 1 000010C4 msvbvm60.dll 0253 rtcMsgBox 1 000010C8 msvbvm60.dll 0160 __vbaOnError 1 000010CC msvbvm60.dll 0293 _adj_fdiv_m16i 1 000010D0 msvbvm60.dll 012F GetMemStr 1 000010D4 msvbvm60.dll 015E __vbaObjSetAddref 1 000010D8 msvbvm60.dll 02D0 _adj_fdivr_m16i 1 000010DC msvbvm60.dll 0130 GetMemVar 1 000010E0 msvbvm60.dll 01D4 __vbaVarIndexLoad 1 000010E4 msvbvm60.dll 0256 rtcDoEvents 1 000010E8 msvbvm60.dll 0132 PutMem2 1 000010EC msvbvm60.dll 0208 rtcTrimVar 1 000010F0 msvbvm60.dll 0133 PutMem4 1 000010F4 msvbvm60.dll 0135 PutMemStr 1 000010F8 msvbvm60.dll 007F __vbaFpR8 1 000010FC msvbvm60.dll 00B0 __vbaBoolVarNull 1 00001100 msvbvm60.dll 01FB __vbaVarTstLt 1 00001104 msvbvm60.dll 0095 __vbaVargVar 1 00001108 msvbvm60.dll 0186 __vbaRefVarAry 1 0000110C msvbvm60.dll 00A0 _CIsin 1 00001110 msvbvm60.dll 02C5 rtcInStrRev 1 00001114 msvbvm60.dll 00D5 __vbaErase 1 00001118 msvbvm60.dll 0278 rtcMidCharVar 1 0000111C msvbvm60.dll 01C7 __vbaVarCmpGt 1 00001120 msvbvm60.dll 0097 __vbaVargVarMove 1 00001124 msvbvm60.dll 00B6 __vbaChkstk 1 00001128 msvbvm60.dll 00E5 __vbaFileClose 1 0000112C msvbvm60.dll 0191 EVENT_SINK_AddRef 1 00001130 msvbvm60.dll 0210 rtcUpperCaseVar 1 00001134 msvbvm60.dll 00F6 __vbaGenerateBoundsError 1 00001138 msvbvm60.dll 0196 __vbaStrCmp 1 0000113C msvbvm60.dll 0211 rtcKillFiles 1 00001140 msvbvm60.dll 00A4 __vbaAryConstruct2 1 00001144 msvbvm60.dll 01F7 __vbaVarTstEq 1 00001148 msvbvm60.dll 016A __vbaPutOwner4 1 0000114C msvbvm60.dll 0086 __vbaI2I4 1 00001150 msvbvm60.dll 015F __vbaObjVar 1 00001154 msvbvm60.dll 0231 rtcIsNumeric 0 00001158 ? 
0000 011F64DC //only this one is wrong 1 0000115C msvbvm60.dll 01E0 __vbaVarOr 1 00001160 msvbvm60.dll 0073 __vbaVarLateMemSt 1 00001164 msvbvm60.dll 0182 __vbaRedimPreserve 1 00001168 msvbvm60.dll 0145 __vbaLbound 1 0000116C msvbvm60.dll 01A6 __vbaStrR4 1 00001170 msvbvm60.dll 02D4 _adj_fpatan 1 00001174 msvbvm60.dll 0170 __vbaR4Var 1 00001178 msvbvm60.dll 0239 rtcFileLocation 1 0000117C msvbvm60.dll 011B __vbaLateIdCallLd 1 00001180 msvbvm60.dll 0181 __vbaRedim 1 00001184 msvbvm60.dll 01A7 __vbaStrR8 1 00001188 msvbvm60.dll 0192 EVENT_SINK_Release 1 0000118C msvbvm60.dll 0155 __vbaNew 1 00001190 msvbvm60.dll 0258 rtcShell 1 00001194 msvbvm60.dll 008C __vbaUI1I2 1 00001198 msvbvm60.dll 00A1 _CIsqrt 1 0000119C msvbvm60.dll 0136 PutMemVar 1 000011A0 msvbvm60.dll 015C __vbaObjIs 1 000011A4 msvbvm60.dll 01C3 __vbaVarAnd 1 000011A8 msvbvm60.dll 0190 EVENT_SINK_QueryInterface 1 000011AC msvbvm60.dll 008D __vbaUI1I4 1 000011B0 msvbvm60.dll 00DA __vbaExceptHandler 1 000011B4 msvbvm60.dll 0138 SetMemVar 1 000011B8 msvbvm60.dll 02C7 rtcSplit 1 000011BC msvbvm60.dll 01AB __vbaStrToUnicode 1 000011C0 msvbvm60.dll 02C8 rtcReplace 1 000011C4 msvbvm60.dll 0163 __vbaPrintFile 1 000011C8 msvbvm60.dll 025E rtcStringBstr 1 000011CC msvbvm60.dll 00D0 __vbaDateStr 1 000011D0 msvbvm60.dll 02D5 _adj_fprem 1 000011D4 msvbvm60.dll 02D3 _adj_fdivr_m64 1 000011D8 msvbvm60.dll 02CA rtcRound 1 000011DC msvbvm60.dll 0260 rtcVarBstrFromAnsi 1 000011E0 msvbvm60.dll 02CC rtcCreateObject2 1 000011E4 msvbvm60.dll 0213 rtcMakeDir 1 000011E8 msvbvm60.dll 01C8 __vbaVarCmpLe 1 000011EC msvbvm60.dll 00E0 __vbaFPException 1 000011F0 msvbvm60.dll 02CD rtcStrConvVar2 1 000011F4 msvbvm60.dll 0117 __vbaInStrVar 1 000011F8 msvbvm60.dll 00FB __vbaGetOwner3 1 000011FC msvbvm60.dll 01B6 __vbaStrVarVal 1 00001200 msvbvm60.dll 01BD __vbaUbound 1 00001204 msvbvm60.dll 01C4 __vbaVarCat 1 00001208 msvbvm60.dll 0217 rtcGetTimer 1 0000120C msvbvm60.dll 0107 __vbaI2Var 1 00001210 msvbvm60.dll 0285 rtcDir 1 00001214 msvbvm60.dll 009F 
_CIlog 1 00001218 msvbvm60.dll 00D9 __vbaErrorOverflow 1 0000121C msvbvm60.dll 00EB __vbaFileOpen 1 00001220 msvbvm60.dll 0288 rtcFreeFile 1 00001224 msvbvm60.dll 0115 __vbaInStr 1 00001228 msvbvm60.dll 0154 __vbaNew2 1 0000122C msvbvm60.dll 023A rtcFileLength 1 00001230 msvbvm60.dll 0071 __vbaVarLateMemCallLdRf 1 00001234 msvbvm60.dll 023B rtcEndOfFile 1 00001238 msvbvm60.dll 02BD _adj_fdiv_m32i 1 0000123C msvbvm60.dll 02D2 _adj_fdivr_m32i 1 00001240 msvbvm60.dll 008A __vbaStrCopy 1 00001244 msvbvm60.dll 01E2 __vbaVarSetObj 1 00001248 msvbvm60.dll 023D rtcHexVarFromVar 1 0000124C msvbvm60.dll 0110 __vbaI4Str 1 00001250 msvbvm60.dll 00F4 __vbaFreeStrList 1 00001254 msvbvm60.dll 01C9 __vbaVarCmpLt 1 00001258 msvbvm60.dll 01DF __vbaVarNot 1 0000125C msvbvm60.dll 02D1 _adj_fdivr_m32 1 00001260 msvbvm60.dll 02CF _adj_fdiv_r 1 00001264 msvbvm60.dll 02AD rtcErrObj 1 00001268 msvbvm60.dll 0064 ThunRTMain 1 0000126C msvbvm60.dll 01FC __vbaVarTstNe 1 00001270 msvbvm60.dll 01E6 __vbaVarSetVar 1 00001274 msvbvm60.dll 0111 __vbaI4Var 1 00001278 msvbvm60.dll 01C5 __vbaVarCmpEq 1 0000127C msvbvm60.dll 0262 rtcGetDateVar 1 00001280 msvbvm60.dll 01C2 __vbaVarAdd 1 00001284 msvbvm60.dll 0124 __vbaLateMemCall 1 00001288 msvbvm60.dll 006C __vbaAryLock 1 0000128C msvbvm60.dll 01AA __vbaStrToAnsi 1 00001290 msvbvm60.dll 0090 __vbaVarDup 1 00001294 msvbvm60.dll 0264 rtcGetTimeVar 1 00001298 msvbvm60.dll 01DC __vbaVarMod 1 0000129C msvbvm60.dll 01BF __vbaUnkVar 1 000012A0 msvbvm60.dll 007D __vbaFpI4 1 000012A4 msvbvm60.dll 0268 rtcLeftCharBstr 1 000012A8 msvbvm60.dll 008F __vbaVarCopy 1 000012AC msvbvm60.dll 0070 __vbaVarLateMemCallLd 1 000012B0 msvbvm60.dll 01E3 __vbaVarSetObjAddref 1 000012B4 msvbvm60.dll 0269 rtcLeftCharVar 1 000012B8 msvbvm60.dll 009C _CIatan 1 000012BC msvbvm60.dll 00A6 __vbaAryCopy 1 000012C0 msvbvm60.dll 008B __vbaStrMove 1 000012C4 msvbvm60.dll 026B rtcRightCharVar 1 000012C8 msvbvm60.dll 00F2 __vbaForEachVar 1 000012CC msvbvm60.dll 01AD __vbaStrVarCopy 1 
000012D0 msvbvm60.dll 021E rtcGetDayOfMonth 1 000012D4 msvbvm60.dll 02D8 _allmul 1 000012D8 msvbvm60.dll 0122 __vbaLateIdSt 1 000012DC msvbvm60.dll 0221 rtcGetMonthOfYear 1 000012E0 msvbvm60.dll 00A2 _CItan 1 000012E4 msvbvm60.dll 0222 rtcGetPresentDate 1 000012E8 msvbvm60.dll 00AC __vbaAryUnlock 1 000012EC msvbvm60.dll 00E2 __vbaFPInt 1 000012F0 msvbvm60.dll 01D1 __vbaVarForNext 1 000012F4 msvbvm60.dll 009E _CIexp 1 000012F8 msvbvm60.dll 0081 __vbaFreeObj 1 000012FC msvbvm60.dll 0082 __vbaFreeStr 1 00001300 msvbvm60.dll 0245 rtcR8ValFromBstr
============================================
I will definitely grow up!
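An added example (not ImportREC's code, and not the poster's) that parses the tab-separated tree ImportREC writes, following the syntax block quoted at the top of this post, and reports the entries whose Flag is 0, 2 or 4 (unresolved; the Name column then holds the redirected address, as with 011F64DC above). It also applies one sanity check on the Size question raised in this thread: a single thunk table of NbFunc pointers plus its terminating null DWORD occupies (NbFunc + 1) * 4 bytes, and 0xC1 functions give exactly 00000308, while 00052000 is the size of the whole section, not of the IAT. The header-line layout in SAMPLE_TREE (Target/OEP/IATRVA/IATSize/FThunk/NbFunc) is an assumption modelled on the post, and the sample entries are a constructed subset of the listing.

```python
"""Parse an ImportREC-style import tree (tab-separated 'Flag RVA ModuleName Ordinal Name'
lines) and report what still needs fixing.

Added example for the post above; not code from ImportREC or from the poster.  The header
layout in SAMPLE_TREE is an assumption modelled on the post; the entry field semantics
follow the syntax block the post quotes.
"""
import re
from dataclasses import dataclass

HEADER_RE = re.compile(r"(Target|OEP|IATRVA|IATSize|FThunk|NbFunc):\s*(\S+)")


@dataclass
class Entry:
    flag: int
    rva: int
    module: str
    ordinal: int
    name: str

    @property
    def valid(self) -> bool:
        # Flags 1, 3, 5 mean 'valid: yes'; 0, 2, 4 mean 'valid: no' (see the syntax block).
        return self.flag in (1, 3, 5)

    @property
    def by_ordinal(self) -> bool:
        # A valid entry with an empty name is imported by ordinal.
        return self.valid and self.name == ""


def parse_tree(text: str):
    """Return (header, entries); header maps keyword fields to ints, Target stays a string."""
    header, entries = {}, []
    for raw in text.splitlines():
        line = raw.rstrip("\r\n")
        if not line.strip() or line.lstrip().startswith(";"):
            continue  # blank line or comment
        if line[0].isdigit() and "\t" in line:
            fields = line.split("\t")
            if len(fields) < 5:
                raise ValueError(f"malformed entry line: {line!r}")
            flag, rva, module, ordinal, name = fields[:5]
            entries.append(Entry(int(flag), int(rva, 16), module, int(ordinal, 16), name))
            continue
        for key, value in HEADER_RE.findall(line):
            header[key] = value if key == "Target" else int(value, 16)
    return header, entries


def invalid_entries(entries):
    """Entries ImportREC could not resolve; their 'name' holds the redirected API address."""
    return [e for e in entries if not e.valid]


def iat_size_consistent(header) -> bool:
    """Heuristic (assumes one FThunk table): NbFunc pointers plus one terminating null DWORD
    occupy (NbFunc + 1) * 4 bytes, which is what IATSize should be."""
    return header["IATSize"] == (header["NbFunc"] + 1) * 4


# Constructed sample, modelled on the post's listing (tab-separated as ImportREC writes it).
SAMPLE_TREE = "\n".join([
    "; Flag\tRVA\tModuleName\tOrdinal\tName",
    "Target: F:\\TempU\\esoft_0.exe",
    "OEP: 00003570\tIATRVA: 00001000\tIATSize: 00000308",
    "",
    "FThunk: 00001000\tNbFunc: 000000C1",
    "1\t00001000\tmsvbvm60.dll\t01E8\t__vbaVarSub",
    "1\t00001154\tmsvbvm60.dll\t0231\trtcIsNumeric",
    "0\t00001158\t?\t0000\t011F64DC",
    "1\t00001268\tmsvbvm60.dll\t0064\tThunRTMain",
    "1\t00001300\tmsvbvm60.dll\t0245\trtcR8ValFromBstr",
])


def report(text: str) -> dict:
    """Summarise a tree: OEP, entry count, unresolved RVAs and their redirect targets,
    and whether IATSize agrees with NbFunc."""
    header, entries = parse_tree(text)
    bad = invalid_entries(entries)
    return {
        "oep": header.get("OEP"),
        "entries": len(entries),
        "invalid_rvas": [e.rva for e in bad],
        "redirected_to": [e.name for e in bad],
        "size_consistent": iat_size_consistent(header),
    }


if __name__ == "__main__":
    print(report(SAMPLE_TREE))
```

Run against a saved tree, the invalid_rvas list is the set of thunks still to resolve by hand; size_consistent being False with a value like 00052000 says the section size was typed into the IAT Size field.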
[Help] Fixing ASPR 1.2X, IMRE stuck at 100%! Why? It has been hours!
So moved! Finally someone replied!!!!
My method for finding the OEP follows the methods of the experts...
First OD, HIDDEN, ignore all exceptions except memory exceptions. SHIFT+F9 single-step.... a total of N (34) times... an obvious exception appears, the program starts loading DLL files... and then exits...
Start over; at the (N-1)th (33rd) time, click (M) and set a breakpoint with F2 on the code section of the loaded program. Breakpoint set at the following address in memory:
Address=00401000 Size=00052000 (335872.) esoft_0 00400000 Code //set breakpoint with F2
Then in the CPU window press Shift+F9 once, and a completely different world appears! The code is as follows:
00403569 00 DB 00
0040356A FF DB FF
0040356B 25 DB 25 ; CHAR '%'
0040356C E8 DB E8
0040356D . 1040 00 ADC BYTE PTR DS:[EAX],AL
00403570 .- FF25 68124000 JMP DWORD PTR DS:[401268] ; msvbvm60.ThunRTMain //OEP??? breaks here
//Is this the legendary OEP???? (it broke at this JMP instruction). So from here I right-clicked and chose ollydbg's dump debugged process (about 600K, 200-odd K larger than the original). What was dumped is exactly the content I want; it only errors when run. The value in EIP is 00403570 (that should be the OEP, I suppose)
00403576 00 DB 00
00403577 00 DB 00
00403578 E9 DB E9
00403579 24 DB 24 ; CHAR '$'
0040357A CD DB CD
0040357B 03 DB 03
0040357C 01 DB 01
0040357D 12 DB 12
0040357E 6D DB 6D ; CHAR 'm'
0040357F DF DB DF
00403580 29 DB 29 ; CHAR ')'
00403581 CA DB CA
00403582 06 DB 06
00403583 00 DB 00
00403584 40 DB 40 ; CHAR '@'
00403585 00 DB 00
00403586 00 DB 00
00403587 00 DB 00
00403588 30 DB 30 ; CHAR '0'
00403589 00 DB 00
0040358A 00 DB 00
0040358B 00 DB 00
0040358C 38 DB 38 ; CHAR '8'
0040358D 00 DB 00
......
Please give me some guidance, experts.....
I feel this OEP should be fine..
The program dumped this way shows its icon.
Then with this OEP, IMRE also reports that it found the IAT...
After fixing, it is 4K larger and errors when run...
Please advise..................................
Software location: http://www.cnxfms.cn/Download/aaa.rar
I hope you can point out where my problem lies.....many thanks!!!!
========================================================
I will definitely grow up!
[Help] Fixing ASPR 1.2X, IMRE stuck at 100%! Why? It has been hours!
msvbvm60 module:
6A28DEDB E8 F2DA0000 CALL msvbvm60.6A29B9D2
6A28DEE0 834D FC FF OR DWORD PTR SS:[EBP-4],FFFFFFFF
6A28DEE4 6A 00 PUSH 0
6A28DEE6 FF15 2011286A CALL DWORD PTR DS:[<&KERNEL32.ExitProcess>] ; KERNEL32.ExitProcess
6A28DEEC E9 01340300 JMP msvbvm60.6A2C12F2
6A28DEF1 50 PUSH EAX
6A28DEF2 E8 3E110200 CALL msvbvm60.6A2AF035
6A28DEF7 ^ EB E7 JMP SHORT msvbvm60.6A28DEE0
6A28DEF9 55 PUSH EBP
6A28DEFA 8BEC MOV EBP,ESP
6A28DEFC 51 PUSH ECX
6A28DEFD 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C]
6A28DF00 53 PUSH EBX
6A28DF01 56 PUSH ESI
6A28DF02 57 PUSH EDI
6A28DF03 8B7D 08 MOV EDI,DWORD PTR SS:[EBP+8]
6A28DF06 8BF1 MOV ESI,ECX
6A28DF08 8B1D C806396A MOV EBX,DWORD PTR DS:[6A3906C8]
6A28DF0E 8065 FF 00 AND BYTE PTR SS:[EBP-1],0
6A28DF12 8986 1C010000 MOV DWORD PTR DS:[ESI+11C],EAX ; Esoft_Du.00400000
6A28DF18 8B47 3C MOV EAX,DWORD PTR DS:[EDI+3C] //the error is here!
How should I handle this?
ASProtect 1.2x [New Strain]
Originally posted by ikki
I'm not like you.. These past few days I have been reading ASPR tutorials every day, until I'm nearly dizzy..HOHO.... NND, it's really hard to get done... I have a piece of software packed with ASP1.2X....
[Help] Fixing ASPR 1.2X, IMRE stuck at 100%! Why? It has been hours!
After I dumped this thing with OD, it already showed its icon. Does that mean the PE header is fine?
Running it gives an error: the instruction at "0x0009598d" referenced memory at "0x0009598d". The memory could not be "read".
After fixing the IAT with IMRE and running again: the instruction at "0x6a28df18" referenced memory at "0x0000003c". The memory could not be "read".
Do I need to keep tracing the still-packed file and the already-unpacked file to find where the error at the relevant address comes from? But how is this step done???
I need guidance!!!!!
I will conquer her! ASProtect!
ASProtect 1.2x [New Strain]
Originally posted by kanxue
Apart from telling people to use Stripper, can't you say something else? Boss... help us beginners get started...
What software unpacks a file packed with ASProtect v1.23 RC1?
Originally posted by cyto
I have already reached the OEP, but ImportREC doesn't seem able to handle it... Could you take a look at my thread with "several hours" in the title, and how to solve it afterwards with IMR? Searching with IAT AutoSearch reports that the Size does not match! With the default size found by the search there is only one msvbvm60.dll. Changing the size to 00052000 finds lots... but then Trace level1 (disasm) has problems.... the CPU never comes down.... What is going on?
[Help] Fixing ASPR 1.2X, IMRE stuck at 100%! Why? It has been hours!
This is what I got after entering the OEP in IMPR and analysing:
Analysing process...
Module loaded: f:\winnt\system32\ntdll.dll
Module loaded: f:\winnt\system32\kernel32.dll
Module loaded: f:\winnt\system32\msvbvm60.dll
Module loaded: f:\winnt\system32\user32.dll
Module loaded: f:\winnt\system32\gdi32.dll
Module loaded: f:\winnt\system32\advapi32.dll
Module loaded: f:\winnt\system32\rpcrt4.dll
Module loaded: f:\winnt\system32\ole32.dll
Module loaded: f:\winnt\system32\oleaut32.dll
Module loaded: f:\winnt\system32\imm32.dll
Module loaded: f:\winnt\system32\lpk.dll
Module loaded: f:\winnt\system32\usp10.dll
Module loaded: f:\winnt\system32\version.dll
Module loaded: f:\winnt\system32\lz32.dll
Module loaded: f:\winnt\system32\wsock32.dll
Module loaded: f:\winnt\system32\ws2_32.dll
Module loaded: f:\winnt\system32\msvcrt.dll
Module loaded: f:\winnt\system32\ws2help.dll
Getting associated modules done.
Image Base:00400000 Size:00095000
Original IAT RVA found at: 00001268 in Section RVA: 00001000 Size:00052000
Here the Size value is inconsistent with the Size:00000308 in the program! When I use the default size that IAT AutoSearch finds in the program, there is only one DLL, msvbvm60.dll, and only one function is unrecognised. But when I change the Size to 00052000, many DLLs are found, and, at home, as soon as I right-click and choose trace level1 (disasm), CPU usage goes to 100% and stays there for many hours!
So which value should the SIZE be at this point? The automatically determined one, or the 00052000 the program reports?
If the former, it can be FIXed, but the unpacked software still errors when run, at some address... how do I analyse that?
[Help] Fixing ASPR 1.2X, IMRE stuck at 100%! Why? It has been hours!
Let me add: that packed program, once run, finds that the IP address is wrong and closes itself automatically.. I now suspend it right when it is about to close...
Asking for help: manually unpacking asprotect 1.2 under xp
For packers before aspr 1.3X, I finally understand.. found the OEP.. and with IMRE, using the OEP found with OD, the IAT was found. But when I follow what 《加密解密第二版》 (Encryption and Decryption, 2nd edition) says on page P381, right-click and choose "Trace level1(Disasm)", the CPU has been at 100% from 22:30 last night until now and it still hasn't finished... What is going on.... Note: the packed program has been suspended in OD the whole time! That is also one of IMRE's requirements. How long does IMRE need to finish...
I have now killed the original IMRE.. and am using the original IMRE again, right-click, "Trace level1(Disasm)"; now IMRE has the highest CPU usage, with the suspended packed program second. I worry that hours later the CPU will still look like 100%, ah...
Is this normal?
My system: 2003, cpu C2.9G, 512M
ASProtect 1.2x - 1.3x [Registered] -> Alexey Solodovnikov
Originally posted by kanxue
Yes... what we want is the fishing, not the fish! Besides, after unpacking we still don't know how to fix it... the IAT still has to be rebuilt... and the OEP still has to be found...
[Help] Who can help me find this software's OEP
The following code is something I stumbled upon while debugging an ASPR1.2X packed thing in OD. Is this the IAT?
Finding the OEP is so hard.... still haven't found it....
00E31070 - FF25 B0C1E600 JMP DWORD PTR DS:[E6C1B0] ; kernel32.GetFileType
00E31076 8BC0 MOV EAX,EAX
00E31078 - FF25 ACC1E600 JMP DWORD PTR DS:[E6C1AC] ; kernel32.GetSystemTime
00E3107E 8BC0 MOV EAX,EAX
00E31080 - FF25 A8C1E600 JMP DWORD PTR DS:[E6C1A8] ; kernel32.GetFileSize
00E31086 8BC0 MOV EAX,EAX
00E31088 - FF25 A4C1E600 JMP DWORD PTR DS:[E6C1A4] ; kernel32.GetStdHandle
00E3108E 8BC0 MOV EAX,EAX
00E31090 - FF25 A0C1E600 JMP DWORD PTR DS:[E6C1A0] ; kernel32.RaiseException
00E31096 8BC0 MOV EAX,EAX
00E31098 - FF25 9CC1E600 JMP DWORD PTR DS:[E6C19C] ; kernel32.ReadFile
00E3109E 8BC0 MOV EAX,EAX
00E310A0 - FF25 98C1E600 JMP DWORD PTR DS:[E6C198] ; ntdll.RtlUnwind
00E310A6 8BC0 MOV EAX,EAX
00E310A8 - FF25 94C1E600 JMP DWORD PTR DS:[E6C194] ; kernel32.SetEndOfFile
00E310AE 8BC0 MOV EAX,EAX
00E310B0 - FF25 90C1E600 JMP DWORD PTR DS:[E6C190] ; kernel32.SetFilePointer
00E310B6 8BC0 MOV EAX,EAX
00E310B8 - FF25 8CC1E600 JMP DWORD PTR DS:[E6C18C] ; kernel32.UnhandledExceptionFilter
00E310BE 8BC0 MOV EAX,EAX
00E310C0 - FF25 88C1E600 JMP DWORD PTR DS:[E6C188] ; kernel32.WriteFile
00E310C6 8BC0 MOV EAX,EAX
00E310C8 - FF25 CCC1E600 JMP DWORD PTR DS:[E6C1CC] ; USER32.CharNextA
00E310CE 8BC0 MOV EAX,EAX
00E310D0 - FF25 84C1E600 JMP DWORD PTR DS:[E6C184] ; kernel32.ExitProcess
00E310D6 8BC0 MOV EAX,EAX
00E310D8 - FF25 C8C1E600 JMP DWORD PTR DS:[E6C1C8] ; USER32.MessageBoxA
00E310DE 8BC0 MOV EAX,EAX
00E310E0 - FF25 80C1E600 JMP DWORD PTR DS:[E6C180] ; kernel32.FindClose
00E310E6 8BC0 MOV EAX,EAX
00E310E8 - FF25 7CC1E600 JMP DWORD PTR DS:[E6C17C] ; kernel32.FindFirstFileA
00E310EE 8BC0 MOV EAX,EAX
00E310F0 - FF25 78C1E600 JMP DWORD PTR DS:[E6C178] ; kernel32.FreeLibrary
00E310F6 8BC0 MOV EAX,EAX
00E310F8 - FF25 74C1E600 JMP DWORD PTR DS:[E6C174] ; kernel32.GetCommandLineA
00E310FE 8BC0 MOV EAX,EAX
00E31100 - FF25 70C1E600 JMP DWORD PTR DS:[E6C170] ; ntdll.RtlGetLastWin32Error
00E31106 8BC0 MOV EAX,EAX
00E31108 - FF25 6CC1E600 JMP DWORD PTR DS:[E6C16C] ; kernel32.GetLocaleInfoA
00E3110E 8BC0 MOV EAX,EAX
00E31110 - FF25 68C1E600 JMP DWORD PTR DS:[E6C168] ; kernel32.GetModuleFileNameA
00E31116 8BC0 MOV EAX,EAX
00E31118 - FF25 64C1E600 JMP DWORD PTR DS:[E6C164] ; kernel32.GetModuleHandleA
00E3111E 8BC0 MOV EAX,EAX
00E31120 - FF25 60C1E600 JMP DWORD PTR DS:[E6C160] ; kernel32.GetProcAddress
00E31126 8BC0 MOV EAX,EAX
00E31128 - FF25 5CC1E600 JMP DWORD PTR DS:[E6C15C] ; kernel32.GetStartupInfoA
00E3112E 8BC0 MOV EAX,EAX
00E31130 - FF25 58C1E600 JMP DWORD PTR DS:[E6C158] ; kernel32.GetThreadLocale
00E31136 8BC0 MOV EAX,EAX
00E31138 - FF25 54C1E600 JMP DWORD PTR DS:[E6C154] ; kernel32.LoadLibraryExA
00E3113E 8BC0 MOV EAX,EAX
00E31140 - FF25 C4C1E600 JMP DWORD PTR DS:[E6C1C4] ; USER32.LoadStringA
00E31146 8BC0 MOV EAX,EAX
00E31148 - FF25 50C1E600 JMP DWORD PTR DS:[E6C150] ; kernel32.lstrcpyA
00E3114E 8BC0 MOV EAX,EAX
00E31150 - FF25 4CC1E600 JMP DWORD PTR DS:[E6C14C] ; kernel32.lstrcpynA
00E31156 8BC0 MOV EAX,EAX
00E31158 - FF25 48C1E600 JMP DWORD PTR DS:[E6C148] ; kernel32.lstrlenA
00E3115E 8BC0 MOV EAX,EAX
00E31160 - FF25 44C1E600 JMP DWORD PTR DS:[E6C144] ; kernel32.MultiByteToWideChar
00E31166 8BC0 MOV EAX,EAX
00E31168 - FF25 DCC1E600 JMP DWORD PTR DS:[E6C1DC] ; ADVAPI32.RegCloseKey
00E3116E 8BC0 MOV EAX,EAX
00E31170 - FF25 D8C1E600 JMP DWORD PTR DS:[E6C1D8] ; ADVAPI32.RegOpenKeyExA
00E31176 8BC0 MOV EAX,EAX
00E31178 - FF25 D4C1E600 JMP DWORD PTR DS:[E6C1D4] ; ADVAPI32.RegQueryValueExA
00E3117E 8BC0 MOV EAX,EAX
00E31180 - FF25 40C1E600 JMP DWORD PTR DS:[E6C140] ; kernel32.WideCharToMultiByte
00E31186 8BC0 MOV EAX,EAX
00E31188 - FF25 3CC1E600 JMP DWORD PTR DS:[E6C13C] ; kernel32.VirtualQuery
00E3118E 8BC0 MOV EAX,EAX
00E31190 - FF25 FCC1E600 JMP DWORD PTR DS:[E6C1FC] ; OLEAUT32.SysAllocStringLen
00E31196 8BC0 MOV EAX,EAX
00E31198 - FF25 F8C1E600 JMP DWORD PTR DS:[E6C1F8] ; OLEAUT32.SysReAllocStringLen
00E3119E 8BC0 MOV EAX,EAX
00E311A0 - FF25 F4C1E600 JMP DWORD PTR DS:[E6C1F4] ; OLEAUT32.SysFreeString
00E311A6 8BC0 MOV EAX,EAX
00E311A8 - FF25 F0C1E600 JMP DWORD PTR DS:[E6C1F0] ; OLEAUT32.SysStringLen
00E311AE 8BC0 MOV EAX,EAX
00E311B0 - FF25 ECC1E600 JMP DWORD PTR DS:[E6C1EC] ; OLEAUT32.VariantClear
00E311B6 8BC0 MOV EAX,EAX
00E311B8 - FF25 E8C1E600 JMP DWORD PTR DS:[E6C1E8] ; OLEAUT32.VariantCopyInd
00E311BE 8BC0 MOV EAX,EAX
00E311C0 - FF25 E4C1E600 JMP DWORD PTR DS:[E6C1E4] ; OLEAUT32.VariantChangeTypeEx
00E311C6 8BC0 MOV EAX,EAX
00E311C8 53 PUSH EBX
00E311C9 83C4 BC ADD ESP,-44
00E311CC BB 0A000000 MOV EBX,0A
00E311D1 54 PUSH ESP
00E311D2 E8 51FFFFFF CALL 00E31128 ; JMP to kernel32.GetStartupInfoA
00E311D7 F64424 2C 01 TEST BYTE PTR SS:[ESP+2C],1
00E311DC 74 05 JE SHORT 00E311E3
00E311DE 0FB75C24 30 MOVZX EBX,WORD PTR SS:[ESP+30]
00E311E3 8BC3 MOV EAX,EBX
00E311E5 83C4 44 ADD ESP,44
00E311E8 5B POP EBX
00E311E9 C3 RETN
00E311EA 8BC0 MOV EAX,EAX
00E311EC - FF25 38C1E600 JMP DWORD PTR DS:[E6C138] ; kernel32.LocalAlloc
00E311F2 8BC0 MOV EAX,EAX
00E311F4 - FF25 34C1E600 JMP DWORD PTR DS:[E6C134] ; kernel32.LocalFree
00E311FA 8BC0 MOV EAX,EAX
00E311FC - FF25 30C1E600 JMP DWORD PTR DS:[E6C130] ; kernel32.VirtualAlloc
00E31202 8BC0 MOV EAX,EAX
00E31204 - FF25 2CC1E600 JMP DWORD PTR DS:[E6C12C] ; kernel32.VirtualFree
00E3120A 8BC0 MOV EAX,EAX
00E3120C - FF25 28C1E600 JMP DWORD PTR DS:[E6C128] ; kernel32.InitializeCriticalSection
00E31212 8BC0 MOV EAX,EAX
00E31214 - FF25 24C1E600 JMP DWORD PTR DS:[E6C124] ; ntdll.RtlEnterCriticalSection
00E3121A 8BC0 MOV EAX,EAX
00E3121C - FF25 20C1E600 JMP DWORD PTR DS:[E6C120] ; ntdll.RtlLeaveCriticalSection
00E31222 8BC0 MOV EAX,EAX
00E31224 - FF25 1CC1E600 JMP DWORD PTR DS:[E6C11C] ; ntdll.RtlDeleteCriticalSection
00E3122A 8BC0 MOV EAX,EAX
00E3122C 53 PUSH EBX
00E3122D 56 PUSH ESI
00E3122E BE 4C44E600 MOV ESI,0E6444C
00E31233 833E 00 CMP DWORD PTR DS:[ESI],0
00E31236 75 3A JNZ SHORT 00E31272
00E31238 68 44060000 PUSH 644
00E3123D 6A 00 PUSH 0
00E3123F E8 A8FFFFFF CALL 00E311EC ; JMP to kernel32.LocalAlloc
Asking for help: fixing files packed with ASProtect 1.22 - 1.23 Beta 21 -> Alexey Solodovnikov.
Yes.. I also unpacked it successfully with that.. but it still won't run.. it needs fixing... but fixing the IAT... never succeeds... what is going on...
[Original] Manually unpacking ASProtect, part 2 --- OEP extraction
Seeing how smoothly you all unpack, why can't I? I also have an asprotect 1.2x packed thing here, and unpacking it is killing me. I first tried dumping directly, which doesn't seem to work.. dizzy...