Adding ShellExecuteA at the program entry point gives an error [Solved]
You must not do a direct call 0040506C. It should be call dword ptr ds:[0040506C], machine code FF 15 xxxxxxxx. Alternatively, patch 0FF25h (the machine code for an indirect jmp) in at 0040506C so that it becomes 0040506C jmp dword ptr ds:[xxxxxxxx] (the address of ShellExecuteA, which the PE loader fills in).
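Added example, not code from the original reply: a small C encoder/decoder for the three x86-32 instruction forms the reply contrasts (E8 rel32 direct call, FF 15 disp32 call through a pointer, FF 25 disp32 jmp through a pointer), plus a simulation of where each form ends up at run time. The IAT slot 0040506C is the address from the thread; the call site 00401000 and the resolved address 7C9C0000 are assumed placeholders, not real values.

```c
/* Added example (not from the original post). Encodes and decodes the
 * call/jmp forms discussed above so the byte patterns can be compared.
 * 0x0040506C is the IAT slot from the thread; the call site 0x00401000
 * and the "loader-filled" value 0x7C9C0000 are assumed placeholders. */
#include <stdint.h>
#include <stddef.h>

static void put32(uint8_t *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff;
    p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}
static uint32_t get32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* E8 rel32: direct near call. rel32 is relative to the END of the 5-byte
 * instruction, so execution lands ON the slot's bytes instead of going
 * through the pointer stored there. */
size_t encode_call_rel32(uint32_t site, uint32_t target, uint8_t out[5]) {
    out[0] = 0xE8;
    put32(out + 1, target - (site + 5));
    return 5;
}

/* FF 15 disp32: call dword ptr ds:[disp32]. Loads the 4-byte pointer the
 * loader wrote into the IAT slot and calls whatever it points to. */
size_t encode_call_indirect(uint32_t iat_slot, uint8_t out[6]) {
    out[0] = 0xFF; out[1] = 0x15;
    put32(out + 2, iat_slot);
    return 6;
}

/* FF 25 disp32: jmp dword ptr ds:[disp32]. The thunk the reply suggests
 * writing at 0040506C so that a plain "call 0040506C" still works. */
size_t encode_jmp_indirect(uint32_t iat_slot, uint8_t out[6]) {
    out[0] = 0xFF; out[1] = 0x25;
    put32(out + 2, iat_slot);
    return 6;
}

enum form { FORM_UNKNOWN, FORM_CALL_DIRECT, FORM_CALL_INDIRECT, FORM_JMP_INDIRECT };

/* Decode one of the three forms at address 'site'; *where receives the
 * address the instruction refers to (a code address for E8, a pointer
 * slot for FF 15 / FF 25). */
enum form decode_branch(const uint8_t *code, size_t len, uint32_t site, uint32_t *where) {
    if (len >= 5 && code[0] == 0xE8) {
        *where = site + 5 + get32(code + 1);
        return FORM_CALL_DIRECT;
    }
    if (len >= 6 && code[0] == 0xFF && code[1] == 0x15) {
        *where = get32(code + 2);
        return FORM_CALL_INDIRECT;
    }
    if (len >= 6 && code[0] == 0xFF && code[1] == 0x25) {
        *where = get32(code + 2);
        return FORM_JMP_INDIRECT;
    }
    return FORM_UNKNOWN;
}

/* Simulate the transfer: slot_addr/slot_value model the IAT entry and the
 * address the PE loader stores in it. A direct call "reaches" the slot
 * itself (it would execute the pointer bytes as code); the indirect forms
 * reach the function the slot points to. */
uint32_t resolve(enum form f, uint32_t where, uint32_t slot_addr, uint32_t slot_value) {
    switch (f) {
    case FORM_CALL_DIRECT:   return where;
    case FORM_CALL_INDIRECT:
    case FORM_JMP_INDIRECT:  return where == slot_addr ? slot_value : 0;
    default:                 return 0;
    }
}
```

The decoder is handy when checking a patched entry point in a hex editor: if the bytes at the call site start with E8 and the computed target is an IAT slot, the patch is wrong for the reason the reply gives.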
[Help] Packer signatures (newbie, don't laugh)
PEiD says "Nothing Found" for every single assembly program I write.
[Help] How do I use two functions in the DDK???
Doesn't the Parameters section explain it clearly enough?
[Help] How do I use two functions in the DDK???
HalGetInterruptVector

The HalGetInterruptVector routine is obsolete and is exported only to support existing drivers. Drivers of PnP devices are assigned resources by the PnP manager, which passes resource lists with each IRP_MN_START_DEVICE request. Drivers that must support a legacy device that cannot be enumerated by the PnP manager should use IoReportDetectedDevice and IoReportResourceForDetection.

ULONG HalGetInterruptVector(
    IN INTERFACE_TYPE InterfaceType,
    IN ULONG BusNumber,
    IN ULONG BusInterruptLevel,
    IN ULONG BusInterruptVector,
    OUT PKIRQL Irql,
    OUT PKAFFINITY Affinity
);

See Also: HalAssignSlotResources, HalGetBusData, HalGetBusDataByOffset, IoAssignResources, IoQueryDeviceDescription, IoConnectInterrupt, IoReportDetectedDevice, IoReportResourceForDetection

------------------------------------------------------------------------

IoConnectInterrupt

The IoConnectInterrupt routine registers a device driver's InterruptService routine (ISR), so that it will be called when a device interrupts on any of a specified set of processors.

NTSTATUS IoConnectInterrupt(
    OUT PKINTERRUPT *InterruptObject,
    IN PKSERVICE_ROUTINE ServiceRoutine,
    IN PVOID ServiceContext,
    IN PKSPIN_LOCK SpinLock OPTIONAL,
    IN ULONG Vector,
    IN KIRQL Irql,
    IN KIRQL SynchronizeIrql,
    IN KINTERRUPT_MODE InterruptMode,
    IN BOOLEAN ShareVector,
    IN KAFFINITY ProcessorEnableMask,
    IN BOOLEAN FloatingSave
);

Parameters

InterruptObject
Pointer to the address of driver-supplied storage for a pointer to a set of interrupt objects. This pointer must be passed in subsequent calls to KeSynchronizeExecution.

ServiceRoutine
Pointer to the entry point for the driver-supplied InterruptService routine.

ServiceContext
Pointer to the driver-determined context that will be supplied to the InterruptService routine when it is called. The ServiceContext area must be in resident memory: in the device extension of a driver-created device object, in the controller extension of a driver-created controller object, or in nonpaged pool allocated by the device driver. See Providing ISR Context Information for details.

SpinLock
Pointer to an initialized spin lock, for which the driver supplies the storage, that will be used to synchronize access to driver-determined data shared by other driver routines. This parameter is required if the ISR handles more than one vector or if the driver has more than one ISR. Otherwise, the driver need not allocate storage for an interrupt spin lock and the input pointer is NULL.

Vector
Specifies the interrupt vector passed in the interrupt resource at the u.Interrupt.Vector member of CM_PARTIAL_RESOURCE_DESCRIPTOR.

Irql
Specifies the DIRQL passed in the interrupt resource at the u.Interrupt.Level member of CM_PARTIAL_RESOURCE_DESCRIPTOR.

SynchronizeIrql
Specifies the DIRQL at which the ISR will execute. If the ISR handles more than one interrupt vector or the driver has more than one ISR, this value must be the highest of the Irql values passed at u.Interrupt.Level in each interrupt resource. Otherwise, the Irql and SynchronizeIrql values are identical.

InterruptMode
Specifies whether the device interrupt is LevelSensitive or Latched.

ShareVector
Specifies whether the interrupt vector is sharable.

ProcessorEnableMask
Specifies a KAFFINITY value representing the set of processors on which device interrupts can occur in this platform. This value is passed in the interrupt resource at u.Interrupt.Affinity.

FloatingSave
Specifies whether to save the floating-point stack when the driver's device interrupts. For X86-based platforms, this value must be set to FALSE.

Return Value
IoConnectInterrupt can return one of the following NTSTATUS values: STATUS_SUCCESS, STATUS_INVALID_PARAMETER, STATUS_INSUFFICIENT_RESOURCES

Headers
Declared in wdm.h and ntddk.h. Include wdm.h or ntddk.h.

Comments
A PnP driver should call IoConnectInterrupt as part of device start-up, before it completes the PnP IRP_MN_START_DEVICE request. A driver receives raw and translated hardware resources with the IRP_MN_START_DEVICE request at Irp->Parameters.StartDevice.AllocatedResources and Irp->Parameters.StartDevice.AllocatedResourcesTranslated, respectively. To connect its interrupt, a driver uses the resources at AllocatedResourcesTranslated.List.PartialResourceList.PartialDescriptors[]. The driver must scan the array of partial descriptors for resources of type CmResourceTypeInterrupt.

If the driver supplies the storage for the SpinLock, it must call KeInitializeSpinLock before passing its interrupt spin lock to IoConnectInterrupt.

On return from a successful call to IoConnectInterrupt, the caller's ISR can be called if interrupts are enabled on the driver's device or if ShareVector was set to TRUE. (If a driver enables interrupts before IoConnectInterrupt is called, the caller's ISR can be called before IoConnectInterrupt returns.)

Callers of IoConnectInterrupt must be running at IRQL = PASSIVE_LEVEL.

See Also: IoDisconnectInterrupt, KeInitializeSpinLock, KeSynchronizeExecution, CM_PARTIAL_RESOURCE_DESCRIPTOR
Confused about exceptions, humbly asking the experts
Exceptions also occur while a program is running normally; the program just handles them itself, so they never show up (you can read up on SEH for this). See my reply for details. OllyDbg is a general-purpose debugger, not just a tool for cracking, so prompting whenever it hits an exception is simply its job. Once the exception has fired, in an example like this one you can use Shift+F7/F8 to ignore it and let the program continue. This is just a small trick by the author.
What is the segment address of the instruction "004010FA CMP AL,30"?
Originally posted by zabc: In protected mode a segment is described by a segment base and a segment limit. Unlike real mode, the base does not have to be aligned to 16 bytes, i.e. its low 4 bits need not be zero. Also, whereas in real mode a segment is at most 64KB, in protected mode there are segments with a maximum length of 1MB and, in addition, segments whose length must be a multiple of 4KB, with a maximum of 1MB × 4KB = 4GB. Windows applications use exactly this kind of 4GB segment.
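Added example, not part of the quoted post: a C decoder for an 8-byte protected-mode segment descriptor that pulls out the base and the 20-bit limit, applies the granularity bit (byte units up to 1MB, or 4KB units up to 4GB), and performs the limit check the CPU does when translating segment:offset to a linear address. The two descriptors fed to it are constructed inputs; the first is the usual flat 32-bit code descriptor (base 0, limit FFFFF, G=1) under which an offset such as 004010FA is also its own linear address.

```c
/* Added example (not from the original thread). Decodes a GDT/LDT code or
 * data descriptor and performs segment:offset -> linear translation.
 * Expand-down segments and 64-bit mode are out of scope here. */
#include <stdint.h>
#include <stdbool.h>

struct segdesc {
    uint32_t base;        /* linear base address; need not be 16-byte aligned */
    uint32_t limit_raw;   /* 20-bit limit field exactly as stored */
    uint32_t limit;       /* effective limit: last valid offset in bytes */
    bool     granularity; /* G bit: 0 = byte units (max 1MB), 1 = 4KB units (max 4GB) */
    bool     present;     /* P bit */
    bool     is_code;     /* S=1 and type bit 3 set */
    bool     default32;   /* D/B bit: 32-bit operands/addresses by default */
    uint8_t  dpl;         /* descriptor privilege level 0..3 */
};

/* Descriptor layout (little-endian, 8 bytes):
 *   d[0..1]  limit 15:0        d[2..3]  base 15:0
 *   d[4]     base 23:16        d[5]     P | DPL | S | type
 *   d[6]     G | D/B | L | AVL | limit 19:16
 *   d[7]     base 31:24 */
void decode_descriptor(const uint8_t d[8], struct segdesc *s) {
    s->limit_raw   = (uint32_t)d[0] | ((uint32_t)d[1] << 8) | ((uint32_t)(d[6] & 0x0F) << 16);
    s->base        = (uint32_t)d[2] | ((uint32_t)d[3] << 8) |
                     ((uint32_t)d[4] << 16) | ((uint32_t)d[7] << 24);
    s->granularity = (d[6] & 0x80) != 0;
    s->default32   = (d[6] & 0x40) != 0;
    s->present     = (d[5] & 0x80) != 0;
    s->dpl         = (d[5] >> 5) & 3;
    s->is_code     = (d[5] & 0x18) == 0x18;
    /* With G=1 the low 12 bits of the effective limit are all ones, so a
     * raw limit of 0xFFFFF covers the full 4GB (0 .. 0xFFFFFFFF). */
    s->limit = s->granularity ? ((s->limit_raw << 12) | 0xFFF) : s->limit_raw;
}

/* Translate an offset within the segment to a linear address, applying the
 * limit check the CPU performs; false corresponds to a #GP in hardware. */
bool seg_to_linear(const struct segdesc *s, uint32_t offset, uint32_t *linear) {
    if (!s->present || offset > s->limit) return false;
    *linear = s->base + offset;   /* wraps modulo 2^32 just like the CPU */
    return true;
}

/* Largest size a descriptor can express for a given granularity. */
uint64_t max_segment_size(bool granularity) {
    return granularity ? ((uint64_t)0xFFFFF + 1) * 4096 : (uint64_t)0xFFFFF + 1;
}
```

Running the decoder over the descriptors a kernel actually loads (for example the entries you can dump with a kernel debugger) is the quickest way to confirm the "4GB flat segment" claim for a given OS: base 0 and effective limit 0xFFFFFFFF means the segment register contributes nothing to the address.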
|
|
[Original] Four-F advanced string macros, revised edition
Updated 2006.08.17
Changes:
- Completely removed the limit that Unicode strings could not exceed 64 characters
- Fixed some minor bugs
- The tutorial that used to sit at the top of the file has been split out into tutorial.txt; the copyright notice is kept
This set of macros makes defining strings in MASM much more convenient, especially thanks to its Unicode string support. Main features: escape sequences are supported (\n differs slightly from C++); duplicate strings are automatically eliminated (Four-F's original idea), i.e. once a string has been defined, any later identical definition automatically references the original instead of emitting a second copy (this mechanism can be switched on or off). The only regret is that Unicode Chinese strings are not supported directly; that is a limitation of what MASM macros can do. Chinese strings have to be defined indirectly, using the \u escape with the character's Unicode code. Suggestions for improvement and bug reports are welcome; thanks everyone for your support.
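Added example, not code from the macro package itself: a C model of what such a string macro has to do, namely turn an ASCII source literal containing escapes into UTF-16LE code units, with a tiny intern table that reproduces the "identical literal reuses the earlier definition" behaviour. The escape set (\n \r \t \\ \" \0 \uXXXX) and C-like \n semantics are assumptions for the illustration; the post says the real macros' \n differs slightly from C++, and their exact table is not given here.

```c
/* Added example (not the Four-F macros). Models the two jobs described in
 * the post: escape decoding to UTF-16LE (so Chinese text can be written as
 * \uXXXX in an ASCII source) and de-duplication of identical literals.
 * Escape set and semantics are assumed, not taken from the macro package. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode 'src' into UTF-16 code units in 'out' (capacity 'cap' units) and
 * append a terminating 0. Returns the number of units written including the
 * terminator, or 0 on a malformed escape or insufficient capacity. */
size_t parse_wstr(const char *src, uint16_t *out, size_t cap) {
    size_t n = 0;
    if (cap == 0) return 0;
    for (const char *p = src; *p; ) {
        uint16_t u;
        if (*p != '\\') {
            u = (uint8_t)*p++;              /* plain ASCII maps 1:1 */
        } else {
            p++;
            switch (*p++) {
            case 'n':  u = 0x0A; break;
            case 'r':  u = 0x0D; break;
            case 't':  u = 0x09; break;
            case '\\': u = '\\'; break;
            case '"':  u = '"';  break;
            case '0':  u = 0;    break;     /* embedded NUL unit */
            case 'u': {                     /* \uXXXX: exactly four hex digits */
                u = 0;
                for (int i = 0; i < 4; i++) {
                    int h = hexval(*p);
                    if (h < 0) return 0;    /* truncated or non-hex digit */
                    p++;
                    u = (uint16_t)((u << 4) | h);
                }
                break;
            }
            default:   return 0;            /* unknown escape (or trailing '\') */
            }
        }
        if (n >= cap - 1) return 0;         /* keep room for the terminator */
        out[n++] = u;
    }
    out[n++] = 0;
    return n;
}

/* Serialize code units to the little-endian bytes MASM would emit with dw. */
size_t to_le_bytes(const uint16_t *units, size_t count, uint8_t *bytes) {
    for (size_t i = 0; i < count; i++) {
        bytes[2 * i]     = units[i] & 0xFF;
        bytes[2 * i + 1] = units[i] >> 8;
    }
    return count * 2;
}

/* Minimal intern table: the source literal is the key, so a repeated literal
 * yields the index of the earlier definition instead of a new entry. */
#define MAX_STRS 8
#define MAX_UNITS 64
struct strtab {
    char     keys[MAX_STRS][MAX_UNITS];
    uint16_t data[MAX_STRS][MAX_UNITS];
    size_t   n;
};

/* Returns the entry index, or -1 if the table is full or the literal is bad. */
int intern_wstr(struct strtab *t, const char *src) {
    for (size_t i = 0; i < t->n; i++)
        if (strcmp(t->keys[i], src) == 0) return (int)i;   /* reuse */
    if (t->n == MAX_STRS || strlen(src) >= MAX_UNITS) return -1;
    if (parse_wstr(src, t->data[t->n], MAX_UNITS) == 0) return -1;
    strcpy(t->keys[t->n], src);
    return (int)t->n++;
}
```

One caveat the model makes visible: de-duplication keys on the source text, so "\u4E2D" and an otherwise identical literal written with different escapes would get two copies even though they decode to the same bytes.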
Don't understand test, e.g. test eax,eax
1. An example:
test eax,eax
jnz loc
some instruction
loc:
...
is equivalent to
.if (!eax)
some instruction
.endif
2. imul eax,eax,0Ch means eax = eax * 0Ch
[Help] What does the enter instruction do?
enter was originally designed to support procedures in high-level languages (it pairs with leave), but in practice the instruction costs close to 50 clock cycles, so it ended up with practically no use (leave, on the other hand, is used a lot). I have seen the form enter N,0.
enter sets up a stack frame for a procedure and reserves space for local variables. A high-level-language procedure usually has the following:
push ebp
mov ebp,esp
sub esp,xxxx
....
leave
ret
Simply put, enter is equivalent to those first few instructions.
|
|
[Help] try/catch can't catch the exception from HeapFree
In my tests HeapFree didn't raise any exception at all. I tried removing the try-catch and the program still ran fine. Some Windows APIs have error-protection mechanisms: if you pass bad parameters they handle the resulting exception themselves, so it looks as if nothing happened. MessageBoxA, for example, won't raise an access violation at address 0 if you pass it a NULL string; HeapFree is presumably similar. try-catch is still useful. If you don't believe it, deliberately trigger an access to address 0 inside the try, e.g.
p1 = 0;
*p1 = 0;
and you will see the "error" text.
[Help] Please post ildasm from the .NET SDK 2.0
ILDasm from the 2.0.50727.42 SDK. Try this: http://bbs.pediy.com/showthread.php?s=&threadid=28786&highlight=decompiler
Packing problem with programs compiled by VC2005
That tool was posted by someone in a reply to a thread discussing packers; I can't find it now. Could someone provide it?
Packing problem with programs compiled by VC2005
This question has been answered on the forum already; there is a VC2005 floating-point fix tool in the tools section.
As soon as Soft-ICE starts, the CPU goes to 100%. Is this normal?
Does the CPU have Hyper-Threading?
How do you crack a program that only checks whether it is registered after you restart it?
Find where the registration information is stored and the code in the program that reads it back.