|
[讨论]谁能推荐一个好用点的win32下的汇编IDE
RadASM |
|
|
|
SOS 小弟买了一个小工具软件是邦定硬件的硬盘坏了
可以要求卖的重新给你注册码 |
|
|
|
软件安全杂志团队招募成员
大力支持 |
|
arhat 翻译的《Shellcoder编程揭秘》出版
支持。。。一定购买 |
|
[原创]hmimys-Packer v1.0
支持。。。perfect |
|
|
|
脱loveboom的execryptor的例子
西裤想要这个插件。。。 |
|
脱loveboom的execryptor的例子
向南蛮妈妈学习。。。 |
|
关于DRX解码
注意SEH,通常ring3程序清drx都是在SEH异常中进行的,找到清除代码NOP掉 |
|
[分享]aspr中的精彩代码(一)(修正)、(二)
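这段时间每天的时间也不多,就只能写这么多东西了,不帖出来的话,怕哪天又没激情了。。。 -_-\\,我尽量帖吧。。。 3. 对GetOpCodeSize的实现,昨天帖的代码和数据表都不完整,今天实现的时候才发现,汗一个。。。现已修正。。。

type
  PBytes = ^Byte;
  // Per-opcode attribute table consumed by GetOpCodeSize.
  //   entries   0..255 : one-byte opcodes
  //   entries 256..511 : 0F-prefixed two-byte opcodes (indexed as second byte + $100)
  //   entries 512..517 : never indexed by GetOpCodeSize (padding)
  // Bit layout of an entry as the code below reads it:
  //   low byte : bit 3 = prefix byte; bit 4 = address-size (67h) override;
  //              bit 5 = moffs operand; bits 0..2 = displacement/offset byte count
  //   high byte: bit 6 ($4000) = ModRM follows; bit 7 ($8000) = immediate sized by
  //              the opcode's low bit; bit 5 ($2000) = operand-size-dependent immediate;
  //              bit 4 = operand-size (66h) override; bits 0..2 = immediate byte count
  //   $FFFFFFFF : opcode the routine refuses to measure (only used in the 0F half)
  TMaskTable = array [0..517] of LongWord;

var
  MaskTable: TMaskTable = (
    // 00..3F: ALU ops; Eb/Ev forms carry a ModRM, AL/eAX forms an immediate,
    // 26/2E/36/3E are segment prefixes
    $00004000, $00004000, $00004000, $00004000, $00008000, $00008000, $00000000, $00000000,
    $00004000, $00004000, $00004000, $00004000, $00008000, $00008000, $00000000, $00000000,
    $00004000, $00004000, $00004000, $00004000, $00008000, $00008000, $00000000, $00000000,
    $00004000, $00004000, $00004000, $00004000, $00008000, $00008000, $00000000, $00000000,
    $00004000, $00004000, $00004000, $00004000, $00008000, $00008000, $00000008, $00000000,
    $00004000, $00004000, $00004000, $00004000, $00008000, $00008000, $00000008, $00000000,
    $00004000, $00004000, $00004000, $00004000, $00008000, $00008000, $00000008, $00000000,
    $00004000, $00004000, $00004000, $00004000, $00008000, $00008000, $00000008, $00000000,
    // 40..5F: INC/DEC/PUSH/POP reg, single byte
    $00000000, $00000000, $00000000, $00000000, $00000000, $00000000, $00000000, $00000000,
    $00000000, $00000000, $00000000, $00000000, $00000000, $00000000, $00000000, $00000000,
    $00000000, $00000000, $00000000, $00000000, $00000000, $00000000, $00000000, $00000000,
    $00000000, $00000000, $00000000, $00000000, $00000000, $00000000, $00000000, $00000000,
    // 60..6F: 62/63 take a ModRM, 64/65 segment prefixes, 66 operand-size,
    // 67 address-size, 68..6B PUSH/IMUL immediates
    $00000000, $00000000, $00004000, $00004000, $00000008, $00000008, $00001008, $00000018,
    $00002000, $00006000, $00000100, $00004100, $00000000, $00000000, $00000000, $00000000,
    // 70..7F: Jcc rel8
    $00000100, $00000100, $00000100, $00000100, $00000100, $00000100, $00000100, $00000100,
    $00000100, $00000100, $00000100, $00000100, $00000100, $00000100, $00000100, $00000100,
    // 80..8F: group 1 with immediates, then ModRM-only forms
    $00004100, $00006000, $00004100, $00004100, $00004000, $00004000, $00004000, $00004000,
    $00004000, $00004000, $00004000, $00004000, $00004000, $00004000, $00004000, $00004000,
    // 90..9F: 9A = CALL far (selector + offset)
    $00000000, $00000000, $00000000, $00000000, $00000000, $00000000, $00000000, $00000000,
    $00000000, $00000000, $00002002, $00000000, $00000000, $00000000, $00000000, $00000000,
    // A0..AF: A0..A3 MOV moffs, A8/A9 TEST imm
    $00000020, $00000020, $00000020, $00000020, $00000000, $00000000, $00000000, $00000000,
    $00000100, $00002000, $00000000, $00000000, $00000000, $00000000, $00000000, $00000000,
    // B0..BF: MOV reg, imm8 / imm32
    $00000100, $00000100, $00000100, $00000100, $00000100, $00000100, $00000100, $00000100,
    $00002000, $00002000, $00002000, $00002000, $00002000, $00002000, $00002000, $00002000,
    // C0..CF: shifts, RET imm16, LES/LDS, MOV imm, ENTER, INT handled in code
    $00004100, $00004100, $00000200, $00000000, $00004000, $00004000, $00004100, $00006000,
    $00000300, $00000000, $00000200, $00000000, $00000000, $00000000, $00000000, $00000000,
    // D0..DF: shifts, AAM/AAD imm8, FPU escapes
    $00004000, $00004000, $00004000, $00004000, $00000100, $00000100, $00000000, $00000000,
    $00004000, $00004000, $00004000, $00004000, $00004000, $00004000, $00004000, $00004000,
    // E0..EF: LOOP/JCXZ/IN/OUT imm8, CALL/JMP rel32, JMP far, JMP rel8
    $00000100, $00000100, $00000100, $00000100, $00000100, $00000100, $00000100, $00000100,
    $00002000, $00002000, $00002002, $00000100, $00000000, $00000000, $00000000, $00000000,
    // F0..FF: LOCK/REPNE/REP prefixes, F6/F7 handled in code, FE/FF groups
    $00000008, $00000000, $00000008, $00000008, $00000000, $00000000, $00000000, $00000000,
    $00000000, $00000000, $00000000, $00000000, $00000000, $00000000, $00004000, $00004000,
    // 0F 00..0F
    $00004000, $00004000, $00004000, $00004000, $FFFFFFFF, $FFFFFFFF, $00000000, $FFFFFFFF,
    $00000000, $00000000, $00000000, $00000000, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF,
    // 0F 10..7F: not handled by this table
    $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF,
    $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF,
    $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF,
    $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF,
    $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF,
    $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF,
    $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF,
    $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF,
    $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF,
    $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF,
    $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF,
    $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF,
    $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF,
    $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF,
    // 0F 80..8F: Jcc rel32
    $00002000, $00002000, $00002000, $00002000, $00002000, $00002000, $00002000, $00002000,
    $00002000, $00002000, $00002000, $00002000, $00002000, $00002000, $00002000, $00002000,
    // 0F 90..9F: SETcc
    $00004000, $00004000, $00004000, $00004000, $00004000, $00004000, $00004000, $00004000,
    $00004000, $00004000, $00004000, $00004000, $00004000, $00004000, $00004000, $00004000,
    // 0F A0..AF: PUSH/POP FS/GS, CPUID, BT/BTS, SHLD/SHRD, IMUL
    $00000000, $00000000, $00000000, $00004000, $00004100, $00004000, $FFFFFFFF, $FFFFFFFF,
    $00000000, $00000000, $00000000, $00004000, $00004100, $00004000, $FFFFFFFF, $00004000,
    // 0F B0..BF: CMPXCHG, LSS/LFS/LGS, BTR, MOVZX, group 8, BTC, BSF/BSR, MOVSX
    $00004000, $00004000, $00004000, $00004000, $00004000, $00004000, $00004000, $00004000,
    $FFFFFFFF, $FFFFFFFF, $00004100, $00004000, $00004000, $00004000, $00004000, $00004000,
    // 0F C0..CF: XADD, then BSWAP reg
    $00004000, $00004000, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF,
    $00000000, $00000000, $00000000, $00000000, $00000000, $00000000, $00000000, $00000000,
    // 0F D0..FF: not handled by this table
    $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF,
    $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF,
    $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF,
    $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF,
    $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF,
    $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF,
    // 512..517: padding beyond both 256-entry halves; never read
    $00000000, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF, $FFFFFFFF
  );

// Returns the encoded length in bytes of the x86 instruction at Start, or -1 when
// the opcode is marked $FFFFFFFF in Tlb.
// Start : first byte of the instruction (prefixes included).
// Tlb   : attribute table, normally MaskTable above (passed by value to keep the
//         stdcall ABI unchanged, so each call copies SizeOf(TMaskTable) bytes).
// The routine reads forward from Start with no explicit bound: the caller must
// guarantee the whole instruction is readable, and an unbounded run of prefix
// bytes makes it keep reading, so it must only be pointed at well-formed code.
function GetOpCodeSize(Start: Pointer; Tlb: TMaskTable): integer; stdcall;

implementation

function GetOpCodeSize(Start: Pointer; Tlb: TMaskTable): integer; stdcall;
var
  pOPCode: PBytes;       // read cursor, advanced past every byte that is consumed
  t, c: LongWord;        // t = accumulated attribute bits, c = opcode / ModRM fields
  dh, dl, al: Byte;
begin
  Result := -1;
  t := 0;
  c := 0;
  pOPCode := Start;

  // Fold the attributes of any prefix bytes into t.  Bit 3 marks a prefix; it is
  // cleared before each step so the loop stops on the first non-prefix byte,
  // which is left in c as the opcode.
  repeat
    t := t and $F7;
    c := pOPCode^;
    Inc(pOPCode);
    t := t or Tlb[c];
  until (t and 8) = 0;

  if (c = $F6) or (c = $F7) then
  begin
    // Group 3 always has a ModRM; the /0 form (TEST) also carries an immediate
    // sized by the opcode's low bit.  The ModRM byte is peeked, not consumed.
    t := t or $00004000;
    if (pOPCode^ and $38) = 0 then
      t := t or $00008000;
  end
  else if c = $CD then
  begin
    // INT imm8; INT 20h is followed by four more bytes.
    t := t or $00000100;
    if pOPCode^ = $20 then
      t := t or $00000400;
  end
  else if c = $0F then
  begin
    // Two-byte opcode: second half of the table.  $FFFFFFFF means "unsupported",
    // so leave Result at -1.
    al := pOPCode^;
    Inc(pOPCode);
    t := t or Tlb[al + $100];
    if t = $FFFFFFFF then
      Exit;
  end;

  // $8000: immediate whose size follows the opcode's low bit —
  // even opcode (Eb,Ib) -> 1 byte, odd opcode (Ev,Iz) -> operand-size dependent.
  if (t and $00008000) <> 0 then
  begin
    dh := (t and $0000FF00) shr 8;
    dh := dh xor $20;
    if (c and 1) = 0 then
      dh := dh xor $21;
    t := (t and $FFFF00FF) or (dh shl 8);
  end;

  // $4000: a ModRM byte follows; derive SIB and displacement sizes from it.
  if (t and $00004000) <> 0 then
  begin
    al := pOPCode^;
    Inc(pOPCode);
    c := al or (al shl 8);
    c := c and $C007;                 // high byte = mod field, low byte = r/m field
    if (c and $0000FF00) <> $C000 then  // mod = 11 is register-direct: nothing more
    begin
      if (t and $10) = 0 then         // 32-bit addressing (no 67h prefix)
      begin
        if (c and $000000FF) = 4 then // r/m = 100: a SIB byte follows
        begin
          al := pOPCode^;
          Inc(pOPCode);
          al := al and 7;             // SIB base field replaces r/m
          c := (c and $0000FF00) or al;
        end;
        if (c and $0000FF00) <> $4000 then
        begin
          if (c and $0000FF00) = $8000 then
            t := t or 4               // mod = 10: disp32
          else if c = 5 then
            t := t or 4;              // mod = 00, base = 101: disp32
        end
        else
          t := t or 1;                // mod = 01: disp8
      end
      else                            // 16-bit addressing (67h prefix)
      begin
        if c <> 6 then
        begin
          if (c and $0000FF00) = $4000 then
            t := t or 1               // mod = 01: disp8
          else if (c and $0000FF00) = $8000 then
            t := t or 2;              // mod = 10: disp16
        end
        else
          t := t or 2;                // mod = 00, r/m = 110: disp16
      end;
    end;
  end;

  // Low-byte bit 5: a moffs operand; 4 bytes, or 2 under a 67h prefix (bit 4).
  if (t and $20) <> 0 then
  begin
    dl := t and $FF;
    dl := dl xor 2;
    t := (t and $FFFFFF00) or dl;
    if (dl and $10) = 0 then
    begin
      dl := dl xor 6;
      t := (t and $FFFFFF00) or dl;
    end;
  end;

  // High-byte bit 5: an operand-size-dependent immediate; 4 bytes, or 2 under a
  // 66h prefix (bit 4).
  if (t and $00002000) <> 0 then
  begin
    dh := (t and $0000FF00) shr 8;
    dh := dh xor 2;
    t := (t and $FFFF00FF) or (dh shl 8);
    if (dh and $10) = 0 then
    begin
      dh := dh xor 6;
      // Fix: the posted code wrote dl into the LOW byte here (copy-paste from the
      // moffs block above), so the 4-byte immediate size was lost and e.g.
      // MOV EAX,imm32 came out as 3 bytes instead of 5.
      t := (t and $FFFF00FF) or (dh shl 8);
    end;
  end;

  Result := LongWord(pOPCode) - LongWord(Start);
  // Keep only the size fields (bits 0..2 of each byte): low byte = displacement /
  // offset bytes, high byte = immediate bytes.
  t := t and $707;
  Result := Result + (t and $000000FF);         // one instruction can never exceed 255 bytes
  Result := Result + ((t and $0000FF00) shr 8);
end;

4. 检测某个地址是否被下断点
01844A2A 8B06 mov eax,dword ptr ds:[esi] ; 某个地址
01844A2C 8A00 mov al,byte ptr ds:[eax] ; 取这个地址的值
01844A2E 34 12 xor al,12
01844A30 3C DE cmp al,0DE ; 如果这个值是CC的话,与12H进行xor后的结果就是0DEH
01844A32 75 38 jnz short 01844A6C
...... //做某些事
未完待续。。。,下次争取帖出aspr完整偷api代码的程序 如果上面的代码能正确运行的话就是我写的,如果不能,那我也不知道是谁写的。。。 xIkUg/RCT/CCG 2005-12-20 |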