Notes on using RORDbg
Turning off DEP should do it.
Notes on using RORDbg
Originally posted by china: It runs fine for me:

    Eip==01001000 GetLastError:::7C578265 未知壳
    01001000 B82CBC0101 MOV EAX,101BC2C
    01001005 50 PUSH EAX
    01001006 64FF3500000000 PUSH DWORD PTR FS:[0]
    0100100D 64892500000000 MOV DWORD PTR FS:[0],ESP
    01001014 33C0 XOR EAX,EAX
    01001016 8908 MOV DWORD PTR [EAX],ECX
    发生异常! FS:[0]==0006FFBC 异常处理程序地址:0101BC2C 这个异常被成功捕获!
    0101BC2C B823AA01F1 MOV EAX,F101AA23
    0101BC31 8D882C120010 LEA ECX,DWORD PTR [EAX+01000122Ch]
    0101BC37 894101 MOV DWORD PTR [ECX+01h],EAX
    0101BC3A 8B542404 MOV EDX,DWORD PTR [ESP+04h]
    0101BC3E 8B520C MOV EDX,DWORD PTR [EDX+0Ch]
    0101BC41 C602E9 MOV BYTE PTR [EDX],E9
    0101BC44 83C205 ADD EDX,5
    0101BC47 2BCA SUB ECX,EDX
    0101BC49 894AFC MOV DWORD PTR [EDX-04h],ECX
    0101BC4C 33C0 XOR EAX,EAX
    0101BC4E C3 RET
    异常处理代码结束!
    01001016 E934AC0100 JMP 0101BC4F
    0101BC4F B823AA01F1 MOV EAX,F101AA23
    0101BC54 648F0500000000 POP DWORD PTR FS:[0]
    0101BC5B 83C404 ADD ESP,4
    0101BC5E 55 PUSH EBP
    0101BC5F 53 PUSH EBX
    0101BC60 51 PUSH ECX
    0101BC61 57 PUSH EDI
    0101BC62 56 PUSH ESI
    0101BC63 52 PUSH EDX
    0101BC64 8D98E5110010 LEA EBX,DWORD PTR [EAX+0100011E5h]
    0101BC6A 8B5318 MOV EDX,DWORD PTR [EBX+018h]
    0101BC6D 52 PUSH EDX
    0101BC6E 8BE8 MOV EBP,EAX
    0101BC70 6A40 PUSH 40
    0101BC72 6800100000 PUSH 1000
    0101BC77 FF7304 PUSH DWORD PTR [EBX+04h]
    0101BC7A 6A00 PUSH 0
    0101BC7C 8B4B10 MOV ECX,DWORD PTR [EBX+010h]
    0101BC7F 03CA ADD ECX,EDX
    0101BC81 8B01 MOV EAX,DWORD PTR [ECX]
    0101BC83 FFD0 CALL EAX
    0101BC83 ***API: KERNEL32.DLL!VirtualAlloc
    7C58E891 55 PUSH EBP
    7C58E892 8BEC MOV EBP,ESP
    7C58E894 FF7514 PUSH DWORD PTR [EBP+014h]
    7C58E897 FF7510 PUSH DWORD PTR [EBP+010h]
    7C58E89A FF750C PUSH DWORD PTR [EBP+0Ch]
    7C58E89D FF7508 PUSH DWORD PTR [EBP+08h]
    7C58E8A0 6AFF PUSH FF
    7C58E8A2 E81B000000 CALL 7C58E8C2
    7C58E8A7 5D POP EBP
    7C58E8A8 C21000 RET 10
    0101BC85 5A POP EDX
    0101BC86 8BF8 MOV EDI,EAX
    0101BC88 50 PUSH EAX
    0101BC89 52 PUSH EDX
    0101BC8A 8B33 MOV ESI,DWORD PTR [EBX]
    0101BC8C 8B4320 MOV EAX,DWORD PTR [EBX+020h]
    0101BC8F 03C2 ADD EAX,EDX
    0101BC91 8B08 MOV ECX,DWORD PTR [EAX]
    0101BC93 894B20 MOV DWORD PTR [EBX+020h],ECX
    0101BC96 8B431C MOV EAX,DWORD PTR [EBX+01Ch]
    0101BC99 03C2 ADD EAX,EDX
    0101BC9B 8B08 MOV ECX,DWORD PTR [EAX]
    0101BC9D 894B1C MOV DWORD PTR [EBX+01Ch],ECX
    0101BCA0 03F2 ADD ESI,EDX
    00287EFE ***API: KERNEL32.DLL!LoadLibraryA
    00287EFE ***API: KERNEL32.DLL!GetProcAddress
    00287EFE ***API: KERNEL32.DLL!GetProcAddress
    00287EFE ***API: KERNEL32.DLL!GetProcAddress
    00287EFE ***API: KERNEL32.DLL!GetProcAddress
    00287EFE ***API: KERNEL32.DLL!GetProcAddress
    00287EFE ***API: KERNEL32.DLL!LoadLibraryA
    00287EFE ***API: KERNEL32.DLL!GetProcAddress
    00287EFE ***API: KERNEL32.DLL!GetProcAddress
    00287EFE ***API: KERNEL32.DLL!VirtualAlloc
    00287EFA ***API: KERNEL32.DLL!LoadLibraryA
    00287EFB ***API: KERNEL32.DLL!GetProcAddress
    00287EFB ***API: KERNEL32.DLL!GetProcAddress
    019B007E ***API: KERNEL32.DLL!VirtualAlloc
    019B00BE ***API: KERNEL32.DLL!VirtualFree
    019B0FA0 ***API: KERNEL32.DLL!GetModuleHandleA
    00287EFE ***API: KERNEL32.DLL!LoadLibraryA
    00287EFE ***API: KERNEL32.DLL!GetProcAddress
    00287EFE ***API: KERNEL32.DLL!GetProcAddress
    00287EFE ***API: KERNEL32.DLL!GetProcAddress
    00287EFE ***API: KERNEL32.DLL!GetProcAddress
    00287EFE ***API: KERNEL32.DLL!GetProcAddress
    00287EFE ***API: KERNEL32.DLL!GetProcAddress
    00287EFE ***API: KERNEL32.DLL!GetProcAddress
    00287EFE ***API: KERNEL32.DLL!GetProcAddress
    00287EFE ***API: KERNEL32.DLL!GetProcAddress
    019B0FA0 ***API: KERNEL32.DLL!GetModuleHandleA
    00287EFE ***API: KERNEL32.DLL!GetProcAddress
    00287EFE ***API: KERNEL32.DLL!GetProcAddress
    00287EFE ***API: KERNEL32.DLL!GetProcAddress
    00287EFE ***API: KERNEL32.DLL!GetProcAddress
    019B0FA0 ***API: KERNEL32.DLL!GetModuleHandleA
    00287EFE ***API: KERNEL32.DLL!LoadLibraryA
    00287EFE ***API: KERNEL32.DLL!GetProcAddress
    00287EFE ***API: KERNEL32.DLL!GetProcAddress
    00287EFE ***API: KERNEL32.DLL!GetProcAddress
    019B0FA0 ***API: KERNEL32.DLL!GetModuleHandleA
    00287EFE ***API: KERNEL32.DLL!GetProcAddress
    019B0FA0 ***API: KERNEL32.DLL!GetModuleHandleA
    00287EFE ***API: KERNEL32.DLL!GetProcAddress
    00287EFE ***API: KERNEL32.DLL!GetProcAddress
    00287EFE ***API: KERNEL32.DLL!GetProcAddress
    00287EFE ***API: KERNEL32.DLL!GetProcAddress
    00287EFE ***API: KERNEL32.DLL!GetProcAddress
    00287EFE ***API: KERNEL32.DLL!GetProcAddress
    00287EFE ***API: KERNEL32.DLL!GetProcAddress
    00287EFE ***API: KERNEL32.DLL!GetProcAddress
    00287EFE ***API: KERNEL32.DLL!GetProcAddress
    00287EFE ***API: KERNEL32.DLL!GetProcAddress
    00287EFE ***API: KERNEL32.DLL!GetProcAddress
    00287EFE ***API: KERNEL32.DLL!GetProcAddress
    00287EFE ***API: KERNEL32.DLL!VirtualProtect
    00287EFE ***API: KERNEL32.DLL!VirtualProtect
    00287EFE ***API: KERNEL32.DLL!VirtualProtect
    00287EFE ***API: KERNEL32.DLL!VirtualProtect
    00287EFE ***API: KERNEL32.DLL!VirtualProtect
    00287EFE ***API: KERNEL32.DLL!VirtualFree
    可能到OEP了,如果不完全正确,请再单步走几下!
    0101BCEE FFE0 JMP EAX
    可能到OEP了,如果不完全正确,请再单步走几下!
    0100739D 6A70 PUSH 70
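An added example, not code from the original post or from RORDbg: the handler in the trace above reads the faulting EIP from the EXCEPTION_RECORD (ExceptionAddress at offset 0Ch), computes a continuation address with wrap-around LEA arithmetic, and overwrites the faulting instruction with a 5-byte JMP rel32. The script below recomputes those bytes from the trace lines themselves and checks them against the `01001016 E934AC0100 JMP 0101BC4F` line; helper names are ours, and the disp32 is taken from the instruction bytes because the trace prints it oddly as `01000122Ch`.

```python
import struct

MASK32 = 0xFFFFFFFF

def parse_trace_line(line: str):
    """Split one RORDbg line, e.g. '01001016 E934AC0100 JMP 0101BC4F',
    into (address, instruction bytes, disassembly text)."""
    addr, hexbytes, *rest = line.split()
    return int(addr, 16), bytes.fromhex(hexbytes), " ".join(rest)

def imm32(code: bytes, offset: int) -> int:
    """Little-endian 32-bit immediate or displacement at 'offset' in 'code'."""
    return struct.unpack_from("<I", code, offset)[0]

def encode_jmp_rel32(at: int, target: int) -> bytes:
    """Bytes of 'JMP target' assembled at address 'at' (E9 + rel32)."""
    return b"\xE9" + struct.pack("<I", (target - (at + 5)) & MASK32)

def decode_jmp_rel32(at: int, code: bytes) -> int:
    """Destination of an E9 rel32 jump located at address 'at'."""
    if len(code) != 5 or code[0] != 0xE9:
        raise ValueError("not a JMP rel32")
    return (at + 5 + imm32(code, 1)) & MASK32

# Lines copied from the trace above.
MOV_LINE = "0101BC2C B823AA01F1 MOV EAX,F101AA23"
LEA_LINE = "0101BC31 8D882C120010 LEA ECX,DWORD PTR [EAX+01000122Ch]"
FAULT_LINE = "01001016 8908 MOV DWORD PTR [EAX],ECX"
PATCHED_LINE = "01001016 E934AC0100 JMP 0101BC4F"

def check_trace() -> dict:
    """Recompute the handler's continuation address and the 5 bytes it writes,
    then compare with what the trace shows after the handler returned."""
    _, mov_code, _ = parse_trace_line(MOV_LINE)
    _, lea_code, _ = parse_trace_line(LEA_LINE)
    fault_addr, _, _ = parse_trace_line(FAULT_LINE)
    patched_addr, patched_code, patched_text = parse_trace_line(PATCHED_LINE)

    eax = imm32(mov_code, 1)                # B8 imm32          -> F101AA23
    disp = imm32(lea_code, 2)               # 8D 88 disp32      -> 1000122C
    continuation = (eax + disp) & MASK32    # LEA wraps modulo 2**32 -> 0101BC4F
    expected = encode_jmp_rel32(fault_addr, continuation)
    return {
        "continuation": continuation,
        "expected_bytes": expected.hex().upper(),
        "trace_bytes": patched_code.hex().upper(),
        "matches": (patched_addr == fault_addr
                    and expected == patched_code
                    and decode_jmp_rel32(patched_addr, patched_code) == continuation
                    and patched_text.endswith(f"{continuation:08X}")),
    }

if __name__ == "__main__":
    print(check_trace())
```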
Can everyone take a look at what anti-tracing technique this is??
    pushfd
    or byte ptr [esp+1],1
    popfd

This sets TF to 1, so that single-stepping does not raise an exception and OD can no longer use F8. You can use the command g 40a978 to get past this anti. Never use the F8 or F7 keys to debug step by step.
hying's PEArmor V0.7X is too strong; does anyone have an unpacking script?
If HY didn't blue-screen I would give it a try too.
6-layer packer, unpackme
win2k sp4, BS (BlueScreen)
[Share] Finally unpacked SecuROM 4.X-5.X
There are two more kinds of API CALL; three kinds in total.

    01822D00 55 push ebp
    01822D01 8BEC mov ebp,esp
    01822D03 83EC 18 sub esp,18
    01822D06 53 push ebx
    01822D07 56 push esi
    01822D08 57 push edi
    01822D09 53 push ebx
    01822D0A 51 push ecx
    01822D0B 52 push edx
    01822D0C 56 push esi
    01822D0D 57 push edi
    01822D0E 50 push eax

Just search downward for the RETN.

    01822DDB 59 pop ecx
    01822DDC 5B pop ebx
    01822DDD 5F pop edi
    01822DDE 5E pop esi
    01822DDF 5B pop ebx
    01822DE0 8BE5 mov esp,ebp
    01822DE2 5D pop ebp
    01822DE3 C3 retn ; retn to the corresponding API

The other kind is:

    0043A94B |. E8 A0813E01 call OMOKIMI_.01822AF0 ; Kernel32.GetStartupInfoA
    01822AF0 55 push ebp
    01822AF1 8BEC mov ebp,esp
    01822AF3 83EC 18 sub esp,18
    01822AF6 53 push ebx
    01822AF7 56 push esi
    01822AF8 57 push edi
    01822AF9 53 push ebx
    01822AFA 51 push ecx
    01822AFB 52 push edx
    01822AFC 56 push esi
    01822AFD 57 push edi
    01822AFE 8B45 04 mov eax,dword ptr ss:[ebp+4]
    01822B01 8945 E8 mov dword ptr ss:[ebp-18],eax
    .
    . there is also a CALL in between
    .
    01822B9D 5F pop edi
    01822B9E 5E pop esi
    01822B9F 5A pop edx
    01822BA0 59 pop ecx
    01822BA1 5B pop ebx
    01822BA2 8BE5 mov esp,ebp
    01822BA4 5D pop ebp
    01822BA5 8B00 mov eax,dword ptr ds:[eax]
    01822BA7 FFE0 jmp eax ; jumps into the corresponding API   Kernel32.SetHandleCount

Found part of the import table; altogether 0x43E298 - 0x43000 = 0x298 bytes.

    0043E000 510A24CC dsound.DirectSoundCreate
    0043E004 00000000
    0043E008 77F41D10 GDI32.SelectObject
    0043E00C 77F44DA1 GDI32.GetDeviceCaps
    0043E010 77F44AA5 GDI32.CreateCompatibleDC
    0043E014 77F42EC7 GDI32.DeleteObject
    0043E018 77F44B1E GDI32.DeleteDC
    0043E01C 77F4AB12 GDI32.Rectangle
    0043E020 77F4393C GDI32.TextOutA
    0043E024 77F4202E GDI32.SetTextColor
    0043E028 77F43EE0 GDI32.GetWindowExtEx
    0043E02C 77F46ABB GDI32.GetWindowOrgEx
    0043E030 77F4507E GDI32.CreatePen
    0043E034 77F47FDF GDI32.CreateSolidBrush
    0043E038 77F42CC0 GDI32.BitBlt
    0043E03C 77F4DC9C GDI32.StretchBlt
    0043E040 77F4DECD GDI32.CreateDIBSection
    0043E044 77F4E311 GDI32.EnumFontFamiliesA
    0043E048 77F4CE09 GDI32.CreateFontA
    0043E04C 77F42141 GDI32.SetBkColor
    0043E050 00000000
    0043E054 7C5B5823 KERNEL32.LCMapStringW
    0043E058 7C578745 KERNEL32.SetStdHandle
    0043E05C 7C586502 KERNEL32.SetEndOfFile
    0043E060 7C596E6C KERNEL32.GetEnvironmentStringsW
    0043E064 7C59177F KERNEL32.SetHandleCount
    0043E068 7C578797 KERNEL32.GetStdHandle
    0043E06C 7C5860D5 KERNEL32.GetFileType
    0043E070 77FACCB2 ntdll.RtlUnwind
    0043E074 7C586981 KERNEL32.FlushFileBuffers
    0043E078 7C592D55 KERNEL32.GetDriveTypeA
    0043E07C 7C59417E KERNEL32.GetLogicalDriveStringsA
    0043E080 77FCB6CA ntdll.RtlFreeHeap
    0043E084 7C58F7C1 KERNEL32.GetProcessHeap
    0043E088 7C57F79D KERNEL32.OutputDebugStringA
    0043E08C 7C58C1F7 KERNEL32.CreateFileA
    0043E090 7C577E6D KERNEL32.CloseHandle
    0043E094 7C5B8132 KERNEL32.GetOEMCP
    0043E098 7C5B811A KERNEL32.GetACP
    0043E09C 7C5B8138 KERNEL32.GetCPInfo
    0043E0A0 7C586BDE KERNEL32.GetFileSize
    0043E0A4 7C58639C KERNEL32.WriteFile
    0043E0A8 7C58658E KERNEL32.SetFilePointer
    0043E0AC 7C5875DF KERNEL32.DeleteFileA
    0043E0B0 7C58F317 KERNEL32.lstrlenA
    0043E0B4 7C58F29D KERNEL32.lstrcatA

---------------------------------------------------

This is one of the ways of CALLing an API:

    01822D00 55 push ebp
    01822D01 8BEC mov ebp,esp
    01822D03 83EC 18 sub esp,18
    01822D06 53 push ebx
    01822D07 56 push esi
    01822D08 57 push edi
    01822D09 53 push ebx
    01822D0A 51 push ecx
    01822D0B 52 push edx
    01822D0C 56 push esi
    01822D0D 57 push edi
    01822D0E 50 push eax
    01822D0F 8B45 04 mov eax,dword ptr ss:[ebp+4] ; get the CALL's return address
    01822D12 8945 E8 mov dword ptr ss:[ebp-18],eax ; [12F620]
    01822D15 68 78563412 push 12345678
    01822D1A 8BCD mov ecx,ebp
    01822D1C 2BCC sub ecx,esp
    01822D1E 8BFC mov edi,esp
    01822D20 8BF4 mov esi,esp
    01822D22 83C6 04 add esi,4
    01822D25 C1E9 02 shr ecx,2
    01822D28 8B06 mov eax,dword ptr ds:[esi] ; /
    01822D2A 8907 mov dword ptr ds:[edi],eax ; |
    01822D2C 83C7 04 add edi,4 ; |
    01822D2F 83C6 04 add esi,4 ; |
    01822D32 49 dec ecx ; |
    01822D33 ^ 75 F3 jnz short OMOKIMI_.01822D28 ; \ this loop moves the stack contents up by one DWORD, so that after the final RETN into the API the stack holds the parameters the original program PUSHed
    01822D35 83ED 04 sub ebp,4
    01822D38 A1 78729401 mov eax,dword ptr ds:[1947278]
    01822D3D 83C0 03 add eax,3
    01822D40 8945 F4 mov dword ptr ss:[ebp-C],eax
    01822D43 8B4D E8 mov ecx,dword ptr ss:[ebp-18]
    01822D46 83E9 04 sub ecx,4
    01822D49 C1E9 10 shr ecx,10
    01822D4C 81E1 FFFF0000 and ecx,0FFFF
    01822D52 8B55 E8 mov edx,dword ptr ss:[ebp-18]
    01822D55 83EA 04 sub edx,4
    01822D58 81E2 FFFF0000 and edx,0FFFF
    01822D5E 81E2 FFFF0000 and edx,0FFFF
    01822D64 33CA xor ecx,edx
    01822D66 C1E1 03 shl ecx,3
    01822D69 8B45 E8 mov eax,dword ptr ss:[ebp-18]
    01822D6C 83E8 04 sub eax,4
    01822D6F C1E8 05 shr eax,5
    01822D72 33D2 xor edx,edx
    01822D74 BE 08000000 mov esi,8
    01822D79 F7F6 div esi
    01822D7B 8B45 F4 mov eax,dword ptr ss:[ebp-C]
    01822D7E 0FBE1410 movsx edx,byte ptr ds:[eax+edx]
    01822D82 33CA xor ecx,edx
    01822D84 8B45 E8 mov eax,dword ptr ss:[ebp-18]
    01822D87 83E8 04 sub eax,4
    01822D8A 33D2 xor edx,edx
    01822D8C BE 08000000 mov esi,8
    01822D91 F7F6 div esi
    01822D93 8B45 F4 mov eax,dword ptr ss:[ebp-C]
    01822D96 0FBE1410 movsx edx,byte ptr ds:[eax+edx]
    01822D9A C1E2 07 shl edx,7
    01822D9D 33CA xor ecx,edx
    01822D9F 894D FC mov dword ptr ss:[ebp-4],ecx
    01822DA2 6A 03 push 3
    01822DA4 8D45 F8 lea eax,dword ptr ss:[ebp-8]
    01822DA7 50 push eax
    01822DA8 8B4D FC mov ecx,dword ptr ss:[ebp-4]
    01822DAB 51 push ecx
    01822DAC 68 981A8A01 push OMOKIMI_.018A1A98
    01822DB1 E8 FAFDFFFF call OMOKIMI_.01822BB0 ; can't work out the algorithm inside :(
    01822DB6 83C4 10 add esp,10
    01822DB9 8945 F0 mov dword ptr ss:[ebp-10],eax
    01822DBC 8B55 F0 mov edx,dword ptr ss:[ebp-10]
    01822DBF 8B04D5 9C1A8A01 mov eax,dword ptr ds:[edx*8+18A1A9C] ; the important part: the IAT address (encrypted)
    01822DC6 83F0 30 xor eax,30 ; decrypt the IAT address
    01822DC9 3345 FC xor eax,dword ptr ss:[ebp-4] ; decrypt the IAT address
    01822DCC 8945 EC mov dword ptr ss:[ebp-14],eax ; IAT address (decrypted)
    01822DCF 8B75 EC mov esi,dword ptr ss:[ebp-14]
    01822DD2 8B06 mov eax,dword ptr ds:[esi] ; fetch the corresponding API address
    01822DD4 8945 04 mov dword ptr ss:[ebp+4],eax ; / store it in front of the program's CALL
    01822DD7 58 pop eax ; | restore the registers
    01822DD8 5F pop edi ; |
    01822DD9 5E pop esi ; |
    01822DDA 5A pop edx ; |
    01822DDB 59 pop ecx ; |
    01822DDC 5B pop ebx ; |
    01822DDD 5F pop edi ; |
    01822DDE 5E pop esi ; |
    01822DDF 5B pop ebx ; |
    01822DE0 8BE5 mov esp,ebp ; |
    01822DE2 5D pop ebp ; |
    01822DE3 C3 retn ; \ retn to the corresponding API
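An added example, not code from the original post and not SecuROM's own: a Python stack model of the stub at 01822D00 listed above, tracing why the DWORD-shifting loop followed by `mov [ebp+4],eax` lets the closing `retn` enter the real API with the caller's return address and arguments exactly as the caller pushed them, and with every register restored. The stack top, register values and API address are constructed placeholders; the return-address hashing and IAT decryption (01822D38 to 01822DD2) are not modelled, only their result.

```python
WORD = 4
MASK32 = 0xFFFFFFFF

class Stack:
    """Downward-growing 32-bit stack. Unwritten slots read as 0, which covers
    the 0x18 bytes of locals the stub reserves but never initialises."""
    def __init__(self, top):
        self.mem, self.esp = {}, top
    def push(self, v):
        self.esp -= WORD
        self.mem[self.esp] = v & MASK32
    def pop(self):
        v = self.mem.get(self.esp, 0)
        self.esp += WORD
        return v
    def rd(self, a):
        return self.mem.get(a, 0)
    def wr(self, a, v):
        self.mem[a] = v & MASK32

# push ebx / esi / edi / ebx / ecx / edx / esi / edi / eax, as at 01822D06..01822D0E
PUSH_ORDER = ("ebx", "esi", "edi", "ebx", "ecx", "edx", "esi", "edi", "eax")

def run_stub(args, ret_addr, regs, api_addr):
    """Emulate 'push args; call stub' through the stub's final 'retn'.
    Returns (registers after retn, address retn jumped to,
             the dwords the callee now sees on top of the stack)."""
    r = dict(regs)
    st = Stack(0x0012F700)                      # constructed stack top
    for a in reversed(args):                    # caller pushes right-to-left
        st.push(a)
    st.push(ret_addr)                           # call OMOKIMI_.01822D00
    st.push(r["ebp"]); ebp = st.esp             # push ebp / mov ebp,esp
    st.esp -= 0x18                              # sub esp,18
    for name in PUSH_ORDER:
        st.push(r[name])
    st.wr(ebp - 0x18, st.rd(ebp + 4))           # [ebp-18] = the CALL's return address
    st.push(0x12345678)                         # slot the copy loop overwrites
    count = (ebp - st.esp) >> 2                 # ecx = (ebp-esp)/4 = 16 dwords
    edi, esi = st.esp, st.esp + WORD
    for _ in range(count):                      # move everything below ebp down one dword
        st.wr(edi, st.rd(esi)); edi += WORD; esi += WORD
    ebp -= 4                                    # sub ebp,4: frame follows the moved data
    # 01822D38..01822DD2 (hash, IAT lookup, decryption) omitted: eax = real API address
    st.wr(ebp + 4, api_addr)                    # mov [ebp+4],eax (old saved-ebp slot)
    for name in reversed(PUSH_ORDER):           # pop eax ... pop ebx
        r[name] = st.pop()
    st.esp = ebp                                # mov esp,ebp
    r["ebp"] = st.pop()                         # pop ebp (the copied saved ebp)
    eip = st.pop()                              # retn -> pops the API address
    seen = [st.rd(st.esp + WORD * i) for i in range(1 + len(args))]
    return r, eip, seen

if __name__ == "__main__":
    demo = {"eax": 0x11, "ebx": 0x22, "ecx": 0x33, "edx": 0x44,
            "esi": 0x55, "edi": 0x66, "ebp": 0x0012F7F0}
    print(run_stub([1, 2, 3], 0x0043A950, demo, 0x7C5B0000))
```

After `retn` the API sees the caller's return address at [esp] and the arguments above it, so its own `retn N` goes straight back to the program and no trace of the stub remains on the stack.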
[Share] Finally unpacked SecuROM 4.X-5.X
Just took another look at the IAT: after setting a breakpoint on timeGetTime, two breaks later you can see this:

    017C71A4 0000 add byte ptr ds:[eax],al
    017C71A6 0000 add byte ptr ds:[eax],al
    017C71A8 0091 AF063962 add byte ptr ds:[ecx+623906AF],dl
    017C71AE 833D 2CAD9501 10 cmp dword ptr ds:[195AD2C],10 ; the time must not be less than 0x10 ms
    017C71B5 0F83 84000000 jnb OMOKIMI_.017C723F ; must not jump
    017C71BB 8B55 C0 mov edx,dword ptr ss:[ebp-40]
    017C71BE 81E2 FFFF0000 and edx,0FFFF ; and must not exceed 0xFFFF ms
    017C71C4 85D2 test edx,edx
    017C71C6 7E 77 jle short OMOKIMI_.017C723F ; must not jump either
    017C71C8 66:8B45 C0 mov ax,word ptr ss:[ebp-40]
    017C71CC 66:2D 0100 sub ax,1
    017C72AD 33D2 xor edx,edx
    017C72AF 66:8B91 2C4C8801 mov dx,word ptr ds:[ecx+1884C2C]
    017C72B6 81E2 00200000 and edx,2000
    017C72BC 85D2 test edx,edx
    017C72BE 0F84 16020000 je OMOKIMI_.017C74DA ; must jump
    017C72C4 8D45 E0 lea eax,dword ptr ss:[ebp-20]
    017C72C7 50 push eax
    017C72C8 8D4D FC lea ecx,dword ptr ss:[ebp-4]
    017C72CB 51 push ecx
    017C72CC 8D55 EC lea edx,dword ptr ss:[ebp-14]
    017C72CF 52 push edx
    017C74DA 5A pop edx
    017C74DB 59 pop ecx
    017C74DC 8B45 CC mov eax,dword ptr ss:[ebp-34]
    017C74DF 8BF0 mov esi,eax
    017C74E1 8B06 mov eax,dword ptr ds:[esi]
    017C74E3 5F pop edi
    017C74E4 5E pop esi
    017C74E5 5B pop ebx
    017C74E6 8BE5 mov esp,ebp
    017C74E8 5D pop ebp
    017C74E9 - FFE0 jmp eax ; KERNEL32.HeapCreate
    017C74EB E9 1D000000 jmp OMOKIMI_.017C750D

And that brings you to the IAT CALL.
[Share] Finally unpacked SecuROM 4.X-5.X
I'd suggest writing a tutorial. I also worked on it a few months ago. The OEP is easy, but those mutated IAT entries are.... too BT, so I gave up in the end. I also wanted to write an IR DLL to fetch the IAT, but without the SDK I never got it written. The MessageBox that appears while the game is running is inside a CALL, and that CALL sits inside a loop, which means the game keeps reading the CD drive the whole time it runs.. SONY wants our drives to die sooner.

BTW: rebuilding the dumped PE file with LordPE makes it a lot smaller. I'd suggest NOPing out that CALL as well. 想君 isn't much fun; それから is decent, but still can't compare to MO1.

BTW2: it's best to change this:

    01820185 2B05 20739401 sub eax,dword ptr ds:[1947320]
    0182018B 3D 60EA0000 cmp eax,0EA60
    01820190 0F86 08010000 jbe OMOKIMI.0182029E
    01820196 833D B0BE8A01 0>cmp dword ptr ds:[18ABEB0],0
    0182019D 74 0F je short OMOKIMI.018201AE
    0182019F 68 C0758D01 push OMOKIMI.018D75C0 ; ASCII "70011C5AEBA713BD58EEB4EF9BA10FB238C354C0C3FD2BE9FD8FE5FE5967C596BCC5"

to:

    01820185 2B05 20739401 sub eax,dword ptr ds:[1947320]
    0182018B 3D 60EA0000 cmp eax,0EA60
    01820190 E9 09010000 jmp OMOKIMI_.0182029E
    01820195 90 nop
    01820196 833D B0BE8A01 0>cmp dword ptr ds:[18ABEB0],0
    0182019D 74 0F je short OMOKIMI_.018201AE
    0182019F 68 C0758D01 push OMOKIMI_.018D75C0 ; ASCII "70011C5AEBA713BD58EEB4EF9BA10FB238C354C0C3FD2BE9FD8FE5FE5967C596BCC5"

SecuROM reads the system time and compares it; too fast won't do, and too slow won't do either. Just JMP straight over it. One more reminder: when repairing the IAT it's best to set a breakpoint on timeGetTime.
NsPack V3.3+V3.4+V3.5+V3.6 CracKed
ASProtect 2.1x SKE -> Alexey Solodovnikov [Overlay]. Someone's plans must have been thrown off. BT * BT