HideOD 0.13 (hide-OD plugin)
Originally posted by china
I wanted to write a program that simulates this Anti-Crackme, but the structures never quite line up, so I'll set the problem aside for now.

Entry code of ZwQueryObject on XP SP2:

7C92E0D8 ntdll.ZwQueryObject B8 A3000000 mov eax, 0A3
7C92E0DD                     BA 0003FE7F mov edx, 7FFE0300
7C92E0E2                     FF12        call [edx]
7C92E0E4                     C2 1400     retn 14

Although changing the ZwQueryObject entry to the following form evades this Anti-Crackme, compatibility seems poor: if some other code calls this function for its own computation, there will be trouble.

mov eax,0
ret 14

NTSTATUS ZwQueryObject(
    IN HANDLE ObjectHandle,
    IN OBJECT_INFORMATION_CLASS ObjectInformationClass,
    OUT PVOID ObjectInformation,
    IN ULONG ObjectInformationLength,
    OUT PULONG ReturnLength OPTIONAL
);

#define ObjectAllTypesInformation 3

typedef struct _OBJECT_TYPE_INFORMATION {
    UNICODE_STRING Name;
    ULONG ObjectCount;
    ULONG HandleCount;
    ULONG Reserved1[4];
    ULONG PeakObjectCount;
    ULONG PeakHandleCount;
    ULONG Reserved2[4];
    ULONG InvalidAttributes;
    GENERIC_MAPPING GenericMapping;
    ULONG ValidAccess;
    UCHAR Unknown;
    BOOLEAN MaintainHandleDatabase;
    POOL_TYPE PoolType;
    ULONG PagedPoolUsage;
    ULONG NonPagedPoolUsage;
} OBJECT_TYPE_INFORMATION, *POBJECT_TYPE_INFORMATION;

typedef struct _OBJECT_ALL_TYPES_INFORMATION {
    ULONG NumberOfTypes;
    OBJECT_TYPE_INFORMATION TypeInformation;
} OBJECT_ALL_TYPES_INFORMATION, *POBJECT_ALL_TYPES_INFORMATION;

00407F19 . 68 A4A74000   push 0040A7A4      ; /pReqsize = zan.0040A7A4
00407F1E . A1 A4A74000   mov eax, [40A7A4]  ; |
00407F23 . 50            push eax           ; |Bufsize => E00 (3584.)
00407F24 . A1 ACA74000   mov eax, [40A7AC]  ; |
00407F29 . 50            push eax           ; |Buffer => 003D0000
00407F2A . 6A 03         push 3             ; |InfoClass = ObjectAllTypesInfo
00407F2C . 6A 00         push 0             ; |hObject = NULL
00407F2E . FF15 94924000 call [409294]      ; \ZwQueryObject

00407F9B . 8378 08 00    cmp dword ptr [eax+8], 0
00407F9F . 77 0B         ja short 00407FAC
00407FA1 . A1 B0A74000   mov eax, [40A7B0]
00407FA6 . 8378 0C 00    cmp dword ptr [eax+C], 0
00407FAA . 76 66         jbe short 00408012

The program searches the Buffer for the string "D.e.b.u.g.O.b.j.e.c.t"; once it is found, it checks the flag at Buffer+0x31C (shown in red), which is 1 if OD is present and 0 if it is not.

003D030C 4A 00 6F 00 62 00 00 00 16 00 18 00 74 03 3D 00 J.o.b.....t=.
003D031C 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ..............
003D032C 00 00 00 00 00 00 00 00 02 00 00 00 02 00 00 00 ..............
003D033C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
003D034C 00 00 00 00 01 00 02 00 02 00 02 00 00 00 12 00 ...........
003D035C 0F 00 1F 00 0F 00 1F 00 01 00 00 00 00 00 00 00 ...........
003D036C 00 00 00 00 30 00 00 00 44 00 65 00 62 00 75 00 ....0...D.e.b.u.
003D037C 67 00 4F 00 62 00 6A 00 65 00 63 00 74 00 00 00 g.O.b.j.e.c.t...
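Added example (not HideOD's or the Anti-Crackme's code): a Python walker over an OBJECT_ALL_TYPES_INFORMATION buffer using the 32-bit XP layout listed in the post (0x60-byte fixed part, name characters right after it, entries rounded to 4 bytes), with a constructed sample buffer standing in for the dump. It shows the two counters the listing compares at [eax+8] and [eax+C], and how a hook could zero just those for the DebugObject entry instead of stubbing the whole of ZwQueryObject, which is the compatibility worry raised above.

```python
import struct

# OBJECT_TYPE_INFORMATION on 32-bit XP as listed above: 0x60 bytes of fixed
# fields, UNICODE_STRING Name at +0, ObjectCount at +8, HandleCount at +0xC.
# In the dump Name.Buffer == entry + 0x60, and the next entry follows the
# name after MaximumLength bytes, rounded up to a 4-byte boundary.
OTI_SIZE = 0x60

def parse_all_types(buf):
    """Yield (name, ObjectCount, HandleCount, entry_offset) for every type entry."""
    (count,) = struct.unpack_from("<I", buf, 0)   # NumberOfTypes
    off = 4
    for _ in range(count):
        length, maxlen = struct.unpack_from("<HH", buf, off)
        obj_count, handle_count = struct.unpack_from("<II", buf, off + 8)
        name = buf[off + OTI_SIZE: off + OTI_SIZE + length].decode("utf-16-le")
        yield name, obj_count, handle_count, off
        off += OTI_SIZE + ((maxlen + 3) & ~3)

def debug_object_counts(buf):
    """The pair the Anti-Crackme reads: (ObjectCount, HandleCount) of DebugObject."""
    for name, oc, hc, _ in parse_all_types(buf):
        if name == "DebugObject":
            return oc, hc
    return None

def debugger_indicated(buf):
    """Same decision as the listing: ObjectCount > 0 (ja) or HandleCount > 0 (jbe not taken)."""
    counts = debug_object_counts(buf)
    return counts is not None and (counts[0] > 0 or counts[1] > 0)

def scrub_debug_object(buf):
    """Targeted alternative to 'mov eax,0 / ret 14': zero only DebugObject's two
    counters, leaving all other types and the buffer layout intact for other callers."""
    out = bytearray(buf)
    for name, _, _, off in parse_all_types(buf):
        if name == "DebugObject":
            struct.pack_into("<II", out, off + 8, 0, 0)
    return bytes(out)

def _entry(name, obj_count, handle_count):
    """Constructed test data: one entry laid out like the dump (Buffer pointer left 0)."""
    raw = name.encode("utf-16-le") + b"\x00\x00"   # Length = chars*2, MaximumLength = +2
    hdr = bytearray(OTI_SIZE)
    struct.pack_into("<HHI", hdr, 0, len(raw) - 2, len(raw), 0)
    struct.pack_into("<II", hdr, 8, obj_count, handle_count)
    return bytes(hdr) + raw + b"\x00" * ((-len(raw)) & 3)

# Constructed sample: "Job" followed by "DebugObject" with counts 1/1, as in the dump.
SAMPLE = struct.pack("<I", 2) + _entry("Job", 2, 2) + _entry("DebugObject", 1, 1)
```

debugger_indicated(SAMPLE) is True, and becomes False on scrub_debug_object(SAMPLE) while the Job entry and the buffer length are unchanged.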
HideOD 0.13 (hide-OD plugin)
Originally posted by liuyilin
I have no problem here, also on XP SP2. Possibly there are too many plugins in the PLUGIN directory; deleting one should do it. (Here, if I don't delete one an exception appears; deleting any one at random makes it work normally.)
HideOD 0.13 (hide-OD plugin)
Originally posted by liuyilin
After clicking OK, the following is added to ollydbg.ini:

[Plugin HideOD]
HideNtDebugBit=1
UnhandledExceptionFilter=1
ZwSetInformationThread=1
OutDebugStringA=1
CheckRemoteDebuggerPresent=1
SetDebugPrivilege=1
Process32Next=1
AutoRun=0
ZwQueryInformationProcess=1
[Original] RORDbg V0.25 (download the attachment of this post)
Originally posted by Kernel64
Kernel64 and Liutaotao are neighbours, right? Heh, Suzhou has a lot of talented people. I hope you keep improving this tool, so that it can change the history of unpacking the way ImportREC and OllyDbg did.
A problem in Encryption and Decryption, 2nd edition
Post that piece of your code so we can take a look.