Manually unpacking a DLL packed with 幻影 V2.33 using OllyDbg
Originally posted by fly: I was thrown at first by D.Boy's weird code, then hying, without even tracing it, saw straight away that it was reloc... I @%#%@#$%@$%
New packer test (Notepad packed)
VCASM_IAT_DECRYPTOR:
        mov     ebx, 7              ; seven decryption rounds over the whole IAT
        cld
ok:
        mov     esi, IAT_VA
        mov     ecx, IAT_Size
        shr     ecx, 2              ; dword count
        mov     edi, esi            ; rewrite the table in place
pal:
        lodsd
        test    eax, eax
        jz      skip                ; empty slot stays empty
        add     eax, 4
        mov     edx, [eax]          ; [p+4]
        add     eax, 0Ah
        xor     edx, [eax]          ; ^ [p+0Eh]
        add     eax, 0Ah
        add     edx, [eax]          ; + [p+18h] -> next stub
        mov     eax, edx
skip:
        stosd
        loop    pal
        dec     ebx
        jnz     ok
        mov     esi, IAT_VA         ; reload the table pointers for the final pass
        mov     ecx, IAT_Size
        shr     ecx, 2
        mov     edi, esi
pal2:
        lodsd
        test    eax, eax
        jz      skipp
        inc     eax
        inc     eax
        mov     eax, [eax]          ; real address lives at [p+2]
skipp:
        stosd
        loop    pal2
:D
Manually fixed a few pseudo-SDK functions; the IAT is as follows:

; Syntax for each function in a thunk (the separator is a TAB)
; ------------------------------------------------------------
; Flag    RVA    ModuleName    Ordinal    Name
;
; Details for <Valid> parameter:
; ------------------------------
;  Flag: 0 = valid: no ->  - Name contains the address of the redirected API (you can set
;                            it to zero if you edit it).
;                          - Ordinal is not considered but you should let '0000' as value.
;                          - ModuleName is not considered but you should let '?' as value.
;
;        1 = valid: yes -> All next parameters on the line will be considered.
;                          Function imported by ordinal must have no name (the 4th TAB must
;                          be there though).
;
;        2 = Equivalent to 0 but it is for the loader.
;
;        3 = Equivalent to 1 but it is for the loader.
;
;        4 = Equivalent to 0 with (R) tag.
;
;        5 = Equivalent to 1 with (R) tag.
;
; And finally, edit this file as your own risk! :-)

Target: E:\Documents and Settings\Star\桌面\样本测试.exe
OEP: 000010CC    IATRVA: 000062F8    IATSize: 00000230

FThunk: 000062FC    NbFunc: 00000017
1    000062FC    gdi32.dll    0196    GetObjectA
1    00006300    gdi32.dll    016C    GetDeviceCaps
1    00006304    gdi32.dll    003B    CreateFontIndirectA
1    00006308    gdi32.dll    020F    SelectObject
1    0000630C    gdi32.dll    0001    AbortDoc
1    00006310    gdi32.dll    0097    EndDoc
1    00006314    gdi32.dll    008D    DeleteDC
1    00006318    gdi32.dll    0249    StartPage
1    0000631C    gdi32.dll    0246    StartDocA
1    00006320    gdi32.dll    0099    EndPage
1    00006324    gdi32.dll    01B7    GetTextExtentPointA
1    00006328    gdi32.dll    003A    CreateFontA
1    0000632C    gdi32.dll    0211    SetAbortProc
1    00006330    gdi32.dll    0217    SetBkMode
1    00006334    gdi32.dll    022C    SetMapMode
1    00006338    gdi32.dll    01BD    GetTextMetricsA
1    0000633C    gdi32.dll    0243    SetWindowExtEx
1    00006340    gdi32.dll    023F    SetViewportExtEx
1    00006344    gdi32.dll    01CC    LPtoDP
1    00006348    gdi32.dll    002F    CreateDCA
1    0000634C    gdi32.dll    01AE    GetTextCharset
1    00006350    gdi32.dll    0090    DeleteObject
1    00006354    gdi32.dll    01A6    GetStockObject

FThunk: 0000635C    NbFunc: 00000026
1    0000635C    kernel32.dll    0396    _hwrite
1    00006360    kernel32.dll    007D    DeleteFileA
1    00006364    kernel32.dll    0397    _lclose
1    00006368    kernel32.dll    039A    _lopen
1    0000636C    kernel32.dll    024B    LocalUnlock
1    00006370    kernel32.dll    0398    _lcreat
1    00006374    kernel32.dll    0399    _llseek
1    00006378    kernel32.dll    0248    LocalReAlloc
1    0000637C    kernel32.dll    0241    LocalAlloc
1    00006380    kernel32.dll    0247    LocalLock
1    00006384    kernel32.dll    01E4    GlobalAlloc
1    00006388    kernel32.dll    0164    GetLocalTime
1    0000638C    kernel32.dll    01CC    GetTimeFormatA
1    00006390    kernel32.dll    0139    GetDateFormatA
1    00006394    kernel32.dll    03A3    lstrcmpi
1    00006398    kernel32.dll    01A6    GetStartupInfoA
1    0000639C    kernel32.dll    016F    GetModuleHandleA
1    000063A0    kernel32.dll    00B0    ExitProcess
1    000063A4    kernel32.dll    03AC    lstrlen
1    000063A8    kernel32.dll    03A9    lstrcpyn
1    000063AC    kernel32.dll    02BD    RtlMoveMemory
1    000063B0    kernel32.dll    03A0    lstrcmp
1    000063B4    kernel32.dll    0222    IsDBCSLeadByte
1    000063B8    kernel32.dll    01A1    GetProfileStringA
1    000063BC    kernel32.dll    039D    lstrcat
1    000063C0    kernel32.dll    00CA    FindFirstFileA
1    000063C4    kernel32.dll    00C6    FindClose
1    000063C8    kernel32.dll    025D    MulDiv
1    000063CC    kernel32.dll    0162    GetLastError
1    000063D0    kernel32.dll    004E    CreateFileA
1    000063D4    kernel32.dll    01EB    GlobalFree
1    000063D8    kernel32.dll    03A6    lstrcpy
1    000063DC    kernel32.dll    0165    GetLocaleInfoA
1    000063E0    kernel32.dll    0245    LocalFree
1    000063E4    kernel32.dll    0103    GetCommandLineA
1    000063E8    kernel32.dll    01F6    GlobalUnlock
1    000063EC    kernel32.dll    0395    _hread
1    000063F0    kernel32.dll    01EF    GlobalLock

FThunk: 000063F8    NbFunc: 00000006
1    000063F8    shell32.dll    008B    DragFinish
1    000063FC    shell32.dll    0162    ShellAboutA
1    00006400    shell32.dll    0167    ShellExecuteA
1    00006404    shell32.dll    008A    DragAcceptFiles
1    00006408    shell32.dll    013D    SHGetSpecialFolderPathA
1    0000640C    shell32.dll    008C    DragQueryFile

FThunk: 00006414    NbFunc: 0000003C
1    00006414    user32.dll    02D9    wsprintfA
1    00006418    user32.dll    0043    CloseClipboard
1    0000641C    user32.dll    01A0    IsClipboardFormatAvailable
1    00006420    user32.dll    01F4    OpenClipboard
1    00006424    user32.dll    012D    GetMenu
1    00006428    user32.dll    01C9    LoadStringA
1    0000642C    user32.dll    01B4    LoadAcceleratorsA
1    00006430    user32.dll    015D    GetSystemMenu
1    00006434    user32.dll    021B    RegisterClipboardFormatA
1    00006438    user32.dll    0281    SetWindowLongA
1    0000643C    user32.dll    0061    CreateWindowExA
1    00006440    user32.dll    01B8    LoadCursorA
1    00006444    user32.dll    0218    RegisterClassExA
1    00006448    user32.dll    015E    GetSystemMetrics
1    0000644C    user32.dll    02BC    UpdateWindow
1    00006450    user32.dll    002E    CharPrevA
1    00006454    user32.dll    0100    GetClientRect
1    00006458    user32.dll    01FE    PeekMessageA
1    0000645C    user32.dll    0254    SetDlgItemTextA
1    00006460    user32.dll    029C    TabbedTextOutA
1    00006464    user32.dll    0056    CreateDialogParamA
1    00006468    user32.dll    00C5    EnableWindow
1    0000646C    user32.dll    0178    GetWindowTextA
1    00006470    user32.dll    0237    SendDlgItemMessageA
1    00006474    user32.dll    0111    GetDlgCtrlID
1    00006478    user32.dll    003D    ChildWindowFromPoint
1    0000647C    user32.dll    0232    ScreenToClient
1    00006480    user32.dll    010C    GetCursorPos
1    00006484    user32.dll    0114    GetDlgItemTextA
1    00006488    user32.dll    015A    GetSubMenu
1    0000648C    user32.dll    003A    CheckMenuItem
1    00006490    user32.dll    0287    SetWindowTextA
1    00006494    user32.dll    01A1    IsDialogMessage
1    00006498    user32.dll    02AB    TranslateMessage
1    0000649C    user32.dll    00A2    DispatchMessageA
1    000064A0    user32.dll    013B    GetMessageA
1    000064A4    user32.dll    009A    DestroyWindow
1    000064A8    user32.dll    01DC    MessageBeep
1    000064AC    user32.dll    01DD    MessageBoxA
1    000064B0    user32.dll    008F    DefWindowProcA
1    000064B4    user32.dll    00C3    EnableMenuItem
1    000064B8    user32.dll    0129    GetLastActivePopup
1    000064BC    user32.dll    0293    ShowWindow
1    000064C0    user32.dll    00C7    EndDialog
1    000064C4    user32.dll    0258    SetForegroundWindow
1    000064C8    user32.dll    02D3    WinHelpA
1    000064CC    user32.dll    01BC    LoadIconA
1    000064D0    user32.dll    010D    GetDC
1    000064D4    user32.dll    022B    ReleaseDC
1    000064D8    user32.dll    024E    SetCursor
1    000064DC    user32.dll    023C    SendMessageA
1    000064E0    user32.dll    0117    GetFocus
1    000064E4    user32.dll    0200    PostMessageA
1    000064E8    user32.dll    0257    SetFocus
1    000064EC    user32.dll    0194    InvalidateRect
1    000064F0    user32.dll    01EA    MoveWindow
1    000064F4    user32.dll    002B    CharNextA
1    000064F8    user32.dll    01A7    IsIconic
1    000064FC    user32.dll    0202    PostQuitMessage
1    00006500    user32.dll    02A7    TranslateAccelerator

FThunk: 00006508    NbFunc: 00000007
1    00006508    comdlg32.dll    006E    GetOpenFileNameA
1    0000650C    comdlg32.dll    0067    ChooseFontA
1    00006510    comdlg32.dll    006A    FindTextA
1    00006514    comdlg32.dll    0073    PageSetupDlgA
1    00006518    comdlg32.dll    0070    GetSaveFileNameA
1    0000651C    comdlg32.dll    0069    CommDlgExtendedError
1    00006520    comdlg32.dll    006C    GetFileTitleA
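The VCASM_IAT_DECRYPTOR loop above resolves each non-zero IAT slot by walking a chain of redirect stubs: the next stub address is ([p+4] xor [p+0Eh]) + [p+18h], repeated seven times, and the final pass reads the real API address from [p+2]. The following is an added example, not code from the post or from any tool: the same walk in C over a constructed, self-contained memory image, with a bounds check on every dereference that the raw asm does not perform (a corrupt slot in the asm version simply faults the debuggee). The image base, the stub layout, the XOR/ADD constants and the two fake export addresses are all constructed for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the post. Every address below is constructed. */
#define IMG_BASE   0x00400000u          /* VA that img[0] stands for */
#define IMG_LEN    0x400u
#define IAT_VA     (IMG_BASE + 0x000u)  /* three slots: chain0, 0, chain1 */
#define IAT_SIZE   12u
#define CHAIN0_VA  (IMG_BASE + 0x100u)
#define CHAIN1_VA  (IMG_BASE + 0x200u)
#define ROUNDS     7                    /* mov ebx, 7 in the script */
#define FAKE_API0  0xAAAA0001u          /* stand-ins for real export addresses */
#define FAKE_API1  0xBBBB0002u

/* Bounds-checked little-endian dword read: 0 if va lies outside the image. */
static int read32(const uint8_t *img, size_t len, uint32_t va, uint32_t *out)
{
    uint32_t off = va - IMG_BASE;
    if (va < IMG_BASE || off > len - 4) return 0;
    *out = (uint32_t)img[off] | (uint32_t)img[off + 1] << 8 |
           (uint32_t)img[off + 2] << 16 | (uint32_t)img[off + 3] << 24;
    return 1;
}

static void write32(uint8_t *img, uint32_t va, uint32_t v)
{
    uint32_t off = va - IMG_BASE;
    img[off] = (uint8_t)v;          img[off + 1] = (uint8_t)(v >> 8);
    img[off + 2] = (uint8_t)(v >> 16); img[off + 3] = (uint8_t)(v >> 24);
}

/* One slot: ROUNDS hops of p = ([p+4] ^ [p+0Eh]) + [p+18h], then api = [p+2]. */
static int resolve_slot(const uint8_t *img, size_t len, uint32_t p, int rounds, uint32_t *api)
{
    for (int i = 0; i < rounds; i++) {
        uint32_t a, b, c;
        if (!read32(img, len, p + 0x04, &a) || !read32(img, len, p + 0x0E, &b) ||
            !read32(img, len, p + 0x18, &c))
            return 0;                   /* hop left the image: refuse to continue */
        p = (a ^ b) + c;                /* wraps mod 2^32 like the 32-bit add */
    }
    return read32(img, len, p + 2, api);
}

/* Rewrites the IAT in place like the stosd loop. Returns the number of
 * non-zero slots resolved, or -1 at the first pointer outside the image. */
int resolve_iat(uint8_t *img, size_t len, uint32_t iat_va, uint32_t iat_size, int rounds)
{
    int resolved = 0;
    for (uint32_t off = 0; off + 4 <= iat_size; off += 4) {
        uint32_t slot, api;
        if (!read32(img, len, iat_va + off, &slot)) return -1;
        if (slot == 0) continue;        /* jz skip: empty slot stays empty */
        if (!resolve_slot(img, len, slot, rounds, &api)) return -1;
        write32(img, iat_va + off, api);
        resolved++;
    }
    return resolved;
}

/* Build one chain: each stub stores b, c and a = (next - c) ^ b, so that
 * (a ^ b) + c lands on the next stub; the last stub holds api at +2. */
static void build_chain(uint8_t *img, uint32_t start, int rounds, uint32_t api)
{
    uint32_t p = start;
    for (int i = 0; i < rounds; i++) {
        uint32_t next = p + 0x20, b = 0x5A5A5A5Au, c = 0x11111111u;
        write32(img, p + 0x04, (next - c) ^ b);
        write32(img, p + 0x0E, b);
        write32(img, p + 0x18, c);
        p = next;
    }
    write32(img, p + 2, api);
}

/* Constructs the image, runs the walk, copies the rewritten IAT into out[3]. */
int demo_resolve(uint32_t out[3])
{
    uint8_t img[IMG_LEN];
    memset(img, 0, sizeof img);
    build_chain(img, CHAIN0_VA, ROUNDS, FAKE_API0);
    build_chain(img, CHAIN1_VA, ROUNDS, FAKE_API1);
    write32(img, IAT_VA + 0, CHAIN0_VA);
    write32(img, IAT_VA + 4, 0);
    write32(img, IAT_VA + 8, CHAIN1_VA);
    int n = resolve_iat(img, IMG_LEN, IAT_VA, IAT_SIZE, ROUNDS);
    for (int i = 0; i < 3; i++) read32(img, IMG_LEN, IAT_VA + 4 * i, &out[i]);
    return n;
}
int demo_count(void) { uint32_t o[3]; return demo_resolve(o); }
uint32_t demo_entry(int idx) { uint32_t o[3]; demo_resolve(o); return o[idx]; }

/* A slot pointing outside the image must be rejected, not dereferenced. */
int demo_bad_pointer(void)
{
    uint8_t img[IMG_LEN];
    memset(img, 0, sizeof img);
    write32(img, IAT_VA, IMG_BASE + IMG_LEN + 0x1000u);
    return resolve_iat(img, IMG_LEN, IAT_VA, 4, ROUNDS);
}

int main(void)
{
    printf("resolved %d slots: %08X %08X %08X\n", demo_count(),
           demo_entry(0), demo_entry(1), demo_entry(2));
    printf("slot outside image -> %d\n", demo_bad_pointer());
    return 0;
}
```

Running the walk with fewer rounds than the packer used (the "3 rounds and still encrypted" situation) leaves the slot pointing at an intermediate stub rather than at the API, which is why the round count has to be read out of the packer's own loop rather than guessed.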
What 老妖 got up to in ring0 :)
This is the public version, it's not packed.
New packer test (Notepad packed)
Damn, how many layers does this IAT have? I wrote a script, ran it through 3 rounds, and it's still encrypted.
New packer test (Notepad packed)
:D :D :D
What 老妖 got up to in ring0 :)
seh: :D
.text:00404089                 push    ebp
.text:0040408A                 mov     ebp, esp
.text:0040408C                 push    edi
.text:0040408D                 mov     eax, [ebp+10h]          ; CONTEXT
.text:00404090                 mov     edi, [eax+CONTEXT.Edi]
.text:00404096                 push    ds:goon[edi]
.text:0040409C                 pop     [eax+CONTEXT.Eip]
.text:004040A2                 mov     [eax+CONTEXT.Ebp], edi
.text:004040A8                 mov     [eax+CONTEXT.Eax], 4
.text:004040B2                 mov     eax, 0
.text:004040B7                 pop     edi
.text:004040B8                 leave
.text:004040B9                 retn
What 老妖 got up to in ring0 :)
OEP Jump Code:
.text:0040A92A                 push    ebp
.text:0040A92B                 mov     ebp, esp
.text:0040A92D                 push    esi
.text:0040A92E                 push    edi
.text:0040A92F                 mov     eax, 0
.text:0040A934                 jmp     eax
What 老妖 got up to in ring0 :)
meltice table:
.text:0040A6D6 a_Superbpm_0    db '\\.\SUPERBPM',0      ; DATA XREF: .text:004062B4r
.text:0040A6E3 a_Trwdebug_0    db '\\.\TRWDEBUG',0      ; DATA XREF: .text:00406503r
.text:0040A6F0 a_Trw_0         db '\\.\TRW',0           ; DATA XREF: .text:00406752r
.text:0040A6F8 a_Trw2000_0     db '\\.\TRW2000',0       ; DATA XREF: .text:004069A1r
.text:0040A704 a_Bw2k_0        db '\\.\bw2k',0          ; DATA XREF: .text:00406BF0r
.text:0040A70D a_Icedump_0     db '\\.\ICEDUMP',0       ; DATA XREF: .text:00406E3Fr
.text:0040A719 a_Regvxd_0      db '\\.\REGVXD',0        ; DATA XREF: .text:0040708Er
.text:0040A724 a_Ntice_0       db '\\.\NTICE',0         ; DATA XREF: .text:004072DDr
.text:0040A72E a_Siwvid_0      db '\\.\SIWVID',0        ; DATA XREF: .text:0040752Cr
.text:0040A739 a_Sice_0        db '\\.\SICE',0          ; DATA XREF: .text:0040777Br
.text:0040A742 a_Filevxd_0     db '\\.\FILEVXD',0       ; DATA XREF: .text:004079CAr
.text:0040A74E a_Siwdebug_0    db '\\.\SIWDEBUG',0      ; DATA XREF: .text:00407C19r
.text:0040A75B a_Nticed052_0   db '\\.\NTiceD052',0     ; DATA XREF: .text:00407E68r
.text:0040A769 a_Nticed155     db '\\.\NTiced155',0     ; DATA XREF: .text:004080B7r
.text:0040A777 a_Twx2002       db '\\.\TWX2002',0       ; DATA XREF: .text:00408306r
tELock 0.98: interesting code
Originally posted by 老王:

    |----------------------|----------------------|
Dr6 |                      | B B B      B B B B   |
    |                      | T S D      3 2 1 0   |
    |----------------------|----------------------|
Dr7 | RWE LEN ... RWE LEN  | G G L G L G L G L G L|
    |  3   3  ...  0   0   | D E E 3 3 2 2 1 1 0 0|
    |----------------------|----------------------|
    31                     15                     0

Dr0~3 are used to set hardware breakpoints, i.e. the bpm breakpoints commonly used in debuggers; since there are only 4 breakpoint registers, at most 4 bpm breakpoints can be set. Dr7 holds control bits that determine how a breakpoint triggers, and Dr6 shows which condition caused the break: if it was Dr0~3, or single-step (TF in EFLAGS), or an access to the debug registers while GD is set that raised debug trap 1, the corresponding bit is set. The corresponding bits of Dr6 and Dr7 are described in detail below:

Debug control register Dr7:
==========
Bit 0 L0 and bit 1 G0: control whether Dr0 is a global or a local breakpoint; if G0 is set it is a global breakpoint, if L0 is set it is a local breakpoint.
G1L1~G3L3 control Dr1~Dr3 in the same way.
LEN0: two bits, starting at bit 15, controlling the length of the Dr0 breakpoint; possible values:
    00  1 byte
    01  2 bytes
    10  reserved
    11  4 bytes
RWE0: two bits starting at bit 17, controlling whether the Dr0 breakpoint is a read, write, execute or I/O port breakpoint:
    00  execute only
    01  data write breakpoint
    10  I/O port breakpoint (Pentium+ only; the DE bit of CR4 must be set)
    11  data read or write breakpoint
RWE1~3 and LEN1~3 control the breakpoint type of Dr1~3 in the same way.
There is also the GD bit: it protects the DRx; if GD is 1, any access to a DRx enters debug trap 1, i.e. the corresponding IDT entry, which guarantees the debugger full control of the DRx when it needs it.

Debug status register Dr6:
=========
This register shows why trap 1 was entered; its bits mean the following:
B0~B3: if any of them is set, the trap was raised by the corresponding Dr0~3 breakpoint. Note, however, that sometimes Bi is set whenever the breakpoint specified by Drx is hit, regardless of how GiLi are configured; if several Bi are set, use the GiLi settings to decide which Dr register actually raised the trap.
BD set means the trap was raised by an access to the debug registers while GD was set.
BT set means it was caused by TS being set, i.e. the TS bit in the TSS being 1 at a task switch, raised on the first instruction after switching to the second task.
BS set means the break was raised by the single-step interrupt... i.e. the debug trap raised when TF in EFLAGS is set.
Note that I/O port breakpoints are only available on 586+ CPUs and are controlled by the DE bit of CR4; they only take effect when DE is 1 (DE is bit 3 of CR4).
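As an added example, not part of 老王's post: C helpers that build a DR7 value for one breakpoint slot and decode DR6 to find out which condition raised the trap, including the case the post warns about where several Bi bits are reported and the enabled Li/Gi bits have to decide. The bit positions in the code follow the Intel SDM layout (Ln = bit 2n, Gn = bit 2n+1, GD = bit 13, R/Wn = bits 16+4n..17+4n, LENn = bits 18+4n..19+4n; in DR6, Bn = bit n, BD = bit 13, BS = bit 14, BT = bit 15); the register values used in main are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the post. Encodings per the Intel SDM. */
enum dr7_rw  { DR7_RW_EXEC = 0, DR7_RW_WRITE = 1, DR7_RW_IO = 2, DR7_RW_RDWR = 3 };
enum dr7_len { DR7_LEN_1 = 0, DR7_LEN_2 = 1, DR7_LEN_RESERVED = 2, DR7_LEN_4 = 3 };

#define DR7_GD (1u << 13)   /* general detect: any DRx access raises #DB */
#define DR6_BD (1u << 13)   /* #DB was a debug-register access with GD set */
#define DR6_BS (1u << 14)   /* #DB was a single step (EFLAGS.TF) */
#define DR6_BT (1u << 15)   /* #DB was a task switch with the TSS T bit set */

/* Arm slot n (0..3): set Ln/Gn as requested and program condition and length. */
uint32_t dr7_arm_slot(uint32_t dr7, unsigned n, int local, int global,
                      enum dr7_rw rw, enum dr7_len len)
{
    if (n > 3) return dr7;                      /* only four address registers */
    dr7 &= ~(3u << (2 * n));                    /* clear Ln and Gn */
    dr7 &= ~(0xFu << (16 + 4 * n));             /* clear R/Wn and LENn */
    if (local)  dr7 |= 1u << (2 * n);
    if (global) dr7 |= 2u << (2 * n);
    dr7 |= ((uint32_t)rw  & 3u) << (16 + 4 * n);
    dr7 |= ((uint32_t)len & 3u) << (18 + 4 * n);
    return dr7;
}

/* Disarm slot n: clears Ln/Gn and its R/Wn/LENn field. */
uint32_t dr7_disarm_slot(uint32_t dr7, unsigned n)
{
    if (n > 3) return dr7;
    return dr7 & ~(3u << (2 * n)) & ~(0xFu << (16 + 4 * n));
}

int dr7_slot_enabled(uint32_t dr7, unsigned n)
{
    return n <= 3 && ((dr7 >> (2 * n)) & 3u) != 0;
}

enum dr7_rw  dr7_slot_rw (uint32_t dr7, unsigned n) { return (enum dr7_rw) ((dr7 >> (16 + 4 * (n & 3))) & 3u); }
enum dr7_len dr7_slot_len(uint32_t dr7, unsigned n) { return (enum dr7_len)((dr7 >> (18 + 4 * (n & 3))) & 3u); }

/* Which slot fired? DR6 may report Bn for slots that are not enabled (the
 * post's point), so a Bn only counts when DR7 actually has Ln or Gn set. */
int dr6_fired_slot(uint32_t dr6, uint32_t dr7)
{
    for (unsigned n = 0; n < 4; n++)
        if ((dr6 & (1u << n)) && dr7_slot_enabled(dr7, n))
            return (int)n;
    return -1;
}

const char *dr6_reason(uint32_t dr6, uint32_t dr7)
{
    if (dr6 & DR6_BD) return "debug-register access with GD set";
    if (dr6 & DR6_BS) return "single-step (EFLAGS.TF)";
    if (dr6 & DR6_BT) return "task switch (TSS T bit)";
    if (dr6_fired_slot(dr6, dr7) >= 0) return "hardware breakpoint";
    return "none";
}

int main(void)
{
    /* Constructed: local 4-byte write watchpoint in Dr0, global execute
     * breakpoint in Dr3, then a DR6 that reports both B0 and B1. */
    uint32_t dr7 = dr7_arm_slot(0, 0, 1, 0, DR7_RW_WRITE, DR7_LEN_4);
    dr7 = dr7_arm_slot(dr7, 3, 0, 1, DR7_RW_EXEC, DR7_LEN_1);
    uint32_t dr6 = 0x3;
    printf("DR7 = %08X\n", dr7);
    printf("DR6 = %08X -> slot %d (%s)\n", dr6, dr6_fired_slot(dr6, dr7), dr6_reason(dr6, dr7));
    printf("DR6 = %08X -> %s\n", DR6_BS, dr6_reason(DR6_BS, dr7));
    return 0;
}
```

On Windows the value built here is what a debugger writes into CONTEXT.Dr7 through SetThreadContext; a packer that reads the thread context back, as tELock-style anti-debug code does, sees exactly these bits, which is why clearing Ln/Gn (the disarm helper) rather than only the address register matters when hiding a breakpoint.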
tELock 0.98: interesting code
Hard to clean up; tE! is littered with junk instructions, so even restoring the source code is difficult.