syscom, please come in: a question about Themida.

Originally posted by softbihu: It can be modified, but if you modify it wrong, the machine reboots. This part is not checksummed.

Look at this:
    seg000:00000182 lea eax, [ebp+6611925h]
    seg000:00000188 mov [eax+1], edx
    seg000:0000018B jmp eax
This seg000:00000188 mov [eax+1], edx is the code rewriting its own instruction at seg000:000001DF push 0EB606735h.
Below is the code that handles int 14:

    seg000:00000000 pushf
    seg000:00000001 pusha
    seg000:00000002 call $+5
    seg000:00000007 pop ebp
    seg000:00000008 sub ebp, 661174Dh
    seg000:0000000E jmp short loc_1D
    seg000:00000010 ; ---------------------------------------------------------------------------
    seg000:00000010 cmp dword ptr [ebp+6611948h], 63h ; 'c'
    seg000:00000017 ja loc_B6
    seg000:0000001D loc_1D: ; CODE XREF: seg000:0000000Ej
    seg000:0000001D ; seg000:00000130j
    seg000:0000001D mov eax, [esp+28h]
    seg000:00000021 cmp eax, 0FFFFFFFFh
    seg000:00000024 jz short loc_39
    seg000:00000026 mov eax, [esp+24h]
    seg000:0000002A cmp eax, 0FFFFFFFFh
    seg000:0000002D jnz loc_1DD
    seg000:00000033 popa
    seg000:00000034 popf
    seg000:00000035 add esp, 0Ch
    seg000:00000038 iret
    seg000:00000039 ; ---------------------------------------------------------------------------
    seg000:00000039 loc_39: ; CODE XREF: seg000:00000024j
    seg000:00000039 mov eax, 1
    seg000:0000003E mov ecx, eax
    seg000:00000040 or eax, eax
    seg000:00000042 jnz loc_140
    seg000:00000048 mov eax, 12345678h
    seg000:0000004D mov eax, [eax]
    seg000:0000004F cmp dword ptr [eax+8], 0
    seg000:00000053 jz 0000018D
    seg000:00000059 cmp dword ptr [eax+8], 2
    seg000:0000005D ja 0000018D
    seg000:00000063 cmp dword ptr [eax+8], 1
    seg000:00000067 jz loc_135
    seg000:0000006D loc_6D: ; CODE XREF: seg000:00000165j
    seg000:0000006D ; seg000:0000017Dj
    seg000:0000006D mov eax, 0
    seg000:00000072 cmp eax, 1
    seg000:00000075 jz 0000018D
    seg000:0000007B or ecx, ecx
    seg000:0000007D jnz short loc_96
    seg000:0000007F mov ebx, esp
    seg000:00000081 add ebx, 34h ; '4'
    seg000:00000084 mov eax, [ebx]
    seg000:00000086 cmp byte ptr [eax-1], 0CCh
    seg000:0000008A jnz short loc_AD
    seg000:0000008C mov byte ptr [eax-1], 0C5h
    seg000:00000090 inc eax
    seg000:00000091 jmp loc_1B1
    seg000:00000096 ; ---------------------------------------------------------------------------
    seg000:00000096 loc_96: ; CODE XREF: seg000:0000007Dj
    seg000:00000096 mov ebx, esp
    seg000:00000098 add ebx, 34h ; '4'
    seg000:0000009B mov eax, [ebx]
    seg000:0000009D cmp byte ptr [eax-1], 0CCh
    seg000:000000A1 jnz loc_1B1
    seg000:000000A7 inc eax
    seg000:000000A8 jmp loc_1B1
    seg000:000000AD ; ---------------------------------------------------------------------------
    seg000:000000AD loc_AD: ; CODE XREF: seg000:0000008Aj
    seg000:000000AD mov byte ptr [eax-2], 0C5h
    seg000:000000B1 jmp loc_1B1
    seg000:000000B6 ; ---------------------------------------------------------------------------
    seg000:000000B6 loc_B6: ; CODE XREF: seg000:00000017j
    seg000:000000B6 mov eax, 80036400h
    seg000:000000BB mov eax, eax
    seg000:000000BD add eax, 0Ch
    seg000:000000C0 mov ecx, cs:[eax]
    seg000:000000C3 mov cx, cs:[eax-4]
    seg000:000000C8 cmp ecx, 0FFFF0000h
    seg000:000000CE jnb short loc_EE
    seg000:000000D0 cmp ecx, 80000000h
    seg000:000000D6 jb short loc_EE
    seg000:000000D8 push ds
    seg000:000000D9 mov ecx, 10h
    seg000:000000DE db 66h
    seg000:000000DE mov ds, cx
    seg000:000000E1 assume ds:nothing
    seg000:000000E1 mov cx, 0FFFFh
    seg000:000000E5 mov [eax-4], cx
    seg000:000000E9 mov [eax+2], cx
    seg000:000000ED pop ds
    seg000:000000EE assume ds:nothing
    seg000:000000EE loc_EE: ; CODE XREF: seg000:000000CEj
    seg000:000000EE ; seg000:000000D6j
    seg000:000000EE mov eax, 80036400h
    seg000:000000F3 mov eax, eax
    seg000:000000F5 add eax, 1Ch
    seg000:000000F8 mov ecx, cs:[eax]
    seg000:000000FB mov cx, cs:[eax-4]
    seg000:00000100 cmp ecx, 0FFFF0000h
    seg000:00000106 jnb short loc_126
    seg000:00000108 cmp ecx, 80000000h
    seg000:0000010E jb short loc_126
    seg000:00000110 push ds
    seg000:00000111 mov ecx, 10h
    seg000:00000116 db 66h
    seg000:00000116 mov ds, cx
    seg000:00000119 assume ds:nothing
    seg000:00000119 mov cx, 0FFFFh
    seg000:0000011D mov [eax-4], cx
    seg000:00000121 mov [eax+2], cx
    seg000:00000125 pop ds
    seg000:00000126 assume ds:nothing
    seg000:00000126 loc_126: ; CODE XREF: seg000:00000106j
    seg000:00000126 ; seg000:0000010Ej
    seg000:00000126 mov dword ptr [ebp+6611948h], 0
    seg000:00000130 jmp loc_1D
    seg000:00000135 ; ---------------------------------------------------------------------------
    seg000:00000135 loc_135: ; CODE XREF: seg000:00000067j
    seg000:00000135 lea eax, [ebp+6611925h]
    seg000:0000013B mov [eax+1], edx
    seg000:0000013E jmp eax
    seg000:00000140 ; ---------------------------------------------------------------------------
    seg000:00000140 loc_140: ; CODE XREF: seg000:00000042j
    seg000:00000140 push fs
    seg000:00000142 mov eax, 30h ; '0'
    seg000:00000147 db 66h
    seg000:00000147 mov fs, ax
    seg000:0000014A assume fs:nothing
    seg000:0000014A mov eax, large fs:124h
    seg000:00000150 mov eax, [eax+44h]
    seg000:00000153 pop fs
    seg000:00000155 assume fs:nothing
    seg000:00000155 mov ebx, eax
    seg000:00000157 and ebx, 7FFFFFFFh
    seg000:0000015D mov esi, 0EBA83000h ; this spot may be the key
    seg000:00000162 cmp dword ptr [esi], 0
    seg000:00000165 jz loc_6D
    seg000:0000016B call sub_206
    seg000:00000170 or eax, eax
    seg000:00000172 jnz short loc_178
    seg000:00000174 jmp short 0000018D
    seg000:00000176 ; ---------------------------------------------------------------------------
    seg000:00000176 jmp short loc_182
    seg000:00000178 ; ---------------------------------------------------------------------------
    seg000:00000178 loc_178: ; CODE XREF: seg000:00000172j
    seg000:00000178 cmp eax, 1
    seg000:0000017B jnz short loc_182
    seg000:0000017D jmp loc_6D
    seg000:00000182 ; ---------------------------------------------------------------------------
    seg000:00000182 loc_182: ; CODE XREF: seg000:00000176j
    seg000:00000182 ; seg000:0000017Bj
    seg000:00000182 lea eax, [ebp+6611925h]
    seg000:00000188 mov [eax+1], edx
    seg000:0000018B jmp eax
    seg000:0000018D ; ---------------------------------------------------------------------------
    seg000:0000018D 0000018D: ; CODE XREF: seg000:00000053j
    seg000:0000018D ; seg000:0000005Dj ...
    seg000:0000018D mov ebx, esp
    seg000:0000018F add ebx, 34h ; '4'
    seg000:00000192 mov eax, [ebx]
    seg000:00000194 cmp byte ptr [eax-1], 0CCh
    seg000:00000198 jz short loc_1E5
    seg000:0000019A cmp word ptr [eax-2], 3CDh
    seg000:000001A0 jz short loc_1E5
    seg000:000001A2 cmp word ptr [eax-2], 1CDh
    seg000:000001A8 jz short loc_1B1
    seg000:000001AA popa
    seg000:000001AB popf
    seg000:000001AC add esp, 10h
    seg000:000001AF jmp short int1
    seg000:000001B1 ; ---------------------------------------------------------------------------
    seg000:000001B1 loc_1B1: ; CODE XREF: seg000:00000091j
    seg000:000001B1 ; seg000:000000A1j ...
    seg000:000001B1 sub eax, 2
    seg000:000001B4 mov [ebx], eax
    seg000:000001B6 popa
    seg000:000001B7 popf
    seg000:000001B8 add esp, 0Ch
    seg000:000001BB mov dword ptr [esp], 2Ah ; '*'
    seg000:000001C2 jmp short loc_1FC
    seg000:000001C2 ; ---------------------------------------------------------------------------
    seg000:000001C4 db 8Bh
    seg000:000001C5 db 43h ; C
    seg000:000001C6 db 8
    seg000:000001C7 db 0A9h
    seg000:000001C8 db 0
    seg000:000001C9 db 1
    seg000:000001CA db 0
    seg000:000001CB db 0
    seg000:000001CC db 75h ; u
    seg000:000001CD db 2
    seg000:000001CE db 40h ; @
    seg000:000001CF db 40h ; @
    seg000:000001D0 db 43h ; C
    seg000:000001D1 db 43h ; C
    seg000:000001D2 db 41h ; A
    seg000:000001D3 db 42h ; B
    seg000:000001D4 db 37h ; 7
    seg000:000001D5 db 8Bh
    seg000:000001D6 db 4Ah ; J
    seg000:000001D7 db 80h
    seg000:000001D8 db 64h ; d
    seg000:000001D9 db 0
    seg000:000001DA db 0
    seg000:000001DB db 0
    seg000:000001DC db 40h ; @
    seg000:000001DD ; ---------------------------------------------------------------------------
    seg000:000001DD loc_1DD: ; CODE XREF: seg000:0000002Dj
    seg000:000001DD popa
    seg000:000001DE popf
    seg000:000001DF push 0EB606735h
    seg000:000001E4 retn
    seg000:000001E5 ; ---------------------------------------------------------------------------
    seg000:000001E5 loc_1E5: ; CODE XREF: seg000:00000198j
    seg000:000001E5 ; seg000:000001A0j
    seg000:000001E5 popa
    seg000:000001E6 popf
    seg000:000001E7 add esp, 10h
    seg000:000001EA jmp short int3
    seg000:000001EA ; ---------------------------------------------------------------------------
    seg000:000001EC db 0
    seg000:000001ED db 0
    seg000:000001EE db 0
    seg000:000001EF db 0
    seg000:000001F0 ; ---------------------------------------------------------------------------
    seg000:000001F0 int1: ; CODE XREF: seg000:000001AFj
    seg000:000001F0 push 80465CE4h ; to the original system int1 handler
    seg000:000001F5 retn
    seg000:000001F6 ; ---------------------------------------------------------------------------
    seg000:000001F6 int3: ; CODE XREF: seg000:000001EAj
    seg000:000001F6 push 80465FD4h ; to the original system int3 handler
    seg000:000001FB retn
    seg000:000001FC ; ---------------------------------------------------------------------------
    seg000:000001FC loc_1FC: ; CODE XREF: seg000:000001C2j
    seg000:000001FC push 8046748Ch ; to the original system int13 handler
    seg000:00000201 retn
    seg000:00000201 ; ---------------------------------------------------------------------------
    seg000:00000202 db 0
    seg000:00000203 db 0
    seg000:00000204 db 0
    seg000:00000205 db 0
    seg000:00000206 ; =============== S U B R O U T I N E =======================================
    seg000:00000206 sub_206 proc near ; CODE XREF: seg000:0000016Bp
    seg000:00000206 mov edi, esi
    seg000:00000208 mov cl, 1
    seg000:0000020A or cl, cl
    seg000:0000020C jz short loc_214
    seg000:0000020E add edi, 3E8h
    seg000:00000214 loc_214: ; CODE XREF: sub_206+6j
    seg000:00000214 ; sub_206+30j
    seg000:00000214 add esi, 4
    seg000:00000217 add edi, 4
    seg000:0000021A cmp dword ptr [esi], 47616420h
    seg000:00000220 jnz short loc_225
    seg000:00000222 xor eax, eax
    seg000:00000224 retn
    seg000:00000225 ; ---------------------------------------------------------------------------
    seg000:00000225 loc_225: ; CODE XREF: sub_206+1Aj
    seg000:00000225 cmp [esi], eax
    seg000:00000227 jz short locret_22D
    seg000:00000229 cmp [edi], eax
    seg000:0000022B jnz short loc_22E
    seg000:0000022D locret_22D: ; CODE XREF: sub_206+21j
    seg000:0000022D retn
    seg000:0000022E ; ---------------------------------------------------------------------------
    seg000:0000022E loc_22E: ; CODE XREF: sub_206+25j
    seg000:0000022E cmp [esi], ebx
    seg000:00000230 jnz short loc_236
    seg000:00000232 xor eax, eax
    seg000:00000234 inc eax
    seg000:00000235 retn
    seg000:00000236 ; ---------------------------------------------------------------------------
    seg000:00000236 loc_236: ; CODE XREF: sub_206+2Aj
    seg000:00000236 jmp short loc_214
    seg000:00000236 sub_206 endp

Offsets 15D to 170 should be where it checks whether the packed program is running. The code can be modified, but I don't know how to modify it. I changed both seg000:00000170 or eax, eax and seg000:00000172 jnz short loc_178 to nop, and the packed program exits by itself as soon as it is opened.
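As an added example (not code from this thread), a short Python script that resolves the handler's [ebp+K] operands. The listing excerpt is constructed from the offsets posted above; the script assumes only the standard call $+5 / pop ebp / sub ebp, K delta trick, so ebp+6611925h is shown to land on the push at 1DFh (whose immediate the dword store at [eax+1] overwrites) and ebp+6611948h on the four zero bytes at 202h.

```python
import re

# Constructed excerpt of the listing posted above (offsets and operands as given there).
LISTING = """\
seg000:00000002 call $+5
seg000:00000007 pop ebp
seg000:00000008 sub ebp, 661174Dh
seg000:00000010 cmp dword ptr [ebp+6611948h], 63h
seg000:00000182 lea eax, [ebp+6611925h]
seg000:00000188 mov [eax+1], edx
seg000:000001DF push 0EB606735h
seg000:00000202 db 0
"""
LINE = re.compile(r"^seg000:([0-9A-Fa-f]{8})\s+(.*?)\s*$")
MASK = 0xFFFFFFFF  # registers wrap at 32 bits

def parse_listing(text):
    """IDA-style 'seg000:OFFSET instruction' lines -> list of (offset, text)."""
    return [(int(m.group(1), 16), m.group(2))
            for m in map(LINE.match, text.splitlines()) if m]

def ida_hex(tok):
    """IDA hex literal, e.g. 661174Dh or 0EB606735h."""
    return int(tok.rstrip("hH"), 16)

def pic_base(insns):
    """ebp after 'call $+5 / pop ebp / sub ebp, K': the call pushes the offset of
    the next instruction, pop loads it, sub rebases it so [ebp+K] is relocatable."""
    for i, (addr, text) in enumerate(insns[:-2]):
        pop_addr, pop = insns[i + 1]
        m = re.fullmatch(r"sub ebp, ([0-9A-Fa-f]+h)", insns[i + 2][1])
        if text == "call $+5" and pop == "pop ebp" and pop_addr == addr + 5 and m:
            return (pop_addr - ida_hex(m.group(1))) & MASK
    raise ValueError("no call $+5 / pop ebp / sub ebp sequence found")

def resolve_ebp_refs(insns):
    """Offset of each instruction using [ebp+K] -> absolute offset that K names."""
    base = pic_base(insns)
    return {addr: (base + ida_hex(k)) & MASK for addr, text in insns
            for k in re.findall(r"\[ebp\+([0-9A-Fa-f]+h)\]", text)}

def self_patch_target(insns, lea_addr):
    """For 'lea eax, [ebp+K]' at lea_addr followed by 'mov [eax+1], edx', return
    (target, instruction) where instruction is the 'push imm32' (68h + 4 bytes)
    whose immediate the dword store at target+1 overwrites, or None."""
    target = resolve_ebp_refs(insns)[lea_addr]
    if dict(insns).get(lea_addr + 6) != "mov [eax+1], edx":  # lea eax,[ebp+imm32] is 6 bytes
        return target, None
    lo, hi = target + 1, target + 4
    for addr, text in insns:
        if text.startswith("push ") and addr <= lo and hi <= addr + 4:
            return target, text
    return target, None
```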
Modifying the code that handles int 2E lets you skip Themida's hook function. It can be dumped, but after attaching with OD the computer rebooted. The int 14 code probably still needs to be modified as well.
I wonder whether any of the experts here has tried hooking int 2E and then restoring the functions Themida altered back to their correct versions. It might just work. Also, does it only do a CRC check on part of the code?