Post 2 (LV2, RANK:10)
Post the program so we can take a look at it.
Post 3 (LV2, RANK:10)
Post 4 (LV2, RANK:10)
Once you reach the OEP,
dump directly with the OD plugin,
and pick method 2 to rebuild the IAT.
Post 5 (LV2, RANK:10)
The unpack itself succeeded; the error at run time is because the program has a self-check. Remove the self-check and it will be fine!
Post 6 (LV2, RANK:10)
Tried that, same situation. It reports "Runtime error: 020".
Post 7 (LV2, RANK:10)
00401000 >/$ E8 06000000 call 0040100B
00401005 |. 50 push eax ; /ExitCode
00401006 \. E8 BB010000 call <jmp.&kernel32.ExitProcess> ; \ExitProcess
0040100B /$ 55 push ebp
0040100C |. 8BEC mov ebp, esp
0040100E |. 81C4 F0FEFFFF add esp, -110
00401014 |. E9 83000000 jmp 0040109C
00401019 |. 6B 72 6E 6C 6>ascii "krnln.fnr",0
00401023 |. 6B 72 6E 6C 6>ascii "krnln.fne",0
0040102D |. 47 65 74 4E 6>ascii "GetNewSock",0
00401038 |. 53 6F 66 74 7>ascii "Software\FlySky\"
00401048 |. 45 5C 49 6E 7>ascii "E\Install",0
00401052 |. 50 61 74 68 0>ascii "Path",0
00401057 |. 4E 6F 74 20 6>ascii "Not found the ke"
00401067 |. 72 6E 65 6C 2>ascii "rnel library or "
00401077 |. 74 68 65 20 6>ascii "the kernel libra"
00401087 |. 72 79 20 69 7>ascii "ry is invalid!",0
00401096 |. 45 72 72 6F 7>ascii "Error",0
0040109C |> 8D85 FCFEFFFF lea eax, dword ptr [ebp-104]
004010A2 |. 50 push eax
004010A3 |. E8 44010000 call 004011EC
004010A8 |. 68 19104000 push 00401019 ; /String2 = "krnln.fnr"
004010AD |. 8D85 FCFEFFFF lea eax, dword ptr [ebp-104] ; |
004010B3 |. 50 push eax ; |String1
004010B4 |. E8 25010000 call <jmp.&kernel32.lstrcat> ; \lstrcat
004010B9 |. 50 push eax ; /FileName
004010BA |. E8 19010000 call <jmp.&kernel32.LoadLibraryA> ; \LoadLibraryA
004010BF |. 85C0 test eax, eax
004010C1 |. 0F85 9E000000 jnz 00401165
004010C7 |. 8D85 F4FEFFFF lea eax, dword ptr [ebp-10C]
004010CD |. 50 push eax ; /pHandle
004010CE |. 68 19000200 push 20019 ; |Access = KEY_READ
004010D3 |. 6A 00 push 0 ; |Reserved = 0
004010D5 |. 68 38104000 push 00401038 ; |Subkey = "Software\FlySky\E\Install"
004010DA |. 68 01000080 push 80000001 ; |hKey = HKEY_CURRENT_USER
004010DF |. E8 36010000 call <jmp.&advapi32.RegOpenKeyExA> ; \RegOpenKeyExA
004010E4 |. 83F8 00 cmp eax, 0
004010E7 |. 0F85 B8000000 jnz 004011A5
004010ED |. C785 F0FEFFFF>mov dword ptr [ebp-110], 103
004010F7 |. 8D85 F0FEFFFF lea eax, dword ptr [ebp-110]
004010FD |. 50 push eax ; /pBufSize
004010FE |. 8D85 FCFEFFFF lea eax, dword ptr [ebp-104] ; |
00401104 |. 50 push eax ; |Buffer
00401105 |. 6A 00 push 0 ; |pValueType = NULL
00401107 |. 6A 00 push 0 ; |Reserved = NULL
00401109 |. 68 52104000 push 00401052 ; |ValueName = "Path"
0040110E |. FFB5 F4FEFFFF push dword ptr [ebp-10C] ; |hKey
00401114 |. E8 07010000 call <jmp.&advapi32.RegQueryValueExA> ; \RegQueryValueExA
00401119 |. 50 push eax
0040111A |. FFB5 F4FEFFFF push dword ptr [ebp-10C] ; /hKey
00401120 |. E8 EF000000 call <jmp.&advapi32.RegCloseKey> ; \RegCloseKey
00401125 |. 58 pop eax
00401126 |. 83F8 00 cmp eax, 0
00401129 |. 75 7A jnz short 004011A5
0040112B |. 8D85 FCFEFFFF lea eax, dword ptr [ebp-104]
00401131 |. 50 push eax ; /String
00401132 |. E8 AD000000 call <jmp.&kernel32.lstrlen> ; \lstrlenA
00401137 |. 8D9D FCFEFFFF lea ebx, dword ptr [ebp-104]
0040113D |. 03D8 add ebx, eax
0040113F |. 4B dec ebx
00401140 |. 803B 5C cmp byte ptr [ebx], 5C
00401143 |. 74 05 je short 0040114A
00401145 |. 66:C703 5C00 mov word ptr [ebx], 5C
0040114A |> 68 23104000 push 00401023 ; /String2 = "krnln.fne"
0040114F |. 8D85 FCFEFFFF lea eax, dword ptr [ebp-104] ; |
00401155 |. 50 push eax ; |String1
00401156 |. E8 83000000 call <jmp.&kernel32.lstrcat> ; \lstrcat
0040115B |. 50 push eax ; /FileName
0040115C |. E8 77000000 call <jmp.&kernel32.LoadLibraryA> ; \LoadLibraryA
00401161 |. 85C0 test eax, eax
00401163 |. 74 40 je short 004011A5
00401165 |> 8985 F8FEFFFF mov dword ptr [ebp-108], eax
0040116B |. 68 2D104000 push 0040102D ; /ProcNameOrOrdinal = "GetNewSock"
00401170 |. 50 push eax ; |hModule
00401171 |. E8 5C000000 call <jmp.&kernel32.GetProcAddress> ; \GetProcAddress
00401176 |. 85C0 test eax, eax
00401178 |. 74 20 je short 0040119A
0040117A |. 68 E8030000 push 3E8
0040117F |. FFD0 call eax
00401181 |. 85C0 test eax, eax
00401183 |. 74 15 je short 0040119A
00401185 |. E8 00000000 call 0040118A
0040118A |$ 810424 761E00>add dword ptr [esp], 1E76
00401191 |. FFD0 call eax
00401193 |. 6A 00 push 0 ; /ExitCode = 0
00401195 |. E8 2C000000 call <jmp.&kernel32.ExitProcess> ; \ExitProcess
0040119A |> FFB5 F8FEFFFF push dword ptr [ebp-108] ; /hLibModule
004011A0 |. E8 27000000 call <jmp.&kernel32.FreeLibrary> ; \FreeLibrary
004011A5 |> 6A 10 push 10 ; /Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
004011A7 |. 68 96104000 push 00401096 ; |Title = "Error"
004011AC |. 68 57104000 push 00401057 ; |Text = "Not found the kernel library or the kernel library is invalid!"
004011B1 |. 6A 00 push 0 ; |hOwner = NULL
004011B3 |. E8 08000000 call <jmp.&user32.MessageBoxA> ; \MessageBoxA
004011B8 |. B8 FFFFFFFF mov eax, -1
004011BD |. C9 leave
004011BE \. C3 retn
004011BF CC int3
A series of check code.
The part highlighted in green is the check for the 202 error.
Loading the GetNewSock function fails; that should be a problem introduced during unpacking.
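As an added example (not code from the thread, from the E-language/FlySky runtime, or from anyone posting here), the following Python follows the control flow of the startup stub listed above, from 0040109C to 004011BE, so that each path ending in the "Not found the kernel library..." message box at 004011A5 can be exercised offline. Two assumptions are built in and marked in the code: the unlisted routine at 004011EC is taken to fill the buffer at [ebp-104] with the program's own directory (its body is not in the listing), and the file paths, registry value and entry address 0x10001000 used in the scenario are constructed, not taken from the thread. The trailing-backslash fix-up is reproduced exactly as the listed bytes do it (the last character is overwritten with a backslash rather than a backslash being appended), and the constant 0x00403000 that the runtime entry receives is computed from the call/add-[esp] sequence at 00401185.

```python
"""Python model of the E-language (FlySky EPL) startup stub in the OllyDbg listing above.

Added example, not code from the thread or from the EPL runtime.  It follows the
listed control flow from 0040109C to 004011BE so every path that ends in the
"Not found the kernel library..." message box at 004011A5 can be exercised offline.
Assumption: the unlisted routine at 004011EC fills the buffer at [ebp-104] with the
program's own directory (its body is not in the listing).
"""
from typing import Callable, List, Optional, Tuple

KRNLN_FNR = "krnln.fnr"                     # string at 00401019
KRNLN_FNE = "krnln.fne"                     # string at 00401023
EXPORT_NAME = "GetNewSock"                  # string at 0040102D
REG_SUBKEY = r"Software\FlySky\E\Install"   # string at 00401038, opened under HKEY_CURRENT_USER
REG_VALUE = "Path"                          # string at 00401052
REG_BUF_SIZE = 0x103                        # mov dword ptr [ebp-110], 103 (pBufSize)
GETNEWSOCK_ARG = 0x3E8                      # push 3E8 at 0040117A
ERROR_TEXT = "Not found the kernel library or the kernel library is invalid!"

ExistsFn = Callable[[str], bool]      # stands in for LoadLibraryA succeeding on a path
GetNewSockFn = Callable[[int], int]   # stands in for GetProcAddress + call eax; 0 means failure


def fix_trailing_backslash(path: str) -> str:
    """0040112B-00401145 as the listed bytes do it: ebx = buf + lstrlen - 1 points at the
    LAST character; if it is not '\\', `mov word ptr [ebx], 5C` overwrites that character
    with '\\' and a NUL.  The byte is replaced, not appended: "C:\\epl" becomes "C:\\ep\\".
    (An empty value would make the stub read the byte before the buffer; not modelled.)"""
    if not path or path.endswith("\\"):
        return path
    return path[:-1] + "\\"


def entry_argument(call_site: int = 0x00401185, delta: int = 0x1E76) -> int:
    """00401185-00401191: `call 0040118A` pushes its own return address (call_site + 5),
    `add dword ptr [esp], 1E76` adjusts it, and `call eax` then passes that value to the
    function GetNewSock returned.  Result: 0x00403000."""
    return call_site + 5 + delta


def resolve_kernel_library(exe_dir: str, reg_path: Optional[str],
                           exists: ExistsFn) -> Tuple[List[str], Optional[str]]:
    """Paths the stub hands to LoadLibraryA, in order, and the first one that loaded (or None)."""
    tried: List[str] = []
    # 004010A8-004010C1: <exe_dir>krnln.fnr; success jumps straight to 00401165
    first = exe_dir + KRNLN_FNR
    tried.append(first)
    if exists(first):
        return tried, first
    # 004010C7-00401129: RegOpenKeyExA / RegQueryValueExA on HKCU\Software\FlySky\E\Install\Path.
    # A missing key, a missing value, or a value that does not fit in 0x103 bytes
    # (ERROR_MORE_DATA) all leave eax != 0 and jump to the error box at 004011A5.
    if reg_path is None or len(reg_path) + 1 > REG_BUF_SIZE:
        return tried, None
    # 0040112B-00401163: <Path>krnln.fne after the trailing-backslash fix-up
    second = fix_trailing_backslash(reg_path) + KRNLN_FNE
    tried.append(second)
    if exists(second):
        return tried, second
    return tried, None


def run_stub(exe_dir: str, reg_path: Optional[str], exists: ExistsFn,
             get_new_sock: GetNewSockFn) -> Tuple[int, str]:
    """(exit code, outcome) for the whole stub.  get_new_sock(0x3E8) returning 0 stands for
    either GetProcAddress failing or GetNewSock itself returning 0: both reach 0040119A,
    FreeLibrary the runtime, and show the same message box, so the box alone does not
    tell you which of the three checks failed."""
    _, library = resolve_kernel_library(exe_dir, reg_path, exists)
    if library is None:
        return 0xFFFFFFFF, ERROR_TEXT            # mov eax,-1; retn; ExitProcess(eax)
    entry = get_new_sock(GETNEWSOCK_ARG)         # 0040116B-00401183
    if entry == 0:
        return 0xFFFFFFFF, ERROR_TEXT
    return 0, "%s from %s: entry %#x called with %#x" % (EXPORT_NAME, library, entry, entry_argument())


# Constructed scenario (not from the thread): the unpacked EXE lives in C:\app\, no
# krnln.fnr sits next to it, and the runtime is installed under C:\Program Files\epl\.
SAMPLE_FILES = {r"C:\Program Files\epl\krnln.fne"}


def sample_exists(path: str) -> bool:
    return path in SAMPLE_FILES


if __name__ == "__main__":
    good = lambda _arg: 0x10001000               # hypothetical entry address returned by GetNewSock
    # Path stored with a trailing backslash: found
    print(run_stub("C:\\app\\", "C:\\Program Files\\epl\\", sample_exists, good))
    # Path stored without it: the fix-up clobbers the 'l' and the stub looks in ...\ep\
    print(resolve_kernel_library("C:\\app\\", "C:\\Program Files\\epl", sample_exists))
    # Runtime found but GetNewSock missing or returning 0: same error box
    print(run_stub("C:\\app\\", "C:\\Program Files\\epl\\", sample_exists, lambda _arg: 0))
```

The practical use of the model is deciding where to break when the dumped program shows that box: a breakpoint on LoadLibraryA shows the exact string the stub built (including the effect of the backslash fix-up), and a breakpoint on GetProcAddress followed by one on the returned address separates "runtime not found" from "GetNewSock missing" and from "GetNewSock returned 0", which the message box itself does not distinguish.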
Post 8 (LV8, RANK:130)
Set a breakpoint on CreateFileA/W and take a look.
Post 9 (LV2, RANK:10)
Post 10 (LV8, RANK:130)
The ESP trick works for most compression packers, but not necessarily for encryption packers.
Post 11 (LV2, RANK:10)
I haven't figured out how this software compares real and fake registration codes. Could an expert give a hint?
Post 12 (LV2, RANK:10)
How do you solve this problem?