最初由 forgot 发布
没 壳 吧
PEiD 检查为 arm(Armadillo)1.xx-2.xx
fuckall附加时出现
---------------------------
FuckALL.exe - 应用程序错误
---------------------------
"0x044d1292" 指令引用的 "0x000003ac" 内存。该内存不能为 "read"。
要终止程序,请单击“确定”。
要调试程序,请单击“取消”。
---------------------------
确定 取消
---------------------------
用 fuckall.exe 启动,扫描不到中文
扫描出了这个:
; OllyDbg disassembly fragment (32-bit x86, Intel operand order: op dst, src).
; The paste starts and ends mid-routine, so only the visible instructions are
; described; the branch target 005223F1 lies outside this listing.
;
; Visible sequence:
;   1. format a string into the stack buffer at [EBP-128]
;   2. probe for an existing named mutex with that string as its name
;   3. raise the current thread's priority
;   4. look up and call IsDebuggerPresent, recording the result in [EBP-6A8]
;   5. start a GetVersionExA query
;
; --- 1. Build the mutex name -------------------------------------------------
; Format string and destination buffer are pushed here. ADD ESP,10 after the
; call removes four dwords, so two more arguments were pushed before this
; fragment begins. Presumably 0052A891 is a sprintf-style formatter (caller
; cleans the stack) - TODO confirm by inspecting 0052A891.
00522154 . 68 E4D45400 PUSH 梦幻宝宝.0054D4E4 ; ASCII "%X::DA%08X"
00522159 . 8D8D D8FEFFFF LEA ECX,DWORD PTR SS:[EBP-128]
0052215F . 51 PUSH ECX
00522160 . E8 2C870000 CALL 梦幻宝宝.0052A891
00522165 . 83C4 10 ADD ESP,10
; --- 2. Named-mutex probe ----------------------------------------------------
; OpenMutexA(0x1F0001, FALSE, name at [EBP-128]); 0x1F0001 is MUTEX_ALL_ACCESS.
; A non-NULL handle means a mutex with this name already exists, and control
; then leaves for 005223F1 (not shown).
; NOTE(review): a "%X::DA%08X" mutex probe is consistent with the Armadillo
; protector that PEiD reports in the post - not confirmed from this fragment.
00522168 . 8D95 D8FEFFFF LEA EDX,DWORD PTR SS:[EBP-128]
0052216E . 52 PUSH EDX ; /MutexName
0052216F . 6A 00 PUSH 0 ; |Inheritable = FALSE
00522171 . 68 01001F00 PUSH 1F0001 ; |Access = 1F0001
00522176 . FF15 50D05400 CALL DWORD PTR DS:[<&KERNEL32.OpenMutexA>; \OpenMutexA
0052217C . 85C0 TEST EAX,EAX
0052217E . 0F85 6D020000 JNZ 梦幻宝宝.005223F1
; --- 3. Raise thread priority ------------------------------------------------
; SetThreadPriority(GetCurrentThread(), THREAD_PRIORITY_ABOVE_NORMAL); the
; return value is not checked in the visible code.
00522184 . 6A 01 PUSH 1 ; /Priority = THREAD_PRIORITY_ABOVE_NORMAL
00522186 . FF15 38D15400 CALL DWORD PTR DS:[<&KERNEL32.GetCurrent>; |[GetCurrentThread
0052218C . 50 PUSH EAX ; |hThread
0052218D . FF15 3CD15400 CALL DWORD PTR DS:[<&KERNEL32.SetThreadP>; \SetThreadPriority
; --- 4. Debugger check -------------------------------------------------------
; [EBP-6A8] is a one-byte flag: cleared here, set to 1 below only if
; IsDebuggerPresent returns nonzero. Where the flag is consumed is outside
; this fragment.
00522193 . C685 58F9FFFF>MOV BYTE PTR SS:[EBP-6A8],0
; IsDebuggerPresent is resolved at run time (LoadLibraryA + GetProcAddress)
; and called through the pointer saved at [EBP-744], so in this code path the
; API is referenced only by the name string at 0054D4FC. Reviewing the import
; table alone may therefore miss the check; search strings and
; GetProcAddress call sites as well.
0052219A . 68 F0D45400 PUSH 梦幻宝宝.0054D4F0 ; /FileName = "Kernel32"
0052219F . FF15 48D15400 CALL DWORD PTR DS:[<&KERNEL32.LoadLibrar>; \LoadLibraryA
005221A5 . 8985 54F9FFFF MOV DWORD PTR SS:[EBP-6AC],EAX
; [EBP-6AC] = module handle; a NULL handle skips the whole check.
005221AB . 83BD 54F9FFFF>CMP DWORD PTR SS:[EBP-6AC],0
005221B2 . 74 32 JE SHORT 梦幻宝宝.005221E6
005221B4 . 68 FCD45400 PUSH 梦幻宝宝.0054D4FC ; /ProcNameOrOrdinal = "IsDebuggerPresent"
005221B9 . 8B85 54F9FFFF MOV EAX,DWORD PTR SS:[EBP-6AC] ; |
005221BF . 50 PUSH EAX ; |hModule
005221C0 . FF15 50D15400 CALL DWORD PTR DS:[<&KERNEL32.GetProcAdd>; \GetProcAddress
005221C6 . 8985 BCF8FFFF MOV DWORD PTR SS:[EBP-744],EAX
; [EBP-744] = resolved function pointer; if the export is missing the check
; is skipped and the flag stays 0.
005221CC . 83BD BCF8FFFF>CMP DWORD PTR SS:[EBP-744],0
005221D3 . 74 11 JE SHORT 梦幻宝宝.005221E6
005221D5 . FF95 BCF8FFFF CALL DWORD PTR SS:[EBP-744]
005221DB . 85C0 TEST EAX,EAX
005221DD . 74 07 JE SHORT 梦幻宝宝.005221E6
005221DF . C685 58F9FFFF>MOV BYTE PTR SS:[EBP-6A8],1
; --- 5. OS version query -----------------------------------------------------
; 005221E6 is the join point for all three skip branches above. The first
; dword of the structure at [EBP-740] is set to 0x94 (148), which matches
; sizeof(OSVERSIONINFOA), before its address is passed to GetVersionExA.
; The handling of the result continues past the end of this listing.
005221E6 > C785 C0F8FFFF>MOV DWORD PTR SS:[EBP-740],94
005221F0 . 8D8D C0F8FFFF LEA ECX,DWORD PTR SS:[EBP-740]
005221F6 . 51 PUSH ECX ; /pVersionInformation
005221F7 . FF15 40D15400 CALL DWORD PTR DS:[<&KERNEL32.GetVersion>; \GetVersionExA