Reputation: ( LV9,RANK:170 )
#2
Software self-check (self-verification)
Breakpoints you can set:
bp GetFileSize
bp ReadFile
bp SetFilePointer
bp CreateFileA
Or just break directly on ExitProcess

Reputation: ( LV2,RANK:10 )
#3
Should the breakpoints be set on the still-packed program or on the unpacked one? And what should I do after it breaks? I'm a newbie and this is the first time I've run into a self-check problem, thanks!
Also, in OD I pressed Run Trace and then a lot of borderless windows appeared in the top-left corner; I don't know how to close them and it really spoils the look. Please help, friends! Thanks!

Reputation: ( LV9,RANK:170 )
#4
Set them after unpacking.
After it breaks, the simplest approach is to press Alt+F9 first to return to the program's own code, then Ctrl+F9 a few times to return further up, and you may find a statement like
cmp xxx,4321
jnz xxxxxxxx
This is probably comparing the file size, or comparing a value computed with some algorithm; patch it.
Using ExitProcess is simpler: in OllyDbg press Ctrl+N, find ExitProcess and press F2 to set a breakpoint. When it breaks, look for a jump that can skip it and patch that. This method doesn't work all that often, though.
Whether you can find it depends on your skill.

Reputation: ( LV2,RANK:10 )
#5
Tried it~ didn't work. Could you take a look for me? If you don't have time, never mind~ thanks~
Ufony 1.30
Manage, play, convert, merge, split, burn! CDA(CD) RA MP1 MP2 OGG WMA MP3 WAV AC3 VOB(DVD) AAC M4A FLAC AU AIF APE MPC G721 G726 MP4 RM WMV ASF MPG DAT(VCD) AVI ==> MP3 WAV WMA OGG APE CD
Download: http://www.shareware.cn/pub/253.html

Reputation: ( LV9,RANK:170 )
#6
It really is a nice piece of software.
This perverse thing even packed all of its DLLs with tElock 0; I can't unpack that by hand, so I unpacked them all with UNtelock.exe.
It still uses GetFileSize to get the file size and then compares it.
I found three places: it checks the size of the main file, of hlclass.dll and of hlsond.dll, all looking like this.
This is the outer call:
004172E0 /$ B9 283C4300 mov ecx,Ufony.00433C28
004172E5 |. E8 F6070000 call Ufony.00417AE0 // first time
004172EA |. 85C0 test eax,eax
004172EC |. 74 2D je short Ufony.0041731B
004172EE |. 8B4424 04 mov eax,dword ptr ss:[esp+4]
004172F2 |. 50 push eax
004172F3 |. B9 283C4300 mov ecx,Ufony.00433C28
004172F8 |. FF15 F8854200 call dword ptr ds:[<&hlclass.CWinApp::Ini>; hlclass.CWinApp::InitInst // second time, inside hlclass.dll
004172FE |. 85C0 test eax,eax
00417300 |. 74 19 je short Ufony.0041731B
00417302 |. B9 283C4300 mov ecx,Ufony.00433C28
00417307 |. E8 240A0000 call Ufony.00417D30 // the third one is inside this call
0041730C |. 85C0 test eax,eax
0041730E |. 74 0B je short Ufony.0041731B
00417310 |. B9 283C4300 mov ecx,Ufony.00433C28
00417315 |. FF15 F4854200 call dword ptr ds:[<&hlclass.CWinApp::Mes>; hlclass.CWinApp::MessageLoop
0041731B |> 33C0 xor eax,eax
0041731D \. C2 1000 retn 10 // once this call returns, the next call is Exit
00418113 |> /68 00040000 /push 400
00418118 |. |8D8F 4F7D0000 |lea ecx,dword ptr ds:[edi+7D4F]
0041811E |. |51 |push ecx
0041811F |. |8D5424 3C |lea edx,dword ptr ss:[esp+3C]
00418123 |. |52 |push edx
00418124 |. |8D4C24 1C |lea ecx,dword ptr ss:[esp+1C]
00418128 |. |FFD5 |call ebp
0041812A |. |8D4C24 34 |lea ecx,dword ptr ss:[esp+34]
0041812E |. |FFD6 |call esi
00418130 |. |68 FC284300 |push Ufony.004328FC
00418135 |. |8D4424 30 |lea eax,dword ptr ss:[esp+30]
00418139 |. |50 |push eax
0041813A |. |8D4C24 20 |lea ecx,dword ptr ss:[esp+20]
0041813E |. |FF15 FC804200 |call dword ptr ds:[<&hlclass.CStr>; hlclass.CString::operator+
00418144 |. |8D4C24 10 |lea ecx,dword ptr ss:[esp+10]
00418148 |. |51 |push ecx
00418149 |. |8D5424 40 |lea edx,dword ptr ss:[esp+40]
0041814D |. |52 |push edx
0041814E |. |8BC8 |mov ecx,eax
00418150 |. |C68424 08020000 >|mov byte ptr ss:[esp+208],3
00418158 |. |FF15 A4814200 |call dword ptr ds:[<&hlclass.CStr>; hlclass.CString::operator+
0041815E |. |50 |push eax
0041815F |. |8D4424 28 |lea eax,dword ptr ss:[esp+28]
00418163 |. |50 |push eax
00418164 |. |8D4C24 18 |lea ecx,dword ptr ss:[esp+18]
00418168 |. |C68424 08020000 >|mov byte ptr ss:[esp+208],4
00418170 |. |FF15 5C814200 |call dword ptr ds:[<&hlclass.CStr>; hlclass.CString::operator=
00418176 |. |8D4C24 24 |lea ecx,dword ptr ss:[esp+24]
0041817A |. |FFD6 |call esi
0041817C |. |8D4C24 3C |lea ecx,dword ptr ss:[esp+3C]
00418180 |. |C68424 00020000 >|mov byte ptr ss:[esp+200],3
00418188 |. |FFD6 |call esi
0041818A |. |8D4C24 2C |lea ecx,dword ptr ss:[esp+2C]
0041818E |. |C68424 00020000 >|mov byte ptr ss:[esp+200],2
00418196 |. |FFD6 |call esi
00418198 |. |8B4C24 10 |mov ecx,dword ptr ss:[esp+10]
0041819C |. |51 |push ecx
0041819D |. |8D8C24 AC000000 |lea ecx,dword ptr ss:[esp+AC]
004181A4 |. |FF15 F8844200 |call dword ptr ds:[<&hlclass.CFil>; hlclass.CFileSys::GetFileSize // gets the file size here, result in eax
004181AA |. |3BFB |cmp edi,ebx
004181AC |. |75 2A |jnz short Ufony.004181D8
004181AE |. |3BD3 |cmp edx,ebx
004181B0 |. |0F87 5B010000 |ja Ufony.00418311
004181B6 |. |3D FE510200 |cmp eax,251FE // compares hlclass.dll here, patch here
004181BB |. |0F82 50010000 |jb Ufony.00418311
004181C1 |. |3BD3 |cmp edx,ebx
004181C3 |. |0F87 48010000 |ja Ufony.00418311
004181C9 |. |72 69 |jb short Ufony.00418234
004181CB |. |3D 03520200 |cmp eax,25203 // compares hlclass.dll here, patch here
004181D0 |. |0F87 3B010000 |ja Ufony.00418311
004181D6 |. |EB 5C |jmp short Ufony.00418234
004181D8 |> |83FF 01 |cmp edi,1
004181DB |. |75 2A |jnz short Ufony.00418207
004181DD |. |3BD3 |cmp edx,ebx
004181DF |. |0F87 2C010000 |ja Ufony.00418311
004181E5 |. |3D FDA50500 |cmp eax,5A5FD // compares hlsond.dll here, patch here
004181EA |. |0F82 21010000 |jb Ufony.00418311
004181F0 |. |3BD3 |cmp edx,ebx
004181F2 |. |0F87 19010000 |ja Ufony.00418311
004181F8 |. |72 3A |jb short Ufony.00418234
004181FA |. |3D 07A60500 |cmp eax,5A607 // compares hlsond.dll here, patch here
004181FF |. |0F87 0C010000 |ja Ufony.00418311
00418205 |. |EB 2D |jmp short Ufony.00418234
00418207 |> |83FF 02 |cmp edi,2
0041820A |. |75 28 |jnz short Ufony.00418234
0041820C |. |3BD3 |cmp edx,ebx
0041820E |. |0F87 FD000000 |ja Ufony.00418311
00418214 |. |3D FFAB0100 |cmp eax,1ABFF // compares the main file here, patch here
00418219 |. |0F82 F2000000 |jb Ufony.00418311
0041821F |. |3BD3 |cmp edx,ebx
00418221 |. |0F87 EA000000 |ja Ufony.00418311
00418227 |. |72 0B |jb short Ufony.00418234
00418229 |. |3D 02AC0100 |cmp eax,1AC02 // compares the main file here, patch here
0041822E |. |0F87 DD000000 |ja Ufony.00418311
00418234 |> |47 |inc edi
00418235 |. |83FF 03 |cmp edi,3 // three files in total
00418238 |.^\0F8C D5FEFFFF \jl Ufony.00418113
If either of the first two is wrong, it jumps to something like this:
00417D0C 40 xor eax,eax
If the third one is wrong, it jumps to:
00418311 |> \53 push ebx ; /ExitCode
00418312 |. FF15 A0804200 call dword ptr ds:[<&USER32.PostQu>; \PostQuitMessage
and exits directly.
There should be more; with just these patched it only shows the main window briefly and then exits.
I haven't found the others yet. Try looking for them yourself too.
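A C model of the size check described in #4 and shown in the #6 listing, added here as an example; it is not code from the thread, from UNtelock or from Ufony. It transcribes the edx:eax compare chain that follows CFileSys::GetFileSize (from 004181AA on) one branch at a time, so you can see exactly which sizes fall through to `inc edi` and which reach PostQuitMessage, and wraps it in the three-file loop. The range constants are the immediates from the listing; the file names, the way the files are located, and the fopen/fseek stand-in for GetFileSize are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not code from the thread or from Ufony. Ranges are the
 * cmp immediates at 004181B6..00418229; names and paths are assumptions. */
struct size_rule {
    const char *name;   /* file the poster's comment assigns the range to */
    uint32_t min;       /* cmp eax,min / jb -> fail */
    uint32_t max;       /* cmp eax,max / ja -> fail */
};

static const struct size_rule rules[3] = {
    { "hlclass.dll", 0x251FE, 0x25203 },   /* edi == 0 */
    { "hlsond.dll",  0x5A5FD, 0x5A607 },   /* edi == 1 */
    { "Ufony.exe",   0x1ABFF, 0x1AC02 },   /* edi == 2, main file (name assumed) */
};

/* One-to-one transcription of the branch chain after GetFileSize:
 * edx:eax holds the 64-bit size and ebx is 0. Returns 1 if control reaches
 * 'inc edi' (size accepted), 0 if it reaches 00418311 (PostQuitMessage). */
int size_check_asm(uint32_t edx, uint32_t eax, uint32_t min, uint32_t max)
{
    const uint32_t ebx = 0;
    if (edx > ebx) return 0;   /* cmp edx,ebx / ja 00418311 */
    if (eax < min) return 0;   /* cmp eax,min / jb 00418311 */
    if (edx > ebx) return 0;   /* cmp edx,ebx / ja 00418311 */
    if (edx < ebx) return 1;   /* jb 00418234: high dword below 0, never taken */
    if (eax > max) return 0;   /* cmp eax,max / ja 00418311 */
    return 1;                  /* jmp 00418234 */
}

/* What the compiler started from: an inclusive range test on a 64-bit size. */
int size_check(uint64_t size, uint32_t min, uint32_t max)
{
    return size >= min && size <= max;
}

/* Stand-in for hlclass.CFileSys::GetFileSize: size in bytes, or -1. */
long long file_size(const char *path)
{
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    if (fseek(f, 0, SEEK_END) != 0) { fclose(f); return -1; }
    long long n = ftell(f);
    fclose(f);
    return n;
}

/* The loop at 00418113..00418238 over the three files, stopping at the
 * first failure. Returns the index of the failing rule, or 3 if all pass. */
int self_check(const char *hlclass, const char *hlsond, const char *mainfile)
{
    const char *paths[3] = { hlclass, hlsond, mainfile };
    for (int edi = 0; edi < 3; edi++) {
        long long n = file_size(paths[edi]);
        if (n < 0) return edi;
        uint64_t size = (uint64_t)n;
        if (!size_check_asm((uint32_t)(size >> 32), (uint32_t)size,
                            rules[edi].min, rules[edi].max))
            return edi;
    }
    return 3;
}

/* Writes n filler bytes so the loop can be exercised without the real files. */
int write_bytes(const char *path, size_t n)
{
    FILE *f = fopen(path, "wb");
    if (!f) return -1;
    for (size_t i = 0; i < n; i++) fputc('A', f);
    fclose(f);
    return 0;
}

int main(void)
{
    /* Constructed stand-in files, each sized inside its accepted range. */
    write_bytes("sample_hlclass.dll", 0x25200);
    write_bytes("sample_hlsond.dll",  0x5A600);
    write_bytes("sample_Ufony.exe",   0x1AC00);
    int r = self_check("sample_hlclass.dll", "sample_hlsond.dll", "sample_Ufony.exe");
    if (r == 3) printf("all three sizes in range, on to MessageLoop\n");
    else printf("%s out of range: PostQuitMessage\n", rules[r].name);

    /* One byte too big on the main file, as after a careless patch. */
    write_bytes("sample_Ufony.exe", 0x1AC03);
    r = self_check("sample_hlclass.dll", "sample_hlsond.dll", "sample_Ufony.exe");
    printf("after growing the main file: rule %d (%s) fails\n",
           r, r < 3 ? rules[r].name : "none");
    return 0;
}
```

Two things the model makes visible that the listing hides: each check is a small inclusive range (0x251FE to 0x25203 for hlclass.dll, six bytes wide), not an exact size, so a stub or inline patch that keeps the file within that window passes untouched; and the `cmp edx,ebx / ja` pairs are only the compiler's high-dword test of a 64-bit size, so the two `cmp eax,imm` lines are the only comparisons worth patching.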