Post 2
Took a look. This version works much better than the previous one. Keep it up, I'm behind you. Heh.
Post 3
Really? Hehe.
Post 4
Get stronger by being unpacked; everyone is welcome to come and break it.
Post 5
00404183 - FF6424 FC jmp dword ptr ss:[esp-4]
The real addresses of the functions are all right here.
Post 6
Impressive, much more impressive this time. If regkiller the expert says it's impressive, it must be really hard.
Post 7
OP, you're really good; I fiddled with it for ages and still couldn't figure it out, but restoring it is still doable.
00404170 jmp 00404179
00404172 xor dword ptr [esp],0x4142 ; 'AB'
00404179 xor dword ptr [esp],0x3839 ; '89'
00404180 add esp,4
00404183 jmp dword ptr [esp-0x4]
Manually restoring it:
00401000 push 0
00401002 call 00404000 //GetModuleHandleA
00401007 mov [0040303C],eax
0040100C push 0xA
0040100E push 0
00401010 push 0
00401012 push dword ptr [0040303C]
00401018 call 00404000 //00401024
0040101D push 0
0040101F call 00404000
00401024 push ebp
00401025 mov ebp,esp
00401027 add esp,0xB0
0040102A mov dword ptr [ebp-0x30],0x30 ; '0'
00401031 mov dword ptr [ebp-0x2C],0x2003
00401038 mov dword ptr [ebp-0x28],0x401443
0040103F mov dword ptr [ebp-0x24],0x0
00401046 mov dword ptr [ebp-0x20],0x0
0040104D push dword ptr [ebp+0x8]
00401050 pop [ebp-0x1C]
00401053 mov dword ptr [ebp-0x10],0x10
0040105A mov dword ptr [ebp-0xC],0x0
00401061 mov dword ptr [ebp-0x8],0x403000 ; ".Alone"
00401068 push 0x64 ; 'd'
0040106A push dword ptr [ebp+0x8]
0040106D call 00404000 //LoadIconA
00401072 mov [ebp-0x18],eax
00401075 push 0x7F00
0040107A push 0
0040107C call 00404000 //LoadCursorA
00401081 mov [ebp-0x14],eax
00401084 mov dword ptr [ebp-0x4],0x0
0040108B lea eax,[ebp-0x30]
0040108E push eax
0040108F call 00404000 //RegisterClassExA
00401094 push 0
00401096 push dword ptr [ebp+0x8]
00401099 push 0
0040109B push 0
0040109D push 0x320
004010A2 push 0x320
004010A7 push 0xC8
004010AC push 0xC8
004010B1 push 0xCF0000
004010B6 push 0x403027 ; "[易经]六十四卦圆图"
004010BB push 0x403000 ; ".Alone"
004010C0 push 0
004010C2 call 00404000 //CreateWindowExA
004010C7 mov [ebp-0x50],eax
004010CA push 1
004010CC push dword ptr [ebp-0x50]
004010CF call 00404000 //ShowWindow
004010D4 push dword ptr [ebp-0x50]
004010D7 call 00404000 //UpdateWindow
004010DC push 0
004010DE push 0
004010E0 push 0
004010E2 lea eax,[ebp-0x4C]
004010E5 push eax
004010E6 call 00404000 //GetMessageA
004010EB cmp eax,0
004010EE jz 00401104
004010F0 lea eax,[ebp-0x4C]
004010F3 push eax
004010F4 call 00404000 //TranslateMessage
004010F9 lea eax,[ebp-0x4C]
004010FC push eax
004010FD call 00404000 //DispatchMessageA
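The stub quoted in post 5 and at the top of post 7 decodes its own return address and then jumps through it. The following is an added example, not code from the thread or from the crackme's author: a small Python emulator of exactly those five instructions, fed with the listing as quoted above. It assumes (the thread shows `call 00404000`, but the quoted stub starts at 00404170) that the code at 00404170 is the whole path from the call to the indirect `jmp`, and that every `call 00404000` site is the 5-byte E8 rel32 form; `STUB_ENTRY`, `CALL_LEN` and the initial stack pointer are constructed values. Run over the first call site of the restored listing, it shows two things the listing only implies: the `xor dword ptr [esp],0x4142` at 00404172 is never executed because the `jmp` at 00404170 skips it, and the value the final `jmp dword ptr [esp-0x4]` reads is simply the return address that `call` pushed, XORed with 0x3839, so the landing address depends only on the call site.

```python
import re

# Stub listing as quoted in post 7 of the thread (transcribed from the post,
# not taken from the binary). ASSUMPTION: this is the complete path between
# `call 00404000` and the real target.
STUB_LISTING = """
00404170 jmp 00404179
00404172 xor dword ptr [esp],0x4142 ; 'AB'
00404179 xor dword ptr [esp],0x3839 ; '89'
00404180 add esp,4
00404183 jmp dword ptr [esp-0x4]
"""

STUB_ENTRY = 0x00404170   # assumption: where `call 00404000` ends up
CALL_LEN = 5              # E8 rel32 is 5 bytes -> return address = site + 5
MASK32 = 0xFFFFFFFF


def parse_listing(text):
    """Turn 'ADDR mnemonic operands ; comment' lines into {addr: 'mnemonic operands'}."""
    insns = {}
    for line in text.strip().splitlines():
        addr, _, rest = line.strip().partition(" ")
        insns[int(addr, 16)] = rest.split(";", 1)[0].strip()
    return insns


def _fallthrough(insns, eip):
    """Next instruction in listing order; the listing is contiguous, so this
    stands in for eip + instruction length."""
    later = [a for a in insns if a > eip]
    if not later:
        raise ValueError(f"no instruction after {eip:08X}")
    return min(later)


def emulate_stub(insns, entry, return_address):
    """Execute the stub with the state a `call` leaves behind: the return
    address on top of the stack. Returns (target, trace), where target is
    what the final `jmp dword ptr [esp-N]` transfers to and trace lists the
    addresses that were actually executed."""
    esp = 0x0012FF00 - 4            # constructed stack pointer; exact value is irrelevant
    stack = {esp: return_address}   # sparse 32-bit stack keyed by address
    eip, trace = entry, []
    while True:
        if eip not in insns:
            raise ValueError(f"control left the stub at {eip:08X}")
        trace.append(eip)
        text = insns[eip]
        if m := re.fullmatch(r"jmp ([0-9A-Fa-f]+)", text):
            eip = int(m.group(1), 16)                     # direct jump (the skip at 00404170)
        elif m := re.fullmatch(r"xor dword ptr \[esp\],0x([0-9A-Fa-f]+)", text):
            stack[esp] = (stack[esp] ^ int(m.group(1), 16)) & MASK32  # rewrite return address in place
            eip = _fallthrough(insns, eip)
        elif m := re.fullmatch(r"add esp,(?:0x)?([0-9A-Fa-f]+)", text):
            esp += int(m.group(1), 16)                    # discard the slot without reading it
            eip = _fallthrough(insns, eip)
        elif m := re.fullmatch(r"jmp dword ptr \[esp-0x([0-9A-Fa-f]+)\]", text):
            return stack[esp - int(m.group(1), 16)], trace  # reads the slot just discarded
        else:
            raise ValueError(f"unsupported instruction at {eip:08X}: {text}")


def unreachable_in(insns, trace):
    """Listing addresses the run never touched, i.e. junk/dead instructions."""
    return sorted(set(insns) - set(trace))


def resolve_call_sites(insns, entry, call_sites, call_len=CALL_LEN):
    """Map each `call 00404000` site to the address the stub lands on for it."""
    return {site: emulate_stub(insns, entry, site + call_len)[0] for site in call_sites}


if __name__ == "__main__":
    insns = parse_listing(STUB_LISTING)
    # first `call 00404000` in the restored listing from post 7
    target, trace = emulate_stub(insns, STUB_ENTRY, 0x00401002 + CALL_LEN)
    print(f"call at 00401002 -> stub lands on {target:08X}")
    print("executed:", [f"{a:08X}" for a in trace])
    print("never executed:", [f"{a:08X}" for a in unreachable_in(insns, trace)])
```

Under these assumptions the call at 00401002 lands on 0040283E. The thread's own annotations (GetModuleHandleA, LoadIconA, ...) come from the poster's dynamic analysis, so output like this is something to compare against those annotations, not a replacement for them: if the real stub has stages the quoted listing does not show, the emulated landing address will differ from the API that is actually reached.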
Post 8
[QUOTE=accessd;894267]OP, you're really good; I fiddled with it for ages and still couldn't figure it out, but restoring it is still doable.
00404170 jmp 00404179
00404172 xor dword ptr [esp],0x4142 ; 'AB'
00404179 xor dword...[/QUOTE]
They want a script-based restore; waiting for S大's script.
Post 9
[QUOTE=accessd;894267]OP, you're really good; I fiddled with it for ages and still couldn't figure it out, but restoring it is still doable.
00404170 jmp 00404179
00404172 xor dword ptr [esp],0x4142 ; 'AB'
00404179 xor dword...[/QUOTE]
No code was stolen, so restoring it is still quite easy.
Post 10
A suggestion for the OP: why not implement the contents of the CALLs yourself and then add a VM. For example, for CALL MessageBox, implement the API code yourself directly and wrap that API code in several layers of virtual machine. That way restoring it actually gets interesting, and people will want to play with it.