最新魔兽皇冠外挂SVKP 1.3x - Pavol Cerven脱壳-加壳脱壳-看雪-安全社区|安全招聘|kanxue.com

最新魔兽皇冠外挂SVKP 1.3x - Pavol Cerven脱壳

2005-8-23 18:19 14324

最新魔兽皇冠外挂SVKP 1.3x - Pavol Cerven脱壳

stasi

2005-8-23 18:19

14324

【破解作者】 stasi[DCM][BCG][DFCG][FCG][OCN][CZG][D.4s]
【作者邮箱】 stasi@163.com
【作者主页】 www.icehack.org/stasi
【使用工具】 od
【破解平台】 Win9x/NT/2000/XP
【软件名称】魔兽皇冠5.0.0805免费版
【下载地址】 www.baidu.com
【软件简介】 1、新增快速施法功能。只须按一次键即可快速连续施法。
         2、新增快速全修功能。只须按一次键即可快速修理身上全部装备。
         3、新增快速全卖功能。只须按一次键即可快速卖出行囊中的全部物品。
         4、新增周围NPC显示功能。可显示周围所有NPC名称及坐标。
         5、新增数字显示功能。可在目标窗口数字显示目标状态。
         6、新增F12切换功能。重复按F12可极为方便地切换游戏和皇冠。
         7、优化自动打怪功能。

详细使用方法请阅读使用说明！
【软件大小】 600k
【加壳方式】 SVKP 1.3x -> Pavol Cerven
【破解声明】我是一只小菜鸟，偶得一点心得，愿与大家分享：）
--------------------------------------------------------------------------------
【破解内容】

0040C000 w>  60             pushad                            入口
0040C001    E8 00000000    call wowcrown.0040C006
0040C006    5D             pop ebp
0040C007    81ED 06000000 sub ebp,6
0040C00D    EB 05          jmp short wowcrown.0040C014
0040C00F    B8 49DC0F06    mov eax,60FDC49
0040C014    64:A0 23000000  mov al,byte ptr fs:[23]
0040C01A    EB 03          jmp short wowcrown.0040C01F
0040C01C    C784E8 84C0EB03>mov dword ptr ds:[eax+ebp*8+3EBC084]>
0040C027    67:B9 49000000  mov ecx,49
0040C02D    8DB5 C5020000 lea esi,dword ptr ss:[ebp+2C5]

0012E3B6    6285 1E220000 bound eax,qword ptr ss:[ebp+221E] 标志异常
0012E3BC    EB 02          jmp short 0012E3C0
0012E3BE    0FE88B D1EB02CD psubsb mm1,qword ptr ds:[ebx+CD02EBD>
0012E3C5    208B C2EB02CD and byte ptr ds:[ebx+CD02EBC2],cl
0012E3CB    208B 8A401600 and byte ptr ds:[ebx+16408A],cl
0012E3D1    008B 89740100 add byte ptr ds:[ebx+17489],cl
0012E3D7    00BA 61110000 add byte ptr ds:[edx+1161],bh
0012E3DD    68 00400000    push 4000

区段名被清空，下断PE header，只要是IAT在的段就行
内存映射，项目 11
地址=00400000
大小=0002D000 (184320.)
宿主=wowcrown 00400000
区段=
包含=PE header
类型=Imag 01001002
访问=R
初始访问=RWE

下断点bp GetModuleHandleA＋5 （od下这个断点在2000下是不是有问题?）

shift＋f9断下，取消断点，ctrl＋f9返回主程序。

ctrl＋f搜索特征码

cmp dword ptr ds:[ebx],251097CC

06055778    813B CC971025 cmp dword ptr ds:[ebx],251097CC    冲这来
0605577E    0F84 41170000 je 06056EC5这里的处理方法很多allnop也行，jmp 060557E4也行
06055784    813B C5B1662D cmp dword ptr ds:[ebx],2D66B1C5
0605578A    0F84 62180000 je 06056FF2
06055790    813B 9404B2D9 cmp dword ptr ds:[ebx],D9B20494
06055796    0F84 AA1C0000 je 06057446
0605579C    813B A41A86D0 cmp dword ptr ds:[ebx],D0861AA4
060557A2    0F84 58210000 je 06057900
060557A8    813B 706586B1 cmp dword ptr ds:[ebx],B1866570
060557AE    0F84 C1240000 je 06057C75
060557B4    813B 0E46769B cmp dword ptr ds:[ebx],9B76460E
060557BA    0F84 36280000 je 06057FF6
060557C0    813B DB0793E6 cmp dword ptr ds:[ebx],E69307DB
060557C6    0F84 76280000 je 06058042
060557CC    813B 627B6CA5 cmp dword ptr ds:[ebx],A56C7B62
060557D2    0F84 BA280000 je 06058092
060557D8    813B 664E96BB cmp dword ptr ds:[ebx],BB964E66
060557DE    0F84 00290000 je 060580E4
060557E4    813B 4506D75B cmp dword ptr ds:[ebx],5BD70645 点名批评这三个不良处理：）
060557EA    0F84 43290000 je 06058133
060557F0    813B 0DE0FC1D cmp dword ptr ds:[ebx],1DFCE00D
060557F6    0F84 83290000 je 0605817F
060557FC    813B 31DD0F00 cmp dword ptr ds:[ebx],0FDD31
06055802    0F84 C6290000 je 060581CE
06055808    813B 95B75126 cmp dword ptr ds:[ebx],2651B795
0605580E    0F84 132A0000 je 06058227                   jmp 06055850
06055814    813B B482F64B cmp dword ptr ds:[ebx],4BF682B4
0605581A    0F84 582A0000 je 06058278

搜索特征码
mov dword ptr ds:[edi],eax
popad

改成：
popad
mov dword ptr ds:[edi],eax  这方法真聪明，以后看能不能在其他地方用上：）

hr 0012FFB0

0012FCFB    E8 00000000    call 0012FD00
0012FD00    5D             pop ebp
0012FD01    E8 02000000    call 0012FD08
0012FD06    CD20 83042408 vxdcall 8240483
0012FD0C    C3             retn

模拟的干tc ebp==12ffc0

060DE7DB    55             push ebp
060DE7DC    E9 E0080000    jmp 060DF0C1          不断的乱序处理

060DF0C1    50             push eax
060DF0C2    B8 23E36501    mov eax,165E323
060DF0C7    294424 04    sub dword ptr ss:[esp+4],eax
060DF0CB    58             pop eax
060DF0CC    E9 21050000    jmp 060DF5F2          乘乱还要偷东西：（

下午在dfcg里聊天的时候，Dream:正在搞DVDFab的IAT，其实方法人人都会，就缺耐心了
stolen code的寻找其实就是比耐心了

没有其他更好的方法了，只能一行一行的找：（

push ebp
MOV EBP,ESP
PUSH -1
PUSH 0165E323
PUSH 060DE159
MOV EAX,DWORD PTR FS:[0]
PUSH EAX
mov dword ptr fs:[0],esp
sub esp,68
POP EBX
PUSH ESI
PUSH EDI
mov dword ptr ss:[ebp-18],esp
sub ebx,ebx
mov dword ptr ss:[ebp-4],ebx
PUSH 0012FFE0
call dword ptr ds:[4063C8]
pop ecx
call dword ptr ds:[4063CC]
mov ecx,dword ptr ds:[40998C]
mov dword ptr ds:[eax],ecx
call dword ptr ds:[4063E0]
mov ecx,dword ptr ds:[409988]
mov dword ptr ds:[eax],ecx
mov eax,dword ptr ds:[4063E4]
mov eax,dword ptr ds:[eax]
mov dword ptr ds:[409994],eax

在空的地方补全stolen code，最后跳到伪oep就行了

0040553C    55             push ebp                      这里新建oep
0040553D    8BEC          mov ebp,esp
0040553F    6A FF          push -1
00405541    68 23E36501    push 165E323
00405546    68 59E10D06    push 60DE159
0040554B    64:A1 00000000  mov eax,dword ptr fs:[0]
00405551    50             push eax
00405552    64:8925 0000000>mov dword ptr fs:[0],esp
00405559    83EC 68       sub esp,68
0040555C    5B             pop ebx
0040555D    56             push esi
0040555E    57             push edi
0040555F    8965 E8       mov dword ptr ss:[ebp-18],esp
00405562    2BDB          sub ebx,ebx
00405564    895D FC       mov dword ptr ss:[ebp-4],ebx
00405567    68 E0FF1200    push 12FFE0
0040556C    FF15 C8634000 call dword ptr ds:[4063C8]          ; msvcrt.__set_app_type
00405572    59             pop ecx
00405573    FF15 CC634000 call dword ptr ds:[4063CC]          ; msvcrt.__p__fmode
00405579    8B0D 8C994000 mov ecx,dword ptr ds:[40998C]
0040557F    8908          mov dword ptr ds:[eax],ecx
00405581    FF15 E0634000 call dword ptr ds:[4063E0]          ; msvcrt.__p__commode
00405587    8B0D 88994000 mov ecx,dword ptr ds:[409988]
0040558D    8908          mov dword ptr ds:[eax],ecx
0040558F    A1 E4634000    mov eax,dword ptr ds:[4063E4]
00405594    8B00          mov eax,dword ptr ds:[eax]
00405596    A3 94994000    mov dword ptr ds:[409994],eax
004055A6    E8 1C010000    call wowcrown.004056C7                伪oep
004055AB    391D 68984000 cmp dword ptr ds:[409868],ebx
004055B1    75 0C          jnz short wowcrown.004055BF
004055B3    68 C4564000    push wowcrown.004056C4
004055B8    FF15 E8634000 call dword ptr ds:[4063E8]          ; msvcrt.__setusermatherr
004055BE    59             pop ecx
004055BF    E8 EE000000    call wowcrown.004056B2
004055C4    68 1C904000    push wowcrown.0040901C
004055C9    68 18904000    push wowcrown.00409018

IAT全面修复，因为跳过了输入表的加密和特殊函数的处理，IAT就能全部dump出来，建立新的IAT
; Syntax for each function in a thunk (the separator is a TAB)
; ------------------------------------------------------------
; Flag RVA ModuleName Ordinal Name
;
; Details for  parameter:
; ------------------------------
; Flag:  0 = valid: no  -> - Name contains the address of the redirected API (you can set
;                         it to zero if you edit it).
;                         - Ordinal is not considered but you should let '0000' as value.
;                         - ModuleName is not considered but you should let '?' as value.
;
;       1 = valid: yes -> All next parameters on the line will be considered.
;                         Function imported by ordinal must have no name (the 4th TAB must
;                                                                         be there though).
;
;       2 = 和 0 相同，但它是为了这个载入器。
;
;       3 = 和 1 相同，但它是为了这个载入器。
;
; 并且最后，当编辑这个文件之时你同样也有危险！ :-)

目标: C:\Documents and Settings\shaojiajun\桌面\wowcrown.exe
OEP: 0000553C IATRVA: 00006000 IATSize: 00000444

FThunk: 00006000 NbFunc: 00000003
1 00006000 advapi32.dll 018C RegCloseKey
1 00006004 advapi32.dll 0193 RegDeleteKeyA
1 00006008 advapi32.dll 0190 RegCreateKeyExA

FThunk: 00006010 NbFunc: 00000006
1 00006010 kernel32.dll 0175 GetSystemDirectoryA
1 00006014 kernel32.dll 002C CopyFileA
1 00006018 kernel32.dll 016B GetStartupInfoA
1 0000601C kernel32.dll 013F GetModuleHandleA
1 00006020 kernel32.dll 0295 SetEvent
1 00006024 kernel32.dll 0158 GetProcAddress

FThunk: 0000602C NbFunc: 000000CD
1 0000602C mfc42.dll 12F5
1 00006030 mfc42.dll 0A18
1 00006034 mfc42.dll 09D2
1 00006038 mfc42.dll 17A4
1 0000603C mfc42.dll 0EF1
1 00006040 mfc42.dll 06EF
1 00006044 mfc42.dll 1137
1 00006048 mfc42.dll 1479
1 0000604C mfc42.dll 0951
1 00006050 mfc42.dll 142B
1 00006054 mfc42.dll 18E6
1 00006058 mfc42.dll 1101
1 0000605C mfc42.dll 14A0
1 00006060 mfc42.dll 0ED6
1 00006064 mfc42.dll 12E5
1 00006068 mfc42.dll 1159
1 0000606C mfc42.dll 0A58
1 00006070 mfc42.dll 0807
1 00006074 mfc42.dll 18E8
1 00006078 mfc42.dll 0BA6
1 0000607C mfc42.dll 13C9
1 00006080 mfc42.dll 06BF
1 00006084 mfc42.dll 148D
1 00006088 mfc42.dll 098E
1 0000608C mfc42.dll 084C
1 00006090 mfc42.dll 1479
1 00006094 mfc42.dll 0BA6
1 00006098 mfc42.dll 0BA6
1 0000609C mfc42.dll 0BA6
1 000060A0 mfc42.dll 06F0
1 000060A4 mfc42.dll 0C40
1 000060A8 mfc42.dll 0CBE
1 000060AC mfc42.dll 0BA9
1 000060B0 mfc42.dll 0C09
1 000060B4 mfc42.dll 0BA0
1 000060B8 mfc42.dll 0EF6
1 000060BC mfc42.dll 0EF1
1 000060C0 mfc42.dll 0EF1
1 000060C4 mfc42.dll 0BA6
1 000060C8 mfc42.dll 0FF0
1 000060CC mfc42.dll 1213
1 000060D0 mfc42.dll 1149
1 000060D4 mfc42.dll 0E0D
1 000060D8 mfc42.dll 0290
1 000060DC mfc42.dll 0281
1 000060E0 mfc42.dll 0237
1 000060E4 mfc42.dll 0144
1 000060E8 mfc42.dll 0339
1 000060EC mfc42.dll 0261
1 000060F0 mfc42.dll 08FE
1 000060F4 mfc42.dll 108A
1 000060F8 mfc42.dll 1266
1 000060FC mfc42.dll 0A55
1 00006100 mfc42.dll 19C5
1 00006104 mfc42.dll 1A90
1 00006108 mfc42.dll 0E89
1 0000610C mfc42.dll 1AE0
1 00006110 mfc42.dll 031B
1 00006114 mfc42.dll 1861
1 00006118 mfc42.dll 1935
1 0000611C mfc42.dll 094B
1 00006120 mfc42.dll 0320
1 00006124 mfc42.dll 035C
1 00006128 mfc42.dll 021C
1 0000612C mfc42.dll 08F1
1 00006130 mfc42.dll 0942
1 00006134 mfc42.dll 1241
1 00006138 mfc42.dll 10B2
1 0000613C mfc42.dll 18E7
1 00006140 mfc42.dll 1186
1 00006144 mfc42.dll 09FA
1 00006148 mfc42.dll 09D0
1 0000614C mfc42.dll 1663
1 00006150 mfc42.dll 0F52
1 00006154 mfc42.dll 0441
1 00006158 mfc42.dll 144F
1 0000615C mfc42.dll 095C
1 00006160 mfc42.dll 0D12
1 00006164 mfc42.dll 14B4
1 00006168 mfc42.dll 14B6
1 0000616C mfc42.dll 0AA5
1 00006170 mfc42.dll 0FEF
1 00006174 mfc42.dll 125A
1 00006178 mfc42.dll 14BB
1 0000617C mfc42.dll 14A9
1 00006180 mfc42.dll 1652
1 00006184 mfc42.dll 120E
1 00006188 mfc42.dll 0E9A
1 0000618C mfc42.dll 0231
1 00006190 mfc42.dll 032F
1 00006194 mfc42.dll 0A3D
1 00006198 mfc42.dll 046E
1 0000619C mfc42.dll 04AF
1 000061A0 mfc42.dll 04DF
1 000061A4 mfc42.dll 19FA
1 000061A8 mfc42.dll 19BF
1 000061AC mfc42.dll 1118
1 000061B0 mfc42.dll 068F
1 000061B4 mfc42.dll 068F
1 000061B8 mfc42.dll 068F
1 000061BC mfc42.dll 068F
1 000061C0 mfc42.dll 068F
1 000061C4 mfc42.dll 068F
1 000061C8 mfc42.dll 1251
1 000061CC mfc42.dll 068F
1 000061D0 mfc42.dll 1282
1 000061D4 mfc42.dll 068F
1 000061D8 mfc42.dll 068F
1 000061DC mfc42.dll 1251
1 000061E0 mfc42.dll 1251
1 000061E4 mfc42.dll 1282
1 000061E8 mfc42.dll 1282
1 000061EC mfc42.dll 1AC8
1 000061F0 mfc42.dll 1A98
1 000061F4 mfc42.dll 068F
1 000061F8 mfc42.dll 11ED
1 000061FC mfc42.dll 10F5
1 00006200 mfc42.dll 1323
1 00006204 mfc42.dll 10F5
1 00006208 mfc42.dll 131C
1 0000620C mfc42.dll 068F
1 00006210 mfc42.dll 13D4
1 00006214 mfc42.dll 10F4
1 00006218 mfc42.dll 10FB
1 0000621C mfc42.dll 1270
1 00006220 mfc42.dll 1319
1 00006224 mfc42.dll 11B3
1 00006228 mfc42.dll 11C1
1 0000622C mfc42.dll 11AC
1 00006230 mfc42.dll 095F
1 00006234 mfc42.dll 11AC
1 00006238 mfc42.dll 11AC
1 0000623C mfc42.dll 1363
1 00006240 mfc42.dll 1360
1 00006244 mfc42.dll 100C
1 00006248 mfc42.dll 17A6
1 0000624C mfc42.dll 14A1
1 00006250 mfc42.dll 0EA4
1 00006254 mfc42.dll 06BD
1 00006258 mfc42.dll 148C
1 0000625C mfc42.dll 19D6
1 00006260 mfc42.dll 1A23
1 00006264 mfc42.dll 1150
1 00006268 mfc42.dll 0297
1 0000626C mfc42.dll 047A
1 00006270 mfc42.dll 0490
1 00006274 mfc42.dll 015C
1 00006278 mfc42.dll 194E
1 0000627C mfc42.dll 1972
1 00006280 mfc42.dll 047F
1 00006284 mfc42.dll 029C
1 00006288 mfc42.dll 0AD2
1 0000628C mfc42.dll 039C
1 00006290 mfc42.dll 0164
1 00006294 mfc42.dll 1837
1 00006298 mfc42.dll 04A9
1 0000629C mfc42.dll 04B0
1 000062A0 mfc42.dll 0219
1 000062A4 mfc42.dll 1A95
1 000062A8 mfc42.dll 0A52
1 000062AC mfc42.dll 0B02
1 000062B0 mfc42.dll 0B04
1 000062B4 mfc42.dll 02F3
1 000062B8 mfc42.dll 01D6
1 000062BC mfc42.dll 0451
1 000062C0 mfc42.dll 1847
1 000062C4 mfc42.dll 18BE
1 000062C8 mfc42.dll 03BD
1 000062CC mfc42.dll 0959
1 000062D0 mfc42.dll 0318
1 000062D4 mfc42.dll 025B
1 000062D8 mfc42.dll 1540
1 000062DC mfc42.dll 15C4
1 000062E0 mfc42.dll 0AF1
1 000062E4 mfc42.dll 18EF
1 000062E8 mfc42.dll 0B63
1 000062EC mfc42.dll 03AB
1 000062F0 mfc42.dll 03AC
1 000062F4 mfc42.dll 035B
1 000062F8 mfc42.dll 0337
1 000062FC mfc42.dll 0111
1 00006300 mfc42.dll 020C
1 00006304 mfc42.dll 0317
1 00006308 mfc42.dll 081D
1 0000630C mfc42.dll 020B
1 00006310 mfc42.dll 184F
1 00006314 mfc42.dll 106C
1 00006318 mfc42.dll 188B
1 0000631C mfc42.dll 035A
1 00006320 mfc42.dll 02C6
1 00006324 mfc42.dll 1045
1 00006328 mfc42.dll 019C
1 0000632C mfc42.dll 10B3
1 00006330 mfc42.dll 1479
1 00006334 mfc42.dll 0DF6
1 00006338 mfc42.dll 1148
1 0000633C mfc42.dll 0D4A
1 00006340 mfc42.dll 14AA
1 00006344 mfc42.dll 112C
1 00006348 mfc42.dll 06F0
1 0000634C mfc42.dll 0BA6
1 00006350 mfc42.dll 096B
1 00006354 mfc42.dll 1A97
1 00006358 mfc42.dll 0E1A
1 0000635C mfc42.dll 0628

FThunk: 00006364 NbFunc: 00000011
1 00006364 msvcp60.dll 0339
1 00006368 msvcp60.dll 0407
1 0000636C msvcp60.dll 03F3
1 00006370 msvcp60.dll 034B
1 00006374 msvcp60.dll 032E
1 00006378 msvcp60.dll 0393
1 0000637C msvcp60.dll 03F9
1 00006380 msvcp60.dll 0662
1 00006384 msvcp60.dll 041D
1 00006388 msvcp60.dll 00EA
1 0000638C msvcp60.dll 0048
1 00006390 msvcp60.dll 0421
1 00006394 msvcp60.dll 0216
1 00006398 msvcp60.dll 0218
1 0000639C msvcp60.dll 052A
1 000063A0 msvcp60.dll 0219
1 000063A4 msvcp60.dll 0406

FThunk: 000063AC NbFunc: 00000018
1 000063AC msvcrt.dll 0044 _CxxThrowException
1 000063B0 msvcrt.dll 01B8 _setmbcp
1 000063B4 msvcrt.dll 01A0 _purecall
1 000063B8 msvcrt.dll 0058 __dllonexit
1 000063BC msvcrt.dll 00BA _controlfp
1 000063C0 msvcrt.dll 0193 _onexit
1 000063C4 msvcrt.dll 00CE _except_handler3
1 000063C8 msvcrt.dll 0084 __set_app_type
1 000063CC msvcrt.dll 0072 __p__fmode
1 000063D0 msvcrt.dll 0009 ??0exception@@QAE@XZ
1 000063D4 msvcrt.dll 000A ??1__non_rtti_object@@UAE@XZ
1 000063D8 msvcrt.dll 0008 ??0exception@@QAE@ABV0@@Z
1 000063DC msvcrt.dll 004C __CxxFrameHandler
1 000063E0 msvcrt.dll 006D __p__commode
1 000063E4 msvcrt.dll 00A0 _adjust_fdiv
1 000063E8 msvcrt.dll 0086 __setusermatherr
1 000063EC msvcrt.dll 011A _initterm
1 000063F0 msvcrt.dll 005B __getmainargs
1 000063F4 msvcrt.dll 0092 _acmdln
1 000063F8 msvcrt.dll 025F exit
1 000063FC msvcrt.dll 004B _XcptFilter
1 00006400 msvcrt.dll 00D7 _exit
1 00006404 msvcrt.dll 000E ??1type_info@@UAE@XZ
1 00006408 msvcrt.dll 02AE memmove

FThunk: 00006410 NbFunc: 0000000C
1 00006410 user32.dll 01E4 PostMessageA
1 00006414 user32.dll 0191 IsIconic
1 00006418 user32.dll 014A GetSystemMetrics
1 0000641C user32.dll 00AC DrawIcon
1 00006420 user32.dll 019A KillTimer
1 00006424 user32.dll 0219 SendMessageA
1 00006428 user32.dll 0258 SetTimer
1 0000642C user32.dll 01E6 PostQuitMessage
1 00006430 user32.dll 01A3 LoadIconA
1 00006434 user32.dll 0161 GetWindowRect
1 00006438 user32.dll 00BA EnableWindow
1 0000643C user32.dll 00F4 GetClientRect

完整输入表：

004063AC  780070D4  msvcrt._CxxThrowException
004063B0  7800162D  msvcrt._setmbcp
004063B4  7800BC73  msvcrt._purecall
004063B8  7801E504  msvcrt.__dllonexit
004063BC  78001EC9  msvcrt._controlfp
004063C0  7801E417  msvcrt._onexit
004063C4  7800BD6A  msvcrt._except_handler3
004063C8  7800776E  msvcrt.__set_app_type
004063CC  78007FD7  msvcrt.__p__fmode
004063D0  780092E9  msvcrt.exception::exception
004063D4  780074BC  msvcrt.exception::~exception
004063D8  78009337  msvcrt.exception::exception
004063DC  78007191  msvcrt.__CxxFrameHandler
004063E0  78007FB9  msvcrt.__p__commode
004063E4  7803A670  offset msvcrt._adjust_fdiv
004063E8  78007778  msvcrt.__setusermatherr
004063EC  7800119B  msvcrt._initterm
004063F0  78007EDA  msvcrt.__getmainargs
004063F4  7803A020  offset msvcrt._acmdln
004063F8  78007C53  msvcrt.exit
004063FC  7800C03E  msvcrt._XcptFilter
00406400  78007CDA  msvcrt._exit
00406404  7800756F  msvcrt.type_info::~type_info
00406408  7800FFB4  msvcrt.memmove
0040640C  00000000
00406410  77DF58B4  USER32.PostMessageA
00406414  77DF4C88  USER32.IsIconic
00406418  77DF5B67  USER32.GetSystemMetrics
0040641C  77DF6BE4  USER32.DrawIcon
00406420  77DF382E  USER32.KillTimer
00406424  77DF5366  USER32.SendMessageA
00406428  77DF356A  USER32.SetTimer
0040642C  77E13B6A  USER32.PostQuitMessage
00406430  77E070DA  USER32.LoadIconA
00406434  77DF5AAE  USER32.GetWindowRect
00406438  77DF54CA  USER32.EnableWindow
0040643C  77DF36EB  USER32.GetClientRect

内存映射
地址    大小 ? 宿主    区段    包含                类型             访问       初始访问
00400000 00001000 dumped_             PE header          Imag 01001002    R          RWE
00401000 00005000 dumped_             code                Imag 01001002    R          RWE
00406000 00003000 dumped_             data                Imag 01001002    R          RWE
00409000 00001000 dumped_                                  Imag 01001002    R          RWE
0040A000 00002000 dumped_             resources          Imag 01001002    R          RWE
0040C000 00021000 dumped_             relocations       Imag 01001002    R          RWE
0042D000 00001000 dumped_ .mackt    imports             Imag 01001002    R          RWE

没什么能减肥的了：）

peid:Microsoft Visual C++

MISSION ALL OVER！

--------------------------------------------------------------------------------
【破解总结】

终于看到外挂的恐怖了，写的比破的快多了，8月5号出了一版，8月6号又出了一版，24小时后又出了一版。。。。。。

--------------------------------------------------------------------------------
【版权声明】本文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!
                                             2005-8-21
附件:dumped_.rar

阿里云助力开发者！2核2G 3M带宽不限流量！6.18限时价，开发者可享99元/年，续费同价！

收藏・1

点赞・7

打赏

最新回复 (21)
CoreWar 雪币： 0 能力值： (RANK：10 ) 在线值：发帖 0 回帖 35 粉丝 0 关注私信	CoreWar 2005-8-23 19:53 2 楼 0 牛人,上一下.
hyd009 雪币： 201 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 2 回帖 143 粉丝 0 关注私信	hyd009 2005-8-23 20:42 3 楼 0 写的不清楚，看不明白
ljy3282393 雪币： 214 活跃值： (15) 能力值： ( LV4，RANK：50 ) 在线值：发帖 2 回帖 426 粉丝 1 关注私信	ljy3282393 1 2005-8-23 23:20 4 楼 0 最初由 hyd009 发布写的不清楚，看不明白不是写的不清楚，而是因为：菜鸟写的文章一般比较详细，大家都看得明白；高手写的文章一般比较简略（个别除外），只有高手才看得明白！BTW：我也看不明白，所以我也是菜鸟一只！
chinadev 雪币： 0 能力值： (RANK：10 ) 在线值：发帖 22 回帖 439 粉丝 0 关注私信	chinadev 2005-8-24 02:30 5 楼 0 呵呵~在6月份的时候我也写了这个的文章可惜那时候没注册到号没发上来嘿嘿，比这个详细抽取了106字节。。。
aki 雪币： 223 活跃值： (70) 能力值： ( LV6，RANK：90 ) 在线值：发帖 17 回帖 592 粉丝 0 关注私信	aki 2 2005-8-24 08:41 6 楼 0 这个没有嵌入加密.有兴趣你看下冰橙子的挂.我花了整整一个上午才搞定嵌入加密.花指令倒是简单.
夜凉如水雪币： 136 活跃值： (105) 能力值： ( LV9，RANK：140 ) 在线值：发帖 18 回帖 719 粉丝 1 关注私信	夜凉如水 3 2005-8-24 10:46 7 楼 0 冰橙子有教程了自己去看看就知道了
pendan2001 雪币： 61 活跃值： (160) 能力值： ( LV9，RANK：170 ) 在线值：发帖 25 回帖 1180 粉丝 0 关注私信	pendan2001 4 2005-8-24 16:21 8 楼 0 good
baby2008 雪币： 442 活跃值： (1216) 能力值： ( LV12，RANK：1130 ) 在线值：发帖 87 回帖 1435 粉丝 5 关注私信	baby2008 28 2005-8-24 16:35 9 楼 0 楼上的兄弟,你看看自己灌了多少goooood
xIkUg 雪币： 116 活跃值： (220) 能力值： ( LV12，RANK：370 ) 在线值：发帖 27 回帖 675 粉丝 4 关注私信	xIkUg 9 2005-8-24 17:26 10 楼 0 赞一个。。。
lnn1123 雪币： 234 活跃值： (370) 能力值： ( LV9，RANK：530 ) 在线值：发帖 39 回帖 765 粉丝 0 关注私信	lnn1123 13 2005-8-24 18:01 11 楼 0 看不懂也顶
yunfeng 雪币： 269 活跃值： (46) 能力值： ( LV4，RANK：50 ) 在线值：发帖 3 回帖 489 粉丝 0 关注私信	yunfeng 1 2005-8-25 10:15 12 楼 0 看不明白，以后再慢慢看。
aki 雪币： 223 活跃值： (70) 能力值： ( LV6，RANK：90 ) 在线值：发帖 17 回帖 592 粉丝 0 关注私信	aki 2 2005-8-25 11:45 13 楼 0 最初由夜凉如水发布冰橙子有教程了自己去看看就知道了你不明白我说的是什么意思。另：冰橙子那个贴是我写的。
夜凉如水雪币： 136 活跃值： (105) 能力值： ( LV9，RANK：140 ) 在线值：发帖 18 回帖 719 粉丝 1 关注私信	夜凉如水 3 2005-8-25 15:34 14 楼 0 哦哪个是你写的那是我没有记住作者不好意思啊!!!
寒江雪雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 90 粉丝 0 关注私信	寒江雪 2005-8-25 17:09 15 楼 0 最初由 ljy3282393 发布不是写的不清楚，而是因为：菜鸟写的文章一般比较详细，大家都看得明白；高手写的文章一般比较简略（个别除外），只有高手才看得明白！BTW：我也看不明白，所以我也是菜鸟一只！完全正确
leon 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 4 粉丝 0 关注私信	leon 2005-8-26 01:04 16 楼 0 还是看不太明白
wxj_2008 雪币： 155 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 5 回帖 84 粉丝 0 关注私信	wxj_2008 2005-12-12 09:54 17 楼 0 hehe,good
hclz 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 3 回帖 31 粉丝 0 关注私信	hclz 2005-12-13 19:11 18 楼 0 很好 ,谢谢
chasgone 雪币： 217 活跃值： (61) 能力值： ( LV6，RANK：90 ) 在线值：发帖 4 回帖 94 粉丝 1 关注私信	chasgone 2 2005-12-19 12:38 19 楼 0 我有个程序也是这个壳，脱壳并修复后，发现无法运行，用od打开发现，oep附近的几个call有问题，它们调用居然是exitprocess函数。请问这个是什么原因，怎么解决？谢谢 BTW，我以前也脱过两个这个版本的壳，没发现这种情况。
chasgone 雪币： 217 活跃值： (61) 能力值： ( LV6，RANK：90 ) 在线值：发帖 4 回帖 94 粉丝 1 关注私信	chasgone 2 2005-12-20 13:20 20 楼 0 下面是我的输入表，大家帮我看看有没有问题，无效的函数我全部cut掉了，关于那三个特殊函数我没处理。 ; Syntax for each function in a thunk (the separator is a TAB) ; ------------------------------------------------------------ ; Flag RVA ModuleName Ordinal Name ; ; Details for <Valid> parameter: ; ------------------------------ ; Flag: 0 = valid: no -> - Name contains the address of the redirected API (you can set ; it to zero if you edit it). ; - Ordinal is not considered but you should let '0000' as value. ; - ModuleName is not considered but you should let '?' as value. ; ; 1 = valid: yes -> All next parameters on the line will be considered. ; Function imported by ordinal must have no name (the 4th TAB must ; be there though). ; ; 2 = Equivalent to 0 but it is for the loader. ; ; 3 = Equivalent to 1 but it is for the loader. ; ; 4 = Equivalent to 0 with (R) tag. ; ; 5 = Equivalent to 1 with (R) tag. ; ; And finally, edit this file as your own risk! :-) Target: F:\chasgone\脱壳\hx55g+\hx.exe OEP: 00001000 IATRVA: 000883D0 IATSize: 00001500 FThunk: 000883D4 NbFunc: 00000066 1 000883D4 kernel32.dll 0032 CloseHandle 1 000883D8 kernel32.dll 0038 CompareStringA 1 000883DC kernel32.dll 004C CreateEventA 1 000883E0 kernel32.dll 0050 CreateFileA 1 000883E4 kernel32.dll 0063 CreateProcessA 1 000883E8 kernel32.dll 006D CreateThread 1 000883EC kernel32.dll 0077 DebugBreak 1 000883F0 kernel32.dll 0080 DeleteCriticalSection 1 000883F4 kernel32.dll 0097 EnterCriticalSection 1 000883F8 kernel32.dll 0098 EnumCalendarInfoA 1 000883FC kernel32.dll 00B7 ExitProcess 1 00088400 kernel32.dll 00B8 ExitThread 1 00088404 kernel32.dll 00C2 FileTimeToDosDateTime 1 00088408 kernel32.dll 00C3 FileTimeToLocalFileTime 1 0008840C kernel32.dll 00CD FindClose 1 00088410 kernel32.dll 00D1 FindFirstFileA 1 00088414 kernel32.dll 00E0 FindResourceA 1 00088418 kernel32.dll 00EC FormatMessageA 1 0008841C kernel32.dll 00F1 FreeLibrary 1 00088420 kernel32.dll 00F3 FreeResource 1 00088424 kernel32.dll 00F7 GetACP 1 00088428 kernel32.dll 00FE GetCPInfo 1 0008842C kernel32.dll 010A GetCommandLineA 1 00088430 kernel32.dll 010E GetComputerNameA 1 00088434 kernel32.dll 013D GetCurrentProcessId 1 00088438 kernel32.dll 013F GetCurrentThreadId 1 0008843C kernel32.dll 0140 GetDateFormatA 1 00088440 kernel32.dll 0146 GetDiskFreeSpaceA 1 00088444 kernel32.dll 014E GetEnvironmentStrings 1 00088448 kernel32.dll 0154 GetExitCodeThread 1 0008844C kernel32.dll 015C GetFileSize 1 00088450 kernel32.dll 015F GetFileType 1 00088454 kernel32.dll 0169 GetLastError 1 00088458 kernel32.dll 016B GetLocalTime 1 0008845C kernel32.dll 016C GetLocaleInfoA 1 00088460 kernel32.dll 0174 GetModuleFileNameA 1 00088464 kernel32.dll 0176 GetModuleHandleA 1 00088468 kernel32.dll 018B GetOEMCP 1 0008846C kernel32.dll 0194 GetPrivateProfileStringA 1 00088470 kernel32.dll 0198 GetProcAddress 1 00088474 kernel32.dll 019B GetProcessHeap 1 00088478 kernel32.dll 01AD GetStartupInfoA 1 0008847C kernel32.dll 01AF GetStdHandle 1 00088480 kernel32.dll 01B3 GetStringTypeW 1 00088484 kernel32.dll 01B9 GetSystemInfo 1 00088488 kernel32.dll 01CD GetThreadLocale 1 0008848C kernel32.dll 01D2 GetTickCount 1 00088490 kernel32.dll 01D6 GetUserDefaultLCID 1 00088494 kernel32.dll 01DB GetVersion 1 00088498 kernel32.dll 01DC GetVersionExA 1 0008849C kernel32.dll 01E9 GlobalAddAtomA 1 000884A0 kernel32.dll 01EB GlobalAlloc 1 000884A4 kernel32.dll 01ED GlobalDeleteAtom 1 000884A8 kernel32.dll 01F2 GlobalFree 1 000884AC kernel32.dll 01F5 GlobalHandle 1 000884B0 kernel32.dll 01F6 GlobalLock 1 000884B4 kernel32.dll 01F9 GlobalReAlloc 1 000884B8 kernel32.dll 01FA GlobalSize 1 000884BC kernel32.dll 01FD GlobalUnlock 1 000884C0 kernel32.dll 0203 HeapAlloc 1 000884C4 kernel32.dll 0209 HeapFree 1 000884C8 kernel32.dll 0216 InitializeCriticalSection 1 000884CC kernel32.dll 021A InterlockedDecrement 1 000884D0 kernel32.dll 021E InterlockedIncrement 1 000884D4 kernel32.dll 0241 LeaveCriticalSection 1 000884D8 kernel32.dll 0242 LoadLibraryA 1 000884DC kernel32.dll 0243 LoadLibraryExA 1 000884E0 kernel32.dll 0247 LoadResource 1 000884E4 kernel32.dll 0248 LocalAlloc 1 000884E8 kernel32.dll 024C LocalFree 1 000884EC kernel32.dll 0255 LockResource 1 000884F0 kernel32.dll 0264 MulDiv 1 000884F4 kernel32.dll 0265 MultiByteToWideChar 1 000884F8 kernel32.dll 0297 RaiseException 1 000884FC kernel32.dll 02A4 ReadFile 1 00088500 kernel32.dll 02C0 ResumeThread 1 00088504 kernel32.dll 02C5 RtlUnwind 1 00088508 kernel32.dll 02DC SetConsoleCtrlHandler 1 0008850C kernel32.dll 02FE SetEndOfFile 1 00088510 kernel32.dll 0301 SetErrorMode 1 00088514 kernel32.dll 0302 SetEvent 1 00088518 kernel32.dll 0307 SetFilePointer 1 0008851C kernel32.dll 0255 LockResource 1 00088520 kernel32.dll 02BF RestoreLastError 1 00088524 kernel32.dll 032D SetThreadLocale 1 00088528 kernel32.dll 033E SizeofResource 1 0008852C kernel32.dll 033F Sleep 1 00088530 kernel32.dll 034C TlsAlloc 1 00088534 kernel32.dll 034D TlsFree 1 00088538 kernel32.dll 034E TlsGetValue 1 0008853C kernel32.dll 034F TlsSetValue 1 00088540 kernel32.dll 0358 UnhandledExceptionFilter 1 00088544 kernel32.dll 036B VirtualAlloc 1 00088548 kernel32.dll 036E VirtualFree 1 0008854C kernel32.dll 0373 VirtualQuery 1 00088550 kernel32.dll 037B WaitForSingleObject 1 00088554 kernel32.dll 037F WideCharToMultiByte 1 00088558 kernel32.dll 038C WriteFile 1 0008855C kernel32.dll 0391 WritePrivateProfileStringA 1 00088560 kernel32.dll 03AD lstrcpy 1 00088564 kernel32.dll 03B0 lstrcpyn 1 00088568 kernel32.dll 03B3 lstrlen FThunk: 00088570 NbFunc: 00000018 0 00088570 ? 0000 000896CC 0 00088574 ? 0000 000896DC 0 00088578 ? 0000 000896F2 0 0008857C ? 0000 00089706 0 00088580 ? 0000 0008971A 0 00088584 ? 0000 00089730 0 00088588 ? 0000 00089746 0 0008858C ? 0000 0008975C 0 00088590 ? 0000 00089778 0 00088594 ? 0000 0008978A 0 00088598 ? 0000 0008979E 0 0008859C ? 0000 000897B6 0 000885A0 ? 0000 000897D0 0 000885A4 ? 0000 000897E4 0 000885A8 ? 0000 000897FC 0 000885AC ? 0000 00089816 0 000885B0 ? 0000 00089828 0 000885B4 ? 0000 0008983C 0 000885B8 ? 0000 00089850 0 000885BC ? 0000 00089868 0 000885C0 ? 0000 00089880 0 000885C4 ? 0000 000898A0 0 000885C8 ? 0000 000898B8 0 000885CC ? 0000 000898CA FThunk: 000885D4 NbFunc: 00000018 1 000885D4 comctl32.dll 0027 ImageList_Add 1 000885D8 comctl32.dll 002A ImageList_BeginDrag 1 000885DC comctl32.dll 002C ImageList_Create 1 000885E0 comctl32.dll 002D ImageList_Destroy 1 000885E4 comctl32.dll 002E ImageList_DragEnter 1 000885E8 comctl32.dll 002F ImageList_DragLeave 1 000885EC comctl32.dll 0030 ImageList_DragMove 1 000885F0 comctl32.dll 0031 ImageList_DragShowNolock 0000 0008A002 0 00088924 ? 0000 0008A010 0 00088928 ? 0000 0008A01C 0 0008892C ? 0000 0008A02E 0 00088930 ? 0000 0008A040 0 00088934 ? 0000 0008A050 0 00088938 ? 0000 0008A05C 0 0008893C ? 0000 0008A070 0 00088940 ? 0000 0008A07E 0 00088944 ? 0000 0008A08A 0 00088948 ? 0000 0008A096 0 0008894C ? 0000 0008A0A4 0 00088950 ? 0000 0008A0B0 0 00088954 ? 0000 0008A0C2 0 00088958 ? 0000 0008A0D6 0 0008895C ? 0000 0008A0E4 0 00088960 ? 0000 0008A0F4 0 00088964 ? 0000 0008A104 0 00088968 ? 0000 0008A118 0 0008896C ? 0000 0008A124 0 00088970 ? 0000 0008A134 0 00088974 ? 0000 0008A13C 0 00088978 ? 0000 0008A146 0 0008897C ? 0000 0008A15A 0 00088980 ? 0000 0008A166 0 00088984 ? 0000 0008A17C 0 00088988 ? 0000 0008A18A 0 0008898C ? 0000 0008A19C 0 00088990 ? 0000 0008A1AA 0 00088994 ? 0000 0008A1BE 0 00088998 ? 0000 0008A1D6 0 0008899C ? 0000 0008A1EA 0 000889A0 ? 0000 0008A1FC 0 000889A4 ? 0000 0008A212 0 000889A8 ? 0000 0008A21C 0 000889AC ? 0000 0008A230 0 000889B0 ? 0000 0008A240 0 000889B4 ? 0000 0008A254 0 000889B8 ? 0000 0008A264 0 000889BC ? 0000 0008A276 0 000889C0 ? 0000 0008A288 0 000889C4 ? 0000 0008A294 0 000889C8 ? 0000 0008A2A0 0 000889CC ? 0000 0008A2B0 0 000889D0 ? 0000 0008A2C0 0 000889D4 ? 0000 0008A2D2 0 000889D8 ? 0000 0008A2E0 0 000889DC ? 0000 0008A2EE 0 000889E0 ? 0000 0008A302 0 000889E4 ? 0000 0008A312 0 000889E8 ? 0000 0008A31E 0 000889EC ? 0000 0008A32C 0 000889F0 ? 0000 0008A33E 0 000889F4 ? 0000 0008A354 0 000889F8 ? 0000 0008A364 0 000889FC ? 0000 0008A376 0 00088A00 ? 0000 0008A392 0 00088A04 ? 0000 0008A3A0 0 00088A08 ? 0000 0008A3AE 0 00088A0C ? 0000 0008A3C0 0 00088A10 ? 0000 0008A3D0 0 00088A14 ? 0000 0008A3E2 0 00088A18 ? 0000 0008A3EC 0 00088A1C ? 0000 0008A400 0 00088A20 ? 0000 0008A40C 0 00088A24 ? 0000 0008A41A 0 00088A28 ? 0000 0008A426 0 00088A2C ? 0000 0008A438 0 00088A30 ? 0000 0008A44A 0 00088A34 ? 0000 0008A456 0 00088A38 ? 0000 0008A462 0 00088A3C ? 0000 0008A470 0 00088A40 ? 0000 0008A47E 0 00088A44 ? 0000 0008A48A 0 00088A48 ? 0000 0008A4A0 0 00088A4C ? 0000 0008A4AE 0 00088A50 ? 0000 0008A4C0 0 00088A54 ? 0000 0008A4D2 0 00088A58 ? 0000 0008A4E0 0 00088A5C ? 0000 0008A4FC 0 00088A60 ? 0000 0008A50A 0 00088A64 ? 0000 0008A518 0 00088A68 ? 0000 0008A528 0 00088A6C ? 0000 0008A538 0 00088A70 ? 0000 0008A54A 0 00088A74 ? 0000 0008A556 0 00088A78 ? 0000 0008A568 0 00088A7C ? 0000 0008A584 0 00088A80 ? 0000 0008A59E 0 00088A84 ? 0000 0008A5B0 0 00088A88 ? 0000 0008A5BC 0 00088A8C ? 0000 0008A5CA 0 00088A90 ? 0000 0008A5D8 0 00088A94 ? 0000 0008A5EA 0 00088A98 ? 0000 0008A5FA 0 00088A9C ? 0000 0008A60A 0 00088AA0 ? 0000 0008A61C 0 00088AA4 ? 0000 0008A62A 0 00088AA8 ? 0000 0008A63A 0 00088AAC ? 0000 0008A646 0 00088AB0 ? 0000 0008A652 0 00088AB4 ? 0000 0008A668 0 00088AB8 ? 0000 0008A672 0 00088ABC ? 0000 0008A686 0 00088AC0 ? 0000 0008A692 0 00088AC4 ? 0000 0008A69C 0 00088AC8 ? 0000 0008A6AC 0 00088ACC ? 0000 0008A6BC 0 00088AD0 ? 0000 0008A6CE 0 00088AD4 ? 0000 0008A6DA 0 00088AD8 ? 0000 0008A6EC 0 00088ADC ? 0000 0008A702 0 00088AE0 ? 0000 0008A712 0 00088AE4 ? 0000 0008A724 0 00088AE8 ? 0000 0008A738 0 00088AEC ? 0000 0008A746 0 00088AF0 ? 0000 0008A758 0 00088AF4 ? 0000 0008A768 0 00088AF8 ? 0000 0008A776 0 00088AFC ? 0000 0008A78E 0 00088B00 ? 0000 0008A7A0 0 00088B04 ? 0000 0008A7B8 0 00088B08 ? 0000 0008A7CC 0 00088B0C ? 0000 0008A7E2 0 00088B10 ? 0000 0008A7F6 0 00088B14 ? 0000 0008A806 0 00088B18 ? 0000 0008A814 0 00088B1C ? 0000 0008A820 0 00088B20 ? 0000 0008A832 0 00088B24 ? 0000 0008A83E FThunk: 00088B2C NbFunc: 0000009E 1 00088B2C user32.dll 0001 ActivateKeyboardLayout 1 00088B30 user32.dll 0003 AdjustWindowRectEx 1 00088B34 user32.dll 000E BeginPaint 1 00088B38 user32.dll 001B CallNextHookEx 1 00088B3C user32.dll 001C CallWindowProcA 1 00088B40 user32.dll 0027 CharLowerA 1 00088B44 user32.dll 0028 CharLowerBuffA 1 00088B48 user32.dll 002B CharNextA 1 00088B4C user32.dll 003A CheckMenuItem 1 00088B50 user32.dll 0041 ClientToScreen 1 00088B54 user32.dll 0058 CreateIcon 1 00088B58 user32.dll 005E CreateMenu 1 00088B5C user32.dll 005F CreatePopupMenu 1 00088B60 user32.dll 0061 CreateWindowExA 1 00088B64 user32.dll 008A DefFrameProcA 1 00088B68 user32.dll 008C DefMDIChildProcA 1 00088B6C user32.dll 008F DefWindowProcA 1 00088B70 user32.dll 0092 DeleteMenu 1 00088B74 user32.dll 0096 DestroyCursor 1 00088B78 user32.dll 0096 DestroyCursor 1 00088B7C user32.dll 0098 DestroyMenu 1 00088B80 user32.dll 009A DestroyWindow 1 00088B84 user32.dll 00A2 DispatchMessageA 1 00088B88 user32.dll 00B3 DrawEdge 1 00088B8C user32.dll 00B4 DrawFocusRect 1 00088B90 user32.dll 00B6 DrawFrameControl 1 00088B94 user32.dll 00B7 DrawIcon 1 00088B98 user32.dll 00B8 DrawIconEx 1 00088B9C user32.dll 00B9 DrawMenuBar 1 00088BA0 user32.dll 00BD DrawTextA 1 00088BA4 user32.dll 00C3 EnableMenuItem 1 00088BA8 user32.dll 00C4 EnableScrollBar 1 00088BAC user32.dll 00C5 EnableWindow 1 00088BB0 user32.dll 00C9 EndPaint 1 00088BB4 user32.dll 00DC EnumThreadWindows 1 00088BB8 user32.dll 00DF EnumWindows 1 00088BBC user32.dll 00E0 EqualRect 1 00088BC0 user32.dll 00E3 FillRect 1 00088BC4 user32.dll 00E4 FindWindowA 1 00088BC8 user32.dll 00EA FrameRect 1 00088BCC user32.dll 00EC GetActiveWindow 1 00088BD0 user32.dll 00F3 GetAsyncKeyState 1 00088BD4 user32.dll 00F4 GetCapture 1 00088BD8 user32.dll 00F7 GetClassInfoA 1 00088BDC user32.dll 0100 GetClientRect 1 00088BE0 user32.dll 0102 GetClipboardData 1 00088BE4 user32.dll 0109 GetCursor 1 00088BE8 user32.dll 010C GetCursorPos 1 00088BEC user32.dll 010D GetDC 1 00088BF0 user32.dll 010E GetDCEx 1 00088BF4 user32.dll 010F GetDesktopWindow 1 00088BF8 user32.dll 0117 GetFocus 1 00088BFC user32.dll 0118 GetForegroundWindow 1 00088C00 user32.dll 011B GetIconInfo 1 00088C04 user32.dll 0120 GetKeyNameTextA 1 00088C08 user32.dll 0122 GetKeyState 1 00088C0C user32.dll 0123 GetKeyboardLayout 1 00088C10 user32.dll 0124 GetKeyboardLayoutList 1 00088C14 user32.dll 0127 GetKeyboardState 1 00088C18 user32.dll 0128 GetKeyboardType 1 00088C1C user32.dll 0129 GetLastActivePopup 1 00088C20 user32.dll 012D GetMenu 1 00088C24 user32.dll 0133 GetMenuItemCount 1 00088C28 user32.dll 0134 GetMenuItemID 1 00088C2C user32.dll 0135 GetMenuItemInfoA 1 00088C30 user32.dll 0138 GetMenuState 1 00088C34 user32.dll 0139 GetMenuStringA 1 00088C38 user32.dll 013E GetMessageTime 1 00088C3C user32.dll 0146 GetParent 1 00088C40 user32.dll 014B GetPropA 1 00088C44 user32.dll 0156 GetScrollInfo 1 00088C48 user32.dll 0157 GetScrollPos 1 00088C4C user32.dll 0158 GetScrollRange 1 00088C50 user32.dll 015A GetSubMenu 1 00088C54 user32.dll 015B GetSysColor 1 00088C58 user32.dll 015E GetSystemMetrics 1 00088C5C user32.dll 0164 GetTopWindow 1 00088C60 user32.dll 016B GetWindow 1 00088C64 user32.dll 016D GetWindowDC 1 00088C68 user32.dll 016F GetWindowLongA 1 00088C6C user32.dll 0174 GetWindowPlacement 1 00088C70 user32.dll 0175 GetWindowRect 1 00088C74 user32.dll 0178 GetWindowTextA 1 00088C78 user32.dll 017C GetWindowThreadProcessId 1 00088C7C user32.dll 018B InflateRect 1 00088C80 user32.dll 018E InsertMenuA 1 00088C84 user32.dll 018F InsertMenuItemA 1 00088C88 user32.dll 0193 IntersectRect 1 00088C8C user32.dll 0194 InvalidateRect 1 00088C90 user32.dll 019F IsChild 1 00088C94 user32.dll 01A1 IsDialogMessage 1 00088C98 user32.dll 01A7 IsIconic 1 00088C9C user32.dll 01A9 IsRectEmpty 1 00088CA0 user32.dll 01AC IsWindow 1 00088CA4 user32.dll 01AD IsWindowEnabled 1 00088CA8 user32.dll 01B0 IsWindowVisible 1 00088CAC user32.dll 01B1 IsZoomed 1 00088CB0 user32.dll 01B3 KillTimer 1 00088CB4 user32.dll 01B6 LoadBitmapA 1 00088CB8 user32.dll 01B8 LoadCursorA 1 00088CBC user32.dll 01BC LoadIconA 1 00088CC0 user32.dll 01C0 LoadKeyboardLayoutA 1 00088CC4 user32.dll 01C9 LoadStringA 1 00088CC8 user32.dll 01D4 MapVirtualKeyA 1 00088CCC user32.dll 01D8 MapWindowPoints 1 00088CD0 user32.dll 01DD MessageBoxA 1 00088CD4 user32.dll 01EB MsgWaitForMultipleObjects 1 00088CD8 user32.dll 01EF OemToCharA 1 00088CDC user32.dll 01F3 OffsetRect 1 00088CE0 user32.dll 01FE PeekMessageA 1 00088CE4 user32.dll 0200 PostMessageA 1 00088CE8 user32.dll 0202 PostQuitMessage 1 00088CEC user32.dll 020C PtInRect 1 00088CF0 user32.dll 0217 RegisterClassA 1 00088CF4 user32.dll 021B RegisterClipboardFormatA 1 00088CF8 user32.dll 021B RegisterClipboardFormatA 1 00088CFC user32.dll 022A ReleaseCapture 1 00088D00 user32.dll 022B ReleaseDC 1 00088D04 user32.dll 022C RemoveMenu 1 00088D08 user32.dll 022D RemovePropA 1 00088D0C user32.dll 0232 ScreenToClient 1 00088D10 user32.dll 0235 ScrollWindow 1 00088D14 user32.dll 023C SendMessageA 1 00088D18 user32.dll 0244 SetActiveWindow 1 00088D1C user32.dll 0245 SetCapture 1 00088D20 user32.dll 0248 SetClassLongA 1 00088D24 user32.dll 024E SetCursor 1 00088D28 user32.dll 0257 SetFocus 1 00088D2C user32.dll 0258 SetForegroundWindow 1 00088D30 user32.dll 025E SetMenu 1 00088D34 user32.dll 0263 SetMenuItemInfoA 1 00088D38 user32.dll 026B SetPropA 1 00088D3C user32.dll 026D SetRect 1 00088D40 user32.dll 026F SetScrollInfo 1 00088D44 user32.dll 0270 SetScrollPos 1 00088D48 user32.dll 0271 SetScrollRange 1 00088D4C user32.dll 027B SetTimer 1 00088D50 user32.dll 0281 SetWindowLongA 1 00088D54 user32.dll 0283 SetWindowPlacement 1 00088D58 user32.dll 0284 SetWindowPos 1 00088D5C user32.dll 0287 SetWindowTextA 1 00088D60 user32.dll 028B SetWindowsHookExA 1 00088D64 user32.dll 028F ShowCursor 1 00088D68 user32.dll 0290 ShowOwnedPopups 1 00088D6C user32.dll 0291 ShowScrollBar 1 00088D70 user32.dll 0293 ShowWindow 1 00088D74 user32.dll 029A SystemParametersInfoA 1 00088D78 user32.dll 02A5 TrackPopupMenu 1 00088D7C user32.dll 02AA TranslateMDISysAccel 1 00088D80 user32.dll 02AB TranslateMessage 1 00088D84 user32.dll 02AF UnhookWindowsHookEx 1 00088D88 user32.dll 02B4 UnregisterClassA 1 00088D8C user32.dll 02BC UpdateWindow 1 00088D90 user32.dll 02D1 WaitMessage 1 00088D94 user32.dll 02D3 WinHelpA 1 00088D98 user32.dll 02D6 WindowFromPoint 1 00088D9C user32.dll 02D9 wsprintfA 1 00088DA0 user32.dll 015D GetSystemMenu FThunk: 00088DA8 NbFunc: 0000000C 0 00088DA8 ? 0000 0008A84E 0 00088DAC ? 0000 0008A862 0 00088DB0 ? 0000 0008A876 0 00088DB4 ? 0000 0008A886 0 00088DB8 ? 0000 0008A896 0 00088DBC ? 0000 0008A8A8 0 00088DC0 ? 0000 0008A8C0 0 00088DC4 ? 0000 0008A8D0 0 00088DC8 ? 0000 0008A8DE 0 00088DCC ? 0000 0008A8E8 0 00088DD0 ? 0000 0008A900 0 00088DD4 ? 0000 0008A912 FThunk: 00088DDC NbFunc: 0000000C 1 00088DDC ole32.dll 0012 CoCreateInstance 1 00088DE0 ole32.dll 0024 CoGetClassObject 1 00088DE4 ole32.dll 003C CoInitialize 1 00088DE8 ole32.dll 0066 CoTaskMemFree 1 00088DEC ole32.dll 006A CoUninitialize 1 00088DF0 ole32.dll 0093 CreateStreamOnHGlobal 1 00088DF4 ole32.dll 00D7 IsAccelerator 1 00088DF8 ole32.dll 00D8 IsEqualGUID 1 00088DFC ole32.dll 00F7 OleDraw 1 00088E00 ole32.dll 0113 OleSetMenuDescriptor 1 00088E04 ole32.dll 0117 ProgIDFromCLSID 1 00088E08 ole32.dll 0143 StringFromCLSID FThunk: 00088E10 NbFunc: 0000000D 0 00088E10 ? 0000 0008A924 0 00088E14 ? 0000 0008A936 0 00088E18 ? 0000 0008A946 0 00088E1C ? 0000 0008A958 0 00088E20 ? 0000 0008A96C 0 00088E24 ? 0000 0008A97C 0 00088E28 ? 0000 0008A992 0 00088E2C ? 0000 0008A9A2 0 00088E30 ? 0000 0008A9B6 0 00088E34 ? 0000 0008A9CC 0 00088E38 ? 0000 0008A9DC 0 00088E3C ? 0000 0008A9EA 0 00088E40 ? 0000 0008A9FC FThunk: 00088E48 NbFunc: 0000000D 1 00088E48 oleaut32.dll 0023 GetActiveObject 1 00088E4C oleaut32.dll 00C8 GetErrorInfo 1 00088E50 oleaut32.dll 0002 SysAllocString 1 00088E54 oleaut32.dll 0004 SysAllocStringLen 1 00088E58 oleaut32.dll 0006 SysFreeString 1 00088E5C oleaut32.dll 0005 SysReAllocStringLen 1 00088E60 oleaut32.dll 0007 SysStringLen 1 00088E64 oleaut32.dll 000C VariantChangeType 1 00088E68 oleaut32.dll 0093 VariantChangeTypeEx 1 00088E6C oleaut32.dll 0009 VariantClear 1 00088E70 oleaut32.dll 000A VariantCopy 1 00088E74 oleaut32.dll 000B VariantCopyInd 1 00088E78 oleaut32.dll 0008 VariantInit
99fan 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 2 粉丝 0 关注私信	99fan 2005-12-20 15:17 21 楼 0 你的加密版本是1.43，不能用本教程的方法脱壳。
chasgone 雪币： 217 活跃值： (61) 能力值： ( LV6，RANK：90 ) 在线值：发帖 4 回帖 94 粉丝 1 关注私信	chasgone 2 2005-12-20 21:40 22 楼 0 你怎么知道是1.43的呀？真是高人呀那我这个应该怎么脱呢？能给介绍一个教程吗？我没到新版本的教程谢谢急切等待你的回答
	游客登录 \| 注册方可回帖　回帖　表情雪币赚取及消费高级回复

stasi

发帖

127

回帖

490

RANK

关注

私信

他的文章

魔兽皇冠ASProtect 2.0x Registered DLL脱壳

北斗nspack2.3 dll脱壳

最新魔兽皇冠外挂SVKP 1.3x - Pavol Cerven脱壳

Akala 密码壳的多层smc技术注入

tElock+ PECompact双重壳DLL一次脱壳

关于我们

联系我们

企业服务

看雪公众号

最新回复 (21)
CoreWar 雪币： 0 能力值： (RANK：10 ) 在线值：发帖 0 回帖 35 粉丝 0 关注私信	CoreWar 2005-8-23 19:53 2 楼 0 牛人,上一下.
hyd009 雪币： 201 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 2 回帖 143 粉丝 0 关注私信	hyd009 2005-8-23 20:42 3 楼 0 写的不清楚，看不明白
ljy3282393 雪币： 214 活跃值： (15) 能力值： ( LV4，RANK：50 ) 在线值：发帖 2 回帖 426 粉丝 1 关注私信	ljy3282393 1 2005-8-23 23:20 4 楼 0 最初由 hyd009 发布写的不清楚，看不明白不是写的不清楚，而是因为：菜鸟写的文章一般比较详细，大家都看得明白；高手写的文章一般比较简略（个别除外），只有高手才看得明白！BTW：我也看不明白，所以我也是菜鸟一只！
chinadev 雪币： 0 能力值： (RANK：10 ) 在线值：发帖 22 回帖 439 粉丝 0 关注私信	chinadev 2005-8-24 02:30 5 楼 0 呵呵~在6月份的时候我也写了这个的文章可惜那时候没注册到号没发上来嘿嘿，比这个详细抽取了106字节。。。
aki 雪币： 223 活跃值： (70) 能力值： ( LV6，RANK：90 ) 在线值：发帖 17 回帖 592 粉丝 0 关注私信	aki 2 2005-8-24 08:41 6 楼 0 这个没有嵌入加密.有兴趣你看下冰橙子的挂.我花了整整一个上午才搞定嵌入加密.花指令倒是简单.
夜凉如水雪币： 136 活跃值： (105) 能力值： ( LV9，RANK：140 ) 在线值：发帖 18 回帖 719 粉丝 1 关注私信	夜凉如水 3 2005-8-24 10:46 7 楼 0 冰橙子有教程了自己去看看就知道了
pendan2001 雪币： 61 活跃值： (160) 能力值： ( LV9，RANK：170 ) 在线值：发帖 25 回帖 1180 粉丝 0 关注私信	pendan2001 4 2005-8-24 16:21 8 楼 0 good
baby2008 雪币： 442 活跃值： (1216) 能力值： ( LV12，RANK：1130 ) 在线值：发帖 87 回帖 1435 粉丝 5 关注私信	baby2008 28 2005-8-24 16:35 9 楼 0 楼上的兄弟,你看看自己灌了多少goooood
xIkUg 雪币： 116 活跃值： (220) 能力值： ( LV12，RANK：370 ) 在线值：发帖 27 回帖 675 粉丝 4 关注私信	xIkUg 9 2005-8-24 17:26 10 楼 0 赞一个。。。
lnn1123 雪币： 234 活跃值： (370) 能力值： ( LV9，RANK：530 ) 在线值：发帖 39 回帖 765 粉丝 0 关注私信	lnn1123 13 2005-8-24 18:01 11 楼 0 看不懂也顶
yunfeng 雪币： 269 活跃值： (46) 能力值： ( LV4，RANK：50 ) 在线值：发帖 3 回帖 489 粉丝 0 关注私信	yunfeng 1 2005-8-25 10:15 12 楼 0 看不明白，以后再慢慢看。
aki 雪币： 223 活跃值： (70) 能力值： ( LV6，RANK：90 ) 在线值：发帖 17 回帖 592 粉丝 0 关注私信	aki 2 2005-8-25 11:45 13 楼 0 最初由夜凉如水发布冰橙子有教程了自己去看看就知道了你不明白我说的是什么意思。另：冰橙子那个贴是我写的。
夜凉如水雪币： 136 活跃值： (105) 能力值： ( LV9，RANK：140 ) 在线值：发帖 18 回帖 719 粉丝 1 关注私信	夜凉如水 3 2005-8-25 15:34 14 楼 0 哦哪个是你写的那是我没有记住作者不好意思啊!!!
寒江雪雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 90 粉丝 0 关注私信	寒江雪 2005-8-25 17:09 15 楼 0 最初由 ljy3282393 发布不是写的不清楚，而是因为：菜鸟写的文章一般比较详细，大家都看得明白；高手写的文章一般比较简略（个别除外），只有高手才看得明白！BTW：我也看不明白，所以我也是菜鸟一只！完全正确
leon 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 4 粉丝 0 关注私信	leon 2005-8-26 01:04 16 楼 0 还是看不太明白
wxj_2008 雪币： 155 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 5 回帖 84 粉丝 0 关注私信	wxj_2008 2005-12-12 09:54 17 楼 0 hehe,good
hclz 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 3 回帖 31 粉丝 0 关注私信	hclz 2005-12-13 19:11 18 楼 0 很好 ,谢谢
chasgone 雪币： 217 活跃值： (61) 能力值： ( LV6，RANK：90 ) 在线值：发帖 4 回帖 94 粉丝 1 关注私信	chasgone 2 2005-12-19 12:38 19 楼 0 我有个程序也是这个壳，脱壳并修复后，发现无法运行，用od打开发现，oep附近的几个call有问题，它们调用居然是exitprocess函数。请问这个是什么原因，怎么解决？谢谢 BTW，我以前也脱过两个这个版本的壳，没发现这种情况。
chasgone 雪币： 217 活跃值： (61) 能力值： ( LV6，RANK：90 ) 在线值：发帖 4 回帖 94 粉丝 1 关注私信	chasgone 2 2005-12-20 13:20 20 楼 0 下面是我的输入表，大家帮我看看有没有问题，无效的函数我全部cut掉了，关于那三个特殊函数我没处理。 ; Syntax for each function in a thunk (the separator is a TAB) ; ------------------------------------------------------------ ; Flag RVA ModuleName Ordinal Name ; ; Details for <Valid> parameter: ; ------------------------------ ; Flag: 0 = valid: no -> - Name contains the address of the redirected API (you can set ; it to zero if you edit it). ; - Ordinal is not considered but you should let '0000' as value. ; - ModuleName is not considered but you should let '?' as value. ; ; 1 = valid: yes -> All next parameters on the line will be considered. ; Function imported by ordinal must have no name (the 4th TAB must ; be there though). ; ; 2 = Equivalent to 0 but it is for the loader. ; ; 3 = Equivalent to 1 but it is for the loader. ; ; 4 = Equivalent to 0 with (R) tag. ; ; 5 = Equivalent to 1 with (R) tag. ; ; And finally, edit this file as your own risk! :-) Target: F:\chasgone\脱壳\hx55g+\hx.exe OEP: 00001000 IATRVA: 000883D0 IATSize: 00001500 FThunk: 000883D4 NbFunc: 00000066 1 000883D4 kernel32.dll 0032 CloseHandle 1 000883D8 kernel32.dll 0038 CompareStringA 1 000883DC kernel32.dll 004C CreateEventA 1 000883E0 kernel32.dll 0050 CreateFileA 1 000883E4 kernel32.dll 0063 CreateProcessA 1 000883E8 kernel32.dll 006D CreateThread 1 000883EC kernel32.dll 0077 DebugBreak 1 000883F0 kernel32.dll 0080 DeleteCriticalSection 1 000883F4 kernel32.dll 0097 EnterCriticalSection 1 000883F8 kernel32.dll 0098 EnumCalendarInfoA 1 000883FC kernel32.dll 00B7 ExitProcess 1 00088400 kernel32.dll 00B8 ExitThread 1 00088404 kernel32.dll 00C2 FileTimeToDosDateTime 1 00088408 kernel32.dll 00C3 FileTimeToLocalFileTime 1 0008840C kernel32.dll 00CD FindClose 1 00088410 kernel32.dll 00D1 FindFirstFileA 1 00088414 kernel32.dll 00E0 FindResourceA 1 00088418 kernel32.dll 00EC FormatMessageA 1 0008841C kernel32.dll 00F1 FreeLibrary 1 00088420 kernel32.dll 00F3 FreeResource 1 00088424 kernel32.dll 00F7 GetACP 1 00088428 kernel32.dll 00FE GetCPInfo 1 0008842C kernel32.dll 010A GetCommandLineA 1 00088430 kernel32.dll 010E GetComputerNameA 1 00088434 kernel32.dll 013D GetCurrentProcessId 1 00088438 kernel32.dll 013F GetCurrentThreadId 1 0008843C kernel32.dll 0140 GetDateFormatA 1 00088440 kernel32.dll 0146 GetDiskFreeSpaceA 1 00088444 kernel32.dll 014E GetEnvironmentStrings 1 00088448 kernel32.dll 0154 GetExitCodeThread 1 0008844C kernel32.dll 015C GetFileSize 1 00088450 kernel32.dll 015F GetFileType 1 00088454 kernel32.dll 0169 GetLastError 1 00088458 kernel32.dll 016B GetLocalTime 1 0008845C kernel32.dll 016C GetLocaleInfoA 1 00088460 kernel32.dll 0174 GetModuleFileNameA 1 00088464 kernel32.dll 0176 GetModuleHandleA 1 00088468 kernel32.dll 018B GetOEMCP 1 0008846C kernel32.dll 0194 GetPrivateProfileStringA 1 00088470 kernel32.dll 0198 GetProcAddress 1 00088474 kernel32.dll 019B GetProcessHeap 1 00088478 kernel32.dll 01AD GetStartupInfoA 1 0008847C kernel32.dll 01AF GetStdHandle 1 00088480 kernel32.dll 01B3 GetStringTypeW 1 00088484 kernel32.dll 01B9 GetSystemInfo 1 00088488 kernel32.dll 01CD GetThreadLocale 1 0008848C kernel32.dll 01D2 GetTickCount 1 00088490 kernel32.dll 01D6 GetUserDefaultLCID 1 00088494 kernel32.dll 01DB GetVersion 1 00088498 kernel32.dll 01DC GetVersionExA 1 0008849C kernel32.dll 01E9 GlobalAddAtomA 1 000884A0 kernel32.dll 01EB GlobalAlloc 1 000884A4 kernel32.dll 01ED GlobalDeleteAtom 1 000884A8 kernel32.dll 01F2 GlobalFree 1 000884AC kernel32.dll 01F5 GlobalHandle 1 000884B0 kernel32.dll 01F6 GlobalLock 1 000884B4 kernel32.dll 01F9 GlobalReAlloc 1 000884B8 kernel32.dll 01FA GlobalSize 1 000884BC kernel32.dll 01FD GlobalUnlock 1 000884C0 kernel32.dll 0203 HeapAlloc 1 000884C4 kernel32.dll 0209 HeapFree 1 000884C8 kernel32.dll 0216 InitializeCriticalSection 1 000884CC kernel32.dll 021A InterlockedDecrement 1 000884D0 kernel32.dll 021E InterlockedIncrement 1 000884D4 kernel32.dll 0241 LeaveCriticalSection 1 000884D8 kernel32.dll 0242 LoadLibraryA 1 000884DC kernel32.dll 0243 LoadLibraryExA 1 000884E0 kernel32.dll 0247 LoadResource 1 000884E4 kernel32.dll 0248 LocalAlloc 1 000884E8 kernel32.dll 024C LocalFree 1 000884EC kernel32.dll 0255 LockResource 1 000884F0 kernel32.dll 0264 MulDiv 1 000884F4 kernel32.dll 0265 MultiByteToWideChar 1 000884F8 kernel32.dll 0297 RaiseException 1 000884FC kernel32.dll 02A4 ReadFile 1 00088500 kernel32.dll 02C0 ResumeThread 1 00088504 kernel32.dll 02C5 RtlUnwind 1 00088508 kernel32.dll 02DC SetConsoleCtrlHandler 1 0008850C kernel32.dll 02FE SetEndOfFile 1 00088510 kernel32.dll 0301 SetErrorMode 1 00088514 kernel32.dll 0302 SetEvent 1 00088518 kernel32.dll 0307 SetFilePointer 1 0008851C kernel32.dll 0255 LockResource 1 00088520 kernel32.dll 02BF RestoreLastError 1 00088524 kernel32.dll 032D SetThreadLocale 1 00088528 kernel32.dll 033E SizeofResource 1 0008852C kernel32.dll 033F Sleep 1 00088530 kernel32.dll 034C TlsAlloc 1 00088534 kernel32.dll 034D TlsFree 1 00088538 kernel32.dll 034E TlsGetValue 1 0008853C kernel32.dll 034F TlsSetValue 1 00088540 kernel32.dll 0358 UnhandledExceptionFilter 1 00088544 kernel32.dll 036B VirtualAlloc 1 00088548 kernel32.dll 036E VirtualFree 1 0008854C kernel32.dll 0373 VirtualQuery 1 00088550 kernel32.dll 037B WaitForSingleObject 1 00088554 kernel32.dll 037F WideCharToMultiByte 1 00088558 kernel32.dll 038C WriteFile 1 0008855C kernel32.dll 0391 WritePrivateProfileStringA 1 00088560 kernel32.dll 03AD lstrcpy 1 00088564 kernel32.dll 03B0 lstrcpyn 1 00088568 kernel32.dll 03B3 lstrlen FThunk: 00088570 NbFunc: 00000018 0 00088570 ? 0000 000896CC 0 00088574 ? 0000 000896DC 0 00088578 ? 0000 000896F2 0 0008857C ? 0000 00089706 0 00088580 ? 0000 0008971A 0 00088584 ? 0000 00089730 0 00088588 ? 0000 00089746 0 0008858C ? 0000 0008975C 0 00088590 ? 0000 00089778 0 00088594 ? 0000 0008978A 0 00088598 ? 0000 0008979E 0 0008859C ? 0000 000897B6 0 000885A0 ? 0000 000897D0 0 000885A4 ? 0000 000897E4 0 000885A8 ? 0000 000897FC 0 000885AC ? 0000 00089816 0 000885B0 ? 0000 00089828 0 000885B4 ? 0000 0008983C 0 000885B8 ? 0000 00089850 0 000885BC ? 0000 00089868 0 000885C0 ? 0000 00089880 0 000885C4 ? 0000 000898A0 0 000885C8 ? 0000 000898B8 0 000885CC ? 0000 000898CA FThunk: 000885D4 NbFunc: 00000018 1 000885D4 comctl32.dll 0027 ImageList_Add 1 000885D8 comctl32.dll 002A ImageList_BeginDrag 1 000885DC comctl32.dll 002C ImageList_Create 1 000885E0 comctl32.dll 002D ImageList_Destroy 1 000885E4 comctl32.dll 002E ImageList_DragEnter 1 000885E8 comctl32.dll 002F ImageList_DragLeave 1 000885EC comctl32.dll 0030 ImageList_DragMove 1 000885F0 comctl32.dll 0031 ImageList_DragShowNolock 0000 0008A002 0 00088924 ? 0000 0008A010 0 00088928 ? 0000 0008A01C 0 0008892C ? 0000 0008A02E 0 00088930 ? 0000 0008A040 0 00088934 ? 0000 0008A050 0 00088938 ? 0000 0008A05C 0 0008893C ? 0000 0008A070 0 00088940 ? 0000 0008A07E 0 00088944 ? 0000 0008A08A 0 00088948 ? 0000 0008A096 0 0008894C ? 0000 0008A0A4 0 00088950 ? 0000 0008A0B0 0 00088954 ? 0000 0008A0C2 0 00088958 ? 0000 0008A0D6 0 0008895C ? 0000 0008A0E4 0 00088960 ? 0000 0008A0F4 0 00088964 ? 0000 0008A104 0 00088968 ? 0000 0008A118 0 0008896C ? 0000 0008A124 0 00088970 ? 0000 0008A134 0 00088974 ? 0000 0008A13C 0 00088978 ? 0000 0008A146 0 0008897C ? 0000 0008A15A 0 00088980 ? 0000 0008A166 0 00088984 ? 0000 0008A17C 0 00088988 ? 0000 0008A18A 0 0008898C ? 0000 0008A19C 0 00088990 ? 0000 0008A1AA 0 00088994 ? 0000 0008A1BE 0 00088998 ? 0000 0008A1D6 0 0008899C ? 0000 0008A1EA 0 000889A0 ? 0000 0008A1FC 0 000889A4 ? 0000 0008A212 0 000889A8 ? 0000 0008A21C 0 000889AC ? 0000 0008A230 0 000889B0 ? 0000 0008A240 0 000889B4 ? 0000 0008A254 0 000889B8 ? 0000 0008A264 0 000889BC ? 0000 0008A276 0 000889C0 ? 0000 0008A288 0 000889C4 ? 0000 0008A294 0 000889C8 ? 0000 0008A2A0 0 000889CC ? 0000 0008A2B0 0 000889D0 ? 0000 0008A2C0 0 000889D4 ? 0000 0008A2D2 0 000889D8 ? 0000 0008A2E0 0 000889DC ? 0000 0008A2EE 0 000889E0 ? 0000 0008A302 0 000889E4 ? 0000 0008A312 0 000889E8 ? 0000 0008A31E 0 000889EC ? 0000 0008A32C 0 000889F0 ? 0000 0008A33E 0 000889F4 ? 0000 0008A354 0 000889F8 ? 0000 0008A364 0 000889FC ? 0000 0008A376 0 00088A00 ? 0000 0008A392 0 00088A04 ? 0000 0008A3A0 0 00088A08 ? 0000 0008A3AE 0 00088A0C ? 0000 0008A3C0 0 00088A10 ? 0000 0008A3D0 0 00088A14 ? 0000 0008A3E2 0 00088A18 ? 0000 0008A3EC 0 00088A1C ? 0000 0008A400 0 00088A20 ? 0000 0008A40C 0 00088A24 ? 0000 0008A41A 0 00088A28 ? 0000 0008A426 0 00088A2C ? 0000 0008A438 0 00088A30 ? 0000 0008A44A 0 00088A34 ? 0000 0008A456 0 00088A38 ? 0000 0008A462 0 00088A3C ? 0000 0008A470 0 00088A40 ? 0000 0008A47E 0 00088A44 ? 0000 0008A48A 0 00088A48 ? 0000 0008A4A0 0 00088A4C ? 0000 0008A4AE 0 00088A50 ? 0000 0008A4C0 0 00088A54 ? 0000 0008A4D2 0 00088A58 ? 0000 0008A4E0 0 00088A5C ? 0000 0008A4FC 0 00088A60 ? 0000 0008A50A 0 00088A64 ? 0000 0008A518 0 00088A68 ? 0000 0008A528 0 00088A6C ? 0000 0008A538 0 00088A70 ? 0000 0008A54A 0 00088A74 ? 0000 0008A556 0 00088A78 ? 0000 0008A568 0 00088A7C ? 0000 0008A584 0 00088A80 ? 0000 0008A59E 0 00088A84 ? 0000 0008A5B0 0 00088A88 ? 0000 0008A5BC 0 00088A8C ? 0000 0008A5CA 0 00088A90 ? 0000 0008A5D8 0 00088A94 ? 0000 0008A5EA 0 00088A98 ? 0000 0008A5FA 0 00088A9C ? 0000 0008A60A 0 00088AA0 ? 0000 0008A61C 0 00088AA4 ? 0000 0008A62A 0 00088AA8 ? 0000 0008A63A 0 00088AAC ? 0000 0008A646 0 00088AB0 ? 0000 0008A652 0 00088AB4 ? 0000 0008A668 0 00088AB8 ? 0000 0008A672 0 00088ABC ? 0000 0008A686 0 00088AC0 ? 0000 0008A692 0 00088AC4 ? 0000 0008A69C 0 00088AC8 ? 0000 0008A6AC 0 00088ACC ? 0000 0008A6BC 0 00088AD0 ? 0000 0008A6CE 0 00088AD4 ? 0000 0008A6DA 0 00088AD8 ? 0000 0008A6EC 0 00088ADC ? 0000 0008A702 0 00088AE0 ? 0000 0008A712 0 00088AE4 ? 0000 0008A724 0 00088AE8 ? 0000 0008A738 0 00088AEC ? 0000 0008A746 0 00088AF0 ? 0000 0008A758 0 00088AF4 ? 0000 0008A768 0 00088AF8 ? 0000 0008A776 0 00088AFC ? 0000 0008A78E 0 00088B00 ? 0000 0008A7A0 0 00088B04 ? 0000 0008A7B8 0 00088B08 ? 0000 0008A7CC 0 00088B0C ? 0000 0008A7E2 0 00088B10 ? 0000 0008A7F6 0 00088B14 ? 0000 0008A806 0 00088B18 ? 0000 0008A814 0 00088B1C ? 0000 0008A820 0 00088B20 ? 0000 0008A832 0 00088B24 ? 0000 0008A83E FThunk: 00088B2C NbFunc: 0000009E 1 00088B2C user32.dll 0001 ActivateKeyboardLayout 1 00088B30 user32.dll 0003 AdjustWindowRectEx 1 00088B34 user32.dll 000E BeginPaint 1 00088B38 user32.dll 001B CallNextHookEx 1 00088B3C user32.dll 001C CallWindowProcA 1 00088B40 user32.dll 0027 CharLowerA 1 00088B44 user32.dll 0028 CharLowerBuffA 1 00088B48 user32.dll 002B CharNextA 1 00088B4C user32.dll 003A CheckMenuItem 1 00088B50 user32.dll 0041 ClientToScreen 1 00088B54 user32.dll 0058 CreateIcon 1 00088B58 user32.dll 005E CreateMenu 1 00088B5C user32.dll 005F CreatePopupMenu 1 00088B60 user32.dll 0061 CreateWindowExA 1 00088B64 user32.dll 008A DefFrameProcA 1 00088B68 user32.dll 008C DefMDIChildProcA 1 00088B6C user32.dll 008F DefWindowProcA 1 00088B70 user32.dll 0092 DeleteMenu 1 00088B74 user32.dll 0096 DestroyCursor 1 00088B78 user32.dll 0096 DestroyCursor 1 00088B7C user32.dll 0098 DestroyMenu 1 00088B80 user32.dll 009A DestroyWindow 1 00088B84 user32.dll 00A2 DispatchMessageA 1 00088B88 user32.dll 00B3 DrawEdge 1 00088B8C user32.dll 00B4 DrawFocusRect 1 00088B90 user32.dll 00B6 DrawFrameControl 1 00088B94 user32.dll 00B7 DrawIcon 1 00088B98 user32.dll 00B8 DrawIconEx 1 00088B9C user32.dll 00B9 DrawMenuBar 1 00088BA0 user32.dll 00BD DrawTextA 1 00088BA4 user32.dll 00C3 EnableMenuItem 1 00088BA8 user32.dll 00C4 EnableScrollBar 1 00088BAC user32.dll 00C5 EnableWindow 1 00088BB0 user32.dll 00C9 EndPaint 1 00088BB4 user32.dll 00DC EnumThreadWindows 1 00088BB8 user32.dll 00DF EnumWindows 1 00088BBC user32.dll 00E0 EqualRect 1 00088BC0 user32.dll 00E3 FillRect 1 00088BC4 user32.dll 00E4 FindWindowA 1 00088BC8 user32.dll 00EA FrameRect 1 00088BCC user32.dll 00EC GetActiveWindow 1 00088BD0 user32.dll 00F3 GetAsyncKeyState 1 00088BD4 user32.dll 00F4 GetCapture 1 00088BD8 user32.dll 00F7 GetClassInfoA 1 00088BDC user32.dll 0100 GetClientRect 1 00088BE0 user32.dll 0102 GetClipboardData 1 00088BE4 user32.dll 0109 GetCursor 1 00088BE8 user32.dll 010C GetCursorPos 1 00088BEC user32.dll 010D GetDC 1 00088BF0 user32.dll 010E GetDCEx 1 00088BF4 user32.dll 010F GetDesktopWindow 1 00088BF8 user32.dll 0117 GetFocus 1 00088BFC user32.dll 0118 GetForegroundWindow 1 00088C00 user32.dll 011B GetIconInfo 1 00088C04 user32.dll 0120 GetKeyNameTextA 1 00088C08 user32.dll 0122 GetKeyState 1 00088C0C user32.dll 0123 GetKeyboardLayout 1 00088C10 user32.dll 0124 GetKeyboardLayoutList 1 00088C14 user32.dll 0127 GetKeyboardState 1 00088C18 user32.dll 0128 GetKeyboardType 1 00088C1C user32.dll 0129 GetLastActivePopup 1 00088C20 user32.dll 012D GetMenu 1 00088C24 user32.dll 0133 GetMenuItemCount 1 00088C28 user32.dll 0134 GetMenuItemID 1 00088C2C user32.dll 0135 GetMenuItemInfoA 1 00088C30 user32.dll 0138 GetMenuState 1 00088C34 user32.dll 0139 GetMenuStringA 1 00088C38 user32.dll 013E GetMessageTime 1 00088C3C user32.dll 0146 GetParent 1 00088C40 user32.dll 014B GetPropA 1 00088C44 user32.dll 0156 GetScrollInfo 1 00088C48 user32.dll 0157 GetScrollPos 1 00088C4C user32.dll 0158 GetScrollRange 1 00088C50 user32.dll 015A GetSubMenu 1 00088C54 user32.dll 015B GetSysColor 1 00088C58 user32.dll 015E GetSystemMetrics 1 00088C5C user32.dll 0164 GetTopWindow 1 00088C60 user32.dll 016B GetWindow 1 00088C64 user32.dll 016D GetWindowDC 1 00088C68 user32.dll 016F GetWindowLongA 1 00088C6C user32.dll 0174 GetWindowPlacement 1 00088C70 user32.dll 0175 GetWindowRect 1 00088C74 user32.dll 0178 GetWindowTextA 1 00088C78 user32.dll 017C GetWindowThreadProcessId 1 00088C7C user32.dll 018B InflateRect 1 00088C80 user32.dll 018E InsertMenuA 1 00088C84 user32.dll 018F InsertMenuItemA 1 00088C88 user32.dll 0193 IntersectRect 1 00088C8C user32.dll 0194 InvalidateRect 1 00088C90 user32.dll 019F IsChild 1 00088C94 user32.dll 01A1 IsDialogMessage 1 00088C98 user32.dll 01A7 IsIconic 1 00088C9C user32.dll 01A9 IsRectEmpty 1 00088CA0 user32.dll 01AC IsWindow 1 00088CA4 user32.dll 01AD IsWindowEnabled 1 00088CA8 user32.dll 01B0 IsWindowVisible 1 00088CAC user32.dll 01B1 IsZoomed 1 00088CB0 user32.dll 01B3 KillTimer 1 00088CB4 user32.dll 01B6 LoadBitmapA 1 00088CB8 user32.dll 01B8 LoadCursorA 1 00088CBC user32.dll 01BC LoadIconA 1 00088CC0 user32.dll 01C0 LoadKeyboardLayoutA 1 00088CC4 user32.dll 01C9 LoadStringA 1 00088CC8 user32.dll 01D4 MapVirtualKeyA 1 00088CCC user32.dll 01D8 MapWindowPoints 1 00088CD0 user32.dll 01DD MessageBoxA 1 00088CD4 user32.dll 01EB MsgWaitForMultipleObjects 1 00088CD8 user32.dll 01EF OemToCharA 1 00088CDC user32.dll 01F3 OffsetRect 1 00088CE0 user32.dll 01FE PeekMessageA 1 00088CE4 user32.dll 0200 PostMessageA 1 00088CE8 user32.dll 0202 PostQuitMessage 1 00088CEC user32.dll 020C PtInRect 1 00088CF0 user32.dll 0217 RegisterClassA 1 00088CF4 user32.dll 021B RegisterClipboardFormatA 1 00088CF8 user32.dll 021B RegisterClipboardFormatA 1 00088CFC user32.dll 022A ReleaseCapture 1 00088D00 user32.dll 022B ReleaseDC 1 00088D04 user32.dll 022C RemoveMenu 1 00088D08 user32.dll 022D RemovePropA 1 00088D0C user32.dll 0232 ScreenToClient 1 00088D10 user32.dll 0235 ScrollWindow 1 00088D14 user32.dll 023C SendMessageA 1 00088D18 user32.dll 0244 SetActiveWindow 1 00088D1C user32.dll 0245 SetCapture 1 00088D20 user32.dll 0248 SetClassLongA 1 00088D24 user32.dll 024E SetCursor 1 00088D28 user32.dll 0257 SetFocus 1 00088D2C user32.dll 0258 SetForegroundWindow 1 00088D30 user32.dll 025E SetMenu 1 00088D34 user32.dll 0263 SetMenuItemInfoA 1 00088D38 user32.dll 026B SetPropA 1 00088D3C user32.dll 026D SetRect 1 00088D40 user32.dll 026F SetScrollInfo 1 00088D44 user32.dll 0270 SetScrollPos 1 00088D48 user32.dll 0271 SetScrollRange 1 00088D4C user32.dll 027B SetTimer 1 00088D50 user32.dll 0281 SetWindowLongA 1 00088D54 user32.dll 0283 SetWindowPlacement 1 00088D58 user32.dll 0284 SetWindowPos 1 00088D5C user32.dll 0287 SetWindowTextA 1 00088D60 user32.dll 028B SetWindowsHookExA 1 00088D64 user32.dll 028F ShowCursor 1 00088D68 user32.dll 0290 ShowOwnedPopups 1 00088D6C user32.dll 0291 ShowScrollBar 1 00088D70 user32.dll 0293 ShowWindow 1 00088D74 user32.dll 029A SystemParametersInfoA 1 00088D78 user32.dll 02A5 TrackPopupMenu 1 00088D7C user32.dll 02AA TranslateMDISysAccel 1 00088D80 user32.dll 02AB TranslateMessage 1 00088D84 user32.dll 02AF UnhookWindowsHookEx 1 00088D88 user32.dll 02B4 UnregisterClassA 1 00088D8C user32.dll 02BC UpdateWindow 1 00088D90 user32.dll 02D1 WaitMessage 1 00088D94 user32.dll 02D3 WinHelpA 1 00088D98 user32.dll 02D6 WindowFromPoint 1 00088D9C user32.dll 02D9 wsprintfA 1 00088DA0 user32.dll 015D GetSystemMenu FThunk: 00088DA8 NbFunc: 0000000C 0 00088DA8 ? 0000 0008A84E 0 00088DAC ? 0000 0008A862 0 00088DB0 ? 0000 0008A876 0 00088DB4 ? 0000 0008A886 0 00088DB8 ? 0000 0008A896 0 00088DBC ? 0000 0008A8A8 0 00088DC0 ? 0000 0008A8C0 0 00088DC4 ? 0000 0008A8D0 0 00088DC8 ? 0000 0008A8DE 0 00088DCC ? 0000 0008A8E8 0 00088DD0 ? 0000 0008A900 0 00088DD4 ? 0000 0008A912 FThunk: 00088DDC NbFunc: 0000000C 1 00088DDC ole32.dll 0012 CoCreateInstance 1 00088DE0 ole32.dll 0024 CoGetClassObject 1 00088DE4 ole32.dll 003C CoInitialize 1 00088DE8 ole32.dll 0066 CoTaskMemFree 1 00088DEC ole32.dll 006A CoUninitialize 1 00088DF0 ole32.dll 0093 CreateStreamOnHGlobal 1 00088DF4 ole32.dll 00D7 IsAccelerator 1 00088DF8 ole32.dll 00D8 IsEqualGUID 1 00088DFC ole32.dll 00F7 OleDraw 1 00088E00 ole32.dll 0113 OleSetMenuDescriptor 1 00088E04 ole32.dll 0117 ProgIDFromCLSID 1 00088E08 ole32.dll 0143 StringFromCLSID FThunk: 00088E10 NbFunc: 0000000D 0 00088E10 ? 0000 0008A924 0 00088E14 ? 0000 0008A936 0 00088E18 ? 0000 0008A946 0 00088E1C ? 0000 0008A958 0 00088E20 ? 0000 0008A96C 0 00088E24 ? 0000 0008A97C 0 00088E28 ? 0000 0008A992 0 00088E2C ? 0000 0008A9A2 0 00088E30 ? 0000 0008A9B6 0 00088E34 ? 0000 0008A9CC 0 00088E38 ? 0000 0008A9DC 0 00088E3C ? 0000 0008A9EA 0 00088E40 ? 0000 0008A9FC FThunk: 00088E48 NbFunc: 0000000D 1 00088E48 oleaut32.dll 0023 GetActiveObject 1 00088E4C oleaut32.dll 00C8 GetErrorInfo 1 00088E50 oleaut32.dll 0002 SysAllocString 1 00088E54 oleaut32.dll 0004 SysAllocStringLen 1 00088E58 oleaut32.dll 0006 SysFreeString 1 00088E5C oleaut32.dll 0005 SysReAllocStringLen 1 00088E60 oleaut32.dll 0007 SysStringLen 1 00088E64 oleaut32.dll 000C VariantChangeType 1 00088E68 oleaut32.dll 0093 VariantChangeTypeEx 1 00088E6C oleaut32.dll 0009 VariantClear 1 00088E70 oleaut32.dll 000A VariantCopy 1 00088E74 oleaut32.dll 000B VariantCopyInd 1 00088E78 oleaut32.dll 0008 VariantInit
99fan 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 2 粉丝 0 关注私信	99fan 2005-12-20 15:17 21 楼 0 你的加密版本是1.43，不能用本教程的方法脱壳。
chasgone 雪币： 217 活跃值： (61) 能力值： ( LV6，RANK：90 ) 在线值：发帖 4 回帖 94 粉丝 1 关注私信	chasgone 2 2005-12-20 21:40 22 楼 0 你怎么知道是1.43的呀？真是高人呀那我这个应该怎么脱呢？能给介绍一个教程吗？我没到新版本的教程谢谢急切等待你的回答
	游客登录 \| 注册方可回帖　回帖　表情雪币赚取及消费高级回复