是Armadillo的早期版本吗？-加壳脱壳-看雪-安全社区|安全招聘|kanxue.com

是Armadillo的早期版本吗？

发表于: 2005-10-30 14:03 4330

是Armadillo的早期版本吗？

hunter_boy 活跃值

2005-10-30 14:03

4330

http://www.pctools.com/spyware-doctor/?ref=d6

Spyware Doctor is not only one of the most popular spyware removal and real-time protection tools on the market (with 500,000+ downloads per week) but also one of the most highly awarded!

the most !!!

这个程序加了壳用PEiD看是
Armadillo 1.xx - 2.xx -> Silicon Realms Toolworks [Overlay]

用 Stud_PE 看是
Armadillo 2.5x-2.6x -> Silicon Realms Toolswork
但是我没有找到脱 Armadillo 2.5x-2.6x 的教材也

我就照着脱 Armadillo 1.xx - 2.xx 的脱了一下，一看
晕，真的脱了？都没有检测出有壳，Borland Delphi 6.0 - 7.0
也可以运行(现在就在用)

但是OD加载进去后怎么看都仍然像是加了壳的，无法调试呀，也无法附加
也无法分析，而且还有这种东西 rtl70.bpl ，vcl70.bpl 怎么API还有用
这里面的？是 Armadillo 带的？

现在看到 hacnho 大哥拿出的 Armadillo 都是3.x 4.x的啦，不知道大家
还愿不愿意教教我这个了，我下了他哪里的几篇tur都不是中文的，而且也
不是英文的，看不懂

这是脱了一次后看到的信息

[培训]《安卓高级研修班(网课)》月薪三万计划，掌握调试、分析还原ollvm、vmp的方法，定制art虚拟机自动化脱壳的方法

收藏・0

免费・0

支持

最新回复 (9)
demitasse 雪币： 204 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 6 回帖 33 粉丝 0 关注私信	demitasse 2 楼 rtl70.bpl ，vcl70.bpl 是Delphi的运行时包，你在你的机器上安装一个Delphi7.0就Ok了。 2005-10-30 15:17 0
fly 雪币： 898 活跃值： (4039) 能力值： ( LV9，RANK：3410 ) 在线值：发帖 294 回帖 7686 粉丝 32 关注私信	fly 85 3 楼普通标准壳 00DCAC0D FF15 D820DF00 call dword ptr ds:[DF20D8] ; kernel32.GetModuleHandleA 00DCAC13 8B0D E4C9DF00 mov ecx,dword ptr ds:[DFC9E4] 00DCAC19 89040E mov dword ptr ds:[esi+ecx],eax 00DCAC1C A1 E4C9DF00 mov eax,dword ptr ds:[DFC9E4] 00DCAC21 391C06 cmp dword ptr ds:[esi+eax],ebx 00DCAC24 75 16 jnz short 00DCAC3C 00DCAC26 8D85 B4FEFFFF lea eax,dword ptr ss:[ebp-14C] 00DCAC2C 50 push eax 00DCAC2D FF15 E020DF00 call dword ptr ds:[DF20E0] ; kernel32.LoadLibraryA 00DCAC33 8B0D E4C9DF00 mov ecx,dword ptr ds:[DFC9E4] 00DCAC39 89040E mov dword ptr ds:[esi+ecx],eax 00DCAC3C A1 E4C9DF00 mov eax,dword ptr ds:[DFC9E4] 00DCAC41 391C06 cmp dword ptr ds:[esi+eax],ebx 00DCAC44 0F84 35010000 je 00DCAD7F //jmp 00DCAD7F 00DCAC4A 33C9 xor ecx,ecx 00DCAC4C 8B07 mov eax,dword ptr ds:[edi] 00DCAC4E 3918 cmp dword ptr ds:[eax],ebx 00DCAC50 74 06 je short 00DCAC58 00DCAC52 41 inc ecx 00DCAC53 83C0 0C add eax,0C 00DCAC56 EB F6 jmp short 00DCAC4E 0053B170 55 push ebp //OEP 0053B171 8BEC mov ebp,esp 0053B173 83C4 E8 add esp,-18 0053B176 53 push ebx 0053B177 56 push esi 0053B178 57 push edi 0053B179 33C0 xor eax,eax 0053B17B 8945 E8 mov dword ptr ss:[ebp-18],eax 0053B17E 8945 EC mov dword ptr ss:[ebp-14],eax 0053B181 B8 B0A85300 mov eax,53A8B0 0053B186 E8 2164ECFF call 004015AC 脱壳文件改为swdoctor.exe即可正常运行 2005-10-30 16:38 0
hunter_boy 雪币： 261 活跃值： (230) 能力值： ( LV8，RANK：130 ) 在线值：发帖 28 回帖 249 粉丝 3 关注私信	hunter_boy 3 4 楼最初由 fly 发布脱壳文件改为swdoctor.exe即可正常运行最初由 hunter_boy 发布晕，真的脱了？都没有检测出有壳，Borland Delphi 6.0 - 7.0 也可以运行(现在就在用) 我的确是这样脱的，也该了名字，可以使用但我的问题是OD仍然不能调试程序呢，在OD下一运行OD就无响应了 2005-10-30 23:02 0
hunter_boy 雪币： 261 活跃值： (230) 能力值： ( LV8，RANK：130 ) 在线值：发帖 28 回帖 249 粉丝 3 关注私信	hunter_boy 3 5 楼 OD 还是没搞定 DeDe 都可以看，只能静态？希望大哥们帮我看看应该有东西可以学的 2005-10-31 20:15 0
hunter_boy 雪币： 261 活跃值： (230) 能力值： ( LV8，RANK：130 ) 在线值：发帖 28 回帖 249 粉丝 3 关注私信	hunter_boy 3 6 楼用DeDe看的 object FormRegistration: TFormRegistration Left = 362 Top = 257 BorderIcons = [biSystemMenu] BorderStyle = bsNone Caption = 'FormRegistration' ClientHeight = 296 ClientWidth = 434 Color = clWhite Font.Charset = DEFAULT_CHARSET Font.Color = clWindowText Font.Height = -11 Font.Name = 'Arial' Font.Style = [] FormStyle = fsStayOnTop KeyPreview = True OldCreateOrder = False Position = poDesktopCenter Scaled = False OnCreate = FormCreate PixelsPerInch = 96 TextHeight = 14 object Image1: TImage Left = 0 Top = 0 Width = 434 Height = 296 Align = alClient Picture.Data = { omit ...................... } OnMouseDown = Image1MouseDown OnMouseMove = Image1MouseMove OnMouseUp = Image1MouseUp end object LabelState: TLabel Left = 8 Top = 81 Width = 265 Height = 14 Caption = 'You have used the software for 0 days out of 30.' Font.Charset = DEFAULT_CHARSET Font.Color = clWindowText Font.Height = -11 Font.Name = 'Arial' Font.Style = [fsBold] ParentFont = False end object lblText: TLabel Left = 8 Top = 103 Width = 417 Height = 48 AutoSize = False Caption = 'To purchase the program please click "Purchase Online" or click ' + '"Continue" to access the trial version. Registered users please ' + 'provide your registration and license information below to activ' + 'ate the full version.' WordWrap = True end object lblName: TLabel Left = 16 Top = 162 Width = 30 Height = 14 Caption = 'Name:' end object lblLicense: TLabel Left = 16 Top = 194 Width = 41 Height = 14 Caption = 'License:' end object lblTitle: TLabel Left = 16 Top = 11 Width = 231 Height = 22 Caption = 'Register Spyware Doctor' Font.Charset = DEFAULT_CHARSET Font.Color = clWhite Font.Height = -19 Font.Name = 'Arial' Font.Style = [fsBold] ParentFont = False Transparent = True OnMouseDown = Image1MouseDown OnMouseMove = Image1MouseMove OnMouseUp = Image1MouseUp end object hlRegistrationHelp: THotLabel Left = 104 Top = 220 Width = 106 Height = 13 Cursor = crHandPoint Caption = 'Need help registering?' Font.Charset = DEFAULT_CHARSET Font.Color = clHighlight Font.Height = -11 Font.Name = 'MS Sans Serif' Font.Style = [fsUnderline] ParentFont = False OnClick = hlRegistrationHelpClick HotColor = clHighlight end object EditName: TEdit Left = 104 Top = 160 Width = 217 Height = 22 TabOrder = 0 OnChange = EditNameChange end object EditLicense: TEdit Left = 104 Top = 192 Width = 217 Height = 22 TabOrder = 1 OnChange = EditNameChange end object ButtonRegister: TButton Left = 16 Top = 249 Width = 105 Height = 25 Caption = 'Register' Enabled = False Font.Charset = DEFAULT_CHARSET Font.Color = clWindowText Font.Height = -11 Font.Name = 'Arial' Font.Style = [] ParentFont = False TabOrder = 2 OnClick = ButtonRegisterClick end object ButtonEvaluate: TButton Left = 312 Top = 249 Width = 105 Height = 25 Cancel = True Caption = 'Continue' ModalResult = 2 TabOrder = 3 end object bbPurchaseOnline: TBitBtn Left = 152 Top = 249 Width = 129 Height = 25 Caption = 'Purchase Online' Font.Charset = DEFAULT_CHARSET Font.Color = clBlack Font.Height = -11 Font.Name = 'Arial' Font.Style = [fsBold] ParentFont = False TabOrder = 4 OnClick = bbPurchaseOnlineClick end end 查看代码 =============== OnClick = ButtonRegisterClick ======================================== 0048FDFC 55 push ebp 0048FDFD 8BEC mov ebp, esp 0048FDFF B905000000 mov ecx, $00000005 0048FE04 6A00 push $00 0048FE06 6A00 push $00 0048FE08 49 dec ecx 0048FE09 75F9 jnz 0048FE04 0048FE0B 51 push ecx 0048FE0C 8955F8 mov [ebp-$08], edx 0048FE0F 8945FC mov [ebp-$04], eax 0048FE12 33C0 xor eax, eax 0048FE14 55 push ebp 0048FE15 688EFF4800 push $0048FF8E ***** TRY \| 0048FE1A 64FF30 push dword ptr fs:[eax] 0048FE1D 648920 mov fs:[eax], esp 0048FE20 8D55F4 lea edx, [ebp-$0C] 0048FE23 8B45FC mov eax, [ebp-$04] * Possible Reference to Control 'EditLicense:TEdit' \| 0048FE26 8B8010030000 mov eax, [eax+$0310] * Reference to: kernel32.@Controls@TControl@GetText$qqrv \| 0048FE2C E8CF80F9FF call 00427F00 0048FE31 8B45F4 mov eax, [ebp-$0C] * Reference to: GDI32.@System@@LStrToPChar$qqrx17System@AnsiString \| 0048FE34 E89F14F7FF call 004012D8 0048FE39 50 push eax 0048FE3A 8D55F0 lea edx, [ebp-$10] 0048FE3D 8B45FC mov eax, [ebp-$04] * Possible Reference to Control 'EditName:TEdit' \| 0048FE40 8B800C030000 mov eax, [eax+$030C] * Reference to: kernel32.@Controls@TControl@GetText$qqrv \| 0048FE46 E8B580F9FF call 00427F00 0048FE4B 8B45F0 mov eax, [ebp-$10] * Reference to: GDI32.@System@@LStrToPChar$qqrx17System@AnsiString \| 0048FE4E E88514F7FF call 004012D8 0048FE53 50 push eax * Reference to: ntdll.RtlRestoreLastWin32Error \| 0048FE54 E89FEBFFFF call 0048E9F8 0048FE59 84C0 test al, al 0048FE5B 743B jz 0048FE98 <===============TEST 0048FE5D 8D55EC lea edx, [ebp-$14] 0048FE60 8B45FC mov eax, [ebp-$04] * Possible Reference to Control 'EditLicense:TEdit' \| 0048FE63 8B8010030000 mov eax, [eax+$0310] * Reference to: kernel32.@Controls@TControl@GetText$qqrv \| 0048FE69 E89280F9FF call 00427F00 0048FE6E 8B45EC mov eax, [ebp-$14] * Reference to: GDI32.@System@@LStrToPChar$qqrx17System@AnsiString \| 0048FE71 E86214F7FF call 004012D8 0048FE76 50 push eax 0048FE77 8D55E8 lea edx, [ebp-$18] 0048FE7A 8B45FC mov eax, [ebp-$04] * Possible Reference to Control 'EditName:TEdit' \| 0048FE7D 8B800C030000 mov eax, [eax+$030C] * Reference to: kernel32.@Controls@TControl@GetText$qqrv \| 0048FE83 E87880F9FF call 00427F00 0048FE88 8B45E8 mov eax, [ebp-$18] * Reference to: GDI32.@System@@LStrToPChar$qqrx17System@AnsiString \| 0048FE8B E84814F7FF call 004012D8 0048FE90 50 push eax * Reference to: ntdll.RtlRestoreLastWin32Error \| 0048FE91 E86AEBFFFF call 0048EA00 0048FE96 EB05 jmp 0048FE9D * Reference to: ntdll.RtlRestoreLastWin32Error \| 0048FE98 E87BEBFFFF call 0048EA18 0048FE9D A16C2E5400 mov eax, dword ptr [$542E6C] 0048FEA2 8B00 mov eax, [eax] 0048FEA4 8B4024 mov eax, [eax+$24] 0048FEA7 50 push eax 0048FEA8 8B00 mov eax, [eax] 0048FEAA FF500C call dword ptr [eax+$0C] <== 只看到这个call 0048FEAD 84C0 test al, al <=================== TEST 0048FEAF 7552 jnz 0048FF03 <==== 改为 jmp 则提示注册成功（只是提示信息哦） 0048FEB1 689CFF4800 push $0048FF9C 0048FEB6 689CFF4800 push $0048FF9C * Reference to: ntdll.RtlRestoreLastWin32Error \| 0048FEBB E838EBFFFF call 0048E9F8 0048FEC0 8D4DE4 lea ecx, [ebp-$1C] 0048FEC3 A118335400 mov eax, dword ptr [$543318] 0048FEC8 8B00 mov eax, [eax] * Possible String Reference to: "Msg29" \| 0048FECA BAA8FF4800 mov edx, $0048FFA8 0048FECF E82872FBFF call 004470FC 0048FED4 8B45E4 mov eax, [ebp-$1C] 0048FED7 BA30000400 mov edx, $00040030 0048FEDC E8FFC7F9FF call 0042C6E0 0048FEE1 33D2 xor edx, edx 0048FEE3 8B45FC mov eax, [ebp-$04] * Possible Reference to Control 'EditLicense:TEdit' \| 0048FEE6 8B8010030000 mov eax, [eax+$0310] * Reference to: kernel32.@Controls@TControl@SetText$qqrx17System@AnsiString \| 0048FEEC E81780F9FF call 00427F08 0048FEF1 33D2 xor edx, edx 0048FEF3 8B45FC mov eax, [ebp-$04] * Possible Reference to Control 'EditName:TEdit' \| 0048FEF6 8B800C030000 mov eax, [eax+$030C] * Reference to: kernel32.@Controls@TControl@SetText$qqrx17System@AnsiString \| 0048FEFC E80780F9FF call 00427F08 0048FF01 EB63 jmp 0048FF66 0048FF03 E858030900 call 00520260 0048FF08 A16C2E5400 mov eax, dword ptr [$542E6C] 0048FF0D 8B00 mov eax, [eax] 0048FF0F 8B400C mov eax, [eax+$0C] 0048FF12 E8790F0900 call 00520E90 0048FF17 8D45E0 lea eax, [ebp-$20] 0048FF1A 50 push eax 0048FF1B 8D4DDC lea ecx, [ebp-$24] 0048FF1E A118335400 mov eax, dword ptr [$543318] 0048FF23 8B00 mov eax, [eax] * Possible String Reference to: "Msg28" \| 0048FF25 BAB8FF4800 mov edx, $0048FFB8 0048FF2A E8CD71FBFF call 004470FC 0048FF2F 8B45DC mov eax, [ebp-$24] 0048FF32 50 push eax 0048FF33 A178315400 mov eax, dword ptr [$543178] 0048FF38 8B00 mov eax, [eax] 0048FF3A 8945D4 mov [ebp-$2C], eax 0048FF3D C645D80B mov byte ptr [ebp-$28], $0B 0048FF41 8D55D4 lea edx, [ebp-$2C] 0048FF44 33C9 xor ecx, ecx 0048FF46 58 pop eax * Reference to: kernel32.@Sysutils@Format$qqrx17System@AnsiStringpx14System@TVarRecxi \| 0048FF47 E85475F9FF call 004274A0 0048FF4C 8B45E0 mov eax, [ebp-$20] 0048FF4F BA40000400 mov edx, $00040040 0048FF54 E887C7F9FF call 0042C6E0 0048FF59 8B45FC mov eax, [ebp-$04] 0048FF5C C7804C02000001000000 mov dword ptr [eax+$024C], $00000001 0048FF66 33C0 xor eax, eax 0048FF68 5A pop edx 0048FF69 59 pop ecx 0048FF6A 59 pop ecx 0048FF6B 648910 mov fs:[eax], edx ****** FINALLY \| * Possible String Reference to: "?]? \| 0048FF6E 6895FF4800 push $0048FF95 0048FF73 8D45DC lea eax, [ebp-$24] 0048FF76 BA03000000 mov edx, $00000003 * Reference to: GDI32.@System@@LStrArrayClr$qqrpvi \| 0048FF7B E8D812F7FF call 00401258 0048FF80 8D45E8 lea eax, [ebp-$18] 0048FF83 BA04000000 mov edx, $00000004 * Reference to: GDI32.@System@@LStrArrayClr$qqrpvi \| 0048FF88 E8CB12F7FF call 00401258 0048FF8D C3 ret 0048FF8E E95D12F7FF jmp 004011F0 0048FF93 EBDE jmp 0048FF73 **** END \| 0048FF95 8BE5 mov esp, ebp 0048FF97 5D pop ebp 0048FF98 C3 ret 小结: **** Reference to: ntdll.RtlRestoreLastWin32Error \| 0048FE98 E87BEBFFFF call 0048EA18 0048FE9D A16C2E5400 mov eax, dword ptr [$542E6C] 0048FEA2 8B00 mov eax, [eax] 0048FEA4 8B4024 mov eax, [eax+$24] 0048FEA7 50 push eax 0048FEA8 8B00 mov eax, [eax] 0048FEAA FF500C call dword ptr [eax+$0C] <== 只看到这个call 0048FEAD 84C0 test al, al <=================== TEST 0048FEAF 7552 jnz 0048FF03 <==== 改为 jmp 则提示注册成功（只是有提示筐而已啦） 0048FEB1 689CFF4800 push $0048FF9C 0048FEB6 689CFF4800 push $0048FF9C 并且写注册表 [HKEY_LOCAL_MACHINE\SOFTWARE\PCTools\Live Update\Subscription] "sd"=hex:05,76,61,6c,69,64,b4,16,86,00,5c,0f,06,01,f6,1b,53,00,fe,1b,53,00,00,\ 00,00,00,00,00,00,00,00,00,00,00 问题是不知道程序 call dword ptr [eax+$0C] 进哪里了？？？？？ 2005-10-31 22:10 0
fly 雪币： 898 活跃值： (4039) 能力值： ( LV9，RANK：3410 ) 在线值：发帖 294 回帖 7686 粉丝 32 关注私信	fly 85 7 楼重新安装程序测试了一下我这边OllyDBG是可以跑起来的当然，你要忽略掉那些异常 Shift+F9 注册部分是用的Armadillo模块，所以你要处理以下函数，或者直接屏蔽 0048E9F8 - FF25 F0875400 jmp dword ptr ds:[5487F0] 0048E9FE 8BC0 mov eax,eax 0048EA00 FF25 EC875400 jmp dword ptr ds:[5487EC] 0048EA06 8BC0 mov eax,eax 0048EA08 FF25 E8875400 jmp dword ptr ds:[5487E8] 0048EA0E 8BC0 mov eax,eax 0048EA10 FF25 E4875400 jmp dword ptr ds:[5487E4] 0048EA16 8BC0 mov eax,eax 0048EA18 FF25 E0875400 jmp dword ptr ds:[5487E0] 2005-10-31 22:56 0
hunter_boy 雪币： 261 活跃值： (230) 能力值： ( LV8，RANK：130 ) 在线值：发帖 28 回帖 249 粉丝 3 关注私信	hunter_boy 3 8 楼最初由 fly 发布注册部分是用的Armadillo模块，所以你要处理以下函数，或者直接屏蔽啊！这样的呀，经fly大侠一说，我试了一下功能，果然可以用了，是不是说注册的模块已经没有了是不是脱之前要把注册信息放进去呀，就像patch那样？这样说来没戏了，我对这个一点都不懂 55555555555555555555555 2005-11-1 16:42 0
fly 雪币： 898 活跃值： (4039) 能力值： ( LV9，RANK：3410 ) 在线值：发帖 294 回帖 7686 粉丝 32 关注私信	fly 85 9 楼如果没有使用key解码限制功能的话这样就没问题了脱壳后即去掉注册模块，不需要再注册 2005-11-1 16:54 0
hunter_boy 雪币： 261 活跃值： (230) 能力值： ( LV8，RANK：130 ) 在线值：发帖 28 回帖 249 粉丝 3 关注私信	hunter_boy 3 10 楼恩谢谢fly大哥的帮助 2005-11-1 17:17 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

hunter_boy

发帖

249

回帖

130

RANK

关注

私信

他的文章

关于我们

联系我们

企业服务

看雪公众号

最新回复 (9)
demitasse 雪币： 204 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 6 回帖 33 粉丝 0 关注私信	demitasse 2 楼 rtl70.bpl ，vcl70.bpl 是Delphi的运行时包，你在你的机器上安装一个Delphi7.0就Ok了。 2005-10-30 15:17 0
fly 雪币： 898 活跃值： (4039) 能力值： ( LV9，RANK：3410 ) 在线值：发帖 294 回帖 7686 粉丝 32 关注私信	fly 85 3 楼普通标准壳 00DCAC0D FF15 D820DF00 call dword ptr ds:[DF20D8] ; kernel32.GetModuleHandleA 00DCAC13 8B0D E4C9DF00 mov ecx,dword ptr ds:[DFC9E4] 00DCAC19 89040E mov dword ptr ds:[esi+ecx],eax 00DCAC1C A1 E4C9DF00 mov eax,dword ptr ds:[DFC9E4] 00DCAC21 391C06 cmp dword ptr ds:[esi+eax],ebx 00DCAC24 75 16 jnz short 00DCAC3C 00DCAC26 8D85 B4FEFFFF lea eax,dword ptr ss:[ebp-14C] 00DCAC2C 50 push eax 00DCAC2D FF15 E020DF00 call dword ptr ds:[DF20E0] ; kernel32.LoadLibraryA 00DCAC33 8B0D E4C9DF00 mov ecx,dword ptr ds:[DFC9E4] 00DCAC39 89040E mov dword ptr ds:[esi+ecx],eax 00DCAC3C A1 E4C9DF00 mov eax,dword ptr ds:[DFC9E4] 00DCAC41 391C06 cmp dword ptr ds:[esi+eax],ebx 00DCAC44 0F84 35010000 je 00DCAD7F //jmp 00DCAD7F 00DCAC4A 33C9 xor ecx,ecx 00DCAC4C 8B07 mov eax,dword ptr ds:[edi] 00DCAC4E 3918 cmp dword ptr ds:[eax],ebx 00DCAC50 74 06 je short 00DCAC58 00DCAC52 41 inc ecx 00DCAC53 83C0 0C add eax,0C 00DCAC56 EB F6 jmp short 00DCAC4E 0053B170 55 push ebp //OEP 0053B171 8BEC mov ebp,esp 0053B173 83C4 E8 add esp,-18 0053B176 53 push ebx 0053B177 56 push esi 0053B178 57 push edi 0053B179 33C0 xor eax,eax 0053B17B 8945 E8 mov dword ptr ss:[ebp-18],eax 0053B17E 8945 EC mov dword ptr ss:[ebp-14],eax 0053B181 B8 B0A85300 mov eax,53A8B0 0053B186 E8 2164ECFF call 004015AC 脱壳文件改为swdoctor.exe即可正常运行 2005-10-30 16:38 0
hunter_boy 雪币： 261 活跃值： (230) 能力值： ( LV8，RANK：130 ) 在线值：发帖 28 回帖 249 粉丝 3 关注私信	hunter_boy 3 4 楼最初由 fly 发布脱壳文件改为swdoctor.exe即可正常运行最初由 hunter_boy 发布晕，真的脱了？都没有检测出有壳，Borland Delphi 6.0 - 7.0 也可以运行(现在就在用) 我的确是这样脱的，也该了名字，可以使用但我的问题是OD仍然不能调试程序呢，在OD下一运行OD就无响应了 2005-10-30 23:02 0
hunter_boy 雪币： 261 活跃值： (230) 能力值： ( LV8，RANK：130 ) 在线值：发帖 28 回帖 249 粉丝 3 关注私信	hunter_boy 3 5 楼 OD 还是没搞定 DeDe 都可以看，只能静态？希望大哥们帮我看看应该有东西可以学的 2005-10-31 20:15 0
hunter_boy 雪币： 261 活跃值： (230) 能力值： ( LV8，RANK：130 ) 在线值：发帖 28 回帖 249 粉丝 3 关注私信	hunter_boy 3 6 楼用DeDe看的 object FormRegistration: TFormRegistration Left = 362 Top = 257 BorderIcons = [biSystemMenu] BorderStyle = bsNone Caption = 'FormRegistration' ClientHeight = 296 ClientWidth = 434 Color = clWhite Font.Charset = DEFAULT_CHARSET Font.Color = clWindowText Font.Height = -11 Font.Name = 'Arial' Font.Style = [] FormStyle = fsStayOnTop KeyPreview = True OldCreateOrder = False Position = poDesktopCenter Scaled = False OnCreate = FormCreate PixelsPerInch = 96 TextHeight = 14 object Image1: TImage Left = 0 Top = 0 Width = 434 Height = 296 Align = alClient Picture.Data = { omit ...................... } OnMouseDown = Image1MouseDown OnMouseMove = Image1MouseMove OnMouseUp = Image1MouseUp end object LabelState: TLabel Left = 8 Top = 81 Width = 265 Height = 14 Caption = 'You have used the software for 0 days out of 30.' Font.Charset = DEFAULT_CHARSET Font.Color = clWindowText Font.Height = -11 Font.Name = 'Arial' Font.Style = [fsBold] ParentFont = False end object lblText: TLabel Left = 8 Top = 103 Width = 417 Height = 48 AutoSize = False Caption = 'To purchase the program please click "Purchase Online" or click ' + '"Continue" to access the trial version. Registered users please ' + 'provide your registration and license information below to activ' + 'ate the full version.' WordWrap = True end object lblName: TLabel Left = 16 Top = 162 Width = 30 Height = 14 Caption = 'Name:' end object lblLicense: TLabel Left = 16 Top = 194 Width = 41 Height = 14 Caption = 'License:' end object lblTitle: TLabel Left = 16 Top = 11 Width = 231 Height = 22 Caption = 'Register Spyware Doctor' Font.Charset = DEFAULT_CHARSET Font.Color = clWhite Font.Height = -19 Font.Name = 'Arial' Font.Style = [fsBold] ParentFont = False Transparent = True OnMouseDown = Image1MouseDown OnMouseMove = Image1MouseMove OnMouseUp = Image1MouseUp end object hlRegistrationHelp: THotLabel Left = 104 Top = 220 Width = 106 Height = 13 Cursor = crHandPoint Caption = 'Need help registering?' Font.Charset = DEFAULT_CHARSET Font.Color = clHighlight Font.Height = -11 Font.Name = 'MS Sans Serif' Font.Style = [fsUnderline] ParentFont = False OnClick = hlRegistrationHelpClick HotColor = clHighlight end object EditName: TEdit Left = 104 Top = 160 Width = 217 Height = 22 TabOrder = 0 OnChange = EditNameChange end object EditLicense: TEdit Left = 104 Top = 192 Width = 217 Height = 22 TabOrder = 1 OnChange = EditNameChange end object ButtonRegister: TButton Left = 16 Top = 249 Width = 105 Height = 25 Caption = 'Register' Enabled = False Font.Charset = DEFAULT_CHARSET Font.Color = clWindowText Font.Height = -11 Font.Name = 'Arial' Font.Style = [] ParentFont = False TabOrder = 2 OnClick = ButtonRegisterClick end object ButtonEvaluate: TButton Left = 312 Top = 249 Width = 105 Height = 25 Cancel = True Caption = 'Continue' ModalResult = 2 TabOrder = 3 end object bbPurchaseOnline: TBitBtn Left = 152 Top = 249 Width = 129 Height = 25 Caption = 'Purchase Online' Font.Charset = DEFAULT_CHARSET Font.Color = clBlack Font.Height = -11 Font.Name = 'Arial' Font.Style = [fsBold] ParentFont = False TabOrder = 4 OnClick = bbPurchaseOnlineClick end end 查看代码 =============== OnClick = ButtonRegisterClick ======================================== 0048FDFC 55 push ebp 0048FDFD 8BEC mov ebp, esp 0048FDFF B905000000 mov ecx, $00000005 0048FE04 6A00 push $00 0048FE06 6A00 push $00 0048FE08 49 dec ecx 0048FE09 75F9 jnz 0048FE04 0048FE0B 51 push ecx 0048FE0C 8955F8 mov [ebp-$08], edx 0048FE0F 8945FC mov [ebp-$04], eax 0048FE12 33C0 xor eax, eax 0048FE14 55 push ebp 0048FE15 688EFF4800 push $0048FF8E ***** TRY \| 0048FE1A 64FF30 push dword ptr fs:[eax] 0048FE1D 648920 mov fs:[eax], esp 0048FE20 8D55F4 lea edx, [ebp-$0C] 0048FE23 8B45FC mov eax, [ebp-$04] * Possible Reference to Control 'EditLicense:TEdit' \| 0048FE26 8B8010030000 mov eax, [eax+$0310] * Reference to: kernel32.@Controls@TControl@GetText$qqrv \| 0048FE2C E8CF80F9FF call 00427F00 0048FE31 8B45F4 mov eax, [ebp-$0C] * Reference to: GDI32.@System@@LStrToPChar$qqrx17System@AnsiString \| 0048FE34 E89F14F7FF call 004012D8 0048FE39 50 push eax 0048FE3A 8D55F0 lea edx, [ebp-$10] 0048FE3D 8B45FC mov eax, [ebp-$04] * Possible Reference to Control 'EditName:TEdit' \| 0048FE40 8B800C030000 mov eax, [eax+$030C] * Reference to: kernel32.@Controls@TControl@GetText$qqrv \| 0048FE46 E8B580F9FF call 00427F00 0048FE4B 8B45F0 mov eax, [ebp-$10] * Reference to: GDI32.@System@@LStrToPChar$qqrx17System@AnsiString \| 0048FE4E E88514F7FF call 004012D8 0048FE53 50 push eax * Reference to: ntdll.RtlRestoreLastWin32Error \| 0048FE54 E89FEBFFFF call 0048E9F8 0048FE59 84C0 test al, al 0048FE5B 743B jz 0048FE98 <===============TEST 0048FE5D 8D55EC lea edx, [ebp-$14] 0048FE60 8B45FC mov eax, [ebp-$04] * Possible Reference to Control 'EditLicense:TEdit' \| 0048FE63 8B8010030000 mov eax, [eax+$0310] * Reference to: kernel32.@Controls@TControl@GetText$qqrv \| 0048FE69 E89280F9FF call 00427F00 0048FE6E 8B45EC mov eax, [ebp-$14] * Reference to: GDI32.@System@@LStrToPChar$qqrx17System@AnsiString \| 0048FE71 E86214F7FF call 004012D8 0048FE76 50 push eax 0048FE77 8D55E8 lea edx, [ebp-$18] 0048FE7A 8B45FC mov eax, [ebp-$04] * Possible Reference to Control 'EditName:TEdit' \| 0048FE7D 8B800C030000 mov eax, [eax+$030C] * Reference to: kernel32.@Controls@TControl@GetText$qqrv \| 0048FE83 E87880F9FF call 00427F00 0048FE88 8B45E8 mov eax, [ebp-$18] * Reference to: GDI32.@System@@LStrToPChar$qqrx17System@AnsiString \| 0048FE8B E84814F7FF call 004012D8 0048FE90 50 push eax * Reference to: ntdll.RtlRestoreLastWin32Error \| 0048FE91 E86AEBFFFF call 0048EA00 0048FE96 EB05 jmp 0048FE9D * Reference to: ntdll.RtlRestoreLastWin32Error \| 0048FE98 E87BEBFFFF call 0048EA18 0048FE9D A16C2E5400 mov eax, dword ptr [$542E6C] 0048FEA2 8B00 mov eax, [eax] 0048FEA4 8B4024 mov eax, [eax+$24] 0048FEA7 50 push eax 0048FEA8 8B00 mov eax, [eax] 0048FEAA FF500C call dword ptr [eax+$0C] <== 只看到这个call 0048FEAD 84C0 test al, al <=================== TEST 0048FEAF 7552 jnz 0048FF03 <==== 改为 jmp 则提示注册成功（只是提示信息哦） 0048FEB1 689CFF4800 push $0048FF9C 0048FEB6 689CFF4800 push $0048FF9C * Reference to: ntdll.RtlRestoreLastWin32Error \| 0048FEBB E838EBFFFF call 0048E9F8 0048FEC0 8D4DE4 lea ecx, [ebp-$1C] 0048FEC3 A118335400 mov eax, dword ptr [$543318] 0048FEC8 8B00 mov eax, [eax] * Possible String Reference to: "Msg29" \| 0048FECA BAA8FF4800 mov edx, $0048FFA8 0048FECF E82872FBFF call 004470FC 0048FED4 8B45E4 mov eax, [ebp-$1C] 0048FED7 BA30000400 mov edx, $00040030 0048FEDC E8FFC7F9FF call 0042C6E0 0048FEE1 33D2 xor edx, edx 0048FEE3 8B45FC mov eax, [ebp-$04] * Possible Reference to Control 'EditLicense:TEdit' \| 0048FEE6 8B8010030000 mov eax, [eax+$0310] * Reference to: kernel32.@Controls@TControl@SetText$qqrx17System@AnsiString \| 0048FEEC E81780F9FF call 00427F08 0048FEF1 33D2 xor edx, edx 0048FEF3 8B45FC mov eax, [ebp-$04] * Possible Reference to Control 'EditName:TEdit' \| 0048FEF6 8B800C030000 mov eax, [eax+$030C] * Reference to: kernel32.@Controls@TControl@SetText$qqrx17System@AnsiString \| 0048FEFC E80780F9FF call 00427F08 0048FF01 EB63 jmp 0048FF66 0048FF03 E858030900 call 00520260 0048FF08 A16C2E5400 mov eax, dword ptr [$542E6C] 0048FF0D 8B00 mov eax, [eax] 0048FF0F 8B400C mov eax, [eax+$0C] 0048FF12 E8790F0900 call 00520E90 0048FF17 8D45E0 lea eax, [ebp-$20] 0048FF1A 50 push eax 0048FF1B 8D4DDC lea ecx, [ebp-$24] 0048FF1E A118335400 mov eax, dword ptr [$543318] 0048FF23 8B00 mov eax, [eax] * Possible String Reference to: "Msg28" \| 0048FF25 BAB8FF4800 mov edx, $0048FFB8 0048FF2A E8CD71FBFF call 004470FC 0048FF2F 8B45DC mov eax, [ebp-$24] 0048FF32 50 push eax 0048FF33 A178315400 mov eax, dword ptr [$543178] 0048FF38 8B00 mov eax, [eax] 0048FF3A 8945D4 mov [ebp-$2C], eax 0048FF3D C645D80B mov byte ptr [ebp-$28], $0B 0048FF41 8D55D4 lea edx, [ebp-$2C] 0048FF44 33C9 xor ecx, ecx 0048FF46 58 pop eax * Reference to: kernel32.@Sysutils@Format$qqrx17System@AnsiStringpx14System@TVarRecxi \| 0048FF47 E85475F9FF call 004274A0 0048FF4C 8B45E0 mov eax, [ebp-$20] 0048FF4F BA40000400 mov edx, $00040040 0048FF54 E887C7F9FF call 0042C6E0 0048FF59 8B45FC mov eax, [ebp-$04] 0048FF5C C7804C02000001000000 mov dword ptr [eax+$024C], $00000001 0048FF66 33C0 xor eax, eax 0048FF68 5A pop edx 0048FF69 59 pop ecx 0048FF6A 59 pop ecx 0048FF6B 648910 mov fs:[eax], edx ****** FINALLY \| * Possible String Reference to: "?]? \| 0048FF6E 6895FF4800 push $0048FF95 0048FF73 8D45DC lea eax, [ebp-$24] 0048FF76 BA03000000 mov edx, $00000003 * Reference to: GDI32.@System@@LStrArrayClr$qqrpvi \| 0048FF7B E8D812F7FF call 00401258 0048FF80 8D45E8 lea eax, [ebp-$18] 0048FF83 BA04000000 mov edx, $00000004 * Reference to: GDI32.@System@@LStrArrayClr$qqrpvi \| 0048FF88 E8CB12F7FF call 00401258 0048FF8D C3 ret 0048FF8E E95D12F7FF jmp 004011F0 0048FF93 EBDE jmp 0048FF73 **** END \| 0048FF95 8BE5 mov esp, ebp 0048FF97 5D pop ebp 0048FF98 C3 ret 小结: **** Reference to: ntdll.RtlRestoreLastWin32Error \| 0048FE98 E87BEBFFFF call 0048EA18 0048FE9D A16C2E5400 mov eax, dword ptr [$542E6C] 0048FEA2 8B00 mov eax, [eax] 0048FEA4 8B4024 mov eax, [eax+$24] 0048FEA7 50 push eax 0048FEA8 8B00 mov eax, [eax] 0048FEAA FF500C call dword ptr [eax+$0C] <== 只看到这个call 0048FEAD 84C0 test al, al <=================== TEST 0048FEAF 7552 jnz 0048FF03 <==== 改为 jmp 则提示注册成功（只是有提示筐而已啦） 0048FEB1 689CFF4800 push $0048FF9C 0048FEB6 689CFF4800 push $0048FF9C 并且写注册表 [HKEY_LOCAL_MACHINE\SOFTWARE\PCTools\Live Update\Subscription] "sd"=hex:05,76,61,6c,69,64,b4,16,86,00,5c,0f,06,01,f6,1b,53,00,fe,1b,53,00,00,\ 00,00,00,00,00,00,00,00,00,00,00 问题是不知道程序 call dword ptr [eax+$0C] 进哪里了？？？？？ 2005-10-31 22:10 0
fly 雪币： 898 活跃值： (4039) 能力值： ( LV9，RANK：3410 ) 在线值：发帖 294 回帖 7686 粉丝 32 关注私信	fly 85 7 楼重新安装程序测试了一下我这边OllyDBG是可以跑起来的当然，你要忽略掉那些异常 Shift+F9 注册部分是用的Armadillo模块，所以你要处理以下函数，或者直接屏蔽 0048E9F8 - FF25 F0875400 jmp dword ptr ds:[5487F0] 0048E9FE 8BC0 mov eax,eax 0048EA00 FF25 EC875400 jmp dword ptr ds:[5487EC] 0048EA06 8BC0 mov eax,eax 0048EA08 FF25 E8875400 jmp dword ptr ds:[5487E8] 0048EA0E 8BC0 mov eax,eax 0048EA10 FF25 E4875400 jmp dword ptr ds:[5487E4] 0048EA16 8BC0 mov eax,eax 0048EA18 FF25 E0875400 jmp dword ptr ds:[5487E0] 2005-10-31 22:56 0
hunter_boy 雪币： 261 活跃值： (230) 能力值： ( LV8，RANK：130 ) 在线值：发帖 28 回帖 249 粉丝 3 关注私信	hunter_boy 3 8 楼最初由 fly 发布注册部分是用的Armadillo模块，所以你要处理以下函数，或者直接屏蔽啊！这样的呀，经fly大侠一说，我试了一下功能，果然可以用了，是不是说注册的模块已经没有了是不是脱之前要把注册信息放进去呀，就像patch那样？这样说来没戏了，我对这个一点都不懂 55555555555555555555555 2005-11-1 16:42 0
fly 雪币： 898 活跃值： (4039) 能力值： ( LV9，RANK：3410 ) 在线值：发帖 294 回帖 7686 粉丝 32 关注私信	fly 85 9 楼如果没有使用key解码限制功能的话这样就没问题了脱壳后即去掉注册模块，不需要再注册 2005-11-1 16:54 0
hunter_boy 雪币： 261 活跃值： (230) 能力值： ( LV8，RANK：130 ) 在线值：发帖 28 回帖 249 粉丝 3 关注私信	hunter_boy 3 10 楼恩谢谢fly大哥的帮助 2005-11-1 17:17 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复