首页
社区
课程
招聘
问答 CTF 排行榜 知识库 工具下载 峰会 看雪商城 证书查询
  1. 社区
  2. 加壳脱壳
    3. 发新帖
[原创]RORDbg V0.25 (下载本帖附件)
发表于: 2005-11-29 20:30 87192

[原创]RORDbg V0.25 (下载本帖附件)

Kernel64 活跃值
2005-11-29 20:30
87192

查看主题内容

收藏
免费 0
支持
分享
最新回复 (220)
快雪时晴
雪    币: 370
活跃值: (15)
能力值: ( LV9,RANK:170 )
在线值:
发帖
回帖
粉丝
私信
51
先试用一下

真的不错,有点让人惊讶的感觉 竟然体积还这么小

支持继续升级
2005-12-5 09:51
0
快雪时晴
雪    币: 370
活跃值: (15)
能力值: ( LV9,RANK:170 )
在线值:
发帖
回帖
粉丝
私信
52
对于压缩壳来说一般相对比较容易,只要选中“在OEP处暂停”,然后GO!,耐心等待,停止后,单步走几下就是真正
          OEP了,使用MakePe命令就可以成功脱掉。

我试了下aspack212壳,怎么没见脱出来的ROR-Unpacked.exe

Eip==004D4001
GetLastError:::77E68265
ASPack 2.12 -> Alexey Solodovnikov
004D4001 60                  PUSHAD
004D4002 E803000000          CALL 004D400A
004D400A 5D                  POP EBP
004D400B 45                  INC EBP
004D400C 55                  PUSH EBP
004D400D C3                  RET
004D4008 EB04                JMP 004D400E
004D400E E801000000          CALL 004D4014
004D4014 5D                  POP EBP
004D4015 BBEDFFFFFF          MOV EBX,FFFFFFED
004D401A 03DD                ADD EBX,EBP
004D401C 81EB00400D00        SUB EBX,D4000
004D4022 83BD2204000000      CMP DWORD PTR [EBP+0422h],0
004D4029 899D22040000        MOV DWORD PTR [EBP+0422h],EBX
004D402F 0F8565030000        JNZ 004D439A
004D4035 8D852E040000        LEA EAX,DWORD PTR [EBP+042Eh]
004D403B 50                  PUSH EAX
004D403C FF954D0F0000        CALL DWORD PTR [EBP+0F4Dh]
00D57B16 ***API: KERNEL32.DLL!GetModuleHandleA
004D4042 898526040000        MOV DWORD PTR [EBP+0426h],EAX
004D4048 8BF8                MOV EDI,EAX
004D404A 8D5D5E              LEA EBX,DWORD PTR [EBP+05Eh]
004D404D 53                  PUSH EBX
004D404E 50                  PUSH EAX
004D404F FF95490F0000        CALL DWORD PTR [EBP+0F49h]
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
004D4055 89854D050000        MOV DWORD PTR [EBP+054Dh],EAX
004D405B 8D5D6B              LEA EBX,DWORD PTR [EBP+06Bh]
004D405E 53                  PUSH EBX
004D405F 57                  PUSH EDI
004D4060 FF95490F0000        CALL DWORD PTR [EBP+0F49h]
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
004D4066 898551050000        MOV DWORD PTR [EBP+0551h],EAX
004D406C 8D4577              LEA EAX,DWORD PTR [EBP+077h]
004D406F FFE0                JMP EAX
004D408A 8B9D31050000        MOV EBX,DWORD PTR [EBP+0531h]
004D4090 0BDB                OR EBX,EBX
004D4092 740A                JZ 004D409E
004D4094 8B03                MOV EAX,DWORD PTR [EBX]
004D4096 878535050000        XCHG DWORD PTR [EBP+0535h],EAX
004D409C 8903                MOV DWORD PTR [EBX],EAX
004D409E 8DB569050000        LEA ESI,DWORD PTR [EBP+0569h]
004D40A4 833E00              CMP DWORD PTR [ESI],0
004D40A7 0F8421010000        JZ 004D41CE
004D40AD 6A04                PUSH 4
004D40AF 6800100000          PUSH 1000
004D40B4 6800180000          PUSH 1800
004D40B9 6A00                PUSH 0
004D40BB FF954D050000        CALL DWORD PTR [EBP+054Dh]
00D57B16 ***API: KERNEL32.DLL!VirtualAlloc
004D40C1 898556010000        MOV DWORD PTR [EBP+0156h],EAX
004D40C7 8B4604              MOV EAX,DWORD PTR [ESI+04h]
004D40CA 050E010000          ADD EAX,10E
004D40CF 6A04                PUSH 4
004D40D1 6800100000          PUSH 1000
004D40D6 50                  PUSH EAX
004D40D7 6A00                PUSH 0
004D40D9 FF954D050000        CALL DWORD PTR [EBP+054Dh]
00D57B16 ***API: KERNEL32.DLL!VirtualAlloc
004D40DF 898552010000        MOV DWORD PTR [EBP+0152h],EAX
004D40E5 56                  PUSH ESI
004D40E6 8B1E                MOV EBX,DWORD PTR [ESI]
004D40E8 039D22040000        ADD EBX,DWORD PTR [EBP+0422h]
004D40EE FFB556010000        PUSH DWORD PTR [EBP+0156h]
004D40F4 FF7604              PUSH DWORD PTR [ESI+04h]
004D40F7 50                  PUSH EAX
004D40F8 53                  PUSH EBX
004D40F9 E86E050000          CALL 004D466C
00D57B16 ***API: KERNEL32.DLL!VirtualFree
00D57B16 ***API: KERNEL32.DLL!VirtualAlloc
00D57B16 ***API: KERNEL32.DLL!VirtualFree
00D57B16 ***API: KERNEL32.DLL!VirtualAlloc
00D57B16 ***API: KERNEL32.DLL!VirtualFree
00D57B16 ***API: KERNEL32.DLL!VirtualAlloc
00D57B16 ***API: KERNEL32.DLL!VirtualFree
00D57B16 ***API: KERNEL32.DLL!VirtualAlloc
00D57B16 ***API: KERNEL32.DLL!VirtualFree
00D57B16 ***API: KERNEL32.DLL!VirtualAlloc
00D57B16 ***API: KERNEL32.DLL!VirtualFree
00D57B16 ***API: KERNEL32.DLL!VirtualAlloc
00D57B16 ***API: KERNEL32.DLL!VirtualFree
00D57B16 ***API: KERNEL32.DLL!VirtualFree
00D57B16 ***API: KERNEL32.DLL!GetModuleHandleA
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetModuleHandleA
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetModuleHandleA
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetModuleHandleA
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetModuleHandleA
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetModuleHandleA
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetModuleHandleA
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetModuleHandleA
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetModuleHandleA
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetModuleHandleA
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetModuleHandleA
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetModuleHandleA
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetModuleHandleA
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetModuleHandleA
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetModuleHandleA
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetModuleHandleA
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetModuleHandleA
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetModuleHandleA
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetModuleHandleA
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetModuleHandleA
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetModuleHandleA
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetModuleHandleA
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetModuleHandleA
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
00D57B16 ***API: KERNEL32.DLL!GetProcAddress
可能到OEP了,如果不完全正确,请再单步走几下!
004D43B0 7508                JNZ 004D43BA
可能到OEP了,如果不完全正确,请再单步走几下!
004D43BA 6860954900          PUSH 499560
Disasmble start address 004D43BA:
004D43BA 6860954900          PUSH 499560
004D43BF C3                  RET
004D43C0 8B8526040000        MOV EAX,DWORD PTR [EBP+0426h]
004D43C6 8D8D3B040000        LEA ECX,DWORD PTR [EBP+043Bh]
004D43CC 51                  PUSH ECX
004D43CD 50                  PUSH EAX
004D43CE FF95490F0000        CALL DWORD PTR [EBP+0F49h]
004D43D4 898555050000        MOV DWORD PTR [EBP+0555h],EAX
004D43DA 8D8547040000        LEA EAX,DWORD PTR [EBP+0447h]
004D43E0 50                  PUSH EAX
004D43E1 FF95510F0000        CALL DWORD PTR [EBP+0F51h]
004D43E7 89852A040000        MOV DWORD PTR [EBP+042Ah],EAX
004D43ED 8D8D52040000        LEA ECX,DWORD PTR [EBP+0452h]
004D43F3 51                  PUSH ECX
004D43F4 50                  PUSH EAX
004D43F5 FF95490F0000        CALL DWORD PTR [EBP+0F49h]
004D43FB 898559050000        MOV DWORD PTR [EBP+0559h],EAX
004D4401 8B852A040000        MOV EAX,DWORD PTR [EBP+042Ah]
004D4407 8D8D5E040000        LEA ECX,DWORD PTR [EBP+045Eh]
004D440D 51                  PUSH ECX
End disasm command.
004D43BF C3                  RET
可能到OEP了,如果不完全正确,请再单步走几下!
00499560 55                  PUSH EBP
Disasmble start address 00499560:
00499560 55                  PUSH EBP
00499561 8BEC                MOV EBP,ESP
00499563 83C4F0              ADD ESP,F0
00499566 B858914900          MOV EAX,499158
0049956B E80CD4F6FF          CALL 0040697C
00499570 A11CB34900          MOV EAX,DWORD PTR [049B31Ch]
00499575 8B00                MOV EAX,DWORD PTR [EAX]
00499577 E8B850FCFF          CALL 0045E634
0049957C A11CB34900          MOV EAX,DWORD PTR [049B31Ch]
00499581 8B00                MOV EAX,DWORD PTR [EAX]
00499583 BAEC954900          MOV EDX,4995EC
00499588 E8B34CFCFF          CALL 0045E240
0049958D B800964900          MOV EAX,499600
00499592 E8BD66FCFF          CALL 0045FC54
00499597 84C0                TEST AL,AL
00499599 7405                JZ 004995A0
0049959B E894AEF6FF          CALL 00404434
004995A0 8B0D40B14900        MOV ECX,DWORD PTR [+049B140h]
004995A6 A11CB34900          MOV EAX,DWORD PTR [049B31Ch]
004995AB 8B00                MOV EAX,DWORD PTR [EAX]
End disasm command.
Make PE now
Module:ntdll.dll
Start:77F80000 End:77FFC000
Module:kernel32.dll
GetLastError:::77E68265
Start:77E60000 End:77F32000
Module:user32.dll
Start:77DF0000 End:77E59000
Module:GDI32.dll
Start:77F40000 End:77F7C000
Module:advapi32.dll
Start:796D0000 End:79735000
Module:RPCRT4.dll
Start:786F0000 End:78768000
Module:oleaut32.dll
Start:77990000 End:77A2B000
Module:ole32.dll
Start:7CF00000 End:7CFEF000
Module:version.dll
Start:777E0000 End:777E7000
Module:LZ32.DLL
Start:75950000 End:75956000
Module:comctl32.dll
Start:71710000 End:71794000
Module:shell32.dll
Start:78F90000 End:791D5000
Module:SHLWAPI.dll
Start:772A0000 End:77306000
Module:msvcrt.dll
Start:78000000 End:78045000
Module:urlmon.dll
Start:1A400000 End:1A47C000
Module:comdlg32.dll
Start:76AF0000 End:76B2E000
Module:wsock32.dll
Start:74FD0000 End:74FDA000
Module:WS2_32.DLL
Start:74FB0000 End:74FC4000
Module:WS2HELP.DLL
Start:74FA0000 End:74FA8000
Module:netapi32.dll
Start:7CEA0000 End:7CEF3000
Module:DNSAPI.dll
Start:77960000 End:77984000
Module:NETRAP.dll
Start:75150000 End:75156000
Module:NTDSAPI.dll
Start:77BD0000 End:77BE1000
Module:WLDAP32.DLL
Start:77930000 End:7795B000
Module:SECUR32.DLL
Start:797B0000 End:797BF000
Module:SAMLIB.dll
Start:750E0000 End:750F0000
Module:IMM32.DLL
Start:75E00000 End:75E1A000
Module:LPK.DLL
Start:6C330000 End:6C338000
Module:USP10.dll
Start:65D20000 End:65D74000
Module:VMDll.dll
Start:10000000 End:10083000
Module:MFC42.DLL
Start:6BC40000 End:6BD3B000
Module:MFC42LOC.DLL
Start:6BC20000 End:6BC2D000
00--00
HODULE=00400100
nSec=11
VirtualSize RVA PhysicalSize PhysicalOffset
p=004001F8
   99000     1000    3ac00      600
p=00400220
    2000    9a000      a00    3b200
p=00400248
    1000    9c000      200    3bc00
p=00400270
    3000    9d000     1000    3be00
p=00400298
    1000    a0000     1000    3ce00
p=004002C0
    1000    a1000      200    3de00
p=004002E8
    b000    a2000        0        0
p=00400310
   25000    ad000    17400    3e000
p=00400338
    2000    d2000     1600    55400
p=00400360
    2000    d4000     1e00    56a00
p=00400388
    1000    d6000        0        0
2005-12-5 10:40
0
南蛮妈妈
雪    币: 233
活跃值: (130)
能力值: ( LV8,RANK:130 )
在线值:
发帖
回帖
粉丝
私信
53
太强了.
南蛮妈妈决定留名!!
别拦我!
希望完善后能免费
2005-12-5 11:54
0
Kernel64
雪    币: 224
活跃值: (50)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
54
答快雪时晴:
    makepe并不是每次都能成功,因为RORDbg要定位IAT的位置,方法是从当前IP开始向后反汇编,寻找那种CALL [402000]的指令或者
是JMP [XXXXXXXX]的指令,有可能找不到,或者出现死循环,实际上
,可以用一些技巧来解决这个问题,比如,你这个例子,你发现
00499560 55                  PUSH EBP
地方是OEP,那么,记录下这个地址(499560),然后勾选“遇到API暂停”,然后继续GO!,当遇到API调用了,也就是类似CALL [XXXX]
类的指令时,就可以makpe了,此时,makepe命令后面要带上参数,
就是你确认的那个OEP地址,形式如下:
   makepe 499560
就会正确脱掉了。
2005-12-5 12:07
0
快雪时晴
雪    币: 370
活跃值: (15)
能力值: ( LV9,RANK:170 )
在线值:
发帖
回帖
粉丝
私信
55
非常感谢Kernel64,成功了! 真的太棒了!

最初由 Kernel64 发布
答快雪时晴:
makepe并不是每次都能成功,因为RORDbg要定位IAT的位置,方法是从当前IP开始向后反汇编,寻找那种CALL [402000]的指令或者
是JMP [XXXXXXXX]的指令,有可能找不到,或者出现死循环,实际上
,可以用一些技巧来解决这个问题,比如,你这个例子,你发现
00499560 55 PUSH EBP
地方是OEP,那么,记录下这个地址(499560),然后勾选“遇到API暂停”,然后继续GO!,当遇到API调用了,也就是类似CALL [XXXX]
类的指令时,就可以makpe了,此时,makepe命令后面要带上参数,
就是你确认的那个OEP地址,形式如下:
makepe 499560
就会正确脱掉了。
........


00D577CD ***API: KERNEL32.DLL!GetModuleHandleA
004068B8 FF25CCD24900        JMP DWORD PTR [+049D2CCh]
Make PE now
Module:ntdll.dll
Start:77F80000 End:77FFC000
Module:kernel32.dll
GetLastError:::77E68265
Start:77E60000 End:77F32000
Module:user32.dll
Start:77DF0000 End:77E59000
Module:GDI32.dll
Start:77F40000 End:77F7C000
Module:advapi32.dll
Start:796D0000 End:79735000
Module:RPCRT4.dll
Start:786F0000 End:78768000
Module:oleaut32.dll
Start:77990000 End:77A2B000
Module:ole32.dll
Start:7CF00000 End:7CFEF000
Module:version.dll
Start:777E0000 End:777E7000
Module:LZ32.DLL
Start:75950000 End:75956000
Module:comctl32.dll
Start:71710000 End:71794000
Module:shell32.dll
Start:78F90000 End:791D5000
Module:SHLWAPI.dll
Start:772A0000 End:77306000
Module:msvcrt.dll
Start:78000000 End:78045000
Module:urlmon.dll
Start:1A400000 End:1A47C000
Module:comdlg32.dll
Start:76AF0000 End:76B2E000
Module:wsock32.dll
Start:74FD0000 End:74FDA000
Module:WS2_32.DLL
Start:74FB0000 End:74FC4000
Module:WS2HELP.DLL
Start:74FA0000 End:74FA8000
Module:netapi32.dll
Start:7CEA0000 End:7CEF3000
Module:DNSAPI.dll
Start:77960000 End:77984000
Module:NETRAP.dll
Start:75150000 End:75156000
Module:NTDSAPI.dll
Start:77BD0000 End:77BE1000
Module:WLDAP32.DLL
Start:77930000 End:7795B000
Module:SECUR32.DLL
Start:797B0000 End:797BF000
Module:SAMLIB.dll
Start:750E0000 End:750F0000
Module:IMM32.DLL
Start:75E00000 End:75E1A000
Module:LPK.DLL
Start:6C330000 End:6C338000
Module:USP10.dll
Start:65D20000 End:65D74000
Module:VMDll.dll
Start:10000000 End:10083000
Module:MFC42.DLL
Start:6BC40000 End:6BD3B000
Module:MFC42LOC.DLL
Start:6BC20000 End:6BC2D000
00--00
HODULE=00400100
nSec=11
VirtualSize RVA PhysicalSize PhysicalOffset
p=004001F8
   99000     1000    3ac00      600
p=00400220
    2000    9a000      a00    3b200
p=00400248
    1000    9c000      200    3bc00
p=00400270
    3000    9d000     1000    3be00
p=00400298
    1000    a0000     1000    3ce00
p=004002C0
    1000    a1000      200    3de00
p=004002E8
    b000    a2000        0        0
p=00400310
   25000    ad000    17400    3e000
p=00400338
    2000    d2000     1600    55400
p=00400360
    2000    d4000     1e00    56a00
p=00400388
    1000    d6000        0        0
pStart=0049D1E0
pEnd=0049FC20
    77ec    d7000     77ec    d7000
358 -> 1000
write object at 401000 len 99000
Writing 401000 len 99000
9a000 -> 9a000
write object at 49a000 len 2000
Writing 49a000 len 2000
9c000 -> 9c000
write object at 49c000 len 1000
Writing 49c000 len 1000
9d000 -> 9d000
write object at 49d000 len 3000
Writing 49d000 len 3000
a0000 -> a0000
write object at 4a0000 len 1000
Writing 4a0000 len 1000
a1000 -> a1000
write object at 4a1000 len 1000
Writing 4a1000 len 1000
a2000 -> a2000
write object at 4a2000 len b000
Writing 4a2000 len b000
ad000 -> ad000
write object at 4ad000 len 25000
Writing 4ad000 len 25000
d2000 -> d2000
write object at 4d2000 len 2000
Writing 4d2000 len 2000
d4000 -> d4000
write object at 4d4000 len 2000
Writing 4d4000 len 2000
d6000 -> d6000
write object at 4d6000 len 1000
Writing 4d6000 len 1000
d7000 -> d7000
Writing 1898020 len 77ec
文件已保存到:G:\TMP\rordbg.rar_278\ROR_Unpacked.exe
2005-12-5 13:19
0
Lenus
雪    币: 159
活跃值: (339)
能力值: ( LV8,RANK:130 )
在线值:
发帖
回帖
粉丝
私信
56
好东西....大家一起用
2005-12-5 14:07
0
q3 watcher
雪    币: 215
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
57
好东西,支持原创.
2005-12-5 18:11
0
peaceclub
雪    币: 255
活跃值: (207)
能力值: ( LV9,RANK:250 )
在线值:
发帖
回帖
粉丝
私信
58
沾光,留名.
2005-12-5 19:32
0
Kernel64
雪    币: 224
活跃值: (50)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
59
对话框里想支持F8单步似乎很麻烦,还没找到有效办法.
2005-12-5 20:36
0
laomms
雪    币: 560
活跃值: (359)
能力值: ( LV13,RANK:1370 )
在线值:
发帖
回帖
粉丝
私信
60
真的非常好用,测试了几个,压缩壳好象基本上都可以脱掉,而且脱壳的原理非常值得学习,等壳解压完后将内存中的镜像DUMP出来,所以整个过程就是壳的执行分析过程,虽然慢点,但操作非常自动化,还能自动处理SEH.....不知道对一些加密壳会怎么样,比对STOLEN CODE的处理....建议增加几个快捷键功能和代码右击复制功能等,期待完善。。。
2005-12-5 21:35
0
kanxue
雪    币: 47147
活跃值: (20450)
能力值: (RANK:350 )
在线值:
发帖
回帖
粉丝
私信
61
最初由 Kernel64 发布
对话框里想支持F8单步似乎很麻烦,还没找到有效办法.


Kernel64 和 Liutaotao是邻居吧?呵~苏州很多牛人

希望你能将这工具完善下去,能像ImportREC、Ollydbg一样改变脱壳的发展史。
2005-12-5 21:43
0
Kernel64
雪    币: 224
活跃值: (50)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
62
难得坛主来捧场~

我和LiuTaoTao现在在一起,一个公司里,我们也是老搭档了~

这个工具会不断完善下去的,希望能够给沉闷的逆向工程界带来一屡
春风...

希望能够在大家的支持和鼓励下实现这个小小愿望...
2005-12-5 22:07
0
快雪时晴
雪    币: 370
活跃值: (15)
能力值: ( LV9,RANK:170 )
在线值:
发帖
回帖
粉丝
私信
63
对于未加壳的自带记事本,怎么在OEP处停不下来,直接就飞了?
2005-12-5 23:01
0
Kernel64
雪    币: 224
活跃值: (50)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
64
没加壳的程序无法找到OEP的,RORDbg目前还没判断一个程序是否加了
壳,跑过64条指令后开始寻找OEP,而这时OEP早就过了,因此就不可能
断下来了.
2005-12-6 08:52
0
mejy
雪    币: 239
活跃值: (220)
能力值: ( LV8,RANK:130 )
在线值:
发帖
回帖
粉丝
私信
65
最初由 dingshan 发布

特别是mydaj居然是个mm

!哈哈~~晕下
呼唤源码,呵呵
2005-12-6 09:06
0
heroin
雪    币: 200
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
66
多谢,如此强贴,留名一个。
2005-12-7 12:35
0
q3 watcher
雪    币: 215
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
67
应该放到工具版,作成长期设顶.
2005-12-7 19:22
0
快雪时晴
雪    币: 370
活跃值: (15)
能力值: ( LV9,RANK:170 )
在线值:
发帖
回帖
粉丝
私信
68
最初由 Kernel64 发布
没加壳的程序无法找到OEP的,RORDbg目前还没判断一个程序是否加了
壳,跑过64条指令后开始寻找OEP,而这时OEP早就过了,因此就不可能
断下来了.


原来如此。
严重支持不断升级完善,V0.16已下载试用
2005-12-7 20:18
0
快雪时晴
雪    币: 370
活跃值: (15)
能力值: ( LV9,RANK:170 )
在线值:
发帖
回帖
粉丝
私信
69
V0.16像对
UPX 0.89.6 - 1.02 / 1.05 - 1.24 (Delphi) stub -> Markus & Laszlo 壳也停不下来,直接飞起来了

为什么要“跑过64条指令后开始寻找OEP”?

我又试了一个
ASPack 2.12 -> Alexey Solodovnikov 也飞了(可我前面发帖的一个同样壳的另一个程序却正常识别并暂停)

我又试上次成功脱壳的例子,今天却飞了,奇怪!!!!
2005-12-8 01:26
0
快雪时晴
雪    币: 370
活跃值: (15)
能力值: ( LV9,RANK:170 )
在线值:
发帖
回帖
粉丝
私信
70
怪了,0.15-0.17三个版本我全试了,
对所有程序不管有壳无壳全部加载就飞起来了,执行指令数=0

我前天还成功脱壳的,今天也不行了,

跟我机器有关?我机器没改东西呀?
难道是RORDBG有试用期限但没说??

补充:我又试了,只有自带的sample.exe打开后能停住
2005-12-8 01:47
0
china
雪    币: 3688
活跃值: (4242)
能力值: (RANK:215 )
在线值:
发帖
回帖
粉丝
私信
71
http://bbs.pediy.com/upload/2005/10/files/antidebugdemo.rar

我用了makepe不能脱出文件来,同样本论坛出现的EXE Guarder都能正确到达OEP,但是使用makepe或者makepe oep后都不能脱出文件来,0.16和0.17都如此,为什么?
2005-12-8 09:33
0
快雪时晴
雪    币: 370
活跃值: (15)
能力值: ( LV9,RANK:170 )
在线值:
发帖
回帖
粉丝
私信
72
引用:
    工具包中提供一个脱壳例子文件(脱壳方法:启动RORDbg(名字为Explorer.exe),加载Sample.exe,GO!...在OEP处停止后,用makepe命令即可)

我的测试:
Eip==004050D1
GetLastError:::77E68265
hying's PEArmor V0.7X -> hying
004050D1 60                  PUSHAD
004050D2 E800000000          CALL 004050D7
004050D7 5D                  POP EBP
004050D8 81EDD7000000        SUB EBP,D7
004050DE 8DB5EE000000        LEA ESI,DWORD PTR [EBP+0EEh]
004050E4 55                  PUSH EBP
004050E5 56                  PUSH ESI
004050E6 81C5FC010000        ADD EBP,1FC
004050EC 55                  PUSH EBP
004050ED C3                  RET
004051FC 81C574B31770        ADD EBP,7017B374
00405202 8D8E1C838E66        LEA ECX,DWORD PTR [ESI+0668E831Ch]
00405208 81CAD0470818        OR EDX,180847D0
0040520E BBA4AD1B0F          MOV EBX,F1BADA4
00405213 8D8E0367682A        LEA ECX,DWORD PTR [ESI+02A686703h]
00405219 EB03                JMP 0040521E
0040521E 8D852A672F42        LEA EAX,DWORD PTR [EBP+0422F672Ah]
00405224 8B3C24              MOV EDI,DWORD PTR [ESP]
00405227 BD876F641D          MOV EBP,1D646F87
0040522C 8D85E7489A12        LEA EAX,DWORD PTR [EBP+0129A48E7h]
00405232 8D854924BC09        LEA EAX,DWORD PTR [EBP+09BC2449h]
00405238 81EB05B8B42E        SUB EBX,2EB4B805
0040523E 810725AAB33C        ADD DWORD PTR [EDI],3CB3AA25
00405244 81D1D12C0319        ADC ECX,19032CD1
0040524A 51                  PUSH ECX
0040524B 59                  POP ECX
0040524C BE942CC55C          MOV ESI,5CC52C94
00405251 F7C27C2EC44A        TEST EDX,4AC42E7C
00405257 8D340A              LEA ESI,DWORD PTR [EDX+ECX]
0040525A 81CED258EC74        OR ESI,74EC58D2
00405260 81D17A6C2F1C        ADC ECX,1C2F6C7A
00405266 83EFFC              SUB EDI,FC
00405269 81EB54773B1E        SUB EBX,1E3B7754
0040526F EB03                JMP 00405274
00405274 BA974AF238          MOV EDX,38F24A97
00405279 EB03                JMP 0040527E
0040527E 8D8EBA5EA679        LEA ECX,DWORD PTR [ESI+079A65EBAh]
00405284 51                  PUSH ECX
00405285 59                  POP ECX
00405286 8137E368B533        XOR DWORD PTR [EDI],33B568E3
0040528C 8D8EC5E98F61        LEA ECX,DWORD PTR [ESI+0618FE9C5h]
00405292 F7C24C856D3F        TEST EDX,3F6D854C
00405298 B8332BE86E          MOV EAX,6EE82B33
0040529D 2517C9436D          AND EAX,6D43C917
004052A2 B80F43203E          MOV EAX,3E20430F
004052A7 83C706              ADD EDI,6
004052AA 4F                  DEC EDI
004052AB 4F                  DEC EDI
004052AC F717                NOT DWORD PTR [EDI]
004052AE 8D9FE51EFE22        LEA EBX,DWORD PTR [EDI+022FE1EE5h]
004052B4 F7C26B4BEF09        TEST EDX,9EF4B6B
004052BA 45                  INC EBP
004052BB 3BC1                CMP EAX,ECX
004052BD B873913E5E          MOV EAX,5E3E9173
004052C2 81D150A7DB14        ADC ECX,14DBA750
004052C8 EB03                JMP 004052CD
004052CD 83C704              ADD EDI,4
004052D0 81CE6B9E9E3E        OR ESI,3E9E9E6B
004052D6 E802000000          CALL 004052DD
004052DD 5E                  POP ESI
004052DE F717                NOT DWORD PTR [EDI]
004052E0 81C513C0933B        ADD EBP,3B93C013
004052E6 BA2427C239          MOV EDX,39C22724
003477CB ***API: KERNEL32.DLL!GetModuleHandleA
003477CB ***API: KERNEL32.DLL!GetProcAddress
003477CB ***API: KERNEL32.DLL!VirtualAlloc
发生异常!
FS:[0]==0012FF94
异常处理程序地址:01A70031
这个异常被成功捕获!
异常处理代码结束!
发生异常!
FS:[0]==0012FF94
异常处理程序地址:01A70076
这个异常被成功捕获!
异常处理代码结束!
....
发生异常!
FS:[0]==0012FF94
异常处理程序地址:01A73789
这个异常被成功捕获!
异常处理代码结束!
发生异常!
FS:[0]==0012FF94
异常处理程序地址:01A738AA
这个异常被成功捕获!
异常处理代码结束!
003477CE ***API: KERNEL32.DLL!GetModuleHandleA
003477CE ***API: KERNEL32.DLL!VirtualAlloc
.......
.......
发生异常!
FS:[0]==0012FF9C
异常处理程序地址:01A73D68
这个异常被成功捕获!
异常处理代码结束!
01A75AB2 668B06              MOV AX,WORD PTR [ESI]
Read API Address:77E80B1A GetModuleHandleA
01A80008 API: 77E80B1D Maybe KERNEL32.DLL!GetModuleHandleA
01A75CA7 AC                  LODSB AL,BYTE PTR DS:[ESI]
Read API Address:77E7E8AB VirtualFree
01A75CA7 AC                  LODSB AL,BYTE PTR DS:[ESI]
Read API Address:77E7C1F7 CreateFileA
01A75CA7 AC                  LODSB AL,BYTE PTR DS:[ESI]
Read API Address:77E76BDE GetFileSize
01A75CA7 AC                  LODSB AL,BYTE PTR DS:[ESI]
Read API Address:77E869BE ExitProcess
01A75CA7 AC                  LODSB AL,BYTE PTR DS:[ESI]
Read API Address:77E7F0AA lstrcmp
01A75CA7 AC                  LODSB AL,BYTE PTR DS:[ESI]
Read API Address:77E80D1D GetVersion
01A75CA7 AC                  LODSB AL,BYTE PTR DS:[ESI]
Read API Address:77E80B1A GetModuleHandleA
01A75CA7 AC                  LODSB AL,BYTE PTR DS:[ESI]
Read API Address:77E80A5C GetModuleFileNameA
01A75CA7 AC                  LODSB AL,BYTE PTR DS:[ESI]
Read API Address:77E6B57B GetCurrentThread
01A75CA7 AC                  LODSB AL,BYTE PTR DS:[ESI]
Read API Address:77E8B8F7 SetThreadPriority
01A75CA7 AC                  LODSB AL,BYTE PTR DS:[ESI]
Read API Address:77E87909 GetCurrentProcess
01A75CA7 AC                  LODSB AL,BYTE PTR DS:[ESI]
Read API Address:77E8790D GetCurrentProcessId
01A75CA7 AC                  LODSB AL,BYTE PTR DS:[ESI]
Read API Address:77E86E3F GetCommandLineA
01A75CA7 AC                  LODSB AL,BYTE PTR DS:[ESI]
Read API Address:77E80F5D FindResourceA
01A75CA7 AC                  LODSB AL,BYTE PTR DS:[ESI]
Read API Address:77E81104 LoadResource
01A75CA7 AC                  LODSB AL,BYTE PTR DS:[ESI]
Read API Address:77E76ED6 CreateFileMappingA
01A75CA7 AC                  LODSB AL,BYTE PTR DS:[ESI]
Read API Address:77E771A8 MapViewOfFile
01A75CA7 AC                  LODSB AL,BYTE PTR DS:[ESI]
Read API Address:77E77279 UnmapViewOfFile
01A75CA7 AC                  LODSB AL,BYTE PTR DS:[ESI]
Read API Address:77E67E6D CloseHandle
01A75CA7 AC                  LODSB AL,BYTE PTR DS:[ESI]
Read API Address:77E8790D GetCurrentProcessId
01A75CA7 AC                  LODSB AL,BYTE PTR DS:[ESI]
Read API Address:77E8B80A CreateThread
01A75CA7 AC                  LODSB AL,BYTE PTR DS:[ESI]
Read API Address:77E8B8F7 SetThreadPriority
01A75CA7 AC                  LODSB AL,BYTE PTR DS:[ESI]
Read API Address:77E8BAE7 TerminateThread
01A75CA7 AC                  LODSB AL,BYTE PTR DS:[ESI]
Read API Address:77E6B3CC WaitForSingleObject
01A75CA7 AC                  LODSB AL,BYTE PTR DS:[ESI]
Read API Address:77E69723 SetEvent
01A75CA7 AC                  LODSB AL,BYTE PTR DS:[ESI]
Read API Address:77E69705 ResetEvent
01A75CA7 AC                  LODSB AL,BYTE PTR DS:[ESI]
Read API Address:77E7E9A2 VirtualProtect
01A75CA7 AC                  LODSB AL,BYTE PTR DS:[ESI]
Read API Address:77E68252 SetLastError
01A75CA7 AC                  LODSB AL,BYTE PTR DS:[ESI]
Read API Address:77E87917 ReadProcessMemory
01A75AB2 668B06              MOV AX,WORD PTR [ESI]
Read API Address:77E80B1A GetModuleHandleA
01A80008 API: 77E80B1D Maybe KERNEL32.DLL!GetModuleHandleA
01A75CA7 AC                  LODSB AL,BYTE PTR DS:[ESI]
Read API Address:77E133DA wsprintfA
01A75CA7 AC                  LODSB AL,BYTE PTR DS:[ESI]
Read API Address:77DF3D81 MessageBoxA
01A75CA7 AC                  LODSB AL,BYTE PTR DS:[ESI]
Read API Address:77E067C5 GetWindowTextA
01A75CA7 AC                  LODSB AL,BYTE PTR DS:[ESI]
Read API Address:77E093AB EnumWindows
01A75CA7 AC                  LODSB AL,BYTE PTR DS:[ESI]
Read API Address:77E37ECA DialogBoxIndirectParamA
01A75CA7 AC                  LODSB AL,BYTE PTR DS:[ESI]
Read API Address:77E06FDA CreateDialogIndirectParamA
01A75CA7 AC                  LODSB AL,BYTE PTR DS:[ESI]
Read API Address:77E07BCC SendMessageA
01A75AB2 668B06              MOV AX,WORD PTR [ESI]
Read API Address:77E80B1A GetModuleHandleA
01A80008 API: 77E80B1D Maybe KERNEL32.DLL!GetModuleHandleA
01A75AB2 668B06              MOV AX,WORD PTR [ESI]
Read API Address:77E6B57B GetCurrentThread
01A80007 API: 77E6B57D Maybe KERNEL32.DLL!GetCurrentThread
01A75AB2 668B06              MOV AX,WORD PTR [ESI]
Read API Address:77E8B8F7 SetThreadPriority
01A80008 API: 77E8B8FA Maybe KERNEL32.DLL!SetThreadPriority
01A75AB2 668B06              MOV AX,WORD PTR [ESI]
Read API Address:77E7C1F7 CreateFileA
01A80008 API: 77E7C1FA Maybe KERNEL32.DLL!CreateFileA
01A75AB2 668B06              MOV AX,WORD PTR [ESI]
Read API Address:77E7C1F7 CreateFileA
01A80008 API: 77E7C1FA Maybe KERNEL32.DLL!CreateFileA
01A75AB2 668B06              MOV AX,WORD PTR [ESI]
Read API Address:77E7C1F7 CreateFileA
01A80008 API: 77E7C1FA Maybe KERNEL32.DLL!CreateFileA
01A75AB2 668B06              MOV AX,WORD PTR [ESI]
Read API Address:77E7C1F7 CreateFileA
01A80008 API: 77E7C1FA Maybe KERNEL32.DLL!CreateFileA
01A75AB2 668B06              MOV AX,WORD PTR [ESI]
Read API Address:77E7C1F7 CreateFileA
01A80008 API: 77E7C1FA Maybe KERNEL32.DLL!CreateFileA
01A75AB2 668B06              MOV AX,WORD PTR [ESI]
Read API Address:77E7C1F7 CreateFileA
01A80008 API: 77E7C1FA Maybe KERNEL32.DLL!CreateFileA
01A75AB2 668B06              MOV AX,WORD PTR [ESI]
Read API Address:77E7C1F7 CreateFileA
01A80008 API: 77E7C1FA Maybe KERNEL32.DLL!CreateFileA
01A75AB2 668B06              MOV AX,WORD PTR [ESI]
Read API Address:77E7C1F7 CreateFileA
01A80008 API: 77E7C1FA Maybe KERNEL32.DLL!CreateFileA
01A75AB2 668B06              MOV AX,WORD PTR [ESI]
Read API Address:77E7C1F7 CreateFileA
01A80008 API: 77E7C1FA Maybe KERNEL32.DLL!CreateFileA
01A75AB2 668B06              MOV AX,WORD PTR [ESI]
Read API Address:77E80B1A GetModuleHandleA
01A80008 API: 77E80B1D Maybe KERNEL32.DLL!GetModuleHandleA
01A75AB2 668B06              MOV AX,WORD PTR [ESI]
Read API Address:77E6B57B GetCurrentThread
01A80007 API: 77E6B57D Maybe KERNEL32.DLL!GetCurrentThread
01A75AB2 668B06              MOV AX,WORD PTR [ESI]
Read API Address:77F88CDC NtSetInformationThread
01A80005 ***API: NTDLL.DLL!NtSetInformationThread
01A75AB2 668B06              MOV AX,WORD PTR [ESI]
Read API Address:77E7E891 VirtualAlloc
01A80008 API: 77E7E894 Maybe KERNEL32.DLL!VirtualAlloc
01A75AB2 668B06              MOV AX,WORD PTR [ESI]
Read API Address:77E7E8AB VirtualFree
01A80008 API: 77E7E8AE Maybe KERNEL32.DLL!VirtualFree
01A75AB2 668B06              MOV AX,WORD PTR [ESI]
Read API Address:77E7E891 VirtualAlloc
01A80008 API: 77E7E894 Maybe KERNEL32.DLL!VirtualAlloc
01A75AB2 668B06              MOV AX,WORD PTR [ESI]
Read API Address:77E7E8AB VirtualFree
01A80008 API: 77E7E8AE Maybe KERNEL32.DLL!VirtualFree
003477CE ***API: KERNEL32.DLL!VirtualAlloc
01A75AB2 668B06              MOV AX,WORD PTR [ESI]
Read API Address:77E80B1A GetModuleHandleA
01A80008 API: 77E80B1D Maybe KERNEL32.DLL!GetModuleHandleA
01A75AB2 668B06              MOV AX,WORD PTR [ESI]
Read API Address:77E80B1A GetModuleHandleA
01A80008 API: 77E80B1D Maybe KERNEL32.DLL!GetModuleHandleA
01A75AB2 668B06              MOV AX,WORD PTR [ESI]
Read API Address:77E80B1A GetModuleHandleA
01A80008 API: 77E80B1D Maybe KERNEL32.DLL!GetModuleHandleA
01A75AB2 668B06              MOV AX,WORD PTR [ESI]
Read API Address:77E80B1A GetModuleHandleA
01A80008 API: 77E80B1D Maybe KERNEL32.DLL!GetModuleHandleA
01A75AB2 668B06              MOV AX,WORD PTR [ESI]
Read API Address:77E80B1A GetModuleHandleA
01A80008 API: 77E80B1D Maybe KERNEL32.DLL!GetModuleHandleA
01A75AB2 668B06              MOV AX,WORD PTR [ESI]
Read API Address:77E87909 GetCurrentProcess
01A80005 ***API: KERNEL32.DLL!GetCurrentProcess
01A75358 ***API: NTDLL.DLL!NtQueryInformationProcess
发生异常!
FilterCC==78007700
异常处理程序地址:81068B08

到这里就死翘翘了
2005-12-8 12:21
0
快雪时晴
雪    币: 370
活跃值: (15)
能力值: ( LV9,RANK:170 )
在线值:
发帖
回帖
粉丝
私信
73
最初由 china 发布
http://bbs.pediy.com/upload/2005/10/files/antidebugdemo.rar

我用了makepe不能脱出文件来,同样本论坛出现的EXE Guarder都能正确到达OEP,但是使用makepe或者makepe oep后都不能脱出文件来,0.16和0.17都如此,为什么?


我试了antidebugdemo.exe,可以脱壳,但运行出错,是不是还要修复,如何修复?

可能到OEP了,如果不完全正确,请再单步走几下!
00411559 E9A26CFFFF          JMP 00408200
Disasmble start address 00411559:
00411559 E9A26CFFFF          JMP 00408200
0041155E 8BB521FDFFFF        MOV ESI,DWORD PTR [EBP-02DFh]
00411564 0BF6                OR ESI,ESI
00411566 0F8497000000        JZ 00411603
0041156C 8B9529FDFFFF        MOV EDX,DWORD PTR [EBP-02D7h]
00411572 03F2                ADD ESI,EDX
00411574 833E00              CMP DWORD PTR [ESI],0
00411577 750E                JNZ 00411587
00411579 837E0400            CMP DWORD PTR [ESI+04h],0
0041157D 7508                JNZ 00411587
0041157F 837E0800            CMP DWORD PTR [ESI+08h],0
00411583 7502                JNZ 00411587
00411585 EB7A                JMP 00411601
00411587 8B5E08              MOV EBX,DWORD PTR [ESI+08h]
0041158A 03DA                ADD EBX,EDX
0041158C 53                  PUSH EBX
0041158D 52                  PUSH EDX
0041158E 56                  PUSH ESI
0041158F 8DBDBDFEFFFF        LEA EDI,DWORD PTR [EBP-0143h]
00411595 037E04              ADD EDI,DWORD PTR [ESI+04h]
End disasm command.
可能到OEP了,如果不完全正确,请再单步走几下!
00408200 55                  PUSH EBP
Disasmble start address 00408200:
00408200 55                  PUSH EBP
00408201 8BEC                MOV EBP,ESP
00408203 83C4F0              ADD ESP,F0
00408206 53                  PUSH EBX
00408207 56                  PUSH ESI
00408208 57                  PUSH EDI
00408209 B8B0814000          MOV EAX,4081B0
0040820E E899C2FFFF          CALL 004044AC
00408213 BEECA74000          MOV ESI,40A7EC
00408218 BFB8A74000          MOV EDI,40A7B8
0040821D 8B1D60A64000        MOV EBX,DWORD PTR [+040A660h]
00408223 C707C0000000        MOV DWORD PTR [EDI],C0
00408229 C74704CC804000      MOV DWORD PTR [EDI+04h],4080CC
00408230 895F10              MOV DWORD PTR [EDI+010h],EBX
00408233 C7471C10000000      MOV DWORD PTR [EDI+01Ch],10
0040823A B8BC834000          MOV EAX,4083BC
0040823F 894724              MOV DWORD PTR [EDI+024h],EAX
00408242 68007F0000          PUSH 7F00
00408247 6A00                PUSH 0
00408249 E8CAC3FFFF          CALL 00404618
End disasm command.
00C977CD ***API: KERNEL32.DLL!GetModuleHandleA
004043E8 FF256CB14000        JMP DWORD PTR [+040B16Ch]
Make PE now
Start:77F80000 End:77FFC000
Start:77E60000 End:77F32000
Start:77DF0000 End:77E59000
Start:77F40000 End:77F7C000
Start:796D0000 End:79735000
Start:786F0000 End:78768000
Start:77990000 End:77A2B000
Start:7CF00000 End:7CFEF000
Start:75E00000 End:75E1A000
Start:6C330000 End:6C338000
Start:65D20000 End:65D74000
Start:10000000 End:100A2000
Start:78000000 End:78045000
Start:6BC40000 End:6BD3B000
Start:6BC20000 End:6BC2D000
Start:777E0000 End:777E7000
Start:75950000 End:75956000
Start:78F90000 End:791D5000
Start:772A0000 End:77306000
Start:71710000 End:71794000
Start:74FB0000 End:74FC4000
Start:74FA0000 End:74FA8000
HODULE=00400040
nSec=3
VirtualSize RVA PhysicalSize PhysicalOffset
p=00400138
   10000     1000        0        0
p=00400160
    5000    11000     4d46      200
p=00400188
    1092    16000        0        0
pStart=0040B0B4
pEnd=0040B1FC
     85f    18000      85f    18000
218 -> 1000
write object at 401000 len 10000
Writing 401000 len 10000
11000 -> 11000
write object at 411000 len 5000
Writing 411000 len 5000
16000 -> 16000
write object at 416000 len 1092
Writing 416000 len 1092
17092 -> 18000
Writing 19b1018 len 85f
文件已保存到:G:\TMP\RORDbg0.17[外壳分析工具demo版本]\ROR_Unpacked.exe
被调试程序已经终止
2005-12-8 12:34
0
Kernel64
雪    币: 224
活跃值: (50)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
74
我测试了,发现antidebugdemo.exe这个程序的IAT没有正确修复
2005-12-8 18:57
0
Pr0Zel
雪    币: 288
活跃值: (415)
能力值: ( LV9,RANK:290 )
在线值:
发帖
回帖
粉丝
私信
75
分析一个UPX程序...
好像快要死机的样子...
建议用多线程来编写,
把经常执行的代码用新线程来执行,
而且把该线程的优先级降低
2005-12-8 21:18
0
游客
登录 | 注册 方可回帖
回帖 表情 雪币赚取及消费
高级回复
返回
//