RORDbg使用事项-加壳脱壳-看雪-安全社区|安全招聘|kanxue.com

最新回复 (71) ◀ 1 2 3
Kernel64 雪币： 224 活跃值： (50) 能力值： ( LV2，RANK：10 ) 在线值：发帖 5 回帖 127 粉丝 0 关注私信	Kernel64 51 楼最初由快雪时晴发布用0.19版本试了，结果还是一样，我发上来你看看。附件:jhzj.rar 附件:jhzj.rar 已脱: 附件:ror_unpacked.rar 附件:ror_unpacked.rar 2005-12-10 00:50 0
playx 雪币： 146 活跃值： (72) 能力值： ( LV4，RANK：50 ) 在线值：发帖 25 回帖 445 粉丝 0 关注私信	playx 1 52 楼最初由 china 发布用0.19脱了notepad_2，但是运行出错，好像没修复成功。 Eip==01001000 未知壳 01001000 B82CBC0101 MOV EAX,101BC2C 01001005 50 PUSH EAX 01001006 64FF3500000000 PUSH DWORD PTR FS:[0] 0100100D 64892500000000 MOV DWORD PTR FS:[0],ESP 01001014 33C0 XOR EAX,EAX 01001016 8908 MOV DWORD PTR [EAX],ECX 发生异常! FS:[0]==0006FFBC 异常处理程序地址：0101BC2C 这个异常被成功捕获! 0101BC2C B823AA01F1 MOV EAX,F101AA23 0101BC31 8D882C120010 LEA ECX,DWORD PTR [EAX+01000122Ch] 0101BC37 894101 MOV DWORD PTR [ECX+01h],EAX 0101BC3A 8B542404 MOV EDX,DWORD PTR [ESP+04h] 0101BC3E 8B520C MOV EDX,DWORD PTR [EDX+0Ch] 0101BC41 C602E9 MOV BYTE PTR [EDX],E9 0101BC44 83C205 ADD EDX,5 0101BC47 2BCA SUB ECX,EDX 0101BC49 894AFC MOV DWORD PTR [EDX-04h],ECX 0101BC4C 33C0 XOR EAX,EAX 0101BC4E C3 RET 异常处理代码结束! 01001016 E934AC0100 JMP 0101BC4F 0101BC4F B823AA01F1 MOV EAX,F101AA23 0101BC54 648F0500000000 POP DWORD PTR FS:[0] 0101BC5B 83C404 ADD ESP,4 0101BC5E 55 PUSH EBP 0101BC5F 53 PUSH EBX 0101BC60 51 PUSH ECX 0101BC61 57 PUSH EDI 0101BC62 56 PUSH ESI 0101BC63 52 PUSH EDX 0101BC64 8D98E5110010 LEA EBX,DWORD PTR [EAX+0100011E5h] 0101BC6A 8B5318 MOV EDX,DWORD PTR [EBX+018h] 0101BC6D 52 PUSH EDX 0101BC6E 8BE8 MOV EBP,EAX 0101BC70 6A40 PUSH 40 0101BC72 6800100000 PUSH 1000 0101BC77 FF7304 PUSH DWORD PTR [EBX+04h] 0101BC7A 6A00 PUSH 0 0101BC7C 8B4B10 MOV ECX,DWORD PTR [EBX+010h] 0101BC7F 03CA ADD ECX,EDX 0101BC81 8B01 MOV EAX,DWORD PTR [ECX] 0101BC83 FFD0 CALL EAX 0101BC83 *API: KERNEL32.DLL!VirtualAlloc 0101BC83 FFD0 CALL EAX 0101BC83 API: KERNEL32.DLL!VirtualAlloc 0101BC85 5A POP EDX 0101BC86 8BF8 MOV EDI,EAX 0101BC88 50 PUSH EAX 0101BC89 52 PUSH EDX 0101BC8A 8B33 MOV ESI,DWORD PTR [EBX] 0101BC8C 8B4320 MOV EAX,DWORD PTR [EBX+020h] 0101BC8F 03C2 ADD EAX,EDX 0101BC91 8B08 MOV ECX,DWORD PTR [EAX] 0101BC93 894B20 MOV DWORD PTR [EBX+020h],ECX 0101BC96 8B431C MOV EAX,DWORD PTR [EBX+01Ch] 0101BC99 03C2 ADD EAX,EDX 0101BC9B 8B08 MOV ECX,DWORD PTR [EAX] 0101BC9D 894B1C MOV DWORD PTR [EBX+01Ch],ECX 0101BCA0 03F2 ADD ESI,EDX 0101BCA2 8B4B0C MOV ECX,DWORD PTR [EBX+0Ch] 0101BCA5 03CA ADD ECX,EDX 0101BCA7 8D431C LEA EAX,DWORD PTR [EBX+01Ch] 0101BCAA 50 PUSH EAX 0101BCAB 57 PUSH EDI 0101BCAC 56 PUSH ESI 0101BCAD FFD1 CALL ECX 0101BB5D 60 PUSHAD 0101BB5E 8B742424 MOV ESI,DWORD PTR [ESP+024h] 002C79CA API: KERNEL32.DLL!LoadLibraryA 00F509CB FF939E1D0010 CALL DWORD PTR [EBX+010001D9Eh] 002C79CA API: KERNEL32.DLL!LoadLibraryA 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!LoadLibraryA 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!VirtualAlloc 002C79C6 API: KERNEL32.DLL!LoadLibraryA 002C79C7 API: KERNEL32.DLL!GetProcAddress 002C79C7 API: KERNEL32.DLL!GetProcAddress 00F5007E API: KERNEL32.DLL!VirtualAlloc 00F500BE API: KERNEL32.DLL!VirtualFree 00F50FA0 API: KERNEL32.DLL!GetModuleHandleA 002C79CA API: KERNEL32.DLL!LoadLibraryA 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 00F50FA0 API: KERNEL32.DLL!GetModuleHandleA 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 00F50FA0 API: KERNEL32.DLL!GetModuleHandleA 002C79CA API: KERNEL32.DLL!LoadLibraryA 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 00F50FA0 API: KERNEL32.DLL!GetModuleHandleA 002C79CA API: KERNEL32.DLL!GetProcAddress 00F50FA0 API: KERNEL32.DLL!GetModuleHandleA 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 00F50FA0 API: KERNEL32.DLL!GetModuleHandleA 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 00F50FA0 API: KERNEL32.DLL!GetModuleHandleA 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 00F50FA0 API: KERNEL32.DLL!GetModuleHandleA 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 00F50FA0 API: KERNEL32.DLL!GetModuleHandleA 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!GetProcAddress 002C79CA API: KERNEL32.DLL!VirtualProtect 002C79CA API: KERNEL32.DLL!VirtualProtect 002C79CA API: KERNEL32.DLL!VirtualProtect 002C79CA API: KERNEL32.DLL!VirtualProtect 002C79CA API: KERNEL32.DLL!VirtualProtect 002C79CA *API: KERNEL32.DLL!VirtualFree 可能到OEP了，如果不完全正确，请再单步走几下！ 0101BCEE FFE0 JMP EAX 可能到OEP了，如果不完全正确，请再单步走几下！ 0100739D 6A70 PUSH 70 Command: makepe Make PE now Start:7C920000 End:7C9B4000 Start:7C800000 End:7C91C000 Start:10000000 End:100A2000 Start:77BE0000 End:77C38000 Start:73D30000 End:73E2E000 Start:77EF0000 End:77F37000 Start:77D10000 End:77D9F000 Start:76300000 End:7631D000 Start:77DA0000 End:77E49000 Start:77E50000 End:77EE1000 Start:62C20000 End:62C29000 Start:73FA0000 End:7400B000 Start:61BE0000 End:61BED000 Start:77BD0000 End:77BD8000 Start:7D590000 End:7DD82000 Start:77F40000 End:77FB6000 Start:77180000 End:77282000 Start:770F0000 End:7717C000 Start:76990000 End:76ACD000 Start:71A20000 End:71A37000 Start:71A10000 End:71A18000 Start:76320000 End:76367000 Start:72F70000 End:72F96000 HODULE=010000E0 nSec=2 VirtualSize RVA PhysicalSize PhysicalOffset p=010001D8 13000 1000 4200 400 p=01000200 8000 14000 7e00 4600 pStart=01001000 pEnd=01001344 1431 1c000 1431 1c000 1f0 -> 1000 write object at 1001000 len 13000 Writing 1001000 len 13000 14000 -> 14000 write object at 1014000 len 8000 Writing 1014000 len 8000 1c000 -> 1c000 Writing 2c9e40 len 1431 文件已保存到：C:\Documents and Settings\xxx\桌面\壳\notepad.rar_631\ROR_Unpacked.exe 被调试程序已经终止脱出来的程序运行正常～ 2005-12-10 00:57 0
快雪时晴雪币： 370 活跃值： (15) 能力值： ( LV9，RANK：170 ) 在线值：发帖 34 回帖 2272 粉丝 1 关注私信	快雪时晴 4 53 楼为什么要跑过64条/字节指令后才开始寻找OEP，我发现不少程序都会飞走，在入口处停不下来。比如NSPACK3.4 另外：不知道NsPack V3.4.CracKed.exe是不是保护功能（完全压缩壳？）较原版弱了，我对某程序加了壳，虽然PEID093没识别，但竟然用OD F8几下(不要回头往前跳)就来到OEP，ODDUMP后运行增正常。 004E279B 61 popad 004E279C 9D popfd 004E279D - E9 56D7FDFF jmp accesspa.004BFEF8 <---jump to OEP 跳到OEP后，OD并没显示出代码来，点“分析”也无效，不过不影响执行和脱壳。 2005-12-10 01:44 0
playx 雪币： 146 活跃值： (72) 能力值： ( LV4，RANK：50 ) 在线值：发帖 25 回帖 445 粉丝 0 关注私信	playx 1 54 楼快雪时晴帮一下啦。呵呵。 2005-12-10 02:01 0
快雪时晴雪币： 370 活跃值： (15) 能力值： ( LV9，RANK：170 ) 在线值：发帖 34 回帖 2272 粉丝 1 关注私信	快雪时晴 4 55 楼最初由 playx 发布快雪时晴帮一下啦。呵呵。也许发帖不够，没权限吧 2005-12-10 02:08 0
playx 雪币： 146 活跃值： (72) 能力值： ( LV4，RANK：50 ) 在线值：发帖 25 回帖 445 粉丝 0 关注私信	playx 1 56 楼最初由快雪时晴发布也许发帖不够，没权限吧呵呵，也许吧。看来要加油了。对了，你刚才放上去的那个东东我的瑞星杀了很长时间啊，3分43秒！！修改后的壳够强的啊 2005-12-10 02:29 0
Kernel64 雪币： 224 活跃值： (50) 能力值： ( LV2，RANK：10 ) 在线值：发帖 5 回帖 127 粉丝 0 关注私信	Kernel64 57 楼最初由快雪时晴发布为什么要跑过64条/字节指令后才开始寻找OEP，我发现不少程序都会飞走，在入口处停不下来。比如NSPACK3.4 ........ 如果有壳的话,前64条指令内不可能到真正的OEP的,哪个壳的代码也不会傻到少于64条指令的,而由于代码刚载入时的环境就是我要判断的OEP的环境,我想避开,避免刚开始运行就错误地提示说“OEP找到了”，因此，我让代码先跑过 64条，再判别OEP，不知道你明白否？ 2005-12-10 18:16 0
快雪时晴雪币： 370 活跃值： (15) 能力值： ( LV9，RANK：170 ) 在线值：发帖 34 回帖 2272 粉丝 1 关注私信	快雪时晴 4 58 楼最初由 Kernel64 发布如果有壳的话,前64条指令内不可能到真正的OEP的,哪个壳的代码也不会傻到少于64条指令的,而由于代码刚载入时的环境就是我要判断的OEP的环境,我想避开,避免刚开始运行就错误地提示说“OEP找到了”，因此，我让代码先跑过 ........ 明白是明白了,可程序加载就跑飞的问题怎么解决?这时执行指令数=0 能不能一开始强制停在入口处 2005-12-10 18:26 0
快雪时晴雪币： 370 活跃值： (15) 能力值： ( LV9，RANK：170 ) 在线值：发帖 34 回帖 2272 粉丝 1 关注私信	快雪时晴 4 59 楼最初由 Kernel64 发布已脱: 附件:ror_unpacked.rar 附件:ror_unpacked.rar 会不会与操作系统有关呢？我WIN2K+SP4 就是不成功，用v0.20试了，可以正常脱壳，但运行失败。提示程序初始化时失败0x00000005 2005-12-10 18:43 0
okdodo 雪币： 233 活跃值： (10) 能力值： ( LV6，RANK：90 ) 在线值：发帖 12 回帖 396 粉丝 1 关注私信	okdodo 2 60 楼能否share一下 2005-12-10 19:04 0
Kernel64 雪币： 224 活跃值： (50) 能力值： ( LV2，RANK：10 ) 在线值：发帖 5 回帖 127 粉丝 0 关注私信	Kernel64 61 楼最初由 okdodo 发布能否share一下 http://bbs.pediy.com/showthread.php?s=&threadid=18994 2005-12-10 19:21 0
xiaoboy 雪币： 224 活跃值： (75) 能力值： ( LV6，RANK：90 ) 在线值：发帖 22 回帖 300 粉丝 0 关注私信	xiaoboy 2 62 楼有个小问题我试着跑一个UPX加壳的程序,到了 oep 输入MAKEPE 之后到Start:77D10000 End:77D9D000 Start:77180000 End:77290000 Start:770F0000 End:7717B000 Start:77BE0000 End:77C33000 Start:77BD0000 End:77BD7000 Start:76300000 End:7631A000 Start:62C20000 End:62C28000 Start:72F10000 End:72F6A000 Start:10000000 End:100A2000 Start:73D30000 End:73E22000 Start:61BE0000 End:61BED000 Start:773A0000 End:77B94000 Start:772A0000 End:77303000 Start:71950000 End:71A34000 Start:01420000 End:01435000 Start:003E0000 End:003E8000 Start:66000000 End:66152000 HODULE=00400100 nSec=3 VirtualSize RVA PhysicalSize PhysicalOffset p=004001F8 5c000 1000 0 0 p=00400220 32000 5d000 31800 400 p=00400248 2000 8f000 1a00 31c00 这就没有继续了好几个程序都这样我用的是0.20 不知道什么原因. 请教下. 2005-12-11 23:13 0
Kernel64 雪币： 224 活跃值： (50) 能力值： ( LV2，RANK：10 ) 在线值：发帖 5 回帖 127 粉丝 0 关注私信	Kernel64 63 楼最初由 xiaoboy 发布有个小问题我试着跑一个UPX加壳的程序,到了 oep 输入MAKEPE 之后到Start:77D10000 End:77D9D000 Start:77180000 End:77290000 Start:770F0000 End:7717B000 Start:77BE0000 End:77C33000 ........ 5、脱壳命令：MAKEPE 首先，你要确认找到了OEP，知道OEP的准确地址，然后勾选“遇到API暂停” 项，往下跑，当遇到API暂停后，看其调用形式，如果是CALL [XXXXXXXX] 或者是JMP [XXXXXXXX]时，你就可以成功地makepe了，注意，这时MAKEPE要加参数，参数就是OEP的地址。如：MAKEPE 401000 脱壳后的文件IAT已经修复。请对照下看看. 2005-12-12 07:35 0
nig 雪币： 413 活跃值： (637) 能力值： ( LV9，RANK：170 ) 在线值：发帖 38 回帖 1456 粉丝 13 关注私信	nig 4 64 楼昨天一个ARM 没有脱成，版本未知！ 2005-12-12 08:34 0
lfsx 雪币： 218 活跃值： (40) 能力值： ( LV2，RANK：10 ) 在线值：发帖 9 回帖 169 粉丝 1 关注私信	lfsx 65 楼 Eip==00401000 ASProtect V2.X Registered -> Alexey Solodovnikov 00401000 6801004D00 PUSH 4D0001 00401005 E801000000 CALL 0040100B 0040100B C3 RET 0040100A C3 RET 004D0001 60 PUSHAD 004D0002 E803000000 CALL 004D000A 004D000A 5D POP EBP 004D000B 45 INC EBP 004D000C 55 PUSH EBP 004D000D C3 RET 004D0008 EB04 JMP 004D000E 004D000E E801000000 CALL 004D0014 004D0014 5D POP EBP 004D0015 BBEDFFFFFF MOV EBX,FFFFFFED 004D001A 03DD ADD EBX,EBP 004D001C 81EB00000D00 SUB EBX,D0000 004D0022 807D4D01 CMP BYTE PTR [EBP+04Dh],1 004D0026 750C JNZ 004D0034 004D0034 8D4553 LEA EAX,DWORD PTR [EBP+053h] 004D0037 50 PUSH EAX 004D0038 53 PUSH EBX 004D0039 FFB5ED090000 PUSH DWORD PTR [EBP+09EDh] 004D003F 8D4535 LEA EAX,DWORD PTR [EBP+035h] 004D0042 50 PUSH EAX 004D0043 E982000000 JMP 004D00CA 004D00CA 6899C5A521 PUSH 21A5C599 004D00CF 66BE5522 MOV SI,2255 004D00D3 5E POP ESI 004D00D4 E810000000 CALL 004D00E9 004D00E9 6681F0D4B7 XOR AX,B7D4 004D00EE 5B POP EBX 004D00EF 81E66C2DEF23 AND ESI,23EF2D6C 004D00F5 81C3AC080000 ADD EBX,8AC 004D00FB 8AC2 MOV AL,DL 004D00FD BF00000000 MOV EDI,0 004D0102 66BEE9FD MOV SI,FDE9 004D0106 8B0C3B MOV ECX,DWORD PTR [EBX+EDI] 004D0109 E90A000000 JMP 004D0118 004D0118 81C1C82E6762 ADD ECX,62672EC8 004D011E 0F8B0F000000 JNP 004D0133 004D0133 81F1610BE04C XOR ECX,4CE00B61 004D0139 80DCFC SBB AH,FC 004D013C 81C18696E26C ADD ECX,6CE29686 004D0142 8BF2 MOV ESI,EDX 004D0144 51 PUSH ECX 004D0145 8BF1 MOV ESI,ECX 004D0147 8F043B POP DWORD PTR [EBX+EDI] 004D014A 668BD3 MOV DX,BX 004D014D BEA93BAA70 MOV ESI,70AA3BA9 004D0152 83EF02 SUB EDI,2 004D0155 6681E04858 AND AX,5848 004D015A 4F DEC EDI 004D015B 4F DEC EDI 004D015C 53 PUSH EBX 004D015D 66BA60E8 MOV DX,E860 004D0161 5A POP EDX 004D0162 81FFE8F7FFFF CMP EDI,FFFFF7E8 004D0168 0F8598FFFFFF JNZ 004D0106 004D0106 8B0C3B MOV ECX,DWORD PTR [EBX+EDI] 004D0109 E90A000000 JMP 004D0118 004D0118 81C1C82E6762 ADD ECX,62672EC8 004D011E 0F8B0F000000 JNP 004D0133 004D0133 81F1610BE04C XOR ECX,4CE00B61 00377C62 *API: KERNEL32.DLL!VirtualAlloc 00377C62 API: KERNEL32.DLL!VirtualAlloc 00377C62 API: KERNEL32.DLL!VirtualFree 00377C62 API: KERNEL32.DLL!GetModuleHandleA 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!VirtualAlloc 00377C62 API: KERNEL32.DLL!VirtualFree 00377C62 API: KERNEL32.DLL!VirtualAlloc 00377C62 API: KERNEL32.DLL!VirtualFree 00377C62 API: KERNEL32.DLL!VirtualAlloc 00377C62 API: KERNEL32.DLL!VirtualFree 00377C62 API: KERNEL32.DLL!VirtualAlloc 00377C62 API: KERNEL32.DLL!VirtualFree 00377C62 API: KERNEL32.DLL!VirtualAlloc 00377C62 API: KERNEL32.DLL!VirtualFree 00377C62 API: KERNEL32.DLL!GetModuleHandleA 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetModuleHandleA 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetModuleHandleA 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetModuleHandleA 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetModuleHandleA 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetModuleHandleA 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetModuleHandleA 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetModuleHandleA 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetModuleHandleA 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetModuleHandleA 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetModuleHandleA 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetModuleHandleA 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetModuleHandleA 00377C62 API: KERNEL32.DLL!LoadLibraryA 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C62 API: KERNEL32.DLL!GetProcAddress 00377C61 API: KERNEL32.DLL!GetModuleFileNameA 00377C61 API: KERNEL32.DLL!GetModuleFileNameA 00377C61 API: ADVAPI32.DLL!RegOpenKeyExA 00377C61 API: ADVAPI32.DLL!RegOpenKeyExA 00377C61 API: KERNEL32.DLL!lstrcpy 00377C61 API: KERNEL32.DLL!GetThreadLocale 00377C61 API: KERNEL32.DLL!GetLocaleInfoA 00377C61 API: KERNEL32.DLL!lstrlen 00377C61 API: KERNEL32.DLL!TlsAlloc 00377C61 API: KERNEL32.DLL!LocalAlloc 00377C61 API: KERNEL32.DLL!TlsSetValue 00377C61 API: USER32.DLL!GetKeyboardType 00377C61 API: KERNEL32.DLL!GetCommandLineA 00377C61 API: KERNEL32.DLL!GetStartupInfoA 00377C61 API: KERNEL32.DLL!GetCurrentThreadId 00377C61 API: USER32.DLL!LoadStringA 00377C61 API: USER32.DLL!LoadStringA 00377C61 API: USER32.DLL!LoadStringA 00377C61 API: USER32.DLL!LoadStringA 00377C61 API: USER32.DLL!LoadStringA 00377C61 API: USER32.DLL!LoadStringA 00377C61 API: USER32.DLL!LoadStringA 00377C61 API: USER32.DLL!LoadStringA 00377C61 API: USER32.DLL!LoadStringA 00377C61 API: USER32.DLL!LoadStringA 00377C61 API: USER32.DLL!LoadStringA 00377C61 API: USER32.DLL!LoadStringA 00377C61 API: USER32.DLL!LoadStringA 00377C61 API: USER32.DLL!LoadStringA 00377C61 API: USER32.DLL!LoadStringA 00377C61 API: USER32.DLL!LoadStringA 00377C61 API: USER32.DLL!LoadStringA 00377C61 API: USER32.DLL!LoadStringA 00377C61 API: USER32.DLL!LoadStringA 00377C61 API: USER32.DLL!LoadStringA 00377C61 API: USER32.DLL!LoadStringA 00377C61 API: USER32.DLL!LoadStringA 00377C61 API: USER32.DLL!LoadStringA 00377C61 API: USER32.DLL!LoadStringA 00377C61 API: USER32.DLL!LoadStringA 00377C61 API: USER32.DLL!LoadStringA 00377C61 API: USER32.DLL!LoadStringA 00377C61 API: USER32.DLL!LoadStringA 00377C61 API: USER32.DLL!LoadStringA 00377C61 API: USER32.DLL!LoadStringA 00377C61 API: KERNEL32.DLL!InitializeCriticalSection 00377C61 API: KERNEL32.DLL!LocalAlloc 00377C61 API: KERNEL32.DLL!VirtualAlloc 00377C61 API: KERNEL32.DLL!LocalAlloc 00377C61 API: KERNEL32.DLL!VirtualAlloc 00377C61 API: USER32.DLL!LoadStringA 00377C61 API: KERNEL32.DLL!GetThreadLocale 00377C61 API: USER32.DLL!GetSystemMetrics 00377C61 API: USER32.DLL!GetSystemMetrics 00377C61 API: KERNEL32.DLL!GetCPInfo 00377C61 API: KERNEL32.DLL!GetThreadLocale 00377C61 API: KERNEL32.DLL!GetLocaleInfoA 00377C61 API: KERNEL32.DLL!GetLocaleInfoA 00377C61 API: KERNEL32.DLL!GetLocaleInfoA 00377C61 API: KERNEL32.DLL!GetLocaleInfoA 00377C61 API: KERNEL32.DLL!GetLocaleInfoA 00377C61 API: KERNEL32.DLL!GetLocaleInfoA 00377C61 API: KERNEL32.DLL!GetLocaleInfoA 00377C61 API: KERNEL32.DLL!GetLocaleInfoA 00377C61 API: KERNEL32.DLL!GetLocaleInfoA 00377C61 API: KERNEL32.DLL!GetLocaleInfoA 00377C61 API: KERNEL32.DLL!GetLocaleInfoA 00377C61 API: KERNEL32.DLL!GetLocaleInfoA 00377C61 API: KERNEL32.DLL!GetLocaleInfoA 00377C61 API: KERNEL32.DLL!GetLocaleInfoA 00377C61 API: KERNEL32.DLL!GetLocaleInfoA 00377C61 API: KERNEL32.DLL!GetLocaleInfoA 00377C61 API: KERNEL32.DLL!GetLocaleInfoA 00377C61 API: KERNEL32.DLL!GetLocaleInfoA 00377C61 API: KERNEL32.DLL!GetLocaleInfoA 00377C61 API: KERNEL32.DLL!GetLocaleInfoA 00377C61 API: KERNEL32.DLL!GetLocaleInfoA 00377C61 API: KERNEL32.DLL!GetLocaleInfoA 00377C61 API: KERNEL32.DLL!GetLocaleInfoA 00377C61 API: KERNEL32.DLL!GetLocaleInfoA 00377C61 API: KERNEL32.DLL!GetLocaleInfoA 00377C61 API: KERNEL32.DLL!GetLocaleInfoA 00377C61 API: KERNEL32.DLL!GetLocaleInfoA 00377C61 API: KERNEL32.DLL!GetLocaleInfoA 00377C61 API: KERNEL32.DLL!GetLocaleInfoA 00377C61 API: KERNEL32.DLL!GetLocaleInfoA 00377C61 API: KERNEL32.DLL!GetLocaleInfoA 00377C61 API: KERNEL32.DLL!GetLocaleInfoA 00377C61 API: KERNEL32.DLL!GetLocaleInfoA 00377C61 API: KERNEL32.DLL!GetLocaleInfoA 00377C61 API: KERNEL32.DLL!GetLocaleInfoA 00377C61 API: KERNEL32.DLL!GetLocaleInfoA 00377C61 API: KERNEL32.DLL!GetLocaleInfoA 00377C61 API: KERNEL32.DLL!GetLocaleInfoA 00377C61 API: KERNEL32.DLL!GetThreadLocale 00377C61 API: KERNEL32.DLL!GetLocaleInfoA 00377C61 API: KERNEL32.DLL!GetThreadLocale 00377C61 API: KERNEL32.DLL!GetLocaleInfoA 00377C61 API: KERNEL32.DLL!GetLocaleInfoA 00377C61 API: KERNEL32.DLL!GetLocaleInfoA 00377C61 API: KERNEL32.DLL!GetLocaleInfoA 00377C61 API: KERNEL32.DLL!GetLocaleInfoA 00377C61 API: KERNEL32.DLL!GetLocaleInfoA 00377C61 API: KERNEL32.DLL!GetLocaleInfoA 00377C61 API: KERNEL32.DLL!GetLocaleInfoA 00377C61 API: KERNEL32.DLL!GetThreadLocale 00377C61 API: KERNEL32.DLL!GetLocaleInfoA 00377C61 API: KERNEL32.DLL!GetLocaleInfoA 00377C61 API: KERNEL32.DLL!GetThreadLocale 00377C61 API: KERNEL32.DLL!GetLocaleInfoA 00377C61 API: KERNEL32.DLL!GetLocaleInfoA 00377C61 API: KERNEL32.DLL!GetLocaleInfoA 00377C61 API: KERNEL32.DLL!GetLocaleInfoA 00377C61 API: KERNEL32.DLL!GetLocaleInfoA 00377C61 API: KERNEL32.DLL!GetLocaleInfoA 00377C61 API: KERNEL32.DLL!GetLocaleInfoA 00377C61 API: KERNEL32.DLL!GetVersionExA 00377C61 API: KERNEL32.DLL!GetModuleHandleA 00377C61 API: KERNEL32.DLL!GetProcAddress 00377C61 API: WS2_32.DLL!WSAStartup 00377C61 API: KERNEL32.DLL!VirtualAlloc 00377C61 API: KERNEL32.DLL!VirtualLock 00377C61 API: KERNEL32.DLL!GetLocalTime 00377C61 API: KERNEL32.DLL!GetSystemTime 发生异常! FS:[0]==0012FF74 异常处理程序地址：02130666 这个异常被成功捕获! 异常处理代码结束! 00377C61 API: KERNEL32.DLL!VirtualFree 发生异常! FS:[0]==0012FE3C 异常处理程序地址：0212FCB5 这个异常被成功捕获! 异常处理代码结束! 00377C61 API: KERNEL32.DLL!VirtualAlloc 00377C61 API: KERNEL32.DLL!VirtualAlloc 00377C61 API: KERNEL32.DLL!VirtualFree 00377C61 API: KERNEL32.DLL!VirtualAlloc 00377C61 API: KERNEL32.DLL!VirtualFree 00377C61 API: KERNEL32.DLL!GetModuleHandleA 021265FD 8A02 MOV AL,BYTE PTR [EDX] Read API Address:77E5B332 GetProcAddress 0212353F 8A01 MOV AL,BYTE PTR [ECX] Read API Address:77E5B332 GetProcAddress 02122C0B 8A08 MOV CL,BYTE PTR [EAX] Read API Address:77E5B332 GetProcAddress 02122BF0 8A08 MOV CL,BYTE PTR [EAX] Read API Address:77E5B332 GetProcAddress 0212720E 66813FFF25 CMP WORD PTR [EDI],25FF Read API Address:77E5B332 GetProcAddress 02122BBC 8A10 MOV DL,BYTE PTR [EAX] Read API Address:77E5B332 GetProcAddress 02122C88 8A00 MOV AL,BYTE PTR [EAX] Read API Address:77E5B332 GetProcAddress 02122BDC 8A00 MOV AL,BYTE PTR [EAX] Read API Address:77E5B332 GetProcAddress 00377C61 **API: KERNEL32.DLL!VirtualAlloc 021265FD 8A02 MOV AL,BYTE PTR [EDX] Read API Address:77EB6FC4 LoadLibraryA 021265FD 8A02 MOV AL,BYTE PTR [EDX] Read API Address:77EB6FD3 LoadLibraryExA 021265FD 8A02 MOV AL,BYTE PTR [EDX] Read API Address:77EB6FE2 LoadLibraryW 0212353F 8A01 MOV AL,BYTE PTR [ECX] Read API Address:77EB6FC4 LoadLibraryA 02122C0B 8A08 MOV CL,BYTE PTR [EAX] Read API Address:77EB6FC4 LoadLibraryA 发生异常! FS:[0]==0012FDC0 异常处理程序地址：02127299 2005-12-12 11:15 0
wangshq397 雪币： 277 活跃值： (312) 能力值： ( LV9，RANK：330 ) 在线值：发帖 59 回帖 650 粉丝 0 关注私信	wangshq397 8 66 楼 arm的不能脱，自由象棋助手，最后程序异常终止 2005-12-12 17:58 0
Kernel64 雪币： 224 活跃值： (50) 能力值： ( LV2，RANK：10 ) 在线值：发帖 5 回帖 127 粉丝 0 关注私信	Kernel64 67 楼最初由 wangshq397 发布 arm的不能脱，自由象棋助手，最后程序异常终止是不是双进程的？如果是双进程，是肯定脱不掉的，这方面还有很多工作要做。 2005-12-12 17:59 0
njzzzzzz 雪币： 207 活跃值： (41) 能力值： ( LV3，RANK：20 ) 在线值：发帖 27 回帖 212 粉丝 0 关注私信	njzzzzzz 68 楼已经找到了OEP,可是不会用命令脱壳呀 2005-12-13 03:27 0
njzzzzzz 雪币： 207 活跃值： (41) 能力值： ( LV3，RANK：20 ) 在线值：发帖 27 回帖 212 粉丝 0 关注私信	njzzzzzz 69 楼楼主要是能做一个,你脱一个简单壳的小演示就好了, 这样大家一目了然,也不用瞎猜了 2005-12-13 03:29 0
prince 雪币： 603 活跃值： (617) 能力值： ( LV12，RANK：660 ) 在线值：发帖 51 回帖 1874 粉丝 8 关注私信	prince 16 70 楼晕，楼上的仔细看过说明了没有，还有前面发过的帖子？ 2005-12-13 10:43 0
Kernel64 雪币： 224 活跃值： (50) 能力值： ( LV2，RANK：10 ) 在线值：发帖 5 回帖 127 粉丝 0 关注私信	Kernel64 71 楼把这个说明再顶一下。 2006-1-6 15:22 0
TarZan 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 6 回帖 135 粉丝 0 关注私信	TarZan 72 楼我来帮着顶，不过这个工具不是入门级的工具，要求使用者应该有一定的基础的。 2006-1-7 00:40 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

Kernel64

雪币： 224

活跃值： (50)

能力值：

( LV2，RANK：10 )

在线值：

发帖

5

回帖

127

粉丝

0

关注

私信

Kernel64: 51 楼

最初由快雪时晴发布

用0.19版本试了，结果还是一样，我发上来你看看。
附件:jhzj.rar 附件:jhzj.rar

已脱:
附件:ror_unpacked.rar 附件:ror_unpacked.rar

2005-12-10 00:50

0

playx

雪币： 146

活跃值： (72)

能力值：

( LV4，RANK：50 )

在线值：

发帖

25

回帖

445

粉丝

0

关注

私信

playx 1: 52 楼

最初由 china 发布
用0.19脱了notepad_2，但是运行出错，好像没修复成功。

Eip==01001000
未知壳
01001000 B82CBC0101       MOV EAX,101BC2C
01001005 50                PUSH EAX
01001006 64FF3500000000    PUSH DWORD PTR FS:[0]
0100100D 64892500000000    MOV DWORD PTR FS:[0],ESP
01001014 33C0             XOR EAX,EAX
01001016 8908             MOV DWORD PTR [EAX],ECX
发生异常!
FS:[0]==0006FFBC
异常处理程序地址：0101BC2C
这个异常被成功捕获!
0101BC2C B823AA01F1       MOV EAX,F101AA23
0101BC31 8D882C120010       LEA ECX,DWORD PTR [EAX+01000122Ch]
0101BC37 894101             MOV DWORD PTR [ECX+01h],EAX
0101BC3A 8B542404          MOV EDX,DWORD PTR [ESP+04h]
0101BC3E 8B520C             MOV EDX,DWORD PTR [EDX+0Ch]
0101BC41 C602E9             MOV BYTE PTR [EDX],E9
0101BC44 83C205             ADD EDX,5
0101BC47 2BCA             SUB ECX,EDX
0101BC49 894AFC             MOV DWORD PTR [EDX-04h],ECX
0101BC4C 33C0             XOR EAX,EAX
0101BC4E C3                RET
异常处理代码结束!
01001016 E934AC0100       JMP 0101BC4F
0101BC4F B823AA01F1       MOV EAX,F101AA23
0101BC54 648F0500000000    POP DWORD PTR FS:[0]
0101BC5B 83C404             ADD ESP,4
0101BC5E 55                PUSH EBP
0101BC5F 53                PUSH EBX
0101BC60 51                PUSH ECX
0101BC61 57                PUSH EDI
0101BC62 56                PUSH ESI
0101BC63 52                PUSH EDX
0101BC64 8D98E5110010       LEA EBX,DWORD PTR [EAX+0100011E5h]
0101BC6A 8B5318             MOV EDX,DWORD PTR [EBX+018h]
0101BC6D 52                PUSH EDX
0101BC6E 8BE8             MOV EBP,EAX
0101BC70 6A40             PUSH 40
0101BC72 6800100000       PUSH 1000
0101BC77 FF7304             PUSH DWORD PTR [EBX+04h]
0101BC7A 6A00             PUSH 0
0101BC7C 8B4B10             MOV ECX,DWORD PTR [EBX+010h]
0101BC7F 03CA             ADD ECX,EDX
0101BC81 8B01             MOV EAX,DWORD PTR [ECX]
0101BC83 FFD0             CALL EAX
0101BC83 ***API: KERNEL32.DLL!VirtualAlloc
0101BC83 FFD0             CALL EAX
0101BC83 ***API: KERNEL32.DLL!VirtualAlloc
0101BC85 5A                POP EDX
0101BC86 8BF8             MOV EDI,EAX
0101BC88 50                PUSH EAX
0101BC89 52                PUSH EDX
0101BC8A 8B33             MOV ESI,DWORD PTR [EBX]
0101BC8C 8B4320             MOV EAX,DWORD PTR [EBX+020h]
0101BC8F 03C2             ADD EAX,EDX
0101BC91 8B08             MOV ECX,DWORD PTR [EAX]
0101BC93 894B20             MOV DWORD PTR [EBX+020h],ECX
0101BC96 8B431C             MOV EAX,DWORD PTR [EBX+01Ch]
0101BC99 03C2             ADD EAX,EDX
0101BC9B 8B08             MOV ECX,DWORD PTR [EAX]
0101BC9D 894B1C             MOV DWORD PTR [EBX+01Ch],ECX
0101BCA0 03F2             ADD ESI,EDX
0101BCA2 8B4B0C             MOV ECX,DWORD PTR [EBX+0Ch]
0101BCA5 03CA             ADD ECX,EDX
0101BCA7 8D431C             LEA EAX,DWORD PTR [EBX+01Ch]
0101BCAA 50                PUSH EAX
0101BCAB 57                PUSH EDI
0101BCAC 56                PUSH ESI
0101BCAD FFD1             CALL ECX
0101BB5D 60                PUSHAD
0101BB5E 8B742424          MOV ESI,DWORD PTR [ESP+024h]
002C79CA ***API: KERNEL32.DLL!LoadLibraryA
00F509CB FF939E1D0010       CALL DWORD PTR [EBX+010001D9Eh]
002C79CA ***API: KERNEL32.DLL!LoadLibraryA
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!LoadLibraryA
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!VirtualAlloc
002C79C6 ***API: KERNEL32.DLL!LoadLibraryA
002C79C7 ***API: KERNEL32.DLL!GetProcAddress
002C79C7 ***API: KERNEL32.DLL!GetProcAddress
00F5007E ***API: KERNEL32.DLL!VirtualAlloc
00F500BE ***API: KERNEL32.DLL!VirtualFree
00F50FA0 ***API: KERNEL32.DLL!GetModuleHandleA
002C79CA ***API: KERNEL32.DLL!LoadLibraryA
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
00F50FA0 ***API: KERNEL32.DLL!GetModuleHandleA
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
00F50FA0 ***API: KERNEL32.DLL!GetModuleHandleA
002C79CA ***API: KERNEL32.DLL!LoadLibraryA
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
00F50FA0 ***API: KERNEL32.DLL!GetModuleHandleA
002C79CA ***API: KERNEL32.DLL!GetProcAddress
00F50FA0 ***API: KERNEL32.DLL!GetModuleHandleA
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
00F50FA0 ***API: KERNEL32.DLL!GetModuleHandleA
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
00F50FA0 ***API: KERNEL32.DLL!GetModuleHandleA
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
00F50FA0 ***API: KERNEL32.DLL!GetModuleHandleA
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
00F50FA0 ***API: KERNEL32.DLL!GetModuleHandleA
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!GetProcAddress
002C79CA ***API: KERNEL32.DLL!VirtualProtect
002C79CA ***API: KERNEL32.DLL!VirtualProtect
002C79CA ***API: KERNEL32.DLL!VirtualProtect
002C79CA ***API: KERNEL32.DLL!VirtualProtect
002C79CA ***API: KERNEL32.DLL!VirtualProtect
002C79CA ***API: KERNEL32.DLL!VirtualFree
可能到OEP了，如果不完全正确，请再单步走几下！
0101BCEE FFE0             JMP EAX
可能到OEP了，如果不完全正确，请再单步走几下！
0100739D 6A70             PUSH 70
Command: makepe
Make PE now
Start:7C920000 End:7C9B4000
Start:7C800000 End:7C91C000
Start:10000000 End:100A2000
Start:77BE0000 End:77C38000
Start:73D30000 End:73E2E000
Start:77EF0000 End:77F37000
Start:77D10000 End:77D9F000
Start:76300000 End:7631D000
Start:77DA0000 End:77E49000
Start:77E50000 End:77EE1000
Start:62C20000 End:62C29000
Start:73FA0000 End:7400B000
Start:61BE0000 End:61BED000
Start:77BD0000 End:77BD8000
Start:7D590000 End:7DD82000
Start:77F40000 End:77FB6000
Start:77180000 End:77282000
Start:770F0000 End:7717C000
Start:76990000 End:76ACD000
Start:71A20000 End:71A37000
Start:71A10000 End:71A18000
Start:76320000 End:76367000
Start:72F70000 End:72F96000
HODULE=010000E0
nSec=2
VirtualSize RVA PhysicalSize PhysicalOffset
p=010001D8
13000    1000    4200    400
p=01000200
8000 14000    7e00    4600
pStart=01001000
pEnd=01001344
1431 1c000    1431 1c000
1f0 -> 1000
write object at 1001000 len 13000
Writing 1001000 len 13000
14000 -> 14000
write object at 1014000 len 8000
Writing 1014000 len 8000
1c000 -> 1c000
Writing 2c9e40 len 1431
文件已保存到：C:\Documents and Settings\xxx\桌面\壳\notepad.rar_631\ROR_Unpacked.exe
被调试程序已经终止

脱出来的程序运行正常～

2005-12-10 00:57

0

快雪时晴

雪币： 370

活跃值： (15)

能力值：

( LV9，RANK：170 )

在线值：

发帖

34

回帖

2272

粉丝

1

关注

私信

快雪时晴 4: 53 楼

为什么要跑过64条/字节指令后才开始寻找OEP，
我发现不少程序都会飞走，
在入口处停不下来。
比如NSPACK3.4

另外：
不知道NsPack V3.4.CracKed.exe是不是保护功能（完全压缩壳？）较原版弱了，我对某程序加了壳，虽然PEID093没识别，但竟然用OD F8几下(不要回头往前跳)就来到OEP，ODDUMP后运行增正常。
004E279B    61                popad
004E279C    9D                popfd
004E279D - E9 56D7FDFF       jmp accesspa.004BFEF8 <---jump to OEP

跳到OEP后，OD并没显示出代码来，点“分析”也无效，不过不影响执行和脱壳。

2005-12-10 01:44

0

playx

雪币： 146

活跃值： (72)

能力值：

( LV4，RANK：50 )

在线值：

发帖

25

回帖

445

粉丝

0

关注

私信

playx 1: 54 楼

快雪时晴帮一下啦。呵呵。

2005-12-10 02:01

0

快雪时晴

雪币： 370

活跃值： (15)

能力值：

( LV9，RANK：170 )

在线值：

发帖

34

回帖

2272

粉丝

1

关注

私信

快雪时晴 4: 55 楼

最初由 playx 发布
快雪时晴帮一下啦。呵呵。

也许发帖不够，没权限吧

2005-12-10 02:08

0

playx

雪币： 146

活跃值： (72)

能力值：

( LV4，RANK：50 )

在线值：

发帖

25

回帖

445

粉丝

0

关注

私信

playx 1: 56 楼

最初由快雪时晴发布

也许发帖不够，没权限吧

呵呵，也许吧。看来要加油了。
对了，你刚才放上去的那个东东我的瑞星杀了很长时间啊，3分43秒！！修改后的壳够强的啊

2005-12-10 02:29

0

Kernel64

雪币： 224

活跃值： (50)

能力值：

( LV2，RANK：10 )

在线值：

发帖

5

回帖

127

粉丝

0

关注

私信

Kernel64: 57 楼

最初由快雪时晴发布
为什么要跑过64条/字节指令后才开始寻找OEP，
我发现不少程序都会飞走，
在入口处停不下来。
比如NSPACK3.4

........

如果有壳的话,前64条指令内不可能到真正的OEP的,哪个壳的代码也不会傻到
少于64条指令的,而由于代码刚载入时的环境就是我要判断的OEP的环境,我想
避开,避免刚开始运行就错误地提示说“OEP找到了”，因此，我让代码先跑过
64条，再判别OEP，不知道你明白否？

2005-12-10 18:16

0

快雪时晴

雪币： 370

活跃值： (15)

能力值：

( LV9，RANK：170 )

在线值：

发帖

34

回帖

2272

粉丝

1

关注

私信

快雪时晴 4: 58 楼

最初由 Kernel64 发布

如果有壳的话,前64条指令内不可能到真正的OEP的,哪个壳的代码也不会傻到
少于64条指令的,而由于代码刚载入时的环境就是我要判断的OEP的环境,我想
避开,避免刚开始运行就错误地提示说“OEP找到了”，因此，我让代码先跑过
........

明白是明白了,可程序加载就跑飞的问题怎么解决?这时执行指令数=0
能不能一开始强制停在入口处

2005-12-10 18:26

0

快雪时晴

雪币： 370

活跃值： (15)

能力值：

( LV9，RANK：170 )

在线值：

发帖

34

回帖

2272

粉丝

1

关注

私信

快雪时晴 4: 59 楼

最初由 Kernel64 发布

已脱:
附件:ror_unpacked.rar 附件:ror_unpacked.rar

会不会与操作系统有关呢？
我WIN2K+SP4
就是不成功，
用v0.20试了，可以正常脱壳，但运行失败。
提示程序初始化时失败0x00000005

2005-12-10 18:43

0

okdodo

雪币： 233

活跃值： (10)

能力值：

( LV6，RANK：90 )

在线值：

发帖

12

回帖

396

粉丝

1

关注

私信

okdodo 2: 60 楼

能否share一下

2005-12-10 19:04

0

Kernel64

雪币： 224

活跃值： (50)

能力值：

( LV2，RANK：10 )

在线值：

发帖

5

回帖

127

粉丝

0

关注

私信

Kernel64: 61 楼

最初由 okdodo 发布
能否share一下

http://bbs.pediy.com/showthread.php?s=&threadid=18994

2005-12-10 19:21

0

xiaoboy

雪币： 224

活跃值： (75)

能力值：

( LV6，RANK：90 )

在线值：

发帖

22

回帖

300

粉丝

0

关注

私信

xiaoboy 2: 62 楼

有个小问题我试着跑一个UPX加壳的程序,到了 oep 输入MAKEPE 之后
到Start:77D10000 End:77D9D000
Start:77180000 End:77290000
Start:770F0000 End:7717B000
Start:77BE0000 End:77C33000
Start:77BD0000 End:77BD7000
Start:76300000 End:7631A000
Start:62C20000 End:62C28000
Start:72F10000 End:72F6A000
Start:10000000 End:100A2000
Start:73D30000 End:73E22000
Start:61BE0000 End:61BED000
Start:773A0000 End:77B94000
Start:772A0000 End:77303000
Start:71950000 End:71A34000
Start:01420000 End:01435000
Start:003E0000 End:003E8000
Start:66000000 End:66152000
HODULE=00400100
nSec=3
VirtualSize RVA PhysicalSize PhysicalOffset
p=004001F8
5c000    1000       0       0
p=00400220
32000 5d000 31800    400
p=00400248
2000 8f000    1a00 31c00
这就没有继续了好几个程序都这样我用的是0.20 不知道什么原因.
请教下.

2005-12-11 23:13

0

Kernel64

雪币： 224

活跃值： (50)

能力值：

( LV2，RANK：10 )

在线值：

发帖

5

回帖

127

粉丝

0

关注

私信

Kernel64: 63 楼

最初由 xiaoboy 发布
有个小问题我试着跑一个UPX加壳的程序,到了 oep 输入MAKEPE 之后
到Start:77D10000 End:77D9D000
Start:77180000 End:77290000
Start:770F0000 End:7717B000
Start:77BE0000 End:77C33000
........

5、脱壳命令：MAKEPE
首先，你要确认找到了OEP，知道OEP的准确地址，然后勾选“遇到API暂停”
项，往下跑，当遇到API暂停后，看其调用形式，如果是CALL [XXXXXXXX]
或者是JMP [XXXXXXXX]时，你就可以成功地makepe了，注意，这时MAKEPE要
加参数，参数就是OEP的地址。如：MAKEPE 401000
脱壳后的文件IAT已经修复。

请对照下看看.

2005-12-12 07:35

0

nig

雪币： 413

活跃值： (637)

能力值：

( LV9，RANK：170 )

在线值：

发帖

38

回帖

1456

粉丝

13

关注

私信

nig 4: 64 楼

昨天一个ARM 没有脱成，版本未知！

2005-12-12 08:34

0

lfsx

雪币： 218

活跃值： (40)

能力值：

( LV2，RANK：10 )

在线值：

发帖

9

回帖

169

粉丝

1

关注

私信

lfsx: 65 楼

Eip==00401000
ASProtect V2.X Registered -> Alexey Solodovnikov
00401000 6801004D00       PUSH 4D0001
00401005 E801000000       CALL 0040100B
0040100B C3                RET
0040100A C3                RET
004D0001 60                PUSHAD
004D0002 E803000000       CALL 004D000A
004D000A 5D                POP EBP
004D000B 45                INC EBP
004D000C 55                PUSH EBP
004D000D C3                RET
004D0008 EB04             JMP 004D000E
004D000E E801000000       CALL 004D0014
004D0014 5D                POP EBP
004D0015 BBEDFFFFFF       MOV EBX,FFFFFFED
004D001A 03DD             ADD EBX,EBP
004D001C 81EB00000D00       SUB EBX,D0000
004D0022 807D4D01          CMP BYTE PTR [EBP+04Dh],1
004D0026 750C             JNZ 004D0034
004D0034 8D4553             LEA EAX,DWORD PTR [EBP+053h]
004D0037 50                PUSH EAX
004D0038 53                PUSH EBX
004D0039 FFB5ED090000       PUSH DWORD PTR [EBP+09EDh]
004D003F 8D4535             LEA EAX,DWORD PTR [EBP+035h]
004D0042 50                PUSH EAX
004D0043 E982000000       JMP 004D00CA
004D00CA 6899C5A521       PUSH 21A5C599
004D00CF 66BE5522          MOV SI,2255
004D00D3 5E                POP ESI
004D00D4 E810000000       CALL 004D00E9
004D00E9 6681F0D4B7       XOR AX,B7D4
004D00EE 5B                POP EBX
004D00EF 81E66C2DEF23       AND ESI,23EF2D6C
004D00F5 81C3AC080000       ADD EBX,8AC
004D00FB 8AC2             MOV AL,DL
004D00FD BF00000000       MOV EDI,0
004D0102 66BEE9FD          MOV SI,FDE9
004D0106 8B0C3B             MOV ECX,DWORD PTR [EBX+EDI]
004D0109 E90A000000       JMP 004D0118
004D0118 81C1C82E6762       ADD ECX,62672EC8
004D011E 0F8B0F000000       JNP 004D0133
004D0133 81F1610BE04C       XOR ECX,4CE00B61
004D0139 80DCFC             SBB AH,FC
004D013C 81C18696E26C       ADD ECX,6CE29686
004D0142 8BF2             MOV ESI,EDX
004D0144 51                PUSH ECX
004D0145 8BF1             MOV ESI,ECX
004D0147 8F043B             POP DWORD PTR [EBX+EDI]
004D014A 668BD3             MOV DX,BX
004D014D BEA93BAA70       MOV ESI,70AA3BA9
004D0152 83EF02             SUB EDI,2
004D0155 6681E04858       AND AX,5848
004D015A 4F                DEC EDI
004D015B 4F                DEC EDI
004D015C 53                PUSH EBX
004D015D 66BA60E8          MOV DX,E860
004D0161 5A                POP EDX
004D0162 81FFE8F7FFFF       CMP EDI,FFFFF7E8
004D0168 0F8598FFFFFF       JNZ 004D0106
004D0106 8B0C3B             MOV ECX,DWORD PTR [EBX+EDI]
004D0109 E90A000000       JMP 004D0118
004D0118 81C1C82E6762       ADD ECX,62672EC8
004D011E 0F8B0F000000       JNP 004D0133
004D0133 81F1610BE04C       XOR ECX,4CE00B61
00377C62 ***API: KERNEL32.DLL!VirtualAlloc
00377C62 ***API: KERNEL32.DLL!VirtualAlloc
00377C62 ***API: KERNEL32.DLL!VirtualFree
00377C62 ***API: KERNEL32.DLL!GetModuleHandleA
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!VirtualAlloc
00377C62 ***API: KERNEL32.DLL!VirtualFree
00377C62 ***API: KERNEL32.DLL!VirtualAlloc
00377C62 ***API: KERNEL32.DLL!VirtualFree
00377C62 ***API: KERNEL32.DLL!VirtualAlloc
00377C62 ***API: KERNEL32.DLL!VirtualFree
00377C62 ***API: KERNEL32.DLL!VirtualAlloc
00377C62 ***API: KERNEL32.DLL!VirtualFree
00377C62 ***API: KERNEL32.DLL!VirtualAlloc
00377C62 ***API: KERNEL32.DLL!VirtualFree
00377C62 ***API: KERNEL32.DLL!GetModuleHandleA
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetModuleHandleA
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetModuleHandleA
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetModuleHandleA
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetModuleHandleA
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetModuleHandleA
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetModuleHandleA
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetModuleHandleA
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetModuleHandleA
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetModuleHandleA
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetModuleHandleA
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetModuleHandleA
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetModuleHandleA
00377C62 ***API: KERNEL32.DLL!LoadLibraryA
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C62 ***API: KERNEL32.DLL!GetProcAddress
00377C61 ***API: KERNEL32.DLL!GetModuleFileNameA
00377C61 ***API: KERNEL32.DLL!GetModuleFileNameA
00377C61 ***API: ADVAPI32.DLL!RegOpenKeyExA
00377C61 ***API: ADVAPI32.DLL!RegOpenKeyExA
00377C61 ***API: KERNEL32.DLL!lstrcpy
00377C61 ***API: KERNEL32.DLL!GetThreadLocale
00377C61 ***API: KERNEL32.DLL!GetLocaleInfoA
00377C61 ***API: KERNEL32.DLL!lstrlen
00377C61 ***API: KERNEL32.DLL!TlsAlloc
00377C61 ***API: KERNEL32.DLL!LocalAlloc
00377C61 ***API: KERNEL32.DLL!TlsSetValue
00377C61 ***API: USER32.DLL!GetKeyboardType
00377C61 ***API: KERNEL32.DLL!GetCommandLineA
00377C61 ***API: KERNEL32.DLL!GetStartupInfoA
00377C61 ***API: KERNEL32.DLL!GetCurrentThreadId
00377C61 ***API: USER32.DLL!LoadStringA
00377C61 ***API: USER32.DLL!LoadStringA
00377C61 ***API: USER32.DLL!LoadStringA
00377C61 ***API: USER32.DLL!LoadStringA
00377C61 ***API: USER32.DLL!LoadStringA
00377C61 ***API: USER32.DLL!LoadStringA
00377C61 ***API: USER32.DLL!LoadStringA
00377C61 ***API: USER32.DLL!LoadStringA
00377C61 ***API: USER32.DLL!LoadStringA
00377C61 ***API: USER32.DLL!LoadStringA
00377C61 ***API: USER32.DLL!LoadStringA
00377C61 ***API: USER32.DLL!LoadStringA
00377C61 ***API: USER32.DLL!LoadStringA
00377C61 ***API: USER32.DLL!LoadStringA
00377C61 ***API: USER32.DLL!LoadStringA
00377C61 ***API: USER32.DLL!LoadStringA
00377C61 ***API: USER32.DLL!LoadStringA
00377C61 ***API: USER32.DLL!LoadStringA
00377C61 ***API: USER32.DLL!LoadStringA
00377C61 ***API: USER32.DLL!LoadStringA
00377C61 ***API: USER32.DLL!LoadStringA
00377C61 ***API: USER32.DLL!LoadStringA
00377C61 ***API: USER32.DLL!LoadStringA
00377C61 ***API: USER32.DLL!LoadStringA
00377C61 ***API: USER32.DLL!LoadStringA
00377C61 ***API: USER32.DLL!LoadStringA
00377C61 ***API: USER32.DLL!LoadStringA
00377C61 ***API: USER32.DLL!LoadStringA
00377C61 ***API: USER32.DLL!LoadStringA
00377C61 ***API: USER32.DLL!LoadStringA
00377C61 ***API: KERNEL32.DLL!InitializeCriticalSection
00377C61 ***API: KERNEL32.DLL!LocalAlloc
00377C61 ***API: KERNEL32.DLL!VirtualAlloc
00377C61 ***API: KERNEL32.DLL!LocalAlloc
00377C61 ***API: KERNEL32.DLL!VirtualAlloc
00377C61 ***API: USER32.DLL!LoadStringA
00377C61 ***API: KERNEL32.DLL!GetThreadLocale
00377C61 ***API: USER32.DLL!GetSystemMetrics
00377C61 ***API: USER32.DLL!GetSystemMetrics
00377C61 ***API: KERNEL32.DLL!GetCPInfo
00377C61 ***API: KERNEL32.DLL!GetThreadLocale
00377C61 ***API: KERNEL32.DLL!GetLocaleInfoA
00377C61 ***API: KERNEL32.DLL!GetLocaleInfoA
00377C61 ***API: KERNEL32.DLL!GetLocaleInfoA
00377C61 ***API: KERNEL32.DLL!GetLocaleInfoA
00377C61 ***API: KERNEL32.DLL!GetLocaleInfoA
00377C61 ***API: KERNEL32.DLL!GetLocaleInfoA
00377C61 ***API: KERNEL32.DLL!GetLocaleInfoA
00377C61 ***API: KERNEL32.DLL!GetLocaleInfoA
00377C61 ***API: KERNEL32.DLL!GetLocaleInfoA
00377C61 ***API: KERNEL32.DLL!GetLocaleInfoA
00377C61 ***API: KERNEL32.DLL!GetLocaleInfoA
00377C61 ***API: KERNEL32.DLL!GetLocaleInfoA
00377C61 ***API: KERNEL32.DLL!GetLocaleInfoA
00377C61 ***API: KERNEL32.DLL!GetLocaleInfoA
00377C61 ***API: KERNEL32.DLL!GetLocaleInfoA
00377C61 ***API: KERNEL32.DLL!GetLocaleInfoA
00377C61 ***API: KERNEL32.DLL!GetLocaleInfoA
00377C61 ***API: KERNEL32.DLL!GetLocaleInfoA
00377C61 ***API: KERNEL32.DLL!GetLocaleInfoA
00377C61 ***API: KERNEL32.DLL!GetLocaleInfoA
00377C61 ***API: KERNEL32.DLL!GetLocaleInfoA
00377C61 ***API: KERNEL32.DLL!GetLocaleInfoA
00377C61 ***API: KERNEL32.DLL!GetLocaleInfoA
00377C61 ***API: KERNEL32.DLL!GetLocaleInfoA
00377C61 ***API: KERNEL32.DLL!GetLocaleInfoA
00377C61 ***API: KERNEL32.DLL!GetLocaleInfoA
00377C61 ***API: KERNEL32.DLL!GetLocaleInfoA
00377C61 ***API: KERNEL32.DLL!GetLocaleInfoA
00377C61 ***API: KERNEL32.DLL!GetLocaleInfoA
00377C61 ***API: KERNEL32.DLL!GetLocaleInfoA
00377C61 ***API: KERNEL32.DLL!GetLocaleInfoA
00377C61 ***API: KERNEL32.DLL!GetLocaleInfoA
00377C61 ***API: KERNEL32.DLL!GetLocaleInfoA
00377C61 ***API: KERNEL32.DLL!GetLocaleInfoA
00377C61 ***API: KERNEL32.DLL!GetLocaleInfoA
00377C61 ***API: KERNEL32.DLL!GetLocaleInfoA
00377C61 ***API: KERNEL32.DLL!GetLocaleInfoA
00377C61 ***API: KERNEL32.DLL!GetLocaleInfoA
00377C61 ***API: KERNEL32.DLL!GetThreadLocale
00377C61 ***API: KERNEL32.DLL!GetLocaleInfoA
00377C61 ***API: KERNEL32.DLL!GetThreadLocale
00377C61 ***API: KERNEL32.DLL!GetLocaleInfoA
00377C61 ***API: KERNEL32.DLL!GetLocaleInfoA
00377C61 ***API: KERNEL32.DLL!GetLocaleInfoA
00377C61 ***API: KERNEL32.DLL!GetLocaleInfoA
00377C61 ***API: KERNEL32.DLL!GetLocaleInfoA
00377C61 ***API: KERNEL32.DLL!GetLocaleInfoA
00377C61 ***API: KERNEL32.DLL!GetLocaleInfoA
00377C61 ***API: KERNEL32.DLL!GetLocaleInfoA
00377C61 ***API: KERNEL32.DLL!GetThreadLocale
00377C61 ***API: KERNEL32.DLL!GetLocaleInfoA
00377C61 ***API: KERNEL32.DLL!GetLocaleInfoA
00377C61 ***API: KERNEL32.DLL!GetThreadLocale
00377C61 ***API: KERNEL32.DLL!GetLocaleInfoA
00377C61 ***API: KERNEL32.DLL!GetLocaleInfoA
00377C61 ***API: KERNEL32.DLL!GetLocaleInfoA
00377C61 ***API: KERNEL32.DLL!GetLocaleInfoA
00377C61 ***API: KERNEL32.DLL!GetLocaleInfoA
00377C61 ***API: KERNEL32.DLL!GetLocaleInfoA
00377C61 ***API: KERNEL32.DLL!GetLocaleInfoA
00377C61 ***API: KERNEL32.DLL!GetVersionExA
00377C61 ***API: KERNEL32.DLL!GetModuleHandleA
00377C61 ***API: KERNEL32.DLL!GetProcAddress
00377C61 ***API: WS2_32.DLL!WSAStartup
00377C61 ***API: KERNEL32.DLL!VirtualAlloc
00377C61 ***API: KERNEL32.DLL!VirtualLock
00377C61 ***API: KERNEL32.DLL!GetLocalTime
00377C61 ***API: KERNEL32.DLL!GetSystemTime
发生异常!
FS:[0]==0012FF74
异常处理程序地址：02130666
这个异常被成功捕获!
异常处理代码结束!
00377C61 ***API: KERNEL32.DLL!VirtualFree
发生异常!
FS:[0]==0012FE3C
异常处理程序地址：0212FCB5
这个异常被成功捕获!
异常处理代码结束!
00377C61 ***API: KERNEL32.DLL!VirtualAlloc
00377C61 ***API: KERNEL32.DLL!VirtualAlloc
00377C61 ***API: KERNEL32.DLL!VirtualFree
00377C61 ***API: KERNEL32.DLL!VirtualAlloc
00377C61 ***API: KERNEL32.DLL!VirtualFree
00377C61 ***API: KERNEL32.DLL!GetModuleHandleA
021265FD 8A02             MOV AL,BYTE PTR [EDX]
Read API Address:77E5B332 GetProcAddress
0212353F 8A01             MOV AL,BYTE PTR [ECX]
Read API Address:77E5B332 GetProcAddress
02122C0B 8A08             MOV CL,BYTE PTR [EAX]
Read API Address:77E5B332 GetProcAddress
02122BF0 8A08             MOV CL,BYTE PTR [EAX]
Read API Address:77E5B332 GetProcAddress
0212720E 66813FFF25       CMP WORD PTR [EDI],25FF
Read API Address:77E5B332 GetProcAddress
02122BBC 8A10             MOV DL,BYTE PTR [EAX]
Read API Address:77E5B332 GetProcAddress
02122C88 8A00             MOV AL,BYTE PTR [EAX]
Read API Address:77E5B332 GetProcAddress
02122BDC 8A00             MOV AL,BYTE PTR [EAX]
Read API Address:77E5B332 GetProcAddress
00377C61 ***API: KERNEL32.DLL!VirtualAlloc
021265FD 8A02             MOV AL,BYTE PTR [EDX]
Read API Address:77EB6FC4 LoadLibraryA
021265FD 8A02             MOV AL,BYTE PTR [EDX]
Read API Address:77EB6FD3 LoadLibraryExA
021265FD 8A02             MOV AL,BYTE PTR [EDX]
Read API Address:77EB6FE2 LoadLibraryW
0212353F 8A01             MOV AL,BYTE PTR [ECX]
Read API Address:77EB6FC4 LoadLibraryA
02122C0B 8A08             MOV CL,BYTE PTR [EAX]
Read API Address:77EB6FC4 LoadLibraryA
发生异常!
FS:[0]==0012FDC0
异常处理程序地址：02127299

2005-12-12 11:15

0