[Old thread] [Help] Seeking guidance on how to break the self-check in a Dazhihui plugin
Posted: 2016-5-30 00:02 2403

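Experts, I'm a newbie. Following the forum tutorials, I finally managed to unpack the Armadillo 5.20 shell, but
now the Dazhihui software can no longer detect the DLL file. The DLL itself has a time check and can only be used before 2013,
and it seems to have a size check as well. With the unpacked file, after BP ExitProcess breaks and I press SHIFT+F9, an error window pops up.
I'm out of ideas now. Could you advise which breakpoint to use? Please help analyze what type of self-check this is and what the general approach would be.
Using the comparison method with two OD instances, I found that the two programs jump to different places at the RETN? The output of the KANAL plugin in PEiD 0.95 is shown in the attachment 脱壳前.zip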

Latest replies (5)
#2
Whatever packer is applied, it runs unpacked in memory anyway, right? Can't you just work on it in memory directly?
2016-5-31 08:17
#3
I'm a newbie and have only just started learning unpacking; I don't know how to do the memory stuff yet.
Now I'm starting to learn about self-checks.
2016-5-31 10:31
#4
Intermodular calls
Address    Disassembly                               Destination
10001015   CALL DWORD PTR DS:[<&msvcrt.time>]        msvcrt.time
10001020   CALL DWORD PTR DS:[<&msvcrt.gmtime>]      msvcrt.gmtime
100010C6   CALL DWORD PTR DS:[<&msvcrt.swprintf>]    msvcrt.swprintf
100010EB   CALL <JMP.&mfc42.#823_??2@YAPAXI@Z>       mfc42.#823_??2@YAPAXI@Z
10001162   CALL <JMP.&mfc42.#825_??3@YAXPAX@Z>       mfc42.#825_??3@YAXPAX@Z
10001180   CALL <JMP.&mfc42.#825_??3@YAXPAX@Z>       mfc42.#825_??3@YAXPAX@Z
100011D1   CALL <JMP.&mfc42.#825_??3@YAXPAX@Z>       mfc42.#825_??3@YAXPAX@Z
1000127D   CALL DWORD PTR DS:[<&msvcrt.wcscpy>]      msvcrt.wcscpy
100012B3   CALL DWORD PTR DS:[<&msvcrt._strcmpi>]    msvcrt._stricmp
10001370   CALL DWORD PTR DS:[<&msvcrt.wcscpy>]      msvcrt.wcscpy
1000176A   CALL <JMP.&mfc42.#472_??0CPen@@QAE@HHK@Z  mfc42.#472_??0CPen@@QAE@HHK@Z
10001781   CALL <JMP.&mfc42.#5787_?SelectObject@CDC  mfc42.#5788_?SelectObject@CDC@@QAEPAVCPen@@PAV2@@Z
100017C6   CALL DWORD PTR DS:[<&gdi32.Arc>]          GDI32.Arc
1000189C   CALL <JMP.&mfc42.#540_??0CString@@QAE@XZ  mfc42.#540_??0CString@@QAE@XZ
100018AD   CALL <JMP.&mfc42.#540_??0CString@@QAE@XZ  mfc42.#540_??0CString@@QAE@XZ
100018BE   CALL <JMP.&mfc42.#540_??0CString@@QAE@XZ  mfc42.#540_??0CString@@QAE@XZ
100018CF   CALL <JMP.&mfc42.#540_??0CString@@QAE@XZ  mfc42.#540_??0CString@@QAE@XZ
100018E0   CALL <JMP.&mfc42.#2414_?DeleteObject@CGd  mfc42.#2414_?DeleteObject@CGdiObject@@QAEHXZ
100018EE   CALL DWORD PTR DS:[<&gdi32.CreatePen>]    GDI32.CreatePen
100018F9   CALL <JMP.&mfc42.#1641_?Attach@CGdiObjec  mfc42.#1641_?Attach@CGdiObject@@QAEHPAX@Z
10001905   CALL <JMP.&mfc42.#5787_?SelectObject@CDC  mfc42.#5788_?SelectObject@CDC@@QAEPAVCPen@@PAV2@@Z
10001920   CALL <JMP.&mfc42.#2818_?Format@CString@@  mfc42.#2818_?Format@CString@@QAAXPBDZZ
10001956   CALL <JMP.&mfc42.#2818_?Format@CString@@  mfc42.#2818_?Format@CString@@QAAXPBDZZ
10001986   CALL <JMP.&mfc42.#2818_?Format@CString@@  mfc42.#2818_?Format@CString@@QAAXPBDZZ
100019B9   CALL <JMP.&mfc42.#2818_?Format@CString@@  mfc42.#2818_?Format@CString@@QAAXPBDZZ
10001A2D   CALL <JMP.&msvcrt._ftol>                  msvcrt._ftol
10001A8F   CALL <JMP.&mfc42.#2818_?Format@CString@@  mfc42.#2818_?Format@CString@@QAAXPBDZZ
10001A9B   CALL <JMP.&msvcrt._ftol>                  msvcrt._ftol
10001AFD   CALL <JMP.&mfc42.#4297_?MoveTo@CDC@@QAE?  mfc42.#4297_?MoveTo@CDC@@QAE?AVCPoint@@HH@Z
10001B23   CALL <JMP.&mfc42.#4133_?LineTo@CDC@@QAEH  mfc42.#4133_?LineTo@CDC@@QAEHHH@Z
10001B46   CALL <JMP.&mfc42.#2818_?Format@CString@@  mfc42.#2818_?Format@CString@@QAAXPBDZZ
10001B9C   CALL <JMP.&mfc42.#2414_?DeleteObject@CGd  mfc42.#2414_?DeleteObject@CGdiObject@@QAEHXZ
10001BAA   CALL DWORD PTR DS:[<&gdi32.CreatePen>]    GDI32.CreatePen
10001BB5   CALL <JMP.&mfc42.#1641_?Attach@CGdiObjec  mfc42.#1641_?Attach@CGdiObject@@QAEHPAX@Z
10001BC1   CALL <JMP.&mfc42.#5787_?SelectObject@CDC  mfc42.#5788_?SelectObject@CDC@@QAEPAVCPen@@PAV2@@Z
10001BD6   CALL <JMP.&mfc42.#4297_?MoveTo@CDC@@QAE?  mfc42.#4297_?MoveTo@CDC@@QAE?AVCPoint@@HH@Z
10001BE3   CALL <JMP.&mfc42.#4133_?LineTo@CDC@@QAEH  mfc42.#4133_?LineTo@CDC@@QAEHHH@Z
10001BEC   CALL <JMP.&mfc42.#2414_?DeleteObject@CGd  mfc42.#2414_?DeleteObject@CGdiObject@@QAEHXZ
10001BFA   CALL DWORD PTR DS:[<&gdi32.CreatePen>]    GDI32.CreatePen
10001C05   CALL <JMP.&mfc42.#1641_?Attach@CGdiObjec  mfc42.#1641_?Attach@CGdiObject@@QAEHPAX@Z
10001C11   CALL <JMP.&mfc42.#5787_?SelectObject@CDC  mfc42.#5788_?SelectObject@CDC@@QAEPAVCPen@@PAV2@@Z
10001C3E   CALL DWORD PTR DS:[<&gdi32.Arc>]          GDI32.Arc
10001C66   CALL DWORD PTR DS:[<&gdi32.Arc>]          GDI32.Arc
10001C84   CALL DWORD PTR DS:[<&gdi32.Arc>]          GDI32.Arc
10001C8E   CALL <JMP.&mfc42.#2414_?DeleteObject@CGd  mfc42.#2414_?DeleteObject@CGdiObject@@QAEHXZ
10001C9C   CALL DWORD PTR DS:[<&gdi32.CreatePen>]    GDI32.CreatePen
10001CA7   CALL <JMP.&mfc42.#1641_?Attach@CGdiObjec  mfc42.#1641_?Attach@CGdiObject@@QAEHPAX@Z
10001CB3   CALL <JMP.&mfc42.#5787_?SelectObject@CDC  mfc42.#5788_?SelectObject@CDC@@QAEPAVCPen@@PAV2@@Z
10001CC7   CALL <JMP.&mfc42.#4297_?MoveTo@CDC@@QAE?  mfc42.#4297_?MoveTo@CDC@@QAE?AVCPoint@@HH@Z
10001CD7   CALL <JMP.&mfc42.#4133_?LineTo@CDC@@QAEH  mfc42.#4133_?LineTo@CDC@@QAEHHH@Z
10001D01   CALL <JMP.&mfc42.#800_??1CString@@QAE@XZ  mfc42.#800_??1CString@@QAE@XZ
10001D12   CALL <JMP.&mfc42.#800_??1CString@@QAE@XZ  mfc42.#800_??1CString@@QAE@XZ
10001D23   CALL <JMP.&mfc42.#800_??1CString@@QAE@XZ  mfc42.#800_??1CString@@QAE@XZ
10001D34   CALL <JMP.&mfc42.#800_??1CString@@QAE@XZ  mfc42.#800_??1CString@@QAE@XZ
10001D66   CALL <JMP.&mfc42.#5787_?SelectObject@CDC  mfc42.#5788_?SelectObject@CDC@@QAEPAVCPen@@PAV2@@Z
10001DBB   CALL DWORD PTR DS:[<&user32.InvertRect>]  USER32.InvertRect
10001E28   CALL DWORD PTR DS:[<&user32.InvertRect>]  USER32.InvertRect
10001E45   CALL <JMP.&mfc42.#2414_?DeleteObject@CGd  mfc42.#2414_?DeleteObject@CGdiObject@@QAEHXZ
10001E92   CALL <JMP.&mfc42.#825_??3@YAXPAX@Z>       mfc42.#825_??3@YAXPAX@Z
10002335   CALL DWORD PTR DS:[<&msvcrt.swprintf>]    msvcrt.swprintf
100023A9   CALL <JMP.&mfc42.#6467_??0AFX_MAINTAIN_S  mfc42.#6467_??0AFX_MAINTAIN_STATE2@@QAE@PAVAFX_MODULE_STATE@@@Z
100023CF   CALL <JMP.&mfc42.#1146_?AfxFindResourceH  mfc42.#1146_?AfxFindResourceHandle@@YGPAUHINSTANCE__@@PBD0@Z
100023D5   CALL DWORD PTR DS:[<&user32.LoadMenuA>]   USER32.LoadMenuA
100023E0   CALL <JMP.&mfc42.#1644_?Attach@CMenu@@QA  mfc42.#1644_?Attach@CMenu@@QAEHPAUHMENU__@@@Z
100023EB   CALL DWORD PTR DS:[<&user32.GetSubMenu>]  USER32.GetSubMenu
100023F2   CALL <JMP.&mfc42.#2863_?FromHandle@CMenu  mfc42.#2863_?FromHandle@CMenu@@SGPAV1@PAUHMENU__@@@Z
1000240E   CALL DWORD PTR DS:[<&user32.ClientToScre  USER32.ClientToScreen
1000243F   CALL <JMP.&mfc42.#6270_?TrackPopupMenu@C  mfc42.#6270_?TrackPopupMenu@CMenu@@QAEHIHHPAVCWnd@@PBUtagRECT@@@Z
10002518   CALL DWORD PTR DS:[<&user32.CheckMenuIte  USER32.CheckMenuItem
10002539   CALL DWORD PTR DS:[<&user32.CheckMenuIte  USER32.CheckMenuItem
10002616   CALL <JMP.&mfc42.#2438_?DestroyMenu@CMen  mfc42.#2438_?DestroyMenu@CMenu@@QAEHXZ
10002672   CALL <JMP.&mfc42.#6467_??0AFX_MAINTAIN_S  mfc42.#6467_??0AFX_MAINTAIN_STATE2@@QAE@PAVAFX_MODULE_STATE@@@Z
1000267F   CALL <JMP.&mfc42.#1168_?AfxGetModuleStat  mfc42.#1168_?AfxGetModuleState@@YGPAVAFX_MODULE_STATE@@XZ
10002710   CALL <JMP.&mfc42.#825_??3@YAXPAX@Z>       mfc42.#825_??3@YAXPAX@Z
1000274B   CALL <JMP.&mfc42.#2414_?DeleteObject@CGd  mfc42.#2414_?DeleteObject@CGdiObject@@QAEHXZ
1000279B   CALL <JMP.&mfc42.#2414_?DeleteObject@CGd  mfc42.#2414_?DeleteObject@CGdiObject@@QAEHXZ
100027D0   CALL <JMP.&mfc42.#825_??3@YAXPAX@Z>       mfc42.#825_??3@YAXPAX@Z
1000280B   CALL <JMP.&mfc42.#2438_?DestroyMenu@CMen  mfc42.#2438_?DestroyMenu@CMenu@@QAEHXZ
1000287B   CALL <JMP.&mfc42.#825_??3@YAXPAX@Z>       mfc42.#825_??3@YAXPAX@Z
100028C5   CALL <JMP.&mfc42.#561_??0CWinApp@@QAE@PB  mfc42.#561_??0CWinApp@@QAE@PBD@Z
100028E3   CALL 画线插件.10002900                        mfc42.#815_??1CWinApp@@UAE@XZ
100028F0   CALL <JMP.&mfc42.#825_??3@YAXPAX@Z>       mfc42.#825_??3@YAXPAX@Z
10002954   CALL <JMP.&mfc42.#3922_?InitApplication@  mfc42.#3922_?InitApplication@CWinApp@@UAEHXZ
10002991   CALL <JMP.&mfc42.#2725_?ExitInstance@CWi  mfc42.#2725_?ExitInstance@CWinApp@@UAEHXZ
100029FA   CALL <JMP.&mfc42.#6467_??0AFX_MAINTAIN_S  mfc42.#6467_??0AFX_MAINTAIN_STATE2@@QAE@PAVAFX_MODULE_STATE@@@Z
100029FF   CALL <JMP.&mfc42.#1168_?AfxGetModuleStat  mfc42.#1168_?AfxGetModuleState@@YGPAVAFX_MODULE_STATE@@XZ
10002A15   CALL <JMP.&mfc42.#1168_?AfxGetModuleStat  mfc42.#1168_?AfxGetModuleState@@YGPAVAFX_MODULE_STATE@@XZ
10002A50   CALL <JMP.&mfc42.#823_??2@YAPAXI@Z>       mfc42.#823_??2@YAPAXI@Z
10002ABD   CALL <JMP.&mfc42.#6467_??0AFX_MAINTAIN_S  mfc42.#6467_??0AFX_MAINTAIN_STATE2@@QAE@PAVAFX_MODULE_STATE@@@Z
10002B3D   CALL DWORD PTR DS:[<&msvcp60.?_Tidy@?$ba  msvcp60.?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z
10002B5C   CALL DWORD PTR DS:[<&msvcp60.?assign@?$b  msvcp60.?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
10002B6B   CALL DWORD PTR DS:[<&msvcp60.??0out_of_r  msvcp60.??0out_of_range@std@@QAE@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@1@@Z
10002B7B   CALL <JMP.&msvcrt._CxxThrowException>     msvcrt._CxxThrowException
10002C19   CALL <JMP.&mfc42.#823_??2@YAPAXI@Z>       mfc42.#823_??2@YAPAXI@Z
10002C99   CALL <JMP.&mfc42.#825_??3@YAXPAX@Z>       mfc42.#825_??3@YAXPAX@Z
10002DF4   CALL DWORD PTR DS:[<&msvcrt._vsnprintf>]  msvcrt._vsnprintf
10002E02   CALL DWORD PTR DS:[<&kernel32.GetLocalTi  kernel32.GetLocalTime
10002E4F   CALL DWORD PTR DS:[<&msvcrt.sprintf>]     msvcrt.sprintf
10002E60   CALL DWORD PTR DS:[<&kernel32.OutputDebu  kernel32.OutputDebugStringA
10003001   CALL <JMP.&mfc42.#269_??0AFX_MODULE_STAT  mfc42.#269_??0AFX_MODULE_STATE@@QAE@HP6GJPAUHWND__@@IIJ@ZK@Z
10003013   CALL 画线插件.1000302B                        mfc42.#600_??1AFX_MODULE_STATE@@UAE@XZ
10003020   CALL <JMP.&mfc42.#826_??3CNoTrackObject@  mfc42.#826_??3CNoTrackObject@@SGXPAX@Z
1000305A   CALL <JMP.&mfc42.#6467_??0AFX_MAINTAIN_S  mfc42.#6467_??0AFX_MAINTAIN_STATE2@@QAE@PAVAFX_MODULE_STATE@@@Z
1000306F   CALL <JMP.&mfc42.#1578_?AfxWndProc@@YGJP  mfc42.#1578_?AfxWndProc@@YGJPAUHWND__@@IIJ@Z
100030A8   CALL <JMP.&mfc42.#1116_?AfxCoreInitModul  mfc42.#1116_?AfxCoreInitModule@@YGXXZ
100030AD   CALL <JMP.&mfc42.#1176_?AfxGetThreadStat  mfc42.#1176_?AfxGetThreadState@@YGPAV_AFX_THREAD_STATE@@XZ
100030C1   CALL <JMP.&mfc42.#1575_?AfxWinInit@@YGHP  mfc42.#1575_?AfxWinInit@@YGHPAUHINSTANCE__@@0PADH@Z
100030CA   CALL <JMP.&mfc42.#1168_?AfxGetModuleStat  mfc42.#1168_?AfxGetModuleState@@YGPAVAFX_MODULE_STATE@@XZ
100030E8   CALL <JMP.&mfc42.#1577_?AfxWinTerm@@YGXX  mfc42.#1577_?AfxWinTerm@@YGXXZ
100030FB   CALL <JMP.&mfc42.#1182_?AfxInitExtension  mfc42.#1182_?AfxInitExtensionModule@@YGHAAUAFX_EXTENSION_MODULE@@PAUHINSTANCE__@@@Z
10003102   CALL <JMP.&mfc42.#823_??2@YAPAXI@Z>       mfc42.#823_??2@YAPAXI@Z
10003111   CALL <JMP.&mfc42.#342_??0CDynLinkLibrary  mfc42.#342_??0CDynLinkLibrary@@QAE@AAUAFX_EXTENSION_MODULE@@H@Z
10003120   CALL <JMP.&mfc42.#1176_?AfxGetThreadStat  mfc42.#1176_?AfxGetThreadState@@YGPAV_AFX_THREAD_STATE@@XZ
10003128   CALL <JMP.&mfc42.#1243_?AfxSetModuleStat  mfc42.#1243_?AfxSetModuleState@@YGPAVAFX_MODULE_STATE@@PAV1@@Z
1000313F   CALL <JMP.&mfc42.#1243_?AfxSetModuleStat  mfc42.#1243_?AfxSetModuleState@@YGPAVAFX_MODULE_STATE@@PAV1@@Z
10003146   CALL <JMP.&mfc42.#1176_?AfxGetThreadStat  mfc42.#1176_?AfxGetThreadState@@YGPAV_AFX_THREAD_STATE@@XZ
1000314E   CALL <JMP.&mfc42.#1168_?AfxGetModuleStat  mfc42.#1168_?AfxGetModuleState@@YGPAVAFX_MODULE_STATE@@XZ
10003161   CALL <JMP.&mfc42.#1197_?AfxLockTempMaps@  mfc42.#1197_?AfxLockTempMaps@@YGXXZ
10003168   CALL <JMP.&mfc42.#1570_?AfxUnlockTempMap  mfc42.#1570_?AfxUnlockTempMaps@@YGHH@Z
1000316D   CALL <JMP.&mfc42.#1577_?AfxWinTerm@@YGXX  mfc42.#1577_?AfxWinTerm@@YGXXZ
10003179   CALL <JMP.&mfc42.#1253_?AfxTermExtension  mfc42.#1253_?AfxTermExtensionModule@@YGXAAUAFX_EXTENSION_MODULE@@H@Z
1000318E   CALL <JMP.&mfc42.#6467_??0AFX_MAINTAIN_S  mfc42.#6467_??0AFX_MAINTAIN_STATE2@@QAE@PAVAFX_MODULE_STATE@@@Z
10003193   CALL <JMP.&mfc42.#1197_?AfxLockTempMaps@  mfc42.#1197_?AfxLockTempMaps@@YGXXZ
1000319A   CALL <JMP.&mfc42.#1570_?AfxUnlockTempMap  mfc42.#1570_?AfxUnlockTempMaps@@YGHH@Z
100031A2   CALL <JMP.&mfc42.#1255_?AfxTermThread@@Y  mfc42.#1255_?AfxTermThread@@YGXPAUHINSTANCE__@@@Z
100031C6   CALL DWORD PTR DS:[<&kernel32.LocalAlloc  kernel32.LocalAlloc
100031D2   CALL DWORD PTR DS:[<&kernel32.LocalFree>  kernel32.LocalFree
100031D8   CALL <JMP.&mfc42.#1176_?AfxGetThreadStat  mfc42.#1176_?AfxGetThreadState@@YGPAV_AFX_THREAD_STATE@@XZ
100031E4   CALL <JMP.&mfc42.#1243_?AfxSetModuleStat  mfc42.#1243_?AfxSetModuleState@@YGPAVAFX_MODULE_STATE@@PAV1@@Z
100031F6   CALL <JMP.&mfc42.#1176_?AfxGetThreadStat  mfc42.#1176_?AfxGetThreadState@@YGPAV_AFX_THREAD_STATE@@XZ
100031FE   CALL <JMP.&mfc42.#1243_?AfxSetModuleStat  mfc42.#1243_?AfxSetModuleState@@YGPAVAFX_MODULE_STATE@@PAV1@@Z
10003229   CALL DWORD PTR DS:[<&msvcrt._onexit>]     msvcrt._onexit
1000323F   CALL <JMP.&msvcrt.__dllonexit>            msvcrt.__dllonexit
10003263   CALL <JMP.&msvcrt.??1type_info@@UAE@XZ>   msvcrt.??1type_info@@UAE@XZ
10003270   CALL <JMP.&mfc42.#825_??3@YAXPAX@Z>       mfc42.#825_??3@YAXPAX@Z
100032ED   CALL DWORD PTR DS:[<&msvcrt.malloc>]      msvcrt.malloc
10003318   CALL <JMP.&msvcrt._initterm>              msvcrt._initterm
10003355   CALL DWORD PTR DS:[<&msvcrt.free>]        msvcrt.free

The BP command won't break. Could everyone take a look for me?
2016-6-1 17:24
#5
Could an expert please take a look at which BP breakpoint would break here? This should be a CRC32 self-check.
2016-6-3 13:35
#6
I'm a newbie and have only just started learning unpacking; I don't know how to do the memory stuff yet.
Now I'm starting to learn about self-checks.
2016-6-3 16:06