[Help] A question about manually unpacking .NET Reactor (4.5-4.7); looking for guidance from the experts.
Posted: 2018-1-17 12:05
The whole installer is a bit large (over 1 GB), so I won't upload all of it; I'll just upload the main program.
I am following this post (https://forum.tuts4you.com/topic/36587-crackmenet-reactor-modded/).
Original text:
Finding The Embedded Resource Name (look through the PE's resources; Restorator is enough for this; locate the RCDATA and find "__")
Open the crackme in your favorite PE browser.
Locate RCDATA and find the main resource. In this case it is "__"
Dumping The "Real" Executable (dump the executable: locate the decrypted resource via SafeArrayAccessData, or by searching for the string "__", then dump the executable)
Open the crackme in OllyDbg.
Find all string references and look for the resource name we just found. In this case: Cra'ckMe.0041B280 ; UNICODE "___"
Follow the reference into the code.
Scroll down and locate the calls to 'SafeArrayCreate' and 'SafeArrayAccessData'. These are the important calls we want to find.
We want to set a breakpoint on the call after SafeArrayAccessData. (See code below)
Once the break is hit, step over the call.
Follow EAX in the dump window. This is the executable decrypted from the "__" resource.
Save the memory region, do any fixes needed based on how you save the region etc.
You should now have the real executable.
Dumping The "Real" Real Executable
Open the new file you dumped in a .NET disassembler such as ILSpy.
View the file's managed resources and save the resource '_' in this case, to disk as a new executable.
This new file is the real obfuscated crackme file fully removed from the loaders.
After this point I stopped, the file does a lot of suspicious things so I didn't bother continuing.
Then I used the API SafeArrayUnaccessData to locate it, and it breaks here.
My English isn't good and I'm a reversing newbie; could an expert point me in the right direction? What should I do next?
If any expert is willing to spend the time making a video tutorial, I'd be even more grateful.
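As an added example (not part of this post or of the Tuts4You write-up it quotes), the "fixes needed based on how you save the region" step usually means realigning the section table: a region saved straight out of memory has every section at its VirtualAddress, not at its on-disk PointerToRawData, so ILSpy or a PE loader will read the wrong bytes until the raw fields are rewritten. The script below does that rewrite and demonstrates it on a constructed, headers-only PE32 image; the section names and numbers in `build_sample_pe` are made up for the demo.

```python
import struct

def _section_table(data):
    """Validate the MZ/PE headers and return (offset of first section header, NumberOfSections)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE: missing MZ signature")
    pe = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE: missing PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]  # SizeOfOptionalHeader
    return pe + 24 + opt_size, nsec

def sections(data):
    """List (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData) per section."""
    table, nsec = _section_table(data)
    out = []
    for off in range(table, table + nsec * 40, 40):        # section headers are 40 bytes each
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        out.append((name,) + struct.unpack_from("<IIII", data, off + 8))
    return out

def fix_dumped_pe(data):
    """Realign a memory dump for loading from disk: each section's raw offset and size
    become its virtual address and size, because that is where the bytes sit in the dump."""
    buf = bytearray(data)
    table, nsec = _section_table(buf)
    for off in range(table, table + nsec * 40, 40):
        vsize, va = struct.unpack_from("<II", buf, off + 8)
        struct.pack_into("<II", buf, off + 16, vsize, va)  # SizeOfRawData, PointerToRawData
    return bytes(buf)

def build_sample_pe():
    """Constructed stand-in for a dumped image: PE32 headers only, two sections whose raw
    fields still hold on-disk values (every number here is made up for the demo)."""
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)               # e_lfanew
    hdr[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", hdr, 0x84, 0x14C, 2)          # Machine (i386), NumberOfSections
    struct.pack_into("<H", hdr, 0x94, 0xE0)               # SizeOfOptionalHeader for PE32
    table = 0x80 + 24 + 0xE0
    demo = [(b".text", 0x1000, 0x2000, 0x600, 0x400), (b".rsrc", 0x800, 0x4000, 0x200, 0xA00)]
    for i, (name, vsize, va, rawsize, rawptr) in enumerate(demo):
        off = table + i * 40
        hdr[off:off + 8] = name.ljust(8, b"\0")
        struct.pack_into("<IIII", hdr, off + 8, vsize, va, rawsize, rawptr)
    return bytes(hdr)
```

Run `fix_dumped_pe` over the saved region's bytes and write the result to disk before opening it in ILSpy; if the dump was taken with a tool that already realigns sections, the function is a no-op.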