I used the method described in "Armadillo V4.X CopyMem-II unpacking: 魔法转换 (Magic Converter) V4.0 release" to unpack.
1. Find the OEP + decode and dump
BP WaitForDebugEvent
Press F9; while running it breaks here:
0012D98C 00503335 /CALL to WriteProcessMemory from SD5000Se.0050332F
0012D990 0000004C |hProcess = 0000004C (window)
0012D994 0050ECF3 |Address = 50ECF3
0012D998 0012DC7C |Buffer = 0012DC7C
0012D99C 00000002 |BytesToWrite = 2
0012D9A0 0012DC80 \pBytesWritten = 0012DC80
F9
0012D98C 0050335D /CALL to WriteProcessMemory from SD5000Se.00503357
0012D990 0000004C |hProcess = 0000004C (window)
0012D994 0050ECF3 |Address = 50ECF3
0012D998 0053A29C |Buffer = SD5000Se.0053A29C
0012D99C 00000002 |BytesToWrite = 2
0012D9A0 0012DC80 \pBytesWritten = 0012DC80
0012D9A4 0012F234 UNICODE "32.dll"
F9
0012DC8C 004FEE36 /CALL to WaitForDebugEvent from SD5000Se.004FEE30
0012DC90 0012ED7C |pDebugEvent = 0012ED7C
0012DC94 000003E8 \Timeout = 1000. ms
0012DC98 7C930738 ntdll.7C930738
Then set a breakpoint: BP WriteProcessMemory
F9
This seems to differ from what the article describes, and I don't know how to proceed! Hoping an expert can give some pointers!
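When tracing a CopyMem-II style protector this way, the OllyDbg stack window fills up with WriteProcessMemory frames, and the interesting question is which addresses in the child are being written, how many bytes, and from where. The following is an added example (not code from the post above, nor from the Magic Converter tutorial it refers to) that parses stack-window dumps of the kind quoted in the post and summarises the writes. The sample input is constructed from the three dumps above with OllyDbg's Chinese "到"/"来自" labels rendered as "to"/"from"; both spellings are accepted. The argument values are taken from the raw dword in the second column, not from the trailing comment, so the "(window)" and "1000. ms" decorations are ignored.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the three stack-window dumps quoted in the post.
SAMPLE = "\n".join([
    "0012D98C 00503335 /CALL to WriteProcessMemory from SD5000Se.0050332F",
    "0012D990 0000004C |hProcess = 0000004C (window)",
    "0012D994 0050ECF3 |Address = 50ECF3",
    "0012D998 0012DC7C |Buffer = 0012DC7C",
    "0012D99C 00000002 |BytesToWrite = 2",
    r"0012D9A0 0012DC80 \pBytesWritten = 0012DC80",
    "0012D98C 0050335D /CALL to WriteProcessMemory from SD5000Se.00503357",
    "0012D990 0000004C |hProcess = 0000004C (window)",
    "0012D994 0050ECF3 |Address = 50ECF3",
    "0012D998 0053A29C |Buffer = SD5000Se.0053A29C",
    "0012D99C 00000002 |BytesToWrite = 2",
    r"0012D9A0 0012DC80 \pBytesWritten = 0012DC80",
    '0012D9A4 0012F234 UNICODE "32.dll"',
    "0012DC8C 004FEE36 /CALL to WaitForDebugEvent from SD5000Se.004FEE30",
    "0012DC90 0012ED7C |pDebugEvent = 0012ED7C",
    r"0012DC94 000003E8 \Timeout = 1000. ms",
    "0012DC98 7C930738 ntdll.7C930738",
])

# "/CALL to <api> from <module.addr>" opens one call frame. The English and
# the Chinese OllyDbg labels are both accepted.
CALL_RE = re.compile(
    r"^[0-9A-F]{8}\s+[0-9A-F]{8}\s+/CALL (?:to|到) (\w+) (?:from|来自) (\S+)")
# "|name = value" is an argument, "\name = value" is the last argument.
# Group 1 is the raw stack dword, which is what we keep as the value.
ARG_RE = re.compile(r"^[0-9A-F]{8}\s+([0-9A-F]{8})\s+([|\\])(\w+) = ")


@dataclass
class ApiCall:
    api: str
    caller: str                      # e.g. "SD5000Se.0050332F"
    args: Dict[str, int] = field(default_factory=dict)


def parse_stack(text: str) -> List[ApiCall]:
    """Turn stack-window text into a list of API call frames."""
    calls: List[ApiCall] = []
    current: Optional[ApiCall] = None
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if m:
            current = ApiCall(api=m.group(1), caller=m.group(2))
            calls.append(current)
            continue
        m = ARG_RE.match(line)
        if m and current is not None:
            raw, marker, name = m.groups()
            current.args[name] = int(raw, 16)
            if marker == "\\":       # last argument closes the frame
                current = None
        # anything else (stray stack slots, strings) is ignored
    return calls


def writes_to_child(calls: List[ApiCall]) -> List[Tuple[int, int, int]]:
    """(target address, byte count, source buffer) for every WriteProcessMemory."""
    return [(c.args["Address"], c.args["BytesToWrite"], c.args["Buffer"])
            for c in calls if c.api == "WriteProcessMemory"]


def written_ranges(calls: List[ApiCall]) -> List[Tuple[int, int]]:
    """Merge all written byte ranges in the child into sorted, non-overlapping spans."""
    spans = sorted((addr, addr + n - 1) for addr, n, _ in writes_to_child(calls) if n > 0)
    merged: List[Tuple[int, int]] = []
    for start, end in spans:
        if merged and start <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


if __name__ == "__main__":
    parsed = parse_stack(SAMPLE)
    for c in parsed:
        print(f"{c.api} from {c.caller}: "
              + ", ".join(f"{k}={v:08X}" for k, v in c.args.items()))
    for start, end in written_ranges(parsed):
        print(f"child written: {start:08X}-{end:08X}")
```

Feed it a whole run trace (copy the stack window into a text file each time the breakpoint hits) and the merged ranges show which pages of the child have been rewritten so far, which is the information you need before deciding when to dump.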