An unusual Armadillo 3.00a shell
2004-7-14 12:06 5034

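JobMaster, from mindleads, is a powerful task scheduler with a built-in converter and file-copy functions. It can automatically convert the WinWord, Excel, PowerPoint, Text and HTML files in an entire directory tree into more than 40 file formats, and convert freely between formats. Download: http://download.mindleads.com/jobmaster/JobMaster250.exe
PEiD identifies its shell as Armadillo 3.00a - 3.20 -> Silicon Realms Toolworks, and FI301 identifies it as Armadillo 3.00a. dillodumper cannot unpack it. I searched through every Armadillo unpacking article on the Kanxue forum and on Baicai and tried to imitate them, but got nowhere (I must be too dumb). In odbg109 I set the breakpoints BP VirtualProtect; bp WaitForDebugEvent; bp WriteProcessMemory; bp IsDebuggerPresent, and none of them triggered. I set the debugging options to ignore single-step breaks, ran with F9, and after skipping 2 exceptions with SHIFT+F9 the program simply terminated, leaving me no chance to do anything. I would appreciate pointers from FLY and the other unpacking experts; I bow in thanks here, and will hold off on kneeling naked on my keyboard for now. So frustrated. Why won't it break?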

Latest replies (3)
rename 1 2004-7-14 12:07
2
0
Why did the URL turn into an ellipsis? Posting it again:
http://download.mindleads.com/jobmaster/JobMaster250.exe
fxyang 20 2004-7-15 11:52
3
0
It should have been packed with Arm version 3.61. It is a VB program; look at the entry point:
00405BE0  JMP DWORD PTR DS:[<&msvbvm60.__vbaChkstk>; msvbvm60.__vbaChkstk
00405BE6  JMP DWORD PTR DS:[<&msvbvm60.__vbaExcept>; msvbvm60.__vbaExceptHandler
00405BEC  JMP DWORD PTR DS:[<&msvbvm60.__vbaFPExce>; msvbvm60.__vbaFPException
00405BF2  JMP DWORD PTR DS:[<&msvbvm60._adj_fdiv_m>; msvbvm60._adj_fdiv_m16i
00405BF8  JMP DWORD PTR DS:[<&msvbvm60._adj_fdiv_m>; msvbvm60._adj_fdiv_m32
00405BFE  JMP DWORD PTR DS:[<&msvbvm60._adj_fdiv_m>; msvbvm60._adj_fdiv_m32i
00405C04  JMP DWORD PTR DS:[<&msvbvm60._adj_fdiv_m>; msvbvm60._adj_fdiv_m64
00405C0A  JMP DWORD PTR DS:[<&msvbvm60._adj_fdiv_r>; msvbvm60._adj_fdiv_r
00405C10  JMP DWORD PTR DS:[<&msvbvm60._adj_fdivr_>; msvbvm60._adj_fdivr_m16i
00405C16  JMP DWORD PTR DS:[<&msvbvm60._adj_fdivr_>; msvbvm60._adj_fdivr_m32
00405C1C  JMP DWORD PTR DS:[<&msvbvm60._adj_fdivr_>; msvbvm60._adj_fdivr_m32i
00405C22  JMP DWORD PTR DS:[<&msvbvm60._adj_fdivr_>; msvbvm60._adj_fdivr_m64
00405C28  JMP DWORD PTR DS:[<&msvbvm60._adj_fpatan>; msvbvm60._adj_fpatan
00405C2E  JMP DWORD PTR DS:[<&msvbvm60._adj_fprem>>; msvbvm60._adj_fprem
00405C34  JMP DWORD PTR DS:[<&msvbvm60._adj_fprem1>; msvbvm60._adj_fprem1
00405C3A  JMP DWORD PTR DS:[<&msvbvm60._adj_fptan>>; msvbvm60._adj_fptan
00405C40  JMP DWORD PTR DS:[<&msvbvm60._CIatan>]   ; msvbvm60._CIatan
00405C46  JMP DWORD PTR DS:[<&msvbvm60._CIcos>]    ; msvbvm60._CIcos
00405C4C  JMP DWORD PTR DS:[<&msvbvm60._CIexp>]    ; msvbvm60._CIexp
00405C52  JMP DWORD PTR DS:[<&msvbvm60._CIlog>]    ; msvbvm60._CIlog
00405C58  JMP DWORD PTR DS:[<&msvbvm60._CIsin>]    ; msvbvm60._CIsin
00405C5E  JMP DWORD PTR DS:[<&msvbvm60._CIsqrt>]   ; msvbvm60._CIsqrt
00405C64  JMP DWORD PTR DS:[<&msvbvm60._CItan>]    ; msvbvm60._CItan
00405C6A  JMP DWORD PTR DS:[<&msvbvm60._allmul>]   ; msvbvm60._allmul
00405C70  JMP DWORD PTR DS:[<&msvbvm60.DllFunction>; msvbvm60.DllFunctionCall
00405C76  JMP DWORD PTR DS:[<&msvbvm60.__vbaAryDes>; msvbvm60.__vbaAryDestruct
00405C7C  JMP DWORD PTR DS:[<&msvbvm60.rtcDateDiff>; msvbvm60.rtcDateDiff
00405C82  JMP DWORD PTR DS:[<&msvbvm60.__vbaExitPr>; msvbvm60.__vbaExitProc
00405C88  JMP DWORD PTR DS:[<&msvbvm60.rtcErrObj>] ; msvbvm60.rtcErrObj
00405C8E  JMP DWORD PTR DS:[<&msvbvm60.rtcBstrFrom>; msvbvm60.rtcBstrFromAnsi
00405C94  JMP DWORD PTR DS:[<&msvbvm60.__vbaR4Var>>; msvbvm60.__vbaR4Var
00405C9A  JMP DWORD PTR DS:[<&msvbvm60.__vbaCastOb>; msvbvm60.__vbaCastObj
00405CA0  JMP DWORD PTR DS:[<&msvbvm60.__vbaI2Var>>; msvbvm60.__vbaI2Var
00405CA6  JMP DWORD PTR DS:[<&msvbvm60.rtcGetDateV>; msvbvm60.rtcGetDateVar
00405CAC  JMP DWORD PTR DS:[<&msvbvm60.__vbaVarCat>; msvbvm60.__vbaVarCat
00405CB2  JMP DWORD PTR DS:[<&msvbvm60.rtcGetPrese>; msvbvm60.rtcGetPresentDate
00405CB8  JMP DWORD PTR DS:[<&msvbvm60.rtcDateAdd>>; msvbvm60.rtcDateAdd
00405CBE  JMP DWORD PTR DS:[<&msvbvm60.__vbaStrI4>>; msvbvm60.__vbaStrI4
00405CC4  JMP DWORD PTR DS:[<&msvbvm60.__vbaI2Str>>; msvbvm60.__vbaI2Str
00405CCA  JMP DWORD PTR DS:[<&msvbvm60.rtcRightCha>; msvbvm60.rtcRightCharBstr
00405CD0  JMP DWORD PTR DS:[<&msvbvm60.rtcMsgBox>] ; msvbvm60.rtcMsgBox
00405CD6  JMP DWORD PTR DS:[<&msvbvm60.__vbaStrCmp>; msvbvm60.__vbaStrCmp
00405CDC  JMP DWORD PTR DS:[<&msvbvm60.__vbaUbound>; msvbvm60.__vbaUbound
00405CE2  JMP DWORD PTR DS:[<&msvbvm60.__vbaAryCon>; msvbvm60.__vbaAryConstruct2
00405CE8  JMP DWORD PTR DS:[<&msvbvm60.__vbaObjSet>; msvbvm60.__vbaObjSetAddref
00405CEE  JMP DWORD PTR DS:[<&msvbvm60.__vbaStrVar>; msvbvm60.__vbaStrVarMove
00405CF4  JMP DWORD PTR DS:[<&msvbvm60.__vbaLateId>; msvbvm60.__vbaLateIdCall
00405CFA  JMP DWORD PTR DS:[<&msvbvm60.__vbaRecDes>; msvbvm60.__vbaRecDestruct
00405D00  JMP DWORD PTR DS:[<&msvbvm60.rtcLeftChar>; msvbvm60.rtcLeftCharBstr
00405D06  JMP DWORD PTR DS:[<&msvbvm60.__vbaStrToU>; msvbvm60.__vbaStrToUnicode
00405D0C  JMP DWORD PTR DS:[<&msvbvm60.__vbaStrToA>; msvbvm60.__vbaStrToAnsi
00405D12  JMP DWORD PTR DS:[<&msvbvm60.rtcSpaceBst>; msvbvm60.rtcSpaceBstr
00405D18  JMP DWORD PTR DS:[<&msvbvm60.__vbaRecDes>; msvbvm60.__vbaRecDestructAnsi
00405D1E  JMP DWORD PTR DS:[<&msvbvm60.__vbaRecAns>; msvbvm60.__vbaRecAnsiToUni
00405D24  JMP DWORD PTR DS:[<&msvbvm60.__vbaRecUni>; msvbvm60.__vbaRecUniToAnsi
00405D2A  JMP DWORD PTR DS:[<&msvbvm60.__vbaErrorO>; msvbvm60.__vbaErrorOverflow
00405D30  JMP DWORD PTR DS:[<&msvbvm60.__vbaRedimP>; msvbvm60.__vbaRedimPreserve
00405D36  JMP DWORD PTR DS:[<&msvbvm60.rtcTrimBstr>; msvbvm60.rtcTrimBstr
00405D3C  JMP DWORD PTR DS:[<&msvbvm60.__vbaFreeVa>; msvbvm60.__vbaFreeVarList
00405D42  JMP DWORD PTR DS:[<&msvbvm60.__vbaAryUnl>; msvbvm60.__vbaAryUnlock
00405D48  JMP DWORD PTR DS:[<&msvbvm60.__vbaAryLoc>; msvbvm60.__vbaAryLock
00405D4E  JMP DWORD PTR DS:[<&msvbvm60.__vbaVarDup>; msvbvm60.__vbaVarDup
00405D54  JMP DWORD PTR DS:[<&msvbvm60.rtcBstrFrom>; msvbvm60.rtcBstrFromFormatVar
00405D5A  JMP DWORD PTR DS:[<&msvbvm60.__vbaLateId>; msvbvm60.__vbaLateIdSt
00405D60  JMP DWORD PTR DS:[<&msvbvm60.__vbaStrI2>>; msvbvm60.__vbaStrI2
00405D66  JMP DWORD PTR DS:[<&msvbvm60.__vbaStrR4>>; msvbvm60.__vbaStrR4
00405D6C  JMP DWORD PTR DS:[<&msvbvm60.__vbaInStr>>; msvbvm60.__vbaInStr
00405D72  JMP DWORD PTR DS:[<&msvbvm60.__vbaGenera>; msvbvm60.__vbaGenerateBoundsError
00405D78  JMP DWORD PTR DS:[<&msvbvm60.__vbaFreeSt>; msvbvm60.__vbaFreeStrList
00405D7E  JMP DWORD PTR DS:[<&msvbvm60.__vbaStrCat>; msvbvm60.__vbaStrCat
00405D84  JMP DWORD PTR DS:[<&msvbvm60.__vbaFreeSt>; msvbvm60.__vbaFreeStr
00405D8A  JMP DWORD PTR DS:[<&msvbvm60.__vbaFreeVa>; msvbvm60.__vbaFreeVar
00405D90  JMP DWORD PTR DS:[<&msvbvm60.__vbaNew2>] ; msvbvm60.__vbaNew2
00405D96  JMP DWORD PTR DS:[<&msvbvm60.__vbaLateId>; msvbvm60.__vbaLateIdCallLd
00405D9C  JMP DWORD PTR DS:[<&msvbvm60.__vbaCastOb>; msvbvm60.__vbaCastObjVar
00405DA2  JMP DWORD PTR DS:[<&msvbvm60.__vbaI2I4>] ; msvbvm60.__vbaI2I4
00405DA8  JMP DWORD PTR DS:[<&msvbvm60.__vbaLenBst>; msvbvm60.__vbaLenBstr
00405DAE  JMP DWORD PTR DS:[<&msvbvm60.__vbaStrMov>; msvbvm60.__vbaStrMove
00405DB4  JMP DWORD PTR DS:[<&msvbvm60.__vbaStrCop>; msvbvm60.__vbaStrCopy
00405DBA  JMP DWORD PTR DS:[<&msvbvm60.__vbaFreeOb>; msvbvm60.__vbaFreeObjList
00405DC0  JMP DWORD PTR DS:[<&msvbvm60.__vbaFreeOb>; msvbvm60.__vbaFreeObj
00405DC6  JMP DWORD PTR DS:[<&msvbvm60.__vbaObjSet>; msvbvm60.__vbaObjSet
00405DCC  JMP DWORD PTR DS:[<&msvbvm60.__vbaFpI2>] ; msvbvm60.__vbaFpI2
00405DD2  JMP DWORD PTR DS:[<&msvbvm60.__vbaHresul>; msvbvm60.__vbaHresultCheckObj
00405DD8  JMP DWORD PTR DS:[<&msvbvm60.__vbaSetSys>; msvbvm60.__vbaSetSystemError
00405DDE  JMP DWORD PTR DS:[<&msvbvm60.__vbaOnErro>; msvbvm60.__vbaOnError
00405DE4  JMP DWORD PTR DS:[<&msvbvm60.__vbaExitEa>; msvbvm60.__vbaExitEachColl
00405DEA  JMP DWORD PTR DS:[<&msvbvm60.VarPtr>]    ; msvbvm60.VarPtr
00405DF0  JMP DWORD PTR DS:[<&msvbvm60.rtcAppActiv>; msvbvm60.rtcAppActivate
00405DF6  JMP DWORD PTR DS:[<&msvbvm60.rtcLowerCas>; msvbvm60.rtcLowerCaseBstr
00405DFC  JMP DWORD PTR DS:[<&msvbvm60.rtcVarBstrF>; msvbvm60.rtcVarBstrFromAnsi
00405E02  JMP DWORD PTR DS:[<&msvbvm60.__vbaInStrV>; msvbvm60.__vbaInStrVar
00405E08  JMP DWORD PTR DS:[<&msvbvm60.rtcDoEvents>; msvbvm60.rtcDoEvents
00405E0E  JMP DWORD PTR DS:[<&msvbvm60.__vbaCyMulI>; msvbvm60.__vbaCyMulI2
00405E14  JMP DWORD PTR DS:[<&msvbvm60.__vbaFixstr>; msvbvm60.__vbaFixstrConstruct
00405E1A  JMP DWORD PTR DS:[<&msvbvm60.__vbaLsetFi>; msvbvm60.__vbaLsetFixstrFree
00405E20  JMP DWORD PTR DS:[<&msvbvm60.__vbaFPInt>>; msvbvm60.__vbaFPInt
00405E26  JMP DWORD PTR DS:[<&msvbvm60.rtcRandomNe>; msvbvm60.rtcRandomNext
00405E2C  JMP DWORD PTR DS:[<&msvbvm60.rtcRandomiz>; msvbvm60.rtcRandomize
00405E32  JMP DWORD PTR DS:[<&msvbvm60.rtcHexBstrF>; msvbvm60.rtcHexBstrFromVar
00405E38  JMP DWORD PTR DS:[<&msvbvm60.__vbaErase>>; msvbvm60.__vbaErase
00405E3E  JMP DWORD PTR DS:[<&msvbvm60.rtcStrConvV>; msvbvm60.rtcStrConvVar2
00405E44  JMP DWORD PTR DS:[<&msvbvm60.__vbaVar2Ve>; msvbvm60.__vbaVar2Vec
00405E4A  JMP DWORD PTR DS:[<&msvbvm60.__vbaAryMov>; msvbvm60.__vbaAryMove
00405E50  JMP DWORD PTR DS:[<&msvbvm60.rtcR8ValFro>; msvbvm60.rtcR8ValFromBstr
00405E56  JMP DWORD PTR DS:[<&msvbvm60.__vbaFpI4>] ; msvbvm60.__vbaFpI4
00405E5C  JMP DWORD PTR DS:[<&msvbvm60.__vbaUI1I4>>; msvbvm60.__vbaUI1I4
00405E62  JMP DWORD PTR DS:[<&msvbvm60.rtcFileCopy>; msvbvm60.rtcFileCopy
00405E68  JMP DWORD PTR DS:[<&msvbvm60.rtcEndOfFil>; msvbvm60.rtcEndOfFile
00405E6E  JMP DWORD PTR DS:[<&msvbvm60.__vbaLineIn>; msvbvm60.__vbaLineInputStr
00405E74  JMP DWORD PTR DS:[<&msvbvm60.rtcFileLen>>; msvbvm60.rtcFileLen
00405E7A  JMP DWORD PTR DS:[<&msvbvm60.__vbaFileCl>; msvbvm60.__vbaFileClose
00405E80  JMP DWORD PTR DS:[<&msvbvm60.__vbaPrintF>; msvbvm60.__vbaPrintFile
00405E86  JMP DWORD PTR DS:[<&msvbvm60.__vbaFileOp>; msvbvm60.__vbaFileOpen
00405E8C  JMP DWORD PTR DS:[<&msvbvm60.__vbaStrErr>; msvbvm60.__vbaStrErrVarCopy
00405E92  JMP DWORD PTR DS:[<&msvbvm60.rtcGetTimeV>; msvbvm60.rtcGetTimeVar
00405E98  JMP DWORD PTR DS:[<&msvbvm60.rtcFreeFile>; msvbvm60.rtcFreeFile
00405E9E  JMP DWORD PTR DS:[<&msvbvm60.rtcStrFromV>; msvbvm60.rtcStrFromVar
00405EA4  JMP DWORD PTR DS:[<&msvbvm60.rtcPackDate>; msvbvm60.rtcPackDate
00405EAA  JMP DWORD PTR DS:[<&msvbvm60.__vbaLsetFi>; msvbvm60.__vbaLsetFixstr
00405EB0  JMP DWORD PTR DS:[<&msvbvm60.__vbaStrFix>; msvbvm60.__vbaStrFixstr
00405EB6  JMP DWORD PTR DS:[<&msvbvm60.__vbaVarTst>; msvbvm60.__vbaVarTstGt
00405EBC  JMP DWORD PTR DS:[<&msvbvm60.__vbaNextEa>; msvbvm60.__vbaNextEachCollObj
00405EC2  JMP DWORD PTR DS:[<&msvbvm60.__vbaForEac>; msvbvm60.__vbaForEachCollObj
00405EC8  JMP DWORD PTR DS:[<&msvbvm60.rtcDir>]    ; msvbvm60.rtcDir
00405ECE  JMP DWORD PTR DS:[<&msvbvm60.__vbaUI1I2>>; msvbvm60.__vbaUI1I2
00405ED4  JMP DWORD PTR DS:[<&msvbvm60.__vbaRedim>>; msvbvm60.__vbaRedim
00405EDA  JMP DWORD PTR DS:[<&msvbvm60.__vbaI4Var>>; msvbvm60.__vbaI4Var
00405EE0  JMP DWORD PTR DS:[<&msvbvm60.__vbaVarVar>; msvbvm60.__vbaVarVargNofree
00405EE6  JMP DWORD PTR DS:[<&msvbvm60.rtcVarFromF>; msvbvm60.rtcVarFromFormatVar
00405EEC  JMP DWORD PTR DS:[<&msvbvm60.__vbaVarAdd>; msvbvm60.__vbaVarAdd
00405EF2  JMP DWORD PTR DS:[<&msvbvm60.rtcMidCharV>; msvbvm60.rtcMidCharVar
00405EF8  JMP DWORD PTR DS:[<&msvbvm60.__vbaStrVar>; msvbvm60.__vbaStrVarVal
00405EFE  JMP DWORD PTR DS:[<&msvbvm60.rtcHexVarFr>; msvbvm60.rtcHexVarFromVar
00405F04  JMP DWORD PTR DS:[<&msvbvm60.rtcMidCharB>; msvbvm60.rtcMidCharBstr
00405F0A  JMP DWORD PTR DS:[<&msvbvm60.rtcAnsiValu>; msvbvm60.rtcAnsiValueBstr
00405F10  JMP DWORD PTR DS:[<&msvbvm60.rtcStringBs>; msvbvm60.rtcStringBstr
00405F16  JMP DWORD PTR DS:[<&msvbvm60.rtcGetTimer>; msvbvm60.rtcGetTimer
00405F1C  JMP DWORD PTR DS:[<&msvbvm60.__vbaFpR4>] ; msvbvm60.__vbaFpR4
00405F22  JMP DWORD PTR DS:[<&msvbvm60.rtcInStrRev>; msvbvm60.rtcInStrRev
00405F28  JMP DWORD PTR DS:[<&msvbvm60.__vbaFpCSng>; msvbvm60.__vbaFpCSngR8
00405F2E  JMP DWORD PTR DS:[<&msvbvm60.__vbaStrR8>>; msvbvm60.__vbaStrR8
00405F34  JMP DWORD PTR DS:[<&msvbvm60.__vbaStrCy>>; msvbvm60.__vbaStrCy
00405F3A  JMP DWORD PTR DS:[<&msvbvm60.__vbaFPFix>>; msvbvm60.__vbaFPFix
00405F40  JMP DWORD PTR DS:[<&msvbvm60.__vbaR8FixI>; msvbvm60.__vbaR8FixI4
00405F46  JMP DWORD PTR DS:[<&msvbvm60.rtcRemoveDi>; msvbvm60.rtcRemoveDir
00405F4C  JMP DWORD PTR DS:[<&msvbvm60.__vbaRecAss>; msvbvm60.__vbaRecAssign
00405F52  JMP DWORD PTR DS:[<&msvbvm60.__vbaAryRec>; msvbvm60.__vbaAryRecCopy
00405F58  JMP DWORD PTR DS:[<&msvbvm60.rtcIsNumeri>; msvbvm60.rtcIsNumeric
00405F5E  JMP DWORD PTR DS:[<&msvbvm60.__vbaVarLat>; msvbvm60.__vbaVarLateMemCallLdRf
00405F64  JMP DWORD PTR DS:[<&msvbvm60.rtcLowerCas>; msvbvm60.rtcLowerCaseVar
00405F6A  JMP DWORD PTR DS:[<&msvbvm60.__vbaVarTex>; msvbvm60.__vbaVarTextTstEq
00405F70  JMP DWORD PTR DS:[<&msvbvm60.__vbaVarLat>; msvbvm60.__vbaVarLateMemCallLd
00405F76  JMP DWORD PTR DS:[<&msvbvm60.__vbaObjIs>>; msvbvm60.__vbaObjIs
00405F7C  JMP DWORD PTR DS:[<&msvbvm60.__vbaVarLat>; msvbvm60.__vbaVarLateMemSt
00405F82  JMP DWORD PTR DS:[<&msvbvm60.__vbaLateMe>; msvbvm60.__vbaLateMemSt
00405F88  JMP DWORD PTR DS:[<&msvbvm60.rtcShell>]  ; msvbvm60.rtcShell
00405F8E  JMP DWORD PTR DS:[<&msvbvm60.rtcKillFile>; msvbvm60.rtcKillFiles
00405F94  JMP DWORD PTR DS:[<&msvbvm60.__vbaNameFi>; msvbvm60.__vbaNameFile
00405F9A  JMP DWORD PTR DS:[<&msvbvm60.__vbaCopyBy>; msvbvm60.__vbaCopyBytes
00405FA0  JMP DWORD PTR DS:[<&msvbvm60.__vbaCyI4>] ; msvbvm60.__vbaCyI4
00405FA6  JMP DWORD PTR DS:[<&msvbvm60.__vbaCyAdd>>; msvbvm60.__vbaCyAdd
00405FAC  JMP DWORD PTR DS:[<&msvbvm60.rtcRightTri>; msvbvm60.rtcRightTrimBstr
00405FB2  JMP DWORD PTR DS:[<&msvbvm60.__vbaStrTex>; msvbvm60.__vbaStrTextLike
00405FB8  JMP DWORD PTR DS:[<&msvbvm60.rtcSplit>]  ; msvbvm60.rtcSplit
00405FBE  JMP DWORD PTR DS:[<&msvbvm60.__vbaAryVar>; msvbvm60.__vbaAryVar
00405FC4  JMP DWORD PTR DS:[<&msvbvm60.__vbaAryCop>; msvbvm60.__vbaAryCopy
00405FCA  JMP DWORD PTR DS:[<&msvbvm60.rtcReplace>>; msvbvm60.rtcReplace
00405FD0  JMP DWORD PTR DS:[<&msvbvm60.__vbaCyI2>] ; msvbvm60.__vbaCyI2
00405FD6  JMP DWORD PTR DS:[<&msvbvm60.__vbaLbound>; msvbvm60.__vbaLbound
00405FDC  JMP DWORD PTR DS:[<&msvbvm60.rtcCommandV>; msvbvm60.rtcCommandVar
00405FE2  JMP DWORD PTR DS:[<&msvbvm60.__vbaLenVar>; msvbvm60.__vbaLenVar
00405FE8  JMP DWORD PTR DS:[<&msvbvm60.__vbaBoolVa>; msvbvm60.__vbaBoolVarNull
00405FEE  JMP DWORD PTR DS:[<&msvbvm60.__vbaStrTex>; msvbvm60.__vbaStrTextCmp
00405FF4  JMP DWORD PTR DS:[<&msvbvm60.__vbaLateMe>; msvbvm60.__vbaLateMemCall
00405FFA  JMP DWORD PTR DS:[<&msvbvm60.__vbaLateMe>; msvbvm60.__vbaLateMemCallLd
00406000  JMP DWORD PTR DS:[<&msvbvm60.rtcCreateOb>; msvbvm60.rtcCreateObject2
00406006  JMP DWORD PTR DS:[<&msvbvm60.__vbaObjVar>; msvbvm60.__vbaObjVar
0040600C  JMP DWORD PTR DS:[<&msvbvm60.__vbaNew>]  ; msvbvm60.__vbaNew
00406012  JMP DWORD PTR DS:[<&msvbvm60.__vbaFileCl>; msvbvm60.__vbaFileCloseAll
00406018  JMP DWORD PTR DS:[<&msvbvm60.__vbaFpCmpC>; msvbvm60.__vbaFpCmpCy
0040601E  JMP DWORD PTR DS:[<&msvbvm60.rtcSetFileA>; msvbvm60.rtcSetFileAttr
00406024  JMP DWORD PTR DS:[<&msvbvm60.rtcMakeDir>>; msvbvm60.rtcMakeDir
0040602A  JMP DWORD PTR DS:[<&msvbvm60.__vbaI4Str>>; msvbvm60.__vbaI4Str
00406030  JMP DWORD PTR DS:[<&msvbvm60.__vbaEnd>]  ; msvbvm60.__vbaEnd
00406036  JMP DWORD PTR DS:[<&msvbvm60.EVENT_SINK_>; msvbvm60.EVENT_SINK_QueryInterface
0040603C  JMP DWORD PTR DS:[<&msvbvm60.EVENT_SINK_>; msvbvm60.EVENT_SINK_AddRef
00406042  JMP DWORD PTR DS:[<&msvbvm60.EVENT_SINK_>; msvbvm60.EVENT_SINK_Release
00406048  JMP DWORD PTR DS:[<&msvbvm60.Zombie_GetT>; msvbvm60.Zombie_GetTypeInfoCount
0040604E  JMP DWORD PTR DS:[<&msvbvm60.Zombie_GetT>; msvbvm60.Zombie_GetTypeInfo
00406054  JMP DWORD PTR DS:[<&msvbvm60.EVENT_SINK_>; msvbvm60.EVENT_SINK_GetIDsOfNames
0040605A  JMP DWORD PTR DS:[<&msvbvm60.EVENT_SINK_>; msvbvm60.EVENT_SINK_Invoke
00406060  JMP DWORD PTR DS:[<&msvbvm60.GetMemEvent>; msvbvm60.GetMemEvent
00406066  JMP DWORD PTR DS:[<&msvbvm60.PutMemEvent>; msvbvm60.PutMemEvent
0040606C  JMP DWORD PTR DS:[<&msvbvm60.SetMemEvent>; msvbvm60.SetMemEvent
00406072  JMP DWORD PTR DS:[<&msvbvm60.ThunRTMain>>; msvbvm60.ThunRTMain
00406078 >PUSH dumped_.00412568
0040607D  CALL <JMP.&msvbvm60.ThunRTMain>

The program uses CC protection, but I could not get the main program to run when loading it in OD, so the CC has not been repaired:

00449470  PUSH EBP
00449471  MOV EBP,ESP
00449473  SUB ESP,18
00449476  PUSH <JMP.&msvbvm60.__vbaExceptHandler>
0044947B  MOV EAX,DWORD PTR FS:[0]
00449481  PUSH EAX
00449482  MOV DWORD PTR FS:[0],ESP
00449489  MOV EAX,4F0
0044948E  CALL <JMP.&msvbvm60.__vbaChkstk>
00449493  PUSH EBX
00449494  PUSH ESI
00449495  PUSH EDI
00449496  MOV DWORD PTR SS:[EBP-18],ESP
00449499  MOV DWORD PTR SS:[EBP-14],dumped_.004013>
004494A0  MOV EAX,DWORD PTR SS:[EBP+8]
004494A3  AND EAX,1
004494A6  MOV DWORD PTR SS:[EBP-10],EAX
004494A9  MOV ECX,DWORD PTR SS:[EBP+8]
004494AC  AND ECX,FFFFFFFE
004494AF  MOV DWORD PTR SS:[EBP+8],ECX
004494B2  MOV DWORD PTR SS:[EBP-C],0
004494B9  MOV EDX,DWORD PTR SS:[EBP+8]
004494BC  MOV EAX,DWORD PTR DS:[EDX]
004494BE  MOV ECX,DWORD PTR SS:[EBP+8]
004494C1  PUSH ECX
004494C2  CALL DWORD PTR DS:[EAX+4]
004494C5  MOV DWORD PTR SS:[EBP-4],1
004494CC  MOV DWORD PTR SS:[EBP-4],2
004494D3  PUSH -1
004494D5  CALL DWORD PTR DS:[<&msvbvm60.__vbaOnErr>; msvbvm60.__vbaOnError
004494DB  MOV DWORD PTR SS:[EBP-4],3
004494E2  INT3
004494E3  ADC DWORD PTR DS:[EDI+15FFD0CF],7C
004494EA  ADC BYTE PTR DS:[EAX],AL
004494ED  MOV DWORD PTR SS:[EBP-4],4
004494F4  LEA EDX,DWORD PTR SS:[EBP-FC]
004494FA  PUSH EDX
004494FB  MOV EAX,DWORD PTR SS:[EBP+8]
004494FE  MOV ECX,DWORD PTR DS:[EAX]
00449500  MOV EDX,DWORD PTR SS:[EBP+8]
00449503  PUSH EDX
00449504  CALL DWORD PTR DS:[ECX+108]
0044950A  FCLEX
0044950C  MOV DWORD PTR SS:[EBP-100],EAX
00449512  CMP DWORD PTR SS:[EBP-100],0
00449519  INT3
0044951A  POP DS                                   ; Modification of segment register
0044951B  PUSH 108
00449520  PUSH dumped_.0041A130
00449525  MOV EAX,DWORD PTR SS:[EBP+8]
00449528  PUSH EAX
00449529  MOV ECX,DWORD PTR SS:[EBP-100]
0044952F  PUSH ECX
00449530  CALL DWORD PTR DS:[<&msvbvm60.__vbaHresu>; msvbvm60.__vbaHresultCheckObj
00449536  MOV DWORD PTR SS:[EBP-140],EAX
0044953C  INT3
0044953D  INC EDX
0044953E  MOV DWORD PTR SS:[EBP-140],0
00449548  LEA EDX,DWORD PTR SS:[EBP-F8]
0044954E  PUSH EDX
0044954F  MOV EAX,DWORD PTR SS:[EBP+8]
00449552  MOV ECX,DWORD PTR DS:[EAX]
00449554  MOV EDX,DWORD PTR SS:[EBP+8]
00449557  PUSH EDX
00449558  CALL DWORD PTR DS:[ECX+88]
0044955E  FCLEX
00449560  MOV DWORD PTR SS:[EBP-104],EAX
00449566  CMP DWORD PTR SS:[EBP-104],0
0044956D  INT3
0044956E  JL SHORT dumped_.004495D8
00449570  MOV BYTE PTR DS:[EAX],AL
00449572  ADD BYTE PTR DS:[EAX],AL
00449574  PUSH dumped_.0041A130
00449579  MOV EAX,DWORD PTR SS:[EBP+8]
0044957C  PUSH EAX
0044957D  MOV ECX,DWORD PTR SS:[EBP-104]
00449583  PUSH ECX
00449584  CALL DWORD PTR DS:[<&msvbvm60.__vbaHresu>; msvbvm60.__vbaHresultCheckObj
0044958A  MOV DWORD PTR SS:[EBP-144],EAX
00449590  INT3
00449591  IN EAX,0C7                               ; I/O command
00449593  TEST DWORD PTR DS:[ESI+EDI*8+FFFF],EDI
0044959A  ADD BYTE PTR DS:[EAX],AL
0044959C  FLD DWORD PTR SS:[EBP-F8]
004495A2  FSUB DWORD PTR SS:[EBP-FC]
004495A8  FSTSW AX
004495AA  TEST AL,0D
004495AC  INT3
004495AD  LOCK CLC                                 ; LOCK prefix is not allowed
004495AF  POP EAX
004495B0  SAR DH,CL
004495B2  CALL DWORD PTR DS:[<&msvbvm60.__vbaFpI2>>; msvbvm60.__vbaFpI2
004495B8  MOV WORD PTR SS:[EBP-34],AX
004495BC  MOV DWORD PTR SS:[EBP-4],5
004495C3  MOV DX,WORD PTR SS:[EBP-34]
004495C7  ADD DX,1428
004495CC  INT3
004495CD  AND EDI,DWORD PTR DS:[EDX+F6821AE]
004495D3  MOV EDI,B88589C2
004495D8  ???                                      ; Unknown command
004495D9  ???                                      ; Unknown command
004495DB  FILD DWORD PTR SS:[EBP-148]
004495E1  FSTP DWORD PTR SS:[EBP-14C]
004495E7  MOV ECX,DWORD PTR SS:[EBP-14C]
004495ED  PUSH ECX
004495EE  MOV EDX,DWORD PTR SS:[EBP+8]
004495F1  MOV EAX,DWORD PTR DS:[EDX]
004495F3  MOV ECX,DWORD PTR SS:[EBP+8]
004495F6  PUSH ECX
004495F7  CALL DWORD PTR DS:[EAX+8C]
004495FD  FCLEX
004495FF  MOV DWORD PTR SS:[EBP-100],EAX
00449605  CMP DWORD PTR SS:[EBP-100],0
0044960C  INT3
0044960D  TEST AL,68
0044960F  MOV WORD PTR DS:[EAX],ES
00449611  ADD BYTE PTR DS:[EAX],AL
00449613  PUSH dumped_.0041A130
00449618  MOV EDX,DWORD PTR SS:[EBP+8]
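
The listing above has INT3 bytes left in the dump, and the instructions decoded after several of them are junk. The following is an added example, not part of the thread: it parses an OllyDbg-style listing and reports each INT3 site with any decoder warnings that follow it. The excerpt is copied from the listing above with its comments in English; the function names and the three-instruction lookahead are assumptions.

```python
import re

# Excerpt of the OllyDbg listing quoted in the post (comments in English).
LISTING = """\
004494DB  MOV DWORD PTR SS:[EBP-4],3
004494E2  INT3
004494E3  ADC DWORD PTR DS:[EDI+15FFD0CF],7C
004494EA  ADC BYTE PTR DS:[EAX],AL
004494ED  MOV DWORD PTR SS:[EBP-4],4
00449512  CMP DWORD PTR SS:[EBP-100],0
00449519  INT3
0044951A  POP DS                                   ; Modification of segment register
0044951B  PUSH 108
004495C7  ADD DX,1428
004495CC  INT3
004495CD  AND EDI,DWORD PTR DS:[EDX+F6821AE]
004495D3  MOV EDI,B88589C2
004495D8  ???                                      ; Unknown command
"""

# address, optional '>' entry marker, instruction text, optional '; comment'
LINE_RE = re.compile(r"^([0-9A-Fa-f]{8})\s+>?(.*?)\s*(?:;\s*(.*))?$")

# Comments the disassembler attaches to instructions compiled code rarely contains.
DECODER_WARNINGS = {
    "Modification of segment register",
    "I/O command",
    "LOCK prefix is not allowed",
    "Unknown command",
}

def parse(listing):
    """Return (address, instruction, comment) tuples for each listing line."""
    rows = []
    for line in listing.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((int(m.group(1), 16), m.group(2), m.group(3) or ""))
    return rows

def find_cc_sites(listing, lookahead=3):
    """Report every INT3 and whether the decode right after it looks broken."""
    rows = parse(listing)
    sites = []
    for i, (addr, instr, _) in enumerate(rows):
        if instr != "INT3":
            continue
        warnings = []
        for a, ins, comment in rows[i + 1:i + 1 + lookahead]:
            if ins == "INT3":          # next site starts; stop looking
                break
            if ins == "???" or comment in DECODER_WARNINGS:
                warnings.append((a, comment or ins))
        prev = rows[i - 1][1].split()[0] if i else ""
        sites.append({"addr": addr, "prev": prev,
                      "warnings": warnings, "desync": bool(warnings)})
    return sites

if __name__ == "__main__":
    for s in find_cc_sites(LISTING):
        print(f"{s['addr']:08X} after {s['prev']:<4} desync={s['desync']} {s['warnings']}")
```

A site with no warning is not proof that the bytes after it decode correctly; the first INT3 in the excerpt is followed by two ADC instructions that only look plausible.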
rename 1 2004-7-17 20:30
4
0
Thanks! I still don't quite understand. How do I go further with the unpacking?