PEiD detects it as Armadillo 3.78 - 4.xx -> Silicon Realms Toolworks
ArmaFP detection:
!- Protected Armadillo
?- Signature = D058C018
Protection system (Professional)
!- <Protection Options>
Debug-Blocker
CopyMem-II
Enable Memory-Patching Protections
!- <Backup Key Options>
Main Key Only, No Backup Keys
!- <Compression Options>
Better/Slower Compression
!- <Other Options>
Use Digital River Edition Keys
Using someone else's key, set OllyDbg to ignore all exceptions, and use the IsDebug 1.4 plugin to clear OllyDbg's debugger flag.
Load the program in OD:
00458000 > 60 PUSHAD
00458001 E8 00000000 CALL 00458006
00458006 5D POP EBP
00458007 50 PUSH EAX
00458008 51 PUSH ECX
00458009 0FCA BSWAP EDX
0045800B F7D2 NOT EDX
0045800D 9C PUSHFD
0045800E F7D2 NOT EDX
00458010 0FCA BSWAP EDX
Set breakpoint bp OpenMutexA, Shift+F9:
7C80EC1B > 8BFF MOV EDI,EDI
7C80EC1D 55 PUSH EBP
7C80EC1E 8BEC MOV EBP,ESP
7C80EC20 51 PUSH ECX
7C80EC21 51 PUSH ECX
7C80EC22 837D 10 00 CMP DWORD PTR SS:[EBP+10],0
7C80EC26 56 PUSH ESI
7C80EC27 0F84 7A500300 JE kernel32.7C843CA7
7C80EC2D 64:A1 18000000 MOV EAX,DWORD PTR FS:[18]
7C80EC33 FF75 10 PUSH DWORD PTR SS:[EBP+10]
7C80EC36 8DB0 F80B0000 LEA ESI,DWORD PTR DS:[EAX+BF8]
7C80EC3C 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
7C80EC3F 50 PUSH EAX
7C80EC40 FF15 8C10807C CALL NEAR DWORD PTR DS:[<&ntdll.RtlInitA>; ntdll.RtlInitAnsiString
7C80EC46 6A 00 PUSH 0
Ctrl+G 00401000, enter the code:
60 9C 68 B0 FD 12 00 33 C0 50 50 E8 2F DB 40 7C 9D 61 E9 04 DC 40 7C
At the copied code set a new origin (new EIP), Shift+F9 breaks again, F2 to remove the breakpoint, Ctrl+G -> 00401000, undo the modifications.
Two processes converted into a single process!
Set breakpoint he GetDlgItem, Shift+F9:
77D24816 > 8BFF MOV EDI,EDI
77D24818 55 PUSH EBP
77D24819 8BEC MOV EBP,ESP
77D2481B 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
77D2481E E8 AD3CFFFF CALL USER32.77D184D0
77D24823 85C0 TEST EAX,EAX
77D24825 74 1F JE SHORT USER32.77D24846
77D24827 56 PUSH ESI
77D24828 FF75 0C PUSH DWORD PTR SS:[EBP+C]
77D2482B 50 PUSH EAX
77D2482C E8 A9FFFFFF CALL USER32.77D247DA
77D24831 85C0 TEST EAX,EAX
77D24833 0F84 29D80000 JE USER32.77D32062
77D24839 8B30 MOV ESI,DWORD PTR DS:[EAX]
77D2483B 85F6 TEST ESI,ESI
77D2483D 0F84 21D80000 JE USER32.77D32064
Alt+F9 to return; here it differs from the tutorial. What is going on? Experts and teachers, please advise.
00AD2D46 50 PUSH EAX
00AD2D47 FF15 5C74AD00 CALL NEAR DWORD PTR DS:[AD745C] ; USER32.SetFocus
00AD2D4D 6A 01 PUSH 1
00AD2D4F 57 PUSH EDI
00AD2D50 FF15 F474AD00 CALL NEAR DWORD PTR DS:[AD74F4] ; USER32.ShowWindow
00AD2D56 8B75 0C MOV ESI,DWORD PTR SS:[EBP+C]
00AD2D59 3BF3 CMP ESI,EBX
00AD2D5B 74 12 JE SHORT 00AD2D6F
00AD2D5D 53 PUSH EBX
00AD2D5E 56 PUSH ESI
00AD2D5F FF15 1875AD00 CALL NEAR DWORD PTR DS:[AD7518] ; USER32.EnableWindow
00AD2D65 57 PUSH EDI
00AD2D66 E8 8FF3FFFF CALL 00AD20FA
00AD2D6B 59 POP ECX
00AD2D6C 8970 0C MOV DWORD PTR DS:[EAX+C],ESI
00AD2D6F F645 1A 01 TEST BYTE PTR SS:[EBP+1A],1
Experts and teachers, please advise on how to proceed from here, thanks.
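The byte string typed in at 00401000 above is opaque as written. The following is an added example, not code from the original post: a small decoder that covers only the opcodes present in that patch and resolves the relative CALL/JMP targets from the 00401000 base. It shows that the patch saves registers, pushes the stack pointer 0012FDB0 plus two zero arguments, calls into kernel32 at 7C80EB3F, restores registers and jumps back to 7C80EC1B, which is exactly the OpenMutexA address where the breakpoint above hit. The base address and bytes come from the post; the interpretation of the CALL target as a kernel32 export is an assumption based on its address range.

```python
import struct

# Bytes and base address copied from the post (constructed input for the decoder)
PATCH_HEX = "60 9C 68 B0 FD 12 00 33 C0 50 50 E8 2F DB 40 7C 9D 61 E9 04 DC 40 7C"
PATCH_BASE = 0x00401000

# Minimal opcode table: only what this patch uses, not a general disassembler
ONE_BYTE = {0x60: "PUSHAD", 0x9C: "PUSHFD", 0x9D: "POPFD", 0x61: "POPAD", 0x50: "PUSH EAX"}


def decode_patch(hex_text, base):
    """Decode the patch into (address, mnemonic, branch_target) tuples.

    branch_target is None except for CALL/JMP, where it is the absolute
    target computed as next_instruction_address + signed rel32.
    """
    data = bytes.fromhex(hex_text.replace(" ", ""))
    out = []
    i = 0
    while i < len(data):
        addr = base + i
        op = data[i]
        if op in ONE_BYTE:
            out.append((addr, ONE_BYTE[op], None))
            i += 1
        elif op == 0x68:  # PUSH imm32
            imm = struct.unpack_from("<I", data, i + 1)[0]
            out.append((addr, f"PUSH {imm:08X}", None))
            i += 5
        elif op == 0x33 and data[i + 1] == 0xC0:  # XOR EAX,EAX
            out.append((addr, "XOR EAX,EAX", None))
            i += 2
        elif op in (0xE8, 0xE9):  # CALL rel32 / JMP rel32
            rel = struct.unpack_from("<i", data, i + 1)[0]
            target = (addr + 5 + rel) & 0xFFFFFFFF
            mnem = "CALL" if op == 0xE8 else "JMP"
            out.append((addr, f"{mnem} {target:08X}", target))
            i += 5
        else:
            raise ValueError(f"unhandled opcode {op:02X} at {addr:08X}")
    return out


def branch_targets(decoded):
    """Return only the absolute CALL/JMP targets, in order of appearance."""
    return [t for _, _, t in decoded if t is not None]


if __name__ == "__main__":
    for addr, mnem, _ in decode_patch(PATCH_HEX, PATCH_BASE):
        print(f"{addr:08X}  {mnem}")
```

Run it and compare the two resolved addresses with the kernel32 listing in the post: the JMP target 7C80EC1B is the OpenMutexA entry shown at the breakpoint, which is how the patch hands control back after its detour. Keeping the decoder limited to the opcodes in the patch avoids silently misdecoding anything else.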