Studying the Armadillo packer; I found a program online to test with.
StudyFile.exe
PEiD reports: Armadillo 3.78 - 4.xx -> Silicon Realms Toolworks
ArmaFP detection:
<------- 13-04-2007 17:24:11 ------->
F:\_Test\StudyFile.exe
!- Protected Armadillo
Protection system (Professional)
!- <Protection Options>
Standard protection or Minimum protection
!- <Backup Key Options>
No Registry Keys at All
!- <Compression Options>
Better/Slower Compression
!- <Other Options>
Disable Monitoring Thread
!- Version 3.75c 23Jun2004
After dumping with dilloDIE.exe it produced StudyFile.dDIE.exe; I had originally planned to repair the dumped file's import table.
Unexpectedly it ran as-is when double-clicked, but checking again with PEiD it still showed a packer:
Armadillo 1.xx - 2.xx -> Silicon Realms Toolworks, and OllyICE hangs after loading it
ArmaFP detection:
<------- 13-04-2007 17:26:46 ------->
F:\_Test\StudyFile.dDIE.exe
!- Protected Armadillo
?- GetThreadContext error(31)
Protection system (Professional)
!- <Protection Options>
Debug-Blocker
CopyMem-II
Enable Nanomites Processing
Enable Memory-Patching Protections
!- <Backup Key Options>
Variable Backup Keys
Fixed Backup Keys
!- <Compression Options>
Better/Slower Compression
!- <Other Options>
Store Environment Vars Externally
Allow Only One Copy
Use eSellerate Edition Keys
?- VirtualProtectEx error(5)
?- VirtualProtectEx error(5)
?- GetThreadContext error(31)
?- VirtualProtectEx error(6)
?- GetThreadContext error(6)
?- VirtualProtectEx error(6)
?- VirtualProtectEx error(6)
?- GetThreadContext error(6)
?- VirtualProtectEx error(6)
?- GetThreadContext error(6)
Later I found it was the Armadillo packer marker in the PE file header.
Clearing both
MajorLinkerVersion and
MinorLinkerVersion to 0 fixed it.
IDA disassembles it without problems, but OD hangs on load at:
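The two fields mentioned above live at the start of the PE optional header: the 2-byte Magic (0x10B for PE32, 0x20B for PE32+) is followed by the one-byte MajorLinkerVersion and MinorLinkerVersion. The script below is an added example, not part of the original post or of any of the tools it names; it locates the optional header through e_lfanew, reports the current linker-version bytes so they can be recorded before patching, and writes them back as zero. The sample image it builds (build_sample) is a constructed, non-executable header used only so the script runs offline; on a real dumped file the same functions apply to the file bytes.

```python
import struct
import sys

OPT_HDR_PE32 = 0x10B
OPT_HDR_PE32PLUS = 0x20B


def build_sample(major=6, minor=0):
    """Constructed minimal PE-style header (DOS stub, PE signature,
    COFF header, optional header) with chosen linker-version bytes.
    It is not a runnable executable; it exists only to exercise the parser."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> PE signature
    pe_sig = b"PE\0\0"
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<HBB", opt, 0, OPT_HDR_PE32, major, minor)
    return bytes(dos) + pe_sig + coff + bytes(opt)


def optional_header_offset(data):
    """Return the file offset of the optional header, validating MZ/PE markers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    return e_lfanew + 4 + 20          # signature (4) + COFF header (20)


def read_linker_version(data):
    """Return (MajorLinkerVersion, MinorLinkerVersion) from the optional header."""
    off = optional_header_offset(data)
    magic, major, minor = struct.unpack_from("<HBB", data, off)
    if magic not in (OPT_HDR_PE32, OPT_HDR_PE32PLUS):
        raise ValueError("unexpected optional header magic 0x%X" % magic)
    return major, minor


def clear_linker_version(data):
    """Return a copy of the image with both linker-version bytes set to 0,
    which is the fix the post describes for the dumped Armadillo file."""
    off = optional_header_offset(data)
    read_linker_version(data)          # validates the magic before patching
    patched = bytearray(data)
    patched[off + 2] = 0               # MajorLinkerVersion
    patched[off + 3] = 0               # MinorLinkerVersion
    return bytes(patched)


if __name__ == "__main__":
    # Usage: python fix_linker_version.py <dumped.exe> <output.exe>
    # Without arguments the constructed sample header is used instead.
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f:
            image = f.read()
    else:
        image = build_sample(0x12, 0x34)
    print("linker version before: %d.%d" % read_linker_version(image))
    fixed = clear_linker_version(image)
    print("linker version after:  %d.%d" % read_linker_version(fixed))
    if len(sys.argv) == 3:
        with open(sys.argv[2], "wb") as f:
            f.write(fixed)
```

Only the two version bytes are touched; every other byte of the image, including the checksum field the post does not mention, is left exactly as it was, so a diff of input and output should show a two-byte change and nothing else.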
7C80B690 FFFF ??? ; unknown command
7C80B692 FFFF ??? ; unknown command
7C80B694 10AB 837C26AB adc byte ptr [ebx+AB267C83], ch
7C80B69A 837C90 90 90 cmp dword ptr [eax+edx*4-70], -70
7C80B69F 90 nop
7C80B6A0 90 nop
7C80B6A1 > 8BFF mov edi, edi
7C80B6A3 55 push ebp
7C80B6A4 8BEC mov ebp, esp
7C80B6A6 837D 08 00 cmp dword ptr [ebp+8], 0 //------------OD hangs here
7C80B6AA 74 18 je short 7C80B6C4
7C80B6AC FF75 08 push dword ptr [ebp+8]
7C80B6AF E8 C0290000 call 7C80E074
7C80B6B4 85C0 test eax, eax
7C80B6B6 74 08 je short 7C80B6C0
7C80B6B8 FF70 04 push dword ptr [eax+4]
7C80B6BB E8 7D2D0000 call GetModuleHandleW
7C80B6C0 5D pop ebp
7C80B6C1 C2 0400 retn 4
7C80B6C4 64:A1 18000000 mov eax, dword ptr fs:[18]
7C80B6CA 8B40 30 mov eax, dword ptr [eax+30]
7C80B6CD 8B40 08 mov eax, dword ptr [eax+8]
7C80B6D0 ^ EB EE jmp short 7C80B6C0
7C80B6D2 90 nop
7C80B6D3 90 nop
7C80B6D4 90 nop
7C80B6D5 90 nop
7C80B6D6 90 nop
7C80B6D7 8BFF mov edi, edi