Post #6
This is written far too messily; I'm afraid the line of thought isn't clear yet!
The dongle shell has a decoding or unlocking part. If you don't complete that step, what use is unpacking it?
Post #7
The line of thought is too chaotic; it leaves the reader completely confused. Personally, I think the place where the dongle is read should be the point of entry; that way the approach might be clearer.
Post #8
Heh, with the dongle it's EASY. Heh, I've got an MH dongle too now; a client in Shanghai gave me one yesterday. Heh.
I'll look into it tonight.
Post #11
The article above is mainly for friends who have the dongle (I thought that was quite clear).
Details as follows:
1. Disassemble the original dongle-shelled program with W32Dasm and search for "jmp dword ptr [00" to get the RCC0 shell entry:
:00761235 50 push eax
:00761236 E8DDF3FFFF call 00760618
:0076123B 83C40C add esp, 0000000C
:0076123E 90 nop
:0076123F 90 nop
:00761240 90 nop
:00761241 90 nop
:00761242 90 nop
:00761243 90 nop
:00761244 90 nop
:00761245 90 nop
:00761246 90 nop
:00761247 90 nop
:00761248 90 nop
:00761249 90 nop
:0076124A 90 nop
:0076124B 90 nop
:0076124C 90 nop
:0076124D 90 nop
:0076124E 90 nop
:0076124F 90 nop
:00761250 90 nop
:00761251 90 nop
:00761252 EB00 jmp 00761254
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00761126(U), :007611B7(U), :007611E3(U), :00761252(U)
:00761254 5F pop edi
:00761255 5E pop esi
:00761256 5B pop ebx
:00761257 C9 leave
:00761258 90 nop
:00761259 90 nop
:0076125A 90 nop
:0076125B 90 nop
:0076125C 90 nop
:0076125D 90 nop
:0076125E 90 nop
:0076125F 90 nop
:00761260 61 popad
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00761335(C)
:00761261 FF2510217600 jmp dword ptr [00762110] ***************
:00761267 C3 ret
:00761268 90 nop
:00761269 90 nop
:0076126A 90 nop
:0076126B 90 nop
:0076126C 90 nop
:0076126D 90 nop
* Referenced by a CALL at Address:
|:0076121A
:0076126E 55 push ebp
2. Disassemble the unpacked 1.EXE, search for WSOCK32.DLL, take the Possible StringData Ref from Data Obj ->"Y% lines that precede it, and note them down:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00695B06(U)
:0069677E 90 nop
:0069677F 90 nop
:00696780 90 nop
:00696781 90 nop
:00696782 90 nop
:00696783 90 nop
* Possible StringData Ref from Data Obj ->"Y%???
:00696784 A14CBA6A00 mov eax, dword ptr [006ABA4C] ****
:00696789 50 push eax
:0069678A E8F4EBFFFF call 00695383
:0069678F 83C404 add esp, 00000004
:00696792 A34CBA6A00 mov dword ptr [006ABA4C], eax
* Possible StringData Ref from Data Obj ->"Y%???
:00696797 A150BA6A00 mov eax, dword ptr [006ABA50] ****
:0069679C 50 push eax
:0069679D E8E1EBFFFF call 00695383
:006967A2 83C404 add esp, 00000004
:006967A5 A350BA6A00 mov dword ptr [006ABA50], eax
* Possible StringData Ref from Data Obj ->"Y%???
:006967AA A154BA6A00 mov eax, dword ptr [006ABA54] ****
:006967AF 50 push eax
:006967B0 E8CEEBFFFF call 00695383
:006967B5 83C404 add esp, 00000004
:006967B8 A354BA6A00 mov dword ptr [006ABA54], eax
* Possible StringData Ref from Data Obj ->"Y%???
:006967BD A158BA6A00 mov eax, dword ptr [006ABA58] ****
:006967C2 50 push eax
:006967C3 E8BBEBFFFF call 00695383
:006967C8 83C404 add esp, 00000004
:006967CB A358BA6A00 mov dword ptr [006ABA58], eax
* Possible StringData Ref from Data Obj ->"Y%???
:006967D0 A15CBA6A00 mov eax, dword ptr [006ABA5C] ****
:006967D5 50 push eax
:006967D6 E8A8EBFFFF call 00695383
:006967DB 83C404 add esp, 00000004
:006967DE A35CBA6A00 mov dword ptr [006ABA5C], eax
* Possible StringData Ref from Data Obj ->"Y%???
:006967E3 A160BA6A00 mov eax, dword ptr [006ABA60] ****
:006967E8 50 push eax
:006967E9 E895EBFFFF call 00695383
:006967EE 83C404 add esp, 00000004
:006967F1 A360BA6A00 mov dword ptr [006ABA60], eax
* Possible StringData Ref from Data Obj ->"Y%???
:006967F6 A164BA6A00 mov eax, dword ptr [006ABA64] ****
:006967FB 50 push eax
:006967FC E882EBFFFF call 00695383
:00696801 83C404 add esp, 00000004
:00696804 A364BA6A00 mov dword ptr [006ABA64], eax
* Possible StringData Ref from Data Obj ->"Y%???
:00696809 A168BA6A00 mov eax, dword ptr [006ABA68] ****
:0069680E 50 push eax
:0069680F E86FEBFFFF call 00695383
:00696814 83C404 add esp, 00000004
:00696817 A368BA6A00 mov dword ptr [006ABA68], eax
:0069681C E97FF3FFFF jmp 00695BA0
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00695B10(U)
:00696821 90 nop
:00696822 90 nop
:00696823 90 nop
:00696824 90 nop
:00696825 90 nop
:00696826 90 nop
:00696827 A16CBA6A00 mov eax, dword ptr [006ABA6C]
:0069682C 50 push eax
:0069682D E851EBFFFF call 00695383
:00696832 83C404 add esp, 00000004
:00696835 A36CBA6A00 mov dword ptr [006ABA6C], eax
* Possible StringData Ref from Data Obj ->"Y%???
:0069683A A170BA6A00 mov eax, dword ptr [006ABA70] ****
:0069683F 50 push eax
:00696840 E83EEBFFFF call 00695383
:00696845 83C404 add esp, 00000004
:00696848 A370BA6A00 mov dword ptr [006ABA70], eax
* Possible StringData Ref from Data Obj ->"Y%???
:0069684D A174BA6A00 mov eax, dword ptr [006ABA74] ****
:00696852 50 push eax
:00696853 E82BEBFFFF call 00695383
:00696858 83C404 add esp, 00000004
:0069685B A374BA6A00 mov dword ptr [006ABA74], eax
* Possible StringData Ref from Data Obj ->"Y%???
:00696860 A178BA6A00 mov eax, dword ptr [006ABA78] ****
:00696865 50 push eax
:00696866 E818EBFFFF call 00695383
:0069686B 83C404 add esp, 00000004
:0069686E A378BA6A00 mov dword ptr [006ABA78], eax
* Possible StringData Ref from Data Obj ->"Y%???
:00696873 A17CBA6A00 mov eax, dword ptr [006ABA7C] ****
:00696878 50 push eax
:00696879 E805EBFFFF call 00695383
:0069687E 83C404 add esp, 00000004
:00696881 A37CBA6A00 mov dword ptr [006ABA7C], eax
* Possible StringData Ref from Data Obj ->"Y%???
:00696886 A180BA6A00 mov eax, dword ptr [006ABA80] ****
:0069688B 50 push eax
:0069688C E8F2EAFFFF call 00695383
:00696891 83C404 add esp, 00000004
:00696894 A380BA6A00 mov dword ptr [006ABA80], eax
:00696899 E902F3FFFF jmp 00695BA0
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00695B1A(U)
:0069689E 90 nop
:0069689F 51 push ecx
:006968A0 31C9 xor ecx, ecx
:006968A2 E301 jcxz 006968A5
:006968A4 BF596888BA mov edi, BA886859
:006968A9 6A00 push 00000000
:006968AB FF1574026B00 call dword ptr [006B0274]
:006968B1 8985DCFEFFFF mov dword ptr [ebp+FFFFFEDC], eax
:006968B7 83BDDCFEFFFF00 cmp dword ptr [ebp+FFFFFEDC], 00000000
:006968BE 7418 je 006968D8
:006968C0 8B85DCFEFFFF mov eax, dword ptr [ebp+FFFFFEDC]
:006968C6 A3FCF76A00 mov dword ptr [006AF7FC], eax
:006968CB 8B85DCFEFFFF mov eax, dword ptr [ebp+FFFFFEDC]
:006968D1 50 push eax
:006968D2 FF15F4016B00 call dword ptr [006B01F4]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:006968BE(C)
:006968D8 C705ECF76A0000000000 mov dword ptr [006AF7EC], 00000000
:006968E2 FF157C026B00 call dword ptr [006B027C]
:006968E8 8985E8FEFFFF mov dword ptr [ebp+FFFFFEE8], eax
:006968EE 81BDE8FEFFFF00000080 cmp dword ptr [ebp+FFFFFEE8], 80000000
:006968F8 734A jnb 00696944
:006968FA C7055CBF6A0001000000 mov dword ptr [006ABF5C], 00000001
* Possible StringData Ref from Data Obj ->"WSOCK32.DLL" *****************
:00696904 6860BF6A00 push 006ABF60
:00696909 FF1574026B00 call dword ptr [006B0274]
:0069690F 8985DCFEFFFF mov dword ptr [ebp+FFFFFEDC], eax
:00696915 83BDDCFEFFFF00 cmp dword ptr [ebp+FFFFFEDC], 00000000
:0069691C 7424 je 00696942
* Possible StringData Ref from Data Obj ->"WSAGetLastError"
3. Use 冲击波 (Bw2000) to get the real entry point, for example: 006922F8 <dongle required>
Also:
Friends without a dongle might as well bring a floppy or flash drive with TRW2000, W32Dasm and 冲击波 copied onto it, and go to a user who has the dongle to sort it out; it only takes ten minutes or so!
According to a helpful forum member, the 新虹 shell has no dongle-less trial function; even if the original program has a trial function, it won't work. (It seems to add a bit more protection, but it's much worse for promotion!)
The Olympics have closed, and the Chinese team won!
Unpacking the 新虹 shell without a dongle is already showing promise!
Email: jhqg3721@yahoo.com.cn
Post #12
Originally posted by nig:
> Looks like your Shanghai trip went smoothly. Good, brother!
No, not at all; I still haven't got the stuff done! I'm about dead tired, and I can't even handle the ROCKEY one with the dongle.
Sigh, my skills are too poor! If only I knew how to clone it.