WinXP SP2运行一闪而过。Win2K SP4可运行,先打开一个Armdillo保护的程序。再打开这个DeAttcher.exe,可自动找到目标程序.但deattach子进程时,加壳程序报错.是否不能对付Armdillo 5.20?
这个程序用Armdillo 5.20 Pro加壳的,用了Debug-Blocker+CopyMem-II等.Peid0.94,FI4.01均无法识别,ArmFP1.6检测结果如下:
!- Protected Armadillo
Protection system (Professional)
!- <Protection Options>
Debug-Blocker
CopyMem-II
Enable Import Table Elimination
Enable Nanomites Processing
Enable Memory-Patching Protections
!- <Backup Key Options>
Variable Backup Keys
!- <Compression Options>
Better/Slower Compression
!- <Other Options>
Store Environment Vars Externally
Allow Only One Copy
Disable Monitoring Thread
Use eSellerate Edition Keys
?- Signature 47267400 30-10-2007
开头不知啥壳,运行发现双进程,节表发现有text1,adata,data1和pdata,初步判断是arm的壳,就用ArmFP1.6查如上,不知版本,今天下了arm5.20,自己把记事本加了个壳,用ArmFP1.6一查发现Signature是47267400 30-10-2007和上面一样。再看arm5.20的Help,发现Version 5.20, 30October2007而Version 5.20 Beta-1, 01October2007。所以肯定是Arm5.20的壳了。
