[分享]精确定位tmd、wl 1.91-2.065 Version-加壳脱壳-看雪-安全社区|安全招聘|kanxue.com

[分享]精确定位tmd、wl 1.91-2.065 Version

发表于: 2009-9-28 12:43 6869

[分享]精确定位tmd、wl 1.91-2.065 Version

hxqlky

2009-9-28 12:43

6869

精确定位tmd、wl 1.91-2.065 Version
脚本早有了，自己搜索
01371000 >  68 60530000    push 5360
01371005 893424       mov dword ptr ss:[esp],esi
01371008 54             push esp
01371009 5E             pop esi
0137100A 53             push ebx
0137100B BB 5D48DC52    mov ebx,52DC485D
01371010 43             inc ebx
01371011 81C3 A6B723AD add ebx,AD23B7A6
01371017 01DE          add esi,ebx
01371019 5B             pop ebx
0137101A 83EE 04       sub esi,4
0137101D 873424       xchg dword ptr ss:[esp],esi

bp ZwContinue
7C956DAD >  B8 22000000    mov eax,22       断下
7C956DB2 BA 0003FE7F    mov edx,7FFE0300
7C956DB7 FF12          call dword ptr ds:[edx]
7C956DB9 C2 0800       retn 8
7C956DBC 90             nop

0006FCB0 7C95858C 返回到 ntdll.7C95858C 来自 ntdll.ZwContinue       f9
0006FCB4 0006FCD0
0006FCB8 00000000
0006FCBC C000001D

0006FCB0 7C95858C 返回到 ntdll.7C95858C 来自 ntdll.ZwContinue
0006FCB4 0006FCD0
0006FCB8 00000000
0006FCBC C0000096

0006FCD0  0001003F  ?..       向下
0006FCD4  00000000  ....
0006FCD8  00000000  ....
0006FCDC  00000000  ....

0006FD84  EEDC0014
0006FD88  0108B6C0  CISC-1.0108B6C0
0006FD8C  0000001B
0006FD90  00010212  UNICODE "MEDRIVE=C:"
0006FD94  0006FF9C

0108B6C0 64:8F05 0000000>pop dword ptr fs:[0]       eip
0108B6C7 83C4 04       add esp,4
0108B6CA 0F86 03000000 jbe CISC-1.0108B6D3
0108B6D0 66:8BC8       mov cx,ax
0108B6D3 8B8D 39022612 mov ecx,dword ptr ss:[ebp+12260239]
0108B6D9 83BD F5142612 0>cmp dword ptr ss:[ebp+122614F5],0

0108BAA5 0000          add byte ptr ds:[eax],al
0108BAA7 322E          xor ch,byte ptr ds:[esi]
0108BAA9 3036          xor byte ptr ds:[esi],dh
0108BAAB 35 00000000    xor eax,0
0108BAB0 0000          add byte ptr ds:[eax],al

0108BAA3  00000004  ...
0108BAA7  36302E32  2.06
0108BAAB  00000035  5...

0108BE29 83BD 9D172612 0>cmp dword ptr ss:[ebp+1226179D],0
0108BE30 0F85 0D000000 jnz CISC-1.0108BE43                Z跳
0108BE36 83BD 95272612 0>cmp dword ptr ss:[ebp+12262795],0
0108BE3D 0F84 86000000 je CISC-1.0108BEC9
0108BE43 FFB5 C5BA2C12 push dword ptr ss:[ebp+122CBAC5]
0108BE49 FFB5 C1BA2C12 push dword ptr ss:[ebp+122CBAC1]
0108BE4F FFB5 BDBA2C12 push dword ptr ss:[ebp+122CBABD]
0108BE55 FFB5 B9BA2C12 push dword ptr ss:[ebp+122CBAB9]
0108BE5B FFB5 B5BA2C12 push dword ptr ss:[ebp+122CBAB5]
0108BE61 FFB5 B1BA2C12 push dword ptr ss:[ebp+122CBAB1]
0108BE67 FFB5 A5BA2C12 push dword ptr ss:[ebp+122CBAA5]
0108BE6D FFB5 A1BA2C12 push dword ptr ss:[ebp+122CBAA1]
0108BE73 FFB5 ADBA2C12 push dword ptr ss:[ebp+122CBAAD]
0108BE79 FFB5 A9BA2C12 push dword ptr ss:[ebp+122CBAA9]
0108BE7F FFB5 9DBA2C12 push dword ptr ss:[ebp+122CBA9D]
0108BE85 FFB5 99BA2C12 push dword ptr ss:[ebp+122CBA99]
0108BE8B 8D85 93BA2C12 lea eax,dword ptr ss:[ebp+122CBA93]
0108BE91 50             push eax
0108BE92 8D85 DFBA2C12 lea eax,dword ptr ss:[ebp+122CBADF]
0108BE98 50             push eax
0108BE99 8D85 85282612 lea eax,dword ptr ss:[ebp+12262885]
0108BE9F 50             push eax
0108BEA0 FF95 AD272612 call dword ptr ss:[ebp+122627AD]
0108BEA6 83C4 38       add esp,38
0108BEA9 6A 40          push 40
0108BEAB 8D85 C9BA2C12 lea eax,dword ptr ss:[ebp+122CBAC9]
0108BEB1 50             push eax
0108BEB2 8D85 85282612 lea eax,dword ptr ss:[ebp+12262885]
0108BEB8 50             push eax
0108BEB9 6A 00          push 0
0108BEBB FF95 75332612 call dword ptr ss:[ebp+12263375]
0108BEC1 6A 01          push 1
0108BEC3 FF95 F1332612 call dword ptr ss:[ebp+122633F1]
0108BEC9 8BC1          mov eax,ecx

-----------------------------------------------------------------------
0108BE92 8D85 DFBA2C12 lea eax,dword ptr ss:[ebp+122CBADF]

地址=0108BAF3, (ASCII "Please, contact the software developers with the following codes. Thank you.

      (press CTRL+C on this window to copy to clipboard)

Version  = %s
CheckIN  = %d
CheckOUT = %d
ProcIN = %d
ProcOUT  = %d
ExitIN =)
eax=0108BAA7 (CISC-1.0108BAA7), ASCII "2.065"
--------------------------------------------------------------------------------------
0108BEAB 8D85 C9BA2C12 lea eax,dword ptr ss:[ebp+122CBAC9]

地址=0108BADD, (ASCII "Exception Information")
eax=00000147
0108BEBB FF95 75332612 call dword ptr ss:[ebp+12263375]       ; user32.MessageBoxExA

--------------------------------------------------

---------------------------
Exception Information
---------------------------
Please, contact the software developers with the following codes. Thank you.

      (press CTRL+C on this window to copy to clipboard)

Version  = 2.065

CheckIN  = 0

CheckOUT = 0

ProcIN = 0

ProcOUT  = 0

ExitIN = 0

ExitOUT  = 0

TPin    = 0

HWIn    = 0

IntV    = e1630fbf, f97e0183, e07b7f47, 91cc9667
---------------------------
确定
---------------------------

登录后可查看完整内容

[培训]内核驱动高级班，冲击BAT一流互联网大厂工作，每周日13:00-18:00直播授课

收藏・1

免费・7

支持

最新回复 (1)
yzjsdn 雪币： 170 活跃值： (18) 能力值： ( LV2，RANK：10 ) 在线值：发帖 3 回帖 126 粉丝 0 关注私信	yzjsdn 2 楼山寨的山寨，脚本的手动执行，没意义，不如看脚本 2009-9-28 18:39 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

hxqlky

发帖

156

回帖

RANK

关注

私信

他的文章

[分享]eXPressor 1.6.0.1 (All Protections) 5706
[分享]脱壳svkp1.43 5508
[分享]脱壳Yodas Crypter 1.3 3985
[分享]脱壳ExeCryptor 2.4.1 6439
[分享]精确定位tmd、wl 1.91-2.065 Version 6870

关于我们

联系我们

企业服务

看雪公众号

专注于PC、移动、智能设备安全研究及逆向工程的开发者社区

最新回复 (1)
yzjsdn 雪币： 170 活跃值： (18) 能力值： ( LV2，RANK：10 ) 在线值：发帖 3 回帖 126 粉丝 0 关注私信	yzjsdn 2 楼山寨的山寨，脚本的手动执行，没意义，不如看脚本 2009-9-28 18:39 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复