[Repost] Unpacking arm4.4 single-process without the key
Article author: wangshq397

Unpacking arm4.4 single-process without the key

Using the Chinese-localized arm4.4. This article only discusses the key: in the packing options, select only "require a key at runtime", enter the key iw9LWgs4FPbkw8JVhq2E, and leave every other option unchecked.

Load the target in the modified OD, run with Shift+F9, and a prompt pops up. Enter any key, then set a breakpoint from the OD command line: bp strlen
Click OK. After the break, press Alt+F9 to return:

00A149E4  E835060100    call 00A2501E
00A149E9  85C0          test eax,eax                     => returns here
00A149EB  59            pop ecx
00A149EC  741A          je short 00A14A08
00A149EE  8B0DE01EA300  mov ecx,dword ptr ds:[A31EE0]
00A149F4  8D8500FFFFFF  lea eax,dword ptr ss:[ebp-100]
00A149FA  50            push eax
00A149FB  E87D77FEFF    call 009FC17D
00A14A00  84C0          test al,al                       => tests the flag; change al to 1
00A14A02  7404          je short 00A14A08
00A14A04  6A01          push 1
00A14A06  EB4C          jmp short 00A14A54               => take the jump

Delete that breakpoint and set a new one: bp GetModuleHandleA. Run with Shift+F9; after the break, remove the breakpoint and press Alt+M to set a memory breakpoint on the section shown below:

Memory map, entry 50
Address        = 01001000
Size           = 00016000 (90112.)
Owner          = 350s 01000000
Section        = .text
Type           = Imag 01001002
Access         = R
Initial access = RWE

Run with Shift+F9; after the break you arrive at the OEP. If the first break is not it, the second or third one will be.

0100E3B7  6A60          push 60
0100E3B9  68E01C0001    push 350s.01001CE0
0100E3BE  E831120000    call 350s.0100F5F4
0100E3C3  BF94000000    mov edi,94
0100E3C8  8BC7          mov eax,edi
0100E3CA  E881130000    call 350s.0100F750
0100E3CF  8965E8        mov dword ptr ss:[ebp-18],esp
0100E3D2  8BF4          mov esi,esp
0100E3D4  893E          mov dword ptr ds:[esi],edi
0100E3D6  56            push esi
0100E3D7  FF15AC10000>  call dword ptr ds:[10010AC]      ; kernel32.GetVersionExA
0100E3DD  8B4E10        mov ecx,dword ptr ds:[esi+10]

Dumping and import repair are omitted.
The packed program is in the attachment.
Attachment: 350s.rar (http://bbs.pediy.com/upload/2006/8/files/350s.rar)