[求助]Armadillo 2.51 - 3.xx DLL 脱壳
发表于: 2009-4-18 14:27 1893
用 PEiD 查壳，结果为：Armadillo 2.51 - 3.xx DLL Stub -> Silicon Realms Toolworks（PEiD 依据特征码识别，版本范围仅供参考，需结合实际调试确认）
用 OD 载入该 DLL，停在如下入口处：
009F7017 X> 55 push ebp
009F7018 8BEC mov ebp,esp
009F701A 53 push ebx
009F701B 8B5D 08 mov ebx,dword ptr ss:[ebp+8]
009F701E 56 push esi
009F701F 8B75 0C mov esi,dword ptr ss:[ebp+C]
009F7022 57 push edi
009F7023 8B7D 10 mov edi,dword ptr ss:[ebp+10]
009F7026 85F6 test esi,esi
009F7028 75 09 jnz short XKeyAPI.009F7033
009F702A 833D 9827A100 >cmp dword ptr ds:[A12798],0
009F7031 EB 26 jmp short XKeyAPI.009F7059
009F7033 83FE 01 cmp esi,1
009F7036 74 05 je short XKeyAPI.009F703D
下断点 bp GetModuleHandleA+5（断在 API 入口之后几字节处，而不是入口第一条指令），Shift+F9 运行，中断后查看堆栈窗口
堆栈如下：
00069380 /000695E4
00069384 |01425A60 返回到 01425A60 来自 kernel32.GetModuleHandleA
00069388 |000694C0 ASCII "kernel32.dll"
0006938C |0006E940
清除断点，ALT+F9 返回到调用处（01425A60）：
01425A60 8B0D B4D24401 mov ecx,dword ptr ds:[144D2B4]
01425A66 89040E mov dword ptr ds:[esi+ecx],eax
01425A69 A1 B4D24401 mov eax,dword ptr ds:[144D2B4]
01425A6E 393C06 cmp dword ptr ds:[esi+eax],edi
01425A71 75 16 jnz short 01425A89
01425A73 8D85 DCFEFFFF lea eax,dword ptr ss:[ebp-124]
01425A79 50 push eax
01425A7A FF15 90F04301 call dword ptr ds:[143F090] ; kernel32.LoadLibraryA
01425A80 8B0D B4D24401 mov ecx,dword ptr ds:[144D2B4]
01425A86 89040E mov dword ptr ds:[esi+ecx],eax
01425A89 A1 B4D24401 mov eax,dword ptr ds:[144D2B4]
01425A8E 393C06 cmp dword ptr ds:[esi+eax],edi
01425A91 0F84 2F010000 je 01425BC6 ; 此处将 je 改为 jmp，使其无条件跳转到 01425BC6
01425A97 33C9 xor ecx,ecx
01425A99 8B03 mov eax,dword ptr ds:[ebx]
01425A9B 3938 cmp dword ptr ds:[eax],edi
01425A9D 74 06 je short 01425AA5
01425A9F 41 inc ecx
01425AA0 83C0 0C add eax,0C
01425AA3 ^ EB F6 jmp short 01425A9B
01425AA5 8BF9 mov edi,ecx
01425AA7 C1E7 02 shl edi,2
01425AAA 57 push edi
下断点 bp GetTickCount，Shift+F9 运行
中断 3 次后按 ALT+F9 返回到这里：
01436A47 2B85 58D7FFFF sub eax,dword ptr ss:[ebp-28A8]
01436A4D 8B8D 5CD7FFFF mov ecx,dword ptr ss:[ebp-28A4]
01436A53 6BC9 32 imul ecx,ecx,32
01436A56 81C1 D0070000 add ecx,7D0
01436A5C 3BC1 cmp eax,ecx
01436A5E 76 07 jbe short 01436A67
01436A60 C685 30DBFFFF >mov byte ptr ss:[ebp-24D0],1
01436A67 83BD F0D9FFFF >cmp dword ptr ss:[ebp-2610],0
01436A6E 0F85 8A000000 jnz 01436AFE
01436A74 0FB685 48D7FFF>movzx eax,byte ptr ss:[ebp-28B8]
01436A7B 85C0 test eax,eax
01436A7D 74 7F je short 01436AFE
01436A7F 6A 00 push 0
01436A81 8B85 4CD7FFFF mov eax,dword ptr ss:[ebp-28B4]
01436A87 C1E0 02 shl eax,2
01436A8A 50 push eax
01436A8B 8B85 10DAFFFF mov eax,dword ptr ss:[ebp-25F0]
01436A91 0385 44D7FFFF add eax,dword ptr ss:[ebp-28BC]
01436A97 50 push eax
01436A98 E8 AA140000 call 01437F47
01436A9D 83C4 0C add esp,0C
01436AA0 8B85 4CD7FFFF mov eax,dword ptr ss:[ebp-28B4]
01436AA6 C1E0 02 shl eax,2
在 CPU 窗口按 Ctrl+S（搜索命令序列）查找如下代码：
PUSH EAX
XCHG CX,CX
POP EAX
STC
搜索到这里就再找不到上述特征码了！我调试的是一个带加密狗保护的 DLL，请大家帮忙分析一下。
用 OD 载入该 DLL，停在如下入口处：
009F7017 X> 55 push ebp
009F7018 8BEC mov ebp,esp
009F701A 53 push ebx
009F701B 8B5D 08 mov ebx,dword ptr ss:[ebp+8]
009F701E 56 push esi
009F701F 8B75 0C mov esi,dword ptr ss:[ebp+C]
009F7022 57 push edi
009F7023 8B7D 10 mov edi,dword ptr ss:[ebp+10]
009F7026 85F6 test esi,esi
009F7028 75 09 jnz short XKeyAPI.009F7033
009F702A 833D 9827A100 >cmp dword ptr ds:[A12798],0
009F7031 EB 26 jmp short XKeyAPI.009F7059
009F7033 83FE 01 cmp esi,1
009F7036 74 05 je short XKeyAPI.009F703D
下断点 bp GetModuleHandleA+5（断在 API 入口之后几字节处，而不是入口第一条指令），Shift+F9 运行，中断后查看堆栈窗口
堆栈如下：
00069380 /000695E4
00069384 |01425A60 返回到 01425A60 来自 kernel32.GetModuleHandleA
00069388 |000694C0 ASCII "kernel32.dll"
0006938C |0006E940
清除断点，ALT+F9 返回到调用处（01425A60）：
01425A60 8B0D B4D24401 mov ecx,dword ptr ds:[144D2B4]
01425A66 89040E mov dword ptr ds:[esi+ecx],eax
01425A69 A1 B4D24401 mov eax,dword ptr ds:[144D2B4]
01425A6E 393C06 cmp dword ptr ds:[esi+eax],edi
01425A71 75 16 jnz short 01425A89
01425A73 8D85 DCFEFFFF lea eax,dword ptr ss:[ebp-124]
01425A79 50 push eax
01425A7A FF15 90F04301 call dword ptr ds:[143F090] ; kernel32.LoadLibraryA
01425A80 8B0D B4D24401 mov ecx,dword ptr ds:[144D2B4]
01425A86 89040E mov dword ptr ds:[esi+ecx],eax
01425A89 A1 B4D24401 mov eax,dword ptr ds:[144D2B4]
01425A8E 393C06 cmp dword ptr ds:[esi+eax],edi
01425A91 0F84 2F010000 je 01425BC6 ; 此处将 je 改为 jmp，使其无条件跳转到 01425BC6
01425A97 33C9 xor ecx,ecx
01425A99 8B03 mov eax,dword ptr ds:[ebx]
01425A9B 3938 cmp dword ptr ds:[eax],edi
01425A9D 74 06 je short 01425AA5
01425A9F 41 inc ecx
01425AA0 83C0 0C add eax,0C
01425AA3 ^ EB F6 jmp short 01425A9B
01425AA5 8BF9 mov edi,ecx
01425AA7 C1E7 02 shl edi,2
01425AAA 57 push edi
下断点 bp GetTickCount，Shift+F9 运行
中断 3 次后按 ALT+F9 返回到这里：
01436A47 2B85 58D7FFFF sub eax,dword ptr ss:[ebp-28A8]
01436A4D 8B8D 5CD7FFFF mov ecx,dword ptr ss:[ebp-28A4]
01436A53 6BC9 32 imul ecx,ecx,32
01436A56 81C1 D0070000 add ecx,7D0
01436A5C 3BC1 cmp eax,ecx
01436A5E 76 07 jbe short 01436A67
01436A60 C685 30DBFFFF >mov byte ptr ss:[ebp-24D0],1
01436A67 83BD F0D9FFFF >cmp dword ptr ss:[ebp-2610],0
01436A6E 0F85 8A000000 jnz 01436AFE
01436A74 0FB685 48D7FFF>movzx eax,byte ptr ss:[ebp-28B8]
01436A7B 85C0 test eax,eax
01436A7D 74 7F je short 01436AFE
01436A7F 6A 00 push 0
01436A81 8B85 4CD7FFFF mov eax,dword ptr ss:[ebp-28B4]
01436A87 C1E0 02 shl eax,2
01436A8A 50 push eax
01436A8B 8B85 10DAFFFF mov eax,dword ptr ss:[ebp-25F0]
01436A91 0385 44D7FFFF add eax,dword ptr ss:[ebp-28BC]
01436A97 50 push eax
01436A98 E8 AA140000 call 01437F47
01436A9D 83C4 0C add esp,0C
01436AA0 8B85 4CD7FFFF mov eax,dword ptr ss:[ebp-28B4]
01436AA6 C1E0 02 shl eax,2
在 CPU 窗口按 Ctrl+S（搜索命令序列）查找如下代码：
PUSH EAX
XCHG CX,CX
POP EAX
STC
搜索到这里就再找不到上述特征码了！我调试的是一个带加密狗保护的 DLL，请大家帮忙分析一下。