busheler
Posted on 2006-1-13 13:00:12
Thanks, it works now! :)
Done; the write-up above has also been updated. Please advise!
[ This post was last edited by busheler on 2006-1-13 14:28 ]
飘云
Posted on 2006-3-30 13:04:08
Ugh~~ the attachment got lost
Re-uploading~~
魔剑天下
Posted on 2006-6-26 17:59:09
Working on cracking it
lgjxj
Posted on 2006-7-1 02:22:09
Downloaded it, but I can't get it done. I'll read the analysis above before playing with it more.
黑夜彩虹
Posted on 2006-7-1 10:26:54
This packer just can't be repaired... ugh
Could someone explain it...
魔域王者
Posted on 2006-7-5 07:37:31
There's an automatic unpacker for this packer.. search for it online
musoft
Posted on 2006-11-5 20:28:57
- - I saw crackme003, so I also searched for 001 to practise on, heh. Boss, this doesn't count as digging up an old thread, does it? Heh~
Adding the method for removing the delay, a small trick~
I used ReSscope and modified the RC data~
object Button1: TButton
Left = 64
Top = 208
Width = 75
Height = 25
Caption = '确 定'
Enabled = true
TabOrder = 1
OnClick = Button1Click
end
object Button2: TButton
Left = 214
Top = 208
Width = 75
Height = 25
Caption = '取 消'
TabOrder = 2
OnClick = Button2Click
end
object Timer1: TTimer
OnTimer = Timer1Timer
Left = 152
Top = 208
Enabled=False
end
end
-----------------------------------------------------------
Nag removal: in OD, NOP out
00468486|.A1 E0A64600 mov eax, dword ptr
0046848B|.E8 7CBEF9FF call 0040430C
00468490|.8BD0 mov edx, eax
00468492|.8D45 FC lea eax, dword ptr
00468495|.E8 AABBF9FF call 00404044
0046849A|.8B45 FC mov eax, dword ptr
0046849D|.E8 4EF3FBFF call 004277F0
004684A2|.8BC3 mov eax, ebx
004684A4|.E8 7379FEFF call 0044FE1C
004684A9|.33C0 xor eax, eax
004684AB|.5A pop edx
004684AC|.59 pop ecx
004684AD|.59 pop ecx
004684AE|.64:8910 mov dword ptr fs:, edx
this block of code and it's done, heh~
[ This post was last edited by musoft on 2006-11-5 20:38 ]
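The post edits the form's text DFM resource so the timer never fires and the button starts enabled. The parser and property rewriter below are an added example, not musoft's tool or the crackme's real form; the sample DFM is constructed, and the object names Timer1/Button1 are taken from the post.

```python
import re
# Constructed sample in the text DFM layout shown in the post; not the crackme's real form
SAMPLE_DFM = """object Form1: TForm
  Caption = 'CrackMe'
  object Button1: TButton
    Caption = 'OK'
    Enabled = False
    OnClick = Button1Click
  end
  object Timer1: TTimer
    Interval = 5000
    OnTimer = Timer1Timer
    Enabled=True
  end
end
"""
OBJ_RE = re.compile(r"^\s*object\s+(\w+)\s*:\s*(\w+)\s*$")
PROP_RE = re.compile(r"^\s*(\w+)\s*=\s*(.*?)\s*$")   # tolerates 'Enabled=True' without spaces

def parse_dfm(text):
    """Return {name: {'type', 'props': {key: (value, line_no)}, 'start', 'end'}}."""
    objects, stack = {}, []
    for i, line in enumerate(text.splitlines()):
        m = OBJ_RE.match(line)
        if m:
            node = {"type": m.group(2), "props": {}, "start": i, "end": None}
            objects[m.group(1)] = node
            stack.append(node)
        elif line.strip() == "end":
            stack.pop()["end"] = i
        elif stack and (m := PROP_RE.match(line)):
            stack[-1]["props"][m.group(1)] = (m.group(2), i)   # innermost object owns it
    return objects

def set_property(text, obj_name, key, value):
    """Rewrite 'key = value' inside one object's block, adding the line if it is missing."""
    node = parse_dfm(text)[obj_name]
    lines = text.splitlines()
    if key in node["props"]:
        i = node["props"][key][1]
        indent = lines[i][: len(lines[i]) - len(lines[i].lstrip())]
        lines[i] = f"{indent}{key} = {value}"
    else:
        head = lines[node["start"]]
        indent = head[: len(head) - len(head.lstrip())] + "  "
        lines.insert(node["start"] + 1, f"{indent}{key} = {value}")
    return "\n".join(lines) + "\n"

def remove_delay(text, timer="Timer1", button="Button1"):
    """The post's edit: the timer never fires and the button is usable immediately."""
    return set_property(set_property(text, timer, "Enabled", "False"), button, "Enabled", "True")
```

This only covers the text form of a DFM; a binary DFM must first be converted (for example with a resource editor) before it can be edited this way.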
icelei
Posted on 2006-11-8 18:14:20
Grabbed it for study :victory:
chadd
Posted on 2006-11-12 17:52:13
Method for removing the Nag
Set a breakpoint on the ShowWindow function and locate 00450214 (the loop from 004501CC to 00450212 reaches 00450214, where the window appears); scroll up to find 00450074 and change it to JMP 00450258.
00450074 55 push ebp JMP 450258
00450075 8BEC mov ebp, esp
00450077 83C4 E0 add esp, -20
0045007A|.53 push ebx
0045007B|.56 push esi
0045007C|.33D2 xor edx, edx
0045007E|.8955 E0 mov , edx
00450081|.8945 FC mov , eax
00450084|.33C0 xor eax, eax
00450086|.55 push ebp
00450087|.68 3C034500 push 0045033C
0045008C|.64:FF30 push dword ptr fs:
0045008F|.64:8920 mov fs:, esp
00450092|.E8 7125FEFF call 00432608
00450097|.8B45 FC mov eax,
0045009A|.8078 57 00 cmp byte ptr , 0
0045009E|.75 24 jnz short 004500C4
004500A0|.8B45 FC mov eax,
004500A3|.8B10 mov edx,
004500A5|.FF52 50 call
004500A8|.84C0 test al, al
004500AA|.74 18 je short 004500C4
004500AC|.8B45 FC mov eax,
004500AF|.F680 F4020000>test byte ptr , 8
004500B6|.75 0C jnz short 004500C4
004500B8|.8B45 FC mov eax,
004500BB|.80B8 2F020000>cmp byte ptr , 1
004500C2|.75 21 jnz short 004500E5
004500C4|>8D55 E0 lea edx,
004500C7|.A1 D0A84600 mov eax,
004500CC|.E8 D758FBFF call 004059A8
004500D1|.8B4D E0 mov ecx,
004500D4|.B2 01 mov dl, 1
004500D6|.A1 4C164100 mov eax,
004500DB|.E8 6CB2FBFF call 0040B34C
004500E0|.E8 A337FBFF call 00403888
004500E5|>E8 C662FBFF call 004063B0 ; [GetCapture
004500EA|.85C0 test eax, eax
004500EC|.74 11 je short 004500FF
004500EE|.6A 00 push 0 ; /lParam = 0
004500F0|.6A 00 push 0 ; |wParam = 0
004500F2|.6A 1F push 1F ; |Message = WM_CANCELMODE
004500F4|.E8 B762FBFF call 004063B0 ; |[GetCapture
004500F9|.50 push eax ; |hWnd
004500FA|.E8 5965FBFF call 00406658 ; \SendMessageA
004500FF|>E8 2465FBFF call 00406628 ; [ReleaseCapture
00450104|.A1 DCBB4600 mov eax,
00450109|.E8 06240000 call 00452514
0045010E|.33D2 xor edx, edx
00450110|.55 push ebp
00450111|.68 1F034500 push 0045031F
00450116|.64:FF32 push dword ptr fs:
00450119|.64:8922 mov fs:, esp
0045011C|.8B45 FC mov eax,
0045011F|.8088 F4020000>or byte ptr , 8
00450126|.E8 7D62FBFF call 004063A8 ; [GetActiveWindow
0045012B|.8945 E4 mov , eax
0045012E|.A1 B89C4600 mov eax,
00450133|.8945 F0 mov , eax
00450136|.A1 E0BB4600 mov eax,
0045013B|.8B48 78 mov ecx,
0045013E|.A1 E0BB4600 mov eax,
00450143|.8B40 7C mov eax,
00450146|.33D2 xor edx, edx
00450148|.E8 4339FCFF call 00413A90
0045014D|.A1 E0BB4600 mov eax,
00450152|.8B55 FC mov edx,
00450155|.8950 78 mov , edx
00450158|.A1 E0BB4600 mov eax,
0045015D|.66:8B40 44 mov ax,
00450161|.66:8945 EE mov , ax
00450165|.33D2 xor edx, edx
00450167|.A1 E0BB4600 mov eax,
0045016C|.E8 D3130000 call 00451544
00450171|.A1 E0BB4600 mov eax,
00450176|.8B40 48 mov eax,
00450179|.8945 E8 mov , eax
0045017C|.33C0 xor eax, eax
0045017E|.E8 C9A2FFFF call 0044A44C
00450183|.8945 F4 mov , eax
00450186|.33D2 xor edx, edx
00450188|.55 push ebp
00450189|.68 FD024500 push 004502FD
0045018E|.64:FF32 push dword ptr fs:
00450191|.64:8922 mov fs:, esp
00450194|.8B45 FC mov eax,
00450197|.E8 28FEFFFF call 0044FFC4
0045019C|.33D2 xor edx, edx
0045019E|.55 push ebp
0045019F|.68 5C024500 push 0045025C
004501A4|.64:FF32 push dword ptr fs:
004501A7|.64:8922 mov fs:, esp
004501AA|.6A 00 push 0
004501AC|.6A 00 push 0
004501AE|.68 00B00000 push 0B000
004501B3|.8B45 FC mov eax,
004501B6|.E8 C9A3FEFF call 0043A584
004501BB|.50 push eax ; |hWnd
004501BC|.E8 9764FBFF call 00406658 ; \SendMessageA
004501C1|.8B45 FC mov eax,
004501C4|.33D2 xor edx, edx
004501C6|.8990 4C020000 mov , edx
004501CC|>A1 DCBB4600 /mov eax,
004501D1|.E8 DA310000 |call 004533B0
004501D6|.A1 DCBB4600 |mov eax,
004501DB|.80B8 9C000000>|cmp byte ptr , 0
004501E2|.74 0F |je short 004501F3
004501E4|.8B45 FC |mov eax,
004501E7|.C780 4C020000>|mov dword ptr ,>
004501F1|.EB 14 |jmp short 00450207
004501F3|>8B45 FC |mov eax,
004501F6|.83B8 4C020000>|cmp dword ptr ,>
004501FD|.74 08 |je short 00450207
004501FF|.8B45 FC |mov eax,
00450202|.E8 1DFDFFFF |call 0044FF24
00450207|>8B45 FC |mov eax,
0045020A|.8B80 4C020000 |mov eax,
00450210|.85C0 |test eax, eax
00450212|.^ 74 B8 \je short 004501CC
00450214|.8945 F8 mov , eax ; the window appears here
00450217|.6A 00 push 0
00450219|.6A 00 push 0
0045021B|.68 01B00000 push 0B001
00450220|.8B45 FC mov eax,
00450223|.E8 5CA3FEFF call 0043A584
00450228|.50 push eax ; |hWnd
00450229|.E8 2A64FBFF call 00406658 ; \SendMessageA
0045022E|.8B45 FC mov eax,
00450231|.E8 4EA3FEFF call 0043A584
00450236|.8BD8 mov ebx, eax
00450238|.E8 6B61FBFF call 004063A8 ; [GetActiveWindow
0045023D|.3BD8 cmp ebx, eax
0045023F|.74 05 je short 00450246
00450241|.33C0 xor eax, eax
00450243|.8945 E4 mov , eax
00450246|>33C0 xor eax, eax
00450248|.5A pop edx
00450249|.59 pop ecx
0045024A|.59 pop ecx
0045024B|.64:8910 mov fs:, edx
0045024E|.68 63024500 push 00450263
00450253|>8B45 FC mov eax,
00450256|.E8 61FDFFFF call 0044FFBC
0045025B\.C3 retn
0045025C .^ E9 EF35FBFF jmp 00403850
00450261 .^ EB F0 jmp short 00450253
00450263 .33C0 xor eax, eax
00450265 .5A pop edx
00450266 .59 pop ecx
00450267 .59 pop ecx
[ This post was last edited by chadd on 2006-11-12 18:06 ]
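The post reads jump targets off the listing and then replaces the bytes at 00450074 with a JMP to 00450258. The script below is an added example, not chadd's work: it decodes the rel8/rel32 jumps in a few lines copied from the listing format above, checks that the printed targets match the encodings, and computes the bytes such a patch would need. The sample listing lines are constructed to match the thread's format.

```python
import re
# Constructed sample: jump lines in the OllyDbg listing style used in the thread
LISTING = """\
0045009E|.75 24 jnz short 004500C4
00450212|.^ 74 B8 \\je short 004501CC
0045025C .^ E9 EF35FBFF jmp 00403850
00450261 .^ EB F0 jmp short 00450253
"""
HEX = re.compile(r"^[0-9A-Fa-f]+$")

def parse_jump_line(line):
    """Return (addr, opcode bytes, printed target) for a j* line, else None."""
    tokens = re.sub(r"[|.^\\/]", " ", line).split()   # drop OllyDbg flow markers
    if len(tokens) < 3 or not HEX.match(tokens[0]):
        return None
    addr, rest, code = int(tokens[0], 16), tokens[1:], []
    while rest and HEX.match(rest[0]):                 # leading tokens are the opcode bytes
        code.append(rest.pop(0))
    if not rest or not rest[0].startswith("j") or not HEX.match(rest[-1]):
        return None
    return addr, bytes.fromhex("".join(code)), int(rest[-1], 16)

def decoded_target(addr, code):
    """Destination of a relative jump, computed from its encoding (rel8 or rel32)."""
    op = code[0]
    if op == 0xEB or 0x70 <= op <= 0x7F:                 # short jmp / jcc: rel8
        size, rel = 2, int.from_bytes(code[1:2], "little", signed=True)
    elif op == 0xE9:                                     # near jmp: rel32
        size, rel = 5, int.from_bytes(code[1:5], "little", signed=True)
    elif op == 0x0F and 0x80 <= code[1] <= 0x8F:         # near jcc: rel32
        size, rel = 6, int.from_bytes(code[2:6], "little", signed=True)
    else:
        raise ValueError(f"not a relative jump: {code.hex()}")
    return (addr + size + rel) & 0xFFFFFFFF             # relative to the next instruction

def check_listing(text):
    """Map each jump's address to True when the printed target matches the decoded one."""
    results = {}
    for line in text.splitlines():
        parsed = parse_jump_line(line)
        if parsed:
            addr, code, printed = parsed
            results[f"{addr:08X}"] = decoded_target(addr, code) == printed
    return results

def encode_jmp(src, dst):
    """Bytes for an unconditional jmp at src to dst: EB rel8 when it fits, else E9 rel32."""
    rel8 = dst - (src + 2)
    if -128 <= rel8 <= 127:
        return bytes([0xEB]) + rel8.to_bytes(1, "little", signed=True)
    return bytes([0xE9]) + (dst - (src + 5)).to_bytes(4, "little", signed=True)
```

For the post's patch, encode_jmp(0x00450074, 0x00450258) gives E9 DF 01 00 00; those five bytes overwrite push ebp, mov ebp, esp and the first two bytes of add esp, -20 in the listing, so the left-over E0 byte is never executed.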
madshime
Posted on 2007-1-8 02:43:10
Originally posted by 黑夜彩虹 on 2006-7-1 10:26
This packer just can't be repaired... ugh
Could someone explain it...
Same here.... in the end I was forced to go and find an unpacker