Enigma 1.xx - 2.xx Universal NAG Removal Principle, Animated Tutorial, by rAy
This post was last edited by Rainy on 2013-8-27 21:46. Enigma versions tested for this tutorial: Enigma 1.51, 1.53, 1.55, 1.71, 1.91, 2.21 and others.
Search for the string that identifies the call to the NAG window (DLL_Loader_NAG_Unit):
44 4C 4C 5F 4C 6F 61 64 65 72 5F 4E 41 47 5F 55 6E 69 74
Loading project settings
Loading main information
Loading Registration Features
Loading Checkup
Loading Protection
Loading Miscellaneous
Protection started
Input file size
Process Entry point
Compress section
File entropy
1. Enigma 1.55: NAG removal address and patch code
006D5A2F 8BD6 mov edx,esi
006D5A31 8B45 F8 mov eax,dword ptr ss:[ebp-0x8]
006D5A34 E8 1FE5DFFF call Enigma.004D3F58
006D5A39 E9 44000000 jmp Enigma.006D5A82
Patch code:
60 9C 81 3E 53 56 57 55 75 13 81 7E F8 5F 55 6E 69 75 0A C6 06 C3 9D 61 E9 65 8B FB FF 83 C6 04 EB E0
0071CF00 60 pushad
0071CF01 9C pushfd
0071CF02 813E 53565755 cmp dword ptr ds:[esi],0x55575653
0071CF08 75 13 jnz XEnigma.0071CF1D
0071CF0A 817E F8 5F556E69 cmp dword ptr ds:[esi-0x8],0x696E555F
0071CF11 75 0A jnz XEnigma.0071CF1D
0071CF13 C606 C3 mov byte ptr ds:[esi],0xC3
0071CF16 9D popfd
0071CF17 61 popad
0071CF18 ^ E9 658BFBFF jmp Enigma.006D5A82
0071CF1D 83C6 04 add esi,0x4
0071CF20 ^ EB C4 jmp XEnigma.0071CEE6
2. Enigma 2.21: NAG removal address and patch code
In this version the Nag cannot simply be turned into a retn as before, because GetTickCount is called before and after ShowNagWindow to time it; the removal method is to nop out the function and change the sub to an add.
Reference: http://www.52pojie.cn/thread-71355-1-1.html
Patch site: 0077B657 E8 E43FDAFF call Enigma32.0051F640
Patch code address: 00869F00
Patch code:
89 50 04 8B 45 FC 60 90 52 8B FF 55 8B EC 56 8B 75 04 85 F6 74 41 57 68 94 12 00 00 8D 86 90 7C
0F 00 6A 00 50 FF 15 60 9F 86 00 68 84 CC 00 00 8D 86 AC 17 11 00 6A 00 50 FF 15 60 9F 86 00 B8
90 90 90 90 8D BE 7C 99 0F 00 AB 83 C4 18 AA C6 86 86 99 0F 00 03 5F 5E 5D 58 61 E9 08 17 F1 FF
F0 75 C1 77 00
00869F00 8950 04 mov dword ptr ds:[eax+0x4],edx
00869F03 8B45 FC mov eax,dword ptr ss:[ebp-0x4]
00869F06 60 pushad
00869F07 90 nop
00869F08 52 push edx
00869F09 8BFF mov edi,edi
00869F0B 55 push ebp
00869F0C 8BEC mov ebp,esp
00869F0E 56 push esi
00869F0F 8B75 04 mov esi,dword ptr ss:[ebp+0x4]
00869F12 85F6 test esi,esi
00869F14 74 41 je XEnigma32.00869F57
00869F16 57 push edi
00869F17 68 94120000 push 0x1294
00869F1C 8D86 907C0F00 lea eax,dword ptr ds:[esi+0xF7C90]
00869F22 6A 00 push 0x0
00869F24 50 push eax
00869F25 FF15 609F8600 call dword ptr ds:[0x869F60] ; msvcrt.memset
00869F2B 68 84CC0000 push 0xCC84
00869F30 8D86 AC171100 lea eax,dword ptr ds:[esi+0x1117AC]
00869F36 6A 00 push 0x0
00869F38 50 push eax
00869F39 FF15 609F8600 call dword ptr ds:[0x869F60] ; msvcrt.memset
00869F3F B8 90909090 mov eax,0x90909090
00869F44 8DBE 7C990F00 lea edi,dword ptr ds:[esi+0xF997C]
00869F4A AB stos dword ptr es:[edi]
00869F4B 83C4 18 add esp,0x18
00869F4E AA stos byte ptr es:[edi]
00869F4F C686 86990F00 03 mov byte ptr ds:[esi+0xF9986],0x3
00869F56 5F pop edi
00869F57 5E pop esi
00869F58 5D pop ebp
00869F59 58 pop eax
00869F5A 61 popad
00869F5B ^ E9 0817F1FF jmp Enigma32.0077B668
00869F60 F0:75 C1 lock jnz XEnigma32.00869F24 ; lock prefix not allowed
00869F63 77 00 ja XEnigma32.00869F65
(The bytes at 00869F60 are data, not code: the dword 0x77C175F0 is the msvcrt.memset pointer read by the two call dword ptr [0x869F60] instructions above; the debugger simply disassembles it as a bogus lock jnz / ja pair.)