好友
阅读权限 40
听众
最后登录 1970-1-1
目标文件 http://forum.tuts4you.com/index.php?showtopic=18316 新版本的就下载下来看看
本文系写个新手看的老鸟路过吧 开始动工。
C:\TDDOWNLOAD\Armadillo6.2.4.624.exe
!- Protected Armadillo
Protection system (Professional)
!- <Protection Options>
Debug-Blocker
!- <Backup Key Options>
Fixed Backup Keys
!- <Compression Options>
Minimal/Fastest Compression
!- <Other Options>
Use Digital River Edition Keys
49347A80 Version 6.24 02-12-2008
!- Elapsed Time 00h 00m 01s 687ms
09B8-DE48
crack
000JM0-26TU82-N5WR91-4NRETJ-A98ZBZ-P5D7YR-FPEM2K-AKG41P
1.
0106B000 A> 60 PUSHAD
0106B001 E8 00000000 CALL Armadill.0106B006
0106B006 5D POP EBP ; kernel32.7C817067
0106B007 50 PUSH EAX
0106B008 51 PUSH ECX
0106B009 0FCA BSWAP EDX ; ntdll.KiFastSystemCallRet
0106B00B F7D2 NOT EDX ; ntdll.KiFastSystemCallRet
0106B00D 9C PUSHFD
0106B00E F7D2 NOT EDX ; ntdll.KiFastSystemCallRet
0106B010 0FCA BSWAP EDX ; ntdll.KiFastSystemCallRet
0106B012 EB 0F JMP SHORT Armadill.0106B023
0106B014 B9 EB0FB8EB MOV ECX,EBB80FEB
0106B019 07 POP ES ; Modification of segment register
0106B01A B9 EB0F90EB MOV ECX,EB900FEB
0106B01F 08FD OR CH,BH
0106B021 EB 0B JMP SHORT Armadill.0106B02E
0106B023 F2: PREFIX REPNE: ; Superfluous prefix
bp OpenMutexA F9运行
7C80EAAB k> 8BFF MOV EDI,EDI
7C80EAAD 55 PUSH EBP
7C80EAAE 8BEC MOV EBP,ESP
7C80EAB0 51 PUSH ECX
7C80EAB1 51 PUSH ECX
7C80EAB2 837D 10 00 CMP DWORD PTR SS:[EBP+10],0
7C80EAB6 56 PUSH ESI
7C80EAB7 0F84 37550300 JE kernel32.7C843FF4
7C80EABD 64:A1 18000000 MOV EAX,DWORD PTR FS:[18]
0006F718 01032C09 /CALL to OpenMutexA from Armadill.01032C03
0006F71C 001F0001 |Access = 1F0001
0006F720 00000000 |Inheritable = FALSE
0006F724 0006FD5C \MutexName = "F50:A7AF5CD59"
ALT+F9
01032C09 85C0 TEST EAX,EAX
01032C0B 74 04 JE SHORT Armadill.01032C11 //修改 z=0
01032C0D C645 FF 00 MOV BYTE PTR SS:[EBP-1],0
01032C11 0FB645 FF MOVZX EAX,BYTE PTR SS:[EBP-1]
01032C15 85C0 TEST EAX,EAX
01032C17 0F84 95010000 JE Armadill.01032DB2
01032C1D 8B0D 1CB90701 MOV ECX,DWORD PTR DS:[107B91C]
01032C23 330D 84B90701 XOR ECX,DWORD PTR DS:[107B984]
01032C29 330D 6CB90701 XOR ECX,DWORD PTR DS:[107B96C]
F9运行
7C80EAAB k> 8BFF MOV EDI,EDI
7C80EAAD 55 PUSH EBP
7C80EAAE 8BEC MOV EBP,ESP
7C80EAB0 51 PUSH ECX
7C80EAB1 51 PUSH ECX
7C80EAB2 837D 10 00 CMP DWORD PTR SS:[EBP+10],0
7C80EAB6 56 PUSH ESI
7C80EAB7 0F84 37550300 JE kernel32.7C843FF4
7C80EABD 64:A1 18000000 MOV EAX,DWORD PTR FS:[18]
7C80EAC3 FF75 10 PUSH DWORD PTR SS:[EBP+10]
0006F718 01033002 /CALL to OpenMutexA from Armadill.01032FFC
0006F71C 001F0001 |Access = 1F0001
0006F720 00000000 |Inheritable = FALSE
0006F724 0006FD5C \MutexName = "F50:A7AF5CD59"
alt+f9 bc OpenMutexA
01033002 85C0 TEST EAX,EAX
01033004 0F85 FE010000 JNZ Armadill.01033208 //修改 z=0
0103300A 6A 01 PUSH 1
0103300C FF15 88B00701 CALL DWORD PTR DS:[<&KERNEL32.GetCurrentThread>>; kernel32.GetCurrentThread
01033012 50 PUSH EAX
01033013 FF15 84B00701 CALL DWORD PTR DS:[<&KERNEL32.SetThreadPriority>; kernel32.SetThreadPriority
01033019 C685 57F9FFFF 00 MOV BYTE PTR SS:[EBP-6A9],0
01033020 68 68DF0701 PUSH Armadill.0107DF68 ; ASCII "Kernel32"
01033025 FF15 7CB00701 CALL DWORD PTR DS:[<&KERNEL32.LoadLibraryA>] ; kernel32.LoadLibraryA
bp VirtualProtect f9
7C801AD4 k> 8BFF MOV EDI,EDI
7C801AD6 55 PUSH EBP
7C801AD7 8BEC MOV EBP,ESP
7C801AD9 FF75 14 PUSH DWORD PTR SS:[EBP+14]
7C801ADC FF75 10 PUSH DWORD PTR SS:[EBP+10]
7C801ADF FF75 0C PUSH DWORD PTR SS:[EBP+C]
7C801AE2 FF75 08 PUSH DWORD PTR SS:[EBP+8] ; Armadill.01185D22
7C801AE5 6A FF PUSH -1
7C801AE7 E8 75FFFFFF CALL kernel32.VirtualProtectEx
7C801AEC 5D POP EBP ; Armadill.01032777
7C801AED C2 1000 RETN 10
2.
ctrl+g GetDlgItem 下硬件执行断点 F9
77D2436E U> 8BFF MOV EDI,EDI
77D24370 55 PUSH EBP
77D24371 8BEC MOV EBP,ESP
77D24373 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8] ; Armadill.01185D22
77D24376 E8 6541FFFF CALL USER32.77D184E0
77D2437B 85C0 TEST EAX,EAX
77D2437D 74 1F JE SHORT USER32.77D2439E
77D2437F 56 PUSH ESI
77D24380 FF75 0C PUSH DWORD PTR SS:[EBP+C]
77D24383 50 PUSH EAX
77D24384 E8 A9FFFFFF CALL USER32.77D24332
77D24389 85C0 TEST EAX,EAX
取消硬件执行断点
atl+m 搜索 ENHFINGERPRINT
009D3684 45 4E 48 46 49 4E 47 45 52 50 52 49 4E 54 56 31 ENHFINGERPRINTV1
009D3694 00 00 00 00 46 49 4E 47 45 52 50 52 49 4E 54 56 ....FINGERPRINTV
009D36A4 31 00 00 00 45 4E 48 46 49 4E 47 45 52 50 52 49 1...ENHFINGERPRI
ctrl+g 009D3684
009D3684 45 INC EBP
009D3685 4E DEC ESI
009D3686 48 DEC EAX
009D3687 46 INC ESI
009D3688 49 DEC ECX ; Armadill.010714DA
009D3689 4E DEC ESI
009D368A 47 INC EDI
009D368B 45 INC EBP
009D368C 52 PUSH EDX
009D368D 50 PUSH EAX
ctrl+r
References in 00920000..00A09FFF to 009D3684
Address Disassembly Comment
0093C8BC PUSH 9D3684 ASCII "ENHFINGERPRINTV1"
009D3684 INC EBP (Initial CPU selection)
0093C645 68 D0369D00 PUSH 9D36D0 ; ASCII "DATELASTRUN"
0093C64A 8B8D 58FBFFFF MOV ECX,DWORD PTR SS:[EBP-4A8]
0093C650 81C1 60240000 ADD ECX,2460
0093C656 E8 15FDFEFF CALL 0092C370
0093C65B 6A 00 PUSH 0
0093C65D 8B8D 58FBFFFF MOV ECX,DWORD PTR SS:[EBP-4A8]
0093C663 E8 E855FFFF CALL 00931C50
0093C668 8985 C4FCFFFF MOV DWORD PTR SS:[EBP-33C],EAX
0093C66E 8B95 C4FCFFFF MOV EDX,DWORD PTR SS:[EBP-33C]
0093C674 81E2 FFFF0000 AND EDX,0FFFF
0093C67A 52 PUSH EDX
0093C67B 8B85 C4FCFFFF MOV EAX,DWORD PTR SS:[EBP-33C]
0093C681 C1E8 10 SHR EAX,10
0093C684 50 PUSH EAX
0093C685 68 0C359D00 PUSH 9D350C ; ASCII "%04X-%04X"
0093C68A 8D8D D8FCFFFF LEA ECX,DWORD PTR SS:[EBP-328]
0093C690 51 PUSH ECX ; Armadill.010714DA
0093C691 E8 0AF00600 CALL 009AB6A0
0093C696 83C4 10 ADD ESP,10
0093C699 6A 00 PUSH 0
0093C69B 8D95 D8FCFFFF LEA EDX,DWORD PTR SS:[EBP-328]
0093C6A1 52 PUSH EDX
0093C6A2 68 C4369D00 PUSH 9D36C4 ; ASCII "FINGERPRINT"
0093C6A7 8B8D 58FBFFFF MOV ECX,DWORD PTR SS:[EBP-4A8]
0093C6AD 81C1 60240000 ADD ECX,2460
0093C6B3 E8 C8FBFEFF CALL 0092C280
0093C6B8 6A 00 PUSH 0
0093C6BA 8B8D 58FBFFFF MOV ECX,DWORD PTR SS:[EBP-4A8]
0093C6C0 E8 EB55FFFF CALL 00931CB0
0093C6C5 8985 C4FCFFFF MOV DWORD PTR SS:[EBP-33C],EAX
0093C6CB 8B85 58FBFFFF MOV EAX,DWORD PTR SS:[EBP-4A8]
0093C6D1 8B88 5C060000 MOV ECX,DWORD PTR DS:[EAX+65C]
0093C6D7 898D A0FBFFFF MOV DWORD PTR SS:[EBP-460],ECX ; Armadill.010714DA
0093C6DD 6A 01 PUSH 1
0093C6DF 8B8D A0FBFFFF MOV ECX,DWORD PTR SS:[EBP-460]
0093C6E5 E8 A6990200 CALL 00966090
0093C6EA 0FB6D0 MOVZX EDX,AL
0093C6ED 85D2 TEST EDX,EDX
0093C6EF 74 1F JE SHORT 0093C710
0093C6F1 83BD C4FCFFFF 00 CMP DWORD PTR SS:[EBP-33C],0
0093C6F8 75 16 JNZ SHORT 0093C710
0093C6FA 68 B8369D00 PUSH 9D36B8 ; ASCII "????-????"
0093C6FF 8D85 D8FCFFFF LEA EAX,DWORD PTR SS:[EBP-328]
0093C705 50 PUSH EAX
0093C706 E8 D5F00600 CALL 009AB7E0
0093C70B 83C4 08 ADD ESP,8
0093C70E EB 2B JMP SHORT 0093C73B
0093C710 8B8D C4FCFFFF MOV ECX,DWORD PTR SS:[EBP-33C]
0093C716 81E1 FFFF0000 AND ECX,0FFFF
0093C71C 51 PUSH ECX ; Armadill.010714DA
0093C71D 8B95 C4FCFFFF MOV EDX,DWORD PTR SS:[EBP-33C]
0093C723 C1EA 10 SHR EDX,10
0093C726 52 PUSH EDX
0093C727 68 0C359D00 PUSH 9D350C ; ASCII "%04X-%04X"
0093C72C 8D85 D8FCFFFF LEA EAX,DWORD PTR SS:[EBP-328]
0093C732 50 PUSH EAX
0093C733 E8 68EF0600 CALL 009AB6A0
0093C738 83C4 10 ADD ESP,10
0093C73B 6A 00 PUSH 0
0093C73D 8D8D D8FCFFFF LEA ECX,DWORD PTR SS:[EBP-328]
0093C743 51 PUSH ECX ; Armadill.010714DA
0093C744 68 A8369D00 PUSH 9D36A8 ; ASCII "ENHFINGERPRINT"
0093C749 8B8D 58FBFFFF MOV ECX,DWORD PTR SS:[EBP-4A8]
0093C74F 81C1 60240000 ADD ECX,2460
0093C755 E8 26FBFEFF CALL 0092C280
0093C75A 8B95 58FBFFFF MOV EDX,DWORD PTR SS:[EBP-4A8]
0093C760 8B82 5C060000 MOV EAX,DWORD PTR DS:[EDX+65C]
0093C766 8985 9CFBFFFF MOV DWORD PTR SS:[EBP-464],EAX
0093C76C 33C9 XOR ECX,ECX ; Armadill.010714DA
0093C76E C1E1 02 SHL ECX,2
0093C771 8B95 9CFBFFFF MOV EDX,DWORD PTR SS:[EBP-464] ; USER32.77D1882A
0093C777 8B840A 18040000 MOV EAX,DWORD PTR DS:[EDX+ECX+418]
0093C77E 8985 98FBFFFF MOV DWORD PTR SS:[EBP-468],EAX
0093C784 33C9 XOR ECX,ECX ; Armadill.010714DA
0093C786 7C 21 JL SHORT 0093C7A9
0093C788 33D2 XOR EDX,EDX
0093C78A 83FA 01 CMP EDX,1
0093C78D 7F 1A JG SHORT 0093C7A9
0093C78F 33C0 XOR EAX,EAX
0093C791 C1E0 02 SHL EAX,2
0093C794 8B8D 58FBFFFF MOV ECX,DWORD PTR SS:[EBP-4A8]
0093C79A 8B9401 64200000 MOV EDX,DWORD PTR DS:[ECX+EAX+2064]
0093C7A1 8995 54FBFFFF MOV DWORD PTR SS:[EBP-4AC],EDX
0093C7A7 EB 0A JMP SHORT 0093C7B3
0093C7A9 C785 54FBFFFF 00000000 MOV DWORD PTR SS:[EBP-4AC],0
0093C7B3 8B85 98FBFFFF MOV EAX,DWORD PTR SS:[EBP-468]
0093C7B9 3385 54FBFFFF XOR EAX,DWORD PTR SS:[EBP-4AC]
0093C7BF 8985 C4FCFFFF MOV DWORD PTR SS:[EBP-33C],EAX
0093C7C5 8B8D C4FCFFFF MOV ECX,DWORD PTR SS:[EBP-33C]
0093C7CB 81E1 FFFF0000 AND ECX,0FFFF
0093C7D1 51 PUSH ECX ; Armadill.010714DA
0093C7D2 8B95 C4FCFFFF MOV EDX,DWORD PTR SS:[EBP-33C]
0093C7D8 C1EA 10 SHR EDX,10
0093C7DB 52 PUSH EDX
0093C7DC 68 0C359D00 PUSH 9D350C ; ASCII "%04X-%04X"
0093C7E1 8D85 D8FCFFFF LEA EAX,DWORD PTR SS:[EBP-328]
0093C7E7 50 PUSH EAX
0093C7E8 E8 B3EE0600 CALL 009AB6A0
0093C7ED 83C4 10 ADD ESP,10
0093C7F0 6A 00 PUSH 0
0093C7F2 8D8D D8FCFFFF LEA ECX,DWORD PTR SS:[EBP-328]
0093C7F8 51 PUSH ECX ; Armadill.010714DA
0093C7F9 68 98369D00 PUSH 9D3698 ; ASCII "FINGERPRINTV1"
0093C7FE 8B8D 58FBFFFF MOV ECX,DWORD PTR SS:[EBP-4A8]
0093C804 81C1 60240000 ADD ECX,2460
0093C80A E8 71FAFEFF CALL 0092C280
0093C80F 8B95 58FBFFFF MOV EDX,DWORD PTR SS:[EBP-4A8]
0093C815 8B82 5C060000 MOV EAX,DWORD PTR DS:[EDX+65C]
0093C81B 8985 94FBFFFF MOV DWORD PTR SS:[EBP-46C],EAX
0093C821 B9 01000000 MOV ECX,1
0093C826 C1E1 02 SHL ECX,2
0093C829 8B95 94FBFFFF MOV EDX,DWORD PTR SS:[EBP-46C] ; USER32.77D1885A
0093C82F 8B840A 18040000 MOV EAX,DWORD PTR DS:[EDX+ECX+418]
0093C836 8985 90FBFFFF MOV DWORD PTR SS:[EBP-470],EAX
0093C83C B9 01000000 MOV ECX,1
0093C841 85C9 TEST ECX,ECX ; Armadill.010714DA
0093C843 7C 27 JL SHORT 0093C86C
0093C845 BA 01000000 MOV EDX,1
0093C84A 83FA 01 CMP EDX,1
0093C84D 7F 1D JG SHORT 0093C86C
0093C84F B8 01000000 MOV EAX,1
0093C854 C1E0 02 SHL EAX,2
0093C857 8B8D 58FBFFFF MOV ECX,DWORD PTR SS:[EBP-4A8]
0093C85D 8B9401 64200000 MOV EDX,DWORD PTR DS:[ECX+EAX+2064]
0093C864 8995 50FBFFFF MOV DWORD PTR SS:[EBP-4B0],EDX
0093C86A EB 0A JMP SHORT 0093C876
0093C86C C785 50FBFFFF 00000000 MOV DWORD PTR SS:[EBP-4B0],0
0093C876 8B85 90FBFFFF MOV EAX,DWORD PTR SS:[EBP-470]
0093C87C 3385 50FBFFFF XOR EAX,DWORD PTR SS:[EBP-4B0]
0093C882 8985 C4FCFFFF MOV DWORD PTR SS:[EBP-33C],EAX
0093C888 8B8D C4FCFFFF MOV ECX,DWORD PTR SS:[EBP-33C]
0093C88E 81E1 FFFF0000 AND ECX,0FFFF
0093C894 51 PUSH ECX ; Armadill.010714DA
0093C895 8B95 C4FCFFFF MOV EDX,DWORD PTR SS:[EBP-33C]
0093C89B C1EA 10 SHR EDX,10
0093C89E 52 PUSH EDX
0093C89F 68 0C359D00 PUSH 9D350C ; ASCII "%04X-%04X"
0093C8A4 8D85 D8FCFFFF LEA EAX,DWORD PTR SS:[EBP-328]
0093C8AA 50 PUSH EAX
0093C8AB E8 F0ED0600 CALL 009AB6A0
0093C8B0 83C4 10 ADD ESP,10
0093C8B3 6A 00 PUSH 0
0093C8B5 8D8D D8FCFFFF LEA ECX,DWORD PTR SS:[EBP-328]
0093C8BB 51 PUSH ECX ; Armadill.010714DA
0093C8BC 68 84369D00 PUSH 9D3684 ; ASCII "ENHFINGERPRINTV1"
3.
重复操作 1.
然后在0093C656下硬件执行断点 F9运行出现注册框 点ok程序断下
009A0113 E8 381BFAFF CALL 00941C50
009A0118 8985 60FFFFFF MOV DWORD PTR SS:[EBP-A0],EAX
009A011E 8B8D 60FFFFFF MOV ECX,DWORD PTR SS:[EBP-A0]
009A0124 81E1 FFFF0000 AND ECX,0FFFF
009A012A 51 PUSH ECX
009A012B 8B95 60FFFFFF MOV EDX,DWORD PTR SS:[EBP-A0]
009A0131 C1EA 10 SHR EDX,10
009A0134 52 PUSH EDX ; Armadill.0107B910
009A0135 68 0C359E00 PUSH 9E350C ; ASCII "%04X-%04X"
009A013A 8D85 64FFFFFF LEA EAX,DWORD PTR SS:[EBP-9C]
009A0140 50 PUSH EAX
009A0141 E8 5AB50100 CALL 009BB6A0
009A0146 83C4 10 ADD ESP,10
009A0149 6A 00 PUSH 0
009A014B B9 30B49F00 MOV ECX,9FB430
009A0150 E8 5B1BFAFF CALL 00941CB0
009A0155 8985 60FFFFFF MOV DWORD PTR SS:[EBP-A0],EAX
009A015B 8B0D 8CBA9F00 MOV ECX,DWORD PTR DS:[9FBA8C]
009A0161 898D C8F4FFFF MOV DWORD PTR SS:[EBP-B38],ECX
009A0167 6A 01 PUSH 1
009A0169 8B8D C8F4FFFF MOV ECX,DWORD PTR SS:[EBP-B38]
009A016F E8 1C5FFDFF CALL 00976090
009A0174 0FB6D0 MOVZX EDX,AL
009A0177 85D2 TEST EDX,EDX ; Armadill.0107B910
009A0179 74 1F JE SHORT 009A019A
经过跟踪发现
009A0150 E8 5B1BFAFF CALL 00941CB0 //F7进入
009A0155 8985 60FFFFFF MOV DWORD PTR SS:[EBP-A0],EAX
009A015B 8B0D 8CBA9F00 MOV ECX,DWORD PTR DS:[9FBA8C]
009A0161 898D C8F4FFFF MOV DWORD PTR SS:[EBP-B38],ECX
009A0167 6A 01 PUSH 1
009A0169 8B8D C8F4FFFF MOV ECX,DWORD PTR SS:[EBP-B38]
009A016F E8 1C5FFDFF CALL 00976090
00941CFF E8 CC430300 CALL 009760D0
00941D04 3345 F4 XOR EAX,DWORD PTR SS:[EBP-C]
00941D07 8BE5 MOV ESP,EBP 此时的eax=我的硬件id
00941D09 5D POP EBP
00941D0A C2 0400 RETN 4
Patch EAX为 09B8-DE48
00941D04 B8 48DEB809 MOV EAX,9B8DE48
00941D09 8BE5 MOV ESP,EBP
00941D0B 5D POP EBP
00941D0C C2 0400 RETN 4
00941D0F CC INT3
F9运行 填入上面提供的key就可以了 然后程序会断下 上面还保留VirtualProtect 这个断点
4.脱壳 、、
7C801AD4 k> 8BFF MOV EDI,EDI //程序暂停在这里
7C801AD6 55 PUSH EBP
7C801AD7 8BEC MOV EBP,ESP
7C801AD9 FF75 14 PUSH DWORD PTR SS:[EBP+14]
7C801ADC FF75 10 PUSH DWORD PTR SS:[EBP+10]
7C801ADF FF75 0C PUSH DWORD PTR SS:[EBP+C]
7C801AE2 FF75 08 PUSH DWORD PTR SS:[EBP+8]
7C801AE5 6A FF PUSH -1
7C801AE7 E8 75FFFFFF CALL kernel32.VirtualProtectEx
7C801AEC 5D POP EBP ; 009A92A1
7C801AED C2 1000 RETN 10
F9运行几次 当堆栈如下时
000691F8 009AA16F /CALL to VirtualProtect from 009AA169
000691FC 01001020 |Address = Armadill.01001020
00069200 00000008 |Size = 8 看这里等于8
00069204 00000004 |NewProtect = PAGE_READWRITE
00069208 0006BED8 \pOldProtect = 0006BED8
取消断点 alt+f9
009AA16F 6A 14 PUSH 14
009AA171 E8 68100100 CALL 009BB1DE
009AA176 83C4 04 ADD ESP,4
009AA179 8985 C0AAFFFF MOV DWORD PTR SS:[EBP+FFFFAAC0],EAX
009AA17F C745 FC 03000000 MOV DWORD PTR SS:[EBP-4],3
009AA186 83BD C0AAFFFF 00 CMP DWORD PTR SS:[EBP+FFFFAAC0],0
009AA18D 74 59 JE SHORT 009AA1E8
009AA18F 8B0D 945CA000 MOV ECX,DWORD PTR DS:[A05C94]
009AA195 898D FCA8FFFF MOV DWORD PTR SS:[EBP+FFFFA8FC],ECX
搜索 push 100
009AA3FD 68 00010000 PUSH 100
009AA402 8D95 2CC1FFFF LEA EDX,DWORD PTR SS:[EBP-3ED4]
009AA408 52 PUSH EDX ; ntdll.KiFastSystemCallRet
009AA409 8B85 2CC2FFFF MOV EAX,DWORD PTR SS:[EBP-3DD4]
009AA40F 8B08 MOV ECX,DWORD PTR DS:[EAX]
009AA411 51 PUSH ECX
009AA412 E8 0981F8FF CALL 00932520 //跟进
009AA417 83C4 0C ADD ESP,0C
00932520 55 PUSH EBP //修改成ret
00932521 8BEC MOV EBP,ESP
00932523 83EC 2C SUB ESP,2C
00932526 833D C0A49F00 00 CMP DWORD PTR DS:[9FA4C0],0
0093252D 75 59 JNZ SHORT 00932588
0093252F C745 EC 53CAECB2 MOV DWORD PTR SS:[EBP-14],B2ECCA53
00932536 68 00010000 PUSH 100
0093253B E8 08870800 CALL 009BAC48
Bp CreateThread F9
7C8106C7 k> 8BFF MOV EDI,EDI
7C8106C9 55 PUSH EBP
7C8106CA 8BEC MOV EBP,ESP
7C8106CC FF75 1C PUSH DWORD PTR SS:[EBP+1C]
7C8106CF FF75 18 PUSH DWORD PTR SS:[EBP+18] ; Armadill.0108A188
7C8106D2 FF75 14 PUSH DWORD PTR SS:[EBP+14] ; Armadill.01052E97
7C8106D5 FF75 10 PUSH DWORD PTR SS:[EBP+10]
7C8106D8 FF75 0C PUSH DWORD PTR SS:[EBP+C]
7C8106DB FF75 08 PUSH DWORD PTR SS:[EBP+8]
7C8106DE 6A FF PUSH -1
7C8106E0 E8 D7FDFFFF CALL kernel32.CreateRemoteThread
7C8106E5 5D POP EBP ; 0098258C
7C8106E6 C2 1800 RETN 18
断下返回
009AFD8F 83C4 04 ADD ESP,4
009AFD92 B9 30B49F00 MOV ECX,9FB430
009AFD97 E8 D4CAF8FF CALL 0093C870
009AFD9C 0FB6C8 MOVZX ECX,AL
009AFD9F 85C9 TEST ECX,ECX
009AFDA1 74 0C JE SHORT 009AFDAF
009AFDA3 6A 01 PUSH 1
009AFDA5 B9 30B49F00 MOV ECX,9FB430
009AFDAA E8 91CFF9FF CALL 0094CD40
009AFDAF C705 E4719F00 68729E00 MOV DWORD PTR DS:[9F71E4],9E7268
009AFDB9 B9 D0A49F00 MOV ECX,9FA4D0
009AFDBE E8 FD50FEFF CALL 00994EC0
009AFDC3 C745 F0 00000000 MOV DWORD PTR SS:[EBP-10],0
009AFDCA 8D55 E8 LEA EDX,DWORD PTR SS:[EBP-18]
009AFDCD 52 PUSH EDX ; ntdll.KiFastSystemCallRet
009AFDCE 68 B0FE9A00 PUSH 9AFEB0
009AFDD3 FF15 B8B09F00 CALL DWORD PTR DS:[9FB0B8]
009AFDD9 83C4 08 ADD ESP,8
009AFDDC A1 94BA9F00 MOV EAX,DWORD PTR DS:[9FBA94]
009AFDE1 8945 E4 MOV DWORD PTR SS:[EBP-1C],EAX
009AFDE4 B9 07000000 MOV ECX,7
009AFDE9 C1E1 02 SHL ECX,2
009AFDEC 8B15 7CBA9F00 MOV EDX,DWORD PTR DS:[9FBA7C] ; Armadill.0107B910
009AFDF2 A1 7CBA9F00 MOV EAX,DWORD PTR DS:[9FBA7C]
009AFDF7 8B35 7CBA9F00 MOV ESI,DWORD PTR DS:[9FBA7C] ; Armadill.0107B910
009AFDFD 8B76 64 MOV ESI,DWORD PTR DS:[ESI+64]
009AFE00 3370 5C XOR ESI,DWORD PTR DS:[EAX+5C]
009AFE03 33340A XOR ESI,DWORD PTR DS:[EDX+ECX]
009AFE06 0375 E4 ADD ESI,DWORD PTR SS:[EBP-1C] ; Armadill.0108A188
009AFE09 8975 F4 MOV DWORD PTR SS:[EBP-C],ESI
009AFE0C 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8] ; Armadill.01088F48
009AFE0F 8339 00 CMP DWORD PTR DS:[ECX],0
009AFE12 75 3F JNZ SHORT 009AFE53
009AFE14 8B15 7CBA9F00 MOV EDX,DWORD PTR DS:[9FBA7C] ; Armadill.0107B910
009AFE1A A1 7CBA9F00 MOV EAX,DWORD PTR DS:[9FBA7C]
009AFE1F 8B4A 38 MOV ECX,DWORD PTR DS:[EDX+38]
009AFE22 3348 5C XOR ECX,DWORD PTR DS:[EAX+5C]
009AFE25 8B15 7CBA9F00 MOV EDX,DWORD PTR DS:[9FBA7C] ; Armadill.0107B910
009AFE2B 334A 68 XOR ECX,DWORD PTR DS:[EDX+68]
009AFE2E 894D E0 MOV DWORD PTR SS:[EBP-20],ECX
009AFE31 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] ; Armadill.01088F48
009AFE34 8B48 18 MOV ECX,DWORD PTR DS:[EAX+18]
009AFE37 51 PUSH ECX
009AFE38 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8] ; Armadill.01088F48
009AFE3B 8B42 14 MOV EAX,DWORD PTR DS:[EDX+14]
009AFE3E 50 PUSH EAX
009AFE3F 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8] ; Armadill.01088F48
009AFE42 8B51 10 MOV EDX,DWORD PTR DS:[ECX+10]
009AFE45 52 PUSH EDX ; ntdll.KiFastSystemCallRet
009AFE46 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
009AFE49 2B45 E0 SUB EAX,DWORD PTR SS:[EBP-20] ; Armadill.01052E97
009AFE4C FFD0 CALL EAX
009AFE4E 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
009AFE51 EB 47 JMP SHORT 009AFE9A
009AFE53 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8] ; Armadill.01088F48
009AFE56 8339 01 CMP DWORD PTR DS:[ECX],1
009AFE59 75 3F JNZ SHORT 009AFE9A
009AFE5B 8B15 7CBA9F00 MOV EDX,DWORD PTR DS:[9FBA7C] ; Armadill.0107B910
009AFE61 A1 7CBA9F00 MOV EAX,DWORD PTR DS:[9FBA7C]
009AFE66 8B4A 38 MOV ECX,DWORD PTR DS:[EDX+38]
009AFE69 3348 5C XOR ECX,DWORD PTR DS:[EAX+5C]
009AFE6C 8B15 7CBA9F00 MOV EDX,DWORD PTR DS:[9FBA7C] ; Armadill.0107B910
009AFE72 334A 68 XOR ECX,DWORD PTR DS:[EDX+68]
009AFE75 894D DC MOV DWORD PTR SS:[EBP-24],ECX
009AFE78 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] ; Armadill.01088F48
009AFE7B 8B48 04 MOV ECX,DWORD PTR DS:[EAX+4]
009AFE7E 51 PUSH ECX
009AFE7F 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8] ; Armadill.01088F48
009AFE82 8B42 08 MOV EAX,DWORD PTR DS:[EDX+8]
009AFE85 50 PUSH EAX
009AFE86 6A 00 PUSH 0
009AFE88 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8] ; Armadill.01088F48
009AFE8B 8B51 0C MOV EDX,DWORD PTR DS:[ECX+C]
009AFE8E 52 PUSH EDX ; ntdll.KiFastSystemCallRet
009AFE8F 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
009AFE92 2B45 DC SUB EAX,DWORD PTR SS:[EBP-24]
009AFE95 FFD0 CALL EAX //传说中的去光明の巅的路
009AFE97 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
009AFE9A 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
009AFE9D 5E POP ESI
009AFE9E 8BE5 MOV ESP,EBP
009AFEA0 5D POP EBP
009AFEA1 C3 RETN
0100739D d> 6A 70 PUSH 70 //oep
0100739F 68 98180001 PUSH dumped_.01001898
010073A4 E8 BF010000 CALL dumped_.01007568
010073A9 33DB XOR EBX,EBX
010073AB 53 PUSH EBX
010073AC 8B3D CC100001 MOV EDI,DWORD PTR DS:[<&kernel32.GetModuleHandl>; kernel32.GetModuleHandleA
010073B2 FFD7 CALL EDI
010073B4 66:8138 4D5A CMP WORD PTR DS:[EAX],5A4D
010073B9 75 1F JNZ SHORT dumped_.010073DA
010073BB 8B48 3C MOV ECX,DWORD PTR DS:[EAX+3C]
010073BE 03C8 ADD ECX,EAX
010073C0 8139 50450000 CMP DWORD PTR DS:[ECX],4550
lordpe dump 修复即可
别骂我 写的乱七八糟的 本人小学没毕业 嘎嘎