http://hi.baidu.com/herozone/blog/item/73472624a8b5ba36c9955968.html
Manually unpacking Armadillo 3.78 - 4.xx -> Silicon Realms Toolworks
2008-05-17 (Saturday) 13:59
【Writeup title】Manually unpacking Armadillo 3.78 - 4.xx -> Silicon Realms Toolworks
【Writeup author】一杯涼茶
【Author e-mail】[email protected]
【Author homepage】N/A
【Tools used】PEiD 0.94 + OD + ArmInline 0.96 + LordPE + ImportREC + Enjoy
【Platform】pirated XP SP2
【Software name】..........
【Software size】..........
【Original download】...........
【Protection】packer
【Software description】
【Disclaimer】This article is for study and research only; I accept no legal responsibility for any consequences arising from it. As for its shortcomings, I ask everyone to kindly
【Unpacking process】1. Load in OD, ignore all exceptions, hide OD with a plugin.
00946000 > 60 PUSHAD
00946001 E8 00000000 CALL FlyWoool.00946006
00946006 5D POP EBP
00946007 50 PUSH EAX
00946008 51 PUSH ECX
00946009 0FCA BSWAP EDX
0094600B F7D2 NOT EDX
0094600D 9C PUSHFD
0094600E F7D2 NOT EDX
00946010 0FCA BSWAP EDX
00946012 EB 0F JMP SHORT FlyWoool.00946023
00946014 B9 EB0FB8EB MOV ECX,EBB80FEB
00946019 07 POP ES ; modification of segment register
0094601A B9 EB0F90EB MOV ECX,EB900FEB
0094601F 08FD OR CH,BH
++++++++++++++++++++++++++++++++++++++++
Set bp OpenMutexA, then Shift+F9 to land here
0094F5C3 F0: PREFIX LOCK: ; superfluous prefix
0094F5C4 F0:C7 ??? ; unknown command
0094F5C6 C8 64678F ENTER 6764,8F
0094F5CA 06 PUSH ES
0094F5CB 0000 ADD BYTE PTR DS:[EAX],AL
0094F5CD 83C4 04 ADD ESP,4
0094F5D0 C3 RETN
0094F5D1 03C5 ADD EAX,EBP
0094F5D3 C3 RETN
0094F5D4 B9 EA7A0000 MOV ECX,7AEA
0094F5D9 C3 RETN
0094F5DA B8 661A0000 MOV EAX,1A66
0094F5DF C3 RETN
An exception occurs; manually add the most recent exception, then Shift+F9 to land here
7C80EA1B > 8BFF MOV EDI,EDI
7C80EA1D 55 PUSH EBP
7C80EA1E 8BEC MOV EBP,ESP
7C80EA20 51 PUSH ECX
7C80EA21 51 PUSH ECX
7C80EA22 837D 10 00 CMP DWORD PTR SS:[EBP+10],0
7C80EA26 56 PUSH ESI
++++++++++++++++++++++++++++++++++++++++++++++++
Alt+F9 returns to here
0091E735 85C0 TEST EAX,EAX
0091E737 74 04 JE SHORT FlyWoool.0091E73D
0091E739 C645 DC 00 MOV BYTE PTR SS:[EBP-24],0
0091E73D 8B45 DC MOV EAX,DWORD PTR SS:[EBP-24]
0091E740 25 FF000000 AND EAX,0FF
0091E745 85C0 TEST EAX,EAX
Change 0091E735 74 04 JE SHORT FlyWoool.0091E73D to JNZ
Shift+F9 to land here
7C80EA1B > 8BFF MOV EDI,EDI
7C80EA1D 55 PUSH EBP
7C80EA1E 8BEC MOV EBP,ESP
7C80EA20 51 PUSH ECX
7C80EA21 51 PUSH ECX
7C80EA22 837D 10 00 CMP DWORD PTR SS:[EBP+10],0
7C80EA26 56 PUSH ESI
Alt+F9 to land here
0091EB37 85C0 TEST EAX,EAX
0091EB39 0F85 7A020000 JNZ FlyWoool.0091EDB9
0091EB3F 6A 01 PUSH 1
0091EB41 FF15 88609500 CALL DWORD PTR DS:[<&KERNEL32.GetCurrent>; kernel32.GetCurrentThread
0091EB47 50 PUSH EAX
Change 0091EB39 0F85 7A020000 JNZ FlyWoool.0091EDB9 to JE
Shift+F9 to land here, then remove the breakpoint
7C80EA1B > 8BFF MOV EDI,EDI
7C80EA1D 55 PUSH EBP
7C80EA1E 8BEC MOV EBP,ESP
7C80EA20 51 PUSH ECX
7C80EA21 51 PUSH ECX
7C80EA22 837D 10 00 CMP DWORD PTR SS:[EBP+10],0
7C80EA26 56 PUSH ESI
Reaching this step is the method for turning the double thread into a single thread
++++++++++++++++++++++++++++++++++++++
Set he GetModuleHandleA+5 (hardware breakpoint on execution), then Shift+F9; watch the stack every time
First time
001394A4 /0013EBEC
001394A8 |01078091 RETURN to 01078091 from kernel32.GetModuleHandleA
001394AC |0108CD04 ASCII "kernel32.dll"
001394B0 |0108E084 ASCII "VirtualAlloc"
Second time
001394A4 /0013EBEC
001394A8 |010780AE RETURN to 010780AE from kernel32.GetModuleHandleA
001394AC |0108CD04 ASCII "kernel32.dll"
001394B0 |0108E078 ASCII "VirtualFree"
Third time
00139208 /001394A8
0013920C |010665FF RETURN to 010665FF from kernel32.GetModuleHandleA
00139210 |0013935C ASCII "kernel32.dll"
This is the moment to return
++++++++++++++++++++++++++++++++++++++++++==
Remove the breakpoint, then Alt+F9 to land here
010665FF 8B0D 9C550901 MOV ECX,DWORD PTR DS:[109559C]
01066605 89040E MOV DWORD PTR DS:[ESI+ECX],EAX
01066608 A1 9C550901 MOV EAX,DWORD PTR DS:[109559C]
0106660D 391C06 CMP DWORD PTR DS:[ESI+EAX],EBX
01066610 75 2E JNZ SHORT 01066640
01066612 F647 04 02 TEST BYTE PTR DS:[EDI+4],2
01066616 74 12 JE SHORT 0106662A
01066618 B9 880F0901 MOV ECX,1090F88
0106661D E8 B86CFFFF CALL 0105D2DA
01066622 84C0 TEST AL,AL
01066624 0F84 53010000 JE 0106677D
0106662A 8D85 B4FEFFFF LEA EAX,DWORD PTR SS:[EBP-14C]
01066630 50 PUSH EAX
01066631 FF15 E0710801 CALL DWORD PTR DS:[10871E0] ; kernel32.LoadLibraryA
01066637 8B0D 9C550901 MOV ECX,DWORD PTR DS:[109559C]
0106663D 89040E MOV DWORD PTR DS:[ESI+ECX],EAX
01066640 A1 9C550901 MOV EAX,DWORD PTR DS:[109559C]
01066645 391C06 CMP DWORD PTR DS:[ESI+EAX],EBX
01066648 0F84 2F010000 JE 0106677D This jump is the Magic Jump; change it to JMP
0106664E 33C9 XOR ECX,ECX
01066650 8B07 MOV EAX,DWORD PTR DS:[EDI]
01066652 3918 CMP DWORD PTR DS:[EAX],EBX
01066654 74 06 JE SHORT 0106665C
01066656 41 INC ECX
01066657 83C0 0C ADD EAX,0C
0106665A ^ EB F6 JMP SHORT 01066652
0106665C 8BD9 MOV EBX,ECX
0106665E C1E3 02 SHL EBX,2
01066661 53 PUSH EBX
01066662 E8 D3020200 CALL 0108693A ; JMP to msvcrt.operator new
01066667 8B0D 94550901 MOV ECX,DWORD PTR DS:[1095594]
0106666D 89040E MOV DWORD PTR DS:[ESI+ECX],EAX
01066670 53 PUSH EBX
01066671 E8 C4020200 CALL 0108693A ; JMP to msvcrt.operator new
01066676 59 POP ECX
01066677 59 POP ECX
01066678 8B0D 98550901 MOV ECX,DWORD PTR DS:[1095598]
0106667E 89040E MOV DWORD PTR DS:[ESI+ECX],EAX
01066681 8B07 MOV EAX,DWORD PTR DS:[EDI]
01066683 8985 ACFEFFFF MOV DWORD PTR SS:[EBP-154],EAX
01066689 8B00 MOV EAX,DWORD PTR DS:[EAX]
0106668B 85C0 TEST EAX,EAX
0106668D 0F84 D4000000 JE 01066767
01066693 33FF XOR EDI,EDI
01066695 68 00010000 PUSH 100
0106669A 8D8D A8FDFFFF LEA ECX,DWORD PTR SS:[EBP-258]
010666A0 51 PUSH ECX
010666A1 50 PUSH EAX
010666A2 E8 0CC0FEFF CALL 010526B3
010666A7 83C4 0C ADD ESP,0C
010666AA 8D85 A8FDFFFF LEA EAX,DWORD PTR SS:[EBP-258]
010666B0 50 PUSH EAX
010666B1 A1 9C550901 MOV EAX,DWORD PTR DS:[109559C]
010666B6 FF3406 PUSH DWORD PTR DS:[ESI+EAX]
010666B9 FF15 C4720801 CALL DWORD PTR DS:[10872C4] ; kernel32.GetProcAddress
010666BF 8BD8 MOV EBX,EAX
010666C1 B9 880F0901 MOV ECX,1090F88
010666C6 E8 BF3A0000 CALL 0106A18A
010666CB 33D8 XOR EBX,EAX
010666CD A1 94550901 MOV EAX,DWORD PTR DS:[1095594]
010666D2 8B0406 MOV EAX,DWORD PTR DS:[ESI+EAX]
010666D5 891C38 MOV DWORD PTR DS:[EAX+EDI],EBX
010666D8 6A 01 PUSH 1
010666DA 8D85 A8FDFFFF LEA EAX,DWORD PTR SS:[EBP-258]
010666E0 50 PUSH EAX
010666E1 A1 9C550901 MOV EAX,DWORD PTR DS:[109559C]
010666E6 FF3406 PUSH DWORD PTR DS:[ESI+EAX]
010666E9 E8 83050000 CALL 01066C71
010666EE 83C4 0C ADD ESP,0C
010666F1 8B0D 98550901 MOV ECX,DWORD PTR DS:[1095598]
010666F7 8B0C0E MOV ECX,DWORD PTR DS:[ESI+ECX]
010666FA 890439 MOV DWORD PTR DS:[ECX+EDI],EAX
010666FD A1 98550901 MOV EAX,DWORD PTR DS:[1095598]
01066702 8B0406 MOV EAX,DWORD PTR DS:[ESI+EAX]
01066705 833C38 00 CMP DWORD PTR DS:[EAX+EDI],0
01066709 75 25 JNZ SHORT 01066730
0106670B 6A 00 PUSH 0
0106670D 8D85 A8FDFFFF LEA EAX,DWORD PTR SS:[EBP-258]
01066713 50 PUSH EAX
01066714 A1 9C550901 MOV EAX,DWORD PTR DS:[109559C]
01066719 FF3406 PUSH DWORD PTR DS:[ESI+EAX]
0106671C E8 50050000 CALL 01066C71
01066721 83C4 0C ADD ESP,0C
01066724 8B0D 98550901 MOV ECX,DWORD PTR DS:[1095598]
0106672A 8B0C0E MOV ECX,DWORD PTR DS:[ESI+ECX]
0106672D 890439 MOV DWORD PTR DS:[ECX+EDI],EAX
01066730 A1 98550901 MOV EAX,DWORD PTR DS:[1095598]
01066735 8B0406 MOV EAX,DWORD PTR DS:[ESI+EAX]
01066738 8D1C38 LEA EBX,DWORD PTR DS:[EAX+EDI]
0106673B B9 880F0901 MOV ECX,1090F88
01066740 E8 453A0000 CALL 0106A18A
01066745 3103 XOR DWORD PTR DS:[EBX],EAX
01066747 8385 ACFEFFFF 0>ADD DWORD PTR SS:[EBP-154],0C
0106674E 83C7 04 ADD EDI,4
01066751 8B85 ACFEFFFF MOV EAX,DWORD PTR SS:[EBP-154]
01066757 8B00 MOV EAX,DWORD PTR DS:[EAX]
01066759 85C0 TEST EAX,EAX
0106675B ^ 0F85 34FFFFFF JNZ 01066695
01066761 8BBD 78FDFFFF MOV EDI,DWORD PTR SS:[EBP-288]
01066767 A1 9C550901 MOV EAX,DWORD PTR DS:[109559C]
0106676C 8D1C06 LEA EBX,DWORD PTR DS:[ESI+EAX]
0106676F B9 880F0901 MOV ECX,1090F88
01066774 E8 FB390000 CALL 0106A174
01066779 3103 XOR DWORD PTR DS:[EBX],EAX
0106677B 33DB XOR EBX,EBX
0106677D 83C7 0C ADD EDI,0C
01066780 89BD 78FDFFFF MOV DWORD PTR SS:[EBP-288],EDI
01066786 83C6 04 ADD ESI,4
01066789 395F FC CMP DWORD PTR DS:[EDI-4],EBX
0106678C ^ 0F85 31FEFFFF JNZ 010665C3
01066792 EB 03 JMP SHORT 01066797
01066794 D6 SALC
01066795 D6 SALC
01066796 8F ??? ; unknown command
Set a hardware breakpoint on execution at 01066792 EB 03 JMP SHORT 01066797, then F9; it breaks here. Remove the hardware breakpoint and undo the modification at the Magic Jump.
++++++++++++++++++++++++++++++++++++++++++++++++
Set BP GetCurrentThreadId, then Shift+F9 to land here
7C809728 > 64:A1 18000000 MOV EAX,DWORD PTR FS:[18]
7C80972E 8B40 24 MOV EAX,DWORD PTR DS:[EAX+24]
7C809731 C3 RETN
Remove the breakpoint
F8 all the way to here
01080A88 8B65 E8 MOV ESP,DWORD PTR SS:[EBP-18]
01080A8B 834D FC FF OR DWORD PTR SS:[EBP-4],FFFFFFFF
01080A8F 8B7D 08 MOV EDI,DWORD PTR SS:[EBP+8]
01080A92 8B55 DC MOV EDX,DWORD PTR SS:[EBP-24]
01080A95 A1 D4150901 MOV EAX,DWORD PTR DS:[10915D4]
01080A9A 3150 74 XOR DWORD PTR DS:[EAX+74],EDX
01080A9D A1 D4150901 MOV EAX,DWORD PTR DS:[10915D4]
01080AA2 3150 74 XOR DWORD PTR DS:[EAX+74],EDX
01080AA5 A1 D4150901 MOV EAX,DWORD PTR DS:[10915D4]
01080AAA 8B88 88000000 MOV ECX,DWORD PTR DS:[EAX+88]
01080AB0 3348 70 XOR ECX,DWORD PTR DS:[EAX+70]
01080AB3 3308 XOR ECX,DWORD PTR DS:[EAX]
01080AB5 030D EC150901 ADD ECX,DWORD PTR DS:[10915EC] ; FlyWoool.00400000
01080ABB 8B17 MOV EDX,DWORD PTR DS:[EDI]
01080ABD 85D2 TEST EDX,EDX
01080ABF 75 1B JNZ SHORT 01080ADC
01080AC1 FF77 18 PUSH DWORD PTR DS:[EDI+18]
01080AC4 FF77 14 PUSH DWORD PTR DS:[EDI+14]
01080AC7 FF77 10 PUSH DWORD PTR DS:[EDI+10]
01080ACA 8B90 88000000 MOV EDX,DWORD PTR DS:[EAX+88]
01080AD0 3350 24 XOR EDX,DWORD PTR DS:[EAX+24]
01080AD3 3350 04 XOR EDX,DWORD PTR DS:[EAX+4]
01080AD6 2BCA SUB ECX,EDX
01080AD8 FFD1 CALL ECX
01080ADA EB 20 JMP SHORT 01080AFC
01080ADC 83FA 01 CMP EDX,1
01080ADF 75 1E JNZ SHORT 01080AFF
01080AE1 FF77 04 PUSH DWORD PTR DS:[EDI+4]
01080AE4 FF77 08 PUSH DWORD PTR DS:[EDI+8]
01080AE7 6A 00 PUSH 0
01080AE9 FF77 0C PUSH DWORD PTR DS:[EDI+C]
01080AEC 8B90 88000000 MOV EDX,DWORD PTR DS:[EAX+88]
01080AF2 3350 24 XOR EDX,DWORD PTR DS:[EAX+24]
01080AF5 3350 04 XOR EDX,DWORD PTR DS:[EAX+4]
01080AF8 2BCA SUB ECX,EDX
01080AFA FFD1 CALL ECX F7 to step into; this arrives at the OEP
++++++++++++++++++++++++++++++++++++++++++++++++++
Next use ArmInline 0.96 to splice the code; once the scrambled order is sorted out, dump with LordPE, repair with ImportREC, then fix the CCs with Enjoy.
Run the program, everything works. Finally done, heh.
------------------------------------------------------------------------
【Summary】Finding the moment to return from the Magic Jump is very important
------------------------------------------------------------------------
【Copyright】When reposting, please credit the author and keep the article intact. Thanks!
Unpacking process: load the program in OD; as usual, hide OD with a plugin, ignore all exceptions, then add the following exceptions: C0000005 (ACCESS VIOLATION), C000001D (ILLEGAL INSTRUCTION), C000001E (INVALID LOCK SEQUENCE), C0000096 (PRIVILEGED INSTRUCTION)
Entry code:
0105A000 N> 60 pushad
0105A001 E8 00000000 call NOTEPAD.0105A006
0105A006 5D pop ebp
0105A007 50 push eax
0105A008 51 push ecx
0105A009 0FCA bswap edx
0105A00B F7D2 not edx
0105A00D 9C pushfd
Set bp OpenMutexA and Shift+F9 to run,
77E62391 k> 55 push ebp --------- breaks here
77E62392 8BEC mov ebp,esp
77E62394 51 push ecx
77E62395 51 push ecx
77E62396 837D 10 00 cmp dword ptr ss:[ebp+10],0
77E6239A 56 push esi
77E6239B 0F84 C2E30100 je kernel32.77E80763
77E623A1 64:A1 18000000 mov eax,dword ptr fs:[18]
Look at the stack
0006F710 0103229B /CALL to OpenMutexA from NOTEPAD.01032295
0006F714 001F0001 |Access = 1F0001
0006F718 00000000 |Inheritable = FALSE
0006F71C 0006FDA0 /MutexName = "52C:A9EEE0AC4" ------ note 0006fda0, it will be used shortly
0006F720 00000004
0006F724 00000000
0006F728 010476B3 NOTEPAD.010476B3
Ctrl+G 01001000 and type in the following code:
Why Ctrl+G 01001000? Many tutorials use Ctrl+G 401000, but in this example Ctrl+G 401000 cannot be written into the debugged program, and there is already code at 401000 (try it yourself). So how do we know to use Ctrl+G 01001000? Personally I think it is determined from the entry code: the form is the first 3 digits of the entry code address + 01000. In this example the entry code is 0105A000 N> 60 pushad; take the first 3 digits of its address, 010, add 01000, and together that gives 01001000. Seen this way, the Ctrl+G 401000 in many tutorials is the special case of "first 3 digits of the entry address + 01000" where the entry code address has the form 004xxxxx and its first 3 digits are 004.
01001000 60 pushad
01001001 9C pushfd
01001002 68 A0FD0600 push 6FDA0 ; the value seen on the stack
01001007 33C0 xor eax,eax
01001009 50 push eax
0100100A 50 push eax
0100100B E8 B5A6E576 call kernel32.CreateMutexA
01001010 9D popfd
01001011 61 popad
01001012 - E9 7A13E676 jmp kernel32.OpenMutexA
01001017 90 nop
At 01001000 set the new origin: right-click -> New origin here
F9 to run; it breaks at OpenMutexA again; remove the breakpoint.
Ctrl+G 01001000 again
Undo the selection just made: right-click -> Undo selection
Next set bp GetModuleHandleA and F9 to run
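The stub typed in at 01001000 above, re-encoded in Python as an added example (not code from the original post), so the call/jmp displacements the listing shows can be checked rather than copied. The stub address, the mutex-name pointer and OpenMutexA's address are taken from the page's listings; CreateMutexA's address is not printed on the page and is recovered here from the listed displacement B5A6E576.

```python
import struct

def rel32(insn_addr, insn_len, target):
    """E8/E9 displacement: target minus the address of the *next* instruction."""
    return struct.pack("<I", (target - (insn_addr + insn_len)) & 0xFFFFFFFF)

def rel32_target(insn_addr, insn_len, disp_bytes):
    """Inverse: recover the absolute target from a displacement read off a listing."""
    disp = struct.unpack("<i", disp_bytes)[0]
    return (insn_addr + insn_len + disp) & 0xFFFFFFFF

def build_mutex_stub(stub_addr, name_ptr, create_mutex_a, open_mutex_a):
    """Encode the 01001000 stub: save registers/flags, call CreateMutexA(NULL, FALSE, name)
    so the mutex already exists, restore, then jump to the real OpenMutexA."""
    code = bytearray(b"\x60\x9c")                                        # pushad ; pushfd
    code += b"\x68" + struct.pack("<I", name_ptr)                        # push lpName
    code += b"\x33\xc0\x50\x50"                                          # xor eax,eax ; push eax ; push eax
    code += b"\xe8" + rel32(stub_addr + len(code), 5, create_mutex_a)   # call CreateMutexA
    code += b"\x9d\x61"                                                  # popfd ; popad
    code += b"\xe9" + rel32(stub_addr + len(code), 5, open_mutex_a)     # jmp OpenMutexA
    code += b"\x90"                                                      # nop
    return bytes(code)

# Values taken from the page's OllyDbg listings (kernel32 of that XP SP2 box).
STUB_ADDR = 0x01001000
MUTEX_NAME_PTR = 0x0006FDA0        # lpName seen on the stack at the OpenMutexA break
OPEN_MUTEX_A = 0x77E62391          # where bp OpenMutexA broke
# CreateMutexA is not printed on the page; recover it from the call at 0100100B.
CREATE_MUTEX_A = rel32_target(STUB_ADDR + 0xB, 5, bytes.fromhex("B5A6E576"))
# The 24 bytes the listing shows for 01001000..01001017.
LISTED_STUB = bytes.fromhex("609C68A0FD060033C05050E8B5A6E5769D61E97A13E67690")

def stub_matches_listing():
    """True when our encoder reproduces the listing byte for byte."""
    return build_mutex_stub(STUB_ADDR, MUTEX_NAME_PTR, CREATE_MUTEX_A, OPEN_MUTEX_A) == LISTED_STUB
```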
77E5AD86 k> 837C24 04 00 cmp dword ptr ss:[esp+4],0 ---- breaks here, remove the breakpoint
77E5AD8B 0F84 37010000 je kernel32.77E5AEC8 ---------- set a new breakpoint here
77E5AD91 FF7424 04 push dword ptr ss:[esp+4]
77E5AD95 E8 F8050000 call kernel32.77E5B392
77E5AD9A 85C0 test eax,eax
77E5AD9C 74 08 je short kernel32.77E5ADA6
77E5AD9E FF70 04 push dword ptr ds:[eax+4]
Press F9 to run and watch the stack
Many experts have pointed out the moment to return
0006900C 00A05A99 RETURN to 00A05A99 from kernel32.GetModuleHandleA
00069010 0006915C ASCII "kernel32.dll"
00069014 0006EA58
When you see the code above, that is the moment to return; remove the breakpoint
Ctrl+F9 returns to the packer code
00A05A99 8B0D 6C50A300 mov ecx,dword ptr ds:[A3506C] -------- back here
00A05A9F 89040E mov dword ptr ds:[esi+ecx],eax
00A05AA2 A1 6C50A300 mov eax,dword ptr ds:[A3506C]
00A05AA7 391C06 cmp dword ptr ds:[esi+eax],ebx
00A05AAA 75 16 jnz short 00A05AC2
00A05AAC 8D85 B4FEFFFF lea eax,dword ptr ss:[ebp-14C]
00A05AB2 50 push eax
00A05AB3 FF15 B862A200 call dword ptr ds:[A262B8]
00A05AB9 8B0D 6C50A300 mov ecx,dword ptr ds:[A3506C]
00A05ABF 89040E mov dword ptr ds:[esi+ecx],eax
00A05AC2 A1 6C50A300 mov eax,dword ptr ds:[A3506C]
00A05AC7 391C06 cmp dword ptr ds:[esi+eax],ebx
00A05ACA <> 0F84 2F010000 je 00A05BFF ------ magic jump // change to: JMP 00A05BFF
00A05AD0 33C9 xor ecx,ecx
00A05AD2 8B07 mov eax,dword ptr ds:[edi]
00A05AD4 3918 cmp dword ptr ds:[eax],ebx
00A05AD6 74 06 je short 00A05ADE
00A05AD8 41 inc ecx
00A05AD9 83C0 0C add eax,0C
00A05ADC ^ EB F6 jmp short 00A05AD4
After changing the magic jump from je 00A05BFF to JMP 00A05BFF,
press Alt+M; you must not immediately set a memory breakpoint on the memory image
01001000 00007000 NOTEPAD .text Imag 01001002 R RWE
otherwise the following happens:
77F60B6F 56 push esi
77F60B70 FF75 0C push dword ptr ss:[ebp+C]
77F60B73 8B75 08 mov esi,dword ptr ss:[ebp+8]
77F60B76 56 push esi
77F60B77 E8 AA000000 call ntdll.77F60C26
77F60B7C 84C0 test al,al
77F60B7E 0F85 EB6F0200 jnz ntdll.77F87B6F
77F60B84 53 push ebx
77F60B85 57 push edi
The debugged program cannot handle the exception.
After reading KuNgBiM[DFCG]'s "Unpacking for beginners: Armadillo 3.00a - 3.61 standard shell", I learned:
after changing the magic jump from je 00A05BFF to JMP 00A05BFF, Ctrl+F to search for the command from the current position:
salc, at 00A05C16; when you see jmp, salc, salc together, heh, congratulations,
you have found the place; set a breakpoint on the jmp above the salc! --------- KuNgBiM[DFCG]'s original words
00A05C14 /EB 03 jmp short 00A05C19 ----- break here
00A05C16 |D6 salc ------------------- found here
00A05C17 |D6 salc
F9 to run; it breaks at 00A05C14. Now go back to the Magic Jump and restore the originally modified code: at 00A05ACA
right-click -> "Undo selection".
Remove the breakpoint at 00A05C14; now Alt+M again and set a memory breakpoint on
01001000 00007000 NOTEPAD .text Imag 01001002 R RWE
Press F9 twice and it breaks directly at the OEP (a sea of red)
01006AE0 6A 70 push 70
01006AE2 68 88180001 push NOTEPAD.01001888
01006AE7 E8 BC010000 call NOTEPAD.01006CA8
01006AEC 33DB xor ebx,ebx
01006AEE 53 push ebx
01006AEF 8B3D 4C110001 mov edi,dword ptr ds:[100114C]
01006AF5 FFD7 call edi
01006AF7 66:8138 4D5A cmp word ptr ds:[eax],5A4D
01006AFC 75 1F jnz short NOTEPAD.01006B1D
01006AFE 8B48 3C mov ecx,dword ptr ds:[eax+3C]
01006B01 03C8 add ecx,eax
01006B03 8139 50450000 cmp dword ptr ds:[ecx],4550
01006B09 75 12 jnz short NOTEPAD.01006B1D
01006B0B 0FB741 18 movzx eax,word ptr ds:[ecx+18]
01006B0F 3D 0B010000 cmp eax,10B
01006B14 74 1F je short NOTEPAD.01006B35
Dump it with LordPE; without closing OD, use ImportREC 1.6, select this program's process, change the OEP to 6ae0, click IAT AutoSearch, and cut the invalid functions. FixDump, and it runs normally! A normal NOTEPAD is 65K; packed it is 592K, and after unpacking and repair it reaches 784K, so the repaired program needs slimming down; refer to 飄雲's "Armadillo 1.xx - 2.xx -> Silicon Realms Toolworks unpacking analysis". After slimming, NOTEPAD is 65.3K, about the same as the normal size.
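The OEP code above is the usual CRT startup header check (word 5A4D at offset 0, dword 4550 at e_lfanew, optional-header magic 10B). As an added example that is not part of the original post, the same walk in Python over a constructed minimal PE32 header, plus the VA-to-RVA conversion behind the "OEP = 6ae0" entered into ImportREC (01006AE0 - 01000000) and the .text address that the Alt+M memory map shows; the header offsets are the standard PE32 layout, and the image bytes are constructed, not the real NOTEPAD.

```python
import struct

def build_min_pe32(image_base, entry_rva, text_rva, text_size):
    """Constructed sample: a minimal PE32 header with one .text section."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)   # i386, 1 section
    opt = bytearray(0xE0)                                            # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                            # Magic = PE32
    struct.pack_into("<I", opt, 16, entry_rva)                       # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)                      # ImageBase
    sec = b".text".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", text_size, text_rva, text_size, 0x400, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + bytes(opt) + sec

def parse_headers(img):
    """Same walk as the startup code at the OEP: 'MZ' at 0, e_lfanew at 0x3C,
    'PE\\0\\0' there, then the optional-header Magic must be 0x10B (PE32)."""
    if img[:2] != b"MZ":
        raise ValueError("no MZ signature")
    pe = struct.unpack_from("<I", img, 0x3C)[0]
    if img[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    nsec, = struct.unpack_from("<H", img, pe + 6)
    opt_size, = struct.unpack_from("<H", img, pe + 20)
    opt = pe + 24
    magic, = struct.unpack_from("<H", img, opt)
    if magic != 0x10B:
        raise ValueError("optional header magic 0x%X is not PE32" % magic)
    entry_rva, = struct.unpack_from("<I", img, opt + 16)
    image_base, = struct.unpack_from("<I", img, opt + 28)
    sections = []
    for i in range(nsec):
        s = opt + opt_size + 40 * i                                  # section headers follow the optional header
        name = img[s:s + 8].rstrip(b"\0").decode()
        vsize, va = struct.unpack_from("<II", img, s + 8)
        sections.append((name, va, vsize))
    return {"image_base": image_base, "entry_rva": entry_rva, "sections": sections}

def oep_rva(oep_va, image_base):
    """ImportREC's OEP field wants an RVA: the VA OD shows minus the image base."""
    return oep_va - image_base

def section_va(hdr, name):
    """Virtual address of a section as OD's memory map (Alt+M) lists it."""
    for n, va, _ in hdr["sections"]:
        if n == name:
            return hdr["image_base"] + va
    raise KeyError(name)
```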