http://hi.baidu.com/herozone/blog/item/73472624a8b5ba36c9955968.html
Manually unpacking Armadillo 3.78 - 4.xx -> Silicon Realms Toolworks
2008-05-17 (Saturday) 13:59
[Title] Manually unpacking Armadillo 3.78 - 4.xx -> Silicon Realms Toolworks
[Author] 一杯凉茶
[Author email] [email protected]
[Author homepage] N/A
[Tools] PEiD 0.94 + OD + ArmInline 0.96 + LordPE + ImportREC + Enjoy
[Platform] pirated XP SP2
[Software name] ..........
[Software size] ..........
[Original download] ...........
[Protection] packer
[Software description]
[Disclaimer] This article is for research and study only; I accept no legal responsibility for any consequences arising from it. For any shortcomings in this article, please
[Cracking process] 1. Load in OD, ignore all exceptions, hide OD with the plugin.
00946000 > 60 PUSHAD
00946001 E8 00000000 CALL FlyWoool.00946006
00946006 5D POP EBP
00946007 50 PUSH EAX
00946008 51 PUSH ECX
00946009 0FCA BSWAP EDX
0094600B F7D2 NOT EDX
0094600D 9C PUSHFD
0094600E F7D2 NOT EDX
00946010 0FCA BSWAP EDX
00946012 EB 0F JMP SHORT FlyWoool.00946023
00946014 B9 EB0FB8EB MOV ECX,EBB80FEB
00946019 07 POP ES ; segment register decoration
0094601A B9 EB0F90EB MOV ECX,EB900FEB
0094601F 08FD OR CH,BH
++++++++++++++++++++++++++++++++++++++++
Set bp OpenMutexA, SHIFT+F9 to here:
0094F5C3 F0: PREFIX LOCK: ; superfluous prefix
0094F5C4 F0:C7 ??? ; unknown command
0094F5C6 C8 64678F ENTER 6764,8F
0094F5CA 06 PUSH ES
0094F5CB 0000 ADD BYTE PTR DS:[EAX],AL
0094F5CD 83C4 04 ADD ESP,4
0094F5D0 C3 RETN
0094F5D1 03C5 ADD EAX,EBP
0094F5D3 C3 RETN
0094F5D4 B9 EA7A0000 MOV ECX,7AEA
0094F5D9 C3 RETN
0094F5DA B8 661A0000 MOV EAX,1A66
0094F5DF C3 RETN
An exception occurs; manually add the most recent exception to the ignore list, SHIFT+F9 to here:
7C80EA1B > 8BFF MOV EDI,EDI
7C80EA1D 55 PUSH EBP
7C80EA1E 8BEC MOV EBP,ESP
7C80EA20 51 PUSH ECX
7C80EA21 51 PUSH ECX
7C80EA22 837D 10 00 CMP DWORD PTR SS:[EBP+10],0
7C80EA26 56 PUSH ESI
++++++++++++++++++++++++++++++++++++++++++++++++
ALT+F9 returns to here:
0091E735 85C0 TEST EAX,EAX
0091E737 74 04 JE SHORT FlyWoool.0091E73D
0091E739 C645 DC 00 MOV BYTE PTR SS:[EBP-24],0
0091E73D 8B45 DC MOV EAX,DWORD PTR SS:[EBP-24]
0091E740 25 FF000000 AND EAX,0FF
0091E745 85C0 TEST EAX,EAX
Change 0091E735 74 04 JE SHORT FlyWoool.0091E73D to JNZ.
SHIFT+F9 to here:
7C80EA1B > 8BFF MOV EDI,EDI
7C80EA1D 55 PUSH EBP
7C80EA1E 8BEC MOV EBP,ESP
7C80EA20 51 PUSH ECX
7C80EA21 51 PUSH ECX
7C80EA22 837D 10 00 CMP DWORD PTR SS:[EBP+10],0
7C80EA26 56 PUSH ESI
ALT+F9 to here:
0091EB37 85C0 TEST EAX,EAX
0091EB39 0F85 7A020000 JNZ FlyWoool.0091EDB9
0091EB3F 6A 01 PUSH 1
0091EB41 FF15 88609500 CALL DWORD PTR DS:[<&KERNEL32.GetCurrent>; kernel32.GetCurrentThread
0091EB47 50 PUSH EAX
Change 0091EB39 0F85 7A020000 JNZ FlyWoool.0091EDB9 to JE.
SHIFT+F9 to here, then remove the breakpoint:
7C80EA1B > 8BFF MOV EDI,EDI
7C80EA1D 55 PUSH EBP
7C80EA1E 8BEC MOV EBP,ESP
7C80EA20 51 PUSH ECX
7C80EA21 51 PUSH ECX
7C80EA22 837D 10 00 CMP DWORD PTR SS:[EBP+10],0
7C80EA26 56 PUSH ESI
Up to this step is the method for turning the dual-thread protection into single-thread.
++++++++++++++++++++++++++++++++++++++
Set he (hardware execute breakpoint) on GetModuleHandleA+5, then SHIFT+F9; watch the stack on every hit.
First hit:
001394A4 /0013EBEC
001394A8 |01078091 return to 01078091 from kernel32.GetModuleHandleA
001394AC |0108CD04 ASCII "kernel32.dll"
001394B0 |0108E084 ASCII "VirtualAlloc"
Second hit:
001394A4 /0013EBEC
001394A8 |010780AE return to 010780AE from kernel32.GetModuleHandleA
001394AC |0108CD04 ASCII "kernel32.dll"
001394B0 |0108E078 ASCII "VirtualFree"
Third hit:
00139208 /001394A8
0013920C |010665FF return to 010665FF from kernel32.GetModuleHandleA
00139210 |0013935C ASCII "kernel32.dll"
This is the moment to return.
++++++++++++++++++++++++++++++++++++++++++
Remove the breakpoint, ALT+F9 to here:
010665FF 8B0D 9C550901 MOV ECX,DWORD PTR DS:[109559C]
01066605 89040E MOV DWORD PTR DS:[ESI+ECX],EAX
01066608 A1 9C550901 MOV EAX,DWORD PTR DS:[109559C]
0106660D 391C06 CMP DWORD PTR DS:[ESI+EAX],EBX
01066610 75 2E JNZ SHORT 01066640
01066612 F647 04 02 TEST BYTE PTR DS:[EDI+4],2
01066616 74 12 JE SHORT 0106662A
01066618 B9 880F0901 MOV ECX,1090F88
0106661D E8 B86CFFFF CALL 0105D2DA
01066622 84C0 TEST AL,AL
01066624 0F84 53010000 JE 0106677D
0106662A 8D85 B4FEFFFF LEA EAX,DWORD PTR SS:[EBP-14C]
01066630 50 PUSH EAX
01066631 FF15 E0710801 CALL DWORD PTR DS:[10871E0] ; kernel32.LoadLibraryA
01066637 8B0D 9C550901 MOV ECX,DWORD PTR DS:[109559C]
0106663D 89040E MOV DWORD PTR DS:[ESI+ECX],EAX
01066640 A1 9C550901 MOV EAX,DWORD PTR DS:[109559C]
01066645 391C06 CMP DWORD PTR DS:[ESI+EAX],EBX
01066648 0F84 2F010000 JE 0106677D ; this jump is the Magic Jump, change it to JMP
0106664E 33C9 XOR ECX,ECX
01066650 8B07 MOV EAX,DWORD PTR DS:[EDI]
01066652 3918 CMP DWORD PTR DS:[EAX],EBX
01066654 74 06 JE SHORT 0106665C
01066656 41 INC ECX
01066657 83C0 0C ADD EAX,0C
0106665A ^ EB F6 JMP SHORT 01066652
0106665C 8BD9 MOV EBX,ECX
0106665E C1E3 02 SHL EBX,2
01066661 53 PUSH EBX
01066662 E8 D3020200 CALL 0108693A ; JMP to msvcrt.operator new
01066667 8B0D 94550901 MOV ECX,DWORD PTR DS:[1095594]
0106666D 89040E MOV DWORD PTR DS:[ESI+ECX],EAX
01066670 53 PUSH EBX
01066671 E8 C4020200 CALL 0108693A ; JMP to msvcrt.operator new
01066676 59 POP ECX
01066677 59 POP ECX
01066678 8B0D 98550901 MOV ECX,DWORD PTR DS:[1095598]
0106667E 89040E MOV DWORD PTR DS:[ESI+ECX],EAX
01066681 8B07 MOV EAX,DWORD PTR DS:[EDI]
01066683 8985 ACFEFFFF MOV DWORD PTR SS:[EBP-154],EAX
01066689 8B00 MOV EAX,DWORD PTR DS:[EAX]
0106668B 85C0 TEST EAX,EAX
0106668D 0F84 D4000000 JE 01066767
01066693 33FF XOR EDI,EDI
01066695 68 00010000 PUSH 100
0106669A 8D8D A8FDFFFF LEA ECX,DWORD PTR SS:[EBP-258]
010666A0 51 PUSH ECX
010666A1 50 PUSH EAX
010666A2 E8 0CC0FEFF CALL 010526B3
010666A7 83C4 0C ADD ESP,0C
010666AA 8D85 A8FDFFFF LEA EAX,DWORD PTR SS:[EBP-258]
010666B0 50 PUSH EAX
010666B1 A1 9C550901 MOV EAX,DWORD PTR DS:[109559C]
010666B6 FF3406 PUSH DWORD PTR DS:[ESI+EAX]
010666B9 FF15 C4720801 CALL DWORD PTR DS:[10872C4] ; kernel32.GetProcAddress
010666BF 8BD8 MOV EBX,EAX
010666C1 B9 880F0901 MOV ECX,1090F88
010666C6 E8 BF3A0000 CALL 0106A18A
010666CB 33D8 XOR EBX,EAX
010666CD A1 94550901 MOV EAX,DWORD PTR DS:[1095594]
010666D2 8B0406 MOV EAX,DWORD PTR DS:[ESI+EAX]
010666D5 891C38 MOV DWORD PTR DS:[EAX+EDI],EBX
010666D8 6A 01 PUSH 1
010666DA 8D85 A8FDFFFF LEA EAX,DWORD PTR SS:[EBP-258]
010666E0 50 PUSH EAX
010666E1 A1 9C550901 MOV EAX,DWORD PTR DS:[109559C]
010666E6 FF3406 PUSH DWORD PTR DS:[ESI+EAX]
010666E9 E8 83050000 CALL 01066C71
010666EE 83C4 0C ADD ESP,0C
010666F1 8B0D 98550901 MOV ECX,DWORD PTR DS:[1095598]
010666F7 8B0C0E MOV ECX,DWORD PTR DS:[ESI+ECX]
010666FA 890439 MOV DWORD PTR DS:[ECX+EDI],EAX
010666FD A1 98550901 MOV EAX,DWORD PTR DS:[1095598]
01066702 8B0406 MOV EAX,DWORD PTR DS:[ESI+EAX]
01066705 833C38 00 CMP DWORD PTR DS:[EAX+EDI],0
01066709 75 25 JNZ SHORT 01066730
0106670B 6A 00 PUSH 0
0106670D 8D85 A8FDFFFF LEA EAX,DWORD PTR SS:[EBP-258]
01066713 50 PUSH EAX
01066714 A1 9C550901 MOV EAX,DWORD PTR DS:[109559C]
01066719 FF3406 PUSH DWORD PTR DS:[ESI+EAX]
0106671C E8 50050000 CALL 01066C71
01066721 83C4 0C ADD ESP,0C
01066724 8B0D 98550901 MOV ECX,DWORD PTR DS:[1095598]
0106672A 8B0C0E MOV ECX,DWORD PTR DS:[ESI+ECX]
0106672D 890439 MOV DWORD PTR DS:[ECX+EDI],EAX
01066730 A1 98550901 MOV EAX,DWORD PTR DS:[1095598]
01066735 8B0406 MOV EAX,DWORD PTR DS:[ESI+EAX]
01066738 8D1C38 LEA EBX,DWORD PTR DS:[EAX+EDI]
0106673B B9 880F0901 MOV ECX,1090F88
01066740 E8 453A0000 CALL 0106A18A
01066745 3103 XOR DWORD PTR DS:[EBX],EAX
01066747 8385 ACFEFFFF 0>ADD DWORD PTR SS:[EBP-154],0C
0106674E 83C7 04 ADD EDI,4
01066751 8B85 ACFEFFFF MOV EAX,DWORD PTR SS:[EBP-154]
01066757 8B00 MOV EAX,DWORD PTR DS:[EAX]
01066759 85C0 TEST EAX,EAX
0106675B ^ 0F85 34FFFFFF JNZ 01066695
01066761 8BBD 78FDFFFF MOV EDI,DWORD PTR SS:[EBP-288]
01066767 A1 9C550901 MOV EAX,DWORD PTR DS:[109559C]
0106676C 8D1C06 LEA EBX,DWORD PTR DS:[ESI+EAX]
0106676F B9 880F0901 MOV ECX,1090F88
01066774 E8 FB390000 CALL 0106A174
01066779 3103 XOR DWORD PTR DS:[EBX],EAX
0106677B 33DB XOR EBX,EBX
0106677D 83C7 0C ADD EDI,0C
01066780 89BD 78FDFFFF MOV DWORD PTR SS:[EBP-288],EDI
01066786 83C6 04 ADD ESI,4
01066789 395F FC CMP DWORD PTR DS:[EDI-4],EBX
0106678C ^ 0F85 31FEFFFF JNZ 010665C3
01066792 EB 03 JMP SHORT 01066797
01066794 D6 SALC
01066795 D6 SALC
01066796 8F ??? ; unknown command
Set a hardware execute breakpoint on 01066792 EB 03 JMP SHORT 01066797, then F9; it breaks here. Remove the hardware breakpoint and undo the modification at the Magic Jump.
++++++++++++++++++++++++++++++++++++++++++++++++
Set BP GetCurrentThreadId, SHIFT+F9 to here:
7C809728 > 64:A1 18000000 MOV EAX,DWORD PTR FS:[18]
7C80972E 8B40 24 MOV EAX,DWORD PTR DS:[EAX+24]
7C809731 C3 RETN
Remove the breakpoint.
F8 all the way to here:
01080A88 8B65 E8 MOV ESP,DWORD PTR SS:[EBP-18]
01080A8B 834D FC FF OR DWORD PTR SS:[EBP-4],FFFFFFFF
01080A8F 8B7D 08 MOV EDI,DWORD PTR SS:[EBP+8]
01080A92 8B55 DC MOV EDX,DWORD PTR SS:[EBP-24]
01080A95 A1 D4150901 MOV EAX,DWORD PTR DS:[10915D4]
01080A9A 3150 74 XOR DWORD PTR DS:[EAX+74],EDX
01080A9D A1 D4150901 MOV EAX,DWORD PTR DS:[10915D4]
01080AA2 3150 74 XOR DWORD PTR DS:[EAX+74],EDX
01080AA5 A1 D4150901 MOV EAX,DWORD PTR DS:[10915D4]
01080AAA 8B88 88000000 MOV ECX,DWORD PTR DS:[EAX+88]
01080AB0 3348 70 XOR ECX,DWORD PTR DS:[EAX+70]
01080AB3 3308 XOR ECX,DWORD PTR DS:[EAX]
01080AB5 030D EC150901 ADD ECX,DWORD PTR DS:[10915EC] ; FlyWoool.00400000
01080ABB 8B17 MOV EDX,DWORD PTR DS:[EDI]
01080ABD 85D2 TEST EDX,EDX
01080ABF 75 1B JNZ SHORT 01080ADC
01080AC1 FF77 18 PUSH DWORD PTR DS:[EDI+18]
01080AC4 FF77 14 PUSH DWORD PTR DS:[EDI+14]
01080AC7 FF77 10 PUSH DWORD PTR DS:[EDI+10]
01080ACA 8B90 88000000 MOV EDX,DWORD PTR DS:[EAX+88]
01080AD0 3350 24 XOR EDX,DWORD PTR DS:[EAX+24]
01080AD3 3350 04 XOR EDX,DWORD PTR DS:[EAX+4]
01080AD6 2BCA SUB ECX,EDX
01080AD8 FFD1 CALL ECX
01080ADA EB 20 JMP SHORT 01080AFC
01080ADC 83FA 01 CMP EDX,1
01080ADF 75 1E JNZ SHORT 01080AFF
01080AE1 FF77 04 PUSH DWORD PTR DS:[EDI+4]
01080AE4 FF77 08 PUSH DWORD PTR DS:[EDI+8]
01080AE7 6A 00 PUSH 0
01080AE9 FF77 0C PUSH DWORD PTR DS:[EDI+C]
01080AEC 8B90 88000000 MOV EDX,DWORD PTR DS:[EAX+88]
01080AF2 3350 24 XOR EDX,DWORD PTR DS:[EAX+24]
01080AF5 3350 04 XOR EDX,DWORD PTR DS:[EAX+4]
01080AF8 2BCA SUB ECX,EDX
01080AFA FFD1 CALL ECX ; F7 step into, arriving at the OEP
++++++++++++++++++++++++++++++++++++++++++++++++++
Next, use ArmInline 0.96 to splice the code back and sort out the scrambling; then you can dump with LordPE, fix the imports with ImportREC, and finally use Enjoy to repair the CC bytes.
Run the program; everything works. Finally done, heh.
------------------------------------------------------------------------
[Summary] Finding the right moment to return for the Magic Jump is the important part.
------------------------------------------------------------------------
[Copyright notice] When reposting, please credit the author and keep the article intact. Thanks!
Unpacking procedure: load the program in OD, hide OD with the plugin as usual, ignore all exceptions, then additionally add the following exceptions: C0000005 (ACCESS VIOLATION), C000001D (ILLEGAL INSTRUCTION), C000001E (INVALID LOCK SEQUENCE), C0000096 (PRIVILEGED INSTRUCTION).
Entry code:
0105A000 N> 60 pushad
0105A001 E8 00000000 call NOTEPAD.0105A006
0105A006 5D pop ebp
0105A007 50 push eax
0105A008 51 push ecx
0105A009 0FCA bswap edx
0105A00B F7D2 not edx
0105A00D 9C pushfd
Set bp OpenMutexA and run with Shift+F9:
77E62391 k> 55 push ebp ; breaks here
77E62392 8BEC mov ebp,esp
77E62394 51 push ecx
77E62395 51 push ecx
77E62396 837D 10 00 cmp dword ptr ss:[ebp+10],0
77E6239A 56 push esi
77E6239B 0F84 C2E30100 je kernel32.77E80763
77E623A1 64:A1 18000000 mov eax,dword ptr fs:[18]
Look at the stack:
0006F710 0103229B /CALL to OpenMutexA from NOTEPAD.01032295
0006F714 001F0001 |Access = 1F0001
0006F718 00000000 |Inheritable = FALSE
0006F71C 0006FDA0 /MutexName = "52C:A9EEE0AC4" ; note 0006FDA0, it is used shortly
0006F720 00000004
0006F724 00000000
0006F728 010476B3 NOTEPAD.010476B3
Ctrl+G 01001000 and enter the following code:
Why Ctrl+G 01001000? Many tutorials use Ctrl+G 401000, but in this example nothing can be written to 401000 in the debugged program, and there is already code at 401000 (try it yourself). So how do we know to use Ctrl+G 01001000? In my view it is determined from the entry code: the address has the form "first 3 digits of the entry address + 01000". In this example the entry code is 0105A000 N> 60 pushad; take the first 3 digits of its address, 010, append 01000, and you get 01001000. Seen this way, the Ctrl+G 401000 in many tutorials is just the special case of this rule where the entry address has the form 004xxxxx, so the first 3 digits are 004.
01001000 60 pushad
01001001 9C pushfd
01001002 68 A0FD0600 push 6FDA0 ; the value seen on the stack
01001007 33C0 xor eax,eax
01001009 50 push eax
0100100A 50 push eax
0100100B E8 B5A6E576 call kernel32.CreateMutexA
01001010 9D popfd
01001011 61 popad
01001012 - E9 7A13E676 jmp kernel32.OpenMutexA
01001017 90 nop
Set a new origin at 01001000: right-click -> New origin here.
F9 to run; it breaks again at OpenMutexA. Remove the breakpoint.
Ctrl+G 01001000 again.
Undo the changes just made: right-click -> Undo selection.
Next set bp GetModuleHandleA and run with F9:
77E5AD86 k> 837C24 04 00 cmp dword ptr ss:[esp+4],0 ; breaks here, remove the breakpoint
77E5AD8B 0F84 37010000 je kernel32.77E5AEC8 ; set a new breakpoint here
77E5AD91 FF7424 04 push dword ptr ss:[esp+4]
77E5AD95 E8 F8050000 call kernel32.77E5B392
77E5AD9A 85C0 test eax,eax
77E5AD9C 74 08 je short kernel32.77E5ADA6
77E5AD9E FF70 04 push dword ptr ds:[eax+4]
Press F9 to run, watching the stack.
Many experts have pointed out the moment to return:
0006900C 00A05A99 return to 00A05A99 from kernel32.GetModuleHandleA
00069010 0006915C ASCII "kernel32.dll"
00069014 0006EA58
When you see the above on the stack, it is time to return; remove the breakpoint.
CTRL+F9 to return to the packer code:
00A05A99 8B0D 6C50A300 mov ecx,dword ptr ds:[A3506C] ; back here
00A05A9F 89040E mov dword ptr ds:[esi+ecx],eax
00A05AA2 A1 6C50A300 mov eax,dword ptr ds:[A3506C]
00A05AA7 391C06 cmp dword ptr ds:[esi+eax],ebx
00A05AAA 75 16 jnz short 00A05AC2
00A05AAC 8D85 B4FEFFFF lea eax,dword ptr ss:[ebp-14C]
00A05AB2 50 push eax
00A05AB3 FF15 B862A200 call dword ptr ds:[A262B8]
00A05AB9 8B0D 6C50A300 mov ecx,dword ptr ds:[A3506C]
00A05ABF 89040E mov dword ptr ds:[esi+ecx],eax
00A05AC2 A1 6C50A300 mov eax,dword ptr ds:[A3506C]
00A05AC7 391C06 cmp dword ptr ds:[esi+eax],ebx
00A05ACA <> 0F84 2F010000 je 00A05BFF ; magic jump, change to: JMP 00A05BFF
00A05AD0 33C9 xor ecx,ecx
00A05AD2 8B07 mov eax,dword ptr ds:[edi]
00A05AD4 3918 cmp dword ptr ds:[eax],ebx
00A05AD6 74 06 je short 00A05ADE
00A05AD8 41 inc ecx
00A05AD9 83C0 0C add eax,0C
00A05ADC ^ EB F6 jmp short 00A05AD4
After changing the magic jump from je 00A05BFF to JMP 00A05BFF, press ALT+M, but do not immediately set a memory breakpoint on the memory map entry
01001000 00007000 NOTEPAD .text Imag 01001002 R RWE
Otherwise the following happens:
77F60B6F 56 push esi
77F60B70 FF75 0C push dword ptr ss:[ebp+C]
77F60B73 8B75 08 mov esi,dword ptr ss:[ebp+8]
77F60B76 56 push esi
77F60B77 E8 AA000000 call ntdll.77F60C26
77F60B7C 84C0 test al,al
77F60B7E 0F85 EB6F0200 jnz ntdll.77F87B6F
77F60B84 53 push ebx
77F60B85 57 push edi
The debugged program cannot handle the exception.
After reading KuNgBiM[DFCG]'s "Unpacking for Beginners: Armadillo 3.00a - 3.61 standard shell", I learned that after changing the magic jump from je 00A05BFF to JMP 00A05BFF, you use Ctrl+F to search for the command salc from the current position; it is at 00A05C16. "When you see the jmp, salc, salc code together, heh, congratulations, you have found the place; set a breakpoint on the jmp above the salc!" (KuNgBiM[DFCG]'s own words.)
00A05C14 /EB 03 jmp short 00A05C19 ; set the breakpoint here
00A05C16 |D6 salc ; found here
00A05C17 |D6 salc
F9 to run; it breaks at 00A05C14. Now go back to the Magic Jump and restore the original code: right-click at 00A05ACA -> "Undo selection".
Remove the breakpoint at 00A05C14, now ALT+M again and set a memory breakpoint on
01001000 00007000 NOTEPAD .text Imag 01001002 R RWE
Press F9 twice and it breaks right at the OEP (a sea of red):
01006AE0 6A 70 push 70
01006AE2 68 88180001 push NOTEPAD.01001888
01006AE7 E8 BC010000 call NOTEPAD.01006CA8
01006AEC 33DB xor ebx,ebx
01006AEE 53 push ebx
01006AEF 8B3D 4C110001 mov edi,dword ptr ds:[100114C]
01006AF5 FFD7 call edi
01006AF7 66:8138 4D5A cmp word ptr ds:[eax],5A4D
01006AFC 75 1F jnz short NOTEPAD.01006B1D
01006AFE 8B48 3C mov ecx,dword ptr ds:[eax+3C]
01006B01 03C8 add ecx,eax
01006B03 8139 50450000 cmp dword ptr ds:[ecx],4550
01006B09 75 12 jnz short NOTEPAD.01006B1D
01006B0B 0FB741 18 movzx eax,word ptr ds:[ecx+18]
01006B0F 3D 0B010000 cmp eax,10B
01006B14 74 1F je short NOTEPAD.01006B35
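The "Ctrl+G first 3 digits + 01000" rule explained earlier and the MZ / PE / 0x10B checks in the OEP listing above both come down to reading the PE header, and the same header read is how a defender decides whether a binary is packed at all. As an added example (not part of the original post, and not code from any of the tools it mentions), here is a small Python PE32 header parser. It computes ImageBase plus the first section's RVA, which is what the "first 3 digits + 01000" rule yields whenever the first section starts at RVA 1000; it locates the section containing the entry point; and it flags an entry point that sits outside the first code section or in a writable section, the usual triage hint that a packer stub runs before the real OEP. Both sample images are constructed in memory with no section bodies. The image base 01000000, the .text range 01001000-01008000, the packed entry 0105A000 and the OEP 01006AE0 come from the listings on this page; the ".pack" section name, its size and the .data section are assumptions made for the sample and are not Armadillo's layout.

```python
import struct

# Section characteristic bits from the PE specification
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe32(data):
    """Walk the headers the OEP code checks: MZ, PE\\0\\0, then Magic == 0x10B."""
    if data[:2] != b"MZ":  # cmp word ptr [eax],5A4D
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":  # cmp dword ptr [ecx],4550
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_of_optional = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24  # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic != 0x10B:  # movzx eax,word ptr [ecx+18]; cmp eax,10B
        raise ValueError("not a PE32 image, magic 0x%X" % magic)
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    sections = []
    off = opt + size_of_optional
    for _ in range(num_sections):
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va = struct.unpack_from("<II", data, off + 8)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name, "va": va, "vsize": vsize, "chars": chars})
        off += 40
    return {"image_base": image_base, "entry_rva": entry_rva, "sections": sections}


def first_section_va(pe):
    """Absolute address of the first section: what 'Ctrl+G <first 3 digits>01000' resolves to."""
    return pe["image_base"] + pe["sections"][0]["va"]


def section_for_rva(pe, rva):
    """Return the section header whose virtual range contains rva, or None."""
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + s["vsize"]:
            return s
    return None


def entry_point_report(pe):
    """Return (entry VA, section name or None, suspicious flag)."""
    ep_va = pe["image_base"] + pe["entry_rva"]
    s = section_for_rva(pe, pe["entry_rva"])
    if s is None:
        return ep_va, None, True
    # An entry point outside the first code section, or in a writable section,
    # is the classic triage signal that a packer stub runs before the real OEP.
    suspicious = s is not pe["sections"][0] or bool(s["chars"] & IMAGE_SCN_MEM_WRITE)
    return ep_va, s["name"], suspicious


def build_pe32(image_base, entry_rva, sections):
    """Constructed minimal PE32 headers (no section bodies), for offline demonstration only."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    size_of_optional = 224  # PE32 optional header including 16 data directories
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_of_optional, 0x102)
    opt = bytearray(size_of_optional)
    struct.pack_into("<H", opt, 0, 0x10B)          # Magic: PE32
    struct.pack_into("<I", opt, 16, entry_rva)     # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)    # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)  # SectionAlignment, FileAlignment
    table = b""
    for name, va, vsize, chars in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode("ascii"),
                             vsize, va, vsize, 0, 0, 0, 0, 0, chars)
    return bytes(dos) + b"PE\0\0" + coff + opt + table


CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

# Unpacked layout taken from the page: .text at 01001000 (size 7000), OEP 01006AE0.
UNPACKED = build_pe32(0x01000000, 0x6AE0,
                      [(".text", 0x1000, 0x7000, CODE), (".data", 0x8000, 0x1000, DATA)])
# Packed layout: entry 0105A000 in an added stub section. The ".pack" name and size
# are made up for this sample; .text is RWE as the ALT+M window on the page shows.
PACKED = build_pe32(0x01000000, 0x5A000,
                    [(".text", 0x1000, 0x7000, CODE | IMAGE_SCN_MEM_WRITE),
                     (".data", 0x8000, 0x1000, DATA),
                     (".pack", 0x5A000, 0x10000, CODE | IMAGE_SCN_MEM_WRITE)])

if __name__ == "__main__":
    for label, image in (("unpacked", UNPACKED), ("packed", PACKED)):
        pe = parse_pe32(image)
        ep, sec, bad = entry_point_report(pe)
        print("%s: first section %08X, entry %08X in %s, suspicious=%s"
              % (label, first_section_va(pe), ep, sec, bad))
```

Running the script reports the unpacked image's entry inside .text and the packed image's entry in the stub section with the suspicious flag set. On a real file, replace the constructed images with `open(path, "rb").read()`; the parser only touches the headers, so it works on a LordPE dump as well as on the original executable.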
Dump it with LordPE. Without closing OD, open ImportREC 1.6, select this program's process, set the OEP to 6ae0, click IAT AutoSearch, cut the invalid functions, then FixDump, and it runs normally! A normal NOTEPAD is 65K; packed it is 592K, and after unpacking and repair it reaches 784K, so the repaired program needs slimming down. Refer to 飘云's "Armadillo 1.xx - 2.xx -> Silicon Realms Toolworks unpacking analysis"; after slimming, NOTEPAD is 65.3K, about the same as the normal size.