吾爱破解 - 52pojie.cn
Views: 4032 | Replies: 6

[Help] Does the program have anti-debug? Problem unpacking Themida & WinLicense 2.0 - 2.4.6

Marriner posted on 2021-11-29 12:30
Last edited by Marriner on 2021-12-3 18:49

I am unpacking with Themida - Winlicense Ultra Unpacker 1.4.txt, and it stops at the step below. Could someone help me work out how to continue? Thanks!

Snap42.jpg

Log data
Address    Message
           Themida - Winlicense Ultra Unpacker 1.4
           -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

00AB0A0F   Breakpoint at 00AB0A0F
00AB0A10   Breakpoint at 00AB0A10
00AC0054   Breakpoint at 00AC0054

           OS=x86 32-Bit
00AC0056   Breakpoint at 00AC0056
00AE0021   Breakpoint at 00AE0021
00AE0028   Breakpoint at 00AE0028

           2.434 MB +/-

           8.244 MB +/-

           Your target is a >>> Dynamic <<< Link Library!

           Note: If possible then don't use the VM OEP for dlls if real OEP is not stolen!
           Change VM OEP after popad to JMP Target OEP!
           Or
           Just set a another push 0 before VM OEP push = 2 pushes before jump to WL VM!

           OEP change if you want to keep VM OEP for Dll
           -------------------------------------------------
           popad
           mov ebp, Align
           push 0
           push VM OEP Value
           jmp WL VM
           -------------------------------------------------

           Exsample: Not stolen Dll OEP!
           -------------------------------------------------
           100084D2   MOV EDI,EDI
           100084D4   PUSH EBP
           100084D5   MOV EBP,ESP
           100084D7   CMP DWORD PTR SS:[EBP+0xC],0x1  <-- check for 1 must be inside to run the Dll
           100084DB   JNZ SHORT 100084E2              <-- Don't jump if value 1 is inside stack

           Stack: At Target OEP / Not stolen
           -------------------------------------------------
           $ ==>    7C91118A  RETURN to ntdll.7C91118A
           $+4      10000000  Dll_X.10000000  <-- Base
           $+8      00000001                  <-- 1
           $+C      00000000

           ImageBase in PE keep same = File was loaded with original ImageBase!


           PE HEADER:   10000000 | 1000
           CODESECTION: 10001000 | 36B000
           PE HEADER till CODESECTION Distance: 1000 || Value of 1000 = Normal!
           Your Target seems to be a normal file!

           Unpacking of NET targets is diffrent!
           Dump running process with WinHex and then fix the whole PE and NET struct!

00AF07AA   Breakpoint at 00AF07AA

           No Overlay used!

           Disasembling Syntax: MASM (Microsoft)     <=> OK

           Show default segments:               Enabled
           Always show size of memory operands: Enabled
           Extra space between arguments:       Disabled

           StrongOD Found!
           ----------------------------------------------
           HidePEB=1          Enabled   = OK
           KernelMode=1       Enabled   = OK
           KillPEBug=1        Enabled   = OK
           SkipExpection=1    Enabled   = OK
           Custom Exceptions  Disabled  = Set The Range 00000000-FFFFFFFF
           DriverName=CError

           DRX=1              Enabled   = OK

           ----------------------------------------------

1080C009   Breakpoint at custom.1080C009
1080C00B   Breakpoint at custom.1080C00B

           XP System found - Very good choice!


           Newer SetEvent & Kernel32 ADs Redirecting in Realtime is disabled by user!


           Kernel Ex Table Start: 7C802644
00B2003F   Breakpoint at 00B2003F

           PE DUMPSEC:  VA 10810000 - VS 3D000
           PE ANTISEC:  VA 10811000
           PE OEPMAKE:  VA 10811600
           SETEVENT_VM: VA 108121D0
           PE I-Table:  VA 10813000
           VP - STORE:  VA 10812F00
           and or...
           API JUMP-T:  VA 10813000
00B2003F   Breakpoint at 00B2003F

           RISC VM Store Section VA is: 10850000 - VS 200000
00B20041   Breakpoint at 00B20041
10372A78   Hardware breakpoint 1 at custom.10372A78

           Found WL Intern Export API Access at: 10372E59

           Use this address to get all intern access WL APIs!
7C809AF1   Hardware breakpoint 2 at kernel32.VirtualAlloc

           ---------- Loaded File Infos ----------

           Target    Base: 10000000

           Kernel32  Base: 7C800000

           Kernel32  SORD: 7C8001F8 | 83200
           Kernel32  SORD: 7C800200

           User32    Base: 77D10000
           Advapi32  Base: 77DA0000
           ---------------------------------------

           WL Section: 1036F000   |  2E4000

           WL Align:   FE09F014 |  EBP Pointer Value


           XBundler Prepair Sign not found!
           CISC VM is located in the Themida - Winlicense section 1036F000 | 2E4000.


           VMWare Address: 10372946 | 0


           VMWare Checks are not Used & Disabled by Script!


           Found No SetEvent WL Location!

           Found No LoadLibraryA WL Location!

           Found No FreeLibrary WL Location!

           Auto XBundler Checker & Dumper is enabled!
           If XBunlder Files are found in auto-modus then they will dumped by script!
           If the auto XBunlder Dumper does fail etc then disable it next time!


           Anti Access Stop on Code Section was Set!

           Moddern MJM Scan Chosen!

           Normal IAT Patch Scan Was Written!
00BB0306   Hardware breakpoint 3 at 00BB0306
76B10000   Module C:\WINDOWS\system32\winmm.dll
7C8106F9   New thread with ID 000004B0 created
7C8106F9   New thread with ID 000004BC created
7C8106F9   New thread with ID 000004C0 created
7C8106F9   New thread with ID 00000228 created
7C8106F9   New thread with ID 000004E0 created
7C8106F9   New thread with ID 0000050C created
7C8106F9   New thread with ID 00000580 created
7C8106F9   New thread with ID 00000740 created
7C8106F9   New thread with ID 00000290 created
7C8106F9   New thread with ID 00000500 created
00BA0033   Hardware breakpoint 1 at 00BA0033
7C9301DB   Hardware breakpoint 3 at ntdll.7C9301DB

           Heap Prot was redirected!
7D590000   Module C:\WINDOWS\system32\shell32.dll
77F40000   Module C:\WINDOWS\system32\shlwapi.dll
77180000   Module C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
77BD0000   Module C:\WINDOWS\system32\version.dll
71A20000   Module C:\WINDOWS\system32\ws2_32.dll
71A10000   Module C:\WINDOWS\system32\ws2help.dll
76BC0000   Module C:\WINDOWS\system32\psapi.dll
76680000   Module C:\WINDOWS\system32\wininet.dll
765E0000   Module C:\WINDOWS\system32\crypt32.dll
76DB0000   Module C:\WINDOWS\system32\msasn1.dll
7C8106F9   New thread with ID 00000514 created
61880000   Module C:\WINDOWS\system32\oleacc.dll
7C8106F9   New thread with ID 00000530 created
7C8106F9   New thread with ID 0000033C created
72F70000   Module C:\WINDOWS\system32\winspool.drv
76320000   Module C:\WINDOWS\system32\comdlg32.dll
7C8106F9   New thread with ID 000004F8 created
105BCC24   Hardware breakpoint 2 at custom.105BCC24
10001000   Problems when disabling memory breakpoint:
10001000     Access to memory changed from RE to RWE (original RWECopy)
105C3172   Memory breakpoint when writing to [10001000]

           105C3172 - REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
105C3174   Breakpoint at custom.105C3174
7C8106F9   New thread with ID 00000560 created
00BA0033   Hardware breakpoint 1 at 00BA0033
7C9301DB   Hardware breakpoint 2 at ntdll.7C9301DB

           Heap One was redirected!
00BA0033   Hardware breakpoint 1 at 00BA0033
7C9301DB   Hardware breakpoint 2 at ntdll.7C9301DB

           Heap Two was redirected!
5ADC0000   Module C:\WINDOWS\system32\uxtheme.dll
73640000   Module C:\WINDOWS\system32\MSCTFIME.IME



Marriner (OP) posted on 2021-12-3 17:36
It looks like many of the kernel32 functions were not resolved. Does the program have anti-debug? Is there a plugin that lets OllyDbg get past the program's checks?

100CE990  |. FF15 0CD18010  CALL DWORD PTR DS:[<&kernel32.GetSystemTimeAsFileTime>]  ; \GetSystemTimeAsFileTime
100CE99C  |. FF15 04D18010  CALL DWORD PTR DS:[<&kernel32.GetCurrentProcessId>]      ; [GetCurrentProcessId
100CE9AC  |. FF15 C4D08010  CALL DWORD PTR DS:[<&kernel32.GetTickCount>]             ; [GetTickCount
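The calls above go through IAT slots ([1080D10C], [1080D104], [1080D0C4]). Whether a dumped module runs depends on what those slots contain: a thunk that still points into the WinLicense section, or into a VirtualAlloc'd redirect block, refers to memory that is not in the dumped file, so the module faults at the first such call, which matches the crash later reported at 100CE990. The script below is an added example, not part of the Ultra Unpacker script or of anything posted in the thread: it walks a raw IAT image (little-endian DWORDs up to the zero terminator) and classifies each thunk against the module bases the script printed under "Loaded File Infos" and the target's WL/VM regions. The module sizes, the target image extent and the sample IAT bytes are constructed assumptions; take the real sizes from OllyDbg's Executable modules window and copy the real IAT bytes from the thunk VAs shown by the CALL DWORD PTR instructions.

```python
"""Sanity-check IAT thunks from a dumped WinLicense target.

Added example (not from the Ultra Unpacker script or the thread). Module
bases come from the script log; module sizes, the image extent and the
sample IAT are constructed assumptions.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Region:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


# Bases from "Loaded File Infos" in the log; sizes are assumed (the log does
# not print SizeOfImage) and should be read from OllyDbg's module list.
SYSTEM_MODULES = [
    Region("kernel32", 0x7C800000, 0x000F6000),
    Region("user32",   0x77D10000, 0x00090000),
    Region("advapi32", 0x77DA0000, 0x000AB000),
]

# Regions inside the target where a thunk means the API was never resolved:
# the WL section (API redirect stubs / VM) and the RISC VM store first, then
# the rest of the image. The image extent is an assumption covering the
# sections the log lists (header, code, WL section, dump sec, VM store).
TARGET_REGIONS = [
    Region("WL section",    0x1036F000, 0x002E4000),  # WL Section: 1036F000 | 2E4000
    Region("RISC VM store", 0x10850000, 0x00200000),  # RISC VM Store 10850000 - VS 200000
    Region("target image",  0x10000000, 0x00A50000),
]


@dataclass(frozen=True)
class Thunk:
    va: int
    value: int
    status: str            # "ok" | "redirected" | "dangling" | "null"
    region: Optional[str]  # region the value falls in, if any


def classify_thunk(va: int, value: int,
                   system_modules: List[Region] = SYSTEM_MODULES,
                   target_regions: List[Region] = TARGET_REGIONS) -> Thunk:
    """ok: points into a system module (a real export or at least a module
    that exists at load time); redirected: points back into the target, i.e.
    a WL API stub, so the dump still depends on the protector's code;
    dangling: points into memory owned by no module, typically a
    VirtualAlloc'd redirect block that does not exist in the dumped file."""
    if value == 0:
        return Thunk(va, value, "null", None)
    for m in system_modules:
        if m.contains(value):
            return Thunk(va, value, "ok", m.name)
    for r in target_regions:
        if r.contains(value):
            return Thunk(va, value, "redirected", r.name)
    return Thunk(va, value, "dangling", None)


def classify_iat(raw: bytes, iat_va: int) -> List[Thunk]:
    """Walk DWORD thunks starting at iat_va until the zero terminator (inclusive)."""
    thunks: List[Thunk] = []
    for off in range(0, len(raw) - len(raw) % 4, 4):
        (value,) = struct.unpack_from("<I", raw, off)
        thunks.append(classify_thunk(iat_va + off, value))
        if value == 0:
            break
    return thunks


def summarize(thunks: List[Thunk]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for t in thunks:
        counts[t.status] = counts.get(t.status, 0) + 1
    return counts


def report(thunks: List[Thunk]) -> str:
    return "\n".join(f"[{t.va:08X}] -> {t.value:08X}  {t.status:<10} {t.region or ''}"
                     for t in thunks)


# Constructed sample: three thunks placed near the [1080D1xx] slots in the post.
SAMPLE_IAT_VA = 0x1080D0C4
SAMPLE_IAT = struct.pack(
    "<4I",
    0x7C809AF1,  # kernel32.VirtualAlloc (address from the log): properly resolved
    0x10372E59,  # inside the WL section ("intern export API access" address): redirect stub
    0x00BA0033,  # allocated block outside every module (log's HW breakpoint 1): lost on dump
    0,           # terminator
)

if __name__ == "__main__":
    thunks = classify_iat(SAMPLE_IAT, SAMPLE_IAT_VA)
    print(report(thunks))
    print(summarize(thunks))
```

Every "redirected" or "dangling" entry is a slot the IAT rebuild has not yet turned into a real export; those are the ones to resolve (or re-run the script's IAT scan on) before the dumped DLL can execute past its first import call.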
Marriner (OP) posted on 2021-11-29 17:24
Last edited by Marriner on 2021-11-29 21:58

。。。。。。。。。。。。。。。。
Sound posted on 2021-12-2 21:04
Check whether the versions of the plugins the script uses, and the OD settings, match what it expects.
Marriner (OP) posted on 2021-12-3 15:39
> Sound posted on 2021-12-2 21:04
> Check whether the versions of the plugins the script uses, and the OD settings, match what it expects.

@Sound

I tried unpacking manually: after finding the OEP I dumped it with OllyDumpEx, and running the dump gives an error.

TMD2.JPG

Debugging it in OllyDbg, the error is at 100CE990, where the binary code was not disassembled into assembly. What could be causing this, and how do I fix it?

TMD1.JPG
shendezuiai posted on 2021-12-21 09:18
Re-download the latest versions of the plugins, the newer the better, or try several of them. Nothing more to say, thumbs up to everyone. I unpacked a few of the files in the mmt folder of 按键精灵; good stuff. I used a VM with 32-bit Win7 and messed about with it all night, only just got it unpacked, you know how it is, slowly tinkering.
In my case the last step was that the ODbgScript plugin could not save the data, not sure if I'm describing it correctly; I don't understand any of it and just followed a few tutorials. At the last step it kept popping up this:
"dumping failed by the script
dump the file manually"
with an OK and a Cancel button. I switched to the localized ODbgScript and localized StrongOD from the forum, and the PhantOm plugin is from the forum too; anyway, everything is from the forum, and OD is the 52pojie special edition. Unexpectedly, it worked.
I'm just a porter copying by the book, I don't know anything; thumbs up to everyone.
shendezuiai posted on 2021-12-21 10:09
> shendezuiai posted on 2021-12-21 09:18
> Re-download the latest versions of the plugins, the newer the better, or try several of them. Nothing more to say, thumbs up to everyone. I unpacked a few of the files in the mmt folder ...

Turns out it does not work: the original file extension is mt9, and only after renaming it to exe does it save automatically. Without the rename it prompts to save the data manually, and I have no idea how to save manually. Anyway, another day.