
DOS unpacking article (English)

Time: 2004/10/15 0:58:00  Source: compiled by this site  Author: 蓝点

Theme: How to use TR to unpack DOS exe-packers, by GustawKit
Tool: The SUPER TRACER Version 2.50 (http://www.netease.com/~ayliutt)
PKLite v1.50:
tr pk150.exe


    PUSH      AX                      ;2978:0100  50              
    MOV      AX,01B9                  ;2978:0101  B8B901          
    MOV      DX,000B                  ;2978:0104  BA0B00          
    ADD      AX,2988                  ;2978:0107  058829          
    CMP      AX,[0002]                ;2978:010A  3B060200        
    JB        013A                    ;2978:010E  722A            
    MOV      AH,09                    ;2978:0110  B409            
    MOV      DX,011C                  ;2978:0112  BA1C01          
    INT      21                      ;2978:0115  CD21            
    MOV      AX,4C01                  ;2978:0117  B8014C          
    ..................
    ..................
    PUSH      CX                      ;2978:0140  51              
    SUB      AX,0019                  ;2978:0141  2D1900    ---> AX = 2B08
    MOV      ES,AX                    ;2978:0144  8EC0            address of the unpacked part
    PUSH      AX                      ;2978:0146  50              
    MOV      CX,00C5                  ;2978:0147  B9C500          
    XOR      DI,DI                    ;2978:014A  33FF            
    PUSH      DI                      ;2978:014C  57              
    MOV      SI,0154                  ;2978:014D  BE5401          
    CLD                                ;2978:0150  FC              
    REPZ                              ;2978:0151  F3              
    MOVSW                              ;2978:0152  A5              
    RETF                              ;2978:0153  CB      



From PUSH AX at 2978:0100 we trace down to the RETF at 2978:0153; break on this first RETF, run, and step over it with F8:
bpx RETF(1) g
F8


here:
    STD                                ;2B08:0000  FD              
    MOV      BX,DS                    ;2B08:0001  8CDB            
    PUSH      BX                      ;2B08:0003  53              
    ADD      BX,2E                    ;2B08:0004  83C32E          
    NOP                                ;2B08:0007  90              
    ADD      BX,DX                    ;2B08:0008  03DA            
    MOV      BP,CS                    ;2B08:000A  8CCD            
    MOV      AX,DX                    ;2B08:000C  8BC2            
    AND      AH,0F                    ;2B08:000E  80E40F          
    MOV      CL,04                    ;2B08:0011  B104            
    MOV      SI,DX                    ;2B08:0013  8BF2            
    SHL      SI,CL                    ;2B08:0015  D3E6            
    ...................
    ...................
    XOR      BX,BX                    ;2B08:0155  33DB            
    MOV      CX,BX                    ;2B08:0157  8BCB            
    MOV      DX,BX                    ;2B08:0159  8BD3            
    MOV      BP,BX                    ;2B08:015B  8BEB            
    MOV      SI,BX                    ;2B08:015D  8BF3            
    MOV      DI,BX                    ;2B08:015F  8BFB            
    RETF                              ;2B08:0161  CB    


bpx RETF(2) g
F8


here:
    PUSH      AX                      ;2988:0000  50  ---> OEP
    PUSH      BX                      ;2988:0001  53              
    MOV      AX,DS                    ;2988:0002  8CD8            
    MOV      BX,CS                    ;2988:0004  8CCB            
    SUB      BX,10                    ;2988:0006  83EB10          
    CMP      AX,BX                    ;2988:0009  3BC3            
    JNE      0016                    ;2988:000B  7509            
    MOV      AX,2988                  ;2988:000D  B88829          
    MOV      DS,AX                    ;2988:0010  8ED8            
    INC      [BYTE 00A7]              ;2988:0012  FE06A700        
    MOV      AX,2988                  ;2988:0016  B88829          
    MOV      DS,AX                    ;2988:0019  8ED8            
    POP      BX                      ;2988:001B  5B              
    POP      AX                      ;2988:001C  58


OK! We have found the application's OEP here, so we do:
EXE1
RELOAD
pret
pret
t
WEXE1



EXE2
RELOAD
pret
pret
t
WEXE2
q


We get two files like these:
mem1.dat  mem2.dat


Exit TR 2.5 and return to DOS:
run mkexe; it reads the two files and produces something like mem.exe (the unpacked program).


Or we let TR 2.5 do it automatically:
exe1
reload
goknl count    (count: how many times it is packed? here: 1)
wexe1
exe2
reload
goknl count
wexe2
q


then also run mkexe.exe as above.


WWPack:
tr wwpack.exe, and we are here:
    CALL      0143                    ;2D88:000F  E83101          
    CMP      CX,DX                    ;2D88:0012  39D1            
    SUB      [BYTE DI+0031],82        ;2D88:0014  826D3182        
    XCHG      AX,DX                    ;2D88:0018  92              
    OR        [WORD DI+8248],6A        ;2D88:0019  838D48826A      
    INC      DI                      ;2D88:001E  47              
    STOSB                              ;2D88:001F  AA              
    XCHG      AX,SI                    ;2D88:0020  96              
    ADC      [WORD SI+BP+6596],8F6B  ;2D88:0021  819296656B8F
    MOV      AX,0024                  ;2CFE:0001  B82400          
    MOV      DX,CS                    ;2CFE:0004  8CCA            
    ADD      DX,AX                    ;2CFE:0006  03D0            
    MOV      CX,CS                    ;2CFE:0008  8CC9            
    ADD      CX,0087                  ;2CFE:000A  81C18700        
    PUSH      CX                      ;2CFE:000E  51              
    ......................
    REPZ                              ;2CFE:0031  F3              
    MOVSW                              ;2CFE:0032  A5              
    DEC      AX                      ;2CFE:0033  48              
    JNS      0024                    ;2CFE:0034  79EE            
    MOV      DS,BP                    ;2CFE:0036  8EDD            
    PUSH      CS                      ;2CFE:0038  0E              
    POP      ES                      ;2CFE:0039  07              
    XOR      DI,DI                    ;2CFE:003A  33FF            
    MOV      SI,0008                  ;2CFE:003C  BE0800          
    RETF                              ;2CFE:003F  CB  ---> F8
Note: at CS:017D we can find another RETF!


here:
    PUSH      AX                      ;2988:0000  50              
    PUSH      BX                      ;2988:0001  53              
    MOV      AX,DS                    ;2988:0002  8CD8            
    MOV      BX,CS                    ;2988:0004  8CCB            
    SUB      BX,10                    ;2988:0006  83EB10          
    CMP      AX,BX                    ;2988:0009  3BC3            
    JNE      0016                    ;2988:000B  7509            
    MOV      AX,2988                  ;2988:000D  B88829          
    MOV      DS,AX                    ;2988:0010  8ED8            
    INC      [BYTE 00A7]              ;2988:0012  FE06A700        
    MOV      AX,2988                  ;2988:0016  B88829          
    MOV      DS,AX                    ;2988:0019  8ED8            
    POP      BX                      ;2988:001B  5B              
    POP      AX                      ;2988:001C  58  


do:
EXE1
RELOAD
pret
g 17d
t
pret
WEXE1


EXE2
RELOAD
g 17d
t
pret
WEXE2


GustawKit [CrackPl]
The tutorial is Polish!
translator: peterdocter
group: FCG



peterdocter:
OK! Tips for unpacking DOS programs:
1. tr *.exe or *.com
2. Find two or more PRETs and press F8
3. Note: we can find something like "REPZ" at the first PRET
4. OEP signature:
    PUSH      AX                                    
    PUSH      BX  
    then, tracing further:
    POP      BX                                    
    POP      AX                      
5. At the PUSH AX, do:
EXE1
RELOAD
pret
pret
t
WEXE1


EXE2
RELOAD
pret
pret
t
WEXE2
q


run mkexe


and
exe1
reload
goknl count
wexe1
exe2
reload
goknl count
wexe2
q


or
EXE1
RELOAD
pret
g CS:xxx
t
pret
WEXE1


EXE2
RELOAD
g CS:xxx
t
pret
WEXE2
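The rebuild step that both the PKLite walkthrough (mkexe reading mem1.dat and mem2.dat) and tip 5 above end with, as an added Python example that is not mkexe's or the page's own code. It assumes the two dumps are the same unpacked image as loaded at two different segments (one reading of what EXE1/RELOAD/EXE2 produce), recovers the segment fixups by diffing them, and writes an MZ header with a relocation table; the sample bytes are constructed from the OEP listing above.

```python
"""Rebuild a DOS MZ .exe from two dumps of the same unpacked program.  Added
example, not mkexe's code; assumes the dumps are the image loaded at two segments."""
import struct

MZ_HDR = "<2sHHHHHHHHHHHHH"  # 28-byte header: signature, e_cblp .. e_ovno
# Constructed sample from the OEP listing on the page (2988:0000-001C); the two
# "MOV AX,2988" immediates are the segment fixups.  Same code as if at 2A88:
DUMP_2988 = bytes.fromhex("50538CD88CCB83EB103BC37509B888298ED8FE06A700B888298ED85B58")
DUMP_2A88 = DUMP_2988.replace(b"\x88\x29", b"\x88\x2A")

def recover_relocations(dump1, seg1, dump2, seg2):
    """Return (image, offsets): image with fixups undone (segments relative to
    load segment 0) and the byte offset of every relocated word."""
    if len(dump1) != len(dump2) or seg1 == seg2:
        raise ValueError("need equal-length dumps taken at different segments")
    delta = (seg2 - seg1) & 0xFFFF
    word = lambda d, o: struct.unpack_from("<H", d, o)[0]
    image, relocs, off = bytearray(dump1), [], 0
    while off < len(dump1):
        if dump1[off] == dump2[off]:
            off += 1
            continue
        # The first changed byte is the fixup word's low byte, or its high byte
        # when delta's low byte is zero; any other difference is not a fixup.
        start = next((s for s in (off, off - 1) if 0 <= s < len(dump1) - 1
                      and (word(dump2, s) - word(dump1, s)) & 0xFFFF == delta), None)
        if start is None:
            raise ValueError(f"difference at {off:#x} is not a segment fixup")
        struct.pack_into("<H", image, start, (word(dump1, start) - seg1) & 0xFFFF)
        relocs.append(start)
        off = start + 2
    return bytes(image), relocs

def build_mz_exe(image, relocs, cs, ip, ss, sp, min_alloc=0):
    """Prepend an MZ header plus relocation table; cs/ss are load-relative."""
    table = b"".join(struct.pack("<HH", o & 0xF, o >> 4) for o in relocs)
    paras = (28 + len(table) + 15) // 16  # header size in 16-byte paragraphs
    total = paras * 16 + len(image)
    header = struct.pack(MZ_HDR, b"MZ", total % 512, (total + 511) // 512,
                         len(relocs), paras, min_alloc, 0xFFFF, ss, sp, 0,
                         ip, cs, 28, 0)
    return header + table + bytes(paras * 16 - 28 - len(table)) + image

def parse_mz_exe(exe):
    """Read the header back: load image, entry CS:IP, stack and fixup offsets."""
    f = struct.unpack_from(MZ_HDR, exe, 0)
    pairs = [struct.unpack_from("<HH", exe, f[12] + 4 * i) for i in range(f[3])]
    return {"image": exe[f[4] * 16:(f[2] - 1) * 512 + (f[1] or 512)], "cs": f[11],
            "ip": f[10], "ss": f[7], "sp": f[8], "relocs": [s * 16 + o for o, s in pairs]}
```

Running recover_relocations on the two sample dumps yields fixups at offsets 14 and 23, the immediates of the two MOV AX,2988 instructions; the rebuilt file loads at any segment because DOS re-applies those fixups from the table.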


The Chinese version will be added when I have time; I haven't used English for a long time, so I don't know whether you can understand it?
Corrections and suggestions for better methods are welcome.

