thisistest Posted December 13, 2008 Posted December 13, 2008 Process ID : 3596 Set BreakPoint On VirtualProtect Virtual Protect Address : 7C801AD0 First Patch Address : 008D204 Second Patch Address : 008D264_unpackme_Armadillo6.2.4.624.rar
Ziggy Posted December 13, 2008 Posted December 13, 2008 Here is a keygen for the unpackme 6.24UnpackmeV624_keygen.rarZiggy
ghandi Posted December 13, 2008 Posted December 13, 2008 Nice! No chance of a tutorial explaining how you coded the keygen Ziggy?HR,Ghandi
leimer Posted December 14, 2008 Posted December 14, 2008 (edited) Snd is wroxxxx! Edited December 14, 2008 by leimer
quosego Posted December 16, 2008 Posted December 16, 2008 wooh that's just creepy... Oddly enough he looks like a guy I know.. (Without the costume of course. )
Teddy Rogers Posted December 17, 2008 Posted December 17, 2008 Oddly enough he looks like a guy I know.. (Without the costume of course. With other clothes on I hope... Ted.
thisistest Posted January 9, 2009 Author Posted January 9, 2009 注册key后载入程序0106B000 > 60 PUSHAD0106B001 E8 00000000 CALL Armadill.0106B0060106B006 5D POP EBP0106B007 50 PUSH EAX0106B008 51 PUSH ECX0106B009 0FCA BSWAP EDX0106B00B F7D2 NOT EDX0106B00D 9C PUSHFD0106B00E F7D2 NOT EDXbp OpenMutexA0006F718 01032C09 /CALL 到 OpenMutexA 来自 Armadill.01032C030006F71C 001F0001 |Access = 1F00010006F720 00000000 |Inheritable = FALSE0006F724 0006FD5C \MutexName = "A7C::DA7AF5CD59"0006F728 000000000006F718 01033002 /CALL 到 OpenMutexA 来自 Armadill.01032FFC0006F71C 001F0001 |Access = 1F00010006F720 00000000 |Inheritable = FALSE0006F724 0006FD5C \MutexName = "A7C::DA7AF5CD59"01033002 85C0 TEST EAX,EAX01033004 0F85 FE010000 JNZ Armadill.01033208 /////////////0103300A 6A 01 PUSH 10103300C FF15 88B00701 CALL DWORD PTR DS:[<&KERNEL32.GetCurrent>; kernel32.GetCurrentThread01033012 50 PUSH EAX01033013 FF15 84B00701 CALL DWORD PTR DS:[<&KERNEL32.SetThreadP>; kernel32.SetThreadPriority01033019 C685 57F9FFFF 0>MOV BYTE PTR SS:[EBP-6A9],001033020 68 68DF0701 PUSH Armadill.0107DF68 ; ASCII "Kernel32"01033025 FF15 7CB00701 CALL DWORD PTR DS:[<&KERNEL32.LoadLibrar>; kernel32.LoadLibraryA0103302B 8985 50F9FFFF MOV DWORD PTR SS:[EBP-6B0],EAX01033031 83BD 50F9FFFF 0>CMP DWORD PTR SS:[EBP-6B0],001033038 74 32 JE SHORT Armadill.0103306C0103303A 68 54DF0701 PUSH Armadill.0107DF54 ; ASCII "IsDebuggerPresent" ///////////////0103303F 8B8D 50F9FFFF MOV ECX,DWORD PTR SS:[EBP-6B0]01033045 51 PUSH ECX01033046 FF15 74B00701 CALL DWORD PTR DS:[<&KERNEL32.GetProcAdd>; kernel32.GetProcAddress0103304C 8985 B4F8FFFF MOV DWORD PTR SS:[EBP-74C],EAXbp VirtualProtect0006F640 01032777 /CALL 到 VirtualProtect 来自 Armadill.010327710006F644 008F1000 |Address = 008F10000006F648 000B022C |Size = B022C (721452.)0006F64C 00000040 |NewProtect = PAGE_EXECUTE_READWRITE0006F650 0006F674 \pOldProtect = 0006F6740006F654 01031E5A 返回到 Armadill.01031E5A 来自 Armadill.0104B8C4000691F8 009692A1 /CALL 到 VirtualProtect 来自 0096929B000691FC 01001000 |Address = Armadill.0100100000069200 00008000 |Size = 8000 (32768.)00069204 00000004 |NewProtect = PAGE_READWRITE00069208 0006C014 \pOldProtect = 0006C014000691F8 0096A16F /CALL 到 VirtualProtect 来自 0096A169000691FC 01001020 |Address = Armadill.0100102000069200 00000008 |Size = 800069204 00000004 |NewProtect = PAGE_READWRITE00069208 0006BED8 \pOldProtect = 0006BED80006920C DB70EB6B00069210 C56A94840096A16F 6A 14 PUSH 140096A171 E8 68100100 CALL 0097B1DE0096A176 83C4 04 ADD ESP,40096A179 8985 C0AAFFFF MOV DWORD PTR SS:[EBP+FFFFAAC0],EAX0096A17F C745 FC 0300000>MOV DWORD PTR SS:[EBP-4],30096A186 83BD C0AAFFFF 0>CMP DWORD PTR SS:[EBP+FFFFAAC0],00096A18D 74 59 JE SHORT 0096A1E80096A18F 8B0D 945C9C00 MOV ECX,DWORD PTR DS:[9C5C94]0096A195 898D FCA8FFFF MOV DWORD PTR SS:[EBP+FFFFA8FC],ECX0096A19B 8B95 68D8FFFF MOV EDX,DWORD PTR SS:[EBP-2798]0096A1A1 0395 64D3FFFF ADD EDX,DWORD PTR SS:[EBP-2C9C]0096A1A7 8B85 C0AAFFFF MOV EAX,DWORD PTR SS:[EBP+FFFFAAC0]0096A1AD 8910 MOV DWORD PTR DS:[EAX],EDX0096A1AF 8B8D 88D4FFFF MOV ECX,DWORD PTR SS:[EBP-2B78]0096A3FD 68 00010000 PUSH 1000096A402 8D95 2CC1FFFF LEA EDX,DWORD PTR SS:[EBP-3ED4]0096A408 52 PUSH EDX0096A409 8B85 2CC2FFFF MOV EAX,DWORD PTR SS:[EBP-3DD4]0096A40F 8B08 MOV ECX,DWORD PTR DS:[EAX]0096A411 51 PUSH ECX0096A412 E8 0981F8FF CALL 008F2520 /////////////008F251A C3 RETN008F251B CC INT3008F251C CC INT3008F251D CC INT3008F251E CC INT3008F251F CC INT3008F2520 55 PUSH EBP ///////////008F2521 8BEC MOV EBP,ESP008F2523 83EC 2C SUB ESP,2C008F2526 833D C0A49B00 0>CMP DWORD PTR DS:[9BA4C0],0008F252D 75 59 JNZ SHORT 008F2588008F252F C745 EC 53CAECB>MOV DWORD PTR SS:[EBP-14],B2ECCA53Bp CreateThread008AFDA0 77E67695 /CALL 到 CreateThread 来自 RPCRT4.77E6768F008AFDA4 00000000 |pSecurity = NULL008AFDA8 00000000 |StackSize = 0008AFDAC 77E56BF9 |ThreadFunction = RPCRT4.77E56BF9008AFDB0 000BCD70 |pThreadParm = 000BCD70008AFDB4 00000000 |CreationFlags = 0008AFDB8 008AFDC8 \pThreadId = 008AFDC80006F6C0 0094258C /CALL 到 CreateThread 来自 009425860006F6C4 00000000 |pSecurity = NULL0006F6C8 00000000 |StackSize = 00006F6CC 00943630 |ThreadFunction = 009436300006F6D0 00000000 |pThreadParm = NULL0006F6D4 00000000 |CreationFlags = 00006F6D8 0006F6E4 \pThreadId = 0006F6E40094258C 50 PUSH EAX0094258D FF15 84229A00 CALL DWORD PTR DS:[9A2284] ; kernel32.CloseHandle00942593 5E POP ESI00942594 5B POP EBX00942595 8BE5 MOV ESP,EBP00942597 5D POP EBP00942598 C3 RETN ///////00942599 CC INT30096FD8F 83C4 04 ADD ESP,40096FD92 B9 30B49B00 MOV ECX,9BB4300096FD97 E8 D4CAF8FF CALL 008FC8700096FD9C 0FB6C8 MOVZX ECX,AL0096FD9F 85C9 TEST ECX,ECX0096FDA1 74 0C JE SHORT 0096FDAF0096FDA3 6A 01 PUSH 10096FDA5 B9 30B49B00 MOV ECX,9BB4300096FDAA E8 91CFF9FF CALL 0090CD408B 45 F4 2B 45 DC FF D00096FE8F 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]0096FE92 2B45 DC SUB EAX,DWORD PTR SS:[EBP-24]0096FE95 FFD0 CALL EAX ; Armadill.0100739D0096FE97 8945 FC MOV DWORD PTR SS:[EBP-4],EAX0096FE9A 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]0100739D 6A 70 PUSH 70 /////////0100739F 68 98180001 PUSH Armadill.01001898010073A4 E8 BF010000 CALL Armadill.01007568010073A9 33DB XOR EBX,EBX010073AB 53 PUSH EBX010073AC 8B3D CC100001 MOV EDI,DWORD PTR DS:[10010CC] ; kernel32.GetModuleHandleA010073B2 FFD7 CALL EDI010073B4 66:8138 4D5A CMP WORD PTR DS:[EAX],5A4D010073B9 75 1F JNZ SHORT Armadill.010073DA010073BB 8B48 3C MOV ECX,DWORD PTR DS:[EAX+3C]010073BE 03C8 ADD ECX,EAX010073C0 8139 50450000 CMP DWORD PTR DS:[ECX],4550010073C6 75 12 JNZ SHORT Armadill.010073DA
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now