PC Guard for Win32 V5.0 DEMO 脫殼 ―― PCGWIN32.EXE 主程式
PC Guard for Win32 V5.0 DEMO 脫殼 ―― PCGWIN32.EXE 主程式
下載頁面: http://www.sofpro.com/downl.htm
軟體大小: 692 KB
釋出日期: by Blagoje Ceklic. 03.IX.2003.
【軟體簡介】:PC Guard for Win32 is a professional software protection and licensing system. With PC Guard for Win32 you can easily protect Windows 95/98/NT 32bit EXE/DLL applications from illegal distribution and reverse engineering . Even more, you don't need any source code editing or programming experience for this. Everything is fully automatic!
【作者宣告】:初學Crack,只是感興趣,沒有其他目的。失誤之處敬請諸位大俠賜教!
【除錯環境】:WinXP、Ollydbg1.09、PEiD、LordPE、ImportREC
―――――――――――――――――――――――――――――――――
【脫殼過程】:
用Ollydbg手動脫殼,老規矩:載入後彈出“是壓縮程式碼――要繼續進行分析嗎?”,點“否”。
設定Ollydbg忽略所有異常。下斷:BP LoadLibraryA F9執行,斷下!
00483000 FC cld
====>進入OD後斷在這!
77E605D8 837C24 04 00 cmp dword ptr ss:[esp+4],0
====>斷在這!繼續F9執行,不斷攔下!
77E605DD 53 push ebx
77E605DE 56 push esi
77E605DF 74 19 je short kernel32.77E605FA
77E605E1 68 9C5BE777 push kernel32.77E75B9C
77E605E6 FF7424 10 push dword ptr ss:[esp+10]
77E605EA FF15 9013E477 call dword ptr ds:[<&ntdll._strcmpi>]
77E605F0 85C0 test eax,eax
77E605F2 59 pop ecx
77E605F3 59 pop ecx
77E605F4 0F84 76AF0100 je kernel32.77E7B570
77E605FA 6A 00 push 0
77E605FC 6A 00 push 0
77E605FE FF7424 14 push dword ptr ss:[esp+14]
77E60602 E8 B1FFFFFF call kernel32.LoadLibraryExA
77E60607 5E pop esi
77E60608 5B pop ebx
77E60609 C2 0400 retn 4
確定彈出的“入口點預警”對話方塊,這時可以看見堆疊出現的這些DLL名。
0012FF28 0042D750 FileName = "COMCTL32.dll"
0012FF28 0042D774 FileName = "IMAGEHLP.dll"
0012FF28 0042DD74 FileName = "comdlg32.dll"
0012FF28 0042DE46 FileName = "VERSION.dll"
中斷4次,出現VERSION.dll。再F9兩次程式就執行啦,停!取消這個斷點!
――――――――――――――――――――――――
再下斷: BP GetProcAddress F9執行,斷下! 取消這個斷點!
77E5A5FD 55 push ebp
====>斷在這!CTRL+F9執行到返回
77E5A5FE 8BEC mov ebp,esp
77E5A600 51 push ecx
77E5A601 51 push ecx
77E5A602 53 push ebx
77E5A603 57 push edi
77E5A604 8B7D 0C mov edi,dword ptr ss:[ebp+C]
77E5A607 BB FFFF0000 mov ebx,0FFFF
77E5A60C 3BFB cmp edi,ebx
77E5A60E 0F86 6B83FFFF jbe kernel32.77E5297F
77E5A614 57 push edi
77E5A615 8D45 F8 lea eax,dword ptr ss:[ebp-8]
77E5A618 50 push eax
77E5A619 FF15 8012E477 call dword ptr ds:[<&ntdll.RtlInitString>]
77E5A61F 8D45 0C lea eax,dword ptr ss:[ebp+C]
77E5A622 50 push eax
77E5A623 6A 00 push 0
77E5A625 8D45 F8 lea eax,dword ptr ss:[ebp-8]
77E5A628 50 push eax
77E5A629 6A 00 push 0
77E5A62B FF75 08 push dword ptr ss:[ebp+8]
77E5A62E E8 B4F2FFFF call kernel32.77E598E7
77E5A633 50 push eax
77E5A634 E8 BEFFFFFF call <jmp.&ntdll.LdrGetProcedureAddress>
77E5A639 85C0 test eax,eax
77E5A63B 0F8C 5725FFFF jl kernel32.77E4CB98
77E5A641 6A 00 push 0
77E5A643 FF75 08 push dword ptr ss:[ebp+8]
77E5A646 E8 9CF2FFFF call kernel32.77E598E7
77E5A64B 3945 0C cmp dword ptr ss:[ebp+C],eax
77E5A64E 0F84 A1870200 je kernel32.77E82DF5
77E5A654 8B45 0C mov eax,dword ptr ss:[ebp+C]
77E5A657 5F pop edi
77E5A658 5B pop ebx
77E5A659 C9 leave
77E5A65A C2 0800 retn 8
====>返回到 0047DCE6
0047DCE6 0BC0 or eax,eax
0047DCE8 74 12 je short 0047DCFC
0047DCEA 5D pop ebp
0047DCEB 5F pop edi
0047DCEC 5E pop esi
0047DCED 5A pop edx
0047DCEE 59 pop ecx
0047DCEF 5B pop ebx
0047DCF0 C3 retn
====>返回到 0047DBD1
――――――――――――――――――――――――
0047DBD1 EB 01 jmp short 0047DBD4
====>返回到這裡!:-) 不用F7蝸牛般跟蹤,向下找RET
0047DBD3 898B BD3AF041 mov dword ptr ds:[ebx+41F03ABD],ecx
0047DBD9 009CEB 01D59DEB add byte ptr ds:[ebx+ebp*8+EB9DD501],bl
0047DBE0 010B add dword ptr ds:[ebx],ecx
0047DBE2 03BD 40384200 add edi,dword ptr ss:[ebp+423840]
0047DBE8 EB 01 jmp short 0047DBEB
0047DBEA E3 60 jecxz short 0047DC4C
0047DBEC E8 03000000 call 0047DBF4
0047DBF1 D2EB shr bl,cl
0047DBF3 0B58 EB or ebx,dword ptr ds:[eax-15]
0047DBF6 0148 40 add dword ptr ds:[eax+40],ecx
0047DBF9 EB 01 jmp short 0047DBFC
0047DBFB 35 FFE0E761 xor eax,61E7E0FF
0047DC00 89048F mov dword ptr ds:[edi+ecx*4],eax
0047DC03 EB 01 jmp short 0047DC06
0047DC05 89F7 mov edi,esi
0047DC07 8570 38 test dword ptr ds:[eax+38],esi
0047DC0A 42 inc edx
0047DC0B 0000 add byte ptr ds:[eax],al
0047DC0D 0000 add byte ptr ds:[eax],al
0047DC0F 04 9C add al,9C
0047DC11 EB 01 jmp short 0047DC14
0047DC13 D5 9D aad 9D
0047DC15 EB 01 jmp short 0047DC18
0047DC17 0B740B EB or esi,dword ptr ds:[ebx+ecx-15]
0047DC1B 01E3 add ebx,esp
0047DC1D EB 01 jmp short 0047DC20
0047DC1F D4 E8 aam 0E8
0047DC21 14 00 adc al,0
0047DC23 0000 add byte ptr ds:[eax],al
0047DC25 41 inc ecx
0047DC26 E9 24FFFFFF jmp 0047DB4F
0047DC2B B8 FFFFFFFF mov eax,-1
0047DC30 C3 retn
====>此處下斷!會節省不少時間。F9直接斷在這!
BTW:常有朋友問“你們怎麼知道這裡跳那裡不跳、此處該下斷彼處又不用下斷?”等等,偶只能很遺憾的回答:偶僅僅是菜鳥,偶也只知其然而不知其所以然。但偶知道的“此處下斷!會節省不少時間”是偶試了N次,有的甚至是花了數天的時間才實踐、總結出來的。由於水平低微,只能做到這一步了,請諸位見諒!
――――――――――――――――――――――――
0046F30C EB 01 jmp short 0046F30F
====>0047DC30返回到這裡!
0046F30F 60 pushad
0046F310 E8 03000000 call 0046F318
0046F318 58 pop eax
0046F319 EB 01 jmp short 0046F31C
0046F31C 40 inc eax
0046F31D EB 01 jmp short 0046F320
0046F320 FFE0 jmp eax
0046F316 EB 0B jmp short 0046F323
0046F323 61 popad
0046F324 85C0 test eax,eax
0046F326 9C pushfd
0046F327 EB 01 jmp short 0046F32A
0046F32A 9D popfd
0046F32B EB 01 jmp short 0046F32E
0046F32E 0F84 B0000000 je 0046F3E4
====>看到這個je 0046F3E4 向下找0046F3E4在其上面的JMP處下斷!
0046F3DF E9 6B240100 jmp 0048184F
====>在這下斷!F9斷下!呵呵,又偷了點巧 :-)
0046F3E4 B8 05000000 mov eax,5
====>在0046F3E4上面的JMP處下斷!
0048184F 8B85 48384200 mov eax,dword ptr ss:[ebp+423848]
00481855 EB 01 jmp short 00481858
00481858 8DB5 C72E4200 lea esi,dword ptr ss:[ebp+422EC7]
0048185E EB 01 jmp short 00481861
00481861 EB 01 jmp short 00481864
00481864 B9 98020000 mov ecx,298
00481869 60 pushad
0048186A E8 03000000 call 00481872
00481872 EB 01 jmp short 00481875
00481875 58 pop eax
00481876 EB 01 jmp short 00481879
00481879 40 inc eax
0048187A EB 01 jmp short 0048187D
0048187D FFE0 jmp eax
00481870 EB 0E jmp short 00481880
00481880 61 popad
00481881 0006 add byte ptr ds:[esi],al
00481883 EB 01 jmp short 00481886
00481886 EB 01 jmp short 00481889
00481889 D1C8 ror eax,1
0048188B EB 01 jmp short 0048188E
0048188E 4E dec esi
0048188F EB 01 jmp short 00481892
00481892 EB 01 jmp short 00481895
00481895 E2 EA loopd short 00481881
====>F4下去跳出LOOP
00481897 9C pushfd
00481898 EB 01 jmp short 0048189B
0048189B 9D popfd
0048189C EB 01 jmp short 0048189F
0048189F F7857038420000000020 test dword ptr ss:[ebp+423870],20000000
004818A9 0F85 85000000 jnz 00481934
00481934 81ED 4DF1B84A sub ebp,4AB8F14D
0048193A 9C pushfd
0048193B EB 01 jmp short 0048193E
0048193E 9D popfd
0048193F EB 01 jmp short 00481942
00481942 60 pushad
00481943 EB 01 jmp short 00481946
00481946 E8 15000000 call 00481960
00481960 2BFF sub edi,edi
00481962 60 pushad
00481963 E8 03000000 call 0048196B
0048196B EB 01 jmp short 0048196E
0048196E 58 pop eax
0048196F EB 01 jmp short 00481972
00481972 40 inc eax
00481973 EB 01 jmp short 00481976
00481976 FFE0 jmp eax
00481969 EB 0E jmp short 00481979
00481979 61 popad
0048197A 64:FF37 push dword ptr fs:[edi]
0048197D 9C pushfd
0048197E EB 01 jmp short 00481981
00481981 9D popfd
00481982 EB 01 jmp short 00481985
00481985 64:8927 mov dword ptr fs:[edi],esp
00481988 EB 01 jmp short 0048198B
0048198B EB 01 jmp short 0048198E
0048198E F1 int1
====>異常!看看堆疊區的第二條地址是 0048194B
0048194B EB 01 jmp short 0048194E
====>堆疊區的第二條地址 設斷 F9斷在此處
0048194E EB 01 jmp short 00481951
00481951 8B6424 08 mov esp,dword ptr ss:[esp+8]
00481955 EB 01 jmp short 00481958
00481958 EB 45 jmp short 0048199F
0048199F EB 01 jmp short 004819A2
004819A2 EB 01 jmp short 004819A5
004819A5 85E4 test esp,esp
004819A7 9C pushfd
004819A8 EB 01 jmp short 004819AB
004819AB 9D popfd
004819AC EB 01 jmp short 004819AF
004819AF 79 0C jns short 004819BD
004819BD 33C0 xor eax,eax
004819BF EB 01 jmp short 004819C2
004819C2 EB 01 jmp short 004819C5
004819C5 64:8F00 pop dword ptr fs:[eax]
004819C8 60 pushad
004819C9 E8 03000000 call 004819D1
004819D1 EB 01 jmp short 004819D4
004819D4 58 pop eax
004819D5 EB 01 jmp short 004819D8
004819D8 40 inc eax
004819D9 EB 01 jmp short 004819DC
004819DC FFE0 jmp eax
004819CF EB 0E jmp short 004819DF
004819DF 61 popad
004819E0 58 pop eax
004819E1 EB 01 jmp short 004819E4
004819E4 60 pushad
004819E5 E8 03000000 call 004819ED
004819ED 58 pop eax
004819EE EB 01 jmp short 004819F1
004819F1 40 inc eax
004819F2 EB 01 jmp short 004819F5
004819F5 FFE0 jmp eax
004819EB EB 0B jmp short 004819F8
004819F8 61 popad
004819F9 61 popad
004819FA 9C pushfd
004819FB EB 01 jmp short 004819FE
004819FE 9D popfd
004819FF EB 01 jmp short 00481A02
00481A02 81C5 4DF1B84A add ebp,4AB8F14D
00481A08 60 pushad
00481A09 E8 03000000 call 00481A11
00481A11 EB 01 jmp short 00481A14
00481A14 58 pop eax
00481A15 EB 01 jmp short 00481A18
00481A18 40 inc eax
00481A19 EB 01 jmp short 00481A1C
00481A1C FFE0 jmp eax
00481A0F EB 0E jmp short 00481A1F
00481A1F 61 popad
00481A20 8B85 48384200 mov eax,dword ptr ss:[ebp+423848]
00481A26 60 pushad
00481A27 E8 03000000 call 00481A2F
00481A2F EB 01 jmp short 00481A32
00481A32 58 pop eax
00481A33 EB 01 jmp short 00481A36
00481A36 40 inc eax
00481A37 EB 01 jmp short 00481A3A
00481A3A FFE0 jmp eax
00481A2D EB 0E jmp short 00481A3D
00481A3D 61 popad
00481A3E 3385 C42E4200 xor eax,dword ptr ss:[ebp+422EC4]
====>EAX=F253D0A0 XOR F2518C81=00025C21 這是OEP的偏移值
00481A44 9C pushfd
00481A45 EB 01 jmp short 00481A48
00481A4C 0385 40384200 add eax,dword ptr ss:[ebp+423840] ; PCGWIN32.00400000
====>EAX=00025C21 + 00400000=00425C21 這就是OEP值 :-)
00481A52 EB 01 jmp short 00481A55
00481A55 60 pushad
00481A56 E8 03000000 call 00481A5E
00481A5E 58 pop eax
00481A5F EB 01 jmp short 00481A62
00481A62 40 inc eax
00481A63 EB 01 jmp short 00481A66
00481A66 FFE0 jmp eax
00481A5C EB 0B jmp short 00481A69
00481A69 61 popad
00481A6A 8BA5 4C394200 mov esp,dword ptr ss:[ebp+42394C]
00481A70 9C pushfd
00481A71 EB 01 jmp short 00481A74
00481A74 9D popfd
00481A75 EB 01 jmp short 00481A78
00481A78 50 push eax
00481A79 60 pushad
00481A7A E8 03000000 call 00481A82
00481A82 EB 01 jmp short 00481A85
00481A85 58 pop eax
00481A86 EB 01 jmp short 00481A89
00481A89 40 inc eax
00481A8A EB 01 jmp short 00481A8D
00481A8D FFE0 jmp eax
00481A80 EB 0E jmp short 00481A90
00481A90 61 popad
00481A91 8B85 30394200 mov eax,dword ptr ss:[ebp+423930]
00481A97 9C pushfd
00481A98 EB 01 jmp short 00481A9B
00481A9B 9D popfd
00481A9C EB 01 jmp short 00481A9F
00481A9F 8BB5 40394200 mov esi,dword ptr ss:[ebp+423940]
00481AA5 60 pushad
00481AA6 E8 03000000 call 00481AAE
00481AAE EB 01 jmp short 00481AB1
00481AB1 58 pop eax
00481AB2 EB 01 jmp short 00481AB5
00481AB5 40 inc eax
00481AB6 EB 01 jmp short 00481AB9
00481AB9 FFE0 jmp eax
00481AAC EB 0E jmp short 00481ABC
00481ABC 61 popad
00481ABD 8BBD 44394200 mov edi,dword ptr ss:[ebp+423944]
00481AC3 9C pushfd
00481AC4 EB 01 jmp short 00481AC7
00481AC7 9D popfd
00481AC8 EB 01 jmp short 00481ACB
00481ACB 8B9D 34394200 mov ebx,dword ptr ss:[ebp+423934]
00481AD1 60 pushad
00481AD2 E8 03000000 call 00481ADA
00481ADA EB 01 jmp short 00481ADD
00481ADD 58 pop eax
00481ADE EB 01 jmp short 00481AE1
00481AE1 40 inc eax
00481AE2 EB 01 jmp short 00481AE5
00481AE5 FFE0 jmp eax
00481AD8 EB 0E jmp short 00481AE8
00481AE8 61 popad
00481AE9 8B8D 38394200 mov ecx,dword ptr ss:[ebp+423938]
00481AEF EB 01 jmp short 00481AF2
00481AF2 60 pushad
00481AF3 E8 03000000 call 00481AFB
00481AFB 58 pop eax
00481AFC EB 01 jmp short 00481AFF
00481AFF 40 inc eax
00481B00 EB 01 jmp short 00481B03
00481B03 FFE0 jmp eax
00481AF9 EB 0B jmp short 00481B06
00481B06 61 popad
00481B07 8B95 3C394200 mov edx,dword ptr ss:[ebp+42393C]
00481B0D 9C pushfd
00481B0E EB 01 jmp short 00481B11
00481B11 9D popfd
00481B12 EB 01 jmp short 00481B15
00481B15 8BAD 48394200 mov ebp,dword ptr ss:[ebp+423948]
00481B1B 60 pushad
00481B1C E8 03000000 call 00481B24
00481B24 EB 01 jmp short 00481B27
00481B27 58 pop eax
00481B28 EB 01 jmp short 00481B2B
00481B2B 40 inc eax
00481B2C EB 01 jmp short 00481B2F
00481B2F FFE0 jmp eax
00481B22 EB 0E jmp short 00481B32
00481B32 61 popad
00481B33 C3 retn
====>飛向光明之巔! 返回至 00425C21
――――――――――――――――――――――――
00425C21 55 push ebp
====>在這兒用LordPE糾正ImageSize後完全DUMP這個程式
00425C22 8BEC mov ebp,esp
00425C24 6A FF push -1
00425C26 68 A8CF4200 push 42CFA8
00425C2B 68 289B4200 push 429B28
00425C30 64:A1 00000000 mov eax,dword ptr fs:[0]
00425C36 50 push eax
00425C37 64:8925 00000000 mov dword ptr fs:[0],esp
00425C3E 83EC 58 sub esp,58
00425C41 53 push ebx
00425C42 56 push esi
00425C43 57 push edi
00425C44 8965 E8 mov dword ptr ss:[ebp-18],esp
00425C47 FF15 08C14200 call dword ptr ds:[42C108] ; kernel32.GetVersion
―――――――――――――――――――――――
執行ImportREC,選擇這個程式。把OEP改為00025C21,點IT AutoSearch,點“Get Import”,有2個函式無效。奇怪,不能用“追蹤層次2、3”修復,否則PC Guard自動退出!如果CUT掉則修復的程式可以執行,但是退出時會非法操作。呵呵,試著將其改為:kernel32.dll ExitProcess FixDump,正常執行!VC++ 6.0 編寫,576K->612K 重建PE後是564K
―――――――――――――――――――――――――――――――――
☆☆☆☆☆☆☆☆☆ ☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
☆☆☆☆☆☆☆☆☆☆ 再簡化一下上面的脫殼步驟,呵呵,能省就省吧!:-) ☆☆☆☆☆☆☆☆☆☆
☆☆☆☆☆☆☆☆☆ ☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
設定Ollydbg忽略除了“單步中斷”之外的所有異常。
00483000 FC cld
====>進入OD後斷在這!F9執行,斷下!
004836D8 EB 01 jmp short PCGWIN32.004836DB
====>第1個單步異常
SHIFT+F9 通過異常,不用記下次數,呵呵,直到程式彈出一系列的“入口點預警”就停下!
把那些對話方塊一一確定之。呵呵,看看偶現在停在什麼地方? :-)
0048198F EB 01 jmp short 00481992
====>停在這個單步異常的地方
看看堆疊:
0012FF24 0012FFE0 指標到下一個 SEH 記錄
0012FF28 0048194B SE 控制程式碼 //呵呵,這是什麼?
0048194B就是 0048198E int1 異常的堆疊區的第二條地址!!:-) 又快了點,接下來就可以找OEP了!
―――――――――――――――――――――――――――――――――
以上的脫殼過程是針對 PC Guard for Win32 V5.0 DEMO 版的PCGWIN32.EXE主程式,而不是那種沒有KEY就無法執行的保護型別的加殼程式。偶也簡單測試了一下,以上尋找OEP的過程同樣適用於用這個版本加殼的其他同類程式!當然有些地方是不可能完全一樣的,有興趣的朋友可以自己測試。
這個帖子是偶在 看雪論壇 的第 1000 個帖子,謹以此篇簡單的脫殼筆記留個簡單的紀念。:-)
―――――――――――――――――――――――――――――――――
, _/
/| _.-~/ _ , 青春都一餉
( /~ / ~-._ |
`\ _/ ~ ) 忍把浮名
_-~~~-.) )__/;;,. _ //'
/'_, --~ ~~~- ,;;___( (.-~~~-. 換了破解輕狂
`~ _( ,_..-- ( ,;'' / ~-- /._`
/~~//' /' `~ ) /--.._, )_ `~
" `~" " `" /~'` `\~~
" " "~' ""
Cracked By 巢水工作坊――fly [OCN][FCG]
2003-10-26 00:00
相關文章
- SoftDefender主程式脫殼2015-11-15
- 偽 SVK Protector 1.32 脫殼+修復――SVK Protector
DEMO 1.32 主程式2015-11-15
- International CueClub主程式脫殼(Softwrap殼)2004-09-12
- ExeStealth 常用脫殼方法 + ExeStealth V2.72主程式脫殼2015-11-15
- Armadillo 3.6主程式脫殼2015-11-15
- EncryptPE
2003.5.18 主程式脫殼2004-06-19
- 部份軟體的脫殼(Upx 0.72-1.0x,PC Guard,Telock,PECompact)
(4千字)2001-02-02
- 壹次脫殼法――Armadillo 雙程式標準殼 快速脫殼2015-11-15
- Alex
Protector V1.0 脫殼――alexprot.exe 主程式2004-10-17
- XcR V0.11 脫殼――XcR.ExE 主程式2015-11-15
- DAEMON Protect 0.6.7脫殼――protect beta-last.exe主程式2015-11-15AST
- 用Ollydbg快速手脫Krypton 0.5加殼程式――Krypton主程式
等2015-11-15
- Lock98主程式脫殼筆記 (1千字)2015-11-15筆記
- PeX V0.99b脫殼――PeX.exe主程式2015-11-15
- VGCrypt PE Encryptor V0.75脫殼――Vgcrypt.exe
主程式2015-11-15GC
- 用Arm3.75加殼的cc
版+iat亂序主程式的脫殼 (1)2004-10-02
- 幻影 V2.33 脫殼+修復――dbpe.exe主程式2015-11-15
- Visual Protect V3.54 脫殼 ―― VisualProtect.exe
主程式2015-11-15
- 脫殼----對用pecompact加殼的程式進行手動脫殼
(1千字)2000-07-30
- 殼的工作原理脫殼2013-04-10
- 對Crunch v1.1主程式檔案的脫殼方法 ---ljtt2000-11-30
- Protection Plus V4.X 脫殼――SoftwareKey V1.1 主程式2015-11-15
- [翻譯]利用程式碼注入脫殼2015-11-15
- VBExplorer.exe脫殼教程
附脫殼指令碼2015-11-15指令碼
- ACProtect 1.21專業版主程式的脫殼2015-11-15
- 明月幾時有――ASProtect
V1.31 build 06.14主程式 脫殼2004-10-01UI
- ASProtect 1.23 SDK之 Aspack2.12r 主程式脫殼去暗樁2015-11-15
- 以殼解殼--SourceRescuer脫殼手記破解分析2004-11-16
- Krypton
0.5加殼程式脫殼及輸入表修復記2004-10-06
- Armadillo V3.6雙程式標準殼 ------神速脫殼大法2015-11-15
- 脫殼----對用Petite2.2加殼的程式進行手動脫殼的一點分析
(5千字)2000-07-27
- 脫殼基本知識2015-11-15
- 脫中國遊戲中心大廳程式的殼2000-10-08遊戲
- iOS逆向學習之五(加殼?脫殼?)2019-10-10iOS
- 先分析,再脫殼(一)2003-09-04
- IconEdit2
脫殼2002-03-28
- iRider.exe
2.20BETA主程式脫殼 Armadillo 1.xx - 2.xx2004-07-30IDE
- 十、iOS逆向之《越獄砸殼/ipa脫殼》2021-03-18iOS