Unpacking packed EXE and DLL files

xiaoxiao  2021-03-06

This happens because the file has been processed by an executable compressor (a "packer"), so before the file can be localized the packer has to be removed and the file decompressed. This kind of compression is different from everyday tools such as WinZip and WinRAR: a WinZip archive cannot be run directly, whereas an EXE compressed by an executable packer can still be run. The packer compresses the contents of the file and attaches a small decompression stub to it. When the file is executed, the stub first decompresses and restores the program, entirely in memory, and because the computer is fast we hardly notice any difference. Many programs are shipped this way, for example BAT, ACDSee and WinXFile. Compression packing of this kind counts as a form of software protection. More and more software is packed nowadays, which causes us a lot of inconvenience, so software localization enthusiasts have to learn and master this skill.

Unpacking is generally divided into manual and automatic. Manual unpacking is done with debugging tools such as TRW2000, TR and SoftICE; it demands a certain level of skill and involves a lot of assembly language and software debugging knowledge. Automatic unpacking uses dedicated unpacking tools, most often decompressors written by the authors of the compression software themselves. Some compression tools can unpack their own output, such as UPX; others do not provide this function, for example ASPack, for which UnAspack is needed. Their advantage is simplicity; their drawback is that each one is not general and works only on its own packer. Beyond these there are dedicated unpacking tools; the most popular is ProcDump V1.62, which can handle files compressed by many different packers. Below I introduce some general methods and tools, and I hope they help everyone.

Detecting the packer type: we know the file has been processed by some packer. Next we have to work out the name and version of the packing software, because different packers, and even different versions of the same packer, need different unpacking methods. There are many tools for identifying the packer type. The one I introduce here is FileBase for Executable (FI for short), a file format analyzer. Besides detecting the packer it has many other functions, which we will meet in later localization tutorials. Because FI is a DOS command-line program, you run it from the address bar of "My Computer" (if you have not upgraded to IE 4.0 or later, you may have to use "Start" - "Run"). The procedure is as follows: first copy the file to be analyzed into the FI directory, make sure you are in that directory, and then enter the following command in the "My Computer" address bar: fi filename.extension (for example: fi ACDSee.exe). The output appears as follows (see figure): oh, it turns out to be packed with ASPack 1.804 :-) Once we know what the file is packed with, we can choose different tools and methods to unpack it. Below are the packers we often encounter in software, together with simple unpacking measures, for your reference :-)

(1) ASPack: unpack with UnAspack or PEDump32.
(2) ASProtect (from the ASPack family): much foreign software currently uses it; unpacking needs SoftICE and IceDump and requires certain expertise, and for the latest version there is no way yet.

(3) UPX: can be unpacked with UPX itself using the -d option, but take care that the version matches.
(4) Armadillo: can be unpacked with SoftICE and IceDump; rather troublesome.
(5) DBPE: a domestic (Chinese) encryption tool; the new version cannot be unpacked yet, but it can be cracked.
(6) NeoLite: can unpack its own output.
(7) PCGuard: can be unpacked with SoftICE, IceDump and FrogsICE.
(8) PECompact: unpack with SoftICE together with PEDump32; no expert knowledge is needed.
(9) Petite: some old versions can be unpacked with PEDump32; for new versions SoftICE and IceDump are needed, which requires certain expertise.
(10) WWPack32: like PECompact, some old versions can be unpacked with PEDump32, but sometimes the resources cannot be modified afterwards and the file cannot be localized, so it is best to use SoftICE together with PEDump32.

The general-purpose unpacker we usually use is ProcDump32. It is a powerful unpacker that can remove most packers, and its script feature makes it easy to unpack files that use a particular packer. I have chosen the ProcDump tutorial written by Yang Guanzhong of Jiexun Chinese Tiandi; it is very good and is appended here:

------------ Yang Guanzhong's article ------------ (start) ------------

The two executable analysis tools above tell us that TPM 1.0 is packed with UPX 0.70; by the way, the ACDSee32 version 2.42 from last time is packed with ASPack 1.803, and Mass Downloader V1.2.62 Beta 2 is packed with ASPack 1.804d. Now we open the main program of ProcDump32.

5. Click the "Unpack" button and the following dialog box pops up: set the unpacking mode to UPX, then click OK. Select the program to unpack, TPM.exe, and click the "Open" button; the following appears: at this point ProcDump automatically opens TPM and analyzes it in order to handle its packer. Be sure to wait until TPM is fully loaded before clicking the "OK" button, otherwise you will have to start over. After clicking "OK" the following appears, and the opened TPM is closed automatically: click the "Save" button and save it as newtpm.exe. newtpm.exe is the file we need; now you can do whatever you like with it. How simple. That concludes this part.

Actually you can also use ProcDump's built-in unpacking function to unpack TPM directly, without first using GTW 2.51 and FileBase for Executable 2.10 to identify the file to be processed, but the success rate of this is much lower. The method: 1. Open TPM before opening ProcDump, then open ProcDump and select the TPM process in the ProcDump window, as shown below. After the full dump has been saved, the following box pops up for you to choose the name of the file to save; write a name and save it, and you get the unpacked program that you need to localize.
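The "identify the packer before unpacking" step described above, together with the explanation that a packer leaves a stub which decompresses the program into memory, can be checked on a file without a DOS-era tool. The following Python script is an added example written for this page; it is not code from the original article, from FI or from ProcDump. It walks the PE section table and applies the heuristics a packer identifier relies on: known packer section names (the UPX and ASPack names in the table are the real ones those packers write; the table is deliberately short and is an assumption beyond that), a section that is empty on disk but reserves a large virtual range for the decompressed code, high entropy of a section's raw bytes, and an entry point that lies in the last section, where packers put their stub. The two sample images are constructed inline by the helper build_sample_pe and are header-plus-sections test data only, not runnable programs.

```python
import math
import struct

# Section names that well-known packers leave in the section table. UPX and ASPack
# are the packers discussed above; the table is a starting point, not exhaustive.
PACKER_SECTION_NAMES = {
    b"UPX0": "UPX", b"UPX1": "UPX", b"UPX2": "UPX",
    b".aspack": "ASPack", b".adata": "ASPack",
}

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: compressed or encrypted data sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def parse_sections(pe: bytes):
    """Walk the DOS header, PE signature, COFF header and section table.
    Returns (entry_point_rva, list of section dicts)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections, = struct.unpack_from("<H", pe, coff + 2)
    opt_size, = struct.unpack_from("<H", pe, coff + 16)
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    entry_rva, = struct.unpack_from("<I", pe, opt + 16)   # AddressOfEntryPoint
    sections = []
    for i in range(num_sections):
        hdr = opt + opt_size + i * 40                     # IMAGE_SECTION_HEADER is 40 bytes
        name = pe[hdr:hdr + 8].rstrip(b"\0")
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", pe, hdr + 8)
        sections.append({"name": name, "vaddr": vaddr, "vsize": vsize, "rsize": rsize,
                         "entropy": shannon_entropy(pe[rptr:rptr + rsize])})
    return entry_rva, sections

def assess_packing(pe: bytes) -> dict:
    """Combine the heuristics a packer identifier relies on into one triage verdict."""
    entry_rva, sections = parse_sections(pe)
    packer, reasons = None, []
    for s in sections:
        hit = PACKER_SECTION_NAMES.get(s["name"])
        if hit:
            packer = hit
            reasons.append(f"section {s['name']!r} is characteristic of {hit}")
        if s["rsize"] and s["entropy"] > 7.0:
            reasons.append(f"section {s['name']!r} has entropy {s['entropy']:.2f} (compressed data)")
        if s["rsize"] == 0 and s["vsize"] > 0:
            reasons.append(f"section {s['name']!r} is empty on disk but reserves {s['vsize']:#x} "
                           "bytes (the stub decompresses into it at run time)")
    # Packers place the entry point in their stub, which is usually the last section.
    for s in sections:
        if s["vaddr"] <= entry_rva < s["vaddr"] + max(s["vsize"], s["rsize"]):
            if s is sections[-1] and len(sections) > 1:
                reasons.append(f"entry point {entry_rva:#x} lies in the last section {s['name']!r}")
            break
    return {"packer": packer, "likely_packed": bool(reasons), "reasons": reasons}

def build_sample_pe(sections, entry_rva: int) -> bytes:
    """Constructed test data: a minimal PE32 header plus section table, not a runnable program.
    sections is a list of (name, virtual_address, virtual_size, raw_bytes)."""
    opt_size, align = 0xE0, 0x200
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    headers_end = -(-(0x40 + 4 + 20 + opt_size + 40 * len(sections)) // align) * align
    table, body, raw_ptr = b"", b"", headers_end
    for name, vaddr, vsize, raw in sections:
        table += struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, len(raw),
                             raw_ptr if raw else 0, 0, 0, 0, 0, 0x60000020)
        padded = raw + b"\0" * (-len(raw) % align)        # file alignment padding
        body += padded
        raw_ptr += len(padded)
    header = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    return header + b"\0" * (headers_end - len(header)) + body

# Constructed samples: a UPX-style layout (empty UPX0, compressed UPX1 holding the
# entry point) and a conventional unpacked layout with the entry point in .text.
SAMPLE_PACKED = build_sample_pe(
    [(b"UPX0", 0x1000, 0x10000, b""),
     (b"UPX1", 0x11000, 0x2000, bytes(range(256)) * 16)], entry_rva=0x11800)
SAMPLE_CLEAN = build_sample_pe(
    [(b".text", 0x1000, 0x1000, b"\x55\x8b\xec" * 300),
     (b".data", 0x2000, 0x200, b"hello\0" * 20)], entry_rva=0x1000)

if __name__ == "__main__":
    for label, sample in (("packed", SAMPLE_PACKED), ("clean", SAMPLE_CLEAN)):
        print(label, assess_packing(sample))
```

On a real file, call assess_packing(open(path, "rb").read()). Treat a hit as a triage signal, not a verdict: as the article's own examples show, ordinary commercial software ships packed too, and a packer whose stub uses different section names or runs below the entropy threshold will be missed, so a clean result only means these particular heuristics did not fire.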

Please credit the original source when reposting: https://www.9cbs.com/read-41374.html
