Resource Hacker Reshacker
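The help file bundled with the original English version is in a format too old to use under Win7, so it has been converted to a CHM help file and the hlp file has been removed. It is still in Chinese, but it cannot be opened directly from the program's Help menu; to consult the help, open the ResHacker.chm file directly.
* Added support for PNG icons. Click here to download!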
Comment Viewer v.0.2
Comment Viewer is a plug-in for the Interactive Disassembler (IDA) whose purpose is to give the security researcher an easy way to manage the comments in the database. It should prove useful on large binary-code analysis projects, where keeping a clear picture of what the executable does is needed.
The plug-in supports a variety of options to be as efficient as possible in a variety of cases, while keeping much of its simplicity. For more information on the various options, what they mean and how to use them, please read the attached PDF.
Original download link: http://www.openrce.org/downloads/details/237/Comment_Viewer
Dbank download link: http://dl.dbank.com/c0qtmkuof4
Export ASM Code From IDA To File
#include "idc.idc"
static ElementExist(arrayid,size,val)
{
auto i,v;
for(i=0;i
Delphi Get HDD Serial Number
program keygenme;
uses
  Windows, Messages, CommCtrl;
{$R software.RES}
var
  WinClass: TWndClassA;
  Inst: HINST;
  hWindow: HWND;
  TheMessage: TMsg;
  hDrive: HWND;
  hID: HWND;
  hf: THandle;
  htitle: HWND;
  cmbChange: HWND;
  cmbAbout: HWND;
  cmbExit: HWND;
  PaintStruct: TPaintStruct;
  PaintDC: HDC;
  hFont1: HFONT;
  isNT: Boolean;

function StrToInt(const S: string): Integer;
var
  E: Integer;
begin
  Val(S, Result, E);
end;
Core FTP Pro v2.2 build 1687 Serial Number
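From RegQueryValueExA to ZwQueryValueKey
I have always found registry data of type REG_MULTI_SZ rather painful to deal with: first, because Delphi surprisingly has no function for it, and second, because modifying this type of data through an SSDT hook ran into a lot of problems.
To understand how it is actually handled, I traced the relevant call flow. Which program makes the call does not matter here, so I'll go straight to the code.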
103B29D8 8B4C24 18 mov ecx,dword ptr ss:[esp+0x18]
103B29DC 8B3D 34F0EE10 mov edi,dword ptr ds:[<&ADVAPI32.RegQuer>; ADVAPI32.RegQueryValueExA
103B29E2 894424 14 mov dword ptr ss:[esp+0x14],eax
103B29E6 8D4424 14 lea eax,dword ptr ss:[esp+0x14]
103B29EA 50 push eax
103B29EB 6A 00 push 0x0
103B29ED 6A 00 push 0x0
103B29EF 6A 00 push 0x0
103B29F1 68 088FFD10 push iTunes_1.10FD8F08 ; ASCII "SystemBiosVersion"
103B29F6 51 push ecx
103B29F7 FFD7 call edi
103B29F9 85C0 test eax,eax
103B29FB 75 48 jnz XiTunes_1.103B2A45
103B29FD 8B5424 14 mov edx,dword ptr ss:[esp+0x14]
103B2A01 52 push edx
103B2A02 50 push eax
103B2A03 E8 7820CDFF call iTunes_1.10084A80
103B2A08 50 push eax
103B2A09 FF15 84FEEE10 call dword ptr ds:[<&KERNEL32.HeapAlloc>>; ntdll.RtlAllocateHeap
103B2A0F 8B4C24 18 mov ecx,dword ptr ss:[esp+0x18]
103B2A13 8BF0 mov esi,eax
103B2A15 8D4424 14 lea eax,dword ptr ss:[esp+0x14]
103B2A19 50 push eax
103B2A1A 56 push esi
103B2A1B 6A 00 push 0x0
103B2A1D 6A 00 push 0x0
103B2A1F 68 088FFD10 push iTunes_1.10FD8F08 ; ASCII "SystemBiosVersion"
103B2A24 51 push ecx
103B2A25 FFD7 call edi
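This is the first call at the application layer. On this first call no buffer has been allocated to hold the data; the real purpose of the call is to obtain the size of the corresponding data in the registry.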
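Once the second call has filled the buffer, the caller holds `size` bytes of REG_MULTI_SZ data, and the registry does not guarantee that the value was stored with its terminating NULs. The following is an added example, not code from the original post: a portable C splitter for an ANSI REG_MULTI_SZ buffer that is bounded by the reported size. The names `multi_sz_split` and `multi_sz_item` and the sample buffers are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* One string inside the caller's buffer: not copied, not NUL-guaranteed. */
typedef struct { const char *ptr; size_t len; } multi_sz_item;

/* Constructed sample data, not read from a real registry. */
static const char SAMPLE_GOOD[] = "alpha\0beta\0";   /* 12 bytes, ends in double NUL */
static const char SAMPLE_CUT[]  = { 'a','l','p','h','a',0,'b','e','t' }; /* no terminators */

/* Split `size` bytes of ANSI REG_MULTI_SZ data into at most `max` items.
 * Returns the item count. *well_formed is 1 only when the list ends with the
 * empty-string terminator exactly at the end of the data. Never reads past
 * buf + size, even when the stored value lacks its NULs. */
size_t multi_sz_split(const char *buf, size_t size,
                      multi_sz_item *out, size_t max, int *well_formed)
{
    size_t off = 0, n = 0;
    *well_formed = 0;
    while (off < size && n < max) {
        const char *s = buf + off;
        const char *nul = memchr(s, '\0', size - off);
        size_t len = nul ? (size_t)(nul - s) : size - off;
        if (len == 0) {                  /* empty string marks the end of the list */
            *well_formed = (off + 1 == size);
            break;
        }
        out[n].ptr = s; out[n].len = len; n++;
        if (!nul) break;                 /* last string ran into the end of the data */
        off += len + 1;
    }
    return n;
}

static void show(const char *buf, size_t size)
{
    multi_sz_item it[8];
    int ok;
    size_t n = multi_sz_split(buf, size, it, 8, &ok);
    for (size_t i = 0; i < n; i++)
        printf("[%zu] %.*s\n", i, (int)it[i].len, it[i].ptr);
    printf("terminated correctly: %s\n", ok ? "yes" : "no");
}

int main(void)
{
    show(SAMPLE_GOOD, sizeof SAMPLE_GOOD);
    show(SAMPLE_CUT, sizeof SAMPLE_CUT);
    return 0;
}
```

Items point into the original buffer, so they must be printed or copied with their explicit length rather than treated as C strings.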