【Title】: Unpacking VMProtect 1.70.4
【Author】: hxqlky
【Author's e-mail】: [email protected]
【Author's homepage】: http://www.x5dj.com/hxqlky
【Download】: search for it yourself
【Packer】: VMProtect 1.70.4
【Protection】: VMProtect 1.70.4
【Language】: MASM32 / TASM32
【Tools】: OD (OllyDbg)
【Platform】: Windows XP
【Author's note】: Just out of interest, no other purpose. If I've slipped up anywhere, I'd be grateful for corrections from the experts!
--------------------------------------------------------------------------------
【Detailed process】
Unpacking VMProtect 1.70.4
0041A300 > 68 FE571FD7 push D71F57FE
0041A305 E8 B5970000 call Sec_Add_.00423ABF
0041A30A ^ E2 B8 loopd short Sec_Add_.0041A2C4
0041A30C 1E push ds
0041A30D D7 xlat byte ptr ds:[xbx+al]
With a debugger attached, the program complains: A debugger has been found running in your system. Please, unload it from memory and restart your program.
Alt+M, set a breakpoint on 401000, F9 to run, and the same message appears: A debugger has been found running in your system. Please, unload it from memory and restart your program.
F12 to pause, then click K (call stack):
77D505CA E8 2D000000 call user32.MessageBoxExA
77D505CF 5D pop ebp
77D505D0 C2 1000 retn 10 <- F2 to set a breakpoint here, then F9
77D505D3 90 nop
Registers:
EAX 00000001
ECX 7C93005D ntdll.7C93005D
EDX 00000000
EBX 0012F798 ASCII "\Sec Add 1.8 vmp\Sec Add_1.8 version.exe"
ESP 0012F784
EBP 0012FF98
ESI 7C801AD0 kernel32.VirtualProtect
EDI 004155C3 ASCII "A debugger has been found running in your system. Please, unload it from memory and restart your program."
EIP 77D505D0 user32.77D505D0
Restart the program from the beginning.
Ctrl+G, go to 7C801AD0 (kernel32.VirtualProtect, the address seen in ESI above):
7C801AD0 > 8BFF mov edi,edi
7C801AD2 55 push ebp <- F2 to set a breakpoint here, then F9
7C801AD3 8BEC mov ebp,esp
7C801AD5 FF75 14 push dword ptr ss:[ebp+14]
7C801AD8 FF75 10 push dword ptr ss:[ebp+10]
7C801ADB FF75 0C push dword ptr ss:[ebp+C]
7C801ADE FF75 08 push dword ptr ss:[ebp+8]
7C801AE1 6A FF push -1
7C801AE3 E8 75FFFFFF call kernel32.VirtualProtectEx
7C801AE8 5D pop ebp
7C801AE9 C2 1000 retn 10
Stack:
0012F784 004142FA Sec_Add_.004142FA
0012F788 00401000 Sec_Add_.00401000
0012F78C 0000111E
Run with F9 7 times.
Start over and press F9 6 times.
Stack:
0012EBE0 10202FA0 返回到 SogouPy.10202FA0
0012EBE4 10000000 SogouPy.10000000
0012EBE8 00001000
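Reading the stack at the VirtualProtect breakpoint is the step that decides which hit matters: the first three slots are the return address, lpAddress and dwSize, and only the hit whose caller and range both sit inside the target (Sec_Add_ at image base 00400000, range 00401000 + 111E) is the packer unlocking the code section; a hit from another module, like the SogouPy IME DLL above, is noise to skip with F9. The following is an added example, not part of the original post and not VMProtect's or OllyDbg's code: it parses stack-window dumps in the format shown above and applies that check. The function names, the image size 0x20000 and the assumption that the dump starts at the return-address slot are mine; the image base and the addresses come from the listing.

```python
import re

# Constructed sample input: the two stack-window snapshots from the write-up,
# taken on entry to kernel32.VirtualProtect. The third column is OllyDbg's
# own comment column and is optional.
HIT_MAIN = """0012F784 004142FA Sec_Add_.004142FA
0012F788 00401000 Sec_Add_.00401000
0012F78C 0000111E"""

HIT_IME_DLL = """0012EBE0 10202FA0 返回到 SogouPy.10202FA0
0012EBE4 10000000 SogouPy.10000000
0012EBE8 00001000"""

# stack address, dword value, optional comment
_ROW = re.compile(r"^([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]{8})(?:\s+(.*))?$")


def parse_stack(dump):
    """Parse an OllyDbg stack-window dump into (addr, value, comment) rows."""
    rows = []
    for line in dump.strip().splitlines():
        m = _ROW.match(line.strip())
        if not m:
            raise ValueError("unrecognised stack line: %r" % line)
        addr, value, comment = m.groups()
        rows.append((int(addr, 16), int(value, 16), (comment or "").strip()))
    return rows


def virtualprotect_args(rows):
    """On entry to VirtualProtect (stdcall) the stack holds
    [return address][lpAddress][dwSize][flNewProtect][lpflOldProtect];
    the write-up shows only the first three slots, so only those are read.
    Assumes the dump starts at ESP, i.e. at the return-address slot."""
    if len(rows) < 3:
        raise ValueError("need return address, lpAddress and dwSize")
    return {"return_to": rows[0][1], "lpAddress": rows[1][1], "dwSize": rows[2][1]}


def unprotects_target(args, image_base, image_size):
    """True when both the caller and the protected range lie inside the target
    module, i.e. the packer's own stub is unlocking the target's code. A hit
    whose caller or range belongs to another module is noise."""
    lo, hi = image_base, image_base + image_size
    start, end = args["lpAddress"], args["lpAddress"] + args["dwSize"]
    return lo <= args["return_to"] < hi and lo <= start and end <= hi


def covers_oep(args, oep):
    """Does the unlocked range contain the suspected OEP?"""
    return args["lpAddress"] <= oep < args["lpAddress"] + args["dwSize"]


if __name__ == "__main__":
    # Image base 0x400000 is from the listing (Sec_Add_.00400000); the image
    # size 0x20000 is an assumed value, read it from the PE header in practice.
    for name, dump in (("main", HIT_MAIN), ("ime", HIT_IME_DLL)):
        a = virtualprotect_args(parse_stack(dump))
        print(name, {k: hex(v) for k, v in a.items()},
              "target" if unprotects_target(a, 0x400000, 0x20000) else "skip",
              "contains OEP" if covers_oep(a, 0x401000) else "")
```

Run it as a script to see the first hit classified as the target (and its range 00401000..0040211E containing the OEP 00401000) and the SogouPy hit as one to skip; with a real dump, paste the three stack lines from the breakpoint into the sample strings and use the image size from the PE header.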
Data window:
00401000 6A 00 push 0
00401002 E8 67DF0000 call Sec_Add_.0040EF6E
00401007 A3 08404000 mov dword ptr ds:[404008],eax
0040100C E8 D9730000 call Sec_Add_.004083EA
00401011 6A 00 push 0
00401013 68 30104000 push Sec_Add_.00401030
00401018 6A 00 push 0
0040101A 68 EC404000 push Sec_Add_.004040EC ; ASCII "m00n"
Alt+M, set a memory-on-access breakpoint on 401000, F9.
00401030 55 push ebp <- breaks here; scroll up
00401031 8BEC mov ebp,esp
00401033 83C4 F0 add esp,-10
00401036 53 push ebx
00401037 57 push edi
00401038 56 push esi
00401039 817D 0C 1001000>cmp dword ptr ss:[ebp+C],110
00401040 0F85 E8010000 jnz Sec_Add_.0040122E
00401000 6A 00 push 0 <- OEP
00401002 E8 67DF0000 call Sec_Add_.0040EF6E
00401007 A3 08404000 mov dword ptr ds:[404008],eax
0040100C E8 D9730000 call Sec_Add_.004083EA
00401011 6A 00 push 0
00401013 68 30104000 push Sec_Add_.00401030
00401018 6A 00 push 0
0040101A 68 EC404000 push Sec_Add_.004040EC ; ASCII "m00n"
0040101F FF35 08404000 push dword ptr ds:[404008] ; Sec_Add_.00400000
00401025 E8 B1D80000 call Sec_Add_.0040E8DB
0040102A 50 push eax
0040102B E8 51C70000 call Sec_Add_.0040D781
Dump here. Stack window at this point:
0012FFC4 7C816FE7 返回到 kernel32.7C816FE7
0012FFC8 7C930041 返回到 ntdll.7C930041 来自 ntdll.7C930092
0012FFCC 005F0778
0012FFD0 7FFDD000
0012FFD4 8054507D
0012FFD8 0012FFC8
0012FFDC 89357CB0
0012FFE0 FFFFFFFF SEH 链尾部
0012FFE4 7C839AF0 SE 句柄
0012FFE8 7C816FF0 kernel32.7C816FF0
0012FFEC 00000000
0012FFF0 00000000
0012FFF4 00000000
0012FFF8 0041A300 Sec_Add_.
0012FFFC 00000000