Unpacking VMProtect 1.70.4
【Title】: Unpacking VMProtect 1.70.4
【Author】: hxqlky
【Author e-mail】: zmunlky@gmail.com
【Author homepage】: http://www.x5dj.com/hxqlky
【Download】: search for it yourself
【Packer】: VMProtect 1.70.4
【Protection】: VMProtect 1.70.4
【Language】: MASM32 / TASM32
【Tools】: OllyDbg (od)
【Platform】: Windows XP
【Author's note】: Done purely out of interest, for no other purpose. Corrections from the experts are welcome!
--------------------------------------------------------------------------------
【Detailed procedure】
Unpacking VMProtect 1.70.4

0041A300 >  68 FE571FD7      push D71F57FE
0041A305    E8 B5970000      call Sec_Add_.00423ABF
0041A30A  ^ E2 B8            loopd short Sec_Add_.0041A2C4
0041A30C    1E               push ds
0041A30D    D7               xlat byte ptr ds:[xbx+al]

There is debugger detection: "A debugger has been found running in your system. Please, unload it from memory and restart your program."

Alt+M, set a breakpoint on 401000, F9 to run: the message "A debugger has been found running in your system. Please, unload it from memory and restart your program." appears.
F12 to pause, then click K (call stack):
77D505CA    E8 2D000000      call user32.MessageBoxExA
77D505CF    5D               pop ebp
77D505D0    C2 1000          retn 10          <- F2 (breakpoint here), F9
77D505D3    90               nop
Look at the registers:
EAX 00000001
ECX 7C93005D ntdll.7C93005D
EDX 00000000
EBX 0012F798 ASCII "\Sec Add 1.8 vmp\Sec Add_1.8 version.exe"
ESP 0012F784
EBP 0012FF98
ESI 7C801AD0 kernel32.VirtualProtect
EDI 004155C3 ASCII "A debugger has been found running in your system. Please, unload it from memory and restart your program."
EIP 77D505D0 user32.77D505D0
Restart the program.
Go to 7C801AD0 (kernel32.VirtualProtect):
7C801AD0 >  8BFF             mov edi,edi
7C801AD2    55               push ebp         <- F2 (breakpoint here), F9
7C801AD3    8BEC             mov ebp,esp
7C801AD5    FF75 14          push dword ptr ss:[ebp+14]
7C801AD8    FF75 10          push dword ptr ss:[ebp+10]
7C801ADB    FF75 0C          push dword ptr ss:[ebp+C]
7C801ADE    FF75 08          push dword ptr ss:[ebp+8]
7C801AE1    6A FF            push -1
7C801AE3    E8 75FFFFFF      call kernel32.VirtualProtectEx
7C801AE8    5D               pop ebp
7C801AE9    C2 1000          retn 10
Look at the stack:
0012F784   004142FA  Sec_Add_.004142FA
0012F788   00401000  Sec_Add_.00401000
0012F78C   0000111E
F9: it takes 7 runs to get there. Start over and press F9 6 times.
Look at the stack:
0012EBE0   10202FA0  RETURN to SogouPy.10202FA0
0012EBE4   10000000  SogouPy.10000000
0012EBE8   00001000
Look at the data window:
00401000    6A 00            push 0
00401002    E8 67DF0000      call Sec_Add_.0040EF6E
00401007    A3 08404000      mov dword ptr ds:[404008],eax
0040100C    E8 D9730000      call Sec_Add_.004083EA
00401011    6A 00            push 0
00401013    68 30104000      push Sec_Add_.00401030
00401018    6A 00            push 0
0040101A    68 EC404000      push Sec_Add_.004040EC                ; ASCII "m00n"
Alt+M, set a memory access breakpoint on 401000, F9:
00401030    55               push ebp         <- breaks here; scroll up
00401031    8BEC             mov ebp,esp
00401033    83C4 F0          add esp,-10
00401036    53               push ebx
00401037    57               push edi
00401038    56               push esi
00401039    817D 0C 1001000> cmp dword ptr ss:[ebp+C],110
00401040    0F85 E8010000    jnz Sec_Add_.0040122E

00401000    6A 00            push 0           <- OEP
00401002    E8 67DF0000      call Sec_Add_.0040EF6E
00401007    A3 08404000      mov dword ptr ds:[404008],eax
0040100C    E8 D9730000      call Sec_Add_.004083EA
00401011    6A 00            push 0
00401013    68 30104000      push Sec_Add_.00401030
00401018    6A 00            push 0
0040101A    68 EC404000      push Sec_Add_.004040EC                ; ASCII "m00n"
0040101F    FF35 08404000    push dword ptr ds:[404008]            ; Sec_Add_.00400000
00401025    E8 B1D80000      call Sec_Add_.0040E8DB
0040102A    50               push eax
0040102B    E8 51C70000      call Sec_Add_.0040D781

Dump. The stack at this point:
0012FFC4   7C816FE7  RETURN to kernel32.7C816FE7
0012FFC8   7C930041  RETURN to ntdll.7C930041 from ntdll.7C930092
0012FFCC   005F0778
0012FFD0   7FFDD000
0012FFD4   8054507D
0012FFD8   0012FFC8
0012FFDC   89357CB0
0012FFE0   FFFFFFFF  End of SEH chain
0012FFE4   7C839AF0  SE handler
0012FFE8   7C816FF0  kernel32.7C816FF0
0012FFEC   00000000
0012FFF0   00000000
0012FFF4   00000000
0012FFF8   0041A300  Sec_Add_.
0012FFFC   00000000
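The three dwords captured at the VirtualProtect breakpoint are the return address followed by the function's stdcall arguments, which is why the region 00401000..0040211E points straight at the OEP. The Python below is an added example, not part of the original write-up: it parses OllyDbg stack-window rows into that frame and checks whether the region being re-protected contains a candidate OEP. The sample rows are constructed from the listing above, and the function names are mine.

```python
import re
from typing import Dict, List, Optional, Tuple

# One OllyDbg stack-window row: "<esp address>  <dword>  [annotation]".
STACK_ROW = re.compile(r"^\s*([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]{8})(?:\s+(.*))?$")

# kernel32.VirtualProtect is stdcall with four dword arguments ("retn 10").
# At its first instruction [esp] is the return address, then the arguments.
VP_ARGS = ("lpAddress", "dwSize", "flNewProtect", "lpflOldProtect")

# Constructed sample: the stack as captured in the write-up at the
# VirtualProtect breakpoint; only three dwords were shown, so two are missing.
SAMPLE_STACK = """\
0012F784   004142FA  Sec_Add_.004142FA
0012F788   00401000  Sec_Add_.00401000
0012F78C   0000111E
"""

def parse_stack(text: str) -> List[Tuple[int, int, str]]:
    """Parse stack-window rows into (esp, value, annotation); skip other lines."""
    rows = []
    for line in text.splitlines():
        m = STACK_ROW.match(line)
        if m:
            rows.append((int(m.group(1), 16), int(m.group(2), 16),
                         (m.group(3) or "").strip()))
    return rows

def virtualprotect_frame(rows: List[Tuple[int, int, str]]) -> Dict[str, Optional[int]]:
    """Label the rows as a VirtualProtect entry frame; uncaptured args become None."""
    if not rows:
        raise ValueError("no stack rows")
    frame: Dict[str, Optional[int]] = {"return_to": rows[0][1]}
    for i, name in enumerate(VP_ARGS, start=1):
        frame[name] = rows[i][1] if i < len(rows) else None
    return frame

def covers_oep(frame: Dict[str, Optional[int]], oep: int) -> bool:
    """True when the region being re-protected contains the candidate OEP."""
    if frame["lpAddress"] is None or frame["dwSize"] is None:
        return False
    return frame["lpAddress"] <= oep < frame["lpAddress"] + frame["dwSize"]

if __name__ == "__main__":
    fr = virtualprotect_frame(parse_stack(SAMPLE_STACK))
    print(fr, covers_oep(fr, 0x401000))
```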
Reposted from: https://www.cnblogs.com/MaxWoods/archive/2010/04/21/1716866.html