【Author】: hxqlky
【Author's homepage】: http://www./hxqlky
【Download】: search for it yourself
【Packer】: VMProtect 1.70.4
【Protection】: VMProtect 1.70.4
【Written in】: MASM32 / TASM32
【Tools】: OD (OllyDbg)
【Platform】: XP
【Author's note】: Just out of interest, nothing else. If I have made mistakes, I welcome corrections from the experts!
--------------------------------------------------------------------------------
【Detailed process】

Unpacking VMProtect 1.70.4

Entry point of the packed program:

0041A300 > 68 FE571FD7 push D71F57FE
0041A305 E8 B5970000 call Sec_Add_.00423ABF
0041A30A ^ E2 B8 loopd short Sec_Add_.0041A2C4
0041A30C 1E push ds
0041A30D D7 xlat byte ptr ds:[ebx+al]

There is a debugger check: run it under the debugger and you get "A debugger has been found running in your system. Please, unload it from memory and restart your program."

Alt+M, set a breakpoint at 401000, F9 to run; the message "A debugger has been found running in your system. Please, unload it from memory and restart your program." appears. Press F12 to pause and click K (call stack) to find where it was called from:

77D505CA E8 2D000000 call user32.MessageBoxExA
77D505CF 5D pop ebp
77D505D0 C2 1000 retn 10

F2 on the retn, then F9 (77D505D3 90 nop). Look at the registers:

EAX 00000001
ECX 7C93005D ntdll.7C93005D
EDX 00000000
EBX 0012F798 ASCII "\Sec Add 1.8 vmp\Sec Add_1.8 version.exe"
ESP 0012F784
EBP 0012FF98
ESI 7C801AD0 kernel32.VirtualProtect
EDI 004155C3 ASCII "A debugger has been found running in your system. Please, unload it from memory and restart your program."
EIP 77D505D0 user32.77D505D0

ESI holds kernel32.VirtualProtect. Start over and go to 7C801AD0:

7C801AD0 > 8BFF mov edi,edi
7C801AD2 55 push ebp          <- F2 here, then F9
7C801AD3 8BEC mov ebp,esp
7C801AD5 FF75 14 push dword ptr ss:[ebp+14]
7C801AD8 FF75 10 push dword ptr ss:[ebp+10]
7C801ADB FF75 0C push dword ptr ss:[ebp+C]
7C801ADE FF75 08 push dword ptr ss:[ebp+8]
7C801AE1 6A FF push -1
7C801AE3 E8 75FFFFFF call kernel32.VirtualProtectEx
7C801AE8 5D pop ebp
7C801AE9 C2 1000 retn 10

Look at the stack:

0012F784 004142FA Sec_Add_.004142FA
0012F788 00401000 Sec_Add_.00401000
0012F78C 0000111E

F9 hits 7 times in total. Start over, press F9 6 times and look at the stack:

0012EBE0 10202FA0 返回到 SogouPy.10202FA0
0012EBE4 10000000 SogouPy.10000000
0012EBE8 00001000

Look at the data window at 00401000:

00401000 6A 00 push 0
00401002 E8 67DF0000 call Sec_Add_.0040EF6E
00401007 A3 08404000 mov dword ptr ds:[404008],eax
0040100C E8 D9730000 call Sec_Add_.004083EA
00401011 6A 00 push 0
00401013 68 30104000 push Sec_Add_.00401030
00401018 6A 00 push 0
0040101A 68 EC404000 push Sec_Add_.004040EC ; ASCII "m00n"

Alt+M, set a memory access breakpoint on 401000, F9. It breaks here:

00401030 55 push ebp          <- breaks here; scroll up
00401031 8BEC mov ebp,esp
00401033 83C4 F0 add esp,-10
00401036 53 push ebx
00401037 57 push edi
00401038 56 push esi
00401039 817D 0C 10010000 cmp dword ptr ss:[ebp+C],110
00401040 0F85 E8010000 jnz Sec_Add_.0040122E

Scrolling up gives the OEP:

00401000 6A 00 push 0          <- OEP
00401002 E8 67DF0000 call Sec_Add_.0040EF6E
00401007 A3 08404000 mov dword ptr ds:[404008],eax
0040100C E8 D9730000 call Sec_Add_.004083EA
00401011 6A 00 push 0
00401013 68 30104000 push Sec_Add_.00401030
00401018 6A 00 push 0
0040101A 68 EC404000 push Sec_Add_.004040EC ; ASCII "m00n"
0040101F FF35 08404000 push dword ptr ds:[404008] ; Sec_Add_.00400000
00401025 E8 B1D80000 call Sec_Add_.0040E8DB
0040102A 50 push eax
0040102B E8 51C70000 call Sec_Add_.0040D781

Dump. The stack at this point:

0012FFC4 7C816FE7 返回到 kernel32.7C816FE7
0012FFC8 7C930041 返回到 ntdll.7C930041 来自 ntdll.7C930092
0012FFCC 005F0778
0012FFD0 7FFDD000
0012FFD4 8054507D
0012FFD8 0012FFC8
0012FFDC 89357CB0
0012FFE0 FFFFFFFF SEH 链尾部
0012FFE4 7C839AF0 SE 句柄
0012FFE8 7C816FF0 kernel32.7C816FF0
0012FFEC 00000000
0012FFF0 00000000
0012FFF4 00000000
0012FFF8 0041A300 Sec_Add_.
0012FFFC 00000000
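The OEP-hunting step above rests on two observations: the packer calls VirtualProtect on the program's own code range (lpAddress 00401000, dwSize 111E on the stack) just before control reaches it, and the code that appears there has the shape of a MASM32 program entry (push 0 / call / mov [hInstance],eax). The script below, added here as an example and not part of the original post, encodes both checks over OllyDbg-style text: it parses stack snapshots taken at the VirtualProtect breakpoint, skips calls aimed at other modules (the SogouPy hit), and reports the first call whose range lies inside the target image, then checks whether a listing at that address matches the entry pattern. The image size and the "GetModuleHandle" reading of the first call are assumptions; the sample snapshots and listing are constructed from values in the write-up.

```python
"""Analyst helpers for the VirtualProtect / OEP heuristic used in the write-up
(example code added to the post; the OllyDbg snapshots below are constructed
from the values shown there)."""
import re
from typing import Dict, List, Optional, Tuple

IMAGE_BASE = 0x00400000   # shown as Sec_Add_.00400000 in the listing
IMAGE_SIZE = 0x00020000   # assumed: the write-up does not state SizeOfImage

# Stack snapshots at the VirtualProtect entry breakpoint: [ESP] = return address,
# [ESP+4] = lpAddress, [ESP+8] = dwSize. First hit targets an IME DLL, not us.
SNAPSHOTS = [
    "0012EBE0 10202FA0 返回到 SogouPy.10202FA0\n"
    "0012EBE4 10000000 SogouPy.10000000\n"
    "0012EBE8 00001000",
    "0012F784 004142FA Sec_Add_.004142FA\n"
    "0012F788 00401000 Sec_Add_.00401000\n"
    "0012F78C 0000111E",
]

# Constructed listing of the code at 00401000, as OllyDbg prints it.
OEP_LISTING = (
    "00401000 6A 00 push 0\n"
    "00401002 E8 67DF0000 call Sec_Add_.0040EF6E\n"
    "00401007 A3 08404000 mov dword ptr ds:[404008],eax\n"
    "0040100C E8 D9730000 call Sec_Add_.004083EA\n"
)

STACK_LINE = re.compile(r"^([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]{8})")
LISTING_LINE = re.compile(r"^([0-9A-Fa-f]{8})\s+(.*)$")
OPCODE_TOKEN = re.compile(r"[0-9A-F]{2,8}")


def parse_stack_snapshot(text: str) -> List[int]:
    """Return the dword values of a snapshot, top of stack first."""
    values = []
    for line in text.splitlines():
        m = STACK_LINE.match(line.strip())
        if m:
            values.append(int(m.group(2), 16))
    return values


def virtualprotect_args(values: List[int]) -> Tuple[int, int, int]:
    """(return address, lpAddress, dwSize) from a snapshot taken at entry."""
    if len(values) < 3:
        raise ValueError("snapshot too short for VirtualProtect arguments")
    return values[0], values[1], values[2]


def in_target_image(addr: int, base: int = IMAGE_BASE, size: int = IMAGE_SIZE) -> bool:
    return base <= addr < base + size


def find_oep_candidate(snapshots: List[str], base: int = IMAGE_BASE,
                       size: int = IMAGE_SIZE) -> Optional[Dict[str, int]]:
    """First VirtualProtect call whose lpAddress lies inside the target image."""
    for hit, snap in enumerate(snapshots):
        ret, lp, sz = virtualprotect_args(parse_stack_snapshot(snap))
        if in_target_image(lp, base, size):
            return {"hit": hit, "return": ret, "address": lp, "size": sz}
    return None


def parse_listing(text: str) -> List[Tuple[int, str]]:
    """Split 'address opcode-bytes mnemonic operands' lines. Opcode bytes are
    uppercase hex tokens of even length; the mnemonic is the first other token."""
    insns = []
    for line in text.splitlines():
        m = LISTING_LINE.match(line.strip())
        if not m:
            continue
        tokens = [t for t in m.group(2).split() if t not in ("^", "v", ">")]
        k = 0
        while k < len(tokens) and OPCODE_TOKEN.fullmatch(tokens[k]) and len(tokens[k]) % 2 == 0:
            k += 1
        insns.append((int(m.group(1), 16), " ".join(tokens[k:])))
    return insns


def looks_like_masm32_entry(insns: List[Tuple[int, str]]) -> bool:
    """MASM32 template entry: push 0 / call (assumed GetModuleHandle) / mov hInstance, eax."""
    if len(insns) < 3:
        return False
    ops = [op for _, op in insns[:3]]
    return (ops[0] == "push 0" and ops[1].startswith("call ")
            and ops[2].startswith("mov dword ptr") and ops[2].endswith(",eax"))


if __name__ == "__main__":
    cand = find_oep_candidate(SNAPSHOTS)
    print("VirtualProtect on own image:", {k: hex(v) for k, v in cand.items()})
    print("entry pattern at 00401000:", looks_like_masm32_entry(parse_listing(OEP_LISTING)))
```

Both checks are heuristics: a packer may protect its own image several times, so the first in-image hit is where to set the memory access breakpoint, not proof of the OEP; the entry-pattern check then confirms that what breaks there is program code rather than more unpacking stub.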