After unpacking VMP-protected software, the program will not start: the exit-trap (暗桩) problem
The software has already been unpacked. After running it with F9, it goes straight to
7C92E514 >C3 RETN
7C92E515 8DA424 00000000 LEA ESP,DWORD PTR SS:[ESP]
7C92E51C 8D6424 00 LEA ESP,DWORD PTR SS:[ESP]
7C92E520 >8D5424 08 LEA EDX,DWORD PTR SS:[ESP+8]
7C92E524 CD 2E INT 2E
7C92E526 C3 RETN
7C92E527 90 NOP
7C92E528 >55 PUSH EBP
7C92E529 8BEC MOV EBP,ESP
7C92E52B 9C PUSHFD
7C92E52C 81EC D0020000 SUB ESP,2D0
7C92E532 8985 DCFDFFFF MOV DWORD PTR SS:[EBP-224],EAX
7C92E538 898D D8FDFFFF MOV DWORD PTR SS:[EBP-228],ECX
7C92E53E 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
7C92E541 8B4D 04 MOV ECX,DWORD PTR SS:[EBP+4]
7C92E544 8948 0C MOV DWORD PTR DS:[EAX+C],ECX
7C92E547 8D85 2CFDFFFF LEA EAX,DWORD PTR SS:[EBP-2D4]
7C92E54D 8988 B8000000 MOV DWORD PTR DS:[EAX+B8],ECX
7C92E553 8998 A4000000 MOV DWORD PTR DS:[EAX+A4],EBX
7C92E559 8990 A8000000 MOV DWORD PTR DS:[EAX+A8],EDX
7C92E55F 89B0 A0000000 MOV DWORD PTR DS:[EAX+A0],ESI
7C92E565 89B8 9C000000 MOV DWORD PTR DS:[EAX+9C],EDI
7C92E56B 8D4D 0C LEA ECX,DWORD PTR SS:[EBP+C]
7C92E56E 8988 C4000000 MOV DWORD PTR DS:[EAX+C4],ECX
7C92E574 8B4D 00 MOV ECX,DWORD PTR SS:[EBP]
7C92E577 8988 B4000000 MOV DWORD PTR DS:[EAX+B4],ECX
7C92E57D 8B4D FC MOV ECX,DWORD PTR SS:[EBP-4]
7C92E580 8988 C0000000 MOV DWORD PTR DS:[EAX+C0],ECX
7C92E586 8C88 BC000000 MOV WORD PTR DS:[EAX+BC],CS
7C92E58C 8C98 98000000 MOV WORD PTR DS:[EAX+98],DS
7C92E592 8C80 94000000 MOV WORD PTR DS:[EAX+94],ES
7C92E598 8CA0 90000000 MOV WORD PTR DS:[EAX+90],FS
7C92E59E 8CA8 8C000000 MOV WORD PTR DS:[EAX+8C],GS
7C92E5A4 8C90 C8000000 MOV WORD PTR DS:[EAX+C8],SS
7C92E5AA C700 07000100 MOV DWORD PTR DS:[EAX],10007
7C92E5B0 6A 01 PUSH 1
7C92E5B2 50 PUSH EAX
7C92E5B3 FF75 08 PUSH DWORD PTR SS:[EBP+8]
7C92E5B6 E8 F3F3FFFF CALL ntdll.ZwRaiseException
7C92E5BB 83EC 20 SUB ESP,20
7C92E5BE 890424 MOV DWORD PTR SS:[ESP],EAX
7C92E5C1 C74424 04 01000000 MOV DWORD PTR SS:[ESP+4],1
7C92E5C9 C74424 10 00000000 MOV DWORD PTR SS:[ESP+10],0
7C92E5D1 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
7C92E5D4 894424 08 MOV DWORD PTR SS:[ESP+8],EAX
7C92E5D8 8BC4 MOV EAX,ESP
7C92E5DA 50 PUSH EAX
7C92E5DB E8 48FFFFFF CALL ntdll.RtlRaiseException
Opening "Call stack of main thread" shows:
Address Stack Procedure / arguments Called from Frame
0012FE70 7C92DE7A Includes ntdll.KiFastSystemCallRet ntdll.7C92DE78 0012FF6C
0012FE74 7C81D1C6 Includes ntdll.7C92DE7A kernel32.7C81D1C4 0012FF6C
0012FF70 7C81D21E ? kernel32.7C81D164 kernel32.7C81D219 0012FF6C
0012FF74 00000000 Arg1 = 00000000
0012FF84 7C80C15B ? kernel32.ExitProcess kernel32.7C80C156 0012FF80
0012FF88 00000000 ExitCode = 0
0012FFC0 7C817775 ? kernel32.ExitThread kernel32.7C817770 0012FFBC
0012FFC4 00000000 ExitCode = 0
I found the ExitProcess position, pressed Enter to go in, and set a breakpoint at the start of the ExitProcess segment:
7C80C0F8 >6A 14 push 0x14
7C80C0FA 68 60C1807C push kernel32.7C80C160
7C80C0FF E8 D263FFFF call kernel32.7C8024D6
7C80C104 64:A1 18000000 mov eax,dword ptr fs:[0x18]
7C80C10A 8BF0 mov esi,eax
7C80C10C 8975 E0 mov dword ptr ss:[ebp-0x20],esi
7C80C10F 33FF xor edi,edi ; ntdll.7C930228
7C80C111 57 push edi ; ntdll.7C930228
7C80C112 6A 04 push 0x4
7C80C114 8D45 E4 lea eax,dword ptr ss:[ebp-0x1C]
7C80C117 50 push eax
7C80C118 6A 0C push 0xC
7C80C11A 6A FE push -0x2
7C80C11C FF15 3811807C call dword ptr ds:[<&ntdll.NtQueryInform>; ntdll.ZwQueryInformationThread
7C80C122 3BC7 cmp eax,edi ; ntdll.7C930228
7C80C124 75 05 jnz short kernel32.7C80C12B
7C80C126 397D E4 cmp dword ptr ss:[ebp-0x1C],edi ; ntdll.7C930228
7C80C129 75 28 jnz short kernel32.7C80C153
7C80C12B FF15 0015807C call dword ptr ds:[<&ntdll.RtlFreeThread>; ntdll.RtlFreeThreadActivationContextStack
7C80C131 E8 3B000000 call <jmp.&ntdll.LdrShutdownThread>
7C80C136 39BE 940F0000 cmp dword ptr ds:[esi+0xF94],edi ; ntdll.7C930228
7C80C13C 0F85 E3870300 jnz kernel32.7C844925
7C80C142 C686 750F0000 01 mov byte ptr ds:[esi+0xF75],0x1
7C80C149 FF75 08 push dword ptr ss:[ebp+0x8] ; 1_.<ModuleEntryPoint>
7C80C14C 57 push edi ; ntdll.7C930228
7C80C14D FF15 7414807C call dword ptr ds:[<&ntdll.NtTerminateTh>; ntdll.ZwTerminateThread
7C80C153 FF75 08 push dword ptr ss:[ebp+0x8] ; 1_.<ModuleEntryPoint>
7C80C156 E8 AF100100 call kernel32.ExitProcess
7C80C15B 90 nop
7C80C15C 90 nop
7C80C15D 90 nop
7C80C15E 90 nop
7C80C15F 90 nop
I pressed Enter and reloaded; the lower-right pane showed:
0012FFC0 7C817775 /CALL to ExitThread from kernel32.7C817770
0012FFC4 00000000 \ExitCode = 0x0
0012FFC8 7C930228 ntdll.7C930228
0012FFCC FFFFFFFF
0012FFD0 7FFDE000
0012FFD4 805522FA
I pressed Enter again to go in and set a breakpoint at the start of the function:
7C817737 57 push edi ; ntdll.7C930228
7C817738 E8 D742FFFF call kernel32.UnmapViewOfFile
7C81773D BF 7B0000C0 mov edi,0xC000007B
7C817742 E9 B5770000 jmp kernel32.7C81EEFC
7C817747 90 nop
7C817748 90 nop
7C817749 90 nop
7C81774A 90 nop
7C81774B 90 nop
7C81774C 6A 0C push 0xC
7C81774E 68 7877817C push kernel32.7C817778
7C817753 E8 7EADFEFF call kernel32.7C8024D6
7C817758 8365 FC 00 and dword ptr ss:[ebp-0x4],0x0
7C81775C 6A 04 push 0x4
7C81775E 8D45 08 lea eax,dword ptr ss:[ebp+0x8]
7C817761 50 push eax
7C817762 6A 09 push 0x9
7C817764 6A FE push -0x2
7C817766 FF15 B013807C call dword ptr ds:[<&ntdll.NtSetInformat>; ntdll.ZwSetInformationThread
7C81776C FF55 08 call dword ptr ss:[ebp+0x8] ; 1_.<ModuleEntryPoint>
7C81776F 50 push eax
7C817770 E8 8349FFFF call kernel32.ExitThread
7C817775 90 nop
7C817776 90 nop
7C817777 90 nop
7C817778 FFFF ??? ; unknown command
7C81777A FFFF ??? ; unknown command
7C81777C 5A pop edx ; kernel32.7C817775
I reloaded once more: it stopped right at the breakpoint, and running with F9 took me back to the OEP view.
I'm a newbie and really can't find the cause. Could the experts please help me find the key point of the problem? Thanks!
The unpacked software is on the net disk: https://pan.baidu.com/s/1dFrpiTV
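Reading the two panes in the post together, as an added worked example (my own code, not from the post, from OllyDbg, or from any tool named on this page): the Call stack window gives each frame's return address and the "Called from" address of the call that produced it. Following the Exit* frames outward ends at kernel32.7C817770, and the listing above shows that call is immediately preceded by `push eax` and `call dword ptr ss:[ebp+0x8] ; 1_.<ModuleEntryPoint>`, so the ExitCode handed to ExitThread is simply whatever the module entry point returned. The script below automates that lookup over text pasted in exactly this form. The sample input is copied from the post's dumps; the column layout, the "?"/"Includes" markers and the lowercase-mnemonic rule used to split opcode bytes from instruction text are assumptions about this paste format.

```python
"""Triage helper for the "unpacked program exits right away" case.

Parses OllyDbg text in the form pasted in the post (the Call stack
window and a disassembly listing), finds the outermost ExitProcess /
ExitThread frame, and lists the instructions sitting in front of the
call that reached it.  Column layout and lowercase mnemonics are
assumptions about this paste format; this is not an OllyDbg API.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Call stack rows: Address  Stack  Procedure/arguments  Called from  Frame
FRAME_RE = re.compile(
    r"^(?P<addr>[0-9A-F]{8})\s+(?P<ret>[0-9A-F]{8})\s+(?P<proc>.+?)\s+"
    r"(?P<called_from>\w+\.\w+)\s+(?P<frame>[0-9A-F]{8})$"
)
# Argument rows under a frame, e.g. "0012FF88 00000000 ExitCode = 0"
ARG_RE = re.compile(
    r"^(?P<addr>[0-9A-F]{8})\s+(?P<raw>[0-9A-F]{8})\s+(?P<name>\w+)\s*=\s*(?P<value>\w+)$"
)

# Constructed sample: the Call stack window copied from the post.
CALLSTACK = """
0012FE70 7C92DE7A Includes ntdll.KiFastSystemCallRet ntdll.7C92DE78 0012FF6C
0012FE74 7C81D1C6 Includes ntdll.7C92DE7A kernel32.7C81D1C4 0012FF6C
0012FF70 7C81D21E ? kernel32.7C81D164 kernel32.7C81D219 0012FF6C
0012FF74 00000000 Arg1 = 00000000
0012FF84 7C80C15B ? kernel32.ExitProcess kernel32.7C80C156 0012FF80
0012FF88 00000000 ExitCode = 0
0012FFC0 7C817775 ? kernel32.ExitThread kernel32.7C817770 0012FFBC
0012FFC4 00000000 ExitCode = 0
"""

# Constructed sample: the kernel32 listing around the ExitThread call, from the post.
DISASM = """
7C81774C 6A 0C push 0xC
7C81774E 68 7877817C push kernel32.7C817778
7C817753 E8 7EADFEFF call kernel32.7C8024D6
7C817758 8365 FC 00 and dword ptr ss:[ebp-0x4],0x0
7C81775C 6A 04 push 0x4
7C81775E 8D45 08 lea eax,dword ptr ss:[ebp+0x8]
7C817761 50 push eax
7C817762 6A 09 push 0x9
7C817764 6A FE push -0x2
7C817766 FF15 B013807C call dword ptr ds:[<&ntdll.NtSetInformat>; ntdll.ZwSetInformationThread
7C81776C FF55 08 call dword ptr ss:[ebp+0x8] ; 1_.<ModuleEntryPoint>
7C81776F 50 push eax
7C817770 E8 8349FFFF call kernel32.ExitThread
7C817775 90 nop
"""


@dataclass
class Frame:
    addr: str                 # stack slot holding the return address
    ret: str                  # return address
    proc: str                 # procedure, minus Olly's "?" / "Includes" marker
    called_from: str          # module.address of the call instruction
    frame: str
    args: List[str] = field(default_factory=list)


def parse_callstack(text: str) -> List[Frame]:
    frames: List[Frame] = []
    for line in text.strip().splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            proc = re.sub(r"^(\?|Includes)\s+", "", m["proc"])
            frames.append(Frame(m["addr"], m["ret"], proc, m["called_from"], m["frame"]))
            continue
        a = ARG_RE.match(line.strip())
        if a and frames:                      # argument row belongs to the frame above it
            frames[-1].args.append(f"{a['name']}={a['value']}")
    return frames


def outermost_exit_frame(frames: List[Frame]) -> Optional[Frame]:
    """Last (outermost) frame whose procedure is an Exit* API, or None."""
    hits = [f for f in frames if re.search(r"Exit(Process|Thread)$", f.proc)]
    return hits[-1] if hits else None


def parse_disasm(text: str) -> List[Tuple[str, str]]:
    """[(address, instruction text without the ';' comment)] from an Olly listing."""
    out = []
    for line in text.strip().splitlines():
        toks = line.split()
        if not toks or not re.fullmatch(r"[0-9A-F]{8}", toks[0]):
            continue
        rest = toks[1:]
        if rest and rest[0].startswith(">"):  # Olly's breakpoint / jump-target marker
            rest[0] = rest[0][1:]
        while rest and re.fullmatch(r"[0-9A-F]{2,}", rest[0]):  # opcode byte groups (uppercase hex)
            rest.pop(0)
        out.append((toks[0], " ".join(rest).split(";")[0].strip()))
    return out


def instructions_up_to(disasm: List[Tuple[str, str]], addr: str, n: int) -> List[str]:
    """The instruction at addr plus the n instructions before it, in address order."""
    i = [a for a, _ in disasm].index(addr)
    return [ins for _, ins in disasm[max(0, i - n): i + 1]]


def triage(callstack_text: str, disasm_text: str, before: int = 2) -> Dict[str, object]:
    """Outermost Exit* frame -> the call that reached it -> what ran just before that call."""
    frame = outermost_exit_frame(parse_callstack(callstack_text))
    if frame is None:
        return {"exit_api": None, "exit_args": [], "caller": None, "before_caller": []}
    caller = frame.called_from.split(".", 1)[1]
    return {
        "exit_api": frame.proc,
        "exit_args": frame.args,
        "caller": caller,
        "before_caller": instructions_up_to(parse_disasm(disasm_text), caller, before),
    }


if __name__ == "__main__":
    for key, value in triage(CALLSTACK, DISASM).items():
        print(f"{key}: {value}")
```

On the post's data `triage` reports ExitThread with ExitCode=0, caller 7C817770, and the two instructions in front of it, which is what points the investigation at the entry point's return path rather than at ExitProcess itself. Feed it any other Call stack / listing pair pasted in the same format to repeat the lookup.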
Anyone who can unpack VMP is an expert. Some of the code in the middle has been virtualized.

xxhaishixx posted on 2018-1-6 01:51:
    Some of the code in the middle has been virtualized.
Got it. I spent another whole evening on it today and found that this is E盾 network verification, enterprise custom edition. I tried following the method for cracking E盾, but still no solution!

Actually it doesn't matter whether VMP is unpacked or not; the key is whether you can find the critical spot inside VMP. Then just use baymax and it's done.

zeknight posted on 2018-1-6 09:01:
    Actually it doesn't matter whether VMP is unpacked or not; the key is whether you can find the critical spot inside VMP. Then just use baymax and it's done.
I'm a newbie! May I ask what baymax means?

baymax is a patching tool developed by nicy校长 ……… whoever uses it knows.