脱壳VMProtect 1.70.4

hxqlky · 发表于 2009-8-27 16:13:59

脱壳的境界写壳  破解的境界写注册机！源码！

人逃避不了的是现实，总要面对的是生活!
查壳推选exeinfope，Protection，DETECT 0.64，RDG Packer Detector
工具 1.od
   2.ImportREC
004E4D57 >  68 D87F5344    push 44537FD8    vmp入口
004E4D5C E8 8E4B0100    call edx33.004F98EF hr esp  he GetThreadContext
004E4D61 17             pop ss
004E4D62 30A8 471470F7 xor byte ptr ds:[eax+F7701447],ch
004E4D68 E7 DB          out 0DB,eax
004E4D6A F0:6BA7 A867424>lock imul esp,dword ptr ds:[edi+444267A8>; LOCK prefix is not allowed
004E4D72  ^ EB D4          jmp short edx33.004E4D48
004E4D74 99             cdq

004F96BA  ^\E9 80F8FFFF    jmp edx33.004F8F3F
004F96BF 60             pushad
004F96C0 4E             dec esi
004F96C1 66:81FD BCE1 cmp bp,0E1BC
004F96C6 F5             cmc

004F892D 55             push ebp
004F892E 9C             pushfd
004F892F FF7424 08    push dword ptr ss:[esp+8]
004F8933 50             push eax
004F8934 8D6424 38    lea esp,dword ptr ss:[esp+38]
004F8938  ^ E9 0EFFFFFF    jmp edx33.004F884B

7C837AE3 >  8BFF          mov edi,edi
7C837AE5 55             push ebp
7C837AE6 8BEC          mov ebp,esp
7C837AE8 FF75 0C       push dword ptr ss:[ebp+C]
7C837AEB FF75 08       push dword ptr ss:[ebp+8]
7C837AEE FF15 5415807C call dword ptr ds:[<&ntdll.NtGetContextT>; ntdll.ZwGetContextThread
7C837AF4 85C0          test eax,eax
7C837AF6 0F8C EFA60000 jl kernel32.7C8421EB
7C837AFC 33C0          xor eax,eax
7C837AFE 40             inc eax
7C837AFF 5D             pop ebp
7C837B00 C2 0800       retn 8    来到这里看寄存器

EAX 7C837AE3 kernel32.GetThreadContext
ECX 000001D7
EDX 7C95860C ntdll.KiFastSystemCallRet
EBX 7C800000 kernel32.7C800000
ESP 0012F784
EBP 0012FF98
ESI 0012FF88 ASCII "kernel32.dll"
EDI 0012F790                         跟随
EIP 7C837AE3 kernel32.GetThreadContext
C 1  ES 0023 32bit 0(FFFFFFFF)

0012F794  7C837AE3  kernel32.GetThreadContext
0012F798  0012FFC0
0012F79C  7C837AF4  返回到 kernel32.7C837AF4 来自 ntdll.ZwGetContextThread
0012F7A0  00000000
0012F7A4  FFFF0FF0
0012F7A8  00F00515

填00
0012F794  00000000
0012F798  00000000
0012F79C  00000000
0012F7A0  00000000
0012F7A4  00000000
0012F7A8  00000000

004FA7F9 66:896C24 04 mov word ptr ss:[esp+4],bp
004FA7FE 8D6424 24    lea esp,dword ptr ss:[esp+24]
004FA802  ^ 0F8C 8BFEFFFF jl edx33.004FA693
004FA808 8945 00       mov dword ptr ss:[ebp],eax
004FA80B 9C             pushfd
004FA80C 8D6424 04    lea esp,dword ptr ss:[esp+4]
004FA810  ^ E9 94F3FFFF    jmp edx33.004F9BA9
004FA815 29C0          sub eax,eax

004F7FA6 66:81FF 793C cmp di,3C79
004F7FAB 66:39ED       cmp bp,bp
004F7FAE 66:85FF       test di,di
004F7FB1 FF3424       push dword ptr ss:[esp]
004F7FB4 F7D0          not eax
004F7FB6 883C24       mov byte ptr ss:[esp],bh

004F7FD6 8945 04       mov dword ptr ss:[ebp+4],eax
004F7FD9 E8 D90E0000    call edx33.004F8EB7
004F7FDE C64424 04 4A mov byte ptr ss:[esp+4],4A

004FA8B5 8F4424 1C    pop dword ptr ss:[esp+1C]             ; edx33.004FA8AE
004FA8B9 66:C74424 08 38>mov word ptr ss:[esp+8],0FD38
004FA8C0 83C5 04       add ebp,4
004FA8C3 60             pushad

004F918F 68 AAC37BB0    push B07BC3AA
004F9194 887424 08    mov byte ptr ss:[esp+8],dh
004F9198 E8 DD150000    call edx33.004FA77A
004F919D E9 5F100000    jmp edx33.004FA201

004F97A5 F5             cmc
004F97A6 F9             stc
004F97A7 F7C6 B7A34451 test esi,5144A3B7
004F97AD F9             stc
004F97AE 83C5 04       add ebp,4

004F892D 55             push ebp
004F892E 9C             pushfd
004F892F FF7424 08    push dword ptr ss:[esp+8]
004F8933 50             push eax

004F918F 68 AAC37BB0    push B07BC3AA
004F9194 887424 08    mov byte ptr ss:[esp+8],dh
004F9198 E8 DD150000    call edx33.004FA77A
004F919D E9 5F100000    jmp edx33.004FA201

0048AA93 68 DB7F7EA4    push A47E7FDB
0048AA98 E8 94D6FEFF    call edx33.00478131
0048AA9D AC             lods byte ptr ds:[esi]
0048AA9E 09BF DFBD68A8 or dword ptr ds:[edi+A868BDDF],edi

004781AE 60             pushad
004781AF F5             cmc
004781B0 F5             cmc
004781B1 C1CE 1A       ror esi,1A

004791CF F5             cmc
004791D0 F9             stc
004791D1 F7C6 B7A34451 test esi,5144A3B7
004791D7 F9             stc

00478357 55             push ebp
00478358 9C             pushfd
00478359 FF7424 08    push dword ptr ss:[esp+8]
0047835D 50             push eax
0047835E 8D6424 38    lea esp,dword ptr ss:[esp+38]

004797B4 FF3424       push dword ptr ss:[esp]
004797B7 9C             pushfd
004797B8 8F4424 0C    pop dword ptr ss:[esp+C]
004797BC 60             pushad
004797BD C60424 B0    mov byte ptr ss:[esp],0B0

00479498 C2 2400       retn 24       一直运行到这里 f7
0047949B C1CE 1A       ror esi,1A
0047949E E8 EA0D0000    call edx33.0047A28D
004794A3 66:8945 00    mov word ptr ss:[ebp],ax
004794A7 51             push ecx

返回到 00408E87 (edx33.00408E87)

00408E87 6A 58          push 58                      oep
00408E89 68 003B4200    push edx33.00423B00
00408E8E E8 ED290000    call edx33.0040B880
00408E93 33F6          xor esi,esi
00408E95 8975 FC       mov dword ptr ss:[ebp-4],esi
00408E98 8D45 98       lea eax,dword ptr ss:[ebp-68]
00408E9B 50             push eax
00408E9C FF15 0CD14100 call dword ptr ds:[41D10C]             ; kernel32.GetStartupInfoA
00408EA2 6A FE          push -2
00408EA4 5F             pop edi
00408EA5 897D FC       mov dword ptr ss:[ebp-4],edi
00408EA8 B8 4D5A0000    mov eax,5A4D
00408EAD 66:3905 0000400>cmp word ptr ds:[400000],ax
00408EB4 75 38          jnz short edx33.00408EEE
00408EB6 A1 3C004000    mov eax,dword ptr ds:[40003C]
00408EBB 81B8 00004000 5>cmp dword ptr ds:[eax+400000],4550
00408EC5 75 27          jnz short edx33.00408EEE
00408EC7 B9 0B010000    mov ecx,10B
00408ECC 66:3988 1800400>cmp word ptr ds:[eax+400018],cx
00408ED3 75 19          jnz short edx33.00408EEE
00408ED5 83B8 74004000 0>cmp dword ptr ds:[eax+400074],0E
00408EDC 76 10          jbe short edx33.00408EEE
00408EDE 33C9          xor ecx,ecx
00408EE0 39B0 E8004000 cmp dword ptr ds:[eax+4000E8],esi
00408EE6 0F95C1       setne cl
00408EE9 894D E4       mov dword ptr ss:[ebp-1C],ecx
00408EEC EB 03          jmp short edx33.00408EF1
00408EEE 8975 E4       mov dword ptr ss:[ebp-1C],esi
00408EF1 33DB          xor ebx,ebx
00408EF3 43             inc ebx
00408EF4 53             push ebx
00408EF5 E8 E6490000    call edx33.0040D8E0
00408EFA 59             pop ecx
ing1 http://www.plunder.com/VMProtect ... load-471c946e7f.htm
ing2  http://d.namipan.com/d/VMProtect ... 0fc915d449222bb2800

老万 · 发表于 2009-8-27 21:00:58

学习了，谢谢楼主分享。

qinglianzi · 发表于 2009-9-19 17:54:18

顶你一下，支持，学习了

o8u8o · 发表于 2009-10-7 19:58:23

顶你一下，支持，学习了:loveliness:

egowssc · 发表于 2009-10-19 13:04:52

好东西。收藏起来啊

		自动登录	找回密码
密码			加入我们

[脱壳破解] 脱壳VMProtect 1.70.4

相关帖子