|
[求助]ACProtect2.0弹框问题
未注册吧 |
|
|
|
|
|
|
|
[虚伪]slv unpackme 脱壳 & 去校验
好虚伪
// ODbgScript trace helper for the "slv unpackme" thread: it runs the target up
// to the entry of the virtualised code, then walks the VM bytecode one opcode
// at a time and logs every recognised opcode as a pseudo-instruction.
// Unrecognised opcodes stop the script with a message (label unknown).
// All numeric literals are hexadecimal (ODbgScript default).
//code by skylly
//for shoooo's vm engine

// Resolve VirtualFree; gpa leaves 0 in $RESULT on failure.
gpa "VirtualFree", "kernel32.dll"
cmp $RESULT,0
je err
var VF
mov VF,$RESULT
// Break on VirtualFree and resume three times before clearing the breakpoint
// (presumably the third hit marks the end of the loader's unpacking - confirm).
bp VF
esto
esto
esto
bc VF
// Return to user code, then search forward from eip for the bytes FF E0
// (the x86 encoding of "jmp eax") and run to that location.
rtu
find eip,#FFE0#
cmp $RESULT,0
je err
go $RESULT
sti

//vm start here
fuckvm:
//first locate the start address of the op_code stream
var temp
// Single-step until the byte at eip is E9.
lps:
mov temp,[eip]
and temp,FF
cmp temp,E9 //jmp
je vmstart
sti
jmp lps

vmstart:
sti
var addr
// presumably the dword on top of the stack is the bytecode pointer - confirm
mov addr,[esp]
// The comment text written at eip reads "please wait for the analysis...".
cmt eip,"请等待分析过程..."

//decode
// Dispatcher: read the low byte at addr and jump to the matching handler.
// Each handler logs one line and advances addr past the operands it consumed.
anly:
var tempcode
mov tempcode,[addr]
and tempcode,FF
cmp tempcode,0C
je vm_0C
cmp tempcode,0D
je vm_0D
cmp tempcode,13
je vm_13
cmp tempcode,14
je vm_14
cmp tempcode,1C
je vm_1C
cmp tempcode,2C
je vm_2C
cmp tempcode,2D
je vm_2D
cmp tempcode,35
je vm_35
cmp tempcode,39
je vm_39
cmp tempcode,3D
je vm_3D
cmp tempcode,3F
je vm_3F
cmp tempcode,42
je vm_42
cmp tempcode,45
je vm_45
cmp tempcode,48
je vm_48
cmp tempcode,4A
je vm_4A
cmp tempcode,4F
je vm_4F
cmp tempcode,54
je vm_54
cmp tempcode,55
je vm_55
cmp tempcode,5C
je vm_5C
cmp tempcode,5E
je vm_5E
cmp tempcode,60
je vm_60
cmp tempcode,61
je vm_5E //same operation as 5E
cmp tempcode,64
je vm_5E //same operation as 5E
cmp tempcode,68
je vm_68
cmp tempcode,6A
je vm_6A
cmp tempcode,76
je vm_5E //same operation as 5E
cmp tempcode,78
je vm_5E //same operation as 5E
cmp tempcode,7A
je vm_7A
cmp tempcode,7B
je vm_7B
cmp tempcode,7D
je vm_7D
//to be continued...
jmp unknown

vm_0C:
//je neweip
var code
var reg
inc addr
mov reg,[addr]
and reg,FF
// The byte after the opcode must be 1A; anything else aborts the script.
cmp reg,1A
jne err
inc addr
mov code,[addr]
add addr,4
// Branch target = 32-bit displacement + address of the next opcode.
add code,addr
// NOTE(review): addr is opcode+6 here, so after "sub addr,5" the logged
// address is opcode+1, unlike the other handlers - confirm this is intended.
sub addr,5
eval "{addr}: je {code}"
log $RESULT
add addr,5
var addr1
var addr2
mov addr1,addr
mov addr2,code
// Watch both the fall-through address and the branch target for reads,
// run, then resume decoding from wherever the VM actually went.
bphws addr1,"r"
bphws addr2,"r"
esto
bphwc addr1
bphwc addr2
// presumably esi is the VM's bytecode pointer, one past the byte just read - confirm
mov addr,esi
dec addr
jmp anly

vm_0D:
//or vm_reg1 vm_reg2
var reg1
var reg2
// Two one-byte register operands follow the opcode.
inc addr
mov reg1,[addr]
and reg1,FF
inc addr
mov reg2,[addr]
and reg2,FF
// Rewind to the opcode so the log shows its address, then skip 3 bytes.
sub addr,2
eval "{addr}: or vmreg_{reg2}, vmreg_{reg1}"
log $RESULT
add addr,3
jmp anly

vm_13:
//and 400, vm_reg
//push the result
var code
// One one-byte register operand follows the opcode.
inc addr
mov code,[addr]
and code,FF
dec addr
eval "{addr}: and [esp], 400, vmreg_{code}"
log $RESULT
add addr,2
jmp anly

vm_14:
//mov fs: [vm_reg1], vm_reg2
var reg1
var reg2
inc addr
mov reg1,[addr]
and reg1,FF
inc addr
mov reg2,[addr]
and reg2,FF
sub addr,2
eval "{addr}: mov dword ptr fs: [vmreg_{reg2}], vmreg_{reg1}"
log $RESULT
add addr,3
jmp anly

vm_1C:
//mov vm_reg,const
var code
var reg
// Operands: a 32-bit constant followed by a one-byte register index.
inc addr
mov code,[addr]
add addr,4
mov reg,[addr]
and reg,FF
sub addr,5
eval "{addr}: mov vmreg_{reg}, {code}"
log $RESULT
add addr,6
jmp anly

vm_2C:
//add vm_reg, esi
var code
inc addr
mov code,[addr]
and code,FF
dec addr
eval "{addr}: add vmreg_{code}, esi"
log $RESULT
add addr,2
jmp anly

vm_2D:
//mov word vm_reg1,[vm_reg2]
var reg1
var reg2
inc addr
mov reg1,[addr]
and reg1,FF
inc addr
mov reg2,[addr]
and reg2,FF
sub addr,2
eval "{addr}: mov word vmreg_{reg2}, [vmreg_{reg1}]"
log $RESULT
add addr,3
jmp anly

vm_35:
//mov byte ptr vm_reg1, vm_reg2
var reg1
var reg2
inc addr
mov reg1,[addr]
and reg1,FF
inc addr
mov reg2,[addr]
and reg2,FF
sub addr,2
eval "{addr}: mov byte vmreg_{reg2}, vmreg_{reg1}"
log $RESULT
add addr,3
jmp anly

vm_39:
//xor vm_reg1 vm_reg2
var reg1
var reg2
inc addr
mov reg1,[addr]
and reg1,FF
inc addr
mov reg2,[addr]
and reg2,FF
sub addr,2
eval "{addr}: xor vmreg_{reg2}, vmreg_{reg1}"
log $RESULT
add addr,3
jmp anly

vm_3D:
//pop vm_reg
var code
inc addr
mov code,[addr]
and code,FF
dec addr
eval "{addr}: pop vmreg_{code}"
log $RESULT
add addr,2
jmp anly

vm_3F:
//and byte ptr vm_reg1, vm_reg2
var reg1
var reg2
inc addr
mov reg1,[addr]
and reg1,FF
inc addr
mov reg2,[addr]
and reg2,FF
sub addr,2
eval "{addr}: and byte vmreg_{reg2}, vmreg_{reg1}"
log $RESULT
add addr,3
jmp anly

vm_42:
//mov [vm_reg1],vm_reg2
var reg1
var reg2
inc addr
mov reg1,[addr]
and reg1,FF
inc addr
mov reg2,[addr]
and reg2,FF
sub addr,2
eval "{addr}: mov [vmreg_{reg2}], vmreg_{reg1}"
log $RESULT
add addr,3
jmp anly

vm_45:
//sub vm_reg1,vm_reg2
var reg1
var reg2
inc addr
mov reg1,[addr]
and reg1,FF
inc addr
mov reg2,[addr]
and reg2,FF
sub addr,2
eval "{addr}: sub vmreg_{reg2}, vmreg_{reg1}"
log $RESULT
add addr,3
jmp anly

vm_48:
//jmp neweip
var code
var reg
inc addr
mov reg,[addr]
and reg,FF
// The byte after the opcode must be 1A; anything else aborts the script.
cmp reg,1A
jne err
inc addr
mov code,[addr]
add addr,4
// Jump target = 32-bit displacement + address of the next opcode.
add code,addr
// NOTE(review): as in vm_0C, the logged address ends up being opcode+1 - confirm.
sub addr,5
eval "{addr}: jmp {code}"
log $RESULT
add addr,5
mov addr,code //jump taken: continue decoding at the target
jmp anly

vm_4A:
//mov ebp, vm_reg
var code
inc addr
mov code,[addr]
and code,FF
dec addr
// NOTE(review): the trailing "]" in this log string looks like a typo.
eval "{addr}: mov ebp, vmreg_{code}]"
log $RESULT
add addr,2
jmp anly

vm_4F:
//shr dword vm_reg1,vm_reg2
var reg1
var reg2
inc addr
mov reg1,[addr]
and reg1,FF
inc addr
mov reg2,[addr]
and reg2,FF
sub addr,2
eval "{addr}: shr vmreg_{reg2}, vmreg_{reg1}"
log $RESULT
add addr,3
jmp anly

vm_54:
//push vm_reg
var code
inc addr
mov code,[addr]
and code,FF
dec addr
eval "{addr}: push vmreg_{code}"
log $RESULT
add addr,2
jmp anly

vm_55:
//retn to a real api call
eval "{addr}: out of vm"
log $RESULT
//add addr,1
// Run until the VM reads this opcode byte.
bphws addr,"r"
esto
bphwc addr
// Read the call target from [ebp+24] and the following dword from [ebp+28]
// (presumably the return address inside the VM context - confirm).
mov addr,ebp
add addr,24
var temp
mov temp,[addr]
eval "jmp api: {temp}"
log $RESULT
add addr,4
mov addr,[addr]
cmp temp,10000000
jb end //if it is not an API address
// Target looks like an API: break on execution at the second address, then
// look for the next VM entry again.
bphws addr,"x"
esto
vmreturn:
bphwc addr
jmp fuckvm

vm_5C:
//pushfd
//or [esp], result produced by vm_13
//pop vm_reg
var code
inc addr
mov code,[addr]
and code,FF
dec addr
eval "{addr}: or vmreg_{code}, eflag, [esp]"
log $RESULT
add addr,2
jmp anly

vm_5E:
//mov vm_reg1,vm_reg2
// Also used by the dispatcher for opcodes 61, 64, 76 and 78.
var reg1
var reg2
inc addr
mov reg1,[addr]
and reg1,FF
inc addr
mov reg2,[addr]
and reg2,FF
sub addr,2
eval "{addr}: mov vmreg_{reg2}, vmreg_{reg1}"
log $RESULT
add addr,3
jmp anly

vm_60:
//jne neweip
var code
var reg
inc addr
mov reg,[addr]
and reg,FF
// The byte after the opcode must be 1A; anything else aborts the script.
cmp reg,1A
jne err
inc addr
mov code,[addr]
add addr,4
// Branch target = 32-bit displacement + address of the next opcode.
add code,addr
// NOTE(review): as in vm_0C, the logged address ends up being opcode+1 - confirm.
sub addr,5
eval "{addr}: jne {code}"
log $RESULT
add addr,5
var addr1
var addr2
mov addr1,addr
mov addr2,code
// Watch both possible successors for reads, run, then resume from esi-1.
bphws addr1,"r"
bphws addr2,"r"
esto
bphwc addr1
bphwc addr2
mov addr,esi
dec addr
jmp anly

vm_68:
//shl dword vm_reg1,vm_reg2
var reg1
var reg2
inc addr
mov reg1,[addr]
and reg1,FF
inc addr
mov reg2,[addr]
and reg2,FF
sub addr,2
eval "{addr}: shl vmreg_{reg2}, vmreg_{reg1}"
log $RESULT
add addr,3
jmp anly

vm_6A:
//add vm_reg1,vm_reg2
var reg1
var reg2
inc addr
mov reg1,[addr]
and reg1,FF
inc addr
mov reg2,[addr]
and reg2,FF
sub addr,2
eval "{addr}: add vmreg_{reg2}, vmreg_{reg1}"
log $RESULT
add addr,3
jmp anly

vm_7A:
//mov byte vm_reg1,[vm_reg2]
var reg1
var reg2
inc addr
mov reg1,[addr]
and reg1,FF
inc addr
mov reg2,[addr]
and reg2,FF
sub addr,2
eval "{addr}: mov byte vmreg_{reg2}, [vmreg_{reg1}]"
log $RESULT
add addr,3
jmp anly

vm_7B:
//and vm_reg1,vm_reg2
var reg1
var reg2
inc addr
mov reg1,[addr]
and reg1,FF
inc addr
mov reg2,[addr]
and reg2,FF
sub addr,2
eval "{addr}: and vmreg_{reg2}, vmreg_{reg1}"
log $RESULT
add addr,3
jmp anly

vm_7D:
//mov vm_reg1, (vm_reg2 shr 8; and FF)
var reg1
var reg2
inc addr
mov reg1,[addr]
and reg1,FF
inc addr
mov reg2,[addr]
and reg2,FF
sub addr,2
eval "{addr}: mov vmreg_{reg2}, (vmreg_{reg1} shr 8; and FF)"
log $RESULT
add addr,3
jmp anly

// Opcode not handled by the dispatcher: report its address and stop.
unknown:
// NOTE(review): "unkonw" in this message looks like a typo for "unknown".
eval "unkonw code at: {addr}"
log $RESULT
msg $RESULT
ret

end:
//code outside the VM
// The call target is not treated as an API: break on execution at it, mark the
// spot, then break at the second address and rejoin the API path.
bphws temp,"x"
esto
bphwc temp
cmt eip,"here is not vmed"
bphws addr,"x"
esto
jmp vmreturn
// Not reached: the jmp above always transfers control.
ret

// Shared failure exit.
err:
msg "error"
ret
|
|
|
|
|
|
[下载]asp服务器,网络验证必备工具
向楼主学习,向楼主致敬~~~~~~~~ |
|
|
|
[求助][求助]哪位大哥帮我看看这个加了什么壳,怎么弄
vb的程序加啥壳都白搭,论坛有脱壳脚本 |
|
[求助]脱壳后自校验
易语言~~~~ |
|
[求助][求助]哪位大哥帮我看看这个加了什么壳,怎么弄
因为他的答案没问题,就没必要重复了撒,总不至于下了十三次,这里就要回13个帖子吧 |
|
[下载]Anti-SecuROM SoftICE Plugin
林版能否找到一个secuRom加壳的程序,越小越好~~~ |
|
[讨论]惊报:新的一种变态壳
少见多怪, |