上次更新添加了算法分析功能,可以反出类似高级语言的表达式,现在分析简单的程序应该没什么问题了,很多人说不太会用,这里给一个实例分析,讲解一下用法。这篇文章只讲插件的应用和一般的分析方法,还简单介绍了一下VMP加壳的原理和脱壳方法,其他内容比如插件分析原理和虚拟机代码还原方法等请看VMP分析插件的帖子。
http://bbs.pediy.com/showthread.php?t=154621
先随便输入一些内容,用户名zdhysd,注册码qwertyuiop,点确定弹出注册码错误的提示。在MessageBox设个断点看看哪里来的,再点确定直接出错,看来有断点检查,在最后的retn设断点试试。这回断下来了,返回到
004CBAE8 9C PUSHFD
004CBAE9 C70424 AFF5A7F9 MOV DWORD PTR SS:[ESP],F9A7F5AF
004CBAF0 E8 1F41F7FF CALL VMPCrack.0043FC14
004CBAF5 9C PUSHFD
004CBAF6 90 NOP
004CBAF7 9C PUSHFD
...
00402990 8B4424 08 MOV EAX,DWORD PTR SS:[ESP+8]
00402994 2D 10010000 SUB EAX,110
00402999 74 1A JE SHORT VMPCrack.004029B5
0040299B 48 DEC EAX
0040299C 75 3A JNZ SHORT VMPCrack.004029D8
0040299E 8B4424 0C MOV EAX,DWORD PTR SS:[ESP+C]
004029A2 66:3D 0100 CMP AX,1
004029A6 75 15 JNZ SHORT VMPCrack.004029BD
004029A8 8B4424 04 MOV EAX,DWORD PTR SS:[ESP+4]
004029AC 50 PUSH EAX
004029AD E8 5EFEFFFF CALL VMPCrack.00402810 ***这个函数被加密了
004029B2 83C4 04 ADD ESP,4 ***返回到这里
004029B5 B8 01000000 MOV EAX,1
004029BA C2 1000 RETN 10
00465EF0 |. 55 vReadMemSs4 (变量); 堆栈-0B4:(变量) ***读取解密前的目标
00465EEF |. 38 vPopReg4 vR8 堆栈-0B4:(变量) ***
00465EEE |. 00 000000 AddVEsp 8 (常量)8; (vESP)-0B0
00465EEC |. 3C vPushReg4 vR8 vR8:(变量) ***
00465EEB |. 68 vPopReg4 vR13 堆栈-0AC:(变量) ***下面开始解密,异或AA2B8C58
00465EEA |. 6C vPushReg4 vR13 vR13:(变量)
00465EE9 |. 49 vPushVEsp (vESP)-0AC
00465EE8 |. 34 vReadMemSs4 堆栈-0AC:(变量); 堆栈-0B0:(vESP)-0AC
00465EE7 |. 20 vNand4 堆栈-0B0:(变量); 堆栈-0AC:(变量)
00465EE6 |. 00 000000 AddVEsp 4 (常量)4; (vESP)-0B0
00465EE5 |. 65 A773D455 vPushImm4 55D473A7 (常量)55D473A7
00465EE0 |. 20 vNand4 堆栈-0B0:(常量)55D473A7; 堆栈-0AC:(变量)
00465EDF |. 00 000000 AddVEsp 4 (常量)4; (vESP)-0B0
00465EDE |. DE 588C2BAA vPushImm4 0AA2B8C58 (常量)0AA2B8C58
00465ED9 |. 6C vPushReg4 vR13 vR13:(变量) ***
00465ED8 |. 20 vNand4 堆栈-0B4:(变量); 堆栈-0B0:(常量)0AA2B8C58 ***
00465ED7 |. 00 000000 AddVEsp 4 (常量)4; (vESP)-0B4
00465ED6 |. 20 vNand4 堆栈-0B0:(变量); 堆栈-0AC:(变量) ***
00465ED5 |. 00 000000 AddVEsp 4 (常量)4; (vESP)-0B0
00465ED4 |. 98 vPopReg4 vR2 堆栈-0AC:(变量) ***这是解密后的目标
00465ED3 |. 00 000000 AddVEsp 0FFFFFFF4 (常量)0FFFFFFF4; (vESP)-0A8
00465ED0 |. 5C vPushReg4 vR14 vR14:(寄存器)EBP
00465ECF |. CC vPushReg4 vR7 vR7:(寄存器)EBX
00465ECE |. 1C vPushReg4 vR10 vR10:(寄存器)ECX
00465ECD |. 00 000000 AddVEsp 0FFFFFFFC (常量)0FFFFFFFC; (vESP)-0C0
00465ECC |. AC vPushReg4 vR1 vR1:(寄存器)EAX
00465ECB |. 0C vPushReg4 vR11 vR11:(寄存器)EDX
00465ECA |. 7C vPushReg4 vR12 vR12:(寄存器)EDI
00465EC9 |. FC vPushReg4 vR4 vR4:(寄存器)ESI
00465EC2 |. 00 000000 vPushImm4 0EF8B1AAC (常量)0EF8B1AAC
00465EC0 |. EC vPushReg4 vR5 vR5:(常量)0
00465EBF |. 9C vPushReg4 vR2 vR2:(变量) ***
00465EBE |. 05 vJmp_00412430 堆栈-0E0:(变量); 堆栈-0DC:(常量)0 ***
0045E7AD |. BC vPushReg4 vR0 vR0:(寄存器)EAX
0045E7AC |. 17 vPushVEsp (vESP)-0BC
0045E7AB |. 34 vReadMemSs4 堆栈-0BC:(寄存器)EAX; 堆栈-0C0:(vESP)-0BC
0045E7AA |. 20 vNand4 堆栈-0C0:(寄存器)EAX; 堆栈-0BC:(寄存器)EAX //EAX ~& EAX = ~EAX
0045E7A9 |. 00 000000 AddVEsp 4 (常量)4; (vESP)-0C0
0045E7A8 |. BC vPushReg4 vR0 vR0:(寄存器)EAX
0045E7A7 |. BC vPushReg4 vR0 vR0:(寄存器)EAX
0045E7A6 |. 27 vNand4 堆栈-0C4:(寄存器)EAX; 堆栈-0C0:(寄存器)EAX //EAX ~& EAX = ~EAX
0045E7A5 |. 00 000000 AddVEsp 4 (常量)4; (vESP)-0C4
0045E7A4 |. C0 vNand4 堆栈-0C0:(变量); 堆栈-0BC:(变量) //~EAX ~& ~EAX = EAX & EAX
0048FA81 |. 53 vMul2 WORD v0 = GetBytes(9 * (0 : (5A86 ^ GetBytes(Rdtsc(), 0, 2)) % 1B5), 0, 2)
0048FA2F |. AD vAdd4 DWORD v1 = 428F55 + v0
0048F9DF |. 5A vReadMemDs1 BYTE m0 = BYTE DS:[4 + v1]
0048F9DD |. 08 vReadMemDs4 DWORD m1 = DWORD DS:[v1]
0048F8B3 |. 08 vReadMemDs4 DWORD m2 = DWORD DS:[5 + v1]
0048F8B0 |. 0B vAdd4 DWORD v2 = m2 + Check(0 + (400000 + (862FE2A3 + ((708F098F ^ m1) + 1 - 1))), 0 : (0 : ByteToWord(m0))) + (((40 & AddFlag(34, 8B)) >> 1) + 77D307EA)
0048F8A3 \. 86 vRet return v2; user32.MessageBoxA
004917A6 /$ D8 vPopReg4 vR6
0049136C |. F9 vReadMemDs4 DWORD m0 = DWORD DS:[164B38]
0049121C |. 27 vNand4 DWORD v0 = 0 - ((m0 >>< 1B) + 1)
00490F4D |. 34 vReadMemSs4 DWORD m1 = DWORD SS:[Je(SubFlag((RolFlag(v0, 17) & 100) + (0 - (((164AD8 ^ (CpuidEax(1) & 0FFFFFFF0 ^ 588B4548) + (CpuidEbx(1) & 0FFFFFF ^ 3F598CC3)) >>< 1B) + 1) <<> 17), v0 <<> 17)) + 18]
00490F1C |. F1 vJmp_00412430 if (unpacked) goto VMPCrack.00476AA5 //检查是否被脱壳
0042E2DE |. 23 vPopfd EFL = 0FFFFF700 & EFL
00451055 |. BF vWriteMemSs4 EXIT DWORD v1 = EBP
00450F95 |. 82 vNand4 EXIT DWORD v2 = 118D7BDF
00464AF1 |. BF vWriteMemSs4 EXIT DWORD v3 = EBX
004DB3A5 |. BF vWriteMemSs4 EXIT DWORD v4 = ESI
004C19DC |. 32 vWriteMemSs4 EXIT DWORD v5 = EDI
004C193D |. E4 vWriteMemSs4 ARG1 EXIT DWORD v6 = 1 //调用的参数,TRUE,检测用户+内核调试器
004C3918 |. 83 vJmp_00425E0A callVM <VMPCrack.检测调试器> //调用SDK,检测调试器
00465EF0 |. 55 vReadMemSs4 DWORD m2 = DWORD SS:[Je(AndFlag("发现调试器", "发现调试器")) + 0FFFFFF50]
00465ECC |. AC vPushReg4 vR1 DWORD v15 = "发现调试器"
00465EBE |. 05 vJmp_00412430 if (entryVMEax_4D6C58 != 0) goto VMPCrack.0046A6C8004C392D |. BC vPushReg4 vR0 堆栈-0B4:(标志)
004C392C |. 6C vPushReg4 vR13 堆栈-0B8:(寄存器)ESI
004C392B |. 4C vPushReg4 vR15 堆栈-0BC:(寄存器)ECX
004C392A |. 1C vPushReg4 vR10 堆栈-0C0:(标志)
004C3929 |. 8C vPushReg4 vR3 堆栈-0C4:(寄存器)EAX
004C3928 |. 2C vPushReg4 vR9 堆栈-0C8:(寄存器)EBX
004C3927 |. 6C vPushReg4 vR13 堆栈-0CC:(寄存器)ESI
004C3926 |. 9C vPushReg4 vR2 堆栈-0D0:(寄存器)EDI
004C3925 |. 3C vPushReg4 vR8 堆栈-0D4:(vESP)30
004C3924 |. FC vPushReg4 vR4 堆栈-0D8:(常量)4B77D0
004C3923 |. DC vPushReg4 vR6 堆栈-0DC:(寄存器)EDX
004C3922 |. EC vPushReg4 vR5 堆栈-0E0:(常量)164AD8
004C3921 |. DE D4CF74EF vPushImm4 0EF74CFD4 堆栈-0E4:(常量)0EF74CFD4
004C391C |. 10 vAdd4 堆栈-0E0:(常量)0EF8B1AAC; 堆栈-0E4:(标志)
004C391B |. 78 vPopReg4 vR12 vR12:(标志)
004C391A |. CC vPushReg4 vR7 堆栈-0E4:(常量)0
004C3919 |. FC vPushReg4 vR4 堆栈-0E8:(常量)4B77D0
004C3918 |. 83 vJmp_00425E0A
0041EC9D |. 61 vPushReg4 vR6 ECX DWORD v8 = unknownInit8
0041EC9E |. 01 vPushReg4 vR0 EFL DWORD v9 = SubFlag(0C, 800)
0041EC9F |. 81 vPushReg4 vR8 EDX DWORD v10 = unknownInit7
0041ECA1 |. E1 vPushReg4 vR14 ESI DWORD v11 = unknownInit4
0041ECA2 |. 91 vPushReg4 vR9 EAX DWORD v12 = unknownInit2
0041ECA3 |. 71 vPushReg4 vR7 EDI DWORD v13 = unknownInit10
0041ECA4 |. 51 vPushReg4 vR5 EBP DWORD v14 = 0C
0041ECA5 |. A1 vPushReg4 vR10 EBX DWORD v15 = unknownInit3
0041ECA8 |. 00 vRet online 4CF851; VMPCrack.004CF851; STR WORD PTR SS:[ESP]
0046783B |. 83 vJmp_00425E0A callVM <VMPCrack.检测虚拟机>
00465908 |. 94 vReadMemSs4 DWORD m3 = DWORD SS:[Je(AndFlag("发现虚拟机", "发现虚拟机")) + 0FFFFFF50]
004658E8 |. 2C vPushReg4 vR9 DWORD v17 = 30
004658E4 |. DC vPushReg4 vR6 DWORD v18 = "发现虚拟机"
004658D6 |. 05 vJmp_00412430 if ("发现虚拟机" != 0) goto VMPCrack.0046A6C80049FC7D |. 57 vJmp_00425E0A callVM <VMPCrack.检查文件改变>
004A9FBD |. 34 vReadMemSs4 DWORD m4 = DWORD SS:[Je(AndFlag("文件没有改变", "文件没有改变")) + 0FFFFFF50]
004A9F99 |. 7C vPushReg4 vR12 DWORD v15 = "文件没有改变"
004A9F8B |. F1 vJmp_00412430 if ("文件没有改变" == 0) goto VMPCrack.0046A6C8004417D4 /$ 80 vPopReg4 vR0
00441666 |. 2F vPopfd EFL = 0FFFFF700 & unknownInit5
004414D8 |. 12 vMul2 WORD v0 = GetBytes(9 * (0 : (30B4 ^ GetBytes(Rdtsc(), 0, 2)) % 1B5), 0, 2)
0044147F |. 41 vAdd4 DWORD v1 = 428F55 + v0
0044143E |. B4 vReadMemDs1 BYTE m0 = BYTE DS:[4 + v1]
0044143C |. 24 vReadMemDs4 DWORD m1 = DWORD DS:[v1]
0044133B |. 24 vReadMemDs4 DWORD m2 = DWORD DS:[5 + v1]
00441338 |. 0B vAdd4 DWORD v2 = m2 + Check(0 + (400000 + (862FE2A3 + ((708F098F ^ m1) + 1 - 1))), 0 : (0 : ByteToWord(m0))) + (((40 & AddFlag(34, 8B)) >> 2) + 77D0436E)
00441336 |. FE vPushReg4 vR2 EBP DWORD v3 = unknownInit2
00441335 |. F1 vPushReg4 vR15 EDX DWORD v4 = unknownInit4
00441334 |. F2 vPushReg4 vR14 EAX DWORD v5 = unknownInit10
00441333 |. FF vPushReg4 vR1 EBX DWORD v6 = unknownInit9
00441331 |. F3 vPushReg4 vR13 ESI DWORD v7 = unknownInit6
00441330 |. F8 vPushReg4 vR8 EFL DWORD v8 = unknownInit5
0044132F |. F4 vPushReg4 vR12 ECX DWORD v9 = unknownInit8
0044132E |. FD vPushReg4 vR3 EDI DWORD v10 = unknownInit3
0044132B \. 86 vRet return v2; user32.GetDlgItem
0049DD33 |. 34 vReadMemSs4 DWORD s0 = Stack(vESP + 38, ESP + 4, 4)
004C7830 |. 32 vWriteMemSs4 ControlID EXIT DWORD v32 = 3E8 //用户名输入框ID
00486CDA |. BF vWriteMemSs4 hWnd EXIT DWORD v33 = s0 //主窗口句柄,ESP + 4说明是第一个参数传进来的
0046540A |. D9 vJmp_00411C30 callVM <VMPCrack.GetDlgItem> //取用户名输入框句柄
004B5E69 |. 32 vWriteMemSs4 hWnd EXIT DWORD v42 = "用户名hwnd"
0048B7F5 |. 09 vJmp_00411C30 callVM <VMPCrack.GetWindowTextLengthA>//取输入的用户名长度
0048324C |. 34 vReadMemSs4 DWORD m5 = DWORD SS:[Je(AndFlag("用户名长度", "用户名长度")) + 0FFFFFF44]
00483229 |. FC vPushReg4 vR4 DWORD v51 = "用户名长度"
00483227 |. 1C vPushReg4 vR10 DWORD v52 = "用户名长度"
0048321A |. F1 vJmp_00412430 if ("用户名长度" != 0) goto VMPCrack.0044E3A0//检查输入的用户名长度是否为0
004565AC |. DC vPushReg4 vR6 Style EXIT DWORD v53 = v52
0043E13E |. 32 vWriteMemSs4 Title EXIT DWORD v54 = 4074EC //标题"VMPCrackMe"
00456CC4 |. E4 vWriteMemSs4 Text EXIT DWORD v55 = 4074DC //内容"请输入用户名"
00483041 |. E4 vWriteMemSs4 hOwner EXIT DWORD v56 = v38
004B6338 |. D9 vJmp_00411C30 callVM <VMPCrack.MessageBoxA> //弹出消息框
0042F277 |. 34 vReadMemSs4 DWORD s1 = Stack(vESP + 34, ESP + 0, 4)
...
0042EF25 |. 44 vRet return v67 //函数结束004482FA |. 50 vAdd4 DWORD v76 = SubFlag(v51, 20)
00479AB2 |. 34 vReadMemSs4 DWORD m10 = DWORD SS:[Ja(v76) + 0FFFFFF44]
00479A81 |. 05 vJmp_00412430 if (v51 <= 20) goto VMPCrack.004D0510 //v51 = "用户名长度"
0043EDAB |. 34 vReadMemSs4 DWORD m11 = DWORD SS:[Jpo(v76) + 0FFFFFF44]
0043ED7A |. 05 vJmp_00412430 if (Jpe(v76)) goto VMPCrack.004D4ABA
0043ED7A |. /05 vJmp_00412430 goto m11 ^ 6F67D83E
00440CB7 |. 50 vAdd4 Style EXIT DWORD v83 = 0
004DA716 |. BF vWriteMemSs4 Title EXIT DWORD v84 = 4074EC //标题"VMPCrackMe"
004346AA |. 32 vWriteMemSs4 Text EXIT DWORD v85 = 4074C4 //内容"用户名不能超过32个字符"
00439EB1 |. 32 vWriteMemSs4 hOwner EXIT DWORD v86 = v38
00439DA2 |. 09 vJmp_00411C30 callVM <VMPCrack.MessageBoxA> //弹出消息框
004D90C8 |. 94 vReadMemSs4 DWORD s2 = Stack(vESP + 34, ESP + 0, 4)
...
004D8D23 |. 16 vRet return v96 //函数结束
00450450 /$ 7E vPopReg4 vR2
004502F0 |. 0C vPopfd EFL = 0FFFFF700 & unknownInit6
004502ED |. 4C vReadMemSs4 DWORD s0 = Stack(vESP + 34, ESP + 0, 4)
004502EC |. 20 vReadMemDs1 BYTE m0 = BYTE DS:[s0]
0045018F |. 10 vMul2 WORD v0 = GetBytes(9 * (0 : (2595 ^ GetBytes(Rdtsc(), 0, 2)) % 1B5), 0, 2)
0045013C |. 8C vAdd4 DWORD v1 = 428F55 + v0
0045010A |. 5A vReadMemDs1 BYTE m1 = BYTE DS:[4 + v1]
00450108 |. 24 vReadMemDs4 DWORD m2 = DWORD DS:[v1]
00450005 |. 2D vReadMemDs4 DWORD m3 = DWORD DS:[5 + v1]
00450002 |. 0B vAdd4 DWORD v2 = m3 + Check(0 + (400000 + (862FE2A3 + ((708F098F ^ m2) + 1 - 1))), 0 : (0 : ByteToWord(m1))) + (((40 & AddFlag(34, m0)) >> 3) + Stack(34, 4))
00450000 |. F6 vPushReg4 vR10 EBP DWORD v3 = unknownInit8
0044FFFF |. FB vPushReg4 vR5 EDX DWORD v4 = unknownInit9
0044FFFE |. F7 vPushReg4 vR9 EAX DWORD v5 = unknownInit5
0044FFFD |. FF vPushReg4 vR1 EBX DWORD v6 = 77D1216B
0044FFFB |. 00 vPushReg4 vR0 ESI DWORD v7 = unknownInit4
0044FFFA |. F9 vPushReg4 vR7 EFL DWORD v8 = unknownInit6
0044FFF9 |. F5 vPushReg4 vR11 ECX DWORD v9 = unknownInit7
0044FFF8 |. F3 vPushReg4 vR13 EDI DWORD v10 = unknownInit10
0044FFF5 \. 86 vRet return v2
004337E4 |. E4 vWriteMemSs4 EXIT DWORD v105 = 21 //参数Count
00493ACB |. E4 vWriteMemSs4 EXIT DWORD v106 = 0FFFFFFE8 //参数Buffer
00493A68 |. 32 vWriteMemSs4 EXIT DWORD v107 = v51 //参数hWnd,v51 = "用户名hwnd"
0049398D |. EB vJmp_00411C30 callVM VMPCrack.00450450 //解密GetWindowTextA的地址,保存到EBX
...
0048EA90 |. B5 vRet call v120; user32.GetWindowTextA
0043365C |. BF vWriteMemSs4 "MD5对象" EXIT DWORD v129 = 0CC75CF87
...
004886EF |. 16 vRet call v135; <VMPCrack.MD5初始化>
0043D766 |. 32 vWriteMemSs4 "长度" EXIT DWORD v144 = v141
004AD7AB |. BF vWriteMemSs4 "内容" EXIT DWORD v145 = 235A22B8
004B18A6 |. BF vWriteMemSs4 "MD5对象" EXIT DWORD v146 = 235A2234
...
004BCE2E |. B2 vRet call v152; <VMPCrack.MD5计算>
004B2E32 |. 32 vWriteMemSs4 "MD5对象" EXIT DWORD v161 = 15CC7877
00496BA8 |. BF vWriteMemSs4 "保存MD5值" EXIT DWORD v162 = 15CC7933
...
004963CC |. B5 vRet call v168; <VMPCrack.MD5取结果>
00430681 |. C0 vNand4 ControlID EXIT DWORD v175 = 3E9 //注册码输入框ID
004305A8 |. 32 vWriteMemSs4 hWnd EXIT DWORD v176 = v173 //主窗口句柄
004A9744 |. 09 vJmp_00411C30 callVM <VMPCrack.GetDlgItem> //取注册码输入框句柄
004462EC |. 32 vWriteMemSs4 hWnd EXIT DWORD v185 = "注册码hwnd"
00498016 |. 09 vJmp_00411C30 callVM <VMPCrack.GetWindowTextLengthA>//取输入的注册码长度
00455B49 |. 55 vReadMemSs4 DWORD m41 = DWORD SS:[Jnz(AndFlag("注册码长度", "注册码长度")) + 0FFFFFF50]
00455B26 |. CC vPushReg4 vR7 DWORD v193 = "注册码长度"
00455B17 |. F1 vJmp_00412430 if ("注册码长度" == 0) goto VMPCrack.00466E05//检查是否输入了注册码,转到弹出提示"请输入注册码"
004DF80B |. 10 vAdd4 DWORD v194 = SubFlag(v193, 28)
00467664 |. 34 vReadMemSs4 DWORD m42 = DWORD SS:[Je(v194) + 0FFFFFF50]
00467632 |. F1 vJmp_00412430 if (v193 != 28) goto VMPCrack.00441B20//v193 = "注册码长度",检查注册码是否为28位,转到弹出提示"注册码错误。"
0048A6D2 |. 32 vWriteMemSs4 Count EXIT DWORD v195 = 29 //长度
0048A665 |. 32 vWriteMemSs4 Buffer EXIT DWORD v196 = 0FFFFFFAC //保存注册码
004812BF |. 32 vWriteMemSs4 hWnd EXIT DWORD v197 = v190 //v190 = "注册码hwnd"
...
004B2243 |. 16 vRet call v203; user32.GetWindowTextA00496DC7 |. 32 vWriteMemSs4 "数组长度" EXIT DWORD v212 = 14
00496D91 |. 32 vWriteMemSs4 "数组" EXIT DWORD v213 = 0FFFFFFFC
004D2528 |. 32 vWriteMemSs4 "字符串长度" EXIT DWORD v214 = 28
004938F7 |. BF vWriteMemSs4 "字符串" EXIT DWORD v215 = 0FFFFFFAC//输入的注册码
...
0044C1AA |. B5 vRet call v221; <VMPCrack.16进制字符串转数组>//把输入的注册码字符串转成数组
00486E37 |. 94 vReadMemSs4 DWORD m56 = DWORD SS:[Je(AndFlag("结果长度", "结果长度")) + 0FFFFFF50]
00486E04 |. F1 vJmp_00412430 if ("结果长度" == 0) goto VMPCrack.00441B20//结果长度为0表示转换失败,注册码不是16进制字符串,转到弹出提示"注册码错误。"0042E566 |. B9 vJmp_00411670 callVM <VMPCrack.验证注册码> //调用验证函数
004BE669 |. 34 vReadMemSs4 DWORD m57 = DWORD SS:[Jnz(AndFlag(GetBytes("验证成功", 0, 1), GetBytes("验证成功", 0, 1))) + 0FFFFFF50]
004BE637 |. 05 vJmp_00412430 if (GetBytes("验证成功", 0, 1) == 0) goto VMPCrack.00441B20//返回0为验证失败,转到弹出提示"注册码错误。"
004B66A0 |. BF vWriteMemSs4 Style EXIT DWORD v231 = 0
00454109 |. 32 vWriteMemSs4 Title EXIT DWORD v232 = 4074EC //标题"VMPCrackMe"
00491BBF |. 32 vWriteMemSs4 Text EXIT DWORD v233 = 1 //内容,地址为1?
00468648 |. E4 vWriteMemSs4 hOwner EXIT DWORD v234 = v182
004D80F4 |. 09 vJmp_00411C30 callVM <VMPCrack.MessageBoxA> //弹出消息框
...
0046DC11 |. 16 vRet return v24600475768 |. ED vPushReg4 vR0 EAX DWORD v84 = GetBytes(v80, 1, 3) : 0
...
0047575D |. 2E vRet return v83
//
004C8E1B |. F5 vPushReg4 vR2 EAX DWORD v95 = GetBytes(s43, 1, 3) : 0
...
004C8E10 |. 2E vRet return v94
//
0049DE80 |. ED vPushReg4 vR0 EAX DWORD v125 = GetBytes(s46, 1, 3) : 0
...
0049DE75 |. 2E vRet return v124
//
004A22AC |. 05 vPushReg4 vR6 EAX DWORD v140 = GetBytes(entryVMEax_4689BB, 1, 3) : 1
...
004A22A1 |. 2E vRet return v139
//
0048704D |. 11 vPushReg4 vR9 EAX DWORD v151 = GetBytes(entryVMEax_45CED7, 1, 3) : 0
...
00487042 |. 37 vRet return v150
//
004376C3 |. FD vPushReg4 vR4 EAX DWORD v162 = GetBytes(v120, 1, 3) : 0
...
004376B8 |. 2E vRet return v161
004425EA |. /06 vJmp_00411670 if (v79 == v80) goto VMPCrack.0047E2E8//跳
0047DD76 |. /06 vJmp_00411670 if (v40 == s43) goto VMPCrack.004318DE//跳
0048D8F3 |. /06 vJmp_00411670 if (Cross(nonentity, v111) == v121) goto VMPCrack.004A927A//跳
0047F698 |. /94 vJmp_00411670 if (entryVMEax_45CED7 != entryVMEsi_45CED7) goto VMPCrack.00467F03//不跳
004CAA21 |. /06 vJmp_00411670 if (v119 != v120) goto VMPCrack.00437E53//不跳
004DFC32 |. 00 000000 vPushImm4 407470 (常量)407470
004DFC30 |. 6F vReadMemDs4 内存00407470:(常量)1; 堆栈-0B4:(常量)407470
00446EE6 |. /1B vJmp_00411C30 callVM VMPCrack.0046BB01
004B16AB |. 8F vWriteMemDs4 DWORD DS:[407470] = v136; EXIT DWORD v136 = entryVMEax_4689BB
0046BB01 /$ 7B vPopReg4 vR5
0046B9AB |. 4C vReadMemSs4 DWORD m0 = DWORD SS:[Je(AndFlag(0, 0)) + 28]
0046B987 |. F4 vPushReg4 vR12 DWORD v0 = 0
0046B979 |. 2B vJmp_00411C30 if (0 != 0) goto VMPCrack.004B8F91
004B9438 |. 71 vPopReg4 vR15
004B93CD |. 0B vAdd4 ARG4 DWORD v1 = 4
004B939A |. 2C vNand4 ARG3 DWORD v2 = 3000
004B9378 |. 66 vNand4 ARG2 DWORD v3 = 18
004B9340 |. 41 vAdd4 ARG1 DWORD v4 = 0
004B92C2 |. 17 04 vCall 4 v5 = Call(495AD3); VMPCrack.00495AD3 //VirtualAlloc
004B9250 |. CE vWriteMemDs4 DWORD DS:[v5] = v6; DWORD v6 = 0E1B2A2D7 //产生字符串
004B91EA |. 16 vWriteMemDs4 DWORD DS:[v5 + 4] = v7; DWORD v7 = 0FDD5EBC2
004B913E |. E2 vWriteMemDs4 DWORD DS:[v5 + 8] = v8; DWORD v8 = 0ACA3B7C8
004B90AA |. 16 vWriteMemDs4 DWORD DS:[v5 + 0C] = v9; DWORD v9 = 0A4D6E9D1
004B9057 |. 16 vWriteMemDs4 DWORD DS:[v5 + 10] = v10; DWORD v10 = 0C9B3EACD
004B902C |. 16 vWriteMemDs4 DWORD DS:[v5 + 14] = v11; DWORD v11 = 0A3A1
004B8FE2 |. E2 vWriteMemDs4 DWORD DS:[491D42] = v12; EXIT DWORD v12 = v5
004B8F9E |. F8 vPushReg4 vR8 DWORD v0 = v5
...
004B8C46 \. 86 vRet return v15
0046BA92 |. 00 000000 vPushImm4 491D42 (常量)491D42
0046BA90 |. 08 vReadMemDs4 内存00491D42:(常量)0; 堆栈24:(常量)491D42
0046BA90 |. 08 vReadMemDs4 DWORD m0 = DWORD DS:[491D42]
0046B9AB |. 4C vReadMemSs4 DWORD m1 = DWORD SS:[Je(AndFlag(m0, m0)) + 28]
0046B987 |. F4 vPushReg4 vR12 DWORD v0 = m0
0046B979 |. 2B vJmp_00411C30 if (m0 != 0) goto VMPCrack.004B8F91
vPopReg4 vR14 ;弹出重定位
;在这里添加指令
vPushImm4 0EF74CFD4 ;被覆盖的指令
vPushReg4 vR3 ;被覆盖的指令
vAdd4 ;被覆盖的指令
vPopReg4 vR5 ;被覆盖的指令
vPushReg4 vR14 ;重定位
vPushImm4 0047DD79 ;目标地址
vJmp_00411670 ;转到原来的位置
004400A8 8A 1914727C vPushImm4 47E2E8
004400A3 64 vJmp_00411670
004400A2 64 19 14 72 7C 8A
//
004C9665 47 C8CD0790 vPushImm4 4318DE
004C9660 23 vJmp_00411670
004C965F 23 C8 CD 07 90 47
//
004C9B00 22 95AD0CE9 vPushImm4 4A927A
004C9AFB A2 vJmp_00411670
004C9AFA A2 95 AD 0C E9 22
//
00467F03 21 14AEF0B4 vPushImm4 43C25B
00467EFE 82 vJmp_00411670
00467EFD 82 14 AE F0 B4 21
//
00437E53 71 E3CBEF76 vPushImm4 461C3F
00437E4E B6 vJmp_00411670
00437E4D B6 E3 CB EF 76 71
004E68CD |. BD vJmp_005BED37 ; 连接 VMPCrack.0044DB51; VMPCrack.0044DB51
0044DB51 |> 00 DB 00 ; 指令块没有被初始化
005C0900 C705 A2004400 64191472 MOV DWORD PTR DS:[4400A2],72141964
005C090A 66:C705 A6004400 7C8A MOV WORD PTR DS:[4400A6],8A7C
005C0913 C705 5F964C00 23C8CD07 MOV DWORD PTR DS:[4C965F],7CDC823
005C091D 66:C705 63964C00 9047 MOV WORD PTR DS:[4C9663],4790
005C0926 C705 FA9A4C00 A295AD0C MOV DWORD PTR DS:[4C9AFA],0CAD95A2
005C0930 66:C705 FE9A4C00 E922 MOV WORD PTR DS:[4C9AFE],22E9
005C0939 C705 FD7E4600 8214AEF0 MOV DWORD PTR DS:[467EFD],F0AE1482
005C0943 66:C705 017F4600 B421 MOV WORD PTR DS:[467F01],21B4
005C094C C705 4D7E4300 B6E3CBEF MOV DWORD PTR DS:[437E4D],EFCBE3B6
005C0956 66:C705 517E4300 7671 MOV WORD PTR DS:[437E51],7176
005C095F C3 RETN
005C0FFF 97 vPopReg4 vR12 ; 弹出重定位
005C0FFE C6 49EC81D9 vPushImm4 5C0900 //补丁代码地址
005C0FF9 FC 4F vCall 0 //调用补丁代码,0个参数
005C0FF7 EF vPopReg4 vR10 //弹出返回值
005C0FF6 BE 802FF1B7 vPushImm4 0EF74CFD4 ; 被覆盖的指令
005C0FF1 C2 vAdd4 ; 被覆盖的指令
005C0FF0 D1 vPopReg4 vR10 ; 被覆盖的指令
005C0FEF CC vPushReg4 vR12 ; 被覆盖的指令
005C0FEE D1 vPushReg4 vR12 ; 重定位
005C0FED 80 5893A8AA vPushImm4 4E68CF ; 目标地址
005C0FE8 51 vJmp_005BED37 ; 转到原来的位置
0045B998 /$ C8 vPopReg4 vR14
0045B8A4 |. CA vPopVEsp vESP = 0FFFFFFFC
0045B722 |. F5 vReadMemSs4 DWORD s0 = Stack(vESP + 38, ESP + 4, 4)
00485989 |. 98 vWriteMemSs4 EXIT DWORD v0 = unknownInit2
004858DE |. 95 vWriteMemSs4 EXIT DWORD v1 = unknownInit6
004BBC36 |. 37 vWriteMemSs4 EXIT DWORD v2 = unknownInit5
00456E9A |. A1 vWriteMemSs4 "长度" EXIT DWORD v3 = 10
00484B5C |. 5A vWriteMemSs4 "结果" EXIT DWORD v4 = 0FFFFFFFC
004A64A2 |. 39 vWriteMemSs4 "内容" EXIT DWORD v5 = s0 //用户名MD5
004A63DD |. 12 vWriteMemSs4 "密码" EXIT DWORD v6 = 407498 //QWERTYUI
004B865E |. 63 vWriteMemSs4 "加解密" EXIT DWORD v7 = 1 //解密
...
00484180 |. 2A vRet call v13; <VMPCrack.DES>
0042AAF1 |. D0 vReadMemSs4 DWORD m6 = DWORD SS:[Jnz(~v17 | AddFlag(LoWord(v21), 0FFFF)) + 0FFFFFFD4]
0042AABF |. 55 vJmp_00411670 if (Jnz(~v17 | AddFlag(LoWord(v21), 0FFFF))) goto VMPCrack.004DD64A
0047F53A |. 68 vReadMemSs4 DWORD s1 = Stack(vESP + 3C, ESP + 8, 4)
0048656B |. 1E vWriteMemSs4 EXIT DWORD v22 = 10
00486460 |. 93 vPopVEsp vESP = 0FFFFFFD8
004862BF |. 30 vReadMemSs4 DWORD m7 = DWORD SS:[Jle(v17) + 0FFFFFFD0]
00486298 |. 92 vPushReg4 vR0 DWORD v23 = s1
0048628D |. 1D vJmp_00411670 if (Jg(SubFlag(30, 34) ^ 8C4)) goto VMPCrack.004DBBDF
0042AABF |. /55 vJmp_00411670 goto 0ACA0F192 ^ m6
004DD5E1 |. 88 vReadMemSs4 DWORD s1 = Stack(vESP + 3C, ESP + 8, 4)
004D7808 |. 2D vWriteMemSs4 EXIT DWORD v22 = 10 //参数"长度"
004778EA |. 9E vWriteMemSs4 EXIT DWORD v23 = 20 //参数"结果"
0046732B |. 54 vWriteMemSs4 EXIT DWORD v24 = 20 //参数"内容",输入的注册码
00467233 |. DC vWriteMemSs4 EXIT DWORD v25 = 40748C //参数"密码",ASDFGHJK
00438232 |. CA vWriteMemSs4 EXIT DWORD v26 = 1 //参数"加解密",解密
004380AF |. 79 vReadMemSs4 DWORD m7 = DWORD SS:[Je(AddFlag(5, 0)) + 0FFFFFF78]
0043808B |. 97 vPushReg4 vR2 DWORD v27 = 20
00438089 |. 9F vPushReg4 vR9 DWORD v28 = 5
00438088 |. B6 vPushReg4 vR15 DWORD v29 = s1
0043807D |. 43 vJmp_00411670 if (5 + 0 == 0) goto VMPCrack.0046964E
0043807C |> 10 /vPopReg4 vR13
0043804F |. F1 |vReadMemDs4 DWORD m8 = DWORD DS:[v29]
0043804D |. FA |vWriteMemEs4 DWORD ES:[v27] = v30; DWORD v30 = m8
00437FB4 |. BA |vAdd4 DWORD v31 = 0FFFFFFFC + ((0FFFFFBFF ~& v17) >> 7)
00437EA2 |. 78 |vReadMemSs4 DWORD m9 = DWORD SS:[Jnz(AddFlag(v28, 0FFFFFFFF)) + 0FFFFFF78]
00437E7E |. F8 |vPushReg4 vR7 DWORD v27 = v27 + v31
00437E7C |. 04 |vPushReg4 vR0 DWORD v28 = v28 + 0FFFFFFFF
00437E7B |. 1D |vPushReg4 vR11 DWORD v29 = v29 + v31
00437E70 |.^ B4 \vJmp_00411670 if (v28 != 0) goto VMPCrack.0043807C
0046964E |> 26 vPopReg4 vR12
...
004E0003 |. 43 vRet call v37; <VMPCrack.DES>
int a[4] = {0};//a初始化为0
int b;
for (int i = 0; i < 4; i++)
{
a[i] = 1;//把a中所有的值设为1,由于这里i不是常量,不会把这个赋值添加到已知数据中
}
b = a[0];//这里会认为a中的值还是00048DF12 |. 4A vWriteMemSs1 BYTE v46 = GetBytes(MD5, 8, 1) + GetBytes(MD5, 0C, 1) + GetBytes(MD5, 4, 1) + GetBytes(MD5, 0, 1) ^ 12
004C1464 |. B5 vReadMemSs4 DWORD v47 = GetBytes(MD5, 4, 4)
00487AF7 |. 67 vWriteMemSs1 BYTE v48 = GetBytes(MD5, 1, 1) - GetBytes(MD5, 0D, 1) - GetBytes(MD5, 9, 1) - GetBytes(MD5, 5, 1) ^ 34
00483EB5 |. 79 vWriteMemSs1 BYTE v49 = LoByte(ERROR("")) + 56
00454C74 |. 68 vWriteMemSs1 BYTE v50 = (GetBytes(MD5, 0F, 1) ^ GetBytes(MD5, 0B, 1) ^ GetBytes(MD5, 7, 1) ^ GetBytes(MD5, 3, 1)) - 78
004D37D0 |. D6 vWriteMemSs4 EXIT DWORD v51 = (GetBytes(MD5, 0, 4) ^ v50 : (v49 : (v48 : v46))) + (GetBytes(MD5, 8, 4) ^ v47) + (GetBytes(MD5, 0C, 4) ^ 98765432)
004C6383 |. 08 vWriteMemSs4 "结果" EXIT DWORD v52 = 0C
004C5160 |. A4 vWriteMemSs4 "密码" EXIT DWORD v53 = 0FFFFFFFC //解密后的MD5
004C4FD9 |. 0C vWriteMemSs4 "内容" EXIT DWORD v54 = 0C //上面计算的内容
0045E205 |. 09 vJmp_00425E0A callVM <VMPCrack.TEA加密>
004606F0 |. F8 vReadMemSs4 DWORD v57 = v50 : (v49 : (v48 : v46))
00460667 |. F1 vReadMemSs4 DWORD v58 = Cross(GetBytes("注册码", 0, 4), nonentity)
0044261C |. EF vReadMemSs4 DWORD m16 = DWORD SS:[Jnz(SubFlag(v57, v58)) + 0FFFFFFE8]
004425EA |. 31 vJmp_00411670 if (v57 == v58) goto VMPCrack.0047E2E8 //检查注册码第一部分
00475ACE |. 2E vReadMemSs4 DWORD s2 = Stack(vESP + 34, ESP + 0, 4)
00475768 |. 4B vPushReg4 vR0 EAX DWORD v62 = GetBytes(v58, 1, 3) : 0
...
0047575D |. 95 vRet return v61
0047E2E8 |> B8 vPopReg4 vR14
0047E00E |. 25 vReadMemSs4 DWORD v70 = Cross(GetBytes("注册码", 4, 4), nonentity)
0047DDA8 |. B4 vReadMemSs4 DWORD m21 = DWORD SS:[Jnz(SubFlag(v51, v70)) + 0FFFFFFE8]
0047DD76 |. 33 vJmp_00411670 if (v51 == v70) goto VMPCrack.004318DE //检查注册码第二部分
004C9144 |. 82 vReadMemSs4 DWORD s3 = Stack(vESP + 34, ESP + 0, 4)
004C8E1B |. 9A vPushReg4 vR2 EAX DWORD v74 = GetBytes(v70, 1, 3) : 0
...
004C8E10 |. 8C vRet return v730040CF8A /MOV DL,BYTE PTR SS:[EBP] ; 未知指令
0040CF8F |MOV AL,BYTE PTR SS:[EBP+2]
0040CF9A |SUB EBP,2
0040CFA0 |IMUL DL
0040CFA8 |MOV WORD PTR SS:[EBP+4],AX
0040CFB6 |PUSHFD
0040CFC1 \POP DWORD PTR SS:[EBP]
0045E54B /$ D2 vPopReg4 vR13
0045E619 |. 0A vPopVEsp vESP = 28
00436936 |. 3D vReadMemSs4 DWORD s0 = Stack(vESP + 3C, ESP + 8, 4) //参数2
004DC3B7 |. 06 vReadMemDs4 DWORD m0 = DWORD DS:[s0]
004DC53F |. 06 vReadMemDs4 DWORD m1 = DWORD DS:[s0 + 4]
004A12F0 |. 03 vWriteMemSs4 EXIT DWORD v0 = m1
004A130B |. 06 vReadMemDs4 DWORD m2 = DWORD DS:[s0 + 8]
004A1419 |. 49 vReadMemDs4 DWORD m3 = DWORD DS:[s0 + 0C]
004956C2 |. BD vReadMemSs4 DWORD s1 = Stack(vESP + 38, ESP + 4, 4) //参数1
004D8325 |. 06 vReadMemDs4 DWORD m4 = DWORD DS:[s1]
004D843F |. 06 vReadMemDs4 DWORD m5 = DWORD DS:[s1 + 4]
004D87DE |. 0A vPopVEsp vESP = 18
004D8823 |. 41 vPushReg4 vR4 DWORD v1 = m5 ^ 2B3C4D5E
004D8824 |. B1 vPushReg4 vR11 DWORD v2 = 10 //循环次数,0x10(16)
004D8827 |. 91 vPushReg4 vR9 DWORD v3 = 0
004D8828 |. 01 vPushReg4 vR0 DWORD v4 = m4 ^ 1A2B3C4D
004D8832 |> 62 /vPopReg4 vR6
004BBE28 |. B3 |vNand4 DWORD v5 = v3 - 61C88647
004C2D6D |. C8 |vAdd4 DWORD v6 = (v1 >> 5) + v0
004C2F17 |. 60 |vShl4 DWORD v7 = v1 << 4
004B0A40 |. 14 |vNand4 DWORD v8 = m0 + v7 ^ v6
004B0AF2 |. C3 |vAdd4 DWORD v9 = v1 + v5
00492E61 |. 14 |vNand4 DWORD v10 = v8 ^ v9
0043585B |. C8 |vAdd4 DWORD v11 = v4 + v10
00434A13 |. 3D |vReadMemSs4 DWORD m6 = DWORD SS:[Jnz(DecFlag(v2)) + 10]
00434A35 |. 61 |vPushReg4 vR6 DWORD v1 = v1 + ((v11 >> 5) + m3 ^ (v11 << 4) + m2 ^ v11 + v5)
00434A36 |. 91 |vPushReg4 vR9 DWORD v2 = v2 + 0FFFFFFFF
00434A39 |. F1 |vPushReg4 vR15 DWORD v3 = v5
00434A3A |. B1 |vPushReg4 vR11 DWORD v4 = v11
00434A45 |.^ 7A \vJmp_00425E0A if (Jnz(DecFlag(v2))) goto VMPCrack.004D8832
00492A56 |. B7 vNand4 DWORD v12 = v4 ^ 4D3C2B1A
00492B05 |. 3D vReadMemSs4 DWORD s2 = Stack(vESP + 40, ESP + 0C, 4) //参数3
004CA064 |. 53 vNand4 DWORD v13 = v1 ^ 5E4D3C2B
00478252 |. EE vWriteMemDs4 DWORD DS:[s2] = v14; DWORD v14 = v12 //保存结果
004782E1 |. EE vWriteMemDs4 DWORD DS:[s2 + 4] = v15; DWORD v15 = v13 //保存结果
004CBEC2 |. 3D vReadMemSs4 DWORD s3 = Stack(vESP + 34, ESP + 0, 4)
...
004CC1F3 \. AE vRet return v18
v5 = v5 - 61C88647
v11 = v11 + ((v1 >> 5) + m1 ^ (v1 << 4) + m0 ^ v1 + v5)
v1 = v1 + ((v11 >> 5) + m3 ^ (v11 << 4) + m2 ^ v11 + v5)
0043183F |. 93 vReadMemSs4 DWORD v82 = GetBytes(MD5, 0, 4)
004DA066 |. A4 vReadMemSs4 DWORD v83 = GetBytes(MD5, 0C, 4)
004D9FDD |. 2B vReadMemSs4 DWORD v84 = GetBytes(MD5, 8, 4)
0042B0C3 |. 49 vWriteMemSs1 EXIT BYTE v85 = (GetBytes(v51, 0, 1) ^ v46) + (GetBytes(MD5, 0, 1) ^ 0AA)
0042AF7A |. 2B vReadMemSs4 DWORD v86 = GetBytes(MD5, 4, 4)
004AB52C |. D3 vWriteMemSs1 EXIT BYTE v87 = (GetBytes(v51, 1, 1) ^ v48) + (GetBytes(MD5, 5, 1) ^ 0BB)
004B20AF |. 38 vWriteMemSs1 EXIT BYTE v88 = (v49 ^ GetBytes(v51, 2, 1)) + (GetBytes(MD5, 0A, 1) ^ 0CC)
00482E81 |. 38 vWriteMemSs1 EXIT BYTE v89 = (GetBytes(MD5, 0F, 1) ^ 0DD) + (GetBytes(v51, 3, 1) ^ v50)
0045F1B8 |. E1 vDiv4 DWORD v90 = 0 : (v82 ^ (v83 ^ v84 ^ v86)) % 5
004D277E |. 2B vReadMemSs4 DWORD m27 = DWORD SS:[Ja(SubFlag(v90, 4)) + 0FFFFFFE8]
004D275E |. 19 vPushReg4 vR11 DWORD v91 = v84
004D274B |. 94 vJmp_00411670 if (v90 > 4) goto VMPCrack.00470963
0047C94E |. 8C vReadMemDs4 DWORD m28 = DWORD DS:[(v90 << 2) + 40609C]
0047C920 |.- 06 vJmp_00411670 switch (v90)
004DD0F5 |> F3 vPopReg4 vR2 //switch 0
00437358 |. 31 vWriteMemSs4 EXIT DWORD v92 = (v82 ^ 11223344) + (v86 ^ 22334455)
004B3409 |> 03 vPopReg4 vR6 //switch 1
004B31D6 |. C7 vNand4 DWORD v93 = v91 ^ 44556677
0048CF6D |. 31 vWriteMemSs4 EXIT DWORD v92 = v93 + (v86 ^ 33445566)
0048CD9F |. 1D vPushReg4 vR12 DWORD v91 = v93
0047C627 |> FB vPopReg4 vR4 //switch 2
0049ED8F |. 00 vNand4 DWORD v94 = v91 ^ 55667788
004E19BC |. 31 vWriteMemSs4 EXIT DWORD v92 = v94 + (v83 ^ 66778899)
004E18D6 |. F1 vPushReg4 vR1 DWORD v91 = v94
004A9743 |> EF vPopReg4 vR1 //switch 3
00472BED |. 31 vWriteMemSs4 EXIT DWORD v92 = (v83 ^ 778899AA) + (v82 ^ 8899AABB)
0045E0BA |> 0B vPopReg4 vR8 //switch 4
0045DF80 |. 00 vNand4 DWORD v95 = v91 ^ 0AABBCCDD
0045DE90 |. 00 vNand4 DWORD v96 = v82 ^ 99AABBCC
00470B2F |. 48 vAdd4 DWORD v97 = v96 + v95
004709E8 |. BA vWriteMemSs4 EXIT DWORD v92 = v97
0047098C |. FD vPushReg4 vR4 DWORD v91 = v97
00470963 |> 1B vPopReg4 vR12
0047881C |. 31 vWriteMemSs4 "结果" EXIT DWORD v98 = 14
0047CAB2 |. 31 vWriteMemSs4 "密码" EXIT DWORD v99 = 0FFFFFFFC //解密后的MD5
00434420 |. BA vWriteMemSs4 "内容" EXIT DWORD v100 = 14 //上面计算的内容
00481A39 |. 11 vPushReg4 vR9 EXIT DWORD v101 = v91
00481A32 |. 6F vAdd4 EXIT DWORD v102 = 0EF8B1AAC
00481A2E |. 52 vJmp_00412430 callVM <VMPCrack.TEA解密>
004B4216 |. 2B vReadMemSs4 DWORD v103 = Cross(GetBytes("注册码", 8, 4), nonentity)
004B4154 |. A4 vReadMemSs4 DWORD v104 = v89 : (v88 : (v87 : v85))
004B3F46 |. 00 vNand4 DWORD v105 = v103 ^ 13579BDF
004CAA54 |. CE vReadMemSs4 DWORD m29 = DWORD SS:[Je(SubFlag(v104, v105)) + 0FFFFFFE8]
004CAA21 |. 06 vJmp_00411670 if (v104 != v105) goto VMPCrack.00437E53 //检查注册码第三部分
0046198A |. A4 vReadMemSs4 DWORD v106 = Cross(GetBytes("注册码", 0C, 4), nonentity)
004A8CA3 |. 73 vNand4 DWORD v107 = v106 ^ 0FDB97531
0048D926 |. 2B vReadMemSs4 DWORD m30 = DWORD SS:[Jnz(SubFlag(Cross(nonentity, v92), v107)) + 0FFFFFFE8]
0048D8F3 |. 06 vJmp_00411670 if (Cross(nonentity, v92) == v107) goto VMPCrack.004A927A//检查注册码第四部分
0049E1D7 |. 2B vReadMemSs4 DWORD s4 = Stack(vESP + 34, ESP + 0, 4)
...
0049DE75 |. 2E vRet return v110004C04FE |. BA vWriteMemSs4 "长度" EXIT DWORD v119 = 14
004574ED |. 31 vWriteMemSs4 "内容" EXIT DWORD v120 = 20 //输入的注册码
00446FD7 |. 15 vPushReg4 vR10 EXIT DWORD v121 = XorFlag(Cross(GetBytes("注册码", 4, 4), nonentity) + Cross(GetBytes("注册码", 0, 4), nonentity), v103 + v106)
00446FD0 |. 6F vAdd4 EXIT DWORD v122 = 0EF8B1AAC
00446FCC |. 45 vJmp_00411C30 callVM <VMPCrack.CRC>
0047F6CA |. CE vReadMemSs4 DWORD m35 = DWORD SS:[Je(SubFlag(entryVMEax_45CED7, entryVMEsi_45CED7)) + 0FFFFFFE8]
0047F698 |. 94 vJmp_00411670 if (entryVMEax_45CED7 != entryVMEsi_45CED7) goto VMPCrack.00467F03
00446EEA |. AD vAdd4 EXIT DWORD v123 = 0EF8B1AAC
00446EE6 |. 1B vJmp_00411C30 callVM VMPCrack.0046BB01 //调用SDK,解密字符串
004B16AB |. 8F vWriteMemDs4 DWORD DS:[407470] = v124; EXIT DWORD v124 = entryVMEax_4689BB
004A259F |. 93 vReadMemSs4 DWORD s5 = Stack(vESP + 34, ESP + 0, 4)
...
004A22A1 |. 2E vRet return v127
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!
