I'm a newbie; I hope the experts here can give me some pointers.
After tracing VMP for a while, I feel that VMP's CRC is the key, so I wrote a script, ran it, and got the following results:
check --> 7BF81EF9 ebx --> 575232F0 vEIP --> 6F8F58 start_addr --> 145015C vESP --> 12F75C
check --> F36289CF ebx --> 575232F0 vEIP --> 6F8F58 start_addr --> 14501A0 vESP --> 12F75C
check --> B53A9851 ebx --> 575232F0 vEIP --> 6F8F58 start_addr --> 1450000 vESP --> 12F75C
check --> 39250C9D ebx --> 575232F0 vEIP --> 6F8F58 start_addr --> 14AFAF5 vESP --> 12F75C
check --> DE2F3620 ebx --> B936BBFB vEIP --> 6123F6 start_addr --> 5BA506 vESP --> 12F758
check --> 862A5C35 ebx --> EA310B89 vEIP --> 6134E8 start_addr --> 6F3F78 vESP --> 12F75C
check --> 80DA4268 ebx --> EA310B89 vEIP --> 6134E8 start_addr --> 6F3F00 vESP --> 12F75C
check --> 53E062FF ebx --> EA310B89 vEIP --> 6134E8 start_addr --> 4001A0 vESP --> 12F75C
check --> 809080 ebx --> EA310B89 vEIP --> 6134E8 start_addr --> 6F3EF4 vESP --> 12F75C
check --> F163F9A4 ebx --> EA310B89 vEIP --> 6134E8 start_addr --> 6162B4 vESP --> 12F75C
check --> 58109C2D ebx --> EA310B89 vEIP --> 6134E8 start_addr --> 5BA776 vESP --> 12F75C
check --> E38435B8 ebx --> EA310B89 vEIP --> 6134E8 start_addr --> 6FD547 vESP --> 12F75C
check --> 7CBB6D57 ebx --> EA310B89 vEIP --> 6134E8 start_addr --> 6196F5 vESP --> 12F75C
check --> 7020DC6A ebx --> EA310B89 vEIP --> 6134E8 start_addr --> 6FD353 vESP --> 12F75C
check --> 841A6B2F ebx --> EA310B89 vEIP --> 6134E8 start_addr --> 6F3F50 vESP --> 12F75C
check --> 870A58A8 ebx --> EA310B89 vEIP --> 6134E8 start_addr --> 6F3F64 vESP --> 12F75C
check --> 82E02C6F ebx --> EA310B89 vEIP --> 6134E8 start_addr --> 6F3F28 vESP --> 12F75C
check --> 84523934 ebx --> EA310B89 vEIP --> 6134E8 start_addr --> 6FDF4B vESP --> 12F75C
check --> 89282228 ebx --> EA310B89 vEIP --> 6134E8 start_addr --> 6F3F8C vESP --> 12F75C
check --> 88538CE8 ebx --> EA310B89 vEIP --> 6134E8 start_addr --> 6F3FA0 vESP --> 12F75C
check --> 327FD67C ebx --> EA310B89 vEIP --> 6134E8 start_addr --> 6FDA7E vESP --> 12F75C
check --> BC8363C3 ebx --> EA310B89 vEIP --> 6134E8 start_addr --> 6F3FDC vESP --> 12F75C
check --> 42977593 ebx --> EA310B89 vEIP --> 6134E8 start_addr --> 6F80E6 vESP --> 12F75C
check --> 2B720566 ebx --> EA310B89 vEIP --> 6134E8 start_addr --> 6FF000 vESP --> 12F75C
check --> 7BF81EF9 ebx --> EA310B89 vEIP --> 6134E8 start_addr --> 40015C vESP --> 12F75C
check --> 3B413581 ebx --> EA310B89 vEIP --> 6134E8 start_addr --> 5BA000 vESP --> 12F75C
check --> A40B4C8 ebx --> EA310B89 vEIP --> 6134E8 start_addr --> 617684 vESP --> 12F75C
check --> 8B4DBBEF ebx --> EA310B89 vEIP --> 6134E8 start_addr --> 6F3FB4 vESP --> 12F75C
check --> AEB93109 ebx --> EA310B89 vEIP --> 6134E8 start_addr --> 6FE1A4 vESP --> 12F75C
check --> C0CB82 ebx --> EA310B89 vEIP --> 6134E8 start_addr --> 400138 vESP --> 12F75C
check --> ACF385A4 ebx --> EA310B89 vEIP --> 6134E8 start_addr --> 6F2016 vESP --> 12F75C
check --> 64C87F93 ebx --> EA310B89 vEIP --> 6134E8 start_addr --> 6FB3C0 vESP --> 12F75C
check --> 7948C668 ebx --> EA310B89 vEIP --> 6134E8 start_addr --> 6FCC3B vESP --> 12F75C
check --> 21DAE4B7 ebx --> EA310B89 vEIP --> 6134E8 start_addr --> 6FD4E1 vESP --> 12F75C
check --> 3D21BD19 ebx --> EA310B89 vEIP --> 6134E8 start_addr --> 6FB929 vESP --> 12F75C
check --> 83C65A68 ebx --> EA310B89 vEIP --> 6134E8 start_addr --> 6F3F14 vESP --> 12F75C
check --> D120A2CF ebx --> EA310B89 vEIP --> 6134E8 start_addr --> 6FC628 vESP --> 12F75C
check --> 85F274A8 ebx --> EA310B89 vEIP --> 6134E8 start_addr --> 6F3F3C vESP --> 12F75C
check --> 61574C82 ebx --> EA310B89 vEIP --> 6134E8 start_addr --> 400024 vESP --> 12F75C
check --> CC80CE44 ebx --> EA310B89 vEIP --> 6134E8 start_addr --> 6FDD57 vESP --> 12F75C
check --> 18F11232 ebx --> EA310B89 vEIP --> 6134E8 start_addr --> 6F200D vESP --> 12F75C
check --> 8A6274A8 ebx --> EA310B89 vEIP --> 6134E8 start_addr --> 6F3FC8 vESP --> 12F75C
check --> B93EF071 ebx --> EA310B89 vEIP --> 6134E8 start_addr --> 400000 vESP --> 12F75C
check --> 46B9ABC3 ebx --> EA310B89 vEIP --> 6134E8 start_addr --> 61192A vESP --> 12F75C
check --> A23037FB ebx --> EA310B89 vEIP --> 6134E8 start_addr --> 700000 vESP --> 12F75C
check --> 2B363D54 ebx --> EA310B89 vEIP --> 6134E8 start_addr --> 6F4615 vESP --> 12F75C
check --> 42803C3 ebx --> EA310B89 vEIP --> 6134E8 start_addr --> 6FD18A vESP --> 12F75C
check --> AD3CE0D6 ebx --> B95A0B40 vEIP --> 613BA0 start_addr --> 5390AC vESP --> 12F758
check --> 8002 ebx --> 7ABB73A3 vEIP --> 5BDE6C start_addr --> 437206 vESP --> 12F75C
check --> 4EA25DAA ebx --> 7ABB73A3 vEIP --> 5BDE6C start_addr --> 467FB3 vESP --> 12F75C
check --> 6D352856 ebx --> 7ABB73A3 vEIP --> 5BDE6C start_addr --> 433974 vESP --> 12F75C
check --> DC52D3C6 ebx --> 7ABB73A3 vEIP --> 5BDE6C start_addr --> 4A7C10 vESP --> 12F75C
check --> 158000FF ebx --> 7ABB73A3 vEIP --> 5BDE6C start_addr --> 463B0D vESP --> 12F75C
check is the result of the CRC algorithm; start_addr is the starting address the CRC is computed over.
I found that there are 3 kinds of CRC loop in VMP: 6F8F58, 6134E8 and 5BDE6C. Each time ebx changes, the CRC loop switches.
I assumed a loop like this:
int check = 0;   /* which of the three CRC loops is active; must live outside the loop */
while (1)
{
    if (check == 0)
    {
        check = algorithm(vm_check01(start_addr));   /* first loop seen in the log: 6F8F58 */
    }
    else if (check == 1)
    {
        check = algorithm(vm_check02(start_addr));   /* second loop seen in the log: 6134E8 */
    }
    else if (check == 2)
    {
        check = algorithm(vm_check03(start_addr));   /* third loop seen in the log: 5BDE6C */
    }
    /* algorithm() and vm_check0N() are placeholders for the three CRC routines */
}
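As an added example (not the poster's script), here is a parser for the script output above that checks the two observations drawn from it: that vEIP only changes on lines where ebx changes, and that the multi-line runs are the three CRC loops. It assumes the exact line format shown in the dump; the sample is an eight-line subset of it.

```python
import re
# Eight lines copied from the script output in the post (constructed subset).
SAMPLE_LOG = """\
check --> 7BF81EF9 ebx --> 575232F0 vEIP --> 6F8F58 start_addr --> 145015C vESP --> 12F75C
check --> 39250C9D ebx --> 575232F0 vEIP --> 6F8F58 start_addr --> 14AFAF5 vESP --> 12F75C
check --> DE2F3620 ebx --> B936BBFB vEIP --> 6123F6 start_addr --> 5BA506 vESP --> 12F758
check --> 862A5C35 ebx --> EA310B89 vEIP --> 6134E8 start_addr --> 6F3F78 vESP --> 12F75C
check --> 80DA4268 ebx --> EA310B89 vEIP --> 6134E8 start_addr --> 6F3F00 vESP --> 12F75C
check --> AD3CE0D6 ebx --> B95A0B40 vEIP --> 613BA0 start_addr --> 5390AC vESP --> 12F758
check --> 8002 ebx --> 7ABB73A3 vEIP --> 5BDE6C start_addr --> 437206 vESP --> 12F75C
check --> 4EA25DAA ebx --> 7ABB73A3 vEIP --> 5BDE6C start_addr --> 467FB3 vESP --> 12F75C
"""
# One record per line; every field in the log is hex without a 0x prefix.
LINE_RE = re.compile(r"check --> (?P<check>[0-9A-F]+) ebx --> (?P<ebx>[0-9A-F]+) "
                     r"vEIP --> (?P<veip>[0-9A-F]+) start_addr --> (?P<start>[0-9A-F]+) "
                     r"vESP --> (?P<vesp>[0-9A-F]+)")

def parse_log(text):
    """Turn the script output into dicts of ints; non-matching lines are skipped."""
    recs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            recs.append({k: int(v, 16) for k, v in m.groupdict().items()})
    return recs

def phases(recs):
    """Collapse consecutive records sharing (ebx, vEIP) into
    (ebx, vEIP, line_count, [start_addr, ...]) tuples, in log order."""
    out = []
    for r in recs:
        if out and out[-1][0] == r["ebx"] and out[-1][1] == r["veip"]:
            out[-1][2] += 1
            out[-1][3].append(r["start"])
        else:
            out.append([r["ebx"], r["veip"], 1, [r["start"]]])
    return [tuple(p) for p in out]

def veip_switches_follow_ebx(recs):
    """The post's observation: vEIP never changes unless ebx changed on the same line."""
    return all(cur["ebx"] != prev["ebx"] or cur["veip"] == prev["veip"]
               for prev, cur in zip(recs, recs[1:]))

def crc_loops(recs, min_len=2):
    """vEIP values that stay for at least min_len lines: the CRC loops themselves.
    One-line phases (the vESP 12F758 lines in the log) sit between loops and are left out."""
    loops = []
    for _ebx, veip, count, _starts in phases(recs):
        if count >= min_len and veip not in loops:
            loops.append(veip)
    return loops
```

Run over the full dump, crc_loops() returns the same three addresses the post names, and the start_addr lists per phase show which ranges each loop covers.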
Could the experts advise whether this assumption is correct? Any guidance is appreciated.