供小菜娱乐。
高手莫要见笑.
测试环境:Windows XP SP3。
测试程序:《加密与解密》(第三版)中的 CrackMe。
VMP版本及保护选项如下图所示:
1. Patch Hash 值的方法如下(思路:在 VMP 的 Hash 函数把计算结果写回 [ebp] 之前下断,改写 eax 即可;具体请看附件):
//------------ Hash function ---------------
// VMProtect handler that hashes a byte range, as dumped under OllyDbg (XP SP3, this CrackMe build).
// Net effect, with p = first address and len = byte count, both taken from the slots at [ebp]:
//     eax = 0;  do { eax = rol(eax, 7); al ^= *p++; } while (--len != 0);
//     [ebp] = eax;            // result overwrites the len slot
// Everything not in that formula is VMP junk/obfuscation: dead ALU ops on ecx, pushfd/pushad whose
// bytes are discarded wholesale by "lea esp,[esp+N]", and calls whose return address is never used.
// ebp appears to act as the VM's operand-stack pointer (inferred from the [ebp] accesses below).
// All addresses are specific to this build: VMP regenerates handlers per build, so do not reuse them.
00551F35 86D5 xchg ch,dl ; GetHash (handler entry). Dead: edx is reloaded next, ecx is overwritten at 00551F56
00551F37 8B55 00 mov edx,dword ptr ss:[ebp] ; p = [ebp] = first address of the range to hash
00551F3A 60 pushad ; 32 bytes of junk; dropped again by sub esp,-0x20 at 00551F46
00551F3B 83C5 04 add ebp,0x4 ; VM-stack pop; [ebp] is now the slot the loop counts down (len)
00551F3E F7D1 not ecx ; junk (ecx is dead until 00551F56)
00551F40 FECD dec ch ; junk
00551F42 30D5 xor ch,dl ; junk
00551F44 31C0 xor eax,eax ; hash = 0 (runs once; the loop re-enters at 00551F49)
00551F46 83EC E0 sub esp,-0x20 ; == add esp,0x20: discard the pushad frame above
00551F49 80F5 F3 xor ch,0xF3 ; <-- loop head. junk
00551F4C 66:0FBDCF bsr cx,di ; junk
00551F50 C0E5 06 shl ch,0x6 ; junk
00551F53 66:39DE cmp si,bx ; junk (flags are rewritten by shl below before anything reads them)
00551F56 89C1 mov ecx,eax ; ecx = hash, copy for the rotate
00551F58 F8 clc ; junk; shl sets CF anyway
00551F59 C1E0 07 shl eax,0x7 ; hash << 7
00551F5C 9C pushfd ; junk (part of the 0x3C bytes dropped at 005523FE)
00551F5D F5 cmc ; junk
00551F5E C1E9 19 shr ecx,0x19 ; hash >> 25
00551F61 9C pushfd ; junk
00551F62 09C8 or eax,ecx ; hash = rol(hash, 7)   (7 + 25 == 32)
00551F64 9C pushfd ; junk
00551F65 880424 mov byte ptr ss:[esp],al ; writes into the junk slot just pushed; never read
00551F68 60 pushad ; junk (32 bytes)
00551F69 3202 xor al,byte ptr ds:[edx] ; hash ^= *p  (only the low byte is mixed in)
00551F6B E8 4C020000 call Test_VMP.005521BC ; control-flow obfuscation: the pushed return address is discarded at 005523FE, never returned to
005521BC 9C pushfd ; junk
005521BD 9C pushfd ; junk
005521BE 42 inc edx ; p++
005521BF E9 950F0000 jmp Test_VMP.00553159 ; handler continues in another code island
00553159 9C pushfd ; junk
0055315A FF4D 00 dec dword ptr ss:[ebp] ; --len; sets the ZF/SF tested by jnz and js below
0055315D ^ E9 9CF2FFFF jmp Test_VMP.005523FE
005523FE 8D6424 3C lea esp,dword ptr ss:[esp+0x3C] ; drop the 60 bytes pushed since 00551F49 (3 pushfd + pushad + return addr + 3 pushfd); lea leaves the flags intact
00552402 ^ 0F85 41FBFFFF jnz Test_VMP.00551F49 ; while (len != 0) — do-while, so at least one byte is always hashed
00552408 50 push eax ; final hash (junk push; dropped by the next lea)
00552409 E8 B3210000 call Test_VMP.005545C1 ; again a call whose return address is discarded
005545C1 8D6424 08 lea esp,dword ptr ss:[esp+0x8] ; drop return address + pushed hash; eax still holds the hash
005545C5 ^ 0F88 8BE4FFFF js Test_VMP.00552A56 ; opaque predicate: flags are still from the dec, which produced 0 on this path, so SF is clear and this never branches. Author's patch point: break here and overwrite eax with the expected hash
005545CB 54 push esp ; junk (part of the 0x2C bytes dropped at 005545D7)
005545CC 8945 00 mov dword ptr ss:[ebp],eax ; store result on the VM stack (overwrites the len slot). Changing eax before this store is the whole "hash patch"
005545CF 880424 mov byte ptr ss:[esp],al ; junk
005545D2 FF3424 push dword ptr ss:[esp] ; junk
005545D5 60 pushad ; junk
005545D6 9C pushfd ; junk
005545D7 8D6424 2C lea esp,dword ptr ss:[esp+0x2C] ; drop the 44 bytes pushed since 005545CB (push + push + pushad + pushfd)
005545DB ^ E9 EDDCFFFF jmp Test_VMP.005522CD ; next handler (not shown)
2. Patch 跳转实现爆破的方法如下(思路:Hook VirtualProtect,当 VMP 把 0x00401000 所在页改回 PAGE_EXECUTE_READ 时说明代码已解码且此刻仍可写,此时把已解码的 JNE 改为 JE;具体请看附件):
//判断是否解码了,然后开始Patch
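/*
 * Hook body installed over kernel32!VirtualProtect (hot-patch style: the `continu`
 * path re-executes the 5-byte prologue "mov edi,edi / push ebp / mov ebp,esp" and
 * then jumps to g_OldAddressNext_VirtualProtect, defined elsewhere — presumably
 * VirtualProtect+5).
 *
 * Purpose: detect the moment VMProtect restores the protection of the decoded code
 * page (lpAddress == 0x00401000, flNewProtect == PAGE_EXECUTE_READ) and, at that
 * moment, flip five conditional jumps in the decoded code from JNE to JE.  The
 * patches are written BEFORE the call is forwarded, i.e. while the page is still
 * writable from the previous VirtualProtect call.
 *
 * Parameters are the real VirtualProtect's (stdcall).  Because the function is
 * naked there is no frame yet, so the asm reads them raw off the stack:
 * [esp] = return address, [esp+4] = lpAddress, [esp+0xC] = flNewProtect.
 *
 * Caveats for anyone reusing this:
 *  - Every address (0x00401000, 0x004011A8 .. 0x0040127D) and every byte value is
 *    specific to this CrackMe build and this VMP version; a rebuild moves them.
 *  - Naked function: no prologue/epilogue is generated, so EVERY path must end in the
 *    `continu` trampoline.  The original only reached it from inside the 5th `if`;
 *    when that byte was not 0x75 (e.g. second call, already patched) execution fell
 *    off the end of the function — undefined behaviour.  Fixed: the trampoline is now
 *    reached unconditionally after the patch block.
 *  - The *(BYTE*) writes assume the page is currently writable.  If a different VMP
 *    build restores protection earlier, the write faults inside the hook.
 *  - MessageBox runs a modal message loop inside a VirtualProtect call.  Fine for a
 *    CrackMe demo; do not do this in anything that must stay re-entrant.
 */
_declspec (naked) VOID My_VirtualProtect(
    LPVOID lpAddress,       // region of committed pages
    SIZE_T dwSize,          // size of the region
    DWORD flNewProtect,     // desired access protection
    PDWORD lpflOldProtect   // old protection
)
{
    __asm
    {
        cmp     dword ptr ss:[esp+0x4], 0X00401000      ; lpAddress == decoded code page?
        jnz     continu                                 ; no  -> plain pass-through
        cmp     dword ptr ss:[esp+0xC], PAGE_EXECUTE_READ ; protection being set back to X/R?
        jnz     continu                                 ; no  -> plain pass-through
    }

    /* Decoded code is present and still writable: apply the patches now.
     * 0F 85 rel32 (JNE) -> 0F 84 rel32 (JE): the byte tested/changed is the 2nd opcode byte. */
    if (0X85 == *(BYTE*)0X004011A8)
    {
        MessageBox(NULL,"找到特证码1 ", "(^_^)" ,MB_OK);
        *(BYTE*)0X004011A8 = 0X84;  // JNE -> JE
    }
    if (0X85 == *(BYTE*)0X004011B6)
    {
        MessageBox(NULL,"找到特证码2 ", "(^_^)" ,MB_OK);
        *(BYTE*)0X004011B6 = 0X84;  // JNE -> JE
    }
    if (0X85 == *(BYTE*)0X004011C0)
    {
        MessageBox(NULL,"找到特证码3 ", "(^_^)" ,MB_OK);
        *(BYTE*)0X004011C0 = 0X84;  // JNE -> JE
    }
    if (0X85 == *(BYTE*)0X004011CA)
    {
        MessageBox(NULL,"找到特证码4 ", "(^_^)" ,MB_OK);
        *(BYTE*)0X004011CA = 0X84;  // JNE -> JE
    }
    /* 75 rel8 (JNE short) -> 74 rel8 (JE short). */
    if (0X75 == *(BYTE*)0X0040127D)
    {
        MessageBox(NULL,"找到特证码5 ", "(^_^)" ,MB_OK);
        *(BYTE*)0X0040127D = 0X74;  // JNE -> JE
    }
    /* Whether or not anything was patched, fall through into the real VirtualProtect. */

continu:
    __asm
    {
        mov     edi, edi                        ; re-execute the 5 bytes the hook overwrote
        push    ebp
        mov     ebp, esp
        jmp     g_OldAddressNext_VirtualProtect ; continue in the original function (defined elsewhere)
    }
}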
3.成功后如下图所示 :
src.zip
Bin.zip