1. Introduction:
Imports used by the two pieces (OllyDbg truncates the names; the full names follow the semicolon). VMProtectSetSerialNumber is reached through the jmp at the end of the first piece; the other ten are the thunk table at the end of the second piece, in this order:
VMProtectSDK32.VMProtectSetSerialNumber
VMProtectSDK32.VMProtectGetCurrentHWID
user32.CloseClipboard
user32.EmptyClipboard
user32.MessageBoxA
user32.OpenClipboard
user32.SetClipboardData
kernel32.ExitProcess
kernel32.GlobalAlloc
kernel32.GlobalLock
kernel32.GlobalUnlock
The first piece reads the license file and its contents. If a license string is present it jumps into the VMP shell's own license check; if there is no file or no value it jumps to the second piece, which fetches the hardware ID.
The string is read with GetPrivateProfileStringA (key "Lic" in section "授权文件" of .\Key.dat). The stub itself only tests whether the first byte of the returned string is NUL; a non-empty string is handed to VMProtectSetSerialNumber, which is what actually validates it.
To save effort you can paste the bytes in binary and then fix up the addresses.
Hex bytes of the first piece:
33 C9 64 A1 30 00 00 00 8B 40 0C 8B 70 1C 8B 46 08 8B 7E 20 8B 36 66 39 4F 18 75 F2 8B D0 8B 42
3C 8B 44 10 78 03 C2 8B 70 20 03 F2 68 73 73 00 00 68 64 64 72 65 68 72 6F 63 41 68 47 65 74 50
54 33 C9 8B 3E 03 FA 56 8B 74 24 04 51 B9 0F 00 00 00 F3 A6 74 0B 59 5E 83 C6 04 41 3B 48 18 72
E2 59 8B 70 24 03 F2 0F B7 0C 4E 8B 70 1C 03 F2 8B 34 8E 03 F2 8B FA 6A 00 68 61 72 79 41 68 4C
69 62 72 68 4C 6F 61 64 54 52 FF D6 E8 0D 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 5B 53
FF D0 E8 19 00 00 00 47 65 74 50 72 69 76 61 74 65 50 72 6F 66 69 6C 65 53 74 72 69 6E 67 41 00
5B 53 50 FF D6 E8 0A 00 00 00 2E 5C 4B 65 79 2E 64 61 74 00 5B 53 68 56 02 00 00 E8 00 00 00 00
5B 83 C3 50 53 6A 00 E8 04 00 00 00 4C 69 63 00 5B 53 E8 09 00 00 00 CA DA C8 A8 CE C4 BC FE 00
5B 53 FF D0 8B 44 24 F4 E8 07 00 00 00 90 FF 25 48 10 82 00 80 38 00 0F 84 5D FE FF FF 5B 50 FF
D3 68 BC 38 5C 00 C3
The disassembly:
0081E150 >/$ 33C9 xor ecx,ecx ; new OEP (stub entry)
0081E152 |. 64:A1 3000000>mov eax,dword ptr fs:[0x30] ; PEB
0081E158 |. 8B40 0C mov eax,dword ptr ds:[eax+0xC] ; PEB->Ldr
0081E15B |. 8B70 1C mov esi,dword ptr ds:[eax+0x1C] ; Ldr->InInitializationOrderModuleList.Flink
0081E15E |> 8B46 08 /mov eax,dword ptr ds:[esi+0x8] ; entry->DllBase
0081E161 |. 8B7E 20 |mov edi,dword ptr ds:[esi+0x20] ; entry->BaseDllName.Buffer
0081E164 |. 8B36 |mov esi,dword ptr ds:[esi] ; next entry
0081E166 |. 66:394F 18 |cmp word ptr ds:[edi+0x18],cx ; is the 13th WCHAR of the name NUL? i.e. a 12-character name: "kernel32.dll"
0081E16A |.^ 75 F2 \jnz short ZZZX.0081E15E
0081E16C |. 8BD0 mov edx,eax ; edx = kernel32 base
0081E16E |. 8B42 3C mov eax,dword ptr ds:[edx+0x3C] ; e_lfanew
0081E171 |. 8B4410 78 mov eax,dword ptr ds:[eax+edx+0x78] ; DataDirectory[EXPORT].VirtualAddress
0081E175 |. 03C2 add eax,edx ; eax = IMAGE_EXPORT_DIRECTORY
0081E177 |. 8B70 20 mov esi,dword ptr ds:[eax+0x20] ; AddressOfNames
0081E17A |. 03F2 add esi,edx
0081E17C |. 68 73730000 push 0x7373 ; "ss",0,0
0081E181 |. 68 64647265 push 0x65726464 ; "edre"
0081E186 |. 68 726F6341 push 0x41636F72 ; "rocA"
0081E18B |. 68 47657450 push 0x50746547 ; "GetP" -> "GetProcAddress",0 now sits on the stack
0081E190 |. 54 push esp ; pointer to that string
0081E191 |. 33C9 xor ecx,ecx ; ecx = name index
0081E193 |> 8B3E /mov edi,dword ptr ds:[esi] ; RVA of the ecx-th exported name
0081E195 |. 03FA |add edi,edx
0081E197 |. 56 |push esi
0081E198 |. 8B7424 04 |mov esi,dword ptr ss:[esp+0x4] ; esi = "GetProcAddress" on the stack
0081E19C |. 51 |push ecx
0081E19D |. B9 0F000000 |mov ecx,0xF ; compare 15 bytes, terminator included
0081E1A2 |. F3:A6 |repe cmps byte ptr es:[edi],byte ptr ds:[esi]
0081E1A4 |. 74 0B |je short ZZZX.0081E1B1 ; found
0081E1A6 |. 59 |pop ecx
0081E1A7 |. 5E |pop esi
0081E1A8 |. 83C6 04 |add esi,0x4 ; next name pointer
0081E1AB |. 41 |inc ecx
0081E1AC |. 3B48 18 |cmp ecx,dword ptr ds:[eax+0x18] ; NumberOfNames
0081E1AF |.^ 72 E2 \jb short ZZZX.0081E193
0081E1B1 |> 59 pop ecx ; ecx = index of "GetProcAddress" in the name table
0081E1B2 |. 8B70 24 mov esi,dword ptr ds:[eax+0x24] ; AddressOfNameOrdinals
0081E1B5 |. 03F2 add esi,edx
0081E1B7 |. 0FB70C4E movzx ecx,word ptr ds:[esi+ecx*2] ; ordinal
0081E1BB |. 8B70 1C mov esi,dword ptr ds:[eax+0x1C] ; AddressOfFunctions
0081E1BE |. 03F2 add esi,edx
0081E1C0 |. 8B348E mov esi,dword ptr ds:[esi+ecx*4]
0081E1C3 |. 03F2 add esi,edx ; esi = GetProcAddress
0081E1C5 |. 8BFA mov edi,edx
0081E1C7 |. 6A 00 push 0x0
0081E1C9 |. 68 61727941 push 0x41797261 ; "aryA"
0081E1CE |. 68 4C696272 push 0x7262694C ; "Libr"
0081E1D3 |. 68 4C6F6164 push 0x64616F4C ; "Load" -> "LoadLibraryA",0 on the stack
0081E1D8 |. 54 push esp ; lpProcName
0081E1D9 |. 52 push edx ; hModule = kernel32
0081E1DA |. FFD6 call esi ; GetProcAddress -> eax = LoadLibraryA
0081E1DC |. E8 0D000000 call ZZZX.0081E1EE ; PUSH ASCII "kernel32.dll"
0081E1E1 |. 6B 65 72 6E 6>ascii "kernel32.dll",0
0081E1EE |> 5B pop ebx
0081E1EF |. 53 push ebx
0081E1F0 |. FFD0 call eax ; LoadLibraryA("kernel32.dll") -> eax = kernel32 base (edx already holds it, so this call is redundant but harmless)
0081E1F2 |. E8 19000000 call ZZZX.0081E210 ; PUSH ASCII "GetPrivateProfileStringA"
0081E1F7 |. 47 65 74 50 7>ascii "GetPrivateProfil"
0081E207 |. 65 53 74 72 6>ascii "eStringA",0
0081E210 |> 5B pop ebx
0081E211 |. 53 push ebx ; lpProcName
0081E212 |. 50 push eax ; hModule
0081E213 |. FFD6 call esi ; GetProcAddress -> eax = GetPrivateProfileStringA
0081E215 |. E8 0A000000 call ZZZX.0081E224 ; PUSH ASCII ".\Key.dat"
0081E21A |. 2E 5C 4B 65 7>ascii ".\Key.dat",0
0081E224 |> 5B pop ebx
0081E225 |. 53 push ebx ; lpFileName = ".\Key.dat" (relative to the current directory, not to the exe)
0081E226 |. 68 56020000 push 0x256 ; nSize
0081E22B |. E8 00000000 call ZZZX.0081E230
0081E230 |$ 5B pop ebx ; ebx = 0081E230
0081E231 |. 83C3 50 add ebx,0x50 ; lpReturnedString = 0081E280, 0x256 bytes of scratch space just past the end of this piece
0081E234 |. 53 push ebx
0081E235 |. 6A 00 push 0x0 ; lpDefault = NULL (treated as an empty string)
0081E237 |. E8 04000000 call ZZZX.0081E240 ; PUSH ASCII "Lic"
0081E23C |. 4C 69 63 00 ascii "Lic",0
0081E240 |> 5B pop ebx
0081E241 |. 53 push ebx ; lpKeyName = "Lic"
0081E242 |. E8 09000000 call ZZZX.0081E250 ; PUSH ASCII "授权文件"
0081E247 |. CA DA C8 A8 CE C4 BC FE 00 ascii "授权文件",0 ; GBK bytes; OllyDbg mis-decodes them as retf 0xC8DA / db A8 / ascii "文件"
0081E250 $ 5B pop ebx
0081E251 . 53 push ebx ; lpAppName (section) = "授权文件"
0081E252 . FFD0 call eax ; GetPrivateProfileStringA
0081E254 . 8B4424 F4 mov eax,dword ptr ss:[esp-0xC] ; the stdcall callee has popped its 6 arguments, so this re-reads the stale lpReturnedString slot (0081E280) from below ESP. It works because nothing has touched the stack since, but it is fragile
0081E258 . E8 07000000 call ZZZX.0081E264 ; pushes 0081E25D (the address of the jmp thunk below) and continues at 0081E264
0081E25D . 90 nop
0081E25E .- FF25 48108200 jmp dword ptr ds:[<&VMProtectSDK32.VMProtectSetSerialNumber>] ; fix this: the IAT slot address must be the target's VMProtectSetSerialNumber entry
0081E264 $ 8038 00 cmp byte ptr ds:[eax],0x0 ; first byte of the license string; NUL means no license
0081E267 .^ 0F84 5DFEFFFF je ZZZX.0081E0CA ; no license -> MARK_4, the hardware-ID popup (the return address pushed above is simply left on the stack)
0081E26D . 5B pop ebx ; ebx = 0081E25D
0081E26E . 50 push eax ; the serial string
0081E26F . FFD3 call ebx ; -> VMProtectSetSerialNumber(serial), returns here
0081E271 . 68 BC385C00 push 0x5C38BC ; original OEP: the value in this dump is a placeholder, patch in the target's real OEP
0081E276 . C3 retn ; return to the original OEP
Step 1.9: The SDK's Hardware lock example shows how to use it. Compile it and lift the code out of the code section. The popup then shows something like:
HWID: myhwid
Again, the lazy route is to paste the bytes in binary:
8B 44 24 04 6A 00 C7 00 00 00 00 00 E8 19 01 00 00 85 C0 74 65 53 55 56 57 E8 00 01 00 00 8B 74
24 1C 83 C9 FF 33 C0 8B 3E F2 AE F7 D1 49 8B E9 45 55 6A 42 E8 03 01 00 00 8B D8 85 DB 74 32 8B
36 53 E8 FB 00 00 00 8B CD 8B F8 8B D1 53 C1 E9 02 F3 A5 8B CA 83 E1 03 F3 A4 E8 E9 00 00 00 53
6A 01 E8 C9 00 00 00 8B 44 24 14 C7 00 01 00 00 00 E8 A2 00 00 00 5F 5E 5D 5B C3 90 8D 44 24 08
83 EC 0C 50 FF 74 24 14 33 C0 89 44 24 08 89 44 24 0C 89 44 24 10 8D 54 24 08 52 FF D3 8B 44 24
0C 8B 54 24 10 8B 4C 24 14 83 C4 18 C3 55 8B EC 68 04 00 00 80 6A 00 FF 75 08 6A 01 BB 00 E0 81
00 E8 B6 FF FF FF C9 C2 04 00 6A 00 6A 00 E8 3F 00 00 00 83 F8 00 74 1F A3 B0 E4 81 00 FF 35 B0
E4 81 00 68 33 E3 81 00 E8 25 00 00 00 68 33 E3 81 00 E8 B6 FF FF FF 6A 00 68 66 E6 81 00 68 33
E3 81 00 6A 00 E8 1A 00 00 00 6A 00 E8 25 00 00 00 CC FF 25 4C 10 82 00 FF 25 E8 86 81 00 FF 25
8C 86 81 00 FF 25 C4 80 81 00 FF 25 1C 85 81 00 FF 25 CC 84 81 00 FF 25 7C 80 81 00 FF 25 C8 81
81 00 FF 25 B8 81 81 00 FF 25 A8 81 81 00
MARK_1:
0081E000 . 8B4424 04 mov eax,dword ptr ss:[esp+0x4] ; this routine should be the one that copies the machine code (the HWID) to the clipboard. If I have that wrong, corrections are welcome.
0081E004 . 6A 00 push 0x0 ; /hWnd = NULL
0081E006 . C700 00000000 mov dword ptr ds:[eax],0x0 ; | result flag = 0
0081E00C . E8 19010000 call <jmp.&user32.OpenClipboard> ; \OpenClipboard (fix the thunk's IAT address)
0081E011 . 85C0 test eax,eax
0081E013 . 74 65 je short ZZZX.0081E07A
0081E015 . 53 push ebx
0081E016 . 55 push ebp
0081E017 . 56 push esi
0081E018 . 57 push edi
0081E019 . E8 00010000 call <jmp.&user32.EmptyClipboard> ; [EmptyClipboard (fix the thunk's IAT address)
0081E01E . 8B7424 1C mov esi,dword ptr ss:[esp+0x1C]
0081E022 . 83C9 FF or ecx,-0x1
0081E025 . 33C0 xor eax,eax
0081E027 . 8B3E mov edi,dword ptr ds:[esi]
0081E029 . F2:AE repne scas byte ptr es:[edi]
0081E02B . F7D1 not ecx
0081E02D . 49 dec ecx
0081E02E . 8BE9 mov ebp,ecx
0081E030 . 45 inc ebp
0081E031 . 55 push ebp ; /MemSize
0081E032 . 6A 42 push 0x42 ; |Flags = GHND
0081E034 . E8 03010000 call <jmp.&kernel32.GlobalAlloc> ; \GlobalAlloc (fix the thunk's IAT address)
0081E039 . 8BD8 mov ebx,eax
0081E03B . 85DB test ebx,ebx
0081E03D . 74 32 je short ZZZX.0081E071
0081E03F . 8B36 mov esi,dword ptr ds:[esi]
0081E041 . 53 push ebx ; /hMem
0081E042 . E8 FB000000 call <jmp.&kernel32.GlobalLock> ; \GlobalLock (fix the thunk's IAT address)
0081E047 . 8BCD mov ecx,ebp ; ecx = strlen + 1
0081E049 . 8BF8 mov edi,eax ; edi = the locked global block
0081E04B . 8BD1 mov edx,ecx
0081E04D . 53 push ebx ; /hMem
0081E04E . C1E9 02 shr ecx,0x2 ; |
0081E051 . F3:A5 rep movs dword ptr es:[edi],dword ptr ds:[esi] ; | copy the string in dwords...
0081E053 . 8BCA mov ecx,edx ; |
0081E055 . 83E1 03 and ecx,0x3 ; |
0081E058 . F3:A4 rep movs byte ptr es:[edi],byte ptr ds:[esi] ; | ...then the remaining bytes
0081E05A . E8 E9000000 call <jmp.&kernel32.GlobalUnlock> ; \GlobalUnlock (fix the thunk's IAT address)
0081E05F . 53 push ebx ; /hData
0081E060 . 6A 01 push 0x1 ; |Format = CF_TEXT
0081E062 . E8 C9000000 call <jmp.&user32.SetClipboardData> ; \SetClipboardData (fix the thunk's IAT address)
0081E067 . 8B4424 14 mov eax,dword ptr ss:[esp+0x14]
0081E06B . C700 01000000 mov dword ptr ds:[eax],0x1
0081E071 > E8 A2000000 call <jmp.&user32.CloseClipboard> ; [CloseClipboard (fix the thunk's IAT address)
0081E076 . 5F pop edi
0081E077 . 5E pop esi
0081E078 . 5D pop ebp
0081E079 . 5B pop ebx
0081E07A > C3 retn
----------------------------------------------------------------------------------------
MARK_2:
0081E07B 90 nop
0081E07C /$ 8D4424 08 lea eax,dword ptr ss:[esp+0x8]
0081E080 |. 83EC 0C sub esp,0xC
0081E083 |. 50 push eax
0081E084 |. FF7424 14 push dword ptr ss:[esp+0x14]
0081E088 |. 33C0 xor eax,eax
0081E08A |. 894424 08 mov dword ptr ss:[esp+0x8],eax
0081E08E |. 894424 0C mov dword ptr ss:[esp+0xC],eax
0081E092 |. 894424 10 mov dword ptr ss:[esp+0x10],eax
0081E096 |. 8D5424 08 lea edx,dword ptr ss:[esp+0x8]
0081E09A |. 52 push edx
0081E09B |. FFD3 call ebx ; ebx points at 0081E000 (MARK_1)
0081E09D |. 8B4424 0C mov eax,dword ptr ss:[esp+0xC]
0081E0A1 |. 8B5424 10 mov edx,dword ptr ss:[esp+0x10]
0081E0A5 |. 8B4C24 14 mov ecx,dword ptr ss:[esp+0x14]
0081E0A9 |. 83C4 18 add esp,0x18
0081E0AC \. C3 retn
----------------------------------------------------------------------------------------
MARK_3:
0081E0AD /$ 55 push ebp
0081E0AE |. 8BEC mov ebp,esp
0081E0B0 |. 68 04000080 push 0x80000004
0081E0B5 |. 6A 00 push 0x0
0081E0B7 |. FF75 08 push [arg.1]
0081E0BA |. 6A 01 push 0x1
0081E0BC |. BB 00E08100 mov ebx,ZZZX.0081E000 ; fix this address: it must point at 0081E000, i.e. MARK_1
0081E0C1 |. E8 B6FFFFFF call ZZZX.0081E07C ; calls MARK_2 (0081E07C, right after the nop at 0081E07B); the call is relative, so it only needs fixing if MARK_2 is moved separately
0081E0C6 |. C9 leave
0081E0C7 \. C2 0400 retn 0x4
----------------------------------------------------------------------------------------
MARK_4:
0081E0CA > 6A 00 push 0x0
0081E0CC . 6A 00 push 0x0
0081E0CE . E8 3F000000 call <jmp.&VMProtectSDK32.VMProtectGetCurrentHWID> ; VMProtectGetCurrentHWID(NULL, 0) returns the buffer size needed (fix the thunk's IAT address)
0081E0D3 . 83F8 00 cmp eax,0x0
0081E0D6 . 74 1F je short ZZZX.0081E0F7
0081E0D8 . A3 B0E48100 mov dword ptr ds:[0x81E4B0],eax ; the size goes to a scratch dword; point this at an unused zeroed area and fix the same constant below with it
0081E0DD . FF35 B0E48100 push dword ptr ds:[0x81E4B0]
0081E0E3 . 68 33E38100 push ZZZX.0081E333 ; HWID output buffer; point it at a zeroed area. The same VA occurs three times; this is (1)
0081E0E8 . E8 25000000 call <jmp.&VMProtectSDK32.VMProtectGetCurrentHWID> ; VMProtectGetCurrentHWID(buffer, size) (fix the thunk's IAT address)
0081E0ED . 68 33E38100 push ZZZX.0081E333 ; same buffer (2)
0081E0F2 . E8 B6FFFFFF call ZZZX.0081E0AD ; calls MARK_3, which copies the HWID to the clipboard
0081E0F7 > 6A 00 push 0x0 ; /Style = MB_OK|MB_APPLMODAL
0081E0F9 . 68 66E68100 push ZZZX.0081E666 ; |Title = "中国飘云阁"; point this at any zeroed area holding your own title string
The listing stops here; the rest of this piece, decoded from the hex dump above:
0081E0FE . 68 33E38100 push ZZZX.0081E333 ; |Text = HWID buffer (3)
0081E103 . 6A 00 push 0x0 ; |hOwner = NULL
0081E105 . E8 1A000000 call <jmp.&user32.MessageBoxA> ; \MessageBoxA
0081E10A . 6A 00 push 0x0 ; /ExitCode = 0
0081E10C . E8 25000000 call <jmp.&kernel32.ExitProcess> ; \ExitProcess
0081E111 . CC int3
0081E112 .- FF25 4C108200 jmp dword ptr ds:[<&VMProtectSDK32.VMProtectGetCurrentHWID>] ; thunk table: ten jmp dword ptr [IAT slot]; each slot address must be pointed at the target's own IAT
0081E118 .- FF25 E8868100 jmp dword ptr ds:[<&user32.CloseClipboard>]
0081E11E .- FF25 8C868100 jmp dword ptr ds:[<&user32.EmptyClipboard>]
0081E124 .- FF25 C4808100 jmp dword ptr ds:[<&user32.MessageBoxA>]
0081E12A .- FF25 1C858100 jmp dword ptr ds:[<&user32.OpenClipboard>]
0081E130 .- FF25 CC848100 jmp dword ptr ds:[<&user32.SetClipboardData>]
0081E136 .- FF25 7C808100 jmp dword ptr ds:[<&kernel32.ExitProcess>]
0081E13C .- FF25 C8818100 jmp dword ptr ds:[<&kernel32.GlobalAlloc>]
0081E142 .- FF25 B8818100 jmp dword ptr ds:[<&kernel32.GlobalLock>]
0081E148 .- FF25 A8818100 jmp dword ptr ds:[<&kernel32.GlobalUnlock>]
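The "fix this address" steps above can be done once by a script instead of by hand in OllyDbg. The block below is an added example, not code from the post or from the VMProtect SDK. It embeds the post's two hex dumps, decodes the ten FF 25 thunks and the E8 calls that land on them (that decoding is how the thunk order was matched to the import list at the top), then rewrites everything position-dependent: the base-relative operands in the second piece (MARK_1, the HWID buffer, the size slot, the title), the eleven IAT slot addresses, the OEP in the first piece, and the je from the license check to MARK_4, which is the only reference that crosses between the two pieces. Every offset was read off the dumps; the base 0x00500000, the IAT slot addresses 0x00402000 + 4*i and the OEP 0x00401234 used when calling it are hypothetical placeholders, to be replaced by the real values from the target binary.

```python
"""Relocate the two stub dumps from this post to a new base, IAT and OE P.
Added example, not from the post or the VMProtect SDK.  The hex is the post's
own two dumps; base, IAT-slot addresses and OEP given to relocate() are
placeholders for the target binary's real values."""
import struct

# Piece 2, loaded at base+0x000: MARK_1 (clipboard copy), MARK_2, MARK_3,
# MARK_4 (HWID popup), then ten "FF 25 <IAT slot>" import thunks.
PIECE2_HEX = """
8B 44 24 04 6A 00 C7 00 00 00 00 00 E8 19 01 00 00 85 C0 74 65 53 55 56 57 E8 00 01 00 00 8B 74
24 1C 83 C9 FF 33 C0 8B 3E F2 AE F7 D1 49 8B E9 45 55 6A 42 E8 03 01 00 00 8B D8 85 DB 74 32 8B
36 53 E8 FB 00 00 00 8B CD 8B F8 8B D1 53 C1 E9 02 F3 A5 8B CA 83 E1 03 F3 A4 E8 E9 00 00 00 53
6A 01 E8 C9 00 00 00 8B 44 24 14 C7 00 01 00 00 00 E8 A2 00 00 00 5F 5E 5D 5B C3 90 8D 44 24 08
83 EC 0C 50 FF 74 24 14 33 C0 89 44 24 08 89 44 24 0C 89 44 24 10 8D 54 24 08 52 FF D3 8B 44 24
0C 8B 54 24 10 8B 4C 24 14 83 C4 18 C3 55 8B EC 68 04 00 00 80 6A 00 FF 75 08 6A 01 BB 00 E0 81
00 E8 B6 FF FF FF C9 C2 04 00 6A 00 6A 00 E8 3F 00 00 00 83 F8 00 74 1F A3 B0 E4 81 00 FF 35 B0
E4 81 00 68 33 E3 81 00 E8 25 00 00 00 68 33 E3 81 00 E8 B6 FF FF FF 6A 00 68 66 E6 81 00 68 33
E3 81 00 6A 00 E8 1A 00 00 00 6A 00 E8 25 00 00 00 CC FF 25 4C 10 82 00 FF 25 E8 86 81 00 FF 25
8C 86 81 00 FF 25 C4 80 81 00 FF 25 1C 85 81 00 FF 25 CC 84 81 00 FF 25 7C 80 81 00 FF 25 C8 81
81 00 FF 25 B8 81 81 00 FF 25 A8 81 81 00
"""
# Piece 1, loaded at base+0x150: the new OEP / license check.
PIECE1_HEX = """
33 C9 64 A1 30 00 00 00 8B 40 0C 8B 70 1C 8B 46 08 8B 7E 20 8B 36 66 39 4F 18 75 F2 8B D0 8B 42
3C 8B 44 10 78 03 C2 8B 70 20 03 F2 68 73 73 00 00 68 64 64 72 65 68 72 6F 63 41 68 47 65 74 50
54 33 C9 8B 3E 03 FA 56 8B 74 24 04 51 B9 0F 00 00 00 F3 A6 74 0B 59 5E 83 C6 04 41 3B 48 18 72
E2 59 8B 70 24 03 F2 0F B7 0C 4E 8B 70 1C 03 F2 8B 34 8E 03 F2 8B FA 6A 00 68 61 72 79 41 68 4C
69 62 72 68 4C 6F 61 64 54 52 FF D6 E8 0D 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 5B 53
FF D0 E8 19 00 00 00 47 65 74 50 72 69 76 61 74 65 50 72 6F 66 69 6C 65 53 74 72 69 6E 67 41 00
5B 53 50 FF D6 E8 0A 00 00 00 2E 5C 4B 65 79 2E 64 61 74 00 5B 53 68 56 02 00 00 E8 00 00 00 00
5B 83 C3 50 53 6A 00 E8 04 00 00 00 4C 69 63 00 5B 53 E8 09 00 00 00 CA DA C8 A8 CE C4 BC FE 00
5B 53 FF D0 8B 44 24 F4 E8 07 00 00 00 90 FF 25 48 10 82 00 80 38 00 0F 84 5D FE FF FF 5B 50 FF
D3 68 BC 38 5C 00 C3
"""

ORIG_BASE = 0x0081E000   # address the dumps were assembled at
PIECE1_OFF = 0x150       # piece 1 sits at base+0x150 in the post's layout
MARK4_OFF = 0xCA         # HWID popup entry, inside piece 2
THUNK_OFF = 0x112        # first FF 25 thunk, inside piece 2
# Thunk order, confirmed by decoding the E8 call sites in call_targets().
THUNK_NAMES = ["VMProtectGetCurrentHWID", "CloseClipboard", "EmptyClipboard",
               "MessageBoxA", "OpenClipboard", "SetClipboardData", "ExitProcess",
               "GlobalAlloc", "GlobalLock", "GlobalUnlock"]
IMPORTS = ["VMProtectSetSerialNumber"] + THUNK_NAMES
# Base-relative dword operands in piece 2: operand offset -> opcode in front.
PIECE2_ABS = {0xBD: b"\xBB",                     # mov ebx, MARK_1
              0xD9: b"\xA3", 0xDF: b"\xFF\x35",  # HWID size slot (store, push)
              0xE4: b"\x68", 0xEE: b"\x68", 0xFF: b"\x68",  # push HWID buffer
              0xFA: b"\x68"}                     # push title string
P1_IAT_SLOT = 0x110  # operand of jmp dword ptr [VMProtectSetSerialNumber]
P1_JE = 0x117        # 0F 84 rel32 -> MARK_4, the only cross-piece reference
P1_OEP = 0x122       # operand of push <original OEP>


def u32(b, off): return struct.unpack_from("<I", b, off)[0]
def i32(b, off): return struct.unpack_from("<i", b, off)[0]


def load_pieces():
    p1 = bytearray(bytes.fromhex("".join(PIECE1_HEX.split())))
    p2 = bytearray(bytes.fromhex("".join(PIECE2_HEX.split())))
    assert len(p2) == THUNK_OFF + 6 * len(THUNK_NAMES)  # ends with the thunks
    assert p2[0x7C] == 0x8D and p2[0xAD] == 0x55 and p2[MARK4_OFF] == 0x6A
    assert p1[P1_JE:P1_JE + 2] == b"\x0F\x84" and p1[P1_OEP - 1] == 0x68
    return p1, p2


def thunk_slots(p2):
    """IAT slot address behind each FF 25 thunk, keyed by import name."""
    slots = {}
    for i, name in enumerate(THUNK_NAMES):
        off = THUNK_OFF + 6 * i
        assert p2[off:off + 2] == b"\xFF\x25", hex(off)
        slots[name] = u32(p2, off + 2)
    return slots


def call_targets(p2):
    """Resolve each E8 call in piece 2 that lands on a thunk to its import."""
    by_off = {THUNK_OFF + 6 * i: n for i, n in enumerate(THUNK_NAMES)}
    sites = [0x0C, 0x19, 0x34, 0x42, 0x5A, 0x62, 0x71, 0xCE, 0xE8, 0x105, 0x10C]
    out = {}
    for off in sites:
        assert p2[off] == 0xE8, hex(off)
        out[off] = by_off[off + 5 + i32(p2, off + 1)]  # rel32 from next insn
    return out


def relocate(new_base, iat, new_oep, piece1_off=PIECE1_OFF):
    """Patched image for new_base; iat maps import name -> its IAT slot VA."""
    p1, p2 = load_pieces()
    delta = new_base - ORIG_BASE
    for off, op in PIECE2_ABS.items():
        assert p2[off - len(op):off] == op, hex(off)
        struct.pack_into("<I", p2, off, (u32(p2, off) + delta) & 0xFFFFFFFF)
    for i, name in enumerate(THUNK_NAMES):
        struct.pack_into("<I", p2, THUNK_OFF + 6 * i + 2, iat[name])
    struct.pack_into("<I", p1, P1_IAT_SLOT, iat["VMProtectSetSerialNumber"])
    struct.pack_into("<I", p1, P1_OEP, new_oep)
    # je rel32 counts from the end of its 6-byte encoding to MARK_4.
    struct.pack_into("<i", p1, P1_JE + 2, MARK4_OFF - (piece1_off + P1_JE + 6))
    assert piece1_off >= len(p2), "piece 1 would overlap the thunk table"
    return bytes(p2) + b"\xCC" * (piece1_off - len(p2)) + bytes(p1)
```

relocate() keeps the post's layout by default (piece 2 at base+0, piece 1 at base+0x150), so the intra-piece E8 calls, which are relative, need no change; passing a different piece1_off re-encodes the je accordingly. The image does not cover the stub's scratch memory: it writes the 0x256-byte license buffer at base+0x280, the HWID text at base+0x333 and its size at base+0x4B0, and reads the title from base+0x666, so the region handed to it must be writable and zeroed through at least base+0x700, with the title string placed at base+0x666 by hand. Note that the HWID scratch area overlaps the license buffer (base+0x280..base+0x4D6); that is harmless only because the two paths never both run.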
Last edited by daohaodaye on 2019-3-1 00:36. Reason: fixed several hard-coded addresses, so fewer places need patching.