Take a look at this analysis article: [encoded link] [encoded link]. I want to know how the VMP shell is unpacked.
Search X for "from:@vxunderground SugarGh0st" and you will find the related information: [encoded link] [encoded link]
Checking update.dll_DEDF98E7E085CED2D3266AFA9279E4C7 in DIE shows the VMP 1.7 protector: VMProtect(1.70)[Max protection]
The idea came from here: https://bbs.kanxue.com/thread-246429.htm
With this old version of VMP, execution starts in the .vmp section and at the end jumps to the OEP in the .text section, so logically it is enough to break on the first execution inside the .text section.
Why not simply set a memory execute breakpoint on the .text section?
Because the program calls VirtualProtect to change the permissions of the .text section, which makes the memory execute breakpoint ineffective.
Load update.dll in 32-bit x64dbg and look at the memory of the .text section; on my machine the start address is 0x00231000. Take a snapshot.
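An added example, not from the original post or from the linked thread: a pure-Python PE32 section-table check that confirms the entry point sits in .vmp (so the first execution in .text is the OEP candidate) and computes the runtime .text range to break on. The load base 0x00230000 is an assumption inferred from the 0x00231000 .text start above; the PE header used as input is constructed, not the real update.dll.

```python
import struct

def parse_pe_sections(data):
    """Parse a PE32 header: return (entry_rva, image_base, [(name, va, vsize, characteristics)])."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    assert data[e_lfanew:e_lfanew + 4] == b"PE\0\0", "not a PE image"
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    image_base = struct.unpack_from("<I", data, opt + 28)[0]  # ImageBase (PE32 layout, 32-bit DLL as on the page)
    sections = []
    for i in range(num_sections):
        name, vsize, va, *_, chars = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + i * 40)
        sections.append((name.rstrip(b"\0").decode(), va, vsize, chars))
    return entry_rva, image_base, sections

def section_of(sections, rva):
    """Name of the section containing rva, or None if it falls outside every section."""
    for name, va, vsize, _ in sections:
        if va <= rva < va + vsize:
            return name
    return None

def oep_break_plan(data, load_base):
    """Entry section of the packed DLL plus the runtime .text range whose first execution
    is the OEP candidate; load_base is where x64dbg actually mapped the DLL (ASLR)."""
    entry_rva, _, sections = parse_pe_sections(data)
    _, text_va, text_vsize, _ = next(s for s in sections if s[0] == ".text")
    return {
        "entry_section": section_of(sections, entry_rva),   # expect ".vmp" for this packer
        "entry_va": load_base + entry_rva,
        # VirtualProtect is called on this range before the jump to the OEP (that is what
        # kills a memory-execute breakpoint), so break on VirtualProtect with lpAddress in it.
        "text_range": (load_base + text_va, load_base + text_va + text_vsize),
    }

def build_sample_pe():
    """Constructed minimal PE32 header (not the real update.dll): entry point in .vmp, .text at RVA 0x1000."""
    secs = [(b".text", 0x1000, 0x2000, 0x60000020), (b".vmp", 0x3000, 0x5000, 0xE0000020)]
    dos = bytearray(0x40); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, 0xE0, 0x2102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", opt, 16, 0x3000 + 0x40)   # entry point inside .vmp
    struct.pack_into("<I", opt, 28, 0x10000000)      # preferred ImageBase
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, vs, 0, 0, 0, 0, 0, c) for n, va, vs, c in secs)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs
```

Run it on the real DLL by reading its bytes into `oep_break_plan` with the base x64dbg reports; the returned range is what the conditional VirtualProtect breakpoint should test against.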
Method 1:
Method 2:
2024/5/9
NT10086: Is there a tutorial for 64-bit DLLs?