[原创]破解vmp程序的关键点-软件逆向-看雪-安全社区|安全招聘|kanxue.com

最新回复 (91) ◀ 1 2 3 4
Bughoho 雪币： 1946 活跃值： (248) 能力值： (RANK：330 ) 在线值：发帖 72 回帖 1217 粉丝 27 关注私信	Bughoho 8 76 楼 [QUOTE=forgot;582634]这难道是... A B A-B ~A+B 0 0 (0)0 (0)1 0 1 (1)1 (1)0 1 0 (0)1 (0)0 1 1 (0)1 (0)0 [/QUOTE] 才反应过来. 感谢发哥为我解决了XX困难 2009-2-23 11:07 0
Isaiah 雪币： 331 活跃值： (56) 能力值： ( LV13，RANK：410 ) 在线值：发帖 68 回帖 1293 粉丝 2 关注私信	Isaiah 10 90 楼 VMP_LOAD VMP_STORE 2009-2-23 11:26 0
AsmDebuger 雪币： 1270 活跃值： (109) 能力值： ( LV5，RANK：60 ) 在线值：发帖 8 回帖 362 粉丝 1 关注私信	AsmDebuger 1 98 楼看来懂VMP必须要学好逻辑运算，什么时候能够根据CPU运行的指令流来统计、分析它的功能就好了，似乎这句也很绕的。 VMP就是保护的终极版。最终幻想：根据CPU的状态、行为来得出一个软件运行机制的分析机（不是IDA）。 2009-2-23 11:55 0
KooJiSung 雪币： 357 活跃值： (3403) 能力值： ( LV3，RANK：25 ) 在线值：发帖 8 回帖 682 粉丝 3 关注私信	KooJiSung 100 楼看不懂not and，搞去混淆，结果失败了 0079A057 pop reloc 20 (00000000) 0079A057 pop edx 18 (7C92EB94) 0079A057 pop vm_reg1 04 (7C92EB94) 0079A057 pop ecx 34 (0012FFB0) 0079A057 pop esi 30 (FFFFFFFF) 0079A057 pop eax 08 (00000000) 0079A057 pop ebx 10 (7FFDD000) 0079A057 pop ebp 3C (0012FFF0) 0079A057 pop edi 38 (7C930738) 0079A057 pop efl 2C (00000246) 0079A057 pop vm_reg3 0C (0066B57C) 0079A057 pop ac1 14 (30049E9B) 00799FBF push efl 2C (00000246) 00799BD1 push 0066B50F 00799BD1 push 00691AC3 00797E5B push 0000 00799BD1 push 0066D439 00798B80 pop_word; word[00] = (BYTE )[0066D439] 00798594 push esp 007980BC pop_word; word[00] = (BYTE )[0012FFB4] 00797ED0 push_word; dword[efl] + word[and not(00),not(00)] 0079A057 pop vm_reg2 28 (00000286) 0079893D push_word; dword[efl] + word[add FF,00] 0079A057 pop vm_reg2 28 (00000286) 00798594 push esp 007980BC pop_word; word[FF] = (BYTE )[0012FFB6] 00797ED0 push_word; dword[efl] + word[and not(FF),not(FF)] 0079A057 pop vm_reg3 0C (00000246) 00798AF0 pop word vm_efl 1C (0000) 00799FBF push vm_reg2 28 (00000286) 00798594 push esp 00798019 [esp] -> [esp]; [0012FFB4] - > [00000286] 00799372 dword[efl] + dword[and not(00000286),not(00000286)] 0079A057 pop vm_opcode 24 (00000282) 007989A9 push FFFFF7EA (cwde) 00799372 dword[efl] + dword[and not(FFFFF7EA),not(FFFFFD79)] 0079A057 pop efl 2C (00000202) 00799FBF push vm_reg3 0C (00000246) 00798594 push esp 00798019 [esp] -> [esp]; [0012FFB0] - > [00000246] 00799372 dword[efl] + dword[and not(00000246),not(00000246)] 0079A057 pop vm_opcode 24 (00000282) 007989A9 push 00000815 (cwde) 00799372 dword[efl] + dword[and not(00000815),not(FFFFFDB9)] 0079A057 pop efl 2C (00000206) 00799DB1 dword[efl] + dword[add 00000242,00000004] 0079A057 pop vm_efl 1C (00000202) 0079A057 pop vm_efl 1C (00000246) 00798594 push esp 00797E5B push 0004 00799FBF push vm_efl 1C (00000246) 007980A5 push FFFFFFBF (cbw;cwde) 00799372 dword[efl] + dword[and not(FFFFFFBF),not(00000246)] 0079A057 pop vm_opcode 24 (00000246) 0079A0D0 push_word; dword[efl] + dword[shr 00000000,04] 0079A057 pop vm_opcode 24 (00000246) 00799DB1 dword[efl] + dword[add 00000000,0012FFB8] 0079A057 pop vm_reg1 04 (00000206) 00798019 [esp] -> [esp]; [0012FFB8] - > [00691AC3] 0079A057 pop vm_reg1 04 (00691AC3) 0079A057 pop vm_opcode 24 (00691AC3) 0079A057 pop vm_reg2 28 (0066B50F) 00799FBF push vm_reg1 04 (00691AC3) 0079A057 pop vm_opcode 24 (00691AC3) 00799FBF push eax 08 (00000000) 00799FBF push ebx 10 (7FFDD000) 00799FBF push ebx 10 (7FFDD000) 00799FBF push eax 08 (00000000) 00799FBF push edx 18 (7C92EB94) 00799FBF push esi 30 (FFFFFFFF) 00799FBF push edi 38 (7C930738) 00799FBF push vm_efl 1C (00000246) 00799FBF push ebp 3C (0012FFF0) 00799FBF push efl 2C (00000206) 00799FBF push ecx 34 (0012FFB0) 00799FBF push reloc 20 (00000000) 00799FBF push vm_opcode 24 (00691AC3) 00798316 pop; set opcode -> 00691AC3 = 00691AC3 + 00000000 0079A057 pop reloc 14 (00000000) 0079A057 pop ecx 04 (0012FFB0) 0079A057 pop efl 24 (00000206) 0079A057 pop ebp 0C (0012FFF0) 0079A057 pop vm_efl 10 (00000246) 0079A057 pop edi 1C (7C930738) 0079A057 pop esi 34 (FFFFFFFF) 0079A057 pop edx 00 (7C92EB94) 0079A057 pop eax 08 (00000000) 0079A057 pop ebx 38 (7FFDD000) 0079A057 pop szUnknow 28 (7FFDD000) 0079A057 pop szUnknow 30 (00000000) 00799FBF push eax 08 (00000000) 00799FBF push ebx 38 (7FFDD000) 00799FBF push ecx 04 (0012FFB0) 00799FBF push edx 00 (7C92EB94) 00799FBF push ebp 0C (0012FFF0) 00799FBF push esi 34 (FFFFFFFF) 00799FBF push edi 1C (7C930738) 00798594 push esp 0079A057 pop szUnknow 20 (0012FFA4) 007989A9 push 00000800 (cwde) 007980A5 push 00000008 (cbw;cwde) 00798594 push esp 00799DB1 dword[efl] + dword[add 0012FF9C,00000008] 0079A057 pop ebp 0C (00000212) 00798594 push esp 007980A5 push 00000008 (cbw;cwde) 2009-2-23 13:39 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

最新回复 (91) ◀ 1 2 3 4
Bughoho 雪币： 1946 活跃值： (248) 能力值： (RANK：330 ) 在线值：发帖 72 回帖 1217 粉丝 27 关注私信	Bughoho 8 76 楼 [QUOTE=forgot;582634]这难道是... A B A-B ~A+B 0 0 (0)0 (0)1 0 1 (1)1 (1)0 1 0 (0)1 (0)0 1 1 (0)1 (0)0 [/QUOTE] 才反应过来. 感谢发哥为我解决了XX困难 2009-2-23 11:07 0
Isaiah 雪币： 331 活跃值： (56) 能力值： ( LV13，RANK：410 ) 在线值：发帖 68 回帖 1293 粉丝 2 关注私信	Isaiah 10 90 楼 VMP_LOAD VMP_STORE 2009-2-23 11:26 0
AsmDebuger 雪币： 1270 活跃值： (109) 能力值： ( LV5，RANK：60 ) 在线值：发帖 8 回帖 362 粉丝 1 关注私信	AsmDebuger 1 98 楼看来懂VMP必须要学好逻辑运算，什么时候能够根据CPU运行的指令流来统计、分析它的功能就好了，似乎这句也很绕的。 VMP就是保护的终极版。最终幻想：根据CPU的状态、行为来得出一个软件运行机制的分析机（不是IDA）。 2009-2-23 11:55 0
KooJiSung 雪币： 357 活跃值： (3403) 能力值： ( LV3，RANK：25 ) 在线值：发帖 8 回帖 682 粉丝 3 关注私信	KooJiSung 100 楼看不懂not and，搞去混淆，结果失败了 0079A057 pop reloc 20 (00000000) 0079A057 pop edx 18 (7C92EB94) 0079A057 pop vm_reg1 04 (7C92EB94) 0079A057 pop ecx 34 (0012FFB0) 0079A057 pop esi 30 (FFFFFFFF) 0079A057 pop eax 08 (00000000) 0079A057 pop ebx 10 (7FFDD000) 0079A057 pop ebp 3C (0012FFF0) 0079A057 pop edi 38 (7C930738) 0079A057 pop efl 2C (00000246) 0079A057 pop vm_reg3 0C (0066B57C) 0079A057 pop ac1 14 (30049E9B) 00799FBF push efl 2C (00000246) 00799BD1 push 0066B50F 00799BD1 push 00691AC3 00797E5B push 0000 00799BD1 push 0066D439 00798B80 pop_word; word[00] = (BYTE )[0066D439] 00798594 push esp 007980BC pop_word; word[00] = (BYTE )[0012FFB4] 00797ED0 push_word; dword[efl] + word[and not(00),not(00)] 0079A057 pop vm_reg2 28 (00000286) 0079893D push_word; dword[efl] + word[add FF,00] 0079A057 pop vm_reg2 28 (00000286) 00798594 push esp 007980BC pop_word; word[FF] = (BYTE )[0012FFB6] 00797ED0 push_word; dword[efl] + word[and not(FF),not(FF)] 0079A057 pop vm_reg3 0C (00000246) 00798AF0 pop word vm_efl 1C (0000) 00799FBF push vm_reg2 28 (00000286) 00798594 push esp 00798019 [esp] -> [esp]; [0012FFB4] - > [00000286] 00799372 dword[efl] + dword[and not(00000286),not(00000286)] 0079A057 pop vm_opcode 24 (00000282) 007989A9 push FFFFF7EA (cwde) 00799372 dword[efl] + dword[and not(FFFFF7EA),not(FFFFFD79)] 0079A057 pop efl 2C (00000202) 00799FBF push vm_reg3 0C (00000246) 00798594 push esp 00798019 [esp] -> [esp]; [0012FFB0] - > [00000246] 00799372 dword[efl] + dword[and not(00000246),not(00000246)] 0079A057 pop vm_opcode 24 (00000282) 007989A9 push 00000815 (cwde) 00799372 dword[efl] + dword[and not(00000815),not(FFFFFDB9)] 0079A057 pop efl 2C (00000206) 00799DB1 dword[efl] + dword[add 00000242,00000004] 0079A057 pop vm_efl 1C (00000202) 0079A057 pop vm_efl 1C (00000246) 00798594 push esp 00797E5B push 0004 00799FBF push vm_efl 1C (00000246) 007980A5 push FFFFFFBF (cbw;cwde) 00799372 dword[efl] + dword[and not(FFFFFFBF),not(00000246)] 0079A057 pop vm_opcode 24 (00000246) 0079A0D0 push_word; dword[efl] + dword[shr 00000000,04] 0079A057 pop vm_opcode 24 (00000246) 00799DB1 dword[efl] + dword[add 00000000,0012FFB8] 0079A057 pop vm_reg1 04 (00000206) 00798019 [esp] -> [esp]; [0012FFB8] - > [00691AC3] 0079A057 pop vm_reg1 04 (00691AC3) 0079A057 pop vm_opcode 24 (00691AC3) 0079A057 pop vm_reg2 28 (0066B50F) 00799FBF push vm_reg1 04 (00691AC3) 0079A057 pop vm_opcode 24 (00691AC3) 00799FBF push eax 08 (00000000) 00799FBF push ebx 10 (7FFDD000) 00799FBF push ebx 10 (7FFDD000) 00799FBF push eax 08 (00000000) 00799FBF push edx 18 (7C92EB94) 00799FBF push esi 30 (FFFFFFFF) 00799FBF push edi 38 (7C930738) 00799FBF push vm_efl 1C (00000246) 00799FBF push ebp 3C (0012FFF0) 00799FBF push efl 2C (00000206) 00799FBF push ecx 34 (0012FFB0) 00799FBF push reloc 20 (00000000) 00799FBF push vm_opcode 24 (00691AC3) 00798316 pop; set opcode -> 00691AC3 = 00691AC3 + 00000000 0079A057 pop reloc 14 (00000000) 0079A057 pop ecx 04 (0012FFB0) 0079A057 pop efl 24 (00000206) 0079A057 pop ebp 0C (0012FFF0) 0079A057 pop vm_efl 10 (00000246) 0079A057 pop edi 1C (7C930738) 0079A057 pop esi 34 (FFFFFFFF) 0079A057 pop edx 00 (7C92EB94) 0079A057 pop eax 08 (00000000) 0079A057 pop ebx 38 (7FFDD000) 0079A057 pop szUnknow 28 (7FFDD000) 0079A057 pop szUnknow 30 (00000000) 00799FBF push eax 08 (00000000) 00799FBF push ebx 38 (7FFDD000) 00799FBF push ecx 04 (0012FFB0) 00799FBF push edx 00 (7C92EB94) 00799FBF push ebp 0C (0012FFF0) 00799FBF push esi 34 (FFFFFFFF) 00799FBF push edi 1C (7C930738) 00798594 push esp 0079A057 pop szUnknow 20 (0012FFA4) 007989A9 push 00000800 (cwde) 007980A5 push 00000008 (cbw;cwde) 00798594 push esp 00799DB1 dword[efl] + dword[add 0012FF9C,00000008] 0079A057 pop ebp 0C (00000212) 00798594 push esp 007980A5 push 00000008 (cbw;cwde) 2009-2-23 13:39 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复