-
-
[分享]VMP1.7壳破法
-
发表于:
2009-7-1 16:22
8597
-
2009年05月07日 星期四 上午 00:40//vmp 1.7 iat repair
//run the script at oep
//vmp code base = va of .vmp0
//vmp code end = va of .vmp1
//if the program crashes, check log and make sure "mov reg32, [iat]" references are correctly fixed!
var codebase
var refaddr
var vmpbase
var vmpend
var ptr
var tmpesp
var oep
var tmp
var codesize
var isfirst
var phase
mov oep, eip
GMI eip, CODEBASE
mov codebase, $RESULT
mov ptr, codebase
GMI eip, CODESIZE
mov codesize, $RESULT
Ask "vmp code base"
mov vmpbase, $RESULT
Ask "vmp code end"
mov vmpend, $RESULT
mov tmpesp, esp
next:
mov esp, tmpesp
cmp phase, 0
jne findcall
find ptr, #E9??????00#
jmp check
findcall:
find ptr, #E8??????0090#
check:
cmp $RESULT,0
je done
cmp $RESULT, vmpbase
ja done
mov ptr, $RESULT
mov eip, ptr
inc ptr
mov tmp, [ptr]
add tmp, eip
cmp tmp, vmpbase
jb next
cmp tmp, vmpend
ja next
mov refaddr, ptr
cmp isfirst, 0
jne fuck
firstfuck:
sti
find eip,#c2#,1
cmp $RESULT,0
je firstfuck
bphws eip, "x"
inc isfirst
jmp fix
fuck:
run
fix:
mov eip, refaddr
mov tmp, eip
add tmp, 5
find tmp, #ffd6#, 12
cmp $RESULT,0
je fix1
dec eip
eval "mov esi, {eax}"
asm eip, $RESULT
log eip
add ptr, 6
jmp next
fix1:
find tmp, #ffd7#, 12
cmp $RESULT,0
je fix2
dec eip
eval "mov edi, {eax}"
asm eip, $RESULT
log eip
add ptr, 6
jmp next
fix2:
find tmp, #ffd3#, 12
cmp $RESULT,0
je normalfix
dec eip
eval "mov ebx, {eax}"
asm eip, $RESULT
log eip
add ptr, 6
jmp next
normalfix:
sub eax, refaddr
sub eax, 4
mov [refaddr], eax, 4
add ptr, 5
log eip
jmp next
done:
cmp phase, 0
jne exit
inc phase
mov ptr, codebase
jmp next
exit:
mov eip, oep
ret这壳比较简单,脚本也简单.
跑到oep以后跑一下,第一个参数是vmp0段地址,第二个是vmp1段地址,跑完了如果程序不能运行,找找mov reg32, [iat]这类的有没有错误.
完了以后用UIF把直接地址转换成IAT,就行了
[培训]《安卓高级研修班(网课)》月薪三万计划,掌握调试、分析还原ollvm、vmp的方法,定制art虚拟机自动化脱壳的方法
