VMProtect代码还原By ReWolf

Eddy 发布于2011-6-7 12:56:7 分类: 加密解密

下面是 ReWolf 在一篇关于 VMProtect 的文章中给出的一段代码还原思路,分三步进行。每一步的清单都分为两栏:左栏是该步的输入,右栏是化简后的结果;右栏留空表示该行已被合并或删除。

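第一步:把虚拟机的栈式 push/pop 序列合并成直接赋值(push X 与对应的 pop Y 合并为 Y = X)。清单中的立即数均为十进制,例如 19088743 = 0x01234567,-1985229329 = 0x89ABCDEF。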
Temporary variables:            Temporary variables:                         
DWORD t0                        DWORD t0                                     
DWORD t1                        DWORD t1                                     
DWORD t2                        DWORD t2                                     
DWORD t3                        DWORD t3                                     
DWORD t4                        DWORD t4                                     
DWORD t5                        DWORD t5                                     
DWORD t6                        DWORD t6                                     
DWORD t7                        DWORD t7                                     
DWORD t8                        DWORD t8                                     
DWORD t9                        DWORD t9                                     
DWORD t10                       DWORD t10                                    
DWORD t11                       DWORD t11                                    
DWORD t12                       DWORD t12                                    
DWORD t13                       DWORD t13                                    
DWORD t14                       DWORD t14                                    
DWORD t15                       DWORD t15                                    
DWORD t16                       DWORD t16                                    
DWORD t17                       DWORD t17                                    
push Dword(19088743)            
push Dword(-1985229329)         
push edi                        
push ecx                        
push edx                        
push esi                        
push ebp                        
push ebx                        
push eax                        
push edx                        
push eflags                     
push Dword(0)                   
pop DWORD Scratch:[Dword(24)]   DWORD Scratch:[Dword(24)] = Dword(0)         
pop DWORD Scratch:[Dword(28)]   DWORD Scratch:[Dword(28)] = eflags           
pop DWORD Scratch:[Dword(60)]   DWORD Scratch:[Dword(60)] = edx              
pop DWORD Scratch:[Dword(56)]   DWORD Scratch:[Dword(56)] = eax              
pop DWORD Scratch:[Dword(16)]   DWORD Scratch:[Dword(16)] = ebx              
pop DWORD Scratch:[Dword(32)]   DWORD Scratch:[Dword(32)] = ebp              
pop DWORD Scratch:[Dword(48)]   DWORD Scratch:[Dword(48)] = esi              
pop DWORD Scratch:[Dword(44)]   DWORD Scratch:[Dword(44)] = edx              
pop DWORD Scratch:[Dword(20)]   DWORD Scratch:[Dword(20)] = ecx              
pop DWORD Scratch:[Dword(0)]    DWORD Scratch:[Dword(0)] = edi               
pop DWORD Scratch:[Dword(4)]    DWORD Scratch:[Dword(4)] = Dword(-1985229329)
pop DWORD Scratch:[Dword(8)]    DWORD Scratch:[Dword(8)] = Dword(19088743)   
push DWORD Scratch:[Dword(32)]  push DWORD Scratch:[Dword(32)]               
push esp                                 
pop DWORD Scratch:[Dword(40)]   DWORD Scratch:[Dword(40)] = esp              
push Dword(-1)                  push Dword(-1)                               
push Dword(4525664)             push Dword(4525664)                          
push Dword(4362952)             push Dword(4362952)                          
push Dword(0)                   
pop t0                          t0 = Dword(0)                                
push DWORD FS:[t0]              push DWORD FS:[t0]                           
pop DWORD Scratch:[Dword(36)]   pop DWORD Scratch:[Dword(36)]                
push DWORD Scratch:[Dword(36)]  push DWORD Scratch:[Dword(36)]               
push esp                               
push Dword(0)                          
pop t1                          t1 = Dword(0)                                
pop t2                          t2 = esp                                     
DWORD FS:[t1] = t2              DWORD FS:[t1] = t2                           
push Dword(-88)                 
push esp                        
push Dword(4)                   
pop t3                          t3 = Dword(4)                                
pop t4                          t4 = esp                                     
t5 = t3 + t4                    t5 = t3 + t4                                 
push t5                         
push flags t5                   
pop DWORD Scratch:[Dword(52)]   DWORD Scratch:[Dword(52)] = flags t5         
pop t6                          t6 = t5                                      
pop t7                          t7 = Dword(-88)                              
t8 = t6 + t7                    t8 = t6 + t7                                 
push t8                         
push flags t8                   
pop DWORD Scratch:[Dword(12)]   DWORD Scratch:[Dword(12)] = flags t8         
pop esp                         esp = t8                                     
push DWORD Scratch:[Dword(16)]  push DWORD Scratch:[Dword(16)]               
push DWORD Scratch:[Dword(48)]  push DWORD Scratch:[Dword(48)]               
push DWORD Scratch:[Dword(0)]   push DWORD Scratch:[Dword(0)]                
push esp                        
push DWORD Scratch:[Dword(40)]  
push Dword(-24)                 
pop t9                          t9 = Dword(-24)                              
pop t10                         t10 = DWORD Scratch:[Dword(40)]              
t11 = t9 + t10                  t11 = t9 + t10                               
push t11                        
push flags t11                  
pop DWORD Scratch:[Dword(4)]    DWORD Scratch:[Dword(4)] = flags t11         
pop t12                         t12 = t11                                    
pop t13                         t13 = esp                                    
DWORD SS:[t12] = t13            DWORD SS:[t12] = t13                         
push Dword(4638392)             
push DWORD Scratch:[Dword(24)]  
pop t14                         t14 = DWORD Scratch:[Dword(24)]              
pop t15                         t15 = Dword(4638392)                         
t16 = t14 + t15                 t16 = t14 + t15                              
push t16                        push t16                                     
push flags t16                  
pop DWORD Scratch:[Dword(8)]    DWORD Scratch:[Dword(8)] = flags t16         
push Dword(4590300)             
pop t17                         t17 = Dword(4590300)                         
push DWORD [t17]                push DWORD [t17]                             
push DWORD Scratch:[Dword(0)]   
push DWORD Scratch:[Dword(20)]  
push DWORD Scratch:[Dword(44)]  
push DWORD Scratch:[Dword(48)]  
push DWORD Scratch:[Dword(40)]  
push DWORD Scratch:[Dword(16)]  
push DWORD Scratch:[Dword(36)]  
push DWORD Scratch:[Dword(60)]  
push DWORD Scratch:[Dword(12)]  
push DWORD Scratch:[Dword(24)]  
pop edx                         edx = DWORD Scratch:[Dword(24)]              
pop eflags                      eflags = DWORD Scratch:[Dword(12)]           
pop edx                         edx = DWORD Scratch:[Dword(60)]              
pop eax                         eax = DWORD Scratch:[Dword(36)]              
pop ebx                         ebx = DWORD Scratch:[Dword(16)]              
pop ebp                         ebp = DWORD Scratch:[Dword(40)]              
pop esi                         esi = DWORD Scratch:[Dword(48)]              
pop ecx                         ecx = DWORD Scratch:[Dword(44)]              
pop ecx                         ecx = DWORD Scratch:[Dword(20)]              
pop edi                         edi = DWORD Scratch:[Dword(0)]               
ret                             ret



第二步:把临时变量 t0–t17 代入使用处并消去,同时删除随后就被覆盖的寄存器赋值(如 edx = Scratch:[24]、ecx = Scratch:[44])。

Temporary variables:                             
DWORD t0                                         
DWORD t1                                         
DWORD t2                                         
DWORD t3                                         
DWORD t4                                         
DWORD t5                                         
DWORD t6                                         
DWORD t7                                         
DWORD t8                                         
DWORD t9                                         
DWORD t10                                        
DWORD t11                                        
DWORD t12                                        
DWORD t13                                        
DWORD t14                                        
DWORD t15                                        
DWORD t16                                        
DWORD t17                                        
DWORD Scratch:[Dword(24)] = Dword(0)             DWORD Scratch:[Dword(24)] = Dword(0)                                       
DWORD Scratch:[Dword(28)] = eflags               DWORD Scratch:[Dword(28)] = eflags                                         
DWORD Scratch:[Dword(60)] = edx                  DWORD Scratch:[Dword(60)] = edx                                            
DWORD Scratch:[Dword(56)] = eax                  DWORD Scratch:[Dword(56)] = eax                                            
DWORD Scratch:[Dword(16)] = ebx                  DWORD Scratch:[Dword(16)] = ebx                                            
DWORD Scratch:[Dword(32)] = ebp                  DWORD Scratch:[Dword(32)] = ebp                                            
DWORD Scratch:[Dword(48)] = esi                  DWORD Scratch:[Dword(48)] = esi                                            
DWORD Scratch:[Dword(44)] = edx                  DWORD Scratch:[Dword(44)] = edx                                            
DWORD Scratch:[Dword(20)] = ecx                  DWORD Scratch:[Dword(20)] = ecx                                            
DWORD Scratch:[Dword(0)] = edi                   DWORD Scratch:[Dword(0)] = edi                                             
DWORD Scratch:[Dword(4)] = Dword(-1985229329)    DWORD Scratch:[Dword(4)] = Dword(-1985229329)                              
DWORD Scratch:[Dword(8)] = Dword(19088743)       DWORD Scratch:[Dword(8)] = Dword(19088743)                                 
push DWORD Scratch:[Dword(32)]                   push DWORD Scratch:[Dword(32)]                                             
DWORD Scratch:[Dword(40)] = esp                  DWORD Scratch:[Dword(40)] = esp                                            
push Dword(-1)                                   push Dword(-1)                                                             
push Dword(4525664)                              push Dword(4525664)                                                        
push Dword(4362952)                              push Dword(4362952)                                                        
t0 = Dword(0)                                    
push DWORD FS:[t0]                               push DWORD FS:[Dword(0)]                                                   
pop DWORD Scratch:[Dword(36)]                    pop DWORD Scratch:[Dword(36)]                                              
push DWORD Scratch:[Dword(36)]                   push DWORD Scratch:[Dword(36)]                                             
t1 = Dword(0)                                    
t2 = esp                                         
DWORD FS:[t1] = t2                               DWORD FS:[Dword(0)] = esp                                                  
t3 = Dword(4)                                    
t4 = esp                                         
t5 = t3 + t4                                     
DWORD Scratch:[Dword(52)] = flags t5             DWORD Scratch:[Dword(52)] = flags Dword(4) + esp                           
t6 = t5                                          
t7 = Dword(-88)                                  
t8 = t6 + t7                                     
DWORD Scratch:[Dword(12)] = flags t8             DWORD Scratch:[Dword(12)] = flags Dword(4) + esp + Dword(-88)              
esp = t8                                         esp = Dword(4) + esp + Dword(-88)                                          
push DWORD Scratch:[Dword(16)]                   push DWORD Scratch:[Dword(16)]                                             
push DWORD Scratch:[Dword(48)]                   push DWORD Scratch:[Dword(48)]                                             
push DWORD Scratch:[Dword(0)]                    push DWORD Scratch:[Dword(0)]                                              
t9 = Dword(-24)                                  
t10 = DWORD Scratch:[Dword(40)]                  
t11 = t9 + t10                                   
DWORD Scratch:[Dword(4)] = flags t11             DWORD Scratch:[Dword(4)] = flags Dword(-24) + DWORD Scratch:[Dword(40)]    
t12 = t11                                        
t13 = esp                                        
DWORD SS:[t12] = t13                             DWORD SS:[Dword(-24) + DWORD Scratch:[Dword(40)]] = esp                    
t14 = DWORD Scratch:[Dword(24)]                  
t15 = Dword(4638392)                             
t16 = t14 + t15                                  
push t16                                         push DWORD Scratch:[Dword(24)] + Dword(4638392)                            
DWORD Scratch:[Dword(8)] = flags t16             DWORD Scratch:[Dword(8)] = flags DWORD Scratch:[Dword(24)] + Dword(4638392)
t17 = Dword(4590300)                                                                      
push DWORD [t17]                                 push DWORD [Dword(4590300)]                                                
edx = DWORD Scratch:[Dword(24)]                                                           
eflags = DWORD Scratch:[Dword(12)]               eflags = DWORD Scratch:[Dword(12)]                                         
edx = DWORD Scratch:[Dword(60)]                  edx = DWORD Scratch:[Dword(60)]                                            
eax = DWORD Scratch:[Dword(36)]                  eax = DWORD Scratch:[Dword(36)]                                            
ebx = DWORD Scratch:[Dword(16)]                  ebx = DWORD Scratch:[Dword(16)]                                            
ebp = DWORD Scratch:[Dword(40)]                  ebp = DWORD Scratch:[Dword(40)]                                            
esi = DWORD Scratch:[Dword(48)]                  esi = DWORD Scratch:[Dword(48)]                                            
ecx = DWORD Scratch:[Dword(44)]                                                           
ecx = DWORD Scratch:[Dword(20)]                  ecx = DWORD Scratch:[Dword(20)]   
edi = DWORD Scratch:[Dword(0)]                   edi = DWORD Scratch:[Dword(0)]    
ret                                              ret



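第三步:按入口处的保存和出口处的恢复关系,把 Scratch 槽位换回真实寄存器或常量,并删除不再需要的 Scratch 读写。右栏即还原结果,看起来是一段登记 SEH 帧的普通函数序言(在 32 位 Windows 上 FS:[0] 指向异常处理链表头)。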

DWORD Scratch:[Dword(24)] = Dword(0)
DWORD Scratch:[Dword(28)] = eflags
DWORD Scratch:[Dword(60)] = edx
DWORD Scratch:[Dword(56)] = eax
DWORD Scratch:[Dword(16)] = ebx
DWORD Scratch:[Dword(32)] = ebp
DWORD Scratch:[Dword(48)] = esi
DWORD Scratch:[Dword(44)] = edx
DWORD Scratch:[Dword(20)] = ecx
DWORD Scratch:[Dword(0)] = edi
DWORD Scratch:[Dword(4)] = Dword(-1985229329)
DWORD Scratch:[Dword(8)] = Dword(19088743)
push DWORD Scratch:[Dword(32)]                                              push ebp                                  
DWORD Scratch:[Dword(40)] = esp                                             ebp = esp                                 
push Dword(-1)                                                              push Dword(-1)                            
push Dword(4525664)                                                         push Dword(4525664)                       
push Dword(4362952)                                                         push Dword(4362952)                       
push DWORD FS:[Dword(0)]                                                    push DWORD FS:[Dword(0)]                  
pop DWORD Scratch:[Dword(36)]                                               pop eax                                   
push DWORD Scratch:[Dword(36)]                                              push eax                                  
DWORD FS:[Dword(0)] = esp                                                   DWORD FS:[Dword(0)] = esp                 
DWORD Scratch:[Dword(52)] = flags Dword(4) + esp                            
DWORD Scratch:[Dword(12)] = flags Dword(4) + esp + Dword(-88)               eflags = flags Dword(4) + esp + Dword(-88)
esp = Dword(4) + esp + Dword(-88)                                           esp = Dword(4) + esp + Dword(-88)         
push DWORD Scratch:[Dword(16)]                                              push ebx                                  
push DWORD Scratch:[Dword(48)]                                              push esi                                  
push DWORD Scratch:[Dword(0)]                                               push edi                                  
DWORD Scratch:[Dword(4)] = flags Dword(-24) + DWORD Scratch:[Dword(40)]     DWORD SS:[Dword(-24) + ebp] = esp         
DWORD SS:[Dword(-24) + DWORD Scratch:[Dword(40)]] = esp                                 
push DWORD Scratch:[Dword(24)] + Dword(4638392)                             push Dword(0) + Dword(4638392)            
DWORD Scratch:[Dword(8)] = flags DWORD Scratch:[Dword(24)] + Dword(4638392)                
push DWORD [Dword(4590300)]                                                 push DWORD [Dword(4590300)]   
eflags = DWORD Scratch:[Dword(12)]                                          
edx = DWORD Scratch:[Dword(60)]
eax = DWORD Scratch:[Dword(36)]
ebx = DWORD Scratch:[Dword(16)]
ebp = DWORD Scratch:[Dword(40)]
esi = DWORD Scratch:[Dword(48)]
ecx = DWORD Scratch:[Dword(20)]
edi = DWORD Scratch:[Dword(0)]
ret                                                                         ret

原创文章如转载,请注明:转载自Eddy Blog
原文地址:http://www.rrgod.com/decryption/788.html     欢迎订阅Eddy Blog
