VMProtect Code Restoration by ReWolf

Posted by Eddy on 2011-6-7 12:56:7. Category: Encryption/Decryption

This is the approach to restoring a piece of code, taken from ReWolf's article on VMProtect:

Step 1
Temporary variables:            Temporary variables:
DWORD t0                        DWORD t0
DWORD t1                        DWORD t1
DWORD t2                        DWORD t2
DWORD t3                        DWORD t3
DWORD t4                        DWORD t4
DWORD t5                        DWORD t5
DWORD t6                        DWORD t6
DWORD t7                        DWORD t7
DWORD t8                        DWORD t8
DWORD t9                        DWORD t9
DWORD t10                       DWORD t10
DWORD t11                       DWORD t11
DWORD t12                       DWORD t12
DWORD t13                       DWORD t13
DWORD t14                       DWORD t14
DWORD t15                       DWORD t15
DWORD t16                       DWORD t16
DWORD t17                       DWORD t17
push Dword(19088743)
push Dword(-1985229329)
push edi
push ecx
push edx
push esi
push ebp
push ebx
push eax
push edx
push eflags
push Dword(0)
pop DWORD Scratch:[Dword(24)]   DWORD Scratch:[Dword(24)] = Dword(0)
pop DWORD Scratch:[Dword(28)]   DWORD Scratch:[Dword(28)] = eflags
pop DWORD Scratch:[Dword(60)]   DWORD Scratch:[Dword(60)] = edx
pop DWORD Scratch:[Dword(56)]   DWORD Scratch:[Dword(56)] = eax
pop DWORD Scratch:[Dword(16)]   DWORD Scratch:[Dword(16)] = ebx
pop DWORD Scratch:[Dword(32)]   DWORD Scratch:[Dword(32)] = ebp
pop DWORD Scratch:[Dword(48)]   DWORD Scratch:[Dword(48)] = esi
pop DWORD Scratch:[Dword(44)]   DWORD Scratch:[Dword(44)] = edx
pop DWORD Scratch:[Dword(20)]   DWORD Scratch:[Dword(20)] = ecx
pop DWORD Scratch:[Dword(0)]    DWORD Scratch:[Dword(0)] = edi
pop DWORD Scratch:[Dword(4)]    DWORD Scratch:[Dword(4)] = Dword(-1985229329)
pop DWORD Scratch:[Dword(8)]    DWORD Scratch:[Dword(8)] = Dword(19088743)
push DWORD Scratch:[Dword(32)]  push DWORD Scratch:[Dword(32)]
push esp
pop DWORD Scratch:[Dword(40)]   DWORD Scratch:[Dword(40)] = esp
push Dword(-1)                  push Dword(-1)
push Dword(4525664)             push Dword(4525664)
push Dword(4362952)             push Dword(4362952)
push Dword(0)
pop t0                          t0 = Dword(0)
push DWORD FS:[t0]              push DWORD FS:[t0]
pop DWORD Scratch:[Dword(36)]   pop DWORD Scratch:[Dword(36)]
push DWORD Scratch:[Dword(36)]  push DWORD Scratch:[Dword(36)]
push esp
push Dword(0)
pop t1                          t1 = Dword(0)
pop t2                          t2 = esp
DWORD FS:[t1] = t2              DWORD FS:[t1] = t2
push Dword(-88)
push esp
push Dword(4)
pop t3                          t3 = Dword(4)
pop t4                          t4 = esp
t5 = t3 + t4                    t5 = t3 + t4
push t5
push flags t5
pop DWORD Scratch:[Dword(52)]   DWORD Scratch:[Dword(52)] = flags t5
pop t6                          t6 = t5
pop t7                          t7 = Dword(-88)
t8 = t6 + t7                    t8 = t6 + t7
push t8
push flags t8
pop DWORD Scratch:[Dword(12)]   DWORD Scratch:[Dword(12)] = flags t8
pop esp                         esp = t8
push DWORD Scratch:[Dword(16)]  push DWORD Scratch:[Dword(16)]
push DWORD Scratch:[Dword(48)]  push DWORD Scratch:[Dword(48)]
push DWORD Scratch:[Dword(0)]   push DWORD Scratch:[Dword(0)]
push esp
push DWORD Scratch:[Dword(40)]
push Dword(-24)
pop t9                          t9 = Dword(-24)
pop t10                         t10 = DWORD Scratch:[Dword(40)]
t11 = t9 + t10                  t11 = t9 + t10
push t11
push flags t11
pop DWORD Scratch:[Dword(4)]    DWORD Scratch:[Dword(4)] = flags t11
pop t12                         t12 = t11
pop t13                         t13 = esp
DWORD SS:[t12] = t13            DWORD SS:[t12] = t13
push Dword(4638392)
push DWORD Scratch:[Dword(24)]
pop t14                         t14 = DWORD Scratch:[Dword(24)]
pop t15                         t15 = Dword(4638392)
t16 = t14 + t15                 t16 = t14 + t15
push t16                        push t16
push flags t16
pop DWORD Scratch:[Dword(8)]    DWORD Scratch:[Dword(8)] = flags t16
push Dword(4590300)
pop t17                         t17 = Dword(4590300)
push DWORD [t17]                push DWORD [t17]
push DWORD Scratch:[Dword(0)]
push DWORD Scratch:[Dword(20)]
push DWORD Scratch:[Dword(44)]
push DWORD Scratch:[Dword(48)]
push DWORD Scratch:[Dword(40)]
push DWORD Scratch:[Dword(16)]
push DWORD Scratch:[Dword(36)]
push DWORD Scratch:[Dword(60)]
push DWORD Scratch:[Dword(12)]
push DWORD Scratch:[Dword(24)]
pop edx                         edx = DWORD Scratch:[Dword(24)]
pop eflags                      eflags = DWORD Scratch:[Dword(12)]
pop edx                         edx = DWORD Scratch:[Dword(60)]
pop eax                         eax = DWORD Scratch:[Dword(36)]
pop ebx                         ebx = DWORD Scratch:[Dword(16)]
pop ebp                         ebp = DWORD Scratch:[Dword(40)]
pop esi                         esi = DWORD Scratch:[Dword(48)]
pop ecx                         ecx = DWORD Scratch:[Dword(44)]
pop ecx                         ecx = DWORD Scratch:[Dword(20)]
pop edi                         edi = DWORD Scratch:[Dword(0)]
ret                             ret



Step 2

Temporary variables:
DWORD t0
DWORD t1
DWORD t2
DWORD t3
DWORD t4
DWORD t5
DWORD t6
DWORD t7
DWORD t8
DWORD t9
DWORD t10
DWORD t11
DWORD t12
DWORD t13
DWORD t14
DWORD t15
DWORD t16
DWORD t17
DWORD Scratch:[Dword(24)] = Dword(0)             DWORD Scratch:[Dword(24)] = Dword(0)
DWORD Scratch:[Dword(28)] = eflags               DWORD Scratch:[Dword(28)] = eflags
DWORD Scratch:[Dword(60)] = edx                  DWORD Scratch:[Dword(60)] = edx
DWORD Scratch:[Dword(56)] = eax                  DWORD Scratch:[Dword(56)] = eax
DWORD Scratch:[Dword(16)] = ebx                  DWORD Scratch:[Dword(16)] = ebx
DWORD Scratch:[Dword(32)] = ebp                  DWORD Scratch:[Dword(32)] = ebp
DWORD Scratch:[Dword(48)] = esi                  DWORD Scratch:[Dword(48)] = esi
DWORD Scratch:[Dword(44)] = edx                  DWORD Scratch:[Dword(44)] = edx
DWORD Scratch:[Dword(20)] = ecx                  DWORD Scratch:[Dword(20)] = ecx
DWORD Scratch:[Dword(0)] = edi                   DWORD Scratch:[Dword(0)] = edi
DWORD Scratch:[Dword(4)] = Dword(-1985229329)    DWORD Scratch:[Dword(4)] = Dword(-1985229329)
DWORD Scratch:[Dword(8)] = Dword(19088743)       DWORD Scratch:[Dword(8)] = Dword(19088743)
push DWORD Scratch:[Dword(32)]                   push DWORD Scratch:[Dword(32)]
DWORD Scratch:[Dword(40)] = esp                  DWORD Scratch:[Dword(40)] = esp
push Dword(-1)                                   push Dword(-1)
push Dword(4525664)                              push Dword(4525664)
push Dword(4362952)                              push Dword(4362952)
t0 = Dword(0)
push DWORD FS:[t0]                               push DWORD FS:[Dword(0)]
pop DWORD Scratch:[Dword(36)]                    pop DWORD Scratch:[Dword(36)]
push DWORD Scratch:[Dword(36)]                   push DWORD Scratch:[Dword(36)]
t1 = Dword(0)
t2 = esp
DWORD FS:[t1] = t2                               DWORD FS:[Dword(0)] = esp
t3 = Dword(4)
t4 = esp
t5 = t3 + t4
DWORD Scratch:[Dword(52)] = flags t5             DWORD Scratch:[Dword(52)] = flags Dword(4) + esp
t6 = t5
t7 = Dword(-88)
t8 = t6 + t7
DWORD Scratch:[Dword(12)] = flags t8             DWORD Scratch:[Dword(12)] = flags Dword(4) + esp + Dword(-88)
esp = t8                                         esp = Dword(4) + esp + Dword(-88)
push DWORD Scratch:[Dword(16)]                   push DWORD Scratch:[Dword(16)]
push DWORD Scratch:[Dword(48)]                   push DWORD Scratch:[Dword(48)]
push DWORD Scratch:[Dword(0)]                    push DWORD Scratch:[Dword(0)]
t9 = Dword(-24)
t10 = DWORD Scratch:[Dword(40)]
t11 = t9 + t10
DWORD Scratch:[Dword(4)] = flags t11             DWORD Scratch:[Dword(4)] = flags Dword(-24) + DWORD Scratch:[Dword(40)]
t12 = t11
t13 = esp
DWORD SS:[t12] = t13                             DWORD SS:[Dword(-24) + DWORD Scratch:[Dword(40)]] = esp
t14 = DWORD Scratch:[Dword(24)]
t15 = Dword(4638392)
t16 = t14 + t15
push t16                                         push DWORD Scratch:[Dword(24)] + Dword(4638392)
DWORD Scratch:[Dword(8)] = flags t16             DWORD Scratch:[Dword(8)] = flags DWORD Scratch:[Dword(24)] + Dword(4638392)
t17 = Dword(4590300)
push DWORD [t17]                                 push DWORD [Dword(4590300)]
edx = DWORD Scratch:[Dword(24)]
eflags = DWORD Scratch:[Dword(12)]               eflags = DWORD Scratch:[Dword(12)]
edx = DWORD Scratch:[Dword(60)]                  edx = DWORD Scratch:[Dword(60)]
eax = DWORD Scratch:[Dword(36)]                  eax = DWORD Scratch:[Dword(36)]
ebx = DWORD Scratch:[Dword(16)]                  ebx = DWORD Scratch:[Dword(16)]
ebp = DWORD Scratch:[Dword(40)]                  ebp = DWORD Scratch:[Dword(40)]
esi = DWORD Scratch:[Dword(48)]                  esi = DWORD Scratch:[Dword(48)]
ecx = DWORD Scratch:[Dword(44)]
ecx = DWORD Scratch:[Dword(20)]                  ecx = DWORD Scratch:[Dword(20)]
edi = DWORD Scratch:[Dword(0)]                   edi = DWORD Scratch:[Dword(0)]
ret                                              ret
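
The first two steps above (push/pop pairs folded into assignments, then temporaries substituted into their uses), as an added Python example that is not ReWolf's code or part of the original post. The function names are hypothetical, the sample is copied from the left-hand column of the first listing, and two assumptions are made: each tN is assigned once, and a push that reads memory outside the Scratch area is left as a real push/pop pair, which is how the listing treats `push DWORD FS:[t0]`.

```python
import re

# Excerpt of the left-hand column of the first listing on this page.
SAMPLE = """
push Dword(0)
pop t0
push DWORD FS:[t0]
pop DWORD Scratch:[Dword(36)]
push DWORD Scratch:[Dword(36)]
push esp
push Dword(0)
pop t1
pop t2
DWORD FS:[t1] = t2
push Dword(-88)
push esp
push Dword(4)
pop t3
pop t4
t5 = t3 + t4
push t5
push flags t5
pop DWORD Scratch:[Dword(52)]
pop t6
pop t7
t8 = t6 + t7
push t8
push flags t8
pop DWORD Scratch:[Dword(12)]
pop esp
"""

TEMP = re.compile(r"\bt\d+\b")          # a temporary such as t5
TEMP_DEF = re.compile(r"^(t\d+) = (.+)$")  # a line that defines a temporary


def is_opaque(operand):
    """Assumption: a memory read outside the VM scratch area is not folded."""
    return "[" in operand and "Scratch:" not in operand


def fold_push_pop(lines):
    """Step 1: turn each matched push/pop pair into `dst = src`."""
    out = []      # emitted lines; None marks a push that was folded away
    pending = []  # virtual stack of (index in out, operand, opaque)
    for raw in lines:
        line = raw.strip()
        if line.startswith("push "):
            operand = line[5:]
            pending.append((len(out), operand, is_opaque(operand)))
            out.append(line)
        elif line.startswith("pop ") and pending:
            idx, operand, opaque = pending.pop()
            if opaque:
                out.append(line)          # keep both the push and the pop
            else:
                out[idx] = None           # drop the push ...
                out.append(f"{line[4:]} = {operand}")  # ... pop becomes a move
        else:
            out.append(line)              # unmatched pop or plain assignment
    return [l for l in out if l is not None]


def propagate_temps(lines):
    """Step 2: substitute every tN by its definition and drop the definition.

    Substitution is textual and unparenthesised, as in the listing; that is
    only safe here because every expression involved is a chain of additions.
    """
    defs = {}

    def expand(text):
        return TEMP.sub(lambda m: defs.get(m.group(0), m.group(0)), text)

    out = []
    for line in lines:
        m = TEMP_DEF.match(line)
        if m:
            defs[m.group(1)] = expand(m.group(2))
        else:
            out.append(expand(line))
    return out


if __name__ == "__main__":
    step1 = fold_push_pop(SAMPLE.strip().splitlines())
    for line in propagate_temps(step1):
        print(line)
```

The output of `fold_push_pop` corresponds to the right-hand column of the first listing, and the output of `propagate_temps` to the right-hand column of the second, for the excerpted lines.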



Step 3

DWORD Scratch:[Dword(24)] = Dword(0)
DWORD Scratch:[Dword(28)] = eflags
DWORD Scratch:[Dword(60)] = edx
DWORD Scratch:[Dword(56)] = eax
DWORD Scratch:[Dword(16)] = ebx
DWORD Scratch:[Dword(32)] = ebp
DWORD Scratch:[Dword(48)] = esi
DWORD Scratch:[Dword(44)] = edx
DWORD Scratch:[Dword(20)] = ecx
DWORD Scratch:[Dword(0)] = edi
DWORD Scratch:[Dword(4)] = Dword(-1985229329)
DWORD Scratch:[Dword(8)] = Dword(19088743)
push DWORD Scratch:[Dword(32)]                                  push ebp
DWORD Scratch:[Dword(40)] = esp                                 ebp = esp
push Dword(-1)                                                  push Dword(-1)
push Dword(4525664)                                             push Dword(4525664)
push Dword(4362952)                                             push Dword(4362952)
push DWORD FS:[Dword(0)]                                        push DWORD FS:[Dword(0)]
pop DWORD Scratch:[Dword(36)]                                   pop eax
push DWORD Scratch:[Dword(36)]                                  push eax
DWORD FS:[Dword(0)] = esp                                       DWORD FS:[Dword(0)] = esp
DWORD Scratch:[Dword(52)] = flags Dword(4) + esp
DWORD Scratch:[Dword(12)] = flags Dword(4) + esp + Dword(-88)   eflags = flags Dword(4) + esp + Dword(-88)
esp = Dword(4) + esp + Dword(-88)                               esp = Dword(4) + esp + Dword(-88)
push DWORD Scratch:[Dword(16)]                                  push ebx
push DWORD Scratch:[Dword(48)]                                  push esi
[color=#0000D0]push[/color] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](0)]                                               [color=#0000D0]push[/color] [color=#FF0000]edi[/color]                                  
[color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](4)] = flags [color=#b000b0]Dword[/color](-24) + [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](40)]     [color=#b000b0]DWORD[/color] [color=#FF0000]SS[/color]:[[color=#b000b0]Dword[/color](-24) + [color=#FF0000]ebp[/color]] = [color=#FF0000]esp[/color]         
[color=#b000b0]DWORD[/color] [color=#FF0000]SS[/color]:[[color=#b000b0]Dword[/color](-24) + [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](40)]] = [color=#FF0000]esp[/color]                                 
[color=#0000D0]push[/color] [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](24)] + [color=#b000b0]Dword[/color](4638392)                             [color=#0000D0]push[/color] [color=#b000b0]Dword[/color](0) + [color=#b000b0]Dword[/color](4638392)            
[color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](8)] = flags [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](24)] + [color=#b000b0]Dword[/color](4638392)                
[color=#0000D0]push[/color] [color=#b000b0]DWORD[/color] [[color=#b000b0]Dword[/color](4590300)]                                                 [color=#0000D0]push[/color] [color=#b000b0]DWORD[/color] [[color=#b000b0]Dword[/color](4590300)]   
eflags = [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](12)]                                          
[color=#FF0000]edx[/color] = [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](60)]
[color=#FF0000]eax[/color] = [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](36)]
[color=#FF0000]ebx[/color] = [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](16)]
[color=#FF0000]ebp[/color] = [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](40)]
[color=#FF0000]esi[/color] = [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](48)]
[color=#FF0000]ecx[/color] = [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](20)]
[color=#FF0000]edi[/color] = [color=#b000b0]DWORD[/color] Scratch:[[color=#b000b0]Dword[/color](0)]
[color=#0000D0]ret[/color]                                                                         [color=#0000D0]ret[/color]
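
The step from the left column to the right column in the listing above, as an added Python example (not ReWolf's code and not part of the original post): scratch slots are folded back into registers, and stores that nothing reloads are dropped. It assumes each slot stands for one register across the whole block and recovers that mapping from the loads just before `ret`; the names `epilogue_map` and `fold_scratch` are hypothetical, and slots 32 and 24 are left out because resolving them needs information outside this excerpt.

```python
import re

SLOT = re.compile(r"DWORD Scratch:\[Dword\((\d+)\)\]")
LOAD = re.compile(r"(\w+) = " + SLOT.pattern)

# Constructed sample: a subset of the left-column lines above, colour tags stripped.
SAMPLE = """\
DWORD Scratch:[Dword(48)] = esi
DWORD Scratch:[Dword(4)] = Dword(-1985229329)
DWORD Scratch:[Dword(40)] = esp
pop DWORD Scratch:[Dword(36)]
DWORD Scratch:[Dword(52)] = flags Dword(4) + esp
DWORD Scratch:[Dword(12)] = flags Dword(4) + esp + Dword(-88)
push DWORD Scratch:[Dword(48)]
DWORD SS:[Dword(-24) + DWORD Scratch:[Dword(40)]] = esp
eflags = DWORD Scratch:[Dword(12)]
eax = DWORD Scratch:[Dword(36)]
ebp = DWORD Scratch:[Dword(40)]
esi = DWORD Scratch:[Dword(48)]
ret
"""

def epilogue_map(lines):
    """Map scratch slot -> register from the run of loads just before ret."""
    mapping = {}
    for line in reversed(lines):
        m = LOAD.fullmatch(line)
        if m:
            mapping[m.group(2)] = m.group(1)
        elif line != "ret":
            break
    return mapping

def fold_scratch(text):
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    mapping = epilogue_map(lines)
    out = []
    for line in lines:
        # Replace every mapped slot with its register; leave unmapped slots as-is.
        new = SLOT.sub(lambda m: mapping.get(m.group(1), m.group(0)), line)
        lhs, sep, rhs = new.partition(" = ")
        if sep and (lhs == rhs or SLOT.fullmatch(lhs)):
            continue  # no-op save/restore, or store to a slot nothing reloads
        out.append(new)
    return out

if __name__ == "__main__":
    print("\n".join(fold_scratch(SAMPLE)))
```

On the sample this reproduces the corresponding right-column lines, including `ebp = esp` and the `eflags = flags ...` assignment recovered from slot 12.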

Original article. If you repost it, please credit: reposted from Eddy Blog
Original URL: http://www.rrgod.com/decryption/788.html