[Unresolved, thread closed] [Help request] Please take a look at an exit trap; the program's normal functionality needs to be restored! Bounty: 50.00 雪花
Posted: 2018-8-17 10:22
File download: db4K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6%4N6%4N6Q4x3X3g2D9j5h3&6*7L8%4g2K6i4K6u0W2j5$3!0E0i4K6u0r3K9e0q4Y4L8U0k6F1k6b7`.`.
VMP 1.60-2.05, 飘零金盾 8.3-8.32. I have already used window loading to obtain the functional window, but there is an exit trap that I cannot get past, so I am asking for help to restore the program's normal functionality. The analysis process is as follows:
With the SharpOD plugin, the VMP shell's detection is simply ignored; using EWND (

77BD97C0 ntdll.ZwTerminateProcess B8 2C000700 mov eax,0x7002C
Going further up and setting a breakpoint:
77BA09B0 ntdll.RtlExitUserProcess 8BFF mov edi,edi
Further up:
76523A10 kernel32.ExitProcess 55 push ebp
Further up:
0044BCC0 /$ 55 push ebp
0044BCC1 |. 8BEC mov ebp,esp
0044BCC3 |. 8B45 08 mov eax,[arg.1]
0044BCC6 |. 50 push eax
0044BCC7 |. B9 D001C100 mov ecx,QQ.00C101D0 ; ̥R
0044BCCC |. E8 5F82FFFF call QQ.00443F30
0044BCD1 |. 8B4D 08 mov ecx,[arg.1]
0044BCD4 |. 51 push ecx
0044BCD5 |. 51 push ecx
0044BCD6 |. E8 39EC2D01 call QQ.0172A914
I patched a retn directly at the function entry 0044BCC0.

Then, as above, I found the PID with 精益编程助手, entered it into the EWND program and loaded the second window; the window loaded successfully and can be dragged normally!

But when I went into the game, I found it had no functionality.
I suspect the patched location is too late: the break only occurs after the program has already exited and the functionality has already been disabled.
So I kept looking further up.
I found that 0044BCC0 has three callers. Setting breakpoints on each in turn and repeating the analysis above, I found that it is the last one, the call at 00446245, that calls 0044BCC0. Going to 00446245:

00446240 . 8B4424 04 mov eax,dword ptr ss:[esp+0x4]
00446244 . 50 push eax
00446245 . E8 765A0000 call QQ.0044BCC0
0044624A . 83C4 04 add esp,0x4
0044624D . 33C0 xor eax,eax
0044624F . C2 0800 retn 0x8

NOPing out 00446245, or changing 00446240 directly to retn 0x8, both ended in failure: the program simply terminates!
I cannot get any further with the analysis. I sincerely ask an expert to give some advice, or to help out!