[原创]vmpboom_crackme追码与爆破不完全分析08030501

2008-3-5 15:30

【文章标题】: vmpboom_crackme追码与爆破不完全分析08030501
【文章作者】: ShellWolf
【作者邮箱】: ShellWolf@163.com
【作者主页】: b74K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4y4Z5k6h3I4D9N6$3!0D9k6W2)9J5k6h3u0D9L8$3N6Q4x3X3f1I4y4U0y4Q4x3X3g2U0L8$3@1`.
【作者QQ号】: 无,有事邮件联系
【软件名称】: vmpboom crackme
【下载地址】: 自己搜索下载
【保护方式】: vmprotect1.20
【编写语言】: Borland Delphi 6.0 - 7.0
【使用工具】: IDA,OD,及相关插件
【操作平台】: win2000
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
  软件介绍:unpack.cn上的一个crackme,已给出正确注册码,要求爆破,以输入任意注册码均可解除软件限制。成功后,注册码区变灰。
  
  一、准备
  1.1查壳  pediy给出Borland Delphi 6.0 - 7.0
  1.2查vmprotect 由于作者已说是vmprotect保护,使用IDA载入,运行Vmp1.2x-OP插件,全部识别,共191多条
  

  VMP12X_Recorder>虚拟机伪代码表VM_OP_TABLE:0x00411400
  VMP12X_Recorder>找到Vmprotect的伪指令跳转地址retn:0x00411A5C
  VMP12X_Recorder>找到虚拟机解释引擎入口VMLoop_EP:0x00411A40
  VMP12X_Recorder>共识别191条VMprotect12x虚拟机伪指令。
  VMP12X_Recorder>如插件异常或有建议请发QQ:719110750
  VMP12X_Recorder>good luck!
  
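  //"1.pause OD after regcode"
  //"2.run script"
  // ODbgScript trace helper: every time execution reaches the retn at bp_retn,
  // log a running entry number, the top three stack slots and the general
  // registers, then resume. Run it once OllyDbg is paused after the
  // registration code has been entered.
  // Vars: bp_retn = address of the retn to break on; count = entry number
  //       written at the head of each log entry (eval prints it in hex, so
  //       ####9#### is followed by ####A#### in the Script Log Window).
  var bp_retn
  var count

  Init:
  mov bp_retn,40b32d             // retn to trace (0x0040B32D); change here to retarget
  mov count,1
  dbh                            // hide the debugger from the debuggee
  BPHWCALL                       // remove all hardware breakpoints
  BPMC                           // remove the memory breakpoint
  bc                             // drop leftover breakpoints — confirm the no-argument form on this ODbgScript version
  bp bp_retn                     // the only breakpoint this script relies on

  start:
  eob b1                         // when a breakpoint fires, continue the script at b1
  esto                           // run the debuggee until a breakpoint

  b1:
  cmp eip,bp_retn                // any other stop (foreign breakpoint, exception) is unexpected
  jnz error
  eval "####{count}####"
  log $RESULT
  log [esp+0]                    // at a retn, [esp] is where execution returns to
  log [esp+4]
  log [esp+8]
  log eax
  log edx
  log ecx
  log ebx
  log esi
  log edi
  add count,1
  jmp start

  error:
  msg "Error"

  bc
  ret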
  
  Script Log Window
  Address    Message
  40B32D     $RESULT: ####1####
  40B32D     [esp+0]: 004119FD
  40B32D     [esp+4]: 004154C7
  40B32D     [esp+8]: 00416A45
  40B32D     eax: 00880F88
  40B32D     edx: 0012FB68
  40B32D     ecx: 00405CC4 | <vmpboom.loc_405CC4>
  40B32D     ebx: 00880004
  40B32D     esi: 00881DF8
  40B32D     edi: 0012FBDC
  40B32D     $RESULT: ####2####
  40B32D     [esp+0]: 004119FD
  40B32D     [esp+4]: 004158D6
  40B32D     [esp+8]: 0012FBDC
  40B32D     eax: 00880004
  40B32D     edx: 0012FB68
  40B32D     ecx: 00405CC4 | <vmpboom.loc_405CC4>
  40B32D     ebx: 00880F88
  40B32D     esi: 00881DF8
  40B32D     edi: 0012FB68
  40B32D     $RESULT: ####3####
  40B32D     [esp+0]: 004119FD
  40B32D     [esp+4]: 0041579A
  40B32D     [esp+8]: 0012FBDC
  40B32D     eax: 00880004
  40B32D     edx: 0012FB68
  40B32D     ecx: 00120326
  40B32D     ebx: 00880F88
  40B32D     esi: 00881DF8
  40B32D     edi: 0012FB68
  40B32D     $RESULT: ####4####
  40B32D     [esp+0]: 00403B1C | <jmp.&user32.GetWindowTextLengthA>
  40B32D     [esp+4]: 004169C3
  40B32D     [esp+8]: 00120326
  40B32D     eax: 00880004
  40B32D     edx: 0012FB68
  40B32D     ecx: 00120326
  40B32D     ebx: 00880F88
  40B32D     esi: 00881DF8
  40B32D     edi: 0012FB68
  40B32D     $RESULT: ####5####
  40B32D     [esp+0]: 004035D4 | <vmpboom.System::__linkproc__ LStrSetLength(void)>
  40B32D     [esp+4]: 004169B8
  40B32D     [esp+8]: 00000008
  40B32D     eax: 00881514
  40B32D     edx: 00000008
  40B32D     ecx: 00000008
  40B32D     ebx: 00880F88
  40B32D     esi: 00881DF8
  40B32D     edi: 0012FB68
  40B32D     $RESULT: ####6####
  40B32D     [esp+0]: 004119FD
  40B32D     [esp+4]: 00414DD1 | ASCII 06,"考vv?"
  40B32D     [esp+8]: 0012FBDC
  40B32D     eax: 00881514
  40B32D     edx: 00000000
  40B32D     ecx: 00000008
  40B32D     ebx: 00880F88
  40B32D     esi: 00881DF8
  40B32D     edi: 0012FB68
  40B32D     $RESULT: ####7####
  40B32D     [esp+0]: 00403B14 | <jmp.&user32.GetWindowTextA>
  40B32D     [esp+4]: 004169A9 | ASCII "h'PA"
  40B32D     [esp+8]: 00120326
  40B32D     eax: 00881514
  40B32D     edx: 00000000
  40B32D     ecx: 00000009
  40B32D     ebx: 00880F88
  40B32D     esi: 00881DF8
  40B32D     edi: 0012FB68
  40B32D     $RESULT: ####8####
  40B32D     [esp+0]: 00403384 | <vmpboom.System::__linkproc__ LStrAsg(void *,void *)>
  40B32D     [esp+4]: 004169CF
  40B32D     [esp+8]: 0012FBDC
  40B32D     eax: 0012FB68
  40B32D     edx: 00881F3C | ASCII "20000611"
  40B32D     ecx: 0012FB58
  40B32D     ebx: 00880F88
  40B32D     esi: 00881DF8
  40B32D     edi: 00000008
  40B32D     $RESULT: ####9####
  40B32D     [esp+0]: 00416A45
  40B32D     [esp+4]: 0012FF50
  40B32D     [esp+8]: 00416A36
  40B32D     eax: 0012FB68
  40B32D     edx: 00000000
  40B32D     ecx: 00000002
  40B32D     ebx: 00880004
  40B32D     esi: 00881DF8
  40B32D     edi: 0012FBDC
  40B32D     $RESULT: ####A####
  40B32D     [esp+0]: 004119FD
  40B32D     [esp+4]: 00413B29
  40B32D     [esp+8]: 00416A11
  40B32D     eax: 00881F3C | ASCII "20000611"
  40B32D     edx: 00405D58 | ASCII "20000615"
  40B32D     ecx: 00000002
  40B32D     ebx: 00880004
  40B32D     esi: 00881DF8
  40B32D     edi: 0012FBDC
  40B32D     $RESULT: ####B####
  40B32D     [esp+0]: 004119FD
  40B32D     [esp+4]: 0041251A
  40B32D     [esp+8]: 0012FBDC
  40B32D     eax: 00881F3C | ASCII "20000611"
  40B32D     edx: 00405D58 | ASCII "20000615"
  40B32D     ecx: 00000002
  40B32D     ebx: 00880004
  40B32D     esi: 00881F3C | ASCII "20000611"
  40B32D     edi: 00405D58 | ASCII "20000615"
  40B32D     $RESULT: ####C####
  40B32D     [esp+0]: 004119FD
  40B32D     [esp+4]: 0041467C
  40B32D     [esp+8]: 0012FBDC
  40B32D     eax: 00881F3C | ASCII "20000611"
  40B32D     edx: 00405D58 | ASCII "20000615"
  40B32D     ecx: 00000002
  40B32D     ebx: 00880004
  40B32D     esi: 00881F3C | ASCII "20000611"
  40B32D     edi: 00405D58 | ASCII "20000615"
  40B32D     $RESULT: ####D####
  40B32D     [esp+0]: 004119FD
  40B32D     [esp+4]: 00411F7A
  40B32D     [esp+8]: 0012FBDC
  40B32D     eax: 00881F3C | ASCII "20000611"
  40B32D     edx: 00405D58 | ASCII "20000615"
  40B32D     ecx: 00000002
  40B32D     ebx: 00880004
  40B32D     esi: 00881F3C | ASCII "20000611"
  40B32D     edi: 00405D58 | ASCII "20000615"
  40B32D     $RESULT: ####E####
  40B32D     [esp+0]: 004119FD
  40B32D     [esp+4]: 004138DA
  40B32D     [esp+8]: 0012FBDC
  40B32D     eax: 00000000
  40B32D     edx: 00000008
  40B32D     ecx: 00000002
  40B32D     ebx: 00880004
  40B32D     esi: 00881F3C | ASCII "20000611"
  40B32D     edi: 00405D58 | ASCII "20000615"
  40B32D     $RESULT: ####F####
  40B32D     [esp+0]: 004119FD
  40B32D     [esp+4]: 00411D14
  40B32D     [esp+8]: 00000008
  40B32D     eax: 00000000
  40B32D     edx: 00000002
  40B32D     ecx: 00000002
  40B32D     ebx: 00880004
  40B32D     esi: 00881F3C | ASCII "20000611"
  40B32D     edi: 00405D58 | ASCII "20000615"
  40B32D     $RESULT: ####10####
  40B32D     [esp+0]: 004119FD
  40B32D     [esp+4]: 004136EA
  40B32D     [esp+8]: 00000008
  40B32D     eax: 00000000
  40B32D     edx: 00000002
  40B32D     ecx: 30303032
  40B32D     ebx: 30303032
  40B32D     esi: 00881F3C | ASCII "20000611"
  40B32D     edi: 00405D58 | ASCII "20000615"
  40B32D     $RESULT: ####11####
  40B32D     [esp+0]: 004119FD
  40B32D     [esp+4]: 00411AC3
  40B32D     [esp+8]: 00000008
  40B32D     eax: 00000000
  40B32D     edx: 00000001
  40B32D     ecx: 30303032
  40B32D     ebx: 30303032
  40B32D     esi: 00881F3C | ASCII "20000611"
  40B32D     edi: 00405D58 | ASCII "20000615"
  40B32D     $RESULT: ####12####
  40B32D     [esp+0]: 004119FD
  40B32D     [esp+4]: 00413F30
  40B32D     [esp+8]: 00000008
  40B32D     eax: 00000000
  40B32D     edx: 00000001
  40B32D     ecx: 31313630
  40B32D     ebx: 35313630
  40B32D     esi: 00881F3C | ASCII "20000611"
  40B32D     edi: 00405D58 | ASCII "20000615"
  40B32D     $RESULT: ####13####
  40B32D     [esp+0]: 004119FD
  40B32D     [esp+4]: 0041296F
  40B32D     [esp+8]: 0012FBDC
  40B32D     eax: 00000000
  40B32D     edx: 00000008
  40B32D     ecx: 31313630
  40B32D     ebx: 35313630
  40B32D     esi: 00881F3C | ASCII "20000611"
  40B32D     edi: 00405D58 | ASCII "20000615"
  40B32D     $RESULT: ####14####
  40B32D     [esp+0]: 004119FD
  40B32D     [esp+4]: 00414A83
  40B32D     [esp+8]: 0012FBDC
  40B32D     eax: 00000000
  40B32D     edx: 00000008
  40B32D     ecx: 31313630
  40B32D     ebx: 35313630
  40B32D     esi: 00881F3C | ASCII "20000611"
  40B32D     edi: 00405D58 | ASCII "20000615"
  40B32D     $RESULT: ####15####
  40B32D     [esp+0]: 004119FD
  40B32D     [esp+4]: 00414462
  40B32D     [esp+8]: 0012FBDC
  40B32D     eax: 00000000
  40B32D     edx: 00000008
  40B32D     ecx: 00003131
  40B32D     ebx: 00003531
  40B32D     esi: 00881F3C | ASCII "20000611"
  40B32D     edi: 00405D58 | ASCII "20000615"
  40B32D     $RESULT: ####16####
  40B32D     [esp+0]: 00416A11
  40B32D     [esp+4]: 0012FF50
  40B32D     [esp+8]: 00416A36
  40B32D     eax: 00000000
  40B32D     edx: 00000008
  40B32D     ecx: 00003131
  40B32D     ebx: 00880004
  40B32D     esi: 00881DF8
  40B32D     edi: 0012FBDC
  40B32D     $RESULT: ####17####
  40B32D     [esp+0]: 004119FD
  40B32D     [esp+4]: 004162A5
  40B32D     [esp+8]: 0012FF50
  40B32D     eax: 00000000
  40B32D     edx: 00000008
  40B32D     ecx: 00003131
  40B32D     ebx: 00880004
  40B32D     esi: 00881DF8
  40B32D     edi: 0012FBDC
  40B32D     $RESULT: ####18####
  40B32D     [esp+0]: 00403B4C | <jmp.&user32.MessageBoxA>
  40B32D     [esp+4]: 004169E8
  40B32D     [esp+8]: 00000000
  40B32D     eax: 00000000
  40B32D     edx: 00000008
  40B32D     ecx: 00003131
  40B32D     ebx: 00880004
  40B32D     esi: 00881DF8
  40B32D     edi: 0012FBDC
  

最新回复 (6)
楼主起点够高的啊!
2008-3-5 16:44
用了wangdell的插件,也不表示一下感谢
2008-3-5 16:57
感谢wangdell,ccer.
vmp_op_rec插件还有问题,亟待解决,输入参数和返回参数多数不正确。(这是由于vmprotect保护时,寄存器每次加密用法都不同的原因)
回头我写个OD的脚本,也实现跟踪功能。
2008-3-5 17:15
我觉得你写个插件一定比wangdell那个好用
2008-3-5 18:29
retn的脚本很强大!
2008-3-8 15:06
学习了,试验下
2008-3-9 05:43