2041535600 posted on 2022-4-24 08:53

E盾 (E-Shield), UPX1, patch, crash on launch

Problem description: the program crashes outright after the reverse-engineered patch is applied
My own analysis: as follows
Problem screenshots: UI:
From this it is clearly an E盾 (E-Shield) protected program
Shell check:

UPX1, but don't ask me why I didn't use an unpacker... if it could be unpacked it wouldn't be this much trouble
Run it, then attach


You can see the contents inside are mostly encrypted too
So I searched for signature bytes first
Login:
00411451    55              push    ebp
00411452    8BEC            mov     ebp, esp
00411454    81EC 4C010000   sub     esp, 0x14C
0041145A    C745 FC 0000000>mov     dword ptr [ebp-0x4], 0x0
00411461    C745 F8 0000000>mov     dword ptr [ebp-0x8], 0x0
00411468    C745 F4 0000000>mov     dword ptr [ebp-0xC], 0x0
0041146F    C745 F0 0000000>mov     dword ptr [ebp-0x10], 0x0
00411476    C745 EC 0000000>mov     dword ptr [ebp-0x14], 0x0
0041147D    C745 E8 0000000>mov     dword ptr [ebp-0x18], 0x0
00411484    C745 E4 0000000>mov     dword ptr [ebp-0x1C], 0x0
0041148B    C745 E0 0000000>mov     dword ptr [ebp-0x20], 0x0
00411492    C745 DC 0000000>mov     dword ptr [ebp-0x24], 0x0
00411499    68 20000000     push    0x20
0041149E    E8 451B0200     call    00432FE8                         ; jmp to <3ABC2D.分配内存> (allocate memory)

Frequency (频率):
004255E2    55              push    ebp
004255E3    8BEC            mov     ebp, esp
004255E5    81EC 78000000   sub     esp, 0x78
004255EB    C745 FC 0000000>mov     dword ptr [ebp-0x4], 0x0
004255F2    C745 F8 0000000>mov     dword ptr [ebp-0x8], 0x0

Algorithm (算法):

00422C63    55              push    ebp
00422C64    8BEC            mov     ebp, esp
00422C66    81EC 98000000   sub     esp, 0x98
00422C6C    C745 FC 0000000>mov     dword ptr [ebp-0x4], 0x0

Validity (合法):

0040BBD9    55              push    ebp
0040BBDA    8BEC            mov     ebp, esp
0040BBDC    81EC 84000000   sub     esp, 0x84
0040BBE2    C745 FC 0000000>mov     dword ptr [ebp-0x4], 0x0
0040BBE9    C745 F8 0000000>mov     dword ptr [ebp-0x8], 0x0
0040BBF0    C745 F4 0000000>mov     dword ptr [ebp-0xC], 0x0
0040BBF7    68 08010000     push    0x108

========================================================================

Not sure whether the signatures above are right; assuming they are, I went ahead and wrote the patch
Welcome
-----------------(Login)--------------------
Address found: 411451
Signature searched: 55 8B EC 81 EC 4C 01 00 00 C7 45 FC 00 00 00 00 C7 45 F8 00 00 00 00 C7 45 F4 00 00 00 00 C7 45 F0 00 00 00 00 C7 45 EC 00 00 00 00 C7 45 E8 00 00 00 00 C7 45 E4 00 00 00 00 C7 45 E0 00 00 00 00 C7 45 DC 00 00 00 00 68 20 00 00 00
Replacement bytes: B8 01 00 00 00 C9 C3 90 90 C7 45 FC 00 00 00 00 C7 45 F8 00 00 00 00 C7 45 F4 00 00 00 00 C7 45 F0 00 00 00 00 C7 45 EC 00 00 00 00 C7 45 E8 00 00 00 00 C7 45 E4 00 00 00 00 C7 45 E0 00 00 00 00 C7 45 DC 00 00 00 00 68 20 00 00 00
Signature note:

-----------------(Frequency)--------------------
Address found: 4255E2
Signature searched: 55 8B EC 81 EC 78 00 00 00 C7 45 FC 00 00 00 00 C7 45 F8 00 00 00 00 C7 45 F4 00 00 00 00 C7 45 F0 00 00 00 00 C7 45 EC 00 00 00 00 C7 45 E8 00 00 00 00 C7 45 E4 00 00 00 00 C7 45 E0 00 00 00 00 C7 45 DC 00 00 00 00 C7 45 D8 00 00 00 00 C7 45 D4 00 00 00 00 C7 45 D0 00 00 00 00 C7 45 CC 00 00 00 00 C7 45 C8 00 00 00 00 C7 45 C4 00 00 00 00 68 08 00 00 00
Replacement bytes: C9 C3 90 81 EC 78 00 00 00 C7 45 FC 00 00 00 00 C7 45 F8 00 00 00 00 C7 45 F4 00 00 00 00 C7 45 F0 00 00 00 00 C7 45 EC 00 00 00 00 C7 45 E8 00 00 00 00 C7 45 E4 00 00 00 00 C7 45 E0 00 00 00 00 C7 45 DC 00 00 00 00 C7 45 D8 00 00 00 00 C7 45 D4 00 00 00 00 C7 45 D0 00 00 00 00 C7 45 CC 00 00 00 00 C7 45 C8 00 00 00 00 C7 45 C4 00 00 00 00 68 08 00 00 00
Signature note:

-----------------(Validity)--------------------
Address found: 4215DA
Signature searched: 55 8B EC 5D 81 EC 84 00 00 00 53 8B 9C 24 98 00 00 00 56 33 C9 33 F6 33 D2 57
Replacement bytes: C9 8B EC 5D 81 EC 84 00 00 00 53 8B 9C 24 98 00 00 00 56 33 C9 33 F6 33 D2 57
Signature note:

-----------------(Algorithm)--------------------
Address found: 422C63
Signature searched: 55 8B EC 81 EC 98 00 00 00 C7 45 FC 00 00 00 00 C7 45 F8 00 00 00 00 C7 45 F4 00 00 00 00 C7 45 F0 00 00 00 00 C7 45 EC 00 00 00 00 C7 45 E8 00 00 00 00 C7 45 E4 00 00 00 00 C7 45 E0 00 00 00 00 C7 45 DC 00 00 00 00 C7 45 D8 00 00 00 00 C7 45 D4 00 00 00 00 C7 45 D0 00 00 00 00 C7 45 CC 00 00 00 00 C7 45 C8 00 00 00 00 C7 45 C4 00 00 00 00 C7 45 C0 00 00 00 00 C7 45 BC 00 00 00 00 C7 45 B8 00 00 00 00 68 08 00 00 00
Replacement bytes: B8 01 00 00 00 C9 C3 90 90 C7 45 FC 00 00 00 00 C7 45 F8 00 00 00 00 C7 45 F4 00 00 00 00 C7 45 F0 00 00 00 00 C7 45 EC 00 00 00 00 C7 45 E8 00 00 00 00 C7 45 E4 00 00 00 00 C7 45 E0 00 00 00 00 C7 45 DC 00 00 00 00 C7 45 D8 00 00 00 00 C7 45 D4 00 00 00 00 C7 45 D0 00 00 00 00 C7 45 CC 00 00 00 00 C7 45 C8 00 00 00 00 C7 45 C4 00 00 00 00 C7 45 C0 00 00 00 00 C7 45 BC 00 00 00 00 C7 45 B8 00 00 00 00 68 08 00 00 00
Signature note:

Patch complete!


Enter the card key, click login, and the program exits immediately
The login part was changed to
mov eax, 1
leave
ret
Validity (合法):
leave
ret
Algorithm (算法):
ret
Frequency (频率):
leave
ret


Virus scan screenshot or link: https://habo.qq.com/file/showdetail?pk=ADcGYV1kB24IO1s4U2U%3D

Download link:
https://wwm.lanzouf.com/i89Gr03o299i
Newbie, limited HB, many thanks


jinqike posted on 2022-4-24 08:53

Last edited by jinqike on 2022-4-24 17:19



.版本 2

    ' Write eight 0x32 ('2') bytes at 0x4C7C0A; the 0x41F8A1 patch below returns this address
    写内存字节集 (PID, 十六到十 (“4C7C0A”), 还原字节集2 (“32 32 32 32 32 32 32 32”))
    ' 0x411451 (the login routine quoted above): mov eax, 1 / ret / nop nop nop
    写内存字节集 (PID, 十六到十 (“411451”), 还原字节集2 (“B8 01 00 00 00 C3 90 90 90”))
    ' 0x41F8A1: mov eax, 0x4C7C0A / leave / ret / nop nop
    写内存字节集 (PID, 十六到十 (“41F8A1”), 还原字节集2 (“B8 0A 7C 4C 00 C9 C3 90 90”))
    ' A bare ret (C3) at each of the following addresses; 0x422C63 is the 算法 (algorithm) routine quoted above
    写内存字节集 (PID, 十六到十 (“40B48B”), 还原字节集2 (“C3”))
    写内存字节集 (PID, 十六到十 (“4458B0”), 还原字节集2 (“C3”))
    写内存字节集 (PID, 十六到十 (“40AEF8”), 还原字节集2 (“C3”))
    写内存字节集 (PID, 十六到十 (“422C63”), 还原字节集2 (“C3”))

                           Give me best answer, then
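Added example (my own code, not the OP's patch tool and not jinqike's Easy Language snippet): a small Python patcher that does, offline, what both posts above do. `patch_sig` finds a byte signature (with `??` wildcards), insists on exactly one match, and overwrites only the first `len(replacement)` bytes, which is all the thread's entries amount to, since each replacement string repeats the signature after its first few bytes; `patch_va` applies an address-plus-bytes pair like the 写内存字节集 calls. The image is constructed (0xCC filler with the login prologue from the OP placed at VA 0x411451), the flat mapping from VA to offset with base 0x400000 is an assumption that holds for a memory dump but not for a PE on disk, and all function and constant names are mine.

```python
import re

# Login signature and replacement quoted in the thread. The first 9 bytes of the
# replacement are mov eax,1 / leave / ret / nop / nop; the rest repeats the
# signature, so only those 9 bytes actually need to be written.
LOGIN_SIG = (
    "55 8B EC 81 EC 4C 01 00 00 "
    "C7 45 FC 00 00 00 00 C7 45 F8 00 00 00 00 C7 45 F4 00 00 00 00 "
    "C7 45 F0 00 00 00 00 C7 45 EC 00 00 00 00 C7 45 E8 00 00 00 00 "
    "C7 45 E4 00 00 00 00 C7 45 E0 00 00 00 00 C7 45 DC 00 00 00 00 "
    "68 20 00 00 00"
)
LOGIN_PATCH = "B8 01 00 00 00 C9 C3 90 90"

IMAGE_BASE = 0x400000   # assumption: flat image whose offset 0 is VA 0x400000
LOGIN_VA = 0x411451     # address the thread reports for the login routine


def parse_hex(text: str) -> list:
    """'B8 01 ?? C3' -> [0xB8, 0x01, None, 0xC3]; None marks a wildcard byte."""
    tokens = re.findall(r"\?\?|[0-9A-Fa-f]{2}", text)
    if "".join(tokens) != re.sub(r"\s+", "", text):
        raise ValueError("malformed hex string: %r" % text)
    return [None if t == "??" else int(t, 16) for t in tokens]


def find_sig(image: bytes, sig: list) -> list:
    """Offsets of every (possibly overlapping) match of sig in image."""
    pattern = b"".join(b"." if b is None else re.escape(bytes([b])) for b in sig)
    # zero-width lookahead so overlapping hits are all reported
    return [m.start() for m in re.finditer(b"(?=" + pattern + b")", image, re.DOTALL)]


def patch_sig(image: bytearray, sig_hex: str, repl_hex: str) -> int:
    """Patch in place at the unique match of sig_hex; returns the offset patched."""
    sig, repl = parse_hex(sig_hex), parse_hex(repl_hex)
    if any(b is None for b in repl):
        raise ValueError("replacement bytes may not contain wildcards")
    if len(repl) > len(sig):
        raise ValueError("replacement longer than signature; would overwrite code past the match")
    hits = find_sig(bytes(image), sig)
    if len(hits) != 1:
        raise LookupError("signature matched %d times, expected exactly 1" % len(hits))
    off = hits[0]
    image[off:off + len(repl)] = bytes(repl)
    return off


def patch_va(image: bytearray, va: int, data_hex: str, base: int = IMAGE_BASE) -> int:
    """Address-style patch (VA + bytes), like the 写内存字节集 calls in the reply."""
    data = bytes(parse_hex(data_hex))
    off = va - base
    if off < 0 or off + len(data) > len(image):
        raise ValueError("VA 0x%X is outside the image" % va)
    image[off:off + len(data)] = data
    return off


def build_image() -> bytearray:
    """CONSTRUCTED sample image: 0xCC filler with the login prologue at LOGIN_VA."""
    image = bytearray(b"\xCC" * 0x30000)
    prologue = bytes(parse_hex(LOGIN_SIG))
    off = LOGIN_VA - IMAGE_BASE
    image[off:off + len(prologue)] = prologue
    return image


def demo() -> dict:
    """Apply the login patch and report where it landed and what is there now."""
    image = build_image()
    off = patch_sig(image, LOGIN_SIG, LOGIN_PATCH)
    head = bytes(image[off:off + 9]).hex(" ").upper()
    return {"offset": off, "va": IMAGE_BASE + off, "patched_head": head}


if __name__ == "__main__":
    print(demo())
```

The uniqueness check is the part the thread's tool output does not show: a prologue like `55 8B EC 81 EC ...` followed by a run of `mov dword ptr [ebp-x], 0` is common to many Easy Language routines, so a signature that matches more than once should be refused rather than patched at the first hit.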

boot posted on 2022-4-24 12:22

It is actually VMP; someone disguised the sections as UPX.

月儿圆 posted on 2022-4-24 14:28

Which game?

2041535600 posted on 2022-4-24 14:40

月儿圆 posted on 2022-4-24 14:28
Which game?

原神 (Genshin Impact); could you put out a tutorial?

2041535600 posted on 2022-4-24 17:18

jinqike posted on 2022-4-24 17:14
.版本 2

    写内存字节集 (PID, 十六到十 (“4C7C0A”), 还原字节集2 (“32 32 32 32 32 32 32 32”))


Could you explain the principle behind it?

2041535600 posted on 2022-4-24 17:30

jinqike posted on 2022-4-24 17:14
.版本 2

    写内存字节集 (PID, 十六到十 (“4C7C0A”), 还原字节集2 (“32 32 32 32 32 32 32 32”))


If needed I can add some HB, or tip money works too