楼主软件有密码啊
密码补上了,之前忘了写:369
基址是随机变化的……
嗯,一样都能找到,只不过每次位置都会变化
脱壳试一下 送你两个脚本
/*
VMProtect OEP Founder 1.1
by ximo
just for fun

ODbgScript (OllyDbg script) that tries to stop the debuggee at, or close to,
its original entry point (OEP).
Outline:
  1. Read the first section's address and size from the PE headers.
  2. Break inside kernel32!VirtualProtect and resume until a protection value
     seen on the first hit shows up again.
  3. Alternate a breakpoint on the VM return address with a memory breakpoint
     on the first section until eip is no longer above that section's end.

NOTE(review): several memory operands in square brackets appear to have been
stripped when this listing was published (every "mov x," with nothing after
the comma). The script will not run as shown; each such line is flagged below.
*/
var imagebase
var tmp
var pNtHeader
var sectionaddr
var sectionsize
var sum
var protection
var firstpro
var isfirst
var retn
// isfirst = 1 until the first VirtualProtect hit has been recorded.
mov isfirst,1
//VM_Retn
// Hard-coded absolute address, so it is specific to one build of one target.
// NOTE(review): it must be re-located per target, and it will not hold if the
// module is loaded at a different base - confirm before use.
mov retn,00474737
// Start clean: clear software breakpoints and hardware breakpoints.
bc
bphwc
// Base address of the module that contains eip.
GMI eip, MODULEBASE
mov imagebase, $RESULT
// NOTE(review): source operand lost in extraction. Given the arithmetic that
// follows, this presumably read e_lfanew, i.e. [imagebase+3C] - confirm
// against the original script.
mov tmp,
// tmp = address of the NT headers.
add tmp,imagebase
mov pNtHeader,tmp
// 0xF8 is the size of the PE32 NT headers, so despite its name pNtHeader now
// points at the first section header (assumes a 32-bit image with the
// standard optional-header size - TODO confirm for the target).
add pNtHeader,f8
mov tmp,pNtHeader
// +0xC = VirtualAddress field of the section header.
add tmp,c
// NOTE(review): source operand lost in extraction; presumably [tmp].
mov sectionaddr,
// RVA -> virtual address.
add sectionaddr,imagebase
mov tmp,pNtHeader
// +0x8 = VirtualSize field of the section header.
add tmp,8
// NOTE(review): source operand lost in extraction; presumably [tmp].
mov sectionsize,
// sum = end address of the first section.
mov sum,sectionaddr
add sum,sectionsize
gpa "VirtualProtect", "kernel32"
cmp $RESULT, 0
je err
// Break 0x13 bytes into VirtualProtect instead of at its first instruction.
// NOTE(review): this offset depends on the kernel32 build - verify that it
// lands on an instruction boundary on the analysis machine.
bp $RESULT+13
// Resume (esto passes exceptions to the debuggee, so the packed program's code
// really executes between hits) until the protection value recorded on the
// first hit is seen again.
loop:
esto
cmp isfirst,1
je firstt
// NOTE(review): source operand lost in extraction; it cannot be reconstructed
// from this page (presumably a stack slot holding a VirtualProtect argument).
mov protection,
cmp protection,firstpro
je next
jmp loop
firstt:
// NOTE(review): source operand lost in extraction, same slot as above.
mov firstpro,
mov isfirst,0
jmp loop
next:
// Drop the VirtualProtect breakpoint and run back to user code.
bc
rtu
find:
// Run to the VM return address, then arm a memory breakpoint (bprm) over the
// whole first section and resume.
bp retn
esto
bc
bprm sectionaddr,sectionsize
esto
// Only the upper bound is tested: a stop above the section end means we are
// not there yet, so go round again. bpmc removes the memory breakpoint before
// the conditional jump is taken.
// NOTE(review): an eip below sectionaddr would also fall through to "finded".
cmp eip,sum
bpmc
ja find
finded:
cmt eip,"this is OEP or Near OEP!"
ret
// Reached when VirtualProtect cannot be resolved; exits without a message.
err:
ret
-------------------------------------------------------------
上面是第一个脚本,用于查找 OEP
/*
VMProtect 2.07 Unpacker
by ximo
just for fun

ODbgScript (OllyDbg script) that records the imports resolved by the protected
program. Each time execution stops at the resolver address with eax pointing
at a named API, the script runs on to the VM's memory-write handler and
appends one line to the log file: "addr,key,dllname,apiname", where addr is
the address being written (eax at the write) and key is the API address minus
the value being written (edx at the write).
It does not rebuild the import table itself; it only produces the log.
*/
var getfunc
var dllname
var apiname
var writeaddr
var addr
var apiaddr
var key
var info
var end
var logfile
// Relative file name; where it is created depends on the debugger's working
// directory. wrta appends, so delete an old log before a new run.
mov logfile,"FkIAT.txt"
/*
VM_WmDs32:
004FBA37 8910 mov dword ptr ds:[eax],edx
(the "[eax]" operand was missing from the published listing and is restored
from the opcode bytes 89 10)
NOTE(review): the address in this sample line (004FBA37) is not the value
assigned to writeaddr below (0047640E); it looks like it was taken from a
different target. Locate the handler in the binary actually being analysed.
*/
mov writeaddr,0047640E
//OEP or stop script addr
// Hard-coded for one specific target, like writeaddr above.
mov end,00401DAD
// Start clean: clear software breakpoints and hardware breakpoints.
bc
bphwc
gpa "CreateFileW", "kernel32"
cmp $RESULT, 0
je err
// Search from CreateFileW for the bytes C2 1C 00 (retn 1C) and break there.
findop $RESULT,#C21C00#
cmp $RESULT, 0
je err
bp $RESULT
esto
bc
// Run back to user code; the address reached is taken as the stop point for
// every later import resolution.
rtu
mov getfunc,eip
// Hardware execute breakpoints on the resolver address and on the stop address.
bphws getfunc, "x"
bphws end, "x"
loop:
run
cmp eip,end
// NOTE(review): "end" is both a variable (the stop address) and a label;
// confirm that the script engine resolves this jump target to the label.
je end
// gn looks up a symbolic name for the address in eax; $RESULT is 0 when there
// is none, in which case this stop is skipped.
gn eax
cmp $RESULT,0
je next
do:
mov apiaddr,eax
mov dllname,$RESULT_1
mov apiname,$RESULT_2
// Run on to the VM's memory-write handler; the breakpoint is one-shot.
bp writeaddr
esto
bc eip
// At the write: eax = destination address, edx = value being stored.
mov addr,eax
mov key,apiaddr
sub key,edx
eval "{addr},{key},{dllname},{apiname}"
mov info,$RESULT
wrta logfile,info
next:
jmp loop
// Normal exit. Unlike the err path below, this does not clear the two
// hardware breakpoints set above.
end:
ret
// Reached when CreateFileW or the retn 1C pattern cannot be found.
err:
bc
bphwc
ret
----------------------------------------
修复脚本