E盾，UPX1,补丁,闪退

2041535600 · 发表于 2022-4-24 08:53

问题描述：补丁逆向后直接崩溃
自我分析：如下
问题配图：界面：

由此可见很明显是个E盾
查壳：

UPX1，但是不要问我为什么不脱壳机。。。能脱掉也就不这么麻烦了
运行后附加

可以看到里面的内容也被加密的差不多了
所以我先搜特征码
登录：
00411451 55             push ebp
00411452 8BEC          mov    ebp, esp
00411454 81EC 4C010000 sub    esp, 0x14C
0041145A C745 FC 0000000>mov    dword ptr [ebp-0x4], 0x0
00411461 C745 F8 0000000>mov    dword ptr [ebp-0x8], 0x0
00411468 C745 F4 0000000>mov    dword ptr [ebp-0xC], 0x0
0041146F C745 F0 0000000>mov    dword ptr [ebp-0x10], 0x0
00411476 C745 EC 0000000>mov    dword ptr [ebp-0x14], 0x0
0041147D C745 E8 0000000>mov    dword ptr [ebp-0x18], 0x0
00411484 C745 E4 0000000>mov    dword ptr [ebp-0x1C], 0x0
0041148B C745 E0 0000000>mov    dword ptr [ebp-0x20], 0x0
00411492 C745 DC 0000000>mov    dword ptr [ebp-0x24], 0x0
00411499 68 20000000    push 0x20
0041149E E8 451B0200    call 00432FE8                      ; jmp 到 <3ABC2D.分配内存>

频率：
004255E2 55             push ebp
004255E3 8BEC          mov    ebp, esp
004255E5 81EC 78000000 sub    esp, 0x78
004255EB C745 FC 0000000>mov    dword ptr [ebp-0x4], 0x0
004255F2 C745 F8 0000000>mov    dword ptr [ebp-0x8], 0x0

算法：

00422C63 55             push ebp
00422C64 8BEC          mov    ebp, esp
00422C66 81EC 98000000 sub    esp, 0x98
00422C6C C745 FC 0000000>mov    dword ptr [ebp-0x4], 0x0

合法：

0040BBD9 55             push ebp
0040BBDA 8BEC          mov    ebp, esp
0040BBDC 81EC 84000000 sub    esp, 0x84
0040BBE2 C745 FC 0000000>mov    dword ptr [ebp-0x4], 0x0
0040BBE9 C745 F8 0000000>mov    dword ptr [ebp-0x8], 0x0
0040BBF0 C745 F4 0000000>mov    dword ptr [ebp-0xC], 0x0
0040BBF7 68 08010000    push 0x108

========================================================================

不知道以上特征码找的对不对，先按对的来的话就开始写补丁了
欢迎使用
-----------------(登录)--------------------
寻找到的地址：411451
寻找的特征码：55 8B EC 81 EC 4C 01 00 00 C7 45 FC 00 00 00 00 C7 45 F8 00 00 00 00 C7 45 F4 00 00 00 00 C7 45F0 00 00 00 00 C7 45 EC 00 00 00 00 C7 45 E8 00 00 00 00 C7 45 E4 00 00 00 00 C7 45 E0 00 00 0000 C7 45 DC 00 00 00 00 68 20 00 00 00
替换的特征码：B8 01 00 00 00 C9 C3 90 90 C7 45 FC 00 00 00 00 C7 45 F8 00 00 00 00 C7 45 F4 00 00 00 00 C7 45F0 00 00 00 00 C7 45 EC 00 00 00 00 C7 45 E8 00 00 00 00 C7 45 E4 00 00 00 00 C7 45 E0 00 00 0000 C7 45 DC 00 00 00 00 68 20 00 00 00
特征备注：

-----------------(频率)--------------------
寻找到的地址：4255E2
寻找的特征码：55 8B EC 81 EC 78 00 00 00 C7 45 FC 00 00 00 00 C7 45 F8 00 00 00 00 C7 45 F4 00 00 00 00 C7 45F0 00 00 00 00 C7 45 EC 00 00 00 00 C7 45 E8 00 00 00 00 C7 45 E4 00 00 00 00 C7 45 E0 00 00 0000 C7 45 DC 00 00 00 00 C7 45 D8 00 00 00 00 C7 45 D4 00 00 00 00 C7 45 D0 00 00 00 00 C7 45 CC00 00 00 00 C7 45 C8 00 00 00 00 C7 45 C4 00 00 00 00 68 08 00 00 00
替换的特征码：C9 C3 90 81 EC 78 00 00 00 C7 45 FC 00 00 00 00 C7 45 F8 00 00 00 00 C7 45 F4 00 00 00 00 C7 45F0 00 00 00 00 C7 45 EC 00 00 00 00 C7 45 E8 00 00 00 00 C7 45 E4 00 00 00 00 C7 45 E0 00 00 0000 C7 45 DC 00 00 00 00 C7 45 D8 00 00 00 00 C7 45 D4 00 00 00 00 C7 45 D0 00 00 00 00 C7 45 CC00 00 00 00 C7 45 C8 00 00 00 00 C7 45 C4 00 00 00 00 68 08 00 00 00
特征备注：

-----------------(合法)--------------------
寻找到的地址：4215DA
寻找的特征码：55 8B EC 5D 81 EC 84 00 00 00 53 8B 9C 24 98 00 00 00 56 33 C9 33 F6 33 D2 57
替换的特征码：C9 8B EC 5D 81 EC 84 00 00 00 53 8B 9C 24 98 00 00 00 56 33 C9 33 F6 33 D2 57
特征备注：

-----------------(算法)--------------------
寻找到的地址：422C63
寻找的特征码：55 8B EC 81 EC 98 00 00 00 C7 45 FC 00 00 00 00 C7 45 F8 00 00 00 00 C7 45 F4 00 00 00 00 C7 45F0 00 00 00 00 C7 45 EC 00 00 00 00 C7 45 E8 00 00 00 00 C7 45 E4 00 00 00 00 C7 45 E0 00 00 0000 C7 45 DC 00 00 00 00 C7 45 D8 00 00 00 00 C7 45 D4 00 00 00 00 C7 45 D0 00 00 00 00 C7 45 CC00 00 00 00 C7 45 C8 00 00 00 00 C7 45 C4 00 00 00 00 C7 45 C0 00 00 00 00 C7 45 BC 00 00 00 00C7 45 B8 00 00 00 00 68 08 00 00 00
替换的特征码：B8 01 00 00 00 C9 C3 90 90 C7 45 FC 00 00 00 00 C7 45 F8 00 00 00 00 C7 45 F4 00 00 00 00 C7 45F0 00 00 00 00 C7 45 EC 00 00 00 00 C7 45 E8 00 00 00 00 C7 45 E4 00 00 00 00 C7 45 E0 00 00 0000 C7 45 DC 00 00 00 00 C7 45 D8 00 00 00 00 C7 45 D4 00 00 00 00 C7 45 D0 00 00 00 00 C7 45 CC00 00 00 00 C7 45 C8 00 00 00 00 C7 45 C4 00 00 00 00 C7 45 C0 00 00 00 00 C7 45 BC 00 00 00 00C7 45 B8 00 00 00 00 68 08 00 00 00
特征备注：

补丁执行完毕！

输入卡密，登录，程序直接退出
登录部分改的是
mov eax,1
leave
ret
合法
leave
ret
算法
ret
频率
leave
ret

病毒查杀截图或链接：https://habo.qq.com/file/showdetail?pk=ADcGYV1kB24IO1s4U2U%3D

下载链接：
https://wwm.lanzouf.com/i89Gr03o299i
新人，HB有限，十分感谢

jinqike · 发表于 2022-4-24 08:53

最佳答案本应属于楼主私有，因此限制查看

您还有0次查看次数，点此查看答案

点此购买查看次数
也可以兑换VIP特权或加入解密专家，每日可免费查看5次最佳答案！

boot · 发表于 2022-4-24 12:22

实际是vmp，被某人把区段伪装成upx。

月儿圆 · 发表于 2022-4-24 14:28

啥游戏的

2041535600 · 发表于 2022-4-24 14:40

月儿圆发表于 2022-4-24 14:28
啥游戏的

原神，请问方便出个教程不

2041535600 · 发表于 2022-4-24 17:18

jinqike 发表于 2022-4-24 17:14
.版本 2

写内存字节集 (PID, 十六到十 (“4C7C0A”), 还原字节集2 (“32 32 32 32 32 32 32 32”))

请问能不能讲讲原理啥的，

2041535600 · 发表于 2022-4-24 17:30

jinqike 发表于 2022-4-24 17:14
.版本 2

写内存字节集 (PID, 十六到十 (“4C7C0A”), 还原字节集2 (“32 32 32 32 32 32 32 32”))

需要的话可以加点HB，水钱也行

		自动登录	找回密码
密码			立即注册