罗萨 发表于 2022-3-23 13:42

分析一个.NET CM

本帖最后由 罗萨 于 2022-3-23 14:42 编辑

原文链接:https://www.52pojie.cn/thread-1608459-1-1.html
一、准备工作
目标软件是一个加了VMP并开启虚拟化及代码变异,脱壳过程略,直接看脱壳的结果

可以看到关键地方全部被虚拟化了,关于虚拟化处理起来我还没有很好的解决方案
二、去除反调试
timer1里有进程检测反调试,每2秒检测是否包含{“dnSpy”,“de4dot”,“64”,“32”,“ExtremeDumper”}字样,将timer1时钟设置为flase即可关闭检测

de4dot直接修改会清除vmp区段,这里我直接跳转到16禁止去c32修改的,将0xC98F6这里修改为0就可以啦

三、追码
解决反调试后我找了个软件来帮助解决虚拟化代码的问题,下面贴软件生成的log
2022-03-23 13:19:42.639 +08:00 VmProtectDumperUnsafeInvoke Prefix:
2022-03-23 13:19:42.639 +08:00 {
2022-03-23 13:19:42.640 +08:00          VMP MethodName: System.Void Crackme.Form1::textBox2_TextChanged(System.Object sender, System.EventArgs e) (MDToken 0x100663302)
2022-03-23 13:19:42.640 +08:00          MethodName: Replace
2022-03-23 13:19:42.640 +08:00          FullDescription: System.String System.String::Replace(System.String oldValue, System.String newValue)
2022-03-23 13:19:42.640 +08:00          MethodType: System.Reflection.RuntimeMethodInfo
2022-03-23 13:19:42.640 +08:00          Obj: "D93D3311D3NN2C9D213DC21DR1QD9234"
2022-03-23 13:19:42.640 +08:00          Parameter (System.String) : ("0")
2022-03-23 13:19:42.640 +08:00          Parameter (System.String) : ("D")
2022-03-23 13:19:42.641 +08:00          MDToken: 0x6000542
2022-03-23 13:19:42.641 +08:00          Return Type: System.String
2022-03-23 13:19:42.641 +08:00 VmProtectDumperUnsafeInvoke Result:
2022-03-23 13:19:42.641 +08:00          Returns: D93D3311D3NN2C9D213DC21DR1QD9234
2022-03-23 13:19:42.641 +08:00 }

2022-03-23 13:19:42.641 +08:00 VmProtectDumperUnsafeInvoke Prefix:
2022-03-23 13:19:42.641 +08:00 {
2022-03-23 13:19:42.641 +08:00          VMP MethodName: System.Void Crackme.Form1::textBox2_TextChanged(System.Object sender, System.EventArgs e) (MDToken 0x100663302)
2022-03-23 13:19:42.641 +08:00          MethodName: Replace
2022-03-23 13:19:42.641 +08:00          FullDescription: System.String System.String::Replace(System.String oldValue, System.String newValue)
2022-03-23 13:19:42.641 +08:00          MethodType: System.Reflection.RuntimeMethodInfo
2022-03-23 13:19:42.641 +08:00          Obj: "D93D3311D3NN2C9D213DC21DR1QD9234"
2022-03-23 13:19:42.641 +08:00          Parameter (System.String) : ("8")
2022-03-23 13:19:42.641 +08:00          Parameter (System.String) : ("C")
2022-03-23 13:19:42.641 +08:00          MDToken: 0x6000542
2022-03-23 13:19:42.642 +08:00          Return Type: System.String
2022-03-23 13:19:42.642 +08:00 VmProtectDumperUnsafeInvoke Result:
2022-03-23 13:19:42.642 +08:00          Returns: D93D3311D3NN2C9D213DC21DR1QD9234
2022-03-23 13:19:42.642 +08:00 }

2022-03-23 13:19:42.642 +08:00 VmProtectDumperUnsafeInvoke Prefix:
2022-03-23 13:19:42.642 +08:00 {
2022-03-23 13:19:42.642 +08:00          VMP MethodName: System.Void Crackme.Form1::textBox2_TextChanged(System.Object sender, System.EventArgs e) (MDToken 0x100663302)
2022-03-23 13:19:42.642 +08:00          MethodName: Replace
2022-03-23 13:19:42.642 +08:00          FullDescription: System.String System.String::Replace(System.String oldValue, System.String newValue)
2022-03-23 13:19:42.643 +08:00          MethodType: System.Reflection.RuntimeMethodInfo
2022-03-23 13:19:42.643 +08:00          Obj: "D93D3311D3NN2C9D213DC21DR1QD9234"
2022-03-23 13:19:42.643 +08:00          Parameter (System.String) : ("7")
2022-03-23 13:19:42.643 +08:00          Parameter (System.String) : ("N")
2022-03-23 13:19:42.643 +08:00          MDToken: 0x6000542
2022-03-23 13:19:42.643 +08:00          Return Type: System.String
2022-03-23 13:19:42.643 +08:00 VmProtectDumperUnsafeInvoke Result:
2022-03-23 13:19:42.643 +08:00          Returns: D93D3311D3NN2C9D213DC21DR1QD9234
2022-03-23 13:19:42.643 +08:00 }

2022-03-23 13:19:42.643 +08:00 VmProtectDumperUnsafeInvoke Prefix:
2022-03-23 13:19:42.643 +08:00 {
2022-03-23 13:19:42.643 +08:00          VMP MethodName: System.Void Crackme.Form1::textBox2_TextChanged(System.Object sender, System.EventArgs e) (MDToken 0x100663302)
2022-03-23 13:19:42.643 +08:00          MethodName: Replace
2022-03-23 13:19:42.643 +08:00          FullDescription: System.String System.String::Replace(System.String oldValue, System.String newValue)
2022-03-23 13:19:42.643 +08:00          MethodType: System.Reflection.RuntimeMethodInfo
2022-03-23 13:19:42.643 +08:00          Obj: "D93D3311D3NN2C9D213DC21DR1QD9234"
2022-03-23 13:19:42.644 +08:00          Parameter (System.String) : ("5")
2022-03-23 13:19:42.644 +08:00          Parameter (System.String) : ("Q")
2022-03-23 13:19:42.644 +08:00          MDToken: 0x6000542
2022-03-23 13:19:42.644 +08:00          Return Type: System.String
2022-03-23 13:19:42.644 +08:00 VmProtectDumperUnsafeInvoke Result:
2022-03-23 13:19:42.644 +08:00          Returns: D93D3311D3NN2C9D213DC21DR1QD9234
2022-03-23 13:19:42.644 +08:00 }

2022-03-23 13:19:42.644 +08:00 VmProtectDumperUnsafeInvoke Prefix:
2022-03-23 13:19:42.644 +08:00 {
2022-03-23 13:19:42.644 +08:00          VMP MethodName: System.Void Crackme.Form1::textBox2_TextChanged(System.Object sender, System.EventArgs e) (MDToken 0x100663302)
2022-03-23 13:19:42.644 +08:00          MethodName: Replace
2022-03-23 13:19:42.644 +08:00          FullDescription: System.String System.String::Replace(System.String oldValue, System.String newValue)
2022-03-23 13:19:42.644 +08:00          MethodType: System.Reflection.RuntimeMethodInfo
2022-03-23 13:19:42.644 +08:00          Obj: "D93D3311D3NN2C9D213DC21DR1QD9234"
2022-03-23 13:19:42.644 +08:00          Parameter (System.String) : ("6")
2022-03-23 13:19:42.645 +08:00          Parameter (System.String) : ("R")
2022-03-23 13:19:42.645 +08:00          MDToken: 0x6000542
2022-03-23 13:19:42.645 +08:00          Return Type: System.String
2022-03-23 13:19:42.645 +08:00 VmProtectDumperUnsafeInvoke Result:
2022-03-23 13:19:42.645 +08:00          Returns: D93D3311D3NN2C9D213DC21DR1QD9234
2022-03-23 13:19:42.645 +08:00 }

2022-03-23 13:19:42.645 +08:00 VmProtectDumperUnsafeInvoke Prefix:
2022-03-23 13:19:42.645 +08:00 {
2022-03-23 13:19:42.645 +08:00          VMP MethodName: System.Void Crackme.Form1::textBox2_TextChanged(System.Object sender, System.EventArgs e) (MDToken 0x100663302)
2022-03-23 13:19:42.645 +08:00          MethodName: Replace
2022-03-23 13:19:42.645 +08:00          FullDescription: System.String System.String::Replace(System.String oldValue, System.String newValue)
2022-03-23 13:19:42.645 +08:00          MethodType: System.Reflection.RuntimeMethodInfo
2022-03-23 13:19:42.645 +08:00          Obj: "D93D3311D3NN2C9D213DC21DR1QD9234"
2022-03-23 13:19:42.645 +08:00          Parameter (System.String) : ("L")
2022-03-23 13:19:42.645 +08:00          Parameter (System.String) : ("4")
2022-03-23 13:19:42.646 +08:00          MDToken: 0x6000542
2022-03-23 13:19:42.646 +08:00          Return Type: System.String
2022-03-23 13:19:42.646 +08:00 VmProtectDumperUnsafeInvoke Result:
2022-03-23 13:19:42.646 +08:00          Returns: D93D3311D3NN2C9D213DC21DR1QD9234
2022-03-23 13:19:42.646 +08:00 }

2022-03-23 13:19:42.646 +08:00 VmProtectDumperUnsafeInvoke Prefix:
2022-03-23 13:19:42.646 +08:00 {
2022-03-23 13:19:42.646 +08:00          VMP MethodName: System.Void Crackme.Form1::textBox2_TextChanged(System.Object sender, System.EventArgs e) (MDToken 0x100663302)
2022-03-23 13:19:42.646 +08:00          MethodName: Replace
2022-03-23 13:19:42.646 +08:00          FullDescription: System.String System.String::Replace(System.String oldValue, System.String newValue)
2022-03-23 13:19:42.646 +08:00          MethodType: System.Reflection.RuntimeMethodInfo
2022-03-23 13:19:42.646 +08:00          Obj: "D93D3311D3NN2C9D213DC21DR1QD9234"
2022-03-23 13:19:42.646 +08:00          Parameter (System.String) : ("A")
2022-03-23 13:19:42.646 +08:00          Parameter (System.String) : ("2")
2022-03-23 13:19:42.646 +08:00          MDToken: 0x6000542
2022-03-23 13:19:42.647 +08:00          Return Type: System.String
2022-03-23 13:19:42.647 +08:00 VmProtectDumperUnsafeInvoke Result:
2022-03-23 13:19:42.647 +08:00          Returns: D93D3311D3NN2C9D213DC21DR1QD9234
2022-03-23 13:19:42.647 +08:00 }

2022-03-23 13:19:42.647 +08:00 VmProtectDumperUnsafeInvoke Prefix:
2022-03-23 13:19:42.647 +08:00 {
2022-03-23 13:19:42.647 +08:00          VMP MethodName: System.Void Crackme.Form1::textBox2_TextChanged(System.Object sender, System.EventArgs e) (MDToken 0x100663302)
2022-03-23 13:19:42.647 +08:00          MethodName: Replace
2022-03-23 13:19:42.647 +08:00          FullDescription: System.String System.String::Replace(System.String oldValue, System.String newValue)
2022-03-23 13:19:42.647 +08:00          MethodType: System.Reflection.RuntimeMethodInfo
2022-03-23 13:19:42.647 +08:00          Obj: "D93D3311D3NN2C9D213DC21DR1QD9234"
2022-03-23 13:19:42.647 +08:00          Parameter (System.String) : ("B")
2022-03-23 13:19:42.647 +08:00          Parameter (System.String) : ("3")
2022-03-23 13:19:42.647 +08:00          MDToken: 0x6000542
2022-03-23 13:19:42.647 +08:00          Return Type: System.String
2022-03-23 13:19:42.648 +08:00 VmProtectDumperUnsafeInvoke Result:
2022-03-23 13:19:42.648 +08:00          Returns: D93D3311D3NN2C9D213DC21DR1QD9234
2022-03-23 13:19:42.648 +08:00 }

2022-03-23 13:19:42.648 +08:00 VmProtectDumperUnsafeInvoke Prefix:
2022-03-23 13:19:42.648 +08:00 {
2022-03-23 13:19:42.648 +08:00          VMP MethodName: System.Void Crackme.Form1::textBox2_TextChanged(System.Object sender, System.EventArgs e) (MDToken 0x100663302)
2022-03-23 13:19:42.648 +08:00          MethodName: Replace
2022-03-23 13:19:42.648 +08:00          FullDescription: System.String System.String::Replace(System.String oldValue, System.String newValue)
2022-03-23 13:19:42.648 +08:00          MethodType: System.Reflection.RuntimeMethodInfo
2022-03-23 13:19:42.648 +08:00          Obj: "D93D3311D3NN2C9D213DC21DR1QD9234"
2022-03-23 13:19:42.648 +08:00          Parameter (System.String) : ("E")
2022-03-23 13:19:42.648 +08:00          Parameter (System.String) : ("0")
2022-03-23 13:19:42.648 +08:00          MDToken: 0x6000542
2022-03-23 13:19:42.648 +08:00          Return Type: System.String
2022-03-23 13:19:42.649 +08:00 VmProtectDumperUnsafeInvoke Result:
2022-03-23 13:19:42.649 +08:00          Returns: D93D3311D3NN2C9D213DC21DR1QD9234
2022-03-23 13:19:42.649 +08:00 }

2022-03-23 13:19:42.649 +08:00 VmProtectDumperUnsafeInvoke Prefix:
2022-03-23 13:19:42.649 +08:00 {
2022-03-23 13:19:42.649 +08:00          VMP MethodName: System.Void Crackme.Form1::textBox2_TextChanged(System.Object sender, System.EventArgs e) (MDToken 0x100663302)
2022-03-23 13:19:42.649 +08:00          MethodName: Replace
2022-03-23 13:19:42.649 +08:00          FullDescription: System.String System.String::Replace(System.String oldValue, System.String newValue)
2022-03-23 13:19:42.649 +08:00          MethodType: System.Reflection.RuntimeMethodInfo
2022-03-23 13:19:42.649 +08:00          Obj: "D93D3311D3NN2C9D213DC21DR1QD9234"
2022-03-23 13:19:42.649 +08:00          Parameter (System.String) : ("F")
2022-03-23 13:19:42.649 +08:00          Parameter (System.String) : ("1")
2022-03-23 13:19:42.649 +08:00          MDToken: 0x6000542
2022-03-23 13:19:42.649 +08:00          Return Type: System.String
2022-03-23 13:19:42.649 +08:00 VmProtectDumperUnsafeInvoke Result:
2022-03-23 13:19:42.650 +08:00          Returns: D93D3311D3NN2C9D213DC21DR1QD9234
2022-03-23 13:19:42.650 +08:00 }

2022-03-23 13:19:42.650 +08:00 VmProtectDumperUnsafeInvoke Prefix:
2022-03-23 13:19:42.650 +08:00 {
2022-03-23 13:19:42.650 +08:00          VMP MethodName: System.Void Crackme.Form1::textBox2_TextChanged(System.Object sender, System.EventArgs e) (MDToken 0x100663302)
2022-03-23 13:19:42.650 +08:00          MethodName: Replace
2022-03-23 13:19:42.650 +08:00          FullDescription: System.String System.String::Replace(System.String oldValue, System.String newValue)
2022-03-23 13:19:42.650 +08:00          MethodType: System.Reflection.RuntimeMethodInfo
2022-03-23 13:19:42.650 +08:00          Obj: "D93D3311D3NN2C9D213DC21DR1QD9234"
2022-03-23 13:19:42.650 +08:00          Parameter (System.String) : ("M")
2022-03-23 13:19:42.650 +08:00          Parameter (System.String) : ("9")
2022-03-23 13:19:42.651 +08:00          MDToken: 0x6000542
2022-03-23 13:19:42.651 +08:00          Return Type: System.String
2022-03-23 13:19:42.651 +08:00 VmProtectDumperUnsafeInvoke Result:
2022-03-23 13:19:42.651 +08:00          Returns: D93D3311D3NN2C9D213DC21DR1QD9234
2022-03-23 13:19:42.651 +08:00 }

2022-03-23 13:19:42.651 +08:00 VmProtectDumperUnsafeInvoke Prefix:
2022-03-23 13:19:42.651 +08:00 {
2022-03-23 13:19:42.651 +08:00          VMP MethodName: System.Void Crackme.Form1::textBox2_TextChanged(System.Object sender, System.EventArgs e) (MDToken 0x100663302)
2022-03-23 13:19:42.651 +08:00          MethodName: ToArray
2022-03-23 13:19:42.651 +08:00          FullDescription: static System.Char[] System.Linq.Enumerable::ToArray(System.Collections.Generic.IEnumerable`1<System.Char> source)
2022-03-23 13:19:42.651 +08:00          MethodType: System.Reflection.RuntimeMethodInfo
2022-03-23 13:19:42.651 +08:00          Parameter (System.String) : ("D93D3311D3NN2C9D213DC21DR1QD9234")
2022-03-23 13:19:42.651 +08:00          MDToken: 0x6000B6F
2022-03-23 13:19:42.651 +08:00          Return Type: System.Char[]
2022-03-23 13:19:42.652 +08:00 VmProtectDumperUnsafeInvoke Result:
2022-03-23 13:19:42.652 +08:00          Returns: ["D","9","3","D","3","3","1","1","D","3","N","N","2","C","9","D","2","1","3","D","C","2","1","D","R","1","Q","D","9","2","3","4"]
2022-03-23 13:19:42.652 +08:00 }

2022-03-23 13:19:42.652 +08:00 VmProtectDumperUnsafeInvoke Prefix:
2022-03-23 13:19:42.652 +08:00 {
2022-03-23 13:19:42.652 +08:00          VMP MethodName: System.Void Crackme.Form1::textBox2_TextChanged(System.Object sender, System.EventArgs e) (MDToken 0x100663302)
2022-03-23 13:19:42.652 +08:00          MethodName: get_Length
2022-03-23 13:19:42.652 +08:00          FullDescription: System.Int32 System.String::get_Length()
2022-03-23 13:19:42.652 +08:00          MethodType: System.Reflection.RuntimeMethodInfo
2022-03-23 13:19:42.652 +08:00          Obj: "D93D3311D3NN2C9D213DC21DR1QD9234"
2022-03-23 13:19:42.653 +08:00          MDToken: 0x60004D2
2022-03-23 13:19:42.653 +08:00          Return Type: System.Int32
2022-03-23 13:19:42.653 +08:00 VmProtectDumperUnsafeInvoke Result:
2022-03-23 13:19:42.653 +08:00          Returns: 32
2022-03-23 13:19:42.653 +08:00 }

2022-03-23 13:19:42.653 +08:00 VmProtectDumperUnsafeInvoke Prefix:
2022-03-23 13:19:42.653 +08:00 {
2022-03-23 13:19:42.653 +08:00          VMP MethodName: System.Void Crackme.Form1::textBox2_TextChanged(System.Object sender, System.EventArgs e) (MDToken 0x100663302)
2022-03-23 13:19:42.653 +08:00          MethodName: smethod_0
2022-03-23 13:19:42.653 +08:00          FullDescription: static System.Void 7B4E5853::smethod_0(System.Array array_0, System.Int32 int_0, System.Int32 int_1)
2022-03-23 13:19:42.653 +08:00          MethodType: System.Reflection.RuntimeMethodInfo
2022-03-23 13:19:42.653 +08:00          Parameter (System.Char[]) : (Char[] {D, 9, 3, D, 3, 3, 1, 1, D, 3, N, N, 2, C, 9, D, 2, 1, 3, D, C, 2, 1, D, R, 1, Q, D, 9, 2, 3, 4})
2022-03-23 13:19:42.653 +08:00          Parameter (System.Int32) : (0)
2022-03-23 13:19:42.653 +08:00          Parameter (System.Int32) : (32)
2022-03-23 13:19:42.654 +08:00          MDToken: 0x6000094
2022-03-23 13:19:42.654 +08:00          Return Type: System.Void
2022-03-23 13:19:42.654 +08:00 VmProtectDumperUnsafeInvoke Result:
2022-03-23 13:19:42.654 +08:00          Returns: null
2022-03-23 13:19:42.654 +08:00 }

2022-03-23 13:19:42.654 +08:00 VmProtectDumperUnsafeInvoke Prefix:
2022-03-23 13:19:42.654 +08:00 {
2022-03-23 13:19:42.654 +08:00          VMP MethodName: System.Void Crackme.Form1::textBox2_TextChanged(System.Object sender, System.EventArgs e) (MDToken 0x100663302)
2022-03-23 13:19:42.654 +08:00          MethodName: smethod_0
2022-03-23 13:19:42.654 +08:00          FullDescription: static System.Object 37891AB0::smethod_0()
2022-03-23 13:19:42.654 +08:00          MethodType: System.Reflection.RuntimeMethodInfo
2022-03-23 13:19:42.654 +08:00          MDToken: 0x6000049
2022-03-23 13:19:42.654 +08:00          Return Type: System.Object
2022-03-23 13:19:42.654 +08:00 VmProtectDumperUnsafeInvoke Result:
2022-03-23 13:19:42.654 +08:00          Returns:
2022-03-23 13:19:42.655 +08:00 }

2022-03-23 13:19:42.657 +08:00 VmProtectDumperUnsafeInvoke Prefix:
2022-03-23 13:19:42.657 +08:00 {
2022-03-23 13:19:42.657 +08:00          VMP MethodName: System.Void Crackme.Form1::textBox2_TextChanged(System.Object sender, System.EventArgs e) (MDToken 0x100663302)
2022-03-23 13:19:42.657 +08:00          MethodName: smethod_0
2022-03-23 13:19:42.657 +08:00          FullDescription: static System.Text.StringBuilder 1C814297::smethod_0(System.Object object_0, System.Char[] char_0)
2022-03-23 13:19:42.657 +08:00          MethodType: System.Reflection.RuntimeMethodInfo
2022-03-23 13:19:42.658 +08:00          Parameter (System.Text.StringBuilder) : ()
2022-03-23 13:19:42.658 +08:00          Parameter (System.Char[]) : (Char[] {4, 3, 2, 9, D, Q, 1, R, D, 1, 2, C, D, 3, 1, 2, D, 9, C, 2, N, N, 3, D, 1, 1, 3, 3, D, 3, 9, D})
2022-03-23 13:19:42.658 +08:00          MDToken: 0x6000040
2022-03-23 13:19:42.658 +08:00          Return Type: System.Text.StringBuilder
2022-03-23 13:19:42.658 +08:00 VmProtectDumperUnsafeInvoke Result:
2022-03-23 13:19:42.658 +08:00          Returns: 4329DQ1RD12CD312D9C2NN3D1133D39D
2022-03-23 13:19:42.658 +08:00 }

2022-03-23 13:19:42.658 +08:00 VmProtectDumperUnsafeInvoke Prefix:
2022-03-23 13:19:42.658 +08:00 {
2022-03-23 13:19:42.659 +08:00          VMP MethodName: System.Void Crackme.Form1::textBox2_TextChanged(System.Object sender, System.EventArgs e) (MDToken 0x100663302)
2022-03-23 13:19:42.659 +08:00          MethodName: ToString
2022-03-23 13:19:42.659 +08:00          FullDescription: virtual System.String System.Object::ToString()
2022-03-23 13:19:42.659 +08:00          MethodType: System.Reflection.RuntimeMethodInfo
2022-03-23 13:19:42.659 +08:00          Obj: 4329DQ1RD12CD312D9C2NN3D1133D39D
2022-03-23 13:19:42.659 +08:00          MDToken: 0x600022A
2022-03-23 13:19:42.659 +08:00          Return Type: System.String
2022-03-23 13:19:42.659 +08:00 VmProtectDumperUnsafeInvoke Result:
2022-03-23 13:19:42.659 +08:00          Returns: 4329DQ1RD12CD312D9C2NN3D1133D39D
2022-03-23 13:19:42.659 +08:00 }

2022-03-23 13:19:42.659 +08:00 VmProtectDumperUnsafeInvoke Prefix:
2022-03-23 13:19:42.659 +08:00 {
2022-03-23 13:19:42.659 +08:00          VMP MethodName: System.Void Crackme.Form1::textBox2_TextChanged(System.Object sender, System.EventArgs e) (MDToken 0x100663302)
2022-03-23 13:19:42.660 +08:00          MethodName: smethod_0
2022-03-23 13:19:42.660 +08:00          FullDescription: static System.String 680A5711::smethod_0(System.Object object_0)
2022-03-23 13:19:42.660 +08:00          MethodType: System.Reflection.RuntimeMethodInfo
2022-03-23 13:19:42.660 +08:00          Parameter (System.Windows.Forms.TextBox) : (System.Windows.Forms.TextBox, Text: 1245)
2022-03-23 13:19:42.660 +08:00          MDToken: 0x6000022
2022-03-23 13:19:42.660 +08:00          Return Type: System.String
2022-03-23 13:19:42.660 +08:00 VmProtectDumperUnsafeInvoke Result:
2022-03-23 13:19:42.660 +08:00          Returns: 1245
2022-03-23 13:19:42.660 +08:00 }

2022-03-23 13:19:42.660 +08:00 VmProtectDumperUnsafeInvoke Prefix:
2022-03-23 13:19:42.660 +08:00 {
2022-03-23 13:19:42.660 +08:00          VMP MethodName: System.Void Crackme.Form1::textBox2_TextChanged(System.Object sender, System.EventArgs e) (MDToken 0x100663302)
2022-03-23 13:19:42.660 +08:00          MethodName: smethod_0
2022-03-23 13:19:42.660 +08:00          FullDescription: static System.Boolean 094923F6::smethod_0(System.String string_0, System.String string_1)
2022-03-23 13:19:42.661 +08:00          MethodType: System.Reflection.RuntimeMethodInfo
2022-03-23 13:19:42.661 +08:00          Parameter (System.String) : ("1245")
2022-03-23 13:19:42.661 +08:00          Parameter (System.String) : ("4329DQ1RD12CD312D9C2NN3D1133D39D")
2022-03-23 13:19:42.661 +08:00          MDToken: 0x600003A
2022-03-23 13:19:42.661 +08:00          Return Type: System.Boolean
2022-03-23 13:19:42.661 +08:00 VmProtectDumperUnsafeInvoke Result:
2022-03-23 13:19:42.661 +08:00          Returns: false
2022-03-23 13:19:42.661 +08:00 }

我的机器码为4B29D5F6EFA8EB1AE98277BE1FB30B90,此时正确的key为D93D3311D3NN2C9D213DC21DR1QD9234

四、分析算法
借助于软件的log分析起来应该不难,直接贴注册机成品算法了

首先是机器码的算法

                public string doIt()
                {
                        
                        string text = null;
                        foreach (ManagementBaseObject managementBaseObject in new ManagementClass("Win32_NetworkAdapterConfiguration").GetInstances())
                        {
                              ManagementObject managementObject = (ManagementObject)managementBaseObject;
                              if (Convert.ToBoolean(managementObject["IPEnabled"]))
                              {
                                        text = managementObject["MacAddress"].ToString();
                                        text = text.Replace(':', '-');
                              }
                              managementObject.Dispose();
                        }
                        return text;
                }
                public string run(string str)
                {
                        return BitConverter.ToString(new MD5CryptoServiceProvider().ComputeHash(Encoding.UTF8.GetBytes(str))).Replace("-", "");
                }
               
                private void Form1_Load(object sender, EventArgs e)
      {
                        textBox1.Text = run(doIt().Replace("-", ""));
                }

下面是注册机的算法
   private void button1_Click(object sender, EventArgs e)
      {
                        string text;
                        text = textBox1.Text.Replace("0","D");
                        text = text.Replace("8", "C");
                        text = text.Replace("7", "N");
                        text = text.Replace("5", "Q");
                        text = text.Replace("6", "R");
                        text = text.Replace("L", "4");
                        text = text.Replace("A", "2");
                        text = text.Replace("B", "3");
                        text = text.Replace("E", "0");
                        text = text.Replace("F", "1");
                        text = text.Replace("M", "9");

                        textBox2.Text = ReverseA(text);
      }
                public string ReverseA(string text)
                {
                        char[] cArray = text.ToCharArray();
                        string reverse = String.Empty;
                        for (int i = cArray.Length - 1; i > -1; i--)
                        {
                              reverse += cArray;
                        }
                        return reverse;
                }



完活@Domado




evea 发表于 2022-3-23 17:35

https://github.com/void-stack/VMUnprotect

byh3025 发表于 2022-3-23 18:37

bigharvest 发表于 2022-3-23 17:26
好像这个软件Hook了 NET的所有方法和返回值类似frida可以告知下是啥软件?
一个vmp辅助分析工具,21楼已经发出来了

kds0221 发表于 2022-3-23 13:46

学习学习{:1_893:}

byh3025 发表于 2022-3-23 13:46

其实我们还是想看脱壳的过程

loopg 发表于 2022-3-23 13:46

{:1_909:}啥也没学到啊{:1_909:}

桴止 发表于 2022-3-23 13:52

学习一下谢谢楼主

wqs0987 发表于 2022-3-23 14:03

感谢大佬的无私分享

byh3025 发表于 2022-3-23 14:19

我这个也应该是真码啊,为什么会没反映呢?

罗萨 发表于 2022-3-23 14:24

byh3025 发表于 2022-3-23 14:19
我这个也应该是真码啊,为什么会没反映呢?

倒序输出一下

hsctest 发表于 2022-3-23 14:37

vmp method,现在vmp支持.net了吗

spiritffff 发表于 2022-3-23 14:38

{:1_921:}感谢分享
页: [1] 2 3 4
查看完整版本: 分析一个.NET CM


免责声明:
吾爱破解所发布的一切破解补丁、注册机和注册信息及软件的解密分析文章仅限用于学习和研究目的;不得将上述内容用于商业或者非法用途,否则,一切后果请用户自负。本站信息来自网络,版权争议与本站无关。您必须在下载后的24个小时之内,从您的电脑中彻底删除上述内容。如果您喜欢该程序,请支持正版软件,购买注册,得到更好的正版服务。如有侵权请邮件与我们联系处理。

Mail To:Service@52pojie.cn