VMP detecting a VMware virtual machine: a short piece of code
A VMP-protected program had a VMware check in it, so I thought of searching the program image for 0x564D5868 or the like, but could never find it; later I traced it segment by segment and located it, so I'm writing it down and posting it here to share. 0xxxxxxx denotes an address.

```
|.00 429CA100 vPushImm4 0xxxxxxxx   DWORD _t1880 = 0A19C42
|.77 vAdd4 EXIT                     DWORD _t1881 = 0xxxxxxx; DWORD _t1882 = AddFlag(0A19C42, 0)
|.0C vPopReg4 vR11                  DWORD _t1883 = AddFlag(0xxxxxxx, 0)
|.22 vPushReg4 vR8                  DWORD _t1884 = 0
|.25 vReadMemFs4                    v133 = DWORD FS:
|.66 vPushVEsp                      DWORD _t1886 = 0FFFFF7FC
|.22 vPushReg4 vR8                  DWORD _t1887 = 0
|.09 vWriteMemFs4                   DWORD FS: = v134; v134 = 0FFFFF7FC
|.84 0A vPushImmSx1 0A              DWORD _t1889 = 0A
|.0C vPopReg4 vR11                  DWORD _t1890 = 0A
|.00 68584D56 vPushImm4 564D5868    DWORD _t1891 = 564D5868
|.5C vPopReg4 vR1                   DWORD _t1892 = 564D5868
|.01 5856 vPushImmSx2 5658          DWORD _t1893 = 5658
|.44 vPopReg4 vR4                   DWORD _t1894 = 5658
|.00 1B3BA100 vPushImm4 0A13B1B     DWORD _t1895 = 0A13B1B
|.1A vPushReg4 vR9                  DWORD _t1896 = 0
|.77 vAdd4                          DWORD _v188 = 0A13B1B; DWORD _t1898 = AddFlag(0, 0A13B1B)
|.24 vPopReg4 vR8                   DWORD _t1899 = AddFlag(0, 0A13B1B)
|.32 vPushReg4 vR6 ESI              DWORD v135 = v123
|.F3 vPushReg4 vR14                 DWORD _t1901 = 8C64333D ^ _v151
|.4A vPushReg4 vR3 EBX              DWORD v136 = 0
|.02 vPushReg4 vR12 EFL             DWORD v137 = v131
|.0A vPushReg4 vR11 ECX             DWORD v138 = 0A
|.62 vPushReg4 vR0 EDI              DWORD v139 = v127
|.5A vPushReg4 vR1 EAX              DWORD v140 = 564D5868
|.52 vPushReg4 vR2 EBP              DWORD v141 = 8
|.42 vPushReg4 vR4 EDX              DWORD v142 = 5658
|.5A vPushReg4 vR1                  DWORD _t1909 = 564D5868
|.F3 vPushReg4 vR14                 DWORD _t1910 = 8C64333D ^ _v151
|.70 vRet                           online 0xxxxxabd; 0xxxxxabc; in eax, dx
```
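What the trace above spells out, as an added native reconstruction (this is not the post's code, and VMProtect's handler bodies are not on the page): before the vRet, the VM pushes 0 and reads FS (vReadMemFs4), pushes its own stack pointer and writes it back to FS (vWriteMemFs4), which is a hand-rolled SEH frame at the chain head FS:[0], then loads ECX = 0x0A (vR11), EAX = 0x564D5868 (vR1) and EDX = 0x5658 (vR4) and leaves the VM to run `in eax, dx`. That is the VMware backdoor I/O port call: the magic spells "VMXh", the port spells "VX", command 0x0A is GETVERSION, and VMware answers with the magic in EBX; on bare metal or under another hypervisor the privileged IN faults and the installed handler catches it. The program below does the same in C. It assumes an x86/x86-64 guest and that the fault arrives as SIGSEGV (POSIX, via sigaction/sigsetjmp) or as an SEH exception (32-bit Windows/MSVC, via __try); hex_to_ascii, backdoor_probe and vmware_backdoor_present are names chosen here, not from the page.

```c
/* Added example: native reconstruction of the VMware backdoor check that the
 * VMProtect trace encodes. Not the post's code. Assumes an x86/x86-64 guest
 * and that, outside VMware, the privileged IN raises #GP, delivered as
 * SIGSEGV (POSIX) or an SEH exception (Windows). */
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define VMWARE_MAGIC      0x564D5868  /* EAX: the hex digits spell "VMXh" */
#define VMWARE_PORT       0x5658      /* DX:  the hex digits spell "VX"   */
#define VMWARE_GETVERSION 0x0A        /* ECX: backdoor command GETVERSION */

/* Spell a constant as the ASCII its hex digits encode, most-significant byte
 * first: 0x564D5868 -> "VMXh", 0x5658 -> "VX". Useful for recognising the
 * immediates in a VMP trace. out must hold at least nbytes + 1 bytes. */
const char *hex_to_ascii(uint32_t v, int nbytes, char *out) {
    int i;
    if (nbytes > 4) nbytes = 4;
    for (i = 0; i < nbytes; i++)
        out[i] = (char)((v >> (8 * (nbytes - 1 - i))) & 0xFF);
    out[i] = '\0';
    return out;
}

#if defined(_MSC_VER) && defined(_M_IX86)
#include <windows.h>
/* Windows/MSVC (32-bit): __try installs the FS:[0] SEH frame that the VMP
 * code builds by hand with vWriteMemFs4 before its vRet to "in eax, dx". */
static int backdoor_probe(uint32_t *ebx_out) {
    uint32_t result = 0;
    __try {
        __asm {
            push ebx
            mov  eax, VMWARE_MAGIC
            xor  ebx, ebx
            mov  ecx, VMWARE_GETVERSION
            mov  edx, VMWARE_PORT
            in   eax, dx
            mov  result, ebx
            pop  ebx
        }
    } __except (EXCEPTION_EXECUTE_HANDLER) {
        *ebx_out = 0;
        return 0;               /* EXCEPTION_PRIV_INSTRUCTION: no backdoor */
    }
    *ebx_out = result;
    return 1;
}
#elif defined(__GNUC__) && (defined(__i386__) || defined(__x86_64__))
#include <setjmp.h>
#include <signal.h>
static sigjmp_buf probe_env;
static void on_fault(int sig) { (void)sig; siglongjmp(probe_env, 1); }

/* POSIX on x86: catch the #GP that IN raises from ring 3 as SIGSEGV. */
static int backdoor_probe(uint32_t *ebx_out) {
    struct sigaction sa, old_segv;
    volatile int reached = 0;

    *ebx_out = 0;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    if (sigsetjmp(probe_env, 1) == 0) {
        /* Same register contract as the trace: EAX magic, ECX command,
         * DX port; VMware returns the magic in EBX. */
        uint32_t eax = VMWARE_MAGIC, ebx = 0, ecx = VMWARE_GETVERSION;
        __asm__ volatile("inl %%dx, %%eax"
                         : "+a"(eax), "+b"(ebx), "+c"(ecx)
                         : "d"((uint32_t)VMWARE_PORT));
        *ebx_out = ebx;
        reached = 1;
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    return reached;
}
#else
/* Not x86: there is no IN instruction to probe with. */
static int backdoor_probe(uint32_t *ebx_out) { *ebx_out = 0; return 0; }
#endif

/* 1 when a VMware hypervisor answered GETVERSION with the magic in EBX,
 * 0 when IN faulted (bare metal, other hypervisors) or returned junk. */
int vmware_backdoor_present(void) {
    uint32_t ebx = 0;
    if (!backdoor_probe(&ebx)) return 0;
    return ebx == (uint32_t)VMWARE_MAGIC;
}

int main(void) {
    char magic[5], port[3];
    printf("EAX=0x%08X (\"%s\")  DX=0x%04X (\"%s\")  ECX=0x%02X\n",
           (unsigned)VMWARE_MAGIC, hex_to_ascii(VMWARE_MAGIC, 4, magic),
           (unsigned)VMWARE_PORT, hex_to_ascii(VMWARE_PORT, 2, port),
           (unsigned)VMWARE_GETVERSION);
    printf("VMware backdoor: %s\n",
           vmware_backdoor_present() ? "present" : "absent");
    return 0;
}
```

The reason the protected program never shows 0x564D5868 in a plain image scan is visible in the trace: the constant is an immediate inside VMP bytecode (`68584D56` in the vPushImm4 handler, stored little-endian), not an operand of a native `mov eax, 564D5868h`, and the `in eax, dx` only exists as the single native instruction the vRet jumps to. Scanning for the byte sequence 68 58 4D 56 or for the `in eax, dx` opcode (ED) near an FS:[0] write is therefore the more reliable static tell.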
Reply: I'm a complete newbie and can't understand this at all, but I'll show some support for the OP anyway.

Reply: The code is a bit messy; tidy it up a little.

Reply: (Just in case this gets popular, good thing I got the sofa.)

Reply: I don't understand what this means.