吾爱破解 - 52pojie.cn

[.NET Reverse Engineering] Analyzing a .NET CM

罗萨 posted on 2022-3-23 13:42
This post was last edited by 罗萨 on 2022-3-23 14:42

Original link: https://www.52pojie.cn/thread-1608459-1-1.html
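1. Preparation
The target is a program protected with VMP, with virtualization and code mutation enabled. The unpacking process is omitted; let's look directly at the unpacked result.
[Image: 11.png]
As you can see, all the key parts have been virtualized. I do not yet have a good solution for dealing with virtualization.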
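2. Removing the anti-debugging
timer1 contains a process-detection anti-debugging check: every 2 seconds it checks for the strings {"dnSpy", "de4dot", "64", "32", "ExtremeDumper"}. Setting the timer1 timer to false turns the detection off.
[Image: 22.png]
Modifying the file directly with de4dot wipes out the vmp section, so here I jumped straight to the hex view and made the change in c32: changing the value at 0xC98F6 to 0 is enough.
[Image: 33.png]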
3. Tracing the key
After dealing with the anti-debugging, I found a tool to help with the virtualized code. The log it generated is pasted below.
2022-03-23 13:19:42.639 +08:00 [INF] VmProtectDumperUnsafeInvoke Prefix:
2022-03-23 13:19:42.639 +08:00 [WRN] {
2022-03-23 13:19:42.640 +08:00 [VRB]         VMP MethodName: System.Void Crackme.Form1::textBox2_TextChanged(System.Object sender, System.EventArgs e) (MDToken 0x100663302)
2022-03-23 13:19:42.640 +08:00 [VRB]         MethodName: Replace
2022-03-23 13:19:42.640 +08:00 [VRB]         FullDescription: System.String System.String::Replace(System.String oldValue, System.String newValue)
2022-03-23 13:19:42.640 +08:00 [VRB]         MethodType: System.Reflection.RuntimeMethodInfo
2022-03-23 13:19:42.640 +08:00 [VRB]         Obj: "D93D3311D3NN2C9D213DC21DR1QD9234"
2022-03-23 13:19:42.640 +08:00 [VRB]         Parameter (System.String) [0]: ("0")
2022-03-23 13:19:42.640 +08:00 [VRB]         Parameter (System.String) [1]: ("D")
2022-03-23 13:19:42.641 +08:00 [VRB]         MDToken: 0x6000542
2022-03-23 13:19:42.641 +08:00 [VRB]         Return Type: System.String
2022-03-23 13:19:42.641 +08:00 [INF] VmProtectDumperUnsafeInvoke Result:
2022-03-23 13:19:42.641 +08:00 [VRB]         Returns: D93D3311D3NN2C9D213DC21DR1QD9234
2022-03-23 13:19:42.641 +08:00 [WRN] }

2022-03-23 13:19:42.641 +08:00 [INF] VmProtectDumperUnsafeInvoke Prefix:
2022-03-23 13:19:42.641 +08:00 [WRN] {
2022-03-23 13:19:42.641 +08:00 [VRB]         VMP MethodName: System.Void Crackme.Form1::textBox2_TextChanged(System.Object sender, System.EventArgs e) (MDToken 0x100663302)
2022-03-23 13:19:42.641 +08:00 [VRB]         MethodName: Replace
2022-03-23 13:19:42.641 +08:00 [VRB]         FullDescription: System.String System.String::Replace(System.String oldValue, System.String newValue)
2022-03-23 13:19:42.641 +08:00 [VRB]         MethodType: System.Reflection.RuntimeMethodInfo
2022-03-23 13:19:42.641 +08:00 [VRB]         Obj: "D93D3311D3NN2C9D213DC21DR1QD9234"
2022-03-23 13:19:42.641 +08:00 [VRB]         Parameter (System.String) [0]: ("8")
2022-03-23 13:19:42.641 +08:00 [VRB]         Parameter (System.String) [1]: ("C")
2022-03-23 13:19:42.641 +08:00 [VRB]         MDToken: 0x6000542
2022-03-23 13:19:42.642 +08:00 [VRB]         Return Type: System.String
2022-03-23 13:19:42.642 +08:00 [INF] VmProtectDumperUnsafeInvoke Result:
2022-03-23 13:19:42.642 +08:00 [VRB]         Returns: D93D3311D3NN2C9D213DC21DR1QD9234
2022-03-23 13:19:42.642 +08:00 [WRN] }

2022-03-23 13:19:42.642 +08:00 [INF] VmProtectDumperUnsafeInvoke Prefix:
2022-03-23 13:19:42.642 +08:00 [WRN] {
2022-03-23 13:19:42.642 +08:00 [VRB]         VMP MethodName: System.Void Crackme.Form1::textBox2_TextChanged(System.Object sender, System.EventArgs e) (MDToken 0x100663302)
2022-03-23 13:19:42.642 +08:00 [VRB]         MethodName: Replace
2022-03-23 13:19:42.642 +08:00 [VRB]         FullDescription: System.String System.String::Replace(System.String oldValue, System.String newValue)
2022-03-23 13:19:42.643 +08:00 [VRB]         MethodType: System.Reflection.RuntimeMethodInfo
2022-03-23 13:19:42.643 +08:00 [VRB]         Obj: "D93D3311D3NN2C9D213DC21DR1QD9234"
2022-03-23 13:19:42.643 +08:00 [VRB]         Parameter (System.String) [0]: ("7")
2022-03-23 13:19:42.643 +08:00 [VRB]         Parameter (System.String) [1]: ("N")
2022-03-23 13:19:42.643 +08:00 [VRB]         MDToken: 0x6000542
2022-03-23 13:19:42.643 +08:00 [VRB]         Return Type: System.String
2022-03-23 13:19:42.643 +08:00 [INF] VmProtectDumperUnsafeInvoke Result:
2022-03-23 13:19:42.643 +08:00 [VRB]         Returns: D93D3311D3NN2C9D213DC21DR1QD9234
2022-03-23 13:19:42.643 +08:00 [WRN] }

2022-03-23 13:19:42.643 +08:00 [INF] VmProtectDumperUnsafeInvoke Prefix:
2022-03-23 13:19:42.643 +08:00 [WRN] {
2022-03-23 13:19:42.643 +08:00 [VRB]         VMP MethodName: System.Void Crackme.Form1::textBox2_TextChanged(System.Object sender, System.EventArgs e) (MDToken 0x100663302)
2022-03-23 13:19:42.643 +08:00 [VRB]         MethodName: Replace
2022-03-23 13:19:42.643 +08:00 [VRB]         FullDescription: System.String System.String::Replace(System.String oldValue, System.String newValue)
2022-03-23 13:19:42.643 +08:00 [VRB]         MethodType: System.Reflection.RuntimeMethodInfo
2022-03-23 13:19:42.643 +08:00 [VRB]         Obj: "D93D3311D3NN2C9D213DC21DR1QD9234"
2022-03-23 13:19:42.644 +08:00 [VRB]         Parameter (System.String) [0]: ("5")
2022-03-23 13:19:42.644 +08:00 [VRB]         Parameter (System.String) [1]: ("Q")
2022-03-23 13:19:42.644 +08:00 [VRB]         MDToken: 0x6000542
2022-03-23 13:19:42.644 +08:00 [VRB]         Return Type: System.String
2022-03-23 13:19:42.644 +08:00 [INF] VmProtectDumperUnsafeInvoke Result:
2022-03-23 13:19:42.644 +08:00 [VRB]         Returns: D93D3311D3NN2C9D213DC21DR1QD9234
2022-03-23 13:19:42.644 +08:00 [WRN] }

2022-03-23 13:19:42.644 +08:00 [INF] VmProtectDumperUnsafeInvoke Prefix:
2022-03-23 13:19:42.644 +08:00 [WRN] {
2022-03-23 13:19:42.644 +08:00 [VRB]         VMP MethodName: System.Void Crackme.Form1::textBox2_TextChanged(System.Object sender, System.EventArgs e) (MDToken 0x100663302)
2022-03-23 13:19:42.644 +08:00 [VRB]         MethodName: Replace
2022-03-23 13:19:42.644 +08:00 [VRB]         FullDescription: System.String System.String::Replace(System.String oldValue, System.String newValue)
2022-03-23 13:19:42.644 +08:00 [VRB]         MethodType: System.Reflection.RuntimeMethodInfo
2022-03-23 13:19:42.644 +08:00 [VRB]         Obj: "D93D3311D3NN2C9D213DC21DR1QD9234"
2022-03-23 13:19:42.644 +08:00 [VRB]         Parameter (System.String) [0]: ("6")
2022-03-23 13:19:42.645 +08:00 [VRB]         Parameter (System.String) [1]: ("R")
2022-03-23 13:19:42.645 +08:00 [VRB]         MDToken: 0x6000542
2022-03-23 13:19:42.645 +08:00 [VRB]         Return Type: System.String
2022-03-23 13:19:42.645 +08:00 [INF] VmProtectDumperUnsafeInvoke Result:
2022-03-23 13:19:42.645 +08:00 [VRB]         Returns: D93D3311D3NN2C9D213DC21DR1QD9234
2022-03-23 13:19:42.645 +08:00 [WRN] }

2022-03-23 13:19:42.645 +08:00 [INF] VmProtectDumperUnsafeInvoke Prefix:
2022-03-23 13:19:42.645 +08:00 [WRN] {
2022-03-23 13:19:42.645 +08:00 [VRB]         VMP MethodName: System.Void Crackme.Form1::textBox2_TextChanged(System.Object sender, System.EventArgs e) (MDToken 0x100663302)
2022-03-23 13:19:42.645 +08:00 [VRB]         MethodName: Replace
2022-03-23 13:19:42.645 +08:00 [VRB]         FullDescription: System.String System.String::Replace(System.String oldValue, System.String newValue)
2022-03-23 13:19:42.645 +08:00 [VRB]         MethodType: System.Reflection.RuntimeMethodInfo
2022-03-23 13:19:42.645 +08:00 [VRB]         Obj: "D93D3311D3NN2C9D213DC21DR1QD9234"
2022-03-23 13:19:42.645 +08:00 [VRB]         Parameter (System.String) [0]: ("L")
2022-03-23 13:19:42.645 +08:00 [VRB]         Parameter (System.String) [1]: ("4")
2022-03-23 13:19:42.646 +08:00 [VRB]         MDToken: 0x6000542
2022-03-23 13:19:42.646 +08:00 [VRB]         Return Type: System.String
2022-03-23 13:19:42.646 +08:00 [INF] VmProtectDumperUnsafeInvoke Result:
2022-03-23 13:19:42.646 +08:00 [VRB]         Returns: D93D3311D3NN2C9D213DC21DR1QD9234
2022-03-23 13:19:42.646 +08:00 [WRN] }

2022-03-23 13:19:42.646 +08:00 [INF] VmProtectDumperUnsafeInvoke Prefix:
2022-03-23 13:19:42.646 +08:00 [WRN] {
2022-03-23 13:19:42.646 +08:00 [VRB]         VMP MethodName: System.Void Crackme.Form1::textBox2_TextChanged(System.Object sender, System.EventArgs e) (MDToken 0x100663302)
2022-03-23 13:19:42.646 +08:00 [VRB]         MethodName: Replace
2022-03-23 13:19:42.646 +08:00 [VRB]         FullDescription: System.String System.String::Replace(System.String oldValue, System.String newValue)
2022-03-23 13:19:42.646 +08:00 [VRB]         MethodType: System.Reflection.RuntimeMethodInfo
2022-03-23 13:19:42.646 +08:00 [VRB]         Obj: "D93D3311D3NN2C9D213DC21DR1QD9234"
2022-03-23 13:19:42.646 +08:00 [VRB]         Parameter (System.String) [0]: ("A")
2022-03-23 13:19:42.646 +08:00 [VRB]         Parameter (System.String) [1]: ("2")
2022-03-23 13:19:42.646 +08:00 [VRB]         MDToken: 0x6000542
2022-03-23 13:19:42.647 +08:00 [VRB]         Return Type: System.String
2022-03-23 13:19:42.647 +08:00 [INF] VmProtectDumperUnsafeInvoke Result:
2022-03-23 13:19:42.647 +08:00 [VRB]         Returns: D93D3311D3NN2C9D213DC21DR1QD9234
2022-03-23 13:19:42.647 +08:00 [WRN] }

2022-03-23 13:19:42.647 +08:00 [INF] VmProtectDumperUnsafeInvoke Prefix:
2022-03-23 13:19:42.647 +08:00 [WRN] {
2022-03-23 13:19:42.647 +08:00 [VRB]         VMP MethodName: System.Void Crackme.Form1::textBox2_TextChanged(System.Object sender, System.EventArgs e) (MDToken 0x100663302)
2022-03-23 13:19:42.647 +08:00 [VRB]         MethodName: Replace
2022-03-23 13:19:42.647 +08:00 [VRB]         FullDescription: System.String System.String::Replace(System.String oldValue, System.String newValue)
2022-03-23 13:19:42.647 +08:00 [VRB]         MethodType: System.Reflection.RuntimeMethodInfo
2022-03-23 13:19:42.647 +08:00 [VRB]         Obj: "D93D3311D3NN2C9D213DC21DR1QD9234"
2022-03-23 13:19:42.647 +08:00 [VRB]         Parameter (System.String) [0]: ("B")
2022-03-23 13:19:42.647 +08:00 [VRB]         Parameter (System.String) [1]: ("3")
2022-03-23 13:19:42.647 +08:00 [VRB]         MDToken: 0x6000542
2022-03-23 13:19:42.647 +08:00 [VRB]         Return Type: System.String
2022-03-23 13:19:42.648 +08:00 [INF] VmProtectDumperUnsafeInvoke Result:
2022-03-23 13:19:42.648 +08:00 [VRB]         Returns: D93D3311D3NN2C9D213DC21DR1QD9234
2022-03-23 13:19:42.648 +08:00 [WRN] }

2022-03-23 13:19:42.648 +08:00 [INF] VmProtectDumperUnsafeInvoke Prefix:
2022-03-23 13:19:42.648 +08:00 [WRN] {
2022-03-23 13:19:42.648 +08:00 [VRB]         VMP MethodName: System.Void Crackme.Form1::textBox2_TextChanged(System.Object sender, System.EventArgs e) (MDToken 0x100663302)
2022-03-23 13:19:42.648 +08:00 [VRB]         MethodName: Replace
2022-03-23 13:19:42.648 +08:00 [VRB]         FullDescription: System.String System.String::Replace(System.String oldValue, System.String newValue)
2022-03-23 13:19:42.648 +08:00 [VRB]         MethodType: System.Reflection.RuntimeMethodInfo
2022-03-23 13:19:42.648 +08:00 [VRB]         Obj: "D93D3311D3NN2C9D213DC21DR1QD9234"
2022-03-23 13:19:42.648 +08:00 [VRB]         Parameter (System.String) [0]: ("E")
2022-03-23 13:19:42.648 +08:00 [VRB]         Parameter (System.String) [1]: ("0")
2022-03-23 13:19:42.648 +08:00 [VRB]         MDToken: 0x6000542
2022-03-23 13:19:42.648 +08:00 [VRB]         Return Type: System.String
2022-03-23 13:19:42.649 +08:00 [INF] VmProtectDumperUnsafeInvoke Result:
2022-03-23 13:19:42.649 +08:00 [VRB]         Returns: D93D3311D3NN2C9D213DC21DR1QD9234
2022-03-23 13:19:42.649 +08:00 [WRN] }

2022-03-23 13:19:42.649 +08:00 [INF] VmProtectDumperUnsafeInvoke Prefix:
2022-03-23 13:19:42.649 +08:00 [WRN] {
2022-03-23 13:19:42.649 +08:00 [VRB]         VMP MethodName: System.Void Crackme.Form1::textBox2_TextChanged(System.Object sender, System.EventArgs e) (MDToken 0x100663302)
2022-03-23 13:19:42.649 +08:00 [VRB]         MethodName: Replace
2022-03-23 13:19:42.649 +08:00 [VRB]         FullDescription: System.String System.String::Replace(System.String oldValue, System.String newValue)
2022-03-23 13:19:42.649 +08:00 [VRB]         MethodType: System.Reflection.RuntimeMethodInfo
2022-03-23 13:19:42.649 +08:00 [VRB]         Obj: "D93D3311D3NN2C9D213DC21DR1QD9234"
2022-03-23 13:19:42.649 +08:00 [VRB]         Parameter (System.String) [0]: ("F")
2022-03-23 13:19:42.649 +08:00 [VRB]         Parameter (System.String) [1]: ("1")
2022-03-23 13:19:42.649 +08:00 [VRB]         MDToken: 0x6000542
2022-03-23 13:19:42.649 +08:00 [VRB]         Return Type: System.String
2022-03-23 13:19:42.649 +08:00 [INF] VmProtectDumperUnsafeInvoke Result:
2022-03-23 13:19:42.650 +08:00 [VRB]         Returns: D93D3311D3NN2C9D213DC21DR1QD9234
2022-03-23 13:19:42.650 +08:00 [WRN] }

2022-03-23 13:19:42.650 +08:00 [INF] VmProtectDumperUnsafeInvoke Prefix:
2022-03-23 13:19:42.650 +08:00 [WRN] {
2022-03-23 13:19:42.650 +08:00 [VRB]         VMP MethodName: System.Void Crackme.Form1::textBox2_TextChanged(System.Object sender, System.EventArgs e) (MDToken 0x100663302)
2022-03-23 13:19:42.650 +08:00 [VRB]         MethodName: Replace
2022-03-23 13:19:42.650 +08:00 [VRB]         FullDescription: System.String System.String::Replace(System.String oldValue, System.String newValue)
2022-03-23 13:19:42.650 +08:00 [VRB]         MethodType: System.Reflection.RuntimeMethodInfo
2022-03-23 13:19:42.650 +08:00 [VRB]         Obj: "D93D3311D3NN2C9D213DC21DR1QD9234"
2022-03-23 13:19:42.650 +08:00 [VRB]         Parameter (System.String) [0]: ("M")
2022-03-23 13:19:42.650 +08:00 [VRB]         Parameter (System.String) [1]: ("9")
2022-03-23 13:19:42.651 +08:00 [VRB]         MDToken: 0x6000542
2022-03-23 13:19:42.651 +08:00 [VRB]         Return Type: System.String
2022-03-23 13:19:42.651 +08:00 [INF] VmProtectDumperUnsafeInvoke Result:
2022-03-23 13:19:42.651 +08:00 [VRB]         Returns: D93D3311D3NN2C9D213DC21DR1QD9234
2022-03-23 13:19:42.651 +08:00 [WRN] }

2022-03-23 13:19:42.651 +08:00 [INF] VmProtectDumperUnsafeInvoke Prefix:
2022-03-23 13:19:42.651 +08:00 [WRN] {
2022-03-23 13:19:42.651 +08:00 [VRB]         VMP MethodName: System.Void Crackme.Form1::textBox2_TextChanged(System.Object sender, System.EventArgs e) (MDToken 0x100663302)
2022-03-23 13:19:42.651 +08:00 [VRB]         MethodName: ToArray
2022-03-23 13:19:42.651 +08:00 [VRB]         FullDescription: static System.Char[] System.Linq.Enumerable::ToArray(System.Collections.Generic.IEnumerable`1<System.Char> source)
2022-03-23 13:19:42.651 +08:00 [VRB]         MethodType: System.Reflection.RuntimeMethodInfo
2022-03-23 13:19:42.651 +08:00 [VRB]         Parameter (System.String) [0]: ("D93D3311D3NN2C9D213DC21DR1QD9234")
2022-03-23 13:19:42.651 +08:00 [VRB]         MDToken: 0x6000B6F
2022-03-23 13:19:42.651 +08:00 [VRB]         Return Type: System.Char[]
2022-03-23 13:19:42.652 +08:00 [INF] VmProtectDumperUnsafeInvoke Result:
2022-03-23 13:19:42.652 +08:00 [VRB]         Returns: ["D","9","3","D","3","3","1","1","D","3","N","N","2","C","9","D","2","1","3","D","C","2","1","D","R","1","Q","D","9","2","3","4"]
2022-03-23 13:19:42.652 +08:00 [WRN] }

2022-03-23 13:19:42.652 +08:00 [INF] VmProtectDumperUnsafeInvoke Prefix:
2022-03-23 13:19:42.652 +08:00 [WRN] {
2022-03-23 13:19:42.652 +08:00 [VRB]         VMP MethodName: System.Void Crackme.Form1::textBox2_TextChanged(System.Object sender, System.EventArgs e) (MDToken 0x100663302)
2022-03-23 13:19:42.652 +08:00 [VRB]         MethodName: get_Length
2022-03-23 13:19:42.652 +08:00 [VRB]         FullDescription: System.Int32 System.String::get_Length()
2022-03-23 13:19:42.652 +08:00 [VRB]         MethodType: System.Reflection.RuntimeMethodInfo
2022-03-23 13:19:42.652 +08:00 [VRB]         Obj: "D93D3311D3NN2C9D213DC21DR1QD9234"
2022-03-23 13:19:42.653 +08:00 [VRB]         MDToken: 0x60004D2
2022-03-23 13:19:42.653 +08:00 [VRB]         Return Type: System.Int32
2022-03-23 13:19:42.653 +08:00 [INF] VmProtectDumperUnsafeInvoke Result:
2022-03-23 13:19:42.653 +08:00 [VRB]         Returns: 32
2022-03-23 13:19:42.653 +08:00 [WRN] }

2022-03-23 13:19:42.653 +08:00 [INF] VmProtectDumperUnsafeInvoke Prefix:
2022-03-23 13:19:42.653 +08:00 [WRN] {
2022-03-23 13:19:42.653 +08:00 [VRB]         VMP MethodName: System.Void Crackme.Form1::textBox2_TextChanged(System.Object sender, System.EventArgs e) (MDToken 0x100663302)
2022-03-23 13:19:42.653 +08:00 [VRB]         MethodName: smethod_0
2022-03-23 13:19:42.653 +08:00 [VRB]         FullDescription: static System.Void 7B4E5853::smethod_0(System.Array array_0, System.Int32 int_0, System.Int32 int_1)
2022-03-23 13:19:42.653 +08:00 [VRB]         MethodType: System.Reflection.RuntimeMethodInfo
2022-03-23 13:19:42.653 +08:00 [VRB]         Parameter (System.Char[]) [0]: (Char[] {D, 9, 3, D, 3, 3, 1, 1, D, 3, N, N, 2, C, 9, D, 2, 1, 3, D, C, 2, 1, D, R, 1, Q, D, 9, 2, 3, 4})
2022-03-23 13:19:42.653 +08:00 [VRB]         Parameter (System.Int32) [1]: (0)
2022-03-23 13:19:42.653 +08:00 [VRB]         Parameter (System.Int32) [2]: (32)
2022-03-23 13:19:42.654 +08:00 [VRB]         MDToken: 0x6000094
2022-03-23 13:19:42.654 +08:00 [VRB]         Return Type: System.Void
2022-03-23 13:19:42.654 +08:00 [INF] VmProtectDumperUnsafeInvoke Result:
2022-03-23 13:19:42.654 +08:00 [VRB]         Returns: null
2022-03-23 13:19:42.654 +08:00 [WRN] }

2022-03-23 13:19:42.654 +08:00 [INF] VmProtectDumperUnsafeInvoke Prefix:
2022-03-23 13:19:42.654 +08:00 [WRN] {
2022-03-23 13:19:42.654 +08:00 [VRB]         VMP MethodName: System.Void Crackme.Form1::textBox2_TextChanged(System.Object sender, System.EventArgs e) (MDToken 0x100663302)
2022-03-23 13:19:42.654 +08:00 [VRB]         MethodName: smethod_0
2022-03-23 13:19:42.654 +08:00 [VRB]         FullDescription: static System.Object 37891AB0::smethod_0()
2022-03-23 13:19:42.654 +08:00 [VRB]         MethodType: System.Reflection.RuntimeMethodInfo
2022-03-23 13:19:42.654 +08:00 [VRB]         MDToken: 0x6000049
2022-03-23 13:19:42.654 +08:00 [VRB]         Return Type: System.Object
2022-03-23 13:19:42.654 +08:00 [INF] VmProtectDumperUnsafeInvoke Result:
2022-03-23 13:19:42.654 +08:00 [VRB]         Returns: 
2022-03-23 13:19:42.655 +08:00 [WRN] }

2022-03-23 13:19:42.657 +08:00 [INF] VmProtectDumperUnsafeInvoke Prefix:
2022-03-23 13:19:42.657 +08:00 [WRN] {
2022-03-23 13:19:42.657 +08:00 [VRB]         VMP MethodName: System.Void Crackme.Form1::textBox2_TextChanged(System.Object sender, System.EventArgs e) (MDToken 0x100663302)
2022-03-23 13:19:42.657 +08:00 [VRB]         MethodName: smethod_0
2022-03-23 13:19:42.657 +08:00 [VRB]         FullDescription: static System.Text.StringBuilder 1C814297::smethod_0(System.Object object_0, System.Char[] char_0)
2022-03-23 13:19:42.657 +08:00 [VRB]         MethodType: System.Reflection.RuntimeMethodInfo
2022-03-23 13:19:42.658 +08:00 [VRB]         Parameter (System.Text.StringBuilder) [0]: ()
2022-03-23 13:19:42.658 +08:00 [VRB]         Parameter (System.Char[]) [1]: (Char[] {4, 3, 2, 9, D, Q, 1, R, D, 1, 2, C, D, 3, 1, 2, D, 9, C, 2, N, N, 3, D, 1, 1, 3, 3, D, 3, 9, D})
2022-03-23 13:19:42.658 +08:00 [VRB]         MDToken: 0x6000040
2022-03-23 13:19:42.658 +08:00 [VRB]         Return Type: System.Text.StringBuilder
2022-03-23 13:19:42.658 +08:00 [INF] VmProtectDumperUnsafeInvoke Result:
2022-03-23 13:19:42.658 +08:00 [VRB]         Returns: 4329DQ1RD12CD312D9C2NN3D1133D39D
2022-03-23 13:19:42.658 +08:00 [WRN] }

2022-03-23 13:19:42.658 +08:00 [INF] VmProtectDumperUnsafeInvoke Prefix:
2022-03-23 13:19:42.658 +08:00 [WRN] {
2022-03-23 13:19:42.659 +08:00 [VRB]         VMP MethodName: System.Void Crackme.Form1::textBox2_TextChanged(System.Object sender, System.EventArgs e) (MDToken 0x100663302)
2022-03-23 13:19:42.659 +08:00 [VRB]         MethodName: ToString
2022-03-23 13:19:42.659 +08:00 [VRB]         FullDescription: virtual System.String System.Object::ToString()
2022-03-23 13:19:42.659 +08:00 [VRB]         MethodType: System.Reflection.RuntimeMethodInfo
2022-03-23 13:19:42.659 +08:00 [VRB]         Obj: 4329DQ1RD12CD312D9C2NN3D1133D39D
2022-03-23 13:19:42.659 +08:00 [VRB]         MDToken: 0x600022A
2022-03-23 13:19:42.659 +08:00 [VRB]         Return Type: System.String
2022-03-23 13:19:42.659 +08:00 [INF] VmProtectDumperUnsafeInvoke Result:
2022-03-23 13:19:42.659 +08:00 [VRB]         Returns: 4329DQ1RD12CD312D9C2NN3D1133D39D
2022-03-23 13:19:42.659 +08:00 [WRN] }

2022-03-23 13:19:42.659 +08:00 [INF] VmProtectDumperUnsafeInvoke Prefix:
2022-03-23 13:19:42.659 +08:00 [WRN] {
2022-03-23 13:19:42.659 +08:00 [VRB]         VMP MethodName: System.Void Crackme.Form1::textBox2_TextChanged(System.Object sender, System.EventArgs e) (MDToken 0x100663302)
2022-03-23 13:19:42.660 +08:00 [VRB]         MethodName: smethod_0
2022-03-23 13:19:42.660 +08:00 [VRB]         FullDescription: static System.String 680A5711::smethod_0(System.Object object_0)
2022-03-23 13:19:42.660 +08:00 [VRB]         MethodType: System.Reflection.RuntimeMethodInfo
2022-03-23 13:19:42.660 +08:00 [VRB]         Parameter (System.Windows.Forms.TextBox) [0]: (System.Windows.Forms.TextBox, Text: 1245)
2022-03-23 13:19:42.660 +08:00 [VRB]         MDToken: 0x6000022
2022-03-23 13:19:42.660 +08:00 [VRB]         Return Type: System.String
2022-03-23 13:19:42.660 +08:00 [INF] VmProtectDumperUnsafeInvoke Result:
2022-03-23 13:19:42.660 +08:00 [VRB]         Returns: 1245
2022-03-23 13:19:42.660 +08:00 [WRN] }

2022-03-23 13:19:42.660 +08:00 [INF] VmProtectDumperUnsafeInvoke Prefix:
2022-03-23 13:19:42.660 +08:00 [WRN] {
2022-03-23 13:19:42.660 +08:00 [VRB]         VMP MethodName: System.Void Crackme.Form1::textBox2_TextChanged(System.Object sender, System.EventArgs e) (MDToken 0x100663302)
2022-03-23 13:19:42.660 +08:00 [VRB]         MethodName: smethod_0
2022-03-23 13:19:42.660 +08:00 [VRB]         FullDescription: static System.Boolean 094923F6::smethod_0(System.String string_0, System.String string_1)
2022-03-23 13:19:42.661 +08:00 [VRB]         MethodType: System.Reflection.RuntimeMethodInfo
2022-03-23 13:19:42.661 +08:00 [VRB]         Parameter (System.String) [0]: ("1245")
2022-03-23 13:19:42.661 +08:00 [VRB]         Parameter (System.String) [1]: ("4329DQ1RD12CD312D9C2NN3D1133D39D")
2022-03-23 13:19:42.661 +08:00 [VRB]         MDToken: 0x600003A
2022-03-23 13:19:42.661 +08:00 [VRB]         Return Type: System.Boolean
2022-03-23 13:19:42.661 +08:00 [INF] VmProtectDumperUnsafeInvoke Result:
2022-03-23 13:19:42.661 +08:00 [VRB]         Returns: false
2022-03-23 13:19:42.661 +08:00 [WRN] }


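My machine code is 4B29D5F6EFA8EB1AE98277BE1FB30B90, and the correct key for it is D93D3311D3NN2C9D213DC21DR1QD9234
[Image: 44.png]
4. Analyzing the algorithm
With the help of the tool's log the analysis should not be hard, so I will just paste the finished keygen algorithm.

First, the machine-code algorithm:
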
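    // Members of the Form1 class. Required namespaces:
    // using System;
    // using System.Management;              // ManagementClass, ManagementObject (WMI)
    // using System.Security.Cryptography;   // MD5CryptoServiceProvider
    // using System.Text;                    // Encoding

    // Returns the MAC address of the last IP-enabled network adapter,
    // with ':' replaced by '-' (null if no adapter is IP-enabled).
    public string doIt()
    {
        string text = null;
        foreach (ManagementBaseObject managementBaseObject in new ManagementClass("Win32_NetworkAdapterConfiguration").GetInstances())
        {
            ManagementObject managementObject = (ManagementObject)managementBaseObject;
            if (Convert.ToBoolean(managementObject["IPEnabled"]))
            {
                text = managementObject["MacAddress"].ToString();
                text = text.Replace(':', '-');
            }
            managementObject.Dispose();
        }
        return text;
    }

    // Returns the MD5 of the UTF-8 bytes of str as upper-case hex without separators.
    public string run(string str)
    {
        return BitConverter.ToString(new MD5CryptoServiceProvider().ComputeHash(Encoding.UTF8.GetBytes(str))).Replace("-", "");
    }

    // The machine code shown in textBox1 is the MD5 of the MAC address with the '-' removed.
    private void Form1_Load(object sender, EventArgs e)
    {
        textBox1.Text = run(doIt().Replace("-", ""));
    }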


Below is the keygen algorithm:

    // Applies the substitutions seen in the log to the machine code in textBox1,
    // in the same order, then writes the reversed result to textBox2.
    private void button1_Click(object sender, EventArgs e)
    {
        string text;
        text = textBox1.Text.Replace("0", "D");
        text = text.Replace("8", "C");
        text = text.Replace("7", "N");
        text = text.Replace("5", "Q");
        text = text.Replace("6", "R");
        text = text.Replace("L", "4");
        text = text.Replace("A", "2");
        text = text.Replace("B", "3");
        text = text.Replace("E", "0");
        text = text.Replace("F", "1");
        text = text.Replace("M", "9");

        textBox2.Text = ReverseA(text);
    }

    // Returns text with its characters in reverse order.
    public string ReverseA(string text)
    {
        char[] cArray = text.ToCharArray();
        string reverse = String.Empty;
        for (int i = cArray.Length - 1; i > -1; i--)
        {
            reverse += cArray[i];
        }
        return reverse;
    }




Done @Domado

[Image: QQ截图20220323132534.png]
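An added example (not code from the original post or from the tracing tool): a Python parser for the log layout shown in section 3 that recovers the `String.Replace` chain and replays it over the machine code quoted in the post, to check the result against the second operand of the final comparison. The sample trace is rebuilt from values in the post's log with the unused fields left out; `_rec`, `parse_trace`, `replace_chain`, `apply_chain` and `replay` are names chosen here.

```python
import re

MACHINE_CODE = "4B29D5F6EFA8EB1AE98277BE1FB30B90"    # machine code quoted in the post
LOGGED_OBJ = "D93D3311D3NN2C9D213DC21DR1QD9234"      # Obj/Returns of every logged Replace
LOGGED_OPERAND = "4329DQ1RD12CD312D9C2NN3D1133D39D"  # 2nd argument of the final comparison
PAIRS = "0D 8C 7N 5Q 6R L4 A2 B3 E0 F1 M9".split()   # Replace arguments, in log order
TS = "2022-03-23 13:19:42.639 +08:00"

def _rec(method, params, ret, obj=None):
    """One record in the log's layout (constructed sample, unused fields omitted)."""
    body = [f"MethodName: {method}"] + ([f'Obj: "{obj}"'] if obj else [])
    body += [f'Parameter (System.String) [{i}]: ("{p}")' for i, p in enumerate(params)]
    head = [f"{TS} [INF] VmProtectDumperUnsafeInvoke Prefix:", f"{TS} [WRN] {{"]
    tail = [f"{TS} [INF] VmProtectDumperUnsafeInvoke Result:",
            f"{TS} [VRB]         Returns: {ret}", f"{TS} [WRN] }}", ""]
    return "\n".join(head + [f"{TS} [VRB]         {b}" for b in body] + tail) + "\n"

SAMPLE = "".join(_rec("Replace", list(p), LOGGED_OBJ, obj=LOGGED_OBJ) for p in PAIRS)
SAMPLE += _rec("smethod_0", ["1245", LOGGED_OPERAND], "false")

LINE = re.compile(r"^\S+ \S+ \S+ \[\w+\]\s+(.*)$")   # date, time, zone, [level], payload
PARAM = re.compile(r"^Parameter \((.+?)\) \[\d+\]: \((.*)\)$")

def parse_trace(text):
    """Split the log into call records: method, obj, params, returns."""
    calls, cur = [], None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        payload = m.group(1).strip()
        if payload.endswith("Invoke Prefix:"):
            cur = {"method": None, "obj": None, "params": [], "returns": None}
        elif cur is None:
            continue
        elif payload.startswith("MethodName: "):     # not the "VMP MethodName" line
            cur["method"] = payload.split(": ", 1)[1]
        elif payload.startswith("Obj: "):
            cur["obj"] = payload[5:].strip('"')
        elif payload.startswith("Returns:"):
            cur["returns"] = payload[8:].strip()
        elif payload == "}":
            calls.append(cur)
            cur = None
        elif (p := PARAM.match(payload)):
            cur["params"].append(p.group(2).strip('"'))
    return calls

def replace_chain(calls):
    """(old, new) pairs of the logged String.Replace calls, in call order."""
    return [tuple(c["params"]) for c in calls
            if c["method"] == "Replace" and len(c["params"]) == 2]

def apply_chain(s, chain, passes=1):
    """Apply the whole substitution chain to s, `passes` times in a row."""
    for _ in range(passes):
        for old, new in chain:
            s = s.replace(old, new)
    return s

def replay(text, machine_code):
    """Replay the logged chain over the machine code and compare with the trace."""
    calls = parse_trace(text)
    chain = replace_chain(calls)
    # The comparison is the call that returned a boolean; its 2nd argument is the target.
    target = next(c["params"][1] for c in calls
                  if c["returns"] in ("true", "false") and len(c["params"]) == 2)
    return {
        "chain": chain,
        "replace_was_noop": all(c["obj"] == c["returns"] for c in calls if c["method"] == "Replace"),
        "one_pass": apply_chain(machine_code, chain, 1),
        "two_passes": apply_chain(machine_code, chain, 2),
        "target": target,
    }

if __name__ == "__main__":
    for key, value in replay(SAMPLE, MACHINE_CODE).items():
        print(f"{key:17} {value}")
```

For the machine code in the post, one pass of the chain leaves `0` at the four positions where the logged operand has `D`, and a second pass reproduces the operand exactly. The logged `Obj` of the Replace calls is that operand reversed, and none of the eleven Replace calls changes it.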


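evea posted on 2022-3-23 17:35
https://github.com/void-stack/VMUnprotect

byh3025 posted on 2022-3-23 18:37
> bigharvest posted on 2022-3-23 17:26
> It looks like this tool hooks all .NET methods and their return values, similar to frida. Could you tell us what tool it is?

A VMP analysis helper tool; it has already been posted on floor 21.

kds0221 posted on 2022-3-23 13:46

byh3025 posted on 2022-3-23 13:46
Actually, we would still like to see the unpacking process.

loopg posted on 2022-3-23 13:46
Didn't learn anything.

桴止 posted on 2022-3-23 13:52
Learning from this, thanks OP.

wqs0987 posted on 2022-3-23 14:03
Thanks for the selfless sharing.

byh3025 posted on 2022-3-23 14:19
Mine should be the real key too, so why is there no response?
[Image: 捕获.PNG]

OP | 罗萨 posted on 2022-3-23 14:24
> byh3025 posted on 2022-3-23 14:19
> Mine should be the real key too, so why is there no response?

Output it in reverse order.

hsctest posted on 2022-3-23 14:37
vmp method, does VMP support .NET now?

spiritffff posted on 2022-3-23 14:38
Thanks for sharing.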