好友
阅读权限20
听众
最后登录1970-1-1
|
由于一个VMP 的程序加了 VMWare 检测,所以 想到程序镜像上找 0x564D5868 之类的,总是找不到,后来逐段分析到了,因此 记录下。并贴出来,共享下。0xxxxxxx 表示地址。
|. 00 429CA100 vPushImm4 0xxxxxxxx DWORD _t1880 = 0A19C42
|. 77 vAdd4 EXIT DWORD _t1881 = 0xxxxxxx; DWORD _t1882 = AddFlag(0A19C42, 0)# X1 z, a0 n9 Y& g' ^5 g
|. 0C vPopReg4 vR11 DWORD _t1883 = AddFlag(0xxxxxxx, 0)
|. 22 vPushReg4 vR8 DWORD _t1884 = 0
|. 25 vReadMemFs4 v133 = DWORD FS:[0]6 }6 y6 I7 a/ ` @/ P% z
|. 66 vPushVEsp DWORD _t1886 = 0FFFFF7FC4 ^1 A; Z: k0 G C: ]3 s
|. 22 vPushReg4 vR8 DWORD _t1887 = 07 W1 I, E. Z+ [
|. 09 vWriteMemFs4 DWORD FS:[0] = v134; v134 = 0FFFFF7FC
|. 84 0A vPushImmSx1 0A DWORD _t1889 = 0A
|. 0C vPopReg4 vR11 DWORD _t1890 = 0A0 b, B# T$ E, n# `0 d8 v' c- r
|. 00 68584D56 vPushImm4 564D5868 DWORD _t1891 = 564D5868
|. 5C vPopReg4 vR1 DWORD _t1892 = 564D5868
|. 01 5856 vPushImmSx2 5658 DWORD _t1893 = 5658
|. 44 vPopReg4 vR4 DWORD _t1894 = 5658
|. 00 1B3BA100 vPushImm4 0A13B1B DWORD _t1895 = 0A13B1B
|. 1A vPushReg4 vR9 DWORD _t1896 = 0
|. 77 vAdd4 DWORD _v188 = 0A13B1B; DWORD _t1898 = AddFlag(0, 0A13B1B)8 A' z: R/ }; k6 r2 k
|. 24 vPopReg4 vR8 DWORD _t1899 = AddFlag(0, 0A13B1B)
|. 32 vPushReg4 vR6 ESI DWORD v135 = v123- f. |0 W) [9 t, m& S
|. F3 vPushReg4 vR14 DWORD _t1901 = 8C64333D ^ _v151
|. 4A vPushReg4 vR3 EBX DWORD v136 = 0
|. 02 vPushReg4 vR12 EFL DWORD v137 = v131
|. 0A vPushReg4 vR11 ECX DWORD v138 = 0A& E! @9 H. ^! r* S1 C
|. 62 vPushReg4 vR0 EDI DWORD v139 = v127- B. i' {6 t- e4 i5 Y. ]+ c
|. 5A vPushReg4 vR1 EAX DWORD v140 = 564D5868+ u8 h$ a2 X3 F$ P! L
|. 52 vPushReg4 vR2 EBP DWORD v141 = 8
|. 42 vPushReg4 vR4 EDX DWORD v142 = 5658% V6 J$ h: Y* p# f1 _
|. 5A vPushReg4 vR1 DWORD _t1909 = 564D5868% F4 m, h# t/ k3 g9 y
|. F3 vPushReg4 vR14 DWORD _t1910 = 8C64333D ^ _v151/ \& p; q8 R* q5 v# ~- X! _
|. 70 vRet online 0xxxxxabd; 0xxxxxabc; in eax, dx
复制代码
|
|
发帖前要善用【论坛搜索】功能,那里可能会有你要找的答案或者已经有人发布过相同内容了,请勿重复发帖。 |
|
|
|
|
|
|
发表于 2014-8-3 10:27
