大致的脱壳流程还是没什么变:
1.到OEP后dump
2.生成IAT的对应关系txt
3.添加进DLL,实现跨平台
但是,IAT的处理,新版的VMP有了点变化,之前的版本,外壳是获取全部的IAT地址后,存放在某内存区域,然后进行填充;而新版的VMP的,则是获取1个,填充1个。其实也是换汤不换药的更新,只是,以前的脚本都失效了,于是只能自己动手搞一下。
首先,用fkvmp获取2条handler的地址:VM_Retn和VM_WmDs32。这2条handler的地址每个样本都不同,一会要手动修改脚本里对应的2个地址(OEP Founder里的VM_Retn,Fake IAT里的VM_WmDs32写入点和OEP/停止地址)。
具体不多说了,就给出2个脚本:
一:OEP Founder:
/*
VMProtect OEP Founder
by ximo[LCG][DFJG]
just for fun
*/
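/*
ODbgScript (OllyDbg) - locate the OEP of a VMProtect 2.07 protected target.

Run with the debuggee stopped at the packed entry point, inside an isolated
analysis VM: the protected sample is executed while this script runs.

How it works:
  1. Read the PE headers of the main module to get the address and size of
     the FIRST section (assumed to be the original code section - the usual
     layout for VMProtect-protected files; verify on your sample).
  2. Wait until the unpacker calls VirtualProtect with flNewProtect ==
     PAGE_EXECUTE_READ (0x20), i.e. the code section is being finalised.
  3. Sit on the VM_Retn handler; each time it returns, arm a memory
     breakpoint on the code section.  The first fetch whose eip lies inside
     that section is the OEP (or very close to it).

Per-sample setup: set `vm_retn` below to the VM_Retn handler address
obtained with fkvmp.  The +13 offset into VirtualProtect matches the author's
kernel32 build (at that point [esp+c] holds flNewProtect) and must be
re-derived for other Windows versions.
*/
var imagebase
var tmp
var pNtHeader
var sectionaddr
var sectionsize
var sum
var protection
var vm_retn
// VM_Retn handler (from fkvmp) - per sample
mov vm_retn, 0104f1fe
bc
bphwc
// --- locate the first section header of the main module -------------------
gmi eip, MODULEBASE
mov imagebase, $RESULT
mov tmp, imagebase
add tmp, 3c
// e_lfanew -> IMAGE_NT_HEADERS
mov pNtHeader, [tmp]
add pNtHeader, imagebase
// FileHeader.SizeOfOptionalHeader is a WORD at +0x14; mask the dword read
mov tmp, pNtHeader
add tmp, 14
mov tmp, [tmp]
and tmp, ffff
// first IMAGE_SECTION_HEADER = IMAGE_NT_HEADERS + 0x18 + SizeOfOptionalHeader
add tmp, 18
add tmp, pNtHeader
// Misc.VirtualSize at +8, VirtualAddress at +c
mov sectionsize, tmp
add sectionsize, 8
mov sectionsize, [sectionsize]
mov sectionaddr, tmp
add sectionaddr, c
mov sectionaddr, [sectionaddr]
add sectionaddr, imagebase
// sum = first byte PAST the section (exclusive bound)
mov sum, sectionaddr
add sum, sectionsize
// --- wait for VirtualProtect(..., PAGE_EXECUTE_READ, ...) -----------------
gpa "VirtualProtect", "kernel32"
cmp $RESULT, 0
je err
bp $RESULT+13
wait_protect:
esto
mov protection, [esp+c]
cmp protection, 20
je armed
jmp wait_protect
armed:
bc
rtu
// --- catch the first execution inside the code section after VM_Retn ------
find:
bp vm_retn
esto
bc
bprm sectionaddr, sectionsize
esto
bpmc
// keep going while the access came from outside [sectionaddr, sum)
cmp eip, sectionaddr
jb find
cmp eip, sum
jae find
found:
cmt eip, "this is OEP or Near OEP!"
ret
err:
msg "VirtualProtect not found in kernel32"
ret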
二:Fake IAT:
/*
VMProtect 2.07 Unpacker
by ximo[LCG][DFJG]
just for fun
*/
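/*
ODbgScript (OllyDbg) - log how VMProtect 2.07 fills the IAT one slot at a time.

Output: FkIAT.txt, one line per import, written with wrta (appended):
    <IAT slot address>,<key>,<dll name>,<api name>
where <key> = real API address - value VM_WmDs32 stores into the slot, so
real = stored + key.  (Presumably the per-entry obfuscation offset VMProtect
adds to the pointer - confirm on your sample before relying on it.)

Run inside an isolated analysis VM: the protected sample executes while this
script runs.  Per-sample setup (from fkvmp):
  writeaddr : address of `mov dword ptr ds:[eax],edx` inside VM_WmDs32
  stopaddr  : the OEP, or any address at which logging should stop
The +26 offset into CreateFileA matches the author's kernel32 build; after
`rtu` the return address is taken as the VM's API-resolving stub, which is
reached once per import with eax = resolved API address (inferred from the
original script's use of eax - verify).
*/
var getfunc
var dllname
var apiname
var writeaddr
var addr
var apiaddr
var key
var info
var stopaddr
var logfile
mov logfile, "FkIAT.txt"
/*
VM_WmDs32:
01050DA5 8910 mov dword ptr ds:[eax],edx
*/
mov writeaddr, 01050DA5
// OEP or stop script addr
mov stopaddr, 0100739d
bc
bphwc
gpa "CreateFileA", "kernel32"
cmp $RESULT, 0
je err
bp $RESULT+26
esto
bc
rtu
mov getfunc, eip
bphws getfunc, "x"
bphws stopaddr, "x"
loop:
run
cmp eip, stopaddr
je done
// only addresses OllyDbg can name are treated as imports; skip the rest
gn eax
cmp $RESULT, 0
je loop
mov apiaddr, eax
mov dllname, $RESULT_1
mov apiname, $RESULT_2
// wait for VM_WmDs32 to store the (obfuscated) pointer into the IAT slot
bp writeaddr
esto
bc writeaddr
// if the stop address fired first, nothing was stored through this handler:
// do not log a bogus entry and do not `run` past the OEP
cmp eip, writeaddr
jne done
// eax = IAT slot being written, edx = value stored
mov addr, eax
mov key, apiaddr
sub key, edx
eval "{addr},{key},{dllname},{apiname}"
mov info, $RESULT
wrta logfile, info
jmp loop
done:
bphwc
ret
err:
msg "CreateFileA not found in kernel32"
bc
bphwc
ret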