好友
阅读权限20
听众
最后登录1970-1-1
|
冷月孤心
发表于 2019-2-27 17:58
本帖最后由 冷月孤心 于 2019-3-1 01:17 编辑
1.简介:
无源码给软件添加VMP授权 。思路与工具来自这里https://bbs.pediy.com/thread-204563.htm。参考了大神的思路。借用了这个文件的代码段。
用到函数如下,有部分函数文件里没有,那就全部添加了吧。也可以查软件里面包含哪个函数,如果都有的话,只添加VMProtectSDK32.dllVMProtectGetCurrentHWID VMProtectSetSerialNumber两个就好。
用到函数如下 :VMProtectSDK32.VMPro>; VMProtec. VMProtectSetSerialNumber
VMProtectSDK32.VMPro>; VMProtec.VMProtectGetCurrentHWIDUSER32.CloseClipboar>; user32.CloseClipboarduser32.EmptyClipboar>; user32.EmptyClipboarduser32.MessageBoxA>] ; user32.MessageBoxAUSER32.OpenClipboard>; user32.OpenClipboarduser32.SetClipboardD>; user32.SetClipboardDatakernel32.ExitProcess>; kernel32.ExitProcesskernel32.GlobalAlloc>; kernel32.GlobalAllocKERNEL32.GlobalLock>>; kernel32.GlobalLockKERNEL32.GlobalUnloc>; kernel32.GlobalUnlock
2.注意事项:
测试发现,要先添加空区段再添加输入表函数,如果空区段添加在最后,各种问题就来了。如果仔细看就发现新的OEP了,需要修正的内存地址都注释了。
检测机器码的代码要写在检测授权文件代码之前。否则走完检测授权的代码后某个内存地址会被修改,从而导致出错。我是写在新添加的区段起始位置了。
也就是说要第二段要写在第一段之前。
3.开工吧!检测授权文件
第一段代码,读取注册文件及内容,有则跳向VMP壳授权校验代码,没有注册文件及内容则跳向下一段取硬件码。利用GetPrivateProfileStringA 取授权字符, VMProtectSetSerialNumber检测授权文件存在与否可以偷懒二进制粘贴上,再修改
第一段代码十六进制:
33 C9 64 A1 30 00 00 00 8B 40 0C 8B 70 1C 8B 46 08 8B 7E 20 8B 36 66 39 4F 18 75 F2 8B D0 8B 42
3C 8B 44 10 78 03 C2 8B 70 20 03 F2 68 73 73 00 00 68 64 64 72 65 68 72 6F 63 41 68 47 65 74 50
54 33 C9 8B 3E 03 FA 56 8B 74 24 04 51 B9 0F 00 00 00 F3 A6 74 0B 59 5E 83 C6 04 41 3B 48 18 72
E2 59 8B 70 24 03 F2 0F B7 0C 4E 8B 70 1C 03 F2 8B 34 8E 03 F2 8B FA 6A 00 68 61 72 79 41 68 4C
69 62 72 68 4C 6F 61 64 54 52 FF D6 E8 0D 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 5B 53
FF D0 E8 19 00 00 00 47 65 74 50 72 69 76 61 74 65 50 72 6F 66 69 6C 65 53 74 72 69 6E 67 41 00
5B 53 50 FF D6 E8 0A 00 00 00 2E 5C 4B 65 79 2E 64 61 74 00 5B 53 68 56 02 00 00 E8 00 00 00 00
5B 83 C3 50 53 6A 00 E8 04 00 00 00 4C 69 63 00 5B 53 E8 09 00 00 00 CA DA C8 A8 CE C4 BC FE 00
5B 53 FF D0 8B 44 24 F4 E8 07 00 00 00 90 FF 25 48 10 82 00 80 38 00 0F 84 5D FE FF FF 5B 50 FF
D3 68 BC 38 5C 00 C3
汇编代码如下:
[Asm] 纯文本查看 复制代码 0081E150 >/$ 33C9 xor ecx,ecx //新的OEP
0081E152 |. 64:A1 3000000>mov eax,dword ptr fs:[0x30]
0081E158 |. 8B40 0C mov eax,dword ptr ds:[eax+0xC]
0081E15B |. 8B70 1C mov esi,dword ptr ds:[eax+0x1C]
0081E15E |> 8B46 08 /mov eax,dword ptr ds:[esi+0x8]
0081E161 |. 8B7E 20 |mov edi,dword ptr ds:[esi+0x20]
0081E164 |. 8B36 |mov esi,dword ptr ds:[esi]
0081E166 |. 66:394F 18 |cmp word ptr ds:[edi+0x18],cx
0081E16A |.^ 75 F2 \jnz short ZZZX.0081E15E
0081E16C |. 8BD0 mov edx,eax
0081E16E |. 8B42 3C mov eax,dword ptr ds:[edx+0x3C]
0081E171 |. 8B4410 78 mov eax,dword ptr ds:[eax+edx+0x78]
0081E175 |. 03C2 add eax,edx
0081E177 |. 8B70 20 mov esi,dword ptr ds:[eax+0x20]
0081E17A |. 03F2 add esi,edx
0081E17C |. 68 73730000 push 0x7373
0081E181 |. 68 64647265 push 0x65726464
0081E186 |. 68 726F6341 push 0x41636F72
0081E18B |. 68 47657450 push 0x50746547
0081E190 |. 54 push esp
0081E191 |. 33C9 xor ecx,ecx
0081E193 |> 8B3E /mov edi,dword ptr ds:[esi]
0081E195 |. 03FA |add edi,edx
0081E197 |. 56 |push esi
0081E198 |. 8B7424 04 |mov esi,dword ptr ss:[esp+0x4]
0081E19C |. 51 |push ecx
0081E19D |. B9 0F000000 |mov ecx,0xF
0081E1A2 |. F3:A6 |repe cmps byte ptr es:[edi],byte ptr ds>
0081E1A4 |. 74 0B |je short ZZZX.0081E1B1
0081E1A6 |. 59 |pop ecx
0081E1A7 |. 5E |pop esi
0081E1A8 |. 83C6 04 |add esi,0x4
0081E1AB |. 41 |inc ecx
0081E1AC |. 3B48 18 |cmp ecx,dword ptr ds:[eax+0x18]
0081E1AF |.^ 72 E2 \jb short ZZZX.0081E193
0081E1B1 |> 59 pop ecx
0081E1B2 |. 8B70 24 mov esi,dword ptr ds:[eax+0x24]
0081E1B5 |. 03F2 add esi,edx
0081E1B7 |. 0FB70C4E movzx ecx,word ptr ds:[esi+ecx*2]
0081E1BB |. 8B70 1C mov esi,dword ptr ds:[eax+0x1C]
0081E1BE |. 03F2 add esi,edx
0081E1C0 |. 8B348E mov esi,dword ptr ds:[esi+ecx*4]
0081E1C3 |. 03F2 add esi,edx
0081E1C5 |. 8BFA mov edi,edx
0081E1C7 |. 6A 00 push 0x0
0081E1C9 |. 68 61727941 push 0x41797261
0081E1CE |. 68 4C696272 push 0x7262694C
0081E1D3 |. 68 4C6F6164 push 0x64616F4C
0081E1D8 |. 54 push esp
0081E1D9 |. 52 push edx
0081E1DA |. FFD6 call esi
0081E1DC |. E8 0D000000 call ZZZX.0081E1EE ; PUSH ASCII "kernel32.dll"
0081E1E1 |. 6B 65 72 6E 6>ascii "kernel32.dll",0
0081E1EE |> 5B pop ebx
0081E1EF |. 53 push ebx
0081E1F0 |. FFD0 call eax
0081E1F2 |. E8 19000000 call ZZZX.0081E210 ; PUSH ASCII "GetPrivateProfileStringA"
0081E1F7 |. 47 65 74 50 7>ascii "GetPrivateProfil"
0081E207 |. 65 53 74 72 6>ascii "eStringA",0
0081E210 |> 5B pop ebx
0081E211 |. 53 push ebx
0081E212 |. 50 push eax
0081E213 |. FFD6 call esi
0081E215 |. E8 0A000000 call ZZZX.0081E224 ; PUSH ASCII ".\Key.dat"
0081E21A |. 2E 5C 4B 65 7>ascii ".\Key.dat",0
0081E224 |> 5B pop ebx
0081E225 |. 53 push ebx
0081E226 |. 68 56020000 push 0x256
0081E22B |. E8 00000000 call ZZZX.0081E230
0081E230 |$ 5B pop ebx
0081E231 |. 83C3 50 add ebx,0x50
0081E234 |. 53 push ebx
0081E235 |. 6A 00 push 0x0
0081E237 |. E8 04000000 call ZZZX.0081E240 ; PUSH ASCII "Lic"
0081E23C |. 4C 69 63 00 ascii "Lic",0
0081E240 |> 5B pop ebx
0081E241 |. 53 push ebx
0081E242 |. E8 09000000 call ZZZX.0081E250
0081E247 \. CA DAC8 retf 0xC8DA
0081E24A A8 db A8
0081E24B . CE C4 BC FE 0>ascii "文件",0
0081E250 $ 5B pop ebx ; ZZZX.0081E247
0081E251 . 53 push ebx
0081E252 . FFD0 call eax
0081E254 . 8B4424 F4 mov eax,dword ptr ss:[esp-0xC]
0081E258 . E8 07000000 call ZZZX.0081E264
0081E25D . 90 nop
0081E25E .- FF25 48108200 jmp dword ptr ds:[<&VMProtectSDK32.VMPro>; //修正此处 地址处call VMProtectSetSerialNumber
0081E264 $ 8038 00 cmp byte ptr ds:[eax],0x0 //取授权文件字符串第一个字符比较,如果是零则下面跳向硬件码弹窗。
0081E267 .^ 0F84 5DFEFFFF je ZZZX.0081E0CA // 跳向硬件码弹窗 jmp_硬件弹窗(MARK_4):
0081E26D . 5B pop ebx
0081E26E . 50 push eax
0081E26F . FFD3 call ebx
0081E271 . 68 BC385C00 push ZZZX.00888888 // 返回软件原始OEP
0081E276 . C3 retn
4.获取硬件码:
第二段代码借鉴别人的,也可以自己编译。VMP帮助Step 1.9: Hardware lock有使用方法。编译好了把代码段取出来
VMProtectGetCurrentHWID
取的硬件码HWID: myhwid
偷懒一下,二进制粘贴也可以:8B 44 24 04 6A 00 C7 00 00 00 00 00 E8 19 01 00 00 85 C0 74 65 53 55 56 57 E8 00 01 00 00 8B 74
24 1C 83 C9 FF 33 C0 8B 3E F2 AE F7 D1 49 8B E9 45 55 6A 42 E8 03 01 00 00 8B D8 85 DB 74 32 8B
36 53 E8 FB 00 00 00 8B CD 8B F8 8B D1 53 C1 E9 02 F3 A5 8B CA 83 E1 03 F3 A4 E8 E9 00 00 00 53
6A 01 E8 C9 00 00 00 8B 44 24 14 C7 00 01 00 00 00 E8 A2 00 00 00 5F 5E 5D 5B C3 90 8D 44 24 08
83 EC 0C 50 FF 74 24 14 33 C0 89 44 24 08 89 44 24 0C 89 44 24 10 8D 54 24 08 52 FF D3 8B 44 24
0C 8B 54 24 10 8B 4C 24 14 83 C4 18 C3 55 8B EC 68 04 00 00 80 6A 00 FF 75 08 6A 01 BB 00 E0 81
00 E8 B6 FF FF FF C9 C2 04 00 6A 00 6A 00 E8 3F 00 00 00 83 F8 00 74 1F A3 B0 E4 81 00 FF 35 B0
E4 81 00 68 33 E3 81 00 E8 25 00 00 00 68 33 E3 81 00 E8 B6 FF FF FF 6A 00 68 66 E6 81 00 68 33
E3 81 00 6A 00 E8 1A 00 00 00 6A 00 E8 25 00 00 00 CC FF 25 4C 10 82 00 FF 25 E8 86 81 00 FF 25
8C 86 81 00 FF 25 C4 80 81 00 FF 25 1C 85 81 00 FF 25 CC 84 81 00 FF 25 7C 80 81 00 FF 25 C8 81
81 00 FF 25 B8 81 81 00 FF 25 A8 81 81 00
汇编代码如下:
[Asm] 纯文本查看 复制代码 MARK_1:
0081E000 . 8B4424 04 mov eax,dword ptr ss:[esp+0x4] //这段应该是 复制机器码到剪贴版。如果不对大神请指正。
0081E004 . 6A 00 push 0x0 ; /hWnd = NULL
0081E006 . C700 00000000 mov dword ptr ds:[eax],0x0 ; |
0081E00C . E8 19010000 call <jmp.&user32.OpenClipboard> ; \OpenClipboard //修正此处函数地址
0081E011 . 85C0 test eax,eax
0081E013 . 74 65 je short ZZZX.0081E07A
0081E015 . 53 push ebx
0081E016 . 55 push ebp
0081E017 . 56 push esi
0081E018 . 57 push edi
0081E019 . E8 00010000 call <jmp.&user32.EmptyClipboard> ; [EmptyClipboard //修正此处函数地址
0081E01E . 8B7424 1C mov esi,dword ptr ss:[esp+0x1C]
0081E022 . 83C9 FF or ecx,-0x1
0081E025 . 33C0 xor eax,eax
0081E027 . 8B3E mov edi,dword ptr ds:[esi]
0081E029 . F2:AE repne scas byte ptr es:[edi]
0081E02B . F7D1 not ecx
0081E02D . 49 dec ecx
0081E02E . 8BE9 mov ebp,ecx
0081E030 . 45 inc ebp
0081E031 . 55 push ebp ; /MemSize
0081E032 . 6A 42 push 0x42 ; |Flags = GHND
0081E034 . E8 03010000 call <jmp.&kernel32.GlobalAlloc> ; \GlobalAlloc //修正此处函数地址
0081E039 . 8BD8 mov ebx,eax
0081E03B . 85DB test ebx,ebx
0081E03D . 74 32 je short ZZZX.0081E071
0081E03F . 8B36 mov esi,dword ptr ds:[esi]
0081E041 . 53 push ebx ; /hMem
0081E042 . E8 FB000000 call <jmp.&kernel32.GlobalLock> ; \GlobalLock //修正此处函数地址
0081E047 . 8BCD mov ecx,ebp
0081E049 . 8BF8 mov edi,eax
0081E04B . 8BD1 mov edx,ecx
0081E04D . 53 push ebx ; /hMem
0081E04E . C1E9 02 shr ecx,0x2 ; |
0081E051 . F3:A5 rep movs dword ptr es:[edi],dword ptr ds>; |
0081E053 . 8BCA mov ecx,edx ; |
0081E055 . 83E1 03 and ecx,0x3 ; |
0081E058 . F3:A4 rep movs byte ptr es:[edi],byte ptr ds:[>; |
0081E05A . E8 E9000000 call <jmp.&kernel32.GlobalUnlock> ; \GlobalUnlock //修正此处函数地址
0081E05F . 53 push ebx ; /hData
0081E060 . 6A 01 push 0x1 ; |Format = CF_TEXT
0081E062 . E8 C9000000 call <jmp.&user32.SetClipboardData> ; \SetClipboardData //修正此处函数地址
0081E067 . 8B4424 14 mov eax,dword ptr ss:[esp+0x14]
0081E06B . C700 01000000 mov dword ptr ds:[eax],0x1
0081E071 > E8 A2000000 call <jmp.&user32.CloseClipboard> ; [CloseClipboard //修正此处函数地址
0081E076 . 5F pop edi
0081E077 . 5E pop esi
0081E078 . 5D pop ebp
0081E079 . 5B pop ebx
0081E07A > C3 retn
---------------------------------------------------------------------------------------优雅分割线----------------------------------------------------------------------------------------------------
MARK_2:
0081E07B 90 nop
0081E07C /$ 8D4424 08 lea eax,dword ptr ss:[esp+0x8]
0081E080 |. 83EC 0C sub esp,0xC
0081E083 |. 50 push eax
0081E084 |. FF7424 14 push dword ptr ss:[esp+0x14]
0081E088 |. 33C0 xor eax,eax
0081E08A |. 894424 08 mov dword ptr ss:[esp+0x8],eax
0081E08E |. 894424 0C mov dword ptr ss:[esp+0xC],eax
0081E092 |. 894424 10 mov dword ptr ss:[esp+0x10],eax
0081E096 |. 8D5424 08 lea edx,dword ptr ss:[esp+0x8]
0081E09A |. 52 push edx
0081E09B |. FFD3 call ebx //EBX地址指向0081E000, MARK_1:
0081E09D |. 8B4424 0C mov eax,dword ptr ss:[esp+0xC]
0081E0A1 |. 8B5424 10 mov edx,dword ptr ss:[esp+0x10]
0081E0A5 |. 8B4C24 14 mov ecx,dword ptr ss:[esp+0x14]
0081E0A9 |. 83C4 18 add esp,0x18
0081E0AC \. C3 retn
---------------------------------------------------------------------------------------优雅分割线----------------------------------------------------------------------------------------------------
MARK_3:
0081E0AD /$ 55 push ebp
0081E0AE |. 8BEC mov ebp,esp
0081E0B0 |. 68 04000080 push 0x80000004
0081E0B5 |. 6A 00 push 0x0
0081E0B7 |. FF75 08 push [arg.1]
0081E0BA |. 6A 01 push 0x1
0081E0BC |. BB 00E08100 mov ebx,ZZZX.0081E000 //修正此处地址指向 0081E000 也就是 MARK_1: 。
0081E0C1 |. E8 B6FFFFFF call ZZZX.0081E07C //修正此处地址指向 0081E07B , CALL MARK_2:
0081E0C6 |. C9 leave
0081E0C7 \. C2 0400 retn 0x4
---------------------------------------------------------------------------------------优雅分割线----------------------------------------------------------------------------------------------------
硬件弹窗(MARK_4):
0081E0CA > 6A 00 push 0x0
0081E0CC . 6A 00 push 0x0
0081E0CE . E8 3F000000 call <jmp.&VMProtectSDK32.VMProtectGetCu> //修正此处函数地址
0081E0D3 . 83F8 00 cmp eax,0x0
0081E0D6 . 74 1F je short ZZZX.0081E0F7
0081E0D8 . A3 B0E48100 mov dword ptr ds:[0x81E4B0],eax //此处内存指向零区,同时修正下面的常量也指向零区
0081E0DD . FF35 B0E48100 push dword ptr ds:[0x81E4B0]
0081E0E3 . 68 33E38100 push ZZZX.0081E333 //修正此处地址批向零区,注意下面有三处是一样的VA 此处标记为1
0081E0E8 . E8 25000000 call <jmp.&VMProtectSDK32.VMProtectGetCu> //修正此处函数地址
0081E0ED . 68 33E38100 push ZZZX.0081E333 //修正此处地址批向零区,注意下面有三处是一样的VA 此处标记为2
0081E0F2 . E8 B6FFFFFF call ZZZX.0081E0AD //修正 地址调用 MARK_3:
0081E0F7 > 6A 00 push 0x0 ; /Style = MB_OK|MB_APPLMODAL
0081E0F9 . 68 66E68100 push ZZZX.0081E666 ; |Title = "中国飘云阁" //修正此处地址批向任意零区,弹窗标题内容,可以自定义
0081E0FE . 68 33E38100 push ZZZX.0081E333 ; |Text = "" //修正此处地址批向零区,注意下面有三处是一样的VA 此处标记为3
0081E103 . 6A 00 push 0x0 ; |hOwner = NULL
0081E105 . E8 1A000000 call <jmp.&user32.MessageBoxA> ; \MessageBoxA //修正此处函数地址
0081E10A . 6A 00 push 0x0 ; /ExitCode = 0x0
0081E10C . E8 25000000 call <jmp.&kernel32.ExitProcess> ; \ExitProcess //修正此处函数地址
0081E111 CC int3
0081E112 $- FF25 4C108200 jmp dword ptr ds:[<&VMProtectSDK32.VMPro>; VMProtec.VMProtectGetCurrentHWID //修正此处函数地址
0081E118 $- FF25 E8868100 jmp dword ptr ds:[<&user32.CloseClipboar>; user32.CloseClipboard //修正此处函数地址
0081E11E $- FF25 8C868100 jmp dword ptr ds:[<&user32.EmptyClipboar>; user32.EmptyClipboard
0081E124 $- FF25 C4808100 jmp dword ptr ds:[<&user32.MessageBoxA>] ; user32.MessageBoxA //修正此处函数地址
0081E12A $- FF25 1C858100 jmp dword ptr ds:[<&user32.OpenClipboard>; user32.OpenClipboard //修正此处函数地址
0081E130 $- FF25 CC848100 jmp dword ptr ds:[<&user32.SetClipboardD>; user32.SetClipboardData //修正此处函数地址
0081E136 .- FF25 7C808100 jmp dword ptr ds:[<&kernel32.ExitProcess>; kernel32.ExitProcess //修正此处函数地址
0081E13C $- FF25 C8818100 jmp dword ptr ds:[<&kernel32.GlobalAlloc>; kernel32.GlobalAlloc //修正此处函数地址
0081E142 $- FF25 B8818100 jmp dword ptr ds:[<&kernel32.GlobalLock>>; kernel32.GlobalLock //修正此处函数地址
0081E148 $- FF25 A8818100 jmp dword ptr ds:[<&kernel32.GlobalUnloc>; kernel32.GlobalUnlock //修正此处函数地址
补充: 取硬件码需要修复的位置太多了,修改了一下代码,实现自动修正内存地址 注意:
不要随意调换代码顺序。检测授权的代码依旧就不重新编辑了。
下面这段代码写在新区段段首。做为第一段。
十六进制数据:
8B 44 24 04 6A 00 C7 00 00 00 00 00 E8 AE 01 00 00 85 C0 74 65 53 55 56 57 E8 95 01 00 00 8B 74
24 1C 83 C9 FF 33 C0 8B 3E F2 AE F7 D1 49 8B E9 45 55 6A 42 E8 98 01 00 00 8B D8 85 DB 74 32 8B
36 53 E8 90 01 00 00 8B CD 8B F8 8B D1 53 C1 E9 02 F3 A5 8B CA 83 E1 03 F3 A4 E8 7E 01 00 00 53
6A 01 E8 5E 01 00 00 8B 44 24 14 C7 00 01 00 00 00 E8 37 01 00 00 5F 5E 5D 5B C3 90 8D 44 24 08
83 EC 0C 50 FF 74 24 14 33 C0 89 44 24 08 89 44 24 0C 89 44 24 10 8D 54 24 08 52 FF D3 8B 44 24
0C 8B 54 24 10 8B 4C 24 14 83 C4 18 C3 55 8B EC 68 04 00 00 80 6A 00 FF 75 08 6A 01 BB 00 E0 81
00 E8 B6 FF FF FF C9 C2 04 00 6A 00 6A 00 E8 D4 00 00 00 83 F8 00 0F 84 B0 00 00 00 60 9C 33 C9
43 41 83 3B 00 75 F9 81 F9 00 08 00 00 75 F1 E8 00 00 00 00 58 83 C0 7A 8D 8B 00 FF FF FF 89 08
83 C0 06 8D 8B 00 FF FF FF 89 08 83 C0 05 8D 8B 00 FE FF FF 89 08 83 C0 0A 8D 8B 00 FE FF FF 89
08 83 C0 11 8D 8B 00 FE FF FF 89 08 83 E8 05 8D 8B 00 FD FF FF 89 08 2D D2 00 00 00 8D 8B 24 F5
FF FF 89 08 05 1F 07 00 00 C7 00 D6 D0 B9 FA C7 40 04 C6 AE D4 C6 C7 40 08 B8 F3 A1 BE C7 40 0C
50 44 47 A1 C7 40 10 BF 00 00 00 9D 61 A3 CA C7 81 00 FF 35 CA C7 81 00 68 CA C6 81 00 E8 25 00
00 00 68 CA C6 81 00 E8 21 FF FF FF 6A 00 68 CA C5 81 00 68 CA C6 81 00 6A 00 E8 1A 00 00 00 6A
00 E8 25 00 00 00 CC FF 25 48 D0 81 00 FF 25 E8 76 5F 00 FF 25 8C 76 5F 00 FF 25 C4 70 5F 00 FF
25 1C 75 5F 00 FF 25 CC 74 5F 00 FF 25 7C 70 5F 00 FF 25 C8 71 5F 00 FF 25 B8 71 5F 00 FF 25 A8
71 5F 00
汇编代码如下:
[AppleScript] 纯文本查看 复制代码 0081C000 . 8B4424 04 mov eax,dword ptr ss:[esp+0x4]
0081C004 . 6A 00 push 0x0 ; /hWnd = NULL
0081C006 . C700 00000000 mov dword ptr ds:[eax],0x0 ; |
0081C00C . E8 AE010000 call <jmp.&user32.OpenClipboard> ; \OpenClipboard
0081C011 . 85C0 test eax,eax
0081C013 . 74 65 je short ZZZX添加.0081C07A
0081C015 . 53 push ebx
0081C016 . 55 push ebp
0081C017 . 56 push esi
0081C018 . 57 push edi
0081C019 . E8 95010000 call <jmp.&user32.EmptyClipboard> ; [EmptyClipboard
0081C01E . 8B7424 1C mov esi,dword ptr ss:[esp+0x1C]
0081C022 . 83C9 FF or ecx,-0x1
0081C025 . 33C0 xor eax,eax
0081C027 . 8B3E mov edi,dword ptr ds:[esi]
0081C029 . F2:AE repne scas byte ptr es:[edi]
0081C02B . F7D1 not ecx
0081C02D . 49 dec ecx
0081C02E . 8BE9 mov ebp,ecx
0081C030 . 45 inc ebp
0081C031 . 55 push ebp ; /MemSize
0081C032 . 6A 42 push 0x42 ; |Flags = GHND
0081C034 . E8 98010000 call <jmp.&kernel32.GlobalAlloc> ; \GlobalAlloc
0081C039 . 8BD8 mov ebx,eax
0081C03B . 85DB test ebx,ebx
0081C03D . 74 32 je short ZZZX添加.0081C071
0081C03F . 8B36 mov esi,dword ptr ds:[esi]
0081C041 . 53 push ebx ; /hMem
0081C042 . E8 90010000 call <jmp.&kernel32.GlobalLock> ; \GlobalLock
0081C047 . 8BCD mov ecx,ebp
0081C049 . 8BF8 mov edi,eax
0081C04B . 8BD1 mov edx,ecx
0081C04D . 53 push ebx ; /hMem
0081C04E . C1E9 02 shr ecx,0x2 ; |
0081C051 . F3:A5 rep movs dword ptr es:[edi],dword ptr ds>; |
0081C053 . 8BCA mov ecx,edx ; |
0081C055 . 83E1 03 and ecx,0x3 ; |
0081C058 . F3:A4 rep movs byte ptr es:[edi],byte ptr ds:[>; |
0081C05A . E8 7E010000 call <jmp.&kernel32.GlobalUnlock> ; \GlobalUnlock
0081C05F . 53 push ebx ; /hData
0081C060 . 6A 01 push 0x1 ; |Format = CF_TEXT
0081C062 . E8 5E010000 call <jmp.&user32.SetClipboardData> ; \SetClipboardData
0081C067 . 8B4424 14 mov eax,dword ptr ss:[esp+0x14]
0081C06B . C700 01000000 mov dword ptr ds:[eax],0x1
0081C071 > E8 37010000 call <jmp.&user32.CloseClipboard> ; [CloseClipboard
0081C076 . 5F pop edi
0081C077 . 5E pop esi
0081C078 . 5D pop ebp
0081C079 . 5B pop ebx
0081C07A > C3 retn
0081C07B 90 nop
0081C07C /$ 8D4424 08 lea eax,dword ptr ss:[esp+0x8]
0081C080 |. 83EC 0C sub esp,0xC
0081C083 |. 50 push eax
0081C084 |. FF7424 14 push dword ptr ss:[esp+0x14]
0081C088 |. 33C0 xor eax,eax
0081C08A |. 894424 08 mov dword ptr ss:[esp+0x8],eax
0081C08E |. 894424 0C mov dword ptr ss:[esp+0xC],eax
0081C092 |. 894424 10 mov dword ptr ss:[esp+0x10],eax
0081C096 |. 8D5424 08 lea edx,dword ptr ss:[esp+0x8]
0081C09A |. 52 push edx
0081C09B |. FFD3 call ebx
0081C09D |. 8B4424 0C mov eax,dword ptr ss:[esp+0xC]
0081C0A1 |. 8B5424 10 mov edx,dword ptr ss:[esp+0x10]
0081C0A5 |. 8B4C24 14 mov ecx,dword ptr ss:[esp+0x14]
0081C0A9 |. 83C4 18 add esp,0x18
0081C0AC \. C3 retn
0081C0AD /$ 55 push ebp
0081C0AE |. 8BEC mov ebp,esp
0081C0B0 |. 68 04000080 push 0x80000004
0081C0B5 |. 6A 00 push 0x0
0081C0B7 |. FF75 08 push [arg.1]
0081C0BA |. 6A 01 push 0x1
0081C0BC |. BB 00E08100 mov ebx,0x81E000
0081C0C1 |. E8 B6FFFFFF call ZZZX添加.0081C07C
0081C0C6 |. C9 leave
0081C0C7 \. C2 0400 retn 0x4
0081C0CA > 6A 00 push 0x0
0081C0CC . 6A 00 push 0x0
0081C0CE . E8 D4000000 call <jmp.&VMProtectSDK32.VMProtectGetCu>
0081C0D3 . 83F8 00 cmp eax,0x0
0081C0D6 . 0F84 B0000000 je ZZZX添加.0081C18C
0081C0DC . 60 pushad //自动修正硬编码起始
0081C0DD . 9C pushfd
0081C0DE . 33C9 xor ecx,ecx
0081C0E0 > 43 inc ebx
0081C0E1 . 41 inc ecx
0081C0E2 . 833B 00 cmp dword ptr ds:[ebx],0x0
0081C0E5 .^ 75 F9 jnz short ZZZX添加.0081C0E0
0081C0E7 . 81F9 00080000 cmp ecx,0x800
0081C0ED .^ 75 F1 jnz short ZZZX添加.0081C0E0
0081C0EF . E8 00000000 call ZZZX添加.0081C0F4
0081C0F4 /$ 58 pop eax
0081C0F5 |. 83C0 7A add eax,0x7A
0081C0F8 |. 8D8B 00FFFFFF lea ecx,dword ptr ds:[ebx-0x100]
0081C0FE |. 8908 mov dword ptr ds:[eax],ecx
0081C100 |. 83C0 06 add eax,0x6
0081C103 |. 8D8B 00FFFFFF lea ecx,dword ptr ds:[ebx-0x100]
0081C109 |. 8908 mov dword ptr ds:[eax],ecx
0081C10B |. 83C0 05 add eax,0x5
0081C10E |. 8D8B 00FEFFFF lea ecx,dword ptr ds:[ebx-0x200]
0081C114 |. 8908 mov dword ptr ds:[eax],ecx
0081C116 |. 83C0 0A add eax,0xA
0081C119 |. 8D8B 00FEFFFF lea ecx,dword ptr ds:[ebx-0x200]
0081C11F |. 8908 mov dword ptr ds:[eax],ecx
0081C121 |. 83C0 11 add eax,0x11
0081C124 |. 8D8B 00FEFFFF lea ecx,dword ptr ds:[ebx-0x200]
0081C12A |. 8908 mov dword ptr ds:[eax],ecx
0081C12C |. 83E8 05 sub eax,0x5
0081C12F |. 8D8B 00FDFFFF lea ecx,dword ptr ds:[ebx-0x300]
0081C135 |. 8908 mov dword ptr ds:[eax],ecx
0081C137 |. 2D D2000000 sub eax,0xD2
0081C13C |. 8D8B 24F5FFFF lea ecx,dword ptr ds:[ebx-0xADC]
0081C142 |. 8908 mov dword ptr ds:[eax],ecx
0081C144 |. 05 1F070000 add eax,0x71F
0081C149 |. C700 D6D0B9FA mov dword ptr ds:[eax],0xFAB9D0D6 //自定义弹窗文字。
0081C14F |. C740 04 C6AED>mov dword ptr ds:[eax+0x4],0xC6D4AEC6 //自定义弹窗文字。
0081C156 |. C740 08 B8F3A>mov dword ptr ds:[eax+0x8],0xBEA1F3B8 //自定义弹窗文字。
0081C15D |. C740 0C 50444>mov dword ptr ds:[eax+0xC],0xA1474450 //自定义弹窗文字。
0081C164 |. C740 10 BF000>mov dword ptr ds:[eax+0x10],0xBF //自定义弹窗文字。
0081C16B |. 9D popfd
0081C16C |. 61 popad //自动修正硬编码结束
0081C16D |. A3 CAC78100 mov dword ptr ds:[0x81C7CA],eax
0081C172 |. FF35 CAC78100 push dword ptr ds:[0x81C7CA]
0081C178 |. 68 CAC68100 push ZZZX添加.0081C6CA
0081C17D |. E8 25000000 call <jmp.&VMProtectSDK32.VMProtectGetCu>
0081C182 |. 68 CAC68100 push ZZZX添加.0081C6CA
0081C187 |. E8 21FFFFFF call ZZZX添加.0081C0AD
0081C18C |> 6A 00 push 0x0 ; /Style = MB_OK|MB_APPLMODAL
0081C18E |. 68 CAC58100 push ZZZX添加.0081C5CA ; |Title = ""
0081C193 |. 68 CAC68100 push ZZZX添加.0081C6CA ; |Text = ""
0081C198 |. 6A 00 push 0x0 ; |hOwner = NULL
0081C19A |. E8 1A000000 call <jmp.&user32.MessageBoxA> ; \MessageBoxA
0081C19F |. 6A 00 push 0x0 ; /ExitCode = 0x0
0081C1A1 \. E8 25000000 call <jmp.&kernel32.ExitProcess> ; \ExitProcess
0081C1A6 CC int3
0081C1A7 $- FF25 48D08100 jmp dword ptr ds:[<&VMProtectSDK32.VMPro>; VMProtec.VMProtectGetCurrentHWID
0081C1AD $- FF25 E8765F00 jmp dword ptr ds:[<&user32.CloseClipboar>; user32.CloseClipboard
0081C1B3 $- FF25 8C765F00 jmp dword ptr ds:[<&user32.EmptyClipboar>; user32.EmptyClipboard
0081C1B9 $- FF25 C4705F00 jmp dword ptr ds:[<&user32.MessageBoxA>] ; user32.MessageBoxA
0081C1BF $- FF25 1C755F00 jmp dword ptr ds:[<&user32.OpenClipboard>; user32.OpenClipboard
0081C1C5 $- FF25 CC745F00 jmp dword ptr ds:[<&user32.SetClipboardD>; user32.SetClipboardData
0081C1CB .- FF25 7C705F00 jmp dword ptr ds:[<&kernel32.ExitProcess>; kernel32.ExitProcess
0081C1D1 $- FF25 C8715F00 jmp dword ptr ds:[<&kernel32.GlobalAlloc>; kernel32.GlobalAlloc
0081C1D7 $- FF25 B8715F00 jmp dword ptr ds:[<&kernel32.GlobalLock>>; kernel32.GlobalLock
0081C1DD $- FF25 A8715F00 jmp dword ptr ds:[<&kernel32.GlobalUnloc>; kernel32.GlobalUnlock
可能有人会怀疑强度,虽然比不上源码编译的强度,但也差不了太多。前题是你会用VMP加壳。 完整版附件及使用方法视频:
链接: https://pan.baidu.com/s/14PPsOH_dZm_qftI9aTQ27g 提取码: 7q4v |
-
免费评分
-
查看全部评分
本帖被以下淘专辑推荐:
- · 学习及教程|主题: 1126, 订阅: 1118
|
[复制链接]
|
发表于 2019-6-5 21:46
