这是我分析的，不知道对不对哦
第一步
0040A99A $ 55 push ebp ; 登录
0040A99B . 8BEC mov ebp,esp ;
0040A99D . 81EC 20000000 sub esp,0x20
0040A9A3 . C745 FC 00000000 mov dword ptr ss:[ebp-0x4],0x0
0040A9AA . EB 10 jmp X3Xco0S7.0040A9BC
0040A9AC . 56 4D 50 72 6F 74 65 63 74 20 62 65 67 69 6E 00 ascii "VMProtect begin",0
第二步
--------------------------------------------------------------------------------------------------------------------------
0040A87F |. 56 4D 50 72 6F 74 65 63 74 20 62 65 67 69 6E 00 ascii "VMProtect begin",0
0040A88F |> 68 00000000 push 0x0
0040A894 |. BB 60514400 mov ebx,3Xco0S7.00445160
0040A899 |. E8 1B830300 call 3Xco0S7.00442BB9
0040A89E |. 83C4 04 add esp,0x4
0040A8A1 |. 6A FF push -0x1
0040A8A3 |. 6A 08 push 0x8
0040A8A5 |. 68 C08B0216 push 0x16028BC0
0040A8AA |. 68 67540252 push 0x52025467
0040A8AF |. E8 17830300 call 3Xco0S7.00442BCB 这个CALL没跟过不知道是什么
0040A8B4 |. 83C4 10 add esp,0x10
0040A8B7 |. 8945 F4 mov [local.3],eax
0040A8BA |. 6A FF push -0x1
0040A8BC |. 6A 08 push 0x8
0040A8BE |. 68 BE8B0216 push 0x16028BBE
0040A8C3 |. 68 67540252 push 0x52025467
0040A8C8 |. E8 FE820300 call 3Xco0S7.00442BCB 这2个CALL没跟过不知道是什么
0040A8CD |. 83C4 10 add esp,0x10
0040A8D0 |. 8945 F0 mov [local.4],eax
0040A8D3 |. 6A 01 push 0x1
0040A8D5 |. 8D45 F8 lea eax,[local.2]
0040A8D8 |. 50 push eax
0040A8D9 |. 8D45 F0 lea eax,[local.4]
0040A8DC |. 50 push eax
0040A8DD |. 8D45 F4 lea eax,[local.3]
0040A8E0 |. 50 push eax
0040A8E1 |. E8 B4000000 call 3Xco0S7.0040A99A ;很明显这个CALL调用的是在字符串搜索帐号密码错误那里的段首
--------------------------------------------------------------------------------------------------------------------------------------------------------------------
第三步 找合法
00416078 /$ 55 push ebp ; 合法地址一
00416079 |. 8BEC mov ebp,esp
0041607B |. 81EC 20000000 sub esp,0x20
00416081 |. C745 FC 00000000 mov [local.1],0x0
00416088 |. EB 10 jmp X3Xco0S7.0041609A
0041608A |. 56 4D 50 72 6F 74 65 63 74 20 62 65 67 69 6E 00 ascii "VMProtect begin",0
------------------------------------------------------------------------------------------------------------------------------------
0041656B $ 55 push ebp ;合法地址二
0041656C . 8BEC mov ebp,esp
0041656E . 81EC 84000000 sub esp,0x84
------------------------------------------------------------------------------------------------------------------------------------
第四步 暗桩
00405554 /$ 55 push ebp
00405555 |. 8BEC mov ebp,esp
00405557 |. 81EC 1C000000 sub esp,0x1C
0040555D |. 68 60000000 push 0x60
本地调用来自 004026BF, 004026CE, 00402732, 004104CF, 00416139, 0041629F, 00416436, 004196B2, 004197E8, 004198C8, 00419A58, 00419B10, 00419B7C, 00419C0E, 00421537, 00421549
一个一个跟
BF和CE在一起都不是
004026B9 |. /0F84 05000000 je 3Xco0S7.004026C4
004026BF |. |E8 902E0000 call 3Xco0S7.00405554
004026C4 |> \837D FC 01 cmp [local.1],0x1
004026C8 |. 0F85 5A000000 jnz 3Xco0S7.00402728
004026CE |. E8 812E0000 call 3Xco0S7.00405554
004026D3 |> 817D FC 41010000 /cmp [local.1],0x141
004026DA |. 0F84 02000000 |je 3Xco0S7.004026E2
004026E0 |.^ EB F1 \jmp X3Xco0S7.004026D3
004026E2 |> E8 0E340000 call 3Xco0S7.00405AF5
00402732
0040272C |. /0F85 5A000000 jnz 3Xco0S7.0040278C
00402732 |. |E8 1D2E0000 call 3Xco0S7.00405554
004104CF 不是
0041629F 疑似
00416290 |. /74 0D je X3Xco0S7.0041629F
00416292 |. |68 06000000 push 0x6
00416297 |. |E8 11C90200 call 3Xco0S7.00442BAD
0041629C |. |83C4 04 add esp,0x4
0041629F |> \E8 B0F2FEFF call 3Xco0S7.00405554
00416436 疑似
00416427 |. /74 0D je X3Xco0S7.00416436
00416429 |. |68 06000000 push 0x6
0041642E |. |E8 7AC70200 call 3Xco0S7.00442BAD
00416433 |. |83C4 04 add esp,0x4
00416436 |> \E8 19F1FEFF call 3Xco0S7.00405554
004196B2 疑似
00419698 |. /0F85 14000000 |jnz 3Xco0S7.004196B2
0041969E |. |68 00000000 |push 0x0
004196A3 |. |BB 60514400 |mov ebx,3Xco0S7.00445160
004196A8 |. |E8 0C950200 |call 3Xco0S7.00442BB9
004196AD |. |83C4 04 |add esp,0x4
004196B0 |.^|EB E2 \jmp X3Xco0S7.00419694
004196B2 |> \E8 9DBEFEFF call 3Xco0S7.00405554
004197E8 疑似
004197CE |. /0F85 14000000 |jnz 3Xco0S7.004197E8
004197D4 |. |68 00000000 |push 0x0
004197D9 |. |BB 60514400 |mov ebx,3Xco0S7.00445160
004197DE |. |E8 D6930200 |call 3Xco0S7.00442BB9
004197E3 |. |83C4 04 |add esp,0x4
004197E6 |.^|EB E2 \jmp X3Xco0S7.004197CA
004197E8 |> \E8 67BDFEFF call 3Xco0S7.00405554
004198C8 疑似
004198AE |. /0F85 14000000 |jnz 3Xco0S7.004198C8
004198B4 |. |68 00000000 |push 0x0
004198B9 |. |BB 60514400 |mov ebx,3Xco0S7.00445160
004198BE |. |E8 F6920200 |call 3Xco0S7.00442BB9
004198C3 |. |83C4 04 |add esp,0x4
004198C6 |.^|EB E2 \jmp X3Xco0S7.004198AA
004198C8 |> \E8 87BCFEFF call 3Xco0S7.00405554
00419A58 疑似
00419A3E |. /0F85 14000000 |jnz 3Xco0S7.00419A58
00419A44 |. |68 00000000 |push 0x0
00419A49 |. |BB 60514400 |mov ebx,3Xco0S7.00445160
00419A4E |. |E8 66910200 |call 3Xco0S7.00442BB9
00419A53 |. |83C4 04 |add esp,0x4
00419A56 |.^|EB E2 \jmp X3Xco0S7.00419A3A
00419A58 |> \E8 F7BAFEFF call 3Xco0S7.00405554
00419B10 疑似
00419AF6 |. /0F85 14000000 |jnz 3Xco0S7.00419B10
00419AFC |. |68 00000000 |push 0x0
00419B01 |. |BB 60514400 |mov ebx,3Xco0S7.00445160
00419B06 |. |E8 AE900200 |call 3Xco0S7.00442BB9
00419B0B |. |83C4 04 |add esp,0x4
00419B0E |.^|EB E2 \jmp X3Xco0S7.00419AF2
00419B10 |> \E8 3FBAFEFF call 3Xco0S7.00405554
00419B7C JE 直接跳走 00419BB4
00419B76 |. /0F84 38000000 je 3Xco0S7.00419BB4
00419B7C |. |E8 D3B9FEFF call 3Xco0S7.00405554
00419C0E JGE 跳转 00419C41
00419C03 |. /0F8D 38000000 jge 3Xco0S7.00419C41
00419C09 |. |E8 E7BEFEFF call 3Xco0S7.00405AF5
00419C0E |. |E8 41B9FEFF call 3Xco0S7.00405554
00421537 JNZ条件跳转
00421531 |. /0F85 05000000 |jnz 3Xco0S7.0042153C
00421537 |. |E8 1840FEFF |call 3Xco0S7.00405554
0042153C |> \E8 820E0000 |call 3Xco0S7.004223C3
00421549 JE跳转
00421543 |. /0F84 05000000 |je 3Xco0S7.0042154E
00421549 |. |E8 0640FEFF |call 3Xco0S7.00405554
0042154E |>^\E9 70FFFFFF \jmp 3Xco0S7.004214C3
--------------------------------------
蓝屏
共找到1处地址:
00405B85
段首为
00405B38 /$ 55 push ebp
调用CALL
本地调用来自 00405AF8, 00417B8A
00417B8A 段首
00417AFD /$ 55 push ebp
00405AF8 段首
00405AF5 /$ 55 push ebp
00405AF6 |. 8BEC mov ebp,esp
00405AF8 |. E8 3B000000 call 3Xco0S7.00405B38
----------------------
|