基址是随机变化的。
eno 一样都能找到，只不过每次位置都会变化。
脱壳试一下，送你两个脚本。
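/*
VMProtect OEP Founder 1.1
by ximo[LCG][DFJG]
just for fun

Purpose: stop the debugger at (or near) the OEP of a VMProtect-packed
32-bit PE.  It waits until the unpacker's VirtualProtect calls settle
(the first argument of the first call is seen again), then runs to the
hard-coded VM_Retn address and sets a memory breakpoint on the first
section until execution actually lands inside that section.

Requires: target already loaded in OllyDbg; the VM_Retn address below is
sample-specific and must be adjusted for every target.
Breakpoints: all software and hardware breakpoints are cleared on entry.
*/
var imagebase
var tmp
var pNtHeader
// pSection: first IMAGE_SECTION_HEADER, directly after the NT headers
var pSection
// sectionaddr / sectionsize: VirtualAddress+imagebase and VirtualSize of
// the first section; sum is one past its last byte
var sectionaddr
var sectionsize
var sum
var protection
var firstpro
var isfirst
var retn
mov isfirst,1
//VM_Retn - sample-specific, change for each target
mov retn,00474737
bc
bphwc
GMI eip, MODULEBASE
mov imagebase, $RESULT
// e_lfanew (offset 0x3c) -> IMAGE_NT_HEADERS
mov tmp,[imagebase+3c]
add tmp,imagebase
mov pNtHeader,tmp
// 0xf8 = sizeof(IMAGE_NT_HEADERS32); assumes a PE32 with the standard
// 0xe0-byte optional header (check SizeOfOptionalHeader if this misfires)
mov pSection,pNtHeader
add pSection,f8
// IMAGE_SECTION_HEADER.VirtualAddress is at +0xc, VirtualSize at +0x8
mov tmp,pSection
add tmp,c
mov sectionaddr,[tmp]
add sectionaddr,imagebase
mov tmp,pSection
add tmp,8
mov sectionsize,[tmp]
mov sum,sectionaddr
add sum,sectionsize
gpa "VirtualProtect", "kernel32"
cmp $RESULT, 0
je err
// break inside VirtualProtect; +0x13 is specific to the kernel32 build
// the script was written against, and [esp+4] there is read as the first
// argument - confirm both on the local system before trusting the result
bp $RESULT+13
loop:
esto
cmp isfirst,1
je firstt
mov protection,[esp+4]
cmp protection,firstpro
je next
jmp loop
firstt:
// remember the argument of the first VirtualProtect call; the unpacker is
// assumed to call VirtualProtect with the same value once it is finished
mov firstpro,[esp+4]
mov isfirst,0
jmp loop
next:
bc
rtu
find:
// run to VM_Retn, then wait for the next access to the first section
bp retn
esto
bc
bprm sectionaddr,sectionsize
esto
bpmc
// loop until eip is inside [sectionaddr, sum) - both bounds are checked so
// a hit below the section (or exactly at its end) is not taken as the OEP
cmp eip,sectionaddr
jb find
cmp eip,sum
jae find
found:
cmt eip,"this is OEP or Near OEP!"
ret
err:
ret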
-------------------------------------------------------------
上面为第一个（找 OEP 的）脚本。
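/*
VMProtect 2.07 Unpacker
by ximo[LCG][DFJG]
just for fun

Purpose: log every import the VMProtect stub resolves at run time so the
IAT can be rebuilt afterwards.  Each line appended to the log file is
  <write address>,<key>,<dll name>,<api name>
where key = real API address - value the stub stores (VM_WmDs32 writes
edx to [eax], so the destination is taken from eax and the stored value
from edx).

Requires: writeaddr (VM_WmDs32) and end (OEP / stop address) are
sample-specific and must be adjusted for every target.
Breakpoints: all breakpoints are cleared on entry; the hardware
breakpoints are cleared again on exit.
*/
var getfunc
var dllname
var apiname
var writeaddr
var addr
var apiaddr
var key
var info
var end
var logfile
mov logfile,"FkIAT.txt"
/*
VM_WmDs32:
004FBA37 8910 mov dword ptr ds:[eax],edx
*/
mov writeaddr,0047640E
//OEP or stop script addr
mov end,00401DAD
bc
bphwc
// locate the "retn 1C" of CreateFileW and break there; returning to user
// code from it presumably lands in the stub's import-resolving routine,
// whose address is kept in getfunc
gpa "CreateFileW", "kernel32"
cmp $RESULT, 0
je err
findop $RESULT,#C21C00#
cmp $RESULT, 0
je err
bp $RESULT
esto
bc
rtu
mov getfunc,eip
bphws getfunc, "x"
bphws end, "x"
loop:
run
cmp eip,end
je done
// eax is expected to hold the resolved address when getfunc is hit; gn
// gives module ($RESULT_1) and symbol ($RESULT_2), or $RESULT = 0 if none
gn eax
cmp $RESULT,0
je next
do:
mov apiaddr,eax
mov dllname,$RESULT_1
mov apiname,$RESULT_2
// wait for the stub to store the encoded value: [eax] = edx
bp writeaddr
esto
bc eip
mov addr,eax
mov key,apiaddr
sub key,edx
eval "{addr},{key},{dllname},{apiname}"
mov info,$RESULT
wrta logfile,info
next:
jmp loop
// the stop label is named 'done' so it does not share a name with the
// variable 'end'
done:
// stop address reached: drop the hardware breakpoints so the target can be
// continued or dumped without tripping them again
bphwc
ret
err:
bc
bphwc
ret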
----------------------------------------
修复脚本