[Original] How vmp fixes up APIs

    Posted 2020-7-2 19:01:13

    1. When vmp finishes executing a sequence like the following, it has decrypted and called the api:

        lea reg,[imm0]
        mov reg,[reg+imm1]
        lea reg,[reg+imm2]
        xchg [rsp],reg
        ret

    2. First imm1, because reg+imm1 lies inside the vmp0 section.
    e.g.:
    The vmp0 section's base and size are

        base = 000000014009D000
        size = 00000000000B1000

        lea rax, ds:[0x0000000140006A16]
        // rax == 0x0000000140006A16
        mov rax, qword ptr ds:[rax+0xEA94A]
        // rax+0xEA94A = 00000001400F1360
        // [rax+0xEA94A] = [00000001400F1360] = 00007FFDE207E8F0
        lea rax, ds:[rax-0x3262A0B0]
        // rax = 00007FF**54840

    00007FF**54840 is jmp qword ptr ds:[<&GetModuleFileNameW>]

    At this point the base of kernel32.dll is

        base=00007FF**30000

    Now imagine the following:
    the machine is shut down and rebooted, the program is opened again, and kernel32.dll's base and size have now become

        base=00007FFC36780000

    So what value should be written to [00000001400F1360]?

        [00000001400F1360] = 00007FFC36780000 - 00007FF**30000 + 00007FFDE207E8F0 = 00007FFC68DCE8F0

    With that, the call to this api is fixed.

    So can we just do the following?
    Write some code that runs before the original OEP and, from the recorded dllname, dllbase, dllsize and api names,
    brute-force search vmp0
    and fix things up.

    Going back to the beginning, we notice there is also imm2, and this immediate means that
    the value stored in [reg+imm1] may not lie within [dllbase, dllbase + dllsize].
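A worked version of the fix-up described in this section, added here as an example and not code from the post: given the stub's immediates and a recorded module layout, it checks that the slot lies in vmp0, applies imm2 before the range check (the point of the last paragraph), and computes the value to write. The old kernel32 base and size are constructed because the post redacts them; the RVA 0x24840 is the post's 0x...54840 jmp stub relative to its 0x...30000 base.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

MASK64 = (1 << 64) - 1

@dataclass(frozen=True)
class Module:
    """One DLL as the tracing step records it: name, base, size."""
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size

@dataclass(frozen=True)
class ApiStub:
    """Immediates of  lea reg,[imm0]; mov reg,[reg+imm1]; lea reg,[reg+imm2]; xchg [rsp],reg; ret."""
    imm0: int
    imm1: int
    imm2: int   # signed displacement; negative in the post's example

    @property
    def slot(self) -> int:
        """The 8-byte pointer slot inside vmp0 that the stub loads from."""
        return (self.imm0 + self.imm1) & MASK64

def module_of(addr: int, layout: Dict[str, Module]) -> Optional[Module]:
    """The recorded module whose [base, base+size) contains addr, or None."""
    for m in layout.values():
        if m.contains(addr):
            return m
    return None

def fix_slot(stub: ApiStub, stored: int, old_layout: Dict[str, Module],
             new_layout: Dict[str, Module], vmp0: Module) -> Tuple[str, int, int]:
    """Return (dll name, RVA, value to write into the slot for the new layout)."""
    slot = stub.slot
    if not vmp0.contains(slot):
        raise ValueError(f"slot {slot:#x} is not inside vmp0")
    # The stub adds imm2 after the load, so the real target is stored + imm2;
    # that value, not the stored one, must fall inside a recorded DLL.
    target = (stored + stub.imm2) & MASK64
    mod = module_of(target, old_layout)
    if mod is None:
        raise ValueError(f"target {target:#x} is not inside any recorded DLL")
    rva = target - mod.base
    new_base = new_layout[mod.name].base
    # Same RVA in the relocated DLL, minus imm2 so the stub's lea lands on it again.
    return mod.name, rva, (new_base + rva - stub.imm2) & MASK64

# From the post: the vmp0 section, the stub's immediates, the kernel32 base after reboot.
VMP0 = Module("vmp0", 0x14009D000, 0xB1000)
STUB = ApiStub(imm0=0x140006A16, imm1=0xEA94A, imm2=-0x3262A0B0)
NEW_KERNEL32_BASE = 0x7FFC36780000

# Constructed old layout: the post redacts the old kernel32 base, so an arbitrary
# base and size stand in for it. The slot content is built so that stored + imm2
# lands at RVA 0x24840 (the post's 0x...54840 jmp stub against its 0x...30000 base).
OLD_LAYOUT = {"kernel32.dll": Module("kernel32.dll", 0x7FFD12340000, 0xB8000)}
NEW_LAYOUT = {"kernel32.dll": Module("kernel32.dll", NEW_KERNEL32_BASE, 0xB8000)}
STORED = (OLD_LAYOUT["kernel32.dll"].base + 0x24840 - STUB.imm2) & MASK64

if __name__ == "__main__":
    print(f"slot {STUB.slot:#x} inside vmp0: {VMP0.contains(STUB.slot)}")
    print(f"stored value {STORED:#x} inside a DLL by itself: {module_of(STORED, OLD_LAYOUT) is not None}")
    name, rva, value = fix_slot(STUB, STORED, OLD_LAYOUT, NEW_LAYOUT, VMP0)
    print(f"{name} RVA {rva:#x}: write {value:#x} to [{STUB.slot:#x}]")
```

The stored value alone is rejected by the range check, while stored + imm2 resolves to kernel32, and the computed slot value equals the post's 00007FFC68DCE8F0 regardless of what the old base was.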

    3. Let's see how vmp performs the mapping.

    The write:

        // mov qword ptr ds:[rax],rdx
        // rdx == 0x0000000020A44E60
        // rax == 0x000007FEEAC2C999

    First, how the mapped address 0x000007FEEAC2C999 is computed:

        add qword ptr ss:[rbp+8],rax
        // [rbp+8] == 0x000007FEEAC2C999 =  0x7FD6AB50000 + 0x1800DC999

    rax comes from mov rax,qword ptr ss:[rbp]

        mov rax,qword ptr ds:[rsi]
        // rax == 0x2033B8E1C16B3FB
        add rax,rbx
        // rax == 0x2033B9013000000
        ror rax,14
        // rax == 0x2033B90130
        bswap rax
        // rax == 0x3001B93320000000
        rol rax,23
        // rax == 0x1800DC999
        mov qword ptr ss:[rbp],rax
        // [rbp] == 0x1800DC999

    It is not hard to see that this offset comes from vmp's bytecode.
    Now let's see how the data 0x0000000020A44E60 is computed:

        mov rax,qword ptr ss:[rbp]
        // rax == 0xFFFFFFFFA90235F0
        // [rbp+8] == 0x77A21870
        add qword ptr ss:[rbp+8],rax
        // [rbp+8] == 0x20A44E60

    First, 0xFFFFFFFFA90235F0:

        mov eax,dword ptr ds:[rsi]
        // eax == 0x45BC37E0
        xor eax,ebx
        // eax == 0x1A574EB1
        inc eax
        // eax == 0x1A574EB2
        sub eax,94C212A
        // rax == 0xA90235F0
        cdqe
        // rax == 0xFFFFFFFFA90235F0
        mov qword ptr ss:[rbp],rax
        // [rbp] == 0xFFFFFFFFA90235F0

    This offset also comes from vmp's bytecode.

    Now the key value 0x77A21870.
    First, the base of kernel32.dll is 0x77A10000

        // rdx == 77AB003C
        //         Export directory for KERNEL32.dll

        mov ebx,dword ptr ds:[rdx+20]
        // ebx == 0xA1610
        //         fetches AddressOfNames
        add rbx,rax
        // rbx == 0x77AB1610
        //         Export Names Table for KERNEL32.dll

        mov edi,dword ptr ds:[rdx+24]
        // edi == 0xA2BBC
        //         fetches AddressOfNameOrdinals
        add rdi,rax
        // rdi == 0x77AB2BBC == 0xA2BBC + 0x77A10000
        //         fetches Export Ordinals Table for KERNEL32.dll

        movzx ecx,word ptr ds:[rdi+rcx*2]
        // ecx == 0x8F
        mov edi,dword ptr ds:[rdx+1C]
        // edi == 0xA0064
        add rdi,rax
        // rdi == 0x77AB0064
        //         fetches Export Address Table for KERNEL32.dll
        mov edi,dword ptr ds:[rdi+rcx*4]
        // edi == 0x11870
        add rax,rdi
        // rax == 0x77A21870 == 0x77A10000 + 0x11870
        // 0000000077A21870 ; HANDLE __stdcall CreateFileWImplementation

    Next, let's see what is done after the ordinal 0x8F is obtained:

        add ecx,1
        // ecx == 8F
        mov dword ptr ss:[rbp-8],ecx
        mov ecx,dword ptr ss:[rbp-8]
        add ecx,dword ptr ss:[rbp-4]
        // ecx == 11E
        shr ecx,1
        // ecx == 8F
        mov edi,dword ptr ds:[rbx+rcx*4]
        // edi == 0xA4258
        add rdi,rax
        // rdi == 0x0000000077AB4258 aCreatefilew    db 'CreateFileW',0

    After rdi is obtained
    and rsi is set up,
    it begins:

        lodsb
        // rsi: 2FD7F4-> 2FD7F5
        // 00000000002FD7F4  9E 13 AB 8B 23 AB B6 CB E3 AB 3E 78 4B 45 52 4E  ..«.#«¶Ëã«>xKERN
        // 00000000002FD804  45 4C 33 32 2E 64 6C 6C 00 00 00 00 02 00 00 00  EL32.dll........
        // this region is allocated by vmp; its data is fetched from the vm's bytecode
        // once one item has been consumed, the next is fetched and stored into this region
        // omitted here to save space

        inc al
        xor al,79
        dec al
        not al
        rol al,5
        cmp al,byte ptr ds:[rdi]

    It then compares against the Export Names entries by index (e.g. aCreatefilew)
    to obtain the address of the wanted api; the only difference is that the api's name is hard-coded in the vm's bytecode.
    The address is then written into vmp0, or into a region allocated with LocalAlloc.
    It is really just the ordinary logic we ourselves use to get an api's address.
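An added example (not the post's code) of the lookup the trace above shows: a constructed export table with sorted names, a binary search over it, and the per-byte decode inc / xor 0x79 / dec / not / rol 5 applied to an encoded name of the kind the bytecode carries. The encoder, the table contents and every RVA except CreateFileW's 0x11870 are constructed for this example.

```python
from typing import List, Optional, Tuple

def rol8(x: int, n: int) -> int:
    return ((x << n) | (x >> (8 - n))) & 0xFF

def ror8(x: int, n: int) -> int:
    return ((x >> n) | (x << (8 - n))) & 0xFF

def decode_name_byte(b: int) -> int:
    """The trace's  inc al; xor al,79; dec al; not al; rol al,5  on one bytecode byte."""
    al = (b + 1) & 0xFF
    al ^= 0x79
    al = (al - 1) & 0xFF
    al = ~al & 0xFF
    return rol8(al, 5)

def encode_name_byte(c: int) -> int:
    """Inverse of decode_name_byte; constructed here only to build sample bytecode."""
    al = ror8(c, 5)
    al = ~al & 0xFF
    al = (al + 1) & 0xFF
    al ^= 0x79
    return (al - 1) & 0xFF

def encode_name(name: str) -> bytes:
    return bytes(encode_name_byte(c) for c in name.encode() + b"\0")

def decode_name(blob: bytes) -> str:
    out = bytearray()
    for b in blob:
        c = decode_name_byte(b)
        if c == 0:
            break
        out.append(c)
    return out.decode()

def compare_encoded(encoded: bytes, name: bytes) -> int:
    """strcmp-style compare, decoding one byte per step like lodsb ... cmp al,[rdi]."""
    for e, c in zip(encoded, name):
        d = decode_name_byte(e)
        if d != c:
            return d - c
        if c == 0:
            return 0
    return len(encoded) - len(name)

class ExportTable:
    """The three export-directory arrays: AddressOfFunctions, AddressOfNames (sorted), AddressOfNameOrdinals."""
    def __init__(self, entries: List[Tuple[str, int]]):
        self.functions = [rva for _, rva in entries]
        order = sorted(range(len(entries)), key=lambda i: entries[i][0].encode())
        self.names = [entries[i][0].encode() + b"\0" for i in order]
        self.ordinals = order      # name index -> index into functions

    def lookup(self, encoded: bytes) -> Optional[int]:
        """Binary search over the sorted names; mid = (lo+hi)>>1 is the trace's add/shr pair."""
        lo, hi = 0, len(self.names) - 1
        while lo <= hi:
            mid = (lo + hi) >> 1
            cmp = compare_encoded(encoded, self.names[mid])
            if cmp == 0:
                return self.functions[self.ordinals[mid]]
            if cmp < 0:
                hi = mid - 1
            else:
                lo = mid + 1
        return None

# Constructed sample table; only CreateFileW's RVA 0x11870 is taken from the post.
KERNEL32 = ExportTable([
    ("LoadLibraryA", 0x20F30),
    ("CreateFileW", 0x11870),
    ("CloseHandle", 0x1A8C0),
    ("CreateFileA", 0x11850),
    ("GetModuleFileNameW", 0x24840),
])
BYTECODE_NAME = encode_name("CreateFileW")   # constructed: what the vm bytecode would carry

if __name__ == "__main__":
    print("encoded:", BYTECODE_NAME.hex(), "->", decode_name(BYTECODE_NAME))
    print(f"RVA: {KERNEL32.lookup(BYTECODE_NAME):#x}")
```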

    vmp has many similar ways of handling strings;
    for example, the way xjun's plugin bypasses the syscall handling
    works because vmp reads the version information in ntdll's .rsrc.

    APIs handled in the sample:

    The process above is how vmp, after LoadLibrary'ing the dlls, fixes up each api address in vmp0.
    Filling in the LocalAlloc'd region is similar;
    of course, the LocalAlloc'd region also holds data computed from cpuid.

    btw:
    This applies to vmp 2.x; I haven't looked at vmp 3.x.
    Once you understand it, you can go and handle these things.
    There are several approaches, and different approaches handle things differently.
    A few points to watch out for in some of the approaches:
    1.
    vmp1 calls some apis, which involves space issues
    2.
    0xAAA: call 0xBBB
    0xBBB: call 0xCCC // CCC decrypts and calls the api
    In this case BBB needs to be fixed into a jmp
    3.
    Searching for 0xe8 with a disassembler engine yields two kinds // thanks to 大表哥 for providing the 0xe8 brute search
    one is 5 bytes
    the other is 6 bytes, i.e. the opcode carries a prefix // if there is a push reg before it, that opcode also has a prefix, i.e. 2 bytes
    4.
    Depending on the stack state:
    call/jmp
    move forward / pad with a ret

    Others I'll add as I run into them

    Posted 2020-7-2 19:53:50
    Cherish life, stay away from VMP

    Posted 2020-7-2 21:54:07
    Waiting for the restore tool to be released

    Posted 2020-7-17 22:42:21
    I don't understand any of this

    Posted 2020-7-24 08:18:33
    Looking forward to the master's restore tool. Thanks for sharing, I'll study it carefully.

    Posted 2020-8-8 06:54:18
    Here to learn and see the expert at work.

    Posted 2020-9-29 01:31:40
    I feel anyone who can chew through a VM has godlike patience...

    Posted 2020-10-13 23:17:20
    Learning, learning