Can everyone take a look at how to get started unpacking this VMP packer?
This program loads normally in OD, but no breakpoint I set will hold; it always breaks at the 90 db location. Using a tool to read the data directory table, none of the sections it read back had a start address or size. Finally, checking with PEiD showed it contains vmp0 and vmp1 sections; after asking Baidu I learned it is packed with VMP. I don't know how to get started unpacking or cracking this kind of packer. Or is there some other method?
0040003C 00010000 DD 00000100 ; Offset to PE signature
00400100 50 45 00 00>ASCII "PE" ; PE signature (PE)
00400104 4C01 DW 014C ; Machine = IMAGE_FILE_MACHINE_I386
00400106 0C00 DW 000C ; NumberOfSections = C (12.)
00400108 87648454 DD 54846487 ; TimeDateStamp = 0x54846487
0040010C 00000000 DD 00000000 ; PointerToSymbolTable = 0x0
00400110 00000000 DD 00000000 ; NumberOfSymbols = 0x0
00400114 E000 DW 00E0 ; SizeOfOptionalHeader = E0 (224.)
00400116 8E81 DW 818E ; Characteristics = EXECUTABLE_IMAGE|32BIT_MACHINE|LINE_NUMS_STRIPPED|LOCAL_SYMS_STRIPPED|BYTES_REVERSED_LO|BYTES_REVERSED_HI
00400118 0B01 DW 010B ; MagicNumber = PE32
0040011A 02 DB 02 ; MajorLinkerVersion = 0x2
0040011B 19 DB 19 ; MinorLinkerVersion = 19 (25.)
0040011C 00384C00 DD 004C3800 ; SizeOfCode = 4C3800 (4995072.)
00400120 000CD300 DD 00D30C00 ; SizeOfInitializedData = D30C00 (13831168.)
00400124 00000000 DD 00000000 ; SizeOfUninitializedData = 0x0
00400128 615DFB01 DD 01FB5D61 ; AddressOfEntryPoint = 0x1FB5D61
0040012C 00100000 DD 00001000 ; BaseOfCode = 0x1000
00400130 00504C00 DD 004C5000 ; BaseOfData = 0x4C5000
00400134 00004000 DD 00400000 ; ImageBase = 0x400000
00400138 00100000 DD 00001000 ; SectionAlignment = 0x1000
0040013C 00020000 DD 00000200 ; FileAlignment = 0x200
00400140 0500 DW 0005 ; MajorOSVersion = 0x5
00400142 0000 DW 0000 ; MinorOSVersion = 0x0
00400144 0000 DW 0000 ; MajorImageVersion = 0x0
00400146 0000 DW 0000 ; MinorImageVersion = 0x0
00400148 0500 DW 0005 ; MajorSubsystemVersion = 0x5
0040014A 0000 DW 0000 ; MinorSubsystemVersion = 0x0
0040014C 00000000 DD 00000000 ; Reserved
00400150 EF85AB03 DD 03AB85EF ; SizeOfImage = 3AB85EF (61572591.)
00400154 00040000 DD 00000400 ; SizeOfHeaders = 400 (1024.)
00400158 00000000 DD 00000000 ; CheckSum = 0x0
0040015C 0200 DW 0002 ; Subsystem = IMAGE_SUBSYSTEM_WINDOWS_GUI
0040015E 0000 DW 0000 ; DLLCharacteristics = 0x0
00400160 00001000 DD 00100000 ; SizeOfStackReserve = 100000 (1048576.)
00400164 00400000 DD 00004000 ; SizeOfStackCommit = 4000 (16384.)
00400168 00001000 DD 00100000 ; SizeOfHeapReserve = 100000 (1048576.)
0040016C 00100000 DD 00001000 ; SizeOfHeapCommit = 1000 (4096.)
00400170 00000000 DD 00000000 ; LoaderFlags = 0x0
00400174 10000000 DD 00000010 ; NumberOfRvaAndSizes = 10 (16.)
00400178 00000000 DD 00000000 ; Export Table address = 0x0
0040017C 00000000 DD 00000000 ; Export Table size = 0x0
00400180 8C8BAA03 DD 03AA8B8C ; Import Table address = 0x3AA8B8C
00400184 68010000 DD 00000168 ; Import Table size = 168 (360.)
00400188 0070AB03 DD 03AB7000 ; Resource Table address = 0x3AB7000
0040018C EF150000 DD 000015EF ; Resource Table size = 15EF (5615.)
00400190 00000000 DD 00000000 ; Exception Table address = 0x0
00400194 00000000 DD 00000000 ; Exception Table size = 0x0
00400198 00000000 DD 00000000 ; Certificate File pointer = 0x0
0040019C 00000000 DD 00000000 ; Certificate Table size = 0x0
004001A0 0060AB03 DD 03AB6000 ; Relocation Table address = 0x3AB6000
004001A4 A8000000 DD 000000A8 ; Relocation Table size = A8 (168.)
004001A8 00000000 DD 00000000 ; Debug Data address = 0x0
004001AC 00000000 DD 00000000 ; Debug Data size = 0x0
004001B0 00000000 DD 00000000 ; Architecture Data address = 0x0
004001B4 00000000 DD 00000000 ; Architecture Data size = 0x0
004001B8 00000000 DD 00000000 ; Global Ptr address = 0x0
004001BC 00000000 DD 00000000 ; Must be 0
004001C0 2037E101 DD 01E13720 ; TLS Table address = 0x1E13720
004001C4 1C000000 DD 0000001C ; TLS Table size = 1C (28.)
004001C8 00000000 DD 00000000 ; Load Config Table address = 0x0
004001CC 00000000 DD 00000000 ; Load Config Table size = 0x0
004001D0 00000000 DD 00000000 ; Bound Import Table address = 0x0
004001D4 00000000 DD 00000000 ; Bound Import Table size = 0x0
004001D8 0090E101 DD 01E19000 ; Import Address Table address = 0x1E19000
004001DC A8000000 DD 000000A8 ; Import Address Table size = A8 (168.)
004001E0 00604F00 DD 004F6000 ; Delay Import Descriptor address = 0x4F6000
004001E4 801B0000 DD 00001B80 ; Delay Import Descriptor size = 1B80 (7040.)
004001E8 00000000 DD 00000000 ; COM+ Runtime Header address = 0x0
004001EC 00000000 DD 00000000 ; Import Address Table size = 0x0
004001F0 00000000 DD 00000000 ; Reserved
004001F4 00000000 DD 00000000 ; Reserved
004001F8 2E 74 65 78>ASCII ".text" ; SECTION
00400200 5CFD4B00 DD 004BFD5C ; VirtualSize = 4BFD5C (4980060.)
00400204 00100000 DD 00001000 ; VirtualAddress = 0x1000
00400208 00000000 DD 00000000 ; SizeOfRawData = 0x0
0040020C 00000000 DD 00000000 ; PointerToRawData = 0x0
00400210 00000000 DD 00000000 ; PointerToRelocations = 0x0
00400214 00000000 DD 00000000 ; PointerToLineNumbers = 0x0
00400218 0000 DW 0000 ; NumberOfRelocations = 0x0
0040021A 0000 DW 0000 ; NumberOfLineNumbers = 0x0
0040021C 20000060 DD 60000020 ; Characteristics = CODE|EXECUTE|READ
00400220 2E 69 74 65>ASCII ".itext" ; SECTION
00400228 1C380000 DD 0000381C ; VirtualSize = 381C (14364.)
0040022C 00104C00 DD 004C1000 ; VirtualAddress = 0x4C1000
00400230 00000000 DD 00000000 ; SizeOfRawData = 0x0
00400234 00000000 DD 00000000 ; PointerToRawData = 0x0
00400238 00000000 DD 00000000 ; PointerToRelocations = 0x0
0040023C 00000000 DD 00000000 ; PointerToLineNumbers = 0x0
00400240 0000 DW 0000 ; NumberOfRelocations = 0x0
00400242 0000 DW 0000 ; NumberOfLineNumbers = 0x0
00400244 20000060 DD 60000020 ; Characteristics = CODE|EXECUTE|READ
00400248 2E 64 61 74>ASCII ".data" ; SECTION
00400250 48110100 DD 00011148 ; VirtualSize = 11148 (69960.)
00400254 00504C00 DD 004C5000 ; VirtualAddress = 0x4C5000
00400258 00000000 DD 00000000 ; SizeOfRawData = 0x0
0040025C 00000000 DD 00000000 ; PointerToRawData = 0x0
00400260 00000000 DD 00000000 ; PointerToRelocations = 0x0
00400264 00000000 DD 00000000 ; PointerToLineNumbers = 0x0
00400268 0000 DW 0000 ; NumberOfRelocations = 0x0
0040026A 0000 DW 0000 ; NumberOfLineNumbers = 0x0
0040026C 400000C0 DD C0000040 ; Characteristics = INITIALIZED_DATA|READ|WRITE
00400270 2E 62 73 73>ASCII ".bss" ; SECTION
00400278 74AD0100 DD 0001AD74 ; VirtualSize = 1AD74 (109940.)
0040027C 00704D00 DD 004D7000 ; VirtualAddress = 0x4D7000
00400280 00000000 DD 00000000 ; SizeOfRawData = 0x0
00400284 00000000 DD 00000000 ; PointerToRawData = 0x0
00400288 00000000 DD 00000000 ; PointerToRelocations = 0x0
0040028C 00000000 DD 00000000 ; PointerToLineNumbers = 0x0
00400290 0000 DW 0000 ; NumberOfRelocations = 0x0
00400292 0000 DW 0000 ; NumberOfLineNumbers = 0x0
00400294 000000C0 DD C0000000 ; Characteristics = READ|WRITE
00400298 2E 69 64 61>ASCII ".idata" ; SECTION
004002A0 383D0000 DD 00003D38 ; VirtualSize = 3D38 (15672.)
004002A4 00204F00 DD 004F2000 ; VirtualAddress = 0x4F2000
004002A8 00000000 DD 00000000 ; SizeOfRawData = 0x0
004002AC 00000000 DD 00000000 ; PointerToRawData = 0x0
004002B0 00000000 DD 00000000 ; PointerToRelocations = 0x0
004002B4 00000000 DD 00000000 ; PointerToLineNumbers = 0x0
004002B8 0000 DW 0000 ; NumberOfRelocations = 0x0
004002BA 0000 DW 0000 ; NumberOfLineNumbers = 0x0
004002BC 400000C0 DD C0000040 ; Characteristics = INITIALIZED_DATA|READ|WRITE
004002C0 2E 64 69 64>ASCII ".didata" ; SECTION
004002C8 801B0000 DD 00001B80 ; VirtualSize = 1B80 (7040.)
004002CC 00604F00 DD 004F6000 ; VirtualAddress = 0x4F6000
004002D0 00000000 DD 00000000 ; SizeOfRawData = 0x0
004002D4 00000000 DD 00000000 ; PointerToRawData = 0x0
004002D8 00000000 DD 00000000 ; PointerToRelocations = 0x0
004002DC 00000000 DD 00000000 ; PointerToLineNumbers = 0x0
004002E0 0000 DW 0000 ; NumberOfRelocations = 0x0
004002E2 0000 DW 0000 ; NumberOfLineNumbers = 0x0
004002E4 400000C0 DD C0000040 ; Characteristics = INITIALIZED_DATA|READ|WRITE
004002E8 2E 74 6C 73>ASCII ".tls" ; SECTION
004002F0 40000000 DD 00000040 ; VirtualSize = 40 (64.)
004002F4 00804F00 DD 004F8000 ; VirtualAddress = 0x4F8000
004002F8 00000000 DD 00000000 ; SizeOfRawData = 0x0
004002FC 00000000 DD 00000000 ; PointerToRawData = 0x0
00400300 00000000 DD 00000000 ; PointerToRelocations = 0x0
00400304 00000000 DD 00000000 ; PointerToLineNumbers = 0x0
00400308 0000 DW 0000 ; NumberOfRelocations = 0x0
0040030A 0000 DW 0000 ; NumberOfLineNumbers = 0x0
0040030C 000000C0 DD C0000000 ; Characteristics = READ|WRITE
00400310 2E 72 64 61>ASCII ".rdata" ; SECTION
00400318 18000000 DD 00000018 ; VirtualSize = 18 (24.)
0040031C 00904F00 DD 004F9000 ; VirtualAddress = 0x4F9000
00400320 00000000 DD 00000000 ; SizeOfRawData = 0x0
00400324 00000000 DD 00000000 ; PointerToRawData = 0x0
00400328 00000000 DD 00000000 ; PointerToRelocations = 0x0
0040032C 00000000 DD 00000000 ; PointerToLineNumbers = 0x0
00400330 0000 DW 0000 ; NumberOfRelocations = 0x0
00400332 0000 DW 0000 ; NumberOfLineNumbers = 0x0
00400334 40000040 DD 40000040 ; Characteristics = INITIALIZED_DATA|READ
00400338 2E 76 6D 70>ASCII ".vmp0" ; SECTION
00400340 B0839101 DD 019183B0 ; VirtualSize = 19183B0 (26313648.)
00400344 00A04F00 DD 004FA000 ; VirtualAddress = 0x4FA000
00400348 00000000 DD 00000000 ; SizeOfRawData = 0x0
0040034C 00000000 DD 00000000 ; PointerToRawData = 0x0
00400350 00000000 DD 00000000 ; PointerToRelocations = 0x0
00400354 00000000 DD 00000000 ; PointerToLineNumbers = 0x0
00400358 0000 DW 0000 ; NumberOfRelocations = 0x0
0040035A 0000 DW 0000 ; NumberOfLineNumbers = 0x0
0040035C 600000E0 DD E0000060 ; Characteristics = CODE|INITIALIZED_DATA|EXECUTE|READ|WRITE
00400360 2E 76 6D 70>ASCII ".vmp1" ; SECTION
00400368 F122CA01 DD 01CA22F1 ; VirtualSize = 1CA22F1 (30024433.)
0040036C 0030E101 DD 01E13000 ; VirtualAddress = 0x1E13000
00400370 0024CA01 DD 01CA2400 ; SizeOfRawData = 1CA2400 (30024704.)
00400374 00040000 DD 00000400 ; PointerToRawData = 0x400
00400378 00000000 DD 00000000 ; PointerToRelocations = 0x0
0040037C 00000000 DD 00000000 ; PointerToLineNumbers = 0x0
00400380 0000 DW 0000 ; NumberOfRelocations = 0x0
00400382 0000 DW 0000 ; NumberOfLineNumbers = 0x0
00400384 600000E0 DD E0000060 ; Characteristics = CODE|INITIALIZED_DATA|EXECUTE|READ|WRITE
00400388 2E 72 65 6C>ASCII ".reloc" ; SECTION
00400390 A8000000 DD 000000A8 ; VirtualSize = A8 (168.)
00400394 0060AB03 DD 03AB6000 ; VirtualAddress = 0x3AB6000
00400398 00020000 DD 00000200 ; SizeOfRawData = 200 (512.)
0040039C 0028CA01 DD 01CA2800 ; PointerToRawData = 0x1CA2800
004003A0 00000000 DD 00000000 ; PointerToRelocations = 0x0
004003A4 00000000 DD 00000000 ; PointerToLineNumbers = 0x0
004003A8 0000 DW 0000 ; NumberOfRelocations = 0x0
004003AA 0000 DW 0000 ; NumberOfLineNumbers = 0x0
004003AC 40000040 DD 40000040 ; Characteristics = INITIALIZED_DATA|READ
004003B0 2E 72 73 72>ASCII ".rsrc" ; SECTION
004003B8 EF150000 DD 000015EF ; VirtualSize = 15EF (5615.)
004003BC 0070AB03 DD 03AB7000 ; VirtualAddress = 0x3AB7000
004003C0 00160000 DD 00001600 ; SizeOfRawData = 1600 (5632.)
004003C4 002ACA01 DD 01CA2A00 ; PointerToRawData = 0x1CA2A00
004003C8 00000000 DD 00000000 ; PointerToRelocations = 0x0
004003CC 00000000 DD 00000000 ; PointerToLineNumbers = 0x0
004003D0 0000 DW 0000 ; NumberOfRelocations = 0x0
004003D2 0000 DW 0000 ; NumberOfLineNumbers = 0x0
004003D4 40000040 DD 40000040 ; Characteristics = INITIALIZED_DATA|READ
004003D8 00 DB 00
004003D9 00 DB 00
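Reading the dump above statically already answers part of the question: every original section (.text, .itext, .data, .idata, .tls, ...) has SizeOfRawData = 0 and PointerToRawData = 0, which is why the data-directory tool reported "no start address or size", and AddressOfEntryPoint = 0x1FB5D61 falls inside .vmp1 (VirtualAddress 0x1E13000, VirtualSize 0x1CA22F1), the only section carrying raw data besides .reloc and .rsrc. The script below is an added example, not the poster's tool or anything from VMProtect: it parses a PE32 section table with plain `struct` and reports the indicators a malware-triage pipeline or packer detector checks before deciding a sample needs dynamic analysis. The DUMP_SECTIONS values are copied from the dump above; CLEAN_SECTIONS is a constructed unpacked-looking layout used as a control, and the tiny header builder exists only so the example runs offline without a real file.

```python
"""Static triage of a PE32 section table for packer indicators (added example)."""
import struct

# IMAGE_SECTION_HEADER.Characteristics flags from winnt.h
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes

# (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics)
# copied from the OllyDbg dump in the post
DUMP_SECTIONS = [
    (".text",   0x4BFD5C,  0x1000,    0,         0,         0x60000020),
    (".itext",  0x381C,    0x4C1000,  0,         0,         0x60000020),
    (".data",   0x11148,   0x4C5000,  0,         0,         0xC0000040),
    (".bss",    0x1AD74,   0x4D7000,  0,         0,         0xC0000000),
    (".idata",  0x3D38,    0x4F2000,  0,         0,         0xC0000040),
    (".didata", 0x1B80,    0x4F6000,  0,         0,         0xC0000040),
    (".tls",    0x40,      0x4F8000,  0,         0,         0xC0000000),
    (".rdata",  0x18,      0x4F9000,  0,         0,         0x40000040),
    (".vmp0",   0x19183B0, 0x4FA000,  0,         0,         0xE0000060),
    (".vmp1",   0x1CA22F1, 0x1E13000, 0x1CA2400, 0x400,     0xE0000060),
    (".reloc",  0xA8,      0x3AB6000, 0x200,     0x1CA2800, 0x40000040),
    (".rsrc",   0x15EF,    0x3AB7000, 0x1600,    0x1CA2A00, 0x40000040),
]
DUMP_ENTRY_RVA = 0x1FB5D61

# Constructed control: a normal layout where only .bss is legitimately empty on disk
CLEAN_SECTIONS = [
    (".text", 0x1000, 0x1000, 0x1000, 0x400,  0x60000020),
    (".data", 0x200,  0x2000, 0x200,  0x1400, 0xC0000040),
    (".bss",  0x800,  0x3000, 0,      0,      0xC0000080),
]


def build_pe32_headers(entry_rva, sections):
    """Assemble DOS header + PE signature + COFF header + optional header +
    section table. Constructed sample input: only fields the parser reads are set."""
    e_lfanew, opt_size = 0x40, 0xE0
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, len(sections), 0, 0, 0, opt_size, 0x010E)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x010B)       # Magic = PE32
    struct.pack_into("<I", opt, 16, entry_rva)   # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)    # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)      # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)       # FileAlignment
    struct.pack_into("<I", opt, 92, 16)          # NumberOfRvaAndSizes
    table = b"".join(
        struct.pack(SECTION_HDR, name.encode().ljust(8, b"\0"), vsize, va, rawsize, rawptr, 0, 0, 0, 0, chars)
        for name, vsize, va, rawsize, rawptr, chars in sections)
    return bytes(dos) + coff + bytes(opt) + table


def parse_pe(image):
    """Return (entry_rva, [section dicts]) from raw PE bytes; offsets match the dump."""
    e_lfanew, = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections, = struct.unpack_from("<H", image, e_lfanew + 6)   # NumberOfSections
    opt_size, = struct.unpack_from("<H", image, e_lfanew + 20)   # SizeOfOptionalHeader
    opt = e_lfanew + 24
    entry_rva, = struct.unpack_from("<I", image, opt + 16)       # AddressOfEntryPoint
    table = opt + opt_size
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(SECTION_HDR, image, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "va": va, "rawsize": rawsize, "rawptr": rawptr, "chars": chars})
    return entry_rva, sections


def triage(entry_rva, sections):
    """Collect the classic packer indicators from a parsed section table."""
    report = {"entry_section": None, "empty_on_disk": [], "writable_exec": [], "packer_names": []}
    for s in sections:
        if s["va"] <= entry_rva < s["va"] + s["vsize"]:
            report["entry_section"] = s["name"]
        # Zero raw size is normal only for declared uninitialized data (.bss)
        if s["rawsize"] == 0 and s["vsize"] > 0 and not s["chars"] & IMAGE_SCN_CNT_UNINITIALIZED_DATA:
            report["empty_on_disk"].append(s["name"])
        if s["chars"] & IMAGE_SCN_MEM_WRITE and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            report["writable_exec"].append(s["name"])
        low = s["name"].lower()
        if low.startswith(".vmp") or low.startswith("upx") or low == ".aspack":
            report["packer_names"].append(s["name"])
    report["packed_likely"] = bool(report["packer_names"]) or (
        bool(report["empty_on_disk"]) and report["entry_section"] not in (None, ".text"))
    return report


def triage_dump():
    return triage(*parse_pe(build_pe32_headers(DUMP_ENTRY_RVA, DUMP_SECTIONS)))


def triage_clean():
    return triage(*parse_pe(build_pe32_headers(0x1000, CLEAN_SECTIONS)))


if __name__ == "__main__":
    for label, rep in (("dump", triage_dump()), ("clean", triage_clean())):
        print(label, rep)
```

For the posted header the report names .vmp1 as the entry-point section, lists nine sections that exist only in memory, flags .vmp0 and .vmp1 as both writable and executable, and marks the file as packed; the control layout produces no findings because its only empty section carries IMAGE_SCN_CNT_UNINITIALIZED_DATA. Swap `build_pe32_headers(...)` for `open(path, "rb").read()` to run the same triage on a real file.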