Forward tracing a simple crackme protected with vmp1.63

Source: Internet
Author: User

Today my son behaved well, so I could settle down and spend more time at the computer.
I have long wanted to try heXer's key. I couldn't find vmp1.64, so I had to install 1.63, and even registered it successfully; I felt the strength of the key.
Previously I used the vmp1.60 notepad provided by Haifeng, which has a lot of code mutation and vm opcode table encryption. Although rokyxue provided a simplified method, I still did not dare to follow it in, afraid of wasting too much time and energy. How can a person confront a machine by hand?

Objective: analyse a self-written piece of code protected with vmp and find traces of the original code inside the VM.
According to rokyxue's analysis, although vmp1.63 has many variants, its virtual machine is the same as that of vmp1.2x. It was confirmed that the opcode structure of vmp1.2x is retained in the vmp engine: esi is the opcode pointer, and ecx holds the address after opcode decryption.

Process:
Write a crackme with the simplest possible plaintext comparison of the registration code, and wrap the Register button event in vmp markers.

Code:
// VMProtect 1.x markers: a short jmp (EB disp8) over an ASCII tag that is
// never executed but lets the protector locate the region to virtualise.
//   VMBEGIN: EB 10 "VMProtect begin\0" (jmp +16)
//   VMEND:   EB 0E "VMProtect end\0"   (jmp +14)
// Written as __asm __emit pairs so each macro expands to one valid line.
#define VMBEGIN \
    __asm __emit 0xEB __asm __emit 0x10 \
    __asm __emit 0x56 __asm __emit 0x4D __asm __emit 0x50 __asm __emit 0x72 \
    __asm __emit 0x6F __asm __emit 0x74 __asm __emit 0x65 __asm __emit 0x63 \
    __asm __emit 0x74 __asm __emit 0x20 __asm __emit 0x62 __asm __emit 0x65 \
    __asm __emit 0x67 __asm __emit 0x69 __asm __emit 0x6E __asm __emit 0x00
#define VMEND \
    __asm __emit 0xEB __asm __emit 0x0E \
    __asm __emit 0x56 __asm __emit 0x4D __asm __emit 0x50 __asm __emit 0x72 \
    __asm __emit 0x6F __asm __emit 0x74 __asm __emit 0x65 __asm __emit 0x63 \
    __asm __emit 0x74 __asm __emit 0x20 __asm __emit 0x65 __asm __emit 0x6E \
    __asm __emit 0x64 __asm __emit 0x00

// Register button handler of the MFC dialog (class name assumed; the
// article only shows the body). The whole check sits between the markers.
void CCrackmeDlg::OnRegister()
{
    char name[16];          // up to 15 characters plus terminator
    char regcode[4096];
    int namelen, regcodelen, tmpi;

    VMBEGIN
    namelen = GetDlgItemText(IDC_NAME, &name[0], 15);
    regcodelen = GetDlgItemText(IDC_REGCODE, &regcode[0], 4095);

    if (namelen == 0 || namelen > 15 || regcodelen != 16)
        return;

    _strupr(&regcode[0]);   // make the comparison case-insensitive
    for (tmpi = 0; tmpi < regcodelen; tmpi++)
    {
        // every character must be a hex digit: '0'-'9' or 'A'-'F'
        // (the 'A' bound was lost in extraction and is restored here)
        if (regcode[tmpi] > 0x39 || regcode[tmpi] < 0x30)
            if (regcode[tmpi] > 'F' || regcode[tmpi] < 'A')
                return;
    }
    if (!strcmp(&name[0], "wangdell") && !strcmp(&regcode[0], "FEDCBA9876543210"))
        MessageBox("OK!", 0, MB_OK);
    else
        MessageBox("FAILED!", 0, MB_OK);
    VMEND
}
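To see what the markers above look like once compiled, here is an added Python example (not part of the original article and not VMProtect's own SDK code) that scans a raw image for the begin/end marker byte sequences, checks that each short jmp displacement really skips its ASCII tag, and reports the size of the region between a begin marker and its matching end marker. The sample image is constructed inline; pass a file path to run it over the unprotected crackme build instead.

```python
# Marker byte sequences produced by the __emit lines in the crackme above.
# Each is a short jmp (EB disp8) over an ASCII tag: the tag is skipped at
# run time but stays in the compiled image for the protector to locate.
BEGIN_TAG = b"VMProtect begin\x00"   # 16 bytes -> EB 10
END_TAG = b"VMProtect end\x00"       # 14 bytes -> EB 0E
BEGIN_MARKER = b"\xEB" + bytes([len(BEGIN_TAG)]) + BEGIN_TAG
END_MARKER = b"\xEB" + bytes([len(END_TAG)]) + END_TAG


def jmp_skips_tag(marker: bytes) -> bool:
    """True if the disp8 of the leading short jmp equals the tag length,
    i.e. execution lands exactly on the first byte after the tag."""
    return len(marker) >= 2 and marker[0] == 0xEB and marker[1] == len(marker) - 2


def _find_all(hay: bytes, needle: bytes):
    """All offsets at which needle occurs in hay (overlaps allowed)."""
    out, i = [], hay.find(needle)
    while i != -1:
        out.append(i)
        i = hay.find(needle, i + 1)
    return out


def find_marker_regions(image: bytes):
    """Pair every begin marker with the next unused end marker after it.

    Returns (begin_off, end_off, body_len) tuples; body_len is the number of
    bytes between the markers, i.e. the code the protector will virtualise.
    Unpaired markers are returned with None in the missing fields.
    """
    begins = _find_all(image, BEGIN_MARKER)
    ends = _find_all(image, END_MARKER)
    regions = []
    for b in begins:
        body_start = b + len(BEGIN_MARKER)
        later = [e for e in ends if e >= body_start]
        if not later:
            regions.append((b, None, None))
            continue
        e = later[0]
        ends.remove(e)
        regions.append((b, e, e - body_start))
    regions.extend((None, e, None) for e in ends)
    return regions


# Constructed sample image (not a real executable): a prologue, a marked
# region of 20 NOPs standing in for the handler body, a `retn 4`, and a
# stray end marker that must be reported as unmatched.
SAMPLE_IMAGE = (
    b"\x55\x8B\xEC"          # push ebp / mov ebp, esp
    + BEGIN_MARKER           # offset 3
    + b"\x90" * 20           # body: offsets 21..40
    + END_MARKER             # offset 41
    + b"\xC2\x04\x00"        # retn 4
    + END_MARKER             # offset 60, unmatched
)


def describe(image: bytes):
    """Human-readable lines for each region found in image."""
    lines = []
    for b, e, n in find_marker_regions(image):
        if b is not None and e is not None:
            lines.append(f"region: begin@{b:#x} end@{e:#x} body {n} bytes")
        elif b is not None:
            lines.append(f"unmatched begin@{b:#x}")
        else:
            lines.append(f"unmatched end@{e:#x}")
    return lines


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_IMAGE
    print("markers well-formed:", jmp_skips_tag(BEGIN_MARKER) and jmp_skips_tag(END_MARKER))
    for line in describe(data):
        print(line)
```

Running it on the unprotected build confirms the two markers bracket the handler and that the jmp displacements match the tag lengths; if a displacement is off by one, the CPU would execute the tail of the tag as code, which is the first thing to check when a marker "does not work".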
Protect it with vmp1.63 twice: a speed-oriented build (vmptest-ms.exe) and a protection-oriented build (vmtest-mp.exe). The trace below uses vmptest-ms.exe.
1. Find the virtual machine engine
Set a breakpoint on the vmp section and press Shift-F9 to reach the vmp engine (0x42d91d).
2. Find the VM instruction fetch
Single-step with F7 until you reach

Code:
0042DD96  8B0C85 A6F64200   mov ecx, dword ptr [eax*4+42F6A6]   ; getcodeaddr
The address of the still-encrypted opcode is now in ecx.
Keep pressing F7 and watch ecx until it turns into a normal address inside the vmp section; at that point the opcode address has been decrypted.
Continue with F7, watch the code window, and stop at the first retn xx. Label it vm_execute, as shown below.

Code:
0042F35E  C2 5400   retn 54   ; vm_execute
3. Find the two most common vm opcodes (VM_push_CT, VM_pop_CT)
Usually the first retn lands directly in VM_push_CT. Here, however, we take a statistical approach using the following OD script.

Code:
/*
  Script written by wangdell
  Record opcode
  20080802
  // 0x42e30b
*/
// Test for vmprotect 1.63 release

var tmp1
var tmp2
var tmp3
var tmp4
var tmp5
var tmp6
var tmp7
var tmp8
var tmp9
var tmp10
var imgbase

var bpVMenginejmp
var count


cmp $VERSION, "1.47"    // require ODbgScript 1.47 or later
jb odbgver
dbh                     // hide OD from the debuggee
bphwcall                // clear hardware breakpoints
bc                      // clear software breakpoints
bpmc                    // clear memory breakpoints

mov count, 0

ask_jmp:
ask "Enter EIP of VM_execute"
mov bpVMenginejmp, $RESULT
cmp bpVMenginejmp, 0
je ask_jmp
bp $RESULT

log "VM Trace start!"
run_to_bp:
eob bp_record
esto                    // run until the breakpoint at vm_execute

bp_record:
log ecx                 // ecx holds the decrypted handler address here
jmp run_to_bp

odbgver:
msg "this script must be used with ODbgScript 1.47 or later"
jmp end

end:
ret
Run the script, enter the vm_execute address determined above (0x42F35E), and stop the script after a few seconds. Then look at the log window.

Code:
Script Log Window
Address Message
42F35E VM Trace start!
42F35E ecx: 0042D6A5
42F35E ecx: 0042D6A5
42F35E ecx: 0042D6A5
42F35E ecx: 0042D6A5
42F35E ecx: 0042D6A5
42F35E ecx: 0042D6A5
42F35E ecx: 0042D6A5
42F35E ecx: 0042D6A5
42F35E ecx: 0042D6A5
42F35E ecx: 0042D6A5
42F35E ecx: 0042D6A5
42F35E ecx: 0042DB4B
42F35E ecx: 0042D6A5
42F35E ecx: 0042D95D
42F35E ecx: 0042D95D
42F35E ecx: 0042D95D
42F35E ecx: 0042D95D
42F35E ecx: 0042D95D
42F35E ecx: 0042D95D
42F35E ecx: 0042D95D
42F35E ecx: 0042D95D
42F35E ecx: 0042D95D
42F35E ecx: 0042D95D
42F35E ecx: 0042D95D
42F35E ecx: 0042D95D
42F35E ecx: 0042D95D
42F35E ecx: 0042F3F0
42F35E ecx: 0042D6A5
42F35E ecx: 0042D6A5
42F35E ecx: 0042D6A5
42F35E ecx: 0042D6A5
42F35E ecx: 0042D6A5
42F35E ecx: 0042D6A5
42F35E ecx: 0042D6A5
42F35E ecx: 0042D6A5
42F35E
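The frequency count the author reads off the log by eye can be done mechanically. The Python below is an added example, not part of the original post: it parses the script log window output above (embedded verbatim as the sample input, banner and truncated last line included), counts how often each handler address appears in ecx, reports the two most frequent addresses (the VM_push_CT / VM_pop_CT candidates of step 3) and the rarely seen ones, and collapses the trace into runs so the points where the VM switches handler stand out.

```python
import re
from collections import Counter

# Log lines copied from the script log window above (ODbgScript `log ecx`
# at the vm_execute breakpoint 42F35E). The banner and the truncated last
# line are kept deliberately so the parser has to skip them.
SCRIPT_LOG = """\
42F35E VM Trace start!
42F35E ecx: 0042D6A5
42F35E ecx: 0042D6A5
42F35E ecx: 0042D6A5
42F35E ecx: 0042D6A5
42F35E ecx: 0042D6A5
42F35E ecx: 0042D6A5
42F35E ecx: 0042D6A5
42F35E ecx: 0042D6A5
42F35E ecx: 0042D6A5
42F35E ecx: 0042D6A5
42F35E ecx: 0042D6A5
42F35E ecx: 0042DB4B
42F35E ecx: 0042D6A5
42F35E ecx: 0042D95D
42F35E ecx: 0042D95D
42F35E ecx: 0042D95D
42F35E ecx: 0042D95D
42F35E ecx: 0042D95D
42F35E ecx: 0042D95D
42F35E ecx: 0042D95D
42F35E ecx: 0042D95D
42F35E ecx: 0042D95D
42F35E ecx: 0042D95D
42F35E ecx: 0042D95D
42F35E ecx: 0042D95D
42F35E ecx: 0042D95D
42F35E ecx: 0042F3F0
42F35E ecx: 0042D6A5
42F35E ecx: 0042D6A5
42F35E ecx: 0042D6A5
42F35E ecx: 0042D6A5
42F35E ecx: 0042D6A5
42F35E ecx: 0042D6A5
42F35E ecx: 0042D6A5
42F35E ecx: 0042D6A5
42F35E
"""

# "<breakpoint addr> ecx: <8 hex digits>"; anything else is not a handler record
LINE_RE = re.compile(r"^(?P<bp>[0-9A-Fa-f]+)\s+ecx:\s*(?P<ecx>[0-9A-Fa-f]{8})\s*$")


def parse_handler_trace(log_text):
    """Handler addresses logged in ecx, in dispatch order."""
    trace = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            trace.append(int(m.group("ecx"), 16))
    return trace


def handler_frequencies(trace):
    """Counter mapping handler address -> number of dispatches."""
    return Counter(trace)


def common_handlers(trace, n=2):
    """The n most frequently dispatched handlers (push/pop candidates)."""
    return [addr for addr, _ in Counter(trace).most_common(n)]


def rare_handlers(trace, max_count=1):
    """Handlers seen at most max_count times: the less common opcodes."""
    return sorted(addr for addr, c in Counter(trace).items() if c <= max_count)


def collapse_runs(trace):
    """Collapse consecutive repeats into (address, run_length) pairs."""
    runs = []
    for addr in trace:
        if runs and runs[-1][0] == addr:
            runs[-1] = (addr, runs[-1][1] + 1)
        else:
            runs.append((addr, 1))
    return runs


if __name__ == "__main__":
    t = parse_handler_trace(SCRIPT_LOG)
    print(f"{len(t)} dispatches logged")
    for addr, c in handler_frequencies(t).most_common():
        print(f"  {addr:08X}  x{c}")
    print("frequent:", [f"{a:08X}" for a in common_handlers(t)])
    print("rare:    ", [f"{a:08X}" for a in rare_handlers(t)])
    print("runs:    ", [(f"{a:08X}", n) for a, n in collapse_runs(t)])
```

On the log above this gives 0042D6A5 (20 times) and 0042D95D (13 times) as the two dominant handlers, and singles out 0042DB4B and 0042F3F0, each seen once, as the handlers worth stepping into when looking for the crackme's own logic. For a longer trace, redirect the OD log to a file and feed it to parse_handler_trace instead of the embedded text.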
