http://www.unpack.cn/forum.php?mod=viewthread&tid=56675
发表于 2010-9-28 15:10:50
例子一共V了2行
00401000 60 pushad
00401001 8B7424 24 mov esi, dword ptr [esp+0x24]
VM INIT ESP :
[+00] <- RELOC
[+01] <- ANTIDUMP --这个值每次启动不同
[+02] <- EDI
[+03] <- ECX
[+04] <- EBX
[+05] <- EBP
[+06] <- ESI
[+07] <- EAX
[+08] <- EAX
[+09] <- EFL
[+0A] <- EDX
[+0B] <- RETADDR
[+0C] <- INITDATA
00415EC0 [C5 ] SetR32 r2
00415EC1 [38 E4 46 A0 ED] GetI32 EDA046E4
00415EC6 [76 ] add32
00415EC7 [B9 ] SetR32 r1
00415EC8 [A1 ] SetR32 r11 --取antidump + 0xEDA046E4 -> r11
00415EC9 [C9 ] SetR32 r5
00415ECA [99 ] SetR32 r9
00415ECB [B9 ] SetR32 r1
00415ECC [BD ] SetR32 r0
00415ECD [B5 ] SetR32 r14
00415ECE [D5 ] SetR32 r6
00415ECF [CD ] SetR32 r4
00415ED0 [D1 ] SetR32 r7
00415ED1 [A9 ] SetR32 r13
00415ED2 [B1 ] SetR32 r15
00415ED3 [A5 ] SetR32 r10
00415ED4 [CF ] GetR32 r7
00415ED5 [D3 ] GetR32 r6
00415ED6 [97 ] GetR32 r9
00415ED7 [A7 ] GetR32 r13
00415ED8 [B7 ] GetR32 r1
00415ED9 [54 01 ] GetI8To32 00000001
00415EDB [C1 ] SetR32 r3
00415EDC [BF ] GetR32 r3
00415EDD [56 ] cpuid ---antidump内容
00415EDE [A5 ] SetR32 r10
00415EDF [B1 ] SetR32 r15
00415EE0 [9D ] SetR32 r8
00415EE1 [99 ] SetR32 r9
00415EE2 [54 0F ] GetI8To32 0000000F
00415EE4 [97 ] GetR32 r9
00415EE5 [97 ] GetR32 r9
00415EE6 [0A ] nor32
00415EE7 [C1 ] SetR32 r3
00415EE8 [0A ] nor32
00415EE9 [B9 ] SetR32 r1
00415EEA [B9 ] SetR32 r1
00415EEB [38 00 00 00 FF] GetI32 FF000000
00415EF0 [9B ] GetR32 r8
00415EF1 [1D ] GetESP
00415EF2 [53 ] RmSs32
00415EF3 [0A ] nor32
00415EF4 [D5 ] SetR32 r6
00415EF5 [0A ] nor32
00415EF6 [AD ] SetR32 r12
00415EF7 [D5 ] SetR32 r6
00415EF8 [01 EF A8 1F E4] GetI32 E41FA8EF
00415EFD [B7 ] GetR32 r1
00415EFE [B7 ] GetR32 r1
00415EFF [0A ] nor32
00415F00 [A9 ] SetR32 r13
00415F01 [0A ] nor32
00415F02 [C1 ] SetR32 r3
00415F03 [B7 ] GetR32 r1
00415F04 [49 10 57 E0 1B] GetI32 1BE05710
00415F09 [0A ] nor32
00415F0A [A9 ] SetR32 r13
00415F0B [0F ] nor32
00415F0C [C1 ] SetR32 r3
00415F0D [9D ] SetR32 r8
00415F0E [49 AA 88 31 87] GetI32 873188AA
00415F13 [AF ] GetR32 r15
00415F14 [1D ] GetESP
00415F15 [E8 ] RmSs32
00415F16 [0F ] nor32
00415F17 [B9 ] SetR32 r1
00415F18 [0F ] nor32
00415F19 [C1 ] SetR32 r3
00415F1A [AF ] GetR32 r15
00415F1B [3E 55 77 CE 78] GetI32 78CE7755
00415F20 [0A ] nor32
00415F21 [AD ] SetR32 r12
00415F22 [0A ] nor32
00415F23 [99 ] SetR32 r9
00415F24 [A9 ] SetR32 r13
00415F25 [3E 51 53 BF C3] GetI32 C3BF5351
00415F2A [A3 ] GetR32 r10
00415F2B [A3 ] GetR32 r10
00415F2C [0A ] nor32
00415F2D [C1 ] SetR32 r3
00415F2E [0A ] nor32
00415F2F [C1 ] SetR32 r3
00415F30 [01 AE AC 40 3C] GetI32 3C40ACAE
00415F35 [A3 ] GetR32 r10
00415F36 [0A ] nor32
00415F37 [AD ] SetR32 r12
00415F38 [0A ] nor32
00415F39 [AD ] SetR32 r12
00415F3A [B1 ] SetR32 r15
00415F3B [01 94 64 3A 9C] GetI32 9C3A6494
00415F40 [D3 ] GetR32 r6
00415F41 [D3 ] GetR32 r6
00415F42 [0F ] nor32
00415F43 [A5 ] SetR32 r10
00415F44 [15 ] nor32
00415F45 [99 ] SetR32 r9
00415F46 [D3 ] GetR32 r6
00415F47 [3E 6B 9B C5 63] GetI32 63C59B6B
00415F4C [4C ] nor32
00415F4D [C1 ] SetR32 r3
00415F4E [4C ] nor32
00415F4F [C1 ] SetR32 r3
00415F50 [A5 ] SetR32 r10
00415F51 [A3 ] GetR32 r10
00415F52 [9B ] GetR32 r8
00415F53 [08 ] add32
00415F54 [C1 ] SetR32 r3
00415F55 [AD ] SetR32 r12
00415F56 [9F ] GetR32 r11
00415F57 [9F ] GetR32 r11
00415F58 [0A ] nor32
00415F59 [D5 ] SetR32 r6
00415F5A [AB ] GetR32 r12
00415F5B [1D ] GetESP
00415F5C [53 ] RmSs32
00415F5D [4C ] nor32
00415F5E [D5 ] SetR32 r6
00415F5F [0F ] nor32
00415F60 [B9 ] SetR32 r1
00415F61 [AB ] GetR32 r12
00415F62 [9F ] GetR32 r11
00415F63 [0F ] nor32
00415F64 [D5 ] SetR32 r6
00415F65 [15 ] nor32
00415F66 [B9 ] SetR32 r1
00415F67 [B9 ] SetR32 r1
00415F68 [AF ] GetR32 r15
00415F69 [B7 ] GetR32 r1
00415F6A [76 ] add32
00415F6B [99 ] SetR32 r9
00415F6C [D5 ] SetR32 r6
00415F6D [2A 1A ] GetI8To16 001A
00415F6F [D3 ] GetR32 r6
00415F70 [1D ] GetESP
00415F71 [53 ] RmSs32
00415F72 [47 ] shrd
00415F73 [AD ] SetR32 r12
00415F74 [C1 ] SetR32 r3
00415F75 [BF ] GetR32 r3
00415F76 [BF ] GetR32 r3
00415F77 [0F ] nor32
00415F78 [AD ] SetR32 r12
00415F79 [B9 ] SetR32 r1
00415F7A [8B 46 0E 36 6A] GetI32 6A360E46
00415F7F [B7 ] GetR32 r1
00415F80 [59 ] GetESP
00415F81 [85 ] RmSs32
00415F82 [4C ] nor32
00415F83 [AD ] SetR32 r12
00415F84 [73 ] add32
00415F85 [D1 ] SetR32 r7
00415F86 [1D ] GetESP
00415F87 [53 ] RmSs32
00415F88 [0F ] nor32
00415F89 [C1 ] SetR32 r3
00415F8A [99 ] SetR32 r9
00415F8B [CF ] GetR32 r7
00415F8C [CF ] GetR32 r7
00415F8D [0A ] nor32
00415F8E [D5 ] SetR32 r6
00415F8F [C4 EA F7 ] GetI16To32 FFFFF7EA
00415F92 [0A ] nor32
00415F93 [B9 ] SetR32 r1
00415F94 [BF ] GetR32 r3
00415F95 [BF ] GetR32 r3
00415F96 [15 ] nor32
00415F97 [CD ] SetR32 r4
00415F98 [5B 15 08 ] GetI16To32 00000815
00415F9B [4C ] nor32
00415F9C [CD ] SetR32 r4
00415F9D [73 ] add32
00415F9E [D5 ] SetR32 r6
00415F9F [AD ] SetR32 r12
00415FA0 [2A 0F ] GetI8To16 000F
00415FA2 [97 ] GetR32 r9
00415FA3 [1D ] GetESP
00415FA4 [53 ] RmSs32
00415FA5 [52 ] shld
00415FA6 [B9 ] SetR32 r1
00415FA7 [CD ] SetR32 r4
00415FA8 [9F ] GetR32 r11
00415FA9 [54 34 ] GetI8To32 00000034
00415FAB [08 ] add32
00415FAC [B9 ] SetR32 r1
00415FAD [BC ] RmDs32 ----取r11 + 0x34
00415FAE [B9 ] SetR32 r1
00415FAF [17 1A ] GetI8To16 001A
00415FB1 [B7 ] GetR32 r1
00415FB2 [42 ] GetESP
00415FB3 [85 ] RmSs32
00415FB4 [04 ] shrd
00415FB5 [D5 ] SetR32 r6
00415FB6 [D1 ] SetR32 r7
00415FB7 [CF ] GetR32 r7
00415FB8 [5A ] GetESP
00415FB9 [53 ] RmSs32
00415FBA [4C ] nor32
00415FBB [A5 ] SetR32 r10
00415FBC [99 ] SetR32 r9
00415FBD [8B 46 0E 36 6A] GetI32 6A360E46
00415FC2 [97 ] GetR32 r9
00415FC3 [5A ] GetESP
00415FC4 [53 ] RmSs32
00415FC5 [0A ] nor32
00415FC6 [A5 ] SetR32 r10
00415FC7 [73 ] add32
00415FC8 [9D ] SetR32 r8
00415FC9 [63 ] GetESP
00415FCA [53 ] RmSs32
00415FCB [0F ] nor32
00415FCC [D1 ] SetR32 r7
00415FCD [B9 ] SetR32 r1
00415FCE [9B ] GetR32 r8
00415FCF [9B ] GetR32 r8
00415FD0 [0A ] nor32
00415FD1 [AD ] SetR32 r12
00415FD2 [5B EA F7 ] GetI16To32 FFFFF7EA
00415FD5 [0F ] nor32
00415FD6 [AD ] SetR32 r12
00415FD7 [CF ] GetR32 r7
00415FD8 [CF ] GetR32 r7
00415FD9 [0A ] nor32
00415FDA [99 ] SetR32 r9
00415FDB [5B 15 08 ] GetI16To32 00000815
00415FDE [0A ] nor32
00415FDF [99 ] SetR32 r9
00415FE0 [08 ] add32
00415FE1 [A5 ] SetR32 r10
00415FE2 [D5 ] SetR32 r6
00415FE3 [2A 0F ] GetI8To16 000F
00415FE5 [B7 ] GetR32 r1
00415FE6 [42 ] GetESP
00415FE7 [53 ] RmSs32
00415FE8 [6C ] shld
00415FE9 [A5 ] SetR32 r10
00415FEA [9D ] SetR32 r8
00415FEB [D3 ] GetR32 r6
00415FEC [1D ] GetESP
00415FED [53 ] RmSs32
00415FEE [4C ] nor32
00415FEF [B9 ] SetR32 r1
00415FF0 [F8 2B FF ] GetI16To32 FFFFFF2B
00415FF3 [15 ] nor32
00415FF4 [B9 ] SetR32 r1
00415FF5 [A3 ] GetR32 r10
00415FF6 [1D ] GetESP
00415FF7 [E8 ] RmSs32
00415FF8 [0A ] nor32
00415FF9 [B9 ] SetR32 r1
00415FFA [5B D4 00 ] GetI16To32 000000D4
00415FFD [0A ] nor32
00415FFE [99 ] SetR32 r9
00415FFF [80 ] add32
00416000 [B9 ] SetR32 r1
00416001 [B9 ] SetR32 r1
00416002 [B7 ] GetR32 r1
00416003 [99 ] SetR32 r9
00416004 [5B FF FE ] GetI16To32 FFFFFEFF
00416007 [97 ] GetR32 r9
00416008 [97 ] GetR32 r9
00416009 [0A ] nor32
0041600A [D5 ] SetR32 r6
0041600B [0A ] nor32
0041600C [D1 ] SetR32 r7
0041600D [D1 ] SetR32 r7
0041600E [CF ] GetR32 r7
0041600F [CB ] GetR32 r4
00416010 [76 ] add32
00416011 [99 ] SetR32 r9
00416012 [A9 ] SetR32 r13
00416013 [9B ] GetR32 r8
00416014 [A7 ] GetR32 r13
00416015 [1D ] GetESP
00416016 [53 ] RmSs32
00416017 [0F ] nor32
00416018 [99 ] SetR32 r9
00416019 [08 ] add32
0041601A [CD ] SetR32 r4
0041601B [42 ] GetESP
0041601C [53 ] RmSs32
0041601D [0A ] nor32
0041601E [C1 ] SetR32 r3
0041601F [99 ] SetR32 r9
00416020 [CB ] GetR32 r4
00416021 [1D ] GetESP
00416022 [53 ] RmSs32
00416023 [0F ] nor32
00416024 [D5 ] SetR32 r6
00416025 [5B EA F7 ] GetI16To32 FFFFF7EA
00416028 [0F ] nor32
00416029 [B9 ] SetR32 r1
0041602A [BF ] GetR32 r3
0041602B [BF ] GetR32 r3
0041602C [4C ] nor32
0041602D [B9 ] SetR32 r1
0041602E [5B 15 08 ] GetI16To32 00000815
00416031 [0A ] nor32
00416032 [99 ] SetR32 r9
00416033 [73 ] add32
00416034 [D5 ] SetR32 r6
00416035 [99 ] SetR32 r9
00416036 [49 E4 5F 8F B5] GetI32 B58F5FE4 --错误路线
0041603B [01 A4 43 8F B5] GetI32 B58F43A4 --正确路线
00416040 [1D ] GetESP
00416041 [2A 04 ] GetI8To16 0004
00416043 [97 ] GetR32 r9
00416044 [54 BF ] GetI8To32 000000BF
00416046 [0A ] nor32
00416047 [B9 ] SetR32 r1
00416048 [39 ] shr32
00416049 [A5 ] SetR32 r10
0041604A [73 ] add32
0041604B [B9 ] SetR32 r1
0041604C [E8 ] RmSs32
0041604D [CD ] SetR32 r4
0041604E [A5 ] SetR32 r10
0041604F [B9 ] SetR32 r1
00416050 [CB ] GetR32 r4
00416051 [1D ] GetESP
00416052 [53 ] RmSs32
00416053 [D5 ] SetR32 r6
00416054 [1D ] GetESP
00416055 [53 ] RmSs32
00416056 [0A ] nor32
00416057 [AD ] SetR32 r12
00416058 [38 2B 1C 30 4A] GetI32 4A301C2B
0041605D [4C ] nor32
0041605E [CD ] SetR32 r4
0041605F [D3 ] GetR32 r6
00416060 [01 D4 E3 CF B5] GetI32 B5CFE3D4 ---解码地址的key
00416065 [0A ] nor32
00416066 [CD ] SetR32 r4
00416067 [0F ] nor32
00416068 [B9 ] SetR32 r1
00416069 [B9 ] SetR32 r1
0041606A [AF ] GetR32 r15
0041606B [CB ] GetR32 r4
0041606C [AF ] GetR32 r15
0041606D [CF ] GetR32 r7
0041606E [C7 ] GetR32 r5
0041606F [97 ] GetR32 r9
00416070 [B3 ] GetR32 r14
00416071 [9B ] GetR32 r8
00416072 [AF ] GetR32 r15
00416073 [A7 ] GetR32 r13
00416074 [BB ] GetR32 r0
00416075 [9F ] GetR32 r11
00416076 [01 1C B9 5F 12] GetI32 125FB91C
0041607B [73 ] add32
0041607C [A5 ] SetR32 r10
0041607D [C3 ] GetR32 r2
0041607E [B7 ] GetR32 r1
0041607F [25 ] SetEIP
key = 0xFF414DA5到这二选一,正确路线:
0040A070 [A5 ] SetR32 r10
0040A071 [38 E4 46 A0 ED] GetI32 EDA046E4
0040A076 [73 ] add32
0040A077 [B1 ] SetR32 r15
0040A078 [D1 ] SetR32 r7
0040A079 [C5 ] SetR32 r2
0040A07A [B5 ] SetR32 r14
0040A07B [9D ] SetR32 r8
0040A07C [CD ] SetR32 r4
0040A07D [B9 ] SetR32 r1
0040A07E [A1 ] SetR32 r11
0040A07F [BD ] SetR32 r0
0040A080 [AD ] SetR32 r12
0040A081 [D5 ] SetR32 r6
0040A082 [D3 ] GetR32 r6
0040A083 [D3 ] GetR32 r6
0040A084 [0A ] nor32
0040A085 [A9 ] SetR32 r13
0040A086 [01 2B 1C 30 4A] GetI32 4A301C2B
0040A08B [0A ] nor32
0040A08C [99 ] SetR32 r9
0040A08D [D3 ] GetR32 r6
0040A08E [38 D4 E3 CF B5] GetI32 B5CFE3D4
0040A093 [4C ] nor32
0040A094 [B1 ] SetR32 r15
0040A095 [0A ] nor32
0040A096 [C9 ] SetR32 r5
0040A097 [A9 ] SetR32 r13
0040A098 [C1 ] SetR32 r3
0040A099 [C9 ] SetR32 r5
0040A09A [99 ] SetR32 r9
0040A09B [B1 ] SetR32 r15
0040A09C [B5 ] SetR32 r14
0040A09D [AD ] SetR32 r12
0040A09E [CD ] SetR32 r4
0040A09F [CB ] GetR32 r4
0040A0A0 [1D ] GetESP
0040A0A1 [53 ] RmSs32
0040A0A2 [4C ] nor32
0040A0A3 [9D ] SetR32 r8
0040A0A4 [5B FF 08 ] GetI16To32 000008FF
0040A0A7 [0A ] nor32
0040A0A8 [A1 ] SetR32 r11
0040A0A9 [14 ] Popfd
0040A0AA [AB ] GetR32 r12 --这开始pushad
0040A0AB [B3 ] GetR32 r14
0040A0AC [AF ] GetR32 r15
0040A0AD [97 ] GetR32 r9
0040A0AE [54 14 ] GetI8To32 00000014
0040A0B0 [1D ] GetESP
0040A0B1 [80 ] add32
0040A0B2 [A1 ] SetR32 r11
0040A0B3 [C3 ] GetR32 r2
0040A0B4 [B7 ] GetR32 r1
0040A0B5 [BB ] GetR32 r0
0040A0B6 [6E 24 ] GetI8To32 00000024 --这开始mov esi, dword ptr [esp+0x24]
0040A0B8 [59 ] GetESP
0040A0B9 [A2 04 ] GetI8To32 00000004
0040A0BB [73 ] add32
0040A0BC [C1 ] SetR32 r3
0040A0BD [80 ] add32
0040A0BE [C1 ] SetR32 r3
0040A0BF [E8 ] RmSs32
0040A0C0 [C1 ] SetR32 r3
0040A0C1 [A3 ] GetR32 r10
0040A0C2 [01 05 10 40 00] GetI32 00401005
0040A0C7 [73 ] add32
0040A0C8 [A1 ] SetR32 r11
0040A0C9 [AF ] GetR32 r15
0040A0CA [CB ] GetR32 r4
0040A0CB [A7 ] GetR32 r13
0040A0CC [AB ] GetR32 r12
0040A0CD [BF ] GetR32 r3
0040A0CE [C3 ] GetR32 r2
0040A0CF [97 ] GetR32 r9
0040A0D0 [B3 ] GetR32 r14
0040A0D1 [BB ] GetR32 r0
0040A0D2 [AB ] GetR32 r12
0040A0D3 [AF ] GetR32 r15
0040A0D4 [67 ] retn
key = 0x125F3270错误路线:
0040BC30 [BD ] SetR32 r0
0040BC31 [3E E4 46 A0 ED] GetI32 EDA046E4
0040BC36 [76 ] add32
0040BC37 [C1 ] SetR32 r3
0040BC38 [B1 ] SetR32 r15
0040BC39 [9D ] SetR32 r8
0040BC3A [A5 ] SetR32 r10
0040BC3B [C9 ] SetR32 r5
0040BC3C [B5 ] SetR32 r14
0040BC3D [C5 ] SetR32 r2
0040BC3E [AD ] SetR32 r12
0040BC3F [99 ] SetR32 r9
0040BC40 [D5 ] SetR32 r6
0040BC41 [C1 ] SetR32 r3
0040BC42 [BF ] GetR32 r3
0040BC43 [BF ] GetR32 r3
0040BC44 [0A ] nor32
0040BC45 [A9 ] SetR32 r13
0040BC46 [01 2B 1C 30 4A] GetI32 4A301C2B
0040BC4B [0F ] nor32
0040BC4C [B9 ] SetR32 r1
0040BC4D [BF ] GetR32 r3
0040BC4E [49 D4 E3 CF B5] GetI32 B5CFE3D4
0040BC53 [15 ] nor32
0040BC54 [A1 ] SetR32 r11
0040BC55 [0F ] nor32
0040BC56 [D1 ] SetR32 r7
0040BC57 [CD ] SetR32 r4
0040BC58 [A9 ] SetR32 r13
0040BC59 [B9 ] SetR32 r1
0040BC5A [B9 ] SetR32 r1
0040BC5B [A5 ] SetR32 r10
0040BC5C [A9 ] SetR32 r13
0040BC5D [A1 ] SetR32 r11
0040BC5E [D1 ] SetR32 r7
0040BC5F [CF ] GetR32 r7
0040BC60 [1D ] GetESP
0040BC61 [E8 ] RmSs32
0040BC62 [0A ] nor32
0040BC63 [B5 ] SetR32 r14
0040BC64 [C4 FF 08 ] GetI16To32 000008FF
0040BC67 [4C ] nor32
0040BC68 [B5 ] SetR32 r14
0040BC69 [14 ] Popfd
0040BC6A [01 C0 BE 48 81] GetI32 8148BEC0
0040BC6F [A3 ] GetR32 r10
0040BC70 [CF ] GetR32 r7
0040BC71 [CB ] GetR32 r4
0040BC72 [9F ] GetR32 r11
0040BC73 [C3 ] GetR32 r2
0040BC74 [9B ] GetR32 r8
0040BC75 [B7 ] GetR32 r1
0040BC76 [A7 ] GetR32 r13
0040BC77 [97 ] GetR32 r9
0040BC78 [C7 ] GetR32 r5
0040BC79 [CB ] GetR32 r4
0040BC7A [67 ] retn
key = 0x9357B07D我承认杀鸡用牛刀了,所以注释几行关键的
2568
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
