VMProtect1.63分析
教材上给出了一些说明,虽然是断断续续的..
..之后通过单步,把断的地方都连起来了,也明白了VMP分析插件究竟做了些什么..
//表1,表2在最后.
加密之前的代码:
INC ECX
C3 RETN
> INC EAX
INC EAX
INC EAX
INC EAX
INC EAX
INC EAX
^ EB F8 JMP
0040100A C3 RETN
之后用VMP默认加密,加密范围是[401002,401006]闭区间
加密后的代码: 之后的代码都是加密后EXE中的代码
00401000 INC ECX
C3 RETN
>- E9 7C170000 JMP 用于测试.
INC EAX
^ EB F8 JMP SHORT 用于测试.<ModuleEntryPoint>
0040100A C3 RETN
可以看出被加密的代码替换成jmp 402783了.
跟入后是
PUSH 用于测试.00402792 ;402792这个地址是字节码的存储地址
E8 EFFEFFFF CALL 用于测试.0040267C ;这个call是解释程序
跟进40267c后是
0040267C PUSH EDX
0040267D PUSH EBX
0040267E PUSH EAX
0040267F 9C PUSHFD
PUSH ECX
PUSH ESI
PUSH EDI
PUSH ESI
PUSH EBP ;保存CONTEXT..
PUSH 0x0 **
0040268A 8B7424 2C MOV ESI,DWORD PTR SS:[ESP+0x2C] ;ESI = 402792 就是传入这个函数的那一个参数
0040268E 89E5 MOV EBP,ESP ;当前栈顶保存到EBP中,可认为是 真实程序的栈顶
81EC C0000000 SUB ESP,0xC0 ;这是为虚拟机开辟存储空间
89E7 MOV EDI,ESP ;EDI就是虚拟机的栈顶
ADD ESI,DWORD PTR SS:[EBP] ;这里的[EBP]就是上面**处压进来的0
0040269B__ 8A06 MOV AL,BYTE PTR DS:[ESI]
0040269D 0FB6C0 MOVZX EAX,AL
004026A0 > 83C6 ADD ESI,0x1 ;把esi处单个字节放到AL中,零扩展成EAX,然后esi+1
004026A3 FF2485 A8214000 JMP DWORD PTR DS:[EAX*+0x4021A8] ;根据arr_4021a8[eax]跳到对应地址执行指令
上面这一段代码就是初始化虚拟机,然后循环执行指令...
那么当我第一次执行到到
004026A3 FF2485 A8214000 JMP DWORD PTR DS:[EAX*+0x4021A8]
EAX=0x39 0x39*4+0x4021A8 = 40228C 由表2得 [40228C] = 40206B
代码为:
0040206B 80E0 3C AND AL,0x3C
0040206E 8B55 MOV EDX,DWORD PTR SS:[EBP]
83C5 ADD EBP,0x4
MOV DWORD PTR DS:[EDI+EAX],EDX
E9 1F060000 JMP 用于测试.0040269B
上面4行代码先不管他,直接看最后的jmp, 40269B就是
0040269B__ 8A06 MOV AL,BYTE PTR DS:[ESI]
0040269D 0FB6C0 MOVZX EAX,AL
004026A0 > 83C6 ADD ESI,0x1
004026A3 FF2485 A8214000 JMP DWORD PTR DS:[EAX*+0x4021A8]
就是这个循环,ESI在表1中取到下一个字节,然后根据表2算出跳转地址,进行下一次字节码执行..
那么现在的问题就是终点在哪, 我第一次实验时,根据入口的
0040267C PUSH EDX
0040267D PUSH EBX
0040267E PUSH EAX
0040267F 9C PUSHFD
PUSH ECX
PUSH ESI
PUSH EDI
PUSH ESI
PUSH EBP
估计出口肯定会有对应的pop,然后就在OD中搜索指令序列
pop eax
pop ebx
pop edx
然后就顺利地找到了
0040219B 89EC MOV ESP,EBP
0040219D 5A POP EDX
0040219E 5D POP EBP
0040219F 5E POP ESI
004021A0 5F POP EDI
004021A1 POP EAX
004021A2 POP ECX
004021A3 9D POPFD
004021A4 POP EAX
004021A5 5B POP EBX
004021A6 5A POP EDX
004021A7 C3 RETN
之后在40219B处下了个断点,运行断下后,查看ESI的值,就可以知道有多少字节码要执行,以及最后的那个字节码是什么.
得到ESI==402836
也就是说表1中402792~402836-1就是全部要执行的字节码了(A4 == 164).
原本的5条inc eax指令就变成了164个字节码..每个字节码由几条汇编指令来实现..果然变态..
接下来就是分析各个字节码对应的指令序列的功能:
有些预先注意的:
ESI是字节码的地址
EBP(一开始)是
PUSH CONTEXT
PUSH 0之后的栈顶,指着0 称为栈顶2
ESP(一开始是),EDI是虚拟机的栈顶,是EBP-0c0h, 称为栈顶1
栈顶1\2会变化,无论如何,就把EBP, EDI(ESP)的栈顶分别称为栈顶2和栈顶1 1在上,2在下
上面都指的是虚拟机的栈 开辟之后(402690 sub esp,0c0),以及销毁之前(40219B mov esp,ebp)
在表1中可以看到,字节码会重复出现,在表2中也可以看到表二的元素也有重复
对字节码0x39有:
0040206B 80E0 3C AND AL,0x3C
0040206E 8B55 MOV EDX,DWORD PTR SS:[EBP]
83C5 ADD EBP,0x4
MOV DWORD PTR DS:[EDI+EAX],EDX
E9 1F060000 JMP 用于测试.0040269B AND AL,3C ===> AL == 38
这几条指令完成的就是栈2顶pop出个dd存到(栈1顶+AL&3C的位置) [EDI+0x38]
字节码和3C And之后的值变成了一个位置.. 那么前面看到的表2的元素虽然会重复,但是对应的表1的值不一样,那么就算到了
同一个处理程序,得到的这个位置也会不一样..
对字节码0x31有:
0040206B 80E0 3C AND AL,0x3C
0040206E 8B55 MOV EDX,DWORD PTR SS:[EBP]
83C5 ADD EBP,0x4
MOV DWORD PTR DS:[EDI+EAX],EDX
E9 1F060000 JMP 用于测试.0040269B AND AL,3C ==> 0x31 & 0x3C = 0x30
跟0x39的完全一样,唯一个区别就是AL不同了,也就存在了不同的位置,[EDI+0x30]
对字节码0x19有:
0040206B 80E0 3C AND AL,0x3C
0040206E 8B55 MOV EDX,DWORD PTR SS:[EBP]
83C5 ADD EBP,0x4
MOV DWORD PTR DS:[EDI+EAX],EDX 还是完全一样
AND AL,3C ==> 0x19 & 0x3c = 0x18 [EDI+0x18]
此时我已经觉得有些麻烦了,三个竟然都是重复的, 于是写了一个测试程序用于根据表1的字节码得到对应的处理程序的地址, 全部处理完毕后,得到的对应地址为(从402792~402835,闭区间,一共A4=164个地址):
表3:
0040206B 0040206B 0040206B 0040206B
0040206B 0040206B 0040206B 0040206B
0040206B 0040206B 0040206B 0040206B
0040206B 004025E5 0040205C
0040206B 0040206B 004025E5
004026CD 0040206B
004026CD 0040206B 004025E5
004026CD 0040206B
0040206B 004026CD 0040206B
0040205C 0040206B 0040206B
0040206B 004025E5 0040205C 0040206B
0040206B 004025E5
004026CD 0040206B
004026CD 0040206B 004025E5 004025E5
004026CD 0040206B 0040206B
004026CD 0040206B 0040205C 0040206B
0040206B 004025E5 0040206B
0040205C 0040206B 0040206B 004025E5
004026CD 0040206B
004026CD 0040206B
004025E5 004025E5 004026CD 0040206B
0040206B 004026CD 0040206B
0040205C 0040206B 0040206B 004025E5
0040206B 0040205C 0040206B
0040206B 004025E5
004026CD 0040206B
004026CD 0040206B 004025E5
004026CD 0040206B
0040206B 004026CD 0040206B 0040205C
0040206B 0040206B 004025E5
0040206B 0040205C 0040206B 0040206B
004025E5 004026CD
0040206B 004026CD
0040206B 004025E5
004026CD 0040206B 0040206B
004026CD 0040206B 0040205C 0040206B
0040206B 004025E5 004020BD 004020ED
004025E5 004020BD 004025E5 0040205C
0040206B 004025E5 004025E5 004025E5
004025E5 004025E5 004025E5 004025E5
004025E5 004025E5 004025E5 0040219B
之后就是把出现过的地址,不重复地分析一次就行了..
还得搞清楚在虚拟机里面的代码是怎样影响到外面的代码的..
为了更好地说明,加入一个堆栈示意图:
上面的PROC_40206B,做的就是EBP向下一格,值放在EDI+AL&3C的位置..
而这个时候的EBP的值,是虚拟机入口点40267C处那一堆PUSH CONTEXT, PUSH进来的,也就是说,初始状态下的上图应该为....
根据表3,前12个,都是FUNC_40206B,对应的字节码为
2D 0D 3D
AND 3C后,对应的值为
2C 0C 3C
可以看出,会把栈顶2中的数据取出来放到对应的EDI+38/30/18/14/....地址处
这12条opcode刚好对应着栈中的12个"有用的数据(0, oldXXX, oldXXX, ...., r, 402792)"..
另外,虚拟机中的代码究竟是如何影响到外部的,应该就是通过对EBP这边的数据不断的操作,然后最终的字节码是0x95,对应的
处理程序为FUNC_40219B
0040219B 89EC MOV ESP,EBP
0040219D 5A POP EDX
0040219E 5D POP EBP
0040219F 5E POP ESI
004021A0 5F POP EDI
004021A1 POP EAX
004021A2 POP ECX
004021A3 9D POPFD
004021A4 POP EAX
004021A5 5B POP EBX
004021A6 5A POP EDX
004021A7 C3 RETN
对照PUSH
0040267C PUSH EDX ; 用于测试.<ModuleEntryPoint>
0040267D PUSH EBX
0040267E PUSH EAX
0040267F 9C PUSHFD
PUSH ECX
PUSH ESI
PUSH EDI
PUSH ESI
PUSH EBP
PUSH 0x0
在FUNC_40219B中,单步到了retn, 此时发现栈顶的元素值(其实就是堆栈图中的r)为401007,而不是40278D,
PUSH 用于测试.
E8 EFFEFFFF CALL 用于测试.0040267C
0040278D A8 E3 TEST AL,0xE3
40278D就是进入虚拟机CALL前,CALL时推入的下一条指令地址,在执行字节码的过程中被替换成了401007,就是
INC ECX
C3 RETN
>- E9 7C170000 JMP 用于测试.
INC EAX ;<---------------------------HERE
^ EB F8 JMP SHORT 用于测试.<ModuleEntryPoint>
0040100A C3 RETN
出了虚拟机...运行完了那5条inc eax的虚拟指令后的下一条指令地址
之后的内容教材上都有..
VMP分析插件就是:
给各个处理函数命名(根据行为产生助记符),给EDI+XXX的空间命个名(作为寄存器,操作数),堆栈窗口显示的是 栈顶2
用到的文件:
http://images2015.cnblogs.com/blog/638600/201701/638600-20170112081555619-763736492.jpg
另存为.zip文件就行了
附录:
地址402792处的值为,称为 表1:
00402792 39 31 19 15 2D 05 09 0D 25 3D 01 29 F8 01 0C 54 91-..%=)?.T
004027A2 29 35 08 55 32 FB 0D F8 FE C6 0D 28 45 F6 A6 21 )5U2??(E靓!
004027B2 F8 01 93 1D 4E 01 21 F8 01 34 54 2D 01 20 45 32 ??N!?4T- E2
004027C2 93 09 F8 FE 93 09 2C 2C 93 0D F8 01 93 35 5E 0D ??,,???^.
004027D2 29 00 F8 01 C2 1D 0D 28 45 F9 93 21 F8 FE 93 01 ).??.(E鶕!?
004027E2 1C 1C 93 01 F8 01 A6 35 4E 21 01 0C F8 01 54 09 ???N!.?T.
004027F2 1D 00 41 F9 C6 2D F8 FE C6 21 08 41 F6 C6 29 F8 .A-?A銎)?
00402802 01 C6 11 4E 0D 0D 1C F8 01 54 35 2D 0C 55 32 FB ?N..?T5-.U2?
00402812 11 F8 FE A6 11 34 41 32 93 11 F8 01 93 11 4E 1D ?4A2???N
00402822 09 38 40 07 10 40 00 5E 29 3C 24 2C 08 04 34 14 .8@@.^)<$,4
00402832 18 30 38 95 00 00 00 00 00 00 00 00 00 00 00 00 08?...........
表4021A8处的值为, 称为表2:
004021A8 E5 25 40 00 6B 20 40 00 70 21 40 00 70 21 40 00 ?@.k @.p!@.p!@.
004021B8 E5 25 40 00 6B 20 40 00 ED 20 40 00 ED 20 40 00 ?@.k @.?@.?@.
004021C8 E5 25 40 00 6B 20 40 00 2A 26 40 00 2A 26 40 00 ?@.k @.*&@.*&@.
004021D8 E5 25 40 00 6B 20 40 00 32 27 40 00 68 26 40 00 ?@.k @.2'@.h&@.
004021E8 E5 25 40 00 6B 20 40 00 2A 26 40 00 00 20 40 00 ?@.k @.*&@.. @.
004021F8 E5 25 40 00 6B 20 40 00 E5 26 40 00 56 27 40 00 ?@.k @.?@.V'@.
00402208 E5 25 40 00 6B 20 40 00 CC 25 40 00 D5 25 40 00 ?@.k @.?@.?@.
00402218 E5 25 40 00 6B 20 40 00 FB 20 40 00 D5 20 40 00 ?@.k @.?@.?@.
00402228 E5 25 40 00 6B 20 40 00 ED 20 40 00 68 26 40 00 ?@.k @.?@.h&@.
00402238 E5 25 40 00 6B 20 40 00 22 27 40 00 97 20 40 00 ?@.k @."'@.?@.
00402248 E5 25 40 00 6B 20 40 00 71 27 40 00 71 27 40 00 ?@.k @.q'@.q'@.
00402258 E5 25 40 00 6B 20 40 00 68 26 40 00 70 21 40 00 ?@.k @.h&@.p!@.
00402268 E5 25 40 00 6B 20 40 00 63 27 40 00 ED 20 40 00 ?@.k @.c'@.?@.
00402278 E5 25 40 00 6B 20 40 00 CD 20 40 00 32 27 40 00 ?@.k @.?@.2'@.
00402288 E5 25 40 00 6B 20 40 00 13 20 40 00 7C 20 40 00 ?@.k @. @.| @.
00402298 E5 25 40 00 6B 20 40 00 F6 25 40 00 44 27 40 00 ?@.k @.?@.D'@.
004022A8 BD 20 40 00 44 26 40 00 27 20 40 00 ED 20 40 00 ?@.D&@.' @.?@.
004022B8 56 27 40 00 44 26 40 00 97 20 40 00 ED 20 40 00 V'@.D&@.?@.?@.
004022C8 D5 25 40 00 68 26 40 00 44 27 40 00 2A 26 40 00 ?@.h&@.D'@.*&@.
004022D8 22 27 40 00 AA 26 40 00 5C 20 40 00 0C 26 40 00 "'@.?@.\ @..&@.
004022E8 70 21 40 00 BB 25 40 00 22 27 40 00 22 27 40 00 p!@.?@."'@."'@.
004022F8 5C 20 40 00 44 26 40 00 AA 26 40 00 71 27 40 00 \ @.D&@.?@.q'@.
00402308 32 27 40 00 BB 26 40 00 55 21 40 00 2A 26 40 00 2'@.?@.U!@.*&@.
00402318 87 21 40 00 0C 26 40 00 5C 20 40 00 D5 20 40 00 ?@..&@.\ @.?@.
00402328 51 26 40 00 55 21 40 00 44 27 40 00 FB 20 40 00 Q&@.U!@.D'@.?@.
00402338 BD 20 40 00 87 21 40 00 E5 26 40 00 87 21 40 00 ?@.?@.?@.?@.
00402348 70 21 40 00 BB 26 40 00 AB 20 40 00 CD 20 40 00 p!@.?@.?@.?@.
00402358 27 20 40 00 27 20 40 00 F6 25 40 00 08 27 40 00 ' @.' @.?@.'@.
00402368 D5 20 40 00 7C 20 40 00 44 26 40 00 44 26 40 00 ?@.| @.D&@.D&@.
00402378 56 27 40 00 97 20 40 00 00 20 40 00 D5 20 40 00 V'@.?@.. @.?@.
00402388 CC 25 40 00 7C 20 40 00 F0 26 40 00 71 27 40 00 ?@.| @.?@.q'@.
00402398 97 20 40 00 0C 26 40 00 AB 20 40 00 44 27 40 00 ?@..&@.?@.D'@.
004023A8 00 20 40 00 BB 25 40 00 55 21 40 00 F0 26 40 00 . @.?@.U!@.?@.
004023B8 5C 20 40 00 E5 26 40 00 A8 25 40 00 F0 26 40 00 \ @.?@.?@.?@.
004023C8 39 20 40 00 51 26 40 00 32 27 40 00 7C 20 40 00 9 @.Q&@.2'@.| @.
004023D8 22 27 40 00 AA 26 40 00 71 27 40 00 F0 26 40 00 "'@.?@.q'@.?@.
004023E8 56 27 40 00 D5 20 40 00 97 20 40 00 CD 26 40 00 V'@.?@.?@.?@.
004023F8 BD 20 40 00 9B 21 40 00 39 20 40 00 F0 26 40 00 ?@.?@.9 @.?@.
00402408 44 27 40 00 D5 20 40 00 BB 26 40 00 ED 20 40 00 D'@.?@.?@.?@.
00402418 5C 20 40 00 56 27 40 00 D5 25 40 00 13 20 40 00 \ @.V'@.?@. @.
00402428 97 20 40 00 44 26 40 00 2A 26 40 00 13 20 40 00 ?@.D&@.*&@. @.
00402438 D5 25 40 00 4B 20 40 00 CD 26 40 00 0C 26 40 00 ?@.K @.?@..&@.
00402448 51 26 40 00 5C 20 40 00 51 26 40 00 87 21 40 00 Q&@.\ @.Q&@.?@.
00402458 CD 20 40 00 44 26 40 00 00 20 40 00 68 26 40 00 ?@.D&@.. @.h&@.
00402468 ED 20 40 00 A8 25 40 00 68 26 40 00 55 21 40 00 ?@.?@.h&@.U!@.
00402478 71 27 40 00 51 26 40 00 AA 26 40 00 BD 20 40 00 q'@.Q&@.?@.?@.
00402488 44 27 40 00 BD 20 40 00 00 20 40 00 13 20 40 00 D'@.?@.. @. @.
00402498 CD 20 40 00 7C 20 40 00 ED 20 40 00 56 27 40 00 ?@.| @.?@.V'@.
004024A8 22 27 40 00 F6 25 40 00 5C 20 40 00 2A 26 40 00 "'@.?@.\ @.*&@.
004024B8 D5 20 40 00 CC 25 40 00 CD 26 40 00 32 27 40 00 ?@.?@.?@.2'@.
004024C8 97 20 40 00 D5 25 40 00 2A 26 40 00 ED 20 40 00 ?@.?@.*&@.?@.
004024D8 F0 26 40 00 0C 26 40 00 D5 20 40 00 F6 25 40 00 ?@..&@.?@.?@.
004024E8 44 27 40 00 7C 20 40 00 CD 20 40 00 AB 20 40 00 D'@.| @.?@.?@.
004024F8 5C 20 40 00 44 26 40 00 97 20 40 00 71 27 40 00 \ @.D&@.?@.q'@.
00402508 CC 25 40 00 CC 25 40 00 9B 21 40 00 27 20 40 00 ?@.?@.?@.' @.
00402518 51 26 40 00 32 27 40 00 5C 20 40 00 2A 26 40 00 Q&@.2'@.\ @.*&@.
00402528 BB 25 40 00 CC 25 40 00 0C 26 40 00 AA 26 40 00 ?@.?@..&@.?@.
00402538 87 21 40 00 0C 26 40 00 27 20 40 00 AB 20 40 00 ?@..&@.' @.?@.
00402548 97 20 40 00 CD 20 40 00 00 20 40 00 2A 26 40 00 ?@.?@.. @.*&@.
00402558 56 27 40 00 56 27 40 00 E5 26 40 00 BB 26 40 00 V'@.V'@.?@.?@.
00402568 D5 25 40 00 CD 20 40 00 CD 26 40 00 27 20 40 00 ?@.?@.?@.' @.
00402578 ED 20 40 00 70 21 40 00 63 27 40 00 44 27 40 00 ?@.p!@.c'@.D'@.
00402588 12 21 40 00 63 27 40 00 9B 21 40 00 CD 26 40 00 !@.c'@.?@.?@.
00402598 ED 20 40 00 4B 20 40 00 08 27 40 00 87 21 40 00 ?@.K @.'@.?@.
转换程序 的源码为:
创建一个对话框资源,然后拉一个Edit控件上去就行了
#include <windows.h>
#include <stdio.h>
#include <strsafe.h>
#include "resource.h"
#include <windowsx.h> CHAR szInfo[] = { }; int arr1[] = {
0x39,0x31,0x19,0x15,0x2D,0x05,0x09,0x0D,0x25,0x3D,0x01,0x29,0xF8,0x01,0x0C,0x54,
0x29,0x35,0x08,0x55,0x32,0xFB,0x0D,0xF8,0xFE,0xC6,0x0D,0x28,0x45,0xF6,0xA6,0x21,
0xF8,0x01,0x93,0x1D,0x4E,0x01,0x21,0xF8,0x01,0x34,0x54,0x2D,0x01,0x20,0x45,0x32,
0x93,0x09,0xF8,0xFE,0x93,0x09,0x2C,0x2C,0x93,0x0D,0xF8,0x01,0x93,0x35,0x5E,0x0D,
0x29,0x00,0xF8,0x01,0xC2,0x1D,0x0D,0x28,0x45,0xF9,0x93,0x21,0xF8,0xFE,0x93,0x01,
0x1C,0x1C,0x93,0x01,0xF8,0x01,0xA6,0x35,0x4E,0x21,0x01,0x0C,0xF8,0x01,0x54,0x09,
0x1D,0x00,0x41,0xF9,0xC6,0x2D,0xF8,0xFE,0xC6,0x21,0x08,0x41,0xF6,0xC6,0x29,0xF8,
0x01,0xC6,0x11,0x4E,0x0D,0x0D,0x1C,0xF8,0x01,0x54,0x35,0x2D,0x0C,0x55,0x32,0xFB,
0x11,0xF8,0xFE,0xA6,0x11,0x34,0x41,0x32,0x93,0x11,0xF8,0x01,0x93,0x11,0x4E,0x1D,
0x09,0x38,0x40,0x07,0x10,0x40,0x00,0x5E,0x29,0x3C,0x24,0x2C,0x08,0x04,0x34,0x14,
0x18,0x30,0x38,0x95 }; BYTE arr2[] =
{
0xE5,0x25,0x40,0x00,0x6B,0x20,0x40,0x00,0x70,0x21,0x40,0x00,0x70,0x21,0x40,0x00,
0xE5,0x25,0x40,0x00,0x6B,0x20,0x40,0x00,0xED,0x20,0x40,0x00,0xED,0x20,0x40,0x00,
0xE5,0x25,0x40,0x00,0x6B,0x20,0x40,0x00,0x2A,0x26,0x40,0x00,0x2A,0x26,0x40,0x00,
0xE5,0x25,0x40,0x00,0x6B,0x20,0x40,0x00,0x32,0x27,0x40,0x00,0x68,0x26,0x40,0x00,
0xE5,0x25,0x40,0x00,0x6B,0x20,0x40,0x00,0x2A,0x26,0x40,0x00,0x00,0x20,0x40,0x00,
0xE5,0x25,0x40,0x00,0x6B,0x20,0x40,0x00,0xE5,0x26,0x40,0x00,0x56,0x27,0x40,0x00,
0xE5,0x25,0x40,0x00,0x6B,0x20,0x40,0x00,0xCC,0x25,0x40,0x00,0xD5,0x25,0x40,0x00,
0xE5,0x25,0x40,0x00,0x6B,0x20,0x40,0x00,0xFB,0x20,0x40,0x00,0xD5,0x20,0x40,0x00,
0xE5,0x25,0x40,0x00,0x6B,0x20,0x40,0x00,0xED,0x20,0x40,0x00,0x68,0x26,0x40,0x00,
0xE5,0x25,0x40,0x00,0x6B,0x20,0x40,0x00,0x22,0x27,0x40,0x00,0x97,0x20,0x40,0x00,
0xE5,0x25,0x40,0x00,0x6B,0x20,0x40,0x00,0x71,0x27,0x40,0x00,0x71,0x27,0x40,0x00,
0xE5,0x25,0x40,0x00,0x6B,0x20,0x40,0x00,0x68,0x26,0x40,0x00,0x70,0x21,0x40,0x00,
0xE5,0x25,0x40,0x00,0x6B,0x20,0x40,0x00,0x63,0x27,0x40,0x00,0xED,0x20,0x40,0x00,
0xE5,0x25,0x40,0x00,0x6B,0x20,0x40,0x00,0xCD,0x20,0x40,0x00,0x32,0x27,0x40,0x00,
0xE5,0x25,0x40,0x00,0x6B,0x20,0x40,0x00,0x13,0x20,0x40,0x00,0x7C,0x20,0x40,0x00,
0xE5,0x25,0x40,0x00,0x6B,0x20,0x40,0x00,0xF6,0x25,0x40,0x00,0x44,0x27,0x40,0x00,
0xBD,0x20,0x40,0x00,0x44,0x26,0x40,0x00,0x27,0x20,0x40,0x00,0xED,0x20,0x40,0x00,
0x56,0x27,0x40,0x00,0x44,0x26,0x40,0x00,0x97,0x20,0x40,0x00,0xED,0x20,0x40,0x00,
0xD5,0x25,0x40,0x00,0x68,0x26,0x40,0x00,0x44,0x27,0x40,0x00,0x2A,0x26,0x40,0x00,
0x22,0x27,0x40,0x00,0xAA,0x26,0x40,0x00,0x5C,0x20,0x40,0x00,0x0C,0x26,0x40,0x00,
0x70,0x21,0x40,0x00,0xBB,0x25,0x40,0x00,0x22,0x27,0x40,0x00,0x22,0x27,0x40,0x00,
0x5C,0x20,0x40,0x00,0x44,0x26,0x40,0x00,0xAA,0x26,0x40,0x00,0x71,0x27,0x40,0x00,
0x32,0x27,0x40,0x00,0xBB,0x26,0x40,0x00,0x55,0x21,0x40,0x00,0x2A,0x26,0x40,0x00,
0x87,0x21,0x40,0x00,0x0C,0x26,0x40,0x00,0x5C,0x20,0x40,0x00,0xD5,0x20,0x40,0x00,
0x51,0x26,0x40,0x00,0x55,0x21,0x40,0x00,0x44,0x27,0x40,0x00,0xFB,0x20,0x40,0x00,
0xBD,0x20,0x40,0x00,0x87,0x21,0x40,0x00,0xE5,0x26,0x40,0x00,0x87,0x21,0x40,0x00,
0x70,0x21,0x40,0x00,0xBB,0x26,0x40,0x00,0xAB,0x20,0x40,0x00,0xCD,0x20,0x40,0x00,
0x27,0x20,0x40,0x00,0x27,0x20,0x40,0x00,0xF6,0x25,0x40,0x00,0x08,0x27,0x40,0x00,
0xD5,0x20,0x40,0x00,0x7C,0x20,0x40,0x00,0x44,0x26,0x40,0x00,0x44,0x26,0x40,0x00,
0x56,0x27,0x40,0x00,0x97,0x20,0x40,0x00,0x00,0x20,0x40,0x00,0xD5,0x20,0x40,0x00,
0xCC,0x25,0x40,0x00,0x7C,0x20,0x40,0x00,0xF0,0x26,0x40,0x00,0x71,0x27,0x40,0x00,
0x97,0x20,0x40,0x00,0x0C,0x26,0x40,0x00,0xAB,0x20,0x40,0x00,0x44,0x27,0x40,0x00,
0x00,0x20,0x40,0x00,0xBB,0x25,0x40,0x00,0x55,0x21,0x40,0x00,0xF0,0x26,0x40,0x00,
0x5C,0x20,0x40,0x00,0xE5,0x26,0x40,0x00,0xA8,0x25,0x40,0x00,0xF0,0x26,0x40,0x00,
0x39,0x20,0x40,0x00,0x51,0x26,0x40,0x00,0x32,0x27,0x40,0x00,0x7C,0x20,0x40,0x00,
0x22,0x27,0x40,0x00,0xAA,0x26,0x40,0x00,0x71,0x27,0x40,0x00,0xF0,0x26,0x40,0x00,
0x56,0x27,0x40,0x00,0xD5,0x20,0x40,0x00,0x97,0x20,0x40,0x00,0xCD,0x26,0x40,0x00,
0xBD,0x20,0x40,0x00,0x9B,0x21,0x40,0x00,0x39,0x20,0x40,0x00,0xF0,0x26,0x40,0x00,
0x44,0x27,0x40,0x00,0xD5,0x20,0x40,0x00,0xBB,0x26,0x40,0x00,0xED,0x20,0x40,0x00,
0x5C,0x20,0x40,0x00,0x56,0x27,0x40,0x00,0xD5,0x25,0x40,0x00,0x13,0x20,0x40,0x00,
0x97,0x20,0x40,0x00,0x44,0x26,0x40,0x00,0x2A,0x26,0x40,0x00,0x13,0x20,0x40,0x00,
0xD5,0x25,0x40,0x00,0x4B,0x20,0x40,0x00,0xCD,0x26,0x40,0x00,0x0C,0x26,0x40,0x00,
0x51,0x26,0x40,0x00,0x5C,0x20,0x40,0x00,0x51,0x26,0x40,0x00,0x87,0x21,0x40,0x00,
0xCD,0x20,0x40,0x00,0x44,0x26,0x40,0x00,0x00,0x20,0x40,0x00,0x68,0x26,0x40,0x00,
0xED,0x20,0x40,0x00,0xA8,0x25,0x40,0x00,0x68,0x26,0x40,0x00,0x55,0x21,0x40,0x00,
0x71,0x27,0x40,0x00,0x51,0x26,0x40,0x00,0xAA,0x26,0x40,0x00,0xBD,0x20,0x40,0x00,
0x44,0x27,0x40,0x00,0xBD,0x20,0x40,0x00,0x00,0x20,0x40,0x00,0x13,0x20,0x40,0x00,
0xCD,0x20,0x40,0x00,0x7C,0x20,0x40,0x00,0xED,0x20,0x40,0x00,0x56,0x27,0x40,0x00,
0x22,0x27,0x40,0x00,0xF6,0x25,0x40,0x00,0x5C,0x20,0x40,0x00,0x2A,0x26,0x40,0x00,
0xD5,0x20,0x40,0x00,0xCC,0x25,0x40,0x00,0xCD,0x26,0x40,0x00,0x32,0x27,0x40,0x00,
0x97,0x20,0x40,0x00,0xD5,0x25,0x40,0x00,0x2A,0x26,0x40,0x00,0xED,0x20,0x40,0x00,
0xF0,0x26,0x40,0x00,0x0C,0x26,0x40,0x00,0xD5,0x20,0x40,0x00,0xF6,0x25,0x40,0x00,
0x44,0x27,0x40,0x00,0x7C,0x20,0x40,0x00,0xCD,0x20,0x40,0x00,0xAB,0x20,0x40,0x00,
0x5C,0x20,0x40,0x00,0x44,0x26,0x40,0x00,0x97,0x20,0x40,0x00,0x71,0x27,0x40,0x00,
0xCC,0x25,0x40,0x00,0xCC,0x25,0x40,0x00,0x9B,0x21,0x40,0x00,0x27,0x20,0x40,0x00,
0x51,0x26,0x40,0x00,0x32,0x27,0x40,0x00,0x5C,0x20,0x40,0x00,0x2A,0x26,0x40,0x00,
0xBB,0x25,0x40,0x00,0xCC,0x25,0x40,0x00,0x0C,0x26,0x40,0x00,0xAA,0x26,0x40,0x00,
0x87,0x21,0x40,0x00,0x0C,0x26,0x40,0x00,0x27,0x20,0x40,0x00,0xAB,0x20,0x40,0x00,
0x97,0x20,0x40,0x00,0xCD,0x20,0x40,0x00,0x00,0x20,0x40,0x00,0x2A,0x26,0x40,0x00,
0x56,0x27,0x40,0x00,0x56,0x27,0x40,0x00,0xE5,0x26,0x40,0x00,0xBB,0x26,0x40,0x00,
0xD5,0x25,0x40,0x00,0xCD,0x20,0x40,0x00,0xCD,0x26,0x40,0x00,0x27,0x20,0x40,0x00,
0xED,0x20,0x40,0x00,0x70,0x21,0x40,0x00,0x63,0x27,0x40,0x00,0x44,0x27,0x40,0x00,
0x12,0x21,0x40,0x00,0x63,0x27,0x40,0x00,0x9B,0x21,0x40,0x00,0xCD,0x26,0x40,0x00,
0xED,0x20,0x40,0x00,0x4B,0x20,0x40,0x00,0x08,0x27,0x40,0x00,0x87,0x21,0x40,0x00,
};
INT_PTR DlgProc(HWND hwndDlg, UINT uMsg, WPARAM wParam, LPARAM lParam)
{
switch (uMsg)
{
case WM_INITDIALOG:
{
HWND hwndEdit = GetDlgItem(hwndDlg, IDC_EDIT1);
CHAR szBuffer[] = { };
int nIndex = ;
int nAddr = ;
for (int i = ; i < ; ++i)
{
if (i % == )
{
strcat_s(szInfo, "\r\n");
}
nIndex = arr1[i];
nAddr = *(DWORD*)&arr2[nIndex*];
StringCbPrintf(szBuffer, , "%08X ", nAddr);
strcat_s(szInfo, szBuffer);
} Edit_SetText(hwndEdit, szInfo);
break;
} case WM_CLOSE:
{
EndDialog(hwndDlg, );
break;
}
} return FALSE;
} int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, PSTR szCmdLine, int nCmdShow)
{
DialogBox(hInstance, MAKEINTRESOURCE(IDD_DIALOG1), NULL, (DLGPROC)DlgProc); return ;
}
VMProtect1.63分析的更多相关文章
- 全球SEO行业调查报告
这是一份来自MOZ的调查报告,本报告是两年一次的SEO行业调查,主要围绕SEO从业人员的特征.工作内容时间分配比例.对未来市场的看法.使用的seo工具以及SEO知识扩充渠道等展开. 这份报告可以对从事 ...
- 无穷字符串问题--CSDN上的面试题(原创)
网上看到一道奇怪的题,分享一下:http://hero.csdn.net/Question/Details?ID=307&ExamID=302 发布公司:CSDN 有 效 期:2014-02- ...
- CSP学习之导出密钥BLOB 解析
通过CryptExportKey( hKey, NULL, PUBLICKEYBLOB,0, NULL, &dwBlobLen) 函数导出的公钥信息如下: 06 02 00 00 00 A4 ...
- 【UVA10655】 Contemplation! Algebra
题目 给定 \(p = a + b\) 和 \(q = ab\) 和 \(n\),求 \(a ^ n + b ^ n\). $0\le n\lt 2^{63} $ 分析 大水题. 先考虑 \(n\) ...
- 密码学笔记-一段base64wp
CTF--练习平台 例题: 一段Base64 flag格式:flag{xxxxxxxxxxxxx} 附件: base64.txt 1.base64解码:http://base64.xpcha.com/ ...
- 63.如何对单链表进行快排?和数组快排的分析与对比[quicksort of array and linked list]
[本文链接] http://www.cnblogs.com/hellogiser/p/quick-sort-of-array-and-linked-list.html [题目] 单链表的特点是:单向. ...
- Django(63)drf权限源码分析与自定义权限
前言 上一篇我们分析了认证的源码,一个请求认证通过以后,第二步就是查看权限了,drf默认是允许所有用户访问 权限源码分析 源码入口:APIView.py文件下的initial方法下的check_per ...
- 用MongoDB分析合肥餐饮业
看了<从数据角度解析福州美食>后难免心痒,动了要分析合肥餐饮业的念头,因此特地写了Node.js爬虫爬取了合肥的大众点评数据.分析数据库我并没有采用MySQL而是用的MongoDB,是因为 ...
- Linux设备管理(一)_kobject, kset,ktype分析
Linux内核大量使用面向对象的设计思想,通过追踪源码,我们甚至可以使用面向对象语言常用的UML类图来分析Linux设备管理的"类"之间的关系.这里以4.8.5内核为例从kobje ...
随机推荐
- 泛型集合List的详细用法
命名空间: System.Collections.Generic List<T>类是 ArrayList 类的泛型等效类. 该类使用大小可 按需动态增加 的数组实现 IList& ...
- 【读书笔记】使用代理录制Web性能测试脚本
读书笔记:<零成本实现Web性能测试>第3章 基本操作步骤: 在测试计划中添加线程组. 在该线程组中添加HTTP请求默认值.设置服务器名称或ip.端口. 在工作台添加HTTP代理服务器.设 ...
- JSESSIONID的简单说明
原文地址:http://blog.csdn.net/chunqiuwei/article/details/23461995 1)第一次访问服务器的时候,会在响应头里面看到Set-Cookie信息(只有 ...
- mongodb修改和删除操作
修改数据修改里面还有查询条件.你要该谁,要告诉 mongo.查找名字叫做小明的,把年龄更改为 16 岁:1 db.student.update({"name":"小明&q ...
- HackerRank-Python攻城歷程-3.List( Find the Second Largest Number )
if __name__ == '__main__': n = int(input()) arr = map(int, input().split()) print(sorted(list(set(ar ...
- Git仓库删除大文件
Git仓库删除大文件 背景 当用Git久了,难免会手误或临时添加一些大文件到仓库中,即使以后添加进了.gitignore,甚至做了git rm,但是Git为了保证版本可回退,history pack里 ...
- es6 Promise简单介绍
promise的基本用法 promise执行多步操作非常好用,那我们就来模仿一个多步操作的过程,那就以吃饭为例吧.要想在家吃顿饭,是要经过三个步骤的. 洗菜做饭. 坐下来吃饭. 收拾桌子洗碗. 这个过 ...
- Oracle 动态sql
静态SQL是前置编译绑定,动态SQL是后期执行时才编译绑定. 场景: 动态SQL适用于表名及查询字段名未知的情况.在已知查询字段名及表名的情况下,使用动态SQL(字符串拼接方式)会增加硬解析的开销,在 ...
- 亚马逊(Review、Feedback)差评怎么处理?
移除亚马逊Review差评,我看也就这三招靠谱点! 亚马逊特别重视review,差评会直接影响到listing的浏览量和销量,甚至还可以摧毁一个账号.遇到一个差的review怎么办?网上看到很多讲移除 ...
- mongo学习笔记2--索引及表设计
-背景: 鉴于我们使用mongo作为数据库,期间少不了需要添加索引和对业务表进行设计.因此以下我对mongo索引及表设计原则做了一些分享.希望对大家有用,如有错误还望指正~ MongDB的索引类型简介 ...