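The textbook gives some explanation, although only in fragments.

By single-stepping afterwards I connected the missing pieces, and I also came to understand what the VMP analysis plugin actually does.

// Table 1 and Table 2 are at the end.

Code before VMP encryption: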
INC ECX
C3 RETN
> INC EAX
INC EAX
INC EAX
INC EAX
INC EAX
INC EAX
^ EB F8 JMP
0040100A C3 RETN

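It was then encrypted with VMP's default settings; the encrypted range is the closed interval [401002, 401006].

Code after encryption (all code from here on is taken from the encrypted EXE):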
00401000 INC ECX
C3 RETN
>- E9 7C170000 JMP 用于测试.
INC EAX
^ EB F8 JMP SHORT 用于测试.<ModuleEntryPoint>
0040100A C3 RETN

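You can see that the encrypted code has been replaced by jmp 402783.

Following the jump leads to:

PUSH 用于测试.00402792  ; 402792 is the address where the bytecode is stored
E8 EFFEFFFF CALL 用于测试.0040267C ; this call is the interpreter

Stepping into 40267C gives: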

0040267C                  PUSH EDX
0040267D PUSH EBX
0040267E PUSH EAX
0040267F 9C PUSHFD
PUSH ECX
PUSH ESI
PUSH EDI
PUSH ESI
PUSH EBP ; save CONTEXT
PUSH 0x0 **
0040268A 8B7424 2C MOV ESI,DWORD PTR SS:[ESP+0x2C] ; ESI = 402792, the single argument passed to this function
0040268E 89E5 MOV EBP,ESP ; save the current stack top in EBP; this can be regarded as the real program's stack top
81EC C0000000 SUB ESP,0xC0 ; allocate storage for the virtual machine
89E7 MOV EDI,ESP ; EDI is the VM's stack top
ADD ESI,DWORD PTR SS:[EBP] ; [EBP] here is the 0 pushed at ** above
0040269B__ 8A06 MOV AL,BYTE PTR DS:[ESI]
0040269D 0FB6C0 MOVZX EAX,AL
004026A0 > 83C6 ADD ESI,0x1 ; load the single byte at ESI into AL, zero-extend it to EAX, then ESI+1
004026A3 FF2485 A8214000 JMP DWORD PTR DS:[EAX*4+0x4021A8] ; jump to the address in arr_4021a8[eax] to execute the instruction

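The code above initializes the virtual machine and then executes instructions in a loop.

So the first time execution reached

004026A3    FF2485 A8214000 JMP DWORD PTR DS:[EAX*4+0x4021A8]

EAX = 0x39, so 0x39*4 + 0x4021A8 = 40228C, and from Table 2, [40228C] = 40206B.

The code there is: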

0040206B    80E0 3C         AND AL,0x3C
0040206E 8B55 MOV EDX,DWORD PTR SS:[EBP]
83C5 ADD EBP,0x4
MOV DWORD PTR DS:[EDI+EAX],EDX
E9 1F060000 JMP 用于测试.0040269B

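Ignore the first 4 lines above for now and look straight at the final jmp. 40269B is

0040269B__  8A06            MOV AL,BYTE PTR DS:[ESI]
0040269D 0FB6C0 MOVZX EAX,AL
004026A0 > 83C6 ADD ESI,0x1
004026A3 FF2485 A8214000 JMP DWORD PTR DS:[EAX*4+0x4021A8]

This is the loop: ESI fetches the next byte from Table 1, the jump address is computed from Table 2, and the next bytecode is executed.

The question now is where it ends. In my first experiment, based on the entry's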

0040267C                  PUSH EDX
0040267D PUSH EBX
0040267E PUSH EAX
0040267F 9C PUSHFD
PUSH ECX
PUSH ESI
PUSH EDI
PUSH ESI
PUSH EBP

I guessed that the exit must have the corresponding pops, so I searched in OD for the instruction sequence

pop eax
pop ebx
pop edx

and found it without trouble:

0040219B    89EC            MOV ESP,EBP
0040219D 5A POP EDX
0040219E 5D POP EBP
0040219F 5E POP ESI
004021A0 5F POP EDI
004021A1 POP EAX
004021A2 POP ECX
004021A3 9D POPFD
004021A4 POP EAX
004021A5 5B POP EBX
004021A6 5A POP EDX
004021A7 C3 RETN

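I then set a breakpoint at 40219B. Once it hit, the value of ESI shows how many bytecodes are executed and what the last bytecode is.

This gave ESI == 402836.

In other words, 402792 through 402836-1 in Table 1 is all of the bytecode to be executed (A4 == 164).

The original 5 inc eax instructions became 164 bytecodes, each implemented by several assembly instructions. Insane indeed.

Next is analyzing what the instruction sequence for each bytecode does.

Some things to note in advance:
ESI is the address of the bytecode.
EBP is (initially) the stack top after PUSH CONTEXT and PUSH 0, pointing at the 0; call it stack top 2.
ESP (initially) and EDI are the VM's stack top, which is EBP-0C0h; call it stack top 1.
Stack tops 1 and 2 change, but in any case the tops held in EBP and EDI (ESP) are called stack top 2 and stack top 1 respectively; 1 is above, 2 is below.
All of the above refers to the VM's stack after it is allocated (402690 sub esp,0c0) and before it is destroyed (40219B mov esp,ebp).
Table 1 shows that bytecodes repeat, and Table 2 shows that its elements repeat as well.
For bytecode 0x39: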
0040206B 80E0 3C AND AL,0x3C
0040206E 8B55 MOV EDX,DWORD PTR SS:[EBP]
83C5 ADD EBP,0x4
MOV DWORD PTR DS:[EDI+EAX],EDX
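E9 1F060000 JMP 用于测试.0040269B
AND AL,3C  ===>  AL == 38
These instructions pop a dword from stack top 2 and store it at (stack top 1 + (AL & 3C)), i.e. [EDI+0x38].

The bytecode ANDed with 3C becomes a location. So although the elements of Table 2 repeat, as seen earlier, the corresponding Table 1 values differ, and even when the same handler is reached the resulting location differs.

For bytecode 0x31: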
0040206B 80E0 3C AND AL,0x3C
0040206E 8B55 MOV EDX,DWORD PTR SS:[EBP]
83C5 ADD EBP,0x4
MOV DWORD PTR DS:[EDI+EAX],EDX
E9 1F060000 JMP 用于测试.0040269B
AND AL,3C ==> 0x31 & 0x3C = 0x30
Exactly the same as for 0x39; the only difference is that AL differs, so the value is stored at a different location, [EDI+0x30].

For bytecode 0x19:
0040206B 80E0 3C AND AL,0x3C
0040206E 8B55 MOV EDX,DWORD PTR SS:[EBP]
83C5 ADD EBP,0x4
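MOV DWORD PTR DS:[EDI+EAX],EDX
Again exactly the same.
AND AL,3C ==> 0x19 & 0x3c = 0x18 [EDI+0x18]

At this point I found it rather tedious, since all three turned out to be repeats, so I wrote a test program that derives the handler address for each bytecode in Table 1. After processing everything, the corresponding addresses are (from 402792 to 402835, closed interval, A4 = 164 addresses in total):

Table 3: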


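After that, it is just a matter of analyzing each address that appears once, without repeats.

I still need to figure out how the code inside the VM affects the code outside it.

To explain better, here is a stack diagram:

PROC_40206B above moves EBP down one slot and puts the value at EDI + (AL & 3C).

The values at EBP at this point were pushed by the series of PUSH CONTEXT instructions at the VM entry point 40267C; that is, in the initial state the diagram above should be....

According to Table 3, the first 12 are all FUNC_40206B, and the corresponding bytecodes are

39 31 19 15 2D 05 09 0D 25 3D 01 29

After AND 3C, the corresponding values are

38 30 18 14 2C 04 08 0C 24 3C 00 28

As you can see, the data at stack top 2 is taken out and placed at the corresponding addresses EDI+38/30/18/14/....

These 12 opcodes correspond exactly to the 12 pieces of "useful data" on the stack (0, oldXXX, oldXXX, ...., r, 402792).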
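The prologue described above, modelled as an added Python example (not code from the original post): it emulates the fetch at 0040269B and handler 0040206B over the first 12 bytes of Table 1 and shows which saved item lands in which EDI slot. The function names and the register values on the entry stack are assumptions constructed for the demonstration; the stack order follows the PUSH listing at 0040267C.

```python
import struct

HANDLER_TABLE = 0x4021A8   # base of Table 2 (from the page)
VM_AREA_SIZE = 0xC0        # SUB ESP,0xC0 at the VM entry
# First 12 bytes of Table 1; the page states all 12 dispatch to 0040206B.
PROLOGUE = bytes.fromhex("39 31 19 15 2D 05 09 0D 25 3D 01 29")

# Real stack at VM entry, top (EBP) first: the reverse of the PUSH order
# listed at 0040267C, then the CALL return address r and the pushed
# bytecode address. Register values are constructed sample data.
ENTRY_STACK = [
    ("zero", 0x00000000),
    ("EBP", 0x0012FFC0),
    ("ESI (2nd push)", 0x11111111),
    ("EDI", 0x22222222),
    ("ESI (1st push)", 0x11111111),
    ("ECX", 0x33333333),
    ("EFLAGS", 0x00000246),
    ("EAX", 0x44444444),
    ("EBX", 0x55555555),
    ("EDX", 0x66666666),
    ("r", 0x0040278D),
    ("bytecode", 0x00402792),
]


def table_entry(opcode):
    """Address read by JMP DWORD PTR DS:[EAX*4+0x4021A8]."""
    return HANDLER_TABLE + opcode * 4


def slot_offset(opcode):
    """AND AL,0x3C in handler 0040206B: dword-aligned offset from EDI."""
    return opcode & 0x3C


def run_prologue(bytecode=PROLOGUE, stack=ENTRY_STACK):
    """Emulate fetch + handler 0040206B for every byte of `bytecode`.

    Returns (vm_area, layout, popped): the 0xC0-byte area at EDI, a dict
    mapping slot offset -> name of the saved item stored there, and the
    number of dwords EBP advanced past.
    """
    vm_area = bytearray(VM_AREA_SIZE)
    layout = {}
    ebp = 0                                   # index into stack
    for opcode in bytecode:                   # MOV AL,[ESI] / ADD ESI,1
        if ebp >= len(stack):
            raise ValueError("bytecode pops more than the entry stack holds")
        name, value = stack[ebp]              # MOV EDX,[EBP]
        ebp += 1                              # ADD EBP,4
        off = slot_offset(opcode)
        struct.pack_into("<I", vm_area, off, value)   # MOV [EDI+EAX],EDX
        layout[off] = name
    return vm_area, layout, ebp


if __name__ == "__main__":
    _, layout, _ = run_prologue()
    for opcode in PROLOGUE:
        off = slot_offset(opcode)
        print(f"opcode {opcode:02X}  table entry {table_entry(opcode):08X}  "
              f"[EDI+0x{off:02X}] <- {layout[off]}")
```

The twelve offsets are all distinct, so after the prologue the whole saved context, including the return address r, lives in EDI slots where later handlers can rewrite it.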

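As for how the code in the VM actually affects the outside, it should be through repeated operations on the data on the EBP side. The final bytecode is 0x95, whose handler is FUNC_40219B: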

0040219B    89EC            MOV ESP,EBP
0040219D 5A POP EDX
0040219E 5D POP EBP
0040219F 5E POP ESI
004021A0 5F POP EDI
004021A1 POP EAX
004021A2 POP ECX
004021A3 9D POPFD
004021A4 POP EAX
004021A5 5B POP EBX
004021A6 5A POP EDX
004021A7 C3 RETN

Compare with the PUSHes:

0040267C                  PUSH EDX                                 ; 用于测试.<ModuleEntryPoint>
0040267D PUSH EBX
0040267E PUSH EAX
0040267F 9C PUSHFD
PUSH ECX
PUSH ESI
PUSH EDI
PUSH ESI
PUSH EBP
PUSH 0x0

Single-stepping in FUNC_40219B to the retn, the value at the top of the stack (which is the r in the stack diagram) turns out to be 401007 rather than 40278D.

          PUSH 用于测试.
E8 EFFEFFFF CALL 用于测试.0040267C
0040278D A8 E3 TEST AL,0xE3

40278D is the next-instruction address pushed by the CALL on entering the VM. During bytecode execution it was replaced with 401007, which is

                  INC ECX
C3 RETN
>- E9 7C170000 JMP 用于测试.
INC EAX ;<---------------------------HERE
^ EB F8 JMP SHORT 用于测试.<ModuleEntryPoint>
0040100A C3 RETN

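the address of the next instruction after leaving the VM, once the 5 virtualized inc eax instructions have run.

The rest is all covered in the textbook.

What the VMP analysis plugin does:

It names each handler (generating a mnemonic from its behaviour), names the EDI+XXX slots (as registers and operands), and its stack window shows stack top 2.

Files used:

    http://images2015.cnblogs.com/blog/638600/201701/638600-20170112081555619-763736492.jpg

Just save it as a .zip file.

Appendix:

The values at address 402792, called Table 1 (the executed bytes are the same as the arr1 array in the conversion program's source below):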


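The values of the table at 4021A8, called Table 2 (the same bytes are the arr2 array in the conversion program's source below):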


Source of the conversion program:

Create a dialog resource and drop an Edit control onto it.

#include <windows.h>
#include <stdio.h>
#include <strsafe.h>
#include "resource.h"
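#include <windowsx.h>

// Output text shown in the Edit control. The size was lost from the page;
// 4096 is chosen here and is large enough for 164 "%08X " entries.
CHAR szInfo[4096] = { 0 };

// Table 1: the 164 bytecode bytes starting at 402792
int arr1[] = {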
0x39,0x31,0x19,0x15,0x2D,0x05,0x09,0x0D,0x25,0x3D,0x01,0x29,0xF8,0x01,0x0C,0x54,
0x29,0x35,0x08,0x55,0x32,0xFB,0x0D,0xF8,0xFE,0xC6,0x0D,0x28,0x45,0xF6,0xA6,0x21,
0xF8,0x01,0x93,0x1D,0x4E,0x01,0x21,0xF8,0x01,0x34,0x54,0x2D,0x01,0x20,0x45,0x32,
0x93,0x09,0xF8,0xFE,0x93,0x09,0x2C,0x2C,0x93,0x0D,0xF8,0x01,0x93,0x35,0x5E,0x0D,
0x29,0x00,0xF8,0x01,0xC2,0x1D,0x0D,0x28,0x45,0xF9,0x93,0x21,0xF8,0xFE,0x93,0x01,
0x1C,0x1C,0x93,0x01,0xF8,0x01,0xA6,0x35,0x4E,0x21,0x01,0x0C,0xF8,0x01,0x54,0x09,
0x1D,0x00,0x41,0xF9,0xC6,0x2D,0xF8,0xFE,0xC6,0x21,0x08,0x41,0xF6,0xC6,0x29,0xF8,
0x01,0xC6,0x11,0x4E,0x0D,0x0D,0x1C,0xF8,0x01,0x54,0x35,0x2D,0x0C,0x55,0x32,0xFB,
0x11,0xF8,0xFE,0xA6,0x11,0x34,0x41,0x32,0x93,0x11,0xF8,0x01,0x93,0x11,0x4E,0x1D,
0x09,0x38,0x40,0x07,0x10,0x40,0x00,0x5E,0x29,0x3C,0x24,0x2C,0x08,0x04,0x34,0x14,
0x18,0x30,0x38,0x95 };

// Table 2: the handler address table at 4021A8 (little-endian DWORDs)
BYTE arr2[] =
{
0xE5,0x25,0x40,0x00,0x6B,0x20,0x40,0x00,0x70,0x21,0x40,0x00,0x70,0x21,0x40,0x00,
0xE5,0x25,0x40,0x00,0x6B,0x20,0x40,0x00,0xED,0x20,0x40,0x00,0xED,0x20,0x40,0x00,
0xE5,0x25,0x40,0x00,0x6B,0x20,0x40,0x00,0x2A,0x26,0x40,0x00,0x2A,0x26,0x40,0x00,
0xE5,0x25,0x40,0x00,0x6B,0x20,0x40,0x00,0x32,0x27,0x40,0x00,0x68,0x26,0x40,0x00,
0xE5,0x25,0x40,0x00,0x6B,0x20,0x40,0x00,0x2A,0x26,0x40,0x00,0x00,0x20,0x40,0x00,
0xE5,0x25,0x40,0x00,0x6B,0x20,0x40,0x00,0xE5,0x26,0x40,0x00,0x56,0x27,0x40,0x00,
0xE5,0x25,0x40,0x00,0x6B,0x20,0x40,0x00,0xCC,0x25,0x40,0x00,0xD5,0x25,0x40,0x00,
0xE5,0x25,0x40,0x00,0x6B,0x20,0x40,0x00,0xFB,0x20,0x40,0x00,0xD5,0x20,0x40,0x00,
0xE5,0x25,0x40,0x00,0x6B,0x20,0x40,0x00,0xED,0x20,0x40,0x00,0x68,0x26,0x40,0x00,
0xE5,0x25,0x40,0x00,0x6B,0x20,0x40,0x00,0x22,0x27,0x40,0x00,0x97,0x20,0x40,0x00,
0xE5,0x25,0x40,0x00,0x6B,0x20,0x40,0x00,0x71,0x27,0x40,0x00,0x71,0x27,0x40,0x00,
0xE5,0x25,0x40,0x00,0x6B,0x20,0x40,0x00,0x68,0x26,0x40,0x00,0x70,0x21,0x40,0x00,
0xE5,0x25,0x40,0x00,0x6B,0x20,0x40,0x00,0x63,0x27,0x40,0x00,0xED,0x20,0x40,0x00,
0xE5,0x25,0x40,0x00,0x6B,0x20,0x40,0x00,0xCD,0x20,0x40,0x00,0x32,0x27,0x40,0x00,
0xE5,0x25,0x40,0x00,0x6B,0x20,0x40,0x00,0x13,0x20,0x40,0x00,0x7C,0x20,0x40,0x00,
0xE5,0x25,0x40,0x00,0x6B,0x20,0x40,0x00,0xF6,0x25,0x40,0x00,0x44,0x27,0x40,0x00,
0xBD,0x20,0x40,0x00,0x44,0x26,0x40,0x00,0x27,0x20,0x40,0x00,0xED,0x20,0x40,0x00,
0x56,0x27,0x40,0x00,0x44,0x26,0x40,0x00,0x97,0x20,0x40,0x00,0xED,0x20,0x40,0x00,
0xD5,0x25,0x40,0x00,0x68,0x26,0x40,0x00,0x44,0x27,0x40,0x00,0x2A,0x26,0x40,0x00,
0x22,0x27,0x40,0x00,0xAA,0x26,0x40,0x00,0x5C,0x20,0x40,0x00,0x0C,0x26,0x40,0x00,
0x70,0x21,0x40,0x00,0xBB,0x25,0x40,0x00,0x22,0x27,0x40,0x00,0x22,0x27,0x40,0x00,
0x5C,0x20,0x40,0x00,0x44,0x26,0x40,0x00,0xAA,0x26,0x40,0x00,0x71,0x27,0x40,0x00,
0x32,0x27,0x40,0x00,0xBB,0x26,0x40,0x00,0x55,0x21,0x40,0x00,0x2A,0x26,0x40,0x00,
0x87,0x21,0x40,0x00,0x0C,0x26,0x40,0x00,0x5C,0x20,0x40,0x00,0xD5,0x20,0x40,0x00,
0x51,0x26,0x40,0x00,0x55,0x21,0x40,0x00,0x44,0x27,0x40,0x00,0xFB,0x20,0x40,0x00,
0xBD,0x20,0x40,0x00,0x87,0x21,0x40,0x00,0xE5,0x26,0x40,0x00,0x87,0x21,0x40,0x00,
0x70,0x21,0x40,0x00,0xBB,0x26,0x40,0x00,0xAB,0x20,0x40,0x00,0xCD,0x20,0x40,0x00,
0x27,0x20,0x40,0x00,0x27,0x20,0x40,0x00,0xF6,0x25,0x40,0x00,0x08,0x27,0x40,0x00,
0xD5,0x20,0x40,0x00,0x7C,0x20,0x40,0x00,0x44,0x26,0x40,0x00,0x44,0x26,0x40,0x00,
0x56,0x27,0x40,0x00,0x97,0x20,0x40,0x00,0x00,0x20,0x40,0x00,0xD5,0x20,0x40,0x00,
0xCC,0x25,0x40,0x00,0x7C,0x20,0x40,0x00,0xF0,0x26,0x40,0x00,0x71,0x27,0x40,0x00,
0x97,0x20,0x40,0x00,0x0C,0x26,0x40,0x00,0xAB,0x20,0x40,0x00,0x44,0x27,0x40,0x00,
0x00,0x20,0x40,0x00,0xBB,0x25,0x40,0x00,0x55,0x21,0x40,0x00,0xF0,0x26,0x40,0x00,
0x5C,0x20,0x40,0x00,0xE5,0x26,0x40,0x00,0xA8,0x25,0x40,0x00,0xF0,0x26,0x40,0x00,
0x39,0x20,0x40,0x00,0x51,0x26,0x40,0x00,0x32,0x27,0x40,0x00,0x7C,0x20,0x40,0x00,
0x22,0x27,0x40,0x00,0xAA,0x26,0x40,0x00,0x71,0x27,0x40,0x00,0xF0,0x26,0x40,0x00,
0x56,0x27,0x40,0x00,0xD5,0x20,0x40,0x00,0x97,0x20,0x40,0x00,0xCD,0x26,0x40,0x00,
0xBD,0x20,0x40,0x00,0x9B,0x21,0x40,0x00,0x39,0x20,0x40,0x00,0xF0,0x26,0x40,0x00,
0x44,0x27,0x40,0x00,0xD5,0x20,0x40,0x00,0xBB,0x26,0x40,0x00,0xED,0x20,0x40,0x00,
0x5C,0x20,0x40,0x00,0x56,0x27,0x40,0x00,0xD5,0x25,0x40,0x00,0x13,0x20,0x40,0x00,
0x97,0x20,0x40,0x00,0x44,0x26,0x40,0x00,0x2A,0x26,0x40,0x00,0x13,0x20,0x40,0x00,
0xD5,0x25,0x40,0x00,0x4B,0x20,0x40,0x00,0xCD,0x26,0x40,0x00,0x0C,0x26,0x40,0x00,
0x51,0x26,0x40,0x00,0x5C,0x20,0x40,0x00,0x51,0x26,0x40,0x00,0x87,0x21,0x40,0x00,
0xCD,0x20,0x40,0x00,0x44,0x26,0x40,0x00,0x00,0x20,0x40,0x00,0x68,0x26,0x40,0x00,
0xED,0x20,0x40,0x00,0xA8,0x25,0x40,0x00,0x68,0x26,0x40,0x00,0x55,0x21,0x40,0x00,
0x71,0x27,0x40,0x00,0x51,0x26,0x40,0x00,0xAA,0x26,0x40,0x00,0xBD,0x20,0x40,0x00,
0x44,0x27,0x40,0x00,0xBD,0x20,0x40,0x00,0x00,0x20,0x40,0x00,0x13,0x20,0x40,0x00,
0xCD,0x20,0x40,0x00,0x7C,0x20,0x40,0x00,0xED,0x20,0x40,0x00,0x56,0x27,0x40,0x00,
0x22,0x27,0x40,0x00,0xF6,0x25,0x40,0x00,0x5C,0x20,0x40,0x00,0x2A,0x26,0x40,0x00,
0xD5,0x20,0x40,0x00,0xCC,0x25,0x40,0x00,0xCD,0x26,0x40,0x00,0x32,0x27,0x40,0x00,
0x97,0x20,0x40,0x00,0xD5,0x25,0x40,0x00,0x2A,0x26,0x40,0x00,0xED,0x20,0x40,0x00,
0xF0,0x26,0x40,0x00,0x0C,0x26,0x40,0x00,0xD5,0x20,0x40,0x00,0xF6,0x25,0x40,0x00,
0x44,0x27,0x40,0x00,0x7C,0x20,0x40,0x00,0xCD,0x20,0x40,0x00,0xAB,0x20,0x40,0x00,
0x5C,0x20,0x40,0x00,0x44,0x26,0x40,0x00,0x97,0x20,0x40,0x00,0x71,0x27,0x40,0x00,
0xCC,0x25,0x40,0x00,0xCC,0x25,0x40,0x00,0x9B,0x21,0x40,0x00,0x27,0x20,0x40,0x00,
0x51,0x26,0x40,0x00,0x32,0x27,0x40,0x00,0x5C,0x20,0x40,0x00,0x2A,0x26,0x40,0x00,
0xBB,0x25,0x40,0x00,0xCC,0x25,0x40,0x00,0x0C,0x26,0x40,0x00,0xAA,0x26,0x40,0x00,
0x87,0x21,0x40,0x00,0x0C,0x26,0x40,0x00,0x27,0x20,0x40,0x00,0xAB,0x20,0x40,0x00,
0x97,0x20,0x40,0x00,0xCD,0x20,0x40,0x00,0x00,0x20,0x40,0x00,0x2A,0x26,0x40,0x00,
0x56,0x27,0x40,0x00,0x56,0x27,0x40,0x00,0xE5,0x26,0x40,0x00,0xBB,0x26,0x40,0x00,
0xD5,0x25,0x40,0x00,0xCD,0x20,0x40,0x00,0xCD,0x26,0x40,0x00,0x27,0x20,0x40,0x00,
0xED,0x20,0x40,0x00,0x70,0x21,0x40,0x00,0x63,0x27,0x40,0x00,0x44,0x27,0x40,0x00,
0x12,0x21,0x40,0x00,0x63,0x27,0x40,0x00,0x9B,0x21,0x40,0x00,0xCD,0x26,0x40,0x00,
0xED,0x20,0x40,0x00,0x4B,0x20,0x40,0x00,0x08,0x27,0x40,0x00,0x87,0x21,0x40,0x00,
};
INT_PTR CALLBACK DlgProc(HWND hwndDlg, UINT uMsg, WPARAM wParam, LPARAM lParam)
{
    switch (uMsg)
    {
    case WM_INITDIALOG:
    {
        HWND hwndEdit = GetDlgItem(hwndDlg, IDC_EDIT1);
        CHAR szBuffer[16] = { 0 };  // one "%08X " entry; size chosen here
        int nIndex = 0;
        int nAddr = 0;
        // One handler address per bytecode byte (164 bytes in Table 1)
        for (int i = 0; i < 164; ++i)
        {
            if (i % 4 == 0)  // four addresses per output line
            {
                strcat_s(szInfo, "\r\n");
            }
            nIndex = arr1[i];
            // Same lookup as JMP DWORD PTR DS:[EAX*4+0x4021A8]
            nAddr = *(DWORD*)&arr2[nIndex * 4];
            StringCbPrintf(szBuffer, sizeof(szBuffer), "%08X ", nAddr);
            strcat_s(szInfo, szBuffer);
        }
        Edit_SetText(hwndEdit, szInfo);
        break;
    }
    case WM_CLOSE:
    {
        EndDialog(hwndDlg, 0);
        break;
    }
    }
    return FALSE;
}

int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, PSTR szCmdLine, int nCmdShow)
{
    DialogBox(hInstance, MAKEINTRESOURCE(IDD_DIALOG1), NULL, (DLGPROC)DlgProc);
    return 0;
}
