Code:
-=[ ProtectionID v0.6.4.0 JULY]=-
(c) 2003-2010 CDKiLLER & TippeX
Build 07/08/10-17:57:05
Ready...
Scanning -> C:\Program Files\VMProtect Ultimate\VMProtect.exe
File Type : 32-Bit Exe (Subsystem : Win GUI / 2), Size : 4072448 (03E2400h) Byte(s)
[File Heuristics] -> Flag : 00000000000001001100001100000011 (0x0004C303)
[!] VM Protect v1.60 - v2.05 (or newer) detected !
- Scan Took : 0.641 Second(s)
Code:
000985B0: 00 56 4D 20 50 72 6F 74 │ 65 63 74 20 53 63 61 6E VM Protect Scan
000985C0: 2E 2E 2E 00 0D 0A 5B 21 │ 5D 20 56 4D 20 50 72 6F ... ..[!] VM Pro
000985D0: 74 65 63 74 20 25 73 20 │ 64 65 74 65 63 74 65 64 tect %s detected
000985E0: 20 21 00 0D 0A 56 4D 20 │ 50 72 6F 74 65 63 74 20 ! ..VM Protect
000985F0: 25 73 00 76 31 2E 30 30 │ 20 2D 20 76 31 2E 35 30 %s v1.00 - v1.50
00098600: 00 76 31 2E 36 30 20 2D │ 20 76 32 2E 30 35 20 28 v1.60 - v2.05 (
00098610: 6F 72 20 6E 65 77 65 72 │ 29 00 41 20 64 65 62 75 or newer) A debu
00098620: 67 67 65 72 20 68 61 73 │ 20 62 65 65 6E 20 66 6F gger has been fo
00098630: 75 6E 64 20 72 75 6E 6E │ 69 6E 67 20 69 6E 20 79 und running in y
00098640: 6F 75 72 20 73 79 73 74 │ 65 6D 2E 0D 50 6C 65 61 our system..Plea
00098650: 73 65 2C 20 75 6E 6C 6F │ 61 64 20 69 74 20 66 72 se, unload it fr
00098660: 6F 6D 20 6D 65 6D 6F 72 │ 79 20 61 6E 64 20 72 65 om memory and re
00098670: 73 74 61 72 74 20 79 6F │ 75 72 20 70 72 6F 67 72 start your progr
00098680: 61 6D 46 69 6C 65 20 63 │ 6F 72 72 75 70 74 65 64 amFile corrupted
00098690: 21 2E 20 54 68 69 73 20 │ 70 72 6F 67 72 61 6D 20 !. This program
000986A0: 68 61 73 20 62 65 65 6E │ 20 6D 61 6E 69 70 75 6C has been manipul
000986B0: 61 74 65 64 20 61 6E 64 │ 20 6D 61 79 62 65 0D 69 ated and maybe.i
000986C0: 74 27 73 20 69 6E 66 65 │ 63 74 65 64 20 62 79 20 t's infected by
000986D0: 61 20 56 69 72 75 73 20 │ 6F 72 20 63 72 61 63 6B a Virus or crack
000986E0: 65 64 2E 20 54 68 69 73 │ 20 66 69 6C 65 20 77 6F ed. This file wo
000986F0: 6E 27 74 20 77 6F 72 6B │ 20 61 6E 79 6D 6F 72 65 n't work anymore
00098700: 2E 00 54 68 65 20 70 72 │ 6F 63 65 64 75 72 65 20 . The procedure
00098710: 65 6E 74 72 79 20 70 6F │ 69 6E 74 20 25 63 20 63 entry point %c c
00098720: 6F 75 6C 64 20 6E 6F 74 │ 20 62 65 20 6C 6F 63 61 ould not be loca
00098730: 74 65 64 20 69 6E 20 74 │ 68 65 20 64 79 6E 61 6D ted in the dynam
00098740: 69 63 20 6C 69 6E 6B 20 │ 6C 69 62 72 61 72 79 20 ic link library
00098750: 25 73 00 2E 76 6D 70 30 │ 00 00 00 2E 76 6D 74 30 %s .vmp0 .vmt0
00098760: 00 00 00 2E 76 64 74 30 │ 00 00 00 53 D7 49 00 5B .vdt0 S╫I [
Let's check: we load protection_id.exe in OllyDBG, go to address 0049D5B0 (determined from file offset 000985B0) and patch all the loader strings (simply changing one letter in each string). Checking the result:
Code:
-=[ ProtectionID v0.6.4.0 JULY]=-
(c) 2003-2010 CDKiLLER & TippeX
Build 07/08/10-17:57:05
Ready...
Scanning -> C:\Program Files\VMProtect Ultimate\VMProtect.exe
File Type : 32-Bit Exe (Subsystem : Win GUI / 2), Size : 4072448 (03E2400h) Byte(s)
[File Heuristics] -> Flag : 00000000000001001100001100000011 (0x0004C303)
[!] File appears to have no protection or is using an unknown protection
- Scan Took : 0.641 Second(s)
P.S. The "obfuscation" against finding string references also made me smile:
Code:
0045224E 8BFF MOV EDI,EDI
00452250 . 50 PUSH EAX
00452251 . 53 PUSH EBX
00452252 . 68 4F4AE6DE PUSH DEE64A4F ; /Arg1 = DEE64A4F
00452257 . 810424 628B632>ADD DWORD PTR SS:[ESP],21638B62 ; |
0045225E . E8 9998FBFF CALL protecti.0040BAFC ; \protecti.0040BAFC
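Added example, not part of the original post: the PUSH / ADD [ESP] pair in the listing splits one pointer into two constants, and this Python sketch folds such pairs back together and reads the string the result points at. The instruction bytes and the first 20 dump bytes are re-typed from the post as constructed sample input; the function names and the single fixed VA-to-offset delta (taken from the 0049D5B0 / 000985B0 pair) are assumptions of this example.

```python
import struct

# Constructed sample: the six instructions from the listing, re-typed as bytes.
# The ADD immediate is cut off in the byte column, so it is taken from the
# operand shown in the mnemonic (21638B62).
CODE_VA = 0x0045224E
CODE = bytes.fromhex("8BFF" "50" "53" "684F4AE6DE" "810424628B6321" "E89998FBFF")

# First 20 bytes of the hex dump, starting at file offset 000985B0.
DUMP_OFFSET = 0x000985B0
DUMP = bytes.fromhex("00564D2050726F74656374205363616E2E2E2E00")

# Assumption: one fixed VA-to-file-offset delta, derived from the pair given in
# the post (VA 0049D5B0 <-> offset 000985B0). It only holds inside that section.
VA_DELTA = 0x0049D5B0 - 0x000985B0


def resolve_split_pushes(code, base_va):
    """Fold PUSH imm32 + ADD DWORD PTR [ESP], imm32 into (push_va, constant).

    Raw byte-pattern scan, not a disassembler: confirm hits by hand.
    """
    hits, i = [], 0
    while i + 12 <= len(code):
        if code[i] == 0x68 and code[i + 5:i + 8] == b"\x81\x04\x24":
            pushed, = struct.unpack_from("<I", code, i + 1)
            added, = struct.unpack_from("<I", code, i + 8)
            hits.append((base_va + i, (pushed + added) & 0xFFFFFFFF))
            i += 12
        else:
            i += 1
    return hits


def string_at_va(va):
    """Map a VA to a file offset and read the NUL-terminated string from DUMP."""
    start = va - VA_DELTA - DUMP_OFFSET
    if not 0 <= start < len(DUMP):
        raise ValueError("VA %08X is outside the embedded dump" % va)
    end = DUMP.find(b"\x00", start)
    if end == -1:
        end = len(DUMP)
    return DUMP[start:end].decode("ascii")


if __name__ == "__main__":
    for push_va, target in resolve_split_pushes(CODE, CODE_VA):
        print("%08X: Arg1 = %08X -> %r" % (push_va, target, string_at_va(target)))
```

The folded constant lands one byte past the address patched in the post, on the first character of the scanner's own "VM Protect Scan..." string.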