其实很简单,因为VMP虚拟的代码太少,导致可以轻易爆破,见下面代码,下一个断点,中断后多次CTRL+F9就可以到下面的代码处,再改一下代码即可爆破了:
0040B803 |> 8D45 E8 lea eax,[local.6]
; ---------------------------------------------------------------------------
; OllyDbg listing (Intel syntax, 32-bit, cdecl) of the CrackMe's prompt/verify
; routine. local.N is OllyDbg's name for the stack slot [ebp-4*N]
; (local.1 = [ebp-4], local.6 = [ebp-0x18], local.7 = [ebp-0x1C]).
; Flow as shown: print prompt -> read one 32-bit integer into local.7 ->
; resolve the validator's real entry (following a leading jmp/call thunk at
; 0040B6D0 if present) -> call validator(input, resolved_entry) ->
; system("pause") -> return 0. Comments translated from the original
; Chinese notes; inferred points are marked as such.
; ---------------------------------------------------------------------------
0040B806 |. 50 push eax ; arg1: &local.6 (from the lea just above)
0040B807 |. E8 8559FFFF call CrackMe.00401191 ; prints the password prompt "请输入密码:" ("enter password:"); original note: wrapper around kernel32.WriteConsoleA, so a WriteConsoleA breakpoint in OD lands here
0040B80C |. 8D4D E4 lea ecx,[local.7] ; ecx = &local.7, the slot the input routine fills
0040B80F |. 51 push ecx ; arg2: &local.7
0040B810 |. 68 18E14000 push CrackMe.0040E118 ; ASCII "%d" -- arg1: format string, one signed 32-bit integer
0040B815 |. E8 7D58FFFF call CrackMe.00401097 ; scanf-style read of a 32-bit integer from the console into local.7 (original note)
0040B81A |. B9 D0B64000 mov ecx,CrackMe.0040B6D0 ; ecx = address of the validation routine (the call at 0040B848)
0040B81F |. 8A09 mov cl,byte ptr ds:[ecx] ; cl = first opcode byte at the validator entry (self-inspection of its own code)
0040B821 |. 83C4 0C add esp,0xC ; drop the three args pushed above (3 * 4 bytes)
0040B824 |. B8 D0B64000 mov eax,CrackMe.0040B6D0 ; default: eax = the raw validator entry
0040B829 |. 80F9 E9 cmp cl,0xE9 ; 0xE9 = opcode of near jmp rel32
0040B82C |. 74 05 je short CrackMe.0040B833 ; entry starts with a jmp thunk -> resolve its target
0040B82E |. 80F9 E8 cmp cl,0xE8 ; 0xE8 = opcode of call rel32
0040B831 |. 75 10 jnz short CrackMe.0040B843 ; neither jmp nor call: keep eax = raw entry
0040B833 |> BA D0B64000 mov edx,CrackMe.0040B6D0 ; edx = entry
0040B838 |. 8B42 01 mov eax,dword ptr ds:[edx+0x1] ; eax = rel32 displacement that follows the E9/E8 byte
0040B83B |. 05 D0B64000 add eax,CrackMe.0040B6D0 ; target = entry + rel32 ...
0040B840 |. 83C0 05 add eax,0x5 ; ... + 5 (length of the jmp/call encoding), i.e. the address the thunk actually lands on
0040B843 |> 50 push eax ; arg2: resolved validator address (presumably where the packer redirected the entry; confirm)
0040B844 |. 8B45 E4 mov eax,[local.7] ; eax = the integer the user typed (original note: it is a plain integer, so the validator call below can be driven in a loop)
0040B847 |. 50 push eax ; arg1: user input
0040B848 |. E8 83FEFFFF call CrackMe.0040B6D0 ; validator(input, resolved_entry): checks the password and prints the verdict (original note)
0040B84D |. 68 1CE14000 push CrackMe.0040E11C ; ASCII "pause" -- original note: the point from which the author patched the code into a loop
0040B852 |. E8 5D58FFFF call CrackMe.004010B4 ; system("pause")
0040B857 |. 8B4D FC mov ecx,[local.1] ; NOTE(review): local.1 ^ ebp followed by the call at 0040B861 looks like the MSVC /GS stack-cookie check -- confirm
0040B85A |. 33CD xor ecx,ebp
0040B85C |. 83C4 0C add esp,0xC ; drop the three args pushed since the last cleanup (resolved_entry, input, "pause")
0040B85F |. 33C0 xor eax,eax ; return value 0
0040B861 |. E8 A557FFFF call CrackMe.0040100B ; presumably __security_check_cookie(ecx) -- confirm
0040B866 |. 8BE5 mov esp,ebp ; epilogue: tear down the frame
0040B868 |. 5D pop ebp
0040B869 \. C3 retn | ; return to caller with eax = 0