April 2015

VMProtect + IDA Pro: building a seriously strong protection

VMProtect lets you choose by hand which functions get Mutation or Virtualization, but by default VMP lists only the entry point and the imported system APIs, because it learns function names and addresses from a linker MAP file. When no usable map file is available, there is one very capable tool that can produce one: IDA Pro.

In IDA Pro use File -> Produce file -> Create MAP file..., select everything (only if you really need all of it), and save it as appname.map. Then edit the VMP script (Add New Script), and at that point you can……

[figure: f1.png]

Sometimes VMP also raises this error:
MAP file have incorrect timestamp and can not be loaded.

MSDN (https://msdn.microsoft.com/en-us/library/k7xkk3e2.aspx) describes a mapfile as a text file that contains the following information about the program being linked:
    The module name, which is the base name of the file
    The timestamp from the program file header (not from the file system)
    A list of groups in the program, with each group's start address (as section:offset), length, group name, and class
    A list of public symbols, with each address (as section:offset), symbol name, flat address, and .obj file where the symbol is defined
    The entry point (as section:offset)

The MAP that IDA generates is very plain, so where would a timestamp come from? After reading the help I found that the map's modification time must match the exe's. Note that the MSDN text above talks about the PE header's TimeDateStamp, but what VMP compared here was the file-system modification time, so a small program that gives the map and the exe the same modification time is enough~ (Keep in mind the map only describes the exe it was generated from: if you rebuild the exe, regenerate the map rather than just re-syncing the times.)

There is one more small problem. The segment table IDA wrote looks like this:

 Start         Length     Name                   Class
 0001:00000000 000005504H .rdata                 DATA
 0002:00000000 0000033BCH .data                  DATA
 0003:00000000 0000051E4H .rsrc                  DATA
 0004:00000000 000003D16H .reloc                 DATA

Compared with the EXE's section table one section (.text) is missing, so it is best to add it by hand as well. Inserting it as 0001 shifts the numbers of the other segments, so make sure the section:offset entries under "Publics by Value" refer to the new numbering (here sub_401000 and wWinMain live in 0001, i.e. .text):

 Start         Length     Name                   Class
 0001:00000000 000010025H .text                  CODE
 0002:00000000 000005504H .rdata                 DATA
 0003:00000000 0000033BCH .data                  DATA
 0004:00000000 0000051E4H .rsrc                  DATA
 0005:00000000 000003D16H .reloc                 DATA


  Address         Publics by Value

 0001:00000000       sub_401000
 0001:00000078       wWinMain(x,x,x,x)
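The two fixes above (syncing the timestamp and filling in the missing section) as an added example, not code from the original post nor from VMProtect or IDA: a Python script that reads the section table and TimeDateStamp straight out of the PE headers, reports the sections an IDA map lacks, rebuilds the map's segment table with them inserted in PE order, and copies the exe's modification time onto the map. The sample PE (headers only, not a real binary) and the sample map text are constructed inline from the section list shown above; the row layout and the class assignment (CODE for sections flagged IMAGE_SCN_CNT_CODE, otherwise DATA) are my assumptions about what VMP expects, and the "Publics by Value" part is deliberately left untouched.

```python
"""Prepare an IDA-generated .map for VMProtect (example added to this post):
1. list the PE sections the map's segment table lacks and rebuild that table;
2. copy the exe's modification time onto the .map (the author's timestamp fix).
Sample data below is constructed for testing; build_sample_pe() is not a real binary.
"""
import os
import re
import struct

IMAGE_SCN_CNT_CODE = 0x00000020  # section Characteristics flag for code

# one row of the map's "Start Length Name Class" table, e.g.
# " 0002:00000000 0000033BCH .data                  DATA"
SEG_RE = re.compile(r"^\s*([0-9A-F]{4}):([0-9A-F]{8})\s+([0-9A-F]+)H\s+(\S+)\s+(\S+)\s*$")


def parse_pe(data):
    """Return (TimeDateStamp, [(name, VirtualSize, Characteristics)]) from the PE headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _machine, nsect, stamp, _symtab, _nsyms, opt_size, _flags = struct.unpack_from("<HHIIIHH", data, coff)
    off = coff + 20 + opt_size  # the section table follows the optional header
    sections = []
    for _ in range(nsect):
        raw_name, vsize, _va, _rawsz, _rawptr, _relocs, _lnums, _nrel, _nlin, chars = \
            struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append((raw_name.rstrip(b"\0").decode("ascii"), vsize, chars))
        off += 40
    return stamp, sections


def map_segments(map_text):
    """Return {name: (length, class)} for the rows of the map's segment table."""
    segs = {}
    for line in map_text.splitlines():
        if "Publics by Value" in line:
            break
        m = SEG_RE.match(line)
        if m:
            segs[m.group(4)] = (int(m.group(3), 16), m.group(5))
    return segs


def missing_sections(map_text, pe_data):
    """Names of PE sections the map does not list (.text in the post's case)."""
    present = map_segments(map_text)
    return [name for name, _, _ in parse_pe(pe_data)[1] if name not in present]


def rebuild_segment_table(map_text, pe_data):
    """Rewrite the segment table so it lists every PE section in PE order, numbered
    0001..N. Length/class come from the map when the section is already there,
    otherwise VirtualSize and CODE/DATA derived from Characteristics (assumption).
    The 'Publics by Value' part is left as-is: check its segment numbers by hand
    if a section was inserted before the ones they refer to."""
    present = map_segments(map_text)
    rows = [" Start         Length     Name                   Class"]
    for i, (name, vsize, chars) in enumerate(parse_pe(pe_data)[1], start=1):
        cls = "CODE" if chars & IMAGE_SCN_CNT_CODE else "DATA"
        length, cls = present.get(name, (vsize, cls))
        rows.append(f" {i:04X}:00000000 {length:09X}H {name:<22} {cls}")
    lines = map_text.splitlines()
    start = next(i for i, l in enumerate(lines) if l.split()[:2] == ["Start", "Length"])
    end = start + 1
    while end < len(lines) and SEG_RE.match(lines[end]):
        end += 1
    return "\n".join(lines[:start] + rows + lines[end:]) + "\n"


def sync_mtime(map_path, exe_path):
    """Give the .map the exe's access/modification times; True if mtimes now match."""
    st = os.stat(exe_path)
    os.utime(map_path, ns=(st.st_atime_ns, st.st_mtime_ns))
    return os.stat(map_path).st_mtime_ns == st.st_mtime_ns


# --- constructed sample data (mirrors the section list in the post) ----------
SAMPLE_SECTIONS = [  # (name, VirtualSize, Characteristics)
    (".text", 0x10025, 0x60000020), (".rdata", 0x5504, 0x40000040),
    (".data", 0x33BC, 0xC0000040), (".rsrc", 0x51E4, 0x40000040),
    (".reloc", 0x3D16, 0x42000040),
]
SAMPLE_STAMP = 0x552D0000  # arbitrary TimeDateStamp for the fake PE


def build_sample_pe(sections=SAMPLE_SECTIONS, stamp=SAMPLE_STAMP):
    """Headers-only PE image (no optional header, no section data) for testing."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), stamp, 0, 0, 0, 0x0102)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), vs, 0x1000 * (i + 1), 0, 0, 0, 0, 0, 0, ch)
                     for i, (n, vs, ch) in enumerate(sections))
    return dos + b"PE\0\0" + coff + table


SAMPLE_MAP = """\
 Start         Length     Name                   Class
 0001:00000000 000005504H .rdata                 DATA
 0002:00000000 0000033BCH .data                  DATA
 0003:00000000 0000051E4H .rsrc                  DATA
 0004:00000000 000003D16H .reloc                 DATA


  Address         Publics by Value

 0001:00000000       sub_401000
 0001:00000078       wWinMain(x,x,x,x)
"""

if __name__ == "__main__":
    pe = build_sample_pe()
    print("PE TimeDateStamp: %#x" % parse_pe(pe)[0])
    print("missing from map:", missing_sections(SAMPLE_MAP, pe))
    print(rebuild_segment_table(SAMPLE_MAP, pe))
```

On a real target, pass the contents of app.map and app.exe to rebuild_segment_table(), write the result back, then call sync_mtime("app.map", "app.exe"). parse_pe() also hands back the header TimeDateStamp the MSDN text refers to, so you can tell which of the two timestamps VMP is actually comparing if the error persists.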