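VMProtect + IDA Pro: a seriously tough round of protection
VMProtect supports manually specifying which functions should get Mutation or Virtualization. By default, however, VMP lists only one function, the entry point, plus the other system APIs. When you cannot obtain a valid map file, there is a very powerful tool that can do the job: IDA Pro.
In IDA Pro, use Products->generate map file, then select all the options (if you really need them), and save the result as appname.map. In VMP, edit the script, Add New Script, and at this point you can……
Sometimes VMP also reports an error: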
MAP file have incorrect timestamp and can not be loaded.
A mapfile is a text file that contains the following information about the program being linked:
The module name, which is the base name of the file
The timestamp from the program file header (not from the file system)
A list of groups in the program, with each group's start address (as section:offset), length, group name, and class
A list of public symbols, with each address (as section:offset), symbol name, flat address, and .obj file where the symbol is defined
The entry point (as section:offset)
msdn: https://msdn.microsoft.com/en-us/library/k7xkk3e2.aspx
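The MAP that IDA generates is very simple, so why would there be a timestamp? After checking the help documentation I found out: the map's modification time must match that of the exe, so a small program that sets the modification time of both the map and the exe is all that is needed.
There is one more small problem: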
Start Length Name Class
0001:00000000 000005504H .rdata DATA
0002:00000000 0000033BCH .data DATA
0003:00000000 0000051E4H .rsrc DATA
0004:00000000 000003D16H .reloc DATA
Comparing with the EXE shows that one section is missing; it is best to add it by hand as well:
Start Length Name Class
0001:00000000 000010025H .text CODE
0002:00000000 000005504H .rdata DATA
0003:00000000 0000033BCH .data DATA
0004:00000000 0000051E4H .rsrc DATA
0005:00000000 000003D16H .reloc DATA
Address Publics by Value
0001:00000000 sub_401000
0001:00000078 wWinMain(x,x,x,x)
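
The two fixes described above (the matching modification time and the missing segment row), as an added example that is not code from the original post: it lists the PE sections that have no row in the map's segment table and copies the EXE's modification time onto the map. The function names, SAMPLE_MAP and the header-only image built by sample_pe are constructed for illustration.

```python
import os, re, struct, sys

# Segment-table row of a map file: "0001:00000000 000005504H .rdata DATA"
SEG_RE = re.compile(r"^\s*[0-9A-Fa-f]{4}:[0-9A-Fa-f]{8}\s+[0-9A-Fa-f]+H\s+(\S+)\s+\S+\s*$")
# Segment table as listed on this page before the manual fix.
SAMPLE_MAP = """ Start Length Name Class
 0001:00000000 000005504H .rdata DATA
 0002:00000000 0000033BCH .data DATA
 0003:00000000 0000051E4H .rsrc DATA
 0004:00000000 000003D16H .reloc DATA
"""

def pe_section_names(data):
    """Return section names in header order from raw PE bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe, = struct.unpack_from("<I", data, 0x3C)        # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    count, = struct.unpack_from("<H", data, pe + 6)   # NumberOfSections
    opt, = struct.unpack_from("<H", data, pe + 20)    # SizeOfOptionalHeader
    table = pe + 24 + opt                             # 40-byte section headers follow
    return [data[o:o + 8].rstrip(b"\0").decode("ascii", "replace") for o in range(table, table + 40 * count, 40)]

def missing_segments(exe_data, map_text):
    """PE sections that have no row in the map's segment table."""
    present = {m.group(1) for m in map(SEG_RE.match, map_text.splitlines()) if m}
    return [n for n in pe_section_names(exe_data) if n not in present]

def sync_mtime(exe_path, map_path):
    """Copy the EXE's access/modification time onto the map file."""
    st = os.stat(exe_path)
    os.utime(map_path, ns=(st.st_atime_ns, st.st_mtime_ns))
    return os.stat(map_path).st_mtime_ns == st.st_mtime_ns

def sample_pe(names):
    """Constructed header-only PE image, for trying the checks offline."""
    dos = bytearray(b"MZ".ljust(0x40, b"\0"))
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + coff + b"".join(n.encode().ljust(40, b"\0") for n in names)

if __name__ == "__main__":
    if len(sys.argv) == 3:                            # usage: script.py app.exe app.map
        exe_path, map_path = sys.argv[1:]
        with open(exe_path, "rb") as f, open(map_path, errors="replace") as g:
            print("missing:", missing_segments(f.read(), g.read()))
        print("mtime synced:", sync_mtime(exe_path, map_path))
    else:                                             # no arguments: constructed sample
        print("missing:", missing_segments(sample_pe([".text", ".rdata", ".data", ".rsrc", ".reloc"]), SAMPLE_MAP))
```

Run it after every rebuild or re-export, since either step changes one of the two modification times.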