[原创]第二阶段第一题VM代码还原,附虚拟机代码翻译工具
发表于: 2010-11-1 12:47 9244


虚拟机命令列表:

0040D8D0  00401380        00 = vm_ret
0040D8D4  004013C0        01 = vm_mov vm_ELF,ELF
0040D8D8  004013D0        02 = vm_mov ELF,vm_ELF
0040D8DC  004013E0        03 = vm_mov vm_reg[op1],vm_tmp[op2]
0040D8E0  00401430        04 = vm_mov vm_tmp[op1],vm_reg[op2]
0040D8E4  00401480        05 = vm_mov vm_tmp[op1],vm_tmp[op2]
0040D8E8  004014D0        06 = vm_mov vm_tmp[op1],op2
0040D8EC  00401520        07 = vm_mov [vm_tmp[op1]],vm_tmp[op2]
0040D8F0  00401580        08 = vm_mov vm_tmp[op1],[vm_tmp[op2]]
0040D8F4  004015E0        09 = vm_add vm_tmp[0],vm_tmp[1]
0040D8F8  004015F0        0A = vm_sub vm_tmp[0],vm_tmp[1]
0040D8FC  00401600        0B = vm_mul vm_tmp[0],vm_tmp[1]
0040D900  00401640        0C = vm_div vm_tmp[0],vm_tmp[1]
0040D904  00401690        0D = vm_test_ELF op1     op1==0:JMP,1:JZ,2:JNZ,3:JL,4:JBE,>4:no jump
0040D908  00401720        0E = vm_jmp_by_FLAG op1
0040D90C  00401780        0F = vm_addf vm_tmp[0],vm_tmp[1]    set vm_ELF
0040D910  004017F0        10 = vm_subf vm_tmp[0],vm_tmp[1]    set vm_ELF
0040D914  00401860        11 = vm_mulf vm_tmp[0],vm_tmp[1]    set vm_ELF
0040D918  00401920        12 = vm_divf vm_tmp[0],vm_tmp[1]    set vm_ELF
0040D91C  004019E0        13 = vm_testf vm_tmp[0],vm_tmp[1]    set vm_ELF
0040D920  00401A40        14 = vm_andf vm_tmp[0],vm_tmp[1]    set vm_ELF
0040D924  00401AF0        15 = vm_xorf vm_tmp[0],vm_tmp[1]    set vm_ELF
0040D928  00401BA0        16 = vm_orf vm_tmp[0],vm_tmp[1]    set vm_ELF
0040D92C  00401C50        17 = vm_notf vm_tmp[0]    set vm_ELF
0040D930  00401CF0        18 = vm_shrf vm_tmp[0],vm_tmp[1]    set vm_ELF
0040D934  00401DA0        19 = vm_sarf vm_tmp[0],vm_tmp[1]    set vm_ELF
0040D938  00401E50        1A = vm_shlf vm_tmp[0],vm_tmp[1]    set vm_ELF
0040D93C  00401E50        1B = vm_shlf vm_tmp[0],vm_tmp[1]    set vm_ELF
0040D940  00401F00        1C = nop
0040D944  00401F00        1D = nop
0040CDD0  01 00 00 00 00 00 00 00 00 00 00 00  vm_mov vm_ELF,ELF
0040CDE0  04 00 00 00 00 00 00 00 04 00 00 00  vm_mov vm_tmp[0],ESP
0040CDF0  06 00 00 00 01 00 00 00 FC FF FF FF  vm_mov vm_tmp[1],-4
0040CE00  09 00 00 00 00 00 00 00 00 00 00 00  vm_add vm_tmp[0],vm_tmp[1]
0040CE10  03 00 00 00 04 00 00 00 00 00 00 00  vm_mov ESP,vm_tmp[0]
0040CE20  04 00 00 00 01 00 00 00 02 00 00 00  vm_mov vm_tmp[1],ESI
0040CE30  07 00 00 00 00 00 00 00 01 00 00 00  vm_mov [vm_tmp[0]],vm_tmp[1]
push esi

0040CE40  04 00 00 00 00 00 00 00 06 00 00 00  vm_mov vm_tmp[0],EDX
0040CE50  04 00 00 00 01 00 00 00 06 00 00 00  vm_mov vm_tmp[1],EDX
0040CE60  15 00 00 00 00 00 00 00 00 00 00 00  vm_xorf vm_tmp[0],vm_tmp[1]
0040CE70  02 00 00 00 00 00 00 00 00 00 00 00  vm_mov ELF,vm_ELF
0040CE80  03 00 00 00 06 00 00 00 00 00 00 00  vm_mov EDX,vm_tmp[0]
xor edx,edx

0040CE90  06 00 00 00 00 00 00 00 E0 EC 40 00  vm_mov vm_tmp[0],0040ECE0
0040CEA0  03 00 00 00 07 00 00 00 00 00 00 00  vm_mov ECX,vm_tmp[0]
mov ecx,0040ECE0

0040CEB0  04 00 00 00 00 00 00 00 06 00 00 00  vm_mov vm_tmp[0],EDX
0040CEC0  03 00 00 00 08 00 00 00 00 00 00 00  vm_mov EAX,vm_tmp[0]
mov eax,edx

0040CED0  06 00 00 00 00 00 00 00 08 00 00 00  vm_mov vm_tmp[0],8
0040CEE0  03 00 00 00 02 00 00 00 00 00 00 00  vm_mov ESI,vm_tmp[0]
mov esi,8

0040CEF0  04 00 00 00 00 00 00 00 08 00 00 00  vm_mov vm_tmp[0],EAX
0040CF00  06 00 00 00 01 00 00 00 01 00 00 00  vm_mov vm_tmp[1],1
0040CF10  13 00 02 00 00 00 00 00 00 00 00 00  vm_testf byte vm_tmp[0],byte vm_tmp[1]
test al,1

0040CF20  0D 00 00 00 01 00 00 00 00 00 00 00  vm_test_ELF 1
0040CF30  0E 00 00 00 0A 00 00 00 00 00 00 00  vm_jmp_by_FLAG +0A:0040CFE0
jz 0040CFE0

0040CF40  04 00 00 00 00 00 00 00 08 00 00 00  vm_mov vm_tmp[0],EAX
0040CF50  06 00 00 00 01 00 00 00 01 00 00 00  vm_mov vm_tmp[1],1
0040CF60  18 00 00 00 00 00 00 00 00 00 00 00  vm_shrf vm_tmp[0],vm_tmp[1]
0040CF70  03 00 00 00 08 00 00 00 00 00 00 00  vm_mov EAX,vm_tmp[0]
shr eax,1

0040CF80  04 00 00 00 00 00 00 00 08 00 00 00  vm_mov vm_tmp[0],EAX
0040CF90  06 00 00 00 01 00 00 00 20 83 B0 ED  vm_mov vm_tmp[1],EDB08320
0040CFA0  15 00 00 00 00 00 00 00 00 00 00 00  vm_xorf vm_tmp[0],vm_tmp[1]
0040CFB0  03 00 00 00 08 00 00 00 00 00 00 00  vm_mov EAX,vm_tmp[0]
xor eax,EDB08320

0040CFC0  0D 00 00 00 00 00 00 00 00 00 00 00  vm_test_ELF 0
0040CFD0  0E 00 00 00 04 00 00 00 00 00 00 00  vm_jmp_by_FLAG +04:0040D020
jmp 0040D020

0040CFE0  04 00 00 00 00 00 00 00 08 00 00 00  vm_mov vm_tmp[0],EAX
0040CFF0  06 00 00 00 01 00 00 00 01 00 00 00  vm_mov vm_tmp[1],1
0040D000  18 00 00 00 00 00 00 00 00 00 00 00  vm_shrf vm_tmp[0],vm_tmp[1]
0040D010  03 00 00 00 08 00 00 00 00 00 00 00  vm_mov EAX,vm_tmp[0]
shr eax,1

0040D020  04 00 00 00 00 00 00 00 02 00 00 00  vm_mov vm_tmp[0],ESI
0040D030  06 00 00 00 01 00 00 00 01 00 00 00  vm_mov vm_tmp[1],1
0040D040  10 00 00 00 00 00 00 00 00 00 00 00  vm_subf vm_tmp[0],vm_tmp[1]
0040D050  03 00 00 00 02 00 00 00 00 00 00 00  vm_mov ESI,vm_tmp[0]
dec esi

0040D060  0D 00 00 00 02 00 00 00 00 00 00 00  vm_test_ELF 2
0040D070  0E 00 00 00 E7 FF FF FF 00 00 00 00  vm_jmp_by_FLAG FFFFFFE7:0040CEF0
jnz 0040CEF0

0040D080  04 00 00 00 01 00 00 00 08 00 00 00  vm_mov vm_tmp[1],EAX
0040D090  04 00 00 00 00 00 00 00 07 00 00 00  vm_mov vm_tmp[0],ECX
0040D0A0  07 00 00 00 00 00 00 00 01 00 00 00  vm_mov [vm_tmp[0]],vm_tmp[1]
mov [ecx],eax

0040D0B0  04 00 00 00 00 00 00 00 07 00 00 00  vm_mov vm_tmp[0],ECX
0040D0C0  06 00 00 00 01 00 00 00 04 00 00 00  vm_mov vm_tmp[1],4
0040D0D0  0F 00 00 00 00 00 00 00 00 00 00 00  vm_addf vm_tmp[0],vm_tmp[1]
0040D0E0  03 00 00 00 07 00 00 00 00 00 00 00  vm_mov ECX,vm_tmp[0]
add ecx,4

0040D0F0  04 00 00 00 00 00 00 00 06 00 00 00  vm_mov vm_tmp[0],EDX
0040D100  06 00 00 00 01 00 00 00 01 00 00 00  vm_mov vm_tmp[1],1
0040D110  0F 00 00 00 00 00 00 00 00 00 00 00  vm_addf vm_tmp[0],vm_tmp[1]
0040D120  03 00 00 00 06 00 00 00 00 00 00 00  vm_mov EDX,vm_tmp[0]
add edx,1

0040D130  04 00 00 00 00 00 00 00 07 00 00 00  vm_mov vm_tmp[0],ECX
0040D140  06 00 00 00 01 00 00 00 E0 F0 40 00  vm_mov vm_tmp[1],0040F0E0
0040D150  10 00 00 00 00 00 00 00 00 00 00 00  vm_subf vm_tmp[0],vm_tmp[1]
cmp ecx,0040F0E0

0040D160  0D 00 00 00 03 00 00 00 00 00 00 00  vm_test_ELF 3
0040D170  0E 00 00 00 D3 FF FF FF 00 00 00 00  vm_jmp_by_FLAG FFFFFFD3:0040CEB0
jl 0040CEB0

0040D180  04 00 00 00 00 00 00 00 04 00 00 00  vm_mov vm_tmp[0],ESP
0040D190  08 00 00 00 01 00 00 00 00 00 00 00  vm_mov vm_tmp[1],[vm_tmp[0]]
0040D1A0  03 00 00 00 02 00 00 00 01 00 00 00  vm_mov ESI,vm_tmp[1]
0040D1B0  04 00 00 00 00 00 00 00 04 00 00 00  vm_mov vm_tmp[0],ESP
0040D1C0  06 00 00 00 01 00 00 00 04 00 00 00  vm_mov vm_tmp[1],4
0040D1D0  09 00 00 00 00 00 00 00 00 00 00 00  vm_add vm_tmp[0],vm_tmp[1]
0040D1E0  03 00 00 00 04 00 00 00 00 00 00 00  vm_mov ESP,vm_tmp[0]
pop esi

0040D1F0  04 00 00 00 00 00 00 00 04 00 00 00  vm_mov vm_tmp[0],ESP
0040D200  08 00 00 00 07 00 00 00 00 00 00 00  vm_mov vm_tmp[7],[vm_tmp[0]]
0040D210  04 00 00 00 00 00 00 00 04 00 00 00  vm_mov vm_tmp[0],ESP
0040D220  06 00 00 00 01 00 00 00 04 00 00 00  vm_mov vm_tmp[1],4
0040D230  09 00 00 00 00 00 00 00 00 00 00 00  vm_add vm_tmp[0],vm_tmp[1]
0040D240  03 00 00 00 04 00 00 00 00 00 00 00  vm_mov ESP,vm_tmp[0]
pop vm_ret_addr

0040D250  02 00 00 00 00 00 00 00 00 00 00 00  vm_mov ELF,vm_ELF
0040D260  00 00 00 00 00 00 00 00 00 00 00 00  vm_ret
ret
; Restored x86 for the VM routine dumped above (0040CDD0-0040D260).
; Intel syntax, every number is hex; the "NNNNNNNN:" labels are the VM-code
; addresses of the jump targets.
; Shape: outer loop writes one dword per pass from 0040ECE0 up to 0040F0E0
; (0x400 bytes = 256 entries, edx = entry index); inner loop does 8 rounds of
; "shift right, and xor with the constant when the low bit was set".
; That is the reflected CRC-32 table-generation loop, but the constant is
; EDB08320, one nibble off the standard reflected CRC-32 polynomial EDB88320,
; so the resulting table does not match a stock CRC-32 table — match on the
; constant, not on the algorithm name.
push esi
xor edx,edx                             ; edx = table index, starts at 0
mov ecx,0040ECE0                        ; ecx = address of entry 0
0040CEB0:                               ; outer loop: one table entry per pass
mov eax,edx                             ; eax = index, shifted/xored 8 times below
mov esi,8                               ; esi = rounds left for this entry
0040CEF0:                               ; inner loop
test al,1
jz 0040CFE0
shr eax,1
xor eax,EDB08320                        ; low bit was set: shift, then xor the constant
jmp 0040D020
0040CFE0:
shr eax,1                               ; low bit clear: shift only
0040D020:
dec esi                                 ; vm_subf vm_tmp[0],1 in the dump (sets vm_ELF)
jnz 0040CEF0
mov [ecx],eax                           ; table[index] = eax
add ecx,4
add edx,1
cmp ecx,0040F0E0                        ; one past the last entry
jl 0040CEB0                             ; vm_test_ELF 3 = JL (signed); kept as the VM does it
pop esi
pop vm_ret_addr                         ; not x86: the VM pops its return address into vm_tmp[7]
ret
0040D948  01 00 00 00 00 00 00 00 00 00 00 00   vm_mov vm_ELF,ELF
0040D958  04 00 00 00 00 00 00 00 04 00 00 00   vm_mov vm_tmp[0],ESP
0040D968  06 00 00 00 01 00 00 00 FC FF FF FF   vm_mov vm_tmp[1],FFFFFFFC
0040D978  09 00 00 00 00 00 00 00 00 00 00 00   vm_add vm_tmp[0],vm_tmp[1]
0040D988  03 00 00 00 04 00 00 00 00 00 00 00   vm_mov ESP,vm_tmp[0]
0040D998  04 00 00 00 01 00 00 00 02 00 00 00   vm_mov vm_tmp[1],ESI
0040D9A8  07 00 00 00 00 00 00 00 01 00 00 00   vm_mov [vm_tmp[0]],vm_tmp[1]
push esi

0040D9B8  04 00 00 00 00 00 00 00 03 00 00 00   vm_mov vm_tmp[0],EBP
0040D9C8  06 00 00 00 01 00 00 00 30 00 00 00   vm_mov vm_tmp[1],00000030
0040D9D8  0A 00 00 00 00 00 00 00 00 00 00 00   vm_sub vm_tmp[0],vm_tmp[1]
0040D9E8  08 00 00 00 00 00 00 00 00 00 00 00   vm_mov vm_tmp[0],[vm_tmp[0]]
0040D9F8  03 00 00 00 02 00 00 00 00 00 00 00   vm_mov ESI,vm_tmp[0]
mov esi,[ebp-30]

0040DA08  04 00 00 00 00 00 00 00 02 00 00 00   vm_mov vm_tmp[0],ESI
0040DA18  06 00 00 00 01 00 00 00 08 00 00 00   vm_mov vm_tmp[1],00000008
0040DA28  09 00 00 00 00 00 00 00 00 00 00 00   vm_add vm_tmp[0],vm_tmp[1]
0040DA38  08 00 00 00 00 00 00 00 00 00 00 00   vm_mov vm_tmp[0],[vm_tmp[0]]
0040DA48  03 00 00 00 08 00 00 00 00 00 00 00   vm_mov EAX,vm_tmp[0]
mov eax,[esi+8]

0040DA58  04 00 00 00 00 00 00 00 04 00 00 00   vm_mov vm_tmp[0],ESP
0040DA68  06 00 00 00 01 00 00 00 FC FF FF FF   vm_mov vm_tmp[1],FFFFFFFC
0040DA78  09 00 00 00 00 00 00 00 00 00 00 00   vm_add vm_tmp[0],vm_tmp[1]
0040DA88  03 00 00 00 04 00 00 00 00 00 00 00   vm_mov ESP,vm_tmp[0]
0040DA98  04 00 00 00 01 00 00 00 08 00 00 00   vm_mov vm_tmp[1],EAX
0040DAA8  07 00 00 00 00 00 00 00 01 00 00 00   vm_mov [vm_tmp[0]],vm_tmp[1]
push eax

0040DAB8  04 00 00 00 00 00 00 00 02 00 00 00   vm_mov vm_tmp[0],ESI
0040DAC8  03 00 00 00 08 00 00 00 00 00 00 00   vm_mov EAX,vm_tmp[0]
mov eax,esi

0040DAD8  04 00 00 00 00 00 00 00 08 00 00 00   vm_mov vm_tmp[0],EAX
0040DAE8  06 00 00 00 01 00 00 00 10 00 00 00   vm_mov vm_tmp[1],00000010
0040DAF8  0F 00 00 00 00 00 00 00 00 00 00 00   vm_addf vm_tmp[0],vm_tmp[1]
0040DB08  03 00 00 00 08 00 00 00 00 00 00 00   vm_mov EAX,vm_tmp[0]
add eax,10

0040DB18  04 00 00 00 00 00 00 00 04 00 00 00   vm_mov vm_tmp[0],ESP
0040DB28  06 00 00 00 01 00 00 00 FC FF FF FF   vm_mov vm_tmp[1],FFFFFFFC
0040DB38  09 00 00 00 00 00 00 00 00 00 00 00   vm_add vm_tmp[0],vm_tmp[1]
0040DB48  03 00 00 00 04 00 00 00 00 00 00 00   vm_mov ESP,vm_tmp[0]
0040DB58  04 00 00 00 01 00 00 00 08 00 00 00   vm_mov vm_tmp[1],EAX
0040DB68  07 00 00 00 00 00 00 00 01 00 00 00   vm_mov [vm_tmp[0]],vm_tmp[1]
push eax

0040DB78  02 00 00 00 00 00 00 00 00 00 00 00   vm_mov ELF,vm_ELF
; Restored x86 for the VM routine dumped above (0040D948-0040DB78).
; Intel syntax, numbers are hex (30 = 30h, 10 = 10h).
; This dump ends with vm_mov ELF,vm_ELF (opcode 02) and has no vm_ret, so the
; block is only a fragment: after the two pushes control presumably leaves the
; VM, and whatever consumes the two pushed values is not part of this listing.
push esi
mov esi,[ebp-30]                        ; local of the enclosing native frame (ebp-30h)
mov eax,[esi+8]
push eax                                ; 1st pushed value: [esi+8]
mov eax,esi
add eax,10                              ; vm_addf with 00000010 (sets vm_ELF)
push eax                                ; 2nd pushed value: esi+10h


最新回复 (7)
2
翻译得比较彻底
我觉得 1C 和 1D 应该等效于 nop 操作,而不是 ret
2010-11-1 13:11
3
来膜拜的
2010-11-1 13:16
4
我也来贴一个
; Tool output for the first VM routine (40cdc0-40d260), one VM instruction per
; line, address first. R0..R7 are the VM's temporary registers; numbers carry
; an "h" suffix. Mapping to the opcode table in the original post (same
; addresses): pushfd = 01 (vm_mov vm_ELF,ELF), popfd = 02 (vm_mov ELF,vm_ELF),
; "test eflags" = 0D, jcc = 0E, enter/leave = 00 (vm_ret).
; What it computes: 256 dwords at 0040ece0..0040f0e0, entry edx produced by 8
; rounds of shr-by-1 with an xor of edb08320h when the low bit was set — the
; reflected CRC-32 table-build shape, but with a non-standard constant.
40cdc0: pushfd
40cdd0: pushfd
40cde0: mov R0,esp
40cdf0: mov R1,fffffffch
40ce00: add R0,R1
40ce10: mov esp,R0                      ; esp -= 4
40ce20: mov R1,esi
40ce30: mov dword ptr [R0],R1           ; [esp] = esi   (push esi)
40ce40: mov R0,edx
40ce50: mov R1,edx
40ce60: xor R0,R1
40ce70: popfd
40ce80: mov edx,R0                      ; edx = 0, the table index
40ce90: mov R0,0040ece0h
40cea0: mov ecx,R0                      ; ecx = address of entry 0
40ceb0: mov R0,edx                      ; outer loop head
40cec0: mov eax,R0
40ced0: mov R0,00000008h
40cee0: mov esi,R0                      ; esi = 8 rounds
40cef0: mov R0,eax                      ; inner loop head
40cf00: mov R1,00000001h
40cf10: test R0,R1                      ; low bit of eax
40cf20: test eflags
40cf30: jcc 40cfe0h                     ; condition not decoded by the tool (jz in the original post)
40cf40: mov R0,eax
40cf50: mov R1,00000001h
40cf60: shr R0,R1
40cf70: mov eax,R0
40cf80: mov R0,eax
40cf90: mov R1,edb08320h
40cfa0: xor R0,R1                       ; eax = (eax >> 1) ^ edb08320h
40cfb0: mov eax,R0
40cfc0: test eflags
40cfd0: jcc 40d020h                     ; unconditional in the original post (vm_test_ELF 0)
40cfe0: mov R0,eax
40cff0: mov R1,00000001h
40d000: shr R0,R1                       ; eax >>= 1
40d010: mov eax,R0
40d020: mov R0,esi
40d030: mov R1,00000001h
40d040: sub R0,R1
40d050: mov esi,R0                      ; esi -= 1
40d060: test eflags
40d070: jcc 40cef0h                     ; loop while esi != 0
40d080: mov R1,eax
40d090: mov R0,ecx
40d0a0: mov dword ptr [R0],R1           ; [ecx] = eax
40d0b0: mov R0,ecx
40d0c0: mov R1,00000004h
40d0d0: add R0,R1
40d0e0: mov ecx,R0                      ; ecx += 4
40d0f0: mov R0,edx
40d100: mov R1,00000001h
40d110: add R0,R1
40d120: mov edx,R0                      ; edx += 1
40d130: mov R0,ecx
40d140: mov R1,0040f0e0h
40d150: sub R0,R1                       ; flags of ecx - 0040f0e0h
40d160: test eflags
40d170: jcc 40ceb0h                     ; loop while ecx < 0040f0e0h
40d180: mov R0,esp
40d190: mov R1,dword ptr [R0]
40d1a0: mov esi,R1
40d1b0: mov R0,esp
40d1c0: mov R1,00000004h
40d1d0: add R0,R1
40d1e0: mov esp,R0                      ; pop esi
40d1f0: mov R0,esp
40d200: mov R7,dword ptr [R0]           ; R7 = return address
40d210: mov R0,esp
40d220: mov R1,00000004h
40d230: add R0,R1
40d240: mov esp,R0
40d250: popfd
40d260: enter/leave                     ; leave the VM (vm_ret)
; Second VM routine (40d270-40d8c0): a byte-wise, table-driven checksum over a
; buffer. Reading the stack slots as they are used: [esp+0ch] after the push
; becomes esi and is the loop counter (length); [esp+8] becomes ecx and is the
; byte pointer (buffer). Which caller argument each slot is depends on how the
; VM is entered — verify against the native caller.
; Structure is that of reflected CRC-32 with the table at 0040ece0h:
; init eax = ffffffffh; per byte: idx = (eax ^ byte) & ff, eax = (eax >> 8)
; OP table[idx]; final not eax. OP at 40d670 is "or", not the "xor" a CRC
; would use; the reply text names "or eax,edx" and "sub esi,1" as its two
; patch sites.
40d270: pushfd
40d280: mov R0,esp
40d290: mov R1,fffffffch
40d2a0: add R0,R1
40d2b0: mov esp,R0
40d2c0: mov R1,esi
40d2d0: mov dword ptr [R0],R1           ; push esi
40d2e0: mov R0,esp
40d2f0: mov R1,0000000ch
40d300: add R0,R1
40d310: mov R0,dword ptr [R0]
40d320: mov esi,R0                      ; esi = [esp+0ch]  (byte count)
40d330: mov R0,eax
40d340: mov R1,ffffffffh
40d350: or R0,R1
40d360: mov eax,R0                      ; eax = ffffffffh  (initial value)
40d370: mov R0,esi
40d380: mov R1,esi
40d390: test R0,R1
40d3a0: test eflags
40d3b0: jcc 40d7b0h                     ; zero-length: skip straight to the final not
40d3c0: mov R0,esp
40d3d0: mov R1,00000008h
40d3e0: add R0,R1
40d3f0: mov R0,dword ptr [R0]
40d400: mov ecx,R0                      ; ecx = [esp+8]  (byte pointer)
40d410: mov R0,esp
40d420: mov R1,fffffffch
40d430: add R0,R1
40d440: mov esp,R0
40d450: mov R1,ebx
40d460: mov dword ptr [R0],R1           ; push ebx
40d470: mov R0,eax                      ; loop head, one input byte per pass
40d480: mov edx,R0                      ; edx = eax
40d490: mov R0,ebx
40d4a0: mov R1,ebx
40d4b0: xor R0,R1
40d4c0: popfd
40d4d0: mov ebx,R0                      ; ebx = 0
40d4e0: mov R0,ecx
40d4f0: mov R0,byte ptr [R0]
40d500: mov ebx,R0                      ; ebx = byte at [ecx]
40d510: mov R0,edx
40d520: mov R1,000000ffh
40d530: and R0,R1
40d540: mov edx,R0                      ; edx &= ffh
40d550: mov R0,edx
40d560: mov R1,ebx
40d570: xor R0,R1
40d580: popfd
40d590: mov edx,R0                      ; edx ^= byte  (table index)
40d5a0: mov R0,eax
40d5b0: mov R1,00000008h
40d5c0: shr R0,R1
40d5d0: mov eax,R0                      ; eax >>= 8
40d5e0: mov R0,edx
40d5f0: mov R1,00000004h
40d600: mul R0,R1
40d610: mov R1,0040ece0h
40d620: add R0,R1
40d630: mov R0,dword ptr [R0]
40d640: mov edx,R0                      ; edx = table[idx] from 0040ece0h
40d650: mov R0,eax
40d660: mov R1,edx
40d670: or R0,R1                        ; combine with "or" — a CRC would xor here
40d680: popfd
40d690: mov eax,R0
40d6a0: mov R0,ecx
40d6b0: mov R1,00000001h
40d6c0: add R0,R1
40d6d0: mov ecx,R0                      ; ecx += 1
40d6e0: mov R0,esi
40d6f0: mov R1,00000001h
40d700: sub R0,R1
40d710: mov esi,R0                      ; esi -= 1
40d720: test eflags
40d730: jcc 40d470h                     ; loop while esi != 0
40d740: mov R0,esp
40d750: mov R1,dword ptr [R0]
40d760: mov ebx,R1
40d770: mov R0,esp
40d780: mov R1,00000004h
40d790: add R0,R1
40d7a0: mov esp,R0                      ; pop ebx
40d7b0: mov R0,eax
40d7c0: not R0
40d7d0: mov eax,R0                      ; eax = ~eax  (final complement)
40d7e0: mov R0,esp
40d7f0: mov R1,dword ptr [R0]
40d800: mov esi,R1
40d810: mov R0,esp
40d820: mov R1,00000004h
40d830: add R0,R1
40d840: mov esp,R0                      ; pop esi
40d850: mov R0,esp
40d860: mov R7,dword ptr [R0]           ; R7 = return address
40d870: mov R0,esp
40d880: mov R1,00000004h
40d890: add R0,R1
40d8a0: mov esp,R0
40d8b0: popfd
40d8c0: enter/leave                     ; leave the VM (vm_ret)
; Third VM routine (40d948-40db78): reads a local of the native frame and
; pushes two values derived from it. It ends with popfd and no enter/leave,
; so what consumes the two pushed values happens outside this listing.
40d948: pushfd
40d958: mov R0,esp
40d968: mov R1,fffffffch
40d978: add R0,R1
40d988: mov esp,R0
40d998: mov R1,esi
40d9a8: mov dword ptr [R0],R1           ; push esi
40d9b8: mov R0,ebp
40d9c8: mov R1,00000030h
40d9d8: sub R0,R1
40d9e8: mov R0,dword ptr [R0]
40d9f8: mov esi,R0                      ; esi = [ebp-30h]
40da08: mov R0,esi
40da18: mov R1,00000008h
40da28: add R0,R1
40da38: mov R0,dword ptr [R0]
40da48: mov eax,R0                      ; eax = [esi+8]
40da58: mov R0,esp
40da68: mov R1,fffffffch
40da78: add R0,R1
40da88: mov esp,R0
40da98: mov R1,eax
40daa8: mov dword ptr [R0],R1           ; push eax   ([esi+8])
40dab8: mov R0,esi
40dac8: mov eax,R0
40dad8: mov R0,eax
40dae8: mov R1,00000010h
40daf8: add R0,R1
40db08: mov eax,R0                      ; eax = esi + 10h
40db18: mov R0,esp
40db28: mov R1,fffffffch
40db38: add R0,R1
40db48: mov esp,R0
40db58: mov R1,eax
40db68: mov dword ptr [R0],R1           ; push eax   (esi+10h)
40db78: popfd
; Fourth VM routine (40db88-40dd18). It starts by adding 8 to esp — the size
; of the two values pushed by the routine at 40d948 — which suggests a native
; call between the two (not visible here; confirm in the binary). It then
; compares eax with [esi+0ch] and, on one branch outcome, writes 1 to the
; native local [ebp-2ch]; the jcc condition is not decoded by the tool.
40db88: pushfd
40db98: mov R0,esp
40dba8: mov R1,00000008h
40dbb8: add R0,R1
40dbc8: mov esp,R0                      ; esp += 8
40dbd8: mov R0,esi
40dbe8: mov R1,0000000ch
40dbf8: add R0,R1
40dc08: mov R1,dword ptr [R0]           ; R1 = [esi+0ch]
40dc18: mov R0,eax
40dc28: sub R0,R1                       ; flags of eax - [esi+0ch]
40dc38: test eflags
40dc48: jcc 40dca8h                     ; taken: leave [ebp-2ch] untouched
40dc58: mov R0,ebp
40dc68: mov R1,0000002ch
40dc78: sub R0,R1
40dc88: mov R1,00000001h
40dc98: mov dword ptr [R0],R1           ; [ebp-2ch] = 1
40dca8: mov R0,esp
40dcb8: mov R1,dword ptr [R0]
40dcc8: mov esi,R1
40dcd8: mov R0,esp
40dce8: mov R1,00000004h
40dcf8: add R0,R1
40dd08: mov esp,R0                      ; pop esi
40dd18: popfd

enter/leave 表示进入或离开 VM。R0~R7 是临时寄存器;跳转指令(jcc 的具体条件)没有分析出来。
patch 只用了两字节:or eax,edx;sub esi,1。
可以自己手动翻译为x86指令:
如:
40cde0: mov R0,esp
40cdf0: mov R1,fffffffch    =>add esp,-4
40ce00: add R0,R1
2010-11-1 13:26
5
说的很对,后面几个VM指令都没在程序中用到,我就没仔细看,感谢提醒
2010-11-1 13:37
6
干净漂亮,赞一个!
2010-11-1 14:45
7
的确不错,还原得彻底
2010-11-1 14:55
8
我是来膜拜的
2010-11-2 23:00