[原创]这么热闹，我也来发个第二轮第一题的分析-软件逆向-看雪-安全社区|安全招聘|kanxue.com

[原创]这么热闹，我也来发个第二轮第一题的分析

2010-11-1 14:00 6343

[原创]这么热闹，我也来发个第二轮第一题的分析

wuwenyao

2010-11-1 14:00

6343

虚拟机分析：

虚拟机循环：

004012DB  |. /EB 03       jmp    short 004012E0
004012DD  |  |8D49 00    lea    ecx, dword ptr [ecx]
004012E0  |> \8B46 68    /mov    eax, dword ptr [esi+68]       ;  V_eip
004012E3  |.  0FB608       |movzx ecx, byte ptr [eax]          ;  虚指令代码，byte
004012E6  |.  8B148D D0D840>|mov    edx, dword ptr [ecx*4+40D8D0] ;  40D8D0虚指令表
004012ED  |.  56          |push esi                            ;  vcontext指针
004012EE  |.  FFD2       |call edx                            ;  执行虚指令
004012F0  |.  8346 68 10 |add    dword ptr [esi+68], 10       ;  DF20+0x10
004012F4  |.  397E 68    |cmp    dword ptr [esi+68], edi
004012F7  |.^ 72 E7       \jb    short 004012E0
004012F9  |>  8B86 BC000000 mov    eax, dword ptr [esi+BC]
004012FF  |.  56          push esi
00401300  |.  8946 5C    mov    dword ptr [esi+5C], eax
00401303  |.  FF15 D0D84000 call dword ptr [40D8D0]             ;  verify1.00401380
00401309  |.  5F          pop    edi
0040130A  |.  5E          pop    esi
0040130B  |.  5D          pop    ebp
0040130C  \.  C3          retn

上下文：

以下为例:

0040DEB8  00000246 0 EFLAGS
0040DEBC  7C930228    4 EDI
0040DEC0  00000000 8 ESI
0040DEC4  0012FF6C C EBP
0040DEC8  0012FF28 10 ESP
0040DECC  7FFDE000 14 EBX
0040DED0  7C92E514    18 EDX
0040DED4  003C0000 1C ECX
0040DED8  003C0000 20 EAX
0040DEDC  00000000 24
0040DEE0  00000000 28
0040DEE4  00000000 2C
0040DEE8  00000000 30
0040DEEC  00000000 34
0040DEF0  00000000 38
0040DEF4  00000000 3C
0040DEF8  00000000 40 虚寄存器0，记为VEAX
0040DEFC  00000000 44 虚寄存器1，记为VECX
0040DF00  00000000 48 虚寄存器2，记为VEDX //除法用到
0040DF04  00000000 4C 虚寄存器3，记为VEBX
0040DF08  00000000 50 虚寄存器4，记为VEBP
0040DF0C  00000000 54 虚寄存器5，记为VESI
0040DF10  00000000 58 虚寄存器6，记为VEDI
0040DF14  00401F4D    5C 返回地址
0040DF18  00000000 60 虚标志寄存器，记为VEFLAGS
0040DF1C  00000000 64 跳转标志
0040DF20  0040CDD0    68 虚指令指针，记为VEIP
0040DF24  0040CDD0    6C 虚代码首指针
0040DF28  000004A0 70 虚代码段长度
0040DF2C  00000000 74
0040DF30  00000000 78
0040DF34  00000000 7C
0040DF38  00400000    80 系统较验位
0040DF3C  00400000    84
0040DF40  00000000 88
0040DF44  00000000 8C
0040DF48  00000000 90
0040DF4C  00000001 94 进入临界区标志

虚指令入口表：

0040D8D0  00401380  Entry address
0040D8D4  004013C0  verify1.004013C0    01
0040D8D8  004013D0  verify1.004013D0 02
0040D8DC  004013E0  verify1.004013E0 03
0040D8E0  00401430  verify1.00401430 04
0040D8E4  00401480  verify1.00401480 05
0040D8E8  004014D0  verify1.004014D0 06
0040D8EC  00401520  verify1.00401520 07
0040D8F0  00401580  verify1.00401580 08
0040D8F4  004015E0  verify1.004015E0 09
0040D8F8  004015F0  verify1.004015F0 0A
0040D8FC  00401600  verify1.00401600 0B
0040D900  00401640  verify1.00401640 0C
0040D904  00401690  verify1.00401690 0D
0040D908  00401720  verify1.00401720 0E
0040D90C  00401780  verify1.00401780 0F
0040D910  004017F0  verify1.004017F0 10
0040D914  00401860  verify1.00401860 11
0040D918  00401920  verify1.00401920 12
0040D91C  004019E0  verify1.004019E0 13
0040D920  00401A40  verify1.00401A40 14
0040D924  00401AF0  verify1.00401AF0 15
0040D928  00401BA0  verify1.00401BA0 16
0040D92C  00401C50  verify1.00401C50 17
0040D930  00401CF0  verify1.00401CF0 18
0040D934  00401DA0  verify1.00401DA0 19
0040D938  00401E50  verify1.00401E50 1A
0040D93C  00401E50  verify1.00401E50 1B //和1A指向同一个入口
0040D940  00401F00  verify1.00401F00 1C
0040D944  00401F00  verify1.00401F00 1D //和1C指向同一个入口

虚指令：

以下为例：

0040CDF0  06 00 00 00 01 00 00 00 FC FF FF FF 00 00 00 00    mov vecx,0xfffffffc
虚指令由16个byte组成
第1个byte代表OPCODE，做为下标由虚指令表进入函数入口
第2个byte只在0E指令中使用，用来标识是相对veip跳转(0)，还是相对段指针跳转(1),还是跳到其他段(2)
后面1个字表示是双字操作(0),还是字操作(1),还是字节操作(2)
后面2个双字为operand,根据指令的不同，代表寄存器代码，虚寄存器代码，立即数，跳转相对量或地址以及置位条件，具体见后文
最后1个双字未用

01 虚指令：LVFF ;Veflags<-eflags
02 虚指令：SVFF ;eflags<-veflags
03 虚指令：MOV 寄存器，虚寄存器
04 虚指令：MOV 虚寄存器，寄存器
05 虚指令：MOV 虚寄存器，虚寄存器
06 虚指令：MOV 虚寄存器，立即数
07 虚指令：MOV [虚寄存器]，虚寄存器
08 虚指令：MOV 虚寄存器，[虚寄存器]
09 虚指令：ADD
0A 虚指令：SUB
0B 虚指令：MUL
0C 虚指令：DIV
0D 虚指令：SET code;置位,根据VEFLAGS设置DF1C,code: 0:置1，1:根据zf置位，2：根据~zf置位，3:根据sf^of置位，4：根据zf&cf置位
0E 虚指令：JZ  地址；条件跳转，近跳转，远跳转，跨段跳转
0F 虚指令：ADD  置Veflags
10 虚指令：SUB  置Veflags
11 虚指令：MUL  置Veflags
12 虚指令：DIV  置Veflags
13 虚指令：TEST 置Veflags
14 虚指令：AND  置Veflags
15 虚指令：XOR  置Veflags
16 虚指令：OR 置Veflags
17 虚指令：NOT  置Veflags
18 虚指令：SHR  置Veflags
19 虚指令：SAR  置Veflags
1A 虚指令：SHL  置Veflags
1B 虚指令：SHL  置Veflags
1C 虚指令：NOP
1D 虚指令：NOP

虚拟机opcode分析：

0040DEB8  00000246
0040DEBC  7C930228  ntdll.7C930228
0040DEC0  00000000
0040DEC4  0012FF6C
0040DEC8  0012FF28
0040DECC  7FFDE000
0040DED0  7C92E514  ntdll.KiFastSystemCallRet
0040DED4  003C0000
0040DED8  003C0000
0040DEDC  00000000
0040DEE0  00000000
0040DEE4  00000000
0040DEE8  00000000
0040DEEC  00000000
0040DEF0  00000000
0040DEF4  00000000
0040DEF8  00000000
0040DEFC  00000000
0040DF00  00000000
0040DF04  00000000
0040DF08  00000000
0040DF0C  00000000
0040DF10  00000000
0040DF14  00401F4D  verify1.00401F4D
0040DF18  00000000
0040DF1C  00000000
0040DF20  0040CDD0  verify1.0040CDD0
0040DF24  0040CDD0  verify1.0040CDD0
0040DF28  000004A0
0040DF2C  00000000
0040DF30  00000000
0040DF34  00000000
0040DF38  00400000  verify1.00400000
0040DF3C  00400000  verify1.00400000
0040DF40  00000000
0040DF44  00000000
0040DF48  00000000
0040DF4C  00000001

0012FF28  00401123  verify1.00401123
0012FF2C  ACD64F6A
0012FF30  7C930228  ntdll.7C930228
0012FF34  00000000
0012FF38  7FFD7000
0012FF3C  003C0000

0040CDD0  01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 lvff
0040CDE0  04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00    mov veax,esp
0040CDF0  06 00 00 00 01 00 00 00 FC FF FF FF 00 00 00 00    mov vecx,0xfffffffc
0040CE00  09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    add
0040CE10  03 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00    mov esp,evax
0040CE20  04 00 00 00 01 00 00 00 02 00 00 00 00 00 00 00    mov vecx,esi
0040CE30  07 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00    mov [veax],vecx push esi
0040CE40  04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00    mov veax,edx
0040CE50  04 00 00 00 01 00 00 00 06 00 00 00 00 00 00 00    mov vecx,edx
0040CE60  15 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    xor
0040CE70  02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00      svff
0040CE80  03 00 00 00 06 00 00 00 00 00 00 00 00 00 00 00    mov edx,veax xor edx,edx
0040CE90  06 00 00 00 00 00 00 00 E0 EC 40 00 00 00 00 00    mov veax,0x0040ECE0
0040CEA0  03 00 00 00 07 00 00 00 00 00 00 00 00 00 00 00    mov ecx,veax mov ecx,0x40ECE0
0040CEB0  04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00    mov veax,edx
0040CEC0  03 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00    mov eax,veax mov eax,edx
0040CED0  06 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00    mov veax,0x08
0040CEE0  03 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00    mov esi,veax mov esi,8
0040CEF0  04 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00    mov veax,eax
0040CF00  06 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00    mov vecx,0x01
0040CF10  13 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00    test byte test al,1
0040CF20  0D 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00    set 1
0040CF30  0E 00 00 00 0A 00 00 00 00 00 00 00 00 00 00 00    jz 0040CFE0 jz 0040CFE0
0040CF40  04 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00    mov veax,eax
0040CF50  06 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00    mov vecx,0x01
0040CF60  18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    shr
0040CF70  03 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00    mov eax,veax shr eax,1
0040CF80  04 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00    mov veax,eax
0040CF90  06 00 00 00 01 00 00 00 20 83 B0 ED 00 00 00 00    mov vecx,0xEDB08320
0040CFA0  15 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    xor
0040CFB0  03 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00    mov eax,veax xor eax,0xEDB08320
0040CFC0  0D 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    set 0
0040CFD0  0E 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00    jz 0040D020 jmp 0040D020
0040CFE0  04 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00    mov veax,eax
0040CFF0  06 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00    mov vecx,0x01
0040D000  18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    shr
0040D010  03 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00    mov eax,veax shr eax,1
0040D020  04 00 00 00 00 00 00 00 02 00 00 00 00 00 00 00    mov veax,esi
0040D030  06 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00    mov vecx,0x01
0040D040  10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    sub
0040D050  03 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00    mov esi,veax sub esi,1
0040D060  0D 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00    set 2
0040D070  0E 00 00 00 E7 FF FF FF 00 00 00 00 00 00 00 00    jz 0040CEF0 jnz 0040CEF0
0040D080  04 00 00 00 01 00 00 00 08 00 00 00 00 00 00 00    mov vecx,eax
0040D090  04 00 00 00 00 00 00 00 07 00 00 00 00 00 00 00    mov veax,ecx
0040D0A0  07 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00    mov [veax],vecx mov dword ptr [ecx],eax
0040D0B0  04 00 00 00 00 00 00 00 07 00 00 00 00 00 00 00    mov veax,ecx
0040D0C0  06 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00    mov vecx,0x04
0040D0D0  0F 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    add
0040D0E0  03 00 00 00 07 00 00 00 00 00 00 00 00 00 00 00    mov ecx,veax add ecx,4
0040D0F0  04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00    mov veax,edx
0040D100  06 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00    mov vecx,0x01
0040D110  0F 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    add
0040D120  03 00 00 00 06 00 00 00 00 00 00 00 00 00 00 00    mov edx,veax inc edx
0040D130  04 00 00 00 00 00 00 00 07 00 00 00 00 00 00 00    mov veax,ecx
0040D140  06 00 00 00 01 00 00 00 E0 F0 40 00 00 00 00 00    mov vecx,0x40F0E0 (push ecx)
0040D150  10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    sub sub ecx,0040F0E0
0040D160  0D 00 00 00 03 00 00 00 00 00 00 00 00 00 00 00    set 3 (pop ecx)
0040D170  0E 00 00 00 D3 FF FF FF 00 00 00 00 00 00 00 00    jz 0040CEB0 jl 0040CEB0
0040D180  04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00    mov veax,esp
0040D190  08 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00    mov vecx,[veax]
0040D1A0  03 00 00 00 02 00 00 00 01 00 00 00 00 00 00 00    mov esi,vecx
0040D1B0  04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00    mov veax,esp
0040D1C0  06 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00    mov vecx,0x04
0040D1D0  09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    add
0040D1E0  03 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00    mov esp,veax pop esi
0040D1F0  04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00    mov veax,esp
0040D200  08 00 00 00 07 00 00 00 00 00 00 00 00 00 00 00    mov vedi,[veax]
0040D210  04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00    mov veax,esp
0040D220  06 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00    mov vecx,0x04
0040D230  09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    add
0040D240  03 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00    mov esp,veax
0040D250  02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    svff
0040D260  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

0040DD28  00000246
0040DD2C  7C930228  ntdll.7C930228
0040DD30  00000000
0040DD34  0012FF6C
0040DD38  0012FF2C
0040DD3C  7FFDE000
0040DD40  00000100
0040DD44  0040F0E0  verify1.0040F0E0
0040DD48  2D011F8D
0040DD4C  00000000
0040DD50  00000000
0040DD54  00000000
0040DD58  00000000
0040DD5C  00000000
0040DD60  00000000
0040DD64  00000000
0040DD68  00000000
0040DD6C  00000000
0040DD70  00000000
0040DD74  00000000
0040DD78  00000000
0040DD7C  00000000
0040DD80  00000000
0040DD84  00401160  verify1.00401160
0040DD88  00000000
0040DD8C  00000000
0040DD90  0040D948  verify1.0040D948
0040DD94  0040D948  verify1.0040D948
0040DD98  00000240
0040DD9C  00000000
0040DDA0  00000000
0040DDA4  00000000
0040DDA8  00400000  verify1.00400000
0040DDAC  00400000  verify1.00400000
0040DDB0  00000000
0040DDB4  00000000
0040DDB8  00000000
0040DDBC  00000001

0012FF2C  ACD64F6A
0012FF30  7C930228  ntdll.7C930228
0012FF34  00000000
0012FF38  7FFD7000
0012FF3C  003C0000
0012FF40  00000000
0012FF44  0000001C
0012FF48  00000010
0012FF4C  00000020
0012FF50  003C0000

0040D948  01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 lvff
0040D958  04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00    mov veax,esp
0040D968  06 00 00 00 01 00 00 00 FC FF FF FF 00 00 00 00    mov vecx,0xfffffffc
0040D978  09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    add
0040D988  03 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00    mov esp,veax
0040D998  04 00 00 00 01 00 00 00 02 00 00 00 00 00 00 00    mov vecx,esi
0040D9A8  07 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00    mov [veax],vecx push esi
0040D9B8  04 00 00 00 00 00 00 00 03 00 00 00 00 00 00 00    mov veax,ebp
0040D9C8  06 00 00 00 01 00 00 00 30 00 00 00 00 00 00 00    mov vecx,0x30
0040D9D8  0A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    sub
0040D9E8  08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    mov veax,[veax]
0040D9F8  03 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00    mov esi,veax mov esi,dword ptr [ebp-30]
0040DA08  04 00 00 00 00 00 00 00 02 00 00 00 00 00 00 00    mov veax,esi
0040DA18  06 00 00 00 01 00 00 00 08 00 00 00 00 00 00 00    mov vecx,0x8
0040DA28  09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    add
0040DA38  08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    mov veax,[veax]
0040DA48  03 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00    mov eax,veax mov eax,dword ptr [esi+8]
0040DA58  04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00    mov veax,esp
0040DA68  06 00 00 00 01 00 00 00 FC FF FF FF 00 00 00 00    mov vecx,0xfffffffc
0040DA78  09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    add
0040DA88  03 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00    mov esp,veax
0040DA98  04 00 00 00 01 00 00 00 08 00 00 00 00 00 00 00    mov vecx,eax
0040DAA8  07 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00    mov [veax],vecx push eax
0040DAB8  04 00 00 00 00 00 00 00 02 00 00 00 00 00 00 00    mov veax,esi
0040DAC8  03 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00    mov eax,veax mov eax,esi
0040DAD8  04 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00    mov veax,eax
0040DAE8  06 00 00 00 01 00 00 00 10 00 00 00 00 00 00 00    mov vecx,0x10
0040DAF8  0F 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    add
0040DB08  03 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00    mov eax,veax add eax,10
0040DB18  04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00    mov veax,esp
0040DB28  06 00 00 00 01 00 00 00 FC FF FF FF 00 00 00 00    mov vecx,0xfffffffc
0040DB38  09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    sub
0040DB48  03 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00    mov esp,veax
0040DB58  04 00 00 00 01 00 00 00 08 00 00 00 00 00 00 00    mov vecx,eax
0040DB68  07 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00    mov [veax],vecx push eax
0040DB78  02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    svff

0040DF80  00000202
0040DF84  7C930228  ntdll.7C930228
0040DF88  003C0000
0040DF8C  0012FF6C
0040DF90  0012FF1C
0040DF94  7FFD4000
0040DF98  00000100
0040DF9C  0040F0E0  verify1.0040F0E0
0040DFA0  003C0010  ASCII "This is a test!!"
0040DFA4  00000000
0040DFA8  00000000
0040DFAC  00000000
0040DFB0  00000000
0040DFB4  00000000
0040DFB8  00000000
0040DFBC  00000000
0040DFC0  00000000
0040DFC4  00000000
0040DFC8  00000000
0040DFCC  00000000
0040DFD0  00000000
0040DFD4  00000000
0040DFD8  00000000
0040DFDC  00401F8D  Entry address
0040DFE0  00000000
0040DFE4  00000000
0040DFE8  0040D270  verify1.0040D270
0040DFEC  0040D270  verify1.0040D270
0040DFF0  00000660
0040DFF4  00000000
0040DFF8  00000000
0040DFFC  00000000
0040E000  00400000  verify1.00400000
0040E004  00400000  verify1.00400000
0040E008  00000000
0040E00C  00000000
0040E010  00000000
0040E014  00000001

0012FF1C  00401165  verify1.00401165
0012FF20  003C0010  ASCII "This is a test!!"
0012FF24  00000010
0012FF28  00000000
0012FF2C  AC032AD4
0012FF30  7C930228  ntdll.7C930228
0012FF34  00000000
0012FF38  7FFD4000
0012FF3C  003C0000

0040D270  01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 lvff
0040D280  04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00    mov veax,esp
0040D290  06 00 00 00 01 00 00 00 FC FF FF FF 00 00 00 00    mov vecx,0xfffffffc
0040D2A0  09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    add
0040D2B0  03 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00    mov esp,veax
0040D2C0  04 00 00 00 01 00 00 00 02 00 00 00 00 00 00 00    mov vecx,esi
0040D2D0  07 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00    mov [veax],vecx push esi
0040D2E0  04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00    mov veax,esp
0040D2F0  06 00 00 00 01 00 00 00 0C 00 00 00 00 00 00 00    mov vecx,0xc
0040D300  09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    add
0040D310  08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    mov veax,[veax]
0040D320  03 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00    mov esi,veax mov esi,dword ptr [esp+c]
0040D330  04 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00    mov veax,eax
0040D340  06 00 00 00 01 00 00 00 FF FF FF FF 00 00 00 00    mov vecx,0xffffffff
0040D350  16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    or
0040D360  03 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00    mov eax,veax or eax,-1
0040D370  04 00 00 00 00 00 00 00 02 00 00 00 00 00 00 00    mov veax,esi
0040D380  04 00 00 00 01 00 00 00 02 00 00 00 00 00 00 00    mov vecx,esi
0040D390  13 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    test test esi,esi
0040D3A0  0D 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00    set 0x04
0040D3B0  0E 00 00 00 3F 00 00 00 00 00 00 00 00 00 00 00    jz 0040D7B0 jna 0040D7B0
0040D3C0  04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00    mov veax,esp
0040D3D0  06 00 00 00 01 00 00 00 08 00 00 00 00 00 00 00    mov vecx,0x08
0040D3E0  09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    add
0040D3F0  08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    mov veax,[veax]
0040D400  03 00 00 00 07 00 00 00 00 00 00 00 00 00 00 00    mov ecx,veax mov ecx,dowrd ptr [esp+8]
0040D410  04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00    mov veax,esp
0040D420  06 00 00 00 01 00 00 00 FC FF FF FF 00 00 00 00    mov vecx,0xfffffffc
0040D430  09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    add
0040D440  03 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00    mov esp,veax
0040D450  04 00 00 00 01 00 00 00 05 00 00 00 00 00 00 00    mov vecx,ebx
0040D460  07 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00    mov [veax],vecx push ebx
0040D470  04 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00    mov veax,eax
0040D480  03 00 00 00 06 00 00 00 00 00 00 00 00 00 00 00    mov edx,veax mov edx,eax
0040D490  04 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00    mov veax,ebx
0040D4A0  04 00 00 00 01 00 00 00 05 00 00 00 00 00 00 00    mov vecx,ebx
0040D4B0  15 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    xor
0040D4C0  02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    svff
0040D4D0  03 00 00 00 05 00 00 00 00 00 00 00 00 00 00 00    mov ebx,veax xor ebx,ebx
0040D4E0  04 00 00 00 00 00 00 00 07 00 00 00 00 00 00 00    mov veax,ecx
0040D4F0  08 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00    mov val,byte ptr [veax]
0040D500  03 00 02 00 05 00 00 00 00 00 00 00 00 00 00 00    mov bl,val mov bl, byte ptr [ecx]
0040D510  04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00    mov veax,edx
0040D520  06 00 00 00 01 00 00 00 FF 00 00 00 00 00 00 00    mov vecx,0xff
0040D530  14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    and
0040D540  03 00 00 00 06 00 00 00 00 00 00 00 00 00 00 00    mov edx,veax and edx,0xff
0040D550  04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00    mov veax,edx
0040D560  04 00 00 00 01 00 00 00 05 00 00 00 00 00 00 00    mov vecx,ebx
0040D570  15 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    xor
0040D580  02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    svff
0040D590  03 00 00 00 06 00 00 00 00 00 00 00 00 00 00 00    mov edx,veax xor edx,ebx
0040D5A0  04 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00    mov veax,eax
0040D5B0  06 00 00 00 01 00 00 00 08 00 00 00 00 00 00 00    mov vecx,0x8
0040D5C0  18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    shr
0040D5D0  03 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00    mov eax,veax shr eax,8
0040D5E0  04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00    mov veax,edx
0040D5F0  06 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00    mov vecx,0x4
0040D600  0B 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    mul
0040D610  06 00 00 00 01 00 00 00 E0 EC 40 00 00 00 00 00    mov vecx 0040ECE0
0040D620  09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    add
0040D630  08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    mov veax,[veax]
0040D640  03 00 00 00 06 00 00 00 00 00 00 00 00 00 00 00    mov edx,veax mov edx,dword ptr [edx*4+0040ECE0]
0040D650  04 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00    mov veax,eax
0040D660  04 00 00 00 01 00 00 00 06 00 00 00 00 00 00 00    mov vecx,edx
0040D670  16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    or //改为15(xor);第一个bug修复
0040D680  02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    svff
0040D690  03 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00    mov eax,veax or eax,edx 改为 xor eax,edx
0040D6A0  04 00 00 00 00 00 00 00 07 00 00 00 00 00 00 00    mov veax,ecx
0040D6B0  06 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00    mov vecx,0x1
0040D6C0  0F 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    add
0040D6D0  03 00 00 00 07 00 00 00 00 00 00 00 00 00 00 00    mov ecx,veax inc ecx
0040D6E0  04 00 00 00 00 00 00 00 02 00 00 00 00 00 00 00    mov veax,esi
0040D6F0  06 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00    mov vecx,0x1
0040D700  10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    sub
0040D710  03 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00    mov esi,veax dec esi
0040D720  0D 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00    set 2
0040D730  0E 00 00 00 D3 FF FF FF 00 00 00 00 00 00 00 00    jz 0040D470 jnz 0040D470
0040D740  04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00    mov veax,esp
0040D750  08 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00    mov vecx,[veax]
0040D760  03 00 00 00 05 00 00 00 01 00 00 00 00 00 00 00    mov ebx,vecx
0040D770  04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00    mov veax,esp
0040D780  06 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00    mov vecx,0x4
0040D790  09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    add
0040D7A0  03 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00    mov esp,veax pop ebx
0040D7B0  04 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00    mov veax,eax
0040D7C0  17 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    not
0040D7D0  03 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00    mov eax,veax not eax
0040D7E0  04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00    mov veax,esp
0040D7F0  08 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00    mov vecx,[veax]
0040D800  03 00 00 00 02 00 00 00 01 00 00 00 00 00 00 00    mov esi,vecx
0040D810  04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00    mov veax,esp
0040D820  06 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00    mov vecx,0x4
0040D830  09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    add
0040D840  03 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00    mov esp,veax pop esi
0040D850  04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00    mov veax,esp
0040D860  08 00 00 00 07 00 00 00 00 00 00 00 00 00 00 00    mov vedi,[veax]
0040D870  04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00    mov veax,esp
0040D880  06 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00    mov vecx,0x4
0040D890  09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    add
0040D8A0  03 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00    mov esp,veax
0040D8B0  02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    svff

0040DDF0  00000246
0040DDF4  7C930228  ntdll.7C930228
0040DDF8  003C0000
0040DDFC  0012FF6C
0040DE00  0012FF20
0040DE04  7FFD4000
0040DE08  616E1FD3
0040DE0C  003C0020
0040DE10  9E908000
0040DE14  00000000
0040DE18  00000000
0040DE1C  00000000
0040DE20  00000000
0040DE24  00000000
0040DE28  00000000
0040DE2C  00000000
0040DE30  00000000
0040DE34  00000000
0040DE38  00000000
0040DE3C  00000000
0040DE40  00000000
0040DE44  00000000
0040DE48  00000000
0040DE4C  004011A2  verify1.004011A2
0040DE50  00000000
0040DE54  00000000
0040DE58  0040DB88  verify1.0040DB88
0040DE5C  0040DB88  verify1.0040DB88
0040DE60  000001A0
0040DE64  00000000
0040DE68  00000000
0040DE6C  00000000
0040DE70  00400000  verify1.00400000
0040DE74  00400000  verify1.00400000
0040DE78  00000000
0040DE7C  00000000
0040DE80  00000000
0040DE84  00000001

0012FF20  003C0010  ASCII "This is a test!!"
0012FF24  00000010
0012FF28  00000000
0012FF2C  AC032AD4
0012FF30  7C930228  ntdll.7C930228
0012FF34  00000000
0012FF38  7FFD4000

0040DB88  01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    lvff
0040DB98  04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00    mov veax,esp
0040DBA8  06 00 00 00 01 00 00 00 08 00 00 00 00 00 00 00    mov vecx,0x8
0040DBB8  0F 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    add
0040DBC8  03 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00    mov esp,veax add esp,8
0040DBD8  04 00 00 00 00 00 00 00 02 00 00 00 00 00 00 00    mov veax,esi
0040DBE8  06 00 00 00 01 00 00 00 0C 00 00 00 00 00 00 00    mov vecx,0xc
0040DBF8  09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    add (push eax)
0040DC08  08 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00    mov vecx,[veax] sub eax,dword ptr [esi+c]
0040DC18  04 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00    mov veax,eax (pop eax)
0040DC28  10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    sub
0040DC38  0D 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00    set 2
0040DC48  0E 00 00 00 05 00 00 00 00 00 00 00 00 00 00 00    jz 0040DCA8 jnz 0040DCA8
0040DC58  04 00 00 00 00 00 00 00 03 00 00 00 00 00 00 00    mov veax,ebp
0040DC68  06 00 00 00 01 00 00 00 2C 00 00 00 00 00 00 00    mov vecx,0x2c
0040DC78  0A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    sub
0040DC88  06 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00    mov vecx,0x1
0040DC98  07 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00    mov [veax],vecx mov dword ptr [ebp-2c],1
0040DCA8  04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00    mov veax,esp
0040DCB8  08 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00    mov vecx,[veax]
0040DCC8  03 00 00 00 02 00 00 00 01 00 00 00 00 00 00 00    mov esi,vecx
0040DCD8  04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00    mov veax,esp
0040DCE8  06 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00    mov vecx,0x4
0040DCF8  09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    add
0040DD08  03 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00    mov esp,veax pop esi
0040DD18  02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    svff

根据上面的代码分析，虚拟机第一部分代码将0-0x3ff分别逐位右移8次，最低位为1时与0xEDB08320异或，产生1024个dword；第二部分代码处理原始堆栈，将文件map指针和文件中字符串长度压入栈；第三部分代码对文件中字符与第一部分代码产生的dword的进行运算，产生一个dword，最后取反;第四部分代码处理堆栈，弹出第二部分压入的指针，将文件中0XC处的dword与第三部分计算出的dword比较，相等则将[ebp-2C]置1。

第一个BUG原因分析：

第三部分恢复代码

push esi
mov esi,dword ptr [esp+c]//第二个BUG入手点
or eax,-1
test esi,esi
jna 0040D7B0
mov ecx,dowrd ptr [esp+8]
push ebx
mov edx,eax
xor ebx,ebx
mov bl, byte ptr [ecx]//第二个BUG出错
and edx,0xff
xor edx,ebx
shr eax,8
mov edx,dword ptr [edx*4+0040ECE0]
or eax,edx //第一个BUG
inc ecx
dec esi
jnz 0040D470
pop ebx
not eax
pop esi

问题出在第三部分代码，以上恢复出的代码可以看到：edx取得0040ECE0起始以dl*4为下标的dword（即第一部分计算出的1024个dword）后,与eax进行或运算，而eax为0xffffffff每次右移8位产生dword,这种或处理相当于eax高位的0位被0040ECE0+4*dl处的dword的相应位替换，而eax低位连续的1并无变化，起不到hash运算扩大离散度的要求，因些考虑改成异或运算以增加离散度，经测试成功。

第一个BUG修复：

应修改 or eax,edx 为xor eax,edx，因此将虚拟机对应处代码0040D670由16改为15，第一个bug修复。

0040D670  16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    or //改为15(xor);第一个bug修复

第二个BUG原因分析：

第二部分恢复代码

push esi
mov esi,dword ptr [ebp-30]
mov eax,dword ptr [esi+8]
push eax
mov eax,esi
add eax,10
push eax

问题也出在第三部分代码,在恢复出第二部分和第三部分代码中可以看到：ecx为文件中数据部分的指针，每次循环递增1，由前向后移动；esi为文件数据部分的字节数，作为循环的条件，每次循环递减，递减至0循环结束，而esi的值是在第二部分代码入栈的，取得的文件偏移0x8处的值，而且并未用文件大小对该值进行较验，因此，如果文件中偏移0x8的dword不是真实反映数据部分的字节数，而是一个超过文件映射空间长度的数字，就会产生crash。crash.dat中偏移0x8的dword为0x01000016，大大超过了文件的长度，也超过了文件映射空间的长度，因此会产生非法访问错误。

第二个BUG修复：

由于文件格式中，数据部分的偏移是0x10，因此只要用文件的size减去0x10，就可以得到数据部分的最大长度，对0x8处的dword用这个最大长度进行校验，如果超过，则在第三部分代码中用数据部分的最大长度代替文件偏移0x8处的dword，即可修复bug。

第一种方法：

在第二段和第三段虚拟机opcode之间，利用流程跳出虚拟机，进行虚拟机opcode段转换的过程，将压入栈的文件偏移0x8处dword与文件size-0x10进行校验，大于则将栈中的Dword修改为文件size-0x10。

在代码段尾找一块空白空间，如00408D90，将

00401160 .  E8 EB0D0000 call 00401F50
00401165 .  9C          pushfd
00401166 .  50          push eax
00401167 .  52          push edx

改为

00401160    /E9 2B7C0000 jmp    00408D90
00401165 . |9C          pushfd
00401166 . |50          push eax
00401167 . |52          push edx

将00408D90处加入以下代码

00408D90    56          push esi
00408D91    50          push eax
00408D92    8B7424 0C    mov    esi, dword ptr [esp+C]
00408D96    8B45 E0    mov    eax, dword ptr [ebp-20]
00408D99    83E8 10    sub    eax, 10
00408D9C    3BF0       cmp    esi, eax
00408D9E    76 04       jbe    short 00408DA4
00408DA0    894424 0C    mov    dword ptr [esp+C], eax
00408DA4    58          pop    eax
00408DA5    5E          pop    esi
00408DA6    E8 A591FFFF call 00401F50
00408DAB ^ E9 B583FFFF jmp    00401165

第二种方法：

修改虚拟机opcode段，如第三段，在获取esi值以后，插入以下opcode，对esi进行校验，如不符合，将esi替换为文件size-0x10。

04 00 00 00 00 00 00 00 03 00 00 00 00 00 00 00    mov veax,ebp
06 00 00 00 01 00 00 00 20 00 00 00 00 00 00 00    mov vecx,0x20
0A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    sub
08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    mov veax,[veax]
06 00 00 00 01 00 00 00 10 00 00 00 00 00 00 00    mov vcax,0x10
10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    sub
05 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00    mov vebp,veax
04 00 00 00 00 00 00 00 02 00 00 00 00 00 00 00    mov veax,esi
05 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00    mov vecx,eax
10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    sub
0D 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00    set 4
0E 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00    jz 0x01
03 00 00 00 02 00 00 00 04 00 00 00 00 00 00 00    mov esi,vebp

修改后代码如下，去掉对ebx的压栈和出栈操作，共13句，刚好与插入代码相符，并将代码中利用ebx保存数据部分，改为利用vebp。

0040D270  01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 lvff
0040D280  04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00    mov veax,esp
0040D290  06 00 00 00 01 00 00 00 FC FF FF FF 00 00 00 00    mov vecx,0xfffffffc
0040D2A0  09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    add
0040D2B0  03 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00    mov esp,veax
0040D2C0  04 00 00 00 01 00 00 00 02 00 00 00 00 00 00 00    mov vecx,esi
0040D2D0  07 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00    mov [veax],vecx push esi
0040D2E0  04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00    mov veax,esp
0040D2F0  06 00 00 00 01 00 00 00 0C 00 00 00 00 00 00 00    mov vecx,0xc
0040D300  09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    add
0040D310  08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    mov veax,[veax]
0040D320  03 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00    mov esi,veax mov esi,dword ptr [esp+c]

0040D330  04 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00    mov veax,eax
0040D340  04 00 00 00 00 00 00 00 03 00 00 00 00 00 00 00    mov veax,ebp
0040D350  06 00 00 00 01 00 00 00 20 00 00 00 00 00 00 00    mov vecx,0x20
0040D360  0A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    sub
0040D370  08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    mov veax,[veax]
0040D380  06 00 00 00 01 00 00 00 10 00 00 00 00 00 00 00    mov vcax,0x10
0040D390  10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    sub
0040D3A0  05 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00    mov vebp,veax
0040D3B0  04 00 00 00 00 00 00 00 02 00 00 00 00 00 00 00    mov veax,esi
0040D3C0  05 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00    mov vecx,eax
0040D3D0  10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    sub
0040D3E0  0D 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00    set 4
0040D3F0  0E 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00    jz 0040D410
0040D400  03 00 00 00 02 00 00 00 04 00 00 00 00 00 00 00    mov esi,vebp

0040D410  06 00 00 00 01 00 00 00 FF FF FF FF 00 00 00 00    mov vecx,0xffffffff
0040D420  16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    or
0040D430  03 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00    mov eax,veax or eax,-1
0040D440  04 00 00 00 00 00 00 00 02 00 00 00 00 00 00 00    mov veax,esi
0040D450  04 00 00 00 01 00 00 00 02 00 00 00 00 00 00 00    mov vecx,esi
0040D460  13 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    test test esi,esi
0040D470  0D 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00    set 0x04
0040D480  0E 00 00 00 3F 00 00 00 00 00 00 00 00 00 00 00    jz 0040D7B0 jna 0040D7B0
0040D490  04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00    mov veax,esp
0040D4A0  06 00 00 00 01 00 00 00 08 00 00 00 00 00 00 00    mov vecx,0x08
0040D4B0  09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    add
0040D4C0  08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    mov veax,[veax]
0040D4D0  03 00 00 00 07 00 00 00 00 00 00 00 00 00 00 00    mov ecx,veax mov ecx,dowrd ptr [esp+8]

0040D4E0  04 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00    mov veax,eax
0040D4F0  03 00 00 00 06 00 00 00 00 00 00 00 00 00 00 00    mov edx,veax mov edx,eax
0040D500  04 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00    mov veax,ebx
0040D510  04 00 00 00 01 00 00 00 05 00 00 00 00 00 00 00    mov vecx,ebx
0040D520  15 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    xor
0040D530  02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    svff
0040D540  05 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00    mov vebp,veax xor ebx,ebx //修改，用vebp代替ebx
0040D550  04 00 00 00 00 00 00 00 07 00 00 00 00 00 00 00    mov veax,ecx
0040D560  08 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00    mov val,byte ptr [veax]
0040D570  05 00 02 00 04 00 00 00 00 00 00 00 00 00 00 00    mov vbl,val mov bl, byte ptr [ecx]//修改，用vebp代替ebx
0040D580  04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00    mov veax,edx
0040D590  06 00 00 00 01 00 00 00 FF 00 00 00 00 00 00 00    mov vecx,0xff
0040D5A0  14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    and
0040D5B0  03 00 00 00 06 00 00 00 00 00 00 00 00 00 00 00    mov edx,veax and edx,0xff
0040D5C0  04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00    mov veax,edx
0040D5D0  05 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00    mov vecx,vebp //修改，用vebp代替ebx
0040D5E0  15 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    xor
0040D5F0  02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    svff
0040D600  03 00 00 00 06 00 00 00 00 00 00 00 00 00 00 00    mov edx,veax xor edx,ebx
0040D610  04 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00    mov veax,eax
0040D620  06 00 00 00 01 00 00 00 08 00 00 00 00 00 00 00    mov vecx,0x8
0040D630  18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    shr
0040D640  03 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00    mov eax,veax shr eax,8
0040D650  04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00    mov veax,edx
0040D660  06 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00    mov vecx,0x4
0040D670  0B 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    mul
0040D680  06 00 00 00 01 00 00 00 E0 EC 40 00 00 00 00 00    mov vecx 0040ECE0
0040D690  09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    add
0040D6A0  08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    mov veax,[veax]
0040D6B0  03 00 00 00 06 00 00 00 00 00 00 00 00 00 00 00    mov edx,veax mov edx,dword ptr [edx*4+0040ECE0]
0040D6C0  04 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00    mov veax,eax
0040D6D0  04 00 00 00 01 00 00 00 06 00 00 00 00 00 00 00    mov vecx,edx
0040D6E0  15 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    or //改为15(xor);第一个bug修复
0040D6F0  02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    svff
0040D700  03 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00    mov eax,veax or eax,edx 改为 xor eax,edx
0040D710  04 00 00 00 00 00 00 00 07 00 00 00 00 00 00 00    mov veax,ecx
0040D720  06 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00    mov vecx,0x1
0040D730  0F 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    add
0040D740  03 00 00 00 07 00 00 00 00 00 00 00 00 00 00 00    mov ecx,veax inc ecx
0040D750  04 00 00 00 00 00 00 00 02 00 00 00 00 00 00 00    mov veax,esi
0040D760  06 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00    mov vecx,0x1
0040D770  10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    sub
0040D780  03 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00    mov esi,veax dec esi
0040D790  0D 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00    set 2
0040D7A0  0E 00 00 00 D3 FF FF FF 00 00 00 00 00 00 00 00    jz 0040D4E0 jnz 0040D4E0 //相对地址跳转，不用修改

0040D7B0  04 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00    mov veax,eax
0040D7C0  17 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    not
0040D7D0  03 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00    mov eax,veax not eax
0040D7E0  04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00    mov veax,esp
0040D7F0  08 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00    mov vecx,[veax]
0040D800  03 00 00 00 02 00 00 00 01 00 00 00 00 00 00 00    mov esi,vecx
0040D810  04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00    mov veax,esp
0040D820  06 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00    mov vecx,0x4
0040D830  09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    add
0040D840  03 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00    mov esp,veax pop esi
0040D850  04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00    mov veax,esp
0040D860  08 00 00 00 07 00 00 00 00 00 00 00 00 00 00 00    mov vedi,[veax]
0040D870  04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00    mov veax,esp
0040D880  06 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00    mov vecx,0x4
0040D890  09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    add
0040D8A0  03 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00    mov esp,veax
0040D8B0  02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    svff

[培训]《安卓高级研修班(网课)》月薪三万计划，掌握调试、分析还原ollvm、vmp的方法，定制art虚拟机自动化脱壳的方法

#调试逆向

收藏・0

点赞・6

打赏

最新回复 (2)
nkspark 雪币： 101 活跃值： (88) 能力值： ( LV2，RANK：140 ) 在线值：发帖 46 回帖 613 粉丝 0 关注私信	nkspark 3 2010-11-1 14:59 2 楼 0 够细，赞。。。
wuwenyao 雪币： 338 活跃值： (95) 能力值： ( LV7，RANK：100 ) 在线值：发帖 7 回帖 25 粉丝 0 关注私信	wuwenyao 2 2010-11-5 09:52 3 楼 0 谢谢老大,给了精华,第一次分析VM,很多概念都不懂,边查边弄,搞了3天
	游客登录 \| 注册方可回帖　回帖　表情雪币赚取及消费高级回复