有没有人研究过 VMP 的变形代码是如何生成的？有什么规律没有？
我看来看去，没找到什么规律……至少 Themida 的是模板的递归嵌套，不过 VMP 完全是另一种东西。
贴一段变形前后的代码，大家帮忙看看能不能找出什么规律，以及程序如何实现变形代码的还原。
//
// 原始代码如下
//
; Original routine: registers an SEH frame and allocates a stack frame for its caller.
; Syntax: Intel (OllyDbg listing: address, opcode bytes, mnemonic). 32-bit Windows.
; Frame layout relative to the ebp established at 0100757C, derived from the two
; pushes that precede it (entry esp = E, [E] = this routine's return address):
;   [ebp]    = E+8   caller's ebp (stored over the slot that was read as the frame size)
;   [ebp-4]  = E+4   dword that was at [esp+4] on entry; copied to [ebp-8], then set to -1
;   [ebp-8]  = E     this routine's return address; re-pushed below so the final retn reaches it
;   [ebp-0C] = E-4   handler address pushed at 01007568
;   [ebp-10] = E-8   previous fs:[0] value pushed at 01007573
;   [ebp-18]         esp after the ebx/esi/edi pushes
; NOTE(review): this push/lea/sub sequence matches the MSVC CRT __SEH_prolog helper;
; the caller is presumed to push a scope table and the frame size before calling – confirm against the caller.
01007568 /$ 68 BA750001 push <jmp.&msvcrt._except_handler3> ; handler half of the (prev, handler) SEH record
0100756D |. 64:A1 0000000>mov eax, dword ptr fs:[0] ; current head of the SEH chain
01007573 |. 50 push eax ; prev half of the SEH record
01007574 |. 8B4424 10 mov eax, dword ptr [esp+10] ; eax = [E+8]: used as the frame size by the sub below
01007578 |. 896C24 10 mov dword ptr [esp+10], ebp ; save caller's ebp in that same slot
0100757C |. 8D6C24 10 lea ebp, dword ptr [esp+10] ; ebp -> saved ebp (frame base)
01007580 |. 2BE0 sub esp, eax ; allocate the caller's locals
01007582 |. 53 push ebx ; save callee-saved registers
01007583 |. 56 push esi
01007584 |. 57 push edi
01007585 |. 8B45 F8 mov eax, dword ptr [ebp-8] ; eax = this routine's return address
01007588 |. 8965 E8 mov dword ptr [ebp-18], esp ; record esp after the register saves
0100758B |. 50 push eax ; return address goes below the saved registers for the retn at the end
0100758C |. 8B45 FC mov eax, dword ptr [ebp-4] ; eax = entry dword [E+4]
0100758F |. C745 FC FFFFF>mov dword ptr [ebp-4], -1 ; [ebp-4] = -1
01007596 |. 8945 F8 mov dword ptr [ebp-8], eax ; [ebp-8] = former [ebp-4] (return address slot is no longer needed)
01007599 |. 8D45 F0 lea eax, dword ptr [ebp-10] ; eax -> (prev, handler) record
0100759C |. 64:A3 0000000>mov dword ptr fs:[0], eax ; install the new SEH frame
010075A2 \. C3 retn ; pops the re-pushed return address; esp stays below the saved registers
=======================================================================================
//
// 变形后代码
//
; Mutated equivalent of the routine above, as traced (jmp/call targets are followed inline).
; Comments below map each instruction to the original one it realises ("= 0100xxxx"),
; or note that its result is discarded before being read. All stack offsets are
; derived from the visible pushes/pushad/pushfd/call/lea esp instructions; entry esp = E.
01034926 98 cwde ; writes eax only; dead – eax overwritten at 01034931
01034927 68 BA750001 push 010075BA ; = 01007568: 010075BA is the <jmp.&msvcrt._except_handler3> stub address shown in the original
0103492C 68 E6582DAC push AC2D58E6 ; placeholder slot; its content is replaced at 0103493D
01034931 64:A1 00000000 mov eax, dword ptr fs:[0] ; = 0100756D
01034937 60 pushad ; 0x20 bytes; undone by the lea esp at 0103A6C0
01034938 F8 clc ; flags only
01034939 66:0FA3CF bt di, cx ; flags only
0103493D 874424 20 xchg dword ptr [esp+20], eax ; [esp+20] is the AC2D58E6 slot above the pushad; it now holds the fs:[0] value, so with 0103492C this is 01007573's push eax; eax gets the placeholder
01034941 66:35 1C44 xor ax, 441C ; eax/flags scratch; dead – eax overwritten at 0103494E
01034945 9F lahf ; ah scratch; dead
01034946 80C4 BF add ah, 0BF ; ah scratch; dead
01034949 66:0FBAF0 0C btr ax, 0C ; ax scratch; dead
0103494E 8B4424 30 mov eax, dword ptr [esp+30] ; = 01007574: esp is E-28 here (two pushes + pushad), so [esp+30] = [E+8], the same slot as the original's [esp+10]
01034952 E9 80820000 jmp 0103CBD7
0103CBD7 E8 C0DAFFFF call 0103A69C ; pushes a return address that is never returned to; dropped at 0103A6C0
0103A69C 9C pushfd ; filler; dropped at 0103A6C0
0103A69D F8 clc ; flags only
0103A69E 896C24 38 mov dword ptr [esp+38], ebp ; = 01007578: esp is E-30, so [esp+38] = [E+8]
0103A6A2 66:D3E5 shl bp, cl ; bp scratch; dead – ebp overwritten at 0103A6B4
0103A6A5 66:D3F5 sal bp, cl ; bp scratch; dead
0103A6A8 8DAC24 072A27BC lea ebp, dword ptr [esp+BC272A07] ; ebp scratch; dead
0103A6AF 66:0FA4E5 06 shld bp, sp, 6 ; bp scratch; dead
0103A6B4 8D6C24 38 lea ebp, dword ptr [esp+38] ; = 0100757C: ebp = E+8
0103A6B8 39FD cmp ebp, edi ; flags only
0103A6BA F9 stc ; flags only
0103A6BB 66:0FBAE5 07 bt bp, 7 ; flags only
0103A6C0 8D6424 28 lea esp, dword ptr [esp+28] ; drops pushfd (4) + call return address (4) + pushad (20): esp = E-8, exactly as after the original's two pushes
0103A6C4 2BE0 sub esp, eax ; = 01007580 (eax unchanged since 0103494E); also the last flag write before the jg at 0103515E
0103A6C6 60 pushad ; let S = esp after this pushad; three of its slots are rewritten below and kept as the ebx/esi/edi saves
0103A6C7 E9 9B590000 jmp 01040067
01040067 F6D4 not ah ; ah scratch; dead – eax overwritten at 0103A1A8
01040069 68 4FA672F0 push F072A64F ; filler; dropped at 0102CA7D
0104006E 895C24 20 mov dword ptr [esp+20], ebx ; esp = S-4: overwrites the pushad's eax slot [S+1C] with ebx
01040072 8D04AD C67280D0 lea eax, dword ptr [ebp*4+D08072C6] ; eax scratch; dead
01040079 0F96C0 setbe al ; al scratch; dead
0104007C 897424 1C mov dword ptr [esp+1C], esi ; overwrites the pushad's ecx slot [S+18] with esi
01040080 E8 13A1FFFF call 0103A198 ; return address pushed (esp = S-8); dropped at 0102CA7D
0103A198 98 cwde ; eax scratch; dead
0103A199 897C24 1C mov dword ptr [esp+1C], edi ; esp is now S-8, so this overwrites the pushad's edx slot [S+14] with edi
0103A19D 66:0FB6C3 movzx ax, bl ; ax scratch; dead
0103A1A1 98 cwde ; eax scratch; dead
0103A1A2 8D80 BEFD2DCB lea eax, dword ptr [eax+CB2DFDBE] ; eax scratch; dead
0103A1A8 8B45 F8 mov eax, dword ptr [ebp-8] ; = 01007585
0103A1AB E9 5B1E0000 jmp 0103C00B
0103C00B E9 680AFFFF jmp 0102CA78
0102CA78 C64424 08 1A mov byte ptr [esp+8], 1A ; writes into the pushad's edi slot [S]; dropped next
0102CA7D 8D6424 1C lea esp, dword ptr [esp+1C] ; esp = S+14: what remains above esp is edi [S+14], esi [S+18], ebx [S+1C] – identical to the original's push ebx/esi/edi at 01007582..01007584; everything below is discarded
0102CA81 8965 E8 mov dword ptr [ebp-18], esp ; = 01007588 (esp now equals the original's)
0102CA84 E9 D5860000 jmp 0103515E
0103515E 0F8F 44A80000 jg 0103F9A8 ; conditional on the flags from sub esp,eax at 0103A6C4 (nothing in between writes flags); taken in this trace – presumably always, since esp-eax is positive and nonzero for a user-mode stack – TODO confirm
0103F9A8 E8 5FEAFEFF call 0102E40C ; pushes return address 0103F9AD
0102E40C 870424 xchg dword ptr [esp], eax ; the slot now holds the [ebp-8] value loaded at 0103A1A8 and eax holds the return address – this is 0100758B's push eax
0102E40F 9F lahf ; ah scratch; dead – eax overwritten next
0102E410 8B45 FC mov eax, dword ptr [ebp-4] ; = 0100758C
0102E413 60 pushad ; let T = esp after this pushad; [T+20] is the slot written at 0102E40C
0102E414 68 17737B60 push 607B7317 ; filler
0102E419 C745 FC FFFFFFFF mov dword ptr [ebp-4], -1 ; = 0100758F
0102E420 C64424 04 D0 mov byte ptr [esp+4], 0D0 ; writes into the pushad's edi slot [T]; discarded
0102E425 9C pushfd ; filler
0102E426 9C pushfd ; filler
0102E427 E8 1E0E0100 call 0103F24A ; return address pushed; esp = T-10
0103F24A 8945 F8 mov dword ptr [ebp-8], eax ; = 01007596 (eax unchanged since 0102E410)
0103F24D 8D85 CA57CB98 lea eax, dword ptr [ebp+98CB57CA] ; eax scratch; dead
0103F253 8D45 F0 lea eax, dword ptr [ebp-10] ; = 01007599
0103F256 E9 52CAFEFF jmp 0102BCAD
0102BCAD 66:C74424 08 88C4 mov word ptr [esp+8], 0C488 ; writes into the first pushfd slot [T-8]; discarded
0102BCB4 E9 E5200000 jmp 0102DD9E
0102DD9E E9 68270100 jmp 0104050B
0104050B 64:A3 00000000 mov dword ptr fs:[0], eax ; = 0100759C
01040511 FF3424 push dword ptr [esp] ; copy of the return address from 0102E427; filler (esp = T-14)
01040514 68 D9BC5C38 push 385CBCD9 ; filler (esp = T-18)
01040519 52 push edx ; filler (esp = T-1C)
0104051A FF7424 3C push dword ptr [esp+3C] ; [esp+3C] = [T+20], the value stored at 0102E40C (the original's re-pushed return address); now at [T-20]
0104051E C2 4000 retn 40 ; = 010075A2: pops that address into eip and adds 40, leaving esp = T+24, one slot above where the address sat – the same esp the original's push eax / retn pair leaves