[分享] 初探 vmp
发表于:
2013-2-24 06:29
本人新菜
最近研究了一小段 VMP 的代码，做了一点分析，还请各位大牛多多指教；有什么不对的地方请各位大牛发帖纠正。废话不多说，
以下为 VMP 中 CreateFileW 返回后的一小段跟踪和分析：
handler --> 006FE85B vPopReg4
pop reg[10] FFFFFFFF vESP --> 12F760 = 8EC31C reg[10] = 7c Createfile
handler --> 006FC9F4 vPushImm4
vESP --> 12F760 = 8EC31C
vESP --> 12F75C = E64A6057 push 立即数 E64A6057
handler --> 006FC9F4 vPushImm4
vESP --> 12F760 = 8EC31C
vESP --> 12F75C = E64A6057
vESP --> 12F758 = E644A83E push 立即数 E644A83E
handler --> 006FDD64 vPushImmSx1
vESP --> 12F760 = 8EC31C
vESP --> 12F75C = E64A6057
vESP --> 12F758 = E644A83E
vESP --> 12F754 = FFFFFFFF push cwde 立即数 FF
handler --> 006FC8CE vPushReg4
vESP --> 12F760 = 8EC31C
vESP --> 12F75C = E64A6057
vESP --> 12F758 = E644A83E
vESP --> 12F754 = FFFFFFFF
PUSH reg[10] 7c vESP --> 12F750 = 7c PUSH reg[10] = 7c CreateFile
handler --> 006FC8CE vPushReg4
vESP --> 12F760 = 8EC31C
vESP --> 12F75C = E64A6057
vESP --> 12F758 = E644A83E
vESP --> 12F754 = FFFFFFFF
vESP --> 12F750 = 7c
PUSH reg[10] 7c vESP --> 12F74C = 7c PUSH reg[10] = 7c CreateFile
handler --> 006FE99D vNand4
vESP --> 12F760 = 8EC31C
vESP --> 12F75C = E64A6057
vESP --> 12F758 = E644A83E
vESP --> 12F754 = FFFFFFFF
vESP --> 12F750 = FFFFFF83 nand4_01 = FFFFFF83 = nand(CreateFile)
vESP --> 12F74C = 282 vesp = efl 282
handler --> 006FE85B vPopReg4
vESP --> 12F760 = 8EC31C
vESP --> 12F75C = E64A6057
vESP --> 12F758 = E644A83E
vESP --> 12F754 = FFFFFFFF
vESP --> 12F750 = FFFFFF83
pop reg[38] 282 清除 reg[38] 中的 CreateFile
reg[10] = nand4_01 efl 282
handler --> 006FEA7D vAdd4
vESP --> 12F760 = 8EC31C
vESP --> 12F75C = E64A6057
vESP --> 12F758 = E644A83E
vESP --> 12F754 = FFFFFF82 add_ImmSx1 = FFFFFF82 = ImmSx1+nand4_01
vESP --> 12F750 = 297 vesp = efl 297
handler --> 006FE85B vPopReg4
vESP --> 12F760 = 8EC31C
vESP --> 12F75C = E64A6057
vESP --> 12F758 = E644A83E
vESP --> 12F754 = FFFFFF82
pop reg[28] 297 reg[28] = add_ImmSx1 efl 297
handler --> 006FDF50 vPushVEsp
vESP --> 12F760 = 8EC31C
vESP --> 12F75C = E64A6057
vESP --> 12F758 = E644A83E
vESP --> 12F754 = FFFFFF82
vESP --> 12F750 = 0012F754
handler --> 006FD949 vReadMemSs4
vESP --> 12F760 = 8EC31C
vESP --> 12F75C = E64A6057
vESP --> 12F758 = E644A83E
vESP --> 12F754 = FFFFFF82
vESP --> 12F750 = FFFFFF82 push FFFFFF82 = add_ImmSx1
handler --> 006FE99D vNand4
vESP --> 12F760 = 8EC31C
vESP --> 12F75C = E64A6057
vESP --> 12F758 = E644A83E
vESP --> 12F754 = 7d nand4_02 = 7d = nand4(add_ImmSx1)
vESP --> 12F750 = 206 vesp = efl 206
handler --> 006FE85B vPopReg4
vESP --> 12F760 = 8EC31C
vESP --> 12F75C = E64A6057
vESP --> 12F758 = E644A83E
vESP --> 12F754 = 7d
pop reg[14] 206 reg[14] = nand4_02 efl 206
handler --> 006FE85B vPopReg4
vESP --> 12F760 = 8EC31C
vESP --> 12F75C = E64A6057
vESP --> 12F758 = E644A83E
pop reg[2c] 7d reg[2c] = 7d = nand4_02
handler --> 006FC8CE vPushReg4
vESP --> 12F760 = 8EC31C
vESP --> 12F75C = E64A6057
vESP --> 12F758 = E644A83E
push reg[28] 297 vESP --> 12F754 = 297 reg[28] = add_ImmSx1 efl 297
handler --> 006FC8CE vPushReg4
vESP --> 12F760 = 8EC31C
vESP --> 12F75C = E64A6057
vESP --> 12F758 = E644A83E
vESP --> 12F754 = 286
push reg[28] 297 vESP --> 12F750 = 286 reg[28] = add_ImmSx1 efl 297
handler --> 006FE99D vNand4
vESP --> 12F760 = 8EC31C
vESP --> 12F75C = E64A6057
vESP --> 12F758 = E644A83E
vESP --> 12F754 = FFFFFD68 nand4_03 = FFFFFD68 = nand4(add_ImmSx1 efl)
vESP --> 12F750 = 282
handler --> 006FE85B vPopReg4
vESP --> 12F760 = 8EC31C
vESP --> 12F75C = E64A6057
vESP --> 12F758 = E644A83E
vESP --> 12F754 = FFFFFD68
pop reg[3c] 282 reg[3c] = nand4_03 efl 282
handler --> 006FE209 vPushImmSx2
vESP --> 12F760 = 8EC31C
vESP --> 12F75C = E64A6057
vESP --> 12F758 = E644A83E
vESP --> 12F754 = FFFFFD68
vESP --> 12F750 = FFFFF7EA push 立即数 F7EA
handler --> 006FE99D vNand4
vESP --> 12F760 = 8EC31C
vESP --> 12F75C = E64A6057
vESP --> 12F758 = E644A83E
vESP --> 12F754 = 15 nand4_04 = 15 = nand4(nand4_03,立即数 F7EA)
vESP --> 12F750 = 202
handler --> 006FE85B vPopReg4
vESP --> 12F760 = 8EC31C
vESP --> 12F75C = E64A6057
vESP --> 12F758 = E644A83E
vESP --> 12F754 = 15
pop reg[38] 202 reg[38] = nand4_04 efl 202
handler --> 006FC8CE vPushReg4
vESP --> 12F760 = 8EC31C
vESP --> 12F75C = E64A6057
vESP --> 12F758 = E644A83E
vESP --> 12F754 = 15
push reg[14] 206 vESP --> 12F750 = 206 push reg[14] = nand4_02 efl 206
handler --> 006FDF50 vPushVEsp
vESP --> 12F760 = 8EC31C
vESP --> 12F75C = E64A6057
vESP --> 12F758 = E644A83E
vESP --> 12F754 = 15
vESP --> 12F750 = 206
vESP --> 12F74c = 12F750
handler --> 006FD949 vReadMemSs4
vESP --> 12F760 = 8EC31C
vESP --> 12F75C = E64A6057
vESP --> 12F758 = E644A83E
vESP --> 12F754 = 15
vESP --> 12F750 = 206
vESP --> 12F74c = 206 push reg[14] = nand4_02 efl 206
handler --> 006FE99D vNand4
vESP --> 12F760 = 8EC31C
vESP --> 12F75C = E64A6057
vESP --> 12F758 = E644A83E
vESP --> 12F754 = 15
vESP --> 12F750 = FFFFFDF9 nand4_05 = FFFFFDF9 = nand4(nand4_02 efl)
vESP --> 12F74c = 286
handler --> 006FE85B vPopReg4
vESP --> 12F760 = 8EC31C
vESP --> 12F75C = E64A6057
vESP --> 12F758 = E644A83E
vESP --> 12F754 = 15
vESP --> 12F750 = FFFFFDF9
pop reg[18] 286 reg[18] = nand4_05 efl 286
handler --> 006FE209 vPushImmSx2
vESP --> 12F760 = 8EC31C
vESP --> 12F75C = E64A6057
vESP --> 12F758 = E644A83E
vESP --> 12F754 = 15
vESP --> 12F750 = FFFFFDB9
vESP --> 12F74c = 815 push 立即数 815
handler --> 006FE99D vNand4
vESP --> 12F760 = 8EC31C
vESP --> 12F75C = E64A6057
vESP --> 12F758 = E644A83E
vESP --> 12F754 = 15
vESP --> 12F750 = 202 nand4_06 = nand4(立即数 815,nand4_05)
vESP --> 12F74c = 202
handler --> 006FE85B vPopReg4
vESP --> 12F760 = 8EC31C
vESP --> 12F75C = E64A6057
vESP --> 12F758 = E644A83E
vESP --> 12F754 = 15
vESP --> 12F750 = 202
pop reg[38] 202 清除 reg[38] 中的 nand4_04 efl
reg[38] = nand4_06 efl 202
handler --> 006FEA7D vAdd4
vESP --> 12F760 = 8EC31C
vESP --> 12F75C = E64A6057
vESP --> 12F758 = E644A83E
vESP --> 12F754 = 217 add_nand4_06 = 217 = nand4_06 + nand4_04
vESP --> 12F750 = 206
handler --> 006FE85B vPopReg4
vESP --> 12F760 = 8EC31C
vESP --> 12F75C = E64A6057
vESP --> 12F758 = E644A83E
vESP --> 12F754 = 217
pop reg[38] 206 清除 reg[38] 中的 nand4_04 efl
reg[38] = add_nand4_06 efl 206
handler --> 006FE85B vPopReg4
vESP --> 12F760 = 8EC31C
vESP --> 12F75C = E64A6057
vESP --> 12F758 = E644A83E
pop reg[2c] 217 清除 reg[2c] 中的 nand4_02
reg[2c] = add_nand4_06
handler --> 006FDF50 vPushVEsp
vESP --> 12F760 = 8EC31C
vESP --> 12F75C = E64A6057
vESP --> 12F758 = E644A83E
vESP --> 12F754 = 0012F758
handler --> 006FDEAF vPushImm1
vESP --> 12F760 = 8EC31C
vESP --> 12F75C = E64A6057
vESP --> 12F758 = E644A83E
vESP --> 12F754 = 12F758
vESP --> 12F752 = 0004 push 立即数 4 (栈转换为 2 字节形式：push dword; mov [vesp+2],imm)
handler --> 006FDD64 vPushImmSx1
vESP --> 12F760 = 8EC31C
vESP --> 12F75C = E64A6057
vESP --> 12F758 = E644A83E
vESP --> 12F754 = 12F758
vESP --> 12F752 = 0004
vESP --> 12F74E = FFFFFFBF pushd 立即数 BF
handler --> 006FC8CE vPushReg4
vESP --> 12F760 = 8EC31C
vESP --> 12F75C = E64A6057
vESP --> 12F758 = E644A83E
vESP --> 12F754 = 12F758
vESP --> 12F752 = 0004
vESP --> 12F74E = FFFFFFBF
push reg[2c] 217 vESP --> 12F74A = 217 push reg[2c] 217 = add_nand4_06
handler --> 006FE99D vNand4
vESP --> 12F760 = 8EC31C
vESP --> 12F75C = E64A6057
vESP --> 12F758 = E644A83E
vESP --> 12F754 = 12F758
vESP --> 12F752 = 0004
vESP --> 12F74c = 40 nand4_07 = 40 = nand4(add_nand4_06,立即数 BF)
vESP --> 12F74A = 202
handler --> 006FE85B vPopReg4
vESP --> 12F760 = 8EC31C
vESP --> 12F75C = E64A6057
vESP --> 12F758 = E644A83E
vESP --> 12F754 = 12F758
vESP --> 12F752 = 4
vESP --> 12F74c = 40
pop reg[28] 202 清除 reg[28] 中的 add_ImmSx1 efl 246
reg[28] = nand4_07 efl 202
handler --> 006FE2C4 vShr4
vESP --> 12F760 = 8EC31C
vESP --> 12F75C = E64A6057
vESP --> 12F758 = E644A83E
vESP --> 12F754 = 12F758
vESP --> 12F750 = 0004
shr [vesp],[vESP+4] vESP --> 12F74c = 202 栈转换为4字节形式
handler --> 006FE85B vPopReg4
vESP --> 12F760 = 8EC31C
vESP --> 12F75C = E64A6057
vESP --> 12F758 = E644A83E
vESP --> 12F754 = 12F758
vESP --> 12F750 = 0004
pop reg[18] 202 清除 reg[18] 中的 nand4_05 efl 282
reg[18] = vshr efl 246
handler --> 006FEA7D vAdd4 **************************************
vESP --> 12F760 = 8EC31C
vESP --> 12F75C = E64A6057
vESP --> 12F758 = E644A83E
vESP --> 12F754 = 12F75c
vESP --> 12F750 = 202
handler --> 006FE85B vPopReg4
vESP --> 12F760 = 8EC31C
vESP --> 12F75C = E64A6057
vESP --> 12F758 = E644A83E
vESP --> 12F754 = 12F75c
pop reg[3c] 202 清除 reg[3c] 中的 nand4_03 efl 282
reg[3c] = 202
handler --> 006FD949 vReadMemSs4
vESP --> 12F760 = 8EC31C
vESP --> 12F75C = E64A6057
vESP --> 12F758 = E644A83E
vESP --> 12F754 = E64A6057 mov [vesp], 立即数 E64A6057
handler --> 006FE85B vPopReg4
vESP --> 12F760 = 8EC31C
vESP --> 12F75C = E64A6057
vESP --> 12F758 = E644A83E
pop reg[3c] E64A6057 清除 reg[3c] 中的 202
reg[3c] = 立即数 E64A6057
handler --> 006FE85B vPopReg4
vESP --> 12F760 = 8EC31C
vESP --> 12F75C = E64A6057
pop reg[38] E644A83E 清除 reg[38] 中的 add_nand4_06 efl 202
reg[38] = 立即数 E644A83E
handler --> 006FE85B vPopReg4
vESP --> 12F760 = 8EC31C
pop reg[4] E64A6057 reg[4] = 立即数 E64A6057
handler --> 006FC8CE vPushReg4
vESP --> 12F760 = 8EC31C
push reg[3c] E64A6057 vESP --> 12F75c = E64A6057 push 立即数 E64A6057
handler --> 006FE85B vPopReg4
vESP --> 12F760 = 8EC31C
pop reg[38] E64A6057 清除 reg[38] 中的 立即数 E64A6057
reg[38] = 立即数 E64A6057
handler --> 006FC8CE vPushReg4
vESP --> 12F760 = 8EC31C
push reg[38] E64A6057 vESP --> 12F75c = E64A6057 push 立即数 E64A6057
handler --> 006FC8CE vPushReg4
vESP --> 12F760 = 8EC31C
vESP --> 12F75c = E644A83E
push reg[38] E64A6057 vESP --> 12F758 = E64A6057 push 立即数 E64A6057
handler --> 006FE99D vNand4
vESP --> 12F760 = 8EC31C
vESP --> 12F75c = 19B59FA8 nand4_08 = nand4(立即数 E64A6057)
vESP --> 12F758 = 202
handler --> 006FE85B vPopReg4
vESP --> 12F760 = 8EC31C
vESP --> 12F75c = 19B59FA8
pop reg[4] 202 清除 reg[4] 中的 立即数 E64A6057
reg[4] = nand4_08 efl 202
handler --> 006FC9F4 vPushImm4
vESP --> 12F760 = 8EC31C
vESP --> 12F75c = 19BB57C1
vESP --> 12F758 = 19DAC2D7 push 立即数 19DAC2D7
handler --> 006FE99D vNand4
vESP --> 12F760 = 8EC31C
vESP --> 12F75c = E6002000 nand4_09 = nand4(立即数 19DAC2D7,nand4_08)
vESP --> 12F758 = 286
handler --> 006FE85B vPopReg4
vESP --> 12F760 = 8EC31C
vESP --> 12F75c = E6042828
pop reg[18] 286 清除 reg[18] 中的 0
reg[18] = nand4_09 efl 286
handler --> 006FC8CE vPushReg4
vESP --> 12F760 = 8EC31C
vESP --> 12F75c = E6002000
push reg[38] E64A6057 vESP --> 12F758 = E64A6057 push 立即数 E64A6057
handler --> 006FC9F4 vPushImm4
vESP --> 12F760 = 8EC31C
vESP --> 12F75c = E6002000
vESP --> 12F758 = E64A6057
vESP --> 12F754 = E6253D28 push 立即数 E6253D28
handler --> 006FE99D vNand4
vESP --> 12F760 = 8EC31C
vESP --> 12F75c = E6002000
vESP --> 12F758 = 19908280 nand4_10 = nand4(reg[38]立即数 19DAC2D7,立即数 E644A83E)
vESP --> 12F754 = 202
handler --> 006FE85B vPopReg4
vESP --> 12F760 = 8EC31C
vESP --> 12F75c = E6002000
vESP --> 12F758 = 19908280
pop reg[18] 202 清除 reg[18] 中的 nand4_09 efl 202
reg[18] = nand4_10 efl 202
handler --> 006FE99D vNand4 ********************************************************************
vESP --> 12F760 = 8EC31C
vESP --> 12F75c = 006F5D7F jmp_addr = nand4_11 = nand4(nand4_10,nand4_09)
vESP --> 12F758 = 202
**********************************************************************************************************************************
以下为代码总结：
nand4_01 = FFFFFF83 = nand(7C = CreateFile)
add_ImmSx1 = FFFFFF82 = FFFFFFFF + nand4_01；nand4_02 = 7d = nand4(add_ImmSx1)
add_ImmSx1 efl 297 (相对固定值)；nand4_02 efl 206 (相对固定值)
//////////////////////////////////////////////////// //////////////////////////////////////////////////////////
// // // //
// add_ImmSx1 efl 297 & 815 // // nand4_02 efl 206 & ~815 //
// // // //
//////////////////////////////////////////////////// //////////////////////////////////////////////////////////
// // // //
// nand4_03 = FFFFFD68 = nand4(add_ImmSx1 efl) // // nand4_05 = FFFFFDF9 = nand4(nand4_02 efl) //
// // // //
// nand4_04 = 15 = nand4(nand4_03,FFFFF7EA) // // nand4_06 = nand4(立即数 815,nand4_05) //
// // // //
//////////////////////////////////////////////////// //////////////////////////////////////////////////////////
/////////////////////////////////////////////////////////
// //
// add_nand4_06 = 217 = nand4_06 + nand4_04 //
// //
// add_nand4_06 = (297 & 815) + (206 & ~815) //
// //
/////////////////////////////////////////////////////////
(判断标志位) nand4_07 = 40 = nand4(add_nand4_06, FFFFFFBF)
shr nand4_07,4 (nand4_07 右移 4 位 = 4)
此时 [[vESP]] 为加密的 vJmp 地址 A，[[vESP]+4] 为加密的 vJmp 地址 B
add [vESP],nand4_07 (即 [vESP] + 4)，以此选择加密的跳转地址
nand4_08 = nand4(加密的vJmp)
nand4_09 = nand4(立即数 KEY1,nand4_08)
nand4_10 = nand4(立即数 KEY2,加密的vJmp)
jmp_addr = nand4_11 = nand4(nand4_10,nand4_09)
小弟刚刚入门开始逆向，还请各位大牛多多指教。