源代码如下
push fbb5f5                        // dead store: the add esp,04h below immediately discards the slot
add esp, 04h                       // NOTE: add updates ZF/SF/PF/CF/OF from esp+4 — these are the flags the pushf below captures
push 40b                           // first value that survives on the stack
pushf                              // pushes the flags left by the add esp,04h above
push 103bcd4                       // dead store (slot discarded by the next add)
add esp, 04h
push 103bcde                       // value stays at [esp-4] after the next add
add esp, 04h
lea esp, dword ptr ss:[esp-04h]    // esp -= 4 without touching flags; [esp] is 103bcde again
xchg dword ptr ss:[esp], eax       // eax = 103bcde; the caller's eax is saved in that slot
not eax                            // eax = ~103bcde = FEFC4321
and eax, eax                       // value unchanged; only flags are updated
push 103bd12                       // dead store (same slot is rewritten by push 103bd1c)
add esp, 04h
push 103bd1c
add esp, 04h
lea esp, dword ptr ss:[esp-04h]    // [esp] = 103bd1c
xchg dword ptr ss:[esp], eax       // two xchg on the same slot: net no-op
xchg dword ptr ss:[esp], eax
push 103bd56                       // dead store (same slot is rewritten by the later pushes)
add esp, 04h
lea esp, dword ptr ss:[esp+04h]    // esp += 4, abandoning the 103bd1c slot below esp
push 103bd7c                       // seed of the return address
push 103bd81                       // dead store (rewritten by push 103bda7 below)
add esp, 04h
add dword ptr ss:[esp], 49h        // [esp] = 103bd7c + 49h = 103bdc5; flags clobbered again
push 103bda7                       // written to the slot just below the return address, then "popped"
add esp, 04h
ret                                // jumps to 103bdc5; esp now points at the saved eax slot
第一次压缩
push imm                           // the value lands at [esp-4] ...
add esp, 04h                       // ... and esp is restored: net effect mov [esp-4],imm (the flag update of add is lost)
清理以后
mov [esp-4],fbb5f5                 // dead: overwritten by push 40b
push 40b
pushf                              // NOTE: in the original the flags came from add esp,04h; that producer is now gone
mov [esp-4],103bcd4                // dead: overwritten by the next store
mov [esp-4],103bcde
lea esp, dword ptr ss:[esp-04h]    // store + lea esp-4 == push 103bcde
xchg dword ptr ss:[esp], eax       // eax = 103bcde, caller's eax saved at [esp]
not eax                            // eax = FEFC4321
and eax, eax                       // flags only
mov [esp-4],103bd12                // dead: overwritten by the next store
mov [esp-4],103bd1c
lea esp, dword ptr ss:[esp-04h]    // == push 103bd1c
xchg dword ptr ss:[esp], eax       // xchg pair: net no-op
xchg dword ptr ss:[esp], eax
mov [esp-4],103bd56                // dead: rewritten by mov [esp-4],103bda7 at the end (same slot after lea/push)
lea esp, dword ptr ss:[esp+04h]
push 103bd7c
mov [esp-4],103bd81                // dead: rewritten by the last store
add dword ptr ss:[esp], 49h        // [esp] = 103bdc5
mov [esp-4],103bda7
ret
第二次压缩清理重复指令
push 40b
pushf
mov [esp-4],103bcde                // only the last store to [esp-4] in each run was kept
lea esp, dword ptr ss:[esp-04h]
xchg dword ptr ss:[esp], eax
not eax
and eax, eax
mov [esp-4],103bd1c
lea esp, dword ptr ss:[esp-04h]    // the xchg/xchg no-op pair that followed here was dropped
mov [esp-4],103bd56
lea esp, dword ptr ss:[esp+04h]
push 103bd7c
add dword ptr ss:[esp], 49h
mov [esp-4],103bda7
ret
第三次压缩
mov [esp-4],imm                    // store below esp ...
lea esp, dword ptr ss:[esp-04h]    // ... then lower esp onto it — exactly push (lea leaves flags alone)
==》push imm
push 40b
pushf
push 103bcde                       // folded from mov [esp-4] + lea esp-4
xchg dword ptr ss:[esp], eax       // eax = 103bcde, caller's eax saved on the stack
not eax
and eax, eax
push 103bd1c                       // folded likewise
mov [esp-4],103bd56                // dead store, kept until step 7
lea esp, dword ptr ss:[esp+04h]
push 103bd7c
add dword ptr ss:[esp], 49h
mov [esp-4],103bda7
ret
第四次清理xchg这种不好识别的指令
push 40b
pushf
push eax                           // push imm + xchg [esp],eax == push eax + mov eax,imm
mov eax,103bcde
not eax
and eax, eax
push 103bd1c
mov [esp-4],103bd56
lea esp, dword ptr ss:[esp+04h]
push 103bd7c
add dword ptr ss:[esp], 49h
mov [esp-4],103bda7
ret
第五步清理逻辑运算
(not a) and (not a)
==》not a （and eax,eax 不改变 eax 的值，只更新标志位，可以直接去掉）
push 40b
pushf
push eax
mov eax,FEFC4321                   // = ~103bcde; the and eax,eax only affected flags and was dropped
push 103bd1c
mov [esp-4],103bd56
lea esp, dword ptr ss:[esp+04h]
push 103bd7c
add dword ptr ss:[esp], 49h
mov [esp-4],103bda7
ret
第六步
lea esp, dword ptr ss:[esp+04h]    // raise esp by one slot ...
push imm                           // ... then push back into that same slot == overwrite [esp] in place
==》mov [esp],imm
整理后
push 40b
pushf
push eax
mov eax,FEFC4321
push 103bd1c
mov [esp-4],103bd56                // dead: same slot is rewritten by mov [esp-4],103bda7 below
mov [esp],103bd7c                  // folded from lea esp+4 + push
add dword ptr ss:[esp], 49h        // [esp] = 103bdc5
mov [esp-4],103bda7
ret
第七步 清理重复指令并且消去数学计算
push 40b
pushf
push eax
mov eax,FEFC4321
push 103bd1c                       // slot is overwritten on the next line
mov [esp],103BDC5                  // 103bd7c + 49h, constant-folded
mov [esp-4],103bda7                // store below esp; the ret never pops it
ret
第八步
push imm1                          // imm1 is never read ...
mov [esp],imm2                     // ... because the slot is overwritten at once
==》push imm2
整理后
push 40b
pushf                              // NOTE: original flags came from the removed add esp,04h
push eax                           // caller's eax is saved on the stack ...
mov eax,FEFC4321                   // ... and replaced with ~103bcde
push 103BDC5                       // return address consumed by the ret below
mov [esp-4],103bda7                // store below esp; dead under normal semantics unless later code reads below esp
ret                                // continues at 103BDC5 with esp pointing at the saved eax
基本是完成了第一次清洗
这里计算 ret 的返回地址也比较简单，只需要模拟 not、and 以及 add 指令即可，计算结果是 103BDC5。注意清洗过程丢弃了 add esp,04h 和 and eax,eax 对标志位的影响，原始代码中 pushf 压入的标志位实际来自它前面的 add esp,04h，若后续代码依赖该标志位需要保留。从后面 ret 的返回地址来看，后面的代码仍然使用 xchg 和 eax 来计算 ret 的返回地址，所以判定 eax 应该是在后面作为一个 temp 变量来使用，可以称作 key，会由壳自动维护这个值。那么这清洗出来的 7 句代码中，有用的只有前三句，后面的用来参与程序逻辑。
push 40b
pushf
push eax //author's annotation: eax = BaseThreadInitThunk here — not established by the listing itself, confirm in the debugger