[Original] 看雪 2016 CTF, Problem 4: Anti-WProtect
Posted on: 2016-11-25 16:34 7671
@F: the VM is not as hard as you might imagine.
Problem 4 has still not been cracked to my satisfaction, so the analysis write-up has been left hanging unfinished; what follows is only the decompilation, restoration and cleanup of WProtect.
I. The unsolved part
The open question is how to solve MD5HashXor17Str = (MD5Hash(keyHead7Str)+MD5Hash(keyHead7Str)[0:7]) ^ Tail17Str quickly,
where MD5HashXor17Str = [0xED, 0xF7, 0xE2, 0x66, 0xB7, 0xC5, 0xD6, 0x8D, 0x47, 0x7B, 0x5F, 0x89, 0x84, 0x89, 0x8A, 0x56, 0xB9, 0xFF, 0xE3, 0x34, 0xBB, 0xCE, 0x82]
(1) Because of the (MD5Hash(keyHead7Str)+MD5Hash(keyHead7Str)[0:7]) term, the first and last seven bytes of MD5HashXor17Str are XORed with the same seven hash bytes:
a = [0xED, 0xF7, 0xE2, 0x66, 0xB7, 0xC5, 0xD6] = MD5Hash(keyHead7Str)[0:7] ^ Tail17Str[0:7]
b = [0xB9, 0xFF, 0xE3, 0x34, 0xBB, 0xCE, 0x82] = MD5Hash(keyHead7Str)[0:7] ^ Tail17Str[-7:]
for i in range(0, 7):
    # XOR a and b byte by byte; the shared hash bytes cancel out
    print("0x{:02X},".format(a[i] ^ b[i]), end=" ")
c = a ^ b = [0x54, 0x08, 0x01, 0x52, 0x0C, 0x0B, 0x54] = Tail17Str[0:7] ^ Tail17Str[-7:]
That is, if we restrict ourselves to printable characters, we can restrict the set chs717 of (first seven characters, last seven characters) pairs of Tail17Str, which reduces the enumeration space.
c = [0x54, 0x08, 0x01, 0x52, 0x0C, 0x0B, 0x54]   # a ^ b, computed above
pc = [i for i in range(33, 127)]                 # printable ASCII codes
chs717 = {}
for i in range(0, 7):
    chs717[i] = []
    print("{:02X}".format(i), end=" ")
    # every printable pair (c1, c2) whose XOR equals c[i] is a candidate for
    # (Tail17Str[i], Tail17Str[-7 + i])
    for c1 in pc:
        for c2 in pc:
            if c[i] == (c1 ^ c2):
                chs717[i].append([chr(c1), chr(c2)])
                # equivalent test: if (a[i] ^ c1) == (b[i] ^ c2):
                print("({},{})".format(chr(c1), chr(c2)), end=" ")
    print("")
(2) But there seems to be no way to determine the hash of the first seven characters, keyHead7Str, from the reverse direction; if it could be determined, hashcat or an online MD5 service would give the answer quickly.
Taking an element of the Tail17Str[0:7], Tail17Str[-7:] pair set, such as ('!!"!!!!', 'u)#s-*u'), and filling the middle with an m_str such as "123456789" gives a Tail17Str (hashxorstr below);
combined with MD5HashXor17Str = (MD5Hash(keyHead7Str)+MD5Hash(keyHead7Str)[0:7]) ^ Tail17Str, we can then determine a hash that satisfies the equation.
The biggest problem here is that a hash obtained this way is not guaranteed to map back to a keyHead7Str, i.e. it is not guaranteed to lie in the set of values MD5Hash(keyHead7Str) can take.
# the pair from the text, with a filler in the middle: 7 + 9 + 7 = 23 characters
p_str = '!!"!!!!'
m_str = "123456789"
s_str = 'u)#s-*u'
hashxorstr = p_str + m_str + s_str
def getHash(hashxorstr):
    # XOR the candidate tail back against the stored bytes to recover the 16 hash bytes
    MD5Hash = [0xED, 0xF7, 0xE2, 0x66, 0xB7, 0xC5, 0xD6, 0x8D, 0x47, 0x7B, 0x5F, 0x89, 0x84, 0x89, 0x8A, 0x56, 0xB9, 0xFF, 0xE3, 0x34, 0xBB, 0xCE, 0x82]
    hash_str = ""
    chs = [i for i in hashxorstr]
    for i in range(0, 0x10):
        hash_str = hash_str + "{:02X}".format(ord(chs[i]) ^ MD5Hash[i])
    return hash_str
(3) So for now the only approach I can think of is forward enumeration by program; as for comparing the efficiency of ordinary CPU code against OpenCL GPU code, I have not implemented it myself, so I have no standing to comment.
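As an added illustration (my own code, not code from the original post), the relations in (1) and (2) and the forward check of (3) written out as one Python 3 module: the tail-pair constraint c = a ^ b, the printable pair set, recovery of the hash implied by a candidate tail, and the forward test of a head guess against the stored XOR bytes using hashlib. The 23 XOR bytes are those given above; the sample tail is constructed from the pair ('!!"!!!!', 'u)#s-*u') and the filler "123456789" in the text; the function names are mine.

```python
import hashlib

# The 23 bytes the binary compares against (MD5HashXor17Str from the post).
TARGET = bytes([0xED, 0xF7, 0xE2, 0x66, 0xB7, 0xC5, 0xD6, 0x8D, 0x47, 0x7B, 0x5F, 0x89,
                0x84, 0x89, 0x8A, 0x56, 0xB9, 0xFF, 0xE3, 0x34, 0xBB, 0xCE, 0x82])
PRINTABLE = range(33, 127)
# Constructed sample tail: the pair from the text around a 9-byte filler (7 + 9 + 7 = 23).
SAMPLE_TAIL = b'!!"!!!!' + b"123456789" + b"u)#s-*u"


def head_tail_xor(target=TARGET):
    """c[i] = target[i] ^ target[16+i]. Both positions are XORed with hash[i], so the
    hash cancels and c[i] == tail[i] ^ tail[16+i]: a constraint on the tail alone."""
    return [target[i] ^ target[16 + i] for i in range(7)]


def printable_pairs(target=TARGET):
    """For each i in 0..6, every printable (tail[i], tail[16+i]) pair satisfying c[i]."""
    c = head_tail_xor(target)
    return {i: [(chr(x), chr(y)) for x in PRINTABLE for y in PRINTABLE if x ^ y == c[i]]
            for i in range(7)}


def derive_hash(tail, target=TARGET):
    """Undo the XOR with a candidate 23-byte tail. Returns the implied 16-byte hash as
    upper-case hex and whether the last 7 bytes really equal hash[0:7] (they must, or
    the tail cannot be right whatever the head is)."""
    if len(tail) != 23:
        raise ValueError("tail must be exactly 23 bytes")
    stream = bytes(t ^ x for t, x in zip(tail, target))
    digest, wrap = stream[:16], stream[16:]
    return digest.hex().upper(), wrap == digest[:7]


def verify_head(head, tail, target=TARGET):
    """Forward check for one head guess: (md5(head) || md5(head)[:7]) ^ tail == target."""
    h = hashlib.md5(head).digest()
    stream = h + h[:7]
    return bytes(s ^ t for s, t in zip(stream, tail)) == target


if __name__ == "__main__":
    print("c =", ["0x%02X" % v for v in head_tail_xor()])
    print("printable pairs at position 0:", len(printable_pairs()[0]))
    print("hash implied by the sample tail:", derive_hash(SAMPLE_TAIL))
    print("head 'abcdefg' fits the sample tail:", verify_head(b"abcdefg", SAMPLE_TAIL))
```

derive_hash makes the point of (2) concrete: any tail built from the pair set yields a hash that satisfies the equation, and the wrap check only rules out tails whose last seven bytes are inconsistent; nothing in it tells you whether the implied value is actually MD5 of some seven-character head, which is why verify_head has to run forwards.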
II. Here only the WProtect it uses is analysed in detail.
a. The program has six virtual code regions in total; the challenge author says three regions were protected. Why six is presumably down to the internal implementation; region (3), for instance, corresponds to just one x86 jump instruction.
b. Make sure IDAPython is working, copy the IDAPython code between the "#----------------" markers below, paste and compile it,
then call vm_start_run(pc,key) and the decompiled code is printed in IDAPython.
The decompiled instruction format is as follows:
b.1 nsi, nbx are the pc and key before the instruction executes;
b.2 esi, ebx are the pc and key after the instruction executes;
b.3 Dispatch[00000001] is the instruction counter within the region being decompiled: 00000001 is the first virtual instruction, 00001B1C the 0x00001B1C-th;
b.4 if the instruction operates on a virtual register, edi.offset is the register's offset from reg-base edi,
Rx denotes the x-th virtual register, and Rx.b / Rx.w are its low byte and word respectively;
b.5 nBp:xx is the stack tracking. It is the decisive reference for removing redundancy from the decompiled output, and it was added precisely to support that.
Dispatch[00000001] nsi:00438AB5 nbx:EDCBF0A8 14 0042F441 >> esi:00438AB4 ebx:EC1E7F44 edi.08 d_pop_R2 nBp:4
c. If the decompilation run seems slow, be patient; it normally takes no more than a few minutes.
The main reason is that WProtect adds a very large amount of redundant code, but the redundancy is all simple, just push and pop, and can be removed by balancing it against nBp.
d. The main scaffolding is
VMHandle (translates instructions),
OpDiffnEbpDict (tracks the stack),
asm (its idea is similar to AsmJit built from source: it lets vm_handlefunction handlers be added quickly.
At first the same functionality was written with ctypes in each vm; one or two are fine, but with many of them omissions are hard to avoid and they are hard to debug and maintain).
Not all WProtect instructions are handled here; basically, whenever an unimplemented one shows up it is added quickly through asm.
To get a feel for how well this works, drop a few vm_function entries when you copy and compile the code; the decompilation result will tell you what to do.
No handler is added for ret here, because at that point execution has already finished. That holds for WProtect, and for the case of few VM code blocks;
with more code, or with 老毛's VMP, it still has to be implemented diagnostically.
e. vm_handle_function only simulates the behaviour of pc and key; it does not touch memory or perform any other execution.
Emulated execution in Python could also be implemented; many constants and jump targets in 老毛's VMP need decoding, so that case requires some tracing execution to step in.
If you see redundant push/pop driving nBp far past its starting boundary, don't be surprised:
this is purely stack tracking, and the value is correct. It does not actually overflow in practice because the real WProtect runs vm_chekc_stack
at every instruction (essentially after every instruction); see that function's assembly. It checks ebp's growth and,
once it gets close to the boundary of the edi virtual-register area, automatically grows reg-base edi and migrates, guaranteeing enough ebp stack space.
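To make b.1-b.5, the nBp stack tracking of item c and the push/pop folding of items d and e concrete, here is an added Python 3 example (my own code, not the post's IDAPython script) that parses Dispatch lines in the format shown above, replays them on a symbolic stack and emits pseudo-code in the post's style; it also compares the trace's nBp with the modelled stack depth, which is how omitted or unmodelled instructions show up. The two trace fragments are copied from the post's chip1 listing further down; register R3 is seeded as holding ebp, which the first nine pops of that listing establish. The function names, the (base, offset) value representation and the mismatch comment are my assumptions; only the d_-sized operations and b_push_imm_sx are modelled.

```python
import re

# Trace fragments copied from the post's chip1 (0x43540E) listing: Dispatch 0A..0E lifts to
# "R6 = R3.ebp - 70h", Dispatch 1B19..1B1E to "dword ptr[R3.ebp - 3C8h] = 67452301h".
SAMPLE_A = """\
Dispatch[0000000A] nsi:004353FB nbx:6693982A 23 0042F623 >> esi:004353FA ebx:669308A0 edi.0C d_push_regR3 nBp:20
Dispatch[0000000B] nsi:004353F9 nbx:996CA2D0 1D 0042F563 >> esi:004353F8 ebx:B62EA24C b_push_imm_sx -112 (-70h FFFFFF90) nBp:1C
Dispatch[0000000C] nsi:004353F7 nbx:49D13C7C 0A 0042F2E5 >> esi:004353F7 ebx:8B62EAE6 d_add s1_Opnd,s2_Opnd >> s1_flag,s2_sum nBp:1C
Dispatch[0000000D] nsi:004353F6 nbx:749D8516 14 0042F441 >> esi:004353F5 ebx:05B027D2 edi.50 d_pop_R20 nBp:20
Dispatch[0000000E] nsi:004353F4 nbx:FA4FC202 14 0042F441 >> esi:004353F3 ebx:21F80C0D edi.18 d_pop_R6 nBp:24
"""
SAMPLE_B = """\
Dispatch[00001B19] nsi:00431DD1 nbx:4F2E0093 10 0042F3A3 >> esi:00431DCD ebx:FF898989 d_push_imm 67452301h (67452301h) nBp:1C
Dispatch[00001B1A] nsi:00431DCC nbx:007623B9 23 0042F623 >> esi:00431DCB ebx:00766E2F edi.0C d_push_regR3 nBp:18
Dispatch[00001B1B] nsi:00431DCA nbx:FF89085F 10 0042F3A3 >> esi:00431DC6 ebx:D7C7EF0C d_push_imm FFFFFC38h (-3C8h) nBp:14
Dispatch[00001B1C] nsi:00431DC5 nbx:2838893C 0A 0042F2E5 >> esi:00431DC5 ebx:8D7C761A d_add s1_Opnd,s2_Opnd >> s1_flag,s2_sum nBp:14
Dispatch[00001B1D] nsi:00431DC4 nbx:7283104A 14 0042F441 >> esi:00431DC3 ebx:5A1EB790 edi.2C d_pop_R11 nBp:18
Dispatch[00001B1E] nsi:00431DC2 nbx:A5E151C0 30 0042F7C6 >> esi:00431DC2 ebx:8545E987 d_write_mem [s1_mem],s2_Opnd nBp:20
"""

LINE_RE = re.compile(
    r"Dispatch\[(?P<idx>[0-9A-F]+)\] nsi:(?P<nsi>[0-9A-F]+) nbx:(?P<nbx>[0-9A-F]+) "
    r"(?P<op>[0-9A-F]{2}) (?P<handler>[0-9A-F]+) >> esi:(?P<esi>[0-9A-F]+) ebx:(?P<ebx>[0-9A-F]+) "
    r"(?:edi\.(?P<edi>[0-9A-F]+) )?(?P<mnem>.+?) nBp:(?P<nbp>-?[0-9A-F]+)$")

def parse_trace(text):
    """One dict per Dispatch line (fields b.1-b.5); nBp becomes an int, it is hex and may be negative."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["nbp"] = int(d["nbp"], 16)
            entries.append(d)
    return entries

def immediate(mnem):
    """'d_push_imm FFFFFC38h (-3C8h)' -> -0x3C8; 'b_push_imm_sx -112 (-70h FFFFFF90)' -> -112."""
    tok = mnem.split()[1]
    if tok.endswith("h"):
        v = int(tok[:-1], 16)
        return v - (1 << 32) if v & 0x80000000 else v
    return int(tok)

def render(val):
    """Symbolic values are (base, offset); base None is a plain constant."""
    base, off = val
    if base is None:
        return "%Xh" % (off & 0xFFFFFFFF)
    return base if off == 0 else "%s %s %Xh" % (base, "-" if off < 0 else "+", abs(off))

def reg_operand(r, regs):
    """Push of VM register r: 'R3.ebp' while it still holds a host register captured at VM entry, else its name."""
    base, off = regs.get(r, (None, None))
    if base is not None and off == 0 and base.islower():
        return ("%s.%s" % (r, base), 0)
    return (r, 0)

def lift(text, regs=None):
    """Replay the trace on a symbolic stack and emit the post's style of pseudo-code; R3 = ebp by default."""
    regs = dict(regs if regs is not None else {"R3": ("ebp", 0)})
    stack, out, nbp_base = [], [], None
    for e in parse_trace(text):
        m = e["mnem"]
        if m.startswith("d_pop_R"):
            regs[m[6:]] = stack.pop()
            out.append("%s = %s" % (m[6:], render(regs[m[6:]])))
        elif m.startswith("d_push_reg"):
            stack.append(reg_operand(m[10:], regs))
        elif m.startswith("d_push_imm") or m.startswith("b_push_imm_sx"):
            stack.append((None, immediate(m)))            # sign-extended, still one dword slot
        elif m.startswith("d_add"):
            s1, s2 = stack.pop(), stack.pop()              # s1 was pushed last
            if s2[0] is None and s1[0] is not None:
                s1, s2 = s2, s1                            # keep the symbolic side as base
            total = (s2[0], s2[1] + s1[1]) if s1[0] is None else ("%s + %s" % (render(s2), render(s1)), 0)
            stack.append(total)                            # s2_sum ...
            stack.append(("flag", 0))                      # ... with s1_flag on top
        elif m.startswith("d_write_mem"):
            addr, value = stack.pop(), stack.pop()         # [s1_mem] = s2_Opnd
            out.append("dword ptr[%s] = %s" % (render(addr), render(value)))
        else:
            out.append("; unhandled %s (stack not modelled)" % m)
        # The trace's nBp must equal the modelled depth (4 bytes per slot): calibrate on the
        # first line, after that any gap means instructions were omitted or not modelled.
        if nbp_base is None:
            nbp_base = e["nbp"] + 4 * len(stack)
        elif nbp_base - 4 * len(stack) != e["nbp"]:
            out.append("; nBp mismatch at Dispatch[%s]: trace %X, model %X"
                       % (e["idx"], e["nbp"], nbp_base - 4 * len(stack)))
    return out

if __name__ == "__main__":
    for sample in (SAMPLE_A, SAMPLE_B):
        print("\n".join(lift(sample)))
```

The "R20 = flag" and "R11 = flag" lines it emits are exactly the flag spills the post strips by hand in the "extracted and trimmed" steps; the nBp comparison is what tells you that a fragment is incomplete, since feeding SAMPLE_A followed directly by SAMPLE_B reports a mismatch at Dispatch[00001B19] where the omitted instructions sit.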
f. How to dynamically debug WProtect without any extra tooling?
Since the decompilation is already done,
to debug the virtual instruction stream starting at instruction 3464 (00000D88) of Hi_WProtectVMCodes_chip2_word_438AB6:
f.1 just set a hardware single-byte access breakpoint on nsi:00436FA8 or esi:00436FA4 and it will stop; nsi and esi break before and after the instruction executes respectively.
f.2 To single-step from there, once stopped as in f.1, set an ordinary breakpoint on the dispatch function ".WProtec:0042FCD9 gfOpF_dispatch".
From then on, every F9 that runs to the breakpoint means one virtual instruction has completed.
Dispatch[00000D88] nsi:00436FA8 nbx:8D7D2538 10 0042F3A3 >> esi:00436FA4 ebx:78AEB37C d_push_imm 00000004h (4h) nBp:20
Dispatch[00000D89] nsi:00436FA3 nbx:87514DAC 23 0042F623 >> esi:00436FA2 ebx:87515C1A edi.34 d_push_regR13 nBp:1C
Dispatch[00000D8A] nsi:00436FA1 nbx:78AEF64A 0A 0042F2E5 >> esi:00436FA1 ebx:A8751F49 d_add s1_Opnd,s2_Opnd >> s1_flag,s2_sum nBp:1C
Dispatch[00000D8B] nsi:00436FA0 nbx:578AB979 14 0042F441 >> esi:00436F9F ebx:D16D1640 edi.18 d_pop_R6 nBp:20
f.3 Of course, the forum also has general-purpose VMP plugins that can be used for debugging and decompilation, but those are generic debugging plugins written against specific early 老毛 versions, and you would have to add your own instruction set.
g. The WProtect used by the CTF04 author has modified virtual-instruction opcodes compared with the open-source project; for example, in the code below
opcode 0x01 is VMHandle_b_read_stack in the open-source project's source, but corresponds to d_pop_reg in the CTF04 VM.
VMHandle = {
    0x01:"d_pop_reg",#"VMHandle_b_read_stack",
    0x02:"rdtsc",#"VMHandle_w_read_stack",
    0x03:"w_shl",#"VMHandle_d_read_stack",
    0x04:"b_nand",#"VMHandle_b_write_stack",
    ...
}
i. Below is the decompilation of all six virtual code regions of CTF04's WProtect, with redundancy removed and the original operations restored.
(j.) After that come the de-redundant virtual code with its pseudo-code, and the step-by-step tidying of the decompilation toward the original operations.
(k.) is the IDAPython WProtect decompiler code.
Since WProtect only zeroed out the original assembly and the locations are still there, and WProtect's virtualization is basically a direct translation of the assembly (at least in CTF04),
the code can be restored directly (which is why that is not covered here).
#Hi_WProtectVMCodes_chip1_word_43540E
#Hi_WProtectVMCodes_chip2_word_438AB6
#Hi_WProtectVMCodes_chip3_word_43C40E
#Hi_WProtectVMCodes_chip4_word_43C44E
#Hi_WProtectVMCodes_chip5_word_4416DB
#Hi_WProtectVMCodes_chip6_word_44BB93
(1) vm_start_run(0x43540E,0x12345678): the decompiled code, tidied up, is as follows; it is in fact the hash function's initialization routine
edx = ebp - 70h
ecx = ebp - 3C8h
dword ptr[ebp - 384h] = 0
dword ptr[ebp - 3B8h] = 0
dword ptr[ebp - 3C8h] = 67452301h
dword ptr[ebp - 3C4h] = EFCDAB89h
dword ptr[ebp - 3C0h] = 98BADCFEh
dword ptr[ebp - 3BCh] = 10325476h
retjmp fun.004014F0h(00000007h,return.fun.0042F10Eh)
// after the hash init, function 004014F0h is called fastcall-style; it is actually the hash's update function: ecx=&HashContext, edx=strPtr, P1.strLen=7
We define the retjmp behaviour as: jump directly to the target function and, after it finishes, continue at return.fun; same below.
(2) vm_start_run(0x438AB6,0x12345678): the decompiled code, tidied up, is as follows
pop xxx
edx = ebp - 3C8h
ecx = ebp - 270h
push 004301E4h
push 004015C0h
retjmp fun.004015C0h(ecx,edx,return.fun.004301E4h)
(3)vm_start_run(0x43C40E,0x12345678)
dword ptr[R9.ebp-260h] = dword ptr [R9.ebp-270h]
word ptr[R9.ebp-25Ch] = word ptr[R9.ebp-26Ch]
byte ptr[R9.ebp-25Ah] = byte ptr[R9.ebp-26Ah]
retjmp fun.0040115Eh()
(4) vm_start_run(0x43C44E,0x12345678): the decompiled code, tidied up, is as follows
retjmp fun.004012B5h()
(5) vm_start_run(0x4416DB,0x12345678): the decompiled code, tidied up, is as follows
R23 = dword ptr[R1.ebp - 3FCh]
b = byte ptr[R1.ebp - 3C9h]
byte ptr[R23] = 0x0D ^ b
retjmp fun.00401366h()
(6)vm_start_run(0x44BB93 ,0x12345678)
R18 = dword ptr[R6.ebp-3F8h]
R9 = dword ptr[R6.ebp-3F0h]
R18 = R18 << 4
R9 = R18 + R9
b = byte ptr[R9-370h+R6.ebp] = byte ptr[R6.ebp-370h+R9]
byte ptr[R9-170h+R6.ebp] = 80h ^ b
retjmp fun.004013AAh()
j. Below is the process of restoring the code from the virtual instructions (large runs of redundant virtual instructions have been deleted)
#------- ======= ------- ======= ------- ======= ------- ======= ------- ======= ------- ======= -------
#------- ======= ------- ======= ------- ======= ------- ======= ------- ======= ------- ======= -------
(1)vm_start_run(0x43540E,0x12345678)
.+20h push eax
.+1Ch push edi
.+18h pushf
.+14h push ebp
.+10h push esi
.+0Ch push 1E240
.+08h push ecx
.+04h push edx
.+00h push ebx ------- ------- ------- ebp
...
.-C8h ------- ------- ------- ------- edi
#ebx = 12345678h
#esi = Hi_WProtectVMCodes_chip1_word_43540E
Python>vm_start_run(0x43540E,0x12345678)
Dispatch[00000001] nsi:0043540D nbx:EDCBF0A8 14 0042F441 >> esi:0043540C ebx:EC1E7F44 edi.00 d_pop_R0 nBp:4
Dispatch[00000002] nsi:0043540B nbx:13E11974 14 0042F441 >> esi:0043540A ebx:3B63EDE6 edi.18 d_pop_R6 nBp:8
Dispatch[00000003] nsi:00435409 nbx:C49C8816 14 0042F441 >> esi:00435408 ebx:F26028D1 edi.3C d_pop_R15 nBp:C
Dispatch[00000004] nsi:00435407 nbx:0D9FC301 14 0042F441 >> esi:00435406 ebx:21CE0D42 edi.24 d_pop_R9 nBp:10
Dispatch[00000005] nsi:00435405 nbx:DE31A772 14 0042F441 >> esi:00435404 ebx:438FEE4B edi.28 d_pop_R10 nBp:14
Dispatch[00000006] nsi:00435403 nbx:BC70887B 14 0042F441 >> esi:00435402 ebx:3591186F edi.0C d_pop_R3 nBp:18
Dispatch[00000007] nsi:00435401 nbx:CA6EB29F 14 0042F441 >> esi:00435400 ebx:10C4590F edi.08 d_pop_R2 nBp:1C
Dispatch[00000008] nsi:004353FF nbx:EF3BF33F 14 0042F441 >> esi:004353FE ebx:ECD89FBB edi.20 d_pop_R8 nBp:20
Dispatch[00000009] nsi:004353FD nbx:132739EB 14 0042F441 >> esi:004353FC ebx:996CFDFA edi.5C d_pop_R23 nBp:24
R0 = ebx
R6 = edx
R15 = ecx
R9 = 1E240
R10 = esi
R3 = ebp
R2 = flag
R8 = edi
R23 = eax
Dispatch[0000000A] nsi:004353FB nbx:6693982A 23 0042F623 >> esi:004353FA ebx:669308A0 edi.0C d_push_regR3 nBp:20
Dispatch[0000000B] nsi:004353F9 nbx:996CA2D0 1D 0042F563 >> esi:004353F8 ebx:B62EA24C b_push_imm_sx -112 (-70h FFFFFF90) nBp:1C
Dispatch[0000000C] nsi:004353F7 nbx:49D13C7C 0A 0042F2E5 >> esi:004353F7 ebx:8B62EAE6 d_add s1_Opnd,s2_Opnd >> s1_flag,s2_sum nBp:1C
Dispatch[0000000D] nsi:004353F6 nbx:749D8516 14 0042F441 >> esi:004353F5 ebx:05B027D2 edi.50 d_pop_R20 nBp:20
Dispatch[0000000E] nsi:004353F4 nbx:FA4FC202 14 0042F441 >> esi:004353F3 ebx:21F80C0D edi.18 d_pop_R6 nBp:24
R6 = R3.ebp - 70h
Dispatch[0000000F] nsi:004353F2 nbx:DE07A63D 10 0042F3A3 >> esi:004353EE ebx:CCB6DE00 d_push_imm 00000000h (0h) nBp:20
Dispatch[00000010] nsi:004353ED nbx:33497830 23 0042F623 >> esi:004353EC ebx:334928B6 edi.0C d_push_regR3 nBp:1C
Dispatch[00000011] nsi:004353EB nbx:CCB6C2E6 10 0042F3A3 >> esi:004353E7 ebx:459C2576 d_push_imm FFFFFC4Ch (-3B4h) nBp:18
Dispatch[00000012] nsi:004353E6 nbx:BA63BFA6 0A 0042F2E5 >> esi:004353E6 ebx:E459C2B3 d_add s1_Opnd,s2_Opnd >> s1_flag,s2_sum nBp:18
Dispatch[00000013] nsi:004353E5 nbx:1BA65CE3 14 0042F441 >> esi:004353E4 ebx:975CC262 edi.30 d_pop_R12 nBp:1C
Dispatch[00000014] nsi:004353E3 nbx:68A35C92 30 0042F7C6 >> esi:004353E3 ebx:8D711A32 d_write_mem [s1_mem],s2_Opnd nBp:24
dword ptr[R3.ebp - 384h] = 0
Dispatch[00000015] nsi:004353E2 nbx:728EB462 23 0042F623 >> esi:004353E1 ebx:728EE4E8 edi.0C d_push_regR3 nBp:20
Dispatch[00000016] nsi:004353E0 nbx:8D717F18 10 0042F3A3 >> esi:004353DC ebx:1B7DB37C d_push_imm FFFFFC38h (-3C8h) nBp:1C
Dispatch[00000017] nsi:004353DB nbx:E4824DAC 0A 0042F2E5 >> esi:004353DB ebx:81B7D9D3 d_add s1_Opnd,s2_Opnd >> s1_flag,s2_sum nBp:1C
Dispatch[00000018] nsi:004353DA nbx:7E487403 14 0042F441 >> esi:004353D9 ebx:B4D2044C edi.14 d_pop_R5 nBp:20
//
Dispatch[00000D95] nsi:004338E0 nbx:EE4482F8 14 0042F441 >> esi:004338DF ebx:75FE1F4C edi.3C d_pop_R15 nBp:24
R15 = R3.ebp - 3C8h
Dispatch[00000D96] nsi:004338DE nbx:8A01B97C 10 0042F3A3 >> esi:004338DA ebx:9D50D360 d_push_imm 00000000h (0h) nBp:20
Dispatch[00000D97] nsi:004338D9 nbx:62AF6D90 23 0042F623 >> esi:004338D8 ebx:62AF3C16 edi.0C d_push_regR3 nBp:1C
Dispatch[00000D98] nsi:004338D7 nbx:9D50D646 10 0042F3A3 >> esi:004338D3 ebx:163723FB d_push_imm FFFFFC48h (-3B8h) nBp:18
Dispatch[00000D99] nsi:004338D2 nbx:E9C8BE2B 0A 0042F2E5 >> esi:004338D2 ebx:916372CB d_add s1_Opnd,s2_Opnd >> s1_flag,s2_sum nBp:18
Dispatch[00000D9A] nsi:004338D1 nbx:6E9C0CFB 14 0042F441 >> esi:004338D0 ebx:EA5C17B1 edi.30 d_pop_R12 nBp:1C
Dispatch[00000D9B] nsi:004338CF nbx:15A3B1E1 30 0042F7C6 >> esi:004338CF ebx:8EC7C57B d_write_mem [s1_mem],s2_Opnd nBp:24
dword ptr[R3.ebp - 3B8h] = 0
Dispatch[00000D9C] nsi:004338CE nbx:71385FAB 10 0042F3A3 >> esi:004338CA ebx:52824A9A d_push_imm 00000007h (7h) nBp:20
push 00000007h
// n redundant instructions omitted; n can be read off here
Dispatch[00001B19] nsi:00431DD1 nbx:4F2E0093 10 0042F3A3 >> esi:00431DCD ebx:FF898989 d_push_imm 67452301h (67452301h) nBp:1C
Dispatch[00001B1A] nsi:00431DCC nbx:007623B9 23 0042F623 >> esi:00431DCB ebx:00766E2F edi.0C d_push_regR3 nBp:18
Dispatch[00001B1B] nsi:00431DCA nbx:FF89085F 10 0042F3A3 >> esi:00431DC6 ebx:D7C7EF0C d_push_imm FFFFFC38h (-3C8h) nBp:14
Dispatch[00001B1C] nsi:00431DC5 nbx:2838893C 0A 0042F2E5 >> esi:00431DC5 ebx:8D7C761A d_add s1_Opnd,s2_Opnd >> s1_flag,s2_sum nBp:14
Dispatch[00001B1D] nsi:00431DC4 nbx:7283104A 14 0042F441 >> esi:00431DC3 ebx:5A1EB790 edi.2C d_pop_R11 nBp:18
Dispatch[00001B1E] nsi:00431DC2 nbx:A5E151C0 30 0042F7C6 >> esi:00431DC2 ebx:8545E987 d_write_mem [s1_mem],s2_Opnd nBp:20
dword ptr[R3.ebp - 3C8h] = 67452301h
Dispatch[00001B1F] nsi:00431DC1 nbx:7ABA83B7 10 0042F3A3 >> esi:00431DBD ebx:63A2AAE6 d_push_imm EFCDAB89h (-10325477h) nBp:1C
Dispatch[00001B20] nsi:00431DBC nbx:9C5D4516 23 0042F623 >> esi:00431DBB ebx:9C5D5394 edi.0C d_push_regR3 nBp:18
Dispatch[00001B21] nsi:00431DBA nbx:63A2EDC4 10 0042F3A3 >> esi:00431DB6 ebx:A6F3122D d_push_imm FFFFFC3Ch (-3C4h) nBp:14
Dispatch[00001B22] nsi:00431DB5 nbx:590CAC5D 0A 0042F2E5 >> esi:00431DB5 ebx:7A6F33E8 d_add s1_Opnd,s2_Opnd >> s1_flag,s2_sum nBp:14
Dispatch[00001B23] nsi:00431DB4 nbx:8590CE18 14 0042F441 >> esi:00431DB3 ebx:3E3B54C1 edi.30 d_pop_R12 nBp:18
Dispatch[00001B24] nsi:00431DB2 nbx:C1C4EEF1 30 0042F7C6 >> esi:00431DB2 ebx:13BBF08D d_write_mem [s1_mem],s2_Opnd nBp:20
dword ptr[R3.ebp - 3C4h] = EFCDAB89h
// n redundant instructions omitted; n can be read off here
Dispatch[000028A1] nsi:004302B9 nbx:99A2F4D0 10 0042F3A3 >> esi:004302B5 ebx:A72B73DD d_push_imm 98BADCFEh (-67452302h) nBp:1C
Dispatch[000028A2] nsi:004302B4 nbx:58D40E0D 23 0042F623 >> esi:004302B3 ebx:58D49A7B edi.0C d_push_regR3 nBp:18
Dispatch[000028A3] nsi:004302B2 nbx:A72B34AB 10 0042F3A3 >> esi:004302AE ebx:E92A4C49 d_push_imm FFFFFC40h (-3C0h) nBp:14
Dispatch[000028A4] nsi:004302AD nbx:16D5E679 0A 0042F2E5 >> esi:004302AD ebx:BE92A046 d_add s1_Opnd,s2_Opnd >> s1_flag,s2_sum nBp:14
Dispatch[000028A5] nsi:004302AC nbx:416D3A76 14 0042F441 >> esi:004302AB ebx:F947E09E edi.48 d_pop_R18 nBp:18
Dispatch[000028A6] nsi:004302AA nbx:06B87ACE 30 0042F7C6 >> esi:004302AA ebx:E1E981B9 d_write_mem [s1_mem],s2_Opnd nBp:20
dword ptr[R3.ebp - 3C0h] = 98BADCFEh
Dispatch[000028A7] nsi:004302A9 nbx:1E161BE9 10 0042F3A3 >> esi:004302A5 ebx:405C3801 d_push_imm 10325476h (10325476h) nBp:1C
Dispatch[000028A8] nsi:004302A4 nbx:BFA3D231 23 0042F623 >> esi:004302A3 ebx:BFA3BEB7 edi.0C d_push_regR3 nBp:18
Dispatch[000028A9] nsi:004302A2 nbx:405C58E7 10 0042F3A3 >> esi:0043029E ebx:724C2913 d_push_imm FFFFFC44h (-3BCh) nBp:14
Dispatch[000028AA] nsi:0043029D nbx:8DB3C343 0A 0042F2E5 >> esi:0043029D ebx:1724C27A d_add s1_Opnd,s2_Opnd >> s1_flag,s2_sum nBp:14
Dispatch[000028AB] nsi:0043029C nbx:E8DB5CAA 14 0042F441 >> esi:0043029B ebx:E7527F15 edi.50 d_pop_R20 nBp:18
Dispatch[000028AC] nsi:0043029A nbx:18AD1945 30 0042F7C6 >> esi:0043029A ebx:B4664638 d_write_mem [s1_mem],s2_Opnd nBp:20
dword ptr[R3.ebp - 3BCh] = 10325476h
Dispatch[000028AD] nsi:00430299 nbx:4B99E068 10 0042F3A3 >> esi:00430295 ebx:5E88316D d_push_imm 0042F10Eh (42F10Eh) nBp:1C
Dispatch[000028AE] nsi:00430294 nbx:A177CB9D 10 0042F3A3 >> esi:00430290 ebx:4DE1DC1C d_push_imm 004014F0h (4014F0h) nBp:18
push 0042F10Eh
push 004014F0h
Dispatch[000028AF] nsi:0043028F nbx:B21E764C 23 0042F623 >> esi:0043028E ebx:B21E22BA edi.08 d_push_regR2 nBp:14
Dispatch[000028B0] nsi:0043028D nbx:4DE1BCEA 23 0042F623 >> esi:0043028C ebx:4DE1ED60 edi.5C d_push_regR23 nBp:10
Dispatch[000028B1] nsi:0043028B nbx:B21E8790 23 0042F623 >> esi:0043028A ebx:B21E1216 edi.3C d_push_regR15 nBp:C
Dispatch[000028B2] nsi:00430289 nbx:4DE1AC46 23 0042F623 >> esi:00430288 ebx:4DE1FCC4 edi.18 d_push_regR6 nBp:8
Dispatch[000028B3] nsi:00430287 nbx:B21E96F4 23 0042F623 >> esi:00430286 ebx:B21E0372 edi.00 d_push_regR0 nBp:4
Dispatch[000028B4] nsi:00430285 nbx:4DE19DA2 23 0042F623 >> esi:00430284 ebx:4DE10C28 edi.0C d_push_regR3 nBp:0
Dispatch[000028B5] nsi:00430283 nbx:B21EA658 23 0042F623 >> esi:00430282 ebx:B21EF2CE edi.28 d_push_regR10 nBp:-4
Dispatch[000028B6] nsi:00430281 nbx:4DE18CFE 23 0042F623 >> esi:00430280 ebx:4DE11D6C edi.20 d_push_regR8 nBp:-8
push R2
push R23
push R15
push R6
push R0
push R3
push R10
push R8
vm_ret
.WProtec:0042F76F mov esp, ebp
.WProtec:0042F771 pop edi
.WProtec:0042F772 pop esi
.WProtec:0042F773 pop ebp
.WProtec:0042F774 pop ebx
.WProtec:0042F775 pop edx
.WProtec:0042F776 pop ecx
.WProtec:0042F777 pop eax
.WProtec:0042F778 popf
.WProtec:0042F779 retn
edi = R8 = edi
esi = R10 = esi
ebp = R3 = ebp
ebx = R0 = ebx
edx = R6 = R3.ebp - 70h
ecx = R15 = R3.ebp - 3C8h
eax = R23 = eax
flag = R2 = flag
#------- ======= ------- ======= ------- ======= ------- ======= ------- ======= ------- ======= -------
(1.1) Extracted and trimmed to
R6 = R3.ebp - 70h
dword ptr[R3.ebp - 384h] = 0
R15 = R3.ebp - 3C8h
dword ptr[R3.ebp - 3B8h] = 0
push 00000007h
dword ptr[R3.ebp - 3C8h] = 67452301h
dword ptr[R3.ebp - 3C4h] = EFCDAB89h
dword ptr[R3.ebp - 3C0h] = 98BADCFEh
dword ptr[R3.ebp - 3BCh] = 10325476h
push 0042F10Eh
push 004014F0h
ret
edx = R6 = R3.ebp - 70h
ecx = R15 = R3.ebp - 3C8h
(1.2) Tidied
edx = ebp - 70h
ecx = ebp - 3C8h
dword ptr[ebp - 384h] = 0
dword ptr[ebp - 3B8h] = 0
dword ptr[ebp - 3C8h] = 67452301h
dword ptr[ebp - 3C4h] = EFCDAB89h
dword ptr[ebp - 3C0h] = 98BADCFEh
dword ptr[ebp - 3BCh] = 10325476h
push 00000007h
push 0042F10Eh
push 004014F0h
ret
retjmp fun.004014F0h(00000007h,return.fun.0042F10Eh)
(1.3) Giving
edx = ebp - 70h
ecx = ebp - 3C8h
dword ptr[ebp - 384h] = 0
dword ptr[ebp - 3B8h] = 0
dword ptr[ebp - 3C8h] = 67452301h
dword ptr[ebp - 3C4h] = EFCDAB89h
dword ptr[ebp - 3C0h] = 98BADCFEh
dword ptr[ebp - 3BCh] = 10325476h
retjmp fun.004014F0h(00000007h,return.fun.0042F10Eh)
We define the retjmp behaviour as: jump directly to the target function and, after it finishes, continue at return.fun
#------- ======= ------- ======= ------- ======= ------- ======= ------- ======= ------- ======= -------
#------- ======= ------- ======= ------- ======= ------- ======= ------- ======= ------- ======= -------
(2)vm_start_run(0x438AB6,0x12345678)
push eax
push edi
pushf
push ebp
push esi
push 1E240
push ecx
push edx
.+00h push ebx ------- ------- ------- ebp
.-C8h ------- ------- ------- ------- edi
#ebx = 12345678h
#esi = Hi_WProtectVMCodes_chip2_word_438AB6
Python>vm_start_run(0x438AB6,0x12345678)
Dispatch[00000001] nsi:00438AB5 nbx:EDCBF0A8 14 0042F441 >> esi:00438AB4 ebx:EC1E7F44 edi.08 d_pop_R2 nBp:4
Dispatch[00000002] nsi:00438AB3 nbx:13E11974 14 0042F441 >> esi:00438AB2 ebx:3B63EDE6 edi.10 d_pop_R4 nBp:8
Dispatch[00000003] nsi:00438AB1 nbx:C49C8816 14 0042F441 >> esi:00438AB0 ebx:F26028D1 edi.50 d_pop_R20 nBp:C
Dispatch[00000004] nsi:00438AAF nbx:0D9FC301 14 0042F441 >> esi:00438AAE ebx:21CE0D42 edi.24 d_pop_R9 nBp:10
Dispatch[00000005] nsi:00438AAD nbx:DE31A772 14 0042F441 >> esi:00438AAC ebx:438FEE4B edi.38 d_pop_R14 nBp:14
Dispatch[00000006] nsi:00438AAB nbx:BC70887B 14 0042F441 >> esi:00438AAA ebx:3591186F edi.60 d_pop_R24 nBp:18
Dispatch[00000007] nsi:00438AA9 nbx:CA6EB29F 14 0042F441 >> esi:00438AA8 ebx:10C4590F edi.18 d_pop_R6 nBp:1C
Dispatch[00000008] nsi:00438AA7 nbx:EF3BF33F 14 0042F441 >> esi:00438AA6 ebx:ECD89FBB edi.3C d_pop_R15 nBp:20
Dispatch[00000009] nsi:00438AA5 nbx:132739EB 14 0042F441 >> esi:00438AA4 ebx:996CFDFA edi.04 d_pop_R1 nBp:24
R2 = ebx
R4 = edx
R20 = ecx
R9 = 1E240
R14 = esi
R24 = ebp
R6 = flag
R15 = edi
R1 = eax
Dispatch[0000000A] nsi:00438AA3 nbx:6693982A 34 0042F853 >> esi:00438AA3 ebx:899890FA push_stack_top_base Nebp nBp:20
Dispatch[0000000B] nsi:00438AA2 nbx:76672B2A 14 0042F441 >> esi:00438AA1 ebx:984F77CE edi.34 d_pop_R13 nBp:24
R13 = nBp.24
// n redundant instructions omitted; n can be read off here
Dispatch[00000D88] nsi:00436FA8 nbx:8D7D2538 10 0042F3A3 >> esi:00436FA4 ebx:78AEB37C d_push_imm 00000004h (4h) nBp:20
Dispatch[00000D89] nsi:00436FA3 nbx:87514DAC 23 0042F623 >> esi:00436FA2 ebx:87515C1A edi.34 d_push_regR13 nBp:1C
Dispatch[00000D8A] nsi:00436FA1 nbx:78AEF64A 0A 0042F2E5 >> esi:00436FA1 ebx:A8751F49 d_add s1_Opnd,s2_Opnd >> s1_flag,s2_sum nBp:1C
Dispatch[00000D8B] nsi:00436FA0 nbx:578AB979 14 0042F441 >> esi:00436F9F ebx:D16D1640 edi.18 d_pop_R6 nBp:20
// n redundant instructions omitted; n can be read off here
Dispatch[00001B08] nsi:004354A6 nbx:45DB5636 20 0042F5C5 >> esi:004354A6 ebx:BA24F426 pop_stack_top_base Nebp nBp:24
nBp = R13.nBp.24 + 4
Dispatch[00001B09] nsi:004354A5 nbx:45DB8E56 23 0042F623 >> esi:004354A4 ebx:45DB1AD4 edi.60 d_push_regR24 nBp:20
Dispatch[00001B0A] nsi:004354A3 nbx:BA24B504 10 0042F3A3 >> esi:0043549F ebx:B52D14E1 d_push_imm FFFFFC38h (-3C8h) nBp:1C
Dispatch[00001B0B] nsi:0043549E nbx:4AD2AF11 0A 0042F2E5 >> esi:0043549E ebx:3B52D3BD d_add s1_Opnd,s2_Opnd >> s1_flag,s2_sum nBp:1C
Dispatch[00001B0C] nsi:0043549D nbx:C4AD6DED 14 0042F441 >> esi:0043549C ebx:0430F8D3 edi.48 d_pop_R18 nBp:20
Dispatch[00001B0D] nsi:0043549B nbx:FBCF9303 14 0042F441 >> esi:0043549A ebx:22C20C65 edi.10 d_pop_R4 nBp:24
R4 = R24.ebp - 3C8h
Dispatch[00001B0E] nsi:00435499 nbx:DD3DA695 23 0042F623 >> esi:00435498 ebx:DD3DF313 edi.60 d_push_regR24 nBp:20
Dispatch[00001B0F] nsi:00435497 nbx:22C28D43 10 0042F3A3 >> esi:00435493 ebx:A3EF0826 d_push_imm FFFFFD90h (-270h) nBp:1C
Dispatch[00001B10] nsi:00435492 nbx:5C10A256 0A 0042F2E5 >> esi:00435492 ebx:EA3EF488 d_add s1_Opnd,s2_Opnd >> s1_flag,s2_sum nBp:1C
Dispatch[00001B11] nsi:00435491 nbx:15C18EB8 14 0042F441 >> esi:00435490 ebx:423D9DC4 edi.58 d_pop_R22 nBp:20
Dispatch[00001B12] nsi:0043548F nbx:BDC237F4 14 0042F441 >> esi:0043548E ebx:4896E844 edi.50 d_pop_R20 nBp:24
R20 = R24.ebp - 270h
Dispatch[00001B13] nsi:0043548D nbx:B7698274 10 0042F3A3 >> esi:00435489 ebx:DB9894CB d_push_imm 004301E4h (4301E4h) nBp:20
Dispatch[00001B14] nsi:00435488 nbx:24672EFB 10 0042F3A3 >> esi:00435484 ebx:C8F4C833 d_push_imm 004015C0h (4015C0h) nBp:1C
push 004301E4h
push 004015C0h
Dispatch[00001B15] nsi:00435483 nbx:370B6263 23 0042F623 >> esi:00435482 ebx:370B2EE9 edi.18 d_push_regR6 nBp:18
Dispatch[00001B16] nsi:00435481 nbx:C8F4C919 23 0042F623 >> esi:00435480 ebx:C8F4D78F edi.04 d_push_regR1 nBp:14
Dispatch[00001B17] nsi:0043547F nbx:370B71BF 23 0042F623 >> esi:0043547E ebx:370B202D edi.50 d_push_regR20 nBp:10
Dispatch[00001B18] nsi:0043547D nbx:C8F4BA5D 23 0042F623 >> esi:0043547C ebx:C8F4E6CB edi.10 d_push_regR4 nBp:C
Dispatch[00001B19] nsi:0043547B nbx:370B80FB 23 0042F623 >> esi:0043547A ebx:370B1171 edi.08 d_push_regR2 nBp:8
Dispatch[00001B1A] nsi:00435479 nbx:C8F4ABA1 23 0042F623 >> esi:00435478 ebx:C8F4F627 edi.60 d_push_regR24 nBp:4
Dispatch[00001B1B] nsi:00435477 nbx:370B9057 23 0042F623 >> esi:00435476 ebx:370B00D5 edi.38 d_push_regR14 nBp:0
Dispatch[00001B1C] nsi:00435475 nbx:C8F49B05 23 0042F623 >> esi:00435474 ebx:C8F40583 edi.3C d_push_regR15 nBp:-4
push R6
push R1
push R20
push R4
push R2
push R24
push R14
push R15
vm_ret
.WProtec:0042F76F mov esp, ebp
.WProtec:0042F771 pop edi
.WProtec:0042F772 pop esi
.WProtec:0042F773 pop ebp
.WProtec:0042F774 pop ebx
.WProtec:0042F775 pop edx
.WProtec:0042F776 pop ecx
.WProtec:0042F777 pop eax
.WProtec:0042F778 popf
.WProtec:0042F779 retn
edi = R15 = edi
esi = R14 = esi
ebp = R24 = ebp
ebx = R2 = ebx
edx = R4 = R24.ebp - 3C8h
ecx = R20 = R24.ebp - 270h
eax = R1 = eax
flag = R6 = flag
#------- ======= ------- ======= ------- ======= ------- ======= ------- ======= ------- ======= -------
(2.1) Extracted and trimmed
R13 = nBp.24
nBp = R13.nBp.24 + 4
R4 = R24.ebp - 3C8h
R20 = R24.ebp - 270h
push 004301E4h
push 004015C0h
edx = R4 = R24.ebp - 3C8h
ecx = R20 = R24.ebp - 270h
ret
(2.2) Giving
pop xxx //------------------------- this pops the "push 7" argument left by (1)
edx = ebp - 3C8h
ecx = ebp - 270h
push 004301E4h
push 004015C0h
retjmp fun.004015C0h(return.fun.004301E4h)
We define the retjmp behaviour as: jump directly to the target function and, after it finishes, continue at return.fun
#------- ======= ------- ======= ------- ======= ------- ======= ------- ======= ------- ======= -------
#------- ======= ------- ======= ------- ======= ------- ======= ------- ======= ------- ======= -------
(3)vm_start_run(0x43C40E,0x12345678)
push eax
push edi
pushf
push ebp
push esi
push 1E240
push ecx
push edx
.+00h push ebx ------- ------- ------- ebp
.-C8h ------- ------- ------- ------- edi
#ebx = 12345678h
#esi = Hi_WProtectVMCodes_chip3_word_43C40E
Python>vm_start_run(0x43C40E,0x12345678)
Dispatch[00000001] nsi:0043C40D nbx:EDCBF0A8 14 0042F441 >> esi:0043C40C ebx:EC1E7F44 edi.0C d_pop_R3 nBp:4
Dispatch[00000002] nsi:0043C40B nbx:13E11974 14 0042F441 >> esi:0043C40A ebx:3B63EDE6 edi.60 d_pop_R24 nBp:8
Dispatch[00000003] nsi:0043C409 nbx:C49C8816 14 0042F441 >> esi:0043C408 ebx:F26028D1 edi.28 d_pop_R10 nBp:C
Dispatch[00000004] nsi:0043C407 nbx:0D9FC301 14 0042F441 >> esi:0043C406 ebx:21CE0D42 edi.2C d_pop_R11 nBp:10
Dispatch[00000005] nsi:0043C405 nbx:DE31A772 14 0042F441 >> esi:0043C404 ebx:438FEE4B edi.50 d_pop_R20 nBp:14
Dispatch[00000006] nsi:0043C403 nbx:BC70887B 14 0042F441 >> esi:0043C402 ebx:3591186F edi.24 d_pop_R9 nBp:18
Dispatch[00000007] nsi:0043C401 nbx:CA6EB29F 14 0042F441 >> esi:0043C400 ebx:10C4590F edi.4C d_pop_R19 nBp:1C
Dispatch[00000008] nsi:0043C3FF nbx:EF3BF33F 14 0042F441 >> esi:0043C3FE ebx:ECD89FBB edi.14 d_pop_R5 nBp:20
Dispatch[00000009] nsi:0043C3FD nbx:132739EB 14 0042F441 >> esi:0043C3FC ebx:996CFDFA edi.38 d_pop_R14 nBp:24
R3 = ebx
R24 = edx
R10 = ecx
R11 = 1E240
R20 = esi
R9 = ebp
R19 = flag
R5 = edi
R14 = eax
Dispatch[0000000A] nsi:0043C3FB nbx:6693982A 23 0042F623 >> esi:0043C3FA ebx:669308A0 edi.24 d_push_regR9 nBp:20
Dispatch[0000000B] nsi:0043C3F9 nbx:996CA2D0 10 0042F3A3 >> esi:0043C3F5 ebx:F49B73DB d_push_imm FFFFFD90h (-270h) nBp:1C
Dispatch[0000000C] nsi:0043C3F4 nbx:0B640E0B 0A 0042F2E5 >> esi:0043C3F4 ebx:9F49BDCD d_add s1_Opnd,s2_Opnd >> s1_flag,s2_sum nBp:1C
Dispatch[0000000D] nsi:0043C3F3 nbx:60B657FD 14 0042F441 >> esi:0043C3F2 ebx:96901693 edi.20 d_pop_R8 nBp:20
Dispatch[0000000E] nsi:0043C3F1 nbx:696FB0C3 13 0042F434 >> esi:0043C3F1 ebx:696FB0C3 d_read_mem s1_mem >> s1_ww nBp:20
// n redundant instructions omitted; n can be read off here
Dispatch[00000D8B] nsi:0043A8F8 nbx:F2901FC1 14 0042F441 >> esi:0043A8F7 ebx:2B0F8FF1 edi.38 d_pop_R14 nBp:24
R14 = dword ptr [R9.ebp-270h]
Dispatch[00000D8C] nsi:0043A8F6 nbx:D4F02A21 23 0042F623 >> esi:0043A8F5 ebx:D4F076A7 edi.38 d_push_regR14 nBp:20
Dispatch[00000D8D] nsi:0043A8F4 nbx:2B0F10D7 23 0042F623 >> esi:0043A8F3 ebx:2B0F8155 edi.24 d_push_regR9 nBp:1C
Dispatch[00000D8E] nsi:0043A8F2 nbx:D4F01B85 10 0042F3A3 >> esi:0043A8EE ebx:10611DB8 d_push_imm FFFFFDA0h (-260h) nBp:18
Dispatch[00000D8F] nsi:0043A8ED nbx:EF9EB7E8 0A 0042F2E5 >> esi:0043A8ED ebx:C106132F d_add s1_Opnd,s2_Opnd >> s1_flag,s2_sum nBp:18
Dispatch[00000D90] nsi:0043A8EC nbx:3EF9AD5F 14 0042F441 >> esi:0043A8EB ebx:C039D0B7 edi.3C d_pop_R15 nBp:1C
Dispatch[00000D91] nsi:0043A8EA nbx:3FC66AE7 30 0042F7C6 >> esi:0043A8EA ebx:19AB900C d_write_mem [s1_mem],s2_Opnd nBp:24
dword ptr[R9.ebp-260h] = R14
Dispatch[00000D92] nsi:0043A8E9 nbx:E6542A3C 1F 0042F5AD >> esi:0043A8E8 ebx:E654740D b_push_imm 0 (0) nBp:23
Dispatch[00000D93] nsi:0043A8E7 nbx:19AB0E3D 1F 0042F5AD >> esi:0043A8E6 ebx:19AB500C b_push_imm 0 (0) nBp:22
Dispatch[00000D94] nsi:0043A8E5 nbx:E654EA3C 23 0042F623 >> esi:0043A8E4 ebx:E654B6AA edi.24 d_push_regR9 nBp:1E
Dispatch[00000D95] nsi:0043A8E3 nbx:19AB50DA 10 0042F3A3 >> esi:0043A8DF ebx:EA0BC7DD d_push_imm FFFFFD94h (-26Ch) nBp:1A
Dispatch[00000D96] nsi:0043A8DE nbx:15F4620D 0A 0042F2E5 >> esi:0043A8DE ebx:7EA0B88D d_add s1_Opnd,s2_Opnd >> s1_flag,s2_sum nBp:1A
Dispatch[00000D97] nsi:0043A8DD nbx:815F52BD 14 0042F441 >> esi:0043A8DC ebx:26C7949E edi.04 d_pop_R1 nBp:1E
Dispatch[00000D98] nsi:0043A8DB nbx:D9382ECE 19 0042F4DE >> esi:0043A8DB ebx:5546C468 w_read_mem [s1_mem] >> s1_w nBp:20
Dispatch[00000D99] nsi:0043A8DA nbx:AAB95E98 14 0042F441 >> esi:0043A8D9 ebx:C73E5B73 edi.38 d_pop_R14 nBp:24
R14 = word ptr[R9.ebp-26Ch]
Dispatch[00000D9A] nsi:0043A8D8 nbx:38C1F5A3 2E 0042F77A >> esi:0043A8D7 ebx:38C1F55C edi.38 w_push_regR14.w nBp:22
Dispatch[00001B17] nsi:00438DDE nbx:A0BC4636 23 0042F623 >> esi:00438DDD ebx:A0BC52B4 edi.24 d_push_regR9 nBp:1E
Dispatch[00001B18] nsi:00438DDC nbx:5F43ECE4 10 0042F3A3 >> esi:00438DD8 ebx:AEEC120A d_push_imm FFFFFDA4h (-25Ch) nBp:1A
Dispatch[00001B19] nsi:00438DD7 nbx:5113AC3A 0A 0042F2E5 >> esi:00438DD7 ebx:AAEEC3EA d_add s1_Opnd,s2_Opnd >> s1_flag,s2_sum nBp:1A
Dispatch[00001B1A] nsi:00438DD6 nbx:55115E1A 14 0042F441 >> esi:00438DD5 ebx:473F51D9 edi.3C d_pop_R15 nBp:1E
Dispatch[00001B1B] nsi:00438DD4 nbx:B8C0EC09 06 0042F25C >> esi:00438DD4 ebx:935E5C26 w_write_mem [s1_mem],s2_Opnd.w nBp:24
word ptr[R9.ebp-25Ch] = R14
Dispatch[00001B1C] nsi:00438DD3 nbx:6CA1F656 1F 0042F5AD >> esi:00438DD2 ebx:6CA1A867 b_push_imm 0 (0) nBp:23
Dispatch[00001B1D] nsi:00438DD1 nbx:935E4297 1F 0042F5AD >> esi:00438DD0 ebx:935E1CA6 b_push_imm 0 (0) nBp:22
Dispatch[00001B1E] nsi:00438DCF nbx:6CA1B6D6 1F 0042F5AD >> esi:00438DCE ebx:6CA1E8E7 b_push_imm 0 (0) nBp:21
Dispatch[00001B1F] nsi:00438DCD nbx:935E8317 23 0042F623 >> esi:00438DCC ebx:935E0D95 edi.24 d_push_regR9 nBp:1D
Dispatch[00001B20] nsi:00438DCB nbx:6CA1A7C5 10 0042F3A3 >> esi:00438DC7 ebx:9CC31A75 d_push_imm FFFFFD96h (-26Ah) nBp:19
Dispatch[00001B21] nsi:00438DC6 nbx:633CB4A5 0A 0042F2E5 >> esi:00438DC6 ebx:F9CC3363 d_add s1_Opnd,s2_Opnd >> s1_flag,s2_sum nBp:19
Dispatch[00001B22] nsi:00438DC5 nbx:0633CD93 14 0042F441 >> esi:00438DC4 ebx:6E212CCB edi.58 d_pop_R22 nBp:1D
Dispatch[00001B23] nsi:00438DC3 nbx:91DEC6FB 1C 0042F54A >> esi:00438DC3 ebx:654EFFF7 b_read_mem [s1_mem] >> s1_b nBp:20
Dispatch[00001B24] nsi:00438DC2 nbx:9AB19A27 14 0042F441 >> esi:00438DC1 ebx:43494A73 edi.38 d_pop_R14 nBp:24
R14 = byte ptr[R9.ebp-26Ah]
Dispatch[00001B25] nsi:00438DC0 nbx:BCB6E4A3 31 0042F7E7 >> esi:00438DBF ebx:BCB6E4A3 edi.38 w_push_regR14.b nBp:23
Dispatch[00001B26] nsi:00438DBE nbx:43497ED3 23 0042F623 >> esi:00438DBD ebx:43492B59 edi.24 d_push_regR9 nBp:1F
Dispatch[00001B27] nsi:00438DBC nbx:BCB6C589 10 0042F3A3 >> esi:00438DB8 ebx:45B13CF6 d_push_imm FFFFFDA6h (-25Ah) nBp:1B
Dispatch[00001B28] nsi:00438DB7 nbx:BA4ED726 0A 0042F2E5 >> esi:00438DB7 ebx:E45B113B d_add s1_Opnd,s2_Opnd >> s1_flag,s2_sum nBp:1B
Dispatch[00001B29] nsi:00438DB6 nbx:1BA4AB6B 14 0042F441 >> esi:00438DB5 ebx:7041F262 edi.1C d_pop_R7 nBp:1F
Dispatch[00001B2A] nsi:00438DB4 nbx:8FBE8C92 26 0042F697 >> esi:00438DB4 ebx:9A64E513 b_write_mem [s1_mem],s2_Opnd.b nBp:24
byte ptr[R9.ebp-25Ah] = R14
Dispatch[00001B2B] nsi:00438DB3 nbx:659B7F43 10 0042F3A3 >> esi:00438DAF ebx:6B7F0A3D d_push_imm 0040115Eh (40115Eh) nBp:20
Dispatch[00001B2C] nsi:00438DAE nbx:9480A46D 23 0042F623 >> esi:00438DAD ebx:9480F4DB edi.4C d_push_regR19 nBp:1C
Dispatch[00001B2D] nsi:00438DAC nbx:6B7F8F0B 23 0042F623 >> esi:00438DAB ebx:6B7F1981 edi.38 d_push_regR14 nBp:18
Dispatch[00001B2E] nsi:00438DAA nbx:9480B3B1 23 0042F623 >> esi:00438DA9 ebx:9480DE37 edi.28 d_push_regR10 nBp:14
Dispatch[00001B2F] nsi:00438DA8 nbx:6B7F7867 23 0042F623 >> esi:00438DA7 ebx:6B7F28E5 edi.60 d_push_regR24 nBp:10
Dispatch[00001B30] nsi:00438DA6 nbx:9480C315 23 0042F623 >> esi:00438DA5 ebx:9480CD93 edi.0C d_push_regR3 nBp:C
Dispatch[00001B31] nsi:00438DA4 nbx:6B7F67C3 23 0042F623 >> esi:00438DA3 ebx:6B7F3249 edi.24 d_push_regR9 nBp:8
Dispatch[00001B32] nsi:00438DA2 nbx:9480CC79 23 0042F623 >> esi:00438DA1 ebx:9480DCEF edi.50 d_push_regR20 nBp:4
Dispatch[00001B33] nsi:00438DA0 nbx:6B7F771F 23 0042F623 >> esi:00438D9F ebx:6B7F218D edi.14 d_push_regR5 nBp:0
push 0040115Eh
push R19
push R14
push R10
push R24
push R3
push R9
push R20
push R5
vm_ret
.WProtec:0042F76F mov esp, ebp
.WProtec:0042F771 pop edi
.WProtec:0042F772 pop esi
.WProtec:0042F773 pop ebp
.WProtec:0042F774 pop ebx
.WProtec:0042F775 pop edx
.WProtec:0042F776 pop ecx
.WProtec:0042F777 pop eax
.WProtec:0042F778 popf
.WProtec:0042F779 retn
edi = R5 = edi
esi = R20 = esi
ebp = R9 = ebp
ebx = R3 = ebx
edx = R24 = edx
ecx = R10 = ecx
eax = R14 = eax
flag = R19 = flag
#------- ======= ------- ======= ------- ======= ------- ======= ------- ======= ------- ======= -------
(3.1) Extracted and trimmed to
R14 = dword ptr [R9.ebp-270h]
dword ptr[R9.ebp-260h] = R14
R14 = word ptr[R9.ebp-26Ch]
word ptr[R9.ebp-25Ch] = R14
R14 = byte ptr[R9.ebp-26Ah]
byte ptr[R9.ebp-25Ah] = R14
push 0040115Eh
ret
(3.2) Giving
dword ptr[R9.ebp-260h] = dword ptr [R9.ebp-270h]
word ptr[R9.ebp-25Ch] = word ptr[R9.ebp-26Ch]
byte ptr[R9.ebp-25Ah] = byte ptr[R9.ebp-26Ah]
retjmp fun.0040115Eh()
#------- ======= ------- ======= ------- ======= ------- ======= ------- ======= ------- ======= -------
#------- ======= ------- ======= ------- ======= ------- ======= ------- ======= ------- ======= -------
(4)vm_start_run(0x43C44E,0x12345678)
push ebx
pushf
push edi
push 1E240h
push edx
push eax
push ecx
push esi
.+00h push ebp ------- ------- ------- ebp
.-C8h ------- ------- ------- ------- edi
#ebx = 12345678h
#esi = Hi_WProtectVMCodes_chip4_word_43C44E
Python>vm_start_run(0x43C44E,0x12345678)
Dispatch[00000001] nsi:0043C44D nbx:EDCBF0A8 14 0042F441 >> esi:0043C44C ebx:EC1E7F44 edi.10 d_pop_R4 nBp:4
Dispatch[00000002] nsi:0043C44B nbx:13E11974 14 0042F441 >> esi:0043C44A ebx:3B63EDE6 edi.34 d_pop_R13 nBp:8
Dispatch[00000003] nsi:0043C449 nbx:C49C8816 14 0042F441 >> esi:0043C448 ebx:F26028D1 edi.0C d_pop_R3 nBp:C
Dispatch[00000004] nsi:0043C447 nbx:0D9FC301 14 0042F441 >> esi:0043C446 ebx:21CE0D42 edi.40 d_pop_R16 nBp:10
Dispatch[00000005] nsi:0043C445 nbx:DE31A772 14 0042F441 >> esi:0043C444 ebx:438FEE4B edi.3C d_pop_R15 nBp:14
Dispatch[00000006] nsi:0043C443 nbx:BC70887B 14 0042F441 >> esi:0043C442 ebx:3591186F edi.50 d_pop_R20 nBp:18
Dispatch[00000007] nsi:0043C441 nbx:CA6EB29F 14 0042F441 >> esi:0043C440 ebx:10C4590F edi.2C d_pop_R11 nBp:1C
Dispatch[00000008] nsi:0043C43F nbx:EF3BF33F 14 0042F441 >> esi:0043C43E ebx:ECD89FBB edi.30 d_pop_R12 nBp:20
Dispatch[00000009] nsi:0043C43D nbx:132739EB 14 0042F441 >> esi:0043C43C ebx:996CFDFA edi.44 d_pop_R17 nBp:24
R4 = ebp
R13 = esi
R3 = ecx
R16 = eax
R15 = edx
R20 = 1E240
R11 = edi
R12 = flag
R17 = ebx
Dispatch[0000000A] nsi:0043C43B nbx:6693982A 10 0042F3A3 >> esi:0043C437 ebx:2C464245 d_push_imm 004012B5h (4012B5h) nBp:20
push 004012B5h
Dispatch[0000000B] nsi:0043C436 nbx:D3B9DC75 23 0042F623 >> esi:0043C435 ebx:D3B9CCF3 edi.30 d_push_regR12 nBp:1C
Dispatch[0000000C] nsi:0043C434 nbx:2C466723 23 0042F623 >> esi:0043C433 ebx:2C4631A9 edi.40 d_push_regR16 nBp:18
Dispatch[0000000D] nsi:0043C432 nbx:D3B9CBD9 23 0042F623 >> esi:0043C431 ebx:D3B9D64F edi.0C d_push_regR3 nBp:14
Dispatch[0000000E] nsi:0043C430 nbx:2C46707F 23 0042F623 >> esi:0043C42F ebx:2C4620ED edi.3C d_push_regR15 nBp:10
Dispatch[0000000F] nsi:0043C42E nbx:D3B9BB1D 23 0042F623 >> esi:0043C42D ebx:D3B9E58B edi.44 d_push_regR17 nBp:C
Dispatch[00000010] nsi:0043C42C nbx:2C467FBB 23 0042F623 >> esi:0043C42B ebx:2C462A31 edi.10 d_push_regR4 nBp:8
Dispatch[00000011] nsi:0043C42A nbx:D3B9C461 23 0042F623 >> esi:0043C429 ebx:D3B9D4E7 edi.34 d_push_regR13 nBp:4
Dispatch[00000012] nsi:0043C428 nbx:2C466F17 23 0042F623 >> esi:0043C427 ebx:2C463995 edi.2C d_push_regR11 nBp:0
push R12
push R16
push R3
push R15
push R17
push R4
push R13
push R11
vm_ret
.WProtec:0042F76F mov esp, ebp
.WProtec:0042F771 pop edi
.WProtec:0042F772 pop esi
.WProtec:0042F773 pop ebp
.WProtec:0042F774 pop ebx
.WProtec:0042F775 pop edx
.WProtec:0042F776 pop ecx
.WProtec:0042F777 pop eax
.WProtec:0042F778 popf
.WProtec:0042F779 retn
edi = R11 = edi
esi = R13 = esi
ebp = R4 = ebp
ebx = R17 = ebx
edx = R15 = edx
ecx = R3 = ecx
eax = R16 = eax
flag = R12 = flag
#------- ======= ------- ======= ------- ======= ------- ======= ------- ======= ------- ======= -------
(4.1) Extracted and simplified to:
retjmp fun.004012B5h()
#------- ======= ------- ======= ------- ======= ------- ======= ------- ======= ------- ======= -------
#------- ======= ------- ======= ------- ======= ------- ======= ------- ======= ------- ======= -------
(5)vm_start_run(0x4416DB,0x12345678)
push esi
push eax
push ebx
push edx
pushf
push ecx
push edi
push ebp
push 1E240
.+00h push ebp ------- ------- ------- ebp
.-C8h ------- ------- ------- ------- edi
#ebx = 12345678h
#esi = Hi_WProtectVMCodes_chip4_word_43C44E
Python>vm_start_run(0x4416DB,0x12345678)
Dispatch[00000001] nsi:004416DA nbx:EDCBF0A8 14 0042F441 >> esi:004416D9 ebx:EC1E7F44 edi.38 d_pop_R14 nBp:4
Dispatch[00000002] nsi:004416D8 nbx:13E11974 14 0042F441 >> esi:004416D7 ebx:3B63EDE6 edi.04 d_pop_R1 nBp:8
Dispatch[00000003] nsi:004416D6 nbx:C49C8816 14 0042F441 >> esi:004416D5 ebx:F26028D1 edi.1C d_pop_R7 nBp:C
Dispatch[00000004] nsi:004416D4 nbx:0D9FC301 14 0042F441 >> esi:004416D3 ebx:21CE0D42 edi.48 d_pop_R18 nBp:10
Dispatch[00000005] nsi:004416D2 nbx:DE31A772 14 0042F441 >> esi:004416D1 ebx:438FEE4B edi.4C d_pop_R19 nBp:14
Dispatch[00000006] nsi:004416D0 nbx:BC70887B 14 0042F441 >> esi:004416CF ebx:3591186F edi.3C d_pop_R15 nBp:18
Dispatch[00000007] nsi:004416CE nbx:CA6EB29F 14 0042F441 >> esi:004416CD ebx:10C4590F edi.44 d_pop_R17 nBp:1C
Dispatch[00000008] nsi:004416CC nbx:EF3BF33F 14 0042F441 >> esi:004416CB ebx:ECD89FBB edi.5C d_pop_R23 nBp:20
Dispatch[00000009] nsi:004416CA nbx:132739EB 14 0042F441 >> esi:004416C9 ebx:996CFDFA edi.2C d_pop_R11 nBp:24
R14 = 1E240
R1 = ebp
R7 = edi
R18 = ecx
R19 = flag
R15 = edx
R17 = ebx
R23 = eax
R11 = esi
Dispatch[0000000A] nsi:004416C8 nbx:6693982A 23 0042F623 >> esi:004416C7 ebx:669308A0 edi.04 d_push_regR1 nBp:20
Dispatch[0000000B] nsi:004416C6 nbx:996CA2D0 10 0042F3A3 >> esi:004416C2 ebx:F49B73DB d_push_imm FFFFFC04h (-3FCh) nBp:1C
Dispatch[0000000C] nsi:004416C1 nbx:0B640E0B 0A 0042F2E5 >> esi:004416C1 ebx:9F49BDCD d_add s1_Opnd,s2_Opnd >> s1_flag,s2_sum nBp:1C
Dispatch[0000000D] nsi:004416C0 nbx:60B657FD 14 0042F441 >> esi:004416BF ebx:96901693 edi.08 d_pop_R2 nBp:20
Dispatch[0000000E] nsi:004416BE nbx:696FB0C3 13 0042F434 >> esi:004416BE ebx:696FB0C3 d_read_mem s1_mem >> s1_ww nBp:20
Dispatch[0000000F] nsi:004416BD nbx:96904AF3 14 0042F441 >> esi:004416BC ebx:367CEA31 edi.5C d_pop_R23 nBp:24
R23 = dword ptr[R1.ebp - 3FCh]
Dispatch[00000010] nsi:004416BB nbx:C9838461 1F 0042F5AD >> esi:004416BA ebx:C983DA50 b_push_imm 43 (43) nBp:23
Dispatch[00000D8D] nsi:0043FBC1 nbx:2EDF0FDB 37 0042F893 >> esi:0043FBC0 ebx:254717D9 edi.48 b_pop_R18.b nBp:24
Dispatch[00000D8E] nsi:0043FBBF nbx:DAB8B209 31 0042F7E7 >> esi:0043FBBE ebx:DAB8B209 edi.48 b_push_regR18.b nBp:23
Dispatch[00000D8F] nsi:0043FBBD nbx:25474C39 1F 0042F5AD >> esi:0043FBBC ebx:25471208 b_push_imm 2 (2) nBp:22
Dispatch[00000D90] nsi:0043FBBB nbx:DAB8AC38 0C 0042F316 >> esi:0043FBBB ebx:AA831A3A b_rol s2_b <<< s1_b nBp:1F
Dispatch[00000D91] nsi:0043FBBA nbx:557CB46A 14 0042F441 >> esi:0043FBB9 ebx:F0DFF1DF edi.4C d_pop_R19 nBp:23
Dispatch[00000D92] nsi:0043FBB8 nbx:0F208C0F 37 0042F893 >> esi:0043FBB7 ebx:0588940D edi.48 b_pop_R18.b nBp:24
R18 = rol 0x43,2 = 0x0D
Dispatch[00000D93] nsi:0043FBB6 nbx:FA772E3D 31 0042F7E7 >> esi:0043FBB5 ebx:FA772E3D edi.48 b_push_regR18.b nBp:23
pushd R18
Dispatch[00000D94] nsi:0043FBB4 nbx:0588C86D 23 0042F623 >> esi:0043FBB3 ebx:0588D8DB edi.04 d_push_regR1 nBp:1F
Dispatch[00000D95] nsi:0043FBB2 nbx:FA77730B 10 0042F3A3 >> esi:0043FBAE ebx:4B1D4EE4 d_push_imm FFFFFC37h (-3C9h) nBp:1B
Dispatch[00000D96] nsi:0043FBAD nbx:B4E2E914 0A 0042F2E5 >> esi:0043FBAD ebx:04B1D01D d_add s1_Opnd,s2_Opnd >> s1_flag,s2_sum nBp:1B
Dispatch[00000D97] nsi:0043FBAC nbx:FB4E6A4D 14 0042F441 >> esi:0043FBAB ebx:1444BC7D edi.50 d_pop_R20 nBp:1F
Dispatch[00000D98] nsi:0043FBAA nbx:EBBB56AD 1C 0042F54A >> esi:0043FBAA ebx:BF2B8FA9 b_read_mem [s1_mem] >> s1_b nBp:22
b = byte ptr[R1.ebp - 3C9h]
// n redundant instructions omitted (n can be read off here)
Dispatch[00001B15] nsi:0043E0B1 nbx:EF020A97 34 0042F853 >> esi:0043E0B1 ebx:12070367 push_stack_top_base Nebp nBp:1E
Dispatch[00001B16] nsi:0043E0B0 nbx:EDF89D97 19 0042F4DE >> esi:0043E0B0 ebx:6A073331 w_read_mem [s1_mem] >> s1_w nBp:20
Dispatch[00001B17] nsi:0043E0AF nbx:95F8CD61 04 0042F206 >> esi:0043E0AF ebx:7E571E31 b_nand s1_b,s2_b nBp:1D
Dispatch[00001B18] nsi:0043E0AE nbx:81A8B861 14 0042F441 >> esi:0043E0AD ebx:B09DC482 edi.10 d_pop_R4 nBp:21
Dispatch[00001B19] nsi:0043E0AC nbx:4F625EB2 37 0042F893 >> esi:0043E0AB ebx:45CA66B0 edi.18 b_pop_R6.b nBp:22
R6 = (~b)&(~R18) = 0xF0 = ~0x0D & ~0x02
Dispatch[00001B1A] nsi:0043E0AA nbx:BA3500E0 37 0042F893 >> esi:0043E0A9 ebx:B09D08DE edi.0C b_pop_R3.b nBp:23
R3 = b
Dispatch[00001B1B] nsi:0043E0A8 nbx:4F62A30E 34 0042F853 >> esi:0043E0A8 ebx:72679BDE push_stack_top_base Nebp nBp:1F
Dispatch[00001B1C] nsi:0043E0A7 nbx:8D98360E 1C 0042F54A >> esi:0043E0A7 ebx:61086F0A b_read_mem [s1_mem] >> s1_b nBp:22
Dispatch[00001B1D] nsi:0043E0A6 nbx:9EF7093A 04 0042F206 >> esi:0043E0A6 ebx:127B2122 b_nand s1_b,s2_b nBp:1F
Dispatch[00001B1E] nsi:0043E0A5 nbx:ED84BB52 14 0042F441 >> esi:0043E0A4 ebx:714EAF60 edi.28 d_pop_R10 nBp:23
t1 = ~0x0d & ~0x0d = 0xF2
Dispatch[00001B1F] nsi:0043E0A3 nbx:8EB14990 31 0042F7E7 >> esi:0043E0A2 ebx:8EB14990 edi.0C b_push_regR3.b nBp:22
Dispatch[00001B20] nsi:0043E0A1 nbx:714EE3C0 34 0042F853 >> esi:0043E0A1 ebx:9453DC90 push_stack_top_base Nebp nBp:1E
Dispatch[00001B21] nsi:0043E0A0 nbx:6BAC76C0 1C 0042F54A >> esi:0043E0A0 ebx:3F1CAFBC b_read_mem [s1_mem] >> s1_b nBp:21
Dispatch[00001B22] nsi:0043E09F nbx:C0E349EC 04 0042F206 >> esi:0043E09F ebx:4B03701F b_nand s1_b,s2_b nBp:1E
Dispatch[00001B23] nsi:0043E09E nbx:B4FC0A4F 14 0042F441 >> esi:0043E09D ebx:EA48BBD7 edi.34 d_pop_R13 nBp:22
t2 = ~b & ~b = ~0x02 & ~0x02 = 0xFD
Dispatch[00001B24] nsi:0043E09C nbx:15B75607 04 0042F206 >> esi:0043E09C ebx:E456205E b_nand s1_b,s2_b nBp:1F
Dispatch[00001B25] nsi:0043E09B nbx:1BA9BA8E 14 0042F441 >> esi:0043E09A ebx:C1473262 edi.30 d_pop_R12 nBp:23
t3 = ~t1 & ~t2 = 0x00 flag 249
Dispatch[00001B26] nsi:0043E099 nbx:3EB8CC92 31 0042F7E7 >> esi:0043E098 ebx:3EB8CC92 edi.18 b_push_regR6.b nBp:22
Dispatch[00001B27] nsi:0043E097 nbx:C14766C2 04 0042F206 >> esi:0043E097 ebx:F305E09B b_nand s1_b,s2_b nBp:1F
Dispatch[00001B28] nsi:0043E096 nbx:0CFA7ACB 14 0042F441 >> esi:0043E095 ebx:D573BD57 edi.4C d_pop_R19 nBp:23
Dispatch[00001B29] nsi:0043E094 nbx:2A8C5787 37 0042F893 >> esi:0043E093 ebx:20F45F85 edi.48 d_pop_R18.b nBp:24
R18 = ~t3 & ~R6 = 0x0F
Dispatch[00001B2A] nsi:0043E092 nbx:DF0BF9B5 31 0042F7E7 >> esi:0043E091 ebx:DF0BF9B5 edi.48 b_push_reg18.b nBp:23
// n redundant instructions omitted (n can be read off here)
Dispatch[000028A7] nsi:0043C598 nbx:92A7C3C1 23 0042F623 >> esi:0043C597 ebx:92A7CE47 edi.5C d_push_regR23 nBp:1F
Dispatch[000028A8] nsi:0043C596 nbx:6D586877 26 0042F697 >> esi:0043C596 ebx:BCCA092E b_write_mem [s1_mem],s2_Opnd.b nBp:24
byte ptr[R23] = R18
Dispatch[000028A9] nsi:0043C595 nbx:4335A35E 10 0042F3A3 >> esi:0043C591 ebx:3C9FE12A d_push_imm 00401366h (401366h) nBp:20
pushd 00401366h
Dispatch[000028AA] nsi:0043C590 nbx:C3607B5A 23 0042F623 >> esi:0043C58F ebx:C36025D0 edi.4C d_push_regR19 nBp:1C
Dispatch[000028AB] nsi:0043C58E nbx:3C9FC000 23 0042F623 >> esi:0043C58D ebx:3C9FD086 edi.5C d_push_regR23 nBp:18
Dispatch[000028AC] nsi:0043C58C nbx:C3606AB6 23 0042F623 >> esi:0043C58B ebx:C3603734 edi.48 d_push_regR18 nBp:14
Dispatch[000028AD] nsi:0043C58A nbx:3C9FD164 23 0042F623 >> esi:0043C589 ebx:3C9FBFE2 edi.3C d_push_regR15 nBp:10
Dispatch[000028AE] nsi:0043C588 nbx:C3605A12 23 0042F623 >> esi:0043C587 ebx:C3604698 edi.44 d_push_regR17 nBp:C
Dispatch[000028AF] nsi:0043C586 nbx:3C9FE0C8 23 0042F623 >> esi:0043C585 ebx:3C9FB13E edi.04 d_push_regR1 nBp:8
Dispatch[000028B0] nsi:0043C584 nbx:C3604B6E 23 0042F623 >> esi:0043C583 ebx:C36055DC edi.2C d_push_regR11 nBp:4
Dispatch[000028B1] nsi:0043C582 nbx:3C9FF00C 23 0042F623 >> esi:0043C581 ebx:3C9FA17A edi.1C d_push_regR7 nBp:0
push R19
push R23
push R18
push R15
push R17
push R1
push R11
push R7
vm_ret
.WProtec:0042F76F mov esp, ebp
.WProtec:0042F771 pop edi
.WProtec:0042F772 pop esi
.WProtec:0042F773 pop ebp
.WProtec:0042F774 pop ebx
.WProtec:0042F775 pop edx
.WProtec:0042F776 pop ecx
.WProtec:0042F777 pop eax
.WProtec:0042F778 popf
.WProtec:0042F779 retn
edi = R7 = edi
esi = R11 = esi
ebp = R1 = ebp
ebx = R17 = ebx
edx = R15 = edx
ecx = R18 = ecx
eax = R23 = eax
flag = R19
#------- ======= ------- ======= ------- ======= ------- ======= ------- ======= ------- ======= -------
(5.1) Extracted and simplified to:
R23 = dword ptr[R1.ebp - 3FCh]
R18 = rol 0x43,2 = 0x0D
b = byte ptr[R1.ebp - 3C9h]
R6 = (~b)&(~R18)
t1 = ~R18 & ~R18
t2 = ~b & ~b
t3 = ~t1 & ~t2
R18 = ~t3 & ~R6
byte ptr[R23] = R18
retjmp fun.00401366h()
(5.2) Result:
R23 = dword ptr[R1.ebp - 3FCh]
b = byte ptr[R1.ebp - 3C9h]
byte ptr[R23] = 0x0D ^ b
retjmp fun.00401366h()
#------- ======= ------- ======= ------- ======= ------- ======= ------- ======= ------- ======= -------
#------- ======= ------- ======= ------- ======= ------- ======= ------- ======= ------- ======= -------
(6)vm_start_run(0x44BB93,0x12345678)
push edx
push ebp
push eax
push ebx
pushf
push 1E240
push edi
push ecx
push esi
.+00h push ebp ------- ------- ------- ebp
.-C8h ------- ------- ------- ------- edi
#ebx = 12345678h
#esi = Hi_WProtectVMCodes_chip6_word_44BB93
Python>vm_start_run(0x44BB93 ,0x12345678)
Dispatch[00000001] nsi:0044BB92 nbx:EDCBF0A8 14 0042F441 >> esi:0044BB91 ebx:EC1E7F44 edi.3C d_pop_R15 nBp:4
Dispatch[00000002] nsi:0044BB90 nbx:13E11974 14 0042F441 >> esi:0044BB8F ebx:3B63EDE6 edi.24 d_pop_R9 nBp:8
Dispatch[00000003] nsi:0044BB8E nbx:C49C8816 14 0042F441 >> esi:0044BB8D ebx:F26028D1 edi.4C d_pop_R19 nBp:C
Dispatch[00000004] nsi:0044BB8C nbx:0D9FC301 14 0042F441 >> esi:0044BB8B ebx:21CE0D42 edi.28 d_pop_R10 nBp:10
Dispatch[00000005] nsi:0044BB8A nbx:DE31A772 14 0042F441 >> esi:0044BB89 ebx:438FEE4B edi.40 d_pop_R16 nBp:14
Dispatch[00000006] nsi:0044BB88 nbx:BC70887B 14 0042F441 >> esi:0044BB87 ebx:3591186F edi.2C d_pop_R11 nBp:18
Dispatch[00000007] nsi:0044BB86 nbx:CA6EB29F 14 0042F441 >> esi:0044BB85 ebx:10C4590F edi.48 d_pop_R18 nBp:1C
Dispatch[00000008] nsi:0044BB84 nbx:EF3BF33F 14 0042F441 >> esi:0044BB83 ebx:ECD89FBB edi.18 d_pop_R6 nBp:20
Dispatch[00000009] nsi:0044BB82 nbx:132739EB 14 0042F441 >> esi:0044BB81 ebx:996CFDFA edi.54 d_pop_R21 nBp:24
R15 = esi
R9 = ecx
R19 = edi
R10 = 1E240
R16 = flag
R11 = ebx
R18 = eax
R6 = ebp
R21 = edx
Dispatch[0000000A] nsi:0044BB80 nbx:6693982A 23 0042F623 >> esi:0044BB7F ebx:669308A0 edi.18 d_push_regR6 nBp:20
Dispatch[0000000B] nsi:0044BB7E nbx:996CA2D0 10 0042F3A3 >> esi:0044BB7A ebx:F49B73DB d_push_imm FFFFFC08h (-3F8h) nBp:1C
Dispatch[0000000C] nsi:0044BB79 nbx:0B640E0B 0A 0042F2E5 >> esi:0044BB79 ebx:9F49BDCD d_add s1_Opnd,s2_Opnd >> s1_flag,s2_sum nBp:1C
Dispatch[0000000D] nsi:0044BB78 nbx:60B657FD 14 0042F441 >> esi:0044BB77 ebx:96901693 edi.30 d_pop_R12 nBp:20
Dispatch[0000000E] nsi:0044BB76 nbx:696FB0C3 13 0042F434 >> esi:0044BB76 ebx:696FB0C3 d_read_mem [s1_mem] >> s1_ww nBp:20
Dispatch[0000000F] nsi:0044BB75 nbx:96904AF3 14 0042F441 >> esi:0044BB74 ebx:367CEA31 edi.48 d_pop_R18 nBp:24
R18 = dword ptr[R6.ebp-3F8h]
Dispatch[00000010] nsi:0044BB73 nbx:C9838461 23 0042F623 >> esi:0044BB72 ebx:C98314E7 edi.18 d_push_regR6 nBp:20
Dispatch[00000011] nsi:0044BB71 nbx:367CAF17 10 0042F3A3 >> esi:0044BB6D ebx:74FDA8C4 d_push_imm FFFFFC10h (-3F0h) nBp:1C
Dispatch[00000012] nsi:0044BB6C nbx:8B0242F4 0A 0042F2E5 >> esi:0044BB6C ebx:074FDA7F d_add s1_Opnd,s2_Opnd >> s1_flag,s2_sum nBp:1C
Dispatch[00000013] nsi:0044BB6B nbx:F8B074AF 14 0042F441 >> esi:0044BB6A ebx:34A47C13 edi.38 d_pop_R14 nBp:20
Dispatch[00000014] nsi:0044BB69 nbx:CB5B1643 13 0042F434 >> esi:0044BB69 ebx:CB5B1643 d_read_mem [s1_mem] >> s1_ww nBp:20
// n redundant instructions omitted (n can be read off here)
Dispatch[00000D91] nsi:0044A070 nbx:E078BCB1 14 0042F441 >> esi:0044A06F ebx:B1586EAF edi.24 d_pop_R9 nBp:24
R9 = dword ptr[R6.ebp-3F0h]
Dispatch[00000D92] nsi:0044A06E nbx:4EA708DF 23 0042F623 >> esi:0044A06D ebx:4EA7994D edi.48 d_push_regR18 nBp:20
Dispatch[00000D93] nsi:0044A06C nbx:B158337D 1F 0042F5AD >> esi:0044A06B ebx:B1586D4C b_push_imm 4 (4) nBp:1F
Dispatch[00000D94] nsi:0044A06A nbx:4EA7077C 28 0042F6CA >> esi:0044A06A ebx:4EA7077B d_shl s2_ww,s1_b nBp:1C
// n redundant instructions omitted (n can be read off here)
Dispatch[00001B11] nsi:00448571 nbx:E97E496A 14 0042F441 >> esi:00448570 ebx:166FFF20 edi.40 d_pop_R16 nBp:20
Dispatch[00001B12] nsi:0044856F nbx:E9909950 14 0042F441 >> esi:0044856E ebx:336AAF01 edi.48 d_pop_R18 nBp:24
R18 = R18 << 4
Dispatch[00001B13] nsi:0044856D nbx:CC954931 23 0042F623 >> esi:0044856C ebx:CC9557B7 edi.48 d_push_regR18 nBp:20
Dispatch[00001B14] nsi:0044856B nbx:336AF1E7 23 0042F623 >> esi:0044856A ebx:336AA065 edi.24 d_push_regR9 nBp:1C
// n redundant instructions omitted (n can be read off here)
Dispatch[00002891] nsi:00446A71 nbx:20565DF2 0A 0042F2E5 >> esi:00446A71 ebx:2DFA98CF d_add s1_Opnd,s2_Opnd >> s1_flag,s2_sum nBp:1C
Dispatch[00002892] nsi:00446A70 nbx:D20532FF 14 0042F441 >> esi:00446A6F ebx:78C41988 edi.40 d_pop_R16 nBp:20
Dispatch[00002893] nsi:00446A6E nbx:873BB3B8 14 0042F441 >> esi:00446A6D ebx:E0CD953B edi.24 d_pop_R9 nBp:24
R9 = R18 + R9
Dispatch[00002894] nsi:00446A6C nbx:1F322F6B 1F 0042F5AD >> esi:00446A6B ebx:1F32715A b_push_imm 20 (20) nBp:23
// n redundant instructions omitted (n can be read off here)
Dispatch[00003611] nsi:00444F72 nbx:62312D86 37 0042F893 >> esi:00444F71 ebx:58993584 edi.48 b_pop_R18.b nBp:24
Dispatch[00003612] nsi:00444F70 nbx:A766CFB4 31 0042F7E7 >> esi:00444F6F ebx:A766CFB4 edi.48 b_push_reg18.b nBp:23
Dispatch[00003613] nsi:00444F6E nbx:589969E4 1F 0042F5AD >> esi:00444F6D ebx:589937D5 b_push_imm 2 (2) nBp:22
Dispatch[00003614] nsi:00444F6C nbx:A766D205 0C 0042F316 >> esi:00444F6C ebx:4418DEF4 b_rol s2_b <<< s1_b nBp:1F
Dispatch[00003615] nsi:00444F6B nbx:BBE77924 14 0042F441 >> esi:00444F6A ebx:A5634866 edi.40 d_pop_R16 nBp:23
Dispatch[00003616] nsi:00444F69 nbx:5A9CE296 37 0042F893 >> esi:00444F68 ebx:5104EA94 edi.48 b_pop_R18.b nBp:24
R18 = rol 20h,2 = 80h
Dispatch[00003617] nsi:00444F67 nbx:AEFB84C4 31 0042F7E7 >> esi:00444F66 ebx:AEFB84C4 edi.48 b_push_reg18.b nBp:23
Dispatch[00003618] nsi:00444F65 nbx:51041EF4 23 0042F623 >> esi:00444F64 ebx:51048B72 edi.18 d_push_regR6 nBp:1F
Dispatch[00003619] nsi:00444F63 nbx:AEFB25A2 23 0042F623 >> esi:00444F62 ebx:AEFB7428 edi.24 d_push_regR9 nBp:1B
Dispatch[0000361A] nsi:00444F61 nbx:51040E58 10 0042F3A3 >> esi:00444F5D ebx:AFF7B198 d_push_imm FFFFFC90h (-370h) nBp:17
Dispatch[0000361B] nsi:00444F5C nbx:50084BC8 0A 0042F2E5 >> esi:00444F5C ebx:CAFF79F1 d_add s1_Opnd,s2_Opnd >> s1_flag,s2_sum nBp:17
Dispatch[0000361C] nsi:00444F5B nbx:35001421 14 0042F441 >> esi:00444F5A ebx:2ADD43D8 edi.44 d_pop_R17 nBp:1B
Dispatch[0000361D] nsi:00444F59 nbx:D522DE08 0A 0042F2E5 >> esi:00444F59 ebx:C2ADD0CD d_add s1_Opnd,s2_Opnd >> s1_flag,s2_sum nBp:1B
Dispatch[0000361E] nsi:00444F58 nbx:3D526AFD 14 0042F441 >> esi:00444F57 ebx:5440105D edi.5C d_pop_R23 nBp:1F
Dispatch[0000361F] nsi:00444F56 nbx:ABBFAA8D 1C 0042F54A >> esi:00444F56 ebx:7F2FE389 b_read_mem [s1_mem] >> s1_b nBp:22
// n redundant instructions omitted (n can be read off here)
b = byte ptr[R9-370h+R6.ebp] = byte ptr[R6.ebp-370h+R9]
Dispatch[0000439C] nsi:0044345D nbx:C2293718 34 0042F853 >> esi:0044345D ebx:E52E2FE8 push_stack_top_base Nebp nBp:1E
Dispatch[0000439D] nsi:0044345C nbx:1AD1CA18 19 0042F4DE >> esi:0044345C ebx:96E05FB2 w_read_mem [s1_mem] >> s1_w nBp:20
Dispatch[0000439E] nsi:0044345B nbx:691FF9E2 04 0042F206 >> esi:0044345B ebx:71A482DF b_nand s1_b,s2_b nBp:1D
Dispatch[0000439F] nsi:0044345A nbx:8E5B1D0F 14 0042F441 >> esi:00443459 ebx:DB3A354D edi.60 d_pop_R24 nBp:21
Dispatch[000043A0] nsi:00443458 nbx:24C5CF7D 37 0042F893 >> esi:00443457 ebx:1B2DD77B edi.20 b_pop_R8.b nBp:22
Dispatch[000043A1] nsi:00443456 nbx:E4D271AB 37 0042F893 >> esi:00443455 ebx:DB3A79A9 edi.1C b_pop_R7.b nBp:23
R8 = ~R18 & ~b
Dispatch[000043A2] nsi:00443454 nbx:24C513D9 34 0042F853 >> esi:00443454 ebx:47CA0CA9 push_stack_top_base Nebp nBp:1F
Dispatch[000043A3] nsi:00443453 nbx:B835A6D9 1C 0042F54A >> esi:00443453 ebx:8BA5DFD5 b_read_mem [s1_mem] >> s1_b nBp:22
Dispatch[000043A4] nsi:00443452 nbx:745A7A05 04 0042F206 >> esi:00443452 ebx:EDD194EE b_nand s1_b,s2_b nBp:1F
Dispatch[000043A5] nsi:00443451 nbx:122E2F1E 14 0042F441 >> esi:00443450 ebx:08175D8B edi.04 d_pop_R1 nBp:23
t1 = ~R8 & ~R8
Dispatch[000043A6] nsi:0044344F nbx:F7E8F7BB 31 0042F7E7 >> esi:0044344E ebx:F7E8F7BB edi.1C b_push_regR7.b nBp:22
Dispatch[000043A7] nsi:0044344D nbx:081791EB 34 0042F853 >> esi:0044344D ebx:2B1C8ABB push_stack_top_base Nebp nBp:1E
Dispatch[000043A8] nsi:0044344C nbx:D4E324EB 1C 0042F54A >> esi:0044344C ebx:A8535DE7 b_read_mem [s1_mem] >> s1_b nBp:21
Dispatch[000043A9] nsi:0044344B nbx:57ACF817 04 0042F206 >> esi:0044344B ebx:A55E4EE6 b_nand s1_b,s2_b nBp:1E
Dispatch[000043AA] nsi:0044344A nbx:5AA1E916 14 0042F441 >> esi:00443449 ebx:4C702672 edi.44 d_pop_R17 nBp:22
t2 = ~R7 & ~R7
Dispatch[000043AB] nsi:00443448 nbx:B38FC0A2 04 0042F206 >> esi:00443448 ebx:72CEC204 b_nand s1_b,s2_b nBp:1F
Dispatch[000043AC] nsi:00443447 nbx:8D315C34 14 0042F441 >> esi:00443446 ebx:4753655B edi.50 d_pop_R20 nBp:23
t3 = ~t1 & ~t2
Dispatch[000043AD] nsi:00443445 nbx:B8ACFF8B 31 0042F7E7 >> esi:00443444 ebx:B8ACFF8B edi.20 b_push_regR8.b nBp:22
Dispatch[000043AE] nsi:00443443 nbx:475399BB 04 0042F206 >> esi:00443443 ebx:151DB360 b_nand s1_b,s2_b nBp:1F
Dispatch[000043AF] nsi:00443442 nbx:EAE24D90 14 0042F441 >> esi:00443441 ebx:562B2F76 edi.40 d_pop_R16 nBp:23
Dispatch[000043B0] nsi:00443440 nbx:A9D4C9A6 37 0042F893 >> esi:0044343F ebx:A03CD1A4 edi.48 d_pop_R18.b nBp:24
R18 = ~R8 & ~t3 = R18 ^ b
Dispatch[000043B1] nsi:0044343E nbx:5FC36BD4 31 0042F7E7 >> esi:0044343D ebx:5FC36BD4 edi.48 b_push_regR18.b nBp:23
// n redundant instructions omitted (n can be read off here)
Dispatch[0000512E] nsi:00441944 nbx:B236A2FF 23 0042F623 >> esi:00441943 ebx:B236EF6D edi.18 d_push_regR6 nBp:1F
Dispatch[0000512F] nsi:00441942 nbx:4DC9899D 23 0042F623 >> esi:00441941 ebx:4DC9180B edi.24 d_push_regR9 nBp:1B
Dispatch[00005130] nsi:00441940 nbx:B236B23B 10 0042F3A3 >> esi:0044193C ebx:4516CCA2 d_push_imm FFFFFE90h (-170h) nBp:17
Dispatch[00005131] nsi:0044193B nbx:BAE966D2 0A 0042F2E5 >> esi:0044193B ebx:24516841 d_add s1_Opnd,s2_Opnd >> s1_flag,s2_sum nBp:17
Dispatch[00005132] nsi:0044193A nbx:DBAE0271 14 0042F441 >> esi:00441939 ebx:0DFDEE63 edi.44 d_pop_R17 nBp:1B
Dispatch[00005133] nsi:00441938 nbx:F2028893 0A 0042F2E5 >> esi:00441938 ebx:10DFD625 d_add s1_Opnd,s2_Opnd >> s1_flag,s2_sum nBp:1B
Dispatch[00005134] nsi:00441937 nbx:EF207055 14 0042F441 >> esi:00441936 ebx:34E4AFBA edi.5C d_pop_R23 nBp:1F
Dispatch[00005135] nsi:00441935 nbx:CB1B49EA 26 0042F697 >> esi:00441935 ebx:5F0727BB b_write_mem [s1_mem],s2_Opnd.b nBp:24
byte ptr[R9-170h+R6.ebp] = R18
Dispatch[00005136] nsi:00441934 nbx:A0F8C1EB 10 0042F3A3 >> esi:00441930 ebx:558C4C18 d_push_imm 004013AAh (4013AAh) nBp:20
Dispatch[00005137] nsi:0044192F nbx:AA73E648 23 0042F623 >> esi:0044192E ebx:AA73B2BE edi.40 d_push_regR16 nBp:1C
Dispatch[00005138] nsi:0044192D nbx:558C4CEE 23 0042F623 >> esi:0044192C ebx:558C5D5C edi.48 d_push_regR18 nBp:18
Dispatch[00005139] nsi:0044192B nbx:AA73F78C 23 0042F623 >> esi:0044192A ebx:AA73A1FA edi.24 d_push_regR9 nBp:14
Dispatch[0000513A] nsi:00441929 nbx:558C3C2A 23 0042F623 >> esi:00441928 ebx:558C6CA0 edi.54 d_push_regR21 nBp:10
Dispatch[0000513B] nsi:00441927 nbx:AA7306D0 23 0042F623 >> esi:00441926 ebx:AA739356 edi.2C d_push_regR11 nBp:C
Dispatch[0000513C] nsi:00441925 nbx:558C2D86 23 0042F623 >> esi:00441924 ebx:558C7C04 edi.18 d_push_regR6 nBp:8
Dispatch[0000513D] nsi:00441923 nbx:AA731634 23 0042F623 >> esi:00441922 ebx:AA7382B2 edi.3C d_push_regR15 nBp:4
Dispatch[0000513E] nsi:00441921 nbx:558C1CE2 23 0042F623 >> esi:00441920 ebx:558C8D68 edi.4C d_push_regR19 nBp:0
push 004013AAh
push R16
push R18
push R9
push R21
push R11
push R6
push R15
push R19
vm_ret
.WProtec:0042F76F mov esp, ebp
.WProtec:0042F771 pop edi
.WProtec:0042F772 pop esi
.WProtec:0042F773 pop ebp
.WProtec:0042F774 pop ebx
.WProtec:0042F775 pop edx
.WProtec:0042F776 pop ecx
.WProtec:0042F777 pop eax
.WProtec:0042F778 popf
.WProtec:0042F779 retn
edi = R19 = edi
esi = R15 = esi
ebp = R6 = ebp
ebx = R11 = ebx
edx = R21 = edx
ecx = R9 = ecx
eax = R18 = eax
flag = R16
#------- ======= ------- ======= ------- ======= ------- ======= ------- ======= ------- ======= -------
(6.1) Extracted and simplified to:
R18 = dword ptr[R6.ebp-3F8h]
R9 = dword ptr[R6.ebp-3F0h]
R18 = R18 << 4
R9 = R18 + R9
R18 = rol 20h,2 = 80h
b = byte ptr[R9-370h+R6.ebp] = byte ptr[R6.ebp-370h+R9]
R8 = ~R18 & ~b
R7 = b
t1 = ~R8 & ~R8
t2 = ~R7 & ~R7
t3 = ~t1 & ~t2
R18 = ~R8 & ~t3 = R18 ^ b
byte ptr[R9-170h+R6.ebp] = R18
push 004013AAh
ret
(6.2) Rearranged:
R18 = dword ptr[R6.ebp-3F8h]
R9 = dword ptr[R6.ebp-3F0h]
R18 = R18 << 4
R9 = R18 + R9
R18 = rol 20h,2 = 80h
b = byte ptr[R9-370h+R6.ebp] = byte ptr[R6.ebp-370h+R9]
R18 = R18 ^ b
byte ptr[R9-170h+R6.ebp] = R18
push 004013AAh
ret
(6.3) Result:
R18 = dword ptr[R6.ebp-3F8h]
R9 = dword ptr[R6.ebp-3F0h]
R18 = R18 << 4
R9 = R18 + R9
b = byte ptr[R9-370h+R6.ebp] = byte ptr[R6.ebp-370h+R9]
byte ptr[R9-170h+R6.ebp] = 80h ^ b
retjmp fun.004013AAh()
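As an added example (not part of the original write-up and not WProtect's own code), the Python below checks exhaustively that the five-step b_nand chains recovered in (5.1) and (6.1) collapse to the single XOR shown in (5.2) and (6.3), folds the rol constants the same way, and then emulates both reduced blocks on a constructed stack frame. Function names, the ebp value and the frame contents are assumptions made for the demo.

```python
from typing import Dict

MASK8 = 0xFF
MASK32 = 0xFFFFFFFF


def b_nand(a: int, b: int) -> int:
    # The trace annotates b_nand as ~s1 & ~s2 on byte operands.
    return (~a & ~b) & MASK8


def b_rol(v: int, n: int) -> int:
    # 8-bit rotate left, as the b_rol handler does (rol s2_b <<< s1_b).
    n %= 8
    return ((v << n) | (v >> (8 - n))) & MASK8


def nand_chain(r18: int, b: int) -> int:
    # The five b_nand steps listed in (5.1) and (6.1), before simplification.
    r6 = b_nand(b, r18)     # R6 = ~b & ~R18
    t1 = b_nand(r18, r18)   # t1 = ~R18
    t2 = b_nand(b, b)       # t2 = ~b
    t3 = b_nand(t1, t2)     # t3 = ~t1 & ~t2  (= R18 & b)
    return b_nand(t3, r6)   # R18 = ~t3 & ~R6 (= R18 ^ b)


def chain_equals_xor() -> bool:
    # Exhaustive check of the (5.2)/(6.2) reduction over every byte pair.
    return all(nand_chain(x, y) == (x ^ y) for x in range(256) for y in range(256))


def rd32(mem: Dict[int, int], addr: int) -> int:
    # Little-endian dword read from a sparse byte map (missing bytes read as 0).
    return sum(mem.get(addr + i, 0) << (8 * i) for i in range(4))


def wr32(mem: Dict[int, int], addr: int, val: int) -> None:
    for i in range(4):
        mem[addr + i] = (val >> (8 * i)) & MASK8


def run_block_5_2(mem: Dict[int, int], ebp: int) -> int:
    # Reduced block (5.2): byte[dword[ebp-3FCh]] = 0Dh ^ byte[ebp-3C9h].
    # 0Dh is the folded constant rol(43h, 2) from the trace.
    dst = rd32(mem, ebp - 0x3FC)
    b = mem.get(ebp - 0x3C9, 0)
    mem[dst] = b_rol(0x43, 2) ^ b
    return mem[dst]


def run_block_6_3(mem: Dict[int, int], ebp: int) -> int:
    # Reduced block (6.3): index = (dword[ebp-3F8h] << 4) + dword[ebp-3F0h];
    # byte[ebp-170h+index] = 80h ^ byte[ebp-370h+index], with 80h = rol(20h, 2).
    r18 = (rd32(mem, ebp - 0x3F8) << 4) & MASK32
    r9 = (r18 + rd32(mem, ebp - 0x3F0)) & MASK32
    b = mem.get(ebp - 0x370 + r9, 0)
    mem[ebp - 0x170 + r9] = b_rol(0x20, 2) ^ b
    return mem[ebp - 0x170 + r9]


def demo() -> Dict[str, int]:
    # Constructed stack frame: ebp and every value below are made up for the demo.
    ebp = 0x1000
    mem: Dict[int, int] = {}
    wr32(mem, ebp - 0x3FC, 0x2000)  # destination pointer for (5.2)
    mem[ebp - 0x3C9] = 0x30         # source byte for (5.2)
    wr32(mem, ebp - 0x3F8, 1)       # high part of the index for (6.3)
    wr32(mem, ebp - 0x3F0, 2)       # low part of the index  -> index 0x12
    mem[ebp - 0x370 + 0x12] = 0x41  # source byte for (6.3)
    return {
        "block_5_2": run_block_5_2(mem, ebp),
        "block_6_3": run_block_6_3(mem, ebp),
        "trace_step": nand_chain(0x0D, 0x02),  # the R18 = 0x0F step in the trace
    }


if __name__ == "__main__":
    print(chain_equals_xor(), {k: hex(v) for k, v in demo().items()})
```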
#------- ======= ------- ======= ------- ======= ------- ======= ------- ======= ------- ======= -------
#------- ======= ------- ======= ------- ======= ------- ======= ------- ======= ------- ======= -------
k. Below is the IDAPython code for decompiling WProtect
#-------------------------------------------------------------------------------------------------------
from ctypes import *
VMHandle = {
0x01:"d_pop_reg",#"VMHandle_b_read_stack",
0x02:"rdtsc",#"VMHandle_w_read_stack",
0x03:"w_shl",#"VMHandle_d_read_stack",
0x04:"b_nand",#"VMHandle_b_write_stack",
0x05:"w_push_imm_sx",#"VMHandle_w_write_stack",
0x06:"w_write_mem",#"VMHandle_d_write_stack",
0x07:"fstsw",#"VMHandle_b_push_reg",
0x08:"shld",#"VMHandle_w_puah_reg",
0x09:"w_nand",#"VMHandle_d_push_reg",
0x0A:"d_add",#"VMHandle_b_pop_reg",
0x0B:"run_stack_code",#"VMHandle_w_pop_reg",
0x0C:"b_rol",#"VMHandle_d_pop_reg",
0x0D:"d_shr",#"VMHandle_b_push_imm",
0x0E:"d_ror",#"VMHandle_w_push_imm",
0x0F:"w_ror",#"VMHandle_d_push_imm",
0x10:"d_push_imm",#"VMHandle_b_shl",
0x11:"b_shr",#"VMHandle_w_shl",
0x12:"b_read_stack",#"VMHandle_d_shl",
0x13:"d_read_mem",#"VMHandle_b_shr",
0x14:"d_pop_reg",#"VMHandle_w_shr",
0x15:"set_key",#"VMHandle_d_shr",
0x16:"b_push_imm_zx",#"VMHandle_shld",
0x17:"d_rol",#"VMHandle_shrd",
0x18:"w_add",#"VMHandle_b_nand",
0x19:"w_read_mem",#"VMHandle_w_nand",
0x1A:"w_push_imm_zx",#"VMHandle_d_nand",
0x1B:"w_rol",#"VMHandle_set_pc",
0x1C:"b_read_mem",#"VMHandle_ret",
0x1D:"b_push_imm_sx",#"VMHandle_in",
0x1E:"w_push_imm",#"VMHandle_rdtsc",
0x1F:"b_push_imm",#"VMHandle_cpuid",
0x20:"pop_stack_top_base",#"VMHandle_check_stack",
0x21:"cpuid",#"VMHandle_push_stack_top_base",push_stack_top_base
0x22:"w_pop_reg",#"VMHandle_b_read_mem",
0x23:"d_push_reg",#"VMHandle_w_read_mem",
0x24:"shrd",#"VMHandle_d_read_mem",
0x25:"in",#"VMHandle_b_write_mem",
0x26:"b_write_mem",#"VMHandle_w_write_mem",
0x27:"d_read_stack",#"VMHandle_d_write_mem",
0x28:"d_shl",#"VMHandle_pop_stack_top_base",
0x29:"d_write_stack",#"VMHandle_b_push_imm_sx",
0x2A:"w_shr",#"VMHandle_w_push_imm_sx",
0x2B:"check_stack",#"VMHandle_b_push_imm_zx",
0x2C:"w_write_stack",#"VMHandle_w_push_imm_zx",
0x2D:"ret",#"VMHandle_b_add",
0x2E:"w_push_reg",#"VMHandle_w_add",
0x2F:"b_ror",#"VMHandle_d_add",
0x30:"d_write_mem",#"VMHandle_b_rol",
0x31:"b_push_reg",#"VMHandle_w_rol",
0x32:"d_nand",#"VMHandle_d_rol",
0x33:"w_read_stack",#"VMHandle_b_ror",
0x34:"push_stack_top_base",#"VMHandle_w_ror",
0x35:"set_pc",#"VMHandle_d_ror",
0x36:"b_add",#"VMHandle_set_key",
0x37:"b_pop_reg",#"VMHandle_run_stack_code",
0x38:"b_shl",#"VMHandle_fstsw"
}
OpDiffnEbpDict = {
0x01:+0x01,#"d_pop_reg",#"VMHandle_b_read_stack",
0x02:-0x08,#"rdtsc",#"VMHandle_w_read_stack",
0x03:+0x01-0x04,#"w_shl",#"VMHandle_d_read_stack",
0x04:+0x01-0x04,#"b_nand",#"VMHandle_b_write_stack",
0x05:-0x04,#"w_push_imm_sx",#"VMHandle_w_write_stack",
0x06:+0x06,#"w_write_mem",#"VMHandle_d_write_stack",
0x07:-0x02,#"fstsw",#"VMHandle_b_push_reg",
0x08:+0x01,#"shld",#"VMHandle_w_puah_reg",
0x09:+0x02-0x04,#"w_nand",#"VMHandle_d_push_reg",
0x0A:0,#"d_add",#"VMHandle_b_pop_reg",
0x0B:+1,#"run_stack_code",#"VMHandle_w_pop_reg", ******* 1 + xxx *******
0x0C:+0x01-0x04,#"b_rol",#"VMHandle_d_pop_reg",
0x0D:+0x01-0x04,#"d_shr",#"VMHandle_b_push_imm",
0x0E:+0x01-0x04,#"d_ror",#"VMHandle_w_push_imm",
0x0F:+0x01-0x04,#"w_ror",#"VMHandle_d_push_imm",
0x10:-0x04,#"d_push_imm",#"VMHandle_b_shl",
0x11:+0x01-0x04,#"b_shr",#"VMHandle_w_shl",
0x12:-0x01,#"b_read_stack",#"VMHandle_d_shl",
0x13:0,#"d_read_mem",#"VMHandle_b_shr",
0x14:+0x04,#"d_pop_reg",#"VMHandle_w_shr",
0x15:+0x04+0x04,#"set_key",#"VMHandle_d_shr",
0x16:-0x04,#"b_push_imm_zx",#"VMHandle_shld",
0x17:+0x01-0x04,#"d_rol",#"VMHandle_shrd",
0x18:-0x02,#"w_add",#"VMHandle_b_nand",
0x19:+0x02,#"w_read_mem",#"VMHandle_w_nand",
0x1A:-0x04,#"w_push_imm_zx",#"VMHandle_d_nand",
0x1B:+0x01-0x04,#"w_rol",#"VMHandle_set_pc",
0x1C:+0x03,#"b_read_mem",#"VMHandle_ret",
0x1D:-0x04,#"b_push_imm_sx",#"VMHandle_in",
0x1E:-0x02,#"w_push_imm",#"VMHandle_rdtsc",
0x1F:-0x01,#"b_push_imm",#"VMHandle_cpuid",
0x20:0,#"pop_stack_top_base",#"VMHandle_check_stack", ******* xxx *******
0x21:-0x10,#"cpuid",#"VMHandle_push_stack_top_base",push_stack_top_base
0x22:+0x02,#"w_pop_reg",#"VMHandle_b_read_mem",
0x23:-0x04,#"d_push_reg",#"VMHandle_w_read_mem",
0x24:+0x01,#"shrd",#"VMHandle_d_read_mem",
0x25:0,#"in",#"VMHandle_b_write_mem",
0x26:+0x05,#"b_write_mem",#"VMHandle_w_write_mem",
0x27:-0x04,#"d_read_stack",#"VMHandle_d_write_mem",
0x28:+0x01-0x04,#"d_shl",#"VMHandle_pop_stack_top_base",
0x29:+0x04,#"d_write_stack",#"VMHandle_b_push_imm_sx",
0x2A:+0x01-0x04,#"w_shr",#"VMHandle_w_push_imm_sx",
0x2B:0,#"check_stack",#"VMHandle_b_push_imm_zx",
0x2C:+0x02,#"w_write_stack",#"VMHandle_w_push_imm_zx",
0x2D:0,#"ret",#"VMHandle_b_add", ******* xxx *******
0x2E:-0x02,#"w_push_reg",#"VMHandle_w_add",
0x2F:+0x01-0x04,#"b_ror",#"VMHandle_d_add",
0x30:+0x08,#"d_write_mem",#"VMHandle_b_rol",
0x31:-0x01,#"b_push_reg",#"VMHandle_w_rol",
0x32:-0x04,#"d_nand",#"VMHandle_d_rol",
0x33:-0x02,#"w_read_stack",#"VMHandle_b_ror",
0x34:-0x04,#"push_stack_top_base",#"VMHandle_w_ror",
0x35:+0x04,#"set_pc",#"VMHandle_d_ror",
0x36:-0x03,#"b_add",#"VMHandle_set_key",
0x37:+0x01,#"b_pop_reg",#"VMHandle_run_stack_code",
0x38:-0x04,#"b_shl",#"VMHandle_fstsw"
}
DispatchCnt = 0;CurEbp=0;EbpLink = []
def trace_nsinbx_tips(nsi,nbx,op,esi,ebx,tips):
    global DispatchCnt,CurEbp,EbpLink
    DispatchCnt = DispatchCnt + 1
    print "Dispatch[{:08X}] nsi:{:08X} nbx:{:08X} {:02X} {:08X} >> esi:{:08X} ebx:{:08X} {}".format(DispatchCnt,nsi,nbx,op,Dword(0x42F8DD+op*4),esi,ebx,tips),
    if op == 0x34:#push_stack_top_base
        EbpLink.append(CurEbp)
    elif op == 0x20:#pop_stack_top_base
        if EbpLink.__len__() > 0:
            CurEbp = EbpLink.pop()
        else:
            raise Exception("pop_stack_top_base but EbpLink is empty.")
    if op not in [0x0B,0x2D]: #run_stack_code,ret#pop_stack_top_base
        CurEbp = CurEbp + OpDiffnEbpDict[op]
        print " nBp:{:X}".format(CurEbp)
    else:
        raise Exception("Match run_stack_code,pop_stack_top_base,ret operation, ebp changes variably.")
def vm_chekc_stack(nsi,nbx):
    esi = nsi; ebx = c_ulong(nbx);
    return gfOpF_dispatch(esi,ebx.value)
def vm_start_run(nsi = 0x43540E,nbx = 0x12345678):
    global DispatchCnt,CurEbp,EbpLink
    DispatchCnt = 0
    CurEbp = 0
    EbpLink = []
    callback_key_continue = gfOpF_dispatch(nsi,nbx)
    while isinstance(callback_key_continue,list):
        if callback_key_continue[0] == vm_chekc_stack:
            callback_key_continue = callback_key_continue[0](callback_key_continue[1],callback_key_continue[2])
        else:
            print "vm run end"
            break  # leave the loop, otherwise an unknown callback spins forever
def asm(reg32 = None,opSize = 4,op = "xxx",args = None):
    reg = None
    regM = c_ulong(0)
    if not isinstance(args,list):
        args = [args]
    if opSize == 4:
        reg = c_ulong(reg32)
        regM.value = 0
    elif opSize == 2:
        reg = c_ushort(reg32)
        regM.value = reg32 & 0xFFFF0000
    elif opSize == 1:
        reg = c_ubyte(reg32)
        regM.value = reg32 & 0xFFFFFF00
    else:
        raise Exception("opReg32 opSize Error {}".format(opSize))
    #
    if "~" == op:
        reg.value = ~reg.value
    elif "-" == op:
        reg.value = reg.value - args[0]
    elif "^" == op:
        reg.value = reg.value ^ args[0]
    elif "+" == op:
        reg.value = reg.value + args[0]
    elif "ror" == op:
        opWidth = 8*opSize
        reg.value = (reg.value >> (args[0] % opWidth)) | (reg.value << (opWidth - (args[0] % opWidth)))
    elif "rol" == op:
        opWidth = 8*opSize
        reg.value = (reg.value << (args[0] % opWidth)) | (reg.value >> (opWidth - (args[0] % opWidth)))
    else:
        raise Exception("opReg32 op Error {}".format(op))
    #
    regM.value = regM.value | reg.value
    return regM.value
#DispatchCnt = 0;gfOpF_dispatch()
def gfOpF_dispatch(nsi = 0x43540E,nbx = 0x12345678): #key=[nsi,nbx]
    esi = nsi; ebx = nbx;
    al = c_ubyte(Byte(esi-1)); esi = esi - 1;#pcb >> bpc >> bpc_al >> al
    ebx = asm(ebx,4,"~")
    ebx = asm(ebx,4,"-",1)
    ebx = asm(ebx,2,"~")
    ebx = asm(ebx,2,"-",0x65D1)
    al.value = al.value - (ebx & 0xFF)
    al.value = ~al.value
    al.value = al.value + 0x57
    al.value = al.value - 1
    al.value = al.value - 0x3E
    if al.value in VMHandle:
        OpF_name = "vm_"+VMHandle[al.value]
        if OpF_name in globals():
            OpF = globals()[OpF_name]
            callback_key = OpF(esi,ebx)
            return callback_key
        else:
            #raise Exception('Found undefine VM Op:{:02X} function "{}" at {:08X}'.format(al.value,OpF_name,Dword(0x42F8DD+4*al.value)))
            print Exception('Found undefine VM Op:{:02X} function "{}" at {:08X}'.format(al.value,OpF_name,Dword(0x42F8DD+4*al.value)))
            # print a stub for the missing handler so it can be pasted in and filled out
            print """def {}(nsi,nbx):
    esi = nsi; ebx = nbx;
    al = c_ubyte(Byte(esi-1)); esi = esi - 1;
    trace_nsinbx_tips(nsi,nbx,0x{:02X},esi,ebx,"".format())
    return [vm_chekc_stack,esi,ebx]
""".format(OpF_name,al.value)
            return None
    else:
        #raise Exception("dispatch error: nsi:{:08X} nbx:{:08X} Op:{:02X}".format(nsi,nbx,al.value))
        print Exception("dispatch error: nsi:{:08X} nbx:{:08X} Op:{:02X}".format(nsi,nbx,al.value))
        print "------end???-------"
        return None
def vm_d_pop_reg(nsi,nbx):
    esi = nsi; ebx = nbx;
    al = c_ubyte(Byte(esi-1)); esi = esi - 1;
    ebx = asm(ebx,1,"ror",3)
    ebx = asm(ebx,4,"-",0x168D4893)
    ebx = asm(ebx,4,"^",0x26163857)
    ebx = asm(ebx,1,"-",0xB4)
    ebx = asm(ebx,4,"ror",0x14)
    ebx = asm(ebx,4,"^",0x65EC6051)
    ebx = asm(ebx,4,"+",1)
    Ri = al.value
    trace_nsinbx_tips(nsi,nbx,0x14,esi,ebx,"edi.{:02X} d_pop_R{}".format(Ri,Ri/4))
    return [vm_chekc_stack,esi,ebx]
def vm_d_push_reg(nsi,nbx):
esi = nsi; ebx = nbx;
al = c_ubyte(Byte(esi-1)); esi = esi - 1;
ebx = asm(ebx,2,"~")
ebx = asm(ebx,2,"^",0x730C)
ebx = asm(ebx,2,"~")
ebx = asm(ebx,1,"-",1)
ebx = asm(ebx,2,"-",0xE285)
al.value = asm(al.value,1,"rol",4)
al.value = asm(al.value,1,"+",0x84)
al.value = asm(al.value,1,"ror",0x1E)
al.value = al.value - (ebx & 0xFF)
al.value = ~al.value
Ri = al.value
trace_nsinbx_tips(nsi,nbx,0x23,esi,ebx,"edi.{:02X} d_push_regR{}".format(Ri,Ri/4))
return [vm_chekc_stack,esi,ebx]
def vm_b_push_imm_sx(nsi,nbx):
esi = nsi; ebx = nbx;
al = c_ubyte(Byte(esi-1)); esi = esi - 1;
ebx = asm(ebx,1,"~")
ebx = asm(ebx,2,"-",1)
ebx = asm(ebx,2,"ror",7)
ebx = asm(ebx,4,"rol",7)
bl = ebx & 0xFF
al.value = al.value + bl
al.value = al.value ^ bl
al.value = ~al.value
al.value = al.value - bl
imm8 = c_long(c_byte(al.value).value).value
trace_nsinbx_tips(nsi,nbx,0x1D,esi,ebx,"b_push_imm_sx {} ({:X}h {:08X})".format(imm8,imm8,c_ulong(imm8).value))
return [vm_chekc_stack,esi,ebx]
def vm_d_add(nsi,nbx):
esi = nsi; ebx = nbx;
#al = c_ubyte(Byte(esi-1)); esi = esi - 1;
ebx = asm(ebx,2,"+",0x151B)
ebx = asm(ebx,4,"~")
ebx = asm(ebx,4,"ror",4)
trace_nsinbx_tips(nsi,nbx,0x0A,esi,ebx,"d_add s1_Opnd,s2_Opnd >> s1_flag,s2_sum ")
return [vm_chekc_stack,esi,ebx]
def vm_d_push_imm(nsi,nbx):
esi = nsi; ebx = nbx;
eax = c_ulong(Dword(esi-4)); esi = esi - 4;
ebx = asm(ebx,1,"+",0x18)
ebx = asm(ebx,4,"-",0x1DEE0F7A)
ebx = asm(ebx,4,"ror",0x15)
eax.value = asm(eax.value,4,"rol",0x0D)
eax.value = eax.value + 1
eax.value = eax.value + ebx
eax.value = eax.value + ebx
eax.value = eax.value + 0x2768FF15
eax.value = eax.value ^ ebx
u32 = eax.value
i32 = c_long(u32).value
trace_nsinbx_tips(nsi,nbx,0x10,esi,ebx,"d_push_imm {:08X}h ({:X}h)".format(u32,i32))
return [vm_chekc_stack,esi,ebx]
def vm_d_write_mem(nsi,nbx):
esi = nsi; ebx = nbx;
#al = c_ubyte(Byte(esi-1)); esi = esi - 1;
ebx = asm(ebx,1,"rol",0x17)
ebx = asm(ebx,2,"+",1)
ebx = asm(ebx,4,"-",1)
ebx = asm(ebx,2,"-",1)
ebx = asm(ebx,4,"ror",0x16)
ebx = asm(ebx,2,"+",1)
ebx = asm(ebx,2,"ror",0x1C)
trace_nsinbx_tips(nsi,nbx,0x30,esi,ebx,"d_write_mem [s1_mem],s2_Opnd")
return [vm_chekc_stack,esi,ebx]
#-------------------------------------------------------------------
#Dispatch[00000009] nsi:00438AA5 nbx:132739EB 14 0042F441 >> esi:00438AA4 ebx:996CFDFA edi.04 d_pop_R1 nBp:24
def vm_push_stack_top_base(nsi,nbx):
    esi = nsi; ebx = nbx;
    #al = c_ubyte(Byte(esi-1)); esi = esi - 1;
    ebx = asm(ebx,4,"+",0x2304F8D0)
    trace_nsinbx_tips(nsi,nbx,0x34,esi,ebx,"push_stack_top_base Nebp")
    return [vm_chekc_stack,esi,ebx]
#Dispatch[00001B07] nsi:004354A8 nbx:F9E90C4D 14 0042F441 >> esi:004354A7 ebx:BA24BC06 edi.18 d_pop_R6 nBp:20
def vm_pop_stack_top_base(nsi,nbx):
    esi = nsi; ebx = nbx;
    #al = c_ubyte(Byte(esi-1)); esi = esi - 1;
    ebx = asm(ebx,1,"^",0x45)
    ebx = asm(ebx,2,"-",0x4B3F)
    ebx = asm(ebx,4,"~")
    ebx = asm(ebx,2,"+",1)
    ebx = asm(ebx,1,"+",0x5A)
    trace_nsinbx_tips(nsi,nbx,0x20,esi,ebx,"pop_stack_top_base Nebp")
    return [vm_chekc_stack,esi,ebx]
#-----------------------------------------------
def vm_d_read_mem(nsi,nbx):
    esi = nsi; ebx = nbx;
    #al = c_ubyte(Byte(esi-1)); esi = esi - 1;
    trace_nsinbx_tips(nsi,nbx,0x13,esi,ebx,"d_read_mem [s1_mem] >> s1_ww")
    return [vm_chekc_stack,esi,ebx]
def vm_b_push_imm(nsi,nbx):
    esi = nsi; ebx = nbx;
    al = c_ubyte(Byte(esi-1)); esi = esi - 1;
    ebx = asm(ebx,2,"^",0x5E31)
    al.value = al.value - 0x90
    al.value = ~al.value
    al.value = al.value + (ebx & 0xFF)
    uim8 = al.value
    iim8 = c_byte(al.value).value
    trace_nsinbx_tips(nsi,nbx,0x1F,esi,ebx,"b_push_imm {:X} ({:X}h)".format(uim8,iim8))
    return [vm_chekc_stack,esi,ebx]
def vm_w_read_mem(nsi,nbx):
    esi = nsi; ebx = nbx;
    #al = c_ubyte(Byte(esi-1)); esi = esi - 1;
    ebx = asm(ebx,4,"+",0x7C0E959A)
    trace_nsinbx_tips(nsi,nbx,0x19,esi,ebx,"w_read_mem [s1_mem] >> s1_w".format())
    return [vm_chekc_stack,esi,ebx]
def vm_w_push_reg(nsi,nbx):
    esi = nsi; ebx = nbx;
    al = c_ubyte(Byte(esi-1)); esi = esi - 1;
    ebx = asm(ebx,1,"~")
    Ri = al.value
    trace_nsinbx_tips(nsi,nbx,0x2E,esi,ebx,"edi.{:02X} w_push_regR{}.w".format(Ri,Ri/4))
    return [vm_chekc_stack,esi,ebx]
def vm_w_write_mem(nsi,nbx):
    esi = nsi; ebx = nbx;
    #al = c_ubyte(Byte(esi-1)); esi = esi - 1;
    ebx = asm(ebx,4,"~")
    ebx = asm(ebx,1,"+",1)
    ebx = asm(ebx,4,"^",0x2B9EB09D)
    ebx = asm(ebx,1,"+",0x70)
    ebx = asm(ebx,4,"~")
    ebx = asm(ebx,4,"+",1)
    trace_nsinbx_tips(nsi,nbx,0x06,esi,ebx,"w_write_mem [s1_mem],s2_Opnd.w")
    return [vm_chekc_stack,esi,ebx]
def vm_b_read_mem(nsi,nbx):
    esi = nsi; ebx = nbx;
    #al = c_ubyte(Byte(esi-1)); esi = esi - 1;
    ebx = asm(ebx,1,"ror",0x10)
    ebx = asm(ebx,4,"-",0x2C8FC704)
    trace_nsinbx_tips(nsi,nbx,0x1C,esi,ebx,"b_read_mem [s1_mem] >> s1_b".format())
    return [vm_chekc_stack,esi,ebx]
def vm_b_push_reg(nsi,nbx):
    esi = nsi; ebx = nbx;
    al = c_ubyte(Byte(esi-1)); esi = esi - 1;
    bl = (ebx & 0xFF)
    al.value = al.value ^ bl
    al.value = al.value + bl
    Ri = al.value
    trace_nsinbx_tips(nsi,nbx,0x31,esi,ebx,"edi.{:02X} b_push_regR{}.b".format(Ri,Ri/4))
    return [vm_chekc_stack,esi,ebx]
def vm_b_write_mem(nsi,nbx):
    esi = nsi; ebx = nbx;
    #al = c_ubyte(Byte(esi-1)); esi = esi - 1;
    ebx = asm(ebx,4,"~")
    ebx = asm(ebx,4,"-",1)
    ebx = asm(ebx,4,"+",0x2A22CDFB)
    ebx = asm(ebx,2,"+",0xA3AC)
    trace_nsinbx_tips(nsi,nbx,0x26,esi,ebx,"b_write_mem [s1_mem],s2_Opnd.b".format())
    return [vm_chekc_stack,esi,ebx]
def vm_b_pop_reg(nsi,nbx):
    esi = nsi; ebx = nbx;
    al = c_ubyte(Byte(esi-1)); esi = esi - 1;
    ebx = asm(ebx,4,"-",0x997F802)
    bl = ebx & 0xFF
    al.value = al.value - bl
    al.value = al.value ^ bl
    al.value = asm(al.value,1,"rol",0x0B)
    al.value = al.value - 0x94
    al.value = al.value ^ bl
    Ri = al.value
    trace_nsinbx_tips(nsi,nbx,0x37,esi,ebx,"edi.{:02X} b_pop_regR{}.b".format(Ri,Ri/4))
    return [vm_chekc_stack,esi,ebx]
def vm_b_rol(nsi,nbx):
    esi = nsi; ebx = nbx;
    #al = c_ubyte(Byte(esi-1)); esi = esi - 1;
    ebx = asm(ebx,4,"+",0x795F8CB7)
    ebx = asm(ebx,2,"-",0x671A)
    ebx = asm(ebx,4,"ror",3)
    trace_nsinbx_tips(nsi,nbx,0x0C,esi,ebx,"b_rol s2_b <<< s1_b".format())
    return [vm_chekc_stack,esi,ebx]
def vm_b_nand(nsi,nbx):
    esi = nsi; ebx = nbx;
    #al = c_ubyte(Byte(esi-1)); esi = esi - 1;
    ebx = asm(ebx,2,"^",0xBE3E)
    ebx = asm(ebx,4,"rol",0x0B)
    ebx = asm(ebx,4,"rol",0x0F)
    ebx = asm(ebx,2,"~")
    ebx = asm(ebx,4,"-",1)
    trace_nsinbx_tips(nsi,nbx,0x04,esi,ebx,"b_nand s1_b,s2_b".format())
    return [vm_chekc_stack,esi,ebx]
def vm_d_shl(nsi,nbx):
    esi = nsi; ebx = nbx;
    #al = c_ubyte(Byte(esi-1)); esi = esi - 1;
    ebx = asm(ebx,4,"-",1)
    trace_nsinbx_tips(nsi,nbx,0x28,esi,ebx,"d_shl s2_ww,s1_b".format())
    return [vm_chekc_stack,esi,ebx]
#-------------------------------------------------------------------------------------------------------
Note that not every virtual instruction vm_xxx is implemented here. When a handler that is still missing is encountered, the code above prints a skeleton for its implementation together with the handler's address in the IDA disassembly, so the missing key chain can be read off the disassembly and filled in quickly with asm.
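The key-rolling primitive and two steps of the script above, as an added stand-alone Python 3 model that runs without IDA (this is not code from the original post): asm(), the dispatch chain and the d_pop_reg chain are transcribed from the script, and replay_first_trace() reproduces the Dispatch[00000009] trace line; the bytecode byte 0xEE and the entry key 0xECD89FBB are assumptions derived by inverting the dispatch chain, not values from the page.

```python
MASK = {1: 0xFF, 2: 0xFFFF, 4: 0xFFFFFFFF}   # AL/AX/EAX views of a 32-bit register

def asm(reg32, op_size, op, arg=0):
    """Apply op to the low op_size bytes of reg32 and leave the upper bits as they are."""
    m, width = MASK[op_size], 8 * op_size
    reg = reg32 & m
    if op == "~":
        reg = ~reg
    elif op in ("+", "-", "^"):
        reg = {"+": reg + arg, "-": reg - arg, "^": reg ^ arg}[op]
    elif op in ("ror", "rol"):
        n = arg % width
        if op == "rol":                  # rol n is ror (width - n)
            n = (width - n) % width
        reg = (reg >> n) | (reg << (width - n))
    else:
        raise ValueError("unknown op %r" % op)
    return (reg32 & ~m & 0xFFFFFFFF) | (reg & m)

def roll_key(ebx, chain):
    """Every handler advances the key ebx through its own fixed (size, op, arg) chain."""
    for size, op, arg in chain:
        ebx = asm(ebx, size, op, arg)
    return ebx

# Chains transcribed from the page's gfOpF_dispatch and vm_d_pop_reg.
DISPATCH_KEY = [(4, "~", 0), (4, "-", 1), (2, "~", 0), (2, "-", 0x65D1)]
D_POP_REG_KEY = [(1, "ror", 3), (4, "-", 0x168D4893), (4, "^", 0x26163857),
                 (1, "-", 0xB4), (4, "ror", 0x14), (4, "^", 0x65EC6051), (4, "+", 1)]

def dispatch(code, esi, ebx):
    """Fetch the byte below esi, roll the key, decrypt the byte into a VM opcode."""
    al, esi = code[esi - 1], esi - 1
    ebx = roll_key(ebx, DISPATCH_KEY)
    al = (~(al - (ebx & 0xFF))) & 0xFF
    return (al + 0x57 - 1 - 0x3E) & 0xFF, esi, ebx

def vm_d_pop_reg(code, esi, ebx):
    """Opcode 0x14: the operand byte is an edi offset; offset // 4 names the VM register."""
    ri, esi = code[esi - 1], esi - 1
    return ri // 4, esi, roll_key(ebx, D_POP_REG_KEY)

def replay_first_trace():
    """Reproduce the page's trace line Dispatch[00000009] ... d_pop_R1."""
    # Constructed bytecode, read downwards. 0x04 is the operand in the trace (edi.04);
    # 0xEE and entry key 0xECD89FBB are derived here by inverting the dispatch chain.
    code = {0x438AA4: 0x04, 0x438AA5: 0xEE}
    op, esi, ebx = dispatch(code, 0x438AA6, 0xECD89FBB)
    reg, esi, ebx = vm_d_pop_reg(code, esi, ebx)
    return op, reg, esi, ebx           # (0x14, 1, 0x438AA4, 0x996CFDFA)
```

The same vm_d_pop_reg() also reproduces the Dispatch[00001B07] line: key F9E90C4D with operand 0x18 rolls to BA24BC06 and names R6.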
Previously I had only dealt with decompiling 老毛's VMProtect (vmp); judged purely on the WProtect build in CTF04, WProtect is considerably simpler. It translates x86 directly, introduces no run-time re-encoding, no obfuscation and no dedicated anti-debugging instructions. Some versions of VMProtect have dedicated virtual instructions that checksum sensitive code regions at run time, so under VMProtect an ordinary F2 breakpoint is likely to land in a checked region and stall the debugging session, and there is plenty more anti-debugging logic on top of that.
Finally, thanks to xiaoweime, the open-source author of WProtect, and to JoenChen, author of the 看雪 2016 CTF fourth challenge.
@B: The VM is not as easy as it seems.
Still, think of the first generation of programmers: compared with their era of programming with punched cards and paper-tape punches, we have evolved a great deal and will keep evolving. Just Do IT.